[PATCH nft v3 6/7] src: ip: switch implicit dependencies to meta l4proto too

2017-05-19 Thread Florian Westphal
After ip6 nexthdr, also switch ip to meta l4proto instead of ip protocol. While it's needed for ipv6 (due to extension headers) this isn't needed for ip, but it has the advantage that tcp dport 22 produces the same expressions for ip/ip6/inet families. Signed-off-by: Florian Westphal --- No changes

[PATCH nft 4/7] payload: enforce ip/ip6 protocol depending on icmp or icmpv6

2017-05-19 Thread Florian Westphal
After some discussion with Pablo we agreed to treat icmp/icmpv6 specially. In the case of a rule like 'tcp dport 22' the inet, bridge and netdev families only care about the lower layer protocol. In the icmpv6 case however we'd like to also enforce an ipv6 protocol check (and ipv4 check in icmp c

[PATCH nft v3 5/7] tests: fix up meta l4proto change for ip6 family

2017-05-19 Thread Florian Westphal
After the previous commit nft generates meta l4proto for ipv6 dependencies instead of checking the (first) nexthdr value. This fixes up all test cases accordingly except one which fails with ip6/reject.t: ... 12: 'ip6 nexthdr 6 reject with tcp reset' mismatches 'meta l4proto 6 reject with tcp reset

[PATCH nft v3 3/7] src: ipv6: switch implicit dependencies to meta l4proto

2017-05-19 Thread Florian Westphal
When using a rule like ip6 filter input tcp dport 22 nft generates: [ payload load 1b @ network header + 6 => reg 1 ] [ cmp eq reg 1 0x0006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x1600 ] which is: ip6 filter input ip6 nexthdr tcp dport 22 IOW, such a r

[PATCH nft 1/7] payload: split ll proto dependency into helper

2017-05-19 Thread Florian Westphal
Will be re-used in a followup patch for icmp/icmpv6 dependency handling. Signed-off-by: Florian Westphal --- patch was not part of earlier series. src/payload.c | 29 ++--- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/src/payload.c b/src/payload.c index 5

[PATCH nft v3 0/7] switch l4 dependency to meta l4proto

2017-05-19 Thread Florian Westphal
Currently nft inserts different types of dependencies for l4 protocols, depending on the family. For inet, nft inserts 'meta l4proto' to e.g. check for tcp; for ip, nft uses 'ip protocol'. Both are fine. The ip6 family however uses 'ip6 nexthdr', and that's a problem because e.g. tcp dport 22 will

[PATCH nft v3 2/7] src: allow update of net base w. meta l4proto icmpv6

2017-05-19 Thread Florian Westphal
nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert :1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6 Add icmpv6 to the nexthdr list so the base gets updated correctly. Reported-by: Thomas Woerner Signed-off-by: Florian Westphal --- Change since last version:

[PATCH net-next 2/2] netfilter: nf_tables: make local functions static

2017-05-19 Thread Stephen Hemminger
Resolves warnings: net/netfilter/nft_rt.c:26:6: warning: no previous prototype for ‘nft_rt_get_eval’ [-Wmissing-prototypes] net/netfilter/nft_rt.c:75:5: warning: no previous prototype for ‘nft_rt_get_init’ [-Wmissing-prototypes] net/netfilter/nft_rt.c:106:5: warning: no previous prototype for ‘n

[PATCH net-next 1/2] netfilter: resolve warnings about missing prototypes

2017-05-19 Thread Stephen Hemminger
Missing include file causes: net/netfilter/nf_dup_netdev.c:26:6: warning: no previous prototype for ‘nf_fwd_netdev_egress’ [-Wmissing-prototypes] net/netfilter/nf_dup_netdev.c:40:6: warning: no previous prototype for ‘nf_dup_netdev_egress’ [-Wmissing-prototypes] Signed-off-by: Stephen Hemminger

