08 Jul, 2012
1 commit
05 Jul, 2012
5 commits
-
Allow setting of only supported flag bits in queue->flags.
Signed-off-by: Krishna Kumar
Signed-off-by: Pablo Neira Ayuso -
nfnetlink_rcv_msg() might call a NULL callback which will cause NULL pointer
dereference.Signed-off-by: Tomasz Bursztyka
Signed-off-by: Pablo Neira Ayuso -
This patch adds missing per-net support for the cttimeout
infrastructure to TCP.Signed-off-by: Pablo Neira Ayuso
Acked-by: Gao feng -
This patch generalizes nf_ct_l4proto_net by splitting it into chunks and
moving the corresponding protocol part to where it really belongs to.To clarify, note that we follow two different approaches to support per-net
depending if it's built-in or run-time loadable protocol tracker.Signed-off-by: Pablo Neira Ayuso
Acked-by: Gao feng
30 Jun, 2012
2 commits
-
This patch adds a hook in the binding path of netlink.
This is used by ctnetlink to allow module autoloading for the case
in which one user executes:conntrack -E
So far, this resulted in nfnetlink loaded, but not
nf_conntrack_netlink.I have received in the past many complains on this behaviour.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller -
This patch adds the following structure:
struct netlink_kernel_cfg {
unsigned int groups;
void (*input)(struct sk_buff *skb);
struct mutex *cb_mutex;
};That can be passed to netlink_kernel_create to set optional configurations
for netlink kernel sockets.I've populated this structure by looking for NULL and zero parameters at the
existing code. The remaining parameters that always need to be set are still
left in the original interface.That includes optional parameters for the netlink socket creation. This allows
easy extensibility of this interface in the future.This patch also adapts all callers to use this new interface.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
29 Jun, 2012
2 commits
-
Bug added in commit 6b75e3e8d664a9a (netfilter: nfnetlink: add RCU in
nfnetlink_rcv_msg())Signed-off-by: Tomasz Bursztyka
Acked-by: Eric Dumazet
Signed-off-by: Pablo Neira Ayuso -
This patch fixes a crash if that ipset command is sent over nfnetlink.
Signed-off-by: Tomasz Bursztyka
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
28 Jun, 2012
11 commits
-
This patch is a cleanup. It adds dccp_kmemdup_sysctl_table to
split code into smaller chunks. Yet it prepares introduction
of nf_conntrack_proto_*_sysctl.c.Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
This patch is a cleanup. It adds generic_kmemdup_sysctl_table to
split code into smaller chunks. Yet it prepares introduction
of nf_conntrack_proto_*_sysctl.c.Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
Merge sctpv4_net_init and sctpv6_net_init into sctp_net_init to
remove redundant code now that we have the u_int16_t proto
parameter.And use nf_proto_net.users to identify if it's the first time
we use the nf_proto_net, in that case, we initialize iSigned-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
This cleans up nf_conntrack_l4proto_udplite[4,6] and it prepares
the moving of the sysctl code to nf_conntrack_proto_*_sysctl.c
to reduce the ifdef pollution.And use nf_proto_net.users to identify if it's the first time
we use the nf_proto_net, in that case, we initialize it.Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
Merge udpv4_net_init and udpv6_net_init into udp_net_init to
remove redundant code now that we have the u_int16_t proto
parameter.And use nf_proto_net.users to identify if it's the first time
we use the nf_proto_net, in that case, we initialize it.Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
Merge tcpv4_net_init and tcpv6_net_init into tcp_net_init to
remove redundant code now that we have the u_int16_t proto
parameter.And use nf_proto_net.users to identify if it's the first time
we use the nf_proto_net, in that case, we initialize it.Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
In nf_ct_l4proto_register_sysctl, if l4proto sysctl registration
fails, we have to make sure that we release the compat sysctl
table.This can happen if TCP has been registered compat for IPv4, and
IPv6 compat registration fails.Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
Currently, nf_proto_net's l4proto->users meaning is quite confusing
since it depends on the compilation tweaks.To resolve this, we cleanup this code to regard it as the refcount
for l4proto's per-net data, since there may be two l4protos use the
same per-net data.Thus, we increment pn->users when nf_conntrack_l4proto_register
successfully, and decrement it for nf_conntrack_l4_unregister case.The users refcnt is not required form layer 3 protocol trackers.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
This patch is a cleanup.
It adds nf_ct_kfree_compat_sysctl_table to release l4proto's
compat sysctl table and set the compat sysctl table point to NULL.This new function will be used by follow-up patches.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
l4proto->init contain quite redundant code. We can simplify this
by adding a new parameter l3proto.This patch prepares that code simplification.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
Before commit 2c352f444ccfa966a1aa4fd8e9ee29381c467448
(netfilter: nf_conntrack: prepare namespace support for
l4 protocol trackers), we register sysctl before register
protocol tracker. Thus, if sysctl is registration fails,
the protocol tracker will not be registered.After that commit, if sysctl registration fails, protocol
registration still remains, so we leave things in intermediate
state.To fix this, this patch registers sysctl before protocols.
