subashab | 30 Jul 04:34 2015

[PATCH nf-next] netfilter: ip6t_REJECT: Log reject reason in reject_tg6()

The existing message is not very useful, so add the reject reason
to help with debugging.

Signed-off-by: Subash Abhinov Kasiviswanathan <subashab <at>>
 net/ipv6/netfilter/ip6t_REJECT.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/netfilter/ip6t_REJECT.c
index 544b0a9..f956513 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
 <at>  <at>  -42,7 +42,7  <at>  <at>  reject_tg6(struct sk_buff *skb, const struct
xt_action_param *par)
 	const struct ip6t_reject_info *reject = par->targinfo;
 	struct net *net = dev_net((par->in != NULL) ? par->in : par->out);

-	pr_debug("%s: medium point\n", __func__);
+	pr_debug("%s: case %u\n", __func__, reject->with);
 	switch (reject->with) {
 		nf_send_unreach6(net, skb, ICMPV6_NOROUTE, par->hooknum);
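Review bot: the new `pr_debug("%s: case %u\n", __func__, reject->with)` prints the reject reason as a bare number, while the subject line promises the reason itself; whoever reads the debug log still has to map that number back to the `reject->with` enum by hand. Since the `switch (reject->with)` that follows already branches per reason (e.g. the `nf_send_unreach6(net, skb, ICMPV6_NOROUTE, par->hooknum)` arm), a short name table indexed by `reject->with`, or a `pr_debug()` inside each case naming the ICMPv6 type being sent, would make the log self-explanatory. `%u` is the right conversion for the `__u32 with` field, so the format itself is fine.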
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux
Foundation Collaborative Project

To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

Bernhard Thaler | 30 Jul 06:07 2015

[PATCHv3 2/2 nf] netfilter: bridge: fix IPv6 packets not being bridged with CONFIG_IPV6=n

230ac490f7fba introduced a dependency on CONFIG_IPV6 which breaks bridging
of IPv6 packets on a bridge with CONFIG_IPV6=n. This is due to the default
value 1 for the sysctl entry /proc/sys/net/bridge/bridge-nf-call-ip6tables;
manually setting it to 0 makes IPv6 packets traverse the bridge again.

Default /proc/sys/net/bridge/bridge-nf-call-ip6tables to 0 if
CONFIG_IP6_NF_IPTABLES is not enabled as CONFIG_IP6_NF_IPTABLES depends on
CONFIG_IPV6 as well and is needed for ip6tables to work correctly.

Do not expose sysctl entry /proc/sys/net/bridge/bridge-nf-call-ip6tables
and sysfs entry /sys/class/net/brXXX/bridge/nf_call_ip6tables if
CONFIG_IP6_NF_IPTABLES is not enabled.

Make br_netfilter_ipv6.o dependent on CONFIG_IP6_NF_IPTABLES instead of

Set global brnf_call_* variables to defaults in br_nf_proc_register() and
br_nf_ipv6_proc_register() at module init instead of at variable definition
to avoid further #ifdef CONFIG_SYSCTL constructs.

Define br_nf_ipv6_proc_register() and br_nf_ipv6_proc_unregister() to avoid

Tested with a simple bridge with two interfaces and IPv6 packets trying
to pass from a host on the left side to a host on the right side of the bridge.

Fixes: 230ac490f7fba ("netfilter: bridge: split ipv6 code into separated file")

Signed-off-by: Bernhard Thaler <bernhard.thaler <at>>

Bernhard Thaler | 30 Jul 06:06 2015

[PATCH 1/2 nf] netfilter: bridge: do not initialize statics to 0 or NULL

Fix "ERROR: do not initialise statics to 0 or NULL" for
all statics explicitly initialized to 0.

Signed-off-by: Bernhard Thaler <bernhard.thaler <at>>
 net/bridge/br_netfilter_hooks.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index c8b9bcf..624e1f2 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
 <at>  <at>  -49,9 +49,9  <at>  <at>  static struct ctl_table_header *brnf_sysctl_header;
 static int brnf_call_iptables __read_mostly = 1;
 static int brnf_call_ip6tables __read_mostly = 1;
 static int brnf_call_arptables __read_mostly = 1;
-static int brnf_filter_vlan_tagged __read_mostly = 0;
-static int brnf_filter_pppoe_tagged __read_mostly = 0;
-static int brnf_pass_vlan_indev __read_mostly = 0;
+static int brnf_filter_vlan_tagged __read_mostly;
+static int brnf_filter_pppoe_tagged __read_mostly;
+static int brnf_pass_vlan_indev __read_mostly;
 #define brnf_call_iptables 1
 #define brnf_call_ip6tables 1


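Review bot: the three dropped `= 0` initializers (`brnf_filter_vlan_tagged`, `brnf_filter_pppoe_tagged`, `brnf_pass_vlan_indev`) change nothing at runtime, because objects with static storage duration are zero-initialized by the C standard; it would help reviewers if the commit message said explicitly that this is a checkpatch-only cleanup with no functional change. The surrounding `brnf_call_*` statics initialized to 1 are correctly left alone, and the trailing `#define brnf_call_iptables 1` context shows the fallback values used when the sysctl knobs are compiled out, which this hunk does not touch.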

Tarik Demirci | 24 Jul 12:34 2015

IPv4 IPv6 parallel dns lookup in combination with nfqueue is problematic

Hi Everyone,

I have a simple daemon listening for packets coming from nfqueue. When
a client issues parallel DNS requests for IPv4 and IPv6 addresses
(since glibc 2.9 this is the default behaviour), the IPv6 request is dropped
on its way through the gateway. The client, after a 5 second timeout, sends these
requests sequentially and there is no problem in this case.

I applied a kernel patch from an earlier mail ( ) to kernel
version 3.16. This patch solves the problem, but I'm unaware of the
performance and security implications of this solution. I hope to find
a better solution that doesn't require patching the kernel.


Related links to the problem:

Extra info:
I insert packets into nfqueue in the mangle table (rather than raw) because
the daemon will need to process connection marks in the future.
Currently, it reads packets from the queue, marks them and allows them to
pass (NF_ACCEPT).


Florian Westphal | 23 Jul 16:21 2015

[PATCH nf-next] netfilter: bridge: reduce nf_bridge_info to 32 bytes again

We can use a union for most of the temporary cruft (original ipv4/ipv6
address, source mac, physoutdev) since they're used during different
stages of br netfilter traversal.

Also get rid of the last two ->mask users.

Shrinks the struct from 48 to 32 bytes on 64-bit archs.

Signed-off-by: Florian Westphal <fw <at>>
 include/linux/netfilter_bridge.h          | 12 +++++++++---
 include/linux/skbuff.h                    | 19 +++++++++++++------
 net/bridge/br_netfilter_hooks.c           | 14 ++++++--------
 net/bridge/br_netfilter_ipv6.c            |  2 +-
 net/ipv4/netfilter/nf_defrag_ipv4.c       |  7 ++-----
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c |  7 ++-----
 6 files changed, 33 insertions(+), 28 deletions(-)

diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
index 6d80fc6..92dc1ac 100644
--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
 <at>  <at>  -17,9 +17,6  <at>  <at>  enum nf_br_hook_priorities {


-#define BRNF_BRIDGED_DNAT		0x02
 int br_handle_frame_finish(struct sock *sk, struct sk_buff *skb);

Pablo Neira Ayuso | 23 Jul 13:09 2015

[PATCH nf] netfilter: nf_conntrack: silence warning on falling back to vmalloc()

Since 88eab472ec21 ("netfilter: conntrack: adjust nf_conntrack_buckets default
value"), the hashtable can easily hit this warning. We got reports from users
that are getting this message in quite a spamming fashion, so better silence

Signed-off-by: Pablo Neira Ayuso <pablo <at>>
Acked-by: Florian Westphal <fw <at>>
 net/netfilter/nf_conntrack_core.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 651039a..f168099 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
 <at>  <at>  -1544,10 +1544,8  <at>  <at>  void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
 	sz = nr_slots * sizeof(struct hlist_nulls_head);
 	hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,
-	if (!hash) {
-		printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
+	if (!hash)
 		hash = vzalloc(sz);
-	}

 	if (hash && nulls)
 		for (i = 0; i < nr_slots; i++)


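Review bot: with the `printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n")` removed and `__GFP_NOWARN` already set on the `__get_free_pages()` call, a failed contiguous allocation now leaves no trace at all before `vzalloc(sz)` takes over. If the message is too noisy with the larger default bucket count, a `pr_info_once()` or a rate-limited `pr_debug()` in the `if (!hash)` branch would keep the signal for someone diagnosing memory pressure without the spam. Dropping the braces around the now single-statement `if` body is consistent with kernel style.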

Pablo Neira Ayuso | 23 Jul 12:31 2015

[PATCH nf-next] netfilter: nf_queue: fix nf_queue_nf_hook_drop()

This function reacquires the rtnl_lock() which is already held by

This can be triggered via: modprobe nf_conntrack_ipv4 && rmmod nf_conntrack_ipv4

[  720.628746] INFO: task rmmod:3578 blocked for more than 120 seconds.
[  720.628749]       Not tainted 4.2.0-rc2+ #113
[  720.628752] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  720.628754] rmmod           D ffff8800ca46fd58     0  3578   3571 0x00000080
[  720.628783] Call Trace:
[  720.628790]  [<ffffffff8152ea0b>] schedule+0x6b/0x90
[  720.628795]  [<ffffffff8152ecb3>] schedule_preempt_disabled+0x13/0x20
[  720.628799]  [<ffffffff8152ff55>] mutex_lock_nested+0x1f5/0x380
[  720.628803]  [<ffffffff81462622>] ? rtnl_lock+0x12/0x20
[  720.628807]  [<ffffffff81462622>] ? rtnl_lock+0x12/0x20
[  720.628812]  [<ffffffff81462622>] rtnl_lock+0x12/0x20
[  720.628817]  [<ffffffff8148ab25>] nf_queue_nf_hook_drop+0x15/0x160
[  720.628825]  [<ffffffff81488d48>] nf_unregister_net_hook+0x168/0x190
[  720.628831]  [<ffffffff81488e24>] nf_unregister_hook+0x64/0x80
[  720.628837]  [<ffffffff81488e60>] nf_unregister_hooks+0x20/0x30

Moreover, nf_unregister_net_hook() should only destroy the queue for this
netns, not for every netns.

Reported-by: Fengguang Wu <fengguang.wu <at>>
Fixes: 085db2c04557 ("netfilter: Per network namespace netfilter hooks.")
Signed-off-by: Pablo Neira Ayuso <pablo <at>>

Daniel Borkmann | 22 Jul 12:59 2015

[PATCH iptables] libxt_CT: add support for recently introduced zone options

This adds the user space front-end and man-page bits for the
additional zone options (direction, mark) of the CT target.

Signed-off-by: Daniel Borkmann <daniel <at>>
 No changes, only resent.

 extensions/libxt_CT.c           | 102 +++++++++++++++++++++++++++++++++++-----
 extensions/         |   9 +++-
 include/linux/netfilter/xt_CT.h |   3 ++
 3 files changed, 100 insertions(+), 14 deletions(-)

diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index 6b28fe1..86b1221 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
 <at>  <at>  -16,7 +16,8  <at>  <at>  static void ct_help(void)
 " --helper name			Use conntrack helper 'name' for connection\n"
 " --ctevents event[,event...]	Generate specified conntrack events for connection\n"
 " --expevents event[,event...]	Generate specified expectation events for connection\n"
-" --zone ID			Assign/Lookup connection in zone ID\n"
+" --zone {ID|mark}		Assign/Lookup connection in zone ID/packet nfmark\n"
+" --zone-dir {ORIGINAL|REPLY}	Only apply zone in a particular direction\n"

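Review bot: the new `--zone-dir {ORIGINAL|REPLY}` help line says the zone is only applied in a particular direction, but not what happens when the option is omitted; the help text (and the corresponding man-page hunk) should state the default behaviour so users know whether leaving it out covers both directions. The `--zone {ID|mark}` line is clear that `mark` takes the zone from the packet nfmark; one tab of alignment differs from the neighbouring options, which is worth normalising while touching these lines.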
 <at>  <at>  -29,7 +30,8  <at>  <at>  static void ct_help_v1(void)
 " --timeout name 		Use timeout policy 'name' for connection\n"
 " --ctevents event[,event...]	Generate specified conntrack events for connection\n"
 " --expevents event[,event...]	Generate specified expectation events for connection\n"

Daniel Borkmann | 22 Jul 12:54 2015

[PATCH nf-next v3 0/3] Netfilter zone directions

This is v3 of the originally named flextuples [1] patch set, but
this time after discussions from NFWS completely reworked towards
integration into the existing zones infrastructure. Please see
individual patches for details.



v2 -> v3:
 - Have a global default zone object, use it directly
 - Do not touch uapi-exposed ct->status bits, but integrate
   the marking flag into the zones structure
 - Rebased onto latest nf-next, rerun all stress tests
v1 -> v2:
 - Reworked entire set, integration into zones
 - Rebased onto latest nf-next

Daniel Borkmann (3):
  netfilter: nf_conntrack: push zone object into functions
  netfilter: nf_conntrack: add direction support for zones
  netfilter: nf_conntrack: add efficient mark to zone mapping

 include/net/netfilter/nf_conntrack.h               |   6 +-
 include/net/netfilter/nf_conntrack_core.h          |   3 +-
 include/net/netfilter/nf_conntrack_expect.h        |  11 +-
 include/net/netfilter/nf_conntrack_zones.h         |  82 ++++++++++--
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |   9 ++
 include/uapi/linux/netfilter/xt_CT.h               |   8 +-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |   2 +-

Felix Bolte | 22 Jul 11:21 2015

ip(6)tables-restore segfault + patch


While fuzzing iptables-restore input with afl [0],
I found a very old and known crash to still exist;
there was even a mailing list discussion [1][2] about it.

Instead of fixing the real cause,
the restore input was parsed for "-t" and "--table";
however, this was not enough and the error could
still be triggered by e.g. "-vtnew".

Please consider/review my two attached patches:
the first patch fixes the segfault less intrusively
and the second one removes the insufficient "-t" check.


best regards

Joe Stringer | 22 Jul 06:37 2015

[PATCH nf] netfilter: Support expectations in different zones

When zones were originally introduced, the expectation functions were
all extended to perform lookup using the zone. However, insertion was
not modified to check the zone. This means that two expectations which
are intended to apply for different connections that have the same tuple
but exist in different zones cannot both be tracked.

Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for "conntrack zones")

Signed-off-by: Joe Stringer <joestringer <at>>
 net/netfilter/nf_conntrack_expect.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 7a17070..b45a422 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
 <at>  <at>  -219,7 +219,8  <at>  <at>  static inline int expect_clash(const struct nf_conntrack_expect *a,
 			a->mask.src.u3.all[count] & b->mask.src.u3.all[count];

-	return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
+	return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask) &&
+	       nf_ct_zone(a->master) == nf_ct_zone(b->master);

 static inline int expect_matches(const struct nf_conntrack_expect *a,


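Review bot: the diffstat (2 insertions, 1 deletion) shows only `expect_clash()` gains the `nf_ct_zone(a->master) == nf_ct_zone(b->master)` check, while the neighbouring `expect_matches()` visible in the trailing context also compares expectations by tuple; the commit message should say whether that path is already zone-aware or why it does not need the same treatment. Also, since the concurrent nf-next series on this list ("netfilter: nf_conntrack: push zone object into functions") changes what `nf_ct_zone()` returns, the plain `==` comparison here will need to be revisited when this nf fix is merged forward, so a note to that effect would save the next person a surprise.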