[PATCH] netfilter: xt_TEE: Fix potential deadlock when TEE target is inserted

2017-09-03 Thread Taehee Yoo
When the xt_TEE target is inserted, lockdep warns about a possible DEADLOCK situation. To avoid the deadlock situation, register_netdevice_notifier() should be called only by the init routine. The reproduce command is: # iptables -I INPUT -j TEE --oif enp3s0 --gateway 192.168.0.1 The warning message is: [

[PATCH] netfilter: ipt_CLUSTERIP: Fix potential deadlock when CLUSTERIP target is inserted

2017-09-03 Thread Taehee Yoo
When the ipt_CLUSTERIP target is inserted, lockdep warns about a possible DEADLOCK situation. To avoid the deadlock situation, register_netdevice_notifier() should be called only by the init routine. The reproduce command is: # iptables -A INPUT -p tcp -i enp3s0 -d 192.168.0.5 --dport 80 \ -j CLUSTERIP --new

Re: [PATCH] netfilter: xt_TEE: Fix potential deadlock when TEE target is inserted

2017-09-03 Thread Jan Engelhardt
On Sunday 2017-09-03 16:30, Taehee Yoo wrote: >When xt_TEE target is inserted, lockdep warns about possible >DEADLOCK situation. to avoid deadlock situation >the register_netdevice_notifier() should be called by only init routine. > >+#include > > struct xt_tee_tginfo { > union

On ulogd2, nfacct and sqlite3

2017-09-03 Thread DEXTER
Hi Guys! I was searching for a _simple_ way to account traffic per host and found numerous methods just by googling, but none of them were simple. Then I stumbled upon ulogd2 and this page: https://home.regit.org/2012/07/flow-accounting-with-netfilter-and-ulogd2/ Which is almost something I

Re: [PATCH] netfilter: xt_TEE: Fix potential deadlock when TEE target is inserted

2017-09-03 Thread Taehee Yoo
2017-09-04 0:32 GMT+09:00 Jan Engelhardt : > > On Sunday 2017-09-03 16:30, Taehee Yoo wrote: > >>When xt_TEE target is inserted, lockdep warns about possible >>DEADLOCK situation. to avoid deadlock situation >>the register_netdevice_notifier() should be called by only init

[PATCH V2] netfilter: xt_TEE: Fix potential deadlock when TEE target is inserted

2017-09-03 Thread Taehee Yoo
When the xt_TEE target is inserted, lockdep warns about a possible DEADLOCK situation. To avoid the deadlock situation, register_netdevice_notifier() should be called only by the init routine. The reproduce command is: # iptables -I INPUT -j TEE --oif enp3s0 --gateway 192.168.0.1 The warning message is: [

[PATCH 02/47] netfilter: nf_tables: keep chain counters away from hot path

2017-09-03 Thread Pablo Neira Ayuso
These chain counters are only used by the iptables-compat tool, that allow users to use the x_tables extensions from the existing nf_tables framework. This patch makes nf_tables by ~5% for the general usecase, ie. native nft users, where no chain counters are used at all. Signed-off-by: Pablo

[PATCH 08/47] netfilter: expect: add and use nf_ct_expect_iterate helpers

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal We have several spots that open-code an expect walk; add a helper that is similar to nf_ct_iterate_destroy/nf_ct_iterate_cleanup. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso ---

[PATCH 06/47] netfilter: nf_tables: add fib expression to the netdev family

2017-09-03 Thread Pablo Neira Ayuso
From: "Pablo M. Bermudo Garay" Add fib expression support for the netdev family. Like the inet family, netdev delegates the actual decision to the corresponding backend, either ipv4 or ipv6. This allows performing very early reverse path filtering, among other things. You can find

[PATCH 10/47] netfilter: conntrack: destroy functions need to free queued packets

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Queued skbs might be using conntrack extensions that are being removed, such as timeout. This happens for skbs that have a skb->nfct in unconfirmed state (i.e., not in the hash table yet). This is destructive, but there are only two use cases: - module

[PATCH 05/47] netfilter: nf_tables: fib: use skb_header_pointer

2017-09-03 Thread Pablo Neira Ayuso
From: "Pablo M. Bermudo Garay" This is a preparatory patch for adding fib support to the netdev family. The netdev family receives the packets from ingress hook. At this point we have no guarantee that the ip header is linear. So this patch replaces ip_hdr with

[PATCH 07/47] netfilter: conntrack: Change to deferrable work queue

2017-09-03 Thread Pablo Neira Ayuso
From: "subas...@codeaurora.org" Delayed workqueue causes wakeups to idle CPUs. This was causing a power impact for devices. Use a deferrable work queue instead so that gc_worker runs only when the CPU is active. Signed-off-by: Subash Abhinov Kasiviswanathan

[PATCH 03/47] netfilter: Remove duplicated rcu_read_lock.

