Netfilter-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/5] Netfilter fixes for net
@ 2015-08-10 17:58 Pablo Neira Ayuso
  2015-08-10 17:58 ` [PATCH 1/5] netfilter: nf_conntrack: silence warning on falling back to vmalloc() Pablo Neira Ayuso
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains five Netfilter fixes for your net tree,
they are:

1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
   easily hit this warning message, that gets users confused. So let's get rid
   of it.

2) Recently when porting the template object allocation on top of kmalloc to
   fix the netns dependencies between x_tables and conntrack, the error
   checks where left unchanged. Remove IS_ERR() and check for NULL instead.
   Patch from Dan Carpenter.

3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
   Joe Stringer.

4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
   Phil Sutter.

5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
   not adjusted through our NAT infrastructure, as a result the client may
   ignore this TCP packet and TCP flow hangs until the client probes us.  Also
   from Phil Sutter.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 15f1bb1f1e067be7088ed43ef23d59629bd24348:

  qlcnic: Fix corruption while copying (2015-07-29 23:57:26 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to 3c16241c445303a90529565e7437e1f240acfef2:

  netfilter: SYNPROXY: fix sending window update to client (2015-08-10 13:55:07 +0200)

----------------------------------------------------------------
Dan Carpenter (1):
      netfilter: nf_conntrack: checking for IS_ERR() instead of NULL

Joe Stringer (1):
      netfilter: conntrack: Use flags in nf_ct_tmpl_alloc()

Pablo Neira Ayuso (1):
      netfilter: nf_conntrack: silence warning on falling back to vmalloc()

Phil Sutter (2):
      netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
      netfilter: SYNPROXY: fix sending window update to client

 net/ipv4/netfilter/ipt_SYNPROXY.c  |    3 ++-
 net/ipv6/netfilter/ip6t_SYNPROXY.c |   19 +++++++++++--------
 net/netfilter/nf_conntrack_core.c  |    8 +++-----
 net/netfilter/nf_synproxy_core.c   |    4 +---
 net/netfilter/xt_CT.c              |    5 +++--
 5 files changed, 20 insertions(+), 19 deletions(-)

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 1/5] netfilter: nf_conntrack: silence warning on falling back to vmalloc()
  2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
  2015-08-10 17:58 ` [PATCH 2/5] netfilter: nf_conntrack: checking for IS_ERR() instead of NULL Pablo Neira Ayuso
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Since 88eab472ec21 ("netfilter: conntrack: adjust nf_conntrack_buckets default
value"), the hashtable can easily hit this warning. We got reports from users
that are getting this message in a quite spamming fashion, so better silence
this.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_core.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 651039a..f168099 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1544,10 +1544,8 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
 	sz = nr_slots * sizeof(struct hlist_nulls_head);
 	hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,
 					get_order(sz));
-	if (!hash) {
-		printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
+	if (!hash)
 		hash = vzalloc(sz);
-	}
 
 	if (hash && nulls)
 		for (i = 0; i < nr_slots; i++)
-- 
1.7.10.4

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 2/5] netfilter: nf_conntrack: checking for IS_ERR() instead of NULL
  2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
  2015-08-10 17:58 ` [PATCH 1/5] netfilter: nf_conntrack: silence warning on falling back to vmalloc() Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
  2015-08-10 17:58 ` [PATCH 3/5] netfilter: conntrack: Use flags in nf_ct_tmpl_alloc() Pablo Neira Ayuso
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Dan Carpenter <dan.carpenter@oracle.com>

We recently changed this from nf_conntrack_alloc() to nf_ct_tmpl_alloc()
so the error handling needs to changed to check for NULL instead of
IS_ERR().

