From: Liping Zhang <liping.zh...@spreadtrum.com>
After adding _SREG_QNUM attr, queuenum is no longer a mandatory option,
so we must test NFTNL_EXPR_QUEUE_NUM first before dumping queue num
in snprintf_default. Also add a trailing space in snprintf_default,
this is consistent with other expre
From: Liping Zhang <liping.zh...@spreadtrum.com>
Currently, the user can specify the queue numbers by _QUEUE_NUM and
_QUEUE_TOTAL attributes, this is enough in most situations.
But actually, it is not very flexible, for example:
tcp dport 80 mapped to queue0
tcp dport 81 mapped to
2016-09-13 17:19 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> Hi Liping,
>
> A bit more comments on top of Florian's suggestion to use one single
> _SREG.
>
> On Sun, Sep 11, 2016 at 10:05:28PM +0800, Liping Zhang wrote:
>> diff --git a/net/netfilter/nft_queue
Hi Laura,
2016-09-06 14:44 GMT+08:00 Laura Garcia Liebana :
> static int nft_hash_init(const struct nft_ctx *ctx,
> @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ctx *ctx,
> !tb[NFTA_HASH_MODULUS])
> return -EINVAL;
>
> + if
2016-09-13 1:50 GMT+08:00 Pablo Neira Ayuso :
> We have nft_queue support for bridge now, but nfqueue_hash() takes a
> pkt->pf parameter expecting NFPROTO_IPV4 or NFPROTO_IPV6.
>
> So nft_queue hashing with bridge is currently broken.
Yes, I will send another patch to do this
From: Liping Zhang <liping.zh...@spreadtrum.com>
After we generate a new number, we still use the priv->counter and
store it to the dreg. This is not correct, another cpu may have already
changed it to a new number. So we must use the generated number, not
the priv->counter itself.
Fixes:
From: Liping Zhang <liping.zh...@spreadtrum.com>
In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to
NFTNL_EXPR_NG_MODULUS, so compile error happened:
netlink_linearize.c: In function ‘netlink_gen_numgen’:
netlink_linearize.c:184:26: error: ‘NFTNL_EXPR_NG_UNTIL’ undeclared
(fir
2016-09-12 17:49 GMT+08:00 Laura Garcia <nev...@gmail.com>:
> On Sun, Sep 11, 2016 at 04:35:57PM +0800, Liping Zhang wrote:
>> From: Liping Zhang <liping.zh...@spreadtrum.com>
>>
>> In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to
>> NFTNL_EXP
2016-09-12 5:12 GMT+08:00 Florian Westphal <f...@strlen.de>:
> Liping Zhang <zlpnob...@163.com> wrote:
>> So similar to nft_nat, take two registers to select the queue numbers,
>> then we can add one simple rule to mapping queues, maybe like this:
>> queue num
From: Liping Zhang <liping.zh...@spreadtrum.com>
Add NFTA_QUEUE_SREG_FROM and NFTA_QUEUE_SREG_TO attributes support.
After adding _SREG_FROM attr, queuenum is no longer a mandatory option,
so we must test NFTNL_EXPR_QUEUE_NUM first before dumping queue num
in snprintf_default.
Signed-off-by:
From: Liping Zhang <liping.zh...@spreadtrum.com>
We have already set NFTNL_EXPR_QUEUE_NUM when "num" is parsed successfully,
so here it is wrong and redundant, remove it.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
src/expr/queue.c | 1 -
1 file changed, 1 deletio
From: Liping Zhang <liping.zh...@spreadtrum.com>
We forgot to compare NFTNL_EXPR_QUEUE_FLAGS between two exprs,
now add it.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
tests/nft-expr_queue-test.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tests/nf
From: Liping Zhang <liping.zh...@spreadtrum.com>
This patch set is mainly used to add NFTA_QUEUE_SREG_FROM and NFTA_QUEUE_SREG_TO
attributes support in libnftnl. Meanwhile, I find some trivial bugs exist in
queue expr. So try to fix them at patch #1 and patch #2.
Liping Zhang (3):
expr:
From: Liping Zhang <liping.zh...@spreadtrum.com>
Currently, the user can specify the queue numbers by _QUEUE_NUM and
_QUEUE_TOTAL attributes, this is enough in most situations.
