Commit Graph

345513 Commits

Author SHA1 Message Date
Patrick McHardy 5db8a0d1df netfilter: ipv6: add IPv6 NAT support
Change-Id: Ib2651454b29eda36bb83b86be8b5224005d066bd
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:33 +01:00
Patrick McHardy 9359ce23ba net: core: add function for incremental IPv6 pseudo header checksum updates
Add inet_proto_csum_replace16 for incrementally updating IPv6 pseudo header
checksums for IPv6 NAT.

Change-Id: I80a55dbe36fcdca94f1a838d9f3778d9f1d60e9d
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:33 +01:00
Patrick McHardy 33894c5ae7 netfilter: nf_conntrack_ipv6: fix tracking of ICMPv6 error messages containing fragments
ICMPv6 error messages are tracked by extracting the conntrack tuple of
the inner packet and looking up the corresponding conntrack entry. Tuple
extraction uses the ->get_l4proto() callback, which in case of fragments
returns NEXTHDR_FRAGMENT instead of the upper protocol, even for the
first fragment when the entire next header is present, resulting in a
failure to find the correct connection tracking entry.

This patch changes ipv6_get_l4proto() to use ipv6_skip_exthdr() instead
of nf_ct_ipv6_skip_exthdr() in order to skip fragment headers when the
fragment offset is zero.

Change-Id: I21754fe3124e7bda300b8b6e5ebf3c3588cbd0ee
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:33 +01:00
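To make the distinction this fix relies on concrete, here is an added example in C (not the kernel's code and not this commit's diff): a minimal IPv6 extension-header walk over a constructed packet. The names `walk_exthdr`, `ipv6_get_l4proto`, `build_fragmented_tcp`, `demo_l4proto` and `demo_protoff` are chosen for this example. The `skip_first_frag` flag switches between stopping at any fragment header, which is the behaviour the commit message attributes to nf_ct_ipv6_skip_exthdr(), and stepping over a fragment header whose offset is zero, which is the ipv6_skip_exthdr() behaviour the fix adopts.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IPv6 next-header numbers, as in the kernel's NEXTHDR_* constants */
#define NEXTHDR_HOP      0
#define NEXTHDR_TCP      6
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_DEST     60

#define IPV6_HDR_LEN 40   /* base header; its next-header byte is at offset 6 */
#define FRAG_HDR_LEN 8

/* Walk the extension-header chain starting at pkt[start] with initial next-header
 * value nexthdr. With skip_first_frag set, a fragment header whose offset is 0 is
 * stepped over (the first fragment carries the whole upper-layer header), as
 * ipv6_skip_exthdr() does. With it clear, any fragment header ends the walk with
 * NEXTHDR_FRAGMENT, the pre-fix behaviour the commit describes.
 * The offset of the returned header is stored in *protoff; -1 means truncated. */
int walk_exthdr(const uint8_t *pkt, size_t len, size_t start, uint8_t nexthdr,
                int skip_first_frag, size_t *protoff)
{
    size_t off = start;

    for (;;) {
        switch (nexthdr) {
        case NEXTHDR_HOP:
        case NEXTHDR_ROUTING:
        case NEXTHDR_DEST: {
            /* generic extension header: next-header byte, then length in 8-octet units minus one */
            if (off + 2 > len)
                return -1;
            size_t hdrlen = ((size_t)pkt[off + 1] + 1) * 8;
            if (off + hdrlen > len)
                return -1;
            nexthdr = pkt[off];
            off += hdrlen;
            break;
        }
        case NEXTHDR_FRAGMENT: {
            if (off + FRAG_HDR_LEN > len)
                return -1;
            /* fragment offset: upper 13 bits of bytes 2-3 (mask 0xfff8); bit 0 is the M flag */
            uint16_t frag_off = (uint16_t)(((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8);
            if (!skip_first_frag || frag_off != 0) {
                *protoff = off;
                return NEXTHDR_FRAGMENT;
            }
            nexthdr = pkt[off];
            off += FRAG_HDR_LEN;
            break;
        }
        default:
            /* upper-layer protocol reached (TCP, UDP, ICMPv6, ...) */
            *protoff = off;
            return nexthdr;
        }
    }
}

/* Counterpart of ipv6_get_l4proto(): start from the base header's next-header byte. */
int ipv6_get_l4proto(const uint8_t *pkt, size_t len, int skip_first_frag, size_t *protoff)
{
    if (len < IPV6_HDR_LEN)
        return -1;
    return walk_exthdr(pkt, len, IPV6_HDR_LEN, pkt[6], skip_first_frag, protoff);
}

/* Constructed sample packet: base header + fragment header + 20 zeroed TCP bytes.
 * frag_off is in octets (multiple of 8). Returns the packet length. */
size_t build_fragmented_tcp(uint8_t *buf, size_t cap, uint16_t frag_off)
{
    size_t len = IPV6_HDR_LEN + FRAG_HDR_LEN + 20;
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    buf[0] = 0x60;                            /* version 6 */
    buf[5] = FRAG_HDR_LEN + 20;               /* payload length */
    buf[6] = NEXTHDR_FRAGMENT;                /* base header -> fragment header */
    buf[7] = 64;                              /* hop limit */
    uint8_t *fh = buf + IPV6_HDR_LEN;
    fh[0] = NEXTHDR_TCP;                      /* fragment header -> TCP */
    fh[2] = (uint8_t)(frag_off >> 8);
    fh[3] = (uint8_t)((frag_off & 0xf8) | 1); /* low offset bits, M flag set */
    fh[4] = 0xde; fh[5] = 0xad; fh[6] = 0xbe; fh[7] = 0xef; /* identification */
    return len;
}

/* Build the sample with the given offset and report the protocol the walk returns. */
int demo_l4proto(uint16_t frag_off, int skip_first_frag)
{
    uint8_t buf[128];
    size_t off = 0;
    size_t n = build_fragmented_tcp(buf, sizeof buf, frag_off);
    return ipv6_get_l4proto(buf, n, skip_first_frag, &off);
}

/* Same, but report the offset of the returned header (0 on error). */
size_t demo_protoff(uint16_t frag_off, int skip_first_frag)
{
    uint8_t buf[128];
    size_t off = 0;
    size_t n = build_fragmented_tcp(buf, sizeof buf, frag_off);
    return ipv6_get_l4proto(buf, n, skip_first_frag, &off) < 0 ? 0 : off;
}

int main(void)
{
    printf("first fragment, old walk: %d\n", demo_l4proto(0, 0)); /* 44 */
    printf("first fragment, new walk: %d\n", demo_l4proto(0, 1)); /* 6 */
    printf("later fragment, new walk: %d\n", demo_l4proto(8, 1)); /* 44 */
    return 0;
}
```

The first fragment (offset 0) resolves to TCP at offset 48 only with the new walk; a later fragment (offset 8) still stops at the fragment header with either walk, because its upper-layer header genuinely is not present.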
Patrick McHardy cdedd3ebe1 ipv4: fix path MTU discovery with connection tracking
IPv4 conntrack defragments incoming packet at the PRE_ROUTING hook and
(in case of forwarded packets) refragments them at POST_ROUTING
independent of the IP_DF flag. Refragmentation uses the dst_mtu() of
the local route without caring about the original fragment sizes,
thereby breaking PMTUD.

This patch fixes this by keeping track of the largest received fragment
with IP_DF set and generates an ICMP fragmentation required error during
refragmentation if that size exceeds the MTU.

Change-Id: Ibac77b728baba05841286ea5a8a2089d56e6ad65
Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:33 +01:00
Patrick McHardy 98258dac20 netfilter: nf_conntrack_ipv6: improve fragmentation handling
The IPv6 conntrack fragmentation currently has a couple of shortcomings.
Fragments are collected in PREROUTING/OUTPUT, are defragmented, the
defragmented packet is then passed to conntrack, the resulting conntrack
information is attached to each original fragment and the fragments then
continue their way through the stack.

Helper invocation occurs in the POSTROUTING hook, at which point only
the original fragments are available. The result of this is that
fragmented packets are never passed to helpers.

This patch improves the situation in the following way:

- If a reassembled packet belongs to a connection that has a helper
  assigned, the reassembled packet is passed through the stack instead
  of the original fragments.

- During defragmentation, the largest received fragment size is stored.
  On output, the packet is refragmented if required. If the largest
  received fragment size exceeds the outgoing MTU, a "packet too big"
  message is generated, thus behaving as if the original fragments
  were passed through the stack from an outside point of view.

- The ipv6_helper() hook function can't receive fragments anymore for
  connections using a helper, so it is switched to use ipv6_skip_exthdr()
  instead of the netfilter specific nf_ct_ipv6_skip_exthdr() and the
  reassembled packets are passed to connection tracking helpers.

The result of this is that we can properly track fragmented packets, but
still generate ICMPv6 Packet too big messages if we would have before.

This patch is also required as a precondition for IPv6 NAT, where NAT
helpers might enlarge packets up to a point that they require
fragmentation. In that case we can't generate Packet too big messages
since the proper MTU can't be calculated in all cases (f.i. when
changing textual representation of a variable amount of addresses),
so the packet is transparently fragmented iff the original packet or
fragments would have fit the outgoing MTU.

IPVS parts by Jesper Dangaard Brouer <brouer@redhat.com>.

Change-Id: I75d83668e7de723fb271232f475f46f4037a4a4f
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>

Conflicts:
    net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
    net/ipv6/netfilter/nf_conntrack_reasm.c

Conflicts are due to the fact that Samsung backported
commit 6aafeef03b9d9ecf255f3a80ed85ee070260e1ae :
netfilter: push reasm skb through instead of original frag skbs
in latest source drop.
2020-01-06 08:40:33 +01:00
Pablo Neira Ayuso 39a51eb15e netfilter: nf_ct_ftp: add sequence tracking pickup facility for injected entries
This patch allows the FTP helper to pickup the sequence tracking from
the first packet seen. This is useful to fix the breakage of the first
FTP command after the failover while using conntrackd to synchronize
states.

The seq_aft_nl_num field in struct nf_ct_ftp_info has been shrunk to
16-bits (enough for what it does), so we can use the remaining 16-bits
to store the flags while using the same size for the private FTP helper
data.

Change-Id: I0a6bdfce32aff13ecaf672e59f0356f12968c8c3
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:33 +01:00
Pablo Neira Ayuso 7a30dcee33 netfilter: nf_nat: support IPv6 in TFTP NAT helper
Change-Id: Ic5ccad6d30a2af01a2d42898cc0aa7bc8f1069f6
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:33 +01:00
Pablo Neira Ayuso 90bc7f7035 netfilter: nf_nat: support IPv6 in IRC NAT helper
Change-Id: I487170c3721fe37dbd115e637bc86602721ab0f4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:33 +01:00
Patrick McHardy 71f97700db netfilter: nf_nat: support IPv6 in SIP NAT helper
Add IPv6 support to the SIP NAT helper. There are no functional differences
to IPv4 NAT, just different formats for addresses.

Change-Id: I151f527731d4724606203ca82244b5aad4b9e026
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:33 +01:00
Patrick McHardy 5c15216ba7 netfilter: nf_nat: support IPv6 in amanda NAT helper
Change-Id: I5553a5456028e11ab80f4687fc8ebb140d6f49d9
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Patrick McHardy f8ff9c39ad netfilter: nf_nat: support IPv6 in FTP NAT helper
Change-Id: I9bd1d3d33459e97009b09af06a0c28913d507e5d
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Elison Niven c71936c758 netfilter: xt_nat: fix incorrect hooks for SNAT and DNAT targets
In (c7232c9 netfilter: add protocol independent NAT core), the
hooks were accidentally modified:

SNAT hooks are POST_ROUTING and LOCAL_IN (before it was LOCAL_OUT).
DNAT hooks are PRE_ROUTING and LOCAL_OUT (before it was LOCAL_IN).

Change-Id: I06cd07a03ddcc4ad65672b7218eee9f9d97283e4
Signed-off-by: Elison Niven <elison.niven@cyberoam.com>
Signed-off-by: Sanket Shah <sanket.shah@cyberoam.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Ulrich Weber 98d911d2fd netfilter: nf_nat: remove obsolete rcu_read_unlock call
hlist walk in find_appropriate_src() is not protected anymore by rcu_read_lock(),
so rcu_read_unlock() is unnecessary if in_range() matches.

This bug was added in (c7232c9 netfilter: add protocol independent NAT core).

Change-Id: I8c40a6a0367e16934de163f7485155bf6544f06d
Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Pablo Neira Ayuso db9cc0fbb7 netfilter: ctnetlink: fix module auto-load in ctnetlink_parse_nat
(c7232c9 netfilter: add protocol independent NAT core) added
incorrect locking for the module auto-load case in ctnetlink_parse_nat.

That function is always called from ctnetlink_create_conntrack which
requires no locking.

Change-Id: Ibe18fe88e50a41081077b9e581b4572778747237
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Pablo Neira Ayuso eb061bd6df netfilter: fix crash during boot if NAT has been compiled built-in
(c7232c9 netfilter: add protocol independent NAT core) introduced a
problem that leads to crashing during boot due to NULL pointer
dereference. It seems that xt_nat calls xt_register_target() before
xt_init():

net/netfilter/x_tables.c:static struct xt_af *xt; is NULL and we crash on
xt_register_target(struct xt_target *target)
{
        u_int8_t af = target->family;
        int ret;

        ret = mutex_lock_interruptible(&xt[af].mutex);
...

Fix this by changing the linking order, to make sure that x_tables
comes before xt_nat.

Change-Id: Ie346a65d9d1beedc6724a1187132bf75ae6070e4
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Patrick McHardy cbfbbf45a4 netfilter: add protocol independent NAT core
Convert the IPv4 NAT implementation to a protocol independent core and
address family specific modules.

Change-Id: I926b42af53b37c96fb654021e7f568450e8c63c0
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Patrick McHardy 79f234e0ae netfilter: nf_nat: add protoff argument to packet mangling functions
For mangling IPv6 packets the protocol header offset needs to be known
by the NAT packet mangling functions. Add a so far unused protoff argument
and convert the conntrack and NAT helpers to use it in preparation of
IPv6 NAT.

Change-Id: I8910efcf9411b509a065cf84e8277d1d04315700
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Patrick McHardy a0a3731d8b netfilter: nf_conntrack: restrict NAT helper invocation to IPv4
The NAT helpers currently only handle IPv4 packets correctly. Restrict
invocation of the helpers to IPv4 in preparation of IPv6 NAT.

Change-Id: I13c7c924d461e2dce9faa34ec47716aca881a1bc
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Patrick McHardy d5a4ab98a7 netfilter: nf_ct_sip: fix IPv6 address parsing
Within SIP messages IPv6 addresses are enclosed in square brackets in most
cases, with the exception of the "received=" header parameter. Currently
the helper fails to parse enclosed addresses.

This patch:

- changes the SIP address parsing function to enforce square brackets
  when required, and accept them when not required but present, as
  recommended by RFC 5118.

- adds a new SDP address parsing function that never accepts square
  brackets since SDP doesn't use them.

With these changes, the SIP helper correctly parses all test messages
from RFC 5118 (Session Initiation Protocol (SIP) Torture Test Messages
for Internet Protocol Version 6 (IPv6)).

Change-Id: Ifc681cd2a52c0bb98adedcfe790fd0c10c21eb07
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
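An added example in C, not the SIP helper's own parser, showing the two bracket policies the commit describes: `sip_parse_addr()` enforces square brackets when required and accepts them when present but not required, while `sdp_parse_addr()` rejects them. IPv6 literals are validated with inet_pton(); the function names are chosen for this example and the header fragments in `main` are constructed sample values positioned at the address start.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Length of the leading run of characters that can occur in an IPv6 literal. */
static size_t scan_v6_chars(const char *s, size_t len)
{
    size_t n = 0;
    while (n < len && (isxdigit((unsigned char)s[n]) || s[n] == ':' || s[n] == '.'))
        n++;
    return n;
}

/* Parse an IPv6 address at the start of s (len bytes). If require_brackets is
 * set, the address must be enclosed in [ ]; otherwise brackets are optional
 * but, when present, must be balanced. The textual address (without brackets)
 * is copied to out. Returns the number of bytes consumed, or 0 on failure. */
size_t sip_parse_addr(const char *s, size_t len, int require_brackets,
                      char *out, size_t outsz)
{
    struct in6_addr a;
    size_t i = 0, n;
    int bracketed = 0;

    if (len > 0 && s[0] == '[') {
        bracketed = 1;
        i = 1;
    } else if (require_brackets) {
        return 0;                             /* brackets mandatory here */
    }
    n = scan_v6_chars(s + i, len - i);
    if (n == 0 || n >= outsz)
        return 0;
    memcpy(out, s + i, n);
    out[n] = '\0';
    if (inet_pton(AF_INET6, out, &a) != 1)    /* reject junk such as "abc" */
        return 0;
    i += n;
    if (bracketed) {
        if (i >= len || s[i] != ']')          /* opening bracket never closed */
            return 0;
        i++;
    }
    return i;
}

/* SDP never brackets IPv6 addresses, so a leading '[' is a parse failure. */
size_t sdp_parse_addr(const char *s, size_t len, char *out, size_t outsz)
{
    if (len > 0 && s[0] == '[')
        return 0;
    return sip_parse_addr(s, len, 0, out, outsz);
}

/* Wrappers returning only the consumed length, for quick checks. */
size_t sip_addr_len(const char *s, int require_brackets)
{
    char out[INET6_ADDRSTRLEN];
    return sip_parse_addr(s, strlen(s), require_brackets, out, sizeof out);
}

size_t sdp_addr_len(const char *s)
{
    char out[INET6_ADDRSTRLEN];
    return sdp_parse_addr(s, strlen(s), out, sizeof out);
}

int main(void)
{
    /* constructed sample fragments of Via / received= / SDP c= fields */
    printf("%zu\n", sip_addr_len("[2001:db8::9:1];branch=z9hG4bK", 1)); /* 15 */
    printf("%zu\n", sip_addr_len("2001:db8::9:1;branch=z9hG4bK", 1));   /* 0 */
    printf("%zu\n", sip_addr_len("2001:db8::9:255", 0));                /* 15 */
    printf("%zu\n", sip_addr_len("[2001:db8::9:255]", 0));              /* 17 */
    printf("%zu\n", sdp_addr_len("2001:db8::1\r\n"));                   /* 11 */
    printf("%zu\n", sdp_addr_len("[2001:db8::1]\r\n"));                 /* 0 */
    return 0;
}
```

Returning the consumed length (including the brackets) lets a caller advance past the address and keep parsing the parameter list, which is what a helper that mangles addresses needs in order to know exactly which bytes to replace.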
Patrick McHardy 3418526a80 netfilter: nf_ct_sip: fix helper name
Commit 3a8fc53a (netfilter: nf_ct_helper: allocate 16 bytes for the helper
and policy names) introduced a bug in the SIP helper, the helper name is
sprinted to the sip_names array instead of into the helper
structure. This breaks the helper match and the /proc/net/nf_conntrack_expect
output.

Change-Id: Ib5284f8837db76a49706fef4210f213730eee946
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Pablo Neira Ayuso 1297a4d72d netfilter: ctnetlink: fix compilation with NF_CONNTRACK_EVENTS=n
This patch fixes compilation with NF_CONNTRACK_EVENTS=n and
NETFILTER_NETLINK_QUEUE_CT=y.

I'm leaving all those static inline functions that calculate the size
of the event message out of the ifdef area of NF_CONNTRACK_EVENTS since
they will not be included by gcc in case they are unused.

Change-Id: I6c8bb7c1fee7ffd7ba78c2a078d1b4d21ca91164
Reported-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:32 +01:00
Pablo Neira Ayuso 57f1ee282a netfilter: nfnetlink_queue: fix sparse warning due to missing include
This patch fixes a sparse warning due to missing include header file.

Change-Id: I55d011febe6bc4a26a7e6f76ae61f70a2ba5d7e8
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso fdb87db90e netfilter: nfnetlink_queue: fix compilation with CONFIG_NF_NAT=m and CONFIG_NF_CT_NETLINK=y
LD      init/built-in.o
net/built-in.o:(.data+0x4408): undefined reference to `nf_nat_tcp_seq_adjust'
make: *** [vmlinux] Error 1

This patch adds a new pointer hook (nfq_ct_nat_hook) similar to other existing
in Netfilter to solve our complicated configuration dependencies.

Change-Id: I2eb32634f81fa9d78419821c2e77f9ee81bbd2de
Reported-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso 6702946a91 netfilter: nfq_ct_hook needs __rcu and __read_mostly
This removes some sparse warnings.

Change-Id: I6dcedbf5f68f01d7b8af4347ac3e4a2a4422ea62
Reported-by: Fengguang Wu <wfg@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso 1fe308df05 netfilter: nfnetlink_queue: fix compilation with NF_CONNTRACK disabled
In "9cb0176 netfilter: add glue code to integrate nfnetlink_queue and ctnetlink"
the compilation with NF_CONNTRACK disabled is broken. This patch fixes this
issue.

I have moved the conntrack part into nfnetlink_queue_ct.c to avoid
peppering the entire nfnetlink_queue.c code with ifdefs.

I also needed to rename nfnetlink_queue.c to nfnetlink_queue_pkt.c
to update the net/netfilter/Makefile to support conditional compilation
of the conntrack integration.

This patch also adds CONFIG_NETFILTER_QUEUE_CT in case you want to explicitly
disable the integration between nf_conntrack and nfnetlink_queue.

Change-Id: Ie0c36b95fa2c4d00f4154809b5fd7a03ea70284b
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso 34c05adf12 netfilter: fix compilation of the nfnl_cthelper if NF_CONNTRACK is unset
This patch fixes the compilation of net/netfilter/nfnetlink_cthelper.c
if CONFIG_NF_CONNTRACK is not set.

This patch also moves the definition of the cthelper infrastructure to
the scope of NF_CONNTRACK things.

I have also renamed NETFILTER_NETLINK_CTHELPER to NF_CT_NETLINK_HELPER,
to use similar names to other nf_conntrack_netlink extensions. Better now
that this has been only for two days in David's tree.

Two new dependencies have been added:

* NF_CT_NETLINK
* NETFILTER_NETLINK_QUEUE

since this infrastructure requires both ctnetlink and nfqueue.

Change-Id: Ife7776f6c755586d11e291c8d5fb6b6008bec5de
Reported-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso 7e1c36aa1b netfilter: nf_ct_helper: disable automatic helper re-assignment of different type
This patch modifies __nf_ct_try_assign_helper in a way that invalidates support
for the following scenario:

1) attach the helper A for first time when the conntrack is created
2) attach new (different) helper B due to changes the reply tuple caused by NAT

eg. port redirection from TCP/21 to TCP/5060 with both FTP and SIP helpers
loaded, which seems to be a quite unorthodox scenario.

I can provide a more elaborated patch to support this scenario but explicit
helper attachment provides a better solution for this since now the user can
attach the helpers consistently, without relying on the automatic helper
lookup magic.

This patch fixes a possible out of bound zeroing of the conntrack helper
extension if the helper B uses more memory for its private data than
helper A.

Change-Id: I577ee23b1555108c975fe4fa8810e47f855aea6e
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso ab2638119f netfilter: ctnetlink: fix NULL dereference while trying to change helper
The patch 1afc56794e03: "netfilter: nf_ct_helper: implement variable
length helper private data" from Jun 7, 2012, leads to the following
Smatch complaint:

net/netfilter/nf_conntrack_netlink.c:1231 ctnetlink_change_helper()
         error: we previously assumed 'help->helper' could be null (see line 1228)

This NULL dereference can be triggered with the following sequence:

1) attach the helper for first time when the conntrack is created.
2) remove the helper module or detach the helper from the conntrack
   via ctnetlink.
3) attach helper again (the same or different one, no matter) to the
   that existing conntrack again via ctnetlink.

This patch fixes the problem by removing the use case that allows you
to re-assign again a helper for one conntrack entry via ctnetlink since
I cannot find any practical use for it.

Change-Id: I67a0a67f6a21f76f869f2f35d3d20225a78dc76e
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso 09be4f7a7a netfilter: nf_ct_ext: support variable length extensions
We can now define conntrack extensions of variable size. This
patch is useful to get rid of these unions:

union nf_conntrack_help
union nf_conntrack_proto
union nf_conntrack_nat_help

Change-Id: Ic0bb64cf40f40160731563561623dc1e2eb0b2d1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso bd6f08bf28 netfilter: ctnetlink: add CTA_HELP_INFO attribute
This attribute can be used to modify and to dump the internal
protocol information.

Change-Id: I3c3d0450ab109711b548674b202a152e7954d61f
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso b031554a25 netfilter: nf_ct_helper: implement variable length helper private data
This patch uses the new variable length conntrack extensions.

Instead of using union nf_conntrack_help that contain all the
helper private data information, we allocate variable length
area to store the private helper data.

This patch includes the modification of all existing helpers.
It also includes a couple of include header to avoid compilation
warnings.

Change-Id: I2b855f3687c16ac0996053006d0543ad05411acd
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso f9d11d3f48 netfilter: nf_ct_helper: allocate 16 bytes for the helper and policy names
This patch modifies the struct nf_conntrack_helper to allocate
the room for the helper name. The maximum length is 16 bytes
(this was already introduced in 2.6.24).

For the maximum length for expectation policy names, I have
also selected 16 bytes.

This patch is required by the follow-up patch to support
user-space connection tracking helpers.

Change-Id: Ia30551309be64fc2001a5c3fa3e02a22f4dddf54
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso 2c325cfcc5 netfilter: nfnetlink_queue: add NAT TCP sequence adjustment if packet mangled
User-space programs that receive traffic via NFQUEUE may mangle packets.
If NAT is enabled, this usually puzzles sequence tracking, leading to
traffic disruptions.

With this patch, nfnl_queue will make the corresponding NAT TCP sequence
adjustment if:

1) The packet has been mangled,
2) the NFQA_CFG_F_CONNTRACK flag has been set, and
3) NAT is detected.

There are some records on the Internet complaining about this issue:
http://stackoverflow.com/questions/260757/packet-mangling-utilities-besides-iptables

By now, we only support TCP since we have no helpers for DCCP or SCTP.
Better to add this if we ever have some helper over those layer 4 protocols.

Change-Id: I166a2f27c3235edddc554ab0146e3f7f7a50399a
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:31 +01:00
Pablo Neira Ayuso 07fd57ba1b netfilter: add glue code to integrate nfnetlink_queue and ctnetlink
This patch allows you to include the conntrack information together
with the packet that is sent to user-space via NFQUEUE.

Previously, there was no integration between ctnetlink and
nfnetlink_queue. If you wanted to access conntrack information
from your libnetfilter_queue program, you required to query
ctnetlink from user-space to obtain it. Thus, delaying the packet
processing even more.

Including the conntrack information is optional, you can set it
via NFQA_CFG_F_CONNTRACK flag with the new NFQA_CFG_FLAGS attribute.

Change-Id: I71ca3e300e73c9eb9ed7a9d90e28e2e7cf5318de
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Pablo Neira Ayuso 1e3d546c9a netfilter: add user-space connection tracking helper infrastructure
There are good reasons to support helpers in user-space instead:

* Rapid connection tracking helper development, as developing code
  in user-space is usually faster.

* Reliability: A buggy helper does not crash the kernel. Moreover,
  we can monitor the helper process and restart it in case of problems.

* Security: Avoid complex string matching and mangling in kernel-space
  running in privileged mode. Going further, we can even think about
  running user-space helpers as a non-root process.

* Extensibility: It allows the development of very specific helpers (most
  likely non-standard proprietary protocols) that are very likely not to be
  accepted for mainline inclusion in the form of kernel-space connection
  tracking helpers.

This patch adds the infrastructure to allow the implementation of
user-space conntrack helpers by means of the new nfnetlink subsystem
`nfnetlink_cthelper' and the existing queueing infrastructure
(nfnetlink_queue).

I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register
ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into
two pieces. This change is required not to break NAT sequence
adjustment and conntrack confirmation for traffic that is enqueued
to our user-space conntrack helpers.

Basic operation, in a few steps:

1) Register user-space helper by means of `nfct':

 nfct helper add ftp inet tcp

 [ It must be a valid existing helper supported by conntrack-tools ]

2) Add rules to enable the FTP user-space helper which is
   used to track traffic going to TCP port 21.

For locally generated packets:

 iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp

For non-locally generated packets:

 iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp

3) Run the test conntrackd in helper mode (see example files under
   doc/helper/conntrackd.conf)

 conntrackd

4) Generate FTP traffic; if everything is OK, then conntrackd
   should create expectations (you can check that with `conntrack'):

 conntrack -E expect

    [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp
[DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp

This confirms that our test helper is receiving packets including the
conntrack information, and adding expectations in kernel-space.

The user-space helper can also store its private tracking information
in the conntrack structure in the kernel via the CTA_HELP_INFO. The
kernel will consider this a binary blob whose layout is unknown. This
information will be included in the information that is transferred
to user-space via glue code that integrates nfnetlink_queue and
ctnetlink.

Change-Id: I24fc2d733fe0bdcf813c09b2467cd89f6dcd1454
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Krishna Kumar c11d6e9073 netfilter: Add fail-open support
Implement a new "fail-open" mode where packets are not dropped
upon queue-full condition. This mode can be enabled/disabled per
queue using netlink NFQA_CFG_FLAGS & NFQA_CFG_MASK attributes.

Change-Id: Ibe58610239603d0080fabab640b142d6c15f257e
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Signed-off-by: Vivek Kashyap <vivk@us.ibm.com>
Signed-off-by: Sridhar Samudrala <samudrala@us.ibm.com>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Cong Wang 32a3ea21cc netfilter: xt_connlimit: remove revision 0
It was scheduled to be removed.

Change-Id: I8ad3a555a10f2159d8bc7bd658e43aaa5ebfc519
Cc: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Hans Schillstrom 8b5884bcde netfilter: xt_HMARK: fix endianness and provide consistent hashing
This patch addresses two issues:

a) Fix usage of u32 and __be32 that causes endianness warnings via sparse.
b) Ensure consistent hashing in a cluster that is composed of big and
   little endian systems. Thus, we obtain the same hash mark in a
   heterogeneous cluster.

Change-Id: I662dc1be766e980737cdbfc82bb976ddaa2b3d9d
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Eldad Zack 54448eb437 netfilter: xt_CT: remove redundant header include
nf_conntrack_l4proto.h is included twice.

Change-Id: I73015602349da6637a713b96b3d65b9228355b2d
Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Pablo Neira Ayuso 0e205c3874 netfilter: xt_HMARK: modulus is expensive for hash calculation
Use:

((u64)(HASH_VAL * HASH_SIZE)) >> 32

as suggested by David S. Miller.

Change-Id: Ia7fd1f069c9f85aefade40e5611af110218c9835
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Dan Carpenter b752a978ef netfilter: xt_HMARK: potential NULL dereference in get_inner_hdr()
There is a typo in the error checking and "&&" was used instead of "||".
If skb_header_pointer() returns NULL then it leads to a NULL
dereference.

Change-Id: I615b83c78fed401f49a8686a9f8e2b4cd771fafa
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Hans Schillstrom eeb3da9959 netfilter: add xt_hmark target for hash-based skb marking
The target allows you to create rules in the "raw" and "mangle" tables
which set the skbuff mark by means of hash calculation within a given
range. The nfmark can influence the routing method (see "Use netfilter
MARK value as routing key") and can also be used by other subsystems to
change their behaviour.

[ Part of this patch has been refactorized and modified by Pablo Neira Ayuso ]

Change-Id: I504008d7754cde2d4e58576dfd6520e203ad5312
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Hans Schillstrom 05b927a97d netfilter: ip6_tables: add flags parameter to ipv6_find_hdr()
This patch adds the flags parameter to ipv6_find_hdr. This flags
allows us to:

* know if this is a fragment.
* stop at the AH header, so the information contained in that header
  can be used for some specific packet handling.

This patch also adds the offset parameter for inspection of one
inner IPv6 header that is contained in error messages.

Change-Id: I8aa13399597dcb72c73084bcd7f8ca4156326357
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Pablo Neira Ayuso c859f31b61 netfilter: remove ip_queue support
This patch removes ip_queue support which was marked as obsolete
years ago. The nfnetlink_queue modules provides more advanced
user-space packet queueing mechanism.

This patch also removes capability code included in SELinux that
refers to ip_queue. Otherwise, we break compilation.

Several warnings have been sent regarding this to the mailing list
in the past month without anyone raising their hand to stop this
with some strong argument.

Change-Id: I62ab355af31e708b3c1000f2252c8196fb8ba428
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Pablo Neira Ayuso 4f49f529f1 netfilter: nf_conntrack: fix explicit helper attachment and NAT
Explicit helper attachment via the CT target is broken with NAT
if non-standard ports are used. This problem was hidden behind
the automatic helper assignment routine. Thus, it becomes more
noticeable now that we can disable the automatic helper assignment
with Eric Leblond's:

9e8ac5a netfilter: nf_ct_helper: allow to disable automatic helper assignment

Basically, nf_conntrack_alter_reply asks for looking up the helper
up if NAT is enabled. Unfortunately, we don't have the conntrack
template at that point anymore.

Since we don't want to rely on the automatic helper assignment,
we can skip the second look-up and stick to the helper that was
attached by iptables. With the CT target, the user is in full
control of helper attachment, thus, the policy is to trust what
the user explicitly configures via iptables (no automatic magic
anymore).

Interestingly, this bug was hidden by the automatic helper look-up
code. But it can be easily triggered if you attach the helper in
a non-standard port, eg.

iptables -I PREROUTING -t raw -p tcp --dport 8888 \
	-j CT --helper ftp

And you disabled the automatic helper assignment.

I added the IPS_HELPER_BIT that allows us to differentiate between
a helper that has been explicitly attached and those that have been
automatically assigned. I didn't come up with a better solution
(having backward compatibility in mind).

Change-Id: I5f450b80b5383f99bc5d9e3b309138be8e5d1626
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Kelvie Wong 1b58cc754f netfilter: nf_ct_expect: partially implement ctnetlink_change_expect
This refreshes the "timeout" attribute in existing expectations if one is
given.

The use case for this would be for userspace helpers to extend the lifetime
of the expectation when requested, as this is not possible right now
without deleting/recreating the expectation.

I use this specifically for forwarding DCERPC traffic through:

DCERPC has a port mapper daemon that chooses a (seemingly) random port for
future traffic to go to. We expect this traffic (with a reasonable
timeout), but sometimes the port mapper will tell the client to continue
using the same port. This allows us to extend the expectation accordingly.

Change-Id: Ie8726bba7777d04344bdf1d1079cb47082e40687
Signed-off-by: Kelvie Wong <kelvie@ieee.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Eric Leblond 28116f31ea netfilter: nf_ct_helper: allow to disable automatic helper assignment
This patch allows you to disable automatic conntrack helper
lookup based on TCP/UDP ports, eg.

echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

[ Note: flows that already got a helper will keep using it even
  if automatic helper assignment has been disabled ]

Once this behaviour has been disabled, you have to explicitly
use the iptables CT target to attach helpers to flows.

There are good reasons to stop supporting automatic helper
assignment, for further information, please read:

http://www.netfilter.org/news.html#2012-04-03

This patch also adds one message to inform that automatic helper
assignment is deprecated and it will be removed soon (this is
spotted only once, with the first flow that gets a helper attached
to make it as little annoying as possible).

Change-Id: Ibda7950c07d11c131f440ab83bd685d666743724
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
David S. Miller 5b4417bd50 netlink: Add nla_put_be{16,32,64}() helpers.
Change-Id: I5be53c05582e77471fba08a58dbf1ea1871fd824
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:30 +01:00
Kevin F. Haggerty c67a7420ba ARM: configs: lineage_*: Regenerate defconfigs
Change-Id: Iee497ace5a40b782a3e8c400cad704a546f9b8da
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:29 +01:00
Henrik Rydberg a6d7dfaf72 HID: Fix the generic Kconfig options
The generic HID driver is obviously not a special driver, so move it
outside of the special drivers menu. Explain the usage and make the
default follow the HID setting. This should simplify migration from
older kernels. While at it, remove the redundant HID_SUPPORT option
and modify the HID and USB_HID entries to better explain the bus
structure.

Change-Id: Ifef2d51a225dae40d685f4bfdde157e57774be48
Reported-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Henrik Rydberg <rydberg@euromail.se>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2020-01-06 08:40:29 +01:00