Re: [Bridge] [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device
On Sun, Mar 19, 2017 at 05:55:06PM +0100, Linus Lüssing wrote:
> On Fri, Mar 17, 2017 at 02:10:44PM +0100, Pablo Neira Ayuso wrote:
> > Wait.
> >
> > May this break local multicast listener that are bound to the bridge
> > interface? Assuming the bridge interface got an IP address, and that
> > there is local multicast listener.
> >
> > Missing anything here?
>
> Hm, for multicast packets usually the code path a few lines
> later in br_handle_frame_finish() should be taken instead.
>
> But you might be right for IP multicast packets with a unicast MAC
> destination (due to whatever reason, for instance via DNAT'ing
> again).
>
> Will check that - thanks!

Ok, I tested DNAT'ing an IP multicast packet to the unicast MAC address
of the bridge interface. Both ping-ing to an IPv4 and IPv6 multicast
listener on br0 worked and were replied to fine, both with or without
changing skb->pkt_type from PACKET_MULTICAST to PACKET_HOST.

("$ ping 224.1.0.123" and "$ ping6 ff02::1:ff40:707c%in0" from a
network namespace, tied into the bridge via veth)

Also, a DNAT'ed PACKET_BROADCAST worked, with or without changing it to
PACKET_HOST.

I also checked via tcpdump that the destination MAC was changed
successfully.

So, so far I wasn't able to find any bugs with the current patch. But I
think I like the idea of leaving the skb->pkt_type unaltered for
PACKET_MULTICAST and PACKET_BROADCAST, seems cleaner.

I'd just add an "if (skb->pkt_type == PACKET_OTHERHOST)" check then and
resend a PATCH v2.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

[PATCH nf v3 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register
From: Gao FengIn the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the snmp_helper is never registered. But it still tries to unregister the snmp_helper, it could cause the panic. Now remove the useless snmp_helper and the unregister call in the error handler. Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper") Signed-off-by: Gao Feng --- v3: Remove the angle brackets in description, per Sergei v2: Add the SHA1 ID in the description, per Sergei v1: Initial version net/ipv4/netfilter/nf_nat_snmp_basic.c | 14 +- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c index c9b52c3..5787364 100644 --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c +++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c @@ -1260,16 +1260,6 @@ static int help(struct sk_buff *skb, unsigned int protoff, .timeout= 180, }; -static struct nf_conntrack_helper snmp_helper __read_mostly = { - .me = THIS_MODULE, - .help = help, - .expect_policy = _exp_policy, - .name = "snmp", - .tuple.src.l3num= AF_INET, - .tuple.src.u.udp.port = cpu_to_be16(SNMP_PORT), - .tuple.dst.protonum = IPPROTO_UDP, -}; - static struct nf_conntrack_helper snmp_trap_helper __read_mostly = { .me = THIS_MODULE, .help = help, @@ -1294,10 +1284,8 @@ static int __init nf_nat_snmp_basic_init(void) RCU_INIT_POINTER(nf_nat_snmp_hook, help); ret = nf_conntrack_helper_register(_trap_helper); - if (ret < 0) { - nf_conntrack_helper_unregister(_helper); + if (ret < 0) return ret; - } return ret; } -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
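Review bot: in the nf_nat_snmp_basic_init() hunk the error path still leaves nf_nat_snmp_hook pointing at help(): RCU_INIT_POINTER(nf_nat_snmp_hook, help) runs before nf_conntrack_helper_register(&snmp_trap_helper) and is not undone when registration fails, and since a failed init unloads the module, readers of the hook would then call into text that is gone. Suggest registering the trap helper first and publishing the hook only on success, or resetting the hook to NULL (followed by synchronize_rcu()) in the failure branch. Minor: after the change the tail reads `if (ret < 0) return ret; return ret;`, which can collapse to `return nf_conntrack_helper_register(&snmp_trap_helper);`.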
Re: [PATCH nf v2 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register
On Tue, Mar 21, 2017 at 12:35 AM, Sergei Shtylyov wrote:
> On 03/20/2017 01:15 PM, Feng Gao wrote:
>>>> From: Gao Feng
>>>>
>>>> In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack snmp
>>>
>>> Angle brackets not needed. :-)
>>> The commit citing style is the same as for the Fixes: tag.
>>
>> The checkpatch.pl reports the following error, if remove the angle
>> brackets.
>
> Because it stops recognizing the commit ID! :-)
>
>> ERROR: Please use git commit description style 'commit <12+ chars of
>> sha1> ("")' - ie: 'commit fatal: ambig ("evision or path
>> not in the working tree.")'
>
> So check the patch in the correct tree because that seems to be the
> problem... Angle brackets are surely not required.

Actually I didn't add the angle brackets firstly, but it failed to pass
the check_patch.pl check. So I had to modify it.

Ok, I removed the angle brackets now, just ignored the error report of
check_patch.pl.

Best Regards
Feng

>> #7:
>> In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
>>
>> total: 1 errors, 0 warnings, 0 checks, 27 lines checked
>>
>> Regards
>> Feng
>
> [...]
>
> MBR, Sergei

Re: [NetDev-tech] [NetDev] [Netdev ANNOUNCE]: New tc workshop accepted
On Mon, Mar 20, 2017 at 06:56:44PM +, Mathieu Desnoyers wrote:
> Hi Jamal,
>
> So, the interesting thing is that I've been automatically
> re-subscribed to peo...@netdevconf.org about 1 day after
> I explicitly unsubscribed. What do I need to do to stop
> receiving those unsolicited emails ?

That is my fault, sorry.

I have received the full list of people, including people that were
already subscribed previously. So I placed them in the same batch when
doing the mailing list subscription, that is why you got accidentally
re-subscribed.

My apologies.

Jamal, moving forward, please send me new registrations only.

Thanks!

Re: [NetDev] [Netdev ANNOUNCE]: New tc workshop accepted
Hi Jamal,

So, the interesting thing is that I've been automatically
re-subscribed to peo...@netdevconf.org about 1 day after
I explicitly unsubscribed. What do I need to do to stop
receiving those unsolicited emails ?

Best regards,

Mathieu

- On Mar 20, 2017, at 1:32 PM, Jamal Hadi Salim j...@mojatatu.com wrote:

> The tech committee would like to announce a new accepted workshop.
>
> Jamal Hadi Salim will chair the Traffic Control (tc) workshop
>
> Details are as follows:
> -
> Face to Face discussions on different tc topics
>
> Current WAG agenda (subject to update):
>
> New tc offloads since netdev 1.2
> New features/requests/improvements
> Performance
> Packet edit/offload discussion
> YATO (Yet another Tunnel offload).
>
> cheers,
> jamal
>
> ___
> people mailing list
> peo...@lists.netdevconf.org
> http://lists.netdevconf.org/cgi-bin/mailman/listinfo/people

--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com

[Netdev ANNOUNCE]: New tc workshop accepted
The tech committee would like to announce a new accepted workshop.

Jamal Hadi Salim will chair the Traffic Control (tc) workshop

Details are as follows:
-
Face to Face discussions on different tc topics

Current WAG agenda (subject to update):

New tc offloads since netdev 1.2
New features/requests/improvements
Performance
Packet edit/offload discussion
YATO (Yet another Tunnel offload).

cheers,
jamal

[nft PATCH 0/2] Some fixes for nested sets
This series fixes a number of issues with nested anonymous sets.

Phil Sutter (2):
  evaluate: set: Allow for set elems to be sets
  evaluate: set: Fix nested set merge size adjustment

 src/evaluate.c | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--
2.11.0

[nft PATCH 2/2] evaluate: set: Fix nested set merge size adjustment
When merging a nested set into the parent one, we are actually replacing one item with the items of the nested set. Therefore we have to remove the replaced item from size. The respective bug isn't as easy to trigger, since the size field seems to be relevant only when set elements are ranges which are checked for overlaps. Here's an example of how to trigger it: | add rule ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 } Signed-off-by: Phil Sutter--- src/evaluate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/evaluate.c b/src/evaluate.c index 86ff8ebd17629..b5db724cbd37b 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1149,7 +1149,7 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) /* Merge recursive set definitions */ list_splice_tail_init(>expressions, >list); list_del(>list); - set->size += i->size; + set->size += i->size - 1; set->set_flags |= i->set_flags; expr_free(i); } else if (!expr_is_singleton(i)) -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
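Review bot: the `- 1` in `set->size += i->size - 1;` is the entire fix, but the reason for it (the nested set expression i was itself counted as one element of the parent, and is now replaced by its i->size members) lives only in the commit message; a one-line comment under `/* Merge recursive set definitions */` would stop the next reader from "correcting" it back. The trigger from the description, `add rule ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }`, would also make a good regression test, since the size field only surfaces through the range overlap check.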
[nft PATCH 1/2] evaluate: set: Allow for set elems to be sets
Recursive use of sets is handled in parts by parser_bison.y, which has a rule for inline unnamed sets in set_list_member_expr, e.g. like this: | add rule ip saddr { { 1.1.1.0, 2.2.2.0 }, 3.3.3.0 } Yet there is another way to have an unnamed set inline, which is via define: | define myset = { | 1.1.1.0, | 2.2.2.0, | } | add rule ip saddr { $myset, 3.3.3.0 } This didn't work because the inline set comes in as EXPR_SET_ELEM with EXPR_SET as key. This patch handles that case by replacing the former by a copy of the latter, so the following set list merging can take place. Signed-off-by: Phil Sutter--- src/evaluate.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/evaluate.c b/src/evaluate.c index 8fb716c062449..86ff8ebd17629 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1132,6 +1132,15 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) return expr_error(ctx->msgs, i, "Set reference cannot be part of another set"); + if (i->ops->type == EXPR_SET_ELEM && + i->key->ops->type == EXPR_SET) { + struct expr *new = expr_clone(i->key); + + list_replace(>list, >list); + expr_free(i); + i = new; + } + if (!expr_is_constant(i)) return expr_error(ctx->msgs, i, "Set member is not constant"); -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
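Review bot: in the new EXPR_SET_ELEM branch, expr_clone(i->key) deep-copies the nested set only for expr_free(i) to release the original on the next line; if the key can be detached from i before freeing it (hypothetical, it depends on expr_free() tolerating a NULL key), taking ownership of i->key directly would avoid copying every member of the inline set. A short comment saying that this is the `$define` path (the inline `{ ... }` syntax never produces EXPR_SET_ELEM here, per the description) would make the branch's purpose clear at the call site.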
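The two evaluate.c patches above describe how a nested anonymous set is spliced into its parent and why the parent's size must drop by one for every set it absorbs. The following C program is an added example and not nft code: it models that merge with a hypothetical, simplified struct expr (nft's real expression types, list handling and expr_clone() are not used) and exposes both the pre-fix and post-fix bookkeeping, so the gap between the bookkept size and the real member count can be read off directly. It also covers deeper nesting than the one-level case in the commit message.

```c
/* Added example, not nft code: a toy model of evaluate.c's "merge recursive
 * set definitions" step. struct expr here is a hypothetical simplification. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum expr_type { EXPR_VALUE, EXPR_SET };

struct expr {
	enum expr_type type;
	unsigned int value;	/* EXPR_VALUE: the constant */
	struct expr **elems;	/* EXPR_SET: direct members */
	unsigned int len;	/* EXPR_SET: real number of entries in elems[] */
	unsigned int size;	/* EXPR_SET: bookkept count, like nft's set->size */
};

static struct expr *expr_new(enum expr_type type, unsigned int value)
{
	struct expr *e = calloc(1, sizeof(*e));
	e->type = type;
	e->value = value;
	return e;
}

static void expr_free(struct expr *e)
{
	unsigned int i;
	if (e->type == EXPR_SET) {
		for (i = 0; i < e->len; i++)
			expr_free(e->elems[i]);
		free(e->elems);
	}
	free(e);
}

/* The parser counts a nested set as ONE member of its parent. */
static void set_add(struct expr *s, struct expr *m)
{
	s->elems = realloc(s->elems, (s->len + 1) * sizeof(*s->elems));
	s->elems[s->len++] = m;
	s->size++;
}

/* Replace entry `at` (a set) by that set's members, like list_splice_tail_init(). */
static void set_splice(struct expr *s, unsigned int at)
{
	struct expr *in = s->elems[at];
	unsigned int newlen = s->len - 1 + in->len;
	struct expr **merged = malloc(newlen * sizeof(*merged));

	memcpy(merged, s->elems, at * sizeof(*merged));
	memcpy(merged + at, in->elems, in->len * sizeof(*merged));
	memcpy(merged + at + in->len, s->elems + at + 1,
	       (s->len - at - 1) * sizeof(*merged));
	free(s->elems);
	free(in->elems);	/* members were moved; only the shell is released */
	free(in);
	s->elems = merged;
	s->len = newlen;
}

/* Flatten nested sets bottom-up. fixed == 0 reproduces the old accounting
 * "set->size += i->size"; fixed != 0 the patched "set->size += i->size - 1",
 * which drops the slot the nested set itself occupied in the parent. */
static void set_merge(struct expr *s, int fixed)
{
	unsigned int i = 0;

	while (i < s->len) {
		struct expr *m = s->elems[i];
		unsigned int inner_len;

		if (m->type != EXPR_SET) {
			i++;
			continue;
		}
		set_merge(m, fixed);
		inner_len = m->len;
		s->size += m->size - (fixed ? 1 : 0);
		set_splice(s, i);	/* frees m */
		i += inner_len;		/* its members are already flat */
	}
}

/* depth 0: { 1, 2 }; depth d: { <depth d-1 set>, 2 + d }, i.e. d + 2 values. */
static struct expr *build_nested(unsigned int depth)
{
	struct expr *s = expr_new(EXPR_SET, 0);
	if (depth == 0) {
		set_add(s, expr_new(EXPR_VALUE, 1));
		set_add(s, expr_new(EXPR_VALUE, 2));
	} else {
		set_add(s, build_nested(depth - 1));
		set_add(s, expr_new(EXPR_VALUE, 2 + depth));
	}
	return s;
}

/* Bookkept size after merging a set nested `depth` levels deep. */
static unsigned int merged_size(unsigned int depth, int fixed)
{
	struct expr *s = build_nested(depth);
	unsigned int size;
	set_merge(s, fixed);
	size = s->size;
	expr_free(s);
	return size;
}

/* Real member count after merging; independent of the bookkeeping mode. */
static unsigned int merged_len(unsigned int depth)
{
	struct expr *s = build_nested(depth);
	unsigned int len;
	set_merge(s, 1);
	len = s->len;
	expr_free(s);
	return len;
}

int main(void)
{
	printf("{ { 1, 2 }, 3 }: real %u, size pre-fix %u, post-fix %u\n",
	       merged_len(1), merged_size(1, 0), merged_size(1, 1));
	return 0;
}
```

With the old accounting every absorbed set leaves one phantom element behind, so the error grows with nesting depth (two levels give a size of 6 for four real members); any later loop that trusts `size` as the number of entries then walks past the real members, which is the kind of mismatch the overlap check in the commit message turns into a visible bug.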
Re: [PATCH nf v2 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register
On 03/20/2017 01:15 PM, Feng Gao wrote:
>>> From: Gao Feng
>>>
>>> In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack snmp
>>
>> Angle brackets not needed. :-)
>> The commit citing style is the same as for the Fixes: tag.
>
> The checkpatch.pl reports the following error, if remove the angle
> brackets.

Because it stops recognizing the commit ID! :-)

> ERROR: Please use git commit description style 'commit <12+ chars of
> sha1> ("")' - ie: 'commit fatal: ambig ("evision or path
> not in the working tree.")'

So check the patch in the correct tree because that seems to be the
problem... Angle brackets are surely not required.

> #7:
> In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
>
> total: 1 errors, 0 warnings, 0 checks, 27 lines checked
>
> Regards
> Feng

[...]

MBR, Sergei

[PATCH libnetfilter_cthelper] src: fix incorrect building and parsing of the NFCTH_POLICY_SETX attribute
From: Liping ZhangIn nfct_helper_nlmsg_build_policy(), we always set the attribute type to NFCTH_POLICY_SET, so we cannot add more than one nfct_helper_policy to the kernel. Also: in nfct_helper_nlmsg_parse_policy(), we will increase the helper->policy_num for each nfct_helper_policy, but we mistakenly set it to the total number of nfct_helper_policy. So when the total number is more than 3, later out of bound access will happen. Signed-off-by: Liping Zhang --- src/libnetfilter_cthelper.c | 23 +++ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/src/libnetfilter_cthelper.c b/src/libnetfilter_cthelper.c index af543a1..7ed1f64 100644 --- a/src/libnetfilter_cthelper.c +++ b/src/libnetfilter_cthelper.c @@ -497,12 +497,12 @@ nfct_helper_nlmsg_build_hdr(char *buf, uint8_t cmd, } static void -nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh, +nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh, uint16_t type, struct nfct_helper_policy *p) { struct nlattr *nest; - nest = mnl_attr_nest_start(nlh, NFCTH_POLICY_SET); + nest = mnl_attr_nest_start(nlh, type); mnl_attr_put_strz(nlh, NFCTH_POLICY_NAME, p->name); mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_MAX, htonl(p->expect_max)); mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_TIMEOUT, 
@@ -549,22 +549,22 @@ nfct_helper_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfct_helper *h) int policy_set_num = 0; if (h->bitset & (1 << NFCTH_ATTR_POLICY1)) { - nfct_helper_nlmsg_build_policy(nlh, + nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET1, h->expect_policy[0]); policy_set_num++; } if (h->bitset & (1 << NFCTH_ATTR_POLICY2)) { - nfct_helper_nlmsg_build_policy(nlh, + nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET2, h->expect_policy[1]); policy_set_num++; } if (h->bitset & (1 << NFCTH_ATTR_POLICY3)) { - nfct_helper_nlmsg_build_policy(nlh, + nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET3, h->expect_policy[2]); policy_set_num++; } if (h->bitset & (1 << NFCTH_ATTR_POLICY4)) { - nfct_helper_nlmsg_build_policy(nlh, + nfct_helper_nlmsg_build_policy(nlh, NFCTH_POLICY_SET4, h->expect_policy[3]); policy_set_num++; } @@ -717,14 +717,13 @@ nfct_helper_nlmsg_parse_policy_set(const struct nlattr *attr, struct nfct_helper *helper) { struct nlattr *tb[NFCTH_POLICY_SET_MAX+1] = {}; - int i; + int i, policy_num = 0; mnl_attr_parse_nested(attr, nfct_helper_nlmsg_parse_policy_set_cb, tb); - if (tb[NFCTH_POLICY_SET_NUM]) { - helper->policy_num = - ntohl(mnl_attr_get_u32(tb[NFCTH_POLICY_SET_NUM])); - } - for (i=0; ipolicy_num; i++) { + if (tb[NFCTH_POLICY_SET_NUM]) + policy_num = ntohl(mnl_attr_get_u32(tb[NFCTH_POLICY_SET_NUM])); + + for (i=0; i
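Review bot: the nfct_helper_nlmsg_parse_policy_set() hunk is cut off before the loop bound, so the fix for the out-of-bounds access described in the changelog cannot be verified here; the loop that fills helper->expect_policy[] must be clamped to the array's capacity (the build side only ever emits NFCTH_POLICY_SET1..NFCTH_POLICY_SET4, i.e. four slots) rather than trusting the NFCTH_POLICY_SET_NUM value received from the kernel, and helper->policy_num should afterwards reflect the number actually stored, not the number announced. In nfct_helper_nlmsg_build_payload() the four near-identical blocks could become one loop over expect_policy[i] using NFCTH_POLICY_SET1 + i, if those attribute values are consecutive in the uapi enum.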
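The changelog above says the parser took the policy count from NFCTH_POLICY_SET_NUM and used it to index helper->expect_policy[], so a count above the array's capacity reads and writes out of bounds. The following C program is an added example, not libnetfilter_cthelper code: it hand-builds a netlink-style attribute stream (u16 length, u16 type, payload, 4-byte padding, the layout libmnl produces, but without libmnl) whose attribute ids, struct policy and MAX_POLICIES are hypothetical stand-ins, and parses it so that only policy indices inside the receiver's array are stored while the peer-claimed count is reported separately and never used as a loop bound. It also rejects an attribute whose length runs past the end of the buffer.

```c
/* Added example, not libnetfilter_cthelper code. Attribute ids, struct policy
 * and MAX_POLICIES are hypothetical stand-ins for the NFCTH_POLICY_SET* ones. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLA_HDRLEN   4			/* u16 nla_len + u16 nla_type */
#define NLA_ALIGN(n) (((n) + 3U) & ~3U)	/* netlink pads attributes to 4 bytes */

enum { ATTR_POLICY_NUM = 1, ATTR_POLICY_1 = 2 };	/* policy i has id ATTR_POLICY_1 + i */
#define MAX_POLICIES 4					/* receiver-side capacity */

struct policy {
	char name[16];
	uint32_t expect_max;
};

struct helper {
	unsigned int policy_num;	/* entries of expect_policy[] that are valid */
	struct policy expect_policy[MAX_POLICIES];
};

/* Append one attribute (header, payload, padding) at buf+off; returns new offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type,
		       const void *data, uint16_t len)
{
	uint16_t nla_len = NLA_HDRLEN + len;
	memcpy(buf + off, &nla_len, 2);
	memcpy(buf + off + 2, &type, 2);
	memcpy(buf + off + NLA_HDRLEN, data, len);
	memset(buf + off + nla_len, 0, NLA_ALIGN(nla_len) - nla_len);
	return off + NLA_ALIGN(nla_len);
}

/* Parse an attribute stream into h. Returns the number of policies stored
 * (highest accepted index + 1) or -1 on a malformed attribute. The count the
 * peer claims is written to *claimed and never used as a bound. */
static int parse_policies(const uint8_t *buf, size_t len, struct helper *h,
			  uint32_t *claimed)
{
	size_t off = 0;

	memset(h, 0, sizeof(*h));
	*claimed = 0;
	while (off + NLA_HDRLEN <= len) {
		uint16_t nla_len, type, plen;
		const uint8_t *payload = buf + off + NLA_HDRLEN;

		memcpy(&nla_len, buf + off, 2);
		memcpy(&type, buf + off + 2, 2);
		if (nla_len < NLA_HDRLEN || off + nla_len > len)
			return -1;		/* length runs past the buffer */
		plen = nla_len - NLA_HDRLEN;

		if (type == ATTR_POLICY_NUM && plen == sizeof(uint32_t)) {
			memcpy(claimed, payload, sizeof(*claimed));
		} else if (type >= ATTR_POLICY_1 &&
			   type < ATTR_POLICY_1 + MAX_POLICIES &&
			   plen == sizeof(struct policy)) {
			unsigned int i = type - ATTR_POLICY_1;
			memcpy(&h->expect_policy[i], payload, plen);
			if (i + 1 > h->policy_num)
				h->policy_num = i + 1;
		}
		/* unknown ids and policy indices >= MAX_POLICIES are skipped */
		off += NLA_ALIGN(nla_len);
	}
	return (int)h->policy_num;
}

/* Constructed sample: claim `claim` policies and send `nsend` entries
 * (8 + 24 * nsend bytes on the wire; callers pass a 256-byte buffer). */
static size_t build_sample(uint8_t *buf, uint32_t claim, unsigned int nsend)
{
	size_t off = put_attr(buf, 0, ATTR_POLICY_NUM, &claim, sizeof(claim));
	unsigned int i;

	for (i = 0; i < nsend; i++) {
		struct policy p;
		memset(&p, 0, sizeof(p));
		snprintf(p.name, sizeof(p.name), "policy%u", i);
		p.expect_max = 10 * (i + 1);
		off = put_attr(buf, off, (uint16_t)(ATTR_POLICY_1 + i), &p, sizeof(p));
	}
	return off;
}

/* Stored count for a sample that claims `claim` and sends `nsend` policies. */
static int demo_stored(uint32_t claim, unsigned int nsend)
{
	uint8_t buf[256];
	struct helper h;
	uint32_t claimed;
	return parse_policies(buf, build_sample(buf, claim, nsend), &h, &claimed);
}

/* What the pre-fix code looped over: the peer's claim, whatever its value. */
static uint32_t demo_claimed(uint32_t claim, unsigned int nsend)
{
	uint8_t buf[256];
	struct helper h;
	uint32_t claimed;
	parse_policies(buf, build_sample(buf, claim, nsend), &h, &claimed);
	return claimed;
}

/* A stream whose last attribute header promises more bytes than remain. */
static int demo_truncated(void)
{
	uint8_t buf[256];
	struct helper h;
	uint32_t claimed;
	size_t len = build_sample(buf, 1, 1);
	return parse_policies(buf, len - 4, &h, &claimed);
}

int main(void)
{
	printf("claimed %u, stored %d (capacity %d), truncated -> %d\n",
	       demo_claimed(6, 6), demo_stored(6, 6), MAX_POLICIES, demo_truncated());
	return 0;
}
```

The peer still gets to say "6" in the count attribute, but the only thing that decides which slots are written is the attribute id checked against MAX_POLICIES; the stored count comes from what was actually accepted, which is the property the library fix needs to restore.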
Re: [PATCH v2 nf 1/1] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded
On Mon, Mar 20, 2017 at 9:11 PM, Pablo Neira Ayusowrote: > On Mon, Mar 20, 2017 at 09:06:22PM +0800, Gao Feng wrote: >> On Mon, Mar 20, 2017 at 8:50 PM, Pablo Neira Ayuso >> wrote: >> > On Mon, Mar 20, 2017 at 11:44:42AM +0100, Pablo Neira Ayuso wrote: >> >> > diff --git a/net/netfilter/nf_conntrack_helper.c >> >> > b/net/netfilter/nf_conntrack_helper.c >> >> > index 6dc44d9..6c840af 100644 >> >> > --- a/net/netfilter/nf_conntrack_helper.c >> >> > +++ b/net/netfilter/nf_conntrack_helper.c 
>> >> > @@ -130,6 +130,42 @@ static unsigned int helper_hash(const struct >> >> > nf_conntrack_tuple *tuple) >> >> > return NULL; >> >> > } >> >> > >> >> > +static void >> >> > +nf_ct_remove_expect_refer_dying_module(const struct module *me) >> >> > +{ >> >> > + struct nf_conntrack_expect *exp; >> >> > + const struct hlist_node *next; >> >> > + u32 i; >> >> > + >> >> > + if (!me) >> >> > + return; >> >> > + >> >> > + /* Make sure no one is still using the moudule unless >> >> > +* its a connection in the hash. >> >> > +*/ >> >> > + synchronize_rcu(); >> >> > + >> >> > + /* Get rid of expectations */ >> >> > + spin_lock_bh(_conntrack_expect_lock); >> >> > + for (i = 0; i < nf_ct_expect_hsize; i++) { >> >> > + hlist_for_each_entry_safe(exp, next, >> >> > + _ct_expect_hash[i], hnode) { >> >> > + struct nf_conn_help *master_help = >> >> > nfct_help(exp->master); >> >> > + >> >> > + if ((master_help->helper && master_help->helper->me >> >> > == me) || >> >> > + (exp->helper && exp->helper->me == me) || >> >> > + exp->expectfn_module == me) { >> > >> > Are you also sure this is correct? >> > >> > me can be nf_nat_sip, while exp->helper->me points to >> > nf_conntrack_sip. >> >> I don't read the source codes of ctlink command. >> But it seems be correct from the kernel codes. >> >> Please look at the function "ctnetlink_create_expect". >> >> if (cda[CTA_EXPECT_HELP_NAME]) { >> const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); >> >> helper = __nf_conntrack_helper_find(helpname, u3, >> nf_ct_protonum(ct)); >> The helper is got by cda[CTA_EXPECT_HELP_NAME]. >> >> Then go to the function ctnetlink_alloc_expect, >> >> if (cda[CTA_EXPECT_FN]) { >> const char *name = nla_data(cda[CTA_EXPECT_FN]); >> struct nf_ct_helper_expectfn *expfn; >> >> expfn = nf_ct_helper_expectfn_find_by_name(name); >> The expfn is got by cda[CTA_EXPECT_FN]. >> >> So it is possible that the helper and expfn which they belongs to >> different modules. 
>
> ctnetlink is not the only path to create expressions.
>
> We can also create expectations from the packet path, from the helper
> itself.

Thanks, but I know the data path could create expectation from the helper.
But I want to show the helper and expfn could belong to different modules.
So we need to check them when flush expect.

if (master->helper->module == me || helper->module == me || expect_module == me)

These three conditions are necessary.

My regards
Feng

[PATCH nf] netfilter: invoke synchronize_rcu after set the _hook_ to NULL
From: Liping ZhangOtherwise, another CPU may access the invalid pointer. For example: CPU0CPU1 - rcu_read_lock(); - pfunc = _hook_; _hook_ = NULL; - mod unload - - pfunc(); // invalid, panic - rcu_read_unlock(); So we must call synchronize_rcu() to wait the rcu reader to finish. Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked by later nf_conntrack_helper_unregister, but I'm inclined to add a explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend on such obscure assumptions is not a good idea. Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object, so in cttimeout_exit, invoking rcu_barrier() is not necessary at all, remove it now. Signed-off-by: Liping Zhang --- net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 + net/netfilter/nf_conntrack_ecache.c| 2 ++ net/netfilter/nf_conntrack_netlink.c | 1 + net/netfilter/nf_nat_core.c| 2 ++ net/netfilter/nfnetlink_cttimeout.c| 2 +- 5 files changed, 7 insertions(+), 1 deletion(-) diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c index c9b52c3..5a8f7c3 100644 --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c +++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c @@ -1304,6 +1304,7 @@ static int __init nf_nat_snmp_basic_init(void) static void __exit nf_nat_snmp_basic_fini(void) { RCU_INIT_POINTER(nf_nat_snmp_hook, NULL); + synchronize_rcu(); nf_conntrack_helper_unregister(_trap_helper); } diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c index da9df2d..12cc98f 100644 --- a/net/netfilter/nf_conntrack_ecache.c +++ b/net/netfilter/nf_conntrack_ecache.c @@ -290,6 +290,7 @@ void nf_conntrack_unregister_notifier(struct net *net, BUG_ON(notify != new); RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL); mutex_unlock(_ct_ecache_mutex); + synchronize_rcu(); } EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier); 
@@ -326,6 +327,7 @@ void nf_ct_expect_unregister_notifier(struct net *net, BUG_ON(notify != new); RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL); mutex_unlock(_ct_ecache_mutex); + synchronize_rcu(); } EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier); diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 6806b5e..455c2c2 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -3441,6 +3441,7 @@ static void __exit ctnetlink_exit(void) nfnetlink_subsys_unregister(_subsys); #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT RCU_INIT_POINTER(nfnl_ct_hook, NULL); + synchronize_rcu(); #endif } diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index 94b14c5..82802e4 100644 --- a/net/netfilter/nf_nat_core.c +++ b/net/netfilter/nf_nat_core.c @@ -903,6 +903,8 @@ static void __exit nf_nat_cleanup(void) #ifdef CONFIG_XFRM RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL); #endif + synchronize_rcu(); + for (i = 0; i < NFPROTO_NUMPROTO; i++) kfree(nf_nat_l4protos[i]); diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c index 139e086..47d6656 100644 --- a/net/netfilter/nfnetlink_cttimeout.c +++ b/net/netfilter/nfnetlink_cttimeout.c @@ -646,8 +646,8 @@ static void __exit cttimeout_exit(void) #ifdef CONFIG_NF_CONNTRACK_TIMEOUT RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL); RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL); + synchronize_rcu(); #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ - rcu_barrier(); } module_init(cttimeout_init); -- 2.5.5 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
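Review bot: the nf_nat_snmp_basic_fini() hunk adds a synchronize_rcu() that, as the changelog itself notes, is already implied by the nf_conntrack_helper_unregister() call that follows; a short comment at the call site (readers of nf_nat_snmp_hook must be out of their critical sections before the module text goes away) would keep a later cleanup from removing it as redundant. The cttimeout_exit() hunk moves the grace period inside #ifdef CONFIG_NF_CONNTRACK_TIMEOUT and drops the unconditional rcu_barrier(); that is fine for objects freed with kfree_rcu(), but the changelog should state explicitly that no call_rcu() callback in this module points at module code, since that is the condition under which rcu_barrier() can go.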
Re: [PATCH v2 nf 1/1] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded
On Mon, Mar 20, 2017 at 09:06:22PM +0800, Gao Feng wrote: > On Mon, Mar 20, 2017 at 8:50 PM, Pablo Neira Ayuso> wrote: > > On Mon, Mar 20, 2017 at 11:44:42AM +0100, Pablo Neira Ayuso wrote: > >> > diff --git a/net/netfilter/nf_conntrack_helper.c > >> > b/net/netfilter/nf_conntrack_helper.c > >> > index 6dc44d9..6c840af 100644 > >> > --- a/net/netfilter/nf_conntrack_helper.c > >> > +++ b/net/netfilter/nf_conntrack_helper.c 
> >> > @@ -130,6 +130,42 @@ static unsigned int helper_hash(const struct > >> > nf_conntrack_tuple *tuple) > >> > return NULL; > >> > } > >> > > >> > +static void > >> > +nf_ct_remove_expect_refer_dying_module(const struct module *me) > >> > +{ > >> > + struct nf_conntrack_expect *exp; > >> > + const struct hlist_node *next; > >> > + u32 i; > >> > + > >> > + if (!me) > >> > + return; > >> > + > >> > + /* Make sure no one is still using the moudule unless > >> > +* its a connection in the hash. > >> > +*/ > >> > + synchronize_rcu(); > >> > + > >> > + /* Get rid of expectations */ > >> > + spin_lock_bh(_conntrack_expect_lock); > >> > + for (i = 0; i < nf_ct_expect_hsize; i++) { > >> > + hlist_for_each_entry_safe(exp, next, > >> > + _ct_expect_hash[i], hnode) { > >> > + struct nf_conn_help *master_help = > >> > nfct_help(exp->master); > >> > + > >> > + if ((master_help->helper && master_help->helper->me > >> > == me) || > >> > + (exp->helper && exp->helper->me == me) || > >> > + exp->expectfn_module == me) { > > > > Are you also sure this is correct? > > > > me can be nf_nat_sip, while exp->helper->me points to > > nf_conntrack_sip. > > I don't read the source codes of ctlink command. > But it seems be correct from the kernel codes. > > Please look at the function "ctnetlink_create_expect". > > if (cda[CTA_EXPECT_HELP_NAME]) { > const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); > > helper = __nf_conntrack_helper_find(helpname, u3, > nf_ct_protonum(ct)); > The helper is got by cda[CTA_EXPECT_HELP_NAME]. > > Then go to the function ctnetlink_alloc_expect, > > if (cda[CTA_EXPECT_FN]) { > const char *name = nla_data(cda[CTA_EXPECT_FN]); > struct nf_ct_helper_expectfn *expfn; > > expfn = nf_ct_helper_expectfn_find_by_name(name); > The expfn is got by cda[CTA_EXPECT_FN]. > > So it is possible that the helper and expfn which they belongs to > different modules. ctnetlink is not the only path to create expressions. 
We can also create expectations from the packet path, from the helper
itself.

Re: [PATCH v2 nf 1/1] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded
On Mon, Mar 20, 2017 at 8:50 PM, Pablo Neira Ayusowrote: > On Mon, Mar 20, 2017 at 11:44:42AM +0100, Pablo Neira Ayuso wrote: >> > diff --git a/net/netfilter/nf_conntrack_helper.c >> > b/net/netfilter/nf_conntrack_helper.c >> > index 6dc44d9..6c840af 100644 >> > --- a/net/netfilter/nf_conntrack_helper.c >> > +++ b/net/netfilter/nf_conntrack_helper.c 
>> > @@ -130,6 +130,42 @@ static unsigned int helper_hash(const struct >> > nf_conntrack_tuple *tuple) >> > return NULL; >> > } >> > >> > +static void >> > +nf_ct_remove_expect_refer_dying_module(const struct module *me) >> > +{ >> > + struct nf_conntrack_expect *exp; >> > + const struct hlist_node *next; >> > + u32 i; >> > + >> > + if (!me) >> > + return; >> > + >> > + /* Make sure no one is still using the moudule unless >> > +* its a connection in the hash. >> > +*/ >> > + synchronize_rcu(); >> > + >> > + /* Get rid of expectations */ >> > + spin_lock_bh(_conntrack_expect_lock); >> > + for (i = 0; i < nf_ct_expect_hsize; i++) { >> > + hlist_for_each_entry_safe(exp, next, >> > + _ct_expect_hash[i], hnode) { >> > + struct nf_conn_help *master_help = >> > nfct_help(exp->master); >> > + >> > + if ((master_help->helper && master_help->helper->me == >> > me) || >> > + (exp->helper && exp->helper->me == me) || >> > + exp->expectfn_module == me) { > > Are you also sure this is correct? > > me can be nf_nat_sip, while exp->helper->me points to > nf_conntrack_sip. I don't read the source codes of ctlink command. But it seems be correct from the kernel codes. Please look at the function "ctnetlink_create_expect". if (cda[CTA_EXPECT_HELP_NAME]) { const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); helper = __nf_conntrack_helper_find(helpname, u3, nf_ct_protonum(ct)); The helper is got by cda[CTA_EXPECT_HELP_NAME]. Then go to the function ctnetlink_alloc_expect, if (cda[CTA_EXPECT_FN]) { const char *name = nla_data(cda[CTA_EXPECT_FN]); struct nf_ct_helper_expectfn *expfn; expfn = nf_ct_helper_expectfn_find_by_name(name); The expfn is got by cda[CTA_EXPECT_FN]. So it is possible that the helper and expfn which they belongs to different modules. If I was right, it is not good to use one member "nat_module" to save the module of helper and expfn at the same time. 
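Review bot: in nf_ct_remove_expect_refer_dying_module(), master_help->helper is an __rcu pointer, so reading it as `master_help->helper->me` under nf_conntrack_expect_lock should go through rcu_dereference_protected(master_help->helper, lockdep_is_held(&nf_conntrack_expect_lock)), as the existing helper-unregister loop in this file does; otherwise sparse flags the access. The comment above synchronize_rcu() has 'moudule' for 'module' and 'its' for 'it's'. Pablo's point still stands: when `me` is the NAT module, neither helper->me comparison matches, so the whole removal rests on the third condition, exp->expectfn_module == me, which makes it worth a comment saying so.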
Regards
Feng

Re: [PATCH] [netfilter-next] netfilter: remove unused refcount variable
On Mon, Mar 20, 2017 at 01:37:01PM +0100, Arnd Bergmann wrote:
> The refcount variable was accidentally introduced without any reference
> to it. Removing it again avoids this warning:
>
> net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del':
> net/netfilter/nfnetlink_acct.c:329:15: error: unused variable 'refcount'
> [-Werror=unused-variable]

Thanks Arnd. Elena already fixed it here:

https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git/commit/

Re: [PATCH v2 nf 1/1] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded
On Mon, Mar 20, 2017 at 6:44 PM, Pablo Neira Ayuso wrote:
> On Sat, Mar 18, 2017 at 03:40:45PM +0800, f...@ikuai8.com wrote:
>> From: Gao Feng
>>
>> The helper module could register one helper expectfn by the function
>> nf_ct_helper_expectfn_register. When the module is unloaded, it invokes
>> the nf_ct_helper_expectfn_unregister to unregister the expectfn. But
>> it doesn't remove the expectations which refer to this expectfn. Then
>> there is one possible use-after-free issue.
>>
>> Because ctnetlink_alloc_expect could create one expectation whose
>> helper and expectfn belong to different modules. So I bring one
>> new member expectfn_module in nf_conntrack_expect. Then when unload
>> one helper module, we could remove all expectation whose helper or
>> expectfn belong to this module.
>
> This looks fine. However, I would clarify here that the problem is
> that the conntrack NAT module can be rmmod anytime, so we should
> really leave things in clean state if such thing happens and make sure
> we don't leave any packet running over code that will be gone after
> the removal, ie. the corresponding expectfn may be gone.

Ok, I would enhance the description according to your advice.
Your comments are clearer.

> Comments below.
>
>> Signed-off-by: Gao Feng
>> ---
>> v2: Create one new function to remove expectations, per Pablo
>> v1: Initial version
>>
>>  include/net/netfilter/nf_conntrack_expect.h |  2 +
>>  include/net/netfilter/nf_conntrack_helper.h |  1 +
>>  net/ipv4/netfilter/nf_nat_h323.c            |  2 +
>>  net/netfilter/nf_conntrack_broadcast.c      |  1 +
>>  net/netfilter/nf_conntrack_expect.c         |  1 +
>>  net/netfilter/nf_conntrack_helper.c         | 63 ++---
>>  net/netfilter/nf_conntrack_netlink.c        |  5 ++-
>>  net/netfilter/nf_nat_core.c                 |  1 +
>>  net/netfilter/nf_nat_sip.c                  |  1 +
>>  9 files changed, 52 insertions(+), 25 deletions(-)
>>
>> diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
>> index 5ed33ea..76e2858 100644
>> --- a/include/net/netfilter/nf_conntrack_expect.h >> +++ b/include/net/netfilter/nf_conntrack_expect.h >> @@ -26,6 +26,8 @@ struct nf_conntrack_expect { >> /* Function to call after setup and insertion */ >> void (*expectfn)(struct nf_conn *new, >>struct nf_conntrack_expect *this); >> + /* The moudule which expectfn belongs to */ > > Typo here: 'moudule', instead 'module'. Ok, I would correct the typo. > >> + struct module *expectfn_module; > > Please, rename this to nat_module instead, see below why. > >> /* Helper to assign to new connection */ >> struct nf_conntrack_helper *helper; >> diff --git a/include/net/netfilter/nf_conntrack_helper.h >> b/include/net/netfilter/nf_conntrack_helper.h >> index 1eaac1f..c4d88d4 100644 >> --- a/include/net/netfilter/nf_conntrack_helper.h >> +++ b/include/net/netfilter/nf_conntrack_helper.h >> @@ -114,6 +114,7 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb, >> unsigned int protoff, >> struct nf_ct_helper_expectfn { > > Could you rename nf_ct_helper_expectfn to nf_ct_nat_helper? You have > to do this in an initial patch, so these will result in a series of > two patches: One to rename, and another for this fix. > > Look, now this structure provides a description of the ct NAT helper, > not just the expectfn. > > Sorry if I look picky, but I would look the structure name shows the > right semantics when reading this code. No problem, I will follow you:) > >> struct list_head head; >> const char *name; >> + struct module *me; >> void (*expectfn)(struct nf_conn *ct, struct nf_conntrack_expect *exp); >> }; >> >> diff --git a/net/ipv4/netfilter/nf_nat_h323.c >> b/net/ipv4/netfilter/nf_nat_h323.c >> index 574f7eb..a5fa8de 100644 >> --- a/net/ipv4/netfilter/nf_nat_h323.c >> +++ b/net/ipv4/netfilter/nf_nat_h323.c 
>> @@ -569,11 +569,13 @@ static int nat_callforwarding(struct sk_buff *skb, >> struct nf_conn *ct, >> >> static struct nf_ct_helper_expectfn q931_nat = { >> .name = "Q.931", >> + .me = THIS_MODULE, >> .expectfn = ip_nat_q931_expect, >> }; >> >> static struct nf_ct_helper_expectfn callforwarding_nat = { >> .name = "callforwarding", >> + .me = THIS_MODULE, >> .expectfn = ip_nat_callforwarding_expect, >> }; >> >> diff --git a/net/netfilter/nf_conntrack_broadcast.c >> b/net/netfilter/nf_conntrack_broadcast.c >> index 4e99cca..edce551 100644 >> --- a/net/netfilter/nf_conntrack_broadcast.c >> +++ b/net/netfilter/nf_conntrack_broadcast.c >> @@ -66,6 +66,7 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb, >> exp->mask.src.u.udp.port = htons(0x); >> >> exp->expectfn = NULL; >> + exp->expectfn_module = NULL; >>
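Review bot: the nf_conntrack_broadcast.c hunk sets exp->expectfn_module = NULL by hand next to exp->expectfn = NULL, which implies every site that fills in an expectation has to remember the new field; unless the field is already cleared centrally in nf_conntrack_expect.c (it is in the diffstat, but that hunk is not shown here), initialising it once in the allocator would remove the risk of a stale module pointer from a helper that forgets the assignment. Given the rename Pablo asks for, the new nf_conntrack_expect member and the `me` member of struct nf_ct_helper_expectfn should be renamed in the same patch so the pairing stays obvious.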
[PATCH] [netfilter-next] netfilter: remove unused refcount variable
The refcount variable was accidentally introduced without any reference to it. Removing it again avoids this warning: net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del': net/netfilter/nfnetlink_acct.c:329:15: error: unused variable 'refcount' [-Werror=unused-variable] Fixes: b54ab92b84b6 ("netfilter: refcounter conversions") Signed-off-by: Arnd Bergmann--- net/netfilter/nfnetlink_acct.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c index f44cbd35357f..c86da174a5fc 100644 --- a/net/netfilter/nfnetlink_acct.c +++ b/net/netfilter/nfnetlink_acct.c @@ -326,7 +326,6 @@ static int nfnl_acct_get(struct net *net, struct sock *nfnl, static int nfnl_acct_try_del(struct nf_acct *cur) { int ret = 0; - unsigned int refcount; /* We want to avoid races with nfnl_acct_put. So only when the current * refcnt is 1, we decrease it to 0. -- 2.9.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
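Review bot: this looks like a duplicate of a fix already queued in nf-next: the 00/22 pull request further down this page lists "netfilter: fix the warning on unused refcount variable" (Reshetova, Elena) as its HEAD commit 4485a841be17, against the same nfnl_acct_try_del() variable, so once nf-next is merged into net-next this patch will not apply; worth checking there before it is picked up. The removal itself is correct as far as the hunk shows: nothing but the comment below the declaration mentions the counter, and that comment describes the refcnt logic, not the deleted local.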
Interest in an ASA-like packet tracer?
Hi list,

inspired by the 'packet-tracer' cli-command of Cisco ASAs I have implemented a Linux application with the same functionality. For those of you who are not familiar with the command, please read up at lpt's homepage: http://www.o-schroeder.de/projects/lpt/

My question is if this might be of interest to you? I believe it is a very useful command and possibly should be integrated into iptables? What do you think?

Best regards, Oliver
Re: [PATCH nf v2 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register
On Mon, Mar 20, 2017 at 6:09 PM, Sergei Shtylyov wrote: > On 3/20/2017 12:55 PM, f...@ikuai8.com wrote: > >> From: Gao Feng >> >> In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack snmp > > >Angle brackets not needed. :-) >The commit citing style is the same as for the Fixes: tag.

The checkpatch.pl reports the following error if I remove the angle brackets:

ERROR: Please use git commit description style 'commit <12+ chars of sha1> ("")' - ie: 'commit fatal: ambig ("evision or path not in the working tree.")' #7: In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp total: 1 errors, 0 warnings, 0 checks, 27 lines checked

Regards Feng

> >> helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the >> snmp_helper is never registered. But it still tries to unregister the >> snmp_helper, it could cause the panic. >> >> Now remove the useless snmp_helper and the unregister call in the >> error handler. >> >> Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper") >> >> Signed-off-by: Gao Feng > > [...] > > MBR, Sergei > --
Re: [PATCH v2 nf 1/1] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded
On Sat, Mar 18, 2017 at 03:40:45PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > The helper module could register one helper expectfn by the function > nf_ct_helper_expectfn_register. When the module is unloaded, it invokes > the nf_ct_helper_expectfn_unregister to unregister the expectfn. But > it doesn't remove the expectations which refer to this expectfn. Then > there is one possible use-after-free issue. > > Because ctnetlink_alloc_expect could create one expectation whose > helper and expectfn belong to different modules. So I bring one > new member expectfn_module in nf_conntrack_expect. Then when unload > one helper module, we could remove all expectation whose helper or > expectfn belong to this module. This looks fine. However, I would clarify here that the problem is that the conntrack NAT module can be rmmod anytime, so we should really leave things in clean state if such thing happens and make sure we don't leave any packet running over code that will be gone after the removal, ie. the corresponding expectfn may be gone. Comments below. > Signed-off-by: Gao Feng > --- > v2: Create one new function to remove expectations, per Pablo > v1: Initial version > > include/net/netfilter/nf_conntrack_expect.h | 2 + > include/net/netfilter/nf_conntrack_helper.h | 1 + > net/ipv4/netfilter/nf_nat_h323.c| 2 + > net/netfilter/nf_conntrack_broadcast.c | 1 + > net/netfilter/nf_conntrack_expect.c | 1 + > net/netfilter/nf_conntrack_helper.c | 63 > ++--- > net/netfilter/nf_conntrack_netlink.c| 5 ++- > net/netfilter/nf_nat_core.c | 1 + > net/netfilter/nf_nat_sip.c | 1 + > 9 files changed, 52 insertions(+), 25 deletions(-) > > diff --git a/include/net/netfilter/nf_conntrack_expect.h > b/include/net/netfilter/nf_conntrack_expect.h > index 5ed33ea..76e2858 100644 > --- a/include/net/netfilter/nf_conntrack_expect.h > +++ b/include/net/netfilter/nf_conntrack_expect.h 
> @@ -26,6 +26,8 @@ struct nf_conntrack_expect { > /* Function to call after setup and insertion */ > void (*expectfn)(struct nf_conn *new, >struct nf_conntrack_expect *this); > + /* The moudule which expectfn belongs to */ Typo here: 'moudule', instead 'module'. > + struct module *expectfn_module; Please, rename this to nat_module instead, see below why. > /* Helper to assign to new connection */ > struct nf_conntrack_helper *helper; > diff --git a/include/net/netfilter/nf_conntrack_helper.h > b/include/net/netfilter/nf_conntrack_helper.h > index 1eaac1f..c4d88d4 100644 > --- a/include/net/netfilter/nf_conntrack_helper.h > +++ b/include/net/netfilter/nf_conntrack_helper.h > @@ -114,6 +114,7 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb, > unsigned int protoff, > struct nf_ct_helper_expectfn { Could you rename nf_ct_helper_expectfn to nf_ct_nat_helper? You have to do this in an initial patch, so these will result in a series of two patches: One to rename, and another for this fix. Look, now this structure provides a description of the ct NAT helper, not just the expectfn. Sorry if I look picky, but I would like the structure name to show the right semantics when reading this code. > struct list_head head; > const char *name; > + struct module *me; > void (*expectfn)(struct nf_conn *ct, struct nf_conntrack_expect *exp); > }; > > diff --git a/net/ipv4/netfilter/nf_nat_h323.c > b/net/ipv4/netfilter/nf_nat_h323.c > index 574f7eb..a5fa8de 100644 > --- a/net/ipv4/netfilter/nf_nat_h323.c > +++ b/net/ipv4/netfilter/nf_nat_h323.c > @@ -569,11 +569,13 @@ static int nat_callforwarding(struct sk_buff *skb, > struct nf_conn *ct, > > static struct nf_ct_helper_expectfn q931_nat = { > .name = "Q.931", > + .me = THIS_MODULE, > .expectfn = ip_nat_q931_expect, > }; > > static struct nf_ct_helper_expectfn callforwarding_nat = { > .name = "callforwarding", > + .me = THIS_MODULE, > .expectfn = ip_nat_callforwarding_expect, > }; 
> > diff --git a/net/netfilter/nf_conntrack_broadcast.c > b/net/netfilter/nf_conntrack_broadcast.c > index 4e99cca..edce551 100644 > --- a/net/netfilter/nf_conntrack_broadcast.c > +++ b/net/netfilter/nf_conntrack_broadcast.c > @@ -66,6 +66,7 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb, > exp->mask.src.u.udp.port = htons(0x); > > exp->expectfn = NULL; > + exp->expectfn_module = NULL; > exp->flags= NF_CT_EXPECT_PERMANENT; > exp->class= NF_CT_EXPECT_CLASS_DEFAULT; > exp->helper = NULL; > diff --git a/net/netfilter/nf_conntrack_expect.c > b/net/netfilter/nf_conntrack_expect.c > index 4b2e1fb..1e58a0e 100644 > --- a/net/netfilter/nf_conntrack_expect.c > +++
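Review bot: in the nf_conntrack_expect.h hunk, the comment on the new field only says who owns it, not what it is for; a reader of the header cannot tell why expectfn needs an owner pointer while the neighbouring helper pointer does not (the helper carries its own ->me). Since the whole point is that this pointer is compared against the module being unregistered so that every expectation whose callback lives in that module is dropped before the code goes away, say so in the comment, e.g. /* Module owning expectfn; its expectations are flushed when it unregisters */, together with the nat_module rename requested above.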
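Review bot: in the nf_conntrack_broadcast.c hunk, the new owner pointer has to be reset wherever exp->expectfn is assigned, and the diffstat shows one-line changes in nf_conntrack_expect.c, nf_nat_core.c and nf_nat_sip.c that presumably do the same, but initialising the field by hand at each call site is fragile: a future caller that sets expectfn without the owner pointer leaves the field with whatever the allocation contained, and the unload-time comparison then either skips that expectation (the use-after-free this patch is fixing) or attributes it to an unrelated module. Consider clearing both pointers in one central place (the expectation init path) and giving the NAT side a single helper that sets expectfn and its owner together, so the two can never disagree.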
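The lifetime problem the commit message describes (a helper module and a NAT expectfn module that can be removed independently while expectations still point into them) modelled as an added example in userspace C. This is not the kernel's code nor the patch's: struct expect, ct_helper and ct_nat_helper are the example's own stand-ins for nf_conntrack_expect, nf_conntrack_helper and the NAT helper descriptor discussed above, and the module names nf_conntrack_sip / nf_nat_sip are used only as illustrative labels.

```c
/* Added example, not kernel code: an expectation records both the helper
 * module and the module owning its expectfn; unregistering either module
 * purges every expectation that still points into it, so nothing can
 * later call into unloaded code. */
#include <stdbool.h>
#include <stdlib.h>

struct module { const char *name; };
struct expect;
typedef void (*expectfn_t)(struct expect *exp);

/* Hypothetical stand-ins for the conntrack helper and the NAT-side
 * descriptor (nf_ct_helper_expectfn / nf_ct_nat_helper in the thread). */
struct ct_helper     { const char *name; struct module *me; };
struct ct_nat_helper { const char *name; struct module *me; expectfn_t expectfn; };

/* Model of struct nf_conntrack_expect with the new owner pointer. */
struct expect {
    struct ct_helper *helper;     /* may be NULL */
    expectfn_t        expectfn;   /* may be NULL */
    struct module    *nat_module; /* owner of expectfn, NULL if none */
    struct expect    *next;
};

static struct expect *expect_list;

/* ctnetlink-style creation: helper and expectfn may come from different
 * modules. Both NAT-side pointers are set together so they cannot disagree. */
struct expect *expect_add(struct ct_helper *helper, struct ct_nat_helper *nat)
{
    struct expect *exp = calloc(1, sizeof(*exp));
    if (!exp)
        return NULL;
    exp->helper = helper;
    if (nat) {
        exp->expectfn = nat->expectfn;
        exp->nat_module = nat->me;
    }
    exp->next = expect_list;
    expect_list = exp;
    return exp;
}

/* The fix: on module unload, drop every expectation whose helper OR
 * expectfn belongs to that module. Returns how many were removed. */
int expect_purge_module(const struct module *mod)
{
    struct expect **pp = &expect_list;
    int removed = 0;
    while (*pp) {
        struct expect *exp = *pp;
        bool owned = (exp->helper && exp->helper->me == mod) ||
                     exp->nat_module == mod;
        if (owned) {
            *pp = exp->next;
            free(exp);
            removed++;
        } else {
            pp = &exp->next;
        }
    }
    return removed;
}

/* Post-unload check: does any live expectation still point into mod? */
bool expect_references_module(const struct module *mod)
{
    for (struct expect *e = expect_list; e; e = e->next)
        if ((e->helper && e->helper->me == mod) || e->nat_module == mod)
            return true;
    return false;
}

int expect_count(void)
{
    int n = 0;
    for (struct expect *e = expect_list; e; e = e->next)
        n++;
    return n;
}

static void dummy_expectfn(struct expect *exp) { (void)exp; }

/* Scenario from the thread: conntrack helper in one module, NAT callback
 * in another. Returns 0 when no dangling reference survives either unload. */
int expect_demo(void)
{
    static struct module ct_mod  = { "nf_conntrack_sip" };   /* illustrative */
    static struct module nat_mod = { "nf_nat_sip" };         /* illustrative */
    static struct ct_helper     sip_helper = { "sip", &ct_mod };
    static struct ct_nat_helper sip_nat    = { "sip", &nat_mod, dummy_expectfn };

    expect_add(&sip_helper, &sip_nat);  /* helper + NAT callback */
    expect_add(&sip_helper, NULL);      /* helper only */
    expect_add(NULL, &sip_nat);         /* NAT callback only (ctnetlink case) */

    int gone = expect_purge_module(&nat_mod);   /* rmmod nf_nat_sip */
    if (gone != 2 || expect_references_module(&nat_mod))
        return -1;
    gone = expect_purge_module(&ct_mod);        /* rmmod nf_conntrack_sip */
    if (gone != 1 || expect_count() != 0)
        return -1;
    return 0;
}
```

The purge keys on either pointer, which is exactly why a single helper-module check was not enough: the third expectation above has no helper at all, only a callback from the NAT module, and would survive a helper-only sweep.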
Re: [PATCH nf 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register
On Mon, Mar 20, 2017 at 5:37 PM, Sergei Shtylyov wrote: > Hello! > > On 3/20/2017 4:44 AM, f...@ikuai8.com wrote: > >> From: Gao Feng >> >> In the commit ("netfilter: nf_conntrack: nf_conntrack snmp helper"), > > >Need to specify the 12-digit SHA1 ID as well.

Thanks Sergei. I didn't know it was required to add the SHA1 ID to the description, thanks for your reminder. I have sent the v2 patch.

Regards Feng

> >> the snmp_helper is replaced by nf_nat_snmp_hook. So the snmp_helper >> is never registered. But it still tries to unregister the snmp_helper, >> it could cause the panic. >> >> Now remove the useless snmp_helper and the unregister call in the >> error handler. >> >> Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper") >> >> Signed-off-by: Gao Feng > > [...] > > MBR, Sergei > --
Re: [PATCH nft 2/3] parser_bison: Allow flushing maps
On Fri, Mar 17, 2017 at 12:04:06PM -0300, Elise Lennion wrote: > This patch enables the command flush on maps, which removes all > entries in it: > > $ nft flush map filter map1 > > Command above flushes map 'map1' in table 'filter'. > > The documentation was updated accordingly. Also applied, thanks. --
Re: [PATCH nft 3/3] doc: Document add / delete element operations of sets and maps
On Fri, Mar 17, 2017 at 12:04:48PM -0300, Elise Lennion wrote: > The add / delete operations weren't documented yet. They fit better > in the sets and maps blocks since these operations are used to directly > modify their content. Applied, thanks. A couple of requests: 1) Could you check that flow table flush command doesn't flush sets/maps too? This should be selective. 2) Could you add shell tests for this? Thanks. --
Re: [PATCH nft 1/3] parser_bison: Allow flushing flow tables
On Fri, Mar 17, 2017 at 12:03:17PM -0300, Elise Lennion wrote: > This patch enables the command flush on flow tables, which removes all > entries in it: > > $ nft flush flow table filter ft-https > > Command above flushes flow table 'ft-https' in table 'filter'. Applied, thanks Elise. --
[PATCH 08/22] netfilter: bridge: remove unneeded rcu_read_lock
From: Florian Westphal

As the comment says, the function is always called with rcu read lock held.

Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/bridge/br_netfilter_hooks.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index 95087e6e8258..52739e6c610e 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -1016,13 +1016,10 @@ int br_nf_hook_thresh(unsigned int hook, struct net *net, if (!elem) return okfn(net, sk, skb); - /* We may already have this, but read-locks nest anyway */ - rcu_read_lock(); nf_hook_state_init(, hook, NFPROTO_BRIDGE, indev, outdev, sk, net, okfn); ret = nf_hook_slow(skb, , elem); - rcu_read_unlock(); if (ret == 1) ret = okfn(net, sk, skb); -- 2.1.4 --
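Review bot: dropping the rcu_read_lock()/rcu_read_unlock() pair makes correctness depend on every caller of br_nf_hook_thresh() honouring the invariant the removed comment described; nf_hook_slow() walks the RCU-protected hook list, so a caller that reaches this point without the read lock would now race with hook unregistration instead of being harmlessly re-nested as before. Suggest replacing the deleted comment with an enforcement of the invariant, e.g. RCU_LOCKDEP_WARN(!rcu_read_lock_held(), "br_nf_hook_thresh() without rcu_read_lock") or WARN_ON_ONCE(!rcu_read_lock_held()), so a lockdep build catches a future caller that violates it.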
[PATCH 03/22] netfilter: nft_hash: support of symmetric hash
From: Laura Garcia LiebanaThis patch provides symmetric hash support according to source ip address and port, and destination ip address and port. For this purpose, the __skb_get_hash_symmetric() is used to identify the flow as it uses FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL flag by default. The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash. The main difference between both types are: - jhash requires an expression with sreg, symhash doesn't. - symhash supports modulus and offset, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 By default, jenkins hash will be used if no hash type is provided for compatibility reasons. Signed-off-by: Laura Garcia Liebana Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 13 + net/netfilter/nft_hash.c | 99 +++- 2 files changed, 111 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 05215d30fe5c..4f7d75682c59 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -816,6 +816,17 @@ enum nft_rt_keys { }; /** + * enum nft_hash_types - nf_tables hash expression types + * + * @NFT_HASH_JENKINS: Jenkins Hash + * @NFT_HASH_SYM: Symmetric Hash + */ +enum nft_hash_types { + NFT_HASH_JENKINS, + NFT_HASH_SYM, +}; + +/** * enum nft_hash_attributes - nf_tables hash expression netlink attributes * * @NFTA_HASH_SREG: source register (NLA_U32) @@ -824,6 +835,7 @@ enum nft_rt_keys { * @NFTA_HASH_MODULUS: modulus value (NLA_U32) * @NFTA_HASH_SEED: seed value (NLA_U32) * @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32) + * @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types) */ enum nft_hash_attributes { NFTA_HASH_UNSPEC, 
@@ -833,6 +845,7 @@ enum nft_hash_attributes { NFTA_HASH_MODULUS, NFTA_HASH_SEED, NFTA_HASH_OFFSET, + NFTA_HASH_TYPE, __NFTA_HASH_MAX, }; #define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1) diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c index ccb834ef049b..a6a4633725bb 100644 --- a/net/netfilter/nft_hash.c +++ b/net/netfilter/nft_hash.c @@ -38,6 +38,25 @@ static void nft_jhash_eval(const struct nft_expr *expr, regs->data[priv->dreg] = h + priv->offset; } +struct nft_symhash { + enum nft_registers dreg:8; + u32 modulus; + u32 offset; +}; + +static void nft_symhash_eval(const struct nft_expr *expr, +struct nft_regs *regs, +const struct nft_pktinfo *pkt) +{ + struct nft_symhash *priv = nft_expr_priv(expr); + struct sk_buff *skb = pkt->skb; + u32 h; + + h = reciprocal_scale(__skb_get_hash_symmetric(skb), priv->modulus); + + regs->data[priv->dreg] = h + priv->offset; +} + static const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = { [NFTA_HASH_SREG]= { .type = NLA_U32 }, [NFTA_HASH_DREG]= { .type = NLA_U32 }, @@ -45,6 +64,7 @@ static const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = { [NFTA_HASH_MODULUS] = { .type = NLA_U32 }, [NFTA_HASH_SEED]= { .type = NLA_U32 }, [NFTA_HASH_OFFSET] = { .type = NLA_U32 }, + [NFTA_HASH_TYPE]= { .type = NLA_U32 }, }; static int nft_jhash_init(const struct nft_ctx *ctx, 
@@ -92,6 +112,32 @@ static int nft_jhash_init(const struct nft_ctx *ctx, NFT_DATA_VALUE, sizeof(u32)); } +static int nft_symhash_init(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nlattr * const tb[]) +{ + struct nft_symhash *priv = nft_expr_priv(expr); + + if (!tb[NFTA_HASH_DREG]|| + !tb[NFTA_HASH_MODULUS]) + return -EINVAL; + + if (tb[NFTA_HASH_OFFSET]) + priv->offset = ntohl(nla_get_be32(tb[NFTA_HASH_OFFSET])); + + priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]); + + priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS])); + if (priv->modulus <= 1) + return -ERANGE; + + if (priv->offset + priv->modulus - 1 < priv->offset) + return -EOVERFLOW; + + return nft_validate_register_store(ctx, priv->dreg, NULL, + NFT_DATA_VALUE, sizeof(u32)); +} + static int nft_jhash_dump(struct sk_buff *skb, const struct nft_expr *expr) { @@ -110,6 +156,28 @@ static int nft_jhash_dump(struct sk_buff
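Review bot: nft_symhash_init() silently ignores NFTA_HASH_SREG and NFTA_HASH_SEED instead of rejecting them; the commit message states that symhash takes neither a source register nor a seed, so a rule that supplies one (for instance a user who assumes the seed still randomises the mapping, as it does for jhash) gets a different expression than it asked for with no error. Return -EINVAL when tb[NFTA_HASH_SREG] or tb[NFTA_HASH_SEED] is present together with NFT_HASH_SYM, and extend the uapi comment for NFTA_HASH_TYPE (and the nft_hash_types enum in the first hunk) to say which attributes each type accepts and that a missing NFTA_HASH_TYPE means NFT_HASH_JENKINS.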
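What "symmetric" buys you with the new NFT_HASH_SYM type, as an added example in userspace C that is not the nft_hash code: a direction-dependent hash over (saddr, sport, daddr, dport) gives the two halves of one connection different values, while ordering the endpoints before mixing makes both directions hash alike, which is the property the commit message describes. The struct flow4 layout, the mix32/fold helpers and the endpoint-ordering rule are the example's own (the kernel uses __skb_get_hash_symmetric() and the flow dissector); reciprocal_scale() and symhash_check_params() mirror the modulus/offset handling visible in the init hunk above.

```c
/* Added example, not kernel code: symmetric vs. directional flow hashing
 * and the parameter checks a symhash expression performs at init. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

struct flow4 {
    uint32_t saddr, daddr;   /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t  proto;
};

/* Small 32-bit mixer (murmur3 finaliser) used to fold fields together;
 * chosen for brevity, not a model of the kernel's jhash. */
static uint32_t mix32(uint32_t h)
{
    h ^= h >> 16; h *= 0x85ebca6bU;
    h ^= h >> 13; h *= 0xc2b2ae35U;
    h ^= h >> 16;
    return h;
}

static uint32_t fold(uint32_t h, uint32_t w)
{
    return mix32(h ^ w) + 0x9e3779b9U;
}

/* Like the kernel's reciprocal_scale(): map a 32-bit hash into [0, modulus). */
uint32_t reciprocal_scale(uint32_t val, uint32_t modulus)
{
    return (uint32_t)(((uint64_t)val * modulus) >> 32);
}

/* Direction-dependent hash: what hashing ip saddr/daddr in packet order does. */
uint32_t flow_hash_directional(const struct flow4 *f, uint32_t seed)
{
    uint32_t h = seed;
    h = fold(h, f->saddr);
    h = fold(h, f->daddr);
    h = fold(h, ((uint32_t)f->sport << 16) | f->dport);
    h = fold(h, f->proto);
    return h;
}

/* Symmetric hash: order the two (addr, port) endpoints before mixing so that
 * a->b and b->a reduce to the same canonical tuple. No seed: the mapping is
 * a pure function of the endpoints, as the commit message notes for symhash. */
uint32_t flow_hash_symmetric(const struct flow4 *f)
{
    uint32_t a_addr = f->saddr, b_addr = f->daddr;
    uint16_t a_port = f->sport, b_port = f->dport;
    bool swap = a_addr > b_addr || (a_addr == b_addr && a_port > b_port);
    if (swap) {
        uint32_t ta = a_addr; a_addr = b_addr; b_addr = ta;
        uint16_t tp = a_port; a_port = b_port; b_port = tp;
    }
    uint32_t h = 0;
    h = fold(h, a_addr);
    h = fold(h, b_addr);
    h = fold(h, ((uint32_t)a_port << 16) | b_port);
    h = fold(h, f->proto);
    return h;
}

/* Mirrors nft_symhash_init()'s checks: modulus must be >= 2 and
 * offset + modulus - 1 must not wrap. Returns 0 or a negative errno. */
int symhash_check_params(uint32_t modulus, uint32_t offset)
{
    if (modulus <= 1)
        return -ERANGE;
    if (offset + modulus - 1 < offset)
        return -EOVERFLOW;
    return 0;
}

/* What the expression would store in its destination register. */
uint32_t symhash_eval(const struct flow4 *f, uint32_t modulus, uint32_t offset)
{
    return reciprocal_scale(flow_hash_symmetric(f), modulus) + offset;
}

/* The reply direction of a flow (same connection, endpoints swapped). */
struct flow4 flow_reverse(const struct flow4 *f)
{
    struct flow4 r = { f->daddr, f->saddr, f->dport, f->sport, f->proto };
    return r;
}
```

With "ct mark set symhash mod 2" both directions of a connection land in the same bucket, which is what makes the result usable for steering a whole connection to one path; the directional variant would split request and reply.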
[PATCH 00/22] Netfilter/IPVS updates for net-next
Hi David, The following patchset contains Netfilter/IPVS updates for your net-next tree. A couple of new features for nf_tables, and unsorted cleanups and incremental updates for the Netfilter tree. More specifically, they are: 1) Allow to check for TCP option presence via nft_exthdr, patch from Phil Sutter. 2) Add symmetric hash support to nft_hash, from Laura Garcia Liebana. 3) Use pr_cont() in ebt_log, from Joe Perches. 4) Remove some dead code in arp_tables reported via static analysis tool, from Colin Ian King. 5) Consolidate nf_tables expression validation, from Liping Zhang. 6) Consolidate set lookup via nft_set_lookup(). 7) Remove unnecessary rcu read lock side in bridge netfilter, from Florian Westphal. 8) Remove unused variable in nf_reject_ipv4, from Taehee Yoo. 9) Pass nft_ctx struct to object initialization indirections, from Florian Westphal. 10) Add code to integrate conntrack helper into nf_tables, also from Florian. 11) Allow to check if interface index or name exists via NFTA_FIB_F_PRESENT, from Phil Sutter. 12) Simplify resolve_normal_ct(), from Florian. 13) Use per-limit spinlock in nft_limit and xt_limit, from Liping Zhang. 14) Use rwlock in nft_set_rbtree set, also from Liping Zhang. 15) One patch to remove a useless printk at netns init path in ipvs, and several patches to document IPVS knobs. 16) Use refcount_t for reference counter in the Netfilter/IPVS code, from Elena Reshetova. You can pull these changes from: git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git Thanks! 
The following changes since commit 8d70eeb84ab277377c017af6a21d0a337025dede: Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2017-03-04 17:31:39 -0800) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD for you to fetch changes up to 4485a841be171dbd8d3f0701b00f59d389e94ce6: netfilter: fix the warning on unused refcount variable (2017-03-20 10:49:12 +0100) Colin Ian King (1): netfilter: arp_tables: remove redundant check on ret being non-zero Cong Wang (1): ipvs: remove an annoying printk in netns init Florian Westphal (4): netfilter: bridge: remove unneeded rcu_read_lock netfilter: provide nft_ctx in object init function netfilter: nft_ct: add helper set support netfilter: nf_conntrack: reduce resolve_normal_ct args Hangbin Liu (4): ipvs: fix sync_threshold description and add sync_refresh_period, sync_retries ipvs: Document sysctl sync_qlen_max and sync_sock_size ipvs: Document sysctl sync_ports ipvs: Document sysctl pmtu_disc Joe Perches (1): netfilter: Use pr_cont where appropriate Laura Garcia Liebana (2): netfilter: nft_hash: rename nft_hash to nft_jhash netfilter: nft_hash: support of symmetric hash Liping Zhang (3): netfilter: nf_tables: validate the expr explicitly after init successfully netfilter: limit: use per-rule spinlock to improve the scalability netfilter: nft_set_rbtree: use per-set rwlock to improve the scalability Pablo Neira Ayuso (1): netfilter: nf_tables: add nft_set_lookup() Phil Sutter (2): netfilter: nft_exthdr: Allow checking TCP option presence, too netfilter: nft_fib: Support existence check Reshetova, Elena (2): netfilter: refcounter conversions netfilter: fix the warning on unused refcount variable Taehee Yoo (1): netfilter: nf_reject: remove unused variable Documentation/networking/ipvs-sysctl.txt | 68 +-- include/net/ip_vs.h | 16 +-- include/net/netfilter/nf_conntrack_expect.h | 4 +- include/net/netfilter/nf_conntrack_timeout.h | 3 +- 
include/net/netfilter/nf_tables.h| 12 +- include/net/netfilter/nft_fib.h | 2 +- include/uapi/linux/netfilter/nf_tables.h | 26 +++- net/bridge/br_netfilter_hooks.c | 3 - net/bridge/netfilter/ebt_log.c | 34 +++--- net/bridge/netfilter/nft_reject_bridge.c | 6 +- net/ipv4/netfilter/arp_tables.c | 2 - net/ipv4/netfilter/ipt_CLUSTERIP.c | 19 +-- net/ipv4/netfilter/nf_nat_snmp_basic.c | 15 +-- net/ipv4/netfilter/nf_reject_ipv4.c | 3 - net/ipv4/netfilter/nft_fib_ipv4.c| 4 +- net/ipv6/netfilter/nft_fib_ipv6.c| 2 +- net/netfilter/ipvs/ip_vs_conn.c | 24 ++-- net/netfilter/ipvs/ip_vs_core.c | 6 +- net/netfilter/ipvs/ip_vs_ctl.c | 12 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 6 +- net/netfilter/ipvs/ip_vs_nq.c| 2 +- net/netfilter/ipvs/ip_vs_proto_sctp.c| 2 +- net/netfilter/ipvs/ip_vs_proto_tcp.c | 2
[PATCH 04/22] netfilter: Use pr_cont where appropriate
From: Joe PerchesLogging output was changed when simple printks without KERN_CONT are now emitted on a new line and KERN_CONT is required to continue lines so use pr_cont. Miscellanea: o realign arguments o use print_hex_dump instead of a local variant Signed-off-by: Joe Perches Signed-off-by: Pablo Neira Ayuso --- net/bridge/netfilter/ebt_log.c | 34 +- net/ipv4/netfilter/nf_nat_snmp_basic.c | 15 ++- 2 files changed, 19 insertions(+), 30 deletions(-) diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c index 98b9c8e8615e..707caea39743 100644 --- a/net/bridge/netfilter/ebt_log.c +++ b/net/bridge/netfilter/ebt_log.c @@ -62,10 +62,10 @@ print_ports(const struct sk_buff *skb, uint8_t protocol, int offset) pptr = skb_header_pointer(skb, offset, sizeof(_ports), &_ports); if (pptr == NULL) { - printk(" INCOMPLETE TCP/UDP header"); + pr_cont(" INCOMPLETE TCP/UDP header"); return; } - printk(" SPT=%u DPT=%u", ntohs(pptr->src), ntohs(pptr->dst)); + pr_cont(" SPT=%u DPT=%u", ntohs(pptr->src), ntohs(pptr->dst)); } } @@ -100,11 +100,11 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum, ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); if (ih == NULL) { - printk(" INCOMPLETE IP header"); + pr_cont(" INCOMPLETE IP header"); goto out; } - printk(" IP SRC=%pI4 IP DST=%pI4, IP tos=0x%02X, IP proto=%d", - >saddr, >daddr, ih->tos, ih->protocol); + pr_cont(" IP SRC=%pI4 IP DST=%pI4, IP tos=0x%02X, IP proto=%d", + >saddr, >daddr, ih->tos, ih->protocol); print_ports(skb, ih->protocol, ih->ihl*4); goto out; } 
@@ -120,11 +120,11 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum, ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); if (ih == NULL) { - printk(" INCOMPLETE IPv6 header"); + pr_cont(" INCOMPLETE IPv6 header"); goto out; } - printk(" IPv6 SRC=%pI6 IPv6 DST=%pI6, IPv6 priority=0x%01X, Next Header=%d", - >saddr, >daddr, ih->priority, ih->nexthdr); + pr_cont(" IPv6 SRC=%pI6 IPv6 DST=%pI6, IPv6 priority=0x%01X, Next Header=%d", + >saddr, >daddr, ih->priority, ih->nexthdr); nexthdr = ih->nexthdr; offset_ph = ipv6_skip_exthdr(skb, sizeof(_iph), , _off); if (offset_ph == -1) @@ -142,12 +142,12 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum, ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); if (ah == NULL) { - printk(" INCOMPLETE ARP header"); + pr_cont(" INCOMPLETE ARP header"); goto out; } - printk(" ARP HTYPE=%d, PTYPE=0x%04x, OPCODE=%d", - ntohs(ah->ar_hrd), ntohs(ah->ar_pro), - ntohs(ah->ar_op)); + pr_cont(" ARP HTYPE=%d, PTYPE=0x%04x, OPCODE=%d", + ntohs(ah->ar_hrd), ntohs(ah->ar_pro), + ntohs(ah->ar_op)); /* If it's for Ethernet and the lengths are OK, * then log the ARP payload @@ -161,17 +161,17 @@ ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum, ap = skb_header_pointer(skb, sizeof(_arph), sizeof(_arpp), &_arpp); if (ap == NULL) { - printk(" INCOMPLETE ARP payload"); + pr_cont(" INCOMPLETE ARP payload"); goto out; } - printk(" ARP MAC SRC=%pM ARP IP SRC=%pI4 ARP MAC DST=%pM ARP IP DST=%pI4", - ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst); + pr_cont(" ARP MAC SRC=%pM ARP IP SRC=%pI4 ARP MAC DST=%pM ARP IP DST=%pI4", + ap->mac_src, ap->ip_src, + ap->mac_dst, ap->ip_dst); } } out: - printk("\n"); + pr_cont("\n"); spin_unlock_bh(_log_lock); - } static unsigned int diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c index c9b52c361da2..ef49989c93b1 100644 --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c +++
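Review bot: the pr_cont() conversion is the right fix for the continuation fragments, but the ebt_log_packet() hunks keep assembling one log record from many separate printk calls under ebt_log_lock, and that lock only serialises ebt_log callers: a printk from any other context on another CPU can still land between the " IP SRC=... IP DST=..." fragment and the " SPT=... DPT=..." fragment, and with KERN_CONT the interrupted tail is then emitted as its own line. If the ebtables log output is consumed by anything that parses it (log-based blocking or SIEM rules keyed on the SRC/DST fields), that is worth a sentence in the commit message, or a pointer to nflog, which delivers the whole record in one message. Minor: the last hunk also drops the blank line before the closing brace after spin_unlock_bh(); that is an unrelated whitespace change bundled into a printk fix.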
Re: [PATCH nf v2 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register
On 3/20/2017 12:55 PM, f...@ikuai8.com wrote:
> From: Gao Feng
>
> In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack snmp

Angle brackets not needed. :-)
The commit citing style is the same as for the Fixes: tag.

> helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the snmp_helper is never registered. But it still tries to unregister the snmp_helper, it could cause the panic. Now remove the useless snmp_helper and the unregister call in the error handler. Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper") Signed-off-by: Gao Feng

[...]

MBR, Sergei --
[PATCH 13/22] netfilter: nf_conntrack: reduce resolve_normal_ct args
From: Florian Westphal

Also mark init_conntrack noinline, in most cases resolve_normal_ct will find an existing conntrack entry.

   text    data     bss     dec     hex filename
  16735    5707     176   22618    585a net/netfilter/nf_conntrack_core.o
  16687    5707     176   22570    582a net/netfilter/nf_conntrack_core.o

Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_core.c | 57 ++- 1 file changed, 26 insertions(+), 31 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 071b97fcbefb..b0f2e8e65084 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1129,7 +1129,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_free); /* Allocate a new conntrack: we return -ENOMEM if classification failed due to stress. Otherwise it really is unclassifiable. */ -static struct nf_conntrack_tuple_hash * +static noinline struct nf_conntrack_tuple_hash * init_conntrack(struct net *net, struct nf_conn *tmpl, const struct nf_conntrack_tuple *tuple, struct nf_conntrack_l3proto *l3proto, @@ -1237,21 +1237,20 @@ init_conntrack(struct net *net, struct nf_conn *tmpl, return >tuplehash[IP_CT_DIR_ORIGINAL]; } -/* On success, returns conntrack ptr, sets skb->_nfct | ctinfo */ -static inline struct nf_conn * +/* On success, returns 0, sets skb->_nfct | ctinfo */ +static int resolve_normal_ct(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, unsigned int dataoff, u_int16_t l3num, u_int8_t protonum, struct nf_conntrack_l3proto *l3proto, - struct nf_conntrack_l4proto *l4proto, - int *set_reply, - enum ip_conntrack_info *ctinfo) + struct nf_conntrack_l4proto *l4proto) { const struct nf_conntrack_zone *zone; struct nf_conntrack_tuple tuple; struct nf_conntrack_tuple_hash *h; + enum ip_conntrack_info ctinfo; struct nf_conntrack_zone tmp; struct nf_conn *ct; u32 hash; 
@@ -1260,7 +1259,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl, dataoff, l3num, protonum, net, , l3proto, l4proto)) { pr_debug("Can't get tuple\n"); - return NULL; + return 0; } /* look for tuple match */ @@ -1271,33 +1270,30 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl, h = init_conntrack(net, tmpl, , l3proto, l4proto, skb, dataoff, hash); if (!h) - return NULL; + return 0; if (IS_ERR(h)) - return (void *)h; + return PTR_ERR(h); } ct = nf_ct_tuplehash_to_ctrack(h); /* It exists; we have (non-exclusive) reference. */ if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) { - *ctinfo = IP_CT_ESTABLISHED_REPLY; - /* Please set reply bit if this packet OK */ - *set_reply = 1; + ctinfo = IP_CT_ESTABLISHED_REPLY; } else { /* Once we've had two way comms, always ESTABLISHED. */ if (test_bit(IPS_SEEN_REPLY_BIT, >status)) { pr_debug("normal packet for %p\n", ct); - *ctinfo = IP_CT_ESTABLISHED; + ctinfo = IP_CT_ESTABLISHED; } else if (test_bit(IPS_EXPECTED_BIT, >status)) { pr_debug("related packet for %p\n", ct); - *ctinfo = IP_CT_RELATED; + ctinfo = IP_CT_RELATED; } else { pr_debug("new packet for %p\n", ct); - *ctinfo = IP_CT_NEW; + ctinfo = IP_CT_NEW; } - *set_reply = 0; } - nf_ct_set(skb, ct, *ctinfo); - return ct; + nf_ct_set(skb, ct, ctinfo); + return 0; } unsigned int @@ -1311,7 +1307,6 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, unsigned int *timeouts; unsigned int dataoff; u_int8_t protonum; - int set_reply = 0; int ret; tmpl = nf_ct_get(skb, ); @@ -1354,23 +1349,22 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, goto out; } repeat: - ct = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum, - l3proto, l4proto, _reply, ); - if (!ct) { - /* Not valid part of a connection */ - NF_CT_STAT_INC_ATOMIC(net, invalid); - ret = NF_ACCEPT; - goto out; -
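Review bot: with the new signature both the "Can't get tuple" path and the init_conntrack() == NULL path return 0, the same value as success, so the caller can only distinguish "no conntrack attached" from "conntrack attached" by inspecting skb->_nfct after the call; the new header comment /* On success, returns 0, sets skb->_nfct | ctinfo */ should state explicitly that 0 is also returned when the packet is not part of a valid connection and nothing was set. The caller code removed in the last visible hunk incremented NF_CT_STAT invalid and accepted the packet on a NULL return; make sure the replacement (cut off here) keeps that accounting, since the invalid counter is what operators watch to spot malformed or spoofed traffic. Returning PTR_ERR(h) where the old code returned the ERR_PTR itself is a faithful translation of the allocation-failure path.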
[PATCH 09/22] netfilter: nf_reject: remove unused variable
From: Taehee Yoo

Variable oiph is not used.

Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/nf_reject_ipv4.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c index 146d86105183..7cd8d0d918f8 100644 --- a/net/ipv4/netfilter/nf_reject_ipv4.c +++ b/net/ipv4/netfilter/nf_reject_ipv4.c @@ -104,7 +104,6 @@ EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_put); void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook) { struct sk_buff *nskb; - const struct iphdr *oiph; struct iphdr *niph; const struct tcphdr *oth; struct tcphdr _oth; @@ -116,8 +115,6 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook) if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) return; - oiph = ip_hdr(oldskb); - nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) + LL_MAX_HEADER, GFP_ATOMIC); if (!nskb) -- 2.1.4 --
[PATCH 12/22] netfilter: nft_fib: Support existence check
From: Phil Sutter

Instead of the actual interface index or name, set destination register to just 1 or 0 depending on whether the lookup succeeded or not if NFTA_FIB_F_PRESENT was set in userspace.

Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nft_fib.h | 2 +- include/uapi/linux/netfilter/nf_tables.h | 1 + net/ipv4/netfilter/nft_fib_ipv4.c| 4 ++-- net/ipv6/netfilter/nft_fib_ipv6.c| 2 +- net/netfilter/nft_fib.c | 14 +- 5 files changed, 14 insertions(+), 9 deletions(-) diff --git a/include/net/netfilter/nft_fib.h b/include/net/netfilter/nft_fib.h index 5ceb2205e4e3..381af9469e6a 100644 --- a/include/net/netfilter/nft_fib.h +++ b/include/net/netfilter/nft_fib.h @@ -32,6 +32,6 @@ void nft_fib6_eval_type(const struct nft_expr *expr, struct nft_regs *regs, void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, const struct nft_pktinfo *pkt); -void nft_fib_store_result(void *reg, enum nft_fib_result r, +void nft_fib_store_result(void *reg, const struct nft_fib *priv, const struct nft_pktinfo *pkt, int index); #endif diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 34c8d08b687a..8f3842690d17 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -1257,6 +1257,7 @@ enum nft_fib_flags { NFTA_FIB_F_MARK = 1 << 2, /* use skb->mark */ NFTA_FIB_F_IIF = 1 << 3, /* restrict to iif */ NFTA_FIB_F_OIF = 1 << 4, /* restrict to oif */ + NFTA_FIB_F_PRESENT = 1 << 5, /* check existence only */ }; enum nft_ct_helper_attributes { diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c index 2981291910dd..f4e4462cb5bb 100644 --- a/net/ipv4/netfilter/nft_fib_ipv4.c +++ b/net/ipv4/netfilter/nft_fib_ipv4.c 
@@ -90,7 +90,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, if (nft_hook(pkt) == NF_INET_PRE_ROUTING && nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { - nft_fib_store_result(dest, priv->result, pkt, + nft_fib_store_result(dest, priv, pkt, nft_in(pkt)->ifindex); return; } @@ -99,7 +99,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, if (ipv4_is_zeronet(iph->saddr)) { if (ipv4_is_lbcast(iph->daddr) || ipv4_is_local_multicast(iph->daddr)) { - nft_fib_store_result(dest, priv->result, pkt, + nft_fib_store_result(dest, priv, pkt, get_ifindex(pkt->skb->dev)); return; } diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c index 765facf03d45..e8d88d82636b 100644 --- a/net/ipv6/netfilter/nft_fib_ipv6.c +++ b/net/ipv6/netfilter/nft_fib_ipv6.c @@ -159,7 +159,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, if (nft_hook(pkt) == NF_INET_PRE_ROUTING && nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { - nft_fib_store_result(dest, priv->result, pkt, + nft_fib_store_result(dest, priv, pkt, nft_in(pkt)->ifindex); return; } diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c index fd0b19303b0d..21df8cccea65 100644 --- a/net/netfilter/nft_fib.c +++ b/net/netfilter/nft_fib.c @@ -24,7 +24,8 @@ const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = { EXPORT_SYMBOL(nft_fib_policy); #define NFTA_FIB_F_ALL (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR | \ - NFTA_FIB_F_MARK | NFTA_FIB_F_IIF | NFTA_FIB_F_OIF) + NFTA_FIB_F_MARK | NFTA_FIB_F_IIF | NFTA_FIB_F_OIF | \ + NFTA_FIB_F_PRESENT) int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr, const struct nft_data **data) 
@@ -133,19 +134,22 @@ int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr) } EXPORT_SYMBOL_GPL(nft_fib_dump); -void nft_fib_store_result(void *reg, enum nft_fib_result r, +void nft_fib_store_result(void *reg, const struct nft_fib *priv, const struct nft_pktinfo *pkt, int index) { struct net_device *dev; u32 *dreg = reg; - switch (r) { + switch (priv->result) { case NFT_FIB_RESULT_OIF: - *dreg = index; + *dreg = (priv->flags & NFTA_FIB_F_PRESENT) ? !!index : index; break; case NFT_FIB_RESULT_OIFNAME: dev = dev_get_by_index_rcu(nft_net(pkt), index); - strncpy(reg, dev ? dev->name :
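Review bot: in nft_fib_store_result the NFTA_FIB_F_PRESENT handling is applied only in the NFT_FIB_RESULT_OIF case; the NFT_FIB_RESULT_OIFNAME case visible right below it still copies dev->name into the register, so a rule combining the PRESENT flag with an oifname result would receive a name rather than 0/1. Either reject that combination in nft_fib_init/nft_fib_validate or make the OIFNAME case store `!!dev` as well. Also, `!!index` treats any non-zero ifindex as "present", which the zeronet/lbcast shortcut in nft_fib4_eval satisfies without a real FIB lookup (it passes get_ifindex(pkt->skb->dev)); that is probably intended, but the uapi comment "check existence only" could say so.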
[PATCH 19/22] ipvs: Document sysctl sync_ports
From: Hangbin Liu

Document sysctl sync_ports based on commit f73181c8288f ("ipvs: add support for sync threads"). Signed-off-by: Hangbin Liu Signed-off-by: Simon Horman --- Documentation/networking/ipvs-sysctl.txt | 8 1 file changed, 8 insertions(+) diff --git a/Documentation/networking/ipvs-sysctl.txt b/Documentation/networking/ipvs-sysctl.txt index 159d70b6dff3..a6feecd467cd 100644 --- a/Documentation/networking/ipvs-sysctl.txt +++ b/Documentation/networking/ipvs-sysctl.txt @@ -231,6 +231,14 @@ sync_sock_size - INTEGER Configuration of SNDBUF (master) or RCVBUF (slave) socket limit. Default value is 0 (preserve system defaults). +sync_ports - INTEGER + default 1 + + The number of threads that master and backup servers can use for + sync traffic. Every thread will use single UDP port, thread 0 will + use the default port 8848 while last thread will use port + 8848+sync_ports-1. + snat_reroute - BOOLEAN 0 - disabled not 0 - enabled (default) -- 2.1.4
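Review bot: the new sync_ports entry gives the default (1) but not the accepted range, unlike the neighbouring sync_retries entry ("from 0 to 3"); add the maximum so readers know how far the 8848+sync_ports-1 port range can extend. Minor wording in the added text: "Every thread will use single UDP port" should read "a single UDP port", and "while last thread" should read "while the last thread".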
[PATCH 05/22] netfilter: arp_tables: remove redundant check on ret being non-zero
From: Colin Ian King

ret is initialized to zero and if it is set to non-zero in the xt_entry_foreach loop then we exit via the out_free label. Hence the check for ret being non-zero is redundant and can be removed. Detected by CoverityScan, CID#1357132 ("Logically Dead Code") Signed-off-by: Colin Ian King Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/arp_tables.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 6241a81fd7f5..f17dab1dee6e 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -562,8 +562,6 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0, XT_ERROR_TARGET) == 0) ++newinfo->stacksize; } - if (ret != 0) - goto out_free; ret = -EINVAL; if (i != repl->num_entries) -- 2.1.4
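Review bot: the deleted `if (ret != 0) goto out_free;` is dead only if every error path inside the preceding xt_entry_foreach loop jumps straight to out_free rather than leaving the loop with ret set; the loop body is outside the hunk's context, so the Coverity CID#1357132 finding cited in the message is the only evidence shown here. Worth confirming there is no `break` in that loop before merging, because `ret = -EINVAL` follows unconditionally and would otherwise replace the real error code.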
[PATCH 18/22] ipvs: Document sysctl sync_qlen_max and sync_sock_size
From: Hangbin Liu

Document sysctl sync_qlen_max and sync_sock_size based on commit 1c003b1580e2 ("ipvs: wakeup master thread"). Signed-off-by: Hangbin Liu Signed-off-by: Simon Horman --- Documentation/networking/ipvs-sysctl.txt | 14 ++ 1 file changed, 14 insertions(+) diff --git a/Documentation/networking/ipvs-sysctl.txt b/Documentation/networking/ipvs-sysctl.txt index 7acaaa65451e..159d70b6dff3 100644 --- a/Documentation/networking/ipvs-sysctl.txt +++ b/Documentation/networking/ipvs-sysctl.txt @@ -217,6 +217,20 @@ sync_retries - INTEGER to protect against loss of sync messages. The range of the sync_retries is from 0 to 3. +sync_qlen_max - UNSIGNED LONG + + Hard limit for queued sync messages that are not sent yet. It + defaults to 1/32 of the memory pages but actually represents + number of messages. It will protect us from allocating large + parts of memory when the sending rate is lower than the queuing + rate. + +sync_sock_size - INTEGER + default 0 + + Configuration of SNDBUF (master) or RCVBUF (slave) socket limit. + Default value is 0 (preserve system defaults). + snat_reroute - BOOLEAN 0 - disabled not 0 - enabled (default) -- 2.1.4
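Review bot: the two new entries use different terminology for the second node: sync_sock_size says "RCVBUF (slave)" while the sync_ports entry added in 19/22 of this series says "master and backup servers"; pick one term (backup is what the sibling entry uses). Also "defaults to 1/32 of the memory pages but actually represents number of messages" is hard to parse; suggest "defaults to 1/32 of the system's memory pages, but the value is a count of messages, not of pages".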
[PATCH 17/22] ipvs: fix sync_threshold description and add sync_refresh_period, sync_retries
From: Hangbin Liu

Fix sync_threshold description which should have two values. Also add sync_refresh_period and sync_retries based on commit 749c42b620a9 ("ipvs: reduce sync rate with time thresholds"). Signed-off-by: Hangbin Liu Signed-off-by: Simon Horman --- Documentation/networking/ipvs-sysctl.txt | 40 +--- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/Documentation/networking/ipvs-sysctl.txt b/Documentation/networking/ipvs-sysctl.txt index e6b1c025fdd8..7acaaa65451e 100644 --- a/Documentation/networking/ipvs-sysctl.txt +++ b/Documentation/networking/ipvs-sysctl.txt 
@@ -185,15 +185,37 @@ secure_tcp - INTEGER The value definition is the same as that of drop_entry and drop_packet. -sync_threshold - INTEGER -default 3 - -It sets synchronization threshold, which is the minimum number -of incoming packets that a connection needs to receive before -the connection will be synchronized. A connection will be -synchronized, every time the number of its incoming packets -modulus 50 equals the threshold. The range of the threshold is -from 0 to 49. +sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period + default 3 50 + + It sets synchronization threshold, which is the minimum number + of incoming packets that a connection needs to receive before + the connection will be synchronized. A connection will be + synchronized, every time the number of its incoming packets + modulus sync_period equals the threshold. The range of the + threshold is from 0 to sync_period. + + When sync_period and sync_refresh_period are 0, send sync only + for state changes or only once when pkts matches sync_threshold + +sync_refresh_period - UNSIGNED INTEGER + default 0 + + In seconds, difference in reported connection timer that triggers + new sync message. It can be used to avoid sync messages for the + specified period (or half of the connection timeout if it is lower) + if connection state is not changed since last sync. + + This is useful for normal connections with high traffic to reduce + sync rate. Additionally, retry sync_retries times with period of + sync_refresh_period/8. + +sync_retries - INTEGER + default 0 + + Defines sync retries with period of sync_refresh_period/8. Useful + to protect against loss of sync messages. The range of the + sync_retries is from 0 to 3. snat_reroute - BOOLEAN 0 - disabled -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
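Review bot: the rewritten range "from 0 to sync_period" contradicts the trigger condition stated two sentences earlier: a connection is synchronized when its packet count modulus sync_period equals the threshold, and a remainder can never equal sync_period, so a threshold of sync_period would never fire. The old text had this right as an exclusive bound ("0 to 49" for a period of 50); say "from 0 to sync_period-1" here. The sentence "only once when pkts matches sync_threshold" is also missing its full stop.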
[PATCH 22/22] netfilter: fix the warning on unused refcount variable
From: "Reshetova, Elena"

net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del': net/netfilter/nfnetlink_acct.c:329:15: warning: unused variable 'refcount' [-Wunused-variable] unsigned int refcount; ^ Fixes: b54ab92b84b6 ("netfilter: refcounter conversions") Signed-off-by: Elena Reshetova Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nfnetlink_acct.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c index f44cbd35357f..c86da174a5fc 100644 --- a/net/netfilter/nfnetlink_acct.c +++ b/net/netfilter/nfnetlink_acct.c @@ -326,7 +326,6 @@ static int nfnl_acct_get(struct net *net, struct sock *nfnl, static int nfnl_acct_try_del(struct nf_acct *cur) { int ret = 0; - unsigned int refcount; /* We want to avoid races with nfnl_acct_put. So only when the current * refcnt is 1, we decrease it to 0. -- 2.1.4
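Review bot: the Fixes: tag points at b54ab92b84b6, which is 21/22 in this very series ("netfilter: refcounter conversions", whose diffstat touches net/netfilter/nfnetlink_acct.c); if the series is still being applied as a unit, folding this one-line removal into 21/22 avoids introducing a -Wunused-variable warning only to fix it one patch later, and keeps the tree warning-free at every bisect point.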
[PATCH 06/22] netfilter: nf_tables: validate the expr explicitly after init successfully
From: Liping ZhangWhen we want to validate the expr's dependency or hooks, we must do two things to accomplish it. First, write a X_validate callback function and point ->validate to it. Second, call X_validate in init routine. This is very common, such as fib, nat, reject expr and so on ... It is a little ugly, since we will call X_validate in the expr's init routine, it's better to do it in nf_tables_newexpr. So we can avoid to do this again and again. After doing this, the second step listed above is not useful anymore, remove them now. Patch was tested by nftables/tests/py/nft-test.py and nftables/tests/shell/run-tests.sh. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- net/bridge/netfilter/nft_reject_bridge.c | 6 +- net/netfilter/nf_tables_api.c| 11 +++ net/netfilter/nft_compat.c | 8 net/netfilter/nft_fib.c | 2 +- net/netfilter/nft_masq.c | 4 net/netfilter/nft_meta.c | 4 net/netfilter/nft_nat.c | 4 net/netfilter/nft_redir.c| 4 net/netfilter/nft_reject.c | 5 - net/netfilter/nft_reject_inet.c | 6 +- 10 files changed, 14 insertions(+), 40 deletions(-) diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c index 206dc266ecd2..346ef6b00b8f 100644 --- a/net/bridge/netfilter/nft_reject_bridge.c +++ b/net/bridge/netfilter/nft_reject_bridge.c @@ -375,11 +375,7 @@ static int nft_reject_bridge_init(const struct nft_ctx *ctx, const struct nlattr * const tb[]) { struct nft_reject *priv = nft_expr_priv(expr); - int icmp_code, err; - - err = nft_reject_bridge_validate(ctx, expr, NULL); - if (err < 0) - return err; + int icmp_code; if (tb[NFTA_REJECT_TYPE] == NULL) return -EINVAL; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 5e0ccfd5bb37..fd8789eccc92 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -1772,8 +1772,19 @@ static int nf_tables_newexpr(const struct nft_ctx *ctx, goto err1; } + if (ops->validate) { + const struct nft_data *data = NULL; + + err = ops->validate(ctx, expr, ); + if (err < 0) + goto err2; + } + return 0; +err2: + if (ops->destroy) + ops->destroy(ctx, expr); err1: expr->ops = NULL; return err; diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c index c21e7eb8dce0..fab6bf3f955e 100644 --- a/net/netfilter/nft_compat.c +++ b/net/netfilter/nft_compat.c @@ -230,10 +230,6 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr, union nft_entry e = {}; int ret; - ret = nft_compat_chain_validate_dependency(target->table, ctx->chain); - if (ret < 0) - goto err; - target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info); if (ctx->nla[NFTA_RULE_COMPAT]) { @@ -419,10 +415,6 @@ nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr, union nft_entry e = {}; int ret; - ret = nft_compat_chain_validate_dependency(match->table, ctx->chain); - if (ret < 0) - goto err; - match_compat_from_user(match, nla_data(tb[NFTA_MATCH_INFO]), info); if (ctx->nla[NFTA_RULE_COMPAT]) { diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c index 29a4906adc27..fd0b19303b0d 100644 --- a/net/netfilter/nft_fib.c +++ b/net/netfilter/nft_fib.c @@ -112,7 +112,7 @@ int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr, if (err < 0) return err; - return nft_fib_validate(ctx, expr, NULL); + return 0; } EXPORT_SYMBOL_GPL(nft_fib_init); diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c index 11ce016cd479..6ac03d4266c9 100644 --- a/net/netfilter/nft_masq.c +++ b/net/netfilter/nft_masq.c 
@@ -46,10 +46,6 @@ int nft_masq_init(const struct nft_ctx *ctx, struct nft_masq *priv = nft_expr_priv(expr); int err; - err = nft_masq_validate(ctx, expr, NULL); - if (err) - return err; - if (tb[NFTA_MASQ_FLAGS]) { priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS])); if (priv->flags & ~NF_NAT_RANGE_MASK) diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index e1f5ca9b423b..d14417aaf5d4 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -370,10 +370,6 @@ int nft_meta_set_init(const struct nft_ctx *ctx, return -EOPNOTSUPP; } - err = nft_meta_set_validate(ctx, expr, NULL); - if (err
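Review bot: the new generic call in nf_tables_newexpr only runs `ops->validate` when the expression type sets it, so every X_validate call removed from an init routine here must have a matching `.validate = X_validate` in that type's ops, or the check is silently lost. The diffstat shows nft_compat.c with 8 lines removed and none added, so the nft_compat_chain_validate_dependency() calls dropped from nft_target_init and nft_match_init are not replaced by a new `.validate` in this patch; please confirm the existing nft_target_ops and nft_match_ops already carry one. The err2 path that calls ops->destroy before clearing expr->ops is the right cleanup order, since init had already succeeded at that point.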
[PATCH 16/22] ipvs: remove an annoying printk in netns init
From: Cong Wang

At most it is used for debugging purposes, but I don't think it is even useful for debugging, just remove it. Signed-off-by: Cong Wang Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_core.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index db40050f8785..9aaa49025cdc 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -2231,8 +2231,6 @@ static int __net_init __ip_vs_init(struct net *net) if (ip_vs_sync_net_init(ipvs) < 0) goto sync_fail; - printk(KERN_INFO "IPVS: Creating netns size=%zu id=%d\n", -sizeof(struct netns_ipvs), ipvs->gen); return 0; /* * Error handling -- 2.1.4
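Review bot: no objection to dropping the unconditional KERN_INFO line from __ip_vs_init; an info-level message on every netns creation is log noise, and if the netns size/id ever becomes useful again, pr_debug() is the right home for it rather than printk.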
[PATCH 07/22] netfilter: nf_tables: add nft_set_lookup()
This new function consolidates set lookup via either name or ID by introducing a new nft_set_lookup() function. Replace existing spots where we can use this too. Signed-off-by: Pablo Neira Ayuso--- include/net/netfilter/nf_tables.h | 9 + net/netfilter/nf_tables_api.c | 31 --- net/netfilter/nft_dynset.c| 14 -- net/netfilter/nft_lookup.c| 14 -- net/netfilter/nft_objref.c| 14 -- 5 files changed, 41 insertions(+), 41 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 2aa8a9d80fbe..f0d46726d06e 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -385,10 +385,11 @@ static inline struct nft_set *nft_set_container_of(const void *priv) return (void *)priv - offsetof(struct nft_set, data); } -struct nft_set *nf_tables_set_lookup(const struct nft_table *table, -const struct nlattr *nla, u8 genmask); -struct nft_set *nf_tables_set_lookup_byid(const struct net *net, - const struct nlattr *nla, u8 genmask); +struct nft_set *nft_set_lookup(const struct net *net, + const struct nft_table *table, + const struct nlattr *nla_set_name, + const struct nlattr *nla_set_id, + u8 genmask); static inline unsigned long nft_set_gc_interval(const struct nft_set *set) { diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index fd8789eccc92..4559f5d66bcc 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2534,8 +2534,8 @@ static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net, return 0; } -struct nft_set *nf_tables_set_lookup(const struct nft_table *table, -const struct nlattr *nla, u8 genmask) +static struct nft_set *nf_tables_set_lookup(const struct nft_table *table, + const struct nlattr *nla, u8 genmask) { struct nft_set *set; 
@@ -2549,11 +2549,10 @@ struct nft_set *nf_tables_set_lookup(const struct nft_table *table, } return ERR_PTR(-ENOENT); } -EXPORT_SYMBOL_GPL(nf_tables_set_lookup); -struct nft_set *nf_tables_set_lookup_byid(const struct net *net, - const struct nlattr *nla, - u8 genmask) +static struct nft_set *nf_tables_set_lookup_byid(const struct net *net, +const struct nlattr *nla, +u8 genmask) { struct nft_trans *trans; u32 id = ntohl(nla_get_be32(nla)); @@ -2568,7 +2567,25 @@ struct nft_set *nf_tables_set_lookup_byid(const struct net *net, } return ERR_PTR(-ENOENT); } -EXPORT_SYMBOL_GPL(nf_tables_set_lookup_byid); + +struct nft_set *nft_set_lookup(const struct net *net, + const struct nft_table *table, + const struct nlattr *nla_set_name, + const struct nlattr *nla_set_id, + u8 genmask) +{ + struct nft_set *set; + + set = nf_tables_set_lookup(table, nla_set_name, genmask); + if (IS_ERR(set)) { + if (!nla_set_id) + return set; + + set = nf_tables_set_lookup_byid(net, nla_set_id, genmask); + } + return set; +} +EXPORT_SYMBOL_GPL(nft_set_lookup); static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, const char *name) diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c index 049ad2d9ee66..3948da380259 100644 --- a/net/netfilter/nft_dynset.c +++ b/net/netfilter/nft_dynset.c @@ -133,16 +133,10 @@ static int nft_dynset_init(const struct nft_ctx *ctx, priv->invert = true; } - set = nf_tables_set_lookup(ctx->table, tb[NFTA_DYNSET_SET_NAME], - genmask); - if (IS_ERR(set)) { - if (tb[NFTA_DYNSET_SET_ID]) - set = nf_tables_set_lookup_byid(ctx->net, - tb[NFTA_DYNSET_SET_ID], - genmask); - if (IS_ERR(set)) - return PTR_ERR(set); - } + set = nft_set_lookup(ctx->net, ctx->table, tb[NFTA_DYNSET_SET_NAME], +tb[NFTA_DYNSET_SET_ID], genmask); + if (IS_ERR(set)) + return PTR_ERR(set); if (set->ops->update == NULL) return -EOPNOTSUPP; diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c index
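Review bot: nft_set_lookup falls back to the by-ID lookup whenever the by-name lookup returns any error, not only -ENOENT, so a different failure from nf_tables_set_lookup would be overwritten by the by-ID result (or its -ENOENT). If the name lookup can only fail with -ENOENT, as the visible tail of that function suggests, this is fine; otherwise restrict the fallback to `PTR_ERR(set) == -ENOENT`. The caller conversion shown for nft_dynset_init preserves the previous semantics one-to-one, and making the two helpers static with the EXPORT_SYMBOL_GPL lines removed is the right cleanup.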
[PATCH 21/22] netfilter: refcounter conversions
From: "Reshetova, Elena"refcount_t type and corresponding API (see include/linux/refcount.h) should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by: Hans Liljestrand Signed-off-by: Kees Cook Signed-off-by: David Windsor Signed-off-by: Pablo Neira Ayuso --- include/net/ip_vs.h | 16 +--- include/net/netfilter/nf_conntrack_expect.h | 4 +++- include/net/netfilter/nf_conntrack_timeout.h | 3 ++- net/ipv4/netfilter/ipt_CLUSTERIP.c | 19 ++- net/netfilter/ipvs/ip_vs_conn.c | 24 net/netfilter/ipvs/ip_vs_core.c | 4 ++-- net/netfilter/ipvs/ip_vs_ctl.c | 12 ++-- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 6 +++--- net/netfilter/ipvs/ip_vs_nq.c| 2 +- net/netfilter/ipvs/ip_vs_proto_sctp.c| 2 +- net/netfilter/ipvs/ip_vs_proto_tcp.c | 2 +- net/netfilter/ipvs/ip_vs_rr.c| 2 +- net/netfilter/ipvs/ip_vs_sed.c | 2 +- net/netfilter/ipvs/ip_vs_wlc.c | 2 +- net/netfilter/ipvs/ip_vs_wrr.c | 2 +- net/netfilter/nf_conntrack_expect.c | 10 +- net/netfilter/nf_conntrack_netlink.c | 4 ++-- net/netfilter/nfnetlink_acct.c | 16 +--- net/netfilter/nfnetlink_cttimeout.c | 12 ++-- net/netfilter/nfnetlink_log.c| 14 -- 21 files changed, 85 insertions(+), 75 deletions(-) diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h index 7bdfa7d78363..8a4a57b887fb 100644 --- a/include/net/ip_vs.h +++ b/include/net/ip_vs.h @@ -12,6 +12,8 @@ #include /* for struct list_head */ #include /* for struct rwlock_t */ #include/* for struct atomic_t */ +#include /* for struct refcount_t */ + #include #include #include @@ -525,7 +527,7 @@ struct ip_vs_conn { struct netns_ipvs *ipvs; /* counter and timer */ - atomic_trefcnt; /* reference count */ + refcount_t refcnt; /* reference count */ struct timer_list timer; /* Expiration timer */ volatile unsigned long timeout;/* timeout */ 
@@ -667,7 +669,7 @@ struct ip_vs_dest { atomic_tconn_flags; /* flags to copy to conn */ atomic_tweight; /* server weight */ - atomic_trefcnt; /* reference counter */ + refcount_t refcnt; /* reference counter */ struct ip_vs_stats stats; /* statistics */ unsigned long idle_start; /* start time, jiffies */ @@ -1211,14 +1213,14 @@ struct ip_vs_conn * ip_vs_conn_out_get_proto(struct netns_ipvs *ipvs, int af, */ static inline bool __ip_vs_conn_get(struct ip_vs_conn *cp) { - return atomic_inc_not_zero(>refcnt); + return refcount_inc_not_zero(>refcnt); } /* put back the conn without restarting its timer */ static inline void __ip_vs_conn_put(struct ip_vs_conn *cp) { smp_mb__before_atomic(); - atomic_dec(>refcnt); + refcount_dec(>refcnt); } void ip_vs_conn_put(struct ip_vs_conn *cp); void ip_vs_conn_fill_cport(struct ip_vs_conn *cp, __be16 cport); @@ -1410,18 +1412,18 @@ void ip_vs_try_bind_dest(struct ip_vs_conn *cp); static inline void ip_vs_dest_hold(struct ip_vs_dest *dest) { - atomic_inc(>refcnt); + refcount_inc(>refcnt); } static inline void ip_vs_dest_put(struct ip_vs_dest *dest) { smp_mb__before_atomic(); - atomic_dec(>refcnt); + refcount_dec(>refcnt); } static inline void ip_vs_dest_put_and_free(struct ip_vs_dest *dest) { - if (atomic_dec_and_test(>refcnt)) + if (refcount_dec_and_test(>refcnt)) kfree(dest); } diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 5ed33ea4718e..65cc2cb005d9 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h @@ -5,6 +5,8 @@ #ifndef _NF_CONNTRACK_EXPECT_H #define _NF_CONNTRACK_EXPECT_H +#include + #include #include @@ -37,7 +39,7 @@ struct nf_conntrack_expect { struct timer_list timeout; /* Usage count. */ - atomic_t use; + refcount_t use; /* Flags */ unsigned int flags; diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h index
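Review bot: __ip_vs_conn_put and ip_vs_dest_put keep smp_mb__before_atomic() in front of the converted refcount_dec(); that barrier helper is specified for the atomic_t API, and refcount_dec() provides release ordering on its own, so either drop the barrier or leave a comment explaining why it is still needed here. Also, the new include comment "for struct refcount_t" mirrors the pre-existing "for struct atomic_t" wording, but refcount_t is a typedef, so "for refcount_t" is the accurate form.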
[PATCH 10/22] netfilter: provide nft_ctx in object init function
From: Florian Westphalthis is needed by the upcoming ct helper object type -- we'd like to be able use the table family (ip, ip6, inet) to figure out which helper has to be requested. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 3 ++- net/netfilter/nf_tables_api.c | 7 --- net/netfilter/nft_counter.c | 3 ++- net/netfilter/nft_quota.c | 3 ++- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index f0d46726d06e..49436849d7d7 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -1017,7 +1017,8 @@ struct nft_object_type { unsigned intmaxattr; struct module *owner; const struct nla_policy *policy; - int (*init)(const struct nlattr * const tb[], + int (*init)(const struct nft_ctx *ctx, + const struct nlattr *const tb[], struct nft_object *obj); void(*destroy)(struct nft_object *obj); int (*dump)(struct sk_buff *skb, diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 4559f5d66bcc..12cc5218de96 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4095,7 +4095,8 @@ static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, }; -static struct nft_object *nft_obj_init(const struct nft_object_type *type, +static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, + const struct nft_object_type *type, const struct nlattr *attr) { struct nlattr *tb[type->maxattr + 1]; @@ -4115,7 +4116,7 @@ static struct nft_object *nft_obj_init(const struct nft_object_type *type, if (obj == NULL) goto err1; - err = type->init((const struct nlattr * const *)tb, obj); + err = type->init(ctx, (const struct nlattr * const *)tb, obj); if (err < 0) goto err2; 
@@ -4223,7 +4224,7 @@ static int nf_tables_newobj(struct net *net, struct sock *nlsk, if (IS_ERR(type)) return PTR_ERR(type); - obj = nft_obj_init(type, nla[NFTA_OBJ_DATA]); + obj = nft_obj_init(, type, nla[NFTA_OBJ_DATA]); if (IS_ERR(obj)) { err = PTR_ERR(obj); goto err1; diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c index 7f8422213341..67a710ebde09 100644 --- a/net/netfilter/nft_counter.c +++ b/net/netfilter/nft_counter.c @@ -82,7 +82,8 @@ static int nft_counter_do_init(const struct nlattr * const tb[], return 0; } -static int nft_counter_obj_init(const struct nlattr * const tb[], +static int nft_counter_obj_init(const struct nft_ctx *ctx, + const struct nlattr * const tb[], struct nft_object *obj) { struct nft_counter_percpu_priv *priv = nft_obj_data(obj); diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c index 2d6fe3559912..25e33159be57 100644 --- a/net/netfilter/nft_quota.c +++ b/net/netfilter/nft_quota.c @@ -99,7 +99,8 @@ static int nft_quota_do_init(const struct nlattr * const tb[], return 0; } -static int nft_quota_obj_init(const struct nlattr * const tb[], +static int nft_quota_obj_init(const struct nft_ctx *ctx, + const struct nlattr * const tb[], struct nft_object *obj) { struct nft_quota *priv = nft_obj_data(obj); -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
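Review bot: changing the ->init prototype in struct nft_object_type affects every object type, so the diffstat needs to cover all in-tree implementations; it touches nft_counter.c and nft_quota.c, which matches the two types defined up to NFT_OBJECT_MAX before 11/22 adds NFT_OBJECT_CT_HELPER, so the conversion is complete. The new ctx parameter is unused in both converted callbacks; that is expected for a preparatory patch, but a line in the message ("unused until the ct helper object type lands") would spare reviewers the check.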
[PATCH 14/22] netfilter: limit: use per-rule spinlock to improve the scalability
From: Liping ZhangThe limit token is independent between each rules, so there's no need to use a global spinlock. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_limit.c | 10 +- net/netfilter/xt_limit.c | 11 ++- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c index c6baf412236d..18dd57a52651 100644 --- a/net/netfilter/nft_limit.c +++ b/net/netfilter/nft_limit.c @@ -17,9 +17,8 @@ #include #include -static DEFINE_SPINLOCK(limit_lock); - struct nft_limit { + spinlock_t lock; u64 last; u64 tokens; u64 tokens_max; @@ -34,7 +33,7 @@ static inline bool nft_limit_eval(struct nft_limit *limit, u64 cost) u64 now, tokens; s64 delta; - spin_lock_bh(_lock); + spin_lock_bh(>lock); now = ktime_get_ns(); tokens = limit->tokens + now - limit->last; if (tokens > limit->tokens_max) @@ -44,11 +43,11 @@ static inline bool nft_limit_eval(struct nft_limit *limit, u64 cost) delta = tokens - cost; if (delta >= 0) { limit->tokens = delta; - spin_unlock_bh(_lock); + spin_unlock_bh(>lock); return limit->invert; } limit->tokens = tokens; - spin_unlock_bh(_lock); + spin_unlock_bh(>lock); return !limit->invert; } @@ -86,6 +85,7 @@ static int nft_limit_init(struct nft_limit *limit, limit->invert = true; } limit->last = ktime_get_ns(); + spin_lock_init(>lock); return 0; } diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c index dab962df1787..d27b5f1ea619 100644 --- a/net/netfilter/xt_limit.c +++ b/net/netfilter/xt_limit.c @@ -18,6 +18,7 @@ #include struct xt_limit_priv { + spinlock_t lock; unsigned long prev; uint32_t credit; }; @@ -32,8 +33,6 @@ MODULE_ALIAS("ip6t_limit"); * see net/sched/sch_tbf.c in the linux source tree */ -static DEFINE_SPINLOCK(limit_lock); - /* Rusty: This is my (non-mathematically-inclined) understanding of this algorithm. The `average rate' in jiffies becomes your initial amount of credit `credit' and the most credit you can ever have 
@@ -72,7 +71,7 @@ limit_mt(const struct sk_buff *skb, struct xt_action_param *par) struct xt_limit_priv *priv = r->master; unsigned long now = jiffies; - spin_lock_bh(_lock); + spin_lock_bh(>lock); priv->credit += (now - xchg(>prev, now)) * CREDITS_PER_JIFFY; if (priv->credit > r->credit_cap) priv->credit = r->credit_cap; @@ -80,11 +79,11 @@ limit_mt(const struct sk_buff *skb, struct xt_action_param *par) if (priv->credit >= r->cost) { /* We're not limited. */ priv->credit -= r->cost; - spin_unlock_bh(_lock); + spin_unlock_bh(>lock); return true; } - spin_unlock_bh(_lock); + spin_unlock_bh(>lock); return false; } @@ -126,6 +125,8 @@ static int limit_mt_check(const struct xt_mtchk_param *par) r->credit_cap = priv->credit; /* Credits full. */ r->cost = user2credits(r->avg); } + spin_lock_init(>lock); + return 0; } -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
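Review bot: in limit_mt_check the new spin_lock_init(&priv->lock) sits after the closing brace of the `if` that sets up r->credit_cap and r->cost, so it runs on every check; that is only correct if `priv` (r->master) is freshly allocated on every path through limit_mt_check, since re-initialising a lock that an existing rule copy is already using would corrupt it. The allocation is outside the hunk context, please confirm. For nft_limit the ordering is fine: spin_lock_init() in nft_limit_init runs before the rule can be evaluated, and the xchg() on priv->prev staying inside the locked region keeps the credit update atomic with respect to the timestamp.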
[PATCH 20/22] ipvs: Document sysctl pmtu_disc
From: Hangbin Liu

Document sysctl pmtu_disc based on commit 3654e61137db ("ipvs: add pmtu_disc option to disable IP DF for TUN packets"). Signed-off-by: Hangbin Liu Signed-off-by: Simon Horman --- Documentation/networking/ipvs-sysctl.txt | 8 1 file changed, 8 insertions(+) diff --git a/Documentation/networking/ipvs-sysctl.txt b/Documentation/networking/ipvs-sysctl.txt index a6feecd467cd..056898685d40 100644 --- a/Documentation/networking/ipvs-sysctl.txt +++ b/Documentation/networking/ipvs-sysctl.txt @@ -175,6 +175,14 @@ nat_icmp_send - BOOLEAN for VS/NAT when the load balancer receives packets from real servers but the connection entries don't exist. +pmtu_disc - BOOLEAN + 0 - disabled + not 0 - enabled (default) + + By default, reject with FRAG_NEEDED all DF packets that exceed + the PMTU, irrespective of the forwarding method. For TUN method + the flag can be disabled to fragment such packets. + secure_tcp - INTEGER 0 - disabled (default) -- 2.1.4
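Review bot: the description states the default ("reject with FRAG_NEEDED all DF packets that exceed the PMTU") and the TUN exception, but not what disabling the knob does for the other forwarding methods; the cited commit title says the option is about TUN packets, so a sentence like "for the other methods the setting has no effect" would make the BOOLEAN entry complete. Small wording fix: "For TUN method" should read "For the TUN method".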
[PATCH 11/22] netfilter: nft_ct: add helper set support
From: Florian Westphalthis allows to assign connection tracking helpers to connections via nft objref infrastructure. The idea is to first specifiy a helper object: table ip filter { ct helper some-name { type "ftp" protocol tcp l3proto ip } } and then assign it via nft add ... ct helper set "some-name" helper assignment works for new conntracks only as we cannot expand the conntrack extension area once it has been committed to the main conntrack table. ipv4 and ipv6 protocols are tracked stored separately so we can also handle families that observe both ipv4 and ipv6 traffic. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 12 ++- net/netfilter/nft_ct.c | 171 +++ 2 files changed, 182 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 4f7d75682c59..34c8d08b687a 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -1259,10 +1259,20 @@ enum nft_fib_flags { NFTA_FIB_F_OIF = 1 << 4, /* restrict to oif */ }; +enum nft_ct_helper_attributes { + NFTA_CT_HELPER_UNSPEC, + NFTA_CT_HELPER_NAME, + NFTA_CT_HELPER_L3PROTO, + NFTA_CT_HELPER_L4PROTO, + __NFTA_CT_HELPER_MAX, +}; +#define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1) + #define NFT_OBJECT_UNSPEC 0 #define NFT_OBJECT_COUNTER 1 #define NFT_OBJECT_QUOTA 2 -#define __NFT_OBJECT_MAX 3 +#define NFT_OBJECT_CT_HELPER 3 +#define __NFT_OBJECT_MAX 4 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) /** diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index bf548a7a71ec..4144ae845bdd 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c 
@@ -32,6 +32,12 @@ struct nft_ct { }; }; +struct nft_ct_helper_obj { + struct nf_conntrack_helper *helper4; + struct nf_conntrack_helper *helper6; + u8 l4proto; +}; + #ifdef CONFIG_NF_CONNTRACK_ZONES static DEFINE_PER_CPU(struct nf_conn *, nft_ct_pcpu_template); static unsigned int nft_ct_pcpu_template_refcnt __read_mostly; 
@@ -730,6 +736,162 @@ static struct nft_expr_type nft_notrack_type __read_mostly = { .owner = THIS_MODULE, }; +static int nft_ct_helper_obj_init(const struct nft_ctx *ctx, + const struct nlattr * const tb[], + struct nft_object *obj) +{ + struct nft_ct_helper_obj *priv = nft_obj_data(obj); + struct nf_conntrack_helper *help4, *help6; + char name[NF_CT_HELPER_NAME_LEN]; + int family = ctx->afi->family; + + if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO]) + return -EINVAL; + + priv->l4proto = nla_get_u8(tb[NFTA_CT_HELPER_L4PROTO]); + if (!priv->l4proto) + return -ENOENT; + + nla_strlcpy(name, tb[NFTA_CT_HELPER_NAME], sizeof(name)); + + if (tb[NFTA_CT_HELPER_L3PROTO]) + family = ntohs(nla_get_be16(tb[NFTA_CT_HELPER_L3PROTO])); + + help4 = NULL; + help6 = NULL; + + switch (family) { + case NFPROTO_IPV4: + if (ctx->afi->family == NFPROTO_IPV6) + return -EINVAL; + + help4 = nf_conntrack_helper_try_module_get(name, family, + priv->l4proto); + break; + case NFPROTO_IPV6: + if (ctx->afi->family == NFPROTO_IPV4) + return -EINVAL; + + help6 = nf_conntrack_helper_try_module_get(name, family, + priv->l4proto); + break; + case NFPROTO_NETDEV: /* fallthrough */ + case NFPROTO_BRIDGE: /* same */ + case NFPROTO_INET: + help4 = nf_conntrack_helper_try_module_get(name, NFPROTO_IPV4, + priv->l4proto); + help6 = nf_conntrack_helper_try_module_get(name, NFPROTO_IPV6, + priv->l4proto); + break; + default: + return -EAFNOSUPPORT; + } + + /* && is intentional; only error if INET found neither ipv4 or ipv6 */ + if (!help4 && !help6) + return -ENOENT; + + priv->helper4 = help4; + priv->helper6 = help6; + + return 0; +} + +static void nft_ct_helper_obj_destroy(struct nft_object *obj) +{ + struct nft_ct_helper_obj *priv = nft_obj_data(obj); + + if (priv->helper4) + module_put(priv->helper4->me); + if (priv->helper6) + module_put(priv->helper6->me); +} + +static void nft_ct_helper_obj_eval(struct nft_object *obj, +
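Review bot: in nft_ct_helper_obj_init a zero NFTA_CT_HELPER_L4PROTO is rejected with -ENOENT, but that is a malformed attribute rather than a missing helper, so -EINVAL (as used for the missing-attribute check two lines above) fits better, leaving -ENOENT for the nf_conntrack_helper_try_module_get() miss at the end. The `&&` comment is accurate for the INET/netdev/bridge case; for the single-family cases the other pointer is NULL, so the check degenerates to the one helper, which is fine. On the NFPROTO_INET path with only one family's helper found, the object is accepted with one NULL pointer, so nft_ct_helper_obj_eval must tolerate a NULL helper4 or helper6; that function is cut off here, please confirm.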
[PATCH 15/22] netfilter: nft_set_rbtree: use per-set rwlock to improve the scalability
From: Liping ZhangKarel Rericha reported that in his test case, ICMP packets going through boxes had normally about 5ms latency. But when running nft, actually listing the sets with interval flags, latency would go up to 30-100ms. This was observed when router throughput is from 600Mbps to 2Gbps. This is because we use a single global spinlock to protect the whole rbtree sets, so "dumping sets" will race with the "key lookup" inevitably. But actually they are all _readers_, so it's ok to convert the spinlock to rwlock to avoid competition between them. Also use per-set rwlock since each set is independent. Reported-by: Karel Rericha Tested-by: Karel Rericha Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_set_rbtree.c | 31 --- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index 78dfbf9588b3..e97e2fb53f0a 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -18,9 +18,8 @@ #include #include -static DEFINE_SPINLOCK(nft_rbtree_lock); - struct nft_rbtree { + rwlock_tlock; struct rb_root root; }; @@ -44,14 +43,14 @@ static bool nft_rbtree_equal(const struct nft_set *set, const void *this, static bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set, const u32 *key, const struct nft_set_ext **ext) { - const struct nft_rbtree *priv = nft_set_priv(set); + struct nft_rbtree *priv = nft_set_priv(set); const struct nft_rbtree_elem *rbe, *interval = NULL; u8 genmask = nft_genmask_cur(net); const struct rb_node *parent; const void *this; int d; - spin_lock_bh(_rbtree_lock); + read_lock_bh(>lock); parent = priv->root.rb_node; while (parent != NULL) { rbe = rb_entry(parent, struct nft_rbtree_elem, node); 
@@ -75,7 +74,7 @@ static bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set, } if (nft_rbtree_interval_end(rbe)) goto out; - spin_unlock_bh(_rbtree_lock); + read_unlock_bh(>lock); *ext = >ext; return true; @@ -85,12 +84,12 @@ static bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set, if (set->flags & NFT_SET_INTERVAL && interval != NULL && nft_set_elem_active(>ext, genmask) && !nft_rbtree_interval_end(interval)) { - spin_unlock_bh(_rbtree_lock); + read_unlock_bh(>lock); *ext = >ext; return true; } out: - spin_unlock_bh(_rbtree_lock); + read_unlock_bh(>lock); return false; } @@ -140,12 +139,13 @@ static int nft_rbtree_insert(const struct net *net, const struct nft_set *set, const struct nft_set_elem *elem, struct nft_set_ext **ext) { + struct nft_rbtree *priv = nft_set_priv(set); struct nft_rbtree_elem *rbe = elem->priv; int err; - spin_lock_bh(_rbtree_lock); + write_lock_bh(>lock); err = __nft_rbtree_insert(net, set, rbe, ext); - spin_unlock_bh(_rbtree_lock); + write_unlock_bh(>lock); return err; } @@ -157,9 +157,9 @@ static void nft_rbtree_remove(const struct net *net, struct nft_rbtree *priv = nft_set_priv(set); struct nft_rbtree_elem *rbe = elem->priv; - spin_lock_bh(_rbtree_lock); + write_lock_bh(>lock); rb_erase(>node, >root); - spin_unlock_bh(_rbtree_lock); + write_unlock_bh(>lock); } static void nft_rbtree_activate(const struct net *net, @@ -224,12 +224,12 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, struct nft_set *set, struct nft_set_iter *iter) { - const struct nft_rbtree *priv = nft_set_priv(set); + struct nft_rbtree *priv = nft_set_priv(set); struct nft_rbtree_elem *rbe; struct nft_set_elem elem; struct rb_node *node; - spin_lock_bh(_rbtree_lock); + read_lock_bh(>lock); for (node = rb_first(>root); node != NULL; node = rb_next(node)) { rbe = rb_entry(node, struct nft_rbtree_elem, node); 
@@ -242,13 +242,13 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx, iter->err = iter->fn(ctx, set, iter, ); if (iter->err < 0) { - spin_unlock_bh(_rbtree_lock); + read_unlock_bh(>lock); return; } cont: iter->count++; } -
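Review bot: the new per-set `rwlock_t lock` in `struct nft_rbtree` is never initialized in the hunks shown; the diffstat (16 insertions, 15 deletions) counts two more insertions and one more deletion than these hunks contain, so an `rwlock_init(&priv->lock)` in the set init function presumably lives in a hunk that did not survive the archive. Please confirm, since a dynamically allocated lock that is only zero-filled by the allocation trips lockdep's "trying to register non-static key" check.

Review bot: dropping `const` from `priv` in `nft_rbtree_lookup` is needed only because `read_lock_bh(&priv->lock)` wants a writable lock; a one-line comment would stop the next cleanup from restoring the const. Also worth stating in the commit message: a read lock still bounces the lock's cache line across CPUs on every packet, so this removes reader/reader blocking (the dump-vs-lookup case from the report) but not the cross-CPU traffic on the lock itself; RCU-protected lookups would be the next step if the latency remains visible.

Review bot: `nft_rbtree_walk` now holds the read lock with BH disabled across every `iter->fn` callback for the whole set, exactly as the old global spinlock did; concurrent lookups no longer wait, but any insert or remove on that set is blocked for the full duration of a dump. That is fine for the control path, but a sentence in the commit message would keep readers from expecting writers to benefit from this change.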
[PATCH 02/22] netfilter: nft_hash: rename nft_hash to nft_jhash
From: Laura Garcia LiebanaThis patch renames the local nft_hash structure and functions to nft_jhash in order to prepare the nft_hash module code to add new hash functions. Signed-off-by: Laura Garcia Liebana Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_hash.c | 36 ++-- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c index eb2721af898d..ccb834ef049b 100644 --- a/net/netfilter/nft_hash.c +++ b/net/netfilter/nft_hash.c @@ -17,7 +17,7 @@ #include #include -struct nft_hash { +struct nft_jhash { enum nft_registers sreg:8; enum nft_registers dreg:8; u8 len; @@ -26,11 +26,11 @@ struct nft_hash { u32 offset; }; -static void nft_hash_eval(const struct nft_expr *expr, - struct nft_regs *regs, - const struct nft_pktinfo *pkt) +static void nft_jhash_eval(const struct nft_expr *expr, + struct nft_regs *regs, + const struct nft_pktinfo *pkt) { - struct nft_hash *priv = nft_expr_priv(expr); + struct nft_jhash *priv = nft_expr_priv(expr); const void *data = >data[priv->sreg]; u32 h; @@ -47,11 +47,11 @@ static const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = { [NFTA_HASH_OFFSET] = { .type = NLA_U32 }, }; -static int nft_hash_init(const struct nft_ctx *ctx, -const struct nft_expr *expr, -const struct nlattr * const tb[]) +static int nft_jhash_init(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nlattr * const tb[]) { - struct nft_hash *priv = nft_expr_priv(expr); + struct nft_jhash *priv = nft_expr_priv(expr); u32 len; int err; @@ -92,10 +92,10 @@ static int nft_hash_init(const struct nft_ctx *ctx, NFT_DATA_VALUE, sizeof(u32)); } -static int nft_hash_dump(struct sk_buff *skb, -const struct nft_expr *expr) +static int nft_jhash_dump(struct sk_buff *skb, + const struct nft_expr *expr) { - const struct nft_hash *priv = nft_expr_priv(expr); + const struct nft_jhash *priv = nft_expr_priv(expr); if (nft_dump_register(skb, NFTA_HASH_SREG, priv->sreg)) goto nla_put_failure; 
@@ -117,17 +117,17 @@ static int nft_hash_dump(struct sk_buff *skb, } static struct nft_expr_type nft_hash_type; -static const struct nft_expr_ops nft_hash_ops = { +static const struct nft_expr_ops nft_jhash_ops = { .type = _hash_type, - .size = NFT_EXPR_SIZE(sizeof(struct nft_hash)), - .eval = nft_hash_eval, - .init = nft_hash_init, - .dump = nft_hash_dump, + .size = NFT_EXPR_SIZE(sizeof(struct nft_jhash)), + .eval = nft_jhash_eval, + .init = nft_jhash_init, + .dump = nft_jhash_dump, }; static struct nft_expr_type nft_hash_type __read_mostly = { .name = "hash", - .ops= _hash_ops, + .ops= _jhash_ops, .policy = nft_hash_policy, .maxattr= NFTA_HASH_MAX, .owner = THIS_MODULE, -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
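Review bot: the last hunk keeps `nft_hash_type`, `nft_hash_policy` and the "hash" expression name under the old spelling while the struct, ops and callbacks move to `nft_jhash`; that split is right if the upcoming hash functions are meant to share one expression type and attribute policy, but the commit message should say so, because a reader of this patch alone cannot tell whether the leftover `nft_hash_*` names are an oversight. The rename itself is mechanical and consistent across all five hunks.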
[PATCH 01/22] netfilter: nft_exthdr: Allow checking TCP option presence, too
From: Phil Sutter

Honor NFT_EXTHDR_F_PRESENT flag so we check if the TCP option is present. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_exthdr.c | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c index c308920b194c..d212a85d2f33 100644 --- a/net/netfilter/nft_exthdr.c +++ b/net/netfilter/nft_exthdr.c @@ -98,14 +98,21 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, goto err; offset = i + priv->offset; - dest[priv->len / NFT_REG32_SIZE] = 0; - memcpy(dest, opt + offset, priv->len); + if (priv->flags & NFT_EXTHDR_F_PRESENT) { + *dest = 1; + } else { + dest[priv->len / NFT_REG32_SIZE] = 0; + memcpy(dest, opt + offset, priv->len); + } return; } err: - regs->verdict.code = NFT_BREAK; + if (priv->flags & NFT_EXTHDR_F_PRESENT) + *dest = 0; + else + regs->verdict.code = NFT_BREAK; } static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = { -- 2.1.4
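Review bot: in the `err:` path, `*dest = 0` is now written for every jump to that label, not only for "option list walked, option not found". If any of the exits before the option loop (non-TCP packet, header that cannot be pulled) also jump to `err:`, a rule like "tcp option X exists" evaluates to false on a non-TCP or truncated packet instead of breaking, which changes what a following `== 0` comparison matches; if that is intended, say so in a comment at the label, otherwise keep NFT_BREAK for those exits and write 0 only after the loop. Minor: `offset = i + priv->offset` is computed but unused in the presence branch, and `*dest = 1` assumes the init path restricts `priv->len` to a single register when NFT_EXTHDR_F_PRESENT is set.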
[PATCH nf v2 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register
From: Gao Feng

In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack snmp helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the snmp_helper is never registered. But it still tries to unregister the snmp_helper, it could cause the panic. Now remove the useless snmp_helper and the unregister call in the error handler. Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper") Signed-off-by: Gao Feng --- v2: Add the SHA1 ID in the description, per Sergei v1: Initial version net/ipv4/netfilter/nf_nat_snmp_basic.c | 14 +- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c index c9b52c3..5787364 100644 --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c +++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c @@ -1260,16 +1260,6 @@ static int help(struct sk_buff *skb, unsigned int protoff, .timeout= 180, }; -static struct nf_conntrack_helper snmp_helper __read_mostly = { - .me = THIS_MODULE, - .help = help, - .expect_policy = _exp_policy, - .name = "snmp", - .tuple.src.l3num= AF_INET, - .tuple.src.u.udp.port = cpu_to_be16(SNMP_PORT), - .tuple.dst.protonum = IPPROTO_UDP, -}; - static struct nf_conntrack_helper snmp_trap_helper __read_mostly = { .me = THIS_MODULE, .help = help, @@ -1294,10 +1284,8 @@ static int __init nf_nat_snmp_basic_init(void) RCU_INIT_POINTER(nf_nat_snmp_hook, help); ret = nf_conntrack_helper_register(_trap_helper); - if (ret < 0) { - nf_conntrack_helper_unregister(_helper); + if (ret < 0) return ret; - } return ret; } -- 1.9.1
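Review bot: in the `nf_nat_snmp_basic_init` hunk, `RCU_INIT_POINTER(nf_nat_snmp_hook, help)` runs before `nf_conntrack_helper_register(&snmp_trap_helper)`, and the error path now simply returns `ret`, which leaves the hook pointing at `help` inside a module whose init failed and is about to be unloaded; reset the hook to NULL before returning, or register the helper first and install the hook only on success. Style: `if (ret < 0) return ret; return ret;` is redundant after the removal; `return nf_conntrack_helper_register(&snmp_trap_helper);` says the same thing.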
Re: [PATCH] netfilter: fix the warning on unused refcount variable
Applied.
[PATCH] netfilter: fix the warning on unused refcount variable
Signed-off-by: Elena Reshetova
--- net/netfilter/nfnetlink_acct.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c index f44cbd3..c86da17 100644 --- a/net/netfilter/nfnetlink_acct.c +++ b/net/netfilter/nfnetlink_acct.c @@ -326,7 +326,6 @@ static int nfnl_acct_get(struct net *net, struct sock *nfnl, static int nfnl_acct_try_del(struct nf_acct *cur) { int ret = 0; - unsigned int refcount; /* We want to avoid races with nfnl_acct_put. So only when the current * refcnt is 1, we decrease it to 0. -- 2.7.4
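Review bot: the commit message is only a Signed-off-by; it should state that the local `refcount` became unused after the refcount_t conversion and carry a `Fixes: b54ab92b84b6 ("netfilter: refcounter conversions")` tag, since the linux-next report in this thread names that commit as the origin of the warning. The hunk itself is correct: the comment that follows the removed line refers to the object's refcnt, not to the deleted local.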
Re: [PATCH nf 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register
Hello!

On 3/20/2017 4:44 AM, f...@ikuai8.com wrote:

> From: Gao Feng
>
> In the commit ("netfilter: nf_conntrack: nf_conntrack snmp helper"),

Need to specify the 12-digit SHA1 ID as well.

> the snmp_helper is replaced by nf_nat_snmp_hook. So the snmp_helper is never registered. But it still tries to unregister the snmp_helper, it could cause the panic. Now remove the useless snmp_helper and the unregister call in the error handler.
>
> Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper")
> Signed-off-by: Gao Feng

[...]

MBR, Sergei
Re: linux-next: build warning after merge of the netfilter-next tree
Hi Elena,

On Mon, 20 Mar 2017 07:00:13 + "Reshetova, Elena" wrote:
>
> > After merging the netfilter-next tree, today's linux-next build (x86_64
> > allmodconfig) produced this warning:
> >
> > net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del':
> > net/netfilter/nfnetlink_acct.c:329:15: warning: unused variable 'refcount' [-Wunused-variable]
> >   unsigned int refcount;
> >                ^
> >
> > Introduced by commit
>
> Ups, sorry about this, slipped through. Should I submit a fix or how do you
> want to handle this?

That's up to Pablo, but presumably you should send him a followup patch.

--
Cheers,
Stephen Rothwell
[PATCH] ulogd: add +1 char for null char
This is a bit zealous to fix like this, but it seems to work. The crash was reproduced on ppc32, with GCC 5.4 & musl libc 1.1.16. And also on LEDE (mips_24kc and ARM): https://github.com/openwrt/packages/issues/4123 https://github.com/openwrt/packages/issues/4090 I personally saw it on ppc32. The offending code was in `pluginstance_alloc_init()` line 671: ``` memcpy(pi->id, pi_id, sizeof(pi->id)); ``` Seems that it would copy 1 char from the stack, and that caused some failsafes to kick in. This fix addresses the issue directly. Maybe a more appropriate rework of string stuff would be needed. What I also noticed, is that there's also places in the code that define name[ULOGD_MAX_KEYLEN+1] and some that don't add the +1 char. Basically, this just aligns the remaining bits of code that don't add the +1 char. Signed-off-by: Alexandru Ardelean--- output/sqlite3/ulogd_output_SQLITE3.c | 6 +++--- src/ulogd.c | 2 +- util/db.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/output/sqlite3/ulogd_output_SQLITE3.c b/output/sqlite3/ulogd_output_SQLITE3.c index 20ceb3b..ea66061 100644 --- a/output/sqlite3/ulogd_output_SQLITE3.c +++ b/output/sqlite3/ulogd_output_SQLITE3.c @@ -48,7 +48,7 @@ struct field { TAILQ_ENTRY(field) link; - char name[ULOGD_MAX_KEYLEN]; + char name[ULOGD_MAX_KEYLEN+1]; /* +1 for null char */ struct ulogd_key *key; }; @@ -214,7 +214,7 @@ sqlite3_createstmt(struct ulogd_pluginstance *pi) { struct sqlite3_priv *priv = (void *)pi->private; struct field *f; - char buf[ULOGD_MAX_KEYLEN]; + char buf[ULOGD_MAX_KEYLEN+1]; /* +1 for null char */ char *underscore; char *stmt_pos; int i, cols = 0; @@ -305,7 +305,7 @@ static int sqlite3_init_db(struct ulogd_pluginstance *pi) { struct sqlite3_priv *priv = (void *)pi->private; - char buf[ULOGD_MAX_KEYLEN]; + char buf[ULOGD_MAX_KEYLEN+1]; char *underscore; struct field *f; sqlite3_stmt *schema_stmt; diff --git a/src/ulogd.c b/src/ulogd.c index 5b9a586..0d6a367 100644 --- a/src/ulogd.c 
+++ b/src/ulogd.c @@ -942,7 +942,7 @@ static int create_stack(const char *option) /* PASS 1: find and instanciate plugins of stack, link them together */ for (tok = strtok(buf, ",\n"); tok; tok = strtok(NULL, ",\n")) { char *plname, *equals; - char pi_id[ULOGD_MAX_KEYLEN]; + char pi_id[ULOGD_MAX_KEYLEN+1]; /* +1 for the null char */ struct ulogd_pluginstance *pi; struct ulogd_plugin *pl; diff --git a/util/db.c b/util/db.c index c9aec41..6af4555 100644 --- a/util/db.c +++ b/util/db.c @@ -96,7 +96,7 @@ static int sql_createstmt(struct ulogd_pluginstance *upi) if (strncasecmp(procedure,"INSERT", strlen("INSERT")) == 0 && (procedure[strlen("INSERT")] == '\0' || procedure[strlen("INSERT")] == ' ')) { - char buf[ULOGD_MAX_KEYLEN]; + char buf[ULOGD_MAX_KEYLEN+1]; /* +1 for null char */ char *underscore; if(procedure[6] == '\0') { -- 2.7.4
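Review bot: the `sqlite3_init_db` hunk is the only one of the five that grows the buffer without the `/* +1 for null char */` comment; add it for consistency, or better, give the `ULOGD_MAX_KEYLEN+1` buffer size one named definition so the +1 cannot be forgotten in the next declaration, which is the "more appropriate rework" the commit message itself asks for.

Review bot: the `create_stack` hunk fixes the crash only because `sizeof(pi->id)` in `pluginstance_alloc_init` matches the new `pi_id[ULOGD_MAX_KEYLEN+1]`; with the old `pi_id[ULOGD_MAX_KEYLEN]` the `memcpy(pi->id, pi_id, sizeof(pi->id))` quoted in the message read one byte past the end of the stack buffer. Copying with `sizeof(pi_id)` instead, or using a bounded string copy that terminates explicitly, would tie the length to the source buffer and keep the two declarations from drifting apart again, and the commit message should state plainly that the bug is a one-byte stack over-read rather than "seems that it would copy 1 char from the stack". Minor: "instanciate" in the context comment.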
RE: linux-next: build warning after merge of the netfilter-next tree
> Hi all,
>
> After merging the netfilter-next tree, today's linux-next build (x86_64
> allmodconfig) produced this warning:
>
> net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del':
> net/netfilter/nfnetlink_acct.c:329:15: warning: unused variable 'refcount' [-Wunused-variable]
>   unsigned int refcount;
>                ^
>
> Introduced by commit

Ups, sorry about this, slipped through. Should I submit a fix or how do you want to handle this?

Best Regards,
Elena.

> b54ab92b84b6 ("netfilter: refcounter conversions")
>
> --
> Cheers,
> Stephen Rothwell