* [PATCH net 0/7] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2021-04-12 22:30 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix NAT IPv6 offload in the flowtable.

2) icmpv6 is printed as unknown in /proc/net/nf_conntrack.

3) Use div64_u64() in nft_limit, from Eric Dumazet.

4) Use pre_exit to unregister ebtables and arptables hooks,
   from Florian Westphal.

5) Fix out-of-bound memset in x_tables compat match/target,
   also from Florian.

6) Clone set elements expression to ensure proper initialization.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 9adc89af724f12a03b47099cd943ed54e877cd59:

  net: let skb_orphan_partial wake-up waiters. (2021-03-30 13:57:28 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 4d8f9065830e526c83199186c5f56a6514f457d2:

  netfilter: nftables: clone set element expression template (2021-04-13 00:19:05 +0200)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: nft_limit: avoid possible divide error in nft_limit_init

Florian Westphal (3):
      netfilter: bridge: add pre_exit hooks for ebtable unregistration
      netfilter: arp_tables: add pre_exit hook for table unregister
      netfilter: x_tables: fix compat match/target pad out-of-bound write

Pablo Neira Ayuso (3):
      netfilter: flowtable: fix NAT IPv6 offload mangling
      netfilter: conntrack: do not print icmpv6 as unknown via /proc
      netfilter: nftables: clone set element expression template

 include/linux/netfilter_arp/arp_tables.h  |  5 ++--
 include/linux/netfilter_bridge/ebtables.h |  5 ++--
 net/bridge/netfilter/ebtable_broute.c     |  8 +++++-
 net/bridge/netfilter/ebtable_filter.c     |  8 +++++-
 net/bridge/netfilter/ebtable_nat.c        |  8 +++++-
 net/bridge/netfilter/ebtables.c           | 30 ++++++++++++++++++--
 net/ipv4/netfilter/arp_tables.c           | 11 ++++++--
 net/ipv4/netfilter/arptable_filter.c      | 10 ++++++-
 net/ipv4/netfilter/ip_tables.c            |  2 ++
 net/ipv6/netfilter/ip6_tables.c           |  2 ++
 net/netfilter/nf_conntrack_standalone.c   |  1 +
 net/netfilter/nf_flow_table_offload.c     |  6 ++--
 net/netfilter/nf_tables_api.c             | 46 +++++++++++++++++++++++--------
 net/netfilter/nft_limit.c                 |  4 +--
 net/netfilter/x_tables.c                  | 10 ++-----
 15 files changed, 118 insertions(+), 38 deletions(-)
* [PATCH net 1/7] netfilter: flowtable: fix NAT IPv6 offload mangling 2021-04-12 22:30 [PATCH net 0/7] Netfilter fixes for net Pablo Neira Ayuso @ 2021-04-12 22:30 ` Pablo Neira Ayuso 2021-04-12 23:20 ` patchwork-bot+netdevbpf 2021-04-12 22:30 ` [PATCH net 2/7] netfilter: conntrack: do not print icmpv6 as unknown via /proc Pablo Neira Ayuso ` (5 subsequent siblings) 6 siblings, 1 reply; 18+ messages in thread From: Pablo Neira Ayuso @ 2021-04-12 22:30 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev, kuba Fix out-of-bound access in the address array. Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_flow_table_offload.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 2a6993fa40d7..1c5460e7bce8 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -305,12 +305,12 @@ static void flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule, const __be32 *addr, const __be32 *mask) { struct flow_action_entry *entry; - int i; + int i, j; - for (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32)) { + for (i = 0, j = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32), j++) { entry = flow_action_entry_next(flow_rule); flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6, - offset + i, &addr[i], mask); + offset + i, &addr[j], mask); } } -- 2.20.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
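Review bot: the index fix is right, but the loop in the nf_flow_table_offload.c hunk still runs only once: the bound is sizeof(struct in6_addr) / sizeof(u32), i.e. 16 / 4 = 4, while i advances by sizeof(u32) = 4 per iteration, so after i = 0 the condition fails and only the first 32-bit word of the address gets a mangle action (offset + 0, addr[0]); the remaining twelve bytes are never rewritten. If the intent is one FLOW_ACT_MANGLE_HDR_TYPE_IP6 action per 32-bit word, the bound should be in bytes, e.g. `for (i = 0, j = 0; i < sizeof(struct in6_addr); i += sizeof(u32), j++)`, which yields four iterations with offsets 0, 4, 8, 12 and indices 0..3.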
* Re: [PATCH net 1/7] netfilter: flowtable: fix NAT IPv6 offload mangling
From: patchwork-bot+netdevbpf @ 2021-04-12 23:20 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba

Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Tue, 13 Apr 2021 00:30:53 +0200 you wrote:
> Fix out-of-bound access in the address array.
>
> Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/nf_flow_table_offload.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Here is the summary with links:
  - [net,1/7] netfilter: flowtable: fix NAT IPv6 offload mangling
    https://git.kernel.org/netdev/net/c/0e07e25b481a
  - [net,2/7] netfilter: conntrack: do not print icmpv6 as unknown via /proc
    https://git.kernel.org/netdev/net/c/fbea31808ca1
  - [net,3/7] netfilter: nft_limit: avoid possible divide error in nft_limit_init
    https://git.kernel.org/netdev/net/c/b895bdf5d643
  - [net,4/7] netfilter: bridge: add pre_exit hooks for ebtable unregistration
    https://git.kernel.org/netdev/net/c/7ee3c61dcd28
  - [net,5/7] netfilter: arp_tables: add pre_exit hook for table unregister
    https://git.kernel.org/netdev/net/c/d163a925ebbc
  - [net,6/7] netfilter: x_tables: fix compat match/target pad out-of-bound write
    https://git.kernel.org/netdev/net/c/b29c457a6511
  - [net,7/7] netfilter: nftables: clone set element expression template
    https://git.kernel.org/netdev/net/c/4d8f9065830e

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [PATCH net 2/7] netfilter: conntrack: do not print icmpv6 as unknown via /proc 2021-04-12 22:30 [PATCH net 0/7] Netfilter fixes for net Pablo Neira Ayuso 2021-04-12 22:30 ` [PATCH net 1/7] netfilter: flowtable: fix NAT IPv6 offload mangling Pablo Neira Ayuso @ 2021-04-12 22:30 ` Pablo Neira Ayuso 2021-04-12 22:30 ` [PATCH net 3/7] netfilter: nft_limit: avoid possible divide error in nft_limit_init Pablo Neira Ayuso ` (4 subsequent siblings) 6 siblings, 0 replies; 18+ messages in thread From: Pablo Neira Ayuso @ 2021-04-12 22:30 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev, kuba /proc/net/nf_conntrack shows icmpv6 as unknown. Fixes: 09ec82f5af99 ("netfilter: conntrack: remove protocol name from l4proto struct") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_conntrack_standalone.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 0ee702d374b0..c6c0cb465664 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -266,6 +266,7 @@ static const char* l4proto_name(u16 proto) case IPPROTO_GRE: return "gre"; case IPPROTO_SCTP: return "sctp"; case IPPROTO_UDPLITE: return "udplite"; + case IPPROTO_ICMPV6: return "icmpv6"; } return "unknown"; -- 2.20.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH net 3/7] netfilter: nft_limit: avoid possible divide error in nft_limit_init
From: Pablo Neira Ayuso @ 2021-04-12 22:30 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba

From: Eric Dumazet <edumazet@google.com>

div_u64() divides u64 by u32.

nft_limit_init() wants to divide u64 by u64, use the appropriate
math function (div64_u64)

divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]
RIP: 0010:div_u64 include/linux/math64.h:127 [inline]
RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85
Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00
RSP: 0018:ffffc90009447198 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003
RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000
R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]
 nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713
 nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160
 nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321
 nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0
net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c26844eda9d4 ("netfilter: nf_tables: Fix nft limit burst handling") Fixes: 3e0f64b7dd31 ("netfilter: nft_limit: fix packet ratelimiting") Signed-off-by: Eric Dumazet <edumazet@google.com> Diagnosed-by: Luigi Rizzo <lrizzo@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nft_limit.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c index 0e2c315c3b5e..82ec27bdf941 100644 --- a/net/netfilter/nft_limit.c +++ b/net/netfilter/nft_limit.c @@ -76,13 +76,13 @@ static int nft_limit_init(struct nft_limit *limit, return -EOVERFLOW; if (pkts) { - tokens = div_u64(limit->nsecs, limit->rate) * limit->burst; + tokens = div64_u64(limit->nsecs, limit->rate) * limit->burst; } else { /* The token bucket size limits the number of tokens can be * accumulated. tokens_max specifies the bucket size. * tokens_max = unit * (rate + burst) / rate. */ - tokens = div_u64(limit->nsecs * (limit->rate + limit->burst), + tokens = div64_u64(limit->nsecs * (limit->rate + limit->burst), limit->rate); } -- 2.20.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
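Review bot: the commit message could spell out why the old call crashed instead of merely computing a wrong quotient. In the quoted oops, `45 89 ed` (mov %r13d,%r13d) zero-extends the divisor to 32 bits immediately before the faulting `49 f7 f5` (div %r13), and R13 is 0000000000000000 at the fault, so a rate whose low 32 bits are zero (RBX and R08 hold 0000200000000000, i.e. 2^45, consistent with such a rate) becomes a division by zero once div_u64() truncates it. Switching both calls to div64_u64() removes that truncation; in the else branch `limit->nsecs * (limit->rate + limit->burst)` remains a plain 64-bit multiply, so please confirm that the -EOVERFLOW check visible at the top of the hunk covers that product and not only nsecs * rate.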
* [PATCH net 4/7] netfilter: bridge: add pre_exit hooks for ebtable unregistration
From: Pablo Neira Ayuso @ 2021-04-12 22:30 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba

From: Florian Westphal <fw@strlen.de>

Just like ip/ip6/arptables, the hooks have to be removed, then
synchronize_rcu() has to be called to make sure no more packets are being
processed before the ruleset data is released.

Place the hook unregistration in the pre_exit hook, then call the new
ebtables pre_exit function from there.

Years ago, when first netns support got added for netfilter+ebtables,
this used an older (now removed) netfilter hook unregister API, that did
an unconditional synchronize_rcu().

Now that all is done with call_rcu, ebtable_{filter,nat,broute} pernet exit
handlers may free the ebtable ruleset while packets are still in flight.

This can only happen on module removal, not during netns exit.

The new function expects the table name, not the table struct.

This is because upcoming patch set (targeting -next) will remove all
net->xt.{nat,filter,broute}_table instances, this makes it necessary to
avoid external references to those member variables.

The existing APIs will be converted, so follow the upcoming scheme of passing
name + hook type instead.

Fixes: aee12a0a3727e ("ebtables: remove nf_hook_register usage")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/linux/netfilter_bridge/ebtables.h | 5 ++-- net/bridge/netfilter/ebtable_broute.c | 8 +++++- net/bridge/netfilter/ebtable_filter.c | 8 +++++- net/bridge/netfilter/ebtable_nat.c | 8 +++++- net/bridge/netfilter/ebtables.c | 30 ++++++++++++++++++++--- 5 files changed, 51 insertions(+), 8 deletions(-) diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h index 2f5c4e6ecd8a..3a956145a25c 100644 --- a/include/linux/netfilter_bridge/ebtables.h +++ b/include/linux/netfilter_bridge/ebtables.h @@ -110,8 +110,9 @@ extern int ebt_register_table(struct net *net, const struct ebt_table *table, const struct nf_hook_ops *ops, struct ebt_table **res); -extern void ebt_unregister_table(struct net *net, struct ebt_table *table, - const struct nf_hook_ops *); +extern void ebt_unregister_table(struct net *net, struct ebt_table *table); +void ebt_unregister_table_pre_exit(struct net *net, const char *tablename, + const struct nf_hook_ops *ops); extern unsigned int ebt_do_table(struct sk_buff *skb, const struct nf_hook_state *state, struct ebt_table *table); diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c index 66e7af165494..32bc2821027f 100644 --- a/net/bridge/netfilter/ebtable_broute.c +++ b/net/bridge/netfilter/ebtable_broute.c @@ -105,14 +105,20 @@ static int __net_init broute_net_init(struct net *net) &net->xt.broute_table); } +static void __net_exit broute_net_pre_exit(struct net *net) +{ + ebt_unregister_table_pre_exit(net, "broute", &ebt_ops_broute); +} + static void __net_exit broute_net_exit(struct net *net) { - ebt_unregister_table(net, net->xt.broute_table, &ebt_ops_broute); + ebt_unregister_table(net, net->xt.broute_table); } static struct pernet_operations broute_net_ops = { .init = broute_net_init, .exit = broute_net_exit, + .pre_exit = broute_net_pre_exit, }; static int __init ebtable_broute_init(void) 
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c index 78cb9b21022d..bcf982e12f16 100644 --- a/net/bridge/netfilter/ebtable_filter.c +++ b/net/bridge/netfilter/ebtable_filter.c @@ -99,14 +99,20 @@ static int __net_init frame_filter_net_init(struct net *net) &net->xt.frame_filter); } +static void __net_exit frame_filter_net_pre_exit(struct net *net) +{ + ebt_unregister_table_pre_exit(net, "filter", ebt_ops_filter); +} + static void __net_exit frame_filter_net_exit(struct net *net) { - ebt_unregister_table(net, net->xt.frame_filter, ebt_ops_filter); + ebt_unregister_table(net, net->xt.frame_filter); } static struct pernet_operations frame_filter_net_ops = { .init = frame_filter_net_init, .exit = frame_filter_net_exit, + .pre_exit = frame_filter_net_pre_exit, }; static int __init ebtable_filter_init(void) diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c index 0888936ef853..0d092773f816 100644 --- a/net/bridge/netfilter/ebtable_nat.c +++ b/net/bridge/netfilter/ebtable_nat.c @@ -99,14 +99,20 @@ static int __net_init frame_nat_net_init(struct net *net) &net->xt.frame_nat); } +static void __net_exit frame_nat_net_pre_exit(struct net *net) +{ + ebt_unregister_table_pre_exit(net, "nat", ebt_ops_nat); +} + static void __net_exit frame_nat_net_exit(struct net *net) { - ebt_unregister_table(net, net->xt.frame_nat, ebt_ops_nat); + ebt_unregister_table(net, net->xt.frame_nat); } static struct pernet_operations frame_nat_net_ops = { .init = frame_nat_net_init, .exit = frame_nat_net_exit, + .pre_exit = frame_nat_net_pre_exit, }; static int __init ebtable_nat_init(void) diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index ebe33b60efd6..d481ff24a150 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c 
@@ -1232,10 +1232,34 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table, return ret; } -void ebt_unregister_table(struct net *net, struct ebt_table *table, - const struct nf_hook_ops *ops) +static struct ebt_table *__ebt_find_table(struct net *net, const char *name) +{ + struct ebt_table *t; + + mutex_lock(&ebt_mutex); + + list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) { + if (strcmp(t->name, name) == 0) { + mutex_unlock(&ebt_mutex); + return t; + } + } + + mutex_unlock(&ebt_mutex); + return NULL; +} + +void ebt_unregister_table_pre_exit(struct net *net, const char *name, const struct nf_hook_ops *ops) +{ + struct ebt_table *table = __ebt_find_table(net, name); + + if (table) + nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); +} +EXPORT_SYMBOL(ebt_unregister_table_pre_exit); + +void ebt_unregister_table(struct net *net, struct ebt_table *table) { - nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); __ebt_unregister_table(net, table); } -- 2.20.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
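Review bot: in the ebtables.h hunk the new ebt_unregister_table_pre_exit() prototype drops the `extern` that the neighbouring declarations carry and names its second parameter `tablename`, while the definition in the ebtables.c hunk calls it `name`; harmless, but aligning both keeps the header consistent with the functions around it.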
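Review bot: in the ebtables.c hunk __ebt_find_table() releases ebt_mutex before returning the table pointer, so ebt_unregister_table_pre_exit() reads table->valid_hooks outside the lock; that relies on nothing replacing or freeing the table concurrently during the pre_exit phase and deserves a one-line comment above the function. The NULL case also merits a comment: a missing table means ebt_register_table() never succeeded for this netns, so there are no hooks to unregister and the silent return is intended rather than a missed unregistration.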
* [PATCH net 5/7] netfilter: arp_tables: add pre_exit hook for table unregister
From: Pablo Neira Ayuso @ 2021-04-12 22:30 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba

From: Florian Westphal <fw@strlen.de>

Same problem that also existed in iptables/ip(6)tables, when arptable_filter
is removed there is no longer a wait period before the table/ruleset is
free'd.

Unregister the hook in pre_exit, then remove the table in the exit
function.

This used to work correctly because the old nf_hook_unregister API did
unconditional synchronize_net.

The per-net hook unregister function uses call_rcu instead.

Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter_arp/arp_tables.h |  5 +++--
 net/ipv4/netfilter/arp_tables.c          |  9 +++++++--
 net/ipv4/netfilter/arptable_filter.c     | 10 +++++++++-
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 7d3537c40ec9..26a13294318c 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -52,8 +52,9 @@ extern void *arpt_alloc_initial_table(const struct xt_table *); int arpt_register_table(struct net *net, const struct xt_table *table, const struct arpt_replace *repl, const struct nf_hook_ops *ops, struct xt_table **res); -void arpt_unregister_table(struct net *net, struct xt_table *table, - const struct nf_hook_ops *ops); +void arpt_unregister_table(struct net *net, struct xt_table *table); +void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table, + const struct nf_hook_ops *ops); extern unsigned int arpt_do_table(struct sk_buff *skb, const struct nf_hook_state *state, struct xt_table *table); diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index d1e04d2b5170..6c26533480dd 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -1539,10 +1539,15 @@ int arpt_register_table(struct net *net, return ret; } -void arpt_unregister_table(struct net *net, struct xt_table *table, - const struct nf_hook_ops *ops) +void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table, + const struct nf_hook_ops *ops) { nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); +} +EXPORT_SYMBOL(arpt_unregister_table_pre_exit); + +void arpt_unregister_table(struct net *net, struct xt_table *table) +{ __arpt_unregister_table(net, table); } diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c index c216b9ad3bb2..6c300ba5634e 100644 --- a/net/ipv4/netfilter/arptable_filter.c +++ b/net/ipv4/netfilter/arptable_filter.c 
@@ -56,16 +56,24 @@ static int __net_init arptable_filter_table_init(struct net *net) return err; } +static void __net_exit arptable_filter_net_pre_exit(struct net *net) +{ + if (net->ipv4.arptable_filter) + arpt_unregister_table_pre_exit(net, net->ipv4.arptable_filter, + arpfilter_ops); +} + static void __net_exit arptable_filter_net_exit(struct net *net) { if (!net->ipv4.arptable_filter) return; - arpt_unregister_table(net, net->ipv4.arptable_filter, arpfilter_ops); + arpt_unregister_table(net, net->ipv4.arptable_filter); net->ipv4.arptable_filter = NULL; } static struct pernet_operations arptable_filter_net_ops = { .exit = arptable_filter_net_exit, + .pre_exit = arptable_filter_net_pre_exit, }; static int __init arptable_filter_init(void) -- 2.20.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
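Review bot: the arptable_filter.c hunk moves the hook removal into .pre_exit but adds no synchronize_rcu() of its own; the wait period the commit message refers to comes from the pernet core, which calls synchronize_rcu() between running the pre_exit callbacks and the exit callbacks. Saying so explicitly in the commit message, or in a comment next to `.pre_exit = arptable_filter_net_pre_exit`, would save the next reader from looking for the missing grace period, and it documents that the fix depends on arpt_unregister_table() only ever being called from the exit phase.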
* [PATCH net 6/7] netfilter: x_tables: fix compat match/target pad out-of-bound write 2021-04-12 22:30 [PATCH net 0/7] Netfilter fixes for net Pablo Neira Ayuso ` (4 preceding siblings ...) 2021-04-12 22:30 ` [PATCH net 5/7] netfilter: arp_tables: add pre_exit hook for table unregister Pablo Neira Ayuso @ 2021-04-12 22:30 ` Pablo Neira Ayuso 2021-04-12 22:30 ` [PATCH net 7/7] netfilter: nftables: clone set element expression template Pablo Neira Ayuso 6 siblings, 0 replies; 18+ messages in thread From: Pablo Neira Ayuso @ 2021-04-12 22:30 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev, kuba From: Florian Westphal <fw@strlen.de> xt_compat_match/target_from_user doesn't check that zeroing the area to start of next rule won't write past end of allocated ruleset blob. Remove this code and zero the entire blob beforehand. Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com Reported-by: Andy Nguyen <theflow@google.com> Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 2 ++ net/ipv4/netfilter/ip_tables.c | 2 ++ net/ipv6/netfilter/ip6_tables.c | 2 ++ net/netfilter/x_tables.c | 10 ++-------- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 6c26533480dd..d6d45d820d79 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -1193,6 +1193,8 @@ static int translate_compat_table(struct net *net, if (!newinfo) goto out_unlock; + memset(newinfo->entries, 0, size); + newinfo->number = compatr->num_entries; for (i = 0; i < NF_ARP_NUMHOOKS; i++) { newinfo->hook_entry[i] = compatr->hook_entry[i]; diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index f15bc21d7301..f77ea0dbe656 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c 
@@ -1428,6 +1428,8 @@ translate_compat_table(struct net *net, if (!newinfo) goto out_unlock; + memset(newinfo->entries, 0, size); + newinfo->number = compatr->num_entries; for (i = 0; i < NF_INET_NUMHOOKS; i++) { newinfo->hook_entry[i] = compatr->hook_entry[i]; diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 2e2119bfcf13..eb2b5404806c 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1443,6 +1443,8 @@ translate_compat_table(struct net *net, if (!newinfo) goto out_unlock; + memset(newinfo->entries, 0, size); + newinfo->number = compatr->num_entries; for (i = 0; i < NF_INET_NUMHOOKS; i++) { newinfo->hook_entry[i] = compatr->hook_entry[i]; diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 6bd31a7a27fc..92e9d4ebc5e8 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -733,7 +733,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, { const struct xt_match *match = m->u.kernel.match; struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; - int pad, off = xt_compat_match_offset(match); + int off = xt_compat_match_offset(match); u_int16_t msize = cm->u.user.match_size; char name[sizeof(m->u.user.name)]; @@ -743,9 +743,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, match->compat_from_user(m->data, cm->data); else memcpy(m->data, cm->data, msize - sizeof(*cm)); - pad = XT_ALIGN(match->matchsize) - match->matchsize; - if (pad > 0) - memset(m->data + match->matchsize, 0, pad); msize += off; m->u.user.match_size = msize; 
@@ -1116,7 +1113,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, { const struct xt_target *target = t->u.kernel.target; struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; - int pad, off = xt_compat_target_offset(target); + int off = xt_compat_target_offset(target); u_int16_t tsize = ct->u.user.target_size; char name[sizeof(t->u.user.name)]; @@ -1126,9 +1123,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, target->compat_from_user(t->data, ct->data); else memcpy(t->data, ct->data, tsize - sizeof(*ct)); - pad = XT_ALIGN(target->targetsize) - target->targetsize; - if (pad > 0) - memset(t->data + target->targetsize, 0, pad); tsize += off; t->u.user.target_size = tsize; -- 2.20.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
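Review bot: after the x_tables.c hunks the padding between match->matchsize and XT_ALIGN(match->matchsize) (and the target equivalent) is no longer written by xt_compat_match/target_from_user() at all; it is zero only because translate_compat_table() now memset()s the whole blob before conversion. A short comment at the memcpy()/compat_from_user() site saying that the alignment padding is pre-zeroed by the caller would keep someone from reintroducing a targeted memset, which is exactly the code that could write past the end of the blob.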
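Review bot: the three memset(newinfo->entries, 0, size) hunks are correct only if `size` at that point is the length that was just passed to the allocator for newinfo (the `if (!newinfo) goto out_unlock;` context shows the allocation directly above); a comment noting that this zeroing replaces the removed per-match/target pad memset would make that dependency visible. Since the identical block is pasted into arp_tables.c, ip_tables.c and ip6_tables.c, a zeroing variant in x_tables would keep the three copies from drifting.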
* [PATCH net 7/7] netfilter: nftables: clone set element expression template
From: Pablo Neira Ayuso @ 2021-04-12 22:30 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba

memcpy() breaks when using connlimit in set elements. Use nft_expr_clone()
to initialize the connlimit expression list, otherwise connlimit garbage
collector crashes when walking on the list head copy.

[ 493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[ 493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]
[ 493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83
[ 493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297
[ 493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000
[ 493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0
[ 493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c
[ 493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001
[ 493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000
[ 493.064721] FS: 0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000
[ 493.064725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0
[ 493.064733] Call Trace:
[ 493.064737]  nf_conncount_gc_list+0x8f/0x150 [nf_conncount]
[ 493.064746]  nft_rhash_gc+0x106/0x390 [nf_tables]

Reported-by: Laura Garcia Liebana <nevola@gmail.com>
Fixes: 409444522976 ("netfilter: nf_tables: add elements with stateful expressions")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 46 ++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f57f1a6ba96f..589d2f6978d3 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5295,16 +5295,35 @@ int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, return -ENOMEM; } -static void nft_set_elem_expr_setup(const struct nft_set_ext *ext, int i, - struct nft_expr *expr_array[]) +static int nft_set_elem_expr_setup(struct nft_ctx *ctx, + const struct nft_set_ext *ext, + struct nft_expr *expr_array[], + u32 num_exprs) { struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); - struct nft_expr *expr = nft_setelem_expr_at(elem_expr, elem_expr->size); + struct nft_expr *expr; + int i, err; + + for (i = 0; i < num_exprs; i++) { + expr = nft_setelem_expr_at(elem_expr, elem_expr->size); + err = nft_expr_clone(expr, expr_array[i]); + if (err < 0) + goto err_elem_expr_setup; + + elem_expr->size += expr_array[i]->ops->size; + nft_expr_destroy(ctx, expr_array[i]); + expr_array[i] = NULL; + } + + return 0; + +err_elem_expr_setup: + for (; i < num_exprs; i++) { + nft_expr_destroy(ctx, expr_array[i]); + expr_array[i] = NULL; + } - memcpy(expr, expr_array[i], expr_array[i]->ops->size); - elem_expr->size += expr_array[i]->ops->size; - kfree(expr_array[i]); - expr_array[i] = NULL; + return -ENOMEM; } static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, @@ -5556,12 +5575,15 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, *nft_set_ext_obj(ext) = obj; obj->use++; } - for (i = 0; i < num_exprs; i++) - nft_set_elem_expr_setup(ext, i, expr_array); + err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs); + if (err < 0) + goto err_elem_expr; trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); - if (trans == NULL) - goto err_trans; + if (trans == NULL) { + err = -ENOMEM; + goto err_elem_expr; + } ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; err = set->ops->insert(ctx->net, set, &elem, &ext2); 
@@ -5605,7 +5627,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, set->ops->remove(ctx->net, set, &elem); err_element_clash: kfree(trans); -err_trans: +err_elem_expr: if (obj) obj->use--; -- 2.20.1 ^ permalink raw reply related [flat|nested] 18+ messages in thread
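Review bot: in the nft_set_elem_expr_setup() hunk the error path discards the value nft_expr_clone() returned and always reports -ENOMEM; `return err;` would preserve the real cause, since a clone callback can fail for reasons other than allocation. The cleanup loop also only destroys expr_array[i..num_exprs-1], i.e. the templates not yet consumed; the expressions already cloned into elem_expr for indices below i stay there, so the caller's err_elem_expr path must release them through the element's own destroy routine. Please confirm that it does, otherwise a failure on the second expression leaks the state of the first.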
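Review bot: in the nft_add_set_elem() hunk the `trans == NULL` branch now sets err = -ENOMEM explicitly before jumping to err_elem_expr, and that is needed rather than cosmetic: after `err = nft_set_elem_expr_setup(...)` succeeds, err holds 0, so without the assignment the allocation failure would be reported to user space as success. A sentence in the commit message would make that behavioural change visible.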
* [PATCH net 0/7] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2021-12-09 0:08 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix bogus compiler warning in nfnetlink_queue, from Florian Westphal.

2) Don't run conntrack on vrf with !dflt qdisc, from Nicolas Dichtel.

3) Fix nft_pipapo bucket load in AVX2 lookup routine for six 8-bit groups,
   from Stefano Brivio.

4) Break rule evaluation on malformed TCP options.

5) Use socat instead of nc in selftests/netfilter/nft_zones_many.sh, also
   from Florian.

6) Fix KCSAN data-race in conntrack timeout updates, from Eric Dumazet.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 34d8778a943761121f391b7921f79a7adbe1feaf:

  MAINTAINERS: s390/net: add Alexandra and Wenjia as maintainer (2021-11-30 12:20:07 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 802a7dc5cf1bef06f7b290ce76d478138408d6b1:

  netfilter: conntrack: annotate data-races around ct->timeout (2021-12-08 01:29:15 +0100)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: conntrack: annotate data-races around ct->timeout

Florian Westphal (2):
      netfilter: nfnetlink_queue: silence bogus compiler warning
      selftests: netfilter: switch zone stress to socat

Nicolas Dichtel (1):
      vrf: don't run conntrack on vrf with !dflt qdisc

Pablo Neira Ayuso (1):
      netfilter: nft_exthdr: break evaluation if setting TCP option fails

Stefano Brivio (2):
      nft_set_pipapo: Fix bucket load in AVX2 lookup routine for six 8-bit groups
      selftests: netfilter: Add correctness test for mac,net set type

 drivers/net/vrf.c                                  |  8 +++---
 include/net/netfilter/nf_conntrack.h               |  6 ++---
 net/netfilter/nf_conntrack_core.c                  |  6 ++---
 net/netfilter/nf_conntrack_netlink.c               |  2 +-
 net/netfilter/nf_flow_table_core.c                 |  4 +--
 net/netfilter/nfnetlink_queue.c                    |  2 +-
 net/netfilter/nft_exthdr.c                         | 11 +++++---
 net/netfilter/nft_set_pipapo_avx2.c                |  2 +-
 tools/testing/selftests/netfilter/conntrack_vrf.sh | 30 +++++++++++++++++++---
 .../selftests/netfilter/nft_concat_range.sh        | 24 ++++++++++++++---
 .../testing/selftests/netfilter/nft_zones_many.sh  | 19 +++++++++-----
 11 files changed, 82 insertions(+), 32 deletions(-)
* [PATCH net 0/7] Netfilter fixes for net
@ 2022-05-18 21:38 Pablo Neira Ayuso
0 siblings, 0 replies; 18+ messages in thread

From: Pablo Neira Ayuso @ 2022-05-18 21:38 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni

Hi,

This patchset contains Netfilter fixes for net:

1) Reduce number of hardware offload retries from flowtable datapath which might hog system with retries, from Felix Fietkau.

2) Skip neighbour lookup for PPPoE device, fill_forward_path() already provides this and set on destination address from fill_forward_path for PPPoE device, also from Felix.

4) When combining PPPoE on top of a VLAN device, set info->outdev to the PPPoE device so software offload works, from Felix.

5) Fix TCP teardown flowtable state, races with conntrack gc might result in resetting the state to ESTABLISHED and the time to one day. Joint work with Oz Shlomo and Sven Auhagen.

6) Call dst_check() from flowtable datapath to check if dst is stale instead of doing it from garbage collector path.

7) Disable register tracking infrastructure, either user-space or kernel need to pre-fetch keys unconditionally, otherwise register tracking assumes data is already available in register that might not well be there, leading to incorrect reductions.

Please, pull these changes from:

git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------
The following changes since commit f3f19f939c11925dadd3f4776f99f8c278a7017b:

  Merge tag 'net-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2022-05-12 11:51:45 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

for you to fetch changes up to 9e539c5b6d9c5b996e45105921ee9dd955c0f535:

  netfilter: nf_tables: disable expression reduction infra (2022-05-18 17:34:26 +0200)

----------------------------------------------------------------
Felix Fietkau (4):
      netfilter: flowtable: fix excessive hw offload attempts after failure
      netfilter: nft_flow_offload: skip dst neigh lookup for ppp devices
      net: fix dev_fill_forward_path with pppoe + bridge
      netfilter: nft_flow_offload: fix offload with pppoe + vlan

Pablo Neira Ayuso (2):
      netfilter: flowtable: fix TCP flow teardown
      netfilter: nf_tables: disable expression reduction infra

Ritaro Takenaka (1):
      netfilter: flowtable: move dst_check to packet path

 drivers/net/ppp/pppoe.c            |  1 +
 include/linux/netdevice.h          |  2 +-
 net/core/dev.c                     |  2 +-
 net/netfilter/nf_flow_table_core.c | 60 +++++++------------------------------
 net/netfilter/nf_flow_table_ip.c   | 19 ++++++++++++
 net/netfilter/nf_tables_api.c      | 11 +------
 net/netfilter/nft_flow_offload.c   | 28 +++++++++++-------
 7 files changed, 51 insertions(+), 72 deletions(-)
* [PATCH net 0/7] Netfilter fixes for net
@ 2022-06-06 21:20 Pablo Neira Ayuso
0 siblings, 0 replies; 18+ messages in thread

From: Pablo Neira Ayuso @ 2022-06-06 21:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix NAT support for NFPROTO_INET without layer 3 address, from Florian Westphal.

2) Use kfree_rcu(ptr, rcu) variant in nf_tables clean_net path.

3) Use list to collect flowtable hooks to be deleted.

4) Initialize list of hook field in flowtable transaction.

5) Release hooks on error for flowtable updates.

6) Memleak in hardware offload rule commit and abort paths.

7) Early bail out in case device does not support hardware offload. This adds a new interface to net/core/flow_offload.c to check if the flow indirect block list is empty.

Please, pull these changes from:

git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------
The following changes since commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b:

  tcp: tcp_rtx_synack() can be called from process context (2022-05-31 21:40:10 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

for you to fetch changes up to 3a41c64d9c1185a2f3a184015e2a9b78bfc99c71:

  netfilter: nf_tables: bail out early if hardware offload is not supported (2022-06-06 19:19:15 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nat: really support inet nat without l3 address

Pablo Neira Ayuso (6):
      netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
      netfilter: nf_tables: delete flowtable hooks via transaction list
      netfilter: nf_tables: always initialize flowtable hook list in transaction
      netfilter: nf_tables: release new hooks on unsupported flowtable flags
      netfilter: nf_tables: memleak flow rule from commit path
      netfilter: nf_tables: bail out early if hardware offload is not supported

 include/net/flow_offload.h                   |  1 +
 include/net/netfilter/nf_tables.h            |  1 -
 include/net/netfilter/nf_tables_offload.h    |  2 +-
 net/core/flow_offload.c                      |  6 ++++
 net/netfilter/nf_tables_api.c                | 54 ++++++++++++----------------
 net/netfilter/nf_tables_offload.c            | 23 +++++++++++-
 net/netfilter/nft_nat.c                      |  3 +-
 tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++++
 8 files changed, 98 insertions(+), 35 deletions(-)
* [PATCH net 0/7] Netfilter fixes for net
@ 2023-01-02 16:40 Pablo Neira Ayuso
0 siblings, 0 replies; 18+ messages in thread

From: Pablo Neira Ayuso @ 2023-01-02 16:40 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains Netfilter fixes for net:

1) Use signed integer in ipv6_skip_exthdr() called from nf_confirm(). Reported by static analysis tooling, patch from Florian Westphal.

2) Missing set type checks in nf_tables: Validate that set declaration matches an existing set type, otherwise bail out with EEXIST. Currently, nf_tables silently accepts the re-declaration with a different type but it bails out later with EINVAL when the user adds entries to the set. This fix is relatively large because it requires two preparation patches that are included in this batch.

3) Do not ignore updates of timeout and gc_interval parameters in existing sets.

4) Fix a hang when 0/0 subnets is added to a hash:net,port,net type of ipset. Except hash:net,port,net and hash:net,iface, the set types don't support 0/0 and the auxiliary functions rely on this fact. So 0/0 needs a special handling in hash:net,port,net which was missing (hash:net,iface was not affected by this bug), from Jozsef Kadlecsik.

5) When adding/deleting large number of elements in one step in ipset, it can take a reasonable amount of time and can result in soft lockup errors. This patch is a complete rework of the previous version in order to use a smaller internal batch limit and at the same time removing the external hard limit to add arbitrary number of elements in one step. Also from Jozsef Kadlecsik.

Except for patch #1, which fixes a bug introduced in the previous net-next development cycle, anything else has been broken for several releases.

Please, pull these changes from:

git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------
The following changes since commit 19e72b064fc32cd58f6fc0b1eb64ac2e4f770e76:

  net: fec: check the return value of build_skb() (2022-12-20 11:33:24 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

for you to fetch changes up to 5e29dc36bd5e2166b834ceb19990d9e68a734d7d:

  netfilter: ipset: Rework long task execution when adding/deleting entries (2023-01-02 15:10:05 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: fix ipv6 exthdr error check

Jozsef Kadlecsik (2):
      netfilter: ipset: fix hash:net,port,net hang with /0 subnet
      netfilter: ipset: Rework long task execution when adding/deleting entries

Pablo Neira Ayuso (4):
      netfilter: nf_tables: consolidate set description
      netfilter: nf_tables: add function to create set stateful expressions
      netfilter: nf_tables: perform type checking for existing sets
      netfilter: nf_tables: honor set timeout and garbage collection updates

 include/linux/netfilter/ipset/ip_set.h       |   2 +-
 include/net/netfilter/nf_tables.h            |  25 ++-
 net/netfilter/ipset/ip_set_core.c            |   7 +-
 net/netfilter/ipset/ip_set_hash_ip.c         |  14 +-
 net/netfilter/ipset/ip_set_hash_ipmark.c     |  13 +-
 net/netfilter/ipset/ip_set_hash_ipport.c     |  13 +-
 net/netfilter/ipset/ip_set_hash_ipportip.c   |  13 +-
 net/netfilter/ipset/ip_set_hash_ipportnet.c  |  13 +-
 net/netfilter/ipset/ip_set_hash_net.c        |  17 +-
 net/netfilter/ipset/ip_set_hash_netiface.c   |  15 +-
 net/netfilter/ipset/ip_set_hash_netnet.c     |  23 +--
 net/netfilter/ipset/ip_set_hash_netport.c    |  19 +-
 net/netfilter/ipset/ip_set_hash_netportnet.c |  40 ++--
 net/netfilter/nf_conntrack_proto.c           |   7 +-
 net/netfilter/nf_tables_api.c                | 261 ++++++++++++++++++---------
 15 files changed, 293 insertions(+), 189 deletions(-)
* [PATCH net 0/7] Netfilter fixes for net
@ 2024-04-11 11:28 Pablo Neira Ayuso
  2024-04-11 11:39 ` Paolo Abeni
0 siblings, 1 reply; 18+ messages in thread

From: Pablo Neira Ayuso @ 2024-04-11 11:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

The following patchset contains Netfilter fixes for net:

Patches #1 and #2 add missing rcu read side lock when iterating over expression and object type list which could race with module removal.

Patch #3 prevents promisc packet from visiting the bridge/input hook to amend a recent fix to address conntrack confirmation race in br_netfilter and nf_conntrack_bridge.

Patch #4 adds and uses iterate decorator type to fetch the current pipapo set backend datastructure view when netlink dumps the set elements.

Patch #5 fixes removal of duplicate elements in the pipapo set backend.

Patch #6 flowtable validates pppoe header before accessing it.

Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup fails and pppoe packets follow classic path.

Please, pull these changes from:

git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11

Thanks.

----------------------------------------------------------------
The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:

  r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11

for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:

  netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)

----------------------------------------------------------------
netfilter pull request 24-04-11

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_set_pipapo: do not free live element

Pablo Neira Ayuso (4):
      netfilter: br_netfilter: skip conntrack input hook for promisc packets
      netfilter: nft_set_pipapo: walk over current view on netlink dump
      netfilter: flowtable: validate pppoe header
      netfilter: flowtable: incorrect pppoe tuple

Ziyang Xuan (2):
      netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
      netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()

 include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
 include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
 net/bridge/br_input.c                      | 15 +++++++++++----
 net/bridge/br_netfilter_hooks.c            |  6 ++++++
 net/bridge/br_private.h                    |  1 +
 net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
 net/netfilter/nf_flow_table_inet.c         |  3 ++-
 net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
 net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
 net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
 10 files changed, 91 insertions(+), 25 deletions(-)
* Re: [PATCH net 0/7] Netfilter fixes for net
  2024-04-11 11:28 Pablo Neira Ayuso
@ 2024-04-11 11:39 ` Paolo Abeni
  2024-04-11 11:42 ` Pablo Neira Ayuso
0 siblings, 1 reply; 18+ messages in thread

From: Paolo Abeni @ 2024-04-11 11:39 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter-devel; +Cc: davem, netdev, kuba, edumazet, fw

On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> Hi,
>
> The following patchset contains Netfilter fixes for net:
>
> Patches #1 and #2 add missing rcu read side lock when iterating over
> expression and object type list which could race with module removal.
>
> Patch #3 prevents promisc packet from visiting the bridge/input hook
> to amend a recent fix to address conntrack confirmation race
> in br_netfilter and nf_conntrack_bridge.
>
> Patch #4 adds and uses iterate decorator type to fetch the current
> pipapo set backend datastructure view when netlink dumps the
> set elements.
>
> Patch #5 fixes removal of duplicate elements in the pipapo set backend.
>
> Patch #6 flowtable validates pppoe header before accessing it.
>
> Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> fails and pppoe packets follow classic path.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
>
> Thanks.
>
> ----------------------------------------------------------------
>
> The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
>
> r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
>
> are available in the Git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
>
> for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
>
> netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
>
> ----------------------------------------------------------------
> netfilter pull request 24-04-11
>
> ----------------------------------------------------------------
> Florian Westphal (1):
> netfilter: nft_set_pipapo: do not free live element
>
> Pablo Neira Ayuso (4):
> netfilter: br_netfilter: skip conntrack input hook for promisc packets
> netfilter: nft_set_pipapo: walk over current view on netlink dump
> netfilter: flowtable: validate pppoe header
> netfilter: flowtable: incorrect pppoe tuple
>
> Ziyang Xuan (2):
> netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
>
> include/net/netfilter/nf_flow_table.h | 12 +++++++++++-
> include/net/netfilter/nf_tables.h | 14 ++++++++++++++
> net/bridge/br_input.c | 15 +++++++++++----
> net/bridge/br_netfilter_hooks.c | 6 ++++++
> net/bridge/br_private.h | 1 +
> net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> net/netfilter/nf_flow_table_inet.c | 3 ++-
> net/netfilter/nf_flow_table_ip.c | 10 ++++++----
> net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++----
> net/netfilter/nft_set_pipapo.c | 19 ++++++++++++-------
> 10 files changed, 91 insertions(+), 25 deletions(-)

Whoops, I'm finishing testing right now today's PR, I hope it's not a
big issue if this lands later?

Thanks,

Paolo
* Re: [PATCH net 0/7] Netfilter fixes for net
  2024-04-11 11:39 ` Paolo Abeni
@ 2024-04-11 11:42 ` Pablo Neira Ayuso
  2024-04-11 11:58 ` Paolo Abeni
0 siblings, 1 reply; 18+ messages in thread

From: Pablo Neira Ayuso @ 2024-04-11 11:42 UTC (permalink / raw)
To: Paolo Abeni; +Cc: netfilter-devel, davem, netdev, kuba, edumazet, fw

On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > Hi,
> >
> > The following patchset contains Netfilter fixes for net:
> >
> > Patches #1 and #2 add missing rcu read side lock when iterating over
> > expression and object type list which could race with module removal.
> >
> > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > to amend a recent fix to address conntrack confirmation race
> > in br_netfilter and nf_conntrack_bridge.
> >
> > Patch #4 adds and uses iterate decorator type to fetch the current
> > pipapo set backend datastructure view when netlink dumps the
> > set elements.
> >
> > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> >
> > Patch #6 flowtable validates pppoe header before accessing it.
> >
> > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > fails and pppoe packets follow classic path.
> >
> > Please, pull these changes from:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> >
> > Thanks.
> >
> > ----------------------------------------------------------------
> >
> > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> >
> > r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> >
> > are available in the Git repository at:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> >
> > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> >
> > netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> >
> > ----------------------------------------------------------------
> > netfilter pull request 24-04-11
> >
> > ----------------------------------------------------------------
> > Florian Westphal (1):
> > netfilter: nft_set_pipapo: do not free live element
> >
> > Pablo Neira Ayuso (4):
> > netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > netfilter: nft_set_pipapo: walk over current view on netlink dump
> > netfilter: flowtable: validate pppoe header
> > netfilter: flowtable: incorrect pppoe tuple
> >
> > Ziyang Xuan (2):
> > netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> >
> > include/net/netfilter/nf_flow_table.h | 12 +++++++++++-
> > include/net/netfilter/nf_tables.h | 14 ++++++++++++++
> > net/bridge/br_input.c | 15 +++++++++++----
> > net/bridge/br_netfilter_hooks.c | 6 ++++++
> > net/bridge/br_private.h | 1 +
> > net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > net/netfilter/nf_flow_table_inet.c | 3 ++-
> > net/netfilter/nf_flow_table_ip.c | 10 ++++++----
> > net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++----
> > net/netfilter/nft_set_pipapo.c | 19 ++++++++++++-------
> > 10 files changed, 91 insertions(+), 25 deletions(-)
>
> Whoops, I'm finishing testing right now today's PR, I hope it's not a
> big issue if this lands later?

Apologies, I am working at full steam here, I could not deliver any sooner.
* Re: [PATCH net 0/7] Netfilter fixes for net
  2024-04-11 11:42 ` Pablo Neira Ayuso
@ 2024-04-11 11:58 ` Paolo Abeni
  2024-04-11 15:30 ` Pablo Neira Ayuso
0 siblings, 1 reply; 18+ messages in thread

From: Paolo Abeni @ 2024-04-11 11:58 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, edumazet, fw

On Thu, 2024-04-11 at 13:42 +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> > On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > > Hi,
> > >
> > > The following patchset contains Netfilter fixes for net:
> > >
> > > Patches #1 and #2 add missing rcu read side lock when iterating over
> > > expression and object type list which could race with module removal.
> > >
> > > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > > to amend a recent fix to address conntrack confirmation race
> > > in br_netfilter and nf_conntrack_bridge.
> > >
> > > Patch #4 adds and uses iterate decorator type to fetch the current
> > > pipapo set backend datastructure view when netlink dumps the
> > > set elements.
> > >
> > > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > >
> > > Patch #6 flowtable validates pppoe header before accessing it.
> > >
> > > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > > fails and pppoe packets follow classic path.
> > >
> > > Please, pull these changes from:
> > >
> > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > >
> > > Thanks.
> > >
> > > ----------------------------------------------------------------
> > >
> > > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > >
> > > r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > >
> > > are available in the Git repository at:
> > >
> > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > >
> > > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > >
> > > netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > >
> > > ----------------------------------------------------------------
> > > netfilter pull request 24-04-11
> > >
> > > ----------------------------------------------------------------
> > > Florian Westphal (1):
> > > netfilter: nft_set_pipapo: do not free live element
> > >
> > > Pablo Neira Ayuso (4):
> > > netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > > netfilter: nft_set_pipapo: walk over current view on netlink dump
> > > netfilter: flowtable: validate pppoe header
> > > netfilter: flowtable: incorrect pppoe tuple
> > >
> > > Ziyang Xuan (2):
> > > netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > > netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > >
> > > include/net/netfilter/nf_flow_table.h | 12 +++++++++++-
> > > include/net/netfilter/nf_tables.h | 14 ++++++++++++++
> > > net/bridge/br_input.c | 15 +++++++++++----
> > > net/bridge/br_netfilter_hooks.c | 6 ++++++
> > > net/bridge/br_private.h | 1 +
> > > net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > > net/netfilter/nf_flow_table_inet.c | 3 ++-
> > > net/netfilter/nf_flow_table_ip.c | 10 ++++++----
> > > net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++----
> > > net/netfilter/nft_set_pipapo.c | 19 ++++++++++++-------
> > > 10 files changed, 91 insertions(+), 25 deletions(-)
> >
> > Whoops, I'm finishing testing right now today's PR, I hope it's not a
> > big issue if this lands later?
>
> Apologies, I am working at full steam here, I could not deliver any sooner.

I'm sorry, I was likely unclear, the above was just a question (not a
complaint): do you have strong preference for these fixes to land into
today's PR? (the answer is unclear to me)

Thanks!

Paolo
* Re: [PATCH net 0/7] Netfilter fixes for net
  2024-04-11 11:58 ` Paolo Abeni
@ 2024-04-11 15:30 ` Pablo Neira Ayuso
0 siblings, 0 replies; 18+ messages in thread

From: Pablo Neira Ayuso @ 2024-04-11 15:30 UTC (permalink / raw)
To: Paolo Abeni; +Cc: netfilter-devel, davem, netdev, kuba, edumazet, fw

On Thu, Apr 11, 2024 at 01:58:37PM +0200, Paolo Abeni wrote:
> On Thu, 2024-04-11 at 13:42 +0200, Pablo Neira Ayuso wrote:
> > On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> > > On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > > > Hi,
> > > >
> > > > The following patchset contains Netfilter fixes for net:
> > > >
> > > > Patches #1 and #2 add missing rcu read side lock when iterating over
> > > > expression and object type list which could race with module removal.
> > > >
> > > > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > > > to amend a recent fix to address conntrack confirmation race
> > > > in br_netfilter and nf_conntrack_bridge.
> > > >
> > > > Patch #4 adds and uses iterate decorator type to fetch the current
> > > > pipapo set backend datastructure view when netlink dumps the
> > > > set elements.
> > > >
> > > > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > > >
> > > > Patch #6 flowtable validates pppoe header before accessing it.
> > > >
> > > > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > > > fails and pppoe packets follow classic path.
> > > >
> > > > Please, pull these changes from:
> > > >
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > > >
> > > > Thanks.
> > > >
> > > > ----------------------------------------------------------------
> > > >
> > > > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > > >
> > > > r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > > >
> > > > are available in the Git repository at:
> > > >
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > > >
> > > > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > > >
> > > > netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > > >
> > > > ----------------------------------------------------------------
> > > > netfilter pull request 24-04-11
> > > >
> > > > ----------------------------------------------------------------
> > > > Florian Westphal (1):
> > > > netfilter: nft_set_pipapo: do not free live element
> > > >
> > > > Pablo Neira Ayuso (4):
> > > > netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > > > netfilter: nft_set_pipapo: walk over current view on netlink dump
> > > > netfilter: flowtable: validate pppoe header
> > > > netfilter: flowtable: incorrect pppoe tuple
> > > >
> > > > Ziyang Xuan (2):
> > > > netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > > > netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > > >
> > > > include/net/netfilter/nf_flow_table.h | 12 +++++++++++-
> > > > include/net/netfilter/nf_tables.h | 14 ++++++++++++++
> > > > net/bridge/br_input.c | 15 +++++++++++----
> > > > net/bridge/br_netfilter_hooks.c | 6 ++++++
> > > > net/bridge/br_private.h | 1 +
> > > > net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > > > net/netfilter/nf_flow_table_inet.c | 3 ++-
> > > > net/netfilter/nf_flow_table_ip.c | 10 ++++++----
> > > > net/netfilter/nf_tables_api.c | 22 ++++++++++++++++++----
> > > > net/netfilter/nft_set_pipapo.c | 19 ++++++++++++-------
> > > > 10 files changed, 91 insertions(+), 25 deletions(-)
> > >
> > > Whoops, I'm finishing testing right now today's PR, I hope it's not a
> > > big issue if this lands later?
> >
> > Apologies, I am working at full steam here, I could not deliver any sooner.
>
> I'm sorry, I was likely unclear, the above was just a question (not a
> complaint): do you have strong preference for these fixes to land into
> today's PR? (the answer is unclear to me)

No problem Paolo, I can miss this flight, it is OK.