[PATCH nft] src: trace: fix policy printing

2018-06-20 Thread Florian Westphal
9f40c5c7 inet filter input verdict continue trace id 9f40c5c7 inet filter input policy drop Reported-by: v...@gmx.net Signed-off-by: Florian Westphal --- src/netlink.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/src/netlink.c b/src/netlink.

Re: [PATCH nft] Add tproxy support

2018-06-20 Thread Florian Westphal
Máté Eckl wrote: > On Wed, Jun 20, 2018 at 01:29:51PM +0200, Florian Westphal wrote: > > Máté Eckl wrote: > > > This patch is built on the commit not applied yet with the title: > > > evaluate: Detect address family in inet context > > > > You can

Re: nft 0.8.2 - icmp missing verdict

2018-06-20 Thread Florian Westphal
ѽ҉ᶬḳ℠ wrote: moving to nf-devel. > Having this very simple setup icmp is not getting through at the target > machine. Flushing the nft ruleset the icmp traffic is getting through. Yes, this set > table inet filter { >     chain input { >         type filter hook input priority 0; policy drop;

Re: [PATCH nf-next] netfilter: Add native tproxy support for nf_tables

2018-06-20 Thread Florian Westphal
Pablo Neira Ayuso wrote: > A few comments on top of Florian's. > > On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote: > [...] > > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6) > > +static void nft_tproxy_eval_v6(const struct nft_expr *expr, > > + struct nft_regs *regs, > >

Re: [PATCH nf-next] netfilter: Add native tproxy support for nf_tables

2018-06-20 Thread Florian Westphal
Máté Eckl wrote: > There are some changes compared to the iptables implementation: > - tproxy statement is not terminal here > - no transport protocol criterion is necessary to set target ip address > + const struct nft_tproxy *priv = nft_expr_priv(expr); > + struct sk_buff *skb =

Re: [PATCH nft] evaluate: Detect address family in inet context

2018-06-20 Thread Florian Westphal
add rule inet x y tproxy to 1.1.1.1 > Error: Could not resolve hostname: Address family for hostname not > supported > add rule inet x y tproxy to 1.1.1.1 I see no problem here, so Acked-by: Florian Westphal -- To unsubscribe from this list: send the line "unsubscribe net

Re: [PATCH v2] nftables: Fix typos/Grammatical Errors

2018-06-19 Thread Florian Westphal
Arushi Singhal wrote: > typos/Grammatical errors are corrected. Applied, thanks everyone.

[PATCH] xtables: warn in case old-style (set/getsockopt) tables exist

2018-06-19 Thread Florian Westphal
Provide a hint that iptables isn't showing all rules because it's using nfnetlink rather than old set/getsockopt. Signed-off-by: Florian Westphal --- iptables/nft-shared.c | 29 + iptables/nft-shared.h | 1 + iptables/xtables-save.c | 20

[PATCH xtables] xtables: add nf_tables vs. legacy postfix to version strings

2018-06-18 Thread Florian Westphal
(nf_tables) Suggested-by: Harald Welte Signed-off-by: Florian Westphal --- iptables/ip6tables-restore.c | 2 +- iptables/ip6tables-save.c| 9 - iptables/ip6tables.c | 2 +- iptables/iptables-restore.c | 2 +- iptables/iptables-save.c | 9 - iptables/iptables.c

[PATCH xtables v2] xtables: add xtables-monitor

2018-06-18 Thread Florian Westphal
t-pfx 1c3::/64 NEWGEN: GENID=6581 PID=15601 NAME=xtables-multi Signed-off-by: Florian Westphal --- Changes since v1: - allow filtering for ip(6)tables, but also allow listing both ipv4/ipv6 events - add fallback for nft-style events for base chains (hook prios etc) - change to -N/-X for us

[PATCH nf] netfilter: nf_conncount: fix garbage collection confirm race

2018-06-18 Thread Florian Westphal
got moved around). This most likely also fixes an xt_connlimit imbalance earlier reported by Dmitry Andrianov. Cc: Dmitry Andrianov Reported-by: Justin Pettit Reported-by: Yi-Hung Wei Signed-off-by: Florian Westphal --- Only compile tested so far, sending it now to illustrate idea and so

