[PATCH net 0/6] Netfilter fixes for net

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Add selftest for nft_synproxy, from Florian Westphal.

2) xt_socket destroy path incorrectly disables IPv4 defrag for
   IPv6 traffic (typo), from Eric Dumazet.

3) Fix exit value selftest nft_concat_range.sh, from Hangbin Liu.

4) nft_synproxy disables the IPv4 hooks if the IPv6 hooks fail
   to be registered.

5) disable rp_filter on router in selftest nft_fib.sh, also
   from Hangbin Liu.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 7db788ad627aabff2b74d4f1a3b68516d0fee0d7:

  nfp: flower: fix ida_idx not being released (2022-02-08 21:06:35 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to bbe4c0896d25009a7c86285d2ab024eed4374eea:

  selftests: netfilter: disable rp_filter on router (2022-02-11 00:01:04 +0100)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: xt_socket: fix a typo in socket_mt_destroy()

Florian Westphal (1):
      selftests: netfilter: add synproxy test

Hangbin Liu (2):
      selftests: netfilter: fix exit value for nft_concat_range
      selftests: netfilter: disable rp_filter on router

Pablo Neira Ayuso (2):
      netfilter: nft_synproxy: unregister hooks on init error path
      selftests: netfilter: synproxy test requires nf_conntrack

 net/netfilter/nft_synproxy.c                       |   4 +-
 net/netfilter/xt_socket.c                          |   2 +-
 tools/testing/selftests/netfilter/Makefile         |   2 +-
 .../selftests/netfilter/nft_concat_range.sh        |   2 +-
 tools/testing/selftests/netfilter/nft_fib.sh       |   1 +
 tools/testing/selftests/netfilter/nft_synproxy.sh  | 117 +++++++++++++++++++++
 6 files changed, 124 insertions(+), 4 deletions(-)
 create mode 100755 tools/testing/selftests/netfilter/nft_synproxy.sh

[PATCH net 1/6] selftests: netfilter: add synproxy test

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

Simple test for synproxy feature, iperf3 should be intercepted
by synproxy netns, but connection should still succeed.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tools/testing/selftests/netfilter/Makefile    |   2 +-
 .../selftests/netfilter/nft_synproxy.sh       | 115 ++++++++++++++++++
 2 files changed, 116 insertions(+), 1 deletion(-)
 create mode 100755 tools/testing/selftests/netfilter/nft_synproxy.sh

diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
index ffca314897c4..e4f845dd942b 100644
--- a/tools/testing/selftests/netfilter/Makefile
+++ b/tools/testing/selftests/netfilter/Makefile
@@ -6,7 +6,7 @@ TEST_PROGS := nft_trans_stress.sh nft_fib.sh nft_nat.sh bridge_brouter.sh \
 	nft_concat_range.sh nft_conntrack_helper.sh \
 	nft_queue.sh nft_meta.sh nf_nat_edemux.sh \
 	ipip-conntrack-mtu.sh conntrack_tcp_unreplied.sh \
-	conntrack_vrf.sh
+	conntrack_vrf.sh nft_synproxy.sh
 
