[PATCH v3 nf-next 4/7] skbuff: add and use skb_nfct helper

2017-01-23 Thread Florian Westphal
Followup patch renames skb->nfct and changes its type, so add a helper to avoid an intrusive rename change later. Signed-off-by: Florian Westphal --- changes since v2: this patch is new, it was split from v2 'netfilter: merge ctinfo into nfct pointer storage area'.

[PATCH v3 nf-next 2/7] netfilter: reset netfilter state when duplicating packet

2017-01-23 Thread Florian Westphal
We should also toss nf_bridge_info, if any -- packet is leaving via ip_local_out, also, this skb isn't bridged -- it is a locally generated copy. Also this avoids the need to touch this later when skb->nfct is replaced with 'unsigned long _nfct' in followup patch. Signed-off-by: Florian Westphal

[PATCH v3 nf-next 3/7] netfilter: reduce direct skb->nfct usage

2017-01-23 Thread Florian Westphal
Next patch makes direct skb->nfct access illegal, reduce noise in next patch by using accessors we already have. Signed-off-by: Florian Westphal --- No changes in v1 and v2. include/net/ip_vs.h | 9 ++--- net/netfilter/nf_conntrack_core.c | 15

[PATCH v3 nf-next 1/7] netfilter: conntrack: no need to pass ctinfo to error handler

2017-01-23 Thread Florian Westphal
It is never accessed for reading and the only places that write to it are the icmp(6) handlers, which also set skb->nfct (and skb->nfctinfo). The conntrack core specifically checks for attached skb->nfct after ->error() invocation and returns early in this case. Signed-off-by: Florian Westphal

Re: [nft PATCH 0/3] Boolean comparison and exthdr existence match support

2017-01-23 Thread Pablo Neira Ayuso
Hi Phil, On Tue, Jan 17, 2017 at 11:10:04PM +0100, Phil Sutter wrote: > The following series adds two distinct features to nftables, though > since the second one depends on presence of the first one this is > submitted as a series. > > Patch 1 adds support for a boolean variant of relational

[PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Florian Westphal
Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff. This avoids changing code in followup patch that merges skb->nfct and skb->nfctinfo into skb->_nfct. Suggested-by: Pablo Neira Ayuso Signed-off-by: Florian Westphal --- Not part of

[PATCH v3 nf-next 6/7] netfilter: guarantee 8 byte minalign for template addresses

2017-01-23 Thread Florian Westphal
The next change will merge skb->nfct pointer and skb->nfctinfo status bits into a single skb->_nfct (unsigned long) area. For this to work nf_conn addresses must always be aligned at least on an 8 byte boundary since we will need the lower 3 bits to store nfctinfo. Conntrack templates are allocated

[PATCH v3 nf-next 7/7] netfilter: merge ctinfo into nfct pointer storage area

2017-01-23 Thread Florian Westphal
After this change conntrack operations (lookup, creation, matching from ruleset) only access one instead of two sk_buff cache lines. This works for normal conntracks because those are allocated from a slab that guarantees hw cacheline or 8 byte alignment (whatever is larger) so the 3 bits needed

[PATCH nf-next v3 0/7] netfilter: skbuff: merge nfctinfo bits and nfct pointer

2017-01-23 Thread Florian Westphal
Whenever we fetch skb conntrack info, we need to access two distinct cache lines in sk_buff, #2 (nfct pointer) and #3 (nfctinfo bits). This series removes nfctinfo and joins it with the data pointer in a single ulong. We have 3 nfctinfo bits, the slab cache used for nf_conn objects guarantees at

Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Pablo Neira Ayuso
On Mon, Jan 23, 2017 at 01:28:48PM +0100, Florian Westphal wrote: > diff --git a/net/netfilter/core.c b/net/netfilter/core.c > index 0c629fdf90e1..ce6adfae521a 100644 > --- a/net/netfilter/core.c > +++ b/net/netfilter/core.c > @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const struct

Re: [PATCH nf V2] netfilter: nf_tables: validate the name size when possible

2017-01-23 Thread Pablo Neira Ayuso
On Fri, Jan 20, 2017 at 09:03:03PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Currently, if the user adds a stateful object with a name size exceeding > NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently. > This is not friendly, furthermore, this

Re: [PATCH nft] src: Honor obligatory stateless printing of flow tables

2017-01-23 Thread Pablo Neira Ayuso
On Wed, Jan 18, 2017 at 09:06:47PM -0200, Elise Lennion wrote: Please, next time always add a description here, even a small one; this is good to help others keep track of what we're doing. I have applied this, but one more comment below. > Signed-off-by: Elise Lennion

[PATCH nft] rule: check for EINTR error from cache_init_objects() for stateful objects

2017-01-23 Thread Pablo Neira Ayuso
Catch -1 case, so we have a chance to handle EINTR. Signed-off-by: Pablo Neira Ayuso --- src/rule.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/rule.c b/src/rule.c index f2ffd4b27e8a..b5181a90f795 100644 --- a/src/rule.c +++ b/src/rule.c

Re: [PATCH nft] tests: shell: Add test for set element leak bug

2017-01-23 Thread Pablo Neira Ayuso
On Thu, Jan 19, 2017 at 02:29:47PM -0200, Elise Lennion wrote: > This tests for a bug where a repeated element is added and the set > elements counter is incorrectly increased. Applied, thanks. It would be good to have another test to catch the 'nft flush set x y' bug that you uncovered, this

Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Mon, Jan 23, 2017 at 01:28:48PM +0100, Florian Westphal wrote: > > diff --git a/net/netfilter/core.c b/net/netfilter/core.c > > index 0c629fdf90e1..ce6adfae521a 100644 > > --- a/net/netfilter/core.c > > +++ b/net/netfilter/core.c > > @@ -375,7

[PATCH nft 1/2] src: Allow reset single stateful object

2017-01-23 Thread Elise Lennion
Currently the stateful objects can only be reset in groups. With this patch resetting a single object is allowed: $ nft reset counter x https-traffic table ip x { counter https-traffic { packets 8774 bytes 542668 } } $ nft reset quota x https-quota table ip x {

[PATCH nft] tests: shell: Add test for flush bug on sets with size

2017-01-23 Thread Elise Lennion
This tests for a bug where elements can't be added after flushing a full set with the flag NFTNL_SET_DESC_SIZE set. Signed-off-by: Elise Lennion --- tests/shell/testcases/sets/0017add_after_flush_0 | 12 1 file changed, 12 insertions(+) create mode 100755

Re: [RFC PATCH 0/2] restore original default of nf_conntrack_helper sysctl

2017-01-23 Thread Pablo Neira Ayuso
On Mon, Jan 23, 2017 at 05:09:55PM -0800, Linus Torvalds wrote: > On Mon, Jan 23, 2017 at 4:06 PM, Jiri Kosina wrote: > > > > Considering this being really close to the "userspace breakage" > > borderline, I'm CCing Linus as well. > > For all I know, there may be some security

Re: [RFC PATCH 0/2] restore original default of nf_conntrack_helper sysctl

2017-01-23 Thread Linus Torvalds
On Mon, Jan 23, 2017 at 4:06 PM, Jiri Kosina wrote: > > Considering this being really close to the "userspace breakage" > borderline, I'm CCing Linus as well. For all I know, there may be some security reason why we really don't want the automatic helpers, even if they can be

[PATCH 2/2] Revert "netfilter: fix nf_conntrack_helper documentation"

2017-01-23 Thread Jiri Kosina
From: Jiri Kosina This reverts commit 486dcf43da7815baa615822f3e46883ccca5400f. The commit that flipped the default has been reverted as well. Signed-off-by: Jiri Kosina --- Documentation/networking/nf_conntrack-sysctl.txt | 7 ++- 1 file changed, 2

[PATCH 1/2] Revert "netfilter: nf_ct_helper: disable automatic helper assignment"

2017-01-23 Thread Jiri Kosina
From: Jiri Kosina This reverts commit 3bb398d925ec73e42b778cf823c8f4aecae359ea. It breaks existing firewall configurations. Signed-off-by: Jiri Kosina --- net/netfilter/nf_conntrack_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff

Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Jozsef Kadlecsik
On Mon, 23 Jan 2017, Florian Westphal wrote: > Jozsef Kadlecsik wrote: > > > > > --- a/net/netfilter/core.c > > > > > +++ b/net/netfilter/core.c > > > > > @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const > > > > > struct sk_buff *skb) > > > > > { > > >

Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Florian Westphal
Jozsef Kadlecsik wrote: > > > > --- a/net/netfilter/core.c > > > > +++ b/net/netfilter/core.c > > > > @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const struct > > > > sk_buff *skb) > > > > { > > > > void (*attach)(struct sk_buff *, const struct

[PATCH] netfilter: nf_ct_helper: warn when not applying default helper assignment (was Re: [RFC PATCH 0/2] restore original default of nf_conntrack_helper sysctl)

2017-01-23 Thread Jiri Kosina
On Mon, 23 Jan 2017, Linus Torvalds wrote: > For all I know, there may be some security reason why we really don't > want the automatic helpers, even if they can be convenient. > > Also, you can just enable them with a kernel command line or a sysctl, > so it's not like you can't get the old

Re: EPOLLERR on memory mapped netlink socket

2017-01-23 Thread Patrick PIGNOL
Hi! I think nobody here will answer you. Those who know the answer will not answer you because they think it's trivial or don't want to spend time on it. And those who don't know it will not answer you because they do not want to show they don't know the answer (like me). I asked some help for 2

[PATCH v4 nf-next 6/7] netfilter: guarantee 8 byte minalign for template addresses

2017-01-23 Thread Florian Westphal
The next change will merge skb->nfct pointer and skb->nfctinfo status bits into a single skb->_nfct (unsigned long) area. For this to work nf_conn addresses must always be aligned at least on an 8 byte boundary since we will need the lower 3 bits to store nfctinfo. Conntrack templates are allocated

[PATCH v4 nf-next 7/7] netfilter: merge ctinfo into nfct pointer storage area

2017-01-23 Thread Florian Westphal
After this change conntrack operations (lookup, creation, matching from ruleset) only access one instead of two sk_buff cache lines. This works for normal conntracks because those are allocated from a slab that guarantees hw cacheline or 8 byte alignment (whatever is larger) so the 3 bits needed

[PATCH v4 nf-next 4/7] skbuff: add and use skb_nfct helper

2017-01-23 Thread Florian Westphal
Followup patch renames skb->nfct and changes its type, so add a helper to avoid an intrusive rename change later. Signed-off-by: Florian Westphal --- changes since v3: don't alter core.c -- we should check skb->nfct, skb_nfct() won't be enough after removal of conntrack untracked

[PATCH v4 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Florian Westphal
Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff. This avoids changing code in followup patch that merges skb->nfct and skb->nfctinfo into skb->_nfct. Signed-off-by: Florian Westphal --- changes since v3: get rid of an unneeded hunk (core.c), previous

[PATCH v4 nf-next 3/7] netfilter: reduce direct skb->nfct usage

2017-01-23 Thread Florian Westphal
Next patch makes direct skb->nfct access illegal, reduce noise in next patch by using accessors we already have. Signed-off-by: Florian Westphal --- no changes since v1. include/net/ip_vs.h | 9 ++--- net/netfilter/nf_conntrack_core.c | 15 +-- 2

[PATCH v4 nf-next 2/7] netfilter: reset netfilter state when duplicating packet

2017-01-23 Thread Florian Westphal
We should also toss nf_bridge_info, if any -- packet is leaving via ip_local_out, also, this skb isn't bridged -- it is a locally generated copy. Also this avoids the need to touch this later when skb->nfct is replaced with 'unsigned long _nfct' in followup patch. Signed-off-by: Florian Westphal

[PATCH v4 nf-next 1/7] netfilter: conntrack: no need to pass ctinfo to error handler

2017-01-23 Thread Florian Westphal
It is never accessed for reading and the only places that write to it are the icmp(6) handlers, which also set skb->nfct (and skb->nfctinfo). The conntrack core specifically checks for attached skb->nfct after ->error() invocation and returns early in this case. Signed-off-by: Florian Westphal

[PATCH nf-next v4 0/7] netfilter: skbuff: merge nfctinfo bits and nfct pointer

2017-01-23 Thread Florian Westphal
Whenever we fetch skb conntrack info, we need to access two distinct cache lines in sk_buff, #2 (nfct pointer) and #3 (nfctinfo bits). This series removes nfctinfo and joins it with the data pointer in a single ulong. We have 3 nfctinfo bits, the slab cache used for nf_conn objects guarantees at