16 Jul, 2019
1 commit
-
The rule below doesn't work as the kernel raises -ERANGE.
nft add rule netdev nftlb lb01 ip daddr set \
symhash mod 1 map { 0 : 192.168.0.10 } fwd to "eth0"This patch allows to use the symhash modulus with one
element, in the same way that the other types of hashes and
algorithms that uses the modulus parameter.Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundationthis program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
18 Jan, 2019
1 commit
-
A better way to implement this from userspace has been found without
specific code in the kernel side, revert this.Fixes: b9ccc07e3f31 ("netfilter: nft_hash: add map lookups for hashing operations")
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
01 Jun, 2018
1 commit
-
net/netfilter/nft_numgen.c:117:1-3: WARNING: PTR_ERR_OR_ZERO can be used
net/netfilter/nft_hash.c:180:1-3: WARNING: PTR_ERR_OR_ZERO can be used
net/netfilter/nft_hash.c:223:1-3: WARNING: PTR_ERR_OR_ZERO can be usedUse PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR
Generated by: scripts/coccinelle/api/ptr_ret.cocci
Fixes: b9ccc07e3f31 ("netfilter: nft_hash: add map lookups for hashing operations")
Fixes: d734a2888922 ("netfilter: nft_numgen: add map lookups for numgen statements")
CC: Laura Garcia Liebana
Signed-off-by: kbuild test robot
Acked-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
17 May, 2018
1 commit
-
This patch creates new attributes to accept a map as argument and
then perform the lookup with the generated hash accordingly.Both current hash functions are supported: Jenkins and Symmetric Hash.
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
07 May, 2018
1 commit
-
The modulus in the hash function was limited to > 1 as initially
there was no sense to create a hashing of just one element.Nevertheless, there are certain cases specially for load balancing
where this case needs to be addressed.This patch fixes the following error.
Error: Could not process rule: Numerical result out of range
add rule ip nftlb lb01 dnat to jhash ip saddr mod 1 map { 0: 192.168.0.10 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^The solution comes to force the hash to 0 when the modulus is 1.
Signed-off-by: Laura Garcia Liebana
01 May, 2017
1 commit
-
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-nextThe following patchset contains Netfilter updates for your net-next
tree. A large bunch of code cleanups, simplify the conntrack extension
codebase, get rid of the fake conntrack object, speed up netns by
selective synchronize_net() calls. More specifically, they are:1) Check for ct->status bit instead of using nfct_nat() from IPVS and
Netfilter codebase, patch from Florian Westphal.2) Use kcalloc() wherever possible in the IPVS code, from Varsha Rao.
3) Simplify FTP IPVS helper module registration path, from Arushi Singhal.
4) Introduce nft_is_base_chain() helper function.
5) Enforce expectation limit from userspace conntrack helper,
from Gao Feng.6) Add nf_ct_remove_expect() helper function, from Gao Feng.
7) NAT mangle helper function return boolean, from Gao Feng.
8) ctnetlink_alloc_expect() should only work for conntrack with
helpers, from Gao Feng.9) Add nfnl_msg_type() helper function to nfnetlink to build the
netlink message type.10) Get rid of unnecessary cast on void, from simran singhal.
11) Use seq_puts()/seq_putc() instead of seq_printf() where possible,
also from simran singhal.12) Use list_prev_entry() from nf_tables, from simran signhal.
13) Remove unnecessary & on pointer function in the Netfilter and IPVS
code.14) Remove obsolete comment on set of rules per CPU in ip6_tables,
no longer true. From Arushi Singhal.15) Remove duplicated nf_conntrack_l4proto_udplite4, from Gao Feng.
16) Remove unnecessary nested rcu_read_lock() in
__nf_nat_decode_session(). Code running from hooks are already
guaranteed to run under RCU read side.17) Remove deadcode in nf_tables_getobj(), from Aaron Conole.
18) Remove double assignment in nf_ct_l4proto_pernet_unregister_one(),
also from Aaron.19) Get rid of unsed __ip_set_get_netlink(), from Aaron Conole.
