08 Apr, 2017

1 commit

• d4ef38354   netfilter: Remove exceptional & on function name ... Browse Code »

  Remove & from function pointers to conform to the style found elsewhere
  in the file. Done using the following semantic patch

  //
  @r@
  identifier f;
  @@

  f(...) { ... }
  @@
  identifier r.f;
  @@

  - &f
  + f
  //

  Signed-off-by: Arushi Singhal
  Signed-off-by: Pablo Neira Ayuso

  Arushi Singhal

  2017-04-08 00:24:47 +0800  

13 Mar, 2017

1 commit

• 055c4b34b   netfilter: nft_fib: Support existence check ... Browse Code »

  Instead of the actual interface index or name, set destination register
  to just 1 or 0 depending on whether the lookup succeeded or not if
  NFTA_FIB_F_PRESENT was set in userspace.

  Signed-off-by: Phil Sutter
  Signed-off-by: Pablo Neira Ayuso

  Phil Sutter

  2017-03-13 20:45:36 +0800  

16 Jan, 2017

1 commit

• 6443ebc3f   netfilter: rpfilter: fix incorrect loopback packet judgment ... Browse Code »

  Currently, we check the existing rtable in PREROUTING hook, if RTCF_LOCAL
  is set, we assume that the packet is loopback.

  But this assumption is incorrect, for example, a packet encapsulated
  in ipsec transport mode was received and routed to local, after
  decapsulation, it would be delivered to local again, and the rtable
  was not dropped, so RTCF_LOCAL check would trigger. But actually, the
  packet was not loopback.

  So for these normal loopback packets, we can check whether the in device
  is IFF_LOOPBACK or not. For these locally generated broadcast/multicast,
  we can check whether the skb->pkt_type is PACKET_LOOPBACK or not.

  Finally, there's a subtle difference between nft fib expr and xtables
  rpfilter extension, user can add the following nft rule to do strict
  rpfilter check:
  # nft add rule x y meta iif eth0 fib saddr . iif oif != eth0 drop

  So when the packet is loopback, it's better to store the in device
  instead of the LOOPBACK_IFINDEX, otherwise, after adding the above
  nft rule, locally generated broad/multicast packets will be dropped
  incorrectly.

  Fixes: f83a7ea2075c ("netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too")
  Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
  Signed-off-by: Liping Zhang
  Signed-off-by: Pablo Neira Ayuso

  Liping Zhang

  2017-01-16 21:23:01 +0800  

07 Dec, 2016

3 commits

• 3b760dcb0   netfilter: rpfilter: bypass ipv4 lbcast packets with zeronet source ... Browse Code »

  Otherwise, DHCP Discover packets(0.0.0.0->255.255.255.255) may be
  dropped incorrectly.

  Signed-off-by: Liping Zhang
  Acked-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Liping Zhang

  2016-12-07 20:22:50 +0800  
• e0ffdbc78   netfilter: nft_fib_ipv4: initialize *dest to zero ... Browse Code »

  Otherwise, if fib lookup fail, *dest will be filled with garbage value,
  so reverse path filtering will not work properly:
  # nft add rule x prerouting fib saddr oif eq 0 drop

  Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
  Signed-off-by: Liping Zhang
  Acked-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Liping Zhang

  2016-12-07 04:42:21 +0800  
• 11583438b   netfilter: nft_fib: convert htonl to ntohl properly ... Browse Code »

  Acctually ntohl and htonl are identical, so this doesn't affect
  anything, but it is conceptually wrong.

  Signed-off-by: Liping Zhang
  Acked-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Liping Zhang

  2016-12-07 04:42:20 +0800  

03 Nov, 2016

1 commit

• 0e5a1c7eb   netfilter: nf_tables: use hook state from xt_action_param structure ... Browse Code »

  Don't copy relevant fields from hook state structure, instead use the
  one that is already available in struct xt_action_param.

  This patch also adds a set of new wrapper functions to fetch relevant
  hook state structure fields.

  Signed-off-by: Pablo Neira Ayuso

  Pablo Neira Ayuso

  2016-11-03 18:52:34 +0800  

02 Nov, 2016

1 commit

• f6d0cbcf0   netfilter: nf_tables: add fib expression ... Browse Code »

  Add FIB expression, supported for ipv4, ipv6 and inet family (the latter
  just dispatches to ipv4 or ipv6 one based on nfproto).

  Currently supports fetching output interface index/name and the
  rtm_type associated with an address.

  This can be used for adding path filtering. rtm_type is useful
  to e.g. enforce a strong-end host model where packets
  are only accepted if daddr is configured on the interface the
  packet arrived on.

  The fib expression is a native nftables alternative to the
  xtables addrtype and rp_filter matches.

  FIB result order for oif/oifname retrieval is as follows:
  - if packet is local (skb has rtable, RTF_LOCAL set, this
  will also catch looped-back multicast packets), set oif to
  the loopback interface.
  - if fib lookup returns an error, or result points to local,
  store zero result. This means '--local' option of -m rpfilter
  is not supported. It is possible to use 'fib type local' or add
  explicit saddr/daddr matching rules to create exceptions if this
  is really needed.
  - store result in the destination register.
  In case of multiple routes, search set for desired oif in case
  strict matching is requested.

  ipv4 and ipv6 behave fib expressions are supposed to behave the same.

  [ I have collapsed Arnd Bergmann's ("netfilter: nf_tables: fib warnings")

  http://patchwork.ozlabs.org/patch/688615/

  to address fallout from this patch after rebasing nf-next, that was
  posted to address compilation warnings. --pablo ]

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2016-11-02 03:50:14 +0800