aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2016-12-01 11:04:41 -0500
committerDavid S. Miller <davem@davemloft.net>2016-12-01 11:04:41 -0500
commit3d2dd617fb3c6430e438038070d2d2fb423725f9 (patch)
tree62c8fe66d560bf9cb0d889b4888c0ea6705b5663 /net
parentaa196eed3d80d4b003b04a270712b978a012a939 (diff)
parent17a49cd549d9dc8707dc9262210166455c612dde (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net This is a large batch of Netfilter fixes for net, they are: 1) Three patches to fix NAT conversion to rhashtable: Switch to rhlist structure that allows to have several objects with the same key. Moreover, fix wrong comparison logic in nf_nat_bysource_cmp() as this is expecting a return value similar to memcmp(). Change location of the nat_bysource field in the nf_conn structure to avoid zeroing this as it breaks interaction with SLAB_DESTROY_BY_RCU and lead us to crashes. From Florian Westphal. 2) Don't allow malformed fragments go through in IPv6, drop them, otherwise we hit GPF, patch from Florian Westphal. 3) Fix crash if attributes are missing in nft_range, from Liping Zhang. 4) Fix arptables 32-bits userspace 64-bits kernel compat, from Hongxu Jia. 5) Two patches from David Ahern to fix netfilter interaction with vrf. From David Ahern. 6) Fix element timeout calculation in nf_tables, we take milliseconds from userspace, but we use jiffies from kernelspace. Patch from Anders K. Pedersen. 7) Missing validation length netlink attribute for nft_hash, from Laura Garcia. 8) Fix nf_conntrack_helper documentation, we don't default to off anymore for a bit of time so let's get this in sync with the code. I know is late but I think these are important, specifically the NAT bits, as they are mostly addressing fallout from recent changes. I also read there are chances to have -rc8, if that is the case, that would also give us a bit more time to test this. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter.c5
-rw-r--r--net/ipv4/netfilter/arp_tables.c4
-rw-r--r--net/ipv6/netfilter/nf_conntrack_reasm.c4
-rw-r--r--net/ipv6/netfilter/nf_defrag_ipv6_hooks.c2
-rw-r--r--net/ipv6/netfilter/nf_reject_ipv6.c1
-rw-r--r--net/netfilter/nf_nat_core.c49
-rw-r--r--net/netfilter/nf_tables_api.c14
-rw-r--r--net/netfilter/nft_hash.c7
-rw-r--r--net/netfilter/nft_range.c6
9 files changed, 60 insertions, 32 deletions
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c3776ff6749f..b3cc1335adbc 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -24,10 +24,11 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
24 struct flowi4 fl4 = {}; 24 struct flowi4 fl4 = {};
25 __be32 saddr = iph->saddr; 25 __be32 saddr = iph->saddr;
26 __u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0; 26 __u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
27 struct net_device *dev = skb_dst(skb)->dev;
27 unsigned int hh_len; 28 unsigned int hh_len;
28 29
29 if (addr_type == RTN_UNSPEC) 30 if (addr_type == RTN_UNSPEC)
30 addr_type = inet_addr_type(net, saddr); 31 addr_type = inet_addr_type_dev_table(net, dev, saddr);
31 if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST) 32 if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
32 flags |= FLOWI_FLAG_ANYSRC; 33 flags |= FLOWI_FLAG_ANYSRC;
33 else 34 else
@@ -40,6 +41,8 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
40 fl4.saddr = saddr; 41 fl4.saddr = saddr;
41 fl4.flowi4_tos = RT_TOS(iph->tos); 42 fl4.flowi4_tos = RT_TOS(iph->tos);
