1. 25 Sep, 2016 5 commits
    • Vishwanath Pai's avatar
      netfilter: xt_hashlimit: Prepare for revision 2 · 0dc60a45
      Vishwanath Pai authored
      I am planning to add a revision 2 for the hashlimit xtables module to
      support higher packets per second rates. This patch renames all the
      functions and variables related to revision 1 by adding _v1 at the
      end of the names.
      Signed-off-by: default avatarVishwanath Pai <vpai@akamai.com>
      Signed-off-by: default avatarJoshua Hunt <johunt@akamai.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      0dc60a45
    • Liping Zhang's avatar
      netfilter: nft_ct: report error if mark and dir specified simultaneously · 7bfdde70
      Liping Zhang authored
      NFT_CT_MARK is unrelated to direction, so if NFTA_CT_DIRECTION attr is
      specified, report EINVAL to the userspace. This validation check was
      already done at nft_ct_get_init, but we missed it in nft_ct_set_init.
      Signed-off-by: default avatarLiping Zhang <liping.zhang@spreadtrum.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7bfdde70
    • Liping Zhang's avatar
      netfilter: nft_ct: unnecessary to require dir when use ct l3proto/protocol · d767ff2c
      Liping Zhang authored
      Currently, if the user want to match ct l3proto, we must specify the
      direction, for example:
        # nft add rule filter input ct original l3proto ipv4
                                       ^^^^^^^^
      Otherwise, error message will be reported:
        # nft add rule filter input ct l3proto ipv4
        nft add rule filter input ct l3proto ipv4
        <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
        add rule filter input ct l3proto ipv4
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      
      Actually, there's no need to require NFTA_CT_DIRECTION attr, because
      ct l3proto and protocol are unrelated to direction.
      
      And for compatibility, even if the user specify the NFTA_CT_DIRECTION
      attr, do not report error, just skip it.
      Signed-off-by: default avatarLiping Zhang <liping.zhang@spreadtrum.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      d767ff2c
    • Gao Feng's avatar
      netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack · 8d11350f
      Gao Feng authored
      It is valid that the TCP RST packet which does not set ack flag, and bytes
      of ack number are zero. But current seqadj codes would adjust the "0" ack
      to invalid ack number. Actually seqadj need to check the ack flag before
      adjust it for these RST packets.
      
      The following is my test case
      
      client is 10.26.98.245, and add one iptable rule:
      iptables  -I INPUT -p tcp --sport 12345 -m connbytes --connbytes 2:
      --connbytes-dir reply --connbytes-mode packets -j REJECT --reject-with
      tcp-reset
      This iptables rule could generate on TCP RST without ack flag.
      
      server:10.172.135.55
      Enable the synproxy with seqadjust by the following iptables rules
      iptables -t raw -A PREROUTING -i eth0 -p tcp -d 10.172.135.55 --dport 12345
      -m tcp --syn -j CT --notrack
      
      iptables -A INPUT -i eth0 -p tcp -d 10.172.135.55 --dport 12345 -m conntrack
      --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7
      --mss 1460
      iptables -A OUTPUT -o eth0 -p tcp -s 10.172.135.55 --sport 12345 -m conntrack
      --ctstate INVALID,UNTRACKED -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j ACCEPT
      
      The following is my test result.
      
      1. packet trace on client
      root@routers:/tmp# tcpdump -i eth0 tcp port 12345 -n
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
      IP 10.26.98.245.45154 > 10.172.135.55.12345: Flags [S], seq 3695959829,
      win 29200, options [mss 1460,sackOK,TS val 452367884 ecr 0,nop,wscale 7],
      length 0
      IP 10.172.135.55.12345 > 10.26.98.245.45154: Flags [S.], seq 546723266,
      ack 3695959830, win 0, options [mss 1460,sackOK,TS val 15643479 ecr 452367884,
      nop,wscale 7], length 0
      IP 10.26.98.245.45154 > 10.172.135.55.12345: Flags [.], ack 1, win 229,
      options [nop,nop,TS val 452367885 ecr 15643479], length 0
      IP 10.172.135.55.12345 > 10.26.98.245.45154: Flags [.], ack 1, win 226,
      options [nop,nop,TS val 15643479 ecr 452367885], length 0
      IP 10.26.98.245.45154 > 10.172.135.55.12345: Flags [R], seq 3695959830,
      win 0, length 0
      
