> On 23 May 2018, at 23:40, Toke Høiland-Jørgensen wrote:
>
>
> Hmm, and we still have an issue with ingress filtering (where cake is
> running on an ifb interface). That runs pre-NAT in the conntrack case,
> and we can't do the RX trick. Here we do the lookup manually in
> conntrack (and thi
Pablo Neira Ayuso writes:
> On Tue, May 22, 2018 at 04:11:06PM +0200, Toke Høiland-Jørgensen wrote:
>> Pablo Neira Ayuso writes:
>>
>> > Hi Toke,
>> >
>> > On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote:
>> >> When CAKE is deployed on a gateway that also performs NAT (wh
On Tue, May 22, 2018 at 04:11:06PM +0200, Toke Høiland-Jørgensen wrote:
> Pablo Neira Ayuso writes:
>
> > Hi Toke,
> >
> > On Tue, May 22, 2018 at 03:57:38PM +0200, Toke Høiland-Jørgensen wrote:
> >> When CAKE is deployed on a gateway that also performs NAT (which is a
> >> common deployment mode
David Miller writes:
> From: Toke Høiland-Jørgensen
> Date: Wed, 23 May 2018 23:05:16 +0200
>
>> Ah, right, that could work. Is there any particular field in sk_buff
>> we should stomp on for this purpose, or would you prefer a new one?
>> Looking through it, the only obvious one that comes to m
The error message is still shown, but try to make sense of further
expressions (if any).
I tried to replace the expression by a textual representation.
Two variants I tested are:
1. append as comment:
ip saddr 127.0.0.2 drop comment "unknown expression 'foo'"
This allows nft -f, but it adds
From: Toke Høiland-Jørgensen
Date: Wed, 23 May 2018 23:05:16 +0200
> Ah, right, that could work. Is there any particular field in sk_buff
> we should stomp on for this purpose, or would you prefer a new one?
> Looking through it, the only obvious one that comes to mind is, well,
> skb->_nfct :)
>
David Miller writes:
> From: Toke Høiland-Jørgensen
> Date: Wed, 23 May 2018 22:38:30 +0200
>
>> How would this work?
>
> On egress the core networking flow dissector records what you need
> somewhere in SKB or wherever. You later retrieve it at egress time
> after NAT has occurred.
Ah, right,
From: Toke Høiland-Jørgensen
Date: Wed, 23 May 2018 22:38:30 +0200
> How would this work?
On egress the core networking flow dissector records what you need
somewhere in SKB or wherever. You later retrieve it at egress time
after NAT has occurred.
> It's about making sure the per-host fairness
From: Jonathan Morton
Date: Wed, 23 May 2018 23:33:04 +0300
> Now I'm *really* confused.
>
> Are you saying that the user has to set up their own conntrack
> mechanism using extra userspace commands? Because complicating the
> setup process that way runs directly counter to Cake's design
> phil
David Miller writes:
> From: Toke Høiland-Jørgensen
> Date: Tue, 22 May 2018 15:57:38 +0200
>
>> When CAKE is deployed on a gateway that also performs NAT (which is a
>> common deployment mode), the host fairness mechanism cannot distinguish
>> internal hosts from each other, and so fails to wor
From: Pablo Neira Ayuso
Date: Wed, 23 May 2018 20:42:36 +0200
> The following patchset contains Netfilter updates for your net-next
> tree, they are:
...
> This batch comes with a conflict between 25fd386e0bc0 ("netfilter:
> core: add missing __rcu annotation") in your tree and 2c205dd3981f
>
> On 23 May, 2018, at 11:04 pm, David Miller wrote:
>
> Who said anything about using an ingress qdisc to record/remember
> this information?
Now I'm *really* confused.
Are you saying that the user has to set up their own conntrack mechanism using
extra userspace commands? Because complicatin
From: Jonathan Morton
Date: Wed, 23 May 2018 22:31:53 +0300
> Remember that it takes two different qdiscs to implement ingress and
> egress on the same physical interface, and there's no obvious
> logical link between them - especially since the ingress one has to
> be attached to an ifb, not to
> On 23 May, 2018, at 9:44 pm, David Miller wrote:
>
> I'd much rather you do something NAT method agnostic, like save
> or compute the necessary information on ingress and then later
> use it on egress.
We were under the impression that conntrack was the cleanest and most correct
way to convey
From: Florian Westphal
Stephen Rothwell says:
today's linux-next build (x86_64 allmodconfig) produced this warning:
./usr/include/linux/netfilter/nf_osf.h:25: found __[us]{8,16,32,64} type
without #include
Fix that up and also move kernel-private struct out of uapi (it was not
exposed in a
From: Laura Garcia Liebana
This patch creates new attributes to accept a map as argument and
then perform the lookup with the generated hash accordingly.
