[PATCH v2 3/3] ebtables: Add string filter

2018-03-20 Thread Bernie Harris
This patch is part of a proposal to add a string filter to ebtables, which would be similar to the string filter in iptables. Like iptables, the ebtables filter uses the xt_string module. Signed-off-by: Bernie Harris --- net/netfilter/xt_string.c | 1 + 1 file

[ebtables PATCH v2] Add string filter to ebtables

2018-03-20 Thread Bernie Harris
This patch is part of a proposal to add a string filter to ebtables, which would be similar to the string filter in iptables. Like iptables, the ebtables filter uses the xt_string module, however some modifications have been made for this to work correctly. Currently ebtables assumes that the

[PATCH v2 2/3] ebtables: Add support for specifying match revision

2018-03-20 Thread Bernie Harris
Currently ebtables assumes that the revision number of all match modules is 0, which is an issue when trying to use existing xtables matches with ebtables. The solution is to modify ebtables to allow extensions to specify a revision number, similar to iptables. This gets passed down to the kernel,

[PATCH v2 1/3] net: Allow to and from offsets to be equal in skb_find_text

2018-03-20 Thread Bernie Harris
The xt_string module uses skb_find_text to match a pattern against packet data. The current behaviour is that the offsets are used as the range in which a match can start, with the 'to' offset being included in that range. This means that to do an exact match for a string at a specific offset, the
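As an added illustration of the offset semantics this summary describes (example code written for this page, not the kernel's skb_find_text() or the xt_string module): a user-space search in which [from, to] is the inclusive range of positions at which a match may start, and an exact match at one offset is expressed as from == to, which is what the patch title says the change permits. The function names and the HTTP sample payload are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NO_MATCH UINT_MAX

/* Constructed sample payload standing in for a packet's data. */
const char SAMPLE_PAYLOAD[] = "GET /index.html HTTP/1.1\r\nHost: example.org\r\n";
#define SAMPLE_LEN (sizeof(SAMPLE_PAYLOAD) - 1)

/*
 * Search 'data' for 'pattern', accepting only matches that START at an
 * offset in the inclusive range [from, to]; that is the range semantics the
 * patch summary describes. Returns the match offset relative to 'from', or
 * UINT_MAX when no match starts inside the range. Illustrative user-space
 * code, not the kernel's textsearch/skb_find_text() implementation.
 */
unsigned int find_text_in_range(const unsigned char *data, size_t len,
                                const char *pattern,
                                unsigned int from, unsigned int to)
{
    size_t plen = strlen(pattern);
    unsigned int start;

    if (from > to || plen == 0 || plen > len)
        return NO_MATCH;

    /* A match must fit entirely inside the buffer, so clamp 'to'. */
    if (to > len - plen)
        to = (unsigned int)(len - plen);

    for (start = from; start <= to; start++)
        if (memcmp(data + start, pattern, plen) == 0)
            return start - from;

    return NO_MATCH;
}

/*
 * Exact match at one offset: with from == to the permitted start range is a
 * single position, which is what "allow to and from offsets to be equal"
 * makes expressible. Returns 1 on match, 0 otherwise.
 */
int matches_exactly_at(const unsigned char *data, size_t len,
                       const char *pattern, unsigned int offset)
{
    return find_text_in_range(data, len, pattern, offset, offset) == 0;
}

int main(void)
{
    const unsigned char *p = (const unsigned char *)SAMPLE_PAYLOAD;

    /* "HTTP" starts at offset 16 of the sample payload. */
    printf("HTTP, start in [0,16]: %u\n",
           find_text_in_range(p, SAMPLE_LEN, "HTTP", 0, 16));   /* 16 */
    printf("HTTP, start in [0,10]: %u\n",
           find_text_in_range(p, SAMPLE_LEN, "HTTP", 0, 10));   /* UINT_MAX */
    printf("HTTP exactly at 16: %d\n",
           matches_exactly_at(p, SAMPLE_LEN, "HTTP", 16));      /* 1 */
    printf("HTTP exactly at 15: %d\n",
           matches_exactly_at(p, SAMPLE_LEN, "HTTP", 15));      /* 0 */
    return 0;
}
```

The point of the range being a range of start positions, with 'to' inclusive, is that a rule wanting "this string at exactly offset N and nowhere else" has to collapse the range to a single position; if from == to is rejected, the smallest range the rule can ask for is two positions.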

[PATCH] netfilter: ipset: Use is_zero_ether_addr instead of static and memcmp

2018-03-20 Thread Joe Perches
To make the test a bit clearer and to reduce object size a little.
Miscellanea:
o remove now unnecessary static const array
$ size ip_set_hash_mac.o*
   text    data     bss     dec     hex filename
  22822    4619      64   27505    6b71 ip_set_hash_mac.o.allyesconfig.new
  22932    4683

Re: [PATCH nf-next 0/2] ebtables: add support for ICMP and IGMP type/code matching

2018-03-20 Thread Pablo Neira Ayuso
On Sun, Mar 04, 2018 at 09:28:52AM +0100, Matthias Schiffer wrote: > I recently found myself in a situation that required me to filter IGMP > packets of certain types on a bridge. Switching to nftables is > unfortunately not an option at the moment because of hardware constraints, > in particular

Re: [PATCH libnftnl v2] examples: add nft-ct-helper-{add,get,del}

2018-03-20 Thread Pablo Neira Ayuso
On Tue, Mar 20, 2018 at 10:53:22PM +0800, Yang Zheng wrote: > nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the > specified table. > > Examples: > % ./nft-ct-helper-get ip filter > > % ./nft-ct-helper-add ip filter sip-5060 sip udp > % ./nft-ct-helper-get ip

[PATCH libnftnl v2] examples: add nft-ct-helper-{add,get,del}

2018-03-20 Thread Yang Zheng
nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the specified table. Examples: % ./nft-ct-helper-get ip filter % ./nft-ct-helper-add ip filter sip-5060 sip udp % ./nft-ct-helper-get ip filter table filter name sip-5060 use 0 [ ct_helper name sip family 2

[PATCH nf] netfilter: nf_tables: add missing netlink attrs to policies

2018-03-20 Thread Florian Westphal
Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements") Fixes: f25ad2e907f1 ("netfilter: nf_tables: prepare for expressions associated to set elements") Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute") Signed-off-by: Florian Westphal

Re: [RFC PATCH] netfilter: nf_tables: nf_tables_allow_nat_conflict() can be static

2018-03-20 Thread Pablo Neira Ayuso
On Mon, Mar 19, 2018 at 04:39:33PM +0100, Florian Westphal wrote: > kbuild test robot wrote: > > -bool nf_tables_allow_nat_conflict(const struct net *net, > > - const struct nf_hook_ops *ops) > > +static bool nf_tables_allow_nat_conflict(const struct

Re: [PATCH nf] netfilter: nf_tables: meter: pick a set backend that supports updates

2018-03-20 Thread Pablo Neira Ayuso
On Wed, Mar 14, 2018 at 01:37:58PM +0100, Florian Westphal wrote: > in nftables, 'meter' can be used to instantiate a hash-table at run > time: > > rule add filter forward iif "internal" meter hostacct { ip saddr counter} > nft list meter ip filter hostacct > table ip filter { > meter hostacct

Re: [PATCH nf] netfilter: nf_tables: permit second nat hook if colliding hook is going away

2018-03-20 Thread Pablo Neira Ayuso
On Sun, Mar 18, 2018 at 07:22:39PM +0100, Florian Westphal wrote: > Sergei Trofimovich reported that restoring an nft ruleset doesn't work > anymore unless old rule content is flushed first. > > The problem stems from a recent change designed to prevent multiple nat > hooks at the same hook point

Re: [PATCH] Net: netfilter: Replace printk() with pr_*() and define pr_fmt()

2018-03-20 Thread Pablo Neira Ayuso
On Mon, Mar 12, 2018 at 06:36:29PM +0530, Arushi Singhal wrote: > Using pr_() is more concise than printk(KERN_). > This patch: > * Replace printks having a log level with the appropriate > pr_*() macros. > * Define pr_fmt() to include relevant name. > * Remove redundant prefixes from pr_*()

Re: [PATCH] netfilter: nfnetlink_cthelper: Remove VLA usage

2018-03-20 Thread Pablo Neira Ayuso
On Mon, Mar 12, 2018 at 07:21:38PM -0500, Gustavo A. R. Silva wrote: > In preparation to enabling -Wvla, remove VLA and replace it > with dynamic memory allocation. > > From a security viewpoint, the use of Variable Length Arrays can be > a vector for stack overflow attacks. Also, in general, as

Re: [PATCH] xt_conntrack: Support bit-shifting for CONNMARK & MARK targets.

2018-03-20 Thread Pablo Neira Ayuso
On Mon, Mar 19, 2018 at 09:41:59AM +1300, Jack Ma wrote: > This patch introduces a new feature that allows bitshifting (left > and right) operations to co-operate with existing iptables options. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the

Re: [PATCH] netfilter: ebtables: use ADD_COUNTER macro

2018-03-20 Thread Pablo Neira Ayuso
On Wed, Mar 14, 2018 at 11:36:53PM +0900, Taehee Yoo wrote: > xtables uses ADD_COUNTER macro to increase > packet and byte count. ebtables also can use this. Applied to nf-next, thanks. Please, specify your tree target next time, i.e. [PATCH nf-next] blah Thanks!

Re: [PATCH v2] netfilter: nf_tables: remove VLA usage

2018-03-20 Thread Pablo Neira Ayuso
On Mon, Mar 12, 2018 at 10:16:17PM -0500, Gustavo A. R. Silva wrote: > In preparation to enabling -Wvla, remove VLA and replace it > with dynamic memory allocation. > > From a security viewpoint, the use of Variable Length Arrays can be > a vector for stack overflow attacks. Also, in general, as

Re: [PATCH] netfilter: cttimeout: remove VLA usage

2018-03-20 Thread Pablo Neira Ayuso
On Mon, Mar 12, 2018 at 06:14:42PM -0500, Gustavo A. R. Silva wrote: > In preparation to enabling -Wvla, remove VLA and replace it > with dynamic memory allocation. > > From a security viewpoint, the use of Variable Length Arrays can be > a vector for stack overflow attacks. Also, in general, as
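The three VLA-removal patches quoted above (nfnetlink_cthelper, nf_tables, cttimeout) all apply the same pattern. The following is an added user-space sketch of that pattern, not code from the netfilter tree: a scratch array sized from a count carried in an untrusted message, first as a VLA and then as a bounded heap allocation. The message format, MAX_ENTRIES and the function names are assumptions made for the illustration; malloc/free stand in for kmalloc_array/kfree.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ENTRIES 1024   /* assumed sane upper bound on entries per message */

/* Constructed messages: 4-byte big-endian count, then count 2-byte values. */
const uint8_t SAMPLE_MSG[] = { 0, 0, 0, 3, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
#define SAMPLE_MSG_LEN sizeof(SAMPLE_MSG)
const uint8_t TRUNCATED_MSG[] = { 0, 0, 0, 3, 0x01, 0x02 };   /* claims 3, carries 1 */
#define TRUNCATED_MSG_LEN sizeof(TRUNCATED_MSG)

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Shared header check: -1 if the body is shorter than the count claims. */
static int parse_header(const uint8_t *msg, size_t len, uint32_t *count)
{
    if (len < 4)
        return -1;
    *count = rd32(msg);
    if (*count > (len - 4) / 2)
        return -1;
    return 0;
}

/* Before: scratch array is a VLA, so the sender decides how much stack is used. */
long long sum_values_vla(const uint8_t *msg, size_t len)
{
    uint32_t count, i;
    long long sum = 0;

    if (parse_header(msg, len, &count) < 0)
        return -1;
    if (count == 0)
        return 0;

    uint16_t vals[count];                 /* VLA sized by untrusted input */
    for (i = 0; i < count; i++)
        vals[i] = rd16(msg + 4 + 2 * i);
    for (i = 0; i < count; i++)
        sum += vals[i];
    return sum;
}

/* After: an explicit bound, then a heap allocation of that bounded size. */
long long sum_values_heap(const uint8_t *msg, size_t len)
{
    uint32_t count, i;
    long long sum = 0;
    uint16_t *vals;

    if (parse_header(msg, len, &count) < 0)
        return -1;
    if (count > MAX_ENTRIES)              /* -EINVAL in kernel code */
        return -1;
    if (count == 0)
        return 0;

    vals = malloc(count * sizeof *vals);  /* kmalloc_array() in the kernel */
    if (!vals)
        return -2;                        /* -ENOMEM */
    for (i = 0; i < count; i++)
        vals[i] = rd16(msg + 4 + 2 * i);
    for (i = 0; i < count; i++)
        sum += vals[i];
    free(vals);                           /* kfree() */
    return sum;
}

/* Builds a well-formed message with MAX_ENTRIES + 1 entries of value 1 and
 * feeds it to one variant: the VLA version accepts it (and grows the stack
 * frame to match), the heap version rejects it with -1. */
long long run_oversized(int use_heap)
{
    uint32_t n = MAX_ENTRIES + 1, i;
    size_t len = 4 + 2 * (size_t)n;
    uint8_t *msg = malloc(len);
    long long r;

    if (!msg)
        return -2;
    msg[0] = (uint8_t)(n >> 24); msg[1] = (uint8_t)(n >> 16);
    msg[2] = (uint8_t)(n >> 8);  msg[3] = (uint8_t)n;
    for (i = 0; i < n; i++) {
        msg[4 + 2 * i] = 0;
        msg[5 + 2 * i] = 1;
    }
    r = use_heap ? sum_values_heap(msg, len) : sum_values_vla(msg, len);
    free(msg);
    return r;
}

int main(void)
{
    printf("vla  sample:    %lld\n", sum_values_vla(SAMPLE_MSG, SAMPLE_MSG_LEN));
    printf("heap sample:    %lld\n", sum_values_heap(SAMPLE_MSG, SAMPLE_MSG_LEN));
    printf("vla  oversized: %lld\n", run_oversized(0));
    printf("heap oversized: %lld\n", run_oversized(1));
    return 0;
}
```

In user space the VLA variant only becomes a problem at counts in the millions, but kernel stacks are a few pages (16 KiB on x86-64) and are shared with every caller up the chain, which is why a count that is merely consistent with the message's own length is not a sufficient bound; the explicit limit plus heap allocation is the shape all three patches take.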

Re: [PATCH 1/2 conntrackd] src: add ARRAY_SIZE definition

2018-03-20 Thread Jan Engelhardt
On Tuesday 2018-03-20 12:47, Pablo Neira Ayuso wrote: >Signed-off-by: Pablo Neira Ayuso >--- > include/conntrackd.h | 4 > include/helper.h | 2 -- > 2 files changed, 4 insertions(+), 2 deletions(-) > >diff --git a/include/conntrackd.h b/include/conntrackd.h >index

Re: [PATCH libmnl] attr: zero attribute padding

2018-03-20 Thread Pablo Neira Ayuso
On Sun, Mar 18, 2018 at 07:37:41PM +0100, Florian Westphal wrote: > Sergei Trofimovich reports 'uninitialized bytes' warnings from nftables: > > Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s) >at 0x55B9EFB: sendmsg (in /lib64/libc-2.25.so) >by 0x43E658:

Re: [nft PATCH 0/6] A set of patches resulting from running tests/shell

2018-03-20 Thread Pablo Neira Ayuso
On Mon, Mar 19, 2018 at 06:02:01PM +0100, Phil Sutter wrote: > This series is the result of me trying to get all tests in tests/shell > to pass. Sadly I wasn't fully successful, these two still fail: > > - testcases/sets/0028autoselect_0 > - testcases/sets/0031set_timeout_size_0 These need

Re: [PATCH 2/2 nf-next] netfilter: SYNPROXY: don't proxy invalid PSH,ACK packets

2018-03-20 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Tue, Mar 20, 2018 at 12:43:33PM +0100, Florian Westphal wrote: > > I don't understand why push,ack is invalid in first place. > > If we do not have a valid connection at this point then a pure > > ack would have same effect (reset), no? > >

Re: [PATCH 2/2 nf-next] netfilter: SYNPROXY: don't proxy invalid PSH,ACK packets

2018-03-20 Thread Pablo Neira Ayuso
On Tue, Mar 20, 2018 at 12:43:33PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > The example rule in the iptables-extensions(8) manpage suggests: > > > > iptables -A INPUT -i eth0 -p tcp --dport 80 > > -m state --state UNTRACKED,INVALID

[PATCH 1/2 conntrackd] src: add ARRAY_SIZE definition

2018-03-20 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- include/conntrackd.h | 4 include/helper.h | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/conntrackd.h b/include/conntrackd.h index ece702543082..81dff221e96d 100644 --- a/include/conntrackd.h +++
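Review bot: the diffstat moves ARRAY_SIZE out of include/helper.h (2 deletions) into include/conntrackd.h (4 insertions), so any source file that picked the macro up through helper.h alone now needs conntrackd.h included; the new definition should also be wrapped in #ifndef ARRAY_SIZE / #endif so it does not collide with a system or library header that already provides one.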

[PATCH 2/2 conntrackd] conntrackd: add TCP flag support

2018-03-20 Thread Pablo Neira Ayuso
Back in 2008, there was no TCP flags support in the kernel, hence the workaround was to infer the flags from the TCP state. This patch is implicitly fixing a problem, since the existing RETRANS and UNACK TCP conntrack states plus the _CLOSE_INIT flag that is bogusly inferred (to be frank, it was

[PATCH nf-next,RFC] netfilter: nf_conntrack_tcp: reset entry only from CLOSE and TIME_WAIT states

2018-03-20 Thread Pablo Neira Ayuso
Before this patch, if TCP state is < TIME_WAIT, we skip this logic. Over time, we got new states over the TIME_WAIT value, such as SYN_SENT2, RETRANS and UNACK, that can trigger this conntrack entry reset, however this check was never updated. My understanding is that we should only exercise the

Re: [PATCH 2/2 nf-next] netfilter: SYNPROXY: don't proxy invalid PSH,ACK packets

2018-03-20 Thread Florian Westphal
Pablo Neira Ayuso wrote: > The example rule in the iptables-extensions(8) manpage suggests: > > iptables -A INPUT -i eth0 -p tcp --dport 80 > -m state --state UNTRACKED,INVALID -j SYNPROXY > --sack-perm --timestamp --mss 1460

[PATCH 2/2 nf-next] netfilter: SYNPROXY: don't proxy invalid PSH,ACK packets

2018-03-20 Thread Pablo Neira Ayuso
The example rule in the iptables-extensions(8) manpage suggests: iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss 1460 --wscale 9 This is allowing invalid PSH,ACK packets to enter

[PATCH 1/2 nf-next,v2] netfilter: ctnetlink: synproxy support

2018-03-20 Thread Pablo Neira Ayuso
This patch exposes synproxy information per-conntrack. Moreover, send sequence adjustment events once the server sends us the SYN,ACK packet, so we can synchronize the sequence adjustment too for packets going as reply from the server, as part of the synproxy logic. Signed-off-by: Pablo Neira Ayuso

Re: [PATCH libnftnl] examples: add nft-ct-helper-{add,get,del}

2018-03-20 Thread Arturo Borrero Gonzalez
On 19 March 2018 at 18:19, Yang Zheng wrote: > nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the > specified table. > It would be great if you extend a bit the commit message with your tests: % ./nft-ct-helper-get % ./nft-ct-helper-add %

Re: [nft PATCH 0/6] A set of patches resulting from running tests/shell

2018-03-20 Thread Arturo Borrero Gonzalez
On 19 March 2018 at 18:02, Phil Sutter wrote: > This series is the result of me trying to get all tests in tests/shell > to pass. Sadly I wasn't fully successful, these two still fail: > > - testcases/sets/0028autoselect_0 > - testcases/sets/0031set_timeout_size_0 > > I had a look at