Re: [PATCH][PING] Hide private symbols in libnfnetlink
On Thursday 2018-05-03 17:03, Yuri Gribov wrote: >Hi all, > >Here's the updated version of the patch. > >diff --git a/src/Makefile.am b/src/Makefile.am >index d0098cc..d91c9f7 100644 >--- a/src/Makefile.am >+++ b/src/Makefile.am >@@ -3,7 +3,8 @@ include $(top_srcdir)/Make_global.am > lib_LTLIBRARIES = libnfnetlink.la > > libnfnetlink_la_LDFLAGS = -Wc,-nostartfiles \ >--version-info $(LIBVERSION) >+-version-info $(LIBVERSION) \ >+-Wl,--version-script=$(srcdir)/nfnl.version > libnfnetlink_la_SOURCES = libnfnetlink.c iftable.c rtnl.c > > noinst_HEADERS = iftable.h rtnl.h Another additional line will be needed, EXTRA_libnfnetlink_la_DEPENDENCIES = nfnl.version otherwise the linker won't rerun if the .version file gets modified. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH iptables] extensions: libipt_DNAT: use size of nf_nat_range2 for rev2
On 03-05-18 21:40, Florian Westphal wrote: > DNAT tests fail on nf-next.git, kernel complains about target size > mismatch (40 vs 48), this fixes this for me. > > Fixes: 36976c4b5406 ("extensions: libipt_DNAT: support shifted portmap > ranges") > Signed-off-by: Florian Westphal> --- > extensions/libip6t_DNAT.c | 4 ++-- > extensions/libipt_DNAT.c | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c > index 2a7574b02444..89c5ceb15325 100644 > --- a/extensions/libip6t_DNAT.c > +++ b/extensions/libip6t_DNAT.c > @@ -393,8 +393,8 @@ static struct xtables_target dnat_tg_reg[] = { > .version= XTABLES_VERSION, > .family = NFPROTO_IPV6, > .revision = 2, > - .size = XT_ALIGN(sizeof(struct nf_nat_range)), > - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), > + .size = XT_ALIGN(sizeof(struct nf_nat_range2)), > + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), > .help = DNAT_help_v2, > .print = DNAT_print_v2, > .save = DNAT_save_v2, > diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c > index b89d3ca5f0d4..4907a2e83d06 100644 > --- a/extensions/libipt_DNAT.c > +++ b/extensions/libipt_DNAT.c > @@ -537,8 +537,8 @@ static struct xtables_target dnat_tg_reg[] = { > .version= XTABLES_VERSION, > .family = NFPROTO_IPV4, > .revision = 2, > - .size = XT_ALIGN(sizeof(struct nf_nat_range)), > - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), > + .size = XT_ALIGN(sizeof(struct nf_nat_range2)), > + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), > .help = DNAT_help_v2, > .print = DNAT_print_v2, > .save = DNAT_save_v2, Hi Florian, I'm going to verify, but that looks like a logical fix indeed. Thierry -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH iptables] extensions: libipt_DNAT: use size of nf_nat_range2 for rev2
DNAT tests fail on nf-next.git, kernel complains about target size mismatch (40 vs 48), this fixes this for me. Fixes: 36976c4b5406 ("extensions: libipt_DNAT: support shifted portmap ranges") Signed-off-by: Florian Westphal--- extensions/libip6t_DNAT.c | 4 ++-- extensions/libipt_DNAT.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c index 2a7574b02444..89c5ceb15325 100644 --- a/extensions/libip6t_DNAT.c +++ b/extensions/libip6t_DNAT.c @@ -393,8 +393,8 @@ static struct xtables_target dnat_tg_reg[] = { .version= XTABLES_VERSION, .family = NFPROTO_IPV6, .revision = 2, - .size = XT_ALIGN(sizeof(struct nf_nat_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .size = XT_ALIGN(sizeof(struct nf_nat_range2)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), .help = DNAT_help_v2, .print = DNAT_print_v2, .save = DNAT_save_v2, diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c index b89d3ca5f0d4..4907a2e83d06 100644 --- a/extensions/libipt_DNAT.c +++ b/extensions/libipt_DNAT.c @@ -537,8 +537,8 @@ static struct xtables_target dnat_tg_reg[] = { .version= XTABLES_VERSION, .family = NFPROTO_IPV4, .revision = 2, - .size = XT_ALIGN(sizeof(struct nf_nat_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .size = XT_ALIGN(sizeof(struct nf_nat_range2)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), .help = DNAT_help_v2, .print = DNAT_print_v2, .save = DNAT_save_v2, -- 2.16.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH net] ipvs: fix stats update from local clients
Local clients are not properly synchronized on 32-bit CPUs when updating stats (3.10+). Now it is possible estimation_timer (timer), a stats reader, to interrupt the local client in the middle of write_seqcount_{begin,end} sequence leading to loop (DEADLOCK). The same interrupt can happen from received packet (SoftIRQ) which updates the same per-CPU stats. Fix it by disabling BH while updating stats. Found with debug: WARNING: inconsistent lock state 4.17.0-rc2-00105-g35cb6d7-dirty #2 Not tainted inconsistent {IN-SOFTIRQ-R} -> {SOFTIRQ-ON-W} usage. ftp/2545 [HC0[0]:SC0[0]:HE1:SE1] takes: 86845479 (>seq#6){+.+-}, at: ip_vs_schedule+0x1c5/0x59e [ip_vs] {IN-SOFTIRQ-R} state was registered at: lock_acquire+0x44/0x5b estimation_timer+0x1b3/0x341 [ip_vs] call_timer_fn+0x54/0xcd run_timer_softirq+0x10c/0x12b __do_softirq+0xc1/0x1a9 do_softirq_own_stack+0x1d/0x23 irq_exit+0x4a/0x64 smp_apic_timer_interrupt+0x63/0x71 apic_timer_interrupt+0x3a/0x40 default_idle+0xa/0xc arch_cpu_idle+0x9/0xb default_idle_call+0x21/0x23 do_idle+0xa0/0x167 cpu_startup_entry+0x19/0x1b start_secondary+0x133/0x182 startup_32_smp+0x164/0x168 irq event stamp: 42213 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>seq#6); lock(>seq#6); *** DEADLOCK *** Fixes: ac69269a45e8 ("ipvs: do not disable bh for long time") Signed-off-by: Julian Anastasov--- net/netfilter/ipvs/ip_vs_core.c | 12 1 file changed, 12 insertions(+) diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 5f6f73c..0679dd1 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -119,6 +119,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb) struct ip_vs_cpu_stats *s; struct