42 fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0; 43 fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
44 if (!fl4.flowi4_oif)
45 fl4.flowi4_oif = l3mdev_master_ifindex(dev);
43 fl4.flowi4_mark = skb->mark; 46 fl4.flowi4_mark = skb->mark;
44 fl4.flowi4_flags = flags; 47 fl4.flowi4_flags = flags;
45 rt = ip_route_output_key(net, &fl4); 48 rt = ip_route_output_key(net, &fl4);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index b31df597fd37..697538464e6e 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1201,8 +1201,8 @@ static int translate_compat_table(struct xt_table_info **pinfo,
1201 1201
1202 newinfo->number = compatr->num_entries; 1202 newinfo->number = compatr->num_entries;
1203 for (i = 0; i < NF_ARP_NUMHOOKS; i++) { 1203 for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
1204 newinfo->hook_entry[i] = info->hook_entry[i]; 1204 newinfo->hook_entry[i] = compatr->hook_entry[i];
1205 newinfo->underflow[i] = info->underflow[i]; 1205 newinfo->underflow[i] = compatr->underflow[i];
1206 } 1206 }
1207 entry1 = newinfo->entries; 1207 entry1 = newinfo->entries;
1208 pos = entry1; 1208 pos = entry1;
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index e4347aeb2e65..9948b5ce52da 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -576,11 +576,11 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
576 /* Jumbo payload inhibits frag. header */ 576 /* Jumbo payload inhibits frag. header */
577 if (ipv6_hdr(skb)->payload_len == 0) { 577 if (ipv6_hdr(skb)->payload_len == 0) {
578 pr_debug("payload len = 0\n"); 578 pr_debug("payload len = 0\n");
579 return -EINVAL; 579 return 0;
580 } 580 }
581 581
582 if (find_prev_fhdr(skb, &prevhdr, &nhoff, &fhoff) < 0) 582 if (find_prev_fhdr(skb, &prevhdr, &nhoff, &fhoff) < 0)
583 return -EINVAL; 583 return 0;
584 584
585 if (!pskb_may_pull(skb, fhoff + sizeof(*fhdr))) 585 if (!pskb_may_pull(skb, fhoff + sizeof(*fhdr)))
586 return -ENOMEM; 586 return -ENOMEM;
diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
index f7aab5ab93a5..f06b0471f39f 100644
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -69,7 +69,7 @@ static unsigned int ipv6_defrag(void *priv,
69 if (err == -EINPROGRESS) 69 if (err == -EINPROGRESS)
70 return NF_STOLEN; 70 return NF_STOLEN;
71 71
72 return NF_ACCEPT; 72 return err == 0 ? NF_ACCEPT : NF_DROP;
73} 73}
74 74
75static struct nf_hook_ops ipv6_defrag_ops[] = { 75static struct nf_hook_ops ipv6_defrag_ops[] = {
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index a5400223fd74..10090400c72f 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -156,6 +156,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
156 fl6.daddr = oip6h->saddr; 156 fl6.daddr = oip6h->saddr;
157 fl6.fl6_sport = otcph->dest; 157 fl6.fl6_sport = otcph->dest;
158 fl6.fl6_dport = otcph->source; 158 fl6.fl6_dport = otcph->source;
159 fl6.flowi6_oif = l3mdev_master_ifindex(skb_dst(oldskb)->dev);
159 security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6)); 160 security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6));
160 dst = ip6_route_output(net, NULL, &fl6); 161 dst = ip6_route_output(net, NULL, &fl6);
161 if (dst->error) { 162 if (dst->error) {
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index bbb8f3df79f7..5b9c884a452e 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -42,7 +42,7 @@ struct nf_nat_conn_key {
42 const struct nf_conntrack_zone *zone; 42 const struct nf_conntrack_zone *zone;
43}; 43};
44 44
45static struct rhashtable nf_nat_bysource_table; 45static struct rhltable nf_nat_bysource_table;
46 46
47inline const struct nf_nat_l3proto * 47inline const struct nf_nat_l3proto *
48__nf_nat_l3proto_find(u8 family) 48__nf_nat_l3proto_find(u8 family)
@@ -193,9 +193,12 @@ static int nf_nat_bysource_cmp(struct rhashtable_compare_arg *arg,
193 const struct nf_nat_conn_key *key = arg->key; 193 const struct nf_nat_conn_key *key = arg->key;
194 const struct nf_conn *ct = obj; 194 const struct nf_conn *ct = obj;
195 195
196 return same_src(ct, key->tuple) && 196 if (!same_src(ct, key->tuple) ||
197 net_eq(nf_ct_net(ct), key->net) && 197 !net_eq(nf_ct_net(ct), key->net) ||
198 nf_ct_zone_equal(ct, key->zone, IP_CT_DIR_ORIGINAL); 198 !nf_ct_zone_equal(ct, key->zone, IP_CT_DIR_ORIGINAL))
199 return 1;
200
201 return 0;
199} 202}
200 203
201static struct rhashtable_params nf_nat_bysource_params = { 204static struct rhashtable_params nf_nat_bysource_params = {
@@ -204,7 +207,6 @@ static struct rhashtable_params nf_nat_bysource_params = {
204 .obj_cmpfn = nf_nat_bysource_cmp, 207 .obj_cmpfn = nf_nat_bysource_cmp,
205 .nelem_hint = 256, 208 .nelem_hint = 256,
206 .min_size = 1024, 209 .min_size = 1024,
207 .nulls_base = (1U << RHT_BASE_SHIFT),
208}; 210};
209 211
210/* Only called for SRC manip */ 212/* Only called for SRC manip */
@@ -223,12 +225,15 @@ find_appropriate_src(struct net *net,
223 .tuple = tuple, 225 .tuple = tuple,
224 .zone = zone 226 .zone = zone
225 }; 227 };
228 struct rhlist_head *hl;
226 229
227 ct = rhashtable_lookup_fast(&nf_nat_bysource_table, &key, 230 hl = rhltable_lookup(&nf_nat_bysource_table, &key,
228 nf_nat_bysource_params); 231 nf_nat_bysource_params);
229 if (!ct) 232 if (!hl)
230 return 0; 233 return 0;
231 234
235 ct = container_of(hl, typeof(*ct), nat_bysource);
236
232 nf_ct_invert_tuplepr(result, 237 nf_ct_invert_tuplepr(result,
233 &ct->tuplehash[IP_CT_DIR_REPLY].tuple); 238 &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
234 result->dst = tuple->dst; 239 result->dst = tuple->dst;
@@ -446,11 +451,17 @@ nf_nat_setup_info(struct nf_conn *ct,
446 } 451 }
447 452
448 if (maniptype == NF_NAT_MANIP_SRC) { 453 if (maniptype == NF_NAT_MANIP_SRC) {
454 struct nf_nat_conn_key key = {
455 .net = nf_ct_net(ct),
456 .tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
457 .zone = nf_ct_zone(ct),
458 };
449 int err; 459 int err;
450 460
451 err = rhashtable_insert_fast(&nf_nat_bysource_table, 461 err = rhltable_insert_key(&nf_nat_bysource_table,
452 &ct->nat_bysource, 462 &key,
453 nf_nat_bysource_params); 463 &ct->nat_bysource,
464 nf_nat_bysource_params);
454 if (err) 465 if (err)
455 return NF_DROP; 466 return NF_DROP;
456 } 467 }
@@ -567,8 +578,8 @@ static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
567 * will delete entry from already-freed table. 578 * will delete entry from already-freed table.
568 */ 579 */
569 ct->status &= ~IPS_NAT_DONE_MASK; 580 ct->status &= ~IPS_NAT_DONE_MASK;
570 rhashtable_remove_fast(&nf_nat_bysource_table, &ct->nat_bysource, 581 rhltable_remove(&nf_nat_bysource_table, &ct->nat_bysource,
571 nf_nat_bysource_params); 582 nf_nat_bysource_params);
572 583
573 /* don't delete conntrack. Although that would make things a lot 584 /* don't delete conntrack. Although that would make things a lot
574 * simpler, we'd end up flushing all conntracks on nat rmmod. 585 * simpler, we'd end up flushing all conntracks on nat rmmod.
@@ -698,8 +709,8 @@ static void nf_nat_cleanup_conntrack(struct nf_conn *ct)
698 if (!nat) 709 if (!nat)
699 return; 710 return;
700 711
701 rhashtable_remove_fast(&nf_nat_bysource_table, &ct->nat_bysource, 712 rhltable_remove(&nf_nat_bysource_table, &ct->nat_bysource,
702 nf_nat_bysource_params); 713 nf_nat_bysource_params);
703} 714}
704 715
705static struct nf_ct_ext_type nat_extend __read_mostly = { 716static struct nf_ct_ext_type nat_extend __read_mostly = {
@@ -834,13 +845,13 @@ static int __init nf_nat_init(void)
834{ 845{
835 int ret; 846 int ret;
836 847
837 ret = rhashtable_init(&nf_nat_bysource_table, &nf_nat_bysource_params); 848 ret = rhltable_init(&nf_nat_bysource_table, &nf_nat_bysource_params);
838 if (ret) 849 if (ret)
839 return ret; 850 return ret;
840 851
841 ret = nf_ct_extend_register(&nat_extend); 852 ret = nf_ct_extend_register(&nat_extend);
842 if (ret < 0) { 853 if (ret < 0) {
843 rhashtable_destroy(&nf_nat_bysource_table); 854 rhltable_destroy(&nf_nat_bysource_table);
844 printk(KERN_ERR "nf_nat_core: Unable to register extension\n"); 855 printk(KERN_ERR "nf_nat_core: Unable to register extension\n");
845 return ret; 856 return ret;
846 } 857 }
@@ -864,7 +875,7 @@ static int __init nf_nat_init(void)
864 return 0; 875 return 0;
865 876
866 cleanup_extend: 877 cleanup_extend:
867 rhashtable_destroy(&nf_nat_bysource_table); 878 rhltable_destroy(&nf_nat_bysource_table);
868 nf_ct_extend_unregister(&nat_extend); 879 nf_ct_extend_unregister(&nat_extend);
869 return ret; 880 return ret;
870} 881}
@@ -883,7 +894,7 @@ static void __exit nf_nat_cleanup(void)
883 for (i = 0; i < NFPROTO_NUMPROTO; i++) 894 for (i = 0; i < NFPROTO_NUMPROTO; i++)
884 kfree(nf_nat_l4protos[i]); 895 kfree(nf_nat_l4protos[i]);
885 896
886 rhashtable_destroy(&nf_nat_bysource_table); 897 rhltable_destroy(&nf_nat_bysource_table);
887} 898}
888 899
889MODULE_LICENSE("GPL"); 900MODULE_LICENSE("GPL");
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 026581b04ea8..e5194f6f906c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2570,7 +2570,8 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2570 } 2570 }
2571 2571
2572 if (set->timeout && 2572 if (set->timeout &&
2573 nla_put_be64(skb, NFTA_SET_TIMEOUT, cpu_to_be64(set->timeout), 2573 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2574 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2574 NFTA_SET_PAD)) 2575 NFTA_SET_PAD))
2575 goto nla_put_failure; 2576 goto nla_put_failure;
2576 if (set->gc_int && 2577 if (set->gc_int &&
@@ -2859,7 +2860,8 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
2859 if (nla[NFTA_SET_TIMEOUT] != NULL) { 2860 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2860 if (!(flags & NFT_SET_TIMEOUT)) 2861 if (!(flags & NFT_SET_TIMEOUT))
2861 return -EINVAL; 2862 return -EINVAL;
2862 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_TIMEOUT])); 2863 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
2864 nla[NFTA_SET_TIMEOUT])));
2863 } 2865 }
2864 gc_int = 0; 2866 gc_int = 0;
2865 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 2867 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
@@ -3178,7 +3180,8 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
3178 3180
3179 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 3181 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3180 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 3182 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3181 cpu_to_be64(*nft_set_ext_timeout(ext)), 3183 cpu_to_be64(jiffies_to_msecs(
3184 *nft_set_ext_timeout(ext))),
3182 NFTA_SET_ELEM_PAD)) 3185 NFTA_SET_ELEM_PAD))
3183 goto nla_put_failure; 3186 goto nla_put_failure;
3184 3187
@@ -3447,7 +3450,7 @@ void *nft_set_elem_init(const struct nft_set *set,
3447 memcpy(nft_set_ext_data(ext), data, set->dlen); 3450 memcpy(nft_set_ext_data(ext), data, set->dlen);
3448 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) 3451 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3449 *nft_set_ext_expiration(ext) = 3452 *nft_set_ext_expiration(ext) =
3450 jiffies + msecs_to_jiffies(timeout); 3453 jiffies + timeout;
3451 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 3454 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3452 *nft_set_ext_timeout(ext) = timeout; 3455 *nft_set_ext_timeout(ext) = timeout;
3453 3456
@@ -3535,7 +3538,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3535 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 3538 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3536 if (!(set->flags & NFT_SET_TIMEOUT)) 3539 if (!(set->flags & NFT_SET_TIMEOUT))
3537 return -EINVAL; 3540 return -EINVAL;
3538 timeout = be64_to_cpu(nla_get_be64(nla[NFTA_SET_ELEM_TIMEOUT])); 3541 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3542 nla[NFTA_SET_ELEM_TIMEOUT])));
3539 } else if (set->flags & NFT_SET_TIMEOUT) { 3543 } else if (set->flags & NFT_SET_TIMEOUT) {
3540 timeout = set->timeout; 3544 timeout = set->timeout;
3541 } 3545 }
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index baf694de3935..d5447a22275c 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -53,6 +53,7 @@ static int nft_hash_init(const struct nft_ctx *ctx,
53{ 53{
54 struct nft_hash *priv = nft_expr_priv(expr); 54 struct nft_hash *priv = nft_expr_priv(expr);
55 u32 len; 55 u32 len;
56 int err;
56 57
57 if (!tb[NFTA_HASH_SREG] || 58 if (!tb[NFTA_HASH_SREG] ||
58 !tb[NFTA_HASH_DREG] || 59 !tb[NFTA_HASH_DREG] ||
@@ -67,8 +68,10 @@ static int nft_hash_init(const struct nft_ctx *ctx,
67 priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]); 68 priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]);
68 priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]); 69 priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]);
69 70
70 len = ntohl(nla_get_be32(tb[NFTA_HASH_LEN])); 71 err = nft_parse_u32_check(tb[NFTA_HASH_LEN], U8_MAX, &len);
71 if (len == 0 || len > U8_MAX) 72 if (err < 0)
73 return err;
74 if (len == 0)
72 return -ERANGE; 75 return -ERANGE;
73 76
74 priv->len = len; 77 priv->len = len;
diff --git a/net/netfilter/nft_range.c b/net/netfilter/nft_range.c
index fbc88009ca2e..8f0aaaea1376 100644
--- a/net/netfilter/nft_range.c
+++ b/net/netfilter/nft_range.c
@@ -59,6 +59,12 @@ static int nft_range_init(const struct nft_ctx *ctx, const struct nft_expr *expr
59 int err; 59 int err;
60 u32 op; 60 u32 op;
61 61
62 if (!tb[NFTA_RANGE_SREG] ||
63 !tb[NFTA_RANGE_OP] ||
64 !tb[NFTA_RANGE_FROM_DATA] ||
65 !tb[NFTA_RANGE_TO_DATA])
66 return -EINVAL;
67
62 err = nft_data_init(NULL, &priv->data_from, sizeof(priv->data_from), 68 err = nft_data_init(NULL, &priv->data_from, sizeof(priv->data_from),
63 &desc_from, tb[NFTA_RANGE_FROM_DATA]); 69 &desc_from, tb[NFTA_RANGE_FROM_DATA]);
64 if (err < 0) 70 if (err < 0)
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-11 18:37:25 -0400