Hi Guys!
I was searching for a _simple_ way to account traffic per host and found
numerous methods just by googling, but none of them were simple.
Then I stumbled upon ulogd2 and this page:
https://home.regit.org/2012/07/flow-accounting-with-netfilter-and-ulogd2/
Which is almost something I want,
When the ipt_CLUSTERIP target is inserted, lockdep warns about a
possible DEADLOCK situation. To avoid the deadlock situation,
register_netdevice_notifier() should be called only by the init routine.
Reproduce command is:
# iptables -A INPUT -p tcp -i enp3s0 -d 192.168.0.5 --dport 80 \
-j CLUSTERIP --new --h
When the xt_TEE target is inserted, lockdep warns about a possible
DEADLOCK situation. To avoid the deadlock situation,
register_netdevice_notifier() should be called only by the init routine.
Reproduce command is:
# iptables -I INPUT -j TEE --oif enp3s0 --gateway 192.168.0.1
Warning message is:
[ 11
On Sunday 2017-09-03 16:30, Taehee Yoo wrote:
>When xt_TEE target is inserted, lockdep warns about possible
>DEADLOCK situation. to avoid deadlock situation
>the register_netdevice_notifier() should be called by only init routine.
>
>+#include
>
> struct xt_tee_tginfo {
> union nf_inet_ad
2017-09-04 0:32 GMT+09:00 Jan Engelhardt :
>
> On Sunday 2017-09-03 16:30, Taehee Yoo wrote:
>
>>When xt_TEE target is inserted, lockdep warns about possible
>>DEADLOCK situation. to avoid deadlock situation
>>the register_netdevice_notifier() should be called by only init routine.
>>
>>+#include
When the xt_TEE target is inserted, lockdep warns about a possible
DEADLOCK situation. To avoid the deadlock situation,
register_netdevice_notifier() should be called only by the init routine.
Reproduce command is:
# iptables -I INPUT -j TEE --oif enp3s0 --gateway 192.168.0.1
Warning message is:
[ 11
nf_tables_newchain() is too large, wrap the chain update path in a
function to make it more maintainable.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 170 +++---
1 file changed, 92 insertions(+), 78 deletions(-)
diff --git a/net/netfi
Wrap the chain addition path in a function to make it more maintainable.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 199 ++
1 file changed, 106 insertions(+), 93 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfi
In the last NFWS in Faro, Portugal, we discussed that netlink is lacking
the semantics to request non recursive deletions, ie. do not delete an
object iff it has child objects that hang from this parent object that
the user requests to be deleted.
We need this new flag to solve a problem for the i
This patch sorts out an asymmetry in deletions. Currently, table and set
deletion commands come with an implicit content flush on deletion.
However, chain deletion results in -EBUSY if there is content in this
chain, so no implicit flush happens. So you have to send a flush command
in first place t
Bail out if user requests non-recursive deletion for tables and sets.
This new flag tells the nf_tables netlink interface to reject deletions if
tables and sets have content.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion
Hi,
Here are two patches related to libnftables preparation work.
The first one is changing the way an nft_ctx is created, to be able
to skip the netlink init function call and also to have some freedom
later.
The second one is getting the printf out. This is completely changed
from what was prop
This patch introduces the nft_print_to_output_ctx function that has
to be used instead of printf to output information that was
previously sent to stdout. This function accumulates the output in
a buffer that can be fetched by the user with the nft_ctx_get_output()
function.
This modification wil
By adding flags to nft_ctx_new, we will have a minimum capability
of changing the way the nft_ctx is created.
For now, this patch uses a simple value that allows the user to specify
that he will handle netlink by himself.
Signed-off-by: Eric Leblond
---
include/nftables.h | 4
src/main.c
From: Florian Westphal
Assuming we have lockless readers, we should make sure they can only
see expectations that have already been initialized.
hlist_add_head_rcu acts as a memory barrier; move it after timer setup.
