Florian Westphal | 28 May 22:51 2015

[PATCH v2 -next 1/2] netfilter: iptables: separate counters from iptables rules

The binary arp/ip/ip6tables ruleset is stored per cpu.

The only reason left as to why we need percpu duplication is the rule
counters embedded into ipt_entry et al -- since each cpu has its own copy
of the rules, all counters can be lockless.

The downside is that the more cpus are supported, the more memory is
required.  Rules are not just duplicated per online cpu but for each
possible cpu, i.e. if maxcpu is 144, then the rule is duplicated 144 times,
not for the e.g. 64 cores present.

To save some memory and also allow cpus with shared caches to make
better use of available cache size, it would be preferable to only
store a copy of the rule blob for each numa node.

So we first need to separate counters and the rule blob.

We create an array of struct xt_counters for each possible cpu and
index them from the main blob via the (unused after validation)
->comefrom member.

Reported-by: Marcelo Ricardo Leitner <marcelo.leitner <at> gmail.com>
Acked-by: Jesper Dangaard Brouer <brouer <at> redhat.com>
Signed-off-by: Florian Westphal <fw <at> strlen.de>
---
 Changes since v1:
  - add ->comefrom comment in arptables, too

 include/linux/netfilter/x_tables.h |  6 ++++++
 net/ipv4/netfilter/arp_tables.c    | 33 +++++++++++++++---------------
(Continue reading)

Paul Aitken | 28 May 17:41 2015

Re: conntrack-tools bugs

Please see the attached patches.

Thanks,
P.

On 27/05/15 19:09, Pablo Neira Ayuso wrote:
> On Wed, May 27, 2015 at 03:56:18PM +0100, Paul Aitken wrote:
>> Pablo, I found a couple of bugs in conntrack-tools.
>>
>> I could clone the git repo and fix them or submit a patch. What's
>> the right process?
> Please, send patches to netfilter-devel <at> vger.kernel.org
>
> I need that they apply through git am, ie. you have to generate it
> with git format-patch.
>
> Include a title and a description. Thanks.

Bernhard Thaler | 28 May 10:26 2015

[PATCH] Revert "netfilter: ensure number of counters is >0 in do_replace()"

This partially reverts commit 1086bbe97a07 ("netfilter: ensure number of
counters is >0 in do_replace()") in net/bridge/netfilter/ebtables.c.

Setting rules with ebtables does not work any more with 1086bbe97a07 in place.

There is an error message and no rules set in the end.

e.g.

~# ebtables -t nat -A POSTROUTING --src 12:34:56:78:9a:bc -j DROP
Unable to update the kernel. Two possible causes:
1. Multiple ebtables programs were executing simultaneously. The ebtables
   userspace tool doesn't by default support multiple ebtables programs running

Reverting the ebtables part of 1086bbe97a07 makes this work again.

Signed-off-by: Bernhard Thaler <bernhard.thaler <at> wvnet.at>
---
 net/bridge/netfilter/ebtables.c |    4 ----
 1 file changed, 4 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index d5aba39..5149d9e 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
 <at>  <at>  -1117,8 +1117,6  <at>  <at>  static int do_replace(struct net *net, const void __user *user,
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
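Review bot: the visible part of this hunk is only unchanged context (the two -ENOMEM checks); the four removed lines announced by the header -1117,8 +1117,6 are cut off, so the revert itself cannot be checked here. The description should also state why ebtables legitimately passes num_counters == 0 in its replace request, rather than only that the tool fails: the reverted check was added as a sanity check, and the reason it does not hold for ebtables is what justifies reverting it for ebtables alone while keeping it for the other tables.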
(Continue reading)

Bernhard Thaler | 28 May 10:25 2015

[PATCH 4/4] netfilter: bridge: refactor frag_max_size

Currently frag_max_size is member of br_input_skb_cb and copied back and
forth using IPCB(skb) and BR_INPUT_SKB_CB(skb) each time it is changed or
used.

Attach frag_max_size to nf_bridge_info and set value in pre_routing and
forward functions and use its value in forward and xmit functions.

Signed-off-by: Bernhard Thaler <bernhard.thaler <at> wvnet.at>
---
 include/linux/skbuff.h    |    1 +
 net/bridge/br_netfilter.c |   28 +++++++++++-----------------
 net/bridge/br_private.h   |    1 -
 3 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 369643b..1def030 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
 <at>  <at>  -175,6 +175,7  <at>  <at>  struct nf_bridge_info {
 		BRNF_PROTO_PPPOE
 	} orig_proto:8;
 	bool			pkt_otherhost;
+	__u16			frag_max_size;
 	unsigned int		mask;
 	struct net_device	*physindev;
 	union {
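Review bot: the new __u16 frag_max_size sits between the byte-sized pkt_otherhost and the 4-byte mask, which most likely fills padding that was already there so nf_bridge_info does not grow; confirm with pahole and say so in the commit message, since this struct travels with every bridged skb. The field also deserves a short comment at the declaration (what it records, that pre_routing sets it and forward/xmit consume it, as the description says), because its users live in net/bridge/br_netfilter.c and a reader of skbuff.h gets no other hint.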
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index f34edb6..048f5cb 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
(Continue reading)

Bernhard Thaler | 28 May 10:25 2015

[PATCHv5 3/4] netfilter: bridge: rename br_parse_ip_options

br_parse_ip_options() does not parse any IP options, it validates IP
packets as a whole and the function name is misleading.

Rename br_parse_ip_options() to br_validate_ipv4().

Signed-off-by: Bernhard Thaler <bernhard.thaler <at> wvnet.at>
---
Patch revision history:

v5
* rebase to current davem/net-next

v4
* re-post due to errors in v3 formatting introduced by my MUA

v3
* re-assignment of iph variable needed because pskb_may_pull() can
invalidate the network header
* same patch as v1 again

v2
* first patch did not contain statement removing double iph variable
  assignment

 net/bridge/br_netfilter.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index a43e216..f34edb6 100644
--- a/net/bridge/br_netfilter.c
(Continue reading)

Bernhard Thaler | 28 May 10:24 2015

[PATCHv6 2/4] netfilter: bridge: forward IPv6 fragmented packets

IPv6 fragmented packets are not forwarded on an ethernet bridge
with netfilter ip6_tables loaded. E.g. steps to reproduce:

1) create a simple bridge like this

        modprobe br_netfilter
        brctl addbr br0
        brctl addif br0 eth0
        brctl addif br0 eth2
        ifconfig eth0 up
        ifconfig eth2 up
        ifconfig br0 up

2) place a host with an IPv6 address on each side of the bridge

        set IPv6 address on host A:
        ip -6 addr add fd01:2345:6789:1::1/64 dev eth0

        set IPv6 address on host B:
        ip -6 addr add fd01:2345:6789:1::2/64 dev eth0

3) run a simple ping command on host A with packets > MTU

        ping6 -s 4000 fd01:2345:6789:1::2

4) wait some time and run e.g. "ip6tables -t nat -nvL" on the bridge

IPv6 fragmented packets traverse the bridge cleanly until somebody runs
"ip6tables -t nat -nvL". As soon as it is run (and netfilter modules are
loaded) IPv6 fragmented packets do not traverse the bridge any more (you
(Continue reading)

Bernhard Thaler | 28 May 10:23 2015

[PATCHv3 1/4] netfilter: bridge: detect NAT66 correctly and change MAC address

IPv4 iptables allows REDIRECT/DNAT/SNAT of any traffic over a bridge.

e.g. REDIRECT
$ sysctl -w net.bridge.bridge-nf-call-iptables=1
$ iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 \
  -j REDIRECT --to-ports 81

This does not work with ip6tables on a bridge in NAT66 scenario
because the REDIRECT/DNAT/SNAT is not correctly detected.

The bridge pre-routing (finish) netfilter hook has to check for a possible
redirect and then fix the destination mac address. This allows the use of
ip6tables rules for local REDIRECT/DNAT/SNAT, similar to the IPv4
iptables version.

e.g. REDIRECT
$ sysctl -w net.bridge.bridge-nf-call-ip6tables=1
$ ip6tables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 \
  -j REDIRECT --to-ports 81

This patch makes it possible to use IPv6 NAT66 on a bridge. It was tested
on a bridge with two interfaces using SNAT/DNAT NAT66 rules.

Reported-by: Artie Hamilton <artiemhamilton <at> yahoo.com>
Signed-off-by: Sven Eckelmann <sven <at> open-mesh.com>
[bernhard.thaler <at> wvnet.at: rebased, adjust function order]
[bernhard.thaler <at> wvnet.at: add indirect call to ip6_route_input()]
[bernhard.thaler <at> wvnet.at: rebased]
Signed-off-by: Bernhard Thaler <bernhard.thaler <at> wvnet.at>
---
(Continue reading)

Eddi Linder | 27 May 12:11 2015

REROUTE target extension

Hey,

I am planning to write a "redirection" extension that based on a match
will copy the matched packet to other interfaces.
The extension should work both on input chains and output chains
(ingress and egress traffic), and will be able to copy the packet as
egress or ingress of the selected interface.
I currently have a basic working POC, but I have some concerns.

1. When dealing with egress traffic (OUTPUT/POSTROUTING), the packet
is lacking the Ethernet layer headers. So, as I see it, I can either
fetch those fields by myself which is inefficient, or somehow change
only the output device we are dealing with and call the function
following the NF_HOOK. The latter option requires me to pass the okfn
pointer somehow into the target handling code.
2. An skb received on a bridge needs to be stripped of its nf_bridge
fields; can this cause any problems after the redirect?
3. I'd like to support multiple redirects per-match, currently I use
skb_clone before each redirect (otherwise, the original skb is being
freed), is that the best way to do it?

The current api I'm looking into is: "iptables -A INPUT -i eth2 -j
REROUTE --actions input:eth0,output:veth0,continue".
When a packet is received on eth2, it will redirect the packet into the
eth0 rx queue and the veth1 tx queue, and will continue the packet
handling on eth2 (return XT_CONTINUE).

Any suggestions or comments will be appreciated.
Thanks,
Eddie
(Continue reading)

Florian Westphal | 27 May 02:35 2015

[PATCH -next 1/2] netfilter: iptables: separate counters from iptables rules

The binary arp/ip/ip6tables ruleset is stored per cpu.

The only reason left as to why we need percpu duplication is the rule
counters embedded into ipt_entry et al -- since each cpu has its own copy
of the rules, all counters can be lockless.

The downside is that the more cpus are supported, the more memory is
required.  Rules are not just duplicated per online cpu but for each
possible cpu, i.e. if maxcpu is 144, then the rule is duplicated 144 times,
not for the e.g. 64 cores present.

To save some memory and also allow cpus with shared caches to make
better use of available cache size, it would be preferable to only
store a copy of the rule blob for each numa node.

So we first need to separate counters and the rule blob.

We create an array of struct xt_counters for each possible cpu and
index them from the main blob via the (unused after validation)
->comefrom member.

Reported-by: Marcelo Ricardo Leitner <marcelo.leitner <at> gmail.com>
Acked-by: Jesper Dangaard Brouer <brouer <at> redhat.com>
Signed-off-by: Florian Westphal <fw <at> strlen.de>
---
 include/linux/netfilter/x_tables.h |  6 ++++++
 net/ipv4/netfilter/arp_tables.c    | 31 ++++++++++++++--------------
 net/ipv4/netfilter/ip_tables.c     | 31 ++++++++++++++--------------
 net/ipv6/netfilter/ip6_tables.c    | 32 ++++++++++++++---------------
 net/netfilter/x_tables.c           | 42 ++++++++++++++++++++++++++++++++++++++
(Continue reading)

Eddie Linder | 26 May 11:13 2015

[PATCH 1/1] netfilter: Added vlan matching extension

Signed-off-by: Eddie Linder <eddi <at> guardicore.com>
---
 include/uapi/linux/netfilter/Kbuild    |  1 +
 include/uapi/linux/netfilter/xt_vlan.h | 10 ++++
 net/netfilter/Makefile                 |  1 +
 net/netfilter/xt_vlan.c                | 88 ++++++++++++++++++++++++++++++++++
 4 files changed, 100 insertions(+)
 create mode 100644 include/uapi/linux/netfilter/xt_vlan.h
 create mode 100644 net/netfilter/xt_vlan.c

diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 1d973d2..2ca36db 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
 <at>  <at>  -85,3 +85,4  <at>  <at>  header-y += xt_tcpmss.h
 header-y += xt_tcpudp.h
 header-y += xt_time.h
 header-y += xt_u32.h
+header-y += xt_vlan.h
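Review bot: the patch carries no description at all, only a Signed-off-by; a new match extension needs at least a paragraph on what it matches (VLAN id, priority, tagged versus untagged frames), how it relates to the existing ebtables vlan match, and a usage example. The diffstat above also lists a Makefile change but no Kconfig change, so the new object has no config symbol to be built under; either add a Kconfig entry for the match or explain how the Makefile line gets enabled.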
diff --git a/include/uapi/linux/netfilter/xt_vlan.h b/include/uapi/linux/netfilter/xt_vlan.h
new file mode 100644
index 0000000..71e8089
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_vlan.h
 <at>  <at>  -0,0 +1,10  <at>  <at> 
+#ifndef _XT_VLAN_H
+#define _XT_VLAN_H
+
+
+struct xt_vlan_info {
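Review bot: lines +3 and +4 of the new header are two consecutive blank lines after the include guard; one is enough. The struct body is cut off here, but since this is a uapi header it must include <linux/types.h> and use fixed-width __u8/__u16/__u32 types rather than plain C integer types for any field of xt_vlan_info, and the closing guard should carry the customary trailing comment (#endif /* _XT_VLAN_H */).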
(Continue reading)

Bernhard Thaler | 26 May 04:09 2015

ebtables not working correctly with 1086bbe97a074844188c6c988fa0b1a98c3ccbb9

Hi,

setting rules with ebtables does not work for me any more with
1086bbe97a074844188c6c988fa0b1a98c3ccbb9 / "netfilter: ensure number of
counters is >0 in do_replace()" in place.

There is an error message and no rules set in the end.

e.g.

root <at> kali:~# ebtables -t nat -A POSTROUTING --src 12:34:56:78:9a:bc -j DROP
Unable to update the kernel. Two possible causes:
1. Multiple ebtables programs were executing simultaneously. The ebtables
   userspace tool doesn't by default support multiple ebtables programs running
   concurrently. The ebtables option --concurrent or a tool like flock can be
   used to support concurrent scripts that update the ebtables kernel tables.
2. The kernel doesn't support a certain ebtables extension, consider
   recompiling your kernel or insmod the extension.
.

The rule is not set:

root <at> kali:~# ebtables -t nat -Ln --Lc
Bridge table: nat

Bridge chain: PREROUTING, entries: 0, policy: ACCEPT

(Continue reading)
