tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net, they are:

1) Unaligned atomic access in ipset, from Russell King.

2) Missing module description, from Rob Gill.

3) Patches to fix a module unload causing NULL pointer dereference in
xtables, from David Wilder. For the record, I posting here his cover
letter explaining the problem:

A crash happened on ppc64le when running ltp network tests triggered by
"rmmod iptable_mangle".

See previous discussion in this thread:
https://lists.openwall.net/netdev/2020/06/03/161 .

In the crash I found in iptable_mangle_hook() that
state->net->ipv4.iptable_mangle=NULL causing a NULL pointer dereference.
net->ipv4.iptable_mangle is set to NULL in +iptable_mangle_net_exit() and
called when ip_mangle modules is unloaded. A rmmod task was found running
in the crash dump. A 2nd crash showed the same problem when running
"rmmod iptable_filter" (net->ipv4.iptable_filter=NULL).

To fix this I added .pre_exit hook in all iptable_foo.c. The pre_exit will
un-register the underlying hook and exit would do the table freeing. The
netns core does an unconditional +synchronize_rcu after the pre_exit hooks
insuring no packets are in flight that have picked up the pointer before
completing the un-register.

These patches include changes for both iptables and ip6tables.

We tested this fix with ltp running iptables01.sh and iptables01.sh -6 a
loop for 72 hours.

4) Add a selftest for conntrack helper assignment, from Florian Westphal.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller f4926d51 206e7323

+344 -16
+6
include/linux/netfilter_ipv4/ip_tables.h
··· 25 25 int ipt_register_table(struct net *net, const struct xt_table *table, 26 26 const struct ipt_replace *repl, 27 27 const struct nf_hook_ops *ops, struct xt_table **res); 28 + 29 + void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table, 30 + const struct nf_hook_ops *ops); 31 + 32 + void ipt_unregister_table_exit(struct net *net, struct xt_table *table); 33 + 28 34 void ipt_unregister_table(struct net *net, struct xt_table *table, 29 35 const struct nf_hook_ops *ops); 30 36
+3
include/linux/netfilter_ipv6/ip6_tables.h
··· 29 29 const struct nf_hook_ops *ops, struct xt_table **res); 30 30 void ip6t_unregister_table(struct net *net, struct xt_table *table, 31 31 const struct nf_hook_ops *ops); 32 + void ip6t_unregister_table_pre_exit(struct net *net, struct xt_table *table, 33 + const struct nf_hook_ops *ops); 34 + void ip6t_unregister_table_exit(struct net *net, struct xt_table *table); 32 35 extern unsigned int ip6t_do_table(struct sk_buff *skb, 33 36 const struct nf_hook_state *state, 34 37 struct xt_table *table);
+1
net/bridge/netfilter/nft_meta_bridge.c
··· 155 155 MODULE_LICENSE("GPL"); 156 156 MODULE_AUTHOR("wenxu <wenxu@ucloud.cn>"); 157 157 MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "meta"); 158 + MODULE_DESCRIPTION("Support for bridge dedicated meta key");
+1
net/bridge/netfilter/nft_reject_bridge.c
··· 455 455 MODULE_LICENSE("GPL"); 456 456 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 457 457 MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "reject"); 458 + MODULE_DESCRIPTION("Reject packets from bridge via nftables");
+14 -1
net/ipv4/netfilter/ip_tables.c