Both current hash functions are supported: Jenkins and Symmetric Hash.
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
From: Florian Westphal
Copy-pasted, both l3 helpers use almost the same code here.
Split out the common part into an 'inet' helper.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_nat_core.h | 7
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 5
From: Florian Westphal
nfnetlink tracing is available since nft 0.6 (June 2016).
Remove old nf_log based tracing to avoid rule counter in main loop.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_core.c | 29 +++--
1 file c
From: Florian Westphal
This will allow the nat core to reuse the nf_hook infrastructure
to maintain nat lookup functions.
The raw versions don't assume a particular hook location, the
functions get added/deleted from the hook blob that is passed to the
functions.
Signed-off-by: Florian Westphal
From: Florian Westphal
This reverts commit f92b40a8b2645
("netfilter: core: only allow one nat hook per hook point"), this
limitation is no longer needed. The nat core now invokes these
functions and makes sure that hook evaluation stops after a mapping is
created and a null binding is created o
From: Fernando Fernandez Mancera
Signed-off-by: Fernando Fernandez Mancera
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index e57c9d479503..a5b60e6a983e 100644
--- a/
From: Florian Westphal
Will be used in followup patch when nat types no longer
use nf_register_net_hook() but will instead register with the nat core.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 8
net/ipv4/netfilter
From: Toke Høiland-Jørgensen
Date: Tue, 22 May 2018 15:57:38 +0200
> When CAKE is deployed on a gateway that also performs NAT (which is a
> common deployment mode), the host fairness mechanism cannot distinguish
> internal hosts from each other, and so fails to work correctly.
>
> To fix this,
Add garbage collection logic to expire elements stored in the rb-tree
representation.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_set_rbtree.c | 75 --
1 file changed, 72 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_set_rbtree.c
Move decode_session() and parse_nat_setup_hook() indirections to struct
nf_nat_hook structure.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter.h| 21 -
include/net/netfilter/nf_nat_core.h | 7 ---
net/netfilter/core.c | 8 +++---
Move the nf_ct_destroy indirection to the struct nf_ct_hook.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter.h | 7 ++-
net/netfilter/core.c | 14 +++---
net/netfilter/nf_conntrack_core.c | 9 ++---
3 files changed, 19 insertions(+), 11 deletio
In nfqueue, two consecutive skbuffs may race to create the conntrack
entry. Hence, the one that loses the race gets dropped due to clash in
the insertion into the hashes from the nf_conntrack_confirm() path.
This patch adds a new nf_conntrack_update() function which searches for
possible clashes a
From: Florian Westphal
Currently the packet rewrite and instantiation of nat NULL bindings
happens from the protocol specific nat backend.
Invocation occurs either via ip(6)table_nat or the nf_tables nat chain type.
Invocation looks like this (simplified):
NF_HOOK()
|
`---iptable_nat
From: Florian Westphal
The ip(6)tables nat table is currently receiving skbs from the netfilter
core, after a followup patch skbs will be coming from the netfilter nat
core instead, so the table is no longer backed by normal hook_ops.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira A
From: Vincent Bernat
In commit 47b7e7f82802, this bit was removed at the same time the
RT6_LOOKUP_F_IFACE flag was removed. However, it is needed when
link-local addresses are used, which is a very common case: when
packets are routed, neighbor solicitations are done using link-local
addresses. F
From: Taehee Yoo
The struct nft_af_info was removed.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
include/net/netns/nftables.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h
index 48134353411d..29c3851b486a 10
From: Florian Westphal
This adds the infrastructure to register nat hooks with the nat core
instead of the netfilter core.
nat hooks are used to configure nat bindings. Such hooks are registered
from ip(6)table_nat or by the nftables core when a nat chain is added.
After next patch, nat hooks
Hi David,
The following patchset contains Netfilter updates for your net-next
tree, they are:
1) Remove obsolete nf_log tracing from nf_tables, from Florian Westphal.
2) Add support for map lookups to numgen, random and hash expressions,
from Laura Garcia.
3) Allow to register nat hooks for
From: Laura Garcia Liebana
This patch uses the map lookup already included to be applied
for random number generation.
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_numgen.c | 76 +++---
1 file changed, 72 in
These have to be included always when nf_socket.h is included.