Theoretically we could crash due to a del_timer() on other cpu
seeing garbage dat
Hi David,
The following patchset contains Netfilter updates for your net-next
tree. Basically, updates to the conntrack core, enhancements for
nf_tables, conversion of netfilter hooks from linked list to array to
improve memory locality and assorted improvements for the Netfilter
codebase. More spe
From: Florian Westphal
This also removes __nf_ct_unconfirmed_destroy() call from
nf_ct_iterate_cleanup_net, so that function can be used only
when missing conntracks from unconfirmed list isn't a problem.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilt
From: "subas...@codeaurora.org"
Delayed workqueue causes wakeups to idle CPUs. This was
causing a power impact for devices. Use a deferrable work
queue instead so that gc_worker runs only when the CPU is active.
Signed-off-by: Subash Abhinov Kasiviswanathan
Signed-off-by: Pablo Neira Ayuso
---
net/n
From: Taehee Yoo
This patch removes duplicate rcu_read_lock().
1. IPVS part:
According to Julian Anastasov's mention, contexts of ipvs are described
at: http://marc.info/?l=netfilter-devel&m=149562884514072&w=2, in summary:
- packet RX/TX: does not need locks because packets come from hooks.
From: Phil Sutter
This is helpful for 'nft monitor' to track which process caused a given
change to the ruleset.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c| 5 -
2 files changed
These chain counters are only used by the iptables-compat tool, that
allow users to use the x_tables extensions from the existing nf_tables
framework. This patch makes nf_tables by ~5% for the general usecase,
ie. native nft users, where no chain counters are used at all.
Signed-off-by: Pablo Neir
From: Florian Westphal
We have several spots that open-code an expect walk, add a helper
that is similar to nf_ct_iterate_destroy/nf_ct_iterate_cleanup.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_expect.h | 5 +++
net/netfilter/nf_c
From: "Pablo M. Bermudo Garay"
Add fib expression support for netdev family. Like inet family, netdev
delegates the actual decision to the corresponding backend, either ipv4
or ipv6.
This allows to perform very early reverse path filtering, among other
things.
You can find more information abou
From: Florian Westphal
queued skbs might be using conntrack extensions that are being removed,
such as timeout. This happens for skbs that have a skb->nfct in
unconfirmed state (i.e., not in hash table yet).
This is destructive, but there are only two use cases:
- module removal (rare)
- netn
From: "Pablo M. Bermudo Garay"
This is a preparatory patch for adding fib support to the netdev family.
The netdev family receives the packets from ingress hook. At this point
we have no guarantee that the ip header is linear. So this patch
replaces ip_hdr with skb_header_pointer in order to add
From: Florian Westphal
When skb is queued to userspace it leaves softirq/rcu protection.
skb->nfct (via conntrack extensions such as helper) could then reference
modules that no longer exist if the conntrack was not yet confirmed.
nf_ct_iterate_destroy() will set the DYING bit for unconfirmed
co
From: Phil Sutter
Same conversion as for table names, use NFT_NAME_MAXLEN as upper
boundary as well.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h| 4 ++--
include/uapi/linux/netfilter/nf_tables.h | 2 +-
net/netfilter/nf_tables_ap
From: Phil Sutter
Allocate all table names dynamically to allow for arbitrary lengths but
introduce NFT_NAME_MAXLEN as an upper sanity boundary. Its value was
chosen to allow using a domain name as per RFC 1035.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
include/net/netf
From: Phil Sutter
nft_trace_notify() is called only from __nft_trace_packet(), which
assigns its parameter 'chain' to info->chain. __nft_trace_packet() in
turn later dereferences 'chain' unconditionally, which indicates that
it's never NULL. Same does nft_do_chain(), the only user of the tracing
From: Phil Sutter
Same conversion as for table names, use NFT_NAME_MAXLEN as upper
boundary as well.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h| 2 +-
include/uapi/linux/netfilter/nf_tables.h | 2 +-
net/netfilter/nf_tables_api.
From: Florian Westphal
Switch to lockless lookup. The write side now also increments the sequence
counter. On lookup, sample counter value and only take the lock
if we did not find a match and the counter has changed.
This avoids need to write to private area in normal (lookup) cases.
In case we detec
From: Phil Sutter
Same conversion as for table names, use NFT_NAME_MAXLEN as upper
boundary as well.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h| 2 +-
include/uapi/linux/netfilter/nf_tables.h | 2 +-
net/netfilter/nf_tables_api.
