[PATCH libnftnl V2] expr: queue: add NFTA_QUEUE_SREG_QNUM attr support

2016-09-14 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> After adding the _SREG_QNUM attr, queuenum is not a mandatory option anymore, so we must test NFTNL_EXPR_QUEUE_NUM first before dumping the queue num in snprintf_default. Also add a trailing space in snprintf_default, this is consistent with other expre

[PATCH nf-next V2] netfilter: nft_queue: add _SREG_QNUM attr to select the queue number

2016-09-14 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Currently, the user can specify the queue numbers by the _QUEUE_NUM and _QUEUE_TOTAL attributes, this is enough in most situations. But actually, it is not very flexible, for example: tcp dport 80 mapped to queue0 tcp dport 81 mapped to

Re: [PATCH nf-next] netfilter: nft_queue: add _SREG_FROM and _SRGE_TO to select the queue numbers

2016-09-13 Thread Liping Zhang
2016-09-13 17:19 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>: > Hi Liping, > > A bit more comments on top of Florian's suggestion to use one single > _SREG. > > On Sun, Sep 11, 2016 at 10:05:28PM +0800, Liping Zhang wrote: >> diff --git a/net/netfilter/nft_queue

Re: [PATCH v2] netfilter: nft_hash: Add hash offset value

2016-09-13 Thread Liping Zhang
Hi Laura, 2016-09-06 14:44 GMT+08:00 Laura Garcia Liebana : > static int nft_hash_init(const struct nft_ctx *ctx, > @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ctx *ctx, > !tb[NFTA_HASH_MODULUS]) > return -EINVAL; > > + if

Re: [PATCH nf-next] netfilter: nf_queue: get rid of dependency on IP6_NF_IPTABLES

2016-09-12 Thread Liping Zhang
2016-09-13 1:50 GMT+08:00 Pablo Neira Ayuso : > We have nft_queue support for bridge now, but nfqueue_hash() takes a > pkt->pf parameter expecting NFPROTO_IPV4 or NFPROTO_IPV6. > > So nft_queue hashing with bridge is currently broken. Yes, I will send another patch to do this

[PATCH nf-next] netfilter: nft_numgen: fix race between num generate and store it

2016-09-12 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> After we generate a new number, we still use the priv->counter and store it to the dreg. This is not correct, another cpu may already change it to a new number. So we must use the generated number, not the priv->counter itself. Fixes:

[PATCH nft V2] src: fix compile error due to _UNTIL renamed to _MODULUS in libnftnl

2016-09-12 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to NFTNL_EXPR_NG_MODULUS, so a compile error happened: netlink_linearize.c: In function ‘netlink_gen_numgen’: netlink_linearize.c:184:26: error: ‘NFTNL_EXPR_NG_UNTIL’ undeclared (fir

Re: [PATCH nft] src: fix compile error due to _UNTIL renamed to _MODULUS in libnftnl

2016-09-12 Thread Liping Zhang
2016-09-12 17:49 GMT+08:00 Laura Garcia <nev...@gmail.com>: > On Sun, Sep 11, 2016 at 04:35:57PM +0800, Liping Zhang wrote: >> From: Liping Zhang <liping.zh...@spreadtrum.com> >> >> In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to >> NFTNL_EXP

Re: [PATCH nf-next] netfilter: nft_queue: add _SREG_FROM and _SRGE_TO to select the queue numbers

2016-09-11 Thread Liping Zhang
2016-09-12 5:12 GMT+08:00 Florian Westphal <f...@strlen.de>: > Liping Zhang <zlpnob...@163.com> wrote: >> So similar to nft_nat, take two registers to select the queue numbers, >> then we can add one simple rule to map queues, maybe like this: >> queue num

[PATCH libnftnl 3/3] expr: queue: add sreg_from and sreg_to support

2016-09-11 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Add NFTA_QUEUE_SREG_FROM and NFTA_QUEUE_SREG_TO attributes support. After adding the _SREG_FROM attr, queuenum is not a mandatory option anymore, so we must test NFTNL_EXPR_QUEUE_NUM first before dumping the queue num in snprintf_default. Signed-off-by:

[PATCH libnftnl 1/3] expr: queue: remove redundant NFTNL_EXPR_QUEUE_NUM set in json parse

2016-09-11 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We have already set NFTNL_EXPR_QUEUE_NUM when "num" is parsed successfully, so setting it here is wrong and redundant, remove it. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- src/expr/queue.c | 1 - 1 file changed, 1 deletio

[PATCH libnftnl 2/3] tests: queue: add missing NFTNL_EXPR_QUEUE_FLAGS compare test

2016-09-11 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We forgot to compare NFTNL_EXPR_QUEUE_FLAGS between two exprs, now add it. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- tests/nft-expr_queue-test.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/nf

[PATCH libnftnl 0/3] expr: queue: add sreg_from and sreg_to support

2016-09-11 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> This patch set is mainly used to add NFTA_QUEUE_SREG_FROM and NFTA_QUEUE_SREG_TO attributes support in libnftnl. Meanwhile, I found some trivial bugs that exist in the queue expr, so I try to fix them in patch #1 and patch #2. Liping Zhang (3): expr:

[PATCH nf-next] netfilter: nft_queue: add _SREG_FROM and _SRGE_TO to select the queue numbers

2016-09-11 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Currently, the user can specify the queue numbers by the _QUEUE_NUM and _QUEUE_TOTAL attributes, this is enough in most situations. But actually, it is not very flexible, for example: tcp dport 80 mapped to queue0 tcp dport 81 mapped to

[PATCH nf-next] netfilter: nf_queue: get rid of dependency on IP6_NF_IPTABLES

2016-09-11 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> hash_v6 is used by both nftables and ip6tables, so depending on IP6_NF_IPTABLES is not proper. Actually, it only parses the ipv6hdr and computes a hash value, so even if IPV6 is disabled, there's no side effect either, remove it. Signed-off-by:

[PATCH nft] src: fix compile error due to _UNTIL renamed to _MODULUS in libnftnl

2016-09-11 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to NFTNL_EXPR_NG_MODULUS, so a compile error happened: netlink_linearize.c: In function ‘netlink_gen_numgen’: netlink_linearize.c:184:26: error: ‘NFTNL_EXPR_NG_UNTIL’ undeclared (fir

[PATCH nft] tests: py: replace "eth0" with "lo" in dup expr tests

2016-09-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> This patch follows up on Manuel's commit a8871ba6daa0 ("tests: py: any: Make tests more generic by using other interfaces"). The ifindex of "eth0" is not always 1, furthermore, "eth0" may not exist on

Re: [PATCH nf-next] netfilter: nft_queue: check the validation of queues_total and queuenum

2016-09-09 Thread Liping Zhang
2016-09-09 22:04 GMT+08:00 Pablo Neira Ayuso : > More comments on things I see on nft_queue at this stage: > > 1) Another issue, I can see nfqueue_hash() depends on > CONFIG_IP6_NF_IPTABLES, this is not good since nft_queue > infrastructure should not depend on iptables.

[PATCH nf] netfilter: nft_chain_route: re-route before skb is queued to userspace

2016-09-06 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Imagine such a situation: the user adds the following nft rules, and queues the packets to userspace for further checking: # ip rule add fwmark 0x0/0x1 lookup eth0 # ip rule add fwmark 0x1/0x1 lookup eth1 # nft add table filter # nft add chain

[PATCH nf] netfilter: nf_tables_trace: fix endiness when dump chain policy

2016-09-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The NFTA_TRACE_POLICY attribute is big endian, but we forgot to call htonl to convert it. Fortunately, this attribute is parsed as big endian in libnftnl. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nf_ta

[PATCH iptables] extensions: libip6t_SNAT/DNAT: add square bracket in xlat output when port is specified

2016-09-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> It is better to add square brackets to the ip6 address in the nft translation output when the port is specified. This keeps it consistent with the nft syntax. Before this patch: # ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-desti

[PATCH nf] netfilter: nf_tables_netdev: remove redundant ip_hdr assignment

2016-08-28 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We have already used skb_header_pointer to get the ip header pointer, so there's no need to use ip_hdr again. Moreover, in the NETDEV INGRESS hook, the ip header may not be linear, so using ip_hdr is not appropriate, remove it. Signed-off-by: Liping

[PATCH iptables 3/3] extensions: libip[6]t_REDIRECT: use new nft syntax when do xlate

