gmane.comp.security.firewalls.netfilter.devel

[ULOG PATCH 0/4] misc fixes, and new DBI output plugin

Pierre Chifflier — 2008-12-01T12:41:52

The first two patches fixes the following problems: - impossibility to run ulogd in gdb, due to a missing link to libpthread - possible use of uninitialized memory in a calloc(0), spotted by valgrind It also adds a new output mode, libdbi libdbi implements a database-independent abstraction layer in C, similar to the DBI/DBD layer in Perl. It allows to use all database types supported by libdbi, including MySQL, PostgreSQL, sqlite, Firebird, MSSQL, Sybase, Oracle, ingres .. It does not, however, replace other database modules, because as a common abstraction layer, it is unable to use any specific function, for ex. the asynchronous API for PostgreSQL. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

[libnetfilter_log patch] Fix minor memory leak.

Eric Leblond — 2008-11-30T14:34:03

The nflog_handle is allocated in nflog_open(). This patch adds the missing free in nlog_close(). Signed-off-by: Eric Leblond inl.fr> --- src/libnetfilter_log.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/src/libnetfilter_log.c b/src/libnetfilter_log.c index 6c0936e..216cdb8 100644 --- a/src/libnetfilter_log.c +++ b/src/libnetfilter_log.c < at >< at > -237,7 +237,9 < at >< at > int nflog_handle_packet(struct nflog_handle *h, char *buf, int len) int nflog_close(struct nflog_handle *h) { -return nfnl_close(h->nfnlh); +int ret = nfnl_close(h->nfnlh); +free(h); +return ret; } /* bind nf_queue from a specific protocol family */

netfilter 00/29: Netfilter Update

Patrick McHardy — 2008-11-27T16:15:03

Hi Dave, the following patches contain part 1 of the netfilter updates for 2.6.29. The highlights are: - netns support for ebtables, ipt_addrtype and some related cleanups from Alexey Dobriyan - ctnetlink updates from Pablo: automatic helper module loading, proper event generation for actions performed through ctnetlink, minor cleanups - switching of xt_NFLOG to directly use nfnetlink_log as backend instead of the first loaded logging module, which was a constant source of confusion for users. From Eric Leblond. Also from Eric are two patches to support rerouting based on packet marks in nfnetlink_queue. - Misc cleanups and minor fixes from myself, Andy Whitcroft, Simon Arlot and Ingo Molnar. There's a trivial merge conflict in net/netfilter/nf_conntrack_netlink.c, so the patches won't apply directly. Please pull from git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git Thanks! include/linux/netfilter_bridge/ebtables.h | 3 +- include/linux/netfilter_ipv4/ipt_poli

[PATCH] More secure SYSRQ for xtables-addons

John Haxby — 2008-11-27T12:28:29

Hello All, This is a patch to the SYSRQ xtables-addon that is, I believe, secure enough to use in moderately untrustworthy environments. I'm relatively new to posting patches so please forgive me if I've messed this up. Rationale: I want to be able to use SYSRQ to reboot, crash or partially diagnose machines that become unresponsive for one reason or another. These machines, typically, are blades or rack mounted machines that do not have a PS/2 connection for a keyboard and the old method of wheeling round a "crash trolley" that has a monitor and a keyboard on it no longer works: USB keyboards rarely, if ever, work because by the time the machine is responding only to a ping, udev is incapable of setting up a new keyboard. This patch extends the xt_SYSRQ module to avoid both disclosing the sysrq password and preventing replay. This is done by changing the request packet from the simple "" to a slightly more complex ",,,". The hash is the sha1 chec

iptables cut specific connections when lots of files are commited via subversion

IKA SysAdmin — 2008-11-27T08:53:24

Hi there, I had a problematic experience with iptables and thought, you might be interested. regards, Claudia Server FSC RX300, 8GB Memory Red Hat Enterprise Linux Server release 5.2 (Tikanga) Kernel 2.6.18-92.1.13.el5 #1 SMP Thu Sep 4 03:51:21 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux Diskspace 175GB free out of 185GB (mirrored) 2 network cards - one for "internal" use that provides samba shares - one for "external" use that provieds access to the subversion system the server is in a university campus in a virtual networkzone, but the filters there are open to my servers. apache httpd 2.2.3-11 subversion 1.4.2-2 iptables 1.3.5-4 iptables-ipv6 1.3.5-4 iptables added (created with firewall builder 3), only certain networks have access on the port 443, some on the samba shares on the server and some on the ssh port, everything else is closed down. cronjob, that refreshed the firewall builder iptables all 15min. (*/15 * * * * /bin/sh /etc/firewall/IkaFw.fw > /dev/null) svn clients mostly with tortoise over h

Building the conntrack rule from scratch

Bryan Duff — 2008-11-26T21:45:07

If I build a conntrack rule (before any traffic actually traverses), and then send traffic through, the conntrack rule gets used, but no SNAT takes place. It sends the packet outbound with a source IP on the LAN instead of using the reply-dst and SNAT'ing to the WAN side. How do I get it to SNAT the packet? In this way I'm circumventing iptables (why use it when you already have all the information anyway) - so nat POSTROUTING is never actually touched by the first outbound packet - it's picked up by the conntrack rule. Tell me if I'm missing something, or if more information is needed. -Bryan -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

netfilter: ctnetlink: fix GFP_KERNEL allocation under spinlock

Patrick McHardy — 2008-11-26T11:23:08

This patch for 2.6.28 fixes a GFP_KERNEL allocation under spinlock in ctnetlink that was missed in the conntrack creation race fix. Please apply, thanks.

getting kernel compilation error after applying patches using p-o-m

2008-11-25T01:49:21

Hi, I am trying to build IPTable-1.4.2 with Red Hat Linux v4 U3 - kernel-2.6.9-34.EL. I have taken the following steps- I downloaded source code of iptables-1.4.2. I compiled and installed the IPTables-1.4.2 using the following command. # make # make install # and then I rebooted linux Then, I used the patch-o-matic to apply the set of patches( I downloaded the patch-o-match-ng using git clone, git://git.netfilter.org/patch-o-matic-ng) I am having kernel-2.6.9.34EL source code at /usr/src/kernel-2.6.9/linux-2.6.9 and IPTable-1.4.2 source code at /usr/src/iptables-1.4.2 I used the following steps to apply the patches- [root< at >RHEL4U3 patch-o-matic-ng]# export KERNEL_DIR=/usr/src/kernel-2.6.9/linux-2.6.9/ [root< at >RHEL4U3 patch-o-matic-ng]# export IPTABLES_DIR=/usr/src/iptables-1.4.2/ [root< at >RHEL4U3 patch-o-matic-ng]# ./runme base I applied all patches (which applies cleanly) and then used the following steps to build the kernel- [root< at >RHEL4U3]# make oldconfig [root< at >RHEL4U3]# make menuconfig [root< at >RHEL4U3]

[PATCH 0/2] routing via nfmark in OUTPUT NFQUEUE

Eric Leblond — 2008-11-24T20:46:45

Hi, This small patchset is a resend of a work by Laurent Licour. It adds a rerouting possibility if the mark has been changed in OUTPUT via NFQUEUE. First patch is IPv4 version from Laurent Licour, second patch is a port to IPv6 I've done. BR, -- Eric Leblond inl.fr> NuFW, Now User Filtering Works : http://www.nufw.org -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

netfilter 00/03: netfilter fixes

Patrick McHardy — 2008-11-24T13:44:35

Hi Dave, the following three patches for 2.6.28 fix a couple of netfilter issues: - a conntrack creation race in ctnetlink that can cause NULL pointer dereferences in ctnetlink and duplicate conntrack entries. - a missing const qualifier that got lost during the encapsulation of iptables target parameters - a crash with bridge netfilter and GRE caused by a missing update_pmtu() function for the fake dst_entry. Please apply, thanks. include/linux/netfilter/x_tables.h | 2 +- net/bridge/br_netfilter.c | 13 +++++++++++++ net/netfilter/nf_conntrack_core.c | 2 -- net/netfilter/nf_conntrack_netlink.c | 5 +++-- 4 files changed, 17 insertions(+), 5 deletions(-) Herbert Xu (1): bridge: netfilter: fix update_pmtu crash with GRE Jan Engelhardt (1): netfilter: xtables: add missing const qualifier to xt_tgchk_param Patrick McHardy (1): netfilter: ctnetlink: fix conntrack creation race -- To unsubscribe from this list: send the line "unsubscribe netfilter-de

I need help with libnetfilter_queue

ilninno — 2008-11-23T14:03:49

Hi again! I need help with libnetfilter_queue, I searched examples, but I only found one simple test. My problem is that i need source ip and source port, but i don't know how can i get from struct nfq_data *pkt in the callback function. Sorry for my english and thanks for your time :) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

reinject packets

赵磊 — 2008-11-23T08:51:42

Hi, I register an NF_IP_PRE_ROUTING hook that check all the incoming packets and return NF_STOLEN on particular TCP packets. I’m trying to reinject them into the TCP/IP stack later. Any advice about how this can be achieved in a module? Does netfilter provide such a functionality? Thanks a lot.

iptables (1.4.2 release) failed to run on embedded system with "can't initialize iptables table `filter'"

David Wu — 2008-11-21T14:51:38

I am trying to run iptables (1.4.2 release)on a MCF53281(m68knommu, 2.6.26 kernel) embedded board. It failed with " iptables v1.4.2: can't initialize iptables table `filter': No chain/target/match by that name Perhaps iptables or your kernel needs to be upgraded. I traced the calls and found out that it failed at iptcc_chain_index_alloc(): h->chain_index = malloc(array_mem); in the first call to iptcc_chain_index_alloc() array_mem is 0 which means malloc(0) is called in the above statement. depends on the implementation malloc(0) may return NULL which is the case for m68k-uclinux-gcc(gcc version 4.2.3 and uClibc-0.9.29-20081003) I have changed the code to: if(array_mem == 0) h->chain_index = malloc(1); else h->chain_index = malloc(array_mem); and it works(while I have to fix another error -- ip_tables: ERROR target: invalid size 30 != 32) My question: 1 why tries to allocate 0 size memory, it is useful? 2 is there any problem to

problem with iptables....badly need help

varun uppal — 2008-11-21T11:40:31

Hi, I am using iptables to queue the packets and then read them from IP_queue. The downloads stop, I took tcpdump on Ethernet interface and loopback interface, the data seems to be getting corrupted By the time it hits INPUT chain or is read from ip_queue. I have red hat enterprise linux 4, with kernel 2.6.9-42 and iptables version 1.2.11 please please badly need help. thanks varun -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

NF_STOLEN

赵磊 — 2008-11-21T02:17:06

Hi, I register a NF_IP_PRE_ROUTING hook that check the incoming packets. I’m trying to return NF_STOLEN on particular TCP packets and later pass them to the TCP module of the kernel. Any advice about how this can be achieved? Thanks a lot. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

doc: fix a typo in libip6t_REJECT.man

Jan Engelhardt — 2008-11-20T16:40:50

commit 0b474f182c0735e3920a4ae8ade73e8a6aaedecf Author: Jan Engelhardt medozas.de> Date: Thu Nov 20 17:21:04 2008 +0100 doc: fix a typo in libip6t_REJECT.man Signed-off-by: Jan Engelhardt medozas.de> --- extensions/libip6t_REJECT.man | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man index 909d826..877a769 100644 --- a/extensions/libip6t_REJECT.man +++ b/extensions/libip6t_REJECT.man < at >< at > -32,5 +32,4 < at >< at > TCP RST packet to be sent back. This is mainly useful for blocking (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise). .B tcp-reset -can only be used with kernel versions 2.6.14 or latter. - +can only be used with kernel versions 2.6.14 or later. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo

[PATCH] nf_conntrack_proto_gre: spread __exit

Alexey Dobriyan — 2008-11-20T09:01:20

Signed-off-by: Alexey Dobriyan gmail.com> --- net/netfilter/nf_conntrack_proto_gre.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/netfilter/nf_conntrack_proto_gre.c +++ b/net/netfilter/nf_conntrack_proto_gre.c < at >< at > -341,7 +341,7 < at >< at > static int __init nf_ct_proto_gre_init(void) return rv; } -static void nf_ct_proto_gre_fini(void) +static void __exit nf_ct_proto_gre_fini(void) { nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4); unregister_pernet_gen_subsys(proto_gre_net_id, &proto_gre_net_ops); -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

[PATCH] ip6table_filter: merge LOCAL_IN and FORWARD hooks

Alexey Dobriyan — 2008-11-20T09:00:23

Signed-off-by: Alexey Dobriyan gmail.com> --- net/ipv6/netfilter/ip6table_filter.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c < at >< at > -61,7 +61,7 < at >< at > static struct xt_table packet_filter = { /* The work comes in here from netfilter.c. */ static unsigned int -ip6t_local_in_hook(unsigned int hook, +ip6t_in_hook(unsigned int hook, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, < at >< at > -72,17 +72,6 < at >< at > ip6t_local_in_hook(unsigned int hook, } static unsigned int -ip6t_forward_hook(unsigned int hook, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ -return ip6t_do_table(skb, hook, in, out, - dev_net(in)->ipv6.ip6table_filter); -} - -static unsigned int ip6t_local_out_hook(unsigned int hook, struct sk_buff *skb, const struct net_device

xt_recent: don't save proc dirs

Alexey Dobriyan — 2008-11-20T08:58:43

Not needed, since creation and removal are done by name. Signed-off-by: Alexey Dobriyan gmail.com> --- net/netfilter/xt_recent.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) --- a/net/netfilter/xt_recent.c +++ b/net/netfilter/xt_recent.c < at >< at > -72,9 +72,6 < at >< at > struct recent_entry { struct recent_table { struct list_headlist; charname[XT_RECENT_NAME_LEN]; -#ifdef CONFIG_PROC_FS -struct proc_dir_entry*proc_old, *proc; -#endif unsigned intrefcnt; unsigned intentries; struct list_headlru_list; < at >< at > -284,6 +281,9 < at >< at > static bool recent_mt_check(const struct xt_mtchk_param *par) { const struct xt_recent_mtinfo *info = par->matchinfo; struct recent_table *t; +#ifdef CONFIG_PROC_FS +struct proc_dir_entry *pde; +#endif unsigned i; bool ret = false; < at >< at > -318,25 +318,25 < at >< at > static bool recent_mt_check(const struct xt_mtchk_param *par) for (i = 0; i < ip_list_hash_size; i++) INIT_LIST_HEAD(&t->iphash[i]); #ifdef CONFIG_PROC_FS -t->proc = p

山鉧科技網頁設計

張明杰 — 2008-11-19T06:26:07

山鉧科技網頁設計 ◇我們的宗旨：客戶的每ㄧ件小事情，都是山鉧的大事情＝＝我們在推出企業形象網站包含前台網頁美工+後台管理程式＄限時限量專案價只要$29,900 ％(在送ㄧ年100MB不限流量網站空間) ▽我們做的不只是網站，而是您企業的入口＆ㄧ個好的企業網站資料即時更新的速度是很重要的－企業ｅ化的高品質團隊，打造您的網路門面 ↖選擇山鉧成就您的夢想～～～～～～～～～～～～～～～～～～～～～～～～～～ PS: 線上購物網站我們還可提供刷卡機制，　　與線上列印帳單全省超商+郵局繳費......等金流服務機制～～～～～～～～～～～～～～～～～～～～～～～～～～歡迎來電洽詢黃專員（Sam）：0980119812 / 0938764395 ～～～～～～～～～～～～～～～～～～～～～～～～～～本公司另外提供關鍵字SEO排序服務保證將您的網站在Yx / Gx ...

improve error handling: previous patches

Pablo Neira Ayuso — 2008-11-18T23:46:13

The previous patches improve a bit the iptables error handling. The last two patches may seem very stupid but I have seen people stuck on this errors a lot during some training sessions in the university. If nobody objects I'll push the to git.