Re: [PATCH 00/23] Netfilter/IPVS updates for net-next

2017-11-07 Thread David Miller
From: Pablo Neira Ayuso 
Date: Tue,  7 Nov 2017 01:51:50 +0100

> The following patchset contains Netfilter/IPVS updates for your net-next
> tree, they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Pulled, thanks a lot!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-07 Thread Pablo Neira Ayuso
On Tue, Nov 07, 2017 at 11:58:40AM -0700, Subash Abhinov Kasiviswanathan wrote:
> >This breaks connection tracking for packets coming in via such
> >interfaces.
> >
> >Nowadays we only enable defrag in a network namespace if the ip/nftables
> >ruleset requires it, so this setting would be counter-productive.
[...]
> This usecase is run on an Android based device, so there will be only
> the init namespace. While the specific rmnet interfaces for wifi calling do
> not require conntrack / iptables, some other scenarios like NAT on other
> interfaces may trigger the load of the defrag module. Hence, we needed
> this interface specific way of preventing defrag.

We can probably skip defrag if explicit notrack is requested via rule.


Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-07 Thread Subash Abhinov Kasiviswanathan

> This breaks connection tracking for packets coming in via such
> interfaces.
>
> Nowadays we only enable defrag in a network namespace if the ip/nftables
> ruleset requires it, so this setting would be counter-productive.


Hi Florian

This usecase is run on an Android based device, so there will be only
the init namespace. While the specific rmnet interfaces for wifi calling do
not require conntrack / iptables, some other scenarios like NAT on other
interfaces may trigger the load of the defrag module. Hence, we needed
this interface specific way of preventing defrag.


> > An example of this usage is for fixing wifi calling on networks
> > where certain routers are configured to drop fragments explicitly.


> Yay...  does that happen for all frags or is this related to df bit
> somehow?


Based on our observations, the routers usually drop all fragmented
packets possibly for security reasons.

--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project


[PATCH v2] netfilter: nf_nat_snmp_basic: use asn1 decoder library

2017-11-07 Thread Taehee Yoo
The basic SNMP ALG parses the SNMP ASN.1 payload; however, since 2012 the
Linux kernel has provided an ASN.1 decoder library. If we use the ASN.1
decoder in /lib/asn1_decoder.c, we can remove about 1000 lines of ASN.1
parsing routines.

To use asn1_decoder.c, we should write a MIB file (nf_nat_snmp_basic.asn1);
then /script/asn1_compiler.c makes the *-asn1.c and *-asn1.h files at
compile time (nf_nat_snmp_basic-asn1.c, nf_nat_snmp_basic-asn1.h).
The nf_nat_snmp_basic.asn1 is made from RFC1155, RFC1157, RFC1902, RFC1905,
RFC2578 and RFC3416. Of course, that MIB file supports only the basic SNMP ALG.

The previous SNMP ALG mangles only the first octet of an IPv4 address,
but after this patch the SNMP ALG mangles the whole IPv4 address.
SNMPv3 is not supported.

I tested with SNMP commands such as snmpd, snmpwalk and snmptrap.

Signed-off-by: Taehee Yoo 
---

v2:
 - Add missing nf_nat_snmp_basic.asn1 file

v1:
 - Initial version


 net/ipv4/netfilter/Kconfig|1 +
 net/ipv4/netfilter/Makefile   |4 +-
 net/ipv4/netfilter/nf_nat_snmp_basic.asn1 |  198 +
 net/ipv4/netfilter/nf_nat_snmp_basic.c| 1172 ++---
 4 files changed, 262 insertions(+), 1113 deletions(-)
 create mode 100644 net/ipv4/netfilter/nf_nat_snmp_basic.asn1

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index c11eb17..346c474 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -148,6 +148,7 @@ config NF_NAT_SNMP_BASIC
depends on NF_CONNTRACK_SNMP
depends on NETFILTER_ADVANCED
default NF_NAT && NF_CONNTRACK_SNMP
+   select ASN1
---help---
 
  This module implements an Application Layer Gateway (ALG) for
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index f462fee..16c509c 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -26,8 +26,10 @@ obj-$(CONFIG_NF_REJECT_IPV4) += nf_reject_ipv4.o
 # NAT helpers (nf_conntrack)
 obj-$(CONFIG_NF_NAT_H323) += nf_nat_h323.o
 obj-$(CONFIG_NF_NAT_PPTP) += nf_nat_pptp.o
-obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
+nf_nat_snmp_basic-asn1.o := nf_nat_snmp_basic-asn1.c nf_nat_snmp_basic-asn1.h
+obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o nf_nat_snmp_basic-asn1.o
 obj-$(CONFIG_NF_NAT_MASQUERADE_IPV4) += nf_nat_masquerade_ipv4.o
+clean-files := nf_nat_snmp_basic-asn1.c nf_nat_snmp_basic-asn1.h
 
 # NAT protocols (nf_nat)
 obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o
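Review bot: the line `nf_nat_snmp_basic-asn1.o := nf_nat_snmp_basic-asn1.c nf_nat_snmp_basic-asn1.h` only defines a make variable named nf_nat_snmp_basic-asn1.o; it does not make the generated files a prerequisite of anything, so on a clean parallel build nf_nat_snmp_basic.c can be compiled before nf_nat_snmp_basic-asn1.h exists. Listing nf_nat_snmp_basic-asn1.o directly in `obj-$(CONFIG_NF_NAT_SNMP_BASIC)` also turns it into a second standalone module when the option is =m. The pattern used elsewhere in the tree (crypto/Makefile for its *-asn1 outputs) is a composite object plus an explicit `$(obj)/<user>.o: $(obj)/nf_nat_snmp_basic-asn1.h` dependency, and `clean-files +=` rather than `:=` so nothing already in that variable is overwritten.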
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.asn1 
b/net/ipv4/netfilter/nf_nat_snmp_basic.asn1
new file mode 100644
index 000..1e460fa
--- /dev/null
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.asn1
@@ -0,0 +1,198 @@
+Message ::=
+   SEQUENCE {
+   version
+   INTEGER ({snmp_version}),
+
+   community
+   OCTET STRING,
+
+   pdu
+   PDUs
+   }
+
+ObjectName ::=
+   OBJECT IDENTIFIER
+
+ObjectSyntax ::=
+   CHOICE {
+   simple
+   SimpleSyntax,
+
+   application-wide
+   ApplicationSyntax
+   }
+
+SimpleSyntax ::=
+   CHOICE {
+   integer-value
+   INTEGER,
+
+   string-value
+   OCTET STRING,
+
+   objectID-value
+   OBJECT IDENTIFIER
+   }
+
+ApplicationSyntax ::=
+   CHOICE {
+   ipAddress-value
+   IpAddress,
+
+   counter-value
+   Counter32,
+
+   timeticks-value
+   TimeTicks,
+
+   arbitrary-value
+   Opaque,
+
+   big-counter-value
+   Counter64,
+
+   unsigned-integer-value
+   Unsigned32
+   }
+
+IpAddress ::=
+   [APPLICATION 0]
+   IMPLICIT OCTET STRING OPTIONAL ({snmp_helper})
+
+Counter32 ::=
+   [APPLICATION 1]
+   IMPLICIT INTEGER OPTIONAL
+
+Unsigned32 ::=
+   [APPLICATION 2]
+   IMPLICIT INTEGER OPTIONAL
+
+TimeTicks ::=
+   [APPLICATION 3]
+   IMPLICIT INTEGER OPTIONAL
+
+Opaque ::=
+   [APPLICATION 4]
+   IMPLICIT OCTET STRING OPTIONAL
+
+Counter64 ::=
+   [APPLICATION 6]
+   IMPLICIT INTEGER OPTIONAL
+
+PDUs ::=
+   CHOICE {
+   get-request
+   GetRequest-PDU,
+
+   get-next-request
+   GetNextRequest-PDU,
+
+   get-bulk-request
+   GetBulkRequest-PDU,
+
+   response
+   Response-PDU,
+
+   trap
+   SNMPv1-Trap-PDU,
+
+   set-request
+   SetRequest-PDU,
+
+   inform-request
+   InformRequest-PDU,
+
+   snmpV2-trap
+ 
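Review bot: the hunk is cut off after `snmpV2-trap`, so the PDU definitions that follow cannot be reviewed from this post. On the visible part: `OPTIONAL` is a SEQUENCE-component modifier in ASN.1, not something a standalone type assignment such as `Counter32 ::= [APPLICATION 1] IMPLICIT INTEGER OPTIONAL` can carry; confirm the asn1 compiler accepts it or drop it from IpAddress, Counter32, Unsigned32, TimeTicks, Opaque and Counter64. The `({snmp_version})` action on `version` is the natural place to reject version 3 early, since the changelog says SNMPv3 is unsupported; a v3 message has a SEQUENCE where this grammar expects the community OCTET STRING, so relying on that later decode failure instead gives a less clear error.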
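The mangle point the changelog describes, as an added example that is not the kernel's nf_nat_snmp_basic code: a user-space C walk over the BER TLVs of an SNMPv1/v2c message that rewrites every [APPLICATION 0] IpAddress value in place, all four octets rather than only the first. The message bytes and the function names are constructed here, and the version check the `({snmp_version})` action would perform is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode a BER length at p (short form, or long form of 1-2 octets).
 * Returns the number of length octets consumed, 0 on malformed input. */
static size_t ber_len(const uint8_t *p, size_t avail, size_t *len)
{
	size_t n, i;
	if (avail < 1) return 0;
	if (p[0] < 0x80) { *len = p[0]; return 1; }  /* short form */
	n = p[0] & 0x7f;                              /* long form: n octets */
	if (n == 0 || n > 2 || avail < 1 + n) return 0; /* indefinite/oversized */
	for (*len = 0, i = 0; i < n; i++)
		*len = (*len << 8) | p[1 + i];
	return 1 + n;
}

/* Walk every TLV in buf[0..len), recursing into constructed types (bit 0x20
 * of the tag), and rewrite each [APPLICATION 0] IpAddress (tag 0x40) that
 * equals old_ip with new_ip, all four octets. Returns the number rewritten,
 * -1 if the encoding is malformed (bad length octets or length overrun). */
int mangle_ipaddr(uint8_t *buf, size_t len, const uint8_t old_ip[4],
		  const uint8_t new_ip[4])
{
	int count = 0, r;
	size_t off = 0, hl, vlen, voff;
	while (off < len) {
		hl = ber_len(buf + off + 1, len - off - 1, &vlen);
		if (!hl) return -1;
		voff = off + 1 + hl;
		if (vlen > len - voff) return -1;  /* value overruns the buffer */
		if (buf[off] & 0x20) {             /* SEQUENCE / PDU: descend */
			r = mangle_ipaddr(buf + voff, vlen, old_ip, new_ip);
			if (r < 0) return -1;
			count += r;
		} else if (buf[off] == 0x40 && vlen == 4 &&
			   !memcmp(buf + voff, old_ip, 4)) {
			memcpy(buf + voff, new_ip, 4); /* whole address, not octet 0 */
			count++;
		}
		off = voff + vlen;
	}
	return count;
}

/* Constructed sample, not captured traffic: SNMPv2c Response carrying one
 * varbind, OID 1.3.6.1.2.1.4.20.1 with IpAddress value 192.168.1.10. */
uint8_t sample_msg[] = {
	0x30, 0x2a, 0x02, 0x01, 0x01, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',
	0xa2, 0x1d, 0x02, 0x01, 0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30,
	0x12, 0x30, 0x10, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x04, 0x14,
	0x01, 0x40, 0x04, 0xc0, 0xa8, 0x01, 0x0a,
};
```

A truncated or over-long length octet makes the walk return -1 instead of reading past the buffer, which is the check a helper that rewrites packet payloads in place must never skip.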

[PATCH v2] netfilter: mark expected switch fall-throughs

2017-11-07 Thread Gustavo A. R. Silva
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.

Addresses-Coverity-ID: 1128839
Addresses-Coverity-ID: 1128840
Addresses-Coverity-ID: 115120
Addresses-Coverity-ID: 115121
Signed-off-by: Gustavo A. R. Silva 
---
Changes in v2:
 Replace code comments with "fall through" as suggested by Pablo Neira Ayuso.
 Add Coverity IDs to the changelog.

 net/netfilter/ipset/ip_set_core.c  | 2 +-
 net/netfilter/ipvs/ip_vs_proto_tcp.c   | 1 +
 net/netfilter/ipvs/ip_vs_proto_udp.c   | 1 +
 net/netfilter/nf_conntrack_h323_asn1.c | 3 +++
 net/netfilter/nft_cmp.c| 2 ++
 net/netfilter/x_tables.c   | 2 +-
 6 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_core.c 
b/net/netfilter/ipset/ip_set_core.c
index cf84f7b..d5a43ca 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1386,7 +1386,7 @@ ip_set_dump_start(struct sk_buff *skb, struct 
netlink_callback *cb)
goto next_set;
if (set->variant->uref)
set->variant->uref(set, cb, true);
-   /* Fall through and add elements */
+   /* fall through */
default:
rcu_read_lock_bh();
ret = set->variant->list(set, skb, cb);
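Review bot: the new comment drops the "add elements" half of the old one, which told a reader what the default case does on the fall-through path. The -Wimplicit-fallthrough=3 comment pattern in GCC accepts trailing text after a dash, so `/* fall through - add elements */` would keep both the marker and the explanation.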
diff --git a/net/netfilter/ipvs/ip_vs_proto_tcp.c 
b/net/netfilter/ipvs/ip_vs_proto_tcp.c
index 1c6e101..569631d 100644
--- a/net/netfilter/ipvs/ip_vs_proto_tcp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_tcp.c
@@ -315,6 +315,7 @@ tcp_csum_check(int af, struct sk_buff *skb, struct 
ip_vs_protocol *pp)
switch (skb->ip_summed) {
case CHECKSUM_NONE:
skb->csum = skb_checksum(skb, tcphoff, skb->len - tcphoff, 0);
+   /* fall through */
case CHECKSUM_COMPLETE:
 #ifdef CONFIG_IP_VS_IPV6
if (af == AF_INET6) {
diff --git a/net/netfilter/ipvs/ip_vs_proto_udp.c 
b/net/netfilter/ipvs/ip_vs_proto_udp.c
index 30e11cd..c15ef7c 100644
--- a/net/netfilter/ipvs/ip_vs_proto_udp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_udp.c
@@ -319,6 +319,7 @@ udp_csum_check(int af, struct sk_buff *skb, struct 
ip_vs_protocol *pp)
case CHECKSUM_NONE:
skb->csum = skb_checksum(skb, udphoff,
 skb->len - udphoff, 0);
+   /* fall through */
case CHECKSUM_COMPLETE:
 #ifdef CONFIG_IP_VS_IPV6
if (af == AF_INET6) {
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c 
b/net/netfilter/nf_conntrack_h323_asn1.c
index cf1bf26..c957fcf 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -250,12 +250,15 @@ static unsigned int get_uint(struct bitstr *bs, int b)
case 4:
v |= *bs->cur++;
v <<= 8;
+   /* fall through */
case 3:
v |= *bs->cur++;
v <<= 8;
+   /* fall through */
case 2:
v |= *bs->cur++;
v <<= 8;
+   /* fall through */
case 1:
v |= *bs->cur++;
break;
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index c2945eb..fa90a84 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -44,6 +44,7 @@ static void nft_cmp_eval(const struct nft_expr *expr,
case NFT_CMP_LT:
if (d == 0)
goto mismatch;
+   /* fall through */
case NFT_CMP_LTE:
if (d > 0)
goto mismatch;
@@ -51,6 +52,7 @@ static void nft_cmp_eval(const struct nft_expr *expr,
case NFT_CMP_GT:
if (d == 0)
goto mismatch;
+   /* fall through */
case NFT_CMP_GTE:
if (d < 0)
goto mismatch;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index a77dd51..7c1414e 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1397,7 +1397,7 @@ static void *xt_mttg_seq_next(struct seq_file *seq, void 
*v, loff_t *ppos,
trav->curr = trav->curr->next;
if (trav->curr != trav->head)
break;
-   /* fallthru, _stop will unlock */
+   /* fall through */
default:
return NULL;
}
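Review bot: the dropped half of this comment, `_stop will unlock`, is a locking hint: it tells a reader why the default case returns NULL without releasing anything itself. `/* fall through - _stop will unlock */` preserves it and still matches the -Wimplicit-fallthrough=3 comment pattern, which accepts text after a dash.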
-- 
2.7.4



[PATCH] [net-next] netfilter: add ifdef around ctnetlink_proto_size

2017-11-07 Thread Arnd Bergmann
This function is no longer marked 'inline', so we now get a warning
when it is unused:

net/netfilter/nf_conntrack_netlink.c:536:15: error: 'ctnetlink_proto_size' 
defined but not used [-Werror=unused-function]

We could mark it inline again, mark it __maybe_unused, or add an #ifdef
around the definition. I'm picking the third approach here since that
seems to be what the rest of the file has.

Fixes: 5caaed151a68 ("netfilter: conntrack: don't cache nlattr_tuple_size 
result in nla_size")
Signed-off-by: Arnd Bergmann 
---
 net/netfilter/nf_conntrack_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c 
b/net/netfilter/nf_conntrack_netlink.c
index 6e0adfefb9ed..59c08997bfdf 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -533,6 +533,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 
seq, u32 type,
return -1;
 }
 
+#if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || 
defined(CONFIG_NF_CONNTRACK_EVENTS)
 static size_t ctnetlink_proto_size(const struct nf_conn *ct)
 {
const struct nf_conntrack_l3proto *l3proto;
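Review bot: the #if guard duplicates by hand the conditions under which the callers of ctnetlink_proto_size() are compiled, and nothing ties the two together, so a future caller under a different option would fail with an undeclared function rather than a warning. A one-line comment on the #if naming the callers it tracks (or the `__maybe_unused` alternative the changelog mentions) would make the intent clear. The `#if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) ||` line also appears wrapped in the archive; verify the patch applies with it on a single line.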
@@ -552,6 +553,7 @@ static size_t ctnetlink_proto_size(const struct nf_conn *ct)
 
return len + len4;
 }
+#endif
 
 static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
 {
-- 
2.9.0



Re: [PATCH] netfilter: mark expected switch fall-throughs

2017-11-07 Thread Gustavo A. R. Silva

Hello Pablo,

Quoting Pablo Neira Ayuso :


Hi Gustavo,

On Thu, Oct 19, 2017 at 09:06:16AM -0500, Gustavo A. R. Silva wrote:
diff --git a/net/netfilter/ipset/ip_set_core.c  
b/net/netfilter/ipset/ip_set_core.c

index cf84f7b..72f654a 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1386,7 +1386,8 @@ ip_set_dump_start(struct sk_buff *skb, struct  
netlink_callback *cb)

goto next_set;
if (set->variant->uref)
set->variant->uref(set, cb, true);
-   /* Fall through and add elements */
+   /* add elements */
+   /* fall through */


Just replace this comment by /* fall through */, I think it's enough
to remember that this is intentional.


OK. Will do.




default:
rcu_read_lock_bh();
ret = set->variant->list(set, skb, cb);

[...]

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index d8571f4..fa5cdd0 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1382,7 +1382,8 @@ static void *xt_mttg_seq_next(struct seq_file  
*seq, void *v, loff_t *ppos,

trav->curr = trav->curr->next;
if (trav->curr != trav->head)
break;
-   /* fallthru, _stop will unlock */
+   /* _stop will unlock */


Same thing here, thanks!


OK. I will send v2 shortly.

Thanks for your comments
--
Gustavo A. R. Silva







Re: [PATCH] netfilter: nf_nat_snmp_basic: use asn1 decoder library

2017-11-07 Thread Taehee Yoo
2017-11-06 23:44 GMT+09:00 Pablo Neira Ayuso :
> On Sun, Oct 29, 2017 at 09:34:53PM +0900, Taehee Yoo wrote:
>> The basic SNMP ALG parse snmp ASN.1 payload
>> however, since 2012 linux kernel provide ASN.1 decoder library.
>> If we use ASN.1 decoder in the /lib/asn1_decoder.c, we can remove
>> about 1000 line of ASN.1 parsing routine.
>>
>> To use asn1_decoder.c, we should write mib file(nf_nat_snmp_basic.asn1)
>> then /script/asn1_compiler.c makes *-asn1.c and *-asn1.h file
>> at the compiletime.(nf_nat_snmp_basic-asn1.c, nf_nat_snmp_basic-asn1.h)
>> The nf_nat_snmp_basic.asn1 is made by RFC1155, RFC1157, RFC1902, RFC1905,
>> RFC2578, RFC3416. of course that mib file supports only the basic SNMP ALG.
>>
>> Previous SNMP ALG mangles only first octet of IPv4 address.
>> but after this patch, the SNMP ALG mangles whole IPv4 Address.
>> And SNMPv3 is not supported.
>>
>> I tested with snmp commands such as snmpd, snmpwalk, snmptrap.
>
> OK, something is missing here, I see no definition for
> nf_nat_snmp_basic_decoder.

I apologize for the incomplete patch.
I forgot to add the nf_nat_snmp_basic.asn1 file, so I will resend a v2 patch.
Thank you for the review!


Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-07 Thread Florian Westphal
Subash Abhinov Kasiviswanathan  wrote:
> Add a sysctl nf_ipv4_defrag_skip to skip defragmentation per
> interface. This is set 0 to preserve existing behavior (always
> defrag per interface).
> 
> This is useful for pure ipv4 forwarding scenarios (without NAT)
> in conjunction with xfrm. It appears that network stack defrags
> the packets and then forwards them to xfrm which then encrypts
> and then later fragments them on a different boundary compared
> to the source.

This breaks connection tracking for packets coming in via such
interfaces.

Nowadays we only enable defrag in a network namespace if the ip/nftables
ruleset requires it, so this setting would be counter-productive.

> An example of this usage is for fixing wifi calling on networks
> where certain routers are configured to drop fragments explicitly.

Yay...  does that happen for all frags or is this related to df bit
somehow?



[PATCH][V2] netfilter: remove redundant assignment to e

2017-11-07 Thread Colin King
From: Colin Ian King 

The assignment to variable e is redundant since the same assignment
occurs just a few lines later, hence it can be removed.  Cleans up
clang warning for arp_tables, ip_tables and ip6_tables:

warning: Value stored to 'e' is never read

Signed-off-by: Colin Ian King 
---
 net/ipv4/netfilter/arp_tables.c | 1 -
 net/ipv4/netfilter/ip_tables.c  | 1 -
 net/ipv6/netfilter/ip6_tables.c | 1 -
 3 files changed, 3 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f88221aebc9d..0c3c944a7b72 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -373,7 +373,6 @@ static int mark_source_chains(const struct xt_table_info 
*newinfo,
if (!xt_find_jump_offset(offsets, 
newpos,
 
newinfo->number))
return 0;
-   e = entry0 + newpos;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
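Review bot: the removed `e = entry0 + newpos;` is justified in the changelog by a later assignment that is not within this hunk's context, so a reader cannot verify from the diff alone that nothing between the removed line and that later assignment reads `e` (the `e->next_offset` shown is in the else branch and unaffected). Posting with wider context, or quoting the later assignment in the changelog, would let reviewers confirm the value really is never read. The same applies to the ip_tables.c and ip6_tables.c hunks below.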
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 4cbe5e80f3bf..2e0d339028bb 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -439,7 +439,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
if (!xt_find_jump_offset(offsets, 
newpos,
 
newinfo->number))
return 0;
-   e = entry0 + newpos;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f06e25065a34..1d7ae9366335 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -458,7 +458,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
if (!xt_find_jump_offset(offsets, 
newpos,
 
newinfo->number))
return 0;
-   e = entry0 + newpos;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
-- 
2.14.1
