[PATCH nf-next 3/4] netfilter: xt_TRACE: add explicit nf_logger_find_get call

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Consider such a situation: if the nf_log_ipv4 kernel module is not installed, and the user adds the following iptables rule: # iptables -t raw -I PREROUTING -j TRACE There will be no trace log generated until the user installs the nf_log_ipv4 module m

[PATCH nf-next 0/4] netfilter: request the related nf_log module when we add a TRACE rule

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> This patch set solves such a problem, for example, if we add the following iptables rule: # iptables -t raw -I PREROUTING -j TRACE And the nf_log_ipv4 kernel module is not installed, no trace log will be generated, until we install the nf_log_ipv4

[PATCH nf-next 4/4] netfilter: nft_meta: add explicit nf_logger_find_get call

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Like xt_TRACE does, we should request the related nf_log module appropriately. Otherwise, if the nf_log_ipv4 kernel module is not installed, and the user adds the following nft rule: # nft add rule filter input nftrace set 1 There will be no tra

[PATCH nf-next 2/4] netfilter: nft_log: no need to deal with NFPROTO_INET family

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Since nf_logger_find_get and nf_logger_put can handle NFPROTO_INET properly, we can remove the special processing logic now. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nft_log.c | 21 +

[PATCH iptables] extensions: libxt_TRACE: Add translation to nft

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> For example: # iptables-translate -t raw -A PREROUTING -j TRACE nft add rule ip raw PREROUTING counter nftrace set 1 Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- extensions/libxt_TRACE.c | 8 1 fil

[PATCH nf-next] netfilter: nft_meta: set skb->nf_trace appropriately

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When the user adds an nft rule to set nftrace to zero, for example: # nft add rule ip filter input nftrace set 0 We should set nf_trace to zero also. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nft_meta

[PATCH nf-next] netfilter: xt_cpu: no need to check the validity of invert flag

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Instead, we can convert the invert flag and ensure it is 1 or 0. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/xt_cpu.c | 12 +--- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/n

[PATCH nf-next 1/4] netfilter: nf_log: handle NFPROTO_INET properly in nf_logger_[find_get|put]

2016-06-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When we request NFPROTO_INET, it means both NFPROTO_IPV4 and NFPROTO_IPV6. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nf_log.c | 20 1 file changed, 20 insertions(+) diff

[PATCH nft] tests: shell: make testcases which use tcp/udp ports more robust

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> On my machine, port 12345 is mapped to italk in /etc/services: italk 12345/tcp # Italk Chat System So when we add an nft rule with udp port "12345", nft list ruleset will display it as "italk"

[PATCH nf-next 0/3] netfilter: fix an endless jump loop bug

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> This patch set mainly fixes an endless jump loop bug, for example, the user can add the following nft rules successfully: # nft add table filter # nft add chain filter test # nft add rule filter test tcp dport vmap {1: jump test} This is beca

[PATCH nf-next 1/3] netfilter: nf_tables: fix wrong check of NFT_SET_MAP in nf_tables_bind_set

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We should check whether "i" is used as a dictionary or not; "binding" is already checked before. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 inserti

[PATCH nf-next 3/3] netfilter: nf_tables: fix wrong destroy anonymous sets if binding fails

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When we add an nft rule like the following: # nft add rule filter test tcp dport vmap {1: jump test} an -ELOOP error will be returned, and the anonymous set will be destroyed. But after that, nf_tables_abort will also try to remove the element and d

[PATCH nf-next 2/3] netfilter: nf_tables: fix an endless jump loop when using vmap

2016-06-10 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Currently, the user can add such wrong nft rules successfully, which will cause an endless jump loop: # nft add rule filter test tcp dport vmap {1: jump test} This is because before we commit, the element in the current anonymous set is in
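The loop in this series (a vmap element "1: jump test" inside chain test, pointing back at the chain that holds it) is detectable by walking jump targets from each chain, as long as the walk also sees the elements of an anonymous set that has not been committed yet. What follows is an added example written for this page, not code from the kernel or from these patches: a minimal userspace model of that check in C. The structures (struct chain, struct ruleset, add_jump, ruleset_has_loop) are invented for the illustration and stand in for nf_tables' chain and set objects; the kernel's own validation in nf_tables_api.c is not reproduced here.

```c
#include <stdbool.h>
#include <string.h>

/* Added example, not kernel code: a toy model of nf_tables chain
 * validation. A chain records the chains it can jump to, whether the
 * jump comes from a plain "jump" rule or from a vmap element. Loop
 * detection must walk vmap elements too, including those that sit in
 * an anonymous set that has not been committed yet. */

#define MAX_CHAINS 8
#define MAX_TARGETS 8

struct chain {
	const char *name;
	const char *targets[MAX_TARGETS]; /* jump targets: direct jumps and vmap elements */
	int ntargets;
};

struct ruleset {
	struct chain chains[MAX_CHAINS];
	int nchains;
};

static struct chain *find_chain(struct ruleset *rs, const char *name)
{
	for (int i = 0; i < rs->nchains; i++)
		if (strcmp(rs->chains[i].name, name) == 0)
			return &rs->chains[i];
	return NULL;
}

static struct chain *add_chain(struct ruleset *rs, const char *name)
{
	struct chain *c = find_chain(rs, name);

	if (c)
		return c;
	if (rs->nchains == MAX_CHAINS)
		return NULL;
	c = &rs->chains[rs->nchains++];
	c->name = name;
	c->ntargets = 0;
	return c;
}

/* Record a jump from 'from' to 'to'. A vmap element "{key: jump to}" is
 * recorded exactly like a direct jump; commit state plays no role here. */
static bool add_jump(struct ruleset *rs, const char *from, const char *to)
{
	struct chain *c = add_chain(rs, from);

	if (!c || c->ntargets == MAX_TARGETS)
		return false;
	add_chain(rs, to);
	c->targets[c->ntargets++] = to;
	return true;
}

/* Depth-first walk with a recursion stack; true if a cycle is reachable. */
static bool walk(struct ruleset *rs, const char *name, bool *onstack)
{
	struct chain *c = find_chain(rs, name);
	int idx;

	if (!c)
		return false;
	idx = (int)(c - rs->chains);
	if (onstack[idx])
		return true;           /* reached a chain that is still being walked */
	onstack[idx] = true;
	for (int i = 0; i < c->ntargets; i++)
		if (walk(rs, c->targets[i], onstack))
			return true;
	onstack[idx] = false;
	return false;
}

/* Returns true if the jumps reachable from 'start' form an endless loop. */
bool ruleset_has_loop(struct ruleset *rs, const char *start)
{
	bool onstack[MAX_CHAINS] = { false };

	return walk(rs, start, onstack);
}

/* The case from the patch: chain "test" with "tcp dport vmap {1: jump test}". */
bool example_self_loop(void)
{
	struct ruleset rs = { .nchains = 0 };

	add_jump(&rs, "test", "test");
	return ruleset_has_loop(&rs, "test");
}

/* A two-chain cycle through a vmap element: input -> test -> input. */
bool example_indirect_loop(void)
{
	struct ruleset rs = { .nchains = 0 };

	add_jump(&rs, "input", "test");
	add_jump(&rs, "test", "input");
	return ruleset_has_loop(&rs, "input");
}

/* A legitimate chain of jumps that terminates. */
bool example_no_loop(void)
{
	struct ruleset rs = { .nchains = 0 };

	add_jump(&rs, "input", "test");
	add_jump(&rs, "test", "log_and_accept");
	return ruleset_has_loop(&rs, "input");
}
```

The model deliberately ignores whether a set is anonymous or committed: the bug in the series was precisely that the kernel's walk skipped elements of an uncommitted anonymous set, so the simplest correct rule is to treat every element as a jump edge at validation time.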

[PATCH nf-next] netfilter: nf_tables: fix a wrong check to skip the inactive rules

2016-06-14 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> nft_genmask_cur has already done left-shift operator on the gencursor, so there's no need to do left-shift operator on it again. Fixes: ea4bd995b0f2 ("netfilter: nf_tables: add transaction helper functions") Cc: Patrick McHardy

Re: [PATCH nf-next 4/4] netfilter: nft_meta: add explicit nf_logger_find_get call

2016-06-14 Thread Liping Zhang
Hi Florian, At 2016-06-08 20:59:32, "Florian Westphal" wrote: > >With nftables we have a new infrastructure in place that emits trace info via >nfnetlink. > >So loading nf_log_ipX isn't needed anymore in nft. Yes, in nftables, the user can use "nft monitor" to get the trace info.

[PATCH nft] tests: shell: add endless jump loop tests

2016-06-13 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Add some tests for endless jump loop validation. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- tests/shell/testcases/chains/0010endless_jump_loop_1 | 9 + tests/shell/testcases/chains/0011endless_jump

[PATCH nft 3/3] meta: fix a display format error when we set priority to root or none

2016-05-29 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Also delete the redundant '\n'. This fixes: # nft add rule filter test meta priority set root # nft list chain filter test table ip filter { chain test { meta priority set root none : } } Sign

[PATCH nft 2/3] meta: fix endianness in priority

2016-05-29 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> For example, after we add a rule to set priority 1:2, it will be displayed in network byte order as 0200:0100, which is wrong: # nft add rule filter test meta priority set 1:2 # nft list chain filter test table ip filter { chai

[PATCH nft] parser: fix crash if we add a chain with an error chain type

2016-05-29 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If we add a chain and specify a nonexistent chain type, chain_type_name_lookup will return a NULL pointer and hit the assert condition in xstrdup. Fix a crash like this: # nft add chain filter input {type none hook input priority 0\;}

Re: [PATCH -next v2] netfilter: conntrack: allow increasing bucket size via sysctl too

2016-06-22 Thread Liping Zhang
Hi Florian, 2016-06-22 2:46 GMT+08:00 Florian Westphal : > @@ -1650,11 +1646,31 @@ int nf_conntrack_set_hashsize(const char *val, struct > kernel_param *kp) > write_seqcount_end(_conntrack_generation); > nf_conntrack_all_unlock(); > local_bh_enable(); > +

[PATCH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-20 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> In iptables, if the user adds a rule to send a TCP RST and specifies a non-TCP protocol, such as UDP, the kernel will reject this request. But in nftables, this validity check only occurs in the nft tool, i.e. only in userspace. This means that user c

[PATCH nf] netfilter: nf_tables: fix memory leak if expr init fails

2016-06-20 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If expr init fails then we need to free it. So when the user adds an nft rule as follows: # nft add rule filter input tcp dport 22 flow table ssh \ { ip saddr limit rate 0/second } a memory leak will happen. Signed-off-by: Liping

Re: [PATCH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-20 Thread Liping Zhang
Hi Marcelo, 2016-06-20 23:48 GMT+08:00 Marcelo Ricardo Leitner : > > A different check/log is made for ip6: > nf_reject_ip6_tcphdr_get(): > /* IP header checks: fragment, too short. */ > if (proto != IPPROTO_TCP || *otcplen < sizeof(struct tcphdr)) { >

Re: [PATCH nf-next] netfilter: xt_cpu: no need to check the validity of invert flag

2016-06-23 Thread Liping Zhang
Hi Pablo, 2016-06-23 19:11 GMT+08:00 Pablo Neira Ayuso : >> -static int cpu_mt_check(const struct xt_mtchk_param *par) >> -{ >> - const struct xt_cpu_info *info = par->matchinfo; >> - >> - if (info->invert & ~1) >> - return -EINVAL; >> - return 0; >>

Re: [PATCH] netfilter: ipv4: fix NULL dereference

2016-03-25 Thread Liping Zhang
At 2016-03-25 04:22:05, "Pablo Neira Ayuso" wrote: > >Could you also pass net as parameter to synproxy_send_server_syn() ? > >par->net provides this from synproxy_tg4(). Not passing the net but replacing the first parameter 'snet' with 'net' seems better? snet is only used in

Re:Re: [PATCH] netfilter: ipv4: fix NULL dereference

2016-03-25 Thread Liping Zhang
At 2016-03-25 04:22:05, "Pablo Neira Ayuso" wrote: > >Could you also pass net as parameter to synproxy_send_server_syn() ? > >par->net provides this from synproxy_tg4(). Not passing the net but replacing the first parameter 'snet' with 'net' seems better? snet is only used in

[PATCH V2] netfilter: ipv4: fix NULL dereference

2016-03-26 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Commit fa50d974d104 ("ipv4: Namespaceify ip_default_ttl sysctl knob") uses sock_net(skb->sk) to get the net namespace, but we can't assume that sk_buff->sk always exists, so when it is NULL, an oops will happen. Signe

[PATCH] netfilter: ipv4: fix NULL dereference

2016-03-23 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Commit fa50d974d104 ("ipv4: Namespaceify ip_default_ttl sysctl knob") introduces the namespaceified ip_default_ttl, but sk_buff->sk may be NULL, so sock_net(skb->sk) will dereference the NULL pointer and an oops will happen. Signe

[PATCH V2] netfilter: ip6t_SYNPROXY: remove magic number

2016-03-28 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Replace '64' with the per-net ipv6_devconf_all's hop_limit when building the ipv6 header. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/ipv6/netfilter/ip6t_SYNPROXY.c | 56 -- 1

[PATCH] netfilter: ip6t_SYNPROXY: unnecessary to check whether ip6_route_output returns NULL

2016-04-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> ip6_route_output() will never return a NULL pointer, so there's no need to check it. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/ipv6/netfilter/ip6t_SYNPROXY.c |2 +- 1 file changed, 1 insertion(+), 1 delet

Re: [PATCH iptables] xtables: use exponential delay when waiting for xtables lock

2016-04-27 Thread Liping Zhang
2016-04-08 11:07 GMT+08:00 Subash Abhinov Kasiviswanathan : > ip[6]tables currently waits for 1 second for the xtables lock to > be freed if the -w option is used. We have seen that the lock is > held much less than that resulting in unnecessary delay when > trying to

[PATCH iptables] extensions: libxt_limit: fix a wrong translation to nft rule

2016-05-21 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The default burst value is 5 in the iptables limit extension while it is 0 in the nft limit expression; if the burst value is the default, it will not be displayed when we dump the rules. But when we do translation from iptables rules to nft rules, we

[PATCH nft] evaluate: fix crash if we add an error format rule

2016-05-14 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If we add such an nft rule: nft add rule filter input ip protocol icmp tcp dport 0 we will always hit the assert condition: nft: evaluate.c:536: resolve_protocol_conflict: Assertion `base < (__PROTO_BASE_MAX - 1)' failed. Abor

[PATCH iptables] extensions: libxt_connlabel: add unit test

2016-07-23 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Add some unit tests for connlabel match extension: # ./iptables-test.py extensions/libxt_connlabel.t extensions/libxt_connlabel.t: OK 1 test files, 7 unit tests, 7 passed Signed-off-by: Liping Zhang <liping.zh...@sprea

[PATCH nf-next 2/2] netfilter: nft_compat: fix crash when related match/target module is removed

2016-07-23 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We "cache" the loaded match/target modules and reuse them, but when the modules are removed, we still point to them. Then we may end up with invalid memory references when using iptables-compat to add rules later. Input the fo

[PATCH nf-next 1/2] netfilter: nft_compat: put back match/target module if init fail

2016-07-23 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If the user specifies an invalid NFTA_MATCH_INFO/NFTA_TARGET_INFO attr or memory allocation fails, we should call module_put on the related match or target. Otherwise, we cannot remove the module even if nobody uses it. Signed-off-by: Liping Zhang <

[PATCH nf-next] netfilter: nf_dup4: remove redundant checksum recalculation

2016-07-30 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The IP header checksum will be recalculated at ip_local_out, so there's no need to calculate it here; remove it. Also update code comments to illustrate it, and delete the misleading comments about checksum recalculation. Signed-off-by: Liping

Re: [PATCH v2] netfilter: nf_tables: add hash expression

2016-08-09 Thread Liping Zhang
Hi Laura, 2016-08-10 2:22 GMT+08:00 Laura Garcia Liebana : > This patch adds a new hash expression, this provides jhash support but > this can be extended to support for other hash functions. > > The modulus and seed already comes embedded into this new expression. > > Use case

Re: [PATCH nf-next V2] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-08-12 Thread Liping Zhang
2016-08-12 19:49 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Fri, Aug 12, 2016 at 07:12:32PM +0800, Liping Zhang wrote: >> 2016-08-12 18:34 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>: > [...] >> > >> > I think it is a good

Re: [PATCH] netfilter: remove ip_conntrack* sysctl compat code

2016-08-13 Thread Liping Zhang
Hi Pablo, 2016-08-12 19:47 GMT+08:00 Pablo Neira Ayuso : > diff --git a/net/netfilter/nf_conntrack_core.c > b/net/netfilter/nf_conntrack_core.c > index dd2c43a..22558b7 100644 > --- a/net/netfilter/nf_conntrack_core.c > +++ b/net/netfilter/nf_conntrack_core.c > @@ -161,10

[PATCH V3 nf-next] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-08-13 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Since commit 64b87639c9cb ("netfilter: conntrack: fix race between nf_conntrack proc read and hash resize") introduced nf_conntrack_get_ht, there's no need to check nf_conntrack_generation again and again to get the hash tab

[PATCH nf-next] netfilter: nfnetlink_log: add "nf-logger-3-1" module alias name

2016-08-13 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Otherwise, if nfnetlink_log.ko is not loaded, we cannot add rules to log packets to the userspace when we specify it with arp family, such as: # nft add rule arp filter input log group 0 :1:1-37: Error: Could not process rule: No suc

[PATCH nf 2/2] netfilter: nfnetlink_acct: report overquota to the right netns

2016-08-13 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We should report the over quota message to the right net namespace instead of the init netns. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- include/linux/netfilter/nfnetlink_acct.h | 4 ++-- net/netfilter/nfne

[PATCH nf-next 2/2] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-07-12 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Since commit 64b87639c9cb ("netfilter: conntrack: fix race between nf_conntrack proc read and hash resize") introduced nf_conntrack_get_ht, there's no need to check nf_conntrack_generation again and again to get the hash tab

[PATCH nf-next 1/2] netfilter: conntrack: protect early_drop by rcu read lock

2016-07-12 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Users can add a ct entry via nfnetlink(IPCTNL_MSG_CT_NEW), and if the total number reaches nf_conntrack_max, we will try to drop some ct entries. But in this case (the main function call path is ctnetlink_create_conntrack -> nf_conntr

Re: [PATCH nf-next 2/2] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-07-13 Thread Liping Zhang
Hi Florian, At 2016-07-12 21:03:03, "Florian Westphal" <f...@strlen.de> wrote: >Liping Zhang <zlpnob...@163.com> wrote: >> +inline void >> +nf_conntrack_get_ht(struct hlist_nulls_head **hash, unsigned int *hsize) > >Which "inline void"?

[PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The following iptables rules have different semantics: # iptables -A INPUT -j NFLOG # iptables -A INPUT -j NFLOG --nflog-size 0 But they are both displayed as "-A INPUT -j NFLOG", so if the user inputs the following comman

[PATCH iptables 2/2] extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The nflog-size was introduced by commit 7070b1f3c88a ("extensions: libxt_NFLOG: nflog-range does not truncate packets"). Then nflog-range became deprecated, because it has had no effect from the beginning. So when we do tran

[PATCH nf-next 3/3] netfilter: nft_log: fix snaplen does not truncate packets

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> There's a similar problem in xt_NFLOG, and was fixed by commit 7643507fe8b5 ("netfilter: xt_NFLOG: nflog-range does not truncate packets"). Only set copy_len here does not work, so we should enable NF_LOG_F_COPY_LEN also. Signe

[PATCH nf-next 2/3] netfilter: nft_log: check the validity of log level

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Users can specify a log level larger than 7 (debug level) via nfnetlink, which is invalid. So in this case, we should report EINVAL to userspace. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/n

[PATCH nf-next 0/3] netfilter: fix some small bugs related to nft_log

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> This patchset is very small; it aims to fix some bugs related to the nftables log expr. patch#1 fixes a possible memory leak if the user specifies the log prefix but the log expr init fails. patch#2 adds a validity check of the log level, otherwise us

[PATCH nf-next 1/3] netfilter: nft_log: fix possible memory leak if log expr init fail

2016-07-18 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Suppose that we specify NFTA_LOG_PREFIX, then NFTA_LOG_LEVEL and NFTA_LOG_GROUP are specified together or the nf_logger_find_get call returns failure, i.e. expr init fails; a memory leak will happen. Signed-off-by: Liping Zhang <

Re: [PATCH 1/1] netfilter: Add helper array register/unregister functions

2016-07-19 Thread Liping Zhang
2016-07-18 11:39 GMT+08:00 : > From: Gao Feng > > Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister > functions to enhance the conntrack helper codes. I think this patch is breaking something ... This irc: > - if (ports[i] ==

Re: [PATCH nf-next 3/3] netfilter: nft_log: fix snaplen does not truncate packets

2016-07-20 Thread Liping Zhang
Hi Pablo, 2016-07-20 16:25 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Wed, Jul 20, 2016 at 07:00:13AM +0800, Liping Zhang wrote: >> I find that nftables already support this feature, the following command >> mean to truncate packets >> to 100 bytes befo

[PATCH iptables] extensions: libxt_NFLOG: add unit test to cover nflog-size with zero

2016-07-20 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> "--nflog-size 0" is valid and we must display it appropriately. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- extensions/libxt_NFLOG.t | 1 +

Re: [PATCH iptables] extensions: libxt_connlabel: Add translation to nft

2016-07-16 Thread Liping Zhang
At 2016-07-16 17:04:39, "Florian Westphal" <f...@strlen.de> wrote: >Liping Zhang <zlpnob...@163.com> wrote: >> >> # iptables-translate -A INPUT -m connlabel ! --label bit40 --set >> nft add rule ip filter INPUT ct label set bit40 ct label != bit

[PATCH V2 iptables] extensions: libxt_connlabel: Add translation to nft

2016-07-16 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Add translation for connlabel to nftables. For examples: # iptables-translate -A INPUT -m connlabel --label bit40 nft add rule ip filter INPUT ct label bit40 counter # iptables-translate -A INPUT -m connlabel ! --label bit40 --set n

[PATCH iptables] extensions: libxt_connlabel: fix crash when connlabel.conf is empty

2016-07-16 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When connlabel.conf is empty, nfct_labelmap_new will return NULL and set errno to 0. So we will miss checking this situation, and cause a NULL dereference in nfct_labelmap_get_bit. Inputting the following commands will reproduce this crash:

[PATCH iptables] extensions: libxt_connlabel: Add translation to nft

2016-07-16 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Add translation for connlabel to nftables. For examples: # iptables-translate -A INPUT -m connlabel --label bit40 nft add rule ip filter INPUT ct label bit40 counter # iptables-translate -A INPUT -m connlabel ! --label bit40 --set n

[PATCH nf] netfilter: nft_ct: fix unpaired nf_connlabels_get/put call

2016-07-16 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We only get nf_connlabels if the user adds a ct label set expr successfully, but we will also put nf_connlabels if the user deletes a ct label get expr. This is mismatched, and will cause the ct label expr to not work properly. Also, if we init som

[PATCH iptables] extensions: libipt_realm: fix order of mask and id when do nft translation

2016-06-27 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Before: # iptables-translate -A INPUT -m realm --realm 1/0xf nft add rule ip filter INPUT rtclassid and 0x1 == 0xf counter Apply this patch: # iptables-translate -A INPUT -m realm --realm 1/0xf nft add rule ip filter INPUT rtc

[PATCH nf-next] netfilter: nft_ct: make byte/packet expr more friendly

2016-07-05 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> If we want to use the ct packets expr, and add a rule like the following: # nft add rule filter input ct packets gt 1 counter We will find that no packets hit it, because nf_conntrack_acct is disabled by default. So it will not work until we

[PATCH nf] netfilter: nfnetlink_queue: fix memory leak when attach expectation successfully

2016-08-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Users can use NFQA_EXP to attach expectations to conntracks, but we forget to put back the nf_conntrack_expect when it is inserted successfully, i.e. in this normal case, the expect's use refcnt will be 3. So even if we unlink it and put it back later, t

[PATCH nf] netfilter: nf_expect_proc: remove the redundant slash when policy name is empty

2016-08-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The 'name' field in struct nf_conntrack_expect_policy{} is not a pointer, so checking whether it is NULL will always return true. Even if the name is empty, a slash will always be displayed, as follows: # cat /proc/net/nf_conntrack_expect

[PATCH nf] netfilter: ctnetlink: reject new conntrack request with different l4proto

2016-08-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Currently, the user can add a conntrack with different l4protos via nfnetlink. For example, the original tuple is TCP while the reply tuple is SCTP. This is an invalid combination; we should report EINVAL to userspace. Signed-off-by: Liping Zhang <

[PATCH nf] netfilter: nfnetlink_queue: reject verdict request from different portid

2016-08-08 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Like NFQNL_MSG_VERDICT_BATCH does, we should also reject the verdict request when the portid is not the same as the initial portid (maybe from another process). Fixes: 97d32cf9440d ("netfilter: nfnetlink_queue: batch verdict support"

[PATCH nf-next] netfilter: nf_ct_h323: do not re-activate already expired timer

2016-07-23 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Commit 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of set_expect_timeout") just simplified the source code if (!del_timer(>timeout)) return 0; add_timer(>timeout); to mod_timer(>timeout, jif

[PATCH nf 1/3] netfilter: conntrack: fix race between nf_conntrack proc read and hash resize

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When we do "cat /proc/net/nf_conntrack" and meanwhile resize the conntrack hash table via /sys/module/nf_conntrack/parameters/hashsize, a race will happen, because the reader can observe a newly allocated hash but the old size (or vice

[PATCH nf 3/3] netfilter: nf_ct_helper: unlink helper again when hash resize happen

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Similar to ctnl_untimeout, when a hash resize has happened, we should try to do unhelp from bucket 0 again. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nf_conntrack_helper.c | 14 -- 1 file

[PATCH nf 2/3] netfilter: cttimeout: unlink timeout obj again when hash resize happen

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Imagine such a situation: nf_conntrack_htable_size is now 4096, we are doing ctnl_untimeout, and iterating on bucket 3000. Meanwhile, another user tries to reduce the hash size to 2048, then all nf_conn are moved to the new hashtable. When thi

[PATCH nf 0/3] netfilter: conntrack: fix race condition associated with hash resize

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When the user adjusts the hash size via /sys/module/nf_conntrack/parameters/hashsize, something will break because a race condition happened. This patch set aims to fix these bugs. When we do "cat /proc/net/nf_conntrack", and at the s

Re: [PATCH nf 1/3] netfilter: conntrack: fix race between nf_conntrack proc read and hash resize

2016-07-02 Thread Liping Zhang
>Good catch, but ... > >> diff --git a/include/net/netfilter/nf_conntrack_core.h >> b/include/net/netfilter/nf_conntrack_core.h >> index 3e2f332..4f6453a 100644 >> --- a/include/net/netfilter/nf_conntrack_core.h >> +++ b/include/net/netfilter/nf_conntrack_core.h >> @@ -82,6 +82,7 @@

[PATCH V2,nf 1/3] netfilter: conntrack: fix race between nf_conntrack proc read and hash resize

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> When we do "cat /proc/net/nf_conntrack" and meanwhile resize the conntrack hash table via /sys/module/nf_conntrack/parameters/hashsize, a race will happen, because the reader can observe a newly allocated hash but the old size (or vice
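The race described in this patch (and in the 0/3 cover letter and 1/3 above) comes from reading the table pointer and the table size as two separate loads while a resize publishes new values for both. The fix introduced nf_conntrack_get_ht, which re-reads until the generation counter is stable. Below is an added example written for this page, not code from the kernel or from the patch: a single-threaded C model of the racy and the retrying reader. The globals hash, hsize and generation, the resize_to_big writer and the interleave hook are all invented for the illustration; the kernel uses a real seqcount with memory barriers, which this model does not reproduce.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example, not kernel code. The writer publishes a new table and a
 * new size as two separate stores. A reader that loads them separately can
 * see the new table with the old size (or the reverse) and then walk the
 * wrong number of buckets. The generation counter stands in for
 * nf_conntrack_generation: odd while a resize is in progress, even once
 * the new pair is published (the seqcount convention, modelled here
 * without barriers). */

static const int small_table[4] = { 1, 2, 3, 4 };
static const int big_table[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

static const int *hash;
static unsigned int hsize;
static unsigned int generation;

/* Hook invoked between the reader's two loads, to force the interleaving. */
typedef void (*interleave_fn)(void);

/* The writer side of a hash resize. */
static void resize_to_big(void)
{
	generation++;          /* odd: resize in progress */
	hash = big_table;
	hsize = 8;
	generation++;          /* even: new (table, size) pair published */
}

void reset_state(void)
{
	hash = small_table;
	hsize = 4;
	generation = 0;
}

/* "Before": two independent loads and no consistency check. */
void get_ht_racy(const int **h, unsigned int *sz, interleave_fn hook)
{
	*h = hash;
	if (hook)
		hook();            /* resize lands between the two loads */
	*sz = hsize;
}

/* "After": the shape of nf_conntrack_get_ht, retrying until the generation
 * read before the loads is even and unchanged after them. */
void get_ht_safe(const int **h, unsigned int *sz, interleave_fn hook)
{
	unsigned int gen;

	do {
		gen = generation;
		*h = hash;
		if (hook) {
			hook();
			hook = NULL;   /* the resize happens once, mid-read */
		}
		*sz = hsize;
	} while ((gen & 1) || gen != generation);
}

/* A (table, size) pair is consistent only if the size matches the table. */
static bool consistent(const int *h, unsigned int sz)
{
	return (h == small_table && sz == 4) || (h == big_table && sz == 8);
}

/* Returns false: the racy reader ends up with small_table and size 8. */
bool racy_reader_is_consistent(void)
{
	const int *h;
	unsigned int sz;

	reset_state();
	get_ht_racy(&h, &sz, resize_to_big);
	return consistent(h, sz);
}

/* Returns true: the first attempt is discarded and the retry sees big_table with size 8. */
bool safe_reader_is_consistent(void)
{
	const int *h;
	unsigned int sz;

	reset_state();
	get_ht_safe(&h, &sz, resize_to_big);
	return consistent(h, sz);
}
```

The interleave hook is what makes the race deterministic enough to test; in the kernel the same window exists between the two loads, and only the generation check closes it.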

[PATCH V2,nf 2/3] netfilter: cttimeout: unlink timeout obj again when hash resize happen

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Imagine such a situation: nf_conntrack_htable_size is now 4096, we are doing ctnl_untimeout, and iterating on bucket 3000. Meanwhile, another user tries to reduce the hash size to 2048, then all nf_conn are moved to the new hashtable. When thi

[PATCH V2,nf 3/3] netfilter: nf_ct_helper: unlink helper again when hash resize happen

2016-07-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Similar to ctnl_untimeout, when a hash resize has happened, we should try to do unhelp from bucket 0 again. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- V2: no need to use nf_conntrack_generation to check hash resize

Re: [PATCH] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-07-04 Thread Liping Zhang
2016-07-04 14:14 GMT+08:00 Christophe Leroy : >> I think there is no need to convert simple_strtoul to kstrtouint, add >> a further check seems better? >> Like this: >> - if (!cseq) { >> + if (!cseq && *(*dptr + matchoff) != '0') { >> > > And what about an

Re: [PATCH] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-07-03 Thread Liping Zhang
2016-07-01 17:48 GMT+08:00 Christophe Leroy : > Do not drop packet when CSeq is 0 as 0 is also a valid value for CSeq. > > --- a/net/netfilter/nf_conntrack_sip.c > +++ b/net/netfilter/nf_conntrack_sip.c > @@ -1368,6 +1368,7 @@ static int process_sip_response(struct sk_buff

[PATCH nf] netfilter: conntrack: do not dump other netns's conntrack entries via proc

2016-08-15 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We should skip the conntracks that belong to a different namespace, otherwise other unrelated netns's conntrack entries will be dumped via /proc/net/nf_conntrack. Fixes: 56d52d4892d0 ("netfilter: conntrack: use a single hashta

[PATCH iptables V2 2/2] xshared: using the blocking file lock request when we wait indefinitely

2017-02-06 Thread Liping Zhang
From: Liping Zhang <zlpnob...@gmail.com> When using "-w" to avoid concurrent instances, we try to do flock() every second until it succeeds. But one second may be too long in some situations, and it's hard to select a suitable interval time. So when using "iptables -w"

[PATCH iptables 2/2] xshared: using the blocking file lock request when we wait indefinitely

2017-02-05 Thread Liping Zhang
From: Liping Zhang <zlpnob...@gmail.com> When using "-w" to avoid concurrent instances, we try to do flock() every second until it succeeds. But one second may be too long in some situations, and it's hard to select a suitable interval time. So when using "iptables

Re: [PATCH nf-next v2 1/1] netfilter: nf_tables: Eliminate duplicated codes in nf_tables_table_enable

2017-01-20 Thread Liping Zhang
2017-01-20 15:42 GMT+08:00 Feng Gao : [...] > In v2 patch, I copied your recommend codes "if (cnt && --cnt == 0)". > Today I think it is not right to use "--cnt", it should use "cnt--". > Because when the cnt is 1, the "--cnt" would break directly. > So I send the v3 patch.

[PATCH nf] netfilter: nft_log: restrict the log prefix length to 127

2017-01-22 Thread Liping Zhang
From: Liping Zhang <zlpnob...@gmail.com> First, the log prefix will be truncated to NF_LOG_PREFIXLEN-1, i.e. 127, at nf_log_packet(), so the extra part is useless. Second, after adding a log rule with a very very long prefix, we will fail to dump the nft rules after this _special_ one, but acc

[PATCH nf-next] netfilter: nfnetlink: remove static declaration from err_list

2017-02-17 Thread Liping Zhang
From: Liping Zhang <zlpnob...@gmail.com> Otherwise, different subsystems will race to access the err_list while holding different nfnl_lock(subsys_id). But this will not happen now, since ->call_batch is only implemented by nftables, so the err_list is protected by nfnl_lock(NFNL_SUBSYS

Re: [PATCH nf] netfilter: nf_tables: report error if stateful obj's name is truncated

2017-01-19 Thread Liping Zhang
2017-01-19 22:09 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Thu, Jan 19, 2017 at 10:00:20PM +0800, Liping Zhang wrote: >> From: Liping Zhang <zlpnob...@gmail.com> >> >> Currently, if the user add a stateful object with the name size exceed >&g

[PATCH nf] netfilter: nf_tables: report error if stateful obj's name is truncated

2017-01-19 Thread Liping Zhang
From: Liping Zhang <zlpnob...@gmail.com> Currently, if the user adds a stateful object with a name size exceeding NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently. This is not friendly; furthermore, this will cause duplicated stateful objects when the first 31 char

[PATCH nf V2] netfilter: nf_tables: validate the name size when possible

2017-01-20 Thread Liping Zhang
From: Liping Zhang <zlpnob...@gmail.com> Currently, if the user adds a stateful object with a name size exceeding NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently. This is not friendly; furthermore, this will cause duplicated stateful objects when the first 31 char

[PATCH nf] netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT

2016-08-21 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> After I added the nft rule "nft add rule filter prerouting reject with tcp reset", a kernel panic happened on my system: NULL pointer dereference at ... IP: [] nf_send_reset+0xaf/0x400 Call Trace: [] ? nf_reject_ip_tcphdr

[PATCH iptables] extensions: libxt_CLASSIFY: Add translation to nft

2016-08-21 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> For example: # iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0 nft add rule ip filter OUTPUT counter meta priority set none # iptables-translate -A OUTPUT -j CLASSIFY --set-class : nft add rule ip filter OUTPUT c

[PATCH nf] netfilter: nft_meta: improve the validity check of pkttype set expr

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> "meta pkttype set" is only supported on prerouting chain with bridge family and ingress chain with netdev family. But the validate check is incomplete, and the user can add the nft rules on input chain with bridge family, for exam

[PATCH nft] parser_bison: keep snat/dnat existing syntax unchanged

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We should keep existing syntax unchanged, and this was emphasized in the commit 850f0a56b6ad ("src: add 'to' for snat and dnat")'s commit log: "Existing syntax is still preserved, but the listing shows the one including

[PATCH nft] tests: shell: add testcase for reject expr

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The reject expr is only valid in the input/forward/output chains, and if the user can add a reject expr in the prerouting chain, a kernel panic will happen. So add a simple test case to cover this situation. Signed-off-by: Liping Zhang <liping.zh...@sprea

[PATCH nf 1/3] netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> cttimeout and acct objects are deleted from the list while traversing it, so using list_for_each_entry is unsafe here. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nfnetlink_acct.c | 6 +++--- n

[PATCH nf 3/3] netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> KASAN reported this bug: BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at addr 880002db08c8 Read of size 4 by task lt-nf-queue/19041 Call Trace: [] dump_stack+0x63/0x88 [] kasan_report_error+0x528

[PATCH nf 2/3] netfilter: cttimeout: put back l4proto when replacing timeout policy

2016-08-22 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> We forgot to call nf_ct_l4proto_put when replacing the existing timeout policy. Actually, there's no need to get the ct l4proto before doing the replace, so we can move it to a later position. Signed-off-by: Liping Zhang <liping.zh...@sprea

Re: [PATCH iptables] xtables: Remove unused macro

2017-02-27 Thread Liping Zhang
Hi, 2017-02-28 4:33 GMT+08:00 Subash Abhinov Kasiviswanathan : > Minor change to remove the unused macro added as part of commit > e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 ("xtables: Add an interval > option for xtables lock wait") [...] > -#define BASE_MICROSECONDS

[PATCH iptables] extensions: libip6t_SNAT/DNAT: add square bracket in xlat output when port is specified

2016-09-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> It is better to add square brackets to the ip6 address in the nft translation output when the port is specified. This keeps it consistent with the nft syntax. Before this patch: # ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-desti

[PATCH nf] netfilter: nf_tables_trace: fix endianness when dumping chain policy

2016-09-02 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> The NFTA_TRACE_POLICY attribute is big endian, but we forgot to call htonl to convert it. Fortunately, this attribute is parsed as big endian in libnftnl. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> --- net/netfilter/nf_ta

[PATCH nf] netfilter: nft_chain_route: re-route before skb is queued to userspace

2016-09-06 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> Imagine such a situation: the user adds the following nft rules, and queues the packets to userspace for further checking: # ip rule add fwmark 0x0/0x1 lookup eth0 # ip rule add fwmark 0x1/0x1 lookup eth1 # nft add table filter # nft add chain

Re: [PATCH nf-next] netfilter: nft_queue: add _SREG_FROM and _SRGE_TO to select the queue numbers

2016-09-11 Thread Liping Zhang
2016-09-12 5:12 GMT+08:00 Florian Westphal <f...@strlen.de>: > Liping Zhang <zlpnob...@163.com> wrote: >> So similar to nft_nat, take two registers to select the queue numbers, >> then we can add one simple rule to map queues, maybe like this: >> queue num

[PATCH libnftnl 0/3] expr: queue: add sreg_from and sreg_to support

2016-09-11 Thread Liping Zhang
From: Liping Zhang <liping.zh...@spreadtrum.com> This patch set is mainly used to add NFTA_QUEUE_SREG_FROM and NFTA_QUEUE_SREG_TO attribute support in libnftnl. Meanwhile, I found some trivial bugs exist in the queue expr. So I try to fix them in patch #1 and patch #2. Liping Zhang (3): expr:
