Easy way to set NOTRACK for INPUT, FORWARD and OUTPUT independently

2016-12-05 Thread mudrunka
Hello, currently in iptables I can set NOTRACK (-j CT --notrack) only for OUTPUT and PREROUTING, because the routing decision is made after the conntracking. I need a stateful firewall on INPUT, but conntrack on FORWARD is a performance drawback for me. And I can imagine that someone might have

Re: Easy way to set NOTRACK for INPUT, FORWARD and OUTPUT independently

2016-12-05 Thread mudrunka
And by "disguise" I meant "distinguish" :-) T. On 2016-12-06 06:54, mudru...@spoje.net wrote: Hello, currently in iptables I can set NOTRACK (-j CT --notrack) only for OUTPUT and PREROUTING, because the routing decision is made after the conntracking. I need a stateful firewall on INPUT,

[PATCH nft] datatype: Display pre-defined inet_service values in host byte order

2016-12-05 Thread Elise Lennion
nft describe displays, to the user, which values are available for a selector, then the values should be in host byte order. Reported-by: Pablo Neira Ayuso Fixes: ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table") Signed-off-by: Elise Lennion

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Florian Westphal
Willem de Bruijn wrote: > While we're discussing the patch, another question, about revisions: I > tested both modified and original iptables binaries on both standard > and modified kernels. It all works as expected, except for the case > where both binaries are

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Willem de Bruijn
On Mon, Dec 5, 2016 at 6:29 PM, Willem de Bruijn wrote: > On Mon, Dec 5, 2016 at 6:22 PM, Pablo Neira Ayuso wrote: >> On Mon, Dec 05, 2016 at 06:06:05PM -0500, Willem de Bruijn wrote: >> [...] >>> Eric also suggests a private variable to avoid being

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Willem de Bruijn
On Mon, Dec 5, 2016 at 6:22 PM, Pablo Neira Ayuso wrote: > On Mon, Dec 05, 2016 at 06:06:05PM -0500, Willem de Bruijn wrote: > [...] >> Eric also suggests a private variable to avoid being subject to >> changes to PATH_MAX. Then we can indeed also choose an arbitrary lower >>

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Pablo Neira Ayuso
On Mon, Dec 05, 2016 at 06:06:05PM -0500, Willem de Bruijn wrote: [...] > Eric also suggests a private variable to avoid being subject to > changes to PATH_MAX. Then we can indeed also choose an arbitrary lower > length than current PATH_MAX. Good. > FWIW, there is a workaround for users with

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Willem de Bruijn
On Mon, Dec 5, 2016 at 6:00 PM, Pablo Neira Ayuso wrote: > On Mon, Dec 05, 2016 at 11:34:15PM +0100, Pablo Neira Ayuso wrote: >> On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote: >> > Eric Dumazet wrote: >> > > On Mon, 2016-12-05 at

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Pablo Neira Ayuso
On Mon, Dec 05, 2016 at 02:59:09PM -0800, Eric Dumazet wrote: > On Mon, 2016-12-05 at 23:40 +0100, Florian Westphal wrote: > > > Fair enough, I have no objections to the patch. > > An additional question is about PATH_MAX : > > Is it guaranteed to stay at 4096 forever ? > > To be safe, maybe

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Pablo Neira Ayuso
On Mon, Dec 05, 2016 at 11:34:15PM +0100, Pablo Neira Ayuso wrote: > On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote: > > Eric Dumazet wrote: > > > On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote: > > > > From: Willem de Bruijn

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Daniel Borkmann
Hi Willem, On 12/05/2016 09:28 PM, Willem de Bruijn wrote: From: Willem de Bruijn Add support for attaching an eBPF object by file descriptor. The iptables binary can be called with a path to an elf object or a pinned bpf object. Also pass the mode and path to the kernel

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote: > > Eric Dumazet wrote: > > > On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote: > > > > From: Willem de Bruijn > > > > > > > >

[PATCH nft] src: add support to flush sets

2016-12-05 Thread Pablo Neira Ayuso
You can use this new command to remove all existing elements in a set: # nft flush set filter xyz After this command, the set 'xyz' in table 'filter' becomes empty. Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 2 ++ src/evaluate.c| 3 +++ src/netlink.c

[PATCH nf-next 3/3] netfilter: nf_tables: support for set flushing

2016-12-05 Thread Pablo Neira Ayuso
This patch adds support for set flushing, that consists of walking over the set elements if the NFTA_SET_ELEM_LIST_ELEMENTS attribute is set. This patch requires the following changes: 1) Add set->ops->deactivate_one() operation: This allows us to deactivate an element from the set element

[PATCH nf-next 1/3] netfilter: nf_tables: constify struct nft_ctx * parameter in nft_trans_alloc()

2016-12-05 Thread Pablo Neira Ayuso
Context is not modified by nft_trans_alloc(), so constify it. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index

[PATCH nf-next 2/3] netfilter: nft_set: introduce nft_{hash,rbtree}_deactivate_one()

2016-12-05 Thread Pablo Neira Ayuso
This new function allows us to deactivate one single element; this is required by the set flush command that comes in a follow-up patch. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_set_hash.c | 24 +--- net/netfilter/nft_set_rbtree.c | 11

Re: [PATCH nft] parser: Add glob support to include directive

2016-12-05 Thread Pablo Neira Ayuso
Please, add a description to this patch. Thanks. On Mon, Dec 05, 2016 at 08:58:38PM +0900, Kohei Suzuki wrote: > --- > src/scanner.l | 36 > +-- > tests/shell/testcases/include/0005glob_0 | 32 >

Kernel panic in netfilter 4.8.10 probably on conntrack -L

2016-12-05 Thread Denys Fedoryshchenko
Hi! I have a quite loaded NAT server (approx 17Gbps of traffic) where a periodic "conntrack -L" might trigger a kernel panic once per day. I am not definitely sure it is triggered exactly when running the tool, or just by enabling events. Here is the panic message: [221287.380762] general protection fault:

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Florian Westphal
Eric Dumazet wrote: > On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote: > > From: Willem de Bruijn > > > > Add support for attaching an eBPF object by file descriptor. > > > > The iptables binary can be called with a path to an elf object or

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Eric Dumazet
On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote: > From: Willem de Bruijn > > Add support for attaching an eBPF object by file descriptor. > > The iptables binary can be called with a path to an elf object or a > pinned bpf object. Also pass the mode and path to

[PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Willem de Bruijn
From: Willem de Bruijn Add support for attaching an eBPF object by file descriptor. The iptables binary can be called with a path to an elf object or a pinned bpf object. Also pass the mode and path to the kernel to be able to return it later for iptables dump and save.