Re: [PATCH] netfilter: bridge: define INT_MIN & INT_MAX in userspace

2018-10-24 Thread Máté Eckl
On Wed, Oct 24, 2018 at 01:54:03PM +0200, Jiri Slaby wrote:
> With 4.19, programs like ebtables fail to build when they include
> "linux/netfilter_bridge.h". It is caused by commit 94276fa8a2a4 which
> added a use of INT_MIN and INT_MAX to the header:
> : In file included from /usr/include/linux/netfilter_bridge/ebtables.h:18,
> :  from include/ebtables_u.h:28,
> :  from communication.c:23:
> : /usr/include/linux/netfilter_bridge.h:30:20: error: 'INT_MIN' undeclared 
> here (not in a function)
> :   NF_BR_PRI_FIRST = INT_MIN,
> : ^~~
> 
> Define these constants by including "limits.h" when !__KERNEL__ (the
> same way as for other netfilter_* headers).

Indeed I didn't think of this solution.

Thanks for the fix Jiri!

> 
> Fixes: 94276fa8a2a4 ("netfilter: bridge: Expose nf_tables bridge hook 
> priorities through uapi")
> Signed-off-by: Jiri Slaby 
> Cc: Máté Eckl 
> Cc: Pablo Neira Ayuso 

Acked-by: Máté Eckl 

> ---
>  include/uapi/linux/netfilter_bridge.h | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/include/uapi/linux/netfilter_bridge.h 
> b/include/uapi/linux/netfilter_bridge.h
> index 156ccd089df1..1610fdbab98d 100644
> --- a/include/uapi/linux/netfilter_bridge.h
> +++ b/include/uapi/linux/netfilter_bridge.h
> @@ -11,6 +11,10 @@
>  #include 
>  #include 
>  
> +#ifndef __KERNEL__
> +#include  /* for INT_MIN, INT_MAX */
> +#endif
> +
>  /* Bridge Hooks */
>  /* After promisc drops, checksum checks. */
>  #define NF_BR_PRE_ROUTING0
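Review bot: the `#ifndef __KERNEL__` block matches the pattern the commit message cites for the other netfilter_* uapi headers, but the thing to verify is the installed copy, not the tree copy: the quoted error comes from `/usr/include/linux/netfilter_bridge.h:30`, so after `make headers_install` that installed header must carry the `limits.h` include for `NF_BR_PRI_FIRST = INT_MIN` to resolve, and rebuilding ebtables against it is the test that closes the bug report. A mention of that in the commit message would help whoever backports this to 4.19 stable.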
> -- 
> 2.19.1
> 


Re: [libnftnl PATCH] expr: xfrm: Fix for unused variable warning

2018-09-25 Thread Máté Eckl
On Tue, Sep 25, 2018 at 03:38:43PM +0200, Florian Westphal wrote:
> Phil Sutter  wrote:
> > On Tue, Sep 25, 2018 at 12:18:50PM +0200, Florian Westphal wrote:
> > > Phil Sutter  wrote:
> > > > In nftnl_expr_xfrm_json_parse(), variable 'spnum' is apparently unused
> > > > so remove it.
> > > 
> > > It should be used, "spnum" parsing is missing.
> > 
> > I see. Máté, do you plan to add the missing bits?
> 
> I think this was my fsckup, I can handle this.

Then I leave it to you. Thanks!


Re: change netfilter packet flow

2018-09-22 Thread Máté Eckl
Hi,

On Sat, Sep 22, 2018 at 09:05:45AM +0330, morteza1...@gmail.com wrote:
> Hello
> I am in dire need of using squid in my Linux iptables firewall as a
> transparent proxy.
> I want to have both firewalling rules and http filtering with squid based on
> linux iptables.
> I know it is not possible to apply iptables rules in the forward chain and after
> that filter http requests with applications like squid.
> When I use squid for http filtering, squid listens on an input port of the machine,
> so when I redirect packets to the input chain, my firewall rules in the forward
> chain are bypassed. Is there any way to handle such a situation?

I am not sure I understand every part of your email correctly, so you
might need to clarify.

The forward chain is not used because you are not forwarding packets; squid
copies them from one socket to another, so you should forget about the forward
chain in this case. See [1]. In the case of a transparent proxy you route the
packets to the local computer, so according to [1] the forward chain is not
touched.

I suppose you use the SOCKET and/or TPROXY match in the prerouting chain along with
policy routing. AFAIK this makes matching packets appear in the input chain (see
[1] again), so you might try firewalling in the input chain.

Hope this helps,
Mate

[1]: https://www.csie.ntu.edu.tw/~b93070/CNL/v4.0/CNLv4.0.files/image2070.gif

> 
> Do you know how other firewalls like pfSense or OPNsense and ... handle this
> situation?
> 
> tanx
> 
> Sent from my Huawei Mobile


Re: [PATCH nft 3/4] src: tproxy: relax family restrictions

2018-09-04 Thread Máté Eckl
On Thu, Aug 30, 2018 at 10:13:56AM +0200, Florian Westphal wrote:
> Eckl, Máté  wrote:
> > Could you please hold this one back for a few days? I can review this at
> > the beginning of next week and I'd like to because of the tricky use of
> > families.
> 
> Sorry, I pushed it moments ago before seeing your reply.
> You can send a relative patch or even a revert if needed, its no
> problem.

I went through the patch, it seems correct.
I read more into it than there was; it was not obvious on the phone.

Thanks for this one and the JSON support!

Mate


[PATCH nft 2/2] test: shell: Test cases for standard prios for flowtables

2018-08-24 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 tests/shell/testcases/flowtable/0007prio_0 | 24 ++
 tests/shell/testcases/flowtable/0008prio_1 | 14 +
 2 files changed, 38 insertions(+)
 create mode 100755 tests/shell/testcases/flowtable/0007prio_0
 create mode 100755 tests/shell/testcases/flowtable/0008prio_1

diff --git a/tests/shell/testcases/flowtable/0007prio_0 
b/tests/shell/testcases/flowtable/0007prio_0
new file mode 100755
index 000..49bbcac
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0007prio_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+format_offset () {
+   i=$1
+   if ((i == 0))
+   then
+   echo ""
+   elif ((i > 0))
+   then
+   echo "+$i"
+   else
+   echo "$i"
+   fi
+}
+
+$NFT add table t
+for offset in -11 -10 0 10 11
+do
+   $NFT add flowtable t f "{ hook ingress priority filter `format_offset 
$offset`; devices = { lo }; }"
+   $NFT delete flowtable t f
+done
+
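Review bot: `format_offset` is a verbatim copy of the helper in tests/shell/testcases/chains/0021prio_0 from patch 1/2; keeping a single copy that both scripts source would stop the two from drifting apart. Two smaller points: the file ends with an empty line after `done`, and because of `set -e` a failing `$NFT delete flowtable t f` aborts the loop before the remaining offsets are tried, so a regression in `delete` hides the later `add` cases; checking `add` for all offsets first and deleting afterwards would report each case on its own.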
diff --git a/tests/shell/testcases/flowtable/0008prio_1 
b/tests/shell/testcases/flowtable/0008prio_1
new file mode 100755
index 000..87084b9
--- /dev/null
+++ b/tests/shell/testcases/flowtable/0008prio_1
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+$NFT add table t
+for prioname in raw mangle dstnar security srcnat out dummy
+do
+   $NFT add flowtable t f { hook ingress priority $prioname \; devices = { 
lo }\; }
+   if (($? == 0))
+   then
+   echo "E: $prioname should not be a valid priority name for 
flowtables" >&2
+   exit 0
+   fi
+done
+
+exit 1
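Review bot: `dstnar` in the `for prioname in ...` list looks like a typo for `dstnat`; as written, `dstnat` is never exercised and `dstnar` is just a second dummy name, so fix the spelling. Also, the expected nft error for each name is not redirected (0022prio_dummy_1 in patch 1/2 uses `&> /dev/null`), which makes the test output noisy, and the status of the initial `$NFT add table t` is not checked: if that fails, every later `add flowtable` fails too and the script exits 1, i.e. the test passes for the wrong reason.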
-- 
ecklm



[PATCH nft 1/2] test: shell: Test cases for standard chain prios

2018-08-24 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
The indentation of the bash files is intentional, so that single-value
assignments line up with the for-loop assignments.

 tests/shell/testcases/chains/0021prio_0   |   97 ++
 tests/shell/testcases/chains/0022prio_dummy_1 |7 +
 .../testcases/chains/0023prio_inet_srcnat_1   |   16 +
 .../testcases/chains/0024prio_inet_dstnat_1   |   16 +
 tests/shell/testcases/chains/0025prio_arp_1   |   17 +
 .../shell/testcases/chains/0026prio_netdev_1  |   15 +
 .../testcases/chains/0027prio_bridge_dstnat_1 |   15 +
 .../testcases/chains/0028prio_bridge_out_1|   15 +
 .../testcases/chains/0029prio_bridge_srcnat_1 |   15 +
 .../testcases/chains/dumps/0021prio_0.nft | 1546 +
 10 files changed, 1759 insertions(+)
 create mode 100755 tests/shell/testcases/chains/0021prio_0
 create mode 100755 tests/shell/testcases/chains/0022prio_dummy_1
 create mode 100755 tests/shell/testcases/chains/0023prio_inet_srcnat_1
 create mode 100755 tests/shell/testcases/chains/0024prio_inet_dstnat_1
 create mode 100755 tests/shell/testcases/chains/0025prio_arp_1
 create mode 100755 tests/shell/testcases/chains/0026prio_netdev_1
 create mode 100755 tests/shell/testcases/chains/0027prio_bridge_dstnat_1
 create mode 100755 tests/shell/testcases/chains/0028prio_bridge_out_1
 create mode 100755 tests/shell/testcases/chains/0029prio_bridge_srcnat_1
 create mode 100644 tests/shell/testcases/chains/dumps/0021prio_0.nft

diff --git a/tests/shell/testcases/chains/0021prio_0 
b/tests/shell/testcases/chains/0021prio_0
new file mode 100755
index 000..ada1d92
--- /dev/null
+++ b/tests/shell/testcases/chains/0021prio_0
@@ -0,0 +1,97 @@
+#!/bin/bash
+
+set -e
+
+format_offset () {
+   i=$1
+   if ((i == 0))
+   then
+   echo ""
+   elif ((i > 0))
+   then
+   echo "+$i"
+   else
+   echo "$i"
+   fi
+}
+
+chainname () {
+   hook=$1
+   prioname=$2
+   priooffset=$3
+
+   echo "${hook}${prioname}${priooffset}" | tr "\-+" "mp"
+}
+
+gen_chains () {
+   family=$1
+   hook=$2
+   prioname=$3
+
+   for i in -11 -10 0 10 11
+   do
+   offset=`format_offset $i`
+   $NFT add chain $family x `chainname $hook $prioname $offset` "{ 
type filter hook $hook priority $prioname $offset; }"
+   done
+}
+
+for family in ip ip6 inet
+do
+   $NFT add table $family x
+   for hook in prerouting input forward output postrouting
+   do
+   for prioname in raw mangle filter security
+   do
+   gen_chains $family $hook $prioname
+   done
+   done
+
+   hook=prerouting
+   prioname=dstnat
+   gen_chains $family $hook $prioname
+
+   hook=postrouting
+   prioname=srcnat
+   gen_chains $family $hook $prioname
+done
+
+
+family=arp
+   $NFT add table $family x
+   for hook in input output
+   do
+   prioname=filter
+   gen_chains $family $hook $prioname
+   done
+
+
+family=netdev
+   $NFT add table $family x
+   hook=ingress
+   prioname=filter
+   for i in -11 -10 0 10 11
+   do
+   offset=`format_offset $i`
+   $NFT add chain $family x `chainname $hook 
$prioname $offset` "{ type filter hook $hook device lo priority $prioname 
$offset; }"
+   done
+
+family=bridge
+   $NFT add table $family x
+   for hook in prerouting input forward output postrouting
+   do
+   prioname=filter
+   gen_chains $family $hook $prioname
+   done
+
+   hook=prerouting
+   prioname=dstnat
+   gen_chains $family $hook $prioname
+
+   hook=output
+   prioname=out
+   gen_chains $family $hook $prioname
+
+   hook=postrouting
+   prioname=srcnat
+   gen_chains $family $hook $prioname
+
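Review bot: the arp, netdev and bridge blocks are indented one level without any enclosing loop or function; the cover note says this is deliberate so they line up with the `for family in ...` loop above, but a reader of the script alone cannot know that, so either a one-line comment in the file or wrapping each block in its own `for family in arp` / `for family in netdev` loop for symmetry would make it self-explanatory. The trailing empty line after the last `gen_chains` should go. Note also that this script only checks that every name/offset combination is accepted; the printed-back textual names are pinned by tests/shell/testcases/chains/dumps/0021prio_0.nft (1546 lines per the diffstat), so any change to the numeric-to-name mapping will show up as a dump mismatch rather than here.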
diff --git a/tests/shell/testcases/chains/0022prio_dummy_1 
b/tests/shell/testcases/chains/0022prio_dummy_1
new file mode 100755
index 000..ecdd945
--- /dev/null
+++ b/tests/shell/testcases/chains/0022prio_dummy_1
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+$NFT add table ip x
+$NFT add chain ip x y "{ type filter hook input priority dummy+1; }" &> 
/dev/null
+echo "E: dummy should not be a valid priority." >&2
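Review bot: this test depends on `set -e` to turn the expected `nft` failure into the script's exit status 1; if nft wrongly accepts `dummy+1`, the `echo` runs and the script ends with status 0, which the `_1` suffix treats as a failed test. That works, but the intent is easier to see with an explicit `exit 0` after the `echo` (as 0008prio_1 in patch 2/2 does) or with an explicit status check instead of `set -e`, and the two negative tests would then follow the same convention.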
diff --git a/tests/shell/testcases/chains/0023prio_inet_srcnat_1 
b/tests/shell/testcases/chains/0023prio_inet_srcnat_1
new file mode 100755
index 000..fa53f7a
--- /dev/null
+++ b/tests/shell/testcases/chains/0023prio_inet_srcnat_1
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+for family in ip ip6 inet
+do
+   for hook in prerouting input forward output
+  

[PATCH v2 nft] Standard prios: Make invalid prio error more specific

2018-08-23 Thread Máté Eckl
So far, if an invalid priority name was specified, the error message referred
to the whole chain/flowtable specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
 ^

With this patch this reference is made specific to the priority
specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
   ^^

`prio_spec` is also reused to keep naming intuitive. The parser section
formerly named `prio_spec` is renamed to `int_num` as it basically provides the
mathematical set of integer numbers.

Signed-off-by: Máté Eckl 
---
v2:
 - I missed a semicolon after prio-spec

 include/rule.h |  1 +
 src/evaluate.c | 11 ++-
 src/parser_bison.y | 23 +++
 3 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/include/rule.h b/include/rule.h
index d564cb0..cfbbcf1 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -172,6 +172,7 @@ enum chain_flags {
 struct prio_spec {
const char  *str;
int  num;
+   struct location loc;
 };
 
 /**
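Review bot: with `loc` added to `struct prio_spec`, every place that builds a `prio_spec` must fill it in, otherwise the new `__stmt_binary_error(ctx, &chain->priority.loc, ...)` calls in evaluate.c report an uninitialised location; the `prio_spec` grammar action that is expected to store `@$` is not in the visible part of this posting, so please confirm it is set on both the named path and the plain-integer (`int_num`) path.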
diff --git a/src/evaluate.c b/src/evaluate.c
index 8b2cd8c..a5431c1 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2995,8 +2995,9 @@ static int flowtable_evaluate(struct eval_ctx *ctx, 
struct flowtable *ft)
return chain_error(ctx, ft, "invalid hook %s", ft->hookstr);
 
if (!evaluate_priority(>priority, NFPROTO_NETDEV, ft->hooknum))
-   return chain_error(ctx, ft, "'%s' is invalid priority.",
-  ft->priority.str);
+   return __stmt_binary_error(ctx, >priority.loc, NULL,
+  "'%s' is invalid priority.",
+  ft->priority.str);
 
if (!ft->dev_expr)
return chain_error(ctx, ft, "Unbound flowtable not allowed 
(must specify devices)");
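Review bot: the flowtable message keeps the old wording `'%s' is invalid priority.` while the chain path below says `... in this context.`; since only `filter` is accepted for flowtables (netdev family, ingress hook), the context matters here just as much, so using the same text in both places keeps the error output uniform and lets the shell tests share one expected string.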
@@ -3153,9 +3154,9 @@ static int chain_evaluate(struct eval_ctx *ctx, struct 
chain *chain)
 
if (!evaluate_priority(>priority, chain->handle.family,
   chain->hooknum))
-   return chain_error(ctx, chain,
-  "'%s' is invalid priority in this 
context.",
-  chain->priority.str);
+   return __stmt_binary_error(ctx, >priority.loc, 
NULL,
+  "'%s' is invalid priority in 
this context.",
+  chain->priority.str);
}
 
list_for_each_entry(rule, >rules, list) {
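Review bot: `__stmt_binary_error` is the double-underscore internal helper for statement errors; calling it from chain evaluation with a `NULL` second location works, but it mixes `chain_error` and `__stmt_binary_error` in the same function. A small wrapper along the lines of `prio_error(ctx, &chain->priority, fmt, ...)` would hide the unused second-location argument and give the flowtable path above the same entry point.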
diff --git a/src/parser_bison.y b/src/parser_bison.y
index bc6f727..80151f1 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -528,8 +528,8 @@ int nft_lex(void *, void *, void *);
 %destructor { handle_free(&$$); } table_spec tableid_spec chain_spec 
chainid_spec flowtable_spec chain_identifier ruleid_spec handle_spec 
position_spec rule_position ruleset_spec index_spec
 %type  set_spec setid_spec set_identifier 
flowtable_identifier obj_spec objid_spec obj_identifier
 %destructor { handle_free(&$$); } set_spec setid_spec set_identifier obj_spec 
objid_spec obj_identifier
-%type family_spec family_spec_explicit chain_policy 
prio_spec
-%type   extended_prio_spec
+%type family_spec family_spec_explicit chain_policy 
int_num
+%type   extended_prio_spec prio_spec
 
 %type  dev_spec quota_unit
 %destructor { xfree($$); } dev_spec quota_unit
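Review bot: after the rename, `int_num` carries the integer type that `prio_spec` used to have and `prio_spec` now shares the struct type with `extended_prio_spec`, so any other grammar rule that still uses `prio_spec` expecting a plain integer silently gets the struct type; bison only reports a clash where a `$n` of that symbol is used, so a clean rebuild with bison warnings read is worth doing before pushing. The v2 changelog's missing-semicolon fix is in this file but not in the visible hunks.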
@@ -1647,7 +1647,7 @@ flowtable_block_alloc :   /* empty */
 flowtable_block:   /* empty */ { $$ = $-1; }
|   flowtable_block common_block
|   flowtable_block stmt_separator
-   |   flowtable_block HOOKSTRING  
PRIORITYextended_prio_spec  stmt_separator
+   |   flowtable_block HOOKSTRING  
prio_spec   stmt_separator
{
$$->hookstr = chain_hookname_lookup($3);
if ($$->hookstr == NULL) {
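Review bot: folding `PRIORITY` into `prio_spec` shortens the right-hand side by one symbol, so `$3` for the hook name is still correct but every later `$n` in this action shifts down by one; the hunk is cut off in this copy just before the `$$->priority` assignment, where the v1 posting shows the index going from `$5` to `$4`, so double-check that no other `$5` or `$6` reference remains further down in the action.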
@@ -1658,7 +1658,7 @@ flowtable_block   :   /* empty */ { $$ = 
$-1; }
}
xfree($3);
 
-   $$->priority = $5;
+  

[PATCH nft] Standard prios: Make invalid prio error more specific

2018-08-23 Thread Máté Eckl
So far, if an invalid priority name was specified, the error message referred
to the whole chain/flowtable specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
 ^

With this patch this reference is made specific to the priority
specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
   ^^

`prio_spec` is also reused to keep naming intuitive. The parser section
formerly named `prio_spec` is renamed to `int_num` as it basically provides the
mathematical set of integer numbers.

Signed-off-by: Máté Eckl 
---
 include/rule.h |  1 +
 src/evaluate.c | 11 ++-
 src/parser_bison.y | 22 ++
 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/include/rule.h b/include/rule.h
index d564cb0..cfbbcf1 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -172,6 +172,7 @@ enum chain_flags {
 struct prio_spec {
const char  *str;
int  num;
+   struct location loc;
 };
 
 /**
diff --git a/src/evaluate.c b/src/evaluate.c
index 8b2cd8c..a5431c1 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2995,8 +2995,9 @@ static int flowtable_evaluate(struct eval_ctx *ctx, 
struct flowtable *ft)
return chain_error(ctx, ft, "invalid hook %s", ft->hookstr);
 
if (!evaluate_priority(>priority, NFPROTO_NETDEV, ft->hooknum))
-   return chain_error(ctx, ft, "'%s' is invalid priority.",
-  ft->priority.str);
+   return __stmt_binary_error(ctx, >priority.loc, NULL,
+  "'%s' is invalid priority.",
+  ft->priority.str);
 
if (!ft->dev_expr)
return chain_error(ctx, ft, "Unbound flowtable not allowed 
(must specify devices)");
@@ -3153,9 +3154,9 @@ static int chain_evaluate(struct eval_ctx *ctx, struct 
chain *chain)
 
if (!evaluate_priority(>priority, chain->handle.family,
   chain->hooknum))
-   return chain_error(ctx, chain,
-  "'%s' is invalid priority in this 
context.",
-  chain->priority.str);
+   return __stmt_binary_error(ctx, >priority.loc, 
NULL,
+  "'%s' is invalid priority in 
this context.",
+  chain->priority.str);
}
 
list_for_each_entry(rule, >rules, list) {
diff --git a/src/parser_bison.y b/src/parser_bison.y
index bc6f727..7e247bc 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -528,8 +528,8 @@ int nft_lex(void *, void *, void *);
 %destructor { handle_free(&$$); } table_spec tableid_spec chain_spec 
chainid_spec flowtable_spec chain_identifier ruleid_spec handle_spec 
position_spec rule_position ruleset_spec index_spec
 %type  set_spec setid_spec set_identifier 
flowtable_identifier obj_spec objid_spec obj_identifier
 %destructor { handle_free(&$$); } set_spec setid_spec set_identifier obj_spec 
objid_spec obj_identifier
-%type family_spec family_spec_explicit chain_policy 
prio_spec
-%type   extended_prio_spec
+%type family_spec family_spec_explicit chain_policy 
int_num
+%type   extended_prio_spec prio_spec
 
 %type  dev_spec quota_unit
 %destructor { xfree($$); } dev_spec quota_unit
@@ -1647,7 +1647,7 @@ flowtable_block_alloc :   /* empty */
 flowtable_block:   /* empty */ { $$ = $-1; }
|   flowtable_block common_block
|   flowtable_block stmt_separator
-   |   flowtable_block HOOKSTRING  
PRIORITYextended_prio_spec  stmt_separator
+   |   flowtable_block HOOKSTRING  
prio_spec   stmt_separator
{
$$->hookstr = chain_hookname_lookup($3);
if ($$->hookstr == NULL) {
@@ -1658,7 +1658,7 @@ flowtable_block   :   /* empty */ { $$ = 
$-1; }
}
xfree($3);
 
-   $$->priority = $5;
+   $$->priority = $4;
 

[PATCH nf-next] netfilter: nft_tproxy: Fix missing-braces warning

2018-08-14 Thread Máté Eckl
This patch fixes a warning reported by the kbuild test robot (from linux-next
tree):
   net/netfilter/nft_tproxy.c: In function 'nft_tproxy_eval_v6':
>> net/netfilter/nft_tproxy.c:85:9: warning: missing braces around initializer 
>> [-Wmissing-braces]
 struct in6_addr taddr = {0};
^
   net/netfilter/nft_tproxy.c:85:9: warning: (near initialization for 
'taddr.in6_u') [-Wmissing-braces]

This warning is actually caused by a gcc bug already resolved in newer
versions (kbuild used 4.9), so this kind of initialization is omitted and
memset is used instead.

Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Signed-off-by: Máté Eckl 
---
 net/netfilter/nft_tproxy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index eff99dffc842..f92a82c73880 100644
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -82,13 +82,15 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
const struct nft_tproxy *priv = nft_expr_priv(expr);
struct sk_buff *skb = pkt->skb;
const struct ipv6hdr *iph = ipv6_hdr(skb);
-   struct in6_addr taddr = {0};
+   struct in6_addr taddr;
int thoff = pkt->xt.thoff;
struct udphdr _hdr, *hp;
__be16 tport = 0;
struct sock *sk;
int l4proto;
 
+   memset(, 0, sizeof(taddr));
+
if (!pkt->tprot_set) {
regs->verdict.code = NFT_BREAK;
return;
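Review bot: the `memset(&taddr, 0, sizeof(taddr))` is placed before the `if (!pkt->tprot_set)` early return, so the zeroing happens even for packets that leave the evaluation immediately; moving it after that check, next to the first use of `taddr`, keeps the early-exit path shorter and the initialisation close to its use. Functionally the memset is equivalent to the removed `= {0}` initialiser, and the declaration order still follows the reverse-christmas-tree convention.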
-- 
ecklm



Re: [PATCH v5 nft] Set/print standard chain prios with textual names

2018-08-14 Thread Máté Eckl
On Tue, Aug 14, 2018 at 03:26:16PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Aug 03, 2018 at 10:55:33AM +0200, Máté Eckl wrote:
> > This patch adds the possibility to use textual names to set the chain priority
> > to standard values so that numeric values do not need to be learnt any more for
> > basic usage.
> > 
> [...]
> > Example:
> > nft> add table ip x
> > nft> add chain ip x y { type filter hook prerouting priority raw; }
> > nft> add chain ip x z { type filter hook prerouting priority mangle + 1; }
> > nft> add chain ip x w { type filter hook prerouting priority dstnat - 5; }
> > nft> add chain ip x r { type filter hook prerouting priority filter + 10; }
> > nft> add chain ip x t { type filter hook prerouting priority security; }
> > nft> add chain ip x q { type filter hook postrouting priority srcnat + 11; }
> > nft> add chain ip x h { type filter hook prerouting priority 15; }
> 
> Applied, thanks Máté. BTW, can we have automated tests for this?

I will make them.

> 
> [...]
> > nft> add chain ip x h { type filter hook prerouting priority first; }
> > Error: 'first' is invalid priority in this context.
> > add chain ip x h { type filter hook prerouting priority first; }
> >  ^
> 
> BTW, now that you have added a prio_spec object, you can place the
> struct location there and store the position from the parser, so we
> can perform better error reporting, eg.
> 
> nft> add chain ip x h { type filter hook prerouting priority first; }
> Error: 'first' is invalid priority in this context.
> add chain ip x h { type filter hook prerouting priority first; }
>^^

Thanks for the idea, I'll try it out next week.

> 
> Thanks.
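
The textual priorities discussed above, with the per-family hook restrictions that the 1/2 and 2/2 shell test patches in this thread exercise and the located error marker that the later "Make invalid prio error more specific" patch produces, as an added Python model; it is not nft's own C code. The numeric base values are the standard netfilter NF_IP_PRI_* / NF_BR_PRI_* hook priorities the names stand for, the hook restrictions are taken from the test cases on this page, and the function names and the `add chain` line shape are assumptions of this example.

```python
"""Added example: a model of nft's textual chain/flowtable priorities."""
import re
from typing import Dict, Optional, Set, Tuple

# Base values for the standard names: the netfilter NF_IP_PRI_* / NF_BR_PRI_*
# hook priorities the names stand for. ip, ip6 and inet share the "ip" table.
STD_PRIOS: Dict[str, Dict[str, int]] = {
    "ip": {"raw": -300, "mangle": -150, "dstnat": -100,
           "filter": 0, "security": 50, "srcnat": 100},
    "bridge": {"dstnat": -300, "filter": -200, "out": 100, "srcnat": 300},
    "arp": {"filter": 0},
    "netdev": {"filter": 0},
}

# Hooks on which each name is accepted (None = every hook of that family),
# as exercised by tests/shell/testcases/chains/0021prio_0 and the *_1 tests.
NAME_HOOKS: Dict[str, Dict[str, Optional[Set[str]]]] = {
    "ip": {"raw": None, "mangle": None, "filter": None, "security": None,
           "dstnat": {"prerouting"}, "srcnat": {"postrouting"}},
    "bridge": {"filter": None, "dstnat": {"prerouting"},
               "out": {"output"}, "srcnat": {"postrouting"}},
    "arp": {"filter": {"input", "output"}},
    "netdev": {"filter": {"ingress"}},
}

# prio_spec: either a plain integer (the grammar's int_num) or a name with an
# optional signed offset: "mangle + 1", "dstnat - 5", "filter+10".
_SPEC_RE = re.compile(
    r"^\s*(?:(?P<num>[+-]?\d+)|(?P<name>[A-Za-z_]\w*)"
    r"(?:\s*(?P<sign>[+-])\s*(?P<off>\d+))?)\s*$")


def parse_prio_spec(spec: str) -> Tuple[Optional[str], int]:
    """Return (name, number); name is None when spec is a bare integer."""
    m = _SPEC_RE.match(spec)
    if m is None:
        raise ValueError("syntax error in priority '%s'" % spec.strip())
    if m.group("num") is not None:
        return None, int(m.group("num"))
    offset = int(m.group("off") or 0)
    return m.group("name"), -offset if m.group("sign") == "-" else offset


def evaluate_priority(family: str, hook: str, spec: str) -> int:
    """Resolve a chain priority spec to a number, raising ValueError with the
    wording nft uses when the name is not valid for this family and hook."""
    name, num = parse_prio_spec(spec)
    if name is None:
        return num                       # numeric priorities are always fine
    table = "ip" if family in ("ip", "ip6", "inet") else family
    hooks = NAME_HOOKS.get(table, {})
    if name not in hooks or (hooks[name] is not None and hook not in hooks[name]):
        raise ValueError("'%s' is invalid priority in this context." % name)
    return STD_PRIOS[table][name] + num


def flowtable_priority(spec: str) -> int:
    """Flowtables hook ingress in the netdev family, so only 'filter' (with an
    offset) or a bare number is accepted, as test 0008prio_1 checks."""
    name, num = parse_prio_spec(spec)
    if name is None:
        return num
    if name != "filter":
        raise ValueError("'%s' is invalid priority." % name)
    return STD_PRIOS["netdev"]["filter"] + num


# Assumed 'add chain' line shape, used only to locate the priority token.
_CHAIN_CMD_RE = re.compile(
    r"^add chain (?P<family>\w+) \w+ \w+ \{ type \w+ hook (?P<hook>\w+)"
    r" priority (?P<spec>[^;]+); \}$")


def check_chain_cmd(cmd: str) -> str:
    """Evaluate the priority of an 'add chain' command. Return the resolved
    number as text, or an nft-style error whose marker line points only at
    the priority spec, which is what storing the parser location in
    struct prio_spec makes possible."""
    m = _CHAIN_CMD_RE.match(cmd)
    if m is None:
        return "Error: unsupported command shape\n" + cmd
    try:
        return str(evaluate_priority(m.group("family"), m.group("hook"),
                                     m.group("spec")))
    except ValueError as err:
        start, end = m.span("spec")
        return "Error: %s\n%s\n%s%s" % (err, cmd, " " * start,
                                        "^" * (end - start))


if __name__ == "__main__":
    print(check_chain_cmd(
        "add chain ip x h { type filter hook prerouting priority first; }"))
```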


Re: [PATCH] doc: Remove double-spacing in text

2018-08-14 Thread Máté Eckl
On Tue, Aug 14, 2018 at 02:31:51PM +1000, Duncan Roe wrote:
> Double-spacing in .txt files has no effect on PDF or man page output and
> can make it hard to locate phrases when editing, so remove them.
> 
> Signed-off-by: Duncan Roe 


Hi,

Most (if not all) of these double spaces are produced by vim auto-reformatting,
so basically they are intentionally there.

Being automatic, I don't think they will be avoided in the future. Add to that
that they are there to make the text as justified as possible (and the man page does
not include extra spaces from the source), so I think it is not a problem to have
them.

Regards,
Mate


Re: [PATCH] nft: doc: Fixed all the typos in asciidoc

2018-08-08 Thread Máté Eckl
On Wed, Aug 08, 2018 at 03:18:18PM +0530, Arushi Singhal wrote:
> Hello
> 
> On Wed, Aug 8, 2018 at 12:12 PM, Máté Eckl  wrote:
> 
> > On Wed, Aug 08, 2018 at 11:00:36AM +0530, Arushi Singhal wrote:
> > > Correct all the typo mistakes done while converting man page source to
> > > asciidoc.
> >
> > Hi,
> >
> > I made only two comments. See below.
> >
> > >
> > > Signed-off-by: Arushi Singhal 
> > > ---
> > >  doc/data-types.txt | 2 +-
> > >  doc/nft.txt| 7 +++
> > >  doc/primary-expression.txt | 2 +-
> > >  doc/statements.txt | 6 +++---
> > >  4 files changed, 8 insertions(+), 9 deletions(-)
> > >  mode change 100644 => 100755 doc/nft.txt
> > >
> > > diff --git a/doc/data-types.txt b/doc/data-types.txt
> > > index 8bbdd57..39c65ac 100644
> > > --- a/doc/data-types.txt
> > > +++ b/doc/data-types.txt
> > > @@ -362,7 +362,7 @@ ICMPVX CODE TYPE
> > >  |==
> > >  |Name | Keyword | Size | Base type
> > >  |ICMPvX Code |
> > > -icmpv6_type |
> > > +icmpx_code |
> >
> > icmpvx ?
> >
> 
> I followed xml doc for converting it into asciidoc and there it was "
> icmpx_code".
> 
> 
> > >  8 bit |
> > >  integer
> > >  |===
> > > diff --git a/doc/nft.txt b/doc/nft.txt
> > > old mode 100644
> > > new mode 100755
> > > index 0f824a5..c1e807c
> > > --- a/doc/nft.txt
> > > +++ b/doc/nft.txt
> > > @@ -61,8 +61,8 @@ For a full summary of options, run *nft --help*.
> > >
> > >  *-e*::
> > >  *--echo*::
> > > - When  inserting  items  into the ruleset using add, insert or
> > replace commands, print notifications
> > > - just like nft monitor.
> > > + When  inserting  items  into the ruleset using *add*, *insert* or
> > *replace* commands, print notifications
> > > + just like *nft monitor*.
> > >
> > >  *-I*::
> > >  *--includepath directory*::
> > > @@ -72,7 +72,7 @@ For a full summary of options, run *nft --help*.
> > >  *-f*::
> > >  *--file 'filename'*::
> > >   Read input from 'filename'. If 'filename' is -, read from stdin. +
> > > - nft scripts must start #!/usr/sbin/nft -f
> > > + nft scripts must start *#!/usr/sbin/nft -f*
> > >
> > >  *-i*::
> > >  *--interactive*::
> > > @@ -571,7 +571,6 @@ numbers etc. or data gathered from the packet
> > during  ruleset  evaluation.
> > >  Expressions can be combined using binary, logical, relational and other
> > types of
> > >  expressions to form complex or relational (match) expressions. They are
> > also
> > >  used as arguments to certain types of operations, like NAT, packet
> > marking etc.
> > > -+
> > >
> > >  Each expression has a data type, which determines the size, parsing and
> > >  representation of symbolic values and type compatibility with other
> > expressions.
> > > diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
> > > index 13adfe3..3cea23e 100644
> > > --- a/doc/primary-expression.txt
> > > +++ b/doc/primary-expression.txt
> > > @@ -130,7 +130,7 @@ raw prerouting meta secpath exists accept
> > >  SOCKET EXPRESSION
> > >  ~
> > >  [verse]
> > > -socket {transparent}
> > > +socket \{transparent\}
> > >
> > >  Socket expression can be used to search for an existing open TCP/UDP
> > socket and
> > >  its attributes that can be associated with a packet. It looks for an
> > established
> > > diff --git a/doc/statements.txt b/doc/statements.txt
> > > index 8a54a6b..19ed197 100644
> > > --- a/doc/statements.txt
> > > +++ b/doc/statements.txt
> > > @@ -62,8 +62,8 @@ tcp flags syn tcp option maxseg size set rt mtu
> > >  LOG STATEMENT
> > >  ~
> > >  [verse]
> > > -log [prefix quoted_string] [level syslog-level] [flags log-flags]
> > > -log group nflog_group [prefix quoted_string] [queue-threshold value]
> > [snaplen size]
> > > +*log* [prefix 'quoted_string'] [level 'syslog-level'] [flags
> > 'log-flags']
> > > +*log* group 'nflog_group' [prefix 'quoted_string'] [queue-threshold
> > 'value'] [snaplen 'size']
> > >
> > >  The log statement enables logging of matching packets. When th

Re: [PATCH] nft: doc: Fixed all the typos in asciidoc

2018-08-08 Thread Máté Eckl
On Wed, Aug 08, 2018 at 11:00:36AM +0530, Arushi Singhal wrote:
> Correct all the typo mistakes done while converting man page source to
> asciidoc.

Hi,

I made only two comments. See below.

> 
> Signed-off-by: Arushi Singhal 
> ---
>  doc/data-types.txt | 2 +-
>  doc/nft.txt| 7 +++
>  doc/primary-expression.txt | 2 +-
>  doc/statements.txt | 6 +++---
>  4 files changed, 8 insertions(+), 9 deletions(-)
>  mode change 100644 => 100755 doc/nft.txt
> 
> diff --git a/doc/data-types.txt b/doc/data-types.txt
> index 8bbdd57..39c65ac 100644
> --- a/doc/data-types.txt
> +++ b/doc/data-types.txt
> @@ -362,7 +362,7 @@ ICMPVX CODE TYPE
>  |==
>  |Name | Keyword | Size | Base type
>  |ICMPvX Code |
> -icmpv6_type |
> +icmpx_code |

icmpvx ?

>  8 bit |
>  integer
>  |===
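Review bot: the Keyword column is meant to carry the datatype name that nft itself prints and accepts, so `icmpx_code` should be checked against what the tool reports for the type rather than against the old xml source alone (the reply in this thread only says the xml doc used `icmpx_code`). Replacing `icmpv6_type` is clearly right in any case, since this row is the ICMPvX *code* type.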
> diff --git a/doc/nft.txt b/doc/nft.txt
> old mode 100644
> new mode 100755
> index 0f824a5..c1e807c
> --- a/doc/nft.txt
> +++ b/doc/nft.txt
> @@ -61,8 +61,8 @@ For a full summary of options, run *nft --help*.
>  
>  *-e*::
>  *--echo*::
> - When  inserting  items  into the ruleset using add, insert or replace 
> commands, print notifications
> - just like nft monitor.
> + When  inserting  items  into the ruleset using *add*, *insert* or 
> *replace* commands, print notifications
> + just like *nft monitor*.
>  
>  *-I*::
>  *--includepath directory*::
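Review bot: the file header for doc/nft.txt shows `old mode 100644` / `new mode 100755` (also listed as a mode change in the diffstat); a documentation source should not become executable, so that part of the patch looks accidental and should be dropped before applying. The bolding of `*add*`, `*insert*`, `*replace*` and `*nft monitor*` in this hunk is fine.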
> @@ -72,7 +72,7 @@ For a full summary of options, run *nft --help*.
>  *-f*::
>  *--file 'filename'*::
>   Read input from 'filename'. If 'filename' is -, read from stdin. +
> - nft scripts must start #!/usr/sbin/nft -f
> + nft scripts must start *#!/usr/sbin/nft -f*
>  
>  *-i*::
>  *--interactive*::
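Review bot: while touching this line, `nft scripts must start *#!/usr/sbin/nft -f*` still reads oddly without a preposition; `must start with` would complete the typo fix the patch sets out to make.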
> @@ -571,7 +571,6 @@ numbers etc. or data gathered from the packet  during  
> ruleset  evaluation.
>  Expressions can be combined using binary, logical, relational and other 
> types of
>  expressions to form complex or relational (match) expressions. They are also
>  used as arguments to certain types of operations, like NAT, packet marking 
> etc.
> -+
>  
>  Each expression has a data type, which determines the size, parsing and
>  representation of symbolic values and type compatibility with other 
> expressions.
> diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
> index 13adfe3..3cea23e 100644
> --- a/doc/primary-expression.txt
> +++ b/doc/primary-expression.txt
> @@ -130,7 +130,7 @@ raw prerouting meta secpath exists accept
>  SOCKET EXPRESSION
>  ~
>  [verse]
> -socket {transparent}
> +socket \{transparent\}
>  
>  Socket expression can be used to search for an existing open TCP/UDP socket 
> and
>  its attributes that can be associated with a packet. It looks for an 
> established
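Review bot: the escaping to `\{transparent\}` is needed because asciidoc reads `{transparent}` as an attribute reference and, with its default handling of a missing attribute, drops the whole line from the output, so the old text was losing the syntax line entirely; `{add | insert}` style alternatives elsewhere in the docs are not affected because the spaces and `|` stop them from matching an attribute name. A sentence about this in the commit message would stop someone from "fixing" the backslashes back later.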
> diff --git a/doc/statements.txt b/doc/statements.txt
> index 8a54a6b..19ed197 100644
> --- a/doc/statements.txt
> +++ b/doc/statements.txt
> @@ -62,8 +62,8 @@ tcp flags syn tcp option maxseg size set rt mtu
>  LOG STATEMENT
>  ~
>  [verse]
> -log [prefix quoted_string] [level syslog-level] [flags log-flags]
> -log group nflog_group [prefix quoted_string] [queue-threshold value] 
> [snaplen size]
> +*log* [prefix 'quoted_string'] [level 'syslog-level'] [flags 'log-flags']
> +*log* group 'nflog_group' [prefix 'quoted_string'] [queue-threshold 'value'] 
> [snaplen 'size']
>  
>  The log statement enables logging of matching packets. When this statement is
>  used from a rule, the Linux kernel will print some information on all 
> matching
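Review bot: in the new `*log*` lines the operands are quoted (`'quoted_string'`, `'syslog-level'`) and `log` is bold, but the fixed sub-keywords `prefix`, `level`, `flags`, `group`, `queue-threshold` and `snaplen` are left plain; that is the same inconsistency raised below for `counter`, so whichever convention is chosen should be applied to these sub-keywords in the same patch.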
> @@ -165,7 +165,7 @@ COUNTER STATEMENT
>  A counter statement sets the hit count of packets along with the number of 
> bytes.
>  
>  [verse]
> -counter [ packets 'number' bytes 'number' ]
> +*counter* [ packets 'number' bytes 'number' ]

How do you decide whether the keyword should be bold or not? I'm asking this because
even in this comment there is a syntax line where the keyword is not bold, and
if you are doing this, perhaps it's better to do it everywhere or nowhere, to avoid
later commits with the same purpose. There have already been some typo fixes.

>  
>  CONNTRACK STATEMENT
>  ~~~
> -- 
> 2.7.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH] nft: doc: fix make distcheck

2018-08-08 Thread Máté Eckl
On Wed, Aug 08, 2018 at 10:49:26AM +0530, Arushi Singhal wrote:
> fix make distcheck for conversion to asciidoc.
> 
> Signed-off-by: Arushi Singhal 
> ---
>  doc/Makefile.am | 8 
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/doc/Makefile.am b/doc/Makefile.am
> index 291bcc8..4d8cd98 100644
> --- a/doc/Makefile.am
> +++ b/doc/Makefile.am
> @@ -17,11 +17,11 @@ ASCIIDOCS = ${ASCIIDOC_MAIN} ${ASCIIDOC_INCLUDES}
>  
>  pdfdir=${docdir}/pdf
>  
> -nft.8: ${ASCIIDOCS}
> - ${AM_V_GEN}${A2X} --doctype manpage --format manpage ${ASCIIDOC_MAIN}
> +.txt.8: ${ASCIIDOCS}

Why is this .txt suffix good? I applied the patch and I didn't notice any change
in the output filename.
Nevertheless I don't see why one should include the input file extension in the
output file name.

> + ${AM_V_GEN}${A2X} --doctype manpage --format manpage $<
>  
> -nft.pdf: ${ASCIIDOCS}
> - ${AM_V_GEN}${A2X} --doctype manpage --format pdf ${ASCIIDOC_MAIN}
> +.txt.pdf: ${ASCIIDOCS}

Same question here.

> + ${AM_V_GEN}${A2X} --doctype manpage --format pdf $<
>  
>  .adoc.pdf:
>   a2x --doctype manpage --format pdf -D ${builddir} $<
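Review bot: `.txt.8: ${ASCIIDOCS}` and `.txt.pdf: ${ASCIIDOCS}` are not suffix rules at all: GNU make only treats `.a.b:` as a suffix rule when it has no prerequisites of its own, and with prerequisites it becomes an ordinary rule for a file literally named `.txt.8`, which is consistent with the observation above that nothing changed. Either keep the explicit `nft.8:` / `nft.pdf:` targets (using `$<` there is fine, since `${ASCIIDOC_MAIN}` is the first word of `${ASCIIDOCS}`), or write real prerequisite-free suffix rules with `SUFFIXES = .txt .8 .pdf` and put the dependencies on a separate `nft.8: ${ASCIIDOCS}` line, the way the existing `.adoc.pdf:` rule below is written.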
> -- 
> 2.7.4
> 


[PATCH nft] doc: Add comment possibility to man page

2018-08-06 Thread Máté Eckl
Commenting is really useful in complex rulesets; however, it is not
documented that comments can be added to any rule.

This patch adds commenting possibility to the man page.

Signed-off-by: Máté Eckl 
---
This patch should be applied after '[PATCH nft] doc: fix syntax for RULES', which
is important because otherwise a2x produces a strange error message.

asciidoc: ERROR: nft.txt: line 359: illegal style name: add | insert] 
*rule* ['family'] 'table' 'chain' [ {handle | position} 'handle' | index 
'index' ] 'statement' ... [ comment 'comment'

The mentioned patch is meaningful though, so it should not be a problem.

 doc/nft.txt | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/doc/nft.txt b/doc/nft.txt
index 7495296..703cca1 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -356,8 +356,8 @@ are *accept* (which is the default) or *drop*.
 RULES
 -
 [verse]
-{add | insert} *rule* ['family'] 'table' 'chain' [ {handle | position} 
'handle' | index 'index' ] 'statement'...
-replace *rule* ['family'] 'table' 'chain' handle 'handle' 'statement'...
+{add | insert} *rule* ['family'] 'table' 'chain' [ {handle | position} 
'handle' | index 'index' ] 'statement' ... [ comment 'comment' ]
+replace *rule* ['family'] 'table' 'chain' handle 'handle' 'statement' ... [ 
comment 'comment' ]
 delete *rule* ['family'] 'table' 'chain' handle 'handle'
 
 Rules are added to chains in the given table. If the family is not specified, 
the
@@ -373,6 +373,11 @@ rule  index might change if a rule was inserted or deleted 
before the referred
 one. If the referred rule was deleted, the command is rejected by the kernel
 just as if an invalid 'handle' was given.
 
+A 'comment' is a single word or a double-quoted (") multi-word string which can
+be used to make notes regarding the actual rule. *Note:* If you use bash for
+adding rules, you have to escape the quotation marks (eg. \"enable ssh for
+servers\")
+
 [horizontal]
 *add*:: Add a new rule described by the list of statements. The
 rule is appended to the given chain unless a position is specified, in which
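Review bot: the bash remark in the new paragraph describes shell quoting in general, not bash: the inner double quotes only need escaping when the rule is passed as a command-line argument (`nft add rule ... comment \"enable ssh for servers\"`, or equivalently the whole rule wrapped in single quotes), and not at all in a file loaded with `nft -f` or in interactive mode. Suggest "If you pass the rule on the shell command line, escape or single-quote the quotation marks", and "e.g." for "eg.".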
-- 
ecklm



[PATCH nft] doc: fix syntax for RULES

2018-08-06 Thread Máté Eckl
[] means optional, but 'add' or 'insert' is not optional: one of them is required,
which is usually signed with {} braces.

Signed-off-by: Máté Eckl 
---
 doc/nft.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/nft.txt b/doc/nft.txt
index 20ae54b..7495296 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -356,7 +356,7 @@ are *accept* (which is the default) or *drop*.
 RULES
 -
 [verse]
-[add | insert] *rule* ['family'] 'table' 'chain' [ {handle | position} 
'handle' | index 'index' ] 'statement'...
+{add | insert} *rule* ['family'] 'table' 'chain' [ {handle | position} 
'handle' | index 'index' ] 'statement'...
 replace *rule* ['family'] 'table' 'chain' handle 'handle' 'statement'...
 delete *rule* ['family'] 'table' 'chain' handle 'handle'
 
-- 
ecklm



Re: [PATCH nf-next] netfilter_bridge: uapi: Expose nf_tables bridge hook priorities

2018-08-03 Thread Máté Eckl
On Fri, Aug 03, 2018 at 07:04:44PM +0200, Máté Eckl wrote:
> On Fri, Aug 03, 2018 at 05:17:29PM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Aug 03, 2018 at 01:36:13PM +0200, Máté Eckl wrote:
> > > Netfilter exposes standard hook priorities in case of ipv4, ipv6 and
> > > arp but not in case of bridge.
> > > 
> > > This patch exposes the hook priority values of the bridge family (which
> > > are different from the formerly mentioned) via uapi so that they can be
> > > used by user-space applications just like the others.
> > 
> > Applied, thanks.
> > 
> > One minor glitch, see below.
> > 
> > > Signed-off-by: Máté Eckl 
> > > ---
> > > The list of the modified files can be validated with the following
> > > command:
> > >   find  -name "*.[ch]" -exec grep --color -HnE 
> > > \
> > >   
> > > "(NF_BR_PRI_FIRST|NF_BR_PRI_NAT_DST_BRIDGED|NF_BR_PRI_FILTER_BRIDGED|NF_BR_PRI_BRNF|NF_BR_PRI_NAT_DST_OTHER|NF_BR_PRI_FILTER_OTHER|NF_BR_PRI_NAT_SRC|NF_BR_PRI_LAST)"
> > >  \
> > >   {} \; | cut -d ":" -f1 | uniq
> > > 
> > >  include/linux/netfilter_bridge.h  | 11 ---
> > >  include/uapi/linux/netfilter_bridge.h | 11 +++
> > >  net/bridge/br_netfilter_hooks.c   |  1 +
> > >  net/bridge/netfilter/ebtable_filter.c |  1 +
> > >  net/bridge/netfilter/ebtable_nat.c|  1 +
> > >  5 files changed, 14 insertions(+), 11 deletions(-)
> > > 
> > > diff --git a/include/linux/netfilter_bridge.h 
> > > b/include/linux/netfilter_bridge.h
> > > index b671fdfd212b..fa0686500970 100644
> > > --- a/include/linux/netfilter_bridge.h
> > > +++ b/include/linux/netfilter_bridge.h
> > > @@ -5,17 +5,6 @@
> > >  #include 
> > >  #include 
> > >  
> > > -enum nf_br_hook_priorities {
> > > - NF_BR_PRI_FIRST = INT_MIN,
> > > - NF_BR_PRI_NAT_DST_BRIDGED = -300,
> > > - NF_BR_PRI_FILTER_BRIDGED = -200,
> > > - NF_BR_PRI_BRNF = 0,
> > > - NF_BR_PRI_NAT_DST_OTHER = 100,
> > > - NF_BR_PRI_FILTER_OTHER = 200,
> > > - NF_BR_PRI_NAT_SRC = 300,
> > > - NF_BR_PRI_LAST = INT_MAX,
> > > -};
> > > -
> > >  #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
> > >  
> > >  int br_handle_frame_finish(struct net *net, struct sock *sk, struct 
> > > sk_buff *skb);
> > > diff --git a/include/uapi/linux/netfilter_bridge.h 
> > > b/include/uapi/linux/netfilter_bridge.h
> > > index 12fb77633f83..156ccd089df1 100644
> > > --- a/include/uapi/linux/netfilter_bridge.h
> > > +++ b/include/uapi/linux/netfilter_bridge.h
> > > @@ -26,4 +26,15 @@
> > >  #define NF_BR_BROUTING   5
> > >  #define NF_BR_NUMHOOKS   6
> > >  
> > > +enum nf_br_hook_priorities {
> > 
> > I have renamed this to 'enum nf_br_hooks' to make it consistent with
> > 'enum nf_inet_hooks' definition in uapi/linux/netfilter.h  before
> > applying.
> 
> You should not do that. nf_inet_hooks does not represent hook priority values,
> but the hooks themselves.
> 
> nf_br_hook_priorities is analogous to nf_ipv4_hook_priorities in
   nf_ip_hook_priorities
> uapi/linux/netfilter_ipv4.h, and also the ipv6 and arp equivalents follow the
> same convention.

Well, arp probably does not have this (I can't find it right now), but the rest
is still true.

> 
> > 
> > > + NF_BR_PRI_FIRST = INT_MIN,
> > > + NF_BR_PRI_NAT_DST_BRIDGED = -300,
> > > + NF_BR_PRI_FILTER_BRIDGED = -200,
> > > + NF_BR_PRI_BRNF = 0,
> > > + NF_BR_PRI_NAT_DST_OTHER = 100,
> > > + NF_BR_PRI_FILTER_OTHER = 200,
> > > + NF_BR_PRI_NAT_SRC = 300,
> > > + NF_BR_PRI_LAST = INT_MAX,
> > > +};
> > > +


Re: [PATCH nf-next] netfilter_bridge: uapi: Expose nf_tables bridge hook priorities

2018-08-03 Thread Máté Eckl
On Fri, Aug 03, 2018 at 05:17:29PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Aug 03, 2018 at 01:36:13PM +0200, Máté Eckl wrote:
> > Netfilter exposes standard hook priorities in case of ipv4, ipv6 and
> > arp but not in case of bridge.
> > 
> > This patch exposes the hook priority values of the bridge family (which are
> > different from the formerly mentioned) via uapi so that they can be used by
> > user-space applications just like the others.
> 
> Applied, thanks.
> 
> One minor glitch, see below.
> 
> > Signed-off-by: Máté Eckl 
> > ---
> > The list of the modified files can be validated with the following
> > command:
> > find  -name "*.[ch]" -exec grep --color -HnE 
> > \
> > 
> > "(NF_BR_PRI_FIRST|NF_BR_PRI_NAT_DST_BRIDGED|NF_BR_PRI_FILTER_BRIDGED|NF_BR_PRI_BRNF|NF_BR_PRI_NAT_DST_OTHER|NF_BR_PRI_FILTER_OTHER|NF_BR_PRI_NAT_SRC|NF_BR_PRI_LAST)"
> >  \
> > {} \; | cut -d ":" -f1 | uniq
> > 
> >  include/linux/netfilter_bridge.h  | 11 ---
> >  include/uapi/linux/netfilter_bridge.h | 11 +++
> >  net/bridge/br_netfilter_hooks.c   |  1 +
> >  net/bridge/netfilter/ebtable_filter.c |  1 +
> >  net/bridge/netfilter/ebtable_nat.c|  1 +
> >  5 files changed, 14 insertions(+), 11 deletions(-)
> > 
> > diff --git a/include/linux/netfilter_bridge.h 
> > b/include/linux/netfilter_bridge.h
> > index b671fdfd212b..fa0686500970 100644
> > --- a/include/linux/netfilter_bridge.h
> > +++ b/include/linux/netfilter_bridge.h
> > @@ -5,17 +5,6 @@
> >  #include 
> >  #include 
> >  
> > -enum nf_br_hook_priorities {
> > -   NF_BR_PRI_FIRST = INT_MIN,
> > -   NF_BR_PRI_NAT_DST_BRIDGED = -300,
> > -   NF_BR_PRI_FILTER_BRIDGED = -200,
> > -   NF_BR_PRI_BRNF = 0,
> > -   NF_BR_PRI_NAT_DST_OTHER = 100,
> > -   NF_BR_PRI_FILTER_OTHER = 200,
> > -   NF_BR_PRI_NAT_SRC = 300,
> > -   NF_BR_PRI_LAST = INT_MAX,
> > -};
> > -
> >  #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
> >  
> >  int br_handle_frame_finish(struct net *net, struct sock *sk, struct 
> > sk_buff *skb);
> > diff --git a/include/uapi/linux/netfilter_bridge.h 
> > b/include/uapi/linux/netfilter_bridge.h
> > index 12fb77633f83..156ccd089df1 100644
> > --- a/include/uapi/linux/netfilter_bridge.h
> > +++ b/include/uapi/linux/netfilter_bridge.h
> > @@ -26,4 +26,15 @@
> >  #define NF_BR_BROUTING 5
> >  #define NF_BR_NUMHOOKS 6
> >  
> > +enum nf_br_hook_priorities {
> 
> I have renamed this to 'enum nf_br_hooks' to make it consistent with
> 'enum nf_inet_hooks' definition in uapi/linux/netfilter.h  before
> applying.

You should not do that. nf_inet_hooks does not represent hook priority values,
but the hooks themselves.

nf_br_hook_priorities is analogous to nf_ipv4_hook_priorities in
uapi/linux/netfilter_ipv4.h, and also the ipv6 and arp equivalents follow the
same convention.

> 
> > +   NF_BR_PRI_FIRST = INT_MIN,
> > +   NF_BR_PRI_NAT_DST_BRIDGED = -300,
> > +   NF_BR_PRI_FILTER_BRIDGED = -200,
> > +   NF_BR_PRI_BRNF = 0,
> > +   NF_BR_PRI_NAT_DST_OTHER = 100,
> > +   NF_BR_PRI_FILTER_OTHER = 200,
> > +   NF_BR_PRI_NAT_SRC = 300,
> > +   NF_BR_PRI_LAST = INT_MAX,
> > +};
> > +


[PATCH nf-next] netfilter_bridge: uapi: Expose nf_tables bridge hook priorities

2018-08-03 Thread Máté Eckl
Netfilter exposes standard hook priorities in case of ipv4, ipv6 and
arp but not in case of bridge.

This patch exposes the hook priority values of the bridge family (which are
different from the formerly mentioned) via uapi so that they can be used by
user-space applications just like the others.

Signed-off-by: Máté Eckl 
---
The list of the modified files can be validated with the following
command:
find  -name "*.[ch]" -exec grep --color -HnE 
\

"(NF_BR_PRI_FIRST|NF_BR_PRI_NAT_DST_BRIDGED|NF_BR_PRI_FILTER_BRIDGED|NF_BR_PRI_BRNF|NF_BR_PRI_NAT_DST_OTHER|NF_BR_PRI_FILTER_OTHER|NF_BR_PRI_NAT_SRC|NF_BR_PRI_LAST)"
 \
{} \; | cut -d ":" -f1 | uniq

 include/linux/netfilter_bridge.h  | 11 ---
 include/uapi/linux/netfilter_bridge.h | 11 +++
 net/bridge/br_netfilter_hooks.c   |  1 +
 net/bridge/netfilter/ebtable_filter.c |  1 +
 net/bridge/netfilter/ebtable_nat.c|  1 +
 5 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
index b671fdfd212b..fa0686500970 100644
--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -5,17 +5,6 @@
 #include 
 #include 
 
-enum nf_br_hook_priorities {
-   NF_BR_PRI_FIRST = INT_MIN,
-   NF_BR_PRI_NAT_DST_BRIDGED = -300,
-   NF_BR_PRI_FILTER_BRIDGED = -200,
-   NF_BR_PRI_BRNF = 0,
-   NF_BR_PRI_NAT_DST_OTHER = 100,
-   NF_BR_PRI_FILTER_OTHER = 200,
-   NF_BR_PRI_NAT_SRC = 300,
-   NF_BR_PRI_LAST = INT_MAX,
-};
-
 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 
 int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff 
*skb);
diff --git a/include/uapi/linux/netfilter_bridge.h 
b/include/uapi/linux/netfilter_bridge.h
index 12fb77633f83..156ccd089df1 100644
--- a/include/uapi/linux/netfilter_bridge.h
+++ b/include/uapi/linux/netfilter_bridge.h
@@ -26,4 +26,15 @@
 #define NF_BR_BROUTING 5
 #define NF_BR_NUMHOOKS 6
 
+enum nf_br_hook_priorities {
+   NF_BR_PRI_FIRST = INT_MIN,
+   NF_BR_PRI_NAT_DST_BRIDGED = -300,
+   NF_BR_PRI_FILTER_BRIDGED = -200,
+   NF_BR_PRI_BRNF = 0,
+   NF_BR_PRI_NAT_DST_OTHER = 100,
+   NF_BR_PRI_FILTER_OTHER = 200,
+   NF_BR_PRI_NAT_SRC = 300,
+   NF_BR_PRI_LAST = INT_MAX,
+};
+
 #endif /* _UAPI__LINUX_BRIDGE_NETFILTER_H */
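Review bot: moving the enum into the uapi header makes `INT_MIN` and `INT_MAX` part of a userspace-visible declaration, but every file this series touches is a kernel file. Inside the kernel those macros come from linux/kernel.h; a userspace program that includes linux/netfilter_bridge.h only gets them if it happened to include limits.h first, so this hunk turns into a build break for such consumers. The other netfilter uapi headers that use `INT_MIN`/`INT_MAX` for their priority enums carry an `#ifndef __KERNEL__` / `#include <limits.h>` block for exactly this reason; add the same guard here.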
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 9b16eaf33819..6e0dc6bcd32a 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
diff --git a/net/bridge/netfilter/ebtable_filter.c 
b/net/bridge/netfilter/ebtable_filter.c
index c41da5fac84f..550324c516ee 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -9,6 +9,7 @@
  */
 
 #include 
+#include 
 #include 
 
 #define FILTER_VALID_HOOKS ((1 << NF_BR_LOCAL_IN) | (1 << NF_BR_FORWARD) | \
diff --git a/net/bridge/netfilter/ebtable_nat.c 
b/net/bridge/netfilter/ebtable_nat.c
index 08df7406ecb3..c0fb3ca518af 100644
--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -9,6 +9,7 @@
  */
 
 #include 
+#include 
 #include 
 
 #define NAT_VALID_HOOKS ((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT) | \
-- 
ecklm



[PATCH v5 nft] Set/print standard chain prios with textual names

2018-08-03 Thread Máté Eckl
}
}
table bridge x {
chain y {
type filter hook input priority filter + 9; policy accept;
}

chain z {
type filter hook prerouting priority dstnat; policy accept;
}

chain q {
type filter hook postrouting priority srcnat; policy accept;
}

chain k {
type filter hook output priority out; policy accept;
}
}
nft> # Everything should fail after this
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
 ^
nft> add chain ip x q { type filter hook prerouting priority srcnat + 11; }
Error: 'srcnat' is invalid priority in this context.
add chain ip x q { type filter hook prerouting priority srcnat + 11; }
 ^^^
nft> add chain arp x y { type filter hook input priority raw; }
Error: 'raw' is invalid priority in this context.
add chain arp x y { type filter hook input priority raw; }
  ^^
nft> add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; 
}
Error: 'magle' is invalid priority.
add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
 ^
nft> add chain bridge x r { type filter hook postrouting priority dstnat; }
Error: 'dstnat' is invalid priority in this context.
add chain bridge x r { type filter hook postrouting priority dstnat; }
 ^^^
nft> add chain bridge x t { type filter hook prerouting priority srcnat; }
Error: 'srcnat' is invalid priority in this context.
add chain bridge x t { type filter hook prerouting priority srcnat; }
 ^^

Signed-off-by: Máté Eckl 
---
v2:
 - more comprehensive names
 - expose basic priorities used by iptables
 - use arithmetics with new names (+-)
 - print friendly names with arithmetics with an epsilon of 10

v3:
 - no tokens are used for priority names, lookup is used instead
 - names and values are moved out to a structure
 - the helper function became unnecessary, thus I removed it

v4:
 - fix snat and dnat conflict with existing tokens
 - remove static char array from chain_prio2str
 - make numerical priority printing available via -nnn nft flag
 - add docs about priority names
 - check compatibility of standard prio names and table family
 - handle flowtables

v5:
 - Add hook compatibility check
 - make priority necessary only in base chains (in evaluate)
 - doc updated
 - Add asciidoc man part
 - Make bridge priorities work
 - Refactor compatibility function
 - Store string + offset instead of instead of building and resplitting
   in eval

 doc/nft.txt  |  56 --
 include/linux/netfilter_bridge.h |  13 +++
 include/rule.h   |  19 +++-
 src/evaluate.c   |  27 +
 src/json.c   |   4 +-
 src/netlink.c|   8 +-
 src/parser_bison.y   |  36 ++-
 src/parser_json.c|   2 +-
 src/rule.c   | 180 +--
 src/scanner.l|   2 +
 10 files changed, 323 insertions(+), 24 deletions(-)

diff --git a/doc/nft.txt b/doc/nft.txt
index d33d01c..4f42c39 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -37,7 +37,7 @@ For a full summary of options, run *nft --help*.
Show data numerically. When used once (the default behaviour), skip
lookup of addresses to symbolic names. Use twice to also show Internet
services (port numbers) numerically. Use three times to also show
-   protocols and UIDs/GIDs numerically.
+   protocols, UIDs/GIDs and priorities numerically.
 
 *-s*::
 *--stateless*::
@@ -345,13 +345,51 @@ further quirks worth noticing:
 * arp family supports only *input* and *output* hooks, both in chains of type
   *filter*.
 
-The *priority* parameter accepts a signed integer value which specifies the
-order in which chains with same *hook* value are traversed. The ordering is
-ascending, i.e. lower priority values have precedence over higher ones.
+The *priority* parameter accepts a signed integer value or a standard priority
+name which specifies the order in which chains with same *hook* value are
+traversed. The ordering is ascending, i.e. lower priority values have 
precedence
+over higher ones.
 
-Base chains also allow to set the chain's *policy*, i.e. what happens to 
packets
-not explicitly accepted or refused in contained rules. Supported policy values
-are *accept* (which is the default) or *drop*.
+Standard priority values can be replaced with easily memorizable names.  Not 
al
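Review bot: the rewritten paragraph says a standard priority name is accepted but not that names are checked against the table family and hook, which the test session above relies on (`first` rejected in an ip chain, `raw` in an arp chain, `dstnat` in a bridge postrouting chain and `srcnat` in a bridge prerouting chain). The hunk is cut off in the archive after "Not al", so if the continuation does not already say so, add one sentence stating that a name is only valid for the families and hooks listed for it, and that the numeric value behind a name differs between the bridge family and the others.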

[PATCH nf-next] netfilter: nft_tproxy: Add missing config check

2018-08-02 Thread Máté Eckl
A config check was missing from the code when using
nf_defrag_ipv6_enable with NFT_TPROXY != n and NF_DEFRAG_IPV6 = n and
this caused the following error:

../net/netfilter/nft_tproxy.c: In function 'nft_tproxy_init':
../net/netfilter/nft_tproxy.c:237:3: error: implicit declaration of function
+'nf_defrag_ipv6_enable' [-Werror=implicit-function-declaration]
   err = nf_defrag_ipv6_enable(ctx->net);

This patch adds a check for NF_TABLES_IPV6 when NF_DEFRAG_IPV6 is
selected by Kconfig.

Reported-by: Randy Dunlap 
Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Signed-off-by: Máté Eckl 
---
 net/netfilter/nft_tproxy.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index c6845f7baa08..eff99dffc842 100644
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -234,9 +234,11 @@ static int nft_tproxy_init(const struct nft_ctx *ctx,
err = nf_defrag_ipv4_enable(ctx->net);
if (err)
return err;
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
err = nf_defrag_ipv6_enable(ctx->net);
if (err)
return err;
+#endif
break;
default:
return -EOPNOTSUPP;
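Review bot: the guard keys on CONFIG_NF_TABLES_IPV6 while the symbol that actually provides `nf_defrag_ipv6_enable` is NF_DEFRAG_IPV6 (the commit message itself names NF_DEFRAG_IPV6=n as the failing configuration), so the fix only holds because Kconfig selects NF_DEFRAG_IPV6 when NF_TABLES_IPV6 is set. Either test `IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)` directly or put a one-line comment above the `#if` naming that dependency, so a later Kconfig change does not silently reintroduce the build error. The commit message should also say that inet-family rules on a kernel without IPv6 nf_tables now load without IPv6 defragmentation instead of being rejected.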
-- 
ecklm



Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-08-02 Thread Máté Eckl
On Wed, Aug 01, 2018 at 06:50:14PM +0200, Máté Eckl wrote:
[...]
> > > > > 
> > > > > Could you store the string plus offset instead of building this
> > > > > string that you need to parse again from the evaluation phase?
> > > > > 
> > > > > Probably you could reuse the existing priority integer field, then, if
> > > > > the label is non-NULL, then it means the priority integer becomes an
> > > > > offset.

I tried another way of doing this. I think it will be good if you don't mind
adding a new attribute to the parser's union. I have attached the diff for the
parser, I'd like to test it a bit more before sending a new version of the
patch.

I also changed the chain and flowtable priority attributes to prio_spec and this
way it is quite simple in the parser and in evaluate.c.
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 98bfeba..73af3bc 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -153,6 +153,7 @@ int nft_lex(void *, void *, void *);
const struct datatype   *datatype;
struct handle_spec  handle_spec;
struct position_specposition_spec;
+   struct prio_specprio_spec;
const struct exthdr_desc *exthdr_desc;
 }
 
@@ -182,6 +183,8 @@ int nft_lex(void *, void *, void *);
 %token AT  "@"
 %token VMAP"vmap"
 
+%token PLUS"+"
+
 %token INCLUDE "include"
 %token DEFINE  "define"
 %token REDEFINE"redefine"
@@ -522,6 +525,7 @@ int nft_lex(void *, void *, void *);
 %type  set_spec setid_spec set_identifier 
flowtable_identifier obj_spec objid_spec obj_identifier
 %destructor { handle_free(&$$); } set_spec setid_spec set_identifier obj_spec 
objid_spec obj_identifier
 %type family_spec family_spec_explicit chain_policy 
prio_spec
+%type   extended_prio_spec
 
 %type  dev_spec quota_unit
 %destructor { xfree($$); } dev_spec quota_unit
@@ -1633,7 +1637,7 @@ flowtable_block_alloc :   /* empty */
 flowtable_block:   /* empty */ { $$ = $-1; }
|   flowtable_block common_block
|   flowtable_block stmt_separator
-   |   flowtable_block HOOKSTRING  
PRIORITYprio_spec   stmt_separator
+   |   flowtable_block HOOKSTRING  
PRIORITYextended_prio_spec  stmt_separator
{
$$->hookstr = chain_hookname_lookup($3);
if ($$->hookstr == NULL) {
@@ -1766,7 +1770,7 @@ type_identifier   :   STRING  { $$ = $1; }
|   CLASSID { $$ = xstrdup("classid"); }
;
 
-hook_spec  :   TYPESTRING  HOOK
STRING  dev_specPRIORITYprio_spec
+hook_spec  :   TYPESTRING  HOOK
STRING  dev_specPRIORITYextended_prio_spec
{
const char *chain_type = 
chain_type_name_lookup($2);
 
@@ -1788,9 +1792,37 @@ hook_spec:   TYPESTRING  
HOOKSTRING  dev_specPRIORITY
prio_spec
}
xfree($4);
 
-   $0->dev  = $5;
-   $0->priority = $7;
-   $0->flags|= CHAIN_F_BASECHAIN;
+   $0->dev = $5;
+   $0->priority = $7;
+   $0->flags |= CHAIN_F_BASECHAIN;
+   }
+   ;
+
+extended_prio_spec :   prio_spec
+   {
+   struct prio_spec spec = {0};
+   spec.num = $1;
+   $$ = spec;
+   }
+   |   STRING
+   {
+   struct prio_spec spec = {0};
+   spec.str = xstrdup($1);
+   $$ = spec;
+   }
+   |   STRING PLUS NUM
+   {
+   struct prio_spec spec = {0};
+   spec.num = $3;
+   spec.str = xstrdup($1);
+   $$ = spec;
+   }
+   |   STRING DASH NUM
+   {
+   struct prio_spec spec = {0};
+   spec.num = -$3;
+   spec.str = xstrdup($1);
+   $$ = spec;
}
;
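Review bot: in the new `extended_prio_spec` alternatives, `STRING` tokens are heap strings owned by the grammar (`hook_spec` just above releases its own with `xfree($4)`), so `spec.str = xstrdup($1)` copies the string and leaks the original; store `$1` directly or `xfree($1)` after the copy. The new `%type` for `extended_prio_spec` also has no `%destructor`, unlike `dev_spec` and `quota_unit`, so `spec.str` leaks whenever a syntax error discards the symbol after it has been reduced; add `%destructor { xfree($$.str); } extended_prio_spec` next to the existing destructors.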
 


[PATCH v3 nft] Expose socket mark via socket expression

2018-08-01 Thread Máté Eckl
It can be used like ct mark or meta mark except it cannot be set.
doc and tests are included.

Signed-off-by: Máté Eckl 
---
v2:
 - doc: remove 0 retval when there's no match

v3:
 - Convert doc to asciidoc

 doc/primary-expression.txt  | 17 +
 include/linux/netfilter/nf_tables.h |  5 +++--
 src/evaluate.c  |  6 +-
 src/parser_bison.y  |  2 ++
 src/parser_json.c   |  2 ++
 src/socket.c|  8 +++-
 tests/py/inet/socket.t  |  2 ++
 tests/py/inet/socket.t.json | 14 ++
 tests/py/inet/socket.t.payload  | 15 +++
 9 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 162f32f..94c6996 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -136,6 +136,7 @@ Socket expression can be used to search for an existing 
open TCP/UDP socket and
 |transparent|
 Value of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 
1.|
 boolean (1 bit)
+|mark| Value of the socket mark (SOL_SOCKET, SO_MARK). | mark
 |==
 
 .Using socket expression
@@ -147,6 +148,22 @@ table inet x {
 socket transparent 1 mark set 0x0001 accept
 }
 }
+
+# Trace packets that corresponds to a socket with a mark value of 15
+table inet x {
+chain y {
+type filter hook prerouting priority -150; policy accept;
+socket mark 0x000f nftrace set 1
+}
+}
+
+# Set packet mark to socket mark
+table inet x {
+chain y {
+type filter hook prerouting priority -150; policy accept;
+tcp dport 8080 mark set socket mark
+}
+}
 --
 
 FIB EXPRESSIONS
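Review bot: grammar in the second example's comment: "packets that corresponds to" should be "packets that correspond to". The third example would also benefit from one sentence on why `mark set socket mark` is useful: the socket mark is read-only in this expression, as the commit message says, so copying it into the packet mark is the way to make it visible to policy routing and to later rules.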
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 88e0ca1..ad42d05 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -923,11 +923,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
NFT_SOCKET_TRANSPARENT,
-
+   NFT_SOCKET_MARK,
__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
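Review bot: this is nft's local copy of the kernel uapi header, so `NFT_SOCKET_MARK` must carry the same enum value as the kernel side, which is not part of this series; the commit message should name the kernel change it tracks. The removed blank line before `__NFT_SOCKET_MAX` is unrelated whitespace churn and is better left alone so the copy stays a verbatim match of the kernel header.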
diff --git a/src/evaluate.c b/src/evaluate.c
index 61cdff0..2b0e6fa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1719,8 +1719,12 @@ static int expr_evaluate_meta(struct eval_ctx *ctx, 
struct expr **exprp)
 
 static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
 {
+   int maxval = 0;
+
+   if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)
+   maxval = 1;
__expr_set_context(>ectx, (*expr)->dtype, (*expr)->byteorder,
-  (*expr)->len, 1);
+  (*expr)->len, maxval);
return 0;
 }
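Review bot: style: `if((*expr)->socket.key == ...)` needs a space after `if`, and a blank line between the declaration and the statement. A short comment on `maxval` would also help, since `0` passed to `__expr_set_context` means "no upper bound" (the previous unconditional `1` was only right for the one-bit `transparent` key), which is the actual behaviour change of this hunk.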
 
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 98bfeba..0ee2ebd 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2487,6 +2487,7 @@ primary_stmt_expr :   symbol_expr { $$ = 
$1; }
|   hash_expr   { $$ = $1; }
|   payload_expr{ $$ = $1; }
|   keyword_expr{ $$ = $1; }
+   |   socket_expr { $$ = $1; }
;
 
 shift_stmt_expr:   primary_stmt_expr
@@ -3575,6 +3576,7 @@ socket_expr   :   SOCKET  socket_key
;
 
 socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
+   |   MARK { $$ = NFT_SOCKET_MARK; }
;
 
 offset_opt :   /* empty */ { $$ = 0; }
diff --git a/src/parser_json.c b/src/parser_json.c
index 8f29aaf..80364d9 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -358,6 +358,8 @@ static struct expr *json_parse_socket_expr(struct json_ctx 
*ctx,
 
if (!strcmp(key, "transparent"))
keyval = NFT_SOCKET_TRANSPARENT;
+   else if (!strcmp(key, "mark"))
+   keyval = NFT_SOCKET_MARK;
 
if (keyval == -1) {
json_error(ctx, "Invalid socket key value.");
diff --git a/src/socket.c b/src/socket.c
index 7cfe5a9..c963699 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -18,7 +18,13 @@ const struct socket_template socket_templates[] = {
   .dtype = _type,
   .len = BITS_PER_BYTE,
   .byteorder = BYTEORDER_HOST_ENDIAN,
- }
+

[PATCH v2 nft] doc: Add tproxy statement to man page

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
v2: convert to asciidoc

 doc/statements.txt | 58 ++
 1 file changed, 58 insertions(+)

diff --git a/doc/statements.txt b/doc/statements.txt
index bcf3cc2..38d9982 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -356,6 +356,64 @@ add rule nat postrouting oif eth0 masquerade
 add rule nat prerouting tcp dport 22 redirect to :
 
 
+TPROXY STATEMENT
+
+Tproxy redirects the packet to a local socket without changing the packet 
header
+in any way.  If any of the arguments is missing the data of the incoming packet
+is used as parameter.  Tproxy matching requires another rule that ensures the
+presence of transport protocol header is specified.
+
+[verse]
+tproxy to 'address' : 'port'
+tproxy to {'address' | : 'port'}
+
+This syntax can be used in *ip/ip6* tables where network layer protocol is
+obvious. Either ip address or port can be specified, but at least one of them 
is
+necessary.
+
+[verse]
+tproxy {ip | ip6} to 'address' [: 'port']
+tproxy to : 'port'
+
+This syntax can be used in *inet* tables. The *ip/ip6* parameter defines the
+family the rule will match. The *address* parameter must be of this family.
+When only *port* is defined, the address family should not be specified.  In
+this case the rule will match for both families.
+
+.tproxy attributes
+[options="header"]
+|=
+| Name | Description
+| address | IP address the listening socket with IP_TRANSPARENT option is 
bound to.
+| port | Port the listening socket with IP_TRANSPARENT option is bound to.
+|=
+
+.Example ruleset for tproxy statement
+-
+table ip x {
+chain y {
+type filter hook prerouting priority -150; policy accept;
+tcp dport ntp tproxy to 1.1.1.1
+udp dport ssh tproxy to :
+}
+}
+table ip6 x {
+chain y {
+   type filter hook prerouting priority -150; policy accept;
+   tcp dport ntp tproxy to [dead::beef]
+   udp dport ssh tproxy to :
+}
+}
+table inet x {
+chain y {
+type filter hook prerouting priority -150; policy accept;
+tcp dport 321 tproxy to :ssh
+tcp dport 99 tproxy ip to 1.1.1.1:999
+udp dport 155 tproxy ip6 to [dead::beef]:smux
+}
+}
+-
+
 FLOW OFFLOAD STATEMENT
 ~~
 A flow offload statement allows us to select what flows you want to accelerate
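Review bot: two things a reader of this section needs are missing from the intro. First, the statement is only accepted in chains attached to the prerouting hook (every example uses it, but the text never says so); state it next to the transport-header requirement. Second, the statement on its own only steers the packet to the socket: the listening socket must have IP_TRANSPARENT set (the attribute table says this), and for packets addressed to non-local destinations the host still needs a policy route for a packet mark, which is why such rules are normally paired with a `meta mark set` statement. The sentence "Tproxy matching requires another rule that ensures the presence of transport protocol header is specified" would read better as "The statement must be preceded by a match on the transport protocol (for example `tcp dport` or `udp dport`) so that the transport header has been verified".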
-- 
ecklm
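The userspace side of the statement, as an added example that is not part of this patch or of the nftables project: a Linux TCP listener that sets IP_TRANSPARENT so the kernel will hand it the connections a `tproxy to` rule steers at it, with the original destination recovered from the accepted socket. Everything here is assumed: the function names, the loopback client in `demo_loopback()` (a constructed stand-in for a tproxy-steered connection), and the fallback to a plain listener when the process lacks CAP_NET_ADMIN and cannot set the option.

```python
import errno
import socket
import threading

# Linux value of IP_TRANSPARENT from <linux/in.h>; the socket module only
# exposes the constant on builds whose C headers define it.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def enable_transparent(sock):
    """Set IP_TRANSPARENT on sock and return whether it is now set.

    Setting the option needs CAP_NET_ADMIN (or CAP_NET_RAW); an unprivileged
    process gets EPERM, which is reported as False so the caller can still run
    as an ordinary listener. Any other error is a real problem and is raised.
    """
    try:
        sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    except OSError as err:
        if err.errno in (errno.EPERM, errno.EACCES):
            return False
        raise
    return bool(sock.getsockopt(socket.IPPROTO_IP, IP_TRANSPARENT))


def make_transparent_listener(host, port, backlog=16):
    """Create the TCP listener that a `tproxy to host:port` rule points at.

    Returns (sock, transparent). Only with transparent == True will the kernel
    deliver connections whose destination address is not local, which is the
    whole point of tproxy; without it the socket is a plain listener.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    transparent = enable_transparent(sock)  # must happen before bind()
    sock.bind((host, port))
    sock.listen(backlog)
    return sock, transparent


def original_destination(conn):
    """Address the client actually dialled.

    tproxy leaves the packet header untouched, so the accepted socket's local
    address is the original destination; no SO_ORIGINAL_DST lookup (the
    DNAT/redirect technique) is needed. For a direct connection it is simply
    the listener's own address.
    """
    return conn.getsockname()


def accept_one(listener, timeout=5.0):
    """Accept one connection and return (peer, original_destination)."""
    listener.settimeout(timeout)
    conn, peer = listener.accept()
    try:
        return peer, original_destination(conn)
    finally:
        conn.close()


def demo_loopback():
    """Exercise the listener with a constructed loopback client.

    No tproxy rule or privilege is needed: the client connects directly, so
    original_destination() equals the listener's address.
    """
    listener, transparent = make_transparent_listener("127.0.0.1", 0)
    listen_addr = listener.getsockname()

    def client():
        with socket.create_connection(listen_addr, timeout=5.0) as c:
            c.recv(1)  # returns b"" once the server side closes

    t = threading.Thread(target=client)
    t.start()
    try:
        peer, dst = accept_one(listener)
    finally:
        t.join()
        listener.close()
    return {"transparent": transparent, "listen_addr": listen_addr,
            "peer": peer, "original_dst": dst}


if __name__ == "__main__":
    print(demo_loopback())
```

Run it as root (or with CAP_NET_ADMIN) to see `transparent` become True. For traffic to non-local addresses to reach the socket the host also needs the usual policy route for a packet mark, e.g. `ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100`, with `meta mark set 1` next to the tproxy statement.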



[PATCH nft 5/5] doc: statements.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 doc/statements.txt | 108 ++---
 1 file changed, 83 insertions(+), 25 deletions(-)

diff --git a/doc/statements.txt b/doc/statements.txt
index 499b573..bcf3cc2 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -11,9 +11,14 @@ The verdict statement alters control flow in the ruleset and 
issues policy decis
 *drop*:: Terminate ruleset evaluation and drop the packet.
 *queue*:: Terminate ruleset evaluation and queue the packet to userspace.
 *continue*:: Continue ruleset evaluation with the next rule. FIXME
-*return*:: Return from the current chain and continue evaluation at the next 
rule in the last chain. If issued in a base chain, it is equivalent to *accept*.
-*jump* 'chain':: Continue evaluation at the first rule in 'chain'.  The 
current position in the ruleset is pushed to a call stack and evaluation will 
continue there when the new chain is entirely evaluated of a *return* verdict 
is issued.
-*goto* 'chain':: Similar to *jump*, but the current position is not pushed to 
the call stack, meaning that after the new chain evaluation will continue at 
the last chain instead of the one containing the goto statement.
+*return*:: Return from the current chain and continue evaluation at the
+ next rule in the last chain. If issued in a base chain, it is equivalent to 
*accept*.
+*jump* 'chain':: Continue evaluation at the first rule in 'chain'.  The current
+ position in the ruleset is pushed to a call stack and evaluation will continue
+ there when the new chain is entirely evaluated of a *return* verdict is 
issued.
+*goto* 'chain':: Similar to *jump*, but the current position is not pushed to 
the
+ call stack, meaning that after the new chain evaluation will continue at the 
last
+ chain instead of the one containing the goto statement.
 
 .Verdict statements
 ---
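Review bot: since these lines are being rewrapped anyway, fix the typo they carry along: "when the new chain is entirely evaluated of a *return* verdict is issued" should read "or a *return* verdict". Also the continuation line of `*return*::` ("next rule in the last chain. If issued in a base chain, it is equivalent to *accept*.") is still longer than 80 columns, which is what the patch title says it removes.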
@@ -26,7 +31,8 @@ filter input iif eth0 drop
 
 PAYLOAD STATEMENT
 ~
-The  payload  statement alters packet content.  It can be used for example to 
set ip DSCP (differv) header field or ipv6 flow labels.
+The  payload  statement alters packet content.  It can be used for example to
+set ip DSCP (differv) header field or ipv6 flow labels.
 
 .route some packets instead of bridging
 ---
@@ -42,7 +48,9 @@ ip forward ip dscp set 42
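Review bot: "differv" in the rewrapped sentence is a misspelling of "diffserv" (DSCP is the Differentiated Services code point); worth correcting while the line is touched.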
 
 EXTENSION HEADER STATEMENT
 ~~
-The extension header statement alters packet content in variable-sized 
headers.  This can currently be used to alter the TCP Maximum segment size of 
packets, similar to TCPMSS.
+The extension header statement alters packet content in variable-sized headers.
+This can currently be used to alter the TCP Maximum segment size of packets,
+similar to TCPMSS.
 
 .change tcp mss
 ---
@@ -57,7 +65,15 @@ LOG STATEMENT
 log [prefix quoted_string] [level syslog-level] [flags log-flags]
 log group nflog_group [prefix quoted_string] [queue-threshold value] [snaplen 
size]
 
-The log statement enables logging of matching packets. When this statement is 
used from a rule, the Linux kernel will print some information on all matching 
packets, such as header fields, via the kernel log (where it can be read with 
dmesg(1) or read in the syslog). If the group number is specified, the Linux 
kernel will pass the packet to nfnetlink_log which will multicast the packet 
through a netlink socket to the specified multicast group. One or more 
userspace processes may subscribe to the group to  receive the packets, see 
libnetfilter_queue documentation for details. This is a non-terminating 
statement, so the rule evaluation continues after the packet is logged.
+The log statement enables logging of matching packets. When this statement is
+used from a rule, the Linux kernel will print some information on all matching
+packets, such as header fields, via the kernel log (where it can be read with
+dmesg(1) or read in the syslog). If the group number is specified, the Linux
+kernel will pass the packet to nfnetlink_log which will multicast the packet
+through a netlink socket to the specified multicast group. One or more 
userspace
+processes may subscribe to the group to  receive the packets, see
+libnetfilter_queue documentation for details. This is a non-terminating
+statement, so the rule evaluation continues after the packet is logged.
 
 .log statement options
 [options="header"]
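Review bot: the rewrapped LOG STATEMENT paragraph keeps the double space in "to  receive the packets", and the pointer "see libnetfilter_queue documentation for details" is the wrong library for the nfnetlink_log path described in the same sentence: the userspace counterpart of nfnetlink_log is libnetfilter_log. Suggest "see libnetfilter_log documentation for details".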
@@ -116,7 +132,11 @@ REJECT STATEMENT
 *reject* [ with {icmp | icmpv6 | icmpx} type {icmp_code | icmpv6_code | 
icmpx_code} ]
 *reject* [ with tcp reset ]
 
-A reject statement is used to send back an error packet in response to the 
matched packet otherwise it is equivalent to drop so it is a terminating 
statement, ending rule traversal. This statement is only valid in the input, 
forward and output chains, and user-defined chains which are only called from 
those chains.
+A reject statement is used to send back an error packet i

Re: [PATCH nft] doc: nft.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
On Wed, Aug 01, 2018 at 04:17:04PM +0200, Florian Westphal wrote:
> Máté Eckl  wrote:
> > When I tried to send a patch that included man page update I got the
> > following error from git send-email:
> > fatal: patch.patch:287: patch contains a line longer than 998 characters
> > Line 287 was a non-modified line so it was there before my patch.
> 
> Applied, thanks for fixing this up.

I didn't realize that the doc has been split into multiple files, I'll send a
wrapping patch for the other ones too.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH nft 0/5] doc: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Too long lines may cause an error when sending a patch with git send-email.
fatal: patch.patch:287: patch contains a line longer than 998 characters

This series wraps long lines to 80 characters.

Máté Eckl (5):
  doc: data-types.txt: Wrap extra long lines to 80 chars
  doc: payload-expression.txt: Wrap extra long lines to 80 chars
  doc: primary-expression.txt: Wrap extra long lines to 80 chars
  doc: stateful-objects.txt: Wrap extra long lines to 80 chars
  doc: statements.txt: Wrap extra long lines to 80 chars

 doc/data-types.txt |  29 +++---
 doc/payload-expression.txt |  24 +++--
 doc/primary-expression.txt |  16 --
 doc/stateful-objects.txt   |   9 +++-
 doc/statements.txt | 108 -
 5 files changed, 146 insertions(+), 40 deletions(-)

-- 
ecklm



[PATCH nft 1/5] doc: data-types.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 doc/data-types.txt | 29 ++---
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/doc/data-types.txt b/doc/data-types.txt
index 1d4218e..57aa3a4 100644
--- a/doc/data-types.txt
+++ b/doc/data-types.txt
@@ -9,7 +9,9 @@ variable |
 -
 |===
 
-The integer type is used for numeric values. It may be specified as decimal, 
hexadecimal or octal number. The integer type doesn't have a fixed size, its 
size is determined by the expression for which it is used.
+The integer type is used for numeric values. It may be specified as decimal,
+hexadecimal or octal number. The integer type doesn't have a fixed size, its
+size is determined by the expression for which it is used.
 
 BITMASK TYPE
 
@@ -35,7 +37,10 @@ variable |
 -
 |===
 
-The string type is used for character strings. A string begins with an 
alphabetic character (a-zA-Z) followed by zero or more alphanumeric characters 
or the characters /, -, _ and .. In  addition  anything  enclosed in double 
quotes (") is recognized as a string.
+The string type is used for character strings. A string begins with an
+alphabetic character (a-zA-Z) followed by zero or more alphanumeric characters
+or the characters /, -, _ and .. In  addition  anything  enclosed in double
+quotes (") is recognized as a string.
 
 .String specification
 --
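Review bot: "or the characters /, -, _ and .." in the rewrapped string-type paragraph reads as a typo even though it is the dot character followed by the sentence's full stop; consider "and . (dot)." so the rendered man page is unambiguous.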
@@ -57,7 +62,9 @@ variable |
 integer
 |===
 
-The link layer address type is used for link layer addresses. Link layer 
addresses are specified as a variable amount of groups of two hexadecimal 
digits separated using colons (:).
+The link layer address type is used for link layer addresses. Link layer
+addresses are specified as a variable amount of groups of two hexadecimal 
digits
+separated using colons (:).
 
 .Link layer address specification
 --
@@ -76,7 +83,10 @@ ipv4_addr|
 integer
 |===
 
-The IPv4 address type is used for IPv4 addresses. Addresses are  specified  in 
either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal, 
octal notation or as a host name. A host name will be resolved using the 
standard system resolver.
+The IPv4 address type is used for IPv4 addresses. Addresses are  specified  in
+either dotted decimal, dotted hexadecimal, dotted octal, decimal, hexadecimal,
+octal notation or as a host name. A host name will be resolved using the
+standard system resolver.
 
 .IPv4 address specification
 --
@@ -98,7 +108,9 @@ ipv6_addr|
 integer
 |===
 
-The IPv6 address type is used for IPv6 addresses.  Addresses are specified as 
a host name or as hexadecimal halfwords separated by colons. Addresses might be 
enclosed in square brackets ("[]") to differentiate them from port numbers.
+The IPv6 address type is used for IPv6 addresses.  Addresses are specified as a
+host name or as hexadecimal halfwords separated by colons. Addresses might be
+enclosed in square brackets ("[]") to differentiate them from port numbers.
 
 .IPv6 address specificationIPv6 address specification with bracket notation
 --
@@ -120,7 +132,9 @@ boolean |
 integer
 |===
 
-The  boolean type is a syntactical helper type in user space. It's use is in 
the right-hand side of a (typically implicit) relational expression to change 
the expression on the left-hand side into a boolean check (usually for 
existence). +
+The  boolean type is a syntactical helper type in user space. It's use is in 
the
+right-hand side of a (typically implicit) relational expression to change the
+expression on the left-hand side into a boolean check (usually for existence). 
+
 
 The following keywords will automatically resolve into a  boolean  type with 
given value:
 The bitmask type (bitmask) is used for bitmasks.
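Review bot: "It's use is in the right-hand side" in the rewrapped boolean paragraph should be "Its use is in the right-hand side" (possessive, not contraction); fix it while the line is being touched.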
@@ -361,7 +375,8 @@ icmpv6_type |
 integer
 |===
 
-The ICMPvX Code type abstraction is a set of values which overlap between ICMP 
and ICMPv6 Code types to be used from the inet family.
+The ICMPvX Code type abstraction is a set of values which overlap between ICMP
+and ICMPv6 Code types to be used from the inet family.
 
 .keywords may be used when specifying the ICMPvX code
 [options="header"]
-- 
ecklm



[PATCH nft 4/5] doc: stateful-objects.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 doc/stateful-objects.txt | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt
index 9d99264..57bf627 100644
--- a/doc/stateful-objects.txt
+++ b/doc/stateful-objects.txt
@@ -3,7 +3,11 @@ CT
 [verse]
 *ct* helper 'helper' {type 'type' protocol 'protocol' ; [l3proto 'family' ;] }
 
-Ct helper is used to define connection tracking helpers that can then be used 
in combination with the *ct helper set* statement. 'type' and 'protocol' are 
mandatory, l3proto is derived from the table family by default, i.e. in the 
inet table the kernel will try to load both the ipv4 and ipv6 helper backends, 
if they are supported by the kernel.
+Ct helper is used to define connection tracking helpers that can then be used 
in
+combination with the *ct helper set* statement. 'type' and 'protocol' are
+mandatory, l3proto is derived from the table family by default, i.e. in the 
inet
+table the kernel will try to load both the ipv4 and ipv6 helper backends, if
+they are supported by the kernel.
 
 .conntrack helper specifications
 [options="header"]
@@ -22,7 +26,8 @@ address family (e.g. ip)
 
 .defining and assigning ftp helper
 --
-Unlike iptables, helper assignment needs to be performed after the conntrack 
lookup has completed, for example with the default 0 hook priority.
+Unlike iptables, helper assignment needs to be performed after the conntrack
+lookup has completed, for example with the default 0 hook priority.
 
 table inet myhelpers {
   ct helper ftp-standard {
-- 
ecklm



[PATCH nft 3/5] doc: primary-expression.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 doc/primary-expression.txt | 16 +---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 162f32f..50093b4 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -8,7 +8,12 @@ skuid | skgid | nftrace | rtclassid | ibrname | obrname | 
pkttype | cpu
 
 A meta expression refers to meta data associated with a packet.
 
-There are two types of meta expressions: unqualified and qualified meta 
expressions. Qualified meta expressions require the meta keyword before the 
meta key, unqualified meta expressions can be specified by using the meta key 
directly or as qualified  meta  expressions. Meta l4proto is useful to match a 
particular transport protocol that is part of either an IPv4 or IPv6 packet. It 
will also skip any IPv6 extension headers present in an IPv6 packet.
+There are two types of meta expressions: unqualified and qualified meta
+expressions. Qualified meta expressions require the meta keyword before the 
meta
+key, unqualified meta expressions can be specified by using the meta key
+directly or as qualified  meta  expressions. Meta l4proto is useful to match a
+particular transport protocol that is part of either an IPv4 or IPv6 packet. It
+will also skip any IPv6 extension headers present in an IPv6 packet.
 
 .Meta expression types
 [options="header"]
@@ -127,7 +132,9 @@ SOCKET EXPRESSION
 [verse]
 socket {transparent}
 
-Socket expression can be used to search for an existing open TCP/UDP socket 
and its attributes that can be associated with a packet. It looks for an 
established or non-zero bound listening socket (possibly with a non-local 
address).
+Socket expression can be used to search for an existing open TCP/UDP socket and
+its attributes that can be associated with a packet. It looks for an 
established
+or non-zero bound listening socket (possibly with a non-local address).
 
 .Available socket attributes
 [options="header"]
@@ -154,7 +161,10 @@ FIB EXPRESSIONS
 [verse]
 fib {saddr | daddr | {mark | iif | oif}} {oif | oifname | type}
 
-A fib expression queries the fib (forwarding information base) to obtain 
information such as the output interface index a particular address would use. 
The input is a tuple of elements that is used as input to the fib lookup 
functions.
+A fib expression queries the fib (forwarding information base) to obtain
+information such as the output interface index a particular address would use.
+The input is a tuple of elements that is used as input to the fib lookup
+functions.
 
 .fib expression specific types
 [options="header"]
-- 
ecklm



[PATCH nft 2/5] doc: payload-expression.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 doc/payload-expression.txt | 24 +---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index d454c95..3f47b4e 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -146,7 +146,12 @@ IPV6 HEADER EXPRESSION
 [verse]
 ip6 ['IPv6' 'header' 'field']
 
-This expression refers to the ipv6 header fields. Caution when using ip6 
nexthdr, the value only refers to the next header, i.e. ip6  nexthdr  tcp  will 
only match if the ipv6 packet does not contain any extension headers. Packets 
that are fragmented or e.g. contain a routing extension headers will not be 
matched. Please use meta l4proto if you wish to match the real transport header 
and ignore any additional extension headers instead.
+This expression refers to the ipv6 header fields. Caution when using ip6
+nexthdr, the value only refers to the next header, i.e. ip6  nexthdr  tcp  will
+only match if the ipv6 packet does not contain any extension headers. Packets
+that are fragmented or e.g. contain a routing extension headers will not be
+matched. Please use meta l4proto if you wish to match the real transport header
+and ignore any additional extension headers instead.
 
 .IPv6 header expression
 [options="header"]
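Review bot: "contain a routing extension headers" in the rewrapped IPv6 header paragraph mixes singular and plural; make it "contain a routing extension header". The double spaces in "ip6  nexthdr  tcp" could also be collapsed in the same rewrap.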
@@ -410,7 +415,14 @@ RAW PAYLOAD EXPRESSION
 [verse]
 *@* [base,offset,length]
 
-The raw payload expression instructs to load lengthbits starting at 
offsetbits. Bit 0 refers to the very first bit -- in the C programming 
language, this corresponds to the topmost bit, i.e. 0x80 in case of an octet. 
They are useful to match headers that do not have a human-readable template 
expression yet. Note that nft will not add dependencies for Raw payload 
expressions. If you e.g. want to match protocol fields of a transport header 
with protocol number 5, you need to manually exclude packets that have a 
different transport header, for instance my using meta l4proto 5 before the raw 
expression.
+The raw payload expression instructs to load lengthbits starting at offsetbits.
+Bit 0 refers to the very first bit -- in the C programming language, this
+corresponds to the topmost bit, i.e. 0x80 in case of an octet. They are useful
+to match headers that do not have a human-readable template expression yet. 
Note
+that nft will not add dependencies for Raw payload expressions. If you e.g. 
want
+to match protocol fields of a transport header with protocol number 5, you need
+to manually exclude packets that have a different transport header, for 
instance
+my using meta l4proto 5 before the raw expression.
 
 .Support payload protocol bases
 [options="header"]
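Review bot: "for instance my using meta l4proto 5" in the rewrapped raw payload paragraph should read "for instance by using meta l4proto 5". In the same paragraph "load lengthbits starting at offsetbits" has the placeholders run together with the unit; write them as 'length' bits starting at 'offset' bits, using the same quoting the other sections use for placeholders (e.g. 'chain').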
@@ -524,7 +536,13 @@ CONNTRACK EXPRESSIONS
 ~
 Conntrack expressions refer to meta data of the connection tracking entry 
associated with a packet. +
 
-There are three types of conntrack expressions. Some conntrack expressions 
require the flow direction before the conntrack key, others must be used 
directly because they are direction agnostic.  The *packets*, *bytes* and 
*avgpkt* keywords can be used with or without a direction. If the direction is 
omitted, the sum of the original and the reply direction is returned. The same 
is true for the *zone*, if a direction is given, the zone is only matched if 
the zone id is tied to the given direction. +
+There are three types of conntrack expressions. Some conntrack expressions
+require the flow direction before the conntrack key, others must be used
+directly because they are direction agnostic.  The *packets*, *bytes* and
+*avgpkt* keywords can be used with or without a direction. If the direction is
+omitted, the sum of the original and the reply direction is returned. The same
+is true for the *zone*, if a direction is given, the zone is only matched if 
the
+zone id is tied to the given direction. +
 
 [verse]
 *ct* {state | direction | status | mark | expiration | helper | label | 
l3proto | protocol | bytes | packets | avgpkt | zone}
-- 
ecklm



Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-08-01 Thread Máté Eckl
On Sat, Jul 28, 2018 at 12:14:57PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 27, 2018 at 04:21:46PM +0200, Máté Eckl wrote:
> > On Mon, Jul 16, 2018 at 09:58:44AM +0200, Máté Eckl wrote:
> > > On Tue, Jul 10, 2018 at 12:10:22PM +0200, Pablo Neira Ayuso wrote:
> > > > > diff --git a/src/parser_bison.y b/src/parser_bison.y
> > > > > index 98bfeba..2b7d7cc 100644
> > > > > --- a/src/parser_bison.y
> > > > > +++ b/src/parser_bison.y
> > > > > @@ -182,6 +182,8 @@ int nft_lex(void *, void *, void *);
> > > > >  %token AT"@"
> > > > >  %token VMAP  "vmap"
> > > > >  
> > > > > +%token PLUS  "+"
> > > > > +
> > > > >  %token INCLUDE   "include"
> > > > >  %token DEFINE"define"
> > > > >  %token REDEFINE  "redefine"
> > > > > @@ -522,6 +524,7 @@ int nft_lex(void *, void *, void *);
> > > > >  %typeset_spec setid_spec 
> > > > > set_identifier flowtable_identifier obj_spec objid_spec obj_identifier
> > > > >  %destructor { handle_free(&$$); } set_spec setid_spec set_identifier 
> > > > > obj_spec objid_spec obj_identifier
> > > > >  %type   family_spec family_spec_explicit 
> > > > > chain_policy prio_spec
> > > > > +%typestr_prio_spec
> > > > >  
> > > > >  %typedev_spec quota_unit
> > > > >  %destructor { xfree($$); }   dev_spec quota_unit
> > > > > @@ -1633,7 +1636,7 @@ flowtable_block_alloc   :   /* empty */
> > > > >  flowtable_block  :   /* empty */ { $$ = 
> > > > > $-1; }
> > > > >   |   flowtable_block common_block
> > > > >   |   flowtable_block stmt_separator
> > > > > - |   flowtable_block HOOKSTRING  
> > > > > PRIORITYprio_spec   stmt_separator
> > > > > + |   flowtable_block HOOKSTRING  
> > > > > PRIORITYstr_prio_spec   stmt_separator
> > > > >   {
> > > > >   $$->hookstr = 
> > > > > chain_hookname_lookup($3);
> > > > >   if ($$->hookstr == NULL) {
> > > > > @@ -1644,7 +1647,7 @@ flowtable_block :   /* empty */ 
> > > > > { $$ = $-1; }
> > > > >   }
> > > > >   xfree($3);
> > > > >  
> > > > > - $$->priority = $5;
> > > > > + $$->priostr = $5;
> > > > >   }
> > > > >   |   flowtable_block DEVICES '=' 
> > > > > flowtable_expr  stmt_separator
> > > > >   {
> > > > > @@ -1766,7 +1769,7 @@ type_identifier :   STRING  { $$ = 
> > > > > $1; }
> > > > >   |   CLASSID { $$ = xstrdup("classid"); }
> > > > >   ;
> > > > >  
> > > > > -hook_spec:   TYPESTRING  HOOK
> > > > > STRING  dev_specPRIORITYprio_spec
> > > > > +hook_spec:   TYPESTRING  HOOK
> > > > > STRING  dev_specPRIORITYstr_prio_spec
> > > > >   {
> > > > >   const char *chain_type = 
> > > > > chain_type_name_lookup($2);
> > > > >  
> > > > > @@ -1789,13 +1792,34 @@ hook_spec :   TYPE
> > > > > STRING  HOOKSTRING  dev_spec
> > > > > PRIORITYprio_spec
> > > > >   xfree($4);
> > > > >  
> > > > >   $0->dev  = $5;
> > > > > - $0->priority = $7;
> > > > > +   

[PATCH nft] doc: nft.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
When I tried to send a patch that included man page update I got the
following error from git send-email:
fatal: patch.patch:287: patch contains a line longer than 998 characters
Line 287 was a non-modified line so it was there before my patch.

Even this patch can only be sent with mutt but not with git send-email.

This patch tries to fix this issue by wrapping extra long lines to 80
characters wide.

Signed-off-by: Máté Eckl 
---
 doc/nft.txt | 234 
 1 file changed, 183 insertions(+), 51 deletions(-)

diff --git a/doc/nft.txt b/doc/nft.txt
index e317cfd..d33d01c 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -15,7 +15,10 @@ SYNOPSIS
 
 DESCRIPTION
 ---
-nft is the command line tool used to set up, maintain and inspect packet 
filtering and classification rules in the Linux kernel, in the nftables 
framework. The Linux kernel subsystem is known as nf_tables,  and `nft' stands 
for Netfilter.
+nft is the command line tool used to set up, maintain and inspect packet
+filtering and classification rules in the Linux kernel, in the nftables
+framework. The Linux kernel subsystem is known as nf_tables,  and `nft' stands
+for Netfilter.
 
 OPTIONS
 ---
@@ -80,22 +83,40 @@ INPUT FILE FORMATS
 --
 LEXICAL CONVENTIONS
 ~~~
-Input is parsed line-wise. When the last character of a line, just before the 
newline character, is a non-quoted backslash (\), the next line is treated as a 
continuation. Multiple commands on the same line can be separated using a 
semicolon (;). +
+Input is parsed line-wise. When the last character of a line, just before the
+newline character, is a non-quoted backslash (\), the next line is treated as a
+continuation. Multiple commands on the same line can be separated using a
+semicolon (;). +
 
-A hash sign (#) begins a comment. All following characters on the same line 
are ignored. +
+A hash sign (#) begins a comment. All following characters on the same line are
+ignored. +
 
-Identifiers begin with an alphabetic character (a-z,A-Z), followed zero or 
more alphanumeric characters (a-z,A-Z,0-9) and the characters slash (/), 
backslash (\), underscore (_) and dot (.). Identifiers using different 
characters or clashing with a keyword need to be enclosed in double quotes (").
+Identifiers begin with an alphabetic character (a-z,A-Z), followed zero or more
+alphanumeric characters (a-z,A-Z,0-9) and the characters slash (/), backslash
+(\), underscore (_) and dot (.). Identifiers using different characters or
+clashing with a keyword need to be enclosed in double quotes (").
 
 INCLUDE FILES
 ~
 [verse]
 *include* 'filename'
 
-Other files can be included by using the *include* statement. The directories 
to be searched for include files can be specified using the 
*-I*/*--includepath* option. You can override this behaviour either by 
prepending `./' to your path to force inclusion of files located in the current 
working directory (i.e. relative path) or / for  file  location expressed as an 
absolute path. +
+Other files can be included by using the *include* statement. The directories 
to
+be searched for include files can be specified using the *-I*/*--includepath*
+option. You can override this behaviour either by prepending `./' to your path
+to force inclusion of files located in the current working directory (i.e.
+relative path) or / for  file  location expressed as an absolute path. +
 
-If *-I*/*--includepath* is not specified, then nft relies on the default 
directory that is specified at compile time. You can retrieve this default 
directory via *-h*/*--help* option. +
+If *-I*/*--includepath* is not specified, then nft relies on the default
+directory that is specified at compile time. You can retrieve this default
+directory via *-h*/*--help* option. +
 
-Include statements support the usual shell wildcard symbols (\*,?,[]). Having 
no matches for an include statement is not an error, if wildcard symbols are 
used in the include statement. This allows having potentially empty include 
directories for statements like **include "/etc/firewall/rules/"**. The 
wildcard matches are loaded in alphabetical order. Files beginning with dot (.) 
are not matched by include statements.
+Include statements support the usual shell wildcard symbols (\*,?,[]). Having 
no
+matches for an include statement is not an error, if wildcard symbols are used
+in the include statement. This allows having potentially empty include
+directories for statements like **include "/etc/firewall/rules/"**. The 
wildcard
+matches are loaded in alphabetical order. Files beginning with dot (.) are not
+matched by include statements.
 
 SYMBOLIC VARIABLES
 ~~
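Review bot: "Identifiers begin with an alphabetic character (a-z,A-Z), followed zero or more alphanumeric characters" in the rewrapped LEXICAL CONVENTIONS paragraph is missing a word; make it "followed by zero or more alphanumeric characters" while the line is being rewritten.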
@@ -103,7 +124,9 @@ SYMBOLIC VARIABLES
 *define* variable 'expr'
 *$variable*
 
-Symbolic variables can be defined using the *define* statement. Variable 
references are expressions and can be u

[PATCH v5 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-28 Thread Máté Eckl
A great portion of the code is taken from xt_TPROXY.c

There are some changes compared to the iptables implementation:
 - tproxy statement is not terminal here
 - Either address or port has to be specified, but at least one of them
   is necessary. If one of them is not specified, the evaluation will be
   performed with the original attribute of the packet (ie. target port
   is not specified => the packet's dport will be used).

To make this work in inet tables, the tproxy structure has a family
member (typically called priv->family) which is not necessarily equal to
ctx->family.

priv->family can have three values legally:
 - NFPROTO_IPV4 if the table family is ip OR if table family is inet,
   but an ipv4 address is specified as a target address. The rule only
   evaluates ipv4 packets in this case.
 - NFPROTO_IPV6 if the table family is ip6 OR if table family is inet,
   but an ipv6 address is specified as a target address. The rule only
   evaluates ipv6 packets in this case.
 - NFPROTO_UNSPEC if the table family is inet AND if only the port is
   specified. The rule will evaluate both ipv4 and ipv6 packets.

Signed-off-by: Máté Eckl 
---
v2:
 - address or port is now compulsory
 - nf_defrag_ipv{4,6}_enable called in init
 - nft_tproxy now selects NF_DEFRAG_IPV4/6
 - Add transport header presence test in ipv4 eval (in ipv6 it was
   already present)
 - Add check for the case when address is specified but the rule family
   is not set accordingly

v3:
 - Fix tproxy and context family compatibility test in init

v4:
 - Fix module test macros. Use NF_TABLES_IPV6 as dependency for
   compiling ipv6 related functions.
 - Apply cosmetic changes that Pablo suggested.
 - Use NFPROTO_UNSPEC when only port is specified in inet tables.
 - Conform 5711b4e89319 ("netfilter: nf_tproxy: fix possible non-linear access 
to transport header") in nf tree
 - More detailed commit message.

v5: minor nft_tproxy_init refactor

 include/uapi/linux/netfilter/nf_tables.h |  16 ++
 net/netfilter/Kconfig|  10 +
 net/netfilter/Makefile   |   1 +
 net/netfilter/nft_tproxy.c   | 316 +++
 4 files changed, 343 insertions(+)
 create mode 100644 net/netfilter/nft_tproxy.c

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 89438e68dc03..e58d2b70dde7 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1250,6 +1250,22 @@ enum nft_nat_attributes {
 };
 #define NFTA_NAT_MAX   (__NFTA_NAT_MAX - 1)
 
+/**
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
+ *
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
+ */
+enum nft_tproxy_attributes {
+   NFTA_TPROXY_UNSPEC,
+   NFTA_TPROXY_FAMILY,
+   NFTA_TPROXY_REG_ADDR,
+   NFTA_TPROXY_REG_PORT,
+   __NFTA_TPROXY_MAX
+};
+#define NFTA_TPROXY_MAX(__NFTA_TPROXY_MAX - 1)
+
 /**
  * enum nft_masq_attributes - nf_tables masquerade expression attributes
  *
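Review bot: the kernel-doc line "NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)" describes the wrong payload type. The family attribute is not a register: nft_tproxy_init reads it with ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY])) and compares it against NFPROTO_* values (see the init code quoted in the v4 discussion in this thread), so the comment should say something like "(NLA_U32: nfproto)". Only the two REG_ attributes carry nft_registers.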
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6c65d756e603..fc570c22a860 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -633,6 +633,16 @@ config NFT_SOCKET
  This option allows matching for the presence or absence of a
  corresponding socket and its attributes.
 
+config NFT_TPROXY
+   tristate "Netfilter nf_tables tproxy support"
+   depends on IPV6 || IPV6=n
+   select NF_DEFRAG_IPV4
+   select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
+   select NF_TPROXY_IPV4
+   select NF_TPROXY_IPV6 if NF_TABLES_IPV6
+   help
+ This makes transparent proxy support available in nftables.
+
 if NF_TABLES_NETDEV
 
 config NF_DUP_NETDEV
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 0b3851e825fa..ea35f206e49d 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -109,6 +109,7 @@ obj-$(CONFIG_NFT_FIB_INET)  += nft_fib_inet.o
 obj-$(CONFIG_NFT_FIB_NETDEV)   += nft_fib_netdev.o
 obj-$(CONFIG_NF_OSF)   += nf_osf.o
 obj-$(CONFIG_NFT_SOCKET)   += nft_socket.o
+obj-$(CONFIG_NFT_TPROXY)   += nft_tproxy.o
 
 # nf_tables netdev
 obj-$(CONFIG_NFT_DUP_NETDEV)   += nft_dup_netdev.o
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
new file mode 100644
index ..f3a5bea3901d
--- /dev/null
+++ b/net/netfilter/nft_tproxy.c
@@ -0,0 +1,316 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+#include 
+#endif
+
+struct nft_tproxy {
+   enum nft_registers  sreg_addr:8;
+   enum nft_registers  sreg_port:8;
+   u8
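Review bot: the new file starts with "/* SPDX-License-Identifier: GPL-2.0 */"; for C source files the kernel convention (Documentation/process/license-rules.rst) is the C99 comment form "// SPDX-License-Identifier: GPL-2.0", with the /* */ form reserved for headers and assembly.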
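The family rules the commit message spells out (which priv->family values are legal for a given table family, and which attribute combinations are rejected) as a stand-alone Python model. This is an added example for this page, not the kernel's code: it follows the commit message above and the nft_tproxy_init checks quoted from v4 elsewhere in this thread; the NFPROTO_* numbers are the kernel's, and the errno returned for a target family outside the three legal values is an assumption, since that branch is not visible here.

```python
"""Model of the nft_tproxy_init sanity checks (added example, not kernel code)."""
from errno import EINVAL, EOPNOTSUPP

# nfproto values from include/uapi/linux/netfilter.h
NFPROTO_UNSPEC = 0
NFPROTO_INET = 1
NFPROTO_IPV4 = 2
NFPROTO_ARP = 3
NFPROTO_NETDEV = 5
NFPROTO_BRIDGE = 7
NFPROTO_IPV6 = 10

LEGAL_TARGET_FAMILIES = (NFPROTO_IPV4, NFPROTO_IPV6, NFPROTO_UNSPEC)


def tproxy_init(ctx_family, family=None, reg_addr=None, reg_port=None):
    """Return -errno when the expression would be rejected, else the
    priv->family the rule ends up with.

    ctx_family  - family of the table the rule is added to (ctx->family)
    family      - NFTA_TPROXY_FAMILY attribute, None if absent
    reg_addr    - NFTA_TPROXY_REG_ADDR, any non-None value means "present"
    reg_port    - NFTA_TPROXY_REG_PORT, any non-None value means "present"
    """
    # 1. The statement is only accepted in ip, ip6 and inet tables;
    #    netdev, arp and bridge tables are refused outright.
    if ctx_family not in (NFPROTO_IPV4, NFPROTO_IPV6, NFPROTO_INET):
        return -EOPNOTSUPP

    # 2. The family attribute is mandatory, and so is at least one of
    #    address or port (a missing one falls back to the packet's own).
    if family is None or (reg_addr is None and reg_port is None):
        return -EINVAL

    # 3. In an ip table the target must be IPv4, in an ip6 table IPv6.
    if ctx_family == NFPROTO_IPV4 and family != NFPROTO_IPV4:
        return -EINVAL
    if ctx_family == NFPROTO_IPV6 and family != NFPROTO_IPV6:
        return -EINVAL

    # 4. Only the three families listed in the commit message are legal.
    #    (errno assumed; this branch is not shown on the page)
    if family not in LEGAL_TARGET_FAMILIES:
        return -EINVAL

    # 5. An address needs a concrete family to know its length, so
    #    "address specified but family unspecified" is rejected.
    if family == NFPROTO_UNSPEC and reg_addr is not None:
        return -EINVAL

    return family


def evaluates(priv_family):
    """Which packet families a rule with this priv->family evaluates."""
    if priv_family == NFPROTO_IPV4:
        return frozenset({"ipv4"})
    if priv_family == NFPROTO_IPV6:
        return frozenset({"ipv6"})
    if priv_family == NFPROTO_UNSPEC:
        return frozenset({"ipv4", "ipv6"})
    raise ValueError("not a legal tproxy family: %r" % (priv_family,))


if __name__ == "__main__":
    # port-only statement in an inet table: evaluates both families
    fam = tproxy_init(NFPROTO_INET, NFPROTO_UNSPEC, reg_port=1)
    print(fam, sorted(evaluates(fam)))
```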

Re: [PATCH v4 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-28 Thread Máté Eckl
On Sat, Jul 28, 2018 at 12:11:15PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 27, 2018 at 04:15:29PM +0200, Máté Eckl wrote:
> > On Mon, Jul 23, 2018 at 09:28:27AM +0200, Máté Eckl wrote:
> > > On Fri, Jul 20, 2018 at 03:28:31PM +0200, Pablo Neira Ayuso wrote:
> > > > Hi Mate,
> > > > 
> > > > A few cosmetic on the _init path, and one concern of probably missing
> > > > sanity check, also from the _init path see below.
> > > > 
> > > > On Fri, Jul 20, 2018 at 09:34:14AM +0200, Máté Eckl wrote:
> > 
> > [...]
> > 
> > > > > +static int nft_tproxy_init(const struct nft_ctx *ctx,
> > > > > +const struct nft_expr *expr,
> > > > > +const struct nlattr * const tb[])
> > > > > +{
> > > > > + struct nft_tproxy *priv = nft_expr_priv(expr);
> > > > > + unsigned int alen = 0;
> > > > > + int err;
> > > > 
> > > > Probably check here:
> > > > 
> > > > if (!tb[NFTA_TPROXY_FAMILY])
> > > > return -EINVAL;
> > > > 
> > > > family = ...;
> > > > 
> > > > So we can reuse the switch() below...
> > > > 
> > > > > +
> > > > > + switch (ctx->family) {
> > > > > + case NFPROTO_IPV4:
> > > > > +#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
> > > > > + case NFPROTO_IPV6:
> > > > > +#endif
> > > > > + case NFPROTO_INET:
> > > > 
> > > > I think you have to update this to NFPROTO_UNSPEC.
> > > 
> > > No because this is the ctx->family, not the priv->family. This has to be 
> > > done so
> > > that a tproxy statement cannot be added to a netdev (or arp, etc.) table.
> > > 
> > > > 
> > > > > + break;
> > > > > + default:
> > > > > + return -EOPNOTSUPP;
> > > > > + }
> > > > > +
> > > > > + if (!tb[NFTA_TPROXY_FAMILY] ||
> > > > > + (!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT]))
> > > > > + return -EINVAL;
> > > > > +
> > > > > + priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
> > > > > + switch (ctx->family) {
> > > > 
> > > > To do what we're doing this in this switch() ...
> > > > 
> > > > > + case NFPROTO_IPV4:
> > > > > + if (priv->family != NFPROTO_IPV4)
> > > > > + return -EINVAL;
> > > > > + break;
> > > > > + case NFPROTO_IPV6:
> > > > > + if (priv->family != NFPROTO_IPV6)
> > > > > + return -EINVAL;
> > > > > + break;
> > > > > + }
> > > > > +
> > > > > > + /* Address is specified but the rule family is not set accordingly */
> > > > > + if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR])
> > > > > + return -EINVAL;
> > > > 
> > > > With the change I'm proposing above, you can do all these attribute
> > > > sanity checks at the very beginning of the function.
> > > 
> > > I see your point. See later.
> > > 
> > > > 
> > > > > +
> > > > > + switch (priv->family) {
> > > > > + case NFPROTO_IPV4:
> > > > 
> > > > I'm missing a check like:
> > > > 
> > > > if (priv->family != NFPROTO_UNSPEC &&
> > > > ctx->family != priv->family)
> > > > return -EINVAL;
> > > > 
> > > > somewhere.
> > > 
> > > This switch basically does the same in a reverse logic, doesn't it?
> > > 
> > >   switch (ctx->family) {
> > >   case NFPROTO_IPV4:
> > >   if (priv->family != NFPROTO_IPV4)
> > >   return -EINVAL;
> > >   break;
> > >   case NFPROTO_IPV6:
> > >   if (priv->family != NFPROTO_IPV6)
> > >   return -EINVAL;
> > >   break;
> > >   }
> > > 
> > > > 
> > > > So 

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-27 Thread Máté Eckl
On Fri, Jul 13, 2018 at 02:43:46PM +0200, Máté Eckl wrote:
> On Fri, Jul 13, 2018 at 02:38:19PM +0200, Florian Westphal wrote:
> > Máté Eckl  wrote:
> > > But that means that this solution cannot support bridge family at all. Or 
> > > BRNF
> > > stands for something that can be interpreted as filter?
> > 
> > Currently bridge family has no special hooks, they are all 'filter'.
> > So it would be fine to only support numbers in my opinion.
> > 
> > We can revisit it later if needed.
> 
> I looked it up in iptables and it uses NF_BR_PRI_FILTER_BRIDGED for filter
> tables, so it would be inappropriate to translate 0 to filter here.
> 
> So yes, maybe we should leave bridge family alone.

What is your opinion about this, Pablo? Is it okay to leave bridge tables out of
this for now?
To implement this for them, I think we should expose the NF_BR_PRI_* values to the
uapi or something like that.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-27 Thread Máté Eckl
On Mon, Jul 16, 2018 at 09:58:44AM +0200, Máté Eckl wrote:
> On Tue, Jul 10, 2018 at 12:10:22PM +0200, Pablo Neira Ayuso wrote:
> > > diff --git a/src/parser_bison.y b/src/parser_bison.y
> > > index 98bfeba..2b7d7cc 100644
> > > --- a/src/parser_bison.y
> > > +++ b/src/parser_bison.y
> > > @@ -182,6 +182,8 @@ int nft_lex(void *, void *, void *);
> > >  %token AT"@"
> > >  %token VMAP  "vmap"
> > >  
> > > +%token PLUS  "+"
> > > +
> > >  %token INCLUDE   "include"
> > >  %token DEFINE"define"
> > >  %token REDEFINE  "redefine"
> > > @@ -522,6 +524,7 @@ int nft_lex(void *, void *, void *);
> > >  %typeset_spec setid_spec set_identifier 
> > > flowtable_identifier obj_spec objid_spec obj_identifier
> > >  %destructor { handle_free(&$$); } set_spec setid_spec set_identifier 
> > > obj_spec objid_spec obj_identifier
> > >  %type   family_spec family_spec_explicit 
> > > chain_policy prio_spec
> > > +%typestr_prio_spec
> > >  
> > >  %typedev_spec quota_unit
> > >  %destructor { xfree($$); }   dev_spec quota_unit
> > > @@ -1633,7 +1636,7 @@ flowtable_block_alloc   :   /* empty */
> > >  flowtable_block  :   /* empty */ { $$ = $-1; }
> > >   |   flowtable_block common_block
> > >   |   flowtable_block stmt_separator
> > > - |   flowtable_block HOOKSTRING  
> > > PRIORITYprio_spec   stmt_separator
> > > + |   flowtable_block HOOKSTRING  
> > > PRIORITYstr_prio_spec   stmt_separator
> > >   {
> > >   $$->hookstr = chain_hookname_lookup($3);
> > >   if ($$->hookstr == NULL) {
> > > @@ -1644,7 +1647,7 @@ flowtable_block :   /* empty */ 
> > > { $$ = $-1; }
> > >   }
> > >   xfree($3);
> > >  
> > > - $$->priority = $5;
> > > + $$->priostr = $5;
> > >   }
> > >   |   flowtable_block DEVICES '=' 
> > > flowtable_expr  stmt_separator
> > >   {
> > > @@ -1766,7 +1769,7 @@ type_identifier :   STRING  { $$ = 
> > > $1; }
> > >   |   CLASSID { $$ = xstrdup("classid"); }
> > >   ;
> > >  
> > > -hook_spec:   TYPESTRING  HOOK
> > > STRING  dev_specPRIORITYprio_spec
> > > +hook_spec:   TYPESTRING  HOOK
> > > STRING  dev_specPRIORITYstr_prio_spec
> > >   {
> > >   const char *chain_type = 
> > > chain_type_name_lookup($2);
> > >  
> > > @@ -1789,13 +1792,34 @@ hook_spec :   TYPESTRING  
> > > HOOKSTRING  dev_specPRIORITY
> > > prio_spec
> > >   xfree($4);
> > >  
> > >   $0->dev  = $5;
> > > - $0->priority = $7;
> > > + $0->priostr  = $7;
> > >   $0->flags|= CHAIN_F_BASECHAIN;
> > >   }
> > >   ;
> > >  
> > > -prio_spec:   NUM { $$ = $1; }
> > > - |   DASHNUM { $$ = -$2; }
> > > +str_prio_spec:   prio_spec
> > > + {
> > > + char buf[STD_PRIO_BUFSIZE];
> > > + snprintf(buf, STD_PRIO_BUFSIZE, "%d", (int)$1);
> > > + $$ = xstrdup(buf);
> > > + }
> > > + |   STRING  { $$ = xstrdup($1); }
> > > + |   STRING PLUS NUM
> > > + {
> > > + char buf[STD_PRIO_BUFSIZE];
> &

Re: [PATCH v4 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-27 Thread Máté Eckl
On Mon, Jul 23, 2018 at 09:28:27AM +0200, Máté Eckl wrote:
> On Fri, Jul 20, 2018 at 03:28:31PM +0200, Pablo Neira Ayuso wrote:
> > Hi Mate,
> > 
> > A few cosmetic comments on the _init path, and one concern about a probably
> > missing sanity check, also from the _init path; see below.
> > 
> > On Fri, Jul 20, 2018 at 09:34:14AM +0200, Máté Eckl wrote:

[...]

> > > +static int nft_tproxy_init(const struct nft_ctx *ctx,
> > > +const struct nft_expr *expr,
> > > +const struct nlattr * const tb[])
> > > +{
> > > + struct nft_tproxy *priv = nft_expr_priv(expr);
> > > + unsigned int alen = 0;
> > > + int err;
> > 
> > Probably check here:
> > 
> > if (!tb[NFTA_TPROXY_FAMILY])
> > return -EINVAL;
> > 
> > family = ...;
> > 
> > So we can reuse the switch() below...
> > 
> > > +
> > > + switch (ctx->family) {
> > > + case NFPROTO_IPV4:
> > > +#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
> > > + case NFPROTO_IPV6:
> > > +#endif
> > > + case NFPROTO_INET:
> > 
> > I think you have to update this to NFPROTO_UNSPEC.
> 
> No, because this is the ctx->family, not the priv->family. This has to be done so
> that a tproxy statement cannot be added to a netdev (or arp, etc.) table.
> 
> > 
> > > + break;
> > > + default:
> > > + return -EOPNOTSUPP;
> > > + }
> > > +
> > > + if (!tb[NFTA_TPROXY_FAMILY] ||
> > > + (!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT]))
> > > + return -EINVAL;
> > > +
> > > + priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
> > > + switch (ctx->family) {
> > 
> > To do what we're doing this in this switch() ...
> > 
> > > + case NFPROTO_IPV4:
> > > + if (priv->family != NFPROTO_IPV4)
> > > + return -EINVAL;
> > > + break;
> > > + case NFPROTO_IPV6:
> > > + if (priv->family != NFPROTO_IPV6)
> > > + return -EINVAL;
> > > + break;
> > > + }
> > > +
> > > + /* Address is specified but the rule family is not set accordingly */
> > > + if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR])
> > > + return -EINVAL;
> > 
> > With the change I'm proposing above, you can do all these attribute
> > sanity checks at the very beginning of the function.
> 
> I see your point. See later.
> 
> > 
> > > +
> > > + switch (priv->family) {
> > > + case NFPROTO_IPV4:
> > 
> > I'm missing a check like:
> > 
> > if (priv->family != NFPROTO_UNSPEC &&
> > ctx->family != priv->family)
> > return -EINVAL;
> > 
> > somewhere.
> 
> This switch basically does the same in a reverse logic, doesn't it?
> 
>   switch (ctx->family) {
>   case NFPROTO_IPV4:
>   if (priv->family != NFPROTO_IPV4)
>   return -EINVAL;
>   break;
>   case NFPROTO_IPV6:
>   if (priv->family != NFPROTO_IPV6)
>   return -EINVAL;
>   break;
>   }
> 
> > 
> > So we don't allow crazy things like, priv->family == NFPROTO_IPV6 from
> > ctx->family == NFPROTO_IPV4... I may be wrong but I think it's still
> > possible with this code.
> 
> The switch above rejects this with -EINVAL.
> 
> How about this:
> 
>   static int nft_tproxy_init(const struct nft_ctx *ctx,
>  const struct nft_expr *expr,
>  const struct nlattr * const tb[])
>   {
>   struct nft_tproxy *priv = nft_expr_priv(expr);
>   unsigned int alen = 0;
>   int err;
> 
>   if (!tb[NFTA_TPROXY_FAMILY] ||
>   (!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT]))
>   return -EINVAL;
> 
>   priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
> 
>   switch (ctx->family) {
>   case NFPROTO_IPV4:
>   if (priv->family != NFPROTO_IPV4)
>   return -EINVAL;
>   break;
>   #if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
>   case NFPROTO_IPV6:
>   if (priv->family != NFPROTO_IPV6)
>   return -EINVAL;
>   break;
>   #endif
>   case NFPROTO_INET:
>   break;
>   default:
>   return -EOPNOTSUPP;
>   }
> 
>   /* Address is specified but the rule family is not set accordingly */
>   if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR])
>   return -EINVAL;
>   [...]
> 
> I think this addresses all of your concerns.

What do you think? If you are satisfied, I'll send in a new version.

[...]
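The attribute sanity checks debated in this thread, as an added userspace C model written for this page (it is not the kernel's nft_tproxy.c): it keeps the order Máté proposed (presence checks, table family against statement family, UNSPEC with an address) and runs a constructed accept/reject matrix drawn from the thread and the tproxy.t tests. The NFPROTO_* values are the kernel uapi constants; the -EINVAL returned for families outside the three documented ones is an assumption, since that part of the init function is truncated on the page.

```c
/* Userspace model of the attribute sanity checks discussed above for
 * nft_tproxy_init(); written for this page, not the kernel's code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* NFPROTO_* values as defined in the kernel uapi (linux/netfilter.h). */
enum {
	NFPROTO_UNSPEC = 0, NFPROTO_INET = 1, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3,
	NFPROTO_NETDEV = 5, NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10,
};
/* Stand-in for the parsed nlattr table tb[]: which attributes were sent. */
struct tproxy_attrs {
	bool have_family;		/* tb[NFTA_TPROXY_FAMILY] != NULL */
	unsigned int family;		/* its value, an NFPROTO_* constant */
	bool have_addr;			/* tb[NFTA_TPROXY_REG_ADDR] != NULL */
	bool have_port;			/* tb[NFTA_TPROXY_REG_PORT] != NULL */
};

/* Same order as the version proposed in the thread: presence checks, then
 * table family against statement family, then UNSPEC with an address.
 * Returns 0 and sets *priv_family, or -EINVAL / -EOPNOTSUPP. */
int tproxy_init_check(unsigned int ctx_family, const struct tproxy_attrs *tb,
		      unsigned int *priv_family)
{
	/* FAMILY is mandatory and at least one of ADDR/PORT must be present;
	 * this runs before tb[FAMILY] is read, which is Pablo's ordering point. */
	if (!tb->have_family || (!tb->have_addr && !tb->have_port))
		return -EINVAL;
	*priv_family = tb->family;

	switch (ctx_family) {
	case NFPROTO_IPV4:		/* ip table: statement must be ip */
		if (*priv_family != NFPROTO_IPV4)
			return -EINVAL;
		break;
	case NFPROTO_IPV6:		/* ip6 table: statement must be ip6 */
		if (*priv_family != NFPROTO_IPV6)
			return -EINVAL;
		break;
	case NFPROTO_INET:		/* inet table: ip, ip6 or unspecified */
		break;
	default:			/* netdev, arp, bridge...: no tproxy here */
		return -EOPNOTSUPP;
	}
	/* An address register without ip/ip6: the address length is unknown. */
	if (*priv_family == NFPROTO_UNSPEC && tb->have_addr)
		return -EINVAL;
	/* Only the three documented values are legal; the kernel's later
	 * switch (priv->family) is truncated on the page, so -EINVAL is assumed. */
	if (*priv_family != NFPROTO_IPV4 && *priv_family != NFPROTO_IPV6 &&
	    *priv_family != NFPROTO_UNSPEC)
		return -EINVAL;
	return 0;
}

/* Convenience wrapper for a single check. */
int tproxy_check(unsigned int ctx_family, bool have_family,
		 unsigned int family, bool have_addr, bool have_port)
{
	struct tproxy_attrs tb = { have_family, family, have_addr, have_port };
	unsigned int priv_family = 0;
	return tproxy_init_check(ctx_family, &tb, &priv_family);
}

/* Constructed accept/reject matrix, following the thread and the tproxy.t
 * tests: an ip/ip6 keyword means FAMILY is ip/ip6; in an inet table its
 * absence means NFPROTO_UNSPEC. */
struct tproxy_case { unsigned int ctx_family; struct tproxy_attrs tb; int expect; };

static const struct tproxy_case cases[] = {
	{ NFPROTO_IPV4,   { true,  NFPROTO_IPV4,   true,  false }, 0 },
	{ NFPROTO_IPV4,   { true,  NFPROTO_IPV4,   false, true  }, 0 },
	{ NFPROTO_IPV4,   { true,  NFPROTO_IPV6,   true,  false }, -EINVAL },
	{ NFPROTO_IPV4,   { false, 0,              true,  false }, -EINVAL },
	{ NFPROTO_IPV6,   { true,  NFPROTO_IPV6,   false, true  }, 0 },
	{ NFPROTO_IPV6,   { true,  NFPROTO_IPV4,   true,  false }, -EINVAL },
	{ NFPROTO_INET,   { true,  NFPROTO_IPV4,   true,  true  }, 0 },
	{ NFPROTO_INET,   { true,  NFPROTO_IPV6,   true,  false }, 0 },
	{ NFPROTO_INET,   { true,  NFPROTO_UNSPEC, false, true  }, 0 },
	{ NFPROTO_INET,   { true,  NFPROTO_UNSPEC, true,  false }, -EINVAL },
	{ NFPROTO_INET,   { true,  NFPROTO_ARP,    false, true  }, -EINVAL },
	{ NFPROTO_NETDEV, { true,  NFPROTO_IPV4,   true,  false }, -EOPNOTSUPP },
};
/* Runs every row; returns how many results differ from the expectation. */
int tproxy_matrix_mismatches(void)
{
	int bad = 0;
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		unsigned int fam = 0;
		int rc = tproxy_init_check(cases[i].ctx_family, &cases[i].tb, &fam);
		if (rc != cases[i].expect) {
			printf("case %zu: got %d, expected %d\n", i, rc, cases[i].expect);
			bad++;
		}
	}
	return bad;
}

int main(void) { return tproxy_matrix_mismatches() ? 1 : 0; }
```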


Re: [PATCH v4 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-23 Thread Máté Eckl
On Fri, Jul 20, 2018 at 03:28:31PM +0200, Pablo Neira Ayuso wrote:
> Hi Mate,
> 
> A few cosmetic comments on the _init path, and one concern about a probably
> missing sanity check, also from the _init path; see below.
> 
> On Fri, Jul 20, 2018 at 09:34:14AM +0200, Máté Eckl wrote:
> > A great portion of the code is taken from xt_TPROXY.c
> > 
> > There are some changes compared to the iptables implementation:
> >  - tproxy statement is not terminal here
> >  - Either address or port has to be specified, but at least one of them
> >is necessary. If one of them is not specified, the evaluation will be
> >performed with the original attribute of the packet (ie. target port
> >is not specified => the packet's dport will be used).
> > 
> > To make this work in inet tables, the tproxy structure has a family
> > member (typically called priv->family) which is not necessarily equal to
> > ctx->family.
> > 
> > priv->family can have three values legally:
> >  - NFPROTO_IPV4 if the table family is ip OR if table family is inet,
> >but an ipv4 address is specified as a target address. The rule only
> >evaluates ipv4 packets in this case.
> >  - NFPROTO_IPV6 if the table family is ip6 OR if table family is inet,
> >but an ipv6 address is specified as a target address. The rule only
> >evaluates ipv6 packets in this case.
> >  - NFPROTO_UNSPEC if the table family is inet AND if only the port is
> >specified. The rule will evaluate both ipv4 and ipv6 packets.
> > 
> > Signed-off-by: Máté Eckl 
> > ---
> > v2:
> >  - address or port is now compulsory
> >  - nf_defrag_ipv{4,6}_enable called in init
> >  - nft_tproxy now selects NF_DEFRAG_IPV4/6
> >  - Add transport header presence test in ipv4 eval (in ipv6 it was
> >already present)
> >  - Add check for the case when address is specified but the rule family
> >is not set accordingly
> > 
> > v3:
> >  - Fix tproxy and context family compatibility test in init
> > 
> > v4:
> >  - Fix module test macros. Use NF_TABLES_IPV6 as dependency for
> >compiling ipv6 related functions.
> >  - Apply cosmetic changes what Pablo suggested.
> >  - Use NFPROTO_UNSPEC when only port is specified in inet tables.
> >  - Conform 5711b4e89319 ("netfilter: nf_tproxy: fix possible non-linear 
> > access to transport header") in nf tree
> >  - More detailed commit message.
> > 
> >  include/uapi/linux/netfilter/nf_tables.h |  16 ++
> >  net/netfilter/Kconfig|  10 +
> >  net/netfilter/Makefile   |   1 +
> >  net/netfilter/nft_tproxy.c   | 320 +++
> >  4 files changed, 347 insertions(+)
> >  create mode 100644 net/netfilter/nft_tproxy.c
> > 
> > diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> > b/include/uapi/linux/netfilter/nf_tables.h
> > index 89438e68dc03..e58d2b70dde7 100644
> > --- a/include/uapi/linux/netfilter/nf_tables.h
> > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > @@ -1250,6 +1250,22 @@ enum nft_nat_attributes {
> >  };
> >  #define NFTA_NAT_MAX   (__NFTA_NAT_MAX - 1)
> >  
> > +/**
> > + * enum nft_tproxy_attributes - nf_tables tproxy expression netlink 
> > attributes
> > + *
> > + * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
> > + * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
> > + * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
> > + */
> > +enum nft_tproxy_attributes {
> > +   NFTA_TPROXY_UNSPEC,
> > +   NFTA_TPROXY_FAMILY,
> > +   NFTA_TPROXY_REG_ADDR,
> > +   NFTA_TPROXY_REG_PORT,
> > +   __NFTA_TPROXY_MAX
> > +};
> > +#define NFTA_TPROXY_MAX(__NFTA_TPROXY_MAX - 1)
> > +
> >  /**
> >   * enum nft_masq_attributes - nf_tables masquerade expression attributes
> >   *
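Review bot: the NFTA_TPROXY_FAMILY line of the new kernel-doc block says '(NLA_U32: nft_registers)', but this attribute carries an NFPROTO_* value (init reads it with ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY])) into priv->family), not a register; only REG_ADDR and REG_PORT are registers, so '(NLA_U32)' is the accurate description. The member lines also lack the leading '@' that kernel-doc expects ('@NFTA_TPROXY_FAMILY:').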
> > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> > index 6c65d756e603..fc570c22a860 100644
> > --- a/net/netfilter/Kconfig
> > +++ b/net/netfilter/Kconfig
> > @@ -633,6 +633,16 @@ config NFT_SOCKET
> >   This option allows matching for the presence or absence of a
> >   corresponding socket and its attributes.
> >  
> > +config NFT_TPROXY
> > +   tristate "Netfilter nf_tables tproxy support"
> > +   depends on IPV6 || IPV6=n
> > +   select NF_DEFRAG_IPV4
> > +   select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
> > +   select NF_TPROXY_IPV4
> > +   select NF_

[PATCH v3 nft] tests: py: Add test cases for tproxy support

2018-07-20 Thread Máté Eckl
v3: update payloads according to libnftnl changes
-- 8< --

Signed-off-by: Máté Eckl 
---
 tests/py/inet/tproxy.t | 20 
 tests/py/inet/tproxy.t.payload | 37 
 tests/py/ip/tproxy.t   | 14 +++
 tests/py/ip/tproxy.t.payload   | 22 +
 tests/py/ip6/tproxy.t  | 16 +
 tests/py/ip6/tproxy.t.payload  | 44 ++
 6 files changed, 153 insertions(+)
 create mode 100644 tests/py/inet/tproxy.t
 create mode 100644 tests/py/inet/tproxy.t.payload
 create mode 100644 tests/py/ip/tproxy.t
 create mode 100644 tests/py/ip/tproxy.t.payload
 create mode 100644 tests/py/ip6/tproxy.t
 create mode 100644 tests/py/ip6/tproxy.t.payload

diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
new file mode 100644
index 000..f80f773
--- /dev/null
+++ b/tests/py/inet/tproxy.t
@@ -0,0 +1,20 @@
+:y;type filter hook prerouting priority -150
+
+*inet;x;y
+
+tproxy;fail
+meta l4proto 17 tproxy to 192.0.2.1;fail
+meta l4proto 6 tproxy to 192.0.2.1:50080;fail
+meta l4proto 17 tproxy ip to 192.0.2.1;ok
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok
+ip protocol 6 tproxy ip6 to [2001:db8::1];fail
+
+meta l4proto 6 tproxy to [2001:db8::1];fail
+meta l4proto 17 tproxy to [2001:db8::1]:50080;fail
+meta l4proto 6 tproxy ip6 to [2001:db8::1];ok
+meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok
+ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail
+
+meta l4proto 17 tproxy ip to :50080;fail
+meta l4proto 17 tproxy ip6 to :50080;fail
+meta l4proto 17 tproxy to :50080;ok
diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
new file mode 100644
index 000..4b18460
--- /dev/null
+++ b/tests/py/inet/tproxy.t.payload
@@ -0,0 +1,37 @@
+# meta l4proto 17 tproxy ip to 192.0.2.1
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ immediate reg 2 0xa0c3 ]
+  [ tproxy ip addr reg 1 port reg 2 ]
+
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0xb80d0120 0x 0x 0x0100 ]
+  [ tproxy ip6 addr reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0xb80d0120 0x 0x 0x0100 ]
+  [ immediate reg 2 0xa0c3 ]
+  [ tproxy ip6 addr reg 1 port reg 2 ]
+
+# meta l4proto 17 tproxy to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0xa0c3 ]
+  [ tproxy port reg 1 ]
+
diff --git a/tests/py/ip/tproxy.t b/tests/py/ip/tproxy.t
new file mode 100644
index 000..6e959f4
--- /dev/null
+++ b/tests/py/ip/tproxy.t
@@ -0,0 +1,14 @@
+:y;type filter hook prerouting priority -150
+
+*ip;x;y
+
+tproxy;fail
+tproxy to 192.0.2.1;fail
+tproxy to 192.0.2.1:50080;fail
+tproxy to :50080;fail
+meta l4proto 17 tproxy to 192.0.2.1;ok
+meta l4proto 6 tproxy to 192.0.2.1:50080;ok
+ip protocol 6 tproxy to :50080;ok
+meta l4proto 17 tproxy ip to 192.0.2.1;fail
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;fail
+ip protocol 6 tproxy ip to :50080;fail
diff --git a/tests/py/ip/tproxy.t.payload b/tests/py/ip/tproxy.t.payload
new file mode 100644
index 000..9a899a8
--- /dev/null
+++ b/tests/py/ip/tproxy.t.payload
@@ -0,0 +1,22 @@
+# meta l4proto 17 tproxy to 192.0.2.1
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy to 192.0.2.1:50080
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ immediate reg 2 0xa0c3 ]
+  [ tproxy ip addr reg 1 port reg 2 ]
+
+# ip protocol 6 tproxy to :50080
+ip x y 
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0xa0c3 ]
+  [ tproxy ip port reg 1 ]
+
diff --git a/tests/py/ip6/tproxy.t b/tests/py/ip6/tproxy.t
new file mode 100644
index 000..dcd2bd8
--- /dev/null
+++ b/tests/py/ip6/tproxy.t
@@ -0,0 +1,16 @@
+:y;type filter hook prerouting priority -150
+
+*ip6;x;y
+
+tproxy;fail
+tproxy to [2001:db8::1];fail
+tproxy to [2001:db8::1]:50080;fail
+tproxy to :50080;fail
+meta l4proto 6 tproxy to [2001:db8::1];ok
+meta l4proto 17 tproxy to [2001:db8::1]:50080;ok
+meta l4proto 6 tproxy to :50080;ok
+meta l4proto 6 tproxy ip6 to [2001:db8::1];fail
+meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;fail
+meta l4proto 6 tproxy ip6 to :50080;fail
+
+
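Review bot: the new tests/py/ip6/tproxy.t ends with two empty '+' lines, leaving trailing blank lines at end of file that the inet and ip variants do not have; drop them.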
diff --git a/tests/py/ip6/tproxy.t.payload b/tests/py/ip6/tproxy.t.payload
new file mode 100644
index 000..d03beee
--- /dev/null
+++ b/tests/py/ip6/tproxy.t.paylo

Re: [PATCH v2 nft] tests: py: Add test cases for tproxy support

2018-07-20 Thread Máté Eckl
On Fri, Jul 20, 2018 at 09:41:32AM +0200, Máté Eckl wrote:
> Signed-off-by: Máté Eckl 
> ---
> v2: update payloads according to libnftnl changes
Sorry, it should've been tagged v3. I'll send a new one tagged v3.


[PATCH v2 nft] tests: py: Add test cases for tproxy support

2018-07-20 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
v2: update payloads according to libnftnl changes

 tests/py/inet/tproxy.t | 20 
 tests/py/inet/tproxy.t.payload | 37 
 tests/py/ip/tproxy.t   | 14 +++
 tests/py/ip/tproxy.t.payload   | 22 +
 tests/py/ip6/tproxy.t  | 16 +
 tests/py/ip6/tproxy.t.payload  | 44 ++
 6 files changed, 153 insertions(+)
 create mode 100644 tests/py/inet/tproxy.t
 create mode 100644 tests/py/inet/tproxy.t.payload
 create mode 100644 tests/py/ip/tproxy.t
 create mode 100644 tests/py/ip/tproxy.t.payload
 create mode 100644 tests/py/ip6/tproxy.t
 create mode 100644 tests/py/ip6/tproxy.t.payload

diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
new file mode 100644
index 000..f80f773
--- /dev/null
+++ b/tests/py/inet/tproxy.t
@@ -0,0 +1,20 @@
+:y;type filter hook prerouting priority -150
+
+*inet;x;y
+
+tproxy;fail
+meta l4proto 17 tproxy to 192.0.2.1;fail
+meta l4proto 6 tproxy to 192.0.2.1:50080;fail
+meta l4proto 17 tproxy ip to 192.0.2.1;ok
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok
+ip protocol 6 tproxy ip6 to [2001:db8::1];fail
+
+meta l4proto 6 tproxy to [2001:db8::1];fail
+meta l4proto 17 tproxy to [2001:db8::1]:50080;fail
+meta l4proto 6 tproxy ip6 to [2001:db8::1];ok
+meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok
+ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail
+
+meta l4proto 17 tproxy ip to :50080;fail
+meta l4proto 17 tproxy ip6 to :50080;fail
+meta l4proto 17 tproxy to :50080;ok
diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
new file mode 100644
index 000..4b18460
--- /dev/null
+++ b/tests/py/inet/tproxy.t.payload
@@ -0,0 +1,37 @@
+# meta l4proto 17 tproxy ip to 192.0.2.1
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ immediate reg 2 0xa0c3 ]
+  [ tproxy ip addr reg 1 port reg 2 ]
+
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0xb80d0120 0x 0x 0x0100 ]
+  [ tproxy ip6 addr reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0xb80d0120 0x 0x 0x0100 ]
+  [ immediate reg 2 0xa0c3 ]
+  [ tproxy ip6 addr reg 1 port reg 2 ]
+
+# meta l4proto 17 tproxy to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0xa0c3 ]
+  [ tproxy port reg 1 ]
+
diff --git a/tests/py/ip/tproxy.t b/tests/py/ip/tproxy.t
new file mode 100644
index 000..6e959f4
--- /dev/null
+++ b/tests/py/ip/tproxy.t
@@ -0,0 +1,14 @@
+:y;type filter hook prerouting priority -150
+
+*ip;x;y
+
+tproxy;fail
+tproxy to 192.0.2.1;fail
+tproxy to 192.0.2.1:50080;fail
+tproxy to :50080;fail
+meta l4proto 17 tproxy to 192.0.2.1;ok
+meta l4proto 6 tproxy to 192.0.2.1:50080;ok
+ip protocol 6 tproxy to :50080;ok
+meta l4proto 17 tproxy ip to 192.0.2.1;fail
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;fail
+ip protocol 6 tproxy ip to :50080;fail
diff --git a/tests/py/ip/tproxy.t.payload b/tests/py/ip/tproxy.t.payload
new file mode 100644
index 000..9a899a8
--- /dev/null
+++ b/tests/py/ip/tproxy.t.payload
@@ -0,0 +1,22 @@
+# meta l4proto 17 tproxy to 192.0.2.1
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy to 192.0.2.1:50080
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ immediate reg 2 0xa0c3 ]
+  [ tproxy ip addr reg 1 port reg 2 ]
+
+# ip protocol 6 tproxy to :50080
+ip x y 
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0xa0c3 ]
+  [ tproxy ip port reg 1 ]
+
diff --git a/tests/py/ip6/tproxy.t b/tests/py/ip6/tproxy.t
new file mode 100644
index 000..dcd2bd8
--- /dev/null
+++ b/tests/py/ip6/tproxy.t
@@ -0,0 +1,16 @@
+:y;type filter hook prerouting priority -150
+
+*ip6;x;y
+
+tproxy;fail
+tproxy to [2001:db8::1];fail
+tproxy to [2001:db8::1]:50080;fail
+tproxy to :50080;fail
+meta l4proto 6 tproxy to [2001:db8::1];ok
+meta l4proto 17 tproxy to [2001:db8::1]:50080;ok
+meta l4proto 6 tproxy to :50080;ok
+meta l4proto 6 tproxy ip6 to [2001:db8::1];fail
+meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;fail
+meta l4proto 6 tproxy ip6 to :50080;fail
+
+
diff --git a/tests/py/ip6/tproxy.t.payload b/tests/py/ip6/tproxy.t.payload
new file mode 100644
index 000..d03beee
--- /dev/null
+++ b/tests/py/ip6/tproxy.t.payload
@@ -0,0 +1

[PATCH v3 nft] Add tproxy support

2018-07-20 Thread Máté Eckl
This patch adds support for transparent proxy functionality which is
supported in ip, ip6 and inet tables.

The syntax is the following:
tproxy [{|ip|ip6}] to {|:|:}

It looks for a socket listening on the specified address or port and
assigns it to the matching packet.

In an inet table, a packet matches for both families unless an address is
specified. The network protocol family has to be specified **only** in inet
tables, and only if an address is specified.

As transparent proxy support is implemented for sockets with layer 4
information, a transport protocol header criterion has to be set in the
same rule, e.g. 'meta l4proto tcp' or 'udp dport '.

Example ruleset:
table ip x {
	chain y {
		type filter hook prerouting priority -150; policy accept;
		tcp dport ntp tproxy to 1.1.1.1
		udp dport ssh tproxy to :
	}
}
table ip6 x {
	chain y {
		type filter hook prerouting priority -150; policy accept;
		tcp dport ntp tproxy to [dead::beef]
		udp dport ssh tproxy to :
	}
}
table inet x {
	chain y {
		type filter hook prerouting priority -150; policy accept;
		tcp dport 321 tproxy to :ssh
		tcp dport 99 tproxy ip to 1.1.1.1:999
		udp dport 155 tproxy ip6 to [dead::beef]:smux
	}
}

Signed-off-by: Máté Eckl 
---
v2:
 - tproxy statement without arguments is not supported
 - Add transport protocol matching criterion to address evaluation.
 - Specify network layer protocol in inet tables

v3:
 - use NFPROTO_UNSPEC when only port is specified in inet tables.

 include/linux/netfilter/nf_tables.h | 16 ++
 include/statement.h | 11 
 src/evaluate.c  | 82 +
 src/netlink_delinearize.c   | 53 +++
 src/netlink_linearize.c | 41 +++
 src/parser_bison.y  | 44 
 src/scanner.l   |  2 +
 src/statement.c | 45 
 8 files changed, 294 insertions(+)

diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 88e0ca1..d98cebb 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1231,6 +1231,22 @@ enum nft_nat_attributes {
 };
 #define NFTA_NAT_MAX   (__NFTA_NAT_MAX - 1)
 
+/**
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
+ *
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
+ */
+enum nft_tproxy_attributes {
+   NFTA_TPROXY_UNSPEC,
+   NFTA_TPROXY_FAMILY,
+   NFTA_TPROXY_REG_ADDR,
+   NFTA_TPROXY_REG_PORT,
+   __NFTA_TPROXY_MAX
+};
+#define NFTA_TPROXY_MAX(__NFTA_TPROXY_MAX - 1)
+
 /**
  * enum nft_masq_attributes - nf_tables masquerade expression attributes
  *
diff --git a/include/statement.h b/include/statement.h
index 5a907aa..7840e9d 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -128,6 +128,15 @@ struct nat_stmt {
 extern struct stmt *nat_stmt_alloc(const struct location *loc,
   enum nft_nat_etypes type);
 
+struct tproxy_stmt {
+   struct expr *addr;
+   struct expr *port;
+   uint8_t family;
+   uint8_t table_family; /* only used for printing the rule */
+};
+
+extern struct stmt *tproxy_stmt_alloc(const struct location *loc);
+
 struct queue_stmt {
struct expr *queue;
uint16_tflags;
@@ -271,6 +280,7 @@ enum stmt_types {
STMT_LOG,
STMT_REJECT,
STMT_NAT,
+   STMT_TPROXY,
STMT_QUEUE,
STMT_CT,
STMT_SET,
@@ -337,6 +347,7 @@ struct stmt {
struct limit_stmt   limit;
struct reject_stmt  reject;
struct nat_stmt nat;
+   struct tproxy_stmt  tproxy;
struct queue_stmt   queue;
struct quota_stmt   quota;
struct ct_stmt  ct;
diff --git a/src/evaluate.c b/src/evaluate.c
index 61cdff0..2862085 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2482,6 +2482,86 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, 
struct stmt *stmt)
return 0;
 }
 
+static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
+{
+   const struct datatype *dtype;
+   int err, len;
+
+   switch (ctx->pctx.family) {
+   case NFPROTO_IPV4:
+   case NFPROTO_IPV6:
+   case NFPROTO_INET:
+   br

[PATCH v2 libnftnl] Add tproxy support

2018-07-20 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
v2:
 - don't print tproxy keyword twice
 - don't print 'unknown' when tproxy->family is NFPROTO_UNSPEC, which is
   possible when only the port is specified in an inet table.

 include/libnftnl/expr.h |   6 +
 include/linux/netfilter/nf_tables.h |  16 +++
 src/Makefile.am |   1 +
 src/expr/tproxy.c   | 205 
 src/expr_ops.c  |   2 +
 5 files changed, 230 insertions(+)
 create mode 100644 src/expr/tproxy.c

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 219104e..141b04a 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -137,6 +137,12 @@ enum {
NFTNL_EXPR_NAT_FLAGS,
 };
 
+enum {
+   NFTNL_EXPR_TPROXY_FAMILY= NFTNL_EXPR_BASE,
+   NFTNL_EXPR_TPROXY_REG_ADDR,
+   NFTNL_EXPR_TPROXY_REG_PORT,
+};
+
 enum {
NFTNL_EXPR_LOOKUP_SREG  = NFTNL_EXPR_BASE,
NFTNL_EXPR_LOOKUP_DREG,
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 91449ef..18f385a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1223,6 +1223,22 @@ enum nft_nat_attributes {
 };
 #define NFTA_NAT_MAX   (__NFTA_NAT_MAX - 1)
 
+/**
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
+ *
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
+ */
+enum nft_tproxy_attributes {
+   NFTA_TPROXY_UNSPEC,
+   NFTA_TPROXY_FAMILY,
+   NFTA_TPROXY_REG_ADDR,
+   NFTA_TPROXY_REG_PORT,
+   __NFTA_TPROXY_MAX
+};
+#define NFTA_TPROXY_MAX(__NFTA_TPROXY_MAX - 1)
+
 /**
  * enum nft_masq_attributes - nf_tables masquerade expression attributes
  *
diff --git a/src/Makefile.am b/src/Makefile.am
index c66a257..fc03661 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -45,6 +45,7 @@ libnftnl_la_SOURCES = utils.c \
  expr/meta.c   \
  expr/numgen.c \
  expr/nat.c\
+ expr/tproxy.c \
  expr/objref.c \
  expr/payload.c\
  expr/queue.c  \
diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
new file mode 100644
index 000..6fae172
--- /dev/null
+++ b/src/expr/tproxy.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (c) 2018 Máté Eckl 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include "internal.h"
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct nftnl_expr_tproxy {
+   enum nft_registers sreg_addr;
+   enum nft_registers sreg_port;
+   intfamily;
+};
+
+static int
+nftnl_expr_tproxy_set(struct nftnl_expr *e, uint16_t type,
+ const void *data, uint32_t data_len)
+{
+   struct nftnl_expr_tproxy *tproxy = nftnl_expr_data(e);
+
+   switch(type) {
+   case NFTNL_EXPR_TPROXY_FAMILY:
+   tproxy->family = *((uint32_t *)data);
+   break;
+   case NFTNL_EXPR_TPROXY_REG_ADDR:
+   tproxy->sreg_addr = *((uint32_t *)data);
+   break;
+   case NFTNL_EXPR_TPROXY_REG_PORT:
+   tproxy->sreg_port = *((uint32_t *)data);
+   break;
+   default:
+   return -1;
+   }
+
+   return 0;
+}
+
+static const void *
+nftnl_expr_tproxy_get(const struct nftnl_expr *e, uint16_t type,
+ uint32_t *data_len)
+{
+   struct nftnl_expr_tproxy *tproxy = nftnl_expr_data(e);
+
+   switch(type) {
+   case NFTNL_EXPR_TPROXY_FAMILY:
+   *data_len = sizeof(tproxy->family);
+   return >family;
+   case NFTNL_EXPR_TPROXY_REG_ADDR:
+   *data_len = sizeof(tproxy->sreg_addr);
+   return >sreg_addr;
+   case NFTNL_EXPR_TPROXY_REG_PORT:
+   *data_len = sizeof(tproxy->sreg_port);
+   return >sreg_port;
+   }
+   return NULL;
+}
+
+static int nftnl_expr_tproxy_cb(const struct nlattr *attr, void *data)
+{
+   const struct nlattr **tb = data;
+   int type = mnl_attr_get_type(attr);
+
+   if (mnl_attr_type_valid(attr, NFTA_TPROXY_MAX) < 0)
+   return MNL_CB_OK;
+
+   switch(type) {
+   case NFTA_TPROXY_FAMILY:
+   case NFTA_TPROXY_REG_ADDR:
+   case NFTA_TPROXY_REG_PORT:
+   if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+   abi_breakage();
+   
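Review bot: `struct nftnl_expr_tproxy` declares `family` as `int`, while `nftnl_expr_tproxy_set()` copies `*((uint32_t *)data)` into it, `nftnl_expr_tproxy_get()` hands back `sizeof(tproxy->family)` bytes of it, and the netlink callback validates the attribute as MNL_TYPE_U32; declare it `uint32_t family;` so the in-memory type matches what is copied in and out (the two register fields are already `enum nft_registers`, as in the other expressions). Style: `switch(type)` should be `switch (type)` in all three functions.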

[PATCH v4 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-20 Thread Máté Eckl
A great portion of the code is taken from xt_TPROXY.c

There are some changes compared to the iptables implementation:
 - tproxy statement is not terminal here
 - Either address or port has to be specified, but at least one of them
   is necessary. If one of them is not specified, the evaluation will be
   performed with the original attribute of the packet (ie. target port
   is not specified => the packet's dport will be used).

To make this work in inet tables, the tproxy structure has a family
member (typically called priv->family) which is not necessarily equal to
ctx->family.

priv->family can have three values legally:
 - NFPROTO_IPV4 if the table family is ip OR if table family is inet,
   but an ipv4 address is specified as a target address. The rule only
   evaluates ipv4 packets in this case.
 - NFPROTO_IPV6 if the table family is ip6 OR if table family is inet,
   but an ipv6 address is specified as a target address. The rule only
   evaluates ipv6 packets in this case.
 - NFPROTO_UNSPEC if the table family is inet AND if only the port is
   specified. The rule will evaluate both ipv4 and ipv6 packets.

Signed-off-by: Máté Eckl 
---
v2:
 - address or port is now compulsory
 - nf_defrag_ipv{4,6}_enable called in init
 - nft_tproxy now selects NF_DEFRAG_IPV4/6
 - Add transport header presence test in ipv4 eval (in ipv6 it was
   already present)
 - Add check for the case when address is specified but the rule family
   is not set accordingly

v3:
 - Fix tproxy and context family compatibility test in init

v4:
 - Fix module test macros. Use NF_TABLES_IPV6 as dependency for
   compiling ipv6 related functions.
 - Apply cosmetic changes what Pablo suggested.
 - Use NFPROTO_UNSPEC when only port is specified in inet tables.
 - Conform 5711b4e89319 ("netfilter: nf_tproxy: fix possible non-linear access 
to transport header") in nf tree
 - More detailed commit message.

 include/uapi/linux/netfilter/nf_tables.h |  16 ++
 net/netfilter/Kconfig|  10 +
 net/netfilter/Makefile   |   1 +
 net/netfilter/nft_tproxy.c   | 320 +++
 4 files changed, 347 insertions(+)
 create mode 100644 net/netfilter/nft_tproxy.c

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 89438e68dc03..e58d2b70dde7 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1250,6 +1250,22 @@ enum nft_nat_attributes {
 };
 #define NFTA_NAT_MAX   (__NFTA_NAT_MAX - 1)
 
+/**
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
+ *
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
+ */
+enum nft_tproxy_attributes {
+   NFTA_TPROXY_UNSPEC,
+   NFTA_TPROXY_FAMILY,
+   NFTA_TPROXY_REG_ADDR,
+   NFTA_TPROXY_REG_PORT,
+   __NFTA_TPROXY_MAX
+};
+#define NFTA_TPROXY_MAX(__NFTA_TPROXY_MAX - 1)
+
 /**
  * enum nft_masq_attributes - nf_tables masquerade expression attributes
  *
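Review bot: the kerneldoc line `NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)` mis-describes the payload: per the commit message this attribute carries an nfproto value (NFPROTO_IPV4, NFPROTO_IPV6 or NFPROTO_UNSPEC), not a register number, so only REG_ADDR and REG_PORT should say `nft_registers`; `(NLA_U32)` or `(NLA_U32: nfproto)` would be accurate. The three entries also lack the `@` prefix kerneldoc expects for enum members (compare `@NFT_SOCKET_TRANSPARENT` in the nft_socket_keys comment elsewhere in this file).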
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6c65d756e603..fc570c22a860 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -633,6 +633,16 @@ config NFT_SOCKET
  This option allows matching for the presence or absence of a
  corresponding socket and its attributes.
 
+config NFT_TPROXY
+   tristate "Netfilter nf_tables tproxy support"
+   depends on IPV6 || IPV6=n
+   select NF_DEFRAG_IPV4
+   select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
+   select NF_TPROXY_IPV4
+   select NF_TPROXY_IPV6 if NF_TABLES_IPV6
+   help
+ This makes transparent proxy support available in nftables.
+
 if NF_TABLES_NETDEV
 
 config NF_DUP_NETDEV
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 0b3851e825fa..ea35f206e49d 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -109,6 +109,7 @@ obj-$(CONFIG_NFT_FIB_INET)  += nft_fib_inet.o
 obj-$(CONFIG_NFT_FIB_NETDEV)   += nft_fib_netdev.o
 obj-$(CONFIG_NF_OSF)   += nf_osf.o
 obj-$(CONFIG_NFT_SOCKET)   += nft_socket.o
+obj-$(CONFIG_NFT_TPROXY)   += nft_tproxy.o
 
 # nf_tables netdev
 obj-$(CONFIG_NFT_DUP_NETDEV)   += nft_dup_netdev.o
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
new file mode 100644
index ..a9290035c651
--- /dev/null
+++ b/net/netfilter/nft_tproxy.c
@@ -0,0 +1,320 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+#include 
+#endif
+
+struct nft_tproxy {
+   enum nft_registers  sreg_addr:8;
+   enum nft_registers  sreg_port:8;
+   u8  family;
+};
+
+static void nft_tproxy_eva
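Review bot: the first line of the new nft_tproxy.c uses the header form of the SPDX tag, `/* SPDX-License-Identifier: GPL-2.0 */`; Documentation/process/license-rules.rst wants the C++ comment style `// SPDX-License-Identifier: GPL-2.0` in C source files (the `/* */` form is for headers and assembly), and checkpatch flags the mismatch.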

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-16 Thread Máté Eckl
On Tue, Jul 10, 2018 at 12:10:22PM +0200, Pablo Neira Ayuso wrote:
> > diff --git a/src/parser_bison.y b/src/parser_bison.y
> > index 98bfeba..2b7d7cc 100644
> > --- a/src/parser_bison.y
> > +++ b/src/parser_bison.y
> > @@ -182,6 +182,8 @@ int nft_lex(void *, void *, void *);
> >  %token AT  "@"
> >  %token VMAP"vmap"
> >  
> > +%token PLUS"+"
> > +
> >  %token INCLUDE "include"
> >  %token DEFINE  "define"
> >  %token REDEFINE"redefine"
> > @@ -522,6 +524,7 @@ int nft_lex(void *, void *, void *);
> >  %type  set_spec setid_spec set_identifier 
> > flowtable_identifier obj_spec objid_spec obj_identifier
> >  %destructor { handle_free(&$$); } set_spec setid_spec set_identifier 
> > obj_spec objid_spec obj_identifier
> >  %type family_spec family_spec_explicit 
> > chain_policy prio_spec
> > +%type  str_prio_spec
> >  
> >  %type  dev_spec quota_unit
> >  %destructor { xfree($$); } dev_spec quota_unit
> > @@ -1633,7 +1636,7 @@ flowtable_block_alloc :   /* empty */
> >  flowtable_block:   /* empty */ { $$ = $-1; }
> > |   flowtable_block common_block
> > |   flowtable_block stmt_separator
> > -   |   flowtable_block HOOKSTRING  
> > PRIORITYprio_spec   stmt_separator
> > +   |   flowtable_block HOOKSTRING  
> > PRIORITYstr_prio_spec   stmt_separator
> > {
> > $$->hookstr = chain_hookname_lookup($3);
> > if ($$->hookstr == NULL) {
> > @@ -1644,7 +1647,7 @@ flowtable_block   :   /* empty */ 
> > { $$ = $-1; }
> > }
> > xfree($3);
> >  
> > -   $$->priority = $5;
> > +   $$->priostr = $5;
> > }
> > |   flowtable_block DEVICES '=' 
> > flowtable_expr  stmt_separator
> > {
> > @@ -1766,7 +1769,7 @@ type_identifier   :   STRING  { $$ = 
> > $1; }
> > |   CLASSID { $$ = xstrdup("classid"); }
> > ;
> >  
> > -hook_spec  :   TYPESTRING  HOOK
> > STRING  dev_specPRIORITYprio_spec
> > +hook_spec  :   TYPESTRING  HOOK
> > STRING  dev_specPRIORITYstr_prio_spec
> > {
> > const char *chain_type = 
> > chain_type_name_lookup($2);
> >  
> > @@ -1789,13 +1792,34 @@ hook_spec   :   TYPESTRING  
> > HOOKSTRING  dev_specPRIORITY
> > prio_spec
> > xfree($4);
> >  
> > $0->dev  = $5;
> > -   $0->priority = $7;
> > +   $0->priostr  = $7;
> > $0->flags|= CHAIN_F_BASECHAIN;
> > }
> > ;
> >  
> > -prio_spec  :   NUM { $$ = $1; }
> > -   |   DASHNUM { $$ = -$2; }
> > +str_prio_spec  :   prio_spec
> > +   {
> > +   char buf[STD_PRIO_BUFSIZE];
> > +   snprintf(buf, STD_PRIO_BUFSIZE, "%d", (int)$1);
> > +   $$ = xstrdup(buf);
> > +   }
> > +   |   STRING  { $$ = xstrdup($1); }
> > +   |   STRING PLUS NUM
> > +   {
> > +   char buf[STD_PRIO_BUFSIZE];
> > +   snprintf(buf, STD_PRIO_BUFSIZE, "%s+%d",$1, 
> > (int)$3);
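Review bot: the STRING token in the new str_prio_spec rules is leaked. `STRING { $$ = xstrdup($1); }` duplicates a string the scanner already allocated and drops the original, and the `STRING PLUS NUM` branch formats $1 into `buf` without releasing it, whereas the rules around it free their STRING after use (`xfree($3)` after chain_hookname_lookup($3) in flowtable_block, `xfree($4)` in hook_spec). Either take ownership with `$$ = $1;` in the first branch or add `xfree($1);` after the snprintf() in both.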
> 
> Could you store the string plus offset instead of building this
> string that you need to parse again from the evaluation phase?
> 
> Probably you could reuse the existing priority integer field, then, if
> the label is non-NULL, then it means the priority integer becomes an
> offset.

I thought about different possibilities to do this, and I think the diff below
does this with the least possible code duplication (it's only the parser, the
other components would not be duplicated). And for now it does not even work for
some obscure reason. (The chain pointer is not the same at the evaluation phase
as in the parser, so the values are in the wrong place...)
Of course the evaluation is simpler.

I personally prefer my former solution as it is more general and results in less
code duplication so I would stay with that.
What do you think?

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 98bfeba..db55cc5 100644
--- 

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-13 Thread Máté Eckl
On Fri, Jul 13, 2018 at 02:38:19PM +0200, Florian Westphal wrote:
> Máté Eckl  wrote:
> > But that means that this solution cannot support bridge family at all. Or 
> > BRNF
> > stands for something that can be interpreted as filter?
> 
> Currently bridge family has no special hooks, they are all 'filter'.
> So it would be fine to only support numbers in my opinion.
> 
> We can revisit it later if needed.

I looked it up in iptables and it uses NF_BR_PRI_FILTER_BRIDGED for filter
tables so it would be inappropriate to translate 0 to filter here.

So yes, maybe we should leave bridge family alone.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-13 Thread Máté Eckl
On Fri, Jul 13, 2018 at 12:59:14PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 13, 2018 at 12:45:34PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso  wrote:
> > > On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > > > > BTW, srcnat only makes sense from postrouting, I think it would it 
> > > > > > be
> > > > > > possible to reject things that make no sense from there, like srcnat
> > > > > > with prerouting as in the example above.
> > > > > 
> > > > > I'll look after this.
> > > > 
> > > > What do you think about this compatibility "matrix"?
> > > 
> > > Looks fine, one comment though regarding bridge:
> > > 
> > > include/linux/netfilter_bridge.h:   NF_BR_PRI_NAT_DST_OTHER = 100,
> > > include/linux/netfilter_bridge.h:   NF_BR_PRI_NAT_SRC = 300,
> > > include/linux/netfilter_bridge.h:   NF_BR_PRI_NAT_DST_BRIDGED = -300,

Oh. These are not exposed to the nft includes.

> > > Unfortunately I think we'll need these too, ie. we cannot reuse
> > > NF_IP_PRI_NAT_SRC.
> > 
> > BR_NAT isn't "nat" family though, they are normal 'filter' types.
> > 
> > I think it would be fine to just use 'filter + 300'.
> 
> OK, let's do that then.

But that means that this solution cannot support bridge family at all. Or BRNF
stands for something that can be interpreted as filter?


Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-13 Thread Máté Eckl
> > BTW, srcnat only makes sense from postrouting, I think it would it be
> > possible to reject things that make no sense from there, like srcnat
> > with prerouting as in the example above.
> 
> I'll look after this.

What do you think about this compatibility "matrix"?

#include <stdbool.h>
#include <linux/netfilter.h>		/* NFPROTO_*, NF_INET_* hook numbers */
#include <linux/netfilter_ipv4.h>	/* NF_IP_PRI_* standard priorities */

static bool std_prio_family_hook_compat(int prio, int family, int hook)
{
	switch (prio) {
	case NF_IP_PRI_FILTER:
		switch (family) {
		case NFPROTO_INET:
		case NFPROTO_IPV4:
		case NFPROTO_IPV6:
		case NFPROTO_ARP:
		case NFPROTO_BRIDGE:
		case NFPROTO_NETDEV:
			return true;
		default:
			return false;
		}
	case NF_IP_PRI_RAW:
	case NF_IP_PRI_MANGLE:
	case NF_IP_PRI_SECURITY:
		/* For these I didn't find any info about which hook
		 * they can make sense in */
		switch (family) {
		case NFPROTO_INET:
		case NFPROTO_IPV4:
		case NFPROTO_IPV6:
			return true;
		default:
			return false;
		}
	case NF_IP_PRI_NAT_DST:
		switch (family) {
		case NFPROTO_INET:
		case NFPROTO_IPV4:
		case NFPROTO_IPV6:
		case NFPROTO_BRIDGE:
			switch (hook) {
			case NF_INET_PRE_ROUTING:
				return true;
			default:
				return false;
			}
		default:
			return false;
		}
	case NF_IP_PRI_NAT_SRC:
		switch (family) {
		case NFPROTO_INET:
		case NFPROTO_IPV4:
		case NFPROTO_IPV6:
		case NFPROTO_BRIDGE:
			switch (hook) {
			case NF_INET_POST_ROUTING:
				return true;
			default:
				return false;
			}
		default:
			return false;
		}
	default:
		return false;
	}
}

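As an added example (not nft's code and not the patch author's), here is the name-plus-offset representation this thread converges on, for the ip/ip6/inet families only: a parser that turns `filter`, `mangle - 5`, `filter+300` or a bare number into the integer the kernel wants, and the reverse mapping that prints an integer back as a standard name when it sits close to one. It serves both the `str_prio_spec` grammar discussed above (where the string is built only to be parsed again later) and the compatibility matrix in the message above, whose check can be run on the integer this parser returns. Assumptions: the six values are copied by hand from the kernel's `enum nf_ip_hook_priorities`, the names `dstnat`/`srcnat` and the ±10 printing window are this example's choices rather than anything the patch specifies, and the bridge family is left out on purpose, as suggested in the thread.

```c
/* Added example (not nft's or the patch author's code): resolve textual
 * chain priorities for the ip/ip6/inet families and print them back.
 * Values are copied by hand from enum nf_ip_hook_priorities (assumed). */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRIO_NAME_WINDOW 10	/* example's choice: "name +/- N" only for |N| <= 10 */

static const struct { const char *name; int value; } std_prios[] = {
	{ "raw", -300 }, { "mangle", -150 }, { "dstnat", -100 },	/* NF_IP_PRI_RAW, _MANGLE, _NAT_DST */
	{ "filter", 0 }, { "security", 50 }, { "srcnat", 100 },	/* NF_IP_PRI_FILTER, _SECURITY, _NAT_SRC */
};
#define NSTD_PRIOS (sizeof(std_prios) / sizeof(std_prios[0]))

static const char *skip_ws(const char *p)
{
	while (isspace((unsigned char)*p))
		p++;
	return p;
}

/* Parse "<name>", "<name> + N", "<name> - N" or a plain signed integer.
 * Returns 0 and stores the value on success, -1 on a syntax error, an
 * unknown name (bridge-only priorities included) or an int overflow. */
int prio_spec_parse(const char *spec, int *prio)
{
	const char *p = skip_ws(spec);
	char name[16], *end;
	size_t n = 0;
	long val, off = 0;

	if (*p == '-' || *p == '+' || isdigit((unsigned char)*p)) {
		errno = 0;
		val = strtol(p, &end, 10);
		if (end == p || errno || val < INT_MIN || val > INT_MAX ||
		    *skip_ws(end) != '\0')
			return -1;
		*prio = (int)val;
		return 0;
	}
	while (isalpha((unsigned char)*p) && n < sizeof(name) - 1)
		name[n++] = *p++;
	name[n] = '\0';
	p = skip_ws(p);
	if (*p == '+' || *p == '-') {	/* optional offset */
		int negative = *p == '-';

		p = skip_ws(p + 1);
		if (!isdigit((unsigned char)*p))
			return -1;
		errno = 0;
		off = strtol(p, &end, 10);
		if (errno || off > INT_MAX)
			return -1;
		off = negative ? -off : off;
		p = skip_ws(end);
	}
	if (*p != '\0')	/* trailing garbage, e.g. "filter 5" */
		return -1;
	for (size_t i = 0; i < NSTD_PRIOS; i++) {
		if (strcmp(std_prios[i].name, name) != 0)
			continue;
		val = std_prios[i].value + off;
		if (val < INT_MIN || val > INT_MAX)
			return -1;
		*prio = (int)val;
		return 0;
	}
	return -1;	/* unknown name */
}

/* Print a priority as a standard name, as "name + N"/"name - N" when it is
 * within PRIO_NAME_WINDOW of one, or as a bare number. Returns buf. */
const char *prio_spec_format(int prio, char *buf, size_t len)
{
	for (size_t i = 0; i < NSTD_PRIOS; i++) {
		long off = (long)prio - std_prios[i].value;	/* long: no int overflow */

		if (off < -PRIO_NAME_WINDOW || off > PRIO_NAME_WINDOW)
			continue;
		if (off == 0)
			snprintf(buf, len, "%s", std_prios[i].name);
		else
			snprintf(buf, len, "%s %c %ld", std_prios[i].name,
				 off < 0 ? '-' : '+', off < 0 ? -off : off);
		return buf;
	}
	snprintf(buf, len, "%d", prio);
	return buf;
}
```

Because the standard values are at least 50 apart and the window is 10, at most one name can match on the way back, so `-155` prints as `mangle - 5` while `300` (200 above srcnat) stays numeric; whether nft should print `filter + 300` instead is exactly the representation question the thread is debating.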

[PATCH v2 nft] Expose socket mark via socket expression

2018-07-12 Thread Máté Eckl
It can be used like ct mark or meta mark except it cannot be set.
doc and tests are included.

Signed-off-by: Máté Eckl 
---
v2:
 - doc: remove 0 retval when there's no match

 doc/nft.xml | 23 +++
 include/linux/netfilter/nf_tables.h |  5 +++--
 src/evaluate.c  |  6 +-
 src/parser_bison.y  |  2 ++
 src/parser_json.c   |  2 ++
 src/socket.c|  8 +++-
 tests/py/inet/socket.t  |  2 ++
 tests/py/inet/socket.t.json | 14 ++
 tests/py/inet/socket.t.payload  | 15 +++
 9 files changed, 73 insertions(+), 4 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 190a8ee..c122e8e 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -3058,6 +3058,13 @@ raw prerouting meta secpath exists accept

boolean 
(1 bit) 

+   
+   
mark
+   
+   Value 
of the socket mark (SOL_SOCKET, SO_MARK).
+   
+   
mark
+   



@@ -3073,6 +3080,22 @@ table inet x {
 socket transparent 1 mark set 0x0001 accept
 }
 }
+
+# Trace packets that corresponds to a socket with a mark value of 15
+table inet x {
+chain y {
+type filter hook prerouting priority -150; policy accept;
+socket mark 0x000f nftrace set 1
+}
+}
+
+# Set packet mark to socket mark
+table inet x {
+chain y {
+type filter hook prerouting priority -150; policy accept;
+tcp dport 8080 mark set socket mark
+}
+}



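Review bot: in the new example comment, `Trace packets that corresponds to a socket` should read `correspond`. Also, since this v2 drops the "or 0 if there is no corresponding socket" wording from the mark entry (per the changelog), the entry should now say what happens instead, i.e. that the expression does not match when the packet has no associated socket; as written a reader still has to guess what `socket mark` yields in that case.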
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 88e0ca1..ad42d05 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -923,11 +923,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
NFT_SOCKET_TRANSPARENT,
-
+   NFT_SOCKET_MARK,
__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
diff --git a/src/evaluate.c b/src/evaluate.c
index 61cdff0..2b0e6fa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1719,8 +1719,12 @@ static int expr_evaluate_meta(struct eval_ctx *ctx, 
struct expr **exprp)
 
 static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
 {
+   int maxval = 0;
+
+   if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)
+   maxval = 1;
__expr_set_context(>ectx, (*expr)->dtype, (*expr)->byteorder,
-  (*expr)->len, 1);
+  (*expr)->len, maxval);
return 0;
 }
 
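Review bot: `if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)` is missing the space after `if` used everywhere else in evaluate.c (kernel style, `if (`). A one-line comment saying that `maxval = 0` means "no upper bound" for the 32-bit mark key would also help, since a reader comparing this with the previous unconditional `1` will otherwise wonder why the mark gets a smaller limit than the boolean `transparent` key.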
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 98bfeba..0ee2ebd 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2487,6 +2487,7 @@ primary_stmt_expr :   symbol_expr { $$ = 
$1; }
|   hash_expr   { $$ = $1; }
|   payload_expr{ $$ = $1; }
|   keyword_expr{ $$ = $1; }
+   |   socket_expr { $$ = $1; }
;
 
 shift_stmt_expr:   primary_stmt_expr
@@ -3575,6 +3576,7 @@ socket_expr   :   SOCKET  socket_key
;
 
 socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
+   |   MARK { $$ = NFT_SOCKET_MARK; }
;
 
 offset_opt :   /* empty */ { $$ = 0; }
diff --git a/src/parser_json.c b/src/parser_json.c
index 8f29aaf..80364d9 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -358,6 +358,8 @@ static struct expr *json_parse_socket_expr(struct json_ctx 
*ctx,
 
if (!strcmp(key, "transparent"))
keyval = NFT_SOCKET_TRANSPARENT;
+   else if (!strcmp(key, "mark"))
+   keyval = NFT_SOCKET_MARK;
 
if (keyval == -1) {
json_error(ctx, &q

[PATCH v2 nf-next] netfilter: nft_socket: Expose socket mark

2018-07-12 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
Formerly: ("netfilter: nf_tables: Expose socket mark")
v2:
 - store sk->sk_mark instead of inet_request_mark(sk, skb)
 - Break evaluation if !sk_fullsock

 include/uapi/linux/netfilter/nf_tables.h |  4 +++-
 net/netfilter/nft_socket.c   | 11 +++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 89438e68dc03..f466860bcf75 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -921,10 +921,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
NFT_SOCKET_TRANSPARENT,
+   NFT_SOCKET_MARK,
__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 18b2793a8a67..8b3585f673cd 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -51,6 +51,14 @@ static void nft_socket_eval(const struct nft_expr *expr,
case NFT_SOCKET_TRANSPARENT:
nft_reg_store8(dest, inet_sk_transparent(sk));
break;
+   case NFT_SOCKET_MARK:
+   if (sk_fullsock(sk))
+   *dest = sk->sk_mark;
+   else {
+   regs->verdict.code = NFT_BREAK;
+   return;
+   }
+   break;
default:
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
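Review bot: the `NFT_SOCKET_MARK` branch leaves the function with `return` from inside the switch on the `!sk_fullsock(sk)` path, whereas the existing `default:` case only sets NFT_BREAK and falls out of the switch; if anything after the switch must run on every exit (for instance releasing a socket obtained by lookup rather than taken from skb->sk), this early return skips it. The `goto out` consolidation suggested earlier in the thread avoids that and also fixes the brace imbalance: when the `else` arm needs braces, kernel style puts them on the `if` arm as well.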
@@ -88,6 +96,9 @@ static int nft_socket_init(const struct nft_ctx *ctx,
case NFT_SOCKET_TRANSPARENT:
len = sizeof(u8);
break;
+   case NFT_SOCKET_MARK:
+   len = sizeof(u32);
+   break;
default:
return -EOPNOTSUPP;
}
-- 
ecklm



[PATCH nf-next] netfilter: nft_socket: Break evaluation if no socket found

2018-07-12 Thread Máté Eckl
Actual implementation stores 0 in the destination register if no socket
is found by the lookup, but that is not intentional as it is not really
a value of any socket metadata.

This patch fixes this and breaks rule evaluation in this case.

Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket 
matching")
Signed-off-by: Máté Eckl 
---
 net/netfilter/nft_socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 74e1b3bd6954..18b2793a8a67 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -40,7 +40,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
}
 
if(!sk) {
-   nft_reg_store8(dest, 0);
+   regs->verdict.code = NFT_BREAK;
return;
}
 
-- 
ecklm



Re: [PATCH nf-next] netfilter: nf_tables: Expose socket mark

2018-07-12 Thread Máté Eckl
On Thu, Jul 12, 2018 at 04:26:54PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 12, 2018 at 12:52:16AM +0200, Máté Eckl wrote:
> > Signed-off-by: Máté Eckl 
> > ---
> >  include/uapi/linux/netfilter/nf_tables.h |  4 +++-
> >  net/netfilter/nft_socket.c   | 11 ++-
> >  2 files changed, 13 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> > b/include/uapi/linux/netfilter/nf_tables.h
> > index 89438e68dc03..f466860bcf75 100644
> > --- a/include/uapi/linux/netfilter/nf_tables.h
> > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > @@ -921,10 +921,12 @@ enum nft_socket_attributes {
> >  /*
> >   * enum nft_socket_keys - nf_tables socket expression keys
> >   *
> > - * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
> > + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
> > + * @NFT_SOCKET_MARK: Value of the socket mark
> >   */
> >  enum nft_socket_keys {
> > NFT_SOCKET_TRANSPARENT,
> > +   NFT_SOCKET_MARK,
> > __NFT_SOCKET_MAX
> >  };
> >  #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
> > diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
> > index 74e1b3bd6954..3f46b2013e26 100644
> > --- a/net/netfilter/nft_socket.c
> > +++ b/net/netfilter/nft_socket.c
> > @@ -40,7 +40,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
> > }
> >  
> > if(!sk) {
> > -   nft_reg_store8(dest, 0);
> > +   *dest = 0;
> > return;
> 
> I think this should be:
> 
> if (!sk)
> regs->verdict.code = NFT_BREAK;
> 
> So we make sure we skip further evaluation, because zero may be a
> valid mark.
> 
> or better:
> 
> if (!sk)
> goto out:
> ...
> out:
> regs->verdict.code = NFT_BREAK;
> 
> so you consolidate this evaluation break path.
> 
> An initial patch to fix what we have would be good to have.
> 
> > }
> >  
> > @@ -51,6 +51,12 @@ static void nft_socket_eval(const struct nft_expr *expr,
> > case NFT_SOCKET_TRANSPARENT:
> > nft_reg_store8(dest, inet_sk_transparent(sk));
> > break;
> > +   case NFT_SOCKET_MARK:
> > +   if (sk_fullsock(sk))
> > +   *dest = inet_request_mark(sk, skb);
> > +   else
> > +   *dest = 0;
> 
> Again, better break evaluation here, so I would do:
> 
> if (!sk_fullsock(sk))
> goto out;
> 
> ...
> out:
> regs->verdict.code = NFT_BREAK;
> 
> Thanks.

Thanks for the observation, you are right, it should break evaluation. I'll fix
this too.


Re: [PATCH nf-next] netfilter: nf_tables: Expose socket mark

2018-07-12 Thread Máté Eckl
On Thu, Jul 12, 2018 at 01:11:33PM +0200, Florian Westphal wrote:
> Máté Eckl  wrote:
> > Signed-off-by: Máté Eckl 
> > ---
> >  include/uapi/linux/netfilter/nf_tables.h |  4 +++-
> >  net/netfilter/nft_socket.c   | 11 ++-
> >  2 files changed, 13 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> > b/include/uapi/linux/netfilter/nf_tables.h
> > index 89438e68dc03..f466860bcf75 100644
> > --- a/include/uapi/linux/netfilter/nf_tables.h
> > +++ b/include/uapi/linux/netfilter/nf_tables.h
> > @@ -921,10 +921,12 @@ enum nft_socket_attributes {
> >  /*
> >   * enum nft_socket_keys - nf_tables socket expression keys
> >   *
> > - * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
> > + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
> > + * @NFT_SOCKET_MARK: Value of the socket mark
> >   */
> >  enum nft_socket_keys {
> > NFT_SOCKET_TRANSPARENT,
> > +   NFT_SOCKET_MARK,
> > __NFT_SOCKET_MAX
> >  };
> >  #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
> > diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
> > index 74e1b3bd6954..3f46b2013e26 100644
> > --- a/net/netfilter/nft_socket.c
> > +++ b/net/netfilter/nft_socket.c
> > @@ -40,7 +40,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
> > }
> >  
> > if(!sk) {
> > -   nft_reg_store8(dest, 0);
> > +   *dest = 0;
> > return;
> > }
> >  
> > @@ -51,6 +51,12 @@ static void nft_socket_eval(const struct nft_expr *expr,
> > case NFT_SOCKET_TRANSPARENT:
> > nft_reg_store8(dest, inet_sk_transparent(sk));
> > break;
> > +   case NFT_SOCKET_MARK:
> > +   if (sk_fullsock(sk))
> > +   *dest = inet_request_mark(sk, skb);
> 
> I wonder if it wouldn't be better to use sk->sk_mark directly.
> If user wants to fallback to skb->mark they could do
> 
> socket mark 0 meta mark 42
> 
> rather than
> 
> socket mark 42
> 
> ... matching when skb->mark is 42 and sk_mark is 0, it seems
> unexpected to me.

Yes that will be better. I'll wait some time in case other comments come up and
then I resubmit with this modification.

> Rest looks great.


[PATCH nf-next] netfilter: nf_tables: Expose socket mark

2018-07-11 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 include/uapi/linux/netfilter/nf_tables.h |  4 +++-
 net/netfilter/nft_socket.c   | 11 ++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 89438e68dc03..f466860bcf75 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -921,10 +921,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
NFT_SOCKET_TRANSPARENT,
+   NFT_SOCKET_MARK,
__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 74e1b3bd6954..3f46b2013e26 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -40,7 +40,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
}
 
if(!sk) {
-   nft_reg_store8(dest, 0);
+   *dest = 0;
return;
}
 
@@ -51,6 +51,12 @@ static void nft_socket_eval(const struct nft_expr *expr,
case NFT_SOCKET_TRANSPARENT:
nft_reg_store8(dest, inet_sk_transparent(sk));
break;
+   case NFT_SOCKET_MARK:
+   if (sk_fullsock(sk))
+   *dest = inet_request_mark(sk, skb);
+   else
+   *dest = 0;
+   break;
default:
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
@@ -88,6 +94,9 @@ static int nft_socket_init(const struct nft_ctx *ctx,
case NFT_SOCKET_TRANSPARENT:
len = sizeof(u8);
break;
+   case NFT_SOCKET_MARK:
+   len = sizeof(u32);
+   break;
default:
return -EOPNOTSUPP;
}
-- 
ecklm



[PATCH libnftnl] Expose socket mark via socket expression

2018-07-11 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 include/linux/netfilter/nf_tables.h | 4 +++-
 src/expr/socket.c   | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 91449ef..eef157d 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -921,10 +921,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
NFT_SOCKET_TRANSPARENT,
+   NFT_SOCKET_MARK,
__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
diff --git a/src/expr/socket.c b/src/expr/socket.c
index db160a1..5fa2ef2 100644
--- a/src/expr/socket.c
+++ b/src/expr/socket.c
@@ -114,6 +114,7 @@ nftnl_expr_socket_parse(struct nftnl_expr *e, struct nlattr 
*attr)
 
 static const char *socket_key2str_array[NFT_SOCKET_MAX + 1] = {
[NFT_SOCKET_TRANSPARENT] = "transparent",
+   [NFT_SOCKET_MARK] = "mark",
 };
 
 static const char *socket_key2str(uint8_t key)
-- 
ecklm



[PATCH nft] Expose socket mark via socket expression

2018-07-11 Thread Máté Eckl
It can be used like ct mark or meta mark except it cannot be set.
doc and tests are included.

Signed-off-by: Máté Eckl 
---
 doc/nft.xml | 23 +++
 include/linux/netfilter/nf_tables.h |  5 +++--
 src/evaluate.c  |  6 +-
 src/parser_bison.y  |  2 ++
 src/parser_json.c   |  2 ++
 src/socket.c|  8 +++-
 tests/py/inet/socket.t  |  2 ++
 tests/py/inet/socket.t.json | 14 ++
 tests/py/inet/socket.t.payload  | 15 +++
 9 files changed, 73 insertions(+), 4 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 190a8ee..0625d04 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -3058,6 +3058,13 @@ raw prerouting meta secpath exists accept

boolean 
(1 bit) 

+   
+   
mark
+   
+   Value 
of the socket mark (SOL_SOCKET, SO_MARK) or 0 if there is no corresponding 
socket.
+   
+   
mark
+   



@@ -3073,6 +3080,22 @@ table inet x {
 socket transparent 1 mark set 0x0001 accept
 }
 }
+
+# Trace packets that corresponds to a socket with a mark value of 15
+table inet x {
+chain y {
+type filter hook prerouting priority -150; policy accept;
+socket mark 0x000f nftrace set 1
+}
+}
+
+# Set packet mark to socket mark
+table inet x {
+chain y {
+type filter hook prerouting priority -150; policy accept;
+tcp dport 8080 mark set socket mark
+}
+}


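Review bot: `Value of the socket mark (SOL_SOCKET, SO_MARK) or 0 if there is no corresponding socket` documents an ambiguous sentinel: 0 is a legitimate SO_MARK value, so `socket mark 0` cannot tell an unmarked socket from no socket at all. Better to have the kernel side stop evaluation when no socket is found and document that here instead of the zero; the example comment `packets that corresponds` should also read `correspond`.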

diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 88e0ca1..ad42d05 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -923,11 +923,12 @@ enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
NFT_SOCKET_TRANSPARENT,
-
+   NFT_SOCKET_MARK,
__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
diff --git a/src/evaluate.c b/src/evaluate.c
index 61cdff0..2b0e6fa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1719,8 +1719,12 @@ static int expr_evaluate_meta(struct eval_ctx *ctx, 
struct expr **exprp)
 
 static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
 {
+   int maxval = 0;
+
+   if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)
+   maxval = 1;
__expr_set_context(>ectx, (*expr)->dtype, (*expr)->byteorder,
-  (*expr)->len, 1);
+  (*expr)->len, maxval);
return 0;
 }
 
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 98bfeba..0ee2ebd 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2487,6 +2487,7 @@ primary_stmt_expr :   symbol_expr { $$ = 
$1; }
|   hash_expr   { $$ = $1; }
|   payload_expr{ $$ = $1; }
|   keyword_expr{ $$ = $1; }
+   |   socket_expr { $$ = $1; }
;
 
 shift_stmt_expr:   primary_stmt_expr
@@ -3575,6 +3576,7 @@ socket_expr   :   SOCKET  socket_key
;
 
 socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
+   |   MARK { $$ = NFT_SOCKET_MARK; }
;
 
 offset_opt :   /* empty */ { $$ = 0; }
diff --git a/src/parser_json.c b/src/parser_json.c
index 8f29aaf..80364d9 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -358,6 +358,8 @@ static struct expr *json_parse_socket_expr(struct json_ctx 
*ctx,
 
if (!strcmp(key, "transparent"))
keyval = NFT_SOCKET_TRANSPARENT;
+   else if (!strcmp(key, "mark"))
+   keyval = NFT_SOCKET_MARK;
 
if (keyval == -1) {
json_error(ctx, "In
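Review bot: the JSON parser now accepts `"mark"`, but the printer side in json.c must emit the same key string for NFT_SOCKET_MARK, otherwise `nft -j list ruleset` output cannot be fed back through `nft -j -f`; the diffstat and the rest of the patch are cut off here, so that cannot be confirmed from the visible hunk.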

nf_tables: Expose socket mark

2018-07-11 Thread Máté Eckl
The following patches expose socket mark as part of the nft socket expression.

I have tested it with two setups:

1)
server:

# nft list ruleset
table inet x {
chain y {
type filter hook prerouting priority -150; policy accept;
socket mark 0x000f nftrace set 1
}
}


# cat skmarktest.py 
#!/usr/bin/env python3
import socket

srv = socket.socket()
# SO_REUSEADDR only affects a bind() that comes after it.
srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, True)
# SO_MARK needs CAP_NET_ADMIN.  Sockets returned by accept() inherit the
# listener's mark, so 'socket mark 0x000f' matches the whole flow, not
# just the SYN that hits the listener.
srv.setsockopt(socket.SOL_SOCKET, socket.SO_MARK, 15)
srv.bind(('192.0.2.3', 8080))
srv.listen()

sk = srv.accept()[0]
sk.send(b'kutya\n')
sk.close()

srv.close()

# ./skmarktest.py &
[1] 551
# nft monitor
trace id db73b26e inet x y packet: iif "enp0s8" ether saddr 
0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 
192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 11622 ip protocol tcp ip 
length 60 tcp sport 46792 tcp dport 8080 tcp flags == 0xc2 tcp window 29200 
trace id db73b26e inet x y rule socket mark 0x000f nftrace set 1 
(verdict continue)
trace id db73b26e inet x y verdict continue 
trace id db73b26e inet x y policy accept 
trace id 9b0130d6 inet x y packet: iif "enp0s8" ether saddr 
0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 
192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 11624 ip protocol tcp ip 
length 52 tcp sport 46792 tcp dport 8080 tcp flags == ack tcp window 229 
trace id 9b0130d6 inet x y rule socket mark 0x000f nftrace set 1 
(verdict continue)
trace id 9b0130d6 inet x y verdict continue 
trace id 9b0130d6 inet x y policy accept 
trace id 21301fc1 inet x y packet: iif "enp0s8" ether saddr 
0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 
192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 11625 ip protocol tcp ip 
length 52 tcp sport 46792 tcp dport 8080 tcp flags == 0x11 tcp window 229 
trace id 21301fc1 inet x y rule socket mark 0x000f nftrace set 1 
(verdict continue)
trace id 21301fc1 inet x y verdict continue 
trace id 21301fc1 inet x y policy accept



client:

$ telnet 192.0.2.3 8080
Trying 192.0.2.3...
Connected to 192.0.2.3.
Escape character is '^]'.
kutya
Connection closed by foreign host.


2)
server:

# nft list ruleset
table inet x {
chain y {
type filter hook prerouting priority -150; policy accept;
tcp dport 8080 mark set socket mark mark 0x000f nftrace set 
1 accept
}
}
# ./skmarktest.py &
[1] 551
# nft monitor
trace id baa7ac3c inet x y packet: iif "enp0s8" ether saddr 
0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 
192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 57686 ip protocol tcp ip 
length 60 tcp sport 50308 tcp dport 8080 tcp flags == 0xc2 tcp window 29200 
trace id baa7ac3c inet x y rule tcp dport 8080 mark set socket mark 
mark 0x000f nftrace set 1 accept (verdict accept)
trace id 806e8f4b inet x y packet: iif "enp0s8" ether saddr 
0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 
192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 57688 ip protocol tcp ip 
length 52 tcp sport 50308 tcp dport 8080 tcp flags == ack tcp window 229 
trace id 806e8f4b inet x y rule tcp dport 8080 mark set socket mark 
mark 0x000f nftrace set 1 accept (verdict accept)
trace id 655c0df4 inet x y packet: iif "enp0s8" ether saddr 
0a:00:27:00:00:00 ether daddr 08:00:27:6d:c4:57 ip saddr 192.0.2.1 ip daddr 
192.0.2.3 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 57689 ip protocol tcp ip 
length 52 tcp sport 50308 tcp dport 8080 tcp flags == 0x11 tcp window 229 
trace id 655c0df4 inet x y rule tcp dport 8080 mark set socket mark 
mark 0x000f nftrace set 1 accept (verdict accept)

nft monitor does not print anything if I modify the socket mark in skmarktest.py


client:
The client side uses the same telnet command.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH v2 nf-next] netfilter: Kconfig: Change select dependencies from IPV6 to NF_TABLES_IPV6 and IP6_NF_IPTABLES

2018-07-10 Thread Máté Eckl
In some cases module selects depend on IPV6, but this means that they
select another module even if e.g. NF_TABLES_IPV6 is not set, in which
case the selected module is useless due to the lack of IPv6 nf_tables
functionality.

The same applies for IP6_NF_IPTABLES and iptables.

Joint work with: Arnd Bergmann 

Signed-off-by: Máté Eckl 
---

v2: squashes (with some refinement) the following patches:
 - netfilter: Kconfig: Change select dependencies from IPV6 to NF_TABLES_IPV6 
and IP6_NF_IPTABLES (https://patchwork.ozlabs.org/patch/936305/)
 - netfilter: fix NETFILTER_XT_TARGET_TEE dependencies 
(https://patchwork.ozlabs.org/patch/940460/)
 - netfilter: xt_tee: fix calling nf_dup_ipv6 
(https://patchwork.ozlabs.org/patch/941374/)
 - netfilter: NFT_SOCKET don't use NF_SOCKET_IPV6 without NF_TABLES_IPV6 
(https://patchwork.ozlabs.org/patch/941696/)

Now nothing that is specific to nftables or xtables uses CONFIG_IPV6 as a
compile-time criterion.
$ find net/{,ipv6}/netfilter -name "*.[hc]" -exec grep --color -H 
"CONFIG_IPV6" {} \;
net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6)
net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6)
net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6)
net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6)
net//netfilter/nf_conntrack_proto.c:#endif /* CONFIG_IPV6 */
net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6)
net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6)
net//netfilter/nf_conntrack_proto.c:#if IS_ENABLED(CONFIG_IPV6)
net//netfilter/nf_conntrack_core.c:#if IS_ENABLED(CONFIG_IPV6)
net//netfilter/nf_conntrack_core.c:#if IS_ENABLED(CONFIG_IPV6)

Nothing that is specific to nftables or iptables uses 'select  if IPV6'.

 net/netfilter/Kconfig  | 6 +++---
 net/netfilter/nft_socket.c | 4 ++--
 net/netfilter/xt_TEE.c | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index f5866eb6911b..6c65d756e603 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -628,7 +628,7 @@ config NFT_SOCKET
tristate "Netfilter nf_tables socket match support"
depends on IPV6 || IPV6=n
select NF_SOCKET_IPV4
-   select NF_SOCKET_IPV6 if IPV6
+   select NF_SOCKET_IPV6 if NF_TABLES_IPV6
help
  This option allows matching for the presence or absence of a
  corresponding socket and its attributes.
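Review bot: keying the select on NF_TABLES_IPV6 only works together with the nft_socket.c hunks later in this patch, which guard the IPv6 lookup with IS_ENABLED(CONFIG_NF_TABLES_IPV6); if either half is backported alone, NFT_SOCKET=y with NF_TABLES_IPV6=y would reference nf_sk_lookup_slow_v6 without NF_SOCKET_IPV6 being forced to y, which is the link error reported in the NFT_SOCKET thread. The retained `depends on IPV6 || IPV6=n` still looks necessary, since nf_socket_ipv6 needs the IPv6 core to be at least as built-in as this module.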
@@ -894,7 +894,7 @@ config NETFILTER_XT_TARGET_LOG
tristate "LOG target support"
select NF_LOG_COMMON
select NF_LOG_IPV4
-   select NF_LOG_IPV6 if IPV6
+   select NF_LOG_IPV6 if IP6_NF_IPTABLES
default m if NETFILTER_ADVANCED=n
help
  This option adds a `LOG' target, which allows you to create rules in
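Review bot: xt_LOG.c is not touched by this patch, so `select NF_LOG_IPV6 if IP6_NF_IPTABLES` needs xt_LOG.c's own IPv6 target registration to be guarded by that same symbol; if it still keyed on CONFIG_IPV6, a build with IPV6=y and IP6_NF_IPTABLES=n would register an IPv6 LOG target whose logger was never selected. The grep in the cover text covers net/netfilter and reports CONFIG_IPV6 hits only in the conntrack files, which is the evidence that xt_LOG.c is already consistent with this change; stating that in the commit message would save the next reader the check.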
@@ -986,7 +986,7 @@ config NETFILTER_XT_TARGET_TEE
depends on IPV6 || IPV6=n
depends on !NF_CONNTRACK || NF_CONNTRACK
select NF_DUP_IPV4
-   select NF_DUP_IPV6 if IPV6
+   select NF_DUP_IPV6 if IP6_NF_IPTABLES
---help---
This option adds a "TEE" target with which a packet can be cloned and
this clone be rerouted to another nexthop.
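Review bot: the three squashed TEE patches listed in the v2 notes came from Arnd, so per the kernel process this commit wants Co-developed-by: and a Signed-off-by: from him rather than only "Joint work with:"; on the Kconfig itself, keeping `depends on IPV6 || IPV6=n` is right because tee_tg6 (now compiled whenever IP6_NF_IPTABLES is set, and IP6_NF_IPTABLES itself requires IPV6) uses IPv6 core symbols beyond nf_dup_ipv6.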
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 74e1b3bd6954..70e2690afc72 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -28,7 +28,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
case NFPROTO_IPV4:
sk = nf_sk_lookup_slow_v4(nft_net(pkt), skb, 
nft_in(pkt));
break;
-#if IS_ENABLED(CONFIG_NF_SOCKET_IPV6)
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
case NFPROTO_IPV6:
sk = nf_sk_lookup_slow_v6(nft_net(pkt), skb, 
nft_in(pkt));
break;
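Review bot: after this change the IPv6 lookup is compiled in whenever NF_TABLES_IPV6 is set, regardless of whether NF_SOCKET_IPV6 was chosen by hand; that is only safe because the Kconfig hunk above now selects NF_SOCKET_IPV6 under exactly the same condition, so the two hunks must land together (a partial backport reintroduces the undefined reference to nf_sk_lookup_slow_v6).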
@@ -74,7 +74,7 @@ static int nft_socket_init(const struct nft_ctx *ctx,
 
switch(ctx->family) {
case NFPROTO_IPV4:
-#if IS_ENABLED(CONFIG_NF_SOCKET_IPV6)
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
case NFPROTO_IPV6:
 #endif
case NFPROTO_INET:
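Review bot: NFPROTO_INET is accepted unconditionally while NFPROTO_IPV6 is accepted only with NF_TABLES_IPV6, so an inet-family rule on a kernel without NF_TABLES_IPV6 would still see IPv6 packets in nft_socket_eval and fall into the switch's default branch, which is outside this hunk; confirm that branch yields a no-match rather than a WARN, or rely on NF_TABLES_INET pulling in NF_TABLES_IPV6 and say so in the commit message.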
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 475957cfcf50..0d0d68c989df 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -38,7 +38,7 @@ tee_tg4(struct sk_buff *skb, const struct xt_action_param 
*par)
return XT_CONTINUE;
 }
 
-#if IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
 static unsigned int
 tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
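Review bot: tee_tg6 now exists whenever IP6_NF_IPTABLES is set, and the nf_dup_ipv6 it calls is selected under exactly that condition in the Kconfig hunk, so the two are consistent; the remaining question is whether any other `#if IS_ENABLED(CONFIG_IPV6)` survives in xt_TEE.c (around the netdevice-notifier or checkentry paths), and the grep over net/netfilter in the cover text, which lists no xt_TEE.c hits, answers that.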
@@ -141,7 +141,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
.destroy= tee_tg_destroy,
.me = THIS_MODULE,
},
-#if IS_ENABLED(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
{
.name   = "TEE",
.re
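Review bot: the IPv6 entry of tee_tg_reg[] is guarded with the same symbol as tee_tg6, so registration and implementation stay in step; the hunk is cut off in the archive, but the diffstat (4 lines changed in xt_TEE.c) indicates these two guards are the only edits to the file.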

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Máté Eckl
On Tue, Jul 10, 2018 at 01:26:41PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jul 10, 2018 at 01:19:21PM +0200, Máté Eckl wrote:
> > On Tue, Jul 10, 2018 at 12:54:24PM +0200, Pablo Neira Ayuso wrote:
> > [...]
> > > > > Please, could you describe how you have tested the nft tproxy
> > > > > datapath? Did you run any example configuration to make sure things
> > > > > are working? If so, please slightly describe.
> > > > > 
> > > > > Thanks.
> > > > 
> > > > I used the tcprdr [2] as a proxy software at point X, netcat (OpenBSD 
> > > > version
> > > > that can handle IPv6) as a server at point Z, and telnet as a client at 
> > > > point Y.
> > > > See the topology at [1].
> > > > 
> > > > The config of X was the following:
> > > > # ip rule add fwmark 1 lookup 100
> > > > # ip route add local 0.0.0.0/0 dev lo table 100
> > > > # ip -6 rule add fwmark 1 lookup 100
> > > > # ip -6 route add local ::/0 dev lo table 100
> > > > # nft -f testrules
> > > > 
> > > > # cat testrules
> > > > table inet x {
> > > > chain y {
> > > > type filter hook prerouting priority 
> > > > -150; policy accept;
> > > > meta l4proto tcp socket transparent 1 
> > > > mark set 0x0001 accept
> > > > tcp dport http tproxy to :50080 mark 
> > > > set 0x0001 accept
> > > > }
> > > > }
> > > > 
> > > > # ./tcprdr -4 -t -T 50080 192.0.2.130 80
> > > > and for ipv6
> > > > # ./tcprdr -6 -t -T 50080 2001:db8:0:1::2 80
> > > > 
> > > > Commands on Z:
> > > > # nc -l -p 80
> > > > and for ipv6
> > > > # nc -6 -l -p 80
> > > > Z also had routes to Y via X.
> > > > 
> > > > Commands on Y:
> > > > # telnet 192.0.2.3 80
> > > > # telnet 2001:db8:0:0::3 80
> > > > 
> > > > I also tried how it works when tproxy target address is specified 
> > > > (tcprdr -L can
> > > > be used for it) and protocol-specific cases too.
> > > > 
> > > > Proof at point X:
> > > > # ss -tpn
> > > > State   Recv-Q Send-Q  
> > > > Local Address:Port   Peer Address:Port
> > > > ESTAB   0  0   
> > > > 192.0.2.3:22192.0.2.1:45006 
> > > > users:(("sshd",pid=452,fd=3))
> > > > ESTAB   0  0   
> > > > [2001:db8::3]:80[2001:db8::1]:51900 
> > > > users:(("tcprdr",pid=534,fd=4))
> > > > ESTAB   0  0   
> > > > [2001:db8::1]:51900 [2001:db8:0:1::2]:80
> > > > users:(("tcprdr",pid=534,fd=5))
> > > > 
> > > > 
> > > > 
> > > > Regarding the code, I added some checks during the debugging which 
> > > > could
> > > > occur with a non-nft frontend, but now they are checked.
> > > > 
> > > > [1]:
> > > > IPv4:
> > > >  +---+ .129  .130 +---+
> > > >  (proxy) | X || Z | (server)
> > > >  +---+   192.0.2.128/25   +---+
> > > >| .3
> > > >|
> > > >| 192.0.2.0/25
> > > >|
> > > >| .1
> > > >  +---+
> > > >  | Y | (client)
> > > >  +---+
> > > > 
> > > > IPv6:
> > > >  +---+ :1  :2 +---+
> > > >  (proxy) | X || Z | (server)
> > > >  +

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Máté Eckl
On Tue, Jul 10, 2018 at 12:54:24PM +0200, Pablo Neira Ayuso wrote:
[...]
> > > Please, could you describe how you have tested the nft tproxy
> > > datapath? Did you run any example configuration to make sure things
> > > are working? If so, please slightly describe.
> > > 
> > > Thanks.
> > 
> > I used the tcprdr [2] as a proxy software at point X, netcat (OpenBSD 
> > version
> > that can handle IPv6) as a server at point Z, and telnet as a client at 
> > point Y.
> > See the topology at [1].
> > 
> > The config of X was the following:
> > # ip rule add fwmark 1 lookup 100
> > # ip route add local 0.0.0.0/0 dev lo table 100
> > # ip -6 rule add fwmark 1 lookup 100
> > # ip -6 route add local ::/0 dev lo table 100
> > # nft -f testrules
> > 
> > # cat testrules
> > table inet x {
> > chain y {
> > type filter hook prerouting priority -150; 
> > policy accept;
> > meta l4proto tcp socket transparent 1 mark set 
> > 0x0001 accept
> > tcp dport http tproxy to :50080 mark set 
> > 0x0001 accept
> > }
> > }
> > 
> > # ./tcprdr -4 -t -T 50080 192.0.2.130 80
> > and for ipv6
> > # ./tcprdr -6 -t -T 50080 2001:db8:0:1::2 80
> > 
> > Commands on Z:
> > # nc -l -p 80
> > and for ipv6
> > # nc -6 -l -p 80
> > Z also had routes to Y via X.
> > 
> > Commands on Y:
> > # telnet 192.0.2.3 80
> > # telnet 2001:db8:0:0::3 80
> > 
> > I also tried how it works when tproxy target address is specified (tcprdr 
> > -L can
> > be used for it) and protocol-specific cases too.
> > 
> > Proof at point X:
> > # ss -tpn
> > State   Recv-Q Send-Q  Local 
> > Address:Port   Peer Address:Port
> > ESTAB   0  0   
> > 192.0.2.3:22192.0.2.1:45006 
> > users:(("sshd",pid=452,fd=3))
> > ESTAB   0  0   
> > [2001:db8::3]:80[2001:db8::1]:51900 
> > users:(("tcprdr",pid=534,fd=4))
> > ESTAB   0  0   
> > [2001:db8::1]:51900 [2001:db8:0:1::2]:80
> > users:(("tcprdr",pid=534,fd=5))
> > 
> > 
> > 
> > Regarding the code, I added some checks during the debugging which could
> > occur with a non-nft frontend, but now they are checked.
> > 
> > [1]:
> > IPv4:
> >  +---+ .129  .130 +---+
> >  (proxy) | X || Z | (server)
> >  +---+   192.0.2.128/25   +---+
> >| .3
> >|
> >| 192.0.2.0/25
> >|
> >| .1
> >  +---+
> >  | Y | (client)
> >  +---+
> > 
> > IPv6:
> >  +---+ :1  :2 +---+
> >  (proxy) | X || Z | (server)
> >  +---+  2001:db8:0:1::/64 +---+
> >| :3
> >|
> >| 2001:db8:0:0::/64
> >|
> >| :1
> >  +---+
> >  | Y | (client)
> >  +---+
> > 
> > X and Z are VirtualBox VMs
> > 
> > [2]: https://git.breakpoint.cc/cgit/fw/tcprdr.git/
> 
> Thanks for explaining.
> 
> Good to know about this example BTW.
> 
> Probably we can add this TPROXY demo somewhere in the netfilter tree,
> this is something that has been always missing.

I planned to add this to Documentation/networking/tproxy.txt. Should I do it in
this commit?

> I know of other examples on the Internet, but one from Florian would
> be definitely better.
> 
> Florian, do you think it's worth placing this somewhere at
> netfilter.org?
> 
> Thanks.


Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-10 Thread Máté Eckl
On Tue, Jul 10, 2018 at 12:10:22PM +0200, Pablo Neira Ayuso wrote:
> Hi,
> 
> On Mon, Jul 09, 2018 at 04:44:53PM +0200, Máté Eckl wrote:
> [...]
> > Example:
> > nft> add table ip x
> > nft> add chain ip x y { type filter hook prerouting priority raw; }
> > nft> add chain ip x z { type filter hook prerouting priority mangle + 1; }
> 
> Nice stuff.
> 
> > nft> add chain ip x w { type filter hook prerouting priority dstnat - 5; }
> 
> I'd suggest prenat instead of dstnat, probably? I understand this is
> leaking the definition we have in the kernel, but this is expected to
> be used by non-programmers, so I wonder if we can offer a better tag
> for this.

Destination nat (dnat/dstnat) is a well-known expression among sysadmins and
netadmins so I think this is better than prenat which just seems to be a new
word for the same thing.

> > nft> add chain ip x r { type filter hook prerouting priority filter + 10; }
> > nft> add chain ip x t { type filter hook prerouting priority security; }
> > nft> add chain ip x q { type filter hook prerouting priority srcnat + 11; }
> 
> I'd suggest postnat instead of srcnat.

Same as for dstnat.

> BTW, srcnat only makes sense from postrouting, I think it would it be
> possible to reject things that make no sense from there, like srcnat
> with prerouting as in the example above.

I'll look after this.

> More comments below.
> 
> > nft> add chain ip x h { type filter hook prerouting priority 15; }
> > nft>
> > nft> add flowtable ip x y { hook ingress priority filter + 5 ; devices = 
> > {enp0s31f6}; }
> > nft>
> > nft> add table arp x
> > nft> add chain arp x y { type filter hook input priority filter + 5; }
> > nft>
> > nft> list ruleset
> > table ip x {
> > flowtable y {
> > hook ingress priority filter + 5
> > devices = { enp0s31f6 }
> > }
> > 
> > chain y {
> > type filter hook prerouting priority raw; policy accept;
> > }
> > 
> > chain z {
> > type filter hook prerouting priority mangle + 1; policy accept;
> > }
> > 
> > chain w {
> > type filter hook prerouting priority dstnat - 5; policy accept;
> > }
> > 
> > chain r {
> > type filter hook prerouting priority filter + 10; policy accept;
> > }
> > 
> > chain t {
> > type filter hook prerouting priority security; policy accept;
> > }
> > 
> > chain q {
> > type filter hook prerouting priority 111; policy accept;
> > }
> > 
> > chain h {
> > type filter hook prerouting priority 15; policy accept;
> > }
> > }
> > table arp x {
> > chain y {
> > type filter hook input priority filter + 5; policy accept;
> > }
> > }
> > nft>
> > nft> add chain ip x h { type filter hook prerouting priority first; }
> > Error: 'first' is invalid for priority in this context.
> > add chain ip x h { type filter hook prerouting priority first; }
> >  ^
> > nft> add chain arp x y { type filter hook input priority raw; }
> > Error: 'raw' is invalid for priority in this context.
> > add chain arp x y { type filter hook input priority raw; }
> >   ^^
> > nft> add flowtable ip x y { hook ingress priority magle; devices = 
> > {enp0s31f6}; }
> > Error: 'magle' is invalid for priority.
> > add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
> >  ^
> > 
> > Signed-off-by: Máté Eckl 
> > ---
> > v4:
> >  - fix snat and dnat conflict with existing tokens
> >  - remove static char array from chain_prio2str
> >  - make numerical priority printing available via -nnn nft flag
> >  - add docs about priority names
> >  - check compatibility of standard prio names and table family
> >  - handle flowtables
> > 
> >  doc/nft.xml|  68 ++--
> >  include/rule.h |   5 ++
> >  src/evaluate.c |  56 
> >  src/parser_bison.y |  36 ++---
> >  src/rule.c | 129 ++---
> >  src/scanner.l  |   2 +
> >  6 files changed, 281 insertions(+), 15 deletions(-)
> > 
> > diff --git a/doc/nft.xml b/doc/nft.xml
> > index
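An added example of the name-to-number resolution and the "name +/- n" print-back described in the quoted commit message, written in Python; it is not nftables code. The ip/ip6/inet values are the kernel's NF_IP_PRI_* constants, arp and netdev have only filter, and the bridge values (dstnat -300, filter -200, srcnat 300, taken from NF_BR_PRI_* in linux/netfilter_bridge.h) are my assumption about how the patch maps the bridge names. Names the patch rejects, such as 'first' in the examples above, are simply absent from the tables here.

```python
import re

# ip/ip6/inet: the kernel's NF_IP_PRI_* values.  arp/netdev: filter only.
# bridge: NF_BR_PRI_* from linux/netfilter_bridge.h (assumption about the
# numbers the patch uses for the bridge names).
_IP_PRIOS = {"raw": -300, "mangle": -150, "dstnat": -100,
             "filter": 0, "security": 50, "srcnat": 100}
STD_PRIOS = {
    "ip": _IP_PRIOS, "ip6": _IP_PRIOS, "inet": _IP_PRIOS,
    "arp": {"filter": 0}, "netdev": {"filter": 0},
    "bridge": {"dstnat": -300, "filter": -200, "srcnat": 300},
}
PRINT_RANGE = 10  # 'name +/- n' is printed only for |n| <= 10

_SPEC = re.compile(r"^\s*(-?\d+|[a-z]+)\s*(?:([+-])\s*(\d+))?\s*$")


def parse_priority(spec, family):
    """Resolve 'mangle + 1', 'dstnat - 5' or a plain number for a family.
    Unknown or family-inappropriate names raise ValueError, the condition
    behind nft's "'raw' is invalid for priority in this context"."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"cannot parse priority {spec!r}")
    base, sign, off = m.groups()
    if base.lstrip("-").isdigit():
        value = int(base)
    else:
        table = STD_PRIOS.get(family)
        if table is None:
            raise ValueError(f"unknown family {family!r}")
        if base not in table:
            raise ValueError(f"'{base}' is invalid for priority in this context")
        value = table[base]
    if sign == "+":
        value += int(off)
    elif sign == "-":
        value -= int(off)
    return value


def format_priority(value, family, numeric=False):
    """Print back the way 'nft list ruleset' does after the patch: the nearest
    standard name with an offset of at most +-10, otherwise the bare number.
    numeric=True is the -nnn behaviour."""
    if numeric:
        return str(value)
    best = None
    for name, std in STD_PRIOS.get(family, {}).items():
        d = value - std
        if abs(d) <= PRINT_RANGE and (best is None or abs(d) < abs(best[1])):
            best = (name, d)
    if best is None:
        return str(value)
    name, d = best
    if d == 0:
        return name
    return f"{name} {'+' if d > 0 else '-'} {abs(d)}"


def is_rejected(spec, family):
    """True when the spec is not valid for the family."""
    try:
        parse_priority(spec, family)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for fam, spec in [("ip", "raw"), ("ip", "mangle + 1"), ("ip", "dstnat - 5"),
                      ("ip", "filter + 10"), ("ip", "srcnat + 11"), ("ip", "15"),
                      ("arp", "filter + 5")]:
        v = parse_priority(spec, fam)
        print(f"{fam:6} {spec:14} -> {v:5}  prints as: {format_priority(v, fam)}")
    print("arp raw rejected:", is_rejected("raw", "arp"))
```

Running it reproduces the listing in the commit message: `srcnat + 11` resolves to 111 and prints as the bare number because it is outside the +-10 window, while `filter + 10` is printed symbolically.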

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Máté Eckl
On Mon, Jul 09, 2018 at 05:40:38PM +0200, Pablo Neira Ayuso wrote:
> Hi Máté,
> 
> On Thu, Jun 28, 2018 at 06:42:58PM +0200, Máté Eckl wrote:
> > v2:
> >  - address or port is now compulsory
> >  - nf_defrag_ipv{4,6}_enable called in init
> >  - nft_tproxy now selects NF_DEFRAG_IPV4/6
> >  - Add transport header presence test in ipv4 eval (in ipv6 it was
> >already present)
> >  - Add check for the case when address is specified but the rule family
> >is not set accordingly
> > 
> > -- 8< --
> > A great portion of the code is taken from xt_TPROXY.c
> > 
> > There are some changes compared to the iptables implementation:
> >  - tproxy statement is not terminal here
> 
> Looks good to me, thanks.

I don't know how this works yet, but this code will fail to compile once
'netfilter: nf_tproxy: fix possible non-linear access to transport header' patch
is merged from the nf tree.

Also based on the '[PATCH] netfilter: NFT_SOCKET don't use NF_SOCKET_IPV6
without NF_TABLES_IPV6' thread I might need to change the IS_ENABLED macros to
NF_TABLES_IPV6 in a next version of the patch.

I'll have to change one anyways. So please wait for v4 patch before applying.

> Please, could you describe how you have tested the nft tproxy
> datapath? Did you run any example configuration to make sure things
> are working? If so, please slightly describe.
> 
> Thanks.

I used the tcprdr [2] as a proxy software at point X, netcat (OpenBSD version
that can handle IPv6) as a server at point Z, and telnet as a client at point Y.
See the topology at [1].

The config of X was the following:
# ip rule add fwmark 1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100
# ip -6 rule add fwmark 1 lookup 100
# ip -6 route add local ::/0 dev lo table 100
# nft -f testrules

# cat testrules
table inet x {
chain y {
type filter hook prerouting priority -150; 
policy accept;
meta l4proto tcp socket transparent 1 mark set 
0x0001 accept
tcp dport http tproxy to :50080 mark set 
0x0001 accept
}
}

# ./tcprdr -4 -t -T 50080 192.0.2.130 80
and for ipv6
# ./tcprdr -6 -t -T 50080 2001:db8:0:1::2 80

Commands on Z:
# nc -l -p 80
and for ipv6
# nc -6 -l -p 80
Z also had routes to Y via X.

Commands on Y:
# telnet 192.0.2.3 80
# telnet 2001:db8:0:0::3 80

I also tried how it works when tproxy target address is specified (tcprdr -L can
be used for it) and protocol-specific cases too.

Proof at point X:
# ss -tpn
State   Recv-Q Send-Q  Local 
Address:Port   Peer Address:Port
ESTAB   0  0   
192.0.2.3:22192.0.2.1:45006 
users:(("sshd",pid=452,fd=3))
ESTAB   0  0   
[2001:db8::3]:80[2001:db8::1]:51900 
users:(("tcprdr",pid=534,fd=4))
ESTAB   0  0   
[2001:db8::1]:51900 [2001:db8:0:1::2]:80
users:(("tcprdr",pid=534,fd=5))



Regarding the code, I added some checks during the debugging which could
occur with a non-nft frontend, but now they are checked.

[1]:
IPv4:
 +---+ .129  .130 +---+
 (proxy) | X || Z | (server)
 +---+   192.0.2.128/25   +---+
   | .3
   |
   | 192.0.2.0/25
   |
   | .1
 +---+
 | Y | (client)
 +---+

IPv6:
 +---+ :1  :2 +---+
 (proxy) | X || Z | (server)
 +---+  2001:db8:0:1::/64 +---+
   | :3
   |
   | 2001:db8:0:0::/64
   |
   | :1
 +---+
 | Y | (client)
 +---+

X and Z are VirtualBox VMs

[2]: https://git.breakpoint.cc/cgit/fw/tcprdr.git/
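As an added example of what the proxy process at point X has to do against the ruleset above (it is not tcprdr or nftables code and is not part of the original message), here is a minimal transparent TCP proxy in Python. It assumes the two `ip rule`/`ip route add local` pairs and the `tproxy to :50080` rule from the message are in place and that it runs as root, since IP_TRANSPARENT requires CAP_NET_ADMIN; the value 19 for IP_TRANSPARENT is the Linux one from linux/in.h, and the optional source-address spoofing is my own `--spoof` switch, not a reproduction of tcprdr's flags.

```python
import select
import socket
import sys

# linux/in.h defines IP_TRANSPARENT as 19; fall back to that if this Python
# build does not export the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
FWMARK = 1            # 'ip rule add fwmark 1 lookup 100'
ROUTE_TABLE = 100
LISTEN_PORT = 50080   # 'tproxy to :50080'


def routing_setup(mark=FWMARK, table=ROUTE_TABLE):
    """The policy-routing commands from the message, as a list: packets the
    ruleset marks with `mark` are delivered locally instead of forwarded."""
    return [
        f"ip rule add fwmark {mark} lookup {table}",
        f"ip route add local 0.0.0.0/0 dev lo table {table}",
        f"ip -6 rule add fwmark {mark} lookup {table}",
        f"ip -6 route add local ::/0 dev lo table {table}",
    ]


def original_destination(conn):
    """Under tproxy the accepted socket's local address is the address the
    client actually dialled, so getsockname() yields the real destination
    without any SO_ORIGINAL_DST / conntrack lookup."""
    host, port = conn.getsockname()[:2]
    return host, port


def open_upstream(dst, spoof_src=None):
    """Connect to dst.  With spoof_src, bind the client's own address first:
    IP_TRANSPARENT permits binding a non-local address, and the server's
    replies come back through this host because it routes to the client."""
    up = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if spoof_src is not None:
            up.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
            up.bind(spoof_src)
        up.connect(dst)
    except OSError:
        up.close()
        raise
    return up


def pump(a, b):
    """Copy bytes both ways until either side closes."""
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for s in readable:
            data = s.recv(65536)
            if not data:
                return
            (b if s is a else a).sendall(data)


def serve(port=LISTEN_PORT, spoof=False):
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # The listener must be transparent to receive flows whose destination is
    # not a local address; this is also the flag 'socket transparent 1' tests.
    ls.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    ls.bind(("0.0.0.0", port))
    ls.listen(16)
    while True:
        conn, client = ls.accept()
        dst = original_destination(conn)
        print(f"{client[0]}:{client[1]} -> {dst[0]}:{dst[1]}", file=sys.stderr)
        up = None
        try:
            up = open_upstream(dst, client[:2] if spoof else None)
            pump(conn, up)
        except OSError as exc:
            print("proxying failed:", exc, file=sys.stderr)
        finally:
            conn.close()
            if up is not None:
                up.close()


if __name__ == "__main__":
    # Print the routing commands for reference, then proxy (root required).
    for cmd in routing_setup():
        print("#", cmd, file=sys.stderr)
    serve(spoof="--spoof" in sys.argv[1:])
```

With `--spoof`, the first rule of the ruleset (`socket transparent 1 mark set 0x1 accept`) is what keeps the flow alive: the server's replies are addressed to the client and carry the client's port, so the `tcp dport http ... tproxy` rule never matches them, and only the lookup of the existing transparent socket steers them to the proxy instead of forwarding them on to Y.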


Re: [PATCH] netfilter: NFT_SOCKET don't use NF_SOCKET_IPV6 without NF_TABLES_IPV6

2018-07-10 Thread Máté Eckl
On Mon, Jul 09, 2018 at 11:35:09PM +0200, Arnd Bergmann wrote:
> It is now possible to build the nft_socket module as built-in when
> NF_TABLES_IPV6 is disabled, and have NF_SOCKET_IPV6=m set manually.
> 
> In this case, the NF_SOCKET_IPV6 functionality will be useless according
> to the explanation in commit 35bf1ccecaaa ("netfilter: Kconfig: Change
> IPv6 select dependencies"), but on top of that it also causes a link
> error:
> 
> net/netfilter/nft_socket.o: In function `nft_socket_eval':
> nft_socket.c:(.text+0x162): undefined reference to `nf_sk_lookup_slow_v6'
> 
> This changes the compile-time check so we don't attempt to use
> the NF_SOCKET_IPV6 code when it cannot be used, and make it all
> compile again. That may lead to unexpected behavior when a user
> enables NF_SOCKET_IPV6 but cannot use it, but seems to be the
> logical conclusion of the 35bf1ccecaaa change.
> 
> Fixes: 35bf1ccecaaa ("netfilter: Kconfig: Change IPv6 select dependencies")
> Signed-off-by: Arnd Bergmann 

I think this should be fixed in the Kconfig rather than inside the module(s).

I did some investigation and it turns out that you missed a circumstance. This
link error occurs only if NFT_SOCKET=y && NF_SOCKET_IPV6=m && NF_TABLES_IPV6=y
(cannot be m here if NFT_SOCKET is y). And probably the same with
iptables-related modules. Probably this possibility should be eliminated.


[PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-09 Thread Máté Eckl
This patch adds the possibility to use textual names to set the chain priority
to standard values so that numeric values do not need to be learnt any more for
basic usage.

Basic arithmetic can also be done with them to ease the addition of
relatively higher/lower priority chains.
Addition and subtraction are possible.

Values are also printed with their friendly name within the range of
 +- 10.

Also numeric printing is supported in case of -nnn option
(numeric == NFT_NUMERIC_ALL)

Not all names apply to every family. The supported names are based on
the tables they have in their x_tables implementation.
These are the following:
ip,ip6,inet
filter
nat (dstnat, srcnat)
mangle
raw
security
arp, netdev, flowtables
filter
bridge
filter
nat (dstnat, srcnat)
broute (no corresponding priority value)

Example:
nft> add table ip x
nft> add chain ip x y { type filter hook prerouting priority raw; }
nft> add chain ip x z { type filter hook prerouting priority mangle + 1; }
nft> add chain ip x w { type filter hook prerouting priority dstnat - 5; }
nft> add chain ip x r { type filter hook prerouting priority filter + 10; }
nft> add chain ip x t { type filter hook prerouting priority security; }
nft> add chain ip x q { type filter hook prerouting priority srcnat + 11; }
nft> add chain ip x h { type filter hook prerouting priority 15; }
nft>
nft> add flowtable ip x y { hook ingress priority filter + 5 ; devices = 
{enp0s31f6}; }
nft>
nft> add table arp x
nft> add chain arp x y { type filter hook input priority filter + 5; }
nft>
nft> list ruleset
table ip x {
flowtable y {
hook ingress priority filter + 5
devices = { enp0s31f6 }
}

chain y {
type filter hook prerouting priority raw; policy accept;
}

chain z {
type filter hook prerouting priority mangle + 1; policy accept;
}

chain w {
type filter hook prerouting priority dstnat - 5; policy accept;
}

chain r {
type filter hook prerouting priority filter + 10; policy accept;
}

chain t {
type filter hook prerouting priority security; policy accept;
}

chain q {
type filter hook prerouting priority 111; policy accept;
}

chain h {
type filter hook prerouting priority 15; policy accept;
}
}
table arp x {
chain y {
type filter hook input priority filter + 5; policy accept;
}
}
nft>
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid for priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
 ^
nft> add chain arp x y { type filter hook input priority raw; }
Error: 'raw' is invalid for priority in this context.
add chain arp x y { type filter hook input priority raw; }
  ^^
nft> add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; 
}
Error: 'magle' is invalid for priority.
add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
 ^^^^^

Signed-off-by: Máté Eckl 
---
v4:
 - fix snat and dnat conflict with existing tokens
 - remove static char array from chain_prio2str
 - make numerical priority printing available via -nnn nft flag
 - add docs about priority names
 - check compatibility of standard prio names and table family
 - handle flowtables

 doc/nft.xml|  68 ++--
 include/rule.h |   5 ++
 src/evaluate.c |  56 
 src/parser_bison.y |  36 ++---
 src/rule.c | 129 ++---
 src/scanner.l  |   2 +
 6 files changed, 281 insertions(+), 15 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index dc93a8c..01cc1d1 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -109,7 +109,7 @@ vi:ts=4 sw=4
Show data numerically. When 
used once (the default behaviour), skip
lookup of addresses to symbolic 
names. Use twice to also show Internet
services (port numbers) 
numerically. Use three times to also show
-   protocols and UIDs/GIDs 
numerically.
+   protocols, UIDs/GIDs and 
priorities numerically.

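Review bot: this hunk only updates the -n option text; the per-family list of valid names from the commit message (filter, nat as dstnat/srcnat, mangle, raw and security for ip, ip6 and inet; filter only for arp and netdev; filter, dstnat and srcnat for bridge) needs to appear in the hook/priority part of the manual as well, otherwise the "'raw' is invalid for priority in this context" error has no documented rule behind it. The rest of the doc/nft.xml change is cut off here, so whether the later hunks cover it cannot be checked from the visible lines.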


Re: [PATCH v4 nf] netfilter: nf_tproxy: fix possible non-linear access to transport header

2018-07-06 Thread Máté Eckl
On Fri, Jul 06, 2018 at 02:35:41PM +0200, Pablo Neira Ayuso wrote:
> Applied with some changes, see below.
> 
> On Thu, Jul 05, 2018 at 12:01:53PM +0200, Máté Eckl wrote:
> > v3: linearize based on layer4 protocol.
> > v4: no WARN_ON_ONCE call
> 
> Please, next time place these comments...
> 
> > -- 8< --
> > This patch fixes a silent out-of-bound read possibility that was present
> > because of the misuse of this function.
> > 
> > Mostly it was called with a struct udphdr *hp which had only the udphdr
> > part linearized by the skb_header_pointer, however
> > nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads for
> > tcp specific attributes may be invalid.
> > 
> > Fixes: a583636a83ea ("inet: refactor inet[6]_lookup functions to take skb")
> > Signed-off-by: Máté Eckl 
> > ---
> 
> *Right here*

Ok.

> 'git am' ignores everything coming after ---, so it's very you want to
> place volatile comments like the one above.
> 
> More comments below.
> 
> >  include/net/netfilter/nf_tproxy.h   |  4 ++--
> >  net/ipv4/netfilter/nf_tproxy_ipv4.c | 16 +++-
> >  net/ipv6/netfilter/nf_tproxy_ipv6.c | 16 +++-
> >  net/netfilter/xt_TPROXY.c   |  8 
> >  4 files changed, 28 insertions(+), 16 deletions(-)
> > 
> > diff --git a/include/net/netfilter/nf_tproxy.h 
> > b/include/net/netfilter/nf_tproxy.h
> > index 9754a50ecde9..4cc64c8446eb 100644
> > --- a/include/net/netfilter/nf_tproxy.h
> > +++ b/include/net/netfilter/nf_tproxy.h
> > @@ -64,7 +64,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct 
> > sk_buff *skb,
> >   * belonging to established connections going through that one.
> >   */
> >  struct sock *
> > -nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
> > +nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
> >   const u8 protocol,
> >   const __be32 saddr, const __be32 daddr,
> >   const __be16 sport, const __be16 dport,
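Review bot: dropping the `void *hp` parameter from the exported nf_tproxy_get_sock_v4() changes an API with callers outside this patch's diffstat: the nft_tproxy expression pending in nf-next also passes hp and will fail to build once the trees merge, as noted elsewhere in this thread, so the nf-next side needs a matching update when this lands.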
> > @@ -103,7 +103,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int 
> > tproto, int thoff,
> > struct sock *sk);
> >  
> >  struct sock *
> > -nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, 
> > void *hp,
> > +nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
> >   const u8 protocol,
> >   const struct in6_addr *saddr, const struct in6_addr 
> > *daddr,
> >   const __be16 sport, const __be16 dport,
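Review bot: keeping `thoff` for the IPv6 variant while dropping `hp` is the right split, since unlike IPv4 the transport offset cannot be derived from a fixed header length once extension headers are present; the new in-function skb_header_pointer() for v6 therefore has to use thoff rather than sizeof(struct ipv6hdr), and the nf_tproxy_ipv6.c hunk is not visible here to confirm that it does.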
> > diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c 
> > b/net/ipv4/netfilter/nf_tproxy_ipv4.c
> > index 805e83ec3ad9..e2559a1cdbf4 100644
> > --- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
> > +++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
> > @@ -37,7 +37,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct 
> > sk_buff *skb,
> >  * to a listener socket if there's one */
> > struct sock *sk2;
> >  
> > -   sk2 = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,
> > +   sk2 = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
> > iph->saddr, laddr ? laddr : 
> > iph->daddr,
> > hp->source, lport ? lport : 
> > hp->dest,
> > skb->dev, 
> > NF_TPROXY_LOOKUP_LISTENER);
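Review bot: nf_tproxy_handle_time_wait4() still dereferences the caller's `hp` for `hp->source` and `hp->dest`; that is safe because the ports occupy the first four bytes of both the TCP and UDP headers, so a udphdr-sized linearization covers them, but a one-line comment stating that hp may only be udphdr-sized would stop the next reader from adding a `hp->doff` access here and reintroducing the bug this patch fixes.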
> > @@ -71,24 +71,27 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 
> > user_laddr, __be32 daddr)
> >  EXPORT_SYMBOL_GPL(nf_tproxy_laddr4);
> >  
> >  struct sock *
> > -nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
> > +nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
> >   const u8 protocol,
> >   const __be32 saddr, const __be32 daddr,
> >   const __be16 sport, const __be16 dport,
> >   const struct net_device *in,
> >   const enum nf_tproxy_lookup_t lookup_type)
> >  {
> > +   struct tcphdr _hdr, *hp;
> > struct sock *sk;
> > -   struct tcphdr *tcph;
> >  
> > switch (protocol) {
> > case IPPROTO_TCP:
> 
> I have placed the 'struct tcphdr _hdr, *hp;' here, for clarify so...
> 
> > +   hp = skb_header_pointer(skb, ip_hdrlen(skb),
> > +   sizeof(struct tcphdr), &_hdr);
> > +   if (hp == NULL)
> > +   return NULL;
> >

Re: [PATCH v3 nft] Set/print standard chain priorities with textual names

2018-07-05 Thread Máté Eckl
On Thu, Jul 05, 2018 at 05:22:23PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 05, 2018 at 05:14:20PM +0200, Máté Eckl wrote:
> > On Thu, Jun 21, 2018 at 01:42:14PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Jun 21, 2018 at 01:01:31PM +0200, Phil Sutter wrote:
> > > [...]
> > > > On Thu, Jun 21, 2018 at 11:26:37AM +0200, Máté Eckl wrote:
> > > > > By the way, there's a question I haven't met yet. Prio spec is used
> > > > > by not only hook_spec but also flowtable_block. Are these standard
> > > > > priorities applicable for flowtable priorities? Or should I make it
> > > > > specific to chains?
> > > 
> > > Only the filter priority you can apply to the flowtable_block.
> > 
> > Is there a man page you could recommend to read more about flowtables?
> > Maybe one of an older tool? I haven't found much about this.
> 
> man nft.
> 
> There is also: Documentation/networking/nf_flowtable.txt

But these don't say anything about filter or anything... I'd like to see if it
makes any sense here. It seems not to make any for now. How about leaving
flowtables alone with this change and only applying this to chains?

> > > Note that standard priorities may depend on family, so you may need to
> > > do the chain_std_prio_lookup() from the evaluation phase, instead of
> > > doing it from the parser.
> > > 
> > > Telling this only filter applies to arp, bridge and netdev families
> > > IIRC.
> > > 
> > > Have a look and let us know.
> > 
> > This is what I found:
> > iptables
> >     filter
> >     nat (dstnat, srcnat)
> >     mangle
> >     raw
> >     security
> > arptables
> >     filter
> > ebtables
> >     filter
> >     nat (dstnat, srcnat)
> >     broute (no corresponding priority value)
> > 
> > I have an implementation to handle this, but I'd still like to do the
> > name->number translation outside the eval functions.
> 
> Why are you willing to make your life so complicated? :-)

I will need to refactor the chain structure and initialisation, so it actually
seemed to be less complicated so far.  But I guess I have no other options.

> > Is there any way to get the family of the context in the parser? I'd like
> > to do something like this:
> > standard_prio   :   STRING
> >                     {
> >                         int tmp = chain_std_prio_lookup(something->family, $1);
> >                         [...]
> >                     }
> >                 ;
> > 
> > I tried chain family but it is not initialised at this point.
> 
> The problem with bison is that the context may not even be there by the time
> this standard_prio rule runs.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v3 nft] Set/print standard chain priorities with textual names

2018-07-05 Thread Máté Eckl
On Thu, Jun 21, 2018 at 01:42:14PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 21, 2018 at 01:01:31PM +0200, Phil Sutter wrote:
> [...]
> > On Thu, Jun 21, 2018 at 11:26:37AM +0200, Máté Eckl wrote:
> > > By the way, there's a question I haven't met yet. Prio spec is used by
> > > not only hook_spec but also flowtable_block. Are these standard
> > > priorities applicable for flowtable priorities? Or should I make it
> > > specific to chains?
> 
> Only the filter priority you can apply to the flowtable_block.

Is there a man page you could recommend to read more about flowtables? Maybe one
of an older tool? I haven't found much about this.

> Note that standard priorities may depend on family, so you may need to
> do the chain_std_prio_lookup() from the evaluation phase, instead of
> doing it from the parser.
> 
> Telling this only filter applies to arp, bridge and netdev families
> IIRC.
> 
> Have a look and let us know.

This is what I found:
iptables
    filter
    nat (dstnat, srcnat)
    mangle
    raw
    security
arptables
    filter
ebtables
    filter
    nat (dstnat, srcnat)
    broute (no corresponding priority value)

I have an implementation to handle this, but I'd still like to do the
name->number translation outside the eval functions.
Is there any way to get the family of the context in the parser? I'd like to do
something like this:
standard_prio   :   STRING
                    {
                        int tmp = chain_std_prio_lookup(something->family, $1);
                        [...]
                    }
                ;

I tried chain family but it is not initialised at this point.


[PATCH v4 nf] netfilter: nf_tproxy: fix possible non-linear access to transport header

2018-07-05 Thread Máté Eckl
v3: linearize based on layer4 protocol.
v4: no WARN_ON_ONCE call

-- 8< --
This patch fixes a silent out-of-bounds read possibility that was present
because of the misuse of this function.

Mostly it was called with a struct udphdr *hp which had only the udphdr
part linearized by skb_header_pointer; however,
nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads of
TCP-specific attributes may be invalid.

Fixes: a583636a83ea ("inet: refactor inet[6]_lookup functions to take skb")
Signed-off-by: Máté Eckl 
---
 include/net/netfilter/nf_tproxy.h   |  4 ++--
 net/ipv4/netfilter/nf_tproxy_ipv4.c | 16 +++-
 net/ipv6/netfilter/nf_tproxy_ipv6.c | 16 +++-
 net/netfilter/xt_TPROXY.c   |  8 
 4 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/include/net/netfilter/nf_tproxy.h 
b/include/net/netfilter/nf_tproxy.h
index 9754a50ecde9..4cc64c8446eb 100644
--- a/include/net/netfilter/nf_tproxy.h
+++ b/include/net/netfilter/nf_tproxy.h
@@ -64,7 +64,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff 
*skb,
  * belonging to established connections going through that one.
  */
 struct sock *
-nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
+nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
  const u8 protocol,
  const __be32 saddr, const __be32 daddr,
  const __be16 sport, const __be16 dport,
@@ -103,7 +103,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int 
tproto, int thoff,
struct sock *sk);
 
 struct sock *
-nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void 
*hp,
+nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
  const u8 protocol,
  const struct in6_addr *saddr, const struct in6_addr 
*daddr,
  const __be16 sport, const __be16 dport,
diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c 
b/net/ipv4/netfilter/nf_tproxy_ipv4.c
index 805e83ec3ad9..e2559a1cdbf4 100644
--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
+++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
@@ -37,7 +37,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff 
*skb,
 * to a listener socket if there's one */
struct sock *sk2;
 
-   sk2 = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,
+   sk2 = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
iph->saddr, laddr ? laddr : 
iph->daddr,
hp->source, lport ? lport : 
hp->dest,
skb->dev, 
NF_TPROXY_LOOKUP_LISTENER);
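Review bot: the call site still reads `hp->source` and `hp->dest` from the time-wait path's own header pointer while nf_tproxy_get_sock_v4() now fetches the TCP header again itself; the double fetch is correct (same offset, same bytes) and cheap, but a short comment here saying that the callee re-linearises on purpose would stop the next reader from trying to pass hp back in.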
@@ -71,24 +71,27 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 
user_laddr, __be32 daddr)
 EXPORT_SYMBOL_GPL(nf_tproxy_laddr4);
 
 struct sock *
-nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
+nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
  const u8 protocol,
  const __be32 saddr, const __be32 daddr,
  const __be16 sport, const __be16 dport,
  const struct net_device *in,
  const enum nf_tproxy_lookup_t lookup_type)
 {
+   struct tcphdr _hdr, *hp;
struct sock *sk;
-   struct tcphdr *tcph;
 
switch (protocol) {
case IPPROTO_TCP:
+   hp = skb_header_pointer(skb, ip_hdrlen(skb),
+   sizeof(struct tcphdr), &_hdr);
+   if (hp == NULL)
+   return NULL;
switch (lookup_type) {
case NF_TPROXY_LOOKUP_LISTENER:
-   tcph = hp;
sk = inet_lookup_listener(net, _hashinfo, skb,
ip_hdrlen(skb) +
- __tcp_hdrlen(tcph),
+ __tcp_hdrlen(hp),
saddr, sport,
daddr, dport,
in->ifindex, 0);
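Review bot: the `hp == NULL` branch now returns NULL quietly, which is the right outcome: a TCP segment shorter than its fixed 20-byte header is ordinary untrusted input, and failing the socket lookup is all that should happen. One placement point: the fetch sits before `switch (lookup_type)`, yet only the NF_TPROXY_LOOKUP_LISTENER branch visible here dereferences hp (`__tcp_hdrlen(hp)`); if the established-socket branch does not need it, moving the skb_header_pointer() call under that case label avoids a 20-byte copy on the non-linear path for established lookups.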
@@ -111,6 +114,9 @@ nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, 
void *hp,
}
break;
case IPPROTO_UDP:
+   /* hp and _hdr is not used here so skb_header_pointer do not
+* need to be called
+*/
sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
 in->ifindex);
if (sk) {
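Review bot: the added comment has a grammar slip; suggest "hp and _hdr are not used here, so skb_header_pointer() does not need to be called". It is worth keeping, since it records why a protocol-sized fetch is the right design: the UDP path never looks past the ports already passed in as sport/dport, so a datagram shorter than a tcphdr must not be rejected.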
diff --git a/net/ipv6/netfilter/nf_tproxy_ipv6.c 
b/net/ipv6/netfilter/nf_tproxy_ipv6.c
index bf1d6c421e3b..3d4b087a846f 100644
--- a/net/ipv6/netfilter/nf_tproxy_ipv6.c
+++ b/net/ipv6/netfilter/nf_tproxy_ipv6.c
@@ -55,7 +55,7 @@ nf_tprox

[PATCH v3 nf] netfilter: nf_tproxy: fix possible non-linear access to transport header

2018-07-05 Thread Máté Eckl
v3: linearize based on layer4 protocol.

-- 8< --
This patch fixes a silent out-of-bounds read possibility that was present
because of the misuse of this function.

Mostly it was called with a struct udphdr *hp which had only the udphdr
part linearized by skb_header_pointer; however,
nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads of
TCP-specific attributes may be invalid.

Fixes: a583636a83ea ("inet: refactor inet[6]_lookup functions to take skb")
Signed-off-by: Máté Eckl 
---
 include/net/netfilter/nf_tproxy.h   |  4 ++--
 net/ipv4/netfilter/nf_tproxy_ipv4.c | 18 +-
 net/ipv6/netfilter/nf_tproxy_ipv6.c | 18 +-
 net/netfilter/xt_TPROXY.c   |  8 
 4 files changed, 32 insertions(+), 16 deletions(-)

diff --git a/include/net/netfilter/nf_tproxy.h 
b/include/net/netfilter/nf_tproxy.h
index 9754a50ecde9..4cc64c8446eb 100644
--- a/include/net/netfilter/nf_tproxy.h
+++ b/include/net/netfilter/nf_tproxy.h
@@ -64,7 +64,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff 
*skb,
  * belonging to established connections going through that one.
  */
 struct sock *
-nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
+nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
  const u8 protocol,
  const __be32 saddr, const __be32 daddr,
  const __be16 sport, const __be16 dport,
@@ -103,7 +103,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int 
tproto, int thoff,
struct sock *sk);
 
 struct sock *
-nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void 
*hp,
+nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
  const u8 protocol,
  const struct in6_addr *saddr, const struct in6_addr 
*daddr,
  const __be16 sport, const __be16 dport,
diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c 
b/net/ipv4/netfilter/nf_tproxy_ipv4.c
index 805e83ec3ad9..6351d313dc78 100644
--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
+++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
@@ -37,7 +37,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff 
*skb,
 * to a listener socket if there's one */
struct sock *sk2;
 
-   sk2 = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,
+   sk2 = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
iph->saddr, laddr ? laddr : 
iph->daddr,
hp->source, lport ? lport : 
hp->dest,
skb->dev, 
NF_TPROXY_LOOKUP_LISTENER);
@@ -71,24 +71,29 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 
user_laddr, __be32 daddr)
 EXPORT_SYMBOL_GPL(nf_tproxy_laddr4);
 
 struct sock *
-nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
+nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
  const u8 protocol,
  const __be32 saddr, const __be32 daddr,
  const __be16 sport, const __be16 dport,
  const struct net_device *in,
  const enum nf_tproxy_lookup_t lookup_type)
 {
+   struct tcphdr _hdr, *hp;
struct sock *sk;
-   struct tcphdr *tcph;
 
switch (protocol) {
case IPPROTO_TCP:
+   hp = skb_header_pointer(skb, ip_hdrlen(skb),
+   sizeof(struct tcphdr), &_hdr);
+   if (hp == NULL) {
+   WARN_ON_ONCE(1);
+   return NULL;
+   }
switch (lookup_type) {
case NF_TPROXY_LOOKUP_LISTENER:
-   tcph = hp;
sk = inet_lookup_listener(net, _hashinfo, skb,
ip_hdrlen(skb) +
- __tcp_hdrlen(tcph),
+ __tcp_hdrlen(hp),
saddr, sport,
daddr, dport,
in->ifindex, 0);
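Review bot: `WARN_ON_ONCE(1)` on a NULL header pointer is reachable from the network: any TCP segment truncated inside its first 20 bytes that hits a tproxy rule takes this branch, so an unprivileged remote sender can put a stack trace in the kernel log (and, where panic_on_warn is set, take the host down). A truncated header is a lookup failure, not a kernel bug; drop the warning and just `return NULL` as the other error paths do.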
@@ -111,6 +116,9 @@ nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, 
void *hp,
}
break;
case IPPROTO_UDP:
+   /* hp and _hdr is not used here so skb_header_pointer do not
+* need to be called
+*/
sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
 in->ifindex);
if (sk) {
diff --git a/net/ipv6/netfilter/nf_tproxy_ipv6.c 
b/net/ipv6/netfilter/nf_tproxy_ipv6.c
index bf1d6c421e3b..dbfa9ce171aa 100644
--- a/net/ipv6/netfilter/nf_tproxy_ipv6.c
+++ b/net/ip

Re: [PATCH v2 nf] netfilter: nf_tproxy: fix possible non-linear access to transport header

2018-07-04 Thread Máté Eckl
On Wed, Jul 04, 2018 at 07:49:38PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso  wrote:
> > On Wed, Jul 04, 2018 at 07:34:54PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Jun 28, 2018 at 01:34:42PM +0200, Máté Eckl wrote:
> > > > This patch fixes a silent out-of-bounds read possibility that was present
> > > > because of the misuse of this function.
> > > > 
> > > > Mostly it was called with a struct udphdr *hp which had only the udphdr
> > > > part linearized by skb_header_pointer; however,
> > > > nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads of
> > > > TCP-specific attributes may be invalid.
> > > 
> > > Applied, thanks.
> > 
> > Wait, I think this may break UDP traffic over tproxy.
> > 
> > If we get a UDP packet whose header + payload is smaller than the TCP
> > header, this will break things.
> 
> Indeed, good catch. This will need to indicate l4 protocol as arg
> to tell skb_header_pointer the correct l4 header size.

I'll take care of this.
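The misuse the commit message describes (a udphdr-sized linearisation read as a tcphdr) and the short-UDP-datagram case raised in this reply, as an added C example that is not the kernel's code. It assumes a linear byte buffer in place of an skb, a hypothetical header_pointer() helper that always takes skb_header_pointer()'s copy path, and constructed packets; every name other than the kernel's is the example's own.

```c
/* Added example, not the kernel's code: models the skb_header_pointer() misuse
 * fixed by the nf_tproxy patches above. A packet is a plain byte buffer and
 * header_pointer() always takes the copy path of skb_header_pointer(). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { IPPROTO_TCP = 6, IPPROTO_UDP = 17, IPV4_HDRLEN = 20 };

struct tcphdr {                 /* 20 bytes, wire layout, no bitfields */
	uint16_t source, dest;
	uint32_t seq, ack_seq;
	uint8_t  doff_res;          /* data offset in 32-bit words, high nibble */
	uint8_t  flags;
	uint16_t window, check, urg_ptr;
};
struct udphdr { uint16_t source, dest, len, check; };   /* 8 bytes */

/* Copy hlen bytes at off into buf; NULL when the packet is too short. */
static const void *header_pointer(const uint8_t *pkt, size_t len,
				  size_t off, size_t hlen, void *buf)
{
	if (off > len || hlen > len - off)
		return NULL;
	memcpy(buf, pkt + off, hlen);
	return buf;
}

static unsigned int tcp_hdrlen_of(const struct tcphdr *th)
{
	return (th->doff_res >> 4) * 4;     /* what __tcp_hdrlen() computes */
}

/* Pre-fix pattern: the caller linearised a udphdr, the callee read it as a
 * tcphdr. The scratch area is poisoned with 0xA5 so the stale bytes the doff
 * read hits show up as a value instead of as undefined behaviour. */
static int old_tcp_hdrlen(const uint8_t *pkt, size_t len, size_t thoff)
{
	union { struct tcphdr th; uint8_t raw[sizeof(struct tcphdr)]; } scratch;

	memset(scratch.raw, 0xA5, sizeof(scratch.raw));
	if (!header_pointer(pkt, len, thoff, sizeof(struct udphdr), scratch.raw))
		return -1;
	return (int)tcp_hdrlen_of(&scratch.th);  /* doff is byte 12, past the 8 copied */
}

/* Post-fix pattern (v3/v4): header size follows the layer-4 protocol, the
 * lookup fetches the header itself, and a short packet fails closed. */
static int new_tcp_hdrlen(const uint8_t *pkt, size_t len, size_t thoff, uint8_t proto)
{
	struct tcphdr _hdr;
	const struct tcphdr *hp;
	unsigned int hlen;

	switch (proto) {
	case IPPROTO_TCP:
		hp = header_pointer(pkt, len, thoff, sizeof(*hp), &_hdr);
		if (!hp)
			return -1;              /* truncated: no lookup, no WARN */
		hlen = tcp_hdrlen_of(hp);
		if (hlen < sizeof(*hp))
			return -1;              /* extra sanity check, not in the kernel code */
		return (int)hlen;
	case IPPROTO_UDP:
		return (int)sizeof(struct udphdr);  /* header bytes are never read */
	default:
		return -1;
	}
}

struct demo_results { int old_tcp, new_tcp, new_tcp_opts, new_udp, new_short_tcp; };

static struct demo_results run_demo(void)
{
	/* constructed packets: 20-byte IPv4 header, then the transport header only */
	uint8_t udp_pkt[28] = { 0x45, 0, 0, 28, 0, 0, 0, 0, 64, IPPROTO_UDP, 0, 0,
				192, 0, 2, 1, 192, 0, 2, 2,       /* 192.0.2.1 -> 192.0.2.2 */
				0, 53, 0, 53, 0, 8, 0, 0 };        /* UDP 53 -> 53, length 8 */
	uint8_t tcp_pkt[40] = { 0x45, 0, 0, 40, 0, 0, 0, 0, 64, IPPROTO_TCP, 0, 0,
				192, 0, 2, 1, 192, 0, 2, 2,
				0, 80, 0x1f, 0x90, 0, 0, 0, 1, 0, 0, 0, 0,  /* TCP 80 -> 8080 */
				0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };       /* doff 5, SYN */
	struct demo_results r;

	/* old path on a real TCP segment: the header says 20, the poison says 40 */
	r.old_tcp = old_tcp_hdrlen(tcp_pkt, sizeof(tcp_pkt), IPV4_HDRLEN);
	r.new_tcp = new_tcp_hdrlen(tcp_pkt, sizeof(tcp_pkt), IPV4_HDRLEN, IPPROTO_TCP);
	tcp_pkt[IPV4_HDRLEN + 12] = 0x60;   /* doff 6: 4 bytes of options */
	r.new_tcp_opts = new_tcp_hdrlen(tcp_pkt, sizeof(tcp_pkt), IPV4_HDRLEN, IPPROTO_TCP);
	/* UDP: nothing is read, so the 8-byte datagram is fine ... */
	r.new_udp = new_tcp_hdrlen(udp_pkt, sizeof(udp_pkt), IPV4_HDRLEN, IPPROTO_UDP);
	/* ... whereas an unconditional tcphdr fetch (the v2 approach) rejects it */
	r.new_short_tcp = new_tcp_hdrlen(udp_pkt, sizeof(udp_pkt), IPV4_HDRLEN, IPPROTO_TCP);
	return r;
}
```

run_demo() returns 40 for the old path on a TCP segment whose real header length is 20, and -1 when a 28-byte UDP datagram is fetched as a tcphdr, which is exactly the breakage the v2 approach would have caused.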


Re: [PATCH RFC nft] src: meta: always prefix 'meta' for all tokens

2018-07-03 Thread Máté Eckl
On Tue, Jul 03, 2018 at 04:16:51PM +0200, Florian Westphal wrote:
> got following bug report:
> 
> nft add ... ct mark set mark and 0x10
> 
> ... always sets 0.
> What reporter meant to write instead was 'ct mark',
> not 'mark'.
> 
> We can't just remove support for 'mark' and force
> 'meta mark', but we can start to discourage it by always
> printing the longer form.
> 
> Later on, we could start to print deprecation warning if needed.
> 
> NB: Patch causes gazillion of test case warnings, I would fix those
> up of course.

This is a good idea. It would also be ambiguous with socket mark (as it will
probably be introduced soon).


[PATCH nft] doc: Add tproxy statement to man page

2018-07-03 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 doc/nft.xml | 119 
 1 file changed, 119 insertions(+)

diff --git a/doc/nft.xml b/doc/nft.xml
index ef1b2c4..0cf3dcc 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -5341,6 +5341,125 @@ add rule nat prerouting tcp dport 22 redirect to :


 
+   
+   tproxy statements
+   
+   Tproxy redirects the packet to a local socket
+   without changing the packet header in any way.
+   If any of the arguments is missing the data of
+   the incoming packet is used as parameter.
+   Tproxy matching requires another rule that 
ensures
+   the presence of transport protocol header is 
specified.
+   
+   
+   
+   tproxy
+   to
+   address
+   :port
+   
+   
+   tproxy
+   to
+   
+   
address
+   
:port
+   
+   
+   
+   
+   This syntax can be used in 
ip/ip6 tables where
+   network layer protocol is obvious. Either ip 
address or port can
+   be specified, but at least one of them is 
necessary.
+   
+   
+   
+   tproxy
+   
+   ip
+   ip6
+   
+   to
+   address
+   :port
+   
+   
+   tproxy
+   to
+   :port
+   
+   
+   
+   This syntax can be used in 
inet tables. The
+   ip/ip6 parameter defines the 
family the rule
+   will match. The address 
parameter must be of
+   this family.
+   When only port is defined, 
the address family
+   should not be specified. In this case the rule 
will match for both
+   families.
+   
+   
+   
+   tproxy attributes
+   
+   
+   
+   
+   
+   
Name
+   
Description
+   
+   
+   
+   
+   
address
+   
+   IP 
address the listening socket with IP_TRANSPARENT
+   option 
is bound to.
+   
+   
+   
+   
port
+   
+   Port 
the listening socket with IP_TRANSPARENT
+   option 
is bound
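Review bot: the sentence "Tproxy matching requires another rule that ensures the presence of transport protocol header is specified" is hard to parse and says "another rule", while the tproxy statement's commit message requires the transport protocol match in the same rule; suggest "tproxy requires a transport protocol match (for example meta l4proto tcp) in the same rule, so that the transport header is known to be present". Also, "If any of the arguments is missing the data of the incoming packet is used as parameter" needs a comma after "missing".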

[PATCH nft] doc: Add socket expression to man page

2018-07-03 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 doc/nft.xml | 56 +
 1 file changed, 56 insertions(+)

diff --git a/doc/nft.xml b/doc/nft.xml
index dc93a8c..ef1b2c4 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -3015,6 +3015,62 @@ raw prerouting meta secpath exists accept



+   
+   socket expression
+   
+   
+   socket
+   
+   transparent
+   
+   
+   
+   
+   Socket expression can be used to search for an 
existing open TCP/UDP socket
+   and its attributes that can be associated with 
a packet. It looks for an
+   established or non-zero bound listening socket 
(possibly with a non-local address).
+   
+   
+   
+   Available socket 
attributes
+   
+   
+   
+   
+   
+   
+   
Name
+   
Description
+   
Type
+   
+   
+   
+   
+   
transparent
+   
+   Value 
of the IP_TRANSPARENT socket option in the found socket. It can be 0 or 1.
+   
+   boolean 
(1 bit) 
+   
+   
+   
+   
+   
+   
+   
+   Using socket expression
+   
+# Mark packets that correspond to a transparent socket
+table inet x {
+chain y {
+type filter hook prerouting priority -150; policy accept;
+socket transparent 1 mark set 0x0001 accept
+}
+}
+   
+   
+   
+   

fib expressions

-- 
ecklm



Re: [PATCH v3 nft] Set/print standard chain priorities with textual names

2018-07-03 Thread Máté Eckl
On Thu, Jun 21, 2018 at 01:42:14PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 21, 2018 at 01:01:31PM +0200, Phil Sutter wrote:
> [...]
> > On Thu, Jun 21, 2018 at 11:26:37AM +0200, Máté Eckl wrote:
> > > By the way, there's a question I haven't met yet. Prio spec is used by 
> > > not only
> > > hook_spec but also flowtable_block. Are these standard priorities 
> > > applicable for
> > > flowtable priorities? Or should I make it specific to chains?
> 
> Only the filter priority you can apply to the flowtable_block.
> 
> Note that standard priorities may depend on family, so you may need to
> do the chain_std_prio_lookup() from the evaluation phase, instead of
> doing it from the parser.
> 
> Telling this only filter applies to arp, bridge and netdev families
> IIRC.
> 
> Have a look and let us know

I found no evaluation for any families so I could do
nft add chain arp x y { type filter hook input priority -300;}
without any problem, which would be translated to 'raw'.

So I shouldn't have the possibility to add this priority? In this case, I think
the evaluation of the numerical value should be refined, but putting the
text->number translation into the evaluation phase does not seem appropriate to
me.


[PATCH v2 nft] test: Add test cases for tproxy support

2018-07-02 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 tests/py/inet/tproxy.t | 20 +++
 tests/py/inet/tproxy.t.payload | 46 ++
 tests/py/ip/tproxy.t   | 14 +++
 tests/py/ip/tproxy.t.payload   | 36 ++
 tests/py/ip6/tproxy.t  | 16 
 tests/py/ip6/tproxy.t.payload  | 22 
 6 files changed, 154 insertions(+)
 create mode 100644 tests/py/inet/tproxy.t
 create mode 100644 tests/py/inet/tproxy.t.payload
 create mode 100644 tests/py/ip/tproxy.t
 create mode 100644 tests/py/ip/tproxy.t.payload
 create mode 100644 tests/py/ip6/tproxy.t
 create mode 100644 tests/py/ip6/tproxy.t.payload

diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
new file mode 100644
index 000..f80f773
--- /dev/null
+++ b/tests/py/inet/tproxy.t
@@ -0,0 +1,20 @@
+:y;type filter hook prerouting priority -150
+
+*inet;x;y
+
+tproxy;fail
+meta l4proto 17 tproxy to 192.0.2.1;fail
+meta l4proto 6 tproxy to 192.0.2.1:50080;fail
+meta l4proto 17 tproxy ip to 192.0.2.1;ok
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok
+ip protocol 6 tproxy ip6 to [2001:db8::1];fail
+
+meta l4proto 6 tproxy to [2001:db8::1];fail
+meta l4proto 17 tproxy to [2001:db8::1]:50080;fail
+meta l4proto 6 tproxy ip6 to [2001:db8::1];ok
+meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok
+ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail
+
+meta l4proto 17 tproxy ip to :50080;fail
+meta l4proto 17 tproxy ip6 to :50080;fail
+meta l4proto 17 tproxy to :50080;ok
diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
new file mode 100644
index 000..5ec02bd
--- /dev/null
+++ b/tests/py/inet/tproxy.t.payload
@@ -0,0 +1,46 @@
+# meta l4proto 17 tproxy ip to 192.0.2.1
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy tproxy ip addr reg 1 ]
+
+# meta l4proto 6 tproxy ip to 192.0.2.1:50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ immediate reg 2 0xa0c3 ]
+  [ tproxy tproxy ip addr reg 1 port reg 2 ]
+
+# meta l4proto 6 tproxy ip6 to [2001:db8::1]
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0xb80d0120 0x 0x 0x0100 ]
+  [ tproxy tproxy ip6 addr reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0xb80d0120 0x 0x 0x0100 ]
+  [ immediate reg 2 0xa0c3 ]
+  [ tproxy tproxy ip6 addr reg 1 port reg 2 ]
+
+# ip protocol 6 tproxy to :50080
+inet x y 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0xa0c3 ]
+  [ tproxy tproxy inet port reg 1 ]
+
+# meta l4proto 17 tproxy to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0xa0c3 ]
+  [ tproxy tproxy inet port reg 1 ]
+
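Review bot: tests/py/inet/tproxy.t.payload carries an entry for `# ip protocol 6 tproxy to :50080` (with the `meta load nfproto` / `cmp eq reg 1 0x0002` prefix), but no such rule appears in tests/py/inet/tproxy.t above, so that expected payload is never compared. Either add `ip protocol 6 tproxy to :50080;ok` to the .t file, which would also cover the nfproto dependency in inet, or drop the entry.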
diff --git a/tests/py/ip/tproxy.t b/tests/py/ip/tproxy.t
new file mode 100644
index 000..6e959f4
--- /dev/null
+++ b/tests/py/ip/tproxy.t
@@ -0,0 +1,14 @@
+:y;type filter hook prerouting priority -150
+
+*ip;x;y
+
+tproxy;fail
+tproxy to 192.0.2.1;fail
+tproxy to 192.0.2.1:50080;fail
+tproxy to :50080;fail
+meta l4proto 17 tproxy to 192.0.2.1;ok
+meta l4proto 6 tproxy to 192.0.2.1:50080;ok
+ip protocol 6 tproxy to :50080;ok
+meta l4proto 17 tproxy ip to 192.0.2.1;fail
+meta l4proto 6 tproxy ip to 192.0.2.1:50080;fail
+ip protocol 6 tproxy ip to :50080;fail
diff --git a/tests/py/ip/tproxy.t.payload b/tests/py/ip/tproxy.t.payload
new file mode 100644
index 000..063b684
--- /dev/null
+++ b/tests/py/ip/tproxy.t.payload
@@ -0,0 +1,36 @@
+# meta l4proto 17 tproxy to 192.0.2.1
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy tproxy ip addr reg 1 ]
+
+# ip protocol 6 tproxy to :50080
+ip x y 
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0xa0c3 ]
+  [ tproxy tproxy ip port reg 1 ]
+
+# meta l4proto 17 tproxy to 192.0.2.1
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0011 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ tproxy tproxy ip addr reg 1 ]
+
+# ip protocol 6 tproxy to :50080
+ip x y 
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0xa0c3 ]
+  [ tproxy tproxy ip port reg 1 ]
+
+# meta l4proto 6 tproxy to 192.0.2.1:50080
+ip x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x0006 ]
+  [ immediate reg 1 0x010200c0 ]
+  [ immediate reg 2 0xa0c3 ]
+  [ tproxy tproxy ip addr reg 1 port reg 2 ]
+
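Review bot: tests/py/ip/tproxy.t.payload lists `# meta l4proto 17 tproxy to 192.0.2.1` and `# ip protocol 6 tproxy to :50080` twice each with identical bytecode, while tests/py/ip/tproxy.t has each rule once; drop the repeated blocks so every `ok` rule maps to exactly one expected payload.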
diff --git a/tests/py/ip6/tproxy.t b/tests/py/ip6/tproxy.t
new file mode 100644
index 000..dcd2bd8
--- /dev/null

Re: [PATCH v2 nft] Add tproxy support

2018-06-29 Thread Máté Eckl
Once we agree on the syntax, I'll send the next version of the tests, too.

On Fri, Jun 29, 2018 at 04:38:47PM +0200, Máté Eckl wrote:
> v2:
>  - tproxy statement without arguments is not supported
>  - Add transport protocol matching criterion to address evaluation.
>  - Specify network layer protocol in inet tables
> 
> -- 8< --
> This patch adds support for transparent proxy functionality which is
> supported in ip, ip6 and inet tables.
> 
> The syntax is the following:
>   tproxy [{|ip|ip6}] to {|:|:}
> 
> It looks for a socket listening on the specified address or port and
> assigns it to the matching packet.
> 
> In an inet table, a packet matches for both families until address is
> specified.
> Network protocol family has to be specified **only** in inet tables if
> address is specified.
> 
> As transparent proxy support is implemented for sockets with layer 4
> information, a transport protocol header criterion has to be set in the
> same rule. eg. 'meta l4proto tcp' or 'udp dport '
> 
> Example ruleset:
>     table ip x {
>         chain y {
>             type filter hook prerouting priority -150; policy accept;
>             tcp dport ntp tproxy to 1.1.1.1
>             udp dport ssh tproxy to :
>         }
>     }
>     table ip6 x {
>         chain y {
>             type filter hook prerouting priority -150; policy accept;
>             tcp dport ntp tproxy to [dead::beef]
>             udp dport ssh tproxy to :
>         }
>     }
>     table inet x {
>         chain y {
>             type filter hook prerouting priority -150; policy accept;
>             tcp dport 321 tproxy to :ssh
>             tcp dport 99 tproxy ip to 1.1.1.1:999
>             udp dport 155 tproxy ip6 to [dead::beef]:smux
>         }
>     }
> 
> Signed-off-by: Máté Eckl 


[PATCH v2 nft] Add tproxy support

2018-06-29 Thread Máté Eckl
v2:
 - tproxy statement without arguments is not supported
 - Add transport protocol matching criterion to address evaluation.
 - Specify network layer protocol in inet tables

-- 8< --
This patch adds support for transparent proxy functionality which is
supported in ip, ip6 and inet tables.

The syntax is the following:
tproxy [{|ip|ip6}] to {|:|:}

It looks for a socket listening on the specified address or port and
assigns it to the matching packet.

In an inet table, a packet matches for both families until address is
specified.
Network protocol family has to be specified **only** in inet tables if
address is specified.

As transparent proxy support is implemented for sockets with layer 4
information, a transport protocol header criterion has to be set in the
same rule. eg. 'meta l4proto tcp' or 'udp dport '

Example ruleset:
    table ip x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport ntp tproxy to 1.1.1.1
            udp dport ssh tproxy to :
        }
    }
    table ip6 x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport ntp tproxy to [dead::beef]
            udp dport ssh tproxy to :
        }
    }
    table inet x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 321 tproxy to :ssh
            tcp dport 99 tproxy ip to 1.1.1.1:999
            udp dport 155 tproxy ip6 to [dead::beef]:smux
        }
    }

Signed-off-by: Máté Eckl 
---
 include/linux/netfilter/nf_tables.h | 16 ++
 include/statement.h | 11 
 src/evaluate.c  | 84 +
 src/netlink_delinearize.c   | 53 ++
 src/netlink_linearize.c | 41 ++
 src/parser_bison.y  | 44 +++
 src/scanner.l   |  2 +
 src/statement.c | 45 
 8 files changed, 296 insertions(+)

diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 88e0ca1..d98cebb 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1231,6 +1231,22 @@ enum nft_nat_attributes {
 };
 #define NFTA_NAT_MAX   (__NFTA_NAT_MAX - 1)
 
+/**
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
+ *
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
+ */
+enum nft_tproxy_attributes {
+   NFTA_TPROXY_UNSPEC,
+   NFTA_TPROXY_FAMILY,
+   NFTA_TPROXY_REG_ADDR,
+   NFTA_TPROXY_REG_PORT,
+   __NFTA_TPROXY_MAX
+};
+#define NFTA_TPROXY_MAX(__NFTA_TPROXY_MAX - 1)
+
 /**
  * enum nft_masq_attributes - nf_tables masquerade expression attributes
  *
diff --git a/include/statement.h b/include/statement.h
index 5a907aa..7840e9d 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -128,6 +128,15 @@ struct nat_stmt {
 extern struct stmt *nat_stmt_alloc(const struct location *loc,
   enum nft_nat_etypes type);
 
+struct tproxy_stmt {
+   struct expr *addr;
+   struct expr *port;
+   uint8_t family;
+   uint8_t table_family; /* only used for printing the rule */
+};
+
+extern struct stmt *tproxy_stmt_alloc(const struct location *loc);
+
 struct queue_stmt {
struct expr *queue;
uint16_tflags;
@@ -271,6 +280,7 @@ enum stmt_types {
STMT_LOG,
STMT_REJECT,
STMT_NAT,
+   STMT_TPROXY,
STMT_QUEUE,
STMT_CT,
STMT_SET,
@@ -337,6 +347,7 @@ struct stmt {
struct limit_stmt   limit;
struct reject_stmt  reject;
struct nat_stmt nat;
+   struct tproxy_stmt  tproxy;
struct queue_stmt   queue;
struct quota_stmt   quota;
struct ct_stmt  ct;
diff --git a/src/evaluate.c b/src/evaluate.c
index 9ff2c0b..bde38ce 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2481,6 +2481,88 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, 
struct stmt *stmt)
return 0;
 }
 
+static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
+{
+   const struct datatype *dtype;
+   int err, len;
+
+   switch (ctx->pctx.family) {
+   case NFPROTO_IPV4:
+   case NFPROTO_IPV6:
+   case NFPROTO_INET:
+   break;
+   default:
+   return stmt_error(ctx

[PATCH v3 nf-next] netfilter: Add native tproxy support for nf_tables

2018-06-29 Thread Máté Eckl
v2:
 - address or port is now compulsory
 - nf_defrag_ipv{4,6}_enable called in init
 - nft_tproxy now selects NF_DEFRAG_IPV4/6
 - Add transport header presence test in ipv4 eval (in ipv6 it was
   already present)
 - Add check for the case when address is specified but the rule family
   is not set accordingly

v3:
 - Fix tproxy and context family compatibility test in init

-- 8< --
A great portion of the code is taken from xt_TPROXY.c

There are some changes compared to the iptables implementation:
 - tproxy statement is not terminal here

Signed-off-by: Máté Eckl 
---
 include/uapi/linux/netfilter/nf_tables.h |  16 ++
 net/netfilter/Kconfig|  10 +
 net/netfilter/Makefile   |   1 +
 net/netfilter/nft_tproxy.c   | 331 +++
 4 files changed, 358 insertions(+)
 create mode 100644 net/netfilter/nft_tproxy.c

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 89438e68dc03..e58d2b70dde7 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1250,6 +1250,22 @@ enum nft_nat_attributes {
 };
 #define NFTA_NAT_MAX   (__NFTA_NAT_MAX - 1)
 
+/**
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
+ *
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
+ */
+enum nft_tproxy_attributes {
+   NFTA_TPROXY_UNSPEC,
+   NFTA_TPROXY_FAMILY,
+   NFTA_TPROXY_REG_ADDR,
+   NFTA_TPROXY_REG_PORT,
+   __NFTA_TPROXY_MAX
+};
+#define NFTA_TPROXY_MAX(__NFTA_TPROXY_MAX - 1)
+
 /**
  * enum nft_masq_attributes - nf_tables masquerade expression attributes
  *
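Review bot: the kernel-doc for NFTA_TPROXY_FAMILY in this hunk says "(NLA_U32: nft_registers)", but this attribute carries an address family, not a register index (the private struct in the nft_tproxy.c hunk stores it as `u8 family`); the register annotation belongs only to NFTA_TPROXY_REG_ADDR and NFTA_TPROXY_REG_PORT, and this one should say something like "(NLA_U32: nfproto)". The uapi comment also does not mention that at least one of the two register attributes must be present, which the v2 changelog says is now enforced; stating it here is where userspace authors will look for it.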
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index aec182c22020..41861b8216da 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -631,6 +631,16 @@ config NFT_SOCKET
  This option allows matching for the presence or absence of a
  corresponding socket and its attributes.
 
+config NFT_TPROXY
+   tristate "Netfilter nf_tables tproxy support"
+   depends on IPV6 || IPV6=n
+   select NF_DEFRAG_IPV4
+   select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
+   select NF_TPROXY_IPV4
+   select NF_TPROXY_IPV6 if NF_TABLES_IPV6
+   help
+ This makes transparent proxy support available in nftables.
+
 if NF_TABLES_NETDEV
 
 config NF_DUP_NETDEV
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 9389e527..2af51df46d71 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -104,6 +104,7 @@ obj-$(CONFIG_NFT_FIB_INET)  += nft_fib_inet.o
 obj-$(CONFIG_NFT_FIB_NETDEV)   += nft_fib_netdev.o
 obj-$(CONFIG_NF_OSF)   += nf_osf.o
 obj-$(CONFIG_NFT_SOCKET)   += nft_socket.o
+obj-$(CONFIG_NFT_TPROXY)   += nft_tproxy.o
 
 # nf_tables netdev
 obj-$(CONFIG_NFT_DUP_NETDEV)   += nft_dup_netdev.o
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
new file mode 100644
index ..b3de90055a6a
--- /dev/null
+++ b/net/netfilter/nft_tproxy.c
@@ -0,0 +1,331 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+#include 
+#endif
+
+struct nft_tproxy {
+   enum nft_registers  sreg_addr:8;
+   enum nft_registers  sreg_port:8;
+   u8  family;
+};
+
+static void nft_tproxy_eval_v4(const struct nft_expr *expr,
+   struct nft_regs *regs,
+   const struct nft_pktinfo *pkt)
+{
+   const struct nft_tproxy *priv = nft_expr_priv(expr);
+   struct sk_buff *skb = pkt->skb;
+   struct sock *sk = skb->sk;
+   const struct iphdr *iph = ip_hdr(skb);
+   struct udphdr _hdr, *hp;
+   __be32 taddr = 0;
+   __be16 tport = 0;
+
+   if (!pkt->tprot_set) {
+   regs->verdict.code = NFT_BREAK;
+   return;
+   }
+
+   hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
+   if (!hp) {
+   regs->verdict.code = NFT_BREAK;
+   return;
+   }
+
+   /* check if there's an ongoing connection on the packet
+* addresses, this happens if the redirect already happened
+* and the current packet belongs to an already established
+* connection */
+   sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, hp, iph->protocol,
+  iph->saddr, iph->daddr,
+  hp->source, hp->dest,
+  skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);
+
+   if (priv->sreg_addr)
+   taddr = regs->data[priv->sreg_addr];
+   taddr = n
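Review bot: nft_tproxy_eval_v4() pulls only sizeof(struct udphdr) bytes with skb_header_pointer() and then hands `hp` to nf_tproxy_get_sock_v4(), which, as the separate nf patch on this list ("nf_tproxy: fix possible non-linear access to transport header") explains, reads it as a struct tcphdr; that patch also removes the `hp` parameter from nf_tproxy_get_sock_v4(), so this call will stop compiling once it is merged and the series should be rebased on it. Two smaller points in the same hunk: `struct sock *sk = skb->sk;` is a dead initialiser, since `sk` is unconditionally overwritten by the lookup a few lines later; and the IPv6 header include is guarded by `IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` while the Kconfig hunk selects NF_TPROXY_IPV6 `if NF_TABLES_IPV6`, so the guard should test the same symbol (or CONFIG_NF_TPROXY_IPV6) to avoid a build where one is set and the other is not.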

Re: [PATCH nft] Add tproxy support

2018-06-29 Thread Máté Eckl
Hi,

I have considered the protocol family specification, and I have a working
implementation for adding rules, but I still miss something for printing them.

What I'd like to achieve is to not print the protocol family in ip/ip6 tables,
but to print it in inet tables.

For example:
table ip x {
chain y {
type filter hook prerouting priority -150; policy accept;
# Now I print this:
ip protocol tcp tproxy ip to 1.1.1.1
# but I'd like this:
ip protocol tcp tproxy to 1.1.1.1
}
}

Is there a way to do this?

Regards,
Máté
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH nft] configure.ac: docbook2man invalid syntax error

2018-06-28 Thread Máté Eckl
On Thu, Jun 28, 2018 at 06:43:40PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 28, 2018 at 06:30:15PM +0200, Florian Westphal wrote:
> > Máté Eckl  wrote:
> > > I don't really know autoconfig, but isn't it possible to prioritize the
> > > alternatives? For example, use docbook2x-man if available; if it is not,
> > > use db2x-docbook2man; if neither of them is present, use docbook2man? And
> > > of course fail if none of them is present.
> > 
> > I think it would be much better to display an error and just continue
> > without building documentation.
> 
> We can also fallback and make a second search for the package in
> ArchLinux too, right?

So we are looking for docbook2x-man or db2x_docbook2man binaries, right?

Btw, which of these are present on Debian/Fedora?

For ArchLinux:
In the official repo there is no binary (nor package) like this.

docbook2x provides the following binaries:
 - usr/bin/db2x_manxml
 - usr/bin/db2x_texixml
 - usr/bin/db2x_xsltproc
 - usr/bin/docbook2man
 - usr/bin/docbook2texi
 - usr/bin/sgml2xml-isoent
 - usr/bin/utf8trans

docbook-utils provides these:
 - usr/bin/db2dvi
 - usr/bin/db2html
 - usr/bin/db2man
 - usr/bin/db2pdf
 - usr/bin/db2ps
 - usr/bin/db2rtf
 - usr/bin/db2tex
 - usr/bin/db2texi
 - usr/bin/db2txt
 - usr/bin/docbook2dvi
 - usr/bin/docbook2html
 - usr/bin/docbook2man
 - usr/bin/docbook2pdf
 - usr/bin/docbook2ps
 - usr/bin/docbook2rtf
 - usr/bin/docbook2tex
 - usr/bin/docbook2texi
 - usr/bin/docbook2txt
 - usr/bin/jw
 - usr/bin/sgmldiff

For other packages related to docbook, see [1], but the rest seems irrelevant.
There is no *db2* package here.

In the Arch User Repository [2] docbook-to-man provides:
./usr/bin
./usr/bin/instant
./usr/bin/docbook-to-man

No other packages seem to be relevant. There are some *db2* packages, but they
are not related to man generation.

[1] https://www.archlinux.org/packages/?sort==docbook
[2] https://aur.archlinux.org/packages/?O=0=docbook


[PATCH nf-next] netfilter: Kconfig: Make NETFILTER_XT_MATCH_SOCKET select NF_SOCKET_IPV4/6 instead of depending on it

2018-06-28 Thread Máté Eckl
Signed-off-by: Máté Eckl 
---
 net/netfilter/Kconfig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 25861340f818..aec182c22020 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1492,8 +1492,8 @@ config NETFILTER_XT_MATCH_SOCKET
depends on NETFILTER_ADVANCED
depends on IPV6 || IPV6=n
depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
-   depends on NF_SOCKET_IPV4
-   depends on NF_SOCKET_IPV6
+   select NF_SOCKET_IPV4
+   select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
select NF_DEFRAG_IPV4
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
help
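Review bot: the commit message is empty apart from the Signed-off-by; the rationale given in the earlier thread on this page ("NF_SOCKET is not good for anything alone, so a dependency is inappropriate") is exactly what should go here. Within the hunk, the two IPv6 selects spell the same condition differently, `if IP6_NF_IPTABLES` for NF_SOCKET_IPV6 and `if IP6_NF_IPTABLES != n` on the unchanged NF_DEFRAG_IPV6 line below it; pick one form. Note also the usual caveat of converting `depends on` to `select`: NF_SOCKET_IPV4/6 are now forced on without Kconfig checking their own dependencies, which is fine only as long as this option's own `depends on` lines cover them.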
-- 
ecklm



[PATCH nf-next] netfilter: Kconfig: Change select dependencies from IPV6 to NF_TABLES_IPV6 and IP6_NF_IPTABLES

2018-06-28 Thread Máté Eckl
In some cases module selects depend on IPV6, but this means that they
select another module even if e.g. NF_TABLES_IPV6 is not set, in which
case the selected module is useless due to the lack of IPv6 nf_tables
functionality.

The same applies for IP6_NF_IPTABLES and iptables.

Signed-off-by: Máté Eckl 
---
 net/netfilter/Kconfig | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index dbd7d1fad277..25861340f818 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -626,7 +626,7 @@ config NFT_SOCKET
tristate "Netfilter nf_tables socket match support"
depends on IPV6 || IPV6=n
select NF_SOCKET_IPV4
-   select NF_SOCKET_IPV6 if IPV6
+   select NF_SOCKET_IPV6 if NF_TABLES_IPV6
help
  This option allows matching for the presence or absence of a
  corresponding socket and its attributes.
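Review bot: keep `depends on IPV6 || IPV6=n` even though the select condition below it moves from IPV6 to NF_TABLES_IPV6: that line is what stops NFT_SOCKET from being built in (y) while IPV6 is modular (m), because the expression evaluates to m in that case and caps the tristate. It is therefore not redundant, which answers the question raised further down this page, and one sentence to that effect in the commit message would save the next reader the same question. The TEE hunk below keeps the same depends line next to `select NF_DUP_IPV6 if IP6_NF_IPTABLES`, and the same reasoning applies there.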
@@ -892,7 +892,7 @@ config NETFILTER_XT_TARGET_LOG
tristate "LOG target support"
select NF_LOG_COMMON
select NF_LOG_IPV4
-   select NF_LOG_IPV6 if IPV6
+   select NF_LOG_IPV6 if IP6_NF_IPTABLES
default m if NETFILTER_ADVANCED=n
help
  This option adds a `LOG' target, which allows you to create rules in
@@ -984,7 +984,7 @@ config NETFILTER_XT_TARGET_TEE
depends on IPV6 || IPV6=n
depends on !NF_CONNTRACK || NF_CONNTRACK
select NF_DUP_IPV4
-   select NF_DUP_IPV6 if IPV6
+   select NF_DUP_IPV6 if IP6_NF_IPTABLES
---help---
This option adds a "TEE" target with which a packet can be cloned and
this clone be rerouted to another nexthop.
-- 
ecklm



Re: [PATCH nf-next] netfilter: Configuration fixes for ip/nftables socket matching

2018-06-28 Thread Máté Eckl
On Thu, Jun 28, 2018 at 12:05:17PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Jun 27, 2018 at 11:58:29PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso  wrote:
> > > On Mon, Jun 18, 2018 at 03:12:51PM +0200, Máté Eckl wrote:
> > > > - NFT_SOCKET selected NF_SOCKET based on the wrong criterion.
> > > >   IPV6 itself does not guarantee that ipv6 functionality is available
> > > >   in nft.
> > > > - NETFILTER_XT_MATCH_SOCKET now selects NF_SOCKET
> > > >   NF_SOCKET is not good for anything alone, so dependency is
> > > >   inappropriate.
> 
> Probably we can remove NF_SOCKET description too, so this is not
> shown. I mean, now that we'll go for "select".

Earlier someone said that if there is no help message, it will not appear in
menuconfig and other configuration tools. But it still does; it only says that
there is no help for it. In this case, I would keep the help text or really make
this (and nf_tproxy_ipv4/6) disappear.

> > > > Signed-off-by: Máté Eckl 
> > > > ---
> > > >  net/netfilter/Kconfig | 6 +++---
> > > >  1 file changed, 3 insertions(+), 3 deletions(-)
> > > > 
> > > > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> > > > index dbd7d1fad277..8abcefb8b418 100644
> > > > --- a/net/netfilter/Kconfig
> > > > +++ b/net/netfilter/Kconfig
> > > > @@ -626,7 +626,7 @@ config NFT_SOCKET
> > > > tristate "Netfilter nf_tables socket match support"
> > > > depends on IPV6 || IPV6=n
> > > > select NF_SOCKET_IPV4
> > > > -   select NF_SOCKET_IPV6 if IPV6
> > > > +   select NF_SOCKET_IPV6 if NF_TABLES_IPV6
> > > 
> > > Are you sure this is needed? I mean, I can see other spots in
> > > net/netfilter/Kconfig following the same approach.
> > 
> > It's not needed but it's a good idea.
> > No point in autoselecting NF_SOCKET_IPV6 in case there is no ipv6
> > nftables support.
> 
> Thanks for explaining.
> 
> Then, we can probably switch other "if IPV6" dependencies in the
> Kconfig file I think, in a single patch.
> 
> Probably this can be done in two separated patches?


[PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-06-28 Thread Máté Eckl
v2:
 - address or port is now compulsory
 - nf_defrag_ipv{4,6}_enable called in init
 - nft_tproxy now selects NF_DEFRAG_IPV4/6
 - Add transport header presence test in ipv4 eval (in ipv6 it was
   already present)
 - Add check for the case when address is specified but the rule family
   is not set accordingly

-- 8< --
A great portion of the code is taken from xt_TPROXY.c

There are some changes compared to the iptables implementation:
 - tproxy statement is not terminal here

Signed-off-by: Máté Eckl 
---
 include/uapi/linux/netfilter/nf_tables.h |  16 ++
 net/netfilter/Kconfig|  10 +
 net/netfilter/Makefile   |   1 +
 net/netfilter/nft_tproxy.c   | 324 +++
 4 files changed, 351 insertions(+)
 create mode 100644 net/netfilter/nft_tproxy.c

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index 89438e68dc03..e58d2b70dde7 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1250,6 +1250,22 @@ enum nft_nat_attributes {
 };
 #define NFTA_NAT_MAX   (__NFTA_NAT_MAX - 1)
 
+/**
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
+ *
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
+ */
+enum nft_tproxy_attributes {
+   NFTA_TPROXY_UNSPEC,
+   NFTA_TPROXY_FAMILY,
+   NFTA_TPROXY_REG_ADDR,
+   NFTA_TPROXY_REG_PORT,
+   __NFTA_TPROXY_MAX
+};
+#define NFTA_TPROXY_MAX(__NFTA_TPROXY_MAX - 1)
+
 /**
  * enum nft_masq_attributes - nf_tables masquerade expression attributes
  *
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 8abcefb8b418..f82237fa449e 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -631,6 +631,16 @@ config NFT_SOCKET
  This option allows matching for the presence or absence of a
  corresponding socket and its attributes.
 
+config NFT_TPROXY
+   tristate "Netfilter nf_tables tproxy support"
+   depends on IPV6 || IPV6=n
+   select NF_DEFRAG_IPV4
+   select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
+   select NF_TPROXY_IPV4
+   select NF_TPROXY_IPV6 if NF_TABLES_IPV6
+   help
+ This makes transparent proxy support available in nftables.
+
 if NF_TABLES_NETDEV
 
 config NF_DUP_NETDEV
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 9389e527..2af51df46d71 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -104,6 +104,7 @@ obj-$(CONFIG_NFT_FIB_INET)  += nft_fib_inet.o
 obj-$(CONFIG_NFT_FIB_NETDEV)   += nft_fib_netdev.o
 obj-$(CONFIG_NF_OSF)   += nf_osf.o
 obj-$(CONFIG_NFT_SOCKET)   += nft_socket.o
+obj-$(CONFIG_NFT_TPROXY)   += nft_tproxy.o
 
 # nf_tables netdev
 obj-$(CONFIG_NFT_DUP_NETDEV)   += nft_dup_netdev.o
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
new file mode 100644
index ..01f1d2aae730
--- /dev/null
+++ b/net/netfilter/nft_tproxy.c
@@ -0,0 +1,324 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+#include 
+#endif
+
+struct nft_tproxy {
+   enum nft_registers  sreg_addr:8;
+   enum nft_registers  sreg_port:8;
+   u8  family;
+};
+
+static void nft_tproxy_eval_v4(const struct nft_expr *expr,
+   struct nft_regs *regs,
+   const struct nft_pktinfo *pkt)
+{
+   const struct nft_tproxy *priv = nft_expr_priv(expr);
+   struct sk_buff *skb = pkt->skb;
+   struct sock *sk = skb->sk;
+   const struct iphdr *iph = ip_hdr(skb);
+   struct udphdr _hdr, *hp;
+   __be32 taddr = 0;
+   __be16 tport = 0;
+
+   if (!pkt->tprot_set) {
+   regs->verdict.code = NFT_BREAK;
+   return;
+   }
+
+   hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
+   if (!hp) {
+   regs->verdict.code = NFT_BREAK;
+   return;
+   }
+
+   /* check if there's an ongoing connection on the packet
+* addresses, this happens if the redirect already happened
+* and the current packet belongs to an already established
+* connection */
+   sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, hp, iph->protocol,
+  iph->saddr, iph->daddr,
+  hp->source, hp->dest,
+  skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);
+
+   if (priv->sreg_addr)
+   taddr = regs->data[priv->sreg_addr];
+   taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr);
+
+   if (priv-

Re: [PATCH nft] configure.ac: docbook2man invalid syntax error

2018-06-28 Thread Máté Eckl
On Thu, Jun 28, 2018 at 02:36:28PM +0200, Eric Leblond wrote:
> Hello,
> 
> On Thu, 2018-06-28 at 12:20 +0200, Máté Eckl wrote:
> > Hi,
> > 
> > It seems that I might be a bit late on this, but could you provide
> > some details on what error occurred with docbook2man being an
> > alternative? I checked out the commit before yours (291f9a3) and I
> > don't get any errors with doc generation (nor had I before my last
> > pull).
> > 
> > On the other hand, ArchLinux seems not to have the executables of the
> > other alternatives (at least not with the same names), so I cannot
> > compile nft now.
> 
> Ok, so this was done for ArchLinux. I did not manage to find an
> operating system where it was working.
> 
> > 
> > I attached the output of the compilation commands run at 291f9a3, I
> > don't see any errors regarding man page generation so I don't
> > understand why this patch is necessary.
> 
> On Fedora and Debian, docbook2man is a wrapper and has a different syntax
> so the command fails.
> 
> > 
> > Maybe if you point out the bug, I can look after it.
> 
> A possible solution is to update configure.ac to check that docbook2man
> (if found) accept the correct option.

I don't really know autoconfig, but isn't it possible to prioritize the
alternatives? For example, use docbook2x-man if available; if it is not, use
db2x-docbook2man; if neither of them is present, use docbook2man? And of course
fail if none of them is present.

> 
> BR,
> --
> Eric
> 
> > 
> > Regards,
> > Máté
> > 
> > On Mon, Jun 18, 2018 at 02:17:47PM +0200, Eric Leblond wrote:
> > > docbook2man cannot be used with the same option so let's remove
> > > it from the alternatives. Fedora and Debian seem to be fine with
> > > that.
> > > ---
> > >  configure.ac | 9 +++--
> > >  1 file changed, 3 insertions(+), 6 deletions(-)
> > > 
> > > diff --git a/configure.ac b/configure.ac
> > > index 2a19733..88f0d74 100644
> > > --- a/configure.ac
> > > +++ b/configure.ac
> > > @@ -56,14 +56,11 @@ AM_PROG_LIBTOOL
> > >  
> > >  AM_COND_IF([BUILD_MAN], [
> > >   AC_CHECK_PROG(DOCBOOK2X_MAN, [docbook2x-man], [docbook2x-
> > > man], [no])
> > > - AC_CHECK_PROG(DOCBOOK2MAN, [docbook2man], [docbook2man],
> > > [no])
> > >   AC_CHECK_PROG(DB2X_DOCBOOK2MAN, [db2x_docbook2man],
> > > [db2x_docbook2man], [no])
> > >   AS_IF([test "$DOCBOOK2X_MAN" != "no"],
> > > [DB2MAN="$DOCBOOK2X_MAN"],
> > > -   [AS_IF([test "$DOCBOOK2MAN" != "no"],
> > > [DB2MAN="$DOCBOOK2MAN"],
> > > -  [AS_IF([test "$DB2X_DOCBOOK2MAN" != "no"],
> > > - [DB2MAN="$DB2X_DOCBOOK2MAN"],
> > > - [AC_MSG_ERROR([docbook2x-
> > > man/db2x_docbook2man not found, required for building man pages])]
> > > -  )]
> > > +  [AS_IF([test "$DB2X_DOCBOOK2MAN" != "no"],
> > > + [DB2MAN="$DB2X_DOCBOOK2MAN --xinclude"],
> > > + [AC_MSG_ERROR([docbook2x-man/db2x_docbook2man
> > > not found, required for building man pages])]
> > >)]
> > >   )
> > >   AC_SUBST(DB2MAN)
> > > -- 
> > > 2.17.1
> > > 
> -- 
> Eric Leblond 


[PATCH v2 nf] netfilter: nf_tproxy: fix possible non-linear access to transport header

2018-06-28 Thread Máté Eckl
This patch fixes a silent out-of-bound read possibility that was present
because of the misuse of this function.

Mostly it was called with a struct udphdr *hp which had only the udphdr
part linearized by skb_header_pointer; however, nf_tproxy_get_sock_v{4,6}
uses it as a tcphdr pointer, so some reads of TCP-specific attributes may
be invalid.

Fixes: a583636a83ea ("inet: refactor inet[6]_lookup functions to take skb")
Signed-off-by: Máté Eckl 
---
 include/net/netfilter/nf_tproxy.h   |  4 ++--
 net/ipv4/netfilter/nf_tproxy_ipv4.c | 15 ++-
 net/ipv6/netfilter/nf_tproxy_ipv6.c | 15 ++-
 net/netfilter/xt_TPROXY.c   |  8 
 4 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/include/net/netfilter/nf_tproxy.h 
b/include/net/netfilter/nf_tproxy.h
index 9754a50ecde9..4cc64c8446eb 100644
--- a/include/net/netfilter/nf_tproxy.h
+++ b/include/net/netfilter/nf_tproxy.h
@@ -64,7 +64,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff 
*skb,
  * belonging to established connections going through that one.
  */
 struct sock *
-nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
+nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
  const u8 protocol,
  const __be32 saddr, const __be32 daddr,
  const __be16 sport, const __be16 dport,
@@ -103,7 +103,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int 
tproto, int thoff,
struct sock *sk);
 
 struct sock *
-nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void 
*hp,
+nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
  const u8 protocol,
  const struct in6_addr *saddr, const struct in6_addr 
*daddr,
  const __be16 sport, const __be16 dport,
diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c 
b/net/ipv4/netfilter/nf_tproxy_ipv4.c
index 805e83ec3ad9..507b5a235ce0 100644
--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
+++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
@@ -37,7 +37,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff 
*skb,
 * to a listener socket if there's one */
struct sock *sk2;
 
-   sk2 = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,
+   sk2 = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
iph->saddr, laddr ? laddr : 
iph->daddr,
hp->source, lport ? lport : 
hp->dest,
skb->dev, 
NF_TPROXY_LOOKUP_LISTENER);
@@ -71,24 +71,29 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 
user_laddr, __be32 daddr)
 EXPORT_SYMBOL_GPL(nf_tproxy_laddr4);
 
 struct sock *
-nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
+nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
  const u8 protocol,
  const __be32 saddr, const __be32 daddr,
  const __be16 sport, const __be16 dport,
  const struct net_device *in,
  const enum nf_tproxy_lookup_t lookup_type)
 {
+   struct tcphdr _hdr, *hp;
struct sock *sk;
-   struct tcphdr *tcph;
+
+   hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
+   if (hp == NULL) {
+   WARN_ON_ONCE(1);
+   return NULL;
+   }
 
switch (protocol) {
case IPPROTO_TCP:
switch (lookup_type) {
case NF_TPROXY_LOOKUP_LISTENER:
-   tcph = hp;
sk = inet_lookup_listener(net, _hashinfo, skb,
ip_hdrlen(skb) +
- __tcp_hdrlen(tcph),
+ __tcp_hdrlen(hp),
saddr, sport,
daddr, dport,
in->ifindex, 0);
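Review bot: the new skb_header_pointer() pull is sized sizeof(struct tcphdr), 20 bytes, regardless of `protocol`, so a UDP datagram with fewer than 12 bytes of payload now fails the pull, hits WARN_ON_ONCE(1) and returns NULL; that is a behaviour change for legitimate short UDP traffic and a kernel warning that ordinary packets can trigger. Pull the TCP header only inside the IPPROTO_TCP case, where `__tcp_hdrlen(hp)` is the one field that actually needs it, and keep the UDP path at sizeof(struct udphdr); a too-short packet should simply return NULL without the WARN, since callers already treat NULL as "no socket". Style nit on the same lines: the netfilter tree writes `if (!hp)` rather than `if (hp == NULL)`.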
diff --git a/net/ipv6/netfilter/nf_tproxy_ipv6.c 
b/net/ipv6/netfilter/nf_tproxy_ipv6.c
index bf1d6c421e3b..397b6e5e435e 100644
--- a/net/ipv6/netfilter/nf_tproxy_ipv6.c
+++ b/net/ipv6/netfilter/nf_tproxy_ipv6.c
@@ -55,7 +55,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, 
int thoff,
 * to a listener socket if there's one */
struct sock *sk2;
 
-   sk2 = nf_tproxy_get_sock_v6(net, skb, thoff, hp, tproto,
+   sk2 = nf_tproxy_get_sock_v6(net, skb, thoff, tproto,
>saddr,
nf_tproxy_laddr6(skb, laddr, 
>daddr),
hp->source,
@@ -72,23 +72,28 @@ nf_tproxy_handle_time_wa
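The over-read that the commit message above describes, as a userland model added here for illustration; it is not code from the patch or from the kernel. skb_header_pointer() is replaced by a header_pointer() stand-in over a plain byte array, the struct and constant names (udp_hdr, tcp_hdr, PROTO_TCP, HDR_OVERREAD and so on) are the example's own, and the three packets are constructed. lookup_before_fix() mirrors the pre-patch shape (validate a UDP header, then read TCP fields through the same pointer) and reports the over-read instead of performing it; lookup_after_fix() pulls the number of bytes the lookup for that protocol actually reads, which is the protocol-sized variant suggested in review rather than the patch exactly as posted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PROTO_TCP = 6, PROTO_UDP = 17 };                 /* IP protocol numbers */
enum { HDR_OK = 0, HDR_TOO_SHORT = -1, HDR_OVERREAD = -2 };

struct udp_hdr { uint16_t source, dest, len, check; };  /* 8 bytes */
struct tcp_hdr {
    uint16_t source, dest;
    uint32_t seq, ack_seq;
    uint8_t  doff_res;   /* data offset, in 32-bit words, in the high nibble */
    uint8_t  flags;
    uint16_t window, check, urg_ptr;
};                                                      /* 20 bytes */

/* Stand-in for skb_header_pointer(): copy `len` bytes at `offset` into
 * `buf` and return it, or NULL when the packet does not hold that many. */
static void *header_pointer(const uint8_t *pkt, size_t pkt_len,
                            size_t offset, size_t len, void *buf)
{
    if (offset > pkt_len || len > pkt_len - offset)
        return NULL;
    memcpy(buf, pkt + offset, len);
    return buf;
}

static size_t tcp_hdrlen(const struct tcp_hdr *th)
{
    return (size_t)(th->doff_res >> 4) * 4;
}

/* Pre-fix shape: only sizeof(struct udp_hdr) bytes are validated, yet the
 * socket lookup reads TCP fields through the same pointer. The over-read is
 * detected and reported rather than performed. Returns the offset at which
 * the transport header ends (the lookup's doff), or a negative HDR_ code. */
static long lookup_before_fix(const uint8_t *pkt, size_t pkt_len, size_t ihl,
                              uint8_t proto)
{
    struct udp_hdr _hdr, *hp;

    hp = header_pointer(pkt, pkt_len, ihl, sizeof(_hdr), &_hdr);
    if (!hp)
        return HDR_TOO_SHORT;
    /* doff lives at byte 12 of a TCP header: beyond the 8 validated bytes,
     * whatever the real packet length happens to be */
    if (proto == PROTO_TCP && offsetof(struct tcp_hdr, doff_res) >= sizeof(_hdr))
        return HDR_OVERREAD;
    return (long)(ihl + sizeof(_hdr));
}

/* Fixed shape: pull exactly what the lookup for this protocol reads, and
 * sanity-check the TCP data offset before trusting it (the doff check is
 * this example's addition, not part of the patch). */
static long lookup_after_fix(const uint8_t *pkt, size_t pkt_len, size_t ihl,
                             uint8_t proto)
{
    union { struct tcp_hdr tcp; struct udp_hdr udp; } _hdr;
    size_t need = (proto == PROTO_TCP) ? sizeof(_hdr.tcp) : sizeof(_hdr.udp);

    if (!header_pointer(pkt, pkt_len, ihl, need, &_hdr))
        return HDR_TOO_SHORT;
    if (proto == PROTO_TCP) {
        size_t doff = tcp_hdrlen(&_hdr.tcp);
        if (doff < sizeof(_hdr.tcp) || doff > pkt_len - ihl)
            return HDR_TOO_SHORT;   /* data offset points outside the packet */
        return (long)(ihl + doff);
    }
    return (long)(ihl + sizeof(_hdr.udp));
}

/* Constructed sample packets: a 20-byte IPv4 header (IHL = 5) followed by
 * the transport header; only the protocol byte at offset 9 matters here. */
#define IPV4_HDR_LEN 20
#define IPV4_HDR(proto) 0x45,0,0,0, 0,0,0x40,0, 64,(proto),0,0, 10,0,0,1, 10,0,0,2
static const uint8_t pkt_tcp_full[] = {   /* complete 20-byte SYN, doff = 5 */
    IPV4_HDR(PROTO_TCP),
    0x1f,0x90, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
static const uint8_t pkt_tcp_short[] = {  /* TCP segment cut after 8 bytes */
    IPV4_HDR(PROTO_TCP),
    0x1f,0x90, 0x00,0x50, 0,0,0,0 };
static const uint8_t pkt_udp[] = {        /* empty UDP datagram, 8-byte header */
    IPV4_HDR(PROTO_UDP),
    0x1f,0x90, 0x00,0x35, 0x00,0x08, 0,0 };

int main(void)
{
    printf("full TCP segment:  before=%ld after=%ld\n",
           lookup_before_fix(pkt_tcp_full, sizeof pkt_tcp_full, IPV4_HDR_LEN, PROTO_TCP),
           lookup_after_fix(pkt_tcp_full, sizeof pkt_tcp_full, IPV4_HDR_LEN, PROTO_TCP));
    printf("short TCP segment: before=%ld after=%ld\n",
           lookup_before_fix(pkt_tcp_short, sizeof pkt_tcp_short, IPV4_HDR_LEN, PROTO_TCP),
           lookup_after_fix(pkt_tcp_short, sizeof pkt_tcp_short, IPV4_HDR_LEN, PROTO_TCP));
    printf("empty UDP datagram: before=%ld after=%ld\n",
           lookup_before_fix(pkt_udp, sizeof pkt_udp, IPV4_HDR_LEN, PROTO_UDP),
           lookup_after_fix(pkt_udp, sizeof pkt_udp, IPV4_HDR_LEN, PROTO_UDP));
    return 0;
}
```

Run stand-alone it prints, per packet, the offset at which the transport header ends or a negative HDR_ code. The short TCP segment is the case that was read past the validated bytes before the fix and is cleanly rejected after it; the empty UDP datagram is the case a fixed 20-byte pull would wrongly reject, which is why the pull is sized by protocol here.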

Re: [PATCH nf|nf-next] netfilter: Refactor nf_tproxy_get_sock_v{4,6}

2018-06-28 Thread Máté Eckl
On Wed, Jun 27, 2018 at 05:10:02PM +0200, Pablo Neira Ayuso wrote:
> Hi,
> 
> On Sun, Jun 24, 2018 at 03:03:07PM +0200, Máté Eckl wrote:
> > This patch fixes a silent out-of-bound read possibility that was present
> > because of the misuse of this function.
> 
> This is a bit confusing. Subject says this is a refactoring, but this
> seems not be a clean up, but actually fixing up something.

Yes, it is a fix indeed, sorry.

> 
> > Mostly it was called with a struct udphdr *hp which had only the udphdr
> > part linearized by the skb_header_pointer, however
> > nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads for
> > tcp specific attributes may be invalid.
> 
> I think we should rename title to something like:
> 
> netfilter: nf_tproxy: possible non-linear access to transport header
> 
> A "Fixes:" tag would be good? Is this a new bug or it has been
> introduced by your recent changes?

This code seems to date back to a583636a83ea in 2016. I'll add this to the
commit message.

> I think we should get this through nf.git, then you will have to wait
> a bit to see how this dependency propagates to nf-next.git.
> 
> Another cosmetic comment below.
> 
> > Signed-off-by: Máté Eckl 
> > ---
> >  include/net/netfilter/nf_tproxy.h   |  4 ++--
> >  net/ipv4/netfilter/nf_tproxy_ipv4.c | 15 ++-
> >  net/ipv6/netfilter/nf_tproxy_ipv6.c | 15 ++-
> >  net/netfilter/xt_TPROXY.c   |  8 
> >  4 files changed, 26 insertions(+), 16 deletions(-)
> > 
> > diff --git a/include/net/netfilter/nf_tproxy.h 
> > b/include/net/netfilter/nf_tproxy.h
> > index 9754a50ecde9..4cc64c8446eb 100644
> > --- a/include/net/netfilter/nf_tproxy.h
> > +++ b/include/net/netfilter/nf_tproxy.h
> > @@ -64,7 +64,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct 
> > sk_buff *skb,
> >   * belonging to established connections going through that one.
> >   */
> >  struct sock *
> > -nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
> > +nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
> >   const u8 protocol,
> >   const __be32 saddr, const __be32 daddr,
> >   const __be16 sport, const __be16 dport,
> > @@ -103,7 +103,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int 
> > tproto, int thoff,
> > struct sock *sk);
> >  
> >  struct sock *
> > -nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, 
> > void *hp,
> > +nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
> >   const u8 protocol,
> >   const struct in6_addr *saddr, const struct in6_addr 
> > *daddr,
> >   const __be16 sport, const __be16 dport,
> > diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c 
> > b/net/ipv4/netfilter/nf_tproxy_ipv4.c
> > index 805e83ec3ad9..efbec3b2ad25 100644
> > --- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
> > +++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
> > @@ -37,7 +37,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct 
> > sk_buff *skb,
> >  * to a listener socket if there's one */
> > struct sock *sk2;
> >  
> > -   sk2 = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,
> > +   sk2 = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
> > iph->saddr, laddr ? laddr : 
> > iph->daddr,
> > hp->source, lport ? lport : 
> > hp->dest,
> > skb->dev, 
> > NF_TPROXY_LOOKUP_LISTENER);
> > @@ -71,7 +71,7 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 
> > user_laddr, __be32 daddr)
> >  EXPORT_SYMBOL_GPL(nf_tproxy_laddr4);
> >  
> >  struct sock *
> > -nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
> > +nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
> >   const u8 protocol,
> >   const __be32 saddr, const __be32 daddr,
> >   const __be16 sport, const __be16 dport,
> > @@ -79,16 +79,21 @@ nf_tproxy_get_sock_v4(struct net *net, struct sk_buff 
> > *skb, void *hp,
> >   const enum nf_tproxy_lookup_t lookup_type)
> >  {
> > struct sock *sk;
> > -   struct tcphdr *tcph;
> > +   struct tcphdr _hdr, *hp;
> 
> While you're updating this code, variable definitions in this form are
> preferred:
> 
>   struct tcphdr _hdr, *hp;
>   struct sock *sk;
> 
> Larger line of code first.
> 
> Please, revamp and send v2.
> 
> Thanks Máté.


Re: [PATCH nf-next] netfilter: Configuration fixes for ip/nftables socket matching

2018-06-28 Thread Máté Eckl
On Thu, Jun 28, 2018 at 12:05:17PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Jun 27, 2018 at 11:58:29PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso  wrote:
> > > On Mon, Jun 18, 2018 at 03:12:51PM +0200, Máté Eckl wrote:
> > > > - NFT_SOCKET selected NF_SOCKET based on the wrong criterion.
> > > >   IPV6 itself does not guarantee that ipv6 functionality is available
> > > >   in nft.
> > > > - NETFILTER_XT_MATCH_SOCKET now selects NF_SOCKET
> > > >   NF_SOCKET is not good for anything alone, so dependency is
> > > >   inappropriate.
> 
> Probably we can remove NF_SOCKET description too, so this is not
> shown. I mean, now that we'll go for "select".
> 
> > > > Signed-off-by: Máté Eckl 
> > > > ---
> > > >  net/netfilter/Kconfig | 6 +++---
> > > >  1 file changed, 3 insertions(+), 3 deletions(-)
> > > > 
> > > > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> > > > index dbd7d1fad277..8abcefb8b418 100644
> > > > --- a/net/netfilter/Kconfig
> > > > +++ b/net/netfilter/Kconfig
> > > > @@ -626,7 +626,7 @@ config NFT_SOCKET
> > > > tristate "Netfilter nf_tables socket match support"
> > > > depends on IPV6 || IPV6=n
> > > > select NF_SOCKET_IPV4
> > > > -   select NF_SOCKET_IPV6 if IPV6
> > > > +   select NF_SOCKET_IPV6 if NF_TABLES_IPV6
> > > 
> > > Are you sure this is needed? I mean, I can see other spots in
> > > net/netfilter/Kconfig following the same approach.
> > 
> > It's not needed but it's a good idea.
> > No point in autoselecting NF_SOCKET_IPV6 in case there is no ipv6
> > nftables support.

Yes, it was more of a clarification than a fix, I'll amend the title.

> 
> Thanks for explaining.
> 
> Then, we can probably switch other "if IPV6" dependencies in the
> Kconfig file I think, in a single patch.

Ok, I'll look after similar cases. This seems to be useful for XT_* and NFT
modules as they both have a separate IPv6 support module (NF_TABLES_IPV6 and
IP6_NF_IPTABLES).

As we already do this: are those IPV6 || IPV6=n dependencies really meaningful?
It is always true. If they are, they might also be updated to NF_TABLES_IPV6 ||
NF_TABLES_IPV6=n and similarly with IP6_NF_IPTABLES, don't you think?

> Probably this can be done in two separated patches?


Re: [PATCH nft] configure.ac: docbook2man invalid syntax error

2018-06-28 Thread Máté Eckl
Hi,

It seems that I might be a bit late on this, but could you provide some details
on what error occurred with docbook2man being an alternative?
I checked out the commit before yours (291f9a3) and I don't get any errors with
doc generation (nor had I before my last pull).

On the other hand, ArchLinux seems not to have the executables of the other
alternatives (at least not with the same names), so I cannot compile nft now.

I attached the output of the compilation commands run at 291f9a3, I don't see
any errors regarding man page generation so I don't understand why this patch is
necessary.

Maybe if you point out the bug, I can look after it.

Regards,
Máté

On Mon, Jun 18, 2018 at 02:17:47PM +0200, Eric Leblond wrote:
> docbook2man cannot be used with the same option so let's remove
> it from the alternatives. Fedora and Debian seem to be fine with
> that.
> ---
>  configure.ac | 9 +++--
>  1 file changed, 3 insertions(+), 6 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 2a19733..88f0d74 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -56,14 +56,11 @@ AM_PROG_LIBTOOL
>  
>  AM_COND_IF([BUILD_MAN], [
>   AC_CHECK_PROG(DOCBOOK2X_MAN, [docbook2x-man], [docbook2x-man], [no])
> - AC_CHECK_PROG(DOCBOOK2MAN, [docbook2man], [docbook2man], [no])
>   AC_CHECK_PROG(DB2X_DOCBOOK2MAN, [db2x_docbook2man], [db2x_docbook2man], 
> [no])
>   AS_IF([test "$DOCBOOK2X_MAN" != "no"], [DB2MAN="$DOCBOOK2X_MAN"],
> -   [AS_IF([test "$DOCBOOK2MAN" != "no"], [DB2MAN="$DOCBOOK2MAN"],
> -  [AS_IF([test "$DB2X_DOCBOOK2MAN" != "no"],
> - [DB2MAN="$DB2X_DOCBOOK2MAN"],
> - [AC_MSG_ERROR([docbook2x-man/db2x_docbook2man not 
> found, required for building man pages])]
> -  )]
> +  [AS_IF([test "$DB2X_DOCBOOK2MAN" != "no"],
> + [DB2MAN="$DB2X_DOCBOOK2MAN --xinclude"],
> + [AC_MSG_ERROR([docbook2x-man/db2x_docbook2man not found, 
> required for building man pages])]
>)]
>   )
>   AC_SUBST(DB2MAN)
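Review bot: the remaining fallback branch also changes what DB2MAN is set to, from `[DB2MAN="$DB2X_DOCBOOK2MAN"]` to `[DB2MAN="$DB2X_DOCBOOK2MAN --xinclude"]`, which the commit message (dropping docbook2man from the alternatives) does not mention; either document why db2x_docbook2man now needs `--xinclude` or split that into its own patch so the behaviour change is visible in history.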
> -- 
> 2.17.1
> 
$ sh autogen.sh && ./configure --prefix=/usr --sbindir=/usr/bin 
--sysconfdir=/etc && make -j8
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:54: installing 'build-aux/ar-lib'
configure.ac:34: installing 'build-aux/compile'
configure.ac:55: installing 'build-aux/config.guess'
configure.ac:55: installing 'build-aux/config.sub'
configure.ac:6: installing 'build-aux/install-sh'
configure.ac:6: installing 'build-aux/missing'
src/Makefile.am: installing 'build-aux/depcomp'
configure.ac: installing 'build-aux/ylwrap'
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking how to create a pax tar archive... gnutar
checking whether make supports nested variables... (cached) yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /usr/bin/sed
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
checking for bison... bison -y
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... (cached) /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name 

Re: [PATCH nft] evaluate: Detect address family in inet context

2018-06-26 Thread Máté Eckl
Hi Pablo,

Could we make things clear about this discussion? I think we have some
misunderstandings, and I am certainly unaware of some concerns you are trying to
enforce.

How about discussing them one by one?


= Detect or specify address family in tproxy command =

I submitted a patch to detect the address family in evaluate_addr in case the
table is INET and print an error if table is not IPV4, IPV6 or INET.

Do you disagree with this solution in general or only in case of tproxy?

In general, I think it is better to have explicit checks here, as the error
message generated by the current solution may be misleading in a situation like
mine (basically every time one tries to evaluate an IPv4 address in a rule in an
inet table).

Regarding family detection, you say family should be specified in the rule in
case the table is inet. Do you say this because of UX or technical reasons?

I think, the technical part can easily be covered (as I do in
stmt_evaluate_tproxy) by setting a family attribute after a successful
evaluation and sending it to the kernel. As a consequence the family of the rule
match is not ambiguous technically.

The UX part is more subjective by nature. In my opinion, if a user specifies an
IPv4 address he/she expects that it will match IPv4 packets, and the same
with IPv6. Therefore my intention is to leave explicit specification out.
Do you think it is not this obvious?

In the tproxy case, the kernel will receive a family attribute with the value of
IPV4 or IPV6 in case an address is specified, so it will not be necessary to
generate an ip dependency for an ipv6 rule (although I don't think I generate any
dependency explicitly), and this information is used for matching, so the kernel
has sufficient information about the family of the rule.


= Dependency =

You mentioned some kind of dependency in some of your emails, but I don't know
what you think of. Could you describe what a dependency is in this context? Is
it in user- or kernelspace?

For ip/ip6/inet tables, isn't it the default to process *only* packets with an
IPv4 or IPv6 header? If it is the default, I don't understand why any other
dependency should be generated; I can just check the family of the packet
against the family of the rule, can't I?

You bring bridge/netdev as examples, but tproxy is not supported in these tables
(refused from nft_tproxy_init in the kernel), so I don't see why we should
consider them. Regarding the address family detection, the evaluate_addr
function only cares about L3 addresses so bridge/netdev seems to be irrelevant
here, too.


= Kernel, address family check =

You had a comment in an email which I still don't really understand.

> I think your kernel patch is also lacking this, and a custom userspace
> program may add a tproxy expression to deal with IPV6 traffic, which
> may result in crashing the kernel.

Do you mean that a program can add an expression with an IPv6 address with a
family of NFPROTO_IPV4? Then I suppose the nft_validate_register_load should
return error in the init function, shouldn't it?

Do you mean that address may be specified whereas tproxy family is left on
default? Yes, this was possible, I added a check for this in my v2 patch.

Do you mean that an IPv6 packet can be passed to the IPv4 evaluation function?
Your code snippet seems to be related to this. It examined whether the L3 header
is an IP header, but it really seems to be the same as what I do (at least in
ip/ip6/inet tables). I compare the packet's family (from nft_pf()) and the
tproxy family, and I pass the packet to the v4 or v6 eval function respectively.
The L3 header should be present, so this should work securely with such a
strict init function.

If none of these, could you please define the scenario with more details? At
which point do you think my code is vulnerable, and what is a scenario?


I hope I grabbed the important points to make this situation clear.
It would be nice if you could reply to all these notes and questions as I am
confused about what we disagree on right now.

Regards,
Máté
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH] build: abandon KERNEL_INCLUDES variable

2018-06-26 Thread Máté Eckl
Hi,

Isn't it an option to add these includes to the CFLAGS variable, so that it
would be less redundant?

There is another comment below.

Máté

On Tue, Jun 26, 2018 at 08:21:30AM +0200, Jan Engelhardt wrote:
> Since UAPI headers are shipped since commit
> ebtables-2.0.10-4-8-gf4bdc80, "-Iinclude" must always be used ever
> since. Remove the KERNEL_INCLUDES make variable for good.
> 
> Signed-off-by: Jan Engelhardt 
> ---
>  INSTALL   |  4 ++--
>  Makefile  | 34 --
>  examples/ulog/test_ulog.c |  2 +-
>  extensions/Makefile   |  4 ++--
>  4 files changed, 21 insertions(+), 23 deletions(-)
> 
> diff --git a/INSTALL b/INSTALL
> index e90d5c1..b94beeb 100644
> --- a/INSTALL
> +++ b/INSTALL
> @@ -8,7 +8,7 @@ Put the files in the right directories:
>  
>  If you are using the CVS code or need your own kernel includes, do this
>  instead (change the include directory to the appropriate one):
> -%make install KERNEL_INCLUDES=/usr/src/linux/include
> +%make install
>  
>  If you want to make a static binary for ebtables, containing all the
>  extensions, without shared libraries, do this (this will make a
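Review bot: the sentence kept as context above the changed line, "If you are using the CVS code or need your own kernel includes, do this instead (change the include directory to the appropriate one):", no longer makes sense once the command is a plain `%make install` with no include directory to change; update or drop that paragraph in the same patch so INSTALL does not describe a knob that no longer exists.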
> @@ -50,7 +50,7 @@ Contains an example to receive and parse netlink messages 
> containing
>  packets seen by the ebtables ulog watcher.
>  
>  Compile with:
> -%make test_ulog KERNEL_INCLUDES=/usr/src/linux/include
> +%make test_ulog
>  
>  Usage:
>  %examples/ulog/test_ulog NETLINK_GROUP
> diff --git a/Makefile b/Makefile
> index c1106a4..f7680b6 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -32,8 +32,6 @@ useful_functions.o ebtables.o
>  
>  OBJECTS:=$(OBJECTS2) $(EXT_OBJS) $(EXT_LIBS)
>  
> -KERNEL_INCLUDES?=include/
> -
>  ETHERTYPESPATH?=$(ETCDIR)
>  ETHERTYPESFILE:=$(ETHERTYPESPATH)/ethertypes
>  
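Review bot: removing the `KERNEL_INCLUDES?=include/` default means a `make KERNEL_INCLUDES=/some/path` given on the command line is now silently ignored rather than rejected; since the commit message says the variable is removed "for good", a one-line note there (or in INSTALL) that the override has no effect any more would save packagers a confusing build.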
> @@ -69,45 +67,45 @@ PROGSPECSD:=-DPROGVERSION=\"$(PROGVERSION)\" \
>  all: ebtables ebtables-restore
>  
>  communication.o: communication.c include/ebtables_u.h
> - $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< 
> -I$(KERNEL_INCLUDES)
> + $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< -Iinclude/
>  
>  libebtc.o: libebtc.c include/ebtables_u.h
> - $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< 
> -I$(KERNEL_INCLUDES)
> + $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< -Iinclude/
>  
>  useful_functions.o: useful_functions.c include/ebtables_u.h
> - $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< 
> -I$(KERNEL_INCLUDES)
> + $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< -Iinclude/
>  
>  getethertype.o: getethertype.c include/ethernetdb.h
>   $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< -Iinclude/
>  
>  ebtables.o: ebtables.c include/ebtables_u.h
> - $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< 
> -I$(KERNEL_INCLUDES)
> + $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c -o $@ $< -Iinclude/
>  
>  ebtables-standalone.o: ebtables-standalone.c include/ebtables_u.h
> - $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c $< -o $@ 
> -I$(KERNEL_INCLUDES)
> + $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(PROGSPECS) -c $< -o $@ -Iinclude/
>  
>  libebtc.so: $(OBJECTS2)
>   $(CC) -shared $(LDFLAGS) -Wl,-soname,libebtc.so -o libebtc.so -lc 
> $(OBJECTS2)
>  
>  ebtables: $(OBJECTS) ebtables-standalone.o libebtc.so
> - $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(LDFLAGS) -o $@ ebtables-standalone.o 
> -I$(KERNEL_INCLUDES) -L. -Lextensions -lebtc $(EXT_LIBSI) \
> + $(CC) $(CFLAGS) $(CFLAGS_SH_LIB) $(LDFLAGS) -o $@ ebtables-standalone.o 
> -Iinclude/ -L. -Lextensions -lebtc $(EXT_LIBSI) \
>   -Wl,-rpath,$(LIBDIR)
>  
>  ebtablesu: ebtablesu.c
>   $(CC) $(CFLAGS) $(PROGSPECSD) $< -o $@
>  
>  ebtablesd.o: ebtablesd.c include/ebtables_u.h
> - $(CC) $(CFLAGS) $(PROGSPECSD) -c $< -o $@  -I$(KERNEL_INCLUDES)
> + $(CC) $(CFLAGS) $(PROGSPECSD) -c $< -o $@  -Iinclude/
>  
>  ebtablesd: $(OBJECTS) ebtablesd.o libebtc.so
> - $(CC) $(CFLAGS) -o $@ ebtablesd.o -I$(KERNEL_INCLUDES) -L. -Lextensions 
> -lebtc $(EXT_LIBSI) \
> + $(CC) $(CFLAGS) -o $@ ebtablesd.o -Iinclude/ -L. -Lextensions -lebtc 
> $(EXT_LIBSI) \
>   -Wl,-rpath,$(LIBDIR)
>  
>  ebtables-restore.o: ebtables-restore.c include/ebtables_u.h
> - $(CC) $(CFLAGS) $(PROGSPECS) -c $< -o $@  -I$(KERNEL_INCLUDES)
> + $(CC) $(CFLAGS) $(PROGSPECS) -c $< -o $@  -Iinclude/
>  
>  ebtables-restore: $(OBJECTS) ebtables-restore.o libebtc.so
> - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ ebtables-restore.o 
> -I$(KERNEL_INCLUDES) -L. -Lextensions -lebtc $(EXT_LIBSI) \
> + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ ebtables-restore.o -Iinclude/ -L. 
> -Lextensions -lebtc $(EXT_LIBSI) \
>   -Wl,-rpath,$(LIBDIR)
>  
>  .PHONY: daemon
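Review bot: the same literal `-Iinclude/` is now repeated in every compile rule, and it is also passed in the pure link rules (`ebtables:`, `ebtablesd:`, `ebtables-restore:`, which only link `.o` files against `-lebtc`), where an include path is a no-op; folding `-Iinclude/` into CFLAGS once and dropping it from the link lines would make the hunk smaller and leave a single place to change later.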
> @@ -136,7 +134,7 @@ static: extensions/ebt_*.c extensions/ebtable_*.c 
> ebtables.c communication.c ebt
>   printf "extern void %s();\n" _t_$${arg}_init >> include/ebtables_u.h ; \
>   done ; \
>   printf "\n\tpseudomain(argc, 

Re: [PATCH nft] evaluate: Detect address family in inet context

2018-06-24 Thread Máté Eckl
On Fri, Jun 22, 2018 at 11:53:44AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jun 22, 2018 at 11:45:12AM +0200, Máté Eckl wrote:
> [...]
> > > if (skb->protocol != htons(ETH_P_IP))
> > > ... break verdict ...
> >
> > > which is actually needed for safety reasons.
> > 
> > This is something that should appear in the eval function right?
> 
> Also in the kernel for safety reasons.

I meant the kernel eval function (which evaluates packets against rules).

> > Isn't it the same as what I added there?
> 
> This is needed because someone may use the raw kernel netlink
> interface (not libnftnl / nftables) to generate an incorrect
> combination such as allow IPv6 to be passed to tproxy in IPV4 mode
> which may crash the kernel.
> 
> Well, it may be just result in a packet drop, but better be safe than
> sorry.

The code snippet included in my previous email was also from the kernel code
and it seems to provide the same check as the 'if' you suggested.


[PATCH nf|nf-next] netfilter: Refactor nf_tproxy_get_sock_v{4,6}

2018-06-24 Thread Máté Eckl
This patch fixes a silent out-of-bounds read possibility that was present
because of the misuse of this function.

Mostly it was called with a struct udphdr *hp which had only the udphdr
part linearized by skb_header_pointer; however,
nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads of
TCP-specific attributes may be invalid.

Signed-off-by: Máté Eckl 
---
 include/net/netfilter/nf_tproxy.h   |  4 ++--
 net/ipv4/netfilter/nf_tproxy_ipv4.c | 15 ++-
 net/ipv6/netfilter/nf_tproxy_ipv6.c | 15 ++-
 net/netfilter/xt_TPROXY.c   |  8 
 4 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/include/net/netfilter/nf_tproxy.h 
b/include/net/netfilter/nf_tproxy.h
index 9754a50ecde9..4cc64c8446eb 100644
--- a/include/net/netfilter/nf_tproxy.h
+++ b/include/net/netfilter/nf_tproxy.h
@@ -64,7 +64,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff 
*skb,
  * belonging to established connections going through that one.
  */
 struct sock *
-nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
+nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
  const u8 protocol,
  const __be32 saddr, const __be32 daddr,
  const __be16 sport, const __be16 dport,
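Review bot: the v4 prototype loses `void *hp`, but the comment block right above it (ending "belonging to established connections going through that one") still describes the old contract; add a sentence there stating that the function now fetches the transport header itself with skb_header_pointer(), so callers only have to guarantee a valid IP header.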
@@ -103,7 +103,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int 
tproto, int thoff,
struct sock *sk);
 
 struct sock *
-nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void 
*hp,
+nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
  const u8 protocol,
  const struct in6_addr *saddr, const struct in6_addr 
*daddr,
  const __be16 sport, const __be16 dport,
diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c 
b/net/ipv4/netfilter/nf_tproxy_ipv4.c
index 805e83ec3ad9..efbec3b2ad25 100644
--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
+++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
@@ -37,7 +37,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff 
*skb,
 * to a listener socket if there's one */
struct sock *sk2;
 
-   sk2 = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,
+   sk2 = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
iph->saddr, laddr ? laddr : 
iph->daddr,
hp->source, lport ? lport : 
hp->dest,
skb->dev, 
NF_TPROXY_LOOKUP_LISTENER);
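Review bot: `hp->source` and `hp->dest` in this call still come from the caller's udphdr-sized buffer; that stays correct only because the two port fields occupy the first four bytes of both the UDP and the TCP header, and a short comment at this call site saying so would stop the next reader from "fixing" it back to a tcphdr.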
@@ -71,7 +71,7 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 
user_laddr, __be32 daddr)
 EXPORT_SYMBOL_GPL(nf_tproxy_laddr4);
 
 struct sock *
-nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,
+nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
  const u8 protocol,
  const __be32 saddr, const __be32 daddr,
  const __be16 sport, const __be16 dport,
@@ -79,16 +79,21 @@ nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, 
void *hp,
  const enum nf_tproxy_lookup_t lookup_type)
 {
struct sock *sk;
-   struct tcphdr *tcph;
+   struct tcphdr _hdr, *hp;
+
+   hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
+   if (hp == NULL) {
+   WARN_ON_ONCE(1);
+   return NULL;
+   }
 
switch (protocol) {
case IPPROTO_TCP:
switch (lookup_type) {
case NF_TPROXY_LOOKUP_LISTENER:
-   tcph = hp;
sk = inet_lookup_listener(net, _hashinfo, skb,
ip_hdrlen(skb) +
- __tcp_hdrlen(tcph),
+ __tcp_hdrlen(hp),
saddr, sport,
daddr, dport,
in->ifindex, 0);
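Review bot: the new 20-byte fetch `hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);` runs before the `switch (protocol)`, so it is executed for UDP as well, and a UDP datagram whose 8-byte header plus payload is shorter than sizeof(struct tcphdr) now fails the lookup that used to succeed; move the fetch under `case IPPROTO_TCP:` where `__tcp_hdrlen(hp)` is the only consumer. Also drop the `WARN_ON_ONCE(1)` on `hp == NULL`: a truncated packet arriving from the wire is not a kernel bug, and a remote peer should not be able to trigger a kernel warning, so just return NULL.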
diff --git a/net/ipv6/netfilter/nf_tproxy_ipv6.c 
b/net/ipv6/netfilter/nf_tproxy_ipv6.c
index bf1d6c421e3b..172cc761fe86 100644
--- a/net/ipv6/netfilter/nf_tproxy_ipv6.c
+++ b/net/ipv6/netfilter/nf_tproxy_ipv6.c
@@ -55,7 +55,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, 
int thoff,
 * to a listener socket if there's one */
struct sock *sk2;
 
-   sk2 = nf_tproxy_get_sock_v6(net, skb, thoff, hp, tproto,
+   sk2 = nf_tproxy_get_sock_v6(net, skb, thoff, tproto,
>saddr,
nf_tproxy_laddr6(skb, laddr, 
>daddr),
hp->source,
@@ -72,7 +72,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int t

Re: [PATCH nf-next] netfilter: Add native tproxy support for nf_tables

2018-06-24 Thread Máté Eckl
On Fri, Jun 22, 2018 at 06:24:51PM +0200, Florian Westphal wrote:
> Máté Eckl  wrote:
> > On Thu, Jun 21, 2018 at 04:31:48PM +0200, Florian Westphal wrote:
> > > Máté Eckl  wrote:
> > > > > This looks like it's subtly broken, inherited from xt_TPROXY.
> > > > > Above skb_header_pointer uses sizeof(udphdr) only, but nf_tproxy_get_sock_v4
> > > > > assumes it gets tcphdr (it checks th->doff, and that might be garbage).
> > > > 
> > > > I thought about why iptables uses udphdr consequently and I think it does
> > > > because we do not need other than source and destination address and port which
> > > > is part of the udp header too at the same position.
> > > 
> > > It does for LISTEN case, see __tcp_hdrlen() usage in
> > > nf_tproxy_get_sock_v4.
> > > 
> > > > I think they paid attention to this. nf_tproxy_get_sock_v4 treats that pointer
> > > > as a tcphdr indeed, but it only uses tcp-related attributes and functions if ip
> > > > protocol is IPPROTO_TCP, so what you described does not happen with a UDP
> > > > packet.
> > > 
> > > It doesn't happen with a UDP packet.  But in case tcp header wasn't in
> > > linear area (skb->data), but in pagefrags (or split), it will be copied
> > > by skb_header_pointer to __udphdr (on stack), so in that case we then
> > > get out-of-bounds read access.
> > > 
> > > Hence my suggestion to remove 'hp' arg and repeat skb_header_pointer()
> > > call with struct tcphdr.
> > 
> > Ok, I made the patch. Do you agree with this commit message? This linearisation
> > thing is not clear to me yet.
> > 
> > netfilter: Refactor nf_tproxy_get_sock_v{4,6}
> > 
> > This patch fixes a silent out-of-bounds read possibility that was present
> > because of the misuse of this function.
> > 
> > Mostly it was called with a struct udphdr *hp which had only the udphdr
> > part linearized by skb_header_pointer; however,
> > nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads of
> > TCP-specific flags may be invalid.
> 
> Yes, looks ok.
> 
> sk_buff references packet data in two ways:
> 
> 1. linear part, this referenced via skb->head and skb->data (head points
> to start of buffer, skb->data is moved around as headers are
> added/removed).
> 
> 2. nonlinar part.  This is referenced via skb_shinfo area, and points to
> pages of memory, i.e. an skb can be made up of dozens of pages.
> 
> It will typically be both for packets aggregated via GRO (receive
> offloading) or built on transmit.
> 
> In this particular case (LISTEN lookup, we'll normally always see 1)
> only, which explains why this wasn't noticed before, in case of 1)
> current code is fine.
> 
> In second case, accessing skb->data[bignum] may cause out-of-bounds read,
> as the data might reside in the "non-linear area", i.e. skb->head memory
> is much smaller.
> 
> One has to use the 'big hammer', skb_linearize(), to force reallocation
> of skb->head + copy of all pages' contents into it (very expensive,
> might not work if memory is fragmented and allocation request is large),
> or pskb_may_pull() with the amount of bytes you expect to be accessible
> via skb->head[] (doesn't do anything if its already accessible, or
> causes reallocation of skb->head if its too small, but will only 'pull'
> all pages, just whatever was requested).
> 
> To get access to a (small) header, you can also use
> skb_header_pointer(), which never reallocates skb->head.
> 
> If the requested access is already ok (because requested start offset +
> size is accessible via skb->head), it just returns a pointer to the
> offset in the linear area.
> 
> If not, it copies that requested size into the buffer that gets passed
> to the function, and returns a pointer to that buffer rather than to
> skb->head region.
> 
> In this case, we asked for sizeof(udphdr).
> If sizeof(tcphdr) (yes, tcphdr) would be ok/in linear area, everything
> is fine, the returned udp-header pointer can be re-used/treated like
> tcp.
> 
> But in the second case, the pointer returned could be the address of the
> _udphdr stack-buffer.
> It would be fine if only accessing those tcp fields that are <=
> sizeof(udphdr), but tcphdr->doff isn't within that region.
> 
> If you're interested in the gory details, look at skb_header_pointer and
> pskb_may_pull() implementations.

Thanks very much for the extensive description.
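To make the linear/non-linear distinction Florian describes concrete, here is an added userspace model of skb_header_pointer() (constructed for this thread, not kernel code and not part of the patch): a packet is split between a linear area and a paged fragment, the transport header is fetched either udphdr-sized as the old code did or tcphdr-sized as the fix does, and the model tracks how many bytes behind the returned pointer are really valid before tcphdr->doff is read. All struct and function names are invented for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed userspace model of an sk_buff: a linear area (skb->head)
 * followed by paged, non-linear data. Not kernel code. */
struct model_skb {
    const uint8_t *head;   /* linear area */
    size_t headlen;        /* bytes directly addressable via head */
    const uint8_t *frag;   /* bytes living in page fragments */
    size_t fraglen;
};

/* Wire-format sizes; only the field the listener lookup touches is named. */
#define UDP_HDR_LEN     8
#define TCP_HDR_LEN     20
#define TCP_DOFF_OFFSET 12     /* data offset: high nibble of byte 12 */

/* Result of a fetch: the header pointer and how many bytes behind it are readable. */
struct header_ref {
    const uint8_t *ptr;
    size_t valid_len;
};

/* Model of skb_header_pointer(): if [offset, offset+len) lies in the linear
 * area, point straight at it; otherwise gather the bytes into 'buffer'.
 * A packet too short for the range yields ptr == NULL (hp == NULL in the patch). */
static struct header_ref model_header_pointer(const struct model_skb *skb,
                                              size_t offset, size_t len,
                                              uint8_t *buffer)
{
    struct header_ref ref = { NULL, 0 };
    if (offset + len > skb->headlen + skb->fraglen)
        return ref;
    if (offset + len <= skb->headlen) {
        ref.ptr = skb->head + offset;
        ref.valid_len = skb->headlen - offset;  /* whole linear tail is readable */
        return ref;
    }
    for (size_t i = 0; i < len; i++) {
        size_t pos = offset + i;
        buffer[i] = pos < skb->headlen ? skb->head[pos]
                                       : skb->frag[pos - skb->headlen];
    }
    ref.ptr = buffer;
    ref.valid_len = len;   /* nothing past the requested bytes is valid */
    return ref;
}

/* The listener lookup reads tcphdr->doff; this says whether that read stays
 * inside memory the fetch actually made valid. */
static bool doff_read_in_bounds(const struct header_ref *ref)
{
    return ref->ptr != NULL && ref->valid_len > TCP_DOFF_OFFSET;
}

/* Equivalent of __tcp_hdrlen(): data offset in 32-bit words, times 4.
 * Only valid after doff_read_in_bounds() returned true. */
static size_t tcp_hdrlen_from(const struct header_ref *ref)
{
    return (size_t)(ref->ptr[TCP_DOFF_OFFSET] >> 4) * 4;
}

/* Fetch the transport header at 'thoff' the old way (udphdr-sized request,
 * then treated as a tcphdr) or the fixed way (tcphdr-sized request). Returns
 * true when the doff read is in bounds and stores the TCP header length. */
bool transport_header_doff_safe(const struct model_skb *skb, size_t thoff,
                                bool request_tcp_size, size_t *hdrlen_out)
{
    uint8_t buf[TCP_HDR_LEN];   /* stands in for the _hdr stack variable */
    size_t want = request_tcp_size ? TCP_HDR_LEN : UDP_HDR_LEN;
    struct header_ref ref = model_header_pointer(skb, thoff, want, buf);

    if (!doff_read_in_bounds(&ref))
        return false;
    if (hdrlen_out)
        *hdrlen_out = tcp_hdrlen_from(&ref);
    return true;
}

/* Constructed packet: 20-byte IPv4 header, then a 20-byte TCP header with
 * doff = 5 (byte 0x50). */
#define IP_HDR_LEN 20
const uint8_t sample_packet[IP_HDR_LEN + TCP_HDR_LEN] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06,
    0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
    0x1f, 0x90, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
    0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0,
};

/* Build a model skb whose first 'split_at' bytes are linear; the rest is paged. */
struct model_skb make_skb(size_t split_at)
{
    struct model_skb skb = { sample_packet, split_at, sample_packet + split_at,
                             sizeof(sample_packet) - split_at };
    return skb;
}
```

With the whole packet linear both request sizes are fine; once the linear area ends after the IP header, the udphdr-sized fetch is copied into an 8-byte buffer and the doff read at byte 12 falls outside it, while the tcphdr-sized fetch stays in bounds.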


Re: [PATCH nf-next] netfilter: Add native tproxy support for nf_tables

2018-06-22 Thread Máté Eckl
On Thu, Jun 21, 2018 at 04:31:48PM +0200, Florian Westphal wrote:
> Máté Eckl  wrote:
> > > This looks like it's subtly broken, inherited from xt_TPROXY.
> > > Above skb_header_pointer uses sizeof(udphdr) only, but nf_tproxy_get_sock_v4
> > > assumes it gets tcphdr (it checks th->doff, and that might be garbage).
> > 
> > I thought about why iptables uses udphdr consequently and I think it does
> > because we do not need other than source and destination address and port which
> > is part of the udp header too at the same position.
> 
> It does for LISTEN case, see __tcp_hdrlen() usage in
> nf_tproxy_get_sock_v4.
> 
> > I think they paid attention to this. nf_tproxy_get_sock_v4 treats that pointer
> > as a tcphdr indeed, but it only uses tcp-related attributes and functions if ip
> > protocol is IPPROTO_TCP, so what you described does not happen with a UDP
> > packet.
> 
> It doesn't happen with a UDP packet.  But in case tcp header wasn't in
> linear area (skb->data), but in pagefrags (or split), it will be copied
> by skb_header_pointer to __udphdr (on stack), so in that case we then
> get out-of-bounds read access.
> 
> Hence my suggestion to remove 'hp' arg and repeat skb_header_pointer()
> call with struct tcphdr.

Ok, I made the patch. Do you agree with this commit message? This linearisation
thing is not clear to me yet.

netfilter: Refactor nf_tproxy_get_sock_v{4,6}

This patch fixes a silent out-of-bounds read possibility that was present
because of the misuse of this function.

Mostly it was called with a struct udphdr *hp which had only the udphdr
part linearized by skb_header_pointer; however,
nf_tproxy_get_sock_v{4,6} uses it as a tcphdr pointer, so some reads of
TCP-specific flags may be invalid.



Re: [PATCH nft] evaluate: Detect address family in inet context

2018-06-22 Thread Máté Eckl
On Wed, Jun 20, 2018 at 02:26:36PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Jun 20, 2018 at 02:21:18PM +0200, Máté Eckl wrote:
> > On Wed, Jun 20, 2018 at 01:40:45PM +0200, Pablo Neira Ayuso wrote:
> > > On Mon, Jun 18, 2018 at 11:57:10AM +0200, Máté Eckl wrote:
> > > > Signed-off-by: Máté Eckl 
> > > > ---
> > > >  src/evaluate.c | 20 ++--
> > > >  1 file changed, 18 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/src/evaluate.c b/src/evaluate.c
> > > > index d6aff61..0564b44 100644
> > > > --- a/src/evaluate.c
> > > > +++ b/src/evaluate.c
> > > > @@ -2431,12 +2431,28 @@ static int evaluate_addr(struct eval_ctx *ctx, 
> > > > struct stmt *stmt,
> > > > const struct datatype *dtype;
> > > > unsigned int len;
> > > >  
> > > > -   if (pctx->family == NFPROTO_IPV4) {
> > > > +   switch (pctx->family) {
> > > > +   case NFPROTO_IPV4:
> > > > dtype = _type;
> > > > len   = 4 * BITS_PER_BYTE;
> > > > -   } else {
> > > > +   break;
> > > > +   case NFPROTO_IPV6:
> > > > dtype = _type;
> > > > len   = 16 * BITS_PER_BYTE;
> > > > +   break;
> > > > +   case NFPROTO_INET:
> > > > +   if (strchr((*expr)->identifier, ':')) {
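Review bot: the old `else` branch gave every non-IPv4 family the IPv6 type, whereas the new `switch (pctx->family)` leaves `dtype` and `len` (declared uninitialized just above) unset for any family that matches no case; the quoted hunk is cut off before a `default:` is visible, so make sure one exists that returns an evaluation error for non-IP families rather than falling through with an uninitialized datatype and length.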
> > > 
> > > I'd suggest you specify this in this syntax:
> > > 
> > > tproxy ip to 1.1.1.1
> > > 
> > > for the bridge/netdev/inet families.
> > > 
> > > From the kernel, this will also skip non-IP packets, so we don't need
> > > to build an IP dependency for this statement.
> > 
> > This patch solves a problem regardless of the tproxy functionality, as it was
> > impossible to specify an address other than ipv6 in non-ip tables. Tproxy was
> > only an example to demonstrate the error.
> > 
> > If this patch is applied, there is no need for the 'ip' here (and I'd like to
> > avoid it). Bridge and netdev tables are not supported to use tproxy in.
> 
> For ip/ip6, tproxy to 1.1.1.1 is fine.
> 
> But for bridge/netdev/inet, I think it makes explicit the dependency
> with either ip and ip6. So this is visible from the ruleset that this
> rule will only apply to either ip or ip6.

I thought that the address itself would be explicit enough to decide which of the
families the rule deals with. I (as a user) would never think that an ipv4
address will be used for an ipv6 socket lookup.
If you disagree, I can specify it in case an address is specified; I just liked
the idea of not having to specify this.

> And we'll skip having to generate a dependency for this, which is
> always more work, given that from the kernel we can just add:

I might not understand clearly what you mean by dependency.  I thought that ip,
ip6 and inet tables only receive packets that have an ipv4/ipv6 network layer
header, so this dependency is satisfied by definition, isn't it? I don't
think I generated any dependency explicitly.

> if (skb->protocol != htons(ETH_P_IP))
> ... break verdict ...
> 
> which is actually needed for safety reasons.

This is something that should appear in the eval function right?
Isn't it the same as what I added there?

	switch (nft_pf(pkt)) {
	case NFPROTO_IPV4:
		switch (priv->family) {
		case NFPROTO_IPV4:
		case NFPROTO_INET:
			nft_tproxy_eval_v4(expr, regs, pkt);
			break;
		default:
			regs->verdict.code = NFT_BREAK;
			break;
		}
		break;
#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
	case NFPROTO_IPV6:
		switch (priv->family) {
		case NFPROTO_IPV6:
		case NFPROTO_INET:
			nft_tproxy_eval_v6(expr, regs, pkt);
			break;
		default:
			regs->verdict.code = NFT_BREAK;
			break;
		}
		break;
#endif
	}

> I think your kernel patch is also lacking this, and a custom userspace
> program may add a tproxy expression to deal with IPV6 traffic, which
> may result in crashing the kernel.

Given the switch-case I don't think an ipv6 packet can pass to ipv4 evaluation.
Am I missing something?


Re: [PATCH nf-next] netfilter: Add native tproxy support for nf_tables

2018-06-22 Thread Máté Eckl
On Wed, Jun 20, 2018 at 02:18:25PM +0200, Pablo Neira Ayuso wrote:
> A few comments on top of Florian's.
> 
> On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
> [...]
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> > +   struct nft_regs *regs,
> > +   const struct nft_pktinfo *pkt)
> 
> Hm, better place IPv6 code in net/netfilter/nft_tproxy_ipv6.c ?
> 
> @Florian, do you prefer this monolithic style maybe?
> 
> I mean, I'll be fine either way.
> 
> [...]
> > +static int nft_tproxy_init(const struct nft_ctx *ctx,
> > +  const struct nft_expr *expr,
> > +  const struct nlattr * const tb[])
> > +{
> 
> I'm missing nf_defrag_ipv6_enable() calls from your _init() path.

I added them.

> > +   struct nft_tproxy *priv = nft_expr_priv(expr);
> > +   unsigned int alen = 0, plen = 0;
> > +   int err;
> > +
> > +   if (!tb[NFTA_TPROXY_FAMILY])
> > +   return -EINVAL;
> > +
> > +   switch(ctx->family) {
> > +   case NFPROTO_IPV4:
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +   case NFPROTO_IPV6:
> > +#endif
> > +   case NFPROTO_INET:
> > +   break;
> > +   default:
> > +   return -EOPNOTSUPP;
> > +   }
> > +
> > +   priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
> > +   if ((priv->family == NFPROTO_IPV4 && ctx->family == NFPROTO_IPV6) ||
> > +   (priv->family == NFPROTO_IPV6 && ctx->family == NFPROTO_IPV4))
> > +   return -EINVAL;
> > +
> > +   switch (priv->family) {
> > +   case NFPROTO_IPV4:
> > +   alen = FIELD_SIZEOF(union nf_inet_addr, in);
> > +   break;
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +   case NFPROTO_IPV6:
> > +   alen = FIELD_SIZEOF(union nf_inet_addr, in6);
> > +   break;
> > +#endif
> > +   case NFPROTO_INET:
> > +   /* No address is specified here */
> > +   break;
> > +   default:
> > +   return -EOPNOTSUPP;
> > +   }
> > +
> > +   if (tb[NFTA_TPROXY_REG_ADDR]) {
> > +   priv->sreg_addr = nft_parse_register(tb[NFTA_TPROXY_REG_ADDR]);
> > +   err = nft_validate_register_load(priv->sreg_addr, alen);
> > +   if (err < 0)
> > +   return err;
> > +   }
> > +
> > +   plen = sizeof(u16);
> > +   if (tb[NFTA_TPROXY_REG_PORT]) {
> > +   priv->sreg_port = nft_parse_register(tb[NFTA_TPROXY_REG_PORT]);
> > +   err = nft_validate_register_load(priv->sreg_port, plen);
> > +   if (err < 0)
> > +   return err;
> > +   }
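Review bot: for `case NFPROTO_INET:` the comment says "No address is specified here" and `alen` is left at 0, yet nothing rejects `NFTA_TPROXY_REG_ADDR` when the family is INET; the attribute is parsed and `nft_validate_register_load(priv->sreg_addr, alen)` is called with a zero length. Make the rejection explicit (return -EINVAL when `priv->family == NFPROTO_INET` and `tb[NFTA_TPROXY_REG_ADDR]` is set) instead of relying on the register validator to refuse a zero-length load, and since the ctx-vs-priv family check above runs before this switch, consider folding both checks into one place so a userspace program using raw netlink cannot hand the eval path an address whose length does not match the packet family.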
> 
> How does this work if neither address nor port are set?

It uses the original destination ip address and port for socket lookup. Florian
already drew my attention to the fact that it does not make any sense, so I'll
remove this scenario; address or port will have to be specified.


Re: [PATCH nf-next] netfilter: Add native tproxy support for nf_tables

2018-06-21 Thread Máté Eckl
On Wed, Jun 20, 2018 at 01:36:49PM +0200, Florian Westphal wrote:
> Máté Eckl  wrote:
> > There are some changes compared to the iptables implementation:
> >  - tproxy statement is not terminal here
> >  - no transport protocol criterion is necessary to set target ip address
> 
> > +   const struct nft_tproxy *priv = nft_expr_priv(expr);
> > +   struct sk_buff *skb = pkt->skb;
> > +   struct sock *sk = skb->sk;
> > +   const struct iphdr *iph = ip_hdr(skb);
> > +   struct udphdr _hdr, *hp;
> > +   __be32 taddr = 0;
> > +   __be16 tport = 0;
> > +
> > +   hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
> > +   if (!hp)
> > +   regs->verdict.code = NFT_BREAK;
> 
> This is missing needed 'return'.

Fixed.

> 
> > +   /* UDP has no TCP_TIME_WAIT state, so we never enter here */
> > +   if (sk && sk->sk_state == TCP_TIME_WAIT)
> > +   /* reopening a TIME_WAIT connection needs special handling */
> > +   sk = nf_tproxy_handle_time_wait4(nft_net(pkt), skb, taddr, 
> > tport, sk);
> > +   else if (!sk)
> > +   /* no, there's no established connection, check if
> > +* there's a listener on the redirected addr/port */
> > +   sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, hp, iph->protocol,
> > +  iph->saddr, taddr,
> > +  hp->source, tport,
> > +  skb->dev, NF_TPROXY_LOOKUP_LISTENER);
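Review bot: `hp` is handed to `nf_tproxy_get_sock_v4` together with `iph->protocol`, but it was fetched with `sizeof(_hdr)` where `_hdr` is a `struct udphdr`; for IPPROTO_TCP the helper takes a `struct tcphdr` view, and any TCP-only field (the data offset sits at byte 12, past the 8-byte UDP header) is then read beyond the stack buffer. A TCP packet truncated after 8 transport bytes also passes a check it should fail. Size the backing storage by `iph->protocol` (for example a union of `struct tcphdr` and `struct udphdr`, with `sizeof(struct tcphdr)` requested when `iph->protocol == IPPROTO_TCP`), or let the helper re-fetch the header itself as suggested below.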
> 
> This looks like it's subtly broken, inherited from xt_TPROXY.
> Above skb_header_pointer uses sizeof(udphdr) only, but nf_tproxy_get_sock_v4
> assumes it gets tcphdr (it checks th->doff, and that might be garbage).

I thought about why iptables consistently uses udphdr, and I think it does so
because we do not need anything other than the source and destination address and port, which
are part of the UDP header too, at the same position.

I think they paid attention to this. nf_tproxy_get_sock_v4 treats that pointer
as a tcphdr indeed, but it only uses TCP-related attributes and functions if the IP
protocol is IPPROTO_TCP, so what you described does not happen with a UDP
packet.

> So I suggest to remove 'hp' argument from nf_tproxy_get_sock_v4/6 and repeat
> the skb_header_pointer() call there, using struct tcphdr size as backend
> storage for TCP case.
> 
> This will need to be an extra patch vs. nf.git tree.
> 
> > +   if (sk && nf_tproxy_sk_is_transparent(sk)) {
> > +   nf_tproxy_assign_sock(skb, sk);
> > +   }
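Review bot: the braces around the single-statement body at `if (sk && nf_tproxy_sk_is_transparent(sk)) {` are unnecessary in kernel style; drop them unless the body grows, as it does in the variant quoted further down, where the added `return;` justifies them.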
> 
> No need for extra { }, see scripts/checkpatch.pl (no need to follow
> every advice that script provides of course, decide for yourself).

I thought I removed all of these. I'll pay more attention to these.

> 
> > +   /* NOTE: assign_sock consumes our sk reference */
> > +   if (sk && nf_tproxy_sk_is_transparent(sk)) {
> > +   nf_tproxy_assign_sock(skb, sk);
> > +   return;
> > +   }
> > +
> > +   regs->verdict.code = NFT_BREAK;
> > +}
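Review bot: falling through to `regs->verdict.code = NFT_BREAK;` when no transparent socket was assigned is the right outcome for this path, but the block quoted just above (`if (sk && nf_tproxy_sk_is_transparent(sk)) { nf_tproxy_assign_sock(skb, sk); }`) ends without any verdict on the miss path. Make both families finish the same way, i.e. set NFT_BREAK whenever `nf_tproxy_assign_sock` was not reached, so a rule behaves identically for IPv4 and IPv6.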
> 
> So ipv4 and ipv6 behave differently?
> Why does one set BREAK but not the other?
> 
> I *guess* it's best to BREAK in case sk wasn't assigned for both.

It's an error of mine. I'll review the v4/v6 once more and eliminate these
differences.
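The udphdr-versus-tcphdr question discussed above, worked through as an added example; this is not code from the patch or from the netfilter tree. The two header structs are written out locally under hypothetical names (laid out per RFC 768 and RFC 793) so it builds without kernel headers, `header_pointer()` is a stand-in for `skb_header_pointer()`, and the packet bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROTO_TCP 6
#define PROTO_UDP 17

/* Hypothetical local copies of the transport headers (RFC 768 / RFC 793). */
struct udp_hdr { uint16_t source, dest, len, check; };          /* 8 bytes  */
struct tcp_hdr {
    uint16_t source, dest;
    uint32_t seq, ack_seq;
    uint8_t  doff_res;     /* data offset, in 32-bit words, in the high nibble */
    uint8_t  flags;
    uint16_t window, check, urg_ptr;
};                                                              /* 20 bytes */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Source/destination ports sit at the same offsets in both headers; this is
 * the property that lets a udphdr-sized fetch serve a port-only lookup. */
int ports_share_layout(void)
{
    return offsetof(struct udp_hdr, source) == offsetof(struct tcp_hdr, source)
        && offsetof(struct udp_hdr, dest)   == offsetof(struct tcp_hdr, dest);
}

/* The TCP data-offset byte lies past the end of a udphdr-sized buffer. */
size_t tcp_doff_offset(void) { return offsetof(struct tcp_hdr, doff_res); }
int doff_fits_in_udp_buffer(void) { return tcp_doff_offset() < sizeof(struct udp_hdr); }

/* Size the backing storage by transport protocol instead of always udphdr. */
size_t transport_hdr_len(int proto)
{
    switch (proto) {
    case PROTO_TCP: return sizeof(struct tcp_hdr);
    case PROTO_UDP: return sizeof(struct udp_hdr);
    default:        return 0;   /* unsupported: caller breaks out of the rule */
    }
}

/* Stand-in for skb_header_pointer(): copy len bytes at off into buf, or
 * return NULL when the packet is too short to hold them. */
const void *header_pointer(const uint8_t *pkt, size_t pkt_len, size_t off,
                           size_t len, void *buf)
{
    if (off + len > pkt_len)
        return NULL;
    memcpy(buf, pkt + off, len);
    return buf;
}

/* Fetch a protocol-sized header and read the ports; returns the TCP header
 * length in bytes (0 for UDP), or -1 when truncated or unsupported. */
int parse_transport(const uint8_t *pkt, size_t pkt_len, size_t l4_off, int proto,
                    uint16_t *sport, uint16_t *dport)
{
    uint8_t buf[sizeof(struct tcp_hdr)];
    size_t len = transport_hdr_len(proto);

    if (len == 0 || !header_pointer(pkt, pkt_len, l4_off, len, buf))
        return -1;
    *sport = be16(buf + offsetof(struct udp_hdr, source));
    *dport = be16(buf + offsetof(struct udp_hdr, dest));
    if (proto == PROTO_TCP)
        return (buf[offsetof(struct tcp_hdr, doff_res)] >> 4) * 4;
    return 0;
}

/* Constructed sample: 20 zero bytes standing in for the IPv4 header, then a
 * TCP SYN with sport 4660 (0x1234), dport 80, doff 5. */
static const uint8_t sample_tcp[40] = {
    [20] = 0x12, 0x34, 0x00, 0x50,        /* ports             */
    0x00, 0x00, 0x00, 0x01,               /* seq               */
    0x00, 0x00, 0x00, 0x00,               /* ack               */
    0x50, 0x02,                           /* doff=5, SYN       */
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00    /* window, csum, urg */
};

/* Full packet: ports and data offset come back correctly. */
int demo_tcp_ok(void)
{
    uint16_t s = 0, d = 0;
    int doff = parse_transport(sample_tcp, sizeof sample_tcp, 20, PROTO_TCP, &s, &d);
    return doff == 20 && s == 4660 && d == 80;
}

/* Same packet cut after 8 transport bytes: the tcphdr-sized fetch refuses it. */
int demo_truncated_tcp_rejected(void)
{
    uint16_t s, d;
    return parse_transport(sample_tcp, 28, 20, PROTO_TCP, &s, &d);
}

/* A udphdr-sized fetch accepts the same truncated packet, leaving the data
 * offset to be read from whatever follows the 8 copied bytes. */
int udp_sized_fetch_accepts_truncated_tcp(void)
{
    struct udp_hdr u;
    return header_pointer(sample_tcp, 28, 20, sizeof u, &u) != NULL;
}
```

The first two helpers show both halves of the argument in the thread: the ports really do share a layout, which is why a udphdr-sized copy is enough for a port-only lookup, while the data offset lives at byte 12 and so can never be inside an 8-byte buffer. The last two functions show the practical consequence of sizing by protocol: a TCP header truncated after 8 bytes is rejected when the fetch asks for `sizeof(struct tcp_hdr)`, but accepted when it asks for `sizeof(struct udp_hdr)`.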


Re: [PATCH nft] Add tproxy support

2018-06-21 Thread Máté Eckl
On Wed, Jun 20, 2018 at 05:24:46PM +0200, Florian Westphal wrote:
> > I think, it is a useful one. If I want to make proxy working only for web
> > traffic this simple tproxy statement is sufficient:
> > tcp dport 80 tproxy
> > if the proxy software is listening on port 80.
> 
> Yes, but in that case TPROXY isn't needed as all of it can
> be done only by policy routing (i.e., use
>    tcp dport 80 mark set mark 0x1
> and add policy routing rule).
> 
> > This use-case seems quite meaningful to me.
> 
> Okay, but you don't need tproxy for this to work :-)
> 
> tproxy is only needed if packet for destination port x should end up
> with socket on destination port y.

Indeed :) I'll remove it then.

