Re: [PATCH] libxtables: duplicated loopback address via host_to_ipaddr()

2017-03-08 Thread Alexander Alemayhu
On Wed, Mar 08, 2017 at 03:33:04PM +0100, Pablo Neira Ayuso wrote: > Originally reported as an iptables-translate problem, but this also > affects iptables and ip6tables. > > $ iptables-translate -A INPUT -s localhost -j ACCEPT > > gives duplicated rules: > > nft add rule ip filter INPUT ip

Re: [PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names

2017-03-08 Thread Alexander Alemayhu
On Wed, Mar 08, 2017 at 02:16:09PM +0100, Pablo Neira Ayuso wrote: > After this patch: > > # iptables-translate -I INPUT -s yahoo.com > nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter > nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter > nft insert rule ip filter

Re: [PATCH nf-next] netfilter: bridge: remove unneeded rcu_read_lock

2017-03-08 Thread Pablo Neira Ayuso
On Tue, Mar 07, 2017 at 12:45:04PM +0100, Florian Westphal wrote: > as comment says, the function is always called with rcu read lock held. Applied, thanks Florian. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org

Re: [PATCH v2 nf] netfilter: don't track fragmented packets

2017-03-08 Thread Pablo Neira Ayuso
On Fri, Mar 03, 2017 at 09:44:00PM +0100, Florian Westphal wrote: > Andrey reports syzkaller splat caused by > > NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb))); > > in ipv4 nat. But this assertion (and the comment) are wrong, this function > does see fragments when IP_NODEFRAG setsockopt is used. >

Question about getting counters for transparent terminated flows

2017-03-08 Thread Tarun Khanna
Hi, I have an application that acts as a transparent proxy for tcp flows. I need to get packet and byte counters for these tcp flows on both sides of the proxy application. I looked at pulling the counters from the kernel using libnetfilter_conntrack. However I noticed that the conntrack

Re: [net] netfilter: nat: sctp: fix ICMP packet to be dropped accidentally

2017-03-08 Thread Pablo Neira Ayuso
On Sat, Mar 04, 2017 at 06:00:02PM +0800, Ying Xue wrote: > Regarding RFC 792, the first 64 bits of the original SCTP datagram's > data could be contained in ICMP packet, such as: > > 0 1 2 3 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0

Re: [PATCH 3/3] libxtables: avoid returning duplicate address for host resolution

2017-03-08 Thread Jan Engelhardt
On Wednesday 2017-03-08 17:45, Pablo Neira Ayuso wrote: >On Wed, Mar 08, 2017 at 05:26:58PM +0100, Jan Engelhardt wrote: >> A long-standing problem has been that `iptables -s any_host_here` >> could yield multiple rules with the same address if the DNS was >> indeed so populated. > >When did

Re: [PATCH 2/3] libxtables: abolish AI_CANONNAME

2017-03-08 Thread Pablo Neira Ayuso
On Wed, Mar 08, 2017 at 05:26:57PM +0100, Jan Engelhardt wrote: > ares->ai_canonname is never used, so there is no point in requesting > that piece of information with AI_CANONNAME. I already had one like this here that derived from my previous patch, anyway. Applied.

Re: [PATCH 1/3] libxtables: remove unnecessary nesting from host_to_ip(6)addr

2017-03-08 Thread Pablo Neira Ayuso
On Wed, Mar 08, 2017 at 05:26:56PM +0100, Jan Engelhardt wrote: > The error path already terminally returns from the function, so there > is no point in having an explicit else block. Applied.

