On 2018-01-08 06:32, Pablo Neira Ayuso wrote:
Hi Subash,
One more concern before this gets upstream.
Do you think we can turn this into an on/off knob instead?
I mean, I think it's good if you add a new
NF_IP_PRI_RAW_BEFORE_DEFRAG and we place it into uapi.
I'm just worried about follow up pa
From: Pablo Neira Ayuso
Date: Mon, 8 Jan 2018 21:19:08 +0100
> The following patchset contains Netfilter/IPVS updates for your
> net-next tree:
...
> 4) Add generic flow table offload infrastructure for nf_tables, this
> includes the netlink control plane and support for IPv4, IPv6 and
>
From: Florian Westphal
Similar to the previous commit, but instead compute this at compile time
and turn nlattr_size into a u16.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_l4proto.h | 7 +++
net/netfilter/nf_conntrack_netlink.c
From: Florian Westphal
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_l4proto.h | 10 +-
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 +-
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 2 +-
net/netfilter/nf_conntrack
From: "Gustavo A. R. Silva"
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipset/ip_set_core.c | 2 +-
net/netf
From: Florian Westphal
previous patches removed all writes to these structs so we can
now mark them as const.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 12 ++--
include/net/netfilter/ipv6/nf_conntrack_ipv6.h |
From: Florian Westphal
Giuseppe Scrivano says:
"SELinux, if enabled, registers for each new network namespace 6
netfilter hooks."
Cost for this is high. With synchronize_net() removed:
"The net benefit on an SMP machine with two cores is that creating a
new network namespace takes -
From: Florian Westphal
Nowadays this is just the default template that is used when setting up
the net namespace, so nothing writes to these locations.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 +-
net/ipv6/netfilte
From: Florian Westphal
This reverts commit d3ad2c17b4047
("netfilter: core: batch nf_unregister_net_hooks synchronize_net calls").
Nothing wrong with it. However, a followup patch will delay freeing of hooks
with call_rcu, so all synchronize_net() calls become obsolete and there
is no need anymor
From: Gao Feng
The param of frag_safe_skb_hp, ipvsh, isn't used now. So remove it and
update the callers' codes too.
Signed-off-by: Gao Feng
Acked-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
---
include/net/ip_vs.h | 3 +--
net/netfilter/ipvs/ip_vs_conn.c | 2 +-
net/netf
From: Varsha Rao
Change old multi-line comment style to kernel comment style and
remove unwanted comments.
Signed-off-by: Varsha Rao
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_h323_asn1.c | 37 +++---
net/netfilter/nf_conntrack_h323_main.c | 47 +++
From: Florian Westphal
since commit 960632ece6949b ("netfilter: convert hook list to an array")
nfqueue no longer stores a pointer to the hook that caused the packet
to be queued. Therefore no extra synchronize_net() call is needed after
dropping the packets enqueued by the old rule blob.
Signe
From: Florian Westphal
When sets are extremely large we can get softlockup during ipset -L.
We could fix this by adding cond_resched_rcu() at the right location
during iteration, but this only works if RCU nesting depth is 1.
At this time the entire variant->list() is called under rcu_read_loc
From: Florian Westphal
struct net contains:
struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
which store the hook entry point locations for the various protocol
families and the hooks.
Using an array results in compact C code when doing accesses, i.e.
x = rcu_dereference(net
From: Florian Westphal
The kernel already has defines for this, but they are in uapi exposed
headers.
Including these from netns.h causes build errors and also adds unneeded
dependencies on headers that we don't need.
So move these defines to netfilter_defs.h and place the uapi ones
in ifndef __K
From: Florian Westphal
currently we always return -ENOENT to userspace if we can't find
a particular table, or if the table initialization fails.
A followup patch will make nat table init fail in case nftables already
registered a nat hook, so this change makes xt_find_table_lock return
an ERR_PTR
From: Florian Westphal
No problem for iptables as priorities are fixed values defined in the
nat modules, but in nftables the priority is coming from userspace.
Reject in case we see that such a hook would not work.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/ne
From: Florian Westphal
Not all families share the same hook count, adjust sizes to what is
needed.
struct net before:
/* size: 6592, cachelines: 103, members: 46 */
after:
/* size: 5952, cachelines: 93, members: 46 */
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
inclu
From: Florian Westphal
The netfilter NAT core cannot deal with more than one NAT hook per hook
location (prerouting, input ...), because the NAT hooks install a NAT null
binding in case the iptables nat table (iptable_nat hooks) or the
corresponding nftables chain (nft nat hooks) doesn't specify
46928a0b49f3 ("netfilter: nf_tables: remove multihook chains and
families") already removed this; this is a leftover.
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nf_tables_arp.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/ipv4/netfilter/nf_tables_arp.c
b/net/ipv4/netfilte
From: Florian Westphal
no need to define hook points if the family isn't supported.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter.h | 2 ++
include/net/netns/netfilter.h | 2 ++
net/netfilter/core.c | 4
3 files changed, 8 inser
From: Florian Westphal
This can be same as NF_INET_NUMHOOKS if we don't support DECNET.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter_defs.h | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/include/linux/netfilter_de
Just a cleanup, __nf_unregister_net_hook() is used by a follow up patch
when handling NFPROTO_INET as a real family from the core.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/core.c b/net/netf
Instead of calling this function from the family specific variant, this
reduces the code size in the fast path for the netdev, bridge and inet
families. After this change, we must call nft_set_pktinfo() upfront from
the chain hook indirection.
Before:
textdata bss dec hex filen
From: Florian Westphal
no need to define hook points if the family isn't supported.
Because we need these hooks for either nftables, arp/ebtables
or the 'call-iptables' hack we have in the bridge layer add two
new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the
users select them.
Signe
We cannot make a direct call to nf_ip6_checksum() because that would
result in autoloading the 'ipv6' module because of symbol dependencies.
Therefore, define checksum indirection in nf_ipv6_ops where this really
belongs.
For IPv4, we can indeed make a direct function call, which is faster,
giv
So static_key_slow_dec applies to the family behind NFPROTO_INET.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index bcbaa78ec374..6c9874c8b10a 100644
--- a/net
Add helper function to test for the NFT_SET_ANONYMOUS flag.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 5 +
net/netfilter/nf_tables_api.c | 8
net/netfilter/nft_dynset.c | 2 +-
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/
Instead of passing struct nf_hook_ops, this is needed by follow up
patches to handle NFPROTO_INET from the core.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 36 +++-
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/net/netfilter/core
Expand NFPROTO_INET in two hook registrations, one for NFPROTO_IPV4 and
another for NFPROTO_IPV6. Hence, we handle NFPROTO_INET from the core.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 53 +++-
1 file changed, 44 insertions(+), 9
Since NFPROTO_INET is handled from the core, we don't need to maintain
extra infrastructure in nf_tables to handle the double hook
registration, one for IPv4 and another for IPv6.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 9 +--
net/bridge/netfilter/nf_tabl
We cannot make a direct call to nf_ip6_checksum_partial() because that
would result in autoloading the 'ipv6' module because of symbol
dependencies. Therefore, define checksum_partial indirection in
nf_ipv6_ops where this really belongs.
For IPv4, we can indeed make a direct function call, whi
Use new native NFPROTO_INET support in netfilter core, this gets rid of
ad-hoc code in the nf_tables API codebase.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables_ipv4.h | 2 -
include/net/netfilter/nf_tables_ipv6.h | 2 -
net/ipv4/netfilter/nf_tables_ipv4.c | 3 +-
ne
This is only used by nf_queue.c and this function comes with no symbol
dependencies with IPv6, it just refers to structure layouts. Therefore,
we can replace it by a direct function call from where it belongs.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter.h | 2 --
From: Florian Westphal
This allows to reuse xt_connlimit infrastructure from nf_tables.
The upcoming nf_tables frontend can just pass in an nftables register
as input key, this allows limiting by any nft-supported key, including
concatenations.
For xt_connlimit, pass in the zone and the ip/ipv6
Users cannot forge malformed IPv4/IPv6 headers via raw sockets that they
can inject into the stack. Specifically, not for IPv4 since 55888dfb6ba7
("AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl
(v2)"). IPv6 raw sockets also ensure that packets have a well-formed
IPv6 header availa
This new bit tells us that the conntrack entry is owned by the flow
table offload infrastructure.
# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 src=10.141.10.2 dst=147.75.205.195 sport=36392 dport=443
src=147.75.205.195 dst=192.168.2.195 sport=443 dport=36392 [OFFLOAD] mark=0
zone=0 use=2
This macro is unnecessary, it just hides details for one single caller.
nfnl_dereference() is just enough.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 3 ---
net/netfilter/nf_tables_api.c | 6 +++---
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/
This abstraction has no clients anymore, remove it.
This is what remains from previous authors, so correct copyright
statement after recent modifications and code removal.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter.h | 13 -
net/bridge/netfilter/nf_ta
We cannot make a direct call to nf_ip6_route() because that would result
in autoloading the 'ipv6' module because of symbol dependencies.
Therefore, define route indirection in nf_ipv6_ops where this really
belongs.
For IPv4, we can indeed make a direct function call, which is faster,
given IPv
We cannot make a direct call to nf_ip6_reroute() because that would result
in autoloading the 'ipv6' module because of symbol dependencies.
Therefore, define reroute indirection in nf_ipv6_ops where this really
belongs.
For IPv4, we can indeed make a direct function call, which is faster,
given
This patch defines the API to interact with flow tables, this allows to
add, delete and lookup for entries in the flow table. This also adds the
generic garbage code that removes entries that have expired, i.e. no
traffic has been seen for a while.
Users of the flow table infrastructure can delete
From: "Gustavo A. R. Silva"
Make use of the swap macro and remove unnecessary variables tmp.
This makes the code easier to read and maintain.
This code was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
This patch adds the IPv6 flow table type, that implements the datapath
flow table to forward IPv6 traffic.
This patch exports ip6_dst_mtu_forward() that is required to check for
mtu to pass up packets that need PMTUD handling to the classic
forwarding path.
Signed-off-by: Pablo Neira Ayuso
---
This patch adds the IPv6 flow table type, that implements the datapath
flow table to forward IPv6 traffic.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 5
net/ipv4/netfilter/nf_flow_table_ipv4.c | 3 ++-
net/ipv6/netfilter/nf_flow_table_ipv6.c | 3 ++-
n
This patch introduces a netlink control plane to create, delete and dump
flow tables. Flow tables are identified by name, this name is used from
rules to refer to a specific flow table. Flow tables use the rhashtable
class and a generic garbage collector to remove expired entries.
This also adds
From: Jozsef Kadlecsik
The matching of the counters was not taken into account, fixed.
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/ipset/ip_set.h | 6 ++
include/linux/netfilter/ipset/ip_set_counter.h | 25 --
net/netfilter/ipset
From: Jozsef Kadlecsik
Patch "netfilter: ipset: use nfnl_mutex_is_locked" added the real
mutex locking check, which revealed the missing locking in ip_set_net_exit().
Signed-off-by: Jozsef Kadlecsik
Reported-by: syzbot+36b06f219f2439fe6...@syzkaller.appspotmail.com
Signed-off-by: Pablo Neira
Add new instruction for the nf_tables VM that allows us to specify what
flows are offloaded into a given flow table via name. This new
instruction creates the flow entry and adds it to the flow table.
Only established flows, i.e. we have seen traffic in both directions, are
added to the flow table.
This patch adds the IPv4 flow table type, that implements the datapath
flow table to forward IPv4 traffic. Rationale is:
1) Look up for the packet in the flow table, from the ingress hook.
2) If there's a hit, decrement ttl and pass it on to the neighbour layer
for transmission.
3) If there's a
From: Florian Westphal
replacement for iptables "-m policy --dir in --policy {ipsec,none}".
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_meta.c | 43
2
Hi David,
The following patchset contains Netfilter/IPVS updates for your
net-next tree:
1) Free hooks via call_rcu to speed up netns release path, from
Florian Westphal.
2) Reduce memory footprint of hook arrays, skip allocation if family is
not present - useful in case decnet support is
This is only needed by nf_queue, place this code where it belongs.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter.h | 1 -
net/ipv4/netfilter.c | 1 -
net/ipv6/netfilter.c | 1 -
net/netfilter/nf_queue.c | 22 --
4 files changed, 16 insertions(+),
They don't belong to the family definition, move them to the filter
chain type definition instead.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 4 +---
net/bridge/netfilter/nf_tables_bridge.c | 14 +++---
net/ipv4/netfilter/nf_tables_arp.c | 8 +++
From: Florian Westphal
Check that we really hold nfnl mutex here instead of relying on correct
usage alone.
Signed-off-by: Florian Westphal
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipset/ip_set_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
On Mon, Jan 08, 2018 at 11:28:18PM +0530, Harsha Sharma wrote:
> This patch adds code to delete table via unique table handle and table
> family.
>
> Signed-off-by: Harsha Sharma
> ---
> Changes in v2:
> - Remove nf_tables_afinfo_lookup_byhandle
> - Change log message
>
> net/netfilter/nf_tabl
This patch adds code to delete table via unique table handle and table
family.
Signed-off-by: Harsha Sharma
---
Changes in v2:
- Remove nf_tables_afinfo_lookup_byhandle
- Change log message
net/netfilter/nf_tables_api.c | 45 +--
1 file changed, 43 inser
This patch allows deletion of table via unique table handles and table
family which can be listed with '-a' option.
For example:
nft delete table [] [handle ]
Signed-off-by: Harsha Sharma
---
Changes in v3:
- Add tableid_spec
- Change log message
Changes in v2:
- remove tableid_spec
src/parser_bi
Fixes: db2ff0f2f440 ("netfilter: nf_tables: flow offload expression")
Signed-off-by: Fengguang Wu
---
nft_flow_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index b7c7082..e7f16fe 100644
--- a/
kbuild test robot reports a compilation error in
rhashtable_walk_start() in the new net/netfilter/nf_flow_table.c,
given this has changed in net-next.
Sorry for the inconvenience.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vg
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: 7844629488fd1489d19a08ce25a51e03e69834a7
commit: 7844629488fd1489d19a08ce25a51e03e69834a7 [54/54] Merge
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
config: ia64-allmodconfig (attached as .conf
On Mon, Jan 08, 2018 at 02:45:16PM +0100, Ahmed AbdelSalam wrote:
>
> > On 8 Jan 2018, at 14:37, Pablo Neira Ayuso wrote:
> >
> > On Sun, Jan 07, 2018 at 07:22:02PM +0100, Ahmed Abdelsalam wrote:
> >> It allows matching packets based on Segment Routing Header
> >> (SRH) information.
> >> The imp
Hi Subash,
One more concern before this gets upstream.
On Wed, Jan 03, 2018 at 09:24:47PM -0700, Subash Abhinov Kasiviswanathan wrote:
> conntrack defrag is needed only if some module like CONNTRACK or NAT
> explicitly requests it. For plain forwarding scenarios, defrag is
> not needed and can be
On Sun, Jan 07, 2018 at 07:22:02PM +0100, Ahmed Abdelsalam wrote:
> It allows matching packets based on Segment Routing Header
> (SRH) information.
> The implementation considers revision 7 of the SRH draft.
> https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
>
> Currently supp
On Mon, Jan 08, 2018 at 01:31:52PM +0100, Florian Westphal wrote:
> We need to retain the 'case' statement, otherwise, if e.g. arp tables
> isn't supported first NF_HOOK(NFPROTO_ARP, ... will produce a bogus
> WARN_ON().
Applied, thanks Florian.
On Sat, Jan 06, 2018 at 04:36:06PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please consider to apply the next patches:
>
> - A patch to use the swap() macro instead of the manual coding
> from Gustavo A. R. Silva
> - A fix to take into account the possible counter value matching
> for t
We need to retain the 'case' statement, otherwise, if e.g. arp tables
isn't supported first NF_HOOK(NFPROTO_ARP, ... will produce a bogus
WARN_ON().
Fixes: 8de98f05836 ("netfilter: don't allocate space for arp/bridge hooks
unless needed")
Signed-off-by: Florian Westphal
---
include/linux/netfil