[PATCH nf-next 08/11] netfilter: compat: prepare xt_compat_init_offsets to return errors

2018-02-27 Thread Florian Westphal
Should have no impact; the function still always returns 0. This patch is only to ease review. Signed-off-by: Florian Westphal --- include/linux/netfilter/x_tables.h | 2 +- net/bridge/netfilter/ebtables.c| 10 -- net/ipv4/netfilter/arp_tables.c| 10 +++--- net/ipv4/netfilter/ip

[PATCH nf-next 07/11] netfilter: x_tables: add counters allocation wrapper

2018-02-27 Thread Florian Westphal
Allows having size checks in a single spot. This is supposed to reduce oom situations when fuzz-testing xtables. Signed-off-by: Florian Westphal --- include/linux/netfilter/x_tables.h | 1 + net/ipv4/netfilter/arp_tables.c| 2 +- net/ipv4/netfilter/ip_tables.c | 2 +- net/ipv6/netfil

[PATCH nf-next 11/11] netfilter: x_tables: ensure last rule in base chain matches underflow/policy

2018-02-27 Thread Florian Westphal
Harmless from kernel point of view, but again iptables assumes that this is true when decoding ruleset coming from kernel. If a (syzkaller generated) ruleset doesn't have the underflow/policy stored as the last rule in the base chain, then iptables will abort() because it doesn't find the chain po

[PATCH nf-next 10/11] netfilter: x_tables: make sure compat af mutex is held

2018-02-27 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/netfilter/x_tables.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 33724b08b8f0..7521e8a72c06 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -582,6 +582,8 @@ int

[PATCH nf-next 09/11] netfilter: compat: reject huge allocation requests

2018-02-27 Thread Florian Westphal
No need to bother even trying to allocate huge compat offset arrays; such a ruleset is rejected later on anyway because we refuse to allocate overly large rule blobs. However, compat translation happens before blob allocation, so we should add a check there too. This is supposed to help with fuzzi

[PATCH nf-next 05/11] netfilter: x_tables: cap allocations at 512 mbyte

2018-02-27 Thread Florian Westphal
Arbitrary limit; however, this still allows huge rulesets (> 1 million rules). This helps with automated fuzzers as it prevents oom-killer invocation. Signed-off-by: Florian Westphal --- net/netfilter/x_tables.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/

[PATCH nf-next 06/11] netfilter: x_tables: limit allocation requests for blob rule heads

2018-02-27 Thread Florian Westphal
This is a very conservative limit (134217728 rules), but good enough to not trigger frequent oom from syzkaller. Signed-off-by: Florian Westphal --- net/netfilter/x_tables.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index dc68ac496

[PATCH nf-next 03/11] netfilter: x_tables: move hook entry checks into core

2018-02-27 Thread Florian Westphal
Allow a followup patch to change one location instead of three. Signed-off-by: Florian Westphal --- include/linux/netfilter/x_tables.h | 2 ++ net/ipv4/netfilter/arp_tables.c| 13 +++-- net/ipv4/netfilter/ip_tables.c | 13 +++-- net/ipv6/netfilter/ip6_tables.c| 13 +++--

[PATCH nf-next 04/11] netfilter: x_tables: enforce unique and ascending entry points

2018-02-27 Thread Florian Westphal
Harmless from kernel point of view, but iptables assumes that this is true when decoding a ruleset. iptables walks the dumped blob from kernel, and, for each entry that creates a new chain it prints out rule/chain information. Base chains (hook entry points) are thus only shown when they appear in
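As an added illustration of the "unique and ascending entry points" rule in this patch description (this is example code written for this page, not the kernel patch itself), the following user-space C function checks a table's hook_entry/underflow arrays the way the description implies: for every hook enabled in valid_hooks, both offsets must be set and strictly greater than those of the previously enabled hook, which also makes them unique. The five-hook layout, the 0xFFFFFFFF "unset" marker, the in-range check against the blob size, and the sample tables are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Five netfilter hooks (PRE_ROUTING .. POST_ROUTING), as in the IPv4 tables.
 * Assumption: offsets of hooks not enabled in valid_hooks are 0xFFFFFFFF. */
#define NF_INET_NUMHOOKS 5
#define XT_HOOK_UNSET    0xFFFFFFFFu

struct hook_layout {
    unsigned int valid_hooks;                  /* bitmask of enabled hooks */
    unsigned int hook_entry[NF_INET_NUMHOOKS]; /* offset of first rule per hook */
    unsigned int underflow[NF_INET_NUMHOOKS];  /* offset of policy rule per hook */
    unsigned int size;                         /* total size of the rule blob */
};

/* Returns true when every enabled hook has both offsets set, inside the blob,
 * and both arrays are strictly ascending across enabled hooks (hence unique).
 * Mirrors the rule described in the patch text; not the kernel's own code. */
bool hook_layout_ok(const struct hook_layout *t)
{
    unsigned int prev_entry = 0, prev_uflow = 0;
    bool have_prev = false;

    for (unsigned int i = 0; i < NF_INET_NUMHOOKS; i++) {
        if (!(t->valid_hooks & (1u << i)))
            continue;
        if (t->hook_entry[i] == XT_HOOK_UNSET || t->underflow[i] == XT_HOOK_UNSET)
            return false;                      /* enabled hook without entry points */
        if (t->hook_entry[i] >= t->size || t->underflow[i] >= t->size)
            return false;                      /* offset beyond the blob (assumed check) */
        if (have_prev) {
            if (t->hook_entry[i] <= prev_entry)
                return false;                  /* duplicate or unsorted entry */
            if (t->underflow[i] <= prev_uflow)
                return false;                  /* duplicate or unsorted underflow */
        }
        prev_entry = t->hook_entry[i];
        prev_uflow = t->underflow[i];
        have_prev = true;
    }
    return true;
}

/* Constructed samples (not real kernel dumps): 0 = well-formed filter-like
 * table with INPUT/FORWARD/OUTPUT, 1 = OUTPUT placed before FORWARD (unsorted),
 * 2 = OUTPUT duplicates FORWARD's offsets, 3 = enabled hook left unset,
 * 4 = entry offset past the end of the blob. */
bool sample_ok(int which)
{
    struct hook_layout t = {
        .valid_hooks = (1u << 1) | (1u << 2) | (1u << 3),
        .hook_entry  = { XT_HOOK_UNSET, 0, 152, 304, XT_HOOK_UNSET },
        .underflow   = { XT_HOOK_UNSET, 0, 152, 304, XT_HOOK_UNSET },
        .size        = 608,
    };

    switch (which) {
    case 1: t.hook_entry[3] = 100; t.underflow[3] = 100; break;
    case 2: t.hook_entry[3] = 152; t.underflow[3] = 152; break;
    case 3: t.hook_entry[2] = XT_HOOK_UNSET; break;
    case 4: t.hook_entry[3] = 700; break;
    default: break;
    }
    return hook_layout_ok(&t);
}

int main(void)
{
    for (int i = 0; i <= 4; i++)
        printf("sample %d: %s\n", i, sample_ok(i) ? "ok" : "rejected");
    return 0;
}
```

Only sample 0 passes; each of the others trips exactly one of the conditions, which is the kind of malformed blob the description says iptables(8) would otherwise fail to render.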

[PATCH nf-next 02/11] netfilter: x_tables: check error target size too

2018-02-27 Thread Florian Westphal
Check that the userspace ERROR target (custom user-defined chains) matches the expected format, and that the chain name is null terminated. This is irrelevant for the kernel, but iptables itself relies on sane input when it dumps rules from the kernel. Signed-off-by: Florian Westphal --- net/netfilter/x_tables.c | 23

[PATCH nf-next 01/11] netfilter: x_tables: check standard verdicts in core

2018-02-27 Thread Florian Westphal
Userspace must provide a valid verdict to the standard target. The verdict can be either a jump (signed int > 0) or a return code. Allowed return codes are RETURN (pop from stack), NF_ACCEPT, DROP and QUEUE (the latter is allowed for legacy reasons). Jump offsets (verdict > 0) are checked in
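The verdict encoding described here, as an added example that is not the patch's own code: in the xtables blob a standard-target verdict greater than zero is a jump offset, and a non-jump verdict v is stored as -v - 1 (so ACCEPT is -2, DROP is -1, QUEUE is -4, and RETURN is -NF_REPEAT - 1 = -5). The user-space C below applies exactly the allow-list from the description and decodes a few constructed verdict values; the NF_* constants are the ones from <linux/netfilter.h>, copied here so it builds without kernel headers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Netfilter verdict codes, values as in <linux/netfilter.h>. */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE  3
#define NF_REPEAT 4

/* Standard-target encoding as in <linux/netfilter/x_tables.h>:
 * a non-jump verdict v is stored as -v - 1; RETURN is -NF_REPEAT - 1. */
#define XT_RETURN (-NF_REPEAT - 1)

/* Accept only what the patch description allows: a jump, RETURN, or one of
 * ACCEPT/DROP/QUEUE. Everything else (0, STOLEN, out-of-range) is rejected.
 * Example re-implementation, not the kernel's code. */
bool xt_verdict_ok(int verdict)
{
    if (verdict > 0)               /* jump; the offset itself is range-checked elsewhere */
        return true;
    if (verdict == 0)              /* encodes nothing meaningful */
        return false;
    if (verdict == XT_RETURN)      /* pop from the chain stack */
        return true;

    switch (-verdict - 1) {
    case NF_ACCEPT:
    case NF_DROP:
    case NF_QUEUE:                 /* legacy, still permitted */
        return true;
    default:                       /* NF_STOLEN, or a value no target may set */
        return false;
    }
}

/* Human-readable decode, useful when dumping a suspicious blob. */
const char *xt_verdict_name(int verdict)
{
    if (verdict > 0)
        return "jump";
    if (verdict == XT_RETURN)
        return "RETURN";
    switch (-verdict - 1) {
    case NF_ACCEPT: return "ACCEPT";
    case NF_DROP:   return "DROP";
    case NF_QUEUE:  return "QUEUE";
    default:        return "invalid";
    }
}

/* Count how many verdicts in a constructed rule blob would be rejected. */
unsigned int count_invalid(const int *verdicts, unsigned int n)
{
    unsigned int bad = 0;
    for (unsigned int i = 0; i < n; i++)
        if (!xt_verdict_ok(verdicts[i]))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed sample, not a real dump: two good rules, a jump, then
     * STOLEN, zero and an out-of-range value that a fuzzer might emit. */
    const int sample[] = { -NF_ACCEPT - 1, -NF_DROP - 1, 152, XT_RETURN,
                           -NF_STOLEN - 1, 0, -100 };
    const unsigned int n = sizeof(sample) / sizeof(sample[0]);

    for (unsigned int i = 0; i < n; i++)
        printf("verdict %4d: %-7s %s\n", sample[i], xt_verdict_name(sample[i]),
               xt_verdict_ok(sample[i]) ? "ok" : "rejected");
    printf("%u of %u rejected\n", count_invalid(sample, n), n);
    return 0;
}
```

The important property is that the check lives in one place: a verdict that slips past it would be stored in the ruleset and only fail later, when iptables(8) tries to decode the dumped blob.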

[PATCH nf-next 00/11] netfilter: x_tables: add more checks on rule blob format

2018-02-27 Thread Florian Westphal
syzkaller managed to trigger various interesting features, such as the ability to create rulesets that can't be shown with iptables(8). These patches add more checks/restrictions to the x_tables validation of the blob coming in from userspace. In particular: 1. check error target name is null-termina

Re: [nft] nftables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-02-27 Thread Florian Westphal
Ahmed Abdelsalam wrote: > > Ahmed Abdelsalam wrote: > > > Type 0 and 2 of the IPv6 Routing extension header are not handled > > > properly by exthdr_init_raw() in src/exthdr.c > > > > > > In order to fix the bug, we extended the "enum nft_exthdr_op" to > > > differentiate between rt, rt0, and rt

Re: [nft] nftables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-02-27 Thread Ahmed Abdelsalam
Hi Florian, On Tue, 27 Feb 2018 17:33:53 +0100 Florian Westphal wrote: > Ahmed Abdelsalam wrote: > > Type 0 and 2 of the IPv6 Routing extension header are not handled > > properly by exthdr_init_raw() in src/exthdr.c > > > > In order to fix the bug, we extended the "enum nft_exthdr_op" to > >

[PATCH nf] netfilter: nf_tables: use the right index from flowtable error path

2018-02-27 Thread Pablo Neira Ayuso
Use the right loop index, not the number of devices in the array that we need to remove; the following message uncovered the problem: [ 5437.044119] hook not found, pf 5 num 0 [ 5437.044140] WARNING: CPU: 2 PID: 24983 at net/netfilter/core.c:376 __nf_unregister_net_hook+0x250/0x280 Signed-off-by:

[PATCH 1/2 nf,v2] netfilter: nf_tables: return EBUSY if device already belongs to flowtable

2018-02-27 Thread Pablo Neira Ayuso
If the netdevice is already part of a flowtable, return EBUSY. I cannot find a valid usecase for having two flowtables bound to the same netdevice. We can still have two flowtables where the device set is disjoint. Signed-off-by: Pablo Neira Ayuso --- v2: number of devices in flowtable may be equa

Re: [nft] nftables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-02-27 Thread Florian Westphal
Ahmed Abdelsalam wrote: > Type 0 and 2 of the IPv6 Routing extension header are not handled > properly by exthdr_init_raw() in src/exthdr.c > > In order to fix the bug, we extended the "enum nft_exthdr_op" to > differentiate between rt, rt0, and rt2. > > This patch should fix the bug. We tested

[nft] nftables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-02-27 Thread Ahmed Abdelsalam
Type 0 and 2 of the IPv6 Routing extension header are not handled properly by exthdr_init_raw() in src/exthdr.c In order to fix the bug, we extended the "enum nft_exthdr_op" to differentiate between rt, rt0, and rt2. This patch should fix the bug. We tested the patch against the same configuratio

[nf-next] netfilter: nf_tables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-02-27 Thread Ahmed Abdelsalam
Type 0 and 2 of the IPv6 Routing extension header are not handled properly by exthdr_init_raw() in src/exthdr.c In order to fix the bug, we extended the "enum nft_exthdr_op" to differentiate between rt, rt0, and rt2. In this patch we extended the kernel implementation of nf_tables to recognize the

[PATCH] extensions: libxt_bpf: Fix build with old kernel versions

2018-02-27 Thread Hauke Mehrtens
In kernel 3.18 the union bpf_attr does not have a pathname attribute and BPF_OBJ_GET is also not defined in these versions. This was added in Linux commit b2197755b263 ("bpf: add support for persistent maps/progs"). Check for the BPF_FS_MAGIC define which was also added in this Linux commit and onl

[PATCH nft] doc: mention meta l4proto and ipv6 nexthdr issue wrt. extension headers

2018-02-27 Thread Florian Westphal
Signed-off-by: Florian Westphal --- doc/nft.xml | 26 +- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/doc/nft.xml b/doc/nft.xml index bddc527f19a7..2b88727c941b 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -2523,6 +2523,9 @@ filter output icmpv6 type { ec

Re: PROBLEM: "netfilter: on sockopt() acquire sock lock only in the required scope" breaks at least sshuttle

2018-02-27 Thread Florian Westphal
Luke Bratch wrote: > Hello > > [1.] One line summary of the problem: > > The patch "netfilter: on sockopt() acquire sock lock only in the required > scope" breaks at least sshuttle. > > [2.] Full description of the problem/report: > > sshuttle does not work in at least kernel 4.9.84 or kernel

PROBLEM: "netfilter: on sockopt() acquire sock lock only in the required scope" breaks at least sshuttle

2018-02-27 Thread Luke Bratch
Hello [1.] One line summary of the problem: The patch "netfilter: on sockopt() acquire sock lock only in the required scope" breaks at least sshuttle. [2.] Full description of the problem/report: sshuttle does not work in at least kernel 4.9.84 or kernel 4.14.22 (and I suspect the other lat