Commit f4926d51 authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net, they are:

1) Unaligned atomic access in ipset, from Russell King.

2) Missing module description, from Rob Gill.

3) Patches to fix a module unload causing NULL pointer dereference in
   xtables, from David Wilder. For the record, I posting here his cover
   letter explaining the problem:

    A crash happened on ppc64le when running ltp network tests triggered by
    "rmmod iptable_mangle".

    See previous discussion in this thread:
    https://lists.openwall.net/netdev/2020/06/03/161 .

    In the crash I found in iptable_mangle_hook() that
    state->net->ipv4.iptable_mangle=NULL causing a NULL pointer dereference.
    net->ipv4.iptable_mangle is set to NULL in +iptable_mangle_net_exit() and
    called when ip_mangle modules is unloaded. A rmmod task was found running
    in the crash dump.  A 2nd crash showed the same problem when running
    "rmmod iptable_filter" (net->ipv4.iptable_filter=NULL).

    To fix this I added .pre_exit hook in all iptable_foo.c. The pre_exit will
    un-register the underlying hook and exit would do the table freeing. The
    netns core does an unconditional +synchronize_rcu after the pre_exit hooks
    insuring no packets are in flight that have picked up the pointer before
    completing the un-register.

    These patches include changes for both iptables and ip6tables.

    We tested this fix with ltp running iptables01.sh and iptables01.sh -6 a
    loop for 72 hours.

4) Add a selftest for conntrack helper assignment, from Florian Westphal.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 206e7323 619ae8e0
...@@ -25,6 +25,12 @@ ...@@ -25,6 +25,12 @@
int ipt_register_table(struct net *net, const struct xt_table *table, int ipt_register_table(struct net *net, const struct xt_table *table,
const struct ipt_replace *repl, const struct ipt_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res); const struct nf_hook_ops *ops, struct xt_table **res);
void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops);
void ipt_unregister_table_exit(struct net *net, struct xt_table *table);
void ipt_unregister_table(struct net *net, struct xt_table *table, void ipt_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops); const struct nf_hook_ops *ops);
......
...@@ -29,6 +29,9 @@ int ip6t_register_table(struct net *net, const struct xt_table *table, ...@@ -29,6 +29,9 @@ int ip6t_register_table(struct net *net, const struct xt_table *table,
const struct nf_hook_ops *ops, struct xt_table **res); const struct nf_hook_ops *ops, struct xt_table **res);
void ip6t_unregister_table(struct net *net, struct xt_table *table, void ip6t_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops); const struct nf_hook_ops *ops);
void ip6t_unregister_table_pre_exit(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops);
void ip6t_unregister_table_exit(struct net *net, struct xt_table *table);
extern unsigned int ip6t_do_table(struct sk_buff *skb, extern unsigned int ip6t_do_table(struct sk_buff *skb,
const struct nf_hook_state *state, const struct nf_hook_state *state,
struct xt_table *table); struct xt_table *table);
......
...@@ -155,3 +155,4 @@ module_exit(nft_meta_bridge_module_exit); ...@@ -155,3 +155,4 @@ module_exit(nft_meta_bridge_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("wenxu <wenxu@ucloud.cn>"); MODULE_AUTHOR("wenxu <wenxu@ucloud.cn>");
MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "meta"); MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "meta");
MODULE_DESCRIPTION("Support for bridge dedicated meta key");
...@@ -455,3 +455,4 @@ module_exit(nft_reject_bridge_module_exit); ...@@ -455,3 +455,4 @@ module_exit(nft_reject_bridge_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "reject"); MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "reject");
MODULE_DESCRIPTION("Reject packets from bridge via nftables");
...@@ -1797,11 +1797,22 @@ int ipt_register_table(struct net *net, const struct xt_table *table, ...@@ -1797,11 +1797,22 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
return ret; return ret;
} }
void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops)
{
nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
}
