* [PATCH 0/7] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2019-08-14 9:24 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi,
This patchset contains Netfilter fixes for net:
1) Extend selftest to cover flowtable with ipsec, from Florian Westphal.
2) Fix interaction of ipsec with flowtable, also from Florian.
3) Use-after-free with bound set to rule that fails to load.
4) Adjust state and timeout for flows that expire.
5) Timeout update race with flows in teardown state.
6) Ensure conntrack id hash calculation uses invariants as input,
from Dirk Morris.
7) Do not push flows into flowtable for TCP fin/rst packets.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 5e5412c365a32e452daa762eac36121cb8a370bb:
net/socket: fix GCC8+ Wpacked-not-aligned warnings (2019-08-03 11:02:46 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to dfe42be15fde16232340b8b2a57c359f51cc10d9:
netfilter: nft_flow_offload: skip tcp rst and fin packets (2019-08-14 11:09:07 +0200)
----------------------------------------------------------------
Dirk Morris (1):
netfilter: conntrack: Use consistent ct id hash calculation
Florian Westphal (2):
selftests: netfilter: extend flowtable test script for ipsec
netfilter: nf_flow_table: fix offload for flows that are subject to xfrm
Pablo Neira Ayuso (4):
netfilter: nf_tables: use-after-free in failing rule with bound set
netfilter: nf_flow_table: conntrack picks up expired flows
netfilter: nf_flow_table: teardown flow timeout race
netfilter: nft_flow_offload: skip tcp rst and fin packets
include/net/netfilter/nf_tables.h | 9 +++-
net/netfilter/nf_conntrack_core.c | 16 ++++----
net/netfilter/nf_flow_table_core.c | 43 +++++++++++++------
net/netfilter/nf_flow_table_ip.c | 43 +++++++++++++++++++
net/netfilter/nf_tables_api.c | 15 ++++---
net/netfilter/nft_flow_offload.c | 9 ++--
tools/testing/selftests/netfilter/nft_flowtable.sh | 48 ++++++++++++++++++++++
7 files changed, 153 insertions(+), 30 deletions(-)
* [PATCH 1/7] selftests: netfilter: extend flowtable test script for ipsec
From: Pablo Neira Ayuso @ 2019-08-14 9:24 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
'flow offload' expression should not offload flows that will be subject
to ipsec, but it does.
This results in a connectivity blackhole for the affected flows -- first
packets will go through (offload happens after established state is
reached), but all remaining ones bypass ipsec encryption and are thus
discarded by the peer.
This can be worked around by adding "rt ipsec exists accept"
before the 'flow offload' rule matches.
This test case will fail; support for such flows is added in the
next patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tools/testing/selftests/netfilter/nft_flowtable.sh | 48 ++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/tools/testing/selftests/netfilter/nft_flowtable.sh b/tools/testing/selftests/netfilter/nft_flowtable.sh
index fe52488a6f72..16571ac1dab4 100755
--- a/tools/testing/selftests/netfilter/nft_flowtable.sh
+++ b/tools/testing/selftests/netfilter/nft_flowtable.sh
@@ -321,4 +321,52 @@ else
ip netns exec nsr1 nft list ruleset
fi
+KEY_SHA="0x"$(ps -xaf | sha1sum | cut -d " " -f 1)
+KEY_AES="0x"$(ps -xaf | md5sum | cut -d " " -f 1)
+SPI1=$RANDOM
+SPI2=$RANDOM
+
+if [ $SPI1 -eq $SPI2 ]; then
+ SPI2=$((SPI2+1))
+fi
+
+do_esp() {
+ local ns=$1
+ local me=$2
+ local remote=$3
+ local lnet=$4
+ local rnet=$5
+ local spi_out=$6
+ local spi_in=$7
+
+ ip -net $ns xfrm state add src $remote dst $me proto esp spi $spi_in enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel sel src $rnet dst $lnet
+ ip -net $ns xfrm state add src $me dst $remote proto esp spi $spi_out enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel sel src $lnet dst $rnet
+
+ # to encrypt packets as they go out (includes forwarded packets that need encapsulation)
+ ip -net $ns xfrm policy add src $lnet dst $rnet dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow
+ # to fwd decrypted packets after esp processing:
+ ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd tmpl src $remote dst $me proto esp mode tunnel priority 1 action allow
+
+}
+
+do_esp nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2
+
+do_esp nsr2 192.168.10.2 192.168.10.1 10.0.2.0/24 10.0.1.0/24 $SPI2 $SPI1
+
+ip netns exec nsr1 nft delete table ip nat
+
+# restore default routes
+ip -net ns2 route del 192.168.10.1 via 10.0.2.1
+ip -net ns2 route add default via 10.0.2.1
+ip -net ns2 route add default via dead:2::1
+
+test_tcp_forwarding ns1 ns2
+if [ $? -eq 0 ] ;then
+ echo "PASS: ipsec tunnel mode for ns1/ns2"
+else
+ echo "FAIL: ipsec tunnel mode for ns1/ns2"
+ ip netns exec nsr1 nft list ruleset 1>&2
+ ip netns exec nsr1 cat /proc/net/xfrm_stat 1>&2
+fi
+
exit $ret
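Review bot: the FAIL branch at the bottom of this hunk never sets `ret=1`, so an IPsec regression prints `FAIL: ipsec tunnel mode for ns1/ns2` but the script still exits with whatever `ret` the earlier tests left behind, normally 0; add `ret=1` next to that echo. Coverage-wise, only IPv4 tunnel mode is exercised, so the IPv6 xfrm path the next patch adds to nf_flow_offload_ipv6_hook() stays untested, and the `rt ipsec exists accept` workaround from the changelog is not asserted anywhere either, which would be a useful negative check on a kernel without the fix. Deriving `KEY_SHA`/`KEY_AES` from `ps -xaf | sha1sum` and the SPIs from `$RANDOM` is fine for a namespace-local selftest but must not be copied into anything real; the trailing blank line before the closing brace of `do_esp()` can go.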
--
2.11.0
* [PATCH 2/7] netfilter: nf_flow_table: fix offload for flows that are subject to xfrm
From: Pablo Neira Ayuso @ 2019-08-14 9:24 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
This makes the previously added 'encap test' pass.
Because it's possible that the xfrm dst entry becomes stale while such
a flow is offloaded, we need to call dst_check() -- the notifier that
handles this for non-tunneled traffic isn't sufficient, because SA or
policies might have changed.
If dst becomes stale the flow offload entry will be tagged for teardown
and packets will be passed to 'classic' forwarding path.
Removing the entry right away is problematic, as this would
introduce a race condition with the gc worker.
In case flow is long-lived, it could eventually be offloaded again
once the gc worker removes the entry from the flow table.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_flow_table_ip.c | 43 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index cdfc33517e85..d68c801dd614 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -214,6 +214,25 @@ static bool nf_flow_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
return true;
}
+static int nf_flow_offload_dst_check(struct dst_entry *dst)
+{
+ if (unlikely(dst_xfrm(dst)))
+ return dst_check(dst, 0) ? 0 : -1;
+
+ return 0;
+}
+
+static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb,
+ const struct nf_hook_state *state,
+ struct dst_entry *dst)
+{
+ skb_orphan(skb);
+ skb_dst_set_noref(skb, dst);
+ skb->tstamp = 0;
+ dst_output(state->net, state->sk, skb);
+ return NF_STOLEN;
+}
+
unsigned int
nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state)
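Review bot: nf_flow_xmit_xfrm() attaches the dst with skb_dst_set_noref() and then calls dst_output(); for an xfrm dst that can hand the skb to asynchronous crypto, so the skb may outlive this hook while the flow entry holding the real dst reference is being torn down by the gc worker. Please confirm that is safe, or take a reference with skb_dst_set() here. Smaller points: nf_flow_offload_dst_check() returning 0/-1 reads more naturally as a bool, and `dst_check(dst, 0)` deserves a comment that the cookie is irrelevant because only the xfrm bundle-staleness check is wanted.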
@@ -254,6 +273,11 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
if (nf_flow_state_check(flow, ip_hdr(skb)->protocol, skb, thoff))
return NF_ACCEPT;
+ if (nf_flow_offload_dst_check(&rt->dst)) {
+ flow_offload_teardown(flow);
+ return NF_ACCEPT;
+ }
+
if (nf_flow_nat_ip(flow, skb, thoff, dir) < 0)
return NF_DROP;
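Review bot: after flow_offload_teardown() the entry stays in the table until the gc worker removes it, so every later packet of this flow re-enters here, repeats dst_check() and calls teardown again; the changelog explains why immediate removal would race the gc, but a one-line comment above `flow_offload_teardown(flow);` saying the repeat is intentional and idempotent would stop the next reader from "optimising" it away. Placement is right: the check runs after nf_flow_state_check() and before nf_flow_nat_ip(), so a packet bounced to the slow path has not been mangled yet.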
@@ -261,6 +285,13 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
iph = ip_hdr(skb);
ip_decrease_ttl(iph);
+ if (unlikely(dst_xfrm(&rt->dst))) {
+ memset(skb->cb, 0, sizeof(struct inet_skb_parm));
+ IPCB(skb)->iif = skb->dev->ifindex;
+ IPCB(skb)->flags = IPSKB_FORWARDED;
+ return nf_flow_xmit_xfrm(skb, state, &rt->dst);
+ }
+
skb->dev = outdev;
nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr);
skb_dst_set_noref(skb, &rt->dst);
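Review bot: dst_xfrm(&rt->dst) is evaluated twice per packet on xfrm flows, once inside nf_flow_offload_dst_check() above and again here; evaluating it once into a local keeps the two branches from drifting apart. The cb initialisation (`memset(skb->cb, 0, ...)`, `IPCB(skb)->iif = skb->dev->ifindex;`, `IPCB(skb)->flags = IPSKB_FORWARDED;`) is repeated almost verbatim in the IPv6 hunk below with IP6CB; a per-family helper would keep them in sync. This branch also deliberately skips `skb->dev = outdev` because dst_output() routes via the xfrm dst, which is fine but should be stated in a comment.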
@@ -467,6 +498,11 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
sizeof(*ip6h)))
return NF_ACCEPT;
+ if (nf_flow_offload_dst_check(&rt->dst)) {
+ flow_offload_teardown(flow);
+ return NF_ACCEPT;
+ }
+
if (skb_try_make_writable(skb, sizeof(*ip6h)))
return NF_DROP;
@@ -477,6 +513,13 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
ip6h = ipv6_hdr(skb);
ip6h->hop_limit--;
+ if (unlikely(dst_xfrm(&rt->dst))) {
+ memset(skb->cb, 0, sizeof(struct inet6_skb_parm));
+ IP6CB(skb)->iif = skb->dev->ifindex;
+ IP6CB(skb)->flags = IP6SKB_FORWARDED;
+ return nf_flow_xmit_xfrm(skb, state, &rt->dst);
+ }
+
skb->dev = outdev;
nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
skb_dst_set_noref(skb, &rt->dst);
--
2.11.0
* [PATCH 3/7] netfilter: nf_tables: use-after-free in failing rule with bound set
From: Pablo Neira Ayuso @ 2019-08-14 9:24 UTC
To: netfilter-devel; +Cc: davem, netdev
If a rule that already has a bound anonymous set fails to be added, the
preparation phase releases the rule and the bound set. However, the
transaction object from the abort path still has a reference to the set
object that is stale, leading to a use-after-free when checking for the
set->bound field. Add a new field to the transaction that specifies if
the set is bound, so the abort path can skip releasing it since the rule
command owns it and it takes care of releasing it. After this update,
the set->bound field is removed.
[ 24.649883] Unable to handle kernel paging request at virtual address 0000000000040434
[ 24.657858] Mem abort info:
[ 24.660686] ESR = 0x96000004
[ 24.663769] Exception class = DABT (current EL), IL = 32 bits
[ 24.669725] SET = 0, FnV = 0
[ 24.672804] EA = 0, S1PTW = 0
[ 24.675975] Data abort info:
[ 24.678880] ISV = 0, ISS = 0x00000004
[ 24.682743] CM = 0, WnR = 0
[ 24.685723] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000428952000
[ 24.692207] [0000000000040434] pgd=0000000000000000
[ 24.697119] Internal error: Oops: 96000004 [#1] SMP
[...]
[ 24.889414] Call trace:
[ 24.891870] __nf_tables_abort+0x3f0/0x7a0
[ 24.895984] nf_tables_abort+0x20/0x40
[ 24.899750] nfnetlink_rcv_batch+0x17c/0x588
[ 24.904037] nfnetlink_rcv+0x13c/0x190
[ 24.907803] netlink_unicast+0x18c/0x208
[ 24.911742] netlink_sendmsg+0x1b0/0x350
[ 24.915682] sock_sendmsg+0x4c/0x68
[ 24.919185] ___sys_sendmsg+0x288/0x2c8
[ 24.923037] __sys_sendmsg+0x7c/0xd0
[ 24.926628] __arm64_sys_sendmsg+0x2c/0x38
[ 24.930744] el0_svc_common.constprop.0+0x94/0x158
[ 24.935556] el0_svc_handler+0x34/0x90
[ 24.939322] el0_svc+0x8/0xc
[ 24.942216] Code: 37280300 f9404023 91014262 aa1703e0 (f9401863)
[ 24.948336] ---[ end trace cebbb9dcbed3b56f ]---
Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 9 +++++++--
net/netfilter/nf_tables_api.c | 15 ++++++++++-----
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 9b624566b82d..475d6f28ca67 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -421,8 +421,7 @@ struct nft_set {
unsigned char *udata;
/* runtime data below here */
const struct nft_set_ops *ops ____cacheline_aligned;
- u16 flags:13,
- bound:1,
+ u16 flags:14,
genmask:2;
u8 klen;
u8 dlen;
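Review bot: dropping `bound:1` from struct nft_set is the heart of the fix (an abort must never consult an object the failed rule may already have freed), so a one-line comment at `flags:14` saying that binding state now lives in the transaction would keep someone from adding it back later. Please also confirm that widening `flags` to 14 bits does not change which userspace-supplied NFT_SET_* flag values get stored, since the field is otherwise untouched.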
@@ -1348,12 +1347,15 @@ struct nft_trans_rule {
struct nft_trans_set {
struct nft_set *set;
u32 set_id;
+ bool bound;
};
#define nft_trans_set(trans) \
(((struct nft_trans_set *)trans->data)->set)
#define nft_trans_set_id(trans) \
(((struct nft_trans_set *)trans->data)->set_id)
+#define nft_trans_set_bound(trans) \
+ (((struct nft_trans_set *)trans->data)->bound)
struct nft_trans_chain {
bool update;
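Review bot: `bool bound` in struct nft_trans_set is only meaningful for NFT_MSG_NEWSET transactions; a comment stating that it means "ownership passed to a rule, abort must not release the set" would help. `nft_trans_set_bound()` is used as an lvalue in nf_tables_api.c, which matches the existing accessor style in this header.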
@@ -1384,12 +1386,15 @@ struct nft_trans_table {
struct nft_trans_elem {
struct nft_set *set;
struct nft_set_elem elem;
+ bool bound;
};
#define nft_trans_elem_set(trans) \
(((struct nft_trans_elem *)trans->data)->set)
#define nft_trans_elem(trans) \
(((struct nft_trans_elem *)trans->data)->elem)
+#define nft_trans_elem_set_bound(trans) \
+ (((struct nft_trans_elem *)trans->data)->bound)
struct nft_trans_obj {
struct nft_object *obj;
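Review bot: the element transaction carries its own `bound` copy instead of consulting the set, which is necessary because by abort time the set pointer in an NFT_MSG_NEWSETELEM transaction may already be dangling; worth a comment so nobody later folds this back into nft_set to save a byte.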
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 605a7cfe7ca7..88abbddf8967 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -138,9 +138,14 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
return;
list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
- if (trans->msg_type == NFT_MSG_NEWSET &&
- nft_trans_set(trans) == set) {
- set->bound = true;
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWSET:
+ if (nft_trans_set(trans) == set)
+ nft_trans_set_bound(trans) = true;
+ break;
+ case NFT_MSG_NEWSETELEM:
+ if (nft_trans_elem_set(trans) == set)
+ nft_trans_elem_set_bound(trans) = true;
break;
}
}
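Review bot: the `break` statements in this hunk now leave the `switch`, not the `list_for_each_entry_reverse` loop, so what used to stop at the matching NEWSET is now a full walk of commit_list on every bind. The full walk is needed so that every NEWSETELEM transaction for the set is flagged too, but since element transactions are queued after the set's own transaction, the reverse walk meets all of them before it reaches the NEWSET; a loop exit (`goto` or a found flag) at the NEWSET match would keep the early-out and still be correct. Either way, say in a comment that the loop intentionally continues past NEWSETELEM matches.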
@@ -6906,7 +6911,7 @@ static int __nf_tables_abort(struct net *net)
break;
case NFT_MSG_NEWSET:
trans->ctx.table->use--;
- if (nft_trans_set(trans)->bound) {
+ if (nft_trans_set_bound(trans)) {
nft_trans_destroy(trans);
break;
}
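Review bot: with `nft_trans_set_bound(trans)` the abort path no longer dereferences the set for a bound NEWSET, which is the fix; add a comment above `nft_trans_destroy(trans);` that the rule which bound the set owns its release (including on the rule's own abort), so the asymmetry with the unbound branch below is explicit. `trans->ctx.table->use--` still runs for both cases, which looks intended since the counter was taken at NEWSET time regardless of binding.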
@@ -6918,7 +6923,7 @@ static int __nf_tables_abort(struct net *net)
nft_trans_destroy(trans);
break;
case NFT_MSG_NEWSETELEM:
- if (nft_trans_elem_set(trans)->bound) {
+ if (nft_trans_elem_set_bound(trans)) {
nft_trans_destroy(trans);
break;
}
--
2.11.0
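The ownership rule this patch establishes, modelled in user space as an added example (this is not nf_tables code and not part of the patch): a transaction log entry records a set, a rule binds the set and thereby owns it, the rule fails to load and releases the set, and the abort path must then decide whether to release it without touching it. `struct set`, `struct trans`, `rule_bind()`, `abort_old()` and `abort_fixed()` are simplified stand-ins for nft_set, nft_trans_set, nft_set_trans_bind() and __nf_tables_abort(); the release counter is test bookkeeping.

```c
/* Added example, not part of the patch or of nf_tables: a user-space model
 * of the ownership bug fixed above. The old abort path asked the set itself
 * (set->bound) whether to release it, reading memory the failed rule had
 * already freed. The fixed path keeps the flag on the transaction. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct set {
	char name[16];
	bool bound;      /* old location of the flag: inside the object that may be freed */
};

struct trans {
	struct set *set; /* dangling once the rule releases the set */
	bool bound;      /* new location: owned by the transaction log, always valid */
};

static int releases;  /* counts set releases so a caller can check for exactly one */

static struct set *set_alloc(const char *name)
{
	struct set *s = calloc(1, sizeof(*s));
	if (s)
		snprintf(s->name, sizeof(s->name), "%s", name);
	return s;
}

static void set_release(struct set *s)
{
	releases++;
	free(s);
}

/* A rule binds the anonymous set: ownership moves to the rule. With the fix,
 * the transaction is what remembers that (cf. nft_set_trans_bind()). */
static void rule_bind(struct trans *t, bool use_trans_flag)
{
	if (use_trans_flag)
		t->bound = true;
	else
		t->set->bound = true;
}

/* Abort path before the fix: dereferences trans->set to read ->bound. After
 * the rule has released the set this is a use-after-free. Kept for contrast,
 * never called here; build with -fsanitize=address and call it after
 * set_release() to see the heap-use-after-free report. */
static void abort_old(struct trans *t)
{
	if (!t->set->bound)
		set_release(t->set);
}

/* Abort path after the fix: the set is not touched at all when it is bound. */
static void abort_fixed(struct trans *t)
{
	if (!t->bound)
		set_release(t->set);
}

/* Scenario from the changelog: set created, rule binds it, rule fails to
 * load (the rule command releases what it owns), then abort runs.
 * Returns how many times the set was released; the right answer is 1. */
static int scenario_rule_fails_then_abort(void)
{
	struct trans t = { .set = set_alloc("__set0"), .bound = false };

	releases = 0;
	rule_bind(&t, true);
	set_release(t.set);   /* rule load failed: rule drops its set, t.set dangles */
	abort_fixed(&t);      /* must not dereference t.set */
	return releases;
}

/* Scenario: set created but never bound to a rule; abort must release it. */
static int scenario_unbound_abort(void)
{
	struct trans t = { .set = set_alloc("__set1"), .bound = false };

	releases = 0;
	abort_fixed(&t);
	return releases;
}

int main(void)
{
	(void)abort_old;  /* referenced only so the unused-function warning stays quiet */
	printf("rule fails then abort: releases=%d (want 1)\n", scenario_rule_fails_then_abort());
	printf("unbound set abort:     releases=%d (want 1)\n", scenario_unbound_abort());
	return 0;
}
```

The point of the model is the data placement: a flag that decides whether an object may be touched must live in something whose lifetime is guaranteed at the decision point (the transaction), not in the object whose lifetime is in question.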
* [PATCH 4/7] netfilter: nf_flow_table: conntrack picks up expired flows
From: Pablo Neira Ayuso @ 2019-08-14 9:24 UTC
To: netfilter-devel; +Cc: davem, netdev
Update conntrack entry to pick up expired flows, otherwise the conntrack
entry gets stuck with the internal offload timeout (one day). The TCP
state also needs to be adjusted to ESTABLISHED state and tracking is set
to liberal mode in order to give conntrack a chance to pick up the
expired flow.
Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_flow_table_core.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index e3d797252a98..68a24471ffee 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -111,7 +111,7 @@ static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
#define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT (120 * HZ)
#define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT (30 * HZ)
-static void flow_offload_fixup_ct_state(struct nf_conn *ct)
+static void flow_offload_fixup_ct(struct nf_conn *ct)
{
const struct nf_conntrack_l4proto *l4proto;
unsigned int timeout;
@@ -208,6 +208,11 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
}
EXPORT_SYMBOL_GPL(flow_offload_add);
+static inline bool nf_flow_has_expired(const struct flow_offload *flow)
+{
+ return (__s32)(flow->timeout - (u32)jiffies) <= 0;
+}
+
static void flow_offload_del(struct nf_flowtable *flow_table,
struct flow_offload *flow)
{
@@ -223,6 +228,9 @@ static void flow_offload_del(struct nf_flowtable *flow_table,
e = container_of(flow, struct flow_offload_entry, flow);
clear_bit(IPS_OFFLOAD_BIT, &e->ct->status);
+ if (nf_flow_has_expired(flow))
+ flow_offload_fixup_ct(e->ct);
+
flow_offload_free(flow);
}
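Review bot: the order in this hunk is load-bearing: `clear_bit(IPS_OFFLOAD_BIT, &e->ct->status);` must precede flow_offload_fixup_ct(), otherwise conntrack would re-arm the one-day offload timeout while the bit is still set; a comment saying so would help, because the same ordering question returns in the teardown path. Note also that the fixup is done only for expired flows; entries removed after teardown keep the offload timeout in this version, which the next patch addresses.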
@@ -233,7 +241,7 @@ void flow_offload_teardown(struct flow_offload *flow)
flow->flags |= FLOW_OFFLOAD_TEARDOWN;
e = container_of(flow, struct flow_offload_entry, flow);
- flow_offload_fixup_ct_state(e->ct);
+ flow_offload_fixup_ct(e->ct);
}
EXPORT_SYMBOL_GPL(flow_offload_teardown);
@@ -298,11 +306,6 @@ nf_flow_table_iterate(struct nf_flowtable *flow_table,
return err;
}
-static inline bool nf_flow_has_expired(const struct flow_offload *flow)
-{
- return (__s32)(flow->timeout - (u32)jiffies) <= 0;
-}
-
static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data)
{
struct nf_flowtable *flow_table = data;
--
2.11.0
* [PATCH 5/7] netfilter: nf_flow_table: teardown flow timeout race
From: Pablo Neira Ayuso @ 2019-08-14 9:24 UTC
To: netfilter-devel; +Cc: davem, netdev
Flows that are in teardown state (due to RST / FIN TCP packet) still
have their offload flag set on. Hence, the conntrack garbage collector
may race to undo the timeout adjustment that the fixup routine performs,
leaving the conntrack entry in place with the internal offload timeout
(one day).
Update teardown flow state to ESTABLISHED and set tracking to liberal,
then once the offload bit is cleared, adjust timeout if it is more than
the default fixup timeout (conntrack might already have set a lower
timeout from the packet path).
Fixes: da5984e51063 ("netfilter: nf_flow_table: add support for sending flows back to the slow path")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_flow_table_core.c | 34 +++++++++++++++++++++++++---------
1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 68a24471ffee..80a8f9ae4c93 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -111,15 +111,16 @@ static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
#define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT (120 * HZ)
#define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT (30 * HZ)
-static void flow_offload_fixup_ct(struct nf_conn *ct)
+static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
+{
+ return (__s32)(timeout - (u32)jiffies);
+}
+
+static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
{
const struct nf_conntrack_l4proto *l4proto;
+ int l4num = nf_ct_protonum(ct);
unsigned int timeout;
- int l4num;
-
- l4num = nf_ct_protonum(ct);
- if (l4num == IPPROTO_TCP)
- flow_offload_fixup_tcp(&ct->proto.tcp);
l4proto = nf_ct_l4proto_find(l4num);
if (!l4proto)
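Review bot: nf_flow_timeout_delta() takes `unsigned int` but is fed `ct->timeout` and `flow->timeout`, both u32; declaring the parameter `u32` matches the fields and the `(u32)jiffies` cast. The move of the flow_offload_fixup_tcp() call out of this function into the new flow_offload_fixup_ct_state() below is the behavioural part of the patch and is easy to miss in the diff; a sentence in the changelog about the split into _state/_timeout helpers would help reviewers and backporters.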
@@ -132,7 +133,20 @@ static void flow_offload_fixup_ct(struct nf_conn *ct)
else
return;
- ct->timeout = nfct_time_stamp + timeout;
+ if (nf_flow_timeout_delta(ct->timeout) > (__s32)timeout)
+ ct->timeout = nfct_time_stamp + timeout;
+}
+
+static void flow_offload_fixup_ct_state(struct nf_conn *ct)
+{
+ if (nf_ct_protonum(ct) == IPPROTO_TCP)
+ flow_offload_fixup_tcp(&ct->proto.tcp);
+}
+
+static void flow_offload_fixup_ct(struct nf_conn *ct)
+{
+ flow_offload_fixup_ct_state(ct);
+ flow_offload_fixup_ct_timeout(ct);
}
void flow_offload_free(struct flow_offload *flow)
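Review bot: `nf_flow_timeout_delta(ct->timeout) > (__s32)timeout` reads `ct->timeout` with a plain load while the packet path may be writing it, and the store `ct->timeout = nfct_time_stamp + timeout;` is likewise unannotated; the race is benign by design (the value only ever moves down), but READ_ONCE()/WRITE_ONCE() would document that and keep KCSAN quiet. The early `else return;` above means non-TCP/UDP conntracks keep whatever timeout they have, consistent with what the flowtable offloads, but a comment would pre-empt the question.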
@@ -210,7 +224,7 @@ EXPORT_SYMBOL_GPL(flow_offload_add);
static inline bool nf_flow_has_expired(const struct flow_offload *flow)
{
- return (__s32)(flow->timeout - (u32)jiffies) <= 0;
+ return nf_flow_timeout_delta(flow->timeout) <= 0;
}
static void flow_offload_del(struct nf_flowtable *flow_table,
@@ -230,6 +244,8 @@ static void flow_offload_del(struct nf_flowtable *flow_table,
if (nf_flow_has_expired(flow))
flow_offload_fixup_ct(e->ct);
+ else if (flow->flags & FLOW_OFFLOAD_TEARDOWN)
+ flow_offload_fixup_ct_timeout(e->ct);
flow_offload_free(flow);
}
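Review bot: the `else if (flow->flags & FLOW_OFFLOAD_TEARDOWN)` branch gives torn-down flows only the timeout fixup, which is right because flow_offload_teardown() already fixed the TCP state; please add a comment tying both branches to the `clear_bit(IPS_OFFLOAD_BIT, ...)` above: the timeout may only be written once the bit is gone, otherwise conntrack re-arms the one-day offload timeout, which is exactly the race from the changelog.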
@@ -241,7 +257,7 @@ void flow_offload_teardown(struct flow_offload *flow)
flow->flags |= FLOW_OFFLOAD_TEARDOWN;
e = container_of(flow, struct flow_offload_entry, flow);
- flow_offload_fixup_ct(e->ct);
+ flow_offload_fixup_ct_state(e->ct);
}
EXPORT_SYMBOL_GPL(flow_offload_teardown);
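Review bot: flow_offload_teardown() now leaves the conntrack timeout alone, so between the FIN/RST and the gc worker's flow_offload_del() the entry stays ESTABLISHED with the offload timeout; that is the intended fix for the race, but the added delay until the 120s/30s pickup timeout takes effect is worth a line in the changelog.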
--
2.11.0
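The jiffies arithmetic behind nf_flow_has_expired() in the previous patch and the lower-only rule of flow_offload_fixup_ct_timeout() in this one, modelled in user space as an added example (not kernel code and not part of either patch). The kernel reads the global jiffies counter; here `now` is passed explicitly so every case is a pure function. HZ, the one-day offload timeout value and `struct fake_conn` are assumed stand-ins, not kernel definitions.

```c
/* Added example, not from the patches: wrap-safe jiffies deadline arithmetic
 * and the "only shorten, never extend" timeout fixup, in plain C. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HZ 1000u
#define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT (120u * HZ)
#define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT (30u * HZ)
/* Assumed value of the "internal offload timeout (one day)" from the changelog. */
#define OFFLOAD_TIMEOUT_ONE_DAY (24u * 60u * 60u * HZ)

struct fake_conn {
	uint32_t timeout;   /* absolute jiffies value, like nf_conn::timeout */
};

/* Same expression as the patch: the signed difference is correct across the
 * 32-bit wrap as long as the two values are less than 2^31 ticks apart. */
static int32_t nf_flow_timeout_delta(uint32_t timeout, uint32_t now)
{
	return (int32_t)(timeout - now);
}

static bool nf_flow_has_expired(uint32_t flow_timeout, uint32_t now)
{
	return nf_flow_timeout_delta(flow_timeout, now) <= 0;
}

/* What a plain unsigned comparison would do: wrong as soon as the deadline
 * has wrapped past 2^32 but 'now' has not. */
static bool naive_has_expired(uint32_t flow_timeout, uint32_t now)
{
	return flow_timeout <= now;
}

/* Mirrors flow_offload_fixup_ct_timeout(): clamp the conntrack timeout down
 * to the pickup value; never extend one the packet path already set lower.
 * Returns true if the timeout was rewritten. */
static bool flow_offload_fixup_ct_timeout(struct fake_conn *ct, uint32_t pickup,
					  uint32_t now)
{
	if (nf_flow_timeout_delta(ct->timeout, now) > (int32_t)pickup) {
		ct->timeout = now + pickup;
		return true;
	}
	return false;
}

/* Remaining ticks on a conntrack entry after the fixup ran. */
static int32_t remaining_after_fixup(uint32_t ct_timeout, uint32_t pickup,
				     uint32_t now)
{
	struct fake_conn ct = { .timeout = ct_timeout };

	flow_offload_fixup_ct_timeout(&ct, pickup, now);
	return nf_flow_timeout_delta(ct.timeout, now);
}

int main(void)
{
	uint32_t now = 0xFFFFFF00u;            /* 256 ticks before the 32-bit wrap */
	uint32_t deadline = now + 30u * HZ;    /* wraps to a small number */

	printf("deadline=%u now=%u wrap-safe expired=%d naive expired=%d\n",
	       (unsigned)deadline, (unsigned)now,
	       nf_flow_has_expired(deadline, now), naive_has_expired(deadline, now));
	now += 31u * HZ;
	printf("31s later: wrap-safe expired=%d\n", nf_flow_has_expired(deadline, now));

	/* ct entry still carrying the one-day offload timeout: clamped to 120s */
	printf("one-day ct timeout -> %d ticks left after fixup\n",
	       remaining_after_fixup(now + OFFLOAD_TIMEOUT_ONE_DAY,
				     NF_FLOWTABLE_TCP_PICKUP_TIMEOUT, now));
	/* ct entry the packet path already lowered to 5s: left alone */
	printf("5s ct timeout -> %d ticks left after fixup\n",
	       remaining_after_fixup(now + 5u * HZ,
				     NF_FLOWTABLE_TCP_PICKUP_TIMEOUT, now));
	return 0;
}
```

The naive comparison is the bug class the `(__s32)` cast avoids: a deadline that has wrapped looks like it lies in the past. The fixup's `>` comparison is what makes the race with the packet path tolerable, since a concurrent writer can only leave a shorter timeout in place, never a longer one.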
* [PATCH 6/7] netfilter: conntrack: Use consistent ct id hash calculation
From: Pablo Neira Ayuso @ 2019-08-14 9:24 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Dirk Morris <dmorris@metaloft.com>
Change ct id hash calculation to only use invariants.
Currently the ct id hash calculation is based on some fields that can
change in the lifetime of a conntrack entry in some corner cases. The
current hash uses the whole tuple which contains an hlist pointer which
will change when the conntrack is placed on the dying list resulting in
a ct id change.
This patch also removes the reply-side tuple and extension pointer from
the hash calculation so that the ct id will not change from
initialization until confirmation.
Fixes: 3c79107631db1f7 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
Signed-off-by: Dirk Morris <dmorris@metaloft.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index a542761e90d1..81a8ef42b88d 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -453,13 +453,12 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
* table location, we assume id gets exposed to userspace.
*
* Following nf_conn items do not change throughout lifetime
- * of the nf_conn after it has been committed to main hash table:
+ * of the nf_conn:
*
* 1. nf_conn address
- * 2. nf_conn->ext address
- * 3. nf_conn->master address (normally NULL)
- * 4. tuple
- * 5. the associated net namespace
+ * 2. nf_conn->master address (normally NULL)
+ * 3. the associated net namespace
+ * 4. the original direction tuple
*/
u32 nf_ct_get_id(const struct nf_conn *ct)
{
@@ -469,9 +468,10 @@ u32 nf_ct_get_id(const struct nf_conn *ct)
net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
a = (unsigned long)ct;
- b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
- c = (unsigned long)ct->ext;
- d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
+ b = (unsigned long)ct->master;
+ c = (unsigned long)nf_ct_net(ct);
+ d = (unsigned long)siphash(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
+ sizeof(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple),
&ct_id_seed);
#ifdef CONFIG_64BIT
return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
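Review bot: `c = (unsigned long)nf_ct_net(ct);` feeds the raw struct net pointer into the hash instead of net_hash_mix(); because the result goes through siphash keyed with ct_id_seed, that address is not recoverable from the id, but the comment block above should say the id is a keyed hash over kernel addresses so nobody later swaps siphash for an unkeyed hash here. Second, siphash() over `ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple` also covers any padding bytes of struct nf_conntrack_tuple, so the id is only stable if the tuple is fully zero-initialised before the conntrack is first exposed; worth confirming or stating in the comment.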
--
2.11.0
* [PATCH 7/7] netfilter: nft_flow_offload: skip tcp rst and fin packets
From: Pablo Neira Ayuso @ 2019-08-14 9:24 UTC
To: netfilter-devel; +Cc: davem, netdev
TCP rst and fin packets do not qualify to place a flow into the
flowtable. Most likely there will be no more packets after connection
closure. Without this patch, this flow entry expires and connection
tracking picks up the entry in ESTABLISHED state using the fixup
timeout, which makes this look inconsistent to the user for a connection
that is actually already closed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_flow_offload.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index aa5f571d4361..060a4ed46d5e 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -72,11 +72,11 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
{
struct nft_flow_offload *priv = nft_expr_priv(expr);
struct nf_flowtable *flowtable = &priv->flowtable->data;
+ struct tcphdr _tcph, *tcph = NULL;
enum ip_conntrack_info ctinfo;
struct nf_flow_route route;
struct flow_offload *flow;
enum ip_conntrack_dir dir;
- bool is_tcp = false;
struct nf_conn *ct;
int ret;
@@ -89,7 +89,10 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
case IPPROTO_TCP:
- is_tcp = true;
+ tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff,
+ sizeof(_tcph), &_tcph);
+ if (unlikely(!tcph || tcph->fin || tcph->rst))
+ goto out;
break;
case IPPROTO_UDP:
break;
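Review bot: `tcph` now doubles as the old `is_tcp` flag, so the liberal-tracking block further down depends on it being non-NULL exactly when the protocol is TCP; a comment at the `skb_header_pointer()` call would make that coupling visible. Folding `!tcph` (transport header not readable) into the same `goto out` as fin/rst is correct, since a packet whose TCP header cannot be parsed should not seed a flow either. Note that only the packet that would create the flow is inspected here; a FIN or RST arriving later is handled by the teardown path, not by this expression.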
@@ -115,7 +118,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
if (!flow)
goto err_flow_alloc;
- if (is_tcp) {
+ if (tcph) {
ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
}
--
2.11.0
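The header check this patch adds, as an added example in plain C (not kernel code and not part of the patch): parse an IPv4 packet from a byte buffer, locate the transport header the way `pkt->xt.thoff` does, read the TCP flags through a bounds-checked accessor that behaves like skb_header_pointer() (NULL when the bytes are not there), and refuse FIN/RST packets as flow seeds. The packet bytes are constructed inline for the demonstration; `header_pointer()`, `flow_offload_eligible()` and the verdict enum are this example's names, not netfilter's.

```c
/* Added example, not from the patch: decide whether a raw IPv4 packet may
 * seed a flowtable entry, mirroring the fin/rst and header-availability
 * checks in nft_flow_offload_eval(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum flow_verdict {
	FLOW_ELIGIBLE,        /* may be placed into the flowtable */
	FLOW_SKIP_TRUNCATED,  /* header not readable: skb_header_pointer() would return NULL */
	FLOW_SKIP_FIN_RST,    /* TCP fin/rst: connection is closing, do not offload */
	FLOW_SKIP_PROTO,      /* neither TCP nor UDP */
};

#define TCP_FLAG_FIN 0x01
#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10

#define PROTO_TCP 6
#define PROTO_UDP 17

/* Stand-in for skb_header_pointer(): pointer to 'len' bytes at 'off', or NULL
 * if the packet is too short. Written to avoid off+len overflow. */
static const uint8_t *header_pointer(const uint8_t *pkt, size_t pktlen,
				     size_t off, size_t len)
{
	if (off > pktlen || len > pktlen - off)
		return NULL;
	return pkt + off;
}

static enum flow_verdict flow_offload_eligible(const uint8_t *pkt, size_t pktlen)
{
	const uint8_t *iph = header_pointer(pkt, pktlen, 0, 20);
	size_t thoff;

	if (!iph || (iph[0] >> 4) != 4)
		return FLOW_SKIP_TRUNCATED;
	thoff = (size_t)(iph[0] & 0x0f) * 4;   /* IHL in 32-bit words = transport offset */
	if (thoff < 20 || !header_pointer(pkt, pktlen, 0, thoff))
		return FLOW_SKIP_TRUNCATED;

	switch (iph[9]) {                       /* IPv4 protocol field */
	case PROTO_TCP: {
		const uint8_t *tcph = header_pointer(pkt, pktlen, thoff, 20);

		if (!tcph)
			return FLOW_SKIP_TRUNCATED;
		/* byte 13 of the TCP header holds CWR..FIN; FIN is bit 0, RST bit 2 */
		if (tcph[13] & (TCP_FLAG_FIN | TCP_FLAG_RST))
			return FLOW_SKIP_FIN_RST;
		return FLOW_ELIGIBLE;
	}
	case PROTO_UDP:
		return FLOW_ELIGIBLE;
	default:
		return FLOW_SKIP_PROTO;
	}
}

/* Constructed test packet: IPv4 (20-byte header, no options) carrying a
 * 20-byte TCP header and no payload; addresses are documentation ranges. */
static size_t build_ipv4_tcp(uint8_t *buf, size_t buflen, uint8_t tcp_flags)
{
	static const uint8_t tmpl[40] = {
		0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, PROTO_TCP, 0x00, 0x00,
		192, 0, 2, 1,			/* src 192.0.2.1 */
		198, 51, 100, 1,		/* dst 198.51.100.1 */
		0xd4, 0x31, 0x00, 0x50,		/* sport 54321, dport 80 */
		0, 0, 0, 1, 0, 0, 0, 1,		/* seq, ack */
		0x50, 0x00, 0x20, 0x00,		/* data offset 5, flags, window */
		0x00, 0x00, 0x00, 0x00,		/* checksum (unset), urgent ptr */
	};

	if (buflen < sizeof(tmpl))
		return 0;
	memcpy(buf, tmpl, sizeof(tmpl));
	buf[20 + 13] = tcp_flags;
	return sizeof(tmpl);
}

static enum flow_verdict verdict_for_tcp_flags(uint8_t flags)
{
	uint8_t buf[64];
	size_t n = build_ipv4_tcp(buf, sizeof(buf), flags);

	return flow_offload_eligible(buf, n);
}

/* Same packet cut 8 bytes short, so the TCP header is not fully present. */
static enum flow_verdict verdict_for_truncated_tcp(void)
{
	uint8_t buf[64];
	size_t n = build_ipv4_tcp(buf, sizeof(buf), TCP_FLAG_ACK);

	return flow_offload_eligible(buf, n - 8);
}

static enum flow_verdict verdict_for_udp(void)
{
	uint8_t buf[64];
	size_t n = build_ipv4_tcp(buf, sizeof(buf), 0);

	buf[9] = PROTO_UDP;                     /* rewrite the protocol field */
	return flow_offload_eligible(buf, n);
}

int main(void)
{
	printf("ACK       -> %d (want %d)\n", verdict_for_tcp_flags(TCP_FLAG_ACK), FLOW_ELIGIBLE);
	printf("ACK|FIN   -> %d (want %d)\n", verdict_for_tcp_flags(TCP_FLAG_ACK | TCP_FLAG_FIN), FLOW_SKIP_FIN_RST);
	printf("RST       -> %d (want %d)\n", verdict_for_tcp_flags(TCP_FLAG_RST), FLOW_SKIP_FIN_RST);
	printf("truncated -> %d (want %d)\n", verdict_for_truncated_tcp(), FLOW_SKIP_TRUNCATED);
	printf("UDP       -> %d (want %d)\n", verdict_for_udp(), FLOW_ELIGIBLE);
	return 0;
}
```

The truncated case is the one the `!tcph` check in the patch covers: a packet whose transport header cannot be read must be treated as "do not offload", not as "not TCP".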
* Re: [PATCH 0/7] Netfilter fixes for net
From: David Miller @ 2019-08-15 21:02 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 14 Aug 2019 11:24:33 +0200
> This patchset contains Netfilter fixes for net:
>
> 1) Extend selftest to cover flowtable with ipsec, from Florian Westphal.
>
> 2) Fix interaction of ipsec with flowtable, also from Florian.
>
> 3) Use-after-free with bound set to rule that fails to load.
>
> 4) Adjust state and timeout for flows that expire.
>
> 5) Timeout update race with flows in teardown state.
>
> 6) Ensure conntrack id hash calculation uses invariants as input,
> from Dirk Morris.
>
> 7) Do not push flows into flowtable for TCP fin/rst packets.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
* [PATCH 0/7] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2020-10-22 17:29 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi Jakub,
The following patchset contains Netfilter fixes for net:
1) Update debugging in IPVS tcp protocol handler to make it easier
to understand, from longguang.yue.
2) Update TCP tracker to deal with keepalive packet after
re-registration, from Francesco Ruggeri.
3) Missing IP6SKB_FRAGMENTED from netfilter fragment reassembly,
from Georg Kohmann.
4) Fix bogus packet drop in ebtables nat extensions, from
Timothée Cocault.
5) Fix typo in flowtable documentation.
6) Reset skb timestamp in nft_fwd_netdev.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit df6afe2f7c19349de2ee560dc62ea4d9ad3ff889:
nexthop: Fix performance regression in nexthop deletion (2020-10-19 20:07:15 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to c77761c8a59405cb7aa44188b30fffe13fbdd02d:
netfilter: nf_fwd_netdev: clear timestamp in forwarding path (2020-10-22 14:49:36 +0200)
----------------------------------------------------------------
Francesco Ruggeri (1):
netfilter: conntrack: connection timeout after re-register
Georg Kohmann (1):
netfilter: Drop fragmented ndisc packets assembled in netfilter
Jeremy Sowden (1):
docs: nf_flowtable: fix typo.
Pablo Neira Ayuso (1):
netfilter: nf_fwd_netdev: clear timestamp in forwarding path
Saeed Mirzamohammadi (1):
netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create
Timothée COCAULT (1):
netfilter: ebtables: Fixes dropping of small packets in bridge nat
longguang.yue (1):
ipvs: adjust the debug info in function set_tcp_state
Documentation/networking/nf_flowtable.rst | 2 +-
include/net/netfilter/nf_tables.h | 6 ++++++
net/bridge/netfilter/ebt_dnat.c | 2 +-
net/bridge/netfilter/ebt_redirect.c | 2 +-
net/bridge/netfilter/ebt_snat.c | 2 +-
net/ipv6/netfilter/nf_conntrack_reasm.c | 1 +
net/netfilter/ipvs/ip_vs_proto_tcp.c | 10 ++++++----
net/netfilter/nf_conntrack_proto_tcp.c | 19 +++++++++++++------
net/netfilter/nf_dup_netdev.c | 1 +
net/netfilter/nf_tables_api.c | 6 +++---
net/netfilter/nf_tables_offload.c | 4 ++--
net/netfilter/nft_fwd_netdev.c | 1 +
12 files changed, 37 insertions(+), 19 deletions(-)
* Re: [PATCH 0/7] Netfilter fixes for net
From: Jakub Kicinski @ 2020-10-22 19:16 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev
On Thu, 22 Oct 2020 19:29:18 +0200 Pablo Neira Ayuso wrote:
> Hi Jakub,
>
> The following patchset contains Netfilter fixes for net:
>
> 1) Update debugging in IPVS tcp protocol handler to make it easier
> to understand, from longguang.yue.
>
> 2) Update TCP tracker to deal with keepalive packet after
> re-registration, from Francesco Ruggeri.
>
> 3) Missing IP6SKB_FRAGMENTED from netfilter fragment reassembly,
> from Georg Kohmann.
>
> 4) Fix bogus packet drop in ebtables nat extensions, from
> Timothée Cocault.
>
> 5) Fix typo in flowtable documentation.
>
> 6) Reset skb timestamp in nft_fwd_netdev.
Pulled, please remember about that [PATCH net] tag if you can, thanks!
* [PATCH 0/7] Netfilter fixes for net
@ 2020-06-25 18:26 Pablo Neira Ayuso
2020-06-25 19:59 ` David Miller
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-25 18:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net, they are:
1) Unaligned atomic access in ipset, from Russell King.
2) Missing module description, from Rob Gill.
3) Patches to fix a module unload causing NULL pointer dereference in
xtables, from David Wilder. For the record, I am posting here his cover
letter explaining the problem:
A crash happened on ppc64le when running ltp network tests triggered by
"rmmod iptable_mangle".
See previous discussion in this thread:
https://lists.openwall.net/netdev/2020/06/03/161 .
In the crash I found in iptable_mangle_hook() that
state->net->ipv4.iptable_mangle=NULL causing a NULL pointer dereference.
net->ipv4.iptable_mangle is set to NULL in iptable_mangle_net_exit() and
called when the ip_mangle module is unloaded. A rmmod task was found running
in the crash dump. A 2nd crash showed the same problem when running
"rmmod iptable_filter" (net->ipv4.iptable_filter=NULL).
To fix this I added .pre_exit hook in all iptable_foo.c. The pre_exit will
un-register the underlying hook and exit would do the table freeing. The
netns core does an unconditional synchronize_rcu after the pre_exit hooks
ensuring no packets are in flight that have picked up the pointer before
completing the un-register.
These patches include changes for both iptables and ip6tables.
We tested this fix with ltp running iptables01.sh and iptables01.sh -6 in a
loop for 72 hours.
4) Add a selftest for conntrack helper assignment, from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 67c20de35a3cc2e2cd940f95ebd85ed0a765315a:
net: Add MODULE_DESCRIPTION entries to network modules (2020-06-20 21:33:57 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 619ae8e0697a6fb85b99b19137590c7c337c579e:
selftests: netfilter: add test case for conntrack helper assignment (2020-06-25 00:50:31 +0200)
----------------------------------------------------------------
David Wilder (4):
netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers.
netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c.
netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers.
netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c.
Florian Westphal (1):
selftests: netfilter: add test case for conntrack helper assignment
Rob Gill (1):
netfilter: Add MODULE_DESCRIPTION entries to kernel modules
Russell King (1):
netfilter: ipset: fix unaligned atomic access
include/linux/netfilter_ipv4/ip_tables.h | 6 +
include/linux/netfilter_ipv6/ip6_tables.h | 3 +
net/bridge/netfilter/nft_meta_bridge.c | 1 +
net/bridge/netfilter/nft_reject_bridge.c | 1 +
net/ipv4/netfilter/ip_tables.c | 15 +-
net/ipv4/netfilter/ipt_SYNPROXY.c | 1 +
net/ipv4/netfilter/iptable_filter.c | 10 +-
net/ipv4/netfilter/iptable_mangle.c | 10 +-
net/ipv4/netfilter/iptable_nat.c | 10 +-
net/ipv4/netfilter/iptable_raw.c | 10 +-
net/ipv4/netfilter/iptable_security.c | 11 +-
net/ipv4/netfilter/nf_flow_table_ipv4.c | 1 +
net/ipv4/netfilter/nft_dup_ipv4.c | 1 +
net/ipv4/netfilter/nft_fib_ipv4.c | 1 +
net/ipv4/netfilter/nft_reject_ipv4.c | 1 +
net/ipv6/netfilter/ip6_tables.c | 15 +-
net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
net/ipv6/netfilter/ip6table_filter.c | 10 +-
net/ipv6/netfilter/ip6table_mangle.c | 10 +-
net/ipv6/netfilter/ip6table_nat.c | 10 +-
net/ipv6/netfilter/ip6table_raw.c | 10 +-
net/ipv6/netfilter/ip6table_security.c | 10 +-
net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 +
net/ipv6/netfilter/nft_dup_ipv6.c | 1 +
net/ipv6/netfilter/nft_fib_ipv6.c | 1 +
net/ipv6/netfilter/nft_reject_ipv6.c | 1 +
net/netfilter/ipset/ip_set_core.c | 2 +
net/netfilter/nf_dup_netdev.c | 1 +
net/netfilter/nf_flow_table_core.c | 1 +
net/netfilter/nf_flow_table_inet.c | 1 +
net/netfilter/nf_synproxy_core.c | 1 +
net/netfilter/nfnetlink.c | 1 +
net/netfilter/nft_compat.c | 1 +
net/netfilter/nft_connlimit.c | 1 +
net/netfilter/nft_counter.c | 1 +
net/netfilter/nft_ct.c | 1 +
net/netfilter/nft_dup_netdev.c | 1 +
net/netfilter/nft_fib_inet.c | 1 +
net/netfilter/nft_fib_netdev.c | 1 +
net/netfilter/nft_flow_offload.c | 1 +
net/netfilter/nft_hash.c | 1 +
net/netfilter/nft_limit.c | 1 +
net/netfilter/nft_log.c | 1 +
net/netfilter/nft_masq.c | 1 +
net/netfilter/nft_nat.c | 1 +
net/netfilter/nft_numgen.c | 1 +
net/netfilter/nft_objref.c | 1 +
net/netfilter/nft_osf.c | 1 +
net/netfilter/nft_queue.c | 1 +
net/netfilter/nft_quota.c | 1 +
net/netfilter/nft_redir.c | 1 +
net/netfilter/nft_reject.c | 1 +
net/netfilter/nft_reject_inet.c | 1 +
net/netfilter/nft_synproxy.c | 1 +
net/netfilter/nft_tunnel.c | 1 +
net/netfilter/xt_nat.c | 1 +
tools/testing/selftests/netfilter/Makefile | 2 +-
.../selftests/netfilter/nft_conntrack_helper.sh | 175 +++++++++++++++++++++
58 files changed, 344 insertions(+), 16 deletions(-)
create mode 100755 tools/testing/selftests/netfilter/nft_conntrack_helper.sh
* [PATCH 0/7] Netfilter fixes for net
@ 2020-04-07 22:29 Pablo Neira Ayuso
2020-04-08 1:08 ` David Miller
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2020-04-07 22:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for net, they are:
1) Fix spurious overlap condition in the rbtree tree, from Stefano Brivio.
2) Fix possible uninitialized pointer dereference in nft_lookup.
3) IDLETIMER v1 target matches the Android layout, from
Maciej Zenczykowski.
4) Dangling pointer in nf_tables_set_alloc_name, from Eric Dumazet.
5) Fix RCU warning splat in ipset find_set_type(), from Amol Grover.
6) Report EOPNOTSUPP on unsupported set flags and object types in sets.
7) Add NFT_SET_CONCAT flag to provide consistent error reporting
when users define sets with ranges in concatenations in old kernels.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 0452800f6db4ed0a42ffb15867c0acfd68829f6a:
net: dsa: mt7530: fix null pointer dereferencing in port5 setup (2020-04-03 16:10:32 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to ef516e8625ddea90b3a0313f3a0b0baa83db7ac2:
netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag (2020-04-07 18:23:04 +0200)
----------------------------------------------------------------
Amol Grover (1):
netfilter: ipset: Pass lockdep expression to RCU lists
Eric Dumazet (1):
netfilter: nf_tables: do not leave dangling pointer in nf_tables_set_alloc_name
Maciej Żenczykowski (1):
netfilter: xt_IDLETIMER: target v1 - match Android layout
Pablo Neira Ayuso (3):
netfilter: nf_tables: do not update stateful expressions if lookup is inverted
netfilter: nf_tables: report EOPNOTSUPP on unsupported flags/object type
netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag
Stefano Brivio (1):
netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
include/net/netfilter/nf_tables.h | 2 +-
include/uapi/linux/netfilter/nf_tables.h | 2 ++
include/uapi/linux/netfilter/xt_IDLETIMER.h | 1 +
net/netfilter/ipset/ip_set_core.c | 3 ++-
net/netfilter/nf_tables_api.c | 7 ++++---
net/netfilter/nft_lookup.c | 12 +++++++-----
net/netfilter/nft_set_bitmap.c | 1 -
net/netfilter/nft_set_rbtree.c | 23 +++++++++++------------
net/netfilter/xt_IDLETIMER.c | 3 +++
9 files changed, 31 insertions(+), 23 deletions(-)
* Re: [PATCH 0/7] Netfilter fixes for net
2020-04-07 22:29 Pablo Neira Ayuso
@ 2020-04-08 1:08 ` David Miller
0 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2020-04-08 1:08 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 8 Apr 2020 00:29:29 +0200
> The following patchset contains Netfilter fixes for net, they are:
>
> 1) Fix spurious overlap condition in the rbtree tree, from Stefano Brivio.
>
> 2) Fix possible uninitialized pointer dereference in nft_lookup.
>
> 3) IDLETIMER v1 target matches the Android layout, from
> Maciej Zenczykowski.
>
> 4) Dangling pointer in nf_tables_set_alloc_name, from Eric Dumazet.
>
> 5) Fix RCU warning splat in ipset find_set_type(), from Amol Grover.
>
> 6) Report EOPNOTSUPP on unsupported set flags and object types in sets.
>
> 7) Add NFT_SET_CONCAT flag to provide consistent error reporting
> when users define sets with ranges in concatenations in old kernels.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
* [PATCH 0/7] Netfilter fixes for net
@ 2020-03-24 22:32 Pablo Neira Ayuso
2020-03-25 0:31 ` David Miller
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-24 22:32 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) A new selftest for nf_queue, from Florian Westphal. This test
covers two recent fixes: 07f8e4d0fddb ("tcp: also NULL skb->dev
when copy was needed") and b738a185beaa ("tcp: ensure skb->dev is
NULL before leaving TCP stack").
2) The fwd action breaks with ifb. For safety in next extensions,
make sure the fwd action only runs from ingress until it is extended
to be used from a different hook.
3) The pipapo set type now reports EEXIST in case of subrange overlaps.
Update the rbtree set to validate range overlaps, so far this
validation was only done from userspace. From Stefano Brivio.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 749f6f6843115b424680f1aada3c0dd613ad807c:
net: phy: dp83867: w/a for fld detect threshold bootstrapping issue (2020-03-21 20:09:57 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to a64d558d8cf98424cc5eb9ae6631782cd8bf789c:
selftests: netfilter: add nfqueue test case (2020-03-24 20:00:12 +0100)
----------------------------------------------------------------
Florian Westphal (1):
selftests: netfilter: add nfqueue test case
Pablo Neira Ayuso (3):
netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
netfilter: nft_fwd_netdev: validate family and chain type
netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress
Stefano Brivio (3):
netfilter: nft_set_pipapo: Separate partial and complete overlap cases on insertion
netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
netfilter: nft_set_rbtree: Detect partial overlaps on insertion
net/netfilter/nf_tables_api.c | 5 +
net/netfilter/nft_fwd_netdev.c | 13 +
net/netfilter/nft_set_pipapo.c | 34 ++-
net/netfilter/nft_set_rbtree.c | 87 +++++-
tools/testing/selftests/netfilter/Makefile | 6 +-
tools/testing/selftests/netfilter/config | 6 +
tools/testing/selftests/netfilter/nf-queue.c | 352 +++++++++++++++++++++++++
tools/testing/selftests/netfilter/nft_queue.sh | 332 +++++++++++++++++++++++
8 files changed, 818 insertions(+), 17 deletions(-)
create mode 100644 tools/testing/selftests/netfilter/nf-queue.c
create mode 100755 tools/testing/selftests/netfilter/nft_queue.sh
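Item 3 of the cover letter above concerns a set back-end refusing an insert whose range partially overlaps an element already in the set, as opposed to an insert that repeats an existing element exactly. The following is an added, self-contained example, not code from the kernel or from the patches listed here: a toy sorted-array range set (names range_set, range_set_insert, range_set_lookup and range_set_demo are all hypothetical) that distinguishes the two cases on insertion. The error mapping it uses, -EEXIST for an identical element and -ENOTEMPTY for a partial overlap, is an assumption chosen to mirror the "partial and complete overlap cases" wording of the patch titles, not a statement about what nft_set_rbtree or nft_set_pipapo return. Because stored elements are kept disjoint and sorted by start, only the predecessor and the immediate successor of the new range need to be checked, which is what makes the check O(log n).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy set of closed integer ranges [start, end], kept sorted by
 * start and pairwise disjoint after every successful insert. Hypothetical
 * names; this is not the kernel's nft_set_rbtree or nft_set_pipapo code. */
#define RANGE_SET_MAX 64

struct range {
    unsigned int start;
    unsigned int end;
};

struct range_set {
    struct range elems[RANGE_SET_MAX];
    size_t count;
};

/* Index of the first stored element whose start is greater than @start
 * (binary search over the sorted array). */
static size_t range_set_upper_bound(const struct range_set *set, unsigned int start)
{
    size_t lo = 0, hi = set->count;

    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (set->elems[mid].start <= start)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo;
}

/* Insert [start, end]. Returns 0 on success, -EEXIST when an identical
 * element is already present, -ENOTEMPTY when the new range partially
 * overlaps an existing one (assumed mapping), -EINVAL for a malformed range
 * and -ENOSPC when the toy array is full. */
int range_set_insert(struct range_set *set, unsigned int start, unsigned int end)
{
    if (start > end)
        return -EINVAL;

    size_t pos = range_set_upper_bound(set, start);

    /* Predecessor: the element with the largest start <= @start. Stored
     * elements are disjoint and sorted, so it is the only one that can
     * begin at or before the new range. */
    if (pos > 0) {
        const struct range *prev = &set->elems[pos - 1];
        if (prev->start == start && prev->end == end)
            return -EEXIST;
        if (prev->end >= start)
            return -ENOTEMPTY;
    }
    /* Successor: the element with the smallest start > @start. Every later
     * element starts further right, so if this one is clear, all are. */
    if (pos < set->count && set->elems[pos].start <= end)
        return -ENOTEMPTY;

    if (set->count >= RANGE_SET_MAX)
        return -ENOSPC;

    memmove(&set->elems[pos + 1], &set->elems[pos],
            (set->count - pos) * sizeof(set->elems[0]));
    set->elems[pos].start = start;
    set->elems[pos].end = end;
    set->count++;
    return 0;
}

/* Index of the element containing @value, or -1 if no element does. */
int range_set_lookup(const struct range_set *set, unsigned int value)
{
    size_t pos = range_set_upper_bound(set, value);

    if (pos > 0 && set->elems[pos - 1].end >= value)
        return (int)(pos - 1);
    return -1;
}

/* Constructed scenario: returns the number of stored elements when every
 * insert and lookup below behaves as expected, else -1. */
int range_set_demo(void)
{
    struct range_set set = { .count = 0 };
    const struct { unsigned int start, end; int expect; } steps[] = {
        { 10, 20, 0 },          /* first element */
        { 30, 40, 0 },          /* disjoint, to the right */
        { 10, 20, -EEXIST },    /* identical element */
        { 15, 25, -ENOTEMPTY }, /* straddles the end of [10,20] */
        { 5, 12, -ENOTEMPTY },  /* straddles the start of [10,20] */
        { 12, 18, -ENOTEMPTY }, /* fully inside [10,20] */
        { 0, 100, -ENOTEMPTY }, /* covers every existing element */
        { 21, 29, 0 },          /* fills the gap without touching */
        { 50, 45, -EINVAL },    /* malformed range */
    };

    for (size_t i = 0; i < sizeof(steps) / sizeof(steps[0]); i++)
        if (range_set_insert(&set, steps[i].start, steps[i].end) != steps[i].expect)
            return -1;
    /* Final contents: [10,20], [21,29], [30,40]. */
    if (range_set_lookup(&set, 15) != 0 || range_set_lookup(&set, 29) != 1 ||
        range_set_lookup(&set, 41) != -1 || range_set_lookup(&set, 5) != -1)
        return -1;
    return (int)set.count;
}

int main(void)
{
    printf("range_set_demo: %d elements stored\n", range_set_demo());
    return 0;
}
```

The -ENOTEMPTY versus -EEXIST split is what lets a caller treat "element already there" as idempotent while still rejecting a new range that would silently shadow part of an existing one, which is the ambiguity the cover letter's item 3 is about.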
* Re: [PATCH 0/7] Netfilter fixes for net
2020-03-24 22:32 Pablo Neira Ayuso
@ 2020-03-25 0:31 ` David Miller
0 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2020-03-25 0:31 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 24 Mar 2020 23:32:13 +0100
> The following patchset contains Netfilter fixes for net:
>
> 1) A new selftest for nf_queue, from Florian Westphal. This test
> covers two recent fixes: 07f8e4d0fddb ("tcp: also NULL skb->dev
> when copy was needed") and b738a185beaa ("tcp: ensure skb->dev is
> NULL before leaving TCP stack").
>
> 2) The fwd action breaks with ifb. For safety in next extensions,
> make sure the fwd action only runs from ingress until it is extended
> to be used from a different hook.
>
> 3) The pipapo set type now reports EEXIST in case of subrange overlaps.
> Update the rbtree set to validate range overlaps, so far this
> validation was only done from userspace. From Stefano Brivio.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/7] Netfilter fixes for net
@ 2020-01-25 17:34 Pablo Neira Ayuso
2020-01-25 20:40 ` David Miller
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2020-01-25 17:34 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Missing netlink attribute sanity check for NFTA_OSF_DREG,
from Florian Westphal.
2) Use bitmap infrastructure in ipset to fix KASAN slab-out-of-bounds
reads, from Jozsef Kadlecsik.
3) Missing initial CLOSED state in new sctp connection through
ctnetlink events, from Jiri Wiesner.
4) Missing check for NFT_CHAIN_HW_OFFLOAD in nf_tables offload
indirect block infrastructure, from wenxu.
5) Add __nft_chain_type_get() to sanity check family and chain type.
6) Autoload modules from the nf_tables abort path to fix races
reported by syzbot.
7) Remove unnecessary skb->csum update on inet_proto_csum_replace16(),
from Praveen Chaudhary.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit e02d9c4c68dc0ca08ded9487720bba775c09669b:
Merge branch 'bnxt_en-fixes' (2020-01-18 14:38:30 +0100)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 189c9b1e94539b11c80636bc13e9cf47529e7bba:
net: Fix skb->csum update in inet_proto_csum_replace16(). (2020-01-24 20:54:30 +0100)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nft_osf: add missing check for DREG attribute
Jiri Wiesner (1):
netfilter: conntrack: sctp: use distinct states for new SCTP connections
Kadlecsik József (1):
netfilter: ipset: use bitmap infrastructure completely
Pablo Neira Ayuso (2):
netfilter: nf_tables: add __nft_chain_type_get()
netfilter: nf_tables: autoload modules from the abort path
Praveen Chaudhary (1):
net: Fix skb->csum update in inet_proto_csum_replace16().
wenxu (1):
netfilter: nf_tables_offload: fix check the chain offload flag
include/linux/netfilter/ipset/ip_set.h | 7 --
include/linux/netfilter/nfnetlink.h | 2 +-
include/net/netns/nftables.h | 1 +
net/core/utils.c | 20 +++-
net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
net/netfilter/ipset/ip_set_bitmap_ip.c | 6 +-
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +-
net/netfilter/ipset/ip_set_bitmap_port.c | 6 +-
net/netfilter/nf_conntrack_proto_sctp.c | 6 +-
net/netfilter/nf_tables_api.c | 155 +++++++++++++++++++++---------
net/netfilter/nf_tables_offload.c | 2 +-
net/netfilter/nfnetlink.c | 6 +-
net/netfilter/nft_osf.c | 3 +
13 files changed, 146 insertions(+), 76 deletions(-)
* [PATCH 0/7] Netfilter fixes for net
@ 2019-01-14 21:29 Pablo Neira Ayuso
2019-01-15 21:32 ` David Miller
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2019-01-14 21:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
This is the first batch of Netfilter fixes for your net tree:
1) Fix endless loop in nf_tables rules netlink dump, from Phil Sutter.
2) Reference counter leak in object from the error path, from Taehee Yoo.
3) Selective rule dump requires table and chain.
4) Fix DNAT with nft_flow_offload reverse route lookup, from wenxu.
5) Use GFP_KERNEL_ACCOUNT in vmalloc allocation from ebtables, from
Shakeel Butt.
6) Set ifindex from route to fix interaction with VRF slave device,
also from wenxu.
7) Use nfct_help() to check for conntrack helper, IPS_HELPER status
flag is only set from explicit helpers via -j CT, from Henry Yen.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit a0071840d2040ea1b27e5a008182b09b88defc15:
lan743x: Remove phy_read from link status change function (2019-01-08 16:26:12 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 2314e879747e82896f51cce4488f6a00f3e1af7b:
netfilter: nft_flow_offload: fix checking method of conntrack helper (2019-01-14 12:50:59 +0100)
----------------------------------------------------------------
Henry Yen (1):
netfilter: nft_flow_offload: fix checking method of conntrack helper
Pablo Neira Ayuso (1):
netfilter: nf_tables: selective rule dump needs table to be specified
Phil Sutter (1):
netfilter: nf_tables: Fix for endless loop when dumping ruleset
Shakeel Butt (1):
netfilter: ebtables: account ebt_table_info to kmemcg
Taehee Yoo (1):
netfilter: nf_tables: fix leaking object reference count
wenxu (2):
netfilter: nft_flow_offload: Fix reverse route lookup
netfilter: nft_flow_offload: fix interaction with vrf slave device
include/net/netfilter/nf_flow_table.h | 1 -
net/bridge/netfilter/ebtables.c | 6 ++++--
net/netfilter/nf_flow_table_core.c | 5 +++--
net/netfilter/nf_tables_api.c | 14 +++++++-------
net/netfilter/nft_flow_offload.c | 13 ++++++++-----
5 files changed, 22 insertions(+), 17 deletions(-)
* Re: [PATCH 0/7] Netfilter fixes for net
2019-01-14 21:29 Pablo Neira Ayuso
@ 2019-01-15 21:32 ` David Miller
0 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-01-15 21:32 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 14 Jan 2019 22:29:33 +0100
> This is the first batch of Netfilter fixes for your net tree:
>
> 1) Fix endless loop in nf_tables rules netlink dump, from Phil Sutter.
>
> 2) Reference counter leak in object from the error path, from Taehee Yoo.
>
> 3) Selective rule dump requires table and chain.
>
> 4) Fix DNAT with nft_flow_offload reverse route lookup, from wenxu.
>
> 5) Use GFP_KERNEL_ACCOUNT in vmalloc allocation from ebtables, from
> Shakeel Butt.
>
> 6) Set ifindex from route to fix interaction with VRF slave device,
> also from wenxu.
>
> 7) Use nfct_help() to check for conntrack helper, IPS_HELPER status
> flag is only set from explicit helpers via -j CT, from Henry Yen.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/7] Netfilter fixes for net
@ 2016-08-30 11:26 Pablo Neira Ayuso
2016-08-31 5:02 ` David Miller
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-30 11:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Allow nf_tables reject expression from input, forward and output hooks,
since only there the routing information is available, otherwise we crash.
2) Fix unsafe list iteration when flushing timeout and accounting objects.
3) Fix refcount leak on timeout policy parsing failure.
4) Unlink timeout object for unconfirmed conntracks too.
5) Missing validation of pkttype mangling from bridge family.
6) Fix refcount leak on ebtables on second lookup for the specific
bridge match extension, this patch from Sabrina Dubroca.
7) Remove unnecessary ip_hdr() in nf_tables_netdev family.
Patches from 1-5 and 7 from Liping Zhang.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 51af96b53469f3b8cfcfe0504d0ff87239175b78:
mlxsw: router: Enable neighbors to be created on stacked devices (2016-08-24 09:39:04 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to c73c2484901139c28383b58eabcbf4d613e91518:
netfilter: nf_tables_netdev: remove redundant ip_hdr assignment (2016-08-30 11:41:04 +0200)
----------------------------------------------------------------
Liping Zhang (6):
netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT
netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects
netfilter: cttimeout: put back l4proto when replacing timeout policy
netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists
netfilter: nft_meta: improve the validity check of pkttype set expr
netfilter: nf_tables_netdev: remove redundant ip_hdr assignment
Sabrina Dubroca (1):
netfilter: ebtables: put module reference when an incorrect extension is found
include/net/netfilter/nft_meta.h | 4 +++
include/net/netfilter/nft_reject.h | 4 +++
net/bridge/netfilter/ebtables.c | 2 ++
net/bridge/netfilter/nft_meta_bridge.c | 1 +
net/ipv4/netfilter/nft_reject_ipv4.c | 1 +
net/ipv6/netfilter/nft_reject_ipv6.c | 1 +
net/netfilter/nf_tables_netdev.c | 1 -
net/netfilter/nfnetlink_acct.c | 6 ++---
net/netfilter/nfnetlink_cttimeout.c | 49 +++++++++++++++++++---------------
net/netfilter/nft_meta.c | 17 +++++++++---
net/netfilter/nft_reject.c | 16 +++++++++++
net/netfilter/nft_reject_inet.c | 7 ++++-
12 files changed, 79 insertions(+), 30 deletions(-)
* [PATCH 0/7] Netfilter fixes for net
@ 2016-06-17 18:25 Pablo Neira Ayuso
2016-06-18 2:50 ` David Miller
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2016-06-17 18:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are rather small patches but fixing several outstanding bugs in
nf_conntrack and nf_tables, as well as minor problems with missing
SYNPROXY header uapi installation:
1) Oneliner not to leak conntrack kmemcache on module removal, this
problem was introduced in the previous merge window, patch from
Florian Westphal.
2) Two fixes for insufficient ruleset loop validation, one due to
incorrect flag check in nf_tables_bind_set() and another related to
silly wrong generation mask logic from the walk path, from Liping
Zhang.
3) Fix double-free of anonymous sets on error, this fix simplifies the
code to let the abort path take care of releasing the set object,
also from Liping Zhang.
4) The introduction of helper function for transactions broke the skip
inactive rules logic from the nft_do_chain(), again from Liping
Zhang.
5) Two patches to install uapi xt_SYNPROXY.h header and calm down
kbuild robot due to missing #include <linux/types.h>.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 61e0979a497b07f5a82f3050e37ecc7093e2971d:
Merge branch 'ovs-notifications' (2016-06-14 22:21:45 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 1463847e93fe693e89c52b03ab4ede6800d717c1:
netfilter: xt_SYNPROXY: include missing <linux/types.h> (2016-06-17 13:47:40 +0200)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: conntrack: destroy kmemcache on module removal
Liping Zhang (3):
netfilter: nf_tables: fix wrong check of NFT_SET_MAP in nf_tables_bind_set
netfilter: nf_tables: fix wrong destroy anonymous sets if binding fails
netfilter: nf_tables: fix a wrong check to skip the inactive rules
Pablo Neira Ayuso (3):
netfilter: nf_tables: reject loops from set element jump to chain
netfilter: xt_SYNPROXY: add missing header to Kbuild
netfilter: xt_SYNPROXY: include missing <linux/types.h>
include/net/netfilter/nf_tables.h | 1 +
include/uapi/linux/netfilter/Kbuild | 1 +
include/uapi/linux/netfilter/xt_SYNPROXY.h | 2 ++
net/netfilter/nf_conntrack_core.c | 2 ++
net/netfilter/nf_tables_api.c | 24 +++++++++++-------------
net/netfilter/nf_tables_core.c | 2 +-
net/netfilter/nft_hash.c | 3 +--
net/netfilter/nft_rbtree.c | 3 +--
8 files changed, 20 insertions(+), 18 deletions(-)
* Re: [PATCH 0/7] Netfilter fixes for net
2016-06-17 18:25 Pablo Neira Ayuso
@ 2016-06-18 2:50 ` David Miller
0 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2016-06-18 2:50 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 17 Jun 2016 20:25:12 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are rather small patches but fixing several outstanding bugs in
> nf_conntrack and nf_tables, as well as minor problems with missing
> SYNPROXY header uapi installation:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/7] Netfilter fixes for net
@ 2016-06-01 12:03 Pablo Neira Ayuso
2016-06-02 0:54 ` David Miller
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2016-06-01 12:03 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix incorrect timestamp in nfnetlink_queue introduced when addressing
y2038 safe timestamp, from Florian Westphal.
2) Get rid of leftover conntrack definition from the previous merge
window, oneliner from Florian.
3) Make nf_queue handler pernet to resolve race on dereferencing the
hook state structure with netns removal, from Eric Biederman.
4) Ensure clean exit on unregistered helper ports, from Taehee Yoo.
5) Restore FLOWI_FLAG_KNOWN_NH in nf_dup_ipv6. This got lost while
generalizing xt_TEE to add packet duplication support in nf_tables,
from Paolo Abeni.
6) Insufficient netlink NFTA_SET_TABLE attribute check in
nf_tables_getset(), from Phil Turnbull.
7) Reject helper registration on duplicated ports via modparams.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 1b7cc307a88377b0c948f9cbc36d026b272fe6e3:
Merge branch 'bnxt_en-fixes' (2016-05-11 23:46:09 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 893e093c786c4256d52809eed697e9d70a6f6643:
netfilter: nf_ct_helper: bail out on duplicated helpers (2016-05-31 11:57:18 +0200)
----------------------------------------------------------------
Eric W. Biederman (1):
netfilter: nf_queue: Make the queue_handler pernet
Florian Westphal (2):
netfilter: nfnetlink_queue: fix timestamp attribute
netfilter: conntrack: remove leftover binary sysctl define
Pablo Neira Ayuso (1):
netfilter: nf_ct_helper: bail out on duplicated helpers
Paolo Abeni (1):
netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags
Phil Turnbull (1):
netfilter: nf_tables: validate NFTA_SET_TABLE parameter
Taehee Yoo (1):
netfilter: nf_ct_helper: Fix helper unregister count.
include/net/netfilter/nf_queue.h | 4 ++--
include/net/netns/netfilter.h | 2 ++
net/ipv6/netfilter/nf_dup_ipv6.c | 1 +
net/netfilter/nf_conntrack_ftp.c | 1 +
net/netfilter/nf_conntrack_helper.c | 9 ++++-----
net/netfilter/nf_conntrack_irc.c | 1 +
net/netfilter/nf_conntrack_sane.c | 1 +
net/netfilter/nf_conntrack_sip.c | 1 +
net/netfilter/nf_conntrack_standalone.c | 2 --
net/netfilter/nf_conntrack_tftp.c | 1 +
net/netfilter/nf_queue.c | 17 ++++++++---------
net/netfilter/nf_tables_api.c | 2 ++
net/netfilter/nfnetlink_queue.c | 20 +++++++++++++-------
13 files changed, 37 insertions(+), 25 deletions(-)
* [PATCH 0/7] Netfilter fixes for net
@ 2015-07-08 9:48 Pablo Neira Ayuso
2015-07-09 7:03 ` David Miller
0 siblings, 1 reply; 36+ messages in thread
From: Pablo Neira Ayuso @ 2015-07-08 9:48 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree. This batch
mostly comes with patches to address fallout from the previous merge window
cycle, they are:
1) Use entry->state.hook_list from nf_queue() instead of the global nf_hooks
which is not valid when used from NFPROTO_NETDEV, this should cause no
problems though since we have no userspace queueing for that family, but
let's fix this now for the sake of correctness. Patch from Eric W. Biederman.
2) Fix compilation breakage in bridge netfilter if CONFIG_NF_DEFRAG_IPV4 is not
set, from Bernhard Thaler.
3) Use percpu jumpstack in arptables too, now that there's a single copy of the
rule blob we can't store the return address there anymore. Patch from
Florian Westphal.
4) Fix a skb leak in the xmit path of bridge netfilter, problem there since
2.6.37 although it should not be possible to hit invalid traffic there, also
from Florian.
5) Eric Leblond reports that when loading a large ruleset with many missing
modules after a fresh boot, nf_tables can take a long time to commit it. Fix this
by processing the full batch until the end, even on missing modules, then
abort only once and restart processing.
6) Add bridge netfilter files to the MAINTAINER files.
7) Fix a net_device refcount leak in the new IPV6 bridge netfilter code, from
Julien Grall.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 4da3064d1775810f10f7ddc1c34c3f1ff502a654:
Merge tag 'devicetree-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/glikely/linux (2015-07-01 19:40:18 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 86e8971800381c3a8d8d9327f83b1f97ccb04a4f:
netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6 (2015-07-08 11:02:16 +0200)
----------------------------------------------------------------
Bernhard Thaler (1):
netfilter: bridge: fix CONFIG_NF_DEFRAG_IPV4/6 related warnings/errors
Eric W. Biederman (1):
netfilter: nf_queue: Don't recompute the hook_list head
Florian Westphal (2):
netfilter: arptables: use percpu jumpstack
netfilter: bridge: don't leak skb in error paths
Julien Grall (1):
netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6
Pablo Neira Ayuso (2):
netfilter: nfnetlink: keep going batch handling on missing modules
MAINTAINER: add bridge netfilter
MAINTAINERS | 1 +
net/bridge/br_netfilter_hooks.c | 16 +++++++++++-----
net/bridge/br_netfilter_ipv6.c | 2 +-
net/ipv4/netfilter/arp_tables.c | 25 ++++++++++++++++---------
net/netfilter/nf_queue.c | 2 +-
net/netfilter/nfnetlink.c | 38 +++++++++++++++++++++++++-------------
6 files changed, 55 insertions(+), 29 deletions(-)
* [PATCH 0/7] netfilter fixes for net
@ 2014-10-20 8:10 Pablo Neira Ayuso
2014-10-20 15:58 ` David Miller
From: Pablo Neira Ayuso @ 2014-10-20 8:10 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains netfilter fixes for your net tree,
they are:
1) Fix missing MODULE_LICENSE() in the new nf_reject_ipv{4,6} modules.
2) Restrict nat and masq expressions to the nat chain type. Otherwise,
users may crash their kernel if they attach a nat/masq rule to a non
nat chain.
3) Fix hook validation in nft_compat when non-base chains are used.
Basically, initialize hook_mask to zero.
4) Make sure you use match/targets in nft_compat from the right chain
type. The existing validation relies on the table name which can be
avoided by
5) Better netlink attribute validation in nft_nat. This expression has
to reject the configuration when no address and proto configurations
are specified.
6) Interpret NFTA_NAT_REG_*_MAX only if NFTA_NAT_REG_*_MIN is set.
Yet another sanity check to reject incorrect configurations from
userspace.
7) Conditional NAT attribute dumping depending on the existing
configuration.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 01d2d484e49e9bc0ed9b5fdaf345a0e2bf35ffed:
Merge branch 'bcmgenet_systemport' (2014-10-10 15:39:22 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 1e2d56a5d33a7e1fcd21ed3859f52596d02708b0:
netfilter: nft_nat: dump attributes if they are set (2014-10-18 14:16:13 +0200)
----------------------------------------------------------------
Pablo Neira Ayuso (7):
netfilter: missing module license in the nf_reject_ipvX modules
netfilter: nf_tables: restrict nat/masq expressions to nat chain type
netfilter: nft_compat: fix hook validation for non-base chains
netfilter: nft_compat: validate chain type in match/target
netfilter: nft_nat: insufficient attribute validation
netfilter: nft_nat: NFTA_NAT_REG_ADDR_MAX depends on NFTA_NAT_REG_ADDR_MIN
netfilter: nft_nat: dump attributes if they are set
include/net/netfilter/nf_tables.h | 3 ++
include/net/netfilter/nft_masq.h | 3 ++
net/ipv4/netfilter/nf_reject_ipv4.c | 3 ++
net/ipv4/netfilter/nft_masq_ipv4.c | 1 +
net/ipv6/netfilter/nf_reject_ipv6.c | 4 ++
net/ipv6/netfilter/nft_masq_ipv6.c | 1 +
net/netfilter/nf_tables_api.c | 14 ++++++
net/netfilter/nft_compat.c | 79 ++++++++++++++++++++++++++++----
net/netfilter/nft_masq.c | 12 +++++
net/netfilter/nft_nat.c | 86 ++++++++++++++++++++++-------------
10 files changed, 165 insertions(+), 41 deletions(-)
* [PATCH 0/7] netfilter fixes for net
@ 2013-11-21 9:05 Pablo Neira Ayuso
2013-11-21 17:45 ` David Miller
From: Pablo Neira Ayuso @ 2013-11-21 9:05 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi David!
The following patchset contains fixes for your net tree, they are:
* Remove extra quote from connlimit configuration in Kconfig, from
Randy Dunlap.
* Fix missing mss option in syn packets sent to the backend in our
new synproxy target, from Martin Topholm.
* Use window scale announced by client when sending the forged
syn to the backend, from Martin Topholm.
* Fix IPv6 address comparison in ebtables, from Luís Fernando
Cornachioni Estrozi.
* Fix wrong endianness in sequence adjustment which breaks helpers
in NAT configurations, from Phil Oester.
* Fix the error path handling of nft_compat, from me.
* Make sure the global conntrack counter is decremented after the
object has been released, also from me.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Thanks!
----------------------------------------------------------------
The following changes since commit 42a2d923cc349583ebf6fdd52a7d35e1c2f7e6bd:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next (2013-11-13 17:40:34 +0900)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to acab78b99633f12aa2b697474562e19c5718a1ca:
netfilter: ebt_ip6: fix source and destination matching (2013-11-19 15:33:29 +0100)
----------------------------------------------------------------
Luís Fernando Cornachioni Estrozi (1):
netfilter: ebt_ip6: fix source and destination matching
Martin Topholm (2):
netfilter: synproxy: send mss option to backend
netfilter: synproxy: correct wscale option passing
Pablo Neira Ayuso (2):
netfilter: nft_compat: fix error path in nft_parse_compat()
netfilter: nf_conntrack: decrement global counter after object release
Phil Oester (1):
netfilter: fix wrong byte order in nf_ct_seqadj_set internal information
Randy Dunlap (1):
netfilter: fix connlimit Kconfig prompt string
net/bridge/netfilter/ebt_ip6.c | 8 +++++---
net/ipv4/netfilter/ipt_SYNPROXY.c | 1 +
net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
net/netfilter/Kconfig | 2 +-
net/netfilter/nf_conntrack_core.c | 3 ++-
net/netfilter/nf_conntrack_seqadj.c | 4 ++--
net/netfilter/nf_synproxy_core.c | 7 ++++---
net/netfilter/nft_compat.c | 19 +++++++++++++------
8 files changed, 29 insertions(+), 16 deletions(-)
* Re: [PATCH 0/7] netfilter fixes for net
2013-11-21 9:05 Pablo Neira Ayuso
@ 2013-11-21 17:45 ` David Miller
From: David Miller @ 2013-11-21 17:45 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 21 Nov 2013 10:05:21 +0100
> The following patchset contains fixes for your net tree, they are:
>
> * Remove extra quote from connlimit configuration in Kconfig, from
> Randy Dunlap.
>
> * Fix missing mss option in syn packets sent to the backend in our
> new synproxy target, from Martin Topholm.
>
> * Use window scale announced by client when sending the forged
> syn to the backend, from Martin Topholm.
>
> * Fix IPv6 address comparison in ebtables, from Luís Fernando
> Cornachioni Estrozi.
>
> * Fix wrong endianness in sequence adjustment which breaks helpers
> in NAT configurations, from Phil Oester.
>
> * Fix the error path handling of nft_compat, from me.
>
> * Make sure the global conntrack counter is decremented after the
> object has been released, also from me.
Pulled, thanks a lot Pablo.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* [PATCH 0/7] netfilter fixes for net
@ 2013-09-17 22:21 Pablo Neira Ayuso
2013-09-18 0:23 ` David Miller
From: Pablo Neira Ayuso @ 2013-09-17 22:21 UTC
To: netfilter-devel; +Cc: davem, netdev
Resending pull request email, previous one was missing the pull request
information itself, sorry.
--
Hi David,
The following patchset contains Netfilter fixes for your net tree,
mostly targeted to ipset, they are:
* Fix ICMPv6 NAT due to wrong comparison, code instead of type, from
Phil Oester.
* Fix RCU race in conntrack extensions release path, from Michal Kubecek.
* Fix missing inversion in the userspace ipset test command match if
the nomatch option is specified, from Jozsef Kadlecsik.
* Skip layer 4 protocol matching in ipset in case of IPv6 fragments,
also from Jozsef Kadlecsik.
* Fix sequence adjustment in nfnetlink_queue due to using the netlink
skb instead of the network skb, from Gao feng.
* Make sure we cannot swap sets with different layer 3 family in
ipset, from Jozsef Kadlecsik.
* Fix possible bogus matching in ipset if hash sets with net elements
are used, from Oliver Smith.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Thanks!
----------------------------------------------------------------
The following changes since commit c19d65c95c6d472d69829fea7d473228493d5245:
bnx2x: Fix configuration of doorbell block (2013-09-09 17:06:14 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 0a0d80eb39aa465b7bdf6f7754d0ba687eb3d2a7:
netfilter: nfnetlink_queue: use network skb for sequence adjustment (2013-09-17 13:05:12 +0200)
----------------------------------------------------------------
Gao feng (1):
netfilter: nfnetlink_queue: use network skb for sequence adjustment
Jozsef Kadlecsik (3):
netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol
netfilter: ipset: Consistent userspace testing with nomatch flag
netfilter: ipset: Validate the set family and not the set type family at swapping
Michal Kubeček (1):
netfilter: nf_conntrack: use RCU safe kfree for conntrack extensions
Oliver Smith (1):
netfilter: ipset: Fix serious failure in CIDR tracking
Phil Oester (1):
netfilter: nf_nat_proto_icmpv6:: fix wrong comparison in icmpv6_manip_pkt
include/linux/netfilter/ipset/ip_set.h | 6 ++++--
include/net/netfilter/nf_conntrack_extend.h | 2 +-
net/ipv6/netfilter/nf_nat_proto_icmpv6.c | 4 ++--
net/netfilter/ipset/ip_set_core.c | 5 ++---
net/netfilter/ipset/ip_set_getport.c | 4 ++--
net/netfilter/ipset/ip_set_hash_gen.h | 28 +++++++++++++++------------
net/netfilter/ipset/ip_set_hash_ipportnet.c | 4 ++--
net/netfilter/ipset/ip_set_hash_net.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netiface.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netport.c | 4 ++--
net/netfilter/nfnetlink_queue_core.c | 2 +-
11 files changed, 36 insertions(+), 31 deletions(-)
* Re: [PATCH 0/7] netfilter fixes for net
2013-09-17 22:21 Pablo Neira Ayuso
@ 2013-09-18 0:23 ` David Miller
From: David Miller @ 2013-09-18 0:23 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 18 Sep 2013 00:21:59 +0200
> The following patchset contains Netfilter fixes for your net tree,
> mostly targeted to ipset, they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Looks good, pulled, thanks a lot.
* [PATCH 0/7] netfilter fixes for net
@ 2013-09-17 22:07 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
* Fix ICMPv6 NAT due to wrong comparison, code instead of type, from
Phil Oester.
* Fix RCU race in conntrack extensions release path, from Michal Kubecek.
* Fix missing inversion in the userspace ipset test command match if
the nomatch option is specified, from Jozsef Kadlecsik.
* Skip layer 4 protocol matching in ipset in case of IPv6 fragments,
also from Jozsef Kadlecsik.
* Fix sequence adjustment in nfnetlink_queue due to using the netlink
skb instead of the network skb, from Gao feng.
* Make sure we cannot swap sets with different layer 3 family in
ipset, from Jozsef Kadlecsik.
* Fix possible bogus matching in ipset if hash sets with net elements
are used, from Oliver Smith.
Gao feng (1):
netfilter: nfnetlink_queue: use network skb for sequence adjustment
Jozsef Kadlecsik (3):
netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol
netfilter: ipset: Consistent userspace testing with nomatch flag
netfilter: ipset: Validate the set family and not the set type family at swapping
Michal Kubeček (1):
netfilter: nf_conntrack: use RCU safe kfree for conntrack extensions
Oliver Smith (1):
netfilter: ipset: Fix serious failure in CIDR tracking
Phil Oester (1):
netfilter: nf_nat_proto_icmpv6:: fix wrong comparison in icmpv6_manip_pkt
include/linux/netfilter/ipset/ip_set.h | 6 ++++--
include/net/netfilter/nf_conntrack_extend.h | 2 +-
net/ipv6/netfilter/nf_nat_proto_icmpv6.c | 4 ++--
net/netfilter/ipset/ip_set_core.c | 5 ++---
net/netfilter/ipset/ip_set_getport.c | 4 ++--
net/netfilter/ipset/ip_set_hash_gen.h | 28 +++++++++++++++------------
net/netfilter/ipset/ip_set_hash_ipportnet.c | 4 ++--
net/netfilter/ipset/ip_set_hash_net.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netiface.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netport.c | 4 ++--
net/netfilter/nfnetlink_queue_core.c | 2 +-
11 files changed, 36 insertions(+), 31 deletions(-)
--
1.7.10.4