02 Nov, 2016

2 commits

  • We need this split to reuse existing codebase for the upcoming nf_tables
    socket expression.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • Add FIB expression, supported for ipv4, ipv6 and inet family (the latter
    just dispatches to ipv4 or ipv6 one based on nfproto).

    Currently supports fetching output interface index/name and the
    rtm_type associated with an address.

    This can be used for adding path filtering. rtm_type is useful
    to e.g. enforce a strong-end host model where packets
    are only accepted if daddr is configured on the interface the
    packet arrived on.

    The fib expression is a native nftables alternative to the
    xtables addrtype and rp_filter matches.

    FIB result order for oif/oifname retrieval is as follows:
    - if packet is local (skb has rtable, RTF_LOCAL set, this
    will also catch looped-back multicast packets), set oif to
    the loopback interface.
    - if fib lookup returns an error, or result points to local,
    store zero result. This means '--local' option of -m rpfilter
    is not supported. It is possible to use 'fib type local' or add
    explicit saddr/daddr matching rules to create exceptions if this
    is really needed.
    - store result in the destination register.
    In case of multiple routes, search set for desired oif in case
    strict matching is requested.

    ipv4 and ipv6 fib expressions are supposed to behave the same.

    [ I have collapsed Arnd Bergmann's ("netfilter: nf_tables: fib warnings")

    http://patchwork.ozlabs.org/patch/688615/

    to address fallout from this patch after rebasing nf-next, that was
    posted to address compilation warnings. --pablo ]

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

13 Aug, 2016

1 commit

  • This backward compatibility has been around for more than ten years,
    since Yasuyuki Kozakai introduced IPv6 in conntrack. These days, we have
    alternate /proc/net/nf_conntrack* entries, the ctnetlink interface and
    the conntrack utility got adopted by many people in the user community
    according to what I observed on the netfilter user mailing list.

    So let's get rid of this.

    Note that nf_conntrack_htable_size and unsigned int nf_conntrack_max do
    not need to be exported as symbols anymore.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

07 Aug, 2015

2 commits

  • This new expression uses the nf_dup engine to clone packets to a given gateway.
    Unlike xt_TEE, we use an index to indicate output interface which should be
    fine at this stage.

    Moreover, change to the preemption-safe this_cpu_read(nf_skb_duplicated) from
    nf_dup_ipv{4,6} to silence a lockdep splat.

    Based on the original tee expression from Arturo Borrero Gonzalez, although
    this patch has diverted quite a bit from this initial effort due to the
    change to support maps.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • Extracted from the xtables TEE target. This creates two new modules for IPv4
    and IPv6 that are shared between the TEE target and the new nf_tables dup
    expressions.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

27 Nov, 2014

1 commit


28 Oct, 2014

2 commits


03 Oct, 2014

1 commit


11 Sep, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    nf-next pull request

    The following patchset contains Netfilter/IPVS updates for your
    net-next tree. Regarding nf_tables, most updates focus on consolidating
    the NAT infrastructure and adding support for masquerading. More
    specifically, they are:

    1) use __u8 instead of u_int8_t in arptables header, from
    Mike Frysinger.

    2) Add support to match by skb->pkttype to the meta expression, from
    Ana Rey.

    3) Add support to match by cpu to the meta expression, also from
    Ana Rey.

    4) A smatch warning about IPSET_ATTR_MARKMASK validation, patch from
    Vytas Dauksa.

    5) Fix netnet and netportnet hash types the range support for IPv4,
    from Sergey Popovich.

    6) Fix missing-field-initializer warnings resolved, from Mark Rustad.

    7) Dan Carpenter reported possible integer overflows in ipset, from
    Jozsef Kadlecsik.

    8) Filter out accounting objects in nfacct by type, so you can
    selectively reset quotas, from Alexey Perevalov.

    9) Move specific NAT IPv4 functions to the core so x_tables and
    nf_tables can share the same NAT IPv4 engine.

    10) Use the new NAT IPv4 functions from nft_chain_nat_ipv4.

    11) Move specific NAT IPv6 functions to the core so x_tables and
    nf_tables can share the same NAT IPv4 engine.

    12) Use the new NAT IPv6 functions from nft_chain_nat_ipv6.

    13) Refactor code to add nft_delrule(), which can be reused in the
    enhancement of the NFT_MSG_DELTABLE to remove a table and its
    content, from Arturo Borrero.

    14) Add a helper function to unregister chain hooks, from
    Arturo Borrero.

    15) A cleanup to rename to nft_delrule_by_chain for consistency with
    the new nft_*() functions, also from Arturo.

    16) Add support to match devgroup to the meta expression, from Ana Rey.

    17) Reduce stack usage for IPVS socket option, from Julian Anastasov.

    18) Remove unnecessary textsearch state initialization in xt_string,
    from Bojan Prtvar.

    19) Add several helper functions to nf_tables, more work to prepare
    the enhancement of NFT_MSG_DELTABLE, again from Arturo Borrero.

    20) Enhance NFT_MSG_DELTABLE to delete a table and its content, from
    Arturo Borrero.

    21) Support NAT flags in the nat expression to indicate the flavour,
    eg. random fully, from Arturo.

    22) Add missing audit code to ebtables when replacing tables, from
    Nicolas Dichtel.

    23) Generalize the IPv4 masquerading code to allow its re-use from
    nf_tables, from Arturo.

    24) Generalize the IPv6 masquerading code, also from Arturo.

    25) Add the new masq expression to support IPv4/IPv6 masquerading
    from nf_tables, also from Arturo.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

09 Sep, 2014

2 commits

  • The nft_masq expression is intended to perform NAT in the masquerade flavour.

    We decided to have the masquerade functionality in a separated expression other
    than nft_nat.

    Signed-off-by: Arturo Borrero Gonzalez
    Signed-off-by: Pablo Neira Ayuso

    Arturo Borrero
     
  • Let's refactor the code so we can reach the masquerade functionality
    from outside the xt context (ie. nftables).

    The patch includes the addition of an atomic counter to the masquerade
    notifier: the stuff to be done by the notifier is the same for xt and
    nftables. Therefore, only one notification handler is needed.

    This factorization only involves IPv4; a similar patch follows to
    handle IPv6.

    Signed-off-by: Arturo Borrero Gonzalez
    Signed-off-by: Pablo Neira Ayuso

    Arturo Borrero
     

19 Aug, 2014

1 commit

  • Currently, the NAT configs depend on iptables and ip6tables. However,
    users should be capable of enabling NAT for nft without having to
    switch on iptables.

    Fix this by adding new specific IP_NF_NAT and IP6_NF_NAT config
    switches for iptables and ip6tables NAT support. I have also moved
    the original NF_NAT_IPV4 and NF_NAT_IPV6 configs out of the scope
    of iptables to make them independent of it.

    This patch also adds NETFILTER_XT_NAT which selects the xt_nat
    combo that provides snat/dnat for iptables. We cannot use NF_NAT
    anymore since nf_tables can select this.

    Reported-by: Matteo Croce
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

25 Jul, 2014

1 commit


27 Jun, 2014

2 commits

  • This adds the generic plain text packet logger for ARP packets. It is
    based on the ebt_log code. Nevertheless, the output has been modified
    to make it consistent with the original xt_LOG output.

    This is an example output:

    IN=wlan0 OUT= ARP HTYPE=1 PTYPE=0x0800 OPCODE=2 MACSRC=00:ab:12:34:55:63 IPSRC=192.168.10.1 MACDST=80:09:12:70:4f:50 IPDST=192.168.10.150

    This patch enables packet logging from ARP chains, eg.

    nft add rule arp filter input log prefix "input: "

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • The plain text logging is currently embedded into the xt_LOG target.
    In order to be able to use the plain text logging from nft_log, as a
    first step, this patch moves the family specific code to the following
    files and Kconfig symbols:

    1) net/ipv4/netfilter/nf_log_ip.c: CONFIG_NF_LOG_IPV4
    2) net/ipv6/netfilter/nf_log_ip6.c: CONFIG_NF_LOG_IPV6
    3) net/netfilter/nf_log_common.c: CONFIG_NF_LOG_COMMON

    These new modules will be required by xt_LOG and nft_log. This patch
    is based on original patch from Arturo Borrero Gonzalez.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

06 Feb, 2014

1 commit


31 Dec, 2013

1 commit

  • This patch moves nft_reject_ipv4 to nft_reject and adds support
    for IPv6 protocol. This patch uses functions included in nf_reject.h
    to implement reject by TCP reset.

    The code has to be built as a module if NF_TABLES_IPV6 is also a
    module to avoid a compilation error due to usage of IPv6 functions.
    This has been done in Kconfig by using the construct:

    depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6

    This seems a bit weird in terms of syntax but works perfectly.

    Signed-off-by: Eric Leblond
    Signed-off-by: Pablo Neira Ayuso

    Eric Leblond
     

15 Oct, 2013

1 commit


14 Oct, 2013

2 commits

  • This patch converts built-in tables/chains to chain types that
    allow you to deploy customized table and chain configurations from
    userspace.

    After this patch, you have to specify the chain type when
    creating a new chain:

    add chain ip filter output { type filter hook input priority 0; }
    ^^^^ ------

    The existing chain types after this patch are: filter, route and
    nat. Note that tables are just containers of chains with no specific
    semantics, which is a significant change with regards to iptables.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • This patch adds nftables which is the intended successor of iptables.
    This packet filtering framework reuses the existing netfilter hooks,
    the connection tracking system, the NAT subsystem, the transparent
    proxying engine, the logging infrastructure and the userspace packet
    queueing facilities.

    In a nutshell, nftables provides a pseudo-state machine with 4 general
    purpose registers of 128 bits and 1 specific purpose register to store
    verdicts. This pseudo-machine comes with an extensible instruction set,
    a.k.a. "expressions" in the nftables jargon. The expressions included
    in this patch provide the basic functionality, they are:

    * bitwise: to perform bitwise operations.
    * byteorder: to change from host/network endianness.
    * cmp: to compare data with the content of the registers.
    * counter: to enable counters on rules.
    * ct: to store conntrack keys into register.
    * exthdr: to match IPv6 extension headers.
    * immediate: to load data into registers.
    * limit: to limit matching based on packet rate.
    * log: to log packets.
    * meta: to match metainformation that usually comes with the skbuff.
    * nat: to perform Network Address Translation.
    * payload: to fetch data from the packet payload and store it into
    registers.
    * reject (IPv4 only): to explicitly close connection, eg. TCP RST.

    Using this instruction-set, the userspace utility 'nft' can transform
    the rules expressed in human-readable text representation (using a
    new syntax, inspired by tcpdump) to nftables bytecode.

    nftables also inherits the table, chain and rule objects from
    iptables, but in a more configurable way, and it also includes the
    original datatype-agnostic set infrastructure with mapping support.
    This set infrastructure is enhanced in the follow up patch (netfilter:
    nf_tables: add netlink set API).

    This patch includes the following components:

    * the netlink API: net/netfilter/nf_tables_api.c and
    include/uapi/netfilter/nf_tables.h
    * the packet filter core: net/netfilter/nf_tables_core.c
    * the expressions (described above): net/netfilter/nft_*.c
    * the filter tables: arp, IPv4, IPv6 and bridge:
    net/ipv4/netfilter/nf_tables_ipv4.c
    net/ipv6/netfilter/nf_tables_ipv6.c
    net/ipv4/netfilter/nf_tables_arp.c
    net/bridge/netfilter/nf_tables_bridge.c
    * the NAT table (IPv4 only):
    net/ipv4/netfilter/nf_table_nat_ipv4.c
    * the route table (similar to mangle):
    net/ipv4/netfilter/nf_table_route_ipv4.c
    net/ipv6/netfilter/nf_table_route_ipv6.c
    * internal definitions under:
    include/net/netfilter/nf_tables.h
    include/net/netfilter/nf_tables_core.h
    * It also includes a skeleton expression:
    net/netfilter/nft_expr_template.c
    and the preliminary implementation of the meta target
    net/netfilter/nft_meta_target.c

    It also includes a change in struct nf_hook_ops to add a new
    pointer to store private data to the hook, that is used to store
    the rule list per chain.

    This patch is based on the patch from Patrick McHardy, plus merged
    accumulated cleanups, fixes and small enhancements to the nftables
    code that has been done since 2009, which are:

    From Patrick McHardy:
    * nf_tables: adjust netlink handler function signatures
    * nf_tables: only retry table lookup after successful table module load
    * nf_tables: fix event notification echo and avoid unnecessary messages
    * nft_ct: add l3proto support
    * nf_tables: pass expression context to nft_validate_data_load()
    * nf_tables: remove redundant definition
    * nft_ct: fix maxattr initialization
    * nf_tables: fix invalid event type in nf_tables_getrule()
    * nf_tables: simplify nft_data_init() usage
    * nf_tables: build in more core modules
    * nf_tables: fix double lookup expression unregistation
    * nf_tables: move expression initialization to nf_tables_core.c
    * nf_tables: build in payload module
    * nf_tables: use NFPROTO constants
    * nf_tables: rename pid variables to portid
    * nf_tables: save 48 bits per rule
    * nf_tables: introduce chain rename
    * nf_tables: check for duplicate names on chain rename
    * nf_tables: remove ability to specify handles for new rules
    * nf_tables: return error for rule change request
    * nf_tables: return error for NLM_F_REPLACE without rule handle
    * nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
    * nf_tables: fix NLM_F_MULTI usage in netlink notifications
    * nf_tables: include NLM_F_APPEND in rule dumps

    From Pablo Neira Ayuso:
    * nf_tables: fix stack overflow in nf_tables_newrule
    * nf_tables: nft_ct: fix compilation warning
    * nf_tables: nft_ct: fix crash with invalid packets
    * nft_log: group and qthreshold are 2^16
    * nf_tables: nft_meta: fix socket uid,gid handling
    * nft_counter: allow to restore counters
    * nf_tables: fix module autoload
    * nf_tables: allow to remove all rules placed in one chain
    * nf_tables: use 64-bits rule handle instead of 16-bits
    * nf_tables: fix chain after rule deletion
    * nf_tables: improve deletion performance
    * nf_tables: add missing code in route chain type
    * nf_tables: rise maximum number of expressions from 12 to 128
    * nf_tables: don't delete table if in use
    * nf_tables: fix basechain release

    From Tomasz Bursztyka:
    * nf_tables: Add support for changing users chain's name
    * nf_tables: Change chain's name to be fixed sized
    * nf_tables: Add support for replacing a rule by another one
    * nf_tables: Update uapi nftables netlink header documentation

    From Florian Westphal:
    * nft_log: group is u16, snaplen u32

    From Phil Oester:
    * nf_tables: operational limit match

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     

28 Aug, 2013

1 commit

  • Add a SYNPROXY for netfilter. The code is split into two parts, the synproxy
    core with common functions and an address family specific target.

    The SYNPROXY receives the connection request from the client, responds with
    a SYN/ACK containing a SYN cookie and announcing a zero window and checks
    whether the final ACK from the client contains a valid cookie.

    It then establishes a connection to the original destination and, if
    successful, sends a window update to the client with the window size
    announced by the server.

    Support for timestamps, SACK, window scaling and MSS options can be
    statically configured as target parameters if the features of the server
    are known. If timestamps are used, the timestamp value sent back to
    the client in the SYN/ACK will be different from the real timestamp of
    the server. In order to not break PAWS, the timestamps are translated in
    the direction server->client.

    Signed-off-by: Patrick McHardy
    Tested-by: Martin Topholm
    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     
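A toy model of the handshake described above, added here as an example and not taken from the kernel's synproxy code: the HMAC cookie, the demo secret, the 4-tuple, `fake_server` and `run_handshake` are all constructed for the demonstration, and only the server->client timestamp translation the message mentions is modelled.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # the kernel uses a random per-boot key
SLOT_SECONDS = 60                    # cookies stay valid for this slot and the previous one
MASK32 = 0xFFFFFFFF

def syn_cookie(flow, client_isn, slot):
    """32-bit cookie bound to the 4-tuple, the client's ISN and a time slot."""
    msg = ("%s:%d>%s:%d:%d:%d" % (*flow, client_isn, slot)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def cookie_valid(flow, client_isn, cookie, now):
    """Accept only cookies minted in the current or the previous slot."""
    slot = now // SLOT_SECONDS
    return any(syn_cookie(flow, client_isn, s) == cookie for s in (slot, slot - 1))

class SynProxy:
    """Proxy side of the handshake; `connect` stands in for reaching the real server."""
    def __init__(self, connect):
        self.connect = connect  # client_isn -> (server_isn, server_win, server_tsval)
        self.proxy_tsval = 0
        self.seq_offset = 0     # server_isn - cookie
        self.ts_offset = 0      # proxy_tsval - server_tsval

    def on_client_syn(self, flow, client_isn, now):
        """Answer the SYN with a SYN/ACK: cookie as ISN, zero window, no state kept."""
        cookie = syn_cookie(flow, client_isn, now // SLOT_SECONDS)
        self.proxy_tsval = now * 1000  # the proxy's clock, not the server's
        return {"flags": "SA", "seq": cookie, "ack": (client_isn + 1) & MASK32,
                "win": 0, "tsval": self.proxy_tsval}

    def on_client_ack(self, flow, client_isn, ack, now):
        """Verify the cookie; if valid, connect to the server and open the window."""
        cookie = (ack - 1) & MASK32
        if not cookie_valid(flow, client_isn, cookie, now):
            return None  # bogus or stale final ACK: dropped
        server_isn, server_win, server_tsval = self.connect(client_isn)
        self.seq_offset = (server_isn - cookie) & MASK32
        self.ts_offset = (self.proxy_tsval - server_tsval) & MASK32
        # Window update to the client carrying the window the server announced.
        return {"flags": "A", "seq": (cookie + 1) & MASK32, "ack": (client_isn + 1) & MASK32,
                "win": server_win, "tsval": self.proxy_tsval}

    def server_to_client(self, seg):
        """Rewrite SEQ and TSval so they continue from what the client saw (keeps PAWS happy)."""
        return {**seg, "seq": (seg["seq"] - self.seq_offset) & MASK32,
                "tsval": (seg["tsval"] + self.ts_offset) & MASK32}

def fake_server(client_isn):
    """Constructed stand-in: the real server's ISN, window and TSval."""
    return 0x12345678, 29200, 987654

def run_handshake(now=1000, client_isn=0xABCDEF01):
    """SYN, SYN/ACK, a stale ACK, a forged ACK, the real ACK, then one translated segment."""
    flow = ("192.0.2.10", 40000, "198.51.100.1", 80)  # constructed 4-tuple
    proxy = SynProxy(fake_server)
    synack = proxy.on_client_syn(flow, client_isn, now)
    good_ack = (synack["seq"] + 1) & MASK32
    stale = proxy.on_client_ack(flow, client_isn, good_ack, now + 3 * SLOT_SECONDS)
    forged = proxy.on_client_ack(flow, client_isn, good_ack + 7, now + 1)
    update = proxy.on_client_ack(flow, client_isn, good_ack, now + 1)
    data = proxy.server_to_client({"seq": 0x12345679, "tsval": 987700, "win": 29200})
    return synack, stale, forged, update, data
```

The stale and forged ACKs are rejected without the proxy ever touching the server, which is the whole point of answering the SYN statelessly.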

21 Sep, 2012

2 commits

  • Combine more modules since the actual code is so small anyway that the
    kmod metadata and the module in its loaded state totally outweighs the
    combined actual code size.

    IP_NF_TARGET_REDIRECT becomes a compat option; IP6_NF_TARGET_REDIRECT
    is completely eliminated since it has not seen a release yet.

    Signed-off-by: Jan Engelhardt
    Acked-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Jan Engelhardt
     
  • Combine more modules since the actual code is so small anyway that the
    kmod metadata and the module in its loaded state totally outweighs the
    combined actual code size.

    IP_NF_TARGET_NETMAP becomes a compat option; IP6_NF_TARGET_NETMAP
    is completely eliminated since it has not seen a release yet.

    Signed-off-by: Jan Engelhardt
    Acked-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Jan Engelhardt
     

30 Aug, 2012

6 commits


09 May, 2012

1 commit

  • This patch removes ip_queue support which was marked as obsolete
    years ago. The nfnetlink_queue module provides a more advanced
    user-space packet queueing mechanism.

    This patch also removes capability code included in SELinux that
    refers to ip_queue. Otherwise, we break compilation.

    Several warnings have been sent regarding this to the mailing list
    in the past month without anyone raising their hand to stop this
    with some strong argument.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

08 Mar, 2012

1 commit


28 Dec, 2011

1 commit


05 Dec, 2011

1 commit

  • This tries to do the same thing as fib_validate_source(), but differs
    in several aspects.

    The most important difference is that the reverse path filter built into
    fib_validate_source uses the oif as iif when performing the reverse
    lookup. We do not do this, as the oif is not yet known by the time the
    PREROUTING hook is invoked.

    We can't wait until FORWARD chain because by the time FORWARD is invoked
    ipv4 forward path may have already sent icmp messages in response
    to to-be-discarded-via-rpfilter packets.

    To avoid such an additional lookup in PREROUTING, Patrick McHardy
    suggested to attach the path information directly in the match
    (i.e., just do what the standard ipv4 path does a bit earlier in PREROUTING).

    This works, but it also has a few caveats. Most importantly, when using
    marks in PREROUTING to re-route traffic based on the nfmark, -m rpfilter
    would have to be used after the nfmark has been set; otherwise the nfmark
    would have no effect (because the route is already attached).

    Another problem would be interaction with -j TPROXY, as this target sets an
    nfmark and uses ACCEPT instead of continue, i.e. such a version of
    -m rpfilter cannot be used for the initial to-be-intercepted packets.

    In case it turns out that the oif is required, we can add Patrick's
    suggestion with a new match option (e.g. --rpf-use-oif) to keep ruleset
    compatibility.

    Another difference to current builtin ipv4 rpfilter is that packets subject to ipsec
    transformation are not automatically excluded. If you want this, simply
    combine -m rpfilter with the policy match.

    Packets arriving on loopback interfaces always match.

    Signed-off-by: Florian Westphal
    Acked-by: David S. Miller
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
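A model of the reverse path check described in this commit and of the oif result order listed in the fib expression commit at the top of the page (local skb route, then lookup error or local result, then the stored oif, with the multipath "search set for desired oif" case), added here as an example and not code from the kernel: the `Fib` table, the ifindexes and the host in `demo()` are constructed.

```python
import ipaddress

LOOPBACK_IFINDEX = 1  # constructed: ifindex of "lo" in this model

class Fib:
    """Longest-prefix-match table standing in for the kernel FIB (constructed).
    An entry maps a prefix to its candidate output ifindexes (several for a
    multipath route) and a flag saying whether the prefix is local to this host."""
    def __init__(self, routes):
        self.routes = sorted(((ipaddress.ip_network(pfx), set(oifs), local)
                              for pfx, oifs, local in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        """(oifs, local) for the most specific match, or None for a lookup error."""
        addr = ipaddress.ip_address(addr)
        for net, oifs, local in self.routes:
            if net.version == addr.version and addr in net:
                return oifs, local
        return None

def fib_oif(fib, addr, skb_local=False, want_iif=None, strict=False):
    """Output ifindex for addr, in the result order the fib commit lists.
    skb_local models 'skb has an rtable with RTF_LOCAL' (also looped-back
    multicast); want_iif/strict model 'search set for desired oif'."""
    if skb_local:
        return LOOPBACK_IFINDEX
    res = fib.lookup(addr)
    if res is None or res[1]:       # lookup error or local result: store zero
        return 0
    oifs = res[0]
    if strict and want_iif is not None:
        return want_iif if want_iif in oifs else 0
    return min(oifs)                # single route, or first multipath candidate

def rpfilter_match(fib, saddr, iif):
    """Reverse path check as the rpfilter commit describes: reverse lookup of
    saddr in PREROUTING without using the oif; loopback always matches."""
    if iif == LOOPBACK_IFINDEX:
        return True
    return fib_oif(fib, saddr, want_iif=iif, strict=True) == iif

def demo():
    """Constructed host: eth0 (2) on 192.0.2.0/24, eth1 (3) on 198.51.100.0/24,
    a multipath default via both, and 192.0.2.1 configured locally on eth0."""
    fib = Fib([
        ("192.0.2.1/32", {LOOPBACK_IFINDEX}, True),
        ("192.0.2.0/24", {2}, False),
        ("198.51.100.0/24", {3}, False),
        ("0.0.0.0/0", {2, 3}, False),
    ])
    return {
        "own_subnet_on_eth0": rpfilter_match(fib, "192.0.2.50", 2),
        "own_subnet_spoofed_on_eth1": rpfilter_match(fib, "192.0.2.50", 3),
        "multipath_default_on_eth1": rpfilter_match(fib, "203.0.113.9", 3),
        "local_saddr_not_accepted": rpfilter_match(fib, "192.0.2.1", 2),
        "loopback_always_matches": rpfilter_match(fib, "203.0.113.9", 1),
        "oif_remote_dst": fib_oif(fib, "198.51.100.7"),
        "oif_local_dst": fib_oif(fib, "192.0.2.1"),
        "oif_looped_back_mcast": fib_oif(fib, "224.0.0.1", skb_local=True),
        "oif_no_route": fib_oif(fib, "2001:db8::1"),
    }
```

A source address that is configured on the host itself yields oif zero and therefore never passes the check, which is the "'--local' option is not supported" behaviour the fib commit describes.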

16 Mar, 2011

1 commit


23 Nov, 2010

1 commit


19 Feb, 2009

2 commits


08 Oct, 2008

2 commits