27 Nov, 2020
1 commit
-
Userspace might match on prefix bytes of header fields if they are on
the byte boundary, this requires that the mask is adjusted accordingly.
Use NFT_OFFLOAD_MATCH_EXACT() for meta since prefix byte matching is not
allowed for this type of selector.

The bitwise expression might be optimized out by userspace, hence the
kernel needs to infer the prefix from the number of payload bytes to
match on. This patch adds nft_payload_offload_mask() to calculate the
bitmask to match on the prefix.

Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso
08 Sep, 2020
1 commit
-
... instead of using init_user_ns.
Fixes: 96518518cc41 ("netfilter: add nftables")
Tested-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
02 Aug, 2020
1 commit
-
iifgroup matching erroneously checks the output interface.
Fixes: 8724e819cc9a ("netfilter: nft_meta: move all interface related keys to helper")
Reported-by: Demi M. Obenour
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
27 Dec, 2019
9 commits
-
Allow to match on vrf slave ifindex or name.

In case there was no slave interface involved, store 0 in the
destination register just like existing iif/oif matching.

sdif(name) is restricted to the ipv4/ipv6 input and forward hooks,
as it depends on ip(6) stack parsing/storing info in skb->cb[].

Cc: Martin Willi
Cc: David Ahern
Cc: Shrijeet Mukherjee
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
skb_dst is an inline helper with a WARN_ON(), so this is a bit more code
than it looks like.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
Move this out of the main eval loop, the numgen expression
provides a better alternative to meta random.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
Reduces repetitiveness and reduces size of meta eval function.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
checkpatch complains about == NULL checks in original code,
so use !in instead.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
Reduce size of main eval function.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Not a hot path. Also, both have copy&paste case statements,
so use a common helper for both.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
When pkttype is loopback, nft_meta performs guesswork to detect
broad/multicast packets. Place this in a helper, this is hardly a hot path.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
reduce size of the (large) meta evaluation function.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
21 Nov, 2019
1 commit
-
Hardware offload support at this stage assumes an ethernet device in
place. The flow dissector provides the intermediate representation to
express this selector, so extend it to allow to store the interface
type. Flower does not use this, so skb_flow_dissect_meta() is not
extended to match on this new field.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
16 Nov, 2019
1 commit
-
On 32-bit architectures, get_seconds() returns an unsigned 32-bit
time value, which also matches the type used in the nft_meta
code. This will not overflow in year 2038 as a time_t would, but
it still suffers from the overflow problem later on in year 2106.

Change this instance to use the time64_t type consistently
and avoid the deprecated get_seconds().

The nft_meta_weekday() calculation potentially gets a little slower
on 32-bit architectures, but now it has the same behavior as on
64-bit architectures and does not overflow.

Fixes: 63d10e12b00d ("netfilter: nft_meta: support for time matching")
Signed-off-by: Arnd Bergmann
Acked-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
13 Nov, 2019
1 commit
-
This patch adds support for offloading the NFT_META_IIF selector.
Signed-off-by: Pablo Neira Ayuso
26 Aug, 2019
1 commit
-
This patch introduces meta matches in the kernel for time (a UNIX timestamp),
day (a day of week, represented as an integer between 0-6), and
hour (an hour in the current day, or: number of seconds since midnight).

All values are taken as unsigned 64-bit integers.
The 'time' keyword is internally converted to nanoseconds by nft in
userspace, and hence the timestamp is taken in nanoseconds as well.

Signed-off-by: Ander Juaristi
Signed-off-by: Pablo Neira Ayuso
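How the day and hour selectors are derived from the timestamp, and the unsigned 32-bit wraparound in year 2106 that the time64_t change in the 16 Nov, 2019 entry above removes, as an added example (not the kernel's code; the function names are this example's own, UTC is assumed and the kernel's timezone adjustment is left out):

```c
#include <stdint.h>

#define SECS_PER_DAY   86400ULL
#define DAYS_PER_WEEK  7ULL
#define NSEC_PER_SEC   1000000000ULL

/* 'time' reaches the kernel as a UNIX timestamp in nanoseconds (nft
 * converts it in userspace); day/hour are derived from whole seconds. */
uint64_t ns_to_secs(uint64_t ns)
{
    return ns / NSEC_PER_SEC;
}

/* Day of week, 0 = Sunday .. 6 = Saturday, from a 64-bit second count.
 * 1 Jan 1970 was a Thursday, hence the +4. UTC only (assumption). */
uint32_t meta_weekday64(uint64_t secs)
{
    uint64_t days_since_epoch = secs / SECS_PER_DAY;
    return (uint32_t)((days_since_epoch + 4) % DAYS_PER_WEEK);
}

/* 'hour': seconds since midnight (UTC) of the current day. */
uint32_t meta_hour64(uint64_t secs)
{
    return (uint32_t)(secs % SECS_PER_DAY);
}

/* The pre-fix arithmetic on a 32-bit host: the second count was held in
 * an unsigned 32-bit value, which wraps in year 2106 and from then on
 * yields a weekday computed from the wrong day count. */
uint32_t meta_weekday32(uint64_t secs)
{
    uint32_t secs32 = (uint32_t)secs; /* the 2106 truncation */
    return (secs32 / (uint32_t)SECS_PER_DAY + 4) % (uint32_t)DAYS_PER_WEEK;
}

/* 1 if the 32-bit and 64-bit paths agree for this timestamp. */
int weekday_paths_agree(uint64_t secs)
{
    return meta_weekday32(secs) == meta_weekday64(secs);
}
```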
25 Jul, 2019
1 commit
-
nft_meta_get_eval()'s tendency to bail out setting NFT_BREAK verdict in
situations where required data is missing leads to unexpected behaviour
with inverted checks like so:

| meta iifname != eth0 accept

This rule will never match if there is no input interface (or it is not
known) which is not intuitive and, what's worse, breaks consistency of
iptables-nft with iptables-legacy.

Fix this by falling back to placing a value in dreg which never matches
(avoiding accidental matches), i.e. zero for interface index and an
empty string for interface name.

Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
20 Jul, 2019
1 commit
-
The new nft_meta_bridge code fails to link as built-in when NF_TABLES
is a loadable module.

net/bridge/netfilter/nft_meta_bridge.o: In function `nft_meta_bridge_get_eval':
nft_meta_bridge.c:(.text+0x1e8): undefined reference to `nft_meta_get_eval'
net/bridge/netfilter/nft_meta_bridge.o: In function `nft_meta_bridge_get_init':
nft_meta_bridge.c:(.text+0x468): undefined reference to `nft_meta_get_init'
nft_meta_bridge.c:(.text+0x49c): undefined reference to `nft_parse_register'
nft_meta_bridge.c:(.text+0x4cc): undefined reference to `nft_validate_register_store'
net/bridge/netfilter/nft_meta_bridge.o: In function `nft_meta_bridge_module_exit':
nft_meta_bridge.c:(.exit.text+0x14): undefined reference to `nft_unregister_expr'
net/bridge/netfilter/nft_meta_bridge.o: In function `nft_meta_bridge_module_init':
nft_meta_bridge.c:(.init.text+0x14): undefined reference to `nft_register_expr'
net/bridge/netfilter/nft_meta_bridge.o:(.rodata+0x60): undefined reference to `nft_meta_get_dump'
net/bridge/netfilter/nft_meta_bridge.o:(.rodata+0x88): undefined reference to `nft_meta_set_eval'

This can happen because the NF_TABLES_BRIDGE dependency itself is just a
'bool'. Make the symbol a 'tristate' instead so Kconfig can propagate the
dependencies correctly.

Fixes: 30e103fe24de ("netfilter: nft_meta: move bridge meta keys into nft_meta_bridge")
Signed-off-by: Arnd Bergmann
Signed-off-by: Pablo Neira Ayuso
19 Jul, 2019
1 commit
-
If it is a module, request this module. Otherwise, if it is compiled
built-in or not selected, skip this.

Fixes: 0ef1efd1354d ("netfilter: nf_tables: force module load in case select_ops() returns -EAGAIN")
Signed-off-by: Pablo Neira Ayuso
10 Jul, 2019
1 commit
-
This patch adds hardware offload support for nftables through the
existing netdev_ops->ndo_setup_tc() interface, the TC_SETUP_CLSFLOWER
classifier and the flow rule API. This hardware offload support is
available for the NFPROTO_NETDEV family and the ingress hook.

Each nftables expression has a new ->offload interface, that is used to
populate the flow rule object that is attached to the transaction
object.

There is a new per-table NFT_TABLE_F_HW flag, that is set on to offload
an entire table, including all of its chains.

This patch supports basic metadata (layer 3 and 4 protocol numbers),
5-tuple payload matching and the accept/drop actions; this also includes
basechain hardware offload only.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
06 Jul, 2019
2 commits
-
nft_meta needs to pull in the nft_meta_bridge module in case that this
is a bridge family rule from the select_ops() path.

Signed-off-by: Pablo Neira Ayuso
-
Separate bridge meta key from nft_meta to meta_bridge to avoid a
dependency between the bridge module and nft_meta when using the bridge
API available through include/linux/if_bridge.h

Signed-off-by: wenxu
Reviewed-by: Nikolay Aleksandrov
Signed-off-by: Pablo Neira Ayuso
19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):

this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation

this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation

extracted by the scancode license scanner the SPDX license identifier

GPL-2.0-only

has been chosen to replace the boilerplate/reference in 4122 file(s).

Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
18 Jan, 2019
1 commit
-
In the ip_rcv the skb goes through the PREROUTING hook first, then kicks
in vrf device and goes through the same hook again. When conntrack dnat
works with vrf, there will be some conflict with rules because the
packet goes through the hook twice with different nf status.

ip link add user1 type vrf table 1
ip link add user2 type vrf table 2
ip l set dev tun1 master user1
ip l set dev tun2 master user2

nft add table firewall
nft add chain firewall zones { type filter hook prerouting priority - 300 \; }
nft add rule firewall zones counter ct zone set iif map { "tun1" : 1, "tun2" : 2 }
nft add chain firewall rule-1000-ingress
nft add rule firewall rule-1000-ingress ct zone 1 tcp dport 22 ct state new counter accept
nft add rule firewall rule-1000-ingress counter drop
nft add chain firewall rule-1000-egress
nft add rule firewall rule-1000-egress tcp dport 22 ct state new counter drop
nft add rule firewall rule-1000-egress counter accept

nft add chain firewall rules-all { type filter hook prerouting priority - 150 \; }
nft add rule firewall rules-all ip daddr vmap { "2.2.2.11" : jump rule-1000-ingress }
nft add rule firewall rules-all ct zone vmap { 1 : jump rule-1000-egress }

nft add rule firewall dnat-all ct zone vmap { 1 : jump dnat-1000 }
nft add rule firewall dnat-1000 ip daddr 2.2.2.11 counter dnat to 10.0.0.7

For a packet with ip daddr 2.2.2.11 and tcp dport 22, the first time it is accepted in the
rule-1000-ingress chain and dnat'ed to 10.0.0.7. The second time the packet goes to the wrong
chain rule-1000-egress, which leads to the packet being dropped.

With this patch, userspace can add the 'don't re-do entire ruleset for
vrf' policy itself via:

nft add rule firewall rules-all meta iifkind "vrf" counter accept

Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
20 Dec, 2018
1 commit
-
Future patch will remove skb->sp pointer.
To reduce noise in those patches, move existing helper to
sk_buff and use it in more places to ease skb->sp replacement later.

Signed-off-by: Florian Westphal
Signed-off-by: David S. Miller
28 Sep, 2018
2 commits
-
Add ability to set the connection tracking secmark value.
Add ability to set the meta secmark value.

Signed-off-by: Christian Göttsche
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
Add the ability to set the security context of packets within the nf_tables framework.
Add a nft_object for holding security contexts in the kernel and manipulating packets on the wire.

Convert the security context strings at rule addition time to security identifiers.
This is the same behavior like in xt_SECMARK and offers better performance than computing it per packet.

Set the maximum security context length to 256.

Signed-off-by: Christian Göttsche
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
30 Jul, 2018
1 commit
-
Currently nft uses inlined variants for common operations
such as 'ip saddr 1.2.3.4' instead of an indirect call.

Also handle meta get operations and lookups without indirect call,
both are builtin.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
28 Jun, 2018
1 commit
-
Netfilter assumes that if the socket is present in the skb, then
it can be used because that reference is cleaned up while the skb
is crossing netns.

We want to change that to preserve the socket reference in a future
patch, so this is a preparation updating netfilter to check if the
socket netns matches before using it.

Signed-off-by: Flavio Leitner
Acked-by: Florian Westphal
Signed-off-by: David S. Miller
03 Jun, 2018
1 commit
-
Filling in the padding slot in the bpf structure as a bug fix in 'ne'
overlapped with actually using that padding area for something in
'net-next'.

Signed-off-by: David S. Miller
23 May, 2018
1 commit
-
In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg.
But the correct type is u8, so that sometimes an incorrect value is dereferenced.

Steps to reproduce:
%nft add table ip filter
%nft add chain ip filter input { type filter hook input priority 4\; }
%nft add rule ip filter input nftrace set 0
%nft monitor

Sometimes, we can see trace messages.
trace id 16767227 ip filter input packet: iif "enp2s0"
ether saddr xx:xx:xx:xx:xx:xx ether daddr xx:xx:xx:xx:xx:xx
ip saddr 192.168.0.1 ip daddr 255.255.255.255 ip dscp cs0
ip ecn not-ect ip
trace id 16767227 ip filter input rule nftrace set 0 (verdict continue)
trace id 16767227 ip filter input verdict continue
trace id 16767227 ip filter input

Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
27 Apr, 2018
1 commit
-
size net/netfilter/nft_meta.ko
   text    data     bss     dec     hex filename
   5826     936       1    6763    1a6b net/netfilter/nft_meta.ko
  96407    2064     400   98871   18237 net/netfilter/nf_tables.ko
after:
 100826    2240     401  103467   1942b net/netfilter/nf_tables.ko

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
24 Apr, 2018
1 commit
-
It overcomplicates things for no reason.
nft_meta_bridge only offers retrieval of bridge port interface name.

Because of this being its own module, we had to export all nft_meta
functions, which we can then make static again (which even reduces
the size of nft_meta -- including bridge port retrieval...):

before:
   text    data     bss     dec     hex filename
   1838     832       0    2670     a6e net/bridge/netfilter/nft_meta_bridge.ko
   6147     936       1    7084    1bac net/netfilter/nft_meta.ko
after:
   5826     936       1    6763    1a6b net/netfilter/nft_meta.ko

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
10 Jan, 2018
1 commit
-
Place all existing user defined tables in struct net *, instead of
having one list per family. This saves us from one level of indentation
in netlink dump functions.

Place pointer to struct nft_af_info in struct nft_table temporarily, as
we still need this to put back reference module reference counter on
table removal.

This patch comes in preparation for the removal of struct nft_af_info.

Signed-off-by: Pablo Neira Ayuso
09 Jan, 2018
1 commit
-
replacement for iptables "-m policy --dir in --policy {ipsec,none}".
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
08 Apr, 2017
1 commit
-
Remove & from function pointers to conform to the style found elsewhere
in the file. Done using the following semantic patch

//
@r@
identifier f;
@@
f(...) { ... }

@@
identifier r.f;
@@
- &f
+ f
//

Signed-off-by: Arushi Singhal
Signed-off-by: Pablo Neira Ayuso
24 Mar, 2017
1 commit
-
Conflicts:
drivers/net/ethernet/broadcom/genet/bcmmii.c
drivers/net/hyperv/netvsc.c
kernel/bpf/hashtab.c

Almost entirely overlapping changes.

Signed-off-by: David S. Miller
13 Mar, 2017
1 commit
-
Currently, there are two different methods to store an u16 integer to
the u32 data register. For example:

u32 *dest = &regs->data[priv->dreg];
1. *dest = 0; *(u16 *) dest = val_u16;
2. *dest = val_u16;

For method 1, the u16 value will be stored like this, either in
big-endian or little-endian system:

0           15          31
+-+-+-+-+-+-+-+-+-+-+-+-+
|   Value   |     0     |
+-+-+-+-+-+-+-+-+-+-+-+-+

For method 2, in little-endian system, the u16 value will be the same
as listed above. But in big-endian system, the u16 value will be stored
like this:

0           15          31
+-+-+-+-+-+-+-+-+-+-+-+-+
|     0     |   Value   |
+-+-+-+-+-+-+-+-+-+-+-+-+

So later we use "memcmp(&regs->data[priv->sreg], data, 2);" to do
compare in nft_cmp, nft_lookup expr ..., method 2 will get the wrong
result in big-endian system, as 0~15 bits will always be zero.

For the similar reason, when loading an u16 value from the u32 data
register, we should use "*(u16 *) sreg;" instead of "(u16)*sreg;",
the 2nd method will get the wrong value in the big-endian system.

So introduce some wrapper functions to store/load an u8 or u16
integer to/from the u32 data register, and use them in the right
place.

Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
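The two store methods and the memcmp() comparison that this commit message describes, as an added example rather than the kernel's code: reg_store16(), reg_store16_naive() and the other names are this example's own, and a plain uint32_t stands in for regs->data[]. The endianness probe makes the outcome observable on either kind of host.

```c
#include <stdint.h>
#include <string.h>

/* Runtime host-endianness probe, so the results below are meaningful on
 * both kinds of machine. */
int host_is_little_endian(void)
{
    uint32_t probe = 1;
    uint8_t first_byte;
    memcpy(&first_byte, &probe, 1);
    return first_byte == 1;
}

/* Method 1: zero the 32-bit register, then write the u16 into its first
 * two bytes (what "*dest = 0; *(u16 *) dest = val_u16;" does). */
static void reg_store16(uint32_t *dest, uint16_t val)
{
    *dest = 0;
    memcpy(dest, &val, sizeof(val));
}

/* Method 2: plain integer assignment; a big-endian CPU puts the value in
 * the *last* two bytes of the register and zero in the first two. */
static void reg_store16_naive(uint32_t *dest, uint16_t val)
{
    *dest = val;
}

/* Store val with the selected method, then compare the first two register
 * bytes against it with memcmp() as nft_cmp/nft_lookup do; 1 on a match. */
int store_then_compare(int use_naive, uint16_t val)
{
    uint32_t reg;
    if (use_naive)
        reg_store16_naive(&reg, val);
    else
        reg_store16(&reg, val);
    return memcmp(&reg, &val, sizeof(val)) == 0;
}

/* Store val with method 1, then load it back either from the first two
 * bytes ("*(u16 *) sreg") or by truncating the u32 ("(u16)*sreg"); the
 * truncating load reads the zero padding on a big-endian host. */
uint16_t store_then_load(int use_truncating_cast, uint16_t val)
{
    uint32_t reg;
    uint16_t out;
    reg_store16(&reg, val);
    if (use_truncating_cast)
        return (uint16_t)reg;
    memcpy(&out, &reg, sizeof(out));
    return out;
}
```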
07 Mar, 2017
1 commit
-
When we want to validate the expr's dependency or hooks, we must do two
things to accomplish it. First, write a X_validate callback function
and point ->validate to it. Second, call X_validate in init routine.
This is very common, such as fib, nat, reject expr and so on ...

It is a little ugly, since we will call X_validate in the expr's init
routine, it's better to do it in nf_tables_newexpr. So we can avoid to
do this again and again. After doing this, the second step listed above
is not useful anymore, remove them now.

Patch was tested by nftables/tests/py/nft-test.py and
nftables/tests/shell/run-tests.sh.

Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
19 Jan, 2017
1 commit
-
After adding the following nft rule, then ping 224.0.0.1:

# nft add rule netdev t c pkttype host counter

The following warning message will be printed out again and again:

WARNING: CPU: 0 PID: 10182 at net/netfilter/nft_meta.c:163 \
nft_meta_get_eval+0x3fe/0x460 [nft_meta]
[...]
Call Trace:
dump_stack+0x85/0xc2
__warn+0xcb/0xf0
warn_slowpath_null+0x1d/0x20
nft_meta_get_eval+0x3fe/0x460 [nft_meta]
nft_do_chain+0xff/0x5e0 [nf_tables]

So we should deal with PACKET_LOOPBACK in netdev family too. For ipv4,
convert it to PACKET_BROADCAST/MULTICAST according to the destination
address's type; For ipv6, convert it to PACKET_MULTICAST directly.

Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso