gmane.comp.security.firewalls.netfilter.devel

Re: [PATCH 2/2] ipvs: Fix reuse connection if real server is dead

Simon Horman — 2013-05-24T03:01:15

Sure, will do.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] ipv4: netfilter: always let NUL terminated string ended by '\0'

Chen Gang — 2013-05-24T01:11:08

Thank you too.

Re: [PATCH] ipv4: netfilter: always let NUL terminated string ended by '\0'

Chen Gang — 2013-05-23T11:59:19

Yes, for 'loginfo->prefix', really it is.

But for 'prefix', it is 128. the call work flow is:

  nf_log_packet() ->  "char prefix[NF_LOG_PREFIXLEN];"
    logger->logfn() -> "prefix as last parameter"
      ipt_logfn() ->   "prefix as last parameter"
        ipt_ulog_packet() "prefix as last parameter"

  netfilter/nf_log.c:16:#define NF_LOG_PREFIXLEN128


Thanks.

Re: [PATCH] ipv4: netfilter: always let NUL terminated string ended by '\0'

Pablo Neira Ayuso — 2013-05-23T11:49:50

Both are ULOG_PREFIX_LEN long.

From include/uapi/linux/netfilter_ipv4/ipt_ULOG.h:

/* private data structure for each rule with a ULOG target */
struct ipt_ulog_info {
        unsigned int nl_group;
        size_t copy_range;
        size_t qthreshold;
        char prefix[ULOG_PREFIX_LEN];
};

/* Format of the ULOG packets passed through netlink */
typedef struct ulog_packet_msg {
        unsigned long mark;
        long timestamp_sec;
        long timestamp_usec;
        unsigned int hook;
        char indev_name[IFNAMSIZ];
        char outdev_name[IFNAMSIZ];
        size_t data_len;
        char prefix[ULOG_PREFIX_LEN];
        unsigned char mac_len;
        unsigned char mac[ULOG_MAC_LEN;
        unsigned char payload[0];
} ulog_packet_msg_t;
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] ipv4: netfilter: always let NUL terminated string ended by '\0'

Chen Gang — 2013-05-23T11:39:39

Really it is.

And 'prefix' max length is 128 (NF_LOG_PREFIXLEN), and 'pm->prefix' max
length is 32 (ULOG_PREFIX_LEN), so we still need this patch, but need
improved.

So I should send patch v2.


Thanks.

Re: [PATCH 2/2] ipvs: Fix reuse connection if real server is dead

Pablo Neira Ayuso — 2013-05-23T11:34:35

Hi Simon,

On Wed, May 22, 2013 at 02:56:49PM +0900, Simon Horman wrote:

We can get this fix into 3.10-rc.

Please, address the comestic cleanups proposed by Sergei and resubmit
against the nf tree.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH v2] examples: XML parsing examples

Pablo Neira Ayuso — 2013-05-23T11:22:11

Applied with minor comestic cleanups, thanks Arturo.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [libnftables PATCH v4] src: support for XML parsing

Pablo Neira Ayuso — 2013-05-23T11:21:19

I fixed compilation without --with-xml-parsing, that case was probably
untested.

Finally applied with minor glitches. If you have follow up patches,
please make sure you rebase your tree upon current.

Thanks Arturo.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] netfilter: add and use nf_ipv6_ops in xt_addrtype

Pablo Neira Ayuso — 2013-05-23T11:18:43

Applied to nf, thanks Florian.

I made some minor glitches (see below).


Renamed this to chk_addr, all functions there will be ipv6 related and
moved this to include/linux/netfilter_ipv6.h
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 3/3] netfilter: {ipt,ebt}_ULOG: rise warning on deprecation

Pablo Neira Ayuso — 2013-05-23T11:09:48

Fixed and applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/3] netfilter: don't panic on error while walking through the init path

Pablo Neira Ayuso — 2013-05-23T11:09:24

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] bridge: netfilter: using strlcpy() instead of strncpy()

Chen Gang — 2013-05-23T10:57:05

Thank you too.

Re: [PATCH net-next] netfilter: xt_socket: use IP early demux

Pablo Neira Ayuso — 2013-05-23T10:53:44

Applied to nf-next, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 1/3] netfilter: ctnetlink: attach expectations to unconfirmed conntracks

Gao feng — 2013-05-23T09:34:43

Shouldn't we get reference of nf_ct_tuplehash_to_ctrack(h) here?
ctnetlink_create_expect will call nf_ct_put to release the reference finally.

or I miss something?


