1. 03 9月, 2015 1 次提交
    • D
      netfilter: nf_conntrack: make nf_ct_zone_dflt built-in · 62da9865
      Daniel Borkmann 提交于
      Fengguang reported, that some randconfig generated the following linker
      issue with nf_ct_zone_dflt object involved:
      
        [...]
        CC      init/version.o
        LD      init/built-in.o
        net/built-in.o: In function `ipv4_conntrack_defrag':
        nf_defrag_ipv4.c:(.text+0x93e95): undefined reference to `nf_ct_zone_dflt'
        net/built-in.o: In function `ipv6_defrag':
        nf_defrag_ipv6_hooks.c:(.text+0xe3ffe): undefined reference to `nf_ct_zone_dflt'
        make: *** [vmlinux] Error 1
      
      Given that configurations exist where we have a built-in part, which is
      accessing nf_ct_zone_dflt such as the two handlers nf_ct_defrag_user()
      and nf_ct6_defrag_user(), and a part that configures nf_conntrack as a
      module, we must move nf_ct_zone_dflt into a fixed, guaranteed built-in
      area when netfilter is configured in general.
      
      Therefore, split the more generic parts into a common header under
      include/linux/netfilter/ and move nf_ct_zone_dflt into the built-in
      section that already holds parts related to CONFIG_NF_CONNTRACK in the
      netfilter core. This fixes the issue on my side.
      
      Fixes: 308ac914 ("netfilter: nf_conntrack: push zone object into functions")
      Reported-by: NFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      62da9865
  2. 07 8月, 2015 1 次提交
  3. 16 7月, 2015 2 次提交
    • F
      netfilter: add and use jump label for xt_tee · dcebd315
      Florian Westphal 提交于
      Don't bother testing if we need to switch to alternate stack
      unless TEE target is used.
      Suggested-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      dcebd315
    • F
      netfilter: xtables: don't save/restore jumpstack offset · 7814b6ec
      Florian Westphal 提交于
      In most cases there is no reentrancy into ip/ip6tables.
      
      For skbs sent by REJECT or SYNPROXY targets, there is one level
      of reentrancy, but its not relevant as those targets issue an absolute
      verdict, i.e. the jumpstack can be clobbered since its not used
      after the target issues absolute verdict (ACCEPT, DROP, STOLEN, etc).
      
      So the only special case where it is relevant is the TEE target, which
      returns XT_CONTINUE.
      
      This patch changes ip(6)_do_table to always use the jump stack starting
      from 0.
      
      When we detect we're operating on an skb sent via TEE (percpu
      nf_skb_duplicated is 1) we switch to an alternate stack to leave
      the original one alone.
      
      Since there is no TEE support for arptables, it doesn't need to
      test if tee is active.
      
      The jump stack overflow tests are no longer needed as well --
      since ->stacksize is the largest call depth we cannot exceed it.
      
      A much better alternative to the external jumpstack would be to just
      declare a jumps[32] stack on the local stack frame, but that would mean
      we'd have to reject iptables rulesets that used to work before.
      
      Another alternative would be to start rejecting rulesets with a larger
      call depth, e.g. 1000 -- in this case it would be feasible to allocate the
      entire stack in the percpu area which would avoid one dereference.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      7814b6ec
  4. 19 6月, 2015 1 次提交
    • F
      netfilter: xtables: fix warnings on 32bit platforms · dcb8f5c8
      Florian Westphal 提交于
      On 32bit archs gcc complains due to cast from void* to u64.
      Add intermediate casts to long to silence these warnings.
      
      include/linux/netfilter/x_tables.h:376:10: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
      include/linux/netfilter/x_tables.h:384:15: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
      include/linux/netfilter/x_tables.h:391:23: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
      include/linux/netfilter/x_tables.h:400:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
      
      Fixes: 71ae0dff ("netfilter: xtables: use percpu rule counters")
      Reported-by: Nkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      dcb8f5c8
  5. 18 6月, 2015 1 次提交
  6. 16 6月, 2015 1 次提交
  7. 14 6月, 2015 5 次提交
  8. 12 6月, 2015 2 次提交
  9. 16 5月, 2015 1 次提交
    • P
      netfilter: x_tables: add context to know if extension runs from nft_compat · 55917a21
      Pablo Neira Ayuso 提交于
      Currently, we have four xtables extensions that cannot be used from the
      xt over nft compat layer. The problem is that they need real access to
      the full blown xt_entry to validate that the rule comes with the right
      dependencies. This check was introduced to overcome the lack of
      sufficient userspace dependency validation in iptables.
      
      To resolve this problem, this patch introduces a new field to the
      xt_tgchk_param structure that tell us if the extension is run from
      nft_compat context.
      
      The three affected extensions are:
      
      1) CLUSTERIP, this target has been superseded by xt_cluster. So just
         bail out by returning -EINVAL.
      
      2) TCPMSS. Relax the checking when used from nft_compat. If used with
         the wrong configuration, it will corrupt !syn packets by adding TCP
         MSS option.
      
      3) ebt_stp. Relax the check to make sure it uses the reserved
         destination MAC address for STP.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Tested-by: NArturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      55917a21
  10. 14 5月, 2015 2 次提交
  11. 01 4月, 2015 1 次提交
  12. 16 9月, 2014 2 次提交
  13. 25 8月, 2014 1 次提交
  14. 30 4月, 2014 1 次提交
  15. 08 4月, 2014 1 次提交
    • A
      netfilter: nf_conntrack: flush net_gre->keymap_list only from gre helper · 8142b227
      Andrey Vagin 提交于
      nf_ct_gre_keymap_flush() removes a nf_ct_gre_keymap object from
      net_gre->keymap_list and frees the object. But it doesn't clean
      a reference on this object from ct_pptp_info->keymap[dir].
      Then nf_ct_gre_keymap_destroy() may release the same object again.
      
      So nf_ct_gre_keymap_flush() can be called only when we are sure that
      when nf_ct_gre_keymap_destroy will not be called.
      
      nf_ct_gre_keymap is created by nf_ct_gre_keymap_add() and the right way
      to destroy it is to call nf_ct_gre_keymap_destroy().
      
      This patch marks nf_ct_gre_keymap_flush() as static, so this patch can
      break compilation of third party modules, which use
      nf_ct_gre_keymap_flush. I'm not sure this is the right way to deprecate
      this function.
      
      [  226.540793] general protection fault: 0000 [#1] SMP
      [  226.541750] Modules linked in: nf_nat_pptp nf_nat_proto_gre
      nf_conntrack_pptp nf_conntrack_proto_gre ip_gre ip_tunnel gre
      ppp_deflate bsd_comp ppp_async crc_ccitt ppp_generic slhc xt_nat
      iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
      nf_conntrack veth tun bridge stp llc ppdev microcode joydev pcspkr
      serio_raw virtio_console virtio_balloon floppy parport_pc parport
      pvpanic i2c_piix4 virtio_net drm_kms_helper ttm ata_generic virtio_pci
      virtio_ring virtio drm i2c_core pata_acpi [last unloaded: ip_tunnel]
      [  226.541776] CPU: 0 PID: 49 Comm: kworker/u4:2 Not tainted 3.14.0-rc8+ #101
      [  226.541776] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [  226.541776] Workqueue: netns cleanup_net
      [  226.541776] task: ffff8800371e0000 ti: ffff88003730c000 task.ti: ffff88003730c000
      [  226.541776] RIP: 0010:[<ffffffff81389ba9>]  [<ffffffff81389ba9>] __list_del_entry+0x29/0xd0
      [  226.541776] RSP: 0018:ffff88003730dbd0  EFLAGS: 00010a83
      [  226.541776] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800374e6c40 RCX: dead000000200200
      [  226.541776] RDX: 6b6b6b6b6b6b6b6b RSI: ffff8800371e07d0 RDI: ffff8800374e6c40
      [  226.541776] RBP: ffff88003730dbd0 R08: 0000000000000000 R09: 0000000000000000
      [  226.541776] R10: 0000000000000001 R11: ffff88003730d92e R12: 0000000000000002
      [  226.541776] R13: ffff88007a4c42d0 R14: ffff88007aef0000 R15: ffff880036cf0018
      [  226.541776] FS:  0000000000000000(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
      [  226.541776] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  226.541776] CR2: 00007f07f643f7d0 CR3: 0000000036fd2000 CR4: 00000000000006f0
      [  226.541776] Stack:
      [  226.541776]  ffff88003730dbe8 ffffffff81389c5d ffff8800374ffbe4 ffff88003730dc28
      [  226.541776]  ffffffffa0162a43 ffffffffa01627c5 ffff88007a4c42d0 ffff88007aef0000
      [  226.541776]  ffffffffa01651c0 ffff88007a4c45e0 ffff88007aef0000 ffff88003730dc40
      [  226.541776] Call Trace:
      [  226.541776]  [<ffffffff81389c5d>] list_del+0xd/0x30
      [  226.541776]  [<ffffffffa0162a43>] nf_ct_gre_keymap_destroy+0x283/0x2d0 [nf_conntrack_proto_gre]
      [  226.541776]  [<ffffffffa01627c5>] ? nf_ct_gre_keymap_destroy+0x5/0x2d0 [nf_conntrack_proto_gre]
      [  226.541776]  [<ffffffffa0162ab7>] gre_destroy+0x27/0x70 [nf_conntrack_proto_gre]
      [  226.541776]  [<ffffffffa0117de3>] destroy_conntrack+0x83/0x200 [nf_conntrack]
      [  226.541776]  [<ffffffffa0117d87>] ? destroy_conntrack+0x27/0x200 [nf_conntrack]
      [  226.541776]  [<ffffffffa0117d60>] ? nf_conntrack_hash_check_insert+0x2e0/0x2e0 [nf_conntrack]
      [  226.541776]  [<ffffffff81630142>] nf_conntrack_destroy+0x72/0x180
      [  226.541776]  [<ffffffff816300d5>] ? nf_conntrack_destroy+0x5/0x180
      [  226.541776]  [<ffffffffa011ef80>] ? kill_l3proto+0x20/0x20 [nf_conntrack]
      [  226.541776]  [<ffffffffa011847e>] nf_ct_iterate_cleanup+0x14e/0x170 [nf_conntrack]
      [  226.541776]  [<ffffffffa011f74b>] nf_ct_l4proto_pernet_unregister+0x5b/0x90 [nf_conntrack]
      [  226.541776]  [<ffffffffa0162409>] proto_gre_net_exit+0x19/0x30 [nf_conntrack_proto_gre]
      [  226.541776]  [<ffffffff815edf89>] ops_exit_list.isra.1+0x39/0x60
      [  226.541776]  [<ffffffff815eecc0>] cleanup_net+0x100/0x1d0
      [  226.541776]  [<ffffffff810a608a>] process_one_work+0x1ea/0x4f0
      [  226.541776]  [<ffffffff810a6028>] ? process_one_work+0x188/0x4f0
      [  226.541776]  [<ffffffff810a64ab>] worker_thread+0x11b/0x3a0
      [  226.541776]  [<ffffffff810a6390>] ? process_one_work+0x4f0/0x4f0
      [  226.541776]  [<ffffffff810af42d>] kthread+0xed/0x110
      [  226.541776]  [<ffffffff8173d4dc>] ? _raw_spin_unlock_irq+0x2c/0x40
      [  226.541776]  [<ffffffff810af340>] ? kthread_create_on_node+0x200/0x200
      [  226.541776]  [<ffffffff8174747c>] ret_from_fork+0x7c/0xb0
      [  226.541776]  [<ffffffff810af340>] ? kthread_create_on_node+0x200/0x200
      [  226.541776] Code: 00 00 55 48 8b 17 48 b9 00 01 10 00 00 00 ad de
      48 8b 47 08 48 89 e5 48 39 ca 74 29 48 b9 00 02 20 00 00 00 ad de 48
      39 c8 74 7a <4c> 8b 00 4c 39 c7 75 53 4c 8b 42 08 4c 39 c7 75 2b 48 89
      42 08
      [  226.541776] RIP  [<ffffffff81389ba9>] __list_del_entry+0x29/0xd0
      [  226.541776]  RSP <ffff88003730dbd0>
      [  226.612193] ---[ end trace 985ae23ddfcc357c ]---
      
