* [PATCH 1/5] netfilter: nf_conntrack: silence warning on falling back to vmalloc()
2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 2/5] netfilter: nf_conntrack: checking for IS_ERR() instead of NULL Pablo Neira Ayuso
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Since 88eab472ec21 ("netfilter: conntrack: adjust nf_conntrack_buckets default
value"), the hashtable can easily hit this warning. We got reports from users
that are getting this message in a quite spamming fashion, so better silence
this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_core.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 651039a..f168099 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1544,10 +1544,8 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
sz = nr_slots * sizeof(struct hlist_nulls_head);
hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,
get_order(sz));
- if (!hash) {
- printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
+ if (!hash)
hash = vzalloc(sz);
- }
if (hash && nulls)
for (i = 0; i < nr_slots; i++)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/5] netfilter: nf_conntrack: checking for IS_ERR() instead of NULL
2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 1/5] netfilter: nf_conntrack: silence warning on falling back to vmalloc() Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 3/5] netfilter: conntrack: Use flags in nf_ct_tmpl_alloc() Pablo Neira Ayuso
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Dan Carpenter <dan.carpenter@oracle.com>
We recently changed this from nf_conntrack_alloc() to nf_ct_tmpl_alloc()
so the error handling needs to changed to check for NULL instead of
IS_ERR().
Fixes: 0838aa7fcfcd ('netfilter: fix netns dependencies with conntrack templates')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_synproxy_core.c | 4 +---
net/netfilter/xt_CT.c | 5 +++--
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 71f1e9f..d7f1685 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -353,10 +353,8 @@ static int __net_init synproxy_net_init(struct net *net)
int err = -ENOMEM;
ct = nf_ct_tmpl_alloc(net, 0, GFP_KERNEL);
- if (IS_ERR(ct)) {
- err = PTR_ERR(ct);
+ if (!ct)
goto err1;
- }
if (!nfct_seqadj_ext_add(ct))
goto err2;
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index c663003..43ddeee 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -202,9 +202,10 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
goto err1;
ct = nf_ct_tmpl_alloc(par->net, info->zone, GFP_KERNEL);
- ret = PTR_ERR(ct);
- if (IS_ERR(ct))
+ if (!ct) {
+ ret = -ENOMEM;
goto err2;
+ }
ret = 0;
if ((info->ct_events || info->exp_events) &&
--
1.7.10.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/5] netfilter: conntrack: Use flags in nf_ct_tmpl_alloc()
2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 1/5] netfilter: nf_conntrack: silence warning on falling back to vmalloc() Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 2/5] netfilter: nf_conntrack: checking for IS_ERR() instead of NULL Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 4/5] netfilter: ip6t_SYNPROXY: fix NULL pointer dereference Pablo Neira Ayuso
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Joe Stringer <joestringer@nicira.com>
The flags were ignored for this function when it was introduced. Also
fix the style problem in kzalloc.
Fixes: 0838aa7fc (netfilter: fix netns dependencies with conntrack
templates)
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index f168099..3c20d02 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -292,7 +292,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags)
{
struct nf_conn *tmpl;
- tmpl = kzalloc(sizeof(struct nf_conn), GFP_KERNEL);
+ tmpl = kzalloc(sizeof(*tmpl), flags);
if (tmpl == NULL)
return NULL;
@@ -303,7 +303,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags)
if (zone) {
struct nf_conntrack_zone *nf_ct_zone;
- nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, GFP_ATOMIC);
+ nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, flags);
if (!nf_ct_zone)
goto out_free;
nf_ct_zone->id = zone;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 4/5] netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2015-08-10 17:58 ` [PATCH 3/5] netfilter: conntrack: Use flags in nf_ct_tmpl_alloc() Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
2015-08-10 17:58 ` [PATCH 5/5] netfilter: SYNPROXY: fix sending window update to client Pablo Neira Ayuso
2015-08-11 4:08 ` [PATCH 0/5] Netfilter fixes for net David Miller
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Phil Sutter <phil@nwl.cc>
This happens when networking namespaces are enabled.
Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv6/netfilter/ip6t_SYNPROXY.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 6edb7b1..bcebc24 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -37,12 +37,13 @@ synproxy_build_ip(struct sk_buff *skb, const struct in6_addr *saddr,
}
static void
-synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb,
+synproxy_send_tcp(const struct synproxy_net *snet,
+ const struct sk_buff *skb, struct sk_buff *nskb,
struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
struct ipv6hdr *niph, struct tcphdr *nth,
unsigned int tcp_hdr_size)
{
- struct net *net = nf_ct_net((struct nf_conn *)nfct);
+ struct net *net = nf_ct_net(snet->tmpl);
struct dst_entry *dst;
struct flowi6 fl6;
@@ -83,7 +84,8 @@ free_nskb:
}
static void
-synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
+synproxy_send_client_synack(const struct synproxy_net *snet,
+ const struct sk_buff *skb, const struct tcphdr *th,
const struct synproxy_options *opts)
{
struct sk_buff *nskb;
@@ -119,7 +121,7 @@ synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
synproxy_build_options(nth, opts);
- synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+ synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
niph, nth, tcp_hdr_size);
}
@@ -163,7 +165,7 @@ synproxy_send_server_syn(const struct synproxy_net *snet,
synproxy_build_options(nth, opts);
- synproxy_send_tcp(skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
+ synproxy_send_tcp(snet, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
niph, nth, tcp_hdr_size);
}
@@ -203,7 +205,7 @@ synproxy_send_server_ack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts);
- synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+ synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
}
static void
@@ -241,7 +243,7 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts);
- synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+ synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
}
static bool
@@ -301,7 +303,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
XT_SYNPROXY_OPT_SACK_PERM |
XT_SYNPROXY_OPT_ECN);
- synproxy_send_client_synack(skb, th, &opts);
+ synproxy_send_client_synack(snet, skb, th, &opts);
return NF_DROP;
} else if (th->ack && !(th->fin || th->rst || th->syn)) {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 5/5] netfilter: SYNPROXY: fix sending window update to client
2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2015-08-10 17:58 ` [PATCH 4/5] netfilter: ip6t_SYNPROXY: fix NULL pointer dereference Pablo Neira Ayuso
@ 2015-08-10 17:58 ` Pablo Neira Ayuso
2015-08-11 4:08 ` [PATCH 0/5] Netfilter fixes for net David Miller
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Phil Sutter <phil@nwl.cc>
Upon receipt of SYNACK from the server, ipt_SYNPROXY first sends back an ACK to
finish the server handshake, then calls nf_ct_seqadj_init() to initiate
sequence number adjustment of forwarded packets to the client and finally sends
a window update to the client to unblock it's TX queue.
Since synproxy_send_client_ack() does not set synproxy_send_tcp()'s nfct
parameter, no sequence number adjustment happens and the client receives the
window update with incorrect sequence number. Depending on client TCP
implementation, this leads to a significant delay (until a window probe is
being sent).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/ipt_SYNPROXY.c | 3 ++-
net/ipv6/netfilter/ip6t_SYNPROXY.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index fe8cc18..95ea633e 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -226,7 +226,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts);
- synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+ synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+ niph, nth, tcp_hdr_size);
}
static bool
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index bcebc24..ebbb754 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -243,7 +243,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts);
- synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+ synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+ niph, nth, tcp_hdr_size);
}
static bool
--
1.7.10.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2015-08-10 17:58 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2015-08-10 17:58 ` [PATCH 5/5] netfilter: SYNPROXY: fix sending window update to client Pablo Neira Ayuso
@ 2015-08-11 4:08 ` David Miller
5 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2015-08-11 4:08 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 10 Aug 2015 19:58:34 +0200
> The following patchset contains five Netfilter fixes for your net tree,
> they are:
>
> 1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
> easily hit this warning message, that gets users confused. So let's get rid
> of it.
>
> 2) Recently when porting the template object allocation on top of kmalloc to
> fix the netns dependencies between x_tables and conntrack, the error
> checks where left unchanged. Remove IS_ERR() and check for NULL instead.
> Patch from Dan Carpenter.
>
> 3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
> Joe Stringer.
>
> 4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
> Phil Sutter.
>
> 5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
> not adjusted through our NAT infrastructure, as a result the client may
> ignore this TCP packet and TCP flow hangs until the client probes us. Also
> from Phil Sutter.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 7+ messages in thread