* [PATCH 1/6] netfilter: ctnetlink: don't add null bindings if no nat requested
2014-05-09 10:56 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
@ 2014-05-09 10:56 ` Pablo Neira Ayuso
2014-05-09 10:56 ` [PATCH 2/6] netfilter: ipv4: defrag: set local_df flag on defragmented skb Pablo Neira Ayuso
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-09 10:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
commit 0eba801b64cc8284d9024c7ece30415a2b981a72 tried to fix a race
where nat initialisation can happen after ctnetlink-created conntrack
has been created.
However, it causes the nat module(s) to be loaded needlessly on
systems that are not using NAT.
Fortunately, we do not have to create null bindings in that case.
conntracks injected via ctnetlink always have the CONFIRMED bit set,
which prevents addition of the nat extension in nf_nat_ipv4/6_fn().
We only need to make sure that either no nat extension is added
or that we've created both src and dst manips.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index ccc46fa..5857963 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1336,6 +1336,9 @@ ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
#ifdef CONFIG_NF_NAT_NEEDED
int ret;
+ if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
+ return 0;
+
ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
cda[CTA_NAT_DST]);
if (ret < 0)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/6] netfilter: ipv4: defrag: set local_df flag on defragmented skb
2014-05-09 10:56 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
2014-05-09 10:56 ` [PATCH 1/6] netfilter: ctnetlink: don't add null bindings if no nat requested Pablo Neira Ayuso
@ 2014-05-09 10:56 ` Pablo Neira Ayuso
2014-05-09 10:56 ` [PATCH 3/6] netfilter: nfnetlink: Fix use after free when it fails to process batch Pablo Neira Ayuso
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-09 10:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
else we may fail to forward skb even if original fragments do fit
outgoing link mtu:
1. remote sends 2k packets in two 1000 byte frags, DF set
2. we want to forward but only see '2k > mtu and DF set'
3. we then send icmp error saying that outgoing link is 1500
But original sender never sent a packet that would not fit
the outgoing link.
Setting local_df makes outgoing path test size vs.
IPCB(skb)->frag_max_size, so we will still send the correct
error in case the largest original size did not fit
outgoing link mtu.
Reported-by: Maxime Bizon <mbizon@freebox.fr>
Suggested-by: Maxime Bizon <mbizon@freebox.fr>
Fixes: 5f2d04f1f9 (ipv4: fix path MTU discovery with connection tracking)
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/nf_defrag_ipv4.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index 12e13bd..f40f321 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -22,7 +22,6 @@
#endif
#include <net/netfilter/nf_conntrack_zones.h>
-/* Returns new sk_buff, or NULL */
static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
{
int err;
@@ -33,8 +32,10 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
err = ip_defrag(skb, user);
local_bh_enable();
- if (!err)
+ if (!err) {
ip_send_check(ip_hdr(skb));
+ skb->local_df = 1;
+ }
return err;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 3/6] netfilter: nfnetlink: Fix use after free when it fails to process batch
2014-05-09 10:56 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
2014-05-09 10:56 ` [PATCH 1/6] netfilter: ctnetlink: don't add null bindings if no nat requested Pablo Neira Ayuso
2014-05-09 10:56 ` [PATCH 2/6] netfilter: ipv4: defrag: set local_df flag on defragmented skb Pablo Neira Ayuso
@ 2014-05-09 10:56 ` Pablo Neira Ayuso
2014-05-09 10:56 ` [PATCH 4/6] ipv4: fix "conntrack zones" support for defrag user check in ip_expire Pablo Neira Ayuso
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-09 10:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
This bug manifests when calling the nft command line tool without
nf_tables kernel support.
kernel message:
[ 44.071555] Netfilter messages via NETLINK v0.30.
[ 44.072253] BUG: unable to handle kernel NULL pointer dereference at 0000000000000119
[ 44.072264] IP: [<ffffffff8171db1f>] netlink_getsockbyportid+0xf/0x70
[ 44.072272] PGD 7f2b74067 PUD 7f2b73067 PMD 0
[ 44.072277] Oops: 0000 [#1] SMP
[...]
