03 Mar, 2016
2 commits
-
delay hook registration until the table is being requested inside a
namespace.

Historically, a particular table (iptables mangle, ip6tables filter, etc)
was registered on module load.

When netns support was added to iptables only the ip/ip6tables ruleset was
made namespace aware, not the actual hook points.

This means f.e. that when ipt_filter table/module is loaded on a system,
then each namespace on that system has an (empty) iptables filter ruleset.

In other words, if a namespace sends a packet, such skb is 'caught' by
netfilter machinery and fed to hooking points for that table (i.e. INPUT,
FORWARD, etc).

Thanks to Eric Biederman, hooks are no longer global, but per namespace.
This means that we can avoid allocation of empty ruleset in a namespace and
defer hook registration until we need the functionality.

We register a table's hook entry points ONLY in the initial namespace.

When an iptables get/setsockopt is issued inside a given namespace, we check
if the table is found in the per-namespace list.

If not, we attempt to find it in the initial namespace, and, if found,
create an empty default table in the requesting namespace and register the
needed hooks.

Hook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
This change prepares for upcoming on-demand xtables hook registration.

We change the prototypes of the register/unregister functions.

A followup patch will then add nf_hook_register/unregister calls
to the iptables one.

Once a hook is registered packets will be picked up, so all assignments
of the form

net->ipv4.iptable_$table = new_table

have to be moved to ip(6)t_register_table, else we can see NULL
net->ipv4.iptable_$table later.

This patch doesn't change functionality; without this the actual change
simply gets too big.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
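As an added illustration of the on-demand scheme the two commits above describe (this is not code from the kernel or from these patches): a stand-alone C model in which a table and its hooks exist only in the initial namespace after module load, and a request from another namespace clones an empty default table there and registers its hooks on first use, with no re-registration on later requests and no removal before namespace teardown. The struct layout, the names `xt_request_table()`, `register_table_initns()`, `net_exit()` and the `hook_registrations` counter are assumptions of this model; the kernel's own types and functions differ.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of one per-namespace table (hypothetical, not the kernel struct). */
struct table {
    char name[16];
    int hooks_registered;       /* 1 once nf hooks exist for this netns */
    struct table *next;
};

/* Model of a network namespace with its own table list (hypothetical). */
struct net {
    const char *id;
    struct table *tables;
};

static struct net init_net = { "init_net", NULL };
static int hook_registrations;  /* how many times hooks were registered */

/* Search one namespace's list only; never falls back to init_net. */
static struct table *find_table(struct net *net, const char *name)
{
    struct table *t;
    for (t = net->tables; t; t = t->next)
        if (strcmp(t->name, name) == 0)
            return t;
    return NULL;
}

static struct table *new_table(struct net *net, const char *name)
{
    struct table *t = calloc(1, sizeof(*t));
    if (!t)
        return NULL;
    strncpy(t->name, name, sizeof(t->name) - 1);
    t->hooks_registered = 1;    /* registering the table registers hooks */
    hook_registrations++;
    t->next = net->tables;
    net->tables = t;
    return t;
}

/* Module load: the table and its hooks are created in init_net only. */
static struct table *register_table_initns(const char *name)
{
    return new_table(&init_net, name);
}

/*
 * What an iptables get/setsockopt in namespace 'net' triggers in this
 * model: use the per-netns table if present; otherwise, if the initial
 * namespace knows the table, create an empty default table here and
 * register its hooks now. Returns NULL for a table no module provides.
 */
static struct table *xt_request_table(struct net *net, const char *name)
{
    struct table *t = find_table(net, name);
    if (t)
        return t;                       /* already live in this netns */
    if (!find_table(&init_net, name))
        return NULL;                    /* no such table/module loaded */
    return new_table(net, name);        /* hooks appear on first request */
}

/* Namespace teardown: the only point where a namespace's hooks go away. */
static void net_exit(struct net *net)
{
    struct table *t = net->tables;
    while (t) {
        struct table *n = t->next;
        free(t);
        t = n;
    }
    net->tables = NULL;
}

int main(void)
{
    struct net ns = { "ns-a", NULL };   /* constructed second namespace */
    register_table_initns("filter");
    printf("ns-a has filter before any request: %s\n",
           find_table(&ns, "filter") ? "yes" : "no");
    xt_request_table(&ns, "filter");
    xt_request_table(&ns, "filter");    /* second request: nothing new */
    printf("hook registrations so far: %d\n", hook_registrations);
    net_exit(&ns);
    return 0;
}
```

The point the model makes visible is that a namespace which never issues an iptables socket call never gets hooks for that table, and that two requests for the same table in one namespace register hooks once.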
17 Oct, 2015
1 commit
-
since commit 8405a8fff3f8 ("netfilter: nf_qeueue: Drop queue entries on
nf_unregister_hook") all pending queued entries are discarded.

So we can simply remove all of the owner handling -- when module is
removed it also needs to unregister all its hooks.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
19 Sep, 2015
2 commits
-
Only pass the void *priv parameter out of the nf_hook_ops. That is
all any of the functions are interested in now, and by limiting what is
passed it becomes simpler to change implementation details.

Signed-off-by: "Eric W. Biederman"
Signed-off-by: Pablo Neira Ayuso
-
The values of ops->hooknum and state->hook are guaranteed to be equal,
making the hook argument to ip6t_do_table, arp_do_table, and
ipt_do_table unnecessary. Remove the unnecessary hook argument.

In the callers use state->hook instead of ops->hooknum for clarity and
to reduce the number of cachelines the callers touch.

Signed-off-by: "Eric W. Biederman"
Signed-off-by: Pablo Neira Ayuso
18 Sep, 2015
1 commit
-
Instead of saying "net = dev_net(state->in?state->in:state->out)"
just say "state->net". As that information is now available,
much less confusing and much less error prone.

Signed-off-by: "Eric W. Biederman"
Signed-off-by: David S. Miller
05 Apr, 2015
3 commits
-
Signed-off-by: David S. Miller
-
Signed-off-by: David S. Miller
-
Pass the nf_hook_state all the way down into the hook
functions themselves.

Signed-off-by: David S. Miller
02 Sep, 2014
1 commit
-
Move the specific NAT IPv4 core functions that are called from the
hooks from iptable_nat.c to nf_nat_l3proto_ipv4.c. This prepares the
ground to allow iptables and nft to use the same NAT engine code that
comes in a follow up patch.

Signed-off-by: Pablo Neira Ayuso
30 Apr, 2014
1 commit
-
Reduce copy-paste a bit by adding a common helper.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
14 Oct, 2013
1 commit
-
Pass the hook ops to the hookfn to allow for generic hook
functions. This change is required by nf_tables.

Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
15 Jul, 2013
1 commit
-
Sweep of the simple cases.
Cc: netdev@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: Julia Lawall
Signed-off-by: Rusty Russell
Acked-by: David S. Miller
Acked-by: Benjamin Herrenschmidt
08 Apr, 2013
2 commits
-
Propagate errors from ip_xfrm_me_harder() instead of returning EPERM in
all cases.

Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
-
Propagate routing errors from ip_route_me_harder() when dropping a packet
using NF_DROP_ERR(). This makes userspace get the proper error instead of
EPERM for everything.

Example:

# ip r a unreachable default table 100
# ip ru add fwmark 0x1 lookup 100
# iptables -t mangle -A OUTPUT -d 8.8.8.8 -j MARK --set-mark 0x1

Current behaviour:

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

New behaviour:

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable

Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
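The verdict encoding that the two commits above rely on, as an added example that is not part of either patch: NF_DROP_ERR() packs a negative errno into the upper 16 bits of the verdict word while the low byte stays NF_DROP, and the hook caller (nf_hook_slow() in the kernel) unpacks it with NF_DROP_GETERR(), falling back to EPERM when a plain NF_DROP carried no error. The macro and constant definitions are reproduced from include/uapi/linux/netfilter.h so the block builds stand-alone; `fake_route_me_harder()`, `hook_old()`, `hook_new()` and `verdict_to_errno()` are constructed for this example and stand in for ip_route_me_harder(), the pre- and post-patch hook, and the caller's unpacking step.

```c
#include <errno.h>
#include <stdio.h>

/* Verdict encoding as defined in include/uapi/linux/netfilter.h. */
#define NF_DROP             0
#define NF_ACCEPT           1
#define NF_VERDICT_MASK     0x000000ff
#define NF_DROP_ERR(x)      (((-x) << 16) | NF_DROP)
#define NF_DROP_GETERR(x)   (-(((x) >> 16)))

/* Stand-in for ip_route_me_harder(): 0 on success, -errno on failure.
 * Constructed for this example; the real function consults the routing
 * tables, which is where -ENETUNREACH comes from in the commit's example. */
static int fake_route_me_harder(int route_result)
{
    return route_result;
}

/* Old behaviour: any rerouting failure becomes a bare NF_DROP, and the
 * caller can only report EPERM for it. */
static unsigned int hook_old(int route_result)
{
    if (fake_route_me_harder(route_result) < 0)
        return NF_DROP;
    return NF_ACCEPT;
}

/* New behaviour: carry the routing errno inside the drop verdict. */
static unsigned int hook_new(int route_result)
{
    int err = fake_route_me_harder(route_result);
    if (err < 0)
        return NF_DROP_ERR(err);
    return NF_ACCEPT;
}

/*
 * What the hook caller does with the verdict: for a drop, take the errno
 * embedded in the upper bits and, if there is none, report -EPERM as
 * before. Returns 0 for an accepted packet.
 */
static int verdict_to_errno(unsigned int verdict)
{
    if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
        int ret = NF_DROP_GETERR((int)verdict);
        return ret ? ret : -EPERM;
    }
    return 0;
}

int main(void)
{
    /* constructed: route lookup fails with ENETUNREACH in both cases */
    printf("old hook -> userspace sees errno %d (EPERM is %d)\n",
           -verdict_to_errno(hook_old(-ENETUNREACH)), EPERM);
    printf("new hook -> userspace sees errno %d (ENETUNREACH is %d)\n",
           -verdict_to_errno(hook_new(-ENETUNREACH)), ENETUNREACH);
    return 0;
}
```

Note that NF_DROP_ERR() negates its argument textually, so it must be handed a variable or parenthesised expression holding the negative errno, never a literal such as `-ENETUNREACH` directly; the block passes `err` for that reason. The low byte of the verdict is still NF_DROP, so every existing `verdict & NF_VERDICT_MASK` check keeps treating the packet as dropped.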
17 Dec, 2012
1 commit
-
Since (a0ecb85 netfilter: nf_nat: Handle routing changes in MASQUERADE
target), the MASQUERADE target handles routing changes which affect
the output interface of a connection, but only for ESTABLISHED
connections. It is also possible for NEW connections which
already have a conntrack entry to be affected by routing changes.

This adds a check to drop entries in the NEW+conntrack state
when the oif has changed.

Signed-off-by: Andrew Collins
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
03 Dec, 2012
1 commit
-
When the route changes (backup default route, VPNs) which affect a
masqueraded target, the packets were sent out with the outdated source
address. The patch addresses the issue by comparing the outgoing interface
directly with the masqueraded interface in the nat table.

Events are inefficient in this case, because it'd require adding route
events to the network core and then scanning the whole conntrack table
and re-checking the route for all entries.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
17 Nov, 2012
1 commit
-
Conflicts:
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c

Minor conflict due to some IS_ENABLED conversions done
in net-next.

Signed-off-by: David S. Miller
29 Oct, 2012
2 commits
-
Use PTR_RET rather than if(IS_ERR(...)) + PTR_ERR

Generated by: coccinelle/api/ptr_ret.cocci
Reported-by: Fengguang Wu
Signed-off-by: Fengguang Wu
Signed-off-by: Pablo Neira Ayuso
-
ICMP tuples have id in src and type/code in dst.
So comparing src.u.all with dst.u.all will always fail here
and ip_xfrm_me_harder() is called for every ICMP packet,
even if there was no NAT.

Signed-off-by: Ulrich Weber
Signed-off-by: Pablo Neira Ayuso
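The comparison bug the commit above describes, as an added example that is not the kernel's code: a reduced model of a conntrack tuple in which, as the commit says, ICMP keeps the echo id in `src.u` and type/code in `dst.u`, so comparing `src.u.all` of one direction with `dst.u.all` of the other direction can never match for ICMP. `nat_changed_old()` reproduces the always-true check that sent every ICMP packet through ip_xfrm_me_harder(); `nat_changed_fixed()` skips the L4 comparison for ICMP and keeps it for port-carrying protocols. The struct layout, the function names and the sample tuples are constructed for this example and differ from the kernel's nf_conntrack_tuple.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_ICMP 1
#define IPPROTO_UDP  17

/*
 * Reduced model of a conntrack tuple (constructed for this example).
 * The property that matters is the one the commit describes: for ICMP
 * the id lives in src.u and type/code in dst.u, so the two 16-bit
 * values are not the same kind of thing.
 */
struct tuple {
    struct {
        uint32_t ip;
        union { uint16_t all; uint16_t port; uint16_t icmp_id; } u;
    } src;
    struct {
        uint32_t ip;
        uint8_t  protonum;
        union { uint16_t all; uint16_t port;
                struct { uint8_t type, code; } icmp; } u;
    } dst;
};

#define CT_DIR_ORIGINAL 0
#define CT_DIR_REPLY    1

struct conn {
    struct tuple t[2];      /* [0] = original direction, [1] = reply */
};

/* Echo request A -> B with echo id; reply_dst_ip is where the reply is
 * delivered, which is A itself when no NAT was applied. */
static struct conn make_icmp_echo(uint32_t a, uint32_t b, uint16_t id,
                                  uint32_t reply_dst_ip)
{
    struct conn c;
    memset(&c, 0, sizeof(c));
    c.t[0].src.ip = a;  c.t[0].src.u.icmp_id = id;
    c.t[0].dst.ip = b;  c.t[0].dst.protonum = IPPROTO_ICMP;
    c.t[0].dst.u.icmp.type = 8;             /* echo request */
    c.t[1].src.ip = b;  c.t[1].src.u.icmp_id = id;
    c.t[1].dst.ip = reply_dst_ip; c.t[1].dst.protonum = IPPROTO_ICMP;
    c.t[1].dst.u.icmp.type = 0;             /* echo reply */
    return c;
}

/* UDP A:ap -> B:bp; the reply is addressed to reply_dst_ip:reply_dst_port,
 * which equals A:ap unless SNAT/MASQUERADE rewrote the source. */
static struct conn make_udp(uint32_t a, uint16_t ap, uint32_t b, uint16_t bp,
                            uint32_t reply_dst_ip, uint16_t reply_dst_port)
{
    struct conn c;
    memset(&c, 0, sizeof(c));
    c.t[0].src.ip = a;  c.t[0].src.u.port = ap;
    c.t[0].dst.ip = b;  c.t[0].dst.protonum = IPPROTO_UDP;
    c.t[0].dst.u.port = bp;
    c.t[1].src.ip = b;  c.t[1].src.u.port = bp;
    c.t[1].dst.ip = reply_dst_ip; c.t[1].dst.protonum = IPPROTO_UDP;
    c.t[1].dst.u.port = reply_dst_port;
    return c;
}

/* Pre-fix check ("did NAT change address or L4 identifier?"): compares
 * src.u of one direction with dst.u of the other regardless of protocol,
 * so for ICMP it compares an echo id against type/code and is true for
 * every ICMP packet, NAT or not. */
static int nat_changed_old(const struct conn *ct, int dir)
{
    return ct->t[dir].src.ip    != ct->t[!dir].dst.ip ||
           ct->t[dir].src.u.all != ct->t[!dir].dst.u.all;
}

/* Fixed check: the L4 comparison only means something when both sides
 * hold the same kind of value, so it is skipped for ICMP. */
static int nat_changed_fixed(const struct conn *ct, int dir)
{
    return ct->t[dir].src.ip != ct->t[!dir].dst.ip ||
           (ct->t[dir].dst.protonum != IPPROTO_ICMP &&
            ct->t[dir].src.u.all != ct->t[!dir].dst.u.all);
}

int main(void)
{
    /* constructed: ping from 10.0.0.1 to 8.8.8.8 with no NAT at all */
    struct conn ping = make_icmp_echo(0x0a000001, 0x08080808, 0x1234,
                                      0x0a000001);
    printf("ICMP without NAT: old check=%d, fixed check=%d\n",
           nat_changed_old(&ping, CT_DIR_ORIGINAL),
           nat_changed_fixed(&ping, CT_DIR_ORIGINAL));
    return 0;
}
```

The model also covers the cases the fix must keep working: an ICMP echo whose reply is addressed to a different IP (NAT did change the address) and a UDP flow whose source port was rewritten are still reported as changed by the fixed check.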
30 Aug, 2012
1 commit
-
Convert the IPv4 NAT implementation to a protocol independent core and
address family specific modules.

Signed-off-by: Patrick McHardy