Re: [PATCH v3 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Oliver Ford
On Fri, May 19, 2017 at 12:36 PM, Florian Westphal wrote: > Oliver Ford wrote: >> On Fri, May 19, 2017 at 11:38 AM, Florian Westphal wrote: >> > Oliver Ford wrote: >> >> On Fri, May 19, 2017 at 11:04 AM, Florian Westphal wrote: >> >> > Oliver Ford wrote: >> >> >> Filter a beginning '--t'. Bec

[PATCH v5 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Oliver Ford
Fixes the crash reported in Bugzilla #1131 where a malformed parameter that specifies the table option during a restore can create an invalid pointer. It was discovered during fuzz testing that options like '-ftf' can cause a segfault. A parameter that includes a 't' is not currently filtered corre

[nft PATCH v3] List handles of added rules if requested

2017-05-19 Thread Phil Sutter
Being able to retrieve an added rule's handle atomically is a crucial feature for scripts invoking nft command: Without it, there is no way to be sure a handle extracted from 'nft list ruleset' command actually refers to the rule one has added before or that of another process which ran in between.

Re: [PATCH nf] netfilter: conntrack: fix false CRC32c mismatch using paged skb

2017-05-19 Thread Davide Caratti
Hello Pablo, thank you for looking at this! On Fri, 2017-05-19 at 10:41 +0200, Pablo Neira Ayuso wrote: > On Thu, May 18, 2017 at 06:01:43PM +0200, Davide Caratti wrote: > > sctp_compute_cksum() implementation assumes that at least the SCTP header > > is in the linear part of skb: modify conntrack

Re: [PATCH v3 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Florian Westphal
Oliver Ford wrote: > On Fri, May 19, 2017 at 11:38 AM, Florian Westphal wrote: > > Oliver Ford wrote: > >> On Fri, May 19, 2017 at 11:04 AM, Florian Westphal wrote: > >> > Oliver Ford wrote: > >> >> Filter a beginning '--t'. Because the getopt_long function allows > >> >> abbreviations, > >>

Re: [PATCH v3 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Oliver Ford
On Fri, May 19, 2017 at 11:38 AM, Florian Westphal wrote: > Oliver Ford wrote: >> On Fri, May 19, 2017 at 11:04 AM, Florian Westphal wrote: >> > Oliver Ford wrote: >> >> Filter a beginning '--t'. Because the getopt_long function allows >> >> abbreviations, >> >> any parameter beginning with '-

[PATCH v4 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Oliver Ford
Fixes the crash reported in Bugzilla #1131 where a malformed parameter that specifies the table option during a restore can create an invalid pointer. It was discovered during fuzz testing that options like '-ftf' can cause a segfault. A parameter that includes a 't' is not currently filtered corre

Re: [nf-next PATCH] netfilter: nf_tables: Report transactions' process info to user space

2017-05-19 Thread Phil Sutter
On Mon, May 15, 2017 at 07:54:44PM +0200, Pablo Neira Ayuso wrote: > On Mon, May 15, 2017 at 06:44:32PM +0200, Phil Sutter wrote: > > On Mon, May 15, 2017 at 05:53:31PM +0200, Pablo Neira Ayuso wrote: > > > On Mon, May 15, 2017 at 04:51:49PM +0200, Phil Sutter wrote: > > > > When committing a trans

Re: [PATCH v3 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Oliver Ford
On Fri, May 19, 2017 at 11:38 AM, Florian Westphal wrote: > Oliver Ford wrote: >> On Fri, May 19, 2017 at 11:04 AM, Florian Westphal wrote: >> > Oliver Ford wrote: >> >> Filter a beginning '--t'. Because the getopt_long function allows >> >> abbreviations, >> >> any parameter beginning with '-

Re: [PATCH v3 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Florian Westphal
Oliver Ford wrote: > On Fri, May 19, 2017 at 11:04 AM, Florian Westphal wrote: > > Oliver Ford wrote: > >> Filter a beginning '--t'. Because the getopt_long function allows > >> abbreviations, > >> any parameter beginning with '--t' will be treated as '--table'. > > > > No, that's not correct: >

