From: Pablo Neira Ayuso
Date: Mon, 22 Apr 2019 22:47:51 +0200
> The following patchset contains Netfilter/IPVS fixes for your net tree:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
Bail out if we go over the boundary, based on patch from Sebastian.
Reported-by: Sebastian Neef
Signed-off-by: Pablo Neira Ayuso
---
iptables/xshared.c | 46 --
1 file changed, 28 insertions(+), 18 deletions(-)
diff --git a/iptables/xshared.c b/iptab
From: Alexander Potapenko
KMSAN started reporting an error when accessing ct->timeout for the
first time without initialization:
BUG: KMSAN: uninit-value in __nf_ct_refresh_acct+0x1ae/0x470
net/netfilter/nf_conntrack_core.c:1765
...
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0
From: Florian Westphal
It means userspace gave us a ruleset where there is some other
data after the ebtables target but before the beginning of the next rule.
Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-by: syzbot+659574e7bcc7f7eb4...@syzkaller.appspotmail.co
From: Florian Westphal
Sven Auhagen reported that a 2nd ping request will fail if 'fully-random'
mode is used.
Reason is that if no proto information is given, min/max are both 0,
so we set the icmp id to 0 instead of choosing a random value between
0 and 65535.
Update test case as well to catch
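Added illustration of the id-selection edge case described above; this is not the kernel's nf_nat code, and the xorshift PRNG, the tiny mapping table and the function names are assumptions made for the walk-through. It shows why a missing proto range (min == max == 0) must be read as "any id" rather than as the one-element range [0, 0]: with the buggy width the first ping takes id 0 and every retry for the second ping collides with it.

```c
#include <stdint.h>
#include <stddef.h>

/* Userspace hands the NAT core a proto range [min, max]; when no range is
 * given, both are 0.  In 'fully-random' mode an id is drawn from that range. */

/* Deterministic 32-bit xorshift so the walk-through is reproducible
 * (assumption: stands in for the kernel's prandom_u32()). */
static uint32_t next_rand(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Buggy variant: with min == max == 0 the width is 1, so the id is always 0. */
uint16_t pick_id_buggy(uint16_t min, uint16_t max, uint32_t rnd)
{
    uint32_t width = (uint32_t)max - min + 1;
    return (uint16_t)(min + rnd % width);
}

/* Fixed variant: an absent range means "any id", i.e. 0..65535. */
uint16_t pick_id_fixed(uint16_t min, uint16_t max, uint32_t rnd)
{
    if (min == 0 && max == 0)
        max = 65535;
    uint32_t width = (uint32_t)max - min + 1;
    return (uint16_t)(min + rnd % width);
}

/* Ids currently mapped towards one peer (constructed stand-in for the NAT
 * mapping table).  A new mapping must not reuse an id that is in use. */
#define MAX_MAPPINGS 8
struct nat_table { uint16_t ids[MAX_MAPPINGS]; size_t n; };

static int id_in_use(const struct nat_table *t, uint16_t id)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->ids[i] == id)
            return 1;
    return 0;
}

/* Try up to 'tries' random ids; -1 means the mapping could not be set up,
 * which is what the failing second ping looks like. */
int alloc_icmp_id(struct nat_table *t, uint16_t min, uint16_t max, int fixed,
                  uint32_t *rng, int tries)
{
    if (t->n >= MAX_MAPPINGS)
        return -1;
    for (int i = 0; i < tries; i++) {
        uint32_t rnd = next_rand(rng);
        uint16_t id = fixed ? pick_id_fixed(min, max, rnd)
                            : pick_id_buggy(min, max, rnd);
        if (!id_in_use(t, id)) {
            t->ids[t->n++] = id;
            return id;
        }
    }
    return -1;
}

/* Two pings from the same host with no proto range configured; returns how
 * many of them obtained a mapping. */
int pings_mapped(int fixed)
{
    struct nat_table t = { {0}, 0 };
    uint32_t rng = 0x9e3779b9u;
    int ok = 0;
    for (int ping = 0; ping < 2; ping++)
        if (alloc_icmp_id(&t, 0, 0, fixed, &rng, 16) >= 0)
            ok++;
    return ok;
}
```

With the buggy width every draw yields 0, so the second ping never finds a free id; with the corrected width the two pings get distinct ids out of the full 16-bit space.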
Hi David,
The following patchset contains Netfilter/IPVS fixes for your net tree:
1) Add a selftest for icmp packet too big errors with conntrack, from
Florian Westphal.
2) Validate inner header in ICMP error message does not lie to us
in conntrack, also from Florian.
3) Initialize ct->ti
From: Julian Anastasov
We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
an existing connection is found.
Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp pa
From: Florian Westphal
setting net.netfilter.nf_conntrack_timestamp=1 breaks xmit with fq
scheduler. skb->tstamp might be "refreshed" using ktime_get_real(),
but fq expects CLOCK_MONOTONIC.
This patch removes all places in netfilter that check/set skb->tstamp:
1. To fix the bogus "start" time
From: Florian Westphal
When an icmp error such as pkttoobig is received, conntrack checks
if the "inner" header (header of packet that did not fit link mtu)
matches an existing connection, and, if so, sets that packet as
being related to the conntrack entry it found.
It was recently reported
From: Florian Westphal
else, we leak the addresses to userspace via ctnetlink events
and dumps.
Compute an ID on demand based on the immutable parts of nf_conn struct.
Another advantage compared to using an address is that there is no
immediate re-use of the same ID in case the conntrack entry
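Added illustration of the point above, not the kernel's nf_conntrack code: exposing the nf_conn address as the entry id leaks a kernel pointer, while hashing the fields that never change over the entry's lifetime (tuples, zone, namespace) under a per-boot secret gives an id that is stable, address-independent and not forgeable from userspace. The struct layout, the murmur-style mixer and the secret value are assumptions; the kernel uses its own hash and seed.

```c
#include <stdint.h>
#include <stddef.h>

struct nf_tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

/* Immutable identity of an entry plus, for contrast, two mutable fields that
 * must stay out of the id.  (Constructed stand-in for struct nf_conn.) */
struct nf_conn {
    struct nf_tuple orig;      /* original direction */
    struct nf_tuple reply;     /* reply direction, fixed once NAT is set up */
    uint16_t zone;
    uint32_t netns_inum;       /* network namespace identity */
    uint32_t timeout;          /* mutable: not part of the id */
    uint64_t packets;          /* mutable: not part of the id */
};

/* What the thread warns against: the low bits of a heap address tell
 * userspace about allocator and KASLR layout. */
uint32_t ct_id_leaky(const struct nf_conn *ct)
{
    return (uint32_t)(uintptr_t)ct;
}

/* 64-bit finaliser (assumption: stands in for the kernel's hash). */
static uint64_t mix64(uint64_t h)
{
    h ^= h >> 33; h *= 0xff51afd7ed558ccdULL;
    h ^= h >> 33; h *= 0xc4ceb9fe1a85ec53ULL;
    h ^= h >> 33;
    return h;
}

static uint64_t hash_tuple(uint64_t h, const struct nf_tuple *t)
{
    h = mix64(h ^ t->saddr);
    h = mix64(h ^ t->daddr);
    h = mix64(h ^ ((uint64_t)t->sport << 16 | t->dport));
    h = mix64(h ^ t->proto);
    return h;
}

/* Id computed on demand from immutable parts only.  Without 'secret' a local
 * user could precompute ids for tuples it does not own. */
uint32_t ct_id_on_demand(const struct nf_conn *ct, uint64_t secret)
{
    uint64_t h = mix64(secret);
    h = hash_tuple(h, &ct->orig);
    h = hash_tuple(h, &ct->reply);
    h = mix64(h ^ ct->zone);
    h = mix64(h ^ ct->netns_inum);
    return (uint32_t)(h ^ (h >> 32));
}

static const uint64_t demo_secret = 0x123456789abcdef0ULL;   /* constructed */

/* Same connection copied to another address with its mutable state moved on:
 * the id must not change. */
int demo_ids_stable(void)
{
    struct nf_conn a = {
        .orig  = { 0xC0A80102u, 0x5DB8D822u, 40000, 443, 6 },
        .reply = { 0x5DB8D822u, 0xC0A80102u, 443, 40000, 6 },
        .zone = 0, .netns_inum = 0xF0000001u, .timeout = 300, .packets = 1,
    };
    struct nf_conn b = a;
    b.timeout = 5;
    b.packets = 99;
    return ct_id_on_demand(&a, demo_secret) == ct_id_on_demand(&b, demo_secret);
}

/* Same tuple in another zone is another entry; another secret gives another
 * id space. */
int demo_ids_differ(void)
{
    struct nf_conn a = {
        .orig  = { 0xC0A80102u, 0x5DB8D822u, 40000, 443, 6 },
        .reply = { 0x5DB8D822u, 0xC0A80102u, 443, 40000, 6 },
        .zone = 0, .netns_inum = 0xF0000001u,
    };
    struct nf_conn b = a;
    b.zone = 1;
    return ct_id_on_demand(&a, demo_secret) != ct_id_on_demand(&b, demo_secret)
        && ct_id_on_demand(&a, demo_secret) != ct_id_on_demand(&a, demo_secret + 1);
}
```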
From: Dan Carpenter
I believe that "hook->num" can be up to UINT_MAX. Shifting more than
31 bits is undefined in C, but in practice it would lead to shift
wrapping. That would lead to an array overflow in nf_tables_addchain():
ops->hook = hook.type->hooks[ops->hooknum];
Fix
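Added illustration of the bound check the report calls for; this is not nf_tables code. A hook number arrives from a netlink attribute as an unsigned int and can be anything up to UINT_MAX, so both the mask test "1 << hooknum" and the index "hooks[hooknum]" must come after a range check. NUM_HOOKS, the structures and the function names are assumptions standing in for the kernel's NF_MAX_HOOKS and nft_chain_type.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

#define NUM_HOOKS 5                 /* assumption: size of the hooks[] array */

typedef int (*hook_fn)(void);

struct chain_type {
    unsigned int hook_mask;         /* bit n set: hook n is supported */
    hook_fn hooks[NUM_HOOKS];
};

struct hook_ops { hook_fn hook; unsigned int hooknum; };

/* Unchecked, as in the report: for hooknum >= 32 the shift is undefined
 * (in practice it wraps), so the mask test can pass and hooks[hooknum] reads
 * far outside the array.  Shown for contrast only; never pass it untrusted
 * input. */
int addchain_unchecked(const struct chain_type *t, unsigned int hooknum,
                       struct hook_ops *ops)
{
    if (!(t->hook_mask & (1u << hooknum)))
        return -EOPNOTSUPP;
    ops->hooknum = hooknum;
    ops->hook = t->hooks[hooknum];
    return 0;
}

/* Checked: bound the index first, then test the mask, then index. */
int addchain_checked(const struct chain_type *t, unsigned int hooknum,
                     struct hook_ops *ops)
{
    if (hooknum >= NUM_HOOKS)
        return -EINVAL;
    if (!(t->hook_mask & (1u << hooknum)))
        return -EOPNOTSUPP;
    ops->hooknum = hooknum;
    ops->hook = t->hooks[hooknum];
    return 0;
}

static int hook_prerouting(void) { return 1; }
static int hook_forward(void)    { return 3; }

/* Constructed chain type supporting hook 0 (prerouting) and hook 2 (forward).
 * Returns the bound hook's value on success, or the negative errno. */
int demo_addchain(unsigned int hooknum)
{
    struct chain_type t = {
        .hook_mask = (1u << 0) | (1u << 2),
        .hooks = { hook_prerouting, NULL, hook_forward },
    };
    struct hook_ops ops = { NULL, 0 };
    int err = addchain_checked(&t, hooknum, &ops);
    if (err)
        return err;
    return ops.hook();
}
```

The order matters: testing the mask before bounding the index is not enough, because the shift itself is already undefined for hooknum >= 32.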
From: Andrei Vagin
It doesn't log a packet if sysctl_log_invalid isn't equal to protonum
OR sysctl_log_invalid isn't equal to IPPROTO_RAW. This sentence is
always true. I believe we need to replace OR with AND.
Cc: Florian Westphal
Fixes: c4f3db1595827 ("netfilter: conntrack: add and use
nf_l4pr
From: Florian Westphal
Luca Moro says:
--
The issue lies in the filtering of ICMP and ICMPv6 errors that include an
inner IP datagram.
For these packets, icmp_error_message() extracts the ICMP error and inner
layer to search for a known state.
If a state is found the packet is tagged as relate
From: Pablo Neira Ayuso
[ Upstream commit 05b7639da55fb9866a1f4b7e8995232a6323 ]
Otherwise, we hit bogus ENOENT when removing elements.
Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with
dynamic updates")
Reported-by: Václav Zindulka
Signed-off-by: Pablo Neira Ayus
From: Xin Long
[ Upstream commit e166e4fdaced850bee3d5ee12a5740258fb30587 ]
Since Commit 21d1196a35f5 ("ipv4: set transport header earlier"),
skb->transport_header has always been set before entering INET
netfilter. This patch is to set skb->transport_header for bridge
before entering INET netfi
From: Kangjie Lu
[ Upstream commit 6d65561f3d5ec933151939c543d006b79044e7a6 ]
skb_header_pointer may return NULL. The current code dereferences
its return values without a NULL check.
The fix inserts the checks to avoid NULL pointer dereferences.
Fixes: 202a8ff545cc ("netfilter: add IPv6 segmen
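Added illustration, not kernel code, serving two points raised in this batch: the ICMP error handling from the Luca Moro report (the inner header of an ICMP error is used to find a known state and the packet is tagged as related) and the skb_header_pointer() NULL check from the patch above. The inner header is read through a bounds-checked accessor that returns NULL on a short packet, and the tuple it describes is looked up in a small connection table. The additional check that the error's outer destination equals the inner source address, i.e. the error actually went back to the host that sent the quoted packet, is our assumption about what "does not lie to us" validation looks like; the sample packets, addresses and function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum icmp_verdict { ICMP_ERR_INVALID = -1, ICMP_ERR_UNRELATED = 0, ICMP_ERR_RELATED = 1 };

struct nf_tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

static uint32_t get32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v; }

/* In the style of skb_header_pointer(): NULL unless [off, off+want) lies
 * inside the packet.  Every caller must check for NULL. */
static const uint8_t *hdr_ptr(const uint8_t *pkt, size_t len, size_t off, size_t want)
{
    if (off > len || want > len - off)
        return NULL;
    return pkt + off;
}

static int tuple_eq(const struct nf_tuple *a, const struct nf_tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->proto == b->proto
        && a->sport == b->sport && a->dport == b->dport;
}

enum icmp_verdict classify_icmp_error(const uint8_t *pkt, size_t len,
                                      const struct nf_tuple *table, size_t n)
{
    const uint8_t *oip = hdr_ptr(pkt, len, 0, 20);
    if (!oip || (oip[0] >> 4) != 4 || (oip[0] & 0x0f) < 5 || oip[9] != 1 /* ICMP */)
        return ICMP_ERR_INVALID;
    size_t oihl = (oip[0] & 0x0f) * 4;

    const uint8_t *icmp = hdr_ptr(pkt, len, oihl, 8);
    if (!icmp)
        return ICMP_ERR_INVALID;
    uint8_t type = icmp[0];
    /* Only the error types quote an inner datagram (RFC 792): destination
     * unreachable, source quench, time exceeded, parameter problem. */
    if (type != 3 && type != 4 && type != 11 && type != 12)
        return ICMP_ERR_UNRELATED;

    size_t in_off = oihl + 8;
    const uint8_t *iip = hdr_ptr(pkt, len, in_off, 20);
    if (!iip || (iip[0] >> 4) != 4 || (iip[0] & 0x0f) < 5)
        return ICMP_ERR_INVALID;
    size_t iihl = (iip[0] & 0x0f) * 4;
    /* RFC 792 promises at least 8 bytes of inner payload: enough for ports. */
    const uint8_t *il4 = hdr_ptr(pkt, len, in_off + iihl, 8);
    if (!il4)
        return ICMP_ERR_INVALID;

    struct nf_tuple t = { get32(iip + 12), get32(iip + 16), 0, 0, iip[9] };
    if (t.proto == 6 || t.proto == 17) {            /* TCP / UDP: ports first */
        t.sport = get16(il4);
        t.dport = get16(il4 + 2);
    }

    /* The quoted packet must have been sent by the host this error was
     * delivered to; otherwise the sender of the error is lying about whose
     * connection it belongs to and must not be allowed to attach to it. */
    if (get32(oip + 16) != t.saddr)
        return ICMP_ERR_UNRELATED;

    for (size_t i = 0; i < n; i++)
        if (tuple_eq(&table[i], &t))
            return ICMP_ERR_RELATED;
    return ICMP_ERR_UNRELATED;
}

/* Constructed sample: ICMP "fragmentation needed" (type 3, code 4) from
 * outer_src to outer_dst, quoting a TCP packet inner_src -> inner_dst. */
size_t build_frag_needed(uint8_t *buf, size_t cap, uint32_t outer_src, uint32_t outer_dst,
                         uint32_t inner_src, uint32_t inner_dst, uint16_t sport, uint16_t dport)
{
    if (cap < 56)
        return 0;
    for (size_t i = 0; i < 56; i++)
        buf[i] = 0;
    buf[0] = 0x45; put16(buf + 2, 56); buf[8] = 64; buf[9] = 1;
    put32(buf + 12, outer_src); put32(buf + 16, outer_dst);
    buf[20] = 3; buf[21] = 4; put16(buf + 26, 1280);         /* next-hop MTU */
    uint8_t *iip = buf + 28;
    iip[0] = 0x45; put16(iip + 2, 1500); iip[8] = 64; iip[9] = 6;
    put32(iip + 12, inner_src); put32(iip + 16, inner_dst);
    put16(iip + 20, sport); put16(iip + 22, dport);
    return 56;
}

/* Scenarios against a table holding one connection
 * 192.168.1.2:40000 -> 93.184.216.34:443 (constructed). */
int demo_icmp_error(int scenario)
{
    const struct nf_tuple table[] = { { 0xC0A80102u, 0x5DB8D822u, 40000, 443, 6 } };
    uint8_t pkt[64];
    uint32_t router = 0x0A000001u, client = 0xC0A80102u, server = 0x5DB8D822u;
    uint32_t inner_src = scenario == 1 ? 0xC0A80109u : client;  /* 1: lying inner header */
    uint16_t dport = scenario == 3 ? 80 : 443;                    /* 3: no such connection */
    size_t len = build_frag_needed(pkt, sizeof pkt, router, client, inner_src, server, 40000, dport);
    if (scenario == 2)
        len = 50;                                                 /* 2: inner ports cut off */
    return classify_icmp_error(pkt, len, table, 1);
}
```

Scenario 2 is the skb_header_pointer() case: the inner IPv4 header fits but its 8-byte transport prefix does not, so hdr_ptr() returns NULL and the packet is dropped as invalid instead of being parsed past its end.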
From: Arnd Bergmann
[ Upstream commit d1fa381033eb718df5c602f64b6e88676138dfc6 ]
With NETFILTER_XT_TARGET_TEE=y and IP6_NF_IPTABLES=m, we get a link
error when referencing the NF_DUP_IPV6 module:
net/netfilter/xt_TEE.o: In function `tee_tg6':
xt_TEE.c:(.text+0x14): undefined reference to `nf_du
From: Pablo Neira Ayuso
[ Upstream commit 8ffcd32f64633926163cdd07a7d295c500a947d1 ]
Proper use counter updates when activating and deactivating the object,
otherwise, this hits bogus EBUSY error.
Fixes: cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
and destroy phase
On Mon, Apr 22, 2019 at 7:38 AM Neil Horman wrote:
> On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> > Implement kernel audit container identifier.
>
> I'm sorry, I've lost track of this, where have we landed on it? Are we good
> for
> inclusion?
I haven't finished going th
Rename the leds documentation files to ReST, add an
index for them and adjust in order to produce a nice html
output via the Sphinx build system.
At its new index.rst, let's add a :orphan: while this is not linked to
the main index.rst file, in order to avoid build warnings.
Signed-off-by: Mauro
On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> Implement kernel audit container identifier.
>
> This patchset is a fifth based on the proposal document (V3)
> posted:
> https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
>
> The first patch was the
The hook in my testcase is at NF_BR_FORWARD, and priority is -2.
And at this hook point both the entry->out and entry->in are not
bridge devices.
But the dst was set to the bridge's fake_rtable.
Rundong Ge wrote on Mon, 22 Apr 2019 at 5:51 PM:
>
> skb->dev is munged in setup_prerouting() to be bridge or vlan
skb->dev is munged in setup_prerouting() to be bridge or vlan device on
top of bridge.
--Yes, but br_nf_pre_routing_finish will set the skb->dev back to the phyindev.
Florian Westphal wrote on Mon, 22 Apr 2019 at 5:35 PM:
>
> Rundong Ge wrote:
> > br_nf_pre_routing will call the NF_INET_PRE_ROUTING hooks, at
Rundong Ge wrote:
> br_nf_pre_routing will call the NF_INET_PRE_ROUTING hooks, at this
> time both entry->state.in and entry->state.out are not bridge devices.
>
> NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
> skb->dev, NULL,
> br_nf_pre_routing_finish);
skb->dev is mun
br_nf_pre_routing will call the NF_INET_PRE_ROUTING hooks, at this
time both entry->state.in and entry->state.out are not bridge devices.
NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
skb->dev, NULL,
br_nf_pre_routing_finish);
Pablo Neira Ayuso wrote on Mon, 22 Apr 2019 at 4:34 PM:
>
>
On Mon, Apr 15, 2019 at 12:43:00AM +0200, Florian Westphal wrote:
> It means userspace gave us a ruleset where there is some other
> data after the ebtables target but before the beginning of the next rule.
Applied, thanks Florian.
On Wed, Apr 17, 2019 at 02:17:23AM +0200, Florian Westphal wrote:
> setting net.netfilter.nf_conntrack_timestamp=1 breaks xmit with fq
> scheduler. skb->tstamp might be "refreshed" using ktime_get_real(),
> but fq expects CLOCK_MONOTONIC.
>
> This patch removes all places in netfilter that check/
On Wed, Apr 17, 2019 at 09:49:44AM -0700, Andrei Vagin wrote:
> It doesn't log a packet if sysctl_log_invalid isn't equal to protonum
> OR sysctl_log_invalid isn't equal to IPPROTO_RAW. This sentence is
> always true. I believe we need to replace OR to AND.
Applied, thanks.
On Tue, Apr 09, 2019 at 06:56:12AM +, Rundong Ge wrote:
[...]
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 0dcc359..57eb02d 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -905,13 +905,25 @@ static void free