[PATCH xtables 3/3] xtables: add xtables-monitor

2018-06-17 Thread Florian Westphal
t-pfx 1c3::/64 NEWGEN: GENID=6581 PID=15601 NAME=xtables-multi Signed-off-by: Florian Westphal --- iptables/Makefile.am| 3 +- iptables/xtables-compat-multi.c | 1 + iptables/xtables-monitor.c | 639 iptables/xtables-multi.c| 1 -

[PATCH xtables 2/3] xtables: translate nft meta trace set 1 to -j TRACE

2018-06-17 Thread Florian Westphal
nft meta expr enables the nfnetlink based trace infrastructure, so prefer to use that rather than xt_TRACE. Signed-off-by: Florian Westphal --- iptables/nft-shared.c | 65 +-- iptables/nft-shared.h | 5 iptables/nft.c| 25

[PATCH xtables 1/3] include: update kernel netfilter header files

2018-06-17 Thread Florian Westphal
needed to get the TRACE definition. Signed-off-by: Florian Westphal --- include/linux/netfilter.h | 15 +- include/linux/netfilter/nf_tables.h | 680 +++- include/linux/netfilter/nfnetlink.h | 16 + 3 files changed, 703 insertions(+), 8 deletions(-) diff

Re: [nft PATCH] doc: Fix typo in Makefile.am

2018-06-16 Thread Florian Westphal
Phil Sutter wrote: > Previous patch adding libnftables man page missed a backslash. applied, thanks.

[PATCH nf-next] netfilter: flowtables: use fixed renew timeout on teardown

2018-06-15 Thread Florian Westphal
This is one of the very few external callers of ->get_timeouts(), We can use a fixed timeout instead, conntrack core will refresh this in case a new packet comes within this period. Use of ESTABLISHED timeout seems way too huge anyway. Signed-off-by: Florian Westphal --- net/netfil

[PATCH nf-next 6/7] netfilter: conntrack: remove invert_tuple indirection from l3 protocol trackers

2018-06-13 Thread Florian Westphal
It's simpler to just handle it directly in nf_ct_invert_tuple(). Also gets rid of need to pass l3proto pointer to resolve_conntrack(). Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_core.h | 1 - include/net/netfilter/nf_conntrack_l3proto.h | 7 --- net/ipv4

[PATCH nf-next 7/7] netfilter: conntrack: remove get_l4proto indirection from l3 protocol trackers

2018-06-13 Thread Florian Westphal
Handle it in the core instead. ipv6_skip_exthdr() is built-in even if ipv6 is a module, i.e. this doesn't create an ipv6 dependency. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_l3proto.h | 8 -- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 30 --- net

[PATCH nf-next 4/7] netfilter: conntrack: remove ctnetlink callbacks from l3 protocol trackers

2018-06-13 Thread Florian Westphal
art with ctnetlink, then move on to packet-path ones. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_core.h | 6 +- include/net/netfilter/nf_conntrack_l3proto.h | 8 --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 47 - net/ipv6/netfil

[PATCH nf-next 5/7] netfilter: conntrack: remove pkt_to_tuple indirection from l3 protocol trackers

2018-06-13 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_l3proto.h | 7 - net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 17 --- net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18 net/netfilter/nf_conntrack_core.c | 39

[PATCH nf-next 2/7] netfilter: utils: move nf_ip6_checksum* from ipv6 to utils

2018-06-13 Thread Florian Westphal
similar to previous change, this also allows to remove it from nf_ipv6_ops and avoid the indirection. It also removes the bogus dependency of nf_conntrack_ipv6 on ipv6 module: ipv6 checksum functions are built into kernel even if CONFIG_IPV6=m, but ipv6/netfilter.o isn't. Signed-off-by: Florian

[PATCH nf-next 3/7] openvswitch: use nf_ct_get_tuplepr, invert_tuplepr

2018-06-13 Thread Florian Westphal
These versions deal with the l3proto/l4proto details internally. After this, l3proto->get_l4proto() can be removed in a followup patch. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_core.h | 7 --- net/netfilter/nf_conntrack_core.c | 3 +-- net/openvswi

[PATCH nf-next 1/7] netfilter: utils: move nf_ip_checksum* from ipv4 to utils

2018-06-13 Thread Florian Westphal
allows to make nf_ip_checksum_partial static, it no longer has an external caller. Signed-off-by: Florian Westphal --- include/linux/netfilter_ipv4.h | 11 - net/ipv4/netfilter.c | 53 net/netfilter/utils.c | 55

