19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundationthis program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
23 May, 2018
1 commit
-
Credit calculations for the packet ratelimiting are not correct, as per
the applied ratelimit of 25/second and burst 8, a total of 33 packets
should have been accepted. This is true in iptables(33) but not in
nftables (~65). For packet ratelimiting, use:div_u64(limit->nsecs, limit->rate) * limit->burst;
to calculate credit, just like in iptables' xt_limit does.
Moreover, use default burst in iptables, users are expecting similar
behaviour.Signed-off-by: Pablo Neira Ayuso
04 Sep, 2017
2 commits
-
Register a new limit stateful object type into the stateful object
infrastructure.Signed-off-by: Pablo M. Bermudo Garay
Signed-off-by: Pablo Neira Ayuso -
Just a small refactor patch in order to improve the code readability.
Signed-off-by: Pablo M. Bermudo Garay
Signed-off-by: Pablo Neira Ayuso
24 Aug, 2017
1 commit
-
Current implementation treats the burst configuration the same as
rate configuration. This can cause the per packet cost to be lower
than configured. In effect, this bug causes the token bucket to be
refilled at a higher rate than what user has specified.This patch changes the implementation so that the token bucket size
is controlled by "rate + burst", while maintain the token bucket
refill rate the same as user specified.Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Andy Zhou
Acked-by: Joe Stringer
Signed-off-by: Pablo Neira Ayuso
14 Mar, 2017
1 commit
-
The limit token is independent between each rules, so there's no
need to use a global spinlock.Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
04 Oct, 2016
1 commit
-
After I input the following nftables rule, a panic happened on my system:
# nft add rule filter OUTPUT limit rate 0xf00000000 bytes/seconddivide error: 0000 [#1] SMP
[ ... ]
RIP: 0010:[] []
nft_limit_pkt_bytes_eval+0x2e/0xa0 [nft_limit]
Call Trace:
[] nft_do_chain+0xfb/0x4e0 [nf_tables]
[] ? nf_nat_setup_info+0x96/0x480 [nf_nat]
[] ? ipt_do_table+0x327/0x610
[] ? __nf_nat_alloc_null_binding+0x57/0x80 [nf_nat]
[] nft_ipv4_output+0xaf/0xd0 [nf_tables_ipv4]
[] nf_iterate+0x62/0x80
[] nf_hook_slow+0x73/0xd0
[] __ip_local_out+0xcd/0xe0
[] ? ip_forward_options+0x1b0/0x1b0
[] ip_local_out+0x1c/0x40This is because divisor is 64-bit, but we treat it as a 32-bit integer,
then 0xf00000000 becomes zero, i.e. divisor becomes 0.Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
24 Apr, 2016
1 commit
-
nla_data() is now aligned on a 64-bit area.
A temporary version (nla_put_be64_32bit()) is added for nla_put_net64().
This function is removed in the next patch.Signed-off-by: Nicolas Dichtel
Signed-off-by: David S. Miller
04 Jan, 2016
1 commit
-
This patch allows you to invert the ratelimit matching criteria, so you
can match packets over the ratelimit. This is required to support what
hashlimit does.Signed-off-by: Pablo Neira Ayuso
07 Aug, 2015
6 commits
-
This patch adds a new NFTA_LIMIT_TYPE netlink attribute to indicate the type of
limiting.Contrary to per-packet limiting, the cost is calculated from the packet path
since this depends on the packet length.The burst attribute indicates the number of bytes in which the rate can be
exceeded.Signed-off-by: Pablo Neira Ayuso
-
The cost per packet can be calculated from the control plane path since this
doesn't ever change.Signed-off-by: Pablo Neira Ayuso
-
This patch adds the burst parameter. This burst indicates the number of packets
that can exceed the limit.Signed-off-by: Pablo Neira Ayuso
-
This patch prepares the introduction of per-byte limiting.
Signed-off-by: Pablo Neira Ayuso
-
Rework the limit expression to use a token-based limiting approach that refills
the bucket gradually. The tokens are calculated at nanosecond granularity
instead jiffies to improve precision.Signed-off-by: Pablo Neira Ayuso
-
To prepare introduction of bytes ratelimit support.
Signed-off-by: Pablo Neira Ayuso
14 Apr, 2015
1 commit
-
Add a flag to mark stateful expressions.
This is used for dynamic expression instanstiation to limit the usable
expressions. Strictly speaking only the dynset expression can not be
used in order to avoid recursion, but since dynamically instantiating
non-stateful expressions will simply create an identical copy, which
behaves no differently than the original, this limits to expressions
where it actually makes sense to dynamically instantiate them.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
13 Apr, 2015
1 commit
-
Replace the array of registers passed to expressions by a struct nft_regs,
containing the verdict as a seperate member, which aliases to the
NFT_REG_VERDICT register.This is needed to seperate the verdict from the data registers completely,
so their size can be changed.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
14 Oct, 2013
2 commits
-
Split the expression ops into two parts and support overloading of
the runtime expression ops based on the requested function through
a ->select_ops() callback.This can be used to provide optimized implementations, for instance
for loading small aligned amounts of data from the packet or inlining
frequently used operations into the main evaluation loop.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
This patch adds nftables which is the intended successor of iptables.
