Concurrent iptables-restore calls clobbering each other

2017-02-03 Thread Shaun Crampton
Hi, I'm trying to diagnose an incompatibility between my application (Project Calico's Felix daemon) and another (Kubernetes' kube-proxy). Both are (ab)using iptables-restore to do high-speed bulk updates to iptables and they're both using --noflush so they can use iptables-restore to edit only

[PATCH nft] statement: Print NAT IPv4 address in nat_stmt_print()

2017-02-03 Thread Elise Lennion
The case which "nat.addr != NULL && nat.proto != NULL && type != ipv6" wasn't caught in nat_stmt_print(). Now all cases should be considered. Also, the if statements were reorganized to get rid of one nested if. Fixes(Bug 1117 - Table ipv4-nat prerouting dnat doesn't accept dest IP:PORT)

Re: Concurrent iptables-restore calls clobbering each other

2017-02-03 Thread Jan Engelhardt
On Friday 2017-02-03 21:37, Shaun Crampton wrote: > >I'm trying to diagnose an incompatibility between my application >(Project Calico's Felix daemon) and another (Kubernetes' kube-proxy). >Both are (ab)using iptables-restore to do high-speed bulk updates to >iptables and they're both using

Re: [PATCH 00/27] Netfilter updates for net-next

2017-02-03 Thread David Miller
From: Pablo Neira Ayuso Date: Fri, 3 Feb 2017 13:25:11 +0100 > The following patchset contains Netfilter updates for your net-next > tree, they are: ... > You can pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git Pulled,

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-02-03 Thread Paul Moore
On Tue, Jan 31, 2017 at 2:44 PM, Richard Guy Briggs wrote: > On 2017-01-31 17:13, Steve Grubb wrote: ... >> I was curious about something. Auparse is trying to interpret the >> icmptype field for every event. This is not good. Which fields are >> valid for each kind of packet?

[PATCH 01/27] netfilter: merge udp and udplite conntrack helpers

2017-02-03 Thread Pablo Neira Ayuso
From: Florian Westphal udplite was copied from udp, they are virtually 100% identical. This adds udplite tracker to udp instead, removes udplite module, and then makes the udplite tracker builtin. udplite will then simply re-use udp timeout settings. It makes little sense to

[PATCH 02/27] netfilter: nat: merge udp and udplite helpers

2017-02-03 Thread Pablo Neira Ayuso
From: Florian Westphal udplite nat was copied from udp nat, they are virtually 100% identical. Not really surprising given udplite is just udp with partial csum coverage. old: text data bss dec hex filename 11606 1457 210 13273 33d9 nf_nat.ko

[PATCH 03/27] netfilter: nf_tables: add missing descriptions in nft_ct_keys

2017-02-03 Thread Pablo Neira Ayuso
From: Liping Zhang We missed to add descriptions about NFT_CT_LABELS, NFT_CT_PKTS and NFT_CT_BYTES, now add it. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 3 +++ 1

[PATCH 04/27] netfilter: nft_ct: add average bytes per packet support

2017-02-03 Thread Pablo Neira Ayuso
From: Liping Zhang Similar to xt_connbytes, user can match how many average bytes per packet a connection has transferred so far. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso ---

[PATCH 09/27] iptables: use match, target and data copy_to_user helpers

2017-02-03 Thread Pablo Neira Ayuso
From: Willem de Bruijn Convert iptables to copying entries, matches and targets one by one, using the xt_match_to_user and xt_target_to_user helper functions. Signed-off-by: Willem de Bruijn Signed-off-by: Pablo Neira Ayuso ---

[PATCH 08/27] xtables: add xt_match, xt_target and data copy_to_user functions

2017-02-03 Thread Pablo Neira Ayuso
From: Willem de Bruijn xt_entry_target, xt_entry_match and their private data may contain kernel data. Introduce helper functions xt_match_to_user, xt_target_to_user and xt_data_to_user that copy only the expected fields. These replace existing logic that calls copy_to_user

[PATCH -next 0/9] nftables: add zone support to ct statement

2017-02-03 Thread Florian Westphal
This adds the ability to set the conntrack zone from nftables, i.e. native replacement for -j CT --zone $number. See individual patches for details. This will need more documentation and exposure of the builtin hook priorities (e.g. via defines?) so users can more easily see what's happening.

[PATCH libnftnl 4/9] src: ct: add zone support

2017-02-03 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/linux/netfilter/nf_tables.h | 2 ++ src/expr/ct.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index

[PATCH nf-next 2/9] netfilter: nft_ct: prepare for key-dependent error unwind

2017-02-03 Thread Florian Westphal
Next patch will add ZONE_ID set support which will need similar error unwind (put operation) as conntrack labels. Prepare for this: remove the 'label_got' boolean in favor of a switch statement that can be extended in next patch. As we already have that in the set_destroy function place that in

[PATCH nftables 9/9] tests: add test entries for conntrack zones

2017-02-03 Thread Florian Westphal
Signed-off-by: Florian Westphal --- tests/py/any/ct.t | 13 + tests/py/any/ct.t.payload | 44 2 files changed, 57 insertions(+) diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t index 2cfbfe13ccd2..6f32d29c0c40

[PATCH nftables 7/9] ct: refactor print function so it can be re-used for ct statement

2017-02-03 Thread Florian Westphal
Once directional zone support is added we also need to print the direction of the statement, so factor the common code to re-use this helper from the statement print function. Signed-off-by: Florian Westphal --- src/ct.c | 13 + 1 file changed, 9 insertions(+), 4

[PATCH nftables 6/9] src: add conntrack zone support

2017-02-03 Thread Florian Westphal
This enables zone get/set support. As the zone can be optionally tied to a direction as well we need a new token for this (unless we turn reply/original into tokens in which case we could handle zone via STRING). There was some discussion on how zone set support should be handled, especially

[PATCH nftables 5/9] src: add host byte order integer type

2017-02-03 Thread Florian Westphal
This is needed once we add support to set a zone, as in ct zone set 42 Using integer_type makes nft use big-endian representation of the zone id instead of the required host byte order. When using 'ct zone 1', things will work because the (implicit) relational operation makes sure that the left

[PATCH 25/27] netfilter: merge ctinfo into nfct pointer storage area

2017-02-03 Thread Pablo Neira Ayuso
From: Florian Westphal After this change conntrack operations (lookup, creation, matching from ruleset) only access one instead of two sk_buff cache lines. This works for normal conntracks because those are allocated from a slab that guarantees hw cacheline or 8byte alignment

[PATCH 19/27] netfilter: conntrack: no need to pass ctinfo to error handler

2017-02-03 Thread Pablo Neira Ayuso
From: Florian Westphal It is never accessed for reading and the only places that write to it are the icmp(6) handlers, which also set skb->nfct (and skb->nfctinfo). The conntrack core specifically checks for attached skb->nfct after ->error() invocation and returns early in this

[PATCH 23/27] netfilter: add and use nf_ct_set helper

2017-02-03 Thread Pablo Neira Ayuso
From: Florian Westphal Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff. This avoids changing code in followup patch that merges skb->nfct and skb->nfctinfo into skb->_nfct. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

[PATCH 15/27] netfilter: pkttype: unnecessary to check ipv6 multicast address

2017-02-03 Thread Pablo Neira Ayuso
From: Liping Zhang Since there's no broadcast address in IPv6, in the ipv6 family PACKET_LOOPBACK must be multicast packets, so there's no need to check it again. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso ---

[PATCH 00/27] Netfilter updates for net-next

2017-02-03 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter updates for your net-next tree, they are: 1) Stash ctinfo 3-bit field into pointer to nf_conntrack object from sk_buff so we only access one single cacheline in the conntrack hotpath. Patchset from Florian Westphal. 2) Don't leak pointer

[PATCH 22/27] skbuff: add and use skb_nfct helper

2017-02-03 Thread Pablo Neira Ayuso
From: Florian Westphal Followup patch renames skb->nfct and changes its type so add a helper to avoid intrusive rename change later. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/linux/skbuff.h

