netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org
Subject: [PATCH 0/7] Netfilter fixes for net
Date: Thu, 25 Jun 2020 20:26:28 +0200	[thread overview]
Message-ID: <20200625182635.1958-1-pablo@netfilter.org> (raw)

Hi,

The following patchset contains Netfilter fixes for net, they are:

1) Unaligned atomic access in ipset, from Russell King.

2) Missing module description, from Rob Gill.

3) Patches to fix a module unload causing NULL pointer dereference in
   xtables, from David Wilder. For the record, I posting here his cover
   letter explaining the problem:

    A crash happened on ppc64le when running ltp network tests triggered by
    "rmmod iptable_mangle".

    See previous discussion in this thread:
    https://lists.openwall.net/netdev/2020/06/03/161 .

    In the crash I found in iptable_mangle_hook() that
    state->net->ipv4.iptable_mangle=NULL causing a NULL pointer dereference.
    net->ipv4.iptable_mangle is set to NULL in +iptable_mangle_net_exit() and
    called when ip_mangle modules is unloaded. A rmmod task was found running
    in the crash dump.  A 2nd crash showed the same problem when running
    "rmmod iptable_filter" (net->ipv4.iptable_filter=NULL).

    To fix this I added .pre_exit hook in all iptable_foo.c. The pre_exit will
    un-register the underlying hook and exit would do the table freeing. The
    netns core does an unconditional +synchronize_rcu after the pre_exit hooks
    insuring no packets are in flight that have picked up the pointer before
    completing the un-register.

    These patches include changes for both iptables and ip6tables.

    We tested this fix with ltp running iptables01.sh and iptables01.sh -6 a
    loop for 72 hours.

4) Add a selftest for conntrack helper assignment, from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you.

----------------------------------------------------------------

The following changes since commit 67c20de35a3cc2e2cd940f95ebd85ed0a765315a:

  net: Add MODULE_DESCRIPTION entries to network modules (2020-06-20 21:33:57 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 619ae8e0697a6fb85b99b19137590c7c337c579e:

  selftests: netfilter: add test case for conntrack helper assignment (2020-06-25 00:50:31 +0200)

----------------------------------------------------------------
David Wilder (4):
      netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers.
      netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c.
      netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers.
      netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c.

Florian Westphal (1):
      selftests: netfilter: add test case for conntrack helper assignment

Rob Gill (1):
      netfilter: Add MODULE_DESCRIPTION entries to kernel modules

Russell King (1):
      netfilter: ipset: fix unaligned atomic access

 include/linux/netfilter_ipv4/ip_tables.h           |   6 +
 include/linux/netfilter_ipv6/ip6_tables.h          |   3 +
 net/bridge/netfilter/nft_meta_bridge.c             |   1 +
 net/bridge/netfilter/nft_reject_bridge.c           |   1 +
 net/ipv4/netfilter/ip_tables.c                     |  15 +-
 net/ipv4/netfilter/ipt_SYNPROXY.c                  |   1 +
 net/ipv4/netfilter/iptable_filter.c                |  10 +-
 net/ipv4/netfilter/iptable_mangle.c                |  10 +-
 net/ipv4/netfilter/iptable_nat.c                   |  10 +-
 net/ipv4/netfilter/iptable_raw.c                   |  10 +-
 net/ipv4/netfilter/iptable_security.c              |  11 +-
 net/ipv4/netfilter/nf_flow_table_ipv4.c            |   1 +
 net/ipv4/netfilter/nft_dup_ipv4.c                  |   1 +
 net/ipv4/netfilter/nft_fib_ipv4.c                  |   1 +
 net/ipv4/netfilter/nft_reject_ipv4.c               |   1 +
 net/ipv6/netfilter/ip6_tables.c                    |  15 +-
 net/ipv6/netfilter/ip6t_SYNPROXY.c                 |   1 +
 net/ipv6/netfilter/ip6table_filter.c               |  10 +-
 net/ipv6/netfilter/ip6table_mangle.c               |  10 +-
 net/ipv6/netfilter/ip6table_nat.c                  |  10 +-
 net/ipv6/netfilter/ip6table_raw.c                  |  10 +-
 net/ipv6/netfilter/ip6table_security.c             |  10 +-
 net/ipv6/netfilter/nf_flow_table_ipv6.c            |   1 +
 net/ipv6/netfilter/nft_dup_ipv6.c                  |   1 +
 net/ipv6/netfilter/nft_fib_ipv6.c                  |   1 +
 net/ipv6/netfilter/nft_reject_ipv6.c               |   1 +
 net/netfilter/ipset/ip_set_core.c                  |   2 +
 net/netfilter/nf_dup_netdev.c                      |   1 +
 net/netfilter/nf_flow_table_core.c                 |   1 +
 net/netfilter/nf_flow_table_inet.c                 |   1 +
 net/netfilter/nf_synproxy_core.c                   |   1 +
 net/netfilter/nfnetlink.c                          |   1 +
 net/netfilter/nft_compat.c                         |   1 +
 net/netfilter/nft_connlimit.c                      |   1 +
 net/netfilter/nft_counter.c                        |   1 +
 net/netfilter/nft_ct.c                             |   1 +
 net/netfilter/nft_dup_netdev.c                     |   1 +
 net/netfilter/nft_fib_inet.c                       |   1 +
 net/netfilter/nft_fib_netdev.c                     |   1 +
 net/netfilter/nft_flow_offload.c                   |   1 +
 net/netfilter/nft_hash.c                           |   1 +
 net/netfilter/nft_limit.c                          |   1 +
 net/netfilter/nft_log.c                            |   1 +
 net/netfilter/nft_masq.c                           |   1 +
 net/netfilter/nft_nat.c                            |   1 +
 net/netfilter/nft_numgen.c                         |   1 +
 net/netfilter/nft_objref.c                         |   1 +
 net/netfilter/nft_osf.c                            |   1 +
 net/netfilter/nft_queue.c                          |   1 +
 net/netfilter/nft_quota.c                          |   1 +
 net/netfilter/nft_redir.c                          |   1 +
 net/netfilter/nft_reject.c                         |   1 +
 net/netfilter/nft_reject_inet.c                    |   1 +
 net/netfilter/nft_synproxy.c                       |   1 +
 net/netfilter/nft_tunnel.c                         |   1 +
 net/netfilter/xt_nat.c                             |   1 +
 tools/testing/selftests/netfilter/Makefile         |   2 +-
 .../selftests/netfilter/nft_conntrack_helper.sh    | 175 +++++++++++++++++++++
 58 files changed, 344 insertions(+), 16 deletions(-)
 create mode 100755 tools/testing/selftests/netfilter/nft_conntrack_helper.sh

             reply	other threads:[~2020-06-25 18:27 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-25 18:26 Pablo Neira Ayuso [this message]
2020-06-25 18:26 ` [PATCH 1/7] netfilter: ipset: fix unaligned atomic access Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 2/7] netfilter: Add MODULE_DESCRIPTION entries to kernel modules Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 3/7] netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 4/7] netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 5/7] netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 6/7] netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 7/7] selftests: netfilter: add test case for conntrack helper assignment Pablo Neira Ayuso
2020-06-25 19:59 ` [PATCH 0/7] Netfilter fixes for net David Miller
  -- strict thread matches above, loose matches on Subject: below --
2020-10-22 17:29 Pablo Neira Ayuso
2020-10-22 19:16 ` Jakub Kicinski
2020-04-07 22:29 Pablo Neira Ayuso
2020-04-08  1:08 ` David Miller
2020-03-24 22:32 Pablo Neira Ayuso
2020-03-25  0:31 ` David Miller
2020-01-25 17:34 Pablo Neira Ayuso
2020-01-25 20:40 ` David Miller
2019-08-14  9:24 Pablo Neira Ayuso
2019-08-15 21:02 ` David Miller
2019-01-14 21:29 Pablo Neira Ayuso
2019-01-15 21:32 ` David Miller
2016-08-30 11:26 Pablo Neira Ayuso
2016-08-31  5:02 ` David Miller
2016-06-17 18:25 Pablo Neira Ayuso
2016-06-18  2:50 ` David Miller
2016-06-01 12:03 Pablo Neira Ayuso
2016-06-02  0:54 ` David Miller
2015-07-08  9:48 Pablo Neira Ayuso
2015-07-09  7:03 ` David Miller
2014-10-20  8:10 [PATCH 0/7] netfilter " Pablo Neira Ayuso
2014-10-20 15:58 ` David Miller
2013-11-21  9:05 Pablo Neira Ayuso
2013-11-21 17:45 ` David Miller
2013-09-17 22:21 Pablo Neira Ayuso
2013-09-18  0:23 ` David Miller
2013-09-17 22:07 Pablo Neira Ayuso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200625182635.1958-1-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).