Pablo Neira Ayuso | 30 Oct 18:40 2014

[PATCH] netfilter: nf_log: fix sparse warning in nf_logger_find_get()

net/netfilter/nf_log.c:157:16: warning: incorrect type in assignment (different address spaces)
net/netfilter/nf_log.c:157:16:    expected struct nf_logger *logger
net/netfilter/nf_log.c:157:16:    got struct nf_logger [noderef] <asn:4>*<noident>

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 net/netfilter/nf_log.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 9562e39..49a6417 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
 <at>  <at>  -154,8 +154,7  <at>  <at>  int nf_logger_find_get(int pf, enum nf_log_type type)
 	struct nf_logger *logger;
 	int ret = -ENOENT;

-	logger = loggers[pf][type];
-	if (logger == NULL)
+	if (rcu_access_pointer(loggers[pf][type]) == NULL)
 		request_module("nf-logger-%u-%u", pf, type);

 	rcu_read_lock();
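Review bot: rcu_access_pointer() is the right primitive for this NULL test outside rcu_read_lock(), since the slot is only compared and never dereferenced, so the sparse address-space warning goes away without adding a spurious read-side critical section. The test remains a hint only: request_module() may fail or another CPU may unregister the logger before the lookup under rcu_read_lock() below, so that lookup must still tolerate a NULL slot. The local `struct nf_logger *logger;` in the context line is no longer assigned in this hunk; confirm it is still used in the part of the function cut off here, otherwise drop the declaration with this change.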
--

-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Ana Rey | 30 Oct 17:26 2014

[PATCH] extensions: devgroup: fix showing and saving of dst-group

Closes bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=985

The --dst-group parameter in devgroup extensions lists and saves
incorrectly its value. --dst-group always shows "0x0/0x0".

This is an example:

 # iptables -I FORWARD -m devgroup --dst-group 200 -j ACCEPT

 # iptables -L FORWARD
 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination
 ACCEPT     all  --  anywhere             anywhere     src-group 0x64 dst-group 0x0/0x0

 # iptables -S FORWARD
 -P FORWARD ACCEPT
 -A FORWARD -m devgroup --dst-group 0x0/0x0 -j ACCEPT

Reported-by: Axinchan <axinchan <at> cnrouter.com>
Signed-off-by: Ana Rey <anarey <at> gmail.com>
---
 extensions/libxt_devgroup.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index fb1fcb5..1a52627 100644
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
 <at>  <at>  -124,7 +124,7  <at>  <at>  static void devgroup_show(const char *pfx, const struct xt_devgroup_info *info,
 		if (info->flags & XT_DEVGROUP_INVERT_DST)
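Review bot: the hunk is cut off after the `XT_DEVGROUP_INVERT_DST` context line, so the one-line change to devgroup_show() (the diffstat says one insertion, one deletion) is not visible here. The report shows dst-group printing `0x0/0x0` in both `-L` and `-S` output while src-group prints a value, so the dst branch is evidently printing the wrong fields; if the print and save paths both go through devgroup_show() with different `pfx` strings, one fix there covers both, but please verify after the patch that a rule added with `--dst-group 200` is listed and saved as `--dst-group 0xc8`, reloads identically, and that the `!` inverted form handled by this branch is preserved as well.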

Ana Rey | 30 Oct 09:31 2014

[PATCH] iptables-compat: homogenize error messages

There are some differences between error messages in iptables and
iptables-compat:

 # iptables -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
 # iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT
iptables: No chain/target/match by that name.

 # iptables -N new_chain
 # iptables -N new_chain
iptables: Chain already exists.
 # iptables-compat -N new_chain
 # iptables-compat -N new_chain
iptables: File exists.

Now, iptables-compat shows the same error messages as iptables in
those cases.

Signed-off-by: Ana Rey <anarey <at> gmail.com>
---
 iptables/nft.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/iptables/nft.c b/iptables/nft.c
index ac72bfa..1a2c438 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
 <at>  <at>  -1298,6 +1298,8  <at>  <at>  int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl
 	struct nft_chain *c;
 	int ret;
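Review bot: only the declarations at the top of nft_chain_user_add() survive the cut, so the four added lines are not visible. From the commit message, `File exists` is the strerror() text for EEXIST and `Chain already exists` is the iptables text for that errno, so the added lines presumably map the kernel's EEXIST onto the xtables error code in this function. Two things to check in the full patch: the first example in the message (`Bad rule ...` versus `No chain/target/match by that name`) is the `-C` rule-check path, which is a different function from the one this hunk touches, so it needs its own mapping; and errno must not be clobbered between the netlink call and the point where the message is chosen, otherwise the generic strerror() text comes back.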

Stephen Hemminger | 30 Oct 06:57 2014

[PATCH net-next] netfilter: fix spelling errors


Signed-off-by: Stephen Hemminger <stephen <at> networkplumber.org>

--- a/net/netfilter/nf_conntrack_helper.c	2014-03-21 08:16:54.297654128 -0700
+++ b/net/netfilter/nf_conntrack_helper.c	2014-10-27 20:33:42.471629995 -0700
 <at>  <at>  -250,7 +250,7  <at>  <at>  out:
 }
 EXPORT_SYMBOL_GPL(__nf_ct_try_assign_helper);

-/* appropiate ct lock protecting must be taken by caller */
+/* appropriate ct lock protecting must be taken by caller */
 static inline int unhelp(struct nf_conntrack_tuple_hash *i,
 			 const struct nf_conntrack_helper *me)
 {
--- a/net/netfilter/nf_tables_api.c	2014-10-26 10:43:41.762315418 -0700
+++ b/net/netfilter/nf_tables_api.c	2014-10-27 20:33:27.479554628 -0700
 <at>  <at>  -2477,7 +2477,7  <at>  <at>  static int nf_tables_getset(struct sock
 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 	int err;

-	/* Verify existance before starting dump */
+	/* Verify existence before starting dump */
 	err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
 	if (err < 0)
 		return err;
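Review bot: both hunks are comment-only spelling fixes and are correct as written. Two process points: the patch is a plain unified diff with file timestamps rather than `git format-patch` output (no `diff --git` or `index` lines), and the body carries only a Signed-off-by with no description, so the resulting commit would have an empty message body; a one-line body such as "Fix spelling in two comments" would suffice. The net-next tag is harmless for a comment-only change but not needed.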

Giuseppe Longo | 29 Oct 21:31 2014

Re: [ebtables-compat PATCH] extensions: libebt_log

Forgot to say, the patch is not completed yet there are some compiling
issues to fix.

Giuseppe Longo | 29 Oct 16:21 2014

[ebtables-compat PATCH] extensions: libebt_log

This implements libebt_log extensions for ebtables-compat layer.
Based on the ebt_log code, but adapted for libxtables parser.

Signed-off-by: Giuseppe Longo <giuseppelng <at> gmail.com>
---
 extensions/libebt_log.c | 184 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 184 insertions(+)
 create mode 100644 extensions/libebt_log.c

diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c
new file mode 100644
index 0000000..416ad85
--- /dev/null
+++ b/extensions/libebt_log.c
 <at>  <at>  -0,0 +1,184  <at>  <at> 
+/*
+ * (C) 2014 Giuseppe Longo <giuseppelng <at> gmail.com>
+ *
+ * Based on code from ebt_log from:
+ *
+ * Bart De Schuymer <bdschuym <at> pandora.be>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
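Review bot: the hunk is cut off after the includes, so only the license header and the first three includes of the new extension are visible. The author's follow-up in this thread says the patch does not yet compile, so it should have gone out as an RFC (or been held until it builds) rather than as a PATCH carrying a Signed-off-by, since reviewers on this list will otherwise try to apply it. The header credits Bart De Schuymer's ebt_log as the origin, which matches the original ebtables extension; when porting his code under GPLv2, keep his copyright line alongside the 2014 one rather than only a "based on" credit. `<syslog.h>` is presumably for the LOG_* level names the ebt_log log-level option accepts.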

Giuseppe Longo | 29 Oct 15:10 2014

[ebtables-compat PATCH] build ebtables extensions

This permits to build extensions for ebtables-compat layer.

Signed-off-by: Giuseppe Longo <giuseppelng <at> gmail.com>
---
 extensions/GNUmakefile.in | 40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 5291572..7b4f891 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
 <at>  <at>  -39,16 +39,20  <at>  <at>  endif
 #	Wildcard module list
 #
 pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
+pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c)))
 pfx_symlinks  := NOTRACK state
  <at> ENABLE_IPV4_TRUE <at>  pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
  <at> ENABLE_IPV6_TRUE <at>  pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
 pfx_build_mod := $(filter-out  <at> blacklist_modules <at> ,${pfx_build_mod})
+pfb_build_mod := $(filter-out  <at> blacklist_modules <at> ,${pfb_build_mod})
 pf4_build_mod := $(filter-out  <at> blacklist_modules <at> ,${pf4_build_mod})
 pf6_build_mod := $(filter-out  <at> blacklist_modules <at> ,${pf6_build_mod})
 pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_mod})
 pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
 pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
 pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+pfb_solibs    := $(patsubst %,libebt_%.so,${pfb_build_mod})
 pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
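Review bot: the visible hunk only introduces the pfb_* variables (module list, objects, solibs) in parallel with pfx_/pf4_/pf6_ and does not show them being consumed. Check that the remainder of the patch wires pfb_solibs into the default `all`, `install` and `clean` targets and adds a build rule matching `libebt_%.so`, since the existing rules presumably pattern-match on `libxt_%`; otherwise libebt_log.so from the companion patch is never built or installed. Two details: applying the same `@blacklist_modules@` filter-out to pfb_build_mod means a blacklisted name now disables both the xt and the ebt extension of that name, which may or may not be intended; and unlike pfx_symlinks there is no pfb_symlinks, which is fine as long as no ebtables extension needs an alias.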

Marcelo Ricardo Leitner | 29 Oct 13:51 2014

[PATCH v4 1/3] netfilter: log: protect nf_log_register against double registering

Currently, despite the comment right before the function,
nf_log_register allows registering two loggers with the same type and
ends up overwriting the previous registration.

Not a real issue today as current tree doesn't have two loggers for the
same type but it's better to get this protected.

Also make sure that all of its callers do error checking.

Signed-off-by: Marcelo Ricardo Leitner <mleitner <at> redhat.com>
---
 net/ipv4/netfilter/nf_log_arp.c  | 12 +++++++++++-
 net/ipv4/netfilter/nf_log_ipv4.c | 12 +++++++++++-
 net/ipv6/netfilter/nf_log_ipv6.c | 12 +++++++++++-
 net/netfilter/nf_log.c           | 16 +++++++++++++---
 4 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c
index ccfc78db12ee8acae68faf451f2cf6bc5597f2c1..0c8799a0c9e46df1bd414251c4d5661da024fae1 100644
--- a/net/ipv4/netfilter/nf_log_arp.c
+++ b/net/ipv4/netfilter/nf_log_arp.c
 <at>  <at>  -10,6 +10,7  <at>  <at> 
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

 #include <linux/module.h>
 #include <linux/spinlock.h>
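Review bot: the `pr_fmt` definition sits before the first #include, which is required for it to take effect in the printk macros; it is presumably there for an error message on the registration failure path added by the second hunk, which is cut off here. One check for that path: if nf_log_arp_init() has already registered anything (for example a pernet subsystem) before nf_log_register() is called, that registration must be undone before returning the new error, otherwise a failed insmod leaves the module half-registered.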
 <at>  <at>  -130,8 +131,17  <at>  <at>  static int __init nf_log_arp_init(void)

Marcelo Ricardo Leitner | 29 Oct 13:04 2014

[PATCH v3 1/3] netfilter: log: protect nf_log_register against double registering

Currently, despite the comment right before the function,
nf_log_register allows registering two loggers with the same type and
ends up overwriting the previous registration.

Not a real issue today as current tree doesn't have two loggers for the
same type but it's better to get this protected.

Also make sure that all of its callers do error checking.

Signed-off-by: Marcelo Ricardo Leitner <mleitner <at> redhat.com>
---
 net/ipv4/netfilter/nf_log_arp.c  | 12 +++++++++++-
 net/ipv4/netfilter/nf_log_ipv4.c | 12 +++++++++++-
 net/ipv6/netfilter/nf_log_ipv6.c | 12 +++++++++++-
 net/netfilter/nf_log.c           | 16 +++++++++++++---
 4 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c
index ccfc78db12ee8acae68faf451f2cf6bc5597f2c1..0c8799a0c9e46df1bd414251c4d5661da024fae1 100644
--- a/net/ipv4/netfilter/nf_log_arp.c
+++ b/net/ipv4/netfilter/nf_log_arp.c
 <at>  <at>  -10,6 +10,7  <at>  <at> 
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

 #include <linux/module.h>
 #include <linux/spinlock.h>
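Review bot: this hunk is byte-identical to the one in v4 posted 47 minutes later in this thread (same blob ids ccfc78db..0c8799a0 and same diffstat), so review comments belong on v4. It would help reviewers if v4 carried a short changelog below the `---` line stating what changed from v3.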
 <at>  <at>  -130,8 +131,17  <at>  <at>  static int __init nf_log_arp_init(void)

Marcelo Ricardo Leitner | 29 Oct 13:04 2014

[PATCH v2] Introduce nft_log_dereference() macro

Wrap up a common call pattern in an easier to handle call.

Signed-off-by: Marcelo Ricardo Leitner <mleitner <at> redhat.com>
---

Notes:
    Removed from patchset because now they aren't really related.

 net/netfilter/nf_log.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index d7197649dba689bae96edb10848e8c1c3d4a63f6..5eaf047ed37facad0df59e70428c08ef8717a70d 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
 <at>  <at>  -19,6 +19,9  <at>  <at> 
 static struct nf_logger __rcu *loggers[NFPROTO_NUMPROTO][NF_LOG_TYPE_MAX] __read_mostly;
 static DEFINE_MUTEX(nf_log_mutex);

+#define nft_log_dereference(logger) \
+	rcu_dereference_protected(logger, lockdep_is_held(&nf_log_mutex))
+
 static struct nf_logger *__find_logger(int pf, const char *str_logger)
 {
 	struct nf_logger *log;
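Review bot: naming: the macro lives in net/netfilter/nf_log.c and guards nf_log_mutex, which is shared by every logger backend (the iptables LOG and NFLOG ones as much as nftables), so `nf_log_dereference()` would match the file's `nf_log_*` namespace; the `nft_` prefix reads as nftables-specific. The expansion itself is right: rcu_dereference_protected() with lockdep_is_held(&nf_log_mutex) documents that callers must hold the mutex and lets lockdep catch one that does not. A one-line `/* caller must hold nf_log_mutex */` above the macro would state that contract for readers without lockdep.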
 <at>  <at>  -28,8 +31,7  <at>  <at>  static struct nf_logger *__find_logger(int pf, const char *str_logger)
 		if (loggers[pf][i] == NULL)
 			continue;

-		log = rcu_dereference_protected(loggers[pf][i],
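Review bot: the unchanged context line `if (loggers[pf][i] == NULL)` reads the `__rcu` slot raw and the hunk then rewrites the dereference of the same slot two lines below. Since the patch is introducing an accessor for exactly this array, consider folding the two into one read through it, for example `log = nft_log_dereference(loggers[pf][i]); if (!log) continue;`, so the slot is read once, the lockdep annotation covers the NULL test too, and __find_logger() no longer mixes a raw access with the new macro.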

Ed Tomlinson | 29 Oct 13:00 2014

nftables in network name spaces breaks networking

Hi

Using 3.17.1 and setting up firewalls with nftables breaks networking when nft -f <somefile> is run in a
systemd-nspawn instance.

Please take a look at: https://bugs.freedesktop.org/show_bug.cgi?id=85464

The network gets set up correctly either by systemd-nspawn or manually via ip netns, and all is okay until you
try to load a firewall in the spawned instance with nftables. At this point the host's bridge interface stops
responding. Loading an nftable in the spawned client should NOT affect the host's networking.

I like nftables and find them easier to use than iptables (or ipchains, which dates me).

Please fix this problem or stop nft from loading tables when not in the root namespace.

I am willing to test fixes.

Thanks,
Ed Tomlinson