[PATCH 21/27] netfilter: reduce direct skb->nfct usage

2017-02-03 Thread Pablo Neira Ayuso
From: Florian Westphal Next patch makes direct skb->nfct access illegal, reduce noise in next patch by using accessors we already have. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/ip_vs.h

[PATCH 14/27] xtables: extend matches and targets with .usersize

2017-02-03 Thread Pablo Neira Ayuso
From: Willem de Bruijn In matches and targets that define a kernel-only tail to their xt_match and xt_target data structs, add a field .usersize that specifies up to where data is to be shared with userspace. Performed a search for comment "Used internally by the kernel" to

[PATCH 18/27] netfilter: nf_tables: Eliminate duplicated code in nf_tables_table_enable()

2017-02-03 Thread Pablo Neira Ayuso
From: Feng If something fails in nf_tables_table_enable(), it unregisters the chains. But the rollback code is almost the same as nf_tables_table_disable(), except there is one counter check. Now create one wrapper function to eliminate the duplicated code. Signed-off-by:

[PATCH 12/27] ebtables: use match, target and data copy_to_user helpers

2017-02-03 Thread Pablo Neira Ayuso
From: Willem de Bruijn Convert ebtables to copying entries, matches and targets one by one. The solution is analogous to that of generic xt_(match|target)_to_user helpers, but is applied to different structs. Convert existing ebt_make_XXXname helpers that overwrite

[PATCH 13/27] xtables: use match, target and data copy_to_user helpers in compat

2017-02-03 Thread Pablo Neira Ayuso
From: Willem de Bruijn Convert compat to copying entries, matches and targets one by one, using the xt_match_to_user and xt_target_to_user helper functions. Signed-off-by: Willem de Bruijn Signed-off-by: Pablo Neira Ayuso ---

[PATCH 16/27] netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family

2017-02-03 Thread Pablo Neira Ayuso
From: Liping Zhang After adding the following nft rule, then ping 224.0.0.1: # nft add rule netdev t c pkttype host counter The warning complain message will be printed out again and again: WARNING: CPU: 0 PID: 10182 at net/netfilter/nft_meta.c:163 \

[PATCH 07/27] netfilter: xt_connlimit: use rb_entry()

2017-02-03 Thread Pablo Neira Ayuso
From: Geliang Tang To make the code clearer, use rb_entry() instead of container_of() to deal with rbtree. Signed-off-by: Geliang Tang Signed-off-by: Pablo Neira Ayuso --- net/netfilter/xt_connlimit.c | 4 ++-- 1 file

[PATCH 10/27] ip6tables: use match, target and data copy_to_user helpers

2017-02-03 Thread Pablo Neira Ayuso
From: Willem de Bruijn Convert ip6tables to copying entries, matches and targets one by one, using the xt_match_to_user and xt_target_to_user helper functions. Signed-off-by: Willem de Bruijn Signed-off-by: Pablo Neira Ayuso ---

[PATCH 11/27] arptables: use match, target and data copy_to_user helpers

2017-02-03 Thread Pablo Neira Ayuso
From: Willem de Bruijn Convert arptables to copying entries, matches and targets one by one, using the xt_match_to_user and xt_target_to_user helper functions. Signed-off-by: Willem de Bruijn Signed-off-by: Pablo Neira Ayuso ---

[PATCH ulogd2] adjust ulogd.logrotate to match ulogd.conf

2017-02-03 Thread Kaarle Ritvanen
Signed-off-by: Kaarle Ritvanen --- ulogd.logrotate | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ulogd.logrotate b/ulogd.logrotate index b3fb6d1..a865353 100644 --- a/ulogd.logrotate +++ b/ulogd.logrotate @@ -1,4 +1,4 @@ -/var/log/ulogd.log

[PATCH nftables] statement: fix print of ip dnat address

2017-02-03 Thread Florian Westphal
the change causes non-ipv6 addresses to not be printed at all in case a nfproto was given. Also add a test case to catch this. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1117 Fixes: 5ab0e10fc6e2c22363a ("src: support for RFC2732 IPv6 address format with brackets") Signed-off-by: