Клиентские базы Skype: prodawez390 Email: prodawez...@gmail.com Whatsapp: +79139230330

2016-11-15 Thread netfilter-devel@vger.kernel.org
Клиентские базы Skype: prodawez390 Email: prodawez...@gmail.com Whatsapp: 
+79139230330


[PATCH nf-next 1/3] netfilter: introduce accessor functions for hook entries

2016-11-15 Thread Aaron Conole
This allows easier future refactoring.

Signed-off-by: Aaron Conole 
---
 include/linux/netfilter.h   | 27 +++
 net/bridge/br_netfilter_hooks.c |  2 +-
 net/netfilter/core.c| 10 --
 net/netfilter/nf_queue.c|  5 ++---
 4 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 6923014..575aa19 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -79,6 +79,33 @@ struct nf_hook_entry {
const struct nf_hook_ops*orig_ops;
 };
 
+static inline void
+nf_hook_entry_init(struct nf_hook_entry *entry,const struct 
nf_hook_ops *ops)
+{
+   entry->next = NULL;
+   entry->ops = *ops;
+   entry->orig_ops = ops;
+}
+
+static inline int
+nf_hook_entry_priority(const struct nf_hook_entry *entry)
+{
+   return entry->ops.priority;
+}
+
+static inline int
+nf_hook_entry_hookfn(const struct nf_hook_entry *entry, struct sk_buff *skb,
+struct nf_hook_state *state)
+{
+   return entry->ops.hook(entry->ops.priv, skb, state);
+}
+
+static inline const struct nf_hook_ops *
+nf_hook_entry_ops(const struct nf_hook_entry *entry)
+{
+   return entry->orig_ops;
+}
+
 static inline void nf_hook_state_init(struct nf_hook_state *p,
  unsigned int hook,
  u_int8_t pf,
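Review bot: The signature of nf_hook_entry_init is missing a space after the comma (`*entry,const struct nf_hook_ops *ops`), which checkpatch reports as an error; it should read `nf_hook_entry_init(struct nf_hook_entry *entry, const struct nf_hook_ops *ops)` (the line appears wrapped by the mailer here). None of the four new inline accessors carries a comment; a one-liner above nf_hook_entry_init such as `/* Snapshot @ops into @entry; @ops must outlive the entry, it is kept as ->orig_ops */` would make the lifetime dependency on the caller's ops visible, since nf_unregister_net_hook compares against that pointer.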
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 8155bd2..ef8cfa7 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -1010,7 +1010,7 @@ int br_nf_hook_thresh(unsigned int hook, struct net *net,
 
elem = rcu_dereference(net->nf.hooks[NFPROTO_BRIDGE][hook]);
 
-   while (elem && (elem->ops.priority <= NF_BR_PRI_BRNF))
+   while (elem && (nf_hook_entry_priority(elem) <= NF_BR_PRI_BRNF))
elem = rcu_dereference(elem->next);
 
if (!elem)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index de30e08..2bb46e2 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -102,15 +102,13 @@ int nf_register_net_hook(struct net *net, const struct 
nf_hook_ops *reg)
if (!entry)
return -ENOMEM;
 
-   entry->orig_ops = reg;
-   entry->ops  = *reg;
-   entry->next = NULL;
+   nf_hook_entry_init(entry, reg);
 
mutex_lock(&nf_hook_mutex);
 
/* Find the spot in the list */
while ((p = nf_entry_dereference(*pp)) != NULL) {
-   if (reg->priority < p->orig_ops->priority)
+   if (reg->priority < nf_hook_entry_priority(p))
break;
pp = &p->next;
}
@@ -140,7 +138,7 @@ void nf_unregister_net_hook(struct net *net, const struct 
nf_hook_ops *reg)
 
mutex_lock(&nf_hook_mutex);
while ((p = nf_entry_dereference(*pp)) != NULL) {
-   if (p->orig_ops == reg) {
+   if (nf_hook_entry_ops(p) == reg) {
rcu_assign_pointer(*pp, p->next);
break;
}
@@ -311,7 +309,7 @@ int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state 
*state,
int ret;
 
do {
-   verdict = entry->ops.hook(entry->ops.priv, skb, state);
+   verdict = nf_hook_entry_hookfn(entry, skb, state);
switch (verdict & NF_VERDICT_MASK) {
case NF_ACCEPT:
entry = rcu_dereference(entry->next);
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 77cba9f..4a76624 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -185,7 +185,7 @@ static unsigned int nf_iterate(struct sk_buff *skb,
 
do {
 repeat:
-   verdict = (*entryp)->ops.hook((*entryp)->ops.priv, skb, state);
+   verdict = nf_hook_entry_hookfn((*entryp), skb, state);
if (verdict != NF_ACCEPT) {
if (verdict != NF_REPEAT)
return verdict;
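Review bot: The parentheses around `*entryp` in the new call are redundant; `verdict = nf_hook_entry_hookfn(*entryp, skb, state);` is the idiomatic form and matches how the same accessor is invoked in nf_hook_slow and nf_reinject in this series. nf_iterate's body begins and ends outside the hunk.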
@@ -200,7 +200,6 @@ static unsigned int nf_iterate(struct sk_buff *skb,
 void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 {
struct nf_hook_entry *hook_entry = entry->hook;
-   struct nf_hook_ops *elem = &hook_entry->ops;
struct sk_buff *skb = entry->skb;
const struct nf_afinfo *afinfo;
int err;
@@ -209,7 +208,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int 
verdict)
 
/* Continue traversal iff userspace said ok... */
if (verdict == NF_REPEAT)
-   verdict = elem->hook(elem->priv, skb, &entry->state);
+   verdict = nf_hook_entry_hookfn(hook_entry, skb, &entry->state);
 
if (verdict == NF_ACCEPT) {
afinfo = nf_get_afinfo(entry->state.pf);
-- 
2.7.4


[PATCH nf-next 2/3] netfilter: decouple nf_hook_entry and nf_hook_ops

2016-11-15 Thread Aaron Conole
From: Aaron Conole 

During nfhook traversal we only need a very small subset of
nf_hook_ops members.

We need:
- next element
- hook function to call
- hook function priv argument

Bridge netfilter also needs 'thresh'; can be obtained via ->orig_ops.

nf_hook_entry struct is now 32 bytes on x86_64.

A followup patch will turn the run-time list into an array that only
stores hook functions plus their priv arguments, eliminating the ->next
element.

Suggested-by: Florian Westphal 
Signed-off-by: Aaron Conole 
---
 include/linux/netfilter.h | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 575aa19..a4b97be 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -75,7 +75,8 @@ struct nf_hook_ops {
 
 struct nf_hook_entry {
struct nf_hook_entry __rcu  *next;
-   struct nf_hook_ops  ops;
+   nf_hookfn   *hook;
+   void*priv;
const struct nf_hook_ops*orig_ops;
 };
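Review bot: The new `hook` and `priv` members are cached copies of the corresponding nf_hook_ops fields (nf_hook_entry_init assigns them from `ops->hook`/`ops->priv` in the next hunk) while `orig_ops` remains the identity used by nf_hook_entry_priority and the unregister comparison, and nothing in the struct says so. A short comment on the struct would prevent a future change from updating one without the other, e.g. `/* hook/priv are copied from orig_ops at registration for the traversal fast path; orig_ops is the registered ops used for priority and unregister matching */`.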
 
@@ -83,21 +84,22 @@ static inline void
 nf_hook_entry_init(struct nf_hook_entry *entry,const struct 
nf_hook_ops *ops)
 {
entry->next = NULL;
-   entry->ops = *ops;
+   entry->hook = ops->hook;
+   entry->priv = ops->priv;
entry->orig_ops = ops;
 }
 
 static inline int
 nf_hook_entry_priority(const struct nf_hook_entry *entry)
 {
-   return entry->ops.priority;
+   return entry->orig_ops->priority;
 }
 
 static inline int
 nf_hook_entry_hookfn(const struct nf_hook_entry *entry, struct sk_buff *skb,
 struct nf_hook_state *state)
 {
-   return entry->ops.hook(entry->ops.priv, skb, state);
+   return entry->hook(entry->priv, skb, state);
 }
 
 static inline const struct nf_hook_ops *
-- 
2.7.4



[PATCH nf-next 3/3] netfilter: convert while loops to for loops

2016-11-15 Thread Aaron Conole
This is to facilitate converting from a singly-linked list to an array
of elements.

Signed-off-by: Aaron Conole 
---
 net/bridge/br_netfilter_hooks.c | 8 
 net/netfilter/core.c| 6 ++
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index ef8cfa7..1434de1 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -1008,10 +1008,10 @@ int br_nf_hook_thresh(unsigned int hook, struct net 
*net,
struct nf_hook_state state;
int ret;
 
-   elem = rcu_dereference(net->nf.hooks[NFPROTO_BRIDGE][hook]);
-
-   while (elem && (nf_hook_entry_priority(elem) <= NF_BR_PRI_BRNF))
-   elem = rcu_dereference(elem->next);
+   for (elem = rcu_dereference(net->nf.hooks[NFPROTO_BRIDGE][hook]);
+nf_hook_entry_priority(elem) <= NF_BR_PRI_BRNF;
+elem = rcu_dereference(elem->next))
+   ;
 
if (!elem)
return okfn(net, sk, skb);
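Review bot: The `for` condition in br_nf_hook_thresh drops the NULL guard the old `while (elem && ...)` had, so when the bridge hook list is empty or every entry has priority `<= NF_BR_PRI_BRNF`, `nf_hook_entry_priority(elem)` dereferences a NULL `elem` (through `entry->orig_ops->priority` after patch 2) before the `if (!elem)` check on the next line is ever reached. The condition should keep the guard: `elem && nf_hook_entry_priority(elem) <= NF_BR_PRI_BRNF;`. The enclosing function starts outside the hunk.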
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 2bb46e2..ce6adfa 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -107,10 +107,9 @@ int nf_register_net_hook(struct net *net, const struct 
nf_hook_ops *reg)
mutex_lock(&nf_hook_mutex);
 
/* Find the spot in the list */
-   while ((p = nf_entry_dereference(*pp)) != NULL) {
+   for (; (p = nf_entry_dereference(*pp)) != NULL; pp = &p->next) {
if (reg->priority < nf_hook_entry_priority(p))
break;
-   pp = &p->next;
}
rcu_assign_pointer(entry->next, p);
rcu_assign_pointer(*pp, entry);
@@ -137,12 +136,11 @@ void nf_unregister_net_hook(struct net *net, const struct 
nf_hook_ops *reg)
return;
 
mutex_lock(&nf_hook_mutex);
-   while ((p = nf_entry_dereference(*pp)) != NULL) {
+   for (; (p = nf_entry_dereference(*pp)) != NULL; pp = &p->next) {
if (nf_hook_entry_ops(p) == reg) {
rcu_assign_pointer(*pp, p->next);
break;
}
-   pp = &p->next;
}
mutex_unlock(&nf_hook_mutex);
if (!p) {
-- 
2.7.4



[PATCH nf-next 0/3] Additional nf_hook_entry compaction

2016-11-15 Thread Aaron Conole
This series introduces a set of accessors, compacts the nf_hook_entry, and
rearranges some of the loops in preparation for the final set of work going
to an array based hook system.

After this series, the nf_hook_entry should fit in a cacheline on a modern
Intel i7.

Tested on bare-metal system.

Aaron Conole (3):
  netfilter: introduce accessor functions for hook entries
  netfilter: decouple nf_hook_entry and nf_hook_ops
  netfilter: convert while loops to for loops

 include/linux/netfilter.h   | 31 ++-
 net/bridge/br_netfilter_hooks.c |  8 
 net/netfilter/core.c| 16 ++--
 net/netfilter/nf_queue.c|  5 ++---
 4 files changed, 42 insertions(+), 18 deletions(-)

-- 
2.7.4



[PATCH nf-next 6/7] conntrack: add nf_conntrack_default_on sysctl

2016-11-15 Thread Florian Westphal
This switch (default on) can be used to disable automatic registration
of connection tracking functionality in newly created network
namespaces.

This means that when net namespace goes down (or the tracker protocol
module is unloaded) we *might* have to unregister the hooks.

We can either add another per-netns variable that tells if
the hooks got registered by default, or, alternatively, just call
the protocol _put() function and have the callee deal with a possible
'extra' put() operation that doesn't pair with a get() one.

This uses the latter approach, i.e. a put() without a get has no effect.

Conntrack is still enabled automatically regardless of the new sysctl
setting if the new net namespace requires connection tracking, e.g. when
NAT rules are created.

Signed-off-by: Florian Westphal 
---
 This patch was not part of earlier series version.

 Documentation/networking/nf_conntrack-sysctl.txt | 11 +++
 include/net/netfilter/nf_conntrack_l3proto.h |  9 +
 net/netfilter/nf_conntrack_proto.c   | 19 ++-
 net/netfilter/nf_conntrack_standalone.c  | 10 ++
 4 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/Documentation/networking/nf_conntrack-sysctl.txt 
b/Documentation/networking/nf_conntrack-sysctl.txt
index 399e4e866a9c..cdeb9d6a44c7 100644
--- a/Documentation/networking/nf_conntrack-sysctl.txt
+++ b/Documentation/networking/nf_conntrack-sysctl.txt
@@ -93,6 +93,17 @@ nf_conntrack_max - INTEGER
Size of connection tracking table.  Default value is
nf_conntrack_buckets value * 4.
 
+nf_conntrack_default_on - BOOLEAN
+   0 - don't register conntrack in new net namespaces
+   1 - register conntrack in new net namespaces (default)
+
+   This controls wheter newly created network namespaces have connection
+   tracking enabled by default.  It will be enabled automatically
+   regardless of this setting if the new net namespace requires
+   connection tracking, e.g. when NAT rules are created.
+   This setting is only visible in initial user namespace, it has no
+   effect on existing namespaces.
+
 nf_conntrack_tcp_be_liberal - BOOLEAN
0 - disabled (default)
not 0 - enabled
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h 
b/include/net/netfilter/nf_conntrack_l3proto.h
index e7dcd72be21c..e01559b4d781 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -73,9 +73,18 @@ struct nf_conntrack_l3proto {
 
 extern struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[AF_MAX];
 
+#ifdef CONFIG_SYSCTL
 /* Protocol pernet registration. */
 int nf_ct_l3proto_pernet_register(struct net *net,
  struct nf_conntrack_l3proto *proto);
+#else
+static inline int nf_ct_l3proto_pernet_register(struct net *n,
+   struct nf_conntrack_l3proto *p)
+{
+   return 0;
+}
+#endif
+
 void nf_ct_l3proto_pernet_unregister(struct net *net,
 struct nf_conntrack_l3proto *proto);
 
diff --git a/net/netfilter/nf_conntrack_proto.c 
b/net/netfilter/nf_conntrack_proto.c
index 758688b25fd8..2d6ee1803415 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -238,12 +238,19 @@ int nf_ct_l3proto_register(struct nf_conntrack_l3proto 
*proto)
 }
 EXPORT_SYMBOL_GPL(nf_ct_l3proto_register);
 
+#ifdef CONFIG_SYSCTL
+extern unsigned int nf_conntrack_default_on;
+
 int nf_ct_l3proto_pernet_register(struct net *net,
  struct nf_conntrack_l3proto *proto)
 {
-   return 0;
+   if (nf_conntrack_default_on == 0)
+   return 0;
+
+   return proto->net_ns_get ? proto->net_ns_get(net) : 0;
 }
 EXPORT_SYMBOL_GPL(nf_ct_l3proto_pernet_register);
+#endif
 
 void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto)
 {
@@ -264,6 +271,16 @@ EXPORT_SYMBOL_GPL(nf_ct_l3proto_unregister);
 void nf_ct_l3proto_pernet_unregister(struct net *net,
 struct nf_conntrack_l3proto *proto)
 {
+   /*
+* nf_conntrack_default_on *might* have registered hooks.
+* ->net_ns_put must cope with more puts() than get(), i.e.
+* if nf_conntrack_default_on was 0 at time of
+* nf_ct_l3proto_pernet_register invocation this net_ns_put()
+* should be a noop.
+*/
+   if (proto->net_ns_put)
+   proto->net_ns_put(net);
+
/* Remove all contrack entries for this protocol */
nf_ct_iterate_cleanup(net, kill_l3proto, proto, 0, 0);
 }
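Review bot: The new unconditional `proto->net_ns_put(net)` makes "a put without a matching get is a no-op" part of the nf_conntrack_l3proto contract, but that requirement is only recorded in this .c comment; an implementer of a new l3 tracker reading the `net_ns_put` member in nf_conntrack_l3proto.h would not see it. I would add to the header, next to the callback declarations, a comment such as `/* net_ns_put must tolerate one more put than get: pernet_unregister calls it even when default-on registration was skipped */`. Whether pernet exit ordering guarantees that no rule-held reference is still counted when this extra put runs is not visible here and is worth confirming.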
diff --git a/net/netfilter/nf_conntrack_standalone.c 
b/net/netfilter/nf_conntrack_standalone.c
index 5f446cd9f3fd..d009ae663453 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -452,6 +452,9 @@ static int log_invalid_proto_max __read_mostly = 255;
 /* size the user *wants to set */
 static unsigned

[PATCH v4 nf-next 4/7] nftables: add conntrack dependencies for nat/masq/redir expressions

2016-11-15 Thread Florian Westphal
so that conntrack core will add the needed hooks in this namespace.

Signed-off-by: Florian Westphal 
---
 no changes since v3.

 net/ipv4/netfilter/nft_masq_ipv4.c  |  7 +++
 net/ipv4/netfilter/nft_redir_ipv4.c |  7 +++
 net/ipv6/netfilter/nft_masq_ipv6.c  |  7 +++
 net/ipv6/netfilter/nft_redir_ipv6.c |  7 +++
 net/netfilter/nft_masq.c|  2 +-
 net/netfilter/nft_nat.c | 11 ++-
 net/netfilter/nft_redir.c   |  2 +-
 7 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c 
b/net/ipv4/netfilter/nft_masq_ipv4.c
index 4f697e431811..914da9188820 100644
--- a/net/ipv4/netfilter/nft_masq_ipv4.c
+++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -35,12 +35,19 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
&range, nft_out(pkt));
 }
 
+static void
+nft_masq_ipv4_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+{
+   nf_ct_netns_put(ctx->net, NFPROTO_IPV4);
+}
+
 static struct nft_expr_type nft_masq_ipv4_type;
 static const struct nft_expr_ops nft_masq_ipv4_ops = {
.type   = &nft_masq_ipv4_type,
.size   = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
.eval   = nft_masq_ipv4_eval,
.init   = nft_masq_init,
+   .destroy= nft_masq_ipv4_destroy,
.dump   = nft_masq_dump,
.validate   = nft_masq_validate,
 };
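Review bot: nft_masq_ipv4_destroy, nft_redir_ipv4_destroy, nft_masq_ipv6_destroy and nft_redir_ipv6_destroy (this hunk and the three that follow) are byte-identical except for the hard-coded NFPROTO constant, while the get they balance in nft_masq_init uses `ctx->afi->family`. A single shared destroy per expression in nft_masq.c / nft_redir.c whose body is `nf_ct_netns_put(ctx->net, ctx->afi->family);` would remove the four copies and make the get/put family come from the same source, so they cannot drift apart.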
diff --git a/net/ipv4/netfilter/nft_redir_ipv4.c 
b/net/ipv4/netfilter/nft_redir_ipv4.c
index 16df0493c5ce..94238fe3bccc 100644
--- a/net/ipv4/netfilter/nft_redir_ipv4.c
+++ b/net/ipv4/netfilter/nft_redir_ipv4.c
@@ -38,12 +38,19 @@ static void nft_redir_ipv4_eval(const struct nft_expr *expr,
regs->verdict.code = nf_nat_redirect_ipv4(pkt->skb, &mr, nft_hook(pkt));
 }
 
+static void
+nft_redir_ipv4_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+{
+   nf_ct_netns_put(ctx->net, NFPROTO_IPV4);
+}
+
 static struct nft_expr_type nft_redir_ipv4_type;
 static const struct nft_expr_ops nft_redir_ipv4_ops = {
.type   = &nft_redir_ipv4_type,
.size   = NFT_EXPR_SIZE(sizeof(struct nft_redir)),
.eval   = nft_redir_ipv4_eval,
.init   = nft_redir_init,
+   .destroy= nft_redir_ipv4_destroy,
.dump   = nft_redir_dump,
.validate   = nft_redir_validate,
 };
diff --git a/net/ipv6/netfilter/nft_masq_ipv6.c 
b/net/ipv6/netfilter/nft_masq_ipv6.c
index a2aff1277b40..c79dcb87f4a3 100644
--- a/net/ipv6/netfilter/nft_masq_ipv6.c
+++ b/net/ipv6/netfilter/nft_masq_ipv6.c
@@ -36,12 +36,19 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr,
nft_out(pkt));
 }
 
+static void
+nft_masq_ipv6_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+{
+   nf_ct_netns_put(ctx->net, NFPROTO_IPV6);
+}
+
 static struct nft_expr_type nft_masq_ipv6_type;
 static const struct nft_expr_ops nft_masq_ipv6_ops = {
.type   = &nft_masq_ipv6_type,
.size   = NFT_EXPR_SIZE(sizeof(struct nft_masq)),
.eval   = nft_masq_ipv6_eval,
.init   = nft_masq_init,
+   .destroy= nft_masq_ipv6_destroy,
.dump   = nft_masq_dump,
.validate   = nft_masq_validate,
 };
diff --git a/net/ipv6/netfilter/nft_redir_ipv6.c 
b/net/ipv6/netfilter/nft_redir_ipv6.c
index bfcd5af6bc15..88dd1d94ed25 100644
--- a/net/ipv6/netfilter/nft_redir_ipv6.c
+++ b/net/ipv6/netfilter/nft_redir_ipv6.c
@@ -39,12 +39,19 @@ static void nft_redir_ipv6_eval(const struct nft_expr *expr,
nf_nat_redirect_ipv6(pkt->skb, &range, nft_hook(pkt));
 }
 
+static void
+nft_redir_ipv6_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+{
+   nf_ct_netns_put(ctx->net, NFPROTO_IPV6);
+}
+
 static struct nft_expr_type nft_redir_ipv6_type;
 static const struct nft_expr_ops nft_redir_ipv6_ops = {
.type   = &nft_redir_ipv6_type,
.size   = NFT_EXPR_SIZE(sizeof(struct nft_redir)),
.eval   = nft_redir_ipv6_eval,
.init   = nft_redir_init,
+   .destroy= nft_redir_ipv6_destroy,
.dump   = nft_redir_dump,
.validate   = nft_redir_validate,
 };
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index 81b5ad6165ac..f90e49c990f9 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -77,7 +77,7 @@ int nft_masq_init(const struct nft_ctx *ctx,
}
}
 
-   return 0;
+   return nf_ct_netns_get(ctx->net, ctx->afi->family);
 }
 EXPORT_SYMBOL_GPL(nft_masq_init);
 
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index ee2d71753746..19a7bf3236f9 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -209,7 +209,7 @@ static int nft_nat_init(const struct nft_ctx 

[PATCH v4 nf-next 7/7] netfilter: defrag: only register defrag functionality if needed

2016-11-15 Thread Florian Westphal
nf_defrag modules for ipv4 and ipv6 export an empty stub function.
Any module that needs the defragmentation hooks registered simply 'calls'
this empty function to create a phony module dependency -- modprobe will
then load the defrag module too.

This extends netfilter ipv4/ipv6 defragmentation modules to delay the hook
registration until the functionality is requested within a network namespace
instead of module load time for all namespaces.

Hooks are only un-registered on module unload or when a namespace that used
such defrag functionality exits.

We have to use struct net for this as the register hooks can be called
before netns initialization here from the ipv4/ipv6 conntrack module
init path.

There is no unregister functionality support, defrag will always be
active once it was requested inside a net namespace.

The reason is that defrag has impact on nft and iptables rulesets
(without defrag we might see fragments).

Signed-off-by: Florian Westphal 
---
 Changes since v3: place 'defrag_ipv4' in netns_ct, see above

 include/net/netfilter/ipv4/nf_defrag_ipv4.h|  3 +-
 include/net/netfilter/ipv6/nf_defrag_ipv6.h|  3 +-
 include/net/netns/conntrack.h  |  2 ++
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  7 -
 net/ipv4/netfilter/nf_defrag_ipv4.c| 41 +++--
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |  7 -
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c  | 42 +++---
 net/netfilter/xt_TPROXY.c  | 15 ++---
 net/netfilter/xt_socket.c  | 33 +---
 9 files changed, 132 insertions(+), 21 deletions(-)

diff --git a/include/net/netfilter/ipv4/nf_defrag_ipv4.h 
b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
index f01ef208dff6..db405f70e538 100644
--- a/include/net/netfilter/ipv4/nf_defrag_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_defrag_ipv4.h
@@ -1,6 +1,7 @@
 #ifndef _NF_DEFRAG_IPV4_H
 #define _NF_DEFRAG_IPV4_H
 
-void nf_defrag_ipv4_enable(void);
+struct net;
+int nf_defrag_ipv4_enable(struct net *);
 
 #endif /* _NF_DEFRAG_IPV4_H */
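Review bot: The new prototype omits the parameter name, `int nf_defrag_ipv4_enable(struct net *);`; kernel headers keep names in prototypes so the declaration documents itself, so this should be `int nf_defrag_ipv4_enable(struct net *net);`. The ipv6 header hunk below has the same omission and should read `int nf_defrag_ipv6_enable(struct net *net);`.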
diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h 
b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
index ddf162f7966f..7664efe37974 100644
--- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
@@ -1,7 +1,8 @@
 #ifndef _NF_DEFRAG_IPV6_H
 #define _NF_DEFRAG_IPV6_H
 
-void nf_defrag_ipv6_enable(void);
+struct net;
+int nf_defrag_ipv6_enable(struct net *);
 
 int nf_ct_frag6_init(void);
 void nf_ct_frag6_cleanup(void);
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 3d06d94d2e52..f0e14a6cc13f 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -81,6 +81,8 @@ struct netns_ct {
int sysctl_acct;
int sysctl_auto_assign_helper;
boolauto_assign_helper_warned;
+   booldefrag_ipv4;
+   booldefrag_ipv6;
int sysctl_tstamp;
int sysctl_checksum;
 
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 999d47bd2c9f..9de5d822f21b 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -325,6 +325,12 @@ static int ipv4_hooks_register(struct net *net)
if (cnet->users > 1)
goto out_unlock;
 
+   err = nf_defrag_ipv4_enable(net);
+   if (err) {
+   cnet->users = 0;
+   goto out_unlock;
+   }
+
err = nf_register_net_hooks(net, ipv4_conntrack_ops,
ARRAY_SIZE(ipv4_conntrack_ops));
 
@@ -413,7 +419,6 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
int ret = 0;
 
need_conntrack();
-   nf_defrag_ipv4_enable();
 
ret = nf_register_sockopt(&so_getorigdst);
if (ret < 0) {
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c 
b/net/ipv4/netfilter/nf_defrag_ipv4.c
index d88da36b383c..8f72e4f172be 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -11,6 +11,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 
@@ -22,6 +23,8 @@
 #endif
 #include 
 
+static DEFINE_MUTEX(defrag4_mutex);
+
 static int nf_ct_ipv4_gather_frags(struct net *net, struct sk_buff *skb,
   u_int32_t user)
 {
@@ -102,18 +105,50 @@ static struct nf_hook_ops ipv4_defrag_ops[] = {
},
 };
 
+static void __net_exit defrag4_net_exit(struct net *net)
+{
+   if (net->ct.defrag_ipv4) {
+   nf_unregister_net_hooks(net, ipv4_defrag_ops,
+   ARRAY_SIZE(ipv4_defrag_ops));
+   net->ct.defrag_ipv4 = false;
+   }
+}
+
+static struct pernet_operations defrag4_net_ops = {
+   .exit 

[PATCH v4 nf-next 5/7] netfilter: conntrack: register hooks in netns when needed by ruleset

2016-11-15 Thread Florian Westphal
This makes use of nf_ct_netns_get/put added in previous patch.
We add get/put functions to nf_conntrack_l3proto structure, ipv4 and ipv6
then implement use-count to track how many users (nft or xtables modules)
have a dependency on ipv4 and/or ipv6 connection tracking functionality.

When count reaches zero, the hooks are unregistered.

This delays activation of connection tracking inside a namespace until
stateful firewall rule or nat rule gets added.

This patch breaks backwards compatibility in the sense that connection
tracking won't be active anymore when the protocol tracker module is
loaded.  This breaks e.g. setups that use ctnetlink for flow accounting and
the like, without any '-m conntrack' packet filter rules.

A followup patch restores the old behaviour and makes the new delayed scheme
optional via sysctl.

Signed-off-by: Florian Westphal 
---
 No changes since v3.

 include/net/netfilter/nf_conntrack_l3proto.h   |  4 ++
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 55 --
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 54 +++--
 net/netfilter/nf_conntrack_proto.c | 38 +-
 4 files changed, 127 insertions(+), 24 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_l3proto.h 
b/include/net/netfilter/nf_conntrack_l3proto.h
index cf8f3dfd810d..e7dcd72be21c 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -52,6 +52,10 @@ struct nf_conntrack_l3proto {
int (*tuple_to_nlattr)(struct sk_buff *skb,
   const struct nf_conntrack_tuple *t);
 
+   /* Called when netns wants to use connection tracking */
+   int (*net_ns_get)(struct net *);
+   void (*net_ns_put)(struct net *);
+
/*
 * Calculate size of tuple nlattr
 */
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 823cf3331b9d..999d47bd2c9f 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -31,6 +31,13 @@
 #include 
 #include 
 
+static int conntrack4_net_id __read_mostly;
+static DEFINE_MUTEX(register_ipv4_hooks);
+
+struct conntrack4_net {
+   unsigned int users;
+};
+
 static bool ipv4_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
  struct nf_conntrack_tuple *tuple)
 {
@@ -307,6 +314,38 @@ static struct nf_sockopt_ops so_getorigdst = {
.owner  = THIS_MODULE,
 };
 
+static int ipv4_hooks_register(struct net *net)
+{
+   struct conntrack4_net *cnet = net_generic(net, conntrack4_net_id);
+   int err = 0;
+
+   mutex_lock(®ister_ipv4_hooks);
+
+   cnet->users++;
+   if (cnet->users > 1)
+   goto out_unlock;
+
+   err = nf_register_net_hooks(net, ipv4_conntrack_ops,
+   ARRAY_SIZE(ipv4_conntrack_ops));
+
+   if (err)
+   cnet->users = 0;
+ out_unlock:
+   mutex_unlock(®ister_ipv4_hooks);
+   return err;
+}
+
+static void ipv4_hooks_unregister(struct net *net)
+{
+   struct conntrack4_net *cnet = net_generic(net, conntrack4_net_id);
+
+   mutex_lock(®ister_ipv4_hooks);
+   if (cnet->users && (--cnet->users == 0))
+   nf_unregister_net_hooks(net, ipv4_conntrack_ops,
+   ARRAY_SIZE(ipv4_conntrack_ops));
+   mutex_unlock(®ister_ipv4_hooks);
+}
+
 struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
.l3proto = PF_INET,
.name= "ipv4",
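Review bot: The cleanup label in ipv4_hooks_register is indented by one space (` out_unlock:`); kernel style places labels at column 0 and checkpatch warns about indented labels, so it should be `out_unlock:`. The `users` counter is only ever touched under the mutex in both helpers, which is worth stating in a one-line comment on `struct conntrack4_net` (`/* protected by register_ipv4_hooks */`) since the struct is declared far from the functions that use it.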
@@ -320,6 +359,8 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 
__read_mostly = {
.nlattr_to_tuple = ipv4_nlattr_to_tuple,
.nla_policy  = ipv4_nla_policy,
 #endif
+   .net_ns_get  = ipv4_hooks_register,
+   .net_ns_put  = ipv4_hooks_unregister,
.me  = THIS_MODULE,
 };
 
@@ -363,6 +404,8 @@ static void ipv4_net_exit(struct net *net)
 static struct pernet_operations ipv4_net_ops = {
.init = ipv4_net_init,
.exit = ipv4_net_exit,
+   .id = &conntrack4_net_id,
+   .size = sizeof(struct conntrack4_net),
 };
 
 static int __init nf_conntrack_l3proto_ipv4_init(void)
@@ -384,17 +427,10 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
goto cleanup_sockopt;
}
 
-   ret = nf_register_hooks(ipv4_conntrack_ops,
-   ARRAY_SIZE(ipv4_conntrack_ops));
-   if (ret < 0) {
-   pr_err("nf_conntrack_ipv4: can't register hooks.\n");
-   goto cleanup_pernet;
-   }
-
ret = nf_ct_l4proto_register(builtin_l4proto4,
 ARRAY_SIZE(builtin_l4proto4));
if (ret < 0)
-   goto cleanup_hooks;
+   goto cleanup_pernet;
 
ret = nf_ct_l3proto_register(&nf_conntrack_l3proto_ipv4);
if (ret < 0) {
@@ 

[PATCH v4 nf-next] netfilter: allow disabling conntrack-on-by-default

2016-11-15 Thread Florian Westphal
Historically all the netfilter hooks got registered on module load time.

When net namespace support was added, hooks were registered in each
namespace (and new net namespaces inherit already-registered hooks from
global list).

This means that once nf_conntrack_ipv4/6.ko is loaded, all
existing and future net namespaces do connection tracking.

This series adds a new sysctl, nf_conntrack_default_on, that can be set
to 0 to disable this behaviour.

Once it's set to 0, conntrack hooks are not registered in newly created
net namespaces, and new l3 protocol trackers are not registered with any
existing namespaces either.

The setting does NOT disable already-active connection tracking
in existing namespaces.

connection tracking is enabled via packet filter ruleset, regardless of
the sysctl setting, once a rule that needs conntrack functionality is
added (e.g. iptables -m conntrack, targets like SNAT/DNAT or nftables
equivalents make sure the hooks get registered, and deleted, as needed).

It is currently NOT possible to disable connection tracking inside a
net namespace that had its hooks registered implicitly due to
nf_conntrack_default_on=1 (except unloading the l3 tracker module).

Comments welcome.

 Documentation/networking/nf_conntrack-sysctl.txt |   11 +++
 include/net/netfilter/ipv4/nf_defrag_ipv4.h  |3 
 include/net/netfilter/ipv6/nf_defrag_ipv6.h  |3 
 include/net/netfilter/nf_conntrack.h |4 +
 include/net/netfilter/nf_conntrack_l3proto.h |   16 -
 include/net/netns/conntrack.h|2 
 net/ipv4/netfilter/ipt_CLUSTERIP.c   |4 -
 net/ipv4/netfilter/ipt_MASQUERADE.c  |8 ++
 net/ipv4/netfilter/ipt_SYNPROXY.c|4 -
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c   |   62 ++-
 net/ipv4/netfilter/nf_defrag_ipv4.c  |   41 +++-
 net/ipv4/netfilter/nft_masq_ipv4.c   |7 ++
 net/ipv4/netfilter/nft_redir_ipv4.c  |7 ++
 net/ipv6/netfilter/ip6t_SYNPROXY.c   |4 -
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c   |   61 +++
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c|   42 +++--
 net/ipv6/netfilter/nft_masq_ipv6.c   |7 ++
 net/ipv6/netfilter/nft_redir_ipv6.c  |7 ++
 net/netfilter/nf_conntrack_proto.c   |   73 ---
 net/netfilter/nf_conntrack_standalone.c  |   10 +++
 net/netfilter/nft_ct.c   |   26 
 net/netfilter/nft_masq.c |2 
 net/netfilter/nft_nat.c  |   11 +++
 net/netfilter/nft_redir.c|2 
 net/netfilter/xt_CONNSECMARK.c   |4 -
 net/netfilter/xt_CT.c|6 -
 net/netfilter/xt_NETMAP.c|   11 ++-
 net/netfilter/xt_REDIRECT.c  |   12 +++
 net/netfilter/xt_TPROXY.c|   15 +++-
 net/netfilter/xt_connbytes.c |4 -
 net/netfilter/xt_connlabel.c |6 -
 net/netfilter/xt_connlimit.c |6 -
 net/netfilter/xt_connmark.c  |8 +-
 net/netfilter/xt_conntrack.c |4 -
 net/netfilter/xt_helper.c|4 -
 net/netfilter/xt_nat.c   |   18 +
 net/netfilter/xt_socket.c|   33 --
 net/netfilter/xt_state.c |4 -
 38 files changed, 443 insertions(+), 109 deletions(-)


[PATCH v4 nf-next 3/7] netfilter: nat: add dependencies on conntrack module

2016-11-15 Thread Florian Westphal
MASQUERADE, S/DNAT and REDIRECT already call functions that depend on the
conntrack module.

However, since the conntrack hooks are now registered in a lazy fashion
(i.e., only when needed) a symbol reference is not enough.

Thus, when something is added to a nat table, make sure that it will see
packets by calling nf_ct_netns_get() which will register the conntrack
hooks in the current netns.

An alternative would be to add these dependencies to the NAT table.

However, that has problems when using non-modular builds -- we might
register e.g. ipv6 conntrack before its initcall has run, leading to NULL
deref crashes since its per-netns storage has not yet been allocated.

Adding the dependency in the modules instead has the advantage that nat
table also does not register its hooks until rules are added.

Signed-off-by: Florian Westphal 
---
 No changes since v3.

 net/ipv4/netfilter/ipt_MASQUERADE.c |  8 +++-
 net/netfilter/xt_NETMAP.c   | 11 +--
 net/netfilter/xt_REDIRECT.c | 12 ++--
 net/netfilter/xt_nat.c  | 18 +-
 4 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c 
b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 34cfb9b0bc0a..a03e4e7ef5f9 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -41,7 +41,7 @@ static int masquerade_tg_check(const struct xt_tgchk_param 
*par)
pr_debug("bad rangesize %u\n", mr->rangesize);
return -EINVAL;
}
-   return 0;
+   return nf_ct_netns_get(par->net, par->family);
 }
 
 static unsigned int
@@ -59,6 +59,11 @@ masquerade_tg(struct sk_buff *skb, const struct 
xt_action_param *par)
  xt_out(par));
 }
 
+static void masquerade_tg_destroy(const struct xt_tgdtor_param *par)
+{
+   nf_ct_netns_put(par->net, par->family);
+}
+
 static struct xt_target masquerade_tg_reg __read_mostly = {
.name   = "MASQUERADE",
.family = NFPROTO_IPV4,
@@ -67,6 +72,7 @@ static struct xt_target masquerade_tg_reg __read_mostly = {
.table  = "nat",
.hooks  = 1 << NF_INET_POST_ROUTING,
.checkentry = masquerade_tg_check,
+   .destroy= masquerade_tg_destroy,
.me = THIS_MODULE,
 };
 
diff --git a/net/netfilter/xt_NETMAP.c b/net/netfilter/xt_NETMAP.c
index 94d0b5411192..e45a01255e70 100644
--- a/net/netfilter/xt_NETMAP.c
+++ b/net/netfilter/xt_NETMAP.c
@@ -60,7 +60,12 @@ static int netmap_tg6_checkentry(const struct xt_tgchk_param 
*par)
 
if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
return -EINVAL;
-   return 0;
+   return nf_ct_netns_get(par->net, par->family);
+}
+
+static void netmap_tg_destroy(const struct xt_tgdtor_param *par)
+{
+   nf_ct_netns_put(par->net, par->family);
 }
 
 static unsigned int
@@ -111,7 +116,7 @@ static int netmap_tg4_check(const struct xt_tgchk_param 
*par)
pr_debug("bad rangesize %u.\n", mr->rangesize);
return -EINVAL;
}
-   return 0;
+   return nf_ct_netns_get(par->net, par->family);
 }
 
 static struct xt_target netmap_tg_reg[] __read_mostly = {
@@ -127,6 +132,7 @@ static struct xt_target netmap_tg_reg[] __read_mostly = {
  (1 << NF_INET_LOCAL_OUT) |
  (1 << NF_INET_LOCAL_IN),
.checkentry = netmap_tg6_checkentry,
+   .destroy= netmap_tg_destroy,
.me = THIS_MODULE,
},
{
@@ -141,6 +147,7 @@ static struct xt_target netmap_tg_reg[] __read_mostly = {
  (1 << NF_INET_LOCAL_OUT) |
  (1 << NF_INET_LOCAL_IN),
.checkentry = netmap_tg4_check,
+   .destroy= netmap_tg_destroy,
.me = THIS_MODULE,
},
 };
diff --git a/net/netfilter/xt_REDIRECT.c b/net/netfilter/xt_REDIRECT.c
index 651dce65a30b..98a4c6d4f1cb 100644
--- a/net/netfilter/xt_REDIRECT.c
+++ b/net/netfilter/xt_REDIRECT.c
@@ -40,7 +40,13 @@ static int redirect_tg6_checkentry(const struct 
xt_tgchk_param *par)
 
if (range->flags & NF_NAT_RANGE_MAP_IPS)
return -EINVAL;
-   return 0;
+
+   return nf_ct_netns_get(par->net, par->family);
+}
+
+static void redirect_tg_destroy(const struct xt_tgdtor_param *par)
+{
+   nf_ct_netns_put(par->net, par->family);
 }
 
 /* FIXME: Take multiple ranges --RR */
@@ -56,7 +62,7 @@ static int redirect_tg4_check(const struct xt_tgchk_param 
*par)
pr_debug("bad rangesize %u.\n", mr->rangesize);
return -EINVAL;
}
-   return 0;
+   return nf_ct_netns_get(par->net, par->family);
 }
 
 static unsigned int
@@ -72,6 +78,7 @@ static struct xt_target redirect_tg_reg[] __read_mostly = {
.revision   = 0,
.table  = "nat",

[PATCH nf-next 1/7] conntrack: remove unused init_net hook

2016-11-15 Thread Florian Westphal
since adf0516845bcd0 ("netfilter: remove ip_conntrack* sysctl compat code")
the only user (ipv4 tracker) sets this to an empty stub function.

After this change nf_ct_l3proto_pernet_register() is also empty,
but this will change in a followup patch to add conditional register
of the hooks.

Signed-off-by: Florian Westphal 
---
 include/net/netfilter/nf_conntrack_l3proto.h   | 3 ---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 --
 net/netfilter/nf_conntrack_proto.c | 8 
 3 files changed, 17 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_l3proto.h 
b/include/net/netfilter/nf_conntrack_l3proto.h
index 8992e4229da9..cf8f3dfd810d 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -63,9 +63,6 @@ struct nf_conntrack_l3proto {
 
size_t nla_size;
 
-   /* Init l3proto pernet data */
-   int (*init_net)(struct net *net);
-
/* Module (if any) which this is connected to. */
struct module *me;
 };
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 7130ed5dc1fa..823cf3331b9d 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -307,11 +307,6 @@ static struct nf_sockopt_ops so_getorigdst = {
.owner  = THIS_MODULE,
 };
 
-static int ipv4_init_net(struct net *net)
-{
-   return 0;
-}
-
 struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
.l3proto = PF_INET,
.name= "ipv4",
@@ -325,7 +320,6 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 
__read_mostly = {
.nlattr_to_tuple = ipv4_nlattr_to_tuple,
.nla_policy  = ipv4_nla_policy,
 #endif
-   .init_net= ipv4_init_net,
.me  = THIS_MODULE,
 };
 
diff --git a/net/netfilter/nf_conntrack_proto.c 
b/net/netfilter/nf_conntrack_proto.c
index 9bd34647225a..b218e70b2f74 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -193,14 +193,6 @@ EXPORT_SYMBOL_GPL(nf_ct_l3proto_register);
 int nf_ct_l3proto_pernet_register(struct net *net,
  struct nf_conntrack_l3proto *proto)
 {
-   int ret;
-
-   if (proto->init_net) {
-   ret = proto->init_net(net);
-   if (ret < 0)
-   return ret;
-   }
-
return 0;
 }
 EXPORT_SYMBOL_GPL(nf_ct_l3proto_pernet_register);
-- 
2.7.3



[PATCH v4 nf-next 2/7] netfilter: add and use nf_ct_netns_get/put

2016-11-15 Thread Florian Westphal
currently aliased to try_module_get/_put.
Will be changed in next patch when we add functions to make use of ->net
argument to store usercount per l3proto tracker.

This is needed to avoid registering the conntrack hooks in all netns and
later only enable connection tracking in those that need conntrack.

Signed-off-by: Florian Westphal 
---
 No changes since v3.

 include/net/netfilter/nf_conntrack.h |  4 
 net/ipv4/netfilter/ipt_CLUSTERIP.c   |  4 ++--
 net/ipv4/netfilter/ipt_SYNPROXY.c|  4 ++--
 net/ipv6/netfilter/ip6t_SYNPROXY.c   |  4 ++--
 net/netfilter/nf_conntrack_proto.c   | 12 
 net/netfilter/nft_ct.c   | 26 +-
 net/netfilter/xt_CONNSECMARK.c   |  4 ++--
 net/netfilter/xt_CT.c|  6 +++---
 net/netfilter/xt_connbytes.c |  4 ++--
 net/netfilter/xt_connlabel.c |  6 +++---
 net/netfilter/xt_connlimit.c |  6 +++---
 net/netfilter/xt_connmark.c  |  8 
 net/netfilter/xt_conntrack.c |  4 ++--
 net/netfilter/xt_helper.c|  4 ++--
 net/netfilter/xt_state.c |  4 ++--
 15 files changed, 58 insertions(+), 42 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h 
b/include/net/netfilter/nf_conntrack.h
index 50418052a520..e1ab3b008510 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -181,6 +181,10 @@ static inline void nf_ct_put(struct nf_conn *ct)
 int nf_ct_l3proto_try_module_get(unsigned short l3proto);
 void nf_ct_l3proto_module_put(unsigned short l3proto);
 
+/* load module; enable/disable conntrack in this namespace */
+int nf_ct_netns_get(struct net *net, u8 nfproto);
+void nf_ct_netns_put(struct net *net, u8 nfproto);
+
 /*
  * Allocate a hashtable of hlist_head (if nulls == 0),
  * or hlist_nulls_head (if nulls == 1)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c 
b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 4a9e6db9df8d..2c3fe0697990 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -419,7 +419,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param 
*par)
}
cipinfo->config = config;
 
-   ret = nf_ct_l3proto_try_module_get(par->family);
+   ret = nf_ct_netns_get(par->net, par->family);
if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
@@ -444,7 +444,7 @@ static void clusterip_tg_destroy(const struct 
xt_tgdtor_param *par)
 
clusterip_config_put(cipinfo->config);
 
-   nf_ct_l3proto_module_put(par->family);
+   nf_ct_netns_get(par->net, par->family);
 }
 
 #ifdef CONFIG_COMPAT
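Review bot: The replacement line in clusterip_tg_destroy calls `nf_ct_netns_get(par->net, par->family);` where the removed line was a put; a destructor must release the reference, so it should read `nf_ct_netns_put(par->net, par->family);`. As written, every rule deletion takes an additional namespace reference instead of dropping one, so the per-netns conntrack usage count can never fall back to zero and the hooks (or module) will never be unregistered. The synproxy hunks in the same patch show the intended pairing: get in check, put in destroy. clusterip_tg_destroy's body begins outside the hunk.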
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c 
b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 361411688221..30c0de53e254 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -418,12 +418,12 @@ static int synproxy_tg4_check(const struct xt_tgchk_param 
*par)
e->ip.invflags & XT_INV_PROTO)
return -EINVAL;
 
-   return nf_ct_l3proto_try_module_get(par->family);
+   return nf_ct_netns_get(par->net, par->family);
 }
 
 static void synproxy_tg4_destroy(const struct xt_tgdtor_param *par)
 {
-   nf_ct_l3proto_module_put(par->family);
+   nf_ct_netns_put(par->net, par->family);
 }
 
 static struct xt_target synproxy_tg4_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c 
b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 99a1216287c8..98c8dd38575a 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -440,12 +440,12 @@ static int synproxy_tg6_check(const struct xt_tgchk_param 
*par)
e->ipv6.invflags & XT_INV_PROTO)
return -EINVAL;
 
-   return nf_ct_l3proto_try_module_get(par->family);
+   return nf_ct_netns_get(par->net, par->family);
 }
 
 static void synproxy_tg6_destroy(const struct xt_tgdtor_param *par)
 {
-   nf_ct_l3proto_module_put(par->family);
+   nf_ct_netns_put(par->net, par->family);
 }
 
 static struct xt_target synproxy_tg6_reg __read_mostly = {
diff --git a/net/netfilter/nf_conntrack_proto.c 
b/net/netfilter/nf_conntrack_proto.c
index b218e70b2f74..948f1e2fc80b 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -125,6 +125,18 @@ void nf_ct_l3proto_module_put(unsigned short l3proto)
 }
 EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);
 
+int nf_ct_netns_get(struct net *net, u8 nfproto)
+{
+   return nf_ct_l3proto_try_module_get(nfproto);
+}
+EXPORT_SYMBOL_GPL(nf_ct_netns_get);
+
+void nf_ct_netns_put(struct net *net, u8 nfproto)
+{
+   nf_ct_l3proto_module_put(nfproto);
+}
+EXPORT_SYMBOL_GPL(nf_ct_netns_put);
+
 struct nf_conntrack_l4proto *
 nf_ct_l4proto_find_get(u_int16_t l3num, u_int8_t l4num)
 {
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 6837348c8993..e6baeaebe653 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter

Re: [PATCH] erec: Make error messages in nft consistent

2016-11-15 Thread Pablo Neira Ayuso
On Tue, Nov 15, 2016 at 08:50:10PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Nov 15, 2016 at 05:22:38PM -0200, Elise Lennion wrote:
> > Error messages in nft should start with "syntax error" to keep
> > consistency. A new function add_syntax_error() was created to add this
> > prefix when necessary.
> 
> Probably you can just add EREC_SYNTAX_ERROR to enum
> error_record_types, then add:
> 
> #define syntax_error(loc, fmt, args...) \
>erec_create(EREC_SYNTA_ERROR, (loc), (fmt), ## args)

Actually, git grep "erec_queue(error(" tells me all:

erec_queue(error(...

occur in parser_bison.y, so we can just update #define error in erec.h

You will have to define something like __error, which doesn't include
the "syntax error" string, as bison is already including it in this
spot below:

static void yyerror(struct location *loc, void *scanner,
struct parser_state *state, const char *s)
{
erec_queue(__error(loc, "%s", s), state->msgs);
}

So it will be a simple patch in the end.

Thanks.


Re: [PATCH] erec: Make error messages in nft consistent

2016-11-15 Thread Pablo Neira Ayuso
On Tue, Nov 15, 2016 at 05:22:38PM -0200, Elise Lennion wrote:
> Error messages in nft should start with "syntax error" to keep
> consistency. A new function add_syntax_error() was created to add this
> prefix when necessary.

Probably you can just add EREC_SYNTAX_ERROR to enum
error_record_types, then add:

#define syntax_error(loc, fmt, args...) \
   erec_create(EREC_SYNTAX_ERROR, (loc), (fmt), ## args)

and use it from src/parser_bison.y

Thanks!


Re: [PATCH nf-next v2 1/4] netfilter: nf_conntrack_tuple_common.h: fix #include

2016-11-15 Thread Mikko Rapeli
On Tue, Nov 15, 2016 at 03:08:24PM +0100, Davide Caratti wrote:
> To allow usage of enum ip_conntrack_dir in include/net/netns/conntrack.h,
> this patch encloses #include  in a #ifndef __KERNEL__
> directive, so that compiler errors caused by unwanted inclusion of
> include/linux/netfilter.h are avoided.
> In addition, #include  line has
> been added to resolve correctly CTINFO2DIR macro.
> 
> Signed-off-by: Davide Caratti 

Acked-by: Mikko Rapeli 

-Mikko

> ---
>  include/uapi/linux/netfilter/nf_conntrack_tuple_common.h | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h 
> b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
> index a9c3834..526b424 100644
> --- a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
> +++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
> @@ -2,7 +2,10 @@
>  #define _NF_CONNTRACK_TUPLE_COMMON_H
>  
>  #include 
> +#ifndef __KERNEL__
>  #include 
> +#endif
> +#include  /* IP_CT_IS_REPLY */
>  
>  enum ip_conntrack_dir {
>   IP_CT_DIR_ORIGINAL,
> -- 
> 2.7.4
> 


[PATCH] erec: Make error messages in nft consistent

2016-11-15 Thread Elise Lennion
Error messages in nft should start with "syntax error" to keep
consistency. A new function add_syntax_error() was created to add this
prefix when necessary.

Signed-off-by: Elise Lennion 
---
 include/erec.h |  3 +++
 src/erec.c | 23 +++
 2 files changed, 26 insertions(+)

diff --git a/include/erec.h b/include/erec.h
index 36e0efa..82754e0 100644
--- a/include/erec.h
+++ b/include/erec.h
@@ -52,9 +52,12 @@ extern void erec_add_location(struct error_record *erec,
 #define warning(loc, fmt, args...) \
erec_create(EREC_WARNING, (loc), (fmt), ## args)
 
+extern void add_syntax_error(struct error_record *erec);
+
 static inline void erec_queue(struct error_record *erec,
  struct list_head *queue)
 {
+   add_syntax_error(erec);
list_add_tail(&erec->list, queue);
 }
 
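Review bot: erec_queue now prefixes every record it queues, so records created through the `warning()` macro a few lines up will also be reported as "syntax error, …" although they are not errors. Since add_syntax_error only sees the record, the cheapest guard is to test the record's kind before calling it, `if (erec->type != EREC_WARNING) add_syntax_error(erec);` (assuming the EREC_* value passed to erec_create is stored in a `type` member, to be confirmed in erec.h), or to apply the prefix only at the call sites that know a syntax error was produced. The rest of erec_queue is unchanged by the hunk.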
diff --git a/src/erec.c b/src/erec.c
index 3603216..e4d7aef 100644
--- a/src/erec.c
+++ b/src/erec.c
@@ -194,3 +194,26 @@ int __fmtstring(4, 5) __stmt_binary_error(struct eval_ctx 
*ctx,
erec_queue(erec, ctx->msgs);
return -1;
 }
+
+void add_syntax_error(struct error_record *erec){
+   if (erec) {
+   const char *stxmsg = "syntax error, ";
+   int mlen = strlen(erec->msg);
+   int slen = strlen(stxmsg);
+   char *tmp;
+
+   if (!strncmp(erec->msg, stxmsg, slen - 2))
+   return;
+
+   if (!mlen)
+   slen -= 2;
+
+   tmp = realloc(erec->msg, slen + mlen + 1);
+   if (tmp) {
+   erec->msg = tmp;
+   memmove(&(erec->msg[slen]), erec->msg, mlen);
+   memcpy(erec->msg, stxmsg, slen);
+   erec->msg[slen + mlen] = '\0';
+   }
+   }
+}
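Review bot: add_syntax_error calls `strlen(erec->msg)` without checking that the message is non-NULL, and stores the two lengths in `int mlen` / `int slen` although strlen returns size_t; a guard `if (!erec || !erec->msg) return;` plus `size_t` for both lengths avoids the NULL dereference and the sign conversion. The `realloc(erec->msg, …)` also presumes the message was heap-allocated by erec_create — if any caller can hand in a literal or a stack buffer, realloc on it is undefined behaviour, so that should be confirmed against erec_create. As a point of style, the opening brace in `void add_syntax_error(struct error_record *erec){` belongs on its own line to match the other function definitions in this file.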
-- 
2.7.4



Re: [PATCH nft 0/3] src: add nft log flags support

2016-11-15 Thread Liping Zhang
2016-11-15 6:21 GMT+08:00 Pablo Neira Ayuso :
> On Sun, Sep 25, 2016 at 05:06:58PM +0800, Liping Zhang wrote:
>> From: Liping Zhang 
>>
>> After NF_LOG_XXX is exposed to the userspace, we can set log flags to
>> log more things. The following iptables rule:
>>   # iptables -A OUTPUT -j LOG --log-tcp-sequence --log-tcp-options \
>>   --log-ip-options --log-uid --log-macdecode
>> is equal to the following nft rule:
>>   # nft add rule filter OUTPUT log tcpseq,tcpopt,ipopt,uid,macdecode
>
> Sorry, I wanted to have a closer look at this but time has been
> running up and I didn't manage to get back to this.
>
> So basically, I would like to explore different syntax for this, eg.
>
> log flags tcp sequence,options
> log flags ip options
> log flags skuid
> log flags ether

Yes, this syntax looks better, I will send V2 later based on your suggestions.

Thanks Pablo.

>
> I think syntax would be larger, but it would look more consistent to
> what we have. Worst case is to get them all set. We can provide a
> compact version for this:
>
> log flags all
>
> Please, see sketch patch attached for brainstorming.
>
> Would you have a look into this? Thanks and again sorry for not
> getting any sooner on this.


[PATCH nf-next v2 2/4] netfilter: conntrack: built-in support for DCCP

2016-11-15 Thread Davide Caratti
CONFIG_NF_CT_PROTO_DCCP is no longer a tristate. When set to y, connection
tracking support for DCCP protocol is built-in into nf_conntrack.ko.

footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_dccp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntrack_ipv6.ko

(builtin)||  dccp  |  ipv4  |  ipv6  | nf_conntrack
-+++++--
none || 469140 | 828755 | 828676 | 6141434
DCCP ||   -| 830566 | 829935 | 6533526

Signed-off-by: Davide Caratti 
---
 include/linux/netfilter/nf_conntrack_dccp.h|  2 +-
 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |  3 +
 include/net/netfilter/ipv6/nf_conntrack_ipv6.h |  3 +
 include/net/netns/conntrack.h  | 14 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  3 +
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |  3 +
 net/netfilter/Kconfig  |  6 +-
 net/netfilter/Makefile |  3 +-
 net/netfilter/nf_conntrack_proto_dccp.c| 79 --
 9 files changed, 41 insertions(+), 75 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_dccp.h 
b/include/linux/netfilter/nf_conntrack_dccp.h
index 40dcc82..ff721d7 100644
--- a/include/linux/netfilter/nf_conntrack_dccp.h
+++ b/include/linux/netfilter/nf_conntrack_dccp.h
@@ -25,7 +25,7 @@ enum ct_dccp_roles {
 #define CT_DCCP_ROLE_MAX   (__CT_DCCP_ROLE_MAX - 1)
 
 #ifdef __KERNEL__
-#include 
+#include 
 
 struct nf_ct_dccp {
u_int8_trole[IP_CT_DIR_MAX];
diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h 
b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index 981c327..c2f155f 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -15,6 +15,9 @@ extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4;
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4;
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4;
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;
+#endif
 
 int nf_conntrack_ipv4_compat_init(void);
 void nf_conntrack_ipv4_compat_fini(void);
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h 
b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index a4c9936..5ec66c0 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -6,6 +6,9 @@ extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6;
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6;
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6;
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;
+#endif
 
 #include 
 extern struct ctl_table nf_ct_ipv6_sysctl_table[];
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 3d06d94..440b781 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -6,6 +6,9 @@
 #include 
 #include 
 #include 
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+#include 
+#endif
 #include 
 
 struct ctl_table_header;
@@ -48,12 +51,23 @@ struct nf_icmp_net {
unsigned int timeout;
 };
 
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+struct nf_dccp_net {
+   struct nf_proto_net pn;
+   int dccp_loose;
+   unsigned int dccp_timeout[CT_DCCP_MAX + 1];
+};
+#endif
+
 struct nf_ip_net {
struct nf_generic_net   generic;
struct nf_tcp_net   tcp;
struct nf_udp_net   udp;
struct nf_icmp_net  icmp;
struct nf_icmp_net  icmpv6;
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+   struct nf_dccp_net  dccp;
+#endif
 };
 
 struct ct_pcpu {
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 7130ed5..cb3cf77 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -340,6 +340,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto4[] = {
&nf_conntrack_l4proto_tcp4,
&nf_conntrack_l4proto_udp4,
&nf_conntrack_l4proto_icmp,
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+   &nf_conntrack_l4proto_dccp4,
+#endif
 };
 
 static int ipv4_net_init(struct net *net)
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 
b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 500be28..f52338d 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -340,6 +340,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto6[] = {
&nf_conntrack_l4proto_tcp6,
&nf_conntrack_l4proto_udp6,
&nf_conntrack_l4proto_icmpv6,
+#ifdef CONFIG_NF_CT_PROTO_DCCP
+   &nf_conntrack_l4proto_dccp6,
+#endif
 };
 
 static int ipv6_net_init(struct net *net)
diff --git a/net/netfilter/Kconfig b/

[PATCH nf-next v2 3/4] netfilter: conntrack: built-in support for SCTP

2016-11-15 Thread Davide Caratti
CONFIG_NF_CT_PROTO_SCTP is no longer a tristate. When set to y, connection
tracking support for SCTP protocol is built-in into nf_conntrack.ko.

footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_sctp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntrack_ipv6.ko

(builtin)||  sctp  |  ipv4  |  ipv6  | nf_conntrack
-+++++--
none || 498243 | 828755 | 828676 | 6141434
SCTP ||   -| 829254 | 829175 | 6547872

Signed-off-by: Davide Caratti 
---
 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |  3 +
 include/net/netfilter/ipv6/nf_conntrack_ipv6.h |  3 +
 include/net/netns/conntrack.h  | 13 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  3 +
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |  3 +
 net/netfilter/Kconfig  |  7 +--
 net/netfilter/Makefile |  2 +-
 net/netfilter/nf_conntrack_proto_sctp.c| 76 +++---
 8 files changed, 38 insertions(+), 72 deletions(-)

diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h 
b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index c2f155f..5f1fc15 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -18,6 +18,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;
 #endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4;
+#endif
 
 int nf_conntrack_ipv4_compat_init(void);
 void nf_conntrack_ipv4_compat_fini(void);
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h 
b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index 5ec66c0..f70d191 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -9,6 +9,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;
 #endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6;
+#endif
 
 #include 
 extern struct ctl_table nf_ct_ipv6_sysctl_table[];
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 440b781..17724c6 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -9,6 +9,9 @@
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 #include 
 #endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+#include 
+#endif
 #include 
 
 struct ctl_table_header;
@@ -59,6 +62,13 @@ struct nf_dccp_net {
 };
 #endif
 
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+struct nf_sctp_net {
+   struct nf_proto_net pn;
+   unsigned int timeouts[SCTP_CONNTRACK_MAX];
+};
+#endif
+
 struct nf_ip_net {
struct nf_generic_net   generic;
struct nf_tcp_net   tcp;
@@ -68,6 +78,9 @@ struct nf_ip_net {
 #ifdef CONFIG_NF_CT_PROTO_DCCP
struct nf_dccp_net  dccp;
 #endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+   struct nf_sctp_net  sctp;
+#endif
 };
 
 struct ct_pcpu {
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index cb3cf77..0a9d354 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -343,6 +343,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto4[] = {
 #ifdef CONFIG_NF_CT_PROTO_DCCP
&nf_conntrack_l4proto_dccp4,
 #endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+   &nf_conntrack_l4proto_sctp4,
+#endif
 };
 
 static int ipv4_net_init(struct net *net)
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 
b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index f52338d..1d8daaf 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -343,6 +343,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto6[] = {
 #ifdef CONFIG_NF_CT_PROTO_DCCP
&nf_conntrack_l4proto_dccp6,
 #endif
+#ifdef CONFIG_NF_CT_PROTO_SCTP
+   &nf_conntrack_l4proto_sctp6,
+#endif
 };
 
 static int ipv6_net_init(struct net *net)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 27a3d8c..29c0bf0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -159,15 +159,14 @@ config NF_CT_PROTO_GRE
tristate
 
 config NF_CT_PROTO_SCTP
-   tristate 'SCTP protocol connection tracking support'
+   bool 'SCTP protocol connection tracking support'
depends on NETFILTER_ADVANCED
-   default IP_SCTP
+   default y
help
  With this option enabled, the layer 3 independent connection
  tracking code will be able to do state tracking on SCTP connections.
 
- If you want to compile it as a module, say M here and read
- .  If unsure, say `N'.
+ If unsure, say Y.
 
 config NF_CT_PROTO_UDPLITE
tristate 'UDP-Lite protocol conn

[PATCH nf-next v2 4/4] netfilter: conntrack: built-in support for UDPlite

2016-11-15 Thread Davide Caratti
CONFIG_NF_CT_PROTO_UDPLITE is no longer a tristate. When set to y,
connection tracking support for UDPlite protocol is built-in into
nf_conntrack.ko.

footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_udplite,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntrack_ipv6.ko

(builtin)|| udplite|  ipv4  |  ipv6  |nf_conntrack
-+++++--
none || 432538 | 828755 | 828676 | 6141434
UDPlite  ||   -| 829649 | 829362 | 6498204

Signed-off-by: Davide Caratti 
---
 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |  3 +
 include/net/netfilter/ipv6/nf_conntrack_ipv6.h |  3 +
 include/net/netns/conntrack.h  | 16 ++
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  3 +
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |  3 +
 net/netfilter/Kconfig  |  5 +-
 net/netfilter/Makefile |  2 +-
 net/netfilter/nf_conntrack_proto_udplite.c | 79 +++---
 8 files changed, 41 insertions(+), 73 deletions(-)

diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h 
b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index 5f1fc15..919e4e8 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -21,6 +21,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;
 #ifdef CONFIG_NF_CT_PROTO_SCTP
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4;
 #endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4;
+#endif
 
 int nf_conntrack_ipv4_compat_init(void);
 void nf_conntrack_ipv4_compat_fini(void);
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h 
b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index f70d191..eaea968 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -12,6 +12,9 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;
 #ifdef CONFIG_NF_CT_PROTO_SCTP
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6;
 #endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6;
+#endif
 
 #include 
 extern struct ctl_table nf_ct_ipv6_sysctl_table[];
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 17724c6..cf799fc 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -69,6 +69,19 @@ struct nf_sctp_net {
 };
 #endif
 
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+enum udplite_conntrack {
+   UDPLITE_CT_UNREPLIED,
+   UDPLITE_CT_REPLIED,
+   UDPLITE_CT_MAX
+};
+
+struct nf_udplite_net {
+   struct nf_proto_net pn;
+   unsigned int timeouts[UDPLITE_CT_MAX];
+};
+#endif
+
 struct nf_ip_net {
struct nf_generic_net   generic;
struct nf_tcp_net   tcp;
@@ -81,6 +94,9 @@ struct nf_ip_net {
 #ifdef CONFIG_NF_CT_PROTO_SCTP
struct nf_sctp_net  sctp;
 #endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+   struct nf_udplite_net   udplite;
+#endif
 };
 
 struct ct_pcpu {
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 0a9d354..22fce4f 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -346,6 +346,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto4[] = {
 #ifdef CONFIG_NF_CT_PROTO_SCTP
&nf_conntrack_l4proto_sctp4,
 #endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+   &nf_conntrack_l4proto_udplite4,
+#endif
 };
 
 static int ipv4_net_init(struct net *net)
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 
b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 1d8daaf..389f712 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -346,6 +346,9 @@ static struct nf_conntrack_l4proto *builtin_l4proto6[] = {
 #ifdef CONFIG_NF_CT_PROTO_SCTP
&nf_conntrack_l4proto_sctp6,
 #endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE
+   &nf_conntrack_l4proto_udplite6,
+#endif
 };
 
 static int ipv6_net_init(struct net *net)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 29c0bf0..def4be0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -169,14 +169,15 @@ config NF_CT_PROTO_SCTP
  If unsure, say Y.
 
 config NF_CT_PROTO_UDPLITE
-   tristate 'UDP-Lite protocol connection tracking support'
+   bool 'UDP-Lite protocol connection tracking support'
depends on NETFILTER_ADVANCED
+   default y
help
  With this option enabled, the layer 3 independent connection
  tracking code will be able to do state tracking on UDP-Lite
  connections.
 
- To compile it as a module, choose M here.  If unsure, say N.
+ If unsure, say Y.
 
 config NF_CONNTRACK_AMANDA
tristate "Amanda backup protocol support"
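Review bot: Switching NF_CT_PROTO_UDPLITE to `bool` with `default y` (the SCTP and DCCP patches in this series do the same) means the protocol tracker is compiled into nf_conntrack and registered for every build that keeps the default, whereas it previously had to be selected or loaded explicitly. The commit's own footprint table shows nf_conntrack growing by roughly 350 KB, and the per-protocol parser is now on the packet path for every user rather than only those who opted in. `default n`, or keeping the previous default expression, together with the updated help text would preserve the opt-in while still giving a built-in tracker to those who select it; this is a policy question for the maintainers rather than a defect in the hunk.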
diff --git

[PATCH nf-next v2 1/4] netfilter: nf_conntrack_tuple_common.h: fix #include

2016-11-15 Thread Davide Caratti
To allow usage of enum ip_conntrack_dir in include/net/netns/conntrack.h,
this patch encloses #include  in a #ifndef __KERNEL__
directive, so that compiler errors caused by unwanted inclusion of
include/linux/netfilter.h are avoided.
In addition, #include  line has
been added to resolve correctly CTINFO2DIR macro.

Signed-off-by: Davide Caratti 
---
 include/uapi/linux/netfilter/nf_conntrack_tuple_common.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h 
b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
index a9c3834..526b424 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
@@ -2,7 +2,10 @@
 #define _NF_CONNTRACK_TUPLE_COMMON_H
 
 #include 
+#ifndef __KERNEL__
 #include 
+#endif
+#include  /* IP_CT_IS_REPLY */
 
 enum ip_conntrack_dir {
IP_CT_DIR_ORIGINAL,
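Review bot: The new `#ifndef __KERNEL__` guard means kernel builds no longer receive include/linux/netfilter.h transitively through this UAPI header, so any in-tree user that relied on that transitive include now has to include it directly; the hunk cannot show whether the tree was checked for such users, and the commit message would be stronger if it said so. The trailing comment on the added include names IP_CT_IS_REPLY while the description justifies the include by CTINFO2DIR; `/* IP_CT_IS_REPLY, needed by CTINFO2DIR */` ties the two together for the next reader. The enum ip_conntrack_dir definition continues outside the hunk.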
-- 
2.7.4



[PATCH nf-next v2 0/4] netfilter: built-in conntrack support for DCCP, SCTP, UDPlite

2016-11-15 Thread Davide Caratti
When netfilter needs to match traffic made by one of the above protocols,
layer-4 connection tracking functionality will not be available, unless the
user explicly loads it in the kernel (e.g. "modprobe nf_conntrack_proto_sctp")
or modifies the default kernel configuration and rebuilds.
In order to remove such limitation, this series converts
CONFIG_NF_CT_PROTO_{DCCP,SCTP,UDPLITE} from tristate to boolean: in case
conntrack support for these protocols is enabled in the kernel configuration,
it will be built into nf_conntrack.ko.

Patch 1/4 fixes nf_conntrack_tuple_common.h to avoid compile-time errors
when moving module per-net private data.
Patches 2/4, 3/4 and 4/4 remove loadable kernel module support from DCCP,
SCTP and UDPlite respectively.

footprint test (nf-next.git, x86_64, RHEL7)

Patches 2/4 to 4/4 in this series have been individually tested on a
nf-next.git kernel with standard RHEL7 configuration on x86_64 architecture,
recording the unstripped binary size after module clean/rebuild:

$ ls -l net/netfilter/nf_conntrack{,_proto_{dccp,sctp,udplite}}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntrack_ipv6.ko

(builtin)||  dccp  |  sctp  |  udplite  |  ipv4  |  ipv6  | nf_conntrack
-++++---+++--
none || 469140 | 498243 |  432538   | 828755 | 828676 | 6141434
DCCP ||   -| 498987 |  432746   | 830566 | 829935 | 6533526
SCTP || 469276 |   -|  432690   | 829254 | 829175 | 6547872
UDPlite  || 469484 | 498587 |-  | 829649 | 829362 | 6498204
all  ||   -|   -|-  | 831999 | 831104 | 7298358

v2:
- patch 1/4: use #ifndef __KERNEL__ directive instead of just removing
"#include " line
- patch 1/4: reword commit message

Davide Caratti (4):
  netfilter: nf_conntrack_tuple_common.h: fix #include
  netfilter: conntrack: built-in support for DCCP
  netfilter: conntrack: built-in support for SCTP
  netfilter: conntrack: built-in support for UDPlite

 include/linux/netfilter/nf_conntrack_dccp.h|  2 +-
 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |  9 +++
 include/net/netfilter/ipv6/nf_conntrack_ipv6.h |  9 +++
 include/net/netns/conntrack.h  | 43 
 .../linux/netfilter/nf_conntrack_tuple_common.h|  3 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  9 +++
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |  9 +++
 net/netfilter/Kconfig  | 18 ++---
 net/netfilter/Makefile |  7 +-
 net/netfilter/nf_conntrack_proto_dccp.c| 79 +++---
 net/netfilter/nf_conntrack_proto_sctp.c| 76 +++--
 net/netfilter/nf_conntrack_proto_udplite.c | 79 +++---
 12 files changed, 123 insertions(+), 220 deletions(-)

-- 
2.7.4



RE: [PATCH 20/39] netfilter: ipset: Use kmalloc() in comment extension helper

2016-11-15 Thread David Laight
From: Pablo Neira Ayuso
> Sent: 13 November 2016 22:25
> Allocate memory with kmalloc() rather than kzalloc(): the string
> is immediately initialized so it is unnecessary to zero out
> the allocated memory area.
> 
> Ported from a patch proposed by Sergey Popovich .
> 
> Suggested-by: Sergey Popovich 
> Signed-off-by: Jozsef Kadlecsik 
> ---
>  include/linux/netfilter/ipset/ip_set_comment.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/netfilter/ipset/ip_set_comment.h
> b/include/linux/netfilter/ipset/ip_set_comment.h
> index bae5c7609be2..5444b1bbe656 100644
> --- a/include/linux/netfilter/ipset/ip_set_comment.h
> +++ b/include/linux/netfilter/ipset/ip_set_comment.h
> @@ -34,7 +34,7 @@ ip_set_init_comment(struct ip_set_comment *comment,
>   return;
>   if (unlikely(len > IPSET_MAX_COMMENT_SIZE))
>   len = IPSET_MAX_COMMENT_SIZE;
> - c = kzalloc(sizeof(*c) + len + 1, GFP_ATOMIC);
> + c = kmalloc(sizeof(*c) + len + 1, GFP_ATOMIC);
>   if (unlikely(!c))
>   return;
>   strlcpy(c->str, ext->comment, len + 1);
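Review bot: The switch to kmalloc() leaves no trace in the code of why zeroing is unnecessary, so a later reader can reasonably "fix" it back to kzalloc() or add a new member to the allocated struct without noticing that c->str is the only member this fragment writes; a comment beside the allocation, `/* kmalloc: c->str is fully written by strlcpy() below, no zeroing needed */`, keeps that invariant visible. The `+ 1` in the allocation size is what makes the strlcpy() bound of len + 1 fit the buffer, which is worth saying in the same comment. Where len comes from, and the rest of ip_set_init_comment(), is outside the quoted hunk.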

I think I'd do a memcpy() and zero the last byte.

Note that any other parts of 'c->' are no longer zeroed by this code fragment.

David


[GIT PULL nf-next 0/2] IPVS Updates for v4.10

2016-11-15 Thread Simon Horman
Hi Pablo,

please consider these enhancements to the IPVS for v4.10.

* Decrement the IP ttl in all the modes in order to prevent infinite
  route loops. Thanks to Dwip Banerjee.
* Use IS_ERR_OR_NULL macro. Clean-up from Gao Feng.


The following changes since commit 7d384846b9987f7b611357adf3cdfecfdcf0c402:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next (2016-11-13 
22:41:25 -0500)

are available in the git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git 
tags/ipvs-for-v4.10

for you to fetch changes up to 8d8e20e2d7bba8c50e64e0eca1cb83956f468e49:

  ipvs: Decrement ttl (2016-11-15 09:49:20 +0100)


Dwip Banerjee (1):
  ipvs: Decrement ttl

Gao Feng (1):
  ipvs: Use IS_ERR_OR_NULL(svc) instead of IS_ERR(svc) || svc == NULL

 net/netfilter/ipvs/ip_vs_ctl.c  |  2 +-
 net/netfilter/ipvs/ip_vs_xmit.c | 54 +
 2 files changed, 55 insertions(+), 1 deletion(-)


[PATCH nf-next 1/2] ipvs: Use IS_ERR_OR_NULL(svc) instead of IS_ERR(svc) || svc == NULL

2016-11-15 Thread Simon Horman
From: Gao Feng 

This minor refactoring does not change the logic of function
ip_vs_genl_dump_dests.

Signed-off-by: Gao Feng 
Acked-by: Julian Anastasov 
Signed-off-by: Simon Horman 
---
 net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 6b85ded4f91d..217e0105b5e0 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3260,7 +3260,7 @@ static int ip_vs_genl_dump_dests(struct sk_buff *skb,
 
 
svc = ip_vs_genl_find_service(ipvs, attrs[IPVS_CMD_ATTR_SERVICE]);
-   if (IS_ERR(svc) || svc == NULL)
+   if (IS_ERR_OR_NULL(svc))
goto out_err;
 
/* Dump the destinations */
-- 
2.7.0.rc3.207.g0ac5344



[PATCH nf-next 2/2] ipvs: Decrement ttl

2016-11-15 Thread Simon Horman
From: Dwip Banerjee 

We decrement the IP ttl in all the modes in order to prevent infinite
route loops. The changes were done based on Julian Anastasov's
suggestions in a prior thread.

The ttl based check/discard and the actual decrement are done in
__ip_vs_get_out_rt() and in __ip_vs_get_out_rt_v6(), for the IPv6
case. decrement_ttl() implements the actual functionality for the
two cases.

Signed-off-by: Dwip Banerjee 
Acked-by: Julian Anastasov 
Signed-off-by: Simon Horman 
---
 net/netfilter/ipvs/ip_vs_xmit.c | 54 +
 1 file changed, 54 insertions(+)

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 01d3d894de46..4e1a98fcc8c3 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -254,6 +254,54 @@ static inline bool ensure_mtu_is_adequate(struct 
netns_ipvs *ipvs, int skb_af,
return true;
 }
 
+static inline bool decrement_ttl(struct netns_ipvs *ipvs,
+int skb_af,
+struct sk_buff *skb)
+{
+   struct net *net = ipvs->net;
+
+#ifdef CONFIG_IP_VS_IPV6
+   if (skb_af == AF_INET6) {
+   struct dst_entry *dst = skb_dst(skb);
+
+   /* check and decrement ttl */
+   if (ipv6_hdr(skb)->hop_limit <= 1) {
+   /* Force OUTPUT device used as source address */
+   skb->dev = dst->dev;
+   icmpv6_send(skb, ICMPV6_TIME_EXCEED,
+   ICMPV6_EXC_HOPLIMIT, 0);
+   __IP6_INC_STATS(net, ip6_dst_idev(dst),
+   IPSTATS_MIB_INHDRERRORS);
+
+   return false;
+   }
+
+   /* don't propagate ttl change to cloned packets */
+   if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
+   return false;
+
+   ipv6_hdr(skb)->hop_limit--;
+   } else
+#endif
+   {
+   if (ip_hdr(skb)->ttl <= 1) {
+   /* Tell the sender its packet died... */
+   __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
+   icmp_send(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0);
+   return false;
+   }
+
+   /* don't propagate ttl change to cloned packets */
+   if (!skb_make_writable(skb, sizeof(struct iphdr)))
+   return false;
+
+   /* Decrease ttl */
+   ip_decrease_ttl(ip_hdr(skb));
+   }
+
+   return true;
+}
+
 /* Get route to destination or remote server */
 static int
 __ip_vs_get_out_rt(struct netns_ipvs *ipvs, int skb_af, struct sk_buff *skb,
@@ -326,6 +374,9 @@ __ip_vs_get_out_rt(struct netns_ipvs *ipvs, int skb_af, 
struct sk_buff *skb,
return local;
}
 
+   if (!decrement_ttl(ipvs, skb_af, skb))
+   goto err_put;
+
if (likely(!(rt_mode & IP_VS_RT_MODE_TUNNEL))) {
mtu = dst_mtu(&rt->dst);
} else {
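Review bot: In the IPv6 branch of decrement_ttl(), `dst` is taken from skb_dst(skb) and dereferenced (`dst->dev`, `ip6_dst_idev(dst)`) without a NULL check, and nothing in the hunk shows that every caller guarantees an skb reaching this point carries a dst; if that is not guaranteed for all hooks IPVS transmits from, `if (!dst) return false;` ahead of the hop-limit test is the cheap guard, and if it is guaranteed a one-line comment saying so would stop the next reader asking the same question. The helper also lacks a header comment although its return value drives a cleanup path in the callers: `/* Returns false when the packet must be dropped: TTL/hop limit exhausted (ICMP time-exceeded already sent) or the header could not be made writable. */` — whether the err_put label the callers jump to also frees the skb is outside the hunk. The same call is added for __ip_vs_get_out_rt_v6() in the following hunk, and both notes apply there too.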
@@ -473,6 +524,9 @@ __ip_vs_get_out_rt_v6(struct netns_ipvs *ipvs, int skb_af, 
struct sk_buff *skb,
return local;
}
 
+   if (!decrement_ttl(ipvs, skb_af, skb))
+   goto err_put;
+
/* MTU checking */
if (likely(!(rt_mode & IP_VS_RT_MODE_TUNNEL)))
mtu = dst_mtu(&rt->dst);
-- 
2.7.0.rc3.207.g0ac5344
