Re: [PATCH] src: fix parsing for set handle attributes

2018-03-12 Thread Eckl, Máté
Hi, I am new here, but isn't it strange that you mask the flags with the HANDLE attribute? Regards, Máté 2018-03-11 14:18 GMT+01:00 Harsha Sharma : > Correct one typo for parsing set handles. > > Signed-off-by: Harsha Sharma > --- >

Re: [nft] nftables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-03-12 Thread Ahmed Abdelsalam
On Sun, 11 Mar 2018 23:00:41 +0100 Pablo Neira Ayuso wrote: > On Tue, Feb 27, 2018 at 07:25:14AM +0100, Ahmed Abdelsalam wrote: > > Type 0 and 2 of the IPv6 Routing extension header are not handled > > properly by exthdr_init_raw() in src/exthdr.c > > > > In order to fix

Re: [PATCH nft] src: install table skeleton files to sysconfdir/nftables

2018-03-12 Thread Florian Westphal
Arturo Borrero Gonzalez wrote: > On 12 March 2018 at 12:36, Florian Westphal wrote: > > + > > +install-data-hook: > > + ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/* > > -- > > The shebang in those files is static now

[PATCH nft] netlink: use nftnl_flowtable_get/set

2018-03-12 Thread Florian Westphal
the '_array' variant is just a wrapper for get/set api; this allows the array variant to be removed from libnftnl. Signed-off-by: Florian Westphal --- src/netlink.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/netlink.c b/src/netlink.c index

[PATCH] Net: netfilter: Replace printk() with pr_*() and define pr_fmt()

2018-03-12 Thread Arushi Singhal
Using pr_*() is more concise than printk(KERN_*). This patch: * Replace printks having a log level with the appropriate pr_*() macros. * Define pr_fmt() to include relevant name. * Remove redundant prefixes from pr_*() calls. * Indent the code where possible. * Remove the useless output messages. *

Re: Port triggering

2018-03-12 Thread Stéphane Veyret
Partially answering myself: here is a good starting point for nftables dev -> https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/

Re: [PATCH nft] src: install table skeleton files to sysconfdir/nftables

2018-03-12 Thread Arturo Borrero Gonzalez
On 12 March 2018 at 12:36, Florian Westphal wrote: > + > +install-data-hook: > + ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/* > -- The shebang in those files is static now (#!/usr/sbin/nft -f) Perhaps we should differentiate between files we use for
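Review bot: the `sed -i` in the `install-data-hook` runs over `${DESTDIR}${pkgsysconfdir}/*`, which rewrites every file in the sysconf directory in place, not only the skeleton files this hook installs; restrict the substitution to the files just copied so a pre-existing user file under that directory is never touched. Also, as the reply notes the shebang in those files is now static (`#!/usr/sbin/nft -f`), check that the `@sbindir@` placeholder still occurs in them at all, otherwise the hook is a no-op that only rewrites timestamps.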

Re: Port triggering

2018-03-12 Thread Florian Westphal
Stéphane Veyret wrote: > A few words on the specs I imagined for the port triggering: > > table ip trigger { > chain postrouting { > type filter hook postrouting priority 0; > ip dport 554 trigger open rtsp timeout 300 # Open the > trigger named rtsp

[PATCH 00/30] Netfilter/IPVS updates for net-next

2018-03-12 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter/IPVS updates for your net-next tree. This batch comes with more input sanitization for xtables to address bug reports from fuzzers, preparation works to the flowtable infrastructure and assorted updates. In no particular order, they are: 1)

[PATCH 15/30] netfilter: compat: reject huge allocation requests

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal no need to bother even trying to allocate huge compat offset arrays, such a ruleset is rejected later on anyway because we refuse to allocate overly large rule blobs. However, compat translation happens before blob allocation, so we should add a check there

[PATCH 05/30] netfilter: ipt_ah: return boolean instead of integer

2018-03-12 Thread Pablo Neira Ayuso
From: "Gustavo A. R. Silva" Return statements in functions returning bool should use true/false instead of 1/0. This issue was detected with the help of Coccinelle. Signed-off-by: Gustavo A. R. Silva Signed-off-by: Pablo Neira Ayuso

[PATCH 13/30] netfilter: x_tables: add counters allocation wrapper

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal allows to have size checks in a single spot. This is supposed to reduce oom situations when fuzz-testing xtables. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso ---

[PATCH 29/30] netfilter: conncount: Support count only use case

2018-03-12 Thread Pablo Neira Ayuso
From: Yi-Hung Wei Currently, nf_conncount_count() counts the number of connections that match key and inserts a conntrack 'tuple' with the same key into the accounting data structure. This patch supports another use case that only counts the number of connections where

[PATCH 30/30] netfilter: nft_ct: add NFT_CT_{SRC,DST}_{IP,IP6}

2018-03-12 Thread Pablo Neira Ayuso
All existing keys, except the NFT_CT_SRC and NFT_CT_DST are assumed to have strict datatypes. This is causing problems with sets and concatenations given the specific length of these keys is not known. Signed-off-by: Pablo Neira Ayuso Acked-by: Florian Westphal

[PATCH 22/30] ipv6: make ip6_dst_mtu_forward inline

2018-03-12 Thread Pablo Neira Ayuso
From: Felix Fietkau Needed to remove a direct dependency on ipv6.ko from flowtable infrastructure. Make it inline like ip_dst_mtu_maybe_forward(). Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- include/net/ip6_route.h | 21

[PATCH 20/30] netfilter: nf_flow_table: use IP_CT_DIR_* values for FLOW_OFFLOAD_DIR_*

2018-03-12 Thread Pablo Neira Ayuso
From: Felix Fietkau Simplifies further code cleanups Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_flow_table.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git

[PATCH 14/30] netfilter: compat: prepare xt_compat_init_offsets to return errors

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal should have no impact, function still always returns 0. This patch is only to ease review. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/x_tables.h | 2 +-

[PATCH 28/30] netfilter: Refactor nf_conncount

2018-03-12 Thread Pablo Neira Ayuso
From: Yi-Hung Wei Remove parameter 'family' in nf_conncount_count() and count_tree(). It is because the parameter is not useful after commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit into front and backend"). Signed-off-by: Yi-Hung Wei

[PATCH 26/30] ipvs: use true and false for boolean values

2018-03-12 Thread Pablo Neira Ayuso
From: "Gustavo A. R. Silva" Assign true or false to boolean variables instead of an integer value. This issue was detected with the help of Coccinelle. Signed-off-by: Gustavo A. R. Silva Signed-off-by: Simon Horman

[PATCH 27/30] netfilter: nf_tables: handle rt0 and rt2 properly

2018-03-12 Thread Pablo Neira Ayuso
From: Ahmed Abdelsalam This fixes Netfilter's bugzilla #1219. Type 0 and 2 of the IPv6 Routing extension header are not handled properly by exthdr_init_raw() in src/exthdr.c In order to fix the bug, we extended the "enum nft_exthdr_op" to differentiate between rt, rt0, and

[PATCH 24/30] netfilter: nf_flow_table: rename nf_flow_table.c to nf_flow_table_core.c

2018-03-12 Thread Pablo Neira Ayuso
From: Felix Fietkau Preparation for adding more code to the same module Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- net/netfilter/Makefile | 2 ++ net/netfilter/{nf_flow_table.c =>

[PATCH 23/30] netfilter: nf_flow_table: cache mtu in struct flow_offload_tuple

2018-03-12 Thread Pablo Neira Ayuso
From: Felix Fietkau Reduces the number of cache lines touched in the offload forwarding path. This is safe because PMTU limits are bypassed for the forwarding path (see commit f87c10a8aa1e for more details). Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira

[PATCH 25/30] netfilter: x_tables: fix build with CONFIG_COMPAT=n

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal I placed the helpers within CONFIG_COMPAT section, move them outside. Fixes: 472ebdcd15ebdb ("netfilter: x_tables: check error target size too") Fixes: 07a9da51b4b6ae ("netfilter: x_tables: check standard verdicts in core") Signed-off-by: Florian Westphal

[PATCH 21/30] netfilter: nf_flow_table: clean up flow_offload_alloc

2018-03-12 Thread Pablo Neira Ayuso
From: Felix Fietkau Reduce code duplication and make it much easier to read Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_flow_table.c | 93 --- 1 file changed, 34

[PATCH 18/30] netfilter: make xt_rateest hash table per net

2018-03-12 Thread Pablo Neira Ayuso
From: Cong Wang As suggested by Eric, we need to make the xt_rateest hash table and its lock per netns to reduce lock contentions. Cc: Florian Westphal Cc: Eric Dumazet Cc: Pablo Neira Ayuso Signed-off-by:

[PATCH 16/30] netfilter: x_tables: make sure compat af mutex is held

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/x_tables.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index

[PATCH 17/30] netfilter: x_tables: ensure last rule in base chain matches underflow/policy

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal Harmless from kernel point of view, but again iptables assumes that this is true when decoding ruleset coming from kernel. If a (syzkaller generated) ruleset doesn't have the underflow/policy stored as the last rule in the base chain, then iptables will

[PATCH 10/30] netfilter: x_tables: enforce unique and ascending entry points

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal Harmless from kernel point of view, but iptables assumes that this is true when decoding a ruleset. iptables walks the dumped blob from kernel, and, for each entry that creates a new chain it prints out rule/chain information. Base chains (hook entry

[PATCH 06/30] netfilter: unlock xt_table earlier in __do_replace

2018-03-12 Thread Pablo Neira Ayuso
From: Xin Long Now it's doing cleanup_entry for oldinfo under the xt_table lock, but it's not really necessary. After the replacement job is done in xt_replace_table, oldinfo is not used elsewhere any more, and it can be freed without xt_table lock safely. The important

[PATCH 04/30] netfilter: nf_conntrack_broadcast: remove useless parameter

2018-03-12 Thread Pablo Neira Ayuso
From: Taehee Yoo parameter protoff in nf_conntrack_broadcast_help is not used anywhere. Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack_helper.h | 3 +--

[PATCH 07/30] netfilter: x_tables: check standard verdicts in core

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal Userspace must provide a valid verdict to the standard target. The verdict can be either a jump (signed int > 0), or a return code. Allowed return codes are either RETURN (pop from stack), NF_ACCEPT, DROP and QUEUE (latter is allowed for legacy reasons).

[PATCH 08/30] netfilter: x_tables: check error target size too

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal Check that userspace ERROR target (custom user-defined chains) matches expected format, and the chain name is null terminated. This is irrelevant for kernel, but iptables itself relies on sane input when it dumps rules from kernel. Signed-off-by: Florian

[PATCH 12/30] netfilter: x_tables: limit allocation requests for blob rule heads

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal This is a very conservative limit (134217728 rules), but good enough to not trigger frequent oom from syzkaller. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/x_tables.c | 3 +++

[PATCH 02/30] netfilter: nfnetlink_acct: remove useless parameter

2018-03-12 Thread Pablo Neira Ayuso
From: Taehee Yoo parameter skb in nfnl_acct_overquota is not used anywhere. Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nfnetlink_acct.h | 3 +-- net/netfilter/nfnetlink_acct.c |

[PATCH 03/30] netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast

2018-03-12 Thread Pablo Neira Ayuso
From: Taehee Yoo If we use ipv6_addr_is_multicast instead of xt_cluster_ipv6_is_multicast, then we can reduce code size. Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- net/netfilter/xt_cluster.c | 10 +- 1

[PATCH 01/30] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static

2018-03-12 Thread Pablo Neira Ayuso
From: kbuild test robot Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle") Signed-off-by: Fengguang Wu Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 8

[PATCH] net: drivers/net: Remove unnecessary skb_copy_expand OOM messages

2018-03-12 Thread Joe Perches
skb_copy_expand without __GFP_NOWARN already does a dump_stack on OOM so these messages are redundant. Signed-off-by: Joe Perches --- drivers/net/ethernet/qualcomm/qca_spi.c | 1 - drivers/net/usb/lg-vl600.c | 6 +- drivers/net/wimax/i2400m/usb-rx.c | 3

Re: [PATCH 00/30] Netfilter/IPVS updates for net-next

2018-03-12 Thread David Miller
From: Pablo Neira Ayuso Date: Mon, 12 Mar 2018 18:58:50 +0100 > The following patchset contains Netfilter/IPVS updates for your net-next > tree. This batch comes with more input sanitization for xtables to > address bug reports from fuzzers, preparation works to the

Re: [PATCH 00/30] Netfilter/IPVS updates for net-next

2018-03-12 Thread Felix Fietkau
On 2018-03-12 19:58, David Miller wrote: > From: Pablo Neira Ayuso > Date: Mon, 12 Mar 2018 18:58:50 +0100 > >> The following patchset contains Netfilter/IPVS updates for your net-next >> tree. This batch comes with more input sanitization for xtables to >> address bug

Re: Port triggering

2018-03-12 Thread Florian Westphal
Stéphane Veyret wrote: > 2018-03-12 12:25 GMT+01:00 Florian Westphal : > > (Or i still fail to understand what you want to do, it does > > sound exactly like expectations, e.g. for ftp data channel in > > response to PASV command on ftp control channel). > >

Re: Port triggering

2018-03-12 Thread Stéphane Veyret
2018-03-12 16:53 GMT+01:00 Florian Westphal : >> It may be what I'm looking for. But I couldn't find any documentation >> about this “ct expectation” command. Or do you mean I should create a >> conntrack helper module for that? > > Right, this doesn't exist yet. > > I think we

[PATCH 3/5] netfilter: x_tables: add and use xt_check_proc_name

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal recent and hashlimit both create /proc files, but only check that name is 0 terminated. This can trigger WARN() from procfs when name is "" or "/". Add helper for this and then use it for both. Cc: Eric Dumazet Reported-by: Eric

[PATCH 4/5] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal ebt_among is special, it has a dynamic match size and is exempt from the central size checks. commit c4585a2823edf ("bridge: ebt_among: add missing match size checks") added validation for pool size, but missed the fact that the macros ebt_among_wh_src/dst can

[PATCH 5/5] netfilter: nf_tables: release flowtable hooks

2018-03-12 Thread Pablo Neira Ayuso
Otherwise we leak this array. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 558593e6a0a3..c4acc7340eb1 100644 ---

[PATCH 2/5] netfilter: ebtables: fix erroneous reject of last rule

2018-03-12 Thread Pablo Neira Ayuso
From: Florian Westphal The last rule in the blob has next_entry offset that is same as total size. This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel. Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets")

Re: Port triggering

2018-03-12 Thread Stéphane Veyret
Thank you for your help. 2018-03-12 12:25 GMT+01:00 Florian Westphal : > (Or i still fail to understand what you want to do, it does > sound exactly like expectations, e.g. for ftp data channel in > response to PASV command on ftp control channel). No, what I would like to have

Re: [PATCH nft] netlink: use nftnl_flowtable_get/set

2018-03-12 Thread Pablo Neira Ayuso
On Mon, Mar 12, 2018 at 01:00:17PM +0100, Florian Westphal wrote: > the '_array' variant is just a wrapper for get/set api; this > allows the array variant to be removed from libnftnl. LGTM, thanks Florian! > Signed-off-by: Florian Westphal > --- > src/netlink.c | 8 >

[PATCH 1/5] netfilter: nft_set_hash: skip fixed hash if timeout is specified

2018-03-12 Thread Pablo Neira Ayuso
Fixed hash supports to timeouts, so skip it. Otherwise, userspace hits EOPNOTSUPP. Fixes: 6c03ae210ce3 ("netfilter: nft_set_hash: add non-resizable hashtable implementation") Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_set_hash.c | 2 +- 1 file changed, 1

[PATCH 0/5] Netfilter fixes for net

2018-03-12 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Fixed hashtable representation doesn't support timeout flag, skip it otherwise rules to add elements from the packet bogusly fail with EOPNOTSUPP. 2) Fix bogus error with 32-bits ebtables

[PATCH nft] src: install table skeleton files to sysconfdir/nftables

2018-03-12 Thread Florian Westphal
commit 6c9230e79339ca ("nftables: rearrange files and examples") removed the install hook for the old 'iptables table skeleton rulesets'. This restores the install hook for some of these. Reported-by: Duncan Roe Cc: Arturo Borrero Gonzalez

Re: [PATCH 00/30] Netfilter/IPVS updates for net-next

2018-03-12 Thread David Miller
From: Felix Fietkau Date: Mon, 12 Mar 2018 20:30:01 +0100 > It's not dead and useless. In its current state, it has a software fast > path that significantly improves nftables routing/NAT throughput, > especially on embedded devices. > On some devices, I've seen "only" 20%

Re: [PATCH 00/30] Netfilter/IPVS updates for net-next

2018-03-12 Thread Felix Fietkau
On 2018-03-12 21:01, David Miller wrote: > From: Felix Fietkau > Date: Mon, 12 Mar 2018 20:30:01 +0100 > >> It's not dead and useless. In its current state, it has a software fast >> path that significantly improves nftables routing/NAT throughput, >> especially on embedded

Re: [PATCH 0/5] Netfilter fixes for net

2018-03-12 Thread David Miller
From: Pablo Neira Ayuso Date: Mon, 12 Mar 2018 17:15:59 +0100 > The following patchset contains Netfilter fixes for your net tree, they are: > > 1) Fixed hashtable representation doesn't support timeout flag, skip it > otherwise rules to add elements from the packet fail

[PATCH v2] netfilter: nf_tables: remove VLA usage

2018-03-12 Thread Gustavo A. R. Silva
In preparation to enabling -Wvla, remove VLA and replace it with dynamic memory allocation. From a security viewpoint, the use of Variable Length Arrays can be a vector for stack overflow attacks. Also, in general, as the code evolves it is easy to lose track of how big a VLA can get. Thus, we

[PATCH] netfilter: nf_tables: remove VLA usage

2018-03-12 Thread Gustavo A. R. Silva
In preparation to enabling -Wvla, remove VLA and replace it with dynamic memory allocation. From a security viewpoint, the use of Variable Length Arrays can be a vector for stack overflow attacks. Also, in general, as the code evolves it is easy to lose track of how big a VLA can get. Thus, we

Re: [PATCH 2/2] ebtables: Add string filter

2018-03-12 Thread Bernie Harris
Hi Pablo, thanks for the reply. Just wanted to clarify your first comment below: On Mon, Mar 12, 2018 at 09:41:00AM +0100, Pablo Neira Ayuso wrote: > To: Bernie Harris > Cc: netfilter-devel@vger.kernel.org; kad...@blackhole.kfki.hu; > f...@strlen.de; da...@davemloft.net > Subject: Re: [PATCH

Re: iptables-save - suggest patch to add functionality

2018-03-12 Thread Alban Vidal
Package: iptables Dear Maintainers, On 11/03/2018 at 21:57, Pablo Neira Ayuso wrote: > Hi Alban, > > On Tue, Jan 23, 2018 at 11:44:22AM +0100, Alban Vidal wrote: >> 1) Adding -z or --zero option: Reset to zero counters of the chains. > I have no objections to this -z feature, but better use -Z

[PATCH] netfilter: nfnetlink_cthelper: Remove VLA usage

2018-03-12 Thread Gustavo A. R. Silva
In preparation to enabling -Wvla, remove VLA and replace it with dynamic memory allocation. From a security viewpoint, the use of Variable Length Arrays can be a vector for stack overflow attacks. Also, in general, as the code evolves it is easy to lose track of how big a VLA can get. Thus, we

[PATCH] netfilter: cttimeout: remove VLA usage

2018-03-12 Thread Gustavo A. R. Silva
In preparation to enabling -Wvla, remove VLA and replace it with dynamic memory allocation. From a security viewpoint, the use of Variable Length Arrays can be a vector for stack overflow attacks. Also, in general, as the code evolves it is easy to lose track of how big a VLA can get. Thus, we

Re: [PATCH] netfilter: cttimeout: remove VLA usage

2018-03-12 Thread Joe Perches
On Mon, 2018-03-12 at 18:14 -0500, Gustavo A. R. Silva wrote: > In preparation to enabling -Wvla, remove VLA and replace it > with dynamic memory allocation. > > From a security viewpoint, the use of Variable Length Arrays can be > a vector for stack overflow attacks. Also, in general, as the