29 May, 2013

1 commit


15 May, 2013

1 commit

  • Since (69b34fb netfilter: xt_LOG: add net namespace support
    for xt_LOG), we hit this:

    [ 4224.708977] BUG: unable to handle kernel NULL pointer dereference at 0000000000000388
    [ 4224.709074] IP: [] ipt_log_packet+0x29/0x270

    when calling log functions from conntrack both in and out
    are NULL, i.e. the net pointer is invalid.

    Adding struct net *net in call to nf_logfn() will secure that
    there always is a valid net ptr.

    Reported as netfilter's bugzilla bug 818:
    https://bugzilla.netfilter.org/show_bug.cgi?id=818

    Reported-by: Ronald
    Signed-off-by: Hans Schillstrom
    Signed-off-by: Pablo Neira Ayuso

    Hans Schillstrom

06 Apr, 2013

1 commit

  • Add pernet support to xt_LOG by means of the new nf_log_set
    function added in (30e0c6a netfilter: nf_log: prepare net
    namespace support for loggers).

    Since syslog ns has not yet been implemented, we don't want
    the containers to DDOS host's syslogd. So only enable ebt_log
    from init_net and wait for syslog ns support.

    Signed-off-by: Gao feng
    Signed-off-by: Pablo Neira Ayuso

    Gao feng

03 Oct, 2012

1 commit

  • Pull user namespace changes from Eric Biederman:
    "This is a mostly modest set of changes to enable basic user namespace
    support. This allows the code to compile with user namespaces
    enabled and removes the assumption there is only the initial user
    namespace. Everything is converted except for the most complex of the
    filesystems: autofs4, 9p, afs, ceph, cifs, coda, fuse, gfs2, ncpfs,
    nfs, ocfs2 and xfs as those patches need a bit more review.

    The strategy is to push kuid_t and kgid_t values as far down into
    subsystems and filesystems as reasonable. Leaving the make_kuid and
    from_kuid operations to happen at the edge of userspace, as the values
    come off the disk, and as the values come in from the network.
    Letting type-incompatible compile errors (present when user
    namespaces are enabled) guide me to find the issues.

    The most tricky areas have been the places where we had an implicit
    union of uid and gid values and were storing them in an unsigned int.
    Those places were converted into explicit unions. I made certain to
    handle those places with simple trivial patches.

    Out of that work I discovered we have generic interfaces for storing
    quota by projid. I had never heard of the project identifiers before.
    Adding full user namespace support for project identifiers accounts
    for most of the code size growth in my git tree.

    Ultimately there will be work to relax privilege checks from
    "capable(FOO)" to "ns_capable(user_ns, FOO)" where it is safe allowing
    root in a user namespace to do those things that today we only forbid to
    non-root users because it will confuse suid root applications.

    While I was pushing kuid_t and kgid_t changes deep into the audit code
    I made a few other cleanups. I capitalized on the fact we process
    netlink messages in the context of the message sender. I removed
    usage of NETLINK_CRED, and started directly using current->tty.

    Some of these patches have also made it into maintainer trees, with no
    problems from identical code from different trees showing up in
    linux-next.

    After reading through all of this code I feel like I might be able to
    win a game of kernel trivial pursuit."

    Fix up some fairly trivial conflicts in netfilter uid/gid logging code.

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (107 commits)
    userns: Convert the ufs filesystem to use kuid/kgid where appropriate
    userns: Convert the udf filesystem to use kuid/kgid where appropriate
    userns: Convert ubifs to use kuid/kgid
    userns: Convert squashfs to use kuid/kgid where appropriate
    userns: Convert reiserfs to use kuid and kgid where appropriate
    userns: Convert jfs to use kuid/kgid where appropriate
    userns: Convert jffs2 to use kuid and kgid where appropriate
    userns: Convert hpfs to use kuid and kgid where appropriate
    userns: Convert btrfs to use kuid/kgid where appropriate
    userns: Convert bfs to use kuid/kgid where appropriate
    userns: Convert affs to use kuid/kgid where appropriate
    userns: On alpha modify linux_to_osf_stat to use convert from kuids and kgids
    userns: On ia64 deal with current_uid and current_gid being kuid and kgid
    userns: On ppc convert current_uid from a kuid before printing.
    userns: Convert s390 getting uid and gid system calls to use kuid and kgid
    userns: Convert s390 hypfs to use kuid and kgid where appropriate
    userns: Convert binder ipc to use kuids
    userns: Teach security_path_chown to take kuids and kgids
    userns: Add user namespace support to IMA
    userns: Convert EVM to deal with kuids and kgids in its hmac computation
    ...

    Linus Torvalds

12 Sep, 2012

1 commit

  • auto75914331@hushmail.com reports that iptables does not correctly
    output the KERN_.

    $IPTABLES -A RULE_0_in -j LOG --log-level notice --log-prefix "DENY in: "

    result with linux 3.6-rc5
    Sep 12 06:37:29 xxxxx kernel: DENY in: IN=eth0 OUT= MAC=.......

    result with linux 3.5.3 and older:
    Sep 9 10:43:01 xxxxx kernel: DENY in: IN=eth0 OUT= MAC......

    commit 04d2c8c83d0
    ("printk: convert the format for KERN_ to a 2 byte pattern")
    updated the syslog header style but did not update netfilter uses.

    Do so.

    Use KERN_SOH and string concatenation instead of "%c" KERN_SOH_ASCII
    as suggested by Eric Dumazet.

    Signed-off-by: Joe Perches
    cc: auto75914331@hushmail.com
    Signed-off-by: Pablo Neira Ayuso

    Joe Perches

06 Sep, 2012

1 commit

  • Sami Farin reported crashes in xt_LOG because it assumes skb->sk is a
    full blown socket.

    Since (41063e9 ipv4: Early TCP socket demux), we can have skb->sk
    pointing to a timewait socket.

    Same fix is needed in nfnetlink_log.

    Diagnosed-by: Florian Westphal
    Reported-by: Sami Farin
    Signed-off-by: Eric Dumazet
    Signed-off-by: Pablo Neira Ayuso

    Eric Dumazet

15 Aug, 2012

1 commit


22 Mar, 2012

1 commit


08 Mar, 2012

2 commits

  • In 16059b5 netfilter: merge ipt_LOG and ip6_LOG into xt_LOG, we have
    merged ipt_LOG and ip6t_LOG.

    However:

    IN=wlan0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
    SRC=213.150.61.61 DST=192.168.1.133 LEN=40 TOS=0x00 PREC=0x00 TTL=117
    ID=10539 DF PROTO=TCP SPT=80 DPT=49013 WINDOW=0 RES=0x00 ACK RST
    URGP=0 PROTO=UDPLITE SPT=80 DPT=49013 LEN=45843 PROTO=ICMP TYPE=0
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    Several missing break in the code led to including bogus layer-4
    information. This patch fixes this problem.

    Signed-off-by: Richard Weinberger
    Signed-off-by: Pablo Neira Ayuso

    Richard Weinberger
  • ipt_LOG and ip6_LOG have a lot of common code, merge them
    to reduce duplicate code.

    Signed-off-by: Richard Weinberger
    Signed-off-by: Pablo Neira Ayuso

    Richard Weinberger
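The missing-break problem from the two 08 Mar, 2012 entries (the ipt_LOG/ip6t_LOG merge in 16059b5 and its follow-up fix), as an added C example that is not kernel code and not part of this log: a simplified stand-in for the xt_LOG layer-4 dump switch, fed a constructed TCP header, where a dropped `break` makes the same header bytes get reinterpreted as UDPLITE and ICMP fields exactly like the bogus log line quoted above. The `dump_l4` function, its `fixed` flag and the sample bytes are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the xt_LOG layer-4 dump switch (not the kernel code):
 * once a break is missing, the same header bytes get reinterpreted by every
 * case the switch falls through into, yielding the bogus fields in the log. */
enum { P_ICMP = 1, P_TCP = 6, P_UDPLITE = 136 };

static unsigned be16(const uint8_t *p) { return (unsigned)((p[0] << 8) | p[1]); }
static void add(char *buf, size_t len, const char *s) { strncat(buf, s, len - strlen(buf) - 1); }

/* fixed=0 reproduces the missing-break bug; fixed=1 is the corrected switch. */
const char *dump_l4(int proto, const uint8_t *l4, char *buf, size_t len, int fixed)
{
    char tmp[64];
    buf[0] = '\0';
    switch (proto) {
    case P_TCP:
        snprintf(tmp, sizeof tmp, "PROTO=TCP SPT=%u DPT=%u ", be16(l4), be16(l4 + 2));
        add(buf, len, tmp);
        if (fixed) break;        /* the break the merge lost */
        /* fall through */
    case P_UDPLITE:
        snprintf(tmp, sizeof tmp, "PROTO=UDPLITE SPT=%u DPT=%u LEN=%u ",
                 be16(l4), be16(l4 + 2), be16(l4 + 4));
        add(buf, len, tmp);
        if (fixed) break;
        /* fall through */
    case P_ICMP:
        snprintf(tmp, sizeof tmp, "PROTO=ICMP TYPE=%u ", (unsigned)l4[0]);
        add(buf, len, tmp);
        break;
    default:
        snprintf(tmp, sizeof tmp, "PROTO=%d ", proto);
        add(buf, len, tmp);
    }
    return buf;
}

/* Constructed TCP header prefix: sport 80, dport 49013, then two sequence bytes. */
static const uint8_t SAMPLE_TCP[8] = { 0x00, 0x50, 0xBF, 0x75, 0xB3, 0x13, 0x00, 0x00 };

int main(void)
{
    char buf[256];
    printf("buggy: %s\n", dump_l4(P_TCP, SAMPLE_TCP, buf, sizeof buf, 0));
    printf("fixed: %s\n", dump_l4(P_TCP, SAMPLE_TCP, buf, sizeof buf, 1));
    return 0;
}
```

With the fall-through in place the TCP port bytes resurface as UDPLITE ports and LEN=45843, and the first byte becomes ICMP TYPE=0, which is the pattern the 08 Mar entry underlines.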