[nf-next:nexpr-wip 38/41] ERROR: "__invalid_xchg_size" [net/netfilter/nft_counter.ko] undefined!

2016-09-05 Thread kbuild test robot
tree:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git nexpr-wip
head:   79fecc65dbc173c5c12e0fa33997e4b8cae10d41
commit: 3593c74388e4faafa88c04cbb8e0a6792d4600eb [38/41] netfilter: nft_counter: support for atomic dump and reset
config: m68k-sun3_defconfig (attached as .config)
compiler: m68k-linux-gcc (GCC) 4.9.0
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
git checkout 3593c74388e4faafa88c04cbb8e0a6792d4600eb
# save the attached .config to linux build tree
make.cross ARCH=m68k 

All errors (new ones prefixed by >>):

>> ERROR: "__invalid_xchg_size" [net/netfilter/nft_counter.ko] undefined!

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all   Intel Corporation




[nf-next:nexpr-wip 38/41] net/netfilter/nft_counter.c:72:21: error: call to '__xchg_wrong_size' declared with attribute error: Bad argument size for xchg

2016-09-05 Thread kbuild test robot
tree:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git nexpr-wip
head:   79fecc65dbc173c5c12e0fa33997e4b8cae10d41
commit: 3593c74388e4faafa88c04cbb8e0a6792d4600eb [38/41] netfilter: nft_counter: support for atomic dump and reset
config: i386-allyesconfig (attached as .config)
compiler: gcc-6 (Debian 6.1.1-9) 6.1.1 20160705
reproduce:
git checkout 3593c74388e4faafa88c04cbb8e0a6792d4600eb
# save the attached .config to linux build tree
make ARCH=i386 

All errors (new ones prefixed by >>):

   net/netfilter/nft_counter.c: In function 'nft_counter_fetch':
>> net/netfilter/nft_counter.c:72:21: error: call to '__xchg_wrong_size' declared with attribute error: Bad argument size for xchg
    }
    ^
   net/netfilter/nft_counter.c:73:7: error: call to '__xchg_wrong_size' declared with attribute error: Bad argument size for xchg
     } while (u64_stats_fetch_retry_irq(_stats->syncp, seq));
     ^~~

vim +/__xchg_wrong_size +72 net/netfilter/nft_counter.c

    66	if (reset) {
    67		packets += xchg(_stats->counter.packets, 0);
    68		bytes   += xchg(_stats->counter.bytes, 0);
    69	} else {
    70		bytes   = cpu_stats->counter.bytes;
    71		packets = cpu_stats->counter.packets;
  > 72	}
    73	} while (u64_stats_fetch_retry_irq(_stats->syncp, seq));
    74	
    75	total->packets += packets;



Re: [PATCH nf] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

2016-09-05 Thread Feng Gao
On Tue, Sep 6, 2016 at 10:06 AM,   wrote:
> From: Gao Feng 
>
> It is valid that the TCP RST packet which does not set ack flag, and bytes
> of ack number are zero. For these RST packets, seqadj could not adjust the
> ack number.
>
> Signed-off-by: Gao Feng 
> ---
>  v2: Regenerate because the first patch is removed
>  v1: Initial patch
>
>  net/netfilter/nf_conntrack_seqadj.c | 34 +++---
>  1 file changed, 19 insertions(+), 15 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_seqadj.c 
> b/net/netfilter/nf_conntrack_seqadj.c
> index dff0f0c..3bd9c7e 100644
> --- a/net/netfilter/nf_conntrack_seqadj.c
> +++ b/net/netfilter/nf_conntrack_seqadj.c
> @@ -179,30 +179,34 @@ int nf_ct_seq_adjust(struct sk_buff *skb,
>
> tcph = (void *)skb->data + protoff;
> spin_lock_bh(>lock);
> +
> if (after(ntohl(tcph->seq), this_way->correction_pos))
> seqoff = this_way->offset_after;
> else
> seqoff = this_way->offset_before;
>
> -   if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
> - other_way->correction_pos))
> -   ackoff = other_way->offset_after;
> -   else
> -   ackoff = other_way->offset_before;
> -
> newseq = htonl(ntohl(tcph->seq) + seqoff);
> -   newack = htonl(ntohl(tcph->ack_seq) - ackoff);
> -
> inet_proto_csum_replace4(>check, skb, tcph->seq, newseq, false);
> -   inet_proto_csum_replace4(>check, skb, tcph->ack_seq, newack,
> -false);
> -
> -   pr_debug("Adjusting sequence number from %u->%u, ack from %u->%u\n",
> -ntohl(tcph->seq), ntohl(newseq), ntohl(tcph->ack_seq),
> -ntohl(newack));
>
> +   pr_debug("Adjusting sequence number from %u->%u\n",
> +ntohl(tcph->seq), ntohl(newseq));
> tcph->seq = newseq;
> -   tcph->ack_seq = newack;
> +
> +   if (likely(tcph->ack)) {
> +   if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
> + other_way->correction_pos))
> +   ackoff = other_way->offset_after;
> +   else
> +   ackoff = other_way->offset_before;
> +
> +   newack = htonl(ntohl(tcph->ack_seq) - ackoff);
> +   inet_proto_csum_replace4(>check, skb, tcph->ack_seq,
> +newack, false);
> +
> +   pr_debug("Adjusting ack number from %u->%u\n",
> +ntohl(tcph->ack_seq), ntohl(newack));
> +   tcph->ack_seq = newack;
> +   }
>
> res = nf_ct_sack_adjust(skb, protoff, tcph, ct, ctinfo);
> spin_unlock_bh(>lock);
> --
> 1.9.1
>
>

Sorry, I forgot to add the v2 in the subject.

Best Regards
Feng
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH nf] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

2016-09-05 Thread fgao
From: Gao Feng 

It is valid that the TCP RST packet which does not set ack flag, and bytes
of ack number are zero. For these RST packets, seqadj could not adjust the
ack number.

Signed-off-by: Gao Feng 
---
 v2: Regenerate because the first patch is removed
 v1: Initial patch

 net/netfilter/nf_conntrack_seqadj.c | 34 +++---
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/net/netfilter/nf_conntrack_seqadj.c 
b/net/netfilter/nf_conntrack_seqadj.c
index dff0f0c..3bd9c7e 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -179,30 +179,34 @@ int nf_ct_seq_adjust(struct sk_buff *skb,
 
tcph = (void *)skb->data + protoff;
spin_lock_bh(>lock);
+
if (after(ntohl(tcph->seq), this_way->correction_pos))
seqoff = this_way->offset_after;
else
seqoff = this_way->offset_before;
 
-   if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
- other_way->correction_pos))
-   ackoff = other_way->offset_after;
-   else
-   ackoff = other_way->offset_before;
-
newseq = htonl(ntohl(tcph->seq) + seqoff);
-   newack = htonl(ntohl(tcph->ack_seq) - ackoff);
-
inet_proto_csum_replace4(>check, skb, tcph->seq, newseq, false);
-   inet_proto_csum_replace4(>check, skb, tcph->ack_seq, newack,
-false);
-
-   pr_debug("Adjusting sequence number from %u->%u, ack from %u->%u\n",
-ntohl(tcph->seq), ntohl(newseq), ntohl(tcph->ack_seq),
-ntohl(newack));
 
+   pr_debug("Adjusting sequence number from %u->%u\n",
+ntohl(tcph->seq), ntohl(newseq));
tcph->seq = newseq;
-   tcph->ack_seq = newack;
+
+   if (likely(tcph->ack)) {
+   if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
+ other_way->correction_pos))
+   ackoff = other_way->offset_after;
+   else
+   ackoff = other_way->offset_before;
+
+   newack = htonl(ntohl(tcph->ack_seq) - ackoff);
+   inet_proto_csum_replace4(>check, skb, tcph->ack_seq,
+newack, false);
+
+   pr_debug("Adjusting ack number from %u->%u\n",
+ntohl(tcph->ack_seq), ntohl(newack));
+   tcph->ack_seq = newack;
+   }
 
res = nf_ct_sack_adjust(skb, protoff, tcph, ct, ctinfo);
spin_unlock_bh(>lock);
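Review bot: the new `if (likely(tcph->ack))` guard skips the ack adjustment for every segment without the ACK flag, not only the RST case named in the subject and commit message (a bare initial SYN also carries no ACK and a zero ack_seq), so the commit message should state that scope explicitly. Otherwise the hunk is internally consistent: `ackoff` and `newack` are computed, the checksum is patched with inet_proto_csum_replace4() and `tcph->ack_seq` is written only inside the guarded block, so no uninitialised value can reach the header on the non-ACK path.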
-- 
1.9.1




[PATCH 3/3] tests: py: any: Remove duplicate tests

2016-09-05 Thread Manuel Johannes Messner
This commit removes some duplicated tests.

Signed-off-by: Manuel Johannes Messner 

---
 tests/py/any/meta.t |  3 ---
 tests/py/any/meta.t.payload | 12 
 2 files changed, 15 deletions(-)

diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index 852ef82..a1249e8 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -66,8 +66,6 @@ meta mark xor 0x03 == 0x01;ok;mark 0x0002
 meta mark xor 0x03 != 0x01;ok;mark != 0x0002
 
 meta iif "lo" accept;ok;iif "lo" accept
-meta iif "lo" accept;ok;iif "lo" accept
-meta iif != "lo" accept;ok;iif != "lo" accept
 meta iif != "lo" accept;ok;iif != "lo" accept
 
 meta iifname "dummy0";ok;iifname "dummy0"
@@ -92,7 +90,6 @@ meta oif {"lo"} accept;ok
 meta oifname "dummy0";ok;oifname "dummy0"
 meta oifname != "dummy0";ok;oifname != "dummy0"
 meta oifname { "dummy0", "lo"};ok
-- meta iifname != {"dummy0", "lo"};ok
 meta oifname "dummy*";ok;oifname "dummy*"
 meta oifname "dummy\*";ok;oifname "dummy\*"
 
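Review bot: the line removed in this hunk, `- meta iifname != {"dummy0", "lo"};ok`, appears to be a disabled entry (leading `- ` marker) sitting in the oifname block, and nothing else in this hunk duplicates it, unlike the two `meta iif` removals in the first hunk which sit right next to their surviving twins. The commit message ("removes some duplicated tests") should say which iifname line it duplicates, or whether an oifname counterpart was intended instead of deleting it.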
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index 19cc6ac..5fff76e 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -199,18 +199,6 @@ ip test-ip4 input
   [ cmp eq reg 1 0x0001 ]
   [ immediate reg 0 accept ]
 
-# meta iif "lo" accept
-ip test-ip4 input
-  [ meta load iif => reg 1 ]
-  [ cmp eq reg 1 0x0001 ]
-  [ immediate reg 0 accept ]
-
-# meta iif != "lo" accept
-ip test-ip4 input
-  [ meta load iif => reg 1 ]
-  [ cmp neq reg 1 0x0001 ]
-  [ immediate reg 0 accept ]
-
 # meta iif != "lo" accept
 ip test-ip4 input
   [ meta load iif => reg 1 ]
-- 
2.9.3



Re: [PATCH 02/29] netfilter: physdev: add missed blank

2016-09-05 Thread Joe Perches
On Mon, 2016-09-05 at 12:58 +0200, Pablo Neira Ayuso wrote:
[]
> diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
[]
> @@ -107,8 +107,8 @@ static int physdev_mt_check(const struct xt_mtchk_param 
> *par)
>    info->invert & XT_PHYSDEV_OP_BRIDGED) &&
>   par->hook_mask & ((1 << NF_INET_LOCAL_OUT) |
>   (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) {
> - pr_info("using --physdev-out and --physdev-is-out are only"
> - "supported in the FORWARD and POSTROUTING chains with"
> + pr_info("using --physdev-out and --physdev-is-out are only "
> + "supported in the FORWARD and POSTROUTING chains with "
>   "bridged traffic.\n");
>   if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
>   return -EINVAL;

Perhaps it would be reasonable at some point to coalesce
all the string fragments.

Maybe using this could help:

$ git ls-files -- "net/netfilter/*.[ch]" | \
  xargs ./scripts/checkpatch.pl  -f --types=split_string --fix-inplace


Re: [nft PATCH v2 2/4] netlink_delinearize: Avoid potential null pointer deref

2016-09-05 Thread Pablo Neira Ayuso
On Tue, Aug 30, 2016 at 07:39:50PM +0200, Phil Sutter wrote:
> As netlink_get_register() may return NULL, we must not pass the returned
> data unchecked to expr_set_type() as that will dereference it. Since the
> parser has failed at that point anyway, by returning early we can skip
> the useless statement allocation that follows in
> netlink_parse_ct_stmt().

I found a couple more spots, such as the payload stmt that was not
covered by this patch.

Attaching a new one based on this; does it look good to you?

Anyway, this is very unlikely to happen: Only if we ever get more
registers in the kernel, given that expl_clone() relies on the
xzalloc() function that just stops execution under OOM.

Actually this brings up an interesting issue, which is that we need to
provide a way to describe the vm capabilities so we can extend things
in the future without breaking userspace.
commit 098dae9e0cf2237b4cb3cf4c1ee89fbf9f9fb5e9
Author: Phil Sutter 
Date:   Tue Aug 30 19:39:50 2016 +0200

netlink_delinearize: Avoid potential null pointer deref

As netlink_get_register() may return NULL, we must not pass the returned
data unchecked to expr_set_type() as that will dereference it. Since the
parser has failed at that point anyway, by returning early we can skip
the useless statement allocation that follows in
netlink_parse_ct_stmt().

Signed-off-by: Phil Sutter 
Signed-off-by: Pablo Neira Ayuso 

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 1a1cfbd..cddbfa6 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -428,6 +428,10 @@ static void netlink_parse_payload_stmt(struct netlink_parse_ctx *ctx,
 
 	sreg = netlink_parse_register(nle, NFTNL_EXPR_PAYLOAD_SREG);
 	val  = netlink_get_register(ctx, loc, sreg);
+	if (val == NULL)
+		return netlink_error(ctx, loc,
+ "payload statement has no expression");
+
 	stmt = payload_stmt_alloc(loc, expr, val);
 
 	list_add_tail(>list, >rule->stmts);
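Review bot: the error path in this hunk is followed by an extra blank `+` line after `return netlink_error(...)`, while the three hunks below add none; drop it so the four new checks read identically.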
@@ -473,6 +477,9 @@ static void netlink_parse_hash(struct netlink_parse_ctx *ctx,
 
 	sreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_SREG);
 	hexpr = netlink_get_register(ctx, loc, sreg);
+	if (hexpr == NULL)
+		return netlink_error(ctx, loc,
+ "hash statement has no expression");
 
 	seed = nftnl_expr_get_u32(nle, NFTNL_EXPR_HASH_SEED);
 	mod  = nftnl_expr_get_u32(nle, NFTNL_EXPR_HASH_MODULUS);
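Review bot: the message "hash statement has no expression" is misleading: the enclosing function is netlink_parse_hash and the register feeds the expression operand `hexpr`, whereas the other three hunks live in *_stmt parsers. Something like "hash expression has no source expression" would describe what this check actually guards.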
@@ -517,6 +524,9 @@ static void netlink_parse_meta_stmt(struct netlink_parse_ctx *ctx,
 
 	sreg = netlink_parse_register(nle, NFTNL_EXPR_META_SREG);
 	expr = netlink_get_register(ctx, loc, sreg);
+	if (expr == NULL)
+		return netlink_error(ctx, loc,
+ "meta statement has no expression");
 
 	key  = nftnl_expr_get_u32(nle, NFTNL_EXPR_META_KEY);
 	stmt = meta_stmt_alloc(loc, key, expr);
@@ -562,6 +572,9 @@ static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx,
 
 	sreg = netlink_parse_register(nle, NFTNL_EXPR_CT_SREG);
 	expr = netlink_get_register(ctx, loc, sreg);
+	if (expr == NULL)
+		return netlink_error(ctx, loc,
+ "ct statement has no expression");
 
 	key  = nftnl_expr_get_u32(nle, NFTNL_EXPR_CT_KEY);
 	stmt = ct_stmt_alloc(loc, key, expr);


Re: [PATCH iptables v3] xtables-translate-restore: do not escape quotes

2016-09-05 Thread Pablo Neira Ayuso
On Wed, Aug 31, 2016 at 09:59:16AM +0200, Pablo M. Bermudo Garay wrote:
> If quotes are escaped, nft -f is unable to parse and load the translated
> ruleset.

Applied, thanks.

It would be good to set 'cs->restore' in iptables and ip6tables.

Currently this is left unset and not used, which leaves things in
inconsistent state. Please follow up on this.


Re: [PATCH iptables] extensions: libip6t_SNAT/DNAT: add square bracket in xlat output when port is specified

2016-09-05 Thread Pablo Neira Ayuso
On Fri, Sep 02, 2016 at 08:47:05PM +0800, Liping Zhang wrote:
> From: Liping Zhang 
> 
> It is better to add square brackets to the ip6 address in nft translation
> output when the port is specified. This keeps it consistent with the
> nft syntax.
> 
> Before this patch:
>   # ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \
>   [123::4]:1
>   nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to 123::4 :1
>   # ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \
>   [123::4-123::8]:1
>   nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to 
> 123::4-123::8 :1
> 
> Apply this patch:
>   # ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \
>   [123::4]:1
>   nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to [123::4]:1
>   # ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \
>   [123::4-123::8]:1
>   nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to 
> [123::4]-[123::8]:1

Applied, thanks!


Re: [nft PATCH v2 1/4] evaluate: Fix datalen checks in expr_evaluate_string()

2016-09-05 Thread Pablo Neira Ayuso
On Tue, Aug 30, 2016 at 07:39:49PM +0200, Phil Sutter wrote:
> I have been told that the flex scanner won't return empty strings, so
> strlen(data) should always be greater than 0. To avoid a hard-to-debug issue
> though, add an assert() to make sure this is always the case before
> risking an unsigned variable underrun.
> 
> A real issue though is the check for 'datalen - 1 >= 0', which will
> never fail due to datalen being unsigned. Fix this by incrementing both
> sides by one, hence checking 'datalen >= 1'.

Applied, thanks Phil.


Re: [PATCH 1/2] netfilter: correct parsing of continuation lines in SIP headers

2016-09-05 Thread Pablo Neira Ayuso
On Tue, Aug 30, 2016 at 06:48:19PM +0200, Marco Angaroni wrote:
> Current parsing methods for SIP headers do not properly manage
> continuation lines: in case of the Call-ID header, the first character of
> the Call-ID header value is truncated. As a result the IPVS SIP persistence
> engine hashes over a call-id that is not exactly the one present in
> the original message.
> 
> Example: "Call-ID: \r\n abcdeABCDE1234"
> results in extracted call-id equal to "bcdeABCDE1234".
> 
> In the above example Call-ID is represented as a string in C language.
> Obviously in the real message the first bytes after the colon (":") are
> "20 0d 0a 20".
> 
> Proposed fix is in the nf_conntrack_sip module.
> Since the sip_follow_continuation() function walks past the leading
> spaces or tabs of the continuation line, sip_skip_whitespace()
> should simply return the output of sip_follow_continuation().
> Otherwise another iteration of the for loop is done and dptr
> is incremented by one, pointing to the second character of the
> first word in the header.
> 
> Below is an extract of relevant SIP ABNF syntax.
> 
> Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
> callid   =  word [ "@" word ]
> 
> HCOLON  =  *( SP / HTAB ) ":" SWS
> SWS =  [LWS] ; sep whitespace
> LWS =  [*WSP CRLF] 1*WSP ; linear whitespace
> WSP =  SP / HTAB
> word=  1*(alphanum / "-" / "." / "!" / "%" / "*" /
>"_" / "+" / "`" / "'" / "~" /
>"(" / ")" / "<" / ">" /
>":" / "\" / DQUOTE /
>"/" / "[" / "]" / "?" /
>"{" / "}" )
> 
> Signed-off-by: Marco Angaroni 
> ---
>  net/netfilter/nf_conntrack_sip.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_sip.c 
> b/net/netfilter/nf_conntrack_sip.c
> index 8971109..c23249e 100644
> --- a/net/netfilter/nf_conntrack_sip.c
> +++ b/net/netfilter/nf_conntrack_sip.c
> @@ -335,8 +335,7 @@ static const char *sip_skip_whitespace(const char *dptr, 
> const char *limit)
>   if (*dptr != '\r' && *dptr != '\n')
>   break;
>   dptr = sip_follow_continuation(dptr, limit);
> - if (dptr == NULL)
> - return NULL;
> + return dptr;

I'd suggest you use the break statement here instead, ie.

-   if (dptr == NULL)
-   return NULL;
+   break;

>   }
>   return dptr;
>  }
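Review bot: with `return dptr;` replacing the NULL check, sip_skip_whitespace() now hands back whatever sip_follow_continuation() produced, NULL included, so the NULL case is unchanged and only the extra `dptr++` on the non-NULL path goes away, which is exactly the one-character truncation the commit message demonstrates ("bcdeABCDE1234"). The `break` Pablo suggests is equivalent here because the statement after the loop is also `return dptr;` (visible at the end of this hunk) and it keeps a single exit point. Either way, after a fold is followed the loop no longer continues, so a second fold immediately after the first is not skipped; if that is acceptable for the Call-ID case it is worth one sentence in the commit message.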
> -- 
> 1.8.3.1
> 
> --
> To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
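The truncation described in the commit message above, as an added example in C (my own code, not the kernel's nf_conntrack_sip.c and not Marco's or Pablo's). The helpers follow_continuation, skip_whitespace_buggy, skip_whitespace_fixed and extract_call_id and the two sample messages are this example's own constructions, modelled on the kernel functions quoted above. It runs the pre-fix and post-fix loop shapes over a message carrying the folded `Call-ID: \r\n abcdeABCDE1234` header and shows that only the fixed form yields the full call-id, which is what a persistence hash keyed on Call-ID needs.

```c
#include <stdio.h>
#include <string.h>

/* Walk past the CRLF of a folded header line and the 1*WSP that must follow
 * it (the LWS rule quoted above); NULL if the fold is malformed or runs past
 * limit.  Modelled on the kernel's sip_follow_continuation(), not copied. */
static const char *follow_continuation(const char *dptr, const char *limit)
{
	for (; dptr < limit; dptr++)		/* skip CR / LF */
		if (*dptr != '\r' && *dptr != '\n')
			break;
	if (dptr >= limit || (*dptr != ' ' && *dptr != '\t'))
		return NULL;			/* not a continuation line */
	for (; dptr < limit; dptr++)		/* skip the leading WSP */
		if (*dptr != ' ' && *dptr != '\t')
			break;
	return dptr;
}

/* Pre-fix shape: after the fold is followed, control falls through to the
 * loop's dptr++, which eats the first byte of the header value. */
static const char *skip_whitespace_buggy(const char *dptr, const char *limit)
{
	for (; dptr < limit; dptr++) {
		if (*dptr == ' ' || *dptr == '\t')
			continue;
		if (*dptr != '\r' && *dptr != '\n')
			break;
		dptr = follow_continuation(dptr, limit);
		if (dptr == NULL)
			return NULL;
	}
	return dptr;
}

/* Fixed shape: hand back exactly what follow_continuation() produced. */
static const char *skip_whitespace_fixed(const char *dptr, const char *limit)
{
	for (; dptr < limit; dptr++) {
		if (*dptr == ' ' || *dptr == '\t')
			continue;
		if (*dptr != '\r' && *dptr != '\n')
			break;
		return follow_continuation(dptr, limit);
	}
	return dptr;
}

/* Copy the Call-ID value of a NUL-terminated message into out using the
 * given whitespace skipper; returns the value length or -1. */
static int extract_call_id(const char *(*skip)(const char *, const char *),
			   const char *msg, char *out, size_t outlen)
{
	static const char name[] = "Call-ID:";
	const char *limit = msg + strlen(msg);
	const char *p = strstr(msg, name), *end;
	size_t n;

	if (p == NULL)
		return -1;
	p = skip(p + sizeof(name) - 1, limit);
	if (p == NULL)
		return -1;
	for (end = p; end < limit && *end != '\r' && *end != '\n'; end++)
		;				/* a "word" never spans a line */
	n = (size_t)(end - p);
	if (n >= outlen)
		return -1;
	memcpy(out, p, n);
	out[n] = '\0';
	return (int)n;
}

/* Constructed sample messages (not real traffic): one with the folded Call-ID
 * from the commit message, one with an ordinary single-line Call-ID. */
static const char folded_msg[] =
	"INVITE sip:bob@example.invalid SIP/2.0\r\n"
	"Call-ID: \r\n abcdeABCDE1234\r\n"
	"Max-Forwards: 70\r\n\r\n";
static const char plain_msg[] =
	"INVITE sip:bob@example.invalid SIP/2.0\r\n"
	"Call-ID: plainid@example.invalid\r\n\r\n";

/* 1 if the given skipper extracts expected from msg, else 0. */
static int call_id_matches(const char *(*skip)(const char *, const char *),
			   const char *msg, const char *expected)
{
	char buf[64];

	if (extract_call_id(skip, msg, buf, sizeof(buf)) < 0)
		return 0;
	return strcmp(buf, expected) == 0;
}

int main(void)
{
	char buf[64];

	extract_call_id(skip_whitespace_buggy, folded_msg, buf, sizeof(buf));
	printf("buggy: %s\n", buf);	/* bcdeABCDE1234 */
	extract_call_id(skip_whitespace_fixed, folded_msg, buf, sizeof(buf));
	printf("fixed: %s\n", buf);	/* abcdeABCDE1234 */
	return 0;
}
```

On the unfolded message both variants agree, which is why the defect only showed up on traffic using line folding; the constructed folded message reproduces the exact byte sequence "20 0d 0a 20" named in the commit message.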


Re: [PATCH 2/2 nf] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

2016-09-05 Thread Feng Gao
Hi Pablo,

On Mon, Sep 5, 2016 at 11:02 PM,   wrote:
> From: Gao Feng 
>
> It is valid that the TCP RST packet which does not set ack flag, and bytes
> of ack number are zero. For these RST packets, seqadj could not adjust the
> ack number.
>
> Signed-off-by: Gao Feng 
> ---
>  net/netfilter/nf_conntrack_seqadj.c | 34 +++---
>  1 file changed, 19 insertions(+), 15 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_seqadj.c 
> b/net/netfilter/nf_conntrack_seqadj.c
> index 7f8d814..65bb4a6 100644
> --- a/net/netfilter/nf_conntrack_seqadj.c
> +++ b/net/netfilter/nf_conntrack_seqadj.c
> @@ -182,30 +182,34 @@ int nf_ct_seq_adjust(struct sk_buff *skb,
>
> tcph = (void *)skb->data + protoff;
> spin_lock_bh(>lock);
> +
> if (after(ntohl(tcph->seq), this_way->correction_pos))
> seqoff = this_way->offset_after;
> else
> seqoff = this_way->offset_before;
>
> -   if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
> - other_way->correction_pos))
> -   ackoff = other_way->offset_after;
> -   else
> -   ackoff = other_way->offset_before;
> -
> newseq = htonl(ntohl(tcph->seq) + seqoff);
> -   newack = htonl(ntohl(tcph->ack_seq) - ackoff);
> -
> inet_proto_csum_replace4(>check, skb, tcph->seq, newseq, false);
> -   inet_proto_csum_replace4(>check, skb, tcph->ack_seq, newack,
> -false);
> -
> -   pr_debug("Adjusting sequence number from %u->%u, ack from %u->%u\n",
> -ntohl(tcph->seq), ntohl(newseq), ntohl(tcph->ack_seq),
> -ntohl(newack));
>
> +   pr_debug("Adjusting sequence number from %u->%u\n",
> +ntohl(tcph->seq), ntohl(newseq));
> tcph->seq = newseq;
> -   tcph->ack_seq = newack;
> +
> +   if (likely(tcph->ack)) {
> +   if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
> + other_way->correction_pos))
> +   ackoff = other_way->offset_after;
> +   else
> +   ackoff = other_way->offset_before;
> +
> +   newack = htonl(ntohl(tcph->ack_seq) - ackoff);
> +   inet_proto_csum_replace4(>check, skb, tcph->ack_seq,
> +newack, false);
> +
> +   pr_debug("Adjusting ack number from %u->%u\n",
> +ntohl(tcph->ack_seq), ntohl(newack));
> +   tcph->ack_seq = newack;
> +   }
>
> res = nf_ct_sack_adjust(skb, protoff, tcph, ct, ctinfo);
> spin_unlock_bh(>lock);
> --
> 1.9.1
>
>

This patch is generated based on the patch "netfilter: seqadj:
Fix one possible panic in seqadj when mem is exhausted" whose link is
http://patchwork.ozlabs.org/patch/665116/.

So its subject contains "2/2".

Best Regards
Feng





[PATCH 2/2 nf] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

2016-09-05 Thread fgao
From: Gao Feng 

It is valid that the TCP RST packet which does not set ack flag, and bytes
of ack number are zero. For these RST packets, seqadj could not adjust the
ack number.

Signed-off-by: Gao Feng 
---
 net/netfilter/nf_conntrack_seqadj.c | 34 +++---
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/net/netfilter/nf_conntrack_seqadj.c 
b/net/netfilter/nf_conntrack_seqadj.c
index 7f8d814..65bb4a6 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -182,30 +182,34 @@ int nf_ct_seq_adjust(struct sk_buff *skb,
 
tcph = (void *)skb->data + protoff;
spin_lock_bh(>lock);
+
if (after(ntohl(tcph->seq), this_way->correction_pos))
seqoff = this_way->offset_after;
else
seqoff = this_way->offset_before;
 
-   if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
- other_way->correction_pos))
-   ackoff = other_way->offset_after;
-   else
-   ackoff = other_way->offset_before;
-
newseq = htonl(ntohl(tcph->seq) + seqoff);
-   newack = htonl(ntohl(tcph->ack_seq) - ackoff);
-
inet_proto_csum_replace4(>check, skb, tcph->seq, newseq, false);
-   inet_proto_csum_replace4(>check, skb, tcph->ack_seq, newack,
-false);
-
-   pr_debug("Adjusting sequence number from %u->%u, ack from %u->%u\n",
-ntohl(tcph->seq), ntohl(newseq), ntohl(tcph->ack_seq),
-ntohl(newack));
 
+   pr_debug("Adjusting sequence number from %u->%u\n",
+ntohl(tcph->seq), ntohl(newseq));
tcph->seq = newseq;
-   tcph->ack_seq = newack;
+
+   if (likely(tcph->ack)) {
+   if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
+ other_way->correction_pos))
+   ackoff = other_way->offset_after;
+   else
+   ackoff = other_way->offset_before;
+
+   newack = htonl(ntohl(tcph->ack_seq) - ackoff);
+   inet_proto_csum_replace4(>check, skb, tcph->ack_seq,
+newack, false);
+
+   pr_debug("Adjusting ack number from %u->%u\n",
+ntohl(tcph->ack_seq), ntohl(newack));
+   tcph->ack_seq = newack;
+   }
 
res = nf_ct_sack_adjust(skb, protoff, tcph, ct, ctinfo);
spin_unlock_bh(>lock);
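Review bot: this hunk is the same change as the "[PATCH nf]" v2 posting in this thread (only the base differs: index 7f8d814..65bb4a6 here versus dff0f0c..3bd9c7e there), so the commit message should name the patch it is built on top of (the reply identifies it as "netfilter: seqadj: Fix one possible panic in seqadj when mem is exhausted"), and a version marker in the subject would spare the maintainer from picking up the wrong copy. The code point stands as well: the `if (likely(tcph->ack))` guard covers every segment without the ACK flag, a bare SYN included, not only the RST the subject names.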
-- 
1.9.1




Re: [conntrack-tools PATCH 1/4] src/main: refresh help message

2016-09-05 Thread Pablo Neira Ayuso
On Tue, Aug 30, 2016 at 02:20:35PM +0200, Arturo Borrero Gonzalez wrote:
> It seems there are two kinds of options:
>  * general commands (-d, -v, -h, -C)
>  * client commands (which require another conntrackd instance)
> 
> Refresh the help message to better reflect this.

Applied, thanks.


[PATCH 04/29] netfilter: use_nf_conn_expires helper in more places

2016-09-05 Thread Pablo Neira Ayuso
From: Florian Westphal 

... so we don't need to touch all of these places when we get rid of the
timer in nf_conn.

Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 3 +--
 net/netfilter/nf_conntrack_netlink.c  | 5 +
 net/netfilter/nf_conntrack_standalone.c   | 3 +--
 net/netfilter/xt_conntrack.c  | 4 +---
 4 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c 
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 6392371..67bfc69 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -163,8 +163,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
ret = -ENOSPC;
seq_printf(s, "%-8s %u %ld ",
   l4proto->name, nf_ct_protonum(ct),
-  timer_pending(>timeout)
-  ? (long)(ct->timeout.expires - jiffies)/HZ : 0);
+  nf_ct_expires(ct) / HZ);
 
if (l4proto->print_conntrack)
l4proto->print_conntrack(s, ct);
diff --git a/net/netfilter/nf_conntrack_netlink.c 
b/net/netfilter/nf_conntrack_netlink.c
index 050bb34..68800c1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -149,10 +149,7 @@ nla_put_failure:
 
 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn 
*ct)
 {
-   long timeout = ((long)ct->timeout.expires - (long)jiffies) / HZ;
-
-   if (timeout < 0)
-   timeout = 0;
+   long timeout = nf_ct_expires(ct) / HZ;
 
if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
goto nla_put_failure;
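Review bot: this hunk drops the explicit `if (timeout < 0) timeout = 0;` clamp and relies on nf_ct_expires() never yielding a negative or wrapped value. The helper's definition is not part of this patch, so the commit message should state that it returns 0 once the timeout has passed (the guarantee the `timer_pending()` checks removed in the other three hunks used to provide); otherwise ctnetlink could report a huge CTA_TIMEOUT for an already expired entry.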
diff --git a/net/netfilter/nf_conntrack_standalone.c 
b/net/netfilter/nf_conntrack_standalone.c
index 958a145..4e7becd 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -224,8 +224,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
seq_printf(s, "%-8s %u %-8s %u %ld ",
   l3proto->name, nf_ct_l3num(ct),
   l4proto->name, nf_ct_protonum(ct),
-  timer_pending(>timeout)
-  ? (long)(ct->timeout.expires - jiffies)/HZ : 0);
+  nf_ct_expires(ct)  / HZ);
 
if (l4proto->print_conntrack)
l4proto->print_conntrack(s, ct);
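Review bot: `nf_ct_expires(ct)  / HZ);` carries a double space before the slash; match the single-space form used in the l3proto_ipv4_compat hunk above.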
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 188404b9..a3b8f69 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -233,10 +233,8 @@ conntrack_mt(const struct sk_buff *skb, struct 
xt_action_param *par,
return false;
 
if (info->match_flags & XT_CONNTRACK_EXPIRES) {
-   unsigned long expires = 0;
+   unsigned long expires = nf_ct_expires(ct) / HZ;
 
-   if (timer_pending(>timeout))
-   expires = (ct->timeout.expires - jiffies) / HZ;
if ((expires >= info->expires_min &&
expires <= info->expires_max) ^
!(info->invert_flags & XT_CONNTRACK_EXPIRES))
-- 
2.1.4



[PATCH 13/29] netfilter: fix spelling mistake: "delimitter" -> "delimiter"

2016-09-05 Thread Pablo Neira Ayuso
From: Colin Ian King 

trivial fix to spelling mistake in pr_debug message

Signed-off-by: Colin Ian King 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/nf_conntrack_ftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 4314700..b6934b5 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -237,7 +237,7 @@ static int try_eprt(const char *data, size_t dlen, struct 
nf_conntrack_man *cmd,
}
delim = data[0];
if (isdigit(delim) || delim < 33 || delim > 126 || data[2] != delim) {
-   pr_debug("try_eprt: invalid delimitter.\n");
+   pr_debug("try_eprt: invalid delimiter.\n");
return 0;
}
 
-- 
2.1.4



[PATCH 17/29] netfilter: nf_tables: reject hook configuration updates on existing chains

2016-09-05 Thread Pablo Neira Ayuso
Currently, if you add a base chain whose name clashes with an existing
non-base chain, nf_tables doesn't complain about this. Similarly, it
doesn't complain if you update the chain type, the hook number or the
priority.

With this patch, nf_tables bails out in case any of these unsupported
operations occurs, by returning EBUSY.

 # nft add table x
 # nft add chain x y
 # nft add chain x y { type nat hook input priority 0\; }
 :1:1-49: Error: Could not process rule: Device or resource busy
 add chain x y { type nat hook input priority 0; }
 ^

Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/nf_tables_api.c | 31 +++
 1 file changed, 31 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 463fcad..221d27f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1348,6 +1348,37 @@ static int nf_tables_newchain(struct net *net, struct 
sock *nlsk,
if (nlh->nlmsg_flags & NLM_F_REPLACE)
return -EOPNOTSUPP;
 
+   if (nla[NFTA_CHAIN_HOOK]) {
+   struct nft_base_chain *basechain;
+   struct nft_chain_hook hook;
+   struct nf_hook_ops *ops;
+
+   if (!(chain->flags & NFT_BASE_CHAIN))
+   return -EBUSY;
+
+   err = nft_chain_parse_hook(net, nla, afi, ,
+  create);
+   if (err < 0)
+   return err;
+
+   basechain = nft_base_chain(chain);
+   if (basechain->type != hook.type) {
+   nft_chain_release_hook();
+   return -EBUSY;
+   }
+
+   for (i = 0; i < afi->nops; i++) {
+   ops = >ops[i];
+   if (ops->hooknum != hook.num ||
+   ops->priority != hook.priority ||
+   ops->dev != hook.dev) {
+   nft_chain_release_hook();
+   return -EBUSY;
+   }
+   }
+   nft_chain_release_hook();
+   }
+
if (nla[NFTA_CHAIN_HANDLE] && name) {
struct nft_chain *chain2;
 
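Review bot: the loop index `i` in `for (i = 0; i < afi->nops; i++)` is not declared in the added block, so it must already exist in nf_tables_newchain()'s scope; worth confirming nothing later in the function expects its previous value. On the error value, the block returns -EBUSY both when a hook is supplied for an existing non-base chain and when type, hooknum, priority or dev differ on an existing base chain, and the commit message's example shows the user only sees "Device or resource busy"; either state in the commit message that these cases are intentionally indistinguishable, or return -EOPNOTSUPP for the type/hook mismatch so they can be told apart.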
-- 
2.1.4



[PATCH 02/29] netfilter: physdev: add missed blank

2016-09-05 Thread Pablo Neira Ayuso
From: Hangbin Liu 

Signed-off-by: Hangbin Liu 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/xt_physdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index e5f1898..bb33598 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -107,8 +107,8 @@ static int physdev_mt_check(const struct xt_mtchk_param 
*par)
 info->invert & XT_PHYSDEV_OP_BRIDGED) &&
par->hook_mask & ((1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) {
-   pr_info("using --physdev-out and --physdev-is-out are only"
-   "supported in the FORWARD and POSTROUTING chains with"
+   pr_info("using --physdev-out and --physdev-is-out are only "
+   "supported in the FORWARD and POSTROUTING chains with "
"bridged traffic.\n");
if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
return -EINVAL;
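Review bot: the original bug is the classic one of splitting a user-visible string across adjacent literals without a trailing space, which produced "onlysupported" and "withbridged"; checkpatch warns about quoted strings split across lines for exactly this reason, so consider keeping the message in a single literal even if it exceeds 80 columns, which also makes it greppable.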
-- 
2.1.4



[PATCH 12/29] netfilter: nf_tables: add number generator expression

2016-09-05 Thread Pablo Neira Ayuso
From: Laura Garcia Liebana 

This patch adds the numgen expression that allows us to generate
incremental and random numbers; this generator is bound to an upper limit
that is specified by userspace.

This expression is useful to distribute packets in a round-robin fashion
as well as randomly.

Signed-off-by: Laura Garcia Liebana 
Signed-off-by: Pablo Neira Ayuso 
---
 include/uapi/linux/netfilter/nf_tables.h |  24 
 net/netfilter/Kconfig|   6 +
 net/netfilter/Makefile   |   1 +
 net/netfilter/nft_numgen.c   | 192 +++
 4 files changed, 223 insertions(+)
 create mode 100644 net/netfilter/nft_numgen.c

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 784fbf1..8c9d6ff 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1121,4 +1121,28 @@ enum nft_trace_types {
__NFT_TRACETYPE_MAX
 };
 #define NFT_TRACETYPE_MAX (__NFT_TRACETYPE_MAX - 1)
+
+/**
+ * enum nft_ng_attributes - nf_tables number generator expression netlink 
attributes
+ *
+ * @NFTA_NG_DREG: destination register (NLA_U32)
+ * @NFTA_NG_UNTIL: source value to increment the counter until reset (NLA_U32)
+ * @NFTA_NG_TYPE: operation type (NLA_U32)
+ */
+enum nft_ng_attributes {
+   NFTA_NG_UNSPEC,
+   NFTA_NG_DREG,
+   NFTA_NG_UNTIL,
+   NFTA_NG_TYPE,
+   __NFTA_NG_MAX
+};
+#define NFTA_NG_MAX(__NFTA_NG_MAX - 1)
+
+enum nft_ng_types {
+   NFT_NG_INCREMENTAL,
+   NFT_NG_RANDOM,
+   __NFT_NG_MAX
+};
+#define NFT_NG_MAX (__NFT_NG_MAX - 1)
+
 #endif /* _LINUX_NF_TABLES_H */
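Review bot: `enum nft_ng_types` is the only new enum here without a kernel-doc block; add one describing NFT_NG_INCREMENTAL and NFT_NG_RANDOM in the same style as `enum nft_ng_attributes` above. The @NFTA_NG_UNTIL description should also state that the limit is exclusive, since nft_ng_inc_eval() wraps the counter back to 0 once `oval + 1` reaches `until`, so the generated values are 0 .. until - 1.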
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 29a8078..e8d56d9 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -474,6 +474,12 @@ config NFT_META
  This option adds the "meta" expression that you can use to match and
  to set packet metainformation such as the packet mark.
 
+config NFT_NUMGEN
+   tristate "Netfilter nf_tables number generator module"
+   help
+ This option adds the number generator expression used to perform
+ incremental counting and random numbers bound to a upper limit.
+
 config NFT_CT
depends on NF_CONNTRACK
tristate "Netfilter nf_tables conntrack module"
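Review bot: typo in the new help text, `a upper limit` should read `an upper limit`.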
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 0fc42df..0c858110 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -80,6 +80,7 @@ obj-$(CONFIG_NF_TABLES_NETDEV)+= nf_tables_netdev.o
 obj-$(CONFIG_NFT_COMPAT)   += nft_compat.o
 obj-$(CONFIG_NFT_EXTHDR)   += nft_exthdr.o
 obj-$(CONFIG_NFT_META) += nft_meta.o
+obj-$(CONFIG_NFT_NUMGEN)   += nft_numgen.o
 obj-$(CONFIG_NFT_CT)   += nft_ct.o
 obj-$(CONFIG_NFT_LIMIT)+= nft_limit.o
 obj-$(CONFIG_NFT_NAT)  += nft_nat.o
diff --git a/net/netfilter/nft_numgen.c b/net/netfilter/nft_numgen.c
new file mode 100644
index 000..176e26d
--- /dev/null
+++ b/net/netfilter/nft_numgen.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 2016 Laura Garcia 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static DEFINE_PER_CPU(struct rnd_state, nft_numgen_prandom_state);
+
+struct nft_ng_inc {
+   enum nft_registers  dreg:8;
+   u32 until;
+   atomic_tcounter;
+};
+
+static void nft_ng_inc_eval(const struct nft_expr *expr,
+   struct nft_regs *regs,
+   const struct nft_pktinfo *pkt)
+{
+   struct nft_ng_inc *priv = nft_expr_priv(expr);
+   u32 nval, oval;
+
+   do {
+   oval = atomic_read(>counter);
+   nval = (oval + 1 < priv->until) ? oval + 1 : 0;
+   } while (atomic_cmpxchg(>counter, oval, nval) != oval);
+
+   memcpy(>data[priv->dreg], >counter, sizeof(u32));
+}
+
+static const struct nla_policy nft_ng_policy[NFTA_NG_MAX + 1] = {
+   [NFTA_NG_DREG]  = { .type = NLA_U32 },
+   [NFTA_NG_UNTIL] = { .type = NLA_U32 },
+   [NFTA_NG_TYPE]  = { .type = NLA_U32 },
+};
+
+static int nft_ng_inc_init(const struct nft_ctx *ctx,
+  const struct nft_expr *expr,
+  const struct nlattr * const tb[])
+{
+   struct nft_ng_inc *priv = nft_expr_priv(expr);
+
+   priv->until = ntohl(nla_get_be32(tb[NFTA_NG_UNTIL]));
+   if (priv->until == 0)
+   return -ERANGE;
+
+   priv->dreg = nft_parse_register(tb[NFTA_NG_DREG]);
+   atomic_set(>counter, 0);
+
+   return nft_validate_register_store(ctx, priv->dreg, NULL,
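Review bot: nft_ng_inc_eval() computes `nval` in the cmpxchg loop but then copies `priv->counter` into the register, re-reading the counter after the update; another CPU can have advanced it in between, so two packets can receive the same value or one value can be skipped. Store the value this CPU installed instead: `regs->data[priv->dreg] = nval;`. In nft_ng_inc_init(), `tb[NFTA_NG_UNTIL]` and `tb[NFTA_NG_DREG]` are dereferenced without a presence check, so a netlink message omitting either attribute dereferences a NULL nlattr; add `if (!tb[NFTA_NG_DREG] || !tb[NFTA_NG_UNTIL]) return -EINVAL;` first, as nft_hash_init() in the hash expression patch of this series does for its attributes.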

[PATCH 23/29] netfilter: conntrack: get rid of conntrack timer

2016-09-05 Thread Pablo Neira Ayuso
From: Florian Westphal 

With stats enabled this eats 80 bytes on x86_64 per nf_conn entry, as
Eric Dumazet pointed out during netfilter workshop 2016.

Eric also says: "Another reason was the fact that Thomas was about to
change max timer range [..]" (500462a9de657f8, 'timers: Switch to
a non-cascading wheel').

Remove the timer and use a 32bit jiffies value containing timestamp until
entry is valid.

During conntrack lookup, even before doing tuple comparison, check
the timeout value and evict the entry in case it is too old.

The dying bit is used as a synchronization point to avoid races where
multiple cpus try to evict the same entry.

Because lookup is always lockless, we need to bump the refcnt once
when we evict, else we could try to evict an already-dead entry that
is being recycled.

This is the standard/expected way when conntrack entries are destroyed.

Followup patches will introduce garbage collection via work queue
and further places where we can reap obsoleted entries (e.g. during
netlink dumps); this is needed to keep expired conntracks from hanging
around for too long when lookup rate is low after a busy period.

Signed-off-by: Florian Westphal 
Acked-by: Eric Dumazet 
Signed-off-by: Pablo Neira Ayuso 
---
 include/net/netfilter/nf_conntrack.h | 23 +++--
 net/netfilter/nf_conntrack_core.c| 91 
 net/netfilter/nf_conntrack_netlink.c | 14 ++
 net/netfilter/nf_conntrack_pptp.c|  3 +-
 net/netfilter/nf_nat_core.c  |  6 ---
 5 files changed, 74 insertions(+), 63 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h 
b/include/net/netfilter/nf_conntrack.h
index 2a12748..7277751 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -42,7 +42,6 @@ union nf_conntrack_expect_proto {
 
 #include 
 #include 
-#include 
 
 #ifdef CONFIG_NETFILTER_DEBUG
 #define NF_CT_ASSERT(x)WARN_ON(!(x))
@@ -73,7 +72,7 @@ struct nf_conn_help {
 #include 
 
 struct nf_conn {
-   /* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
+   /* Usage count in here is 1 for hash table, 1 per skb,
 * plus 1 for any connection(s) we are `master' for
 *
 * Hint, SKB address this struct and refcnt via skb->nfct and
@@ -96,8 +95,8 @@ struct nf_conn {
/* Have we seen traffic both ways yet? (bitset) */
unsigned long status;
 
-   /* Timer function; drops refcnt when it goes off. */
-   struct timer_list timeout;
+   /* jiffies32 when this ct is considered dead */
+   u32 timeout;
 
possible_net_t ct_net;
 
@@ -291,14 +290,28 @@ static inline bool nf_is_loopback_packet(const struct 
sk_buff *skb)
return skb->dev && skb->skb_iif && skb->dev->flags & IFF_LOOPBACK;
 }
 
+#define nfct_time_stamp ((u32)(jiffies))
+
 /* jiffies until ct expires, 0 if already expired */
 static inline unsigned long nf_ct_expires(const struct nf_conn *ct)
 {
-   long timeout = (long)ct->timeout.expires - (long)jiffies;
+   s32 timeout = ct->timeout - nfct_time_stamp;
 
return timeout > 0 ? timeout : 0;
 }
 
+static inline bool nf_ct_is_expired(const struct nf_conn *ct)
+{
+   return (__s32)(ct->timeout - nfct_time_stamp) <= 0;
+}
+
+/* use after obtaining a reference count */
+static inline bool nf_ct_should_gc(const struct nf_conn *ct)
+{
+   return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) &&
+  !nf_ct_is_dying(ct);
+}
+
 struct kernel_param;
 
 int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
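Review bot: `nf_ct_expires()` casts with `s32` while `nf_ct_is_expired()` uses `__s32`; pick one spelling. The signed-difference test is only correct while every timeout is below 2^31 jiffies (about 248 days at HZ=100, about 24 days at HZ=1000); a larger value is read as already expired, so the places that set `ct->timeout` should clamp, and a one-line comment next to `nfct_time_stamp` documenting that limit would save the next reader the derivation.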
diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
index 887926a..87ee6da 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -371,7 +371,6 @@ destroy_conntrack(struct nf_conntrack *nfct)
 
pr_debug("destroy_conntrack(%p)\n", ct);
NF_CT_ASSERT(atomic_read(>use) == 0);
-   NF_CT_ASSERT(!timer_pending(>timeout));
 
if (unlikely(nf_ct_is_template(ct))) {
nf_ct_tmpl_free(ct);
@@ -434,35 +433,30 @@ bool nf_ct_delete(struct nf_conn *ct, u32 portid, int 
report)
 {
struct nf_conn_tstamp *tstamp;
 
+   if (test_and_set_bit(IPS_DYING_BIT, >status))
+   return false;
+
tstamp = nf_conn_tstamp_find(ct);
if (tstamp && tstamp->stop == 0)
tstamp->stop = ktime_get_real_ns();
 
-   if (nf_ct_is_dying(ct))
-   goto delete;
-
if (nf_conntrack_event_report(IPCT_DESTROY, ct,
portid, report) < 0) {
-   /* destroy event was not delivered */
+   /* destroy event was not delivered. nf_ct_put will
+* be done by event cache worker on redelivery.
+*/
nf_ct_delete_from_lists(ct);
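The 32-bit timestamp scheme this message describes, as an added stand-alone C example (not code from the patch): `ct_timeout` stands in for `ct->timeout`, `now` for `nfct_time_stamp`, and the CT_* bits and the claim helper are userspace stand-ins (assumed names) for the IPS_* status bits and test_and_set_bit(), so the wrap-around and the 2^31 limit can be exercised without a kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins (assumed names) for nfct_time_stamp and ct->timeout:
 * both are 32-bit jiffies values that wrap modulo 2^32. */
typedef uint32_t jiffies32;

/* jiffies until the entry expires, 0 if already expired (nf_ct_expires). */
static uint32_t ct_expires(jiffies32 ct_timeout, jiffies32 now)
{
	/* unsigned subtraction wraps cleanly; the signed view gives the sign */
	int32_t remaining = (int32_t)(ct_timeout - now);
	return remaining > 0 ? (uint32_t)remaining : 0;
}

/* True once the deadline is reached or passed (nf_ct_is_expired). */
static bool ct_is_expired(jiffies32 ct_timeout, jiffies32 now)
{
	return (int32_t)(ct_timeout - now) <= 0;
}

/* Status bits mirroring IPS_CONFIRMED_BIT / IPS_DYING_BIT (values assumed). */
enum { CT_CONFIRMED = 1u << 0, CT_DYING = 1u << 1 };

/* Only confirmed, expired, not-yet-dying entries are GC candidates
 * (nf_ct_should_gc); the caller must already hold a reference. */
static bool ct_should_gc(jiffies32 ct_timeout, jiffies32 now, unsigned status)
{
	return ct_is_expired(ct_timeout, now) &&
	       (status & CT_CONFIRMED) && !(status & CT_DYING);
}

/* Emulates test_and_set_bit(IPS_DYING_BIT): the single CPU that flips the
 * bit wins the race and is the only one allowed to evict the entry. */
static bool ct_claim_for_eviction(unsigned *status)
{
	if (*status & CT_DYING)
		return false;
	*status |= CT_DYING;
	return true;
}

/* Largest timeout the signed comparison can represent: 2^31 - 1 jiffies.
 * Anything longer is misread as already expired, so setters must clamp. */
static bool ct_timeout_representable(uint32_t timeout_jiffies)
{
	return timeout_jiffies < 0x80000000u;
}

int main(void)
{
	jiffies32 now = 0xFFFFFFF0u;      /* 16 ticks before the 32-bit wrap */
	jiffies32 deadline = now + 100;   /* wraps to 0x54, still "in the future" */

	printf("deadline=0x%08x expires_in=%u expired=%d\n",
	       deadline, ct_expires(deadline, now), ct_is_expired(deadline, now));
	now += 100;
	printf("at deadline: expired=%d\n", ct_is_expired(deadline, now));
	return 0;
}
```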

[PATCH 20/29] netfilter: nf_tables: Use nla_put_be32() to dump immediate parameters

2016-09-05 Thread Pablo Neira Ayuso
nft_dump_register() should only be used with registers, not with
immediates.

Fixes: cb1b69b0b15b ("netfilter: nf_tables: add hash expression")
Fixes: 91dbc6be0a62 ("netfilter: nf_tables: add number generator expression")
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/nft_hash.c   | 6 +++---
 net/netfilter/nft_numgen.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index e090aee..764251d 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -88,11 +88,11 @@ static int nft_hash_dump(struct sk_buff *skb,
goto nla_put_failure;
if (nft_dump_register(skb, NFTA_HASH_DREG, priv->dreg))
goto nla_put_failure;
-   if (nft_dump_register(skb, NFTA_HASH_LEN, priv->len))
+   if (nla_put_be32(skb, NFTA_HASH_LEN, htonl(priv->len)))
goto nla_put_failure;
-   if (nft_dump_register(skb, NFTA_HASH_MODULUS, priv->modulus))
+   if (nla_put_be32(skb, NFTA_HASH_MODULUS, htonl(priv->modulus)))
goto nla_put_failure;
-   if (nft_dump_register(skb, NFTA_HASH_SEED, priv->seed))
+   if (nla_put_be32(skb, NFTA_HASH_SEED, htonl(priv->seed)))
goto nla_put_failure;
 
return 0;
diff --git a/net/netfilter/nft_numgen.c b/net/netfilter/nft_numgen.c
index 176e26d..294745e 100644
--- a/net/netfilter/nft_numgen.c
+++ b/net/netfilter/nft_numgen.c
@@ -68,9 +68,9 @@ static int nft_ng_dump(struct sk_buff *skb, enum 
nft_registers dreg,
 {
if (nft_dump_register(skb, NFTA_NG_DREG, dreg))
goto nla_put_failure;
-   if (nft_dump_register(skb, NFTA_NG_UNTIL, until))
+   if (nla_put_be32(skb, NFTA_NG_UNTIL, htonl(until)))
goto nla_put_failure;
-   if (nft_dump_register(skb, NFTA_NG_TYPE, type))
+   if (nla_put_be32(skb, NFTA_NG_TYPE, htonl(type)))
goto nla_put_failure;
 
return 0;
-- 
2.1.4



[PATCH 15/29] netfilter: nf_tables: typo in trace attribute definition

2016-09-05 Thread Pablo Neira Ayuso
From: Pablo Neira 

Should be attributes, instead of attibutes, for consistency with other
definitions.

Signed-off-by: Pablo Neira Ayuso 
---
 include/uapi/linux/netfilter/nf_tables.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 8c9d6ff..8a63f22 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1090,7 +1090,7 @@ enum nft_gen_attributes {
  * @NFTA_TRACE_NFPROTO: nf protocol processed (NLA_U32)
  * @NFTA_TRACE_POLICY: policy that decided fate of packet (NLA_U32)
  */
-enum nft_trace_attibutes {
+enum nft_trace_attributes {
NFTA_TRACE_UNSPEC,
NFTA_TRACE_TABLE,
NFTA_TRACE_CHAIN,
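Review bot: the hunk touches a UAPI header, so renaming the enum tag is binary-compatible (only the NFTA_TRACE_* constants matter to the wire format) but is a source-compatibility change for any userspace that spelled `enum nft_trace_attibutes`; the commit message should say whether the misspelled tag ever shipped in a release, or note that no known user refers to the tag itself.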
-- 
2.1.4



[PATCH 03/29] netfilter: nf_dup4: remove redundant checksum recalculation

2016-09-05 Thread Pablo Neira Ayuso
From: Liping Zhang 

IP header checksum will be recalculated at ip_local_out, so
there's no need to calculate it here, remove it. Also update
code comments to illustrate it, and delete the misleading
comments about checksum recalculation.

Signed-off-by: Liping Zhang 
Signed-off-by: Pablo Neira Ayuso 
---
 net/ipv4/netfilter/nf_dup_ipv4.c | 10 --
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c
index ceb1873..cf986e1 100644
--- a/net/ipv4/netfilter/nf_dup_ipv4.c
+++ b/net/ipv4/netfilter/nf_dup_ipv4.c
@@ -74,21 +74,19 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, 
unsigned int hooknum,
nf_conntrack_get(skb->nfct);
 #endif
/*
-* If we are in PREROUTING/INPUT, the checksum must be recalculated
-* since the length could have changed as a result of defragmentation.
-*
-* We also decrease the TTL to mitigate potential loops between two
-* hosts.
+* If we are in PREROUTING/INPUT, decrease the TTL to mitigate potential
+* loops between two hosts.
 *
 * Set %IP_DF so that the original source is notified of a potentially
 * decreased MTU on the clone route. IPv6 does this too.
+*
+* IP header checksum will be recalculated at ip_local_out.
 */
iph = ip_hdr(skb);
iph->frag_off |= htons(IP_DF);
if (hooknum == NF_INET_PRE_ROUTING ||
hooknum == NF_INET_LOCAL_IN)
--iph->ttl;
-   ip_send_check(iph);
 
if (nf_dup_ipv4_route(net, skb, gw, oif)) {
__this_cpu_write(nf_skb_duplicated, true);
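Review bot: dropping ip_send_check() is correct only if every path out of nf_dup_ipv4_route() ends in ip_local_out(), which is what recomputes the IP checksum after `frag_off` and `ttl` are modified here; the commit message asserts this, and a pointer to where nf_dup_ipv4_route() reaches ip_local_out() would make the claim checkable by the next reader. Unrelated but visible in the context: `--iph->ttl` has no guard for `ttl == 0`, and since ttl is a u8 it would wrap to 255; worth a follow-up.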
-- 
2.1.4



[PATCH 07/29] netfilter: nf_tables: add hash expression

2016-09-05 Thread Pablo Neira Ayuso
From: Laura Garcia Liebana 

This patch adds a new hash expression; this provides jhash support but
it can be extended to support other hash functions. The modulus
and seed already come embedded into this new expression.

Use case example:

... meta mark set hash ip saddr mod 10

Signed-off-by: Laura Garcia Liebana 
Signed-off-by: Pablo Neira Ayuso 
---
 include/uapi/linux/netfilter/nf_tables.h |  20 +
 net/netfilter/Kconfig|   6 ++
 net/netfilter/Makefile   |   1 +
 net/netfilter/nft_hash.c | 136 +++
 4 files changed, 163 insertions(+)
 create mode 100644 net/netfilter/nft_hash.c

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 01751fa..6ce0a6d 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -724,6 +724,26 @@ enum nft_meta_keys {
 };
 
 /**
+ * enum nft_hash_attributes - nf_tables hash expression netlink attributes
+ *
+ * @NFTA_HASH_SREG: source register (NLA_U32)
+ * @NFTA_HASH_DREG: destination register (NLA_U32)
+ * @NFTA_HASH_LEN: source data length (NLA_U32)
+ * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
+ * @NFTA_HASH_SEED: seed value (NLA_U32)
+ */
+enum nft_hash_attributes {
+   NFTA_HASH_UNSPEC,
+   NFTA_HASH_SREG,
+   NFTA_HASH_DREG,
+   NFTA_HASH_LEN,
+   NFTA_HASH_MODULUS,
+   NFTA_HASH_SEED,
+   __NFTA_HASH_MAX,
+};
+#define NFTA_HASH_MAX  (__NFTA_HASH_MAX - 1)
+
+/**
  * enum nft_meta_attributes - nf_tables meta expression netlink attributes
  *
  * @NFTA_META_DREG: destination register (NLA_U32)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index e5740e1..9cfaa00 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -563,6 +563,12 @@ config NFT_COMPAT
  x_tables match/target extensions over the nf_tables
  framework.
 
+config NFT_HASH
+   tristate "Netfilter nf_tables hash module"
+   help
+ This option adds the "hash" expression that you can use to perform
+ a hash operation on registers.
+
 if NF_TABLES_NETDEV
 
 config NF_DUP_NETDEV
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 101fb85..1106ccd 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -92,6 +92,7 @@ obj-$(CONFIG_NFT_COUNTER) += nft_counter.o
 obj-$(CONFIG_NFT_LOG)  += nft_log.o
 obj-$(CONFIG_NFT_MASQ) += nft_masq.o
 obj-$(CONFIG_NFT_REDIR)+= nft_redir.o
+obj-$(CONFIG_NFT_HASH) += nft_hash.o
 
 # nf_tables netdev
 obj-$(CONFIG_NFT_DUP_NETDEV)   += nft_dup_netdev.o
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
new file mode 100644
index 000..b82ff29
--- /dev/null
+++ b/net/netfilter/nft_hash.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2016 Laura Garcia 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct nft_hash {
+   enum nft_registers  sreg:8;
+   enum nft_registers  dreg:8;
+   u8  len;
+   u32 modulus;
+   u32 seed;
+};
+
+static void nft_hash_eval(const struct nft_expr *expr,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+{
+   struct nft_hash *priv = nft_expr_priv(expr);
+   const void *data = >data[priv->sreg];
+
+   regs->data[priv->dreg] =
+   reciprocal_scale(jhash(data, priv->len, priv->seed),
+priv->modulus);
+}
+
+const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
+   [NFTA_HASH_SREG]= { .type = NLA_U32 },
+   [NFTA_HASH_DREG]= { .type = NLA_U32 },
+   [NFTA_HASH_LEN] = { .type = NLA_U32 },
+   [NFTA_HASH_MODULUS] = { .type = NLA_U32 },
+   [NFTA_HASH_SEED]= { .type = NLA_U32 },
+};
+
+static int nft_hash_init(const struct nft_ctx *ctx,
+const struct nft_expr *expr,
+const struct nlattr * const tb[])
+{
+   struct nft_hash *priv = nft_expr_priv(expr);
+   u32 len;
+
+   if (!tb[NFTA_HASH_SREG] ||
+   !tb[NFTA_HASH_DREG] ||
+   !tb[NFTA_HASH_LEN]  ||
+   !tb[NFTA_HASH_SEED] ||
+   !tb[NFTA_HASH_MODULUS])
+   return -EINVAL;
+
+   priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]);
+   priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]);
+
+   len = ntohl(nla_get_be32(tb[NFTA_HASH_LEN]));
+   if (len == 0 || len > U8_MAX)
+   return -ERANGE;
+
+   priv->len = len;
+
+   
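Review bot: `nft_hash_policy` at the top of the file is not `static` although nothing outside this file needs it (the numgen policy in the same series is `static`); make it `static const`. In nft_hash_init(), after `priv->len = len;`, make sure the source register is validated with the parsed length, i.e. `nft_validate_register_load(priv->sreg, len)`, because nft_hash_eval() hands `priv->len` bytes starting at `&regs->data[priv->sreg]` straight to jhash() with no bounds check, so an oversized len combined with a high register would read past the register file.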

[PATCH 09/29] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-09-05 Thread Pablo Neira Ayuso
From: Liping Zhang 

Since commit 64b87639c9cb ("netfilter: conntrack: fix race between
nf_conntrack proc read and hash resize") introduced
nf_conntrack_get_ht, there's no need to check nf_conntrack_generation
again and again to get the hash table and hash size. Also convert
nf_conntrack_get_ht to an inline function here.

Suggested-by: Pablo Neira Ayuso 
Signed-off-by: Liping Zhang 
Signed-off-by: Pablo Neira Ayuso 
---
 include/net/netfilter/nf_conntrack.h  | 20 ++
 include/net/netfilter/nf_conntrack_core.h |  3 --
 net/netfilter/nf_conntrack_core.c | 46 +++
 3 files changed, 30 insertions(+), 39 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h 
b/include/net/netfilter/nf_conntrack.h
index 445b019..2a12748 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -303,9 +303,29 @@ struct kernel_param;
 
 int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
 int nf_conntrack_hash_resize(unsigned int hashsize);
+
+extern struct hlist_nulls_head *nf_conntrack_hash;
 extern unsigned int nf_conntrack_htable_size;
+extern seqcount_t nf_conntrack_generation;
 extern unsigned int nf_conntrack_max;
 
+/* must be called with rcu read lock held */
+static inline void
+nf_conntrack_get_ht(struct hlist_nulls_head **hash, unsigned int *hsize)
+{
+   struct hlist_nulls_head *hptr;
+   unsigned int sequence, hsz;
+
+   do {
+   sequence = read_seqcount_begin(_conntrack_generation);
+   hsz = nf_conntrack_htable_size;
+   hptr = nf_conntrack_hash;
+   } while (read_seqcount_retry(_conntrack_generation, sequence));
+
+   *hash = hptr;
+   *hsize = hsz;
+}
+
 struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
 const struct nf_conntrack_zone *zone,
 gfp_t flags);
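Review bot: moving nf_conntrack_get_ht() into nf_conntrack.h as an inline means every includer now references `nf_conntrack_generation` and `nf_conntrack_hash` directly; the hunk in nf_conntrack_core.c turns the seqcount into a non-static global but shows no `EXPORT_SYMBOL_GPL(nf_conntrack_generation)`, so any modular caller of the helper (the context line `EXPORT_SYMBOL_GPL(nf_conntrack_hash)` shows the hash pointer already is exported) will fail to link; add the export or keep the helper out-of-line. The header also needs `<linux/seqlock.h>` for read_seqcount_begin() unless it is already pulled in transitively.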
diff --git a/include/net/netfilter/nf_conntrack_core.h 
b/include/net/netfilter/nf_conntrack_core.h
index 79d7ac5..62e17d1 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -51,8 +51,6 @@ bool nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
const struct nf_conntrack_l3proto *l3proto,
const struct nf_conntrack_l4proto *l4proto);
 
-void nf_conntrack_get_ht(struct hlist_nulls_head **hash, unsigned int *hsize);
-
 /* Find a connection corresponding to a tuple. */
 struct nf_conntrack_tuple_hash *
 nf_conntrack_find_get(struct net *net,
@@ -83,7 +81,6 @@ print_tuple(struct seq_file *s, const struct 
nf_conntrack_tuple *tuple,
 
 #define CONNTRACK_LOCKS 1024
 
-extern struct hlist_nulls_head *nf_conntrack_hash;
 extern spinlock_t nf_conntrack_locks[CONNTRACK_LOCKS];
 void nf_conntrack_lock(spinlock_t *lock);
 
diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
index 22558b7..aeba28c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -74,7 +74,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_hash);
 
 static __read_mostly struct kmem_cache *nf_conntrack_cachep;
 static __read_mostly spinlock_t nf_conntrack_locks_all_lock;
-static __read_mostly seqcount_t nf_conntrack_generation;
 static __read_mostly DEFINE_SPINLOCK(nf_conntrack_locks_all_lock);
 static __read_mostly bool nf_conntrack_locks_all;
 
@@ -162,6 +161,7 @@ static void nf_conntrack_all_unlock(void)
 
 unsigned int nf_conntrack_htable_size __read_mostly;
 unsigned int nf_conntrack_max __read_mostly;
+seqcount_t nf_conntrack_generation __read_mostly;
 
 DEFINE_PER_CPU(struct nf_conn, nf_conntrack_untracked);
 EXPORT_PER_CPU_SYMBOL(nf_conntrack_untracked);
@@ -478,23 +478,6 @@ nf_ct_key_equal(struct nf_conntrack_tuple_hash *h,
   net_eq(net, nf_ct_net(ct));
 }
 
-/* must be called with rcu read lock held */
-void nf_conntrack_get_ht(struct hlist_nulls_head **hash, unsigned int *hsize)
-{
-   struct hlist_nulls_head *hptr;
-   unsigned int sequence, hsz;
-
-   do {
-   sequence = read_seqcount_begin(_conntrack_generation);
-   hsz = nf_conntrack_htable_size;
-   hptr = nf_conntrack_hash;
-   } while (read_seqcount_retry(_conntrack_generation, sequence));
-
-   *hash = hptr;
-   *hsize = hsz;
-}
-EXPORT_SYMBOL_GPL(nf_conntrack_get_ht);
-
 /*
  * Warning :
  * - Caller must take a reference on returned object
@@ -507,14 +490,11 @@ nf_conntrack_find(struct net *net, const struct 
nf_conntrack_zone *zone,
struct nf_conntrack_tuple_hash *h;
struct hlist_nulls_head *ct_hash;
struct hlist_nulls_node *n;
-   unsigned int bucket, sequence;
+   unsigned int bucket, hsize;
 
 begin:
-   do {
-   sequence = read_seqcount_begin(_conntrack_generation);
-   bucket = scale_hash(hash);
- 

[PATCH 01/29] netfilter: conntrack: Only need first 4 bytes to get l4proto ports

2016-09-05 Thread Pablo Neira Ayuso
From: Gao Feng 

We only need first 4 bytes instead of 8 bytes to get the ports of
tcp/udp/dccp/sctp/udplite in their pkt_to_tuple function.

Signed-off-by: Gao Feng 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/nf_conntrack_proto_dccp.c| 3 ++-
 net/netfilter/nf_conntrack_proto_sctp.c| 4 ++--
 net/netfilter/nf_conntrack_proto_tcp.c | 4 ++--
 net/netfilter/nf_conntrack_proto_udp.c | 4 ++--
 net/netfilter/nf_conntrack_proto_udplite.c | 3 ++-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_dccp.c 
b/net/netfilter/nf_conntrack_proto_dccp.c
index 399a38f..a45bee5 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -402,7 +402,8 @@ static bool dccp_pkt_to_tuple(const struct sk_buff *skb, 
unsigned int dataoff,
 {
struct dccp_hdr _hdr, *dh;
 
-   dh = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
+   /* Actually only need first 4 bytes to get ports. */
+   dh = skb_header_pointer(skb, dataoff, 4, &_hdr);
if (dh == NULL)
return false;
 
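Review bot: the literal `4` and the identical comment now appear in five pkt_to_tuple() functions; since the intent is "source and destination port", a single named length such as `sizeof(__be16) * 2` or a `#define` next to the tuple helpers would state why 4 is correct and keep the five copies from drifting apart. The `_hdr` buffers stay sized for the full header, which is fine because skb_header_pointer() only copies the requested 4 bytes into them.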
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c 
b/net/netfilter/nf_conntrack_proto_sctp.c
index 1d7ab96..e769f05 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -161,8 +161,8 @@ static bool sctp_pkt_to_tuple(const struct sk_buff *skb, 
unsigned int dataoff,
const struct sctphdr *hp;
struct sctphdr _hdr;
 
-   /* Actually only need first 8 bytes. */
-   hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
+   /* Actually only need first 4 bytes to get ports. */
+   hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
if (hp == NULL)
return false;
 
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c 
b/net/netfilter/nf_conntrack_proto_tcp.c
index 70c8381..4abe9e1 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -282,8 +282,8 @@ static bool tcp_pkt_to_tuple(const struct sk_buff *skb, 
unsigned int dataoff,
const struct tcphdr *hp;
struct tcphdr _hdr;
 
-   /* Actually only need first 8 bytes. */
-   hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
+   /* Actually only need first 4 bytes to get ports. */
+   hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
if (hp == NULL)
return false;
 
diff --git a/net/netfilter/nf_conntrack_proto_udp.c 
b/net/netfilter/nf_conntrack_proto_udp.c
index 4fd0405..8a057e1 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -44,8 +44,8 @@ static bool udp_pkt_to_tuple(const struct sk_buff *skb,
const struct udphdr *hp;
struct udphdr _hdr;
 
-   /* Actually only need first 8 bytes. */
-   hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
+   /* Actually only need first 4 bytes to get ports. */
+   hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
if (hp == NULL)
return false;
 
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c 
b/net/netfilter/nf_conntrack_proto_udplite.c
index 9d692f5..029206e 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -54,7 +54,8 @@ static bool udplite_pkt_to_tuple(const struct sk_buff *skb,
const struct udphdr *hp;
struct udphdr _hdr;
 
-   hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
+   /* Actually only need first 4 bytes to get ports. */
+   hp = skb_header_pointer(skb, dataoff, 4, &_hdr);
if (hp == NULL)
return false;
 
-- 
2.1.4



[PATCH 05/29] ipvs: use nf_ct_kill helper

2016-09-05 Thread Pablo Neira Ayuso
From: Florian Westphal 

Once the timer is removed from nf_conn struct we cannot open-code
the removal sequence anymore.

Signed-off-by: Florian Westphal 
Acked-by: Julian Anastasov 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/ipvs/ip_vs_nfct.c | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
index f04fd8d..fc230d9 100644
--- a/net/netfilter/ipvs/ip_vs_nfct.c
+++ b/net/netfilter/ipvs/ip_vs_nfct.c
@@ -281,13 +281,10 @@ void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp)
h = nf_conntrack_find_get(cp->ipvs->net, _ct_zone_dflt, );
if (h) {
ct = nf_ct_tuplehash_to_ctrack(h);
-   /* Show what happens instead of calling nf_ct_kill() */
-   if (del_timer(>timeout)) {
-   IP_VS_DBG(7, "%s: ct=%p, deleted conntrack timer for 
tuple="
+   if (nf_ct_kill(ct)) {
+   IP_VS_DBG(7, "%s: ct=%p, deleted conntrack for tuple="
FMT_TUPLE "\n",
__func__, ct, ARG_TUPLE());
-   if (ct->timeout.function)
-   ct->timeout.function(ct->timeout.data);
} else {
IP_VS_DBG(7, "%s: ct=%p, no conntrack timer for tuple="
FMT_TUPLE "\n",
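Review bot: the `else` branch still prints `no conntrack timer for tuple=` (context line below the hunk), but after this series there is no timer any more, and nf_ct_kill() returning false now means the entry was already marked dying; update that message in the same way as the success path, e.g. `conntrack already dying for tuple=`, so the two debug lines stay consistent.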
-- 
2.1.4



Re: [PATCH] netfilter: nft_hash: Add hash offset value

2016-09-05 Thread Pablo Neira Ayuso
On Mon, Sep 05, 2016 at 11:58:24AM +0200, Laura Garcia wrote:
> On Mon, Sep 05, 2016 at 11:10:28AM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Sep 05, 2016 at 10:36:57AM +0200, Laura Garcia Liebana wrote:
> > > Add support to pass through an offset to the hash value. With this
> > > feature, the sysadmin is able to generate a hash with a given
> > > offset value.
> > > 
> > > Example:
> > > 
> > >   meta mark set jhash ip saddr mod 2 seed 0xabcd sum 100
> > > 
> > > This option generates marks according to the source address from 100 to
> > > 101.
> > > 
> > > Signed-off-by: Laura Garcia Liebana 
> > > ---
> > >  include/uapi/linux/netfilter/nf_tables.h |  2 ++
> > >  net/netfilter/nft_hash.c | 13 +++--
> > >  2 files changed, 13 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> > > b/include/uapi/linux/netfilter/nf_tables.h
> > > index 4dbeeed..8026684 100644
> > > --- a/include/uapi/linux/netfilter/nf_tables.h
> > > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > > @@ -764,6 +764,7 @@ enum nft_meta_keys {
> > >   * @NFTA_HASH_LEN: source data length (NLA_U32)
> > >   * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
> > >   * @NFTA_HASH_SEED: seed value (NLA_U32)
> > > + * @NFTA_HASH_SUM: Hash offset value (NLA_U32)
> > >   */
> > >  enum nft_hash_attributes {
> > >   NFTA_HASH_UNSPEC,
> > > @@ -772,6 +773,7 @@ enum nft_hash_attributes {
> > >   NFTA_HASH_LEN,
> > >   NFTA_HASH_MODULUS,
> > >   NFTA_HASH_SEED,
> > > + NFTA_HASH_SUM,
> > >   __NFTA_HASH_MAX,
> > >  };
> > >  #define NFTA_HASH_MAX(__NFTA_HASH_MAX - 1)
> > > diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
> > > index b7e3b40..8ab04d9 100644
> > > --- a/net/netfilter/nft_hash.c
> > > +++ b/net/netfilter/nft_hash.c
> > > @@ -23,6 +23,7 @@ struct nft_hash {
> > >   u8  len;
> > >   u32 modulus;
> > >   u32 seed;
> > > + u32 sum;
> > >  };
> > >  
> > >  static void nft_hash_eval(const struct nft_expr *expr,
> > > @@ -35,7 +36,7 @@ static void nft_hash_eval(const struct nft_expr *expr,
> > >  
> > >   h = reciprocal_scale(jhash(data, priv->len, priv->seed), priv->modulus);
> > >  
> > > - regs->data[priv->dreg] = h;
> > > + regs->data[priv->dreg] = priv->sum + h;
> > >  }
> > >  
> > >  const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
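Review bot: `priv->sum + h` is a plain u32 addition, and `h` ranges over [0, modulus - 1], so the top of the output range is `sum + modulus - 1`; when that wraps past U32_MAX the marks are no longer the contiguous `[sum, sum + modulus - 1]` that the commit message promises. The `modulus <= 1` check in init bounds `h`, not `sum`, so it cannot prevent the wrap; reject the pair at init time with a check such as `if (priv->sum + priv->modulus - 1 < priv->sum) return -EOVERFLOW;`.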
> > > @@ -44,6 +45,7 @@ const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 
> > > 1] = {
> > >   [NFTA_HASH_LEN] = { .type = NLA_U32 },
> > >   [NFTA_HASH_MODULUS] = { .type = NLA_U32 },
> > >   [NFTA_HASH_SEED]= { .type = NLA_U32 },
> > > + [NFTA_HASH_SUM] = { .type = NLA_U32 },
> > >  };
> > >  
> > >  static int nft_hash_init(const struct nft_ctx *ctx,
> > > @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ctx *ctx,
> > >   !tb[NFTA_HASH_MODULUS])
> > >   return -EINVAL;
> > >  
> > > + if (tb[NFTA_HASH_SUM])
> > > + priv->sum = ntohl(nla_get_be32(tb[NFTA_HASH_SUM]));
> > > + else
> > > + priv->sum = 0;
> > 
> > There is a corner case that we should reject from the kernel, I think
> > this is:
> > 
> > if (priv->sum + priv->modulus - 1 < priv->sum)
> > return -EOVERFLOW;
> > 
> > We'll handle this from userspace anyway too, but I think it's easy to
> > reject this crazy this.
> 
> Such a case shouldn't happen because the modulus must be > 1. The init()
> provides:
> 
> priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS]));
> if (priv->modulus <= 1)
> return -ERANGE;

I don't see how this is preventing an overflow of hash(x) + sum.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
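To make the disagreement above concrete, the following is an added user-space model of the nft_hash offset arithmetic. It is example code written for this page, not kernel code and not part of any patch in the thread: reciprocal_scale() is reproduced from its kernel definition, the 32-bit hash value is taken as an input instead of being computed with jhash, and the check function applies the -EOVERFLOW test proposed in the thread after the existing modulus > 1 test. The function names ending in `_model` are assumptions made for this example.

```c
/* Added example: user-space model of the nft_hash "sum" offset discussed in
 * this thread. Not kernel code. reciprocal_scale_model() uses the same
 * arithmetic as the kernel's reciprocal_scale(); the hash value is an input
 * rather than a jhash() result; error values mirror those quoted in the
 * thread (-ERANGE for a bad modulus, -EOVERFLOW for an offset that cannot
 * fit). All *_model names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Maps a full-range 32-bit value onto [0, ep_ro) without a division,
 * exactly as the kernel helper does. */
static uint32_t reciprocal_scale_model(uint32_t val, uint32_t ep_ro)
{
	return (uint32_t)(((uint64_t)val * ep_ro) >> 32);
}

/* Validation as nft_hash_init() would perform it with the proposed check.
 * Returns 0 on success or a negative errno value. */
static int nft_hash_check_model(uint32_t modulus, uint32_t sum)
{
	/* Existing test: a modulus of 0 or 1 is meaningless. */
	if (modulus <= 1)
		return -ERANGE;

	/* The largest value the expression can produce is sum + modulus - 1.
	 * In wrapping u32 arithmetic that sum is smaller than sum exactly
	 * when it has wrapped, which is the condition from the review. */
	if (sum + modulus - 1 < sum)
		return -EOVERFLOW;

	return 0;
}

/* What nft_hash_eval() stores in the destination register: the scaled
 * hash plus the offset, in wrapping u32 arithmetic, with no check. */
static uint32_t nft_hash_eval_model(uint32_t hash, uint32_t modulus,
				    uint32_t sum)
{
	uint32_t h = reciprocal_scale_model(hash, modulus);

	return sum + h;
}

int main(void)
{
	/* Constructed inputs: three hash values spread over the 32-bit range,
	 * evaluated with the offset from the patch example and with an
	 * offset that only the overflow check would reject. */
	const uint32_t hashes[] = { 0x00000001u, 0x80000000u, 0xffffffffu };
	const uint32_t sums[] = { 100u, 0xffffffffu };
	const uint32_t modulus = 2;
	size_t i, j;

	for (j = 0; j < sizeof(sums) / sizeof(sums[0]); j++) {
		int rc = nft_hash_check_model(modulus, sums[j]);

		printf("modulus=%u sum=0x%08x: init check -> %d\n",
		       modulus, sums[j], rc);
		for (i = 0; i < sizeof(hashes) / sizeof(hashes[0]); i++)
			printf("  hash=0x%08x -> register 0x%08x\n", hashes[i],
			       nft_hash_eval_model(hashes[i], modulus, sums[j]));
	}
	return 0;
}
```

With modulus 2 and sum 100 the register takes the values 100 and 101, as the patch description says. With sum 0xffffffff the same hash inputs make the register wrap to 0: the modulus check passes, so only the proposed overflow test rejects that rule at load time instead of letting the mark silently leave the intended range.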


Re: [PATCH] netfilter: nft_hash: Add hash offset value

2016-09-05 Thread Laura Garcia
On Mon, Sep 05, 2016 at 11:10:28AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 05, 2016 at 10:36:57AM +0200, Laura Garcia Liebana wrote:
> > Add support to pass through an offset to the hash value. With this
> > feature, the sysadmin is able to generate a hash with a given
> > offset value.
> > 
> > Example:
> > 
> > meta mark set jhash ip saddr mod 2 seed 0xabcd sum 100
> > 
> > This option generates marks according to the source address from 100 to
> > 101.
> > 
> > Signed-off-by: Laura Garcia Liebana 
> > ---
> >  include/uapi/linux/netfilter/nf_tables.h |  2 ++
> >  net/netfilter/nft_hash.c | 13 +++--
> >  2 files changed, 13 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> > b/include/uapi/linux/netfilter/nf_tables.h
> > index 4dbeeed..8026684 100644
> > --- a/include/uapi/linux/netfilter/nf_tables.h
> > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > @@ -764,6 +764,7 @@ enum nft_meta_keys {
> >   * @NFTA_HASH_LEN: source data length (NLA_U32)
> >   * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
> >   * @NFTA_HASH_SEED: seed value (NLA_U32)
> > + * @NFTA_HASH_SUM: Hash offset value (NLA_U32)
> >   */
> >  enum nft_hash_attributes {
> > NFTA_HASH_UNSPEC,
> > @@ -772,6 +773,7 @@ enum nft_hash_attributes {
> > NFTA_HASH_LEN,
> > NFTA_HASH_MODULUS,
> > NFTA_HASH_SEED,
> > +   NFTA_HASH_SUM,
> > __NFTA_HASH_MAX,
> >  };
> >  #define NFTA_HASH_MAX  (__NFTA_HASH_MAX - 1)
> > diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
> > index b7e3b40..8ab04d9 100644
> > --- a/net/netfilter/nft_hash.c
> > +++ b/net/netfilter/nft_hash.c
> > @@ -23,6 +23,7 @@ struct nft_hash {
> > u8  len;
> > u32 modulus;
> > u32 seed;
> > +   u32 sum;
> >  };
> >  
> >  static void nft_hash_eval(const struct nft_expr *expr,
> > @@ -35,7 +36,7 @@ static void nft_hash_eval(const struct nft_expr *expr,
> >  
> > h = reciprocal_scale(jhash(data, priv->len, priv->seed), priv->modulus);
> >  
> > -   regs->data[priv->dreg] = h;
> > +   regs->data[priv->dreg] = priv->sum + h;
> >  }
> >  
> >  const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
> > @@ -44,6 +45,7 @@ const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 
> > 1] = {
> > [NFTA_HASH_LEN] = { .type = NLA_U32 },
> > [NFTA_HASH_MODULUS] = { .type = NLA_U32 },
> > [NFTA_HASH_SEED]= { .type = NLA_U32 },
> > +   [NFTA_HASH_SUM] = { .type = NLA_U32 },
> >  };
> >  
> >  static int nft_hash_init(const struct nft_ctx *ctx,
> > @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ctx *ctx,
> > !tb[NFTA_HASH_MODULUS])
> > return -EINVAL;
> >  
> > +   if (tb[NFTA_HASH_SUM])
> > +   priv->sum = ntohl(nla_get_be32(tb[NFTA_HASH_SUM]));
> > +   else
> > +   priv->sum = 0;
> 
> There is a corner case that we should reject from the kernel, I think
> this is:
> 
> if (priv->sum + priv->modulus - 1 < priv->sum)
> return -EOVERFLOW;
> 
> We'll handle this from userspace anyway too, but I think it's easy to
> reject this crazy this.

Such a case shouldn't happen because the modulus must be > 1. The init()
provides:

priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS]));
if (priv->modulus <= 1)
return -ERANGE;




Re: [PATCH] netfilter: nft_hash: Add hash offset value

2016-09-05 Thread Pablo Neira Ayuso
On Mon, Sep 05, 2016 at 10:36:57AM +0200, Laura Garcia Liebana wrote:
> Add support to pass through an offset to the hash value. With this
> feature, the sysadmin is able to generate a hash with a given
> offset value.
> 
> Example:
> 
>   meta mark set jhash ip saddr mod 2 seed 0xabcd sum 100
> 
> This option generates marks according to the source address from 100 to
> 101.
> 
> Signed-off-by: Laura Garcia Liebana 
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nft_hash.c | 13 +++--
>  2 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> b/include/uapi/linux/netfilter/nf_tables.h
> index 4dbeeed..8026684 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -764,6 +764,7 @@ enum nft_meta_keys {
>   * @NFTA_HASH_LEN: source data length (NLA_U32)
>   * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
>   * @NFTA_HASH_SEED: seed value (NLA_U32)
> + * @NFTA_HASH_SUM: Hash offset value (NLA_U32)
>   */
>  enum nft_hash_attributes {
>   NFTA_HASH_UNSPEC,
> @@ -772,6 +773,7 @@ enum nft_hash_attributes {
>   NFTA_HASH_LEN,
>   NFTA_HASH_MODULUS,
>   NFTA_HASH_SEED,
> + NFTA_HASH_SUM,
>   __NFTA_HASH_MAX,
>  };
>  #define NFTA_HASH_MAX(__NFTA_HASH_MAX - 1)
> diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
> index b7e3b40..8ab04d9 100644
> --- a/net/netfilter/nft_hash.c
> +++ b/net/netfilter/nft_hash.c
> @@ -23,6 +23,7 @@ struct nft_hash {
>   u8  len;
>   u32 modulus;
>   u32 seed;
> + u32 sum;
>  };
>  
>  static void nft_hash_eval(const struct nft_expr *expr,
> @@ -35,7 +36,7 @@ static void nft_hash_eval(const struct nft_expr *expr,
>  
>   h = reciprocal_scale(jhash(data, priv->len, priv->seed), priv->modulus);
>  
> - regs->data[priv->dreg] = h;
> + regs->data[priv->dreg] = priv->sum + h;
>  }
>  
>  const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
> @@ -44,6 +45,7 @@ const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] 
> = {
>   [NFTA_HASH_LEN] = { .type = NLA_U32 },
>   [NFTA_HASH_MODULUS] = { .type = NLA_U32 },
>   [NFTA_HASH_SEED]= { .type = NLA_U32 },
> + [NFTA_HASH_SUM] = { .type = NLA_U32 },
>  };
>  
>  static int nft_hash_init(const struct nft_ctx *ctx,
> @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ctx *ctx,
>   !tb[NFTA_HASH_MODULUS])
>   return -EINVAL;
>  
> + if (tb[NFTA_HASH_SUM])
> + priv->sum = ntohl(nla_get_be32(tb[NFTA_HASH_SUM]));
> + else
> + priv->sum = 0;

There is a corner case that we should reject from the kernel, I think
this is:

if (priv->sum + priv->modulus - 1 < priv->sum)
return -EOVERFLOW;

We'll handle this from userspace anyway too, but I think it's easy to
reject this crazy this.


[PATCH libnftnl] expr: hash: Add offset to hash value

2016-09-05 Thread Laura Garcia Liebana
Add support to pass through an offset to the hash value. With this
feature, the sysadmin is able to generate a hash with a given
starting value.

Example:

meta mark set jhash ip saddr mod 2 seed 0xabcd sum 100

This option generates marks according to the source address from 100 to
101.

Signed-off-by: Laura Garcia Liebana 
---
 include/libnftnl/expr.h |  1 +
 include/linux/netfilter/nf_tables.h |  2 ++
 src/expr/hash.c | 39 +++--
 tests/nft-expr_hash-test.c  |  4 
 4 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 3cf0db1..9188364 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -211,6 +211,7 @@ enum {
NFTNL_EXPR_HASH_LEN,
NFTNL_EXPR_HASH_MODULUS,
NFTNL_EXPR_HASH_SEED,
+   NFTNL_EXPR_HASH_SUM,
 };
 
 /*
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 2718832..65d9fe8 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1139,6 +1139,7 @@ enum nft_trace_types {
  * @NFTA_HASH_LEN: data length (NLA_U32)
  * @NFTA_HASH_MODULUS: Modulus value (NLA_U32)
  * @NFTA_HASH_SEED: hash initial value (NLA_U32)
+ * @NFTA_HASH_SUM: offset value to be added (NLA_U32)
  */
 enum nft_hash_attributes {
NFTA_HASH_UNSPEC,
@@ -1147,6 +1148,7 @@ enum nft_hash_attributes {
NFTA_HASH_LEN,
NFTA_HASH_MODULUS,
NFTA_HASH_SEED,
+   NFTA_HASH_SUM,
__NFTA_HASH_MAX
 };
 #define NFTA_HASH_MAX  (__NFTA_HASH_MAX - 1)
diff --git a/src/expr/hash.c b/src/expr/hash.c
index 2d61508..54c6dbc 100644
--- a/src/expr/hash.c
+++ b/src/expr/hash.c
@@ -26,6 +26,7 @@ struct nftnl_expr_hash {
unsigned intlen;
unsigned intmodulus;
unsigned intseed;
+   unsigned intsum;
 };
 
 static int
@@ -50,6 +51,9 @@ nftnl_expr_hash_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_HASH_SEED:
hash->seed = *((uint32_t *)data);
break;
+   case NFTNL_EXPR_HASH_SUM:
+   hash->sum = *((uint32_t *)data);
+   break;
default:
return -1;
}
@@ -78,6 +82,9 @@ nftnl_expr_hash_get(const struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_HASH_SEED:
*data_len = sizeof(hash->seed);
return >seed;
+   case NFTNL_EXPR_HASH_SUM:
+   *data_len = sizeof(hash->sum);
+   return >sum;
}
return NULL;
 }
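Review bot: the visible line `return >sum;` has no address-of operand, and the unchanged `return >seed;` two lines above has the same shape, so this looks like archive mangling of `&hash->sum` rather than a defect in the patch; if it really reads `>sum` in the submitted file it will not compile, so please confirm against the original mail. Otherwise the getter mirrors the seed case correctly, including setting `*data_len` before returning.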
@@ -96,6 +103,7 @@ static int nftnl_expr_hash_cb(const struct nlattr *attr, 
void *data)
case NFTA_HASH_LEN:
case NFTA_HASH_MODULUS:
case NFTA_HASH_SEED:
+   case NFTA_HASH_SUM:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
break;
@@ -120,7 +128,8 @@ nftnl_expr_hash_build(struct nlmsghdr *nlh, const struct 
nftnl_expr *e)
mnl_attr_put_u32(nlh, NFTA_HASH_MODULUS, htonl(hash->modulus));
if (e->flags & (1 << NFTNL_EXPR_HASH_SEED))
mnl_attr_put_u32(nlh, NFTA_HASH_SEED, htonl(hash->seed));
-
+   if (e->flags & (1 << NFTNL_EXPR_HASH_SUM))
+   mnl_attr_put_u32(nlh, NFTA_HASH_SUM, htonl(hash->sum));
 }
 
 static int
@@ -153,6 +162,10 @@ nftnl_expr_hash_parse(struct nftnl_expr *e, struct nlattr 
*attr)
hash->seed = ntohl(mnl_attr_get_u32(tb[NFTA_HASH_SEED]));
e->flags |= (1 << NFTNL_EXPR_HASH_SEED);
}
+   if (tb[NFTA_HASH_SUM]) {
+   hash->sum = ntohl(mnl_attr_get_u32(tb[NFTA_HASH_SUM]));
+   e->flags |= (1 << NFTNL_EXPR_HASH_SUM);
+   }
 
return ret;
 }
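Review bot: the flag `NFTNL_EXPR_HASH_SUM` is set only when `NFTA_HASH_SUM` is present in the netlink message, and the kernel side of this series dumps the attribute only when the offset is non-zero, so a rule loaded with `sum 0` comes back without the flag. That is consistent as long as every consumer treats a missing attribute as an offset of 0; the printing and JSON/XML output paths should not emit a `sum` field in that case, or nft will print something it cannot read back unchanged.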
@@ -161,7 +174,7 @@ static int nftnl_expr_hash_json_parse(struct nftnl_expr *e, 
json_t *root,
  struct nftnl_parse_err *err)
 {
 #ifdef JSON_PARSING
-   uint32_t sreg, dreg, len, modulus, seed;
+   uint32_t sreg, dreg, len, modulus, seed, sum;
 
if (nftnl_jansson_parse_reg(root, "sreg", NFTNL_TYPE_U32,
, err) == 0)
@@ -183,6 +196,10 @@ static int nftnl_expr_hash_json_parse(struct nftnl_expr 
*e, json_t *root,
, err) == 0)
nftnl_expr_set_u32(e, NFTNL_EXPR_HASH_SEED, seed);
 
+   if (nftnl_jansson_parse_val(root, "sum", NFTNL_TYPE_U32,
+   , err) == 0)
+   nftnl_expr_set_u32(e, NFTNL_EXPR_HASH_SUM, sum);
+
return 0;
 #else
errno = EOPNOTSUPP;
@@ -196,7 +213,7 @@ static int nftnl_expr_hash_xml_parse(struct nftnl_expr *e,
 struct nftnl_parse_err *err)
 {
 #ifdef XML_PARSING
-   uint32_t sreg, dreg, len, modulus, seed;
+   uint32_t sreg, dreg, len, modulus, seed, 

[PATCH] netfilter: nft_hash: Add hash offset value

2016-09-05 Thread Laura Garcia Liebana
Add support to pass through an offset to the hash value. With this
feature, the sysadmin is able to generate a hash with a given
offset value.

Example:

meta mark set jhash ip saddr mod 2 seed 0xabcd sum 100

This option generates marks according to the source address from 100 to
101.

Signed-off-by: Laura Garcia Liebana 
---
 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nft_hash.c | 13 +++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 4dbeeed..8026684 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -764,6 +764,7 @@ enum nft_meta_keys {
  * @NFTA_HASH_LEN: source data length (NLA_U32)
  * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
  * @NFTA_HASH_SEED: seed value (NLA_U32)
+ * @NFTA_HASH_SUM: Hash offset value (NLA_U32)
  */
 enum nft_hash_attributes {
NFTA_HASH_UNSPEC,
@@ -772,6 +773,7 @@ enum nft_hash_attributes {
NFTA_HASH_LEN,
NFTA_HASH_MODULUS,
NFTA_HASH_SEED,
+   NFTA_HASH_SUM,
__NFTA_HASH_MAX,
 };
 #define NFTA_HASH_MAX  (__NFTA_HASH_MAX - 1)
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index b7e3b40..8ab04d9 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -23,6 +23,7 @@ struct nft_hash {
u8  len;
u32 modulus;
u32 seed;
+   u32 sum;
 };
 
 static void nft_hash_eval(const struct nft_expr *expr,
@@ -35,7 +36,7 @@ static void nft_hash_eval(const struct nft_expr *expr,
 
h = reciprocal_scale(jhash(data, priv->len, priv->seed), priv->modulus);
 
-   regs->data[priv->dreg] = h;
+   regs->data[priv->dreg] = priv->sum + h;
 }
 
 const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
@@ -44,6 +45,7 @@ const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
[NFTA_HASH_LEN] = { .type = NLA_U32 },
[NFTA_HASH_MODULUS] = { .type = NLA_U32 },
[NFTA_HASH_SEED]= { .type = NLA_U32 },
+   [NFTA_HASH_SUM] = { .type = NLA_U32 },
 };
 
 static int nft_hash_init(const struct nft_ctx *ctx,
@@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ctx *ctx,
!tb[NFTA_HASH_MODULUS])
return -EINVAL;
 
+   if (tb[NFTA_HASH_SUM])
+   priv->sum = ntohl(nla_get_be32(tb[NFTA_HASH_SUM]));
+   else
+   priv->sum = 0;
+
priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]);
if (priv->sreg < 0)
return -ERANGE;
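Review bot: the new `NFTA_HASH_SUM` value is accepted without any bound against the modulus, so an offset close to U32_MAX makes the value computed in eval wrap around; after the modulus has been parsed and validated, reject the combination with `if (priv->sum + priv->modulus - 1 < priv->sum) return -EOVERFLOW;`, which is cheap and keeps userspace from having to be the only line of defence. Separately, the `else priv->sum = 0;` branch is redundant if, as is usual for nft expressions, the private area is zeroed on allocation; if it is kept, a one-line comment saying why would help.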
@@ -99,7 +106,9 @@ static int nft_hash_dump(struct sk_buff *skb,
goto nla_put_failure;
if (nft_dump_register(skb, NFTA_HASH_SEED, priv->seed))
goto nla_put_failure;
-
+   if (priv->sum != 0)
+   if (nft_dump_register(skb, NFTA_HASH_SUM, priv->sum))
+   goto nla_put_failure;
return 0;
 
 nla_put_failure:
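Review bot: the two nested brace-less `if` statements are easy to misread; fold them into `if (priv->sum != 0 && nft_dump_register(skb, NFTA_HASH_SUM, priv->sum)) goto nla_put_failure;`. Dumping via `nft_dump_register()` matches how the seed is emitted just above, so the wire format stays consistent. Omitting the attribute when the offset is 0 is fine given that init() defaults to 0, but that convention deserves a comment here because userspace parsers depend on it.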
-- 
2.8.1



[conntrack-tools PATCH 4/4 v2] doc/manual/conntrack-tools: include some bits about init systems

2016-09-05 Thread Arturo Borrero Gonzalez
Update the conntrack-tools manual to include some bits regarding init systems
and the integration with systemd.

More on this topic here:
 
http://ral-arturo.blogspot.com.es/2016/08/why-conntrackd-in-debian-is-better-with.html

Suggested-by: Pablo Neira Ayuso 
Signed-off-by: Arturo Borrero Gonzalez 
---
v2: include suggestions reported by Rami Rosen.

 doc/manual/conntrack-tools.tmpl |   51 +++
 1 file changed, 51 insertions(+)

diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index 87a792e..3e83d78 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -1185,4 +1185,55 @@ not enough space errors:   0
 
 
 
+  System integration
+
+  
+   You may want to integrate conntrackd into your system in order to build
+   a robust firewall cluster. You should take a look at how the linux
+   distro of your choose does this, as there are some interesting things
+   to take into account.
+  
+
+  
+   Depending on the architecture of the firewall cluster, you may want to
+   sync each node after a fallback operation, so the new node
+   inmediately knows the connection of the other. This is specially
+   interesting in Active-Active mode.
+  
+
+  
+   This can be done using conntrackd -n just after
+   the new node has joined the conntrackd cluster, for example at boot
+   time. These operations require the main conntrackd daemon to open the
+   UNIX socket to receive the order from the
+   conntrackd -n call.
+  
+
+  
+   Care must be taken that no race conditions happens (i.e, the UNIX
+   socket is actually opened before conntrackd -n is
+   launched). Otherwise, you may end with a new node (after fallback)
+   which doesn't know any connection states from the other node.
+  
+
+  
+   Since conntrack-tools 1.4.4, the conntrackd
+   daemon includes integration with libsystemd. If
+   conntrackd is configured at build time with this support
+   (using --enable-systemd), then you can
+   use Systemd on in the
+   conntrackd.conf main configuration file.
+   To benefit from this integration, you should use a systemd service file
+   of Type=notify, which also includes support for
+   the systemd watchdog.
+  
+
+  
+   Using systemd and conntrackd with libsystemd support and a service file
+   of Type=notify means that conntrackd will notify of its readiness to
+   systemd, so you can launch conntrackd -n safely,
+   avoiding such race conditions.
+  
+
+  
 
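Review bot: the added text has several wording slips that should be fixed before it is rendered: "linux distro of your choose" should read "of your choice", "inmediately" should be "immediately", "specially interesting" should be "especially interesting", "no race conditions happens" should be "happen", and "you may end with a new node" should be "end up with". "fallback operation" in a firewall-cluster context most likely means a failover; if so, say "failover" so readers searching for that term find it. The sentence "then you can use Systemd on in the conntrackd.conf main configuration file" reads as if an option keyword was lost in the markup; please check the rendered output. The race description is the security-relevant part of this section and is correct as written: if `conntrackd -n` runs before the daemon has opened its UNIX socket, the new node starts filtering with an empty state table, which is exactly what `Type=notify` readiness signalling is meant to prevent.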