20) Don't propagate NF_DROP error to userspace via ctnetlink in
__nf_nat_alloc_null_binding() function, from Gao Feng.21) Revisit nf_ct_deliver_cached_events() to remove unnecessary checks,
from Gao Feng.22) Kill the fake untracked conntrack objects, use ctinfo instead to
annotate a conntrack object is untracked, from Florian Westphal.23) Remove nf_ct_is_untracked(), now obsolete since we have no
conntrack template anymore, from Florian.24) Add event mask support to nft_ct, also from Florian.
25) Move nf_conn_help structure to
include/net/netfilter/nf_conntrack_helper.h.26) Add a fixed 32 bytes scratchpad area for conntrack helpers.
Thus, we don't deal with variable conntrack extensions anymore.
Make sure userspace conntrack helper doesn't go over that size.
Remove variable size ct extension infrastructure now this code
got no more clients. From Florian Westphal.27) Restore offset and length of nf_ct_ext structure to 8 bytes now
that wraparound is not possible any longer, also from Florian.28) Allow to get rid of unassured flows under stress in conntrack,
this applies to DCCP, SCTP and TCP protocols, from Florian.29) Shrink size of nf_conntrack_ecache structure, from Florian.
30) Use TCP_MAX_WSCALE instead of hardcoded 14 in TCP tracker,
from Gao Feng.31) Register SYNPROXY hooks on demand, from Florian Westphal.
32) Use pernet hook whenever possible, instead of global hook
registration, from Florian Westphal.33) Pass hook structure to ebt_register_table() to consolidate some
infrastructure code, from Florian Westphal.34) Use consume_skb() and return NF_STOLEN, instead of NF_DROP in the
SYNPROXY code, to make sure device stats are not fooled, patch
from Gao Feng.35) Remove NF_CT_EXT_F_PREALLOC this kills quite some code that we
don't need anymore if we just select a fixed size instead of
expensive runtime time calculation of this. From Florian.36) Constify nf_ct_extend_register() and nf_ct_extend_unregister(),
from Florian.37) Simplify nf_ct_ext_add(), this kills nf_ct_ext_create(), from
Florian.38) Attach NAT extension on-demand from masquerade and pptp helper
path, from Florian.39) Get rid of useless ip_vs_set_state_timeout(), from Aaron Conole.
40) Speed up netns by selective calls of synchronize_net(), from
Florian Westphal.41) Silence stack size warning gcc in 32-bit arch in snmp helper,
from Florian.42) Inconditionally call nf_ct_ext_destroy(), even if we have no
extensions, to deal with the NF_NAT_MANIP_SRC case. Patch from
Liping Zhang.
====================Signed-off-by: David S. Miller
16 Apr, 2017
1 commit
-
Conflicts were simply overlapping changes. In the net/ipv4/route.c
case the code had simply moved around a little bit and the same fix
was made in both 'net' and 'net-next'.In the net/sched/sch_generic.c case a fix in 'net' happened at
the same time that a new argument was added to qdisc_hash_add().Signed-off-by: David S. Miller
14 Apr, 2017
1 commit
-
This can prevent the nft utility from printing out the auto generated
seed to the user, which is unnecessary and confusing.Fixes: cb1b69b0b15b ("netfilter: nf_tables: add hash expression")
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
08 Apr, 2017
1 commit
-
Remove & from function pointers to conform to the style found elsewhere
in the file. Done using the following semantic patch//
@r@
identifier f;
@@f(...) { ... }
@@
identifier r.f;
@@- &f
+ f
//Signed-off-by: Arushi Singhal
Signed-off-by: Pablo Neira Ayuso
07 Mar, 2017
2 commits
-
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.For this purpose, the __skb_get_hash_symmetric() is used to
identify the flow as it uses FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL
flag by default.The new attribute NFTA_HASH_TYPE has been included to support
different types of hashing functions. Currently supported
NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash.The main difference between both types are:
- jhash requires an expression with sreg, symhash doesn't.
