[PATCH 0/2] A couple of netfilter fixes

[PATCH 0/2] A couple of netfilter fixes

[Pablo Neira Ayuso]

Hi Patrick,

Are we in time to put these patches into 2.6.30-rc?

---

Pablo Neira Ayuso (2):
      netfilter: conntrack: add support for DCCP handshake sequence to ctnetlink
      netfilter: nfnetlink_log: fix wrong skbuff size calculation


 include/linux/netfilter/nfnetlink_conntrack.h |    1 +
 net/netfilter/nf_conntrack_proto_dccp.c       |    7 +++++++
 net/netfilter/nfnetlink_log.c                 |    6 ++++++
 3 files changed, 14 insertions(+), 0 deletions(-)

[PATCH 1/2] netfilter: nfnetlink_log: fix wrong skbuff size calculation

[Pablo Neira Ayuso]

This problem was introduced in 72961ecf84d67d6359a1b30f9b2a8427f13e1e71
since no space was reserved for the new attributes NFULA_HWTYPE,
NFULA_HWLEN and NFULA_HWHEADER.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 net/netfilter/nfnetlink_log.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index fd326ac..66a6dd5 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -581,6 +581,12 @@ nfulnl_log_packet(u_int8_t pf,
 		+ nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
 		+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
 
+	if (in && skb_mac_header_was_set(skb)) {
+		size +=   nla_total_size(skb->dev->hard_header_len)
+			+ nla_total_size(sizeof(u_int16_t))	/* hwtype */
+			+ nla_total_size(sizeof(u_int16_t));	/* hwlen */
+	}
+
 	spin_lock_bh(&inst->lock);
 
 	if (inst->flags & NFULNL_CFG_F_SEQ)

[PATCH 2/2] netfilter: conntrack: add support for DCCP handshake sequence to ctnetlink

[Pablo Neira Ayuso]

This patch adds CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ that exposes
the u64 handshake sequence number to user-space.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 include/linux/netfilter/nfnetlink_conntrack.h |    1 +
 net/netfilter/nf_conntrack_proto_dccp.c       |    7 +++++++
 2 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index 1a865e4..ed4ef8d 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -101,6 +101,7 @@ enum ctattr_protoinfo_dccp {
 	CTA_PROTOINFO_DCCP_UNSPEC,
 	CTA_PROTOINFO_DCCP_STATE,
 	CTA_PROTOINFO_DCCP_ROLE,
+	CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
 	__CTA_PROTOINFO_DCCP_MAX,
 };
 #define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index aee0d6b..0831b5e 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -639,6 +639,8 @@ static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
 	NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state);
 	NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_ROLE,
 		   ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]);
+	NLA_PUT_U64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
+		    ct->proto.dccp.handshake_seq);
 	nla_nest_end(skb, nest_parms);
 	read_unlock_bh(&dccp_lock);
 	return 0;
@@ -651,6 +653,7 @@ nla_put_failure:
 static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
 	[CTA_PROTOINFO_DCCP_STATE]	= { .type = NLA_U8 },
 	[CTA_PROTOINFO_DCCP_ROLE]	= { .type = NLA_U8 },
+	[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 },
 };
 
 static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
@@ -683,6 +686,10 @@ static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
 		ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER;
 		ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT;
 	}
+	if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) {
+		ct->proto.dccp.handshake_seq =
+			nla_get_u64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]);
+	}
 	write_unlock_bh(&dccp_lock);
 	return 0;
 }

Re: [PATCH 1/2] netfilter: nfnetlink_log: fix wrong skbuff size calculation

[Patrick McHardy]

Pablo Neira Ayuso wrote:
> This problem was introduced in 72961ecf84d67d6359a1b30f9b2a8427f13e1e71
> since no space was reserved for the new attributes NFULA_HWTYPE,
> NFULA_HWLEN and NFULA_HWHEADER.

Applied, thanks Pablo.

Re: [PATCH 2/2] netfilter: conntrack: add support for DCCP handshake sequence to ctnetlink

[Patrick McHardy]

Pablo Neira Ayuso wrote:
> --- a/net/netfilter/nf_conntrack_proto_dccp.c
> +++ b/net/netfilter/nf_conntrack_proto_dccp.c
> @@ -639,6 +639,8 @@ static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
>  	NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state);
>  	NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_ROLE,
>  		   ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]);
> +	NLA_PUT_U64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
> +		    ct->proto.dccp.handshake_seq);

This should use big endian byteorder.