2016-08-28 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> After commit "parser_bison: redirect to :port for consistency with nat/masq statement" in nftables tree, we should recommend the end user to use the new syntax. Before this patch: # iptables-translate -t nat -A PREROUTING -p

[PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate

2016-08-28 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> After commit "src: add 'to' for snat and dnat" in nftables tree, we should recommend the end user to use the new syntax. Before this patch: # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1 nft add rule ip

[PATCH iptables 1/3] extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft

2016-08-28 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When I wanted to translate the SNAT target to an nft rule, an error message was printed out: # iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1 iptables-translate v1.6.0: OOM Because ipt_natinfo{} starts with an xt_entry_target{}, s

[PATCH nft] meta: fix memory leak in tc classid parser

2016-08-28 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We forgot to free the str which was allocated by xstrdup, so memory leak will happen. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- src/meta.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/

[PATCH nft] tests: shell: add testcase for reject expr

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Reject expr is only valid in input/forward/output chain, and if user can add reject expr in prerouting chain, kernel panic will happen. So add a simple test case to cover this situation. Signed-off-by: Liping Zhang <liping.zh...@sprea

[PATCH nf] netfilter: nft_meta: improve the validity check of pkttype set expr

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> "meta pkttype set" is only supported on the prerouting chain with the bridge family and the ingress chain with the netdev family. But the validity check is incomplete, and the user can add nft rules on the input chain with the bridge family, for exam

[PATCH nf 1/3] netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> cttimeout and acct objects are deleted from the list while traversing it, so using list_for_each_entry is unsafe here. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nfnetlink_acct.c | 6 +++--- n

[PATCH nf 3/3] netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> KASAN reported this bug: BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at addr 880002db08c8 Read of size 4 by task lt-nf-queue/19041 Call Trace: [] dump_stack+0x63/0x88 [] kasan_report_error+0x528

[PATCH nf 2/3] netfilter: cttimeout: put back l4proto when replacing timeout policy

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We forgot to call nf_ct_l4proto_put when replacing the existing timeout policy. Actually, there's no need to get the ct l4proto before doing the replace, so we can move it to a later position. Signed-off-by: Liping Zhang <liping.zh...@sprea

[PATCH nf] netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT

2016-08-21 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> After I add the nft rule "nft add rule filter prerouting reject with tcp reset", kernel panic happened on my system: NULL pointer dereference at ... IP: [] nf_send_reset+0xaf/0x400 Call Trace: [] ? nf_reject_ip_tcphdr

[PATCH iptables] extensions: libxt_CLASSIFY: Add translation to nft

2016-08-21 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> For examples: # iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0 nft add rule ip filter OUTPUT counter meta priority set none # iptables-translate -A OUTPUT -j CLASSIFY --set-class : nft add rule ip filter OUTPUT c

[PATCH nf] netfilter: cttimeout: fix use after free error when delete netns

2016-08-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> In general, when we want to delete a netns, cttimeout_net_exit will be called before ipt_unregister_table, i.e. before ctnl_timeout_put. But after call kfree_rcu in cttimeout_net_exit, we will still decrease the timeout object's

Re: [PATCH nf 1/2] netfilter: nfnetlink_acct: fix race between nfacct del and xt_nfacct destroy

2016-08-18 Thread Liping Zhang
Hi Pablo, 2016-08-18 6:37 GMT+08:00 Pablo Neira Ayuso : > > Wait. I noticed we have the same problem in cttimeout, so it would be > good to fix this in the same logical change. > > I'm attaching your original patch that I have mangled here, including > the cttimeout chunk. >

[PATCH nf] netfilter: conntrack: do not dump other netns's conntrack entries via proc

2016-08-15 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We should skip the conntracks that belong to a different namespace, otherwise other unrelated netns's conntrack entries will be dumped via /proc/net/nf_conntrack. Fixes: 56d52d4892d0 ("netfilter: conntrack: use a single hashta

[PATCH nf 2/2] netfilter: nfnetlink_acct: report overquota to the right netns

2016-08-13 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We should report the over quota message to the right net namespace instead of the init netns. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- include/linux/netfilter/nfnetlink_acct.h | 4 ++-- net/netfilter/nfne

[PATCH nf-next] netfilter: nfnetlink_log: add "nf-logger-3-1" module alias name

2016-08-13 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Otherwise, if nfnetlink_log.ko is not loaded, we cannot add rules to log packets to the userspace when we specify it with arp family, such as: # nft add rule arp filter input log group 0 :1:1-37: Error: Could not process rule: No suc

[PATCH V3 nf-next] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-08-13 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Since commit 64b87639c9cb ("netfilter: conntrack: fix race between nf_conntrack proc read and hash resize") introduced nf_conntrack_get_ht, there's no need to check nf_conntrack_generation again and again to get the hash tab

Re: [PATCH] netfilter: remove ip_conntrack* sysctl compat code

2016-08-13 Thread Liping Zhang
Hi Pablo, 2016-08-12 19:47 GMT+08:00 Pablo Neira Ayuso : > diff --git a/net/netfilter/nf_conntrack_core.c > b/net/netfilter/nf_conntrack_core.c > index dd2c43a..22558b7 100644 > --- a/net/netfilter/nf_conntrack_core.c > +++ b/net/netfilter/nf_conntrack_core.c > @@ -161,10

Re: [PATCH nf-next V2] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-08-12 Thread Liping Zhang
2016-08-12 19:49 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Fri, Aug 12, 2016 at 07:12:32PM +0800, Liping Zhang wrote: >> 2016-08-12 18:34 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>: > [...] >> > >> > I think it is a good

Re: [PATCH v2] netfilter: nf_tables: add hash expression

2016-08-09 Thread Liping Zhang
Hi Laura, 2016-08-10 2:22 GMT+08:00 Laura Garcia Liebana : > This patch adds a new hash expression, this provides jhash support but > this can be extended to support for other hash functions. > > The modulus and seed already comes embedded into this new expression. > > Use case

[PATCH nf] netfilter: nfnetlink_queue: reject verdict request from different portid

2016-08-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Like NFQNL_MSG_VERDICT_BATCH does, we should also reject the verdict request when the portid is not the same as the initial portid (maybe from another process). Fixes: 97d32cf9440d ("netfilter: nfnetlink_queue: batch verdict support"

[PATCH nf] netfilter: ctnetlink: reject new conntrack request with different l4proto

2016-08-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Currently, the user can add a conntrack with different l4protos via nfnetlink. For example, the original tuple is TCP while the reply tuple is SCTP. This is an invalid combination, we should report EINVAL to userspace. Signed-off-by: Liping Zhang <

[PATCH nf] netfilter: nfnetlink_queue: fix memory leak when attach expectation successfully

2016-08-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The user can use NFQA_EXP to attach expectations to conntracks, but we forgot to put back the nf_conntrack_expect when it is inserted successfully, i.e. in this normal case, the expect's use refcnt will be 3. So even if we unlink it and put it back later, t

[PATCH nf] netfilter: nf_expect_proc: remove the redundant slash when policy name is empty

2016-08-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The 'name' field in struct nf_conntrack_expect_policy{} is not a pointer, so checking whether it is NULL will always return true. Even if the name is empty, a slash will always be displayed as follows: # cat /proc/net/nf_conntrack_expect

[PATCH nf-next] netfilter: nf_dup4: remove redundant checksum recalculation

2016-07-30 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The IP header checksum will be recalculated at ip_local_out, so there's no need to calculate it here, remove it. Also update the code comments to illustrate it, and delete the misleading comments about checksum recalculation. Signed-off-by: Liping

[PATCH nf-next] netfilter: nf_ct_h323: do not re-activate already expired timer

2016-07-23 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Commit 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of set_expect_timeout") just simplified the source code if (!del_timer(&exp->timeout)) return 0; add_timer(&exp->timeout); to mod_timer(&exp->timeout, jif

[PATCH nf-next 2/2] netfilter: nft_compat: fix crash when related match/target module is removed

2016-07-23 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We "cache" the loaded match/target modules and reuse them, but when the modules are removed, we still point to them. Then we may end up with invalid memory references when using iptables-compat to add rules later. Input the fo

[PATCH nf-next 1/2] netfilter: nft_compat: put back match/target module if init fail

