Florian Westphal | 25 May 2013 13:46

[PATCH -next, resend] netfilter: nfnetlink_queue: avoid peer_portid test

The portid is set to NETLINK_CB(skb).portid at create time.
The run-time check will always be false.

Signed-off-by: Florian Westphal <fw <at> strlen.de>
---
 Pablo,
 This is a re-send of a similar patch:
 ( http://patchwork.ozlabs.org/patch/238013/ )

 Change since last version:
 - Remove check altogether instead of moving it to
   instance_create().

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 2e0e835..cff4449 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
 <at>  <at>  -509,10 +509,6  <at>  <at>  __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
 	}
 	spin_lock_bh(&queue->lock);

-	if (!queue->peer_portid) {
-		err = -EINVAL;
-		goto err_out_free_nskb;
-	}
 	if (queue->queue_total >= queue->queue_maxlen) {
 		if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
 			failopen = 1;
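Review bot: with the `goto err_out_free_nskb` removed in this hunk, check that the `err_out_free_nskb` label and the `err = -EINVAL` assignment still have other users in __nfqnl_enqueue_packet(); if this was the only jump to that label, the build will now warn about an unused label and it should be dropped in the same patch. The removal itself is consistent with the commit message: peer_portid is assigned when the instance is created, so the test taken under the freshly acquired queue->lock could never fail.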
--

-- 
1.8.1.5
(Continue reading)

Arturo Borrero | 24 May 2013 13:28

[libnftables PATCH 0/2] small fixes for libnftables XML

The following series implements a couple of fixes for libnftables XML.

The versioning attributes for XML are added to provide a future way to easily modify the XML format once
libnftables is released.
The castings are for the same data type, thus useless.

---

Arturo Borrero (2):
      src: chain: delete useless castings
      src: xml: add versioning

 include/libnftables/chain.h |    2 ++
 include/libnftables/rule.h  |    2 ++
 include/libnftables/table.h |    2 ++
 src/chain.c                 |   24 ++++++++++++++++++------
 src/expr/counter.c          |    4 ++--
 src/rule.c                  |   19 ++++++++++++++++---
 src/table.c                 |   18 ++++++++++++++++--
 7 files changed, 58 insertions(+), 13 deletions(-)

--

-- 
Arturo Borrero Gonzalez

Pablo Neira Ayuso | 23 May 2013 10:42

[PATCH 1/3] netfilter: ctnetlink: attach expectations to unconfirmed conntracks

This patch adds the capability to attach expectations to unconfirmed
conntrack entries. This patch is required by the DHCPv6 helper in
user-space.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 include/net/netfilter/nf_conntrack.h               |    4 ++++
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |    1 +
 net/netfilter/nf_conntrack_core.c                  |   20 ++++++++++++++++++++
 net/netfilter/nf_conntrack_netlink.c               |   14 ++++++++++++--
 4 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 644d9c2..d172fc5 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
 <at>  <at>  -180,6 +180,10  <at>  <at>  extern struct nf_conntrack_tuple_hash *
 __nf_conntrack_find(struct net *net, u16 zone,
 		    const struct nf_conntrack_tuple *tuple);

+struct nf_conntrack_tuple_hash *
+nf_ct_unconfirmed_find(struct net *net, u16 zone,
+		       const struct nf_conntrack_tuple *tuple);
+
 extern int nf_conntrack_hash_check_insert(struct nf_conn *ct);
 extern void nf_ct_delete_from_lists(struct nf_conn *ct);
 extern void nf_ct_dying_timeout(struct nf_conn *ct);
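Review bot: the new nf_ct_unconfirmed_find() prototype in this hunk drops the `extern` keyword that every neighbouring declaration in this block uses (`extern struct nf_conntrack_tuple_hash *` for __nf_conntrack_find, `extern int nf_conntrack_hash_check_insert`, `extern void nf_ct_delete_from_lists`); keep the style consistent with the surrounding lines. A one-line comment stating which lock or RCU section the caller must hold while using the returned tuple hash would also help, since the ctnetlink caller that this series adds will depend on that contract.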
diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
index 08fabc6..8f7c2fe 100644
--- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h
(Continue reading)

Phil Oester | 23 May 2013 00:36

[PATCH v2] xtables: Add locking to prevent concurrent instances

There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously.  Currently
open bug reports which are related:

325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts

As Patrick notes in 325:  "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."

I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile.  But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up.  And this also requires a writable filesystem.  Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.

Starting in 2.2, Linux added support for abstract sockets.  These sockets
require no filesystem, and automatically disappear once the application
terminates.  This is the locking solution I chose to implement in xtables-multi.
As an added bonus, since each network namespace has its own socket pool, an
iptables instance running in one namespace will not lock out an iptables
instance running in another namespace.  A filesystem approach would have
to recognize and handle multiple network namespaces.

Changes from v1:
- Addressed Patrick's comments - locking attempts will be made indefinitely
  until successful.
(Continue reading)

Eric Dumazet | 22 May 2013 23:01

[PATCH net-next] netfilter: xt_socket: use IP early demux

From: Eric Dumazet <edumazet <at> google.com>

With IP early demux added in linux-3.6, we perform TCP lookup in IP
layer before iptables hooks.

We can avoid doing a second lookup in xt_socket.

Signed-off-by: Eric Dumazet <edumazet <at> google.com>
---
 net/netfilter/xt_socket.c |   26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 63b2bdb..0270424 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
 <at>  <at>  -107,7 +107,7  <at>  <at>  socket_match(const struct sk_buff *skb, struct xt_action_param *par,
 {
 	const struct iphdr *iph = ip_hdr(skb);
 	struct udphdr _hdr, *hp = NULL;
-	struct sock *sk;
+	struct sock *sk = skb->sk;
 	__be32 uninitialized_var(daddr), uninitialized_var(saddr);
 	__be16 uninitialized_var(dport), uninitialized_var(sport);
 	u8 uninitialized_var(protocol);
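Review bot: initialising `sk` from `skb->sk` in this hunk changes the ownership semantics of the variable: a socket attached by IP early demux is a reference held by the skb itself, whereas the nf_tproxy_get_sock_v4() lookup being replaced in the next hunk returned a reference that socket_match() had to put itself. The release path at the end of socket_match() must therefore only drop the reference when `sk` came from the match's own lookup (for instance by comparing against `skb->sk` before the put), otherwise the early-demux reference is released twice. A short comment next to the initialisation would make the distinction explicit for the next reader.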
 <at>  <at>  -155,9 +155,11  <at>  <at>  socket_match(const struct sk_buff *skb, struct xt_action_param *par,
 	}
 #endif

-	sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), protocol,
(Continue reading)

Phil Oester | 22 May 2013 19:35

[PATCH] xtables: Add locking to prevent concurrent instances

There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously.  Currently
open bug reports which are related:

325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts

As Patrick notes in 325:  "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."

I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile.  But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up.  And this also requires a writable filesystem.  Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.

Starting in 2.2, Linux added support for abstract sockets.  These sockets
require no filesystem, and automatically disappear once the application
terminates.  This is the locking solution I chose to implement in xtables-multi.
As an added bonus, since each network namespace has its own socket pool, an
iptables instance running in one namespace will not lock out an iptables
instance running in another namespace.  A filesystem approach would have
to recognize and handle multiple network namespaces.

As long as I was adding locking, I also chose to add a retry loop, with 3
attempts made to grab the lock before giving up.

(Continue reading)

Arturo Borrero | 22 May 2013 12:33

[libnftables PATCH v2] examples: XML parsing examples

Some code snippets to add tables/chains/rules using the XML representation.

The examples contain:
 * A binary to parse/add the object using libnftables.
 * A shellscript to easily call that binary, doing some tests.
 * table/chain/rule sample XML file.

I included my name in new files, but I don't know if this is correct. Please let me know.

Instructions:
 $ cd examples/ ; make nft-table-xml-add
 # cd test/ ; ./nft-table-xml-add.sh

NOTE: Some kernel changes are required to allow reinserting exactly what is printed (handle handling, flags..)

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at> gmail.com>
---
 examples/Makefile.am         |   48 +++++++++------
 examples/chain.xml           |   11 +++
 examples/nft-chain-xml-add.c |  116 ++++++++++++++++++++++++++++++++++++
 examples/nft-rule-xml-add.c  |  110 ++++++++++++++++++++++++++++++++++
 examples/nft-table-xml-add.c |  118 +++++++++++++++++++++++++++++++++++++
 examples/rule.xml            |   85 ++++++++++++++++++++++++++
 examples/table.xml           |    6 ++
 test/nft-chain-xml-add.sh    |  123 ++++++++++++++++++++++++++++++++++++++
 test/nft-rule-xml-add.sh     |  135 ++++++++++++++++++++++++++++++++++++++++++
 test/nft-table-xml-add.sh    |   75 +++++++++++++++++++++++
 10 files changed, 809 insertions(+), 18 deletions(-)
 create mode 100644 examples/chain.xml
 create mode 100644 examples/nft-chain-xml-add.c
(Continue reading)

Eric Leblond | 21 May 2013 01:09

[nftables PATCH] rule: display rule handle as comment

Knowing the rule handle is necessary to be able to delete a single
rule. It was not displayed till now in the output and it was thus
impossible to remove a single rule.
This patch modifies the listing output to add a comment containing
the handle.

Signed-off-by: Eric Leblond <eric <at> regit.org>
---
 src/rule.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/rule.c b/src/rule.c
index 9d9eaee..b2d7844 100644
--- a/src/rule.c
+++ b/src/rule.c
 <at>  <at>  -13,6 +13,7  <at>  <at> 
 #include <stdio.h>
 #include <stdint.h>
 #include <string.h>
+#include <inttypes.h>

 #include <statement.h>
 #include <rule.h>
 <at>  <at>  -136,6 +137,7  <at>  <at>  void rule_print(const struct rule *rule)
 		printf(" ");
 		stmt->ops->print(stmt);
 	}
+	printf(" # handle %" PRIu64, rule->handle.handle);
 	printf("\n");
 }
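Review bot: the `printf(" # handle %" PRIu64, rule->handle.handle);` added in this hunk emits the handle on every rule line unconditionally, so anyone diffing listings between hosts or feeding the output back in will now see handles that differ from one load to the next. Consider printing the comment only when the handle is non-zero, or gating it behind a listing option, and state the output change in the commit message so scripts that parse rule lines are not surprised.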
(Continue reading)

Pablo Neira Ayuso | 20 May 2013 15:00

[RFC 1/2] netfilter: nfnetlink: add commit operation to nfnl_subsystems

This patch adds the commit operation, which is called after
processing a batch composed of several netlink messages. This
only allows batches composed of netlink messages going to the
same subsystem.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 net/netfilter/nfnetlink.c |   73 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 55 insertions(+), 18 deletions(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index ffb92c0..c470123 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
 <at>  <at>  -87,11 +87,21  <at>  <at>  EXPORT_SYMBOL_GPL(nfnetlink_subsys_unregister);
 static inline const struct nfnetlink_subsystem *nfnetlink_get_subsys(u_int16_t type)
 {
 	u_int8_t subsys_id = NFNL_SUBSYS_ID(type);
+	const struct nfnetlink_subsystem *ss;

 	if (subsys_id >= NFNL_SUBSYS_COUNT)
 		return NULL;

-	return rcu_dereference(subsys_table[subsys_id]);
+	ss = rcu_dereference(subsys_table[subsys_id]);
+	if (!ss) {
+#ifdef CONFIG_MODULES
+		rcu_read_unlock();
+		request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
+		rcu_read_lock();
(Continue reading)

Andy Spencer | 20 May 2013 05:01

[PATCH] iptables: use autoconf to process .in man pages

This fixes a bug in iptables.8 and ip6tables.8 where @PACKAGE_VERSION@
was not processed in the VERSION section. It also simplifies the
Makefile by avoiding some sed commands.
---
Yea, I don't know how I feel about having a .in.in, but it seems to work
well enough.

 configure.ac                                                     | 2 ++
 iptables/.gitignore                                              | 1 +
 iptables/Makefile.am                                             | 9 +--------
 iptables/ip6tables.8.in                                          | 2 +-
 .../{iptables-extensions.8.in => iptables-extensions.8.in.in}    | 2 +-
 iptables/iptables.8.in                                           | 2 +-
 6 files changed, 7 insertions(+), 11 deletions(-)
 rename iptables/{iptables-extensions.8.in => iptables-extensions.8.in.in} (94%)

diff --git a/configure.ac b/configure.ac
index 0620466..7066ad2 100644
--- a/configure.ac
+++ b/configure.ac
 <at>  <at>  -127,6 +127,8  <at>  <at>  AC_SUBST([libxtables_vmajor])

 AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
 	iptables/Makefile iptables/xtables.pc
+	iptables/iptables.8 iptables/ip6tables.8
+	iptables/iptables-extensions.8.in
 	libipq/Makefile libipq/libipq.pc
 	libiptc/Makefile libiptc/libiptc.pc
 	libiptc/libip4tc.pc libiptc/libip6tc.pc
diff --git a/iptables/.gitignore b/iptables/.gitignore
(Continue reading)

Michael Roth | 19 May 2013 13:22

[PATCH] doc: mention SNAT in INPUT chain since kernel 2.6.36

From: Michael Roth <mroth <at> nessie.de>

SNAT in the INPUT chain was added Jun 2010 to the kernel
(commit c68cd6cc21eb329c47ff020ff7412bf58176984e).

Signed-off-by: Michael Roth <mail <at> mroth.net>
---
 extensions/libipt_SNAT.man |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
index 626b592..093b09c 100644
--- a/extensions/libipt_SNAT.man
+++ b/extensions/libipt_SNAT.man
 <at>  <at>  -2,7 +2,10  <at>  <at>  This target is only valid in the
 .B nat
 table, in the
 .B POSTROUTING
-chain.  It specifies that the source address of the packet should be
+and
+.B INPUT
+chains, and user-defined chains which are only called from those
+chains.  It specifies that the source address of the packet should be
 modified (and all future packets in this connection will also be
 mangled), and rules should cease being examined.  It takes one type
 of option:
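Review bot: the new INPUT wording in this hunk does not say from which kernel version it applies, while the same man page already qualifies other features with a version ("kernel >= 2.6.21", "from 2.6.29-rc2") and the subject names 2.6.36; add the version next to the INPUT mention, where a reader checking chain validity will look, so users on older kernels are not misled into expecting the target to load there.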
 <at>  <at>  -35,3 +38,9  <at>  <at>  is used then port mapping will be randomized (kernel >= 2.6.21).
 Gives a client the same source-/destination-address for each connection.
 This supersedes the SAME target. Support for persistent mappings is available
 from 2.6.29-rc2.
(Continue reading)

