<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel">
    <title>gmane.comp.security.firewalls.netfilter.devel</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42824"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42823"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42822"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42821"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42820"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42819"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42818"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42817"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42815"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42814"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42813"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42811"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42810"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42809"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42807"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42799"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42798"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42797"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42796"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42794"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42824">
    <title>Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42824</link>
    <description>&lt;pre&gt;于 2012年05月25日 14:02, Gao feng 写道:

Maybe we can resolve this by  nf_conntrack_l4proto.l3proto == AF_INET &amp;amp;&amp;amp;  pn-&amp;gt;ctl_compat_header != NULL
Because compat sysctl is registered by AF_INET's proto only.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo&amp;lt; at &amp;gt;vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-26T02:28:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42823">
    <title>Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42823</link>
    <description>&lt;pre&gt;于 2012年05月24日 22:40, Pablo Neira Ayuso 写道:

AFAIK l4proto_generic is registered when install module nf_conntrack,
BUT l4proto_tcp,l4proto_udp,l4proto_icmp are registered when install module nf_conntrack_ipv4.

So we can only register generic proto here.

&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-26T02:36:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42822">
    <title>Re: [PATCH 05/17] netfilter: add namespace support for l4proto_tcp</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42822</link>
    <description>&lt;pre&gt;于 2012年05月25日 11:00, Pablo Neira Ayuso 写道:

Actually I want reuse this code too,
But Unfortunately the ctl_data has different order or different size.
ctl_compat_table[1].data = &amp;amp;tn-&amp;gt;timeouts[TCP_CONNTRACK_SYN_SENT2]
but
ctl_table[1].data = &amp;amp;tn-&amp;gt;timeouts[TCP_CONNTRACK_SYN_RECV];



It did look ugly,I will try my best to make code clear. ;)


&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-25T06:05:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42821">
    <title>Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42821</link>
    <description>&lt;pre&gt;于 2012年05月25日 10:54, Pablo Neira Ayuso 写道:

pn-&amp;gt;ctl_table_header and ctl_compat_header is shared by l4proto_tcp and l4proto_tcp6.
if we both register l4proto_tcp and l4proto_tcp6, when unregister l4proto_tcp6
pn-&amp;gt;ctl_compat_header must not be NULL.


&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-25T06:02:37</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42820">
    <title>Re: [PATCH 05/17] netfilter: add namespace support for l4proto_tcp</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42820</link>
    <description>&lt;pre&gt;Hi Gao,

While having a look at this again, I have two new requests:

On Mon, May 14, 2012 at 04:52:15PM +0800, Gao feng wrote:
[...]
[...]

You can make a generic function to set the ctl_data that you can
reuse for this code above and the one below.


I have bad experience with code that has lots of #ifdef's.

Please, split all *_init_net into smaller functions.

&lt;/pre&gt;</description>
    <dc:creator>Pablo Neira Ayuso</dc:creator>
    <dc:date>2012-05-25T03:00:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42819">
    <title>Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42819</link>
    <description>&lt;pre&gt;
Could you resolve this by checking pn-&amp;gt;ctl_compat_header != NULL ?

&lt;/pre&gt;</description>
    <dc:creator>Pablo Neira Ayuso</dc:creator>
    <dc:date>2012-05-25T02:54:51</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42818">
    <title>Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42818</link>
    <description>&lt;pre&gt;于 2012年05月24日 22:38, Pablo Neira Ayuso 写道:

Sorry I miss something.

nf_ct_l4proto_unregister_sysctl also uses .compat to identify if we
can unregister the compat sysctl.

if we register l4proto_tcp and l4proto_tcp6 both. without .compat,
when unregister l4proto_tcp6, the compat sysctl will be unregister too.

So maybe we have to use .compat.

&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-25T01:05:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42817">
    <title>Re: [v5 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42817</link>
    <description>&lt;pre&gt;
Looks good to me.  Thanks for your patience!

&lt;/pre&gt;</description>
    <dc:creator>Florian Westphal</dc:creator>
    <dc:date>2012-05-24T20:42:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42815">
    <title>Re: [PATCH 01/17] netfilter: add struct nf_proto_net for register l4proto sysctl</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42815</link>
    <description>&lt;pre&gt;[...]

If this removes the .compat field that you added, then use two
init_net functions, yes.

&lt;/pre&gt;</description>
    <dc:creator>Pablo Neira Ayuso</dc:creator>
    <dc:date>2012-05-24T14:38:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42814">
    <title>[v5 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42814</link>
    <description>&lt;pre&gt;Implement a new "fail-open" mode where packets are not dropped
upon queue-full condition. This mode can be enabled/disabled per
queue using netlink NFQA_CFG_FLAGS &amp;amp; NFQA_CFG_MASK attributes.

Signed-off-by: Krishna Kumar &amp;lt;krkumar2&amp;lt; at &amp;gt;in.ibm.com&amp;gt;
Signed-off-by: Vivek Kashyap &amp;lt;vivk&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
Signed-off-by: Sridhar Samudrala &amp;lt;samudrala&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
---
 include/linux/netfilter/nfnetlink_queue.h |    5 ++
 net/netfilter/nfnetlink_queue.c           |   40 ++++++++++++++++++--
 2 files changed, 42 insertions(+), 3 deletions(-)

diff -ruNp org/include/linux/netfilter/nfnetlink_queue.h new/include/linux/netfilter/nfnetlink_queue.h
--- org/include/linux/netfilter/nfnetlink_queue.h2012-05-24 15:47:52.361984483 +0530
+++ new/include/linux/netfilter/nfnetlink_queue.h2012-05-24 16:06:29.123911109 +0530
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -84,8 +84,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; enum nfqnl_attr_config {
 NFQA_CFG_CMD,/* nfqnl_msg_config_cmd */
 NFQA_CFG_PARAMS,/* nfqnl_msg_config_params */
 NFQA_CFG_QUEUE_MAXLEN,/* __u32 */
+NFQA_CFG_MASK,/* identify which flags to&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar</dc:creator>
    <dc:date>2012-05-24T13:56:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42813">
    <title>[v5 PATCH 0/1] netfilter: "fail-open" feature support for NFQUEUE</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42813</link>
    <description>&lt;pre&gt;Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However during heavy load,
the queue fills up and connections fail when large number of packets
get dropped.

This patch implements a "failopen" support for NFQUEUE to help keep
connections open during such failures. This is achieved by allowing
acceptance of packets temporarily when the queue is full, which
enables existing connections to be kept open.

Failopen is enabled/disabled using a new call - nfq_set_flags(qh,
mask, flags), which makes use of two new netlink attributes:
NFQA_CFG_MASK -  Specifies which flags are being modified.
NFQA_CFG_FLAGS - Set/reset the bits for each of those flags.


Tests done:
------------
- netperf TCP_STREAM.
- 64 netperf stress testing to ensure there are no memo&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar</dc:creator>
    <dc:date>2012-05-24T13:56:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42811">
    <title>Re: [PATCH 04/17] netfilter: add namespace support for l4proto_generic</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42811</link>
    <description>&lt;pre&gt;于 2012年05月24日 17:52, Pablo Neira Ayuso 写道:

sounds good,but the l4protos except l4proto_generic are enabled by
insmod modules(such as nf_conntrack_ipv4,nf_conntrack_proto_udplite).

So I think it makes no sense to init all protocol here, unless we decide
to put those protos into module nf_conntrack.


&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T11:07:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42810">
    <title>Re: [PATCH 03/17] netfilter: add namespace support for l3proto</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42810</link>
    <description>&lt;pre&gt;于 2012年05月24日 18:04, Pablo Neira Ayuso 写道:

Yes, I will add a comment to make it more clearer ;)


&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T10:57:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42809">
    <title>Re: [v4 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42809</link>
    <description>&lt;pre&gt;
Good catch.  Yes, the lock should be dropped, else we
deadlock when the same queue is hit in the next table/chain.


Yes.

Thanks,
Florian

&lt;/pre&gt;</description>
    <dc:creator>Florian Westphal</dc:creator>
    <dc:date>2012-05-24T10:53:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42807">
    <title>Re: [v4 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42807</link>
    <description>&lt;pre&gt;Florian Westphal &amp;lt;fw&amp;lt; at &amp;gt;strlen.de&amp;gt; wrote on 05/24/2012 03:00:43 PM:

No, I think it should work fine. Do this after dropping the lock?


Yes, that will help remove quite some code from front-end.


Maybe just use __u32 type for flags/mask?

Thanks,
- KK


&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar2</dc:creator>
    <dc:date>2012-05-24T10:31:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42799">
    <title>Re: [v4 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42799</link>
    <description>&lt;pre&gt;
What about this:

if (queue-&amp;gt;queue_total &amp;gt;= queue-&amp;gt;queue_maxlen) {
        if (queue-&amp;gt;flags &amp;amp; NFQA_CFG_F_FAIL_OPEN) {
                nf_reinject(entry, NF_ACCEPT);
                err = 0;
                goto err_out_free_nskb;
        }
        queue-&amp;gt;queue_dropped++;
        net_warn_ratelimited("nf_queue: full at %d entries, dropping packets(s)\n",

[..]

Do you see any problems with that?

It should do the same as the nf_hook_slow/nf_queue ENOSPC changes while
avoiding modifications outside the queueing backend.


[..]


ntohl returns __u32 type.

