Pablo Neira Ayuso | 2 Mar 15:10 2015

[PATCH nf-next v2] netfilter: x_tables: add context to know if extension runs from nft_compat

Currently, we have four xtables extensions that cannot be used from the
xt over nft compat layer. The problem is that they need real access to
the full blown xt_entry to validate that the rule comes with the right
dependencies. This check was introduced to overcome the lack of
sufficient userspace dependency validation in iptables.

To resolve this problem, this patch introduces a new field to the
xt_tgchk_param structure that tells us if the target is executed from
nft_compat context.

The four affected extensions are:

1) CLUSTERIP, this target has been superseded by xt_cluster. So just
   bail out by returning -EINVAL.

2) TCPMSS. Relax the checking when used from nft_compat. If used with
   the wrong configuration, it will corrupt by adding MSS TCP option
   to TCP packets.

3) SYNPROXY6. Don't check for e->ipv6.flags, we can instead check
   for e->ipv6.proto as other extensions do, if zero then it doesn't
   fulfill the dependency.

4) ebt_stp. Relax the check to make sure it uses the reserved
   destination MAC address for STP.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 include/linux/netfilter/x_tables.h |    2 ++
 net/bridge/netfilter/ebt_stp.c     |    6 ++++--

Pablo Neira Ayuso | 2 Mar 14:40 2015

[PATCH nf-next] netfilter: ipt_CLUSTERIP: deprecate it in favour of xt_cluster

xt_cluster supersedes ipt_CLUSTERIP since it can be also used in
gateway configurations (not only from the backend side).

ipt_CLUSTERIP is also known to leak the netdev that it uses on
device removal, which requires a rather large fix to workaround
the problem: http://patchwork.ozlabs.org/patch/358629/

So let's deprecate this so we can probably kill this code in the
future.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 include/net/netns/x_tables.h       |    1 +
 net/ipv4/netfilter/ipt_CLUSTERIP.c |    7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index c24060e..4d6597a 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
 <at>  <at>  -9,6 +9,7  <at>  <at>  struct ebt_table;
 struct netns_xt {
 	struct list_head tables[NFPROTO_NUMPROTO];
 	bool notrack_deprecated_warning;
+	bool clusterip_deprecated_warning;
 #if defined(CONFIG_BRIDGE_NF_EBTABLES) || \
     defined(CONFIG_BRIDGE_NF_EBTABLES_MODULE)
 	struct ebt_table *broute_table;
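Review bot: `clusterip_deprecated_warning` follows the existing `notrack_deprecated_warning` one-shot latch, which is the right pattern for a warning that should fire once per network namespace rather than once per boot; the pair would benefit from a short comment in struct netns_xt marking them as warning latches rather than behaviour switches, since nothing in the struct currently says so.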
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index a287e02..e69a6d8 100644

Pablo Neira Ayuso | 2 Mar 14:11 2015

[PATCH nf-next] netfilter: x_tables: add context to know if extension runs from nft_compat

Currently, we have four xtables extensions that cannot be used from the
xt over nft compat layer. The problem is that they need real access to
the full blown xt_entry to validate that the rule comes with the right
dependencies. This check was introduced to overcome the lack of
sufficient userspace dependency validation in iptables.

To resolve this problem, this patch introduces a new field to the
xt_tgchk_param structure that tells us if the target is executed from
nft_compat context.

The four affected extensions are:

1) CLUSTERIP, this target has been superseded by xt_cluster. So just
   bail out by returning -EINVAL.

2) TCPMSS. Relax the checking when used from nft_compat and make sure
   that we skip !syn packets in case userspace provides a wrong
   configuration.

3) SYNPROXY6. Don't check for e->ipv6.flags, we can instead check
   for e->ipv6.proto as other extensions do, if zero then it doesn't
   fulfill the dependency.

4) ebt_stp. Relax the check to make sure it uses the reserved
   destination MAC address for STP. The packet path seems safe.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
ebt_among also needs some glue code in nft_compat to get the hackish
matchsize = -1 case. Arturo is working to sort out that.

Patrick McHardy | 2 Mar 12:51 2015

nftables transaction semantics

I'm looking at the nftables transaction code and wondering about the
semantics of GET operations intermixed with ADD/DEL operations:

AFAIK there are currently some inconsistencies:

- new sets get marked as inactive and invisible to GET until the
  transaction is supported. So

  ADD set
  GET set

  will return ENOENT.

- Rule GET operations OTOH don't care about the activeness of the rule
  at all, so

  DEL rule
  GET rule

  will return the rule even though it is actually deleted.

  ADD rule
  GET rule
  transaction fail

  Will equally return the rule even though it will afterwards not be
  present.

So the general question is how to properly handle this. GET operations
should obviously take activeness into account and not return deleted

nfnty | 2 Mar 03:01 2015

NFLOG and Namespaces

Why aren't packets between bridge and namespace logged via NFLOG?

Related:

https://docs.docker.com/articles/networking/#building-a-point-to-point-connection
http://www.spinics.net/lists/netfilter-devel/msg24503.html
https://lkml.org/lkml/2011/7/1/233
https://lists.linux-foundation.org/pipermail/containers/2013-February/031730.html

//nfnty
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Markus Kötter | 1 Mar 19:06 2015

[RFC] nft trace

Hi,

the only thing which I do not like about
https://github.com/commonism/iptables-trace
is the timing.
Getting released more than 10 years after iptables had its initial
release, I decided to address nft in time.

So, I propose to add a new command to nft - "trace".

nft trace uses libnetfilter_log to receive log messages, and gathers
information from messages prefixed with "TRACE: ".
It looks up the chain, rule, and action, and prints a human readable 
representation.

such as

> IN=eth0 OUT= SRC=141.30.13.10 DST=10.0.2.15 LEN=1408 TOS=0x00 PREC=0x00 TTL=64 ID=60563
>         filter input (#2) NFMARK=0x0
>                  ip protocol icmp nftrace set 1
>         filter input (#3) NFMARK=0x0
>                  icmp type { echo-request, echo-reply} counter packets 5 bytes 420
>         filter input (#4) NFMARK=0x0
>                  ip protocol icmp jump test-0-0
>         filter test-0-0 (#1) NFMARK=0x1
>                  mark set 0x00000001
>         filter test-0-0 (#3) NFMARK=0x2
>                  mark set 0x00000002
>         filter test-0-0 NFMARK=0x2
>                  => RETURN

Pedro Alvarez | 26 Feb 17:37 2015

[PATCH] ebtables: Cache a copy of the v3.16 kernel headers in the ebtables tree

Hi everyone.

I've had some problems trying to build ebtables with the v3.19 kernel headers,
failing to build with the following error:

gcc -Wall -Wunused -Werror -fPIC -O3 -DPROGVERSION=\"2.0.10-4\"
-DPROGNAME=\"ebtables\" -DPROGDATE=\"December\ 2011\"
-D_PATH_ETHERTYPES=\"/etc/ethertypes\" -DEBTD_ARGC_MAX=50
-DEBTD_CMDLINE_MAXLN=2048 -DLOCKFILE=\"/var/lib/ebtables/lock\"
-DLOCKDIR=\"/var/lib/ebtables/\" -c -o extensions/ebt_ulog.o
extensions/ebt_ulog.c -Iinclude/
extensions/ebt_ulog.c:17:45: fatal error: linux/netfilter_bridge/ebt_ulog.h: No
such file or directory
 #include <linux/netfilter_bridge/ebt_ulog.h>
                                             ^

After some discussion on IRC we agreed there were 2 possible solutions:

 -1: Disable 'ulog' in the extensions/Makefile

 -2: Cache the headers needed in the ebtables tree.

I decided to go for 2, and here is the patch:

  Repo: git://git.baserock.org/delta/ebtables.git
  Branch: baserock/pedroalvarez/ebt_ulog-fix
  Sha1: 13747a56890cc710b2b4d420edc03a6c2714f40e

NOTE: I didn't want to send a diff, since it would be big and nonsense, but I
can do that if needed.

Dan Carpenter | 26 Feb 15:22 2015

[bug report] ct_sip_parse_numerical_param() error handling

Hello Patrick McHardy,

The patch 2bbb21168a90: "[NETFILTER]: nf_conntrack_sip: introduce URI
and header parameter parsing helpers" from Mar 25, 2008, leads to the
following static checker warning:

	net/netfilter/nf_conntrack_sip.c:1230 process_register_request()
		warn: bool is not less than zero.

	net/netfilter/nf_conntrack_sip.c:1336 process_register_response()
		warn: bool is not less than zero.

The problem is ct_sip_parse_numerical_param() returns zero on failure
but two of the callers expect negative error codes.

net/netfilter/nf_conntrack_sip.c
  1307          if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
  1308                                &matchoff, &matchlen) > 0)
  1309                  expires = simple_strtoul(*dptr + matchoff, NULL, 10);
                        ^^^^^^^
We set expires.

  1310  
  1311          while (1) {
  1312                  unsigned int c_expires = expires;
                                     ^^^^^^^^^^^^^^^^^^^^
and c_expires.

  1313  
  1314                  ret = ct_sip_parse_header_uri(ct, *dptr, &coff, *datalen,
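The return-convention mismatch the report describes, as an added illustration (a constructed toy, not the kernel's nf_conntrack_sip code): the hypothetical parse_numerical_param() signals failure with 0 the way the report says ct_sip_parse_numerical_param() does, and the two callers show why a `< 0` check can never catch it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical callee modelled on the report: returns 1 on success and
 * 0 on failure, never a negative errno. Parses "<name>=<digits>". */
static int parse_numerical_param(const char *hdr, const char *name,
                                 unsigned int *val)
{
    const char *p = strstr(hdr, name);
    unsigned int v = 0;

    if (!p)
        return 0;                 /* failure is 0, not -ENOENT */
    p += strlen(name);
    if (*p++ != '=' || !isdigit((unsigned char)*p))
        return 0;
    while (isdigit((unsigned char)*p))
        v = v * 10 + (unsigned int)(*p++ - '0');
    *val = v;
    return 1;
}

/* Caller written to the "negative means error" convention. Returns the
 * expires value it would go on to use, or -1 if it detects a failure. */
static long expires_buggy(const char *hdr, unsigned int dflt)
{
    unsigned int expires = dflt;
    int ret = parse_numerical_param(hdr, "expires", &expires);

    if (ret < 0)                  /* never true: the callee returns 0 */
        return -1;
    return expires;               /* missing/garbled param passes as OK */
}

/* Corrected caller: test the convention the callee actually uses. */
static long expires_fixed(const char *hdr, unsigned int dflt)
{
    unsigned int expires = dflt;

    if (parse_numerical_param(hdr, "expires", &expires) == 0)
        return -1;                /* failure now reaches the caller */
    return expires;
}

int main(void)
{
    const char *bad = "Contact: <sip:a@b>";   /* constructed, no expires */
    printf("buggy: %ld  fixed: %ld\n", expires_buggy(bad, 60), expires_fixed(bad, 60));
    return 0;
}
```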

Eric Leblond | 26 Feb 00:51 2015

[nft PATCH 0/3] fix a delinearization issue


Hello,

This small patchset is fixing an nftables delinearization issue when
using counter. The rule triggering this is not straightforward as
it relies on statement order:
 ip protocol tcp counter packets tcp dport ssh accept
But it is possible some users are using this kind of rules so it
should be linearized and delinearized correctly.

With current code it was converted when reading rules from kernel
to:
 counter packets tcp dport ssh accept

BR,
--
Eric

Markus Teich | 24 Feb 21:45 2015

[libmnl] portability of getpagesize() in libmnl.h

Heyho,

the getpagesize() call in line

#define MNL_SOCKET_BUFFER_SIZE (getpagesize() < 8192L ? getpagesize() : 8192L)

of libmnl.h seems to be less portable than sysconf(_SC_PAGESIZE) as suggested by
the getpagesize man page. getpagesize() needs e.g. _BSD_SOURCE while sysconf()
does not.

Would you consider fixing this or should I write a patch?

(I'm not on the list, so please leave me a CC)

--Markus

Pablo Neira Ayuso | 24 Feb 19:32 2015

[PATCH nft v2] main: display errors through stderr

Debugging still goes through stdout as Patrick requests.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1000
Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 src/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main.c b/src/main.c
index b447aad..4590c30 100644
--- a/src/main.c
+++ b/src/main.c
 <at>  <at>  -361,7 +361,7  <at>  <at>  int main(int argc, char * const *argv)
 		rc = NFT_EXIT_FAILURE;
 out:
 	scanner_destroy(scanner);
-	erec_print_list(stdout, &msgs);
+	erec_print_list(stderr, &msgs);

 	xfree(buf);
 	return rc;
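Review bot: moving erec_print_list() to stderr changes buffering relative to the debugging output that stays on stdout: stderr is unbuffered while stdout is line- or fully buffered once redirected, so when both streams point at the same file or pipe the error records can now appear before debug output that was emitted earlier. An fflush(stdout) before the `erec_print_list(stderr, &msgs);` call keeps the ordering stable; it is also worth confirming that every record in msgs is an error, since anything informational in that list moves to stderr with this change.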
--

-- 
1.7.10.4
