[PATCH nf-next v2 1/1] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-04-11 Thread gfree . wind
From: Gao Feng 

Current SYNPROXY code returns NF_DROP during normal TCP handshaking,
which is not friendly to the caller, because nf_hook_slow would treat
the NF_DROP as an error and return -EPERM.
As a result, it may cause the top caller to think it has met an error.

So use NF_STOLEN instead of NF_DROP now, because no error has
actually happened, and free the skb directly.

Signed-off-by: Gao Feng 
---
 v2: Add the check for synproxy_recv_client_ack, per Gao Feng,
 v1: initial version

 net/ipv4/netfilter/ipt_SYNPROXY.c  | 21 ++---
 net/ipv6/netfilter/ip6t_SYNPROXY.c | 20 ++--
 2 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c 
b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 3240a26..ab0f576 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -293,12 +293,16 @@
  XT_SYNPROXY_OPT_ECN);
 
synproxy_send_client_synack(net, skb, th, );
-   return NF_DROP;
-
+   consume_skb(skb);
+   return NF_STOLEN;
} else if (th->ack && !(th->fin || th->rst || th->syn)) {
/* ACK from client */
-   synproxy_recv_client_ack(net, skb, th, , ntohl(th->seq));
-   return NF_DROP;
+   if (synproxy_recv_client_ack(net, skb, th, , 
ntohl(th->seq))) {
+   consume_skb(skb);
+   return NF_STOLEN;
+   } else {
+   return NF_DROP;
+   }
}
 
return XT_CONTINUE;
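Review bot: In the client-ACK branch the `} else { return NF_DROP; }` is redundant, since the `if` body already ends with `return NF_STOLEN;`; a plain `return NF_DROP;` after the closing brace of the `if` reads more naturally and shortens the diff. The split itself is correct: `synproxy_send_client_synack()` and `synproxy_recv_client_ack()` do not free the skb (the old code relied on `NF_DROP` to do that), so `consume_skb()` must precede `NF_STOLEN` on the handled paths, while the failed-cookie case stays `NF_DROP` and keeps the previous behaviour for an ACK that does not carry a valid syncookie.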
@@ -367,10 +371,13 @@ static unsigned int ipv4_synproxy_hook(void *priv,
 * number match the one of first SYN.
 */
if (synproxy_recv_client_ack(net, skb, th, ,
-ntohl(th->seq) + 1))
+ntohl(th->seq) + 1)) {
this_cpu_inc(snet->stats->cookie_retrans);
-
-   return NF_DROP;
+   consume_skb(skb);
+   return NF_STOLEN;
+   } else {
+   return NF_DROP;
+   }
}
 
synproxy->isn = ntohl(th->ack_seq);
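Review bot: Same redundant `else` here: the `if` body ends with `return NF_STOLEN;`, so `return NF_DROP;` can follow the block directly. It would also help future readers to add a one-line comment on why `consume_skb()` is used rather than `kfree_skb()`: the verified cookie retransmit (the `cookie_retrans` path) was handled by the proxy, not rejected, so it should not be accounted as a drop, whereas an ACK that fails `synproxy_recv_client_ack()` still returns `NF_DROP` and is freed by the core as before.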
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c 
b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 4ef1ddd..6a4f49e 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -307,12 +307,17 @@
  XT_SYNPROXY_OPT_ECN);
 
synproxy_send_client_synack(net, skb, th, );
-   return NF_DROP;
+   consume_skb(skb);
+   return NF_STOLEN;
 
} else if (th->ack && !(th->fin || th->rst || th->syn)) {
/* ACK from client */
-   synproxy_recv_client_ack(net, skb, th, , ntohl(th->seq));
-   return NF_DROP;
+   if (synproxy_recv_client_ack(net, skb, th, , 
ntohl(th->seq))) {
+   consume_skb(skb);
+   return NF_STOLEN;
+   } else {
+   return NF_DROP;
+   }
}
 
return XT_CONTINUE;
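Review bot: The blank line after `return NF_STOLEN;` in the SYN branch is kept in this file but was removed in the corresponding ipt_SYNPROXY.c hunk; the two files should match, preferably without the blank line. Otherwise this mirrors the IPv4 change, including the redundant `else` after `return NF_STOLEN;` in the client-ACK branch, which can be a bare `return NF_DROP;` after the `if` block.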
@@ -388,10 +393,13 @@ static unsigned int ipv6_synproxy_hook(void *priv,
 * number match the one of first SYN.
 */
if (synproxy_recv_client_ack(net, skb, th, ,
-ntohl(th->seq) + 1))
+ntohl(th->seq) + 1)) {
this_cpu_inc(snet->stats->cookie_retrans);
-
-   return NF_DROP;
+   consume_skb(skb);
+   return NF_STOLEN;
+   } else {
+   return NF_DROP;
+   }
}
 
synproxy->isn = ntohl(th->ack_seq);
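Review bot: This is the fourth copy of the `consume_skb(skb); return NF_STOLEN;` versus `return NF_DROP;` sequence keyed on the result of `synproxy_recv_client_ack()`, identical between the IPv4 and IPv6 targets and hooks. Consider a small shared helper next to `synproxy_recv_client_ack()` that takes the skb and the boolean and returns the verdict, so the free-before-`NF_STOLEN` invariant lives in one place and a later fix does not have to be applied four times.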
-- 
1.9.1




--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH nf-next] ipvs: remove unused function ip_vs_set_state_timeout

2017-04-11 Thread Simon Horman
On Mon, Apr 10, 2017 at 03:50:44PM -0400, Aaron Conole wrote:
> There are no in-tree callers of this function and it isn't exported.
> 
> Signed-off-by: Aaron Conole 

Thanks, applied to ipvs-next.


Re: [PATCH iptables] extensions: libxt_hashlimit: fix 64-bit printf formats

2017-04-11 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 05:59:07PM +0200, Jan Engelhardt wrote:
> 
> On Saturday 2017-04-08 22:29, Pablo Neira Ayuso wrote:
> >> @@ -262,7 +262,7 @@ static uint64_t parse_burst(const char *burst, int 
> >> revision)
> >>if (v > max)
> >>xtables_error(PARAMETER_PROBLEM, "bad value for option "
> >>"\"--hashlimit-burst\", value \"%s\" too large "
> >> -  "(max %lumb).", burst, max/1024/1024);
> >> +  "(max %" PRIu64 "mb).", burst, max/1024/1024);
> >^  ^
> >
> >I can remove these whitespaces, right?
> 
> With my distro hat on:
> 
> Clumping these together like "foo"BAR"baz" has already caused compile failures
> in the broader scope of distributions (thousands of packages) because languages
> introduced new tokenization rules. Admittedly, this occurred in C++ (namely,
> user-defined string literals), but it does show that tokens which logically are
> separate should stay separate.

Existing code doesn't add spaces, so I would like us not to introduce
inconsistencies.