* xt_recent cleanups, xt_SYSRQ
From: Jan Engelhardt @ 2012-07-10 23:52 UTC
  To: pablo; +Cc: netfilter-devel


The following changes since commit 5c2a54214ae988708d84e3269dc99176b086ec1a:

  netfilter: xt_recent: explain if module parameters are wrong (2012-07-10 22:50:59 +0200)

are available in the git repository at:
  git://git.inai.de/linux master

Jan Engelhardt (4):
      netfilter: xt_recent: remove ip_list_hash_size parameter
      netfilter: cleanup use of the term "IPs"
      netfilter: use permission mnemonics in module_param
      netfilter: xtables: inclusion of xt_SYSRQ

 net/ipv4/netfilter/ipt_ULOG.c                  |    6 +-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    2 +-
 net/ipv4/netfilter/nf_nat_snmp_basic.c         |    2 +-
 net/netfilter/Kconfig                          |   12 +
 net/netfilter/Makefile                         |    1 +
 net/netfilter/ipset/ip_set_core.c              |    2 +-
 net/netfilter/ipvs/Kconfig                     |   15 +-
 net/netfilter/ipvs/ip_vs_conn.c                |    2 +-
 net/netfilter/ipvs/ip_vs_ftp.c                 |    2 +-
 net/netfilter/nf_conntrack_acct.c              |    2 +-
 net/netfilter/nf_conntrack_amanda.c            |    4 +-
 net/netfilter/nf_conntrack_core.c              |    2 +-
 net/netfilter/nf_conntrack_expect.c            |    2 +-
 net/netfilter/nf_conntrack_ftp.c               |    4 +-
 net/netfilter/nf_conntrack_h323_main.c         |    6 +-
 net/netfilter/nf_conntrack_helper.c            |    3 +-
 net/netfilter/nf_conntrack_irc.c               |    6 +-
 net/netfilter/nf_conntrack_sane.c              |    2 +-
 net/netfilter/nf_conntrack_sip.c               |    8 +-
 net/netfilter/nf_conntrack_tftp.c              |    2 +-
 net/netfilter/nf_conntrack_timestamp.c         |    2 +-
 net/netfilter/xt_SYSRQ.c                       |  361 ++++++++++++++++++++++++
 net/netfilter/xt_recent.c                      |   11 +-
 23 files changed, 417 insertions(+), 42 deletions(-)
 create mode 100644 net/netfilter/xt_SYSRQ.c


* [PATCH 1/4] netfilter: xt_recent: remove ip_list_hash_size parameter
From: Jan Engelhardt @ 2012-07-10 23:52 UTC
  To: pablo; +Cc: netfilter-devel

This module parameter has no effect, since the user-specified value is
overridden by the init function anyway.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 net/netfilter/xt_recent.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index c426497..b980b3f 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -50,7 +50,6 @@ static unsigned int ip_list_uid = 0;
 static unsigned int ip_list_gid = 0;
 module_param(ip_list_tot, uint, 0400);
 module_param(ip_pkt_list_tot, uint, 0400);
-module_param(ip_list_hash_size, uint, 0400);
 module_param(ip_list_perms, uint, 0400);
 module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
 module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
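Review bot: the matching `MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");` is left in place (it is still visible, and even reworded, in 2/4), so `modinfo xt_recent` keeps advertising a parameter that `insmod xt_recent ip_list_hash_size=...` now rejects as unknown; drop the description line together with the `module_param` line, and if the init function assigns `ip_list_hash_size` unconditionally, turn the file-scope variable into a local there so the dead knob disappears entirely.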
-- 
1.7.7



* [PATCH 2/4] netfilter: cleanup use of the term "IPs"
From: Jan Engelhardt @ 2012-07-10 23:52 UTC
  To: pablo; +Cc: netfilter-devel

Seen meticulously, we have two IPs these days (Internet Protocol 4,
and 6). Clean up and explicitly use "IP addresses" to disambiguate.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 net/netfilter/ipvs/Kconfig |   15 ++++++++-------
 net/netfilter/xt_recent.c  |    4 ++--
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
index f987138..e098980 100644
--- a/net/netfilter/ipvs/Kconfig
+++ b/net/netfilter/ipvs/Kconfig
@@ -238,13 +238,14 @@ config IP_VS_SH_TAB_BITS
 	range 4 20
 	default 8
 	---help---
-	  The source hashing scheduler maps source IPs to destinations
-	  stored in a hash table. This table is tiled by each destination
-	  until all slots in the table are filled. When using weights to
-	  allow destinations to receive more connections, the table is
-	  tiled an amount proportional to the weights specified. The table
-	  needs to be large enough to effectively fit all the destinations
-	  multiplied by their respective weights.
+	  The source hashing scheduler maps source IP addresses to
+	  destinations stored in a hash table. This table is tiled by
+	  each destination until all slots in the table are filled.
+	  When using weights to allow destinations to receive more
+	  connections, the table is tiled an amount proportional to
+	  the weights specified. The table needs to be large enough
+	  to effectively fit all the destinations multiplied by their
+	  respective weights.
 
 comment 'IPVS application helper'
 
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index b980b3f..0acc17f 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -53,9 +53,9 @@ module_param(ip_pkt_list_tot, uint, 0400);
 module_param(ip_list_perms, uint, 0400);
 module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
 module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
-MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list (>0)");
+MODULE_PARM_DESC(ip_list_tot, "number of IP addresses to remember per list (>0)");
 MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (1-255)");
-MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
+MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IP addresses");
 MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
 MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
 MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
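Review bot: the `MODULE_PARM_DESC(ip_list_hash_size, ...)` line reworded here describes a parameter that 1/4 just removed; delete it instead of rewording it, otherwise modinfo documents a knob that module loading rejects. The `ip_list_tot` wording change is fine and matches the existing `MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (1-255)");` style.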
-- 
1.7.7



* [PATCH 3/4] netfilter: use permission mnemonics in module_param
From: Jan Engelhardt @ 2012-07-10 23:52 UTC
  To: pablo; +Cc: netfilter-devel

Noticed the inconsistent use while going over xt_recent; clean up the
mode numbers, replacing them by the simpler mnemonics they go by.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 net/ipv4/netfilter/ipt_ULOG.c                  |    6 +++---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    2 +-
 net/ipv4/netfilter/nf_nat_snmp_basic.c         |    2 +-
 net/netfilter/ipset/ip_set_core.c              |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                |    2 +-
 net/netfilter/ipvs/ip_vs_ftp.c                 |    2 +-
 net/netfilter/nf_conntrack_acct.c              |    2 +-
 net/netfilter/nf_conntrack_amanda.c            |    4 ++--
 net/netfilter/nf_conntrack_core.c              |    2 +-
 net/netfilter/nf_conntrack_expect.c            |    2 +-
 net/netfilter/nf_conntrack_ftp.c               |    4 ++--
 net/netfilter/nf_conntrack_h323_main.c         |    6 +++---
 net/netfilter/nf_conntrack_helper.c            |    3 ++-
 net/netfilter/nf_conntrack_irc.c               |    6 +++---
 net/netfilter/nf_conntrack_sane.c              |    2 +-
 net/netfilter/nf_conntrack_sip.c               |    8 ++++----
 net/netfilter/nf_conntrack_tftp.c              |    2 +-
 net/netfilter/nf_conntrack_timestamp.c         |    2 +-
 net/netfilter/xt_recent.c                      |    6 +++---
 19 files changed, 33 insertions(+), 32 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 1109f7f..06417ea 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -58,15 +58,15 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);
 #define ULOG_MAXNLGROUPS	32		/* numer of nlgroups */
 
 static unsigned int nlbufsiz = NLMSG_GOODSIZE;
-module_param(nlbufsiz, uint, 0400);
+module_param(nlbufsiz, uint, S_IRUSR);
 MODULE_PARM_DESC(nlbufsiz, "netlink buffer size");
 
 static unsigned int flushtimeout = 10;
-module_param(flushtimeout, uint, 0600);
+module_param(flushtimeout, uint, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(flushtimeout, "buffer flush timeout (hundredths of a second)");
 
 static bool nflog = true;
-module_param(nflog, bool, 0400);
+module_param(nflog, bool, S_IRUSR);
 MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
 
 /* global data structures */
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index e7ff2dc..0853b0c 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -414,7 +414,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
 };
 
 module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
-		  &nf_conntrack_htable_size, 0600);
+		  &nf_conntrack_htable_size, S_IRUSR | S_IWUSR);
 
 MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
 MODULE_ALIAS("ip_conntrack");
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index bac7122..6029cdc 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -1309,4 +1309,4 @@ static void __exit nf_nat_snmp_basic_fini(void)
 module_init(nf_nat_snmp_basic_init);
 module_exit(nf_nat_snmp_basic_fini);
 
-module_param(debug, int, 0600);
+module_param(debug, int, S_IRUSR | S_IWUSR);
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 9730882..d5db0da 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -35,7 +35,7 @@ static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
 
 static unsigned int max_sets;
 
-module_param(max_sets, int, 0600);
+module_param(max_sets, int, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(max_sets, "maximal number of sets");
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
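Review bot: while this line is being touched, the parameter type `int` does not match the declaration `static unsigned int max_sets;` two lines above; `module_param(max_sets, uint, S_IRUSR | S_IWUSR);` would make `param_set_uint` reject a negative value instead of letting it wrap when the module later compares it against `ip_set_max`.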
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 1548df9..699b71a 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -49,7 +49,7 @@
  * Connection hash size. Default is what was selected at compile time.
 */
 static int ip_vs_conn_tab_bits = CONFIG_IP_VS_TAB_BITS;
-module_param_named(conn_tab_bits, ip_vs_conn_tab_bits, int, 0444);
+module_param_named(conn_tab_bits, ip_vs_conn_tab_bits, int, S_IRUGO);
 MODULE_PARM_DESC(conn_tab_bits, "Set connections' hash size");
 
 /* size and mask values */
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index b20b29c..d114170 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -54,7 +54,7 @@
  */
 static unsigned int ports_count = 1;
 static unsigned short ports[IP_VS_APP_MAX_PORTS] = {21, 0};
-module_param_array(ports, ushort, &ports_count, 0444);
+module_param_array(ports, ushort, &ports_count, S_IRUGO);
 MODULE_PARM_DESC(ports, "Ports to monitor for FTP control commands");
 
 
diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
index d61e078..6746733 100644
--- a/net/netfilter/nf_conntrack_acct.c
+++ b/net/netfilter/nf_conntrack_acct.c
@@ -20,7 +20,7 @@
 
 static bool nf_ct_acct __read_mostly;
 
-module_param_named(acct, nf_ct_acct, bool, 0644);
+module_param_named(acct, nf_ct_acct, bool, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");
 
 #ifdef CONFIG_SYSCTL
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index f2de8c5..d451b06 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -33,9 +33,9 @@ MODULE_LICENSE("GPL");
 MODULE_ALIAS("ip_conntrack_amanda");
 MODULE_ALIAS_NFCT_HELPER("amanda");
 
-module_param(master_timeout, uint, 0600);
+module_param(master_timeout, uint, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(master_timeout, "timeout for the master connection");
-module_param(ts_algo, charp, 0400);
+module_param(ts_algo, charp, S_IRUSR);
 MODULE_PARM_DESC(ts_algo, "textsearch algorithm to use (default kmp)");
 
 unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb,
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index cf48755..fb73c76 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1458,7 +1458,7 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
 EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize);
 
 module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
-		  &nf_conntrack_htable_size, 0600);
+		  &nf_conntrack_htable_size, S_IRUSR | S_IWUSR);
 
 void nf_ct_untracked_status_or(unsigned long bits)
 {
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 45cf602..d5f7093 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -602,7 +602,7 @@ static void exp_proc_remove(struct net *net)
 #endif /* CONFIG_NF_CONNTRACK_PROCFS */
 }
 
-module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
+module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, S_IRUSR);
 
 int nf_conntrack_expect_init(struct net *net)
 {
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 4bb771d..6eab10a 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -40,10 +40,10 @@ static DEFINE_SPINLOCK(nf_ftp_lock);
 #define MAX_PORTS 8
 static u_int16_t ports[MAX_PORTS];
 static unsigned int ports_c;
-module_param_array(ports, ushort, &ports_c, 0400);
+module_param_array(ports, ushort, &ports_c, S_IRUSR);
 
 static bool loose;
-module_param(loose, bool, 0600);
+module_param(loose, bool, S_IRUSR | S_IWUSR);
 
 unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
 				enum ip_conntrack_info ctinfo,
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 4283b20..4073cd0 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -35,15 +35,15 @@
 
 /* Parameters */
 static unsigned int default_rrq_ttl __read_mostly = 300;
-module_param(default_rrq_ttl, uint, 0600);
+module_param(default_rrq_ttl, uint, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(default_rrq_ttl, "use this TTL if it's missing in RRQ");
 
 static int gkrouted_only __read_mostly = 1;
-module_param(gkrouted_only, int, 0600);
+module_param(gkrouted_only, int, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
 
 static bool callforward_filter __read_mostly = true;
-module_param(callforward_filter, bool, 0600);
+module_param(callforward_filter, bool, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
 				     "if both endpoints are on different sides "
 				     "(determined by routing information)");
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index c4bc637..0d241ca 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -37,7 +37,8 @@ EXPORT_SYMBOL_GPL(nf_ct_helper_hsize);
 static unsigned int nf_ct_helper_count __read_mostly;
 
 static bool nf_ct_auto_assign_helper __read_mostly = true;
-module_param_named(nf_conntrack_helper, nf_ct_auto_assign_helper, bool, 0644);
+module_param_named(nf_conntrack_helper, nf_ct_auto_assign_helper,
+		   bool, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(nf_conntrack_helper,
 		 "Enable automatic conntrack helper assignment (default 1)");
 
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 009c52c..b680bbb 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -44,12 +44,12 @@ MODULE_LICENSE("GPL");
 MODULE_ALIAS("ip_conntrack_irc");
 MODULE_ALIAS_NFCT_HELPER("irc");
 
-module_param_array(ports, ushort, &ports_c, 0400);
+module_param_array(ports, ushort, &ports_c, S_IRUSR);
 MODULE_PARM_DESC(ports, "port numbers of IRC servers");
-module_param(max_dcc_channels, uint, 0400);
+module_param(max_dcc_channels, uint, S_IRUSR);
 MODULE_PARM_DESC(max_dcc_channels, "max number of expected DCC channels per "
 				   "IRC session");
-module_param(dcc_timeout, uint, 0400);
+module_param(dcc_timeout, uint, S_IRUSR);
 MODULE_PARM_DESC(dcc_timeout, "timeout on for unestablished DCC channels");
 
 static const char *const dccprotos[] = {
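Review bot: the context line `MODULE_PARM_DESC(dcc_timeout, "timeout on for unestablished DCC channels");` carries a pre-existing typo ("timeout on for"); since this block is already being edited and 2/4 is a wording cleanup, fold a fix to "timeout for unestablished DCC channels" into the series.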
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index 295429f..fae8eac 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -40,7 +40,7 @@ static DEFINE_SPINLOCK(nf_sane_lock);
 #define MAX_PORTS 8
 static u_int16_t ports[MAX_PORTS];
 static unsigned int ports_c;
-module_param_array(ports, ushort, &ports_c, 0400);
+module_param_array(ports, ushort, &ports_c, S_IRUSR);
 
 struct sane_request {
 	__be32 RPC_code;
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 758a1ba..e93a767 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -35,20 +35,20 @@ MODULE_ALIAS_NFCT_HELPER("sip");
 #define MAX_PORTS	8
 static unsigned short ports[MAX_PORTS];
 static unsigned int ports_c;
-module_param_array(ports, ushort, &ports_c, 0400);
+module_param_array(ports, ushort, &ports_c, S_IRUSR);
 MODULE_PARM_DESC(ports, "port numbers of SIP servers");
 
 static unsigned int sip_timeout __read_mostly = SIP_TIMEOUT;
-module_param(sip_timeout, uint, 0600);
+module_param(sip_timeout, uint, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(sip_timeout, "timeout for the master SIP session");
 
 static int sip_direct_signalling __read_mostly = 1;
-module_param(sip_direct_signalling, int, 0600);
+module_param(sip_direct_signalling, int, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(sip_direct_signalling, "expect incoming calls from registrar "
 					"only (default 1)");
 
 static int sip_direct_media __read_mostly = 1;
-module_param(sip_direct_media, int, 0600);
+module_param(sip_direct_media, int, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(sip_direct_media, "Expect Media streams between signalling "
 				   "endpoints only (default 1)");
 
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index 81fc61c..136714e 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -27,7 +27,7 @@ MODULE_ALIAS_NFCT_HELPER("tftp");
 #define MAX_PORTS 8
 static unsigned short ports[MAX_PORTS];
 static unsigned int ports_c;
-module_param_array(ports, ushort, &ports_c, 0400);
+module_param_array(ports, ushort, &ports_c, S_IRUSR);
 MODULE_PARM_DESC(ports, "Port numbers of TFTP servers");
 
 unsigned int (*nf_nat_tftp_hook)(struct sk_buff *skb,
diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
index dbb364f6..06fd0d3 100644
--- a/net/netfilter/nf_conntrack_timestamp.c
+++ b/net/netfilter/nf_conntrack_timestamp.c
@@ -17,7 +17,7 @@
 
 static bool nf_ct_tstamp __read_mostly;
 
-module_param_named(tstamp, nf_ct_tstamp, bool, 0644);
+module_param_named(tstamp, nf_ct_tstamp, bool, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(tstamp, "Enable connection tracking flow timestamping.");
 
 #ifdef CONFIG_SYSCTL
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 0acc17f..54d9d7d 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -48,9 +48,9 @@ static unsigned int ip_list_hash_size = 0;
 static unsigned int ip_list_perms = 0644;
 static unsigned int ip_list_uid = 0;
 static unsigned int ip_list_gid = 0;
-module_param(ip_list_tot, uint, 0400);
-module_param(ip_pkt_list_tot, uint, 0400);
-module_param(ip_list_perms, uint, 0400);
+module_param(ip_list_tot, uint, S_IRUSR);
+module_param(ip_pkt_list_tot, uint, S_IRUSR);
+module_param(ip_list_perms, uint, S_IRUSR);
 module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
 module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(ip_list_tot, "number of IP addresses to remember per list (>0)");
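Review bot: ip_list_uid and ip_list_gid stay at `S_IRUGO | S_IWUSR` while the three parameters above them become `S_IRUSR`; the asymmetry is inherited, but the mnemonics now make it obvious, so either say in the commit message that the modes are deliberately unchanged or align them. Also, the context line `static unsigned int ip_list_hash_size = 0;` survives 1/4 removing its module_param; if the init function overwrites it unconditionally, it should become a local variable there rather than a file-scope one that looks tunable.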
-- 
1.7.7



* [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
From: Jan Engelhardt @ 2012-07-10 23:52 UTC
  To: pablo; +Cc: netfilter-devel

The SYSRQ target allows remotely invoking sysrq on the local
machine. Authentication is by means of a pre-shared key that can
either be transmitted in plaintext or digest-secured.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 net/netfilter/Kconfig    |   12 ++
 net/netfilter/Makefile   |    1 +
 net/netfilter/xt_SYSRQ.c |  361 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 374 insertions(+), 0 deletions(-)
 create mode 100644 net/netfilter/xt_SYSRQ.c

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index c19b214..fbe8e40 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -644,6 +644,18 @@ config NETFILTER_XT_TARGET_RATEEST
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_TARGET_SYSRQ
+	tristate '"SYSRQ" - remote sysrq invocation'
+	depends on NETFILTER_ADVANCED
+	---help---
+	This option enables the "SYSRQ" target which can be used to trigger
+	sysrq from a remote machine using a magic UDP packet with a pre-shared
+	password. This is useful when the receiving host has locked up in an
+	Oops yet still can process incoming packets.
+
+	Besides plaintext packets, digest-secured SYSRQ requests will be
+	supported when CONFIG_CRYPTO is enabled.
+
 config NETFILTER_XT_TARGET_TEE
 	tristate '"TEE" - packet cloning to alternate destination'
 	depends on NETFILTER_ADVANCED
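Review bot: the help text is indented with a single tab while the neighbouring RATEEST and TEE entries use tab plus two spaces (`	  To compile it as a module, choose M here.  If unsure, say N.`); match that. More importantly, the help text says digest-secured requests are only supported "when CONFIG_CRYPTO is enabled" but the option does not `select CRYPTO`, `select CRYPTO_HASH` or `select CRYPTO_SHA1`; with CRYPTO off, xt_SYSRQ.c silently falls back to its plaintext-password path, a far weaker authentication mode for a target that can reboot the box from the network. Either add the selects so the digest path is always built, or make the plaintext path an explicit opt-in and say so in the help text.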
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 1c5160f..68881c8 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -70,6 +70,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_SYSRQ) += xt_SYSRQ.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
diff --git a/net/netfilter/xt_SYSRQ.c b/net/netfilter/xt_SYSRQ.c
new file mode 100644
index 0000000..885b902
--- /dev/null
+++ b/net/netfilter/xt_SYSRQ.c
@@ -0,0 +1,361 @@
+/*
+ *	"SYSRQ" target extension for Xtables
+ *	Copyright © Jan Engelhardt, 2008-2012
+ *
+ *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
+ *	Security additions John Haxby <john.haxby [at] oracle com>
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	version 2 or later as published by the Free Software Foundation.
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/sysrq.h>
+#include <linux/udp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/crypto.h>
+#include <linux/scatterlist.h>
+#include <net/ip.h>
+
+#if defined(CONFIG_CRYPTO) || defined(CRYPTO_CONFIG_MODULE)
+#	define WITH_CRYPTO 1
+#endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
+
+static bool sysrq_once;
+static char sysrq_password[64];
+static char sysrq_hash[16] = "sha1";
+static long sysrq_seqno;
+static int sysrq_debug;
+module_param_string(password, sysrq_password, sizeof(sysrq_password),
+		    S_IRUSR | S_IWUSR);
+module_param_string(hash, sysrq_hash, sizeof(sysrq_hash), S_IRUSR);
+module_param_named(seqno, sysrq_seqno, long, S_IRUSR | S_IWUSR);
+module_param_named(debug, sysrq_debug, int, S_IRUSR | S_IWUSR);
+MODULE_PARM_DESC(password, "password for remote sysrq");
+MODULE_PARM_DESC(hash, "hash algorithm, default sha1");
+MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
+MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
+
+#ifdef WITH_CRYPTO
+static struct crypto_hash *sysrq_tfm;
+static int sysrq_digest_size;
+static unsigned char *sysrq_digest_password;
+static unsigned char *sysrq_digest;
+static char *sysrq_hexdigest;
+
+/*
+ * The data is of the form "<requests>,<seqno>,<salt>,<hash>" where <requests>
+ * is a series of sysrq requests; <seqno> is a sequence number that must be
+ * greater than the last sequence number; <salt> is some random bytes; and
+ * <hash> is the hash of everything up to and including the preceding ","
+ * together with "<dstaddr>,<password>".
+ *
+ * For example
+ *
+ *   salt=$RANDOM
+ *   req="s,$(date +%s),$salt"
+ *   echo "$req,$(echo -n $req,10.10.25.1,secret | sha1sum | cut -c1-40)"
+ *
+ * You will want a better salt and password than that though :-)
+ */
+static unsigned int sysrq_tg(const void *pdata, uint16_t len)
+{
+	const char *data = pdata;
+	int i, n;
+	struct scatterlist sg[2];
+	struct hash_desc desc;
+	int ret;
+	long new_seqno = 0;
+
+	if (*sysrq_password == '\0') {
+		if (!sysrq_once)
+			pr_info("No password set\n");
+		sysrq_once = true;
+		return NF_DROP;
+	}
+	if (len == 0)
+		return NF_DROP;
+
+	for (i = 0; sysrq_password[i] != '\0' &&
+	     sysrq_password[i] != '\n'; ++i)
+		/* loop */;
+	sysrq_password[i] = '\0';
+
+	i = 0;
+	for (n = 0; n < len - 1; ++n) {
+		if (i == 1 && '0' <= data[n] && data[n] <= '9')
+			new_seqno = 10L * new_seqno + data[n] - '0';
+		if (data[n] == ',' && ++i == 3)
+			break;
+	}
+	++n;
+	if (i != 3) {
+		if (sysrq_debug)
+			pr_info("badly formatted request\n");
+		return NF_DROP;
+	}
+	if (sysrq_seqno >= new_seqno) {
+		if (sysrq_debug)
+			pr_info("old sequence number ignored\n");
+		return NF_DROP;
+	}
+
+	desc.tfm   = sysrq_tfm;
+	desc.flags = 0;
+	ret = crypto_hash_init(&desc);
+	if (ret != 0)
+		goto hash_fail;
+	sg_init_table(sg, 2);
+	sg_set_buf(&sg[0], data, n);
+	i = strlen(sysrq_digest_password);
+	sg_set_buf(&sg[1], sysrq_digest_password, i);
+	ret = crypto_hash_digest(&desc, sg, n + i, sysrq_digest);
+	if (ret != 0)
+		goto hash_fail;
+
+	for (i = 0; i < sysrq_digest_size; ++i) {
+		sysrq_hexdigest[2*i] =
+			"0123456789abcdef"[(sysrq_digest[i] >> 4) & 0xf];
+		sysrq_hexdigest[2*i+1] =
+			"0123456789abcdef"[sysrq_digest[i] & 0xf];
+	}
+	sysrq_hexdigest[2*sysrq_digest_size] = '\0';
+	if (len - n < sysrq_digest_size * 2) {
+		if (sysrq_debug)
+			pr_info("Short digest, expected %s\n",
+				sysrq_hexdigest);
+		return NF_DROP;
+	}
+	if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size * 2) != 0) {
+		if (sysrq_debug)
+			pr_info("Bad digest, expected %s\n", sysrq_hexdigest);
+		return NF_DROP;
+	}
+
+	/* Now we trust the requester */
+	sysrq_seqno = new_seqno;
+	for (i = 0; i < len && data[i] != ','; ++i) {
+		pr_info("SysRq %c\n", data[i]);
+		handle_sysrq(data[i]);
+	}
+	return NF_ACCEPT;
+
+ hash_fail:
+	pr_warning("digest failure\n");
+	return NF_DROP;
+}
+#else
+static unsigned int sysrq_tg(const void *pdata, uint16_t len)
+{
+	const char *data = pdata;
+	char c;
+
+	if (*sysrq_password == '\0') {
+		if (!sysrq_once)
+			pr_info("No password set\n");
+		sysrq_once = true;
+		return NF_DROP;
+	}
+
+	if (len == 0)
+		return NF_DROP;
+
+	c = *data;
+	if (strncmp(&data[1], sysrq_password, len - 1) != 0) {
+		pr_warning("Failed attempt - password mismatch\n");
+		return NF_DROP;
+	}
+
+	handle_sysrq(c, NULL);
+	return NF_ACCEPT;
+}
+#endif
+
+static unsigned int
+sysrq_tg4(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	const struct iphdr *iph;
+	const struct udphdr *udph;
+	uint16_t len;
+
+	if (skb_linearize(skb) < 0)
+		return NF_DROP;
+
+	iph = ip_hdr(skb);
+	if (iph->protocol != IPPROTO_UDP && iph->protocol != IPPROTO_UDPLITE)
+		return NF_DROP;
+
+	udph = (const void *)iph + ip_hdrlen(skb);
+	len  = ntohs(udph->len) - sizeof(struct udphdr);
+
+	if (sysrq_debug)
+		pr_info(": %pI4:%u -> :%u len=%u\n", &iph->saddr,
+			htons(udph->source), htons(udph->dest), len);
+#ifdef WITH_CRYPTO
+	sprintf(sysrq_digest_password, "%pI4,%s", &iph->daddr, sysrq_password);
+#endif
+	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
+}
+
+#ifdef WITH_IPV6
+static unsigned int
+sysrq_tg6(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	const struct ipv6hdr *iph;
+	const struct udphdr *udph;
+	unsigned short frag_off;
+	unsigned int th_off;
+	uint16_t len;
+
+	if (skb_linearize(skb) < 0)
+		return NF_DROP;
+
+	iph = ipv6_hdr(skb);
+	if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off, NULL) < 0 ||
+	    ipv6_find_hdr(skb, &th_off, IPPROTO_UDPLITE,
+	                  &frag_off, NULL) < 0 ||
+	    frag_off > 0)
+		return NF_DROP;
+
+	udph = (const void *)iph + th_off;
+	len  = ntohs(udph->len) - sizeof(struct udphdr);
+
+	if (sysrq_debug)
+		pr_info("%pI6:%hu -> :%hu len=%u\n", &iph->saddr,
+			ntohs(udph->source), ntohs(udph->dest), len);
+#ifdef WITH_CRYPTO
+	sprintf(sysrq_digest_password, "%pI6,%s", &iph->daddr, sysrq_password);
+#endif
+	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
+}
+#endif
+
+static int sysrq_tg_check(const struct xt_tgchk_param *par)
+{
+	if (par->target->family == NFPROTO_IPV4) {
+		const struct ipt_entry *entry = par->entryinfo;
+
+		if ((entry->ip.proto != IPPROTO_UDP &&
+		    entry->ip.proto != IPPROTO_UDPLITE) ||
+		    entry->ip.invflags & XT_INV_PROTO)
+			goto out;
+	} else if (par->target->family == NFPROTO_IPV6) {
+		const struct ip6t_entry *entry = par->entryinfo;
+
+		if ((entry->ipv6.proto != IPPROTO_UDP &&
+		    entry->ipv6.proto != IPPROTO_UDPLITE) ||
+		    entry->ipv6.invflags & XT_INV_PROTO)
+			goto out;
+	}
+
+	return 0;
+
+ out:
+	pr_info("only available for UDP and UDP-Lite");
+	return -EINVAL;
+}
+
+static struct xt_target sysrq_tg_reg[] __read_mostly = {
+	{
+		.name       = "SYSRQ",
+		.revision   = 1,
+		.family     = NFPROTO_IPV4,
+		.target     = sysrq_tg4,
+		.checkentry = sysrq_tg_check,
+		.me         = THIS_MODULE,
+	},
+#ifdef WITH_IPV6
+	{
+		.name       = "SYSRQ",
+		.revision   = 1,
+		.family     = NFPROTO_IPV6,
+		.target     = sysrq_tg6,
+		.checkentry = sysrq_tg_check,
+		.me         = THIS_MODULE,
+	},
+#endif
+};
+
+static void sysrq_crypto_exit(void)
+{
+#ifdef WITH_CRYPTO
+	if (sysrq_tfm)
+		crypto_free_hash(sysrq_tfm);
+	if (sysrq_digest)
+		kfree(sysrq_digest);
+	if (sysrq_hexdigest)
+		kfree(sysrq_hexdigest);
+	if (sysrq_digest_password)
+		kfree(sysrq_digest_password);
+#endif
+}
+
+static int __init sysrq_crypto_init(void)
+{
+#if defined(WITH_CRYPTO)
+	struct timeval now;
+	int ret;
+
+	sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
+	if (IS_ERR(sysrq_tfm)) {
+		pr_err("Could not find or load %s hash\n", sysrq_hash);
+		sysrq_tfm = NULL;
+		ret = PTR_ERR(sysrq_tfm);
+		goto fail;
+	}
+	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
+	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
+	ret = -ENOMEM;
+	if (sysrq_digest == NULL)
+		goto fail;
+	sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
+	if (sysrq_hexdigest == NULL)
+		goto fail;
+	sysrq_digest_password = kmalloc(sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255") +
+					sizeof(sysrq_password), GFP_KERNEL);
+	if (sysrq_digest_password == NULL)
+		goto fail;
+	do_gettimeofday(&now);
+	sysrq_seqno = now.tv_sec;
+	return 0;
+
+ fail:
+	sysrq_crypto_exit();
+	return ret;
+#else
+	pr_info("compiled without crypto\n");
+#endif
+	return -EINVAL;
+}
+
+static int __init sysrq_tg_init(void)
+{
+	if (sysrq_crypto_init() < 0)
+		pr_info("starting without crypto\n");
+	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+}
+
+static void __exit sysrq_tg_exit(void)
+{
+	sysrq_crypto_exit();
+	xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+}
+
+module_init(sysrq_tg_init);
+module_exit(sysrq_tg_exit);
+MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@inai.de>");
+MODULE_AUTHOR("John Haxby <john.haxby@oracle.com>");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_SYSRQ");
+MODULE_ALIAS("ip6t_SYSRQ");
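Review bot: the IPv6 header lookup in sysrq_tg6 drops every packet. The condition `ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, ...) < 0 || ipv6_find_hdr(skb, &th_off, IPPROTO_UDPLITE, ...) < 0` requires both lookups to succeed, but a datagram carries either a UDP or a UDP-Lite header, never both, so one of the two calls always returns -ENOENT and the function returns NF_DROP. Drop only when neither is present: join the two lookups with && (keeping the frag_off check), or do a single ipv6_find_hdr() with target -1 and test whether the returned protocol is IPPROTO_UDP or IPPROTO_UDPLITE. Three more problems in this file: in sysrq_crypto_init the failure path runs `sysrq_tfm = NULL;` before `ret = PTR_ERR(sysrq_tfm);`, so ret is always 0 and a missing hash is reported to sysrq_tg_init as success; swap the two statements. sysrq_digest_password is one module-wide buffer written with sprintf() from the packet path, which can run on several CPUs at once, so concurrent SYSRQ packets race on it (and on sysrq_digest/sysrq_hexdigest); either serialise the digest computation with a lock or format into a per-call stack buffer with snprintf(). In sysrq_tg_exit the crypto state is freed before the targets are unregistered, so a packet arriving between the two calls reaches the target with freed buffers; unregister first, then free. Minor: the IPv4 debug print uses htons() where the IPv6 one uses ntohs(), the pr_info() in sysrq_tg_check lacks a trailing newline, and sysrq_crypto_exit should reset the pointers it frees, because after a failed init the module keeps running "without crypto" with those pointers still reachable.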
-- 
1.7.7

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

* Re: [PATCH 1/4] netfilter: xt_recent: remove ip_list_hash_size parameter
  2012-07-10 23:52 ` [PATCH 1/4] netfilter: xt_recent: remove ip_list_hash_size parameter Jan Engelhardt
@ 2012-07-12 15:42   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2012-07-12 15:42 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Wed, Jul 11, 2012 at 01:52:27AM +0200, Jan Engelhardt wrote:
> This module parameter has no effect, since the user-specified value is
> overridden by the init function anyway.

My only concern with this is to break existing configuration that sets
that module parameter.

I wonder if it's useful to fix this module parameter to make it work
instead.

> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>  net/netfilter/xt_recent.c |    1 -
>  1 files changed, 0 insertions(+), 1 deletions(-)
> 
> diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
> index c426497..b980b3f 100644
> --- a/net/netfilter/xt_recent.c
> +++ b/net/netfilter/xt_recent.c
> @@ -50,7 +50,6 @@ static unsigned int ip_list_uid = 0;
>  static unsigned int ip_list_gid = 0;
>  module_param(ip_list_tot, uint, 0400);
>  module_param(ip_pkt_list_tot, uint, 0400);
> -module_param(ip_list_hash_size, uint, 0400);
>  module_param(ip_list_perms, uint, 0400);
>  module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
>  module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
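Review bot: removing only the module_param() line leaves MODULE_PARM_DESC(ip_list_hash_size, ...) in place (it is still present in the hunk quoted for patch 2/4 further down this thread, at index b980b3f), so modinfo keeps advertising a parameter that can no longer be set; delete the description in this same patch. Dropping the parameter is also a behaviour change for anyone with `options xt_recent ip_list_hash_size=...` in modprobe.d, since on kernels of this vintage an unknown parameter makes the module fail to load, which is the compatibility concern raised in the reply above; if the value was meant to be honoured, the smaller change is to stop the init function from overriding it rather than removing the parameter.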
> -- 
> 1.7.7
> 

* Re: [PATCH 2/4] netfilter: cleanup use of the term "IPs"
  2012-07-10 23:52 ` [PATCH 2/4] netfilter: cleanup use of the term "IPs" Jan Engelhardt
@ 2012-07-12 15:43   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2012-07-12 15:43 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Wed, Jul 11, 2012 at 01:52:28AM +0200, Jan Engelhardt wrote:
> Seen meticulously, we have two IPs these days (Internet Protocol 4,
> and 6). Clean up and explicitly use "IP addresses" to disambiguate.
> 
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>  net/netfilter/ipvs/Kconfig |   15 ++++++++-------
>  net/netfilter/xt_recent.c  |    4 ++--
>  2 files changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
> index f987138..e098980 100644
> --- a/net/netfilter/ipvs/Kconfig
> +++ b/net/netfilter/ipvs/Kconfig
> @@ -238,13 +238,14 @@ config IP_VS_SH_TAB_BITS
>  	range 4 20
>  	default 8
>  	---help---
> -	  The source hashing scheduler maps source IPs to destinations
> -	  stored in a hash table. This table is tiled by each destination
> -	  until all slots in the table are filled. When using weights to
> -	  allow destinations to receive more connections, the table is
> -	  tiled an amount proportional to the weights specified. The table
> -	  needs to be large enough to effectively fit all the destinations
> -	  multiplied by their respective weights.
> +	  The source hashing scheduler maps source IP addresses to
> +	  destinations stored in a hash table. This table is tiled by
> +	  each destination until all slots in the table are filled.
> +	  When using weights to allow destinations to receive more
> +	  connections, the table is tiled an amount proportional to
> +	  the weights specified. The table needs to be large enough
> +	  to effectively fit all the destinations multiplied by their
> +	  respective weights.
>  
>  comment 'IPVS application helper'
>  
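Review bot: the help text is re-wrapped across all seven lines for a one-word change ("IPs" to "IP addresses"), which hides the substantive edit and inflates the diff; re-wrap only the first line or two and leave the remaining lines untouched so the change is visible at a glance.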
> diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
> index b980b3f..0acc17f 100644
> --- a/net/netfilter/xt_recent.c
> +++ b/net/netfilter/xt_recent.c
> @@ -53,9 +53,9 @@ module_param(ip_pkt_list_tot, uint, 0400);
>  module_param(ip_list_perms, uint, 0400);
>  module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
>  module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
> -MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list (>0)");
> +MODULE_PARM_DESC(ip_list_tot, "number of IP addresses to remember per list (>0)");
>  MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (1-255)");
> -MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
> +MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IP addresses");

Isn't this the module parameter that you just deleted in the
previous patch?

>  MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
>  MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
>  MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
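Review bot: the second changed line rewords MODULE_PARM_DESC(ip_list_hash_size, ...), but patch 1/4 of this series removes the module_param() for ip_list_hash_size, so this description is orphaned (the reply above makes the same point); drop the MODULE_PARM_DESC line in 1/4 instead of rewording it here, which also keeps this patch a pure wording cleanup.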
> -- 
> 1.7.7
> 

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-10 23:52 ` [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ Jan Engelhardt
@ 2012-07-12 15:49   ` Pablo Neira Ayuso
  2012-07-12 16:25     ` Jan Engelhardt
  0 siblings, 1 reply; 18+ messages in thread
From: Pablo Neira Ayuso @ 2012-07-12 15:49 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Wed, Jul 11, 2012 at 01:52:30AM +0200, Jan Engelhardt wrote:
> The SYSRQ target will allow to remotely invoke sysrq on the local
> machine. Authentication is by means of a pre-shared key that can
> either be transmitted plaintext or digest-secured.
> 
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>  net/netfilter/Kconfig    |   12 ++
>  net/netfilter/Makefile   |    1 +
>  net/netfilter/xt_SYSRQ.c |  361 ++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 374 insertions(+), 0 deletions(-)
>  create mode 100644 net/netfilter/xt_SYSRQ.c
> 
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index c19b214..fbe8e40 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -644,6 +644,18 @@ config NETFILTER_XT_TARGET_RATEEST
>  
>  	  To compile it as a module, choose M here.  If unsure, say N.
>  
> +config NETFILTER_XT_TARGET_SYSRQ
> +	tristate '"SYSRQ" - remote sysrq invocation'
> +	depends on NETFILTER_ADVANCED
> +	---help---
> +	This option enables the "SYSRQ" target which can be used to trigger
> +	sysrq from a remote machine using a magic UDP packet with a pre-shared
> +	password. This is useful when the receiving host has locked up in an
> +	Oops yet still can process incoming packets.
> +
> +	Besides plaintext packets, digest-secured SYSRQ requests will be
> +	supported when CONFIG_CRYPTO is enabled.
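Review bot: the help text says digest-secured requests are available "when CONFIG_CRYPTO is enabled", but the entry carries no `select CRYPTO_HASH` or `depends on CRYPTO`, so nothing ties the option to the crypto API the WITH_CRYPTO build of xt_SYSRQ needs, and a plaintext-only build becomes the silent default; express the dependency in Kconfig or state explicitly that plaintext is the fallback. The text should also warn that in plaintext mode the pre-shared password crosses the network in clear, and that the rule should be restricted to trusted source addresses and rate-limited, since the target executes sysrq actions for any packet carrying the key. Style: the help body is indented with a single tab while the neighbouring entries (see the RATEEST line kept as context above) use a tab plus two spaces, and the customary closing line "To compile it as a module, choose M here. If unsure, say N." is missing.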

I guess this is useful for users, e.g. you can reboot your crashed
system from your office in the case of cheap commodity hardware without
remote management tools (e.g. HP's iLO or Dell's iDRAC).

Still, I think that including this in Netfilter is a bit of an abuse
since this is out of the scope of providing some firewalling feature.

People willing to use this should be able to use it without requiring
Netfilter at all.

If you have interest in pushing this into mainline, I think this
deserves to be generalized and included somewhere into the networking
tree and provide some genetlink interface to configure it.

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-12 15:49   ` Pablo Neira Ayuso
@ 2012-07-12 16:25     ` Jan Engelhardt
  2012-07-12 20:26       ` Florian Westphal
  2012-07-13  9:16       ` Pablo Neira Ayuso
  0 siblings, 2 replies; 18+ messages in thread
From: Jan Engelhardt @ 2012-07-12 16:25 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel


On Thursday 2012-07-12 17:49, Pablo Neira Ayuso wrote:
>> +config NETFILTER_XT_TARGET_SYSRQ
>> +	tristate '"SYSRQ" - remote sysrq invocation'
>
>I guess this is useful for users, e.g. you can reboot your crashed
>system from your office in the case of cheap commodity hardware without
>remote management tools (e.g. HP's iLO or Dell's iDRAC).
>
>Still, I think that including this in Netfilter is a bit of an abuse
>since this is out of the scope of providing some firewalling feature.

David Miller has stated his opinion already last year, and he's
for the Netfilter variant:
http://markmail.org/message/d7kpczdbtpcxwli6

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-12 16:25     ` Jan Engelhardt
@ 2012-07-12 20:26       ` Florian Westphal
  2012-07-12 20:29         ` Jan Engelhardt
  2012-07-13  9:16       ` Pablo Neira Ayuso
  1 sibling, 1 reply; 18+ messages in thread
From: Florian Westphal @ 2012-07-12 20:26 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, netfilter-devel

Jan Engelhardt <jengelh@inai.de> wrote:
> On Thursday 2012-07-12 17:49, Pablo Neira Ayuso wrote:
> >> +config NETFILTER_XT_TARGET_SYSRQ
> >> +	tristate '"SYSRQ" - remote sysrq invocation'
> >
> >I guess this is useful for users, e.g. you can reboot your crashed
> >system from your office in the case of cheap commodity hardware without
> >remote management tools (e.g. HP's iLO or Dell's iDRAC).
> >
> >Still, I think that including this in Netfilter is a bit of an abuse
> >since this is out of the scope of providing some firewalling feature.
> 
> David Miller has stated his opinion already last year, and he's
> for the Netfilter variant:
> http://markmail.org/message/d7kpczdbtpcxwli6

We now have udp encap support also for ipv6, so this could now
be solved outside of netfilter without impacting the ability to
filter sysreq packets.

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-12 20:26       ` Florian Westphal
@ 2012-07-12 20:29         ` Jan Engelhardt
  2012-07-12 20:35           ` Florian Westphal
  0 siblings, 1 reply; 18+ messages in thread
From: Jan Engelhardt @ 2012-07-12 20:29 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Pablo Neira Ayuso, netfilter-devel

On Thursday 2012-07-12 22:26, Florian Westphal wrote:

>Jan Engelhardt <jengelh@inai.de> wrote:
>> On Thursday 2012-07-12 17:49, Pablo Neira Ayuso wrote:
>> >> +config NETFILTER_XT_TARGET_SYSRQ
>> >> +	tristate '"SYSRQ" - remote sysrq invocation'
>> >
>> >I guess this is useful for users, e.g. you can reboot your crashed
>> >system from your office in the case of cheap commodity hardware without
>> >remote management tools (e.g. HP's iLO or Dell's iDRAC).
>> >
>> >Still, I think that including this in Netfilter is a bit of an abuse
>> >since this is out of the scope of providing some firewalling feature.
>> 
>> David Miller has stated his opinion already last year, and he's
>> for the Netfilter variant:
>> http://markmail.org/message/d7kpczdbtpcxwli6
>
>We now have udp encap support also for ipv6, so this could now
>be solved outside of netfilter without impacting the ability to
>filter sysreq packets.

How does xt_SYSRQ inhibit filtering sysrq packets?

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-12 20:29         ` Jan Engelhardt
@ 2012-07-12 20:35           ` Florian Westphal
  2012-07-12 21:25             ` Jan Engelhardt
  0 siblings, 1 reply; 18+ messages in thread
From: Florian Westphal @ 2012-07-12 20:35 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Florian Westphal, Pablo Neira Ayuso, netfilter-devel

Jan Engelhardt <jengelh@inai.de> wrote:
> >Jan Engelhardt <jengelh@inai.de> wrote:
> >> David Miller has stated his opinion already last year, and he's
> >> for the Netfilter variant:
> >> http://markmail.org/message/d7kpczdbtpcxwli6
> >
> >We now have udp encap support also for ipv6, so this could now
> >be solved outside of netfilter without impacting the ability to
> >filter sysreq packets.
> 
> How does xt_SYSRQ inhibit filtering sysrq packets?

Not at all.  But the last 'do it outside of netfilter' approaches
suffered from that.  With encap sockets this should no longer be a
problem.

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-12 20:35           ` Florian Westphal
@ 2012-07-12 21:25             ` Jan Engelhardt
  0 siblings, 0 replies; 18+ messages in thread
From: Jan Engelhardt @ 2012-07-12 21:25 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Pablo Neira Ayuso, netfilter-devel

On Thursday 2012-07-12 22:35, Florian Westphal wrote:

>Jan Engelhardt <jengelh@inai.de> wrote:
>> >Jan Engelhardt <jengelh@inai.de> wrote:
>> >> David Miller has stated his opinion already last year, and he's
>> >> for the Netfilter variant:
>> >> http://markmail.org/message/d7kpczdbtpcxwli6
>> >
>> >We now have udp encap support also for ipv6, so this could now
>> >be solved outside of netfilter without impacting the ability to
>> >filter sysreq packets.
>> 
>> How does xt_SYSRQ inhibit filtering sysrq packets?
>
>Not at all.  But the last 'do it outside of netfilter' approaches
>suffered from that.  With encap sockets this should no longer be a
>problem.

People like using Xtables because it's simple and they know how to
use it (or at least, the frontend). The biggest strength is that
users can _combine it with existing extensions_. All that seems
impossible with the sysrq-ping patch.

(You know how they hate it when they have to cross a "boundary" like
iptables-nfmark-tc and iptables-nfmark-iproute).

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-12 16:25     ` Jan Engelhardt
  2012-07-12 20:26       ` Florian Westphal
@ 2012-07-13  9:16       ` Pablo Neira Ayuso
  2012-07-14  1:43         ` Maciej Żenczykowski
  1 sibling, 1 reply; 18+ messages in thread
From: Pablo Neira Ayuso @ 2012-07-13  9:16 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: David Miller, netfilter-devel

On Thu, Jul 12, 2012 at 06:25:13PM +0200, Jan Engelhardt wrote:
> 
> On Thursday 2012-07-12 17:49, Pablo Neira Ayuso wrote:
> >> +config NETFILTER_XT_TARGET_SYSRQ
> >> +	tristate '"SYSRQ" - remote sysrq invocation'
> >
> >I guess this is useful for users, e.g. you can reboot your crashed
> >system from your office in the case of cheap commodity hardware without
> >remote management tools (e.g. HP's iLO or Dell's iDRAC).
> >
> >Still, I think that including this in Netfilter is a bit of an abuse
> >since this is out of the scope of providing some firewalling feature.
> 
> David Miller has stated his opinion already last year, and he's
> for the Netfilter variant:
> http://markmail.org/message/d7kpczdbtpcxwli6

I think that affirmation is true in the context of:

[PATCH]: Add Network Sysrq Support

but I'm not sure it is outside of it.

He probably preferred the Netfilter option because, comparing it to the
Netfilter approach, it looks nicer. Well, just look at all those sysfs
and proc interfaces he was proposing for that approach (it seems quite
ugly to me).

You can use the udp_encap hook (that Florian mentioned) plus some
genetlink interface and little user-space tool to make it out of
netfilter. Most of the xt_SYSRQ code can be reused and the genetlink
interface plus one library can be added with little extra work.

@David: just to put you into context. Jan is proposing to merge
xt_SYSRQ into mainstream, we are discussing if it would be better to
make it out of it (so people do not depend on the firewalling
utilities to get it working) based on a different proposal described
above.

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-13  9:16       ` Pablo Neira Ayuso
@ 2012-07-14  1:43         ` Maciej Żenczykowski
  2012-07-14 13:11           ` Pablo Neira Ayuso
  0 siblings, 1 reply; 18+ messages in thread
From: Maciej Żenczykowski @ 2012-07-14  1:43 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Jan Engelhardt, David Miller, netfilter-devel

On Fri, Jul 13, 2012 at 2:16 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Jul 12, 2012 at 06:25:13PM +0200, Jan Engelhardt wrote:
>>
>> On Thursday 2012-07-12 17:49, Pablo Neira Ayuso wrote:
>> >> +config NETFILTER_XT_TARGET_SYSRQ
>> >> +  tristate '"SYSRQ" - remote sysrq invocation'
>> >
>> >I guess this is useful for users, e.g. you can reboot your crashed
>> >system from your office in the case of cheap commodity hardware without
>> >remote management tools (e.g. HP's iLO or Dell's iDRAC).
>> >
>> >Still, I think that including this in Netfilter is a bit of an abuse
>> >since this is out of the scope of providing some firewalling feature.
>>
>> David Miller has stated his opinion already last year, and he's
>> for the Netfilter variant:
>> http://markmail.org/message/d7kpczdbtpcxwli6
>
> I think that affirmation is true in the context of:
>
> [PATCH]: Add Network Sysrq Support
>
> but I'm not sure it is outside of it.
>
> He probably preferred the Netfilter option because, comparing it to the
> Netfilter approach, it looks nicer. Well, just look at all those sysfs
> and proc interfaces he was proposing for that approach (it seems quite
> ugly to me).
>
> You can use the udp_encap hook (that Florian mentioned) plus some
> genetlink interface and little user-space tool to make it out of
> netfilter. Most of the xt_SYSRQ code can be reused and the genetlink
> interface plus one library can be added with little extra work.
>
> @David: just to put you into context. Jan is proposing to merge
> xt_SYSRQ into mainstream, we are discussing if it would be better to
> make it out of it (so people do not depend on the firewalling
> utilities to get it working) based on a different proposal described
> above.

For this to be truly useful, it has to work when all of userspace is
dead and unresponsive (oom hell, swap hell, hdd disconnected, etc),
and as such from the moment the magic packet gets received, to the
command (reboot/etc) being executed it has to be a fully kernel based
solution - preferably within the network softirq.

Anything relying on userspace (outside of initial configuration) is
not acceptable.

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-14  1:43         ` Maciej Żenczykowski
@ 2012-07-14 13:11           ` Pablo Neira Ayuso
  2012-07-14 14:49             ` Aft nix
  0 siblings, 1 reply; 18+ messages in thread
From: Pablo Neira Ayuso @ 2012-07-14 13:11 UTC (permalink / raw)
  To: Maciej Żenczykowski; +Cc: Jan Engelhardt, David Miller, netfilter-devel

On Fri, Jul 13, 2012 at 06:43:36PM -0700, Maciej Żenczykowski wrote:
> On Fri, Jul 13, 2012 at 2:16 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Thu, Jul 12, 2012 at 06:25:13PM +0200, Jan Engelhardt wrote:
> >>
> >> On Thursday 2012-07-12 17:49, Pablo Neira Ayuso wrote:
> >> >> +config NETFILTER_XT_TARGET_SYSRQ
> >> >> +  tristate '"SYSRQ" - remote sysrq invocation'
> >> >
> >> >I guess this is useful for users, e.g. you can reboot your crashed
> >> >system from your office in the case of cheap commodity hardware without
> >> >remote management tools (e.g. HP's iLO or Dell's iDRAC).
> >> >
> >> >Still, I think that including this in Netfilter is a bit of an abuse
> >> >since this is out of the scope of providing some firewalling feature.
> >>
> >> David Miller has stated his opinion already last year, and he's
> >> for the Netfilter variant:
> >> http://markmail.org/message/d7kpczdbtpcxwli6
> >
> > I think that affirmation is true in the context of:
> >
> > [PATCH]: Add Network Sysrq Support
> >
> > but I'm not sure it is outside of it.
> >
> > He probably preferred the Netfilter option because, comparing it to the
> > Netfilter approach, it looks nicer. Well, just look at all those sysfs
> > and proc interfaces he was proposing for that approach (it seems quite
> > ugly to me).
> >
> > You can use the udp_encap hook (that Florian mentioned) plus some
> > genetlink interface and little user-space tool to make it out of
> > netfilter. Most of the xt_SYSRQ code can be reused and the genetlink
> > interface plus one library can be added with little extra work.
> >
> > @David: just to put you into context. Jan is proposing to merge
> > xt_SYSRQ into mainstream, we are discussing if it would be better to
> > make it out of it (so people do not depend on the firewalling
> > utilities to get it working) based on a different proposal described
> > above.
> 
> For this to be truly useful, it has to work when all of userspace is
> dead and unresponsive (oom hell, swap hell, hdd disconnected, etc),
> and as such from the moment the magic packet gets received, to the
> command (reboot/etc) being executed it has to be a fully kernel based
> solution - preferably within the network softirq.
> 
> Anything relying on userspace (outside of initial configuration) is
> not acceptable.

So far, nobody mentioned the possibility of any sort of user-space daemon
;-).

That user-space tool would be used to configure it through genetlink
outside of netfilter. That's all.

And I think everybody here still thinks this is useful, what we're
discussing is the nicer approach.

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-14 13:11           ` Pablo Neira Ayuso
@ 2012-07-14 14:49             ` Aft nix
  2012-07-14 15:24               ` Jan Engelhardt
  0 siblings, 1 reply; 18+ messages in thread
From: Aft nix @ 2012-07-14 14:49 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Maciej Żenczykowski, Jan Engelhardt, David Miller, netfilter-devel

On Sat, Jul 14, 2012 at 7:11 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Jul 13, 2012 at 06:43:36PM -0700, Maciej Żenczykowski wrote:
>> On Fri, Jul 13, 2012 at 2:16 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > On Thu, Jul 12, 2012 at 06:25:13PM +0200, Jan Engelhardt wrote:
>> >>
>> >> On Thursday 2012-07-12 17:49, Pablo Neira Ayuso wrote:
>> >> >> +config NETFILTER_XT_TARGET_SYSRQ
>> >> >> +  tristate '"SYSRQ" - remote sysrq invocation'
>> >> >
>> >> >I guess this is useful for users, e.g. you can reboot your crashed
>> >> >system from your office in the case of cheap commodity hardware without
>> >> >remote management tools (e.g. HP's iLO or Dell's iDRAC).
>> >> >
>> >> >Still, I think that including this in Netfilter is a bit of an abuse
>> >> >since this is out of the scope of providing some firewalling feature.
>> >>
>> >> David Miller has stated his opinion already last year, and he's
>> >> for the Netfilter variant:
>> >> http://markmail.org/message/d7kpczdbtpcxwli6
>> >
>> > I think that affirmation is true in the context of:
>> >
>> > [PATCH]: Add Network Sysrq Support
>> >
>> > but I'm not sure it is outside of it.
>> >
>> > He probably preferred the Netfilter option because, comparing it to the
>> > Netfilter approach, it looks nicer. Well, just look at all those sysfs
>> > and proc interfaces he was proposing for that approach (it seems quite
>> > ugly to me).
>> >
>> > You can use the udp_encap hook (that Florian mentioned) plus some
>> > genetlink interface and little user-space tool to make it out of
>> > netfilter. Most of the xt_SYSRQ code can be reused and the genetlink
>> > interface plus one library can be added with little extra work.
>> >
>> > @David: just to put you into context. Jan is proposing to merge
>> > xt_SYSRQ into mainstream, we are discussing if it would be better to
>> > make it out of it (so people do not depend on the firewalling
>> > utilities to get it working) based on a different proposal described
>> > above.
>>
>> For this to be truly useful, it has to work when all of userspace is
>> dead and unresponsive (oom hell, swap hell, hdd disconnected, etc),
>> and as such from the moment the magic packet gets received, to the
>> command (reboot/etc) being executed it has to be a fully kernel based
>> solution - preferably within the network softirq.
>>
>> Anything relying on userspace (outside of initial configuration) is
>> not acceptable.
>
> So far, nobody mentioned the possibility of any sort of user-space daemon
> ;-).
>
> That user-space tool would be used to configure it through genetlink
> outside of netfilter. That's all.
>
> And I think everybody here still thinks this is useful, what we're
> discussing is the nicer approach.

Hi Jan,

I don't know if it goes into the mainline kernel eventually, but I want this feature
right now. Right now I have to physically go to the office rack to reboot in
case of a kernel crash. Office IT people don't provide IP KVM stuff on development
servers, they only give it to "production" servers.

I really think it's a nice touch. Is it available in Xtables-addons, or do I
just apply your patch directly?

Cheers.

-- 
-aft

* Re: [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ
  2012-07-14 14:49             ` Aft nix
@ 2012-07-14 15:24               ` Jan Engelhardt
  0 siblings, 0 replies; 18+ messages in thread
From: Jan Engelhardt @ 2012-07-14 15:24 UTC (permalink / raw)
  To: Aft nix
  Cc: Pablo Neira Ayuso, Maciej Żenczykowski, David Miller,
	netfilter-devel


On Saturday 2012-07-14 16:49, Aft nix wrote:
>>> > @David: just to put you into context. Jan is proposing to merge
>>> > xt_SYSRQ into mainstream, we are discussing if it would be better to
>>> > make it out of it (so people do not depend on the firewalling
>>> > utilities to get it working) based on a different proposal described
>>> > above.
>
>Hi Jan,
>
>I don't know if it goes into the mainline kernel eventually, but I want this feature
>right now. Right now I have to physically go to the office rack to reboot in
>case of a kernel crash. Office IT people don't provide IP KVM stuff on development
>servers, they only give it to "production" servers.
>
>I really think it's a nice touch. Is it available in Xtables-addons, or do I
>just apply your patch directly?

It is in Xt-a, and I try to upstream it.

Again, I emphasize that xt_SYSRQ can be combined with other matches
of Xtables, and that is why it should be merged rather than a separate
subsystem of some kind.
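
The combination with other matches that Jan points to is also the main safety control when deploying this target, so here is an added example (mine, not code from the patch or from Xtables-addons) of the ruleset a practitioner would pair with xt_SYSRQ: the target is reachable only from one trusted administration host, on one UDP port, below a fixed packet rate, and every attempt that gets that far is logged. It assumes the target is used as a bare `-j SYSRQ` with the key configured through the module parameters shown in the patch (no rule options); the address 192.0.2.10 and port 9 are placeholders.

```shell
#!/bin/sh
# Added example: generate (and optionally load) an iptables-restore fragment
# that confines the SYSRQ target to one trusted host, one UDP port and a low
# packet rate, so the pre-shared key is never tested against traffic from
# anywhere else.
# Assumptions (not from the patch): "-j SYSRQ" takes no rule options, as in
# Xtables-addons; the source host and listening port below are placeholders.

# Arguments: trusted source (host or CIDR), UDP port, packets per minute.
sysrq_rules() {
    src="$1"; port="$2"; rate="${3:-2}"
    cat <<EOF
*filter
:SYSRQ_IN - [0:0]
# Only the trusted host may reach the target; everything else on that
# port is dropped before the key is ever looked at.
-A INPUT -p udp --dport $port -s $src -j SYSRQ_IN
-A INPUT -p udp --dport $port -j DROP
# Rate-limit attempts so a guessed key cannot be brute-forced quickly,
# log what passes the limit, then hand the payload to xt_SYSRQ.
-A SYSRQ_IN -m hashlimit --hashlimit-name sysrq --hashlimit-above $rate/minute -j DROP
-A SYSRQ_IN -j LOG --log-prefix "sysrq: "
-A SYSRQ_IN -j SYSRQ
COMMIT
EOF
}

# Load the rules only when explicitly asked; otherwise print them for review.
if [ "${1:-}" = "--apply" ]; then
    sysrq_rules "$2" "$3" "${4:-2}" | iptables-restore --noflush
else
    sysrq_rules "${1:-192.0.2.10}" "${2:-9}" "${3:-2}"
fi
```

Source-address filtering is defence in depth, not authentication: UDP source addresses can be spoofed, so the rule only narrows who can reach the key check, and the digest mode described in the commit message is what actually stops an on-path observer from replaying a plaintext password. Run with `--apply SRC PORT [RATE]` to load through iptables-restore; without arguments the script just prints the rules.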

end of thread, other threads:[~2012-07-14 15:24 UTC | newest]

Thread overview: 18+ messages
2012-07-10 23:52 xt_recent cleanups, xt_SYSRQ Jan Engelhardt
2012-07-10 23:52 ` [PATCH 1/4] netfilter: xt_recent: remove ip_list_hash_size parameter Jan Engelhardt
2012-07-12 15:42   ` Pablo Neira Ayuso
2012-07-10 23:52 ` [PATCH 2/4] netfilter: cleanup use of the term "IPs" Jan Engelhardt
2012-07-12 15:43   ` Pablo Neira Ayuso
2012-07-10 23:52 ` [PATCH 3/4] netfilter: use permission mnemonics in module_param Jan Engelhardt
2012-07-10 23:52 ` [PATCH 4/4] netfilter: xtables: inclusion of xt_SYSRQ Jan Engelhardt
2012-07-12 15:49   ` Pablo Neira Ayuso
2012-07-12 16:25     ` Jan Engelhardt
2012-07-12 20:26       ` Florian Westphal
2012-07-12 20:29         ` Jan Engelhardt
2012-07-12 20:35           ` Florian Westphal
2012-07-12 21:25             ` Jan Engelhardt
2012-07-13  9:16       ` Pablo Neira Ayuso
2012-07-14  1:43         ` Maciej Żenczykowski
2012-07-14 13:11           ` Pablo Neira Ayuso
2012-07-14 14:49             ` Aft nix
2012-07-14 15:24               ` Jan Engelhardt