Thanks,
Florian

&lt;/pre&gt;</description>
    <dc:creator>Florian Westphal</dc:creator>
    <dc:date>2012-05-24T09:30:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42798">
    <title>[v4 PATCH 0/1] netfilter: "fail-open" feature support for NFQUEUE</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42798</link>
    <description>&lt;pre&gt;Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However during heavy load,
the queue fills up and connections fail when large number of packets
get dropped.

This patch implements a "failopen" support for NFQUEUE to help keep
connections open during such failures. This is achieved by allowing
acceptance of packets temporarily when the queue is full, which
enables existing connections to be kept open.

Failopen is enabled/disabled using a new call - nfq_set_flags(qh,
mask, flags), which makes use of two new netlink attributes:
NFQA_CFG_MASK -  Specifies which flags are being modified.
NFQA_CFG_FLAGS - Set/reset the bits for each of those flags.


Tests done:
------------
- netperf TCP_STREAM
- 64 netperf stress testing to ensure there are no memor&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar</dc:creator>
    <dc:date>2012-05-24T08:25:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42797">
    <title>[v4 PATCH 1/1] netfilter: Add fail-open support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42797</link>
    <description>&lt;pre&gt;Implement a new "fail-open" mode where packets are not dropped
upon queue-full condition. This mode can be enabled/disabled per
queue using netlink NFQA_CFG_FLAGS &amp;amp; NFQA_CFG_MASK attributes.

Signed-off-by: Krishna Kumar &amp;lt;krkumar2&amp;lt; at &amp;gt;in.ibm.com&amp;gt;
Signed-off-by: Vivek Kashyap &amp;lt;vivk&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
Signed-off-by: Sridhar Samudrala &amp;lt;samudrala&amp;lt; at &amp;gt;us.ibm.com&amp;gt;
---
 include/linux/netfilter/nfnetlink_queue.h |    5 ++
 net/netfilter/core.c                      |   37 +++++++++++++++++++-
 net/netfilter/nf_queue.c                  |   15 ++++++--
 net/netfilter/nfnetlink_queue.c           |   36 +++++++++++++++++--
 4 files changed, 86 insertions(+), 7 deletions(-)

diff -ruNp org/include/linux/netfilter/nfnetlink_queue.h new/include/linux/netfilter/nfnetlink_queue.h
--- org/include/linux/netfilter/nfnetlink_queue.h2012-05-23 09:52:54.738660685 +0530
+++ new/include/linux/netfilter/nfnetlink_queue.h2012-05-24 10:25:33.500073415 +0530
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -84,8 +84,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; enum nfqnl_attr_config {
 NFQA_CFG_CMD,/* nfqnl_msg_config_cmd */
 NF&lt;/pre&gt;</description>
    <dc:creator>Krishna Kumar</dc:creator>
    <dc:date>2012-05-24T08:25:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42796">
    <title>reason that iptables mac module only has mac-source option</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42796</link>
    <description>&lt;pre&gt;hi guys,

I am working on the mac module, and I added some arp related options
in it. I noticed that this module originally has only --mac-source
options in it. At first I think maybe author didn't want touch any
output packet. But now I doubt that maybe iptables hook point doesn't
support to do so. That is why I came here asking you guys for help. I
think in iptables OUTPUT hook point, it has not yet generate any 2nd
level information in the skb buffer, hasn't it? That is why mac module
can only touch incoming packet because only the incoming packet takes
the mac information in iptables

anybody can answer me? thanks a lot

BRs
jerry ma

&lt;/pre&gt;</description>
    <dc:creator>JieYue Ma</dc:creator>
    <dc:date>2012-05-24T04:47:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42794">
    <title>Re: [PATCH 02/17] netfilter: add namespace support for l4proto</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42794</link>
    <description>&lt;pre&gt;于 2012年05月23日 18:25, Pablo Neira Ayuso 写道:

thanks! I will fix it.


I miss it...
thanks

yes,l4proto_tcp(udp,icmp)'s ctl_table is stored in netns_ct.proto,
so when we register l4proto_tcp's sysctl failed,ctl_table will still
point to the kfreed memory. this will cause panic the next
time we register l4proto_tcp's sysctl.


Yes,it will be more readable,I will do it.


&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T01:52:51</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42793">
    <title>Re: [PATCH 15/17] netfilter: cleanup sysctl for l4proto and l3proto</title>
    <link>http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/42793</link>
    <description>&lt;pre&gt;Hi pablo:

于 2012年05月23日 18:38, Pablo Neira Ayuso 写道:

This structure means ctl_table_header,ctl_table and so on?

I add this structure to struct nf_proto_net in patch 1/17,so those fields in
struct nf_conntrack_l4proto are useless,this patch is just some cleanup.

the same with nf_conntrack_l3proto.

&lt;/pre&gt;</description>
    <dc:creator>Gao feng</dc:creator>
    <dc:date>2012-05-24T00:59:18</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.firewalls.netfilter.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.firewalls.netfilter.devel</link>
  </textinput>
</rdf:RDF>