··· 1797 1797 return ret; 1798 1798 } 1799 1799 1800 + void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table, 1801 + const struct nf_hook_ops *ops) 1802 + { 1803 + nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); 1804 + } 1805 + 1806 + void ipt_unregister_table_exit(struct net *net, struct xt_table *table) 1807 + { 1808 + __ipt_unregister_table(net, table); 1809 + } 1810 + 1800 1811 void ipt_unregister_table(struct net *net, struct xt_table *table, 1801 1812 const struct nf_hook_ops *ops) 1802 1813 { 1803 1814 if (ops) 1804 - nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); 1815 + ipt_unregister_table_pre_exit(net, table, ops); 1805 1816 __ipt_unregister_table(net, table); 1806 1817 } 1807 1818 ··· 1969 1958 1970 1959 EXPORT_SYMBOL(ipt_register_table); 1971 1960 EXPORT_SYMBOL(ipt_unregister_table); 1961 + EXPORT_SYMBOL(ipt_unregister_table_pre_exit); 1962 + EXPORT_SYMBOL(ipt_unregister_table_exit); 1972 1963 EXPORT_SYMBOL(ipt_do_table); 1973 1964 module_init(ip_tables_init); 1974 1965 module_exit(ip_tables_fini);
+1
net/ipv4/netfilter/ipt_SYNPROXY.c
··· 118 118 119 119 MODULE_LICENSE("GPL"); 120 120 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 121 + MODULE_DESCRIPTION("Intercept TCP connections and establish them using syncookies");
+9 -1
net/ipv4/netfilter/iptable_filter.c
··· 72 72 return 0; 73 73 } 74 74 75 + static void __net_exit iptable_filter_net_pre_exit(struct net *net) 76 + { 77 + if (net->ipv4.iptable_filter) 78 + ipt_unregister_table_pre_exit(net, net->ipv4.iptable_filter, 79 + filter_ops); 80 + } 81 + 75 82 static void __net_exit iptable_filter_net_exit(struct net *net) 76 83 { 77 84 if (!net->ipv4.iptable_filter) 78 85 return; 79 - ipt_unregister_table(net, net->ipv4.iptable_filter, filter_ops); 86 + ipt_unregister_table_exit(net, net->ipv4.iptable_filter); 80 87 net->ipv4.iptable_filter = NULL; 81 88 } 82 89 83 90 static struct pernet_operations iptable_filter_net_ops = { 84 91 .init = iptable_filter_net_init, 92 + .pre_exit = iptable_filter_net_pre_exit, 85 93 .exit = iptable_filter_net_exit, 86 94 }; 87 95
+9 -1
net/ipv4/netfilter/iptable_mangle.c
··· 100 100 return ret; 101 101 } 102 102 103 + static void __net_exit iptable_mangle_net_pre_exit(struct net *net) 104 + { 105 + if (net->ipv4.iptable_mangle) 106 + ipt_unregister_table_pre_exit(net, net->ipv4.iptable_mangle, 107 + mangle_ops); 108 + } 109 + 103 110 static void __net_exit iptable_mangle_net_exit(struct net *net) 104 111 { 105 112 if (!net->ipv4.iptable_mangle) 106 113 return; 107 - ipt_unregister_table(net, net->ipv4.iptable_mangle, mangle_ops); 114 + ipt_unregister_table_exit(net, net->ipv4.iptable_mangle); 108 115 net->ipv4.iptable_mangle = NULL; 109 116 } 110 117 111 118 static struct pernet_operations iptable_mangle_net_ops = { 119 + .pre_exit = iptable_mangle_net_pre_exit, 112 120 .exit = iptable_mangle_net_exit, 113 121 }; 114 122
+8 -2
net/ipv4/netfilter/iptable_nat.c
··· 113 113 return ret; 114 114 } 115 115 116 + static void __net_exit iptable_nat_net_pre_exit(struct net *net) 117 + { 118 + if (net->ipv4.nat_table) 119 + ipt_nat_unregister_lookups(net); 120 + } 121 + 116 122 static void __net_exit iptable_nat_net_exit(struct net *net) 117 123 { 118 124 if (!net->ipv4.nat_table) 119 125 return; 120 - ipt_nat_unregister_lookups(net); 121 - ipt_unregister_table(net, net->ipv4.nat_table, NULL); 126 + ipt_unregister_table_exit(net, net->ipv4.nat_table); 122 127 net->ipv4.nat_table = NULL; 123 128 } 124 129 125 130 static struct pernet_operations iptable_nat_net_ops = { 131 + .pre_exit = iptable_nat_net_pre_exit, 126 132 .exit = iptable_nat_net_exit, 127 133 }; 128 134
+9 -1
net/ipv4/netfilter/iptable_raw.c
