* [PATCH 1/5] netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded
2019-09-04 19:36 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
@ 2019-09-04 19:36 ` Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 2/5] netfilter: nft_socket: fix erroneous socket assignment Pablo Neira Ayuso
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-04 19:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Leonardo Bras <leonardo@linux.ibm.com>
A kernel panic can happen if a host has disabled IPv6 on boot and have to
process guest packets (coming from a bridge) using it's ip6tables.
IPv6 packets need to be dropped if the IPv6 module is not loaded, and the
host ip6tables will be used.
Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/bridge/br_netfilter_hooks.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index d3f9592f4ff8..af7800103e51 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -496,6 +496,10 @@ static unsigned int br_nf_pre_routing(void *priv,
if (!brnet->call_ip6tables &&
!br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
return NF_ACCEPT;
+ if (!ipv6_mod_enabled()) {
+ pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
+ return NF_DROP;
+ }
nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(priv, skb, state);
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/5] netfilter: nft_socket: fix erroneous socket assignment
2019-09-04 19:36 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 1/5] netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded Pablo Neira Ayuso
@ 2019-09-04 19:36 ` Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 3/5] netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled Pablo Neira Ayuso
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-04 19:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
The socket assignment is wrong, see skb_orphan():
When skb->destructor callback is not set, but skb->sk is set, this hits BUG().
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813
Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_socket.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index d7f3776dfd71..637ce3e8c575 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -47,9 +47,6 @@ static void nft_socket_eval(const struct nft_expr *expr,
return;
}
- /* So that subsequent socket matching not to require other lookups. */
- skb->sk = sk;
-
switch(priv->key) {
case NFT_SOCKET_TRANSPARENT:
nft_reg_store8(dest, inet_sk_transparent(sk));
@@ -66,6 +63,9 @@ static void nft_socket_eval(const struct nft_expr *expr,
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
}
+
+ if (sk != skb->sk)
+ sock_gen_put(sk);
}
static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/5] netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
2019-09-04 19:36 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 1/5] netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 2/5] netfilter: nft_socket: fix erroneous socket assignment Pablo Neira Ayuso
@ 2019-09-04 19:36 ` Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 4/5] netfilter: ctnetlink: honor IPS_OFFLOAD flag Pablo Neira Ayuso
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-04 19:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Leonardo Bras <leonardo@linux.ibm.com>
If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
dealing with a IPv6 packet, it causes a kernel panic in
fib6_node_lookup_1(), crashing in bad_page_fault.
The panic is caused by trying to deference a very low address (0x38
in ppc64le), due to ipv6.fib6_main_tbl = NULL.
BUG: Kernel NULL pointer dereference at 0x00000038
The kernel panic was reproduced in a host that disabled IPv6 on boot and
have to process guest packets (coming from a bridge) using it's ip6tables.
Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
is not loaded.
Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_fib_netdev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nft_fib_netdev.c b/net/netfilter/nft_fib_netdev.c
index 2cf3f32fe6d2..a2e726ae7f07 100644
--- a/net/netfilter/nft_fib_netdev.c
+++ b/net/netfilter/nft_fib_netdev.c
@@ -14,6 +14,7 @@
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
+#include <net/ipv6.h>
#include <net/netfilter/nft_fib.h>
@@ -34,6 +35,8 @@ static void nft_fib_netdev_eval(const struct nft_expr *expr,
}
break;
case ETH_P_IPV6:
+ if (!ipv6_mod_enabled())
+ break;
switch (priv->result) {
case NFT_FIB_RESULT_OIF:
case NFT_FIB_RESULT_OIFNAME:
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 4/5] netfilter: ctnetlink: honor IPS_OFFLOAD flag
2019-09-04 19:36 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2019-09-04 19:36 ` [PATCH 3/5] netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled Pablo Neira Ayuso
@ 2019-09-04 19:36 ` Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 5/5] netfilter: nf_flow_table: set default timeout after successful insertion Pablo Neira Ayuso
2019-09-04 22:04 ` [PATCH 0/5] Netfilter fixes for net David Miller
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-04 19:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
If this flag is set, timeout and state are irrelevant to userspace.
Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 6aa01eb6fe99..e2d13cd18875 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -553,10 +553,8 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
goto nla_put_failure;
if (ctnetlink_dump_status(skb, ct) < 0 ||
- ctnetlink_dump_timeout(skb, ct) < 0 ||
ctnetlink_dump_acct(skb, ct, type) < 0 ||
ctnetlink_dump_timestamp(skb, ct) < 0 ||
- ctnetlink_dump_protoinfo(skb, ct) < 0 ||
ctnetlink_dump_helpinfo(skb, ct) < 0 ||
ctnetlink_dump_mark(skb, ct) < 0 ||
ctnetlink_dump_secctx(skb, ct) < 0 ||
@@ -568,6 +566,11 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
goto nla_put_failure;
+ if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
+ (ctnetlink_dump_timeout(skb, ct) < 0 ||
+ ctnetlink_dump_protoinfo(skb, ct) < 0))
+ goto nla_put_failure;
+
nlmsg_end(skb, nlh);
return skb->len;
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 5/5] netfilter: nf_flow_table: set default timeout after successful insertion
2019-09-04 19:36 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2019-09-04 19:36 ` [PATCH 4/5] netfilter: ctnetlink: honor IPS_OFFLOAD flag Pablo Neira Ayuso
@ 2019-09-04 19:36 ` Pablo Neira Ayuso
2019-09-04 22:04 ` [PATCH 0/5] Netfilter fixes for net David Miller
5 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-04 19:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Set up the default timeout for this new entry otherwise the garbage
collector might quickly remove it right after the flowtable insertion.
Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_flow_table_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 80a8f9ae4c93..a0b4bf654de2 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -217,7 +217,7 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
return err;
}
- flow->timeout = (u32)jiffies;
+ flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
return 0;
}
EXPORT_SYMBOL_GPL(flow_offload_add);
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2019-09-04 19:36 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2019-09-04 19:36 ` [PATCH 5/5] netfilter: nf_flow_table: set default timeout after successful insertion Pablo Neira Ayuso
@ 2019-09-04 22:04 ` David Miller
5 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2019-09-04 22:04 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 4 Sep 2019 21:36:41 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) br_netfilter drops IPv6 packets if ipv6 is disabled, from Leonardo Bras.
>
> 2) nft_socket hits BUG() due to illegal skb->sk caching, patch from
> Fernando Fernandez Mancera.
>
> 3) nft_fib_netdev could be called with ipv6 disabled, leading to crash
> in the fib lookup, also from Leonardo.
>
> 4) ctnetlink honors IPS_OFFLOAD flag, just like nf_conntrack sysctl does.
>
> 5) Properly set up flowtable entry timeout, otherwise immediate
> removal by garbage collector might occur.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 7+ messages in thread