      Cc: Pablo Neira Ayuso <pablo@netfilter.org>
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: NAndrey Vagin <avagin@openvz.org>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      8142b227
  16. 06 3月, 2014 3 次提交
  17. 25 2月, 2014 1 次提交
  18. 04 1月, 2014 1 次提交
  19. 22 10月, 2013 1 次提交
  20. 15 10月, 2013 1 次提交
    • P
      netfilter: nfnetlink: add batch support and use it from nf_tables · 0628b123
      Pablo Neira Ayuso 提交于
      This patch adds a batch support to nfnetlink. Basically, it adds
      two new control messages:
      
      * NFNL_MSG_BATCH_BEGIN, that indicates the beginning of a batch,
        the nfgenmsg->res_id indicates the nfnetlink subsystem ID.
      
      * NFNL_MSG_BATCH_END, that results in the invocation of the
        ss->commit callback function. If not specified or an error
        ocurred in the batch, the ss->abort function is invoked
        instead.
      
      The end message represents the commit operation in nftables, the
      lack of end message results in an abort. This patch also adds the
      .call_batch function that is only called from the batch receival
      path.
      
      This patch adds atomic rule updates and dumps based on
      bitmask generations. This allows to atomically commit a set of
      rule-set updates incrementally without altering the internal
      state of existing nf_tables expressions/matches/targets.
      
      The idea consists of using a generation cursor of 1 bit and
      a bitmask of 2 bits per rule. Assuming the gencursor is 0,
      then the genmask (expressed as a bitmask) can be interpreted
      as:
      
      00 active in the present, will be active in the next generation.
      01 inactive in the present, will be active in the next generation.
      10 active in the present, will be deleted in the next generation.
       ^
       gencursor
      
      Once you invoke the transition to the next generation, the global
      gencursor is updated:
      
      00 active in the present, will be active in the next generation.
      01 active in the present, needs to zero its future, it becomes 00.
      10 inactive in the present, delete now.
      ^
      gencursor
      
      If a dump is in progress and nf_tables enters a new generation,
      the dump will stop and return -EBUSY to let userspace know that
      it has to retry again. In order to invalidate dumps, a global
      genctr counter is increased everytime nf_tables enters a new
      generation.
      
      This new operation can be used from the user-space utility
      that controls the firewall, eg.
      
      nft -f restore
      
      The rule updates contained in `file' will be applied atomically.
      
      cat file
      -----
      add filter INPUT ip saddr 1.1.1.1 counter accept #1
      del filter INPUT ip daddr 2.2.2.2 counter drop   #2
      -EOF-
      
      Note that the rule 1 will be inactive until the transition to the
      next generation, the rule 2 will be evicted in the next generation.
      
      There is a penalty during the rule update due to the branch
      misprediction in the packet matching framework. But that should be
      quickly resolved once the iteration over the commit list that
      contain rules that require updates is finished.
      
      Event notification happens once the rule-set update has been
      committed. So we skip notifications is case the rule-set update
      is aborted, which can happen in case that the rule-set is tested
      to apply correctly.
      
      This patch squashed the following patches from Pablo:
      
      * nf_tables: atomic rule updates and dumps
      * nf_tables: get rid of per rule list_head for commits
      * nf_tables: use per netns commit list
      * nfnetlink: add batch support and use it from nf_tables
      * nf_tables: all rule updates are transactional
      * nf_tables: attach replacement rule after stale one
      * nf_tables: do not allow deletion/replacement of stale rules
      * nf_tables: remove unused NFTA_RULE_FLAGS
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      0628b123
  21. 01 10月, 2013 10 次提交
反馈
建议
客服 返回
顶部