* [PATCH 0/2] netfilter fixes for net
@ 2013-04-19 1:16 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-04-19 1:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
If time allows, please consider pulling the following patchset, which contains
two late Netfilter fixes. They are:
* Skip broadcast/multicast locally generated traffic in the rpfilter
(closes netfilter bugzilla #814), from Florian Westphal.
* Fix missing elements in the listing of ipset bitmap ip,mac set
type with timeout support enabled, from Jozsef Kadlecsik.
The following changes since commit c2d421e171868586939c328dfb91bab840fe4c49:
netfilter: nf_nat: fix race when unloading protocol modules (2013-04-12 11:46:31 +0200)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to f83a7ea2075ca896f2dbf07672bac9cf3682ff74:
netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too (2013-04-19 00:11:59 +0200)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too
Jozsef Kadlecsik (1):
netfilter: ipset: bitmap:ip,mac: fix listing with timeout
net/ipv4/netfilter/ipt_rpfilter.c | 8 +++++++-
net/ipv6/netfilter/ip6t_rpfilter.c | 8 +++++++-
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +++++-
3 files changed, 19 insertions(+), 3 deletions(-)
* [PATCH 1/2] netfilter: ipset: bitmap:ip,mac: fix listing with timeout
From: Pablo Neira Ayuso @ 2013-04-19 1:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
When timeout support was enabled, the type could not list all elements,
just the first ones which could fit into one netlink message: it did
not continue listing after the first message.
Reported-by: Yoann JUET <yoann.juet@univ-nantes.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Tested-by: Yoann JUET <yoann.juet@univ-nantes.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 0f92dc2..d7df6ac 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -339,7 +339,11 @@ bitmap_ipmac_tlist(const struct ip_set *set,
nla_put_failure:
nla_nest_cancel(skb, nested);
ipset_nest_end(skb, atd);
- return -EMSGSIZE;
+ if (unlikely(id == first)) {
+ cb->args[2] = 0;
+ return -EMSGSIZE;
+ }
+ return 0;
}
static int
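Review bot: the new `return 0` path is only safe if cb->args[2] was already advanced to `id` before the jump to nla_put_failure and `first` was loaded from cb->args[2] at function entry; neither is visible in this hunk (the abort path resetting cb->args[2] to 0 shows it holds the dump position), so please confirm both, otherwise the next dump call would restart at the same element and the listing would never terminate. The two return values also deserve a one-line comment: 0 means the message is full and the dump continues in the next skb, while -EMSGSIZE (only when `id == first`) means a single element does not fit even in an empty message and the dump is aborted with the position reset.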
--
1.7.10.4
* [PATCH 2/2] netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too
From: Pablo Neira Ayuso @ 2013-04-19 1:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
Alex Efros reported that the rpfilter module doesn't match the following packets:
IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ]
(netfilter bugzilla #814).
The problem is that the network stack arranges for locally generated broadcasts
to appear on the interface they were sent out on, so the IFF_LOOPBACK check
doesn't trigger.
As -m rpfilter is restricted to PREROUTING, we can check for an existing
rtable instead; it catches the locally-generated broadcast/multicast case, too.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/ipt_rpfilter.c | 8 +++++++-
net/ipv6/netfilter/ip6t_rpfilter.c | 8 +++++++-
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index c301300..c49dcd0 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -66,6 +66,12 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
return dev_match;
}
+static bool rpfilter_is_local(const struct sk_buff *skb)
+{
+ const struct rtable *rt = skb_rtable(skb);
+ return rt && (rt->rt_flags & RTCF_LOCAL);
+}
+
static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_rpfilter_info *info;
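Review bot: rpfilter_is_local() tests for a non-NULL skb_rtable() and for RTCF_LOCAL, but nothing in the hunk says why that pair is the right condition; a comment on the helper should state the invariant it relies on, namely that in PREROUTING an skb carries an rtable only when it was generated locally and looped back, and that the output route installed for locally generated broadcast/multicast is flagged RTCF_LOCAL, since that second point is what makes the bugzilla #814 packet (DST=192.168.2.255) match. Without it a reader cannot tell whether `rt != NULL` alone would have sufficed or whether RTCF_LOCAL deliberately excludes some pre-routed skbs.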
@@ -76,7 +82,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
info = par->matchinfo;
invert = info->flags & XT_RPFILTER_INVERT;
- if (par->in->flags & IFF_LOOPBACK)
+ if (rpfilter_is_local(skb))
return true ^ invert;
iph = ip_hdr(skb);
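Review bot: the IFF_LOOPBACK short-circuit is removed rather than kept alongside the new test, so a packet received on a loopback device now takes the early return only if it still carries a dst with RTCF_LOCAL and otherwise falls through to the reverse-path lookup; the commit message says "check for existing rtable" but the code is stricter than that, so please either keep the interface check as a second condition or state in the message that loopback-delivered traffic always retains its local output route and that this is therefore not a behaviour change for `-i lo` rules.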
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index 5060d54..e0983f3 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -71,6 +71,12 @@ static bool rpfilter_lookup_reverse6(const struct sk_buff *skb,
return ret;
}
+static bool rpfilter_is_local(const struct sk_buff *skb)
+{
+ const struct rt6_info *rt = (const void *) skb_dst(skb);
+ return rt && (rt->rt6i_flags & RTF_LOCAL);
+}
+
static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_rpfilter_info *info = par->matchinfo;
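Review bot: the reproducer in the commit message is IPv4 only (IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255), and this IPv6 half depends on the dst attached to locally generated IPv6 multicast carrying RTF_LOCAL in rt6i_flags, which is a different flag namespace from the IPv4 RTCF_LOCAL and is not stated as verified; a Tested-by or a short note that ff02::/16 traffic was checked would make the claim "catches broad/multicast too" hold for both families. The `(const void *) skb_dst(skb)` cast also silently assumes every dst reaching this hook on an IPv6 skb is a struct rt6_info; a comment saying so would be cheaper than the next reader re-deriving it.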
@@ -78,7 +84,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
struct ipv6hdr *iph;
bool invert = info->flags & XT_RPFILTER_INVERT;
- if (par->in->flags & IFF_LOOPBACK)
+ if (rpfilter_is_local(skb))
return true ^ invert;
iph = ipv6_hdr(skb);
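Review bot: because the early return yields `true ^ invert`, this change is user-visible for the common `-m rpfilter --invert -j DROP` anti-spoofing rule: locally generated broadcast/multicast that arrives here with a local dst no longer matches the inverted rule and is therefore no longer dropped, which is the intended fix but should be spelled out in the commit message as the observable effect, rather than only describing the internal IFF_LOOPBACK versus rtable distinction.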
--
1.7.10.4
* Re: [PATCH 0/2] netfilter fixes for net
From: David Miller @ 2013-04-19 18:25 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 19 Apr 2013 03:16:00 +0200
> If time allows, please consider pulling the following patchset, which contains
> two late Netfilter fixes. They are:
>
> * Skip broadcast/multicast locally generated traffic in the rpfilter
> (closes netfilter bugzilla #814), from Florian Westphal.
>
> * Fix missing elements in the listing of ipset bitmap ip,mac set
> type with timeout support enabled, from Jozsef Kadlecsik.
>
> The following changes since commit c2d421e171868586939c328dfb91bab840fe4c49:
>
> netfilter: nf_nat: fix race when unloading protocol modules (2013-04-12 11:46:31 +0200)
>
> are available in the git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Pulled, thanks Pablo.