Netdev Archive on lore.kernel.org
* [PATCH 0/2] netfilter fixes for net
@ 2013-04-19  1:16 Pablo Neira Ayuso
  2013-04-19  1:16 ` [PATCH 1/2] netfilter: ipset: bitmap:ip,mac: fix listing with timeout Pablo Neira Ayuso
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-04-19  1:16 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

If time allows, please consider pulling the following patchset, which contains two
late Netfilter fixes. They are:

* Skip broadcast/multicast locally generated traffic in the rpfilter,
  (closes netfilter bugzilla #814), from Florian Westphal.

* Fix missing elements in the listing of ipset bitmap ip,mac set
  type with timeout support enabled, from Jozsef Kadlecsik.

The following changes since commit c2d421e171868586939c328dfb91bab840fe4c49:

  netfilter: nf_nat: fix race when unloading protocol modules (2013-04-12 11:46:31 +0200)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to f83a7ea2075ca896f2dbf07672bac9cf3682ff74:

  netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too (2013-04-19 00:11:59 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too

Jozsef Kadlecsik (1):
      netfilter: ipset: bitmap:ip,mac: fix listing with timeout

 net/ipv4/netfilter/ipt_rpfilter.c         |    8 +++++++-
 net/ipv6/netfilter/ip6t_rpfilter.c        |    8 +++++++-
 net/netfilter/ipset/ip_set_bitmap_ipmac.c |    6 +++++-
 3 files changed, 19 insertions(+), 3 deletions(-)



* [PATCH 1/2] netfilter: ipset: bitmap:ip,mac: fix listing with timeout
  2013-04-19  1:16 [PATCH 0/2] netfilter fixes for net Pablo Neira Ayuso
@ 2013-04-19  1:16 ` Pablo Neira Ayuso
  2013-04-19  1:16 ` [PATCH 2/2] netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too Pablo Neira Ayuso
  2013-04-19 18:25 ` [PATCH 0/2] netfilter fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-04-19  1:16 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

When timeout support was enabled, the type could not list all elements,
just the first ones which could fit into one netlink message: it just
did not continue listing after the first message.

Reported-by: Yoann JUET <yoann.juet@univ-nantes.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Tested-by: Yoann JUET <yoann.juet@univ-nantes.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipset/ip_set_bitmap_ipmac.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 0f92dc2..d7df6ac 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -339,7 +339,11 @@ bitmap_ipmac_tlist(const struct ip_set *set,
 nla_put_failure:
 	nla_nest_cancel(skb, nested);
 	ipset_nest_end(skb, atd);
-	return -EMSGSIZE;
+	if (unlikely(id == first)) {
+		cb->args[2] = 0;
+		return -EMSGSIZE;
+	}
+	return 0;
 }
 
 static int
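Review bot: the early-exit logic at the end of this hunk depends on two things that are not visible here: `first` must have been loaded from cb->args[2] at function entry, and cb->args[2] must already hold the id of the element that did not fit when control reaches nla_put_failure, so that the next dump callback resumes from it. A one-line comment above `if (unlikely(id == first))` stating that invariant, and that `return 0` lets the netlink dump continue in a following message while the id == first case (a single element does not fit even in an otherwise empty message) has to abort the dump with cb->args[2] reset, would make the fix much easier to verify and to keep correct when this path is touched again.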
-- 
1.7.10.4


* [PATCH 2/2] netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too
  2013-04-19  1:16 [PATCH 0/2] netfilter fixes for net Pablo Neira Ayuso
  2013-04-19  1:16 ` [PATCH 1/2] netfilter: ipset: bitmap:ip,mac: fix listing with timeout Pablo Neira Ayuso
@ 2013-04-19  1:16 ` Pablo Neira Ayuso
  2013-04-19 18:25 ` [PATCH 0/2] netfilter fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-04-19  1:16 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

Alex Efros reported that the rpfilter module doesn't match the following packets:
IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ]
(netfilter bugzilla #814).

The problem is that the network stack arranges for locally generated broadcasts
to appear on the interface they were sent out on, so the IFF_LOOPBACK check
doesn't trigger.

As -m rpfilter is restricted to PREROUTING, we can check for an existing
rtable instead; it catches the locally-generated broadcast/multicast case, too.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/ipt_rpfilter.c  |    8 +++++++-
 net/ipv6/netfilter/ip6t_rpfilter.c |    8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index c301300..c49dcd0 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -66,6 +66,12 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
 	return dev_match;
 }
 
+static bool rpfilter_is_local(const struct sk_buff *skb)
+{
+	const struct rtable *rt = skb_rtable(skb);
+	return rt && (rt->rt_flags & RTCF_LOCAL);
+}
+
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_rpfilter_info *info;
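Review bot: the `rt &&` NULL check in rpfilter_is_local() is the whole point of the helper and deserves a comment: in PREROUTING an ordinary incoming packet has no dst attached yet (the routing decision has not happened), so a non-NULL rtable here can only come from locally generated traffic that was looped back with its output route still attached, and RTCF_LOCAL on that route is what identifies it. Without that comment a later reader is likely to wonder why a PREROUTING match consults skb_rtable() at all, or to "fix" the NULL check away.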
@@ -76,7 +82,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	info = par->matchinfo;
 	invert = info->flags & XT_RPFILTER_INVERT;
 
-	if (par->in->flags & IFF_LOOPBACK)
+	if (rpfilter_is_local(skb))
 		return true ^ invert;
 
 	iph = ip_hdr(skb);
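Review bot: the replaced line drops the `par->in->flags & IFF_LOOPBACK` test entirely rather than keeping it alongside the new check, so traffic arriving on lo now matches only because its attached route carries RTCF_LOCAL. That is the intended behaviour, but the commit message only talks about broadcast/multicast; a sentence stating that the loopback case is deliberately folded into the rtable check would document why the old condition is gone rather than kept as a fallback.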
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index 5060d54..e0983f3 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -71,6 +71,12 @@ static bool rpfilter_lookup_reverse6(const struct sk_buff *skb,
 	return ret;
 }
 
+static bool rpfilter_is_local(const struct sk_buff *skb)
+{
+	const struct rt6_info *rt = (const void *) skb_dst(skb);
+	return rt && (rt->rt6i_flags & RTF_LOCAL);
+}
+
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_rpfilter_info *info = par->matchinfo;
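Review bot: `(const void *) skb_dst(skb)` in rpfilter_is_local() side-steps type checking on the assignment; the IPv4 hunk gets a typed pointer from skb_rtable(), and the usual idiom in net/ipv6 is an explicit `(const struct rt6_info *)skb_dst(skb)`, which at least records the intended type at the cast site. Suggest `const struct rt6_info *rt = (const struct rt6_info *)skb_dst(skb);` plus the same comment as on the IPv4 side explaining why dst is NULL for ordinary PREROUTING traffic and only present for looped-back local packets.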
@@ -78,7 +84,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	struct ipv6hdr *iph;
 	bool invert = info->flags & XT_RPFILTER_INVERT;
 
-	if (par->in->flags & IFF_LOOPBACK)
+	if (rpfilter_is_local(skb))
 		return true ^ invert;
 
 	iph = ipv6_hdr(skb);
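Review bot: the new condition relies on RTF_LOCAL in rt6i_flags as the IPv6 counterpart of RTCF_LOCAL in the IPv4 hunk, but the two flags are set by different code paths and the commit message cites only an IPv4 broadcast report. Please confirm in testing that looped-back IPv6 multicast, the case this patch is meant to cover, actually carries a dst with RTF_LOCAL set, and not only unicast to a local address; if it does not, the IPv6 side fixes less than the subject line promises and a note in the commit message should say so.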
-- 
1.7.10.4



* Re: [PATCH 0/2] netfilter fixes for net
  2013-04-19  1:16 [PATCH 0/2] netfilter fixes for net Pablo Neira Ayuso
  2013-04-19  1:16 ` [PATCH 1/2] netfilter: ipset: bitmap:ip,mac: fix listing with timeout Pablo Neira Ayuso
  2013-04-19  1:16 ` [PATCH 2/2] netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too Pablo Neira Ayuso
@ 2013-04-19 18:25 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2013-04-19 18:25 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 19 Apr 2013 03:16:00 +0200

> If time allows, please consider pulling the following patchset, which contains two
> late Netfilter fixes. They are:
> 
> * Skip broadcast/multicast locally generated traffic in the rpfilter,
>   (closes netfilter bugzilla #814), from Florian Westphal.
> 
> * Fix missing elements in the listing of ipset bitmap ip,mac set
>   type with timeout support enabled, from Jozsef Kadlecsik.
> 
> The following changes since commit c2d421e171868586939c328dfb91bab840fe4c49:
> 
>   netfilter: nf_nat: fix race when unloading protocol modules (2013-04-12 11:46:31 +0200)
> 
> are available in the git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Pulled, thanks Pablo.
