From 5f7340eff8f68f41b7e5c7ad47ec4cd1ea1afb40 Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Tue, 4 Nov 2008 14:21:08 +0100 Subject: netfilter: xt_NFLOG: don't call nf_log_packet in NFLOG module. This patch modifies xt_NFLOG to suppress the call to nf_log_packet() function. The call of this wrapper in xt_NFLOG was causing NFLOG to use the first initialized module. Thus, if ipt_ULOG is loaded before nfnetlink_log all NFLOG rules are treated as plain LOG rules. Signed-off-by: Eric Leblond Signed-off-by: Patrick McHardy --- include/net/netfilter/nfnetlink_log.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 include/net/netfilter/nfnetlink_log.h (limited to 'include/net') diff --git a/include/net/netfilter/nfnetlink_log.h b/include/net/netfilter/nfnetlink_log.h new file mode 100644 index 000000000000..9b67f948a8d7 --- /dev/null +++ b/include/net/netfilter/nfnetlink_log.h @@ -0,0 +1,14 @@ +#ifndef _KER_NFNETLINK_LOG_H +#define _KER_NFNETLINK_LOG_H + +void +nfulnl_log_packet(unsigned int pf, + unsigned int hooknum, + const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const struct nf_loginfo *li_user, + const char *prefix); + +#endif /* _KER_NFNETLINK_LOG_H */ + -- cgit v1.2.1 From 8157e6d16af86e4a8d31a035db7be02a8a171c26 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Tue, 4 Nov 2008 14:29:03 +0100 Subject: netfilter: netns ebtables: ebtable_broute in netns Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy --- include/net/netns/x_tables.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include/net') diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h index b8093971ccb4..055e684d29b6 100644 --- a/include/net/netns/x_tables.h +++ b/include/net/netns/x_tables.h @@ -4,7 +4,10 @@ #include #include +struct ebt_table; + struct netns_xt { struct list_head tables[NFPROTO_NUMPROTO]; + struct ebt_table *broute_table; }; #endif -- cgit v1.2.1 From 4aad10938d4e4e8364b664cd5420c3bfeb9b679b Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Tue, 4 Nov 2008 14:29:58 +0100 Subject: netfilter: netns ebtables: ebtable_filter in netns Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy --- include/net/netns/x_tables.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/net') diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h index 055e684d29b6..d258e16c894e 100644 --- a/include/net/netns/x_tables.h +++ b/include/net/netns/x_tables.h @@ -9,5 +9,6 @@ struct ebt_table; struct netns_xt { struct list_head tables[NFPROTO_NUMPROTO]; struct ebt_table *broute_table; + struct ebt_table *frame_filter; }; #endif -- cgit v1.2.1 From b71b30a626fd0e43c825a05036e7a2c3f377a563 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Tue, 4 Nov 2008 14:30:46 +0100 Subject: netfilter: netns ebtables: ebtable_nat in netns Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy --- include/net/netns/x_tables.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/net') diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h index d258e16c894e..9554a644a8f8 100644 --- a/include/net/netns/x_tables.h +++ b/include/net/netns/x_tables.h @@ -10,5 +10,6 @@ struct netns_xt { struct list_head tables[NFPROTO_NUMPROTO]; struct ebt_table *broute_table; struct ebt_table *frame_filter; + struct ebt_table *frame_nat; }; #endif -- cgit v1.2.1 From 4dc06f9633444f426ef9960c53426f2d2ded64ac Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 17 Nov 2008 16:01:42 +0100 Subject: netfilter: nf_conntrack: connection tracking helper name persistent aliases This patch adds the macro MODULE_ALIAS_NFCT_HELPER that defines a way to provide generic and persistent aliases for the connection tracking helpers. This next patch requires this patch. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy --- include/net/netfilter/nf_conntrack.