* [PATCH 0/3] ipset patches for nf
From: Jozsef Kadlecsik @ 2019-11-01 16:35 UTC
To: netfilter-devel; +Cc: Pablo Neira Ayuso

Hi Pablo,

Please pull the next ipset patches for the nf tree:

- Fix the error code in ip_set_sockfn_get() when copy_to_user() is used,
  from Dan Carpenter.
- The IPv6 part was missed when fixing copying the right MAC address
  in the patch "netfilter: ipset: Copy the right MAC address in bitmap:ip,mac
  and hash:ip,mac sets", it is completed now by Stefano Brivio.
- ipset nla_policies are fixed to fully support NL_VALIDATE_STRICT and
  the code is converted from deprecated parsings to verified ones.

Best regards,
Jozsef

The following changes since commit 3da09663209d6732c74cb7b6d5890b8dea9cf6f3:

  Merge branch 'hv_netvsc-fix-error-handling-in-netvsc_attach-set_features' (2019-10-30 18:17:36 -0700)

are available in the Git repository at:

  git://blackhole.kfki.hu/nf e2eaf4585997c8576d

for you to fetch changes up to e2eaf4585997c8576d28b2028d7a937c9c710011:

  netfilter: ipset: Fix nla_policies to fully support NL_VALIDATE_STRICT (2019-11-01 17:13:18 +0100)

----------------------------------------------------------------
Dan Carpenter (1):
      netfilter: ipset: Fix an error code in ip_set_sockfn_get()

Jozsef Kadlecsik (1):
      netfilter: ipset: Fix nla_policies to fully support NL_VALIDATE_STRICT

Stefano Brivio (1):
      netfilter: ipset: Copy the right MAC address in hash:ip,mac IPv6 sets

 net/netfilter/ipset/ip_set_core.c        | 49 +++++++++++++++++++++-----------
 net/netfilter/ipset/ip_set_hash_ipmac.c  |  2 +-
 net/netfilter/ipset/ip_set_hash_net.c    |  1 +
 net/netfilter/ipset/ip_set_hash_netnet.c |  1 +
 4 files changed, 36 insertions(+), 17 deletions(-)
* [PATCH 1/3] netfilter: ipset: Fix an error code in ip_set_sockfn_get() 2019-11-01 16:35 [PATCH 0/3] ipset patches for nf Jozsef Kadlecsik @ 2019-11-01 16:35 ` Jozsef Kadlecsik 2019-11-01 16:35 ` [PATCH 2/3] netfilter: ipset: Copy the right MAC address in hash:ip,mac IPv6 sets Jozsef Kadlecsik ` (2 subsequent siblings) 3 siblings, 0 replies; 7+ messages in thread From: Jozsef Kadlecsik @ 2019-11-01 16:35 UTC (permalink / raw) To: netfilter-devel; +Cc: Pablo Neira Ayuso From: Dan Carpenter <dan.carpenter@oracle.com> The copy_to_user() function returns the number of bytes remaining to be copied. In this code, that positive return is checked at the end of the function and we return zero/success. What we should do instead is return -EFAULT. Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index e64d5f9a89dd..e7288eab7512 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -2069,8 +2069,9 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len) } req_version->version = IPSET_PROTOCOL; - ret = copy_to_user(user, req_version, - sizeof(struct ip_set_req_version)); + if (copy_to_user(user, req_version, + sizeof(struct ip_set_req_version))) + ret = -EFAULT; goto done; } case IP_SET_OP_GET_BYNAME: { @@ -2129,7 +2130,8 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len) } /* end of switch(op) */ copy: - ret = copy_to_user(user, data, copylen); + if (copy_to_user(user, data, copylen)) + ret = -EFAULT; done: vfree(data); -- 2.20.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
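Review bot: in the first hunk (the IPSET_PROTOCOL version branch of ip_set_sockfn_get), `ret` is now assigned only on the failure path, so the value returned after a successful copy_to_user() is whatever `ret` held before the `if`; the hunk context does not show that initialisation, so please confirm `ret` is 0 on every path into this branch and cannot carry a stale error from an earlier step. If that is not guaranteed, an explicit `ret = 0;` before `goto done;` keeps the fix self-contained and makes the intent obvious to the next reader.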
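Review bot: the second hunk rewrites the `copy:` label, which is reached by `goto copy` from several cases of the switch, so the same reliance on `ret` already being 0 applies to every one of those paths, not just the one shown. A one-line comment above `copy:` stating that `ret` must be 0 when the label is reached would document that invariant, and the commit message could note that callers of this sockopt interface previously received 0 (success) when only part of the buffer was copied and now receive -EFAULT, which is a small user-visible change worth recording.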
* [PATCH 2/3] netfilter: ipset: Copy the right MAC address in hash:ip,mac IPv6 sets
From: Jozsef Kadlecsik @ 2019-11-01 16:35 UTC
To: netfilter-devel; +Cc: Pablo Neira Ayuso
From: Stefano Brivio <sbrivio@redhat.com> Same as commit 1b4a75108d5b ("netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets"), another copy and paste went wrong in commit 8cc4ccf58379 ("netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets"). When I fixed this for IPv4 in 1b4a75108d5b, I didn't realise that hash:ip,mac sets also support IPv6 as family, and this is covered by a separate function, hash_ipmac6_kadt(). In hash:ip,mac sets, the first dimension is the IP address, and the second dimension is the MAC address: check the IPSET_DIM_TWO_SRC flag in flags while deciding which MAC address to copy, destination or source. This way, mixing source and destination matches for the two dimensions of ip,mac hash type works as expected, also for IPv6. With this setup: ip netns add A ip link add veth1 type veth peer name veth2 netns A ip addr add 2001:db8::1/64 dev veth1 ip -net A addr add 2001:db8::2/64 dev veth2 ip link set veth1 up ip -net A link set veth2 up dst=$(ip netns exec A cat /sys/class/net/veth2/address) ip netns exec A ipset create test_hash hash:ip,mac family inet6 ip netns exec A ipset add test_hash 2001:db8::1,${dst} ip netns exec A ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT ip netns exec A ip6tables -A INPUT -m set ! --match-set test_hash src,dst -j DROP ipset now correctly matches a test packet: # ping -c1 2001:db8::2 >/dev/null # echo $? 0 Reported-by: Chen, Yi <yiche@redhat.com> Fixes: 8cc4ccf58379 ("netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_ipmac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c index 24d8f4df4230..4ce563eb927d 100644 
--- a/net/netfilter/ipset/ip_set_hash_ipmac.c +++ b/net/netfilter/ipset/ip_set_hash_ipmac.c @@ -209,7 +209,7 @@ hash_ipmac6_kadt(struct ip_set *set, const struct sk_buff *skb, (skb_mac_header(skb) + ETH_HLEN) > skb->data) return -EINVAL; - if (opt->flags & IPSET_DIM_ONE_SRC) + if (opt->flags & IPSET_DIM_TWO_SRC) ether_addr_copy(e.ether, eth_hdr(skb)->h_source); else ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); -- 2.20.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
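Review bot: the one-line hunk in hash_ipmac6_kadt() changes the flag test from IPSET_DIM_ONE_SRC to IPSET_DIM_TWO_SRC, which is consistent with the commit message (dimension one is the IP address, dimension two is the MAC address), but this is the second time the same copy-and-paste slip has been fixed (IPv4 in 1b4a75108d5b, IPv6 here), so consider a short comment at the `if` naming the dimension, or a helper shared by the IPv4 and IPv6 kadt functions, so the two cannot drift apart again. The reproducer in the commit message and the `Fixes:` tag are both helpful; keep them.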
* [PATCH 3/3] netfilter: ipset: Fix nla_policies to fully support NL_VALIDATE_STRICT 2019-11-01 16:35 [PATCH 0/3] ipset patches for nf Jozsef Kadlecsik 2019-11-01 16:35 ` [PATCH 1/3] netfilter: ipset: Fix an error code in ip_set_sockfn_get() Jozsef Kadlecsik 2019-11-01 16:35 ` [PATCH 2/3] netfilter: ipset: Copy the right MAC address in hash:ip,mac IPv6 sets Jozsef Kadlecsik @ 2019-11-01 16:35 ` Jozsef Kadlecsik 2019-11-04 19:15 ` [PATCH 0/3] ipset patches for nf Pablo Neira Ayuso 3 siblings, 0 replies; 7+ messages in thread From: Jozsef Kadlecsik @ 2019-11-01 16:35 UTC (permalink / raw) To: netfilter-devel; +Cc: Pablo Neira Ayuso Since v5.2 (commit "netlink: re-add parse/validate functions in strict mode") NL_VALIDATE_STRICT is enabled. Fix the ipset nla_policies which did not support strict mode and convert from deprecated parsings to verified ones. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_core.c | 41 ++++++++++++++++-------- net/netfilter/ipset/ip_set_hash_net.c | 1 + net/netfilter/ipset/ip_set_hash_netnet.c | 1 + 3 files changed, 30 insertions(+), 13 deletions(-) diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index e7288eab7512..d73d1828216a 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -296,7 +296,8 @@ ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr) if (unlikely(!flag_nested(nla))) return -IPSET_ERR_PROTOCOL; - if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL)) + if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, + ipaddr_policy, NULL)) return -IPSET_ERR_PROTOCOL; if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4))) return -IPSET_ERR_PROTOCOL; 
@@ -314,7 +315,8 @@ ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr) if (unlikely(!flag_nested(nla))) return -IPSET_ERR_PROTOCOL; - if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL)) + if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, + ipaddr_policy, NULL)) return -IPSET_ERR_PROTOCOL; if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6))) return -IPSET_ERR_PROTOCOL; @@ -934,7 +936,8 @@ static int ip_set_create(struct net *net, struct sock *ctnl, /* Without holding any locks, create private part. */ if (attr[IPSET_ATTR_DATA] && - nla_parse_nested_deprecated(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], set->type->create_policy, NULL)) { + nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], + set->type->create_policy, NULL)) { ret = -IPSET_ERR_PROTOCOL; goto put_out; } @@ -1281,6 +1284,14 @@ dump_attrs(struct nlmsghdr *nlh) } } +static const struct nla_policy +ip_set_dump_policy[IPSET_ATTR_CMD_MAX + 1] = { + [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, + [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, + .len = IPSET_MAXNAMELEN - 1 }, + [IPSET_ATTR_FLAGS] = { .type = NLA_U32 }, +}; + static int dump_init(struct netlink_callback *cb, struct ip_set_net *inst) { @@ -1292,9 +1303,9 @@ dump_init(struct netlink_callback *cb, struct ip_set_net *inst) ip_set_id_t index; int ret; - ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, attr, - nlh->nlmsg_len - min_len, - ip_set_setname_policy, NULL); + ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, attr, + nlh->nlmsg_len - min_len, + ip_set_dump_policy, NULL); if (ret) return ret; 
@@ -1543,9 +1554,9 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set, memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); cmdattr = (void *)&errmsg->msg + min_len; - ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, cmdattr, - nlh->nlmsg_len - min_len, - ip_set_adt_policy, NULL); + ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr, + nlh->nlmsg_len - min_len, ip_set_adt_policy, + NULL); if (ret) { nlmsg_free(skb2); @@ -1596,7 +1607,9 @@ static int ip_set_ad(struct net *net, struct sock *ctnl, use_lineno = !!attr[IPSET_ATTR_LINENO]; if (attr[IPSET_ATTR_DATA]) { - if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL)) + if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, + attr[IPSET_ATTR_DATA], + set->type->adt_policy, NULL)) return -IPSET_ERR_PROTOCOL; ret = call_ad(ctnl, skb, set, tb, adt, flags, use_lineno); @@ -1606,7 +1619,8 @@ static int ip_set_ad(struct net *net, struct sock *ctnl, nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) { if (nla_type(nla) != IPSET_ATTR_DATA || !flag_nested(nla) || - nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, nla, set->type->adt_policy, NULL)) + nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla, + set->type->adt_policy, NULL)) return -IPSET_ERR_PROTOCOL; ret = call_ad(ctnl, skb, set, tb, adt, flags, use_lineno); @@ -1655,7 +1669,8 @@ static int ip_set_utest(struct net *net, struct sock *ctnl, struct sk_buff *skb, if (!set) return -ENOENT; - if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL)) + if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], + set->type->adt_policy, NULL)) return -IPSET_ERR_PROTOCOL; rcu_read_lock_bh(); 
@@ -1961,7 +1976,7 @@ static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = { [IPSET_CMD_LIST] = { .call = ip_set_dump, .attr_count = IPSET_ATTR_CMD_MAX, - .policy = ip_set_setname_policy, + .policy = ip_set_dump_policy, }, [IPSET_CMD_SAVE] = { .call = ip_set_dump, diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c index c259cbc3ef45..3d932de0ad29 100644 --- a/net/netfilter/ipset/ip_set_hash_net.c +++ b/net/netfilter/ipset/ip_set_hash_net.c @@ -368,6 +368,7 @@ static struct ip_set_type hash_net_type __read_mostly = { [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c index a3ae69bfee66..4398322fad59 100644 --- a/net/netfilter/ipset/ip_set_hash_netnet.c +++ b/net/netfilter/ipset/ip_set_hash_netnet.c @@ -476,6 +476,7 @@ static struct ip_set_type hash_netnet_type __read_mostly = { [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, [IPSET_ATTR_CIDR2] = { .type = NLA_U8 }, [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, -- 2.20.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
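Review bot: the first hunk (ip_set_get_ipaddr4) and the other nla_parse_nested_deprecated -> nla_parse_nested and nla_parse_deprecated -> nla_parse conversions change validation behaviour, not only the function name: strict mode rejects attributes above the policy's maximum type and attributes with no policy entry, which the deprecated parsers silently accepted, so a userspace sending attributes this kernel does not know now gets -IPSET_ERR_PROTOCOL instead of having them ignored. The commit message should state that compatibility change explicitly, and the commit it cites ("netlink: re-add parse/validate functions in strict mode") should be referenced by hash in the usual `commit <sha> ("subject")` form.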
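Review bot: the ip_set_netlink_subsys_cb hunk switches only `[IPSET_CMD_LIST].policy` to ip_set_dump_policy, while the visible context shows `[IPSET_CMD_SAVE]` also uses `.call = ip_set_dump`, and dump_init() now parses with ip_set_dump_policy regardless of which command reached it; please check whether `[IPSET_CMD_SAVE].policy` needs the same change so the nfnetlink-level policy and the dump_init() policy agree for SAVE as well. A comment above the new ip_set_dump_policy definition naming the commands it serves (and why ip_set_setname_policy is no longer sufficient, i.e. the IPSET_ATTR_FLAGS entry) would make that relationship explicit.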
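Review bot: the ip_set_hash_net.c and ip_set_hash_netnet.c hunks each add only `[IPSET_ATTR_LINENO] = { .type = NLA_U32 }` to the type's adt policy, but the commit message says the policies "did not support strict mode" without naming the missing attribute or explaining why these two set types alone need it; please state that in the message and say whether the remaining set types' policies were audited for the same gap, since under strict validation a missing entry turns a previously ignored attribute into a hard -IPSET_ERR_PROTOCOL failure.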
* Re: [PATCH 0/3] ipset patches for nf
From: Pablo Neira Ayuso @ 2019-11-04 19:15 UTC
To: Jozsef Kadlecsik; +Cc: netfilter-devel

On Fri, Nov 01, 2019 at 05:35:51PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please pull the next ipset patches for the nf tree:
>
> - Fix the error code in ip_set_sockfn_get() when copy_to_user() is used,
>   from Dan Carpenter.
> - The IPv6 part was missed when fixing copying the right MAC address
>   in the patch "netfilter: ipset: Copy the right MAC address in bitmap:ip,mac
>   and hash:ip,mac sets", it is completed now by Stefano Brivio.
> - ipset nla_policies are fixed to fully support NL_VALIDATE_STRICT and
>   the code is converted from deprecated parsings to verified ones.

Applied, thanks!
* [PATCH 0/3] ipset patches for nf
From: Jozsef Kadlecsik @ 2015-11-07 12:42 UTC
To: netfilter-devel; +Cc: Pablo Neira Ayuso

Hi Pablo,

Please apply the next bugfixes against the nf tree.

- Fix extensions alignment in ipset: Gerhard Wiesinger reported
  that the missing data alignments lead to crash on non-intel
  architecture. The patch was tested on armv7h by Gerhard Wiesinger
  and on x86_64 and sparc64 by me.
- An incorrect index at the hash:* types could lead to
  falsely early expired entries and memory leak when the comment
  extension was used too.
- Release empty hash bucket block when all entries are expired or
  all slots are empty instead of shrinking the data part to zero.

Best regards,
Jozsef

----
The following changes since commit 212cd0895330b775f2db49451f046a5ca4e5704b:

  selinux: fix random read in selinux_ip_postroute_compat() (2015-11-05 16:45:51 -0500)

are available in the git repository at:

  git://blackhole.kfki.hu/nf master

for you to fetch changes up to 0aae24eb409fc429f54ca3809f904f1b91e295e0:

  netfilter: ipset: Fix hash type expire: release empty hash bucket block (2015-11-07 11:28:49 +0100)

----------------------------------------------------------------
Jozsef Kadlecsik (3):
      netfilter: ipset: Fix extension alignment
      netfilter: ipset: Fix hash:* type expiration
      netfilter: ipset: Fix hash type expire: release empty hash bucket block

 include/linux/netfilter/ipset/ip_set.h    |  2 +-
 net/netfilter/ipset/ip_set_bitmap_gen.h   | 17 +++++----------
 net/netfilter/ipset/ip_set_bitmap_ip.c    | 14 ++++--------
 net/netfilter/ipset/ip_set_bitmap_ipmac.c | 64 +++++++++++++++++++++++++-----------------------------
 net/netfilter/ipset/ip_set_bitmap_port.c  | 18 ++++++---------
 net/netfilter/ipset/ip_set_core.c         | 14 +++++++-----
 net/netfilter/ipset/ip_set_hash_gen.h     | 26 ++++++++++++++--------
 net/netfilter/ipset/ip_set_list_set.c     |  5 +++--
 8 files changed, 75 insertions(+), 85 deletions(-)
* Re: [PATCH 0/3] ipset patches for nf
From: Pablo Neira Ayuso @ 2015-11-08 21:42 UTC
To: Jozsef Kadlecsik; +Cc: netfilter-devel

On Sat, Nov 07, 2015 at 01:42:22PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please apply the next bugfixes against the nf tree.
>
> - Fix extensions alignment in ipset: Gerhard Wiesinger reported
>   that the missing data alignments lead to crash on non-intel
>   architecture. The patch was tested on armv7h by Gerhard Wiesinger
>   and on x86_64 and sparc64 by me.
> - An incorrect index at the hash:* types could lead to
>   falsely early expired entries and memory leak when the comment
>   extension was used too.
> - Release empty hash bucket block when all entries are expired or
>   all slots are empty instead of shrinking the data part to zero.

Pulled, thanks Jozsef.