netfilter: ctnetlink: force null nat binding on insert

Quoting Andrey Vagin: When a conntrack is created by kernel, it is initialized (sets IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it is added in hashes (__nf_conntrack_hash_insert), so one conntract can't be initialized from a few threads concurrently. ctnetlink can add an uninitialized conntrack (w/o IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up this conntrack and start initialize it concurrently. It's dangerous, because BUG can be triggered from nf_nat_setup_info. Fix this race by always setting up nat, even if no CTA_NAT_ attribute was requested before inserting the ct into the hash table. In absence of CTA_NAT_ attribute, a null binding is created. This alters current behaviour: Before this patch, the first packet matching the newly injected conntrack would be run through the nat table since nf_nat_initialized() returns false. IOW, this forces ctnetlink users to specify the desired nat transformation on ct creation time. Thanks for Florian Westphal, this patch is based on his original patch to address this problem, including this patch description. Reported-By: Andrey Vagin <avagin@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Florian Westphal <fw@strlen.de>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2014-02-16 06:15:43 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-02-17 18:13:51 -0500
commit: 0eba801b64cc8284d9024c7ece30415a2b981a72 (patch)
tree: a2d1b4f667231451a801b8099d54bc322b8f3ce7 /net
parent: f627ed91d85ed7a189ec8b3b045a0d831e1655e2 (diff)
2 files changed, 49 insertions, 42 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bb322d0beb48..b9f0e0374322 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1310,27 +1310,22 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
 }
 static int
-ctnetlink_change_nat(struct nf_conn *ct, const struct nlattr * const cda[])
+ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
 {
 #ifdef CONFIG_NF_NAT_NEEDED
        int ret;
-        if (cda[CTA_NAT_DST]) {
+        ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
-                ret = ctnetlink_parse_nat_setup(ct,
+                                        cda[CTA_NAT_DST]);
-                                                NF_NAT_MANIP_DST,
+        if (ret < 0)
-                                                cda[CTA_NAT_DST]);
+                return ret;
-                if (ret < 0)
-                        return ret;
+        ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
-        }
+                                        cda[CTA_NAT_SRC]);
-        if (cda[CTA_NAT_SRC]) {
+        return ret;
-                ret = ctnetlink_parse_nat_setup(ct,
-                                                NF_NAT_MANIP_SRC,
-                                                cda[CTA_NAT_SRC]);
-                if (ret < 0)
-                        return ret;
-        }
-        return 0;
 #else
+        if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
+                return 0;
        return -EOPNOTSUPP;
 #endif
 }
@@ -1659,11 +1654,9 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
                        goto err2;
        }
-        if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
+        err = ctnetlink_setup_nat(ct, cda);
-                err = ctnetlink_change_nat(ct, cda);
+        if (err < 0)
-                if (err < 0)
+                goto err2;
-                        goto err2;
-        }
        nf_ct_acct_ext_add(ct, GFP_ATOMIC);
        nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index d3f5cd6dd962..52ca952b802c 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -432,15 +432,15 @@ nf_nat_setup_info(struct nf_conn *ct,
 }
 EXPORT_SYMBOL(nf_nat_setup_info);
-unsigned int
+static unsigned int
-nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
+__nf_nat_alloc_null_binding(struct nf_conn *ct, enum nf_nat_manip_type manip)
 {
        /* Force range to this IP; let proto decide mapping for
         * per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).
         * Use reply in case it's already been mangled (eg local packet).
         */
        union nf_inet_addr ip =
-                (HOOK2MANIP(hooknum) == NF_NAT_MANIP_SRC ?
+                (manip == NF_NAT_MANIP_SRC ?
                ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3 :
                ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3);
        struct nf_nat_range range = {
@@ -448,7 +448,13 @@ nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
                .min_addr       = ip,
                .max_addr       = ip,
        };
-        return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
+        return nf_nat_setup_info(ct, &range, manip);
+}
+unsigned int
+nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
+{
+        return __nf_nat_alloc_null_binding(ct, HOOK2MANIP(hooknum));
 }
 EXPORT_SYMBOL_GPL(nf_nat_alloc_null_binding);
@@ -702,9 +708,9 @@ static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
 static int
 nfnetlink_parse_nat(const struct nlattr *nat,
-                    const struct nf_conn *ct, struct nf_nat_range *range)
+                    const struct nf_conn *ct, struct nf_nat_range *range,
+                    const struct nf_nat_l3proto *l3proto)
 {
-        const struct nf_nat_l3proto *l3proto;
        struct nlattr *tb[CTA_NAT_MAX+1];
        int err;
@@ -714,38 +720,46 @@ nfnetlink_parse_nat(const struct nlattr *nat,
        if (err < 0)
                return err;
-        rcu_read_lock();
-        l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
-        if (l3proto == NULL) {
-                err = -EAGAIN;
-                goto out;
-        }
        err = l3proto->nlattr_to_range(tb, range);
        if (err < 0)
-                goto out;
+                return err;
        if (!tb[CTA_NAT_PROTO])
-                goto out;
+                return 0;
-        err = nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
+        return nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
-out:
-        rcu_read_unlock();
-        return err;
 }
+/* This function is called under rcu_read_lock() */
 static int
 nfnetlink_parse_nat_setup(struct nf_conn *ct,
                          enum nf_nat_manip_type manip,
                          const struct nlattr *attr)
 {
        struct nf_nat_range range;
+        const struct nf_nat_l3proto *l3proto;
        int err;
-        err = nfnetlink_parse_nat(attr, ct, &range);
+        /* Should not happen, restricted to creating new conntracks
+         * via ctnetlink.