[PATCH nf-next 0/7] netfilter: preparation work to remove l3 trackers

2018-06-13 Thread Florian Westphal
This patch series does some initial preparation work with the (eventual) goal to remove nf_conntrack_ipv{4,6} and replace it with a builtin inet tracker that handles both protocols. The first two patches move nf_ip_checksum handling out of ipv4/ip6. This is to get rid of the (unneeded)

Re: [PATCH nf-next v4] netfilter: nft_ct: add ct timeout support

2018-06-12 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > Unrelated to your patch: I think timeout handling is braindead > > in current conntrack, we should revisit this. > > By now, I think it's fine as is, I mean using the template, so > Harsha/someone else can have a look at this in a second step. Yes, sure. It's on my

[PATCH nf] netfilter: xt_connmark: fix list corruption on rmmod

2018-06-12 Thread Florian Westphal
This needs to use xt_unregister_targets, else new revision is left on the list which then causes list to point to a target struct that has been free'd. Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for CONNMARK & MARK targets.") Signed-off-by: Florian West

Re: [PATCH nf-next v4] netfilter: nft_ct: add ct timeout support

2018-06-12 Thread Florian Westphal
Harsha Sharma wrote: > +ctnl_timeout_parse_policy(void *timeouts, > + const struct nf_conntrack_l4proto *l4proto, > + struct net *net, const struct nlattr *attr) > +{ > + int ret = 0; > + struct nlattr **tb; > + > + if

[PATCH nf] netfilter: ctnetlink: avoid null pointer dereference

2018-06-11 Thread Florian Westphal
Dan Carpenter points out that deref occurs after NULL check, we should re-fetch the pointer and check that instead. Fixes: 2c205dd3981f7 ("netfilter: add struct nf_nat_hook and use it") Reported-by: Dan Carpenter Signed-off-by: Florian Westphal --- Not even compile tested, patch is v

Re: [PATCH nf-next] netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()

2018-06-11 Thread Florian Westphal
Taehee Yoo wrote: > When depth of chain is bigger than NFT_JUMP_STACK_SIZE, > the nft_do_chain crashes. > But there is no need to crash hard here. Thanks a lot for following up. Acked-by: Florian Westphal

Re: [PATCH nf-next] netfilter: nf_tables: fix jumpstack depth validation

2018-06-11 Thread Florian Westphal
Taehee Yoo wrote: > The level of struct nft_ctx is updated by nf_tables_check_loops(). [..] > [ 168.803743] kernel BUG at net/netfilter/nf_tables_core.c:186! Could you also send a followup patch to replace this BUG_ON with WARN_ON_ONCE+ return NF_DROP? There is no need to crash hard here. --

[PATCH nf 2/2] netfilter: nf_tables: close race between netns exit and rmmod

2018-06-11 Thread Florian Westphal
care of cleanup work. We also need to make sure the netdev hook type gets removed before netns ops removal, else notifier might be invoked with device event for a netns where net->nft was never initialised (because pernet ops was removed beforehand). Signed-off-by: Florian Westphal ---

[PATCH nf 1/2] netfilter: nf_tables: fix module unload race

2018-06-11 Thread Florian Westphal
ill registered. Change netns exit path of nf_tables to make sure any incomplete transaction gets removed on exit. Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 12 +--- net/netfilter/nfnetlink.c | 10 +++--- 2 files changed, 16 insertions(+), 6 deleti

Re: Tproxy matching syntax

2018-06-09 Thread Florian Westphal
Máté Eckl wrote: > I've been working on implementing tproxy matching to nftables, and I'd like > you > to comment on the planned syntax and possibilities. > > Basically I have planned an interface similar to nat statements with some > restrictions. > > tproxy [][:] > > The restrictions

[ANNOUNCE] nftables 0.9.0 release

2018-06-08 Thread Florian Westphal
Hi! The Netfilter project proudly presents: nftables 0.9.0 This release contains fixes and following 'future features' that will be available with upcoming 4.18 kernel: - support to check if packet matches an existing socket. This work is done as part of the "Summer of code" program and

[ANNOUNCE] libnftnl 1.1.1 release

2018-06-08 Thread Florian Westphal
Hi! The Netfilter project proudly presents: libnftnl 1.1.1 libnftnl is a userspace library providing a low-level netlink programming interface (API) to the in-kernel nf_tables subsystem. This library is currently used by the nft command line tool. There are only a few changes since 1.1.0. Full

