1. 10 Sep, 2018 2 commits
    • netfilter: conntrack: timeout interface depend on CONFIG_NF_CONNTRACK_TIMEOUT · a874752a
      Pablo Neira Ayuso authored
      Now that cttimeout support for nft_ct is in place, these should depend
      on CONFIG_NF_CONNTRACK_TIMEOUT; otherwise we can crash when dumping the
      policy if this option is not enabled.
      
      [   71.600121] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
      [...]
      [   71.600141] CPU: 3 PID: 7612 Comm: nft Not tainted 4.18.0+ #246
      [...]
      [   71.600188] Call Trace:
      [   71.600201]  ? nft_ct_timeout_obj_dump+0xc6/0xf0 [nft_ct]
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: conntrack: reset tcp maxwin on re-register · f94e6380
      Florian Westphal authored
      Doug Smythies says:
        Sometimes it is desirable to temporarily disable, or clear,
        the iptables rule set on a computer being controlled via a
        secure shell session (SSH). While unwise on an internet facing
        computer, I also do it often on non-internet accessible computers
        while testing. Recently, this has become problematic, with the
        SSH session being dropped upon re-load of the rule set.
      
      The problem is that when all rules are deleted, conntrack hooks get
      unregistered.
      
      In case the rules are re-added later, it's possible that the tcp window
      has moved far enough so that all packets are considered invalid (out of
      window) until entry expires (which can take forever, default
      established timeout is 5 days).
      
      Fix this by clearing maxwin of existing tcp connections on register.
      
      v2: don't touch entries on hook removal.
      v3: remove obsolete expiry check.
      Reported-by: Doug Smythies <dsmythies@telus.net>
      Fixes: 4d3a57f2 ("netfilter: conntrack: do not enable connection tracking unless needed")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 31 Aug, 2018 2 commits
    • netfilter: nf_tables: release chain in flushing set · 7acfda53
      Taehee Yoo authored
      When an element of a verdict map is deleted, the delete routine should
      release the chain. However, the flush-element routine of a verdict map
      doesn't release the chain.
      
      test commands:
         %nft add table ip filter
         %nft add chain ip filter c1
         %nft add map ip filter map1 { type ipv4_addr : verdict \; }
         %nft add element ip filter map1 { 1 : jump c1 }
         %nft flush map ip filter map1
         %nft flush ruleset
      
      splat looks like:
      [ 4895.170899] kernel BUG at net/netfilter/nf_tables_api.c:1415!
      [ 4895.178114] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [ 4895.178880] CPU: 0 PID: 1670 Comm: nft Not tainted 4.18.0+ #55
      [ 4895.178880] RIP: 0010:nf_tables_chain_destroy.isra.28+0x39/0x220 [nf_tables]
      [ 4895.178880] Code: fc ff df 53 48 89 fb 48 83 c7 50 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 09 3c 03 7f 05 e8 3e 4c 25 e1 8b 43 50 85 c0 74 02 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02
      [ 4895.228342] RSP: 0018:ffff88010b98f4c0 EFLAGS: 00010202
      [ 4895.234841] RAX: 0000000000000001 RBX: ffff8801131c6968 RCX: ffff8801146585b0
      [ 4895.234841] RDX: 1ffff10022638d37 RSI: ffff8801191a9348 RDI: ffff8801131c69b8
      [ 4895.234841] RBP: ffff8801146585a8 R08: 1ffff1002323526a R09: 0000000000000000
      [ 4895.234841] R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200
      [ 4895.234841] R13: dead000000000100 R14: ffffffffa3638af8 R15: dffffc0000000000
      [ 4895.234841] FS:  00007f6d188e6700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
      [ 4895.234841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 4895.234841] CR2: 00007ffe72b8df88 CR3: 000000010e2d4000 CR4: 00000000001006f0
      [ 4895.234841] Call Trace:
      [ 4895.234841]  nf_tables_commit+0x2704/0x2c70 [nf_tables]
      [ 4895.234841]  ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
      [ 4895.234841]  ? nf_tables_setelem_notify.constprop.48+0x1a0/0x1a0 [nf_tables]
      [ 4895.323824]  ? __lock_is_held+0x9d/0x130
      [ 4895.323824]  ? kasan_unpoison_shadow+0x30/0x40
      [ 4895.333299]  ? kasan_kmalloc+0xa9/0xc0
      [ 4895.333299]  ? kmem_cache_alloc_trace+0x2c0/0x310
      [ 4895.333299]  ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
      [ 4895.333299]  nfnetlink_rcv_batch+0xdb9/0x11b0 [nfnetlink]
      [ 4895.333299]  ? debug_show_all_locks+0x290/0x290
      [ 4895.333299]  ? nfnetlink_net_init+0x150/0x150 [nfnetlink]
      [ 4895.333299]  ? sched_clock_cpu+0xe5/0x170
      [ 4895.333299]  ? sched_clock_local+0xff/0x130
      [ 4895.333299]  ? sched_clock_cpu+0xe5/0x170
      [ 4895.333299]  ? find_held_lock+0x39/0x1b0
      [ 4895.333299]  ? sched_clock_local+0xff/0x130
      [ 4895.333299]  ? memset+0x1f/0x40
      [ 4895.333299]  ? nla_parse+0x33/0x260
      [ 4895.333299]  ? ns_capable_common+0x6e/0x110
      [ 4895.333299]  nfnetlink_rcv+0x2c0/0x310 [nfnetlink]
      [ ... ]
      
