All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH net 0/2] Netfilter fixes for net
@ 2021-06-02 12:44 Pablo Neira Ayuso
  2021-06-02 12:44 ` [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack Pablo Neira Ayuso
  2021-06-02 12:44 ` [PATCH net 2/2] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Pablo Neira Ayuso
  0 siblings, 2 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-02 12:44 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Do not allow to add conntrack helper extension for confirmed
   conntracks in the nf_tables ct expectation support.

2) Fix bogus EBUSY in nfnetlink_cthelper when NFCTH_PRIV_DATA_LEN
   is passed on userspace helper updates.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you!

----------------------------------------------------------------

The following changes since commit b000372627ce9dbbe641dafbf40db0718276ab77:

  MAINTAINERS: nfc mailing lists are subscribers-only (2021-06-01 17:09:28 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 8971ee8b087750a23f3cd4dc55bff2d0303fd267:

  netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches (2021-06-02 12:43:50 +0200)

----------------------------------------------------------------
Pablo Neira Ayuso (2):
      netfilter: nft_ct: skip expectations for confirmed conntrack
      netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches

 net/netfilter/nfnetlink_cthelper.c | 8 ++++++--
 net/netfilter/nft_ct.c             | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack
  2021-06-02 12:44 [PATCH net 0/2] Netfilter fixes for net Pablo Neira Ayuso
@ 2021-06-02 12:44 ` Pablo Neira Ayuso
  2021-06-03 21:00   ` patchwork-bot+netdevbpf
  2021-06-02 12:44 ` [PATCH net 2/2] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Pablo Neira Ayuso
  1 sibling, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-02 12:44 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
conntrack entry. However, nf_ct_ext_add() can only be called for
!nf_ct_is_confirmed().

[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
[ 1825.352240] FS:  00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
[ 1825.352343] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
[ 1825.352508] Call Trace:
[ 1825.352544]  nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
[ 1825.352641]  nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
[ 1825.352716]  nft_do_chain+0x232/0x850 [nf_tables]

Add the ct helper extension only for unconfirmed conntrack. Skip rule
evaluation if the ct helper extension does not exist. Thus, you can
only create expectations from the first packet.

It should be possible to remove this limitation by adding a new action
to attach a generic ct helper to the first packet. Then, use this ct
helper extension from follow up packets to create the ct expectation.

While at it, add a missing check to skip the template conntrack too
and remove check for IPCT_UNTRACK which is implicit to !ct.

Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_ct.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 0592a9456084..337e22d8b40b 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1217,7 +1217,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(pkt->skb, &ctinfo);
-	if (!ct || ctinfo == IP_CT_UNTRACKED) {
+	if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH net 2/2] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches
  2021-06-02 12:44 [PATCH net 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2021-06-02 12:44 ` [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack Pablo Neira Ayuso
@ 2021-06-02 12:44 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-02 12:44 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

The private helper data size cannot be updated. However, updates that
contain NFCTH_PRIV_DATA_LEN might bogusly hit EBUSY even if the size is
the same.

Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink_cthelper.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 322ac5dd5402..752b10cae524 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -380,10 +380,14 @@ static int
 nfnl_cthelper_update(const struct nlattr * const tb[],
 		     struct nf_conntrack_helper *helper)
 {
+	u32 size;
 	int ret;
 
-	if (tb[NFCTH_PRIV_DATA_LEN])
-		return -EBUSY;
+	if (tb[NFCTH_PRIV_DATA_LEN]) {
+		size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
+		if (size != helper->data_len)
+			return -EBUSY;
+	}
 
 	if (tb[NFCTH_POLICY]) {
 		ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack
  2021-06-02 12:44 ` [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack Pablo Neira Ayuso
@ 2021-06-03 21:00   ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-06-03 21:00 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba

Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Wed,  2 Jun 2021 14:44:29 +0200 you wrote:
> nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
> conntrack entry. However, nf_ct_ext_add() can only be called for
> !nf_ct_is_confirmed().
> 
> [ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
> [ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
> [ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
> [ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
> [ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
> [ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
> [ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
> [ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
> [ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
> [ 1825.352240] FS:  00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
> [ 1825.352343] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
> [ 1825.352508] Call Trace:
> [ 1825.352544]  nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
> [ 1825.352641]  nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
> [ 1825.352716]  nft_do_chain+0x232/0x850 [nf_tables]
> 
> [...]

Here is the summary with links:
  - [net,1/2] netfilter: nft_ct: skip expectations for confirmed conntrack
    https://git.kernel.org/netdev/net/c/1710eb913bdc
  - [net,2/2] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches
    https://git.kernel.org/netdev/net/c/8971ee8b0877

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-06-03 21:00 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-02 12:44 [PATCH net 0/2] Netfilter fixes for net Pablo Neira Ayuso
2021-06-02 12:44 ` [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack Pablo Neira Ayuso
2021-06-03 21:00   ` patchwork-bot+netdevbpf
2021-06-02 12:44 ` [PATCH net 2/2] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Pablo Neira Ayuso

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.