1. 23 Jun 2015, 2 commits
    • netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook · 8405a8ff
      Eric W. Biederman committed
      Add code to nf_unregister_hook to flush the nf_queue when a hook is
      unregistered.  This guarantees that the pointer that the nf_queue code
      retains into the nf_hook list will remain valid while a packet is
      queued.
      
      I tested what would happen if we do not flush queued packets and was
      trivially able to obtain the oops below.  All that was required was
      to stop the nf_queue listening process, to delete all of the nf_tables,
      and to awaken the nf_queue listening process.
      
      > BUG: unable to handle kernel paging request at 0000000100000001
      > IP: [<0000000100000001>] 0x100000001
      > PGD b9c35067 PUD 0
      > Oops: 0010 [#1] SMP
      > Modules linked in:
      > CPU: 0 PID: 519 Comm: lt-nfqnl_test Not tainted
      > task: ffff8800b9c8c050 ti: ffff8800ba9d8000 task.ti: ffff8800ba9d8000
      > RIP: 0010:[<0000000100000001>]  [<0000000100000001>] 0x100000001
      > RSP: 0018:ffff8800ba9dba40  EFLAGS: 00010a16
      > RAX: ffff8800bab48a00 RBX: ffff8800ba9dba90 RCX: ffff8800ba9dba90
      > RDX: ffff8800b9c10128 RSI: ffff8800ba940900 RDI: ffff8800bab48a00
      > RBP: ffff8800b9c10128 R08: ffffffff82976660 R09: ffff8800ba9dbb28
      > R10: dead000000100100 R11: dead000000200200 R12: ffff8800ba940900
      > R13: ffffffff8313fd50 R14: ffff8800b9c95200 R15: 0000000000000000
      > FS:  00007fb91fc34700(0000) GS:ffff8800bfa00000(0000) knlGS:0000000000000000
      > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      > CR2: 0000000100000001 CR3: 00000000babfb000 CR4: 00000000000007f0
      > Stack:
      >  ffffffff8206ab0f ffffffff82982240 ffff8800bab48a00 ffff8800b9c100a8
      >  ffff8800b9c10100 0000000000000001 ffff8800ba940900 ffff8800b9c10128
      >  ffffffff8206bd65 ffff8800bfb0d5e0 ffff8800bab48a00 0000000000014dc0
      > Call Trace:
      >  [<ffffffff8206ab0f>] ? nf_iterate+0x4f/0xa0
      >  [<ffffffff8206bd65>] ? nf_reinject+0x125/0x190
      >  [<ffffffff8206dee5>] ? nfqnl_recv_verdict+0x255/0x360
      >  [<ffffffff81386290>] ? nla_parse+0x80/0xf0
      >  [<ffffffff8206c42c>] ? nfnetlink_rcv_msg+0x13c/0x240
      >  [<ffffffff811b2fec>] ? __memcg_kmem_get_cache+0x4c/0x150
      >  [<ffffffff8206c2f0>] ? nfnl_lock+0x20/0x20
      >  [<ffffffff82068159>] ? netlink_rcv_skb+0xa9/0xc0
      >  [<ffffffff820677bf>] ? netlink_unicast+0x12f/0x1c0
      >  [<ffffffff82067ade>] ? netlink_sendmsg+0x28e/0x650
      >  [<ffffffff81fdd814>] ? sock_sendmsg+0x44/0x50
      >  [<ffffffff81fde07b>] ? ___sys_sendmsg+0x2ab/0x2c0
      >  [<ffffffff810e8f73>] ? __wake_up+0x43/0x70
      >  [<ffffffff8141a134>] ? tty_write+0x1c4/0x2a0
      >  [<ffffffff81fde9f4>] ? __sys_sendmsg+0x44/0x80
      >  [<ffffffff823ff8d7>] ? system_call_fastpath+0x12/0x6a
      > Code:  Bad RIP value.
      > RIP  [<0000000100000001>] 0x100000001
      >  RSP <ffff8800ba9dba40>
      > CR2: 0000000100000001
      > ---[ end trace 08eb65d42362793f ]---
      
      Cc: stable@vger.kernel.org
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
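The lifetime problem the commit describes, shown as an added example (not kernel code and not part of the patch): a small user-space model of the hook list and the nf_queue entry list. The function names mirror the kernel's (nf_iterate, nf_reinject, nf_unregister_hook, nf_queue_nf_hook_drop) but are stand-ins, the two hooks are static objects so the model never touches freed memory, and the `flush` argument selects between the pre-patch and post-patch behaviour of nf_unregister_hook:

```c
#include <stdlib.h>
/* Added example, not kernel code: a toy user-space model of the netfilter hook
 * list and the nf_queue entry list; the names mirror the kernel's as stand-ins. */
enum verdict { NF_DROP = 0, NF_ACCEPT = 1, NF_QUEUE = 3 };
struct nf_hook_ops {
    struct nf_hook_ops *next;
    enum verdict (*hook)(void);
};
/* A queued packet remembers the hook element that queued it (see nf_reinject). */
struct nf_queue_entry {
    struct nf_queue_entry *next;
    struct nf_hook_ops *elem;
};

static struct nf_hook_ops *hook_list;
static struct nf_queue_entry *queue_head;

static void nf_register_hook(struct nf_hook_ops *ops)
{
    ops->next = hook_list;   /* prepend; the kernel orders by priority */
    hook_list = ops;
}

/* Walk the hooks from 'start'; on NF_QUEUE park an entry with elem = that hook. */
static enum verdict nf_iterate(struct nf_hook_ops *start)
{
    for (struct nf_hook_ops *h = start; h; h = h->next) {
        enum verdict v = h->hook();
        if (v == NF_QUEUE) {
            struct nf_queue_entry *e = calloc(1, sizeof(*e)); if (!e) abort();
            e->elem = h; e->next = queue_head; queue_head = e;
        }
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

static void nf_queue_nf_hook_drop(struct nf_hook_ops *ops) /* the flush the patch adds */
{
    struct nf_queue_entry **pp = &queue_head, *e;
    while ((e = *pp)) {
        if (e->elem != ops) { pp = &e->next; continue; }
        *pp = e->next;   /* drop every queued entry that still points at 'ops' */
        free(e);
    }
}

/* Unlink 'ops' (the kernel frees the owning chain right after); flush if asked. */
static void nf_unregister_hook(struct nf_hook_ops *ops, int flush)
{
    struct nf_hook_ops **pp = &hook_list;
    while (*pp && *pp != ops) pp = &(*pp)->next;
    if (*pp) *pp = ops->next;
    if (flush) nf_queue_nf_hook_drop(ops);
}

/* Verdict from userspace for the newest queued packet. On NF_ACCEPT the walk
 * resumes at elem->next, which is only safe while elem is still registered. */
static enum verdict nf_reinject(enum verdict v)
{
    struct nf_queue_entry *e = queue_head;
    if (!e) return NF_DROP;
    queue_head = e->next;
    if (v == NF_ACCEPT) v = nf_iterate(e->elem->next);
    free(e);
    return v;
}

static enum verdict queue_hook(void) { return NF_QUEUE; }
static enum verdict accept_hook(void) { return NF_ACCEPT; }
/* Static objects, so the model never touches freed memory even when "buggy". */
static struct nf_hook_ops q_ops = { NULL, queue_hook }, a_ops = { NULL, accept_hook };

static void reset(void)   /* empty queue; hook list becomes q_ops -> a_ops */
{
    while (queue_head) nf_queue_nf_hook_drop(queue_head->elem);
    hook_list = NULL; nf_register_hook(&a_ops); nf_register_hook(&q_ops);
}

/* Queue one packet, then unregister the hook that queued it. Returns how many
 * queued entries still point at the removed hook: 1 without the flush, 0 with it. */
int entries_pointing_at_removed_hook(int flush)
{
    int n = 0;
    reset();
    nf_iterate(hook_list);
    nf_unregister_hook(&q_ops, flush);
    for (struct nf_queue_entry *e = queue_head; e; e = e->next)
        n += (e->elem == &q_ops);
    return n;
}

/* The healthy path: the hook is still registered when the verdict arrives. */
int reinject_while_registered(void)
{
    reset();
    nf_iterate(hook_list);
    return nf_reinject(NF_ACCEPT);   /* the walk continues at accept_hook */
}
```

Without the flush, one queued entry still carries the pointer of the hook that was just removed; in the kernel that hook's memory is gone by the time the verdict arrives, so nf_reinject() resumes the walk from freed memory, which is the bad RIP in the oops quoted above. With the flush, the entry is dropped together with the hook, and only entries whose hook is still registered can ever be reinjected.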
    • netfilter: nftables: Do not run chains in the wrong network namespace · fdab6a4c
      Eric W. Biederman committed
      Currently nf_tables chains added in one network namespace are being
      run in all network namespaces.  The issues are myriad with the simplest
      being an unprivileged user can cause any network packets to be dropped.
      
      Address this by simply not running nf_tables chains in the wrong
      network namespace.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 19 Jun 2015, 2 commits
  3. 18 Jun 2015, 2 commits
    • netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag · 01555e74
      Harout Hedeshian committed
      xt_socket is useful for matching sockets with IP_TRANSPARENT and
      taking some action on the matching packets. However, it lacks the
      ability to match only a small subset of transparent sockets.
      
      Suppose there are 2 applications, each with its own set of transparent
      sockets. The first application wants all matching packets dropped,
      while the second application wants them forwarded somewhere else.
      
      Add the ability to restore the skb->mark from the sk_mark. The mark
      is only restored if a matching socket is found and the transparent /
      nowildcard conditions are satisfied.
      
      Now the 2 hypothetical applications can differentiate their sockets
      based on a mark value set with SO_MARK.
      
      iptables -t mangle -I PREROUTING -m socket --transparent \
                                                 --restore-skmark -j action
      iptables -t mangle -A action -m mark --mark 10 -j action2
      iptables -t mangle -A action -m mark --mark 11 -j action3
      Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nfnetlink_queue: add security context information · ef493bd9
      Roman Kubiak committed
      This patch adds an additional attribute when sending
      packet information via netlink in netfilter_queue module.
      It will send additional security context data, so that
      userspace applications can verify this context against
      their own security databases.
      Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
      Acked-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  4. 16 Jun 2015, 4 commits
  5. 15 Jun 2015, 1 commit
  6. 14 Jun 2015, 14 commits
  7. 12 Jun 2015, 2 commits
  8. 27 May 2015, 3 commits
  9. 26 May 2015, 4 commits
    • ipv6: Set FLOWI_FLAG_KNOWN_NH at flowi6_flags · 48e8aa6e
      Martin KaFai Lau committed
      The neighbor look-up used to depend on the rt6i_gateway (if
      there is a gateway) or the rt6i_dst (if it is a RTF_CACHE clone)
      as the nexthop address.  Note that rt6i_dst is set to fl6->daddr
      for the RTF_CACHE clone where fl6->daddr is the one used to do
      the route look-up.
      
      Now, we only create RTF_CACHE clone after encountering exception.
      When doing the neighbor look-up with a route that is neither a gateway
      nor a RTF_CACHE clone, the daddr in skb will be used as the nexthop.
      
      In some cases, the daddr in skb is not the one used to do
      the route look-up.  One example is in ip_vs_dr_xmit_v6() where the
      real nexthop server address is different from the one in the skb.
      
      This patch is going to follow the IPv4 approach and ask the
      ip6_pol_route() callers to set the FLOWI_FLAG_KNOWN_NH properly.
      
      In the next patch, ip6_pol_route() will honor the FLOWI_FLAG_KNOWN_NH
      and create a RTF_CACHE clone.
      Signed-off-by: Martin KaFai Lau <kafai@fb.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Tested-by: Julian Anastasov <ja@ssi.bg>
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: Add rt6_get_cookie() function · b197df4f
      Martin KaFai Lau committed
      Instead of doing the rt6->rt6i_node check whenever we need
      to get the route's cookie, refactor it into rt6_get_cookie().
      It is a prep work to handle FLOWI_FLAG_KNOWN_NH and also
      percpu rt6_info later.
      Signed-off-by: Martin KaFai Lau <kafai@fb.com>
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: Remove external dependency on rt6i_gateway and RTF_ANYCAST · 2647a9b0
      Martin KaFai Lau committed
      When creating a RTF_CACHE route, RTF_ANYCAST is set based on rt6i_dst.
      Also, rt6i_gateway is always set to the nexthop while the nexthop
      could be a gateway or the rt6i_dst.addr.
      
      After removing the rt6i_dst and rt6i_src dependency in the last patch,
      we also need to stop the caller from depending on rt6i_gateway and
      RTF_ANYCAST.
      Signed-off-by: Martin KaFai Lau <kafai@fb.com>
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: Remove external dependency on rt6i_dst and rt6i_src · fd0273d7
      Martin KaFai Lau committed
      This patch removes the assumptions that the returned rt is always
      a RTF_CACHE entry with the rt6i_dst and rt6i_src containing the
      destination and source address.  The dst and src can be recovered from
      the calling site.
      
      We may consider to rename (rt6i_dst, rt6i_src) to
      (rt6i_key_dst, rt6i_key_src) later.
      Signed-off-by: Martin KaFai Lau <kafai@fb.com>
      Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  10. 20 May 2015, 1 commit
    • netfilter: nfnetlink_{log,queue}: Register pernet in first place · 3bfe0498
      Francesco Ruggeri committed
      nfnetlink_{log,queue}_init() register the netlink callback nf*_rcv_nl_event
      before registering the pernet_subsys, but the callback relies on data
      structures allocated by pernet init functions.
      
      When nfnetlink_{log,queue} is loaded, if a netlink message is received after
      the netlink callback is registered but before the pernet_subsys is registered,
      the kernel will panic in the sequence
      
      nfulnl_rcv_nl_event
        nfnl_log_pernet
          net_generic
            BUG_ON(id == 0)  where id is nfnl_log_net_id.
      
      The panic can be easily reproduced in 4.0.3 by:
      
      while true ;do modprobe nfnetlink_log ; rmmod nfnetlink_log ; done &
      while true ;do ip netns add dummy ; ip netns del dummy ; done &
      
      This patch moves register_pernet_subsys to earlier in nfnetlink_log_init.
      
      Notice that the BUG_ON hit in 4.0.3 was recently removed in 2591ffd3
      ["netns: remove BUG_ONs from net_generic()"].
      Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  11. 17 May 2015, 1 commit
  12. 16 May 2015, 4 commits