* [PATCH net 0/5] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2022-01-20 12:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Incorrect helper module alias in netbios_ns, from Florian Westphal.
2) Remove unused variable in nf_tables.
3) Uninitialized last expression in nf_tables register tracking.
4) Memleak in nft_connlimit after moving stateful data out of the
expression data area.
5) Bogus invalid stats update when NF_REPEAT is returned, from Florian.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 7d6019b602de660bfc6a542a68630006ace83b90:
Revert "net: vertexcom: default to disabled on kbuild" (2022-01-10 21:11:07 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 830af2eba40327abec64325a5b08b1e85c37a2e0:
netfilter: conntrack: don't increment invalid counter on NF_REPEAT (2022-01-16 00:55:27 +0100)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: nf_conntrack_netbios_ns: fix helper module alias
netfilter: conntrack: don't increment invalid counter on NF_REPEAT
Pablo Neira Ayuso (3):
netfilter: nf_tables: remove unused variable
netfilter: nf_tables: set last expression in register tracking area
netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails
net/netfilter/nf_conntrack_core.c | 8 +++++---
net/netfilter/nf_conntrack_netbios_ns.c | 5 +++--
net/netfilter/nf_tables_api.c | 4 +---
net/netfilter/nft_connlimit.c | 11 ++++++++++-
4 files changed, 19 insertions(+), 9 deletions(-)
* [PATCH net 1/5] netfilter: nf_conntrack_netbios_ns: fix helper module alias
From: Pablo Neira Ayuso @ 2022-01-20 12:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Florian Westphal <fw@strlen.de>
The helper gets registered as 'netbios-ns', not netbios_ns.
Intentionally not adding a fixes-tag because I don't want this to go to
stable. This wasn't noticed for a very long time, so no need to risk
regressions.
Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_netbios_ns.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netbios_ns.c b/net/netfilter/nf_conntrack_netbios_ns.c
index 7f19ee259609..55415f011943 100644
--- a/net/netfilter/nf_conntrack_netbios_ns.c
+++ b/net/netfilter/nf_conntrack_netbios_ns.c
@@ -20,13 +20,14 @@
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_expect.h>
+#define HELPER_NAME "netbios-ns"
#define NMBD_PORT 137
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("NetBIOS name service broadcast connection tracking helper");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ip_conntrack_netbios_ns");
-MODULE_ALIAS_NFCT_HELPER("netbios_ns");
+MODULE_ALIAS_NFCT_HELPER(HELPER_NAME);
static unsigned int timeout __read_mostly = 3;
module_param(timeout, uint, 0400);
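Review bot: the `+MODULE_ALIAS_NFCT_HELPER(HELPER_NAME);` line is the one that repairs helper autoloading, since that macro builds the "nfct-helper-<name>" alias request_module() asks for when userspace refers to a helper by its registered name; the unchanged `MODULE_ALIAS("ip_conntrack_netbios_ns");` just above keeps its underscore because it is the legacy ip_conntrack module-name alias, not a helper alias. A one-line comment saying so would stop a later cleanup from "fixing" that alias to a dash as well.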
@@ -44,7 +45,7 @@ static int netbios_ns_help(struct sk_buff *skb, unsigned int protoff,
}
static struct nf_conntrack_helper helper __read_mostly = {
- .name = "netbios-ns",
+ .name = HELPER_NAME,
.tuple.src.l3num = NFPROTO_IPV4,
.tuple.src.u.udp.port = cpu_to_be16(NMBD_PORT),
.tuple.dst.protonum = IPPROTO_UDP,
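Review bot: `.name = HELPER_NAME` and the alias in the previous hunk now come from a single define, which closes the mismatch for good. Since the changelog deliberately carries no Fixes: tag, users on stable kernels will keep needing an explicit modprobe of nf_conntrack_netbios_ns instead of autoload by helper name; that consequence is worth one sentence in the changelog so nobody files it as a new bug.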
--
2.30.2
* [PATCH net 2/5] netfilter: nf_tables: remove unused variable
From: Pablo Neira Ayuso @ 2022-01-20 12:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
> Remove unused variable and fix missing initialization.
>
> >> net/netfilter/nf_tables_api.c:8266:6: warning: variable 'i' set but not used [-Wunused-but-set-variable]
> int i;
> ^
Fixes: 2c865a8a28a1 ("netfilter: nf_tables: add rule blob layout")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 77938b1042f3..1cde8cd0d1a7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8264,14 +8264,12 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha
void *data, *data_boundary;
struct nft_rule_dp *prule;
struct nft_rule *rule;
- int i;
/* already handled or inactive chain? */
if (chain->blob_next || !nft_is_active_next(net, chain))
return 0;
rule = list_entry(&chain->rules, struct nft_rule, list);
- i = 0;
data_size = 0;
list_for_each_entry_continue(rule, &chain->rules, list) {
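Review bot: the changelog says "remove unused variable and fix missing initialization", but this hunk only deletes `int i;` and `i = 0;`; nothing is initialized here, so either drop the second half of that sentence or include the initialization it refers to. The deletion itself is right: in the visible code `i` is written once and never read.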
--
2.30.2
* [PATCH net 3/5] netfilter: nf_tables: set last expression in register tracking area
From: Pablo Neira Ayuso @ 2022-01-20 12:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
nft_rule_for_each_expr() sets last to nft_rule_last(); however, this
comes after the track.last field is set.
Use nft_expr_last() to set track.last accordingly.
Fixes: 12e4ecfa244b ("netfilter: nf_tables: add register tracking infrastructure")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1cde8cd0d1a7..cf454f8ca2b0 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8299,7 +8299,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha
return -ENOMEM;
size = 0;
- track.last = last;
+ track.last = nft_expr_last(rule);
nft_rule_for_each_expr(expr, last, rule) {
track.cur = expr;
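Review bot: `track.last = nft_expr_last(rule);` fixes the use-before-set of `last`, but it leaves two independent sources for the same end-of-rule expression: this line and the `last` that nft_rule_for_each_expr() assigns on the next line. Both must agree for the register tracking to stop at the right expression, so add a short comment stating that, or reuse the iterator's end pointer once it is available, so a later refactor of either side cannot make them drift apart.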
--
2.30.2
* [PATCH net 4/5] netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails
From: Pablo Neira Ayuso @ 2022-01-20 12:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Check if nf_ct_netns_get() fails then release the limit object
previously allocated via kmalloc().
Fixes: 37f319f37d90 ("netfilter: nft_connlimit: move stateful fields out of expression data")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_connlimit.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index 7d00a1452b1d..3362417ebfdb 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -62,6 +62,7 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx,
{
bool invert = false;
u32 flags, limit;
+ int err;
if (!tb[NFTA_CONNLIMIT_COUNT])
return -EINVAL;
@@ -84,7 +85,15 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx,
priv->limit = limit;
priv->invert = invert;
- return nf_ct_netns_get(ctx->net, ctx->family);
+ err = nf_ct_netns_get(ctx->net, ctx->family);
+ if (err < 0)
+ goto err_netns;
+
+ return 0;
+err_netns:
+ kfree(priv->list);
+
+ return err;
}
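Review bot: the err_netns path frees priv->list but leaves the dangling pointer in priv. That is only safe if nft_connlimit_do_destroy() (declared right below) is never run for an expression whose init failed; please confirm that is the contract, or add `priv->list = NULL;` after the kfree() so the question does not matter if the init/destroy rules change later. With a single error site an inline `kfree(priv->list); return err;` would also be shorter than the label, though the goto form matches the surrounding style.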
static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
--
2.30.2
* [PATCH net 5/5] netfilter: conntrack: don't increment invalid counter on NF_REPEAT
From: Pablo Neira Ayuso @ 2022-01-20 12:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Florian Westphal <fw@strlen.de>
The packet isn't invalid, REPEAT means we're trying again after cleaning
out a stale connection, e.g. via tcp tracker.
This caused increases of the invalid stat counter in a test case involving
frequent connection reuse, even though no packet is actually invalid.
Fixes: 56a62e2218f5 ("netfilter: conntrack: fix NF_REPEAT handling")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 894a325d39f2..d6aa5b47031e 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1924,15 +1924,17 @@ nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
pr_debug("nf_conntrack_in: Can't track with proto module\n");
nf_ct_put(ct);
skb->_nfct = 0;
- NF_CT_STAT_INC_ATOMIC(state->net, invalid);
- if (ret == -NF_DROP)
- NF_CT_STAT_INC_ATOMIC(state->net, drop);
/* Special case: TCP tracker reports an attempt to reopen a
* closed/aborted connection. We have to go back and create a
* fresh conntrack.
*/
if (ret == -NF_REPEAT)
goto repeat;
+
+ NF_CT_STAT_INC_ATOMIC(state->net, invalid);
+ if (ret == -NF_DROP)
+ NF_CT_STAT_INC_ATOMIC(state->net, drop);
+
ret = -ret;
goto out;
}
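Review bot: moving the two NF_CT_STAT_INC_ATOMIC() calls below the `if (ret == -NF_REPEAT) goto repeat;` test is the whole fix, and the `nf_ct_put(ct)` / `skb->_nfct = 0` sequence before it is untouched, so a REPEAT still retries with a fresh lookup exactly as before. The existing comment only explains why REPEAT retries; add a line there saying the retry is deliberately not counted as invalid or drop, otherwise the next reader may move the counters back up for symmetry with the debug message. This matters to operators who alert on the invalid column of `conntrack -S` (or /proc/net/stat/nf_conntrack): under heavy connection reuse the old ordering produced false positives with no packet actually being invalid.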
--
2.30.2
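The invalid counter the commit message refers to is exported per CPU in /proc/net/stat/nf_conntrack (the same numbers `conntrack -S` prints). The following is an added example, not part of this series or of the kernel tree: a small userspace C program that parses that file, sums the invalid and drop columns across CPUs, and turns two snapshots into a rate, so an operator can check whether invalid climbs during connection reuse with no matching rise in drop. The embedded sample text is constructed to mimic the file's layout; column names and order are read from the header line at run time rather than hard-coded, since they differ between kernel versions. The file name and the 64 KiB read buffer are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of /proc/net/stat/nf_conntrack as a 5.x kernel
 * prints it: a header line, then one line of %08x counters per CPU. */
static const char sample_stat[] =
    "entries  clashres found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart\n"
    "0000001a  00000000 00000064 00000000 00000002 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000005\n"
    "0000001a  00000000 0000002f 00000000 00000007 00000000 00000000 00000000 00000000 00000000 00000001 00000000 00000000  00000000 00000000 00000000 00000000\n";

#define MAX_COLS 32

struct ct_stat {
    unsigned long long invalid;   /* sum of the "invalid" column over all CPUs */
    unsigned long long drop;      /* sum of the "drop" column over all CPUs */
    int cpus;                     /* number of per-CPU lines seen */
};

/* Split [s, e) on spaces/tabs into at most max tokens (not NUL-terminated). */
static int split_ws(const char *s, const char *e, const char **toks, size_t *lens, int max)
{
    int n = 0;
    while (s < e) {
        while (s < e && (*s == ' ' || *s == '\t')) s++;
        if (s >= e) break;
        const char *t = s;
        while (s < e && *s != ' ' && *s != '\t') s++;
        if (n == max) return -1;
        toks[n] = t; lens[n] = (size_t)(s - t); n++;
    }
    return n;
}

/* Index of header column `want`, or -1 if this kernel does not export it. */
static int find_col(const char **toks, const size_t *lens, int n, const char *want)
{
    size_t wl = strlen(want);
    for (int i = 0; i < n; i++)
        if (lens[i] == wl && memcmp(toks[i], want, wl) == 0)
            return i;
    return -1;
}

/* Parse the text of /proc/net/stat/nf_conntrack. Returns 0 on success,
 * -1 if the header lacks invalid/drop or a data line is malformed. */
int parse_ct_stat(const char *text, struct ct_stat *out)
{
    const char *toks[MAX_COLS];
    size_t lens[MAX_COLS];
    const char *p = text, *nl = strchr(p, '\n');
    if (!nl) return -1;

    int ncols = split_ws(p, nl, toks, lens, MAX_COLS);
    if (ncols <= 0) return -1;
    int inv = find_col(toks, lens, ncols, "invalid");
    int drp = find_col(toks, lens, ncols, "drop");
    if (inv < 0 || drp < 0) return -1;

    memset(out, 0, sizeof(*out));
    for (p = nl + 1; *p; p = *nl ? nl + 1 : nl) {
        nl = strchr(p, '\n');
        if (!nl) nl = p + strlen(p);
        if (nl == p) continue;                      /* blank line */
        int n = split_ws(p, nl, toks, lens, MAX_COLS);
        if (n != ncols) return -1;                  /* column count must match header */
        for (int i = 0; i < n; i++) {
            char *end;
            unsigned long long v = strtoull(toks[i], &end, 16);
            if (end != toks[i] + lens[i]) return -1; /* not a full hex token */
            if (i == inv) out->invalid += v;
            else if (i == drp) out->drop += v;
        }
        out->cpus++;
    }
    return 0;
}

/* Growth of "invalid" between two snapshots taken `secs` apart, per second;
 * negative if the counters went backwards (reset) or secs is not positive. */
double invalid_rate(const struct ct_stat *before, const struct ct_stat *after, double secs)
{
    if (secs <= 0 || after->invalid < before->invalid) return -1.0;
    return (double)(after->invalid - before->invalid) / secs;
}

int main(void)
{
    static char buf[1 << 16];                       /* assumed large enough for the file */
    const char *text = sample_stat;
    FILE *f = fopen("/proc/net/stat/nf_conntrack", "r");
    if (f) {                                        /* fall back to the sample if unreadable */
        size_t n = fread(buf, 1, sizeof(buf) - 1, f);
        fclose(f);
        buf[n] = '\0';
        if (n > 0) text = buf;
    }
    struct ct_stat s;
    if (parse_ct_stat(text, &s) < 0) { fprintf(stderr, "unparseable conntrack stats\n"); return 1; }
    printf("cpus=%d invalid=%llu drop=%llu\n", s.cpus, s.invalid, s.drop);
    return 0;
}
```

Run it twice a few seconds apart while a client reopens connections rapidly (or feed two saved copies of the file to parse_ct_stat() and invalid_rate()): on a kernel without this fix the invalid total rises with every NF_REPEAT retry while drop stays flat; with the fix applied only genuinely invalid packets move the counter.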
* Re: [PATCH net 1/5] netfilter: nf_conntrack_netbios_ns: fix helper module alias
From: patchwork-bot+netdevbpf @ 2022-01-21 6:00 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Thu, 20 Jan 2022 13:52:08 +0100 you wrote:
> From: Florian Westphal <fw@strlen.de>
>
> The helper gets registered as 'netbios-ns', not netbios_ns.
> Intentionally not adding a fixes-tag because I don't want this to go to
> stable. This wasn't noticed for a very long time, so no need to risk
> regressions.
>
> [...]
Here is the summary with links:
- [net,1/5] netfilter: nf_conntrack_netbios_ns: fix helper module alias
https://git.kernel.org/netdev/net/c/0e906607b9c5
- [net,2/5] netfilter: nf_tables: remove unused variable
https://git.kernel.org/netdev/net/c/cf46eacbc156
- [net,3/5] netfilter: nf_tables: set last expression in register tracking area
https://git.kernel.org/netdev/net/c/fe75e84a8fe1
- [net,4/5] netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails
https://git.kernel.org/netdev/net/c/7d70984a1ad4
- [net,5/5] netfilter: conntrack: don't increment invalid counter on NF_REPEAT
https://git.kernel.org/netdev/net/c/830af2eba403
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html