[PATCH nf-next] netfilter: nf_ct_h323: do not re-activate already expired timer

2016-07-23 Thread Liping Zhang
From: Liping Zhang Commit 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of set_expect_timeout") just simplifies the source code if (!del_timer(&info->timeout)) return 0; add_timer(&info->timeout); to mod_timer(&info->timeout, jiffies + info->timeout * HZ); This

[PATCH 1/1] netfilter: Only need first 4 bytes to get l4proto ports

2016-07-23 Thread fgao
From: Gao Feng We only need first 4 bytes instead of 8 bytes to get the ports of tcp/udp/dccp/sctp/udplite in their pkt_to_tuple function. Signed-off-by: Gao Feng --- v3: Keep consistent for tcp/udp/dccp/sctp/udplite to get 4 bytes instead of 8 bytes v2:

Re: [PATCH iptables 1/2] xtables-translate: add new field to identify the caller

2016-07-23 Thread Pablo Neira Ayuso
On Fri, Jul 22, 2016 at 05:48:33PM +0200, Pablo M. Bermudo Garay wrote: > In some cases, xlate functions must print a different result if they are > invoked from nft and not from a xtables-translate command. > > This commit adds a new boolean field to the xt_xlate struct. This > variable must be

[PATCH 20/25] netfilter: nf_tables: allow to filter out rules by table and chain

2016-07-23 Thread Pablo Neira Ayuso
If the table and/or chain attributes are set in a rule dump request, we filter out the rules based on this selection. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 38 ++ 1 file changed, 38 insertions(+) diff --git

[PATCH 10/25] netfilter: constify arg to is_dying/confirmed

2016-07-23 Thread Pablo Neira Ayuso
From: Florian Westphal Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/net/netfilter/nf_conntrack.h

[PATCH 23/25] netfilter: h323: Use mod_timer instead of set_expect_timeout

2016-07-23 Thread Pablo Neira Ayuso
From: Gao Feng Simplify the code without any side effect. The set_expect_timeout is used to modify the timer expired time. It tries to delete timer, and add it again. So we could use mod_timer directly. Signed-off-by: Gao Feng Signed-off-by: Pablo Neira

[PATCH 15/25] netfilter: nft_ct: fix unpaired nf_connlabels_get/put call

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang We only get nf_connlabels if the user adds the ct label set expr successfully, but we will also put nf_connlabels if the user deletes the ct label get expr. This is mismatched, and will cause the ct label expr to not work properly. Also, if we init something

[PATCH 05/25] netfilter: conntrack: simplify early_drop

2016-07-23 Thread Pablo Neira Ayuso
From: Florian Westphal We don't need to acquire the bucket lock during early drop, we can use lockless traversal just like nf_conntrack_find. The timer deletion serves as synchronization point, if another cpu attempts to evict same entry, only one will succeed with timer

[PATCH 09/25] netfilter: nft_ct: make byte/packet expr more friendly

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang If we want to use ct packets expr, and add a rule like follows: # nft add rule filter input ct packets gt 1 counter We will find that no packets will hit it, because nf_conntrack_acct is disabled by default. So it will not work until we enable

[PATCH 14/25] netfilter: x_tables: speed up jump target validation

2016-07-23 Thread Pablo Neira Ayuso
From: Florian Westphal The dummy ruleset I used to test the original validation change was broken, most rules were unreachable and were not tested by mark_source_chains(). In some cases rulesets that used to load in a few seconds now require several minutes. sample ruleset that

[PATCH 21/25] netfilter: conntrack: support a fixed size of 128 distinct labels

2016-07-23 Thread Pablo Neira Ayuso
From: Florian Westphal The conntrack label extension is currently variable-sized, e.g. if only 2 labels are used by iptables rules then the labels->bits[] array will only contain one element. We track size of each label storage area in the 'words' member. But in nftables and

[PATCH 19/25] netfilter: nft_log: fix snaplen does not truncate packets

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang There's a similar problem in xt_NFLOG, and was fixed by commit 7643507fe8b5 ("netfilter: xt_NFLOG: nflog-range does not truncate packets"). Only set copy_len here does not work, so we should enable NF_LOG_F_COPY_LEN also. Signed-off-by: Liping

[PATCH 13/25] netfilter: conntrack: protect early_drop by rcu read lock

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang User can add ct entry via nfnetlink(IPCTNL_MSG_CT_NEW), and if the total number reaches the nf_conntrack_max, we will try to drop some ct entries. But in this case (the main function call path is ctnetlink_create_conntrack -> nf_conntrack_alloc ->

[PATCH 22/25] netfilter: connlabels: move set helper to xt_connlabel

2016-07-23 Thread Pablo Neira Ayuso
From: Florian Westphal xt_connlabel is the only user so move it. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack_labels.h | 2 -- net/netfilter/nf_conntrack_labels.c | 17

[PATCH 07/25] netfilter: nat: convert nat bysrc hash to rhashtable

2016-07-23 Thread Pablo Neira Ayuso
From: Florian Westphal It did use a fixed-size bucket list plus single lock to protect add/del. Unlike the main conntrack table we only need to add and remove keys. Convert it to rhashtable to get table autosizing and per-bucket locking. The maximum number of entries is -- as

[PATCH 03/25] netfilter: cttimeout: unlink timeout obj again when hash resize happen

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang Imagine such a situation: nf_conntrack_htable_size now is 4096, we are doing ctnl_untimeout, and iterate on 3000# bucket. Meanwhile, another user tries to reduce hash size to 2048, then all nf_conn are removed to the new hashtable. When this hash

[PATCH 16/25] netfilter: Add helper array register/unregister functions

2016-07-23 Thread Pablo Neira Ayuso
From: Gao Feng Add nf_ct_helper_init(), nf_conntrack_helpers_register() and nf_conntrack_helpers_unregister() functions to avoid repetitive opencoded initialization in helpers. This patch keeps an id parameter for nf_ct_helper_init() not to break helper matching by name that

[PATCH 08/25] netfilter: physdev: physdev-is-out should not work with OUTPUT chain

2016-07-23 Thread Pablo Neira Ayuso
From: Hangbin Liu physdev_mt() will check skb->nf_bridge first, which was alloced in br_nf_pre_routing. So if we want to use --physdev-out and physdev-is-out, we need to match it in FORWARD or POSTROUTING chain. physdev_mt_check() only checked physdev-out and missed

[PATCH 25/25] netfilter: nft_compat: fix crash when related match/target module is removed

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang We "cache" the loaded match/target modules and reuse them, but when the modules are removed, we still point to them. Then we may end up with invalid memory references when using iptables-compat to add rules later. Input the following commands will

[PATCH 11/25] netfilter: nf_tables: get rid of possible_net_t from set and basechain

2016-07-23 Thread Pablo Neira Ayuso
We can pass the netns pointer as parameter to the functions that need to gain access to it. From basechains, I didn't find any client for this field anymore so let's remove this too. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 21

[PATCH 01/25] ipvs: count pre-established TCP states as active

2016-07-23 Thread Pablo Neira Ayuso
From: Michal Kubecek Some users observed that "least connection" distribution algorithm doesn't handle well bursts of TCP connections from reconnecting clients after a node or network failure. This is because the algorithm counts active connection as worth 256 inactive ones

[PATCH 18/25] netfilter: nft_log: check the validity of log level

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang User can specify the log level larger than 7 (debug level) via nfnetlink, this is invalid. So in this case, we should report EINVAL to the userspace. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso

[PATCH 24/25] netfilter: nft_compat: put back match/target module if init fail

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang If the user specifies an invalid NFTA_MATCH_INFO/NFTA_TARGET_INFO attr or memory alloc fails, we should call module_put on the related match or target. Otherwise, we cannot remove the module even if nobody uses it. Signed-off-by: Liping Zhang

[PATCH 17/25] netfilter: nft_log: fix possible memory leak if log expr init fail

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang Suppose that we specify the NFTA_LOG_PREFIX, then NFTA_LOG_LEVEL and NFTA_LOG_GROUP are specified together or nf_logger_find_get call returns fail, i.e. expr init fail, memory leak will happen. Signed-off-by: Liping Zhang

[PATCH 06/25] netfilter: move nat hlist_head to nf_conn

2016-07-23 Thread Pablo Neira Ayuso
From: Florian Westphal The nat extension structure is 32bytes in size on x86_64: struct nf_conn_nat { struct hlist_node bysource; /* 016 */ struct nf_conn * ct; /*16 8 */ union

[PATCH 02/25] netfilter: conntrack: fix race between nf_conntrack proc read and hash resize

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang When we do "cat /proc/net/nf_conntrack", and meanwhile resize the conntrack hash table via /sys/module/nf_conntrack/parameters/hashsize, race will happen, because reader can observe a newly allocated hash but the old size (or vice versa). So oops

[PATCH 00/25] Netfilter/IPVS updates for net-next

2016-07-23 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter/IPVS updates for net-next, they are: 1) Count pre-established connections as active in "least connection" schedulers such that pre-established connections to avoid overloading backend servers on peak demands, from Michal Kubecek via Simon

Re: [PATCH 1/1] netfilter: tcp/udp: Only get 4 bytes to get tcp/udp ports

2016-07-23 Thread Pablo Neira Ayuso
On Fri, Jul 22, 2016 at 11:59:22PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > We use tcp/udp_pkt_to_tuple to get the ports of tcp/udp. > Actually only need to get 4 bytes by skb_header_pointer instead > of 8 bytes. > > Signed-off-by: Gao Feng > --- >

Re: [PATCH 2/2] netfilter: connlabels: move set helper to xt_connlabel

2016-07-23 Thread Pablo Neira Ayuso
On Thu, Jul 21, 2016 at 12:51:17PM +0200, Florian Westphal wrote: > xt_connlabel is the only user so move it. Also applied, thanks.

Re: [PATCH 1/2] netfilter: conntrack: support a fixed size of 128 distinct labels

2016-07-23 Thread Pablo Neira Ayuso
On Thu, Jul 21, 2016 at 12:51:16PM +0200, Florian Westphal wrote: > The conntrack label extension is currently variable-sized, e.g. if > only 2 labels are used by iptables rules then the labels->bits[] array > will only contain one element. > > We track size of each label storage area in the

Re: [PATCH iptables 2/2] xtables-translate: fix issue with quotes

2016-07-23 Thread Pablo Neira Ayuso
On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote: > Some translations included escaped quotes when they were called from > nft: git am /tmp/iptables-2-2-xtables-translate-fix-issue-with-quotes.patch -s gApplying: xtables-translate: fix issue with quotes error: patch failed:

[PATCH nf-next 2/2] netfilter: nft_compat: fix crash when related match/target module is removed

2016-07-23 Thread Liping Zhang
From: Liping Zhang We "cache" the loaded match/target modules and reuse them, but when the modules are removed, we still point to them. Then we may end up with invalid memory references when using iptables-compat to add rules later. Input the following commands will

[PATCH nf-next 1/2] netfilter: nft_compat: put back match/target module if init fail

2016-07-23 Thread Liping Zhang
From: Liping Zhang If the user specifies an invalid NFTA_MATCH_INFO/NFTA_TARGET_INFO attr or memory alloc fails, we should call module_put on the related match or target. Otherwise, we cannot remove the module even if nobody uses it. Signed-off-by: Liping Zhang

[PATCH iptables] extensions: libxt_connlabel: add unit test

2016-07-23 Thread Liping Zhang
From: Liping Zhang Add some unit tests for connlabel match extension: # ./iptables-test.py extensions/libxt_connlabel.t extensions/libxt_connlabel.t: OK 1 test files, 7 unit tests, 7 passed Signed-off-by: Liping Zhang ---