[PATCH net] netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info

2017-08-09 Thread Xin Long
Commit 4440a2ab3b9f ("netfilter: synproxy: Check oom when adding synproxy
and seqadj ct extensions") wanted to drop the packet when it fails to add
seqadj ext due to no memory by checking if nfct_seqadj_ext_add returns
NULL.

But nfct_seqadj_ext_add() also returns NULL when the seqadj ext already
exists in the nf_conn. As a result, helper-based protocols (FTP in the
example below) stop working when both DNAT and SNAT are configured.

Li Shuang found this issue in the case:

Topo:
   ftp client   router  ftp server
  10.167.131.2  <-> 10.167.131.254  10.167.141.254 <-> 10.167.141.1

Rules:
  # iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j \
DNAT --to-destination 10.167.141.1
  # iptables -t nat -A POSTROUTING -o eth2 -p tcp -m tcp --dport 21 -j \
SNAT --to-source 10.167.141.254

In router, when both dnat and snat are added, nf_nat_setup_info will be
called twice. The packet can be dropped at the 2nd time for DNAT due to
seqadj ext is already added at the 1st time for SNAT.

This patch is to fix it by checking for seqadj ext existence before adding
it, so that the packet will not be dropped if seqadj ext already exists.

Note that as Florian mentioned, as a long term, we should review ext_add()
behaviour, it's better to return a pointer to the existing ext instead.

Fixes: 4440a2ab3b9f ("netfilter: synproxy: Check oom when adding synproxy and 
seqadj ct extensions")
Reported-by: Li Shuang 
Acked-by: Florian Westphal 
Signed-off-by: Xin Long 
---
 net/netfilter/nf_nat_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index eb54178..b1d3740 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -441,7 +441,7 @@ nf_nat_setup_info(struct nf_conn *ct,
else
ct->status |= IPS_DST_NAT;
 
-   if (nfct_help(ct))
+   if (nfct_help(ct) && !nfct_seqadj(ct))
if (!nfct_seqadj_ext_add(ct))
return NF_DROP;
}
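Review bot: The new condition silently relies on nfct_seqadj_ext_add() returning NULL for two unrelated reasons (allocation failure and "ext already present"), and nothing at the call site says so; a later reader is likely to drop the `!nfct_seqadj(ct)` half as redundant and reintroduce the packet drop. Add a comment on the changed line, `/* ext_add() also returns NULL if the ext exists already (2nd NAT setup, e.g. DNAT after SNAT) */`. Two nested brace-less ifs are also fragile; a single guard reads better: `if (nfct_help(ct) && !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct)) return NF_DROP;`. nf_nat_setup_info's body starts and ends outside the hunk.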
-- 
2.1.0



[conntrack-tools PATCH] conntrackd: remove warning for -S

2017-08-09 Thread Arturo Borrero Gonzalez
Remove the warning message for the -S option which has been deprecated for
years now.

Users calling conntrackd with this switch activated will now get an error.

Signed-off-by: Arturo Borrero Gonzalez 
---
 src/main.c |3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/main.c b/src/main.c
index 3b19160..7062e12 100644
--- a/src/main.c
+++ b/src/main.c
@@ -281,9 +281,6 @@ int main(int argc, char *argv[])
action = STATS;
}
break;
-   case 'S':
-   dlog(LOG_WARNING,"-S option is obsolete. Ignoring.");
-   break;
case 'n':
set_operation_mode(, REQUEST, argv);
action = REQUEST_DUMP;



[nft PATCH v4 1/3] netlink: Pass nlmsg flags from rule.c

2017-08-09 Thread Phil Sutter
There is no point in checking the value of excl in each called function.
Just do it in a single spot and pass the resulting flags.

Signed-off-by: Phil Sutter 
---
Changes since v3:
- Fix for 'insert rule' command.
---
 include/netlink.h | 10 -
 src/netlink.c | 64 +--
 src/rule.c| 26 +++---
 3 files changed, 48 insertions(+), 52 deletions(-)

diff --git a/include/netlink.h b/include/netlink.h
index 7865186b62767..ffbc51d352fa0 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -124,7 +124,7 @@ extern int netlink_replace_rule_batch(struct netlink_ctx 
*ctx,
 
 extern int netlink_add_chain(struct netlink_ctx *ctx, const struct handle *h,
 const struct location *loc,
-const struct chain *chain, bool excl);
+const struct chain *chain, uint32_t flags);
 extern int netlink_rename_chain(struct netlink_ctx *ctx, const struct handle 
*h,
const struct location *loc, const char *name);
 extern int netlink_delete_chain(struct netlink_ctx *ctx, const struct handle 
*h,
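Review bot: The new `uint32_t flags` parameter replaces a self-describing bool with an opaque bitmask, and none of the changed prototypes say which values are meaningful; a reader has to find the single spot in rule.c that the description says computes them. Suggest one comment above the first changed declaration, `/* flags: NLM_F_* nlmsg flags (e.g. NLM_F_EXCL), computed once by the caller in rule.c */`. The surrounding declarations appear wrapped by the mail client rather than by the patch.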
@@ -140,7 +140,7 @@ extern int netlink_flush_chain(struct netlink_ctx *ctx, 
const struct handle *h,
 
 extern int netlink_add_table(struct netlink_ctx *ctx, const struct handle *h,
 const struct location *loc,
-const struct table *table, bool excl);
+const struct table *table, uint32_t flags);
 extern int netlink_delete_table(struct netlink_ctx *ctx, const struct handle 
*h,
const struct location *loc);
 extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h,
@@ -153,7 +153,7 @@ extern int netlink_flush_table(struct netlink_ctx *ctx, 
const struct handle *h,
   const struct location *loc);
 
 extern int netlink_add_set(struct netlink_ctx *ctx, const struct handle *h,
-  struct set *set, bool excl);
+  struct set *set, uint32_t flags);
 extern int netlink_delete_set(struct netlink_ctx *ctx, const struct handle *h,
  const struct location *loc);
 extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h,
@@ -165,7 +165,7 @@ extern struct stmt *netlink_parse_set_expr(const struct set 
*set,
   const struct nftnl_expr *nle);
 
 extern int netlink_add_setelems(struct netlink_ctx *ctx, const struct handle 
*h,
-   const struct expr *expr, bool excl);
+   const struct expr *expr, uint32_t flags);
 extern int netlink_delete_setelems(struct netlink_ctx *ctx, const struct 
handle *h,
   const struct expr *expr);
 extern int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle 
*h,
@@ -179,7 +179,7 @@ extern int netlink_reset_objs(struct netlink_ctx *ctx, 
const struct handle *h,
  const struct location *loc, uint32_t type,
  bool dump);
 extern int netlink_add_obj(struct netlink_ctx *ctx, const struct handle *h,
-  struct obj *obj, bool excl);
+  struct obj *obj, uint32_t flags);
 extern int netlink_delete_obj(struct netlink_ctx *ctx, const struct handle *h,
  struct location *loc, uint32_t type);
 
diff --git a/src/netlink.c b/src/netlink.c
index ffdadfb19a4a3..26032f956aba6 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -597,7 +597,7 @@ void netlink_dump_chain(const struct nftnl_chain *nlc)
 static int netlink_add_chain_compat(struct netlink_ctx *ctx,
const struct handle *h,
const struct location *loc,
-   const struct chain *chain, bool excl)
+   const struct chain *chain, uint32_t flags)
 {
struct nftnl_chain *nlc;
int err;
@@ -618,7 +618,7 @@ static int netlink_add_chain_compat(struct netlink_ctx *ctx,
}
 
netlink_dump_chain(nlc);
-   err = mnl_nft_chain_add(ctx->nf_sock, nlc, excl ? NLM_F_EXCL : 0);
+   err = mnl_nft_chain_add(ctx->nf_sock, nlc, flags);
nftnl_chain_free(nlc);
 
if (err < 0)
@@ -630,7 +630,7 @@ static int netlink_add_chain_compat(struct netlink_ctx *ctx,
 static int netlink_add_chain_batch(struct netlink_ctx *ctx,
   const struct handle *h,
   const struct location *loc,
-  const struct chain *chain, bool excl)
+  const struct chain *chain, uint32_t flags)
 {
struct nftnl_chain *nlc;
int err;
@@ -654,8 +654,7 @@ static int netlink_add_chain_batch(struct netlink_ctx *ctx,

[nft PATCH v4 0/3] Implement --echo option

2017-08-09 Thread Phil Sutter
Long description of what it is and how it works in patch 3. Patch 1 is a
dependency to patch 2, Patch 3 adds a simple test suite which was
helpful during development.

Patch 1 from v3 has been applied already, so it is no longer present
here. Changelog for remaining patches is contained in them.

Phil Sutter (3):
  netlink: Pass nlmsg flags from rule.c
  Implement --echo option
  tests: Add a simple test suite for --echo option

 doc/nft.xml   | 10 ++
 include/netlink.h | 12 ---
 include/nftables.h|  1 +
 src/evaluate.c|  7 
 src/main.c| 11 +-
 src/mnl.c | 25 +++--
 src/netlink.c | 84 ---
 src/rule.c| 35 ++
 tests/echo/run-tests.sh   | 45 +++
 tests/echo/testcases/simple.t | 12 +++
 10 files changed, 183 insertions(+), 59 deletions(-)
 create mode 100755 tests/echo/run-tests.sh
 create mode 100644 tests/echo/testcases/simple.t

-- 
2.13.1



[nft PATCH v4 2/3] Implement --echo option

2017-08-09 Thread Phil Sutter
When used with add, insert or replace commands, nft tool will print
event notifications just like 'nft monitor' does for the same commands.

Apart from showing what a given command turns into in the rule set, this
allows a new rule's assigned handle to be retrieved reliably (when used
together with the --handle option).

Here are some examples of how it works:

| # nft --echo --handle add table ip t
| add table ip t
|
| # nft --echo --handle add chain ip t c \
|   '{ type filter hook forward priority 0; }'
| add chain ip t c { type filter hook forward priority 0; policy accept; }
|
| # nft --echo --handle add rule ip t c tcp dport '{22, 80}' accept
| add rule ip t c tcp dport { ssh, http } accept # handle 2
|
| # nft --echo --handle add set ip t ipset '{ type ipv4_addr; \
|   elements = { 192.168.0.1, 192.168.0.2 }; }'
| add set ip t ipset { type ipv4_addr; }
| add element ip t ipset { 192.168.0.1 }
| add element ip t ipset { 192.168.0.2 }

Signed-off-by: Phil Sutter 
---
Changes since v1:
- Drop extern declaration of unused variable echo_output.
- Reworded --echo description in man page a bit.

Changes since v2:
- Get rid of NFT_MSG_META_ECHO hack, just use -1 instead.
- Fix for unknown tag  in nft.xml.

Changes since v3:
- Reuse nft monitor code completely.
- Added missing cache updates when adding a rule or named object.
- Pass flags on to __do_add_setelems() so that anonymous set elements
  are cached as well.
- Drop long description of echo option from nft.8 since it doesn't apply
  anymore.
---
 doc/nft.xml| 10 ++
 include/netlink.h  |  2 ++
 include/nftables.h |  1 +
 src/evaluate.c |  7 +++
 src/main.c | 11 ++-
 src/mnl.c  | 25 +++--
 src/netlink.c  | 20 ++--
 src/rule.c |  9 +++--
 8 files changed, 78 insertions(+), 7 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 4d03a3dbc75bf..6c845013c088d 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -157,6 +157,16 @@ vi:ts=4 sw=4



+   -e, --echo
+   
+   
+   When inserting items into the 
ruleset using add,
+   insert or 
replace commands,
+   print notifications just like 
nft monitor.
+   
+   
+   
+   
-I, --includepath 
directory


diff --git a/include/netlink.h b/include/netlink.h
index ffbc51d352fa0..47ecef38f9e9d 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -222,4 +222,6 @@ extern int netlink_monitor(struct netlink_mon_handler 
*monhandler,
struct mnl_socket *nf_sock);
 bool netlink_batch_supported(struct mnl_socket *nf_sock);
 
+int netlink_echo_callback(const struct nlmsghdr *nlh, void *data);
+
 #endif /* NFTABLES_NETLINK_H */
diff --git a/include/nftables.h b/include/nftables.h
index 640d3c7e715d8..ca609015274a9 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -29,6 +29,7 @@ struct output_ctx {
unsigned int stateless;
unsigned int ip2name;
unsigned int handle;
+   unsigned int echo;
 };
 
 struct nft_ctx {
diff --git a/src/evaluate.c b/src/evaluate.c
index d24526fef2954..477fb54d51f26 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2962,6 +2962,9 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct 
cmd *cmd)
handle_merge(>set->handle, >handle);
return set_evaluate(ctx, cmd->set);
case CMD_OBJ_RULE:
+   ret = cache_update(ctx->nf_sock, cmd->op, ctx->msgs);
+   if (ret < 0)
+   return ret;
handle_merge(>rule->handle, >handle);
return rule_evaluate(ctx, cmd->rule);
case CMD_OBJ_CHAIN:
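Review bot: The added cache_update() in the CMD_OBJ_RULE arm runs on every `add rule`, not only when --echo is in effect, so each rule addition now pays for a ruleset dump even for callers that never print notifications. If the cache is only required for echo output (the changelog says these updates were added as "missing" for that feature), gating the call on the output context's echo flag would avoid the extra netlink round-trip — hedged, since the flag's field path is not visible in this hunk. A one-line why-comment above the call would also help, as the code gives no hint what the cache is needed for at this point. `ret` is presumably declared earlier in cmd_evaluate_add, whose start and end are outside the hunk.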
@@ -2975,6 +2978,10 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct 
cmd *cmd)
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
case CMD_OBJ_CT_HELPER:
+   ret = cache_update(ctx->nf_sock, cmd->op, ctx->msgs);
+   if (ret < 0)
+   return ret;
+
return 0;
default:
BUG("invalid command object type %u\n", cmd->obj);
diff --git a/src/main.c b/src/main.c
index 1535153ec815d..86862a1088e0c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -49,10 +49,11 @@ enum opt_vals {
OPT_IP2NAME = 'N',
OPT_DEBUG   = 'd',
OPT_HANDLE_OUTPUT   = 'a',
+   OPT_ECHO= 'e',
OPT_INVALID = '?',
 };
 
-#define OPTSTRING  "hvcf:iI:vnsNa"
+#define OPTSTRING 

[nft PATCH v4 3/3] tests: Add a simple test suite for --echo option

2017-08-09 Thread Phil Sutter
The fancy thing about this is that it uses the actual echo output to
undo the changes to the rule set.

Signed-off-by: Phil Sutter 
---
Changes since v3:
- Dropped undo logic completely, it is not feasible anymore.
- Changed testcase syntax to accommodate for rules which contain
  semi-colons.
- Call nft with '-nna' flags to avoid translating numbers into names and
  enable handle output for rules.
- Extend simple.t to test named sets as well.
---
 tests/echo/run-tests.sh   | 45 +++
 tests/echo/testcases/simple.t | 12 
 2 files changed, 57 insertions(+)
 create mode 100755 tests/echo/run-tests.sh
 create mode 100644 tests/echo/testcases/simple.t

diff --git a/tests/echo/run-tests.sh b/tests/echo/run-tests.sh
new file mode 100755
index 0..da7934d16965f
--- /dev/null
+++ b/tests/echo/run-tests.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+cd $(dirname $0)
+nft=../../src/nft
+nft_opts="-nn -a --echo"
+debug=false
+
+debug_echo() {
+   $debug || return
+
+   echo "$@"
+}
+
+trap "$nft flush ruleset" EXIT
+
+for testcase in testcases/*.t; do
+   echo "running tests from file $(basename $testcase)"
+   # files are like this:
+   #
+   # [;;]
+
+   $nft flush ruleset
+
+   while read line; do
+   [[ -z "$line" || "$line" == "#"* ]] && continue
+
+   # XXX: this only works if there is no semicolon in output
+   input="${line%;;*}"
+   output="${line##*;;}"
+
+   [[ -z $output ]] && output="$input"
+
+   debug_echo "calling '$nft $nft_opts $input'"
+   cmd_out=$($nft $nft_opts $input)
+   # strip trailing whitespace (happens when adding a named set)
+   cmd_out="${cmd_out% }"
+   debug_echo "got output '$cmd_out'"
+   [[ $cmd_out == $output ]] || {
+   echo "Warning: Output differs:"
+   echo "# nft $nft_opts $input"
+   echo "- $output"
+   echo "+ $cmd_out"
+   }
+   done <$testcase
+done
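Review bot: The script runs `$nft flush ruleset` against the live kernel ruleset before each test file and again in the EXIT trap, so running it on a host with firewall rules silently destroys them; at minimum a header comment should state that it needs root and must be run in a throwaway network namespace (e.g. under `unshare -n`), and a guard that refuses to run otherwise would be better. `while read line` should be `while read -r line` so backslashes in a testcase survive. The `[[ $cmd_out == $output ]]` comparison is deliberately unquoted so that `# handle *` in simple.t acts as a glob pattern; say so in a comment, `# unquoted on purpose: $output is a glob pattern (e.g. '# handle *')`, because the next person will quote it.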
diff --git a/tests/echo/testcases/simple.t b/tests/echo/testcases/simple.t
new file mode 100644
index 0..566fd7e0f8176
--- /dev/null
+++ b/tests/echo/testcases/simple.t
@@ -0,0 +1,12 @@
+add table ip t
+add chain ip t c
+
+# note the added handle output
+add rule ip t c accept;;add rule ip t c accept # handle *
+add rule ip t c tcp dport { 22, 80, 443 } accept;;add rule ip t c tcp dport { 
22, 80, 443 } accept # handle *
+
+add set ip t ipset { type ipv4_addr; }
+add element ip t ipset { 192.168.0.1 }
+
+# counter output comes with statistics
+add counter ip t cnt;;add counter ip t cnt *
-- 
2.13.1



[PATCH] netfilter: xt_NFLOG: use nf_log_packet instead of nfulnl_log_packet.

2017-08-09 Thread Taehee Yoo
nfulnl_log_packet() was exported so that the NFLOG target could log to the
nfnetlink_log user-space logger only. nf_log_packet() can now select the
proper logger by type (NF_LOG_TYPE_ULOG vs. NF_LOG_TYPE_LOG), so the direct
call and the exported symbol are no longer needed.

Signed-off-by: Taehee Yoo 
---
 include/net/netfilter/nfnetlink_log.h | 17 -
 net/netfilter/nfnetlink_log.c |  8 +++-
 net/netfilter/xt_NFLOG.c  | 15 +++
 3 files changed, 14 insertions(+), 26 deletions(-)
 delete mode 100644 include/net/netfilter/nfnetlink_log.h

diff --git a/include/net/netfilter/nfnetlink_log.h 
b/include/net/netfilter/nfnetlink_log.h
deleted file mode 100644
index 5ca3f14..000
--- a/include/net/netfilter/nfnetlink_log.h
+++ /dev/null
@@ -1,17 +0,0 @@
-#ifndef _KER_NFNETLINK_LOG_H
-#define _KER_NFNETLINK_LOG_H
-
-void
-nfulnl_log_packet(struct net *net,
- u_int8_t pf,
- unsigned int hooknum,
- const struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- const struct nf_loginfo *li_user,
- const char *prefix);
-
-#define NFULNL_COPY_DISABLED0xff
-
-#endif /* _KER_NFNETLINK_LOG_H */
-
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index c684ba9..0ea69fc 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -37,7 +37,6 @@
 #include 
 #include 
 #include 
-#include 
 
 #include 
 #include 
@@ -47,6 +46,7 @@
 #include "../bridge/br_private.h"
 #endif
 
+#define NFULNL_COPY_DISABLED   0xff
 #define NFULNL_NLBUFSIZ_DEFAULTNLMSG_GOODSIZE
 #define NFULNL_TIMEOUT_DEFAULT 100 /* every second */
 #define NFULNL_QTHRESH_DEFAULT 100 /* 100 packets */
@@ -618,7 +618,7 @@ static struct nf_loginfo default_loginfo = {
 };
 
 /* log handler for internal netfilter logging api */
-void
+static void
 nfulnl_log_packet(struct net *net,
  u_int8_t pf,
  unsigned int hooknum,
@@ -633,7 +633,7 @@ nfulnl_log_packet(struct net *net,
struct nfulnl_instance *inst;
const struct nf_loginfo *li;
unsigned int qthreshold;
-   unsigned int plen;
+   unsigned int plen = 0;
struct nfnl_log_net *log = nfnl_log_pernet(net);
const struct nfnl_ct_hook *nfnl_ct = NULL;
struct nf_conn *ct = NULL;
@@ -648,7 +648,6 @@ nfulnl_log_packet(struct net *net,
if (!inst)
return;
 
-   plen = 0;
if (prefix)
plen = strlen(prefix) + 1;
 
@@ -760,7 +759,6 @@ nfulnl_log_packet(struct net *net,
/* FIXME: statistics */
goto unlock_and_release;
 }
-EXPORT_SYMBOL_GPL(nfulnl_log_packet);
 
 static int
 nfulnl_rcv_nl_event(struct notifier_block *this,
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index c7f8958..1ed0cac 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -13,7 +13,6 @@
 #include 
 #include 
 #include 
-#include 
 
 MODULE_AUTHOR("Patrick McHardy ");
 MODULE_DESCRIPTION("Xtables: packet logging to netlink using NFLOG");
@@ -37,8 +36,9 @@ nflog_tg(struct sk_buff *skb, const struct xt_action_param 
*par)
if (info->flags & XT_NFLOG_F_COPY_LEN)
li.u.ulog.flags |= NF_LOG_F_COPY_LEN;
 
-   nfulnl_log_packet(net, xt_family(par), xt_hooknum(par), skb,
- xt_in(par), xt_out(par), , info->prefix);
+   nf_log_packet(net, xt_family(par), xt_hooknum(par), skb, xt_in(par),
+ xt_out(par), , "%s", info->prefix);
+
return XT_CONTINUE;
 }
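Review bot: `info->prefix` comes from the ruleset, i.e. it is user-supplied, and the only thing keeping it out of the format-string position is the literal `"%s"` on the new nf_log_packet() call; that is correct, but worth a comment so a future cleanup does not "simplify" it into `nf_log_packet(..., &li, info->prefix)`. Suggest `/* prefix is user-supplied: pass it as an argument, never as the format string */` above the call. The hunk also adds a stray blank line before `return XT_CONTINUE;`. nflog_tg's start is outside the hunk.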
 
@@ -50,7 +50,13 @@ static int nflog_tg_check(const struct xt_tgchk_param *par)
return -EINVAL;
if (info->prefix[sizeof(info->prefix) - 1] != '\0')
return -EINVAL;
-   return 0;
+
+   return nf_logger_find_get(par->family, NF_LOG_TYPE_ULOG);
+}
+
+static void nflog_tg_destroy(const struct xt_tgdtor_param *par)
+{
+   nf_logger_put(par->family, NF_LOG_TYPE_ULOG);
 }
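Review bot: nflog_tg_check now propagates nf_logger_find_get()'s error to rule insertion, so inserting an NFLOG rule fails (presumably with -ENOENT) whenever no NF_LOG_TYPE_ULOG logger is registered for `par->family`. The deleted header gave xt_NFLOG a hard symbol dependency on nfnetlink_log, so that module was always loaded alongside it; unless nf_logger_find_get() autoloads it for every family this target can be used with, this is a user-visible regression. Consider a fallback on failure, `if (ret) { request_module("nfnetlink_log"); ret = nf_logger_find_get(par->family, NF_LOG_TYPE_ULOG); }`, and a one-line comment on nflog_tg_destroy noting that it releases the reference taken in checkentry.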
 
 static struct xt_target nflog_tg_reg __read_mostly = {
@@ -58,6 +64,7 @@ static struct xt_target nflog_tg_reg __read_mostly = {
.revision   = 0,
.family = NFPROTO_UNSPEC,
.checkentry = nflog_tg_check,
+   .destroy= nflog_tg_destroy,
.target = nflog_tg,
.targetsize = sizeof(struct xt_nflog_info),
.me = THIS_MODULE,
-- 
2.9.3