ip_vs_service *svc; + local_bh_disable(); + s = this_cpu_ptr(dest->stats.cpustats); u64_stats_update_begin(>syncp); s->cnt.inpkts++; @@ -137,6 +139,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb) s->cnt.inpkts++; s->cnt.inbytes += skb->len; u64_stats_update_end(>syncp); + + local_bh_enable(); } } @@ -151,6 +155,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb) struct ip_vs_cpu_stats *s; struct ip_vs_service *svc; + local_bh_disable(); + s = this_cpu_ptr(dest->stats.cpustats); u64_stats_update_begin(>syncp); s->cnt.outpkts++; @@ -169,6 +175,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb) s->cnt.outpkts++; s->cnt.outbytes += skb->len; u64_stats_update_end(>syncp); + + local_bh_enable(); } } @@ -179,6 +187,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc) struct netns_ipvs *ipvs = svc->ipvs; struct ip_vs_cpu_stats *s; + local_bh_disable(); + s = this_cpu_ptr(cp->dest->stats.cpustats); u64_stats_update_begin(>syncp); s->cnt.conns++; @@ -193,6 +203,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc) u64_stats_update_begin(>syncp); s->cnt.conns++; u64_stats_update_end(>syncp); + + local_bh_enable(); } -- 2.9.5 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH net] ipvs: fix refcount usage for conns in ops mode
Connections in One-packet scheduling mode (-o, --ops) are removed with refcnt=0 because they are not hashed in conn table. To avoid refcount_dec reporting this as error, change them to be removed with refcount_dec_if_one as all other connections. refcount_t hit zero at ip_vs_conn_put+0x31/0x40 [ip_vs] in sh[15519], uid/euid: 497/497 WARNING: CPU: 0 PID: 15519 at ../kernel/panic.c:657 refcount_error_report+0x94/0x9e Modules linked in: ip_vs_rr cirrus ttm sb_edac edac_core drm_kms_helper crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc mousedev drm aesni_intel aes_x86_64 crypto_simd glue_helper cryptd psmouse evdev input_leds led_class intel_agp fb_sys_fops syscopyarea sysfillrect intel_rapl_perf mac_hid intel_gtt serio_raw sysimgblt agpgart i2c_piix4 i2c_core ata_generic pata_acpi floppy cfg80211 rfkill button loop macvlan ip_vs nf_conntrack libcrc32c crc32c_generic ip_tables x_tables ipv6 crc_ccitt autofs4 ext4 crc16 mbcache jbd2 fscrypto ata_piix libata atkbd libps2 scsi_mod crc32c_intel i8042 rtc_cmos serio af_packet dm_mod dax fuse xen_netfront xen_blkfront CPU: 0 PID: 15519 Comm: sh Tainted: GW 4.15.17 #1-NixOS Hardware name: Xen HVM domU, BIOS 4.2.amazon 08/24/2006 RIP: 0010:refcount_error_report+0x94/0x9e RSP: :a344dde039c8 EFLAGS: 00010296 RAX: 0057 RBX: 92f20e06 RCX: 0006 RDX: 0007 RSI: 0086 RDI: a344dde165c0 RBP: a344dde03b08 R08: 0218 R09: 0004 R10: 93006a80 R11: 0001 R12: a344d68cd100 R13: 01f1 R14: 92f12fb0 R15: 0004 FS: 7fc9d2040fc0() GS:a344dde0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 0262a000 CR3: 16a0c004 CR4: 001606f0 Call Trace: ex_handler_refcount+0x4e/0x80 fixup_exception+0x33/0x40 do_trap+0x83/0x140 do_error_trap+0x83/0xf0 ? ip_vs_conn_drop_conntrack+0x120/0x1a5 [ip_vs] ? ip_finish_output2+0x29c/0x390 ? ip_finish_output2+0x1a2/0x390 invalid_op+0x1b/0x40 RIP: 0010:ip_vs_conn_put+0x31/0x40 [ip_vs] RSP: :a344dde03bb8 EFLAGS: 00010246 RAX: 0001 RBX: a344df31cf00 RCX: a344d7450198 RDX: 0003 RSI: fe01 RDI: a344d7450140 RBP: 0002 R08: 0476 R09: R10: a344dde03b28 R11: a344df20 R12: a344d7d09000 R13: a344def3a980 R14: c04f6e20 R15: 0008 ip_vs_in.part.29.constprop.36+0x34f/0x640 [ip_vs] ? ip_vs_conn_out_get+0xe0/0xe0 [ip_vs] ip_vs_remote_request4+0x47/0xa0 [ip_vs] ? ip_vs_in.part.29.constprop.36+0x640/0x640 [ip_vs] nf_hook_slow+0x43/0xc0 ip_local_deliver+0xac/0xc0 ? ip_rcv_finish+0x400/0x400 ip_rcv+0x26c/0x380 __netif_receive_skb_core+0x3a0/0xb10 ? inet_gro_receive+0x23c/0x2b0 ? netif_receive_skb_internal+0x24/0xb0 netif_receive_skb_internal+0x24/0xb0 napi_gro_receive+0xb8/0xe0 xennet_poll+0x676/0xb40 [xen_netfront] net_rx_action+0x139/0x3a0 __do_softirq+0xde/0x2b4 irq_exit+0xae/0xb0 xen_evtchn_do_upcall+0x2c/0x40 xen_hvm_callback_vector+0x7d/0x90 RIP: 0033:0x7fc9d11c91f9 RSP: 002b:7ffebe8a2ea0 EFLAGS: 0202 ORIG_RAX: ff0c RAX: RBX: 02609808 RCX: 0054 RDX: 0001 RSI: 02605440 RDI: 025f940e RBP: 025f940e R08: 0260213d R09: 1999 R10: 0262a808 R11: 025f942d R12: 025f940e R13: 7fc9d1301e20 R14: 025f9408 R15: 7fc9d1302720 Code: 48 8b 95 80 00 00 00 41 55 49 8d 8c 24 e0 05 00 00 45 8b 84 24 38 04 00 00 41 89 c1 48 89 de 48 c7 c7 a8 2f f2 92 e8 7c fa ff ff <0f> 0b 58 5b 5d 41 5c 41 5d c3 0f 1f 44 00 00 55 48 89 e5 41 56 Reported-by: Net FilterFixes: b54ab92b84b6 ("netfilter: refcounter conversions") Signed-off-by: Julian Anastasov --- net/netfilter/ipvs/ip_vs_conn.c | 17 ++--- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c index 370abbf..75de465 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c +++ b/net/netfilter/ipvs/ip_vs_conn.c @@ -232,7 +232,10 @@ static inline int ip_vs_conn_unhash(struct ip_vs_conn *cp) static inline bool ip_vs_conn_unlink(struct ip_vs_conn *cp) { unsigned int hash; - bool ret; + bool ret = false; + + if (cp->flags & IP_VS_CONN_F_ONE_PACKET) + return refcount_dec_if_one(>refcnt); hash = ip_vs_conn_hashkey_conn(cp); @@ -240,15 +243,13 @@ static inline bool ip_vs_conn_unlink(struct ip_vs_conn *cp) spin_lock(>lock); if (cp->flags & IP_VS_CONN_F_HASHED) { - ret = false; /* Decrease refcnt and unlink conn only if we are last user */ if (refcount_dec_if_one(>refcnt)) { hlist_del_rcu(>c_list); cp->flags &=
[PATCH][PING] Hide private symbols in libnfnetlink
Hi all, Here's the updated version of the patch. -Y 0001-Hide-private-symbols-v4.patch Description: Binary data
[PATCH] netfilter: nf_queue: Replace conntrack entry