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 3/3] netfilter: {ipt,ebt}_ULOG: rise warning on deprecation

Gao feng — 2013-05-23T08:59:12

par->net->xt.ebt_ulog_warn_deprecated?

anyway
Acked-by: Gao feng <gaofeng< at >cn.fujitsu.com>


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/3] netfilter: don't panic on error while walking through the init path

Gao feng — 2013-05-23T08:50:48

Acked-by: Gao feng <gaofeng< at >cn.fujitsu.com>


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 2/3] netfilter: don't panic on error while walking through the init path

Pablo Neira Ayuso — 2013-05-23T08:42:36

Don't panic if we hit an error while adding the nf_log or pernet
netfilter support, just bail out.

Signed-off-by: Pablo Neira Ayuso <pablo< at >netfilter.org>
---
 net/netfilter/core.c   |   19 ++++++++++++++-----
 net/netfilter/nf_log.c |    5 +----
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 07c865a..3905104 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
< at >< at > -304,15 +304,24 < at >< at > static struct pernet_operations netfilter_net_ops = {
 
 void __init netfilter_init(void)
 {
-int i, h;
+int i, h, ret;
+
 for (i = 0; i < ARRAY_SIZE(nf_hooks); i++) {
 for (h = 0; h < NF_MAX_HOOKS; h++)
 INIT_LIST_HEAD(&nf_hooks[i][h]);
 }
 
-if (register_pernet_subsys(&netfilter_net_ops) < 0)
-panic("cannot create netfilter proc entry");
+ret = register_pernet_subsys(&netfilter_net_ops);
+if (ret < 0)
+goto err;
+
+ret = netfilter_log_init();
+if (ret < 0)
+goto err_pernet;
 
-if (netfilter_log_init() < 0)
-panic("cannot initializ

[PATCH 1/3] netfilter: ctnetlink: attach expectations to unconfirmed conntracks

Pablo Neira Ayuso — 2013-05-23T08:42:35

This patch adds the capability to attach expectations to unconfirmed
conntrack entries. This patch is required by the DHCPv6 helper in
user-space.

Signed-off-by: Pablo Neira Ayuso <pablo< at >netfilter.org>
---
 include/net/netfilter/nf_conntrack.h               |    4 ++++
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |    1 +
 net/netfilter/nf_conntrack_core.c                  |   20 ++++++++++++++++++++
 net/netfilter/nf_conntrack_netlink.c               |   14 ++++++++++++--
 4 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 644d9c2..d172fc5 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
< at >< at > -180,6 +180,10 < at >< at > extern struct nf_conntrack_tuple_hash *
 __nf_conntrack_find(struct net *net, u16 zone,
     const struct nf_conntrack_tuple *tuple);
 
+struct nf_conntrack_tuple_hash *
+nf_ct_unconfirmed_find(struct net *net, u16 zone,
+       const struct nf_conntrack_

[PATCH 3/3] netfilter: {ipt,ebt}_ULOG: rise warning on deprecation

Pablo Neira Ayuso — 2013-05-23T08:42:37

This target has been superseded by NFLOG. Spot a warning
so we prepare removal in a couple of years.

Signed-off-by: Pablo Neira Ayuso <pablo< at >netfilter.org>
---
 include/net/netns/x_tables.h    |    6 ++++++
 net/bridge/netfilter/ebt_ulog.c |    6 ++++++
 net/ipv4/netfilter/Kconfig      |    2 +-
 net/ipv4/netfilter/ipt_ULOG.c   |    6 ++++++
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index c24060e..02fe40f 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
< at >< at > -15,5 +15,11 < at >< at > struct netns_xt {
 struct ebt_table *frame_filter;
 struct ebt_table *frame_nat;
 #endif
+#if IS_ENABLED(CONFIG_IP_NF_TARGET_ULOG)
+bool ulog_warn_deprecated;
+#endif
+#if IS_ENABLED(CONFIG_BRIDGE_EBT_ULOG)
+bool ebt_ulog_warn_deprecated;
+#endif
 };
 #endif
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index fc1905c..bfc40c7 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilte

[PATCH v2] xtables: Add locking to prevent concurrent instances

Phil Oester — 2013-05-22T22:36:34

There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously.  Currently
open bug reports which are related:

325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts

As Patrick notes in 325:  "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."

I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile.  But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up.  And this also requires a writable filesystem.  Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.

Starting in 2.2, Linux added support for abstract sockets.  These sockets
require no filesy

Re: [PATCH v2 nf-next] netfilter: conntrack: remove the central spinlock

Eric Dumazet — 2013-05-22T21:34:49

Typical machines have less than 10 structures like this one, there is no
gain trying to save some bytes, and more gain trying to get correct
alignments ;)

While conntracking can easily consume more than 10.000.000 conntracks on
a machine.



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html