Fixes: 0838aa7fcfcd ('netfilter: fix netns dependencies with conntrack templates')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_synproxy_core.c |    4 +---
 net/netfilter/xt_CT.c            |    5 +++--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 71f1e9f..d7f1685 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -353,10 +353,8 @@ static int __net_init synproxy_net_init(struct net *net)
 	int err = -ENOMEM;
 
 	ct = nf_ct_tmpl_alloc(net, 0, GFP_KERNEL);
-	if (IS_ERR(ct)) {
-		err = PTR_ERR(ct);
+	if (!ct)
 		goto err1;
-	}
 
 	if (!nfct_seqadj_ext_add(ct))
 		goto err2;
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index c663003..43ddeee 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -202,9 +202,10 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
 		goto err1;
 
 	ct = nf_ct_tmpl_alloc(par->net, info->zone, GFP_KERNEL);
-	ret = PTR_ERR(ct);
-	if (IS_ERR(ct))
+	if (!ct) {
+		ret = -ENOMEM;
 		goto err2;
+	}
 
 	ret = 0;
 	if ((info->ct_events || info->exp_events) &&
-- 
1.7.10.4

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 3/5] netfilter: conntrack: Use flags in nf_ct_tmpl_alloc()
  2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
  2015-08-10 17:58 ` [PATCH 1/5] netfilter: nf_conntrack: silence warning on falling back to vmalloc() Pablo Neira Ayuso
  2015-08-10 17:58 ` [PATCH 2/5] netfilter: nf_conntrack: checking for IS_ERR() instead of NULL Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
  2015-08-10 17:58 ` [PATCH 4/5] netfilter: ip6t_SYNPROXY: fix NULL pointer dereference Pablo Neira Ayuso
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Joe Stringer <joestringer@nicira.com>

The flags were ignored for this function when it was introduced. Also
fix the style problem in kzalloc.

Fixes: 0838aa7fc (netfilter: fix netns dependencies with conntrack
templates)
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_core.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index f168099..3c20d02 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -292,7 +292,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags)
 {
 	struct nf_conn *tmpl;
 
-	tmpl = kzalloc(sizeof(struct nf_conn), GFP_KERNEL);
+	tmpl = kzalloc(sizeof(*tmpl), flags);
 	if (tmpl == NULL)
 		return NULL;
 
@@ -303,7 +303,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags)
 	if (zone) {
 		struct nf_conntrack_zone *nf_ct_zone;
 
-		nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, GFP_ATOMIC);
+		nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, flags);
 		if (!nf_ct_zone)
 			goto out_free;
 		nf_ct_zone->id = zone;
-- 
1.7.10.4


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 4/5] netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
  2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
                   ` (2 preceding siblings ...)
  2015-08-10 17:58 ` [PATCH 3/5] netfilter: conntrack: Use flags in nf_ct_tmpl_alloc() Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
  2015-08-10 17:58 ` [PATCH 5/5] netfilter: SYNPROXY: fix sending window update to client Pablo Neira Ayuso
  2015-08-11  4:08 ` [PATCH 0/5] Netfilter fixes for net David Miller
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Phil Sutter <phil@nwl.cc>

This happens when networking namespaces are enabled.

Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/ip6t_SYNPROXY.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 6edb7b1..bcebc24 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -37,12 +37,13 @@ synproxy_build_ip(struct sk_buff *skb, const struct in6_addr *saddr,
 }
 
 static void
-synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb,
+synproxy_send_tcp(const struct synproxy_net *snet,
+		  const struct sk_buff *skb, struct sk_buff *nskb,
 		  struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
 		  struct ipv6hdr *niph, struct tcphdr *nth,
 		  unsigned int tcp_hdr_size)
 {
-	struct net *net = nf_ct_net((struct nf_conn *)nfct);
+	struct net *net = nf_ct_net(snet->tmpl);
 	struct dst_entry *dst;
 	struct flowi6 fl6;
 
@@ -83,7 +84,8 @@ free_nskb:
 }
 
 static void
-synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
+synproxy_send_client_synack(const struct synproxy_net *snet,
+			    const struct sk_buff *skb, const struct tcphdr *th,
 			    const struct synproxy_options *opts)
 {
 	struct sk_buff *nskb;
@@ -119,7 +121,7 @@ synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
 
 	synproxy_build_options(nth, opts);
 
-	synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+	synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
 			  niph, nth, tcp_hdr_size);
 }
 
@@ -163,7 +165,7 @@ synproxy_send_server_syn(const struct synproxy_net *snet,
 
 	synproxy_build_options(nth, opts);
 
-	synproxy_send_tcp(skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
+	synproxy_send_tcp(snet, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
 			  niph, nth, tcp_hdr_size);
 }
 
