1. 12 Sep, 2016 5 commits
    • Pablo Neira Ayuso's avatar
      netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate() · ddc8b602
      Pablo Neira Ayuso authored
      These functions are extracted from the netdev family, they initialize
      the pktinfo structure and validate that the IPv4 and IPv6 headers are
      well-formed given that these functions are called from a path where
      layer 3 sanitization did not happen yet.
      
      These functions are placed in include/net/netfilter/nf_tables_ipv{4,6}.h
      so they can be reused by a follow up patch to use them from the bridge
      family too.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ddc8b602
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables_ipv6: setup pktinfo transport field on failure to parse · 8df9e32e
      Pablo Neira Ayuso authored
      Make sure the pktinfo protocol fields are initialized if this fails to
      parse the transport header.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      8df9e32e
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: ensure proper initialization of nft_pktinfo fields · beac5afa
      Pablo Neira Ayuso authored
      This patch introduces nft_set_pktinfo_unspec() that ensures proper
      initialization all of pktinfo fields for non-IP traffic. This is used
      by the bridge, netdev and arp families.
      
      This new function relies on nft_set_pktinfo_proto_unspec() to set a new
      tprot_set field that indicates if transport protocol information is
      available. Remain fields are zeroed.
      
      The meta expression has been also updated to check to tprot_set in first
      place given that zero is a valid tprot value. Even a handcrafted packet
      may come with the IPPROTO_RAW (255) protocol number so we can't rely on
      this value as tprot unset.
      Reported-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      beac5afa
    • Pablo Neira Ayuso's avatar
      netfilter: nft_dynset: allow to invert match criteria · dbd2be06
      Pablo Neira Ayuso authored
      The dynset expression matches if we can fit a new entry into the set.
      If there is no room for it, then it breaks the rule evaluation.
      
      This patch introduces the inversion flag so you can add rules to
      explicitly drop packets that don't fit into the set. For example:
      
       # nft filter input flow table xyz size 4 { ip saddr timeout 120s counter } overflow drop
      
      This is useful to provide a replacement for connlimit.
      
      For the rule above, every new entry uses the IPv4 address as key in the
      set, this entry gets a timeout of 120 seconds that gets refresh on every
      packet seen. If we get new flow and our set already contains 4 entries
      already, then this packet is dropped.
      
      You can already express this in positive logic, assuming default policy
      to drop:
      
       # nft filter input flow table xyz size 4 { ip saddr timeout 10s counter } accept
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      dbd2be06
    • Laura Garcia Liebana's avatar
      netfilter: nft_hash: Add hash offset value · 70ca767e
      Laura Garcia Liebana authored
      Add support to pass through an offset to the hash value. With this
      feature, the sysadmin is able to generate a hash with a given
      offset value.
      
      Example:
      
      	meta mark set jhash ip saddr mod 2 seed 0xabcd offset 100
      
      This option generates marks according to the source address from 100 to
      101.
      Signed-off-by: default avatarLaura Garcia Liebana <nevola@gmail.com>
      70ca767e
  2. 09 Sep, 2016 2 commits
  3. 07 Sep, 2016 10 commits
    • Marco Angaroni's avatar
      netfilter: nf_ct_sip: allow tab character in SIP headers · 1bcabc81
      Marco Angaroni authored
      Current parsing methods for SIP headers do not allow the presence of
      tab characters between header name and header value. As a result Call-ID
      SIP headers like the following are discarded by IPVS SIP persistence
      engine:
      
      "Call-ID\t: mycallid@abcde"
      "Call-ID:\tmycallid@abcde"
      
      In above examples Call-IDs are represented as strings in C language.
      Obviously in real message we have byte "09" before/after colon (":").
      
      Proposed fix is in nf_conntrack_sip module.
      Function sip_skip_whitespace() should skip tabs in addition to spaces,
      since in SIP grammar whitespace (WSP) corresponds to space or tab.
      
      Below is an extract of relevant SIP ABNF syntax.
      
      Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
      callid   =  word [ "@" word ]
      
      HCOLON  =  *( SP / HTAB ) ":" SWS
      SWS     =  [LWS] ; sep whitespace
      LWS     =  [*WSP CRLF] 1*WSP ; linear whitespace
      WSP     =  SP / HTAB
      word    =  1*(alphanum / "-" / "." / "!" / "%" / "*" /
                 "_" / "+" / "`" / "'" / "~" /
                 "(" / ")" / "<" / ">" /
                 ":" / "\" / DQUOTE /
                 "/" / "[" / "]" / "?" /
                 "{" / "}" )
      Signed-off-by: default avatarMarco Angaroni <marcoangaroni@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1bcabc81
    • Pablo Neira Ayuso's avatar
      netfilter: nft_quota: introduce nft_overquota() · 22609b43
      Pablo Neira Ayuso authored
      This is patch renames the existing function to nft_overquota() and make
      it return a boolean that tells us if we have exceeded our byte quota.
      Just a cleanup.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      22609b43
    • Pablo Neira Ayuso's avatar
      netfilter: nft_quota: fix overquota logic · db6d857b
      Pablo Neira Ayuso authored
      Use xor to decide to break further rule evaluation or not, since the
      existing logic doesn't achieve the expected inversion.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      db6d857b
    • Laura Garcia Liebana's avatar
      netfilter: nft_numgen: rename until attribute by modulus · 0d9932b2
      Laura Garcia Liebana authored
      The _until_ attribute is renamed to _modulus_ as the behaviour is similar to
      other expresions with number limits (ex. nft_hash).
      