      Fixes: 59105446 ("netfilter: nf_tables: revisit chain/object refcounting from elements")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: kconfig: nat related expression depend on nftables core · e0758412
      Florian Westphal authored
      NF_TABLES_IPV4 is now boolean so it is possible to set
      
      NF_TABLES=m
      NF_TABLES_IPV4=y
      NFT_CHAIN_NAT_IPV4=y
      
      which causes:
      nft_chain_nat_ipv4.c:(.text+0x6d): undefined reference to `nft_do_chain'
      
      Wrap NFT_CHAIN_NAT_IPV4 and related nat expressions with NF_TABLES to
      restore the dependency.
      Reported-by: Randy Dunlap <rdunlap@infradead.org>
      Fixes: 02c7b25e ("netfilter: nf_tables: build-in filter chain type")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Acked-by: Randy Dunlap <rdunlap@infradead.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  3. 29 Aug, 2018 2 commits
    • netfilter: nf_tables: rework ct timeout set support · 0434ccdc
      Florian Westphal authored
      Using a private template is problematic:
      
      1. We can't assign both a zone and a timeout policy
         (zone assigns a conntrack template, so we hit problem 1)
      2. Using a template needs to take care of ct refcount, else we'll
         eventually free the private template due to ->use underflow.
      
      This patch reworks template policy to instead work with existing conntrack.
      
      As long as such conntrack has not yet been placed into the hash table
      (unconfirmed) we can still add the timeout extension.
      
      The only caveat is that we now need to update/correct ct->timeout to
      reflect the initial/new state, otherwise the conntrack entry retains the
      default 'new' timeout.
      
      Side effect of this change is that setting the policy must
      now occur from chains that are evaluated *after* the conntrack lookup
      has taken place.
      
      No released kernel contains the timeout policy feature yet, so this change
      should be ok.
      
      Changes since v2:
       - don't handle 'ct is confirmed case'
       - after previous patch, no need to special-case tcp/dccp/sctp timeout
         anymore
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: conntrack: place 'new' timeout in first location too · ef39078d
      Florian Westphal authored
      tcp, sctp and dccp trackers re-use the userspace ctnetlink states
      to index their timeout arrays, which means timeout[0] is never
      used.  Copy the 'new' state (syn-sent, dccp-request, ..) to 0 as well
      so external users can simply read it off timeouts[0] without need to
      differentiate dccp/sctp/tcp and udp/icmp/gre/generic.
      
      The alternative is to map all array accesses to 'i - 1', but that
      is a much more intrusive change.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  4. 24 Aug, 2018 1 commit
  5. 23 Aug, 2018 22 commits
  6. 21 Aug, 2018 11 commits