* [PATCH AUTOSEL 4.19 320/671] netfilter: nft_flow_offload: add entry to flowtable after confirmation
[not found] <20200116170509.12787-1-sashal@kernel.org>
@ 2020-01-16 16:59 ` Sasha Levin
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 349/671] netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule Sasha Levin
` (2 subsequent siblings)
3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-01-16 16:59 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Pablo Neira Ayuso, Sasha Levin, netfilter-devel, coreteam, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 270a8a297f42ecff82060aaa53118361f09c1f7d ]
This is fixing flow offload for UDP traffic where packets only follow
one single direction.
The flow_offload_fixup_tcp() mechanism works fine in case that the
offloaded entry remains in SYN_RECV state, given sequence tracking is
reset and that conntrack handles syn+ack packets as a retransmission, ie.
sES + synack => sIG
for reply traffic.
Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_flow_offload.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 1ef8cb789c41..166edea0e452 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -103,8 +103,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
ct->status & IPS_SEQ_ADJUST)
goto out;
- if (ctinfo == IP_CT_NEW ||
- ctinfo == IP_CT_RELATED)
+ if (!nf_ct_is_confirmed(ct))
goto out;
if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status))
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH AUTOSEL 4.19 349/671] netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
[not found] <20200116170509.12787-1-sashal@kernel.org>
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 320/671] netfilter: nft_flow_offload: add entry to flowtable after confirmation Sasha Levin
@ 2020-01-16 16:59 ` Sasha Levin
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 355/671] netfilter: nf_tables: correct NFT_LOGLEVEL_MAX value Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 524/671] netfilter: ctnetlink: honor IPS_OFFLOAD flag Sasha Levin
3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-01-16 16:59 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Florian Westphal, Tetsuo Handa, Pablo Neira Ayuso, Sasha Levin,
netfilter-devel, coreteam, bridge, netdev
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 680f6af5337c98d116e4f127cea7845339dba8da ]
If userspace provides a rule blob with trailing data after last target,
we trigger a splat, then convert ruleset to 64bit format (with trailing
data), then pass that to do_replace_finish() which then returns -EINVAL.
Erroring out right away avoids the splat plus unneeded translation and
error unwind.
Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/ebtables.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 785e19afd6aa..f59230e4fc29 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2165,7 +2165,9 @@ static int compat_copy_entries(unsigned char *data, unsigned int size_user,
if (ret < 0)
return ret;
- WARN_ON(size_remaining);
+ if (size_remaining)
+ return -EINVAL;
+
return state->buf_kern_offset;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH AUTOSEL 4.19 355/671] netfilter: nf_tables: correct NFT_LOGLEVEL_MAX value
[not found] <20200116170509.12787-1-sashal@kernel.org>
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 320/671] netfilter: nft_flow_offload: add entry to flowtable after confirmation Sasha Levin
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 349/671] netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule Sasha Levin
@ 2020-01-16 16:59 ` Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 524/671] netfilter: ctnetlink: honor IPS_OFFLOAD flag Sasha Levin
3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-01-16 16:59 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Florian Westphal, Pablo Neira Ayuso, Sasha Levin,
netfilter-devel, coreteam
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 92285a079eedfe104a773a7c4293f77a01f456fb ]
should be same as NFT_LOGLEVEL_AUDIT, so use -, not +.
Fixes: 7eced5ab5a73 ("netfilter: nf_tables: add NFT_LOGLEVEL_* enumeration and use it")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 325ec6ef0a76..5eac62e1b68d 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1128,7 +1128,7 @@ enum nft_log_level {
NFT_LOGLEVEL_AUDIT,
__NFT_LOGLEVEL_MAX
};
-#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX + 1)
+#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1)
/**
* enum nft_queue_attributes - nf_tables queue expression netlink attributes
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH AUTOSEL 4.19 524/671] netfilter: ctnetlink: honor IPS_OFFLOAD flag
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (2 preceding siblings ...)
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 355/671] netfilter: nf_tables: correct NFT_LOGLEVEL_MAX value Sasha Levin
@ 2020-01-16 17:02 ` Sasha Levin
3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-01-16 17:02 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Pablo Neira Ayuso, Sasha Levin, netfilter-devel, coreteam, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit b067fa009c884401d23846251031c1f14d8a9c77 ]
If this flag is set, timeout and state are irrelevant to userspace.
Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_netlink.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 7ba9ea55816a..31fa94064a62 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -555,10 +555,8 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
goto nla_put_failure;
if (ctnetlink_dump_status(skb, ct) < 0 ||
- ctnetlink_dump_timeout(skb, ct) < 0 ||
ctnetlink_dump_acct(skb, ct, type) < 0 ||
ctnetlink_dump_timestamp(skb, ct) < 0 ||
- ctnetlink_dump_protoinfo(skb, ct) < 0 ||
ctnetlink_dump_helpinfo(skb, ct) < 0 ||
ctnetlink_dump_mark(skb, ct) < 0 ||
ctnetlink_dump_secctx(skb, ct) < 0 ||
@@ -570,6 +568,11 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
goto nla_put_failure;
+ if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
+ (ctnetlink_dump_timeout(skb, ct) < 0 ||
+ ctnetlink_dump_protoinfo(skb, ct) < 0))
+ goto nla_put_failure;
+
nlmsg_end(skb, nlh);
return skb->len;
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread