1. 04 May 2014, 1 commit
    • netfilter: nfnetlink: Fix use after free when it fails to process batch · ecd15dd7
      Denys Fedoryshchenko committed
      This bug manifests when calling the nft command line tool without
      nf_tables kernel support.
      
      kernel message:
      [   44.071555] Netfilter messages via NETLINK v0.30.
      [   44.072253] BUG: unable to handle kernel NULL pointer dereference at 0000000000000119
      [   44.072264] IP: [<ffffffff8171db1f>] netlink_getsockbyportid+0xf/0x70
      [   44.072272] PGD 7f2b74067 PUD 7f2b73067 PMD 0
      [   44.072277] Oops: 0000 [#1] SMP
      [...]
      [   44.072369] Call Trace:
      [   44.072373]  [<ffffffff8171fd81>] netlink_unicast+0x91/0x200
      [   44.072377]  [<ffffffff817206c9>] netlink_ack+0x99/0x110
      [   44.072381]  [<ffffffffa004b951>] nfnetlink_rcv+0x3c1/0x408 [nfnetlink]
      [   44.072385]  [<ffffffff8171fde3>] netlink_unicast+0xf3/0x200
      [   44.072389]  [<ffffffff817201ef>] netlink_sendmsg+0x2ff/0x740
      [   44.072394]  [<ffffffff81044752>] ? __mmdrop+0x62/0x90
      [   44.072398]  [<ffffffff816dafdb>] sock_sendmsg+0x8b/0xc0
      [   44.072403]  [<ffffffff812f1af5>] ? copy_user_enhanced_fast_string+0x5/0x10
      [   44.072406]  [<ffffffff816dbb6c>] ? move_addr_to_kernel+0x2c/0x50
      [   44.072410]  [<ffffffff816db423>] ___sys_sendmsg+0x3c3/0x3d0
      [   44.072415]  [<ffffffff811301ba>] ? handle_mm_fault+0xa9a/0xc60
      [   44.072420]  [<ffffffff811362d6>] ? mmap_region+0x166/0x5a0
      [   44.072424]  [<ffffffff817da84c>] ? __do_page_fault+0x1dc/0x510
      [   44.072428]  [<ffffffff812b8b2c>] ? apparmor_capable+0x1c/0x60
      [   44.072435]  [<ffffffff817d6e9a>] ? _raw_spin_unlock_bh+0x1a/0x20
      [   44.072439]  [<ffffffff816dfc86>] ? release_sock+0x106/0x150
      [   44.072443]  [<ffffffff816dc212>] __sys_sendmsg+0x42/0x80
      [   44.072446]  [<ffffffff816dc262>] SyS_sendmsg+0x12/0x20
      [   44.072450]  [<ffffffff817df616>] system_call_fastpath+0x1a/0x1f
      Signed-off-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 25 Apr 2014, 2 commits
  3. 23 Apr 2014, 2 commits
    • netlink: have netlink per-protocol bind function return an error code. · 4f520900
      Richard Guy Briggs committed
      Have the netlink per-protocol optional bind function return an int error code
      rather than void to signal a failure.
      
      This will enable netlink protocols to perform extra checks including
      capabilities and permissions verifications when updating memberships in
      multicast groups.
      
      In netlink_bind() and netlink_setsockopt() the call to the per-protocol bind
      function was moved above the multicast group update to prevent any access to
      the multicast socket groups before checking with the per-protocol bind
      function.  This will enable the per-protocol bind function to be used to check
      permissions which could be denied before making them available, and to avoid
      the messy job of undoing the addition should the per-protocol bind function
      fail.
      
      The netfilter subsystem seems to be the only one currently using the
      per-protocol bind function.
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netlink: simplify nfnetlink_bind · bfe4bc71
      Richard Guy Briggs committed
      Remove duplicity and simplify code flow by moving the rcu_read_unlock() above
      the condition and let the flow control exit naturally at the end of the
      function.
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 25 Feb 2014, 1 commit
  5. 09 Nov 2013, 1 commit
  6. 15 Oct 2013, 1 commit
    • netfilter: nfnetlink: add batch support and use it from nf_tables · 0628b123
      Pablo Neira Ayuso committed
      This patch adds batch support to nfnetlink. Basically, it adds
      two new control messages:
      
      * NFNL_MSG_BATCH_BEGIN, that indicates the beginning of a batch,
        the nfgenmsg->res_id indicates the nfnetlink subsystem ID.
      
      * NFNL_MSG_BATCH_END, that results in the invocation of the
        ss->commit callback function. If not specified or an error
        occurred in the batch, the ss->abort function is invoked
        instead.
      
      The end message represents the commit operation in nftables, the
      lack of end message results in an abort. This patch also adds the
      .call_batch function that is only called from the batch receival
      path.
      
      This patch adds atomic rule updates and dumps based on
      bitmask generations. This allows a set of rule-set updates
      to be committed atomically and incrementally without altering
      the internal state of existing nf_tables expressions/matches/targets.
      
      The idea consists of using a generation cursor of 1 bit and
      a bitmask of 2 bits per rule. Assuming the gencursor is 0,
      then the genmask (expressed as a bitmask) can be interpreted
      as:
      
      00 active in the present, will be active in the next generation.
      01 inactive in the present, will be active in the next generation.
      10 active in the present, will be deleted in the next generation.
       ^
       gencursor
      
      Once you invoke the transition to the next generation, the global
      gencursor is updated:
      
      00 active in the present, will be active in the next generation.
      01 active in the present, needs to zero its future, it becomes 00.
      10 inactive in the present, delete now.
      ^
      gencursor
      
      If a dump is in progress and nf_tables enters a new generation,
      the dump will stop and return -EBUSY to let userspace know that
      it has to retry again. In order to invalidate dumps, a global
      genctr counter is increased every time nf_tables enters a new
      generation.
      
      This new operation can be used from the user-space utility
      that controls the firewall, eg.
      
      nft -f restore
      
      The rule updates contained in `file' will be applied atomically.
      
      cat file
      -----
      add filter INPUT ip saddr 1.1.1.1 counter accept #1
      del filter INPUT ip daddr 2.2.2.2 counter drop   #2
      -EOF-
      
      Note that the rule 1 will be inactive until the transition to the
      next generation, the rule 2 will be evicted in the next generation.
      
      There is a penalty during the rule update due to the branch
      misprediction in the packet matching framework. But that should be
      quickly resolved once the iteration over the commit list that
      contains rules that require updates is finished.
      
      Event notification happens once the rule-set update has been
      committed. So we skip notifications in case the rule-set update
      is aborted, which can happen in case that the rule-set is tested
      to apply correctly.
      
      This patch squashed the following patches from Pablo:
      
      * nf_tables: atomic rule updates and dumps
      * nf_tables: get rid of per rule list_head for commits
      * nf_tables: use per netns commit list
      * nfnetlink: add batch support and use it from nf_tables
      * nf_tables: all rule updates are transactional
      * nf_tables: attach replacement rule after stale one
      * nf_tables: do not allow deletion/replacement of stale rules
      * nf_tables: remove unused NFTA_RULE_FLAGS
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
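A toy model of the generation scheme described in the commit message above, written as an added example for this page (it is neither the kernel's code nor part of the commit): each rule carries a 2-bit genmask, the table a 1-bit gencursor, and the BATCH_END commit and the abort path turn out to be the same sweep with and without a generation change. The names table_add, table_del, table_commit, table_abort, sweep and the fixed 8-rule array are assumptions of the model.

```c
#include <string.h>
/* Toy model of the scheme described in the commit message (not the kernel's
 * code): a 1-bit gencursor per table and a 2-bit genmask per rule. */
struct rule  { const char *name; unsigned genmask; int present; };
struct table { struct rule rules[8]; int n; unsigned gencursor, genctr; };

static unsigned next_gen(const struct table *t) { return t->gencursor ^ 1u; }

/* A rule is active in a generation iff its genmask bit for that generation is clear. */
static int active_in(const struct rule *r, unsigned gen) { return r->present && !(r->genmask & (1u << gen)); }
int rule_is_active(const struct table *t, const struct rule *r) { return active_in(r, t->gencursor); }
int rule_is_active_next(const struct table *t, const struct rule *r) { return active_in(r, next_gen(t)); }

/* "add": inactive now, active after commit (genmask 01 while gencursor is 0). */
int table_add(struct table *t, const char *name)
{
    if (t->n == 8) return -1;
    t->rules[t->n++] = (struct rule){ name, 1u << t->gencursor, 1 };
    return 0;
}

/* "del": keep the rule active now but not in the next generation (00 -> 10 while
 * gencursor is 0). A rule already stale in the next generation cannot be deleted twice. */
int table_del(struct table *t, const char *name)
{
    for (int i = 0; i < t->n; i++) {
        if (!rule_is_active_next(t, &t->rules[i]) || strcmp(t->rules[i].name, name)) continue;
        t->rules[i].genmask |= 1u << next_gen(t);
        return 0;
    }
    return -1;
}

/* Drop every rule inactive at the current cursor (bit set); zero the future of the rest. */
static void sweep(struct table *t)
{
    for (int i = 0; i < t->n; i++)
        if (t->rules[i].genmask & (1u << t->gencursor)) t->rules[i].present = 0;
        else t->rules[i].genmask = 0;
}

/* Commit (BATCH_END): bump genctr so an in-progress dump knows it must retry,
 * enter the next generation, then sweep: 01 becomes 00 and 10 is evicted. */
void table_commit(struct table *t) { t->genctr++; t->gencursor = next_gen(t); sweep(t); }

/* Abort (no BATCH_END, or an error in the batch): sweep without changing
 * generation, so pending adds are dropped and pending deletions cancelled. */
void table_abort(struct table *t) { sweep(t); }
```

Walking the `nft -f restore` file from the message through the model: after "add" rule 1 is present but inactive and rule 2 is still matching; after the commit rule 1 matches and rule 2 is gone, while an abort instead drops rule 1 and keeps rule 2.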
  7. 20 Apr 2013, 2 commits
  8. 29 Mar 2013, 1 commit
  9. 04 Mar 2013, 1 commit
  10. 05 Feb 2013, 1 commit
  11. 19 Nov 2012, 1 commit
    • net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm · df008c91
      Eric W. Biederman committed
      Allow an unprivileged user who has created a user namespace, and then
      created a network namespace to effectively use the new network
      namespace, by reducing capable(CAP_NET_ADMIN) and
      capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
      CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.
      
      Allow creation of af_key sockets.
      Allow creation of llc sockets.
      Allow creation of af_packet sockets.
      
      Allow sending xfrm netlink control messages.
      
      Allow binding to netlink multicast groups.
      Allow sending to netlink multicast groups.
      Allow adding and dropping netlink multicast groups.
      Allow sending to all netlink multicast groups and port ids.
      
      Allow reading the netfilter SO_IP_SET socket option.
      Allow sending netfilter netlink messages.
      Allow setting and getting ip_vs netfilter socket options.
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  12. 09 Sep 2012, 1 commit
  13. 05 Jul 2012, 1 commit
  14. 30 Jun 2012, 2 commits
  15. 29 Jun 2012, 1 commit
  16. 16 Apr 2012, 1 commit
  17. 29 Mar 2012, 1 commit
  18. 13 Jan 2012, 1 commit
  19. 06 Jan 2012, 1 commit
  20. 02 Aug 2011, 1 commit
  21. 18 Jul 2011, 1 commit
  22. 13 May 2010, 1 commit
  23. 21 Mar 2010, 1 commit
  24. 17 Mar 2010, 1 commit
  25. 13 Jan 2010, 1 commit
  26. 25 Aug 2009, 1 commit
  27. 03 Jun 2009, 2 commits
    • netfilter: conntrack: replace notify chain by function pointer · e34d5c1a
      Pablo Neira Ayuso committed
      This patch removes the notify chain infrastructure and replaces it
      with a simple function pointer. This issue has been mentioned in the
      mailing list several times: the use of the notify chain adds
      too much overhead for something that is only used by ctnetlink.
      
      This patch also changes nfnetlink_send(). It seems that gfp_any()
      returns GFP_KERNEL for user-context request, like those via
      ctnetlink, inside the RCU read-side section which is not valid.
      Using GFP_KERNEL is also evil since netlink may schedule(),
      this leads to "scheduling while atomic" bug reports.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nfnetlink: cleanup for nfnetlink_rcv_msg() function · f49c857f
      Pablo Neira Ayuso committed
      This patch cleans up the message handling path in two aspects:
      
       * it uses NLMSG_LENGTH() instead of NLMSG_SPACE() like rtnetlink
      does in this case to check if there is enough room for the
      Netlink/nfnetlink headers. No need to check for the padding room.
      
       * it removes a redundant header size check that has been
       already done at the beginning of the function.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  28. 17 Apr 2009, 1 commit
  29. 23 Mar 2009, 1 commit
  30. 17 Oct 2008, 1 commit
  31. 15 Oct 2008, 1 commit
    • netfilter: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat · e6a7d3c0
      Pablo Neira Ayuso committed
      This patch removes the module dependency between ctnetlink and
      nf_nat by means of an indirect call that is initialized when
      nf_nat is loaded. Now, nf_conntrack_netlink only requires
      nf_conntrack and nfnetlink.
      
      This patch puts nfnetlink_parse_nat_setup_hook into the
      nf_conntrack_core to avoid dependencies between ctnetlink,
      nf_conntrack_ipv4 and nf_conntrack_ipv6.
      
      This patch also introduces the function ctnetlink_change_nat
      that is only invoked from the creation path. Actually, the
      nat handling cannot be invoked from the update path since
      this is not allowed. By introducing this function, we remove
      the useless nat handling in the update path and we avoid
      deadlock-prone code.
      
      This patch also adds the required EAGAIN logic for nfnetlink.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  32. 29 Jan 2008, 1 commit
  33. 11 Oct 2007, 3 commits