* [PATCH 0/3] Netfilter fixes for net
@ 2019-06-17 22:42 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-06-17 22:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

1) Module autoload for masquerade and redirection does not work.

2) Leak in unqueued packets in nf_ct_frag6_queue(). Ignore duplicated
   fragments, pretend they are placed into the queue. Patches from
   Guillaume Nault.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 100f6d8e09905c59be45b6316f8f369c0be1b2d8:

  net: correct zerocopy refcnt with udp MSG_MORE (2019-05-30 15:54:04 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 8a3dca632538c550930ce8bafa8c906b130d35cf:

  netfilter: ipv6: nf_defrag: accept duplicate fragments again (2019-06-07 14:49:01 +0200)

----------------------------------------------------------------
Guillaume Nault (2):
      netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
      netfilter: ipv6: nf_defrag: accept duplicate fragments again

Pablo Neira Ayuso (1):
      netfilter: nf_tables: fix module autoload with inet family

 net/ipv6/netfilter/nf_conntrack_reasm.c | 22 ++++++++++++----------
 net/netfilter/nft_masq.c                |  3 +--
 net/netfilter/nft_redir.c               |  3 +--
 3 files changed, 14 insertions(+), 14 deletions(-)


* [PATCH 1/3] netfilter: nf_tables: fix module autoload with inet family
@ 2019-06-17 22:42 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-06-17 22:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Use MODULE_ALIAS_NFT_EXPR() to make the inet family happy with nat.

Fixes: 63ce3940f3ab ("netfilter: nft_redir: add inet support")
Fixes: 071657d2c38c ("netfilter: nft_masq: add inet support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_masq.c  | 3 +--
 net/netfilter/nft_redir.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index 86fd90085eaf..8c1612d6bc2c 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -307,5 +307,4 @@ module_exit(nft_masq_module_exit);
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
-MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "masq");
-MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "masq");
+MODULE_ALIAS_NFT_EXPR("masq");
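Review bot: the two removed per-family aliases (AF_INET6 and AF_INET) are replaced by one family-agnostic MODULE_ALIAS_NFT_EXPR("masq"), which is what lets a request from the inet family autoload this module; before merging, confirm no remaining caller still requests the per-family alias form, since those lookups would no longer resolve to nft_masq. The alias string here matches the expression name "masq", which is the pattern the nft_redir.c hunk in this same patch should mirror.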
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index da74fdc4a684..8787e9f8ed71 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -294,5 +294,4 @@ module_exit(nft_redir_module_exit);
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
-MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "redir");
-MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "redir");
+MODULE_ALIAS_NFT_EXPR("nat");
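Review bot: the replacement alias on the `+` line reads `MODULE_ALIAS_NFT_EXPR("nat");`, but this is nft_redir.c and both removed lines are aliases for "redir"; the sibling nft_masq.c hunk uses `MODULE_ALIAS_NFT_EXPR("masq");`. With "nat" here, an autoload request for the redir expression will not find this module, and "nat" is the name of a different expression, so the intended line is almost certainly `+MODULE_ALIAS_NFT_EXPR("redir");`. A quick check that `nft add rule inet ... redirect` autoloads nft_redir from a clean boot would catch this before it reaches net.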
-- 
2.11.0



* [PATCH 2/3] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
@ 2019-06-17 22:42 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-06-17 22:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Guillaume Nault <gnault@redhat.com>

With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
after the skb has been added to the fragment queue and
nf_ct_frag6_gather() was adapted to handle this case.

But nf_ct_frag6_queue() can still fail before the fragment has been
queued. nf_ct_frag6_gather() can't handle this case anymore, because it
has no way to know if nf_ct_frag6_queue() queued the fragment before
failing. If it didn't, the skb is lost as the error code is overwritten
with -EINPROGRESS.

Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
that nf_ct_frag6_gather() can propagate the error as is.

Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 3de0e9b0a482..5b3f65e29b6f 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -293,7 +293,11 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
 		skb->_skb_refdst = 0UL;
 		err = nf_ct_frag6_reasm(fq, skb, prev, dev);
 		skb->_skb_refdst = orefdst;
-		return err;
+
+		/* After queue has assumed skb ownership, only 0 or
+		 * -EINPROGRESS must be returned.
+		 */
+		return err ? -EINPROGRESS : 0;
 	}
 
 	skb_dst_drop(skb);
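Review bot: `return err ? -EINPROGRESS : 0;` is right for this reassembly path, where the skb is already owned by the queue, but this hunk only normalises that one return; now that the override in nf_ct_frag6_gather() is dropped in the same patch, the rule in the new comment ("only 0 or -EINPROGRESS must be returned") has to hold for every return in nf_ct_frag6_queue() that comes after inet_frag_queue_insert() succeeds, so each of those sites deserves a look. It would also help future readers if the comment said why: callers translate -EINPROGRESS into NF_STOLEN, so any other error returned after ownership transfer becomes a double-free or a leak of the skb.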
@@ -480,12 +484,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
 		ret = 0;
 	}
 
-	/* after queue has assumed skb ownership, only 0 or -EINPROGRESS
-	 * must be returned.
-	 */
-	if (ret)
-		ret = -EINPROGRESS;
-
 	spin_unlock_bh(&fq->q.lock);
 	inet_frag_put(&fq->q);
 	return ret;
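Review bot: removing the `if (ret) ret = -EINPROGRESS;` override means every negative value from nf_ct_frag6_queue() now reaches the caller as an error verdict, which fixes the leak described in the commit message, but it also removes the safety net for all pre-queue failure paths in nf_ct_frag6_queue(), so each of them must leave the skb owned by the caller and must return something the caller will treat correctly. The IPFRAG_DUP result from inet_frag_queue_insert() is one such path: the duplicate is never queued, so after this change it is reported as an error and dropped instead of being accepted as before. Patch 3/3 of this series fixes exactly that, which suggests either folding the two patches together or calling out the duplicate-fragment behaviour change in this commit message.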
-- 
2.11.0



* [PATCH 3/3] netfilter: ipv6: nf_defrag: accept duplicate fragments again
@ 2019-06-17 22:42 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-06-17 22:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Guillaume Nault <gnault@redhat.com>

When fixing the skb leak introduced by the conversion to rbtree, I
forgot about the special case of duplicate fragments. The condition
under the 'insert_error' label isn't effective anymore as
nf_ct_frag6_gather() doesn't override the returned value anymore. So
duplicate fragments now get NF_DROP verdict.

To accept duplicate fragments again, handle them specially as soon as
inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
translate to NF_STOLEN verdict, like any accepted fragment. However,
such packets don't carry any new information and aren't queued, so we
just drop them immediately.

Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/nf_conntrack_reasm.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 5b3f65e29b6f..8951de8b568f 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -265,8 +265,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
 
 	prev = fq->q.fragments_tail;
 	err = inet_frag_queue_insert(&fq->q, skb, offset, end);
-	if (err)
+	if (err) {
+		if (err == IPFRAG_DUP) {
+			/* No error for duplicates, pretend they got queued. */
+			kfree_skb(skb);
+			return -EINPROGRESS;
+		}
 		goto insert_error;
+	}
 
 	if (dev)
 		fq->iif = dev->ifindex;
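Review bot: freeing the duplicate with kfree_skb() and returning -EINPROGRESS keeps the "only 0 or -EINPROGRESS after ownership transfer" rule intact, but the comment "pretend they got queued" should say explicitly that the skb is consumed here and the caller will see NF_STOLEN, so nobody later adds code that touches skb after this return. It is also worth a line in the comment that the early return deliberately skips inet_frag_kill(): a duplicate does not invalidate the queue, unlike the other insert errors that still go to insert_error.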
@@ -304,8 +310,6 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
 	return -EINPROGRESS;
 
 insert_error:
-	if (err == IPFRAG_DUP)
-		goto err;
 	inet_frag_kill(&fq->q);
 err:
 	skb_dst_drop(skb);
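Review bot: with the IPFRAG_DUP check removed, everything reaching insert_error is a genuine insertion failure and unconditionally kills the queue, which is consistent with the early-return handling added in the first hunk. If fall-through from insert_error is now the only remaining use of the `err:` label in this function, the label can be dropped; if other `goto err` sites remain, leave it as is.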
-- 
2.11.0

