1. 25 Sep 2016: 10 commits
      netfilter: nft_ct: unnecessary to require dir when use ct l3proto/protocol · d767ff2c
      Committed by Liping Zhang
      Currently, if the user wants to match ct l3proto, we must specify the
      direction, for example:
        # nft add rule filter input ct original l3proto ipv4
                                       ^^^^^^^^
      Otherwise, an error message will be reported:
        # nft add rule filter input ct l3proto ipv4
        nft add rule filter input ct l3proto ipv4
        <cmdline>:1:1-38: Error: Could not process rule: Invalid argument
        add rule filter input ct l3proto ipv4
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      
      Actually, there's no need to require the NFTA_CT_DIRECTION attr, because
      ct l3proto and protocol are unrelated to direction.
      
      And for compatibility, even if the user specifies the NFTA_CT_DIRECTION
      attr, do not report an error, just skip it.
      Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack · 8d11350f
      Committed by Gao Feng
      It is valid for a TCP RST packet not to set the ack flag, with the bytes
      of the ack number being zero. But the current seqadj code would adjust the "0" ack
      to an invalid ack number. Actually seqadj needs to check the ack flag before
      adjusting it for these RST packets.
      
      The following is my test case:
      
      The client is 10.26.98.245; add one iptables rule:
      iptables  -I INPUT -p tcp --sport 12345 -m connbytes --connbytes 2:
      --connbytes-dir reply --connbytes-mode packets -j REJECT --reject-with
      tcp-reset
      This iptables rule could generate one TCP RST without the ack flag.
      
      server: 10.172.135.55
      Enable synproxy with seqadjust by the following iptables rules:
      iptables -t raw -A PREROUTING -i eth0 -p tcp -d 10.172.135.55 --dport 12345
      -m tcp --syn -j CT --notrack
      
      iptables -A INPUT -i eth0 -p tcp -d 10.172.135.55 --dport 12345 -m conntrack
      --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7
      --mss 1460
      iptables -A OUTPUT -o eth0 -p tcp -s 10.172.135.55 --sport 12345 -m conntrack
      --ctstate INVALID,UNTRACKED -m tcp --tcp-flags SYN,RST,ACK SYN,ACK -j ACCEPT
      
      The following is my test result:
      
      1. packet trace on client
      root@routers:/tmp# tcpdump -i eth0 tcp port 12345 -n
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
      IP 10.26.98.245.45154 > 10.172.135.55.12345: Flags [S], seq 3695959829,
      win 29200, options [mss 1460,sackOK,TS val 452367884 ecr 0,nop,wscale 7],
      length 0
      IP 10.172.135.55.12345 > 10.26.98.245.45154: Flags [S.], seq 546723266,
      ack 3695959830, win 0, options [mss 1460,sackOK,TS val 15643479 ecr 452367884,
      nop,wscale 7], length 0
      IP 10.26.98.245.45154 > 10.172.135.55.12345: Flags [.], ack 1, win 229,
      options [nop,nop,TS val 452367885 ecr 15643479], length 0
      IP 10.172.135.55.12345 > 10.26.98.245.45154: Flags [.], ack 1, win 226,
      options [nop,nop,TS val 15643479 ecr 452367885], length 0
      IP 10.26.98.245.45154 > 10.172.135.55.12345: Flags [R], seq 3695959830,
      win 0, length 0
      
      2. seqadj log on server
      [62873.867319] Adjusting sequence number from 602341895->546723267,
      ack from 3695959830->3695959830
      [62873.867644] Adjusting sequence number from 602341895->546723267,
      ack from 3695959830->3695959830
      [62873.869040] Adjusting sequence number from 3695959830->3695959830,
      ack from 0->55618628
      
      To summarize, it is clear that the seqadj code adjusts the 0 ack when receiving
      one TCP RST packet without ack.
      Signed-off-by: Gao Feng <fgao@ikuai8.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
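      The ack rewrite that the commit above fixes, as an added illustration (this is a constructed model, not the kernel's seqadj code): incoming client-to-server acks are shifted by the SYNPROXY offset, which is taken from the log lines above as 602341895 - 546723267 = 55618628. The old variant rewrites the ack field even when the ACK flag is clear, which is exactly the "ack from 0->55618628" line in the log; the fixed variant leaves it alone.

```c
/* Added illustration, not kernel code: models the seqadj ack rewrite
 * described in commit 8d11350f for packets flowing client -> server.
 * The offset below is derived from the log: 602341895 - 546723267. */
#include <stdint.h>
#include <stdbool.h>

#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10

/* Difference between the server's real ISN and the one SYNPROXY handed the
 * client; incoming acks must be shifted up by this amount to match. */
#define SYNPROXY_OFFSET 55618628u

struct tcp_pkt {
    uint8_t  flags;  /* TCP flag bits */
    uint32_t ack;    /* acknowledgement number; 0 when ACK is clear */
};

/* Old behaviour: rewrites ack unconditionally, so a RST carrying no ACK
 * flag (ack == 0) is turned into a bogus non-zero acknowledgement. */
static void seqadj_ack_old(struct tcp_pkt *p, uint32_t off)
{
    p->ack += off;
}

/* Fixed behaviour: the ack field is only meaningful when ACK is set, so
 * only then is it translated into the server's sequence space. */
static void seqadj_ack_fixed(struct tcp_pkt *p, uint32_t off)
{
    if (p->flags & TCP_FLAG_ACK)
        p->ack += off;
}

/* Helper for exercising both variants: returns the ack after adjustment. */
uint32_t adjusted_ack(uint8_t flags, uint32_t ack, bool fixed)
{
    struct tcp_pkt p = { .flags = flags, .ack = ack };
    if (fixed)
        seqadj_ack_fixed(&p, SYNPROXY_OFFSET);
    else
        seqadj_ack_old(&p, SYNPROXY_OFFSET);
    return p.ack;
}
```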
      netfilter: replace list_head with single linked list · e3b37f11
      Committed by Aaron Conole
      The netfilter hook list never uses the prev pointer, and so can be trimmed to
      be a simple singly-linked list.
      
      In addition to having a more lightweight structure for hook traversal,
      struct net becomes 5568 bytes (down from 6400) and struct net_device becomes
      2176 bytes (down from 2240).
      Signed-off-by: Aaron Conole <aconole@bytheb.org>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nf_queue: whitespace cleanup · 54f17bbc
      Committed by Aaron Conole
      A future patch will modify the hook drop and outfn functions.  This will
      cause the line lengths to take up too much space.  This is simply a
      readability change.
      Signed-off-by: Aaron Conole <aconole@bytheb.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: Only allow sane values in nf_register_net_hook · d4bb5caa
      Committed by Aaron Conole
      This commit adds an upfront check for sane values to be passed when
      registering a netfilter hook.  This will be used in a future patch for a
      simplified hook list traversal.
      Signed-off-by: Aaron Conole <aconole@bytheb.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: Remove explicit rcu_read_lock in nf_hook_slow · e2361cb9
      Committed by Aaron Conole
      All of the callers of nf_hook_slow already hold the rcu_read_lock, so this
      cleanup removes the recursive call.  This is just a cleanup, as the locking
      code gracefully handles this situation.
      Signed-off-by: Aaron Conole <aconole@bytheb.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: call nf_hook_ingress with rcu_read_lock · 2c1e2703
      Committed by Aaron Conole
      This commit ensures that the rcu read-side lock is held while the
      ingress hook is called.  This ensures that a call to nf_hook_slow (and
      ultimately nf_ingress) will be read protected.
      Signed-off-by: Aaron Conole <aconole@bytheb.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: call nf_hook_state_init with rcu_read_lock held · fe72926b
      Committed by Florian Westphal
      This makes things simpler because we can store the head of the list
      in the nf_state structure without worrying about concurrent add/delete
      of hook elements from the list.
      
      A future commit will make use of this to implement a simpler
      linked-list.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Aaron Conole <aconole@bytheb.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: bridge: add and use br_nf_hook_thresh · c5136b15
      Committed by Florian Westphal
      This replaces the last uses of NF_HOOK_THRESH().
      A follow-up patch will remove it and rename nf_hook_thresh.
      
      The reason is that inet (non-bridge) netfilter no longer invokes the
      hooks from hooks, so we no longer need the thresh value to skip hooks
      with a lower priority.
      
      The bridge netfilter however may need to do this. br_nf_hook_thresh is a
      wrapper that is supposed to do this, i.e. only call hooks with a
      priority that exceeds NF_BR_PRI_BRNF.
      
      It's used only in the recursion cases of br_netfilter.  It invokes
      nf_hook_slow while holding an rcu read-side critical section to make a
      future cleanup simpler.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Aaron Conole <aconole@bytheb.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: xt_TCPMSS: Refactor the codes to decrease one condition check and more readable · 50f4c7b7
      Committed by Gao Feng
      The original code performs two condition checks with dst_mtu(skb_dst(skb))
      and in_mtu. And the last statement is "min(dst_mtu(skb_dst(skb)),
      in_mtu) - minlen". It may make the reader wonder about the result:
      could it be negative?
      
      Now assign the result of min(dst_mtu(skb_dst(skb)), in_mtu) to a new
      variable, then only perform one condition check, and it is more readable.
      Signed-off-by: Gao Feng <fgao@ikuai8.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 23 Sep 2016: 8 commits
  3. 22 Sep 2016: 1 commit
  4. 13 Sep 2016: 14 commits
  5. 09 Sep 2016: 2 commits
  6. 07 Sep 2016: 5 commits