Re: [PATCH 00/50] Netfilter/IPVS updates for net-next

2016-12-07 Thread David Miller
From: Pablo Neira Ayuso
Date: Wed, 7 Dec 2016 22:52:06 +0100

> The following patchset contains a large Netfilter update for net-next,
> to summarise:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Pulled,

[PATCH 09/50] netfilter: nf_conntrack_tuple_common.h: fix #include

2016-12-07 Thread Pablo Neira Ayuso
From: Davide Caratti To allow usage of enum ip_conntrack_dir in include/net/netns/conntrack.h, this patch encloses #include in a #ifndef __KERNEL__ directive, so that compiler errors caused by unwanted inclusion of include/linux/netfilter.h are avoided. In addition,

[PATCH 27/50] netfilter: nft_fib_ipv4: initialize *dest to zero

2016-12-07 Thread Pablo Neira Ayuso
From: Liping Zhang Otherwise, if the fib lookup fails, *dest will be filled with a garbage value, so reverse path filtering will not work properly:

# nft add rule x prerouting fib saddr oif eq 0 drop

Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression") Signed-off-by:

[PATCH 36/50] netfilter: nft_quota: dump consumed quota

2016-12-07 Thread Pablo Neira Ayuso
Add a new attribute NFTA_QUOTA_CONSUMED that displays the amount of quota that has been already consumed. This allows us to restore the internal state of the quota object between reboots as well as to monitor how wasted it is. This patch changes the logic to account for the consumed bytes,

[PATCH 43/50] netfilter: rpfilter: bypass ipv4 lbcast packets with zeronet source

2016-12-07 Thread Pablo Neira Ayuso
From: Liping Zhang Otherwise, DHCP Discover packets (0.0.0.0->255.255.255.255) may be dropped incorrectly.

Signed-off-by: Liping Zhang
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---

[PATCH 06/50] netfilter: built-in NAT support for UDPlite

2016-12-07 Thread Pablo Neira Ayuso
From: Davide Caratti CONFIG_NF_NAT_PROTO_UDPLITE is no longer a tristate. When set to y, NAT support for the UDPlite protocol is built into nf_nat.ko. footprint test: (nf_nat_proto_) |udplite || nf_nat --+++ no builtin

[PATCH 38/50] netfilter: nf_tables: notify internal updates of stateful objects

2016-12-07 Thread Pablo Neira Ayuso
Introduce nf_tables_obj_notify() to notify internal state changes in stateful objects. This is used by the quota object to report depletion in a follow up patch. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 4 net/netfilter/nf_tables_api.c

[PATCH 23/50] netfilter: x_tables: pass xt_counters struct instead of packet counter

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal On SMP we overload the packet counter (unsigned long) to contain percpu offset. Hide this from callers and pass xt_counters address instead. Preparation patch to allocate the percpu counters in page-sized batch chunks. Signed-off-by: Florian Westphal

[PATCH 44/50] netfilter: nat: skip checksum on offload SCTP packets

2016-12-07 Thread Pablo Neira Ayuso
From: Davide Caratti SCTP GSO and hardware can do CRC32c computation after netfilter processing, so we can avoid calling sctp_compute_checksum() on skb if skb->ip_summed is equal to CHECKSUM_PARTIAL. Moreover, set skb->ip_summed to CHECKSUM_NONE when the NAT code computes

[PATCH 28/50] netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields

2016-12-07 Thread Pablo Neira Ayuso
This patch adds a new flag that signals the kernel to update the layer 4 checksum if the packet field belongs to the layer 4 pseudoheader. This implicitly provides stateless 1:1 NAT that is useful under very specific use cases. Since rules mangling layer 3 fields that are part of the pseudoheader may

[PATCH 15/50] netfilter: nat: add dependencies on conntrack module

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal MASQUERADE, S/DNAT and REDIRECT already call functions that depend on the conntrack module. However, since the conntrack hooks are now registered in a lazy fashion (i.e., only when needed) a symbol reference is not enough. Thus, when something is added to

[PATCH 00/50] Netfilter/IPVS updates for net-next

2016-12-07 Thread Pablo Neira Ayuso
Hi David, The following patchset contains a large Netfilter update for net-next, to summarise: 1) Add support for stateful objects. This series provides a nf_tables native alternative to the extended accounting infrastructure for nf_tables. Two initial stateful objects are supported:

[PATCH 22/50] netfilter: convert while loops to for loops

2016-12-07 Thread Pablo Neira Ayuso
From: Aaron Conole This is to facilitate converting from a singly-linked list to an array of elements. Signed-off-by: Aaron Conole Signed-off-by: Pablo Neira Ayuso --- net/bridge/br_netfilter_hooks.c | 8

[PATCH 16/50] netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal so that conntrack core will add the needed hooks in this namespace. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/nft_masq_ipv4.c | 7 +++

[PATCH 32/50] netfilter: nf_tables: add stateful objects

2016-12-07 Thread Pablo Neira Ayuso
This patch augments nf_tables to support stateful objects. This new infrastructure allows you to create, dump and delete stateful objects, that are identified by a user-defined name. This patch adds the generic infrastructure, follow up patches add support for two stateful objects: counters and

[PATCH 14/50] netfilter: add and use nf_ct_netns_get/put

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal currently aliased to try_module_get/_put. Will be changed in next patch when we add functions to make use of ->net argument to store usercount per l3proto tracker. This is needed to avoid registering the conntrack hooks in all netns and later only enable

[PATCH 26/50] netfilter: nft_fib: convert htonl to ntohl properly

2016-12-07 Thread Pablo Neira Ayuso
From: Liping Zhang Actually ntohl and htonl are identical, so this doesn't affect anything, but it is conceptually wrong. Signed-off-by: Liping Zhang Acked-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

[PATCH 39/50] netfilter: nft_quota: add depleted flag for objects

2016-12-07 Thread Pablo Neira Ayuso
Notify on depleted quota objects. The NFT_QUOTA_F_DEPLETED flag indicates we have reached overquota. Add pointer to table from nft_object, so we can use it when sending the depletion notification to userspace. Signed-off-by: Pablo Neira Ayuso ---

[PATCH 31/50] netfilter: add and use nf_fwd_netdev_egress

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal ... so we can use current skb instead of working with a clone. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_dup_netdev.h | 1 + net/netfilter/nf_dup_netdev.c

[PATCH 25/50] netfilter: x_tables: pack percpu counter allocations

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal instead of allocating each xt_counter individually, allocate 4k chunks and then use these for counter allocation requests. This should speed up rule evaluation by increasing data locality, also speeds up ruleset loading because we reduce calls to the

[PATCH 20/50] netfilter: introduce accessor functions for hook entries

2016-12-07 Thread Pablo Neira Ayuso
From: Aaron Conole This allows easier future refactoring. Signed-off-by: Aaron Conole Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter.h | 27 +++ net/bridge/br_netfilter_hooks.c | 2 +-

[PATCH 24/50] netfilter: x_tables: pass xt_counters struct to counter allocator

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal Keeps some noise away from a followup patch. Signed-off-by: Florian Westphal Acked-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/x_tables.h | 27

[PATCH 42/50] netfilter: nf_tables: allow to filter stateful object dumps by type

2016-12-07 Thread Pablo Neira Ayuso
This patch adds the netlink code to filter out dump of stateful objects, through the NFTA_OBJ_TYPE netlink attribute. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 50 +++ 1 file changed, 50 insertions(+) diff

[PATCH 34/50] netfilter: nft_quota: add stateful object type

2016-12-07 Thread Pablo Neira Ayuso
Register a new quota stateful object type into the new stateful object infrastructure. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nft_quota.c| 96 +++- 2 files changed, 84

[PATCH 29/50] netfilter: xt_multiport: Fix wrong unmatch result with multiple ports