2016-07-23 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If the user specifies an invalid NFTA_MATCH_INFO/NFTA_TARGET_INFO attr or the memory alloc fails, we should call module_put on the related match or target. Otherwise, we cannot remove the module even if nobody uses it. Signed-off-by: Liping Zhang <

[PATCH iptables] extensions: libxt_connlabel: add unit test

2016-07-23 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Add some unit tests for connlabel match extension: # ./iptables-test.py extensions/libxt_connlabel.t extensions/libxt_connlabel.t: OK 1 test files, 7 unit tests, 7 passed Signed-off-by: Liping Zhang <liping.zh...@sprea

[PATCH iptables] extensions: libxt_NFLOG: add unit test to cover nflog-size with zero

2016-07-20 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> "--nflog-size 0" is valid and we must display it appropriately. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- extensions/libxt_NFLOG.t | 1 +

Re: [PATCH nf-next 3/3] netfilter: nft_log: fix snaplen does not truncate packets

2016-07-20 Thread Liping Zhang
Hi Pablo, 2016-07-20 16:25 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Wed, Jul 20, 2016 at 07:00:13AM +0800, Liping Zhang wrote: >> I find that nftables already supports this feature, the following command >> means to truncate packets >> to 100 bytes befo

Re: [PATCH 1/1] netfilter: Add helper array register/unregister functions

2016-07-19 Thread Liping Zhang
2016-07-18 11:39 GMT+08:00 : > From: Gao Feng > > Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister > functions to enhance the conntrack helper codes. I think this patch is breaking something ... This irc: > - if (ports[i] ==

[PATCH nf-next 0/3] netfilter: fix some small bugs related to nft_log

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> This patchset is very small, it aims to fix some bugs related to the nftables log expr. patch#1 fixes a possible memory leak if the user specifies the log prefix but the log expr init fails. patch#2 adds a validity check of the log level, otherwise us

[PATCH nf-next 1/3] netfilter: nft_log: fix possible memory leak if log expr init fail

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Suppose that we specify NFTA_LOG_PREFIX, then NFTA_LOG_LEVEL and NFTA_LOG_GROUP are specified together or the nf_logger_find_get call returns failure, i.e. the expr init fails, a memory leak will happen. Signed-off-by: Liping Zhang <

[PATCH nf-next 2/3] netfilter: nft_log: check the validity of log level

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The user can specify a log level larger than 7 (debug level) via nfnetlink, this is invalid. So in this case, we should report EINVAL to userspace. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/n

[PATCH nf-next 3/3] netfilter: nft_log: fix snaplen does not truncate packets

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> There's a similar problem in xt_NFLOG, and was fixed by commit 7643507fe8b5 ("netfilter: xt_NFLOG: nflog-range does not truncate packets"). Only set copy_len here does not work, so we should enable NF_LOG_F_COPY_LEN also. Signe

[PATCH V2 iptables] extensions: libxt_connlabel: Add translation to nft

2016-07-16 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Add translation for connlabel to nftables. For examples: # iptables-translate -A INPUT -m connlabel --label bit40 nft add rule ip filter INPUT ct label bit40 counter # iptables-translate -A INPUT -m connlabel ! --label bit40 --set n

Re: [PATCH iptables] extensions: libxt_connlabel: Add translation to nft

2016-07-16 Thread Liping Zhang
At 2016-07-16 17:04:39, "Florian Westphal" <f...@strlen.de> wrote: >Liping Zhang <zlpnob...@163.com> wrote: >> >> # iptables-translate -A INPUT -m connlabel ! --label bit40 --set >> nft add rule ip filter INPUT ct label set bit40 ct label != bit

[PATCH nf] netfilter: nft_ct: fix unpaired nf_connlabels_get/put call

2016-07-16 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We only get nf_connlabels if the user adds a ct label set expr successfully, but we will also put nf_connlabels if the user deletes a ct label get expr. This is mismatched, and will cause the ct label expr to not work properly. Also, if we init som

[PATCH iptables] extensions: libxt_connlabel: Add translation to nft

2016-07-16 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Add translation for connlabel to nftables. For examples: # iptables-translate -A INPUT -m connlabel --label bit40 nft add rule ip filter INPUT ct label bit40 counter # iptables-translate -A INPUT -m connlabel ! --label bit40 --set n

Re: [PATCH nf-next 2/2] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-07-13 Thread Liping Zhang
Hi Florian, At 2016-07-12 21:03:03, "Florian Westphal" <f...@strlen.de> wrote: >Liping Zhang <zlpnob...@163.com> wrote: >> +inline void >> +nf_conntrack_get_ht(struct hlist_nulls_head **hash, unsigned int *hsize) > >Which "inline void"?