void ipt_unregister_table_exit(struct net *net, struct xt_table *table)
{
__ipt_unregister_table(net, table);
}
void ipt_unregister_table(struct net *net, struct xt_table *table, void ipt_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops) const struct nf_hook_ops *ops)
{ {
if (ops) if (ops)
nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); ipt_unregister_table_pre_exit(net, table, ops);
__ipt_unregister_table(net, table); __ipt_unregister_table(net, table);
} }
...@@ -1958,6 +1969,8 @@ static void __exit ip_tables_fini(void) ...@@ -1958,6 +1969,8 @@ static void __exit ip_tables_fini(void)
EXPORT_SYMBOL(ipt_register_table); EXPORT_SYMBOL(ipt_register_table);
EXPORT_SYMBOL(ipt_unregister_table); EXPORT_SYMBOL(ipt_unregister_table);
EXPORT_SYMBOL(ipt_unregister_table_pre_exit);
EXPORT_SYMBOL(ipt_unregister_table_exit);
EXPORT_SYMBOL(ipt_do_table); EXPORT_SYMBOL(ipt_do_table);
module_init(ip_tables_init); module_init(ip_tables_init);
module_exit(ip_tables_fini); module_exit(ip_tables_fini);
...@@ -118,3 +118,4 @@ module_exit(synproxy_tg4_exit); ...@@ -118,3 +118,4 @@ module_exit(synproxy_tg4_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("Intercept TCP connections and establish them using syncookies");
...@@ -72,16 +72,24 @@ static int __net_init iptable_filter_net_init(struct net *net) ...@@ -72,16 +72,24 @@ static int __net_init iptable_filter_net_init(struct net *net)
return 0; return 0;
} }
static void __net_exit iptable_filter_net_pre_exit(struct net *net)
{
if (net->ipv4.iptable_filter)
ipt_unregister_table_pre_exit(net, net->ipv4.iptable_filter,
filter_ops);
}
static void __net_exit iptable_filter_net_exit(struct net *net) static void __net_exit iptable_filter_net_exit(struct net *net)
{ {
if (!net->ipv4.iptable_filter) if (!net->ipv4.iptable_filter)
return; return;
ipt_unregister_table(net, net->ipv4.iptable_filter, filter_ops); ipt_unregister_table_exit(net, net->ipv4.iptable_filter);
net->ipv4.iptable_filter = NULL; net->ipv4.iptable_filter = NULL;
} }
static struct pernet_operations iptable_filter_net_ops = { static struct pernet_operations iptable_filter_net_ops = {
.init = iptable_filter_net_init, .init = iptable_filter_net_init,
.pre_exit = iptable_filter_net_pre_exit,
.exit = iptable_filter_net_exit, .exit = iptable_filter_net_exit,
}; };
......
...@@ -100,15 +100,23 @@ static int __net_init iptable_mangle_table_init(struct net *net) ...@@ -100,15 +100,23 @@ static int __net_init iptable_mangle_table_init(struct net *net)
return ret; return ret;
} }
static void __net_exit iptable_mangle_net_pre_exit(struct net *net)
{
if (net->ipv4.iptable_mangle)
ipt_unregister_table_pre_exit(net, net->ipv4.iptable_mangle,
mangle_ops);
}
static void __net_exit iptable_mangle_net_exit(struct net *net) static void __net_exit iptable_mangle_net_exit(struct net *net)
{ {
if (!net->ipv4.iptable_mangle) if (!net->ipv4.iptable_mangle)
return; return;
ipt_unregister_table(net, net->ipv4.iptable_mangle, mangle_ops); ipt_unregister_table_exit(net, net->ipv4.iptable_mangle);
net->ipv4.iptable_mangle = NULL; net->ipv4.iptable_mangle = NULL;
} }
static struct pernet_operations iptable_mangle_net_ops = { static struct pernet_operations iptable_mangle_net_ops = {
.pre_exit = iptable_mangle_net_pre_exit,
.exit = iptable_mangle_net_exit, .exit = iptable_mangle_net_exit,
}; };
......
...@@ -113,16 +113,22 @@ static int __net_init iptable_nat_table_init(struct net *net) ...@@ -113,16 +113,22 @@ static int __net_init iptable_nat_table_init(struct net *net)
return ret; return ret;
} }
static void __net_exit iptable_nat_net_pre_exit(struct net *net)
{
if (net->ipv4.nat_table)
ipt_nat_unregister_lookups(net);
}
static void __net_exit iptable_nat_net_exit(struct net *net) static void __net_exit iptable_nat_net_exit(struct net *net)
{ {
if (!net->ipv4.nat_table) if (!net->ipv4.nat_table)
return; return;
ipt_nat_unregister_lookups(net); ipt_unregister_table_exit(net, net->ipv4.nat_table);
ipt_unregister_table(net, net->ipv4.nat_table, NULL);
net->ipv4.nat_table = NULL; net->ipv4.nat_table = NULL;
} }
static struct pernet_operations iptable_nat_net_ops = { static struct pernet_operations iptable_nat_net_ops = {
.pre_exit = iptable_nat_net_pre_exit,
.exit = iptable_nat_net_exit, .exit = iptable_nat_net_exit,
}; };
......
