_match_one()")
Signed-off-by: Fernando Fernandez Mancera
---
net/netfilter/nfnetlink_osf.c | 4
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 6f41dd74729d..1f1d90c1716b 100644
--- a/net/netfilter/nfnetlink_osf.c
+++
ux 4.19 kicks in, the osf finds no match because the
TCP options pointer is updated after checking for the TCP options in the first
line.
Therefore, reset the pointer back to where it should be.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Signed-off-by: Fernando
Hi,
I have been updating the pf.os signatures with more recent OS
fingerprints. I have checked out new Linux, FreeBSD and OpenBSD but only
Linux and FreeBSD needed new ones. I have been doing this because it is
related with my work during the last Google Summer of Code. In addition,
Michal Zalewsk
Hi Pablo,
On 2/8/19 5:07 PM, Pablo Neira Ayuso wrote:
> Hi Fernando,
>
> On Fri, Feb 08, 2019 at 03:06:00PM +0100, Fernando Fernandez Mancera wrote:
>> Hi,
>>
>> I have been updating the pf.os signatures with more recent OS
>> fingerprints. I have checked out n
;
> http://patchwork.ozlabs.org/project/netfilter-devel/list/
>
> Anyway, no worries, comments below.
>
> On Wed, Mar 06, 2019 at 01:44:35PM +0100, Fernando Fernandez Mancera wrote:
>> Add version option support to the nftables "osf" expression.
>>
>> Signed-of
I have some notes, comments below. Thanks!
On 3/6/19 5:55 PM, Fernando Fernandez Mancera wrote:
> Sorry about the wrong mailing list, it was a mistake. I am fine with
> your comments so I am going to send a v2. Thanks.
>
> On 3/6/19 5:15 PM, Pablo Neira Ayuso wrote:
>> Ups,
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
doc/libnftables-json.adoc | 7 +-
src/json.c | 13 +++
src/parser_json.c | 48 ++-
3 files changed, 66 insertions(+), 2 deletions
ot;
}
}
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
include/expression.h | 1 +
include/linux/netfilter/nf_tables.h | 6 ++
include/osf.h | 3 ++-
src/netlink_delinearize.c | 4
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
doc/primary-expression.txt | 2 ++
1 file changed, 2 insertions(+)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index d819b24..a62ed00 100644
--- a/doc/primary-expression.txt
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
files/osf/pf.os | 40 ++--
1 file changed, 14 insertions(+), 26 deletions(-)
diff --git a/files/osf/pf.os b/files/osf/pf.os
index 7612d76..35cbb47 100644
--- a/files
After noticing that some fingerprints are outdated, we have updated the most common
of them.
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
files/osf/pf.os | 6 ++
1 file changed, 6 insertions(+)
diff --git a/files/osf/pf.os b/files/osf/pf.os
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
tests/py/inet/osf.t | 4 +++
tests/py/inet/osf.t.json | 16 +
tests/py/inet/osf.t.payload | 66 +
3 files changed, 86 insertions(+)
diff --git a
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now uint32_t
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/osf.c | 17 +
3 files changed, 20 insertions(+)
diff --git a
Add version option support to the nftables "osf" expression.
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32 and using snprintf() instead of strlcat()
---
include/linux/netfilter/nfnetlink_osf.h | 11 ++---
include/uapi/linux/netfilter/n
Hi Phil,
On 3/13/19 10:44 AM, Phil Sutter wrote:
> Hi Fernando,
>
> On Mon, Mar 11, 2019 at 04:14:12PM +0100, Fernando Fernandez Mancera wrote:
>> Add support for version fingerprint in "osf" expression. Example:
>>
>> table ip foo {
>> chain b
On 3/13/19 12:27 PM, Phil Sutter wrote:
> On Wed, Mar 13, 2019 at 11:14:04AM +0100, Fernando Fernandez Mancera wrote:
>> Hi Phil,
>>
>> On 3/13/19 10:44 AM, Phil Sutter wrote:
>>> Hi Fernando,
>>>
>>> On Mon, Mar 11, 2019 at 04:14:12PM +0100, Fe
Hi Phil,
On 3/13/19 4:06 PM, Phil Sutter wrote:
> Hi Fernando,
>
> On Wed, Mar 13, 2019 at 03:15:51PM +0100, Fernando Fernandez Mancera wrote:
>> On 3/13/19 12:27 PM, Phil Sutter wrote:
>>> On Wed, Mar 13, 2019 at 11:14:04AM +0100, Fernando Fernandez Mancera wrote:
>
On 3/13/19 4:34 PM, Phil Sutter wrote:
> On Wed, Mar 13, 2019 at 04:22:27PM +0100, Fernando Fernandez Mancera wrote:
>> On 3/13/19 4:06 PM, Phil Sutter wrote:
>>> Hi Fernando,
>>>
>>> On Wed, Mar 13, 2019 at 03:15:51PM +0100, Fernando Fernandez Mancera wrote:
&
nando Fernandez Mancera wrote:
> On 3/13/19 4:34 PM, Phil Sutter wrote:
>> On Wed, Mar 13, 2019 at 04:22:27PM +0100, Fernando Fernandez Mancera wrote:
>>> On 3/13/19 4:06 PM, Phil Sutter wrote:
>>>> Hi Fernando,
>>>>
>>>> On Wed, Mar 13, 2019 at 03:15:
On 14 March 2019 at 18:34:54 CET, Phil Sutter wrote:
>Hi,
>
>On Thu, Mar 14, 2019 at 02:58:40PM +0100, Pablo Neira Ayuso wrote:
>> Hi,
>>
>> On Thu, Mar 14, 2019 at 12:14:23PM +0100, Fernando Fernandez Mancera
>wrote:
>> > Hi,
>> >
>>
Hi,
On 3/15/19 6:13 PM, Pablo Neira Ayuso wrote:
> On Fri, Mar 15, 2019 at 11:03:33AM +0100, Phil Sutter wrote:
> [...]
>> On Thu, Mar 14, 2019 at 09:07:37PM +0100, Pablo Neira Ayuso wrote:
>> [...]
>>> The osf expression returns a string with the OS genre, and if the
>>> version flag is set on,
On 3/16/19 10:05 AM, Pablo Neira Ayuso wrote:
> On Fri, Mar 15, 2019 at 09:21:56PM +0100, Fernando Fernandez Mancera wrote:
> [...]
>> We can hide the flags for the json support if needed by counting the
>> numbers of colons.
>
> No need to parse colons, we can map
Add version option support to the nftables "osf" expression.
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32 and using snprintf() instead of strlcat()
---
include/linux/netfilter/nfnetlink_osf.h | 11 ++---
include/uapi/linux/netfilter/n
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now uint32_t
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/osf.c | 17 +
3 files changed, 20 insertions(+)
diff --git a
Signed-off-by: Fernando Fernandez Mancera
---
src/json.c | 7 ++-
src/parser_json.c | 9 +++--
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/json.c b/src/json.c
index 276a3c0..4900c02 100644
--- a/src/json.c
+++ b/src/json.c
@@ -864,7 +864,12 @@ json_t
ot;
}
}
Signed-off-by: Fernando Fernandez Mancera
---
include/expression.h | 1 +
include/linux/netfilter/nf_tables.h | 6 ++
include/osf.h | 3 ++-
src/netlink_delinearize.c | 4 +++-
src/netlink_linearize.c | 1 +
src/osf.c
Signed-off-by: Fernando Fernandez Mancera
---
tests/py/inet/osf.t | 4 +++
tests/py/inet/osf.t.json | 15 +
tests/py/inet/osf.t.payload | 66 +
3 files changed, 85 insertions(+)
diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t
index
Signed-off-by: Fernando Fernandez Mancera
---
doc/primary-expression.txt | 2 ++
1 file changed, 2 insertions(+)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index d819b24..a62ed00 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -219,6 +219,8
Signed-off-by: Fernando Fernandez Mancera
---
files/osf/pf.os | 40 ++--
1 file changed, 14 insertions(+), 26 deletions(-)
diff --git a/files/osf/pf.os b/files/osf/pf.os
index 7612d76..35cbb47 100644
--- a/files/osf/pf.os
+++ b/files/osf/pf.os
@@ -201,12
After noticing that some fingerprints are outdated, we have updated the most common
of them.
Signed-off-by: Fernando Fernandez Mancera
---
files/osf/pf.os | 6 ++
1 file changed, 6 insertions(+)
diff --git a/files/osf/pf.os b/files/osf/pf.os
index e285851..7612d76 100644
--- a/files/osf/pf.os
Signed-off-by: Fernando Fernandez Mancera
---
doc/nft.txt | 13 +
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/doc/nft.txt b/doc/nft.txt
index d162dad..36a92fe 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -256,6 +256,7 @@ TABLES
[verse]
{add | create} *table
Hi,
On 4/4/19 2:01 PM, Pablo Neira Ayuso wrote:
> Cc'ing Duncan, he's been helping with reviewing documentation.
