gmane.comp.security.firewalls.netfilter.devel

[ANNOUNCE] libmnl 1.0.3 release

Pablo Neira Ayuso — 2012-05-26T18:23:50

Hi!

The Netfilter project proudly presents:

        libmnl 1.0.3

libmnl is a minimalistic (really!) library that provides simple
abstractions to communicate using Netlink sockets.

If you're looking for a way to communicate some kernel subsystem and
user-space, Netlink provides a nice method to do so. For those not yet
familiar with Netlink, I suggest you to read:

http://1984.lsi.us.es/~pablo/docs/spae.pdf

This release include one fix and one new interface to allow to parse
messages from some payload offset, skipping the Netlink header. See
ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/libmnl/downloads.html
ftp://ftp.netfilter.org/pub/libmnl/

Have fun!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[ANNOUNCE] libnetfilter_cttimeout 1.0.0 release

Pablo Neira Ayuso — 2012-05-26T18:03:17

Hi!

The Netfilter project proudly presents:

        libnetfilter_cttimeout 1.0.0

libnetfilter_cttimeout is the userspace library that provides the
programming interface to the fine-grain connection tracking timeout
infrastructure. With this library, you can create, update and delete
timeout policies that can be attached to traffic flows. This library
is used by conntrack-tools.

To use this library, you require a Linux kernel >= 3.4.0.

See ChangeLog that comes attached to this email for more details.

You can download it from:

http://www.netfilter.org/projects/libnetfilter_cttimeout/downloads.html
ftp://ftp.netfilter.org/pub/libnetfilter_cttimeout/

Have fun!
Jan Engelhardt (6):
      Add .gitignore
      const-ify static data objects
      Add stdint header and type corrections
      Properly NUL-terminate name in nfct_timeout_attr_set
      const-ify arguments of functions
      Add extern "C" guard for C++ compilation mode

Pablo Neira Ayuso (11):
      initial commit
      add README file
      This

[v5 PATCH 0/1] netfilter: "fail-open" feature support for NFQUEUE

Krishna Kumar — 2012-05-24T13:56:31

Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However during heavy load,
the queue fills up and connections fail when large number of packets
get dropped.

This patch implements a "failopen" support for NFQUEUE to help keep
connections open during such failures. This is achieved by allowing
acceptance of packets temporarily when the queue is full, which
enables existing connections to be kept open.

Failopen is enabled/disabled using a new call - nfq_set_flags(qh,
mask, flags), which makes use of two new netlink attributes:
NFQA_CFG_MASK -  Specifies which flags are being modified.
NFQA_CFG_FLAGS - Set/reset the bits for each of those flags.


Tests done:
------------
- netperf TCP_STREAM.
- 64 netperf stress testing to ensure there are no memo

[v4 PATCH 0/1] netfilter: "fail-open" feature support for NFQUEUE

Krishna Kumar — 2012-05-24T08:25:18

Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However during heavy load,
the queue fills up and connections fail when large number of packets
get dropped.

This patch implements a "failopen" support for NFQUEUE to help keep
connections open during such failures. This is achieved by allowing
acceptance of packets temporarily when the queue is full, which
enables existing connections to be kept open.

Failopen is enabled/disabled using a new call - nfq_set_flags(qh,
mask, flags), which makes use of two new netlink attributes:
NFQA_CFG_MASK -  Specifies which flags are being modified.
NFQA_CFG_FLAGS - Set/reset the bits for each of those flags.


Tests done:
------------
- netperf TCP_STREAM
- 64 netperf stress testing to ensure there are no memor

reason that iptables mac module only has mac-source option

JieYue Ma — 2012-05-24T04:47:44

hi guys,

I am working on the mac module, and I added some arp related options
in it. I noticed that this module originally has only --mac-source
options in it. At first I think maybe author didn't want touch any
output packet. But now I doubt that maybe iptables hook point doesn't
support to do so. That is why I came here asking you guys for help. I
think in iptables OUTPUT hook point, it has not yet generate any 2nd
level information in the skb buffer, hasn't it? That is why mac module
can only touch incoming packet because only the incoming packet takes
the mac information in iptables

anybody can answer me? thanks a lot

BRs
jerry ma
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[README] patches that did not reach net-next (upcoming 3.5)

Pablo Neira Ayuso — 2012-05-23T11:00:23

Hi!

David has closed net-next merge window.

I know there are several patches still on the table, you can see the
list here:

http://patchwork.ozlabs.org/project/netfilter-devel/list/

Some of them are small enough that I did not feel like pushing hard
for them to David, like the one from Amerigo Wang, Alban Crequy and
Denys Fedoryshchenko. My plan is to include them once merge window
opens again.

Gao Feng's namespace ct timeout requires another spin.

For bugfixes, I'll start collecting them to pass them asap.

Thanks for your work!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Using RELATED for a level4 protocol (MPTCP)

Nicolas Maître — 2012-05-22T20:51:02

Hi everyone,

I'm a complete newbie in netfilter hacking and I'm trying to implement
the support of MPTCP [0] (standing for MultiPath TCP) in netfilter in
the context of a master's thesis.

I'll just summarize some points of MPTCP here to get a chance to be
understood with my request.
MPTCP is an extension of TCP which enables it to use multiple paths as
part of a single "MPTCP connection", answering to a multihoming and
performance demand. It acts as a higher-level, using TCP connections
as subflows and it has been designed to be backward-compatible with
regular TCP.
It exposes a similar interface to TCP to the application layer. A
figure might help to get the whole thing:

       +-------------------------------+
       |           Application         |
       +-------------------------------+
       |             MPTCP             |
       + - - - - - - - + - - - - - - - +
       | Subflow (TCP) | Subflow (TCP) |
       +-------------------------------+
       |       IP      |      IP       |
       +---

[v3 PATCH 0/1] netfilter: "fail-open" feature support for NFQUEUE

Krishna Kumar — 2012-05-22T12:10:37

Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However during heavy load,
NFQUEUE queue (default 1024 entries) fills up and connections fail
after large number of packets drop during enqueue.

This patch implements a "failopen" support for NFQUEUE to help keep
connections open during such failures. This is achieved by allowing
acceptance of packets temporarily when the queue is full, which enables
existing connections to be kept open.

Failopen is enabled/disabled using a new call - nfq_set_flags(qh, mask,
flags), which makes use of two new netlink attributes:
1. NFQA_CFG_MASK:  Specifies which flags are being modified.
2. NFQA_CFG_FLAGS: Set/reset the value for each of those flags.


Tests done:
------------
- netperf TCP_STREAM
- 64 netperf st

[PATCH] netfilter conntrack helper: nf_ct_h323: fix bug in rtcp natting

Jagdish Motwani — 2012-05-22T06:00:27

The nat_rtp_rtcp hook takes two separate parameters port and rtp_port.

port is expected to be the real h245 address(found inside the packet).
rtp_port is the even number closest to port  (RTP ports are even and 
RTCP ports are odd)

However currently, both port and rtp_port are having same value(both are 
rounded to nearest even numbers).

This works well in case of openlogicalchannel with media (RTP/even) port.

But in case of openlogicalchannel for media control (RTCP/odd) port, 
h245 address in the packet is wrongly modified to have an even port.

I am attaching a pcap demonstrating the problem, for any further analysis.

This behavior was introduced around v2.6.19 while rewriting the helper.



Signed-off-by: Jagdish Motwani <jagdish.motwani< at >elitecore.com>
Signed-off-by: Sanket Shah <sanket.shah< at >elitecore.com>

--
diff --git a/net/netfilter/nf_conntrack_h323_main.c 
b/net/netfilter/nf_conntrack_h323_main.c
index 46d69d7..7f0de36 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_

[README] net-next has been merged

David Miller — 2012-05-21T21:09:39

Linus has pulled in all of the net-next changes, and I have
subsequently fast-forwarded both 'net' and 'net-next' to
Linus's tree.

All work at this time should be bug fixes and should be arranged
against 'net'.  'net-next' will be frozen and untouched until
some time after the merge window closes, and no development should
occur against it.

I am rejecting all patches in patchwork which implement new features,
perform cleanups, or otherwise are inappropriate at this time.  You
must resubmit them when the net-next tree opens back up.

There is one exception waiting in the wings, there is one netfilter
pull remaining from Pedro for the merge window and I told him that
this is OK.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

libnetfilter_conntrack updates

Jan Engelhardt — 2012-05-19T22:08:08

The following changes since commit 6fdd30fe6de1311022ae9e17304dd72f4958bbb8:

  build: bump version to 1.0.1 (2012-05-18 01:24:29 +0200)

are available in the git repository at:
  git://git.inai.de/libnetfilter_conntrack master

Jan Engelhardt (4):
      build: remove unused LDFLAGS
      qa: change an if to elseif
      build: remove unused -DLIBNETFILTER_CONNTRACK_DIR
      Update .gitignore

 configure.ac            |    5 -----
 qa/.gitignore           |    2 ++
 qa/Makefile.am          |    4 ----
 qa/ct_events_reliable.c |    2 +-
 utils/.gitignore        |    1 +
 utils/Makefile.am       |   20 --------------------
 6 files changed, 4 insertions(+), 30 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Resend PATCH 1/2] netfilter: remove include/linux/netfilter_ipv4/ipt_addrtype.h

Cong Wang — 2012-05-19T14:39:00

From: Cong Wang <xiyou.wangcong< at >gmail.com>

It was scheduled to be removed.

Acked-by: Florian Westphal <fw< at >strlen.de>
Signed-off-by: Cong Wang <xiyou.wangcong< at >gmail.com>
---
 Documentation/feature-removal-schedule.txt  |    8 --------
 include/linux/netfilter_ipv4/Kbuild         |    1 -
 include/linux/netfilter_ipv4/ipt_addrtype.h |   27 ---------------------------
 3 files changed, 0 insertions(+), 36 deletions(-)
 delete mode 100644 include/linux/netfilter_ipv4/ipt_addrtype.h

diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index e4b5775..366d158 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
< at >< at > -414,14 +414,6 < at >< at > Files:net/netfilter/xt_connlimit.c
 
 ----------------------------
 
-What:ipt_addrtype match include file
-When:2012
-Why:superseded by xt_addrtype
-Who:Florian Westphal <fw< at >strlen.de>
-Files:include/linux/netfilter_ipv4/ipt_addrtype.h
-
-----------------------------
-
 What:i2c

Sending packet bypassing iptables rules

Arif Hossain — 2012-05-18T11:54:35

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

In my userspace app, i receive packets from NF_QUEUE. I manage a
userspace queue to do some processing over the packets. So i have to
set nfq_set_verdict(NF_DROP,.....). Now after the processing i need to
send the packets to the destinations. But this time i need to send
them such way so that they won't be caught in iptable rules.

What i have done for now is, i've set the dscp field of the IP packet
. And added a rule $iptables -t mangle -A PREROUTING -m dscp --dscp 10
-j ACCEPT before the rule which queues the packets. Then send the
packet over raw socket.

May be because of my intensive traffic (Traffic is real time media
data, so delays are fatal), the performance of my system is horrible.
So i'm thinking how i can achieve a more efficient processing. One
thing comes to my mind is the process i'm following for forwarding
packet is not very efficient. So i'm thinking about how can i improve
this.

Thanks in advance.

- --
- -aft

-----BEGIN PGP SIGNATURE

[PATCH][conntrack-tools] conntrack: flush stdout for each expectation event, too

Florian Westphal — 2012-05-18T11:36:49

else, piping "conntrack -E expect" output will be buffered/delayed,
which is not what users expect. Normal conntrack events are already
flushed.

Signed-off-by: Florian Westphal <fw< at >strlen.de>
---
 src/conntrack.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index b065211..0920bc5 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
< at >< at > -1380,6 +1380,7 < at >< at > static int event_exp_cb(enum nf_conntrack_msg_type type,
 
 nfexp_snprintf(buf,sizeof(buf), exp, type, op_type, op_flags);
 printf("%s\n", buf);
+fflush(stdout);
 counter++;
 
 return NFCT_CB_CONTINUE;

[PATCH][libnetfilter_conntrack] snprintf: print conntrack helper name, too

Florian Westphal — 2012-05-18T11:35:59

Signed-off-by: Florian Westphal <fw< at >strlen.de>
---
 src/conntrack/snprintf_default.c |   11 +++++++++++
 src/conntrack/snprintf_xml.c     |   16 ++++++++++++++++
 2 files changed, 27 insertions(+), 0 deletions(-)

diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c
index 206b9c0..45d192d 100644
--- a/src/conntrack/snprintf_default.c
+++ b/src/conntrack/snprintf_default.c
< at >< at > -282,6 +282,12 < at >< at > __snprintf_timestamp_delta(char *buf, unsigned int len,
 (unsigned long long)delta_time));
 }
 
+static int
+__snprintf_helper_name(char *buf, unsigned int len, const struct nf_conntrack *ct)
+{
+return (snprintf(buf, len, "helper=%s ", ct->helper_name));
+}
+
 int __snprintf_conntrack_default(char *buf, 
  unsigned int len,
  const struct nf_conntrack *ct,
< at >< at > -415,6 +421,11 < at >< at > int __snprintf_conntrack_default(char *buf,
 BUFFER_SIZE(ret, size, len, offset);
 }
 
+if (test_bit(ATTR_HELPER_NAME, ct->head.set)) {
+ret = __snprintf_helper_name(buf+offset, len, ct);
+BUFFER_SI

RTP stats explaination

Arif Hossain — 2012-05-18T10:21:30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,
We are getting very poor quality of voice during testing of a new
filtering application of us.

The application receives packets from kernel using netfilter_queue
library. Then insert the packets into a new user managed queue and
does some transformations on it, like concatenation of udp payload.

The network is healthy. Its inside our lab. And it does not drop
packets or anything .

In our app we do not forward packet immediately. After enough packet
received to increase rtp packetization time (ptime) the we forward the
message over raw socket and set dscp to be 10 so that this time
packets can escape iptable rules.

From client side the RTP stream analysis shows nearly every stream as
problematic. summery for some streams are given below :

Stream 1:

Max delta = 1758.72 ms at packet no. 40506
Max jitter = 231.07 ms. Mean jitter = 9.27 ms.
Max skew = -2066.18 ms.
Total RTP packets = 468   (expected 468)   Lost RTP packets = 0
(0.00%)   Sequence errors

NAT66

Venkateswarlu Bandi — 2012-05-18T09:52:50

Hi T.Moes,
  I am trying to use source code for NAT66 for network address 
translation in ipv6.
  Can you please tell me it will work or not, if we patch three files in 
kernel.
  Module compilation done successfully, but how to configure tart by 
using ip6tables.
  Can you please guide me about this...
Thanks,
Venkatb.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Questions about ebtables QUEUE/NFQUEUE target implementation

JieYue Ma — 2012-05-18T06:13:14

hello, everyone,

We are carrying out a project related with ebtables/arptables. We plan
to add logic in user space to deal with arp packets. But I found out
in ebtables homepage that the QUEUE/NFQUEUE target has not been
supported yet, while it is supported already in iptables. So does
community has any plan to support QUEUE/NFQUEUE target in ebtables? If
not, maybe we can contribute to do so.

As for arptables, I am not sure if it is supported already. I wrote
small programs using libipq as well as libnetfilter_queue, but both do
not work anyway. It does work together with iptables.

Thanks
Jerry Ma
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] iptables: xt_recent: Add optional mask option for xt_recent

Denys Fedoryshchenko — 2012-05-17T20:08:57

Use case for this feature:
1)In some occasions if you need to allow,block,match specific subnet.
2)I can use recent as a trigger when netfilter rule matches, with mask 0.0.0.0

Tested for backward compatibility:
)old (userspace) iptables, new kernel
)old kernel, new iptables
)new kernel, new iptables

Signed-off-by: Denys Fedoryshchenko <denys< at >visp.net.lb>
---
 extensions/libxt_recent.c           |  152 ++++++++++++++++++++++++++++++----
 include/linux/netfilter/xt_recent.h |   11 +++-
 2 files changed, 144 insertions(+), 19 deletions(-)

diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index c7dce4e..930da29 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
< at >< at > -16,6 +16,7 < at >< at > enum {
 O_NAME,
 O_RSOURCE,
 O_RDEST,
+O_MASK,
 F_SET    = 1 << O_SET,
 F_RCHECK = 1 << O_RCHECK,
 F_UPDATE = 1 << O_UPDATE,
< at >< at > -25,7 +26,7 < at >< at > enum {
 };
 
 #define s struct xt_recent_mtinfo
-static const struct xt_option_entry recent_opts[] = {
+static const struct xt_option_entry recent_op

[PATCH 1/2] extensions: libxt_rateest: output all options in save hook

Florian Westphal — 2012-05-17T11:03:08

ipt-restore fails to parse the ipt-save output:
zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5
(should be "--rateest-pps 5 --rateest-lt").  Also, the "delta" option
was never shown in -save output, but twice in some cases when using
"iptables -L".

Also, the "b/pps1" option must be shown when "delta" option is used with
relative mode.

Signed-off-by: Florian Westphal <fw< at >strlen.de>
---
 extensions/libxt_rateest.c |   55 +++++++++++++++++++++++++++----------------
 1 files changed, 34 insertions(+), 21 deletions(-)

diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 86bbb06..185a813 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
< at >< at > -348,8 +348,8 < at >< at > rateest_print(const void *ip, const struct xt_entry_match *match, int numeric)
 if (info->flags & XT_RATEEST_MATCH_DELTA)
 rateest_print_rate(info->bps1, numeric);
 if (info->flags & XT_RATEEST_MATCH_ABS) {
-rateest_print_mode(info, "");
 rateest_print_rate(info->bps2, numeric);
+rate

Re[2]: [PATCH] netfilter: xt_HMARK: fix endian bugs and warnings

Hans Schillstrom — 2012-05-17T08:07:39


Indeed,  but it saves some cpu cycles 


Ok, to make it endian safe a shift is required.
Like this:

        hp.b32 = (uports->b32 & info->port_mask.b32) | info->port_set.b32;
        src = ntohs(hp.b16.src);
        dst = ntohs(hp.b16.dst);

        if (dst > src)
                uports->v32 = (dst << 16) | src;
        else
                uports->v32 = (src << 16) | dst;


I'll re-spin the patch



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html