Re: [PATCH] iptables: tests: shell: add shell test-suite

2018-06-08 Thread Florian Westphal
Pablo Neira Ayuso wrote: > Can we avoid having the same script twice for iptables and ip6tables? Yes, please. > I mean, call the same script setting $IPTABLES to iptables or > ip6tables. We'll also want to use other frontends in the future, e.g. arptables, ebtables, iptables-compat, etc. so it's

[PATCH nf] netfilter: x_tables: initialise match/target check parameter struct

2018-06-07 Thread Florian Westphal
ded there. Reported-by: syzbot+da4494182233c23a5...@syzkaller.appspotmail.com Fixes: 55917a21d0cc0 ("netfilter: x_tables: add context to know if extension runs from nft_compat") Signed-off-by: Florian Westphal --- net/bridge/netfilter/ebtables.c | 2 ++ net/ipv4/netfilter/ip_tables.c |

Re: [nft PATCH] Explicitly deny concatenated types in interval sets

2018-06-06 Thread Florian Westphal
Phil Sutter wrote: > Previously, this triggered a program abort: > > | # nft add table ip t > | # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval > ; }' > | # nft add element ip t my_set '{10.0.0.1 . tcp }' > | BUG: invalid range expression type concat > | nft:

Re: [PATCH] build: update ebtables.h from kernel and drop local unused copy

2018-06-06 Thread Florian Westphal
Jan Engelhardt wrote: > Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use > again and import a new ebtables.h > from the kernel tree that has the "revision" field. > > With this, include/ebtables.h is (again) used by no source file, and > so can be removed. Looks good,

[PATCH v2 nf] netfilter: ebtables: reject non-bridge targets

2018-06-06 Thread Florian Westphal
have AF_BRIDGE specific wrappers on kernel side. Reported-by: syzbot+2b43f681169a2a0d3...@syzkaller.appspotmail.com Signed-off-by: Florian Westphal --- net/bridge/netfilter/ebtables.c | 13 + 1 file changed, 13 insertions(+) diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge

[PATCH nf] netfilter: ebtables: reject non-bridge targets

2018-06-06 Thread Florian Westphal
will consider these as jumps. Therefore reject any target found due to unspec fallback. Reported-by: syzbot+2b43f681169a2a0d3...@syzkaller.appspotmail.com Signed-off-by: Florian Westphal --- net/bridge/netfilter/ebtables.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/net/bridge/netfilter

Re: [nft PATCH] nft.8: Fix reject statement documentation

2018-06-06 Thread Florian Westphal
Phil Sutter wrote: > First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In > addition to that, parameter 'type' expects an icmp*_code type, not > icmp*_type. The respective table column was already correct, but in > synopsis it was wrong. Applied, thanks. -- To unsubscribe from

Re: [PATCH nftables] configure.ac: fix a typo in docbook2x error message.

2018-06-05 Thread Florian Westphal
Fernando Fernandez Mancera wrote: > The correct name is "docbook2x-man" not "docbookx2-man". applied, thanks.

[PATCH nf-next] netfilter: nf_tables: handle chain name lookups via rhltable

2018-06-02 Thread Florian Westphal
drops the nfnl mutex (for request_module) and the abort of this old transaction is still pending. The list is kept -- we need a way to iterate chains even if hash resize is in progress without missing an entry. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_tables.h | 7 ++- net

Re: [PATCH nf-next] netfilter: Libify xt_TPROXY

2018-06-02 Thread Florian Westphal
Máté Eckl wrote: > On Fri, Jun 01, 2018 at 08:59:07PM +0200, Florian Westphal wrote: > > Máté Eckl wrote: > > > diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig > > > index d03bc5a01a70..24802a2a9a90 100644 > > > --- a/net/ipv4/netfilter/Kc

Re: [PATCH nf-next] netfilter: Libify xt_TPROXY

2018-06-01 Thread Florian Westphal
Máté Eckl wrote: > diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig > index d03bc5a01a70..24802a2a9a90 100644 > --- a/net/ipv4/netfilter/Kconfig > +++ b/net/ipv4/netfilter/Kconfig > @@ -29,7 +29,13 @@ config NF_SOCKET_IPV4 > tristate "IPv4 socket lookup support" >

