11 Nov, 2015

1 commit

• 086f33216   netfilter: nf_tables: add clone interface to expression operations ... Browse Code »

  With the conversion of the counter expressions to make it percpu, we
  need to clone the percpu memory area, otherwise we crash when using
  counters from flow tables.

  Signed-off-by: Pablo Neira Ayuso

  Pablo Neira Ayuso

  2015-11-11 06:47:32 +0800  

14 Apr, 2015

1 commit

• 3e135cd49   netfilter: nft_dynset: dynamic stateful expression instantiation ... Browse Code »

  Support instantiating stateful expressions based on a template that
  are associated with dynamically created set entries. The expressions
  are evaluated when adding or updating the set element.

  This allows to maintain per flow state using the existing set
  infrastructure and expression types, with arbitrary definitions of
  a flow.

  Usage is currently restricted to anonymous sets, meaning only a single
  binding can exist, since the desired semantics of multiple independant
  bindings haven't been defined so far.

  Examples (userspace syntax is still WIP):

  1. Limit the rate of new SSH connections per host, similar to iptables
  hashlimit:

  flow ip saddr timeout 60s \
  limit 10/second \
  accept

  2. Account network traffic between each set of /24 networks:

  flow ip saddr & 255.255.255.0 . ip daddr & 255.255.255.0 \
  counter

  3. Account traffic to each host per user:

  flow skuid . ip daddr \
  counter

  4. Account traffic for each combination of source address and TCP flags:

  flow ip saddr . tcp flags \
  counter

  The resulting set content after a Xmas-scan look like this:

  {
  192.168.122.1 . fin | psh | urg : counter packets 1001 bytes 40040,
  192.168.122.1 . ack : counter packets 74 bytes 3848,
  192.168.122.1 . psh | ack : counter packets 35 bytes 3144
  }

  Signed-off-by: Patrick McHardy
  Signed-off-by: Pablo Neira Ayuso

  Patrick McHardy

  2015-04-14 02:19:55 +0800  

13 Apr, 2015

3 commits

• b1c96ed37   netfilter: nf_tables: add register parsing/dumping helpers ... Browse Code »

  Add helper functions to parse and dump register values in netlink attributes.
  These helpers will later be changed to take care of translation between the
  old 128 bit and the new 32 bit register numbers.

  Signed-off-by: Patrick McHardy
  Signed-off-by: Pablo Neira Ayuso

  Patrick McHardy

  2015-04-13 23:17:28 +0800  
• a55e22e92   netfilter: nf_tables: get rid of NFT_REG_VERDICT usage ... Browse Code »

  Replace the array of registers passed to expressions by a struct nft_regs,
  containing the verdict as a seperate member, which aliases to the
  NFT_REG_VERDICT register.

  This is needed to seperate the verdict from the data registers completely,
  so their size can be changed.

  Signed-off-by: Patrick McHardy
  Signed-off-by: Pablo Neira Ayuso

  Patrick McHardy

  2015-04-13 23:17:07 +0800  
• d07db9884   netfilter: nf_tables: introduce nft_validate_register_load() ... Browse Code »

  Change nft_validate_input_register() to not only validate the input
  register number, but also the length of the load, and rename it to
  nft_validate_register_load() to reflect that change.

  Signed-off-by: Patrick McHardy
  Signed-off-by: Pablo Neira Ayuso

  Patrick McHardy

  2015-04-13 22:25:50 +0800  

08 Apr, 2015

1 commit

• 22fe54d5f   netfilter: nf_tables: add support for dynamic set updates ... Browse Code »

  Add a new "dynset" expression for dynamic set updates.

  A new set op ->update() is added which, for non existant elements,
  invokes an initialization callback and inserts the new element.
  For both new or existing elements the extenstion pointer is returned
  to the caller to optionally perform timer updates or other actions.

  Element removal is not supported so far, however that seems to be a
  rather exotic need and can be added later on.

  Signed-off-by: Patrick McHardy
  Signed-off-by: Pablo Neira Ayuso

  Patrick McHardy

  2015-04-08 22:58:27 +0800