1. 26 1月, 2018 1 次提交
  2. 24 1月, 2018 1 次提交
  3. 23 1月, 2018 2 次提交
  4. 20 1月, 2018 2 次提交
  5. 19 1月, 2018 2 次提交
    • W
      ipv6: don't let tb6_root node share routes with other node · 591ff9ea
      Wei Wang 提交于
      After commit 4512c43e, if we add a route to the subtree of tb6_root
      which does not have any route attached to it yet, the current code will
      let tb6_root and the node in the subtree share the same route.
      This could cause problem cause tb6_root has RTN_INFO flag marked and the
      tree repair and clean up code will not work properly.
      This commit makes sure tb6_root->leaf points back to null_entry instead
      of sharing route with other node.
      
      It fixes the following syzkaller reported issue:
      BUG: KASAN: use-after-free in ipv6_prefix_equal include/net/ipv6.h:540 [inline]
      BUG: KASAN: use-after-free in fib6_add_1+0x165f/0x1790 net/ipv6/ip6_fib.c:618
      Read of size 8 at addr ffff8801bc043498 by task syz-executor5/19819
      
      CPU: 1 PID: 19819 Comm: syz-executor5 Not tainted 4.15.0-rc7+ #186
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:53
       print_address_description+0x73/0x250 mm/kasan/report.c:252
       kasan_report_error mm/kasan/report.c:351 [inline]
       kasan_report+0x25b/0x340 mm/kasan/report.c:409
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
       ipv6_prefix_equal include/net/ipv6.h:540 [inline]
       fib6_add_1+0x165f/0x1790 net/ipv6/ip6_fib.c:618
       fib6_add+0x5fa/0x1540 net/ipv6/ip6_fib.c:1214
       __ip6_ins_rt+0x6c/0x90 net/ipv6/route.c:1003
       ip6_route_add+0x141/0x190 net/ipv6/route.c:2790
       ipv6_route_ioctl+0x4db/0x6b0 net/ipv6/route.c:3299
       inet6_ioctl+0xef/0x1e0 net/ipv6/af_inet6.c:520
       sock_do_ioctl+0x65/0xb0 net/socket.c:958
       sock_ioctl+0x2c2/0x440 net/socket.c:1055
       vfs_ioctl fs/ioctl.c:46 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
       entry_SYSCALL_64_fastpath+0x23/0x9a
      RIP: 0033:0x452ac9
      RSP: 002b:00007fd42b321c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
      RDX: 0000000020fd7000 RSI: 000000000000890b RDI: 0000000000000013
      RBP: 000000000000049e R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f4f70
      R13: 00000000ffffffff R14: 00007fd42b3226d4 R15: 0000000000000000
      
      Fixes: 4512c43e ("ipv6: remove null_entry before adding default route")
      Signed-off-by: NWei Wang <weiwan@google.com>
      Acked-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      591ff9ea
    • A
      ip6_gre: init dev->mtu and dev->hard_header_len correctly · 128bb975
      Alexey Kodanev 提交于
      Commit b05229f4 ("gre6: Cleanup GREv6 transmit path,
      call common GRE functions") moved dev->mtu initialization
      from ip6gre_tunnel_setup() to ip6gre_tunnel_init(), as a
      result, the previously set values, before ndo_init(), are
      reset in the following cases:
      
      * rtnl_create_link() can update dev->mtu from IFLA_MTU
        parameter.
      
      * ip6gre_tnl_link_config() is invoked before ndo_init() in
        netlink and ioctl setup, so ndo_init() can reset MTU
        adjustments with the lower device MTU as well, dev->mtu
        and dev->hard_header_len.
      
        Not applicable for ip6gretap because it has one more call
        to ip6gre_tnl_link_config(tunnel, 1) in ip6gre_tap_init().
      
      Fix the first case by updating dev->mtu with 'tb[IFLA_MTU]'
      parameter if a user sets it manually on a device creation,
      and fix the second one by moving ip6gre_tnl_link_config()
      call after register_netdevice().
      
      Fixes: b05229f4 ("gre6: Cleanup GREv6 transmit path, call common GRE functions")
      Fixes: db2ec95d ("ip6_gre: Fix MTU setting")
      Signed-off-by: NAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      128bb975
  6. 17 1月, 2018 1 次提交
    • A
      net: delete /proc THIS_MODULE references · 96890d62
      Alexey Dobriyan 提交于
      /proc has been ignoring struct file_operations::owner field for 10 years.
      Specifically, it started with commit 786d7e16
      ("Fix rmmod/read/write races in /proc entries"). Notice the chunk where
      inode->i_fop is initialized with proxy struct file_operations for
      regular files:
      
      	-               if (de->proc_fops)
      	-                       inode->i_fop = de->proc_fops;
      	+               if (de->proc_fops) {
      	+                       if (S_ISREG(inode->i_mode))
      	+                               inode->i_fop = &proc_reg_file_ops;
      	+                       else
      	+                               inode->i_fop = de->proc_fops;
      	+               }
      
      VFS stopped pinning module at this point.
      Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      96890d62
  7. 16 1月, 2018 6 次提交
    • A
      netfilter: nf_defrag: move NF_CONNTRACK bits into #ifdef · 41e4b391
      Arnd Bergmann 提交于
      We cannot access the skb->_nfct field when CONFIG_NF_CONNTRACK is
      disabled:
      
      net/ipv4/netfilter/nf_defrag_ipv4.c: In function 'ipv4_conntrack_defrag':
      net/ipv4/netfilter/nf_defrag_ipv4.c:83:9: error: 'struct sk_buff' has no member named '_nfct'
      net/ipv6/netfilter/nf_defrag_ipv6_hooks.c: In function 'ipv6_defrag':
      net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68:9: error: 'struct sk_buff' has no member named '_nfct'
      
      Both functions already have an #ifdef for this, so let's move the
      check in there.
      
      Fixes: 902d6a4c ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      41e4b391
    • A
      netfilter: nf_defrag: mark xt_table structures 'const' again · b069b37a
      Arnd Bergmann 提交于
      As a side-effect of adding the module option, we now get a section
      mismatch warning:
      
      WARNING: net/ipv4/netfilter/iptable_raw.o(.data+0x1c): Section mismatch in reference from the variable packet_raw to the function .init.text:iptable_raw_table_init()
      The variable packet_raw references
      the function __init iptable_raw_table_init()
      If the reference is valid then annotate the
      variable with __init* or __refdata (see linux/init.h) or name the variable:
      *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console
      
      Apparently it's ok to link to a __net_init function from .rodata but not
      from .data. We can address this by rearranging the logic so that the
      structure is read-only again. Instead of writing to the .priority field
      later, we have an extra copies of the structure with that flag. An added
      advantage is that that we don't have writable function pointers with this
      approach.
      
      Fixes: 902d6a4c ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      b069b37a
    • S
      netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460 · 83f1999c
      Subash Abhinov Kasiviswanathan 提交于
      ipv6_defrag pulls network headers before fragment header. In case of
      an error, the netfilter layer is currently dropping these packets.
      This results in failure of some IPv6 standards tests which passed on
      older kernels due to the netfilter framework using cloning.
      
      The test case run here is a check for ICMPv6 error message replies
      when some invalid IPv6 fragments are sent. This specific test case is
      listed in https://www.ipv6ready.org/docs/Core_Conformance_Latest.pdf
      in the Extension Header Processing Order section.
      
      A packet with unrecognized option Type 11 is sent and the test expects
      an ICMP error in line with RFC2460 section 4.2 -
      
      11 - discard the packet and, only if the packet's Destination
           Address was not a multicast address, send an ICMP Parameter
           Problem, Code 2, message to the packet's Source Address,
           pointing to the unrecognized Option Type.
      
      Since netfilter layer now drops all invalid IPv6 frag packets, we no
      longer see the ICMP error message and fail the test case.
      
      To fix this, save the transport header. If defrag is unable to process
      the packet due to RFC2460, restore the transport header and allow packet
      to be processed by stack. There is no change for other packet
      processing paths.
      
      Tested by confirming that stack sends an ICMP error when it receives
      these packets. Also tested that fragmented ICMP pings succeed.
      
      v1->v2: Instead of cloning always, save the transport_header and
      restore it in case of this specific error. Update the title and
      commit message accordingly.
      Signed-off-by: NSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      83f1999c
    • I
      ipv6: Fix build with gcc-4.4.5 · 6802f3ad
      Ido Schimmel 提交于
      Emil reported the following compiler errors:
      
      net/ipv6/route.c: In function `rt6_sync_up`:
      net/ipv6/route.c:3586: error: unknown field `nh_flags` specified in initializer
      net/ipv6/route.c:3586: warning: missing braces around initializer
      net/ipv6/route.c:3586: warning: (near initialization for `arg.<anonymous>`)
      net/ipv6/route.c: In function `rt6_sync_down_dev`:
      net/ipv6/route.c:3695: error: unknown field `event` specified in initializer
      net/ipv6/route.c:3695: warning: missing braces around initializer
      net/ipv6/route.c:3695: warning: (near initialization for `arg.<anonymous>`)
      
      Problem is with the named initializers for the anonymous union members.
      Fix this by adding curly braces around the initialization.
      
      Fixes: 4c981e28 ("ipv6: Prepare to handle multiple netdev events")
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Reported-by: NEmil S Tantilov <emils.tantilov@gmail.com>
      Tested-by: NEmil S Tantilov <emils.tantilov@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6802f3ad
    • E
      ipv6: ip6_make_skb() needs to clear cork.base.dst · 95ef498d
      Eric Dumazet 提交于
      In my last patch, I missed fact that cork.base.dst was not initialized
      in ip6_make_skb() :
      
      If ip6_setup_cork() returns an error, we might attempt a dst_release()
      on some random pointer.
      
      Fixes: 862c03ee ("ipv6: fix possible mem leaks in ipv6_make_skb()")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      95ef498d
    • M
      ipv6: fix udpv6 sendmsg crash caused by too small MTU · 749439bf
      Mike Maloney 提交于
      The logic in __ip6_append_data() assumes that the MTU is at least large
      enough for the headers.  A device's MTU may be adjusted after being
      added while sendmsg() is processing data, resulting in
      __ip6_append_data() seeing any MTU.  For an mtu smaller than the size of
      the fragmentation header, the math results in a negative 'maxfraglen',
      which causes problems when refragmenting any previous skb in the
      skb_write_queue, leaving it possibly malformed.
      
      Instead sendmsg returns EINVAL when the mtu is calculated to be less
      than IPV6_MIN_MTU.
      
      Found by syzkaller:
      kernel BUG at ./include/linux/skbuff.h:2064!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      task: ffff8801d0b68580 task.stack: ffff8801ac6b8000
      RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline]
      RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617
      RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216
      RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000
      RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0
      RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000
      R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8
      R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000
      FS:  00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       ip6_finish_skb include/net/ipv6.h:911 [inline]
       udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093
       udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363
       inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
       sock_sendmsg_nosec net/socket.c:633 [inline]
       sock_sendmsg+0xca/0x110 net/socket.c:643
       SYSC_sendto+0x352/0x5a0 net/socket.c:1750
       SyS_sendto+0x40/0x50 net/socket.c:1718
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      RIP: 0033:0x4512e9
      RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9
      RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005
      RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c
      R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69
      R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000
      Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba
      RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570
      RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NMike Maloney <maloney@google.com>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      749439bf
  8. 11 1月, 2018 8 次提交
    • S
      netfilter: nf_defrag: Skip defrag if NOTRACK is set · 902d6a4c
      Subash Abhinov Kasiviswanathan 提交于
      conntrack defrag is needed only if some module like CONNTRACK or NAT
      explicitly requests it. For plain forwarding scenarios, defrag is
      not needed and can be skipped if NOTRACK is set in a rule.
      
      Since conntrack defrag is currently higher priority than raw table,
      setting NOTRACK is not sufficient. We need to move raw to a higher
      priority for iptables only.
      
      This is achieved by introducing a module parameter "raw_before_defrag"
      which allows to change the priority of raw table to place it before
      defrag. By default, the parameter is disabled and the priority of raw
      table is NF_IP_PRI_RAW to support legacy behavior. If the module
      parameter is enabled, then the priority of the raw table is set to
      NF_IP_PRI_RAW_BEFORE_DEFRAG.
      Signed-off-by: NSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      902d6a4c
    • M
      ipv6: sr: fix TLVs not being copied using setsockopt · ccc12b11
      Mathieu Xhonneux 提交于
      Function ipv6_push_rthdr4 allows to add an IPv6 Segment Routing Header
      to a socket through setsockopt, but the current implementation doesn't
      copy possible TLVs at the end of the SRH received from userspace.
      
