* nf-next: checks and three modules
@ 2010-03-17 13:18 Jan Engelhardt
From: Jan Engelhardt @ 2010-03-17 13:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The following changes since commit 0e706b5d2042a0e0451f8d1c9707cf42d353709f:
Tim Gardner (1):
netfilter: xt_recent: add an entry reaper
are available in the git repository at:
git://dev.medozas.de/linux master
Jan Engelhardt (9):
netfilter: xtables: do without explicit XT_ALIGN
netfilter: xtables: slightly more detailed checkentry return values
netfilter: xtables: restrict TCPMSS to mangle table as intended
netfilter: xtables: clean up xt_mac match routine
netfilter: xtables: limit xt_mac to ethernet devices
netfilter: xtables: resort osf kconfig text
netfilter: xtables: inclusion of xt_SYSRQ
netfilter: xtables: inclusion of xt_TEE
netfilter: xtables: inclusion of xt_condition
Please review :)
include/linux/netfilter/Kbuild | 2 +
include/linux/netfilter/x_tables.h | 6 +-
include/linux/netfilter/xt_TEE.h | 8 +
include/linux/netfilter/xt_condition.h | 12 +
net/bridge/netfilter/ebt_802_3.c | 2 +-
net/bridge/netfilter/ebt_among.c | 2 +-
net/bridge/netfilter/ebt_arp.c | 2 +-
net/bridge/netfilter/ebt_arpreply.c | 2 +-
net/bridge/netfilter/ebt_dnat.c | 2 +-
net/bridge/netfilter/ebt_ip.c | 2 +-
net/bridge/netfilter/ebt_ip6.c | 2 +-
net/bridge/netfilter/ebt_limit.c | 2 +-
net/bridge/netfilter/ebt_log.c | 2 +-
net/bridge/netfilter/ebt_mark.c | 2 +-
net/bridge/netfilter/ebt_mark_m.c | 2 +-
net/bridge/netfilter/ebt_nflog.c | 2 +-
net/bridge/netfilter/ebt_pkttype.c | 2 +-
net/bridge/netfilter/ebt_redirect.c | 2 +-
net/bridge/netfilter/ebt_snat.c | 2 +-
net/bridge/netfilter/ebt_stp.c | 2 +-
net/bridge/netfilter/ebt_ulog.c | 2 +-
net/bridge/netfilter/ebt_vlan.c | 2 +-
net/ipv4/netfilter/arpt_mangle.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 13 +-
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_LOG.c | 2 +-
net/ipv4/netfilter/ipt_MASQUERADE.c | 2 +-
net/ipv4/netfilter/ipt_NETMAP.c | 2 +-
net/ipv4/netfilter/ipt_REDIRECT.c | 2 +-
net/ipv4/netfilter/ipt_REJECT.c | 2 +-
net/ipv4/netfilter/ipt_ULOG.c | 2 +-
net/ipv4/netfilter/ipt_addrtype.c | 2 +-
net/ipv4/netfilter/ipt_ah.c | 2 +-
net/ipv4/netfilter/ipt_ecn.c | 2 +-
net/ipv4/netfilter/nf_nat_rule.c | 4 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
net/ipv6/netfilter/ip6t_LOG.c | 2 +-
net/ipv6/netfilter/ip6t_REJECT.c | 2 +-
net/ipv6/netfilter/ip6t_ah.c | 2 +-
net/ipv6/netfilter/ip6t_frag.c | 2 +-
net/ipv6/netfilter/ip6t_hbh.c | 2 +-
net/ipv6/netfilter/ip6t_ipv6header.c | 2 +-
net/ipv6/netfilter/ip6t_mh.c | 2 +-
net/ipv6/netfilter/ip6t_rt.c | 2 +-
net/netfilter/Kconfig | 53 ++++--
net/netfilter/Makefile | 3 +
net/netfilter/x_tables.c | 22 ++-
net/netfilter/xt_CONNSECMARK.c | 8 +-
net/netfilter/xt_CT.c | 15 +-
net/netfilter/xt_DSCP.c | 2 +-
net/netfilter/xt_HL.c | 4 +-
net/netfilter/xt_LED.c | 15 +-
net/netfilter/xt_NFLOG.c | 2 +-
net/netfilter/xt_NFQUEUE.c | 2 +-
net/netfilter/xt_RATEEST.c | 11 +-
net/netfilter/xt_SECMARK.c | 14 +-
net/netfilter/xt_SYSRQ.c | 372 ++++++++++++++++++++++++++++++++
net/netfilter/xt_TCPMSS.c | 6 +-
net/netfilter/xt_TEE.c | 304 ++++++++++++++++++++++++++
net/netfilter/xt_TPROXY.c | 2 +-
net/netfilter/xt_cluster.c | 2 +-
net/netfilter/xt_condition.c | 243 +++++++++++++++++++++
net/netfilter/xt_connbytes.c | 8 +-
net/netfilter/xt_connlimit.c | 10 +-
net/netfilter/xt_connmark.c | 18 +-
net/netfilter/xt_conntrack.c | 9 +-
net/netfilter/xt_dccp.c | 2 +-
net/netfilter/xt_dscp.c | 2 +-
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_hashlimit.c | 33 ++--
net/netfilter/xt_helper.c | 2 +-
net/netfilter/xt_limit.c | 4 +-
net/netfilter/xt_mac.c | 21 ++-
net/netfilter/xt_multiport.c | 8 +-
net/netfilter/xt_physdev.c | 2 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_quota.c | 4 +-
net/netfilter/xt_rateest.c | 4 +-
net/netfilter/xt_recent.c | 9 +-
net/netfilter/xt_sctp.c | 2 +-
net/netfilter/xt_state.c | 9 +-
net/netfilter/xt_statistic.c | 4 +-
net/netfilter/xt_string.c | 4 +-
net/netfilter/xt_tcpudp.c | 4 +-
net/netfilter/xt_time.c | 2 +-
86 files changed, 1199 insertions(+), 169 deletions(-)
create mode 100644 include/linux/netfilter/xt_TEE.h
create mode 100644 include/linux/netfilter/xt_condition.h
create mode 100644 net/netfilter/xt_SYSRQ.c
create mode 100644 net/netfilter/xt_TEE.c
create mode 100644 net/netfilter/xt_condition.c
* [PATCH 1/9] netfilter: xtables: do without explicit XT_ALIGN
From: Jan Engelhardt @ 2010-03-17 13:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
XT_ALIGN is already applied on matchsize/targetsize in x_tables.c,
so it is not strictly needed in the extensions.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/xt_CT.c | 2 +-
net/netfilter/xt_LED.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index fda603e..6509e03 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -137,7 +137,7 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
static struct xt_target xt_ct_tg __read_mostly = {
.name = "CT",
.family = NFPROTO_UNSPEC,
- .targetsize = XT_ALIGN(sizeof(struct xt_ct_target_info)),
+ .targetsize = sizeof(struct xt_ct_target_info),
.checkentry = xt_ct_tg_check,
.destroy = xt_ct_tg_destroy,
.target = xt_ct_target,
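Review bot: No objection to dropping the macro here, but the changelog's premise deserves a pointer so it can be verified: xt_check_target in x_tables.c compares `XT_ALIGN(par->target->targetsize)` against the size userspace supplied (see the @@ -517,6 +524,8 @@ hunk in 2/9), so alignment is still enforced centrally and the extension-side XT_ALIGN was only pre-rounding the registered targetsize. A one-line mention of xt_check_target/xt_check_match in the commit message would make this change self-explanatory to anyone bisecting later.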
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 8ff7843..f86dc52 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -141,7 +141,7 @@ static struct xt_target led_tg_reg __read_mostly = {
.revision = 0,
.family = NFPROTO_UNSPEC,
.target = led_tg,
- .targetsize = XT_ALIGN(sizeof(struct xt_led_info)),
+ .targetsize = sizeof(struct xt_led_info),
.checkentry = led_tg_check,
.destroy = led_tg_destroy,
.me = THIS_MODULE,
--
1.7.0.2
* [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values
From: Jan Engelhardt @ 2010-03-17 13:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
When extended status codes are available, such as ENOMEM on failed
allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
them up to userspace seems like a good idea compared to just always
EINVAL.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/x_tables.h | 6 +++---
net/bridge/netfilter/ebt_802_3.c | 2 +-
net/bridge/netfilter/ebt_among.c | 2 +-
net/bridge/netfilter/ebt_arp.c | 2 +-
net/bridge/netfilter/ebt_arpreply.c | 2 +-
net/bridge/netfilter/ebt_dnat.c | 2 +-
net/bridge/netfilter/ebt_ip.c | 2 +-
net/bridge/netfilter/ebt_ip6.c | 2 +-
net/bridge/netfilter/ebt_limit.c | 2 +-
net/bridge/netfilter/ebt_log.c | 2 +-
net/bridge/netfilter/ebt_mark.c | 2 +-
net/bridge/netfilter/ebt_mark_m.c | 2 +-
net/bridge/netfilter/ebt_nflog.c | 2 +-
net/bridge/netfilter/ebt_pkttype.c | 2 +-
net/bridge/netfilter/ebt_redirect.c | 2 +-
net/bridge/netfilter/ebt_snat.c | 2 +-
net/bridge/netfilter/ebt_stp.c | 2 +-
net/bridge/netfilter/ebt_ulog.c | 2 +-
net/bridge/netfilter/ebt_vlan.c | 2 +-
net/ipv4/netfilter/arpt_mangle.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 13 +++++++------
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_LOG.c | 2 +-
net/ipv4/netfilter/ipt_MASQUERADE.c | 2 +-
net/ipv4/netfilter/ipt_NETMAP.c | 2 +-
net/ipv4/netfilter/ipt_REDIRECT.c | 2 +-
net/ipv4/netfilter/ipt_REJECT.c | 2 +-
net/ipv4/netfilter/ipt_ULOG.c | 2 +-
net/ipv4/netfilter/ipt_addrtype.c | 2 +-
net/ipv4/netfilter/ipt_ah.c | 2 +-
net/ipv4/netfilter/ipt_ecn.c | 2 +-
net/ipv4/netfilter/nf_nat_rule.c | 4 ++--
net/ipv6/netfilter/ip6_tables.c | 2 +-
net/ipv6/netfilter/ip6t_LOG.c | 2 +-
net/ipv6/netfilter/ip6t_REJECT.c | 2 +-
net/ipv6/netfilter/ip6t_ah.c | 2 +-
net/ipv6/netfilter/ip6t_frag.c | 2 +-
net/ipv6/netfilter/ip6t_hbh.c | 2 +-
| 2 +-
net/ipv6/netfilter/ip6t_mh.c | 2 +-
net/ipv6/netfilter/ip6t_rt.c | 2 +-
net/netfilter/x_tables.c | 22 ++++++++++++++++++----
net/netfilter/xt_CONNSECMARK.c | 8 +++++---
net/netfilter/xt_CT.c | 13 ++++++++++---
net/netfilter/xt_DSCP.c | 2 +-
net/netfilter/xt_HL.c | 4 ++--
net/netfilter/xt_LED.c | 13 ++++---------
net/netfilter/xt_NFLOG.c | 2 +-
net/netfilter/xt_NFQUEUE.c | 2 +-
net/netfilter/xt_RATEEST.c | 11 +++++++----
net/netfilter/xt_SECMARK.c | 14 ++++++++------
net/netfilter/xt_TCPMSS.c | 4 ++--
net/netfilter/xt_TPROXY.c | 2 +-
net/netfilter/xt_cluster.c | 2 +-
net/netfilter/xt_connbytes.c | 8 +++++---
net/netfilter/xt_connlimit.c | 10 ++++++----
net/netfilter/xt_connmark.c | 18 ++++++++++++------
net/netfilter/xt_conntrack.c | 9 ++++++---
net/netfilter/xt_dccp.c | 2 +-
net/netfilter/xt_dscp.c | 2 +-
net/netfilter/xt_esp.c | 2 +-
net/netfilter/xt_hashlimit.c | 33 ++++++++++++++++++++-------------
net/netfilter/xt_helper.c | 2 +-
net/netfilter/xt_limit.c | 4 ++--
net/netfilter/xt_multiport.c | 8 ++++----
net/netfilter/xt_physdev.c | 2 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_quota.c | 4 ++--
net/netfilter/xt_rateest.c | 4 +++-
net/netfilter/xt_recent.c | 9 ++++++---
net/netfilter/xt_sctp.c | 2 +-
net/netfilter/xt_state.c | 9 ++++++---
net/netfilter/xt_statistic.c | 4 ++--
net/netfilter/xt_string.c | 4 ++--
net/netfilter/xt_tcpudp.c | 4 ++--
net/netfilter/xt_time.c | 2 +-
77 files changed, 198 insertions(+), 146 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 84c7c92..568677d 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -297,7 +297,7 @@ struct xt_match {
const struct xt_match_param *);
/* Called when user tries to insert an entry of this type. */
- bool (*checkentry)(const struct xt_mtchk_param *);
+ int (*checkentry)(const struct xt_mtchk_param *);
/* Called when entry of this type deleted. */
void (*destroy)(const struct xt_mtdtor_param *);
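Review bot: The comment above xt_match's checkentry is left as "Called when user tries to insert an entry of this type." while the xt_target hunk just below updates its comment to describe the new return values; the match side should get the same update, and it should spell out the exact mapping (positive = accept, 0 = generic failure reported as -EINVAL, negative = errno passed through) rather than "true or false", because a plain `int` whose zero value means failure runs against the usual kernel 0-on-success convention and will trip up authors of new extensions.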
@@ -338,8 +338,8 @@ struct xt_target {
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
- /* Should return true or false. */
- bool (*checkentry)(const struct xt_tgchk_param *);
+ /* Can return either true or false, or an error code. */
+ int (*checkentry)(const struct xt_tgchk_param *);
/* Called when entry of this type deleted. */
void (*destroy)(const struct xt_tgdtor_param *);
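Review bot: "Can return either true or false, or an error code." is underspecified for an `int` hook: say which values mean what. More substantively, mixing bool semantics with errno values creates a tri-state in which both 0 and a negative value signal failure; since every site touched by this series either returns `true` or returns `false`/a specific errno, consider going straight to the standard 0-on-success / negative-errno convention (`return true;` becomes `return 0;`, each `return false;` gets a concrete errno). That also lets the caller in x_tables.c collapse to a single `if (ret) return ret;`.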
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 5d11767..7b6f4c4 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -36,7 +36,7 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par)
+static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_802_3_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index b595f09..682d277 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -171,7 +171,7 @@ ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
+static int ebt_among_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_among_info *info = par->matchinfo;
const struct ebt_entry_match *em =
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index e727697..fc62055 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -100,7 +100,7 @@ ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
+static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_arp_info *info = par->matchinfo;
const struct ebt_entry *e = par->entryinfo;
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index f392e9d..2491564 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -57,7 +57,7 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
return info->target;
}
-static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
+static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_arpreply_info *info = par->targinfo;
const struct ebt_entry *e = par->entryinfo;
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 2bb40d7..5fddebe 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -26,7 +26,7 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
return info->target;
}
-static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
+static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_nat_info *info = par->targinfo;
unsigned int hook_mask;
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 5de6df6..d1a555d 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -77,7 +77,7 @@ ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_ip_mt_check(const struct xt_mtchk_param *par)
+static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_ip_info *info = par->matchinfo;
const struct ebt_entry *e = par->entryinfo;
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 05d0d0c..06563c8 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -90,7 +90,7 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_ip6_mt_check(const struct xt_mtchk_param *par)
+static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_entry *e = par->entryinfo;
struct ebt_ip6_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 7a81827..b8c5e69 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -64,7 +64,7 @@ user2credits(u_int32_t user)
return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE;
}
-static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
+static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
{
struct ebt_limit_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index e873924..a0aeac6 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -24,7 +24,7 @@
static DEFINE_SPINLOCK(ebt_log_lock);
-static bool ebt_log_tg_check(const struct xt_tgchk_param *par)
+static int ebt_log_tg_check(const struct xt_tgchk_param *par)
{
struct ebt_log_info *info = par->targinfo;
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 2b5ce53..dd94daf 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -36,7 +36,7 @@ ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return info->target | ~EBT_VERDICT_BITS;
}
-static bool ebt_mark_tg_check(const struct xt_tgchk_param *par)
+static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_mark_t_info *info = par->targinfo;
int tmp;
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 8de8c39..1e5b0b3 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -22,7 +22,7 @@ ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
}
-static bool ebt_mark_mt_check(const struct xt_mtchk_param *par)
+static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_mark_m_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 40dbd24..1f2b7bb 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -35,7 +35,7 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
return EBT_CONTINUE;
}
-static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par)
+static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
{
struct ebt_nflog_info *info = par->targinfo;
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index e2a07e6..9b3c645 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -20,7 +20,7 @@ ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return (skb->pkt_type == info->pkt_type) ^ info->invert;
}
-static bool ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
+static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_pkttype_info *info = par->matchinfo;
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 9be8fbc..73c4d3a 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -32,7 +32,7 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
return info->target;
}
-static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par)
+static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_redirect_info *info = par->targinfo;
unsigned int hook_mask;
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 9c7b520..94bcecd 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -42,7 +42,7 @@ out:
return info->target | ~EBT_VERDICT_BITS;
}
-static bool ebt_snat_tg_check(const struct xt_tgchk_param *par)
+static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
{
const struct ebt_nat_info *info = par->targinfo;
int tmp;
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 92a93d3..521186f 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -153,7 +153,7 @@ ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
+static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_stp_info *info = par->matchinfo;
const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index c6ac657..8253e4e 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -254,7 +254,7 @@ ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
return EBT_CONTINUE;
}
-static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par)
+static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
{
struct ebt_ulog_info *uloginfo = par->targinfo;
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index be1dd2e..79b95f0 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -84,7 +84,7 @@ ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
+static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
{
struct ebt_vlan_info *info = par->matchinfo;
const struct ebt_entry *e = par->entryinfo;
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index b0d5b1d..4b51a02 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -54,7 +54,7 @@ target(struct sk_buff *skb, const struct xt_target_param *par)
return mangle->target;
}
-static bool checkentry(const struct xt_tgchk_param *par)
+static int checkentry(const struct xt_tgchk_param *par)
{
const struct arpt_mangle *mangle = par->targinfo;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index b29c66d..afa94eb 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2184,7 +2184,7 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
!!(icmpinfo->invflags&IPT_ICMP_INV));
}
-static bool icmp_checkentry(const struct xt_mtchk_param *par)
+static int icmp_checkentry(const struct xt_mtchk_param *par)
{
const struct ipt_icmp *icmpinfo = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 0886f96..e5977f7 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -347,12 +347,12 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool clusterip_tg_check(const struct xt_tgchk_param *par)
+static int clusterip_tg_check(const struct xt_tgchk_param *par)
{
struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
-
struct clusterip_config *config;
+ int ret;
if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
@@ -386,7 +386,7 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
dev = dev_get_by_name(&init_net, e->ip.iniface);
if (!dev) {
printk(KERN_WARNING "CLUSTERIP: no such interface %s\n", e->ip.iniface);
- return false;
+ return -ENOENT;
}
config = clusterip_config_init(cipinfo,
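Review bot: `return -ENOENT;` for a failed dev_get_by_name() is the wrong errno; the conventional value for a missing network interface is -ENODEV, which is also what userspace will print as "No such device" instead of the misleading "No such file or directory". Suggest `return -ENODEV;` here.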
@@ -394,17 +394,18 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
if (!config) {
printk(KERN_WARNING "CLUSTERIP: cannot allocate config\n");
dev_put(dev);
- return false;
+ return -ENOMEM;
}
dev_mc_add(config->dev,config->clustermac, ETH_ALEN, 0);
}
}
cipinfo->config = config;
- if (nf_ct_l3proto_try_module_get(par->target->family) < 0) {
+ ret = nf_ct_l3proto_try_module_get(par->target->family);
+ if (ret < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%u\n", par->target->family);
- return false;
+ return ret;
}
return true;
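Review bot: The `return ret;` on the nf_ct_l3proto_try_module_get() failure path returns after `cipinfo->config = config;` without releasing the config reference obtained a few lines earlier (clusterip_config_init() in the previous hunk, or the existing config looked up before it). The leak is pre-existing, but now that this function has a proper error path it is the right moment to drop the reference (and the dev reference held by the config) before returning, so the new, more specific error codes do not come with a leaked object on every rule-insertion failure.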
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index ea5cea2..7e78fd3 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -93,7 +93,7 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool ecn_tg_check(const struct xt_tgchk_param *par)
+static int ecn_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_ECN_info *einfo = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index ee128ef..1113fc5 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -439,7 +439,7 @@ log_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool log_tg_check(const struct xt_tgchk_param *par)
+static int log_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_log_info *loginfo = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 650b540..fa58726 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -28,7 +28,7 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("Xtables: automatic-address SNAT");
/* FIXME: Multiple targets. --RR */
-static bool masquerade_tg_check(const struct xt_tgchk_param *par)
+static int masquerade_tg_check(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 7c29582..e75dbe7 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -22,7 +22,7 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
-static bool netmap_tg_check(const struct xt_tgchk_param *par)
+static int netmap_tg_check(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 698e5e7..aff6e67 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -26,7 +26,7 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
/* FIXME: Take multiple ranges --RR */
-static bool redirect_tg_check(const struct xt_tgchk_param *par)
+static int redirect_tg_check(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 5113b8f..48e13e0 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -174,7 +174,7 @@ reject_tg(struct sk_buff *skb, const struct xt_target_param *par)
return NF_DROP;
}
-static bool reject_tg_check(const struct xt_tgchk_param *par)
+static int reject_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_reject_info *rejinfo = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 09a5d3f..0074514 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -313,7 +313,7 @@ static void ipt_logfn(u_int8_t pf,
ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
}
-static bool ulog_tg_check(const struct xt_tgchk_param *par)
+static int ulog_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_ulog_info *loginfo = par->targinfo;
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 3b216be..454ab1a 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -70,7 +70,7 @@ addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
+static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
{
struct ipt_addrtype_info_v1 *info = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 0104c0b..e9c736d 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -61,7 +61,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
!!(ahinfo->invflags & IPT_AH_INV_SPI));
}
-static bool ah_mt_check(const struct xt_mtchk_param *par)
+static int ah_mt_check(const struct xt_mtchk_param *par)
{
const struct ipt_ah *ahinfo = par->matchinfo;
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 2a1e56b..eb8442f 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -85,7 +85,7 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool ecn_mt_check(const struct xt_mtchk_param *par)
+static int ecn_mt_check(const struct xt_mtchk_param *par)
{
const struct ipt_ecn_info *info = par->matchinfo;
const struct ipt_ip *ip = par->entryinfo;
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index ab74cc0..a3813af 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -73,7 +73,7 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST);
}
-static bool ipt_snat_checkentry(const struct xt_tgchk_param *par)
+static int ipt_snat_checkentry(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
@@ -85,7 +85,7 @@ static bool ipt_snat_checkentry(const struct xt_tgchk_param *par)
return true;
}
-static bool ipt_dnat_checkentry(const struct xt_tgchk_param *par)
+static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
{
const struct nf_nat_multi_range_compat *mr = par->targinfo;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 9210e31..3ade0b7 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2216,7 +2216,7 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
}
/* Called when user tries to insert an entry of this type. */
-static bool icmp6_checkentry(const struct xt_mtchk_param *par)
+static int icmp6_checkentry(const struct xt_mtchk_param *par)
{
const struct ip6t_icmp *icmpinfo = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index b285fdf..2f374d2 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -452,7 +452,7 @@ log_tg6(struct sk_buff *skb, const struct xt_target_param *par)
}
-static bool log_tg6_check(const struct xt_tgchk_param *par)
+static int log_tg6_check(const struct xt_tgchk_param *par)
{
const struct ip6t_log_info *loginfo = par->targinfo;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index dd8afba..ec67465 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -213,7 +213,7 @@ reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
return NF_DROP;
}
-static bool reject_tg6_check(const struct xt_tgchk_param *par)
+static int reject_tg6_check(const struct xt_tgchk_param *par)
{
const struct ip6t_reject_info *rejinfo = par->targinfo;
const struct ip6t_entry *e = par->entryinfo;
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index ac0b7c6..4a23ba4 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -87,7 +87,7 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
!(ahinfo->hdrres && ah->reserved);
}
-static bool ah_mt6_check(const struct xt_mtchk_param *par)
+static int ah_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_ah *ahinfo = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 7b91c25..41c901c 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -102,7 +102,7 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
(ntohs(fh->frag_off) & IP6_MF));
}
-static bool frag_mt6_check(const struct xt_mtchk_param *par)
+static int frag_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_frag *fraginfo = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index cbe8dec..252c9cd 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -160,7 +160,7 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
-static bool hbh_mt6_check(const struct xt_mtchk_param *par)
+static int hbh_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_opts *optsinfo = par->matchinfo;
--git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 91490ad..90e1e04 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -118,7 +118,7 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
}
}
-static bool ipv6header_mt6_check(const struct xt_mtchk_param *par)
+static int ipv6header_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_ipv6header_info *info = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index aafe4e6..5847bdb 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -67,7 +67,7 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
!!(mhinfo->invflags & IP6T_MH_INV_TYPE));
}
-static bool mh_mt6_check(const struct xt_mtchk_param *par)
+static int mh_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_mh *mhinfo = par->matchinfo;
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index b77307f..31f2f54 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -183,7 +183,7 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
-static bool rt_mt6_check(const struct xt_mtchk_param *par)
+static int rt_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_rt *rtinfo = par->matchinfo;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 0a12ced..59bde81 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -360,6 +360,8 @@ static char *textify_hooks(char *buf, size_t size, unsigned int mask)
int xt_check_match(struct xt_mtchk_param *par,
unsigned int size, u_int8_t proto, bool inv_proto)
{
+ int ret;
+
if (XT_ALIGN(par->match->matchsize) != size &&
par->match->matchsize != -1) {
/*
@@ -396,8 +398,13 @@ int xt_check_match(struct xt_mtchk_param *par,
par->match->proto);
return -EINVAL;
}
- if (par->match->checkentry != NULL && !par->match->checkentry(par))
- return -EINVAL;
+ if (par->match->checkentry != NULL) {
+ ret = par->match->checkentry(par);
+ if (ret < 0)
+ return ret;
+ else if (ret == 0)
+ return -EINVAL;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(xt_check_match);
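Review bot: the three-way return convention introduced here (positive is success, 0 is treated as the legacy `false` and rewritten to -EINVAL, negative is passed through as an errno) is not documented anywhere in the hunk; a short comment above `if (par->match->checkentry != NULL) {`, for example `/* checkentry: >0 ok, 0 = legacy failure (-EINVAL), <0 errno */`, would keep module authors from returning 0 for success once their checkentry functions are converted to `int`, which is exactly what the rest of this series does.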
@@ -517,6 +524,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
int xt_check_target(struct xt_tgchk_param *par,
unsigned int size, u_int8_t proto, bool inv_proto)
{
+ int ret;
+
if (XT_ALIGN(par->target->targetsize) != size) {
pr_err("%s_tables: %s.%u target: invalid size "
"%u (kernel) != (user) %u\n",
@@ -548,8 +557,13 @@ int xt_check_target(struct xt_tgchk_param *par,
par->target->proto);
return -EINVAL;
}
- if (par->target->checkentry != NULL && !par->target->checkentry(par))
- return -EINVAL;
+ if (par->target->checkentry != NULL) {
+ ret = par->target->checkentry(par);
+ if (ret < 0)
+ return ret;
+ else if (ret == false)
+ return -EINVAL;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(xt_check_target);
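Review bot: `else if (ret == false)` compares an `int` that now carries errno values against a bool constant; write `ret == 0` as the xt_check_match hunk in this same patch does, so the two core call sites read identically and the `< 0` / `== 0` / positive split is spelled the same way in both.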
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index b54c375..9d86530 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -85,9 +85,10 @@ connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool connsecmark_tg_check(const struct xt_tgchk_param *par)
+static int connsecmark_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_connsecmark_target_info *info = par->targinfo;
+ int ret;
if (strcmp(par->table, "mangle") != 0 &&
strcmp(par->table, "security") != 0) {
@@ -106,10 +107,11 @@ static bool connsecmark_tg_check(const struct xt_tgchk_param *par)
return false;
}
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%u\n", par->family);
- return false;
+ return ret;
}
return true;
}
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 6509e03..da5b951 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -53,12 +53,13 @@ static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
return 0;
}
-static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
+static int xt_ct_tg_check(const struct xt_tgchk_param *par)
{
struct xt_ct_target_info *info = par->targinfo;
struct nf_conntrack_tuple t;
struct nf_conn_help *help;
struct nf_conn *ct;
+ int ret = 0;
u8 proto;
if (info->flags & ~XT_CT_NOTRACK)
@@ -75,28 +76,34 @@ static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
goto err1;
#endif
- if (nf_ct_l3proto_try_module_get(par->family) < 0)
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0)
goto err1;
memset(&t, 0, sizeof(t));
ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL);
+ ret = PTR_ERR(ct);
if (IS_ERR(ct))
goto err2;
+ ret = 0;
if ((info->ct_events || info->exp_events) &&
!nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
GFP_KERNEL))
goto err3;
if (info->helper[0]) {
+ ret = -ENOENT;
proto = xt_ct_find_proto(par);
if (!proto)
goto err3;
+ ret = -ENOMEM;
help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
if (help == NULL)
goto err3;
+ ret = -ENOENT;
help->helper = nf_conntrack_helper_try_module_get(info->helper,
par->family,
proto);
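Review bot: the `nf_ct_ecache_ext_add()` failure path jumps to err3 with `ret` still 0 (it is reset to 0 right after the `IS_ERR(ct)` test), so that allocation failure reaches userspace as -EINVAL through the core's legacy mapping while every other allocation failure in this function now reports -ENOMEM; set `ret = -ENOMEM;` before the `if ((info->ct_events || info->exp_events) &&` test, mirroring the `ret = -ENOMEM;` placed before `nf_ct_helper_ext_add()`.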
@@ -115,7 +122,7 @@ err3:
err2:
nf_ct_l3proto_module_put(par->family);
err1:
- return false;
+ return ret;
}
static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
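Review bot: `return ret;` at err1 also serves the early `goto err1` exits above the previous hunk (the `info->flags & ~XT_CT_NOTRACK` check and the `#ifdef` block), where `ret` is still the initial 0 and only becomes -EINVAL because xt_check_target substitutes it; initialising the variable as `int ret = -EINVAL;` in the declaration hunk states the intended error code at the point of return instead of relying on the caller's fallback.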
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 74ce892..e37ca94 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -60,7 +60,7 @@ dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool dscp_tg_check(const struct xt_tgchk_param *par)
+static int dscp_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_DSCP_info *info = par->targinfo;
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 10e789e..601321e 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -101,7 +101,7 @@ hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool ttl_tg_check(const struct xt_tgchk_param *par)
+static int ttl_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_TTL_info *info = par->targinfo;
@@ -115,7 +115,7 @@ static bool ttl_tg_check(const struct xt_tgchk_param *par)
return true;
}
-static bool hl_tg6_check(const struct xt_tgchk_param *par)
+static int hl_tg6_check(const struct xt_tgchk_param *par)
{
const struct ip6t_HL_info *info = par->targinfo;
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index f86dc52..f776f52 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -80,7 +80,7 @@ static void led_timeout_callback(unsigned long data)
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
}
-static bool led_tg_check(const struct xt_tgchk_param *par)
+static int led_tg_check(const struct xt_tgchk_param *par)
{
struct xt_led_info *ledinfo = par->targinfo;
struct xt_led_info_internal *ledinternal;
@@ -94,7 +94,7 @@ static bool led_tg_check(const struct xt_tgchk_param *par)
ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
if (!ledinternal) {
printk(KERN_CRIT KBUILD_MODNAME ": out of memory\n");
- return false;
+ return -ENOMEM;
}
ledinternal->netfilter_led_trigger.name = ledinfo->id;
@@ -106,7 +106,8 @@ static bool led_tg_check(const struct xt_tgchk_param *par)
if (err == -EEXIST)
printk(KERN_ERR KBUILD_MODNAME
": Trigger name is already in use.\n");
- goto exit_alloc;
+ kfree(ledinternal);
+ return err;
}
/* See if we need to set up a timer */
@@ -115,13 +116,7 @@ static bool led_tg_check(const struct xt_tgchk_param *par)
(unsigned long)ledinfo);
ledinfo->internal_data = ledinternal;
-
return true;
-
-exit_alloc:
- kfree(ledinternal);
-
- return false;
}
static void led_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index a57c5cf..13e6c00 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -37,7 +37,7 @@ nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool nflog_tg_check(const struct xt_tgchk_param *par)
+static int nflog_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_nflog_info *info = par->targinfo;
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index a37e216..5e503b1 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -81,7 +81,7 @@ nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
return NF_QUEUE_NR(queue);
}
-static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
+static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
{
const struct xt_NFQ_info_v1 *info = par->targinfo;
u32 maxid;
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 87ae97e..3c5d1c9 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -85,7 +85,7 @@ xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
+static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
{
struct xt_rateest_target_info *info = par->targinfo;
struct xt_rateest *est;
@@ -93,6 +93,7 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
struct nlattr opt;
struct gnet_estimator est;
} cfg;
+ int ret;
if (unlikely(!rnd_inited)) {
get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
@@ -115,6 +116,7 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
return true;
}
+ ret = -ENOMEM;
est = kzalloc(sizeof(*est), GFP_KERNEL);
if (!est)
goto err1;
@@ -130,8 +132,9 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
cfg.est.interval = info->interval;
cfg.est.ewma_log = info->ewma_log;
- if (gen_new_estimator(&est->bstats, &est->rstats, &est->lock,
- &cfg.opt) < 0)
+ ret = gen_new_estimator(&est->bstats, &est->rstats,
+ &est->lock, &cfg.opt);
+ if (ret < 0)
goto err2;
info->est = est;
@@ -142,7 +145,7 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
err2:
kfree(est);
err1:
- return false;
+ return ret;
}
static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 7a6f9e6..acb2b98 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -49,7 +49,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool checkentry_selinux(struct xt_secmark_target_info *info)
+static int checkentry_selinux(struct xt_secmark_target_info *info)
{
int err;
struct xt_secmark_target_selinux_info *sel = &info->u.sel;
@@ -61,7 +61,7 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info)
if (err == -EINVAL)
printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n",
sel->selctx);
- return false;
+ return err;
}
if (!sel->selsid) {
@@ -73,16 +73,17 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info)
err = selinux_secmark_relabel_packet_permission(sel->selsid);
if (err) {
printk(KERN_INFO PFX "unable to obtain relabeling permission\n");
- return false;
+ return err;
}
selinux_secmark_refcount_inc();
return true;
}
-static bool secmark_tg_check(const struct xt_tgchk_param *par)
+static int secmark_tg_check(const struct xt_tgchk_param *par)
{
struct xt_secmark_target_info *info = par->targinfo;
+ int err;
if (strcmp(par->table, "mangle") != 0 &&
strcmp(par->table, "security") != 0) {
@@ -99,8 +100,9 @@ static bool secmark_tg_check(const struct xt_tgchk_param *par)
switch (info->mode) {
case SECMARK_MODE_SEL:
- if (!checkentry_selinux(info))
- return false;
+ err = checkentry_selinux(info);
+ if (err <= 0)
+ return err;
break;
default:
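Review bot: `if (err <= 0) return err;` relies on checkentry_selinux() returning `true` (1) on success and a negative errno on failure, a mixed convention within one file that is correct only because the helper never returns 0. Converting checkentry_selinux() to the errno convention (return 0 on success, keep the `return err;` paths added in the earlier hunks) and testing `err < 0` here would remove the special case; failing that, a one-line comment on the call saying that a positive return is the success case is the minimum.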
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 0e357ac..5f69a20 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -235,7 +235,7 @@ static inline bool find_syn_match(const struct xt_entry_match *m)
return false;
}
-static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
+static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
{
const struct xt_tcpmss_info *info = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
@@ -257,7 +257,7 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
}
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
-static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
+static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
{
const struct xt_tcpmss_info *info = par->targinfo;
const struct ip6t_entry *e = par->entryinfo;
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 1340c2f..bb4d385 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -59,7 +59,7 @@ tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
return NF_DROP;
}
-static bool tproxy_tg_check(const struct xt_tgchk_param *par)
+static int tproxy_tg_check(const struct xt_tgchk_param *par)
{
const struct ipt_ip *i = par->entryinfo;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 225ee3e..f049121 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -131,7 +131,7 @@ xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par)
!!(info->flags & XT_CLUSTER_F_INV);
}
-static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
+static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
{
struct xt_cluster_match_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 955e659..697fd4a 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -92,9 +92,10 @@ connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return what >= sinfo->count.from;
}
-static bool connbytes_mt_check(const struct xt_mtchk_param *par)
+static int connbytes_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_connbytes_info *sinfo = par->matchinfo;
+ int ret;
if (sinfo->what != XT_CONNBYTES_PKTS &&
sinfo->what != XT_CONNBYTES_BYTES &&
@@ -106,10 +107,11 @@ static bool connbytes_mt_check(const struct xt_mtchk_param *par)
sinfo->direction != XT_CONNBYTES_DIR_BOTH)
return false;
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%u\n", par->family);
- return false;
+ return ret;
}
return true;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 9e624af..ead25e3 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -215,26 +215,28 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
-static bool connlimit_mt_check(const struct xt_mtchk_param *par)
+static int connlimit_mt_check(const struct xt_mtchk_param *par)
{
struct xt_connlimit_info *info = par->matchinfo;
unsigned int i;
+ int ret;
if (unlikely(!connlimit_rnd_inited)) {
get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd));
connlimit_rnd_inited = true;
}
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
printk(KERN_WARNING "cannot load conntrack support for "
"address family %u\n", par->family);
- return false;
+ return ret;
}
/* init private data */
info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
if (info->data == NULL) {
nf_ct_l3proto_module_put(par->family);
- return false;
+ return -ENOMEM;
}
spin_lock_init(&info->data->lock);
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 97465a4..4d59846 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -74,12 +74,15 @@ connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
-static bool connmark_tg_check(const struct xt_tgchk_param *par)
+static int connmark_tg_check(const struct xt_tgchk_param *par)
{
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ int ret;
+
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
printk(KERN_WARNING "cannot load conntrack support for "
"proto=%u\n", par->family);
- return false;
+ return ret;
}
return true;
}
@@ -103,12 +106,15 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ((ct->mark & info->mask) == info->mark) ^ info->invert;
}
-static bool connmark_mt_check(const struct xt_mtchk_param *par)
+static int connmark_mt_check(const struct xt_mtchk_param *par)
{
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ int ret;
+
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
printk(KERN_WARNING "cannot load conntrack support for "
"proto=%u\n", par->family);
- return false;
+ return ret;
}
return true;
}
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index ae66305..60fc99f 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -206,12 +206,15 @@ conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
}
-static bool conntrack_mt_check(const struct xt_mtchk_param *par)
+static int conntrack_mt_check(const struct xt_mtchk_param *par)
{
- if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+ int ret;
+
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%u\n", par->family);
- return false;
+ return ret;
}
return true;
}
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 0989f29..1394deb 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -123,7 +123,7 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
XT_DCCP_OPTION, info->flags, info->invflags);
}
-static bool dccp_mt_check(const struct xt_mtchk_param *par)
+static int dccp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_dccp_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 0280d3a..e29b1b2 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -42,7 +42,7 @@ dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
return (dscp == info->dscp) ^ !!info->invert;
}
-static bool dscp_mt_check(const struct xt_mtchk_param *par)
+static int dscp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_dscp_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 6094399..990a824 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -66,7 +66,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
!!(espinfo->invflags & XT_ESP_INV_SPI));
}
-static bool esp_mt_check(const struct xt_mtchk_param *par)
+static int esp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_esp *espinfo = par->matchinfo;
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 8032463..9ec2ad5 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -217,7 +217,7 @@ static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_
sizeof(struct list_head) * size);
if (!hinfo) {
printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
- return -1;
+ return -ENOMEM;
}
minfo->hinfo = hinfo;
@@ -254,7 +254,7 @@ static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_
&dl_file_ops, hinfo);
if (!hinfo->pde) {
vfree(hinfo);
- return -1;
+ return -ENOMEM;
}
hinfo->net = net;
@@ -290,7 +290,7 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
sizeof(struct list_head) * size);
if (hinfo == NULL) {
printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
- return -1;
+ return -ENOMEM;
}
minfo->hinfo = hinfo;
@@ -317,7 +317,7 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
&dl_file_ops, hinfo);
if (hinfo->pde == NULL) {
vfree(hinfo);
- return -1;
+ return -ENOMEM;
}
hinfo->net = net;
@@ -677,10 +677,11 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
-static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
+static int hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
{
struct net *net = par->net;
struct xt_hashlimit_info *r = par->matchinfo;
+ int ret;
/* Check for overflow. */
if (r->cfg.burst == 0 ||
@@ -704,19 +705,22 @@ static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
mutex_lock(&hashlimit_mutex);
r->hinfo = htable_find_get(net, r->name, par->match->family);
- if (!r->hinfo && htable_create_v0(net, r, par->match->family) != 0) {
- mutex_unlock(&hashlimit_mutex);
- return false;
+ if (r->hinfo == NULL) {
+ ret = htable_create_v0(net, r, par->match->family);
+ if (ret < 0) {
+ mutex_unlock(&hashlimit_mutex);
+ return ret;
+ }
}
mutex_unlock(&hashlimit_mutex);
-
return true;
}
-static bool hashlimit_mt_check(const struct xt_mtchk_param *par)
+static int hashlimit_mt_check(const struct xt_mtchk_param *par)
{
struct net *net = par->net;
struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
+ int ret;
/* Check for overflow. */
if (info->cfg.burst == 0 ||
@@ -740,9 +744,12 @@ static bool hashlimit_mt_check(const struct xt_mtchk_param *par)
mutex_lock(&hashlimit_mutex);
info->hinfo = htable_find_get(net, info->name, par->match->family);
- if (!info->hinfo && htable_create(net, info, par->match->family) != 0) {
- mutex_unlock(&hashlimit_mutex);
- return false;
+ if (info->hinfo == NULL) {
+ ret = htable_create(net, info, par->match->family);
+ if (ret < 0) {
+ mutex_unlock(&hashlimit_mutex);
+ return ret;
+ }
}
mutex_unlock(&hashlimit_mutex);
return true;
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 64fc7f2..ce05d3a 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -54,7 +54,7 @@ helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool helper_mt_check(const struct xt_mtchk_param *par)
+static int helper_mt_check(const struct xt_mtchk_param *par)
{
struct xt_helper_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index a0ca533..9638de3 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -97,7 +97,7 @@ user2credits(u_int32_t user)
return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE;
}
-static bool limit_mt_check(const struct xt_mtchk_param *par)
+static int limit_mt_check(const struct xt_mtchk_param *par)
{
struct xt_rateinfo *r = par->matchinfo;
struct xt_limit_priv *priv;
@@ -112,7 +112,7 @@ static bool limit_mt_check(const struct xt_mtchk_param *par)
priv = kmalloc(sizeof(*priv), GFP_KERNEL);
if (priv == NULL)
- return false;
+ return -ENOMEM;
/* For SMP, we only want to use one set of state. */
r->master = priv;
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d06bb2d..75d9ad4 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -158,7 +158,7 @@ check(u_int16_t proto,
&& count <= XT_MULTI_PORTS;
}
-static bool multiport_mt_check_v0(const struct xt_mtchk_param *par)
+static int multiport_mt_check_v0(const struct xt_mtchk_param *par)
{
const struct ipt_ip *ip = par->entryinfo;
const struct xt_multiport *multiinfo = par->matchinfo;
@@ -167,7 +167,7 @@ static bool multiport_mt_check_v0(const struct xt_mtchk_param *par)
multiinfo->count);
}
-static bool multiport_mt_check(const struct xt_mtchk_param *par)
+static int multiport_mt_check(const struct xt_mtchk_param *par)
{
const struct ipt_ip *ip = par->entryinfo;
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
@@ -176,7 +176,7 @@ static bool multiport_mt_check(const struct xt_mtchk_param *par)
multiinfo->count);
}
-static bool multiport_mt6_check_v0(const struct xt_mtchk_param *par)
+static int multiport_mt6_check_v0(const struct xt_mtchk_param *par)
{
const struct ip6t_ip6 *ip = par->entryinfo;
const struct xt_multiport *multiinfo = par->matchinfo;
@@ -185,7 +185,7 @@ static bool multiport_mt6_check_v0(const struct xt_mtchk_param *par)
multiinfo->count);
}
-static bool multiport_mt6_check(const struct xt_mtchk_param *par)
+static int multiport_mt6_check(const struct xt_mtchk_param *par)
{
const struct ip6t_ip6 *ip = par->entryinfo;
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 8d28ca5..ecce894 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -83,7 +83,7 @@ match_outdev:
return (!!ret ^ !(info->invert & XT_PHYSDEV_OP_OUT));
}
-static bool physdev_mt_check(const struct xt_mtchk_param *par)
+static int physdev_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_physdev_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 4cbfebd..e4bd7c7 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -128,7 +128,7 @@ policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool policy_mt_check(const struct xt_mtchk_param *par)
+static int policy_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_policy_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 390b7d0..d61f05d 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -43,7 +43,7 @@ quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool quota_mt_check(const struct xt_mtchk_param *par)
+static int quota_mt_check(const struct xt_mtchk_param *par)
{
struct xt_quota_info *q = par->matchinfo;
@@ -52,7 +52,7 @@ static bool quota_mt_check(const struct xt_mtchk_param *par)
q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);
if (q->master == NULL)
- return false;
+ return -ENOMEM;
q->master->quota = q->quota;
return true;
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 4fc6a91..9badfa6 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -74,10 +74,11 @@ xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
+static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
{
struct xt_rateest_match_info *info = par->matchinfo;
struct xt_rateest *est1, *est2;
+ int ret = false;
if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
XT_RATEEST_MATCH_REL)) != 1)
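Review bot: `int ret = false;` initialises an `int` with a bool constant, and the value matters: the `goto err1` taken when the flag check below fails returns this 0 and the core rewrites it to -EINVAL, so `int ret = -EINVAL;` says what the function means and keeps working if xt_check_match ever stops special-casing 0. The explicit `ret = -ENOENT;` before `xt_rateest_lookup()` is the right pattern; apply it to the initial value too.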
@@ -95,6 +96,7 @@ static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
goto err1;
}
+ ret = -ENOENT;
est1 = xt_rateest_lookup(info->name1);
if (!est1)
goto err1;
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index b65eca9..deef3bc 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -304,7 +304,7 @@ out:
return ret;
}
-static bool recent_mt_check(const struct xt_mtchk_param *par)
+static int recent_mt_check(const struct xt_mtchk_param *par)
{
struct recent_net *recent_net = recent_pernet(par->net);
const struct xt_recent_mtinfo *info = par->matchinfo;
@@ -313,7 +313,7 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
struct proc_dir_entry *pde;
#endif
unsigned i;
- bool ret = false;
+ int ret = false;
if (unlikely(!hash_rnd_inited)) {
get_random_bytes(&hash_rnd, sizeof(hash_rnd));
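Review bot: `- bool ret = false;` / `+ int ret = false;` changes the type but keeps the bool spelling; as the `ret = -ENOMEM;` assignments later in this function show, `ret` now carries errnos, so initialise it to `-EINVAL` (the value the core substitutes for 0 anyway). Any `goto out` that does not assign `ret` would otherwise depend on the legacy 0-means-failure mapping in xt_check_match rather than on a code chosen here.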
@@ -349,8 +349,10 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size,
GFP_KERNEL);
- if (t == NULL)
+ if (t == NULL) {
+ ret = -ENOMEM;
goto out;
+ }
t->refcnt = 1;
strcpy(t->name, info->name);
INIT_LIST_HEAD(&t->lru_list);
@@ -361,6 +363,7 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
&recent_mt_fops, t);
if (pde == NULL) {
kfree(t);
+ ret = -ENOMEM;
goto out;
}
pde->uid = ip_list_uid;
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index a189ada..3d2d1b8 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -147,7 +147,7 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
}
-static bool sctp_mt_check(const struct xt_mtchk_param *par)
+static int sctp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_sctp_info *info = par->matchinfo;
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 4c946cb..f4205f3 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -37,12 +37,15 @@ state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return (sinfo->statemask & statebit);
}
-static bool state_mt_check(const struct xt_mtchk_param *par)
+static int state_mt_check(const struct xt_mtchk_param *par)
{
- if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
+ int ret;
+
+ ret = nf_ct_l3proto_try_module_get(par->match->family);
+ if (ret < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%u\n", par->match->family);
- return false;
+ return ret;
}
return true;
}
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index d8c0f8f..43f0d42 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -52,7 +52,7 @@ statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ret;
}
-static bool statistic_mt_check(const struct xt_mtchk_param *par)
+static int statistic_mt_check(const struct xt_mtchk_param *par)
{
struct xt_statistic_info *info = par->matchinfo;
@@ -63,7 +63,7 @@ static bool statistic_mt_check(const struct xt_mtchk_param *par)
info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
if (info->master == NULL) {
printk(KERN_ERR KBUILD_MODNAME ": Out of memory\n");
- return false;
+ return -ENOMEM;
}
info->master->count = info->u.nth.count;
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index b4d7741..fa7d066 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -40,7 +40,7 @@ string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
#define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m))
-static bool string_mt_check(const struct xt_mtchk_param *par)
+static int string_mt_check(const struct xt_mtchk_param *par)
{
struct xt_string_info *conf = par->matchinfo;
struct ts_config *ts_conf;
@@ -63,7 +63,7 @@ static bool string_mt_check(const struct xt_mtchk_param *par)
ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
GFP_KERNEL, flags);
if (IS_ERR(ts_conf))
- return false;
+ return PTR_ERR(ts_conf);
conf->config = ts_conf;
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 1ebdc49..7ec34ee 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -126,7 +126,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool tcp_mt_check(const struct xt_mtchk_param *par)
+static int tcp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_tcp *tcpinfo = par->matchinfo;
@@ -161,7 +161,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
!!(udpinfo->invflags & XT_UDP_INV_DSTPT));
}
-static bool udp_mt_check(const struct xt_mtchk_param *par)
+static int udp_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_udp *udpinfo = par->matchinfo;
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 9a9c9a3..fa5ab6e 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -217,7 +217,7 @@ time_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
-static bool time_mt_check(const struct xt_mtchk_param *par)
+static int time_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_time_info *info = par->matchinfo;
--
1.7.0.2
* [PATCH 3/9] netfilter: xtables: restrict TCPMSS to mangle table as intended
2010-03-17 13:18 nf-next: checks and three modules Jan Engelhardt
2010-03-17 13:18 ` [PATCH 1/9] netfilter: xtables: do without explicit XT_ALIGN Jan Engelhardt
2010-03-17 13:18 ` [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values Jan Engelhardt
@ 2010-03-17 13:18 ` Jan Engelhardt
2010-03-17 13:30 ` Patrick McHardy
2010-03-17 13:18 ` [PATCH 4/9] netfilter: xtables: clean up xt_mac match routine Jan Engelhardt
` (5 subsequent siblings)
8 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
References: http://bugs.debian.org/567050
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/xt_TCPMSS.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 5f69a20..0c485c4 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -283,6 +283,7 @@ static struct xt_target tcpmss_tg_reg[] __read_mostly = {
{
.family = NFPROTO_IPV4,
.name = "TCPMSS",
+ .table = "mangle",
.checkentry = tcpmss_tg4_check,
.target = tcpmss_tg4,
.targetsize = sizeof(struct xt_tcpmss_info),
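Review bot: the commit body is empty apart from the bug URL. `.table = "mangle"` turns what was previously an assumption into a rule-load failure for any existing rule that placed TCPMSS in another table, which is user-visible for existing rulesets; the message should say what "as intended" refers to (where the restriction was documented or assumed) and that such rules are now rejected at insertion time. A URL alone does not convey that to someone reading git log.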
@@ -293,6 +294,7 @@ static struct xt_target tcpmss_tg_reg[] __read_mostly = {
{
.family = NFPROTO_IPV6,
.name = "TCPMSS",
+ .table = "mangle",
.checkentry = tcpmss_tg6_check,
.target = tcpmss_tg6,
.targetsize = sizeof(struct xt_tcpmss_info),
--
1.7.0.2
* [PATCH 4/9] netfilter: xtables: clean up xt_mac match routine
2010-03-17 13:18 nf-next: checks and three modules Jan Engelhardt
` (2 preceding siblings ...)
2010-03-17 13:18 ` [PATCH 3/9] netfilter: xtables: restrict TCPMSS to mangle table as intended Jan Engelhardt
@ 2010-03-17 13:18 ` Jan Engelhardt
2010-03-17 13:19 ` [PATCH 5/9] netfilter: xtables: limit xt_mac to ethernet devices Jan Engelhardt
` (4 subsequent siblings)
8 siblings, 0 replies; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:18 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/xt_mac.c | 18 ++++++++++--------
1 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index c200711..2039d07 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -26,14 +26,16 @@ MODULE_ALIAS("ip6t_mac");
static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
- const struct xt_mac_info *info = par->matchinfo;
-
- /* Is mac pointer valid? */
- return skb_mac_header(skb) >= skb->head &&
- skb_mac_header(skb) + ETH_HLEN <= skb->data
- /* If so, compare... */
- && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr))
- ^ info->invert);
+ const struct xt_mac_info *info = par->matchinfo;
+ bool ret;
+
+ if (skb_mac_header(skb) < skb->head)
+ return false;
+ if (skb_mac_header(skb) + ETH_HLEN > skb->data)
+ return false;
+ ret = compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr) == 0;
+ ret ^= info->invert;
+ return ret;
}
static struct xt_match mac_mt_reg __read_mostly = {
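Review bot: `ret ^= info->invert;` only does the right thing if invert is strictly 0 or 1; any other non-zero value makes the XOR true for both match outcomes. The old chained expression had the same property, so the cleanup preserves behaviour, but since invert comes from userspace it is worth closing now: write `ret ^= !!info->invert;` here, or reject other values in a checkentry function. Otherwise the early-return form reads much better than the &&/^ chain.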
--
1.7.0.2
* [PATCH 5/9] netfilter: xtables: limit xt_mac to ethernet devices
2010-03-17 13:18 nf-next: checks and three modules Jan Engelhardt
` (3 preceding siblings ...)
2010-03-17 13:18 ` [PATCH 4/9] netfilter: xtables: clean up xt_mac match routine Jan Engelhardt
@ 2010-03-17 13:19 ` Jan Engelhardt
2010-03-17 13:31 ` Patrick McHardy
2010-03-17 13:19 ` [PATCH 6/9] netfilter: xtables: resort osf kconfig text Jan Engelhardt
` (3 subsequent siblings)
8 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
I do not see the point in allowing the MAC module to work with devices
that cannot possibly have one, e.g. various tunnel interfaces such as
tun and sit.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/xt_mac.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 2039d07..b971ce9 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -10,6 +10,7 @@
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <linux/if_arp.h>
#include <linux/if_ether.h>
#include <linux/etherdevice.h>
@@ -29,6 +30,8 @@ static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
const struct xt_mac_info *info = par->matchinfo;
bool ret;
+ if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
+ return false;
if (skb_mac_header(skb) < skb->head)
return false;
if (skb_mac_header(skb) + ETH_HLEN > skb->data)
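Review bot: the new device-type test rejects packets silently; the only hint an administrator gets that a rule on a tun or sit interface can never match is this per-packet `return false`. Please mention in the module description or the Kconfig help that the match is Ethernet-only. The `skb->dev == NULL` half of the condition is needed and cheap, but say in the commit message which hook it guards, since the reader cannot tell from the hunk whether it was observed or is defensive.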
--
1.7.0.2
* [PATCH 6/9] netfilter: xtables: resort osf kconfig text
2010-03-17 13:18 nf-next: checks and three modules Jan Engelhardt
` (4 preceding siblings ...)
2010-03-17 13:19 ` [PATCH 5/9] netfilter: xtables: limit xt_mac to ethernet devices Jan Engelhardt
@ 2010-03-17 13:19 ` Jan Engelhardt
2010-03-17 13:19 ` [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ Jan Engelhardt
` (2 subsequent siblings)
8 siblings, 0 replies; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Restore alphabetical ordering of the list and put the xt_osf option
into its 'right' place again.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/Kconfig | 26 +++++++++++++-------------
1 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6ac28ef..8055786 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -774,6 +774,19 @@ config NETFILTER_XT_MATCH_MULTIPORT
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_OSF
+ tristate '"osf" Passive OS fingerprint match'
+ depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
+ help
+ This option selects the Passive OS Fingerprinting match module
+ that allows to passively match the remote operating system by
+ analyzing incoming TCP SYN packets.
+
+ Rules and loading software can be downloaded from
+ http://www.ioremap.net/projects/osf
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_OWNER
tristate '"owner" match support'
depends on NETFILTER_ADVANCED
@@ -958,19 +971,6 @@ config NETFILTER_XT_MATCH_U32
Details and examples are in the kernel module source.
-config NETFILTER_XT_MATCH_OSF
- tristate '"osf" Passive OS fingerprint match'
- depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
- help
- This option selects the Passive OS Fingerprinting match module
- that allows to passively match the remote operating system by
- analyzing incoming TCP SYN packets.
-
- Rules and loading software can be downloaded from
- http://www.ioremap.net/projects/osf
-
- To compile it as a module, choose M here. If unsure, say N.
-
endif # NETFILTER_XTABLES
endmenu
--
1.7.0.2
* [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ
2010-03-17 13:18 nf-next: checks and three modules Jan Engelhardt
` (5 preceding siblings ...)
2010-03-17 13:19 ` [PATCH 6/9] netfilter: xtables: resort osf kconfig text Jan Engelhardt
@ 2010-03-17 13:19 ` Jan Engelhardt
2010-03-17 13:56 ` Patrick McHardy
2010-03-17 13:19 ` [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE Jan Engelhardt
2010-03-17 13:19 ` [PATCH 9/9] netfilter: xtables: inclusion of xt_condition Jan Engelhardt
8 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The SYSRQ target will allow sysrq to be invoked remotely on the local
machine. Authentication is by means of a pre-shared key that can
either be transmitted plaintext or digest-secured.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
net/netfilter/Kconfig | 12 ++
net/netfilter/Makefile | 1 +
net/netfilter/xt_SYSRQ.c | 372 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 385 insertions(+), 0 deletions(-)
create mode 100644 net/netfilter/xt_SYSRQ.c
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 8055786..3f2042b 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -502,6 +502,18 @@ config NETFILTER_XT_TARGET_RATEEST
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_TARGET_SYSRQ
+ tristate '"SYSRQ" - remote sysrq invocation'
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option enables the "SYSRQ" target which can be used to trigger
+ sysrq from a remote machine using a magic UDP packet with a pre-shared
+ password. This is useful when the receiving host has locked up in an
+ Oops yet still can process incoming packets.
+
+ Besides plaintext packets, digest-secured SYSRQ requests will be
+ supported when CONFIG_CRYPTO is enabled.
+
config NETFILTER_XT_TARGET_TPROXY
tristate '"TPROXY" target support (EXPERIMENTAL)'
depends on EXPERIMENTAL
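Review bot: the help text says digest-secured requests are supported "when CONFIG_CRYPTO is enabled", but the entry neither depends on nor selects CRYPTO, so a kernel without crypto silently builds the plaintext variant, in which the password crosses the network in the clear with no replay protection. A remote trigger for sysrq should not have that fallback: make the entry `depends on CRYPTO` and `select CRYPTO_SHA1` (sha1 is the module's default hash) and drop the plaintext mode, or at the very least state in the help that the plaintext mode protects against neither sniffing nor replay. The entry also lacks the closing "To compile it as a module, choose M here. If unsure, say N." line its neighbours have.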
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index cd31afe..0bfd0af 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -56,6 +56,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_SYSRQ) += xt_SYSRQ.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
diff --git a/net/netfilter/xt_SYSRQ.c b/net/netfilter/xt_SYSRQ.c
new file mode 100644
index 0000000..a843643
--- /dev/null
+++ b/net/netfilter/xt_SYSRQ.c
@@ -0,0 +1,372 @@
+/*
+ * "SYSRQ" target extension for Netfilter
+ * Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
+ *
+ * Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 or later as published by the Free Software Foundation.
+ */
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/sysrq.h>
+#include <linux/udp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/crypto.h>
+#include <linux/scatterlist.h>
+#include <net/ip.h>
+
+#if defined(CONFIG_CRYPTO) || defined(CRYPTO_CONFIG_MODULE)
+# define WITH_CRYPTO 1
+#endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+# define WITH_IPV6 1
+#endif
+
+static bool sysrq_once;
+static char sysrq_password[64];
+static char sysrq_hash[16] = "sha1";
+static long sysrq_seqno;
+static int sysrq_debug;
+module_param_string(password, sysrq_password, sizeof(sysrq_password),
+ S_IRUSR | S_IWUSR);
+module_param_string(hash, sysrq_hash, sizeof(sysrq_hash), S_IRUSR);
+module_param_named(seqno, sysrq_seqno, long, S_IRUSR | S_IWUSR);
+module_param_named(debug, sysrq_debug, int, S_IRUSR | S_IWUSR);
+MODULE_PARM_DESC(password, "password for remote sysrq");
+MODULE_PARM_DESC(hash, "hash algorithm, default sha1");
+MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
+MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
+
+#ifdef WITH_CRYPTO
+static struct crypto_hash *sysrq_tfm;
+static int sysrq_digest_size;
+static unsigned char *sysrq_digest_password;
+static unsigned char *sysrq_digest;
+static char *sysrq_hexdigest;
+
+/*
+ * The data is of the form "<requests>,<seqno>,<salt>,<hash>" where <requests>
+ * is a series of sysrq requests; <seqno> is a sequence number that must be
+ * greater than the last sequence number; <salt> is some random bytes; and
+ * <hash> is the hash of everything up to and including the preceding ","
+ * together with the password.
+ *
+ * For example
+ *
+ * salt=$RANDOM
+ * req="s,$(date +%s),$salt"
+ * echo "$req,$(echo -n $req,secret | sha1sum | cut -c1-40)"
+ *
+ * You will want a better salt and password than that though :-)
+ */
+static unsigned int sysrq_tg(const void *pdata, uint16_t len)
+{
+ const char *data = pdata;
+ int i, n;
+ struct scatterlist sg[2];
+ struct hash_desc desc;
+ int ret;
+ long new_seqno = 0;
+
+ if (*sysrq_password == '\0') {
+ if (!sysrq_once)
+ printk(KERN_INFO KBUILD_MODNAME ": No password set\n");
+ sysrq_once = true;
+ return NF_DROP;
+ }
+ if (len == 0)
+ return NF_DROP;
+
+ for (i = 0; sysrq_password[i] != '\0' &&
+ sysrq_password[i] != '\n'; ++i)
+ /* loop */;
+ sysrq_password[i] = '\0';
+
+ i = 0;
+ for (n = 0; n < len - 1; ++n) {
+ if (i == 1 && '0' <= data[n] && data[n] <= '9')
+ new_seqno = 10L * new_seqno + data[n] - '0';
+ if (data[n] == ',' && ++i == 3)
+ break;
+ }
+ ++n;
+ if (i != 3) {
+ if (sysrq_debug)
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": badly formatted request\n");
+ return NF_DROP;
+ }
+ if (sysrq_seqno >= new_seqno) {
+ if (sysrq_debug)
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": old sequence number ignored\n");
+ return NF_DROP;
+ }
+
+ desc.tfm = sysrq_tfm;
+ desc.flags = 0;
+ ret = crypto_hash_init(&desc);
+ if (ret != 0)
+ goto hash_fail;
+ sg_init_table(sg, 2);
+ sg_set_buf(&sg[0], data, n);
+ strcpy(sysrq_digest_password, sysrq_password);
+ i = strlen(sysrq_digest_password);
+ sg_set_buf(&sg[1], sysrq_digest_password, i);
+ ret = crypto_hash_digest(&desc, sg, n + i, sysrq_digest);
+ if (ret != 0)
+ goto hash_fail;
+
+ for (i = 0; i < sysrq_digest_size; ++i) {
+ sysrq_hexdigest[2*i] =
+ "0123456789abcdef"[(sysrq_digest[i] >> 4) & 0xf];
+ sysrq_hexdigest[2*i+1] =
+ "0123456789abcdef"[sysrq_digest[i] & 0xf];
+ }
+ sysrq_hexdigest[2*sysrq_digest_size] = '\0';
+ if (len - n < sysrq_digest_size) {
+ if (sysrq_debug)
+ printk(KERN_INFO KBUILD_MODNAME ": Short digest,"
+ " expected %s\n", sysrq_hexdigest);
+ return NF_DROP;
+ }
+ if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size) != 0) {
+ if (sysrq_debug)
+ printk(KERN_INFO KBUILD_MODNAME ": Bad digest,"
+ " expected %s\n", sysrq_hexdigest);
+ return NF_DROP;
+ }
+
+ /* Now we trust the requester */
+ sysrq_seqno = new_seqno;
+ for (i = 0; i < len && data[i] != ','; ++i) {
+ printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
+ handle_sysrq(data[i], NULL);
+ }
+ return NF_ACCEPT;
+
+ hash_fail:
+ printk(KERN_WARNING KBUILD_MODNAME ": digest failure\n");
+ return NF_DROP;
+}
+#else
+static unsigned int sysrq_tg(const void *pdata, uint16_t len)
+{
+ const char *data = pdata;
+ char c;
+
+ if (*sysrq_password == '\0') {
+ if (!sysrq_once)
+ printk(KERN_INFO KBUILD_MODNAME "No password set\n");
+ sysrq_once = true;
+ return NF_DROP;
+ }
+
+ if (len == 0)
+ return NF_DROP;
+
+ c = *data;
+ if (strncmp(&data[1], sysrq_password, len - 1) != 0) {
+ printk(KERN_INFO KBUILD_MODNAME "Failed attempt - "
+ "password mismatch\n");
+ return NF_DROP;
+ }
+
+ handle_sysrq(c, NULL);
+ return NF_ACCEPT;
+}
+#endif
+
+static unsigned int
+sysrq_tg4(struct sk_buff *skb, const struct xt_target_param *par)
+{
+ const struct iphdr *iph;
+ const struct udphdr *udph;
+ uint16_t len;
+
+ if (skb_linearize(skb) < 0)
+ return NF_DROP;
+
+ iph = ip_hdr(skb);
+ if (iph->protocol != IPPROTO_UDP && iph->protocol != IPPROTO_UDPLITE)
+ return NF_DROP;
+
+ udph = (const void *)iph + ip_hdrlen(skb);
+ len = ntohs(udph->len) - sizeof(struct udphdr);
+
+ if (sysrq_debug)
+ printk(KERN_INFO KBUILD_MODNAME
+ ": " NIPQUAD_FMT ":%u -> :%u len=%u\n",
+ NIPQUAD(iph->saddr), htons(udph->source),
+ htons(udph->dest), len);
+ return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
+}
+
+#ifdef WITH_IPV6
+static unsigned int
+sysrq_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+{
+ const struct ipv6hdr *iph;
+ const struct udphdr *udph;
+ unsigned short frag_off;
+ unsigned int th_off;
+ uint16_t len;
+
+ if (skb_linearize(skb) < 0)
+ return NF_DROP;
+
+ iph = ipv6_hdr(skb);
+ if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
+ frag_off > 0)
+ return NF_ACCEPT; /* sink it */
+
+ udph = (const void *)iph + th_off;
+ len = ntohs(udph->len) - sizeof(struct udphdr);
+
+ if (sysrq_debug)
+ printk(KERN_INFO KBUILD_MODNAME
+ ": %pI6:%hu -> :%hu len=%u\n",
+ &iph->saddr, ntohs(udph->source),
+ ntohs(udph->dest), len);
+ return sysrq_tg(udph + sizeof(struct udphdr), len);
+}
+#endif
+
+static int sysrq_tg_check(const struct xt_tgchk_param *par)
+{
+ if (par->target->family == NFPROTO_IPV4) {
+ const struct ipt_entry *entry = par->entryinfo;
+
+ if ((entry->ip.proto != IPPROTO_UDP &&
+ entry->ip.proto != IPPROTO_UDPLITE) ||
+ entry->ip.invflags & XT_INV_PROTO)
+ goto out;
+ } else if (par->target->family == NFPROTO_IPV6) {
+ const struct ip6t_entry *entry = par->entryinfo;
+
+ if ((entry->ipv6.proto != IPPROTO_UDP &&
+ entry->ipv6.proto != IPPROTO_UDPLITE) ||
+ entry->ipv6.invflags & XT_INV_PROTO)
+ goto out;
+ }
+
+ return true;
+
+ out:
+ printk(KERN_ERR KBUILD_MODNAME ": only available for UDP and UDP-Lite");
+ return false;
+}
+
+static struct xt_target sysrq_tg_reg[] __read_mostly = {
+ {
+ .name = "SYSRQ",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .target = sysrq_tg4,
+ .checkentry = sysrq_tg_check,
+ .me = THIS_MODULE,
+ },
+#ifdef WITH_IPV6
+ {
+ .name = "SYSRQ",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .target = sysrq_tg6,
+ .checkentry = sysrq_tg_check,
+ .me = THIS_MODULE,
+ },
+#endif
+};
+
+static void sysrq_crypto_exit(void)
+{
+#ifdef WITH_CRYPTO
+ if (sysrq_tfm)
+ crypto_free_hash(sysrq_tfm);
+ if (sysrq_digest)
+ kfree(sysrq_digest);
+ if (sysrq_hexdigest)
+ kfree(sysrq_hexdigest);
+ if (sysrq_digest_password)
+ kfree(sysrq_digest_password);
+#endif
+}
+
+static int __init sysrq_crypto_init(void)
+{
+#if defined(WITH_CRYPTO)
+ struct timeval now;
+ int ret;
+
+ sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(sysrq_tfm)) {
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": Error: Could not find or load %s hash\n",
+ sysrq_hash);
+ sysrq_tfm = NULL;
+ ret = PTR_ERR(sysrq_tfm);
+ goto fail;
+ }
+ sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
+ sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
+ ret = -ENOMEM;
+ if (sysrq_digest == NULL) {
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": Cannot allocate digest\n");
+ goto fail;
+ }
+ sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
+ if (sysrq_hexdigest == NULL) {
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": Cannot allocate hexdigest\n");
+ goto fail;
+ }
+ sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
+ if (sysrq_digest_password == NULL) {
+ printk(KERN_WARNING KBUILD_MODNAME
+ ": Cannot allocate password digest space\n");
+ goto fail;
+ }
+ do_gettimeofday(&now);
+ sysrq_seqno = now.tv_sec;
+ ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+ if (ret < 0)
+ goto fail;
+ return ret;
+
+ fail:
+ sysrq_crypto_exit();
+ return ret;
+#else
+ printk(KERN_WARNING "xt_SYSRQ compiled without crypto\n");
+#endif
+ return -EINVAL;
+}
+
+static int __init sysrq_tg_init(void)
+{
+ if (sysrq_crypto_init() < 0)
+ printk(KERN_WARNING "xt_SYSRQ starting without crypto\n");
+ return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+}
+
+static void __exit sysrq_tg_exit(void)
+{
+ sysrq_crypto_exit();
+ xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+}
+
+module_init(sysrq_tg_init);
+module_exit(sysrq_tg_exit);
+MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_SYSRQ");
+MODULE_ALIAS("ip6t_SYSRQ");
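Review bot: the digest check only verifies half of the digest. sysrq_hexdigest holds 2*sysrq_digest_size hex characters (it is terminated at index 2*sysrq_digest_size), but both the length test `len - n < sysrq_digest_size` and `strncmp(data + n, sysrq_hexdigest, sysrq_digest_size)` use the raw digest size, so with sha1 a request is accepted on the first 20 of its 40 hex characters. Use 2 * sysrq_digest_size in both places, and compare in constant time since this runs on attacker-chosen input. Further points in the same file:
- plaintext path: `strncmp(&data[1], sysrq_password, len - 1)` compares only len-1 characters, so any proper prefix of the password is accepted. Require `len - 1 == strlen(sysrq_password)` and compare the full length; better, drop the plaintext path altogether.
- sysrq_tg6: `sysrq_tg(udph + sizeof(struct udphdr), len)` does pointer arithmetic on a `struct udphdr *`, so it skips sizeof(struct udphdr) headers rather than bytes. Use `(const void *)udph + sizeof(struct udphdr)` as sysrq_tg4 does.
- `len = ntohs(udph->len) - sizeof(struct udphdr)` is never checked against the bytes actually present in the skb, and for UDP-Lite the length field is the checksum coverage (it may be 0 or smaller than the header), so len underflows and sysrq_tg reads past the packet. Bound len by the data actually available after the UDP header before calling sysrq_tg.
- sysrq_tg_check returns true/false through an int prototype; with the convention from 2/9 it should return 0 and -EINVAL. The printk there also lacks a trailing "\n".
- sysrq_crypto_init: `sysrq_tfm = NULL;` comes before `ret = PTR_ERR(sysrq_tfm);`, so ret is 0 and a missing hash algorithm reports success; swap the two lines. The same function registers the targets on success, and sysrq_tg_init registers them again unconditionally, so with crypto available the targets are registered twice; register them in one place only.
- when sysrq_crypto_init fails, the module still loads with sysrq_tfm == NULL, and the WITH_CRYPTO sysrq_tg then calls crypto_hash_init with a NULL tfm on the first packet. Either fail module init or return NF_DROP while sysrq_tfm is NULL.
- `#if defined(CONFIG_CRYPTO) || defined(CRYPTO_CONFIG_MODULE)`: the second macro is misspelled (it should be CONFIG_CRYPTO_MODULE), so WITH_CRYPTO is never defined when crypto is built as a module.
- the sysrq_tg4 debug printk uses NIPQUAD and htons() on the ports; sysrq_tg6 already uses %pI6 and ntohs(), so use %pI4 and ntohs() for consistency.
- sysrq_tg writes to sysrq_password (truncating at '\n') from the packet path while the same buffer is writable through sysfs; do the truncation once, or under a lock.
- hash(data || password) is a secret-suffix MAC. With a keyed hash (an "hmac(sha1)" tfm and crypto_hash_setkey) the password is never fed to the hash as plain message data, and the hex encoding and comparison code stays the same.
- the IPv6 path answers non-UDP with NF_ACCEPT ("sink it") while the IPv4 path uses NF_DROP, and ipv6_find_hdr looks only for IPPROTO_UDP although checkentry admits UDP-Lite; pick one behaviour for both families.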
--
1.7.0.2
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
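Added example, not part of this patch or of the xt_SYSRQ module: a small userspace verifier in Python for the "<requests>,<seqno>,<salt>,<mac>" layout the SYSRQ message uses, written the way a receiver should check such a request. The MAC is an HMAC over everything up to and including the last comma, it is compared over its full length in constant time, the sequence number is accepted only if strictly greater than the last accepted one, and the verifier's state changes only after every check has passed. ALLOWED_KEYS, build_request and RequestVerifier are names chosen for this example, the password and the datagrams in the demo are constructed, and HMAC-SHA1 stands in for the patch's hash(data||password) construction.

```python
"""Reference verifier for SYSRQ-style datagrams "<keys>,<seqno>,<salt>,<mac>".

Example code written for this thread; it is not the kernel module's code.
"""
import hashlib
import hmac

# Example policy: which sysrq keys a remote request may carry. Constructed
# for this demo; the module on the page accepts any byte.
ALLOWED_KEYS = frozenset(b"sub")   # s=sync, u=remount read-only, b=reboot


def build_request(password: bytes, keys: bytes, seqno: int, salt: bytes,
                  algo: str = "sha1") -> bytes:
    """Produce "<keys>,<seqno>,<salt>,<mac>", with an HMAC keyed by the
    pre-shared password over everything up to and including the last comma."""
    authed = b"%s,%d,%s," % (keys, seqno, salt)
    mac = hmac.new(password, authed, algo).hexdigest().encode("ascii")
    return authed + mac


class RequestVerifier:
    """Stateful verifier: holds the password and the last accepted seqno."""

    def __init__(self, password: bytes, last_seqno: int, algo: str = "sha1"):
        self.password = password
        self.last_seqno = last_seqno
        self.algo = algo
        self.mac_len = hashlib.new(algo).digest_size * 2   # hex characters

    def verify(self, datagram: bytes):
        """Return (accepted, reason, keys). State changes only on accept."""
        parts = datagram.split(b",")
        if len(parts) != 4:
            return False, "malformed", b""
        keys, seqno_field, salt, mac = parts
        if not keys or not seqno_field.isdigit() or not salt:
            return False, "malformed", b""

        # 1. Authenticate first: the MAC covers keys, seqno and salt, so a
        #    forged seqno cannot be used to probe the replay window.
        authed = datagram[: len(datagram) - len(mac)]
        expected = hmac.new(self.password, authed,
                            self.algo).hexdigest().encode("ascii")
        # Full-length, constant-time comparison: a short or truncated MAC is
        # rejected outright instead of being compared as a prefix.
        if len(mac) != self.mac_len or not hmac.compare_digest(mac, expected):
            return False, "bad mac", b""

        # 2. Replay protection: the sequence number must strictly increase.
        seqno = int(seqno_field)
        if seqno <= self.last_seqno:
            return False, "replay", b""

        # 3. Policy on the requested keys.
        if not set(keys) <= ALLOWED_KEYS:
            return False, "key not allowed", b""

        self.last_seqno = seqno
        return True, "ok", keys


if __name__ == "__main__":
    pw = b"example-password"          # constructed for the demo
    v = RequestVerifier(pw, last_seqno=1000)
    good = build_request(pw, b"s", 1001, b"r4nd0m")
    samples = [
        ("genuine", good),
        ("replayed", good),
        ("truncated mac", build_request(pw, b"u", 1002, b"x")[:-20]),
        ("wrong password", build_request(b"other", b"u", 1002, b"x")),
        ("key not in policy", build_request(pw, b"c", 1002, b"x")),
        ("malformed", b"s,1002,x"),
    ]
    for label, dgram in samples:
        print(label, v.verify(dgram))
```

Running it prints one line per constructed datagram; the "truncated mac" case is the one a prefix comparison would wrongly accept, and "replayed" shows why the sequence number must only be stored after the MAC has been verified.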
* [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-17 13:18 nf-next: checks and three modules Jan Engelhardt
` (6 preceding siblings ...)
2010-03-17 13:19 ` [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ Jan Engelhardt
@ 2010-03-17 13:19 ` Jan Engelhardt
2010-03-17 13:35 ` Patrick McHardy
2010-03-17 13:19 ` [PATCH 9/9] netfilter: xtables: inclusion of xt_condition Jan Engelhardt
8 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
xt_TEE can be used to clone and reroute a packet. This can for
example be used to copy traffic at a router for logging purposes
to another dedicated machine.
References: http://www.gossamer-threads.com/lists/iptables/devel/68781
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_TEE.h | 8 +
net/netfilter/Kconfig | 7 +
net/netfilter/Makefile | 1 +
net/netfilter/xt_TEE.c | 304 ++++++++++++++++++++++++++++++++++++++
5 files changed, 321 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter/xt_TEE.h
create mode 100644 net/netfilter/xt_TEE.c
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index a5a63e4..48767cd 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -16,6 +16,7 @@ header-y += xt_RATEEST.h
header-y += xt_SECMARK.h
header-y += xt_TCPMSS.h
header-y += xt_TCPOPTSTRIP.h
+header-y += xt_TEE.h
header-y += xt_TPROXY.h
header-y += xt_comment.h
header-y += xt_connbytes.h
diff --git a/include/linux/netfilter/xt_TEE.h b/include/linux/netfilter/xt_TEE.h
new file mode 100644
index 0000000..83fa768
--- /dev/null
+++ b/include/linux/netfilter/xt_TEE.h
@@ -0,0 +1,8 @@
+#ifndef _XT_TEE_TARGET_H
+#define _XT_TEE_TARGET_H
+
+struct xt_tee_tginfo {
+ union nf_inet_addr gw;
+};
+
+#endif /* _XT_TEE_TARGET_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 3f2042b..bfd9b6f 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -514,6 +514,13 @@ config NETFILTER_XT_TARGET_SYSRQ
Besides plaintext packets, digest-secured SYSRQ requests will be
supported when CONFIG_CRYPTO is enabled.
+config NETFILTER_XT_TARGET_TEE
+ tristate '"TEE" - packet cloning to alternate destiantion'
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This option adds a "TEE" target with which a packet can be cloned and
+ this clone be rerouted to another nexthop.
+
config NETFILTER_XT_TARGET_TPROXY
tristate '"TPROXY" target support (EXPERIMENTAL)'
depends on EXPERIMENTAL
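Review bot: typo in the prompt string, "destiantion" should be "destination"; this is the text users see in menuconfig. The help could also say that the original packet continues through the ruleset unchanged and only the copy is routed to the gateway, which is the property that makes the target usable for mirroring traffic to a logging host.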
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 0bfd0af..f032195 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -60,6 +60,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_SYSRQ) += xt_SYSRQ.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TEE) += xt_TEE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
# matches
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
new file mode 100644
index 0000000..7b1cb42
--- /dev/null
+++ b/net/netfilter/xt_TEE.c
@@ -0,0 +1,304 @@
+/*
+ * "TEE" target extension for Xtables
+ * Copyright © Sebastian ClaÃen <sebastian.classen [at] freenet de>, 2007
+ * Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
+ *
+ * based on ipt_ROUTE.c from Cédric de Launois
+ * <delaunois [at] info ucl ac be>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 or later, as published by the Free Software Foundation.
+ */
+#include <linux/ip.h>
+#include <linux/module.h>
+#include <linux/route.h>
+#include <linux/skbuff.h>
+#include <net/checksum.h>
+#include <net/icmp.h>
+#include <net/ip.h>
+#include <net/ip6_route.h>
+#include <net/route.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TEE.h>
+
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+# define WITH_CONNTRACK 1
+# include <net/netfilter/nf_conntrack.h>
+static struct nf_conn tee_track;
+#endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+# define WITH_IPV6 1
+#endif
+
+static const union nf_inet_addr tee_zero_address;
+
+/*
+ * Try to route the packet according to the routing keys specified in
+ * route_info. Keys are :
+ * - ifindex :
+ * 0 if no oif preferred,
+ * otherwise set to the index of the desired oif
+ * - route_info->gateway :
+ * 0 if no gateway specified,
+ * otherwise set to the next host to which the pkt must be routed
+ * If success, skb->dev is the output device to which the packet must
+ * be sent and skb->dst is not NULL
+ *
+ * RETURN: false - if an error occured
+ * true - if the packet was succesfully routed to the
+ * destination desired
+ */
+static bool
+tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
+{
+ const struct iphdr *iph = ip_hdr(skb);
+ struct rtable *rt;
+ struct flowi fl;
+ int err;
+
+ memset(&fl, 0, sizeof(fl));
+ fl.iif = skb->skb_iif;
+ fl.mark = skb->mark;
+ fl.nl_u.ip4_u.daddr = info->gw.ip;
+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
+ fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
+
+ /* Trying to route the packet using the standard routing table. */
+ err = ip_route_output_key(&init_net, &rt, &fl);
+ if (err != 0)
+ return false;
+
+ dst_release(skb_dst(skb));
+ skb_dst_set(skb, &rt->u.dst);
+ skb->dev = rt->u.dst.dev;
+ skb->protocol = htons(ETH_P_IP);
+ return true;
+}
+
+/*
+ * Stolen from ip_finish_output2
+ * PRE : skb->dev is set to the device we are leaving by
+ * skb->dst is not NULL
+ * POST: the packet is sent with the link layer header pushed
+ * the packet is destroyed
+ */
+static void tee_tg_send(struct sk_buff *skb)
+{
+ const struct dst_entry *dst = skb_dst(skb);
+ const struct net_device *dev = dst->dev;
+ unsigned int hh_len = LL_RESERVED_SPACE(dev);
+
+ /* Be paranoid, rather than too clever. */
+ if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops != NULL)) {
+ struct sk_buff *skb2;
+
+ skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
+ if (skb2 == NULL) {
+ kfree_skb(skb);
+ return;
+ }
+ if (skb->sk != NULL)
+ skb_set_owner_w(skb2, skb->sk);
+ kfree_skb(skb);
+ skb = skb2;
+ }
+
+ if (dst->hh != NULL) {
+ neigh_hh_output(dst->hh, skb);
+ } else if (dst->neighbour != NULL) {
+ dst->neighbour->output(skb);
+ } else {
+ if (net_ratelimit())
+ pr_debug(KBUILD_MODNAME
+ "no hdr & no neighbour cache!\n");
+ kfree_skb(skb);
+ }
+}
+
+/*
+ * To detect and deter routed packet loopback when using the --tee option, we
+ * take a page out of the raw.patch book: on the copied skb, we set up a fake
+ * ->nfct entry, pointing to the local &route_tee_track. We skip routing
+ * packets when we see they already have that ->nfct.
+ */
+static unsigned int
+tee_tg4(struct sk_buff *skb, const struct xt_target_param *par)
+{
+ const struct xt_tee_tginfo *info = par->targinfo;
+
+#ifdef WITH_CONNTRACK
+ if (skb->nfct == &tee_track.ct_general) {
+ /*
+ * Loopback - a packet we already routed, is to be
+ * routed another time. Avoid that, now.
+ */
+ if (net_ratelimit())
+ pr_debug(KBUILD_MODNAME "loopback - DROP!\n");
+ return NF_DROP;
+ }
+#endif
+ if (!skb_make_writable(skb, sizeof(struct iphdr)))
+ return XT_CONTINUE;
+ /*
+ * If we are in INPUT, the checksum must be recalculated since
+ * the length could have changed as a result of defragmentation.
+ */
+ if (par->hooknum == NF_INET_LOCAL_IN) {
+ struct iphdr *iph = ip_hdr(skb);
+
+ iph->check = 0;
+ iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
+ }
+ /*
+ * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
+ * the original skb, which should continue on its way as if nothing has
+ * happened. The copy should be independently delivered to the TEE
+ * --gateway.
+ */
+ skb = skb_copy(skb, GFP_ATOMIC);
+ if (skb == NULL)
+ return XT_CONTINUE;
+
+#ifdef WITH_CONNTRACK
+ nf_conntrack_put(skb->nfct);
+ skb->nfct = &tee_track.ct_general;
+ skb->nfctinfo = IP_CT_NEW;
+ nf_conntrack_get(skb->nfct);
+#endif
+ /*
+ * Normally, we would just use ip_local_out. Because iph->check is
+ * already correct, we could take a shortcut and call dst_output
+ * [forwards to ip_output] directly. ip_output however will invoke
+ * Netfilter hooks and cause reentrancy. So we skip that too and go
+ * directly to ip_finish_output. Since we should not do XFRM, control
+ * passes to ip_finish_output2. That function is not exported, so it is
+ * copied here as tee_ip_direct_send.
+ *
+ * We do no XFRM on the cloned packet on purpose! The choice of
+ * iptables match options will control whether the raw packet or the
+ * transformed version is cloned.
+ *
+ * Also on purpose, no fragmentation is done, to preserve the
+ * packet as best as possible.
+ */
+ if (tee_tg_route4(skb, info))
+ tee_tg_send(skb);
+
+ return XT_CONTINUE;
+}
+
+#ifdef WITH_IPV6
+static bool
+tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
+{
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+ struct dst_entry *dst;
+ struct flowi fl;
+
+ memset(&fl, 0, sizeof(fl));
+ fl.iif = skb->skb_iif;
+ fl.mark = skb->mark;
+ fl.nl_u.ip6_u.daddr = info->gw.in6;
+ fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
+ (iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
+
+ dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
+ if (dst == NULL)
+ return false;
+
+ dst_release(skb_dst(skb));
+ skb_dst_set(skb, dst);
+ skb->dev = dst->dev;
+ skb->protocol = htons(ETH_P_IPV6);
+ return true;
+}
+
+static unsigned int
+tee_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+{
+ const struct xt_tee_tginfo *info = par->targinfo;
+
+#ifdef WITH_CONNTRACK
+ if (skb->nfct == &tee_track.ct_general)
+ return NF_DROP;
+#endif
+ if ((skb = skb_copy(skb, GFP_ATOMIC)) == NULL)
+ return XT_CONTINUE;
+
+#ifdef WITH_CONNTRACK
+ nf_conntrack_put(skb->nfct);
+ skb->nfct = &tee_track.ct_general;
+ skb->nfctinfo = IP_CT_NEW;
+ nf_conntrack_get(skb->nfct);
+#endif
+ if (tee_tg_route6(skb, info))
+ tee_tg_send(skb);
+
+ return XT_CONTINUE;
+}
+#endif /* WITH_IPV6 */
+
+static int tee_tg_check(const struct xt_tgchk_param *par)
+{
+ const struct xt_tee_tginfo *info = par->targinfo;
+
+ /* 0.0.0.0 and :: not allowed */
+ return memcmp(&info->gw, &tee_zero_address,
+ sizeof(tee_zero_address)) != 0;
+}
+
+static struct xt_target tee_tg_reg[] __read_mostly = {
+ {
+ .name = "TEE",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .target = tee_tg4,
+ .targetsize = sizeof(struct xt_tee_tginfo),
+ .checkentry = tee_tg_check,
+ .me = THIS_MODULE,
+ },
+#ifdef WITH_IPV6
+ {
+ .name = "TEE",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .target = tee_tg6,
+ .targetsize = sizeof(struct xt_tee_tginfo),
+ .checkentry = tee_tg_check,
+ .me = THIS_MODULE,
+ },
+#endif
+};
+
+static int __init tee_tg_init(void)
+{
+#ifdef WITH_CONNTRACK
+ /*
+ * Set up fake conntrack (stolen from raw.patch):
+ * - to never be deleted, not in any hashes
+ */
+ atomic_set(&tee_track.ct_general.use, 1);
+
+ /* - and look it like as a confirmed connection */
+ set_bit(IPS_CONFIRMED_BIT, &tee_track.status);
+
+ /* Initialize fake conntrack so that NAT will skip it */
+ tee_track.status |= IPS_NAT_DONE_MASK;
+#endif
+ return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
+}
+
+static void __exit tee_tg_exit(void)
+{
+ xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
+}
+
+module_init(tee_tg_init);
+module_exit(tee_tg_exit);
+MODULE_AUTHOR("Sebastian ClaÃen <sebastian.classen@freenet.ag>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_DESCRIPTION("Xtables: Reroute packet copy");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_TEE");
+MODULE_ALIAS("ip6t_TEE");
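Review bot: tee_tg_check returns `memcmp(...) != 0`, a bool truth value, through an `int` checkentry prototype. With the convention from 2/9 a valid gateway must yield 0 and a zero address an error code, so as written a valid --gateway reports 1 and 0.0.0.0 / :: reports 0; return 0 and -EINVAL respectively. Other points in this file:
- tee_tg_route6 tests `dst == NULL`, but ip6_route_output() reports failure through dst->error rather than by returning NULL; check `dst->error` (and release the dst on failure), otherwise the clone is handed to an unusable route.
- the loop guard rests entirely on WITH_CONNTRACK; without conntrack a clone that comes back through the same rule is cloned again each time. Either let the Kconfig entry depend on NF_CONNTRACK or state the limitation in the help text.
- tee_tg_route4 routes in init_net while tee_tg_route6 uses dev_net(skb->dev). Both should use the namespace of the hook devices (par->in / par->out), since skb->dev is not guaranteed to be set in LOCAL_OUT.
- the comment above tee_tg_route4 still describes route_info, ifindex and --tee from ipt_ROUTE, and the one above tee_tg4 refers to route_tee_track; xt_tee_tginfo carries only gw and the variable is tee_track, so update both.
- the memcmp against tee_zero_address covers the whole union; for the IPv4 target only gw.ip is meaningful, so check per family (gw.ip == 0 for IPv4, ipv6_addr_any(&gw.in6) for IPv6).
- the two pr_debug calls concatenate KBUILD_MODNAME directly with the message ("xt_TEEloopback - DROP!"); add ": " after the module name as the SYSRQ file does.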
--
1.7.0.2
* [PATCH 9/9] netfilter: xtables: inclusion of xt_condition
2010-03-17 13:18 nf-next: checks and three modules Jan Engelhardt
` (7 preceding siblings ...)
2010-03-17 13:19 ` [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE Jan Engelhardt
@ 2010-03-17 13:19 ` Jan Engelhardt
8 siblings, 0 replies; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:19 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
xt_condition can be used by userspace to influence decisions in rules
by means of togglable variables without having to reload the entire
ruleset.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_condition.h | 12 ++
net/netfilter/Kconfig | 8 +
net/netfilter/Makefile | 1 +
net/netfilter/xt_condition.c | 243 ++++++++++++++++++++++++++++++++
5 files changed, 265 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter/xt_condition.h
create mode 100644 net/netfilter/xt_condition.c
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 48767cd..6b67603 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -19,6 +19,7 @@ header-y += xt_TCPOPTSTRIP.h
header-y += xt_TEE.h
header-y += xt_TPROXY.h
header-y += xt_comment.h
+header-y += xt_condition.h
header-y += xt_connbytes.h
header-y += xt_connlimit.h
header-y += xt_connmark.h
diff --git a/include/linux/netfilter/xt_condition.h b/include/linux/netfilter/xt_condition.h
new file mode 100644
index 0000000..0fd1b75
--- /dev/null
+++ b/include/linux/netfilter/xt_condition.h
@@ -0,0 +1,12 @@
+#ifndef _XT_CONDITION_H
+#define _XT_CONDITION_H
+
+struct xt_condition_mtinfo {
+ char name[31];
+ __u8 invert;
+
+ /* Used internally by the kernel */
+ void *condvar __attribute__((aligned(8)));
+};
+
+#endif /* _XT_CONDITION_H */
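Review bot: condvar stores a raw kernel pointer in a structure that lives in the rule's matchinfo and is copied back to userspace whenever the ruleset is dumped, so the address of a kmalloc'd condition_variable becomes visible to every ruleset reader; the comment marks the field as kernel-internal, but nothing clears it on the way out. Either clear it in the copy-out path or resolve the variable without caching a pointer in user-visible memory. The header should also say that name must be NUL-terminated inside its 31 bytes, since condition_mt_check rejects rules where name[30] != '\0'.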
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index bfd9b6f..dd74e7d 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -624,6 +624,14 @@ config NETFILTER_XT_MATCH_COMMENT
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+config NETFILTER_XT_MATCH_CONDITION
+ tristate '"condition" match support'
+ depends on NETFILTER_ADVANCED
+ depends on PROC_FS
+ ---help---
+ This option allows you to match firewall rules against condition
+ variables stored in the /proc/net/nf_condition directory.
+
config NETFILTER_XT_MATCH_CONNBYTES
tristate '"connbytes" per-connection counter match support'
depends on NF_CONNTRACK
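Review bot: the help text stops after describing the proc directory and omits the "If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'." sentence that the neighbouring COMMENT entry ends with. It would also be worth stating here that the files are created with condition_list_perms (root-only read/write by default) and owned by condition_uid_perms/condition_gid_perms, because those permissions are what decide who may flip rules at runtime.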
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f032195..e75d5fa 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -66,6 +66,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
# matches
obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_CONDITION) += xt_condition.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
diff --git a/net/netfilter/xt_condition.c b/net/netfilter/xt_condition.c
new file mode 100644
index 0000000..f1ae67a
--- /dev/null
+++ b/net/netfilter/xt_condition.c
@@ -0,0 +1,243 @@
+/*
+ * "condition" match extension for Xtables
+ *
+ * Description: This module allows firewall rules to match using
+ * condition variables available through procfs.
+ *
+ * Authors:
+ * Stephane Ouellette <ouellettes [at] videotron ca>, 2002-10-22
+ * Massimiliano Hofer <max [at] nucleus it>, 2006-05-15
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License; either version 2
+ * or 3 of the License, as published by the Free Software Foundation.
+ */
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/module.h>
+#include <linux/proc_fs.h>
+#include <linux/spinlock.h>
+#include <linux/string.h>
+#include <linux/version.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_condition.h>
+#include <asm/uaccess.h>
+
+/* Defaults, these can be overridden on the module command-line. */
+static unsigned int condition_list_perms = S_IRUSR | S_IWUSR;
+static unsigned int condition_uid_perms;
+static unsigned int condition_gid_perms;
+
+MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
+MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_DESCRIPTION("Allows rules to match against condition variables");
+MODULE_LICENSE("GPL");
+module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
+MODULE_PARM_DESC(condition_list_perms, "permissions on /proc/net/nf_condition/* files");
+module_param(condition_uid_perms, uint, S_IRUSR | S_IWUSR);
+MODULE_PARM_DESC(condition_uid_perms, "user owner of /proc/net/nf_condition/* files");
+module_param(condition_gid_perms, uint, S_IRUSR | S_IWUSR);
+MODULE_PARM_DESC(condition_gid_perms, "group owner of /proc/net/nf_condition/* files");
+MODULE_ALIAS("ipt_condition");
+MODULE_ALIAS("ip6t_condition");
+
+struct condition_variable {
+ struct list_head list;
+ struct proc_dir_entry *status_proc;
+ unsigned int refcount;
+ bool enabled;
+};
+
+/* proc_lock is a user context only semaphore used for write access */
+/* to the conditions' list. */
+static struct mutex proc_lock;
+
+static LIST_HEAD(conditions_list);
+static struct proc_dir_entry *proc_net_condition;
+
+static int condition_proc_read(char __user *buffer, char **start, off_t offset,
+ int length, int *eof, void *data)
+{
+ const struct condition_variable *var = data;
+
+ buffer[0] = var->enabled ? '1' : '0';
+ buffer[1] = '\n';
+ if (length >= 2)
+ *eof = true;
+ return 2;
+}
+
+static int condition_proc_write(struct file *file, const char __user *buffer,
+ unsigned long length, void *data)
+{
+ struct condition_variable *var = data;
+ char newval;
+
+ if (length > 0) {
+ if (get_user(newval, buffer) != 0)
+ return -EFAULT;
+ /* Match only on the first character */
+ switch (newval) {
+ case '0':
+ var->enabled = false;
+ break;
+ case '1':
+ var->enabled = true;
+ break;
+ }
+ }
+ return length;
+}
+
+static bool
+condition_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+ const struct xt_condition_mtinfo *info = par->matchinfo;
+ const struct condition_variable *var = info->condvar;
+ bool x;
+
+ rcu_read_lock();
+ x = rcu_dereference(var->enabled);
+ rcu_read_unlock();
+
+ return x ^ info->invert;
+}
+
+static int condition_mt_check(const struct xt_mtchk_param *par)
+{
+ struct xt_condition_mtinfo *info = par->matchinfo;
+ struct condition_variable *var;
+
+ /* Forbid certain names */
+ if (*info->name == '\0' || *info->name == '.' ||
+ info->name[sizeof(info->name)-1] != '\0' ||
+ memchr(info->name, '/', sizeof(info->name)) != NULL) {
+ printk(KERN_INFO KBUILD_MODNAME ": name not allowed or too "
+ "long: \"%.*s\"\n", (unsigned int)sizeof(info->name),
+ info->name);
+ return false;
+ }
+ /*
+ * Let's acquire the lock, check for the condition and add it
+ * or increase the reference counter.
+ */
+ if (mutex_lock_interruptible(&proc_lock) != 0)
+ return -EINTR;
+
+ list_for_each_entry(var, &conditions_list, list) {
+ if (strcmp(info->name, var->status_proc->name) == 0) {
+ ++var->refcount;
+ mutex_unlock(&proc_lock);
+ info->condvar = var;
+ return true;
+ }
+ }
+
+ /* At this point, we need to allocate a new condition variable. */
+ var = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);
+ if (var == NULL) {
+ mutex_unlock(&proc_lock);
+ return -ENOMEM;
+ }
+
+ /* Create the condition variable's proc file entry. */
+ var->status_proc = create_proc_entry(info->name, condition_list_perms,
+ proc_net_condition);
+ if (var->status_proc == NULL) {
+ kfree(var);
+ mutex_unlock(&proc_lock);
+ return -ENOMEM;
+ }
+
+ var->refcount = 1;
+ var->enabled = false;
+ var->status_proc->data = var;
+ wmb();
+ var->status_proc->read_proc = condition_proc_read;
+ var->status_proc->write_proc = condition_proc_write;
+ list_add_rcu(&var->list, &conditions_list);
+ var->status_proc->uid = condition_uid_perms;
+ var->status_proc->gid = condition_gid_perms;
+ mutex_unlock(&proc_lock);
+ info->condvar = var;
+ return true;
+}
+
+static void condition_mt_destroy(const struct xt_mtdtor_param *par)
+{
+ const struct xt_condition_mtinfo *info = par->matchinfo;
+ struct condition_variable *var = info->condvar;
+
+ mutex_lock(&proc_lock);
+ if (--var->refcount == 0) {
+ list_del_rcu(&var->list);
+ remove_proc_entry(var->status_proc->name, proc_net_condition);
+ mutex_unlock(&proc_lock);
+ /*
+ * synchronize_rcu() would be good enough, but
+ * synchronize_net() guarantees that no packet
+ * will go out with the old rule after
+ * succesful removal.
+ */
+ synchronize_net();
+ kfree(var);
+ return;
+ }
+ mutex_unlock(&proc_lock);
+}
+
+static struct xt_match condition_mt_reg __read_mostly = {
+ .name = "condition",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .matchsize = sizeof(struct xt_condition_mtinfo),
+ .match = condition_mt,
+ .checkentry = condition_mt_check,
+ .destroy = condition_mt_destroy,
+ .me = THIS_MODULE,
+};
+
+static const char *const dir_name = "nf_condition";
+
+static int __net_init condnet_mt_init(struct net *net)
+{
+ int ret;
+
+ proc_net_condition = proc_mkdir(dir_name, net->proc_net);
+ if (proc_net_condition == NULL)
+ return -EACCES;
+
+ ret = xt_register_match(&condition_mt_reg);
+ if (ret < 0) {
+ remove_proc_entry(dir_name, net->proc_net);
+ return ret;
+ }
+
+ return 0;
+}
+
+static void __net_exit condnet_mt_exit(struct net *net)
+{
+ xt_unregister_match(&condition_mt_reg);
+ remove_proc_entry(dir_name, net->proc_net);
+}
+
+static struct pernet_operations condition_mt_netops = {
+ .init = condnet_mt_init,
+ .exit = condnet_mt_exit,
+};
+
+static int __init condition_mt_init(void)
+{
+ mutex_init(&proc_lock);
+ return register_pernet_subsys(&condition_mt_netops);
+}
+
+static void __exit condition_mt_exit(void)
+{
+ unregister_pernet_subsys(&condition_mt_netops);
+}
+
+module_init(condition_mt_init);
+module_exit(condition_mt_exit);
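Review bot: condnet_mt_init runs once per network namespace, yet it calls xt_register_match on the single global condition_mt_reg every time and overwrites the global proc_net_condition; the second namespace created on the system re-adds the same xt_match to the xtables list, and conditions belonging to the first namespace's rules then point at a directory that condnet_mt_exit removes when the second namespace goes away. Register the match once from condition_mt_init and make the proc directory and conditions_list per-net (or restrict the module to init_net). Two smaller points in the same hunk: condition_mt_check returns false for a rejected name while its other failure paths return -EINTR/-ENOMEM, so with the int-returning checkentry of patch 2/9 that case should be -EINVAL; and rcu_dereference(var->enabled) is applied to a bool, not a pointer, so either read it with a plain load (the list walk is the only RCU-protected structure, and it already uses list_add_rcu/list_del_rcu) or document what the surrounding rcu_read_lock is meant to protect. The char __user annotation on condition_proc_read's buffer is also wrong for a read_proc callback, as the direct buffer[0] stores show.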
--
1.7.0.2
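The toggling interface described in the commit message above, as an added example that is not code from the xt_condition patch or from any iptables tool: a small userspace helper that enforces the same name rules condition_mt_check applies before it builds a path under /proc/net/nf_condition, then writes the single character the kernel's write handler looks at. The function names, the 128-byte path buffer and the condition name no_web_access are this example's own assumptions.

```c
/*
 * Added example, not part of the xt_condition patch: a userspace helper that
 * mirrors the kernel's name validation, then reads or flips a condition via
 * /proc/net/nf_condition/<name>.  Names and buffer sizes are this example's.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CONDITION_DIR      "/proc/net/nf_condition"
#define CONDITION_NAME_MAX 30   /* name[31] in xt_condition_mtinfo, minus the NUL */

/* Same rejects as condition_mt_check: empty, leading '.' (which also covers
 * "." and ".."), any '/', or a name that would not fit in name[31] with its
 * terminator.  A name passing this check can only denote an entry directly
 * below CONDITION_DIR, never a path that escapes the directory. */
static bool condition_name_ok(const char *name)
{
    size_t n = strlen(name);

    if (n == 0 || n > CONDITION_NAME_MAX || name[0] == '.')
        return false;
    return memchr(name, '/', n) == NULL;
}

/* Writes CONDITION_DIR/<name> into buf; false if the name is rejected or
 * the buffer is too small. */
static bool condition_path(const char *name, char *buf, size_t len)
{
    int r;

    if (!condition_name_ok(name))
        return false;
    r = snprintf(buf, len, CONDITION_DIR "/%s", name);
    return r > 0 && (size_t)r < len;
}

/* Flip a condition.  The kernel's write handler only inspects the first
 * character, so exactly one byte is written.  Returns 0 or -errno; -ENOENT
 * means no loaded rule references the condition yet, because the proc entry
 * is created by checkentry and removed with the last rule using it. */
static int condition_set(const char *name, bool enabled)
{
    char path[128];
    char c = enabled ? '1' : '0';
    int fd, rc = 0;

    if (!condition_path(name, path, sizeof path))
        return -EINVAL;
    fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    if (write(fd, &c, 1) != 1)
        rc = errno ? -errno : -EIO;
    close(fd);
    return rc;
}

/* Read a condition back: the kernel answers "0\n" or "1\n".  Returns 1, 0
 * or -errno. */
static int condition_get(const char *name)
{
    char path[128], c;
    ssize_t n;
    int fd;

    if (!condition_path(name, path, sizeof path))
        return -EINVAL;
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    n = read(fd, &c, 1);
    close(fd);
    if (n != 1)
        return -EIO;
    return c == '1';
}

/* usage: condctl <name> [0|1] */
int main(int argc, char **argv)
{
    int rc;

    if (argc < 2 || argc > 3) {
        fprintf(stderr, "usage: %s <name> [0|1]\n", argv[0]);
        return 2;
    }
    rc = argc == 3 ? condition_set(argv[1], argv[2][0] == '1')
                   : condition_get(argv[1]);
    if (rc < 0) {
        fprintf(stderr, "%s: %s\n", argv[1], strerror(-rc));
        return 1;
    }
    if (argc == 2)
        printf("%s=%d\n", argv[1], rc);
    return 0;
}
```

The proc entry only exists while a rule referencing the condition is loaded, so an -ENOENT from condition_set before the rule is in place is expected rather than an error in the helper. With the default condition_list_perms the files are root-only, which is the actual access control on who can change rule behaviour at runtime; relaxing them via the module parameters hands that control to whichever uid/gid they name.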
* Re: [PATCH 3/9] netfilter: xtables: restrict TCPMSS to mangle table as intended
2010-03-17 13:18 ` [PATCH 3/9] netfilter: xtables: restrict TCPMSS to mangle table as intended Jan Engelhardt
@ 2010-03-17 13:30 ` Patrick McHardy
2010-03-17 13:34 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 13:30 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> References: http://bugs.debian.org/567050
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
So we removed those artificial restrictions in other modules
just to introduce them somewhere else?
Sorry, I'm not applying this.
* Re: [PATCH 5/9] netfilter: xtables: limit xt_mac to ethernet devices
2010-03-17 13:19 ` [PATCH 5/9] netfilter: xtables: limit xt_mac to ethernet devices Jan Engelhardt
@ 2010-03-17 13:31 ` Patrick McHardy
2010-03-17 13:37 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 13:31 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> I do not see a point of allowing the MAC module to work with devices
> that don't possibly have one, e.g. various tunnel interfaces such as
> tun and sit.
> @@ -29,6 +30,8 @@ static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
> const struct xt_mac_info *info = par->matchinfo;
> bool ret;
>
> + if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
> + return false;
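Review bot: returning false here happens before any inversion of the result is applied, so a rule written with a negated --mac-source also never matches traffic on a non-Ethernet device; the new check therefore changes inverted-match semantics for everything but ARPHRD_ETHER without the changelog saying so. If "no Ethernet header, no match either way" is the intended behaviour, state it in the commit message and the xt_mac man page; otherwise derive ret from the device type and let the inversion apply to it.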
What about the ~60 ARPHRD values that are not tunnels and sit?
* Re: [PATCH 3/9] netfilter: xtables: restrict TCPMSS to mangle table as intended
2010-03-17 13:30 ` Patrick McHardy
@ 2010-03-17 13:34 ` Jan Engelhardt
2010-03-17 13:36 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:34 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Wednesday 2010-03-17 14:30, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> References: http://bugs.debian.org/567050
>> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
>
>So we removed those artificial restrictions in other modules
>just to introduce them somewhere else?
Couldn't MSS be relevant to routing?
Just trying to figure out how the manpage came to mention it would need
to be limited.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-17 13:19 ` [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE Jan Engelhardt
@ 2010-03-17 13:35 ` Patrick McHardy
2010-03-17 13:43 ` Jan Engelhardt
2010-03-20 2:03 ` Jan Engelhardt
0 siblings, 2 replies; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 13:35 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> +static void tee_tg_send(struct sk_buff *skb)
> +{
> + const struct dst_entry *dst = skb_dst(skb);
> + const struct net_device *dev = dst->dev;
> + unsigned int hh_len = LL_RESERVED_SPACE(dev);
> +
> + /* Be paranoid, rather than too clever. */
> + if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops != NULL)) {
> + struct sk_buff *skb2;
> +
> + skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
> + if (skb2 == NULL) {
> + kfree_skb(skb);
> + return;
> + }
> + if (skb->sk != NULL)
> + skb_set_owner_w(skb2, skb->sk);
> + kfree_skb(skb);
> + skb = skb2;
> + }
> +
> + if (dst->hh != NULL) {
> + neigh_hh_output(dst->hh, skb);
> + } else if (dst->neighbour != NULL) {
> + dst->neighbour->output(skb);
> + } else {
> + if (net_ratelimit())
> + pr_debug(KBUILD_MODNAME
> + "no hdr & no neighbour cache!\n");
> + kfree_skb(skb);
> + }
> +}
Remind me again why we need this duplicated output function?
> +
> +/*
> + * To detect and deter routed packet loopback when using the --tee option, we
> + * take a page out of the raw.patch book: on the copied skb, we set up a fake
> + * ->nfct entry, pointing to the local &route_tee_track. We skip routing
> + * packets when we see they already have that ->nfct.
> + */
> +static unsigned int
> +tee_tg4(struct sk_buff *skb, const struct xt_target_param *par)
> +{
> + const struct xt_tee_tginfo *info = par->targinfo;
> +
> +#ifdef WITH_CONNTRACK
> + if (skb->nfct == &tee_track.ct_general) {
> + /*
> + * Loopback - a packet we already routed, is to be
> + * routed another time. Avoid that, now.
> + */
> + if (net_ratelimit())
> + pr_debug(KBUILD_MODNAME "loopback - DROP!\n");
> + return NF_DROP;
> + }
> +#endif
> + if (!skb_make_writable(skb, sizeof(struct iphdr)))
> + return XT_CONTINUE;
> + /*
> + * If we are in INPUT, the checksum must be recalculated since
> + * the length could have changed as a result of defragmentation.
> + */
> + if (par->hooknum == NF_INET_LOCAL_IN) {
> + struct iphdr *iph = ip_hdr(skb);
> +
> + iph->check = 0;
> + iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
> + }
I guess it might make sense to decrease the TTL by one to
avoid TEE loops between two hosts.
> + /*
> + * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
> + * the original skb, which should continue on its way as if nothing has
> + * happened. The copy should be independently delivered to the TEE
> + * --gateway.
> + */
> + skb = skb_copy(skb, GFP_ATOMIC);
> + if (skb == NULL)
> + return XT_CONTINUE;
> +
> +#ifdef WITH_CONNTRACK
> + nf_conntrack_put(skb->nfct);
> + skb->nfct = &tee_track.ct_general;
> + skb->nfctinfo = IP_CT_NEW;
> + nf_conntrack_get(skb->nfct);
> +#endif
> + /*
> + * Normally, we would just use ip_local_out. Because iph->check is
> + * already correct, we could take a shortcut and call dst_output
> + * [forwards to ip_output] directly. ip_output however will invoke
> + * Netfilter hooks and cause reentrancy. So we skip that too and go
> + * directly to ip_finish_output. Since we should not do XFRM, control
> + * passes to ip_finish_output2. That function is not exported, so it is
> + * copied here as tee_ip_direct_send.
> + *
> + * We do no XFRM on the cloned packet on purpose! The choice of
> + * iptables match options will control whether the raw packet or the
> + * transformed version is cloned.
> + *
> + * Also on purpose, no fragmentation is done, to preserve the
> + * packet as best as possible.
> + */
> + if (tee_tg_route4(skb, info))
> + tee_tg_send(skb);
> +
> + return XT_CONTINUE;
> +}
> +
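Review bot: the TTL decrement suggested above has to go on the clone, not into the skb_make_writable/ip_fast_csum block, because that block runs before skb_copy and anything changed there alters the original packet that continues with XT_CONTINUE. On the copy, refuse to send when the TTL is already 1 (tee_tg_send bypasses the forward path, so nothing downstream will drop a TTL of 0), then decrement and recompute iph->check. The two pr_debug calls also concatenate KBUILD_MODNAME directly with the message, producing "xt_TEEloopback - DROP!" and "xt_TEEno hdr & no neighbour cache!"; add a ": " separator or define pr_fmt.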
* Re: [PATCH 3/9] netfilter: xtables: restrict TCPMSS to mangle table as intended
2010-03-17 13:34 ` Jan Engelhardt
@ 2010-03-17 13:36 ` Patrick McHardy
0 siblings, 0 replies; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 13:36 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Wednesday 2010-03-17 14:30, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> References: http://bugs.debian.org/567050
>>> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
>> So we removed those artificial restrictions in other modules
>> just to introduce them somewhere else?
>
> Couldn't MSS be relevant to routing?
> Just trying to figure out how the manpage came to mention it would need
> to be limited.
Because it mangles the packet. But I don't see any point in restricting
those modules to the mangle table, the only thing that is really special
about it is rerouting.
* Re: [PATCH 5/9] netfilter: xtables: limit xt_mac to ethernet devices
2010-03-17 13:31 ` Patrick McHardy
@ 2010-03-17 13:37 ` Jan Engelhardt
2010-03-17 13:40 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:37 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Wednesday 2010-03-17 14:31, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> I do not see a point of allowing the MAC module to work with devices
>> that don't possibly have one, e.g. various tunnel interfaces such as
>> tun and sit.
>
>> @@ -29,6 +30,8 @@ static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
>> const struct xt_mac_info *info = par->matchinfo;
>> bool ret;
>>
>> + if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
>> + return false;
>
>What about the ~60 ARPHRD values that are not tunnels and sit?
xt_mac uses eth_hdr(skb), so it makes sense to limit it to ethernet, as
we cannot be sure of the exact frame formats of other link layers.
Do you have an alternate proposal?
* Re: [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values
2010-03-17 13:18 ` [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values Jan Engelhardt
@ 2010-03-17 13:39 ` Patrick McHardy
2010-03-17 14:05 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 13:39 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> When extended status codes are available, such as ENOMEM on failed
> allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
> them up to userspace seems like a good idea compared to just always
> EINVAL.
> diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
> index 5d11767..7b6f4c4 100644
> --- a/net/bridge/netfilter/ebt_802_3.c
> +++ b/net/bridge/netfilter/ebt_802_3.c
> @@ -36,7 +36,7 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
> return true;
> }
>
> -static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par)
> +static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
> {
> const struct ebt_802_3_info *info = par->matchinfo;
Sigh, so we're basically going back to the old signatures. I guess
this makes sense, however iptables has special interpretations of
errno values. How will this interact?
* Re: [PATCH 5/9] netfilter: xtables: limit xt_mac to ethernet devices
2010-03-17 13:37 ` Jan Engelhardt
@ 2010-03-17 13:40 ` Patrick McHardy
0 siblings, 0 replies; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 13:40 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Wednesday 2010-03-17 14:31, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> I do not see a point of allowing the MAC module to work with devices
>>> that don't possibly have one, e.g. various tunnel interfaces such as
>>> tun and sit.
>>> @@ -29,6 +30,8 @@ static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
>>> const struct xt_mac_info *info = par->matchinfo;
>>> bool ret;
>>>
>>> + if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
>>> + return false;
>> What about the ~60 ARPHRD values that are not tunnels and sit?
>
> xt_mac uses eth_hdr(skb), so it makes sense to limit it to ethernet, as
> we cannot be sure of the exact frame formats of other link layers.
> Do you have an alternate proposal?
OK, sounds fine.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-17 13:35 ` Patrick McHardy
@ 2010-03-17 13:43 ` Jan Engelhardt
2010-03-17 13:55 ` Patrick McHardy
2010-03-20 2:03 ` Jan Engelhardt
1 sibling, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 13:43 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Wednesday 2010-03-17 14:35, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> +static void tee_tg_send(struct sk_buff *skb)
>> +{
>> + const struct dst_entry *dst = skb_dst(skb);
>> + const struct net_device *dev = dst->dev;
>> + unsigned int hh_len = LL_RESERVED_SPACE(dev);
>> +
>> + /* Be paranoid, rather than too clever. */
>> + if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops != NULL)) {
>> + struct sk_buff *skb2;
>> +
>> + skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
>> + if (skb2 == NULL) {
>> + kfree_skb(skb);
>> + return;
>> + }
>> + if (skb->sk != NULL)
>> + skb_set_owner_w(skb2, skb->sk);
>> + kfree_skb(skb);
>> + skb = skb2;
>> + }
>> +
>> + if (dst->hh != NULL) {
>> + neigh_hh_output(dst->hh, skb);
>> + } else if (dst->neighbour != NULL) {
>> + dst->neighbour->output(skb);
>> + } else {
>> + if (net_ratelimit())
>> + pr_debug(KBUILD_MODNAME
>> + "no hdr & no neighbour cache!\n");
>> + kfree_skb(skb);
>> + }
>> +}
>
>Remind me again why we need this duplicated output function?
You did not yet approve of the reentrancy patch :-)
There is a comment block further below (at: "Normally, we would just use
ip_local_out.", quoted below) that explains the exact reasons.
>> + if (par->hooknum == NF_INET_LOCAL_IN) {
>> + struct iphdr *iph = ip_hdr(skb);
>> +
>> + iph->check = 0;
>> + iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
>> + }
>
>I guess it might make sense to decrease the TTL by one to
>avoid TEE loops between two hosts.
Sounds like a good idea. If the TTL of an incoming packet is already 1,
the administrator could use careful TTL boosting aka. -j HL/TTL --hl-inc 1.
Just one thing: as packets are manually sent out by xt_TEE currently,
is there any routing/output code left that still checks for ->ttl == 0
when it was decreased just before the hooknum check?
>> + /*
>> + * Normally, we would just use ip_local_out. Because iph->check is
>> + * already correct, we could take a shortcut and call dst_output
>> + * [forwards to ip_output] directly. ip_output however will invoke
>> + * Netfilter hooks and cause reentrancy. So we skip that too and go
>> + * directly to ip_finish_output. Since we should not do XFRM, control
>> + * passes to ip_finish_output2. That function is not exported, so it is
>> + * copied here as tee_ip_direct_send.
>> + *
>> + * We do no XFRM on the cloned packet on purpose! The choice of
>> + * iptables match options will control whether the raw packet or the
>> + * transformed version is cloned.
>> + *
>> + * Also on purpose, no fragmentation is done, to preserve the
>> + * packet as best as possible.
>> + */
>> + if (tee_tg_route4(skb, info))
>> + tee_tg_send(skb);
>> +
>> + return XT_CONTINUE;
>> +}
>> +
>
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-17 13:43 ` Jan Engelhardt
@ 2010-03-17 13:55 ` Patrick McHardy
2010-03-23 1:55 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 13:55 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Wednesday 2010-03-17 14:35, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> +static void tee_tg_send(struct sk_buff *skb)
>>> +{
>>> + const struct dst_entry *dst = skb_dst(skb);
>>> + const struct net_device *dev = dst->dev;
>>> + unsigned int hh_len = LL_RESERVED_SPACE(dev);
>>> +
>>> + /* Be paranoid, rather than too clever. */
>>> + if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops != NULL)) {
>>> + struct sk_buff *skb2;
>>> +
>>> + skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
>>> + if (skb2 == NULL) {
>>> + kfree_skb(skb);
>>> + return;
>>> + }
>>> + if (skb->sk != NULL)
>>> + skb_set_owner_w(skb2, skb->sk);
>>> + kfree_skb(skb);
>>> + skb = skb2;
>>> + }
>>> +
>>> + if (dst->hh != NULL) {
>>> + neigh_hh_output(dst->hh, skb);
>>> + } else if (dst->neighbour != NULL) {
>>> + dst->neighbour->output(skb);
>>> + } else {
>>> + if (net_ratelimit())
>>> + pr_debug(KBUILD_MODNAME
>>> + "no hdr & no neighbour cache!\n");
>>> + kfree_skb(skb);
>>> + }
>>> +}
>> Remind me again why we need this duplicated output function?
>
> You did not yet approve of the reentrancy patch :-)
>
> There is a comment block further below (at: "Normally, we would just use
> ip_local_out.", quoted below) that explains the exact reasons.
>>>> + /*
>>>> + * Normally, we would just use ip_local_out. Because iph->check is
>>>> + * already correct, we could take a shortcut and call dst_output
>>>> + * [forwards to ip_output] directly. ip_output however will invoke
>>>> + * Netfilter hooks and cause reentrancy. So we skip that too and go
>>>> + * directly to ip_finish_output. Since we should not do XFRM, control
>>>> + * passes to ip_finish_output2. That function is not exported, so it is
>>>> + * copied here as tee_ip_direct_send.
>>>> + *
>>>> + * We do no XFRM on the cloned packet on purpose! The choice of
>>>> + * iptables match options will control whether the raw packet or the
>>>> + * transformed version is cloned.
>>>> + *
>>>> + * Also on purpose, no fragmentation is done, to preserve the
>>>> + * packet as best as possible.
>>>> + */
You can use dst_output() and set IPSKB_REROUTED to skip the hook
invocation. This will potentially perform fragmentation however.
>
>>> + if (par->hooknum == NF_INET_LOCAL_IN) {
>>> + struct iphdr *iph = ip_hdr(skb);
>>> +
>>> + iph->check = 0;
>>> + iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
>>> + }
>> I guess it might make sense to decrease the TTL by one to
>> avoid TEE loops between two hosts.
>
> Sounds like a good idea. If the TTL of an incoming packet is already 1,
> the administrator could use careful TTL boosting aka. -j HL/TTL --hl-inc 1.
>
> Just one thing: as packets are manually sent out by xt_TEE currently,
> is there any routing/output code left that still checks for ->ttl == 0
> when it was decreased just before the hooknum check?
No, that's only done in the forward path.
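The TTL handling discussed in this exchange (decrement the clone's TTL to break TEE loops, and the fact that nothing after tee_tg_send will catch a TTL of 0), as an added example that is not code from the xt_TEE patch or the kernel: a userspace C routine over a constructed IPv4 header that refuses a clone whose TTL is already 1, decrements otherwise, and keeps ip->check correct with the RFC 1624 incremental update; a full recompute is included for the LOCAL_IN case where the patch has to rebuild the checksum after defragmentation. The ip4_* names, the sample header and the drop-at-TTL-1 policy are this example's own choices.

```c
/*
 * Added example, not code from the xt_TEE patch or the kernel: TTL decrement
 * for a cloned packet that will be sent directly to a neighbour, with the
 * header checksum kept valid.  Userspace C over a constructed header.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4_HDR_MIN 20

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Folded one's-complement sum over the header; the same arithmetic as
 * ip_fast_csum.  Yields 0 when bytes 10..11 hold a correct checksum. */
static uint16_t ip4_csum(const uint8_t *hdr, size_t ihl)
{
    uint32_t sum = 0;

    for (size_t i = 0; i < ihl; i += 2)
        sum += be16(hdr + i);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validates version and IHL; returns the header length or 0 if malformed. */
static size_t ip4_hdr_len(const uint8_t *hdr, size_t len)
{
    size_t ihl;

    if (len < IP4_HDR_MIN || (hdr[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(hdr[0] & 0x0f) * 4;
    return (ihl < IP4_HDR_MIN || ihl > len) ? 0 : ihl;
}

static bool ip4_csum_ok(const uint8_t *hdr, size_t len)
{
    size_t ihl = ip4_hdr_len(hdr, len);

    return ihl != 0 && ip4_csum(hdr, ihl) == 0;
}

/* Full recompute: what the patch does in LOCAL_IN, where defragmentation may
 * have changed tot_len and left the checksum stale. */
static bool ip4_fix_csum(uint8_t *hdr, size_t len)
{
    size_t ihl = ip4_hdr_len(hdr, len);

    if (ihl == 0)
        return false;
    put_be16(hdr + 10, 0);
    put_be16(hdr + 10, ip4_csum(hdr, ihl));
    return true;
}

/* Decrement the TTL of a clone that bypasses the forward path.  Since no
 * later code will reject a TTL of 0, a packet arriving with TTL <= 1 is
 * refused here (false: caller drops the clone; the original is untouched).
 * The checksum is patched per RFC 1624: HC' = ~(~HC + ~m + m'), where m is
 * the 16-bit word holding ttl:protocol.  Assumes the checksum was correct
 * on entry; call ip4_fix_csum first if it may be stale. */
static bool ip4_ttl_dec(uint8_t *hdr, size_t len)
{
    size_t ihl = ip4_hdr_len(hdr, len);
    uint16_t old_word, new_word, hc;
    uint32_t sum;

    if (ihl == 0 || hdr[8] <= 1)
        return false;
    old_word = be16(hdr + 8);
    hdr[8]--;
    new_word = be16(hdr + 8);
    hc = be16(hdr + 10);
    sum = (uint32_t)(uint16_t)~hc + (uint16_t)~old_word + new_word;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    put_be16(hdr + 10, (uint16_t)~sum);
    return true;
}

/* Constructed sample: 20-byte header, TTL 64, UDP, 192.168.0.1 -> 192.168.0.199,
 * checksum 0xb861 already correct. */
static const uint8_t sample_hdr[IP4_HDR_MIN] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x11, 0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01,
    0xc0, 0xa8, 0x00, 0xc7,
};

int main(void)
{
    uint8_t clone[IP4_HDR_MIN];

    memcpy(clone, sample_hdr, sizeof clone);
    printf("before: ttl=%u check=0x%04x ok=%d\n", (unsigned)clone[8],
           be16(clone + 10), ip4_csum_ok(clone, sizeof clone));
    if (ip4_ttl_dec(clone, sizeof clone))
        printf("after:  ttl=%u check=0x%04x ok=%d\n", (unsigned)clone[8],
               be16(clone + 10), ip4_csum_ok(clone, sizeof clone));
    return 0;
}
```

The incremental update is what a kernel-side decrement would use (it is the same arithmetic as ip_decrease_ttl in the forward path); the full recompute is only needed where the patch already recomputes, i.e. after defragmentation in LOCAL_IN. Refusing at TTL 1 instead of emitting a TTL-0 clone is the piece that keeps two TEE hosts from bouncing a packet forever.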
* Re: [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ
2010-03-17 13:19 ` [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ Jan Engelhardt
@ 2010-03-17 13:56 ` Patrick McHardy
2010-03-17 14:11 ` John Haxby
2010-03-17 14:21 ` Jan Engelhardt
0 siblings, 2 replies; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 13:56 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> The SYSRQ target will allow to remotely invoke sysrq on the local
> machine. Authentication is by means of a pre-shared key that can
> either be transmitted plaintext or digest-secured.
Let's deal with the other modules first while I make up my mind.
* Re: [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values
2010-03-17 13:39 ` Patrick McHardy
@ 2010-03-17 14:05 ` Jan Engelhardt
2010-03-17 14:16 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 14:05 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Wednesday 2010-03-17 14:39, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> When extended status codes are available, such as ENOMEM on failed
>> allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
>> them up to userspace seems like a good idea compared to just always
>> EINVAL.
>
>> diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
>> index 5d11767..7b6f4c4 100644
>> --- a/net/bridge/netfilter/ebt_802_3.c
>> +++ b/net/bridge/netfilter/ebt_802_3.c
>> @@ -36,7 +36,7 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
>> return true;
>> }
>>
>> -static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par)
>> +static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
>> {
>> const struct ebt_802_3_info *info = par->matchinfo;
>
>Sigh, so we're basically going back to the old signatures.
To err is human :-)
>I guess this makes sense, however iptables has special interpretations
>of errno values. How will this interact?
Since we are "just going back", the effect should be none - dig out
an old iptables and kernel and you get the same environment.
Well, libiptc prints a few specialized error messages for certain
codes (cf libiptc.c, TC_STRERROR), else uses plain libc strerror.
Besides handling EAGAIN, there seems to be no special errno handling.
* Re: [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ
2010-03-17 13:56 ` Patrick McHardy
@ 2010-03-17 14:11 ` John Haxby
2010-03-17 14:43 ` Patrick McHardy
2010-03-17 14:21 ` Jan Engelhardt
1 sibling, 1 reply; 46+ messages in thread
From: John Haxby @ 2010-03-17 14:11 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Jan Engelhardt, netfilter-devel
On 17/03/10 13:56, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>
>> The SYSRQ target will allow to remotely invoke sysrq on the local
>> machine. Authentication is by means of a pre-shared key that can
>> either be transmitted plaintext or digest-secured.
>>
> Let's deal with the other modules first while I make up my mind.
>
I'm happy to defend the security aspects of this module, if that's
what's concerning you.
I do know that there are quite a few people here who want to be able to
do remote sysrq -- they used to have a "crash trolley" consisting of a
PS/2 keyboard and a monitor. Unfortunately most of their new machines
only have USB and you can't hotplug a USB keyboard in many of the
circumstances for which you want to (for example) trigger a crash.
I guess that also means I'm happy to produce valid use-cases.
jch
* Re: [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values
2010-03-17 14:05 ` Jan Engelhardt
@ 2010-03-17 14:16 ` Patrick McHardy
2010-03-17 14:27 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 14:16 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Wednesday 2010-03-17 14:39, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> When extended status codes are available, such as ENOMEM on failed
>>> allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
>>> them up to userspace seems like a good idea compared to just always
>>> EINVAL.
>>> diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
>>> index 5d11767..7b6f4c4 100644
>>> --- a/net/bridge/netfilter/ebt_802_3.c
>>> +++ b/net/bridge/netfilter/ebt_802_3.c
>>> @@ -36,7 +36,7 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
>>> return true;
>>> }
>>>
>>> -static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par)
>>> +static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
>>> {
>>> const struct ebt_802_3_info *info = par->matchinfo;
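Review bot: the return type of ebt_802_3_mt_check changes from bool to int, but the hunk shows no change to the function's return statements; the `return true` / `return false` in the body have to become `return 0` and a negative errno (`return -EINVAL`) in the same patch, following the kernel's 0 / negative-errno convention, so that callers can test `ret < 0` without a leftover `true` (1) being read as an error code.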
>> Sigh, so we're basically going back to the old signatures.
>
> To err is human :-)
>
>> I guess this makes sense, however iptables has special interpretations
>> of errno values. How will this interact?
>
> Since we are "just going back", the effect should be none - dig out
> an old iptables and kernel and you get the same environment.
No, we're now returning additional errno values from modules.
> Well, libiptc prints a few specialized error messages for certain
> codes (cf libiptc.c, TC_STRERROR), else uses plain libc strerror.
That's what I was talking about. Unfortunately quite a few
of the reasonable combinations have special meaning, f.i.
TC_INIT/ENOENT, TC_INIT/EINVAL, ...
* Re: [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ
2010-03-17 13:56 ` Patrick McHardy
2010-03-17 14:11 ` John Haxby
@ 2010-03-17 14:21 ` Jan Engelhardt
2010-03-17 14:24 ` Patrick McHardy
1 sibling, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 14:21 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Wednesday 2010-03-17 14:56, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> The SYSRQ target will allow to remotely invoke sysrq on the local
>> machine. Authentication is by means of a pre-shared key that can
>> either be transmitted plaintext or digest-secured.
>
>Let's deal with the other modules first while I make up my mind.
John Haxby wanted to see xt_SYSRQ mainlined[1]
[1] http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.devel/32706
xt_condition's submission was triggered by reappearing souls on IRC (you
might want to visit that sometimes ;-)
16.03.2010/20:27 < mancha> "no web access" is a nice toggle to have as
are others
I personally use it too; somehow I find (when leaving the house)
echo 1 >/proc/net/nf_condition/allow_from_university
more integrated than having to keep two iptables-restore rulesets in
sync.
xt_TEE is something network people really seem to love[2,3] for logging.
[2] http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/
[3] http://www-rocq.inria.fr/imara/dw/users/oliviermehani/2008phd/rtmapsplatform
* Re: [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ
2010-03-17 14:21 ` Jan Engelhardt
@ 2010-03-17 14:24 ` Patrick McHardy
0 siblings, 0 replies; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 14:24 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Wednesday 2010-03-17 14:56, Patrick McHardy wrote:
>
>> Jan Engelhardt wrote:
>>> The SYSRQ target will allow to remotely invoke sysrq on the local
>>> machine. Authentication is by means of a pre-shared key that can
>>> either be transmitted plaintext or digest-secured.
>> Let's deal with the other modules first while I make up my mind.
>
> John Haxby wanted to see xt_SYSRQ mainlined[1]
> [1] http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.devel/32706
>
>
> xt_condition's submission was triggered by reappearing souls on IRC (you
> might want to visit that sometimes ;-)
> 16.03.2010/20:27 < mancha> "no web access" is a nice toggle to have as
> are others
> I personally use it too; somehow I find (when leaving the house)
> echo 1 >/proc/net/nf_condition/allow_from_university
> more integrated than having to keep two iptables-restore rulesets in
> sync.
Yes, I know it's used by quite a few people, so it makes sense to
merge it.
> xt_TEE is something network people really seem to love[2,3] for logging.
> [2] http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/
> [3] http://www-rocq.inria.fr/imara/dw/users/oliviermehani/2008phd/rtmapsplatform
Also agreed on TEE, we just need to get rid of the duplicated output
function. It shouldn't be *that* hard, worst case we need to add
some further restrictions on the possible hooks.
* Re: [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values
2010-03-17 14:16 ` Patrick McHardy
@ 2010-03-17 14:27 ` Jan Engelhardt
2010-03-17 14:36 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 14:27 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Wednesday 2010-03-17 15:16, Patrick McHardy wrote:
>>> I guess this makes sense, however iptables has special interpretations
>>> of errno values. How will this interact?
>>
>> Since we are "just going back", the effect should be none - dig out
>> an old iptables and kernel and you get the same environment.
>
>No, we're now returning additional errno values from modules.
>
>> Well, libiptc prints a few specialized error messages for certain
>> codes (cf libiptc.c, TC_STRERROR), else uses plain libc strerror.
>
>That's what I was talking about. Unfortunately quite a few
>of the reasonable combinations have special meaning, f.i.
>TC_INIT/ENOENT, TC_INIT/EINVAL, ...
We need only be concerned about TC_COMMIT (which calls setsockopt
with SO_SET_REPLACE, which leads to checkentry).
TC_COMMIT returns 0 or 1, with errno set from what setsockopt
left - this will be the error code, as it is also just propagated
inside the kernel, if I read it right.
So flow control ends up at iptables-standalone.c at the end
and the errno code is just used for printing/choosing an error code.
If I missed something, please enlighten me.
* Re: [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values
2010-03-17 14:27 ` Jan Engelhardt
@ 2010-03-17 14:36 ` Patrick McHardy
2010-03-17 14:40 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 14:36 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Wednesday 2010-03-17 15:16, Patrick McHardy wrote:
>>>> I guess this makes sense, however iptables has special interpretations
>>>> of errno values. How will this interact?
>>> Since we are "just going back", the effect should be none - dig out
>>> an old iptables and kernel and you get the same environment.
>> No, we're now returning additional errno values from modules.
>>
>>> Well, libiptc prints a few specialized error messages for certain
>>> codes (cf libiptc.c, TC_STRERROR), else uses plain libc strerror.
>> That's what I was talking about. Unfortunately quite a few
>> of the reasonable combinations have special meaning, f.i.
>> TC_INIT/ENOENT, TC_INIT/EINVAL, ...
>
> We need only be concerned about TC_COMMIT (which calls setsockopt
> with SO_SET_REPLACE, which leads to checkentry).
>
> TC_COMMIT returns 0 or 1, with errno set from what setsockopt
> left - this will be the error code, as it is also just propagated
> inside the kernel, if I read it right.
>
> So flow control ends up at iptables-standalone.c at the end
> and the errno code is just used for printing/choosing an error code.
>
> If I missed something, please enlighten me.
OK that seems mostly fine. Basically it's just the NULL/ENOENT
interpretation that might be confusing.
* Re: [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values
2010-03-17 14:36 ` Patrick McHardy
@ 2010-03-17 14:40 ` Patrick McHardy
2010-03-17 21:54 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 14:40 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> On Wednesday 2010-03-17 15:16, Patrick McHardy wrote:
>>>>> I guess this makes sense, however iptables has special interpretations
>>>>> of errno values. How will this interact?
>>>> Since we are "just going back", the effect should be none - dig out
>>>> an old iptables and kernel and you get the same environment.
>>> No, we're now returning additional errno values from modules.
>>>
>>>> Well, libiptc prints a few specialized error messages for certain
>>>> codes (cf libiptc.c, TC_STRERROR), else uses plain libc strerror.
>>> That's what I was talking about. Unfortunately quite a few
>>> of the reasonable combinations have special meaning, f.i.
>>> TC_INIT/ENOENT, TC_INIT/EINVAL, ...
>> We need only be concerned about TC_COMMIT (which calls setsockopt
>> with SO_SET_REPLACE, which leads to checkentry).
>>
>> TC_COMMIT returns 0 or 1, with errno set from what setsockopt
>> left - this will be the error code, as it is also just propagated
>> inside the kernel, if I read it right.
>>
>> So flow control ends up at iptables-standalone.c at the end
>> and the errno code is just used for printing/choosing an error code.
>>
>> If I missed something, please enlighten me.
>
> OK that seems mostly fine. Basically it's just the NULL/ENOENT
> interpretation that might be confusing.
One more thing though - I really don't like the strange mix of booleans
and errno codes. If you want to change this, please switch to the
standard convention of 0 == no error, < 0 == errno code. For unspecific
errors you can simply return EINVAL as the xt_check_*() functions
currently do.
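The convention argument above, as an added user-space model that is neither kernel code nor the series' own code: the "mixed" scheme (>0 success, 0 unspecified failure, <0 specific errno) is an assumption about what the v1 patches did, the "standard" scheme is the kernel-wide 0 / negative-errno rule, and the two cores show what libiptc's TC_COMMIT would see from setsockopt when an extension and the core disagree about the convention.

```c
/*
 * Constructed model of the checkentry return conventions debated in the
 * thread.  Not kernel code and not the series' own code: the "mixed" scheme
 * is an assumption about the v1 series, the "standard" scheme is the usual
 * 0 / negative-errno rule.  The check takes the match info directly instead
 * of struct xt_mtchk_param to keep the model self-contained.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Option bits, mirroring include/linux/netfilter_bridge/ebt_802_3.h. */
#define EBT_802_3_SAP   0x01
#define EBT_802_3_TYPE  0x02
#define EBT_802_3_MASK  (EBT_802_3_SAP | EBT_802_3_TYPE)

struct ebt_802_3_info {
	uint8_t  sap;
	uint16_t type;
	uint8_t  bitmask;
	uint8_t  invflags;
};

static int info_has_unknown_bits(const struct ebt_802_3_info *info)
{
	return (info->bitmask & ~EBT_802_3_MASK) ||
	       (info->invflags & ~EBT_802_3_MASK);
}

/* Extension written for the standard convention: 0 ok, -errno on failure. */
static int mt_check_std(const struct ebt_802_3_info *info)
{
	if (info_has_unknown_bits(info))
		return -EINVAL;
	return 0;
}

/* The same extension written for the mixed convention. */
static int mt_check_mixed(const struct ebt_802_3_info *info)
{
	if (info_has_unknown_bits(info))
		return false;   /* 0: "unspecified error" */
	return true;        /* 1: success */
}

/*
 * Core-side interpretation.  Each returns the positive errno that
 * setsockopt(SO_SET_REPLACE) would report to TC_COMMIT, or 0 when the
 * rule is accepted.
 */
static int core_std(int ret)
{
	/* xt_check_*() idiom: only a negative value is an error */
	return ret < 0 ? -ret : 0;
}

static int core_mixed(int ret)
{
	if (ret > 0)
		return 0;       /* boolean true */
	if (ret == 0)
		return EINVAL;  /* boolean false: unspecified failure */
	return -ret;        /* specific errno */
}

/* Run one extension's check under one core convention. */
static int report(int (*core)(int),
		  int (*check)(const struct ebt_802_3_info *),
		  const struct ebt_802_3_info *info)
{
	return core(check(info));
}

/* Constructed rule options: one valid, one with an undefined bit set. */
static const struct ebt_802_3_info sample_good = {
	.sap = 0xaa, .type = 0, .bitmask = EBT_802_3_SAP, .invflags = 0,
};
static const struct ebt_802_3_info sample_bad = {
	.sap = 0, .type = 0, .bitmask = 0x04, .invflags = 0,
};

int main(void)
{
	/* Matching conventions: valid rule accepted, bad rule gets EINVAL. */
	printf("std/std     good=%d bad=%d\n",
	       report(core_std, mt_check_std, &sample_good),
	       report(core_std, mt_check_std, &sample_bad));
	/* Mismatch: a mixed-style "false" (0) is read as success by the
	 * standard core, so the malformed rule is silently installed. */
	printf("std core, mixed ext: bad=%d (0 = accepted)\n",
	       report(core_std, mt_check_mixed, &sample_bad));
	/* The other mismatch fails closed: every valid rule is refused. */
	printf("mixed core, std ext: good=%d (EINVAL=%d)\n",
	       report(core_mixed, mt_check_std, &sample_good), EINVAL);
	return 0;
}
```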
* Re: [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ
2010-03-17 14:11 ` John Haxby
@ 2010-03-17 14:43 ` Patrick McHardy
2010-03-20 1:47 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-17 14:43 UTC (permalink / raw)
To: John Haxby; +Cc: Jan Engelhardt, netfilter-devel
John Haxby wrote:
> On 17/03/10 13:56, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>
>>> The SYSRQ target will allow to remotely invoke sysrq on the local
>>> machine. Authentication is by means of a pre-shared key that can
>>> either be transmitted plaintext or digest-secured.
>>>
>> Let's deal with the other modules first while I make up my mind.
>>
>
>
> I'm happy to defend the security aspects of this module, if that's
> what's concerning you.
>
> I do know that there are quite a few people here who want to be able to
> do remote sysrq -- they used to have a "crash trolley" consisting of a
> PS/2 keyboard and a monitor. Unfortunately most of their new machines
> only have USB and you can't hotplug a USB keyboard in many of the
> circumstances for which you want to (for example) trigger a crash.
>
> I guess that also means I'm happy to produce valid use-cases.
It seems useful to me, I'm mainly wondering whether there's a chance
that we'll get kdboe support in the foreseeable future, which would
make this pretty much obsolete I guess.
I also want to wait a bit to see whether there are any comments from
other developers since I guess most haven't looked at this module so
far.
* Re: [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values
2010-03-17 14:40 ` Patrick McHardy
@ 2010-03-17 21:54 ` Jan Engelhardt
2010-03-18 11:14 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-17 21:54 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Wednesday 2010-03-17 15:40, Patrick McHardy wrote:
>>
>> OK that seems mostly fine. Basically it's just the NULL/ENOENT
>> interpretation that might be confusing.
>
>One more thing though - I really don't like the strange mix of booleans
>and errno codes. If you want to change this,
I'm pretty indifferent, but what if I don't want to change it? :-)
Is it so bad to keep EINVAL and unspecified-error separated at the extension
level?
>please switch to the
>standard convention of 0 == no error, < 0 == errno code. For unspecific
>errors you can simply return EINVAL as the xt_check_*() functions
>currently do.
* Re: [PATCH 2/9] netfilter: xtables: slightly more detailed checkentry return values
2010-03-17 21:54 ` Jan Engelhardt
@ 2010-03-18 11:14 ` Patrick McHardy
0 siblings, 0 replies; 46+ messages in thread
From: Patrick McHardy @ 2010-03-18 11:14 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Wednesday 2010-03-17 15:40, Patrick McHardy wrote:
>>> OK that seems mostly fine. Basically it's just the NULL/ENOENT
>>> interpretation that might be confusing.
>> One more thing though - I really don't like the strange mix of booleans
>> and errno codes. If you want to change this,
>
> I'm pretty indifferent, but what if I don't want to change it? :-)
s/If/When/ :)
> Is it so bad to keep EINVAL and unspecified-error separated at the extension
> level?
It diverges from the well established return conventions in the kernel
for no reason. That's inviting bugs.
* Re: [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ
2010-03-17 14:43 ` Patrick McHardy
@ 2010-03-20 1:47 ` Jan Engelhardt
2010-03-22 15:14 ` John Haxby
0 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-20 1:47 UTC (permalink / raw)
To: Patrick McHardy; +Cc: John Haxby, netfilter-devel
On Wednesday 2010-03-17 15:43, Patrick McHardy wrote:
>>
>> I'm happy to defend the security aspects of this module, if that's
>> what's concerning you.
>>
>> I do know that there are quite a few people here who want to be able to
>> do remote sysrq -- they used to have a "crash trolley" consisting of a
>> PS/2 keyboard and a monitor. Unfortunately most of their new machines
>> only have USB and you can't hotplug a USB keyboard in many of the
>> circumstances for which you want to (for example) trigger a crash.
>>
>> I guess that also means I'm happy to produce valid use-cases.
>
>It seems useful to me, I'm mainly wondering whether there's a chance
>that we'll get kdboe support in the foreseeable future, which would
>make this pretty much obsolete I guess.
Well once there's kdboe, we can reevaluate and delete it again.
Which brings me to the point: is kdboe even secured?
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-17 13:35 ` Patrick McHardy
2010-03-17 13:43 ` Jan Engelhardt
@ 2010-03-20 2:03 ` Jan Engelhardt
2010-03-22 16:58 ` Patrick McHardy
1 sibling, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-20 2:03 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Wednesday 2010-03-17 14:35, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> +static void tee_tg_send(struct sk_buff *skb)
>> +{
>> + const struct dst_entry *dst = skb_dst(skb);
>> + const struct net_device *dev = dst->dev;
>> + unsigned int hh_len = LL_RESERVED_SPACE(dev);
>> +
>> + /* Be paranoid, rather than too clever. */
...
>
>Remind me again why we need this duplicated output function?
:
>> + /*
>> + * Normally, we would just use ip_local_out. Because iph->check is
>> + * already correct, we could take a shortcut and call dst_output
>> + * [forwards to ip_output] directly. ip_output however will invoke
>> + * Netfilter hooks
[ok we can skip these with IPSKB_REROUTED]
>> and cause reentrancy. So we skip that too and go
>> + * directly to ip_finish_output.
And since we don't want fragmentation, we would need to call
ip_finish_output2. That function is not exported, so it is copied. I
am not even sure what the IPv4 layer does when it has to fragment a
fragment (because fragments don't seem to carry IP_DF).
Setting IP_DF on the cloned skb could possibly lead to a Packet Too
Big being sent back to the original sender - which should probably be
avoided too.
So removing the copied code does not look that easy.
* Re: [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ
2010-03-20 1:47 ` Jan Engelhardt
@ 2010-03-22 15:14 ` John Haxby
2010-03-22 16:49 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: John Haxby @ 2010-03-22 15:14 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, netfilter-devel
On 20/03/10 01:47, Jan Engelhardt wrote:
> On Wednesday 2010-03-17 15:43, Patrick McHardy wrote:
>
>> It seems useful to me, I'm mainly wondering whether there's a chance
>> that we'll get kdboe support in the foreseeable future, which would
>> make this pretty much obsolete I guess.
>>
> Well once there's kdboe, we can reevaluate and delete it again.
> Which brings me to the point: is kdboe even secured?
>
And does it have the useful low-overhead that xt_SYSRQ has which means
it works even when the rest of the system is in deep trouble?
(I can't find kbdoe, google has let me down.)
jch
* Re: [PATCH 7/9] netfilter: xtables: inclusion of xt_SYSRQ
2010-03-22 15:14 ` John Haxby
@ 2010-03-22 16:49 ` Patrick McHardy
0 siblings, 0 replies; 46+ messages in thread
From: Patrick McHardy @ 2010-03-22 16:49 UTC (permalink / raw)
To: John Haxby; +Cc: Jan Engelhardt, netfilter-devel
John Haxby wrote:
> On 20/03/10 01:47, Jan Engelhardt wrote:
>> On Wednesday 2010-03-17 15:43, Patrick McHardy wrote:
>>
>>> It seems useful to me, I'm mainly wondering whether there's a chance
>>> that we'll get kdboe support in the foreseeable future, which would
>>> make this pretty much obsolete I guess.
>>>
>> Well once there's kdboe, we can reevaluate and delete it again.
>> Which brings me to the point: is kdboe even secured?
>>
>
>
> And does it have the useful low-overhead that xt_SYSRQ has which means
> it works even when the rest of the system is in deep trouble?
I guess it should. But from what I could find, there are no plans to
merge this in the near term.
>
> (I can't find kbdoe, google has let me down.)
Perhaps try kdboe :)
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-20 2:03 ` Jan Engelhardt
@ 2010-03-22 16:58 ` Patrick McHardy
2010-03-22 17:45 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-22 16:58 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Wednesday 2010-03-17 14:35, Patrick McHardy wrote:
>>> + /*
>>> + * Normally, we would just use ip_local_out. Because iph->check is
>>> + * already correct, we could take a shortcut and call dst_output
>>> + * [forwards to ip_output] directly. ip_output however will invoke
>>> + * Netfilter hooks
>>>
> [ok we can skip these with IPSKB_REROUTED]
>
>
>>> and cause reentrancy. So we skip that too and go
>>> + * directly to ip_finish_output.
>>>
>
> And since we don't want fragmentation, we would need to call
> ip_finish_output2. That function is not exported, so it is copied. I
> am not even sure what the IPv4 layer does when it has to fragment a
> fragment (because fragments don't seem to carry IP_DF).
>
I guess whether someone wants fragmentation is a question of the specific
use case. In many possible cases conntrack might have defragmented the
packet previously to reaching TEE, so it might actually be necessary to
refragment the packet.
> Setting IP_DF on the cloned skb could possibly lead to a Packet Too
> Big being sent back to the original sender - which should probably be
> avoided too.
>
Indeed. This might also happen if the packet is passed through another
router of course.
>
> So removing the copied code does not look that easy.
>
Well, worst case export the original function in case of duplicating it.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-22 16:58 ` Patrick McHardy
@ 2010-03-22 17:45 ` Jan Engelhardt
2010-03-23 12:04 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-22 17:45 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Monday 2010-03-22 17:58, Patrick McHardy wrote:
>>
>>>> and cause reentrancy. So we skip that too and go
>>>> + * directly to ip_finish_output.
>>
>> And since we don't want fragmentation, we would need to call
>> ip_finish_output2. That function is not exported, so it is copied. I
>> am not even sure what the IPv4 layer does when it has to fragment a
>> fragment (because fragments don't seem to carry IP_DF).
>
>I guess whether someone wants fragmentation is a question of the specific
>use case. In many possible cases conntrack might have defragmented the
>packet previously to reaching TEE, so it might actually be necessary to
>refragment the packet.
Aww..true.
>> Setting IP_DF on the cloned skb could possibly lead to a Packet Too
>> Big being sent back to the original sender - which should probably be
>> avoided too.
>
>Indeed. This might also happen if the packet is passed through another
>router of course.
Right. So let's set IP_DF on the teed packet and let the sender
reduce its packet size to accommodate for the (hidden) tee route :)
Is it ok if the Packet Too Big notification is received by the
original sender much later than an acknowledgement in reception to
the packet?
# Topology
digraph {
A -- internet_cloud;
internet_cloud -- R;
R -- B [label="mtu=1500"];
R -- C [label="mtu=1480"];
};
1. A->B TCP received by R
2. R clones to C
3. B receives and responds with TCP ACK
4. A receives ACK
5. A receives the PMTU update from R while trying to send to C
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-17 13:55 ` Patrick McHardy
@ 2010-03-23 1:55 ` Jan Engelhardt
2010-03-23 11:57 ` Patrick McHardy
2010-03-26 2:39 ` Jan Engelhardt
0 siblings, 2 replies; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-23 1:55 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Wednesday 2010-03-17 14:55, Patrick McHardy wrote:
>>>> + if (dst->hh != NULL) {
>>>> + neigh_hh_output(dst->hh, skb);
>>>> + } else if (dst->neighbour != NULL) {
>>>> + dst->neighbour->output(skb);
>>>> + } else {
>>>> + if (net_ratelimit())
>>>> + pr_debug(KBUILD_MODNAME
>>>> + "no hdr & no neighbour cache!\n");
>>>> + kfree_skb(skb);
>>>> + }
>>>> +}
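Review bot: in the final else branch, `pr_debug(KBUILD_MODNAME "no hdr & no neighbour cache!\n")` concatenates the module name directly onto the message, so it comes out as "xt_TEEno hdr & no neighbour cache!"; insert a separator (`KBUILD_MODNAME ": no hdr & no neighbour cache!\n"`) or define pr_fmt() at the top of the file instead. Also, pr_debug() compiles to nothing unless DEBUG or dynamic debug is enabled, so the net_ratelimit() guard only takes effect in debug builds; if this condition is meant to be visible in production, a non-debug printk level is needed.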
>>> Remind me again why we need this duplicated output function?
>
>You can use dst_output() and set IPSKB_REROUTED to skip the hook
>invocation. This will potentially perform fragmentation however.
We don't have IPSKB_REROUTED for IPv6 currently.
While I was pondering adding that, I noticed another upside-down
world:
- iptables POSTROUTING is invoked before outgoing fragmentation
(verified using ping -s 65000 localhost, and watching with both
ipt_LOG and tcpdump.)
- ip6tables POSTROUTING is invoked after outgoing fragmentation
Also, if I am reading right, POSTROUTING is invoked twice for v6
multicast.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-23 1:55 ` Jan Engelhardt
@ 2010-03-23 11:57 ` Patrick McHardy
2010-03-26 2:39 ` Jan Engelhardt
1 sibling, 0 replies; 46+ messages in thread
From: Patrick McHardy @ 2010-03-23 11:57 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Wednesday 2010-03-17 14:55, Patrick McHardy wrote:
>>>>> + if (dst->hh != NULL) {
>>>>> + neigh_hh_output(dst->hh, skb);
>>>>> + } else if (dst->neighbour != NULL) {
>>>>> + dst->neighbour->output(skb);
>>>>> + } else {
>>>>> + if (net_ratelimit())
>>>>> + pr_debug(KBUILD_MODNAME
>>>>> + "no hdr & no neighbour cache!\n");
>>>>> + kfree_skb(skb);
>>>>> + }
>>>>> +}
>>>> Remind me again why we need this duplicated output function?
>> You can use dst_output() and set IPSKB_REROUTED to skip the hook
>> invocation. This will potentially perform fragmentation however.
>
> We don't have IPSKB_REROUTED for IPv6 currently.
>
> While I was pondering adding that, I noticed another upside-down
> world:
>
> - iptables POSTROUTING is invoked before outgoing fragmentation
> (verified using ping -s 65000 localhost, and watching with both
> ipt_LOG and tcpdump.)
>
> - ip6tables POSTROUTING is invoked after outgoing fragmentation
That's correct. We used to invoke IPv4 POST_ROUTING after fragmentation
as well just to defragment the packets in conntrack immediately
afterwards, but that got changed during the netfilter-ipsec integration.
Ideally IPv6 would behave like IPv4.
> Also, if I am reading right, POSTROUTING is invoked twice for v6
> multicast.
I can see one invocation for loopback and one for non-loopback.
That's fine.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-22 17:45 ` Jan Engelhardt
@ 2010-03-23 12:04 ` Patrick McHardy
2010-03-23 12:29 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-23 12:04 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Monday 2010-03-22 17:58, Patrick McHardy wrote:
>>>
>>>>> and cause reentrancy. So we skip that too and go
>>>>> + * directly to ip_finish_output.
>>> And since we don't want fragmentation, we would need to call
>>> ip_finish_output2. That function is not exported, so it is copied. I
>>> am not even sure what the IPv4 layer does when it has to fragment a
>>> fragment (because fragments don't seem to carry IP_DF).
>> I guess whether someone wants fragmentation is a question of the specific
>> use case. In many possible cases conntrack might have defragmented the
>> packet previously to reaching TEE, so it might actually be necessary to
>> refragment the packet.
>
> Aww..true.
>
>>> Setting IP_DF on the cloned skb could possibly lead to a Packet Too
>>> Big being sent back to the original sender - which should probably be
>>> avoided too.
>> Indeed. This might also happen if the packet is passed through another
>> router of course.
>
> Right. So let's set IP_DF on the teed packet and let the sender
> reduce its packet size to accommodate for the (hidden) tee route :)
>
> Is it ok if the Packet Too Big notification is received by the
> original sender much later than an acknowledgement in reception to
> the packet?
I think it's the responsibility of the admin to make sure that
doesn't happen.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-23 12:04 ` Patrick McHardy
@ 2010-03-23 12:29 ` Jan Engelhardt
2010-03-23 12:38 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-23 12:29 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Tuesday 2010-03-23 13:04, Patrick McHardy wrote:
>>
>>>> Setting IP_DF on the cloned skb could possibly lead to a Packet Too
>>>> Big being sent back to the original sender - which should probably be
>>>> avoided too.
>>> Indeed. This might also happen if the packet is passed through another
>>> router of course.
>>
>> Right. So let's set IP_DF on the teed packet and let the sender
>> reduce its packet size to accommodate for the (hidden) tee route :)
>>
>> Is it ok if the Packet Too Big notification is received by the
>> original sender much later than an acknowledgement in reception to
>> the packet?
>
>I think it's the responsibility of the admin to make sure that
>doesn't happen.
Is that so?
1. sending the clone through a tunnel - admin can't do much about MTU getting
smaller here.
2. the PTB may take longer to reach the source due to internet
routing - nothing the admin can really influence either.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-23 12:29 ` Jan Engelhardt
@ 2010-03-23 12:38 ` Patrick McHardy
2010-03-23 12:46 ` Jan Engelhardt
0 siblings, 1 reply; 46+ messages in thread
From: Patrick McHardy @ 2010-03-23 12:38 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Tuesday 2010-03-23 13:04, Patrick McHardy wrote:
>>>>> Setting IP_DF on the cloned skb could possibly lead to a Packet Too
>>>>> Big being sent back to the original sender - which should probably be
>>>>> avoided too.
>>>> Indeed. This might also happen if the packet is passed through another
>>>> router of course.
>>> Right. So let's set IP_DF on the teed packet and let the sender
>>> reduce its packet size to accommodate for the (hidden) tee route :)
>>>
>>> Is it ok if the Packet Too Big notification is received by the
>>> original sender much later than an acknowledgement in reception to
>>> the packet?
>> I think its the responsibility of the admin to make sure that
>> doesn't happen.
>
> Is that so?
He's the one duplicating packets on purpose, so yes.
> 1. sending the clone through a tunnel - admin can't do much about MTU getting
> smaller here.
It either happens locally (before encapsulation) or for the
encapsulated packets, which isn't a problem.
> 2. the PTB may take longer to reach the source due to internet
> routing - nothing the admin can really influence either.
He should make sure any messages generated in response to duplicated
packets are not routed or dropped.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-23 12:38 ` Patrick McHardy
@ 2010-03-23 12:46 ` Jan Engelhardt
2010-03-23 13:45 ` Patrick McHardy
0 siblings, 1 reply; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-23 12:46 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Tuesday 2010-03-23 13:38, Patrick McHardy wrote:
>
>> 1. sending the clone through a tunnel - admin can't do much about MTU getting
>> smaller here.
>
>It either happens locally (before encapsulation) or for the
>encapsulated packets, which isn't a problem.
That is what I am referring to. Suppose -j TEE is using
a --gateway address whose route resolves to
default dev ipip0 [mtu 1480]
(There is no encapsulation or MTU decrease on the original path.) The
admin then has two possibilities, to either drop the clone, or coerce
the source in sending appropriately-sized packets.
>> 2. the PTB may take longer to reach the source due to internet
>> routing - nothing the admin can really influence either.
>
>He should make sure any messages generated in response to duplicated
>packets are not routed or dropped.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-23 12:46 ` Jan Engelhardt
@ 2010-03-23 13:45 ` Patrick McHardy
0 siblings, 0 replies; 46+ messages in thread
From: Patrick McHardy @ 2010-03-23 13:45 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Tuesday 2010-03-23 13:38, Patrick McHardy wrote:
>>> 1. sending the clone through a tunnel - admin can't do much about MTU getting
>>> smaller here.
>> It either happens locally (before encapsulation) or for the
>> encapsulated packets, which isn't a problem.
>
> That is what I am referring to. Suppose -j TEE is using
> a --gateway address whose route resolves to
>
> default dev ipip0 [mtu 1480]
>
> (There is no encapsulation or MTU decrease on the original path.) The
> admin then has two possibilities, to either drop the clone, or coerce
> the source in sending appropriately-sized packets.
True. He might also hack ipip to allow fragmentation of encapsulated
packets independent of the IP_DF flag of the original packet.
But in my opinion he should make sure not to send anything to the
source for duplicated packets.
BTW, I just noticed TEE is still using init_net. This should be
fixed.
* Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE
2010-03-23 1:55 ` Jan Engelhardt
2010-03-23 11:57 ` Patrick McHardy
@ 2010-03-26 2:39 ` Jan Engelhardt
1 sibling, 0 replies; 46+ messages in thread
From: Jan Engelhardt @ 2010-03-26 2:39 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Patrick McHardy wrote:
>
>> - iptables POSTROUTING is invoked before outgoing fragmentation
>> (verified using ping -s 65000 localhost, and watching with both
>> ipt_LOG and tcpdump.)
>>
>> - ip6tables POSTROUTING is invoked after outgoing fragmentation
>
>That's correct. We used to invoke IPv4 POST_ROUTING after fragmentation
>as well just to defragment the packets in conntrack immediately
>afterwards, but that got changed during the netfilter-ipsec integration.
>
>Ideally IPv6 would behave like IPv4.
Can you elaborate? conntrack runs well before POSTROUTING,
so the choice of doing POSTROUTING before or after fragmentation
seems to have no effect (other than perhaps xfrm).