Daniel Martin | 22 Oct 23:06 2014

Xtables Getting Started Question

Hello,

I am writing this message because I have developed a personal interest in Xtables and Netfilter.  I am not a
programmer by trade, but I wish to develop a custom NAT module using Xtables and Netfilter.  So far I have
begun reading through existing Xtables code, and I have only found one single PDF called "Writing Netfilter
modules" by Jan Engelhardt and Nicolas Bouliane, which looks like it will be helpful, but I was wondering if
there is any other documentation or books out there that could be helpful, or whether there is a better way to start
learning, because so far things have been very slow going.  Thanks for your time.

Joe
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Alvaro Neira Ayuso | 22 Oct 15:25 2014

[nft PATCH 1/2 v3] evaluate: reject: accept a reject reason with incorrect network context

nft add rule bridge test-bridge input ether type ip \
				reject with icmpv6 type no-route

This rule passes the evaluation step, but the network context is incompatible with
the reject reason. In those cases, we have to throw an error like "conflicting
protocols specified: ip vs ip6".

Signed-off-by: Alvaro Neira Ayuso <alvaroneay <at> gmail.com>
---
[no changes in v3]

 src/evaluate.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index ff46fda..977f6b4 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
 <at>  <at>  -1237,6 +1237,8  <at>  <at>  static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
 			case __constant_htons(ETH_P_IP):
 				if (NFPROTO_IPV4 == stmt->reject.family)
 					break;
+				return stmt_error(ctx, stmt,
+				  "conflicting protocols specified: ip vs ip6");
 			case __constant_htons(ETH_P_IPV6):
 				if (NFPROTO_IPV6 == stmt->reject.family)
 					break;
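Review bot: the added return closes the fall-through from the ETH_P_IP case into ETH_P_IPV6, which is what let `ether type ip ... reject with icmpv6 type no-route` pass evaluation: with an IPv6 reject family the first `if` did not break, control fell into the ETH_P_IPV6 case and matched there. The hunk ends at the second `break`, so the mirror case (ETH_P_IPV6 context with an IPv4 reject reason) is not visible; it needs the equivalent `return stmt_error(ctx, stmt, "conflicting protocols specified: ip6 vs ip");` before whatever case follows, otherwise the check is only half symmetric. A one-line comment on the new return explaining that it must sit before the next `case` label would help, since the construct reads like an accidental fall-through guard.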
--

-- 
1.7.10.4


Pablo Neira Ayuso | 21 Oct 17:31 2014

Re: [PATCH] netfilter: xt_hashlimit: Enhance the xt_hashlimit to avoid duplicated codes

On Tue, Oct 21, 2014 at 11:23:16PM +0800, Feng Gao wrote:
> Hi all,
> 
> Enhance the functions "dsthash_alloc_init" and "hashlimit_mt" in file
> "xt_hashlimit.c" to avoid two duplicated codes following:
> 
> -           dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
> -           rateinfo_recalc(dh, now, hinfo->cfg.mode);
> 
> 
> The whole patch is following

The patch seems mangled by your MUA.

BTW, you can just Cc netfilter patches to
netfilter-devel <at> vger.kernel.org. No need to Cc that many people.


Alvaro Neira Ayuso | 21 Oct 16:15 2014

[nft PATCH 1/4 v2] evaluate: refactor function to check the reject family in inet and bridge

This patch makes a refactorization of the code to check the reject family in inet
and bridge. These changes will be used in follow-up patches.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay <at> gmail.com>
---
[changes in v2]
 * Refactor the function into two more functions, to check the reject family in
   inet and bridge tables.

 src/evaluate.c |  134 ++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 86 insertions(+), 48 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index ff46fda..e26e2f8 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
 <at>  <at>  -1202,12 +1202,94  <at>  <at>  static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt,
 	return 0;
 }

-static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
+static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
+					    struct stmt *stmt,
+					    const struct proto_desc *desc)
+{
+	const struct proto_desc *base;
+	int protocol;
+
+	base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
+	protocol = proto_find_num(base, desc);
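Review bot: stmt_evaluate_reject_inet_family() stores the result of proto_find_num() without any visible not-found handling, and the hunk is cut off before the switch on `protocol`, so that path cannot be reviewed from this excerpt; a negative result should produce a stmt_error rather than fall out of the switch silently. The caller that now supplies `desc` should also keep the `desc != NULL` guard that the previous version of this function had around the network-header lookup, because an inet rule with no network-header context has nothing to compare the reject family against.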

Feng Gao | 21 Oct 15:48 2014

Re: [PATCH] netfilter: Fix wasteful cleanup check for unconfirmed conn in get_next_corpse

Sorry. I get that it is not an issue after reading the code again.
The unconfirmed conn list check is only performed once in the current code,
because it is checked only when no matching conntracks are found in
function get_next_corpse.

Then I think the current code may confuse the reader. I am an example.
So could my changes be taken as an enhancement?

Best Regards
Feng

On Tue, Oct 21, 2014 at 10:47 AM, Feng Gao <gfree.wind <at> gmail.com> wrote:
> Paste my changes directly instead of the attachment.
>
> Subject: [PATCH 1/1] netfilter: Fix wasteful cleanup check for unconfirmed
> conn in get_next_corpse
>
> The function get_next_corpse is used to iterate the conntracks.
> It will check the per-cpu unconfirmed list of every cpu too.
> Now it is only invoked by nf_ct_iterate_cleanup in one while loop.
> Actually the unconfirmed list could be accessed completely by one call, so
> the other calls are wasteful.
>
> So move the unconfirmed list check outside the function get_next_corpse and
> create one new function.
> Let nf_ct_iterate_cleanup invoke the new function
> clean_up_unconfirmed_conntracks once after the loops.
>
> Signed-off-by: fgao <gfree.wind <at> gmail.com>
> ---

Arturo Borrero Gonzalez | 21 Oct 13:25 2014

[RFC nft PATCH] src: add import operation

The import operation reads an XML or JSON file, with syntax:
 % nft import {xml|json}

A basic way to test this new functionality is:
 % nft export xml | nft import xml

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at> gmail.com>
---

NOTE: This patch requires:
	* [nft] mnl: delete useless parameter nf_sock in batch functions
	* [libnftnl] ruleset: deconstify _get interface

Please comment :-)

 include/mnl.h     |   12 ++++
 include/netlink.h |    4 +
 include/rule.h    |   13 ++++
 src/evaluate.c    |    1 
 src/mnl.c         |  170 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 src/netlink.c     |   64 ++++++++++++++++++++
 src/parser.y      |   20 +++++-
 src/rule.c        |   52 ++++++++++++++++
 src/scanner.l     |    1 
 9 files changed, 330 insertions(+), 7 deletions(-)

diff --git a/include/mnl.h b/include/mnl.h
index a0dfa1b..4126f18 100644
--- a/include/mnl.h
+++ b/include/mnl.h

Arturo Borrero Gonzalez | 21 Oct 11:47 2014

[nft PATCH] mnl: delete useless parameter nf_sock in batch functions

The 'struct mnl_socket *nf_sock' parameter is useless and perturbing.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at> gmail.com>
---
 include/mnl.h |   16 ++++++++--------
 src/mnl.c     |   32 ++++++++++++++++----------------
 src/netlink.c |   20 ++++++++++----------
 3 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/include/mnl.h b/include/mnl.h
index 03d1876..a0dfa1b 100644
--- a/include/mnl.h
+++ b/include/mnl.h
 <at>  <at>  -36,11 +36,11  <at>  <at>  struct nft_rule_list *mnl_nft_rule_dump(struct mnl_socket *nf_sock,

 int mnl_nft_chain_add(struct mnl_socket *nf_sock, struct nft_chain *nlc,
 		      unsigned int flags);
-int mnl_nft_chain_batch_add(struct mnl_socket *nf_sock, struct nft_chain *nlc,
+int mnl_nft_chain_batch_add(struct nft_chain *nlc,
 			    unsigned int flags, uint32_t seq);
 int mnl_nft_chain_delete(struct mnl_socket *nf_sock, struct nft_chain *nlc,
                          unsigned int flags);
-int mnl_nft_chain_batch_del(struct mnl_socket *nf_sock, struct nft_chain *nlc,
+int mnl_nft_chain_batch_del(struct nft_chain *nlc,
 			    unsigned int flags, uint32_t seq);
 struct nft_chain_list *mnl_nft_chain_dump(struct mnl_socket *nf_sock,
 					  int family);
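Review bot: the header drops nf_sock only from mnl_nft_chain_batch_add() and mnl_nft_chain_batch_del(), while mnl_nft_chain_add(), mnl_nft_chain_delete() and mnl_nft_chain_dump() keep it, so the commit message should state why the batch variants never needed the socket (presumably because they only append to the batch and the send happens elsewhere) instead of just calling the parameter "useless and perturbing". Since this changes prototypes, the src/mnl.c definitions and the src/netlink.c callers listed in the diffstat must land in this same commit so every intermediate tree still builds.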
 <at>  <at>  -49,11 +49,11  <at>  <at>  int mnl_nft_chain_get(struct mnl_socket *nf_sock, struct nft_chain *nlc,

 int mnl_nft_table_add(struct mnl_socket *nf_sock, struct nft_table *nlt,

Dan Carpenter | 21 Oct 10:28 2014

[patch] netfilter: ipset: off by one in ip_set_nfnl_get_byindex()

The ->ip_set_list[] array is initialized in ip_set_net_init() and it
has ->ip_set_max elements, so this check should be >= instead of >;
otherwise we are off by one.

Signed-off-by: Dan Carpenter <dan.carpenter <at> oracle.com>
---
I am not very familiar with this code, so please review cautiously.
This is an old bug which should go to -stable.

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 912e5a0..86f9d76 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
 <at>  <at>  -659,7 +659,7  <at>  <at>  ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index)
 	struct ip_set *set;
 	struct ip_set_net *inst = ip_set_pernet(net);

-	if (index > inst->ip_set_max)
+	if (index >= inst->ip_set_max)
 		return IPSET_INVALID_ID;

 	nfnl_lock(NFNL_SUBSYS_IPSET);
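Review bot: the fix is correct for exactly the reason the message gives: with ip_set_max entries, index == ip_set_max is one past the end, and the old `>` let it through to the locked lookup that follows. Since the author asks for a -stable backport, the commit should carry a Fixes: tag naming the commit that introduced the per-net ip_set_list in ip_set_net_init(), so stable maintainers can place it; it is also worth checking the other callers that index ip_set_list[] with a caller-supplied id for the same `>` versus `>=` mistake before this goes in.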

Alvaro Neira Ayuso | 21 Oct 01:29 2014

[nft PATCH 1/4] evaluate: refactor function to check the reject family in inet and bridge

This patch makes a refactorization of the code to check the reject family in inet
and bridge. These changes will be used in follow-up patches.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay <at> gmail.com>
---
 src/evaluate.c |  110 ++++++++++++++++++++++++++++++++------------------------
 1 file changed, 63 insertions(+), 47 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 1fec120..977df86 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
 <at>  <at>  -1202,12 +1202,72  <at>  <at>  static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt,
 	return 0;
 }

-static int stmt_evaluate_reject_family(struct eval_ctx *ctx, struct stmt *stmt,
+static int stmt_evaluate_reject_inet(struct eval_ctx *ctx, struct stmt *stmt,
+				       struct expr *expr)
+{
+	const struct proto_desc *desc, *base;
+	int protocol;
+
+	base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
+	desc = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+	if (desc != NULL) {
+		protocol = proto_find_num(base, desc);
+		switch (protocol) {
+		case NFPROTO_IPV4:
+			if (stmt->reject.family == NFPROTO_IPV4)
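Review bot: the `if (desc != NULL)` guard before proto_find_num() is the right shape, but the hunk is cut before the else path, so it is not visible what an inet rule with no network-header context does with a family-specific reject reason; it should either generate the dependency through stmt_reject_gen_dependency() (visible in the context above) or report an error, not silently accept the statement. Comparing the proto_find_num() result with NFPROTO_IPV4 also relies on the numbering of the link-layer base descriptor, which is NFPROTO_* for inet but htons(ETH_P_*) for bridge, so a short comment at the switch would save the next reader from assuming the two tables share the same case labels.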

Marcelo Ricardo Leitner | 20 Oct 23:58 2014

[PATCH] netfilter: log: protect nf_log_register against double registering

Currently, despite the comment right before the function,
nf_log_register allows registering two loggers with the same type and
ends up overwriting the previous registration.

Not a real issue today as current tree doesn't have two loggers for the
same type but it's better to get this protected.

Also make sure that all of its callers do error checking.

Signed-off-by: Marcelo Ricardo Leitner <mleitner <at> redhat.com>
---

Notes:
    Please let me know if you have any issues with the indentation on
    nf_log_register. I just couldn't find a better one.

    Thanks

 net/ipv4/netfilter/nf_log_arp.c  |  8 +++++++-
 net/ipv4/netfilter/nf_log_ipv4.c |  8 +++++++-
 net/ipv6/netfilter/nf_log_ipv6.c |  8 +++++++-
 net/netfilter/nf_log.c           | 13 ++++++++++++-
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c
index ccfc78db12ee8acae68faf451f2cf6bc5597f2c1..8b39174b7be390397a110ec9d3ed497bf8ce6d26 100644
--- a/net/ipv4/netfilter/nf_log_arp.c
+++ b/net/ipv4/netfilter/nf_log_arp.c
 <at>  <at>  -130,7 +130,13  <at>  <at>  static int __init nf_log_arp_init(void)
 	if (ret < 0)

vDev | 20 Oct 23:58 2014

TCP LAST ACK incorrectly treated as invalid

It looks like TCP conntrack is incorrectly treating "LAST ACK" (ACK
from peer for last FIN) as the sequence number comparison does not
take into account that the last ACK sequence number will be one
greater than the previous sequence number.

Here's the code that seems to be the cause of it in tcp_in_window()
[nf_conntrack_proto_tcp.c]:

	pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
		 before(seq, sender->td_maxend + 1),
		 after(end, sender->td_end - receiver->td_maxwin - 1),
		 before(sack, receiver->td_end + 1),
		 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));

	if (before(seq, sender->td_maxend + 1) &&
	    after(end, sender->td_end - receiver->td_maxwin - 1) &&
	    before(sack, receiver->td_end + 1) &&
	    after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {

III in pr_debug will be 0, as "before(sack, receiver->td_end + 1)" will
evaluate to false because sack will be equal to (receiver->td_end + 1) for
the last ACK. The sequence number will be one greater in the last ACK.

Any feedback will be helpful. Thanks for looking into this.
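To make the comparison in the report above concrete, here is an added example (not code from the kernel or from the original message) that re-implements the kernel's wrap-safe before()/after() and evaluates the four tcp_in_window() conditions on constructed per-direction state. The struct, the sample sequence numbers and the constructed window sizes are assumptions; MAXACKWINDOW follows the conntrack code's max(td_maxwin, 66000) rule.

```c
#include <stdbool.h>
#include <stdint.h>

/* Wrap-safe sequence comparisons, as in the kernel's include/net/tcp.h. */
static inline bool before(uint32_t seq1, uint32_t seq2)
{
	return (int32_t)(seq1 - seq2) < 0;
}
#define after(seq2, seq1) before(seq1, seq2)

/* Per-direction state with only the fields the window test reads; a
 * constructed stand-in for the kernel's struct, not its definition. */
struct dir_state {
	uint32_t td_end;    /* highest seq + len seen from this side */
	uint32_t td_maxend; /* highest ack + window seen from this side */
	uint32_t td_maxwin; /* largest window seen from this side */
};

/* The conntrack code widens small windows to 66000 for the ack test. */
#define MAXACKWINCONST 66000u
#define MAXACKWINDOW(s) \
	((s)->td_maxwin > MAXACKWINCONST ? (s)->td_maxwin : MAXACKWINCONST)

struct window_checks { bool i, ii, iii, iv; };

/* The four conditions printed as I..IV in the tcp_in_window() pr_debug. */
static struct window_checks
eval_window(const struct dir_state *sender, const struct dir_state *receiver,
	    uint32_t seq, uint32_t end, uint32_t sack)
{
	struct window_checks c;
	c.i   = before(seq, sender->td_maxend + 1);
	c.ii  = after(end, sender->td_end - receiver->td_maxwin - 1);
	c.iii = before(sack, receiver->td_end + 1);
	c.iv  = after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1);
	return c;
}

/* A pure ACK (seq == end) carrying ack number `sack`, checked against a
 * receiver whose recorded td_end is given; the rest of the state is made up. */
static struct window_checks last_ack_checks(uint32_t rcv_td_end, uint32_t sack)
{
	struct dir_state snd = { .td_end = 1000, .td_maxend = 66535,
				 .td_maxwin = 65535 };
	struct dir_state rcv = { .td_end = rcv_td_end, .td_maxwin = 65535 };

	/* III is 1 while sack <= td_end and drops to 0 at sack == td_end + 1,
	 * which is the report's last-ACK case; the 32-bit wrap is handled. */
	return eval_window(&snd, &rcv, 1000, 1000, sack);
}
```

The example only evaluates the comparison: whether a real last ACK actually arrives with an ack number of td_end + 1 depends on how td_end is advanced when the FIN is seen, which is the point to confirm against the conntrack state machine.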