...@@ -67,15 +67,23 @@ static int __net_init iptable_raw_table_init(struct net *net) ...@@ -67,15 +67,23 @@ static int __net_init iptable_raw_table_init(struct net *net)
return ret; return ret;
} }
static void __net_exit iptable_raw_net_pre_exit(struct net *net)
{
if (net->ipv4.iptable_raw)
ipt_unregister_table_pre_exit(net, net->ipv4.iptable_raw,
rawtable_ops);
}
static void __net_exit iptable_raw_net_exit(struct net *net) static void __net_exit iptable_raw_net_exit(struct net *net)
{ {
if (!net->ipv4.iptable_raw) if (!net->ipv4.iptable_raw)
return; return;
ipt_unregister_table(net, net->ipv4.iptable_raw, rawtable_ops); ipt_unregister_table_exit(net, net->ipv4.iptable_raw);
net->ipv4.iptable_raw = NULL; net->ipv4.iptable_raw = NULL;
} }
static struct pernet_operations iptable_raw_net_ops = { static struct pernet_operations iptable_raw_net_ops = {
.pre_exit = iptable_raw_net_pre_exit,
.exit = iptable_raw_net_exit, .exit = iptable_raw_net_exit,
}; };
......
...@@ -62,16 +62,23 @@ static int __net_init iptable_security_table_init(struct net *net) ...@@ -62,16 +62,23 @@ static int __net_init iptable_security_table_init(struct net *net)
return ret; return ret;
} }
static void __net_exit iptable_security_net_pre_exit(struct net *net)
{
if (net->ipv4.iptable_security)
ipt_unregister_table_pre_exit(net, net->ipv4.iptable_security,
sectbl_ops);
}
static void __net_exit iptable_security_net_exit(struct net *net) static void __net_exit iptable_security_net_exit(struct net *net)
{ {
if (!net->ipv4.iptable_security) if (!net->ipv4.iptable_security)
return; return;
ipt_unregister_table_exit(net, net->ipv4.iptable_security);
ipt_unregister_table(net, net->ipv4.iptable_security, sectbl_ops);
net->ipv4.iptable_security = NULL; net->ipv4.iptable_security = NULL;
} }
static struct pernet_operations iptable_security_net_ops = { static struct pernet_operations iptable_security_net_ops = {
.pre_exit = iptable_security_net_pre_exit,
.exit = iptable_security_net_exit, .exit = iptable_security_net_exit,
}; };
......
...@@ -34,3 +34,4 @@ module_exit(nf_flow_ipv4_module_exit); ...@@ -34,3 +34,4 @@ module_exit(nf_flow_ipv4_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NF_FLOWTABLE(AF_INET); MODULE_ALIAS_NF_FLOWTABLE(AF_INET);
MODULE_DESCRIPTION("Netfilter flow table support");
...@@ -107,3 +107,4 @@ module_exit(nft_dup_ipv4_module_exit); ...@@ -107,3 +107,4 @@ module_exit(nft_dup_ipv4_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "dup"); MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "dup");
MODULE_DESCRIPTION("IPv4 nftables packet duplication support");
...@@ -210,3 +210,4 @@ module_exit(nft_fib4_module_exit); ...@@ -210,3 +210,4 @@ module_exit(nft_fib4_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
MODULE_ALIAS_NFT_AF_EXPR(2, "fib"); MODULE_ALIAS_NFT_AF_EXPR(2, "fib");
MODULE_DESCRIPTION("nftables fib / ip route lookup support");
...@@ -71,3 +71,4 @@ module_exit(nft_reject_ipv4_module_exit); ...@@ -71,3 +71,4 @@ module_exit(nft_reject_ipv4_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject"); MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject");
MODULE_DESCRIPTION("IPv4 packet rejection for nftables");
...@@ -1807,11 +1807,22 @@ int ip6t_register_table(struct net *net, const struct xt_table *table, ...@@ -1807,11 +1807,22 @@ int ip6t_register_table(struct net *net, const struct xt_table *table,
return ret; return ret;
} }
void ip6t_unregister_table_pre_exit(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops)
{
nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
}
void ip6t_unregister_table_exit(struct net *net, struct xt_table *table)
{
__ip6t_unregister_table(net, table);
}
void ip6t_unregister_table(struct net *net, struct xt_table *table, void ip6t_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops) const struct nf_hook_ops *ops)
{ {
if (ops) if (ops)
nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); ip6t_unregister_table_pre_exit(net, table, ops);
__ip6t_unregister_table(net, table); __ip6t_unregister_table(net, table);
} }
...@@ -1969,6 +1980,8 @@ static void __exit ip6_tables_fini(void) ...@@ -1969,6 +1980,8 @@ static void __exit ip6_tables_fini(void)
EXPORT_SYMBOL(ip6t_register_table); EXPORT_SYMBOL(ip6t_register_table);
EXPORT_SYMBOL(ip6t_unregister_table); EXPORT_SYMBOL(ip6t_unregister_table);
EXPORT_SYMBOL(ip6t_unregister_table_pre_exit);
EXPORT_SYMBOL(ip6t_unregister_table_exit);
EXPORT_SYMBOL(ip6t_do_table); EXPORT_SYMBOL(ip6t_do_table);
module_init(ip6_tables_init); module_init(ip6_tables_init);
......