      Therefore, the execution of the following branch if (sr_has_hmac(sr_phdr))
      { ... } will never complete since the len and type fields of a possible
      HMAC TLV are not copied, hence seg6_get_tlv_hmac will return an error,
      and the HMAC will not be computed.
      
      This commit adds a memcpy in case TLVs have been appended to the SRH.
      
      Fixes: a149e7c7 ("ipv6: sr: add support for SRH injection through setsockopt")
      Acked-by: NDavid Lebrun <dlebrun@google.com>
      Signed-off-by: NMathieu Xhonneux <m.xhonneux@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ccc12b11
    • E
      ipv6: fix possible mem leaks in ipv6_make_skb() · 862c03ee
      Eric Dumazet 提交于
      ip6_setup_cork() might return an error, while memory allocations have
      been done and must be rolled back.
      
      Fixes: 6422398c ("ipv6: introduce ipv6_make_skb")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Vlad Yasevich <vyasevich@gmail.com>
      Reported-by: NMike Maloney <maloney@google.com>
      Acked-by: NMike Maloney <maloney@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      862c03ee
    • I
      ipv6: Add support for non-equal-cost multipath · 398958ae
      Ido Schimmel 提交于
      The use of hash-threshold instead of modulo-N makes it trivial to add
      support for non-equal-cost multipath.
      
      Instead of dividing the multipath hash function's output space equally
      between the nexthops, each nexthop is assigned a region size which is
      proportional to its weight.
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Acked-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      398958ae
    • I
      ipv6: Use hash-threshold instead of modulo-N · 3d709f69
      Ido Schimmel 提交于
      Now that each nexthop stores its region boundary in the multipath hash
      function's output space, we can use hash-threshold instead of modulo-N
      in multipath selection.
      
      This reduces the number of checks we need to perform during lookup, as
      dead and linkdown nexthops are assigned a negative region boundary. In
      addition, in contrast to modulo-N, only flows near region boundaries are
      affected when a nexthop is added or removed.
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Acked-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3d709f69
    • I
      ipv6: Use a 31-bit multipath hash · 7696c06a
      Ido Schimmel 提交于
      The hash thresholds assigned to IPv6 nexthops are in the range of
      [-1, 2^31 - 1], where a negative value is assigned to nexthops that
      should not be considered during multipath selection.
      
      Therefore, in a similar fashion to IPv4, we need to use the upper
      31-bits of the multipath hash for multipath selection.
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Acked-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7696c06a
    • I
      ipv6: Calculate hash thresholds for IPv6 nexthops · d7dedee1
      Ido Schimmel 提交于
      Before we convert IPv6 to use hash-threshold instead of modulo-N, we
      first need each nexthop to store its region boundary in the hash
      function's output space.
      
      The boundary is calculated by dividing the output space equally between
      the different active nexthops. That is, nexthops that are not dead or
      linkdown.
      
      The boundaries are rebalanced whenever a nexthop is added or removed to
      a multipath route and whenever a nexthop becomes active or inactive.
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Acked-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d7dedee1
    • A
      netfilter: improve flow table Kconfig dependencies · a0a97f2a
      Arnd Bergmann 提交于
      The newly added NF_FLOW_TABLE options cause some build failures in
      randconfig kernels:
      
      - when CONFIG_NF_CONNTRACK is disabled, or is a loadable module but
        NF_FLOW_TABLE is built-in:
      
        In file included from net/netfilter/nf_flow_table.c:8:0:
        include/net/netfilter/nf_conntrack.h:59:22: error: field 'ct_general' has incomplete type
          struct nf_conntrack ct_general;
        include/net/netfilter/nf_conntrack.h: In function 'nf_ct_get':
        include/net/netfilter/nf_conntrack.h:148:15: error: 'const struct sk_buff' has no member named '_nfct'
        include/net/netfilter/nf_conntrack.h: In function 'nf_ct_put':
        include/net/netfilter/nf_conntrack.h:157:2: error: implicit declaration of function 'nf_conntrack_put'; did you mean 'nf_ct_put'? [-Werror=implicit-function-declaration]
      
        net/netfilter/nf_flow_table.o: In function `nf_flow_offload_work_gc':
        (.text+0x1540): undefined reference to `nf_ct_delete'
      
      - when CONFIG_NF_TABLES is disabled:
      
        In file included from net/ipv6/netfilter/nf_flow_table_ipv6.c:13:0:
        include/net/netfilter/nf_tables.h: In function 'nft_gencursor_next':
        include/net/netfilter/nf_tables.h:1189:14: error: 'const struct net' has no member named 'nft'; did you mean 'nf'?
      
       - when CONFIG_NF_FLOW_TABLE_INET is enabled, but NF_FLOW_TABLE_IPV4
        or NF_FLOW_TABLE_IPV6 are not, or are loadable modules
      
        net/netfilter/nf_flow_table_inet.o: In function `nf_flow_offload_inet_hook':
        nf_flow_table_inet.c:(.text+0x94): undefined reference to `nf_flow_offload_ipv6_hook'
        nf_flow_table_inet.c:(.text+0x40): undefined reference to `nf_flow_offload_ip_hook'
      
      - when CONFIG_NF_FLOW_TABLES is disabled, but the other options are
        enabled:
      
        net/netfilter/nf_flow_table_inet.o: In function `nf_flow_offload_inet_hook':
        nf_flow_table_inet.c:(.text+0x6c): undefined reference to `nf_flow_offload_ipv6_hook'
        net/netfilter/nf_flow_table_inet.o: In function `nf_flow_inet_module_exit':
        nf_flow_table_inet.c:(.exit.text+0x8): undefined reference to `nft_unregister_flowtable_type'
        net/netfilter/nf_flow_table_inet.o: In function `nf_flow_inet_module_init':
        nf_flow_table_inet.c:(.init.text+0x8): undefined reference to `nft_register_flowtable_type'
        net/ipv4/netfilter/nf_flow_table_ipv4.o: In function `nf_flow_ipv4_module_exit':
        nf_flow_table_ipv4.c:(.exit.text+0x8): undefined reference to `nft_unregister_flowtable_type'
        net/ipv4/netfilter/nf_flow_table_ipv4.o: In function `nf_flow_ipv4_module_init':
        nf_flow_table_ipv4.c:(.init.text+0x8): undefined reference to `nft_register_flowtable_type'
      
      This adds additional Kconfig dependencies to ensure that NF_CONNTRACK and NF_TABLES
      are always visible from NF_FLOW_TABLE, and that the internal dependencies between
      the four new modules are met.
      
      Fixes: 7c23b629 ("netfilter: flow table support for the mixed IPv4/IPv6 family")
      Fixes: 09952107 ("netfilter: flow table support for IPv6")
      Fixes: 97add9f0 ("netfilter: flow table support for IPv4")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      a0a97f2a
  9. 10 1月, 2018 7 次提交
    • A
      netfilter: add IPv6 segment routing header 'srh' match · 202a8ff5
      Ahmed Abdelsalam 提交于
      It allows matching packets based on Segment Routing Header
      (SRH) information.
      The implementation considers revision 7 of the SRH draft.
      https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
      
      Currently supported match options include:
      (1) Next Header
      (2) Hdr Ext Len
      (3) Segments Left
      (4) Last Entry
      (5) Tag value of SRH
      Signed-off-by: NAhmed Abdelsalam <amsalam20@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      202a8ff5
    • W
      99eadf67
    • P
      netfilter: nf_tables: get rid of struct nft_af_info abstraction · 98319cb9
      Pablo Neira Ayuso 提交于
      Remove the infrastructure to register/unregister nft_af_info structure,
      this structure stores no useful information anymore.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      98319cb9
    • P
      netfilter: nf_tables: get rid of pernet families · dd4cbef7
      Pablo Neira Ayuso 提交于
      Now that we have a single table list for each netns, we can get rid of
      one pointer per family and the global afinfo list, thus, shrinking
      struct netns for nftables that now becomes 64 bytes smaller.
      
