Florian Westphal | 29 Jan 10:59 2015

[PATCH next] netfilter: reject: don't send icmp error if packet has invalid checksum

tcp resets are never emitted if the packet that triggers the
reject/reset has an invalid checksum.

For icmp error responses there was no such check.
This makes it possible to distinguish icmp responses generated via

iptables -I INPUT -p udp --dport 42 -j REJECT

from those emitted by the network stack (which won't respond if the csum is
invalid; REJECT does).

Arguably it's possible to avoid this by using conntrack and only using
REJECT with -m conntrack NEW/RELATED.

However, this doesn't work when connection tracking is not in use or
when using nf_conntrack_checksum=0.

Furthermore, sending errors in response to invalid csums doesn't make
much sense, so just add a similar test to the one in nf_send_reset.

Signed-off-by: Florian Westphal <fw <at> strlen.de>
---
 include/net/netfilter/ipv4/nf_reject.h |  6 +-----
 include/net/netfilter/ipv6/nf_reject.h | 11 ++---------
 net/ipv4/netfilter/ipt_REJECT.c        | 17 +++++++++--------
 net/ipv4/netfilter/nf_reject_ipv4.c    | 12 ++++++++++++
 net/ipv4/netfilter/nft_reject_ipv4.c   |  3 ++-
 net/ipv6/netfilter/nf_reject_ipv6.c    | 29 +++++++++++++++++++++++++++++
 net/netfilter/nft_reject_inet.c        |  6 ++++--
 7 files changed, 59 insertions(+), 25 deletions(-)
(Continue reading)
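The distinction the message draws, as an added example that is not part of the patch or of the kernel: a user-space C model of the checksum test a reject path should apply before answering with an ICMP error. It verifies the IPv4 header checksum and the UDP checksum over the pseudo-header on a constructed packet, treats a zero IPv4 UDP checksum as "not checksummed" (as the stack does), and returns whether an ICMP error may be sent. The function names, the 10.0.0.1 -> 10.0.0.2 sample packet and the scenario helper are assumptions of this example, not kernel code.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * the check the commit message describes. An ICMP error may be sent only if the
 * triggering packet's checksums verify. Addresses/ports/payload are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPPROTO_UDP_ 17

/* One's-complement sum of big-endian 16-bit words; an odd trailing byte is padded. */
static uint32_t csum_partial(const uint8_t *buf, size_t len, uint32_t sum)
{
	for (; len > 1; buf += 2, len -= 2)
		sum += ((uint32_t)buf[0] << 8) | buf[1];
	if (len)
		sum += (uint32_t)buf[0] << 8;
	return sum;
}

static uint16_t csum_fold(uint32_t sum)
{
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* UDP checksum over the IPv4 pseudo-header plus the datagram; 0 == consistent. */
static uint16_t ipv4_l4_csum(const uint8_t *pkt, size_t len)
{
	size_t ihl = (pkt[0] & 0x0f) * 4, l4len = len - ihl;
	uint32_t sum = csum_partial(pkt + 12, 8, 0);	/* src + dst address */

	sum += pkt[9];					/* zero byte + protocol */
	sum += (uint32_t)l4len;				/* L4 length */
	return csum_fold(csum_partial(pkt + ihl, l4len, sum));
}

/* 1: an ICMP error may be sent; 0: stay silent. Model assumptions: fragments are
 * never answered (their L4 checksum cannot be verified), a zero UDP checksum means
 * "not checksummed" on IPv4 and passes, protocols other than UDP are not verified. */
int reject_may_send_icmp_error(const uint8_t *pkt, size_t len)
{
	size_t ihl;
	if (len < 20 || (pkt[0] >> 4) != 4)
		return 0;
	ihl = (pkt[0] & 0x0f) * 4;
	if (ihl < 20 || len < ihl)
		return 0;
	if (csum_fold(csum_partial(pkt, ihl, 0)) != 0)	/* IP header checksum */
		return 0;
	if ((pkt[6] & 0x3f) || pkt[7])			/* MF set or offset != 0 */
		return 0;
	if (pkt[9] != IPPROTO_UDP_)
		return 1;
	if (len - ihl < 8)
		return 0;
	if (pkt[ihl + 6] == 0 && pkt[ihl + 7] == 0)	/* RFC 768: no checksum */
		return 1;
	return ipv4_l4_csum(pkt, len) == 0;
}

/* Build a constructed IPv4/UDP packet 10.0.0.1:4242 -> 10.0.0.2:42 into buf (needs
 * 28 + strlen(payload) bytes); with_csum == 0 leaves the UDP checksum field zero. */
size_t build_udp_packet(uint8_t *buf, const char *payload, int with_csum)
{
	size_t plen = strlen(payload), total = 28 + plen;
	uint16_t c;
	memset(buf, 0, total);
	buf[0] = 0x45;					/* IPv4, IHL 5 */
	buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
	buf[9] = IPPROTO_UDP_;
	memcpy(buf + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);
	c = csum_fold(csum_partial(buf, 20, 0));
	buf[10] = (uint8_t)(c >> 8); buf[11] = (uint8_t)c;
	buf[20] = (uint8_t)(4242 >> 8); buf[21] = (uint8_t)4242; buf[23] = 42;
	buf[24] = (uint8_t)((8 + plen) >> 8); buf[25] = (uint8_t)(8 + plen);
	memcpy(buf + 28, payload, plen);
	if (with_csum) {
		c = ipv4_l4_csum(buf, total);
		if (c == 0)
			c = 0xffff;			/* RFC 768: 0 means "none" */
		buf[26] = (uint8_t)(c >> 8); buf[27] = (uint8_t)c;
	}
	return total;
}

/* Scenarios: 0 valid, 1 payload bit flipped, 2 zero UDP checksum, 3 bad IP csum. */
int scenario(int which)
{
	uint8_t p[128];
	size_t n = build_udp_packet(p, "hello", which != 2);
	if (which == 1)
		p[30] ^= 0x01;				/* flip a payload bit */
	else if (which == 3)
		p[10] ^= 0x01;				/* corrupt the IP header checksum */
	return reject_may_send_icmp_error(p, n);
}
```

scenario(1) is the case the message is about: a UDP datagram whose checksum no longer verifies. Before the patch, REJECT would still answer it with an ICMP error while the stack's own UDP code would drop it silently, which is exactly the difference an observer can use to tell the two apart; with the check in place both stay silent.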

Ander Juaristi Alamos | 27 Jan 15:54 2015

I want to help. Pointers?

Hi all,

I'd love to help with this project. I was thinking of starting with nft, fixing some of the bugs listed in its
Bugzilla page. However, I can't see much activity there. All the submitted bugs have status "NEW" (except
one), and are assigned to the same person, which I think is the default. Is it OK if I pick one item from the
list and start working on it (after discussing it with you, of course), or do they have to be reviewed first?
I haven't found any formal instructions for working with bugs/feature requests apart from the guidelines
provided at http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.4.
 
Regards,

- AJ
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Ana Rey Botello | 26 Jan 20:43 2015

[nf v2 0/6] Accounting objects support in nft

Hi,

With this patchset, we add accounting objects support to let us
manipulate extended accounting objects.

Example of use in nft:

 # nft add counter ip filter http-traffic
 # nft add counter ip filter https-traffic

 # nft add rule ip filter output tcp dport 80 counter name http-traffic
 # nft add rule ip filter output tcp dport 443 counter name https-traffic

 # nft delete counter ip filter https-traffic

 # nft list table ip test

table ip filter {
        counter http-traffic { pkts 779 bytes 99495}
        counter https-traffic { pkts 189 bytes 37824}

        chain output {
             type filter hook output priority 0;
             tcp dport http counter http-traffic
             tcp dport https counter https-traffic
        }
}

It is difficult to reuse the existing code of nfacct because:
 * nfacct does not have transaction support.
(Continue reading)

Giuseppe Longo | 26 Jan 16:27 2015

[nft_compat PATCH v3] nft_compat: adds support for ebtables match/target

This extends nft_compat to support ebtables matches/targets.

Signed-off-by: Giuseppe Longo <giuseppelng <at> gmail.com>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at> gmail.com>
---
 net/netfilter/nft_compat.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 265e190..b0635c4 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
 <at>  <at>  -19,6 +19,7  <at>  <at> 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_bridge/ebtables.h>
 #include <net/netfilter/nf_tables.h>

 static int nft_compat_chain_validate_dependency(const char *tablename,
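Review bot: the changelog does not say how NFPROTO_BRIDGE is handled by nft_compat_chain_validate_dependency(), whose signature is the trailing context of this hunk; since only net/netfilter/nft_compat.c changes (13 insertions), please state in the commit message whether bridge chains need a table-name dependency check of their own or are deliberately exempt from it.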
 <at>  <at>  -40,6 +41,7  <at>  <at>  static int nft_compat_chain_validate_dependency(const char *tablename,
 union nft_entry {
 	struct ipt_entry e4;
 	struct ip6t_entry e6;
+	struct ebt_entry ebt;
 };

 static inline void
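Review bot: union nft_entry now also holds struct ebt_entry, so its size becomes the largest of the three members; every caller that zeroes or copies the union by sizeof (not visible in this excerpt) now operates on the ebt layout too, and the per-family code that fills entry->e4 / entry->e6 needs an explicit branch for the bridge family so that an ebtables target's checkentry never sees an entry whose ebt fields were left as whatever the overlapping ip fields contained.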
 <at>  <at>  -100,6 +102,10  <at>  <at>  nft_target_set_tgchk_param(struct xt_tgchk_param *par,
 		entry->e6.ipv6.proto = proto;
(Continue reading)

Alvaro Neira Ayuso | 26 Jan 14:04 2015

[libnftnl PATCH 4/5 v3] example: Parse and create netlink message using the new parsing functions.

With this example, we can parse the elements in the ruleset and create the
netlink message with the action associated. For example:

- Flush ruleset
- Add, delete or flush tables/chains
- Add, delete sets
- Add, delete set elements
- Add, delete, replace or prepend rules

Signed-off-by: Alvaro Neira Ayuso <alvaroneay <at> gmail.com>
---
[changes in v3]
 * Rename the example to a clearer name.
 * Change the help text to better explain the use of this file.

 examples/Makefile.am              |    4 +
 examples/nft-ruleset-parse-file.c |  439 +++++++++++++++++++++++++++++++++++++
 2 files changed, 443 insertions(+)
 create mode 100644 examples/nft-ruleset-parse-file.c

diff --git a/examples/Makefile.am b/examples/Makefile.am
index fafcb76..e002d36 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
 <at>  <at>  -22,6 +22,7  <at>  <at>  check_PROGRAMS = nft-table-add		\
 		 nft-set-elem-get	\
 		 nft-set-elem-del	\
 		 nft-ruleset-get	\
+		 nft-ruleset-parse-file	\
 		 nft-compat-get
(Continue reading)

Alvaro Neira Ayuso | 26 Jan 12:39 2015

[libnftnl PATCH 4/5 v2] example: Parse and create netlink message using the new parsing functions.

With this example, we can parse the elements in the ruleset and create the
netlink message with the action associated. For example:

- Flush ruleset
- Add, delete or flush tables/chains
- Add, delete sets
- Add, delete set elements
- Add, delete, replace or prepend rules

Signed-off-by: Alvaro Neira Ayuso <alvaroneay <at> gmail.com>
---
[changes in v2]
 * Unset the handle in rules if we want to add or insert it.

 examples/Makefile.am       |    4 +
 examples/nft-ruleset-cmd.c |  439 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 443 insertions(+)
 create mode 100644 examples/nft-ruleset-cmd.c

diff --git a/examples/Makefile.am b/examples/Makefile.am
index fafcb76..f2a2740 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
 <at>  <at>  -22,6 +22,7  <at>  <at>  check_PROGRAMS = nft-table-add		\
 		 nft-set-elem-get	\
 		 nft-set-elem-del	\
 		 nft-ruleset-get	\
+		 nft-ruleset-cmd	\
 		 nft-compat-get

(Continue reading)

Pablo Neira Ayuso | 26 Jan 11:51 2015

[PATCH nf] netfilter: nf_tables: disable preemption when restoring chain counters

With CONFIG_DEBUG_PREEMPT=y

[22144.496057] BUG: using smp_processor_id() in preemptible [00000000] code: iptables-compat/10406
[22144.496061] caller is debug_smp_processor_id+0x17/0x1b
[22144.496065] CPU: 2 PID: 10406 Comm: iptables-compat Not tainted 3.19.0-rc4+ #
[...]
[22144.496092] Call Trace:
[22144.496098]  [<ffffffff8145b9fa>] dump_stack+0x4f/0x7b
[22144.496104]  [<ffffffff81244f52>] check_preemption_disabled+0xd6/0xe8
[22144.496110]  [<ffffffff81244f90>] debug_smp_processor_id+0x17/0x1b
[22144.496120]  [<ffffffffa07c557e>] nft_stats_alloc+0x94/0xc7 [nf_tables]
[22144.496130]  [<ffffffffa07c73d2>] nf_tables_newchain+0x471/0x6d8 [nf_tables]
[22144.496140]  [<ffffffffa07c5ef6>] ? nft_trans_alloc+0x18/0x34 [nf_tables]
[22144.496154]  [<ffffffffa063c8da>] nfnetlink_rcv_batch+0x2b4/0x457 [nfnetlink]

Reported-by: Andreas Schultz <aschultz <at> tpip.net>
Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 net/netfilter/nf_tables_api.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 7e68694..b543606 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
 <at>  <at>  -1134,9 +1134,11  <at>  <at>  static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
 	/* Restore old counters on this cpu, no problem. Per-cpu statistics
 	 * are not exposed to userspace.
 	 */
+	preempt_disable();
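Review bot: preempt_disable() is placed right after the comment that says restoring "on this cpu" is "no problem", which makes that comment stale; the reason for the change (see the smp_processor_id() splat above) is that a preemptible task can migrate between obtaining the cpu id and writing the per-cpu slot, so the comment should say that, and the matching preempt_enable() (the diffstat's second insertion, beyond the cut here) must cover the whole per_cpu access including any error return in between.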
(Continue reading)

Karin Lock | 24 Jan 15:09 2015

Financing offer


Hello
I finance all large projects and I grant loans at 3 % interest.
Please write to me to apply for a loan.
E-mail: lock.karin <at> yahoo.com
Kind regards.



Pablo Neira Ayuso | 23 Jan 21:25 2015

Sad news - our Netfilter colleague Holger Eitzenberger passed away

Dear Netfilter community,

We want to inform you that earlier this week we learnt that our
colleague and friend Holger Eitzenberger had died unexpectedly.

Holger was a long-term Netfilter contributor during the last 10 years.
We will remember all the fun we have had during the Netfilter
Workshops and Linux Meetings.

Our thoughts go out to his family.

He will be greatly missed.

Alvaro Neira Ayuso | 23 Jan 15:49 2015

[libnftnl PATCH] set: refactor code in json parse function

This patch refactors the code that parses the set into two functions,
nft_jansson_parse_set_info and nft_jansson_parse_set. These changes are used
in follow-up patches.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay <at> gmail.com>
---
 src/set.c |   22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/set.c b/src/set.c
index 61e0632..4fd786a 100644
--- a/src/set.c
+++ b/src/set.c
 <at>  <at>  -410,19 +410,15  <at>  <at>  int nft_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set *s)
 EXPORT_SYMBOL(nft_set_nlmsg_parse);

 #ifdef JSON_PARSING
-int nft_jansson_parse_set(struct nft_set *s, json_t *tree,
-			  struct nft_parse_err *err)
+static int nft_jansson_parse_set_info(struct nft_set *s, json_t *tree,
+				      struct nft_parse_err *err)
 {
-	json_t *root, *array, *json_elem;
+	json_t *root = tree, *array, *json_elem;
 	uint32_t flags, key_type, key_len, data_type, data_len, policy, size;
 	int family, i;
 	const char *name, *table;
 	struct nft_set_elem *elem;

-	root = nft_jansson_get_node(tree, "set", err);
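Review bot: nft_jansson_parse_set_info() now takes root = tree directly and the removed nft_jansson_get_node(tree, "set", err) lookup moves to the caller beyond this excerpt; make sure the new wrapper nft_jansson_parse_set() keeps the original failure semantics (err populated and a negative return when the "set" node is missing) and the same external signature, since the diffstat (15 insertions, 7 deletions) is the only hint here that the lookup was re-added rather than dropped.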
(Continue reading)