+         */
+        if (WARN_ON_ONCE(nf_nat_initialized(ct, manip)))
+                return -EEXIST;
+        /* Make sure that L3 NAT is there by when we call nf_nat_setup_info to
+         * attach the null binding, otherwise this may oops.
+         */
+        l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
+        if (l3proto == NULL)
+                return -EAGAIN;
+        /* No NAT information has been passed, allocate the null-binding */
+        if (attr == NULL)
+                return __nf_nat_alloc_null_binding(ct, manip);
+        err = nfnetlink_parse_nat(attr, ct, &range, l3proto);
        if (err < 0)
                return err;
-        if (nf_nat_initialized(ct, manip))
-                return -EEXIST;
        return nf_nat_setup_info(ct, &range, manip);
 }
author	Pablo Neira Ayuso <pablo@netfilter.org>	2014-02-16 06:15:43 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-02-17 18:13:51 -0500
commit	0eba801b64cc8284d9024c7ece30415a2b981a72 (patch)
tree	a2d1b4f667231451a801b8099d54bc322b8f3ce7 /net
parent	f627ed91d85ed7a189ec8b3b045a0d831e1655e2 (diff)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index bb322d0beb48..b9f0e0374322 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1310,27 +1310,22 @@ ctnetlink_change_status(struct nf_conn ct, const struct nlattr const cda[])
1310	}	1310	}
1311		1311
1312	static int	1312	static int
1313	ctnetlink_change_nat(struct nf_conn ct, const struct nlattr const cda[])	1313	ctnetlink_setup_nat(struct nf_conn ct, const struct nlattr const cda[])
1314	{	1314	{
1315	#ifdef CONFIG_NF_NAT_NEEDED	1315	#ifdef CONFIG_NF_NAT_NEEDED
1316	int ret;	1316	int ret;
1317		1317
1318	if (cda[CTA_NAT_DST]) {	1318	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1319	ret = ctnetlink_parse_nat_setup(ct,	1319	cda[CTA_NAT_DST]);
1320	NF_NAT_MANIP_DST,	1320	if (ret < 0)
1321	cda[CTA_NAT_DST]);	1321	return ret;
1322	if (ret < 0)	1322
1323	return ret;	1323	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1324	}	1324	cda[CTA_NAT_SRC]);
1325	if (cda[CTA_NAT_SRC]) {	1325	return ret;
1326	ret = ctnetlink_parse_nat_setup(ct,
1327	NF_NAT_MANIP_SRC,
1328	cda[CTA_NAT_SRC]);
1329	if (ret < 0)
1330	return ret;
1331	}
1332	return 0;
1333	#else	1326	#else
		1327	if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
		1328	return 0;
1334	return -EOPNOTSUPP;	1329	return -EOPNOTSUPP;
1335	#endif	1330	#endif
1336	}	1331	}
@@ -1659,11 +1654,9 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
1659	goto err2;	1654	goto err2;
1660	}	1655	}
1661		1656
1662	if (cda[CTA_NAT_SRC] \|\| cda[CTA_NAT_DST]) {	1657	err = ctnetlink_setup_nat(ct, cda);
1663	err = ctnetlink_change_nat(ct, cda);	1658	if (err < 0)
1664	if (err < 0)	1659	goto err2;
1665	goto err2;
1666	}
1667		1660
1668	nf_ct_acct_ext_add(ct, GFP_ATOMIC);	1661	nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1669	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);	1662	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);


diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index d3f5cd6dd962..52ca952b802c 100644 --- a/net/netfilter/nf_nat_core.c +++ b/net/netfilter/nf_nat_core.c
@@ -432,15 +432,15 @@ nf_nat_setup_info(struct nf_conn *ct,
432	}	432	}
433	EXPORT_SYMBOL(nf_nat_setup_info);	433	EXPORT_SYMBOL(nf_nat_setup_info);
434		434
435	unsigned int	435	static unsigned int
436	nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)	436	__nf_nat_alloc_null_binding(struct nf_conn *ct, enum nf_nat_manip_type manip)
437	{	437	{
438	/* Force range to this IP; let proto decide mapping for	438	/* Force range to this IP; let proto decide mapping for
439	* per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).	439	* per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).
440	* Use reply in case it's already been mangled (eg local packet).	440	* Use reply in case it's already been mangled (eg local packet).
441	*/	441	*/
442	union nf_inet_addr ip =	442	union nf_inet_addr ip =
443	(HOOK2MANIP(hooknum) == NF_NAT_MANIP_SRC ?	443	(manip == NF_NAT_MANIP_SRC ?
444	ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3 :	444	ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3 :
445	ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3);	445	ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3);
446	struct nf_nat_range range = {	446	struct nf_nat_range range = {
@@ -448,7 +448,13 @@ nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
448	.min_addr = ip,	448	.min_addr = ip,
449	.max_addr = ip,	449	.max_addr = ip,
450	};	450	};
451	return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));	451	return nf_nat_setup_info(ct, &range, manip);
		452	}
		453
		454	unsigned int
		455	nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
		456	{
		457	return __nf_nat_alloc_null_binding(ct, HOOK2MANIP(hooknum));
452	}	458	}
453	EXPORT_SYMBOL_GPL(nf_nat_alloc_null_binding);	459	EXPORT_SYMBOL_GPL(nf_nat_alloc_null_binding);
454		460
@@ -702,9 +708,9 @@ static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
702		708
703	static int	709	static int
704	nfnetlink_parse_nat(const struct nlattr *nat,	710	nfnetlink_parse_nat(const struct nlattr *nat,
705	const struct nf_conn ct, struct nf_nat_range range)	711	const struct nf_conn ct, struct nf_nat_range range,
		712	const struct nf_nat_l3proto *l3proto)
706	{	713	{
707	const struct nf_nat_l3proto *l3proto;
708	struct nlattr *tb[CTA_NAT_MAX+1];	714	struct nlattr *tb[CTA_NAT_MAX+1];
709	int err;	715	int err;
710		716
@@ -714,38 +720,46 @@ nfnetlink_parse_nat(const struct nlattr *nat,
714	if (err < 0)	720	if (err < 0)
715	return err;	721	return err;
716		722
717	rcu_read_lock();
718	l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
719	if (l3proto == NULL) {
720	err = -EAGAIN;
721	goto out;
722	}
723	err = l3proto->nlattr_to_range(tb, range);	723	err = l3proto->nlattr_to_range(tb, range);
724	if (err < 0)	724	if (err < 0)
725	goto out;	725	return err;
726		726
727	if (!tb[CTA_NAT_PROTO])	727	if (!tb[CTA_NAT_PROTO])
728	goto out;	728	return 0;
729		729
730	err = nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);	730	return nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
731	out:
732	rcu_read_unlock();
733	return err;
734	}	731	}
735		732
		733	/* This function is called under rcu_read_lock() */
736	static int	734	static int
737	nfnetlink_parse_nat_setup(struct nf_conn *ct,	735	nfnetlink_parse_nat_setup(struct nf_conn *ct,
738	enum nf_nat_manip_type manip,	736	enum nf_nat_manip_type manip,
739	const struct nlattr *attr)	737	const struct nlattr *attr)
740	{	738	{
741	struct nf_nat_range range;	739	struct nf_nat_range range;
		740	const struct nf_nat_l3proto *l3proto;
742	int err;	741	int err;
743		742
744	err = nfnetlink_parse_nat(attr, ct, &range);	743	/* Should not happen, restricted to creating new conntracks
		744	* via ctnetlink.
		745	*/
		746	if (WARN_ON_ONCE(nf_nat_initialized(ct, manip)))
		747	return -EEXIST;
		748
		749	/* Make sure that L3 NAT is there by when we call nf_nat_setup_info to
		750	* attach the null binding, otherwise this may oops.
		751	*/
		752	l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
		753	if (l3proto == NULL)
		754	return -EAGAIN;
		755
		756	/* No NAT information has been passed, allocate the null-binding */
		757	if (attr == NULL)
		758	return __nf_nat_alloc_null_binding(ct, manip);
		759
		760	err = nfnetlink_parse_nat(attr, ct, &range, l3proto);
745	if (err < 0)	761	if (err < 0)
746	return err;	762	return err;
747	if (nf_nat_initialized(ct, manip))
748	return -EEXIST;
749		763
750	return nf_nat_setup_info(ct, &range, manip);	764	return nf_nat_setup_info(ct, &range, manip);
751	}	765	}