But actually, it is not very flexible, for example:
tcp dport 80 mapped to queue0
tcp dport 81 mapped to
From: Liping Zhang <liping.zh...@spreadtrum.com>
hash_v6 is used by both nftables and ip6tables, so depending on
IP6_NF_IPTABLES is not proper.
Actually, it only parses ipv6hdr and computes a hash value, so
even if IPV6 is disabled, there's no side effect either, remove it.
Signed-off-by:
From: Liping Zhang <liping.zh...@spreadtrum.com>
In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to
NFTNL_EXPR_NG_MODULUS, so compile error happened:
netlink_linearize.c: In function ‘netlink_gen_numgen’:
netlink_linearize.c:184:26: error: ‘NFTNL_EXPR_NG_UNTIL’ undeclared
(fir
From: Liping Zhang <liping.zh...@spreadtrum.com>
This patch follows up on Manuel's commit a8871ba6daa0 ("tests: py: any:
Make tests more generic by using other interfaces"). The ifindex of
"eth0" is not always 1, furthermore, "eth0" may not exist on
2016-09-09 22:04 GMT+08:00 Pablo Neira Ayuso :
> More comments on things I see on nft_queue at this stage:
>
> 1) Another issue, I can see nfqueue_hash() depends on
> CONFIG_IP6_NF_IPTABLES, this is not good since nft_queue
> infrastructure should not depend on iptables.
From: Liping Zhang <liping.zh...@spreadtrum.com>
Imagine such a situation: the user adds the following nft rules, and queues
the packets to userspace for further check:
# ip rule add fwmark 0x0/0x1 lookup eth0
# ip rule add fwmark 0x1/0x1 lookup eth1
# nft add table filter
# nft add chain
From: Liping Zhang <liping.zh...@spreadtrum.com>
NFTA_TRACE_POLICY attribute is big endian, but we forgot to call
htonl to convert it. Fortunately, this attribute is parsed as big
endian in libnftnl.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
net/netfilter/nf_ta
From: Liping Zhang <liping.zh...@spreadtrum.com>
It is better to add square brackets to the ip6 address in nft translation
output when the port is specified. This keeps it consistent with the
nft syntax.
Before this patch:
# ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-desti
From: Liping Zhang <liping.zh...@spreadtrum.com>
We have already used skb_header_pointer to get the ip header pointer,
so there's no need to use ip_hdr again. Moreover, in the NETDEV INGRESS
hook, the ip header may not be linear, so using ip_hdr is not appropriate,
remove it.
Signed-off-by: Liping
From: Liping Zhang <liping.zh...@spreadtrum.com>
After commit "parser_bison: redirect to :port for consistency with
nat/masq statement" in nftables tree, we should recommend the end
user to use the new syntax.
Before this patch:
# iptables-translate -t nat -A PREROUTING -p
From: Liping Zhang <liping.zh...@spreadtrum.com>
After commit "src: add 'to' for snat and dnat" in nftables tree,
we should recommend the end user to use the new syntax.
Before this patch:
# iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
nft add rule ip
From: Liping Zhang <liping.zh...@spreadtrum.com>
When I want to translate the SNAT target to an nft rule, an error message
was printed out:
# iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1
iptables-translate v1.6.0: OOM
Because ipt_natinfo{} started with a xt_entry_target{}, s
From: Liping Zhang <liping.zh...@spreadtrum.com>
We forgot to free the str which was allocated by xstrdup,
so a memory leak will happen.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
src/meta.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/
From: Liping Zhang <liping.zh...@spreadtrum.com>
Reject expr is only valid in input/forward/output chain,
and if the user can add a reject expr in the prerouting chain, a kernel
panic will happen.
So add a simple test case to cover this situation.
Signed-off-by: Liping Zhang <liping.zh...@sprea
From: Liping Zhang <liping.zh...@spreadtrum.com>
"meta pkttype set" is only supported on prerouting chain with bridge
family and ingress chain with netdev family.