2017-09-03 Thread Pablo Neira Ayuso
From: Taehee Yoo This patch removes duplicate rcu_read_lock(). 1. IPVS part: According to Julian Anastasov's mention, contexts of ipvs are described at: http://marc.info/?l=netfilter-devel=149562884514072=2, in summary: - packet RX/TX: does not need locks because packets

[PATCH 04/47] netfilter: nf_tables: Attach process info to NFT_MSG_NEWGEN notifications

2017-09-03 Thread Pablo Neira Ayuso
From: Phil Sutter This is helpful for 'nft monitor' to track which process caused a given change to the ruleset. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 2 ++

[PATCH 00/47] Netfilter updates for net-next

2017-09-03 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter updates for your net-next tree. Basically, updates to the conntrack core, enhancements for nf_tables, conversion of netfilter hooks from linked list to array to improve memory locality, and assorted improvements for the Netfilter codebase. More

[PATCH 09/47] netfilter: add and use nf_ct_unconfirmed_destroy

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal This also removes __nf_ct_unconfirmed_destroy() call from nf_ct_iterate_cleanup_net, so that function can be used only when missing conntracks from unconfirmed list isn't a problem. Signed-off-by: Florian Westphal Signed-off-by: Pablo

[PATCH 01/47] netfilter: expect: add to hash table after expect init

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Assuming we have lockless readers, we should make sure they can only see expectations that have already been initialized. hlist_add_head_rcu acts as a memory barrier; move it after timer setup. Theoretically we could crash due to a del_timer() on other cpu

Re: [nft PATCH 1/2] src: add flags for nft_ctx_new

2017-09-03 Thread Pablo Neira Ayuso
On Mon, Sep 04, 2017 at 12:03:55AM +0200, Eric Leblond wrote: > By adding flags to nft_ctx_new, we will have a minimum capability > of changing the way the nft_ctx is created. > > For now, this patch uses a simple value that allows the user to specify > that he will handle netlink by himself. >

Re: [nft PATCH 2/2] src: get rid of printf

2017-09-03 Thread Pablo Neira Ayuso
On Mon, Sep 04, 2017 at 12:03:56AM +0200, Eric Leblond wrote: > This patch introduces the nft_print_to_output_ctx function that has > to be used instead of printf to output information that was > previously sent to stdout. This function accumulates the output in > a buffer that can be fetched by

[PATCH 37/47] netfilter: conntrack: print_conntrack only needed if CONFIG_NF_CONNTRACK_PROCFS

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack_l4proto.h | 7 --- net/netfilter/nf_conntrack_proto_dccp.c | 6 ++

[PATCH 34/47] netfilter: conntrack: remove protocol name from l4proto struct

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal No need to waste storage for something that is only needed in one place and can be deduced from the protocol number. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso ---

[PATCH 33/47] netfilter: conntrack: remove protocol name from l3proto struct

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal No need to waste storage for something that is only needed in one place and can be deduced from the protocol number. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso ---

[PATCH 35/47] netfilter: conntrack: reduce size of l4protocol trackers

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Can use u16 for both; shrinks size by another 8 bytes. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack_l4proto.h | 4 ++-- 1 file changed, 2 insertions(+), 2

[PATCH 29/47] netfilter: exthdr: tcp option set support

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal This allows setting 2 and 4 byte quantities in the tcp option space. Main purpose is to allow native replacement for xt_TCPMSS to work around pmtu blackholes. Writes to kind and len are now allowed at the moment, it does not seem useful to do this as it

[PATCH 31/47] netfilter: nf_nat_h323: fix logical-not-parentheses warning

2017-09-03 Thread Pablo Neira Ayuso
From: Nick Desaulniers Clang produces the following warning: net/ipv4/netfilter/nf_nat_h323.c:553:6: error: logical not is only applied to the left hand side of this comparison [-Werror,-Wlogical-not-parentheses] if (!set_h225_addr(skb, protoff, data, dataoff, taddr,

[PATCH 26/47] netfilter: use audit_log()

2017-09-03 Thread Pablo Neira Ayuso
From: Geliang Tang Use audit_log() instead of open-coding it. Signed-off-by: Geliang Tang Signed-off-by: Pablo Neira Ayuso --- net/bridge/netfilter/ebtables.c | 13 - net/netfilter/x_tables.c| 14

[PATCH 24/47] netfilter: connlimit: merge root4 and root6.

2017-09-03 Thread Pablo Neira Ayuso
From: Taehee Yoo The root4 variable is used only when the connlimit extension module has been stored by the iptables command, and the root6 variable is used only when the connlimit extension module has been stored by the ip6tables command. So the root4 and root6 variables do not

[PATCH 32/47] netfilter: conntrack: compute l3proto nla size at compile time

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Avoids a pointer and allows the struct to be const later on. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack_l3proto.h | 19 ---

[PATCH 28/47] netfilter: exthdr: split netlink dump function

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal So eval and upcoming eval_set versions can reuse a common helper. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_exthdr.c | 16 +++- 1 file changed, 11

[PATCH 27/47] netfilter: exthdr: factor out tcp option access

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_exthdr.c | 33 + 1 file changed, 21 insertions(+), 12 deletions(-) diff --git

[PATCH 25/47] netfilter: remove prototype of netfilter_queue_init

2017-09-03 Thread Pablo Neira Ayuso
From: Taehee Yoo The netfilter_queue_init() has been removed, so we can remove its prototype. Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_internals.h | 1 - 1 file changed, 1 deletion(-)

Re: [nft PATCH 1/2] src: add flags for nft_ctx_new

2017-09-03 Thread Pablo Neira Ayuso
On Mon, Sep 04, 2017 at 12:33:09AM +0200, Pablo Neira Ayuso wrote: > On Mon, Sep 04, 2017 at 12:03:55AM +0200, Eric Leblond wrote: > > By adding flags to nft_ctx_new, we will have a minimum capability > > of changing the way the nft_ctx is created. > > > > For now, this patch uses a simple

Re: [PATCH nf-next 3/5] netlink: add NLM_F_NONREC flag for deletion requests

2017-09-03 Thread Pablo Neira Ayuso
On Sun, Sep 03, 2017 at 05:14:18PM -0700, David Miller wrote: > > I only see patches 3, 4, and 5 of this series. > > If this is meant for net-next inclusion, you'll have to submit it such that > I see the entire series on netdev and thus in patchwork. I'm posting this new NLM_F_NONREC for

Re: [PATCH nf-next 3/5] netlink: add NLM_F_NONREC flag for deletion requests

2017-09-03 Thread David Miller
I only see patches 3, 4, and 5 of this series. If this is meant for net-next inclusion, you'll have to submit it such that I see the entire series on netdev and thus in patchwork. Thanks.

[PATCH nf-next 1/5] netfilter: nf_tables: add nf_tables_updchain()

2017-09-03 Thread Pablo Neira Ayuso
nf_tables_newchain() is too large, wrap the chain update path in a function to make it more maintainable. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 170 +++--- 1 file changed, 92 insertions(+), 78 deletions(-)

[PATCH nf-next 2/5] netfilter: nf_tables: add nf_tables_addchain()

2017-09-03 Thread Pablo Neira Ayuso
Wrap the chain addition path in a function to make it more maintainable. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 199 ++ 1 file changed, 106 insertions(+), 93 deletions(-) diff --git

[PATCH nf-next 3/5] netlink: add NLM_F_NONREC flag for deletion requests

2017-09-03 Thread Pablo Neira Ayuso
In the last NFWS in Faro, Portugal, we discussed that netlink is lacking the semantics to request non-recursive deletions, i.e. do not delete an object iff it has child objects that hang from this parent object that the user requests to be deleted. We need this new flag to solve a problem for the

[PATCH nf-next 5/5] netfilter: nf_tables: support for recursive chain deletion

2017-09-03 Thread Pablo Neira Ayuso
This patch sorts out an asymmetry in deletions. Currently, table and set deletion commands come with an implicit content flush on deletion. However, chain deletion results in -EBUSY if there is content in this chain, so no implicit flush happens. So you have to send a flush command in first place

[PATCH nf-next 4/5] netfilter: nf_tables: use NLM_F_NONREC for deletion requests

2017-09-03 Thread Pablo Neira Ayuso
Bail out if the user requests non-recursive deletion for tables and sets. This new flag tells the nf_tables netlink interface to reject deletions if tables and sets have content. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 8 +++- 1 file changed, 7

[nft PATCH 0/2] libnftables preparation work

2017-09-03 Thread Eric Leblond
Hi, Here are two patches related to libnftables preparation work. The first one is changing the way a nft_ctx is created, to be able to skip the netlink init function call and also to have some freedom later. The second one is getting the printf out. This is completely changed from what was

[nft PATCH 2/2] src: get rid of printf

2017-09-03 Thread Eric Leblond
This patch introduces the nft_print_to_output_ctx function that has to be used instead of printf to output information that was previously sent to stdout. This function accumulates the output in a buffer that can be fetched by the user with the nft_ctx_get_output() function. This modification

[nft PATCH 1/2] src: add flags for nft_ctx_new

2017-09-03 Thread Eric Leblond
By adding flags to nft_ctx_new, we will have a minimum capability of changing the way the nft_ctx is created. For now, this patch uses a simple value that allows the user to specify that he will handle netlink by himself. Signed-off-by: Eric Leblond --- include/nftables.h | 4

[PATCH 13/47] netfilter: nf_tables: No need to check chain existence when tracing

2017-09-03 Thread Pablo Neira Ayuso
From: Phil Sutter nft_trace_notify() is called only from __nft_trace_packet(), which assigns its parameter 'chain' to info->chain. __nft_trace_packet() in turn later dereferences 'chain' unconditionally, which indicates that it's never NULL. Same does nft_do_chain(), the only user

[PATCH 16/47] netfilter: nf_tables: Allow chain name of up to 255 chars

2017-09-03 Thread Pablo Neira Ayuso
From: Phil Sutter Same conversion as for table names, use NFT_NAME_MAXLEN as upper boundary as well. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h| 4 ++--

[PATCH 15/47] netfilter: nf_tables: Allow table names of up to 255 chars

2017-09-03 Thread Pablo Neira Ayuso
From: Phil Sutter Allocate all table names dynamically to allow for arbitrary lengths, but introduce NFT_NAME_MAXLEN as an upper sanity boundary. Its value was chosen to allow using a domain name as per RFC 1035. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira

[PATCH 18/47] netfilter: nf_tables: Allow object names of up to 255 chars

2017-09-03 Thread Pablo Neira Ayuso
From: Phil Sutter Same conversion as for table names, use NFT_NAME_MAXLEN as upper boundary as well. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h| 2 +-

[PATCH 19/47] netfilter: nft_set_rbtree: use seqcount to avoid lock in most cases

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Switch to lockless lookup. The write side now also increments the sequence counter. On lookup, sample the counter value and only take the lock if we did not find a match and the counter has changed. This avoids the need to write to the private area in normal (lookup) cases.

[PATCH 17/47] netfilter: nf_tables: Allow set names of up to 255 chars

2017-09-03 Thread Pablo Neira Ayuso
From: Phil Sutter Same conversion as for table names, use NFT_NAME_MAXLEN as upper boundary as well. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h| 2 +-

[PATCH 14/47] netlink: Introduce nla_strdup()

2017-09-03 Thread Pablo Neira Ayuso
From: Phil Sutter This is similar to strdup() for netlink string attributes. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- include/net/netlink.h | 1 + lib/nlattr.c | 24 2 files changed, 25

[PATCH 12/47] netfilter: nf_hook_ops structs can be const

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal We no longer place these on a list so they can be const. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- drivers/net/ipvlan/ipvlan_main.c | 2 +- net/bridge/br_netfilter_hooks.c

[PATCH 11/47] netfilter: nfnetlink_queue: don't queue dying conntracks to userspace

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal When skb is queued to userspace it leaves softirq/rcu protection. skb->nfct (via conntrack extensions such as helper) could then reference modules that no longer exist if the conntrack was not yet confirmed. nf_ct_iterate_destroy() will set the DYING bit

[PATCH 20/47] netfilter: conntrack: do not enable connection tracking unless needed

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Discussion during NFWS 2017 in Faro has shown that the current conntrack behaviour is unreasonable. Even if the conntrack module is loaded on behalf of a single net namespace, it's turned on for all namespaces, which is expensive. Commit 481fa373476

[PATCH 21/47] netfilter: xtables: Remove unused variable in compat_copy_entry_from_user()

2017-09-03 Thread Pablo Neira Ayuso
From: Taehee Yoo The target variable is not used in compat_copy_entry_from_user(), so it can be removed. Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/arp_tables.c | 2 --

[PATCH 22/47] netfilter: constify nf_conntrack_l3/4proto parameters

2017-09-03 Thread Pablo Neira Ayuso
From: Julia Lawall When a nf_conntrack_l3/4proto parameter is not on the left hand side of an assignment, its address is not taken, and it is not passed to a function that may modify its fields, then it can be declared as const. This change is useful from a documentation

[PATCH 23/47] netfilter: constify nf_loginfo structures

2017-09-03 Thread Pablo Neira Ayuso
From: Julia Lawall The nf_loginfo structures are only passed as the seventh argument to nf_log_trace, which is declared as const or stored in a local const variable. Thus the nf_loginfo structures themselves can be const. Done with the help of Coccinelle. // @r disable

[PATCH 30/47] netfilter: rt: add support to fetch path mss

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal To be used in combination with tcp option set support to mimic iptables TCPMSS --clamp-mss-to-pmtu. v2: Eric Dumazet points out dst must be initialized. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

[PATCH 38/47] netfilter: conntrack: make protocol tracker pointers const

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Doesn't change generated code, but will make it easier to eventually make the actual trackers themselves const. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso ---

[PATCH 45/47] netfilter: Remove NFDEBUG()

2017-09-03 Thread Pablo Neira Ayuso
From: Varsha Rao Remove NFDEBUG and use pr_debug() instead of it. Signed-off-by: Varsha Rao Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_internals.h | 6 -- net/netfilter/nf_sockopt.c | 2 +- 2 files changed, 1

[PATCH 39/47] netfilter: ebtables: fix indent on if statements

2017-09-03 Thread Pablo Neira Ayuso
From: Colin Ian King The returns on some if statements are not indented correctly, add in the missing tab. Signed-off-by: Colin Ian King Signed-off-by: Pablo Neira Ayuso --- net/bridge/netfilter/ebt_ip.c | 4 ++--

[PATCH 36/47] netfilter: conntrack: place print_tuple in procfs part

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal CONFIG_NF_CONNTRACK_PROCFS is deprecated, no need to use a function pointer in the trackers for this. Place the printf formatting in the one place that uses it. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

[PATCH 41/47] netfilter: convert hook list to an array

2017-09-03 Thread Pablo Neira Ayuso
From: Aaron Conole This converts the storage and layout of netfilter hook entries from a linked list to an array. After this commit, hook entries will be stored adjacent in memory. The next pointer is no longer required. The ops pointers are stored at the end of the array

[PATCH 43/47] netfilter: core: batch nf_unregister_net_hooks synchronize_net calls

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Re-add batching in nf_unregister_net_hooks(). Similar as before, just store an array with to-be-freed rule arrays on the stack, then call synchronize_net once per batch. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

[PATCH 47/47] netfilter: rt: account for tcp header size too

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal This needs to account for the ipv4/ipv6 header size and the tcp header without options. Fixes: 6b5dc98e8fac0 ("netfilter: rt: add support to fetch path mss") Reported-by: Matteo Croce Signed-off-by: Florian Westphal

[PATCH 46/47] netfilter: conntrack: remove unused code in nf_conntrack_proto_generic.c

2017-09-03 Thread Pablo Neira Ayuso
From: Davide Caratti L4 protocol helpers for DCCP, SCTP and UDPlite can't be built as kernel modules anymore, so we can remove code enclosed in #ifdef CONFIG_NF_CT_PROTO_{DCCP,SCTP,UDPLITE}_MODULE Signed-off-by: Davide Caratti Signed-off-by: Pablo

[PATCH 40/47] netfilter: fix a few (harmless) sparse warnings

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal net/netfilter/nft_payload.c:187:18: warning: incorrect type in return expression (expected bool got restricted __sum16 [usertype] check) net/netfilter/nft_exthdr.c:222:14: warning: cast to restricted __be32 net/netfilter/nft_rt.c:49:23: warning: incorrect

[PATCH 44/47] netfilter: conntrack: don't log "invalid" icmpv6 connections

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal When enabling logging for invalid connections we currently also log most icmpv6 types, which we don't track intentionally (e.g. neigh discovery). "invalid" should really mean "invalid", i.e. short header or bad checksum. We don't do any logging for

[PATCH 42/47] netfilter: debug: check for sorted array

2017-09-03 Thread Pablo Neira Ayuso
From: Florian Westphal Make sure our grow/shrink routine places them in the correct order. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/core.c | 23 +++ 1 file changed, 23

Re: [PATCH 00/47] Netfilter updates for net-next

2017-09-03 Thread David Miller
From: Pablo Neira Ayuso Date: Mon, 4 Sep 2017 00:25:42 +0200 > The following patchset contains Netfilter updates for your net-next > tree. Basically, updates to the conntrack core, enhancements for > nf_tables, conversion of netfilter hooks from linked list to array to >