      Renaming is possible because there isn't a kernel release yet with these
      changes.
      Signed-off-by: default avatarLaura Garcia Liebana <nevola@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      0d9932b2
    • Gao Feng's avatar
      netfilter: ftp: Remove the useless code · ddb075b0
      Gao Feng authored
      There are some debug code which are commented out in find_pattern by #if 0.
      Now remove them.
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ddb075b0
    • Gao Feng's avatar
      netfilter: ftp: Remove the useless dlen==0 condition check in find_pattern · 723eb299
      Gao Feng authored
      The caller function "help" has already make sure the datalen could not be zero
      before invoke find_pattern as a parameter by the following codes
      
              if (dataoff >= skb->len) {
                      pr_debug("ftp: dataoff(%u) >= skblen(%u)\n", dataoff,
                               skb->len);
                      return NF_ACCEPT;
              }
              datalen = skb->len - dataoff;
      
      And the latter codes "ends_in_nl = (fb_ptr[datalen - 1] == '\n');" use datalen
      directly without checking if it is zero.
      
      So it is unneccessary to check it in find_pattern too.
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      723eb299
    • Marco Angaroni's avatar
      netfilter: nf_ct_sip: correct allowed characters in Call-ID SIP header · f0608cea
      Marco Angaroni authored
      Current parsing methods for SIP header Call-ID do not check correctly all
      characters allowed by RFC 3261. In particular "," character is allowed
      instead of "'" character. As a result Call-ID headers like the following
      are discarded by IPVS SIP persistence engine.
      
      Call-ID: -.!%*_+`'~()<>:\"/[]?{}
      
      Above example is composed using all non-alphanumeric characters listed
      in RFC 3261 for Call-ID header syntax.
      
      Proposed fix is in nf_conntrack_sip module; function iswordc() checks this
      range: (c >= '(' && c <= '/') which includes these characters: ()*+,-./
      They are all allowed except ",". Instead "'" is not included in the list.
      
      Below is an extract of relevant SIP ABNF syntax.
      
      Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
      callid   =  word [ "@" word ]
      
      HCOLON  =  *( SP / HTAB ) ":" SWS
      SWS     =  [LWS] ; sep whitespace
      LWS     =  [*WSP CRLF] 1*WSP ; linear whitespace
      WSP     =  SP / HTAB
      word    =  1*(alphanum / "-" / "." / "!" / "%" / "*" /
                 "_" / "+" / "`" / "'" / "~" /
                 "(" / ")" / "<" / ">" /
                 ":" / "\" / DQUOTE /
                 "/" / "[" / "]" / "?" /
                 "{" / "}" )
      Signed-off-by: default avatarMarco Angaroni <marcoangaroni@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      f0608cea
    • Marco Angaroni's avatar
      netfilter: nf_ct_sip: correct parsing of continuation lines in SIP headers · 68cb9fe4
      Marco Angaroni authored
      Current parsing methods for SIP headers do not properly manage
      continuation lines: in case of Call-ID header the first character of
      Call-ID header value is truncated. As a result IPVS SIP persistence
      engine hashes over a call-id that is not exactly the one present in
      the originale message.
      
      Example: "Call-ID: \r\n abcdeABCDE1234"
      results in extracted call-id equal to "bcdeABCDE1234".
      
      In above example Call-ID is represented as a string in C language.
      Obviously in real message the first bytes after colon (":") are
      "20 0d 0a 20".
      
      Proposed fix is in nf_conntrack_sip module.
      Since sip_follow_continuation() function walks past the leading
      spaces or tabs of the continuation line, sip_skip_whitespace()
      should simply return the ouput of sip_follow_continuation().
      Otherwise another iteration of the for loop is done and dptr
      is incremented by one pointing to the second character of the
      first word in the header.
      
      Below is an extract of relevant SIP ABNF syntax.
      
      Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
      callid   =  word [ "@" word ]
      
      HCOLON  =  *( SP / HTAB ) ":" SWS
      SWS     =  [LWS] ; sep whitespace
      LWS     =  [*WSP CRLF] 1*WSP ; linear whitespace
      WSP     =  SP / HTAB
      word    =  1*(alphanum / "-" / "." / "!" / "%" / "*" /
                 "_" / "+" / "`" / "'" / "~" /
                 "(" / ")" / "<" / ">" /
                 ":" / "\" / DQUOTE /
                 "/" / "[" / "]" / "?" /
                 "{" / "}" )
      Signed-off-by: default avatarMarco Angaroni <marcoangaroni@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      68cb9fe4
    • Gao Feng's avatar
      netfilter: gre: Use consistent GRE and PTTP header structure instead of the... · c579a9e7
      Gao Feng authored
      netfilter: gre: Use consistent GRE and PTTP header structure instead of the ones defined by netfilter
      
      There are two existing strutures which defines the GRE and PPTP header.
      So use these two structures instead of the ones defined by netfilter to
      keep consitent with other codes.
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c579a9e7
    • Gao Feng's avatar
      netfilter: gre: Use consistent GRE_* macros instead of ones defined by netfilter. · ecc6569f
      Gao Feng authored
      There are already some GRE_* macros in kernel, so it is unnecessary
      to define these macros. And remove some useless macros
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ecc6569f
  4. 06 Sep, 2016 23 commits