[ 44.072369] Call Trace:
[ 44.072373] [<ffffffff8171fd81>] netlink_unicast+0x91/0x200
[ 44.072377] [<ffffffff817206c9>] netlink_ack+0x99/0x110
[ 44.072381] [<ffffffffa004b951>] nfnetlink_rcv+0x3c1/0x408 [nfnetlink]
[ 44.072385] [<ffffffff8171fde3>] netlink_unicast+0xf3/0x200
[ 44.072389] [<ffffffff817201ef>] netlink_sendmsg+0x2ff/0x740
[ 44.072394] [<ffffffff81044752>] ? __mmdrop+0x62/0x90
[ 44.072398] [<ffffffff816dafdb>] sock_sendmsg+0x8b/0xc0
[ 44.072403] [<ffffffff812f1af5>] ? copy_user_enhanced_fast_string+0x5/0x10
[ 44.072406] [<ffffffff816dbb6c>] ? move_addr_to_kernel+0x2c/0x50
[ 44.072410] [<ffffffff816db423>] ___sys_sendmsg+0x3c3/0x3d0
[ 44.072415] [<ffffffff811301ba>] ? handle_mm_fault+0xa9a/0xc60
[ 44.072420] [<ffffffff811362d6>] ? mmap_region+0x166/0x5a0
[ 44.072424] [<ffffffff817da84c>] ? __do_page_fault+0x1dc/0x510
[ 44.072428] [<ffffffff812b8b2c>] ? apparmor_capable+0x1c/0x60
[ 44.072435] [<ffffffff817d6e9a>] ? _raw_spin_unlock_bh+0x1a/0x20
[ 44.072439] [<ffffffff816dfc86>] ? release_sock+0x106/0x150
[ 44.072443] [<ffffffff816dc212>] __sys_sendmsg+0x42/0x80
[ 44.072446] [<ffffffff816dc262>] SyS_sendmsg+0x12/0x20
[ 44.072450] [<ffffffff817df616>] system_call_fastpath+0x1a/0x1f
Signed-off-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index e009087..23ef77c 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -256,15 +256,15 @@ replay:
#endif
{
nfnl_unlock(subsys_id);
- kfree_skb(nskb);
- return netlink_ack(skb, nlh, -EOPNOTSUPP);
+ netlink_ack(skb, nlh, -EOPNOTSUPP);
+ return kfree_skb(nskb);
}
}
if (!ss->commit || !ss->abort) {
nfnl_unlock(subsys_id);
- kfree_skb(nskb);
- return netlink_ack(skb, nlh, -EOPNOTSUPP);
+ netlink_ack(skb, nlh, -EOPNOTSUPP);
+ return kfree_skb(skb);
}
while (skb->len >= nlmsg_total_size(0)) {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 4/6] ipv4: fix "conntrack zones" support for defrag user check in ip_expire
2014-05-09 10:56 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2014-05-09 10:56 ` [PATCH 3/6] netfilter: nfnetlink: Fix use after free when it fails to process batch Pablo Neira Ayuso
@ 2014-05-09 10:56 ` Pablo Neira Ayuso
2014-05-09 10:56 ` [PATCH 5/6] bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit Pablo Neira Ayuso
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-09 10:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Vasily Averin <vvs@parallels.com>
Defrag user check in ip_expire was not updated after adding support for
"conntrack zones".
This bug manifests as a RFC violation, since the router will send
the icmp time exceeeded message when using conntrack zones.
Signed-off-by: Vasily Averin <vvs@openvz.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/ip_fragment.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index c10a3ce..ed32313 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg)
* "Fragment Reassembly Timeout" message, per RFC792.
*/
if (qp->user == IP_DEFRAG_AF_PACKET ||
- (qp->user == IP_DEFRAG_CONNTRACK_IN &&
- skb_rtable(head)->rt_type != RTN_LOCAL))
+ ((qp->user >= IP_DEFRAG_CONNTRACK_IN) &&
+ (qp->user <= __IP_DEFRAG_CONNTRACK_IN_END) &&
+ (skb_rtable(head)->rt_type != RTN_LOCAL)))
goto out_rcu_unlock;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 5/6] bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit
2014-05-09 10:56 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2014-05-09 10:56 ` [PATCH 4/6] ipv4: fix "conntrack zones" support for defrag user check in ip_expire Pablo Neira Ayuso
@ 2014-05-09 10:56 ` Pablo Neira Ayuso
2014-05-09 10:56 ` [PATCH 6/6] netfilter: Fix potential use after free in ip6_route_me_harder() Pablo Neira Ayuso
2014-05-09 17:17 ` [PATCH 0/6] Netfilter fixes for net David Miller
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-09 10:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Vasily Averin <vvs@parallels.com>
Currently bridge can silently drop ipv4 fragments.
