linux/include/net/netfilter/ipv4, branch v4.8Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v4.82015-09-29T18:21:31Zipv4: Push struct net down into nf_send_reset2015-09-29T18:21:31ZEric W. Biedermanebiederm@xmission.com2015-09-25T20:07:27Zurn:sha1:372892ec1151c895c7dec362f3246f089690cfc7
This is needed so struct net can be pushed down into
ip_route_me_harder.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: Pass net to nf_dup_ipv4 and nf_dup_ipv62015-09-18T19:59:11ZEric W. Biedermanebiederm@xmission.com2015-09-18T19:33:02Zurn:sha1:206e8c00752fbe9cc463184236ac64b2a532cda5
This allows them to stop guessing the network namespace with pick_net.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: factor out packet duplication for IPv4/IPv62015-08-07T09:49:49ZPablo Neira Ayusopablo@netfilter.org2015-05-31T15:54:44Zurn:sha1:bbde9fc1824aab58bc78c084163007dd6c03fe5b
Extracted from the xtables TEE target. This creates two new modules for IPv4
and IPv6 that are shared between the TEE target and the new nf_tables dup
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: fix sparse warnings in reject handling2015-03-10T14:01:32ZFlorian Westphalfw@strlen.de2015-03-09T22:04:15Zurn:sha1:a03a8dbe20eff6d57aae3147577bf84b52aba4e6
make C=1 CF=-D__CHECK_ENDIAN__ shows following:
net/bridge/netfilter/nft_reject_bridge.c:65:50: warning: incorrect type in argument 3 (different base types)
net/bridge/netfilter/nft_reject_bridge.c:65:50: expected restricted __be16 [usertype] protocol [..]
net/bridge/netfilter/nft_reject_bridge.c:102:37: warning: cast from restricted __be16
net/bridge/netfilter/nft_reject_bridge.c:102:37: warning: incorrect type in argument 1 (different base types) [..]
net/bridge/netfilter/nft_reject_bridge.c:121:50: warning: incorrect type in argument 3 (different base types) [..]
net/bridge/netfilter/nft_reject_bridge.c:168:52: warning: incorrect type in argument 3 (different base types) [..]
net/bridge/netfilter/nft_reject_bridge.c:233:52: warning: incorrect type in argument 3 (different base types) [..]
Caused by two (harmless) errors:
1. htons() instead of ntohs()
2. __be16 for protocol in nf_reject_ipXhdr_put API, use u8 instead.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: reject: don't send icmp error if csum is invalid2015-03-03T01:10:35ZFlorian Westphalfw@strlen.de2015-02-16T17:54:04Zurn:sha1:ee586bbc28fb7128133457cf711880d13a3b7ce4
tcp resets are never emitted if the packet that triggers the
reject/reset has an invalid checksum.
For icmp error responses there was no such check.
It allows to distinguish icmp response generated via
iptables -I INPUT -p udp --dport 42 -j REJECT
and those emitted by network stack (won't respond if csum is invalid,
REJECT does).
Arguably its possible to avoid this by using conntrack and only
using REJECT with -m conntrack NEW/RELATED.
However, this doesn't work when connection tracking is not in use
or when using nf_conntrack_checksum=0.
Furthermore, sending errors in response to invalid csums doesn't make
much sense so just add similar test as in nf_send_reset.
Validate csum if needed and only send the response if it is ok.
Reference: http://bugzilla.redhat.com/show_bug.cgi?id=1169829
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_reject_ipv4: split nf_send_reset() in smaller functions2014-10-31T11:49:05ZPablo Neira Ayusopablo@netfilter.org2014-10-25T16:24:57Zurn:sha1:052b9498eea532deb5de75277a53f6e0623215dc
That can be reused by the reject bridge expression to build the reject
packet. The new functions are:
* nf_reject_ip_tcphdr_get(): to sanitize and to obtain the TCP header.
* nf_reject_iphdr_put(): to build the IPv4 header.
* nf_reject_ip_tcphdr_put(): to build the TCP header.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: move nf_send_resetX() code to nf_reject_ipvX modules2014-10-02T16:30:49ZPablo Neira Ayusopablo@netfilter.org2014-09-26T12:35:15Zurn:sha1:c8d7b98bec43faaa6583c3135030be5eb4693acb
Move nf_send_reset() and nf_send_reset6() to nf_reject_ipv4 and
nf_reject_ipv6 respectively. This code is shared by x_tables and
nf_tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_reject: introduce icmp code abstraction for inet and bridge2014-10-02T16:29:57ZPablo Neira Ayusopablo@netfilter.org2014-09-26T12:35:14Zurn:sha1:51b0a5d8c21a91801bbef9bcc8639dc0b206c6cd
This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides
an abstraction to the ICMP and ICMPv6 codes that you can use from the
inet and bridge tables, they are:
* NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
* NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
* NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
* NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratevely prohibited
You can still use the specific codes when restricting the rule to match
the corresponding layer 3 protocol.
I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have
different semantics depending on the table family and to allow the user
to specify ICMP family specific codes if they restrict it to the
corresponding family.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: bridge: move br_netfilter out of the core2014-09-26T16:42:31ZPablo Neira Ayusopablo@netfilter.org2014-09-18T09:29:03Zurn:sha1:34666d467cbf1e2e3c7bb15a63eccfb582cdd71f
Jesper reported that br_netfilter always registers the hooks since
this is part of the bridge core. This harms performance for people that
don't need this.
This patch modularizes br_netfilter so it can be rmmod'ed, thus,
the hooks can be unregistered. I think the bridge netfilter should have
been a separated module since the beginning, Patrick agreed on that.
Note that this is breaking compatibility for users that expect that
bridge netfilter is going to be available after explicitly 'modprobe
bridge' or via automatic load through brctl.
However, the damage can be easily undone by modprobing br_netfilter.
The bridge core also spots a message to provide a clue to people that
didn't notice that this has been deprecated.
On top of that, the plan is that nftables will not rely on this software
layer, but integrate the connection tracking into the bridge layer to
enable stateful filtering and NAT, which is was bridge netfilter users
seem to require.
This patch still keeps the fake_dst_ops in the bridge core, since this
is required by when the bridge port is initialized. So we can safely
modprobe/rmmod br_netfilter anytime.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables2014-09-09T14:31:29ZArturo Borreroarturo.borrero.glez@gmail.com2014-09-04T12:06:33Zurn:sha1:8dd33cc93ec92b8460ed2ad98c6db39276f6a72b
Let's refactor the code so we can reach the masquerade functionality
from outside the xt context (ie. nftables).
The patch includes the addition of an atomic counter to the masquerade
notifier: the stuff to be done by the notifier is the same for xt and
nftables. Therefore, only one notification handler is needed.
This factorization only involves IPv4; a similar patch follows to
handle IPv6.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>