··· 67 67 return ret; 68 68 } 69 69 70 + static void __net_exit iptable_raw_net_pre_exit(struct net *net) 71 + { 72 + if (net->ipv4.iptable_raw) 73 + ipt_unregister_table_pre_exit(net, net->ipv4.iptable_raw, 74 + rawtable_ops); 75 + } 76 + 70 77 static void __net_exit iptable_raw_net_exit(struct net *net) 71 78 { 72 79 if (!net->ipv4.iptable_raw) 73 80 return; 74 - ipt_unregister_table(net, net->ipv4.iptable_raw, rawtable_ops); 81 + ipt_unregister_table_exit(net, net->ipv4.iptable_raw); 75 82 net->ipv4.iptable_raw = NULL; 76 83 } 77 84 78 85 static struct pernet_operations iptable_raw_net_ops = { 86 + .pre_exit = iptable_raw_net_pre_exit, 79 87 .exit = iptable_raw_net_exit, 80 88 }; 81 89
+9 -2
net/ipv4/netfilter/iptable_security.c
··· 62 62 return ret; 63 63 } 64 64 65 + static void __net_exit iptable_security_net_pre_exit(struct net *net) 66 + { 67 + if (net->ipv4.iptable_security) 68 + ipt_unregister_table_pre_exit(net, net->ipv4.iptable_security, 69 + sectbl_ops); 70 + } 71 + 65 72 static void __net_exit iptable_security_net_exit(struct net *net) 66 73 { 67 74 if (!net->ipv4.iptable_security) 68 75 return; 69 - 70 - ipt_unregister_table(net, net->ipv4.iptable_security, sectbl_ops); 76 + ipt_unregister_table_exit(net, net->ipv4.iptable_security); 71 77 net->ipv4.iptable_security = NULL; 72 78 } 73 79 74 80 static struct pernet_operations iptable_security_net_ops = { 81 + .pre_exit = iptable_security_net_pre_exit, 75 82 .exit = iptable_security_net_exit, 76 83 }; 77 84
+1
net/ipv4/netfilter/nf_flow_table_ipv4.c
··· 34 34 MODULE_LICENSE("GPL"); 35 35 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 36 36 MODULE_ALIAS_NF_FLOWTABLE(AF_INET); 37 + MODULE_DESCRIPTION("Netfilter flow table support");
+1
net/ipv4/netfilter/nft_dup_ipv4.c
··· 107 107 MODULE_LICENSE("GPL"); 108 108 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 109 109 MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "dup"); 110 + MODULE_DESCRIPTION("IPv4 nftables packet duplication support");
+1
net/ipv4/netfilter/nft_fib_ipv4.c
··· 210 210 MODULE_LICENSE("GPL"); 211 211 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); 212 212 MODULE_ALIAS_NFT_AF_EXPR(2, "fib"); 213 + MODULE_DESCRIPTION("nftables fib / ip route lookup support");
+1
net/ipv4/netfilter/nft_reject_ipv4.c
··· 71 71 MODULE_LICENSE("GPL"); 72 72 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 73 73 MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject"); 74 + MODULE_DESCRIPTION("IPv4 packet rejection for nftables");
+14 -1
net/ipv6/netfilter/ip6_tables.c
··· 1807 1807 return ret; 1808 1808 } 1809 1809 1810 + void ip6t_unregister_table_pre_exit(struct net *net, struct xt_table *table, 1811 + const struct nf_hook_ops *ops) 1812 + { 1813 + nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); 1814 + } 1815 + 1816 + void ip6t_unregister_table_exit(struct net *net, struct xt_table *table) 1817 + { 1818 + __ip6t_unregister_table(net, table); 1819 + } 1820 + 1810 1821 void ip6t_unregister_table(struct net *net, struct xt_table *table, 1811 1822 const struct nf_hook_ops *ops) 1812 1823 { 1813 1824 if (ops) 1814 - nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); 1825 + ip6t_unregister_table_pre_exit(net, table, ops); 1815 1826 __ip6t_unregister_table(net, table); 1816 1827 } 1817 1828 ··· 1980 1969 1981 1970 EXPORT_SYMBOL(ip6t_register_table); 1982 1971 EXPORT_SYMBOL(ip6t_unregister_table); 1972 + EXPORT_SYMBOL(ip6t_unregister_table_pre_exit); 1973 + EXPORT_SYMBOL(ip6t_unregister_table_exit); 1983 1974 EXPORT_SYMBOL(ip6t_do_table); 1984 1975 1985 1976 module_init(ip6_tables_init);
+1
net/ipv6/netfilter/ip6t_SYNPROXY.c
··· 121 121 122 122 MODULE_LICENSE("GPL"); 123 123 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 124 + MODULE_DESCRIPTION("Intercept IPv6 TCP connections and establish them using syncookies");
+9 -1
net/ipv6/netfilter/ip6table_filter.c
··· 73 73 return 0; 74 74 } 75 75 76 + static void __net_exit ip6table_filter_net_pre_exit(struct net *net) 77 + { 78 + if (net->ipv6.ip6table_filter) 79 + ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_filter, 80 + filter_ops); 81 + } 82 + 76 83 static void __net_exit ip6table_filter_net_exit(struct net *net) 77 84 { 78 85 if (!net->ipv6.ip6table_filter) 79 86 return; 80 - ip6t_unregister_table(net, net->ipv6.ip6table_filter, filter_ops); 87 + ip6t_unregister_table_exit(net, net->ipv6.ip6table_filter); 81 88 net->ipv6.ip6table_filter = NULL; 82 89 } 83 90 84 91 static struct pernet_operations ip6table_filter_net_ops = { 85 92 .init = ip6table_filter_net_init, 93 + .pre_exit = ip6table_filter_net_pre_exit, 86 94 .exit = ip6table_filter_net_exit, 87 95 }; 88 96
+9 -1
net/ipv6/netfilter/ip6table_mangle.c
··· 93 93 return ret; 94 94 } 95 95 96 + static void __net_exit ip6table_mangle_net_pre_exit(struct net *net) 97 + { 98 + if (net->ipv6.ip6table_mangle) 99 + ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_mangle, 100 + mangle_ops); 101 + } 102 + 96 103 static void __net_exit ip6table_mangle_net_exit(struct net *net) 97 104 { 98 105 if (!net->ipv6.ip6table_mangle) 99 106 return; 100 107 101 - ip6t_unregister_table(net, net->ipv6.ip6table_mangle, mangle_ops); 108 + ip6t_unregister_table_exit(net, net->ipv6.ip6table_mangle); 102 109 net->ipv6.ip6table_mangle = NULL; 103 110 } 104 111 105 112 static struct pernet_operations ip6table_mangle_net_ops = { 113 + .pre_exit = ip6table_mangle_net_pre_exit, 106 114 .exit = ip6table_mangle_net_exit, 107 115 }; 108 116
+8 -2
net/ipv6/netfilter/ip6table_nat.c
··· 114 114 return ret; 115 115 } 116 116 117 + static void __net_exit ip6table_nat_net_pre_exit(struct net *net) 118 + { 119 + if (net->ipv6.ip6table_nat) 120 + ip6t_nat_unregister_lookups(net); 121 + } 122 + 117 123 static void __net_exit ip6table_nat_net_exit(struct net *net) 118 124 { 119 125 if (!net->ipv6.ip6table_nat) 120 126 return; 121 - ip6t_nat_unregister_lookups(net); 122 - ip6t_unregister_table(net, net->ipv6.ip6table_nat, NULL); 127 + ip6t_unregister_table_exit(net, net->ipv6.ip6table_nat); 123 128 net->ipv6.ip6table_nat = NULL; 124 129 } 125 130 126 131 static struct pernet_operations ip6table_nat_net_ops = { 132 + .pre_exit = ip6table_nat_net_pre_exit, 127 133 .exit = ip6table_nat_net_exit, 128 134 }; 129 135
+9 -1
net/ipv6/netfilter/ip6table_raw.c
··· 66 66 return ret; 67 67 } 68 68 69 + static void __net_exit ip6table_raw_net_pre_exit(struct net *net) 70 + { 71 + if (net->ipv6.ip6table_raw) 72 + ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_raw, 73 + rawtable_ops); 74 + } 75 + 69 76 static void __net_exit ip6table_raw_net_exit(struct net *net) 70 77 { 71 78 if (!net->ipv6.ip6table_raw) 72 79 return; 73 - ip6t_unregister_table(net, net->ipv6.ip6table_raw, rawtable_ops); 80 + ip6t_unregister_table_exit(net, net->ipv6.ip6table_raw); 74 81 net->ipv6.ip6table_raw = NULL; 75 82 } 76 83 77 84 static struct pernet_operations ip6table_raw_net_ops = { 85 + .pre_exit = ip6table_raw_net_pre_exit, 78 86 .exit = ip6table_raw_net_exit, 79 87 }; 80 88
+9 -1
net/ipv6/netfilter/ip6table_security.c
··· 61 61 return ret; 62 62 } 63 63 64 + static void __net_exit ip6table_security_net_pre_exit(struct net *net) 65 + { 66 + if (net->ipv6.ip6table_security) 67 + ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_security, 68 + sectbl_ops); 69 + } 70 + 64 71 static void __net_exit ip6table_security_net_exit(struct net *net) 65 72 { 66 73 if (!net->ipv6.ip6table_security) 67 74 return; 68 - ip6t_unregister_table(net, net->ipv6.ip6table_security, sectbl_ops); 75 + ip6t_unregister_table_exit(net, net->ipv6.ip6table_security); 69 76 net->ipv6.ip6table_security = NULL; 70 77 } 71 78 72 79 static struct pernet_operations ip6table_security_net_ops = { 80 + .pre_exit = ip6table_security_net_pre_exit, 73 81 .exit = ip6table_security_net_exit, 74 82 }; 75 83
+1
net/ipv6/netfilter/nf_flow_table_ipv6.c
··· 35 35 MODULE_LICENSE("GPL"); 36 36 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 37 37 MODULE_ALIAS_NF_FLOWTABLE(AF_INET6); 38 + MODULE_DESCRIPTION("Netfilter flow table IPv6 module");
+1
net/ipv6/netfilter/nft_dup_ipv6.c
··· 105 105 MODULE_LICENSE("GPL"); 106 106 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 107 107 MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "dup"); 108 + MODULE_DESCRIPTION("IPv6 nftables packet duplication support");
+1
net/ipv6/netfilter/nft_fib_ipv6.c
··· 255 255 MODULE_LICENSE("GPL"); 256 256 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); 257 257 MODULE_ALIAS_NFT_AF_EXPR(10, "fib"); 258 + MODULE_DESCRIPTION("nftables fib / ipv6 route lookup support");
+1
net/ipv6/netfilter/nft_reject_ipv6.c
··· 72 72 MODULE_LICENSE("GPL"); 73 73 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 74 74 MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject"); 75 + MODULE_DESCRIPTION("IPv6 packet rejection for nftables");
+2
net/netfilter/ipset/ip_set_core.c
··· 460 460 for (id = 0; id < IPSET_EXT_ID_MAX; id++) { 461 461 if (!add_extension(id, cadt_flags, tb)) 462 462 continue; 463 + if (align < ip_set_extensions[id].align) 464 + align = ip_set_extensions[id].align; 463 465 len = ALIGN(len, ip_set_extensions[id].align); 464 466 set->offset[id] = len; 465 467 set->extensions |= ip_set_extensions[id].type;
+1
net/netfilter/nf_dup_netdev.c
··· 73 73 74 74 MODULE_LICENSE("GPL"); 75 75 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 76 + MODULE_DESCRIPTION("Netfilter packet duplication support");
+1
net/netfilter/nf_flow_table_core.c
··· 594 594 595 595 MODULE_LICENSE("GPL"); 596 596 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 597 + MODULE_DESCRIPTION("Netfilter flow table module");
+1
net/netfilter/nf_flow_table_inet.c
··· 72 72 MODULE_LICENSE("GPL"); 73 73 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 74 74 MODULE_ALIAS_NF_FLOWTABLE(1); /* NFPROTO_INET */ 75 + MODULE_DESCRIPTION("Netfilter flow table mixed IPv4/IPv6 module");
+1
net/netfilter/nf_synproxy_core.c
··· 1237 1237 1238 1238 MODULE_LICENSE("GPL"); 1239 1239 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 1240 + MODULE_DESCRIPTION("nftables SYNPROXY expression support");
+1
net/netfilter/nfnetlink.c
··· 33 33 MODULE_LICENSE("GPL"); 34 34 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); 35 35 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER); 36 + MODULE_DESCRIPTION("Netfilter messages via netlink socket"); 36 37 37 38 #define nfnl_dereference_protected(id) \ 38 39 rcu_dereference_protected(table[(id)].subsys, \
+1
net/netfilter/nft_compat.c
··· 902 902 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 903 903 MODULE_ALIAS_NFT_EXPR("match"); 904 904 MODULE_ALIAS_NFT_EXPR("target"); 905 + MODULE_DESCRIPTION("x_tables over nftables support");
+1
net/netfilter/nft_connlimit.c
··· 280 280 MODULE_AUTHOR("Pablo Neira Ayuso"); 281 281 MODULE_ALIAS_NFT_EXPR("connlimit"); 282 282 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CONNLIMIT); 283 + MODULE_DESCRIPTION("nftables connlimit rule support");
+1
net/netfilter/nft_counter.c
··· 303 303 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 304 304 MODULE_ALIAS_NFT_EXPR("counter"); 305 305 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_COUNTER); 306 + MODULE_DESCRIPTION("nftables counter rule support");
+1
net/netfilter/nft_ct.c
··· 1345 1345 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER); 1346 1346 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_TIMEOUT); 1347 1347 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_EXPECT); 1348 + MODULE_DESCRIPTION("Netfilter nf_tables conntrack module");
+1
net/netfilter/nft_dup_netdev.c
··· 102 102 MODULE_LICENSE("GPL"); 103 103 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 104 104 MODULE_ALIAS_NFT_AF_EXPR(5, "dup"); 105 + MODULE_DESCRIPTION("nftables netdev packet duplication support");
+1
net/netfilter/nft_fib_inet.c
··· 76 76 MODULE_LICENSE("GPL"); 77 77 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); 78 78 MODULE_ALIAS_NFT_AF_EXPR(1, "fib"); 79 + MODULE_DESCRIPTION("nftables fib inet support");
+1
net/netfilter/nft_fib_netdev.c
··· 85 85 MODULE_LICENSE("GPL"); 86 86 MODULE_AUTHOR("Pablo M. Bermudo Garay <pablombg@gmail.com>"); 87 87 MODULE_ALIAS_NFT_AF_EXPR(5, "fib"); 88 + MODULE_DESCRIPTION("nftables netdev fib lookups support");
+1
net/netfilter/nft_flow_offload.c
··· 286 286 MODULE_LICENSE("GPL"); 287 287 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 288 288 MODULE_ALIAS_NFT_EXPR("flow_offload"); 289 + MODULE_DESCRIPTION("nftables hardware flow offload module");
+1
net/netfilter/nft_hash.c
··· 248 248 MODULE_LICENSE("GPL"); 249 249 MODULE_AUTHOR("Laura Garcia <nevola@gmail.com>"); 250 250 MODULE_ALIAS_NFT_EXPR("hash"); 251 + MODULE_DESCRIPTION("Netfilter nftables hash module");
+1
net/netfilter/nft_limit.c
··· 372 372 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 373 373 MODULE_ALIAS_NFT_EXPR("limit"); 374 374 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_LIMIT); 375 + MODULE_DESCRIPTION("nftables limit expression support");
+1
net/netfilter/nft_log.c
··· 298 298 MODULE_LICENSE("GPL"); 299 299 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 300 300 MODULE_ALIAS_NFT_EXPR("log"); 301 + MODULE_DESCRIPTION("Netfilter nf_tables log module");
+1
net/netfilter/nft_masq.c
··· 305 305 MODULE_LICENSE("GPL"); 306 306 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>"); 307 307 MODULE_ALIAS_NFT_EXPR("masq"); 308 + MODULE_DESCRIPTION("Netfilter nftables masquerade expression support");
+1
net/netfilter/nft_nat.c
··· 402 402 MODULE_LICENSE("GPL"); 403 403 MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>"); 404 404 MODULE_ALIAS_NFT_EXPR("nat"); 405 + MODULE_DESCRIPTION("Network Address Translation support");
+1
net/netfilter/nft_numgen.c
··· 217 217 MODULE_LICENSE("GPL"); 218 218 MODULE_AUTHOR("Laura Garcia <nevola@gmail.com>"); 219 219 MODULE_ALIAS_NFT_EXPR("numgen"); 220 + MODULE_DESCRIPTION("nftables number generator module");
+1
net/netfilter/nft_objref.c
··· 252 252 MODULE_LICENSE("GPL"); 253 253 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 254 254 MODULE_ALIAS_NFT_EXPR("objref"); 255 + MODULE_DESCRIPTION("nftables stateful object reference module");
+1
net/netfilter/nft_osf.c
··· 149 149 MODULE_LICENSE("GPL"); 150 150 MODULE_AUTHOR("Fernando Fernandez <ffmancera@riseup.net>"); 151 151 MODULE_ALIAS_NFT_EXPR("osf"); 152 + MODULE_DESCRIPTION("nftables passive OS fingerprint support");
+1
net/netfilter/nft_queue.c
··· 216 216 MODULE_LICENSE("GPL"); 217 217 MODULE_AUTHOR("Eric Leblond <eric@regit.org>"); 218 218 MODULE_ALIAS_NFT_EXPR("queue"); 219 + MODULE_DESCRIPTION("Netfilter nftables queue module");
+1
net/netfilter/nft_quota.c
··· 254 254 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 255 255 MODULE_ALIAS_NFT_EXPR("quota"); 256 256 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_QUOTA); 257 + MODULE_DESCRIPTION("Netfilter nftables quota module");
+1
net/netfilter/nft_redir.c
··· 292 292 MODULE_LICENSE("GPL"); 293 293 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>"); 294 294 MODULE_ALIAS_NFT_EXPR("redir"); 295 + MODULE_DESCRIPTION("Netfilter nftables redirect support");
+1
net/netfilter/nft_reject.c
··· 119 119 120 120 MODULE_LICENSE("GPL"); 121 121 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 122 + MODULE_DESCRIPTION("Netfilter x_tables over nftables module");
+1
net/netfilter/nft_reject_inet.c
··· 149 149 MODULE_LICENSE("GPL"); 150 150 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 151 151 MODULE_ALIAS_NFT_AF_EXPR(1, "reject"); 152 + MODULE_DESCRIPTION("Netfilter nftables reject inet support");
+1
net/netfilter/nft_synproxy.c
··· 388 388 MODULE_AUTHOR("Fernando Fernandez <ffmancera@riseup.net>"); 389 389 MODULE_ALIAS_NFT_EXPR("synproxy"); 390 390 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_SYNPROXY); 391 + MODULE_DESCRIPTION("nftables SYNPROXY expression support");
+1
net/netfilter/nft_tunnel.c
··· 719 719 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 720 720 MODULE_ALIAS_NFT_EXPR("tunnel"); 721 721 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_TUNNEL); 722 + MODULE_DESCRIPTION("nftables tunnel expression support");
+1
net/netfilter/xt_nat.c
··· 244 244 MODULE_ALIAS("ipt_DNAT"); 245 245 MODULE_ALIAS("ip6t_SNAT"); 246 246 MODULE_ALIAS("ip6t_DNAT"); 247 + MODULE_DESCRIPTION("SNAT and DNAT targets support");
+1 -1
tools/testing/selftests/netfilter/Makefile
··· 3 3 4 4 TEST_PROGS := nft_trans_stress.sh nft_nat.sh bridge_brouter.sh \ 5 5 conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \ 6 - nft_concat_range.sh \ 6 + nft_concat_range.sh nft_conntrack_helper.sh \ 7 7 nft_queue.sh 8 8 9 9 LDLIBS = -lmnl
+175
tools/testing/selftests/netfilter/nft_conntrack_helper.sh
··· 1 + #!/bin/bash 2 + # 3 + # This tests connection tracking helper assignment: 4 + # 1. can attach ftp helper to a connection from nft ruleset. 5 + # 2. auto-assign still works. 6 + # 7 + # Kselftest framework requirement - SKIP code is 4. 8 + ksft_skip=4 9 + ret=0 10 + 11 + sfx=$(mktemp -u "XXXXXXXX") 12 + ns1="ns1-$sfx" 13 + ns2="ns2-$sfx" 14 + testipv6=1 15 + 16 + cleanup() 17 + { 18 + ip netns del ${ns1} 19 + ip netns del ${ns2} 20 + } 21 + 22 + nft --version > /dev/null 2>&1 23 + if [ $? -ne 0 ];then 24 + echo "SKIP: Could not run test without nft tool" 25 + exit $ksft_skip 26 + fi 27 + 28 + ip -Version > /dev/null 2>&1 29 + if [ $? -ne 0 ];then 30 + echo "SKIP: Could not run test without ip tool" 31 + exit $ksft_skip 32 + fi 33 + 34 + conntrack -V > /dev/null 2>&1 35 + if [ $? -ne 0 ];then 36 + echo "SKIP: Could not run test without conntrack tool" 37 + exit $ksft_skip 38 + fi 39 + 40 + which nc >/dev/null 2>&1 41 + if [ $? -ne 0 ];then 42 + echo "SKIP: Could not run test without netcat tool" 43 + exit $ksft_skip 44 + fi 45 + 46 + trap cleanup EXIT 47 + 48 + ip netns add ${ns1} 49 + ip netns add ${ns2} 50 + 51 + ip link add veth0 netns ${ns1} type veth peer name veth0 netns ${ns2} > /dev/null 2>&1 52 + if [ $? -ne 0 ];then 53 + echo "SKIP: No virtual ethernet pair device support in kernel" 54 + exit $ksft_skip 55 + fi 56 + 57 + ip -net ${ns1} link set lo up 58 + ip -net ${ns1} link set veth0 up 59 + 60 + ip -net ${ns2} link set lo up 61 + ip -net ${ns2} link set veth0 up 62 + 63 + ip -net ${ns1} addr add 10.0.1.1/24 dev veth0 64 + ip -net ${ns1} addr add dead:1::1/64 dev veth0 65 + 66 + ip -net ${ns2} addr add 10.0.1.2/24 dev veth0 67 + ip -net ${ns2} addr add dead:1::2/64 dev veth0 68 + 69 + load_ruleset_family() { 70 + local family=$1 71 + local ns=$2 72 + 73 + ip netns exec ${ns} nft -f - <<EOF 74 + table $family raw { 75 + ct helper ftp { 76 + type "ftp" protocol tcp 77 + } 78 + chain pre { 79 + type filter hook prerouting priority 0; policy accept; 80 + tcp dport 2121 ct helper set "ftp" 81 + } 82 + chain output { 83 + type filter hook output priority 0; policy accept; 84 + tcp dport 2121 ct helper set "ftp" 85 + } 86 + } 87 + EOF 88 + return $? 89 + } 90 + 91 + check_for_helper() 92 + { 93 + local netns=$1 94 + local message=$2 95 + local port=$3 96 + 97 + ip netns exec ${netns} conntrack -L -p tcp --dport $port 2> /dev/null |grep -q 'helper=ftp' 98 + if [ $? -ne 0 ] ; then 99 + echo "FAIL: ${netns} did not show attached helper $message" 1>&2 100 + ret=1 101 + fi 102 + 103 + echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2 104 + return 0 105 + } 106 + 107 + test_helper() 108 + { 109 + local port=$1 110 + local msg=$2 111 + 112 + sleep 3 | ip netns exec ${ns2} nc -w 2 -l -p $port > /dev/null & 113 + 114 + sleep 1 115 + sleep 1 | ip netns exec ${ns1} nc -w 2 10.0.1.2 $port > /dev/null & 116 + 117 + check_for_helper "$ns1" "ip $msg" $port 118 + check_for_helper "$ns2" "ip $msg" $port 119 + 120 + wait 121 + 122 + if [ $testipv6 -eq 0 ] ;then 123 + return 0 124 + fi 125 + 126 + ip netns exec ${ns1} conntrack -F 2> /dev/null 127 + ip netns exec ${ns2} conntrack -F 2> /dev/null 128 + 129 + sleep 3 | ip netns exec ${ns2} nc -w 2 -6 -l -p $port > /dev/null & 130 + 131 + sleep 1 132 + sleep 1 | ip netns exec ${ns1} nc -w 2 -6 dead:1::2 $port > /dev/null & 133 + 134 + check_for_helper "$ns1" "ipv6 $msg" $port 135 + check_for_helper "$ns2" "ipv6 $msg" $port 136 + 137 + wait 138 + } 139 + 140 + load_ruleset_family ip ${ns1} 141 + if [ $? -ne 0 ];then 142 + echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2 143 + exit 1 144 + fi 145 + 146 + load_ruleset_family ip6 ${ns1} 147 + if [ $? -ne 0 ];then 148 + echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2 149 + testipv6=0 150 + fi 151 + 152 + load_ruleset_family inet ${ns2} 153 + if [ $? -ne 0 ];then 154 + echo "SKIP: ${ns1} cannot load inet ruleset" 1>&2 155 + load_ruleset_family ip ${ns2} 156 + if [ $? -ne 0 ];then 157 + echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2 158 + exit 1 159 + fi 160 + 161 + if [ $testipv6 -eq 1 ] ;then 162 + load_ruleset_family ip6 ${ns2} 163 + if [ $? -ne 0 ];then 164 + echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2 165 + exit 1 166 + fi 167 + fi 168 + fi 169 + 170 + test_helper 2121 "set via ruleset" 171 + ip netns exec ${ns1} sysctl -q 'net.netfilter.nf_conntrack_helper=1' 172 + ip netns exec ${ns2} sysctl -q 'net.netfilter.nf_conntrack_helper=1' 173 + test_helper 21 "auto-assign" 174 + 175 + exit $ret