netfilter-devel.vger.kernel.org archive mirror
* [PATCH net 00/11] Netfilter fixes for net
@ 2021-07-07 16:18 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Do not refresh timeout in SYN_SENT for syn retransmissions.
   Add selftest for unreplied TCP connection, from Florian Westphal.

2) Fix null dereference from error path with hardware offload
   in nftables.

3) Remove useless nf_ct_gre_keymap_flush() from netns exit path,
   from Vasily Averin.

4) Missing rcu read-lock side in ctnetlink helper info dump,
   also from Vasily.

5) Do not mark RST in the reply direction coming after SYN packet
   for an out-of-sync entry, from Ali Abdallah and Florian Westphal.

6) Add tcp_ignore_invalid_rst sysctl to allow disabling out-of-segment
   RSTs, from Ali.

7) KCSAN fix for nf_conntrack_all_lock(), from Manfred Spraul.

8) Honor NFTA_LAST_SET in nft_last.

9) Fix incorrect arithmetic when restoring last_jiffies in nft_last.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 5140aaa4604ba96685dc04b4d2dde3384bbaecef:

  s390: iucv: Avoid field over-reading memcpy() (2021-07-01 15:54:01 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to d322957ebfb9c21c2c72b66680f7c3ccd724e081:

  netfilter: uapi: refer to nfnetlink_conntrack.h, not nf_conntrack_netlink.h (2021-07-07 17:39:15 +0200)

----------------------------------------------------------------
Ali Abdallah (2):
      netfilter: conntrack: improve RST handling when tuple is re-used
      netfilter: conntrack: add new sysctl to disable RST check

Colin Ian King (1):
      netfilter: nf_tables: Fix dereference of null pointer flow

Duncan Roe (1):
      netfilter: uapi: refer to nfnetlink_conntrack.h, not nf_conntrack_netlink.h

Florian Westphal (2):
      selftest: netfilter: add test case for unreplied tcp connections
      netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state

Manfred Spraul (1):
      netfilter: conntrack: Mark access for KCSAN

Pablo Neira Ayuso (2):
      netfilter: nft_last: honor NFTA_LAST_SET on restoration
      netfilter: nft_last: incorrect arithmetics when restoring last used

Vasily Averin (2):
      netfilter: conntrack: nf_ct_gre_keymap_flush() removal
      netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo

 Documentation/networking/nf_conntrack-sysctl.rst   |   6 +
 include/net/netfilter/nf_conntrack_core.h          |   1 -
 include/net/netns/conntrack.h                      |   1 +
 include/uapi/linux/netfilter/nfnetlink_log.h       |   2 +-
 include/uapi/linux/netfilter/nfnetlink_queue.h     |   4 +-
 net/netfilter/nf_conntrack_core.c                  |  11 +-
 net/netfilter/nf_conntrack_netlink.c               |   3 +
 net/netfilter/nf_conntrack_proto.c                 |   7 -
 net/netfilter/nf_conntrack_proto_gre.c             |  13 --
 net/netfilter/nf_conntrack_proto_tcp.c             |  69 ++++++---
 net/netfilter/nf_conntrack_standalone.c            |  10 ++
 net/netfilter/nf_tables_api.c                      |   3 +-
 net/netfilter/nft_last.c                           |  12 +-
 tools/testing/selftests/netfilter/Makefile         |   2 +-
 .../selftests/netfilter/conntrack_tcp_unreplied.sh | 167 +++++++++++++++++++++
 15 files changed, 262 insertions(+), 49 deletions(-)
 create mode 100755 tools/testing/selftests/netfilter/conntrack_tcp_unreplied.sh

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH net 01/11] selftest: netfilter: add test case for unreplied tcp connections
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Florian Westphal <fw@strlen.de>

TCP connections in UNREPLIED state (only SYN seen) can be kept alive
indefinitely, as each SYN re-sets the timeout.

This means that even if a peer has closed its socket the entry
never times out.

This also prevents re-evaluation of configured NAT rules.
Add a test case that sets the SYN timeout to 10 seconds, then checks
that the nat redirection added later eventually takes effect.

This is based off a repro script from Antonio Ojea.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tools/testing/selftests/netfilter/Makefile    |   2 +-
 .../netfilter/conntrack_tcp_unreplied.sh      | 167 ++++++++++++++++++
 2 files changed, 168 insertions(+), 1 deletion(-)
 create mode 100755 tools/testing/selftests/netfilter/conntrack_tcp_unreplied.sh

diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
index cd6430b39982..8748199ac109 100644
--- a/tools/testing/selftests/netfilter/Makefile
+++ b/tools/testing/selftests/netfilter/Makefile
@@ -5,7 +5,7 @@ TEST_PROGS := nft_trans_stress.sh nft_fib.sh nft_nat.sh bridge_brouter.sh \
 	conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \
 	nft_concat_range.sh nft_conntrack_helper.sh \
 	nft_queue.sh nft_meta.sh nf_nat_edemux.sh \
-	ipip-conntrack-mtu.sh
+	ipip-conntrack-mtu.sh conntrack_tcp_unreplied.sh
 
 LDLIBS = -lmnl
 TEST_GEN_FILES =  nf-queue
diff --git a/tools/testing/selftests/netfilter/conntrack_tcp_unreplied.sh b/tools/testing/selftests/netfilter/conntrack_tcp_unreplied.sh
new file mode 100755
index 000000000000..e7d7bf13cff5
--- /dev/null
+++ b/tools/testing/selftests/netfilter/conntrack_tcp_unreplied.sh
@@ -0,0 +1,167 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Check that UNREPLIED tcp conntrack will eventually timeout.
+#
+
+# Kselftest framework requirement - SKIP code is 4.
+ksft_skip=4
+ret=0
+
+waittime=20
+sfx=$(mktemp -u "XXXXXXXX")
+ns1="ns1-$sfx"
+ns2="ns2-$sfx"
+
+nft --version > /dev/null 2>&1
+if [ $? -ne 0 ];then
+	echo "SKIP: Could not run test without nft tool"
+	exit $ksft_skip
+fi
+
+ip -Version > /dev/null 2>&1
+if [ $? -ne 0 ];then
+	echo "SKIP: Could not run test without ip tool"
+	exit $ksft_skip
+fi
+
+cleanup() {
+	ip netns pids $ns1 | xargs kill 2>/dev/null
+	ip netns pids $ns2 | xargs kill 2>/dev/null
+
+	ip netns del $ns1
+	ip netns del $ns2
+}
+
+ipv4() {
+    echo -n 192.168.$1.2
+}
+
+check_counter()
+{
+	ns=$1
+	name=$2
+	expect=$3
+	local lret=0
+
+	cnt=$(ip netns exec $ns2 nft list counter inet filter "$name" | grep -q "$expect")
+	if [ $? -ne 0 ]; then
+		echo "ERROR: counter $name in $ns2 has unexpected value (expected $expect)" 1>&2
+		ip netns exec $ns2 nft list counter inet filter "$name" 1>&2
+		lret=1
+	fi
+
+	return $lret
+}
+
+# Create test namespaces
+ip netns add $ns1 || exit 1
+
+trap cleanup EXIT
+
+ip netns add $ns2 || exit 1
+
+# Connect the namespace to the host using a veth pair
+ip -net $ns1 link add name veth1 type veth peer name veth2
+ip -net $ns1 link set netns $ns2 dev veth2
+
+ip -net $ns1 link set up dev lo
+ip -net $ns2 link set up dev lo
+ip -net $ns1 link set up dev veth1
+ip -net $ns2 link set up dev veth2
+
+ip -net $ns2 addr add 10.11.11.2/24 dev veth2
+ip -net $ns2 route add default via 10.11.11.1
+
+ip netns exec $ns2 sysctl -q net.ipv4.conf.veth2.forwarding=1
+
+# add a rule inside NS so we enable conntrack
+ip netns exec $ns1 iptables -A INPUT -m state --state established,related -j ACCEPT
+
+ip -net $ns1 addr add 10.11.11.1/24 dev veth1
+ip -net $ns1 route add 10.99.99.99 via 10.11.11.2
+
+# Check connectivity works
+ip netns exec $ns1 ping -q -c 2 10.11.11.2 >/dev/null || exit 1
+
+ip netns exec $ns2 nc -l -p 8080 < /dev/null &
+
+# however, conntrack entries are there
+
+ip netns exec $ns2 nft -f - <<EOF
+table inet filter {
+	counter connreq { }
+	counter redir { }
+	chain input {
+		type filter hook input priority 0; policy accept;
+		ct state new tcp flags syn ip daddr 10.99.99.99 tcp dport 80 counter name "connreq" accept
+		ct state new ct status dnat tcp dport 8080 counter name "redir" accept
+	}
+}
+EOF
+if [ $? -ne 0 ]; then
+	echo "ERROR: Could not load nft rules"
+	exit 1
+fi
+
+ip netns exec $ns2 sysctl -q net.netfilter.nf_conntrack_tcp_timeout_syn_sent=10
+
+echo "INFO: connect $ns1 -> $ns2 to the virtual ip"
+ip netns exec $ns1 bash -c 'while true ; do
+	nc -p 60000 10.99.99.99 80
+	sleep 1
+	done' &
+
+sleep 1
+
+ip netns exec $ns2 nft -f - <<EOF
+table inet nat {
+	chain prerouting {
+		type nat hook prerouting priority 0; policy accept;
+		ip daddr 10.99.99.99 tcp dport 80 redirect to :8080
+	}
+}
+EOF
+if [ $? -ne 0 ]; then
+	echo "ERROR: Could not load nat redirect"
+	exit 1
+fi
+
+count=$(ip netns exec $ns2 conntrack -L -p tcp --dport 80 2>/dev/null | wc -l)
+if [ $count -eq 0 ]; then
+	echo "ERROR: $ns2 did not pick up tcp connection from peer"
+	exit 1
+fi
+
+echo "INFO: NAT redirect added in ns $ns2, waiting for $waittime seconds for nat to take effect"
+for i in $(seq 1 $waittime); do
+	echo -n "."
+
+	sleep 1
+
+	count=$(ip netns exec $ns2 conntrack -L -p tcp --reply-port-src 8080 2>/dev/null | wc -l)
+	if [ $count -gt 0 ]; then
+		echo
+		echo "PASS: redirection took effect after $i seconds"
+		break
+	fi
+
+	m=$((i%20))
+	if [ $m -eq 0 ]; then
+		echo " waited for $i seconds"
+	fi
+done
+
+expect="packets 1 bytes 60"
+check_counter "$ns2" "redir" "$expect"
+if [ $? -ne 0 ]; then
+	ret=1
+fi
+
+if [ $ret -eq 0 ];then
+	echo "PASS: redirection counter has expected values"
+else
+	echo "ERROR: no tcp connection was redirected"
+fi
+
+exit $ret
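
Review bot: the tool probes at the top cover only nft and ip, yet the script also needs conntrack, nc and iptables (`conntrack -L -p tcp --dport 80 2>/dev/null | wc -l`, `nc -l -p 8080`, `iptables -A INPUT -m state ...`); because stderr is discarded, a host without the conntrack binary yields count=0 and the run reports "ERROR: $ns2 did not pick up tcp connection from peer" instead of exiting with $ksft_skip. Probe those three with `command -v` (or their version switches) and skip, as is done for nft and ip. Smaller points in the same hunk: check_counter() assigns `ns=$1` and then uses `$ns2` directly, so the parameter is dead; `cnt=$(... | grep -q "$expect")` captures nothing because of -q, so drop the assignment and test the pipeline's exit status directly; and the `m=$((i%20))` progress message can only fire on the last iteration when waittime=20, so it never adds information.
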
-- 
2.20.1



* [PATCH net 02/11] netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Florian Westphal <fw@strlen.de>

Consider:
  client -----> conntrack ---> Host

client sends a SYN, but $Host is unreachable/silent.
Client eventually gives up and the conntrack entry will time out.

However, if the client is restarted with same addr/port pair, it
may prevent the conntrack entry from timing out.

This is noticeable when the existing conntrack entry has no NAT
transformation or an outdated one and port reuse happens either
on client or due to a NAT middlebox.

This change prevents refresh of the timeout for SYN retransmits,
so the entry goes away after nf_conntrack_tcp_timeout_syn_sent
seconds (default: 60).

Entry will be re-created on next connection attempt, but then
nat rules will be evaluated again.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_proto_tcp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index f7e8baf59b51..eb4de92077a8 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1134,6 +1134,16 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
 			nf_ct_kill_acct(ct, ctinfo, skb);
 			return NF_ACCEPT;
 		}
+
+		if (index == TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT) {
+			/* do not renew timeout on SYN retransmit.
+			 *
+			 * Else port reuse by client or NAT middlebox can keep
+			 * entry alive indefinitely (including nat info).
+			 */
+			return NF_ACCEPT;
+		}
+
 		/* ESTABLISHED without SEEN_REPLY, i.e. mid-connection
 		 * pickup with loose=1. Avoid large ESTABLISHED timeout.
 		 */
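
Review bot: the new early return tests only `index == TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT` and not the packet direction, so a SYN in the reply direction while the entry is still in SYN_SENT (simultaneous open) also returns here and skips the timeout refresh that the rest of the function performs for every other packet; if that is intended it deserves a sentence in the comment, otherwise add a `dir == IP_CT_DIR_ORIGINAL` test (`dir` is already used elsewhere in this function) or compare against new_state as well. Returning before the common exit also bypasses whatever per-packet accounting is done there, so retransmitted SYNs are no longer counted; spell that out in the comment so nobody reads the entry's counters as a retransmit count.
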
-- 
2.20.1
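
As an added illustration that is not part of this patch or of the kernel tree, the following userspace C model replays the scenario the commit message describes: a client re-sending SYNs for the same address/port pair, a NAT redirect loaded while the conntrack entry already exists, and the two timeout policies (refresh on every SYN versus the behaviour after this patch). The struct, the function names and the two retry schedules are assumptions made for the example; nf_conntrack_tcp_timeout_syn_sent is passed in as a plain integer.

```c
/*
 * Added example, not kernel code: a userspace model of how a SYN_SENT
 * conntrack entry interacts with SYN retransmits and NAT rule evaluation.
 * Names, the struct and the retry schedules are assumptions for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct ct_entry {
	bool exists;
	int expires_at;		/* absolute time in seconds */
	int nat_generation;	/* NAT ruleset in force when the entry was created */
};

/*
 * One original-direction SYN arriving at time `now`.
 * refresh_on_retransmit == true models the behaviour before the patch.
 */
static void syn_arrives(struct ct_entry *ct, int now, int nat_generation,
			int syn_sent_timeout, bool refresh_on_retransmit)
{
	if (ct->exists && now >= ct->expires_at)
		ct->exists = false;		/* entry timed out, lookup misses */

	if (!ct->exists) {
		/* new entry: NAT rules are consulted only at this point */
		ct->exists = true;
		ct->nat_generation = nat_generation;
		ct->expires_at = now + syn_sent_timeout;
		return;
	}

	/* existing entry still in SYN_SENT: retransmit or port reuse */
	if (refresh_on_retransmit)
		ct->expires_at = now + syn_sent_timeout;
}

/*
 * Feed SYNs at the given times (same address/port pair every time). A NAT
 * redirect is loaded at nat_added_at. Returns the time of the first SYN
 * that hits an entry created under the new NAT rules, or -1 if the old
 * entry never expires within the schedule.
 */
int first_redirected_syn(const int *syn_times, size_t n, int nat_added_at,
			 int syn_sent_timeout, bool refresh_on_retransmit)
{
	struct ct_entry ct = { 0 };

	for (size_t i = 0; i < n; i++) {
		int t = syn_times[i];
		int gen = t >= nat_added_at ? 1 : 0;

		syn_arrives(&ct, t, gen, syn_sent_timeout, refresh_on_retransmit);
		if (ct.nat_generation == 1)
			return t;
	}
	return -1;
}

/* Constructed schedule 1: a client looping once per second with a pinned
 * source port, like the selftest's `nc -p 60000` loop. */
int first_redirected_syn_loop(int seconds, int nat_added_at,
			      int syn_sent_timeout, bool refresh_on_retransmit)
{
	int times[1024];

	if (seconds > 1024)
		seconds = 1024;
	for (int i = 0; i < seconds; i++)
		times[i] = i;
	return first_redirected_syn(times, (size_t)seconds, nat_added_at,
				    syn_sent_timeout, refresh_on_retransmit);
}

/* Constructed schedule 2: one Linux-style SYN backoff (RTO 1s, doubling). */
static const int backoff[] = { 0, 1, 3, 7, 15, 31, 63 };

int main(void)
{
	printf("per-second loop, timeout 10s, old: %d\n",
	       first_redirected_syn_loop(120, 5, 10, true));
	printf("per-second loop, timeout 10s, new: %d\n",
	       first_redirected_syn_loop(120, 5, 10, false));
	printf("syn backoff, timeout 60s, old: %d\n",
	       first_redirected_syn(backoff, 7, 5, 60, true));
	printf("syn backoff, timeout 60s, new: %d\n",
	       first_redirected_syn(backoff, 7, 5, 60, false));
	return 0;
}
```

Compiled and run as is, it prints the first second at which a SYN sees the new NAT rules under each policy: with per-second retries and a 10 second SYN_SENT timeout (the selftest's setting) the old behaviour never gets there and the new one does at t=10; with the backoff schedule and the 60 second default, the old behaviour keeps the entry alive across the 63 second retransmit while the new one re-creates it there and evaluates the redirect.
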



* [PATCH net 03/11] netfilter: nf_tables: Fix dereference of null pointer flow
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Colin Ian King <colin.king@canonical.com>

In the case where chain->flags & NFT_CHAIN_HW_OFFLOAD is false then
nft_flow_rule_create is not called and flow is NULL. The subsequent
error handling execution via label err_destroy_flow_rule will lead
to a null pointer dereference on flow when calling nft_flow_rule_destroy.
Since the error path to err_destroy_flow_rule has to cater for null
and non-null flows, only call nft_flow_rule_destroy if flow is non-null
to fix this issue.

Addresses-Coverity: ("Explicity null dereference")
Fixes: 3c5e44622011 ("netfilter: nf_tables: memleak in hw offload abort path")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 390d4466567f..de182d1f7c4e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3446,7 +3446,8 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
 	return 0;
 
 err_destroy_flow_rule:
-	nft_flow_rule_destroy(flow);
+	if (flow)
+		nft_flow_rule_destroy(flow);
 err_release_rule:
 	nf_tables_rule_release(&ctx, rule);
 err_release_expr:
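
Review bot: the `if (flow)` guard stops the crash, but it also hides which callers legitimately reach err_destroy_flow_rule with flow == NULL. Two cleaner shapes: have the failure sites that run before nft_flow_rule_create() jump to err_release_rule and reserve err_destroy_flow_rule for the offload path, or make nft_flow_rule_destroy() tolerate NULL the way kfree() does so future error paths need not repeat the check. Either way the Fixes: tag correctly names the commit that introduced the label.
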
-- 
2.20.1



* [PATCH net 04/11] netfilter: conntrack: nf_ct_gre_keymap_flush() removal
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Vasily Averin <vvs@virtuozzo.com>

nf_ct_gre_keymap_flush() is useless.
It is called from nf_conntrack_cleanup_net_list() only and tries to remove
nf_ct_gre_keymap entries from pernet gre keymap list. Though:
a) at this point the list should already be empty, all its entries were
deleted during the conntracks cleanup, because
nf_conntrack_cleanup_net_list() executes nf_ct_iterate_cleanup(kill_all)
before nf_conntrack_proto_pernet_fini():
 nf_conntrack_cleanup_net_list
  +- nf_ct_iterate_cleanup
  |   nf_ct_put
  |    nf_conntrack_put
  |     nf_conntrack_destroy
  |      destroy_conntrack
  |       destroy_gre_conntrack
  |        nf_ct_gre_keymap_destroy
  `- nf_conntrack_proto_pernet_fini
      nf_ct_gre_keymap_flush

b) Let's say we find that the keymap list is not empty. This means netns
still has a conntrack associated with gre, in which case we should not free
its memory, because this will lead to a double free and related crashes.
However I doubt it could have gone unnoticed for years, obviously
this does not happen in real life. So I think we can remove
both nf_ct_gre_keymap_flush() and nf_conntrack_proto_pernet_fini().

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_conntrack_core.h |  1 -
 net/netfilter/nf_conntrack_core.c         |  1 -
 net/netfilter/nf_conntrack_proto.c        |  7 -------
 net/netfilter/nf_conntrack_proto_gre.c    | 13 -------------
 4 files changed, 22 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 09f2efea0b97..13807ea94cd2 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -30,7 +30,6 @@ void nf_conntrack_cleanup_net(struct net *net);
 void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list);
 
 void nf_conntrack_proto_pernet_init(struct net *net);
-void nf_conntrack_proto_pernet_fini(struct net *net);
 
 int nf_conntrack_proto_init(void);
 void nf_conntrack_proto_fini(void);
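
Review bot: this header hunk removes only the nf_conntrack_proto_pernet_fini() prototype. nf_ct_gre_keymap_flush() was non-static and called from nf_conntrack_proto.c without being defined there, so a prototype for it exists in some header, and the diffstat lists no header other than this one; that prototype is now dangling and should be dropped in the same patch.
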
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 96ba19fc8155..085a11f1eb43 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2457,7 +2457,6 @@ void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
 	}
 
 	list_for_each_entry(net, net_exit_list, exit_list) {
-		nf_conntrack_proto_pernet_fini(net);
 		nf_conntrack_ecache_pernet_fini(net);
 		nf_conntrack_expect_pernet_fini(net);
 		free_percpu(net->ct.stat);
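
Review bot: dropping the nf_conntrack_proto_pernet_fini() call from this loop relies on the ordering the commit message describes (nf_ct_iterate_cleanup(kill_all) above having emptied the GRE keymap list), but nothing now checks that it holds. Rather than deleting the hook, an option is to keep nf_conntrack_proto_pernet_fini() as a `WARN_ON_ONCE(!list_empty(&gre_pernet(net)->keymap_list))` under CONFIG_NF_CT_PROTO_GRE, which documents the invariant at the place it must hold and turns a future reordering of this loop into a warning instead of the silent leak or double free the message mentions.
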
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 55647409a9be..8f7a9837349c 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -697,13 +697,6 @@ void nf_conntrack_proto_pernet_init(struct net *net)
 #endif
 }
 
-void nf_conntrack_proto_pernet_fini(struct net *net)
-{
-#ifdef CONFIG_NF_CT_PROTO_GRE
-	nf_ct_gre_keymap_flush(net);
-#endif
-}
-
 module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
 		  &nf_conntrack_htable_size, 0600);
 
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index db11e403d818..728eeb0aea87 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -55,19 +55,6 @@ static inline struct nf_gre_net *gre_pernet(struct net *net)
 	return &net->ct.nf_ct_proto.gre;
 }
 
-void nf_ct_gre_keymap_flush(struct net *net)
-{
-	struct nf_gre_net *net_gre = gre_pernet(net);
-	struct nf_ct_gre_keymap *km, *tmp;
-
-	spin_lock_bh(&keymap_lock);
-	list_for_each_entry_safe(km, tmp, &net_gre->keymap_list, list) {
-		list_del_rcu(&km->list);
-		kfree_rcu(km, rcu);
-	}
-	spin_unlock_bh(&keymap_lock);
-}
-
 static inline int gre_key_cmpfn(const struct nf_ct_gre_keymap *km,
 				const struct nf_conntrack_tuple *t)
 {
-- 
2.20.1



* [PATCH net 05/11] netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Vasily Averin <vvs@virtuozzo.com>

Two patches listed below removed the ctnetlink_dump_helpinfo() call from under
rcu_read_lock(). Now its rcu_dereference() generates the following warning:
=============================
WARNING: suspicious RCU usage
5.13.0+ #5 Not tainted
-----------------------------
net/netfilter/nf_conntrack_netlink.c:221 suspicious rcu_dereference_check() usage!

other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
stack backtrace:
CPU: 1 PID: 2251 Comm: conntrack Not tainted 5.13.0+ #5
Call Trace:
 dump_stack+0x7f/0xa1
 ctnetlink_dump_helpinfo+0x134/0x150 [nf_conntrack_netlink]
 ctnetlink_fill_info+0x2c2/0x390 [nf_conntrack_netlink]
 ctnetlink_dump_table+0x13f/0x370 [nf_conntrack_netlink]
 netlink_dump+0x10c/0x370
 __netlink_dump_start+0x1a7/0x260
 ctnetlink_get_conntrack+0x1e5/0x250 [nf_conntrack_netlink]
 nfnetlink_rcv_msg+0x613/0x993 [nfnetlink]
 netlink_rcv_skb+0x50/0x100
 nfnetlink_rcv+0x55/0x120 [nfnetlink]
 netlink_unicast+0x181/0x260
 netlink_sendmsg+0x23f/0x460
 sock_sendmsg+0x5b/0x60
 __sys_sendto+0xf1/0x160
 __x64_sys_sendto+0x24/0x30
 do_syscall_64+0x36/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 49ca022bccc5 ("netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks")
Fixes: 0b35f6031a00 ("netfilter: Remove duplicated rcu_read_lock.")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 4e1a9dba7077..e81af33b233b 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -218,6 +218,7 @@ static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
 	if (!help)
 		return 0;
 
+	rcu_read_lock();
 	helper = rcu_dereference(help->helper);
 	if (!helper)
 		goto out;
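
Review bot: the new rcu_read_lock() has no comment saying what it protects; help->helper is an RCU-managed pointer (that is what the rcu_dereference() on the next line asserts), and the lockdep splat appeared precisely because the callers' own read-side sections were removed in the two commits named in the Fixes: tags. A one-line comment here, or an rcu_dereference_check() carrying the dump-side lockdep condition if one is available, would stop the next cleanup from removing the section again.
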
@@ -233,9 +234,11 @@ static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
 
 	nla_nest_end(skb, nest_helper);
 out:
+	rcu_read_unlock();
 	return 0;
 
 nla_put_failure:
+	rcu_read_unlock();
 	return -1;
 }
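
Review bot: the function now has two unlock sites; since `out:` and `nla_put_failure:` differ only in the return value, collapsing them into a single exit (`ret = -1; goto out;` with `out: rcu_read_unlock(); return ret;`) keeps the lock and unlock visibly paired. Also confirm against the full function that no `goto nla_put_failure` can be reached before the rcu_read_lock() added above the helper dereference, or the unlock here would be unbalanced; from the visible context every jump comes after it.
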
 
-- 
2.20.1



* [PATCH net 06/11] netfilter: conntrack: improve RST handling when tuple is re-used
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Ali Abdallah <aabdallah@suse.de>

If we receive a SYN packet in original direction on an existing
connection tracking entry, we let this SYN through because conntrack
might be out-of-sync.

Conntrack gets back in sync when server responds with SYN/ACK and state
gets updated accordingly.

However, if server replies with RST, this packet might be marked as
INVALID because td_maxack value reflects the *old* conntrack state
and not the state of the originator of the RST.

Avoid td_maxack-based checks if previous packet was a SYN.

Unfortunately that is not enough: an out-of-order ACK in the original
direction updates last_index, so we still end up marking valid RSTs as invalid.

Thus disable the sequence check when we are not in established state and
the received RST has a sequence of 0.

Because marking RSTs as invalid usually leads to unwanted timeouts,
also skip RST sequence checks if a conntrack entry is already closing.

Such entries can already be evicted via GC in case the table is full.

Co-developed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Ali Abdallah <aabdallah@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_proto_tcp.c | 53 +++++++++++++++++---------
 1 file changed, 36 insertions(+), 17 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index eb4de92077a8..b8ff67671e93 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -823,6 +823,22 @@ static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 	return true;
 }
 
+static bool tcp_can_early_drop(const struct nf_conn *ct)
+{
+	switch (ct->proto.tcp.state) {
+	case TCP_CONNTRACK_FIN_WAIT:
+	case TCP_CONNTRACK_LAST_ACK:
+	case TCP_CONNTRACK_TIME_WAIT:
+	case TCP_CONNTRACK_CLOSE:
+	case TCP_CONNTRACK_CLOSE_WAIT:
+		return true;
+	default:
+		break;
+	}
+
+	return false;
+}
+
 /* Returns verdict for packet, or -1 for invalid. */
 int nf_conntrack_tcp_packet(struct nf_conn *ct,
 			    struct sk_buff *skb,
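
Review bot: moving tcp_can_early_drop() above nf_conntrack_tcp_packet() only to satisfy the new call site adds sixteen lines of pure churn to a fix that will be backported; a forward declaration next to the existing prototypes would confine the diff to the behaviour change and make the stable backport a one-hunk patch.
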
@@ -1030,9 +1046,28 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
 		if (index != TCP_RST_SET)
 			break;
 
-		if (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) {
+		/* If we are closing, tuple might have been re-used already.
+		 * last_index, last_ack, and all other ct fields used for
+		 * sequence/window validation are outdated in that case.
+		 *
+		 * As the conntrack can already be expired by GC under pressure,
+		 * just skip validation checks.
+		 */
+		if (tcp_can_early_drop(ct))
+			goto in_window;
+
+		/* td_maxack might be outdated if we let a SYN through earlier */
+		if ((ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) &&
+		    ct->proto.tcp.last_index != TCP_SYN_SET) {
 			u32 seq = ntohl(th->seq);
 
+			/* If we are not in established state and SEQ=0 this is most
+			 * likely an answer to a SYN we let go through above (last_index
+			 * can be updated due to out-of-order ACKs).
+			 */
+			if (seq == 0 && !nf_conntrack_tcp_established(ct))
+				break;
+
 			if (before(seq, ct->proto.tcp.seen[!dir].td_maxack)) {
 				/* Invalid RST  */
 				spin_unlock_bh(&ct->lock);
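
Review bot: the `seq == 0 && !nf_conntrack_tcp_established(ct)` exemption accepts any RST with sequence number 0 in every non-established state, which is wider than the case it targets. The RST a host sends in answer to a SYN carries SEQ=0 together with the ACK flag (RFC 793), so adding `th->ack` to the condition narrows the bypass without affecting the legitimate case. The hunk also treats its two exemptions differently without saying why: `goto in_window` for a closing entry skips every check that follows the switch, whereas `break` for the SEQ=0 case skips only the td_maxack comparison and still reaches whatever window validation follows; a short comment on that asymmetry would help the next reader.
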
@@ -1165,22 +1200,6 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
 	return NF_ACCEPT;
 }
 
-static bool tcp_can_early_drop(const struct nf_conn *ct)
-{
-	switch (ct->proto.tcp.state) {
-	case TCP_CONNTRACK_FIN_WAIT:
-	case TCP_CONNTRACK_LAST_ACK:
-	case TCP_CONNTRACK_TIME_WAIT:
-	case TCP_CONNTRACK_CLOSE:
-	case TCP_CONNTRACK_CLOSE_WAIT:
-		return true;
-	default:
-		break;
-	}
-
-	return false;
-}
-
 #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
 
 #include <linux/netfilter/nfnetlink.h>
-- 
2.20.1



* [PATCH net 07/11] netfilter: conntrack: add new sysctl to disable RST check
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Ali Abdallah <ali.abdallah@suse.com>

This patch adds a new sysctl tcp_ignore_invalid_rst to disable marking
out-of-segment RSTs as INVALID.

Signed-off-by: Ali Abdallah <aabdallah@suse.de>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 Documentation/networking/nf_conntrack-sysctl.rst |  6 ++++++
 include/net/netns/conntrack.h                    |  1 +
 net/netfilter/nf_conntrack_proto_tcp.c           |  6 +++++-
 net/netfilter/nf_conntrack_standalone.c          | 10 ++++++++++
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst
index 0467b30e4abe..d31ed6c1cb0d 100644
--- a/Documentation/networking/nf_conntrack-sysctl.rst
+++ b/Documentation/networking/nf_conntrack-sysctl.rst
@@ -110,6 +110,12 @@ nf_conntrack_tcp_be_liberal - BOOLEAN
 	Be conservative in what you do, be liberal in what you accept from others.
 	If it's non-zero, we mark only out of window RST segments as INVALID.
 
+nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
+	- 0 - disabled (default)
+	- 1 - enabled
+
+	If it's 1, we don't mark out of window RST segments as INVALID.
+
 nf_conntrack_tcp_loose - BOOLEAN
 	- 0 - disabled
 	- not 0 - enabled (default)
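
Review bot: the new text "we don't mark out of window RST segments as INVALID" reuses the wording of nf_conntrack_tcp_be_liberal directly above it, so the two knobs read as duplicates. The code only guards the td_maxack comparison, so describe that precisely (RSTs whose sequence number is below the highest ACK seen from the peer are no longer marked INVALID), and note that, like the other tcp knobs here, the setting is per network namespace.
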
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index c3094b83a525..37e5300c7e5a 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -27,6 +27,7 @@ struct nf_tcp_net {
 	u8 tcp_loose;
 	u8 tcp_be_liberal;
 	u8 tcp_max_retrans;
+	u8 tcp_ignore_invalid_rst;
 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
 	unsigned int offload_timeout;
 	unsigned int offload_pickup;
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index b8ff67671e93..3259416f2ea4 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1068,7 +1068,8 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
 			if (seq == 0 && !nf_conntrack_tcp_established(ct))
 				break;
 
-			if (before(seq, ct->proto.tcp.seen[!dir].td_maxack)) {
+			if (before(seq, ct->proto.tcp.seen[!dir].td_maxack) &&
+			    !tn->tcp_ignore_invalid_rst) {
 				/* Invalid RST  */
 				spin_unlock_bh(&ct->lock);
 				nf_ct_l4proto_log_invalid(skb, ct, state, "invalid rst");
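
Review bot: `!tn->tcp_ignore_invalid_rst` only suppresses the INVALID verdict; an exempted RST does not jump to in_window but falls through to whatever checks follow the switch, so it is not "ignored" or "accepted" outright. That is probably the right behaviour, but neither the sysctl name nor the init comment in the next hunk ("we turn off RST sequence number check") says so; add a comment at this site stating the exact effect. Reading the knob with READ_ONCE() would also be tidier since the sysctl handler can change it while packets are being processed, although the sibling knobs are read the same way, so that is a pre-existing pattern rather than a blocker.
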
@@ -1466,6 +1467,9 @@ void nf_conntrack_tcp_init_net(struct net *net)
 	 */
 	tn->tcp_be_liberal = 0;
 
+	/* If it's non-zero, we turn off RST sequence number check */
+	tn->tcp_ignore_invalid_rst = 0;
+
 	/* Max number of the retransmitted packets without receiving an (acceptable)
 	 * ACK from the destination. If this number is reached, a shorter timer
 	 * will be started.
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index f57a951c9b5e..214d9f9e499b 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -579,6 +579,7 @@ enum nf_ct_sysctl_index {
 #endif
 	NF_SYSCTL_CT_PROTO_TCP_LOOSE,
 	NF_SYSCTL_CT_PROTO_TCP_LIBERAL,
+	NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST,
 	NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS,
 	NF_SYSCTL_CT_PROTO_TIMEOUT_UDP,
 	NF_SYSCTL_CT_PROTO_TIMEOUT_UDP_STREAM,
@@ -798,6 +799,14 @@ static struct ctl_table nf_ct_sysctl_table[] = {
 		.extra1 	= SYSCTL_ZERO,
 		.extra2 	= SYSCTL_ONE,
 	},
+	[NF_SYSCTL_CT_PROTO_TCP_IGNORE_INVALID_RST] = {
+		.procname	= "nf_conntrack_tcp_ignore_invalid_rst",
+		.maxlen		= sizeof(u8),
+		.mode		= 0644,
+		.proc_handler	= proc_dou8vec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_ONE,
+	},
 	[NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = {
 		.procname	= "nf_conntrack_tcp_max_retrans",
 		.maxlen		= sizeof(u8),
@@ -1004,6 +1013,7 @@ static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net,
 	XASSIGN(LOOSE, &tn->tcp_loose);
 	XASSIGN(LIBERAL, &tn->tcp_be_liberal);
 	XASSIGN(MAX_RETRANS, &tn->tcp_max_retrans);
+	XASSIGN(IGNORE_INVALID_RST, &tn->tcp_ignore_invalid_rst);
 #undef XASSIGN
 
 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
-- 
2.20.1
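
As an added example that is not part of this series or of the kernel, the following userspace C model isolates the RST verdict logic from patches 06 and 07 above so that each exemption can be exercised with constructed inputs. State and index names mirror the kernel's; the struct layout, the verdict enum and the helper names are assumptions, and the generic window validation that runs after the switch in nf_conntrack_tcp_packet() is deliberately left out, so RST_WINDOW_CHECK means "not rejected by this branch", not "accepted".

```c
/*
 * Added example, not kernel code: a userspace model of the RST branch of
 * nf_conntrack_tcp_packet() as it reads after the two RST patches. The
 * checks that follow the switch in the kernel are not modelled.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum ct_tcp_state {		/* subset of the kernel's TCP conntrack states */
	CT_SYN_SENT, CT_SYN_RECV, CT_ESTABLISHED, CT_FIN_WAIT,
	CT_CLOSE_WAIT, CT_LAST_ACK, CT_TIME_WAIT, CT_CLOSE,
};

enum tcp_bit_index { TCP_SYN_SET, TCP_SYNACK_SET, TCP_FIN_SET, TCP_ACK_SET, TCP_RST_SET };

enum rst_verdict {
	RST_INVALID,		/* -NF_ACCEPT with "invalid rst" logged */
	RST_SKIP_CHECKS,	/* goto in_window: no sequence validation at all */
	RST_WINDOW_CHECK,	/* break: continue to the normal window check */
};

struct ct_model {
	enum ct_tcp_state state;
	enum tcp_bit_index last_index;	/* previous packet, either direction */
	bool peer_maxack_set;		/* seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET */
	uint32_t peer_td_maxack;	/* seen[!dir].td_maxack */
};

/* Kernel's before(): seq1 precedes seq2 in 32-bit sequence space */
static bool before(uint32_t seq1, uint32_t seq2)
{
	return (int32_t)(seq1 - seq2) < 0;
}

/* Same state set as the kernel's tcp_can_early_drop() */
static bool tcp_can_early_drop(const struct ct_model *ct)
{
	switch (ct->state) {
	case CT_FIN_WAIT:
	case CT_LAST_ACK:
	case CT_TIME_WAIT:
	case CT_CLOSE:
	case CT_CLOSE_WAIT:
		return true;
	default:
		return false;
	}
}

/*
 * The RST branch: ct is the entry the RST matched, rst_seq the RST's
 * sequence number, ignore_invalid_rst the value of the new sysctl.
 */
enum rst_verdict rst_verdict(const struct ct_model *ct, uint32_t rst_seq,
			     bool ignore_invalid_rst)
{
	/* closing entry: tuple may already be reused, tracked values are stale */
	if (tcp_can_early_drop(ct))
		return RST_SKIP_CHECKS;

	/* td_maxack is outdated if the previous packet was a SYN we let through */
	if (ct->peer_maxack_set && ct->last_index != TCP_SYN_SET) {
		/* SEQ=0 outside ESTABLISHED: most likely the answer to that SYN */
		if (rst_seq == 0 && ct->state != CT_ESTABLISHED)
			return RST_WINDOW_CHECK;

		if (before(rst_seq, ct->peer_td_maxack) && !ignore_invalid_rst)
			return RST_INVALID;
	}
	return RST_WINDOW_CHECK;
}

/* Convenience wrapper building a ct with the peer's td_maxack already set */
enum rst_verdict verdict_for(enum ct_tcp_state state, enum tcp_bit_index last_index,
			     uint32_t peer_td_maxack, uint32_t rst_seq,
			     bool ignore_invalid_rst)
{
	struct ct_model ct = { state, last_index, true, peer_td_maxack };

	return rst_verdict(&ct, rst_seq, ignore_invalid_rst);
}

int main(void)
{
	/* constructed scenarios: 0 = invalid, 1 = skip checks, 2 = window check */
	printf("resync, RST answers the SYN we let through: %d\n",
	       verdict_for(CT_SYN_SENT, TCP_SYN_SET, 123456, 0, false));
	printf("same, but an out-of-order ACK moved last_index: %d\n",
	       verdict_for(CT_SYN_SENT, TCP_ACK_SET, 123456, 0, false));
	printf("established flow, stale RST below td_maxack: %d\n",
	       verdict_for(CT_ESTABLISHED, TCP_ACK_SET, 5000, 4000, false));
	printf("same with nf_conntrack_tcp_ignore_invalid_rst=1: %d\n",
	       verdict_for(CT_ESTABLISHED, TCP_ACK_SET, 5000, 4000, true));
	printf("entry in CLOSE_WAIT, any RST: %d\n",
	       verdict_for(CT_CLOSE_WAIT, TCP_ACK_SET, 5000, 4000, false));
	return 0;
}
```

The wrap-around case (peer td_maxack just past 2^32, RST sequence just below it) goes through the same signed subtraction the kernel uses, which is why the example keeps before() rather than a plain comparison; and SEQ=0 is only exempt outside ESTABLISHED, so a zero-sequence RST against a live established flow is still rejected unless the sysctl is set.
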



* [PATCH net 08/11] netfilter: conntrack: Mark access for KCSAN
@ 2021-07-07 16:18 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Manfred Spraul <manfred@colorfullife.com>

KCSAN detected a data race with ipc/sem.c that is intentional.

As nf_conntrack_lock() uses the same algorithm: Update
nf_conntrack_core as well:

nf_conntrack_lock() contains
  a1) spin_lock()
  a2) smp_load_acquire(nf_conntrack_locks_all).

a1) actually accesses one lock from an array of locks.

nf_conntrack_locks_all() contains
  b1) nf_conntrack_locks_all=true (normal write)
  b2) spin_lock()
  b3) spin_unlock()

b2 and b3 are done for every lock.

This guarantees that nf_conntrack_locks_all() prevents any
concurrent nf_conntrack_lock() owners:
If a thread past a1), then b2) will block until that thread releases
the lock.
If the thread is before a1, then b3)+a1) ensure the write b1) is
visible, thus a2) is guaranteed to see the updated value.

But: This is only the latest time when b1) becomes visible.
It may also happen that b1) is visible an undefined amount of time
before the b3). And thus KCSAN will notice a data race.

In addition, the compiler might be too clever.

Solution: Use WRITE_ONCE().

Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 085a11f1eb43..83c52df85870 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -149,7 +149,15 @@ static void nf_conntrack_all_lock(void)
 
 	spin_lock(&nf_conntrack_locks_all_lock);
 
-	nf_conntrack_locks_all = true;
+	/* For nf_contrack_locks_all, only the latest time when another
+	 * CPU will see an update is controlled, by the "release" of the
+	 * spin_lock below.
+	 * The earliest time is not controlled, an thus KCSAN could detect
+	 * a race when nf_conntract_lock() reads the variable.
+	 * WRITE_ONCE() is used to ensure the compiler will not
+	 * optimize the write.
+	 */
+	WRITE_ONCE(nf_conntrack_locks_all, true);
 
 	for (i = 0; i < CONNTRACK_LOCKS; i++) {
 		spin_lock(&nf_conntrack_locks[i]);
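Review bot: the added comment has three typos that will mislead anyone grepping for the identifiers: "nf_contrack_locks_all" should be "nf_conntrack_locks_all", "nf_conntract_lock()" should be "nf_conntrack_lock()", and "an thus" should be "and thus". While touching it, the comment could also name the reader it pairs with, since the commit message says nf_conntrack_lock() uses smp_load_acquire() on this flag: e.g. "WRITE_ONCE() pairs with the smp_load_acquire() in nf_conntrack_lock() and keeps the compiler from tearing or eliding the write." The WRITE_ONCE() itself is the right annotation here; the unlock/lock pairs in the loop below still provide the ordering, and the change only documents the intentional race to KCSAN.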
-- 
2.20.1



* [PATCH net 09/11] netfilter: nft_last: honor NFTA_LAST_SET on restoration
@ 2021-07-07 16:18 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

NFTA_LAST_SET tells us if this expression has ever seen a packet; do not
ignore this attribute when restoring the ruleset.

Fixes: 836382dc2471 ("netfilter: nf_tables: add last expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_last.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_last.c b/net/netfilter/nft_last.c
index 913ac45167f2..bbb352b64c73 100644
--- a/net/netfilter/nft_last.c
+++ b/net/netfilter/nft_last.c
@@ -23,15 +23,21 @@ static int nft_last_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 {
 	struct nft_last_priv *priv = nft_expr_priv(expr);
 	u64 last_jiffies;
+	u32 last_set = 0;
 	int err;
 
-	if (tb[NFTA_LAST_MSECS]) {
+	if (tb[NFTA_LAST_SET]) {
+		last_set = ntohl(nla_get_be32(tb[NFTA_LAST_SET]));
+		if (last_set == 1)
+			priv->last_set = 1;
+	}
+
+	if (last_set && tb[NFTA_LAST_MSECS]) {
 		err = nf_msecs_to_jiffies64(tb[NFTA_LAST_MSECS], &last_jiffies);
 		if (err < 0)
 			return err;
 
 		priv->last_jiffies = jiffies + (unsigned long)last_jiffies;
-		priv->last_set = 1;
 	}
 
 	return 0;
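Review bot: values of NFTA_LAST_SET other than 0 or 1 are handled inconsistently: "if (last_set == 1) priv->last_set = 1;" only records the flag for exactly 1, but the following "if (last_set && tb[NFTA_LAST_MSECS])" restores last_jiffies for any non-zero value, so a userspace that sends e.g. 2 ends up with a timestamp but last_set == 0. Either normalise with "priv->last_set = !!last_set;" or reject anything above 1 with -EINVAL so the attribute has one defined meaning. Separately, the restored timestamp is still computed as "jiffies + (unsigned long)last_jiffies"; since NFTA_LAST_MSECS is the time elapsed since the last match, adding it places the last-used time in the future (the following patch in this series changes the sign).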
-- 
2.20.1



* [PATCH net 10/11] netfilter: nft_last: incorrect arithmetics when restoring last used
@ 2021-07-07 16:18 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Subtract the jiffies that have passed from the current jiffies to fix last
used restoration.

Fixes: 836382dc2471 ("netfilter: nf_tables: add last expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_last.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_last.c b/net/netfilter/nft_last.c
index bbb352b64c73..8088b99f2ee3 100644
--- a/net/netfilter/nft_last.c
+++ b/net/netfilter/nft_last.c
@@ -37,7 +37,7 @@ static int nft_last_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 		if (err < 0)
 			return err;
 
-		priv->last_jiffies = jiffies + (unsigned long)last_jiffies;
+		priv->last_jiffies = jiffies - (unsigned long)last_jiffies;
 	}
 
 	return 0;
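Review bot: the sign flip is correct but undocumented at the point of use; a one-line comment above "priv->last_jiffies = jiffies - (unsigned long)last_jiffies;" stating that NFTA_LAST_MSECS carries the time elapsed since the last match (not an absolute timestamp) would stop the next reader from "fixing" it back to an addition, which is exactly the bug this patch corrects. The unsigned wraparound in the subtraction is fine as long as consumers compare with the jiffies time_after()/time_before() helpers rather than raw ordering; the "(unsigned long)" cast of the u64 value predates this patch and is unchanged.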
-- 
2.20.1



* [PATCH net 11/11] netfilter: uapi: refer to nfnetlink_conntrack.h, not nf_conntrack_netlink.h
@ 2021-07-07 16:18 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-07-07 16:18 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Duncan Roe <duncan_roe@optusnet.com.au>

nf_conntrack_netlink.h does not exist, refer to nfnetlink_conntrack.h instead.

Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/uapi/linux/netfilter/nfnetlink_log.h   | 2 +-
 include/uapi/linux/netfilter/nfnetlink_queue.h | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
index 45c8d3b027e0..0af9c113d665 100644
--- a/include/uapi/linux/netfilter/nfnetlink_log.h
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
@@ -61,7 +61,7 @@ enum nfulnl_attr_type {
 	NFULA_HWTYPE,			/* hardware type */
 	NFULA_HWHEADER,			/* hardware header */
 	NFULA_HWLEN,			/* hardware header length */
-	NFULA_CT,                       /* nf_conntrack_netlink.h */
+	NFULA_CT,                       /* nfnetlink_conntrack.h */
 	NFULA_CT_INFO,                  /* enum ip_conntrack_info */
 	NFULA_VLAN,			/* nested attribute: packet vlan info */
 	NFULA_L2HDR,			/* full L2 header */
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index bcb2cb5d40b9..aed90c4df0c8 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -51,11 +51,11 @@ enum nfqnl_attr_type {
 	NFQA_IFINDEX_PHYSOUTDEV,	/* __u32 ifindex */
 	NFQA_HWADDR,			/* nfqnl_msg_packet_hw */
 	NFQA_PAYLOAD,			/* opaque data payload */
-	NFQA_CT,			/* nf_conntrack_netlink.h */
+	NFQA_CT,			/* nfnetlink_conntrack.h */
 	NFQA_CT_INFO,			/* enum ip_conntrack_info */
 	NFQA_CAP_LEN,			/* __u32 length of captured packet */
 	NFQA_SKB_INFO,			/* __u32 skb meta information */
-	NFQA_EXP,			/* nf_conntrack_netlink.h */
+	NFQA_EXP,			/* nfnetlink_conntrack.h */
 	NFQA_UID,			/* __u32 sk uid */
 	NFQA_GID,			/* __u32 sk gid */
 	NFQA_SECCTX,			/* security context string */
-- 
2.20.1



* Re: [PATCH net 01/11] selftest: netfilter: add test case for unreplied tcp connections
@ 2021-07-07 21:10   ` patchwork-bot+netdevbpf
From: patchwork-bot+netdevbpf @ 2021-07-07 21:10 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba

Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Wed,  7 Jul 2021 18:18:34 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> TCP connections in UNREPLIED state (only SYN seen) can be kept alive
> indefinitely, as each SYN re-sets the timeout.
> 
> This means that even if a peer has closed its socket the entry
> never times out.
> 
> [...]

Here is the summary with links:
  - [net,01/11] selftest: netfilter: add test case for unreplied tcp connections
    https://git.kernel.org/netdev/net/c/37d220b58d52
  - [net,02/11] netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state
    https://git.kernel.org/netdev/net/c/e15d4cdf27cb
  - [net,03/11] netfilter: nf_tables: Fix dereference of null pointer flow
    https://git.kernel.org/netdev/net/c/4ca041f919f1
  - [net,04/11] netfilter: conntrack: nf_ct_gre_keymap_flush() removal
    https://git.kernel.org/netdev/net/c/a23f89a99906
  - [net,05/11] netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo
    https://git.kernel.org/netdev/net/c/c23a9fd209bc
  - [net,06/11] netfilter: conntrack: improve RST handling when tuple is re-used
    https://git.kernel.org/netdev/net/c/c4edc3ccbc63
  - [net,07/11] netfilter: conntrack: add new sysctl to disable RST check
    https://git.kernel.org/netdev/net/c/1da4cd82dd18
  - [net,08/11] netfilter: conntrack: Mark access for KCSAN
    https://git.kernel.org/netdev/net/c/cf4466ea47db
  - [net,09/11] netfilter: nft_last: honor NFTA_LAST_SET on restoration
    https://git.kernel.org/netdev/net/c/6ac4bac4ce48
  - [net,10/11] netfilter: nft_last: incorrect arithmetics when restoring last used
    https://git.kernel.org/netdev/net/c/d1b5b80da705
  - [net,11/11] netfilter: uapi: refer to nfnetlink_conntrack.h, not nf_conntrack_netlink.h
    https://git.kernel.org/netdev/net/c/d322957ebfb9

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


