Daniel Borkmann | 1 Jul 18:24 2015

[PATCH nf] netfilter: nf_conntrack: fix endless loop on netns deletion

When adding connection tracking template rules to a netns, f.e. to
configure netfilter zones, the kernel will endlessly busy-loop as soon
as we try to delete the given netns in case there's at least one
template present. Minimal example:

  ip netns add foo
  ip netns exec foo iptables -t raw -A PREROUTING -d 1.2.3.4 -j CT --zone 1
  ip netns del foo

What happens is that when nf_ct_iterate_cleanup() is being called from
nf_conntrack_cleanup_net_list() for a provided netns, we always end up
with a net->ct.count > 0 and thus jump back to i_see_dead_people. We
don't get a soft-lockup as we still have a schedule() point, but the
serving CPU spins on 100% from that point onwards.

Since templates are normally allocated with nf_conntrack_alloc(), we
also bump net->ct.count, but they are never freed via nf_ct_put(). Thus,
when we delete a netns, we also need to check and free them from the
pcpu template list, so that the refcount can actually drop to 0 and
eventually move on with destroying the netns.

Therefore, we add a nf_ct_tmpls_cleanup() function, that is similar to
nf_ct_iterate_cleanup(), but which handles templates that got onto the
list via nf_conntrack_tmpl_insert(). Note that nf_ct_put() needs to be
done outside of the lock protecting the pcpu lists.

Fixes: 252b3e8c1bc0 ("netfilter: xt_CT: fix crash while destroy ct templates")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 (I believe this should be the case since 252b3e8c1bc0.)

Pablo Neira Ayuso | 1 Jul 16:14 2015

[PATCH nf,v2] netfilter: nfnetlink: keep going batch handling on missing modules

After a fresh boot with no modules in place at all and a large ruleset, the
existing nfnetlink_rcv_batch() function can take a long time to commit the ruleset
due to the many abort paths. This is specifically a problem for the existing
client of this code, i.e. nf_tables, since it results in several
synchronize_rcu() calls in a row.

This patch changes the policy to keep full batch processing on missing modules
errors so we abort only once.

Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: cleanup that introduces status flags instead.

 net/netfilter/nfnetlink.c |   38 +++++++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 13 deletions(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 8b117c9..0c0e8ec 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
 <at>  <at>  -269,6 +269,12  <at>  <at>  static void nfnl_err_deliver(struct list_head *err_list, struct sk_buff *skb)
 	}
 }

+enum {
+	NFNL_BATCH_FAILURE	= (1 << 0),
+	NFNL_BATCH_DONE		= (1 << 1),
+	NFNL_BATCH_REPLAY	= (1 << 2),
+};
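Review bot: the three status bits introduced here carry no comment saying when each is set and who clears it; a one-line comment per flag (for instance that NFNL_BATCH_REPLAY is set when a message fails on a missing module so that the batch is aborted once and replayed after the module load, as the commit message describes) would make the state machine readable without having to trace nfnetlink_rcv_batch() itself.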
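The policy change the patch describes (finish the pass over the batch when a module is missing, then abort and replay once, instead of aborting on every missing module) can be modelled in user space. The following is an added example, not kernel code and not part of the patch: the batch messages, the module names and request_module_sim() are constructed stand-ins, and the only thing it shares with the patch is the three status flags.

```c
/* Added illustration (not kernel code): a user-space model of the batch
 * policy change. Each message in a batch needs an "expression module"; a
 * module that is not loaded must be requested and the whole batch aborted
 * and replayed. The old policy aborts on the first missing module, the new
 * one finishes the pass and aborts only once. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum {
	NFNL_BATCH_FAILURE = (1 << 0),	/* unrecoverable error, give up */
	NFNL_BATCH_DONE    = (1 << 1),	/* pass completed, commit */
	NFNL_BATCH_REPLAY  = (1 << 2),	/* a module was loaded, replay batch */
};

#define MAX_MODS 8

struct batch_msg {
	const char *module;	/* module the message needs (hypothetical) */
};

struct modstate {
	const char *loaded[MAX_MODS];
	size_t nloaded;
};

static bool module_loaded(const struct modstate *ms, const char *name)
{
	for (size_t i = 0; i < ms->nloaded; i++)
		if (strcmp(ms->loaded[i], name) == 0)
			return true;
	return false;
}

/* stands in for request_module(); fails only when the table is full */
static bool request_module_sim(struct modstate *ms, const char *name)
{
	if (module_loaded(ms, name))
		return true;
	if (ms->nloaded >= MAX_MODS)
		return false;
	ms->loaded[ms->nloaded++] = name;
	return true;
}

/* One pass over the batch, returning status flags. With abort_early set
 * (old policy) the first missing module ends the pass; otherwise (new
 * policy) missing modules are loaded, noted, and the pass completes. */
static unsigned int batch_pass(const struct batch_msg *msgs, size_t n,
			       struct modstate *ms, bool abort_early)
{
	unsigned int status = 0;

	for (size_t i = 0; i < n; i++) {
		if (module_loaded(ms, msgs[i].module))
			continue;
		if (!request_module_sim(ms, msgs[i].module))
			return status | NFNL_BATCH_FAILURE;
		status |= NFNL_BATCH_REPLAY;
		if (abort_early)
			return status;
	}
	if (!(status & NFNL_BATCH_REPLAY))
		status |= NFNL_BATCH_DONE;
	return status;
}

/* Drive passes until the batch commits or fails; returns the number of
 * aborts (each one costs a synchronize_rcu() in the real code). */
static unsigned int run_batch(const struct batch_msg *msgs, size_t n,
			      bool abort_early)
{
	struct modstate ms = { .nloaded = 0 };
	unsigned int aborts = 0;

	for (;;) {
		unsigned int st = batch_pass(msgs, n, &ms, abort_early);
		if (st & (NFNL_BATCH_DONE | NFNL_BATCH_FAILURE))
			return aborts;
		aborts++;	/* abort + replay */
	}
}

/* constructed batch: four messages needing three distinct unloaded modules */
static const struct batch_msg sample_batch[] = {
	{ "nft_payload" }, { "nft_cmp" }, { "nft_payload" }, { "nft_immediate" },
};
#define SAMPLE_N (sizeof(sample_batch) / sizeof(sample_batch[0]))

unsigned int aborts_old_policy(void) { return run_batch(sample_batch, SAMPLE_N, true); }
unsigned int aborts_new_policy(void) { return run_batch(sample_batch, SAMPLE_N, false); }

int main(void)
{
	printf("old policy: %u aborts, new policy: %u aborts\n",
	       aborts_old_policy(), aborts_new_policy());
	return 0;
}
```

With three distinct missing modules the old policy aborts three times, once per module, while the new policy loads all three during the first pass and aborts once; the difference grows with the number of distinct modules a large ruleset pulls in.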

Sasnett_Karen | 1 Jul 14:13 2015

(unknown)


Do you need an investor?

Do you need a business or personal loan?

We give loans to private individuals and companies at 3% interest per year. For more
information, contact us by e-mail: omfcreditspa@hotmail.com

NOTE: Send your reply only to this e-mail address: omfcreditspa@hotmail.com
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Florian Westphal | 30 Jun 22:27 2015

[PATCH nf] netfilter: bridge: don't leak skb in error paths

br_nf_dev_queue_xmit must free the skb in its error path.
NF_DROP is misleading -- it's an okfn, not a netfilter hook.

Fixes: 462fb2af9788a ("bridge : Sanitize skb before it enters the IP stack")
Fixes: efb6de9b4ba00 ("netfilter: bridge: forward IPv6 fragmented packets")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 Not sure the br_validate* calls are needed. When we reach br_nf_dev_queue_xmit
 skbs have already been through all brnf hooks where we also have these checks.

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index d89f4fa..1a6fa67 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
 <at>  <at>  -742,7 +742,7  <at>  <at>  static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
 		struct brnf_frag_data *data;

 		if (br_validate_ipv4(skb))
-			return NF_DROP;
+			goto drop;

 		IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;

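Review bot: the `goto drop` introduced here targets a `drop:` label that is not in the visible hunk; make sure that path both frees the skb with kfree_skb() and returns a value the okfn caller expects (0 or a negative errno), since, as the commit message points out, NF_DROP is a hook verdict and not a meaningful okfn return value.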
 <at>  <at>  -767,7 +767,7  <at>  <at>  static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
 		struct brnf_frag_data *data;

 		if (br_validate_ipv6(skb))
-			return NF_DROP;
+			goto drop;

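Review bot: same dependency on the `drop:` label outside the hunk as in the IPv4 branch. Given the note under the Signed-off-by that br_validate_ipv6() may be redundant here because the skb has already passed the brnf hooks where the same checks run, consider either dropping the call or adding a comment stating why it is kept, rather than only changing its failure path.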

Florian Westphal | 30 Jun 22:21 2015

[PATCH nf] netfilter: arptables: use percpu jumpstack

commit 482cfc318559 ("netfilter: xtables: avoid percpu ruleset duplication")

Unlike ip and ip6tables, arp tables were never converted to use the percpu
jump stack.

It still uses the rule blob to store return address, which isn't safe
anymore since we now share this blob among all processors.

Because there is no TEE support for arptables, we don't need to cope
with reentrancy, so we can use a local variable to hold the stack offset.

Fixes: 482cfc318559 ("netfilter: xtables: avoid percpu ruleset duplication")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/ipv4/netfilter/arp_tables.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 95c9b6e..0fbe1a6 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
 <at>  <at>  -254,9 +254,10  <at>  <at>  unsigned int arpt_do_table(struct sk_buff *skb,
 	static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 	unsigned int verdict = NF_DROP;
 	const struct arphdr *arp;
-	struct arpt_entry *e, *back;
+	struct arpt_entry *e, **jumpstack;
 	const char *indev, *outdev;
 	const void *table_base;
+	unsigned int cpu, stackidx = 0;
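Review bot: `cpu` is declared here without an initialiser while `stackidx` gets one; it must be assigned from the current CPU id before `jumpstack` is indexed, and the rest of the patch (not shown here) also needs the table's percpu jumpstack to actually be allocated for arp tables, since the commit message says arptables was never converted to it. A short comment on `jumpstack` noting that it is the percpu return-address stack replacing the removed `back` pointer in the rule blob would help the reader of arpt_do_table().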

Patrick McHardy | 30 Jun 11:19 2015

Re: [RFC] COLO Proxy Module

On 30.06, Li Zhijian wrote:
> ping...
> 
> and I have another question:
> can I add a new nf_ct_ext_id simply without touching the existing kernel
> code?

No, the kernel needs to know the highest extension ID in order to
allocate space for the offsets.

> in order to support COLO-Proxy, I need an extra nf_ct_ext_id called
> "NF_CT_EXT_COLO"
> to store some COLO-related messages. These messages can help COLO-Proxy to
> buffer packets and compare packets for each connection.
> 
> Thanks
> Li Zhijian

Cheers,
Patrick

Juergen Brendel | 30 Jun 01:43 2015

Extending nftables user-space utility for custom filters


Hello!

I'm still very new to nftables, so hopefully my question isn't too
silly.

From what I understand so far, one of the neat features of nftables is
that a small VM in the kernel interprets the byte code, which was sent
down to it by the nftables user-space utility.

So it seems to me that if I would like to add some fancy, specialized
type of packet filtering/processing then all I would have to do is to
extend the nftables user-space utility to create new byte code: No
updated kernel or kernel modules required.

Is my understanding correct? And if so, I have these questions:

     1. Have the features and capabilities of the in-kernel VM been
        documented somewhere? So that I know what is even possible for
        the kernel code?
     2. Is there any documentation (a howto or getting-started guide),
        which explains how to extend the user-space utility so that it
        understands new commands and can construct new byte code?

Thank you very much!

Juergen


Pablo Neira Ayuso | 29 Jun 19:53 2015

[PATCH 0/7 nft] cache consolidation

Hi Patrick,

This patchset creates two caches, one for tables and another for sets, that
contain the existing objects in the kernel.

Moreover, this also adds the declared objects that don't exist yet in the
kernel to the cache, so they can be referenced from a batch, eg.

-BEGIN of test.ruleset-
add table test
add chain test test
add set test myset { type ipv4_addr; }
add element test myset { 4.4.4.10 }
add element test myset { 4.4.4.11 }
add element test myset { 4.4.4.12 }
add element test myset { 4.4.4.13 }
add rule test test ip saddr @myset
-EOF-

 # nft -f test.ruleset

The idea is to use table_lookup() and set_lookup(), instead of inquiring the
kernel (which would fail since those objects don't exist yet there). The
example above now works and those updates are handled from the same
transaction.

This patch also includes the fix of intervals in set declarations by using
these caches as you suggested, now that we got rid of the get_set() function.

Let me know if you have any concern with these, thanks!

WaaX | 27 Jun 16:43 2015

IPSet target SET subnet options

Hi,
I have explored the manual of the SET target:

      SET target options:
--add-set name flags [--exist] [--timeout n]
--del-set name flags
          add/del src/dst IP/port from/to named sets,
where flags are the comma separated list of
'src' and 'dst' specifications.

I cannot find a solution for adding a subnet mask to a hash:net with the target.

Thanks for reading.


Balazs Scheidler | 26 Jun 14:44 2015

nftables: parser conflict between tokens & symbols

Hi,

I've noticed that our set of keywords in nftables is pretty rich and
this can cause conflicts in the grammar when a keyword is also used
as a symbol.

For instance, we do have a "redirect" expression and "redirect" as
a word is also used as an ICMP message type.

# here is the redirect expression in action, which works:
$ nft add rule tcp dport 80 redirect to 8080

# here's an ICMP rule that works
$ nft add rule filter input icmp type echo-request accept

# here's an ICMP rule that should work, but it doesn't
$ nft add rule filter input icmp type redirect accept

The root cause is that "redirect" is now recognized as a token, whereas the
icmp type is expecting a STRING token.

I have tried to solve this but the idea I had didn't work out, and I don't
really have more time now to fix it, but still thought this information
would be useful.

Cheers,
Bazsi
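The conflict Balazs describes (a word lexed as a keyword where the grammar expects a STRING) is easiest to see in a tiny hand-written parser. The following is an added example and not nft's flex/bison grammar: the keyword list, the ICMP type list and parse_icmp_rule() are constructed for illustration. It shows the strict behaviour that rejects `icmp type redirect` and one general way out, letting a keyword token stand in for a symbol wherever the grammar expects a name, which is the usual "contextual keyword" fix rather than anything the message proposes.

```c
/* Added illustration (not nft's bison grammar): a minimal "icmp type <name>"
 * parser showing the keyword/symbol conflict and one way to resolve it.
 * "redirect" is both a keyword (the redirect expression) and an ICMP type
 * name. A strict parser only accepts a STRING token after "icmp type"; a
 * contextual parser also accepts a keyword token whose spelling is a
 * valid type name. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum tok_kind { TOK_STRING, TOK_KEYWORD };

struct token {
	enum tok_kind kind;
	char text[32];
};

/* keywords: a constructed subset of statement/expression names */
static const char *keywords[] = { "redirect", "accept", "drop", "icmp", "type", NULL };
/* ICMP type names the "type" argument may take (constructed subset) */
static const char *icmp_types[] = { "echo-request", "echo-reply", "redirect",
				    "destination-unreachable", NULL };

static bool in_list(const char *const *list, const char *s)
{
	for (; *list; list++)
		if (strcmp(*list, s) == 0)
			return true;
	return false;
}

/* split rule text on spaces; a word found in the keyword table becomes
 * TOK_KEYWORD, everything else TOK_STRING (this is where the conflict
 * originates: the lexer cannot know which one the grammar wants) */
static size_t lex(const char *src, struct token *out, size_t max)
{
	size_t n = 0;
	const char *p = src;

	while (*p && n < max) {
		size_t len;

		while (*p == ' ')
			p++;
		if (!*p)
			break;
		len = strcspn(p, " ");
		if (len >= sizeof(out[n].text))
			len = sizeof(out[n].text) - 1;
		memcpy(out[n].text, p, len);
		out[n].text[len] = '\0';
		out[n].kind = in_list(keywords, out[n].text) ? TOK_KEYWORD : TOK_STRING;
		n++;
		p += len;
	}
	return n;
}

/* Parse "icmp type <name> accept"; returns true on success.
 * contextual == false: the type name must be a STRING token (the bug).
 * contextual == true: a keyword token is accepted as the name too, as long
 * as its spelling is a known ICMP type (the fix). */
bool parse_icmp_rule(const char *src, bool contextual)
{
	struct token t[8];
	size_t n = lex(src, t, 8);

	if (n != 4)
		return false;
	if (t[0].kind != TOK_KEYWORD || strcmp(t[0].text, "icmp") != 0)
		return false;
	if (t[1].kind != TOK_KEYWORD || strcmp(t[1].text, "type") != 0)
		return false;
	if (t[2].kind == TOK_KEYWORD && !contextual)
		return false;	/* "redirect" lexed as keyword: parse error */
	if (!in_list(icmp_types, t[2].text))
		return false;
	return t[3].kind == TOK_KEYWORD && strcmp(t[3].text, "accept") == 0;
}

int main(void)
{
	printf("strict, echo-request: %d\n", parse_icmp_rule("icmp type echo-request accept", false));
	printf("strict, redirect:     %d\n", parse_icmp_rule("icmp type redirect accept", false));
	printf("contextual, redirect: %d\n", parse_icmp_rule("icmp type redirect accept", true));
	return 0;
}
```

The same pattern applies to any other keyword that doubles as a symbol: the lexer keeps classifying the word as a keyword, and the grammar rule for the symbol position accepts the keyword token and validates its spelling against the symbol table.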

balazs.scheidler | 26 Jun 11:57 2015

[PATCH] redir: fix snprintf to return the number of bytes printed

From: Balazs Scheidler <balazs.scheidler@balabit.com>

This fixes --debug netlink output when a redir target is included.

Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
---
 src/expr/redir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/expr/redir.c b/src/expr/redir.c
index b6adf88..69bd94f 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
 <at>  <at>  -223,7 +223,7  <at>  <at>  static int nft_rule_expr_redir_snprintf_default(char *buf, size_t len,
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 	}

-	return 0;
+	return offset;
 }

 static int
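Review bot: returning `offset` matches the SNPRINTF_BUFFER_SIZE() accumulation visible just above it, but check that any earlier `return` in nft_rule_expr_redir_snprintf_default() (not in this hunk) also returns the accumulated offset rather than 0, otherwise --debug netlink output is still truncated for those paths.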
--

-- 
2.1.0