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include/net') diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index b76a8685b5b5..f11255e1ea35 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -298,5 +298,8 @@ do { \ local_bh_enable(); \ } while (0) +#define MODULE_ALIAS_NFCT_HELPER(helper) \ + MODULE_ALIAS("nfct-helper-" helper) + #endif /* __KERNEL__ */ #endif /* _NF_CONNTRACK_H */ -- cgit v1.2.1 From 226c0c0ef2abdf91b8d9cce1aaf7d4635a5e5926 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 18 Nov 2008 11:54:05 +0100 Subject: netfilter: ctnetlink: helper modules load-on-demand support This patch adds module loading for helpers via ctnetlink. * Creation path: We support explicit and implicit helper assignation. For the explicit case, we try to load the module. If the module is correctly loaded and the helper is present, we return EAGAIN to re-start the creation. Otherwise, we return EOPNOTSUPP. * Update path: release the spin lock, load the module and check. If it is present, then return EAGAIN to re-start the update. This patch provides a refactorized function to lookup-and-set the connection tracking helper. The function removes the exported symbol __nf_ct_helper_find as it has not clients anymore. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy --- include/net/netfilter/nf_conntrack_helper.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'include/net') diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index f8060ab5a083..66d65a7caa39 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h @@ -38,9 +38,6 @@ struct nf_conntrack_helper unsigned int expect_class_max; }; -extern struct nf_conntrack_helper * -__nf_ct_helper_find(const struct nf_conntrack_tuple *tuple); - extern struct nf_conntrack_helper * __nf_conntrack_helper_find_byname(const char *name); @@ -49,6 +46,8 @@ extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *); extern struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp); +extern int __nf_ct_try_assign_helper(struct nf_conn *ct, gfp_t flags); + static inline struct nf_conn_help *nfct_help(const struct nf_conn *ct) { return nf_ct_ext_find(ct, NF_CT_EXT_HELPER); -- cgit v1.2.1 From 19abb7b090a6bce88d4e9b2914a0367f4f684432 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 18 Nov 2008 11:56:20 +0100 Subject: netfilter: ctnetlink: deliver events for conntracks changed from userspace As for now, the creation and update of conntracks via ctnetlink do not propagate an event to userspace. This can result in inconsistent situations if several userspace processes modify the connection tracking table by means of ctnetlink at the same time. Specifically, using the conntrack command line tool and conntrackd at the same time can trigger unconsistencies. This patch also modifies the event cache infrastructure to pass the process PID and the ECHO flag to nfnetlink_send() to report back to userspace if the process that triggered the change needs so. Based on a suggestion from Patrick McHardy. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy --- include/net/netfilter/nf_conntrack.h | 2 +- include/net/netfilter/nf_conntrack_ecache.h | 57 +++++++++++++++++++++++++++-- include/net/netfilter/nf_conntrack_expect.h | 2 + 3 files changed, 56 insertions(+), 5 deletions(-) (limited to 'include/net') diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index f11255e1ea35..2e0c53641cbe 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -199,7 +199,7 @@ __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple); extern void nf_conntrack_hash_insert(struct nf_conn *ct); -extern void nf_conntrack_flush(struct net *net); +extern void nf_conntrack_flush(struct net *net, u32 pid, int report); extern bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff, u_int16_t l3num, diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h index 1285ff26a014..0ff0dc69ca4a 100644 --- a/include/net/netfilter/nf_conntrack_ecache.h +++ b/include/net/netfilter/nf_conntrack_ecache.h @@ -17,6 +17,13 @@ struct nf_conntrack_ecache { unsigned int events; }; +/* This structure is passed to event handler */ +struct nf_ct_event { + struct nf_conn *ct; + u32 pid; + int report; +}; + extern struct atomic_notifier_head nf_conntrack_chain; extern int nf_conntrack_register_notifier(struct notifier_block *nb); extern int nf_conntrack_unregister_notifier(struct notifier_block *nb); @@ -39,22 +46,56 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct) local_bh_enable(); } -static inline void nf_conntrack_event(enum ip_conntrack_events event, - struct nf_conn *ct) +static inline void +nf_conntrack_event_report(enum ip_conntrack_events event, + struct nf_conn *ct, + u32 pid, + int report) { + struct nf_ct_event item = { + .ct = ct, + .pid = pid, + .report = report + }; if (nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct)) - atomic_notifier_call_chain(&nf_conntrack_chain, event, ct); + atomic_notifier_call_chain(&nf_conntrack_chain, event, &item); } +static inline void +nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct) +{ + nf_conntrack_event_report(event, ct, 0, 0); +} + +struct nf_exp_event { + struct nf_conntrack_expect *exp; + u32 pid; + int report; +}; + extern struct atomic_notifier_head nf_ct_expect_chain; extern int nf_ct_expect_register_notifier(struct notifier_block *nb); extern int nf_ct_expect_unregister_notifier(struct notifier_block *nb); +static inline void +nf_ct_expect_event_report(enum ip_conntrack_expect_events event, + struct nf_conntrack_expect *exp, + u32 pid, + int report) +{ + struct nf_exp_event item = { + .exp = exp, + .pid = pid, + .report = report + }; + atomic_notifier_call_chain(&nf_ct_expect_chain, event, &item); +} + static inline void nf_ct_expect_event(enum ip_conntrack_expect_events event, struct nf_conntrack_expect *exp) { - atomic_notifier_call_chain(&nf_ct_expect_chain, event, exp); + nf_ct_expect_event_report(event, exp, 0, 0); } extern int nf_conntrack_ecache_init(struct net *net); @@ -66,9 +107,17 @@ static inline void nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct) {} static inline void nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct) {} +static inline void nf_conntrack_event_report(enum ip_conntrack_events event, + struct nf_conn *ct, + u32 pid, + int report) {} static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {} static inline void nf_ct_expect_event(enum ip_conntrack_expect_events event, struct nf_conntrack_expect *exp) {} +static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e, + struct nf_conntrack_expect *exp, + u32 pid, + int report) {} static inline void nf_ct_event_cache_flush(struct net *net) {} static inline int nf_conntrack_ecache_init(struct net *net) diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 37a7fc1164b0..ab17a159ac66 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h @@ -100,6 +100,8 @@ void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, u_int8_t, u_int8_t, const __be16 *, const __be16 *); void nf_ct_expect_put(struct nf_conntrack_expect *exp); int nf_ct_expect_related(struct nf_conntrack_expect *expect); +int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, + u32 pid, int report); #endif /*_NF_CONNTRACK_EXPECT_H*/ -- cgit v1.2.1 From d9e150071d18b5c87ba7a097af4063a5ad0c6a0c Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 18 Nov 2008 12:16:52 +0100 Subject: netfilter: nfnetlink_log: fix warning and prototype mismatch net/netfilter/nfnetlink_log.c:537:1: warning: symbol 'nfulnl_log_packet' was not declared. Should it be static? Including the proper header also revealed an incorrect prototype. Signed-off-by: Patrick McHardy --- include/net/netfilter/nfnetlink_log.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/net') diff --git a/include/net/netfilter/nfnetlink_log.h b/include/net/netfilter/nfnetlink_log.h index 9b67f948a8d7..b0569ff0775e 100644 --- a/include/net/netfilter/nfnetlink_log.h +++ b/include/net/netfilter/nfnetlink_log.h @@ -2,7 +2,7 @@ #define _KER_NFNETLINK_LOG_H void -nfulnl_log_packet(unsigned int pf, +nfulnl_log_packet(u_int8_t pf, unsigned int hooknum, const struct sk_buff *skb, const struct net_device *in, -- cgit v1.2.1 From 65f233fb1669e6c990cd1d7fd308ac7dc66dc207 Mon Sep 17 00:00:00 2001 From: Ingo Molnar Date: Tue, 25 Nov 2008 18:20:13 +0100 Subject: netfilter: fix warning in net/netfilter/nf_conntrack_proto_tcp.c fix this warning: net/netfilter/nf_conntrack_proto_tcp.c: In function \u2018tcp_in_window\u2019: net/netfilter/nf_conntrack_proto_tcp.c:491: warning: unused variable \u2018net\u2019 net/netfilter/nf_conntrack_proto_tcp.c: In function \u2018tcp_packet\u2019: net/netfilter/nf_conntrack_proto_tcp.c:812: warning: unused variable \u2018net\u2019 Signed-off-by: Ingo Molnar Signed-off-by: Patrick McHardy --- include/net/netfilter/nf_conntrack_l4proto.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/net') diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h index 7f2f43c77284..debdaf75cecf 100644 --- a/include/net/netfilter/nf_conntrack_l4proto.h +++ b/include/net/netfilter/nf_conntrack_l4proto.h @@ -129,7 +129,7 @@ extern const struct nla_policy nf_ct_port_nla_policy[]; && net_ratelimit()) #endif #else -#define LOG_INVALID(net, proto) 0 +static inline int LOG_INVALID(struct net *net, int proto) { return 0; } #endif /* CONFIG_SYSCTL */ #endif /*_NF_CONNTRACK_PROTOCOL_H*/ -- cgit v1.2.1