2016-12-07 Thread Pablo Neira Ayuso
From: Gao Feng I lost one test case in the last commit for xt_multiport. For example, the rule is "-m multiport --dports 22,80,443". When the first port is unmatched and the second is matched, the current code could not return the right result. It would return false directly when

[PATCH 30/50] netfilter: ingress: translate 0 nf_hook_slow retval to -1

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal The caller assumes that < 0 means that skb was stolen (or free'd). All other return values continue skb processing. nf_hook_slow returns 3 different return value types: A) a (negative) errno value: the skb was dropped (NF_DROP, e.g. by iptables '-j DROP'

[PATCH 40/50] netfilter: nf_tables: add stateful object reference to set elements

2016-12-07 Thread Pablo Neira Ayuso
This patch allows you to refer to stateful objects from set elements. This provides the infrastructure to create maps where the right hand side of the mapping is a stateful object. This allows us to build dictionaries of stateful objects, that you can use to perform fast lookups using any

[PATCH 08/50] netfilter: nfnetlink_log: add "nf-logger-5-1" module alias name

2016-12-07 Thread Pablo Neira Ayuso
From: Liping Zhang So we can autoload nfnetlink_log.ko when the user adds a nft log group X rule in the netdev family. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nfnetlink_log.c | 1 + 1 file

[PATCH 41/50] netfilter: nft_objref: support for stateful object maps

2016-12-07 Thread Pablo Neira Ayuso
This patch allows us to refer to stateful object dictionaries, the source register indicates the key data to be used to look up for the corresponding state object. We can refer to these maps through names or, alternatively, the map transaction id. This allows us to refer to both anonymous and

[PATCH 49/50] netfilter: xt_bpf: support ebpf

2016-12-07 Thread Pablo Neira Ayuso
From: Willem de Bruijn Add support for attaching an eBPF object by file descriptor. The iptables binary can be called with a path to an elf object or a pinned bpf object. Also pass the mode and path to the kernel to be able to return it later for iptables dump and save.

[PATCH 48/50] netfilter: x_tables: avoid warn and OOM killer on vmalloc call

2016-12-07 Thread Pablo Neira Ayuso
From: Marcelo Ricardo Leitner Andrey Konovalov reported that this vmalloc call is based on a userspace request and that it's spewing traces, which may flood the logs and cause DoS if abused. Florian Westphal also mentioned that this call should not trigger OOM

[PATCH 46/50] netfilter: nft_set: introduce nft_{hash, rbtree}_deactivate_one()

2016-12-07 Thread Pablo Neira Ayuso
This new function allows us to deactivate one single element, this is required by the set flush command that comes in a follow up patch. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_set_hash.c | 24 +--- net/netfilter/nft_set_rbtree.c | 11

[PATCH 45/50] netfilter: nf_tables: constify struct nft_ctx * parameter in nft_trans_alloc()

2016-12-07 Thread Pablo Neira Ayuso
Context is not modified by nft_trans_alloc(), so constify it. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index

[PATCH 47/50] netfilter: nf_tables: support for set flushing

2016-12-07 Thread Pablo Neira Ayuso
This patch adds support for set flushing, that consists of walking over the set elements if the NFTA_SET_ELEM_LIST_ELEMENTS attribute is set. This patch requires the following changes: 1) Add set->ops->deactivate_one() operation: This allows us to deactivate an element from the set element

[PATCH 11/50] netfilter: conntrack: built-in support for SCTP

2016-12-07 Thread Pablo Neira Ayuso
From: Davide Caratti CONFIG_NF_CT_PROTO_SCTP is no longer a tristate. When set to y, connection tracking support for the SCTP protocol is built into nf_conntrack.ko. footprint test: $ ls -l net/netfilter/nf_conntrack{_proto_sctp,}.ko \

