aboutsummaryrefslogtreecommitdiffstats
path: root/net/openvswitch
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2016-03-28 15:38:59 -0400
committerDavid S. Miller <davem@davemloft.net>2016-03-28 15:38:59 -0400
commit0c84ea17ff22df83d72b20e336ae69d6035c8bbf (patch)
tree594d47b721ee7d6b8252c39bfcb38ae6bc6b5682 /net/openvswitch
parent0e3e7999703e7df93a9deee8ba89b604c5fd662d (diff)
parent29421198c3a860092e27c2ad8499dfe603398817 (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for you net tree, they are: 1) There was a race condition between parallel save/swap and delete, which resulted a kernel crash due to the increase ref for save, swap, wrong ref decrease operations. Reported and fixed by Vishwanath Pai. 2) OVS should call into CT NAT for packets of new expected connections only when the conntrack state is persisted with the 'commit' option to the OVS CT action. From Jarno Rajahalme. 3) Resolve kconfig dependencies with new OVS NAT support. From Arnd Bergmann. 4) Early validation of entry->target_offset to make sure it doesn't take us out from the blob, from Florian Westphal. 5) Again early validation of entry->next_offset to make sure it doesn't take out from the blob, also from Florian. 6) Check that entry->target_offset is always of of sizeof(struct xt_entry) for unconditional entries, when checking both from check_underflow() and when checking for loops in mark_source_chains(), again from Florian. 7) Fix inconsistent behaviour in nfnetlink_queue when NFQA_CFG_F_FAIL_OPEN is set and netlink_unicast() fails due to buffer overrun, we have to reinject the packet as the user expects. 8) Enforce nul-terminated table names from getsockopt GET_ENTRIES requests. 9) Don't assume skb->sk is set from nft_bridge_reject and synproxy, this fixes a recent update of the code to namespaceify ip_default_ttl, patch from Liping Zhang. This batch comes with four patches to validate x_tables blobs coming from userspace. CONFIG_USERNS exposes the x_tables interface to unpriviledged users and to be honest this interface never received the attention for this move away from the CAP_NET_ADMIN domain. Florian is working on another round with more patches with more sanity checks, so expect a bit more Netfilter fixes in this development cycle than usual. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/openvswitch')
-rw-r--r--net/openvswitch/Kconfig4
-rw-r--r--net/openvswitch/conntrack.c21
2 files changed, 14 insertions, 11 deletions
diff --git a/net/openvswitch/Kconfig b/net/openvswitch/Kconfig
index 234a73344c6e..ce947292ae77 100644
--- a/net/openvswitch/Kconfig
+++ b/net/openvswitch/Kconfig
@@ -7,7 +7,9 @@ config OPENVSWITCH
7 depends on INET 7 depends on INET
8 depends on !NF_CONNTRACK || \ 8 depends on !NF_CONNTRACK || \
9 (NF_CONNTRACK && ((!NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6) && \ 9 (NF_CONNTRACK && ((!NF_DEFRAG_IPV6 || NF_DEFRAG_IPV6) && \
10 (!NF_NAT || NF_NAT))) 10 (!NF_NAT || NF_NAT) && \
11 (!NF_NAT_IPV4 || NF_NAT_IPV4) && \
12 (!NF_NAT_IPV6 || NF_NAT_IPV6)))
11 select LIBCRC32C 13 select LIBCRC32C
12 select MPLS 14 select MPLS
13 select NET_MPLS_GSO 15 select NET_MPLS_GSO
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index f8a8d4390a8a..1b9d286756be 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -535,14 +535,15 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
535 switch (ctinfo) { 535 switch (ctinfo) {
536 case IP_CT_RELATED: 536 case IP_CT_RELATED:
537 case IP_CT_RELATED_REPLY: 537 case IP_CT_RELATED_REPLY:
538 if (skb->protocol == htons(ETH_P_IP) && 538 if (IS_ENABLED(CONFIG_NF_NAT_IPV4) &&
539 skb->protocol == htons(ETH_P_IP) &&
539 ip_hdr(skb)->protocol == IPPROTO_ICMP) { 540 ip_hdr(skb)->protocol == IPPROTO_ICMP) {
540 if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo, 541 if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
541 hooknum)) 542 hooknum))
542 err = NF_DROP; 543 err = NF_DROP;
543 goto push; 544 goto push;
544#if IS_ENABLED(CONFIG_NF_NAT_IPV6) 545 } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) &&
545 } else if (skb->protocol == htons(ETH_P_IPV6)) { 546 skb->protocol == htons(ETH_P_IPV6)) {
546 __be16 frag_off; 547 __be16 frag_off;
547 u8 nexthdr = ipv6_hdr(skb)->nexthdr; 548 u8 nexthdr = ipv6_hdr(skb)->nexthdr;
548 int hdrlen = ipv6_skip_exthdr(skb, 549 int hdrlen = ipv6_skip_exthdr(skb,
@@ -557,7 +558,6 @@ static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
557 err = NF_DROP; 558 err = NF_DROP;
558 goto push; 559 goto push;
559 } 560 }
560#endif
561 } 561 }
562 /* Non-ICMP, fall thru to initialize if needed. */ 562 /* Non-ICMP, fall thru to initialize if needed. */
563 case IP_CT_NEW: 563 case IP_CT_NEW:
@@ -664,11 +664,12 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
664 664
665 /* Determine NAT type. 665 /* Determine NAT type.
666 * Check if the NAT type can be deduced from the tracked connection. 666 * Check if the NAT type can be deduced from the tracked connection.
667 * Make sure expected traffic is NATted only when committing. 667 * Make sure new expected connections (IP_CT_RELATED) are NATted only
668 * when committing.
668 */ 669 */
669 if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW && 670 if (info->nat & OVS_CT_NAT && ctinfo != IP_CT_NEW &&
670 ct->status & IPS_NAT_MASK && 671 ct->status & IPS_NAT_MASK &&
671 (!(ct->status & IPS_EXPECTED_BIT) || info->commit)) { 672 (ctinfo != IP_CT_RELATED || info->commit)) {
672 /* NAT an established or related connection like before. */ 673 /* NAT an established or related connection like before. */
673 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) 674 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
674 /* This is the REPLY direction for a connection 675 /* This is the REPLY direction for a connection
@@ -1239,7 +1240,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info,
1239 } 1240 }
1240 1241
1241 if (info->range.flags & NF_NAT_RANGE_MAP_IPS) { 1242 if (info->range.flags & NF_NAT_RANGE_MAP_IPS) {
1242 if (info->family == NFPROTO_IPV4) { 1243 if (IS_ENABLED(CONFIG_NF_NAT_IPV4) &&
1244 info->family == NFPROTO_IPV4) {
1243 if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN, 1245 if (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MIN,
1244 info->range.min_addr.ip) || 1246 info->range.min_addr.ip) ||
1245 (info->range.max_addr.ip 1247 (info->range.max_addr.ip
@@ -1247,8 +1249,8 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info,
1247 (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX, 1249 (nla_put_in_addr(skb, OVS_NAT_ATTR_IP_MAX,
1248 info->range.max_addr.ip)))) 1250 info->range.max_addr.ip))))
1249 return false; 1251 return false;
1250#if IS_ENABLED(CONFIG_NF_NAT_IPV6) 1252 } else if (IS_ENABLED(CONFIG_NF_NAT_IPV6) &&
1251 } else if (info->family == NFPROTO_IPV6) { 1253 info->family == NFPROTO_IPV6) {
1252 if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN, 1254 if (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MIN,
1253 &info->range.min_addr.in6) || 1255 &info->range.min_addr.in6) ||
1254 (memcmp(&info->range.max_addr.in6, 1256 (memcmp(&info->range.max_addr.in6,
@@ -1257,7 +1259,6 @@ static bool ovs_ct_nat_to_attr(const struct ovs_conntrack_info *info,
1257 (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX, 1259 (nla_put_in6_addr(skb, OVS_NAT_ATTR_IP_MAX,
1258 &info->range.max_addr.in6)))) 1260 &info->range.max_addr.in6))))
1259 return false; 1261 return false;
1260#endif
1261 } else { 1262 } else {
1262 return false; 1263 return false;
1263 } 1264 }
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-24 10:47:01 -0500