If node have loaded nf_defrag_ipv4 module but have no nf_conntrack_ipv4,
br_nf_pre_routing defragments incoming ipv4 fragments
but nfct check in br_nf_dev_queue_xmit does not allow re-fragment combined
packet back, and therefore it is dropped in br_dev_queue_push_xmit without
incrementing of any failcounters
It seems the only way to hit the ip_fragment code in the bridge xmit
path is to have a fragment list whose reassembled fragments go over
the mtu. This only happens if nf_defrag is enabled. Thanks to
Florian Westphal for providing feedback to clarify this.
Defragmentation ipv4 is required not only in conntracks but at least in
TPROXY target and socket match, therefore #ifdef is changed from
NF_CONNTRACK_IPV4 to NF_DEFRAG_IPV4
Signed-off-by: Vasily Averin <vvs@openvz.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/bridge/br_netfilter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 80e1b0f..2acf7fa 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -859,12 +859,12 @@ static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
return NF_STOLEN;
}
-#if IS_ENABLED(CONFIG_NF_CONNTRACK_IPV4)
+#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)
static int br_nf_dev_queue_xmit(struct sk_buff *skb)
{
int ret;
- if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
+ if (skb->protocol == htons(ETH_P_IP) &&
skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
!skb_is_gso(skb)) {
if (br_parse_ip_options(skb))
--
1.7.10.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 6/6] netfilter: Fix potential use after free in ip6_route_me_harder()
2014-05-09 10:56 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2014-05-09 10:56 ` [PATCH 5/6] bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit Pablo Neira Ayuso
@ 2014-05-09 10:56 ` Pablo Neira Ayuso
2014-05-09 17:17 ` [PATCH 0/6] Netfilter fixes for net David Miller
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-09 10:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ru>
Dst is released one line before we access it again with dst->error.
Fixes: 58e35d147128 netfilter: ipv6: propagate routing errors from
ip6_route_me_harder()
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv6/netfilter.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 95f3f1d..d38e6a8 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -30,13 +30,15 @@ int ip6_route_me_harder(struct sk_buff *skb)
.daddr = iph->daddr,
.saddr = iph->saddr,
};
+ int err;
dst = ip6_route_output(net, skb->sk, &fl6);
- if (dst->error) {
+ err = dst->error;
+ if (err) {
IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
dst_release(dst);
- return dst->error;
+ return err;
}
/* Drop old route. */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2014-05-09 10:56 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (5 preceding siblings ...)
2014-05-09 10:56 ` [PATCH 6/6] netfilter: Fix potential use after free in ip6_route_me_harder() Pablo Neira Ayuso
@ 2014-05-09 17:17 ` David Miller
6 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2014-05-09 17:17 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 9 May 2014 12:56:01 +0200
> The following batch contains netfilter fixes for your net tree, they are:
>
> 1) Fix use after free in nfnetlink when sending a batch for some
> unsupported subsystem, from Denys Fedoryshchenko.
>
> 2) Skip autoload of the nat module if no binding is specified via
> ctnetlink, from Florian Westphal.
>
> 3) Set local_df after netfilter defragmentation to avoid a bogus ICMP
> fragmentation needed in the forwarding path, also from Florian.
>
> 4) Fix potential user after free in ip6_route_me_harder() when returning
> the error code to the upper layers, from Sergey Popovich.
>
> 5) Skip possible bogus ICMP time exceeded emitted from the router (not
> valid according to RFC) if conntrack zones are used, from Vasily Averin.
>
> 6) Fix fragment handling when nf_defrag_ipv4 is loaded but nf_conntrack
> is not present, also from Vasily.
Pulled, thanks a lot Pablo.
^ permalink raw reply [flat|nested] 8+ messages in thread