From: Phil Sutter
This is similar to strdup() for netlink string attributes.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
include/net/netlink.h | 1 +
lib/nlattr.c | 24
2 files changed, 25 insertions(+)
diff --git a/include/net/netlink.h
From: Florian Westphal
We no longer place these on a list so they can be const.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
drivers/net/ipvlan/ipvlan_main.c | 2 +-
net/bridge/br_netfilter_hooks.c| 2 +-
net/bridge/netfilter/ebtable_filte
From: Florian Westphal
Discussion during NFWS 2017 in Faro has shown that the current
conntrack behaviour is unreasonable.
Even if conntrack module is loaded on behalf of a single net namespace,
it's turned on for all namespaces, which is expensive. Commit
481fa373476 ("netfilter: conntrack: add
From: Taehee Yoo
The target variable is not used in the compat_copy_entry_from_user().
So it can be removed.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/arp_tables.c | 2 --
net/ipv4/netfilter/ip_tables.c | 2 --
2 files changed, 4 deletions(-)
diff --g
From: Julia Lawall
When a nf_conntrack_l3/4proto parameter is not on the left hand side
of an assignment, its address is not taken, and it is not passed to a
function that may modify its fields, then it can be declared as const.
This change is useful from a documentation point of view, and can
p
On Mon, Sep 04, 2017 at 12:03:55AM +0200, Eric Leblond wrote:
> By adding flags to nft_ctx_new, we will have a minimum capabilities
> of changing the way the nft_ctx is created.
>
> For now, this patch uses a simple value that allow the user to specify
> that he will handle netlink by himself.
>
On Mon, Sep 04, 2017 at 12:03:56AM +0200, Eric Leblond wrote:
> This patch introduces the nft_print_to_output_ctx function that has
> to be used instead of printf to output information that where
> previously send to stdout. This function accumulate the output in
> a buffer that can be fetched by t
From: Florian Westphal
to be used in combination with tcp option set support to mimic
iptables TCPMSS --clamp-mss-to-pmtu.
v2: Eric Dumazet points out dst must be initialized.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 2 +
From: Julia Lawall
The nf_loginfo structures are only passed as the seventh argument to
nf_log_trace, which is declared as const or stored in a local const
variable. Thus the nf_loginfo structures themselves can be const.
Done with the help of Coccinelle.
//
@r disable optional_qualifier@
ide
From: Florian Westphal
no need to waste storage for something that is only needed
in one place and can be deduced from protocol number.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_l4proto.h | 3 ---
net/ipv4/netfilter/nf_conntrack
From: Florian Westphal
no need to waste storage for something that is only needed
in one place and can be deduced from protocol number.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_l3proto.h | 3 ---
net/ipv4/netfilter/nf_conntrack
From: Florian Westphal
can use u16 for both, shrinks size by another 8 bytes.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_l4proto.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_conn
From: Florian Westphal
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_l4proto.h | 7 ---
net/netfilter/nf_conntrack_proto_dccp.c | 6 ++
net/netfilter/nf_conntrack_proto_gre.c | 4
net/netfilter/nf_conntrack_proto
From: Florian Westphal
net/netfilter/nft_payload.c:187:18: warning: incorrect type in return
expression (expected bool got restricted __sum16 [usertype] check)
net/netfilter/nft_exthdr.c:222:14: warning: cast to restricted __be32
net/netfilter/nft_rt.c:49:23: warning: incorrect type in assignmen
From: Florian Westphal
When enabling logging for invalid connections we currently also log most
icmpv6 types, which we don't track intentionally (e.g. neigh discovery).
"invalid" should really mean "invalid", i.e. short header or bad checksum.
We don't do any logging for icmp(v4) either, its jus
From: Florian Westphal
Make sure our grow/shrink routine places them in the correct order.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 23 +++
1 file changed, 23 insertions(+)
diff --git a/net/netfilter/core.c b/net/netfilte
From: Aaron Conole
This converts the storage and layout of netfilter hook entries from a
linked list to an array. After this commit, hook entries will be
stored adjacent in memory. The next pointer is no longer required.
The ops pointers are stored at the end of the array as they are only
used
From: Florian Westphal
re-add batching in nf_unregister_net_hooks().