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Florian Westphal
Máté Eckl wrote: > On Thu, May 31, 2018 at 08:39:35PM +0200, Florian Westphal wrote: > > Máté Eckl wrote: > > > On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote: > > > > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote: > > > >

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Florian Westphal
Máté Eckl wrote: > On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote: > > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote: > > > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote: > > > > > I just wanted to make sure that the only accepted values are 0

Re: [PATCH nf-next] netfilter: x_tables: Decrease code duplication in tproxy target

2018-05-31 Thread Florian Westphal
Máté Eckl wrote: > Transparent socket check is already implemented in nf_socket.h. Acked-by: Florian Westphal

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-30 Thread Florian Westphal
Pablo Neira Ayuso wrote: > I suspect you're missing some code in the evaluation phase? > > So you get left->len 1 and right->len 4? Yes, meta template sets len of 1, whereas RHS is 8 bit. This can be fixed up during delinearization, in this case we can know that kernel actually stores 1 byte.

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-30 Thread Florian Westphal
Máté Eckl wrote: > Not all of the occurrences are covered as this information is not > available in the scope where the error message is printed. Looks good to me, I'll apply in a few hours in case there are no further comments.

Re: [PATCH nft] Introduce socket matching

2018-05-30 Thread Florian Westphal
Máté Eckl wrote: > On Mon, May 28, 2018 at 05:43:18PM +0200, Florian Westphal wrote: > > Máté Eckl wrote: > > > > +const struct socket_template socket_templates[] = { > > > > + [NFT_SOCKET_TRANSPARENT

Re: [PATCH nf v2] netfilter: xt_CT: Reject the non-null terminated string from user space

2018-05-30 Thread Florian Westphal
gfree.w...@vip.163.com wrote: > From: Gao Feng > > The helper and timeout strings are from user-space, we need to make > sure they are null terminated. If not, evil user could make kernel Looks good to me, thank you. Acked-by: Florian Westphal

Re: using specific ip address to restrict traffic flow on mips linux target is not permited ?

2018-05-29 Thread Florian Westphal
Rosysong wrote: > I met a strange issue on nftables when I ran my commands on Linux (mips > target, linux-4.9.102). > Using specific ip address can not restrict the traffic flow while using > broadcast address is ok (The ip for my machine is 192.168.2.223). Anybody > can tell me why

[PATCH nft] tests: shell: add crash reproducer

2018-05-29 Thread Florian Westphal
othy Redaelli Signed-off-by: Florian Westphal --- tests/shell/testcases/cache/0001_cache_handling_0 | 4 1 file changed, 4 insertions(+) diff --git a/tests/shell/testcases/cache/0001_cache_handling_0 b/tests/shell/testcases/cache/0001_cache_handling_0 index 20c19117033d..77afdf8d9072 100755 ---

[PATCH nf-next] netfilter: nf_tables: fix jump evaluation

2018-05-29 Thread Florian Westphal
phase") Signed-off-by: Florian Westphal Please consider squashing this. --- net/netfilter/nf_tables_core.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c index c3315aa855f8..03dce8ff6f0d 100644 --- a/net

Re: [PATCH nf-next 2/8] netfilter: nf_tables: nf_tables_gettable: use call_rcu

2018-05-29 Thread Florian Westphal
kbuild test robot wrote: > >> include/linux/rcupdate.h:686:9: sparse: context imbalance in > >> 'nft_netlink_dump_start_rcu' - unexpected unlock Yep, i forgot to mention this in change log. I don't know how to fix this. nft_netlink_dump_start_rcu() is called with rcu read lock held. But we

[PATCH xtables] xtables-compat: append all errors into single line

2018-05-28 Thread Florian Westphal
ed error reporting"). Signed-off-by: Florian Westphal --- iptables/nft.c | 56 +--- 1 file changed, 37 insertions(+), 19 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index e33d00f4259c..6c68600fd979 100644 --- a/iptables/nft.c +

[PATCH xtables] xtables-compat: ignore '+' interface name

2018-05-28 Thread Florian Westphal
it's the same as omitting it, so instead of generating invalid compare-with-0-sized-register, just ignore it. Reported-by: Pablo Neira Ayuso Signed-off-by: Florian Westphal --- iptables/nft-shared.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/iptables/nft

Re: [PATCH nf] netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()

2018-05-28 Thread Florian Westphal
xes: e46abbcc05aa8 ("netfilter: nf_tables: Allow table names of up to 255 chars") Acked-by: Florian Westphal <f...@strlen.de>

Re: [PATCH nf-next] netfilter: nf_tables: remove unused variables

2018-05-28 Thread Florian Westphal
Taehee Yoo <ap420...@gmail.com> wrote: > The comment and trace_loginfo are not used anymore. Indeed, thanks for fixing this up. Acked-by: Florian Westphal <f...@strlen.de>

Re: [PATCH] ebtables: fix limit and mark modules incompatibilities between 32-bit user space and 64-bit kernel space

2018-05-28 Thread Florian Westphal
Alin Nastac wrote: What's wrong exactly? 64bit kernel should be able to understand this without userspace kludges (see net/bridge/netfilter/ebt_mark_m.c, mark_mt_compat_from_user()).

Re: [PATCH nft] Introduce socket matching

2018-05-28 Thread Florian Westphal
Máté Eckl wrote: > > +const struct socket_template socket_templates[] = { > > + [NFT_SOCKET_TRANSPARENT]= {.token = "transparent", > > + .dtype = _type, > > + .len = 1 * BITS_PER_BYTE, > > I

Re: [nft PATCH 14/14] meter: Don't print default size value

2018-05-28 Thread Florian Westphal
Phil Sutter wrote: > A meter size of 0x is the default, so regardless of whether it was > explicitly specified by user or not, don't print it. This is in line > with nft's tendency of shortening rules down to the minimal required > form. I think it should be printed to not

[PATCH nf-next 8/8] netfilter: nf_tables: nf_tables_getrule: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 528766cfd0a0..ab306e169d36 100644 --- a/net/net

[PATCH nf-next 7/8] netfilter: nf_tables: nf_tables_getflowtable: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 9454c7fc1978..528766cfd0a0 100644 --- a/net/net

[PATCH nf-next 5/8] netfilter: nf_tables: nf_tables_getsetelem: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 879807f6015b..d0cfce2fb72b 100644 --- a/net/net

[PATCH nf-next 6/8] netfilter: nf_tables: nf_tables_getobj: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index d0cfce2fb72b..9454c7fc1978 100644 --- a/net/net

[PATCH nf-next 2/8] netfilter: nf_tables: nf_tables_gettable: use call_rcu

2018-05-27 Thread Florian Westphal
,put-ref sequence. The helper will be reused for all dumps in the followup patches. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 28 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_tables_a

[PATCH nf-next 1/8] netfilter: nf_tables: nf_tables_getgen: use call_rcu

2018-05-27 Thread Florian Westphal
This callback just fetches the current base sequence, there is no need to serialize this with nfnl nft mutex. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_a

[PATCH nf-next 0/8] netfilter: nf_tables: make get and dump operations lockless

2018-05-27 Thread Florian Westphal
just convert the callbacks to .call_rcu to have nfnetlink not grab the subsystem mutex in the first place. The patches are repetitive, as the same pattern is applied to all get callbacks. I split them up into smaller chunks to make this more dissectable. Florian Westphal (8): netfilter

[PATCH nf-next 4/8] netfilter: nf_tables: nf_tables_getset: use call_rcu

2018-05-27 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index e87faf5ea10c..879807f6015b 100644 --- a/net/net

[PATCH nf-next 3/8] netfilter: nf_tables: nf_tables_getchain: use call_rcu

2018-05-27 Thread Florian Westphal
in nf_tables not depend on the nfnl mutex anymore. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index c22795

[PATCH nf-next] netfilter: nf_tables: fail batch if fatal signal is pending

2018-05-27 Thread Florian Westphal
abort batch processing and return so task can exit faster. Otherwise even SIGKILL has no immediate effect. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nfnetlink.c | 8 1 file changed, 8 insertions(+) diff --git a/net/netfilter/nfnetlink.c b/net/net

[PATCH nf-next] netfilter: nf_tables: fix endian mismatch in return type

2018-05-27 Thread Florian Westphal
base types) nf_tables_api.c:3538:55: warning: incorrect type in argument 3 (different base types) Signed-off-by: Florian Westphal <f...@strlen.de> --- diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index ab306e169d36..6bffbe9d5d87 100644 --- a/net/net

