[PATCH v3] xtables: Add a smaller delay option when waiting for xtables lock

2016-06-02 Thread Subash Abhinov Kasiviswanathan
ted by Pablo. Also maintain current behavior for -w to sleep for 1 second as mentioned by Liping. v2->v3: Move the millisecond behavior to a new option as suggested by Pablo. Cc: Liping Zhang <zlpnob...@gmail.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Subash Abhin

[PATCH v4] xtables: Add an interval option for xtables lock wait

2016-06-14 Thread Subash Abhinov Kasiviswanathan
.@gmail.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- iptables/ip6tables.c | 26 -- iptables/iptables.8.in | 7 +++ iptables/iptables.c| 26 ++

[PATCH v5] xtables: Add an interval option for xtables lock wait

2016-06-23 Thread Subash Abhinov Kasiviswanathan
on error when enabling nftables Cc: Liping Zhang <zlpnob...@gmail.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- iptables/ip6tables.c | 26 -- iptables/iptables.8.in |

[PATCH iptables] xtables: Remove unused macro

2017-02-27 Thread Subash Abhinov Kasiviswanathan
Minor change to remove the unused macro added as part of commit e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 ("xtables: Add an interval option for xtables lock wait") Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- iptables/xshared.c | 1 - 1 file cha

Re: [PATCH iptables 1/2] iptables: remove duplicated argument parsing code

2017-03-15 Thread Subash Abhinov Kasiviswanathan
On 2017-03-15 07:45, Lorenzo Colitti wrote: 1. Factor out repeated code to a new xs_has_arg function. 2. Add a new parse_wait_time option to parse the value of -w. 3. Make parse_wait_interval take argc and argv so its callers can be simpler. Signed-off-by: Lorenzo Colitti

[PATCH nf-next] netfilter: conntrack: Change to deferable work queue

2017-07-20 Thread Subash Abhinov Kasiviswanathan
Delayed workqueue causes wakeups to idle CPUs. This was causing a power impact for devices. Use deferrable work queue instead so that gc_worker runs when CPU is active only. Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- net/netfilter/nf_conntrack_core.c | 2

Re: [PATCH] netfilter: xt_socket: Restore mark from full sockets only

2017-09-21 Thread Subash Abhinov Kasiviswanathan
if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard && - transparent) + transparent && sk_fullsock(sk)) pskb->mark = sk->sk_mark; if (sk != skb->sk) What about socket_mt6_v1_v2_v3() ? Thanks. Hi
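Review bot: the `sk_fullsock(sk)` guard added in front of `pskb->mark = sk->sk_mark` covers only this IPv4 match path; the IPv6 match `socket_mt6_v1_v2_v3()` restores the mark the same way and needs the same check, otherwise a request socket (which is not a full socket) can still be dereferenced for `sk_mark` there, which is the out-of-bounds access this patch is meant to close.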

[PATCH] netfilter: xt_socket: Restore mark from full sockets only

2017-09-21 Thread Subash Abhinov Kasiviswanathan
ip_local_deliver_finish+0x174/0x3e0 net/ipv4/ip_input.c:216 Fixes: a9407388 ("netfilter: xt_socket: prepare for TCP_NEW_SYN_RECV support") Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- net/netfilter/xt_socket.c | 2 +- 1 file changed, 1 insertio

Re: [PATCH v2] netfilter: xt_socket: Restore mark from full sockets only

2017-09-21 Thread Subash Abhinov Kasiviswanathan
On 2017-09-21 18:01, Eric Dumazet wrote: On Thu, 2017-09-21 at 16:08 -0600, Subash Abhinov Kasiviswanathan wrote: An out of bounds error was detected on an ARM64 target with Android based kernel 4.9. This occurs while trying to restore mark on a skb from an inet request socket. BUG: KASAN

[PATCH v2] netfilter: xt_socket: Restore mark from full sockets only

2017-09-21 Thread Subash Abhinov Kasiviswanathan
ip_local_deliver_finish+0x174/0x3e0 net/ipv4/ip_input.c:216 v1->v2: Change socket_mt6_v1_v2_v3() as well as mentioned by Eric Fixes: a9407388 ("netfilter: xt_socket: prepare for TCP_NEW_SYN_RECV support") Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>

[PATCH v3] netfilter: xt_socket: Restore mark from full sockets only

2017-09-21 Thread Subash Abhinov Kasiviswanathan
ip_local_deliver_finish+0x174/0x3e0 net/ipv4/ip_input.c:216 v1->v2: Change socket_mt6_v1_v2_v3() as well as mentioned by Eric v2->v3: Put the correct fixes tag Fixes: 01555e74bde5 ("netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag") Signed-off-by: Subash Abhinov Kasivi

[PATCH nf-next v2] netfilter: nf_defrag_ipv4: Skip defrag if NOTRACK is set

2017-12-19 Thread Subash Abhinov Kasiviswanathan
ter to pass in the priority during module load as suggested by Pablo. Also update commit text. Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- net/ipv4/netfilter/iptable_raw.c| 14 +- net/ipv4/netfilter/nf_defrag_ipv4.c | 2 +- 2 files changed, 14 i

[PATCH nf-next] netfilter: nf_defrag_ipv4: Skip defrag if NOTRACK is set

2017-11-13 Thread Subash Abhinov Kasiviswanathan
. We need to introduce a lower priority rule and deprecate the existing rule. Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- include/uapi/linux/netfilter_ipv4.h | 3 ++- net/ipv4/netfilter/nf_defrag_ipv4.c | 6 +++--- 2 files changed, 5 insertions(+), 4 del

Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-08 Thread Subash Abhinov Kasiviswanathan
We can probably skip defrag if explicit notrack is requested via rule. Hi Pablo Thanks for the suggestion. I tried this and it appears that defrag occurs before NOTRACK is hit in raw table in PREROUTING. This is because the defrag priority happens to be higher than that of RAW.

[PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-03 Thread Subash Abhinov Kasiviswanathan
to be fragmented after encryption since these packets were smaller in size than the wifi MTU. Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- Documentation/networking/ip-sysctl.txt | 3 +++ include/linux/inetdevice.h | 2 ++ include/uapi/linu

Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-07 Thread Subash Abhinov Kasiviswanathan
This breaks connection tracking for packets coming in via such interfaces. Nowadays we only enable defrag in a network namespace if the ip/nftables ruleset requires it, so this setting would be counter-productive. Hi Florian This use case is run on an Android based device, so there will be

Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Skip defrag if NOTRACK is set

2017-12-10 Thread Subash Abhinov Kasiviswanathan
I'm actually referring to module_param(), that is specified at modprobe time. Such parameter would set an alternative hook priority for the raw table, ie. before the defrag hook. I guess there must be a way to store these module parameters in Android, so whenever modprobe is invoked, either

Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Skip defrag if NOTRACK is set

2017-12-09 Thread Subash Abhinov Kasiviswanathan
Would it work for you if this is specified via global modparam? I'm telling this because: 1) This is changing the default behaviour, which is always tricky. 2) This is already solved in nftables, so whatever solution that we apply, it should be iptables specific. If modparam is fine, just

Re: [PATCH nf-next v2] netfilter: nf_defrag_ipv4: Skip defrag if NOTRACK is set

2017-12-21 Thread Subash Abhinov Kasiviswanathan
Can we get the same thing for IPv6, for symmetry? Thanks! Hi Pablo Yes, I can include IPv6 in v3.

Re: [PATCH nf-next v3] netfilter: nf_defrag: Skip defrag if NOTRACK is set

2018-01-08 Thread Subash Abhinov Kasiviswanathan
On 2018-01-08 06:32, Pablo Neira Ayuso wrote: Hi Subash, One more concern before this gets upstream. Do you think we can turn this into an on/off knob instead? I mean, I think it's good if you add a new NF_IP_PRI_RAW_BEFORE_DEFRAG and we place it into uapi. I'm just worried about follow up

[PATCH nf-next v4] netfilter: nf_defrag: Skip defrag if NOTRACK is set

2018-01-10 Thread Subash Abhinov Kasiviswanathan
mit text. v2->v3: Implement similar functionality for IPv6 as well v3->v4: Add NF_IP_PRI_RAW_BEFORE_DEFRAG in uapi and make the module load priority into an on/off knob. Add the module name to the print. Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>

[PATCH net-next v2] netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460

2018-01-12 Thread Subash Abhinov Kasiviswanathan
tle and commit message accordingly. Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- net/ipv6/netfilter/nf_conntrack_reasm.c | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/

Re: [PATCH nf-next] netfilter: ipv6: nf_defrag: Always pass on packets to stack

2018-01-11 Thread Subash Abhinov Kasiviswanathan
On 2018-01-11 23:35, Florian Westphal wrote: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> wrote: diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 977d890..a44c8b2 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/ne

Re: [nf-next:master 16/16] net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68:9: error: 'struct sk_buff' has no member named '_nfct'

2018-01-11 Thread Subash Abhinov Kasiviswanathan
On 2018-01-11 22:10, kbuild test robot wrote: tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: 902d6a4c2a4f411582689e53fb101895ffe99028 commit: 902d6a4c2a4f411582689e53fb101895ffe99028 [16/16] netfilter: nf_defrag: Skip defrag if NOTRACK is set config:

[PATCH nf-next] netfilter: nf_defrag: Fix compiler errors

2018-01-11 Thread Subash Abhinov Kasiviswanathan
) Reported-by: kbuild test robot <fengguang...@intel.com> Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- net/ipv4/netfilter/iptable_raw.c | 2 +- net/ipv4/netfilter/nf_defrag_ipv4.c | 6 +- net/ipv6/netfilter/ip6table_raw.c | 2

[PATCH nf-next] netfilter: ipv6: nf_defrag: Always pass on packets to stack

2018-01-11 Thread Subash Abhinov Kasiviswanathan
this cloned skb and pass on the original skb. Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- net/ipv6/netfilter/nf_conntrack_reasm.c | 15 +-- net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 4 ++-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git

[PATCH nf-next] netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure

2018-01-31 Thread Subash Abhinov Kasiviswanathan
was not released if an error in IPv6 fragmentation header was detected by RFC2460. Fixes: 83f1999caeb1 ("netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460") Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- Hi Pablo This needs to be picked up f

[PATCH nf-next v3] netfilter: nf_defrag: Skip defrag if NOTRACK is set

2018-01-03 Thread Subash Abhinov Kasiviswanathan
ter to pass in the priority during module load as suggested by Pablo. Also update commit text. v2->v3: Implement similar functionality for IPv6 as well Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- net/ipv4/netfilter/iptable_raw.c | 14

[PATCH] netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}

2018-04-03 Thread Subash Abhinov Kasiviswanathan
;) Signed-off-by: Tejaswi Tanikella <tejas...@codeaurora.org> Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Hi Pablo This patch is a backport and it is for 4.9 and older kernels only. --- net/netfilter/x

[PATCH nf] netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}

2018-03-22 Thread Subash Abhinov Kasiviswanathan
gned-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> --- Hi Pablo This crash was seen on a 4.9 based kernel, so the call stack is slightly different from current upstream code. xt_socket_lookup_slow_v{4,6} was replaced by nf_sk_lookup_slow_v4 on newer kernels after commit

Re: [PATCH nf] netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}

2018-03-23 Thread Subash Abhinov Kasiviswanathan
I think it's best if you wait before the patch ends up in Linus' tree so you can reference the commit id from the backports commit message. Hi Florian Sure, I can do that.