Re: [PATCH v2] netfilter: nf_tables: add hash expression

2016-08-09 Thread Liping Zhang
Hi Laura,

2016-08-10 2:22 GMT+08:00 Laura Garcia Liebana :
> This patch adds a new hash expression; this provides jhash support but
> can be extended to support other hash functions.
>
> The modulus and seed already come embedded into this new expression.
>
> Use case example:
> meta mark set hash ip saddr mod 10
>
> +static int nft_hash_init(const struct nft_ctx *ctx,
> +const struct nft_expr *expr,
> +const struct nlattr * const tb[])
> +{
> +   struct nft_hash *priv = nft_expr_priv(expr);
> +   u32 len;
> +
> +   if (!tb[NFTA_HASH_SREG] ||
> +   !tb[NFTA_HASH_DREG] ||
> +   !tb[NFTA_HASH_LEN])
> +   return -EINVAL;

I think tb[NFTA_HASH_MODULUS] and tb[NFTA_HASH_SEED] should also be
checked to see whether they are NULL or not? :)

> +
> +   priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]);
> +   priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]);

Should we use nft_validate_register_load and
nft_validate_register_store here to check the validity?

> +
> +   len = ntohl(nla_get_be32(tb[NFTA_HASH_LEN]));
> +   if (len == 0 || len > U8_MAX)
> +   return -EINVAL;
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH] netfilter: nf_tables: Add size check on u8 nft_exthdr attributes

2016-08-09 Thread Laura Garcia Liebana
Fix the direct assignment of offset and length attributes included in
nft_exthdr structure from u32 data to u8.

Signed-off-by: Laura Garcia Liebana 
---
 net/netfilter/nft_exthdr.c | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index ba7aed1..dec3c36 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -59,6 +59,7 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
   const struct nlattr * const tb[])
 {
struct nft_exthdr *priv = nft_expr_priv(expr);
+   u32 offset, len;
 
if (tb[NFTA_EXTHDR_DREG] == NULL ||
tb[NFTA_EXTHDR_TYPE] == NULL ||
@@ -67,8 +68,16 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
return -EINVAL;
 
priv->type   = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
-   priv->offset = ntohl(nla_get_be32(tb[NFTA_EXTHDR_OFFSET]));
-   priv->len= ntohl(nla_get_be32(tb[NFTA_EXTHDR_LEN]));
+
+   offset = ntohl(nla_get_be32(tb[NFTA_EXTHDR_OFFSET]));
+   len= ntohl(nla_get_be32(tb[NFTA_EXTHDR_LEN]));
+
+   if (offset > U8_MAX || len > U8_MAX)
+   return -EINVAL;
+
+   priv->offset = offset;
+   priv->len = len;
+
priv->dreg   = nft_parse_register(tb[NFTA_EXTHDR_DREG]);
 
return nft_validate_register_store(ctx, priv->dreg, NULL,
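Review bot: the check `if (offset > U8_MAX || len > U8_MAX)` stops the silent u32-to-u8 truncation the commit message describes, but `len == 0` still reaches `priv->len = len;`, whereas the hash expression elsewhere in this thread rejects a zero length at init; the call `return nft_validate_register_store(ctx, priv->dreg, NULL,` is cut off here, so either confirm the length it is handed is validated there or reject zero in this hunk. Minor style: `priv->offset = offset;` and `priv->len = len;` drop the column alignment used by `priv->type   =` and `priv->dreg   =` around them.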
-- 
2.8.1



[PATCH v2] netfilter: nf_tables: add hash expression

2016-08-09 Thread Laura Garcia Liebana
This patch adds a new hash expression; this provides jhash support but
can be extended to support other hash functions.

The modulus and seed already come embedded into this new expression.

Use case example:
meta mark set hash ip saddr mod 10

Signed-off-by: Laura Garcia Liebana 
---
Changes in V2:
- Define len as u8 instead of u32
- Improved module description
- Remove unnecessary includes

 include/uapi/linux/netfilter/nf_tables.h |  20 +
 net/netfilter/Kconfig|   6 ++
 net/netfilter/Makefile   |   1 +
 net/netfilter/nft_hash.c | 133 +++
 4 files changed, 160 insertions(+)
 create mode 100644 net/netfilter/nft_hash.c

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 0e7928e..1399946 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -724,6 +724,26 @@ enum nft_meta_keys {
 };
 
 /**
+ * enum nft_hash_attributes - nf_tables hash expression netlink attributes
+ *
+ * @NFTA_HASH_SREG: source register (NLA_U32)
+ * @NFTA_HASH_DREG: destination register (NLA_U32)
+ * @NFTA_HASH_LEN: source data length (NLA_U32)
+ * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
+ * @NFTA_HASH_SEED: seed value (NLA_U32)
+ */
+enum nft_hash_attributes {
+   NFTA_HASH_UNSPEC,
+   NFTA_HASH_SREG,
+   NFTA_HASH_DREG,
+   NFTA_HASH_LEN,
+   NFTA_HASH_MODULUS,
+   NFTA_HASH_SEED,
+   __NFTA_HASH_MAX,
+};
+#define NFTA_HASH_MAX  (__NFTA_HASH_MAX - 1)
+
+/**
  * enum nft_meta_attributes - nf_tables meta expression netlink attributes
  *
  * @NFTA_META_DREG: destination register (NLA_U32)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index a2e4cf6..1074700 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -569,6 +569,12 @@ config NFT_COMPAT
  x_tables match/target extensions over the nf_tables
  framework.
 
+config NFT_HASH
+   tristate "Netfilter nf_tables hash module"
+   help
+ This option adds the "hash" expression that you can use to perform
+ a hash operation on registers.
+
 if NF_TABLES_NETDEV
 
 config NF_DUP_NETDEV
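Review bot: `config NFT_HASH` already exists in this Kconfig for the hash set backend (the rename patch in this thread changes that one to `NFT_SET_HASH`), so this hunk introduces a duplicate symbol unless the rename is applied first; the changelog should record that dependency. The help text could also say what is hashed (the source register contents, with jhash, a seed and a modulus) rather than "a hash operation on registers".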
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 441a3c0..faa277e 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -93,6 +93,7 @@ obj-$(CONFIG_NFT_COUNTER) += nft_counter.o
 obj-$(CONFIG_NFT_LOG)  += nft_log.o
 obj-$(CONFIG_NFT_MASQ) += nft_masq.o
 obj-$(CONFIG_NFT_REDIR)+= nft_redir.o
+obj-$(CONFIG_NFT_HASH) += nft_hash.o
 
 # nf_tables netdev
 obj-$(CONFIG_NFT_DUP_NETDEV)   += nft_dup_netdev.o
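Review bot: `obj-$(CONFIG_NFT_HASH) += nft_hash.o` duplicates the existing set-backend line of the same name in this Makefile (the one the rename patch in this thread turns into `nft_set_hash.o`), so the same ordering dependency as the Kconfig hunk applies here.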
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
new file mode 100644
index 000..c3e8263
--- /dev/null
+++ b/net/netfilter/nft_hash.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2016 Laura Garcia 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct nft_hash {
+   enum nft_registers  sreg:8;
+   enum nft_registers  dreg:8;
+   u8  len;
+   u32 modulus;
+   u32 seed;
+};
+
+static void nft_hash_eval(const struct nft_expr *expr,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+{
+   struct nft_hash *priv = nft_expr_priv(expr);
+   const void *data = ®s->data[priv->sreg];
+   u32 h;
+
+   h = reciprocal_scale(jhash(data, priv->len, priv->seed), priv->modulus);
+
+   regs->data[priv->dreg] = h;
+}
+
+const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
+   [NFTA_HASH_SREG]= { .type = NLA_U32 },
+   [NFTA_HASH_DREG]= { .type = NLA_U32 },
+   [NFTA_HASH_LEN] = { .type = NLA_U32 },
+   [NFTA_HASH_MODULUS] = { .type = NLA_U32 },
+   [NFTA_HASH_SEED]= { .type = NLA_U32 },
+};
+
+static int nft_hash_init(const struct nft_ctx *ctx,
+const struct nft_expr *expr,
+const struct nlattr * const tb[])
+{
+   struct nft_hash *priv = nft_expr_priv(expr);
+   u32 len;
+
+   if (!tb[NFTA_HASH_SREG] ||
+   !tb[NFTA_HASH_DREG] ||
+   !tb[NFTA_HASH_LEN])
+   return -EINVAL;
+
+   priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]);
+   priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]);
+
+   len = ntohl(nla_get_be32(tb[NFTA_HASH_LEN]));
+   if (len == 0 || len > U8_MAX)
+   return -EINVAL;
+
+   priv->len = len;
+
+   priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS]));
+   if (pr
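Review bot: `nft_hash_init` dereferences `tb[NFTA_HASH_MODULUS]` at `priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS]));` without the NULL check given to SREG, DREG and LEN, so a netlink message that omits the attribute reads through a NULL attribute pointer; add it (and the seed) to the `if (!tb[...])` test. `priv->sreg` and `priv->dreg` come straight from `nft_parse_register()` with no `nft_validate_register_load(priv->sreg, priv->len)` / `nft_validate_register_store()` call, so nothing bounds the `priv->len` bytes that `nft_hash_eval` reads from `&regs->data[priv->sreg]` against the register file, and nothing confirms `dreg` is a writable register. `nft_hash_policy` is not used outside this file and should be `static`. Finally, the patch creates `net/netfilter/nft_hash.c` (`new file mode 100644`) although a file of that name already exists as the hash set backend; the rename patch in this thread moves it to `nft_set_hash.c`, which must land first.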

4.7.0: RCU stall in nf_conntrack

2016-08-09 Thread Johannes Stezenbach
Hi,

I just experienced a network hangup with 4.7.0; it happened shortly
after resuming from hibernate:

[201988.443552] INFO: rcu_preempt detected stalls on CPUs/tasks:
[201988.443556] Tasks blocked on level-0 rcu_node (CPUs 0-3): P14563
[201988.443557] (detected by 3, t=18002 jiffies, g=7365154, c=7365153, 
q=15274)
[201988.443560] client_socket_t R  running task0 14563  1 0x
[201988.443563]  8800c427a900 e1b77832 880217603da0 
810bf66a
[201988.443565]  810bf5d1 8800c427a900 81e566c0 
880217603dd0
[201988.443567]  8119a3cf 8802177d80c0 81e566c0 
81f89ae0
[201988.443569] Call Trace:
[201988.443571][] sched_show_task+0xfa/0x160
[201988.443585]  [] ? sched_show_task+0x61/0x160
[201988.443587]  [] rcu_print_detail_task_stall_rnp+0x52/0x76
[201988.443590]  [] rcu_check_callbacks+0x866/0x9e0
[201988.443592]  [] update_process_times+0x39/0x60
[201988.443594]  [] tick_sched_handle.isra.5+0x21/0x60
[201988.443596]  [] tick_sched_timer+0x42/0x70
[201988.443598]  [] __hrtimer_run_queues+0x140/0x3c0
[201988.443599]  [] ? tick_sched_handle.isra.5+0x60/0x60
[201988.443601]  [] hrtimer_interrupt+0xb3/0x1c0
[201988.443603]  [] local_apic_timer_interrupt+0x36/0x60
[201988.443606]  [] smp_apic_timer_interrupt+0x3d/0x50
[201988.443607]  [] apic_timer_interrupt+0x8c/0xa0
[201988.443608][] ? 
__nf_conntrack_find_get+0x285/0x420
[201988.443611]  [] ? nf_conntrack_in+0x1d1/0x8d0
[201988.443612]  [] nf_conntrack_in+0x1d1/0x8d0
[201988.443615]  [] ipv4_conntrack_local+0x45/0x50
[201988.443616]  [] nf_iterate+0x62/0x80
[201988.443618]  [] nf_hook_slow+0xa0/0x110
[201988.443620]  [] ? nf_hook_slow+0x5/0x110
[201988.443622]  [] __ip_local_out+0xd8/0x120
[201988.443624]  [] ? ip_forward_options+0x1f0/0x1f0
[201988.443625]  [] ip_local_out+0x1c/0x70
[201988.443627]  [] ip_queue_xmit+0x18f/0x450
[201988.443628]  [] ? ip_queue_xmit+0x5/0x450
[201988.443630]  [] tcp_transmit_skb+0x48b/0x8e0
[201988.443632]  [] tcp_connect+0x629/0x830
[201988.443634]  [] ? secure_tcp_sequence_number+0x7f/0xe0
[201988.443636]  [] tcp_v4_connect+0x2b9/0x460
[201988.443638]  [] __inet_stream_connect+0xb2/0x310
[201988.443640]  [] ? preempt_count_sub+0xa1/0x100
[201988.443642]  [] ? lock_sock_nested+0x31/0x90
[201988.443644]  [] ? __local_bh_enable_ip+0x6f/0xd0
[201988.443646]  [] inet_stream_connect+0x38/0x50
[201988.443647]  [] SyS_connect+0x7b/0xf0
[201988.443649]  [] ? sock_alloc_file+0xa5/0x140
[201988.443651]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[201988.443652]  [] entry_SYSCALL_64_fastpath+0x1f/0xbd
[201988.443654] client_socket_t R  running task0 14563  1 0x
[201988.443656]  8800c427a900 e1b77832 880217603da0 
810bf66a
[201988.443658]  810bf5d1 8800c427a900 81e566c0 
880217603dd0
[201988.443660]  8119a3cf 8802177d80c0 81e566c0 
81f89ae0
[201988.443662] Call Trace:
[201988.443663][] sched_show_task+0xfa/0x160
[201988.443665]  [] ? sched_show_task+0x61/0x160
[201988.443666]  [] rcu_print_detail_task_stall_rnp+0x52/0x76
[201988.443668]  [] rcu_check_callbacks+0x89f/0x9e0
[201988.443669]  [] update_process_times+0x39/0x60
[201988.443671]  [] tick_sched_handle.isra.5+0x21/0x60
[201988.443672]  [] tick_sched_timer+0x42/0x70
[201988.443674]  [] __hrtimer_run_queues+0x140/0x3c0
[201988.443675]  [] ? tick_sched_handle.isra.5+0x60/0x60
[201988.443677]  [] hrtimer_interrupt+0xb3/0x1c0
[201988.443679]  [] local_apic_timer_interrupt+0x36/0x60
[201988.443680]  [] smp_apic_timer_interrupt+0x3d/0x50
[201988.443682]  [] apic_timer_interrupt+0x8c/0xa0
[201988.443682][] ? 
__nf_conntrack_find_get+0x285/0x420
[201988.443685]  [] ? nf_conntrack_in+0x1d1/0x8d0
[201988.443686]  [] nf_conntrack_in+0x1d1/0x8d0
[201988.443688]  [] ipv4_conntrack_local+0x45/0x50
[201988.443689]  [] nf_iterate+0x62/0x80
[201988.443691]  [] nf_hook_slow+0xa0/0x110
[201988.443692]  [] ? nf_hook_slow+0x5/0x110
[201988.443694]  [] __ip_local_out+0xd8/0x120
[201988.443696]  [] ? ip_forward_options+0x1f0/0x1f0
[201988.443697]  [] ip_local_out+0x1c/0x70
[201988.443699]  [] ip_queue_xmit+0x18f/0x450
[201988.443700]  [] ? ip_queue_xmit+0x5/0x450
[201988.443702]  [] tcp_transmit_skb+0x48b/0x8e0
[201988.443703]  [] tcp_connect+0x629/0x830
[201988.443705]  [] ? secure_tcp_sequence_number+0x7f/0xe0
[201988.443706]  [] tcp_v4_connect+0x2b9/0x460
[201988.443708]  [] __inet_stream_connect+0xb2/0x310
[201988.443710]  [] ? preempt_count_sub+0xa1/0x100
[201988.443711]  [] ? lock_sock_nested+0x31/0x90
[201988.443713]  [] ? __local_bh_enable_ip+0x6f/0xd0
[201988.443715]  [] inet_stream_connect+0x38/0x50
[201988.443716]  [] SyS_connect+0x7b/0xf0
[201988.443718]  [] ? sock_alloc_file+0xa5/0x140
[201988.443719]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[201988.443720]  [] entry_SYSCALL_64_fastpath+0x1f/0xbd
[202168.442569] INFO: rcu_preempt detected stalls on CPUs/tasks:
[202168.442572] Tasks 

Drop pings to other VLAN interfaces

2016-08-09 Thread vDev
We have a Linux gateway with multiple VLANs with the default policy
being DROP. We have the following rules in the INPUT and OUTPUT chains
of the filter table:

iptables -I INPUT -p icmp -j ACCEPT
iptables -I OUTPUT -p icmp -j ACCEPT

to allow pings to and from the gateway. What would be the best way to
allow pings from a host on a VLAN to the VLAN interface on the gateway
and everywhere else EXCEPT to other VLAN interfaces on the gateway?

For example, if the gateway's VLAN interfaces had the IP addresses
192.168.1.1/24 (vlan0) and 192.168.2.1/24 (vlan1), a host on vlan0
with address 192.168.1.8 must be able to ping 192.168.1.1 and other
public addresses EXCEPT 192.168.2.1. There could be many VLAN
interfaces, so excluding each one will not be very efficient. I'm trying
to see if there's a better way than adding specific DROP rules for each,
which can lead to a good number of rules depending on the number of
VLANs.

Thanks in advance for your help.
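One way to get this with a fixed number of rules, as an added example that is not part of the original post and not a reply from the list: the addrtype match's --limit-iface-in option restricts the LOCAL address-type check to the interface the packet arrived on, so an echo request is accepted only when it is addressed to the gateway address that lives on the ingress VLAN. Interface names and addresses are the ones from the question; the rule set itself, the IPTABLES dry-run variable and the helper names are assumptions of this example.

```shell
# Added example (not from the original post): constant-size ICMP policy for a
# multi-VLAN gateway whose filter table has a default DROP policy.
# With IPTABLES unset the script only echoes the rules (dry run); run it as
# root with IPTABLES=iptables to apply them.
set -eu
IPT="${IPTABLES:-echo iptables}"

# Replaces the post's two broad "-p icmp -j ACCEPT" rules.  The count stays at
# three however many VLAN interfaces the gateway has.
gateway_icmp_rules() {
    # Echo requests are accepted only when the destination is a local address
    # configured on the interface the packet came in on.  --limit-iface-in
    # scopes the LOCAL address-type check to that ingress interface, so
    # 192.168.1.8 on vlan0 reaches 192.168.1.1, while its pings to 192.168.2.1
    # (local to the gateway, but on vlan1) match nothing and hit the DROP policy.
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m addrtype --dst-type LOCAL --limit-iface-in -j ACCEPT
    # Replies and ICMP errors for flows the gateway itself started.
    $IPT -A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The gateway may still originate any ICMP, as in the original OUTPUT rule.
    $IPT -A OUTPUT -p icmp -j ACCEPT
}

# Number of rules the policy installs, independent of the VLAN count.
rule_count() {
    gateway_icmp_rules | wc -l | tr -d ' '
}

gateway_icmp_rules
```

Pings the host sends on to "everywhere else" are forwarded traffic and cross the FORWARD chain, which the post's INPUT and OUTPUT rules never governed, so only the INPUT side changes here; -A is used instead of the post's -I so the rules keep the order written.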


Re: [PATCH v2] netfilter: nft_nth: match every n packets

2016-08-09 Thread Pablo Neira Ayuso
On Tue, Aug 09, 2016 at 04:13:40PM +0200, Laura Garcia wrote:
> On Tue, Aug 09, 2016 at 12:52:53PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Jul 28, 2016 at 11:20:59AM +0200, Florian Westphal wrote:
> > > Laura Garcia  wrote:
> > > > On Thu, Jul 28, 2016 at 01:01:05AM +0200, Florian Westphal wrote:
> > > > > How exactly is this used by nftables?
> > > > > 
> > > > > AFAIU userspace will check if ->dreg is 0 or not, but does that make
> > > > > sense?
> > > > > 
> > > > > Seems to me it would be more straightforward to not use a dreg at all
> > > > > and just NFT_BREAK if nval != 0?
> > > > > 
> > > > 
> > > > The main idea is to provide a round robin like scheduling method, for
> > > > example:
> > > > 
> > > > ip daddr  dnat nth 3 map {
> > > > 0: ,
> > > > 1: ,
> > > > 2: 
> > > > }
> > > > 
> > > 
> > > That makes sense, would be nice to place a small blurb in the commit
> > > message.
> > 
> > I'd suggest you rename this to nft_numgen.c where numgen stands for
> > 'number generator', then rename 'every' to 'until' (this sets the
> > upper limit in the generator) and add support for random too, so we
> > provide incremental and random number generators to start with and we
> > leave room to extend this with more number generators in the future if
> > needed.
> > 
> > Florian added random to meta, but I don't see an easy way to reuse
> > this with maps unless we introduce another modulus/scale expression,
> > and we should skip oversplitting expressions in way too basic
> > operations.
> 
> So, do you mean something like this?
> 
> ip daddr  dnat numgen nth 3 map {
> 0: ,
> 1: ,
> 2: 
> }
> 
> and
> 
> ip daddr  dnat numgen random 3 map {
> 0: ,
> 1: ,
> 2: 
> }

Something like this, but I would like to have a better syntax for
this.

> Maybe _math_ could be a better name?
> The counter expression could be included as well.

We already have a counter expression ;-) So what counter expression
are you referring to?


Re: [PATCH] netfilter: nft_hash: generate Jenkins Hash per source register

2016-08-09 Thread Pablo Neira Ayuso
I'd rename the patch title to:

netfilter: nf_tables: add hash expression

While it is true that we support jenkins initially, we can potentially
extend this to support anything, so let's keep this patch title a bit
more generic.

On Tue, Aug 09, 2016 at 04:03:16PM +0200, Laura Garcia Liebana wrote:
> This patch adds a new hash expression; this provides jhash support but
> can be extended to support other hash functions.
> 
> The modulus and seed already come embedded into this new
> expression.
> 
> Use case example:
> meta mark set hash ip saddr mod 10
> 
> Signed-off-by: Laura Garcia Liebana 
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  20 +
>  net/netfilter/Kconfig|   6 ++
>  net/netfilter/Makefile   |   1 +
>  net/netfilter/nft_hash.c | 134 
> +++
>  4 files changed, 161 insertions(+)
>  create mode 100644 net/netfilter/nft_hash.c
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> b/include/uapi/linux/netfilter/nf_tables.h
> index 0e7928e..5e74c05 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -1097,4 +1097,24 @@ enum nft_nth_attributes {
>  };
>  #define NFTA_NTH_MAX (__NFTA_NTH_MAX - 1)
>  
> +/**
> + * enum nft_hash_attributes - nf_tables hash expression netlink attributes
> + * @NFTA_HASH_UNSPEC: unspecified attribute

We don't document the unspec attribute in other spots, so no need to
include this.

> + * @NFTA_HASH_SREG: source register (NLA_U32)
> + * @NFTA_HASH_DREG: destination register (NLA_U32)
> + * @NFTA_HASH_LEN: source data length (NLA_U32)
> + * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
> + * @NFTA_HASH_SEED: seed value (NLA_U32)
> + */
> +enum nft_hash_attributes {
> + NFTA_HASH_UNSPEC,
> + NFTA_HASH_SREG,
> + NFTA_HASH_DREG,
> + NFTA_HASH_LEN,
> + NFTA_HASH_MODULUS,
> + NFTA_HASH_SEED,
> + __NFTA_HASH_MAX,
> +};
> +#define NFTA_HASH_MAX(__NFTA_HASH_MAX - 1)
> +
>  #endif /* _LINUX_NF_TABLES_H */
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index a2e4cf6..f821902 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -480,6 +480,12 @@ config NFT_NTH
> This option adds the "nth" expression that you can use to match a
> packet every a specific given value.

This seems to apply on top of your previous nth patch, so it will not
apply in my tree because of this dependency; better place this
description in alphabetical order in Kconfig.

> +config NFT_HASH
> + tristate "Netfilter nf_tables hash module"
> + help
> +   This option adds the "hash" expression that you can use to perform
> +   a hash operation on registers.
> +
>  config NFT_CT
>   depends on NF_CONNTRACK
>   tristate "Netfilter nf_tables conntrack module"
> diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
> index 441a3c0..fd11c6d 100644
> --- a/net/netfilter/Makefile
> +++ b/net/netfilter/Makefile
> @@ -81,6 +81,7 @@ obj-$(CONFIG_NFT_COMPAT)+= nft_compat.o
>  obj-$(CONFIG_NFT_EXTHDR) += nft_exthdr.o
>  obj-$(CONFIG_NFT_META)   += nft_meta.o
>  obj-$(CONFIG_NFT_NTH)+= nft_nth.o
> +obj-$(CONFIG_NFT_HASH)   += nft_hash.o
>  obj-$(CONFIG_NFT_CT) += nft_ct.o
>  obj-$(CONFIG_NFT_LIMIT)  += nft_limit.o
>  obj-$(CONFIG_NFT_NAT)+= nft_nat.o
> diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
> new file mode 100644
> index 000..bb124aa
> --- /dev/null
> +++ b/net/netfilter/nft_hash.c
> @@ -0,0 +1,134 @@
> +/*
> + * Copyright (c) 2016 Laura Garcia 
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + */
> +
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 

I think we don't need these include files above, probably you got them
there from your copy and paste ;-)

> +#include 
> +#include 
> +#include 
> +
> +struct nft_hash {
> + enum nft_registers  sreg:8;
> + enum nft_registers  dreg:8;
> + u32 len:8;

Better:

u8  len;

> + u32 modulus;
> + u32 seed;
> +};
> +
> +static void nft_hash_eval(const struct nft_expr *expr,
> +   struct nft_regs *regs,
> +   const struct nft_pktinfo *pkt)
> +{
> + struct nft_hash *priv = nft_expr_priv(expr);
> + const void *data = ®s->data[priv->sreg];
> + u32 h;
> +
> + h = reciprocal_scale(jhash(data, priv->len, priv->seed), priv->modulus);
> +
> + regs->data[priv->dreg] = h;
> +}
> +
> +const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
> + [NFTA_HASH_SREG]
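The hash expression under review here, modelled in user space as an added example (not code from the patch, from the kernel tree, or from any participant in this thread). It keeps the eval path the patch uses, reciprocal_scale(jhash(&regs->data[sreg], len, seed), modulus), and adds the init-time checks the review asks for, so it shows what an unchecked length or register index would let eval read. The 16-word register file, the model_* and init_status names, the "modulus below 2" rule and the sample address are assumptions of this model, not kernel definitions; jhash follows the lookup3 variant in include/linux/jhash.h with the tail switch written as a loop.

```c
/* Added example, not code from the patch or the kernel tree: a user-space model
 * of the nft_hash expression reviewed above.  It keeps the patch's eval path,
 * reciprocal_scale(jhash(&regs->data[sreg], len, seed), modulus), and adds the
 * init-time checks asked for in this thread.  jhash follows include/linux/jhash.h
 * (lookup3); the 16-word register file, model_* names, modulus rule and sample
 * address are assumptions of this model, not kernel definitions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NFT_REG32_COUNT 16	/* assumed register file size, in 32-bit words */
#define JHASH_INITVAL	0xdeadbeefU
#define rol32(x, k)	(((x) << (k)) | ((x) >> (32 - (k))))
#define le32(p)	((uint32_t)(p)[0] | (uint32_t)(p)[1] << 8 | (uint32_t)(p)[2] << 16 | (uint32_t)(p)[3] << 24)
#define jhash_mix(a, b, c) do { a -= c; a ^= rol32(c, 4);  c += b; b -= a; b ^= rol32(a, 6);  a += c; \
	c -= b; c ^= rol32(b, 8);  b += a; a -= c; a ^= rol32(c, 16); c += b; \
	b -= a; b ^= rol32(a, 19); a += c; c -= b; c ^= rol32(b, 4);  b += a; } while (0)
#define jhash_final(a, b, c) do { c ^= b; c -= rol32(b, 14); a ^= c; a -= rol32(c, 11); \
	b ^= a; b -= rol32(a, 25); c ^= b; c -= rol32(b, 16); a ^= c; a -= rol32(c, 4); \
	b ^= a; b -= rol32(a, 14); c ^= b; c -= rol32(b, 24); } while (0)

struct model_regs { uint32_t data[NFT_REG32_COUNT]; };
struct model_hash { uint8_t sreg, dreg, len; uint32_t modulus, seed; };

/* lookup3: 12 bytes per mixing round; tail bytes feed a (0-3), b (4-7), c (8-11). */
static uint32_t jhash(const void *key, uint32_t length, uint32_t initval)
{
	const uint8_t *k = key;
	uint32_t a, b, c, i;
	a = b = c = JHASH_INITVAL + length + initval;
	for (; length > 12; length -= 12, k += 12) {
		a += le32(k); b += le32(k + 4); c += le32(k + 8);
		jhash_mix(a, b, c);
	}
	for (i = 0; i < length; i++) {
		uint32_t byte = (uint32_t)k[i] << (8 * (i % 4));
		if (i < 4) a += byte; else if (i < 8) b += byte; else c += byte;
	}
	if (length)
		jhash_final(a, b, c);
	return c;
}

/* Maps a 32-bit hash onto [0, ep_ro) by multiply-and-shift rather than modulo. */
static uint32_t reciprocal_scale(uint32_t val, uint32_t ep_ro)
{
	return (uint32_t)(((uint64_t)val * ep_ro) >> 32);
}

/* nft_hash_init with v2's len bound plus the register checks this thread asks for
 * (what nft_validate_register_load/_store enforce): the len bytes read from sreg
 * must lie inside the register file, and dreg must be a register that exists. */
static int model_hash_init(struct model_hash *priv, uint32_t sreg, uint32_t dreg,
			   uint32_t len, uint32_t modulus, uint32_t seed)
{
	if (len == 0 || len > UINT8_MAX)
		return -EINVAL;
	if (modulus < 2)		/* model's choice: a constant bucket is useless */
		return -ERANGE;
	if (sreg >= NFT_REG32_COUNT || (len + 3) / 4 > NFT_REG32_COUNT - sreg)
		return -ERANGE;		/* eval would read past regs->data */
	if (dreg >= NFT_REG32_COUNT)
		return -ERANGE;
	priv->sreg = sreg; priv->dreg = dreg; priv->len = len;
	priv->modulus = modulus; priv->seed = seed;
	return 0;
}

/* The eval path exactly as in the patch. */
static void model_hash_eval(const struct model_hash *priv, struct model_regs *regs)
{
	regs->data[priv->dreg] = reciprocal_scale(
		jhash(&regs->data[priv->sreg], priv->len, priv->seed), priv->modulus);
}

/* Init verdict only, for probing register/length combinations. */
static int init_status(uint32_t sreg, uint32_t dreg, uint32_t len, uint32_t modulus)
{
	struct model_hash priv;
	return model_hash_init(&priv, sreg, dreg, len, modulus, 0);
}

/* "meta mark set hash ip saddr mod <modulus>": saddr (network byte order) sits in
 * register 1, the bucket lands in register 2; UINT32_MAX means init rejected it. */
static uint32_t hash_saddr_mod(uint32_t saddr_be, uint32_t modulus, uint32_t seed)
{
	struct model_regs regs = { { 0 } };
	struct model_hash priv;
	if (model_hash_init(&priv, 1, 2, sizeof(saddr_be), modulus, seed) != 0)
		return UINT32_MAX;
	regs.data[1] = saddr_be;	/* constructed sample, e.g. 0x0801a8c0 = 192.168.1.8 */
	model_hash_eval(&priv, &regs);
	return regs.data[2];
}
```

Calling hash_saddr_mod(0x0801a8c0U, 10, 0x1234) from a main() yields a bucket in 0..9 for 192.168.1.8, while init_status(1, 2, 300, 10) and init_status(15, 2, 8, 10) return -EINVAL and -ERANGE: the first is the over-long length v2 now rejects, the second is a length that fits in a u8 but would still run eval off the end of the register file, which is the case only the register validation catches.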

Re: [PATCH v2] netfilter: nft_nth: match every n packets

2016-08-09 Thread Laura Garcia
On Tue, Aug 09, 2016 at 12:52:53PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 28, 2016 at 11:20:59AM +0200, Florian Westphal wrote:
> > Laura Garcia  wrote:
> > > On Thu, Jul 28, 2016 at 01:01:05AM +0200, Florian Westphal wrote:
> > > > How exactly is this used by nftables?
> > > > 
> > > > AFAIU userspace will check if ->dreg is 0 or not, but does that make
> > > > sense?
> > > > 
> > > > Seems to me it would be more straightforward to not use a dreg at all
> > > > and just NFT_BREAK if nval != 0?
> > > > 
> > > 
> > > The main idea is to provide a round robin like scheduling method, for
> > > example:
> > > 
> > > ip daddr  dnat nth 3 map {
> > > 0: ,
> > > 1: ,
> > > 2: 
> > > }
> > > 
> > 
> > That makes sense, would be nice to place a small blurb in the commit
> > message.
> 
> I'd suggest you rename this to nft_numgen.c where numgen stands for
> 'number generator', then rename 'every' to 'until' (this sets the
> upper limit in the generator) and add support for random too, so we
> provide incremental and random number generators to start with and we
> leave room to extend this with more number generators in the future if
> needed.
> 
> Florian added random to meta, but I don't see an easy way to reuse
> this with maps unless we introduce another modulus/scale expression,
> and we should skip oversplitting expressions in way too basic
> operations.

So, do you mean something like this?

ip daddr  dnat numgen nth 3 map {
0: ,
1: ,
2: 
}

and

ip daddr  dnat numgen random 3 map {
0: ,
1: ,
2: 
}

Maybe _math_ could be a better name?
The counter expression could be included as well.



[PATCH] netfilter: nf_tables: rename set implementations

2016-08-09 Thread Pablo Neira Ayuso
Use nft_set_* prefix for backend set implementations, thus we can use
nft_hash for the new hash expression.

Signed-off-by: Pablo Neira Ayuso 
---
Laura, I'm posting this patch that you need in first place before the hash
expression.

 net/netfilter/Kconfig| 4 ++--
 net/netfilter/Makefile   | 4 ++--
 net/netfilter/{nft_hash.c => nft_set_hash.c} | 0
 net/netfilter/{nft_rbtree.c => nft_set_rbtree.c} | 0
 4 files changed, 4 insertions(+), 4 deletions(-)
 rename net/netfilter/{nft_hash.c => nft_set_hash.c} (100%)
 rename net/netfilter/{nft_rbtree.c => nft_set_rbtree.c} (100%)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 9266cee..e5740e1 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -481,13 +481,13 @@ config NFT_CT
  This option adds the "meta" expression that you can use to match
  connection tracking information such as the flow state.
 
-config NFT_RBTREE
+config NFT_SET_RBTREE
tristate "Netfilter nf_tables rbtree set module"
help
  This option adds the "rbtree" set type (Red Black tree) that is used
  to build interval-based sets.
 
-config NFT_HASH
+config NFT_SET_HASH
tristate "Netfilter nf_tables hash set module"
help
  This option adds the "hash" set type that is used to build one-way
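Review bot: renaming `config NFT_HASH` to `config NFT_SET_HASH` (and `NFT_RBTREE` to `NFT_SET_RBTREE`) silently drops the option from every existing .config that had the old symbols set, so builders running `make oldconfig` lose the hash and rbtree set backends unless they notice the new prompts; the commit message should say so, or the new symbols could carry a default matching how the old ones were normally built. Unrelated but visible in the context lines: the NFT_CT help text reads 'This option adds the "meta" expression' where it describes the conntrack expression, worth a follow-up fix.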
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 6913454..101fb85 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -86,8 +86,8 @@ obj-$(CONFIG_NFT_NAT) += nft_nat.o
 obj-$(CONFIG_NFT_QUEUE)+= nft_queue.o
 obj-$(CONFIG_NFT_REJECT)   += nft_reject.o
 obj-$(CONFIG_NFT_REJECT_INET)  += nft_reject_inet.o
-obj-$(CONFIG_NFT_RBTREE)   += nft_rbtree.o
-obj-$(CONFIG_NFT_HASH) += nft_hash.o
+obj-$(CONFIG_NFT_SET_RBTREE)   += nft_set_rbtree.o
+obj-$(CONFIG_NFT_SET_HASH) += nft_set_hash.o
 obj-$(CONFIG_NFT_COUNTER)  += nft_counter.o
 obj-$(CONFIG_NFT_LOG)  += nft_log.o
 obj-$(CONFIG_NFT_MASQ) += nft_masq.o
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_set_hash.c
similarity index 100%
rename from net/netfilter/nft_hash.c
rename to net/netfilter/nft_set_hash.c
diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_set_rbtree.c
similarity index 100%
rename from net/netfilter/nft_rbtree.c
rename to net/netfilter/nft_set_rbtree.c
-- 
2.1.4



[PATCH libnftnl] expr: hash: Jenkins hash expression support

2016-08-09 Thread Laura Garcia Liebana
Support for the nft hash expression within libnftnl.

Signed-off-by: Laura Garcia Liebana 
---
 include/buffer.h|   2 +
 include/libnftnl/expr.h |  16 ++
 include/linux/netfilter/nf_tables.h |  20 +++
 src/Makefile.am |   1 +
 src/expr/hash.c | 295 
 src/expr_ops.c  |   2 +
 6 files changed, 336 insertions(+)
 create mode 100644 src/expr/hash.c

diff --git a/include/buffer.h b/include/buffer.h
index 36f0ee3..c76bd4d 100644
--- a/include/buffer.h
+++ b/include/buffer.h
@@ -90,5 +90,7 @@ int nftnl_buf_reg(struct nftnl_buf *b, int type, union 
nftnl_data_reg *reg,
 #define REPLACE"replace"
 #define FLUSH  "flush"
 #define EVERY  "every"
+#define MODULUS"modulus"
+#define SEED   "seed"
 
 #endif
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 6aa7756..811c254 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -54,6 +54,14 @@ enum {
 };
 
 enum {
+   NFTNL_EXPR_HASH_SREG= NFTNL_EXPR_BASE,
+   NFTNL_EXPR_HASH_DREG,
+   NFTNL_EXPR_HASH_LEN,
+   NFTNL_EXPR_HASH_MODULUS,
+   NFTNL_EXPR_HASH_SEED,
+};
+
+enum {
NFTNL_EXPR_META_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_META_DREG,
NFTNL_EXPR_META_SREG,
@@ -245,6 +253,14 @@ enum {
 };
 
 enum {
+   NFT_EXPR_HASH_SREG  = NFT_RULE_EXPR_ATTR_BASE,
+   NFT_EXPR_HASH_DREG,
+   NFT_EXPR_HASH_LEN,
+   NFT_EXPR_HASH_MODULUS,
+   NFT_EXPR_HASH_SEED,
+};
+
+enum {
NFT_EXPR_META_KEY   = NFT_RULE_EXPR_ATTR_BASE,
NFT_EXPR_META_DREG,
NFT_EXPR_META_SREG,
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 6fe5fc8..7b574c7 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -681,6 +681,26 @@ enum nft_nth_attributes {
 #define NFTA_NTH_MAX   (__NFTA_NTH_MAX - 1)
 
 /**
+ * enum nft_hash_attributes - nf_tables hash expression attributes
+ *
+ * @NFTA_HASH_SREG: source register (NLA_U32)
+ * @NFTA_HASH_DREG: destination register (NLA_U32)
+ * @NFTA_HASH_LEN: data length (NLA_U32)
+ * @NFTA_HASH_MODULUS: Modulus value (NLA_U32)
+ * @NFTA_HASH_SEED: hash initial value (NLA_U32)
+ */
+enum nft_hash_attributes {
+   NFTA_HASH_UNSPEC,
+   NFTA_HASH_SREG,
+   NFTA_HASH_DREG,
+   NFTA_HASH_LEN,
+   NFTA_HASH_MODULUS,
+   NFTA_HASH_SEED,
+   __NFTA_HASH_MAX
+};
+#define NFTA_HASH_MAX  (__NFTA_HASH_MAX - 1)
+
+/**
  * enum nft_meta_keys - nf_tables meta expression keys
  *
  * @NFT_META_LEN: packet length (skb->len)
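Review bot: this header is libnftnl's copy of the kernel uapi `nf_tables.h`, but the kernel-doc block here diverges from the kernel patch in this thread (`hash expression attributes` vs `hash expression netlink attributes`, `data length` vs `source data length`, `Modulus value`, `hash initial value` vs `seed value`, and `__NFTA_HASH_MAX` without the trailing comma); copy the block verbatim from the kernel header so later header syncs do not produce a spurious diff.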
diff --git a/src/Makefile.am b/src/Makefile.am
index 69b61ef..a01970d 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -39,6 +39,7 @@ libnftnl_la_SOURCES = utils.c \
  expr/match.c  \
  expr/meta.c   \
  expr/nth.c\
+ expr/hash.c   \
  expr/nat.c\
  expr/payload.c\
  expr/queue.c  \
diff --git a/src/expr/hash.c b/src/expr/hash.c
new file mode 100644
index 000..1383b07
--- /dev/null
+++ b/src/expr/hash.c
@@ -0,0 +1,295 @@
+/*
+ * (C) 2016 by Laura Garcia 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "internal.h"
+#include 
+#include 
+#include 
+
+
+struct nftnl_expr_hash {
+   enum nft_registers  sreg;
+   enum nft_registers  dreg;
+   unsigned intlen;
+   unsigned intmodulus;
+   unsigned intseed;
+};
+
+static int
+nftnl_expr_hash_set(struct nftnl_expr *e, uint16_t type,
+   const void *data, uint32_t data_len)
+{
+   struct nftnl_expr_hash *hash = nftnl_expr_data(e);
+
+   switch (type) {
+   case NFTNL_EXPR_HASH_SREG:
+   hash->sreg = *((uint32_t *)data);
+   break;
+   case NFTNL_EXPR_HASH_DREG:
+   hash->dreg = *((uint32_t *)data);
+   break;
+   case NFTNL_EXPR_HASH_LEN:
+   hash->len = *((unsigned int *)data);
+   break;
+   case NFTNL_EXPR_HASH_MODULUS:
+   hash->modulus = *((unsigned int *)data);
+   break;
+   case NFTNL_EXPR_HASH_SEED:
+   hash->seed = *((unsigned int *)data);
+   break;
+   default:
+   return -1;
+   }
+   return 0;
+}
+
+static const void *
+nftnl_expr_hash_get(const struct nftnl_expr *e, uint16_t type,
+   uint32_t *data_le
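Review bot: `nftnl_expr_hash_set` reads `*((uint32_t *)data)` for SREG and DREG but `*((unsigned int *)data)` for LEN, MODULUS and SEED, and `struct nftnl_expr_hash` stores the latter three as `unsigned int` although every attribute is NLA_U32 on the wire; use `uint32_t` for the fields and the casts so the struct matches the netlink encoding. `data_len` is accepted and then ignored, so a caller passing a shorter buffer is read past its end; a `data_len == sizeof(uint32_t)` check before each copy would be cheap.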

[PATCH] netfilter: nft_hash: generate Jenkins Hash per source register

2016-08-09 Thread Laura Garcia Liebana
This patch adds a new hash expression; this provides jhash support but
can be extended to support other hash functions.

The modulus and seed already come embedded into this new
expression.

Use case example:
meta mark set hash ip saddr mod 10

Signed-off-by: Laura Garcia Liebana 
---
 include/uapi/linux/netfilter/nf_tables.h |  20 +
 net/netfilter/Kconfig|   6 ++
 net/netfilter/Makefile   |   1 +
 net/netfilter/nft_hash.c | 134 +++
 4 files changed, 161 insertions(+)
 create mode 100644 net/netfilter/nft_hash.c

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 0e7928e..5e74c05 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1097,4 +1097,24 @@ enum nft_nth_attributes {
 };
 #define NFTA_NTH_MAX   (__NFTA_NTH_MAX - 1)
 
+/**
+ * enum nft_hash_attributes - nf_tables hash expression netlink attributes
+ * @NFTA_HASH_UNSPEC: unspecified attribute
+ * @NFTA_HASH_SREG: source register (NLA_U32)
+ * @NFTA_HASH_DREG: destination register (NLA_U32)
+ * @NFTA_HASH_LEN: source data length (NLA_U32)
+ * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
+ * @NFTA_HASH_SEED: seed value (NLA_U32)
+ */
+enum nft_hash_attributes {
+   NFTA_HASH_UNSPEC,
+   NFTA_HASH_SREG,
+   NFTA_HASH_DREG,
+   NFTA_HASH_LEN,
+   NFTA_HASH_MODULUS,
+   NFTA_HASH_SEED,
+   __NFTA_HASH_MAX,
+};
+#define NFTA_HASH_MAX  (__NFTA_HASH_MAX - 1)
+
 #endif /* _LINUX_NF_TABLES_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index a2e4cf6..f821902 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -480,6 +480,12 @@ config NFT_NTH
  This option adds the "nth" expression that you can use to match a
  packet every a specific given value.
 
+config NFT_HASH
+   tristate "Netfilter nf_tables hash module"
+   help
+ This option adds the "hash" expression that you can use to perform
+ a hash operation on registers.
+
 config NFT_CT
depends on NF_CONNTRACK
tristate "Netfilter nf_tables conntrack module"
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 441a3c0..fd11c6d 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -81,6 +81,7 @@ obj-$(CONFIG_NFT_COMPAT)  += nft_compat.o
 obj-$(CONFIG_NFT_EXTHDR)   += nft_exthdr.o
 obj-$(CONFIG_NFT_META) += nft_meta.o
 obj-$(CONFIG_NFT_NTH)  += nft_nth.o
+obj-$(CONFIG_NFT_HASH) += nft_hash.o
 obj-$(CONFIG_NFT_CT)   += nft_ct.o
 obj-$(CONFIG_NFT_LIMIT)+= nft_limit.o
 obj-$(CONFIG_NFT_NAT)  += nft_nat.o
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
new file mode 100644
index 000..bb124aa
--- /dev/null
+++ b/net/netfilter/nft_hash.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2016 Laura Garcia 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct nft_hash {
+   enum nft_registers  sreg:8;
+   enum nft_registers  dreg:8;
+   u32 len:8;
+   u32 modulus;
+   u32 seed;
+};
+
+static void nft_hash_eval(const struct nft_expr *expr,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+{
+   struct nft_hash *priv = nft_expr_priv(expr);
+   const void *data = ®s->data[priv->sreg];
+   u32 h;
+
+   h = reciprocal_scale(jhash(data, priv->len, priv->seed), priv->modulus);
+
+   regs->data[priv->dreg] = h;
+}
+
+const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
+   [NFTA_HASH_SREG]= { .type = NLA_U32 },
+   [NFTA_HASH_DREG]= { .type = NLA_U32 },
+   [NFTA_HASH_LEN] = { .type = NLA_U32 },
+   [NFTA_HASH_MODULUS] = { .type = NLA_U32 },
+   [NFTA_HASH_SEED]= { .type = NLA_U32 },
+};
+
+static int nft_hash_init(const struct nft_ctx *ctx,
+const struct nft_expr *expr,
+const struct nlattr * const tb[])
+{
+   struct nft_hash *priv = nft_expr_priv(expr);
+
+   if (!tb[NFTA_HASH_SREG] ||
+   !tb[NFTA_HASH_DREG] ||
+   !tb[NFTA_HASH_LEN])
+   return -EINVAL;
+
+   priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]);
+   priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]);
+
+   priv->len = ntohl(nla_get_be32(tb[NFTA_HASH_LEN]));
+   if (priv->len == 0)
+   return -EINVAL;
+
+   priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS]));
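Review bot: tb[NFTA_HASH_MODULUS] is dereferenced at `priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS]));` without the presence check that is applied to SREG, DREG and LEN, so a netlink message that omits the modulus (or seed) attribute dereferences a NULL pointer inside nft_hash_init(); extend the `if (!tb[NFTA_HASH_SREG] || ...)` test to cover NFTA_HASH_MODULUS and NFTA_HASH_SEED. Second, `priv->len` is an 8-bit bitfield, so the 32-bit value from ntohl() is truncated before the `priv->len == 0` test runs: a length of 256 becomes 0 and is rejected, but 257 becomes 1 and is accepted; read the attribute into a u32 local, reject anything above U8_MAX, and only then assign. Third, the registers are only parsed with nft_parse_register(); nft_validate_register_load(priv->sreg, len) and nft_validate_register_store(ctx, priv->dreg, NULL, NFT_DATA_VALUE, sizeof(u32)) would reject an out-of-range register or a length that reads past the register file, which matters because nft_hash_eval() passes priv->len straight to jhash() over the data at priv->sreg. Minor: nft_hash_policy has no external users and can be static, and a modulus of 0 or 1 produces a constant result and could be rejected up front.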

[PATCH, v2] Constify iterators

2016-08-09 Thread Carlos Falgueras García
Iterators do not modify objects which they iterate, so input pointer must
be const.

Signed-off-by: Carlos Falgueras García 
---
 include/libnftnl/chain.h |  4 ++--
 include/libnftnl/rule.h  |  8 
 include/libnftnl/set.h   | 16 
 include/libnftnl/table.h |  4 ++--
 src/chain.c  |  6 +++---
 src/rule.c   |  8 
 src/set.c|  6 +++---
 src/set_elem.c   | 10 +-
 src/table.c  |  6 +++---
 9 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index ed21e48..26460a6 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -81,7 +81,7 @@ void nftnl_chain_list_del(struct nftnl_chain *c);
 
 struct nftnl_chain_list_iter;
 
-struct nftnl_chain_list_iter *nftnl_chain_list_iter_create(struct 
nftnl_chain_list *l);
+struct nftnl_chain_list_iter *nftnl_chain_list_iter_create(const struct 
nftnl_chain_list *l);
 struct nftnl_chain *nftnl_chain_list_iter_next(struct nftnl_chain_list_iter 
*iter);
 void nftnl_chain_list_iter_destroy(struct nftnl_chain_list_iter *iter);
 
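Review bot: nftnl_chain_list_iter_create() now takes a const list, but nftnl_chain_list_iter_next() still returns a non-const `struct nftnl_chain *`, so callers can reach mutable objects through an iterator built from a const list; the const on the create prototype is nominal unless the iterator internally casts it away, which is worth a comment in the implementation. Also note that nftnl_chain_list_iter_destroy() takes a non-const iterator here while the rule and set headers in this same series declare their destroy functions with a const iterator; pick one convention (a destructor taking ownership is normally non-const) and apply it across all four headers.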
@@ -158,7 +158,7 @@ void nft_chain_list_del(struct nft_chain *c);
 
 struct nft_chain_list_iter;
 
-struct nft_chain_list_iter *nft_chain_list_iter_create(struct nft_chain_list 
*l);
+struct nft_chain_list_iter *nft_chain_list_iter_create(const struct 
nft_chain_list *l);
 struct nft_chain *nft_chain_list_iter_next(struct nft_chain_list_iter *iter);
 void nft_chain_list_iter_destroy(struct nft_chain_list_iter *iter);
 
diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h
index 2776a77..e3bd6b8 100644
--- a/include/libnftnl/rule.h
+++ b/include/libnftnl/rule.h
@@ -70,7 +70,7 @@ int nftnl_expr_foreach(struct nftnl_rule *r,
 
 struct nftnl_expr_iter;
 
-struct nftnl_expr_iter *nftnl_expr_iter_create(struct nftnl_rule *r);
+struct nftnl_expr_iter *nftnl_expr_iter_create(const struct nftnl_rule *r);
 struct nftnl_expr *nftnl_expr_iter_next(struct nftnl_expr_iter *iter);
 void nftnl_expr_iter_destroy(struct nftnl_expr_iter *iter);
 
@@ -86,7 +86,7 @@ int nftnl_rule_list_foreach(struct nftnl_rule_list 
*rule_list, int (*cb)(struct
 
 struct nftnl_rule_list_iter;
 
-struct nftnl_rule_list_iter *nftnl_rule_list_iter_create(struct 
nftnl_rule_list *l);
+struct nftnl_rule_list_iter *nftnl_rule_list_iter_create(const struct 
nftnl_rule_list *l);
 struct nftnl_rule *nftnl_rule_list_iter_cur(struct nftnl_rule_list_iter *iter);
 struct nftnl_rule *nftnl_rule_list_iter_next(struct nftnl_rule_list_iter 
*iter);
 void nftnl_rule_list_iter_destroy(const struct nftnl_rule_list_iter *iter);
@@ -153,7 +153,7 @@ int nft_rule_expr_foreach(struct nft_rule *r,
 
 struct nft_rule_expr_iter;
 
-struct nft_rule_expr_iter *nft_rule_expr_iter_create(struct nft_rule *r);
+struct nft_rule_expr_iter *nft_rule_expr_iter_create(const struct nft_rule *r);
 struct nft_rule_expr *nft_rule_expr_iter_next(struct nft_rule_expr_iter *iter);
 void nft_rule_expr_iter_destroy(struct nft_rule_expr_iter *iter);
 
@@ -169,7 +169,7 @@ int nft_rule_list_foreach(struct nft_rule_list *rule_list, 
int (*cb)(struct nft_
 
 struct nft_rule_list_iter;
 
-struct nft_rule_list_iter *nft_rule_list_iter_create(struct nft_rule_list *l);
+struct nft_rule_list_iter *nft_rule_list_iter_create(const struct 
nft_rule_list *l);
 struct nft_rule *nft_rule_list_iter_cur(struct nft_rule_list_iter *iter);
 struct nft_rule *nft_rule_list_iter_next(struct nft_rule_list_iter *iter);
 void nft_rule_list_iter_destroy(struct nft_rule_list_iter *iter);
diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h
index 5266b6f..adeb16c 100644
--- a/include/libnftnl/set.h
+++ b/include/libnftnl/set.h
@@ -71,8 +71,8 @@ void nftnl_set_list_del(struct nftnl_set *s);
 int nftnl_set_list_foreach(struct nftnl_set_list *set_list, int (*cb)(struct 
nftnl_set *t, void *data), void *data);
 
 struct nftnl_set_list_iter;
-struct nftnl_set_list_iter *nftnl_set_list_iter_create(struct nftnl_set_list 
*l);
-struct nftnl_set *nftnl_set_list_iter_cur(struct nftnl_set_list_iter *iter);
+struct nftnl_set_list_iter *nftnl_set_list_iter_create(const struct 
nftnl_set_list *l);
+struct nftnl_set *nftnl_set_list_iter_cur(const struct nftnl_set_list_iter 
*iter);
 struct nftnl_set *nftnl_set_list_iter_next(struct nftnl_set_list_iter *iter);
 void nftnl_set_list_iter_destroy(const struct nftnl_set_list_iter *iter);
 
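Review bot: nftnl_set_list_iter_cur() is constified here but nftnl_set_list_iter_next() on the following line is not; that is correct since next advances the iterator, but nftnl_set_list_iter_destroy() on the context line takes a const pointer that it then frees, which is the inverse of the usual ownership convention and inconsistent with nftnl_chain_list_iter_destroy() earlier in this series. Since the purpose of the series is to bring the const qualifiers in sync, the destroy prototypes should be aligned as well.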
@@ -133,8 +133,8 @@ int nftnl_set_elem_fprintf(FILE *fp, struct nftnl_set_elem 
*se, uint32_t type, u
 int nftnl_set_elem_foreach(struct nftnl_set *s, int (*cb)(struct 
nftnl_set_elem *e, void *data), void *data);
 
 struct nftnl_set_elems_iter;
-struct nftnl_set_elems_iter *nftnl_set_elems_iter_create(struct nftnl_set *s);
-struct nftnl_set_elem *nftnl_set_elems_iter_cur(struct nftnl_set_elems_iter 
*iter);
+struct nftnl_set_elems_iter *nftnl_set_elems_iter_create(const struct 
nftnl_set *s);
+struct nftnl_set_elem *nftnl_set_elems_iter_cur(const struct 
nftnl_se

Re: [PATCH v2] netfilter: nft_nth: match every n packets

2016-08-09 Thread Pablo Neira Ayuso
On Thu, Jul 28, 2016 at 11:20:59AM +0200, Florian Westphal wrote:
> Laura Garcia  wrote:
> > On Thu, Jul 28, 2016 at 01:01:05AM +0200, Florian Westphal wrote:
> > > How exactly is this used by nftables?
> > > 
> > > AFAIU usespace will check if ->dreg is 0 or not, but does that make
> > > sense?
> > > 
> > > Seems to me it would be more straightforward to not use a dreg at all
> > > and just NFT_BREAK if nval != 0?
> > > 
> > 
> > The main idea is to provide a round robin like scheduling method, for
> > example:
> > 
> > ip daddr  dnat nth 3 map {
> > 0: ,
> > 1: ,
> > 2: 
> > }
> > 
> 
> That makes sense, would be nice to place a small blurb in the commit
> message.

I'd suggest you rename this to nft_numgen.c where numgen stands for
'number generator', then rename 'every' to 'until' (this sets the
upper limit in the generator) and add support for random too, so we
provide incremental and random number generators to start with and we
leave room to extend this with more number generators in the future if
needed.

Florian added random to meta, but I don't see an easy way to reuse
this with maps unless we introduce another modulus/scale expression,
and we should skip oversplitting expressions in way too basic
operations.


[PATCH nft 1/3] scanner: honor absolute and relative paths via include file

2016-08-09 Thread Pablo Neira Ayuso
If the path refers to an absolute or relative path, do not check for the
default include paths, e.g. /etc/nftables/.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1040
Signed-off-by: Pablo Neira Ayuso 
---
 src/scanner.l | 24 +---
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/scanner.l b/src/scanner.l
index 88669d0..6f1a551 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -611,6 +611,13 @@ err:
return -1;
 }
 
+static bool search_in_include_path(const char *filename)
+{
+   return (strncmp(filename, "./", strlen("./") != 0) &&
+   strncmp(filename, "../", strlen("../") != 0) &&
+   filename[0] != '/');
+}
+
 int scanner_include_file(void *scanner, const char *filename,
 const struct location *loc)
 {
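Review bot: the parentheses in search_in_include_path() are misplaced: in `return (strncmp(filename, "./", strlen("./") != 0) &&` the expression `strlen("./") != 0` is evaluated first and yields 1, so the calls become strncmp(filename, "./", 1) and strncmp(filename, "../", 1), each comparing only the first character. The function therefore returns false for any name that begins with '.', for example a hidden file such as ".rules.nft" (constructed name) is treated as an explicit relative path and is never looked up in the include directories. The comparison belongs outside the strncmp() call: `strncmp(filename, "./", strlen("./")) != 0 && strncmp(filename, "../", strlen("../")) != 0 && filename[0] != '/'`.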
@@ -622,13 +629,16 @@ int scanner_include_file(void *scanner, const char 
*filename,
FILE *f;
 
f = NULL;
-   for (i = 0; i < INCLUDE_PATHS_MAX; i++) {
-   if (include_paths[i] == NULL)
-   break;
-   snprintf(buf, sizeof(buf), "%s/%s", include_paths[i], filename);
-   f = fopen(buf, "r");
-   if (f != NULL)
-   break;
+   if (search_in_include_path(filename)) {
+   for (i = 0; i < INCLUDE_PATHS_MAX; i++) {
+   if (include_paths[i] == NULL)
+   break;
+   snprintf(buf, sizeof(buf), "%s/%s",
+include_paths[i], filename);
+   f = fopen(buf, "r");
+   if (f != NULL)
+   break;
+   }
}
if (f == NULL) {
f = fopen(filename, "r");
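Review bot: the fallback at `if (f == NULL) { f = fopen(filename, "r");` still runs for an unqualified name that was not found in any include directory, so such a name is then resolved against the process's current working directory; that is the sysconfdir/cwd ambiguity this series sets out to remove, and with this patch alone it remains. Separately, the `snprintf(buf, sizeof(buf), "%s/%s", include_paths[i], filename);` result is not checked for truncation, so an over-long include_paths[i]/filename pair is silently opened as a shortened path; comparing the return value against sizeof(buf) and skipping that entry would avoid opening the wrong file.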
-- 
2.1.4



[PATCH nft 3/3] scanner: don't break line on include error message

2016-08-09 Thread Pablo Neira Ayuso
For consistency with other error messages in this codebase, don't add a
line break.

Signed-off-by: Pablo Neira Ayuso 
---
 src/scanner.l | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/scanner.l b/src/scanner.l
index cb2ea32..613c3c9 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -644,7 +644,7 @@ int scanner_include_file(void *scanner, const char 
*filename,
name = filename;
}
if (f == NULL) {
-   erec = error(loc, "Could not open file \"%s\": %s\n",
+   erec = error(loc, "Could not open file \"%s\": %s",
 filename, strerror(errno));
goto err;
}
-- 
2.1.4



[PATCH nft 2/3] scanner: don't fall back on current directory if include is not found

2016-08-09 Thread Pablo Neira Ayuso
This resolves an ambiguity if the same file name is used both under
sysconfdir and the current working directory.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1040
Signed-off-by: Pablo Neira Ayuso 
---
 src/scanner.l | 13 ++---
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/scanner.l b/src/scanner.l
index 6f1a551..cb2ea32 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -639,16 +639,15 @@ int scanner_include_file(void *scanner, const char 
*filename,
if (f != NULL)
break;
}
-   }
-   if (f == NULL) {
+   } else {
f = fopen(filename, "r");
-   if (f == NULL) {
-   erec = error(loc, "Could not open file \"%s\": %s\n",
-filename, strerror(errno));
-   goto err;
-   }
name = filename;
}
+   if (f == NULL) {
+   erec = error(loc, "Could not open file \"%s\": %s\n",
+filename, strerror(errno));
+   goto err;
+   }
 
erec = scanner_push_file(scanner, name, f, loc);
if (erec != NULL)
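Review bot: once the include-path loop ending at `if (f != NULL) break;` has tried every directory without success, the shared error at `erec = error(loc, "Could not open file \"%s\": %s\n", filename, strerror(errno));` reports errno from the last fopen() attempt in the loop while naming the bare filename, and if no include path is configured at all the loop never calls fopen() and errno is whatever an earlier call left behind; for the search case consider reporting ENOENT explicitly or the last path actually tried. Also, `name = filename;` in the else branch is now assigned before the NULL check, which is harmless but reads as if it expected an open file.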
-- 
2.1.4



Re: [PATCH iptables] xtables-compat: fix comments listing

2016-08-09 Thread Pablo Neira Ayuso
On Tue, Aug 02, 2016 at 04:29:47PM +0200, Pablo M. Bermudo Garay wrote:
> ip[6]tables-compat -L was not printing the comments since commit
> d64ef34a9961 ("iptables-compat: use nft built-in comments support").
> 
> This patch solves the issue.

Applied, thanks.


Re: [PATCH] rule: Constify rule iterators

2016-08-09 Thread Pablo Neira Ayuso
On Mon, Aug 08, 2016 at 08:10:16PM +0200, Carlos Falgueras García wrote:
> Iterators do not modify objects which they iterate, so input pointer must
> be const.

Please, constify other iterators: chain, set, set_elem, table, and so
on. So we get this code in sync too.

Thanks.