linux/net/ipv4/netfilter, branch v4.7Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v4.72016-05-06T09:50:01Znetfilter: conntrack: use a single expectation table for all namespaces2016-05-06T09:50:01ZFlorian Westphalfw@strlen.de2016-05-05T22:51:49Zurn:sha1:0a93aaedc46af2c5feecfb1066d98bfb491ec0b8
We already include netns address in the hash and compare the netns pointers
during lookup, so even if namespaces have overlapping addresses entries
will be spread across the expectation table.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: conntrack: check netns when walking expect hash2016-05-06T09:50:01ZFlorian Westphalfw@strlen.de2016-05-05T22:51:47Zurn:sha1:03d7dc5cdfe6fd4e5bd04cfc2be7ae259f956428
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: x_tables: get rid of old and inconsistent debugging2016-05-05T14:39:51ZPablo Neira Ayusopablo@netfilter.org2016-05-03T11:54:23Zurn:sha1:d7cdf81657776ca1aa8377fd84d02fd8774db483
The dprintf() and duprintf() functions are enabled at compile time,
these days we have better runtime debugging through pr_debug() and
static keys.
On top of this, this debugging is so old that I don't expect anyone
using this anymore, so let's get rid of this.
IP_NF_ASSERT() is still left in place, although this needs that
NETFILTER_DEBUG is enabled, I think these assertions provide useful
context information when reading the code.
Note that ARP_NF_ASSERT() has been removed as there is no user of
this.
Kill also DEBUG_ALLOW_ALL and a couple of pr_error() and pr_debug()
spots that are inconsistently placed in the code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: conntrack: use a single hashtable for all namespaces2016-05-05T14:39:47ZFlorian Westphalfw@strlen.de2016-05-02T16:39:55Zurn:sha1:56d52d4892d0e478a005b99ed10d0a7f488ea8c1
We already include netns address in the hash and compare the netns pointers
during lookup, so even if namespaces have overlapping addresses entries
will be spread across the table.
Assuming 64k bucket size, this change saves 0.5 mbyte per namespace on a
64bit system.
NAT bysrc and expectation hash is still per namespace, those will
changed too soon.
Future patch will also make conntrack object slab cache global again.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: conntrack: check netns when comparing conntrack objects2016-05-05T14:39:46ZFlorian Westphalfw@strlen.de2016-04-28T17:13:45Zurn:sha1:e0c7d47221883966d930fa7335b3ca295bc316b2
Once we place all conntracks in the same hash table we must also compare
the netns pointer to skip conntracks that belong to a different namespace.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: conntrack: small refactoring of conntrack seq_printf2016-05-05T14:39:45ZFlorian Westphalfw@strlen.de2016-04-28T17:13:44Zurn:sha1:245cfdcaba2e7e4ee16b12af547ead37f9c501cd
The iteration process is lockless, so we test if the conntrack object is
eligible for printing (e.g. is AF_INET) after obtaining the reference
count.
Once we put all conntracks into same hash table we might see more
entries that need to be skipped.
So add a helper and first perform the test in a lockless fashion
for fast skip.
Once we obtain the reference count, just repeat the check.
Note that this refactoring also includes a missing check for unconfirmed
conntrack entries due to slab rcu object re-usage, so they need to be
skipped since they are not part of the listing.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: fix IS_ERR_VALUE usage2016-04-29T09:02:33ZPablo Neira Ayusopablo@netfilter.org2016-04-29T08:39:34Zurn:sha1:92b4423e3a0bc5d43ecde4bcad871f8b5ba04efd
This is a forward-port of the original patch from Andrzej Hajda,
he said:
"IS_ERR_VALUE should be used only with unsigned long type.
Otherwise it can work incorrectly. To achieve this function
xt_percpu_counter_alloc is modified to return unsigned long,
and its result is assigned to temporary variable to perform
error checking, before assigning to .pcnt field.
The patch follows conclusion from discussion on LKML [1][2].
[1]: http://permalink.gmane.org/gmane.linux.kernel/2120927
[2]: http://permalink.gmane.org/gmane.linux.kernel/2150581"
Original patch from Andrzej is here:
http://patchwork.ozlabs.org/patch/582970/
This patch has clashed with input validation fixes for x_tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next2016-04-24T04:12:08ZDavid S. Millerdavem@davemloft.net2016-04-24T04:12:08Zurn:sha1:11afbff86168bc2ce11ae9d64ff687567a2352de
Pablo Neira Ayuso says:
====================
Netfilter updates for net-next
The following patchset contains Netfilter updates for your net-next
tree, mostly from Florian Westphal to sort out the lack of sufficient
validation in x_tables and connlabel preparation patches to add
nf_tables support. They are:
1) Ensure we don't go over the ruleset blob boundaries in
mark_source_chains().
2) Validate that target jumps land on an existing xt_entry. This extra
sanitization comes with a performance penalty when loading the ruleset.
3) Introduce xt_check_entry_offsets() and use it from {arp,ip,ip6}tables.
4) Get rid of the smallish check_entry() functions in {arp,ip,ip6}tables.
5) Make sure the minimal possible target size in x_tables.
6) Similar to #3, add xt_compat_check_entry_offsets() for compat code.
7) Check that standard target size is valid.
8) More sanitization to ensure that the target_offset field is correct.
9) Add xt_check_entry_match() to validate that matches are well-formed.
10-12) Three patch to reduce the number of parameters in
translate_compat_table() for {arp,ip,ip6}tables by using a container
structure.
13) No need to return value from xt_compat_match_from_user(), so make
it void.
14) Consolidate translate_table() so it can be used by compat code too.
15) Remove obsolete check for compat code, so we keep consistent with
what was already removed in the native layout code (back in 2007).
16) Get rid of target jump validation from mark_source_chains(),
obsoleted by #2.
17) Introduce xt_copy_counters_from_user() to consolidate counter
copying, and use it from {arp,ip,ip6}tables.
18,22) Get rid of unnecessary explicit inlining in ctnetlink for dump
functions.
19) Move nf_connlabel_match() to xt_connlabel.
20) Skip event notification if connlabel did not change.
21) Update of nf_connlabels_get() to make the upcoming nft connlabel
support easier.
23) Remove spinlock to read protocol state field in conntrack.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: x_tables: introduce and use xt_copy_counters_from_user2016-04-13T22:30:41ZFlorian Westphalfw@strlen.de2016-04-01T13:37:59Zurn:sha1:d7591f0c41ce3e67600a982bab6989ef0f07b3ce
The three variants use same copy&pasted code, condense this into a
helper and use that.
Make sure info.name is 0-terminated.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: x_tables: remove obsolete check2016-04-13T22:30:41ZFlorian Westphalfw@strlen.de2016-04-01T12:17:36Zurn:sha1:aded9f3e9fa8db559c5b7661bbb497754270e754
Since 'netfilter: x_tables: validate targets of jumps' change we
validate that the target aligns exactly with beginning of a rule,
so offset test is now redundant.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>