SKBs are assigned a conntrack entry before being passed to any NFQUEUEs, and if no entry is found then a new one is created. This behavior causes problems for some traffic patterns. For example, if two UDP packets to/from the same host (using the same ports) arrive at the "same" time, both are assigned a new conntrack entry. After the first packet have traversed all chains, the conntrack entry will be inserted into the global table. The second packet will then be dropped during the insertion step, as an entry for the same flow already exists. One type of application that frequently generates this traffic pattern, is DNS resolvers. This commit introduces a new function that checks, and potentially replaces, the conntrack entry for any additional "new" SKBs mapping to an existing flow. While not a perfect solution, there are still situations where to-be-dropped SKBs can slip through, the situations is improved considerably. On the routers I have used for testing, packets belonging to the same UDP flow are let through (when generating the traffic pattern described above). Without the change in this commit, all packets except the first one was dropped. With the change in this commit, a user can implement "perfect" solutions in user-space. An application can for example keep track of seen UDP flows, and then only release packets belonging to one flow when the entry has been created. Without the change, and SKB is stuck with the original conntrack entry. Signed-off-by: Kristian Evensen--- net/netfilter/nfnetlink_queue.c | 68 + 1 file changed, 68 insertions(+) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index c97966298..150c11ff4 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -43,6 +43,9 @@ #if IS_ENABLED(CONFIG_NF_CONNTRACK) #include +#include +#include +#include #endif #define NFQNL_QMAX_DEFAULT 1024 @@ -1046,6 +1049,53 @@ static int nfq_id_after(unsigned int id, unsigned int max) return (int)(id - max) > 0; } +#if IS_ENABLED(CONFIG_NF_CONNTRACK) +static void nfqnl_update_ct(struct net *net, struct sk_buff *skb) +{ + const struct nf_conntrack_l3proto *l3proto; + const struct nf_conntrack_l4proto *l4proto; + struct nf_conntrack_tuple_hash *h; + struct nf_conntrack_tuple tuple; + enum ip_conntrack_info ctinfo; + struct nf_conn *ct = NULL; + unsigned int dataoff; + u16 l3num; + u8 l4num; + + ct = nf_ct_get(skb, ); + l3num = nf_ct_l3num(ct); + l3proto = nf_ct_l3proto_find_get(l3num); + + if (l3proto->get_l4proto(skb, skb_network_offset(skb), , +) <= 0) { + return; + } + + l4proto = nf_ct_l4proto_find_get(l3num, l4num); + + if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, l3num, +l4num, net, , l3proto, l4proto)) { + return; + } + +#if IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) + h = nf_conntrack_find_get(net, >zone, ); +#else + h = nf_conntrack_find_get(net, NULL, ); +#endif + + if (h) { + pr_debug("%s: tuple %u %pI4:%hu -> %pI4:%hu\n", __func__, +tuple.dst.protonum, , +ntohs(tuple.src.u.all), , +ntohs(tuple.dst.u.all)); + nf_ct_put(ct); + ct = nf_ct_tuplehash_to_ctrack(h); + nf_ct_set(skb, ct, IP_CT_NEW); + } +} +#endif + static int nfqnl_recv_verdict_batch(struct net *net, struct sock *ctnl, struct sk_buff *skb, const struct nlmsghdr *nlh, @@ -1060,6 +1110,7 @@ static int nfqnl_recv_verdict_batch(struct net *net, struct sock *ctnl, LIST_HEAD(batch_list); u16 queue_num = ntohs(nfmsg->res_id); struct nfnl_queue_net *q = nfnl_queue_pernet(net); + enum ip_conntrack_info ctinfo; queue = verdict_instance_lookup(q, queue_num, NETLINK_CB(skb).portid); @@ -1090,6 +1141,16 @@ static int nfqnl_recv_verdict_batch(struct net *net, struct sock *ctnl, list_for_each_entry_safe(entry, tmp, _list, list) { if (nfqa[NFQA_MARK]) entry->skb->mark = ntohl(nla_get_be32(nfqa[NFQA_MARK])); + +#if IS_ENABLED(CONFIG_NF_CONNTRACK) + nf_ct_get(entry->skb, ); + + if (ctinfo == IP_CT_NEW && verdict != NF_STOLEN && + verdict != NF_DROP) { + nfqnl_update_ct(net, entry->skb); + } +#endif + nf_reinject(entry, verdict); } return 0; @@ -1213,6 +1274,13 @@ static int nfqnl_recv_verdict(struct net *net, struct sock *ctnl, if (nfqa[NFQA_MARK]) entry->skb->mark =
[PATCH nf-next v5] netfilter: nf_osf: nf_osf_ttl() and nf_osf_match()
Added nf_osf_ttl() and nf_osf_match() into nf_osf.c in order to start the nftables OSF implementation. Signed-off-by: Fernando Fernandez Mancera--- include/linux/netfilter/nf_osf.h | 29 include/uapi/linux/netfilter/nf_osf.h | 93 +++ include/uapi/linux/netfilter/xt_osf.h | 108 +++-- net/netfilter/Kconfig | 4 + net/netfilter/Makefile| 1 + net/netfilter/nf_osf.c| 218 ++ net/netfilter/xt_osf.c| 202 +--- 7 files changed, 365 insertions(+), 290 deletions(-) create mode 100644 include/linux/netfilter/nf_osf.h create mode 100644 include/uapi/linux/netfilter/nf_osf.h create mode 100644 net/netfilter/nf_osf.c diff --git a/include/linux/netfilter/nf_osf.h b/include/linux/netfilter/nf_osf.h new file mode 100644 index ..6b0167a9274c --- /dev/null +++ b/include/linux/netfilter/nf_osf.h @@ -0,0 +1,29 @@ +#include + +/* + * Initial window size option state machine: multiple of mss, mtu or + * plain numeric value. Can also be made as plain numeric value which + * is not a multiple of specified value. + */ +enum nf_osf_window_size_options { + OSF_WSS_PLAIN = 0, + OSF_WSS_MSS, + OSF_WSS_MTU, + OSF_WSS_MODULO, + OSF_WSS_MAX, +}; + +enum osf_fmatch_states { + /* Packet does not match the fingerprint */ + FMATCH_WRONG = 0, + /* Packet matches the fingerprint */ + FMATCH_OK, + /* Options do not match the fingerprint, but header does */ + FMATCH_OPT_WRONG, +}; + +bool nf_osf_match(const struct sk_buff *skb, u_int8_t family, + int hooknum, struct net_device *in, struct net_device *out, + const struct nf_osf_info *info, struct net *net, + const struct list_head *nf_osf_fingers); + diff --git a/include/uapi/linux/netfilter/nf_osf.h b/include/uapi/linux/netfilter/nf_osf.h new file mode 100644 index ..076ec2ee5906 --- /dev/null +++ b/include/uapi/linux/netfilter/nf_osf.h @@ -0,0 +1,93 @@ +#ifndef _NF_OSF_H +#define _NF_OSF_H + +#define MAXGENRELEN32 + +#define NF_OSF_GENRE (1<<0) +#define NF_OSF_TTL (1<<1) +#define NF_OSF_LOG (1<<2) +#define NF_OSF_INVERT (1<<3) + +#define NF_OSF_LOGLEVEL_ALL0 /* log all matched fingerprints */ +#define NF_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */ +#define NF_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */ + +#define NF_OSF_TTL_TRUE0 /* True ip and fingerprint TTL comparison */ + +/* Do not compare ip and fingerprint TTL at all */ +#define NF_OSF_TTL_NOCHECK 2 + +/* + * Wildcard MSS (kind of). + * It is used to implement a state machine for the different wildcard values + * of the MSS and window sizes. + */ +struct nf_osf_wc { + __u32 wc; + __u32 val; +}; + +/* + * This struct represents IANA options + * http://www.iana.org/assignments/tcp-parameters + */ +struct nf_osf_opt { + __u16 kind, length; + struct nf_osf_wc wc; +}; + +struct nf_osf_info { + chargenre[MAXGENRELEN]; + __u32 len; + __u32 flags; + __u32 loglevel; + __u32 ttl; +}; + +struct nf_osf_user_finger { + struct nf_osf_wcwss; + + __u8ttl, df; + __u16 ss, mss; + __u16 opt_num; + + chargenre[MAXGENRELEN]; + charversion[MAXGENRELEN]; + charsubtype[MAXGENRELEN]; + + /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */ + struct nf_osf_opt opt[MAX_IPOPTLEN]; +}; + +struct nf_osf_finger { + struct rcu_head rcu_head; + struct list_headfinger_entry; + struct nf_osf_user_finger finger; +}; + +struct nf_osf_nlmsg { + struct nf_osf_user_finger f; + struct iphdrip; + struct tcphdr tcp; +}; + +/* Defines for IANA option kinds */ + +enum iana_options { + OSFOPT_EOL = 0, /* End of options */ + OSFOPT_NOP, /* NOP */ + OSFOPT_MSS, /* Maximum segment size */ + OSFOPT_WSO, /* Window scale option */ + OSFOPT_SACKP, /* SACK permitted */ + OSFOPT_SACK,/* SACK */ + OSFOPT_ECHO, + OSFOPT_ECHOREPLY, + OSFOPT_TS, /* Timestamp option */ + OSFOPT_POCP,/* Partial Order Connection Permitted */ + OSFOPT_POSP,/* Partial Order Service Profile */ + + /* Others are not used in the current OSF */ + OSFOPT_EMPTY = 255, +}; + +#endif /* _NF_OSF_H */ diff --git a/include/uapi/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h index dad197e2ab99..5d5874b5d747 100644 --- a/include/uapi/linux/netfilter/xt_osf.h +++ b/include/uapi/linux/netfilter/xt_osf.h @@ -23,101
Re: Silently dropped UDP packets on kernel 4.14
Hi Michal, Thanks for providing a nice summary of your experience when dealing with this problem. Always nice to know that I am not alone :) On Thu, May 3, 2018 at 11:42 AM, Michal Kubecekwrote: > One of the ideas I had was this: > > - keep also unconfirmed conntracks in some data structure > - check new packets also against unconfirmed conntracks > - if it matches an unconfirmed conntrack, defer its processing > until that conntrack is either inserted or discarded I was thinking about something along the same lines and came to the same conclusion, it is a lot of hassle and work for a very special case. I think that replacing the conntrack entry is a good compromise, it improves on the current situation, and allows for the creation of "perfect" solutions in user-space. For example, a user can keep track of seen UDP flows, and then only release new packets belonging to the same flow when the conntrack entry is created. BR, Kristian -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft 5/5] src: use location to display error messages
# nft add chain foo bar Error: Could not process rule: No such file or directory add chain foo bar ^^^ Signed-off-by: Pablo Neira Ayuso--- src/evaluate.c | 156 ++--- 1 file changed, 94 insertions(+), 62 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index fdc536479785..c5f86395c84b 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -42,8 +43,8 @@ static const char * const byteorder_names[] = { __stmt_binary_error(ctx, &(s1)->location, NULL, fmt, ## args) #define monitor_error(ctx, s1, fmt, args...) \ __stmt_binary_error(ctx, &(s1)->location, NULL, fmt, ## args) -#define cmd_error(ctx, fmt, args...) \ - __stmt_binary_error(ctx, &(ctx->cmd)->location, NULL, fmt, ## args) +#define cmd_error(ctx, loc, fmt, args...) \ + __stmt_binary_error(ctx, loc, NULL, fmt, ## args) static int __fmtstring(3, 4) set_error(struct eval_ctx *ctx, const struct set *set, @@ -190,8 +191,9 @@ static int expr_evaluate_symbol(struct eval_ctx *ctx, struct expr **expr) table = table_lookup_global(ctx); if (table == NULL) - return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table.name); + return cmd_error(ctx, >cmd->handle.table.location, +"Could not process rule: %s", +strerror(ENOENT)); set = set_lookup(table, (*expr)->identifier); if (set == NULL) @@ -2746,13 +2748,15 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct expr **expr) table = table_lookup_global(ctx); if (table == NULL) - return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table.name); + return cmd_error(ctx, >cmd->handle.table.location, +"Could not process rule: %s", +strerror(ENOENT)); set = set_lookup(table, ctx->cmd->handle.set.name); if (set == NULL) - return cmd_error(ctx, "Could not process rule: Set '%s' does not exist", -ctx->cmd->handle.set.name); + return cmd_error(ctx, >cmd->handle.set.location, +"Could not process rule: %s", +strerror(ENOENT)); ctx->set = set; expr_set_context(>ectx, set->key->dtype, set->key->len); @@ -2769,8 +2773,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) table = table_lookup_global(ctx); if (table == NULL) - return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table.name); + return cmd_error(ctx, >cmd->handle.table.location, +"Could not process rule: %s", +strerror(ENOENT)); if (!(set->flags & NFT_SET_INTERVAL) && set->automerge) return set_error(ctx, set, "auto-merge only works with interval sets"); @@ -2831,8 +2836,9 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft) table = table_lookup_global(ctx); if (table == NULL) - return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table.name); + return cmd_error(ctx, >cmd->handle.table.location, +"Could not process rule: %s", +strerror(ENOENT)); ft->hooknum = str2hooknum(NFPROTO_NETDEV, ft->hookstr); if (ft->hooknum == NF_INET_NUMHOOKS) @@ -2923,8 +2929,9 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain) table = table_lookup_global(ctx); if (table == NULL) - return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table.name); + return cmd_error(ctx, >cmd->handle.table.location, +"Could not process rule: %s", +strerror(ENOENT)); if (chain == NULL) { if (chain_lookup(table, >cmd->handle) == NULL) { @@ -3087,12 +3094,14 @@ static int cmd_evaluate_get(struct eval_ctx *ctx, struct cmd *cmd) case CMD_OBJ_SETELEM: table = table_lookup(>handle, ctx->cache); if (table == NULL) - return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -
[PATCH nft 1/5] src: add table_spec
Store location object in handle to improve error reporting. Signed-off-by: Pablo Neira Ayuso--- include/rule.h| 7 ++- src/evaluate.c| 42 +- src/monitor.c | 4 ++-- src/netlink.c | 40 src/netlink_delinearize.c | 2 +- src/parser_bison.y| 3 ++- src/rule.c| 42 +- 7 files changed, 73 insertions(+), 67 deletions(-) diff --git a/include/rule.h b/include/rule.h index ee22cf217ac6..88750f0a4b54 100644 --- a/include/rule.h +++ b/include/rule.h @@ -27,6 +27,11 @@ struct position_spec { uint64_tid; }; +struct table_spec { + struct location location; + const char *name; +}; + /** * struct handle - handle for tables, chains, rules and sets * @@ -42,7 +47,7 @@ struct position_spec { */ struct handle { uint32_tfamily; - const char *table; + struct table_spec table; const char *chain; const char *set; const char *obj; diff --git a/src/evaluate.c b/src/evaluate.c index 4384e2710176..76125fcd884d 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -191,7 +191,7 @@ static int expr_evaluate_symbol(struct eval_ctx *ctx, struct expr **expr) table = table_lookup_global(ctx); if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table); +ctx->cmd->handle.table.name); set = set_lookup(table, (*expr)->identifier); if (set == NULL) @@ -2747,7 +2747,7 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct expr **expr) table = table_lookup_global(ctx); if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table); +ctx->cmd->handle.table.name); set = set_lookup(table, ctx->cmd->handle.set); if (set == NULL) @@ -2770,7 +2770,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) table = table_lookup_global(ctx); if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table); +ctx->cmd->handle.table.name); if (!(set->flags & NFT_SET_INTERVAL) && set->automerge) return set_error(ctx, set, "auto-merge only works with interval sets"); @@ -2832,7 +2832,7 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft) table = table_lookup_global(ctx); if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table); +ctx->cmd->handle.table.name); ft->hooknum = str2hooknum(NFPROTO_NETDEV, ft->hookstr); if (ft->hooknum == NF_INET_NUMHOOKS) @@ -2924,7 +2924,7 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain) table = table_lookup_global(ctx); if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -ctx->cmd->handle.table); +ctx->cmd->handle.table.name); if (chain == NULL) { if (chain_lookup(table, >cmd->handle) == NULL) { @@ -3088,7 +3088,7 @@ static int cmd_evaluate_get(struct eval_ctx *ctx, struct cmd *cmd) table = table_lookup(>handle, ctx->cache); if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -cmd->handle.table); +cmd->handle.table.name); set = set_lookup(table, cmd->handle.set); if (set == NULL || set->flags & (NFT_SET_MAP | NFT_SET_EVAL)) return cmd_error(ctx, "Could not process rule: Set '%s' does not exist", @@ -3111,7 +3111,7 @@ static int cmd_evaluate_list_obj(struct eval_ctx *ctx, const struct cmd *cmd, table = table_lookup(>handle, ctx->cache); if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", -cmd->handle.table); +cmd->handle.table.name); if (obj_lookup(table, cmd->handle.obj, obj_type) == NULL) return cmd_error(ctx, "Could not process rule: Object '%s' does not exist",
[PATCH nft 3/5] src: add set_spec
Store location object in handle to improve error reporting. Signed-off-by: Pablo Neira Ayuso--- include/rule.h | 7 ++- src/evaluate.c | 36 ++-- src/expression.c| 4 ++-- src/netlink.c | 6 +++--- src/netlink_linearize.c | 10 +- src/parser_bison.y | 6 -- src/rule.c | 18 +- src/segtree.c | 4 ++-- 8 files changed, 49 insertions(+), 42 deletions(-) diff --git a/include/rule.h b/include/rule.h index 4ea09c52b12e..68d32f10c353 100644 --- a/include/rule.h +++ b/include/rule.h @@ -37,6 +37,11 @@ struct chain_spec { const char *name; }; +struct set_spec { + struct location location; + const char *name; +}; + /** * struct handle - handle for tables, chains, rules and sets * @@ -54,7 +59,7 @@ struct handle { uint32_tfamily; struct table_spec table; struct chain_spec chain; - const char *set; + struct set_spec set; const char *obj; const char *flowtable; struct handle_spec handle; diff --git a/src/evaluate.c b/src/evaluate.c index 78ff6071230a..79fa3221e20d 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -84,7 +84,7 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx, set = set_alloc(>location); set->flags = NFT_SET_ANONYMOUS | expr->set_flags; - set->handle.set = xstrdup(name); + set->handle.set.name = xstrdup(name); set->key= key; set->init = expr; set->automerge = set->flags & NFT_SET_INTERVAL; @@ -2749,10 +2749,10 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct expr **expr) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", ctx->cmd->handle.table.name); - set = set_lookup(table, ctx->cmd->handle.set); + set = set_lookup(table, ctx->cmd->handle.set.name); if (set == NULL) return cmd_error(ctx, "Could not process rule: Set '%s' does not exist", -ctx->cmd->handle.set); +ctx->cmd->handle.set.name); ctx->set = set; expr_set_context(>ectx, set->key->dtype, set->key->len); @@ -2813,7 +2813,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) } ctx->set = NULL; - if (set_lookup(table, set->handle.set) == NULL) + if (set_lookup(table, set->handle.set.name) == NULL) set_add_hash(set_get(set), table); /* Default timeout value implies timeout support */ @@ -3089,10 +3089,10 @@ static int cmd_evaluate_get(struct eval_ctx *ctx, struct cmd *cmd) if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", cmd->handle.table.name); - set = set_lookup(table, cmd->handle.set); + set = set_lookup(table, cmd->handle.set.name); if (set == NULL || set->flags & (NFT_SET_MAP | NFT_SET_EVAL)) return cmd_error(ctx, "Could not process rule: Set '%s' does not exist", -cmd->handle.set); +cmd->handle.set.name); return setelem_evaluate(ctx, >expr); default: @@ -3144,30 +3144,30 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd) if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", cmd->handle.table.name); - set = set_lookup(table, cmd->handle.set); + set = set_lookup(table, cmd->handle.set.name); if (set == NULL || set->flags & (NFT_SET_MAP | NFT_SET_EVAL)) return cmd_error(ctx, "Could not process rule: Set '%s' does not exist", -cmd->handle.set); +cmd->handle.set.name); return 0; case CMD_OBJ_METER: table = table_lookup(>handle, ctx->cache); if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", cmd->handle.table.name); - set = set_lookup(table, cmd->handle.set); + set = set_lookup(table, cmd->handle.set.name); if (set == NULL || !(set->flags & NFT_SET_EVAL)) return cmd_error(ctx, "Could not process rule: Meter '%s' does not exist", -cmd->handle.set); +
[PATCH nft 2/5] src: add chain_spec
Store location object in handle to improve error reporting. Signed-off-by: Pablo Neira Ayuso--- include/rule.h| 7 ++- src/evaluate.c| 4 ++-- src/netlink.c | 14 +++--- src/netlink_delinearize.c | 4 ++-- src/parser_bison.y| 6 -- src/rule.c| 16 6 files changed, 29 insertions(+), 22 deletions(-) diff --git a/include/rule.h b/include/rule.h index 88750f0a4b54..4ea09c52b12e 100644 --- a/include/rule.h +++ b/include/rule.h @@ -32,6 +32,11 @@ struct table_spec { const char *name; }; +struct chain_spec { + struct location location; + const char *name; +}; + /** * struct handle - handle for tables, chains, rules and sets * @@ -48,7 +53,7 @@ struct table_spec { struct handle { uint32_tfamily; struct table_spec table; - const char *chain; + struct chain_spec chain; const char *set; const char *obj; const char *flowtable; diff --git a/src/evaluate.c b/src/evaluate.c index 76125fcd884d..78ff6071230a 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3176,7 +3176,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd) cmd->handle.table.name); if (chain_lookup(table, >handle) == NULL) return cmd_error(ctx, "Could not process rule: Chain '%s' does not exist", -cmd->handle.chain); +cmd->handle.chain.name); return 0; case CMD_OBJ_QUOTA: return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_QUOTA); @@ -3319,7 +3319,7 @@ static int cmd_evaluate_rename(struct eval_ctx *ctx, struct cmd *cmd) ctx->cmd->handle.table.name); if (chain_lookup(table, >cmd->handle) == NULL) return cmd_error(ctx, "Could not process rule: Chain '%s' does not exist", -ctx->cmd->handle.chain); +ctx->cmd->handle.chain.name); break; default: BUG("invalid command object type %u\n", cmd->obj); diff --git a/src/netlink.c b/src/netlink.c index 0c078d643344..e33e094e1992 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -145,8 +145,8 @@ struct nftnl_chain *alloc_nftnl_chain(const struct handle *h) nftnl_chain_set_str(nlc, NFTNL_CHAIN_TABLE, h->table.name); if (h->handle.id) nftnl_chain_set_u64(nlc, NFTNL_CHAIN_HANDLE, h->handle.id); - if (h->chain != NULL) - nftnl_chain_set_str(nlc, NFTNL_CHAIN_NAME, h->chain); + if (h->chain.name != NULL) + nftnl_chain_set_str(nlc, NFTNL_CHAIN_NAME, h->chain.name); return nlc; } @@ -161,8 +161,8 @@ struct nftnl_rule *alloc_nftnl_rule(const struct handle *h) nftnl_rule_set_u32(nlr, NFTNL_RULE_FAMILY, h->family); nftnl_rule_set_str(nlr, NFTNL_RULE_TABLE, h->table.name); - if (h->chain != NULL) - nftnl_rule_set_str(nlr, NFTNL_RULE_CHAIN, h->chain); + if (h->chain.name != NULL) + nftnl_rule_set_str(nlr, NFTNL_RULE_CHAIN, h->chain.name); if (h->handle.id) nftnl_rule_set_u64(nlr, NFTNL_RULE_HANDLE, h->handle.id); if (h->position.id) @@ -540,7 +540,7 @@ static int list_rule_cb(struct nftnl_rule *nlr, void *arg) if (h->family != family || strcmp(table, h->table.name) != 0 || - (h->chain && strcmp(chain, h->chain) != 0)) + (h->chain.name && strcmp(chain, h->chain.name) != 0)) return 0; netlink_dump_rule(nlr, ctx); @@ -697,7 +697,7 @@ static int list_chain_cb(struct nftnl_chain *nlc, void *arg) if (h->family != family || strcmp(table, h->table.name) != 0) return 0; - if (h->chain && strcmp(name, h->chain) != 0) + if (h->chain.name && strcmp(name, h->chain.name) != 0) return 0; chain = netlink_delinearize_chain(ctx, nlc); @@ -1720,7 +1720,7 @@ static void trace_print_rule(const struct nftnl_trace *nlt, h.family = nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY); h.table.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE); - h.chain = nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN); + h.chain.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN); if (!h.table.name) return; diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 8b42850ecd43..eb509917e01d 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -2444,8 +2444,8 @@ struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx, memset(, 0, sizeof(h));
[PATCH nft 4/5] src: add obj_spec
Store location object in handle to improve error reporting. Signed-off-by: Pablo Neira Ayuso--- include/rule.h | 7 ++- src/evaluate.c | 4 ++-- src/netlink.c | 8 src/parser_bison.y | 6 -- src/rule.c | 18 +- 5 files changed, 25 insertions(+), 18 deletions(-) diff --git a/include/rule.h b/include/rule.h index 68d32f10c353..b265690d3c96 100644 --- a/include/rule.h +++ b/include/rule.h @@ -42,6 +42,11 @@ struct set_spec { const char *name; }; +struct obj_spec { + struct location location; + const char *name; +}; + /** * struct handle - handle for tables, chains, rules and sets * @@ -60,7 +65,7 @@ struct handle { struct table_spec table; struct chain_spec chain; struct set_spec set; - const char *obj; + struct obj_spec obj; const char *flowtable; struct handle_spec handle; struct position_specposition; diff --git a/src/evaluate.c b/src/evaluate.c index 79fa3221e20d..fdc536479785 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3112,9 +3112,9 @@ static int cmd_evaluate_list_obj(struct eval_ctx *ctx, const struct cmd *cmd, if (table == NULL) return cmd_error(ctx, "Could not process rule: Table '%s' does not exist", cmd->handle.table.name); - if (obj_lookup(table, cmd->handle.obj, obj_type) == NULL) + if (obj_lookup(table, cmd->handle.obj.name, obj_type) == NULL) return cmd_error(ctx, "Could not process rule: Object '%s' does not exist", -cmd->handle.obj); +cmd->handle.obj.name); return 0; } diff --git a/src/netlink.c b/src/netlink.c index e465daa79c84..864947b4d2f0 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -293,8 +293,8 @@ __alloc_nftnl_obj(const struct handle *h, uint32_t type) nftnl_obj_set_u32(nlo, NFTNL_OBJ_FAMILY, h->family); nftnl_obj_set_str(nlo, NFTNL_OBJ_TABLE, h->table.name); - if (h->obj != NULL) - nftnl_obj_set_str(nlo, NFTNL_OBJ_NAME, h->obj); + if (h->obj.name != NULL) + nftnl_obj_set_str(nlo, NFTNL_OBJ_NAME, h->obj.name); nftnl_obj_set_u32(nlo, NFTNL_OBJ_TYPE, type); if (h->handle.id) @@ -1410,7 +1410,7 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx, obj->handle.family = nftnl_obj_get_u32(nlo, NFTNL_OBJ_FAMILY); obj->handle.table.name = xstrdup(nftnl_obj_get_str(nlo, NFTNL_OBJ_TABLE)); - obj->handle.obj = + obj->handle.obj.name = xstrdup(nftnl_obj_get_str(nlo, NFTNL_OBJ_NAME)); obj->handle.handle.id = nftnl_obj_get_u64(nlo, NFTNL_OBJ_HANDLE); @@ -1564,7 +1564,7 @@ int netlink_reset_objs(struct netlink_ctx *ctx, const struct cmd *cmd, int err; obj_cache = mnl_nft_obj_dump(ctx, h->family, -h->table.name, h->obj, type, dump, true); +h->table.name, h->obj.name, type, dump, true); if (obj_cache == NULL) return -1; diff --git a/src/parser_bison.y b/src/parser_bison.y index e4b83523b411..5b3860368bc5 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1925,7 +1925,8 @@ flowtable_identifier : identifier obj_spec : table_spec identifier { $$ = $1; - $$.obj = $2; + $$.obj.name = $2; + $$.obj.location = @2; } ; @@ -1940,7 +1941,8 @@ objid_spec: table_spec HANDLE NUM obj_identifier : identifier { memset(&$$, 0, sizeof($$)); - $$.obj = $1; + $$.obj.name = $1; + $$.obj.location = @1; } ; diff --git a/src/rule.c b/src/rule.c index 7d18bd08c1fb..2f0123b7a4a5 100644 --- a/src/rule.c +++ b/src/rule.c @@ -48,8 +48,8 @@ void handle_merge(struct handle *dst, const struct handle *src) dst->set.name = xstrdup(src->set.name); if (dst->flowtable == NULL && src->flowtable != NULL) dst->flowtable = xstrdup(src->flowtable); - if (dst->obj == NULL && src->obj != NULL) - dst->obj = xstrdup(src->obj); + if (dst->obj.name == NULL && src->obj.name != NULL) + dst->obj.name = xstrdup(src->obj.name); if (dst->handle.id == 0) dst->handle = src->handle;
Re: Silently dropped UDP packets on kernel 4.14
On Thu, May 03, 2018 at 07:03:45AM +0200, Florian Westphal wrote: > Kristian Evensenwrote: > > I went for the early-insert approached and have patched > > I'm sorry for suggesting that. > > It doesn't work, because of NAT. > NAT rewrites packet content and changes the reply tuple, but the tuples > determine the hash insertion location. > > I don't know how to solve this problem. It's an old problem which surfaces from time to time when some special conditions make it more visible. When I was facing it in 2015, I found this thread from as early as 2009: https://www.spinics.net/lists/linux-net/msg16712.html In our case, the customer was using IPVS in "one packet scheduling" mode (it drops the conntrack entry after each packet) which increased the probability of insert collisions significantly. Using NFQUEUE We were lucky, though, as it turned out the only reason why customer needed connection tracking was to make sure fragments of long UDP datagrams are not sent to different real servers. For newer kernels after commit 6aafeef03b9d ("netfilter: push reasm skb through instead of original frag skbs"), this was no longer necessary so that they could disable connection tracking for these packets. For older kernels without this change, I tried several ideas, each of which didn't work for some reason. We ended up with rather hacky workaround, not dropping the packet on collision (so that its conntrack wasn't inserted into the table and was dropped once the packet was sent). It worked fine for our customer but like the early insert approach, it wouldn't work with NAT. One of the ideas I had was this: - keep also unconfirmed conntracks in some data structure - check new packets also against unconfirmed conntracks - if it matches an unconfirmed conntrack, defer its processing until that conntrack is either inserted or discarded But as it would be rather complicated to implement without races and harming performance, I didn't want to actually try it until I would run out of other ideas. With NAT coming to the play, there doesn't seem to be many other options. Michal Kubecek -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[arptables PATCH] arptables: cleanup sysvinit script
This file belong to downstream distributions. Also, it's unmaintained. Signed-off-by: Arturo Borrero Gonzalez--- Makefile |8 +--- arptables.sysv | 103 2 files changed, 2 insertions(+), 109 deletions(-) delete mode 100644 arptables.sysv diff --git a/Makefile b/Makefile index 7bead0d..139c9ca 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,6 @@ LIBDIR:=$(PREFIX)/lib BINDIR:=$(PREFIX)/sbin MANDIR:=$(PREFIX)/man man8dir=$(MANDIR)/man8 -INITDIR:=/etc/rc.d/init.d SYSCONFIGDIR:=/etc/sysconfig DESTDIR:= @@ -46,15 +45,12 @@ $(DESTDIR)$(BINDIR)/arptables: arptables tmp1:=$(shell printf $(BINDIR) | sed 's/\//\\\//g') tmp2:=$(shell printf $(SYSCONFIGDIR) | sed 's/\//\\\//g') .PHONY: scripts -scripts: arptables-save arptables-restore arptables.sysv +scripts: arptables-save arptables-restore cat arptables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > arptables-save_ install -m 0755 arptables-save_ $(DESTDIR)$(BINDIR)/arptables-save cat arptables-restore | sed 's/__EXEC_PATH__/$(tmp1)/g' > arptables-restore_ install -m 0755 arptables-restore_ $(DESTDIR)$(BINDIR)/arptables-restore - cat arptables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > arptables.sysv_ - if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi - if test -d $(DESTDIR)$(INITDIR); then install -m 0755 arptables.sysv_ $(DESTDIR)$(INITDIR)/arptables; fi - rm -f arptables-save_ arptables-restore_ arptables.sysv_ + rm -f arptables-save_ arptables-restore_ .PHONY: install-man install-man: $(MANS) diff --git a/arptables.sysv b/arptables.sysv deleted file mode 100644 index ea5cf09..000 --- a/arptables.sysv +++ /dev/null @@ -1,103 +0,0 @@ -#!/bin/bash -# -# init script for arptables -# -# Original by Dag Wieers . -# Modified/changed to arptables by -# Rok Papez . -# -# chkconfig: - 16 84 -# description: Arp filtering tables -# -# config: __SYSCONFIG__/arptables - -source /etc/init.d/functions -source /etc/sysconfig/network - -# Check that networking is up. -[ ${NETWORKING} = "no" ] && exit 0 - -[ -x __EXEC_PATH__/arptables ] || exit 1 -[ -x __EXEC_PATH__/arptables-save ] || exit 1 -[ -x __EXEC_PATH__/arptables-restore ] || exit 1 - -[ "$1" != "save" -o -r __SYSCONFIG__/arptables ] || exit 1 - -RETVAL=0 -prog="arptables" -desc="Arp filtering" - -start() { - echo -n $"Starting $desc ($prog): " - __EXEC_PATH__/arptables-restore < __SYSCONFIG__/arptables || RETVAL=1 - - if [ $RETVAL -eq 0 ]; then - success "$prog startup" - rm -f /var/lock/subsys/$prog - else - failure "$prog startup" - fi - - echo - return $RETVAL -} - -stop() { - echo -n $"Stopping $desc ($prog): " - __EXEC_PATH__/arptables-restore < /dev/null || RETVAL=1 - - if [ $RETVAL -eq 0 ]; then - success "$prog shutdown" - rm -f %{_localstatedir}/lock/subsys/$prog - else - failure "$prog shutdown" - fi - - echo - return $RETVAL -} - -restart() { - stop - start -} - -save() { - echo -n $"Saving $desc ($prog): " - __EXEC_PATH__/arptables-save > __SYSCONFIG__/arptables || RETVAL=1 - - if [ $RETVAL -eq 0 ]; then - success "$prog saved" - else - failure "$prog saved" - fi - echo -} - -case "$1" in - start) - start - ;; - stop) - stop - ;; - restart|reload) - restart - ;; - condrestart) - [ -e /var/lock/subsys/$prog ] && restart - RETVAL=$? - ;; - save) - save - ;; - status) - __EXEC_PATH__/arptables-save - RETVAL=$? - ;; - *) - echo $"Usage $0 {start|stop|restart|condrestart|save|status}" - RETVAL=1 -esac - -exit $RETVAL -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: Silently dropped UDP packets on kernel 4.14
Hi Florian, On Thu, May 3, 2018 at 7:03 AM, Florian Westphalwrote: > I'm sorry for suggesting that. > > It doesn't work, because of NAT. > NAT rewrites packet content and changes the reply tuple, but the tuples > determine the hash insertion location. > > I don't know how to solve this problem. No problem. This has anyway served as a good exercise for getting more familiar with the conntrack/nat code in the kernel. I did some more tests and I see that on my router (or routers actually), just replacing the ct solves the issue. While not a perfect solution, the situation is improved considerably. Do you think a patch where the ct is replace would be acceptable, or would upstream rather wait for a "proper" fix to this problem? When replacing the ct, it is at least possible to work around the problem in userspace, while without replacing ct we are stuck with the original entry. BR, Kristian -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [ANNOUNCE] libnftnl 1.1.0 release
On Thu, May 03, 2018 at 01:08:36AM +1000, Duncan Roe wrote: > On Wed, May 02, 2018 at 10:09:04AM +0200, Pablo Neira Ayuso wrote: > > On Wed, May 02, 2018 at 11:32:13AM +1000, Duncan Roe wrote: > > > On Tue, May 01, 2018 at 11:33:33PM +0200, Florian Westphal wrote: > [...] > > > Hey Florian, > > > > > > I just downloaded > > > https://netfilter.org/projects/libnftnl/downloads.html#libnftnl-1.1.0 but > > > the > > > sha256sum doesn't match: > > > ec0eaca11b165110c2b61e6a7b50a7a0a9b17fa04a0c333f795bec2d19f78f6c instead > > > of the > > > expected 36c6d99c7684851d4d72e75bd07ff3f0ff1baaf4b6f069eb7244990cd1a9a462. > > > Installing it anyway, > > > > Just fixed website, sorry about this. > > > > The right checksum is > > ec0eaca11b165110c2b61e6a7b50a7a0a9b17fa04a0c333f795bec2d19f78f6c as: > > > > http://ftp.netfilter.org/pub/libnftnl/libnftnl-1.1.0.tar.bz2.sha256sum > > > > says. > > > > Thanks for reporting. > > I refreshed > https://netfilter.org/projects/libnftnl/downloads.html#libnftnl-1.1.0 several > times, but still see > 36c6d99c7684851d4d72e75bd07ff3f0ff1baaf4b6f069eb7244990cd1a9a462 displayed on > the screen. The downloaded one is right, but I always use the screen. I have compiled the website but I forgot to push out changes to website, sorry. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html