Liping Zhang | 23 Jul 16:16 2016

[PATCH nf-next] netfilter: nf_ct_h323: do not re-activate already expired timer

From: Liping Zhang <liping.zhang <at> spreadtrum.com>

Commit 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of
set_expect_timeout") just simplifies the source code
    if (!del_timer(&exp->timeout))
        return 0;
    add_timer(&exp->timeout);
to mod_timer(&exp->timeout, jiffies + info->timeout * HZ);

This is not correct, and introduces a race condition:
    CPU0                     CPU1
     -                     timer expire
  process_rcf              expectation_timed_out
  lock(exp_lock)              -
  find_exp                 waiting exp_lock...
  re-activate timer!!      waiting exp_lock...
  unlock(exp_lock)         lock(exp_lock)
     -                     unlink expect
     -                     free(expect)
     -                     unlock(exp_lock)
So when the timer expires again, we will access the memory that
was already freed.

Replace mod_timer with mod_timer_pending here to fix this problem.

Fixes: 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of set_expect_timeout")
Cc: Gao Feng <fgao <at> ikuai8.com>
Signed-off-by: Liping Zhang <liping.zhang <at> spreadtrum.com>
---
When I found this problem and wanted to report it, it was a little too late.
(Continue reading)
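A user-space model of the interleaving in the message above, added here as an example and not part of the patch or of the kernel: the timer and expectation structures are simplified stand-ins (assumptions), but the two API contracts follow the kernel's documented behaviour, where mod_timer() activates an inactive timer and mod_timer_pending() does not. It replays the CPU0/CPU1 sequence with either call and reports whether the expectation ends up freed while its timer is still armed.

```c
/*
 * Added example, not from the patch or the kernel: single-threaded model
 * of the race in the commit message.  struct model_timer / model_expect
 * are assumed stand-ins for timer_list / nf_conntrack_expect.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* "pending" = queued in the timer wheel and not yet fired. */
struct model_timer {
	bool pending;
	unsigned long expires;
	void (*function)(struct model_timer *t);
	void *owner;		/* the expectation owning this timer */
};

/* "freed" is a constructed marker so the use-after-free condition can be
 * observed instead of crashing the model. */
struct model_expect {
	struct model_timer timeout;
	bool freed;
};

/* mod_timer(): (re)arm unconditionally; returns 1 if the timer was
 * pending, 0 if it was inactive and has just been activated. */
static int model_mod_timer(struct model_timer *t, unsigned long expires)
{
	int was_pending = t->pending;

	t->expires = expires;
	t->pending = true;
	return was_pending;
}

/* mod_timer_pending(): only re-arm a timer that is still pending; an
 * already expired timer stays inactive and 0 is returned. */
static int model_mod_timer_pending(struct model_timer *t, unsigned long expires)
{
	if (!t->pending)
		return 0;
	t->expires = expires;
	return 1;
}

/* expectation_timed_out(): unlink and free the expectation (modelled). */
static void model_expectation_timed_out(struct model_timer *t)
{
	struct model_expect *exp = t->owner;

	exp->freed = true;
}

static struct model_expect *model_new_expect(void)
{
	struct model_expect *exp = calloc(1, sizeof(*exp));

	if (!exp)
		abort();
	exp->timeout.function = model_expectation_timed_out;
	exp->timeout.owner = exp;
	model_mod_timer(&exp->timeout, 100);	/* armed on creation */
	return exp;
}

/* Replay the race.  Returns true when the expectation is freed while its
 * timer is still armed, i.e. the next expiry would run on freed memory. */
static bool model_replay_race(bool use_mod_timer_pending)
{
	struct model_expect *exp = model_new_expect();
	bool dangling;

	/* CPU1: timer fires; the core marked it inactive before calling the
	 * handler, which now blocks on exp_lock held by CPU0. */
	exp->timeout.pending = false;

	/* CPU0: process_rcf() found the expectation and extends its timeout. */
	if (use_mod_timer_pending)
		model_mod_timer_pending(&exp->timeout, 200);
	else
		model_mod_timer(&exp->timeout, 200);

	/* CPU1: takes exp_lock, unlinks and frees the expectation. */
	exp->timeout.function(&exp->timeout);

	dangling = exp->timeout.pending && exp->freed;
	free(exp);
	return dangling;
}

/* Normal path: the timer has not fired when process_rcf() extends it.
 * Both calls re-arm it and return 1, so the fix changes nothing here. */
static int model_extend_live_timer(bool use_mod_timer_pending)
{
	struct model_expect *exp = model_new_expect();
	int ret = use_mod_timer_pending ?
		  model_mod_timer_pending(&exp->timeout, 200) :
		  model_mod_timer(&exp->timeout, 200);

	free(exp);
	return ret;
}

int main(void)
{
	printf("mod_timer: armed timer on freed expectation = %d\n",
	       model_replay_race(false));
	printf("mod_timer_pending: armed timer on freed expectation = %d\n",
	       model_replay_race(true));
	return 0;
}
```

The model keeps the expectation allocated after the "free" so the outcome can be read back; in the kernel the second expiry would dereference freed memory. The live-timer case shows that switching to mod_timer_pending() does not alter the behaviour for expectations whose timer has not yet fired.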

fgao | 23 Jul 13:21 2016

[PATCH 1/1] netfilter: Only need first 4 bytes to get l4proto ports

From: Gao Feng <fgao <at> ikuai8.com>

We only need the first 4 bytes instead of 8 bytes to get the ports of
tcp/udp/dccp/sctp/udplite in their pkt_to_tuple function.

Signed-off-by: Gao Feng <fgao <at> ikuai8.com>
---
 v3: Keep it consistent for tcp/udp/dccp/sctp/udplite to get 4 bytes instead of 8 bytes
 v2: Use 4 bytes instead of 8 bytes, and add more description
 v1: Initial Patch
 net/netfilter/nf_conntrack_proto_dccp.c    | 3 ++-
 net/netfilter/nf_conntrack_proto_sctp.c    | 4 ++--
 net/netfilter/nf_conntrack_proto_tcp.c     | 4 ++--
 net/netfilter/nf_conntrack_proto_udp.c     | 4 ++--
 net/netfilter/nf_conntrack_proto_udplite.c | 3 ++-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 399a38f..a45bee5 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
 <at>  <at>  -402,7 +402,8  <at>  <at>  static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 {
 	struct dccp_hdr _hdr, *dh;

-	dh = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
+	/* Actually only need first 4 bytes to get ports. */
+	dh = skb_header_pointer(skb, dataoff, 4, &_hdr);
 	if (dh == NULL)
 		return false;
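Review bot: the literal `4` at `dh = skb_header_pointer(skb, dataoff, 4, &_hdr);` swaps one unexplained constant for another; express it as the combined size of the two port fields (or a named constant) so the dependency on the header layout is visible to the next reader. Since only four bytes are now guaranteed to be in `_hdr`, also confirm that nothing later in dccp_pkt_to_tuple dereferences a field of `dh` beyond the ports, and that the full-header length validation for packets reaching this function happens elsewhere, because it no longer happens here.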
(Continue reading)

Pablo Neira Ayuso | 23 Jul 13:08 2016

[PATCH 00/25] Netfilter/IPVS updates for net-next

Sorry, resending this pull request, I modified my robot and it was not
including explicit Cc to netdev.

-o-

Hi David,

The following patchset contains Netfilter/IPVS updates for net-next,
they are:

1) Count pre-established connections as active in "least connection"
   schedulers, so as to avoid overloading backend servers on peak demands,
   from Michal Kubecek via Simon Horman.

2) Address a race condition when resizing the conntrack table by caching
   the bucket size when fully iterating over the hashtable in these
   three possible scenarios: 1) dump via /proc/net/nf_conntrack,
   2) unlinking userspace helper and 3) unlinking custom conntrack timeout.
   From Liping Zhang.

3) Revisit early_drop() path to perform lockless traversal on conntrack
   eviction under stress, use del_timer() as synchronization point to
   avoid two CPUs evicting the same entry, from Florian Westphal.

4) Move NAT hlist_head to nf_conn object, this simplifies the existing
   NAT extension and it doesn't increase size since recent patches to
   align nf_conn, from Florian.

5) Use rhashtable for the by-source NAT hashtable, also from Florian.

(Continue reading)

Pablo Neira Ayuso | 23 Jul 13:02 2016

[PATCH 00/25] Netfilter/IPVS updates for net-next

Hi David,

The following patchset contains Netfilter/IPVS updates for net-next,
they are:

1) Count pre-established connections as active in "least connection"
   schedulers, so as to avoid overloading backend servers on peak demands,
   from Michal Kubecek via Simon Horman.

2) Address a race condition when resizing the conntrack table by caching
   the bucket size when fully iterating over the hashtable in these
   three possible scenarios: 1) dump via /proc/net/nf_conntrack,
   2) unlinking userspace helper and 3) unlinking custom conntrack timeout.
   From Liping Zhang.

3) Revisit early_drop() path to perform lockless traversal on conntrack
   eviction under stress, use del_timer() as synchronization point to
   avoid two CPUs evicting the same entry, from Florian Westphal.

4) Move NAT hlist_head to nf_conn object, this simplifies the existing
   NAT extension and it doesn't increase size since recent patches to
   align nf_conn, from Florian.

5) Use rhashtable for the by-source NAT hashtable, also from Florian.

6) Don't allow --physdev-is-out from OUTPUT chain, just like
   --physdev-out is not either, from Hangbin Liu.

7) Automagically set on nf_conntrack counters if the user tries to
   match ct bytes/packets from nftables, from Liping Zhang.
(Continue reading)

Liping Zhang | 23 Jul 10:00 2016

[PATCH nf-next 1/2] netfilter: nft_compat: put back match/target module if init fail

From: Liping Zhang <liping.zhang <at> spreadtrum.com>

If the user specifies an invalid NFTA_MATCH_INFO/NFTA_TARGET_INFO attr
or memory allocation fails, we should call module_put on the related match
or target. Otherwise, we cannot remove the module even if nobody uses it.

Signed-off-by: Liping Zhang <liping.zhang <at> spreadtrum.com>
---
 net/netfilter/nft_compat.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 6228c42..d74adf4 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
 <at>  <at>  -634,6 +634,7  <at>  <at>  nft_match_select_ops(const struct nft_ctx *ctx,
 	struct xt_match *match;
 	char *mt_name;
 	u32 rev, family;
+	int err;

 	if (tb[NFTA_MATCH_NAME] == NULL ||
 	    tb[NFTA_MATCH_REV] == NULL ||
 <at>  <at>  -660,13 +661,17  <at>  <at>  nft_match_select_ops(const struct nft_ctx *ctx,
 	if (IS_ERR(match))
 		return ERR_PTR(-ENOENT);

-	if (match->matchsize > nla_len(tb[NFTA_MATCH_INFO]))
-		return ERR_PTR(-EINVAL);
+	if (match->matchsize > nla_len(tb[NFTA_MATCH_INFO])) {
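Review bot: the visible part of this hunk opens the block at `if (match->matchsize > nla_len(tb[NFTA_MATCH_INFO])) {` but is cut off before its body; the point of the patch is that this path must `module_put(match->me)` before returning, so check that the body does exactly that and still returns -EINVAL via `err`. Separately, the unchanged `if (IS_ERR(match)) return ERR_PTR(-ENOENT);` just above folds every lookup failure into ENOENT; `return ERR_CAST(match);` would preserve the real error code for callers.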
(Continue reading)

Liping Zhang | 23 Jul 09:11 2016

[PATCH iptables] extensions: libxt_connlabel: add unit test

From: Liping Zhang <liping.zhang <at> spreadtrum.com>

Add some unit tests for the connlabel match extension:
  # ./iptables-test.py extensions/libxt_connlabel.t
  extensions/libxt_connlabel.t: OK
  1 test files, 7 unit tests, 7 passed

Signed-off-by: Liping Zhang <liping.zhang <at> spreadtrum.com>
---
 extensions/libxt_connlabel.t | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 extensions/libxt_connlabel.t

diff --git a/extensions/libxt_connlabel.t b/extensions/libxt_connlabel.t
new file mode 100644
index 0000000..aad1032
--- /dev/null
+++ b/extensions/libxt_connlabel.t
 <at>  <at>  -0,0 +1,18  <at>  <at> 
+:INPUT,FORWARD,OUTPUT
+# Backup the connlabel.conf, then add some label maps for test
+ <at> [ -f /etc/xtables/connlabel.conf ] && mv /etc/xtables/connlabel.conf /tmp/connlabel.conf.bak
+ <at> mkdir -p /etc/xtables
+ <at> echo "40 bit40" > /etc/xtables/connlabel.conf
+ <at> echo "41 bit41" >> /etc/xtables/connlabel.conf
+ <at> echo "128 bit128" >> /etc/xtables/connlabel.conf
+-m connlabel --label "bit40";=;OK
+-m connlabel ! --label "bit40";=;OK
+-m connlabel --label "bit41" --set;=;OK
+-m connlabel ! --label "bit41" --set;=;OK
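Review bot: the setup line `[ -f /etc/xtables/connlabel.conf ] && mv /etc/xtables/connlabel.conf /tmp/connlabel.conf.bak` moves a system configuration file to a fixed, predictable path in a world-writable directory: an existing file or symlink at /tmp/connlabel.conf.bak is clobbered or followed, and a test run that aborts before any restore step leaves /etc/xtables/connlabel.conf replaced by the three test lines. Prefer a mktemp-created backup under a private directory, make the restore unconditional at the end of the file (the visible part of the file ends before any restore), and note in the file that it has to run as root because it writes under /etc.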
(Continue reading)

fgao | 22 Jul 17:59 2016

[PATCH 1/1] netfilter: tcp/udp: Only get 4 bytes to get tcp/udp ports

From: Gao Feng <fgao <at> ikuai8.com>

We use tcp/udp_pkt_to_tuple to get the ports of tcp/udp.
Actually we only need to get 4 bytes via skb_header_pointer instead
of 8 bytes.

Signed-off-by: Gao Feng <fgao <at> ikuai8.com>
---
 v2: Use 4 bytes instead of 8 bytes, and add more description
 v1: Initial Patch

 net/netfilter/nf_conntrack_proto_tcp.c | 4 ++--
 net/netfilter/nf_conntrack_proto_udp.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 70c8381..4abe9e1 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
 <at>  <at>  -282,8 +282,8  <at>  <at>  static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 	const struct tcphdr *hp;
 	struct tcphdr _hdr;

-	/* Actually only need first 8 bytes. */
-	hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
+	/* Actually only need first 4 bytes to get ports. */
+	hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
 	if (hp == NULL)
 		return false;

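Review bot: same point for both files in this patch: the literal `4` at `hp = skb_header_pointer(skb, dataoff, 4, &_hdr);` replaces one magic number with another; spell it as the combined size of the two port fields so the relation to the header layout is explicit. The commit message should also say why a four-byte pull is sufficient, i.e. where the full transport header is validated for packets that reach pkt_to_tuple, since after this change that no longer happens here and any later access to `hp` beyond the ports would read past the copied bytes.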
(Continue reading)

Pablo M. Bermudo Garay | 22 Jul 17:48 2016

[PATCH iptables 1/2] xtables-translate: add new field to identify the caller

In some cases, xlate functions must print a different result if they are
invoked from nft and not from an xtables-translate command.

This commit adds a new boolean field to the xt_xlate struct. This
variable must be true when a xlate function is called from an nft
command. Additional code is required in nft in order to obtain this
behavior.

Signed-off-by: Pablo M. Bermudo Garay <pablombg <at> gmail.com>
---
 include/xtables.h    |  2 ++
 libxtables/xtables.c | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/include/xtables.h b/include/xtables.h
index 48be514..fd72623 100644
--- a/include/xtables.h
+++ b/include/xtables.h
 <at>  <at>  -576,6 +576,8  <at>  <at>  void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...);
 void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
 const char *xt_xlate_get_comment(struct xt_xlate *xl);
 const char *xt_xlate_get(struct xt_xlate *xl);
+void xt_xlate_set_nft_compat(struct xt_xlate *xl, bool nft_compat);
+bool xt_xlate_get_nft_compat(struct xt_xlate *xl);

 #ifdef XTABLES_INTERNAL

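Review bot: the two new prototypes `xt_xlate_set_nft_compat()` and `xt_xlate_get_nft_compat()` come without a comment saying what the flag means or who sets it. Since xt_xlate is part of the libxtables API seen by every extension, document in the header that the flag is true when the xlate callback is invoked from nft and false from xtables-translate (as the commit message says), and state the default, so extensions that never see the setter can rely on unchanged behaviour.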
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 921dfe9..1c3f63d 100644
--- a/libxtables/xtables.c
(Continue reading)

fgao | 22 Jul 06:59 2016

[PATCH 1/1] netfilter: h323: Use mod_timer instead of set_expect_timeout

From: Gao Feng <fgao <at> ikuai8.com>

It could simplify the code without any side effect.
The set_expect_timeout is used to modify the timer expired time.
It tries to delete timer, and add it again.
So we could use mod_timer directly.

Signed-off-by: Gao Feng <fgao <at> ikuai8.com>
---
 v1: Initial Patch

 net/netfilter/nf_conntrack_h323_main.c | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 9511af0..bb77a97 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
 <at>  <at>  -1273,19 +1273,6  <at>  <at>  static struct nf_conntrack_expect *find_expect(struct nf_conn *ct,
 }

 /****************************************************************************/
-static int set_expect_timeout(struct nf_conntrack_expect *exp,
-			      unsigned int timeout)
-{
-	if (!exp || !del_timer(&exp->timeout))
-		return 0;
-
-	exp->timeout.expires = jiffies + timeout * HZ;
-	add_timer(&exp->timeout);
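Review bot: the removed `if (!exp || !del_timer(&exp->timeout)) return 0;` does more than delete-then-add: when del_timer() returns 0 the timer has already expired and its handler is running or has run, and the function deliberately refuses to revive the expectation. Replacing the del_timer()/add_timer() pair with a plain mod_timer() re-activates such an inactive timer and reintroduces exactly that case, so the expiry handler can free the expectation while a fresh expiry is queued on it. Use mod_timer_pending(), which leaves an already expired timer alone, and keep the NULL check on `exp` at the call sites that used to rely on this helper.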
(Continue reading)

Pablo Neira Ayuso | 21 Jul 19:16 2016

[PATCH libnftnl] expr: lookup: print flags only if they are available

Follow the same approach as with other objects: print only what is set.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 src/expr/lookup.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index 16cfce2..97478c2 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
 <at>  <at>  -264,8 +264,10  <at>  <at>  nftnl_expr_lookup_snprintf_default(char *buf, size_t size,
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 	}

-	ret = snprintf(buf + offset, len, "0x%x ", l->flags);
-	SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+	if (e->flags & (1 << NFTNL_EXPR_LOOKUP_FLAGS)) {
+		ret = snprintf(buf + offset, len, "0x%x ", l->flags);
+		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+	}

 	return offset;
 }
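Review bot: the new guard `if (e->flags & (1 << NFTNL_EXPR_LOOKUP_FLAGS))` open-codes the bit test; `nftnl_expr_is_set(e, NFTNL_EXPR_LOOKUP_FLAGS)` is the existing accessor for exactly this and keeps the check in one place. Minor: the `"0x%x "` format still emits a trailing space, so when flags is the last field printed the line ends in a blank, as it did before the change.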
--

-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
(Continue reading)

Florian Westphal | 21 Jul 12:51 2016

netfilter: connlabels: get rid of variable-size support

As discussed earlier, let's make the current 128bit upper size
the fixed standard size.

It allows us to get rid of a few run-time tests and also reduces
the needed extension size with both openvswitch and nftables.

While at it, also move a helper that is only needed by the
xt_connlabel match there.  Originally I kept this in the core
because it wasn't yet clear if nft would need it later.

 include/net/netfilter/nf_conntrack_labels.h |   18 +++--------------
 net/netfilter/nf_conntrack_labels.c         |   28 +--------------------------
 net/netfilter/nf_conntrack_netlink.c        |   10 ++++-----
 net/netfilter/nft_ct.c                      |   13 ++----------
 net/netfilter/xt_connlabel.c                |   29 +++++++++++++++-------------
 net/openvswitch/conntrack.c                 |    4 +--
 6 files changed, 32 insertions(+), 70 deletions(-)

