Ana Rey | 2 Sep 20:37 2014

[PATCH] src: Add devgroup support in meta expression.

This adds device group support in the meta expression.

The new attributes of meta are "iifgroup" and "oifgroup":
- iifgroup: Match device group of the incoming device.
- oifgroup: Match device group of the outgoing device.

Example of use:
nft add rule ip test input meta iifgroup 2 counter
nft add rule ip test output meta oifgroup 2 counter

The kernel and libnftnl support were added in these commits:
netfilter: nf_tables: add devgroup support in meta expression
src: meta: Add devgroup support to meta expression

Signed-off-by: Ana Rey <anarey <at> gmail.com>
---
 include/linux/netfilter/nf_tables.h |    4 ++++
 src/meta.c                          |    6 ++++++
 src/parser.y                        |    4 ++++
 src/scanner.l                       |    2 ++
 4 files changed, 16 insertions(+)

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index dbdc4f5..e8b9d19 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
 <at>  <at>  -537,6 +537,8  <at>  <at>  enum nft_exthdr_attributes {
  *  <at> NFT_META_BRI_OIFNAME: packet output bridge interface name
  *  <at> NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback
  *  <at> NFT_META_CPU: cpu id through smp_processor_id()
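Review bot: this copy of nf_tables.h is out of sync with the kernel's: the hunk header places the nft_meta_keys comment at line 537 here, while the kernel and libnftnl patches in this series have the same comment at line 573, so earlier UAPI additions are missing from the nftables copy. Suggest resyncing the whole header from the kernel tree in a separate patch first, so that NFT_META_IIFGROUP and NFT_META_OIFGROUP land with the same numeric values on both sides.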
(Continue reading)

Ana Rey | 2 Sep 20:36 2014

[PATCH libnftnl] expr: meta: Add devgroup support

The kernel support is added in this commit:
netfilter: nf_tables: add devgroup support in meta expression

Signed-off-by: Ana Rey <anarey <at> gmail.com>
---
 include/linux/netfilter/nf_tables.h |    4 ++++
 src/expr/meta.c                     |    4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index c9b6f00..c000947 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
 <at>  <at>  -573,6 +573,8  <at>  <at>  enum nft_exthdr_attributes {
  *  <at> NFT_META_BRI_OIFNAME: packet output bridge interface name
  *  <at> NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback
  *  <at> NFT_META_CPU: cpu id through smp_processor_id()
+ *  <at> NFT_META_IIFGROUP: packet input interface group
+ *  <at> NFT_META_OIFGROUP: packet output interface group
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
 <at>  <at>  -596,6 +598,8  <at>  <at>  enum nft_meta_keys {
 	NFT_META_BRI_OIFNAME,
 	NFT_META_PKTTYPE,
 	NFT_META_CPU,
+	NFT_META_IIFGROUP,
+	NFT_META_OIFGROUP,
 };
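Review bot: the diffstat lists src/expr/meta.c with 4 insertions and 1 deletion, but that hunk is cut off here; the one deleted line is presumably the upper bound of the key validation (or the last entry of a key/name table), so please confirm it now ends at NFT_META_OIFGROUP and that a key beyond it is still rejected. Appending the two keys after NFT_META_CPU, as this hunk does, is the right placement: inserting them anywhere earlier would renumber the existing keys and break the ABI with older kernels.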

(Continue reading)

Ana Rey | 2 Sep 20:36 2014

[PATCH] netfilter: nf_tables: add devgroup support in meta expression

Add devgroup support to let us match the device group of a packet's incoming
or outgoing interface.

Signed-off-by: Ana Rey <anarey <at> gmail.com>
---
 include/uapi/linux/netfilter/nf_tables.h |    4 ++++
 net/netfilter/nft_meta.c                 |   12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 67218f3..7e5dbcd 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
 <at>  <at>  -573,6 +573,8  <at>  <at>  enum nft_exthdr_attributes {
  *  <at> NFT_META_BRI_OIFNAME: packet output bridge interface name
  *  <at> NFT_META_PKTTYPE: Packet type
  *  <at> NFT_META_CPU: Packet cpu
+ *  <at> NFT_META_IIFGROUP: packet input interface group
+ *  <at> NFT_META_OIFGROUP: packet output interface group
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
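Review bot: the new kernel-doc lines say "interface group" without saying which group; since NFT_META_IIF/OIF document the ifindex, spell out that this is the net_device group configured with 'ip link set dev <name> group <n>', e.g. ' * @NFT_META_IIFGROUP: packet input interface group (dev->group)'. Also, the existing NFT_META_PKTTYPE and NFT_META_CPU lines read "Packet type" and "Packet cpu" here but are more precise in the libnftnl copy of this header; the two copies are worth keeping identical.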
 <at>  <at>  -596,6 +598,8  <at>  <at>  enum nft_meta_keys {
 	NFT_META_BRI_OIFNAME,
 	NFT_META_PKTTYPE,
 	NFT_META_CPU,
+	NFT_META_IIFGROUP,
+	NFT_META_OIFGROUP,
 };
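Review bot: the net/netfilter/nft_meta.c part (12 insertions per the diffstat) is not visible here, and that is where the review risk lives: the eval for NFT_META_OIFGROUP has to bail out when there is no output device, the way the existing NFT_META_OIF handling does for hooks where out is NULL, rather than dereferencing it; and nft_meta_get_init() needs to accept the two new keys with the same 4-byte length as NFT_META_IIF/OIF. Please post or point at that hunk.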

(Continue reading)

Ana Rey | 2 Sep 20:13 2014

[PATCH] src: meta: Fix the size of cpu attribute.

Fix the size of cpu attribute in meta_template struct.

Signed-off-by: Ana Rey <anarey <at> gmail.com>
---
 src/meta.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/meta.c b/src/meta.c
index 1f7217f..bf41ac4 100644
--- a/src/meta.c
+++ b/src/meta.c
 <at>  <at>  -394,7 +394,7  <at>  <at>  static const struct meta_template meta_templates[] = {
 						BITS_PER_BYTE,
 						BYTEORDER_HOST_ENDIAN),
 	[NFT_META_CPU]		= META_TEMPLATE("cpu",  &integer_type,
-						BITS_PER_BYTE,
+						4 * BITS_PER_BYTE,
 						BYTEORDER_HOST_ENDIAN),
 };
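Review bot: the commit message says what changes but not why. The kernel writes the cpu id into a 32-bit register word, so with BITS_PER_BYTE the generated cmp only looked at one byte and 'meta cpu N' for N above 255 could neither be expressed nor matched correctly; one sentence saying so would make the fix reviewable from the message alone.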

--

-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Arturo Borrero Gonzalez | 2 Sep 16:42 2014

[nf_tables PATCH 1/6 v5] netfilter: nf_tables: refactor rule deletion helper

This helper function always schedules the rule to be removed in the following
transaction.
In follow-up patches, it is interesting to handle separately the logic of rule
activation/deactivation from the transaction mechanism.

So, this patch simply splits the original nf_tables_delrule_one() in two
functions, allowing further control.

While at it, for the sake of homogenizing the function naming scheme, let's
rename nf_tables_delrule_one() to nft_delrule().

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at> gmail.com>
---
v2: no changes, resending the series.
v3: change 'disactivate' and use 'deactivate'. Requested by Patrick.
v4: no changes, resending the series because v3 series is invalid.
v5: no changes, resending the series.

 net/netfilter/nf_tables_api.c |   26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index deeb95f..3664bab 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
 <at>  <at>  -1868,12 +1868,10  <at>  <at>  err1:
 }

 static int
-nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
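Review bot: the message says the helper is split into two functions but only names the survivor, nft_delrule(), and the hunk is cut off before the second function appears. Name the second function in the commit message and say which of the two performs the deactivation and which schedules it in the transaction, so the split is reviewable without reading the code.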
(Continue reading)

Pablo Neira Ayuso | 2 Sep 12:13 2014

[PATCH 0/7] pull request: Netfilter/IPVS fixes for net

Hi David,

The following patchset contains seven Netfilter fixes for your net
tree, they are:

1) Make the NAT infrastructure independent of x_tables, some users are
   already starting to test nf_tables with NAT without enabling x_tables.
   Without this patch for Kconfig, there's a superfluous dependency
   between NAT and x_tables.

2) Allow to use 0 in the cgroup match, the kernel rejects with -EINVAL
   with no good reason. From Daniel Borkmann.

3) Select CONFIG_NF_NAT from the nf_tables NAT expression, this also
   resolves another NAT dependency with x_tables.

4) Use HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL in the Netfilter hook
   code as elsewhere in the kernel to resolve toolchain problems, from
   Zhouyi Zhou.

5) Use iptunnel_handle_offloads() to set up tunnel encapsulation
   depending on the offload capabilities, reported by Alex Gartrell,
   patch from Julian Anastasov.

6) Fix wrong family when registering the ip_vs_local_reply6() hook,
   also from Julian.

7) Select the NF_LOG_* symbols from NETFILTER_XT_TARGET_LOG. Rafał
   Miłecki reported that when jumping from 3.16 to 3.17-rc, his log
   target is not selected anymore due to changes in the previous
   development cycle to accommodate the full logging support for
(Continue reading)

Pablo Neira Ayuso | 2 Sep 11:38 2014

[PATCH 1/3] netfilter: nft_hash: no need for rcu in the hash set destroy path

The sets are released from the rcu callback, after the rule is removed
from the chain list, which implies that nfnetlink cannot update the
hashes (thus, no resizing may occur) and no packets are walking on the
set anymore.

This resolves a lockdep splat in the nft_hash_destroy() path since the
nfnl mutex is not held there.

===============================
[ INFO: suspicious RCU usage. ]
3.16.0-rc2+ #168 Not tainted
-------------------------------
net/netfilter/nft_hash.c:362 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 1, debug_locks = 1
1 lock held by ksoftirqd/0/3:
 #0:  (rcu_callback){......}, at: [<ffffffff81096393>] rcu_process_callbacks+0x27e/0x4c7

stack backtrace:
CPU: 0 PID: 3 Comm: ksoftirqd/0 Not tainted 3.16.0-rc2+ #168
Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012
 0000000000000001 ffff88011769bb98 ffffffff8142c922 0000000000000006
 ffff880117694090 ffff88011769bbc8 ffffffff8107c3ff ffff8800cba52400
 ffff8800c476bea8 ffff8800c476bea8 ffff8800cba52400 ffff88011769bc08
Call Trace:
 [<ffffffff8142c922>] dump_stack+0x4e/0x68
 [<ffffffff8107c3ff>] lockdep_rcu_suspicious+0xfa/0x103
 [<ffffffffa079931e>] nft_hash_destroy+0x50/0x137 [nft_hash]
(Continue reading)

Yanchuan Nian | 2 Sep 08:58 2014

[nft] Some network services cannot be recognized

When matching a network service, we can identify it by protocol name or
port number, but
(1) some names include special characters, such as
    whois++ (63), sql*net(66), 914c/g(211)
(2) some names start with a number, such as
    9pfs(564), 3com-amp3(629), 3comnetman(1181), 3l-l1(1511), 3ds-lm(1538)
(3) some names conflict with keywords in nft, such as
    set(257), monitor(561), checksum(1386)
In these cases, the network service cannot be recognized correctly.
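A check for the problem Yanchuan describes, as an added example that is not part of the original post or of nftables: it parses /etc/services-style lines and flags the service names nft cannot accept as written, so that those rules are written with the port number instead. The identifier rule (a letter first, then letters, digits, '_', '-' and '.') only approximates nft's scanner, the keyword list is a constructed subset of nft keywords, and the sample services file is constructed from the names in the report.

```c
/* Added example, not nftables code: scan /etc/services-style entries and
 * flag the service names that nft's parser cannot take as written, so the
 * rule must use the port number instead. The identifier rule (first char a
 * letter, then letters, digits, '_', '-' and '.') approximates nft's
 * scanner and the keyword list is a constructed subset; both are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum svc_status { SVC_OK = 0, SVC_SPECIAL_CHAR, SVC_LEADING_DIGIT, SVC_KEYWORD };

struct svc_entry {
    char name[64];
    unsigned port;
    char proto[16];
    enum svc_status status;
};

/* Constructed subset of nft keywords that also occur as service names. */
static const char *const nft_keywords[] = {
    "set", "monitor", "checksum", "counter", "table", "chain", "input", "output", NULL
};

static int is_ident_char(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '-' || c == '.';
}

/* Apply the three problem classes from the report, in that order. */
enum svc_status svc_name_status(const char *name)
{
    const char *p;

    for (p = name; *p; p++)
        if (!is_ident_char((unsigned char)*p))
            return SVC_SPECIAL_CHAR;          /* e.g. whois++, sql*net, 914c/g */
    if (isdigit((unsigned char)name[0]))
        return SVC_LEADING_DIGIT;             /* e.g. 9pfs, 3com-amp3 */
    for (const char *const *kw = nft_keywords; *kw; kw++)
        if (strcmp(name, *kw) == 0)
            return SVC_KEYWORD;               /* e.g. set, monitor, checksum */
    return SVC_OK;
}

const char *svc_status_str(enum svc_status s)
{
    switch (s) {
    case SVC_OK:            return "ok";
    case SVC_SPECIAL_CHAR:  return "special character";
    case SVC_LEADING_DIGIT: return "starts with a digit";
    case SVC_KEYWORD:       return "nft keyword";
    }
    return "?";
}

/* Parse "name port/proto [aliases] [# comment]" lines; returns entries found. */
int services_scan(const char *text, struct svc_entry *out, int max)
{
    const char *p = text;
    int n = 0;

    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], *hash;
        struct svc_entry e;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        if ((hash = strchr(line, '#')) != NULL)
            *hash = '\0';                     /* drop trailing comments */
        if (sscanf(line, "%63s %u/%15s", e.name, &e.port, e.proto) != 3)
            continue;                         /* blank or comment-only line */
        e.status = svc_name_status(e.name);
        out[n++] = e;
    }
    return n;
}

/* Constructed excerpt in /etc/services format, using the names from the report. */
static const char SAMPLE_SERVICES[] =
    "# constructed sample, not a real /etc/services\n"
    "whois++     63/tcp\n"
    "sql*net     66/tcp\n"
    "914c/g      211/tcp\n"
    "9pfs        564/tcp\n"
    "set         257/tcp\n"
    "monitor     561/tcp\n"
    "checksum    1386/tcp\n"
    "ssh         22/tcp      # usable as-is\n";

/* Scan the sample and return the status of entry idx (-1 if out of range). */
int sample_entry_status(int idx)
{
    struct svc_entry e[16];
    int n = services_scan(SAMPLE_SERVICES, e, 16);
    return (idx >= 0 && idx < n) ? (int)e[idx].status : -1;
}

int main(void)
{
    struct svc_entry e[16];
    int n = services_scan(SAMPLE_SERVICES, e, 16), i;

    for (i = 0; i < n; i++)
        if (e[i].status != SVC_OK)
            printf("%-10s -> %s; write the rule with port %u instead\n",
                   e[i].name, svc_status_str(e[i].status), e[i].port);
    return 0;
}
```

Point services_scan() at the contents of a host's real /etc/services to get the list for that host; anything that is not SVC_OK should be written as a port number in the rule, e.g. 'tcp dport 564' rather than 'tcp dport 9pfs'.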

Yanchuan Nian | 2 Sep 08:55 2014

Re: [nft] Byteorder problem still exists in nft

On Mon, Sep 01, 2014 at 01:54:38PM +0200, Alvaro Neira Ayuso wrote:
> Hello
> 
> El 01/09/2014 11:25, "Yanchuan Nian" <ycnian <at> gmail.com> escribió:
> >
> > Hi,
> > There are still some byteorder problems in nft.
> >
> > The first one:
> > nft> add rule bridge filter input ip saddr 192.168.1.1 counter
> > nft> list table bridge filter
> > table bridge filter {
> >         chain input {
> >                  type filter hook input priority 0;
> >                  unknown unknown 0xc0a80101 [invalid type] counter packets 0 bytes 0
> >         }
> > }
> > nft>
> > I guess this error occurs in payload_gen_dependency(), which sets the
> > byteorder to host endian, but the ether type is big endian.
> >
> > The second one:
> > nft> add rule ip filter input ip length > 10 counter
> > BUG: invalid byte order conversion 0 => 2
> > nft: src/evaluate.c:153: byteorder_conversion_op: Assertion `0' failed.
> > This is because the datatype of ip length is integer_type, whose byteorder
> > is invalid.
> 
(Continue reading)

Pablo Neira Ayuso | 1 Sep 13:45 2014

[PATCH] netfilter: NETFILTER_XT_TARGET_LOG selects NF_LOG_*

From: Pablo Neira Ayuso <pablo <at> soleta.eu>

CONFIG_NETFILTER_XT_TARGET_LOG is not selected anymore when jumping
from 3.16 to 3.17-rc1 if you don't set on the new NF_LOG_IPV4 and
NF_LOG_IPV6 switches.

Change this to select the three new symbols NF_LOG_COMMON, NF_LOG_IPV4
and NF_LOG_IPV6 instead, so NETFILTER_XT_TARGET_LOG remains enabled
when moving from old to new kernels.

Reported-by: Rafał Miłecki <zajec5 <at> gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo <at> soleta.eu>
---
 net/netfilter/Kconfig |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 05eb177..4bef6eb 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
 <at>  <at>  -747,7 +747,9  <at>  <at>  config NETFILTER_XT_TARGET_LED

 config NETFILTER_XT_TARGET_LOG
 	tristate "LOG target support"
-	depends on NF_LOG_IPV4 && NF_LOG_IPV6
+	select NF_LOG_COMMON
+	select NF_LOG_IPV4
+	select NF_LOG_IPV6 if IPV6
 	default m if NETFILTER_ADVANCED=n
 	help
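Review bot: switching from 'depends on' to 'select' forces NF_LOG_COMMON, NF_LOG_IPV4 and NF_LOG_IPV6 on without Kconfig checking their own dependencies, since select bypasses them; please confirm that neither symbol has a 'depends on' that can be unmet when the LOG target is enabled (NF_LOG_IPV6 is guarded with 'if IPV6' here, NF_LOG_IPV4 is not guarded at all). The help text that follows should also say that enabling the LOG target now pulls in the NF_LOG_* logging backends, since the user no longer has to enable them by hand.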
(Continue reading)

Yanchuan Nian | 1 Sep 11:25 2014

[nft] Byteorder problem still exists in nft

Hi,
There are still some byteorder problems in nft.

The first one:
nft> add rule bridge filter input ip saddr 192.168.1.1 counter
nft> list table bridge filter
table bridge filter {
	chain input {
		 type filter hook input priority 0;
		 unknown unknown 0xc0a80101 [invalid type] counter packets 0 bytes 0
	}
}
nft>
I guess this error occurs in payload_gen_dependency(), which sets the byteorder
to host endian, but the ether type is big endian.

The second one:
nft> add rule ip filter input ip length > 10 counter
BUG: invalid byte order conversion 0 => 2
nft: src/evaluate.c:153: byteorder_conversion_op: Assertion `0' failed.
This is because the datatype of ip length is integer_type, whose byteorder is invalid.
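Both the "Fix the size of cpu attribute" patch earlier on this page and the first bug in this report come down to how the immediate that nft emits lines up with the register the kernel fills. The following is an added example, not nftables or kernel code: it models a 16-byte register and an equality cmp that compares the first len bytes, as nft_cmp does, with constructed cpu ids and ethertypes. It shows that a 1-byte template makes 'meta cpu 0' match on cpu 256, and that a host-endian immediate for the implicit 'ether type ip' dependency never matches the wire bytes on a little-endian host.

```c
/* Added example, not code from nftables or the kernel. It models an
 * nf_tables register and the equality cmp that nft emits for "meta cpu N"
 * and for the implicit "ether type ip" dependency, to show why both the
 * template width and the byte order of the immediate matter.
 * Assumptions: a register is 16 bytes (struct nft_data has four u32 words)
 * and cmp compares the first `len` bytes of the register with the immediate.
 * All cpu ids, ethertypes and rule values below are constructed. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFT_REG_SIZE 16

/* Equality cmp: only the first `len` bytes of the register take part. */
static int cmp_eq(const uint8_t *reg, const uint8_t *imm, size_t len)
{
    return memcmp(reg, imm, len) == 0;
}

/* "meta cpu" fills the register with the cpu id as a host-endian u32. */
static void reg_load_cpu(uint8_t reg[NFT_REG_SIZE], uint32_t cpu)
{
    memset(reg, 0, NFT_REG_SIZE);
    memcpy(reg, &cpu, sizeof cpu);
}

/* The "ether type" payload load copies the raw wire bytes: big endian. */
static void reg_load_ethertype(uint8_t reg[NFT_REG_SIZE], uint16_t ethertype)
{
    uint16_t wire = htons(ethertype);
    memset(reg, 0, NFT_REG_SIZE);
    memcpy(reg, &wire, sizeof wire);
}

/* Does the rule "meta cpu <rule_cpu>" match on <running_cpu> when the meta
 * template is <template_bytes> wide? nft encodes the immediate in host byte
 * order and truncates it to the template width. */
int meta_cpu_matches(uint32_t rule_cpu, uint32_t running_cpu, size_t template_bytes)
{
    uint8_t reg[NFT_REG_SIZE], imm[NFT_REG_SIZE] = {0};

    reg_load_cpu(reg, running_cpu);
    memcpy(imm, &rule_cpu, template_bytes);   /* truncation happens here */
    return cmp_eq(reg, imm, template_bytes);
}

/* Does the implicit dependency "ether type == <dep_value>" match a frame
 * whose wire ethertype is <wire_ethertype>, when the immediate is encoded
 * big endian (correct) or left in host byte order (the reported bug)? */
int ethertype_dep_matches(uint16_t wire_ethertype, uint16_t dep_value, int imm_big_endian)
{
    uint8_t reg[NFT_REG_SIZE], imm[2];
    uint16_t v = imm_big_endian ? htons(dep_value) : dep_value;

    reg_load_ethertype(reg, wire_ethertype);
    memcpy(imm, &v, sizeof v);
    return cmp_eq(reg, imm, sizeof v);
}

/* 1 on a big-endian host, 0 on a little-endian one. */
int host_is_big_endian(void)
{
    return htons(1) == 1;
}

int main(void)
{
    /* Constructed scenario: rule "meta cpu 0", packet handled on cpu 256. */
    printf("template 1 byte : 'meta cpu 0' matches on cpu 256? %d (the bug)\n",
           meta_cpu_matches(0, 256, 1));
    printf("template 4 bytes: 'meta cpu 0' matches on cpu 256? %d\n",
           meta_cpu_matches(0, 256, 4));
    /* Constructed scenario: "ip saddr" in the bridge family, wire type 0x0800. */
    printf("ether type dep, big-endian immediate : %d\n",
           ethertype_dep_matches(0x0800, 0x0800, 1));
    printf("ether type dep, host-endian immediate: %d (1 only on big-endian hosts)\n",
           ethertype_dep_matches(0x0800, 0x0800, 0));
    return 0;
}
```

The second bug in the report is not modelled here: there the datatype carries no byte order at all, so nft's conversion asserts before any cmp is emitted.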

