On Thu, Oct 13, 2016 at 05:10:55PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > On Thu, Oct 13, 2016 at 02:25:45PM +0200, Florian Westphal wrote:
> > > Pablo Neira Ayuso wrote:
> > > > Patch c5136b15ea36 ("netfilter: bridge: add and use
On Thu, Oct 13, 2016 at 02:25:45PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
> > introduced br_nf_hook_thresh().
> >
> > Replace NF_HOOK_THRESH() by br_nf_hook_thresh from
> >
Pablo Neira Ayuso wrote:
> On Thu, Oct 13, 2016 at 02:25:45PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
> > > introduced br_nf_hook_thresh().
> > >
> > >
Pablo Neira Ayuso wrote:
> int br_nf_hook_thresh(unsigned int hook, struct net *net,
> struct sock *sk, struct sk_buff *skb,
> struct net_device *indev,
> struct net_device *outdev,
> int
Pablo Neira Ayuso wrote:
> > Any reason why this is needed?
> > AFAICS xt_NFQUEUE will never return NF_QUEUE after this patch.
>
> -j QUEUE uses the standard target to return NF_QUEUE. This is a very
> primitive way to queue packets to userspace queue 0 via nf_queue, but
>
On Thu, Oct 13, 2016 at 02:38:21PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
[...]
> > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
> > index de4fa03f46f3..7040842c34f4 100644
> > --- a/net/ipv4/netfilter/ip_tables.c
> > +++
On Wed, Oct 12, 2016 at 11:27 PM, Markus Trippelsdorf wrote:
>
> Yeah.
>
> 105 entry->orig_ops = reg;
> 106 entry->ops = *reg;
> 107 entry->next = NULL;
So ipt_register_table() does:
ret = nf_register_net_hooks(net, ops,
On Thu, Oct 13, 2016 at 12:49:33PM -0700, Linus Torvalds wrote:
> That said, xt_hook_ops_alloc() itself is odd. Lookie here, this is the
> loop that initializes things:
>
> for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0;
> hook_mask >>= 1, ++hooknum) {
>
> and it
Linus Torvalds wrote:
> On Wed, Oct 12, 2016 at 11:27 PM, Markus Trippelsdorf wrote:
> >
> > Yeah.
> >
> > 105 entry->orig_ops = reg;
> > 106 entry->ops = *reg;
> > 107 entry->next = NULL;
>
> So
Nicolas Dichtel wrote:
> On 10/10/2016 at 16:04, Florian Westphal wrote:
> > Nicolas Dichtel wrote:
> >> After commit b87a2f9199ea ("netfilter: conntrack: add gc worker to remove
> >> timed-out entries"), netlink conntrack deletion events
Add range expression available that is scheduled for linux kernel 4.9.
This range expression allows us to check if a given value placed in a
register is within/outside a specified interval.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/expr.h | 7 +
Make sure we skip the current hook from where the packet was enqueued,
otherwise the packets get enqueued over and over again.
Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
Signed-off-by: Pablo Neira Ayuso
---
I managed to reproduce this with
Use nft_parse_u32_check() to make sure we don't get a value over the
unsigned 8-bit integer. Moreover, make sure this value doesn't go over
the two supported range comparison modes.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_range.c | 16 +++-
1 file
On 2016.10.13 at 08:02 +0200, Markus Trippelsdorf wrote:
> On 2016.10.11 at 04:57 -0400, David Miller wrote:
> > From: Linus Torvalds
> > Date: Mon, 10 Oct 2016 22:47:50 -0700
> >
> > > On Mon, Oct 10, 2016 at 10:39 PM, Linus Torvalds
> > >
Use new range expression in the kernel to fix wrong bytecode generation.
This patch also adjusts tests so we don't hit problems there.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/nf_tables.h| 29 +
src/netlink_delinearize.c
Pablo Neira Ayuso writes:
> Make sure we skip the current hook from where the packet was enqueued,
> otherwise the packets get enqueued over and over again.
>
> Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
> Signed-off-by: Pablo Neira Ayuso
We cannot block/sleep on nf_iterate because netfilter runs under rcu
read lock these days, where blocking is illegal. So let's remove these
old comments.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 7 ---
1 file changed, 7 deletions(-)
diff --git
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 9 -
1 file changed, 9 deletions(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index fcb5d1df11e9..7b723bcd2522 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -323,15 +323,6
Pablo Neira Ayuso wrote:
> Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
> introduced br_nf_hook_thresh().
>
> Replace NF_HOOK_THRESH() by br_nf_hook_thresh from
> br_nf_forward_finish(), so we have no more callers for this macro.
>
> As a result,
Export a new nf_queue() function that translates the NF_QUEUE verdict
depending on the scenario:
1) Drop packet if queue is full.
2) Accept packet if bypass is enabled.
3) Return stolen if packet is enqueued.
We can call this function from xt_NFQUEUE and nft_queue. Thus, we
move packet queuing
NF_STOP is only used by br_netfilter these days, and it can be emulated
with a combination of NF_STOLEN plus explicit call to the ->okfn()
function as Florian suggests.
To retain binary compatibility with userspace nf_queue application, we
have to keep NF_STOP around, so libnetfilter_queue
Use switch() for verdict handling and add explicit handling for
NF_STOLEN and other non-conventional verdicts.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 28 ++--
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git
Now that this function has become smaller, inline it and use a better
name to describe what this is doing.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter.h | 41 +--
include/linux/netfilter_ingress.h | 2 +-
Hi,
This is a quick RFC that has passed just very basic testing here. This
patchset achieves what has been discussed during NetDev 1.2:
1) Deprecate NF_STOP, as this is only used by br_netfilter.
2) Remove threshold handling, this is also only used by br_netfilter
too.
3) Move NF_QUEUE
Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
introduced br_nf_hook_thresh().
Replace NF_HOOK_THRESH() by br_nf_hook_thresh from
br_nf_forward_finish(), so we have no more callers for this macro.
As a result, state->thresh and explicit thresh parameter in the hook
state
Don't copy relevant fields from hook state structure, instead use the
one that is already available in struct xt_action_param.
This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: Pablo Neira Ayuso
---
nf_iterate() has become rather simple, we can integrate this code into
nf_hook_slow() to reduce the amount of LOC in the core path.
However, we still need nf_iterate() around for nf_queue packet handling,
so move this function there where we only need it. I think it should be
possible to refactor
Place pointer to hook state in xt_action_param structure instead of
copying the fields that we need. After this change xt_action_param fits
into one cacheline.
This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 9 -
1 file changed, 9 deletions(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index fcb5d1df11e9..7b723bcd2522 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -323,15 +323,6
Place pointer to hook state in xt_action_param structure instead of
copying the fields that we need. After this change xt_action_param fits
into one cacheline.
This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: Pablo Neira Ayuso
Now that this function has become smaller, inline it and use a better
name to describe what this is doing.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter.h | 41 +--
include/linux/netfilter_ingress.h | 2 +-
Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
introduced br_nf_hook_thresh().
Replace NF_HOOK_THRESH() by br_nf_hook_thresh from
br_nf_forward_finish(), so we have no more callers for this macro.
As a result, state->thresh and explicit thresh parameter in the hook
state
We cannot block/sleep on nf_iterate because netfilter runs under rcu
read lock these days, where blocking is illegal. So let's remove these
old comments.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 7 ---
1 file changed, 7 deletions(-)
diff --git
NF_STOP is only used by br_netfilter these days, and it can be emulated
with a combination of NF_STOLEN plus explicit call to the ->okfn()
function as Florian suggests.
To retain binary compatibility with userspace nf_queue application, we
have to keep NF_STOP around, so libnetfilter_queue
On 2016.10.11 at 04:57 -0400, David Miller wrote:
> From: Linus Torvalds
> Date: Mon, 10 Oct 2016 22:47:50 -0700
>
> > On Mon, Oct 10, 2016 at 10:39 PM, Linus Torvalds
> > wrote:
> >>
> >> I guess I will have to double-check that the
On 2016.10.12 at 23:18 -0700, Linus Torvalds wrote:
> On Oct 12, 2016 23:07, "Markus Trippelsdorf" wrote:
> >
> > This is nf_register_net_hook at net/netfilter/core.c:106
>
> The "*regs" access?
Yeah.
105 entry->orig_ops = reg;
106 entry->ops = *reg;