Similar as before, just store an array with to-be-free'd rule arrays
on stack, then call synchronize_net once per batch.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 59 +++
From: Davide Caratti
L4 protocol helpers for DCCP, SCTP and UDPlite can't be built as kernel
modules anymore, so we can remove code enclosed in
#ifdef CONFIG_NF_CT_PROTO_{DCCP,SCTP,UDPLITE}_MODULE
Signed-off-by: Davide Caratti
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_p
From: Florian Westphal
This needs to account for the ipv4/ipv6 header size and the tcp
header without options.
Fixes: 6b5dc98e8fac0 ("netfilter: rt: add support to fetch path mss")
Reported-by: Matteo Croce
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft
From: Florian Westphal
Doesn't change generated code, but will make it easier to eventually
make the actual trackers themselves const.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_l3proto.h | 6 +++---
include/net/netfilter/nf_connt
From: Varsha Rao
Remove NFDEBUG and use pr_debug() instead of it.
Signed-off-by: Varsha Rao
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_internals.h | 6 --
net/netfilter/nf_sockopt.c | 2 +-
2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/net/netfilter/nf_interna
From: Colin Ian King
The returns on some if statements are not indented correctly,
add in the missing tab.
Signed-off-by: Colin Ian King
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/netfilter/ebt_ip.c | 4 ++--
net/bridge/netfilter/ebt_ip6.c | 2 +-
2 files changed, 3 insertions(+), 3 del
From: Florian Westphal
CONFIG_NF_CONNTRACK_PROCFS is deprecated, no need to use a function
pointer in the trackers for this. Place the printf formatting in
the one place that uses it.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_l3pro
From: Taehee Yoo
The root4 variable is used only when the connlimit extension module has been
stored by the iptables command, and the root6 variable is used only when the
connlimit extension module has been stored by the ip6tables command.
So the root4 and root6 variables are not used at the same time.
From: Florian Westphal
avoids a pointer and allows struct to be const later on.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_l3proto.h | 19 ---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 13 +++--
net/
From: Florian Westphal
So eval and upcoming eval_set versions can reuse a common helper.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_exthdr.c | 16 +++-
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nft_exth
On Mon, Sep 04, 2017 at 12:33:09AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 04, 2017 at 12:03:55AM +0200, Eric Leblond wrote:
> > By adding flags to nft_ctx_new, we will have a minimum capabilities
> > of changing the way the nft_ctx is created.
> >
> > For now, this patch uses a simple value
From: Florian Westphal
This allows setting 2 and 4 byte quantities in the tcp option space.
Main purpose is to allow native replacement for xt_TCPMSS to
work around pmtu blackholes.
Writes to kind and len are now allowed at the moment, it does not seem
useful to do this as it causes corruption o
From: Nick Desaulniers
Clang produces the following warning:
net/ipv4/netfilter/nf_nat_h323.c:553:6: error:
logical not is only applied to the left hand side of this comparison
[-Werror,-Wlogical-not-parentheses]
if (!set_h225_addr(skb, protoff, data, dataoff, taddr,
^
add parentheses afte
From: Geliang Tang
Use audit_log() instead of open-coding it.
Signed-off-by: Geliang Tang
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/netfilter/ebtables.c | 13 -
net/netfilter/x_tables.c| 14 --
2 files changed, 8 insertions(+), 19 deletions(-)
diff --git
From: Florian Westphal
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_exthdr.c | 33 +
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 1ec49fe58
From: Taehee Yoo
The netfilter_queue_init() has been removed,
so we can remove the prototype of that.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_internals.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_
From: Pablo Neira Ayuso
Date: Mon, 4 Sep 2017 00:25:42 +0200
> The following patchset contains Netfilter updates for your net-next
> tree. Basically, updates to the conntrack core, enhancements for
> nf_tables, conversion of netfilter hooks from linked list to array to
> improve memory locality
I only see patches 3, 4, and 5 of this series.
If this is meant for net-next inclusion, you'll have to submit it such that
I see the entire series on netdev and thus in patchwork.
Thanks.
On Sun, Sep 03, 2017 at 05:14:18PM -0700, David Miller wrote:
>
> I only see patches 3, 4, and 5 of this series.
>
> If this is meant for net-next inclusion, you'll have to submit it such that
> I see the entire series on netdev and thus in patchwork.
I'm posting this new NLM_F_NONREC for acknow