- symhash supports modulus and offset, but not seed.Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2By default, jenkins hash will be used if no hash type is
provided for compatibility reasons.Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso -
This patch renames the local nft_hash structure and functions
to nft_jhash in order to prepare the nft_hash module code to
add new hash functions.Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
04 Dec, 2016
1 commit
-
Couple conflicts resolved here:
1) In the MACB driver, a bug fix to properly initialize the
RX tail pointer properly overlapped with some changes
to support variable sized rings.2) In XGBE we had a "CONFIG_PM" --> "CONFIG_PM_SLEEP" fix
overlapping with a reorganization of the driver to support
ACPI, OF, as well as PCI variants of the chip.3) In 'net' we had several probe error path bug fixes to the
stmmac driver, meanwhile a lot of this code was cleaned up
and reorganized in 'net-next'.4) The cls_flower classifier obtained a helper function in
'net-next' called __fl_delete() and this overlapped with
Daniel Borkamann's bug fix to use RCU for object destruction
in 'net'. It also overlapped with Jiri's change to guard
the rhashtable_remove_fast() call with a check against
tc_skip_sw().5) In mlx4, a revert bug fix in 'net' overlapped with some
unrelated changes in 'net-next'.6) In geneve, a stale header pointer after pskb_expand_head()
bug fix in 'net' overlapped with a large reorganization of
the same code in 'net-next'. Since the 'net-next' code no
longer had the bug in question, there was nothing to do
other than to simply take the 'net-next' hunks.Signed-off-by: David S. Miller
24 Nov, 2016
1 commit
-
Use the function nft_parse_u32_check() to fetch the value and validate
the u32 attribute into the hash len u8 field.This patch revisits 4da449ae1df9 ("netfilter: nft_exthdr: Add size check
on u8 nft_exthdr attributes").Fixes: cb1b69b0b15b ("netfilter: nf_tables: add hash expression")
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
10 Nov, 2016
1 commit
-
If the user doesn't specify a seed, generate one at configuration time.
Signed-off-by: Pablo Neira Ayuso
17 Oct, 2016
1 commit
-
Missing the nla_policy description will also miss the validation check
in kernel.Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add hash offset value")
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
13 Sep, 2016
2 commits
-
The overflow validation in the init() function establishes that the
maximum value that the hash could reach is less than U32_MAX, which is
likely to be true.The fix detects the overflow when the maximum hash value is less than
the offset itself.Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add hash offset value")
Reported-by: Liping Zhang
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso -
Add support to pass through an offset to the hash value. With this
feature, the sysadmin is able to generate a hash with a given
offset value.Example:
meta mark set jhash ip saddr mod 2 seed 0xabcd offset 100
This option generates marks according to the source address from 100 to
101.Signed-off-by: Laura Garcia Liebana
26 Aug, 2016
1 commit
-
nft_dump_register() should only be used with registers, not with
immediates.Fixes: cb1b69b0b15b ("netfilter: nf_tables: add hash expression")
Fixes: 91dbc6be0a62("netfilter: nf_tables: add number generator expression")
Signed-off-by: Pablo Neira Ayuso
22 Aug, 2016
1 commit
-
Fixes the following sparse warning:
net/netfilter/nft_hash.c:40:25: warning:
symbol 'nft_hash_policy' was not declared. Should it be static?Signed-off-by: Wei Yongjun
Signed-off-by: Pablo Neira Ayuso
12 Aug, 2016
2 commits
-
This patch adds a new hash expression, this provides jhash support but
this can be extended to support for other hash functions. The modulus
and seed already comes embedded into this new expression.Use case example:
... meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso -
Use nft_set_* prefix for backend set implementations, thus we can use
nft_hash for the new hash expression.Signed-off-by: Pablo Neira Ayuso
11 Jul, 2016
1 commit
-
We can pass the netns pointer as parameter to the functions that need to
gain access to it. From basechains, I didn't find any client for this
field anymore so let's remove this too.Signed-off-by: Pablo Neira Ayuso
07 Jul, 2016
1 commit
-
Pablo Neira Ayuso says:
====================
Netfilter updates for net-nextThe following patchset contains Netfilter updates for net-next,
they are:1) Don't use userspace datatypes in bridge netfilter code, from
Tobin Harding.2) Iterate only once over the expectation table when removing the
helper module, instead of once per-netns, from Florian Westphal.3) Extra sanitization in xt_hook_ops_alloc() to return error in case
we ever pass zero hooks, xt_hook_ops_alloc():4) Handle NFPROTO_INET from the logging core infrastructure, from
Liping Zhang.5) Autoload loggers when TRACE target is used from rules, this doesn't
change the behaviour in case the user already selected nfnetlink_log
as preferred way to print tracing logs, also from Liping Zhang.6) Conntrack slabs with SLAB_HWCACHE_ALIGN to allow rearranging fields
by cache lines, increases the size of entries in 11% per entry.