      And call __nft_release_afinfo() from __net_exit path accordingly to
      release netnamespace objects on removal.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      dd4cbef7
    • P
      netfilter: nf_tables: remove nhooks field from struct nft_af_info · fe19c04c
      Pablo Neira Ayuso 提交于
      We already validate the hook through bitmask, so this check is
      superfluous. When removing this, this patch is also fixing a bug in the
      new flowtable codebase, since ctx->afi points to the table family
      instead of the netdev family which is where the flowtable is really
      hooked in.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      fe19c04c
    • W
      ipv6: remove null_entry before adding default route · 4512c43e
      Wei Wang 提交于
      In the current code, when creating a new fib6 table, tb6_root.leaf gets
      initialized to net->ipv6.ip6_null_entry.
      If a default route is being added with rt->rt6i_metric = 0xffffffff,
      fib6_add() will add this route after net->ipv6.ip6_null_entry. As
      null_entry is shared, it could cause problem.
      
      In order to fix it, set fn->leaf to NULL before calling
      fib6_add_rt2node() when trying to add the first default route.
      And reset fn->leaf to null_entry when adding fails or when deleting the
      last default route.
      
      syzkaller reported the following issue which is fixed by this commit:
      
      WARNING: suspicious RCU usage
      4.15.0-rc5+ #171 Not tainted
      -----------------------------
      net/ipv6/ip6_fib.c:1702 suspicious rcu_dereference_protected() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      4 locks held by swapper/0/0:
       #0:  ((&net->ipv6.ip6_fib_timer)){+.-.}, at: [<00000000d43f631b>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
       #0:  ((&net->ipv6.ip6_fib_timer)){+.-.}, at: [<00000000d43f631b>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1310
       #1:  (&(&net->ipv6.fib6_gc_lock)->rlock){+.-.}, at: [<000000002ff9d65c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
       #1:  (&(&net->ipv6.fib6_gc_lock)->rlock){+.-.}, at: [<000000002ff9d65c>] fib6_run_gc+0x9d/0x3c0 net/ipv6/ip6_fib.c:2007
       #2:  (rcu_read_lock){....}, at: [<0000000091db762d>] __fib6_clean_all+0x0/0x3a0 net/ipv6/ip6_fib.c:1560
       #3:  (&(&tb->tb6_lock)->rlock){+.-.}, at: [<000000009e503581>] spin_lock_bh include/linux/spinlock.h:315 [inline]
       #3:  (&(&tb->tb6_lock)->rlock){+.-.}, at: [<000000009e503581>] __fib6_clean_all+0x1d0/0x3a0 net/ipv6/ip6_fib.c:1948
      
      stack backtrace:
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.15.0-rc5+ #171
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:53
       lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
       fib6_del+0xcaa/0x11b0 net/ipv6/ip6_fib.c:1701
       fib6_clean_node+0x3aa/0x4f0 net/ipv6/ip6_fib.c:1892
       fib6_walk_continue+0x46c/0x8a0 net/ipv6/ip6_fib.c:1815
       fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1863
       fib6_clean_tree+0x1e6/0x340 net/ipv6/ip6_fib.c:1933
       __fib6_clean_all+0x1f4/0x3a0 net/ipv6/ip6_fib.c:1949
       fib6_clean_all net/ipv6/ip6_fib.c:1960 [inline]
       fib6_run_gc+0x16b/0x3c0 net/ipv6/ip6_fib.c:2016
       fib6_gc_timer_cb+0x20/0x30 net/ipv6/ip6_fib.c:2033
       call_timer_fn+0x228/0x820 kernel/time/timer.c:1320
       expire_timers kernel/time/timer.c:1357 [inline]
       __run_timers+0x7ee/0xb70 kernel/time/timer.c:1660
       run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1686
       __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
       invoke_softirq kernel/softirq.c:365 [inline]
       irq_exit+0x1cc/0x200 kernel/softirq.c:405
       exiting_irq arch/x86/include/asm/apic.h:540 [inline]
       smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
       apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:904
       </IRQ>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Fixes: 66f5d6ce ("ipv6: replace rwlock with rcu and spinlock in fib6_table")
      Signed-off-by: NWei Wang <weiwan@google.com>
      Acked-by: NMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4512c43e
    • C
      ipv6: use ARRAY_SIZE for array sizing calculation on array seg6_action_table · 709af180
      Colin Ian King 提交于
      Use the ARRAY_SIZE macro on array seg6_action_table to determine size of
      the array. Improvement suggested by coccinelle.
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      709af180
  10. 09 1月, 2018 10 次提交
新手
引导
客服 返回
顶部