07 Aug, 2015

2 commits

  • This new expression uses the nf_dup engine to clone packets to a given gateway.
    Unlike xt_TEE, we use an index to indicate output interface which should be
    fine at this stage.

    Moreover, change to the preemption-safe this_cpu_read(nf_skb_duplicated) from
    nf_dup_ipv{4,6} to silence a lockdep splat.

    Based on the original tee expression from Arturo Borrero Gonzalez, although
    this patch has diverted quite a bit from this initial effort due to the
    change to support maps.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • Extracted from the xtables TEE target. This creates two new modules for IPv4
    and IPv6 that are shared between the TEE target and the new nf_tables dup
    expressions.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

27 Nov, 2014

1 commit


28 Oct, 2014

2 commits


03 Oct, 2014

1 commit


11 Sep, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    nf-next pull request

    The following patchset contains Netfilter/IPVS updates for your
    net-next tree. Regarding nf_tables, most updates focus on consolidating
    the NAT infrastructure and adding support for masquerading. More
    specifically, they are:

    1) use __u8 instead of u_int8_t in arptables header, from
    Mike Frysinger.

    2) Add support to match by skb->pkttype to the meta expression, from
    Ana Rey.

    3) Add support to match by cpu to the meta expression, also from
    Ana Rey.

    4) A smatch warning about IPSET_ATTR_MARKMASK validation, patch from
    Vytas Dauksa.

    5) Fix netnet and netportnet hash types the range support for IPv4,
    from Sergey Popovich.

    6) Fix missing-field-initializer warnings resolved, from Mark Rustad.

    7) Dan Carpenter reported possible integer overflows in ipset, from
    Jozsef Kadlecsik.

    8) Filter out accounting objects in nfacct by type, so you can
    selectively reset quotas, from Alexey Perevalov.

    9) Move specific NAT IPv4 functions to the core so x_tables and
    nf_tables can share the same NAT IPv4 engine.

    10) Use the new NAT IPv4 functions from nft_chain_nat_ipv4.

    11) Move specific NAT IPv6 functions to the core so x_tables and
    nf_tables can share the same NAT IPv4 engine.

    12) Use the new NAT IPv6 functions from nft_chain_nat_ipv6.

    13) Refactor code to add nft_delrule(), which can be reused in the
    enhancement of the NFT_MSG_DELTABLE to remove a table and its
    content, from Arturo Borrero.

    14) Add a helper function to unregister chain hooks, from
    Arturo Borrero.

    15) A cleanup to rename to nft_delrule_by_chain for consistency with
    the new nft_*() functions, also from Arturo.

    16) Add support to match devgroup to the meta expression, from Ana Rey.

    17) Reduce stack usage for IPVS socket option, from Julian Anastasov.

    18) Remove unnecessary textsearch state initialization in xt_string,
    from Bojan Prtvar.

    19) Add several helper functions to nf_tables, more work to prepare
    the enhancement of NFT_MSG_DELTABLE, again from Arturo Borrero.

    20) Enhance NFT_MSG_DELTABLE to delete a table and its content, from
    Arturo Borrero.

    21) Support NAT flags in the nat expression to indicate the flavour,
    eg. random fully, from Arturo.

    22) Add missing audit code to ebtables when replacing tables, from
    Nicolas Dichtel.

    23) Generalize the IPv4 masquerading code to allow its re-use from
    nf_tables, from Arturo.

    24) Generalize the IPv6 masquerading code, also from Arturo.

    25) Add the new masq expression to support IPv4/IPv6 masquerading
    from nf_tables, also from Arturo.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

09 Sep, 2014

2 commits

  • The nft_masq expression is intended to perform NAT in the masquerade flavour.

    We decided to have the masquerade functionality in a separated expression other
    than nft_nat.

    Signed-off-by: Arturo Borrero Gonzalez
    Signed-off-by: Pablo Neira Ayuso

    Arturo Borrero
     
  • Let's refactor the code so we can reach the masquerade functionality
    from outside the xt context (ie. nftables).

    The patch includes the addition of an atomic counter to the masquerade
    notifier: the stuff to be done by the notifier is the same for xt and
    nftables. Therefore, only one notification handler is needed.

    This factorization only involves IPv6; a similar patch exists to
    handle IPv4.

    Signed-off-by: Arturo Borrero Gonzalez
    Signed-off-by: Pablo Neira Ayuso

    Arturo Borrero
     

19 Aug, 2014

1 commit

  • Currently, the NAT configs depend on iptables and ip6tables. However,
    users should be capable of enabling NAT for nft without having to
    switch on iptables.

    Fix this by adding new specific IP_NF_NAT and IP6_NF_NAT config
    switches for iptables and ip6tables NAT support. I have also moved
    the original NF_NAT_IPV4 and NF_NAT_IPV6 configs out of the scope
    of iptables to make them independent of it.

    This patch also adds NETFILTER_XT_NAT which selects the xt_nat
    combo that provides snat/dnat for iptables. We cannot use NF_NAT
    anymore since nf_tables can select this.

    Reported-by: Matteo Croce
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

27 Jun, 2014

1 commit

  • The plain text logging is currently embedded into the xt_LOG target.
    In order to be able to use the plain text logging from nft_log, as a
    first step, this patch moves the family specific code to the following
    files and Kconfig symbols:

    1) net/ipv4/netfilter/nf_log_ip.c: CONFIG_NF_LOG_IPV4
    2) net/ipv6/netfilter/nf_log_ip6.c: CONFIG_NF_LOG_IPV6
    3) net/netfilter/nf_log_common.c: CONFIG_NF_LOG_COMMON

    These new modules will be required by xt_LOG and nft_log. This patch
    is based on original patch from Arturo Borrero Gonzalez.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

06 Feb, 2014

1 commit


15 Oct, 2013

1 commit

  • This patch generalizes the NAT expression to support both IPv4 and IPv6
    using the existing IPv4/IPv6 NAT infrastructure. This also adds the
    NAT chain type for IPv6.

    This patch collapses the following patches that were posted to the
    netfilter-devel mailing list, from Tomasz:

    * nf_tables: Change NFTA_NAT_ attributes to better semantic significance
    * nf_tables: Split IPv4 NAT into NAT expression and IPv4 NAT chain
    * nf_tables: Add support for IPv6 NAT expression
    * nf_tables: Add support for IPv6 NAT chain
    * nf_tables: Fix up build issue on IPv6 NAT support

    And, from Pablo Neira Ayuso:

    * fix missing dependencies in nft_chain_nat

    Signed-off-by: Tomasz Bursztyka
    Signed-off-by: Pablo Neira Ayuso

    Tomasz Bursztyka
     

14 Oct, 2013

2 commits

  • This patch converts built-in tables/chains to chain types that
    allow you to deploy customized table and chain configurations from
    userspace.

    After this patch, you have to specify the chain type when
    creating a new chain:

    add chain ip filter output { type filter hook input priority 0; }
    ^^^^ ------

    The existing chain types after this patch are: filter, route and
    nat. Note that tables are just containers of chains with no specific
    semantics, which is a significant change with regards to iptables.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • This patch adds nftables which is the intended successor of iptables.
    This packet filtering framework reuses the existing netfilter hooks,
    the connection tracking system, the NAT subsystem, the transparent
    proxying engine, the logging infrastructure and the userspace packet
    queueing facilities.

    In a nutshell, nftables provides a pseudo-state machine with 4 general
    purpose registers of 128 bits and 1 specific purpose register to store
    verdicts. This pseudo-machine comes with an extensible instruction set,
    a.k.a. "expressions" in the nftables jargon. The expressions included
    in this patch provide the basic functionality, they are:

    * bitwise: to perform bitwise operations.
    * byteorder: to change from host/network endianness.
    * cmp: to compare data with the content of the registers.
    * counter: to enable counters on rules.
    * ct: to store conntrack keys into register.
    * exthdr: to match IPv6 extension headers.
    * immediate: to load data into registers.
    * limit: to limit matching based on packet rate.
    * log: to log packets.
    * meta: to match metainformation that usually comes with the skbuff.
    * nat: to perform Network Address Translation.
    * payload: to fetch data from the packet payload and store it into
    registers.
    * reject (IPv4 only): to explicitly close connection, eg. TCP RST.

    Using this instruction-set, the userspace utility 'nft' can transform
    the rules expressed in human-readable text representation (using a
    new syntax, inspired by tcpdump) to nftables bytecode.

    nftables also inherits the table, chain and rule objects from
    iptables, but in a more configurable way, and it also includes the
    original datatype-agnostic set infrastructure with mapping support.
    This set infrastructure is enhanced in the follow up patch (netfilter:
    nf_tables: add netlink set API).

    This patch includes the following components:

    * the netlink API: net/netfilter/nf_tables_api.c and
    include/uapi/netfilter/nf_tables.h
    * the packet filter core: net/netfilter/nf_tables_core.c
    * the expressions (described above): net/netfilter/nft_*.c
    * the filter tables: arp, IPv4, IPv6 and bridge:
    net/ipv4/netfilter/nf_tables_ipv4.c
    net/ipv6/netfilter/nf_tables_ipv6.c
    net/ipv4/netfilter/nf_tables_arp.c
    net/bridge/netfilter/nf_tables_bridge.c
    * the NAT table (IPv4 only):
    net/ipv4/netfilter/nf_table_nat_ipv4.c
    * the route table (similar to mangle):
    net/ipv4/netfilter/nf_table_route_ipv4.c
    net/ipv6/netfilter/nf_table_route_ipv6.c
    * internal definitions under:
    include/net/netfilter/nf_tables.h
    include/net/netfilter/nf_tables_core.h
    * It also includes a skeleton expression:
    net/netfilter/nft_expr_template.c
    and the preliminary implementation of the meta target
    net/netfilter/nft_meta_target.c

    It also includes a change in struct nf_hook_ops to add a new
    pointer to store private data to the hook, that is used to store
    the rule list per chain.

    This patch is based on the patch from Patrick McHardy, plus merged
    accumulated cleanups, fixes and small enhancements to the nftables
    code that has been done since 2009, which are:

    From Patrick McHardy:
    * nf_tables: adjust netlink handler function signatures
    * nf_tables: only retry table lookup after successful table module load
    * nf_tables: fix event notification echo and avoid unnecessary messages
    * nft_ct: add l3proto support
    * nf_tables: pass expression context to nft_validate_data_load()
    * nf_tables: remove redundant definition
    * nft_ct: fix maxattr initialization
    * nf_tables: fix invalid event type in nf_tables_getrule()
    * nf_tables: simplify nft_data_init() usage
    * nf_tables: build in more core modules
    * nf_tables: fix double lookup expression unregistation
    * nf_tables: move expression initialization to nf_tables_core.c
    * nf_tables: build in payload module
    * nf_tables: use NFPROTO constants
    * nf_tables: rename pid variables to portid
    * nf_tables: save 48 bits per rule
    * nf_tables: introduce chain rename
    * nf_tables: check for duplicate names on chain rename
    * nf_tables: remove ability to specify handles for new rules
    * nf_tables: return error for rule change request
    * nf_tables: return error for NLM_F_REPLACE without rule handle
    * nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
    * nf_tables: fix NLM_F_MULTI usage in netlink notifications
    * nf_tables: include NLM_F_APPEND in rule dumps

    From Pablo Neira Ayuso:
    * nf_tables: fix stack overflow in nf_tables_newrule
    * nf_tables: nft_ct: fix compilation warning
    * nf_tables: nft_ct: fix crash with invalid packets
    * nft_log: group and qthreshold are 2^16
    * nf_tables: nft_meta: fix socket uid,gid handling
    * nft_counter: allow to restore counters
    * nf_tables: fix module autoload
    * nf_tables: allow to remove all rules placed in one chain
    * nf_tables: use 64-bits rule handle instead of 16-bits
    * nf_tables: fix chain after rule deletion
    * nf_tables: improve deletion performance
    * nf_tables: add missing code in route chain type
    * nf_tables: rise maximum number of expressions from 12 to 128
    * nf_tables: don't delete table if in use
    * nf_tables: fix basechain release

    From Tomasz Bursztyka:
    * nf_tables: Add support for changing users chain's name
    * nf_tables: Change chain's name to be fixed sized
    * nf_tables: Add support for replacing a rule by another one
    * nf_tables: Update uapi nftables netlink header documentation

    From Florian Westphal:
    * nft_log: group is u16, snaplen u32

    From Phil Oester:
    * nf_tables: operational limit match

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
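The commit text above describes nftables as a pseudo-machine with four general-purpose 128-bit registers, one verdict register and an extensible set of expressions. The following C program is an added, constructed model of that evaluation loop, written for this page; it is not the kernel's nf_tables_core.c or nft bytecode. It implements only the immediate, payload, cmp, bitwise and counter expressions, assumes plain IPv4+TCP packets (transport base derived from IHL), and hand-assembles one rule equivalent to "ip saddr 10.0.0.0/24 tcp dport 22 counter drop" to show how a mismatch in any expression ends the rule and falls through to the next one (or the chain policy). The verdict constants mirror the kernel's uapi values; the struct, function and register names are this example's own.

```c
/* Constructed model of the nftables pseudo-machine: 4 x 128-bit GP registers,
 * one verdict register, rules as expression lists. Not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS        4
#define REGLEN       16          /* 128-bit registers */
#define REG_VERDICT  (-1)        /* the special-purpose verdict register */

enum { NFT_BREAK = -2, NFT_CONTINUE = -1, NF_DROP = 0, NF_ACCEPT = 1 };
enum op { OP_IMMEDIATE, OP_PAYLOAD, OP_CMP, OP_BITWISE, OP_COUNTER };
enum payload_base { BASE_NETWORK, BASE_TRANSPORT };

struct regs { uint8_t gp[NREGS][REGLEN]; int verdict; };

struct expr {
    enum op op;
    int sreg, dreg;                    /* source / destination register index */
    enum payload_base base;            /* OP_PAYLOAD: header the offset is relative to */
    unsigned off, len;                 /* OP_PAYLOAD offset; operand length in bytes */
    uint8_t data[REGLEN];              /* OP_IMMEDIATE value or OP_CMP constant */
    uint8_t mask[REGLEN], xor_mask[REGLEN]; /* OP_BITWISE: dreg = (sreg & mask) ^ xor */
    int verdict;                       /* OP_IMMEDIATE into REG_VERDICT */
    uint64_t *counter;                 /* OP_COUNTER: packets that reached it */
};
struct rule { const struct expr *exprs; size_t n; };

static void expr_eval(const struct expr *e, struct regs *r, const uint8_t *pkt, size_t len)
{
    switch (e->op) {
    case OP_IMMEDIATE:
        if (e->dreg == REG_VERDICT) r->verdict = e->verdict;
        else memcpy(r->gp[e->dreg], e->data, e->len);
        break;
    case OP_PAYLOAD: {
        /* transport base = end of the IPv4 header (IHL in 32-bit words) */
        size_t base = e->base == BASE_TRANSPORT ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
        if (base + e->off + e->len > len) { r->verdict = NFT_BREAK; break; } /* truncated */
        memcpy(r->gp[e->dreg], pkt + base + e->off, e->len);
        break;
    }
    case OP_CMP:   /* mismatch: stop this rule, the core moves to the next one */
        if (memcmp(r->gp[e->sreg], e->data, e->len) != 0) r->verdict = NFT_BREAK;
        break;
    case OP_BITWISE:
        for (unsigned i = 0; i < e->len; i++)
            r->gp[e->dreg][i] = (r->gp[e->sreg][i] & e->mask[i]) ^ e->xor_mask[i];
        break;
    case OP_COUNTER:
        (*e->counter)++;
        break;
    }
}

/* Rules in order; each expression runs until one sets the verdict register.
 * NFT_BREAK / NFT_CONTINUE fall through to the next rule, else the verdict wins. */
int chain_eval(const struct rule *rules, size_t nrules, const uint8_t *pkt, size_t len, int policy)
{
    for (size_t i = 0; i < nrules; i++) {
        struct regs r;
        memset(&r, 0, sizeof r);
        r.verdict = NFT_CONTINUE;
        for (size_t j = 0; j < rules[i].n && r.verdict == NFT_CONTINUE; j++)
            expr_eval(&rules[i].exprs[j], &r, pkt, len);
        if (r.verdict == NFT_BREAK || r.verdict == NFT_CONTINUE) continue;
        return r.verdict;                      /* NF_DROP or NF_ACCEPT */
    }
    return policy;
}

/* Demo rule, hand-assembled: "ip saddr 10.0.0.0/24 tcp dport 22 counter drop" */
static uint64_t ssh_drops;
static const struct expr ssh_rule_exprs[] = {
    { .op = OP_PAYLOAD,   .base = BASE_NETWORK,   .off = 12, .len = 4, .dreg = 1 }, /* saddr  */
    { .op = OP_BITWISE,   .sreg = 1, .dreg = 1, .len = 4, .mask = {255, 255, 255, 0} },
    { .op = OP_CMP,       .sreg = 1, .len = 4, .data = {10, 0, 0, 0} },
    { .op = OP_PAYLOAD,   .base = BASE_TRANSPORT, .off = 2,  .len = 2, .dreg = 2 }, /* dport  */
    { .op = OP_CMP,       .sreg = 2, .len = 2, .data = {0, 22} },
    { .op = OP_COUNTER,   .counter = &ssh_drops },
    { .op = OP_IMMEDIATE, .dreg = REG_VERDICT, .verdict = NF_DROP },
};
static const struct rule demo_chain[] = { { ssh_rule_exprs, 7 } };

/* Build a minimal constructed IPv4+TCP packet and run it through the chain. */
int demo_verdict(uint32_t saddr, uint16_t dport)
{
    uint8_t pkt[40] = {0};
    pkt[0] = 0x45;                                   /* IPv4, IHL = 5 words */
    pkt[9] = 6;                                      /* protocol: TCP */
    pkt[12] = (uint8_t)(saddr >> 24); pkt[13] = (uint8_t)(saddr >> 16);
    pkt[14] = (uint8_t)(saddr >> 8);  pkt[15] = (uint8_t)saddr;
    pkt[22] = (uint8_t)(dport >> 8);  pkt[23] = (uint8_t)dport; /* TCP dst port */
    return chain_eval(demo_chain, 1, pkt, sizeof pkt, NF_ACCEPT);
}

uint64_t demo_counter(void) { return ssh_drops; }

int main(void)
{
    printf("10.0.0.1:22  -> %s\n", demo_verdict(0x0a000001u, 22) == NF_DROP ? "drop" : "accept");
    printf("10.0.1.42:22 -> %s\n", demo_verdict(0x0a00012au, 22) == NF_DROP ? "drop" : "accept");
    printf("ssh drops counted: %llu\n", (unsigned long long)demo_counter());
    return 0;
}
```

The bitwise expression is what turns a prefix match into a register comparison: the loaded address is masked to /24 before cmp, so the same cmp expression serves any address in the subnet. Note that the counter sits after the comparisons, so it only advances for packets the whole rule matched.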
     

28 Aug, 2013

2 commits


21 Sep, 2012

2 commits

  • Combine more modules since the actual code is so small anyway that the
    kmod metadata and the module in its loaded state totally outweighs the
    combined actual code size.

    IP_NF_TARGET_REDIRECT becomes a compat option; IP6_NF_TARGET_REDIRECT
    is completely eliminated since it has not seen a release yet.

    Signed-off-by: Jan Engelhardt
    Acked-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Jan Engelhardt
     
  • Combine more modules since the actual code is so small anyway that the
    kmod metadata and the module in its loaded state totally outweighs the
    combined actual code size.

    IP_NF_TARGET_NETMAP becomes a compat option; IP6_NF_TARGET_NETMAP
    is completely eliminated since it has not seen a release yet.

    Signed-off-by: Jan Engelhardt
    Acked-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Jan Engelhardt
     

30 Aug, 2012

5 commits


09 May, 2012

1 commit

  • This patch removes ip_queue support which was marked as obsolete
    years ago. The nfnetlink_queue module provides a more advanced
    user-space packet queueing mechanism.

    This patch also removes capability code included in SELinux that
    refers to ip_queue. Otherwise, we break compilation.

    Several warnings have been sent regarding this to the mailing list
    in the past month without anyone raising a hand to stop this
    with some strong argument.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

08 Mar, 2012

1 commit


13 Dec, 2011

1 commit


23 Nov, 2010

1 commit


26 Oct, 2010

1 commit

  • One of the previous tproxy related patches split IPv6 defragmentation and
    connection tracking, but did not correctly add Kconfig stanzas to handle the
    new dependencies correctly. This patch fixes that by making the config options
    mirror the setup we have for IPv4: a distinct config option for defragmentation
    that is automatically selected by both connection tracking and
    xt_TPROXY/xt_socket.

    The patch also changes the #ifdefs enclosing IPv6 specific code in xt_socket
    and xt_TPROXY: we only compile these in case we have ip6tables support enabled.

    Signed-off-by: KOVACS Krisztian
    Signed-off-by: David S. Miller

    KOVACS Krisztian
     

21 Oct, 2010

1 commit

  • Like with IPv4, TProxy needs IPv6 defragmentation but does not
    require connection tracking. Since defragmentation was coupled
    with conntrack, I split off the two, creating an nf_defrag_ipv6 module,
    similar to the already existing nf_defrag_ipv4.

    Signed-off-by: Balazs Scheidler
    Signed-off-by: KOVACS Krisztian
    Signed-off-by: Patrick McHardy

    Balazs Scheidler
     

19 Feb, 2009

2 commits


10 Jun, 2008

1 commit


29 Jan, 2008

1 commit


07 Nov, 2007

1 commit


09 Feb, 2007

1 commit

  • This introduces a match for the Mobility Header (MH) described by the Mobile IPv6
    specification (RFC3775). The user can specify the MH type or its range to be
    matched.

    Signed-off-by: Masahide NAKAMURA
    Signed-off-by: Yasuyuki Kozakai
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Masahide NAKAMURA
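To make concrete what the MH match above has to inspect, here is an added C example (constructed for this page, not the kernel's ip6t_mh.c) that walks an IPv6 extension header chain to the Mobility Header (protocol 135), reads the MH Type field from the RFC 3775 section 6.1 layout, and applies a min/max range check with optional inversion. Assumptions: hop-by-hop (0), routing (43) and destination options (60) headers are skipped; a fragment header or any other protocol stops the walk and yields no match; as RFC 3775 requires, an MH whose Payload Proto is not 59 (no next header) is rejected. The sample packet builder and the demo wrappers are this example's own.

```c
/* Constructed parser and range match for the Mobile IPv6 Mobility Header
 * (RFC 3775, section 6.1). Not the kernel's ip6t_mh match. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN   40
#define PROTO_MH       135            /* Mobility Header protocol number */
#define PROTO_NONE     59             /* "no next header" */

/* MH Type values, RFC 3775 section 6.1.1 */
enum mh_type { MH_BRR = 0, MH_HOTI, MH_COTI, MH_HOT, MH_COT, MH_BU, MH_BA, MH_BE };

/* Offset of the Mobility Header, or -1 when absent or unreachable. */
static long find_mh(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nexthdr = pkt[6];
    size_t off = IPV6_HDR_LEN;
    for (;;) {
        if (nexthdr == PROTO_MH)                  /* need the fixed 8-byte part */
            return (off + 8 <= len) ? (long)off : -1;
        if (nexthdr != 0 && nexthdr != 43 && nexthdr != 60)
            return -1;                            /* fragment (44) or anything else */
        if (off + 2 > len)
            return -1;
        size_t extlen = ((size_t)pkt[off + 1] + 1) * 8; /* Hdr Ext Len excludes first 8 */
        nexthdr = pkt[off];
        off += extlen;
        if (off > len)
            return -1;
    }
}

/* MH Type field, or -1 if there is no (valid) Mobility Header.
 * Layout: Payload Proto(1) Header Len(1) MH Type(1) Reserved(1) Checksum(2) ... */
int mh_type_of(const uint8_t *pkt, size_t len)
{
    long off = find_mh(pkt, len);
    if (off < 0 || pkt[off] != PROTO_NONE)        /* RFC 3775: Payload Proto must be 59 */
        return -1;
    return pkt[off + 2];
}

/* True when the MH type lies in [min, max], inverted if requested.
 * A packet without an MH never matches, whatever the invert flag. */
int mh_match(const uint8_t *pkt, size_t len, uint8_t min, uint8_t max, int invert)
{
    int type = mh_type_of(pkt, len);
    if (type < 0)
        return 0;
    int in_range = (type >= min && type <= max);
    return invert ? !in_range : in_range;
}

/* Constructed IPv6 packet: optional destination options header, then an MH. */
size_t build_mh_packet(uint8_t *buf, size_t cap, int with_dstopts, uint8_t mh_type)
{
    size_t need = IPV6_HDR_LEN + (with_dstopts ? 8 : 0) + 8;
    if (cap < need)
        return 0;
    memset(buf, 0, need);
    buf[0] = 0x60;                                /* version 6 */
    buf[5] = (uint8_t)(need - IPV6_HDR_LEN);      /* payload length */
    buf[7] = 64;                                  /* hop limit */
    size_t off = IPV6_HDR_LEN;
    if (with_dstopts) {
        buf[6] = 60;                              /* next header: destination options */
        buf[off] = PROTO_MH;                      /* ...whose next header is the MH */
        buf[off + 1] = 0;                         /* ext len 0 => 8 octets */
        buf[off + 2] = 1; buf[off + 3] = 4;       /* PadN option covering the 6 remaining bytes */
        off += 8;
    } else {
        buf[6] = PROTO_MH;
    }
    buf[off] = PROTO_NONE;                        /* MH Payload Proto */
    buf[off + 1] = 0;                             /* MH Header Len 0 => 8 octets */
    buf[off + 2] = mh_type;
    return need;
}

/* Demo wrappers: build a packet, optionally truncate it, and query it. */
int mh_demo_type(int with_dstopts, uint8_t mh_type, size_t truncate_to)
{
    uint8_t buf[64];
    size_t n = build_mh_packet(buf, sizeof buf, with_dstopts, mh_type);
    if (truncate_to && truncate_to < n)
        n = truncate_to;
    return mh_type_of(buf, n);
}

int mh_demo_match(int with_dstopts, uint8_t mh_type, uint8_t min, uint8_t max, int invert)
{
    uint8_t buf[64];
    size_t n = build_mh_packet(buf, sizeof buf, with_dstopts, mh_type);
    return mh_match(buf, n, min, max, invert);
}

int main(void)
{
    printf("BU behind dstopts: type %d, matches BU..BA: %d\n",
           mh_demo_type(1, MH_BU, 0), mh_demo_match(1, MH_BU, MH_BU, MH_BA, 0));
    printf("truncated packet: type %d\n", mh_demo_type(1, MH_BU, 52));
    return 0;
}
```

The two guards worth noticing from a defensive standpoint are the bounds checks before every header read (a truncated packet yields "no MH" rather than an out-of-bounds read) and the refusal to match on a fragment header, since the MH type of a non-first fragment cannot be determined from that fragment alone.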
     

23 Sep, 2006

1 commit


01 Apr, 2006

2 commits


21 Mar, 2006

1 commit