 LDLIBS = -lmnl
 TEST_GEN_FILES =  nf-queue
diff --git a/tools/testing/selftests/netfilter/nft_synproxy.sh b/tools/testing/selftests/netfilter/nft_synproxy.sh
new file mode 100755
index 000000000000..09bb95c87198
--- /dev/null
+++ b/tools/testing/selftests/netfilter/nft_synproxy.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+
+# Kselftest framework requirement - SKIP code is 4.
+ksft_skip=4
+ret=0
+
+rnd=$(mktemp -u XXXXXXXX)
+nsr="nsr-$rnd"	# synproxy machine
+ns1="ns1-$rnd"  # iperf client
+ns2="ns2-$rnd"  # iperf server
+
+checktool (){
+	if ! $1 > /dev/null 2>&1; then
+		echo "SKIP: Could not $2"
+		exit $ksft_skip
+	fi
+}
+
+checktool "nft --version" "run test without nft tool"
+checktool "ip -Version" "run test without ip tool"
+checktool "iperf3 --version" "run test without iperf3"
+checktool "ip netns add $nsr" "create net namespace"
+
+ip netns add $ns1
+ip netns add $ns2
+
+cleanup() {
+	ip netns pids $ns1 | xargs kill 2>/dev/null
+	ip netns pids $ns2 | xargs kill 2>/dev/null
+	ip netns del $ns1
+	ip netns del $ns2
+
+	ip netns del $nsr
+}
+
+trap cleanup EXIT
+
+ip link add veth0 netns $nsr type veth peer name eth0 netns $ns1
+ip link add veth1 netns $nsr type veth peer name eth0 netns $ns2
+
+for dev in lo veth0 veth1; do
+ip -net $nsr link set $dev up
+done
+
+ip -net $nsr addr add 10.0.1.1/24 dev veth0
+ip -net $nsr addr add 10.0.2.1/24 dev veth1
+
+ip netns exec $nsr sysctl -q net.ipv4.conf.veth0.forwarding=1
+ip netns exec $nsr sysctl -q net.ipv4.conf.veth1.forwarding=1
+ip netns exec $nsr sysctl -q net.netfilter.nf_conntrack_tcp_loose=0
+
+for n in $ns1 $ns2; do
+  ip -net $n link set lo up
+  ip -net $n link set eth0 up
+done
+ip -net $ns1 addr add 10.0.1.99/24 dev eth0
+ip -net $ns2 addr add 10.0.2.99/24 dev eth0
+ip -net $ns1 route add default via 10.0.1.1
+ip -net $ns2 route add default via 10.0.2.1
+
+# test basic connectivity
+if ! ip netns exec $ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
+  echo "ERROR: $ns1 cannot reach $ns2" 1>&2
+  exit 1
+fi
+
+if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then
+  echo "ERROR: $ns2 cannot reach $ns1" 1>&2
+  exit 1
+fi
+
+ip netns exec $ns2 iperf3 -s > /dev/null 2>&1 &
+# ip netns exec $nsr tcpdump -vvv -n -i veth1 tcp | head -n 10 &
+
+sleep 1
+
+ip netns exec $nsr nft -f - <<EOF
+table inet filter {
+   chain prerouting {
+      type filter hook prerouting priority -300; policy accept;
+      meta iif veth0 tcp flags syn counter notrack
+   }
+
+  chain forward {
+      type filter hook forward priority 0; policy accept;
+
+      ct state new,established counter accept
+
+      meta iif veth0 meta l4proto tcp ct state untracked,invalid synproxy mss 1460 sack-perm timestamp
+
+      ct state invalid counter drop
+
+      # make ns2 unreachable w.o. tcp synproxy
+      tcp flags syn counter drop
+   }
+}
+EOF
+if [ $? -ne 0 ]; then
+	echo "SKIP: Cannot add nft synproxy"
+	exit $ksft_skip
+fi
+
+ip netns exec $ns1 timeout 5 iperf3 -c 10.0.2.99 -n $((1 * 1024 * 1024)) > /dev/null
+
+if [ $? -ne 0 ]; then
+	echo "FAIL: iperf3 returned an error" 1>&2
+	ret=$?
+	ip netns exec $nsr nft list ruleset
+else
+	echo "PASS: synproxy connection successful"
+fi
+
+exit $ret
-- 
2.30.2

[PATCH net 2/6] netfilter: xt_socket: fix a typo in socket_mt_destroy()

[Pablo Neira Ayuso]

From: Eric Dumazet <edumazet@google.com>

Calling nf_defrag_ipv4_disable() instead of nf_defrag_ipv6_disable()
was probably not the intent.

I found this by code inspection, while chasing a possible issue in TPROXY.

Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 5e6459e11605..662e5eb1cc39 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -221,7 +221,7 @@ static void socket_mt_destroy(const struct xt_mtdtor_param *par)
 	if (par->family == NFPROTO_IPV4)
 		nf_defrag_ipv4_disable(par->net);
 	else if (par->family == NFPROTO_IPV6)
-		nf_defrag_ipv4_disable(par->net);
+		nf_defrag_ipv6_disable(par->net);
 }
 
 static struct xt_match socket_mt_reg[] __read_mostly = {
-- 
2.30.2

[PATCH net 3/6] selftests: netfilter: fix exit value for nft_concat_range

[Pablo Neira Ayuso]

From: Hangbin Liu <liuhangbin@gmail.com>

When the nft_concat_range test failed, it exit 1 in the code
specifically.

But when part of, or all of the test passed, it will failed the
[ ${passed} -eq 0 ] check and thus exit with 1, which is the same
exit value with failure result. Fix it by exit 0 when passed is not 0.

Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tools/testing/selftests/netfilter/nft_concat_range.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/netfilter/nft_concat_range.sh b/tools/testing/selftests/netfilter/nft_concat_range.sh
index df322e47a54f..b35010cc7f6a 100755
--- a/tools/testing/selftests/netfilter/nft_concat_range.sh
+++ b/tools/testing/selftests/netfilter/nft_concat_range.sh
@@ -1601,4 +1601,4 @@ for name in ${TESTS}; do
 	done
 done
 
-[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP}
+[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP} || exit 0
-- 
2.30.2

[PATCH net 4/6] netfilter: nft_synproxy: unregister hooks on init error path

[Pablo Neira Ayuso]

Disable the IPv4 hooks if the IPv6 hooks fail to be registered.

Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_synproxy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
index a0109fa1e92d..1133e06f3c40 100644
--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -191,8 +191,10 @@ static int nft_synproxy_do_init(const struct nft_ctx *ctx,
 		if (err)
 			goto nf_ct_failure;
 		err = nf_synproxy_ipv6_init(snet, ctx->net);
-		if (err)
+		if (err) {
+			nf_synproxy_ipv4_fini(snet, ctx->net);
 			goto nf_ct_failure;
+		}
 		break;
 	}
 
-- 
2.30.2

[PATCH net 5/6] selftests: netfilter: synproxy test requires nf_conntrack

[Pablo Neira Ayuso]

Otherwise, this test does not find the sysctl entry in place:

 sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_loose: No such file or directory
 iperf3: error - unable to send control message: Bad file descriptor
 FAIL: iperf3 returned an error

Fixes: 7152303cbec4 ("selftests: netfilter: add synproxy test")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tools/testing/selftests/netfilter/nft_synproxy.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/testing/selftests/netfilter/nft_synproxy.sh b/tools/testing/selftests/netfilter/nft_synproxy.sh
index 09bb95c87198..b62933b680d6 100755
--- a/tools/testing/selftests/netfilter/nft_synproxy.sh
+++ b/tools/testing/selftests/netfilter/nft_synproxy.sh
@@ -23,6 +23,8 @@ checktool "ip -Version" "run test without ip tool"
 checktool "iperf3 --version" "run test without iperf3"
 checktool "ip netns add $nsr" "create net namespace"
 
+modprobe -q nf_conntrack
+
 ip netns add $ns1
 ip netns add $ns2
 
-- 
2.30.2

[PATCH net 6/6] selftests: netfilter: disable rp_filter on router

[Pablo Neira Ayuso]

From: Hangbin Liu <liuhangbin@gmail.com>

Some distros may enable rp_filter by default. After ns1 change addr to
10.0.2.99 and set default router to 10.0.2.1, while the connected router
address is still 10.0.1.1. The router will not reply the arp request
from ns1. Fix it by setting the router's veth0 rp_filter to 0.

Before the fix:
  # ./nft_fib.sh
  PASS: fib expression did not cause unwanted packet drops
  Netns nsrouter-HQkDORO2 fib counter doesn't match expected packet count of 1 for 1.1.1.1
  table inet filter {
          chain prerouting {
                  type filter hook prerouting priority filter; policy accept;
                  ip daddr 1.1.1.1 fib saddr . iif oif missing counter packets 0 bytes 0 drop
                  ip6 daddr 1c3::c01d fib saddr . iif oif missing counter packets 0 bytes 0 drop
          }
  }

After the fix:
  # ./nft_fib.sh
  PASS: fib expression did not cause unwanted packet drops
  PASS: fib expression did drop packets for 1.1.1.1
  PASS: fib expression did drop packets for 1c3::c01d

Fixes: 82944421243e ("selftests: netfilter: add fib test case")
Signed-off-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tools/testing/selftests/netfilter/nft_fib.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/testing/selftests/netfilter/nft_fib.sh b/tools/testing/selftests/netfilter/nft_fib.sh
index 6caf6ac8c285..695a1958723f 100755
--- a/tools/testing/selftests/netfilter/nft_fib.sh
+++ b/tools/testing/selftests/netfilter/nft_fib.sh
@@ -174,6 +174,7 @@ test_ping() {
 ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
 ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
 ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
+ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null
 
 sleep 3
 
-- 
2.30.2

Re: [PATCH net 1/6] selftests: netfilter: add synproxy test

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Fri, 11 Feb 2022 00:10:16 +0100 you wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> Simple test for synproxy feature, iperf3 should be intercepted
> by synproxy netns, but connection should still succeed.
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> [...]

Here is the summary with links:
  - [net,1/6] selftests: netfilter: add synproxy test
    https://git.kernel.org/netdev/net/c/7152303cbec4
  - [net,2/6] netfilter: xt_socket: fix a typo in socket_mt_destroy()
    https://git.kernel.org/netdev/net/c/75063c9294fb
  - [net,3/6] selftests: netfilter: fix exit value for nft_concat_range
    https://git.kernel.org/netdev/net/c/2e71ec1a725a
  - [net,4/6] netfilter: nft_synproxy: unregister hooks on init error path
    https://git.kernel.org/netdev/net/c/2b4e5fb4d377
  - [net,5/6] selftests: netfilter: synproxy test requires nf_conntrack
    https://git.kernel.org/netdev/net/c/249749c88906
  - [net,6/6] selftests: netfilter: disable rp_filter on router
    https://git.kernel.org/netdev/net/c/bbe4c0896d25

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

Patch #1 unlike early commit path stage which triggers a call to abort,
         an explicit release of the batch is required on abort, otherwise
         mutex is released and commit_list remains in place.

Patch #2 release mutex after nft_gc_seq_end() in commit path, otherwise
         async GC worker could collect expired objects.

Patch #3 flush pending destroy work in module removal path, otherwise UaF
         is possible.

Patch #4 and #6 restrict the table dormant flag with basechain updates
	 to fix state inconsistency in the hook registration.

Patch #5 adds missing RCU read side lock to flowtable type to avoid races
	 with module removal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-04

Thanks.

----------------------------------------------------------------

The following changes since commit 72076fc9fe60b9143cd971fd8737718719bc512e:

  Revert "tg3: Remove residual error handling in tg3_suspend" (2024-04-04 10:51:01 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-04

for you to fetch changes up to 1bc83a019bbe268be3526406245ec28c2458a518:

  netfilter: nf_tables: discard table flag update with pending basechain deletion (2024-04-04 11:38:35 +0200)

----------------------------------------------------------------
netfilter pull request 24-04-04

----------------------------------------------------------------
Pablo Neira Ayuso (5):
      netfilter: nf_tables: release batch on table validation from abort path
      netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
      netfilter: nf_tables: flush pending destroy work before exit_net release
      netfilter: nf_tables: reject new basechain after table flag update
      netfilter: nf_tables: discard table flag update with pending basechain deletion

Ziyang Xuan (1):
      netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()

 net/netfilter/nf_tables_api.c | 50 +++++++++++++++++++++++++++++--------------
 1 file changed, 34 insertions(+), 16 deletions(-)

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) TCP conntrack now only evaluates window negotiation for packets in
   the REPLY direction, from Ryan Schaefer. Otherwise SYN retransmissions
   trigger incorrect window scale negotiation. From Ryan Schaefer.

2) Restrict tunnel objects to NFPROTO_NETDEV which is where it makes sense
   to use this object type.

3) Fix conntrack pick up from the middle of SCTP_CID_SHUTDOWN_ACK packets.
   From Xin Long.

4) Another attempt from Jozsef Kadlecsik to address the slow down of the
   swap command in ipset.

5) Replace a BUG_ON by WARN_ON_ONCE in nf_log, and consolidate check for
   the case that the logger is NULL from the read side lock section.

6) Address lack of sanitization for custom expectations. Restrict layer 3
   and 4 families to what it is supported by userspace.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-31

Thanks.

----------------------------------------------------------------

The following changes since commit a2933a8759a62269754e54733d993b19de870e84:

  selftests: bonding: do not test arp/ns target with mode balance-alb/tlb (2024-01-25 09:50:54 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-01-31

for you to fetch changes up to 8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4:

  netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations (2024-01-31 23:14:14 +0100)

----------------------------------------------------------------
netfilter pull request 24-01-31

----------------------------------------------------------------
Jozsef Kadlecsik (1):
      netfilter: ipset: fix performance regression in swap operation

Pablo Neira Ayuso (3):
      netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
      netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
      netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations

Ryan Schaefer (1):
      netfilter: conntrack: correct window scaling with retransmitted SYN

Xin Long (1):
      netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new

 include/linux/netfilter/ipset/ip_set.h  |  4 ++++
 include/net/netfilter/nf_tables.h       |  2 ++
 net/netfilter/ipset/ip_set_bitmap_gen.h | 14 ++++++++++---
 net/netfilter/ipset/ip_set_core.c       | 37 +++++++++++++++++++++++++--------
 net/netfilter/ipset/ip_set_hash_gen.h   | 15 ++++++++++---
 net/netfilter/ipset/ip_set_list_set.c   | 13 +++++++++---
 net/netfilter/nf_conntrack_proto_sctp.c |  2 +-
 net/netfilter/nf_conntrack_proto_tcp.c  | 10 +++++----
 net/netfilter/nf_log.c                  |  7 ++++---
 net/netfilter/nf_tables_api.c           | 14 ++++++++-----
 net/netfilter/nft_ct.c                  | 24 +++++++++++++++++++++
 net/netfilter/nft_tunnel.c              |  1 +
 12 files changed, 112 insertions(+), 31 deletions(-)

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Update nf_tables kdoc to keep it in sync with the code, from George Guo.

2) Handle NETDEV_UNREGISTER event for inet/ingress basechain.

3) Reject configuration that cause nft_limit to overflow, from Florian Westphal.

4) Restrict anonymous set/map names to 16 bytes, from Florian Westphal.

5) Disallow to encode queue number and error in verdicts. This reverts
   a patch which seems to have introduced an early attempt to support for
   nfqueue maps, which is these days supported via nft_queue expression.

6) Sanitize family via .validate for expressions that explicitly refer
   to NF_INET_* hooks.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-24

Thanks.

----------------------------------------------------------------

The following changes since commit 32f2a0afa95fae0d1ceec2ff06e0e816939964b8:

  net/sched: flower: Fix chain template offload (2024-01-24 01:33:59 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-01-24

for you to fetch changes up to d0009effa8862c20a13af4cb7475d9771b905693:

  netfilter: nf_tables: validate NFPROTO_* family (2024-01-24 20:02:40 +0100)

----------------------------------------------------------------
netfilter pull request 24-01-24

----------------------------------------------------------------
Florian Westphal (3):
      netfilter: nft_limit: reject configurations that cause integer overflow
      netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
      netfilter: nf_tables: reject QUEUE/DROP verdict parameters

George Guo (1):
      netfilter: nf_tables: cleanup documentation

Pablo Neira Ayuso (2):
      netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
      netfilter: nf_tables: validate NFPROTO_* family

 include/net/netfilter/nf_tables.h | 49 +++++++++++++++++++++++++++++++--------
 net/netfilter/nf_tables_api.c     | 20 ++++++++--------
 net/netfilter/nft_chain_filter.c  | 11 +++++++--
 net/netfilter/nft_compat.c        | 12 ++++++++++
 net/netfilter/nft_flow_offload.c  |  5 ++++
 net/netfilter/nft_limit.c         | 23 ++++++++++++------
 net/netfilter/nft_nat.c           |  5 ++++
 net/netfilter/nft_rt.c            |  5 ++++
 net/netfilter/nft_socket.c        |  5 ++++
 net/netfilter/nft_synproxy.c      |  7 ++++--
 net/netfilter/nft_tproxy.c        |  5 ++++
 net/netfilter/nft_xfrm.c          |  5 ++++
 12 files changed, 121 insertions(+), 31 deletions(-)

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Incorrect nf_defrag registration for bpf link infra, from D. Wythe.

2) Skip inactive elements in pipapo set backend walk to avoid double
   deactivation, from Florian Westphal.

3) Fix NFT_*_F_PRESENT check with big endian arch, also from Florian.

4) Bail out if number of expressions in NFTA_DYNSET_EXPRESSIONS mismatch
   stateful expressions in set declaration.

5) Honor family in table lookup by handle. Broken since 4.16.

6) Use sk_callback_lock to protect access to sk->sk_socket in xt_owner.
   sock_orphan() might zap this pointer, from Phil Sutter.

All of these fixes address broken stuff for several releases.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-12-06

Thanks.

----------------------------------------------------------------

The following changes since commit 54d4434da824460a190d547404530eff12a7907d:

  Merge branch 'hv_netvsc-fix-race-of-netvsc-vf-register-and-slave-bit' (2023-11-21 13:15:05 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-12-06

for you to fetch changes up to 7ae836a3d630e146b732fe8ef7d86b243748751f:

  netfilter: xt_owner: Fix for unsafe access of sk->sk_socket (2023-12-06 17:52:15 +0100)

----------------------------------------------------------------
netfilter pull request 23-12-06

----------------------------------------------------------------
D. Wythe (1):
      netfilter: bpf: fix bad registration on nf_defrag

Florian Westphal (2):
      netfilter: nft_set_pipapo: skip inactive elements during set walk
      netfilter: nf_tables: fix 'exist' matching on bigendian arches

Pablo Neira Ayuso (2):
      netfilter: nf_tables: bail out on mismatching dynset and set expressions
      netfilter: nf_tables: validate family when identifying table via handle

Phil Sutter (1):
      netfilter: xt_owner: Fix for unsafe access of sk->sk_socket

 net/netfilter/nf_bpf_link.c    | 10 +++++-----
 net/netfilter/nf_tables_api.c  |  5 +++--
 net/netfilter/nft_dynset.c     | 13 +++++++++----
 net/netfilter/nft_exthdr.c     |  4 ++--
 net/netfilter/nft_fib.c        |  8 ++++++--
 net/netfilter/nft_set_pipapo.c |  3 +++
 net/netfilter/xt_owner.c       | 16 ++++++++++++----
 7 files changed, 40 insertions(+), 19 deletions(-)

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Remove unused variable causing compilation warning in nft_set_rbtree,
   from Yang Li. This unused variable is a left over from previous
   merge window.

2) Possible return of uninitialized in nf_conntrack_bridge, from
   Linkui Xiao. This is there since nf_conntrack_bridge is available.

3) Fix incorrect pointer math in nft_byteorder, from Dan Carpenter.
   Problem has been there since 2016.

4) Fix bogus error in destroy set element command. Problem is there
   since this new destroy command was added.

5) Fix race condition in ipset between swap and destroy commands and
   add/del/test control plane. This problem is there since ipset was
   merged.

6) Split async and sync catchall GC in two function to fix unsafe
   iteration over RCU. This is a fix-for-fix that was included in
   the previous pull request.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-11-15

Thanks.

----------------------------------------------------------------

The following changes since commit 4b7b492615cf3017190f55444f7016812b66611d:

  af_unix: fix use-after-free in unix_stream_read_actor() (2023-11-14 10:51:13 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-11-15

for you to fetch changes up to 8837ba3e58ea1e3d09ae36db80b1e80853aada95:

  netfilter: nf_tables: split async and sync catchall in two functions (2023-11-14 16:16:21 +0100)

----------------------------------------------------------------
netfilter pull request 23-11-15

----------------------------------------------------------------
Dan Carpenter (1):
      netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()

Jozsef Kadlecsik (1):
      netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test

Linkui Xiao (1):
      netfilter: nf_conntrack_bridge: initialize err to 0

Pablo Neira Ayuso (2):
      netfilter: nf_tables: bogus ENOENT when destroying element which does not exist
      netfilter: nf_tables: split async and sync catchall in two functions

Yang Li (1):
      netfilter: nft_set_rbtree: Remove unused variable nft_net

 include/net/netfilter/nf_tables.h          |  4 +-
 net/bridge/netfilter/nf_conntrack_bridge.c |  2 +-
 net/netfilter/ipset/ip_set_core.c          | 14 +++----
 net/netfilter/nf_tables_api.c              | 60 ++++++++++++++++--------------
 net/netfilter/nft_byteorder.c              |  5 ++-
 net/netfilter/nft_meta.c                   |  2 +-
 net/netfilter/nft_set_rbtree.c             |  2 -
 7 files changed, 47 insertions(+), 42 deletions(-)

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix missing overflow use refcount checks in nf_tables.

2) Do not set IPS_ASSURED for IPS_NAT_CLASH entries in GRE tracker,
   from Florian Westphal.

3) Bail out if nf_ct_helper_hash is NULL before registering helper,
   from Florent Revest.

4) Use siphash() instead siphash_4u64() to fix performance regression,
   also from Florian.

5) Do not allow to add rules to removed chains via ID,
   from Thadeu Lima de Souza Cascardo.

6) Fix oob read access in byteorder expression, also from Thadeu.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-07-06

Thanks.

----------------------------------------------------------------

The following changes since commit c451410ca7e3d8eeb31d141fc20c200e21754ba4:

  Merge branch 'mptcp-fixes' (2023-07-05 10:51:14 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-07-06

for you to fetch changes up to caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd:

  netfilter: nf_tables: prevent OOB access in nft_byteorder_eval (2023-07-06 00:53:14 +0200)

----------------------------------------------------------------
netfilter pull request 23-07-06

----------------------------------------------------------------
Florent Revest (1):
      netfilter: conntrack: Avoid nf_ct_helper_hash uses after free

Florian Westphal (2):
      netfilter: conntrack: gre: don't set assured flag for clash entries
      netfilter: conntrack: don't fold port numbers into addresses before hashing

Pablo Neira Ayuso (1):
      netfilter: nf_tables: report use refcount overflow

Thadeu Lima de Souza Cascardo (2):
      netfilter: nf_tables: do not ignore genmask when looking up chain by id
      netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

 include/net/netfilter/nf_conntrack_tuple.h |   3 +
 include/net/netfilter/nf_tables.h          |  31 ++++-
 net/netfilter/nf_conntrack_core.c          |  20 ++--
 net/netfilter/nf_conntrack_helper.c        |   4 +
 net/netfilter/nf_conntrack_proto_gre.c     |  10 +-
 net/netfilter/nf_tables_api.c              | 174 ++++++++++++++++++-----------
 net/netfilter/nft_byteorder.c              |  14 +--
 net/netfilter/nft_flow_offload.c           |   6 +-
 net/netfilter/nft_immediate.c              |   8 +-
 net/netfilter/nft_objref.c                 |   8 +-
 10 files changed, 178 insertions(+), 100 deletions(-)

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Reset shift on Boyer-Moore string match for each block,
   from Jeremy Sowden.

2) Fix acccess to non-linear area in DCCP conntrack helper,
   from Florian Westphal.

3) Fix kernel-doc warnings, by Randy Dunlap.

4) Bail out if expires= does not show in SIP helper message,
   or make ct_sip_parse_numerical_param() tristate and report
   error if expires= cannot be parsed.

5) Unbind non-anonymous set in case rule construction fails.

6) Fix underflow in chain reference counter in case set element
   already exists or it cannot be created.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-06-27

Thanks.

----------------------------------------------------------------

The following changes since commit 6709d4b7bc2e079241fdef15d1160581c5261c10:

  net: nfc: Fix use-after-free caused by nfc_llcp_find_local (2023-06-26 10:57:23 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-06-27

for you to fetch changes up to b389139f12f287b8ed2e2628b72df89a081f0b59:

  netfilter: nf_tables: fix underflow in chain reference counter (2023-06-26 17:18:55 +0200)

----------------------------------------------------------------
netfilter pull request 23-06-27

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one

Ilia.Gavrilov (1):
      netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value.

Jeremy Sowden (1):
      lib/ts_bm: reset initial match offset for every block of text

Pablo Neira Ayuso (2):
      netfilter: nf_tables: unbind non-anonymous set if rule construction fails
      netfilter: nf_tables: fix underflow in chain reference counter

Randy Dunlap (1):
      linux/netfilter.h: fix kernel-doc warnings

 include/linux/netfilter.h               |  4 +--
 lib/ts_bm.c                             |  4 ++-
 net/netfilter/nf_conntrack_proto_dccp.c | 52 +++++++++++++++++++++++++++++++--
 net/netfilter/nf_conntrack_sip.c        |  2 +-
 net/netfilter/nf_tables_api.c           |  6 +++-
 5 files changed, 60 insertions(+), 8 deletions(-)

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Don't refresh timeout for SCTP flows in CLOSED state.

2) Don't allow access to transport header if fragment offset is set on.

3) Reinitialize internal conntrack state for retransmitted TCP
   syn-ack packet.

4) Update MAINTAINER file to add the Netfilter group tree. Moving
   forward, Florian Westphal has access to this tree so he can also
   send pull requests.

5) Set on IPS_HELPER for entries created via ctnetlink, otherwise NAT
   might zap it.

All patches from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit ed14fc7a79ab43e9f2cb1fa9c1733fdc133bba30:

  net: sparx5: Fix get_stat64 crash in tcpdump (2022-02-03 19:01:15 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to d1ca60efc53d665cf89ed847a14a510a81770b81:

  netfilter: ctnetlink: disable helper autoassign (2022-02-04 05:39:57 +0100)

----------------------------------------------------------------
Florian Westphal (6):
      netfilter: conntrack: don't refresh sctp entries in closed state
      netfilter: nft_payload: don't allow th access for fragments
      netfilter: conntrack: move synack init code to helper
      netfilter: conntrack: re-init state for retransmitted syn-ack
      MAINTAINERS: netfilter: update git links
      netfilter: ctnetlink: disable helper autoassign

 MAINTAINERS                                        |  4 +-
 include/uapi/linux/netfilter/nf_conntrack_common.h |  2 +-
 net/netfilter/nf_conntrack_netlink.c               |  3 +-
 net/netfilter/nf_conntrack_proto_sctp.c            |  9 ++++
 net/netfilter/nf_conntrack_proto_tcp.c             | 59 +++++++++++++++-------
 net/netfilter/nft_exthdr.c                         |  2 +-
 net/netfilter/nft_payload.c                        |  9 ++--
 7 files changed, 61 insertions(+), 27 deletions(-)

[PATCH net 0/6] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Memleak in commit audit error path, from Dongliang Mu.

2) Avoid possible false sharing for flowtable timeout updates
   and nft_last use.

3) Adjust conntrack timestamp due to garbage collection delay,
   from Florian Westphal.

4) Fix nft_nat without layer 3 address for the inet family.

5) Fix compilation warning in nfnl_hook when ingress support
   is disabled, from Arnd Bergmann.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba:

  net: decnet: Fix sleeping inside in af_decnet (2021-07-16 14:06:16 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 217e26bd87b2930856726b48a4e71c768b8c9bf5:

  netfilter: nfnl_hook: fix unused variable warning (2021-07-23 14:45:03 +0200)

----------------------------------------------------------------
Arnd Bergmann (1):
      netfilter: nfnl_hook: fix unused variable warning

Dongliang Mu (1):
      netfilter: nf_tables: fix audit memory leak in nf_tables_commit

Florian Westphal (1):
      netfilter: conntrack: adjust stop timestamp to real expiry value

Pablo Neira Ayuso (3):
      netfilter: flowtable: avoid possible false sharing
      netfilter: nft_last: avoid possible false sharing
      netfilter: nft_nat: allow to specify layer 4 protocol NAT only

 net/netfilter/nf_conntrack_core.c  |  7 ++++++-
 net/netfilter/nf_flow_table_core.c |  6 +++++-
 net/netfilter/nf_tables_api.c      | 12 ++++++++++++
 net/netfilter/nfnetlink_hook.c     |  2 ++
 net/netfilter/nft_last.c           | 20 +++++++++++++-------
 net/netfilter/nft_nat.c            |  4 +++-
 6 files changed, 41 insertions(+), 10 deletions(-)