And if protocol registration fail, sysctl is unregistered.Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
27 Jun, 2012
3 commits
-
This patch adds the following messages to ctnetlink:
IPCTNL_MSG_CT_GET_STATS_CPU
IPCTNL_MSG_CT_GET_STATS
IPCTNL_MSG_EXP_GET_STATS_CPUTo display connection tracking system per-cpu and global statistics.
This provides a replacement for the following /proc interfaces:
/proc/net/stat/nf_conntrack
/proc/sys/net/netfilter/nf_conntrack_countSigned-off-by: Pablo Neira Ayuso
-
And use nlmsg_data() while we're here too.
Signed-off-by: David S. Miller
-
And use nlmsg_data() while we're here too.
Signed-off-by: David S. Miller
25 Jun, 2012
2 commits
-
After call to ip6_route_output() we must release dst or we leak it.
Also should test dst->error, as ip6_route_output() never returns NULL.
Use boolean while we are at it.
Signed-off-by: Eric Dumazet
Signed-off-by: Pablo Neira Ayuso -
ifname_compare() assumes that skb->dev is zero-padded,
e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver doesstrncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);
in e1000_probe(), so once device is registered dev->name memory contains
'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
fail.Use plain strcmp() instead.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
23 Jun, 2012
2 commits
-
This patch fixes compilation with NF_CONNTRACK_EVENTS=n and
NETFILTER_NETLINK_QUEUE_CT=y.I'm leaving all those static inline functions that calculate the size
of the event message out of the ifdef area of NF_CONNTRACK_EVENTS since
they will not be included by gcc in case they are unused.Reported-by: Randy Dunlap
Signed-off-by: Pablo Neira Ayuso -
This patch fixes a sparse warning due to missing include header file.
Signed-off-by: Pablo Neira Ayuso
22 Jun, 2012
1 commit
-
LD init/built-in.o
net/built-in.o:(.data+0x4408): undefined reference to `nf_nat_tcp_seq_adjust'
make: *** [vmlinux] Error 1This patch adds a new pointer hook (nfq_ct_nat_hook) similar to other existing
in Netfilter to solve our complicated configuration dependencies.Reported-by: Valdis Kletnieks
Signed-off-by: Pablo Neira Ayuso
21 Jun, 2012
1 commit
-
This removes some sparse warnings.
Reported-by: Fengguang Wu
Signed-off-by: Pablo Neira Ayuso
19 Jun, 2012
4 commits
-
In "9cb0176 netfilter: add glue code to integrate nfnetlink_queue and ctnetlink"
the compilation with NF_CONNTRACK disabled is broken. This patch fixes this
issue.I have moved the conntrack part into nfnetlink_queue_ct.c to avoid
peppering the entire nfnetlink_queue.c code with ifdefs.I also needed to rename nfnetlink_queue.c to nfnetlink_queue_pkt.c
to update the net/netfilter/Makefile to support conditional compilation
of the conntrack integration.This patch also adds CONFIG_NETFILTER_QUEUE_CT in case you want to explicitly
disable the integration between nf_conntrack and nfnetlink_queue.Reported-by: Andrew Morton
Signed-off-by: Pablo Neira Ayuso -
This patch fixes the compilation of net/netfilter/nfnetlink_cthelper.c
if CONFIG_NF_CONNTRACK is not set.This patch also moves the definition of the cthelper infrastructure to
the scope of NF_CONNTRACK things.I have also renamed NETFILTER_NETLINK_CTHELPER by NF_CT_NETLINK_HELPER,
to use similar names to other nf_conntrack_netlink extensions. Better now
that this has been only for two days in David's tree.Two new dependencies have been added:
* NF_CT_NETLINK
* NETFILTER_NETLINK_QUEUESince these infrastructure requires both ctnetlink and nfqueue.
Reported-by: Randy Dunlap
Signed-off-by: Pablo Neira Ayuso -
This patch modifies __nf_ct_try_assign_helper in a way that invalidates support
for the following scenario:1) attach the helper A for first time when the conntrack is created
2) attach new (different) helper B due to changes the reply tuple caused by NATeg. port redirection from TCP/21 to TCP/5060 with both FTP and SIP helpers
loaded, which seems to be a quite unorthodox scenario.I can provide a more elaborated patch to support this scenario but explicit
helper attachment provides a better solution for this since now the use can
attach the helpers consistently, without relying on the automatic helper
lookup magic.This patch fixes a possible out of bound zeroing of the conntrack helper
extension if the helper B uses more memory for its private data than
helper A.Signed-off-by: Pablo Neira Ayuso
-
The patch 1afc56794e03: "netfilter: nf_ct_helper: implement variable
length helper private data" from Jun 7, 2012, leads to the following
Smatch complaint:net/netfilter/nf_conntrack_netlink.c:1231 ctnetlink_change_helper()
error: we previously assumed 'help->helper' could be null (see line 1228)This NULL dereference can be triggered with the following sequence:
1) attach the helper for first time when the conntrack is created.