...@@ -121,3 +121,4 @@ module_exit(synproxy_tg6_exit); ...@@ -121,3 +121,4 @@ module_exit(synproxy_tg6_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("Intercept IPv6 TCP connections and establish them using syncookies");
...@@ -73,16 +73,24 @@ static int __net_init ip6table_filter_net_init(struct net *net) ...@@ -73,16 +73,24 @@ static int __net_init ip6table_filter_net_init(struct net *net)
return 0; return 0;
} }
static void __net_exit ip6table_filter_net_pre_exit(struct net *net)
{
if (net->ipv6.ip6table_filter)
ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_filter,
filter_ops);
}
static void __net_exit ip6table_filter_net_exit(struct net *net) static void __net_exit ip6table_filter_net_exit(struct net *net)
{ {
if (!net->ipv6.ip6table_filter) if (!net->ipv6.ip6table_filter)
return; return;
ip6t_unregister_table(net, net->ipv6.ip6table_filter, filter_ops); ip6t_unregister_table_exit(net, net->ipv6.ip6table_filter);
net->ipv6.ip6table_filter = NULL; net->ipv6.ip6table_filter = NULL;
} }
static struct pernet_operations ip6table_filter_net_ops = { static struct pernet_operations ip6table_filter_net_ops = {
.init = ip6table_filter_net_init, .init = ip6table_filter_net_init,
.pre_exit = ip6table_filter_net_pre_exit,
.exit = ip6table_filter_net_exit, .exit = ip6table_filter_net_exit,
}; };
......
...@@ -93,16 +93,24 @@ static int __net_init ip6table_mangle_table_init(struct net *net) ...@@ -93,16 +93,24 @@ static int __net_init ip6table_mangle_table_init(struct net *net)
return ret; return ret;
} }
static void __net_exit ip6table_mangle_net_pre_exit(struct net *net)
{
if (net->ipv6.ip6table_mangle)
ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_mangle,
mangle_ops);
}
static void __net_exit ip6table_mangle_net_exit(struct net *net) static void __net_exit ip6table_mangle_net_exit(struct net *net)
{ {
if (!net->ipv6.ip6table_mangle) if (!net->ipv6.ip6table_mangle)
return; return;
ip6t_unregister_table(net, net->ipv6.ip6table_mangle, mangle_ops); ip6t_unregister_table_exit(net, net->ipv6.ip6table_mangle);
net->ipv6.ip6table_mangle = NULL; net->ipv6.ip6table_mangle = NULL;
} }
static struct pernet_operations ip6table_mangle_net_ops = { static struct pernet_operations ip6table_mangle_net_ops = {
.pre_exit = ip6table_mangle_net_pre_exit,
.exit = ip6table_mangle_net_exit, .exit = ip6table_mangle_net_exit,
}; };
......
...@@ -114,16 +114,22 @@ static int __net_init ip6table_nat_table_init(struct net *net) ...@@ -114,16 +114,22 @@ static int __net_init ip6table_nat_table_init(struct net *net)
return ret; return ret;
} }
static void __net_exit ip6table_nat_net_pre_exit(struct net *net)
{
if (net->ipv6.ip6table_nat)
ip6t_nat_unregister_lookups(net);
}
static void __net_exit ip6table_nat_net_exit(struct net *net) static void __net_exit ip6table_nat_net_exit(struct net *net)
{ {
if (!net->ipv6.ip6table_nat) if (!net->ipv6.ip6table_nat)
return; return;
ip6t_nat_unregister_lookups(net); ip6t_unregister_table_exit(net, net->ipv6.ip6table_nat);
ip6t_unregister_table(net, net->ipv6.ip6table_nat, NULL);
net->ipv6.ip6table_nat = NULL; net->ipv6.ip6table_nat = NULL;
} }
static struct pernet_operations ip6table_nat_net_ops = { static struct pernet_operations ip6table_nat_net_ops = {
.pre_exit = ip6table_nat_net_pre_exit,
.exit = ip6table_nat_net_exit, .exit = ip6table_nat_net_exit,
}; };
......
...@@ -66,15 +66,23 @@ static int __net_init ip6table_raw_table_init(struct net *net) ...@@ -66,15 +66,23 @@ static int __net_init ip6table_raw_table_init(struct net *net)
return ret; return ret;
} }
static void __net_exit ip6table_raw_net_pre_exit(struct net *net)
{
if (net->ipv6.ip6table_raw)
ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_raw,
rawtable_ops);
}
static void __net_exit ip6table_raw_net_exit(struct net *net) static void __net_exit ip6table_raw_net_exit(struct net *net)
{ {
if (!net->ipv6.ip6table_raw) if (!net->ipv6.ip6table_raw)
return; return;
ip6t_unregister_table(net, net->ipv6.ip6table_raw, rawtable_ops); ip6t_unregister_table_exit(net, net->ipv6.ip6table_raw);
net->ipv6.ip6table_raw = NULL; net->ipv6.ip6table_raw = NULL;
} }
static struct pernet_operations ip6table_raw_net_ops = { static struct pernet_operations ip6table_raw_net_ops = {
.pre_exit = ip6table_raw_net_pre_exit,
.exit = ip6table_raw_net_exit, .exit = ip6table_raw_net_exit,
}; };
......