[PATCH nf-next 1/2] netfilter: conntrack: protect early_drop by rcu read lock

2016-07-12 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The user can add a ct entry via nfnetlink (IPCTNL_MSG_CT_NEW), and if the total number reaches nf_conntrack_max, we will try to drop some ct entries. But in this case (the main function call path is ctnetlink_create_conntrack -> nf_conntr

[PATCH nf-next 2/2] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-07-12 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Since commit 64b87639c9cb ("netfilter: conntrack: fix race between nf_conntrack proc read and hash resize") introduced nf_conntrack_get_ht, there's no need to check nf_conntrack_generation again and again to get the hash tab

[PATCH nf-next] netfilter: nft_ct: make byte/packet expr more friendly

2016-07-05 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If we want to use the ct packets expr, and add a rule like the following: # nft add rule filter input ct packets gt 1 counter We will find that no packets hit it, because nf_conntrack_acct is disabled by default. So it will not work until we

Re: [PATCH] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-07-04 Thread Liping Zhang
2016-07-04 14:14 GMT+08:00 Christophe Leroy : >> I think there is no need to convert simple_strtoul to kstrtouint, add >> a further check seems better? >> Like this: >> - if (!cseq) { >> + if (!cseq && *(*dptr + matchoff) != '0') { >> > > And what about an

Re: [PATCH] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-07-03 Thread Liping Zhang
2016-07-01 17:48 GMT+08:00 Christophe Leroy : > Do not drop packet when CSeq is 0 as 0 is also a valid value for CSeq. > > --- a/net/netfilter/nf_conntrack_sip.c > +++ b/net/netfilter/nf_conntrack_sip.c > @@ -1368,6 +1368,7 @@ static int process_sip_response(struct sk_buff

[PATCH V2,nf 1/3] netfilter: conntrack: fix race between nf_conntrack proc read and hash resize

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When we do "cat /proc/net/nf_conntrack", and meanwhile resize the conntrack hash table via /sys/module/nf_conntrack/parameters/hashsize, race will happen, because reader can observe a newly allocated hash but the old size (or vice

[PATCH V2,nf 2/3] netfilter: cttimeout: unlink timeout obj again when hash resize happen

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Imagine such a situation: nf_conntrack_htable_size is now 4096, we are doing ctnl_untimeout, and iterating on the 3000# bucket. Meanwhile, another user tries to reduce the hash size to 2048, then all nf_conn are moved to the new hashtable. When thi

[PATCH V2,nf 3/3] netfilter: nf_ct_helper: unlink helper again when hash resize happen

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Similar to ctnl_untimeout, when hash resize happened, we should try to do unhelp from the 0# bucket again. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- V2: no need to use nf_conntrack_generation to check hash resize

Re: [PATCH nf 1/3] netfilter: conntrack: fix race between nf_conntrack proc read and hash resize

2016-07-02 Thread Liping Zhang
>Good catch, but ... > >> diff --git a/include/net/netfilter/nf_conntrack_core.h >> b/include/net/netfilter/nf_conntrack_core.h >> index 3e2f332..4f6453a 100644 >> --- a/include/net/netfilter/nf_conntrack_core.h >> +++ b/include/net/netfilter/nf_conntrack_core.h >> @@ -82,6 +82,7 @@

[PATCH nf 2/3] netfilter: cttimeout: unlink timeout obj again when hash resize happen

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Imagine such a situation: nf_conntrack_htable_size is now 4096, we are doing ctnl_untimeout, and iterating on the 3000# bucket. Meanwhile, another user tries to reduce the hash size to 2048, then all nf_conn are moved to the new hashtable. When thi

[PATCH nf 0/3] netfilter: conntrack: fix race condition associated with hash resize

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When the user adjusts the hash size via /sys/module/nf_conntrack/parameters/hashsize, something will break because a race condition happens. This patch set aims to fix these bugs. When we do "cat /proc/net/nf_conntrack", and at the s