2) remove the helper module or detach the helper from the conntrack
via ctnetlink.
3) attach helper again (the same or different one, no matter) to the
that existing conntrack again via ctnetlink.This patch fixes the problem by removing the use case that allows you
to re-assign again a helper for one conntrack entry via ctnetlink since
I cannot find any practical use for it.Reported-by: Dan Carpenter
Signed-off-by: Pablo Neira Ayuso
17 Jun, 2012
1 commit
-
Pablo says:
====================
This is the second batch of Netfilter updates for net-next. It contains the
kernel changes for the new user-space connection tracking helper
infrastructure.More details on this infrastructure are provides here:
http://lwn.net/Articles/500196/Still, I plan to provide some official documentation through the
conntrack-tools user manual on how to setup user-space utilities for this.
So far, it provides two helper in user-space, one for NFSv3 and another for
Oracle/SQLnet/TNS. Yet in my TODO list.
====================Signed-off-by: David S. Miller
16 Jun, 2012
5 commits
-
There are good reasons to supports helpers in user-space instead:
* Rapid connection tracking helper development, as developing code
in user-space is usually faster.* Reliability: A buggy helper does not crash the kernel. Moreover,
we can monitor the helper process and restart it in case of problems.* Security: Avoid complex string matching and mangling in kernel-space
running in privileged mode. Going further, we can even think about
running user-space helpers as a non-root process.* Extensibility: It allows the development of very specific helpers (most
likely non-standard proprietary protocols) that are very likely not to be
accepted for mainline inclusion in the form of kernel-space connection
tracking helpers.This patch adds the infrastructure to allow the implementation of
user-space conntrack helpers by means of the new nfnetlink subsystem
`nfnetlink_cthelper' and the existing queueing infrastructure
(nfnetlink_queue).I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register
ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into
two pieces. This change is required not to break NAT sequence
adjustment and conntrack confirmation for traffic that is enqueued
to our user-space conntrack helpers.Basic operation, in a few steps:
1) Register user-space helper by means of `nfct':
nfct helper add ftp inet tcp
[ It must be a valid existing helper supported by conntrack-tools ]
2) Add rules to enable the FTP user-space helper which is
used to track traffic going to TCP port 21.For locally generated packets:
iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
For non-locally generated packets:
iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
3) Run the test conntrackd in helper mode (see example files under
doc/helper/conntrackd.confconntrackd
4) Generate FTP traffic going, if everything is OK, then conntrackd
should create expectations (you can check that with `conntrack':conntrack -E expect
[NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp
[DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftpThis confirms that our test helper is receiving packets including the
conntrack information, and adding expectations in kernel-space.The user-space helper can also store its private tracking information
in the conntrack structure in the kernel via the CTA_HELP_INFO. The
kernel will consider this a binary blob whose layout is unknown. This
information will be included in the information that is transfered
to user-space via glue code that integrates nfnetlink_queue and
ctnetlink.Signed-off-by: Pablo Neira Ayuso
-
This attribute can be used to modify and to dump the internal
protocol information.Signed-off-by: Pablo Neira Ayuso
-
User-space programs that receive traffic via NFQUEUE may mangle packets.
If NAT is enabled, this usually puzzles sequence tracking, leading to
traffic disruptions.With this patch, nfnl_queue will make the corresponding NAT TCP sequence
adjustment if:1) The packet has been mangled,
2) the NFQA_CFG_F_CONNTRACK flag has been set, and
3) NAT is detected.There are some records on the Internet complaning about this issue:
http://stackoverflow.com/questions/260757/packet-mangling-utilities-besides-iptablesBy now, we only support TCP since we have no helpers for DCCP or SCTP.
Better to add this if we ever have some helper over those layer 4 protocols.Signed-off-by: Pablo Neira Ayuso
-
This patch allows you to include the conntrack information together
with the packet that is sent to user-space via NFQUEUE.Previously, there was no integration between ctnetlink and
nfnetlink_queue. If you wanted to access conntrack information
from your libnetfilter_queue program, you required to query
ctnetlink from user-space to obtain it. Thus, delaying the packet
processing even more.Including the conntrack information is optional, you can set it
via NFQA_CFG_F_CONNTRACK flag with the new NFQA_CFG_FLAGS attribute.Signed-off-by: Pablo Neira Ayuso
-
This patch uses the new variable length conntrack extensions.
Instead of using union nf_conntrack_help that contain all the
helper private data information, we allocate variable length
area to store the private helper data.This patch includes the modification of all existing helpers.
It also includes a couple of include header to avoid compilation
warnings.Signed-off-by: Pablo Neira Ayuso