>
> On Thu, Apr 04, 2019 at 01:41:58PM +0200, Fernando Fernandez Mancera wrote:
>> Signed-off-by: Fernando Fernandez Mancera
>> ---
>> doc/
I am trying to extract the value from a symbol which comes from a
variable_expr. This variable is a simple string i.e "define foo = bar".
I am doing something like that:
char *example_function(struct expr *variable)
{
struct symbol *sym; /* the variable's symbol (assumes nftables' struct symbol) */
char *sym_value;
sym = variable->sym;
Signed-off-by: Fernando Fernandez Mancera
---
doc/nft.txt | 6 ++
1 file changed, 6 insertions(+)
diff --git a/doc/nft.txt b/doc/nft.txt
index d162dad..127a703 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -256,6 +256,7 @@ TABLES
[verse]
{add | create} *table* ['family'] '
This patch introduces the use of nft input files variables in 'jump'
statements, e.g.
define dest = chainame
add rule ip filter input jump $dest
Signed-off-by: Fernando Fernandez Mancera
---
include/expression.h | 3 ++-
src/expression.c | 14 --
src/netlink.c
I faced a similar problem a long time ago, I solved it by resetting the
linker cache. Try this.
# rm /etc/ld.so.cache
# ldconfig
On 5/12/19 6:20 PM, Stéphane Veyret wrote:
> On Sun, 12 May 2019 at 10:56, Florian Westphal wrote:
>>
>>> Now, I am trying to modify the nftables userspace tool. I h
Thanks Pablo, comments below.
On 5/9/19 4:57 PM, Pablo Neira Ayuso wrote:
> On Thu, May 09, 2019 at 01:33:58PM +0200, Fernando Fernandez Mancera wrote:
>> This patch introduces the use of nft input files variables in 'jump'
>> statements, e.g.
>>
>> define des
This patch introduces the use of nft input files variables in 'jump'
statements, e.g.
define dest = chainame
add rule ip filter input jump $dest
Signed-off-by: Fernando Fernandez Mancera
---
src/parser_bison.y | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff -
Now we can introduce expressions as a chain in jump and goto statements. This
is going to be used to support variables as a chain in the following patches.
Signed-off-by: Fernando Fernandez Mancera
---
include/expression.h | 4 ++--
src/datatype.c | 10 --
src/evaluate.c
expr_evaluate() call added in the first patch.
On 5/14/19 5:25 PM, Fernando Fernandez Mancera wrote:
> This patch introduces the use of nft input files variables in 'jump'
> statements, e.g.
>
> define dest = chainame
>
> add rule ip filter input jump $dest
>
>
Hi Phil,
On 5/14/19 6:17 PM, Phil Sutter wrote:
> Hi Fernando,
>
> On Tue, May 14, 2019 at 05:43:39PM +0200, Fernando Fernandez Mancera wrote:
>> This last patch does not work. The first one works fine with a string as
>> chain name.
>>
> [...]
>> [...]
>&g
On 5/14/19 9:31 PM, Phil Sutter wrote:
> Hi Fernando,
>
> On Tue, May 14, 2019 at 06:24:48PM +0200, Fernando Fernandez Mancera wrote:
>> Hi Phil,
>>
>> On 5/14/19 6:17 PM, Phil Sutter wrote:
>>> Hi Fernando,
>>>
>>> On Tue, May 14, 2019
$dest
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
jump ber
}
chain ber {
counter packets 71 bytes 6664
}
}
Signed-off-by: Fernando Fernandez Mancera
---
src/datatype.c | 11 +++
Now we can introduce expressions as a chain in jump and goto statements. This
is going to be used to support variables as a chain in the following patches.
Signed-off-by: Fernando Fernandez Mancera
---
include/expression.h | 4 ++--
src/datatype.c | 10 --
src/evaluate.c
Hi,
On 5/15/19 12:46 PM, Phil Sutter wrote:
> Hi,
>
> On Tue, May 14, 2019 at 11:13:40PM +0200, Fernando Fernandez Mancera wrote:
>> This patch introduces the use of nft input files variables in 'jump' and
>> 'goto'
>> statements, e.g.
