Revision tags: v5.8.12, v5.8.11, v5.8.10 |
|
#
8a8b9047 |
| 16-Sep-2020 |
YueHaibing <yuehaibing@huawei.com> |
netfilter: nf_tables: Remove ununsed function nft_data_debug
It is never used, so can be removed.
Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter
netfilter: nf_tables: Remove ununsed function nft_data_debug
It is never used, so can be removed.
Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.8.9, v5.8.8 |
|
#
b131c964 |
| 08-Sep-2020 |
Jose M. Guisado Gomez <guigom@riseup.net> |
netfilter: nf_tables: add userdata support for nft_object
Enables storing userdata for nft_object. Initially this will store an optional comment but can be extended in the future as needed.
Adds ne
netfilter: nf_tables: add userdata support for nft_object
Enables storing userdata for nft_object. Initially this will store an optional comment but can be extended in the future as needed.
Adds new attribute NFTA_OBJ_USERDATA to nft_object.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.8.7, v5.8.6, v5.4.62, v5.8.5, v5.8.4, v5.4.61, v5.8.3, v5.4.60 |
|
#
7a81575b |
| 20-Aug-2020 |
Jose M. Guisado Gomez <guigom@riseup.net> |
netfilter: nf_tables: add userdata attributes to nft_table
Enables storing userdata for nft_table. Field udata points to user data and udlen store its length.
Adds new attribute flag NFTA_TABLE_USE
netfilter: nf_tables: add userdata attributes to nft_table
Enables storing userdata for nft_table. Field udata points to user data and udlen store its length.
Adds new attribute flag NFTA_TABLE_USERDATA
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
#
1e105e6a |
| 20-Aug-2020 |
Florian Westphal <fw@strlen.de> |
netfilter: nf_tables: fix destination register zeroing
Following bug was reported via irc: nft list ruleset set knock_candidates_ipv4 { type ipv4_addr . inet_service size 65535
netfilter: nf_tables: fix destination register zeroing
Following bug was reported via irc: nft list ruleset set knock_candidates_ipv4 { type ipv4_addr . inet_service size 65535 elements = { 127.0.0.1 . 123, 127.0.0.1 . 123 } } .. udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 } udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport }
It should not have been possible to add a duplicate set entry.
After some debugging it turned out that the problem is the immediate value (123) in the second-to-last rule.
Concatenations use 32bit registers, i.e. the elements are 8 bytes each, not 6 and it turns out the kernel inserted
inet firewall @knock_candidates_ipv4 element 0100007f ffff7b00 : 0 [end] element 0100007f 00007b00 : 0 [end]
Note the non-zero upper bits of the first element. It turns out that nft_immediate doesn't zero the destination register, but this is needed when the length isn't a multiple of 4.
Furthermore, the zeroing in nft_payload is broken. We can't use [len / 4] = 0 -- if len is a multiple of 4, index is off by one.
Skip zeroing in this case and use a conditional instead of (len -1) / 4.
Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.8.2, v5.4.59, v5.8.1, v5.4.58, v5.4.57, v5.4.56, v5.8, v5.7.12, v5.4.55, v5.7.11, v5.4.54 |
|
#
ffe8923f |
| 24-Jul-2020 |
Florian Westphal <fw@strlen.de> |
netfilter: nft_compat: make sure xtables destructors have run
Pablo Neira found that after recent update of xt_IDLETIMER the iptables-nft tests sometimes show an error.
He tracked this down to the
netfilter: nft_compat: make sure xtables destructors have run
Pablo Neira found that after recent update of xt_IDLETIMER the iptables-nft tests sometimes show an error.
He tracked this down to the delayed cleanup used by nf_tables core: del rule (transaction A) add rule (transaction B)
Its possible that by time transaction B (both in same netns) runs, the xt target destructor has not been invoked yet.
For native nft expressions this is no problem because all expressions that have such side effects make sure these are handled from the commit phase, rather than async cleanup.
For nft_compat however this isn't true.
Instead of forcing synchronous behaviour for nft_compat, keep track of the number of outstanding destructor calls.
When we attempt to create a new expression, flush the cleanup worker to make sure destructors have completed.
With lots of help from Pablo Neira.
Reported-by: Pablo Neira Ayso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.7.10, v5.4.53, v5.4.52, v5.7.9, v5.7.8, v5.4.51, v5.4.50, v5.7.7 |
|
#
d0e2c7de |
| 30-Jun-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: add NFT_CHAIN_BINDING
This new chain flag specifies that:
* the kernel dynamically allocates the chain name, if no chain name is specified.
* If the immediate expression th
netfilter: nf_tables: add NFT_CHAIN_BINDING
This new chain flag specifies that:
* the kernel dynamically allocates the chain name, if no chain name is specified.
* If the immediate expression that refers to this chain is removed, then this bound chain (and its content) is destroyed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
#
67c49de4 |
| 30-Jun-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: expose enum nft_chain_flags through UAPI
This enum definition was never exposed through UAPI. Rename NFT_BASE_CHAIN to NFT_CHAIN_BASE for consistency.
Signed-off-by: Pablo Nei
netfilter: nf_tables: expose enum nft_chain_flags through UAPI
This enum definition was never exposed through UAPI. Rename NFT_BASE_CHAIN to NFT_CHAIN_BASE for consistency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
#
74cccc3d |
| 30-Jun-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: add NFTA_CHAIN_ID attribute
This netlink attribute allows you to refer to chains inside a transaction as an alternative to the name and the handle. The chain binding support re
netfilter: nf_tables: add NFTA_CHAIN_ID attribute
This netlink attribute allows you to refer to chains inside a transaction as an alternative to the name and the handle. The chain binding support requires this new chain ID approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.4.49, v5.7.6, v5.7.5, v5.4.48, v5.7.4, v5.7.3, v5.4.47, v5.4.46, v5.7.2, v5.4.45, v5.7.1, v5.4.44, v5.7, v5.4.43 |
|
#
abadb2f8 |
| 20-May-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: delete devices from flowtable
This patch allows users to delete devices from existing flowtables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
#
78d9f48f |
| 20-May-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: add devices to existing flowtable
This patch allows users to add devices to an existing flowtable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Revision tags: v5.4.42, v5.4.41, v5.4.40, v5.4.39, v5.4.38, v5.4.37, v5.4.36 |
|
#
fdb9c405 |
| 24-Apr-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: allow up to 64 bytes in the set element data area
So far, the set elements could store up to 128-bits in the data area.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Revision tags: v5.4.35, v5.4.34, v5.4.33, v5.4.32, v5.4.31, v5.4.30, v5.4.29 |
|
#
a26c1e49 |
| 31-Mar-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: do not update stateful expressions if lookup is inverted
Initialize set lookup matching element to NULL. Otherwise, the NFT_LOOKUP_F_INV flag reverses the matching logic and it
netfilter: nf_tables: do not update stateful expressions if lookup is inverted
Initialize set lookup matching element to NULL. Otherwise, the NFT_LOOKUP_F_INV flag reverses the matching logic and it leads to deference an uninitialized pointer to the matching element. Make sure element data area and stateful expression are accessed if there is a matching set element.
This patch undoes 24791b9aa1ab ("netfilter: nft_set_bitmap: initialize set element extension in lookups") which is not required anymore.
Fixes: 339706bc21c1 ("netfilter: nft_lookup: update element stateful expression") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.6 |
|
#
d56aab26 |
| 27-Mar-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: skip set types that do not support for expressions
The bitmap set does not support for expressions, skip it from the estimation step.
Signed-off-by: Pablo Neira Ayuso <pablo@n
netfilter: nf_tables: skip set types that do not support for expressions
The bitmap set does not support for expressions, skip it from the estimation step.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.4.28, v5.4.27, v5.4.26 |
|
#
65038428 |
| 17-Mar-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: allow to specify stateful expression in set definition
This patch allows users to specify the stateful expression for the elements in this set via NFTA_SET_EXPR. This new featu
netfilter: nf_tables: allow to specify stateful expression in set definition
This patch allows users to specify the stateful expression for the elements in this set via NFTA_SET_EXPR. This new feature allows you to turn on counters for all of the elements in this set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
#
c604cc69 |
| 17-Mar-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: move nft_expr_clone() to nf_tables_api.c
Move the nft_expr_clone() helper function to the core.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Revision tags: v5.4.25 |
|
#
76adfafe |
| 11-Mar-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: add nft_set_elem_update_expr() helper function
This helper function runs the eval path of the stateful expression of an existing set element.
Signed-off-by: Pablo Neira Ayuso
netfilter: nf_tables: add nft_set_elem_update_expr() helper function
This helper function runs the eval path of the stateful expression of an existing set element.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
#
795a6d6b |
| 11-Mar-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: statify nft_expr_init()
Not exposed anymore to modules, statify this function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
#
a7fc9368 |
| 11-Mar-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: add nft_set_elem_expr_alloc()
Add helper function to create stateful expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Revision tags: v5.4.24, v5.4.23, v5.4.22 |
|
#
6daf1414 |
| 20-Feb-2020 |
Gustavo A. R. Silva <gustavo@embeddedor.com> |
netfilter: Replace zero-length array with flexible-array member
The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare
netfilter: Replace zero-length array with flexible-array member
The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99:
struct foo { int stuff; struct boo array[]; };
By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on.
Also, notice that, dynamic memory allocations won't be affected by this change:
"Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1]
Lastly, fix checkpatch.pl warning WARNING: __aligned(size) is preferred over __attribute__((aligned(size))) in net/bridge/netfilter/ebtables.c
This issue was found with the help of Coccinelle.
[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.4.21 |
|
#
24d19826 |
| 18-Feb-2020 |
Florian Westphal <fw@strlen.de> |
netfilter: nf_tables: make all set structs const
They do not need to be writeable anymore.
v2: remove left-over __read_mostly annotation in set_pipapo.c (Stefano)
Signed-off-by: Florian Westphal <
netfilter: nf_tables: make all set structs const
They do not need to be writeable anymore.
v2: remove left-over __read_mostly annotation in set_pipapo.c (Stefano)
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
#
e32a4dc6 |
| 18-Feb-2020 |
Florian Westphal <fw@strlen.de> |
netfilter: nf_tables: make sets built-in
Placing nftables set support in an extra module is pointless:
1. nf_tables needs dynamic registeration interface for sake of one module 2. nft heavily relie
netfilter: nf_tables: make sets built-in
Placing nftables set support in an extra module is pointless:
1. nf_tables needs dynamic registeration interface for sake of one module 2. nft heavily relies on sets, e.g. even simple rule like "nft ... tcp dport { 80, 443 }" will not work with _SETS=n.
IOW, either nftables isn't used or both nf_tables and nf_tables_set modules are needed anyway.
With extra module: 307K net/netfilter/nf_tables.ko 79K net/netfilter/nf_tables_set.ko
text data bss dec filename 146416 3072 545 150033 nf_tables.ko 35496 1817 0 37313 nf_tables_set.ko
This patch: 373K net/netfilter/nf_tables.ko
178563 4049 545 183157 nf_tables.ko
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.4.20, v5.4.19, v5.4.18, v5.4.17, v5.4.16, v5.5, v5.4.15, v5.4.14 |
|
#
f3a2181e |
| 21-Jan-2020 |
Stefano Brivio <sbrivio@redhat.com> |
netfilter: nf_tables: Support for sets with multiple ranged fields
Introduce a new nested netlink attribute, NFTA_SET_DESC_CONCAT, used to specify the length of each field in a set concatenation.
T
netfilter: nf_tables: Support for sets with multiple ranged fields
Introduce a new nested netlink attribute, NFTA_SET_DESC_CONCAT, used to specify the length of each field in a set concatenation.
This allows set implementations to support concatenation of multiple ranged items, as they can divide the input key into matching data for every single field. Such set implementations would be selected as they specify support for NFT_SET_INTERVAL and allow desc->field_count to be greater than one. Explicitly disallow this for nft_set_rbtree.
In order to specify the interval for a set entry, userspace would include in NFTA_SET_DESC_CONCAT attributes field lengths, and pass range endpoints as two separate keys, represented by attributes NFTA_SET_ELEM_KEY and NFTA_SET_ELEM_KEY_END.
While at it, export the number of 32-bit registers available for packet matching, as nftables will need this to know the maximum number of field lengths that can be specified.
For example, "packets with an IPv4 address between 192.0.2.0 and 192.0.2.42, with destination port between 22 and 25", can be expressed as two concatenated elements:
NFTA_SET_ELEM_KEY: 192.0.2.0 . 22 NFTA_SET_ELEM_KEY_END: 192.0.2.42 . 25
and NFTA_SET_DESC_CONCAT attribute would contain:
NFTA_LIST_ELEM NFTA_SET_FIELD_LEN: 4 NFTA_LIST_ELEM NFTA_SET_FIELD_LEN: 2
v4: No changes v3: Complete rework, NFTA_SET_DESC_CONCAT instead of NFTA_SET_SUBKEY v2: No changes
Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
#
7b225d0b |
| 21-Jan-2020 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: add NFTA_SET_ELEM_KEY_END attribute
Add NFTA_SET_ELEM_KEY_END attribute to convey the closing element of the interval between kernel and userspace.
This patch also adds the NF
netfilter: nf_tables: add NFTA_SET_ELEM_KEY_END attribute
Add NFTA_SET_ELEM_KEY_END attribute to convey the closing element of the interval between kernel and userspace.
This patch also adds the NFT_SET_EXT_KEY_END extension to store the closing element value in this interval.
v4: No changes v3: New patch
[sbrivio: refactor error paths and labels; add corresponding nft_set_ext_type for new key; rebase] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|
Revision tags: v5.4.13, v5.4.12, v5.4.11, v5.4.10, v5.4.9, v5.4.8, v5.4.7, v5.4.6, v5.4.5, v5.4.4, v5.4.3, v5.3.15, v5.4.2, v5.4.1, v5.3.14, v5.4, v5.3.13, v5.3.12 |
|
#
7cd9a58d |
| 19-Nov-2019 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_tables: constify nft_reg_load{8, 16, 64}()
This patch constifies the pointer to source register data that is passed as an input parameter.
Signed-off-by: Pablo Neira Ayuso <pablo@netf
netfilter: nf_tables: constify nft_reg_load{8, 16, 64}()
This patch constifies the pointer to source register data that is passed as an input parameter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
Revision tags: v5.3.11, v5.3.10, v5.3.9 |
|
#
250367c5 |
| 31-Oct-2019 |
Lukas Wunner <lukas@wunner.de> |
netfilter: nf_tables: Align nft_expr private data to 64-bit
Invoking the following commands on a 32-bit architecture with strict alignment requirements (such as an ARMv7-based Raspberry Pi) results
netfilter: nf_tables: Align nft_expr private data to 64-bit
Invoking the following commands on a 32-bit architecture with strict alignment requirements (such as an ARMv7-based Raspberry Pi) results in an alignment exception:
# nft add table ip test-ip4 # nft add chain ip test-ip4 output { type filter hook output priority 0; } # nft add rule ip test-ip4 output quota 1025 bytes
Alignment trap: not handling instruction e1b26f9f at [<7f4473f8>] Unhandled fault: alignment exception (0x001) at 0xb832e824 Internal error: : 1 [#1] PREEMPT SMP ARM Hardware name: BCM2835 [<7f4473fc>] (nft_quota_do_init [nft_quota]) [<7f447448>] (nft_quota_init [nft_quota]) [<7f4260d0>] (nf_tables_newrule [nf_tables]) [<7f4168dc>] (nfnetlink_rcv_batch [nfnetlink]) [<7f416bd0>] (nfnetlink_rcv [nfnetlink]) [<8078b334>] (netlink_unicast) [<8078b664>] (netlink_sendmsg) [<8071b47c>] (sock_sendmsg) [<8071bd18>] (___sys_sendmsg) [<8071ce3c>] (__sys_sendmsg) [<8071ce94>] (sys_sendmsg)
The reason is that nft_quota_do_init() calls atomic64_set() on an atomic64_t which is only aligned to 32-bit, not 64-bit, because it succeeds struct nft_expr in memory which only contains a 32-bit pointer. Fix by aligning the nft_expr private data to 64-bit.
Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Lukas Wunner <lukas@wunner.de> Cc: stable@vger.kernel.org # v3.13+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
show more ...
|