Re: [PATCH 2/2] netfilter: conntrack: add support for DCCP handshake sequence to ctnetlink

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 903 bytes --]

Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> --- a/net/netfilter/nf_conntrack_proto_dccp.c
>> +++ b/net/netfilter/nf_conntrack_proto_dccp.c
>> @@ -639,6 +639,8 @@ static int dccp_to_nlattr(struct sk_buff *skb,
>> struct nlattr *nla,
>>      NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state);
>>      NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_ROLE,
>>             ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]);
>> +    NLA_PUT_U64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
>> +            ct->proto.dccp.handshake_seq);
> 
> This should use big endian byteorder.

dccp_hdr_seq() returns a value in host byte order, which is used to
assign the value to handshake_seq. So, we need to use cpu_to_be64() to
convert the value to network byte order as other attributes in ctnetlink
which are in network byte order, right? :)

Patch attached.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[-- Attachment #2: ct-dccp-export-seq.patch --]
[-- Type: text/x-diff, Size: 2930 bytes --]

netfilter: conntrack: add support for DCCP handshake sequence to ctnetlink

This patch adds CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ that exposes
the u64 handshake sequence number to user-space.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

 include/linux/netfilter/nfnetlink_conntrack.h |    1 +
 include/net/netlink.h                         |    9 +++++++++
 net/netfilter/nf_conntrack_proto_dccp.c       |    7 +++++++
 3 files changed, 17 insertions(+), 0 deletions(-)


diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index 1a865e4..ed4ef8d 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -101,6 +101,7 @@ enum ctattr_protoinfo_dccp {
 	CTA_PROTOINFO_DCCP_UNSPEC,
 	CTA_PROTOINFO_DCCP_STATE,
 	CTA_PROTOINFO_DCCP_ROLE,
+	CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
 	__CTA_PROTOINFO_DCCP_MAX,
 };
 #define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
diff --git a/include/net/netlink.h b/include/net/netlink.h
index eddb502..007bdb0 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -940,6 +940,15 @@ static inline u64 nla_get_u64(const struct nlattr *nla)
 }
 
 /**
+ * nla_get_be64 - return payload of __be64 attribute
+ * @nla: __be64 netlink attribute
+ */
+static inline __be64 nla_get_be64(const struct nlattr *nla)
+{
+	return *(__be64 *) nla_data(nla);
+}
+
+/**
  * nla_get_flag - return payload of flag attribute
  * @nla: flag netlink attribute
  */
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index aee0d6b..2952269 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -639,6 +639,8 @@ static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
 	NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state);
 	NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_ROLE,
 		   ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]);
+	NLA_PUT_BE64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
+		     cpu_to_be64(ct->proto.dccp.handshake_seq));
 	nla_nest_end(skb, nest_parms);
 	read_unlock_bh(&dccp_lock);
 	return 0;
@@ -651,6 +653,7 @@ nla_put_failure:
 static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
 	[CTA_PROTOINFO_DCCP_STATE]	= { .type = NLA_U8 },
 	[CTA_PROTOINFO_DCCP_ROLE]	= { .type = NLA_U8 },
+	[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 },
 };
 
 static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
@@ -683,6 +686,10 @@ static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
 		ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER;
 		ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT;
 	}
+	if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) {
+		ct->proto.dccp.handshake_seq =
+		be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]));
+	}
 	write_unlock_bh(&dccp_lock);
 	return 0;
 }

Re: [PATCH 2/2] netfilter: conntrack: add support for DCCP handshake sequence to ctnetlink

[Patrick McHardy]

Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>> Pablo Neira Ayuso wrote:
>>> --- a/net/netfilter/nf_conntrack_proto_dccp.c
>>> +++ b/net/netfilter/nf_conntrack_proto_dccp.c
>>> @@ -639,6 +639,8 @@ static int dccp_to_nlattr(struct sk_buff *skb,
>>> struct nlattr *nla,
>>>      NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state);
>>>      NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_ROLE,
>>>             ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]);
>>> +    NLA_PUT_U64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
>>> +            ct->proto.dccp.handshake_seq);
>> This should use big endian byteorder.
> 
> dccp_hdr_seq() returns a value in host byte order, which is used to
> assign the value to handshake_seq. So, we need to use cpu_to_be64() to
> convert the value to network byte order as other attributes in ctnetlink
> which are in network byte order, right? :)

Absolutely :)

> Patch attached.

Applied to nf-next, thanks.

[PATCH 0/2] A couple of netfilter fixes

[Pablo Neira Ayuso]

Hi Patrick,

You can find two patches here. The former fixes flow recovery with
TCP window tracking enabled, it's been tested with the current snapshot
of conntrackd and the libnetfilter_* libraries. The latter defines
aligned_be64 to allow to compile user-space Netlink code without
adding an ad-hoc definition of that type.

Let me know if you consider that they can be qualified as fixes for
the -stable branch.

Thanks!

---

Pablo Neira Ayuso (2):
      netfilter: nf_ct_tcp: fix flow recovery with TCP window tracking enabled
      netfilter: nfnetlink_queue: add definition of aligned_be64 for user-space apps


 include/linux/netfilter/nfnetlink_queue.h |    6 ++++++
 net/netfilter/nf_conntrack_proto_tcp.c    |   10 +++++++++-
 2 files changed, 15 insertions(+), 1 deletions(-)

--
Under the asphalt, there's the orchard!