Daniel Borkmann | 27 Mar 19:38 2015

[PATCH -iptables] cgroup, man: improve man-page bits

Document limitations when in use with INPUT until we find a
better solution. Also fix up the indent in the example section.

Signed-off-by: Daniel Borkmann <daniel <at> iogearbox.net>
 extensions/libxt_cgroup.man | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man
index 456a031..d0eb09b 100644
--- a/extensions/libxt_cgroup.man
+++ b/extensions/libxt_cgroup.man
 <at>  <at>  -2,13 +2,21  <at>  <at> 
 [\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP
 Match corresponding cgroup for this packet.

-Can be used to assign particular firewall policies for aggregated
-task/jobs on the system. This allows for more fine-grained firewall
-policies that only match for a subset of the system's processes.
-fwid is the maker set through the net_cls cgroup's id.
+Can be used in the OUTPUT chain to assign particular firewall
+policies for aggregated task/jobs on the system. This allows
+for more fine-grained firewall policies that only match for a
+subset of the system's processes. fwid is the maker set through
+the net_cls cgroup's id.
+\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup
+matcher is currently only of limited functionality, meaning it
+will only match on packets that are processed for local sockets
+through early socket demuxing. Therefore, general usage on the
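Review bot: the rewrapped paragraph carries over the typo "maker" in "fwid is the maker set through the net_cls cgroup's id"; since this hunk already rewrites that sentence, change it to "marker" here rather than in a follow-up. The new IMPORTANT paragraph is the right place for the INPUT caveat, but it should state the consequence for the reader plainly: packets for sockets that are not resolved by early demux will simply not match, so rules relying on the cgroup match in INPUT cannot be used as a deny-by-default policy.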
(Continue reading)

Daniel Borkmann | 27 Mar 19:37 2015

[PATCH -nf] netfilter: x_tables: fix cgroup matching on non-full sks

While originally only being intended for outgoing traffic, commit
a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for
LOCAL_IN nf hooks") enabled xt_cgroups for the NF_INET_LOCAL_IN hook
as well, in order to allow for nfacct accounting.

Besides being currently limited to early demuxes only, commit
a00e76349f35 forgot to add a check if we deal with full sockets,
i.e. in this case not with time wait sockets. TCP time wait sockets
do not have the same memory layout as full sockets, a lower memory
footprint and consequently also don't have a sk_classid member;
probing for sk_classid member there could potentially lead to a

Fixes: a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks")
Cc: Alexey Perevalov <a.perevalov <at> samsung.com>
Signed-off-by: Daniel Borkmann <daniel <at> iogearbox.net>
 (As discussed the fix for xt_cgroups, so it can be queued for
  -stable. In nf-next speak that would be !sk_fullsock(skb->sk).)

 net/netfilter/xt_cgroup.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index 7198d66..d64aca0 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
 <at>  <at>  -16,6 +16,7  <at>  <at> 
 #include <linux/module.h>
 #include <linux/netfilter/x_tables.h>
(Continue reading)

Justin Michael Schwartzbeck | 27 Mar 16:13 2015

How to do a NAT lookup from the kernel?


I have been trying to figure out how to do a NAT lookup from the
kernel. I have been looking at connection tracking in the
documentation but I can't figure out exactly what this is capable of
or whether it can do what I want it to do.

This is my situation in detail: I have a client VM, a dNAT VM, and a
proxy VM. HTTP/HTTPS traffic from the client is routed to the dNAT VM
and is destination natted (via iptables rule) to the proxy VM and
proxy port. Right now I am having trouble with path MTU discovery and
am wanting to write a module that forwards ICMP (no route to host)
packets associated with an HTTP connection (sent back from the client)
back to the HTTP proxy and rewrites the translated IP/ports according
to what is in the NAT table for that connection. So basically when the
dNAT receives an ICMP (no route to host, fragmentation needed) from
the client side, I want to be able to look in the NAT table and do a
lookup on the source IP, destination IP, source port, and destination
port and find the associated connection to the proxy server. I know
this is possible because when I establish the connection I can do a
cat on /proc/net/nf_conntrack and get the full information, for
example, when the client makes a connection to slashdot this gets

ipv4     2 tcp      6 86396 ESTABLISHED src=(client vm ip)
dst=(slashdot ip) sport=1028 dport=80 src=(proxy vm ip) dst=(dnat vm
ip) sport=8080 dport=1028 [ASSURED] mark=0 secmark=0 use=2

The thing is I want to be able to get this information from within the
kernel. Any tips on how to do this?
(Continue reading)

Daniel Borkmann | 26 Mar 20:14 2015

[PATCH nf-next v2 0/2] xt_cgroups fix

Hi Pablo,

here's a possible fix for xt_cgroups that was previously reported
by Daniel Mack.

I respinned the set based on your previous feedback wrt tw sockets.

The first patch refactors common helpers, which are later used
by the actual fix. Please see individual patches for details.

I have rebased it against nf-next as in the previous version.

Thanks a lot!

  - patch1 as is
  - patch2 checks for full socket

Daniel Borkmann (2):
  netfilter: x_tables: refactor lookup helpers from xt_socket
  netfilter: x_tables: fix cgroup's NF_INET_LOCAL_IN sk lookups

 net/netfilter/Kconfig        |   5 +
 net/netfilter/xt_cgroup.c    |  92 +++++++++++---
 net/netfilter/xt_sk_helper.h | 282 +++++++++++++++++++++++++++++++++++++++++
 net/netfilter/xt_socket.c    | 293 +++----------------------------------------
 4 files changed, 379 insertions(+), 293 deletions(-)
 create mode 100644 net/netfilter/xt_sk_helper.h


(Continue reading)

Patrick McHardy | 26 Mar 14:10 2015

[PATCH libnftnl 0/2] set timeout support

The following two patches add support for set timeouts to libnftnl.

Patrick McHardy (2):
  set: add support for set timeouts
  set_elem: add timeout support

 include/libnftnl/set.h              |  8 ++++++
 include/linux/netfilter/nf_tables.h | 10 ++++++++
 include/set.h                       |  2 ++
 include/set_elem.h                  |  2 ++
 src/libnftnl.map                    |  4 +++
 src/set.c                           | 50 +++++++++++++++++++++++++++++++++++++
 src/set_elem.c                      | 38 ++++++++++++++++++++++++++++
 7 files changed, 114 insertions(+)



To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patrick McHardy | 26 Mar 13:51 2015

[PATCH libnftnl] list: fix prefetch dummy

../include/linux_list.h:385:59: warning: right-hand operand of comma expression has no effect [-Wunused-value]
  for (pos = list_entry((head)->next, typeof(*pos), member), \
set.c:266:2: note: in expansion of macro 'list_for_each_entry'
  list_for_each_entry(elem, &set->element_list, head) {

Signed-off-by: Patrick McHardy <kaber <at> trash.net>
 include/linux_list.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux_list.h b/include/linux_list.h
index de182a4..efffb91 100644
--- a/include/linux_list.h
+++ b/include/linux_list.h
 <at>  <at>  -29,7 +29,7  <at>  <at> 
 	1; \

-#define prefetch(x)		1
+#define prefetch(x)		((void)0)

 /* empty define to make this work in userspace -HW */
 #ifndef smp_wmb
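Review bot: `((void)0)` is the right replacement: as the right-hand operand of the comma expression inside list_for_each_entry it is a void expression, so -Wunused-value no longer fires, and unlike the old `1` it can no longer be silently used as a value. Add a one-line comment above the define saying it is a no-op stand-in for the kernel's prefetch() in userspace, in the same style as the "empty define to make this work in userspace" comment two lines below.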


(Continue reading)

Patrick McHardy | 26 Mar 13:39 2015

[PATCH 0/5] netfilter: nf_tables: set timeout support

These patches add support for set timeouts. Sets can have a default
timeout value that can be overridden by element specific timeouts.

Removal of expired elements will usually be performed by a garbage
collector for two reasons: avoiding an excessive number of timers
and because data deinit has to happen in process context.

The first two patches add the required netlink attributes, parsing,
dump etc. A set of GC helper functions for batched RCU element
destruction is added in patch three, some synchronization helpers
to avoid races between async GC and netlink insertion and removal
of elements are added in patch four.

Following patches will use this infrastructure to support set updates
from the packet classification path for dynamic sets and dynamic
flow state maintenance.

Please apply, thanks!

Patrick McHardy (5):
  netfilter: nf_tables: add set timeout API support
  netfilter: nf_tables: add set element timeout support
  netfilter: nf_tables: add set garbage collection helpers
  netfilter: nf_tables: add GC synchronization helpers
  netfilter: nft_hash: add support for timeouts

 include/net/netfilter/nf_tables.h        | 125 +++++++++++++++++++++++++++++++
 include/uapi/linux/netfilter/nf_tables.h |  10 +++
 net/netfilter/nf_tables_api.c            | 110 +++++++++++++++++++++++++--
 net/netfilter/nft_hash.c                 |  80 +++++++++++++++++++-
(Continue reading)

Pablo Neira Ayuso | 26 Mar 13:06 2015

[PATCH 00/15] Netfilter updates for net-next

Hi David,

The following patchset contains Netfilter updates for your net-next tree.
Basically, nf_tables updates to add the set extension infrastructure and finish
the transaction for sets from Patrick McHardy. More specifically, they are:

1) Move netns to basechain and use recently added possible_net_t, from
   Patrick McHardy.

2) Use LOGLEVEL_<FOO> from nf_log infrastructure, from Joe Perches.

3) Restore nf_log_trace that was accidentally removed during conflict

4) nft_queue does not depend on NETFILTER_XTABLES, starting from here
   all patches from Patrick McHardy.

5) Use raw_smp_processor_id() in nft_meta.

Then, several patches to prepare ground for the new set extension

6) Pass object length to the hash callback in rhashtable as needed by
   the new set extension infrastructure.

7) Cleanup patch to restore struct nft_hash as wrapper for struct

8) Another small source code readability cleanup for nft_hash.

(Continue reading)

Zhang Chunyu | 26 Mar 10:33 2015

[PATCH V3 0/2] add mark target

  add mark target for arptables

  add --and-mark
  add --or-mark
  add revision for common api

  fold 2/4, 3/4 and 4/4 patch into one single patch
  use C99 initialization
  change some format

Zhang Chunyu (2):
  Add MARK target for arptables

 arptables.8                              |  17 ++++
 arptables.c                              |   2 +
 extensions/Makefile                      |   2 +-
 extensions/arpt_CLASSIFY.c               |   1 +
 extensions/arpt_MARK.c                   | 151 +++++++++++++++++++++++++++++++
 extensions/arpt_mangle.c                 |   1 +
 extensions/arpt_standard.c               |   1 +
 include/arptables.h                      |   6 ++
 include/linux/netfilter_arp/arp_tables.h |   3 +-
 9 files changed, 182 insertions(+), 2 deletions(-)
 create mode 100644 extensions/arpt_MARK.c


(Continue reading)

Patrick McHardy | 25 Mar 22:00 2015

[PATCH 1/3] netlink: fix use after free in netlink_get_table()

Signed-off-by: Patrick McHardy <kaber <at> trash.net>
 src/netlink.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index 24dda67..f957295 100644
--- a/src/netlink.c
+++ b/src/netlink.c
 <at>  <at>  -953,19 +953,19  <at>  <at>  int netlink_get_table(struct netlink_ctx *ctx, const struct handle *h,

 	nlt = alloc_nft_table(h);
 	err = mnl_nft_table_get(nf_sock, nlt, 0);
-	nft_table_free(nlt);
 	if (err < 0) {
 		netlink_io_error(ctx, loc,
 				 "Could not receive table from kernel: %s",
-		return err;
+		goto out;

 	ntable = netlink_delinearize_table(ctx, nlt);
 	table->flags = ntable->flags;
-	return 0;
+	nft_table_free(nlt);
+	return err;
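Review bot: moving `nft_table_free(nlt)` below `netlink_delinearize_table(ctx, nlt)` fixes the use after free, but two things follow from it. First, the success path now ends in `return err;` where it returned `0` before, so the function's result depends on mnl_nft_table_get() returning exactly 0 on success rather than any non-negative value; keep `return 0;` there, or set `err = 0;` explicitly. Second, the early free was the only free on the error branch, and that branch now jumps to `out`, which lies outside the visible context; make sure the `out:` path frees nlt as well so the error case does not leak the table object.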
(Continue reading)

Arturo Borrero Gonzalez | 25 Mar 20:15 2015

[nft PATCH 1/3] src: expose delinearize/linearize structures and stmt_error()

From: Pablo Neira Ayuso <pablo <at> netfilter.org>

Needed by the follow up xt compatibility layer patch.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at> gmail.com>
 include/netlink.h         |   41 ++++++++++++++++++++++++++++++++++++++++-
 include/statement.h       |   10 ++++++++++
 src/evaluate.c            |   12 ++++--------
 src/netlink_delinearize.c |   13 -------------
 src/netlink_linearize.c   |    5 -----
 5 files changed, 54 insertions(+), 27 deletions(-)

diff --git a/include/netlink.h b/include/netlink.h
index c1ff9c6..57f7a7b 100644
--- a/include/netlink.h
+++ b/include/netlink.h
 <at>  <at>  -12,10 +12,49  <at>  <at> 

 #include <rule.h>

+/** struct netlink_linearize_ctx
+ *
+ *  <at> nlr:	nftnl rule object
+ *  <at> reg_low:	next spare register
+ */
+struct netlink_linearize_ctx {
+	struct nft_rule		*nlr;
+	unsigned int		reg_low;
(Continue reading)