Thomas Backlund | 24 Oct 21:23 2014

[PATCH] add missing ipset_parse_tcp_udp_port to libipset.map

Found this issue when we switched from the 6.19 static build to the 6.21 dynamic
build, and it is still there in 6.23

--
Thomas
Marcelo Ricardo Leitner | 24 Oct 14:59 2014

[PATCH 1/3] Introduce nft_log_dereference() macro

Wrap up a common call pattern in an easier to handle call.

Signed-off-by: Marcelo Ricardo Leitner <mleitner <at> redhat.com>
---
 net/netfilter/nf_log.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index daad6022c689c47a66a47e7a89a83c0c848c53d6..f1409d95f810c689ec70755eb8a85125d291ad47 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
 <at>  <at>  -19,6 +19,9  <at>  <at> 
 static struct nf_logger __rcu *loggers[NFPROTO_NUMPROTO][NF_LOG_TYPE_MAX] __read_mostly;
 static DEFINE_MUTEX(nf_log_mutex);

+#define nft_log_dereference(logger) \
+	rcu_dereference_protected(logger, lockdep_is_held(&nf_log_mutex))
+
 static struct nf_logger *__find_logger(int pf, const char *str_logger)
 {
 	struct nf_logger *log;
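Review bot: the helper is named nft_log_dereference() but nf_log.c is the generic logging core shared by iptables and nftables, and everything else in this file carries the nf_log_ prefix; nf_log_dereference() would fit the file and avoid suggesting an nftables-only helper. A one-line comment above the #define saying it may only be used with nf_log_mutex held would also help, since the lockdep assertion is the whole point of wrapping the call.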
 <at>  <at>  -28,8 +31,7  <at>  <at>  static struct nf_logger *__find_logger(int pf, const char *str_logger)
 		if (loggers[pf][i] == NULL)
 			continue;

-		log = rcu_dereference_protected(loggers[pf][i],
-						lockdep_is_held(&nf_log_mutex));
+		log = nft_log_dereference(loggers[pf][i]);
 		if (!strnicmp(str_logger, log->name, strlen(log->name)))
 			return log;
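Review bot: the NULL test on loggers[pf][i] two lines above the converted call still reads the __rcu annotated slot directly; now that a helper exists, `log = nft_log_dereference(loggers[pf][i]); if (!log) continue;` would cover both the check and the fetch with one access and keep sparse happy. Not introduced by this patch, but the conversion is the natural place to clean it up.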
(Continue reading)

Neutron Soutmun | 24 Oct 11:36 2014

[PATCH] libipset: Bump lib version and update map file

ipset_parse_uint16() was introduced, but the lib version was not bumped and
the map file was not updated.

Bump lib version to 9:0:6 (current and age were bumped).

Signed-off-by: Neutron Soutmun <neo.neutron <at> gmail.com>
---
 Make_global.am   | 2 +-
 lib/libipset.map | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Make_global.am b/Make_global.am
index 7953451..f9ec7b2 100644
--- a/Make_global.am
+++ b/Make_global.am
 <at>  <at>  -69,7 +69,7  <at>  <at> 
 # interface. 

 #            curr:rev:age
-LIBVERSION = 8:0:5
+LIBVERSION = 9:0:6

 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include \
 	-I/usr/local/include
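Review bot: 8:0:5 to 9:0:6 is the correct libtool step for an interface added without removing any (current++, age++, revision back to 0), but the commit message only says "current and age was bumped"; spell out that revision is reset to 0 so the next person does not "fix" it. Note also that Thomas Backlund's "[PATCH] add missing ipset_parse_tcp_udp_port to libipset.map" in this same batch touches lib/libipset.map; whichever lands second needs a rebase, and if both go into one release a single LIBVERSION bump should cover both symbols.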
diff --git a/lib/libipset.map b/lib/libipset.map
index 58174ec..61f6d6e 100644
--- a/lib/libipset.map
+++ b/lib/libipset.map
 <at>  <at>  -152,3 +152,8  <at>  <at>  global:
   ipset_print_skbmark;
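Review bot: the hunk header says five lines are added to the map file, but the commit message names only ipset_parse_uint16(), and the quoted hunk is cut after its first context line; please list every symbol the new version node exports in the message so the map change can be checked against the LIBVERSION bump.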
(Continue reading)

Florian Westphal | 24 Oct 11:24 2014

Re: [PATCHv3 1/1 lnf-ct] qa: build unshared nfct environment

Ken-ichirou MATSUZAWA <chamaken <at> gmail.com> wrote:
> nssocket forks and changes the netns pre-established by ip(8), then serves its
> socket descriptor to the parent via nssocket().  Since this socket is
> isolated, it can be used to create regression tests for conntrack.
> 
> This also adds a conntrack event testcase as a first user.
> A ct_echo_event.sh script is provided to build and run this test
> automatically:
> 
>   # ./qa/ct_echo_event.sh
>   make: Entering directory...
>   ...debug output like:
>       [NEW] tcp      6 2 SYN_SENT src=10.255.255.249 dst=10.255.255.250 sport...
>    [UPDATE] tcp      6 2 SYN_RECV src=10.255.255.249 dst=10.255.255.250 sport...
>   ...
>   [DESTROY] icmp     1 src=10.255.255.249 dst=10.255.255.250 type=8 code=0...
>   # echo $?
>   0

Applied, thanks for your patience.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
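The mechanism the quoted commit message describes, as an added example that is not the libnetfilter_conntrack qa/ code itself: a forked child enters a separate network namespace, opens a socket there and hands the descriptor back to the parent over a UNIX socketpair with SCM_RIGHTS. The real helper joins a namespace created with ip(8); this example uses unshare(CLONE_NEWNET) instead, which needs CAP_SYS_ADMIN and is reported (not fatal) when the caller lacks it. All function and struct names are this example's own.

```c
/* Added example (not the libnetfilter_conntrack qa/ code): nssocket in
 * miniature. Child: try to enter a new netns, create a socket, pass it
 * back over a UNIX socketpair with SCM_RIGHTS. Names are this example's. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000	/* value from <linux/sched.h> */
#endif
int unshare(int flags);		/* glibc prototype, repeated in case _GNU_SOURCE came too late */

struct ns_reply {
	int unshared;	/* 1 if the child really entered a new netns */
	int err;	/* errno from unshare() when unshared == 0 */
};

/* Send one descriptor plus the ns_reply payload over a UNIX socket. */
static int send_fd(int sock, int fd, const struct ns_reply *payload)
{
	struct iovec iov = { .iov_base = (void *)payload, .iov_len = sizeof *payload };
	char cbuf[CMSG_SPACE(sizeof(int))];
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
			      .msg_control = cbuf, .msg_controllen = sizeof cbuf };
	struct cmsghdr *cm;

	memset(cbuf, 0, sizeof cbuf);
	cm = CMSG_FIRSTHDR(&msg);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &fd, sizeof fd);
	return sendmsg(sock, &msg, 0) == (ssize_t)sizeof *payload ? 0 : -1;
}

/* Receive the payload and the passed descriptor; returns the fd or -1. */
static int recv_fd(int sock, struct ns_reply *payload)
{
	struct iovec iov = { .iov_base = payload, .iov_len = sizeof *payload };
	char cbuf[CMSG_SPACE(sizeof(int))];
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
			      .msg_control = cbuf, .msg_controllen = sizeof cbuf };
	struct cmsghdr *cm;
	int fd = -1;

	if (recvmsg(sock, &msg, 0) != (ssize_t)sizeof *payload)
		return -1;
	for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm))
		if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
			memcpy(&fd, CMSG_DATA(cm), sizeof fd);
	return fd;
}

/* Fork a helper that (tries to) enter a fresh netns, creates the requested
 * socket there and passes it back. Returns the received fd or -1. */
static int nssocket(int domain, int type, int protocol, struct ns_reply *reply)
{
	int sv[2], fd;
	pid_t pid;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -1;
	pid = fork();
	if (pid < 0) {
		close(sv[0]);
		close(sv[1]);
		return -1;
	}
	if (pid == 0) {
		struct ns_reply r = { .unshared = 1, .err = 0 };
		int s;

		close(sv[0]);
		if (unshare(CLONE_NEWNET) < 0) {	/* EPERM without CAP_SYS_ADMIN */
			r.unshared = 0;
			r.err = errno;
		}
		s = socket(domain, type, protocol);	/* lives in the child's netns */
		if (s >= 0)
			send_fd(sv[1], s, &r);
		_exit(s >= 0 ? 0 : 1);
	}
	close(sv[1]);
	fd = recv_fd(sv[0], reply);
	close(sv[0]);
	waitpid(pid, NULL, 0);
	return fd;
}

/* The round trip a test harness relies on: a UDP socket created in the
 * child arrives in the parent as a usable descriptor of the right type. */
static bool nssocket_roundtrip_works(void)
{
	struct ns_reply r = { 0, 0 };
	int fd = nssocket(AF_INET, SOCK_DGRAM, 0, &r);
	int t = -1;
	socklen_t len = sizeof t;
	bool ok = fd >= 0 && getsockopt(fd, SOL_SOCKET, SO_TYPE, &t, &len) == 0 &&
		  t == SOCK_DGRAM;

	if (fd >= 0)
		close(fd);
	return ok;
}

int main(void)
{
	struct ns_reply r = { 0, 0 };
	int fd = nssocket(AF_INET, SOCK_DGRAM, 0, &r);

	printf("received fd %d, isolated netns: %s\n", fd,
	       r.unshared ? "yes" : strerror(r.err));
	if (fd >= 0)
		close(fd);
	return fd >= 0 ? 0 : 1;
}
```

Run as root (or with CAP_SYS_ADMIN) to see "isolated netns: yes"; unprivileged it still passes the descriptor but reports EPERM, and that flag is what a regression test should check before trusting that traffic on the socket is invisible to the host's conntrack table.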

Li Zhong | 24 Oct 09:28 2014

[RFC PATCH netfilter] Fix Unknown symbols in nf_reject_ipvX modules

Commit c8d7b98bec43 moved nf_send_resetX() into modules without a module
license, which causes the following errors on my system:

[   26.926014] nf_reject_ipv4: Unknown symbol rcu_read_lock_bh_held (err 0)
[   26.926022] nf_reject_ipv4: Unknown symbol rcu_read_lock_held (err 0)
[   26.926030] nf_reject_ipv4: Unknown symbol ip_local_out_sk (err 0)

The code below adds MODULE_LICENSE("GPL") to fix this issue. 

Signed-off-by: Li Zhong <zhong <at> linux.vnet.ibm.com>
---
 net/ipv4/netfilter/nf_reject_ipv4.c | 3 +++
 net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index b023b4e..d5df20d 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
 <at>  <at>  -11,6 +11,9  <at>  <at> 
 #include <net/route.h>
 #include <net/dst.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/module.h>
+
+MODULE_LICENSE("GPL");

 /* Send RST reply */
 void nf_send_reset(struct sk_buff *oldskb, int hook)
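Review bot: putting MODULE_LICENSE() between the #include block and the first function is unusual; kernel sources keep the MODULE_* tags at the end of the file next to the EXPORT_SYMBOL lines, which is where the next reader will look for them. The fix itself is right: without a MODULE_LICENSE the module is treated as non-GPL and symbols exported with EXPORT_SYMBOL_GPL, which the three "Unknown symbol" lines above are, fail to resolve. Since the message already names the commit that dropped the license, add a `Fixes: c8d7b98bec43 ("...")` tag so the change follows that commit into stable.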
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
(Continue reading)

billbonaparte | 24 Oct 06:01 2014

netfilter: NAT: do the optimization for getting curr_tuple in function nf_nat_setup_info

Hi all:
	In function nf_nat_setup_info, we need to get the current tuple
which is supposed to be sent to the destination.
    If we haven't done any NAT (SNAT or DNAT) for the tuple, then the
current tuple is equal to the original tuple;
    otherwise, we should get the current tuple by invoking
nf_ct_invert_tuplepr(curr_tuple, &ct->tuplehash[IP_CT_DIR_REPLY].tuple),
    as the existing comment says:

	/* What we've got will look like inverse of reply. Normally
	 * this is what is in the conntrack, except for prior
	 * manipulations (future optimization: if num_manips == 0,
	 * orig_tp = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
	 */
	nf_ct_invert_tuplepr(&curr_tuple,
			     &ct->tuplehash[IP_CT_DIR_REPLY].tuple);

	So, since that is so, why don't we do the optimization for getting the
current tuple?

   As mentioned above, if we have not done DNAT for the tuple, then the
current tuple is equal to the original tuple.
   So I add the optimization as follows:

+	if (!(ct->status & IPS_DST_NAT))  /* we do the optimization, as
mentioned above */
+		curr_tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+	else 
+		nf_ct_invert_tuplepr(curr_tuple,
 			     &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
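Review bot: the new test keys only on IPS_DST_NAT, but the justification above (and the existing comment's "num_manips == 0") is about any prior manipulation: after an SNAT the reply tuple's destination has changed, so the inverse of the reply is no longer the original tuple and the shortcut would hand back a stale current tuple. Test `ct->status & IPS_NAT_MASK` (IPS_SRC_NAT | IPS_DST_NAT) instead, or explain why an SNAT can never precede this call. Separately, `curr_tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple` turns curr_tuple into a pointer while the existing code above takes `&curr_tuple` as a struct, and the else branch writes through that pointer with nf_ct_invert_tuplepr(curr_tuple, ...); the fragment needs a local struct for the inverted copy and a pointer set to either that local or the original tuple, otherwise it does not build against the current declaration.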
	
(Continue reading)
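The condition in the proposal above, checked in a user-space model as an added example (not code from the thread or from the kernel): conntrack tuples, the inversion that nf_ct_invert_tuplepr() performs for a plain IPv4 TCP/UDP tuple, and the IPS_SRC_NAT/IPS_DST_NAT bits that nf_nat_setup_info sets when it alters the reply tuple. The kernel names are re-declared here as assumptions with their UAPI values; the conntrack entry and addresses are constructed. The functions compare the proposed shortcut (skip the inversion unless IPS_DST_NAT is set) against the inversion itself, and against the same shortcut keyed on IPS_NAT_MASK.

```c
/* Added example, not kernel code: does "curr_tuple = original unless
 * IPS_DST_NAT" agree with nf_ct_invert_tuplepr(reply)? Kernel names below
 * are re-declared as assumptions for this model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPS_SRC_NAT	(1 << 4)	/* values as in nf_conntrack_common.h */
#define IPS_DST_NAT	(1 << 5)
#define IPS_NAT_MASK	(IPS_SRC_NAT | IPS_DST_NAT)

enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };

struct tuple { uint32_t src_ip, dst_ip; uint16_t sport, dport; };	/* no padding */

struct conn {
	struct tuple tuplehash[2];
	unsigned int status;
};

/* nf_ct_invert_tuplepr() for an IPv4 TCP/UDP tuple: swap the endpoints. */
static void invert(struct tuple *out, const struct tuple *in)
{
	out->src_ip = in->dst_ip;
	out->dst_ip = in->src_ip;
	out->sport = in->dport;
	out->dport = in->sport;
}

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
	return memcmp(a, b, sizeof *a) == 0;
}

/* What nf_nat_setup_info records when a manipulation changes the tuple:
 * the reply tuple is rewritten and the matching status bit is set. An SNAT
 * of the original direction shows up as a new *destination* in replies. */
static void apply_snat(struct conn *ct, uint32_t new_src, uint16_t new_sport)
{
	ct->tuplehash[IP_CT_DIR_REPLY].dst_ip = new_src;
	ct->tuplehash[IP_CT_DIR_REPLY].dport = new_sport;
	ct->status |= IPS_SRC_NAT;
}

static void apply_dnat(struct conn *ct, uint32_t new_dst, uint16_t new_dport)
{
	ct->tuplehash[IP_CT_DIR_REPLY].src_ip = new_dst;
	ct->tuplehash[IP_CT_DIR_REPLY].sport = new_dport;
	ct->status |= IPS_DST_NAT;
}

/* The shortcut, parameterised by the status bits that disable it. True if
 * its answer equals the inversion the current kernel code computes. */
static bool shortcut_matches_inversion(const struct conn *ct, unsigned int skip_mask)
{
	struct tuple ref, got;

	invert(&ref, &ct->tuplehash[IP_CT_DIR_REPLY]);
	if (!(ct->status & skip_mask))
		got = ct->tuplehash[IP_CT_DIR_ORIGINAL];
	else
		invert(&got, &ct->tuplehash[IP_CT_DIR_REPLY]);
	return tuple_eq(&ref, &got);
}

/* Constructed entry: 10.0.0.2:40000 -> 93.184.216.34:80, no NAT yet. */
static struct conn fresh_conn(void)
{
	struct conn ct = {
		.tuplehash = {
			[IP_CT_DIR_ORIGINAL] = { 0x0a000002, 0x5db8d822, 40000, 80 },
			[IP_CT_DIR_REPLY] = { 0x5db8d822, 0x0a000002, 80, 40000 },
		},
		.status = 0,
	};
	return ct;
}

static bool dst_only_check_safe_after_snat(void)
{
	struct conn ct = fresh_conn();
	apply_snat(&ct, 0xc0000201 /* 192.0.2.1 */, 1024);
	return shortcut_matches_inversion(&ct, IPS_DST_NAT);
}

static bool mask_check_safe_after_snat(void)
{
	struct conn ct = fresh_conn();
	apply_snat(&ct, 0xc0000201, 1024);
	return shortcut_matches_inversion(&ct, IPS_NAT_MASK);
}

static bool dst_only_check_safe_after_dnat(void)
{
	struct conn ct = fresh_conn();
	apply_dnat(&ct, 0xc0000202 /* 192.0.2.2 */, 8080);
	return shortcut_matches_inversion(&ct, IPS_DST_NAT);
}

int main(void)
{
	printf("IPS_DST_NAT check after DNAT: %s\n", dst_only_check_safe_after_dnat() ? "ok" : "wrong tuple");
	printf("IPS_DST_NAT check after SNAT: %s\n", dst_only_check_safe_after_snat() ? "ok" : "wrong tuple");
	printf("IPS_NAT_MASK check after SNAT: %s\n", mask_check_safe_after_snat() ? "ok" : "wrong tuple");
	return 0;
}
```

The model only shows that the condition as written is narrower than the justification given for it: once an SNAT has been recorded, the original tuple and the inverse of the reply differ, and only the IPS_NAT_MASK form stays equal to the inversion. Whether an SNAT can actually be recorded before this call runs is a question for the real call sites, not for the model.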

Alvaro Neira Ayuso | 23 Oct 19:36 2014

[nft PATCH 1/2 v2] evaluate: reject: check the context in reject without reason for bridge and inet tables

In rules like:

  nft add rule inet filter input reject
or
  nft add rule bridge filter input reject

we use icmpx to reject it. But if we have a network context, we also use the type
of reject. With this patch, we check the network context. If we don't have a
context, we still use icmpx. However, if we have rules with network context like:

  nft add rule inet meta nfproto ipv4 reject
or
  nft add rule bridge ether type ipv6 reject

we are going to use icmp or icmpv6 to reject it, taking the network context
into account.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay <at> gmail.com>
---
[changes in v2]
 * Added these new rules into the reject tests for bridge and inet tables.

 src/evaluate.c                   |   44 ++++++++++++++++++++++++++++++++++++--
 tests/regression/bridge/reject.t |    3 +++
 tests/regression/inet/reject.t   |    3 +++
 3 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 63ba82e..2dd49fa 100644
--- a/src/evaluate.c
(Continue reading)

Alvaro Neira Ayuso | 23 Oct 18:21 2014

[nft PATCH 1/2] evaluate: reject: check the context in reject without reason for bridge and inet tables

In rules like:

  nft add rule inet filter input reject
or
  nft add rule bridge filter input reject

we use icmpx to reject it. But if we have a network context, we also use the type
of reject. With this patch, we check the network context. If we don't have a
context, we still use icmpx. However, if we have rules with network context like:

  nft add rule inet meta nfproto ipv4 reject
or
  nft add rule bridge ether type ipv6 reject

we are going to use icmp or icmpv6 to reject it, taking the network context
into account.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay <at> gmail.com>
---
 src/evaluate.c |   44 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 63ba82e..2dd49fa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
 <at>  <at>  -1357,6 +1357,9  <at>  <at>  static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
 static int stmt_evaluate_reject_default(struct eval_ctx *ctx,
 					  struct stmt *stmt)
 {
(Continue reading)

Ana Rey | 23 Oct 14:44 2014

[nftables PATCH] meta: Add support for datatype devgroup

This adds the new devgroup datatype to get the group name from the
/etc/iproute2/group file.

Example of use:

nft add rule ip test input meta iifgroup 0 counter
nft add rule ip test input meta iifgroup default counter

Moreover, it adds tests to the meta.t test file.

Signed-off-by: Ana Rey <anarey <at> gmail.com>
---
 include/datatype.h          |    2 ++
 src/meta.c                  |   39 +++++++++++++++++++++++++++++++++++++--
 tests/regression/any/meta.t |   21 +++++++++++++++++++++
 3 files changed, 60 insertions(+), 2 deletions(-)

diff --git a/include/datatype.h b/include/datatype.h
index 15fea44..3f13dcd 100644
--- a/include/datatype.h
+++ b/include/datatype.h
 <at>  <at>  -39,6 +39,7  <at>  <at> 
  *  <at> TYPE_ICMP_CODE:	icmp code (integer subtype)
  *  <at> TYPE_ICMPV6_CODE:	icmpv6 code (integer subtype)
  *  <at> TYPE_ICMPX_CODE:	icmpx code (integer subtype)
+ *  <at> TYPE_DEVGROUP:	devgroup code (integer subtype)
  */
 enum datatypes {
 	TYPE_INVALID,
 <at>  <at>  -76,6 +77,7  <at>  <at>  enum datatypes {
(Continue reading)
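What a devgroup datatype has to do with /etc/iproute2/group, as an added example that is not the src/meta.c code from the patch: parse the file's "<number> <name>" lines (blank lines and '#' comments ignored), map a symbolic name such as `default` to its number for `meta iifgroup default`, fall back to a plain number for `meta iifgroup 0`, and map a number back to its name for printing. The file content is a constructed sample embedded in the code, and the function names are this example's own.

```c
/* Added example, not nftables code: parser for the /etc/iproute2/group
 * format ("<number> <name>" per line, '#' starts a comment) with
 * name -> id and id -> name lookups over a constructed sample file. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char sample_group_file[] =
	"# device group names (constructed sample, not the system file)\n"
	"0\tdefault\n"
	"\n"
	"10\tdmz   # hosts facing the internet\n"
	"11\tinternal\n"
	"this line has no number and must be skipped\n"
	"300\tstorage\n";

struct devgroup {
	unsigned long id;
	char name[32];
};

/* Parse one line; false for blank, comment-only and malformed lines. */
static bool parse_group_line(const char *line, size_t len, struct devgroup *g)
{
	char buf[128], *p, *end;

	if (len >= sizeof buf)
		return false;
	memcpy(buf, line, len);
	buf[len] = '\0';
	if ((p = strchr(buf, '#')) != NULL)	/* drop trailing comment */
		*p = '\0';
	for (p = buf; isspace((unsigned char)*p); p++)
		;
	if (*p == '\0')
		return false;
	g->id = strtoul(p, &end, 0);
	if (end == p || !isspace((unsigned char)*end))	/* no id, or id glued to name */
		return false;
	while (isspace((unsigned char)*end))
		end++;
	for (p = end; *end != '\0' && !isspace((unsigned char)*end); end++)
		;
	if (end == p || (size_t)(end - p) >= sizeof g->name)
		return false;
	memcpy(g->name, p, end - p);
	g->name[end - p] = '\0';
	return true;
}

/* Find an entry by name (want_name != NULL) or by id; false if absent. */
static bool devgroup_lookup(const char *file, const char *want_name,
			    unsigned long want_id, struct devgroup *out)
{
	const char *line = file;

	while (*line != '\0') {
		const char *nl = strchr(line, '\n');
		size_t len = nl ? (size_t)(nl - line) : strlen(line);
		struct devgroup g;

		if (parse_group_line(line, len, &g) &&
		    (want_name ? strcmp(g.name, want_name) == 0 : g.id == want_id)) {
			*out = g;
			return true;
		}
		if (nl == NULL)
			break;
		line = nl + 1;
	}
	return false;
}

/* Symbolic or numeric text -> id; -1 for an unknown symbol. */
static long devgroup_parse(const char *file, const char *text)
{
	struct devgroup g;
	char *end;
	unsigned long n;

	if (devgroup_lookup(file, text, 0, &g))
		return (long)g.id;
	n = strtoul(text, &end, 0);
	return (*text != '\0' && *end == '\0') ? (long)n : -1;
}

/* id -> name for printing; ids without a name print as plain numbers. */
static const char *devgroup_print(const char *file, unsigned long id,
				  char *buf, size_t buflen)
{
	struct devgroup g;

	if (devgroup_lookup(file, NULL, id, &g))
		snprintf(buf, buflen, "%s", g.name);
	else
		snprintf(buf, buflen, "%lu", id);
	return buf;
}

static bool devgroup_prints_as(const char *file, unsigned long id, const char *expect)
{
	char buf[32];

	return strcmp(devgroup_print(file, id, buf, sizeof buf), expect) == 0;
}
```

The malformed line in the sample is there on purpose: a datatype that reads a world-readable file at rule evaluation time must skip what it cannot parse rather than abort, and must never let an unknown id print as anything but its number, or `nft list ruleset` output would no longer round-trip through `nft -f`.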

Pablo Neira Ayuso | 23 Oct 13:36 2014

[PATCH] iptables-compat: fix empty chains after first invocation of iptables-compat -L

 # iptables-compat -L
 # iptables-compat -L
 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

Note that the second (and follow-up) invocations after the first one
display the chains.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 iptables/nft.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 52c89b9..5492a8f 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
 <at>  <at>  -1937,8 +1937,14  <at>  <at>  int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
 	bool found = false;

 	/* If built-in chains don't exist for this table, create them */
-	if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0)
+	if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) {
 		nft_xt_builtin_init(h, table);
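Review bot: the hunk is cut right after the brace is opened, so the lines that now follow nft_xt_builtin_init() are not visible, and the commit message shows only the symptom (an empty first listing), not the cause. State in the message why the first invocation prints nothing and what the added lines do about it, so the fix can be checked rather than taken on faith; a one-line comment at the new block would serve the same purpose in the code.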
(Continue reading)

Pablo Neira Ayuso | 23 Oct 13:18 2014

[PATCH 1/3] iptables-compat: fix chain policy reset with iptables -L -n

Initialize built-in tables/chains if they don't exist, otherwise
simply skip.

This avoids the chain policy being reset to NF_ACCEPT when you call
iptables -L -n.

Reported-by: Ana Rey <anarey <at> gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 iptables/nft.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index ca199cd..b68b275 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
 <at>  <at>  -620,11 +620,17  <at>  <at>  __nft_chain_builtin_init(struct nft_handle *h,
 			 int policy)
 {
 	int i, default_policy;
+	struct nft_chain_list *list = nft_chain_dump(h);
+	struct nft_chain *c;

-	/* Initialize all built-in chains. Exception, for e one received as
-	 * parameter, set the default policy as requested.
-	 */
+	/* Initialize built-in chains if they don't exist yet */
 	for (i=0; i<NF_IP_NUMHOOKS && table->chains[i].name != NULL; i++) {
+
+		c = nft_chain_list_find(list, table->name,
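Review bot: the new `list = nft_chain_dump(h)` in the declarations is passed straight to nft_chain_list_find() in the loop; if nft_chain_dump() can return NULL on a netlink failure, that needs a check before the loop. Either way the list is allocated per call, so every exit path of __nft_chain_builtin_init() must release it (nft_chain_list_free()), which the cut-off hunk does not show; and dumping the whole chain list once per built-in table initialisation is a netlink round trip that the commit message should mention as the cost of no longer resetting policies.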
(Continue reading)