...@@ -61,15 +61,23 @@ static int __net_init ip6table_security_table_init(struct net *net) ...@@ -61,15 +61,23 @@ static int __net_init ip6table_security_table_init(struct net *net)
return ret; return ret;
} }
static void __net_exit ip6table_security_net_pre_exit(struct net *net)
{
if (net->ipv6.ip6table_security)
ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_security,
sectbl_ops);
}
static void __net_exit ip6table_security_net_exit(struct net *net) static void __net_exit ip6table_security_net_exit(struct net *net)
{ {
if (!net->ipv6.ip6table_security) if (!net->ipv6.ip6table_security)
return; return;
ip6t_unregister_table(net, net->ipv6.ip6table_security, sectbl_ops); ip6t_unregister_table_exit(net, net->ipv6.ip6table_security);
net->ipv6.ip6table_security = NULL; net->ipv6.ip6table_security = NULL;
} }
static struct pernet_operations ip6table_security_net_ops = { static struct pernet_operations ip6table_security_net_ops = {
.pre_exit = ip6table_security_net_pre_exit,
.exit = ip6table_security_net_exit, .exit = ip6table_security_net_exit,
}; };
......
...@@ -35,3 +35,4 @@ module_exit(nf_flow_ipv6_module_exit); ...@@ -35,3 +35,4 @@ module_exit(nf_flow_ipv6_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NF_FLOWTABLE(AF_INET6); MODULE_ALIAS_NF_FLOWTABLE(AF_INET6);
MODULE_DESCRIPTION("Netfilter flow table IPv6 module");
...@@ -105,3 +105,4 @@ module_exit(nft_dup_ipv6_module_exit); ...@@ -105,3 +105,4 @@ module_exit(nft_dup_ipv6_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "dup"); MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "dup");
MODULE_DESCRIPTION("IPv6 nftables packet duplication support");
...@@ -255,3 +255,4 @@ module_exit(nft_fib6_module_exit); ...@@ -255,3 +255,4 @@ module_exit(nft_fib6_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
MODULE_ALIAS_NFT_AF_EXPR(10, "fib"); MODULE_ALIAS_NFT_AF_EXPR(10, "fib");
MODULE_DESCRIPTION("nftables fib / ipv6 route lookup support");
...@@ -72,3 +72,4 @@ module_exit(nft_reject_ipv6_module_exit); ...@@ -72,3 +72,4 @@ module_exit(nft_reject_ipv6_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject"); MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject");
MODULE_DESCRIPTION("IPv6 packet rejection for nftables");
...@@ -460,6 +460,8 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len, ...@@ -460,6 +460,8 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len,
for (id = 0; id < IPSET_EXT_ID_MAX; id++) { for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
if (!add_extension(id, cadt_flags, tb)) if (!add_extension(id, cadt_flags, tb))
continue; continue;
if (align < ip_set_extensions[id].align)
align = ip_set_extensions[id].align;
len = ALIGN(len, ip_set_extensions[id].align); len = ALIGN(len, ip_set_extensions[id].align);
set->offset[id] = len; set->offset[id] = len;
set->extensions |= ip_set_extensions[id].type; set->extensions |= ip_set_extensions[id].type;
......
...@@ -73,3 +73,4 @@ EXPORT_SYMBOL_GPL(nft_fwd_dup_netdev_offload); ...@@ -73,3 +73,4 @@ EXPORT_SYMBOL_GPL(nft_fwd_dup_netdev_offload);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_DESCRIPTION("Netfilter packet duplication support");
...@@ -594,3 +594,4 @@ module_exit(nf_flow_table_module_exit); ...@@ -594,3 +594,4 @@ module_exit(nf_flow_table_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_DESCRIPTION("Netfilter flow table module");
...@@ -72,3 +72,4 @@ module_exit(nf_flow_inet_module_exit); ...@@ -72,3 +72,4 @@ module_exit(nf_flow_inet_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NF_FLOWTABLE(1); /* NFPROTO_INET */ MODULE_ALIAS_NF_FLOWTABLE(1); /* NFPROTO_INET */
MODULE_DESCRIPTION("Netfilter flow table mixed IPv4/IPv6 module");
...@@ -1237,3 +1237,4 @@ EXPORT_SYMBOL_GPL(nf_synproxy_ipv6_fini); ...@@ -1237,3 +1237,4 @@ EXPORT_SYMBOL_GPL(nf_synproxy_ipv6_fini);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("nftables SYNPROXY expression support");
...@@ -33,6 +33,7 @@ ...@@ -33,6 +33,7 @@
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER); MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER);
MODULE_DESCRIPTION("Netfilter messages via netlink socket");
#define nfnl_dereference_protected(id) \ #define nfnl_dereference_protected(id) \
rcu_dereference_protected(table[(id)].subsys, \ rcu_dereference_protected(table[(id)].subsys, \
......
