12 Nov, 2014

1 commit

  • warning: (NETFILTER_XT_TARGET_REDIRECT) selects NF_NAT_REDIRECT_IPV4 which has unmet direct dependencies (NET && INET && NETFILTER && NF_NAT_IPV4)

    warning: (NETFILTER_XT_TARGET_REDIRECT) selects NF_NAT_REDIRECT_IPV6 which has unmet direct dependencies (NET && INET && IPV6 && NETFILTER && NF_NAT_IPV6)

    Fixes: 8b13edd ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables")
    Fixes: 9de920e ("netfilter: refactor NAT redirect IPv6 code to use it from nf_tables")
    Reported-by: kbuild test robot
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

27 Sep, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    nf pull request for net

    This series contains netfilter fixes for net, they are:

    1) Fix lockdep splat in nft_hash when releasing sets from the
    rcu_callback context. We don't hold the mutex there anymore.

    2) Remove unnecessary spinlock_bh in the destroy path of the nf_tables
    rbtree set type from rcu_callback context.

    3) Fix another lockdep splat in rhashtable. None of the callers hold
    a mutex when calling rhashtable_destroy.

    4) Fix duplicated error reporting from nfnetlink when aborting and
    replaying a batch.

    5) Fix a Kconfig issue reported by kbuild robot.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

11 Sep, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    nf-next pull request

    The following patchset contains Netfilter/IPVS updates for your
    net-next tree. Regarding nf_tables, most updates focus on consolidating
    the NAT infrastructure and adding support for masquerading. More
    specifically, they are:

    1) use __u8 instead of u_int8_t in arptables header, from
    Mike Frysinger.

    2) Add support to match by skb->pkttype to the meta expression, from
    Ana Rey.

    3) Add support to match by cpu to the meta expression, also from
    Ana Rey.

    4) A smatch warning about IPSET_ATTR_MARKMASK validation, patch from
    Vytas Dauksa.

    5) Fix netnet and netportnet hash types the range support for IPv4,
    from Sergey Popovich.

    6) Fix missing-field-initializer warnings resolved, from Mark Rustad.

    7) Dan Carpenter reported possible integer overflows in ipset, from
    Jozsef Kadlecsik.

    8) Filter out accounting objects in nfacct by type, so you can
    selectively reset quotas, from Alexey Perevalov.

    9) Move specific NAT IPv4 functions to the core so x_tables and
    nf_tables can share the same NAT IPv4 engine.

    10) Use the new NAT IPv4 functions from nft_chain_nat_ipv4.

    11) Move specific NAT IPv6 functions to the core so x_tables and
    nf_tables can share the same NAT IPv4 engine.

    12) Use the new NAT IPv6 functions from nft_chain_nat_ipv6.

    13) Refactor code to add nft_delrule(), which can be reused in the
    enhancement of the NFT_MSG_DELTABLE to remove a table and its
    content, from Arturo Borrero.

    14) Add a helper function to unregister chain hooks, from
    Arturo Borrero.

    15) A cleanup to rename to nft_delrule_by_chain for consistency with
    the new nft_*() functions, also from Arturo.

    16) Add support to match devgroup to the meta expression, from Ana Rey.

    17) Reduce stack usage for IPVS socket option, from Julian Anastasov.

    18) Remove unnecessary textsearch state initialization in xt_string,
    from Bojan Prtvar.

    19) Add several helper functions to nf_tables, more work to prepare
    the enhancement of NFT_MSG_DELTABLE, again from Arturo Borrero.

    20) Enhance NFT_MSG_DELTABLE to delete a table and its content, from
    Arturo Borrero.

    21) Support NAT flags in the nat expression to indicate the flavour,
    e.g. random fully, from Arturo.

    22) Add missing audit code to ebtables when replacing tables, from
    Nicolas Dichtel.

    23) Generalize the IPv4 masquerading code to allow its re-use from
    nf_tables, from Arturo.

    24) Generalize the IPv6 masquerading code, also from Arturo.

    25) Add the new masq expression to support IPv4/IPv6 masquerading
    from nf_tables, also from Arturo.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

07 Sep, 2014

1 commit

  • CONFIG_IPV6=m
    CONFIG_NETFILTER_XT_TARGET_TPROXY=y

    net/built-in.o: In function `nf_tproxy_get_sock_v6.constprop.11':
    >> xt_TPROXY.c:(.text+0x583a1): undefined reference to `udp6_lib_lookup'
    net/built-in.o: In function `tproxy_tg_init':
    >> xt_TPROXY.c:(.init.text+0x1dc3): undefined reference to `nf_defrag_ipv6_enable'

    This fix is similar to 1a5bbfc ("netfilter: Fix build errors with
    xt_socket.c").

    Reported-by: kbuild test robot
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

06 Sep, 2014

1 commit

  • Paul Bolle reports that 'select NETFILTER_XT_NAT' from the IPV4 and IPV6
    NAT tables becomes noop since there is no Kconfig switch for it. Add the
    Kconfig switch to resolve this problem.

    Fixes: 8993cf8 ("netfilter: move NAT Kconfig switches out of the iptables scope")
    Reported-by: Paul Bolle
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

    Pablo Neira Ayuso
     

01 Sep, 2014

1 commit

  • CONFIG_NETFILTER_XT_TARGET_LOG is not selected anymore when jumping
    from 3.16 to 3.17-rc1 if you don't set on the new NF_LOG_IPV4 and
    NF_LOG_IPV6 switches.

    Change this to select the three new symbols NF_LOG_COMMON, NF_LOG_IPV4
    and NF_LOG_IPV6 instead, so NETFILTER_XT_TARGET_LOG remains enabled
    when moving from old to new kernels.

    Reported-by: Rafał Miłecki
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

29 Jun, 2014

1 commit

  • warning: (NETFILTER_XT_TARGET_LOG) selects NF_LOG_IPV6 which has unmet direct dependencies (NET && INET && IPV6 && NETFILTER && IP6_NF_IPTABLES && NETFILTER_ADVANCED)
    warning: (NF_LOG_IPV4 && NF_LOG_IPV6) selects NF_LOG_COMMON which has unmet direct dependencies (NET && INET && NETFILTER && NF_CONNTRACK)

    Fixes: 83e96d4 ("netfilter: log: split family specific code to nf_log_{ip,ip6,common}.c files")
    Reported-by: Fengguang Wu
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

27 Jun, 2014

1 commit

  • The plain text logging is currently embedded into the xt_LOG target.
    In order to be able to use the plain text logging from nft_log, as a
    first step, this patch moves the family specific code to the following
    files and Kconfig symbols:

    1) net/ipv4/netfilter/nf_log_ip.c: CONFIG_NF_LOG_IPV4
    2) net/ipv6/netfilter/nf_log_ip6.c: CONFIG_NF_LOG_IPV6
    3) net/netfilter/nf_log_common.c: CONFIG_NF_LOG_COMMON

    These new modules will be required by xt_LOG and nft_log. This patch
    is based on original patch from Arturo Borrero Gonzalez.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

17 Jan, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    This small batch contains several Netfilter fixes for your net-next
    tree, more specifically:

    * Fix compilation warning in nft_ct if NF_CONNTRACK_MARK is not set,
    from Kristian Evensen.

    * Add dependency to IPV6 for NF_TABLES_INET. This one has been reported
    by the several robots that are testing .config combinations, from Paul
    Gortmaker.

    * Fix default base chain policy setting in nf_tables, from myself.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

14 Jan, 2014

1 commit

  • Commit 1d49144c0aa ("netfilter: nf_tables: add "inet" table for
    IPv4/IPv6") allows creation of non-IPV6 enabled .config files that
    will fail to configure/link as follows:

    warning: (NF_TABLES_INET) selects NF_TABLES_IPV6 which has unmet direct dependencies (NET && INET && IPV6 && NETFILTER && NF_TABLES)
    warning: (NF_TABLES_INET) selects NF_TABLES_IPV6 which has unmet direct dependencies (NET && INET && IPV6 && NETFILTER && NF_TABLES)
    warning: (NF_TABLES_INET) selects NF_TABLES_IPV6 which has unmet direct dependencies (NET && INET && IPV6 && NETFILTER && NF_TABLES)
    net/built-in.o: In function `nft_reject_eval':
    nft_reject.c:(.text+0x651e8): undefined reference to `nf_ip6_checksum'
    nft_reject.c:(.text+0x65270): undefined reference to `ip6_route_output'
    nft_reject.c:(.text+0x656c4): undefined reference to `ip6_dst_hoplimit'
    make: *** [vmlinux] Error 1

    Since the feature is to allow for a mixed IPV4 and IPV6 table, it
    seems sensible to make it depend on IPV6.

    Signed-off-by: Paul Gortmaker
    Acked-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Paul Gortmaker
     

10 Jan, 2014

1 commit

  • Introduce an xtables add-on for matching L2TP packets. Supports L2TPv2
    and L2TPv3 over IPv4 and IPv6. As well as filtering on L2TP tunnel-id
    and session-id, the filtering decision can also include the L2TP
    packet type (control or data), protocol version (2 or 3) and
    encapsulation type (UDP or IP).

    The most common use for this will likely be to filter L2TP data
    packets of individual L2TP tunnels or sessions. While a u32 match can
    be used, the L2TP protocol headers are such that field offsets differ
    depending on bits set in the header, making rules for matching generic
    L2TP connections cumbersome. This match extension takes care of all
    that.

    Signed-off-by: James Chapman
    Signed-off-by: Pablo Neira Ayuso

    James Chapman
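The header decoding that such a match has to do, as an added Python example (not the xt_l2tp module's code): it walks the L2TPv2 and L2TPv3 headers, shows how the Tunnel ID offset moves when the L bit is set (the reason a fixed-offset u32 rule is cumbersome), and applies the same tunnel-id / session-id / packet-type / version criteria. The sample payloads are constructed; the v3-over-IP branch assumes the RFC 3931 layout with a leading 32-bit Session ID where zero marks a control message.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# L2TPv2 flag bits in the first 16-bit word (RFC 2661): T=control, L=length present,
# S=sequence numbers present, O=offset present; the low nibble is the version.
T_BIT, L_BIT, S_BIT, O_BIT, VER_MASK = 0x8000, 0x4000, 0x0800, 0x0200, 0x000F


@dataclass
class L2tpHeader:
    version: int
    ptype: str                  # "control" or "data"
    tunnel_id: Optional[int]    # v2 Tunnel ID, or v3 Control Connection ID
    session_id: Optional[int]
    encap: str                  # "udp" or "ip"


def v2_tunnel_id_offset(flags: int) -> int:
    """Where the v2 Tunnel ID sits: the L bit inserts a Length word before it,
    which is exactly what makes a fixed-offset u32 rule awkward."""
    return 4 if flags & L_BIT else 2


def parse_l2tp(payload: bytes, encap: str = "udp") -> Optional[L2tpHeader]:
    """Decode the fields the match needs; None means 'not an L2TP header we understand'."""
    if encap == "ip":
        # L2TPv3 directly over IP (RFC 3931): a 32-bit Session ID comes first,
        # and the value zero marks a control message whose header follows.
        if len(payload) < 4:
            return None
        sid = struct.unpack("!I", payload[:4])[0]
        if sid != 0:
            return L2tpHeader(3, "data", None, sid, encap)
        payload = payload[4:]
    if len(payload) < 2:
        return None
    flags = struct.unpack("!H", payload[:2])[0]
    version = flags & VER_MASK
    ptype = "control" if flags & T_BIT else "data"
    if version == 2:
        off = v2_tunnel_id_offset(flags)
        if len(payload) < off + 4:
            return None
        tid, sid = struct.unpack("!HH", payload[off:off + 4])
        return L2tpHeader(2, ptype, tid, sid, encap)
    if version == 3:
        if len(payload) < 8:
            return None
        ident = struct.unpack("!I", payload[4:8])[0]
        if ptype == "control":
            # flags/ver, Length, then the 32-bit Control Connection ID
            return L2tpHeader(3, ptype, ident, None, encap)
        # data over UDP: flags/ver, 16 reserved bits, then the 32-bit Session ID
        return L2tpHeader(3, ptype, None, ident, encap)
    return None


def l2tp_match(hdr: Optional[L2tpHeader], **criteria) -> bool:
    """Rule semantics: every criterion given (tid, sid, ptype, version) must hold."""
    if hdr is None:
        return False
    fields = {"tid": hdr.tunnel_id, "sid": hdr.session_id,
              "ptype": hdr.ptype, "version": hdr.version}
    return all(fields[key] == value for key, value in criteria.items())


# Constructed sample payloads (UDP payload unless noted); tunnel 5 / session 9 for v2.
SAMPLES = {
    "v2 data, no options": bytes.fromhex("0002" "0005" "0009") + b"PPP",
    "v2 data, L and S set": bytes.fromhex("4802" "0012" "0005" "0009" "0001" "0002") + b"PPP",
    "v2 control": bytes.fromhex("c802" "0014" "0005" "0000" "0000" "0000") + b"AVP",
    "v3 data over UDP": bytes.fromhex("0003" "0000" "00001234") + b"PPP",
    "v3 data over IP": bytes.fromhex("00001234") + b"PPP",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        hdr = parse_l2tp(raw, "ip" if "over IP" in name else "udp")
        print(f"{name:24s} -> {hdr}  matches tunnel 5 data: "
              f"{l2tp_match(hdr, tid=5, ptype='data')}")
```

The two v2 data samples carry the same tunnel and session ids, yet the ids sit two bytes further in when the Length word is present; a rule that wants "tunnel 5, data packets" has to branch on the L bit, which is what the match extension hides.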
     

07 Jan, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    nftables updates for net-next

    The following patchset contains nftables updates for your net-next tree,
    they are:

    * Add set operation to the meta expression by means of the select_ops()
    infrastructure, this allows us to set the packet mark among other things.
    From Arturo Borrero Gonzalez.

    * Fix wrong format in sscanf in nf_tables_set_alloc_name(), from Daniel
    Borkmann.

    * Add new queue expression to nf_tables. This comes with two previous patches
    to prepare this new feature, one to add mask in nf_tables_core to
    evaluate the queue verdict appropriately and another to refactor common
    code with xt_NFQUEUE, from Eric Leblond.

    * Do not hide nftables from Kconfig if nfnetlink is not enabled, also from
    Eric Leblond.

    * Add the reject expression to nf_tables, this adds the missing TCP RST
    support. It comes with an initial patch to refactor common code with
    xt_NFQUEUE, again from Eric Leblond.

    * Remove an unused variable assignment in nf_tables_dump_set(), from Michal
    Nazarewicz.

    * Remove the nft_meta_target code, now that Arturo added the set operation
    to the meta expression, from me.

    * Add help information for nf_tables to Kconfig, also from me.

    * Allow to dump all sets by specifying NFPROTO_UNSPEC, similar feature is
    available to other nf_tables objects, requested by Arturo, from me.

    * Expose the table usage counter, so we can know how many chains are using
    this table without dumping the list of chains, from Tomasz Bursztyka.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

04 Jan, 2014

1 commit

  • It would be useful e.g. in a server or desktop environment to have
    a facility in the notion of fine-grained "per application" or "per
    application group" firewall policies. Probably, users in the mobile,
    embedded area (e.g. Android based) with different security policy
    requirements for application groups could have great benefit from
    that as well. For example, with a little bit of configuration effort,
    an admin could whitelist well-known applications, and thus block
    otherwise unwanted "hard-to-track" applications like [1] from a
    user's machine. Blocking is just one example, but it is not limited
    to that, meaning we can have much different scenarios/policies that
    netfilter allows us than just blocking, e.g. fine grained settings
    where applications are allowed to connect/send traffic to, application
    traffic marking/conntracking, application-specific packet mangling,
    and so on.

    Implementation of PID-based matching would not be appropriate
    as they frequently change, and child tracking would make that
    even more complex and ugly. Cgroups would be a perfect candidate
    for accomplishing that as they associate a set of tasks with a
    set of parameters for one or more subsystems, in our case the
    netfilter subsystem, which, of course, can be combined with other
    cgroup subsystems into something more complex if needed.

    As mentioned, to overcome this constraint, such processes could
    be placed into one or multiple cgroups where different fine-grained
    rules can be defined depending on the application scenario, while
    e.g. everything else that is not part of that could be dropped (or
    vice versa), thus making life harder for unwanted processes to
    communicate to the outside world. So, we make use of cgroups here
    to track jobs and limit their resources in terms of iptables
    policies; in other words, limiting, tracking, etc what they are
    allowed to communicate.

    In our case we're working on outgoing traffic based on which local
    socket that originated from. Also, one doesn't even need to have
    an a priori knowledge of the application internals regarding their
    particular use of ports or protocols. Matching is *extremely*
    lightweight as we just test for the sk_classid marker of sockets,
    originating from net_cls. net_cls and netfilter do not contradict
    each other; in fact, each construct can live as standalone or they
    can be used in combination with each other, which is perfectly fine,
    plus it serves Tejun's requirement to not introduce a new cgroups
    subsystem. Through this, we result in a very minimal and efficient
    module, and don't add anything except netfilter code.

    One possible, minimal usage example (many other iptables options
    can be applied obviously):

    1) Configuring cgroups if not already done, e.g.:

    mkdir /sys/fs/cgroup/net_cls
    mount -t cgroup -o net_cls net_cls /sys/fs/cgroup/net_cls
    mkdir /sys/fs/cgroup/net_cls/0
    echo 1 > /sys/fs/cgroup/net_cls/0/net_cls.classid
    (resp. a real flow handle id for tc)

    2) Configuring netfilter (iptables-nftables), e.g.:

    iptables -A OUTPUT -m cgroup ! --cgroup 1 -j DROP

    3) Running applications, e.g.:

    ping 208.67.222.222
    echo 1799 > /sys/fs/cgroup/net_cls/0/tasks
    64 bytes from 208.67.222.222: icmp_seq=44 ttl=49 time=11.9 ms
    [...]
    ping 208.67.220.220
    ping: sendmsg: Operation not permitted
    [...]
    echo 1804 > /sys/fs/cgroup/net_cls/0/tasks
    64 bytes from 208.67.220.220: icmp_seq=89 ttl=56 time=19.0 ms
    [...]

    Of course, real-world deployments would make use of cgroups user
    space toolsuite, or own custom policy daemons dynamically moving
    applications from/to various cgroups.

    [1] http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf

    Signed-off-by: Daniel Borkmann
    Cc: Tejun Heo
    Cc: cgroups@vger.kernel.org
    Acked-by: Li Zefan
    Signed-off-by: Pablo Neira Ayuso

    Daniel Borkmann
     

31 Dec, 2013

1 commit

  • This patch moves nft_reject_ipv4 to nft_reject and adds support
    for IPv6 protocol. This patch uses functions included in nf_reject.h
    to implement reject by TCP reset.

    The code has to be built as a module if NF_TABLES_IPV6 is also a
    module to avoid compilation error due to usage of IPv6 functions.
    This has been done in Kconfig by using the construct:

    depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6

    This seems a bit weird in terms of syntax but works perfectly.

    Signed-off-by: Eric Leblond
    Signed-off-by: Pablo Neira Ayuso

    Eric Leblond
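Why `depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6` works, and why the "selects X which has unmet direct dependencies" warnings in the earlier fix commits (NF_TABLES_INET, NF_LOG_*, NF_NAT_REDIRECT_*) appear, both follow from Kconfig's tristate arithmetic. The following is an added Python model of that arithmetic, not the kconfig tool's own code: n/m/y are ordered 0/1/2, `&&` is min, `||` is max and `!` is y minus the value, so `!m` is still `m`. The `check_select` rule (warn when the selecting symbol's value is stronger than the target's direct dependencies allow) and the warning text are modelled on the messages quoted on this page; real kconfig has more cases than this.

```python
import re
from typing import Dict, List, Optional

N, M, Y = 0, 1, 2                       # tristate values, ordered n < m < y
NAME = {N: "n", M: "m", Y: "y"}
TOKEN = re.compile(r"\s*(\|\||&&|!|\(|\)|[A-Za-z0-9_]+)")


def tokenize(expr: str) -> List[str]:
    out, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class Parser:
    """Recursive-descent evaluator for Kconfig dependency expressions over tristates."""

    def __init__(self, expr: str, config: Dict[str, int]):
        self.toks, self.i, self.config = tokenize(expr), 0, config

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self) -> int:              # A || B  ->  max(A, B)
        val = self.parse_and()
        while self.peek() == "||":
            self.take()
            val = max(val, self.parse_and())
        return val

    def parse_and(self) -> int:             # A && B  ->  min(A, B)
        val = self.parse_not()
        while self.peek() == "&&":
            self.take()
            val = min(val, self.parse_not())
        return val

    def parse_not(self) -> int:             # !A  ->  y - A, so !m is still m
        tok = self.take()
        if tok == "!":
            return Y - self.parse_not()
        if tok == "(":
            val = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return val
        return self.config.get(tok, N)      # a symbol absent from .config is n


def evaluate(expr: str, config: Dict[str, int]) -> int:
    parser = Parser(expr, config)
    val = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return val


def effective_value(wanted: int, depends_on: str, config: Dict[str, int]) -> int:
    """'depends on' caps what the user may choose at the value of the expression."""
    return min(wanted, evaluate(depends_on, config))


def check_select(selector: str, selector_value: int, target: str,
                 target_depends_on: str, config: Dict[str, int]) -> Optional[str]:
    """'select' forces the target on whatever its own dependencies say; kconfig warns
    when that forced value exceeds what the target's direct dependencies allow."""
    if selector_value > evaluate(target_depends_on, config):
        return (f"warning: ({selector}) selects {target} which has unmet direct "
                f"dependencies ({target_depends_on})")
    return None


if __name__ == "__main__":
    # 'depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6': only the m case caps the result at m
    for value in (N, M, Y):
        cap = effective_value(Y, "NF_TABLES_IPV6 || !NF_TABLES_IPV6", {"NF_TABLES_IPV6": value})
        print(f"NF_TABLES_IPV6={NAME[value]} -> nft_reject may be at most {NAME[cap]}")
    # the NF_TABLES_INET warning: a config with IPv6 switched off
    cfg = {"NET": Y, "INET": Y, "NETFILTER": Y, "NF_TABLES": Y, "IPV6": N}
    print(check_select("NF_TABLES_INET", Y, "NF_TABLES_IPV6",
                       "NET && INET && IPV6 && NETFILTER && NF_TABLES", cfg))
```

With NF_TABLES_IPV6=m the expression evaluates to max(m, m) = m, so the dependant is capped at m and can only be a module, which is what avoids the link error; with y or n it evaluates to y and imposes no limit. The `select` case is the opposite problem: a `select` ignores the target's `depends on`, so the warning is the only signal that the forced value cannot actually be built.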
     

29 Dec, 2013

1 commit

  • In Kconfig, nf_tables depends on NFNETLINK so building nf_tables as
    a module or inside kernel depends on the state of NFNETLINK inside
    the kernel config. If someone wants to build nf_tables inside the
    kernel, it is necessary to also build NFNETLINK inside the kernel.
    But NFNETLINK can not be set in the menu so it is necessary to
    toggle other nfnetlink subsystems such as logging and nfacct to see
    the nf_tables switch.

    This patch changes the dependency from 'depend' to 'select' inside
    Kconfig to allow to set the build of nftables as modules or inside
    kernel independently.

    Signed-off-by: Eric Leblond
    Signed-off-by: Pablo Neira Ayuso

    Eric Leblond
     

24 Dec, 2013

1 commit

  • With this plugin, the user can specify that IPComp packets tagged with a
    certain CPI the host is not interested in will be DROPped, or any other action.

    For example:
    iptables -A INPUT -p 108 -m ipcomp --ipcompspi 0x87 -j DROP
    ip6tables -A INPUT -p 108 -m ipcomp --ipcompspi 0x87 -j DROP

    Then input IPComp packets with CPI equal to 0x87 will not reach the
    upper layer anymore.

    Signed-off-by: Fan Du
    Signed-off-by: Pablo Neira Ayuso

    fan.du
     

08 Dec, 2013

1 commit

  • This patch adds a new nft module named "nft_queue" which provides
    a new nftables expression that allows you to enqueue packets to
    userspace via the nfnetlink_queue subsystem. It provides the same
    level of functionality as NFQUEUE and it shares some code with it.

    Signed-off-by: Eric Leblond
    Signed-off-by: Pablo Neira Ayuso

    Eric Leblond
     

14 Nov, 2013

1 commit

  • Under Core Netfilter Configuration, connlimit match support has
    an extra double quote at the end of it.

    Fixes a portion of kernel bugzilla #52671:
    https://bugzilla.kernel.org/show_bug.cgi?id=52671

    Signed-off-by: Randy Dunlap
    Reported-by: lailavrazda1979@gmail.com
    Signed-off-by: Pablo Neira Ayuso

    Randy Dunlap
     

15 Oct, 2013

2 commits

  • This patch generalizes the NAT expression to support both IPv4 and IPv6
    using the existing IPv4/IPv6 NAT infrastructure. This also adds the
    NAT chain type for IPv6.

    This patch collapses the following patches that were posted to the
    netfilter-devel mailing list, from Tomasz:

    * nf_tables: Change NFTA_NAT_ attributes to better semantic significance
    * nf_tables: Split IPv4 NAT into NAT expression and IPv4 NAT chain
    * nf_tables: Add support for IPv6 NAT expression
    * nf_tables: Add support for IPv6 NAT chain
    * nf_tables: Fix up build issue on IPv6 NAT support

    And, from Pablo Neira Ayuso:

    * fix missing dependencies in nft_chain_nat

    Signed-off-by: Tomasz Bursztyka
    Signed-off-by: Pablo Neira Ayuso

    Tomasz Bursztyka
     
  • This patch adds the x_tables compatibility layer. This allows you
    to use existing x_tables matches and targets from nf_tables.

    This compatibility layer allows us to use existing matches/targets
    for features that are still missing in nf_tables. We can progressively
    replace them with native nf_tables extensions. It also provides the
    userspace compatibility software that allows you to express the
    rule-set using the iptables syntax but using the nf_tables kernel
    components.

    In order to get this compatibility layer working, I've done the
    following things:

    * add NFNL_SUBSYS_NFT_COMPAT: this new nfnetlink subsystem is used
    to query the x_tables match/target revision, so we don't need to
    use the native x_table getsockopt interface.

    * emulate xt structures: this required extending the struct nft_pktinfo
    to include the fragment offset, which is already obtained from
    ip[6]_tables and that is used by some matches/targets.

    * add support for default policy to base chains, required to emulate
    x_tables.

    * add NFTA_CHAIN_USE attribute to obtain the number of references to
    chains, required by x_tables emulation.

    * add chain packet/byte counters using per-cpu.

    * support 32-64 bits compat.

    For historical reasons, this patch includes the following patches
    that were posted in the netfilter-devel mailing list.

    From Pablo Neira Ayuso:
    * nf_tables: add default policy to base chains
    * netfilter: nf_tables: add NFTA_CHAIN_USE attribute
    * nf_tables: nft_compat: private data of target and matches in contiguous area
    * nf_tables: validate hooks for compat match/target
    * nf_tables: nft_compat: release cached matches/targets
    * nf_tables: x_tables support as a compile time option
    * nf_tables: fix alias for xtables over nftables module
    * nf_tables: add packet and byte counters per chain
    * nf_tables: fix per-chain counter stats if no counters are passed
    * nf_tables: don't bump chain stats
    * nf_tables: add protocol and flags for xtables over nf_tables
    * nf_tables: add ip[6]t_entry emulation
    * nf_tables: move specific layer 3 compat code to nf_tables_ipv[4|6]
    * nf_tables: support 32bits-64bits x_tables compat
    * nf_tables: fix compilation if CONFIG_COMPAT is disabled

    From Patrick McHardy:
    * nf_tables: move policy to struct nft_base_chain
    * nf_tables: send notifications for base chain policy changes

    From Alexander Primak:
    * nf_tables: remove the duplicate NF_INET_LOCAL_OUT

    From Nicolas Dichtel:
    * nf_tables: fix compilation when nf-netlink is a module

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

14 Oct, 2013

2 commits

  • This patch adds the new netlink API for maintaining nf_tables sets
    independently of the ruleset. The API supports the following operations:

    - creation of sets
    - deletion of sets
    - querying of specific sets
    - dumping of all sets

    - addition of set elements
    - removal of set elements
    - dumping of all set elements

    Sets are identified by name, each table defines an individual namespace.
    The name of a set may be allocated automatically, this is mostly useful
    in combination with the NFT_SET_ANONYMOUS flag, which destroys a set
    automatically once the last reference has been released.

    Sets can be marked constant, meaning they're not allowed to change while
    linked to a rule. This allows to perform lockless operation for set
    types that would otherwise require locking.

    Additionally, if the implementation supports it, sets can (as before) be
    used as maps, associating a data value with each key (or range), by
    specifying the NFT_SET_MAP flag and can be used for interval queries by
    specifying the NFT_SET_INTERVAL flag.

    Set elements are added and removed incrementally. All element operations
    support batching, reducing netlink message and set lookup overhead.

    The old "set" and "hash" expressions are replaced by a generic "lookup"
    expression, which binds to the specified set. Userspace is not aware
    of the actual set implementation used by the kernel anymore, all
    configuration options are generic.

    Currently the implementation selection logic is largely missing and the
    kernel will simply use the first registered implementation supporting the
    requested operation. Eventually, the plan is to have userspace supply a
    description of the data characteristics and select the implementation
    based on expected performance and memory use.

    This patch includes the new 'lookup' expression to look up for element
    matching in the set.

    This patch includes kernel-doc descriptions for this set API and it
    also includes the following fixes.

    From Patrick McHardy:
    * netfilter: nf_tables: fix set element data type in dumps
    * netfilter: nf_tables: fix indentation of struct nft_set_elem comments
    * netfilter: nf_tables: fix oops in nft_validate_data_load()
    * netfilter: nf_tables: fix oops while listing sets of built-in tables
    * netfilter: nf_tables: destroy anonymous sets immediately if binding fails
    * netfilter: nf_tables: propagate context to set iter callback
    * netfilter: nf_tables: add loop detection

    From Pablo Neira Ayuso:
    * netfilter: nf_tables: allow to dump all existing sets
    * netfilter: nf_tables: fix wrong type for flags variable in newelem

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     
  • This patch adds nftables which is the intended successor of iptables.
    This packet filtering framework reuses the existing netfilter hooks,
    the connection tracking system, the NAT subsystem, the transparent
    proxying engine, the logging infrastructure and the userspace packet
    queueing facilities.

    In a nutshell, nftables provides a pseudo-state machine with 4 general
    purpose registers of 128 bits and 1 specific purpose register to store
    verdicts. This pseudo-machine comes with an extensible instruction set,
    a.k.a. "expressions" in the nftables jargon. The expressions included
    in this patch provide the basic functionality, they are:

    * bitwise: to perform bitwise operations.
    * byteorder: to change from host/network endianness.
    * cmp: to compare data with the content of the registers.
    * counter: to enable counters on rules.
    * ct: to store conntrack keys into register.
    * exthdr: to match IPv6 extension headers.
    * immediate: to load data into registers.
    * limit: to limit matching based on packet rate.
    * log: to log packets.
    * meta: to match metainformation that usually comes with the skbuff.
    * nat: to perform Network Address Translation.
    * payload: to fetch data from the packet payload and store it into
    registers.
    * reject (IPv4 only): to explicitly close connection, e.g. TCP RST.

    Using this instruction-set, the userspace utility 'nft' can transform
    the rules expressed in human-readable text representation (using a
    new syntax, inspired by tcpdump) to nftables bytecode.

    nftables also inherits the table, chain and rule objects from
    iptables, but in a more configurable way, and it also includes the
    original datatype-agnostic set infrastructure with mapping support.
    This set infrastructure is enhanced in the follow up patch (netfilter:
    nf_tables: add netlink set API).

    This patch includes the following components:

    * the netlink API: net/netfilter/nf_tables_api.c and
    include/uapi/netfilter/nf_tables.h
    * the packet filter core: net/netfilter/nf_tables_core.c
    * the expressions (described above): net/netfilter/nft_*.c
    * the filter tables: arp, IPv4, IPv6 and bridge:
    net/ipv4/netfilter/nf_tables_ipv4.c
    net/ipv6/netfilter/nf_tables_ipv6.c
    net/ipv4/netfilter/nf_tables_arp.c
    net/bridge/netfilter/nf_tables_bridge.c
    * the NAT table (IPv4 only):
    net/ipv4/netfilter/nf_table_nat_ipv4.c
    * the route table (similar to mangle):
    net/ipv4/netfilter/nf_table_route_ipv4.c
    net/ipv6/netfilter/nf_table_route_ipv6.c
    * internal definitions under:
    include/net/netfilter/nf_tables.h
    include/net/netfilter/nf_tables_core.h
    * It also includes a skeleton expression:
    net/netfilter/nft_expr_template.c
    and the preliminary implementation of the meta target
    net/netfilter/nft_meta_target.c

    It also includes a change in struct nf_hook_ops to add a new
    pointer to store private data to the hook, that is used to store
    the rule list per chain.

    This patch is based on the patch from Patrick McHardy, plus merged
    accumulated cleanups, fixes and small enhancements to the nftables
    code that has been done since 2009, which are:

    From Patrick McHardy:
    * nf_tables: adjust netlink handler function signatures
    * nf_tables: only retry table lookup after successful table module load
    * nf_tables: fix event notification echo and avoid unnecessary messages
    * nft_ct: add l3proto support
    * nf_tables: pass expression context to nft_validate_data_load()
    * nf_tables: remove redundant definition
    * nft_ct: fix maxattr initialization
    * nf_tables: fix invalid event type in nf_tables_getrule()
    * nf_tables: simplify nft_data_init() usage
    * nf_tables: build in more core modules
    * nf_tables: fix double lookup expression unregistration
    * nf_tables: move expression initialization to nf_tables_core.c
    * nf_tables: build in payload module
    * nf_tables: use NFPROTO constants
    * nf_tables: rename pid variables to portid
    * nf_tables: save 48 bits per rule
    * nf_tables: introduce chain rename
    * nf_tables: check for duplicate names on chain rename
    * nf_tables: remove ability to specify handles for new rules
    * nf_tables: return error for rule change request
    * nf_tables: return error for NLM_F_REPLACE without rule handle
    * nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
    * nf_tables: fix NLM_F_MULTI usage in netlink notifications
    * nf_tables: include NLM_F_APPEND in rule dumps

    From Pablo Neira Ayuso:
    * nf_tables: fix stack overflow in nf_tables_newrule
    * nf_tables: nft_ct: fix compilation warning
    * nf_tables: nft_ct: fix crash with invalid packets
    * nft_log: group and qthreshold are 2^16
    * nf_tables: nft_meta: fix socket uid,gid handling
    * nft_counter: allow to restore counters
    * nf_tables: fix module autoload
    * nf_tables: allow to remove all rules placed in one chain
    * nf_tables: use 64-bits rule handle instead of 16-bits
    * nf_tables: fix chain after rule deletion
    * nf_tables: improve deletion performance
    * nf_tables: add missing code in route chain type
    * nf_tables: rise maximum number of expressions from 12 to 128
    * nf_tables: don't delete table if in use
    * nf_tables: fix basechain release

    From Tomasz Bursztyka:
    * nf_tables: Add support for changing users chain's name
    * nf_tables: Change chain's name to be fixed sized
    * nf_tables: Add support for replacing a rule by another one
    * nf_tables: Update uapi nftables netlink header documentation

    From Florian Westphal:
    * nft_log: group is u16, snaplen u32

    From Phil Oester:
    * nf_tables: operational limit match

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     

06 Sep, 2013

1 commit

  • As reported by Randy Dunlap:

    ====================
    when CONFIG_IPV6=m
    and CONFIG_NETFILTER_XT_MATCH_SOCKET=y:

    net/built-in.o: In function `socket_mt6_v1_v2':
    xt_socket.c:(.text+0x51b55): undefined reference to `udp6_lib_lookup'
    net/built-in.o: In function `socket_mt_init':
    xt_socket.c:(.init.text+0x1ef8): undefined reference to `nf_defrag_ipv6_enable'
    ====================

    Like several other modules under net/netfilter/ we have to
    have a dependency "IPV6 disabled or set compatibly with this
    module" clause.

    Reported-by: Randy Dunlap
    Signed-off-by: David S. Miller

    David S. Miller
     

28 Aug, 2013

1 commit

  • Add a SYNPROXY for netfilter. The code is split into two parts, the synproxy
    core with common functions and an address family specific target.

    The SYNPROXY receives the connection request from the client, responds with
    a SYN/ACK containing a SYN cookie and announcing a zero window and checks
    whether the final ACK from the client contains a valid cookie.

    It then establishes a connection to the original destination and, if
    successful, sends a window update to the client with the window size
    announced by the server.

    Support for timestamps, SACK, window scaling and MSS options can be
    statically configured as target parameters if the features of the server
    are known. If timestamps are used, the timestamp value sent back to
    the client in the SYN/ACK will be different from the real timestamp of
    the server. In order to not break PAWS, the timestamps are translated in
    the direction server->client.

    Signed-off-by: Patrick McHardy
    Tested-by: Martin Topholm
    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
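The exchange described above, as an added Python model (not the kernel's SYNPROXY code): the proxy answers the client's SYN with a SYN/ACK whose ISN is a SYN cookie and whose window is zero, keeps no state until the client's final ACK carries a valid cookie, then opens the real connection, sends the client a window update with the server's window, and from then on translates sequence numbers and timestamps on the server-to-client direction. The addresses, secret and sequence numbers are constructed; the cookie is a simplification (an HMAC over the peer identity and the client ISN) rather than the kernel's encoding of MSS and a timestamp counter.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from typing import List, Optional

MASK32 = 0xFFFFFFFF


@dataclass
class Segment:
    src: str
    dst: str
    flags: str                 # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int
    window: int
    tsval: Optional[int] = None
    tsecr: Optional[int] = None


def syn_cookie(secret: bytes, src: str, dst: str, client_isn: int) -> int:
    """Stateless cookie: keyed hash over peer identity and client ISN (simplified)."""
    mac = hmac.new(secret, f"{src}|{dst}|{client_isn}".encode(), hashlib.sha256).digest()
    return struct.unpack("!I", mac[:4])[0]


class Server:
    """The protected server: answers a SYN with its own ISN, window and timestamp."""

    def __init__(self, isn: int, window: int, tsval: int):
        self.isn, self.window, self.tsval = isn, window, tsval
        self.established = False

    def handle(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == "SYN":
            return Segment(seg.dst, seg.src, "SYN/ACK", self.isn, (seg.seq + 1) & MASK32,
                           self.window, self.tsval, seg.tsval)
        if seg.flags == "ACK" and seg.ack == (self.isn + 1) & MASK32:
            self.established = True
        return None


class SynProxy:
    def __init__(self, secret: bytes, server: Server, tsval: int):
        self.secret, self.server, self.tsval = secret, server, tsval
        self.seq_delta = 0     # cookie - server ISN, applied to server->client segments
        self.ts_delta = 0      # proxy TSval - server TSval, keeps the client's PAWS view monotonic
        self.established = False

    def from_client(self, seg: Segment) -> List[Segment]:
        """Process a client segment; returns what the proxy sends back to the client."""
        if seg.flags == "SYN":
            cookie = syn_cookie(self.secret, seg.src, seg.dst, seg.seq)
            # SYN/ACK carries the cookie as ISN and a zero window; no state is kept yet
            return [Segment(seg.dst, seg.src, "SYN/ACK", cookie, (seg.seq + 1) & MASK32,
                            0, self.tsval, seg.tsval)]
        if seg.flags == "ACK" and not self.established:
            client_isn = (seg.seq - 1) & MASK32
            cookie = syn_cookie(self.secret, seg.src, seg.dst, client_isn)
            if (seg.ack - 1) & MASK32 != cookie:
                return []      # bad cookie: drop; nothing was ever allocated for this peer
            # cookie valid: open the real connection, reusing the client's ISN
            synack = self.server.handle(Segment(seg.src, seg.dst, "SYN", client_isn, 0, 0, seg.tsval))
            self.server.handle(Segment(seg.src, seg.dst, "ACK", seg.seq, (synack.seq + 1) & MASK32,
                                       synack.window, seg.tsval, synack.tsval))
            self.seq_delta = (cookie - synack.seq) & MASK32
            self.ts_delta = (self.tsval - synack.tsval) & MASK32
            self.established = True
            # window update: reveal the window the server really announced
            update = Segment(seg.dst, seg.src, "ACK", (synack.seq + 1) & MASK32, seg.seq,
                             synack.window, synack.tsval, seg.tsval)
            return [self.to_client(update)]
        return []

    def to_client(self, seg: Segment) -> Segment:
        """Server->client translation of sequence numbers and timestamps."""
        tsval = None if seg.tsval is None else (seg.tsval + self.ts_delta) & MASK32
        return replace(seg, seq=(seg.seq + self.seq_delta) & MASK32, tsval=tsval)


def run_handshake(secret: bytes = b"example-secret", forge_ack: bool = False):
    """Full exchange on constructed values; forge_ack=True models a guessed cookie."""
    server = Server(isn=0x50000000, window=29200, tsval=1000)
    proxy = SynProxy(secret, server, tsval=7000000)
    syn = Segment("10.0.0.2", "10.0.0.1", "SYN", 0x1000, 0, 65535, tsval=42)
    synack = proxy.from_client(syn)[0]
    ack_num = (synack.seq + 1) & MASK32
    if forge_ack:
        ack_num = (ack_num + 1) & MASK32
    ack = Segment("10.0.0.2", "10.0.0.1", "ACK", 0x1001, ack_num, 65535, tsval=43, tsecr=synack.tsval)
    return synack, proxy.from_client(ack), proxy, server


if __name__ == "__main__":
    synack, reply, proxy, server = run_handshake()
    print("SYN/ACK to client:", synack)
    print("window update    :", reply[0], "server established:", server.established)
```

The window update is the first segment that goes through `to_client`: its sequence number comes out as cookie + 1, exactly what the client expects after the SYN/ACK, and its TSval equals the proxy's own clock, so the client never sees a timestamp jump backwards. A segment with a wrong cookie produces no reply and touches neither proxy nor server state.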
     

31 Jul, 2013

1 commit

  • The module was "permanent", due to the special tproxy skb->destructor.
    Nowadays we have tcp early demux and its sock_edemux destructor in
    networking core which can be used instead.

    Thanks to early demux changes the input path now also handles
    "skb->sk is tw socket" correctly, so this no longer needs the special
    handling introduced with commit d503b30bd648b3cb4e5f50b65d27e389960cc6d9
    (netfilter: tproxy: do not assign timewait sockets to skb->sk).

    Thus:
    - move assign_sock function to where its needed
    - don't prevent timewait sockets from being assigned to the skb
    - remove nf_tproxy_core.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

22 Feb, 2013

1 commit

  • Pull driver core patches from Greg Kroah-Hartman:
    "Here is the big driver core merge for 3.9-rc1

    There are two major series here, both of which touch lots of drivers
    all over the kernel, and will cause you some merge conflicts:

    - add a new function called devm_ioremap_resource() to properly be
    able to check return values.

    - remove CONFIG_EXPERIMENTAL

    Other than those patches, there's not much here, some minor fixes and
    updates"

    Fix up trivial conflicts

    * tag 'driver-core-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (221 commits)
    base: memory: fix soft/hard_offline_page permissions
    drivercore: Fix ordering between deferred_probe and exiting initcalls
    backlight: fix class_find_device() arguments
    TTY: mark tty_get_device call with the proper const values
    driver-core: constify data for class_find_device()
    firmware: Ignore abort check when no user-helper is used
    firmware: Reduce ifdef CONFIG_FW_LOADER_USER_HELPER
    firmware: Make user-mode helper optional
    firmware: Refactoring for splitting user-mode helper code
    Driver core: treat unregistered bus_types as having no devices
    watchdog: Convert to devm_ioremap_resource()
    thermal: Convert to devm_ioremap_resource()
    spi: Convert to devm_ioremap_resource()
    power: Convert to devm_ioremap_resource()
    mtd: Convert to devm_ioremap_resource()
    mmc: Convert to devm_ioremap_resource()
    mfd: Convert to devm_ioremap_resource()
    media: Convert to devm_ioremap_resource()
    iommu: Convert to devm_ioremap_resource()
    drm: Convert to devm_ioremap_resource()
    ...

    Linus Torvalds
     

21 Jan, 2013

1 commit

  • Support arbitrary linux socket filter (BPF) programs as x_tables
    match rules. This allows for very expressive filters, and on
    platforms with BPF JIT appears competitive with traditional
    hardcoded iptables rules using the u32 match.

    The size of the filter has been artificially limited to 64
    instructions maximum to avoid bloating the size of each rule
    using this new match.

    Signed-off-by: Willem de Bruijn
    Signed-off-by: Pablo Neira Ayuso

    Willem de Bruijn