Signed-off-by: Máté Eckl
---
include/net/netfilter/nf_socket.h | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_socket.h
b/include/net/netfilter/nf_socket.h
index 8230fefff9f5..29b63
On Wed, May 23, 2018 at 11:16:27AM +0200, Máté Eckl wrote:
> These have to be included always when nf_socket.h is included.
>
> Signed-off-by: Máté Eckl
> ---
> include/net/netfilter/nf_socket.h | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/include/net/netfilter/nf_socket.h
> b/i
The following ruleset:
add table ip filter
add chain ip filter input { type filter hook input priority 4; }
add chain ip filter ap
add rule ip filter input jump ap
add rule ip filter ap masquerade
results in a panic, because the masquerade extension should be rejected
from the filter chain.
From: kbuild test robot
net/netfilter/nft_numgen.c:117:1-3: WARNING: PTR_ERR_OR_ZERO can be used
Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR
Generated by: scripts/coccinelle/api/ptr_ret.cocci
Fixes: d734a2888922 ("netfilter: nft_numgen: add map lookups for numgen
statements")
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: 0c6bca747111dee19aa48c8f73d77fc85fcb8dd0
commit: b9ccc07e3f31ad8073697982bac014fbceef7ecb [4/18] netfilter: nft_hash:
add map lookups for hashing operations
coccinelle warnings: (new ones prefixed by >>)
>>
From: kbuild test robot
net/netfilter/nft_hash.c:180:1-3: WARNING: PTR_ERR_OR_ZERO can be used
net/netfilter/nft_hash.c:223:1-3: WARNING: PTR_ERR_OR_ZERO can be used
Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR
Generated by: scripts/coccinelle/api/ptr_ret.cocci
Fixes: b9ccc07e3f
On Tue, May 15, 2018 at 09:23:31PM +0900, Taehee Yoo wrote:
> The struct nft_af_info was removed.
This one applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel
On Wed, May 23, 2018 at 10:19:09AM +0200, Simon Horman wrote:
> On Sat, May 19, 2018 at 06:22:35PM +0300, Julian Anastasov wrote:
> > syzkaller reports a buffer overflow for the interface name
> > when starting sync daemons [1]
> >
> > What we do is that we copy user structure into larger stack
> >
These have to be included always when nf_socket.h is included.
Signed-off-by: Máté Eckl
---
include/net/netfilter/nf_socket.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/net/netfilter/nf_socket.h
b/include/net/netfilter/nf_socket.h
index 8230fefff9f5..bf1680be54c3 100644
---
On Sat, May 19, 2018 at 06:22:35PM +0300, Julian Anastasov wrote:
> syzkaller reports a buffer overflow for the interface name
> when starting sync daemons [1]
>
> What we do is that we copy user structure into larger stack
> buffer but later we search NUL past the stack buffer.
> The same happens f
On Mon, Apr 30, 2018 at 10:28:16AM +0200, David Fabian wrote:
> Hello,
>
> this series of patches follows a discussion brought here about adding support
> for deeper variable scopes especially in the flat notation. These patches add
> a new variable scope to each include statement. The new scope
On Fri, May 11, 2018 at 12:15:41AM +0200, Laura Garcia Liebana wrote:
> This patch introduces two new attributes for hash expression
> to allow map lookups where the hash is the key.
>
> The new attributes are NFTNL_EXPR_HASH_SET_NAME and
> NFTNL_EXPR_HASH_SET_ID in order to identify the given map
On Mon, May 21, 2018 at 07:11:51PM +0200, Laura Garcia Liebana wrote:
> These series apply some small code cleanups.
Series applied, thanks Laura.
On Thu, May 17, 2018 at 10:49:49PM +0900, Taehee Yoo wrote:
> In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg.
> But the correct type is u8, so that sometimes an incorrect value is dereferenced.
>
> Steps to reproduce:
>
>%nft add table ip filter
>%nft add chain ip filte
On Sun, May 20, 2018 at 01:03:38PM +0200, Vincent Bernat wrote:
> In commit 47b7e7f82802, this bit was removed at the same time the
> RT6_LOOKUP_F_IFACE flag was removed. However, it is needed when
> link-local addresses are used, which is a very common case: when
> packets are routed, neighbor sol
Applied, thanks Fernando.
On Mon, May 14, 2018 at 11:46:52PM +0200, Florian Westphal wrote:
[...]
> After this change, the base NAT hooks gets registered not from iptable_nat
> or nftables nat hooks, but from the l3 nat core via the ipv4/ipv6 nat
> backend.
Series applied, thanks Florian.