1. 09 Aug, 2021 1 commit
      netfilter: x_tables: never register tables by default · fdacd57c
      Florian Westphal authored
      For historical reasons x_tables still register tables by default in the
      initial namespace.
      Only newly created net namespaces add the hook on demand.
      
      This means that the init_net always pays hook cost, even if no filtering
      rules are added (e.g. only used inside a single netns).
      
      Note that the hooks are added even when 'iptables -L' is called.
      This is because there is no way to tell 'iptables -A' and 'iptables -L'
      apart at kernel level.
      
      The only solution would be to register the table, but delay hook
      registration until the first rule gets added (or policy gets changed).
      
      That however means that counters are not hooked either, so 'iptables -L'
      would always show 0-counters even when traffic is flowing which might be
      unexpected.
      
      This keeps table and hook registration consistent with what is already done
      in non-init netns: first iptables(-save) invocation registers both table
      and hooks.
      
      This applies the same solution adopted for ebtables.
      All tables register a template that contains the l3 family, the name
      and a constructor function that is called when the initial table has to
      be added.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 05 Aug, 2021 2 commits
      netfilter: ctnetlink: allow to filter dump by status bits · 9344988d
      Florian Westphal authored
      If CTA_STATUS is present, but CTA_STATUS_MASK is not, then the
      mask is automatically set to 'status', so that kernel returns those
      entries that have all of the requested bits set.
      
      This makes more sense than using an all-one mask since we'd hardly
      ever find a match.
      
      There are no other checks for status bits, so if e.g. userspace
      sets impossible combinations it will get an empty dump.
      
      If the kernel rejected unknown status bits, then a program that works on
      a future kernel that has an IPS_FOO bit fails on old kernels.
      
      Same for 'impossible' combinations:
      
      The kernel never sets ASSURED without first having set SEEN_REPLY, but it's
      possible that a future kernel could do so.
      
      Therefore no sanity tests other than a 0-mask.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
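An added C model (not kernel code and not part of the commit) of the filter semantics the message above describes: a missing CTA_STATUS_MASK defaults to CTA_STATUS, an entry is dumped when its masked status equals the requested bits, and only an all-zero mask is refused. It assumes CTA_STATUS is present, uses stand-in struct and function names, and runs over a constructed table of four status words.

```c
/* Model of the ctnetlink status-bit dump filter described above (added illustration,
 * not kernel code): names are stand-ins; IPS_* values are the uapi ones. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IPS_EXPECTED   (1u << 0)
#define IPS_SEEN_REPLY (1u << 1)
#define IPS_ASSURED    (1u << 2)
#define IPS_CONFIRMED  (1u << 3)

/* A dump request carrying CTA_STATUS; has_mask == false models an absent CTA_STATUS_MASK. */
struct status_filter_req { uint32_t status, mask; bool has_mask; };
struct status_filter { uint32_t val, mask; };

/* Build the kernel-side filter. The only rejection (EINVAL in the kernel) is an
 * all-zero mask; unknown or "impossible" bit combinations pass on purpose, so a
 * request written for a newer kernel still works on an older one. */
bool status_filter_build(const struct status_filter_req *req, struct status_filter *f)
{
	f->val = req->status;
	f->mask = req->has_mask ? req->mask : req->status;  /* absent mask => mask = status */
	return f->mask != 0;
}

/* An entry is dumped when its masked status equals the requested value. */
bool status_filter_match(const struct status_filter *f, uint32_t ct_status)
{
	return (ct_status & f->mask) == f->val;
}

/* Constructed sample: status words of four imaginary conntrack entries. */
static const uint32_t sample_ct_status[] = {
	IPS_CONFIRMED,                                /* no reply seen yet */
	IPS_CONFIRMED | IPS_SEEN_REPLY,               /* replied, not yet assured */
	IPS_CONFIRMED | IPS_SEEN_REPLY | IPS_ASSURED, /* established */
	IPS_EXPECTED | IPS_CONFIRMED | IPS_SEEN_REPLY | IPS_ASSURED,
};

/* Number of sample entries the dump would contain, or -1 if the request is rejected. */
int dump_count(const struct status_filter_req *req)
{
	struct status_filter f;
	int n = 0;
	if (!status_filter_build(req, &f))
		return -1;
	for (size_t i = 0; i < sizeof sample_ct_status / sizeof *sample_ct_status; i++)
		n += status_filter_match(&f, sample_ct_status[i]);
	return n;
}
```

Asking for SEEN_REPLY with an explicit mask of SEEN_REPLY|ASSURED selects replied-but-not-yet-assured flows, which the default mask (all requested bits set) cannot express.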
      netfilter: ctnetlink: add and use a helper for mark parsing · ff1199db
      Florian Westphal authored
      ctnetlink dumps can be filtered based on the connmark.
      
      Prepare for status bit filtering by using a named structure and by
      moving the mark parsing code to a helper.
      
      Else ctnetlink_alloc_filter size grows a bit too big for my taste
      when status handling is added.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  3. 02 Aug, 2021 1 commit
      netfilter: ebtables: do not hook tables by default · 87663c39
      Florian Westphal authored
      If any of these modules is loaded, hooks get registered in all netns:
      
      Before: 'unshare -n nft list hooks' shows:
      family bridge hook prerouting {
      	-2147483648 ebt_broute
      	-0000000300 ebt_nat_hook
      }
      family bridge hook input {
      	-0000000200 ebt_filter_hook
      }
      family bridge hook forward {
      	-0000000200 ebt_filter_hook
      }
      family bridge hook output {
      	+0000000100 ebt_nat_hook
      	+0000000200 ebt_filter_hook
      }
      family bridge hook postrouting {
      	+0000000300 ebt_nat_hook
      }
      
      This adds 'template' tables for ebtables.
      
      Each ebtable_foo registers the table as a template, with an init function
      that gets called once the first get/setsockopt call is made.
      
      ebtables core then searches the (per netns) list of tables.
      If no table is found, it searches the list of templates instead.
      If a template entry exists, the init function is called which will
      enable the table and register the hooks (so packets are diverted
      to the table).
      
      If no entry is found in the template list, request_module is called.
      
      After this, hook registration is delayed until the 'ebtables'
      (set/getsockopt) request is made for a given table and will only
      happen in the specific namespace.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>