1. 25 Sep, 2016 8 commits
    • KOVACS Krisztian's avatar
      netfilter: xt_socket: fix transparent match for IPv6 request sockets · 7a682575
      KOVACS Krisztian authored
      The introduction of TCP_NEW_SYN_RECV state, and the addition of request
      sockets to the ehash table seems to have broken the --transparent option
      of the socket match for IPv6 (around commit a9407000).
      
      Now that the socket lookup finds the TCP_NEW_SYN_RECV socket instead of the
      listener, the --transparent option tries to match on the no_srccheck flag
      of the request socket.
      
      Unfortunately, that flag was only set for IPv4 sockets in tcp_v4_init_req()
      by copying the transparent flag of the listener socket. This effectively
      causes '-m socket --transparent' not match on the ACK packet sent by the
      client in a TCP handshake.
      
      Based on the suggestion from Eric Dumazet, this change moves the code
      initializing no_srccheck to tcp_conn_request(), rendering the above
      scenario working again.
      
      Fixes: a9407000 ("netfilter: xt_socket: prepare for TCP_NEW_SYN_RECV support")
      Signed-off-by: default avatarAlex Badics <alex.badics@balabit.com>
      Signed-off-by: default avatarKOVACS Krisztian <hidden@balabit.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7a682575
    • Florian Westphal's avatar
      netfilter: evict stale entries when user reads /proc/net/nf_conntrack · 58e207e4
      Florian Westphal authored
      Fabian reports a possible conntrack memory leak (could not reproduce so
      far), however, one minor issue can be easily resolved:
      
      > cat /proc/net/nf_conntrack | wc -l = 5
      > 4 minutes required to clean up the table.
      
      We should not report those timed-out entries to the user in first place.
      And instead of just skipping those timed-out entries while iterating over
      the table we can also zap them (we already do this during ctnetlink
      walks, but I forgot about the /proc interface).
      
      Fixes: f330a7fd ("netfilter: conntrack: get rid of conntrack timer")
      Reported-by: default avatarFabian Frederick <fabf@skynet.be>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      58e207e4
    • Vishwanath Pai's avatar
      netfilter: xt_hashlimit: Create revision 2 to support higher pps rates · 11d5f157
      Vishwanath Pai authored
      Create a new revision for the hashlimit iptables extension module. Rev 2
      will support higher pps of upto 1 million, Version 1 supports only 10k.
      
      To support this we have to increase the size of the variables avg and
      burst in hashlimit_cfg to 64-bit. Create two new structs hashlimit_cfg2
      and xt_hashlimit_mtinfo2 and also create newer versions of all the
      functions for match, checkentry and destroy.
      
      Some of the functions like hashlimit_mt, hashlimit_mt_check etc are very
      similar in both rev1 and rev2 with only minor changes, so I have split
      those functions and moved all the common code to a *_common function.
      Signed-off-by: default avatarVishwanath Pai <vpai@akamai.com>
      Signed-off-by: default avatarJoshua Hunt <johunt@akamai.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      11d5f157
    • Vishwanath Pai's avatar
      netfilter: xt_hashlimit: Prepare for revision 2 · 0dc60a45
      Vishwanath Pai authored
      I am planning to add a revision 2 for the hashlimit xtables module to
      support higher packets per second rates. This patch renames all the
      functions and variables related to revision 1 by adding _v1 at the
      end of the names.
      Signed-off-by: default avatarVishwanath Pai <vpai@akamai.com>
      Signed-off-by: default avatarJoshua Hunt <johunt@akamai.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      0dc60a45
    • Liping Zhang's avatar
      netfilter: nft_ct: report error if mark and dir specified simultaneously · 7bfdde70
      Liping Zhang authored
      NFT_CT_MARK is unrelated to direction, so if NFTA_CT_DIRECTION attr is
      specified, report EINVAL to the userspace. This validation check was
      already done at nft_ct_get_init, but we missed it in nft_ct_set_init.
      Signed-off-by: default avatarLiping Zhang <liping.zhang@spreadtrum.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7bfdde70
    • Liping Zhang's avatar
      netfilter: nft_ct: unnecessary to require dir when use ct l3proto/protocol · d767ff2c
      Liping Zhang authored
      Currently, if the user want to match ct l3proto, we must specify the
      direction, for example:
        # nft add rule filter input ct original l3proto ipv4
                                       ^^^^^^^^
      Otherwise, error message will be reported:
        # nft add rule filter input ct l3proto ipv4
        nft add rule filter input ct l3proto ipv4
        <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
        add rule filter input ct l3proto ipv4
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      
      Actually, there's no need to require NFTA_CT_DIRECTION attr, because
      ct l3proto and protocol are unrelated to direction.
      
      And for compatibility, even if the user specify the NFTA_CT_DIRECTION
      attr, do not report error, just skip it.
      Signed-off-by: default avatarLiping Zhang <liping.zhang@spreadtrum.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      d767ff2c
    • Gao Feng's avatar
      netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack · 8d11350f
      Gao Feng authored
      It is valid that the TCP RST packet which does not set ack flag, and bytes
      of ack number are zero. But current seqadj codes would adjust the "0" ack
      to invalid ack number. Actually seqadj need to check the ack flag before
      adjust it for these RST packets.
      
      The following is my test case
      
      client is 10.26.98.245, and add one iptable rule:
      iptables  -I INPUT -p tcp --sport 12345 -m connbytes --connbytes 2:
      --connbytes-dir reply --connbytes-mode packets -j REJECT --reject-with
      tcp-reset
      This iptables rule could generate on TCP RST without ack flag.
      
      server:10.172.135.55
      Enable the synproxy with seqadjust by the following iptables rules
      iptables -t raw -A PREROUTING -i eth0 -p tcp -d 10.172.135.55 --dport 12345
      -m tcp --syn -j CT --notrack
      
      iptables -A INPUT -i eth0 -p tcp -d 10.172.135.55 --dport 12345 -m conntrack
      --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7
      --mss 1460
      iptables -A OUTPUT -o eth0 -p tcp -s 10.172.135.55 --sport 12345 -m conntrack
      --ctstate INVALID,UNTRACKED -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j ACCEPT
      
      The following is my test result.
      
      1. packet trace on client
      root@routers:/tmp# tcpdump -i eth0 tcp port 12345 -n
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
      IP 10.26.98.245.45154 > 10.172.135.55.12345: Flags [S], seq 3695959829,
      win 29200, options [mss 1460,sackOK,TS val 452367884 ecr 0,nop,wscale 7],
      length 0
      IP 10.172.135.55.12345 > 10.26.98.245.45154: Flags [S.], seq 546723266,
      ack 3695959830, win 0, options [mss 1460,sackOK,TS val 15643479 ecr 452367884,
      nop,wscale 7], length 0
      IP 10.26.98.245.45154 > 10.172.135.55.12345: Flags [.], ack 1, win 229,
      options [nop,nop,TS val 452367885 ecr 15643479], length 0
      IP 10.172.135.55.12345 > 10.26.98.245.45154: Flags [.], ack 1, win 226,
      options [nop,nop,TS val 15643479 ecr 452367885], length 0
      IP 10.26.98.245.45154 > 10.172.135.55.12345: Flags [R], seq 3695959830,
      win 0, length 0
      
      2. seqadj log on server
      [62873.867319] Adjusting sequence number from 602341895->546723267,
      ack from 3695959830->3695959830
      [62873.867644] Adjusting sequence number from 602341895->546723267,
      ack from 3695959830->3695959830
      [62873.869040] Adjusting sequence number from 3695959830->3695959830,
      ack from 0->55618628
      
      To summarize, it is clear that the seqadj codes adjust the 0 ack when receive
      one TCP RST packet without ack.
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      8d11350f
    • Aaron Conole's avatar
      netfilter: replace list_head with single linked list · e3b37f11
      Aaron Conole authored
      The netfilter hook list never uses the prev pointer, and so can be trimmed to
      be a simple singly-linked list.
      
      In addition to having a more light weight structure for hook traversal,
      struct net becomes 5568 bytes (down from 6400) and struct net_device becomes
      2176 bytes (down from 2240).
      Signed-off-by: default avatarAaron Conole <aconole@bytheb.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      e3b37f11
  2. 24 Sep, 2016 7 commits
  3. 23 Sep, 2016 8 commits
  4. 22 Sep, 2016 1 commit
  5. 13 Sep, 2016 1 commit
  6. 12 Sep, 2016 13 commits
  7. 09 Sep, 2016 2 commits