
[-next,0/4] netfilter reverse path filter matches

Message ID 1320877188-1972-1-git-send-email-fw@strlen.de
State Awaiting Upstream, archived
Delegated to: David Miller

Pull-request

git://git.breakpoint.cc/fw/nf-next.git xt_rpfilter_9

Message

Florian Westphal Nov. 9, 2011, 10:19 p.m. UTC
Version 3 of the ipv4/v6 reverse path filter matches discussed
during nfws 2011.

Major change since v2 is that the ipv4 version no longer tries
to determine the (likely) input interface for the reverse test.

To obtain that information, an additional lookup would be
required (first obtain oif, then use that oif as iif in the
reversed lookup -- this is what the existing rpf in fib_validate_source()
does).
While it's certainly possible to mimic fib_validate_source more closely,
doing so has certain side effects:
- either pay additional rt lookup cost
- or, attach the input route early on ourselves, so ipv4 stack does
  not need to do it (which can then cause strange effects when using
  policy routing, as marking in pre-routing has no effect when done
  after -m rpfilter ...)

2nd change is a new "--invert" flag to permit one-line dropping
("-m rpfilter --invert -j DROP") of packets that failed the reverse
path lookup test.

Userspace part is stored in my iptables repository on
http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/iptables.git (branch 'xt_rpfilter_9').

Kernel patches are located in the 'xt_rpfilter_9' branch on
http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/nf-next.git.

Patches will be sent as followup to this email.

Summary of changes:

The following changes since commit e56c57d0d3fdbbdf583d3af96bfb803b8dfa713e:

net: rename sk_clone to sk_clone_lock (2011-11-08 17:07:07 -0500)

are available in the git repository at:
git://git.breakpoint.cc/fw/nf-next.git xt_rpfilter_9

Florian Westphal (4):
  net: ipv4: export fib_lookup and fib_table_lookup
  netfilter: add ipv4 reverse path filter match
  ipv6: add ip6_route_lookup
  netfilter: add ipv6 reverse path filter match

include/linux/netfilter/xt_rpfilter.h |   23 ++++++
include/net/ip6_route.h               |    2 +
net/ipv4/fib_rules.c                  |    1 +
net/ipv4/fib_trie.c                   |    1 +
net/ipv4/netfilter/Kconfig            |   10 +++
net/ipv4/netfilter/Makefile           |    1 +
net/ipv4/netfilter/ipt_rpfilter.c     |  141 +++++++++++++++++++++++++++++++++
net/ipv6/netfilter/Kconfig            |   10 +++
net/ipv6/netfilter/Makefile           |    1 +
net/ipv6/netfilter/ip6t_rpfilter.c    |  133 +++++++++++++++++++++++++++++++
net/ipv6/route.c                      |    7 ++
11 files changed, 330 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter/xt_rpfilter.h
create mode 100644 net/ipv4/netfilter/ipt_rpfilter.c
create mode 100644 net/ipv6/netfilter/ip6t_rpfilter.c
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
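The reverse path test the cover letter describes, as an added stand-alone model in Python (not the kernel code from the xt_rpfilter patches): the packet's source address is looked up as if it were a destination and the output interface of that route is compared with the ingress interface, with "--invert" turning the match into a one-rule drop of packets that fail. The route tables, interface names and the loose/strict distinction are constructed assumptions for this illustration.

```python
import ipaddress
from collections import namedtuple

# A route is a destination prefix plus the interface a packet to it leaves on.
Route = namedtuple("Route", "prefix oif")


def make_table(entries):
    """Build a route table from (cidr, oif) pairs."""
    return [Route(ipaddress.ip_network(cidr), oif) for cidr, oif in entries]


def lookup(table, addr):
    """Longest-prefix match: the most specific route covering addr, or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in table:
        if addr.version == r.prefix.version and addr in r.prefix:
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    return best


def rpfilter_match(table, saddr, iif, loose=False, invert=False):
    """Model of the match: look up the packet's SOURCE address as if it were
    a destination and check whether the reply would leave via the ingress
    interface.  Without --invert the rule matches packets that pass the
    test; with --invert it matches those that fail, which is what makes
    '-m rpfilter --invert -j DROP' a one-line spoofed-source drop."""
    route = lookup(table, saddr)
    if route is None:
        passed = False              # no route back to the source at all
    elif loose:
        passed = True               # loose mode (assumed): any route back suffices
    else:
        passed = route.oif == iif   # strict mode: must be the ingress device
    return passed != invert


# Constructed sample tables (not from the patch set): a router with a
# default route on its uplink eth0, a LAN on eth1 and a private net on eth2.
TABLE4 = make_table([("0.0.0.0/0", "eth0"),
                     ("192.168.1.0/24", "eth1"),
                     ("10.0.0.0/8", "eth2")])
TABLE6 = make_table([("2001:db8::/32", "eth0"),
                     ("2001:db8:1::/48", "eth1")])

if __name__ == "__main__":
    # A LAN address arriving from the uplink fails the test, so the
    # inverted rule matches it (and a '-j DROP' target would discard it).
    print(rpfilter_match(TABLE4, "192.168.1.7", "eth0", invert=True))
```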

Comments

David Miller Nov. 14, 2011, 5:47 a.m. UTC | #1
From: Florian Westphal <fw@strlen.de>
Date: Wed,  9 Nov 2011 23:19:44 +0100

> Version 3 of the ipv4/v6 reverse path filter matches discussed
> during nfws 2011.

I fully support these changes, please feel free to merge them in
via the netfilter tree and to add my ack:

Acked-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso Nov. 15, 2011, 9:58 a.m. UTC | #2
On Mon, Nov 14, 2011 at 12:47:16AM -0500, David Miller wrote:
> From: Florian Westphal <fw@strlen.de>
> Date: Wed,  9 Nov 2011 23:19:44 +0100
> 
> > Version 3 of the ipv4/v6 reverse path filter matches discussed
> > during nfws 2011.
> 
> I fully support these changes, please feel free to merge them in
> via the netfilter tree and to add my ack:
> 
> Acked-by: David S. Miller <davem@davemloft.net>

Thanks for taking the time to review this, I need some time to test it
here but I think we'll get it into net-next soon.
Pablo Neira Ayuso Dec. 4, 2011, 9:51 p.m. UTC | #3
Hi Florian,

On Wed, Nov 09, 2011 at 11:19:44PM +0100, Florian Westphal wrote:
> Userspace part is stored in my iptables repository on
> http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/iptables.git (branch 'xt_rpfilter_9').

I have taken this into iptables, now it is available in the rpfilter
branch.

One inquiry, I need to know copyright / license details for this
extensions/libxt_rpfilter.c

I remember that Harald insisted that having one copyright notice per
.c file is a good practice (even if this doesn't seem to happen in
other iptables extensions files).

No need to resend the patch, I can amend the patch with the copyright
/ licensing header.

See extensions/libxt_cluster.c for reference.

> Kernel patches are located in the 'xt_rpfilter_9' branch on
> http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/nf-next.git.

Applied to my nf-next tree.

http://1984.lsi.us.es/git/net-next/

thanks Florian.
Florian Westphal Dec. 5, 2011, 8:33 a.m. UTC | #4
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Nov 09, 2011 at 11:19:44PM +0100, Florian Westphal wrote:
> > Userspace part is stored in my iptables repository on
> > http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/iptables.git (branch 'xt_rpfilter_9').
> 
> I have taken this into iptables, now it is available in the rpfilter
> branch.

Thanks Pablo.

> One inquiry, I need to know copyright / license details for this
> extensions/libxt_rpfilter.c
> 
[..]
> No need to resend the patch, I can amend the patch with the copyright
> / licensing header.
> 
> See extensions/libxt_cluster.c for reference.

In this case, please amend it to include the same GPL-2 boilerplate
as libxt_cluster.c has.

Thanks,
Florian