Netfilter-Devel Archive on lore.kernel.org
* [PATCH 0/2] Netfilter/IPVS fixes for net
From: Pablo Neira Ayuso @ 2020-07-23 22:35 UTC
  To: netfilter-devel; +Cc: davem, netdev

Hi,

The following patchset contains Netfilter/IPVS fixes for net:

1) Fix NAT hook deletion when table is dormant, from Florian Westphal.

2) Fix IPVS sync stalls, from guodeqing.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you.

----------------------------------------------------------------

The following changes since commit 1d61e21852d3161f234b9656797669fe185c251b:

  qed: Disable "MFW indication via attention" SPAM every 5 minutes (2020-07-14 15:15:44 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 8210e344ccb798c672ab237b1a4f241bda08909b:

  ipvs: fix the connection sync failed in some cases (2020-07-22 01:21:34 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nf_tables: fix nat hook table deletion

guodeqing (1):
      ipvs: fix the connection sync failed in some cases

 net/netfilter/ipvs/ip_vs_sync.c | 12 ++++++++----
 net/netfilter/nf_tables_api.c   | 41 ++++++++++++++---------------------------
 2 files changed, 22 insertions(+), 31 deletions(-)


* [PATCH 1/2] netfilter: nf_tables: fix nat hook table deletion
From: Pablo Neira Ayuso @ 2020-07-23 22:35 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

syzbot came up with the following transaction:
 add table ip syz0
 add chain ip syz0 syz2 { type nat hook prerouting priority 0; policy accept; }
 add table ip syz0 { flags dormant; }
 delete chain ip syz0 syz2
 delete table ip syz0

which yields:
hook not found, pf 2 num 0
WARNING: CPU: 0 PID: 6775 at net/netfilter/core.c:413 __nf_unregister_net_hook+0x3e6/0x4a0 net/netfilter/core.c:413
[..]
 nft_unregister_basechain_hooks net/netfilter/nf_tables_api.c:206 [inline]
 nft_table_disable net/netfilter/nf_tables_api.c:835 [inline]
 nf_tables_table_disable net/netfilter/nf_tables_api.c:868 [inline]
 nf_tables_commit+0x32d3/0x4d70 net/netfilter/nf_tables_api.c:7550
 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:486 [inline]
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:544 [inline]
 nfnetlink_rcv+0x14a5/0x1e50 net/netfilter/nfnetlink.c:562
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]

Problem is that when I added ability to override base hook registration
to make nat basechains register with the nat core instead of netfilter
core, I forgot to update nft_table_disable() to use that instead of
the 'raw' hook register interface.

In the syzbot transaction, the basechain is of 'nat' type. It's registered
with the nat core.  The switch to 'dormant mode' attempts to delete from
netfilter core instead.

After updating nft_table_disable/enable to use the correct helper,
nft_(un)register_basechain_hooks can be folded into the only remaining
caller.

Because nft_trans_table_enable() won't do anything when the DORMANT flag
is set, remove the flag first, then re-add it in case re-enablement
fails, else this patch breaks the sequence:

add table ip x { flags dormant; }
/* add base chains */
add table ip x

The last 'add' will remove the dormant flags, but won't have any other
effect -- base chains are not registered.
Then, next 'set dormant flag' will create another 'hook not found'
splat.

Reported-by: syzbot+2570f2c036e3da5db176@syzkaller.appspotmail.com
Fixes: 4e25ceb80b58 ("netfilter: nf_tables: allow chain type to override hook register")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 41 ++++++++++++-----------------------
 1 file changed, 14 insertions(+), 27 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 7647ecfa0d40..88325b264737 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -188,24 +188,6 @@ static void nft_netdev_unregister_hooks(struct net *net,
 		nf_unregister_net_hook(net, &hook->ops);
 }
 
-static int nft_register_basechain_hooks(struct net *net, int family,
-					struct nft_base_chain *basechain)
-{
-	if (family == NFPROTO_NETDEV)
-		return nft_netdev_register_hooks(net, &basechain->hook_list);
-
-	return nf_register_net_hook(net, &basechain->ops);
-}
-
-static void nft_unregister_basechain_hooks(struct net *net, int family,
-					   struct nft_base_chain *basechain)
-{
-	if (family == NFPROTO_NETDEV)
-		nft_netdev_unregister_hooks(net, &basechain->hook_list);
-	else
-		nf_unregister_net_hook(net, &basechain->ops);
-}
-
 static int nf_tables_register_hook(struct net *net,
 				   const struct nft_table *table,
 				   struct nft_chain *chain)
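Review bot: deleting nft_register_basechain_hooks() and nft_unregister_basechain_hooks() outright is only safe because every caller (nf_tables_register_hook, nf_tables_unregister_hook, nft_table_disable, nf_tables_table_enable) is converted in the same patch, which the following hunks do, so the tree still builds at this commit. After the fold, the netdev-list versus nf_register_net_hook() dispatch exists in exactly one register and one unregister path, both sitting behind the ops_register/ops_unregister override; that single point of dispatch is the invariant the dormant path was violating.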
@@ -223,7 +205,10 @@ static int nf_tables_register_hook(struct net *net,
 	if (basechain->type->ops_register)
 		return basechain->type->ops_register(net, ops);
 
-	return nft_register_basechain_hooks(net, table->family, basechain);
+	if (table->family == NFPROTO_NETDEV)
+		return nft_netdev_register_hooks(net, &basechain->hook_list);
+
+	return nf_register_net_hook(net, &basechain->ops);
 }
 
 static void nf_tables_unregister_hook(struct net *net,
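Review bot: the inlined body is a verbatim copy of the deleted helper, so there is no behaviour change for chains whose type has no ops_register override. The property that matters is the ordering visible in this hunk: ops_register is consulted before the NFPROTO_NETDEV / nf_register_net_hook() fallback, so a nat basechain never reaches nf_register_net_hook(). Since any code that registers base chain hooks must now go through nf_tables_register_hook(), a one-line comment above the function saying so would stop a future caller from reintroducing the raw path.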
@@ -242,7 +227,10 @@ static void nf_tables_unregister_hook(struct net *net,
 	if (basechain->type->ops_unregister)
 		return basechain->type->ops_unregister(net, ops);
 
-	nft_unregister_basechain_hooks(net, table->family, basechain);
+	if (table->family == NFPROTO_NETDEV)
+		nft_netdev_unregister_hooks(net, &basechain->hook_list);
+	else
+		nf_unregister_net_hook(net, &basechain->ops);
 }
 
 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
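Review bot: mirrors the register side; with this hunk nf_tables_unregister_hook() is the single place that knows whether a basechain's hooks live with the chain type's ops_unregister, the netdev hook list, or the netfilter core. One pre-existing style point in the context line above, 'return basechain->type->ops_unregister(net, ops);' in a function returning void: ISO C forbids a return with an expression in a void function (GCC accepts it as an extension and warns under -Wpedantic). Not introduced here, but it could be turned into a call followed by a bare return while the function is being touched.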
@@ -832,8 +820,7 @@ static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
 		if (cnt && i++ == cnt)
 			break;
 
-		nft_unregister_basechain_hooks(net, table->family,
-					       nft_base_chain(chain));
+		nf_tables_unregister_hook(net, table, chain);
 	}
 }
 
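Review bot: this is the actual fix for the syzbot splat. The dormant path now calls nf_tables_unregister_hook(), so a nat basechain is unregistered through its type's ops_unregister (the nat core) instead of through nf_unregister_net_hook(), which is where the 'hook not found' warning at net/netfilter/core.c:413 came from. The table->family argument the old call passed is dropped because nf_tables_unregister_hook() reads it from the table itself. Since the 'cnt' early exit is also what nf_tables_table_enable() uses to roll back a partial registration, this loop and the enable loop must stay symmetric, which the next hunk preserves.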
@@ -848,8 +835,7 @@ static int nf_tables_table_enable(struct net *net, struct nft_table *table)
 		if (!nft_is_base_chain(chain))
 			continue;
 
-		err = nft_register_basechain_hooks(net, table->family,
-						   nft_base_chain(chain));
+		err = nf_tables_register_hook(net, table, chain);
 		if (err < 0)
 			goto err_register_hooks;
 
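Review bot: symmetric with nft_table_disable(); enabling now goes through nf_tables_register_hook(), so the ops_register override is honoured on the dormant-to-active transition as well. Because both directions use the same dispatch, a chain that the nat core registered on this path is also unregistered through the nat core when the err_register_hooks label unwinds a partial enable, closing the same mismatch on the error path.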
@@ -894,11 +880,12 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
 		nft_trans_table_enable(trans) = false;
 	} else if (!(flags & NFT_TABLE_F_DORMANT) &&
 		   ctx->table->flags & NFT_TABLE_F_DORMANT) {
+		ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
 		ret = nf_tables_table_enable(ctx->net, ctx->table);
-		if (ret >= 0) {
-			ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
+		if (ret >= 0)
 			nft_trans_table_enable(trans) = true;
-		}
+		else
+			ctx->table->flags |= NFT_TABLE_F_DORMANT;
 	}
 	if (ret < 0)
 		goto err;
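Review bot: the DORMANT flag is now cleared before nf_tables_table_enable() and restored on failure, rather than cleared only on success. The commit message explains why (the 'add table ip x { flags dormant; }', add base chains, 'add table ip x' sequence left the flag clear with no base chain registered, so the next 'set dormant' splatted), but that reasoning belongs in a comment next to the '&= ~NFT_TABLE_F_DORMANT' line, since on its own the clear-then-restore pattern reads like a mistake. Also, the commit message attributes the early-out on DORMANT to nft_trans_table_enable(), whereas in this hunk nft_trans_table_enable(trans) is the transaction field being assigned and the call whose outcome changes once the flag is cleared is nf_tables_table_enable(); the wording should match the code so the reader can find the check.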
-- 
2.20.1
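
The two defects the patch above describes, the raw unregister on the dormant path and the flag being cleared only after re-enablement, modelled in user space as an added example that is not kernel code and not part of the original mail. It assumes two hook registries (the netfilter core and the nat core), a chain type with an optional register/unregister override, and, as an assumption not visible in the hunks, that the register path does nothing while the table is dormant (modelled on the early-out in nf_tables_register_hook()). Names such as Registry, table_disable_old and clear_dormant_new are the model's own.

```python
"""Toy model of nf_tables base-chain hook registration around a dormant
table. Constructed example: the classes and names below are the model's,
not the kernel's."""


class HookNotFound(Exception):
    """Stands in for the WARN 'hook not found' in __nf_unregister_net_hook()."""


class Registry:
    """A hook registry: the netfilter core or the nat core."""

    def __init__(self, name):
        self.name = name
        self.hooks = set()

    def register(self, ops):
        self.hooks.add(ops)

    def unregister(self, ops):
        if ops not in self.hooks:
            raise HookNotFound(f"hook not found in {self.name}")
        self.hooks.remove(ops)


class ChainType:
    """Chain type; 'override' plays the role of ops_register/ops_unregister."""

    def __init__(self, name, override=None):
        self.name = name
        self.override = override      # nat chains register with the nat core


class BaseChain:
    def __init__(self, name, ctype):
        self.ops = f"{name}:ops"
        self.type = ctype


class Table:
    def __init__(self, dormant=False):
        self.dormant = dormant
        self.chains = []


def register_hook(nf_core, table, chain):
    """nf_tables_register_hook(): honour the type override; do nothing while the
    table is dormant (assumption modelled on the kernel, not shown in the hunks)."""
    if table.dormant:
        return
    (chain.type.override or nf_core).register(chain.ops)


def unregister_hook(nf_core, table, chain):
    """nf_tables_unregister_hook(): the same dispatch in the other direction."""
    (chain.type.override or nf_core).unregister(chain.ops)


def table_disable_old(nf_core, table):
    """Pre-patch nft_table_disable(): raw nf_unregister_net_hook() for every chain,
    ignoring the type override. This is the bug."""
    for chain in table.chains:
        nf_core.unregister(chain.ops)


def table_disable_new(nf_core, table):
    """Post-patch nft_table_disable(): go through nf_tables_unregister_hook()."""
    for chain in table.chains:
        unregister_hook(nf_core, table, chain)


def set_dormant(nf_core, table, disable):
    table.dormant = True
    disable(nf_core, table)


def clear_dormant_old(nf_core, table):
    """Pre-patch nf_tables_updtable(): enable first, clear the flag on success.
    The enable path still sees dormant=True and registers nothing."""
    for chain in table.chains:
        register_hook(nf_core, table, chain)
    table.dormant = False


def clear_dormant_new(nf_core, table):
    """Post-patch: clear the flag first, restore it if enabling fails."""
    table.dormant = False
    try:
        for chain in table.chains:
            register_hook(nf_core, table, chain)
    except Exception:
        table.dormant = True
        raise


def run_syzbot_transaction(disable):
    """add table; add nat chain; add table { flags dormant; } -> 'ok' or the splat."""
    nf_core, nat_core = Registry("netfilter core"), Registry("nat core")
    table = Table()
    chain = BaseChain("syz2", ChainType("nat", nat_core))
    table.chains.append(chain)
    register_hook(nf_core, table, chain)          # lands in the nat core
    try:
        set_dormant(nf_core, table, disable)
    except HookNotFound as exc:
        return str(exc)
    return "ok"


def run_reenable_sequence(clear_dormant, disable):
    """add table {dormant}; add base chain; add table; add table {dormant}.
    Returns (chain registered after re-enable?, outcome of the final disable)."""
    nf_core, nat_core = Registry("netfilter core"), Registry("nat core")
    table = Table(dormant=True)
    chain = BaseChain("c", ChainType("nat", nat_core))
    table.chains.append(chain)
    register_hook(nf_core, table, chain)          # dormant: nothing registered
    clear_dormant(nf_core, table)
    registered = chain.ops in nat_core.hooks
    try:
        set_dormant(nf_core, table, disable)
    except HookNotFound as exc:
        return registered, str(exc)
    return registered, "ok"
```

run_syzbot_transaction(table_disable_old) reproduces the mismatch (the nat chain is looked for in the netfilter core), table_disable_new does not; run_reenable_sequence shows that even with the dispatch fixed, clearing the flag after the enable call leaves no hook registered and the next dormant switch fails, which is the reason for the clear-then-restore change in the last hunk.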



* [PATCH 2/2] ipvs: fix the connection sync failed in some cases
From: Pablo Neira Ayuso @ 2020-07-23 22:35 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: guodeqing <geffrey.guo@huawei.com>

sync_thread_backup only checks whether sk_receive_queue is empty or not.
There is a situation in which the connection entries cannot be synced:
when sk_receive_queue is empty and sk_rmem_alloc is larger than sk_rcvbuf,
the sync packets are dropped in __udp_enqueue_schedule_skb. This is
because the packets in reader_queue are not read, so the rmem is
not reclaimed.

Here I add the check of whether the reader_queue of the udp sock is
empty or not to solve this problem.

Fixes: 2276f58ac589 ("udp: use a separate rx queue for packet reception")
Reported-by: zhouxudong <zhouxudong8@huawei.com>
Signed-off-by: guodeqing <geffrey.guo@huawei.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipvs/ip_vs_sync.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index 605e0f68f8bd..2b8abbfe018c 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -1717,6 +1717,8 @@ static int sync_thread_backup(void *data)
 {
 	struct ip_vs_sync_thread_data *tinfo = data;
 	struct netns_ipvs *ipvs = tinfo->ipvs;
+	struct sock *sk = tinfo->sock->sk;
+	struct udp_sock *up = udp_sk(sk);
 	int len;
 
 	pr_info("sync thread started: state = BACKUP, mcast_ifn = %s, "
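Review bot: udp_sk(sk) hard-codes that the backup sync socket is a UDP socket. That holds for the IPVS sync thread (the commit message itself calls it "the udp sock", and reader_queue is a struct udp_sock member), but a short comment at the declaration would make the assumption explicit for anyone who later changes how tinfo->sock is created. Hoisting sk and up into locals also keeps the wait_event condition below readable, which is welcome.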
@@ -1724,12 +1726,14 @@ static int sync_thread_backup(void *data)
 		ipvs->bcfg.mcast_ifn, ipvs->bcfg.syncid, tinfo->id);
 
 	while (!kthread_should_stop()) {
-		wait_event_interruptible(*sk_sleep(tinfo->sock->sk),
-			 !skb_queue_empty(&tinfo->sock->sk->sk_receive_queue)
-			 || kthread_should_stop());
+		wait_event_interruptible(*sk_sleep(sk),
+					 !skb_queue_empty_lockless(&sk->sk_receive_queue) ||
+					 !skb_queue_empty_lockless(&up->reader_queue) ||
+					 kthread_should_stop());
 
 		/* do we have data now? */
-		while (!skb_queue_empty(&(tinfo->sock->sk->sk_receive_queue))) {
+		while (!skb_queue_empty_lockless(&sk->sk_receive_queue) ||
+		       !skb_queue_empty_lockless(&up->reader_queue)) {
 			len = ip_vs_receive(tinfo->sock, tinfo->buf,
 					ipvs->bcfg.sync_maxlen);
 			if (len <= 0) {
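Review bot: both the wake-up condition and the drain loop now look at up->reader_queue in addition to sk->sk_receive_queue, which is the fix: since 2276f58ac589 the UDP receive path parks skbs in reader_queue, and skbs sitting there are still charged to sk_rmem_alloc, so a thread that only watched sk_receive_queue could sleep while sk_rmem_alloc stayed above sk_rcvbuf and every new sync packet was dropped in __udp_enqueue_schedule_skb(). Two things deserve a sentence in the commit message: the switch from skb_queue_empty() to skb_queue_empty_lockless() is a separate change (the lockless variant is the right choice for a condition evaluated without the queue lock, but it is not mentioned), and the outer while now spins for as long as reader_queue is non-empty, so it relies on ip_vs_receive() actually consuming from reader_queue; the 'if (len <= 0)' branch only covers the receive-error case.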
-- 
2.20.1
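
The stall described in the commit message, modelled in user space as an added example that is not kernel code and not part of the original mail. The ToySock class below assumes a simplified version of the UDP receive path: enqueue drops when sk_rmem_alloc plus the packet size would exceed sk_rcvbuf, recvmsg splices sk_receive_queue into reader_queue and hands back one packet, and receive memory is uncharged lazily in batches of sk_rcvbuf/4 unless reader_queue has just been emptied (modelled on udp_rmem_release()). data_ready_old and data_ready_new are the wake/drain conditions before and after the patch; the numbers in run_scenario are constructed.

```python
"""Toy model of sync_thread_backup()'s wait condition over a UDP socket with
two receive queues. Constructed example; names are the model's, not the kernel's."""
from collections import deque


class ToySock:
    """Stand-in for struct sock + struct udp_sock with rmem accounting."""

    def __init__(self, rcvbuf):
        self.rcvbuf = rcvbuf            # sk_rcvbuf
        self.rmem_alloc = 0             # sk_rmem_alloc: bytes charged to the socket
        self.forward_deficit = 0        # udp_sock.forward_deficit: uncharge backlog
        self.receive_queue = deque()    # sk_receive_queue, filled from softirq
        self.reader_queue = deque()     # udp_sock.reader_queue, filled on recvmsg
        self.dropped = 0

    def enqueue(self, truesize):
        """Model of __udp_enqueue_schedule_skb(): drop when over the buffer limit."""
        if self.rmem_alloc + truesize > self.rcvbuf:
            self.dropped += 1
            return False
        self.rmem_alloc += truesize
        self.receive_queue.append(truesize)
        return True

    def recvmsg(self):
        """Model of __skb_recv_udp(): splice the whole sk_receive_queue into
        reader_queue, return one skb's size, uncharge lazily. 0 means no data."""
        if not self.reader_queue:
            self.reader_queue.extend(self.receive_queue)
            self.receive_queue.clear()
        if not self.reader_queue:
            return 0
        truesize = self.reader_queue.popleft()
        self._rmem_release(truesize)
        return truesize

    def _rmem_release(self, size):
        """Model of udp_rmem_release(): uncharge in batches of at least
        sk_rcvbuf/4, unless reader_queue is now empty."""
        self.forward_deficit += size
        if self.forward_deficit < self.rcvbuf // 4 and self.reader_queue:
            return                       # memory stays charged for now
        self.rmem_alloc -= self.forward_deficit
        self.forward_deficit = 0


def data_ready_old(sk):
    """Condition before the patch: only sk_receive_queue is considered."""
    return bool(sk.receive_queue)


def data_ready_new(sk):
    """Condition after the patch: either queue holding data counts."""
    return bool(sk.receive_queue) or bool(sk.reader_queue)


def sync_thread_pass(sk, data_ready):
    """One wake-up of the backup thread's inner loop: receive while data_ready()."""
    received = 0
    while data_ready(sk):
        if sk.recvmsg() <= 0:            # mirrors the 'if (len <= 0)' exit
            break
        received += 1
    return received


def run_scenario(data_ready, rcvbuf=1000, truesize=200, burst=5, later=4):
    """Deliver a burst that fills sk_rcvbuf, let the thread run once, then deliver
    more. Returns (packets received in the first pass, rmem still charged
    afterwards, packets dropped later, would the thread be woken again)."""
    sk = ToySock(rcvbuf)
    for _ in range(burst):
        sk.enqueue(truesize)
    first = sync_thread_pass(sk, data_ready)
    rmem_after = sk.rmem_alloc
    for _ in range(later):
        sk.enqueue(truesize)
    return first, rmem_after, sk.dropped, data_ready(sk)
```

With the old condition the first pass reads a single packet, the rest sit in reader_queue with their memory still charged, the next packets are dropped and nothing can ever wake the thread; with the new condition the pass drains reader_queue too, the memory is released and later packets are accepted.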



* Re: [PATCH 0/2] Netfilter/IPVS fixes for net
From: David Miller @ 2020-07-24  0:22 UTC
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 24 Jul 2020 00:35:06 +0200

> The following patchset contains Netfilter/IPVS fixes for net:
> 
> 1) Fix NAT hook deletion when table is dormant, from Florian Westphal.
> 
> 2) Fix IPVS sync stalls, from guodeqing.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thank you.


* Re: [PATCH 0/2] Netfilter/IPVS fixes for net
From: David Miller @ 2019-02-19  1:56 UTC
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 19 Feb 2019 00:08:21 +0100

> The following patchset contains Netfilter/IPVS fixes for net:
> 
> 1) Follow up patch to fix a compilation warning in a recent IPVS fix:
>    098e13f5b21d ("ipvs: fix dependency on nf_defrag_ipv6").
> 
> 2) Bogus ENOENT error on flush after rule deletion in the same batch,
>    reported by Phil Sutter.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Series applied, thanks.


* [PATCH 0/2] Netfilter/IPVS fixes for net
From: Pablo Neira Ayuso @ 2019-02-18 23:08 UTC
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter/IPVS fixes for net:

1) Follow up patch to fix a compilation warning in a recent IPVS fix:
   098e13f5b21d ("ipvs: fix dependency on nf_defrag_ipv6").

2) Bogus ENOENT error on flush after rule deletion in the same batch,
   reported by Phil Sutter.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit f9bcc9f3ee4fbbe8f11dfec76745476f5780517e:

  net: ethernet: freescale: set FEC ethtool regs version (2019-02-14 12:45:35 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to c93a49b9769e435990c82297aa0baa31e1538790:

  ipvs: fix warning on unused variable (2019-02-16 10:41:42 +0100)

----------------------------------------------------------------
Andrea Claudi (1):
      ipvs: fix warning on unused variable

Pablo Neira Ayuso (1):
      netfilter: nf_tables: fix flush after rule deletion in the same batch

 net/netfilter/ipvs/ip_vs_ctl.c | 3 ++-
 net/netfilter/nf_tables_api.c  | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)


* Re: [PATCH 0/2] Netfilter/IPVS fixes for net
From: David Miller @ 2016-06-08  0:14 UTC
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue,  7 Jun 2016 00:38:15 +0200

> The following patchset contains two Netfilter/IPVS fixes for your net
> tree, they are:
> 
> 1) Fix missing alignment in next offset calculation for standard
>    targets, introduced in the previous merge window, patch from
>    Florian Westphal.
> 
> 2) Fix to correct the handling of outgoing connections which use the
>    SIP-pe such that the binding of a real-server is updated when needed.
>    This was an omission from changes introduced by Marco Angaroni in
>    the previous merge window too, to allow handling of outgoing
>    connections by the SIP-pe. Patch and report came via Simon Horman.

Pulled, thanks Pablo.


* [PATCH 0/2] Netfilter/IPVS fixes for net
From: Pablo Neira Ayuso @ 2016-06-06 22:38 UTC
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two Netfilter/IPVS fixes for your net
tree, they are:

1) Fix missing alignment in next offset calculation for standard
   targets, introduced in the previous merge window, patch from
   Florian Westphal.

2) Fix to correct the handling of outgoing connections which use the
   SIP-pe such that the binding of a real-server is updated when needed.
   This was an omission from changes introduced by Marco Angaroni in
   the previous merge window too, to allow handling of outgoing
   connections by the SIP-pe. Patch and report came via Simon Horman.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 14b84e8654c89ed59f433654e6bb64c886d095cd:

  qed: fix qed_fill_link() error handling (2016-06-01 22:04:54 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 3ec10d3a2ba591c87da94219c1e46b02ae97757a:

  ipvs: update real-server binding of outgoing connections in SIP-pe (2016-06-06 09:47:25 +0900)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: x_tables: don't reject valid target size on some architectures

Marco Angaroni (1):
      ipvs: update real-server binding of outgoing connections in SIP-pe

 include/net/ip_vs.h             | 2 +-
 net/netfilter/ipvs/ip_vs_conn.c | 5 +++--
 net/netfilter/ipvs/ip_vs_core.c | 5 +++--
 net/netfilter/x_tables.c        | 4 ++--
 4 files changed, 9 insertions(+), 7 deletions(-)


* Re: [PATCH 0/2] Netfilter/IPVS fixes for net
From: Pablo Neira Ayuso @ 2013-06-24  9:28 UTC
  To: David Miller; +Cc: netfilter-devel, netdev

On Mon, Jun 24, 2013 at 12:20:28AM -0700, David Miller wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> Date: Fri, 21 Jun 2013 02:38:39 +0200
> 
> > You can pull these changes from:
> > 
> > 
> 
> No URL specified :-)

Oops :-(, I puzzled with my pull request script, sorry.

Will retry asap.


* Re: [PATCH 0/2] Netfilter/IPVS fixes for net
From: David Miller @ 2013-06-24  7:20 UTC
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 21 Jun 2013 02:38:39 +0200

> You can pull these changes from:
> 
> 

No URL specified :-)


* [PATCH 0/2] Netfilter/IPVS fixes for net
From: Pablo Neira Ayuso @ 2013-06-21  0:38 UTC
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two fixes for Netfilter/IPVS; they are:

* An skb leak fix in fragmentation handling in case helpers are in place;
  it has been present since the IPv6 NAT infrastructure, from Phil Oester.

* Fix SCTP port mangling in ICMP packets, from Julian Anastasov.

Specifically, the first one should find its path to -stable asap. I can take
care of it myself once this hits Linus' tree; let me know what you prefer.

You can pull these changes from:


Julian Anastasov (1):
  ipvs: SCTP ports should be writable in ICMP packets

Phil Oester (1):
  netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling

 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    2 +-
 net/netfilter/ipvs/ip_vs_core.c                |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

-- 
1.7.10.4

