Re: [Bridge] [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state
On Mon, Dec 04, 2017 at 05:53:35AM +0100, Linus Lüssing wrote:
> And so, no I do not have this patch. I looked at it now, but it
> does not seem to have any relation with .matchinfo, does it?

Relation between .usersize and .checkentry I meant, not .usersize and .matchinfo.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state
Hi Pablo,

Thanks for your reply!

On Tue, Nov 28, 2017 at 12:30:08AM +0100, Pablo Neira Ayuso wrote:
> [...]
> > diff --git a/net/bridge/netfilter/ebt_limit.c > > b/net/bridge/netfilter/ebt_limit.c > > index 61a9f1be1263..f74b48633feb 100644 > > --- a/net/bridge/netfilter/ebt_limit.c > > +++ b/net/bridge/netfilter/ebt_limit.c > > @@ -69,6 +69,10 @@ static int ebt_limit_mt_check(const struct > > xt_mtchk_param *par) > > { > > struct ebt_limit_info *info = par->matchinfo; > > > > + /* Do not reset state on unrelated table changes */ > > + if (info->prev) > > + return 0;
>
> What kernel version are you using? I suspect you don't have this
> applied?

I'm indeed using a 4.4.102 kernel, as LEDE is still in the process of updating to 4.14. So 4.4 with LEDE is where I got the measurement results from.

> commit ec23189049651b16dc2ffab35a4371dc1f491aca
> Author: Willem de Bruijn
> Date: Mon Jan 2 17:19:46 2017 -0500
>
> xtables: extend matches and targets with .usersize

And so, no I do not have this patch. I looked at it now, but it does not seem to have any relation with .matchinfo, does it?

I also had a quick look at a 4.15-rc1 kernel in a VM now. I still end up in ebt_limit_mt_check() with the variables being reset when editing the table somewhere.

Regards, Linus
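Review bot: the early `return 0` on `info->prev` in the quoted ebt_limit_mt_check() hunk makes a kernel-side decision on data that arrives in par->matchinfo from userspace, so any non-zero value sitting in the prev field of the submitted match data skips whatever validation and initialisation the rest of the check function performs; a checkentry routine should not trust a kernel-private field it has not itself written. If the goal is to keep the limit credit state across unrelated table changes, the .usersize mechanism Pablo refers to is the place to separate user-visible from kernel-private match data, rather than an early exit from the check.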
Re: [PATCH] doc: nft.8 aim for consistent synopses throughout
Duncan Roe wrote:
> Single items in braces have the braces removed as per wiki Scripting:
> "It is simply overkill to define a set that only stores one single element".
> Items that were in braces or square brackets are made consistent, e.g. {family}
> expands to single word ip, inet, but (type) in set spec expands to
> "type type_name ;".

Looks good, applied, thank you.
[PATCH] iptables: masquerade: add randomize-full support
Hi, It seems that the email I sent on Friday never made it to the mailing list. That’s why I'm sending this new one to you. I hope you don’t mind and could forward it, if it still can't reach the mailing list. If the old one is blocked somewhere, it can be deleted. Thanks -- There is a known race condition when allocating a port for masquerading that can lead to insertion in the conntrack table to fail under heavy load, with an increment of the insert_failed counter. The kernel supports the NF_NAT_RANGE_PROTO_RANDOM_FULLY flag since [1] which uses prandom_u32() to choose the first port to try when looking for a free tuple. Using this flag significantly reduces the number of insertion collision. This patch provides the user space part to make randomize-full support available in iptables on the MASQUERADE target as it was done for SNAT [2]. [1] https://patchwork.ozlabs.org/patch/304306/ [2] https://patchwork.ozlabs.org/patch/304447/ 7d1ec25 iptables: masquerade: add randomize-full support diff --git a/extensions/libip6t_MASQUERADE.c b/extensions/libip6t_MASQUERADE.c index 3b59e43..f92760f 100644 --- a/extensions/libip6t_MASQUERADE.c +++ b/extensions/libip6t_MASQUERADE.c @@ -18,6 +18,7 @@ enum { O_TO_PORTS = 0, O_RANDOM, + O_RANDOM_FULLY, }; static void MASQUERADE_help(void) @@ -27,12 +28,15 @@ static void MASQUERADE_help(void) " --to-ports [-]\n" " Port (range) to map to.\n" " --random\n" -" Randomize source port.\n"); +" Randomize source port.\n" +" --random-fully\n" +" Fully randomize source port.\n"); } static const struct xt_option_entry MASQUERADE_opts[] = { {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; 
@@ -96,6 +100,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb) case O_RANDOM: r->flags |= NF_NAT_RANGE_PROTO_RANDOM; break; + case O_RANDOM_FULLY: + r->flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; + break; } } @@ -114,6 +121,9 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target, if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" random"); + + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) + printf(" random-fully"); } static void @@ -129,6 +139,9 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target) if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" --random"); + + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) + printf(" --random-fully"); } static int MASQUERADE_xlate(struct xt_xlate *xl, @@ -148,6 +161,10 @@ static int MASQUERADE_xlate(struct xt_xlate *xl, if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) xt_xlate_add(xl, "random "); + xt_xlate_add(xl, " "); + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) + xt_xlate_add(xl, "random-fully "); + return 1; } diff --git a/extensions/libip6t_MASQUERADE.t b/extensions/libip6t_MASQUERADE.t index 4650204..e25d2a0 100644 --- a/extensions/libip6t_MASQUERADE.t +++ b/extensions/libip6t_MASQUERADE.t @@ -2,6 +2,7 @@ *nat -j MASQUERADE;=;OK -j MASQUERADE --random;=;OK +-j MASQUERADE --random-fully;=;OK -p tcp -j MASQUERADE --to-ports 1024;=;OK -p udp -j MASQUERADE --to-ports 1024-65535;=;OK -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c index b7b5fc7..90bf606 100644 --- a/extensions/libipt_MASQUERADE.c +++ b/extensions/libipt_MASQUERADE.c @@ -11,6 +11,7 @@ enum { O_TO_PORTS = 0, O_RANDOM, + O_RANDOM_FULLY, }; static void MASQUERADE_help(void) 
@@ -20,12 +21,15 @@ static void MASQUERADE_help(void) " --to-ports [-]\n" " Port (range) to map to.\n" " --random\n" -" Randomize source port.\n"); +" Randomize source port.\n" +" --random-fully\n" +" Fully randomize source port.\n"); } static const struct xt_option_entry MASQUERADE_opts[] = { {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; @@ -97,6 +101,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb) case O_RANDOM: mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM; break; + case O_RANDOM_FULLY: + mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; + break; } } @@
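Review bot: in the libip6t_MASQUERADE.c MASQUERADE_xlate hunk, `+ xt_xlate_add(xl, " ");` is emitted unconditionally, so every translated rule gains a stray space even when neither `--random` nor `--random-fully` is set, and `"random "` already carries its own trailing space; drop that line and keep only the conditional `xt_xlate_add(xl, "random-fully ");`, mirroring the existing `random` handling. The IPv4 side (libipt_MASQUERADE.c) is cut off here after the MASQUERADE_parse hunk, so its print, save and xlate changes cannot be checked from what is visible; libip6t_MASQUERADE.t gains a `-j MASQUERADE --random-fully;=;OK` case and the IPv4 test file should receive the same line. No man page change appears in the visible portion of the diff; the new option needs to be documented next to `--random`.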
[PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks
The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, nfnl_cthelper_list is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: $ nfct helper list nfct v1.4.4: netlink error: Operation not permitted $ vpnns -- nfct helper list { .name = ftp, .queuenum = 0, .l3protonum = 2, .l4protonum = 6, .priv_data_len = 24, .status = enabled, }; Add capable() checks in nfnetlink_cthelper, as this is cleaner than trying to generalize the solution. Signed-off-by: Kevin Cernekee--- net/netfilter/nfnetlink_cthelper.c | 10 ++ 1 file changed, 10 insertions(+) I think xt_osf has the same issue with respect to xt_osf_fingers. Also, it looks like nlmon devices created in an unprivileged netns can see netlink activity from the init namespace. diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c index 41628b393673..d33ce6d5ebce 100644 --- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, struct nfnl_cthelper *nlcth; int ret = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL; @@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, struct nfnl_cthelper *nlcth; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table, 
@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, struct nfnl_cthelper *nlcth, *n; int j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]); -- 2.7.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
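Review bot: the three `capable(CAP_NET_ADMIN)` checks in nfnl_cthelper_new(), nfnl_cthelper_get() and nfnl_cthelper_del() sit before any attribute handling, and in the get path before the NLM_F_DUMP branch, so the dump used by `nfct helper list` in the reproducer is covered as well; the commit message should state explicitly that capable(), which evaluates the capability against the initial user namespace, is chosen over ns_capable()/netlink_net_capable() because nfnl_cthelper_list is global rather than per-netns, so that a later cleanup does not "fix" it back to the namespace-scoped check. The xt_osf fingers list mentioned at the end of the message has the same shape of problem and a follow-up patch there should use the same check for consistency.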