Re: [PATCH v3 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Oliver Ford
On Fri, May 19, 2017 at 11:04 AM, Florian Westphal wrote: > Oliver Ford wrote: >> Filter a beginning '--t'. Because the getopt_long function allows >> abbreviations, >> any parameter beginning with '--t' will be treated as '--table'. > > No, that's not correct: > --t is treated as --table. > --tf

Re: [PATCH v3 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Florian Westphal
Oliver Ford wrote: > Filter a beginning '--t'. Because the getopt_long function allows > abbreviations, > any parameter beginning with '--t' will be treated as '--table'. No, that's not correct: --t is treated as --table. --tfoo is an invalid option. --ttl is ttl. So this: > +

Re: [PATCH v2 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Oliver Ford
On Thu, May 18, 2017 at 4:29 PM, Oliver Ford wrote: > On Thu, May 18, 2017 at 4:20 PM, Florian Westphal wrote: >> Oliver Ford wrote: >>> On Thu, May 18, 2017 at 3:42 PM, Florian Westphal wrote: >>> > Oliver Ford wrote: >>> >> --- a/iptables/ip6tables-restore.c >>> >> +++ b/iptables/ip6tables-r

[PATCH v3 1/1] iptables: Fix crash on malformed iptables-restore

2017-05-19 Thread Oliver Ford
Fixes the crash reported in Bugzilla #1131 where a malformed parameter that specifies the table option during a restore can create an invalid pointer. It was discovered during fuzz testing that options like '-ftf' can cause a segfault. A parameter that includes a 't' is not currently filtered corre

Re: [PATCH nf] netfilter: conntrack: fix false CRC32c mismatch using paged skb

2017-05-19 Thread Pablo Neira Ayuso
Hi Davide, On Thu, May 18, 2017 at 06:01:43PM +0200, Davide Caratti wrote: > sctp_compute_cksum() implementation assumes that at least the SCTP header > is in the linear part of skb: modify conntrack error callback to avoid > false CRC32c mismatch, if the transport header is partially/entirely pag

[PATCH 02/12] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch

2017-05-19 Thread Pablo Neira Ayuso
From: Matthias Kaehlcke Not all parameters passed to ctnetlink_parse_tuple() and ctnetlink_exp_dump_tuple() match the enum type in the signatures of these functions. Since this is intended change the argument type of to be an unsigned integer value. Signed-off-by: Matthias Kaehlcke Signed-off-b

[PATCH 00/12] Netfilter/IPVS fixes for net

2017-05-19 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter/IPVS fixes for your net tree, they are: 1) When using IPVS in direct-routing mode, normal traffic from the LVS host to a back-end server is sometimes incorrectly NATed on the way back into the LVS host. Patch to fix this from Julian Anasta

[PATCH 01/12] ipvs: SNAT packet replies only for NATed connections

2017-05-19 Thread Pablo Neira Ayuso
From: Julian Anastasov We do not check if packet from real server is for NAT connection before performing SNAT. This causes problems for setups that use DR/TUN and allow local clients to access the real server directly, for example: - local client in director creates IPVS-DR/TUN connection CIP->

[PATCH 04/12] netfilter: introduce nf_conntrack_helper_put helper function

2017-05-19 Thread Pablo Neira Ayuso
From: Liping Zhang And convert the module_put invocation to nf_conntrack_helper_put; this prepares for the followup patch, which will add a refcnt for cthelper, so we can reject the delete request when the cthelper is in use. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- inclu

[PATCH 06/12] netfilter: xtables: zero padding in data_to_user

2017-05-19 Thread Pablo Neira Ayuso
From: Willem de Bruijn When looking up an iptables rule, the iptables binary compares the aligned match and target data (XT_ALIGN). In some cases this can exceed the actual data size to include padding bytes. Before commit f77bc5b23fb1 ("iptables: use match, target and data copy_to_user helpers"

[PATCH 11/12] ebtables: arpreply: Add the standard target sanity check

2017-05-19 Thread Pablo Neira Ayuso
From: Gao Feng The info->target comes from userspace and it would be used directly. So we need to add the sanity check to make sure it is a valid standard target, although the ebtables tool has already checked it. Kernel needs to validate anything coming from userspace. If the target is set as a

[PATCH 05/12] netfilter: nfnl_cthelper: reject del request if helper obj is in use

2017-05-19 Thread Pablo Neira Ayuso
From: Liping Zhang We can still delete the ct helper even if it is in use; this will cause a use-after-free error. In more detail, I mean: # nfct helper add ssdp inet udp # iptables -t raw -A OUTPUT -p udp -j CT --helper ssdp # nfct helper delete ssdp //--> oops, succeed! BUG: unable to h

[PATCH 08/12] netfilter: nf_tables: can't assume lock is acquired when dumping set elems

2017-05-19 Thread Pablo Neira Ayuso
From: Liping Zhang When dumping the elements related to a specified set, we may invoke nf_tables_dump_set with the NFNL_SUBSYS_NFTABLES lock not acquired. So we should use the proper rcu operation to avoid a race condition, just like other nft dump operations. Signed-off-by: Liping Zhang Sign

[PATCH 09/12] netfilter: nf_tables: missing sanitization in data from userspace

2017-05-19 Thread Pablo Neira Ayuso
Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it is still possible to handcraft a netlink message using this incorrect data type. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_bitwise.c | 19 +++

[PATCH 10/12] netfilter: nf_tables: revisit chain/object refcounting from elements

2017-05-19 Thread Pablo Neira Ayuso
Andreas reports that the following incremental update using our commit protocol doesn't work. # nft -f incremental-update.nft delete element ip filter client_to_any { 10.180.86.22 : goto CIn_1 } delete chain ip filter CIn_1 ... Error: Could not process rule: Device or resource busy The existi

[PATCH 07/12] netfilter: synproxy: fix conntrackd interaction

2017-05-19 Thread Pablo Neira Ayuso
From: Eric Leblond This patch fixes the creation of a connection tracking entry from netlink when synproxy is used. It was missing the addition of the synproxy extension. This was causing kernel crashes when a conntrack entry created by conntrackd was used after the switch of traffic from active n

[PATCH 12/12] netfilter: xtables: fix build failure from COMPAT_XT_ALIGN outside CONFIG_COMPAT

2017-05-19 Thread Pablo Neira Ayuso
From: Willem de Bruijn The patch in the Fixes references COMPAT_XT_ALIGN in the definition of XT_DATA_TO_USER, outside an #ifdef CONFIG_COMPAT block. Split XT_DATA_TO_USER into separate compat and non-compat variants and define the first inside a CONFIG_COMPAT block. This simplifies both varia

[PATCH 03/12] netfilter: don't setup nat info for confirmed ct

2017-05-19 Thread Pablo Neira Ayuso
From: Liping Zhang We cannot set up nat info if the ct has been confirmed already, else different CPUs may race to handle the same ct. In extreme situations, we may hit the "BUG_ON(nf_nat_initialized(ct, maniptype))" in nf_nat_setup_info. Also running the following commands will easily hit NF_

Re: [PATCH iptables] iptables: support insisting that the lock is held

2017-05-19 Thread Lorenzo Colitti
On Thu, May 4, 2017 at 12:57 AM, Lorenzo Colitti wrote: > > I would like to skip this compile time switch, if the existing > > behaviour is broken, we should just fix it. What is the scenario that > > can indeed have an impact in terms of backward compatibility breakage? > > Does it really make se

[PATCH] iptables: insist that the lock is held.

2017-05-19 Thread Lorenzo Colitti
Currently, iptables programs will exit with an error if the iptables lock cannot be acquired, but will silently continue if the lock cannot be opened at all. This can cause unexpected failures (with unhelpful error messages) in the presence of concurrent updates, which can be very difficult to find