[PATCH 19/50] netfilter: defrag: only register defrag functionality if needed

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal nf_defrag modules for ipv4 and ipv6 export an empty stub function. Any module that needs the defragmentation hooks registered simply 'calls' this empty function to create a phony module dependency -- modprobe will then load the defrag module too. This

[PATCH 21/50] netfilter: decouple nf_hook_entry and nf_hook_ops

2016-12-07 Thread Pablo Neira Ayuso
From: Aaron Conole During nfhook traversal we only need a very small subset of nf_hook_ops members. We need:

- next element
- hook function to call
- hook function priv argument

Bridge netfilter also needs 'thresh'; can be obtained via ->orig_ops. nf_hook_entry struct is

[PATCH 35/50] netfilter: nf_tables: add stateful object reference expression

2016-12-07 Thread Pablo Neira Ayuso
This new expression allows us to refer to existing stateful objects from rules. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 14 net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile | 1 +

[PATCH 01/50] ipvs: Use IS_ERR_OR_NULL(svc) instead of IS_ERR(svc) || svc == NULL

2016-12-07 Thread Pablo Neira Ayuso
From: Gao Feng This minor refactoring does not change the logic of function ip_vs_genl_dump_dests. Signed-off-by: Gao Feng Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_ctl.c | 2 +- 1

[PATCH 05/50] netfilter: built-in NAT support for SCTP

2016-12-07 Thread Pablo Neira Ayuso
From: Davide Caratti CONFIG_NF_NAT_PROTO_SCTP is no longer a tristate. When set to y, NAT support for the SCTP protocol is built into nf_nat.ko. footprint test: (nf_nat_proto_) | sctp || nf_nat --+++ no builtin

[PATCH 10/50] netfilter: conntrack: built-in support for DCCP

2016-12-07 Thread Pablo Neira Ayuso
From: Davide Caratti CONFIG_NF_CT_PROTO_DCCP is no longer a tristate. When set to y, connection tracking support for the DCCP protocol is built into nf_conntrack.ko. footprint test: $ ls -l net/netfilter/nf_conntrack{_proto_dccp,}.ko \

[PATCH 04/50] netfilter: built-in NAT support for DCCP

2016-12-07 Thread Pablo Neira Ayuso
From: Davide Caratti CONFIG_NF_NAT_PROTO_DCCP is no longer a tristate. When set to y, NAT support for the DCCP protocol is built into nf_nat.ko. footprint test: (nf_nat_proto_) | dccp || nf_nat --+++ no builtin

[PATCH 03/50] netfilter: update Arturo Borrero Gonzalez email address

2016-12-07 Thread Pablo Neira Ayuso
From: Arturo Borrero Gonzalez The email address has changed, let's update the copyright statements. Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/nft_masq_ipv4.c | 4 ++--

Re: [PATCH nft v2] datatype: Display pre-defined inet_service values in host byte order

2016-12-07 Thread Pablo Neira Ayuso
Hi Elise,

On Wed, Dec 07, 2016 at 05:03:31PM -0200, Elise Lennion wrote:
> nft describe displays, to the user, which values are available for a selector,
> then the values should be in host byte order.
>
> Reported-by: Pablo Neira Ayuso
> Fixes: ccc5da470e76 ("datatype:

[nf-next:master 36/48] net/netfilter/nft_counter.c:131:9: error: implicit declaration of function 'cmpxchg64'

2016-12-07 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: 2c16d60332643e90d4fa244f4a706c454b8c7569
commit: 43da04a593d8b2626f1cf4b56efe9402f6b53652 [36/48] netfilter: nf_tables: atomic dump and reset for stateful objects
config: sh-allmodconfig (attached as .config)

[PATCH nf-next] netfilter: nft_quota: allow to restore consumed quota

2016-12-07 Thread Pablo Neira Ayuso
Allow to restore consumed quota, this is useful to restore the quota state across reboots. Signed-off-by: Pablo Neira Ayuso --- N.B: Just this one more patch on the current pile on nf-next, and I'll be preparing the pull request for David. net/netfilter/nft_quota.c | 11