* [PATCH nf 0/2] netfilter: fix two nf_dup bugs with egress hook
@ 2022-06-20 14:17 Florian Westphal
  2022-06-20 14:17 ` [PATCH nf 1/2] netfilter: nf_dup_netdev: do not push mac header a second time Florian Westphal
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Florian Westphal @ 2022-06-20 14:17 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

We need to be more careful now that nf_dup is exposed to new
egress hook.

When called from the egress hook, we need to skip the push of the mac header;
this is only ok for ingress invocation.

Also add a recursion counter to prevent re-entry into the expression.

Florian Westphal (2):
  netfilter: nf_dup_netdev: do not push mac header a second time
  netfilter: nf_dup_netdev: add and use recursion counter

 net/netfilter/nf_dup_netdev.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

-- 
2.35.1



* [PATCH nf 1/2] netfilter: nf_dup_netdev: do not push mac header a second time
  2022-06-20 14:17 [PATCH nf 0/2] netfilter: fix two nf_dup bugs with egress hook Florian Westphal
@ 2022-06-20 14:17 ` Florian Westphal
  2022-06-20 14:17 ` [PATCH nf 2/2] netfilter: nf_dup_netdev: add and use recursion counter Florian Westphal
  2022-06-21  8:48 ` [PATCH nf 0/2] netfilter: fix two nf_dup bugs with egress hook Pablo Neira Ayuso
  2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2022-06-20 14:17 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal, Eric Garver

Eric reports skb_under_panic when using dup/fwd via bond+egress hook.
Before pushing mac header, we should make sure that we're called from
ingress to put back what was pulled earlier.

In egress case, the MAC header is already there; we should leave skb
alone.

While at it, be more careful here: skb might have been altered and
headroom reduced, so add a skb_cow() before so that headroom is
increased if necessary.

nf_do_netdev_egress() assumes skb ownership (it normally ends with
a call to dev_queue_xmit), so we must free the packet on error.

Fixes: f87b9464d152 ("netfilter: nft_fwd_netdev: Support egress hook")
Reported-by: Eric Garver <eric@garver.life>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_dup_netdev.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c
index 7873bd1389c3..13b7f6a66086 100644
--- a/net/netfilter/nf_dup_netdev.c
+++ b/net/netfilter/nf_dup_netdev.c
@@ -13,10 +13,16 @@
 #include <net/netfilter/nf_tables_offload.h>
 #include <net/netfilter/nf_dup_netdev.h>
 
-static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev)
+static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,
+				enum nf_dev_hooks hook)
 {
-	if (skb_mac_header_was_set(skb))
+	if (hook == NF_NETDEV_INGRESS && skb_mac_header_was_set(skb)) {
+		if (skb_cow_head(skb, skb->mac_len)) {
+			kfree_skb(skb);
+			return;
+		}
 		skb_push(skb, skb->mac_len);
+	}
 
 	skb->dev = dev;
 	skb_clear_tstamp(skb);
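Review bot: the new failure branch `kfree_skb(skb); return;` after `skb_cow_head(skb, skb->mac_len)` drops the packet silently, and because this function is also used on the forward path with the original pkt->skb, an unattributable drop there is hard to diagnose; consider kfree_skb_reason() with a suitable reason, or at minimum a comment. The `hook == NF_NETDEV_INGRESS` condition would also benefit from a one-line comment stating that on egress the mac header is already in place, since that rationale currently lives only in the commit message. The cow size `skb->mac_len` matches the following `skb_push(skb, skb->mac_len)`, which is correct.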
@@ -33,7 +39,7 @@ void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif)
 		return;
 	}
 
-	nf_do_netdev_egress(pkt->skb, dev);
+	nf_do_netdev_egress(pkt->skb, dev, nft_hook(pkt));
 }
 EXPORT_SYMBOL_GPL(nf_fwd_netdev_egress);
 
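Review bot: since nf_do_netdev_egress() can now free the skb on its error path, every return from this call must leave pkt->skb treated as consumed, including the failure case; the visible lines do not show the verdict handling in nf_fwd_netdev_egress(), so confirm the caller returns NF_STOLEN unconditionally after `nf_do_netdev_egress(pkt->skb, dev, nft_hook(pkt));` and never touches pkt->skb afterwards, otherwise the cow failure turns into a use-after-free instead of a drop.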
@@ -48,7 +54,7 @@ void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif)
 
 	skb = skb_clone(pkt->skb, GFP_ATOMIC);
 	if (skb)
-		nf_do_netdev_egress(skb, dev);
+		nf_do_netdev_egress(skb, dev, nft_hook(pkt));
 }
 EXPORT_SYMBOL_GPL(nf_dup_netdev_egress);
 
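Review bot: the dup path is where the added skb_cow_head() matters most, since `skb = skb_clone(pkt->skb, GFP_ATOMIC);` shares the packet data with the original still being processed, and any header modification on the transmit path needs a private copy, which skb_cow_head() provides when the header is cloned or headroom is short; a short comment at the clone noting that the callee will unshare the header if needed would make the intent explicit. The `if (skb)` guard silently drops the duplicate when skb_clone() fails, which is acceptable for a best-effort dup but worth a comment too.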
-- 
2.35.1



* [PATCH nf 2/2] netfilter: nf_dup_netdev: add and use recursion counter
  2022-06-20 14:17 [PATCH nf 0/2] netfilter: fix two nf_dup bugs with egress hook Florian Westphal
  2022-06-20 14:17 ` [PATCH nf 1/2] netfilter: nf_dup_netdev: do not push mac header a second time Florian Westphal
@ 2022-06-20 14:17 ` Florian Westphal
  2022-06-21  8:48 ` [PATCH nf 0/2] netfilter: fix two nf_dup bugs with egress hook Pablo Neira Ayuso
  2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2022-06-20 14:17 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Now that the egress function can be called from the egress hook, we need
to avoid recursive calls into the nf_tables traverser, else we crash.

Fixes: f87b9464d152 ("netfilter: nft_fwd_netdev: Support egress hook")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_dup_netdev.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c
index 13b7f6a66086..a8e2425e43b0 100644
--- a/net/netfilter/nf_dup_netdev.c
+++ b/net/netfilter/nf_dup_netdev.c
@@ -13,20 +13,31 @@
 #include <net/netfilter/nf_tables_offload.h>
 #include <net/netfilter/nf_dup_netdev.h>
 
+#define NF_RECURSION_LIMIT	2
+
+static DEFINE_PER_CPU(u8, nf_dup_skb_recursion);
+
 static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,
 				enum nf_dev_hooks hook)
 {
+	if (__this_cpu_read(nf_dup_skb_recursion) > NF_RECURSION_LIMIT)
+		goto err;
+
 	if (hook == NF_NETDEV_INGRESS && skb_mac_header_was_set(skb)) {
-		if (skb_cow_head(skb, skb->mac_len)) {
-			kfree_skb(skb);
-			return;
-		}
+		if (skb_cow_head(skb, skb->mac_len))
+			goto err;
+
 		skb_push(skb, skb->mac_len);
 	}
 
 	skb->dev = dev;
 	skb_clear_tstamp(skb);
+	__this_cpu_inc(nf_dup_skb_recursion);
 	dev_queue_xmit(skb);
+	__this_cpu_dec(nf_dup_skb_recursion);
+	return;
+err:
+	kfree_skb(skb);
 }
 
 void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif)
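Review bot: `__this_cpu_read(nf_dup_skb_recursion) > NF_RECURSION_LIMIT` with `#define NF_RECURSION_LIMIT 2` admits counter values 0, 1 and 2, i.e. three nested dev_queue_xmit() calls before the drop, whereas the cover letter says the counter prevents re-entry; either the commit message should say it bounds nesting depth, or the check should be `>=` if two levels are the intent. A comment on the define explaining why 2 was chosen, and noting that the per-CPU u8 is only safe because the hook runs with BH disabled so the `__this_cpu_inc`/`__this_cpu_dec` pair around dev_queue_xmit() cannot be interleaved with another traversal on the same CPU, would help the next reader. The inc/dec bracket only the transmit call, so the `err:` path correctly leaves the counter untouched.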
-- 
2.35.1



* Re: [PATCH nf 0/2] netfilter: fix two nf_dup bugs with egress hook
  2022-06-20 14:17 [PATCH nf 0/2] netfilter: fix two nf_dup bugs with egress hook Florian Westphal
  2022-06-20 14:17 ` [PATCH nf 1/2] netfilter: nf_dup_netdev: do not push mac header a second time Florian Westphal
  2022-06-20 14:17 ` [PATCH nf 2/2] netfilter: nf_dup_netdev: add and use recursion counter Florian Westphal
@ 2022-06-21  8:48 ` Pablo Neira Ayuso
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2022-06-21  8:48 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Mon, Jun 20, 2022 at 04:17:29PM +0200, Florian Westphal wrote:
> We need to be more careful now that nf_dup is exposed to new
> egress hook.
> 
> When called from the egress hook, we need to skip the push of the mac header;
> this is only ok for ingress invocation.
> 
> Also add a recursion counter to prevent re-entry into the expression.

Series applied, thanks