...@@ -902,3 +902,4 @@ MODULE_LICENSE("GPL"); ...@@ -902,3 +902,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("match"); MODULE_ALIAS_NFT_EXPR("match");
MODULE_ALIAS_NFT_EXPR("target"); MODULE_ALIAS_NFT_EXPR("target");
MODULE_DESCRIPTION("x_tables over nftables support");
...@@ -280,3 +280,4 @@ MODULE_LICENSE("GPL"); ...@@ -280,3 +280,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso"); MODULE_AUTHOR("Pablo Neira Ayuso");
MODULE_ALIAS_NFT_EXPR("connlimit"); MODULE_ALIAS_NFT_EXPR("connlimit");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CONNLIMIT); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CONNLIMIT);
MODULE_DESCRIPTION("nftables connlimit rule support");
...@@ -303,3 +303,4 @@ MODULE_LICENSE("GPL"); ...@@ -303,3 +303,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("counter"); MODULE_ALIAS_NFT_EXPR("counter");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_COUNTER); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_COUNTER);
MODULE_DESCRIPTION("nftables counter rule support");
...@@ -1345,3 +1345,4 @@ MODULE_ALIAS_NFT_EXPR("notrack"); ...@@ -1345,3 +1345,4 @@ MODULE_ALIAS_NFT_EXPR("notrack");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER);
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_TIMEOUT); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_TIMEOUT);
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_EXPECT); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_EXPECT);
MODULE_DESCRIPTION("Netfilter nf_tables conntrack module");
...@@ -102,3 +102,4 @@ module_exit(nft_dup_netdev_module_exit); ...@@ -102,3 +102,4 @@ module_exit(nft_dup_netdev_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_AF_EXPR(5, "dup"); MODULE_ALIAS_NFT_AF_EXPR(5, "dup");
MODULE_DESCRIPTION("nftables netdev packet duplication support");
...@@ -76,3 +76,4 @@ module_exit(nft_fib_inet_module_exit); ...@@ -76,3 +76,4 @@ module_exit(nft_fib_inet_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
MODULE_ALIAS_NFT_AF_EXPR(1, "fib"); MODULE_ALIAS_NFT_AF_EXPR(1, "fib");
MODULE_DESCRIPTION("nftables fib inet support");
...@@ -85,3 +85,4 @@ module_exit(nft_fib_netdev_module_exit); ...@@ -85,3 +85,4 @@ module_exit(nft_fib_netdev_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo M. Bermudo Garay <pablombg@gmail.com>"); MODULE_AUTHOR("Pablo M. Bermudo Garay <pablombg@gmail.com>");
MODULE_ALIAS_NFT_AF_EXPR(5, "fib"); MODULE_ALIAS_NFT_AF_EXPR(5, "fib");
MODULE_DESCRIPTION("nftables netdev fib lookups support");
...@@ -286,3 +286,4 @@ module_exit(nft_flow_offload_module_exit); ...@@ -286,3 +286,4 @@ module_exit(nft_flow_offload_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("flow_offload"); MODULE_ALIAS_NFT_EXPR("flow_offload");
MODULE_DESCRIPTION("nftables hardware flow offload module");
...@@ -248,3 +248,4 @@ module_exit(nft_hash_module_exit); ...@@ -248,3 +248,4 @@ module_exit(nft_hash_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Laura Garcia <nevola@gmail.com>"); MODULE_AUTHOR("Laura Garcia <nevola@gmail.com>");
MODULE_ALIAS_NFT_EXPR("hash"); MODULE_ALIAS_NFT_EXPR("hash");
MODULE_DESCRIPTION("Netfilter nftables hash module");
...@@ -372,3 +372,4 @@ MODULE_LICENSE("GPL"); ...@@ -372,3 +372,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("limit"); MODULE_ALIAS_NFT_EXPR("limit");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_LIMIT); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_LIMIT);
MODULE_DESCRIPTION("nftables limit expression support");
...@@ -298,3 +298,4 @@ module_exit(nft_log_module_exit); ...@@ -298,3 +298,4 @@ module_exit(nft_log_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("log"); MODULE_ALIAS_NFT_EXPR("log");
MODULE_DESCRIPTION("Netfilter nf_tables log module");
...@@ -305,3 +305,4 @@ module_exit(nft_masq_module_exit); ...@@ -305,3 +305,4 @@ module_exit(nft_masq_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>"); MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
MODULE_ALIAS_NFT_EXPR("masq"); MODULE_ALIAS_NFT_EXPR("masq");
MODULE_DESCRIPTION("Netfilter nftables masquerade expression support");
...@@ -402,3 +402,4 @@ module_exit(nft_nat_module_exit); ...@@ -402,3 +402,4 @@ module_exit(nft_nat_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>"); MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>");
MODULE_ALIAS_NFT_EXPR("nat"); MODULE_ALIAS_NFT_EXPR("nat");
MODULE_DESCRIPTION("Network Address Translation support");
...@@ -217,3 +217,4 @@ module_exit(nft_ng_module_exit); ...@@ -217,3 +217,4 @@ module_exit(nft_ng_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Laura Garcia <nevola@gmail.com>"); MODULE_AUTHOR("Laura Garcia <nevola@gmail.com>");
MODULE_ALIAS_NFT_EXPR("numgen"); MODULE_ALIAS_NFT_EXPR("numgen");
MODULE_DESCRIPTION("nftables number generator module");
...@@ -252,3 +252,4 @@ module_exit(nft_objref_module_exit); ...@@ -252,3 +252,4 @@ module_exit(nft_objref_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("objref"); MODULE_ALIAS_NFT_EXPR("objref");
MODULE_DESCRIPTION("nftables stateful object reference module");
...@@ -149,3 +149,4 @@ module_exit(nft_osf_module_exit); ...@@ -149,3 +149,4 @@ module_exit(nft_osf_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Fernando Fernandez <ffmancera@riseup.net>"); MODULE_AUTHOR("Fernando Fernandez <ffmancera@riseup.net>");
MODULE_ALIAS_NFT_EXPR("osf"); MODULE_ALIAS_NFT_EXPR("osf");
MODULE_DESCRIPTION("nftables passive OS fingerprint support");
...@@ -216,3 +216,4 @@ module_exit(nft_queue_module_exit); ...@@ -216,3 +216,4 @@ module_exit(nft_queue_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Eric Leblond <eric@regit.org>"); MODULE_AUTHOR("Eric Leblond <eric@regit.org>");
MODULE_ALIAS_NFT_EXPR("queue"); MODULE_ALIAS_NFT_EXPR("queue");
MODULE_DESCRIPTION("Netfilter nftables queue module");
...@@ -254,3 +254,4 @@ MODULE_LICENSE("GPL"); ...@@ -254,3 +254,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("quota"); MODULE_ALIAS_NFT_EXPR("quota");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_QUOTA); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_QUOTA);
MODULE_DESCRIPTION("Netfilter nftables quota module");
...@@ -292,3 +292,4 @@ module_exit(nft_redir_module_exit); ...@@ -292,3 +292,4 @@ module_exit(nft_redir_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>"); MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
MODULE_ALIAS_NFT_EXPR("redir"); MODULE_ALIAS_NFT_EXPR("redir");
MODULE_DESCRIPTION("Netfilter nftables redirect support");
...@@ -119,3 +119,4 @@ EXPORT_SYMBOL_GPL(nft_reject_icmpv6_code); ...@@ -119,3 +119,4 @@ EXPORT_SYMBOL_GPL(nft_reject_icmpv6_code);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("Netfilter x_tables over nftables module");
...@@ -149,3 +149,4 @@ module_exit(nft_reject_inet_module_exit); ...@@ -149,3 +149,4 @@ module_exit(nft_reject_inet_module_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_AF_EXPR(1, "reject"); MODULE_ALIAS_NFT_AF_EXPR(1, "reject");
MODULE_DESCRIPTION("Netfilter nftables reject inet support");
...@@ -388,3 +388,4 @@ MODULE_LICENSE("GPL"); ...@@ -388,3 +388,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Fernando Fernandez <ffmancera@riseup.net>"); MODULE_AUTHOR("Fernando Fernandez <ffmancera@riseup.net>");
MODULE_ALIAS_NFT_EXPR("synproxy"); MODULE_ALIAS_NFT_EXPR("synproxy");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_SYNPROXY); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_SYNPROXY);
MODULE_DESCRIPTION("nftables SYNPROXY expression support");
...@@ -719,3 +719,4 @@ MODULE_LICENSE("GPL"); ...@@ -719,3 +719,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("tunnel"); MODULE_ALIAS_NFT_EXPR("tunnel");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_TUNNEL); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_TUNNEL);
MODULE_DESCRIPTION("nftables tunnel expression support");
...@@ -244,3 +244,4 @@ MODULE_ALIAS("ipt_SNAT"); ...@@ -244,3 +244,4 @@ MODULE_ALIAS("ipt_SNAT");
MODULE_ALIAS("ipt_DNAT"); MODULE_ALIAS("ipt_DNAT");
MODULE_ALIAS("ip6t_SNAT"); MODULE_ALIAS("ip6t_SNAT");
MODULE_ALIAS("ip6t_DNAT"); MODULE_ALIAS("ip6t_DNAT");
MODULE_DESCRIPTION("SNAT and DNAT targets support");
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
TEST_PROGS := nft_trans_stress.sh nft_nat.sh bridge_brouter.sh \ TEST_PROGS := nft_trans_stress.sh nft_nat.sh bridge_brouter.sh \
conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \ conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \
nft_concat_range.sh \ nft_concat_range.sh nft_conntrack_helper.sh \
nft_queue.sh nft_queue.sh
LDLIBS = -lmnl LDLIBS = -lmnl
......
#!/bin/bash
#
# This tests connection tracking helper assignment:
# 1. can attach ftp helper to a connection from nft ruleset.
# 2. auto-assign still works.
#
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0
sfx=$(mktemp -u "XXXXXXXX")
ns1="ns1-$sfx"
ns2="ns2-$sfx"
testipv6=1
cleanup()
{
ip netns del ${ns1}
ip netns del ${ns2}
}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without nft tool"
exit $ksft_skip
fi
ip -Version > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
conntrack -V > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without conntrack tool"
exit $ksft_skip
fi
which nc >/dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: Could not run test without netcat tool"
exit $ksft_skip
fi
trap cleanup EXIT
ip netns add ${ns1}
ip netns add ${ns2}
ip link add veth0 netns ${ns1} type veth peer name veth0 netns ${ns2} > /dev/null 2>&1
if [ $? -ne 0 ];then
echo "SKIP: No virtual ethernet pair device support in kernel"
exit $ksft_skip
fi
ip -net ${ns1} link set lo up
ip -net ${ns1} link set veth0 up
ip -net ${ns2} link set lo up
ip -net ${ns2} link set veth0 up
ip -net ${ns1} addr add 10.0.1.1/24 dev veth0
ip -net ${ns1} addr add dead:1::1/64 dev veth0
ip -net ${ns2} addr add 10.0.1.2/24 dev veth0
ip -net ${ns2} addr add dead:1::2/64 dev veth0
load_ruleset_family() {
local family=$1
local ns=$2
ip netns exec ${ns} nft -f - <<EOF
table $family raw {
ct helper ftp {
type "ftp" protocol tcp
}
chain pre {
type filter hook prerouting priority 0; policy accept;
tcp dport 2121 ct helper set "ftp"
}
chain output {
type filter hook output priority 0; policy accept;
tcp dport 2121 ct helper set "ftp"
}
}
EOF
return $?
}
check_for_helper()
{
local netns=$1
local message=$2
local port=$3
ip netns exec ${netns} conntrack -L -p tcp --dport $port 2> /dev/null |grep -q 'helper=ftp'
if [ $? -ne 0 ] ; then
echo "FAIL: ${netns} did not show attached helper $message" 1>&2
ret=1
fi
echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2
return 0
}
test_helper()
{
local port=$1
local msg=$2
sleep 3 | ip netns exec ${ns2} nc -w 2 -l -p $port > /dev/null &
sleep 1
sleep 1 | ip netns exec ${ns1} nc -w 2 10.0.1.2 $port > /dev/null &
check_for_helper "$ns1" "ip $msg" $port
check_for_helper "$ns2" "ip $msg" $port
wait
if [ $testipv6 -eq 0 ] ;then
return 0
fi
ip netns exec ${ns1} conntrack -F 2> /dev/null
ip netns exec ${ns2} conntrack -F 2> /dev/null
sleep 3 | ip netns exec ${ns2} nc -w 2 -6 -l -p $port > /dev/null &
sleep 1
sleep 1 | ip netns exec ${ns1} nc -w 2 -6 dead:1::2 $port > /dev/null &
check_for_helper "$ns1" "ipv6 $msg" $port
check_for_helper "$ns2" "ipv6 $msg" $port
wait
}
load_ruleset_family ip ${ns1}
if [ $? -ne 0 ];then
echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2
exit 1
fi
load_ruleset_family ip6 ${ns1}
if [ $? -ne 0 ];then
echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2
testipv6=0
fi
load_ruleset_family inet ${ns2}
if [ $? -ne 0 ];then
echo "SKIP: ${ns1} cannot load inet ruleset" 1>&2
load_ruleset_family ip ${ns2}
if [ $? -ne 0 ];then
echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2
exit 1
fi
if [ $testipv6 -eq 1 ] ;then
load_ruleset_family ip6 ${ns2}
if [ $? -ne 0 ];then
echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2
exit 1
fi
fi
fi
test_helper 2121 "set via ruleset"
ip netns exec ${ns1} sysctl -q 'net.netfilter.nf_conntrack_helper=1'
ip netns exec ${ns2} sysctl -q 'net.netfilter.nf_conntrack_helper=1'
test_helper 21 "auto-assign"
exit $ret
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment