Re: [PATCH nf-next] netfilter: cttimeout: move ctnl_untimeout to nf_conntrack
Hi Harsha,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on nf-next/master]

url: https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-cttimeout-move-ctnl_untimeout-to-nf_conntrack/20180714-095352
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
reproduce:
        # apt-get install sparse
        make ARCH=x86_64 allmodconfig
        make C=1 CF=-D__CHECK_ENDIAN__

sparse warnings: (new ones prefixed by >>)

>> net/netfilter/nf_conntrack_timeout.c:38:62: sparse: incompatible types in comparison expression (different base types)

vim +38 net/netfilter/nf_conntrack_timeout.c

    33
    34  static int untimeout(struct nf_conn *ct, void *timeout)
    35  {
    36          struct nf_conn_timeout *timeout_ext = nf_ct_timeout_find(ct);
    37
  > 38          if (timeout_ext && (!timeout || timeout_ext->timeout == timeout))
    39                  RCU_INIT_POINTER(timeout_ext->timeout, NULL);
    40
    41          /* We are not intended to delete this conntrack. */
    42          return 0;
    43  }
    44

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Re: [PATCH nf-next v7] netfilter: nft_ct: add ct timeout support
Hi Harsha,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf-next/master]

url: https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-nft_ct-add-ct-timeout-support/20180714-095128
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: i386-allmodconfig (attached as .config)
compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386

All errors (new ones prefixed by >>):

>> net/netfilter/nft_ct.c:1106:11: error: 'nft_ct_timeout_obj_eval' undeclared here (not in a function); did you mean 'nft_ct_timeout_obj_ops'?
     .eval           = nft_ct_timeout_obj_eval,
                       ^~~
                       nft_ct_timeout_obj_ops
>> net/netfilter/nft_ct.c:1107:11: error: 'nft_ct_timeout_obj_init' undeclared here (not in a function); did you mean 'nft_ct_timeout_obj_eval'?
     .init           = nft_ct_timeout_obj_init,
                       ^~~
                       nft_ct_timeout_obj_eval
>> net/netfilter/nft_ct.c:1108:13: error: 'nft_ct_timeout_obj_destroy' undeclared here (not in a function); did you mean 'nft_ct_timeout_obj_init'?
     .destroy        = nft_ct_timeout_obj_destroy,
                       ^~
                       nft_ct_timeout_obj_init
>> net/netfilter/nft_ct.c:1109:11: error: 'nft_ct_timeout_obj_dump' undeclared here (not in a function); did you mean 'nft_ct_timeout_obj_init'?
     .dump           = nft_ct_timeout_obj_dump,
                       ^~~
                       nft_ct_timeout_obj_init

vim +1106 net/netfilter/nft_ct.c

  1101
  1102  static struct nft_object_type nft_ct_timeout_obj_type;
  1103  static const struct nft_object_ops nft_ct_timeout_obj_ops = {
  1104          .type           = &nft_ct_timeout_obj_type,
  1105          .size           = sizeof(struct nft_ct_timeout_obj),
> 1106          .eval           = nft_ct_timeout_obj_eval,
> 1107          .init           = nft_ct_timeout_obj_init,
> 1108          .destroy        = nft_ct_timeout_obj_destroy,
> 1109          .dump           = nft_ct_timeout_obj_dump,
  1110  };

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Re: [PATCH nf-next] netfilter: cttimeout: move ctnl_untimeout to nf_conntrack
Hi Harsha,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf-next/master]

url: https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-cttimeout-move-ctnl_untimeout-to-nf_conntrack/20180714-095352
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: i386-randconfig-x015-201827 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386

All errors (new ones prefixed by >>):

   net//netfilter/nfnetlink_cttimeout.c: In function 'ctnl_timeout_try_del':
>> net//netfilter/nfnetlink_cttimeout.c:312:3: error: implicit declaration of function 'nf_ct_untimeout'; did you mean 'nf_ct_netns_put'? [-Werror=implicit-function-declaration]
      nf_ct_untimeout(net, timeout);
      ^~~
      nf_ct_netns_put
   cc1: some warnings being treated as errors

vim +312 net//netfilter/nfnetlink_cttimeout.c

   299
   300  /* try to delete object, fail if it is still in use. */
   301  static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout)
   302  {
   303          int ret = 0;
   304
   305          /* We want to avoid races with ctnl_timeout_put. So only when the
   306           * current refcnt is 1, we decrease it to 0.
   307           */
   308          if (refcount_dec_if_one(&timeout->refcnt)) {
   309                  /* We are protected by nfnl mutex. */
   310                  list_del_rcu(&timeout->head);
   311                  nf_ct_l4proto_put(timeout->l4proto);
 > 312                  nf_ct_untimeout(net, timeout);
   313                  kfree_rcu(timeout, rcu_head);
   314          } else {
   315                  ret = -EBUSY;
   316          }
   317          return ret;
   318  }
   319

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Re: [PATCH nf-next v7] netfilter: nft_ct: add ct timeout support
Hi Harsha,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf-next/master]

url: https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-nft_ct-add-ct-timeout-support/20180714-095128
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: i386-randconfig-x015-201827 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386

All errors (new ones prefixed by >>):

   net/netfilter/nft_ct.c: In function 'nft_ct_timeout_obj_destroy':
>> net/netfilter/nft_ct.c:901:3: error: implicit declaration of function 'nf_ct_untimeout'; did you mean 'nf_ct_netns_put'? [-Werror=implicit-function-declaration]
      nf_ct_untimeout(ctx->net, priv->timeout);
      ^~~
      nf_ct_netns_put
   cc1: some warnings being treated as errors

vim +901 net/netfilter/nft_ct.c

   890
   891  static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
   892                                         struct nft_object *obj)
   893  {
   894          struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
   895
   896          nf_ct_tmpl_free(priv->tmpl);
   897
   898          if (refcount_dec_if_one(&priv->timeout->refcnt)) {
   899                  nf_ct_l4proto_put(priv->timeout->l4proto);
   900                  list_del_rcu(&priv->timeout->head);
 > 901                  nf_ct_untimeout(ctx->net, priv->timeout);
   902          }
   903  }
   904

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Re: [PATCH nf-next 3/3] netfilter: nf_osf: add nf_osf_find()
Hi Pablo,

I love your patch! Perhaps something to improve:

[auto build test WARNING on nf-next/master]

url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nf_osf-add-nf_osf_match_one/20180714-051307
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
reproduce:
        # apt-get install sparse
        make ARCH=x86_64 allmodconfig
        make C=1 CF=-D__CHECK_ENDIAN__

sparse warnings: (new ones prefixed by >>)

>> net/netfilter/nf_osf.c:267:24: sparse: Using plain integer as NULL pointer

vim +267 net/netfilter/nf_osf.c

   251
   252  const char *nf_osf_find(const struct sk_buff *skb,
   253                          const struct list_head *nf_osf_fingers)
   254  {
   255          const struct iphdr *ip = ip_hdr(skb);
   256          const struct nf_osf_user_finger *f;
   257          unsigned char opts[MAX_IPOPTLEN];
   258          const struct nf_osf_finger *kf;
   259          struct nf_osf_hdr_ctx ctx;
   260          const struct tcphdr *tcp;
   261          const char *genre = NULL;
   262
   263          memset(&ctx, 0, sizeof(ctx));
   264
   265          tcp = nf_osf_hdr_ctx_init(&ctx, skb, ip, opts);
   266          if (!tcp)
 > 267                  return false;
   268
   269          list_for_each_entry_rcu(kf, &nf_osf_fingers[ctx.df], finger_entry) {
   270                  f = &kf->finger;
   271                  if (!nf_osf_match_one(skb, f, -1, &ctx))
   272                          continue;
   273
   274                  genre = f->genre;
   275                  break;
   276          }
   277
   278          return genre;
   279  }
   280  EXPORT_SYMBOL_GPL(nf_osf_find);
   281

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
[PATCH v3 nf-next 1/2] ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module
IPV6=m DEFRAG_IPV6=m CONNTRACK=y yields: net/netfilter/nf_conntrack_proto.o: In function `nf_ct_netns_do_get': net/netfilter/nf_conntrack_proto.c:802: undefined reference to `nf_defrag_ipv6_enable' net/netfilter/nf_conntrack_proto.o:(.rodata+0x640): undefined reference to `nf_conntrack_l4proto_icmpv6' Setting DEFRAG_IPV6=y causes undefined references to ip6_rhash_params ip6_frag_init and ip6_expire_frag_queue so it would be needed to force IPV6=y too. This patch gets rid of the 'followup linker error' by removing the dependency of ipv6.ko symbols from netfilter ipv6 defrag. Shared code is placed into a header, then used from both. Signed-off-by: Florian Westphal --- v3: fix ovs build failure with IPV6=n v2: fix build failure with 6lowpan (missing include) include/net/ipv6.h| 28 include/net/ipv6_frag.h | 104 ++ net/ieee802154/6lowpan/reassembly.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 17 +++-- net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 3 +- net/ipv6/reassembly.c | 92 ++ net/openvswitch/conntrack.c | 1 + 7 files changed, 126 insertions(+), 121 deletions(-) create mode 100644 include/net/ipv6_frag.h diff --git a/include/net/ipv6.h b/include/net/ipv6.h index 16475c269749..0012c0a6c86e 100644 --- a/include/net/ipv6.h +++ b/include/net/ipv6.h 
@@ -561,34 +561,6 @@ static inline bool ipv6_prefix_equal(const struct in6_addr *addr1, } #endif -struct inet_frag_queue; - -enum ip6_defrag_users { - IP6_DEFRAG_LOCAL_DELIVER, - IP6_DEFRAG_CONNTRACK_IN, - __IP6_DEFRAG_CONNTRACK_IN = IP6_DEFRAG_CONNTRACK_IN + USHRT_MAX, - IP6_DEFRAG_CONNTRACK_OUT, - __IP6_DEFRAG_CONNTRACK_OUT = IP6_DEFRAG_CONNTRACK_OUT + USHRT_MAX, - IP6_DEFRAG_CONNTRACK_BRIDGE_IN, - __IP6_DEFRAG_CONNTRACK_BRIDGE_IN = IP6_DEFRAG_CONNTRACK_BRIDGE_IN + USHRT_MAX, -}; - -void ip6_frag_init(struct inet_frag_queue *q, const void *a); -extern const struct rhashtable_params ip6_rhash_params; - -/* - * Equivalent of ipv4 struct ip - */ -struct frag_queue { - struct inet_frag_queue q; - - int iif; - __u16 nhoffset; - u8 ecn; -}; - -void ip6_expire_frag_queue(struct net *net, struct frag_queue *fq); - static inline bool ipv6_addr_any(const struct in6_addr *a) { #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h new file mode 100644 index ..6ced1e6899b6 --- /dev/null +++ b/include/net/ipv6_frag.h 
@@ -0,0 +1,104 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _IPV6_FRAG_H +#define _IPV6_FRAG_H +#include +#include +#include +#include + +enum ip6_defrag_users { + IP6_DEFRAG_LOCAL_DELIVER, + IP6_DEFRAG_CONNTRACK_IN, + __IP6_DEFRAG_CONNTRACK_IN = IP6_DEFRAG_CONNTRACK_IN + USHRT_MAX, + IP6_DEFRAG_CONNTRACK_OUT, + __IP6_DEFRAG_CONNTRACK_OUT = IP6_DEFRAG_CONNTRACK_OUT + USHRT_MAX, + IP6_DEFRAG_CONNTRACK_BRIDGE_IN, + __IP6_DEFRAG_CONNTRACK_BRIDGE_IN = IP6_DEFRAG_CONNTRACK_BRIDGE_IN + USHRT_MAX, +}; + +/* + * Equivalent of ipv4 struct ip + */ +struct frag_queue { + struct inet_frag_queue q; + + int iif; + __u16 nhoffset; + u8 ecn; +}; + +#if IS_ENABLED(CONFIG_IPV6) +static inline void ip6frag_init(struct inet_frag_queue *q, const void *a) +{ + struct frag_queue *fq = container_of(q, struct frag_queue, q); + const struct frag_v6_compare_key *key = a; + + q->key.v6 = *key; + fq->ecn = 0; +} + +static inline u32 ip6frag_key_hashfn(const void *data, u32 len, u32 seed) +{ + return jhash2(data, + sizeof(struct frag_v6_compare_key) / sizeof(u32), seed); +} + +static inline u32 ip6frag_obj_hashfn(const void *data, u32 len, u32 seed) +{ + const struct inet_frag_queue *fq = data; + + return jhash2((const u32 *)>key.v6, + sizeof(struct frag_v6_compare_key) / sizeof(u32), seed); +} + +static inline int +ip6frag_obj_cmpfn(struct rhashtable_compare_arg *arg, const void *ptr) +{ + const struct frag_v6_compare_key *key = arg->key; + const struct inet_frag_queue *fq = ptr; + + return !!memcmp(>key, key, sizeof(*key)); +} + +static inline void +ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq) +{ + struct net_device *dev = NULL; + struct sk_buff *head; + + rcu_read_lock(); + spin_lock(>q.lock); + + if (fq->q.flags & INET_FRAG_COMPLETE) + goto out; + + inet_frag_kill(>q); + + dev = dev_get_by_index_rcu(net, fq->iif); + if (!dev) + goto out; + + __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS); +
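Review bot: the `#if IS_ENABLED(CONFIG_IPV6)` guard in the new include/net/ipv6_frag.h leaves `enum ip6_defrag_users` and `struct frag_queue` always visible but makes every `ip6frag_*` static inline helper disappear with IPV6=n, so each includer has to guard its calls the same way (the v3 changelog entry "fix ovs build failure with IPV6=n" is exactly that class of breakage). A comment on that `#if` stating the contract, plus a note that each includer now compiles its own copy of `ip6frag_expire_frag_queue()` instead of calling the previously exported `ip6_expire_frag_queue()` removed from ipv6.h, would spare the next user a build-failure round trip.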
[PATCH nf-next] netfilter: cttimeout: move ctnl_untimeout to nf_conntrack
As, ctnl_untimeout is required by nft_ct, so move ctnl_timeout from nfnetlink_cttimeout to nf_conntrack_timeout and rename as nf_ct_timeout. Signed-off-by: Harsha Sharma --- include/net/netfilter/nf_conntrack_timeout.h | 1 + net/netfilter/nf_conntrack_timeout.c | 17 + net/netfilter/nfnetlink_cttimeout.c | 20 ++-- 3 files changed, 20 insertions(+), 18 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h index 80ceb3d0291d..edb3b5271ef5 100644 --- a/include/net/netfilter/nf_conntrack_timeout.h +++ b/include/net/netfilter/nf_conntrack_timeout.h @@ -98,6 +98,7 @@ static inline void nf_conntrack_timeout_fini(void) #ifdef CONFIG_NF_CONNTRACK_TIMEOUT extern struct ctnl_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name); extern void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout); +extern void nf_ct_untimeout(struct net *net, struct ctnl_timeout *timeout); #endif #endif /* _NF_CONNTRACK_TIMEOUT_H */ diff --git a/net/netfilter/nf_conntrack_timeout.c b/net/netfilter/nf_conntrack_timeout.c index 46aee65f339b..401c2cce4a61 100644 --- a/net/netfilter/nf_conntrack_timeout.c +++ b/net/netfilter/nf_conntrack_timeout.c 
@@ -31,6 +31,23 @@ EXPORT_SYMBOL_GPL(nf_ct_timeout_find_get_hook); void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout) __read_mostly; EXPORT_SYMBOL_GPL(nf_ct_timeout_put_hook); +static int untimeout(struct nf_conn *ct, void *timeout) +{ + struct nf_conn_timeout *timeout_ext = nf_ct_timeout_find(ct); + + if (timeout_ext && (!timeout || timeout_ext->timeout == timeout)) + RCU_INIT_POINTER(timeout_ext->timeout, NULL); + + /* We are not intended to delete this conntrack. */ + return 0; +} + +void nf_ct_untimeout(struct net *net, struct ctnl_timeout *timeout) +{ + nf_ct_iterate_cleanup_net(net, untimeout, timeout, 0, 0); +} +EXPORT_SYMBOL_GPL(nf_ct_untimeout); + static const struct nf_ct_ext_type timeout_extend = { .len= sizeof(struct nf_conn_timeout), .align = __alignof__(struct nf_conn_timeout), diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c index d9d952fad3e0..4bad8586c744 100644 --- a/net/netfilter/nfnetlink_cttimeout.c +++ b/net/netfilter/nfnetlink_cttimeout.c @@ -297,22 +297,6 @@ static int cttimeout_get_timeout(struct net *net, struct sock *ctnl, return ret; } -static int untimeout(struct nf_conn *ct, void *timeout) -{ - struct nf_conn_timeout *timeout_ext = nf_ct_timeout_find(ct); - - if (timeout_ext && (!timeout || timeout_ext->timeout == timeout)) - RCU_INIT_POINTER(timeout_ext->timeout, NULL); - - /* We are not intended to delete this conntrack. */ - return 0; -} - -static void ctnl_untimeout(struct net *net, struct ctnl_timeout *timeout) -{ - nf_ct_iterate_cleanup_net(net, untimeout, timeout, 0, 0); -} - /* try to delete object, fail if it is still in use. */ static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout) { 
@@ -325,7 +309,7 @@ static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout) /* We are protected by nfnl mutex. */ list_del_rcu(>head); nf_ct_l4proto_put(timeout->l4proto); - ctnl_untimeout(net, timeout); + nf_ct_untimeout(net, timeout); kfree_rcu(timeout, rcu_head); } else { ret = -EBUSY; @@ -575,7 +559,7 @@ static void __net_exit cttimeout_net_exit(struct net *net) struct ctnl_timeout *cur, *tmp; nf_ct_unconfirmed_destroy(net); - ctnl_untimeout(net, NULL); + nf_ct_untimeout(net, NULL); list_for_each_entry_safe(cur, tmp, >nfct_timeout_list, head) { list_del_rcu(>head); -- 2.14.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
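Review bot: the new `extern void nf_ct_untimeout(...)` prototype in nf_conntrack_timeout.h sits inside `#ifdef CONFIG_NF_CONNTRACK_TIMEOUT`, while both callers in nfnetlink_cttimeout.c (`ctnl_timeout_try_del()` and `cttimeout_net_exit()`) are compiled unconditionally; the i386-randconfig report earlier in this digest shows the consequence, `implicit declaration of function 'nf_ct_untimeout'` at nfnetlink_cttimeout.c:312, a configuration the old file-local `ctnl_untimeout()` never had to care about. Either the cttimeout Kconfig entry has to guarantee CONFIG_NF_CONNTRACK_TIMEOUT, or the declaration (and definition) must not depend on it. Two smaller points: the sparse report flags `timeout_ext->timeout == timeout` at nf_conntrack_timeout.c:38 (the `__rcu` pointer that `RCU_INIT_POINTER()` writes below is compared with a plain `void *`; while the code is being moved anyway, `rcu_access_pointer(timeout_ext->timeout) == timeout` would make the access explicit), and the commit message speaks of `ctnl_timeout`/`nf_ct_timeout` where the patch actually moves `ctnl_untimeout()` and renames it `nf_ct_untimeout()`.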
[PATCH nf-next v7] netfilter: nft_ct: add ct timeout support
This patch allows to add, list and delete connection tracking timeout policies via nft objref infrastructure and assigning these timeout via nft rule. Ruleset: table ip raw { ct timeout cttime { protocol tcp established 111 close 13 l3proto ip } chain output { type filter hook output priority -300; policy accept; ct timeout set "cttime" } } %./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp %./libnftnl/examples/nft-rule-ct-timeout-add ip raw output cttime %conntrack -E [NEW] tcp 6 111 ESTABLISHED src=172.16.19.128 dst=172.16.19.1 sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128 sport=41360 dport=22 Signed-off-by: Harsha Sharma --- Changes in v7: - initialise list_head for nfct_timeout_list in nf_tables_api - use nf_ct_untimeout for cleanup - other minor changes Changes in v6: - Remove unnecessary chunks - initialise timeout list in nf_tables_api.c - minor changes Changes in v5: - wrap with NF_CT_NETLINK_TIMEOUT option - attach timeout template in init - other minor changes Changes in v4: - Remove unused attributes - allocate template from init() path - minor changes - updated log message - pull to latest tree Changes in v3: - Use nf_ct_tmpl_alloc to attach timeout via template conntrack. Changes in v2: - Add code for nft_ct_timeout_obj_eval - remove likely() from code - remove vla in ctnl_timeout_parse_policy include/uapi/linux/netfilter/nf_tables.h | 14 ++- net/netfilter/nf_tables_api.c| 4 + net/netfilter/nft_ct.c | 192 +++ 3 files changed, 209 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 89438e68dc03..552fa5a6b7c3 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h 
@@ -955,6 +955,7 @@ enum nft_socket_keys { * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address) * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) + * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack */ enum nft_ct_keys { NFT_CT_STATE, @@ -980,6 +981,7 @@ enum nft_ct_keys { NFT_CT_DST_IP, NFT_CT_SRC_IP6, NFT_CT_DST_IP6, + NFT_CT_TIMEOUT, __NFT_CT_MAX }; #define NFT_CT_MAX (__NFT_CT_MAX - 1) @@ -1392,13 +1394,23 @@ enum nft_ct_helper_attributes { }; #define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1) +enum nft_ct_timeout_timeout_attributes { + NFTA_CT_TIMEOUT_UNSPEC, + NFTA_CT_TIMEOUT_L3PROTO, + NFTA_CT_TIMEOUT_L4PROTO, + NFTA_CT_TIMEOUT_DATA, + __NFTA_CT_TIMEOUT_MAX, +}; +#define NFTA_CT_TIMEOUT_MAX(__NFTA_CT_TIMEOUT_MAX - 1) + #define NFT_OBJECT_UNSPEC 0 #define NFT_OBJECT_COUNTER 1 #define NFT_OBJECT_QUOTA 2 #define NFT_OBJECT_CT_HELPER 3 #define NFT_OBJECT_LIMIT 4 #define NFT_OBJECT_CONNLIMIT 5 -#define __NFT_OBJECT_MAX 6 +#define NFT_OBJECT_CT_TIMEOUT 6 +#define __NFT_OBJECT_MAX 7 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) /** diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3f211e1025c1..c1cf24b6db96 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -7152,6 +7152,10 @@ static int __net_init nf_tables_init_net(struct net *net) { INIT_LIST_HEAD(>nft.tables); INIT_LIST_HEAD(>nft.commit_list); + +#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) + INIT_LIST_HEAD(>nfct_timeout_list); +#endif net->nft.base_seq = 1; net->nft.validate_state = NFT_VALIDATE_SKIP; diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 1435ffc5f57e..c5a0a8edd248 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c @@ -22,6 +22,9 @@ #include #include #include +#include +#include +#include struct nft_ct { enum nft_ct_keyskey:8; 
@@ -38,6 +41,11 @@ struct nft_ct_helper_obj { u8 l4proto; }; +struct nft_ct_timeout_obj { + struct ctnl_timeout *timeout; + struct nf_conn *tmpl; +}; + #ifdef CONFIG_NF_CONNTRACK_ZONES static DEFINE_PER_CPU(struct nf_conn *, nft_ct_pcpu_template); static unsigned int nft_ct_pcpu_template_refcnt __read_mostly; @@ -765,6 +773,159 @@ static struct nft_expr_type nft_notrack_type __read_mostly = { .owner = THIS_MODULE, }; +#ifdef CONFIG_NF_CT_NETLINK_TIMEOUT +static int +nft_ct_timeout_parse_policy(void *timeouts, + const struct nf_conntrack_l4proto *l4proto, + struct net *net, const struct nlattr *attr) +{ + struct nlattr **tb; + int ret = 0; + + if (!l4proto->ctnl_timeout.nlattr_to_obj) + return 0; + + tb = kcalloc(l4proto->ctnl_timeout.nlattr_max + 1,
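Review bot: `#ifdef CONFIG_NF_CT_NETLINK_TIMEOUT` in nft_ct.c is false when that option is built as a module (=m), which is what the i386-allmodconfig report in this digest shows: `nft_ct_timeout_obj_eval`, `_init`, `_destroy` and `_dump` are undeclared at the `nft_ct_timeout_obj_ops` initialiser (nft_ct.c:1106-1109) because their definitions were compiled out while the ops table was not. The nf_tables_api.c hunk already uses `IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)`; nft_ct.c needs the same test, and it has to enclose both the functions and the ops/type definitions. The i386-randconfig report additionally shows `nf_ct_untimeout()` implicitly declared at nft_ct.c:901: that helper comes from the companion cttimeout patch and is only declared under CONFIG_NF_CONNTRACK_TIMEOUT, so the guard (or the Kconfig dependency) must cover that as well. Minor: the new uapi enum is named `nft_ct_timeout_timeout_attributes`, doubling "timeout" next to `nft_ct_helper_attributes` directly above it.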
[PATCH nf-next 1/3] netfilter: nf_osf: add nf_osf_match_one()
This new function allows us to check if there is TCP syn packet matching with a given fingerprint that can be reused from the upcoming new nf_osf_find() function. Signed-off-by: Pablo Neira Ayuso --- Compile tested only. net/netfilter/nf_osf.c | 207 ++--- 1 file changed, 111 insertions(+), 96 deletions(-) diff --git a/net/netfilter/nf_osf.c b/net/netfilter/nf_osf.c index 5ba5c7bef2f9..bd7b34dd7d87 100644 --- a/net/netfilter/nf_osf.c +++ b/net/netfilter/nf_osf.c @@ -21,15 +21,14 @@ #include static inline int nf_osf_ttl(const struct sk_buff *skb, -const struct nf_osf_info *info, -unsigned char f_ttl) +int ttl_check, unsigned char f_ttl) { const struct iphdr *ip = ip_hdr(skb); - if (info->flags & NF_OSF_TTL) { - if (info->ttl == NF_OSF_TTL_TRUE) + if (ttl_check != -1) { + if (ttl_check == NF_OSF_TTL_TRUE) return ip->ttl == f_ttl; - if (info->ttl == NF_OSF_TTL_NOCHECK) + if (ttl_check == NF_OSF_TTL_NOCHECK) return 1; else if (ip->ttl <= f_ttl) return 1; 
@@ -52,6 +51,104 @@ static inline int nf_osf_ttl(const struct sk_buff *skb, return ip->ttl == f_ttl; } +static bool nf_osf_match_one(const struct sk_buff *skb, +const struct nf_osf_user_finger *f, +int ttl_check, u16 totlen, u16 window, +const unsigned char *optp, +unsigned int optsize) +{ + unsigned int check_WSS = 0; + int fmatch = FMATCH_WRONG; + int foptsize, optnum; + u16 mss = 0; + + if (totlen != f->ss || !nf_osf_ttl(skb, ttl_check, f->ttl)) + return false; + + /* +* Should not happen if userspace parser was written correctly. +*/ + if (f->wss.wc >= OSF_WSS_MAX) + return false; + + /* Check options */ + + foptsize = 0; + for (optnum = 0; optnum < f->opt_num; ++optnum) + foptsize += f->opt[optnum].length; + + if (foptsize > MAX_IPOPTLEN || + optsize > MAX_IPOPTLEN || + optsize != foptsize) + return false; + + check_WSS = f->wss.wc; + + for (optnum = 0; optnum < f->opt_num; ++optnum) { + if (f->opt[optnum].kind == (*optp)) { + __u32 len = f->opt[optnum].length; + const __u8 *optend = optp + len; + + fmatch = FMATCH_OK; + + switch (*optp) { + case OSFOPT_MSS: + mss = optp[3]; + mss <<= 8; + mss |= optp[2]; + + mss = ntohs((__force __be16)mss); + break; + case OSFOPT_TS: + break; + } + + optp = optend; + } else + fmatch = FMATCH_OPT_WRONG; + + if (fmatch != FMATCH_OK) + break; + } + + if (fmatch != FMATCH_OPT_WRONG) { + fmatch = FMATCH_WRONG; + + switch (check_WSS) { + case OSF_WSS_PLAIN: + if (f->wss.val == 0 || window == f->wss.val) + fmatch = FMATCH_OK; + break; + case OSF_WSS_MSS: + /* +* Some smart modems decrease mangle MSS to +* SMART_MSS_2, so we check standard, decreased +* and the one provided in the fingerprint MSS +* values. 
+*/ +#define SMART_MSS_11460 +#define SMART_MSS_21448 + if (window == f->wss.val * mss || + window == f->wss.val * SMART_MSS_1 || + window == f->wss.val * SMART_MSS_2) + fmatch = FMATCH_OK; + break; + case OSF_WSS_MTU: + if (window == f->wss.val * (mss + 40) || + window == f->wss.val * (SMART_MSS_1 + 40) || + window == f->wss.val * (SMART_MSS_2 + 40)) + fmatch = FMATCH_OK; + break; + case OSF_WSS_MODULO: + if ((window % f->wss.val) == 0) + fmatch = FMATCH_OK; + break; + } + } + + return fmatch == FMATCH_OK; +} + bool nf_osf_match(const struct sk_buff *skb, u_int8_t family, int hooknum, struct net_device *in, struct net_device
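Review bot: `nf_osf_ttl()` now takes `int ttl_check` and treats `-1` as "no TTL check requested", but nothing in the hunk documents that sentinel, and the other accepted values are the `NF_OSF_TTL_*` constants; since nf_osf_find() in patch 3/3 passes a bare `-1`, a named constant, or at least a comment at the `if (ttl_check != -1)` test in `nf_osf_ttl()`, would make the contract visible to that and any later caller.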
[PATCH nf-next 2/3] netfilter: nf_osf: add struct nf_osf_hdr_ctx
Wrap context that allow us to guess the OS into a structure. Signed-off-by: Pablo Neira Ayuso --- Compile tested only. net/netfilter/nf_osf.c | 105 + 1 file changed, 62 insertions(+), 43 deletions(-) diff --git a/net/netfilter/nf_osf.c b/net/netfilter/nf_osf.c index bd7b34dd7d87..b44d62d5d9a9 100644 --- a/net/netfilter/nf_osf.c +++ b/net/netfilter/nf_osf.c @@ -51,18 +51,25 @@ static inline int nf_osf_ttl(const struct sk_buff *skb, return ip->ttl == f_ttl; } +struct nf_osf_hdr_ctx { + booldf; + u16 window; + u16 totlen; + const unsigned char *optp; + unsigned intoptsize; +}; + static bool nf_osf_match_one(const struct sk_buff *skb, const struct nf_osf_user_finger *f, -int ttl_check, u16 totlen, u16 window, -const unsigned char *optp, -unsigned int optsize) +int ttl_check, +struct nf_osf_hdr_ctx *ctx) { unsigned int check_WSS = 0; int fmatch = FMATCH_WRONG; int foptsize, optnum; u16 mss = 0; - if (totlen != f->ss || !nf_osf_ttl(skb, ttl_check, f->ttl)) + if (ctx->totlen != f->ss || !nf_osf_ttl(skb, ttl_check, f->ttl)) return false; /* @@ -78,24 +85,24 @@ static bool nf_osf_match_one(const struct sk_buff *skb, foptsize += f->opt[optnum].length; if (foptsize > MAX_IPOPTLEN || - optsize > MAX_IPOPTLEN || - optsize != foptsize) + ctx->optsize > MAX_IPOPTLEN || + ctx->optsize != foptsize) return false; check_WSS = f->wss.wc; for (optnum = 0; optnum < f->opt_num; ++optnum) { - if (f->opt[optnum].kind == (*optp)) { + if (f->opt[optnum].kind == *ctx->optp) { __u32 len = f->opt[optnum].length; - const __u8 *optend = optp + len; + const __u8 *optend = ctx->optp + len; fmatch = FMATCH_OK; - switch (*optp) { + switch (*ctx->optp) { case OSFOPT_MSS: - mss = optp[3]; + mss = ctx->optp[3]; mss <<= 8; - mss |= optp[2]; + mss |= ctx->optp[2]; mss = ntohs((__force __be16)mss); break; @@ -103,7 +110,7 @@ static bool nf_osf_match_one(const struct sk_buff *skb, break; } - optp = optend; + ctx->optp = optend; } else fmatch = FMATCH_OPT_WRONG; 
@@ -116,7 +123,7 @@ static bool nf_osf_match_one(const struct sk_buff *skb, switch (check_WSS) { case OSF_WSS_PLAIN: - if (f->wss.val == 0 || window == f->wss.val) + if (f->wss.val == 0 || ctx->window == f->wss.val) fmatch = FMATCH_OK; break; case OSF_WSS_MSS: @@ -128,19 +135,19 @@ static bool nf_osf_match_one(const struct sk_buff *skb, */ #define SMART_MSS_11460 #define SMART_MSS_21448 - if (window == f->wss.val * mss || - window == f->wss.val * SMART_MSS_1 || - window == f->wss.val * SMART_MSS_2) + if (ctx->window == f->wss.val * mss || + ctx->window == f->wss.val * SMART_MSS_1 || + ctx->window == f->wss.val * SMART_MSS_2) fmatch = FMATCH_OK; break; case OSF_WSS_MTU: - if (window == f->wss.val * (mss + 40) || - window == f->wss.val * (SMART_MSS_1 + 40) || - window == f->wss.val * (SMART_MSS_2 + 40)) + if (ctx->window == f->wss.val * (mss + 40) || + ctx->window == f->wss.val * (SMART_MSS_1 + 40) || + ctx->window == f->wss.val * (SMART_MSS_2 + 40)) fmatch = FMATCH_OK; break; case OSF_WSS_MODULO: - if ((window % f->wss.val) == 0) + if ((ctx->window % f->wss.val) == 0) fmatch = FMATCH_OK; break; } @@ -149,54 +156,66 @@ static bool nf_osf_match_one(const struct sk_buff *skb, return fmatch == FMATCH_OK; }
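Review bot: `nf_osf_match_one()` now writes `ctx->optp = optend` into the shared context on every matched option, whereas before `optp` was a by-value parameter that every call started afresh; the context is built once per packet and callers such as nf_osf_find() in patch 3/3 invoke `nf_osf_match_one()` once per fingerprint with the same `ctx`, so from the second fingerprint on the option walk starts wherever the previous, failed, match left the cursor and will miss or mis-match options. Copy `ctx->optp` into a local at function entry and walk that (or restore it before returning), and make the `ctx` parameter `const` so the compiler enforces it.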
[PATCH nf-next 3/3] netfilter: nf_osf: add nf_osf_find()
This new function returns the OS genre as a string. Plan is to use to from the new nft_osf extension. Note that this doesn't yet support ttl options, but it could be easily extended to do so. Signed-off-by: Pablo Neira Ayuso --- Compile tested only. include/linux/netfilter/nf_osf.h | 3 +++ net/netfilter/nf_osf.c | 30 ++ 2 files changed, 33 insertions(+) diff --git a/include/linux/netfilter/nf_osf.h b/include/linux/netfilter/nf_osf.h index 0e114c492fb8..7d0947d6ef16 100644 --- a/include/linux/netfilter/nf_osf.h +++ b/include/linux/netfilter/nf_osf.h @@ -31,3 +31,6 @@ bool nf_osf_match(const struct sk_buff *skb, u_int8_t family, int hooknum, struct net_device *in, struct net_device *out, const struct nf_osf_info *info, struct net *net, const struct list_head *nf_osf_fingers); + +const char *nf_osf_find(const struct sk_buff *skb, +const struct list_head *nf_osf_fingers); diff --git a/net/netfilter/nf_osf.c b/net/netfilter/nf_osf.c index b44d62d5d9a9..f4c75e982902 100644 --- a/net/netfilter/nf_osf.c +++ b/net/netfilter/nf_osf.c 
@@ -249,4 +249,34 @@ nf_osf_match(const struct sk_buff *skb, u_int8_t family, } EXPORT_SYMBOL_GPL(nf_osf_match); +const char *nf_osf_find(const struct sk_buff *skb, + const struct list_head *nf_osf_fingers) +{ + const struct iphdr *ip = ip_hdr(skb); + const struct nf_osf_user_finger *f; + unsigned char opts[MAX_IPOPTLEN]; + const struct nf_osf_finger *kf; + struct nf_osf_hdr_ctx ctx; + const struct tcphdr *tcp; + const char *genre = NULL; + + memset(, 0, sizeof(ctx)); + + tcp = nf_osf_hdr_ctx_init(, skb, ip, opts); + if (!tcp) + return false; + + list_for_each_entry_rcu(kf, _osf_fingers[ctx.df], finger_entry) { + f = >finger; + if (!nf_osf_match_one(skb, f, -1, )) + continue; + + genre = f->genre; + break; + } + + return genre; +} +EXPORT_SYMBOL_GPL(nf_osf_find); + MODULE_LICENSE("GPL"); -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
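Review bot: `return false;` on the `!tcp` path of `nf_osf_find()` returns an integer from a function declared `const char *`; sparse flags it at nf_osf.c:267 ("Using plain integer as NULL pointer", see the kbuild report in this digest), and `return NULL;` matches the `genre` initialiser and the "returns the OS genre as a string" contract in the commit message. The function also walks `nf_osf_fingers[ctx.df]` with `list_for_each_entry_rcu()`, so the new prototype in nf_osf.h should state that callers must hold `rcu_read_lock()`; nft_osf will be the first caller outside this file.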
Re: [PATCH v4 nft] Set/print standard chain prios with textual names
On Fri, Jul 13, 2018 at 02:38:19PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > But that means that this solution cannot support bridge family at all. Or
> > BRNF stands for something that can be interpreted as filter?
>
> Currently bridge family has no special hooks, they are all 'filter'.
> So it would be fine to only support numbers in my opinion.
>
> We can revisit it later if needed.

I looked it up in iptables and it uses NF_BR_PRI_FILTER_BRIDGED for filter
tables so it would be inappropriate to translate 0 to filter here.
So yes, maybe we should leave bridge family alone.
Re: [PATCH v4 nft] Set/print standard chain prios with textual names
Máté Eckl wrote:
> But that means that this solution cannot support bridge family at all. Or BRNF
> stands for something that can be interpreted as filter?

Currently bridge family has no special hooks, they are all 'filter'.
So it would be fine to only support numbers in my opinion.

We can revisit it later if needed.
Re: [PATCH v4 nft] Set/print standard chain prios with textual names
On Fri, Jul 13, 2018 at 12:59:14PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 13, 2018 at 12:45:34PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > > > > BTW, srcnat only makes sense from postrouting, I think it would be
> > > > > > possible to reject things that make no sense from there, like srcnat
> > > > > > with prerouting as in the example above.
> > > > >
> > > > > I'll look after this.
> > > >
> > > > What do you think about this compatibility "matrix"?
> > >
> > > Looks fine, one comment though regarding bridge:
> > >
> > > include/linux/netfilter_bridge.h:       NF_BR_PRI_NAT_DST_OTHER = 100,
> > > include/linux/netfilter_bridge.h:       NF_BR_PRI_NAT_SRC = 300,
> > > include/linux/netfilter_bridge.h:       NF_BR_PRI_NAT_DST_BRIDGED = -300,

Oh. These are not exposed to the nft includes.

> > > Unfortunately I think we'll need these too, ie. we cannot reuse
> > > NF_IP_PRI_NAT_SRC.
> >
> > BR_NAT isn't "nat" family though, they are normal 'filter' types.
> >
> > I think it would be fine to just use 'filter + 300'.
>
> OK, let's do that then.

But that means that this solution cannot support bridge family at all. Or BRNF
stands for something that can be interpreted as filter?
Re: [PATCH v4 nft] Set/print standard chain prios with textual names
Pablo Neira Ayuso wrote:
> On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > > BTW, srcnat only makes sense from postrouting, I think it would be
> > > > possible to reject things that make no sense from there, like srcnat
> > > > with prerouting as in the example above.
> > >
> > > I'll look after this.
> >
> > What do you think about this compatibility "matrix"?
>
> Looks fine, one comment though regarding bridge:
>
> include/linux/netfilter_bridge.h: NF_BR_PRI_NAT_DST_OTHER = 100,
> include/linux/netfilter_bridge.h: NF_BR_PRI_NAT_SRC = 300,
> include/linux/netfilter_bridge.h: NF_BR_PRI_NAT_DST_BRIDGED = -300,
>
> Unfortunately I think we'll need these too, i.e. we cannot reuse
> NF_IP_PRI_NAT_SRC.

BR_NAT isn't "nat" family though, they are normal 'filter' types.

I think it would be fine to just use 'filter + 300'.
Re: [PATCH v4 nft] Set/print standard chain prios with textual names
On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > BTW, srcnat only makes sense from postrouting, I think it would be
> > > possible to reject things that make no sense from there, like srcnat
> > > with prerouting as in the example above.
> >
> > I'll look after this.
>
> What do you think about this compatibility "matrix"?

Looks fine, one comment though regarding bridge:

include/linux/netfilter_bridge.h: NF_BR_PRI_NAT_DST_OTHER = 100,
include/linux/netfilter_bridge.h: NF_BR_PRI_NAT_SRC = 300,
include/linux/netfilter_bridge.h: NF_BR_PRI_NAT_DST_BRIDGED = -300,

Unfortunately I think we'll need these too, i.e. we cannot reuse
NF_IP_PRI_NAT_SRC.

> static bool std_prio_family_hook_compat(int prio, int family, int hook)
> {
> 	switch (prio) {
> 	case NF_IP_PRI_FILTER:
> 		switch (family) {
> 		case NFPROTO_INET:
> 		case NFPROTO_IPV4:
> 		case NFPROTO_IPV6:
> 		case NFPROTO_ARP:
> 		case NFPROTO_BRIDGE:
> 		case NFPROTO_NETDEV:
> 			return true;
> 		default:
> 			return false;
> 		}
> 	case NF_IP_PRI_RAW:
> 	case NF_IP_PRI_MANGLE:
> 	case NF_IP_PRI_SECURITY:
> 		// For these I didn't find any info about which hook
> 		// they can make sense in
> 		switch (family) {
> 		case NFPROTO_INET:
> 		case NFPROTO_IPV4:
> 		case NFPROTO_IPV6:
> 			return true;
> 		default:
> 			return false;
> 		}
> 	case NF_IP_PRI_NAT_DST:
> 		switch (family) {
> 		case NFPROTO_INET:
> 		case NFPROTO_IPV4:
> 		case NFPROTO_IPV6:
> 		case NFPROTO_BRIDGE:
> 			switch (hook) {
> 			case NF_INET_PRE_ROUTING:
> 				return true;
> 			default:
> 				return false;
> 			}
> 		default:
> 			return false;
> 		}
> 	case NF_IP_PRI_NAT_SRC:
> 		switch (family) {
> 		case NFPROTO_INET:
> 		case NFPROTO_IPV4:
> 		case NFPROTO_IPV6:
> 		case NFPROTO_BRIDGE:
> 			switch (hook) {
> 			case NF_INET_POST_ROUTING:
> 				return true;
> 			default:
> 				return false;
> 			}
> 		default:
> 			return false;
> 		}
> 	default:
> 		return false;
> 	}
> }
Re: [PATCH v4 nft] Set/print standard chain prios with textual names
> > BTW, srcnat only makes sense from postrouting, I think it would be
> > possible to reject things that make no sense from there, like srcnat
> > with prerouting as in the example above.
>
> I'll look after this.

What do you think about this compatibility "matrix"?

#include <stdbool.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

static bool std_prio_family_hook_compat(int prio, int family, int hook)
{
	switch (prio) {
	case NF_IP_PRI_FILTER:
		switch (family) {
		case NFPROTO_INET:
		case NFPROTO_IPV4:
		case NFPROTO_IPV6:
		case NFPROTO_ARP:
		case NFPROTO_BRIDGE:
		case NFPROTO_NETDEV:
			return true;
		default:
			return false;
		}
	case NF_IP_PRI_RAW:
	case NF_IP_PRI_MANGLE:
	case NF_IP_PRI_SECURITY:
		// For these I didn't find any info about which hook
		// they can make sense in
		switch (family) {
		case NFPROTO_INET:
		case NFPROTO_IPV4:
		case NFPROTO_IPV6:
			return true;
		default:
			return false;
		}
	case NF_IP_PRI_NAT_DST:
		switch (family) {
		case NFPROTO_INET:
		case NFPROTO_IPV4:
		case NFPROTO_IPV6:
		case NFPROTO_BRIDGE:
			switch (hook) {
			case NF_INET_PRE_ROUTING:
				return true;
			default:
				return false;
			}
		default:
			return false;
		}
	case NF_IP_PRI_NAT_SRC:
		switch (family) {
		case NFPROTO_INET:
		case NFPROTO_IPV4:
		case NFPROTO_IPV6:
		case NFPROTO_BRIDGE:
			switch (hook) {
			case NF_INET_POST_ROUTING:
				return true;
			default:
				return false;
			}
		default:
			return false;
		}
	default:
		return false;
	}
}
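A stand-alone illustration of the two points this thread settles: the family/hook compatibility check for standard priority names, and the bridge outcome where bridge NAT priorities print as 'filter + 300' because bridge hooks are all 'filter'. This is an added example, not code from the nft patch; the NFPROTO_*, NF_INET_* and NF_IP_PRI_* values are copied from the kernel uapi headers so it builds without them, and the "closest compatible name" printing heuristic is an assumption of this example, not a description of how nft's printer resolves a numeric priority.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Values copied from the kernel uapi headers (linux/netfilter.h,
 * linux/netfilter_ipv4.h) so this builds stand-alone. */
enum { NFPROTO_INET = 1, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3, NFPROTO_BRIDGE = 7,
       NFPROTO_IPV6 = 10 };
enum { NF_INET_PRE_ROUTING = 0, NF_INET_POST_ROUTING = 4 };
enum { NF_IP_PRI_RAW = -300, NF_IP_PRI_MANGLE = -150, NF_IP_PRI_NAT_DST = -100,
       NF_IP_PRI_FILTER = 0, NF_IP_PRI_SECURITY = 50, NF_IP_PRI_NAT_SRC = 100 };
static const struct { const char *name; int prio; } std_prios[] = {
	{ "raw", NF_IP_PRI_RAW },           { "mangle", NF_IP_PRI_MANGLE },
	{ "dstnat", NF_IP_PRI_NAT_DST },    { "filter", NF_IP_PRI_FILTER },
	{ "security", NF_IP_PRI_SECURITY }, { "srcnat", NF_IP_PRI_NAT_SRC },
};

/* Compatibility matrix from the thread, with the agreed bridge outcome: arp,
 * bridge and netdev hooks are all 'filter', so bridge NAT is 'filter + 300'. */
static bool std_prio_family_hook_compat(int prio, int family, int hook)
{
	bool ip = family == NFPROTO_INET || family == NFPROTO_IPV4 || family == NFPROTO_IPV6;
	switch (prio) {
	case NF_IP_PRI_FILTER:  return true;                       /* every family */
	case NF_IP_PRI_NAT_DST: return ip && hook == NF_INET_PRE_ROUTING;
	case NF_IP_PRI_NAT_SRC: return ip && hook == NF_INET_POST_ROUTING;
	default:                return ip;            /* raw, mangle, security */
	}
}

/* Render a priority as "<name>", "<name> + n" or "<name> - n" using the compatible
 * standard name with the smallest offset (assumed heuristic; 'filter' always fits). */
static const char *prio_to_text(int prio, int family, int hook)
{
	static char buf[32];                  /* example only: not reentrant */
	const char *best = NULL;
	int off = 0;
	for (size_t i = 0; i < sizeof(std_prios) / sizeof(std_prios[0]); i++) {
		int d = prio - std_prios[i].prio;
		if (!std_prio_family_hook_compat(std_prios[i].prio, family, hook))
			continue;
		if (!best || abs(d) < abs(off)) { best = std_prios[i].name; off = d; }
	}
	if (off == 0)
		snprintf(buf, sizeof(buf), "%s", best);
	else
		snprintf(buf, sizeof(buf), "%s %c %d", best, off > 0 ? '+' : '-', abs(off));
	return buf;
}
```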