* [PATCH net 0/4] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2020-11-21 12:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix missing control data in flow dissector, otherwise IP address
matching in hardware offload infra does not work.
2) Fix hardware offload match on prefix IP address when userspace
does not send a bitwise expression to represent the prefix.
3) Insufficient validation of IPSET_ATTR_IPADDR_IPV6 reported
by syzbot.
4) Remove spurious reports on nf_tables when lockdep gets disabled,
from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 849920c703392957f94023f77ec89ca6cf119d43:
devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill() (2020-11-14 16:23:19 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 986fbd9842ba114c74b4fb61c4dc146d87a55316:
netfilter: nf_tables: avoid false-postive lockdep splat (2020-11-20 10:18:39 +0100)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: ipset: prevent uninit-value in hash_ip6_add
Florian Westphal (1):
netfilter: nf_tables: avoid false-postive lockdep splat
Pablo Neira Ayuso (2):
netfilter: nftables_offload: set address type in control dissector
netfilter: nftables_offload: build mask based from the matching bytes
include/net/netfilter/nf_tables_offload.h | 7 ++++
net/netfilter/ipset/ip_set_core.c | 3 +-
net/netfilter/nf_tables_api.c | 3 +-
net/netfilter/nf_tables_offload.c | 18 ++++++++
net/netfilter/nft_cmp.c | 8 ++--
net/netfilter/nft_meta.c | 16 +++----
net/netfilter/nft_payload.c | 70 +++++++++++++++++++++++--------
7 files changed, 93 insertions(+), 32 deletions(-)
* [PATCH net 1/4] netfilter: nftables_offload: set address type in control dissector
From: Pablo Neira Ayuso @ 2020-11-21 12:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
If the address type is missing through the control dissector, then
matching on IPv4 and IPv6 addresses does not work. Set it accordingly so
rules that specify an IP address successfully match on packets.
Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables_offload.h | 4 ++++
net/netfilter/nf_tables_offload.c | 18 ++++++++++++++++++
net/netfilter/nft_payload.c | 4 ++++
3 files changed, 26 insertions(+)
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index ea7d1d78b92d..bddd34c5bd79 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -37,6 +37,7 @@ void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
struct nft_flow_key {
struct flow_dissector_key_basic basic;
+ struct flow_dissector_key_control control;
union {
struct flow_dissector_key_ipv4_addrs ipv4;
struct flow_dissector_key_ipv6_addrs ipv6;
@@ -62,6 +63,9 @@ struct nft_flow_rule {
#define NFT_OFFLOAD_F_ACTION (1 << 0)
+void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
+ enum flow_dissector_key_id addr_type);
+
struct nft_rule;
struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);
void nft_flow_rule_destroy(struct nft_flow_rule *flow);
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 9f625724a20f..9a3c5ac057b6 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -28,6 +28,24 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
return flow;
}
+void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
+ enum flow_dissector_key_id addr_type)
+{
+ struct nft_flow_match *match = &flow->match;
+ struct nft_flow_key *mask = &match->mask;
+ struct nft_flow_key *key = &match->key;
+
+ if (match->dissector.used_keys & BIT(FLOW_DISSECTOR_KEY_CONTROL))
+ return;
+
+ key->control.addr_type = addr_type;
+ mask->control.addr_type = 0xffff;
+ match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL);
+ match->dissector.offset[FLOW_DISSECTOR_KEY_CONTROL] =
+ offsetof(struct nft_flow_key, control);
+}
+EXPORT_SYMBOL_GPL(nft_flow_rule_set_addr_type);
+
struct nft_flow_rule *nft_flow_rule_create(struct net *net,
const struct nft_rule *rule)
{
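Review bot: The early return in nft_flow_rule_set_addr_type keeps whichever addr_type was stored first and gives no sign when a later call asks for a different one, so a rule whose expressions disagree on the address family is offloaded with a control key that fits only one of them. Checking before bailing out makes the conflict visible at the cost of one line: `if (match->dissector.used_keys & BIT(FLOW_DISSECTOR_KEY_CONTROL)) { WARN_ON_ONCE(key->control.addr_type != addr_type); return; }`. Whether such a rule can reach this point is not visible here; if the rule parser already rejects it, a comment stating that the control key is set at most once per flow rule is the alternative. The hunk ends on the opening line of nft_flow_rule_create, whose body is outside it.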
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index dcd3c7b8a367..bbf811d030d5 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -244,6 +244,7 @@ static int nft_payload_offload_ip(struct nft_offload_ctx *ctx,
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, src,
sizeof(struct in_addr), reg);
+ nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV4_ADDRS);
break;
case offsetof(struct iphdr, daddr):
if (priv->len != sizeof(struct in_addr))
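Review bot: The same `nft_flow_rule_set_addr_type(flow, …)` call is pasted after NFT_OFFLOAD_MATCH in four places — here and in the hunks at -251, -280 and -287 — which is the kind of duplication that drifts when only one site is later edited. Since nft_payload_offload_ip and nft_payload_offload_ip6 each handle exactly one family, naming the family once per function (for instance a local `enum flow_dissector_key_id addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;` used by both address cases) would prevent a future edit from setting IPv4 in one case and IPv6 in the other. The enclosing switch and function start before this hunk.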
@@ -251,6 +252,7 @@ static int nft_payload_offload_ip(struct nft_offload_ctx *ctx,
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, dst,
sizeof(struct in_addr), reg);
+ nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV4_ADDRS);
break;
case offsetof(struct iphdr, protocol):
if (priv->len != sizeof(__u8))
@@ -280,6 +282,7 @@ static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx,
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, src,
sizeof(struct in6_addr), reg);
+ nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV6_ADDRS);
break;
case offsetof(struct ipv6hdr, daddr):
if (priv->len != sizeof(struct in6_addr))
@@ -287,6 +290,7 @@ static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx,
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, dst,
sizeof(struct in6_addr), reg);
+ nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV6_ADDRS);
break;
case offsetof(struct ipv6hdr, nexthdr):
if (priv->len != sizeof(__u8))
--
2.20.1
* [PATCH net 2/4] netfilter: nftables_offload: build mask based from the matching bytes
From: Pablo Neira Ayuso @ 2020-11-21 12:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Userspace might match on prefix bytes of header fields if they are on a byte
boundary; this requires that the mask is adjusted accordingly.
Use NFT_OFFLOAD_MATCH_EXACT() for meta since prefix byte matching is not
allowed for this type of selector.
Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables_offload.h | 3 ++
net/netfilter/nft_cmp.c | 8 +--
net/netfilter/nft_meta.c | 16 +++---
net/netfilter/nft_payload.c | 66 +++++++++++++++++------
4 files changed, 64 insertions(+), 29 deletions(-)
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index bddd34c5bd79..1d34fe154fe0 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -78,6 +78,9 @@ int nft_flow_rule_offload_commit(struct net *net);
offsetof(struct nft_flow_key, __base.__field); \
(__reg)->len = __len; \
(__reg)->key = __key; \
+
+#define NFT_OFFLOAD_MATCH_EXACT(__key, __base, __field, __len, __reg) \
+ NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \
memset(&(__reg)->mask, 0xff, (__reg)->len);
int nft_chain_offload_priority(struct nft_base_chain *basechain);
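Review bot: NFT_OFFLOAD_MATCH now ends with a line continuation on `(__reg)->key = __key; \` and is terminated only by the added blank line, so deleting that blank line — a common tidy-up — would splice the `#define NFT_OFFLOAD_MATCH_EXACT` line into NFT_OFFLOAD_MATCH's replacement list. Dropping the backslash, `(__reg)->key = __key;`, ends the macro explicitly and makes the blank line cosmetic. Both macros also expand to several statements with no `do { } while (0)` wrapper, which is safe in the `case` bodies they are used in but not under an unbraced `if`; the original macro had the same shape, so a short comment above it noting that constraint would do. The start of NFT_OFFLOAD_MATCH's definition lies before this hunk.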
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index bc079d68a536..00e563a72d3d 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -123,11 +123,11 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
u8 *mask = (u8 *)&flow->match.mask;
u8 *key = (u8 *)&flow->match.key;
- if (priv->op != NFT_CMP_EQ || reg->len != priv->len)
+ if (priv->op != NFT_CMP_EQ || priv->len > reg->len)
return -EOPNOTSUPP;
- memcpy(key + reg->offset, &priv->data, priv->len);
- memcpy(mask + reg->offset, ®->mask, priv->len);
+ memcpy(key + reg->offset, &priv->data, reg->len);
+ memcpy(mask + reg->offset, ®->mask, reg->len);
flow->match.dissector.used_keys |= BIT(reg->key);
flow->match.dissector.offset[reg->key] = reg->base_offset;
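Review bot: The key copy now takes reg->len bytes from priv->data although only priv->len of them belong to the comparison, so a prefix match is correct only if the unused tail of priv->data is zero, which nothing in this hunk establishes. Copying the key with the user-provided length and only the mask with the field length makes the intent explicit, `memcpy(key + reg->offset, &priv->data, priv->len);`, provided flow->match.key starts out zeroed (its allocation is outside this hunk). The `®->mask` in the mask copy appears to be a rendering artifact of `&reg->mask`. __nft_cmp_offload starts before this hunk and continues after it.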
@@ -137,7 +137,7 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
nft_reg_load16(priv->data.data) != ARPHRD_ETHER)
return -EOPNOTSUPP;
- nft_offload_update_dependency(ctx, &priv->data, priv->len);
+ nft_offload_update_dependency(ctx, &priv->data, reg->len);
return 0;
}
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index b37bd02448d8..bf4b3ad5314c 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -724,22 +724,22 @@ static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
switch (priv->key) {
case NFT_META_PROTOCOL:
- NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, n_proto,
- sizeof(__u16), reg);
+ NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_BASIC, basic, n_proto,
+ sizeof(__u16), reg);
nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
break;
case NFT_META_L4PROTO:
- NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
- sizeof(__u8), reg);
+ NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
+ sizeof(__u8), reg);
nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
break;
case NFT_META_IIF:
- NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
- ingress_ifindex, sizeof(__u32), reg);
+ NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_META, meta,
+ ingress_ifindex, sizeof(__u32), reg);
break;
case NFT_META_IIFTYPE:
- NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
- ingress_iftype, sizeof(__u16), reg);
+ NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_META, meta,
+ ingress_iftype, sizeof(__u16), reg);
break;
default:
return -EOPNOTSUPP;
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index bbf811d030d5..47d4e0e21651 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -165,6 +165,34 @@ static int nft_payload_dump(struct sk_buff *skb, const struct nft_expr *expr)
return -1;
}
+static bool nft_payload_offload_mask(struct nft_offload_reg *reg,
+ u32 priv_len, u32 field_len)
+{
+ unsigned int remainder, delta, k;
+ struct nft_data mask = {};
+ __be32 remainder_mask;
+
+ if (priv_len == field_len) {
+ memset(®->mask, 0xff, priv_len);
+ return true;
+ } else if (priv_len > field_len) {
+ return false;
+ }
+
+ memset(&mask, 0xff, field_len);
+ remainder = priv_len % sizeof(u32);
+ if (remainder) {
+ k = priv_len / sizeof(u32);
+ delta = field_len - priv_len;
+ remainder_mask = htonl(~((1 << (delta * BITS_PER_BYTE)) - 1));
+ mask.data[k] = (__force u32)remainder_mask;
+ }
+
+ memcpy(®->mask, &mask, field_len);
+
+ return true;
+}
+
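Review bot: The partial-word mask computed in nft_payload_offload_mask is right only when field_len is a multiple of four, because `delta = field_len - priv_len` counts bytes to the end of the whole field rather than to the end of word k: for a 6-byte field with priv_len 3 the word becomes `htonl(~((1 << 24) - 1))`, i.e. bytes ff 00 00 00 where ff ff ff 00 is wanted, and for a 2-byte field with priv_len 1 the two bytes copied are ff ff, turning the prefix match into an exact match against whatever the second key byte holds. For 16-byte fields with priv_len below 12 and not a multiple of four, `delta * BITS_PER_BYTE` is 32 or more and the shift is undefined in C, even on targets where it happens to wrap to the intended count. A byte-boundary prefix mask needs no word arithmetic at all — priv_len bytes of 0xff followed by zeros — so the function can be reduced to the sketch below, which preserves the existing priv_len == field_len and priv_len > field_len results and writes the same field_len bytes of reg->mask. The exposed call sites are the ones in the later hunks of this file that now accept a shorter priv->len for 2- and 6-byte fields (h_source, h_dest, h_proto, the VLAN fields, the TCP and UDP ports); the in_addr and in6_addr cases only hit the undefined shift.
```c
static bool nft_payload_offload_mask(struct nft_offload_reg *reg,
				     u32 priv_len, u32 field_len)
{
	if (priv_len > field_len)
		return false;

	/* A prefix on a byte boundary is priv_len bytes of 0xff followed by
	 * zeros up to the field size; no per-word arithmetic is needed.
	 */
	memset(&reg->mask, 0, field_len);
	memset(&reg->mask, 0xff, priv_len);

	return true;
}
```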
static int nft_payload_offload_ll(struct nft_offload_ctx *ctx,
struct nft_flow_rule *flow,
const struct nft_payload *priv)
@@ -173,21 +201,21 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx,
switch (priv->offset) {
case offsetof(struct ethhdr, h_source):
- if (priv->len != ETH_ALEN)
+ if (!nft_payload_offload_mask(reg, priv->len, ETH_ALEN))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs,
src, ETH_ALEN, reg);
break;
case offsetof(struct ethhdr, h_dest):
- if (priv->len != ETH_ALEN)
+ if (!nft_payload_offload_mask(reg, priv->len, ETH_ALEN))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs,
dst, ETH_ALEN, reg);
break;
case offsetof(struct ethhdr, h_proto):
- if (priv->len != sizeof(__be16))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic,
@@ -195,14 +223,14 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx,
nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
break;
case offsetof(struct vlan_ethhdr, h_vlan_TCI):
- if (priv->len != sizeof(__be16))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_VLAN, vlan,
vlan_tci, sizeof(__be16), reg);
break;
case offsetof(struct vlan_ethhdr, h_vlan_encapsulated_proto):
- if (priv->len != sizeof(__be16))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_VLAN, vlan,
@@ -210,7 +238,7 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx,
nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
break;
case offsetof(struct vlan_ethhdr, h_vlan_TCI) + sizeof(struct vlan_hdr):
- if (priv->len != sizeof(__be16))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_CVLAN, vlan,
@@ -218,7 +246,7 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx,
break;
case offsetof(struct vlan_ethhdr, h_vlan_encapsulated_proto) +
sizeof(struct vlan_hdr):
- if (priv->len != sizeof(__be16))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_CVLAN, vlan,
@@ -239,7 +267,8 @@ static int nft_payload_offload_ip(struct nft_offload_ctx *ctx,
switch (priv->offset) {
case offsetof(struct iphdr, saddr):
- if (priv->len != sizeof(struct in_addr))
+ if (!nft_payload_offload_mask(reg, priv->len,
+ sizeof(struct in_addr)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, src,
@@ -247,7 +276,8 @@ static int nft_payload_offload_ip(struct nft_offload_ctx *ctx,
nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV4_ADDRS);
break;
case offsetof(struct iphdr, daddr):
- if (priv->len != sizeof(struct in_addr))
+ if (!nft_payload_offload_mask(reg, priv->len,
+ sizeof(struct in_addr)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, dst,
@@ -255,7 +285,7 @@ static int nft_payload_offload_ip(struct nft_offload_ctx *ctx,
nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV4_ADDRS);
break;
case offsetof(struct iphdr, protocol):
- if (priv->len != sizeof(__u8))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__u8)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
@@ -277,7 +307,8 @@ static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx,
switch (priv->offset) {
case offsetof(struct ipv6hdr, saddr):
- if (priv->len != sizeof(struct in6_addr))
+ if (!nft_payload_offload_mask(reg, priv->len,
+ sizeof(struct in6_addr)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, src,
@@ -285,7 +316,8 @@ static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx,
nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV6_ADDRS);
break;
case offsetof(struct ipv6hdr, daddr):
- if (priv->len != sizeof(struct in6_addr))
+ if (!nft_payload_offload_mask(reg, priv->len,
+ sizeof(struct in6_addr)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, dst,
@@ -293,7 +325,7 @@ static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx,
nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV6_ADDRS);
break;
case offsetof(struct ipv6hdr, nexthdr):
- if (priv->len != sizeof(__u8))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__u8)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
@@ -335,14 +367,14 @@ static int nft_payload_offload_tcp(struct nft_offload_ctx *ctx,
switch (priv->offset) {
case offsetof(struct tcphdr, source):
- if (priv->len != sizeof(__be16))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src,
sizeof(__be16), reg);
break;
case offsetof(struct tcphdr, dest):
- if (priv->len != sizeof(__be16))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst,
@@ -363,14 +395,14 @@ static int nft_payload_offload_udp(struct nft_offload_ctx *ctx,
switch (priv->offset) {
case offsetof(struct udphdr, source):
- if (priv->len != sizeof(__be16))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src,
sizeof(__be16), reg);
break;
case offsetof(struct udphdr, dest):
- if (priv->len != sizeof(__be16))
+ if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
return -EOPNOTSUPP;
NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst,
--
2.20.1
* [PATCH net 3/4] netfilter: ipset: prevent uninit-value in hash_ip6_add
From: Pablo Neira Ayuso @ 2020-11-21 12:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Eric Dumazet <edumazet@google.com>
syzbot found that we are not validating user input properly
before copying 16 bytes [1].
Using NLA_BINARY in ipaddr_policy[] for the IPv6 address is not correct,
since it only ensures that at most 16 bytes were provided.
We should instead make sure user provided exactly 16 bytes.
In old kernels (before v4.20), fix would be to remove the NLA_BINARY,
since NLA_POLICY_EXACT_LEN() was not yet available.
[1]
BUG: KMSAN: uninit-value in hash_ip6_add+0x1cba/0x3a50 net/netfilter/ipset/ip_set_hash_gen.h:892
CPU: 1 PID: 11611 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x21c/0x280 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
__msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
hash_ip6_add+0x1cba/0x3a50 net/netfilter/ipset/ip_set_hash_gen.h:892
hash_ip6_uadt+0x976/0xbd0 net/netfilter/ipset/ip_set_hash_ip.c:267
call_ad+0x329/0xd00 net/netfilter/ipset/ip_set_core.c:1720
ip_set_ad+0x111f/0x1440 net/netfilter/ipset/ip_set_core.c:1808
ip_set_uadd+0xf6/0x110 net/netfilter/ipset/ip_set_core.c:1833
nfnetlink_rcv_msg+0xc7d/0xdf0 net/netfilter/nfnetlink.c:252
netlink_rcv_skb+0x70a/0x820 net/netlink/af_netlink.c:2494
nfnetlink_rcv+0x4f0/0x4380 net/netfilter/nfnetlink.c:600
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x11da/0x14b0 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x173c/0x1840 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
____sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
___sys_sendmsg net/socket.c:2407 [inline]
__sys_sendmsg+0x6d5/0x830 net/socket.c:2440
__do_sys_sendmsg net/socket.c:2449 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2447
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447
do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe2e503fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000029ec0 RCX: 000000000045deb9
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 000000000169fb7f R14: 00007fe2e50409c0 R15: 000000000118bf2c
Uninit was stored to memory at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
__msan_chain_origin+0x57/0xa0 mm/kmsan/kmsan_instr.c:147
ip6_netmask include/linux/netfilter/ipset/pfxlen.h:49 [inline]
hash_ip6_netmask net/netfilter/ipset/ip_set_hash_ip.c:185 [inline]
hash_ip6_uadt+0xb1c/0xbd0 net/netfilter/ipset/ip_set_hash_ip.c:263
call_ad+0x329/0xd00 net/netfilter/ipset/ip_set_core.c:1720
ip_set_ad+0x111f/0x1440 net/netfilter/ipset/ip_set_core.c:1808
ip_set_uadd+0xf6/0x110 net/netfilter/ipset/ip_set_core.c:1833
nfnetlink_rcv_msg+0xc7d/0xdf0 net/netfilter/nfnetlink.c:252
netlink_rcv_skb+0x70a/0x820 net/netlink/af_netlink.c:2494
nfnetlink_rcv+0x4f0/0x4380 net/netfilter/nfnetlink.c:600
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x11da/0x14b0 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x173c/0x1840 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
____sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
___sys_sendmsg net/socket.c:2407 [inline]
__sys_sendmsg+0x6d5/0x830 net/socket.c:2440
__do_sys_sendmsg net/socket.c:2449 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2447
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447
do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was stored to memory at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
kmsan_memcpy_memmove_metadata+0x25e/0x2d0 mm/kmsan/kmsan.c:226
kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:246
__msan_memcpy+0x46/0x60 mm/kmsan/kmsan_instr.c:110
ip_set_get_ipaddr6+0x2cb/0x370 net/netfilter/ipset/ip_set_core.c:310
hash_ip6_uadt+0x439/0xbd0 net/netfilter/ipset/ip_set_hash_ip.c:255
call_ad+0x329/0xd00 net/netfilter/ipset/ip_set_core.c:1720
ip_set_ad+0x111f/0x1440 net/netfilter/ipset/ip_set_core.c:1808
ip_set_uadd+0xf6/0x110 net/netfilter/ipset/ip_set_core.c:1833
nfnetlink_rcv_msg+0xc7d/0xdf0 net/netfilter/nfnetlink.c:252
netlink_rcv_skb+0x70a/0x820 net/netlink/af_netlink.c:2494
nfnetlink_rcv+0x4f0/0x4380 net/netfilter/nfnetlink.c:600
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x11da/0x14b0 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x173c/0x1840 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
____sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
___sys_sendmsg net/socket.c:2407 [inline]
__sys_sendmsg+0x6d5/0x830 net/socket.c:2440
__do_sys_sendmsg net/socket.c:2449 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2447
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447
do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104
kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76
slab_alloc_node mm/slub.c:2906 [inline]
__kmalloc_node_track_caller+0xc61/0x15f0 mm/slub.c:4512
__kmalloc_reserve net/core/skbuff.c:142 [inline]
__alloc_skb+0x309/0xae0 net/core/skbuff.c:210
alloc_skb include/linux/skbuff.h:1094 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]
netlink_sendmsg+0xdb8/0x1840 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg net/socket.c:671 [inline]
____sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
___sys_sendmsg net/socket.c:2407 [inline]
__sys_sendmsg+0x6d5/0x830 net/socket.c:2440
__do_sys_sendmsg net/socket.c:2449 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2447
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447
do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 7cff6e5e7445..2b19189a930f 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -271,8 +271,7 @@ flag_nested(const struct nlattr *nla)
static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
[IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
- [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
- .len = sizeof(struct in6_addr) },
+ [IPSET_ATTR_IPADDR_IPV6] = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
};
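Review bot: Nothing in the table says why the IPv6 entry needs an exact length while the IPv4 entry goes through NLA_U32, so a later cleanup could "simplify" it back to NLA_BINARY and reintroduce the report quoted in the commit message. A one-line comment on the new entry would anchor it, e.g. `/* exact length: ip_set_get_ipaddr6() copies sizeof(struct in6_addr) bytes, so a shorter attribute would leave the tail of the address uninitialized */`. The policy only protects callers that parse with ipaddr_policy; ip_set_get_ipaddr6 appears in the report's trace, but its parsing call is outside this hunk.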
int
--
2.20.1
* [PATCH net 4/4] netfilter: nf_tables: avoid false-postive lockdep splat
From: Pablo Neira Ayuso @ 2020-11-21 12:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Florian Westphal <fw@strlen.de>
There are reports wrt lockdep splat in nftables, e.g.:
------------[ cut here ]------------
WARNING: CPU: 2 PID: 31416 at net/netfilter/nf_tables_api.c:622
lockdep_nfnl_nft_mutex_not_held+0x28/0x38 [nf_tables]
...
These are caused by an earlier, unrelated bug such as an ABBA deadlock
in a different subsystem.
In such an event, lockdep is disabled and lockdep_is_held returns true
unconditionally. This then causes the WARN() in nf_tables.
Make the WARN conditional on lockdep still active to avoid this.
Fixes: f102d66b335a417 ("netfilter: nf_tables: use dedicated mutex to guard transactions")
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Link: https://lore.kernel.org/linux-kselftest/CA+G9fYvFUpODs+NkSYcnwKnXm62tmP=ksLeBPmB+KFrB2rvCtQ@mail.gmail.com/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0f58e98542be..23abf1578594 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -619,7 +619,8 @@ static int nft_request_module(struct net *net, const char *fmt, ...)
static void lockdep_nfnl_nft_mutex_not_held(void)
{
#ifdef CONFIG_PROVE_LOCKING
- WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
+ if (debug_locks)
+ WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
#endif
}
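Review bot: The `if (debug_locks)` guard encodes a lockdep property that is not obvious from the code, so it is likely to be removed as redundant unless it carries a comment, e.g. `/* once lockdep has been disabled by an earlier splat, lockdep_is_held() returns true unconditionally, so the WARN is only meaningful while debug_locks is set */`. Any other helper in this file that wraps lockdep_is_held() in a WARN would need the same guard; none is visible in this hunk.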
--
2.20.1
* Re: [PATCH net 1/4] netfilter: nftables_offload: set address type in control dissector
From: Jakub Kicinski @ 2020-11-22 0:44 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev
On Sat, 21 Nov 2020 13:35:58 +0100 Pablo Neira Ayuso wrote:
> If the address type is missing through the control dissector, then
> matching on IPv4 and IPv6 addresses does not work.
Doesn't work where? Are you talking about a specific driver?
> Set it accordingly so
> rules that specify an IP address succesfully match on packets.
>
> Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> include/net/netfilter/nf_tables_offload.h | 4 ++++
> net/netfilter/nf_tables_offload.c | 18 ++++++++++++++++++
> net/netfilter/nft_payload.c | 4 ++++
> 3 files changed, 26 insertions(+)
>
> diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
> index ea7d1d78b92d..bddd34c5bd79 100644
> --- a/include/net/netfilter/nf_tables_offload.h
> +++ b/include/net/netfilter/nf_tables_offload.h
> @@ -37,6 +37,7 @@ void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
>
> struct nft_flow_key {
> struct flow_dissector_key_basic basic;
> + struct flow_dissector_key_control control;
> union {
> struct flow_dissector_key_ipv4_addrs ipv4;
> struct flow_dissector_key_ipv6_addrs ipv6;
> @@ -62,6 +63,9 @@ struct nft_flow_rule {
>
> #define NFT_OFFLOAD_F_ACTION (1 << 0)
>
> +void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
> + enum flow_dissector_key_id addr_type);
> +
> struct nft_rule;
> struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);
> void nft_flow_rule_destroy(struct nft_flow_rule *flow);
> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
> index 9f625724a20f..9a3c5ac057b6 100644
> --- a/net/netfilter/nf_tables_offload.c
> +++ b/net/netfilter/nf_tables_offload.c
> @@ -28,6 +28,24 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
> return flow;
> }
>
> +void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
> + enum flow_dissector_key_id addr_type)
> +{
> + struct nft_flow_match *match = &flow->match;
> + struct nft_flow_key *mask = &match->mask;
> + struct nft_flow_key *key = &match->key;
> +
> + if (match->dissector.used_keys & BIT(FLOW_DISSECTOR_KEY_CONTROL))
> + return;
> +
> + key->control.addr_type = addr_type;
> + mask->control.addr_type = 0xffff;
> + match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL);
> + match->dissector.offset[FLOW_DISSECTOR_KEY_CONTROL] =
> + offsetof(struct nft_flow_key, control);
Why is this injecting the match conditionally?
> +}
> +EXPORT_SYMBOL_GPL(nft_flow_rule_set_addr_type);
And why is this exported?
nf_tables-objs := nf_tables_core.o nf_tables_api.o nft_chain_filter.o \
nf_tables_trace.o nft_immediate.o nft_cmp.o nft_range.o \
nft_bitwise.o nft_byteorder.o nft_payload.o nft_lookup.o \
^^^^^^^^^^^^^
nft_dynset.o nft_meta.o nft_rt.o nft_exthdr.o \
nft_chain_route.o nf_tables_offload.o \
^^^^^^^^^^^^^^^^^^^
nft_set_hash.o nft_set_bitmap.o nft_set_rbtree.o \
nft_set_pipapo.o
These are linked together.
* Re: [PATCH net 1/4] netfilter: nftables_offload: set address type in control dissector
From: Pablo Neira Ayuso @ 2020-11-22 10:49 UTC (permalink / raw)
To: Jakub Kicinski; +Cc: netfilter-devel, davem, netdev
On Sat, Nov 21, 2020 at 04:44:42PM -0800, Jakub Kicinski wrote:
> On Sat, 21 Nov 2020 13:35:58 +0100 Pablo Neira Ayuso wrote:
> > If the address type is missing through the control dissector, then
> > matching on IPv4 and IPv6 addresses does not work.
>
> Doesn't work where? Are you talking about a specific driver?
No.
It does not work for any kind of match; the control flow dissector key
needs to be set.
* [PATCH net 0/4] Netfilter fixes for net
@ 2024-03-28 3:18 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2024-03-28 3:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
Patch #1 rejects the destroy chain command for deleting device hooks in the
netdev family; hence, only delchain commands are allowed.
Patch #2 rejects table flag updates that interfere with netdev basechain
hook updates; otherwise hooks can be left in an inconsistent
registration/unregistration state.
Patch #3 does not unregister netdev basechain hooks if the table is dormant.
Otherwise, a splat from double unregistration is possible.
Patch #4 fixes Kconfig to allow to restore IP_NF_ARPTABLES,
from Kuniyuki Iwashima.
There are more fixes still in progress on my side that need more work.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-03-28
Thanks.
----------------------------------------------------------------
The following changes since commit d24b03535e5eb82e025219c2f632b485409c898f:
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet (2024-03-22 09:41:39 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-03-28
for you to fetch changes up to 15fba562f7a9f04322b8bfc8f392e04bb93d81be:
netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c (2024-03-28 03:54:02 +0100)
----------------------------------------------------------------
netfilter pull request 24-03-28
----------------------------------------------------------------
Kuniyuki Iwashima (1):
netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c
Pablo Neira Ayuso (3):
netfilter: nf_tables: reject destroy command to remove basechain hooks
netfilter: nf_tables: reject table flag and netdev basechain updates
netfilter: nf_tables: skip netdev hook unregistration if table is dormant
net/ipv4/netfilter/Kconfig | 1 +
net/netfilter/nf_tables_api.c | 50 ++++++++++++++++++++++++++++++++++++-------
2 files changed, 43 insertions(+), 8 deletions(-)
* Re: [PATCH net 0/4] Netfilter fixes for net
2023-03-10 11:08 ` Jeremy Sowden
@ 2023-03-10 11:44 ` Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2023-03-10 11:44 UTC (permalink / raw)
To: Jeremy Sowden; +Cc: netfilter-devel
On Fri, Mar 10, 2023 at 11:08:56AM +0000, Jeremy Sowden wrote:
> On 2023-03-09, at 18:46:51 +0100, Pablo Neira Ayuso wrote:
> > The following patchset contains Netfilter fixes for net:
> >
> > 1) nft_parse_register_load() gets an incorrect datatype size
> > as input, from Jeremy Sowden.
> >
> > 2) incorrect maximum netlink attribute in nft_redir, also
> > from Jeremy.
> >
> > Please, pull these changes from:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
>
> Have you actually pushed these changes to nf.git? Can't see them. :)
Oh, I pushed out to master, not main...
* Re: [PATCH net 0/4] Netfilter fixes for net
2023-03-09 17:46 Pablo Neira Ayuso
@ 2023-03-10 11:08 ` Jeremy Sowden
2023-03-10 11:44 ` Pablo Neira Ayuso
0 siblings, 1 reply; 20+ messages in thread
From: Jeremy Sowden @ 2023-03-10 11:08 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 2023-03-09, at 18:46:51 +0100, Pablo Neira Ayuso wrote:
> The following patchset contains Netfilter fixes for net:
>
> 1) nft_parse_register_load() gets an incorrect datatype size
> as input, from Jeremy Sowden.
>
> 2) incorrect maximum netlink attribute in nft_redir, also
> from Jeremy.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Have you actually pushed these changes to nf.git? Can't see them. :)
J.
* [PATCH net 0/4] Netfilter fixes for net
@ 2023-03-09 17:46 Pablo Neira Ayuso
2023-03-10 11:08 ` Jeremy Sowden
0 siblings, 1 reply; 20+ messages in thread
From: Pablo Neira Ayuso @ 2023-03-09 17:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) nft_parse_register_load() gets an incorrect datatype size
as input, from Jeremy Sowden.
2) incorrect maximum netlink attribute in nft_redir, also
from Jeremy.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 37d9df224d1eec1b434fe9ffa40104c756478c29:
ynl: re-license uniformly under GPL-2.0 OR BSD-3-Clause (2023-03-07 13:44:30 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 493924519b1fe3faab13ee621a43b0d0939abab1:
netfilter: nft_redir: correct value of inet type `.maxattrs` (2023-03-08 12:26:42 +0100)
----------------------------------------------------------------
Jeremy Sowden (4):
netfilter: nft_nat: correct length for loading protocol registers
netfilter: nft_masq: correct length for loading protocol registers
netfilter: nft_redir: correct length for loading protocol registers
netfilter: nft_redir: correct value of inet type `.maxattrs`
net/netfilter/nft_masq.c | 2 +-
net/netfilter/nft_nat.c | 2 +-
net/netfilter/nft_redir.c | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
* [PATCH net 0/4] Netfilter fixes for net
@ 2023-01-24 18:39 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2023-01-24 18:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Perform SCTP vtag verification for ABORT/SHUTDOWN_COMPLETE according
to RFC 9260, Sect 8.5.1.
2) Fix infinite loop if SCTP chunk size is zero in for_each_sctp_chunk(),
and remove a useless check in this macro too.
3) Revert DATA_SENT state in the SCTP tracker, this was applied in the
previous merge window. Next patch in this series provides a more
simple approach to multihoming support.
4) Unify HEARTBEAT_ACKED and ESTABLISHED states for SCTP multihoming
support, using a default ESTABLISHED timeout of 210 seconds based on
heartbeat timeout * maximum number of retransmissions + round-trip timeout.
Otherwise, SCTP conntrack entries that represent secondary paths
remain stale in the table for up to 5 days.
This is a slightly large batch with fixes for the SCTP connection
tracking helper, all patches from Sriram Yagnaraman.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 208a21107ef0ae86c92078caf84ce80053e73f7a:
Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue (2023-01-23 22:36:59 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to a44b7651489f26271ac784b70895e8a85d0cebf4:
netfilter: conntrack: unify established states for SCTP paths (2023-01-24 09:52:52 +0100)
----------------------------------------------------------------
Sriram Yagnaraman (4):
netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE
netfilter: conntrack: fix bug in for_each_sctp_chunk
Revert "netfilter: conntrack: add sctp DATA_SENT state"
netfilter: conntrack: unify established states for SCTP paths
Documentation/networking/nf_conntrack-sysctl.rst | 10 +-
include/uapi/linux/netfilter/nf_conntrack_sctp.h | 3 +-
include/uapi/linux/netfilter/nfnetlink_cttimeout.h | 3 +-
net/netfilter/nf_conntrack_proto_sctp.c | 170 +++++++++------------
net/netfilter/nf_conntrack_standalone.c | 16 --
5 files changed, 77 insertions(+), 125 deletions(-)
* [PATCH net 0/4] Netfilter fixes for net
@ 2022-11-30 12:19 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2022-11-30 12:19 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Check for interval validity in all concatenation fields in
nft_set_pipapo, from Stefano Brivio.
2) Missing preemption disabled in conntrack and flowtable stat
updates, from Xin Long.
3) Fix compilation warning when CONFIG_NF_CONNTRACK_MARK=n.
Except for 3), which was a bug introduced by a recent fix in 6.1-rc,
everything else has been broken for several releases.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit f2fc2280faabafc8df83ee007699d21f7a6301fe:
Merge branch 'wwan-iosm-fixes' (2022-11-28 11:31:59 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 1feeae071507ad65cf9f462a1bdd543a4bf89e71:
netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark (2022-11-30 13:08:49 +0100)
----------------------------------------------------------------
Pablo Neira Ayuso (1):
netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark
Stefano Brivio (1):
netfilter: nft_set_pipapo: Actually validate intervals in fields after the first one
Xin Long (2):
netfilter: flowtable_offload: fix using __this_cpu_add in preemptible
netfilter: conntrack: fix using __this_cpu_add in preemptible
net/netfilter/nf_conntrack_core.c | 6 +++---
net/netfilter/nf_conntrack_netlink.c | 19 ++++++++++---------
net/netfilter/nf_flow_table_offload.c | 6 +++---
net/netfilter/nft_set_pipapo.c | 5 +++--
4 files changed, 19 insertions(+), 17 deletions(-)
* [PATCH net 0/4] Netfilter fixes for net
@ 2022-05-27 9:20 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2022-05-27 9:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni
Hi,
The following patchset contains more Netfilter fixes for net:
1) syzbot warning in nfnetlink bind, from Florian.
2) Refetch conntrack after __nf_conntrack_confirm(), from Florian Westphal.
3) Move struct nf_ct_timeout back to the bottom of struct ctnl_timeout,
where it was before a recent update, also from Florian.
4) Add NL_SET_BAD_ATTR() to nf_tables netlink for proper error reporting
on set element commands.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 02ded5a173619b11728b8bf75a3fd995a2c1ff28:
net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register (2022-05-27 08:02:33 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to b53c116642502b0c85ecef78bff4f826a7dd4145:
netfilter: nf_tables: set element extended ACK reporting support (2022-05-27 11:16:38 +0200)
----------------------------------------------------------------
Florian Westphal (3):
netfilter: nfnetlink: fix warn in nfnetlink_unbind
netfilter: conntrack: re-fetch conntrack after insertion
netfilter: cttimeout: fix slab-out-of-bounds read in cttimeout_net_exit
Pablo Neira Ayuso (1):
netfilter: nf_tables: set element extended ACK reporting support
include/net/netfilter/nf_conntrack_core.h | 7 ++++++-
net/netfilter/nf_tables_api.c | 12 +++++++++---
net/netfilter/nfnetlink.c | 24 +++++-------------------
net/netfilter/nfnetlink_cttimeout.c | 5 +++--
4 files changed, 23 insertions(+), 25 deletions(-)
* [PATCH net 0/4] Netfilter fixes for net
@ 2022-04-25 9:16 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2022-04-25 9:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix incorrect printing of memory size of IPVS connection hash table,
from Pengcheng Yang.
2) Fix spurious EEXIST errors in nft_set_rbtree.
3) Remove leftover empty flowtable file, from Rongguang Wei.
4) Fix ip6_route_me_harder() with vrf driver, from Martin Willi.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 4cf35a2b627a020fe1a6b6fc7a6a12394644e474:
net: mscc: ocelot: fix broken IP multicast flooding (2022-04-19 10:33:33 +0200)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 8ddffdb9442a9d60b4a6e679ac48d7d21403a674:
netfilter: Update ip6_route_me_harder to consider L3 domain (2022-04-25 11:09:20 +0200)
----------------------------------------------------------------
Martin Willi (1):
netfilter: Update ip6_route_me_harder to consider L3 domain
Pablo Neira Ayuso (1):
netfilter: nft_set_rbtree: overlap detection with element re-addition after deletion
Pengcheng Yang (1):
ipvs: correctly print the memory size of ip_vs_conn_tab
Rongguang Wei (1):
netfilter: flowtable: Remove the empty file
net/ipv4/netfilter/nf_flow_table_ipv4.c | 0
net/ipv6/netfilter.c | 10 ++++++++--
net/netfilter/ipvs/ip_vs_conn.c | 2 +-
net/netfilter/nft_set_rbtree.c | 6 +++++-
4 files changed, 14 insertions(+), 4 deletions(-)
delete mode 100644 net/ipv4/netfilter/nf_flow_table_ipv4.c
* [PATCH net 0/4] Netfilter fixes for net
@ 2022-01-06 21:51 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2022-01-06 21:51 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Refcount leak in ipt_CLUSTERIP rule loading path, from Xin Xiong.
2) Use socat in netfilter selftests, from Hangbin Liu.
3) Skip layer 4 checksum update for IP fragments.
4) Missing allocation of pcpu scratch maps on clone in
nft_set_pipapo, from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 1d5a474240407c38ca8c7484a656ee39f585399c:
sfc: The RX page_ring is optional (2022-01-04 18:14:21 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 23c54263efd7cb605e2f7af72717a2a951999217:
netfilter: nft_set_pipapo: allocate pcpu scratch maps on clone (2022-01-06 10:43:24 +0100)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nft_set_pipapo: allocate pcpu scratch maps on clone
Hangbin Liu (1):
selftests: netfilter: switch to socat for tests using -q option
Pablo Neira Ayuso (1):
netfilter: nft_payload: do not update layer 4 checksum when mangling fragments
Xin Xiong (1):
netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check()
net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++-
net/netfilter/nft_payload.c | 3 +++
net/netfilter/nft_set_pipapo.c | 8 ++++++++
tools/testing/selftests/netfilter/ipip-conntrack-mtu.sh | 9 +++++----
tools/testing/selftests/netfilter/nf_nat_edemux.sh | 10 +++++-----
5 files changed, 25 insertions(+), 10 deletions(-)
* [PATCH net 0/4] Netfilter fixes for net
@ 2021-02-05 0:17 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2021-02-05 0:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix combination of --reap and --update in xt_recent that triggers
UAF, from Jozsef Kadlecsik.
2) Fix current year in nft_meta selftest, from Fabian Frederick.
3) Fix possible UAF in the netns destroy path of nftables.
4) Fix incorrect checksum calculation when mangling ports in flowtable,
from Sven Auhagen.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 44a674d6f79867d5652026f1cc11f7ba8a390183:
Merge tag 'mlx5-fixes-2021-01-26' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux (2021-01-27 19:18:37 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 8d6bca156e47d68551750a384b3ff49384c67be3:
netfilter: flowtable: fix tcp and udp header checksum update (2021-02-04 01:10:14 +0100)
----------------------------------------------------------------
Fabian Frederick (1):
selftests: netfilter: fix current year
Jozsef Kadlecsik (1):
netfilter: xt_recent: Fix attempt to update deleted entry
Pablo Neira Ayuso (1):
netfilter: nftables: fix possible UAF over chains from packet path in netns
Sven Auhagen (1):
netfilter: flowtable: fix tcp and udp header checksum update
net/netfilter/nf_flow_table_core.c | 4 ++--
net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++------
net/netfilter/xt_recent.c | 12 ++++++++++--
tools/testing/selftests/netfilter/nft_meta.sh | 2 +-
4 files changed, 32 insertions(+), 11 deletions(-)
* [PATCH net 0/4] Netfilter fixes for net
@ 2020-12-18 12:04 Pablo Neira Ayuso
0 siblings, 0 replies; 20+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-18 12:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi Jakub, David,
The following patchset contains Netfilter fixes for net:
1) Incorrect loop in error path of nft_set_elem_expr_clone(),
from Colin Ian King.
2) Missing xt_table_get_private_protected() to access table
private data in x_tables, from Subash Abhinov Kasiviswanathan.
3) Possible oops in ipset hash type resize, from Vasily Averin.
4) Fix shift-out-of-bounds in ipset hash type, also from Vasily.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 3db1a3fa98808aa90f95ec3e0fa2fc7abf28f5c9:
Merge tag 'staging-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging (2020-12-15 14:18:40 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 5c8193f568ae16f3242abad6518dc2ca6c8eef86:
netfilter: ipset: fix shift-out-of-bounds in htable_bits() (2020-12-17 19:44:52 +0100)
----------------------------------------------------------------
Colin Ian King (1):
netfilter: nftables: fix incorrect increment of loop counter
Subash Abhinov Kasiviswanathan (1):
netfilter: x_tables: Update remaining dereference to RCU
Vasily Averin (2):
netfilter: ipset: fixes possible oops in mtype_resize
netfilter: ipset: fix shift-out-of-bounds in htable_bits()
net/ipv4/netfilter/arp_tables.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
net/netfilter/ipset/ip_set_hash_gen.h | 42 +++++++++++++++--------------------
net/netfilter/nf_tables_api.c | 4 ++--
5 files changed, 23 insertions(+), 29 deletions(-)
* Re: [PATCH net 0/4] Netfilter fixes for net
2020-12-09 22:18 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
@ 2020-12-10 2:59 ` David Miller
0 siblings, 0 replies; 20+ messages in thread
From: David Miller @ 2020-12-10 2:59 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, kuba
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 9 Dec 2020 23:18:06 +0100
> Hi Jakub, David,
>
> The following patchset contains Netfilter fixes for net:
>
> 1) Switch to RCU in x_tables to fix possible NULL pointer dereference,
> from Subash Abhinov Kasiviswanathan.
>
> 2) Fix netlink dump of dynset timeouts later than 23 days.
>
> 3) Add comment for the indirect serialization of the nft commit mutex
> with rtnl_mutex.
>
> 4) Remove bogus check for confirmed conntrack when matching on the
> conntrack ID, from Brett Mastbergen.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
>
Pulled, thanks.
* [PATCH net 0/4] Netfilter fixes for net
@ 2020-12-09 22:18 Pablo Neira Ayuso
2020-12-10 2:59 ` David Miller
0 siblings, 1 reply; 20+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-09 22:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi Jakub, David,
The following patchset contains Netfilter fixes for net:
1) Switch to RCU in x_tables to fix possible NULL pointer dereference,
from Subash Abhinov Kasiviswanathan.
2) Fix netlink dump of dynset timeouts later than 23 days.
3) Add comment for the indirect serialization of the nft commit mutex
with rtnl_mutex.
4) Remove bogus check for confirmed conntrack when matching on the
conntrack ID, from Brett Mastbergen.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 819f56bad110cb27a8be3232467986e2baebe069:
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec (2020-12-07 18:29:54 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 2d94b20b95b009eec1a267dcf026b01af627c0cd:
netfilter: nft_ct: Remove confirmation check for NFT_CT_ID (2020-12-09 10:31:58 +0100)
----------------------------------------------------------------
Brett Mastbergen (1):
netfilter: nft_ct: Remove confirmation check for NFT_CT_ID
Pablo Neira Ayuso (2):
netfilter: nft_dynset: fix timeouts later than 23 days
netfilter: nftables: comment indirect serialization of commit_mutex with rtnl_mutex
Subash Abhinov Kasiviswanathan (1):
netfilter: x_tables: Switch synchronization to RCU
include/linux/netfilter/x_tables.h | 5 +++-
include/net/netfilter/nf_tables.h | 4 ++++
net/ipv4/netfilter/arp_tables.c | 14 +++++------
net/ipv4/netfilter/ip_tables.c | 14 +++++------
net/ipv6/netfilter/ip6_tables.c | 14 +++++------
net/netfilter/nf_tables_api.c | 8 +++++--
net/netfilter/nft_ct.c | 2 --
net/netfilter/nft_dynset.c | 8 ++++---
net/netfilter/x_tables.c | 49 ++++++++++++--------------------------
9 files changed, 55 insertions(+), 63 deletions(-)