But the validation check is incomplete, and the user can add nft
rules on the input chain with bridge family, for exam
From: Liping Zhang <liping.zh...@spreadtrum.com>
cttimeout and acct objects are deleted from the list while traversing
it, so using list_for_each_entry is unsafe here.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
net/netfilter/nfnetlink_acct.c | 6 +++---
n
From: Liping Zhang <liping.zh...@spreadtrum.com>
KASAN reported this bug:
BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at
addr 880002db08c8
Read of size 4 by task lt-nf-queue/19041
Call Trace:
[] dump_stack+0x63/0x88
[] kasan_report_error+0x528
From: Liping Zhang <liping.zh...@spreadtrum.com>
We forgot to call nf_ct_l4proto_put when replacing the existing
timeout policy. Actually, there's no need to get ct l4proto
before doing the replace, so we can move it to a later position.
Signed-off-by: Liping Zhang <liping.zh...@sprea
From: Liping Zhang <liping.zh...@spreadtrum.com>
After I add the nft rule "nft add rule filter prerouting reject
with tcp reset", kernel panic happened on my system:
NULL pointer dereference at ...
IP: [] nf_send_reset+0xaf/0x400
Call Trace:
[] ? nf_reject_ip_tcphdr
From: Liping Zhang <liping.zh...@spreadtrum.com>
For examples:
# iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0
nft add rule ip filter OUTPUT counter meta priority set none
# iptables-translate -A OUTPUT -j CLASSIFY --set-class :
nft add rule ip filter OUTPUT c
From: Liping Zhang <liping.zh...@spreadtrum.com>
In general, when we want to delete a netns, cttimeout_net_exit will
be called before ipt_unregister_table, i.e. before ctnl_timeout_put.
But after calling kfree_rcu in cttimeout_net_exit, we will still decrease
the timeout object's
Hi Pablo,
2016-08-18 6:37 GMT+08:00 Pablo Neira Ayuso :
>
> Wait. I noticed we have the same problem in cttimeout, so it would be
> good to fix this in the same logical change.
>
> I'm attaching your original patch that I have mangled here, including
> the cttimeout chunk.
>
From: Liping Zhang <liping.zh...@spreadtrum.com>
We should skip the conntracks that belong to a different namespace,
otherwise other unrelated netns's conntrack entries will be dumped via
/proc/net/nf_conntrack.
Fixes: 56d52d4892d0 ("netfilter: conntrack: use a single hashta
From: Liping Zhang <liping.zh...@spreadtrum.com>
We should report the over quota message to the right net namespace
instead of the init netns.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
include/linux/netfilter/nfnetlink_acct.h | 4 ++--
net/netfilter/nfne
From: Liping Zhang <liping.zh...@spreadtrum.com>
Otherwise, if nfnetlink_log.ko is not loaded, we cannot add rules
to log packets to userspace when we specify it with the arp family,
such as:
# nft add rule arp filter input log group 0
:1:1-37: Error: Could not process rule: No suc
From: Liping Zhang <liping.zh...@spreadtrum.com>
Since commit 64b87639c9cb ("netfilter: conntrack: fix race between
nf_conntrack proc read and hash resize") introduced
nf_conntrack_get_ht, there's no need to check nf_conntrack_generation
again and again to get the hash tab
Hi Pablo,
2016-08-12 19:47 GMT+08:00 Pablo Neira Ayuso :
> diff --git a/net/netfilter/nf_conntrack_core.c
> b/net/netfilter/nf_conntrack_core.c
> index dd2c43a..22558b7 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -161,10
2016-08-12 19:49 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> On Fri, Aug 12, 2016 at 07:12:32PM +0800, Liping Zhang wrote:
>> 2016-08-12 18:34 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> [...]
>> >
>> > I think it is a good
Hi Laura,
2016-08-10 2:22 GMT+08:00 Laura Garcia Liebana :
> This patch adds a new hash expression, this provides jhash support but
> this can be extended to support for other hash functions.
>
> The modulus and seed already come embedded into this new expression.
>
> Use case
From: Liping Zhang <liping.zh...@spreadtrum.com>
Like NFQNL_MSG_VERDICT_BATCH does, we should also reject the verdict
request when the portid is not the same as the initial portid (maybe
from another process).
Fixes: 97d32cf9440d ("netfilter: nfnetlink_queue: batch verdict support"
From: Liping Zhang <liping.zh...@spreadtrum.com>
Currently, the user can add a conntrack with a different l4proto via nfnetlink.
For example, the original tuple is TCP while the reply tuple is SCTP. This is
an invalid combination, we should report EINVAL to userspace.
Signed-off-by: Liping Zhang <
From: Liping Zhang <liping.zh...@spreadtrum.com>
The user can use NFQA_EXP to attach expectations to conntracks, but we
forgot to put back nf_conntrack_expect when it is inserted successfully,
i.e. in this normal case, expect's use refcnt will be 3. So even if we
unlink it and put it back later, t
From: Liping Zhang <liping.zh...@spreadtrum.com>
The 'name' field in struct nf_conntrack_expect_policy{} is not a
pointer, so checking whether it is NULL will always return true. Even if the
name is empty, a slash will always be displayed as follows:
# cat /proc/net/nf_conntrack_expect
From: Liping Zhang <liping.zh...@spreadtrum.com>
IP header checksum will be recalculated at ip_local_out, so
there's no need to calculate it here, remove it. Also update
code comments to illustrate it, and delete the misleading
comments about checksum recalculation.
Signed-off-by: Liping
From: Liping Zhang <liping.zh...@spreadtrum.com>
Commit 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of
set_expect_timeout") just simplified the source code
if (!del_timer(>timeout))
return 0;
add_timer(>timeout);
to mod_timer(>timeout, jif
From: Liping Zhang <liping.zh...@spreadtrum.com>
We "cache" the loaded match/target modules and reuse them, but when the
modules are removed, we still point to them. Then we may end up with
invalid memory references when using iptables-compat to add rules later.
Input the fo
From: Liping Zhang <liping.zh...@spreadtrum.com>
If the user specifies an invalid NFTA_MATCH_INFO/NFTA_TARGET_INFO attr
or memory alloc fails, we should call module_put on the related match
or target. Otherwise, we cannot remove the module even if nobody uses it.
Signed-off-by: Liping Zhang <
From: Liping Zhang <liping.zh...@spreadtrum.com>
Add some unit tests for connlabel match extension:
# ./iptables-test.py extensions/libxt_connlabel.t
extensions/libxt_connlabel.t: OK
1 test files, 7 unit tests, 7 passed
Signed-off-by: Liping Zhang <liping.zh...@sprea
From: Liping Zhang <liping.zh...@spreadtrum.com>
"--nflog-size 0" is valid and we must display it appropriately.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
extensions/libxt_NFLOG.t | 1 +
Hi Pablo,
2016-07-20 16:25 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> On Wed, Jul 20, 2016 at 07:00:13AM +0800, Liping Zhang wrote:
>> I find that nftables already supports this feature, the following command
>> means to truncate packets
>> to 100 bytes befo
2016-07-18 11:39 GMT+08:00 :
> From: Gao Feng
>
> Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister
> functions to enhance the conntrack helper codes.
I think this patch is breaking something ...
This irc:
> - if (ports[i] ==
From: Liping Zhang <liping.zh...@spreadtrum.com>
This patchset is very small, aiming to fix some bugs related to nftables log expr.
patch#1 fixes a possible memory leak if the user specifies the log prefix but the
log expr init fails.
patch#2 adds a validity check of the log level, otherwise us
From: Liping Zhang <liping.zh...@spreadtrum.com>
Suppose that we specify NFTA_LOG_PREFIX, then if NFTA_LOG_LEVEL
and NFTA_LOG_GROUP are specified together or the nf_logger_find_get
call fails, i.e. expr init fails, a memory leak will happen.
Signed-off-by: Liping Zhang <
From: Liping Zhang <liping.zh...@spreadtrum.com>
The user can specify a log level larger than 7 (debug level) via
nfnetlink, this is invalid. So in this case, we should report
EINVAL to userspace.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
net/netfilter/n
From: Liping Zhang <liping.zh...@spreadtrum.com>
There's a similar problem in xt_NFLOG, and was fixed by commit 7643507fe8b5
("netfilter: xt_NFLOG: nflog-range does not truncate packets"). Only set
copy_len here does not work, so we should enable NF_LOG_F_COPY_LEN also.
Signe
From: Liping Zhang <liping.zh...@spreadtrum.com>
Add translation for connlabel to nftables.
For examples:
# iptables-translate -A INPUT -m connlabel --label bit40
nft add rule ip filter INPUT ct label bit40 counter
# iptables-translate -A INPUT -m connlabel ! --label bit40 --set
n
At 2016-07-16 17:04:39, "Florian Westphal" <f...@strlen.de> wrote:
>Liping Zhang <zlpnob...@163.com> wrote:
>>
>> # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
>> nft add rule ip filter INPUT ct label set bit40 ct label != bit
From: Liping Zhang <liping.zh...@spreadtrum.com>
We only get nf_connlabels if the user adds a ct label set expr successfully,
but we will also put nf_connlabels if the user deletes a ct label get expr.
This is mismatched, and will cause the ct label expr to not work properly.
Also, if we init som
From: Liping Zhang <liping.zh...@spreadtrum.com>
Add translation for connlabel to nftables.
For examples:
# iptables-translate -A INPUT -m connlabel --label bit40
nft add rule ip filter INPUT ct label bit40 counter
# iptables-translate -A INPUT -m connlabel ! --label bit40 --set
n
Hi Florian,
At 2016-07-12 21:03:03, "Florian Westphal" <f...@strlen.de> wrote:
>Liping Zhang <zlpnob...@163.com> wrote:
>> +inline void
>> +nf_conntrack_get_ht(struct hlist_nulls_head **hash, unsigned int *hsize)
>
>Which "inline void"?
From: Liping Zhang <liping.zh...@spreadtrum.com>
The user can add a ct entry via nfnetlink (IPCTNL_MSG_CT_NEW), and if the total
number reaches nf_conntrack_max, we will try to drop some ct entries.
But in this case(the main function call path is ctnetlink_create_conntrack
-> nf_conntr
From: Liping Zhang <liping.zh...@spreadtrum.com>
Since commit 64b87639c9cb ("netfilter: conntrack: fix race between
nf_conntrack proc read and hash resize") introduced
nf_conntrack_get_ht, there's no need to check nf_conntrack_generation
again and again to get the hash tab
From: Liping Zhang <liping.zh...@spreadtrum.com>
If we want to use ct packets expr, and add a rule like follows:
# nft add rule filter input ct packets gt 1 counter
We will find that no packets will hit it, because
nf_conntrack_acct is disabled by default. So it will
not work until we
2016-07-04 14:14 GMT+08:00 Christophe Leroy :
>> I think there is no need to convert simple_strtoul to kstrtouint, add
>> a further check seems better?
>> Like this:
>> - if (!cseq) {
>> + if (!cseq && *(*dptr + matchoff) != '0') {
>>
>
> And what about an
2016-07-01 17:48 GMT+08:00 Christophe Leroy :
> Do not drop packet when CSeq is 0 as 0 is also a valid value for CSeq.
>
> --- a/net/netfilter/nf_conntrack_sip.c
> +++ b/net/netfilter/nf_conntrack_sip.c
> @@ -1368,6 +1368,7 @@ static int process_sip_response(struct sk_buff
From: Liping Zhang <liping.zh...@spreadtrum.com>
When we do "cat /proc/net/nf_conntrack", and meanwhile resize the conntrack
hash table via /sys/module/nf_conntrack/parameters/hashsize, race will
happen, because reader can observe a newly allocated hash but the old size
(or vice
From: Liping Zhang <liping.zh...@spreadtrum.com>
Imagine such a situation: nf_conntrack_htable_size now is 4096, we are doing
ctnl_untimeout, and iterating on the 3000# bucket.
Meanwhile, another user tries to reduce the hash size to 2048, then all nf_conn
are moved to the new hashtable. When thi
From: Liping Zhang <liping.zh...@spreadtrum.com>
Similar to ctnl_untimeout, when hash resize happened, we should try
to do unhelp from the 0# bucket again.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
V2: no need to use nf_conntrack_generation to check hash resize
>Good catch, but ...
>
>> diff --git a/include/net/netfilter/nf_conntrack_core.h
>> b/include/net/netfilter/nf_conntrack_core.h
>> index 3e2f332..4f6453a 100644
>> --- a/include/net/netfilter/nf_conntrack_core.h
>> +++ b/include/net/netfilter/nf_conntrack_core.h
>> @@ -82,6 +82,7 @@
From: Liping Zhang <liping.zh...@spreadtrum.com>
Imagine such a situation: nf_conntrack_htable_size now is 4096, we are doing
ctnl_untimeout, and iterating on the 3000# bucket.
Meanwhile, another user tries to reduce the hash size to 2048, then all nf_conn
are moved to the new hashtable. When thi
From: Liping Zhang <liping.zh...@spreadtrum.com>
When a user adjusts the hash size via /sys/module/nf_conntrack/parameters/hashsize,
something will break because a race condition happens.
This patch set aims to fix these bugs.
When we do "cat /proc/net/nf_conntrack", and at the s
From: Liping Zhang <liping.zh...@spreadtrum.com>
When we do "cat /proc/net/nf_conntrack", and meanwhile resize the conntrack
hash table via /sys/module/nf_conntrack/parameters/hashsize, race will
happen, because reader can observe a newly allocated hash but the old size
(or vice
From: Liping Zhang <liping.zh...@spreadtrum.com>
Similar to ctnl_untimeout, when hash resize happened, we should try
to do unhelp from the 0# bucket again.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
net/netfilter/nf_conntrack_helper.c | 14 --
1 file
From: Liping Zhang <liping.zh...@spreadtrum.com>
Before:
# iptables-translate -A INPUT -m realm --realm 1/0xf
nft add rule ip filter INPUT rtclassid and 0x1 == 0xf counter
Apply this patch:
# iptables-translate -A INPUT -m realm --realm 1/0xf
nft add rule ip filter INPUT rtc
Hi Pablo,
2016-06-23 19:11 GMT+08:00 Pablo Neira Ayuso :
>> -static int cpu_mt_check(const struct xt_mtchk_param *par)
>> -{
>> - const struct xt_cpu_info *info = par->matchinfo;
>> -
>> - if (info->invert & ~1)
>> - return -EINVAL;
>> - return 0;
>>
Hi Florian,
2016-06-22 2:46 GMT+08:00 Florian Westphal :
> @@ -1650,11 +1646,31 @@ int nf_conntrack_set_hashsize(const char *val, struct
> kernel_param *kp)
> write_seqcount_end(_conntrack_generation);
> nf_conntrack_all_unlock();
> local_bh_enable();
> +
Hi Marcelo,
2016-06-20 23:48 GMT+08:00 Marcelo Ricardo Leitner :
>
> A different check/log is made for ip6:
> nf_reject_ip6_tcphdr_get():
> /* IP header checks: fragment, too short. */
> if (proto != IPPROTO_TCP || *otcplen < sizeof(struct tcphdr)) {
>
From: Liping Zhang <liping.zh...@spreadtrum.com>
In iptables, if the user adds a rule to send tcp RST and specifies a
non-TCP protocol, such as UDP, the kernel will reject this request. But
in nftables, this validity check only occurs in the nft tool, i.e. only
in userspace.
This means that user c
From: Liping Zhang <liping.zh...@spreadtrum.com>
If expr init fails then we need to free it.
So when the user adds an nft rule as follows:
# nft add rule filter input tcp dport 22 flow table ssh \
{ ip saddr limit rate 0/second }
memory leak will happen.
Signed-off-by: Liping
Hi Florian,
At 2016-06-08 20:59:32, "Florian Westphal" wrote:
>
>With nftables we have a new infrastructure in place that emits trace info via
>nfnetlink.
>
>So loading nf_log_ipX isn't needed anymore in nft.
Yes, in nftables, user can use "nft monitor" to get the trace info.
From: Liping Zhang <liping.zh...@spreadtrum.com>
nft_genmask_cur has already applied the left-shift operator to the gencursor,
so there's no need to apply the left-shift operator to it again.
Fixes: ea4bd995b0f2 ("netfilter: nf_tables: add transaction helper functions")
Cc: Patrick McHardy
From: Liping Zhang <liping.zh...@spreadtrum.com>
Add some tests for endless jump loop validation.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
tests/shell/testcases/chains/0010endless_jump_loop_1 | 9 +
tests/shell/testcases/chains/0011endless_jump
From: Liping Zhang <liping.zh...@spreadtrum.com>
On my machine, port 12345 is mapped to italk in /etc/services:
italk 12345/tcp # Italk Chat System
So when we add an nft rule with udp port "12345", nft list ruleset
will display it as "italk"
From: Liping Zhang <liping.zh...@spreadtrum.com>
Currently, the user can add such a wrong nft rule successfully, which
will cause an endless jump loop:
# nft add rule filter test tcp dport vmap {1: jump test}
This is because before we commit, the element in the current anonymous
set is in
From: Liping Zhang <liping.zh...@spreadtrum.com>
This patch set mainly fixes an endless jump loop bug, for example, the user
can add the following nft rules successfully:
# nft add table filter
# nft add chain filter test
# nft add rule filter test tcp dport vmap {1: jump test}
This is beca
From: Liping Zhang <liping.zh...@spreadtrum.com>
We should check "i" is used as a dictionary or not, "binding" is already
checked before.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 inserti
From: Liping Zhang <liping.zh...@spreadtrum.com>
When we add a nft rule like follows:
# nft add rule filter test tcp dport vmap {1: jump test}
-ELOOP error will be returned, and the anonymous set will be
destroyed.
But after that, nf_tables_abort will also try to remove the
element and d
From: Liping Zhang <liping.zh...@spreadtrum.com>
For example:
# iptables-translate -t raw -A PREROUTING -j TRACE
nft add rule ip raw PREROUTING counter nftrace set 1
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
extensions/libxt_TRACE.c | 8
1 fil
From: Liping Zhang <liping.zh...@spreadtrum.com>
Consider such a situation: if the nf_log_ipv4 kernel module is not installed,
and the user adds the following iptables rule:
# iptables -t raw -I PREROUTING -j TRACE
There will be no trace log generated until the user installs the nf_log_ipv4
module m
From: Liping Zhang <liping.zh...@spreadtrum.com>
This patch set solves such a problem, for example, if we add the following
iptables rule:
# iptables -t raw -I PREROUTING -j TRACE
And the nf_log_ipv4 kernel module is not installed, no trace log
will be generated, until we install the nf_log_ipv4
From: Liping Zhang <liping.zh...@spreadtrum.com>
When we request NFPROTO_INET, it means both NFPROTO_IPV4 and NFPROTO_IPV6.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
net/netfilter/nf_log.c | 20
1 file changed, 20 insertions(+)
diff
From: Liping Zhang <liping.zh...@spreadtrum.com>
Instead, we can convert invert flag and ensure it is 1 or 0.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
net/netfilter/xt_cpu.c | 12 +---
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/n
From: Liping Zhang <liping.zh...@spreadtrum.com>
When the user adds an nft rule to set nftrace to zero, for example:
# nft add rule ip filter input nftrace set 0
We should set nf_trace to zero also.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
---
net/netfilter/nft_meta
From: Liping Zhang <liping.zh...@spreadtrum.com>
If we add a chain and specify a nonexistent chain type, chain_type_name_lookup
will return a NULL pointer, and meet the assert condition in xstrdup.
Fix a crash like this:
# nft add chain filter input {type none hook input priority 0\;}
From: Liping Zhang <liping.zh...@spreadtrum.com>
For example, after we add a rule to set priority 1:2, it will be displayed in
network byte order as 0200:0100, this is wrong:
# nft add rule filter test meta priority set 1:2
# nft list chain filter test
table ip filter {
chai
From: Liping Zhang <liping.zh...@spreadtrum.com>
The default burst value is 5 in the iptables limit extension while it is 0 in
the nft limit expression, if the burst value is the default, it will not be
displayed when we dump the rules. But when we do translation from iptables
rules to nft rules, we
From: Liping Zhang <liping.zh...@spreadtrum.com>
If we add such an nft rule:
nft add rule filter input ip protocol icmp tcp dport 0
we will always meet the assert condition:
nft: evaluate.c:536: resolve_protocol_conflict: Assertion `base <
(__PROTO_BASE_MAX - 1)' failed.
Abor