From Florian Westphal.7) Skip zone comparison if CONFIG_NF_CONNTRACK_ZONES=n, from Florian.
8) Remove useless defensive check in nf_logger_find_get() from Shivani
Bhardwaj.9) Remove zone extension as place it in the conntrack object, this is
always include in the hashing and we expect more intensive use of
zones since containers are in place. Also from Florian Westphal.10) Owner match now works from any namespace, from Eric Bierdeman.
11) Make sure we only reply with TCP reset to TCP traffic from
nf_reject_ipv4, patch from Liping Zhang.12) Introduce --nflog-size to indicate amount of network packet bytes
that are copied to userspace via log message, from Vishwanath Pai.
This obsoletes --nflog-range that has never worked, it was designed
to achieve this but it has never worked.13) Introduce generic macros for nf_tables object generation masks.
14) Use generation mask in table, chain and set objects in nf_tables.
This allows fixes interferences with ongoing preparation phase of
the commit protocol and object listings going on at the same time.
This update is introduced in three patches, one per object.15) Check if the object is active in the next generation for element
deactivation in the rbtree implementation, given that deactivation
happens from the commit phase path we have to observe the future
status of the object.16) Support for deletion of just added elements in the hash set type.
17) Allow to resize hashtable from /proc entry, not only from the
obscure /sys entry that maps to the module parameter, from Florian
Westphal.18) Get rid of NFT_BASECHAIN_DISABLED, this code is not exercised
anymore since we tear down the ruleset whenever the netdevice
goes away.19) Support for matching inverted set lookups, from Arturo Borrero.
20) Simplify the iptables_mangle_hook() by removing a superfluous
extra branch.21) Introduce ether_addr_equal_masked() and use it from the netfilter
codebase, from Joe Perches.22) Remove references to "Use netfilter MARK value as routing key"
from the Netfilter Kconfig description given that this toggle
doesn't exists already for 10 years, from Moritz Sichert.23) Introduce generic NF_INVF() and use it from the xtables codebase,
from Joe Perches.24) Setting logger to NONE via /proc was not working unless explicit
nul-termination was included in the string. This fixes seems to
leave the former behaviour there, so we don't break backward.
====================Signed-off-by: David S. Miller
24 Jun, 2016
1 commit
-
New elements are inactive in the preparation phase, and its
NFT_SET_ELEM_BUSY_MASK flag is set on.This busy flag doesn't allow us to delete it from the same transaction,
following a sequence like:begin transaction
add element X
delete element X
end transactionThis sequence is valid and may be triggered by robots. To resolve this
problem, allow deactivating elements that are active in the current
generation (ie. those that has been just added in this batch).Signed-off-by: Pablo Neira Ayuso
15 Jun, 2016
1 commit
-
Liping Zhang says:
"Users may add such a wrong nft rules successfully, which will cause an
endless jump loop:# nft add rule filter test tcp dport vmap {1: jump test}
This is because before we commit, the element in the current anonymous
set is inactive, so osp->walk will skip this element and miss the
validate check."To resolve this problem, this patch passes the generation mask to the
walk function through the iter container structure depending on the code
path:1) If we're dumping the elements, then we have to check if the element
is active in the current generation. Thus, we check for the current
bit in the genmask.2) If we're checking for loops, then we have to check if the element is
active in the next generation, as we're in the middle of a
transaction. Thus, we check for the next bit in the genmask.Based on original patch from Liping Zhang.