>>
>
On 5/15/19 12:58 PM, Phil Sutter wrote:
> Hey,
>
> On Tue, May 14, 2019 at 11:13:40PM +0200, Fernando Fernandez Mancera wrote:
> [...]
>> diff --git a/src/datatype.c b/src/datatype.c
>> index 6aaf9ea..7e9ec5e 100644
>> --- a/src/datatype.c
>> +++ b/
$dest
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
jump ber
}
chain ber {
counter packets 71 bytes 6664
}
}
Signed-off-by: Fernando Fernandez Mancera
---
src/datatype.c
Now we can introduce expressions as a chain in jump and goto statements. This
is going to be used to support variables as a chain in the following patches.
Signed-off-by: Fernando Fernandez Mancera
---
include/expression.h | 4 ++--
src/datatype.c | 22 --
src
Hi Phil,
On 5/15/19 9:26 PM, Phil Sutter wrote:
> Hi Pablo,
>
> On Wed, May 15, 2019 at 05:21:32PM +0200, Pablo Neira Ayuso wrote:
>> On Wed, May 15, 2019 at 01:46:17PM +0200, Phil Sutter wrote:
>> [...]
>> '@' is currently allowed, as any arbitrary string can be
>> placed in between strings - alth
Hi!
On 5/15/19 10:31 PM, Phil Sutter wrote:
> Hi,
>
> On Wed, May 15, 2019 at 09:56:11PM +0200, Fernando Fernandez Mancera wrote:
>> Hi Phil,
>>
>> On 5/15/19 9:26 PM, Phil Sutter wrote:
>>> Hi Pablo,
>>>
>>> On Wed, May 15, 2019 at 05:21:32
On 16 May 2019 at 16:39:42 CEST, Pablo Neira Ayuso wrote:
>On Thu, May 16, 2019 at 01:58:17PM +0200, Fernando Fernandez Mancera
>wrote:
>> Hi!
>>
>> On 5/15/19 10:31 PM, Phil Sutter wrote:
>> > Hi,
>> >
>> > On Wed, May 15, 2019 at
$dest
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
jump ber
}
chain ber {
counter packets 71 bytes 6664
}
}
Signed-off-by: Fernando Fernandez Mancera
---
v1: Initial patch
v2: Add shell t
Now we can introduce expressions as a chain in jump and goto statements. This
is going to be used to support variables as a chain in the following patches.
Signed-off-by: Fernando Fernandez Mancera
---
v1: Initial patch
v2: Use expr_cmp in verdict expr cmp callback
v3: Fix strange variable cases
Signed-off-by: Fernando Fernandez Mancera
---
net/ipv4/netfilter/Kconfig | 4
net/ipv4/netfilter/Makefile | 3 +++
2 files changed, 7 insertions(+)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1412b029f37f..5038bb95dbf2 100644
--- a/net/ipv4/netfilter/Kconfig
Add common functions into nf_synproxy_ipv6.c to prepare for nftables support.
Signed-off-by: Fernando Fernandez Mancera
---
include/net/netfilter/ipv6/nf_synproxy_ipv6.h | 43 ++
net/ipv6/netfilter/ip6t_SYNPROXY.c | 420 +-
net/ipv6/netfilter/nf_synproxy_ipv6.c
Add common functions into nf_synproxy_ipv4.c to prepare for nftables support.
Signed-off-by: Fernando Fernandez Mancera
---
include/net/netfilter/ipv4/nf_synproxy_ipv4.h | 42 ++
net/ipv4/netfilter/ipt_SYNPROXY.c | 394 +-
net/ipv4/netfilter/nf_synproxy_ipv4.c
,nf_synproxy_ipv4,nf_synproxy_core,xt_CT
Fernando Fernandez Mancera (5):
netfilter: synproxy: add common uapi for SYNPROXY infrastructure
netfilter: synproxy: extract IPv4 SYNPROXY infrastructure from
ipt_SYNPROXY
netfilter: add NF_SYNPROXY_IPV4 symbol
netfilter: synproxy: extract IPv6
This new UAPI file is going to be used by the xt and nft common SYNPROXY
infrastructure. It is needed to avoid duplicated code.
Signed-off-by: Fernando Fernandez Mancera
---
include/uapi/linux/netfilter/nf_SYNPROXY.h | 19 +++
include/uapi/linux/netfilter/xt_SYNPROXY.h | 18
Signed-off-by: Fernando Fernandez Mancera
---
net/ipv6/netfilter/Kconfig | 4
net/ipv6/netfilter/Makefile | 3 +++
2 files changed, 7 insertions(+)
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 086fc669279e..60146a0d390d 100644
--- a/net/ipv6/netfilter/Kconfig
Hi Florian,
On 18 May 2019 at 22:20:32 CEST, Florian Westphal wrote:
>Fernando Fernandez Mancera wrote:
>
>Hi Fernando
>
>> +void
>> +synproxy_send_client_synack_ipv6(struct net *net,
>> + const struct sk_buff *skb,
>>
20480 2 ip6t_SYNPROXY,ipt_SYNPROXY
nf_synproxy_core 16384 3 ip6t_SYNPROXY,ipt_SYNPROXY,nf_synproxy
nf_conntrack 159744 6
ip6t_SYNPROXY,xt_conntrack,xt_state,ipt_SYNPROXY,nf_synproxy_core,nf_synproxy
Fernando Fernandez Mancera (4):
netfilter: synproxy: add common uapi for
This new UAPI file is going to be used by the xt and nft common SYNPROXY
infrastructure. It is needed to avoid duplicated code.
Signed-off-by: Fernando Fernandez Mancera
---
include/uapi/linux/netfilter/nf_SYNPROXY.h | 19 +++
include/uapi/linux/netfilter/xt_SYNPROXY.h | 18
Add common functions into nf_synproxy.c to prepare for nftables support.
Signed-off-by: Fernando Fernandez Mancera
---
include/net/netfilter/nf_synproxy.h | 76 +++
net/ipv4/netfilter/ipt_SYNPROXY.c | 394 +
net/ipv6/netfilter/ip6t_SYNPROXY.c | 420 +-
net/netfilter
Signed-off-by: Fernando Fernandez Mancera
---
net/ipv4/netfilter/Kconfig | 2 +-
net/ipv6/netfilter/Kconfig | 2 +-
net/netfilter/Kconfig | 3 +++
net/netfilter/Makefile | 1 +
4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter
This is a prerequisite for the new infrastructure module NF_SYNPROXY. The new
module is needed to avoid duplicated code for the SYNPROXY nftables support.
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter_ipv6.h | 3 +++
net/ipv6/netfilter.c | 1 +
2 files changed
Hi Jan,
On 5/18/19 9:29 PM, Jan Engelhardt wrote:
> On Saturday 2019-05-18 20:21, Fernando Fernandez Mancera wrote:
>
>> The patch series have been tested by enabling iptables and ip6tables
>> SYNPROXY.
>> All the modules loaded as expected.
>
> What is the subse
Hi Florian,
On 5/19/19 11:00 PM, Florian Westphal wrote:
> Fernando Fernandez Mancera wrote:
>> ---
>> include/net/netfilter/nf_synproxy.h | 76 +++
>> net/ipv4/netfilter/ipt_SYNPROXY.c | 394 +
>> net/ipv6/netfilter/ip6t_SYNPROXY.c | 420 +
Hi Florian,
On 5/19/19 11:12 PM, Florian Westphal wrote:
> Fernando Fernandez Mancera wrote:
>> This is a prerequisite for the new infrastructure module NF_SYNPROXY. The new
>> module is needed to avoid duplicated code for the SYNPROXY nftables support.
>>
>> Signed
On 20 May 2019 at 21:48:33 CEST, Florian Westphal wrote:
>Fernando Fernandez Mancera wrote:
>> > ERROR: "ipv4_synproxy_hook" [net/ipv6/netfilter/ip6t_SYNPROXY.ko]
>undefined!
>> >ERROR: "synproxy_send_client_synack_ipv6"
>[net/ipv6/netfi
Hi Pablo,
On 5/21/19 11:28 AM, Pablo Neira Ayuso wrote:
> On Thu, May 16, 2019 at 10:45:58PM +0200, Fernando Fernandez Mancera wrote:
>> Now we can introduce expressions as a chain in jump and goto statements. This
>> is going to be used to support variables as a chain in the fo
Hi Pablo,
On 5/21/19 9:38 PM, Fernando Fernandez Mancera wrote:
> Hi Pablo,
>
> On 5/21/19 11:28 AM, Pablo Neira Ayuso wrote:
>> On Thu, May 16, 2019 at 10:45:58PM +0200, Fernando Fernandez Mancera wrote:
>>> Now we can introduce expressions as a chain in jump and go
On 5/24/19 9:17 AM, Fernando Fernandez Mancera wrote:
> Hi Pablo,
>
> On 5/21/19 9:38 PM, Fernando Fernandez Mancera wrote:
>> Hi Pablo,
>>
>> On 5/21/19 11:28 AM, Pablo Neira Ayuso wrote:
>>> On Thu, May 16, 2019 at 10:45:58PM +0200, Fernando Fernandez Manc
Now we can introduce expressions as a chain in jump and goto statements. This
is going to be used to support variables as a chain in the following patches.
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: fixes in the parser
v3: fixes rare usecases
v4: add json support
$dest
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
jump ber
}
chain ber {
counter packets 71 bytes 6664
}
}
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: fixes parser
v
nf_synproxy
v3: Remove synproxy_cookie dependency
Fernando Fernandez Mancera (4):
netfilter: synproxy: add common uapi for SYNPROXY infrastructure
netfilter: synproxy: remove module dependency on IPv6 SYNPROXY
netfilter: synproxy: extract SYNPROXY infrastructure from
{ipt,ip6t}_SYNPROXY
This is a prerequisite for the new infrastructure module NF_SYNPROXY. The new
module is needed to avoid duplicated code for the SYNPROXY nftables support.
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter_ipv6.h | 17 +
net/ipv6/netfilter.c | 1
This new UAPI file is going to be used by the xt and nft common SYNPROXY
infrastructure. It is needed to avoid duplicated code.
Signed-off-by: Fernando Fernandez Mancera
---
include/uapi/linux/netfilter/nf_SYNPROXY.h | 19 +++
include/uapi/linux/netfilter/xt_SYNPROXY.h | 18
Add common functions into nf_synproxy.c to prepare for nftables support.
Signed-off-by: Fernando Fernandez Mancera
---
include/net/netfilter/nf_synproxy.h | 46 ++
net/ipv4/netfilter/ipt_SYNPROXY.c | 394 +
net/ipv6/netfilter/ip6t_SYNPROXY.c | 420 +-
net/netfilter
Signed-off-by: Fernando Fernandez Mancera
---
net/ipv4/netfilter/Kconfig | 2 +-
net/ipv6/netfilter/Kconfig | 2 +-
net/netfilter/Kconfig | 4
net/netfilter/Makefile | 1 +
4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4
Hi,
I am getting the following error when compiling the kernel after pull
the last changes from nf-next.git.
> CC security/apparmor/lsm.o
> CC kernel/trace/trace_stack.o
> In file included from security/apparmor/lsm.c:27:
> ./include/linux/netfilter_ipv6.h: In function ‘nf_ipv6_br_d
another synproxy_cookie, unify nf_synproxy into nf_synproxy_core so
now we are using a single module.
Fernando Fernandez Mancera (3):
netfilter: synproxy: add common uapi for SYNPROXY infrastructure
netfilter: synproxy: remove module dependency on IPv6 SYNPROXY
netfilter: synproxy: extract
This new UAPI file is going to be used by the xt and nft common SYNPROXY
infrastructure. It is needed to avoid duplicated code.
Signed-off-by: Fernando Fernandez Mancera
---
include/uapi/linux/netfilter/nf_SYNPROXY.h | 19 +++
include/uapi/linux/netfilter/xt_SYNPROXY.h | 18
This is a prerequisite for the infrastructure module NETFILTER_SYNPROXY. The
new module is needed to avoid duplicated code for the SYNPROXY nftables
support.
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter_ipv6.h | 36 ++
net/ipv6
Add common functions into nf_synproxy_core.c to prepare for nftables support.
The prototypes of the functions used by {ipt, ip6t}_SYNPROXY are in the new
file nf_synproxy.h
Signed-off-by: Fernando Fernandez Mancera
---
include/net/netfilter/nf_conntrack_synproxy.h | 13 +-
include/net
Signed-off-by: Fernando Fernandez Mancera
---
include/libnftnl/expr.h | 6 +
include/linux/netfilter/nf_tables.h | 16 +++
src/Makefile.am | 1 +
src/expr/synproxy.c | 170
src/expr_ops.c | 2
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter/nf_SYNPROXY.h | 23
include/linux/netfilter/nf_tables.h | 16 +
include/statement.h | 11 ++
src/evaluate.c | 16 +
src/netlink_delinearize.c
Add SYNPROXY module support in nf_tables. It preserves the behaviour of the
SYNPROXY target of iptables but structured in a different way to propose
improvements in the future.
Signed-off-by: Fernando Fernandez Mancera
---
include/uapi/linux/netfilter/nf_SYNPROXY.h | 4 +
include/uapi/linux
rror. The problem should be in the libnftnl or nf-next patch.
I am probably missing something. Any suggestion? Thanks :-)
On 6/17/19 12:32 PM, Fernando Fernandez Mancera wrote:
> Signed-off-by: Fernando Fernandez Mancera
> ---
> include/linux/netfilter/nf_SYNPROXY.h | 23
> in
Hi Pablo, comments below.
On 6/17/19 5:45 PM, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 12:32:35PM +0200, Fernando Fernandez Mancera wrote:
>> Add SYNPROXY module support in nf_tables. It preserves the behaviour of the
>> SYNPROXY target of iptables but structured in a d
On 6/17/19 11:55 PM, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 09:49:43PM +0200, Fernando Fernandez Mancera wrote:
>> Hi Pablo, comments below.
>>
>> On 6/17/19 5:45 PM, Pablo Neira Ayuso wrote:
>>> On Mon, Jun 17, 2019 at 12:32:35PM +0200, Fernando Fer
Signed-off-by: Fernando Fernandez Mancera
---
include/libnftnl/expr.h | 6 +
include/linux/netfilter/nf_tables.h | 17 +++
src/Makefile.am | 1 +
src/expr/synproxy.c | 170
src/expr_ops.c | 2
icy accept;
ct state { invalid, untracked } synproxy mss 1460 wscale 7
timestamp sack-perm
ct state invalid drop
}
}
Signed-off-by: Fernando Fernandez Mancera
---
doc/statements.txt| 87 +
include/json.h
Add SYNPROXY module support in nf_tables. It preserves the behaviour of the
SYNPROXY target of iptables but structured in a different way to propose
improvements in the future.
Signed-off-by: Fernando Fernandez Mancera
---
include/uapi/linux/netfilter/nf_SYNPROXY.h | 4 +
include/uapi/linux
Add SYNPROXY module support in nf_tables. It preserves the behaviour of the
SYNPROXY target of iptables but structured in a different way to propose
improvements in the future.
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: add IPV6 module checks
---
include/uapi/linux
Agree with everything, I am going to send a new patch series with all
the fixes. Thanks Pablo :-)
On 6/20/19 4:10 PM, Pablo Neira Ayuso wrote:
> On Wed, Jun 19, 2019 at 08:06:54PM +0200, Fernando Fernandez Mancera wrote:
> [...]
>> diff --git a/net/netfilter/nft_synproxy.c b/n
This operation is handled by nf_synproxy_ipv4_init() now.
Fixes: d7f9b2f18eae ("netfilter: synproxy: extract SYNPROXY infrastructure from
{ipt, ip6t}_SYNPROXY")
Signed-off-by: Fernando Fernandez Mancera
---
net/ipv4/netfilter/ipt_SYNPROXY.c | 1 -
1 file changed, 1 deletion(-)
di
Hi Pablo, comments below.
On 6/20/19 4:10 PM, Pablo Neira Ayuso wrote:
> On Wed, Jun 19, 2019 at 08:06:54PM +0200, Fernando Fernandez Mancera wrote:
> [...]
>> diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
>> new file mode 100644
>> index 00
Add SYNPROXY module support in nf_tables. It preserves the behaviour of the
SYNPROXY target of iptables but structured in a different way to propose
improvements in the future.
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: add IPV6 module checks
v3: move common eval parts
icy accept;
ct state { invalid, untracked } synproxy mss 1460 wscale 7
timestamp sack-perm
ct state invalid drop
}
}
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: rename synproxy uapi header
---
doc/statements.txt
Hi Ibrahim,
On 6/24/19 9:55 AM, İbrahim Ercan wrote:
> On Fri, Jun 21, 2019 at 2:10 PM Florian Westphal wrote:
>>
>> Yes, something like this is needed, i.e. we need to pass two
>> mss values -- one from info->mss ("server") that we need to
>> place in the tcp options sent to client and one conta