19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundationthis program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
18 Jan, 2019
4 commits
-
Those were needed we still had modular trackers.
As we don't have those anymore, prefer direct calls and remove all
the (un)register infrastructure associated with this.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Due to historical reasons, all l4 trackers register their own
sysctls.This leads to copy&pasted boilerplate code, that does exactly same
thing, just with different data structure.Place all of this in a single file.
This allows to remove the various ctl_table pointers from the ct_netns
structure and reduces overall code size.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Now that all l4trackers are builtin, no need to use a mix of direct and
indirect calls.
This removes the last two users: gre and the generic l4 protocol
tracker.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
GRE is now builtin, so we can handle it via direct call and
remove the callback.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
03 Nov, 2018
1 commit
-
Expose these functions to access conntrack protocol tracker netns area,
nfnetlink_cttimeout needs this.Signed-off-by: Pablo Neira Ayuso
21 Sep, 2018
3 commits
-
l4 protocols are demuxed by l3num, l4num pair.
However, almost all l4 trackers are l3 agnostic.
Only exceptions are:
- gre, icmp (ipv4 only)
- icmpv6 (ipv6 only)This commit gets rid of the l3 mapping, l4 trackers can now be looked up
by their IPPROTO_XXX value alone, which gets rid of the additional l3
indirection.For icmp, ipcmp6 and gre, add a check on state->pf and
return -NF_ACCEPT in case we're asked to track e.g. icmpv6-in-ipv4,
this seems more fitting than using the generic tracker.Additionally we can kill the 2nd l4proto definitions that were needed
for v4/v6 split -- they are now the same so we can use single l4proto
struct for each protocol, rather than two.The EXPORT_SYMBOLs can be removed as all these object files are
part of nf_conntrack with no external references.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Its unused, next patch will remove l4proto->l3proto number to simplify
l4 protocol demuxer lookup.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Only two protocols need the ->error() function: icmp and icmpv6.
This is because icmp error mssages might be RELATED to an existing
connection (e.g. PMTUD, port unreachable and the like), and their
->error() handlers do this.The error callback is already optional, so remove it for
udp and call them from ->packet() instead.As the error() callback can call checksum functions that write to
skb->csum*, the const qualifier has to be removed as well.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
20 Sep, 2018
2 commits
-
->new() gets invoked after ->error() and before ->packet() if
a conntrack lookup has found no result for the tuple.We can fold it into ->packet() -- the packet() implementations
can check if the conntrack is confirmed (new) or not
(already in hash).If its unconfirmed, the conntrack isn't in the hash yet so current
skb created a new conntrack entry.Only relevant side effect -- if packet() doesn't return NF_ACCEPT
but -NF_ACCEPT (or drop), while the conntrack was just created,
then the newly allocated conntrack is freed right away, rather than not
created in the first place.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
nf_hook_state contains all the hook meta-information: netns, protocol family,
hook location, and so on.Instead of only passing selected information, pass a pointer to entire
structure.This will allow to merge the error and the packet handlers and remove
the ->new() function in followup patches.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
11 Sep, 2018
1 commit
-
Now that cttimeout support for nft_ct is in place, these should depend
on CONFIG_NF_CONNTRACK_TIMEOUT otherwise we can crash when dumping the
policy if this option is not enabled.[ 71.600121] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[...]
[ 71.600141] CPU: 3 PID: 7612 Comm: nft Not tainted 4.18.0+ #246
[...]
[ 71.600188] Call Trace:
[ 71.600201] ? nft_ct_timeout_obj_dump+0xc6/0xf0 [nft_ct]Signed-off-by: Pablo Neira Ayuso
16 Jul, 2018
2 commits
-
Not needed, we can have the l4trackers fetch it themselvs.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Handle the common cases (tcp, udp, etc). in the core and only
do the indirect call for the protocols that need it (GRE for instance).Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
09 Jan, 2018
2 commits
-
Nowadays this is just the default template that is used when setting up
the net namespace, so nothing writes to these locations.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
previous patches removed all writes to these structs so we can
now mark them as const.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
25 Oct, 2017
1 commit
-
not needed/used anymore.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
04 Sep, 2017
1 commit
-
tested with allmodconfig build.
Signed-off-by: Florian Westphal
29 Aug, 2017
1 commit
-
L4 protocol helpers for DCCP, SCTP and UDPlite can't be built as kernel
modules anymore, so we can remove code enclosed in
#ifdef CONFIG_NF_CT_PROTO_{DCCP,SCTP,UDPLITE}_MODULESigned-off-by: Davide Caratti
Signed-off-by: Pablo Neira Ayuso
25 Aug, 2017
2 commits
-
CONFIG_NF_CONNTRACK_PROCFS is deprecated, no need to use a function
pointer in the trackers for this. Place the printf formatting in
the one place that uses it.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
no need to waste storage for something that is only needed
in one place and can be deduced from protocol number.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
13 Aug, 2016
1 commit
-
This backward compatibility has been around for more than ten years,
since Yasuyuki Kozakai introduced IPv6 in conntrack. These days, we have
alternate /proc/net/nf_conntrack* entries, the ctnetlink interface and
the conntrack utility got adopted by many people in the user community
according to what I observed on the netfilter user mailing list.So let's get rid of this.
Note that nf_conntrack_htable_size and unsigned int nf_conntrack_max do
not need to be exported as symbol anymore.Signed-off-by: Pablo Neira Ayuso
19 Sep, 2015
1 commit
-
As gre does not have the srckey in the packet gre_pkt_to_tuple
needs to perform a lookup in it's per network namespace tables.Pass in the proper network namespace to all pkt_to_tuple
implementations to ensure gre (and any similar protocols) can get this
right.Signed-off-by: "Eric W. Biederman"
Signed-off-by: Pablo Neira Ayuso
12 Jun, 2015
1 commit
-
After db29a9508a92 ("netfilter: conntrack: disable generic tracking for
known protocols"), if the specific helper is built but not loaded
(a standard for most distributions) systems with a restrictive firewall
but weak configuration regarding netfilter modules to load, will
silently stop working.This patch then puts a warning message so the sysadmin knows where to
start looking into. It's a pr_warn_once regardless of protocol itself
but it should be enough to give a hint on where to look.Cc: Florian Westphal
Cc: Daniel Borkmann
Signed-off-by: Marcelo Ricardo Leitner
Signed-off-by: Pablo Neira Ayuso
06 Nov, 2014
1 commit
-
Since adding a new function to seq_file (seq_has_overflowed())
there isn't any value for functions called from seq_show to
return anything. Remove the int returns of the various
print_tuple/_print_tuple functions.Link: http://lkml.kernel.org/p/f2e8cf8df433a197daa62cbaf124c900c708edc7.1412031505.git.joe@perches.com
Cc: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org
Signed-off-by: Joe Perches
Signed-off-by: Steven Rostedt
29 Sep, 2014
1 commit
-
Given following iptables ruleset:
-P FORWARD DROP
-A FORWARD -m sctp --dport 9 -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPTOne would assume that this allows SCTP on port 9 and TCP on port 80.
Unfortunately, if the SCTP conntrack module is not loaded, this allows
*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
which we think is a security issue.This is because on the first SCTP packet on port 9, we create a dummy
"generic l4" conntrack entry without any port information (since
conntrack doesn't know how to extract this information).All subsequent packets that are unknown will then be in established
state since they will fallback to proto_generic and will match the
'generic' entry.Our originally proposed version [1] completely disabled generic protocol
tracking, but Jozsef suggests to not track protocols for which a more
suitable helper is available, hence we now mitigate the issue for in
tree known ct protocol helpers only, so that at least NAT and direction
information will still be preserved for others.[1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
Joint work with Daniel Borkmann.
Signed-off-by: Florian Westphal
Signed-off-by: Daniel Borkmann
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
05 Jul, 2012
1 commit
-
This patch generalizes nf_ct_l4proto_net by splitting it into chunks and
moving the corresponding protocol part to where it really belongs to.To clarify, note that we follow two different approaches to support per-net
depending if it's built-in or run-time loadable protocol tracker.Signed-off-by: Pablo Neira Ayuso
Acked-by: Gao feng
28 Jun, 2012
2 commits
-
This patch is a cleanup. It adds generic_kmemdup_sysctl_table to
split code into smaller chunks. Yet it prepares introduction
of nf_conntrack_proto_*_sysctl.c.Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
l4proto->init contain quite redundant code. We can simplify this
by adding a new parameter l3proto.This patch prepares that code simplification.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
07 Jun, 2012
3 commits
-
This patch adds namespace support for cttimeout.
Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
Since the sysctl data for l[3|4]proto now resides in pernet nf_proto_net.
We can now remove this unused fields from struct nf_contrack_l[3,4]proto.Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
This patch adds namespace support for the generic layer 4 protocol
tracker.Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
02 Apr, 2012
1 commit
-
These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.Signed-off-by: David S. Miller
08 Mar, 2012
2 commits
-
This patch adds the infrastructure to add fine timeout tuning
over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT
subsystem to create/delete/dump timeout objects that contain some
specific timeout policy for one flow.The follow up patches will allow you attach timeout policy object
to conntrack via the CT target and the conntrack extension
infrastructure.Signed-off-by: Pablo Neira Ayuso
-
This patch defines a new interface for l4 protocol trackers:
unsigned int *(*get_timeouts)(struct net *net);
that is used to return the array of unsigned int that contains
the timeouts that will be applied for this flow. This is passed
to the l4proto->new(...) and l4proto->packet(...) functions to
specify the timeout policy.This interface allows per-net global timeout configuration
(although only DCCP supports this by now) and it will allow
custom custom timeout configuration by means of follow-up
patches.Signed-off-by: Pablo Neira Ayuso
12 Nov, 2009
1 commit
-
Now that sys_sysctl is a compatiblity wrapper around /proc/sys
all sysctl strategy routines, and all ctl_name and strategy
entries in the sysctl tables are unused, and can be
revmoed.In addition neigh_sysctl_register has been modified to no longer
take a strategy argument and it's callers have been modified not
to pass one.Cc: "David Miller"
Cc: Hideaki YOSHIFUJI
Cc: netdev@vger.kernel.org
Signed-off-by: Eric W. Biederman
18 Feb, 2009
1 commit
-
0 is used by Hop-by-hop header and so this may cause confusion.
255 is stated as 'Reserved' by IANA.Signed-off-by: Christoph Paasch
Signed-off-by: Patrick McHardy
04 Nov, 2008
1 commit
-
I want to compile out proc_* and sysctl_* handlers totally and
stub them to NULL depending on config options, however usage of &
will prevent this, since taking adress of NULL pointer will break
compilation.So, drop & in front of every ->proc_handler and every ->strategy
handler, it was never needed in fact.Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
08 Oct, 2008
1 commit
-
and (try to) consistently use u_int8_t for the L3 family.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
14 Apr, 2008
1 commit
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