This packet filtering framework reuses the existing netfilter hooks,
the connection tracking system, the NAT subsystem, the transparent
proxying engine, the logging infrastructure and the userspace packet
queueing facilities.In a nutshell, nftables provides a pseudo-state machine with 4 general
purpose registers of 128 bits and 1 specific purpose register to store
verdicts. This pseudo-machine comes with an extensible instruction set,
a.k.a. "expressions" in the nftables jargon. The expressions included
in this patch provide the basic functionality, they are:* bitwise: to perform bitwise operations.
* byteorder: to change from host/network endianess.
* cmp: to compare data with the content of the registers.
* counter: to enable counters on rules.
* ct: to store conntrack keys into register.
* exthdr: to match IPv6 extension headers.
* immediate: to load data into registers.
* limit: to limit matching based on packet rate.
* log: to log packets.
* meta: to match metainformation that usually comes with the skbuff.
* nat: to perform Network Address Translation.
* payload: to fetch data from the packet payload and store it into
registers.
* reject (IPv4 only): to explicitly close connection, eg. TCP RST.Using this instruction-set, the userspace utility 'nft' can transform
the rules expressed in human-readable text representation (using a
new syntax, inspired by tcpdump) to nftables bytecode.nftables also inherits the table, chain and rule objects from
iptables, but in a more configurable way, and it also includes the
original datatype-agnostic set infrastructure with mapping support.
This set infrastructure is enhanced in the follow up patch (netfilter:
nf_tables: add netlink set API).This patch includes the following components:
* the netlink API: net/netfilter/nf_tables_api.c and
include/uapi/netfilter/nf_tables.h
* the packet filter core: net/netfilter/nf_tables_core.c
* the expressions (described above): net/netfilter/nft_*.c
* the filter tables: arp, IPv4, IPv6 and bridge:
net/ipv4/netfilter/nf_tables_ipv4.c
net/ipv6/netfilter/nf_tables_ipv6.c
net/ipv4/netfilter/nf_tables_arp.c
net/bridge/netfilter/nf_tables_bridge.c
* the NAT table (IPv4 only):
net/ipv4/netfilter/nf_table_nat_ipv4.c
* the route table (similar to mangle):
net/ipv4/netfilter/nf_table_route_ipv4.c
net/ipv6/netfilter/nf_table_route_ipv6.c
* internal definitions under:
include/net/netfilter/nf_tables.h
include/net/netfilter/nf_tables_core.h
* It also includes an skeleton expression:
net/netfilter/nft_expr_template.c
and the preliminary implementation of the meta target
net/netfilter/nft_meta_target.cIt also includes a change in struct nf_hook_ops to add a new
pointer to store private data to the hook, that is used to store
the rule list per chain.This patch is based on the patch from Patrick McHardy, plus merged
accumulated cleanups, fixes and small enhancements to the nftables
code that has been done since 2009, which are:From Patrick McHardy:
* nf_tables: adjust netlink handler function signatures
* nf_tables: only retry table lookup after successful table module load
* nf_tables: fix event notification echo and avoid unnecessary messages
* nft_ct: add l3proto support
* nf_tables: pass expression context to nft_validate_data_load()
* nf_tables: remove redundant definition
* nft_ct: fix maxattr initialization
* nf_tables: fix invalid event type in nf_tables_getrule()
* nf_tables: simplify nft_data_init() usage
* nf_tables: build in more core modules
* nf_tables: fix double lookup expression unregistation
* nf_tables: move expression initialization to nf_tables_core.c
* nf_tables: build in payload module
* nf_tables: use NFPROTO constants
* nf_tables: rename pid variables to portid
* nf_tables: save 48 bits per rule
* nf_tables: introduce chain rename
* nf_tables: check for duplicate names on chain rename
* nf_tables: remove ability to specify handles for new rules
* nf_tables: return error for rule change request
* nf_tables: return error for NLM_F_REPLACE without rule handle
* nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
* nf_tables: fix NLM_F_MULTI usage in netlink notifications
* nf_tables: include NLM_F_APPEND in rule dumpsFrom Pablo Neira Ayuso:
* nf_tables: fix stack overflow in nf_tables_newrule
* nf_tables: nft_ct: fix compilation warning
* nf_tables: nft_ct: fix crash with invalid packets
* nft_log: group and qthreshold are 2^16
* nf_tables: nft_meta: fix socket uid,gid handling
* nft_counter: allow to restore counters
* nf_tables: fix module autoload
* nf_tables: allow to remove all rules placed in one chain
* nf_tables: use 64-bits rule handle instead of 16-bits
* nf_tables: fix chain after rule deletion
* nf_tables: improve deletion performance
* nf_tables: add missing code in route chain type
* nf_tables: rise maximum number of expressions from 12 to 128
* nf_tables: don't delete table if in use
* nf_tables: fix basechain releaseFrom Tomasz Bursztyka:
* nf_tables: Add support for changing users chain's name
* nf_tables: Change chain's name to be fixed sized
* nf_tables: Add support for replacing a rule by another one
* nf_tables: Update uapi nftables netlink header documentationFrom Florian Westphal:
* nft_log: group is u16, snaplen u32From Phil Oester:
* nf_tables: operational limit matchSigned-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso