* [PATCH 0/6] Netfilter fixes for net
@ 2017-02-27 11:35 Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 1/6] netfilter: nft_ct: fix random validation errors for zone set support Pablo Neira Ayuso
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-27 11:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains netfilter fixes for you net tree,
they are:
1) Missing ct zone size in the nft_ct initialization path, patch
from Florian Westphal.
2) Two patches for netfilter uapi headers, one to remove unnecessary
sysctl.h inclusion and another to fix compilation of xt_hashlimit.h
in userspace, from Dmitry V. Levin.
3) Patch to fix a sloppy change in nf_ct_expect that incorrectly
simplified nf_ct_expect_related_report() in the previous nf-next
batch. This also includes another patch for __nf_ct_expect_check()
to report success by returning 0 to keep it consistent with other
existing functions. From Jarno Rajahalme.
4) The ->walk() iterator of the new bitmap set type goes over the real
bitmap size, this results in incorrect dumps when NFTA_SET_USERDATA
is used.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 9c4713701c01e4cef6e2315c2818abc919ffb0de:
bpf: Fix bpf_xdp_event_output (2017-02-23 13:53:42 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 13aa5a8f498dacd5f1a8e35be72af47e630fb8c6:
netfilter: nft_set_bitmap: incorrect bitmap size (2017-02-26 21:00:19 +0100)
----------------------------------------------------------------
Dmitry V. Levin (2):
uapi: stop including linux/sysctl.h in uapi/linux/netfilter.h
uapi: fix linux/netfilter/xt_hashlimit.h userspace compilation error
Florian Westphal (1):
netfilter: nft_ct: fix random validation errors for zone set support
Jarno Rajahalme (2):
netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success.
netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
Pablo Neira Ayuso (1):
netfilter: nft_set_bitmap: incorrect bitmap size
include/uapi/linux/netfilter.h | 1 -
include/uapi/linux/netfilter/xt_hashlimit.h | 1 +
net/netfilter/nf_conntrack_expect.c | 6 +++---
net/netfilter/nft_ct.c | 1 +
net/netfilter/nft_set_bitmap.c | 2 +-
5 files changed, 6 insertions(+), 5 deletions(-)
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 1/6] netfilter: nft_ct: fix random validation errors for zone set support
2017-02-27 11:35 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
@ 2017-02-27 11:35 ` Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 2/6] uapi: stop including linux/sysctl.h in uapi/linux/netfilter.h Pablo Neira Ayuso
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-27 11:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
Dan reports:
net/netfilter/nft_ct.c:549 nft_ct_set_init()
error: uninitialized symbol 'len'.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: edee4f1e924582 ("netfilter: nft_ct: add zone id set support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_ct.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index c6b8022c0e47..bf548a7a71ec 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -528,6 +528,7 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
if (!nft_ct_tmpl_alloc_pcpu())
return -ENOMEM;
nft_ct_pcpu_template_refcnt++;
+ len = sizeof(u16);
break;
#endif
default:
--
2.1.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/6] uapi: stop including linux/sysctl.h in uapi/linux/netfilter.h
2017-02-27 11:35 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 1/6] netfilter: nft_ct: fix random validation errors for zone set support Pablo Neira Ayuso
@ 2017-02-27 11:35 ` Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 3/6] uapi: fix linux/netfilter/xt_hashlimit.h userspace compilation error Pablo Neira Ayuso
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-27 11:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: "Dmitry V. Levin" <ldv@altlinux.org>
linux/netfilter.h is the last uapi header file that includes
linux/sysctl.h but it does not depend on definitions provided
by this essentially dead header file.
Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/uapi/linux/netfilter.h b/include/uapi/linux/netfilter.h
index 7550e9176a54..c111a91adcc0 100644
--- a/include/uapi/linux/netfilter.h
+++ b/include/uapi/linux/netfilter.h
@@ -3,7 +3,6 @@
#include <linux/types.h>
#include <linux/compiler.h>
-#include <linux/sysctl.h>
#include <linux/in.h>
#include <linux/in6.h>
--
2.1.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 3/6] uapi: fix linux/netfilter/xt_hashlimit.h userspace compilation error
2017-02-27 11:35 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 1/6] netfilter: nft_ct: fix random validation errors for zone set support Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 2/6] uapi: stop including linux/sysctl.h in uapi/linux/netfilter.h Pablo Neira Ayuso
@ 2017-02-27 11:35 ` Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 4/6] netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success Pablo Neira Ayuso
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-27 11:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: "Dmitry V. Levin" <ldv@altlinux.org>
Include <linux/limits.h> like some of uapi/linux/netfilter/xt_*.h
headers do to fix the following linux/netfilter/xt_hashlimit.h
userspace compilation error:
/usr/include/linux/netfilter/xt_hashlimit.h:90:12: error: 'NAME_MAX' undeclared here (not in a function)
char name[NAME_MAX];
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/xt_hashlimit.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h
index 3efc0ca18345..79da349f1060 100644
--- a/include/uapi/linux/netfilter/xt_hashlimit.h
+++ b/include/uapi/linux/netfilter/xt_hashlimit.h
@@ -2,6 +2,7 @@
#define _UAPI_XT_HASHLIMIT_H
#include <linux/types.h>
+#include <linux/limits.h>
#include <linux/if.h>
/* timings are in milliseconds. */
--
2.1.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 4/6] netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success.
