* [PATCH 0/3] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2019-06-17 22:42 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi David,
1) Module autoload for masquerade and redirection does not work.
2) Leak in unqueued packets in nf_ct_frag6_queue(). Ignore duplicated
fragments, pretend they are placed into the queue. Patches from
Guillaume Nault.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 100f6d8e09905c59be45b6316f8f369c0be1b2d8:
net: correct zerocopy refcnt with udp MSG_MORE (2019-05-30 15:54:04 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 8a3dca632538c550930ce8bafa8c906b130d35cf:
netfilter: ipv6: nf_defrag: accept duplicate fragments again (2019-06-07 14:49:01 +0200)
----------------------------------------------------------------
Guillaume Nault (2):
netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
netfilter: ipv6: nf_defrag: accept duplicate fragments again
Pablo Neira Ayuso (1):
netfilter: nf_tables: fix module autoload with inet family
net/ipv6/netfilter/nf_conntrack_reasm.c | 22 ++++++++++++----------
net/netfilter/nft_masq.c | 3 +--
net/netfilter/nft_redir.c | 3 +--
3 files changed, 14 insertions(+), 14 deletions(-)
* [PATCH 1/3] netfilter: nf_tables: fix module autoload with inet family
From: Pablo Neira Ayuso @ 2019-06-17 22:42 UTC
To: netfilter-devel; +Cc: davem, netdev
Use MODULE_ALIAS_NFT_EXPR() to make the inet family happy with nat.
Fixes: 63ce3940f3ab ("netfilter: nft_redir: add inet support")
Fixes: 071657d2c38c ("netfilter: nft_masq: add inet support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_masq.c | 3 +--
net/netfilter/nft_redir.c | 3 +--
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index 86fd90085eaf..8c1612d6bc2c 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -307,5 +307,4 @@ module_exit(nft_masq_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
-MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "masq");
-MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "masq");
+MODULE_ALIAS_NFT_EXPR("masq");
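Review bot: the commit message does not say why dropping the AF_INET and AF_INET6 aliases in favour of a single family-independent `MODULE_ALIAS_NFT_EXPR("masq")` keeps autoload working for the ipv4 and ipv6 families as well as inet; suggest stating that explicitly, since a stable backport reviewer has only this hunk and the one-line message to go on.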
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index da74fdc4a684..8787e9f8ed71 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -294,5 +294,4 @@ module_exit(nft_redir_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
-MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "redir");
-MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "redir");
+MODULE_ALIAS_NFT_EXPR("nat");
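Review bot: the alias string added on the last line is "nat", while the two lines it replaces registered "redir" and the companion nft_masq.c hunk keeps its expression name ("masq"); as written a request for the redir expression would not resolve to this module, and "nat" is the name of a different expression. Suggest `+MODULE_ALIAS_NFT_EXPR("redir");`.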
--
2.11.0
From: Pablo Neira Ayuso @ 2019-06-17 22:42 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Guillaume Nault <gnault@redhat.com>
With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
after the skb has been added to the fragment queue and
nf_ct_frag6_gather() was adapted to handle this case.
But nf_ct_frag6_queue() can still fail before the fragment has been
queued. nf_ct_frag6_gather() can't handle this case anymore, because it
has no way to know if nf_ct_frag6_queue() queued the fragment before
failing. If it didn't, the skb is lost as the error code is overwritten
with -EINPROGRESS.
Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
that nf_ct_frag6_gather() can propagate the error as is.
Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 3de0e9b0a482..5b3f65e29b6f 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -293,7 +293,11 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
skb->_skb_refdst = 0UL;
err = nf_ct_frag6_reasm(fq, skb, prev, dev);
skb->_skb_refdst = orefdst;
- return err;
+
+ /* After queue has assumed skb ownership, only 0 or
+ * -EINPROGRESS must be returned.
+ */
+ return err ? -EINPROGRESS : 0;
}
skb_dst_drop(skb);
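Review bot: the rule stated in the new comment (only 0 or -EINPROGRESS once the queue owns the skb) now has to be honoured by every return after the insertion point in nf_ct_frag6_queue(), not just this one; suggest also documenting it at the top of the function or next to the insert call, so that a future early `return err;` after insertion cannot reintroduce the leak. Mapping a reassembly failure to -EINPROGRESS also discards the specific error code; the commit message should say this is deliberate because the caller cannot act on it once the skb has been consumed.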
@@ -480,12 +484,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
ret = 0;
}
- /* after queue has assumed skb ownership, only 0 or -EINPROGRESS
- * must be returned.
- */
- if (ret)
- ret = -EINPROGRESS;
-
spin_unlock_bh(&fq->q.lock);
inet_frag_put(&fq->q);
return ret;
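Review bot: with the blanket rewrite to -EINPROGRESS removed here, every negative value nf_ct_frag6_queue() returns now reaches the caller as a real failure, so any pre-insertion path in nf_ct_frag6_queue() that previously relied on this override to turn a benign condition into NF_STOLEN (a duplicate fragment being the obvious candidate) must now return -EINPROGRESS itself; suggest auditing those paths in the same patch rather than in a follow-up. The `ret = 0;` assignment left in context at the top of the hunk is now the only place the caller rewrites the result; a one-line comment on why that case is safe to report as 0 would help.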
--
2.11.0
From: Pablo Neira Ayuso @ 2019-06-17 22:42 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Guillaume Nault <gnault@redhat.com>
When fixing the skb leak introduced by the conversion to rbtree, I
forgot about the special case of duplicate fragments. The condition
under the 'insert_error' label isn't effective anymore as
nf_ct_frag6_gather() doesn't override the returned value anymore. So
duplicate fragments now get NF_DROP verdict.
To accept duplicate fragments again, handle them specially as soon as
inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
translate to NF_STOLEN verdict, like any accepted fragment. However,
such packets don't carry any new information and aren't queued, so we
just drop them immediately.
Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 5b3f65e29b6f..8951de8b568f 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -265,8 +265,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
prev = fq->q.fragments_tail;
err = inet_frag_queue_insert(&fq->q, skb, offset, end);
- if (err)
+ if (err) {
+ if (err == IPFRAG_DUP) {
+ /* No error for duplicates, pretend they got queued. */
+ kfree_skb(skb);
+ return -EINPROGRESS;
+ }
goto insert_error;
+ }
if (dev)
fq->iif = dev->ifindex;
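Review bot: the duplicate branch frees the skb with kfree_skb(), which fires the kfree_skb tracepoint and therefore shows up in drop monitoring as a dropped packet, even though the caller is told NF_STOLEN and the comment says to pretend it was queued; if the intent is for a duplicate to look like an accepted fragment, consume_skb() matches that better, and either way the comment should say the skb is freed here rather than queued. The branch also returns before the `fq->iif` update in the context below, which is fine for a duplicate but deserves a word in the comment.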
@@ -304,8 +310,6 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
return -EINPROGRESS;
insert_error:
- if (err == IPFRAG_DUP)
- goto err;
inet_frag_kill(&fq->q);
err:
skb_dst_drop(skb);
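Review bot: removing the IPFRAG_DUP test makes `insert_error` unconditionally call inet_frag_kill(), which is correct only if every remaining `goto insert_error` is a genuine insertion failure (the single one visible in the preceding hunk is, since duplicates now return early); suggest the commit message state that explicitly. If no other jump to `err:` remains after this change, the two labels could be folded together in a follow-up cleanup.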
--
2.11.0