[PATCH nf 1/3] netfilter: conntrack: fix race between nf_conntrack proc read and hash resize

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When we do "cat /proc/net/nf_conntrack", and meanwhile resize the conntrack hash table via /sys/module/nf_conntrack/parameters/hashsize, race will happen, because reader can observe a newly allocated hash but the old size (or vice

[PATCH nf 3/3] netfilter: nf_ct_helper: unlink helper again when hash resize happen

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Similar to ctnl_untimeout, when hash resize happened, we should try to do unhelp from the 0# bucket again. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nf_conntrack_helper.c | 14 -- 1 file

[PATCH iptables] extensions: libipt_realm: fix order of mask and id when do nft translation

2016-06-27 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Before: # iptables-translate -A INPUT -m realm --realm 1/0xf nft add rule ip filter INPUT rtclassid and 0x1 == 0xf counter Apply this patch: # iptables-translate -A INPUT -m realm --realm 1/0xf nft add rule ip filter INPUT rtc

Re: [PATCH nf-next] netfilter: xt_cpu: no need to check the validity of invert flag

2016-06-23 Thread Liping Zhang
Hi Pablo, 2016-06-23 19:11 GMT+08:00 Pablo Neira Ayuso : >> -static int cpu_mt_check(const struct xt_mtchk_param *par) >> -{ >> - const struct xt_cpu_info *info = par->matchinfo; >> - >> - if (info->invert & ~1) >> - return -EINVAL; >> - return 0; >>

Re: [PATCH -next v2] netfilter: conntrack: allow increasing bucket size via sysctl too

2016-06-22 Thread Liping Zhang
Hi Florian, 2016-06-22 2:46 GMT+08:00 Florian Westphal : > @@ -1650,11 +1646,31 @@ int nf_conntrack_set_hashsize(const char *val, struct > kernel_param *kp) > write_seqcount_end(&nf_conntrack_generation); > nf_conntrack_all_unlock(); > local_bh_enable(); > +

Re: [PACTH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-20 Thread Liping Zhang
Hi Marcelo, 2016-06-20 23:48 GMT+08:00 Marcelo Ricardo Leitner : > > A different check/log is made for ip6: > nf_reject_ip6_tcphdr_get(): > /* IP header checks: fragment, too short. */ > if (proto != IPPROTO_TCP || *otcplen < sizeof(struct tcphdr)) { >

[PACTH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-20 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> In iptables, if the user adds a rule to send a tcp RST and specifies a non-TCP protocol, such as UDP, the kernel will reject this request. But in nftables, this validity check only occurs in the nft tool, i.e. only in userspace. This means that user c

[PATCH nf] netfilter: nf_tables: fix memory leak if expr init fails

2016-06-20 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If expr init fails then we need to free it. So when the user adds an nft rule as follows: # nft add rule filter input tcp dport 22 flow table ssh \ { ip saddr limit rate 0/second } a memory leak will happen. Signed-off-by: Liping

Re: [PATCH nf-next 4/4] netfilter: nft_meta: add explicitly nf_logger_find_get call

2016-06-14 Thread Liping Zhang
Hi Florian, At 2016-06-08 20:59:32, "Florian Westphal" wrote: > >With nftables we have a new infrastructure in place that emits trace info via >nfnetlink. > >So loading nf_log_ipX isn't needed anymore in nft. Yes, in nftables, user can use "nft monitor" to get the trace info.

[PATCH nf-next] netfilter: nf_tables: fix a wrong check to skip the inactive rules

2016-06-14 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> nft_genmask_cur has already applied the left-shift operator to the gencursor, so there's no need to apply the left-shift operator to it again. Fixes: ea4bd995b0f2 ("netfilter: nf_tables: add transaction helper functions") Cc: Patrick McHardy

[PATCH nft] tests: shell: add endless jump loop tests

2016-06-13 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Add some tests for endless jump loop validation. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- tests/shell/testcases/chains/0010endless_jump_loop_1 | 9 + tests/shell/testcases/chains/0011endless_jump

[PATCH nft] tests: shell: make testcases which using tcp/udp port more rubost

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> On my machine, port 12345 is mapped to italk in /etc/services: italk 12345/tcp # Italk Chat System So when we add a nft rule with udp port "12345", nft list ruleset will display it as "italk"

[PATCH nf-next 2/3] netfilter: nf_tables: fix a endless jump loop when use vmap

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Currently, a user can add such a wrong nft rule successfully, which will cause an endless jump loop: # nft add rule filter test tcp dport vmap {1: jump test} This is because before we commit, the element in the current anonymous set is in

[PATCH nf-next 0/3] netfilter: fix a endless jump loop bug

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> This patch set mainly fixes an endless jump loop bug; for example, a user can add the following nft rules successfully: # nft add table filter # nft add chain filter test # nft add rule filter test tcp dport vmap {1: jump test} This is beca

[PATCH nf-next 1/3] netfilter: nf_tables: fix wrong check of NFT_SET_MAP in nf_tables_bind_set

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We should check whether "i" is used as a dictionary or not; "binding" is already checked before. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 inserti

[PATCH nf-next 3/3] netfilter: nf_tables: fix wrong destroy anonymous sets if binding fails

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When we add a nft rule as follows: # nft add rule filter test tcp dport vmap {1: jump test} an -ELOOP error will be returned, and the anonymous set will be destroyed. But after that, nf_tables_abort will also try to remove the element and d

[PATCH iptables] extensions: libxt_TRACE: Add translation to nft

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> For example: # iptables-translate -t raw -A PREROUTING -j TRACE nft add rule ip raw PREROUTING counter nftrace set 1 Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- extensions/libxt_TRACE.c | 8 1 fil

[PATCH nf-next 3/4] netfilter: xt_TRACE: add explicitly nf_logger_find_get call

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Consider such a situation: if the nf_log_ipv4 kernel module is not installed, and the user adds the following iptables rule: # iptables -t raw -I PREROUTING -j TRACE There will be no trace log generated until the user installs the nf_log_ipv4 module m

[PATCH nf-next 0/4] netfilter: request related nf_log module when we add TRACE rule

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> This patch set solves such a problem; for example, if we add the following iptables rule: # iptables -t raw -I PREROUTING -j TRACE And the nf_log_ipv4 kernel module is not installed, no trace log will be generated, until we install the nf_log_ipv4

[PATCH nf-next 1/4] netfilter: nf_log: handle NFPROTO_INET properly in nf_logger_[find_get|put]

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When we request NFPROTO_INET, it means both NFPROTO_IPV4 and NFPROTO_IPV6. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nf_log.c | 20 1 file changed, 20 insertions(+) diff

[PATCH nf-next] netfilter: xt_cpu: no need to check the validity of invert flag

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Instead, we can convert invert flag and ensure it is 1 or 0. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/xt_cpu.c | 12 +--- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/n

[PATCH nf-next] netfilter: nft_meta: set skb->nf_trace appropriately

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When a user adds a nft rule to set nftrace to zero, for example: # nft add rule ip filter input nftrace set 0 We should set nf_trace to zero also. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nft_meta

[PATCH nft] parser: fix crash if we add a chain with an error chain type

2016-05-29 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If we add a chain and specify a nonexistent chain type, chain_type_name_lookup will return a NULL pointer, and we meet the assert condition in xstrdup. Fix a crash like this: # nft add chain filter input {type none hook input priority 0\;}

[PATCH nft 2/3] meta: fix endianness in priority

2016-05-29 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> For example, after we add a rule to set priority 1:2, it will be displayed in network byte order as 0200:0100, which is wrong: # nft add rule filter test meta priority set 1:2 # nft list chain filter test table ip filter { chai

[PATCH iptables] extensions: libxt_limit: fix a wrong translation to nft rule

2016-05-21 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The default burst value is 5 in the iptables limit extension while it is 0 in the nft limit expression; if the burst value is the default, it will not be displayed when we dump the rules. But when we do the translation from iptables rules to nft rules, we

[PATCH nft] evaluate: fix crash if we add an error format rule

2016-05-14 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If we add such a nft rule: nft add rule filter input ip protocol icmp tcp dport 0 we will always meet the assert condition: nft: evaluate.c:536: resolve_protocol_conflict: Assertion `base < (__PROTO_BASE_MAX - 1)' failed. Abor