@@ -203,7 +205,7 @@ synproxy_send_server_ack(const struct synproxy_net *snet,
 
 	synproxy_build_options(nth, opts);
 
-	synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+	synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
 }
 
 static void
@@ -241,7 +243,7 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
 
 	synproxy_build_options(nth, opts);
 
-	synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+	synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
 }
 
 static bool
@@ -301,7 +303,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 					  XT_SYNPROXY_OPT_SACK_PERM |
 					  XT_SYNPROXY_OPT_ECN);
 
-		synproxy_send_client_synack(skb, th, &opts);
+		synproxy_send_client_synack(snet, skb, th, &opts);
 		return NF_DROP;
 
 	} else if (th->ack && !(th->fin || th->rst || th->syn)) {
-- 
1.7.10.4

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 5/5] netfilter: SYNPROXY: fix sending window update to client
  2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
                   ` (3 preceding siblings ...)
  2015-08-10 17:58 ` [PATCH 4/5] netfilter: ip6t_SYNPROXY: fix NULL pointer dereference Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
  2015-08-11  4:08 ` [PATCH 0/5] Netfilter fixes for net David Miller
  5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Phil Sutter <phil@nwl.cc>

Upon receipt of SYNACK from the server, ipt_SYNPROXY first sends back an ACK to
finish the server handshake, then calls nf_ct_seqadj_init() to initiate
sequence number adjustment of forwarded packets to the client and finally sends
a window update to the client to unblock it's TX queue.

Since synproxy_send_client_ack() does not set synproxy_send_tcp()'s nfct
parameter, no sequence number adjustment happens and the client receives the
window update with incorrect sequence number. Depending on client TCP
implementation, this leads to a significant delay (until a window probe is
being sent).

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/ipt_SYNPROXY.c  |    3 ++-
 net/ipv6/netfilter/ip6t_SYNPROXY.c |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index fe8cc18..95ea633e 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -226,7 +226,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
 
 	synproxy_build_options(nth, opts);
 
-	synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+	synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+	                  niph, nth, tcp_hdr_size);
 }
 
 static bool
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index bcebc24..ebbb754 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -243,7 +243,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
 
 	synproxy_build_options(nth, opts);
 
-	synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+	synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+	                  niph, nth, tcp_hdr_size);
 }
 
 static bool
-- 
1.7.10.4


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 0/5] Netfilter fixes for net
  2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
                   ` (4 preceding siblings ...)
  2015-08-10 17:58 ` [PATCH 5/5] netfilter: SYNPROXY: fix sending window update to client Pablo Neira Ayuso
@ 2015-08-11  4:08 ` David Miller
  5 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2015-08-11  4:08 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 10 Aug 2015 19:58:34 +0200

> The following patchset contains five Netfilter fixes for your net tree,
> they are:
> 
> 1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
>    easily hit this warning message, that gets users confused. So let's get rid
>    of it.
> 
> 2) Recently when porting the template object allocation on top of kmalloc to
>    fix the netns dependencies between x_tables and conntrack, the error
>    checks where left unchanged. Remove IS_ERR() and check for NULL instead.
>    Patch from Dan Carpenter.
> 
> 3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
>    Joe Stringer.
> 
> 4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
>    Phil Sutter.
> 
> 5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
>    not adjusted through our NAT infrastructure, as a result the client may
>    ignore this TCP packet and TCP flow hangs until the client probes us.  Also
>    from Phil Sutter.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 1/5] netfilter: nf_conntrack: silence warning on falling back to vmalloc() Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 2/5] netfilter: nf_conntrack: checking for IS_ERR() instead of NULL Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 3/5] netfilter: conntrack: Use flags in nf_ct_tmpl_alloc() Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 4/5] netfilter: ip6t_SYNPROXY: fix NULL pointer dereference Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 5/5] netfilter: SYNPROXY: fix sending window update to client Pablo Neira Ayuso
2015-08-11  4:08 ` [PATCH 0/5] Netfilter fixes for net David Miller

Netfilter-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netfilter-devel/0 netfilter-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netfilter-devel netfilter-devel/ https://lore.kernel.org/netfilter-devel \
		netfilter-devel@vger.kernel.org
	public-inbox-index netfilter-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netfilter-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git