<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.firewalls.netfilter.devel">
    <title>gmane.comp.security.firewalls.netfilter.devel</title>
    <link>http://blog.gmane.org/gmane.comp.security.firewalls.netfilter.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42820"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42819"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42818"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42817"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42815"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42814"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42813"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42811"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42810"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42809"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42807"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42799"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42798"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42797"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42796"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42794"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42793"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42792"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42791"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42790"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42820">
    <title>Re: [PATCH 05/17] netfilter: add namespace support for l4proto_tcp</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42820</link>
    <description>&lt;pre&gt;Hi Gao,

While having a look at this again, I have two new requests:

On Mon, May 14, 2012 at 04:52:15PM +0800, Gao feng wrote:
[...]
[...]

You can make a generic function to set the ctl_data that you can
reuse for this code above and the one below.


I have bad experience with code that has lots of #ifdef's.

Please, split all *_init_net into smaller functions.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo&amp;lt; at &amp;gt;vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

&lt;/pre&gt;</description>
    <dc:creator>Pablo Neira Ayuso</dc:creator>
    <dc:date>2012-05-25T03:00:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42819">
    <title>Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42819</link>
    <description>&lt;pre&gt;
Could you resolve this by checking pn-&amp;gt;ctl_compat_header != NULL?

&lt;/pre&gt;</description>
    <dc:creator>Pablo Neira Ayuso</dc:creator>
    <dc:date>2012-05-25T02:54:51</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42818">
    <title>Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42818</link>
    <description>&lt;pre&gt;On 2012-05-24 22:38, Pablo Neira Ayuso wrote:

Sorry, I missed something.

nf_ct_l4proto_unregister_sysctl also uses .compat to identify whether we
can unregister the compat sysctl.

If we register both l4proto_tcp and l4proto_tcp6 without .compat,
then when we unregister l4proto_tcp6, the compat sysctl will be unregistered too.

So maybe we have to use .compat.

&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-25T01:05:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42817">
    <title>Re: [v5 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42817</link>
    <description>&lt;pre&gt;
Looks good to me.  Thanks for your patience!

&lt;/pre&gt;</description>
    <dc:creator>Florian Westphal</dc:creator>
    <dc:date>2012-05-24T20:42:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42815">
    <title>Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42815</link>
    <description>&lt;pre&gt;[...]

If this removes the .compat field that you added, then use two
init_net functions, yes.

&lt;/pre&gt;</description>
    <dc:creator>Pablo Neira Ayuso</dc:creator>
    <dc:date>2012-05-24T14:38:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42814">
    <title>[v5 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42814</link>
    <description>&lt;pre&gt;Implement a new "fail-open" mode where packets are not dropped
upon queue-full condition. This mode can be enabled/disabled per
queue using netlink NFQA_CFG_FLAGS &amp;amp; NFQA_CFG_MASK attributes.

Signed-off-by: Krishna Kumar &amp;lt;krkumar2&amp;lt; at &amp;gt;in.ibm.com&amp;gt;
Signed-off-by: Vivek Kashyap &amp;lt;vivk&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
Signed-off-by: Sridhar Samudrala &amp;lt;samudrala&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
---
 include/linux/netfilter/nfnetlink_queue.h |    5 ++
 net/netfilter/nfnetlink_queue.c           |   40 ++++++++++++++++++--
 2 files changed, 42 insertions(+), 3 deletions(-)

diff -ruNp org/include/linux/netfilter/nfnetlink_queue.h new/include/linux/netfilter/nfnetlink_queue.h
--- org/include/linux/netfilter/nfnetlink_queue.h2012-05-24 15:47:52.361984483 +0530
+++ new/include/linux/netfilter/nfnetlink_queue.h2012-05-24 16:06:29.123911109 +0530
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -84,8 +84,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; enum nfqnl_attr_config {
 NFQA_CFG_CMD,/* nfqnl_msg_config_cmd */
 NFQA_CFG_PARAMS,/* nfqnl_msg_config_params */
 NFQA_CFG_QUEUE_MAXLEN,/* __u32 */
+NFQA_CFG_MASK,/* identify which flags to change */
+NFQA_CFG_FLAGS,/* value of these flags (__u32) */
 __NFQA_CFG_MAX
 };
 #define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
 
+/* Flags for NFQA_CFG_FLAGS */
+#define NFQA_CFG_F_FAIL_OPEN(1 &amp;lt;&amp;lt; 0)
+
 #endif /* _NFNETLINK_QUEUE_H */
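
Review bot: the comment on NFQA_CFG_FLAGS now reads __u32, but the attribute is read with nla_get_be32 and ntohl in the nfqnl_recv_config hunk, so the on-wire type is __be32 (the v4 comment had it right); say __be32 for both NFQA_CFG_FLAGS and NFQA_CFG_MASK, since NFQA_CFG_MASK currently carries no type annotation at all.
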
diff -ruNp org/net/netfilter/nfnetlink_queue.c new/net/netfilter/nfnetlink_queue.c
--- org/net/netfilter/nfnetlink_queue.c2012-05-24 15:47:52.366985562 +0530
+++ new/net/netfilter/nfnetlink_queue.c2012-05-24 18:12:04.695509859 +0530
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -52,6 +52,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; struct nfqnl_instance {
 
 u_int16_t queue_num;/* number of this queue */
 u_int8_t copy_mode;
+u_int32_t flags;/* Set using NFQA_CFG_FLAGS */
 /*
  * Following fields are dirtied for each queued packet,
  * keep them in same cache line if possible.
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -406,6 +407,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; nfqnl_enqueue_packet(struct nf_queue_ent
 struct nfqnl_instance *queue;
 int err = -ENOBUFS;
 __be32 *packet_id_ptr;
+int failopen = 0;
 
 /* rcu_read_lock()ed by nf_hook_slow() */
 queue = instance_lookup(queuenum);
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -431,9 +433,14 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; nfqnl_enqueue_packet(struct nf_queue_ent
 goto err_out_free_nskb;
 }
 if (queue-&amp;gt;queue_total &amp;gt;= queue-&amp;gt;queue_maxlen) {
-queue-&amp;gt;queue_dropped++;
-net_warn_ratelimited("nf_queue: full at %d entries, dropping packets(s)\n",
-     queue-&amp;gt;queue_total);
+if (queue-&amp;gt;flags &amp;amp; NFQA_CFG_F_FAIL_OPEN) {
+failopen = 1;
+err = 0;
+} else {
+queue-&amp;gt;queue_dropped++;
+net_warn_ratelimited("nf_queue: full at %d entries, dropping packets(s)\n",
+     queue-&amp;gt;queue_total);
+}
 goto err_out_free_nskb;
 }
 entry-&amp;gt;id = ++queue-&amp;gt;id_sequence;
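
Review bot: the fail-open branch at the top of this hunk accepts the packet without inspection but records nothing, so once the flag is set the only existing signal of saturation (queue_dropped and the ratelimited warning) goes quiet; a separate counter next to queue_dropped, exposed wherever queue_dropped already is, would let an operator see how much traffic bypassed userspace inspection while the queue was full. Unrelated but visible: the warning text still says packets(s), which could be fixed while the line is being moved.
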
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -455,6 +462,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; err_out_free_nskb:
 kfree_skb(nskb);
 err_out_unlock:
 spin_unlock_bh(&amp;amp;queue-&amp;gt;lock);
+if (failopen)
+nf_reinject(entry, NF_ACCEPT);
 err_out:
 return err;
 }
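
Review bot: calling nf_reinject only after spin_unlock_bh is the right order, as discussed upthread, since a reinjected packet that hits the same queue in a later chain would otherwise deadlock on the queue lock; the branch also relies on err having been set to 0 in the fail-open path, so that the caller treats the packet as successfully queued and leaves ownership of entry to nf_reinject, and a short comment stating that here would make the coupling explicit.
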
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -858,6 +867,31 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; nfqnl_recv_config(struct sock *ctnl, str
 spin_unlock_bh(&amp;amp;queue-&amp;gt;lock);
 }
 
+if (nfqa[NFQA_CFG_FLAGS]) {
+__u32 flags, mask;
+
+if (!queue) {
+ret = -ENODEV;
+goto err_out_unlock;
+}
+
+if (!nfqa[NFQA_CFG_MASK]) {
+/* A mask is needed to specify which flags are being
+ * changed.
+ */
+ret = -EINVAL;
+goto err_out_unlock;
+}
+
+flags = ntohl(nla_get_be32(nfqa[NFQA_CFG_FLAGS]));
+mask = ntohl(nla_get_be32(nfqa[NFQA_CFG_MASK]));
+
+spin_lock_bh(&amp;amp;queue-&amp;gt;lock);
+queue-&amp;gt;flags &amp;amp;= ~mask;
+queue-&amp;gt;flags |= flags &amp;amp; mask;
+spin_unlock_bh(&amp;amp;queue-&amp;gt;lock);
+}
+
 err_out_unlock:
 rcu_read_unlock();
 return ret;
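
Review bot: neither NFQA_CFG_FLAGS nor NFQA_CFG_MASK is added to the nla_policy array for the config attributes in this diff, so unless that policy is extended with NLA_U32 entries for both, nla_get_be32 reads four bytes from an attribute whose length was never validated; add the policy entries so a short attribute is rejected by nla_parse before this code runs. The mask is also stored without being checked against the defined flag bits; returning -EINVAL when mask contains anything other than NFQA_CFG_F_FAIL_OPEN keeps the remaining bits reserved for the future flags the cover letter mentions and makes unsupported requests fail loudly instead of being silently accepted.
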


&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar</dc:creator>
    <dc:date>2012-05-24T13:56:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42813">
    <title>[v5 PATCH 0/1] netfilter: "fail-open" feature support for NFQUEUE</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42813</link>
    <description>&lt;pre&gt;Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However during heavy load,
the queue fills up and connections fail when a large number of packets
get dropped.

This patch implements "failopen" support for NFQUEUE to help keep
connections open during such failures. This is achieved by allowing
acceptance of packets temporarily when the queue is full, which
enables existing connections to be kept open.

Failopen is enabled/disabled using a new call - nfq_set_flags(qh,
mask, flags), which makes use of two new netlink attributes:
NFQA_CFG_MASK -  Specifies which flags are being modified.
NFQA_CFG_FLAGS - Set/reset the bits for each of those flags.


Tests done:
------------
- netperf TCP_STREAM.
- 64 netperf stress testing to ensure there are no memory leaks.
- icmp ping.
- enabling/disabling failopen in the middle of existing connections.
- checksum verification of transferred files using scp.
- different flag/mask values to check that code handling NFQA_CFG_MASK
  works as expected.


Test results:
-------------
Server:
-------
# iptables -A INPUT -p tcp -m mac --mac-source 00:00:C9:C6:4F:22 \
-j NFQUEUE --queue-num 0
# Run interceptor program with 50ms delay between packet processing,
  and also sets qlen to 16. After every read system call, this program
  tests and reads a config file's contents and calls
  nfq_set_flags(qh, mask, flags).

Client:
-------
---&amp;gt; failopen is disabled on server at this time
# netperf -v0 -H 10.0.4.1
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.4.1 (10.0.4.1) port 0 AF_INET
0.16   
---&amp;gt; failopen is enabled on server at this time
# netperf -v0 -H 10.0.4.1
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.4.1 (10.0.4.1) port 0 AF_INET
2292.82 

---&amp;gt; failopen is disabled on server at this time
# scp FILE 10.0.4.1:/tmp
FILE                             0% 2960KB  88.4KB/s 12:19:37 ETA
---&amp;gt; Enable failopen on server at this time
FILE                             21%  809MB  44.2MB/s   01:08 ETA
---&amp;gt; Disable failopen on server at this time
FILE                             23%  903MB 157.4KB/s 5:18:01 ETA
---&amp;gt; Enable failopen on server at this time
FILE                             100% 3835MB  24.1MB/s   02:39    

Changes from rev4:
------------------

1. Localize all changes to net/netfilter/nfnetlink_queue.c, which
helps remove GSO handling and other code in core.


Changes from rev3:
------------------

1. Changed flags/mask to big-endian.
2. Use nla_get_be32 instead of nla_data to access flags/masks.
3. Cleaned up some comments.


Changes from rev2:
------------------

1. Changed NFQA_CFG_FAIL_OPEN to generic NFQA_CFG_FLAGS and NFQA_CFG_MASK to
support new flags/options in future.
2. Enqueue handler changed to return -ENOSPC on queue-full condition.
3. Do not invoke okfn on -ENOSPC, but process all hooks first. nf_hook_slow
   has code to handle failopen.

Please review.

Signed-off-by: Krishna Kumar &amp;lt;krkumar2&amp;lt; at &amp;gt;in.ibm.com&amp;gt;
Signed-off-by: Vivek Kashyap &amp;lt;vivk&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
Signed-off-by: Sridhar Samudrala &amp;lt;samudrala&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
---


&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar</dc:creator>
    <dc:date>2012-05-24T13:56:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42811">
    <title>Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42811</link>
    <description>&lt;pre&gt;On 2012-05-24 17:52, Pablo Neira Ayuso wrote:

Sounds good, but the l4protos except l4proto_generic are enabled by
insmod'ing modules (such as nf_conntrack_ipv4, nf_conntrack_proto_udplite).

So I think it makes no sense to init all protocols here, unless we decide
to put those protos into the nf_conntrack module.


&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T11:07:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42810">
    <title>Re: [PATCH 03/17] netfilter: add namespace support for l3proto</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42810</link>
    <description>&lt;pre&gt;On 2012-05-24 18:04, Pablo Neira Ayuso wrote:

Yes, I will add a comment to make it clearer ;)


&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T10:57:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42809">
    <title>Re: [v4 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42809</link>
    <description>&lt;pre&gt;
Good catch.  Yes, the lock should be dropped, else we
deadlock when the same queue is hit in the next table/chain.


Yes.

Thanks,
Florian

&lt;/pre&gt;</description>
    <dc:creator>Florian Westphal</dc:creator>
    <dc:date>2012-05-24T10:53:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42807">
    <title>Re: [v4 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42807</link>
    <description>&lt;pre&gt;Florian Westphal &amp;lt;fw&amp;lt; at &amp;gt;strlen.de&amp;gt; wrote on 05/24/2012 03:00:43 PM:


No, I think it should work fine. Do this after dropping the lock?


Yes, that will help remove quite a bit of code from the front-end.


Maybe just use __u32 type for flags/mask?

Thanks,
- KK


&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar2</dc:creator>
    <dc:date>2012-05-24T10:31:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42799">
    <title>Re: [v4 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42799</link>
    <description>&lt;pre&gt;
What about this:

if (queue-&amp;gt;queue_total &amp;gt;= queue-&amp;gt;queue_maxlen) {
if (queue-&amp;gt;flags &amp;amp; NFQA_CFG_F_FAIL_OPEN) {
nf_reinject(entry, NF_ACCEPT);
err = 0;
goto err_out_free_nskb;
}
queue-&amp;gt;queue_dropped++;
net_warn_ratelimited("nf_queue: full at %d entries, dropping packets(s)\n",

[..]

Do you see any problems with that?

It should do the same as the nf_hook_slow/nf_queue ENOSPC changes while
avoiding modifications outside the queueing backend.


[..]


ntohl returns __u32 type.

Thanks,
Florian

&lt;/pre&gt;</description>
    <dc:creator>Florian Westphal</dc:creator>
    <dc:date>2012-05-24T09:30:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42798">
    <title>[v4 PATCH 0/1] netfilter: "fail-open" feature support for NFQUEUE</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42798</link>
    <description>&lt;pre&gt;Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However during heavy load,
the queue fills up and connections fail when a large number of packets
get dropped.

This patch implements "failopen" support for NFQUEUE to help keep
connections open during such failures. This is achieved by allowing
acceptance of packets temporarily when the queue is full, which
enables existing connections to be kept open.

Failopen is enabled/disabled using a new call - nfq_set_flags(qh,
mask, flags), which makes use of two new netlink attributes:
NFQA_CFG_MASK -  Specifies which flags are being modified.
NFQA_CFG_FLAGS - Set/reset the bits for each of those flags.


Tests done:
------------
- netperf TCP_STREAM
- 64 netperf stress testing to ensure there are no memory leaks
- icmp ping
- enabling/disabling failopen in the middle of existing connections
- checksum verification of transferred files using scp
- different flag/mask values to check that code handling NFQA_CFG_MASK
  works as expected


Test results:
-------------
Server:
-------
# iptables -A INPUT -p tcp -m mac --mac-source 00:00:C9:C6:4F:22 \
-j NFQUEUE --queue-num 0
# Run interceptor program with 50ms delay between packet processing,
  and also sets qlen to 16. After every read system call, this program
  tests and reads a config file's contents and calls
  nfq_set_flags(qh, mask, flags).

Client:
-------
---&amp;gt; failopen is disabled on server at this time
# netperf -v0 -H 10.0.4.1
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.4.1 (10.0.4.1) port 0 AF_INET
0.16   
---&amp;gt; failopen is enabled on server at this time
# netperf -v0 -H 10.0.4.1
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.4.1 (10.0.4.1) port 0 AF_INET
2292.82 

---&amp;gt; failopen is disabled on server at this time
# scp FILE 10.0.4.1:/tmp
FILE                             0% 2960KB  88.4KB/s 12:19:37 ETA
---&amp;gt; Enable failopen on server at this time
FILE                             21%  809MB  44.2MB/s   01:08 ETA
---&amp;gt; Disable failopen on server at this time
FILE                             23%  903MB 157.4KB/s 5:18:01 ETA
---&amp;gt; Enable failopen on server at this time
FILE                             100% 3835MB  24.1MB/s   02:39    


Changes from rev3:
------------------

1. Changed flags/mask to big-endian.
2. Use nla_get_be32 instead of nla_data to access flags/masks.
3. Cleaned up some comments.


Changes from rev2:
------------------

1. Changed NFQA_CFG_FAIL_OPEN to generic NFQA_CFG_FLAGS and NFQA_CFG_MASK to
support new flags/options in future.
2. Enqueue handler changed to return -ENOSPC on queue-full condition.
3. Do not invoke okfn on -ENOSPC, but process all hooks first. nf_hook_slow
   has code to handle failopen.

Please review.

Signed-off-by: Krishna Kumar &amp;lt;krkumar2&amp;lt; at &amp;gt;in.ibm.com&amp;gt;
Signed-off-by: Vivek Kashyap &amp;lt;vivk&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
Signed-off-by: Sridhar Samudrala &amp;lt;samudrala&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
---


&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar</dc:creator>
    <dc:date>2012-05-24T08:25:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42797">
    <title>[v4 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42797</link>
    <description>&lt;pre&gt;Implement a new "fail-open" mode where packets are not dropped
upon queue-full condition. This mode can be enabled/disabled per
queue using netlink NFQA_CFG_FLAGS &amp;amp; NFQA_CFG_MASK attributes.

Signed-off-by: Krishna Kumar &amp;lt;krkumar2&amp;lt; at &amp;gt;in.ibm.com&amp;gt;
Signed-off-by: Vivek Kashyap &amp;lt;vivk&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
Signed-off-by: Sridhar Samudrala &amp;lt;samudrala&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
---
 include/linux/netfilter/nfnetlink_queue.h |    5 ++
 net/netfilter/core.c                      |   37 +++++++++++++++++++-
 net/netfilter/nf_queue.c                  |   15 ++++++--
 net/netfilter/nfnetlink_queue.c           |   36 +++++++++++++++++--
 4 files changed, 86 insertions(+), 7 deletions(-)

diff -ruNp org/include/linux/netfilter/nfnetlink_queue.h new/include/linux/netfilter/nfnetlink_queue.h
--- org/include/linux/netfilter/nfnetlink_queue.h2012-05-23 09:52:54.738660685 +0530
+++ new/include/linux/netfilter/nfnetlink_queue.h2012-05-24 10:25:33.500073415 +0530
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -84,8 +84,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; enum nfqnl_attr_config {
 NFQA_CFG_CMD,/* nfqnl_msg_config_cmd */
 NFQA_CFG_PARAMS,/* nfqnl_msg_config_params */
 NFQA_CFG_QUEUE_MAXLEN,/* __u32 */
+NFQA_CFG_MASK,/* identify which flags to change */
+NFQA_CFG_FLAGS,/* value of these flags (__be32) */
 __NFQA_CFG_MAX
 };
 #define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
 
+/* Flags for NFQA_CFG_FLAGS */
+#define NFQA_CFG_F_FAIL_OPEN(1 &amp;lt;&amp;lt; 0)
+
 #endif /* _NFNETLINK_QUEUE_H */
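
Review bot: NFQA_CFG_F_FAIL_OPEN gets a one-word comment in a uapi header, yet its effect is that packets are accepted without userspace inspection whenever the queue is full; userspace authors reading only this header should be told that, so spell out the semantics (and the security consequence) next to the define rather than leaving it to the commit message.
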
diff -ruNp org/net/netfilter/core.c new/net/netfilter/core.c
--- org/net/netfilter/core.c2012-05-23 09:52:54.740660556 +0530
+++ new/net/netfilter/core.c2012-05-24 11:35:55.958845493 +0530
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -163,6 +163,31 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; repeat:
 return NF_ACCEPT;
 }
 
+/*
+ * Handler was not able to enqueue the packet, and returned ENOSPC
+ * as "fail-open" was enabled. We temporarily accept the skb; or
+ * each segment for a GSO skb and free the header.
+ */
+static void handle_fail_open(struct sk_buff *skb,
+     int (*okfn)(struct sk_buff *))
+{
+struct sk_buff *segs;
+bool gso;
+
+segs = skb-&amp;gt;next ? : skb;
+gso = skb-&amp;gt;next != NULL;
+
+do {
+struct sk_buff *nskb = segs-&amp;gt;next;
+
+segs-&amp;gt;next = NULL;
+okfn(segs);
+segs = nskb;
+} while (segs);
+
+if (gso)
+kfree_skb(skb);
+}
 
 /* Returns 1 if okfn() needs to be executed by the caller,
  * -EPERM for NF_DROP, 0 otherwise. */
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -174,6 +199,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; int nf_hook_slow(u_int8_t pf, unsigned i
 {
 struct list_head *elem;
 unsigned int verdict;
+int failopen = 0;
 int ret = 0;
 
 /* We may already have this, but read-locks nest anyway */
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -184,7 +210,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; next_hook:
 verdict = nf_iterate(&amp;amp;nf_hooks[pf][hook], skb, hook, indev,
      outdev, &amp;amp;elem, okfn, hook_thresh);
 if (verdict == NF_ACCEPT || verdict == NF_STOP) {
-ret = 1;
+if (!failopen) /* don't use the default verdict if 'failopen' */
+ret = 1;
 } else if ((verdict &amp;amp; NF_VERDICT_MASK) == NF_DROP) {
 kfree_skb(skb);
 ret = NF_DROP_GETERR(verdict);
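
Review bot: once failopen is set, a later hook returning NF_DROP reaches the kfree_skb(skb) in this hunk while skb still carries the segment list that the nf_queue.c hunk attached to its next pointer; kfree_skb frees only the head skb, so every reattached segment leaks. Either free the whole list here when failopen is set, or do not hang the segments off the head skb before the remaining hooks have run.
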
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -199,10 +226,18 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; next_hook:
 if (err == -ESRCH &amp;amp;&amp;amp;
    (verdict &amp;amp; NF_VERDICT_FLAG_QUEUE_BYPASS))
 goto next_hook;
+if (err == -ENOSPC) {
+failopen = 1;
+goto next_hook;
+}
 kfree_skb(skb);
 }
 }
 rcu_read_unlock();
+
+if (!ret &amp;amp;&amp;amp; failopen)
+handle_fail_open(skb, okfn);
+
 return ret;
 }
 EXPORT_SYMBOL(nf_hook_slow);
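
Review bot: after -ENOSPC the code jumps to next_hook and keeps iterating the remaining hooks on the original skb, which at that point carries the unqueued segments on its next pointer; any later hook that itself queues, clones or modifies the skb would see a GSO head with a segment list attached, a state hook callbacks do not expect. The v5 reposting confines fail-open to the queue backend and reinjects each segment there, which sidesteps this; if this version is kept, the segment list should at least be detached before the hook walk continues.
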
diff -ruNp org/net/netfilter/nfnetlink_queue.c new/net/netfilter/nfnetlink_queue.c
--- org/net/netfilter/nfnetlink_queue.c2012-05-23 09:52:54.742661899 +0530
+++ new/net/netfilter/nfnetlink_queue.c2012-05-24 13:42:24.155860334 +0530
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -52,6 +52,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; struct nfqnl_instance {
 
 u_int16_t queue_num;/* number of this queue */
 u_int8_t copy_mode;
+u_int32_t flags;/* Set using NFQA_CFG_FLAGS */
 /*
  * Following fields are dirtied for each queued packet,
  * keep them in same cache line if possible.
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -431,9 +432,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; nfqnl_enqueue_packet(struct nf_queue_ent
 goto err_out_free_nskb;
 }
 if (queue-&amp;gt;queue_total &amp;gt;= queue-&amp;gt;queue_maxlen) {
-queue-&amp;gt;queue_dropped++;
-net_warn_ratelimited("nf_queue: full at %d entries, dropping packets(s)\n",
-     queue-&amp;gt;queue_total);
+if (queue-&amp;gt;flags &amp;amp; NFQA_CFG_F_FAIL_OPEN) {
+err = -ENOSPC;
+} else {
+queue-&amp;gt;queue_dropped++;
+net_warn_ratelimited("nf_queue: full at %d entries, dropping packets(s)\n",
+     queue-&amp;gt;queue_total);
+}
 goto err_out_free_nskb;
 }
 entry-&amp;gt;id = ++queue-&amp;gt;id_sequence;
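
Review bot: -ENOSPC is reused here as an in-band signal that the queue is full and fail-open is on, and that exact value then has to be recognised unchanged in __nf_queue, nf_queue and nf_hook_slow; any path in between that returns -ENOSPC for an unrelated reason would be treated as a fail-open accept. A dedicated return value or an explicit flag on the entry would be harder to misinterpret, and, as the v5 changelog notes, handling the condition inside this file removes the need to propagate it at all.
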
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -858,6 +863,31 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; nfqnl_recv_config(struct sock *ctnl, str
 spin_unlock_bh(&amp;amp;queue-&amp;gt;lock);
 }
 
+if (nfqa[NFQA_CFG_FLAGS]) {
+__be32 flags, mask;
+
+if (!queue) {
+ret = -ENODEV;
+goto err_out_unlock;
+}
+
+if (!nfqa[NFQA_CFG_MASK]) {
+/* A mask is needed to specify which flags are being
+ * changed.
+ */
+ret = -EINVAL;
+goto err_out_unlock;
+}
+
+flags = ntohl(nla_get_be32(nfqa[NFQA_CFG_FLAGS]));
+mask = ntohl(nla_get_be32(nfqa[NFQA_CFG_MASK]));
+
+spin_lock_bh(&amp;amp;queue-&amp;gt;lock);
+queue-&amp;gt;flags &amp;amp;= ~mask;
+queue-&amp;gt;flags |= flags &amp;amp; mask;
+spin_unlock_bh(&amp;amp;queue-&amp;gt;lock);
+}
+
 err_out_unlock:
 rcu_read_unlock();
 return ret;
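
Review bot: flags and mask are declared __be32 but assigned from ntohl, which returns host-order __u32, and are then combined with the u_int32_t flags field of the queue; sparse will warn about the mixed endian annotations. Declare both as __u32 (as agreed upthread) since ntohl has already converted them, or drop the ntohl and keep __be32 throughout, but not both.
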
diff -ruNp org/net/netfilter/nf_queue.c new/net/netfilter/nf_queue.c
--- org/net/netfilter/nf_queue.c2012-05-23 09:52:54.739533744 +0530
+++ new/net/netfilter/nf_queue.c2012-05-24 11:34:46.302003629 +0530
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -268,14 +268,23 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; int nf_queue(struct sk_buff *skb,
 err = __nf_queue(segs, elem, pf, hook, indev,
    outdev, okfn, queuenum);
 }
-if (err == 0)
+
+if (err == 0) {
 queued++;
-else
+} else if (err == -ENOSPC) {
+/* Enqueue failed due to queue-full and handler is
+ * in "fail-open" mode.
+ */
+segs-&amp;gt;next = nskb;
+skb-&amp;gt;next = segs;
+break;
+} else {
 kfree_skb(segs);
+}
 segs = nskb;
 } while (segs);
 
-if (queued) {
+if (queued &amp;amp;&amp;amp; err != -ENOSPC) {
 kfree_skb(skb);
 return 0;
 }
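
Review bot: on -ENOSPC the loop breaks with the remaining segments reattached to skb, but segments queued before that point (queued greater than 0) are already owned by the queue and will be reinjected by userspace on their own, so one GSO super-packet ends up half inspected and half accepted with no ordering guarantee between the two halves. The final condition (queued set and err not -ENOSPC) then lets that partially consumed skb fall through to whatever follows the hunk; the partially-queued case needs either explicit handling or a comment stating that it is accepted behaviour.
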


&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar</dc:creator>
    <dc:date>2012-05-24T08:25:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42796">
    <title>reason that iptables mac module only has mac-source option</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42796</link>
    <description>&lt;pre&gt;hi guys,

I am working on the mac module, and I added some ARP-related options
to it. I noticed that this module originally has only the --mac-source
option in it. At first I thought maybe the author didn't want to touch any
output packet. But now I doubt that, maybe the iptables hook point doesn't
support doing so. That is why I came here asking you guys for help. I
think at the iptables OUTPUT hook point it has not yet generated any 2nd
level information in the skb buffer, has it? That is why the mac module
can only touch incoming packets, because only the incoming packet carries
the mac information in iptables.

Can anybody answer me? Thanks a lot.

BRs
jerry ma
&lt;/pre&gt;</description>
    <dc:creator>JieYue Ma</dc:creator>
    <dc:date>2012-05-24T04:47:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42794">
    <title>Re: [PATCH 02/17] netfilter: add namespace support for l4proto</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42794</link>
    <description>&lt;pre&gt;于 2012年05月23日 18:25, Pablo Neira Ayuso 写道:

thanks! I will fix it.


I missed it...
Thanks.

Yes, l4proto_tcp (udp, icmp)'s ctl_table is stored in netns_ct.proto,
so when registering l4proto_tcp's sysctl fails, ctl_table will still
point to the kfreed memory. This will cause a panic the next
time we register l4proto_tcp's sysctl.


Yes, it will be more readable, I will do it.

&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T01:52:51</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42793">
    <title>Re: [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42793</link>
    <description>&lt;pre&gt;Hi pablo:

On 2012-05-23 18:38, Pablo Neira Ayuso wrote:

This structure means ctl_table_header, ctl_table and so on?

I added this structure to struct nf_proto_net in patch 1/17, so those fields in
struct nf_conntrack_l4proto are useless; this patch is just some cleanup.

The same applies to nf_conntrack_l3proto.
&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T00:59:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42792">
    <title>Re: [PATCH 16/17] netfilter: add namespace support for cttimeout</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42792</link>
    <description>&lt;pre&gt;于 2012年05月23日 18:41, Pablo Neira Ayuso 写道:

Got it, thanks ;)

&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T01:04:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42791">
    <title>Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42791</link>
    <description>&lt;pre&gt;Hi pablo:

On 2012-05-23 18:12, Pablo Neira Ayuso wrote:

It seems this patch should be merged into "netfilter: add namespace support for l4proto",
where struct nf_proto_net is first used.


Because some protocols such as l4proto_tcp6 and l4proto_tcp use the same init_net
function, and l4proto_tcp6 doesn't need the compat sysctl, we should use this new
field to identify whether we should kmemdup compat_sysctl_table.

And because protocols will have per-net ctl_compat_table and ctl_table, the .ctl_compat_table
field will be deleted in patch 15/17, so we should use the new field compat.

Actually, we don't need to pass the compat value for generic_init_net, because
we know l4proto_generic needs compat. But considering there are l4proto_tcp(6), and in order to keep
the code readable, I prefer to add the compat field and pass it to init_net.



&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T01:35:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42790">
    <title>Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42790</link>
    <description>&lt;pre&gt;于 2012年05月23日 18:32, Pablo Neira Ayuso 写道:

You mean the per-net generic_proto sysctls are registered by
nf_conntrack_proto_init?

such as

int nf_conntrack_proto_init(struct net *net)
{
...
err = nf_ct_l4proto_register_sysctl(net, &amp;amp;nf_conntrack_l4proto_generic);
...
}

If my understanding is right, my answer is yes, we can ;)

&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T01:13:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42789">
    <title>Re: [v3 PATCH 1/1] netfilter: Add fail-open support.</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42789</link>
    <description>&lt;pre&gt;Florian Westphal &amp;lt;fw&amp;lt; at &amp;gt;strlen.de&amp;gt; wrote on 05/23/2012 01:24:56 PM:


Yes, all segments need to be processed for this option. I will
check if it is possible to do any code-sharing, and post the
patches tomorrow with your other feedback incorporated.

Thanks for your review,
- KK

&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar2</dc:creator>
    <dc:date>2012-05-23T14:11:10</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.firewalls.netfilter.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.firewalls.netfilter.devel</link>
  </textinput>
</rdf:RDF>