Re: [PATCH nf-next 0/2] netfilter: helper set support

2017-03-08 Thread Pablo Neira Ayuso
On Wed, Mar 08, 2017 at 04:48:42PM +0100, Florian Westphal wrote: > This adds support to set the conntrack helper from nftables, using > nft set ct helper "foo" syntax. > > Helpers are defined through the objref infrastructure. > > Open question: should NFT_MSG_GETOBJ_RESET get rejected for this

[PATCH 2/3] libxtables: abolish AI_CANONNAME

2017-03-08 Thread Jan Engelhardt
ares->ai_canonname is never used, so there is no point in requesting that piece of information with AI_CANONNAME. Signed-off-by: Jan Engelhardt --- libxtables/xtables.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libxtables/xtables.c b/libxtables/xtables.c index

[PATCH 3/3] libxtables: avoid returning duplicate address for host resolution

2017-03-08 Thread Jan Engelhardt
A long-standing problem has been that `iptables -s any_host_here` could yield multiple rules with the same address if the DNS was indeed so populated. Signed-off-by: Jan Engelhardt --- libxtables/xtables.c | 44 1 file changed, 32

[PATCH 1/3] libxtables: remove unnecessary nesting from host_to_ip(6)addr

2017-03-08 Thread Jan Engelhardt
The error path already terminally returns from the function, so there is no point in having an explicit else block. Signed-off-by: Jan Engelhardt --- libxtables/xtables.c | 54 +++- 1 file changed, 24 insertions(+), 30

[PATCH 3/3] libxtables: avoid returning duplicate address for host resolution

2017-03-08 Thread Jan Engelhardt
A long-standing problem has been that `iptables -s any_host_here` could yield multiple rules with the same address if the DNS was indeed so populated. Signed-off-by: Jan Engelhardt --- libxtables/xtables.c | 44 1 file changed, 32

[PATCH 2/3] libxtables: abolish AI_CANONNAME

2017-03-08 Thread Jan Engelhardt
ares->ai_canonname is never used, so there is no point in requesting that piece of information with AI_CANONNAME. Signed-off-by: Jan Engelhardt --- libxtables/xtables.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libxtables/xtables.c b/libxtables/xtables.c index

Filter duplicate IP addresses from libxtables

2017-03-08 Thread Jan Engelhardt
(Of course that send went wrong.. with github and all that, I hardly had to use git-send-email ever since.) The right set follows.

Re: [PATCH nf-next 0/2] netfilter: untracked object removal

2017-03-08 Thread Eric Dumazet
On Wed, 2017-03-08 at 13:49 +0100, Florian Westphal wrote: > These patches remove the percpu untracked objects, they get replaced > with a new (kernel internal) ctinfo state. > > This avoids reference counter operations for untracked packets and > removes the need to check a conntrack for the

[PATCH 1/3] extensions: libxt_socket: add --restore-skmark option

2017-03-08 Thread Jan Engelhardt
From: Harout Hedeshian xt_socket is useful for matching sockets with IP_TRANSPARENT and taking some action on the matching packets. However, it lacks the ability to match only a small subset of transparent sockets. Suppose there are 2 applications, each with its own set

Re: [PATCH] libxtables: duplicated loopback address via host_to_ipaddr()

2017-03-08 Thread Jan Engelhardt
Pablo wrote: >libc seem to need if we have 127.0.0.1 and ::1 >entries in /etc/hosts that are common in many distros. I was trying to imply that this problem is not specific to localhost, but could happen with any host name. Testing the memory contents for just htonl(INADDR_LOOPBACK) does not

[PATCH 3/3] extensions: restore matching any SPI id by default

2017-03-08 Thread Jan Engelhardt
This is the same as commit v1.4.15-12-g8a988f6. If no id option is given, the extensions only match packets with a zero-valued identification field. This behavior deviates from what it used to do back in v1.4.10-273-g6944f2c^. Signed-off-by: Jan Engelhardt ---

[PATCH nf-next 0/2] netfilter: helper set support

2017-03-08 Thread Florian Westphal
This adds support to set the conntrack helper from nftables, using nft set ct helper "foo" syntax. Helpers are defined through the objref infrastructure. Open question: should NFT_MSG_GETOBJ_RESET get rejected for this new type? A future patch could extend the attributes so we can also handle

[PATCH nf-next 2/2] netfilter: nft_ct: add helper set support

2017-03-08 Thread Florian Westphal
this allows to assign connection tracking helpers to connections via nft objref infrastructure. The idea is to first specify a helper object: table ip filter { ct helper some-name { type "ftp" protocol tcp l3proto ip } } and then assign it via nft add ... ct helper

[PATCH nf-next 1/2] netfilter: provide nft_ctxc in object init function

2017-03-08 Thread Florian Westphal
this is needed by the upcoming ct helper object type -- we'd like to be able use the table family (ip, ip6, inet) to figure out which helper has to be requested. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_tables.h | 3 ++- net/netfilter/nf_tables_api.c | 7

Re: [iptables PATCH] xtables-translate: Avoid querying the kernel

2017-03-08 Thread Pablo Neira Ayuso
On Wed, Mar 08, 2017 at 04:43:25PM +0100, Phil Sutter wrote: > This originally came up when accidentally calling iptables-translate as > unprivileged user - nft_compatible_revision() then fails every time, > making the translator fall back to using revision 0 only which often > leads to failed

[iptables PATCH] xtables-translate: Avoid querying the kernel

2017-03-08 Thread Phil Sutter
This originally came up when accidentally calling iptables-translate as unprivileged user - nft_compatible_revision() then fails every time, making the translator fall back to using revision 0 only which often leads to failed translations (due to missing xlate callback). The bottom line is there

[PATCH nf] netfilter: nf_tables: fix mismatch in big-endian system

2017-03-08 Thread Liping Zhang
From: Liping Zhang Currently, there are two different methods to store an u16 integer to the u32 data register. For example: u32 *dest = >data[priv->dreg]; 1. *dest = 0; *(u16 *) dest = val_u16; 2. *dest = val_u16; For method 1, the u16 value will be stored like this,

[PATCH] libxtables: duplicated loopback address via host_to_ipaddr()

2017-03-08 Thread Pablo Neira Ayuso
Originally reported as an iptables-translate problem, but this also affects iptables and ip6tables. $ iptables-translate -A INPUT -s localhost -j ACCEPT gives duplicated rules: nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept nft add rule ip filter INPUT ip saddr 127.0.0.1

Re: [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo()

2017-03-08 Thread Jan Engelhardt
On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote: > >If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses >are returned in the list pointed to by res only if the local system has >at least one IPv4 address configured, and IPv6 addresses are only >returned if the local

Re: [iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-08 Thread Phil Sutter
On Wed, Mar 08, 2017 at 02:38:42PM +0100, Pablo Neira Ayuso wrote: > On Wed, Mar 08, 2017 at 01:31:51PM +0100, Phil Sutter wrote: > > On Wed, Mar 08, 2017 at 11:36:52AM +0100, Pablo Neira Ayuso wrote: > > > On Tue, Mar 07, 2017 at 09:07:45PM +0100, Phil Sutter wrote: > > > > On Tue, Mar 07, 2017

Re: [iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-08 Thread Phil Sutter
On Wed, Mar 08, 2017 at 01:31:51PM +0100, Phil Sutter wrote: > Oh man, I just found the cause: I was running iptables-translate as > unprivileged user. Calling it with sudo magically makes everything work. > > I'll have a look whether it's possible to communicate the received > -EPERM back to the

Re: [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo()

2017-03-08 Thread Pablo Neira Ayuso
On Wed, Mar 08, 2017 at 02:56:24PM +0100, Jan Engelhardt wrote: > > On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote: > > > >If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses > >are returned in the list pointed to by res only if the local system has > >at least one IPv4

[PATCH nf-next 0/2] netfilter: untracked object removal

2017-03-08 Thread Florian Westphal
These patches remove the percpu untracked objects, they get replaced with a new (kernel internal) ctinfo state. This avoids reference counter operations for untracked packets and removes the need to check a conntrack for the UNTRACKED status bit before setting connmark, labels, etc. I checked

[PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names

2017-03-08 Thread Pablo Neira Ayuso
We have to print nft at the very beginning for each rule that results from the expansion, otherwise the output is not correct: # iptables-translate -I INPUT -s yahoo.com nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter insert rule ip filter INPUT ip saddr 98.138.253.109 counter

[PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo()

2017-03-08 Thread Pablo Neira Ayuso
According to man getaddrinfo(3): If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses are returned in the list pointed to by res only if the local system has at least one IPv4 address configured, and IPv6 addresses are only returned if the local system has at least one IPv6

[PATCH nf-next 1/2] netfilter: kill the fake untracked conntrack objects

2017-03-08 Thread Florian Westphal
resurrect an old patch from Pablo Neira to remove the untracked objects. Currently, there are four possible states of an skb wrt. conntrack. 1. No conntrack attached, ct is NULL. 2. Normal (kmem cache allocated) ct attached. 3. a template (kmalloc'd), not in any hash tables at any point in time

ANNOUNCE: Verizon Labs New Platinum Sponsor

2017-03-08 Thread Jamal Hadi Salim
The organizing committee is happy to announce Verizon Labs as our second Platinum sponsor. Verizon Labs has been a solid supporter of the netdev community from the very first conference. We appreciate you! cheers, jamal

[PATCH nf-next 2/2] netfilter: remove nf_ct_is_untracked

2017-03-08 Thread Florian Westphal
This function is now obsolete and always returns false, change has no effect on generated code. Signed-off-by: Florian Westphal --- include/net/ip_vs.h | 4 ++-- include/net/netfilter/nf_conntrack.h | 5 -

Re: [iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-08 Thread Phil Sutter
On Wed, Mar 08, 2017 at 11:36:52AM +0100, Pablo Neira Ayuso wrote: > On Tue, Mar 07, 2017 at 09:07:45PM +0100, Phil Sutter wrote: > > On Tue, Mar 07, 2017 at 08:31:58PM +0100, Pablo Neira Ayuso wrote: > > > On Tue, Mar 07, 2017 at 05:54:09PM +0100, Phil Sutter wrote: > > > > On Tue, Mar 07, 2017

Re: [PATCH iptables] libxtables: fix wrong naddr when using localhost

2017-03-08 Thread Alexander Alemayhu
On Wed, Mar 08, 2017 at 10:55:32AM +0100, Pablo Neira Ayuso wrote: > > This is actually a generic problem: > > # iptables -I INPUT -p tcp -s localhost > > results in: > > # iptables-save > # Generated by iptables-save v1.6.1 on Wed Mar 8 10:53:07 2017 > *filter > :INPUT ACCEPT [13:1628] >

Re: [PATCH iptables] libxtables: fix wrong naddr when using localhost

2017-03-08 Thread Pablo Neira Ayuso
On Wed, Mar 08, 2017 at 12:28:13AM +0100, Alexander Alemayhu wrote: > $ iptables-translate -A INPUT -p tcp -s localhost --dport 8000 -j ACCEPT > > gives > > nft add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 8000 counter accept > add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport

Re: [iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-08 Thread Pablo Neira Ayuso
On Tue, Mar 07, 2017 at 09:07:45PM +0100, Phil Sutter wrote: > On Tue, Mar 07, 2017 at 08:31:58PM +0100, Pablo Neira Ayuso wrote: > > On Tue, Mar 07, 2017 at 05:54:09PM +0100, Phil Sutter wrote: > > > On Tue, Mar 07, 2017 at 05:20:55PM +0100, Pablo Neira Ayuso wrote: > > > > On Tue, Mar 07, 2017

Re: [iptables PATCH] extensions: libxt_addrtype: Add translation to nft

2017-03-08 Thread Pablo Neira Ayuso
On Wed, Mar 08, 2017 at 02:06:14AM +0100, Phil Sutter wrote: > Translate addrtype match into fib expression: > > $ iptables-translate -A INPUT -m addrtype --src-type LOCAL > nft add rule ip filter INPUT fib saddr type local counter > > $ iptables-translate -A INPUT -m addrtype --dst-type LOCAL >