[PATCH nf-next] netfilter: nft_compat: use call_rcu for nfnl_compat_get

2018-05-27 Thread Florian Westphal
Just use .call_rcu instead. We can drop the rcu read lock after obtaining a reference and re-acquire on return. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nft_compat.c | 29 ++--- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git

[PATCH xtables 2/3] xtables-compat: remove nft_is_ruleset_compatible

2018-05-26 Thread Florian Westphal
that such table exists. Signed-off-by: Florian Westphal <f...@strlen.de> --- iptables/nft.c | 62 + iptables/nft.h | 1 - iptables/xtables-save.c | 7 -- iptables/xtables.c | 6 - 4 files changed, 27 insertions(

[PATCH xtables 1/3] xtables: allow dumping of chains in specific table

2018-05-26 Thread Florian Westphal
This is used by a followup patch to avoid continuing the 'dump everything and then ignore what we don't need' model. Places that know they only need a particular table 'iptables-save -t filter' can ask the kernel to limit this for us. Signed-off-by: Florian Westphal <f...@strlen

[PATCH xtables 3/3] xtables: remove error reporting

2018-05-26 Thread Florian Westphal
that. Signed-off-by: Florian Westphal <f...@strlen.de> --- iptables/nft.c | 175 +++-- iptables/nft.h | 5 ++ iptables/xtables-restore.c | 1 + 3 files changed, 159 insertions(+), 22 deletions(-) diff --git a/iptables/n

Re: [PATCH nft] fix printing of "tcp flags syn" and "tcp flags == syn" expressions

2018-05-25 Thread Florian Westphal
Sabrina Dubroca wrote: > Commit 6979625686ec ("relational: Eliminate meta OPs") introduced some > bugs when printing bitmask types. > > First, during the post-processing phase of delinearization, the > expression for "tcp flags syn" (PAYLOAD & flag != 0) gets converted to >

[PATCH nf-next 2/2] netfilter: nf_tables: remove synchronize_rcu in commit phase

2018-05-24 Thread Florian Westphal
can be incremented. nft_do_chain() will either continue to use the current generation (in case loop was invoked right before increment), or the new one. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Florian Westphal <f...@strlen.de> --- include/net/netfilter/nf_ta

[PATCH nf-next 0/2] netfilter: nf_tables: speed up commit phase

2018-05-24 Thread Florian Westphal
commit phase is slow as it can invoke synchronize_rcu twice (depending on the batch). Remove the unconditional synchronize_rcu() by storing rcu-protected array of the active rules. After this, nft_do_chain always gets a consistent snapshot and no longer needs to examine the rule struct to decide

[PATCH nf-next 1/2] netfilter: nfnetlink: allow commit to fail

2018-05-24 Thread Florian Westphal
we perform all actions that could return an error before we increment the generation counter and the base seq. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nfnetlink.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nfnetlin

[PATCH v2 nf-next 0/2] netfilter: nat: remove masq/redirect modules

2018-05-24 Thread Florian Westphal
No need to have those available as extra modules; make it part of nat core and nat_ipv4/ip6, respectively. kconfig options are turned into implicit dependencies. No changes vs. v1 except a rebase on nf-next.

[PATCH v2 nf-next 1/2] netfilter: nat: merge ipv4/ipv6 masquerade code into main nat module

2018-05-24 Thread Florian Westphal
7245 872 881251fbd net/ipv4/netfilter/nf_nat_ipv4.ko 9165 848 12 100252729 net/ipv6/netfilter/nf_nat_ipv6.ko Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/Kconfig | 5 + net/ipv4/netfilter/Makefile

[PATCH v2 nf-next 2/2] netfilter: nat: merge nf_nat_redirect into nf_nat

2018-05-24 Thread Florian Westphal
792 02028 7ec net/netfilter/nf_nat_redirect.ko after: 2034015084138 259866582 net/netfilter/nf_nat.ko Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/Kconfig | 6 +- net/netfilter/Makefile | 2 +- net/net

[PATCH nft] src: netlink_delinarize: don't stop when encountering unsupported expression

2018-05-23 Thread Florian Westphal
ormation if we can't find an expression (e.g. added by newer version). Signed-off-by: Florian Westphal <f...@strlen.de> --- src/netlink_delinearize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 8f4035a291f4..9db

[PATCH xtables] ebtables-compat: add arp extension

2018-05-20 Thread Florian Westphal
no translation yet, might be doable with raw payload expressions though. Signed-off-by: Florian Westphal <f...@strlen.de> --- extensions/libebt_arp.c | 490 iptables/xtables-eb.c | 1 + 2 files changed, 491 insertions(+) create mode 100644 exte

[PATCH xtables] ebtables-compat: add redirect match extension

2018-05-20 Thread Florian Westphal
No translation. The kernel match will alter packet type (meta set pkttype), but also replace dst mac with the bridge's mac address, however nft currently doesn't allow to retrieve this at runtime. So just add this without the xlate part for now. Signed-off-by: Florian Westphal <f...@strlen

[PATCH xtables] ebtables-compat: add nat match extensions

2018-05-20 Thread Florian Westphal
adds snat and dnat. Translation for snat isn't complete, the --snat-arp switch isn't supported so far. Signed-off-by: Florian Westphal <f...@strlen.de> --- extensions/libebt_dnat.c | 134 ++ extensions/libebt_dnat.txlate | 8 ++ extensions/libebt_

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

2018-05-18 Thread Florian Westphal
Greg Kroah-Hartman wrote: > On Thu, May 17, 2018 at 12:42:00PM +0200, Jan Engelhardt wrote: > > > > On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote: > > >> > --- a/net/netfilter/x_tables.c > > >> > +++ b/net/netfilter/x_tables.c > > >> > @@ -1183,11 +1183,10 @@

Re: [PATCH nft 0/7] Python test fixes

2018-05-17 Thread Florian Westphal
Máté Eckl wrote: > This series of patches fix or supplement files related to python tests that I > have met during my first test case. > > Máté Eckl (7): > test: Specify python version in nft-test.py > test: Small typo fixes in the python tests README > test/py: Updated

Re: [nft PATCH] nft.8: Document limitation of reject statement in bridge family

2018-05-17 Thread Florian Westphal
Phil Sutter wrote: > Bridge family allows reject statement in prerouting and input chains > only. Users can't know without looking at kernel code. Applied, thanks.

Re: [PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Florian Westphal
Máté Eckl wrote: > +socket_stmt : SOCKET EXISTS /* with the actual > implementation we cannot match absence */ I think we should go for a native expression. I'll leave it up to you what you'd like to do next. There are a few options: 1. First go for TPROXY

Re: [PATCH nf-next] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval

2018-05-17 Thread Florian Westphal
Taehee Yoo <ap420...@gmail.com> wrote: > In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. > But correct type is u8. so that sometimes incorrect value is dereferenced. Acked-by: Florian Westphal <f...@strlen.de>

Re: [PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Florian Westphal
Máté Eckl wrote: > Originally I also added the following lines but it made the print too slow for > the test to pass. > > It printed the following warning: > inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket > exists': 'socket exists' mismatches

Re: [PATCH nf] netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump()

2018-05-16 Thread Florian Westphal
r ftp { > type "ftp" protocol tcp > } > chain input { > type filter hook input priority 4; > ct helper set "ftp" > } >} Acked-by: Florian Westphal <f...@strlen.de>

Re: nft: Help with writing test cases

2018-05-16 Thread Florian Westphal
Máté Eckl wrote: > Hi all, > > I've been trying to write a python test for socket matching I am about to > introduce, but I cannot generate a payload file for it. Florian told me that > if > I provide an empty payload file, it will be autogenerated, but it does not. Works

Re: linux-next: build warning after merge of the netfilter-next tree

2018-05-15 Thread Florian Westphal
Geert Uytterhoeven <ge...@linux-m68k.org> wrote: > On Tue, May 8, 2018 at 9:17 AM, Florian Westphal <f...@strlen.de> wrote: > > Stephen Rothwell <s...@canb.auug.org.au> wrote: > >> On Mon, 7 May 2018 10:55:19 +1000 Stephen Rothwell <s...@canb.auug.org.au>

[PATCH iptables] xtables-compat: extend generic tests for masks and wildcards

2018-05-14 Thread Florian Westphal
This uncovered broken translation of ethernet + mask. Signed-off-by: Florian Westphal <f...@strlen.de> --- extensions/generic.txlate | 15 ++ iptables/nft-bridge.c | 73 +++ 2 files changed, 57 insertions(+), 31 deletions(-) diff