Reported-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
Tested-by: Liping Zhang
05 Apr, 2016
1 commit
-
In certain cases, the 802.11 mesh pathtable code wants to
iterate over all of the entries in the forwarding table from
the receive path, which is inside an RCU read-side critical
section. Enable walks inside atomic sections by allowing
GFP_ATOMIC allocations for the walker state.Change all existing callsites to pass in GFP_KERNEL.
Acked-by: Thomas Graf
Signed-off-by: Bob Copeland
[also adjust gfs2/glock.c and rhashtable tests]
Signed-off-by: Johannes Berg
13 Apr, 2015
4 commits
-
This patch changes sets to support variable sized set element keys / data
up to 64 bytes each by using variable sized set extensions. This allows
to use concatenations with bigger data items suchs as IPv6 addresses.As a side effect, small keys/data now don't require the full 16 bytes
of struct nft_data anymore but just the space they need.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
Simple conversion to use u32 pointers to the beginning of the data
area to keep follow up patches smaller.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
Only needlessly complicates things due to requiring specific argument
types. Use memcmp directly.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
Replace the array of registers passed to expressions by a struct nft_regs,
containing the verdict as a seperate member, which aliases to the
NFT_REG_VERDICT register.This is needed to seperate the verdict from the data registers completely,
so their size can be changed.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
08 Apr, 2015
2 commits
-
Add a new "dynset" expression for dynamic set updates.
A new set op ->update() is added which, for non existant elements,
invokes an initialization callback and inserts the new element.
For both new or existing elements the extenstion pointer is returned
to the caller to optionally perform timer updates or other actions.Element removal is not supported so far, however that seems to be a
rather exotic need and can be added later on.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
Use atomic operations for the element count to avoid races with async
updates.To properly handle the transactional semantics during netlink updates,
deleted but not yet committed elements are accounted for seperately and
are treated as being already removed. This means for the duration of
a netlink transaction, the limit might be exceeded by the amount of
elements deleted. Set implementations must be prepared to handle this.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
01 Apr, 2015
1 commit
-
Add support for element timeouts to nft_hash. The lookup and walking
functions are changed to ignore timed out elements, a periodic garbage
collection task cleans out expired entries.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
26 Mar, 2015
6 commits
-
Set elements are the last object type not supporting transaction support.
Implement similar to the existing rule transactions:The global transaction counter keeps track of two generations, current
and next. Each element contains a bitmask specifying in which generations
it is inactive.New elements start out as inactive in the current generation and active
in the next. On commit, the previous next generation becomes the current
generation and the element becomes active. The bitmask is then cleared
to indicate that the element is active in all future generations. If the
transaction is aborted, the element is removed from the set before it
becomes active.When removing an element, it gets marked as inactive in the next generation.
On commit the next generation becomes active and the therefor the element
inactive. It is then taken out of then set and released. On abort, the
element is marked as active for the next generation again.Lookups ignore elements not active in the current generation.
The current set types (hash/rbtree) both use a field in the extension area
to store the generation mask. This (currently) does not require any
additional memory since we have some free space in there.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
Return the extension area from the ->lookup() function to allow to
consolidate common actions.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
With the conversion to set extensions, it is now possible to consolidate
the different set element destruction functions.The set implementations' ->remove() functions are changed to only take
the element out of their internal data structures. Elements will be freed
in a batched fashion after the global transaction's completion RCU grace
period.This reduces the amount of grace periods required for nft_hash from N
to zero additional ones, additionally this guarantees that the set
elements' extensions of all implementations can be used under RCU
protection.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
The set implementations' private struct will only contain the elements
needed to maintain the search structure, all other elements are moved
to the set extensions.Element allocation and initialization is performed centrally by
nf_tables_api instead of by the different set implementations'
->insert() functions. A new "elemsize" member in the set ops specifies
the amount of memory to reserve for internal usage. Destruction
will also be moved out of the set implementations by a following patch.Except for element allocation, the patch is a simple conversion to
using data from the extension area.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
A following patch will convert sets to use so called set extensions,
where the key is not located in a fixed position anymore. This will
require rhashtable hashing and comparison callbacks to be used.As preparation, convert nft_hash to use these callbacks without any
functional changes.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
Improve readability by indenting the parameter initialization.
Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso