Re: [Bridge] [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state

2017-12-03 Thread Linus Lüssing
On Mon, Dec 04, 2017 at 05:53:35AM +0100, Linus Lüssing wrote:
> And so, no I do not have this patch. I looked at it now, but it
> does not seem to have any relation with .matchinfo, does it?

Relation between .usersize and .checkentry I meant, not
.usersize and .matchinfo.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state

2017-12-03 Thread Linus Lüssing
Hi Pablo,

Thanks for your reply!

On Tue, Nov 28, 2017 at 12:30:08AM +0100, Pablo Neira Ayuso wrote:
> [...]
> > diff --git a/net/bridge/netfilter/ebt_limit.c 
> > b/net/bridge/netfilter/ebt_limit.c
> > index 61a9f1be1263..f74b48633feb 100644
> > --- a/net/bridge/netfilter/ebt_limit.c
> > +++ b/net/bridge/netfilter/ebt_limit.c
> > @@ -69,6 +69,10 @@ static int ebt_limit_mt_check(const struct 
> > xt_mtchk_param *par)
> >  {
> > struct ebt_limit_info *info = par->matchinfo;
> >  
> > +   /* Do not reset state on unrelated table changes */
> > +   if (info->prev)
> > +   return 0;
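Review bot: the early `return 0` keyed on `info->prev` runs before whatever validation the rest of ebt_limit_mt_check() performs, and `prev` lives in the matchinfo that userspace passes in, so a nonzero `prev` supplied by userspace skips that validation entirely. With the .usersize change Pablo cites, the kernel-private tail of the matchinfo is no longer copied out to userspace, so a table read back from the kernel and resubmitted arrives with `prev == 0` and the shortcut never fires; on older kernels the field is simply whatever userspace sent. Preserving the limit state across unrelated table edits needs to key on something the kernel owns rather than on a userspace-controlled "already initialised" marker.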
> 
> What kernel version are you using? I suspect you don't have this
> applied?

I'm indeed using a 4.4.102 kernel, as LEDE is still in the process
of updating to 4.14. So 4.4 with LEDE is where I got the measurement
results from.

> 
> commit ec23189049651b16dc2ffab35a4371dc1f491aca
> Author: Willem de Bruijn 
> Date:   Mon Jan 2 17:19:46 2017 -0500
> 
> xtables: extend matches and targets with .usersize

And so, no I do not have this patch. I looked at it now, but it
does not seem to have any relation with .matchinfo, does it?

I also had a quick look at a 4.15-rc1 kernel in a VM now. I still
end up in ebt_limit_mt_check() with the variables being reset
when editing the table somewhere.

Regards, Linus


Re: [PATCH] doc: nft.8 aim for consistent synopses throughout

2017-12-03 Thread Florian Westphal
Duncan Roe  wrote:
> Single items in braces have the braces removed as per wiki Scripting:
> "It is simply overkill to define a set that only stores one single element".
> Items that were in braces or square brackets are made consistent, e.g. {family}
> expands to single word Ip, inet , but (type) in set spec expands to
> "type type_name ;".

Looks good, applied, thank you.


[PATCH] iptables: masquerade: add randomize-full support

2017-12-03 Thread Max Laverse
Hi,

It seems that the email I sent on Friday never made it to the mailing list.
That’s why I'm sending this new one to you. I hope you don’t mind and 
could forward it, if it still can't reach the mailing list. If the old one is
blocked somewhere, it can be deleted.

Thanks

--

There is a known race condition when allocating a port for masquerading that
can lead to insertion in the conntrack table to fail under heavy load, with an
increment of the insert_failed counter. The kernel supports the 
NF_NAT_RANGE_PROTO_RANDOM_FULLY flag since [1] which uses prandom_u32() to
choose the first port to try when looking for a free tuple. Using this flag
significantly reduces the number of insertion collision. This patch provides
the user space part to make randomize-full support available in iptables on the
MASQUERADE target as it was done for SNAT [2].

 [1] https://patchwork.ozlabs.org/patch/304306/
 [2] https://patchwork.ozlabs.org/patch/304447/


7d1ec25 iptables: masquerade: add randomize-full support
diff --git a/extensions/libip6t_MASQUERADE.c b/extensions/libip6t_MASQUERADE.c
index 3b59e43..f92760f 100644
--- a/extensions/libip6t_MASQUERADE.c
+++ b/extensions/libip6t_MASQUERADE.c
@@ -18,6 +18,7 @@
 enum {
O_TO_PORTS = 0,
O_RANDOM,
+   O_RANDOM_FULLY,
 };
 
 static void MASQUERADE_help(void)
@@ -27,12 +28,15 @@ static void MASQUERADE_help(void)
 " --to-ports [-]\n"
 "  Port (range) to map to.\n"
 " --random\n"
-"  Randomize source port.\n");
+"  Randomize source port.\n"
+" --random-fully\n"
+"  Fully randomize source port.\n");
 }
 
 static const struct xt_option_entry MASQUERADE_opts[] = {
{.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+   {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
XTOPT_TABLEEND,
 };
 
@@ -96,6 +100,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb)
case O_RANDOM:
r->flags |=  NF_NAT_RANGE_PROTO_RANDOM;
break;
+   case O_RANDOM_FULLY:
+   r->flags |=  NF_NAT_RANGE_PROTO_RANDOM_FULLY;
+   break;
}
 }
 
@@ -114,6 +121,9 @@ MASQUERADE_print(const void *ip, const struct 
xt_entry_target *target,
 
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" random");
+
+   if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+   printf(" random-fully");
 }
 
 static void
@@ -129,6 +139,9 @@ MASQUERADE_save(const void *ip, const struct 
xt_entry_target *target)
 
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" --random");
+
+   if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+   printf(" --random-fully");
 }
 
 static int MASQUERADE_xlate(struct xt_xlate *xl,
@@ -148,6 +161,10 @@ static int MASQUERADE_xlate(struct xt_xlate *xl,
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
xt_xlate_add(xl, "random ");
 
+   xt_xlate_add(xl, " ");
+   if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+   xt_xlate_add(xl, "random-fully ");
+
return 1;
 }
 
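Review bot: the unconditional `xt_xlate_add(xl, " ");` inserted ahead of the NF_NAT_RANGE_PROTO_RANDOM_FULLY test changes the nft translation of every rule, adding a stray space even when neither flag is set, and with both flags set the output reads `random  random-fully ` (double space, since `"random "` already ends in one). Drop that line and mirror the `--random` case directly above it:
    if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
        xt_xlate_add(xl, "random-fully ");
The libipt_MASQUERADE.c diff is cut off in this copy before its xlate hunk, so check that the IPv4 side gets the same form.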
diff --git a/extensions/libip6t_MASQUERADE.t b/extensions/libip6t_MASQUERADE.t
index 4650204..e25d2a0 100644
--- a/extensions/libip6t_MASQUERADE.t
+++ b/extensions/libip6t_MASQUERADE.t
@@ -2,6 +2,7 @@
 *nat
 -j MASQUERADE;=;OK
 -j MASQUERADE --random;=;OK
+-j MASQUERADE --random-fully;=;OK
 -p tcp -j MASQUERADE --to-ports 1024;=;OK
 -p udp -j MASQUERADE --to-ports 1024-65535;=;OK
 -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index b7b5fc7..90bf606 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -11,6 +11,7 @@
 enum {
O_TO_PORTS = 0,
O_RANDOM,
+   O_RANDOM_FULLY,
 };
 
 static void MASQUERADE_help(void)
@@ -20,12 +21,15 @@ static void MASQUERADE_help(void)
 " --to-ports [-]\n"
 "  Port (range) to map to.\n"
 " --random\n"
-"  Randomize source port.\n");
+"  Randomize source port.\n"
+" --random-fully\n"
+"  Fully randomize source port.\n");
 }
 
 static const struct xt_option_entry MASQUERADE_opts[] = {
{.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+   {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
XTOPT_TABLEEND,
 };
 
@@ -97,6 +101,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb)
case O_RANDOM:
mr->range[0].flags |=  NF_NAT_RANGE_PROTO_RANDOM;
break;
+   case O_RANDOM_FULLY:
+   mr->range[0].flags |=  NF_NAT_RANGE_PROTO_RANDOM_FULLY;
+   break;
}
 }
 
@@ 
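The port-allocation race and the effect of RANDOM_FULLY described in the patch text above, as a constructed Python model added here (not part of the iptables patch or of the kernel's allocator; the port range, batch sizes, rover handling and seed are assumptions):

```python
"""Constructed model of the masquerade port-allocation race (not kernel code).

Racing CPUs each pick a free source port from the same lock-free snapshot of
the conntrack table and then insert under the lock; a second insert of the
same port fails (insert_failed++). The default allocator starts every search
at a shared rover, so racing CPUs choose the same port; RANDOM_FULLY starts
each search at an independent pseudo-random offset.
"""
import random

PORT_MIN, PORT_MAX = 1024, 65535   # assumed masquerade port range
RANGE_SIZE = PORT_MAX - PORT_MIN + 1

def pick_port(snapshot, start_off):
    """Linear probe from start_off for a port not present in the snapshot."""
    for i in range(RANGE_SIZE):
        port = PORT_MIN + (start_off + i) % RANGE_SIZE
        if port not in snapshot:
            return port
    raise RuntimeError("port range exhausted")

def simulate(random_fully, batches=1000, racing_cpus=4, seed=1):
    """Run `batches` rounds of `racing_cpus` simultaneous allocations and
    return (insert_ok, insert_failed)."""
    rng = random.Random(seed)      # stands in for prandom_u32()
    used = set()                   # conntrack table: source ports in use
    rover = 0                      # shared next-start hint of the default mode
    ok = failed = 0
    for _ in range(batches):
        snapshot = frozenset(used)  # every CPU searches the same stale view
        if random_fully:
            offs = [rng.randrange(RANGE_SIZE) for _ in range(racing_cpus)]
        else:
            offs = [rover] * racing_cpus   # all CPUs read the same rover
        chosen = [pick_port(snapshot, off) for off in offs]
        for port in chosen:        # insertions serialize under the lock
            if port in used:
                failed += 1        # tuple already present: insert_failed++
            else:
                used.add(port)
                ok += 1
                if not random_fully:
                    rover = port - PORT_MIN   # winner advances the rover
    return ok, failed

if __name__ == "__main__":
    for mode in (False, True):
        print("random-fully" if mode else "default", *simulate(mode))
```

With the default allocator every batch of four racing CPUs produces one success and three insert failures; with independent random start offsets the collision count over the same workload stays near zero.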

[PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks

2017-12-03 Thread Kevin Cernekee
The capability check in nfnetlink_rcv() verifies that the caller
has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
However, nfnl_cthelper_list is shared by all net namespaces on the
system.  An unprivileged user can create user and net namespaces
in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
check:

$ nfct helper list
nfct v1.4.4: netlink error: Operation not permitted
$ vpnns -- nfct helper list
{
.name = ftp,
.queuenum = 0,
.l3protonum = 2,
.l4protonum = 6,
.priv_data_len = 24,
.status = enabled,
};

Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.

Signed-off-by: Kevin Cernekee 
---
 net/netfilter/nfnetlink_cthelper.c | 10 ++
 1 file changed, 10 insertions(+)


I think xt_osf has the same issue with respect to xt_osf_fingers.
Also, it looks like nlmon devices created in an unprivileged netns can
see netlink activity from the init namespace.


diff --git a/net/netfilter/nfnetlink_cthelper.c 
b/net/netfilter/nfnetlink_cthelper.c
index 41628b393673..d33ce6d5ebce 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -17,6 +17,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 
@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock 
*nfnl,
struct nfnl_cthelper *nlcth;
int ret = 0;
 
+   if (!capable(CAP_NET_ADMIN))
+   return -EPERM;
+
if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
return -EINVAL;
 
@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock 
*nfnl,
struct nfnl_cthelper *nlcth;
bool tuple_set = false;
 
+   if (!capable(CAP_NET_ADMIN))
+   return -EPERM;
+
if (nlh->nlmsg_flags & NLM_F_DUMP) {
struct netlink_dump_control c = {
.dump = nfnl_cthelper_dump_table,
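Review bot: all three hunks use capable(), i.e. a check against the initial user namespace, where the surrounding nfnetlink path relies on the net-namespaced netlink_net_capable() the commit message describes; that is deliberate here because nfnl_cthelper_list is global, but nothing in the code says so. Add a one-line comment above the check (at least in nfnl_cthelper_new) stating that the helper list is not per-netns, so a later cleanup doesn't swap it for ns_capable(). Placing the check in nfnl_cthelper_get ahead of the NLM_F_DUMP branch gates both the dump and the single-lookup path, which matches the `nfct helper list` reproduction in the commit message.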
@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock 
*nfnl,
struct nfnl_cthelper *nlcth, *n;
int j = 0, ret;
 
+   if (!capable(CAP_NET_ADMIN))
+   return -EPERM;
+
if (tb[NFCTH_NAME])
helper_name = nla_data(tb[NFCTH_NAME]);
 
-- 
2.7.4