2017-02-27 11:35 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2017-02-27 11:35 ` [PATCH 3/6] uapi: fix linux/netfilter/xt_hashlimit.h userspace compilation error Pablo Neira Ayuso
@ 2017-02-27 11:35 ` Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 5/6] netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value Pablo Neira Ayuso
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-27 11:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jarno Rajahalme <jarno@ovn.org>
Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
returns void") inadvertently changed the successful return value of
nf_ct_expect_related_report() from 0 to 1, which caused openvswitch
conntrack integration fail in FTP test cases.
Fix this by always returning zero on the success code path.
Fixes: 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert() returns void")
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_expect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index e19a69787d99..d6ace69d57dc 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -467,7 +467,7 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
spin_unlock_bh(&nf_conntrack_expect_lock);
nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report);
- return ret;
+ return 0;
out:
spin_unlock_bh(&nf_conntrack_expect_lock);
return ret;
--
2.1.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 5/6] netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
2017-02-27 11:35 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2017-02-27 11:35 ` [PATCH 4/6] netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success Pablo Neira Ayuso
@ 2017-02-27 11:35 ` Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 6/6] netfilter: nft_set_bitmap: incorrect bitmap size Pablo Neira Ayuso
2017-02-27 14:19 ` [PATCH 0/6] Netfilter fixes for net David Miller
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-27 11:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jarno Rajahalme <jarno@ovn.org>
Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
returns void") inadvertently changed the successful return value of
nf_ct_expect_related_report() from 0 to 1 due to
__nf_ct_expect_check() returning 1 on success. Prevent this
regression in the future by changing the return value of
__nf_ct_expect_check() to 0 on success.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_expect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index d6ace69d57dc..4b2e1fb28bb4 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -410,7 +410,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
struct net *net = nf_ct_exp_net(expect);
struct hlist_node *next;
unsigned int h;
- int ret = 1;
+ int ret = 0;
if (!master_help) {
ret = -ESHUTDOWN;
@@ -460,7 +460,7 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
spin_lock_bh(&nf_conntrack_expect_lock);
ret = __nf_ct_expect_check(expect);
- if (ret <= 0)
+ if (ret < 0)
goto out;
nf_ct_expect_insert(expect);
--
2.1.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 6/6] netfilter: nft_set_bitmap: incorrect bitmap size
2017-02-27 11:35 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2017-02-27 11:35 ` [PATCH 5/6] netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value Pablo Neira Ayuso
@ 2017-02-27 11:35 ` Pablo Neira Ayuso
2017-02-27 14:19 ` [PATCH 0/6] Netfilter fixes for net David Miller
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-27 11:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
priv->bitmap_size stores the real bitmap size, instead of the full
struct nft_bitmap object.
Fixes: 665153ff5752 ("netfilter: nf_tables: add bitmap set type")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_set_bitmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c
index 97f9649bcc7e..152d226552c1 100644
--- a/net/netfilter/nft_set_bitmap.c
+++ b/net/netfilter/nft_set_bitmap.c
@@ -258,7 +258,7 @@ static int nft_bitmap_init(const struct nft_set *set,
{
struct nft_bitmap *priv = nft_set_priv(set);
- priv->bitmap_size = nft_bitmap_total_size(set->klen);
+ priv->bitmap_size = nft_bitmap_size(set->klen);
return 0;
}
--
2.1.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2017-02-27 11:35 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (5 preceding siblings ...)
2017-02-27 11:35 ` [PATCH 6/6] netfilter: nft_set_bitmap: incorrect bitmap size Pablo Neira Ayuso
@ 2017-02-27 14:19 ` David Miller
6 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2017-02-27 14:19 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 27 Feb 2017 12:35:36 +0100
> The following patchset contains netfilter fixes for you net tree,
> they are:
>
> 1) Missing ct zone size in the nft_ct initialization path, patch
> from Florian Westphal.
>
> 2) Two patches for netfilter uapi headers, one to remove unnecessary
> sysctl.h inclusion and another to fix compilation of xt_hashlimit.h
> in userspace, from Dmitry V. Levin.
>
> 3) Patch to fix a sloppy change in nf_ct_expect that incorrectly
> simplified nf_ct_expect_related_report() in the previous nf-next
> batch. This also includes another patch for __nf_ct_expect_check()
> to report success by returning 0 to keep it consistent with other
> existing functions. From Jarno Rajahalme.
>
> 4) The ->walk() iterator of the new bitmap set type goes over the real
> bitmap size, this results in incorrect dumps when NFTA_SET_USERDATA
> is used.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2017-02-27 14:19 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-02-27 11:35 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 1/6] netfilter: nft_ct: fix random validation errors for zone set support Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 2/6] uapi: stop including linux/sysctl.h in uapi/linux/netfilter.h Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 3/6] uapi: fix linux/netfilter/xt_hashlimit.h userspace compilation error Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 4/6] netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 5/6] netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value Pablo Neira Ayuso
2017-02-27 11:35 ` [PATCH 6/6] netfilter: nft_set_bitmap: incorrect bitmap size Pablo Neira Ayuso
2017-02-27 14:19 ` [PATCH 0/6] Netfilter fixes for net David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).