      2. seqadj log on server
      [62873.867319] Adjusting sequence number from 602341895->546723267,
      ack from 3695959830->3695959830
      [62873.867644] Adjusting sequence number from 602341895->546723267,
      ack from 3695959830->3695959830
      [62873.869040] Adjusting sequence number from 3695959830->3695959830,
      ack from 0->55618628
      
      To summarize, it is clear that the seqadj codes adjust the 0 ack when receive
      one TCP RST packet without ack.
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      8d11350f
    • Aaron Conole's avatar
      netfilter: replace list_head with single linked list · e3b37f11
      Aaron Conole authored
      The netfilter hook list never uses the prev pointer, and so can be trimmed to
      be a simple singly-linked list.
      
      In addition to having a more light weight structure for hook traversal,
      struct net becomes 5568 bytes (down from 6400) and struct net_device becomes
      2176 bytes (down from 2240).
      Signed-off-by: default avatarAaron Conole <aconole@bytheb.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      e3b37f11
  2. 24 Sep, 2016 7 commits
  3. 23 Sep, 2016 8 commits
  4. 22 Sep, 2016 1 commit
  5. 13 Sep, 2016 1 commit
  6. 12 Sep, 2016 13 commits
  7. 09 Sep, 2016 2 commits
  8. 07 Sep, 2016 3 commits
    • Marco Angaroni's avatar
      netfilter: nf_ct_sip: allow tab character in SIP headers · 1bcabc81
      Marco Angaroni authored
      Current parsing methods for SIP headers do not allow the presence of
      tab characters between header name and header value. As a result Call-ID
      SIP headers like the following are discarded by IPVS SIP persistence
      engine:
      
      "Call-ID\t: mycallid@abcde"
      "Call-ID:\tmycallid@abcde"
      
      In above examples Call-IDs are represented as strings in C language.
      Obviously in real message we have byte "09" before/after colon (":").
      
      Proposed fix is in nf_conntrack_sip module.
      Function sip_skip_whitespace() should skip tabs in addition to spaces,
      since in SIP grammar whitespace (WSP) corresponds to space or tab.
      
      Below is an extract of relevant SIP ABNF syntax.
      
      Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
      callid   =  word [ "@" word ]
      
      HCOLON  =  *( SP / HTAB ) ":" SWS
      SWS     =  [LWS] ; sep whitespace
      LWS     =  [*WSP CRLF] 1*WSP ; linear whitespace
      WSP     =  SP / HTAB
      word    =  1*(alphanum / "-" / "." / "!" / "%" / "*" /
                 "_" / "+" / "`" / "'" / "~" /
                 "(" / ")" / "<" / ">" /
                 ":" / "\" / DQUOTE /
                 "/" / "[" / "]" / "?" /
                 "{" / "}" )
      Signed-off-by: default avatarMarco Angaroni <marcoangaroni@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1bcabc81
    • Pablo Neira Ayuso's avatar
      netfilter: nft_quota: introduce nft_overquota() · 22609b43
      Pablo Neira Ayuso authored
      This is patch renames the existing function to nft_overquota() and make
      it return a boolean that tells us if we have exceeded our byte quota.
      Just a cleanup.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      22609b43
    • Pablo Neira Ayuso's avatar
      netfilter: nft_quota: fix overquota logic · db6d857b
      Pablo Neira Ayuso authored
      Use xor to decide to break further rule evaluation or not, since the
      existing logic doesn't achieve the expected inversion.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      db6d857b