1. 18 May, 2017 1 commit
  2. 16 May, 2017 1 commit
    • ebtables: arpreply: Add the standard target sanity check · c953d635
      Gao Feng authored
      The info->target comes from userspace and it would be used directly.
      So we need to add the sanity check to make sure it is a valid standard
      target, although the ebtables tool has already checked it. Kernel needs
      to validate anything coming from userspace.
      
      If the target is set to an evil value, it would break ebtables and
      cause a panic, because a non-standard target is treated as an
      offset.
      
      Now add one helper function ebt_invalid_target, and we would replace
      the macro INVALID_TARGET later.
      Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
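The validation the commit above describes, as an added illustration rather than the kernel's own code: the standard ebtables verdicts are assumed to be the four negative values defined below, and a non-negative target is assumed to be interpreted as a jump offset into the chain table, which is why an unchecked value can send the evaluator out of bounds. The struct and function names are hypothetical and chosen to mirror the commit's description of the `ebt_invalid_target` helper replacing the `INVALID_TARGET` macro.

```c
#include <errno.h>
#include <stdbool.h>

/* Added illustration, not the kernel's code. The ebtables standard verdicts
 * are assumed to be the negative values below; a non-negative target is
 * assumed to be interpreted as a jump offset into the chain table. */
#define EBT_ACCEPT   (-1)
#define EBT_DROP     (-2)
#define EBT_CONTINUE (-3)
#define EBT_RETURN   (-4)
#define NUM_STANDARD_TARGETS 4

/* Hypothetical shape of the userspace-supplied target info. */
struct arpreply_info_example {
	int target;
};

/* Typed helper standing in for the INVALID_TARGET macro: true when
 * 'target' is not one of the four standard verdicts, i.e. it is either
 * below the lowest verdict or non-negative (and so would be read as an
 * offset). */
static inline bool ebt_invalid_target_example(int target)
{
	return target < -NUM_STANDARD_TARGETS || target >= 0;
}

/* checkentry-style validation: reject the rule before the target is ever
 * used, regardless of what the userspace tool already checked.
 * Returns 0 on success, -EINVAL when the target is out of range. */
int arpreply_check_example(const struct arpreply_info_example *info)
{
	if (ebt_invalid_target_example(info->target))
		return -EINVAL;
	return 0;
}

/* Convenience wrapper taking the raw target value. */
int arpreply_check_target_example(int target)
{
	struct arpreply_info_example info = { .target = target };
	return arpreply_check_example(&info);
}
```

The check belongs in the target's checkentry path so that a crafted netlink or setsockopt payload is refused at rule-load time, before the value is dereferenced during packet evaluation.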
  3. 15 May, 2017 10 commits
    • netfilter: nf_tables: revisit chain/object refcounting from elements · 59105446
      Pablo Neira Ayuso authored
      Andreas reports that the following incremental update using our commit
      protocol doesn't work.
      
       # nft -f incremental-update.nft
       delete element ip filter client_to_any { 10.180.86.22 : goto CIn_1 }
       delete chain ip filter CIn_1
       ... Error: Could not process rule: Device or resource busy
      
      The existing code is not well-integrated into the commit phase protocol,
      since element deletions do not result in refcount decrement from the
      preparation phase. This results in bogus EBUSY errors like the one
      above.
      
      Two new functions come with this patch:
      
      * nft_set_elem_activate() function is used from the abort path, to
        restore the set element refcounting on objects that occurred from
        the preparation phase.
      
      * nft_set_elem_deactivate() that is called from nft_del_setelem() to
        decrement set element refcounting on objects from the preparation
        phase in the commit protocol.
      
      The nft_data_uninit() has been renamed to nft_data_release() since this
      function does not uninitialize any data store in the data register,
      instead just releases the references to objects. Moreover, a new
      function nft_data_hold() has been introduced to be used from
      nft_set_elem_activate().
      Reported-by: Andreas Schultz <aschultz@tpip.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: missing sanitization in data from userspace · 71df14b0
      Pablo Neira Ayuso authored
      Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and
      cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it
      is still possible to handcraft a netlink message using this incorrect
      data type.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: can't assume lock is acquired when dumping set elems · fa803605
      Liping Zhang authored
      When dumping the elements related to a specified set, we may invoke the
      nf_tables_dump_set with the NFNL_SUBSYS_NFTABLES lock not acquired. So
      we should use the proper rcu operation to avoid race condition, just
      like other nft dump operations.
      Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: synproxy: fix conntrackd interaction · 87e94dbc
      Eric Leblond authored
      This patch fixes the creation of connection tracking entry from
      netlink when synproxy is used. It was missing the addition of
      the synproxy extension.
      
      This was causing kernel crashes when a conntrack entry created by
      conntrackd was used after the switch of traffic from active node
      to the passive node.
      Signed-off-by: Eric Leblond <eric@regit.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: xtables: zero padding in data_to_user · 324318f0
      Willem de Bruijn authored
      When looking up an iptables rule, the iptables binary compares the
      aligned match and target data (XT_ALIGN). In some cases this can
      exceed the actual data size to include padding bytes.
      
      Before commit f77bc5b2 ("iptables: use match, target and data
      copy_to_user helpers") the malloc()ed bytes were overwritten by the
      kernel with kzalloced contents, zeroing the padding and making the
      comparison succeed. After this patch, the kernel copies and clears
      only data, leaving the padding bytes undefined.
      
      Extend the clear operation from data size to aligned data size to
      include the padding bytes, if any.
      
      Padding bytes can be observed in both match and target, and the bug
      triggered, by issuing a rule with match icmp and target ACCEPT:
      
        iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
        iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
      
      Fixes: f77bc5b2 ("iptables: use match, target and data copy_to_user helpers")
      Reported-by: Paul Moore <pmoore@redhat.com>
      Reported-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
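A user-space model of the padding problem described in the commit above, added here as an illustration and not taken from the kernel or the iptables binary. It assumes an XT_ALIGN alignment of 8 bytes (as on x86_64), models `copy_to_user` with `memcpy`/`memset` into a caller-supplied buffer, and contrasts the pre-fix clear (only up to the data size) with the post-fix clear (up to the aligned size). All function and macro names are hypothetical; the 5-byte match payload and the `0xAA` stale buffer contents are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed alignment of 8, standing in for XT_ALIGN on a 64-bit host. */
#define XT_ALIGN_EXAMPLE(s) (((s) + 7u) & ~(size_t)7u)

/* Pre-fix behaviour (model): copy 'usersize' bytes of 'src' into the user
 * buffer 'dst' and clear only the remainder up to 'size'. Bytes between
 * 'size' and XT_ALIGN(size) are left as whatever 'dst' already held. */
void data_to_user_before(uint8_t *dst, const uint8_t *src,
                         size_t usersize, size_t size)
{
	memcpy(dst, src, usersize);
	memset(dst + usersize, 0, size - usersize);
}

/* Post-fix behaviour (model): clear up to the aligned size so the padding
 * bytes are defined (zero) as well. */
void data_to_user_after(uint8_t *dst, const uint8_t *src,
                        size_t usersize, size_t size)
{
	size_t aligned = XT_ALIGN_EXAMPLE(size);

	memcpy(dst, src, usersize);
	memset(dst + usersize, 0, aligned - usersize);
}

/* What the rule lookup in the iptables binary does (model): compare the
 * aligned match/target data, padding included. */
bool aligned_compare(const uint8_t *a, const uint8_t *b, size_t size)
{
	return memcmp(a, b, XT_ALIGN_EXAMPLE(size)) == 0;
}

/* Constructed scenario: 5 bytes of match data, so XT_ALIGN(5) == 8 and
 * three padding bytes exist. The buffer handed to the kernel starts out
 * holding stale heap contents (0xAA), as malloc()ed memory may; the
 * reference copy the binary built itself is fully zeroed first.
 * Returns true when the lookup would find the rule. */
bool padding_demo(bool fixed)
{
	const uint8_t kernel_data[5] = { 1, 2, 3, 4, 5 };
	uint8_t user_buf[8];
	uint8_t ref_buf[8];

	memset(user_buf, 0xAA, sizeof user_buf);
	memset(ref_buf, 0, sizeof ref_buf);
	memcpy(ref_buf, kernel_data, sizeof kernel_data);

	if (fixed)
		data_to_user_after(user_buf, kernel_data, 5, 5);
	else
		data_to_user_before(user_buf, kernel_data, 5, 5);

	return aligned_compare(user_buf, ref_buf, 5);
}
```

The point of the model is the comparison length: once the consumer compares `XT_ALIGN(size)` bytes, every byte in that range must be defined by the producer, so the clear has to cover the aligned size rather than the nominal data size.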
    • Merge tag 'ipvs-fixes-for-v4.12' of http://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs · ff1e4300
      Pablo Neira Ayuso authored
      Simon Horman says:
      
      ====================
      IPVS Fixes for v4.12
      
      please consider this fix to IPVS for v4.12.
      
      * It is a fix from Julian Anastasov to SNAT packet replies only for
        NATed connections
      
      My understanding is that this fix is appropriate for 4.9.25, 4.10.13, 4.11
      as well as the nf tree. Julian has separately posted backports for other
      -stable kernels; please see:
      
      * [PATCH 3.2.88,3.4.113 -stable 1/3] ipvs: SNAT packet replies only for
              NATed connections
      * [PATCH 3.10.105,3.12.73,3.16.43,4.1.39 -stable 2/3] ipvs: SNAT packet
              replies only for NATed connections
      * [PATCH 4.4.65 -stable 3/3] ipvs: SNAT packet replies only for NATed
              connections
      ====================
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nfnl_cthelper: reject del request if helper obj is in use · 9338d7b4
      Liping Zhang authored
      We can still delete the ct helper even if it is in use; this will cause
      a use-after-free error. In more detail, I mean:
        # nfct helper add ssdp inet udp
        # iptables -t raw -A OUTPUT -p udp -j CT --helper ssdp
        # nfct helper delete ssdp //--> oops, succeed!
        BUG: unable to handle kernel paging request at 000026ca
        IP: 0x26ca
        [...]
        Call Trace:
         ? ipv4_helper+0x62/0x80 [nf_conntrack_ipv4]
         nf_hook_slow+0x21/0xb0
         ip_output+0xe9/0x100
         ? ip_fragment.constprop.54+0xc0/0xc0
         ip_local_out+0x33/0x40
         ip_send_skb+0x16/0x80
         udp_send_skb+0x84/0x240
         udp_sendmsg+0x35d/0xa50
      
      So add a reference count to fix this issue: if the ct helper is used by
      others, reject the delete request.
      
      Apply this patch:
        # nfct helper delete ssdp
        nfct v1.4.3: netlink error: Device or resource busy
      Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: introduce nf_conntrack_helper_put helper function · d91fc59c
      Liping Zhang authored
      And convert the module_put invocation to nf_conntrack_helper_put; this
      is preparation for the follow-up patch, which will add a refcnt for
      cthelper so we can reject the delete request when the cthelper is in use.
      Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: don't setup nat info for confirmed ct · d110a394
      Liping Zhang authored
      We cannot set up nat info if the ct has been confirmed already;
      otherwise, different cpus may race to handle the same ct. In extreme
      situations, we may hit the "BUG_ON(nf_nat_initialized(ct, maniptype))"
      in nf_nat_setup_info.
      
      Also running the following commands will easily hit NF_CT_ASSERT in
      nf_conntrack_alter_reply:
        # nft flush ruleset
        # ping -c 2 -W 1 1.1.1.111 &
        # nft add table t
        # nft add chain t c {type nat hook postrouting priority 0 \;}
        # nft add rule t c snat to 4.5.6.7
        WARNING: CPU: 1 PID: 10065 at net/netfilter/nf_conntrack_core.c:1472
        nf_conntrack_alter_reply+0x9a/0x1a0 [nf_conntrack]
        [...]
        Call Trace:
         nf_nat_setup_info+0xad/0x840 [nf_nat]
         ? deactivate_slab+0x65d/0x6c0
         nft_nat_eval+0xcd/0x100 [nft_nat]
         nft_do_chain+0xff/0x5d0 [nf_tables]
         ? mark_held_locks+0x6f/0xa0
         ? __local_bh_enable_ip+0x70/0xa0
         ? trace_hardirqs_on_caller+0x11f/0x190
         ? ipt_do_table+0x310/0x610
         ? trace_hardirqs_on+0xd/0x10
         ? __local_bh_enable_ip+0x70/0xa0
         ? ipt_do_table+0x32b/0x610
         ? __lock_acquire+0x2ac/0x1580
         ? ipt_do_table+0x32b/0x610
         nft_nat_do_chain+0x65/0x80 [nft_chain_nat_ipv4]
         nf_nat_ipv4_fn+0x1ae/0x240 [nf_nat_ipv4]
         nf_nat_ipv4_out+0x4a/0xf0 [nf_nat_ipv4]
         nft_nat_ipv4_out+0x15/0x20 [nft_chain_nat_ipv4]
         nf_hook_slow+0x2c/0xf0
         ip_output+0x154/0x270
      
      So for the confirmed ct, just ignore it and return NF_ACCEPT.
      
      Fixes: 9a08ecfe ("netfilter: don't attach a nat extension by default")
      Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
      Acked-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch · a2b7cbdd
      Matthias Kaehlcke authored
      Not all parameters passed to ctnetlink_parse_tuple() and
      ctnetlink_exp_dump_tuple() match the enum type in the signatures of these
      functions. Since this is intended, change the argument type to be an
      unsigned integer value.
      Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  4. 12 May, 2017 22 commits
  5. 11 May, 2017 6 commits