15 Mar, 2020

1 commit


16 Jan, 2020

1 commit


27 Aug, 2019

1 commit

  • This patch implements the delete operation from the ruleset.

    It implements a new delete() function in nft_set_rhash. It is simpler
    to use than the already existing remove(), because it only takes the set
    and the key as arguments, whereas remove() expects a full
    nft_set_elem structure.

    Signed-off-by: Ander Juaristi
    Signed-off-by: Pablo Neira Ayuso

    Ander Juaristi
     

13 Aug, 2019

1 commit

  • Sparse rightly complains about undeclared symbols.

    CHECK net/netfilter/nft_set_hash.c
    net/netfilter/nft_set_hash.c:647:21: warning: symbol 'nft_set_rhash_type' was not declared. Should it be static?
    net/netfilter/nft_set_hash.c:670:21: warning: symbol 'nft_set_hash_type' was not declared. Should it be static?
    net/netfilter/nft_set_hash.c:690:21: warning: symbol 'nft_set_hash_fast_type' was not declared. Should it be static?
    CHECK net/netfilter/nft_set_bitmap.c
    net/netfilter/nft_set_bitmap.c:296:21: warning: symbol 'nft_set_bitmap_type' was not declared. Should it be static?
    CHECK net/netfilter/nft_set_rbtree.c
    net/netfilter/nft_set_rbtree.c:470:21: warning: symbol 'nft_set_rbtree_type' was not declared. Should it be static?

    Include nf_tables_core.h rather than nf_tables.h to pick up the additional definitions.

    Signed-off-by: Valdis Kletnieks
    Signed-off-by: Pablo Neira Ayuso

    Valdis Klētnieks
     

19 Jun, 2019

1 commit

  • Based on 2 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license version 2 as
    published by the free software foundation

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license version 2 as
    published by the free software foundation #

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-only

    has been chosen to replace the boilerplate/reference in 4122 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Enrico Weigelt
    Reviewed-by: Kate Stewart
    Reviewed-by: Allison Randal
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

27 Feb, 2019

3 commits


28 Sep, 2018

1 commit


21 Sep, 2018

1 commit


17 Aug, 2018

1 commit

  • In order to determine the allocation size of a set, ->privsize is invoked.
    At this point, both desc->size and the size of each data structure of the
    set are used. desc->size means the number of elements that is given by the
    user. desc->size is of type u32, so the upper limit of set elements is
    4294967295. But the return type of ->privsize is also u32, hence overflow
    can occur.

    test commands:
    %nft add table ip filter
    %nft add set ip filter hash1 { type ipv4_addr \; size 4294967295 \; }
    %nft list ruleset

    splat looks like:
    [ 1239.202910] kasan: CONFIG_KASAN_INLINE enabled
    [ 1239.208788] kasan: GPF could be caused by NULL-ptr deref or user memory access
    [ 1239.217625] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
    [ 1239.219329] CPU: 0 PID: 1603 Comm: nft Not tainted 4.18.0-rc5+ #7
    [ 1239.229091] RIP: 0010:nft_hash_walk+0x1d2/0x310 [nf_tables_set]
    [ 1239.229091] Code: 84 d2 7f 10 4c 89 e7 89 44 24 38 e8 d8 5a 17 e0 8b 44 24 38 48 8d 7b 10 41 0f b6 0c 24 48 89 fa 48 89 fe 48 c1 ea 03 83 e6 07 0f b6 14 3a 40 38 f2 7f 1a 84 d2 74 16
    [ 1239.229091] RSP: 0018:ffff8801118cf358 EFLAGS: 00010246
    [ 1239.229091] RAX: 0000000000000000 RBX: 0000000000020400 RCX: 0000000000000001
    [ 1239.229091] RDX: 0000000000004082 RSI: 0000000000000000 RDI: 0000000000020410
    [ 1239.229091] RBP: ffff880114d5a988 R08: 0000000000007e94 R09: ffff880114dd8030
    [ 1239.229091] R10: ffff880114d5a988 R11: ffffed00229bb006 R12: ffff8801118cf4d0
    [ 1239.229091] R13: ffff8801118cf4d8 R14: 0000000000000000 R15: dffffc0000000000
    [ 1239.229091] FS: 00007f5a8fe0b700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
    [ 1239.229091] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 1239.229091] CR2: 00007f5a8ecc27b0 CR3: 000000010608e000 CR4: 00000000001006f0
    [ 1239.229091] Call Trace:
    [ 1239.229091] ? nft_hash_remove+0xf0/0xf0 [nf_tables_set]
    [ 1239.229091] ? memset+0x1f/0x40
    [ 1239.229091] ? __nla_reserve+0x9f/0xb0
    [ 1239.229091] ? memcpy+0x34/0x50
    [ 1239.229091] nf_tables_dump_set+0x9a1/0xda0 [nf_tables]
    [ 1239.229091] ? __kmalloc_reserve.isra.29+0x2e/0xa0
    [ 1239.229091] ? nft_chain_hash_obj+0x630/0x630 [nf_tables]
    [ 1239.229091] ? nf_tables_commit+0x2c60/0x2c60 [nf_tables]
    [ 1239.229091] netlink_dump+0x470/0xa20
    [ 1239.229091] __netlink_dump_start+0x5ae/0x690
    [ 1239.229091] nft_netlink_dump_start_rcu+0xd1/0x160 [nf_tables]
    [ 1239.229091] nf_tables_getsetelem+0x2e5/0x4b0 [nf_tables]
    [ 1239.229091] ? nft_get_set_elem+0x440/0x440 [nf_tables]
    [ 1239.229091] ? nft_chain_hash_obj+0x630/0x630 [nf_tables]
    [ 1239.229091] ? nf_tables_dump_obj_done+0x70/0x70 [nf_tables]
    [ 1239.229091] ? nla_parse+0xab/0x230
    [ 1239.229091] ? nft_get_set_elem+0x440/0x440 [nf_tables]
    [ 1239.229091] nfnetlink_rcv_msg+0x7f0/0xab0 [nfnetlink]
    [ 1239.229091] ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink]
    [ 1239.229091] ? debug_show_all_locks+0x290/0x290
    [ 1239.229091] ? sched_clock_cpu+0x132/0x170
    [ 1239.229091] ? find_held_lock+0x39/0x1b0
    [ 1239.229091] ? sched_clock_local+0x10d/0x130
    [ 1239.229091] netlink_rcv_skb+0x211/0x320
    [ 1239.229091] ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink]
    [ 1239.229091] ? netlink_ack+0x7b0/0x7b0
    [ 1239.229091] ? ns_capable_common+0x6e/0x110
    [ 1239.229091] nfnetlink_rcv+0x2d1/0x310 [nfnetlink]
    [ 1239.229091] ? nfnetlink_rcv_batch+0x10f0/0x10f0 [nfnetlink]
    [ 1239.229091] ? netlink_deliver_tap+0x829/0x930
    [ 1239.229091] ? lock_acquire+0x265/0x2e0
    [ 1239.229091] netlink_unicast+0x406/0x520
    [ 1239.509725] ? netlink_attachskb+0x5b0/0x5b0
    [ 1239.509725] ? find_held_lock+0x39/0x1b0
    [ 1239.509725] netlink_sendmsg+0x987/0xa20
    [ 1239.509725] ? netlink_unicast+0x520/0x520
    [ 1239.509725] ? _copy_from_user+0xa9/0xc0
    [ 1239.509725] __sys_sendto+0x21a/0x2c0
    [ 1239.509725] ? __ia32_sys_getpeername+0xa0/0xa0
    [ 1239.509725] ? retint_kernel+0x10/0x10
    [ 1239.509725] ? sched_clock_cpu+0x132/0x170
    [ 1239.509725] ? find_held_lock+0x39/0x1b0
    [ 1239.509725] ? lock_downgrade+0x540/0x540
    [ 1239.509725] ? up_read+0x1c/0x100
    [ 1239.509725] ? __do_page_fault+0x763/0x970
    [ 1239.509725] ? retint_user+0x18/0x18
    [ 1239.509725] __x64_sys_sendto+0x177/0x180
    [ 1239.509725] do_syscall_64+0xaa/0x360
    [ 1239.509725] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [ 1239.509725] RIP: 0033:0x7f5a8f468e03
    [ 1239.509725] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb d0 0f 1f 84 00 00 00 00 00 83 3d 49 c9 2b 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8
    [ 1239.509725] RSP: 002b:00007ffd78d0b778 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    [ 1239.509725] RAX: ffffffffffffffda RBX: 00007ffd78d0c890 RCX: 00007f5a8f468e03
    [ 1239.509725] RDX: 0000000000000034 RSI: 00007ffd78d0b7e0 RDI: 0000000000000003
    [ 1239.509725] RBP: 00007ffd78d0b7d0 R08: 00007f5a8f15c160 R09: 000000000000000c
    [ 1239.509725] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd78d0b7e0
    [ 1239.509725] R13: 0000000000000034 R14: 00007f5a8f9aff60 R15: 00005648040094b0
    [ 1239.509725] Modules linked in: nf_tables_set nf_tables nfnetlink ip_tables x_tables
    [ 1239.670713] ---[ end trace 39375adcda140f11 ]---
    [ 1239.676016] RIP: 0010:nft_hash_walk+0x1d2/0x310 [nf_tables_set]
    [ 1239.682834] Code: 84 d2 7f 10 4c 89 e7 89 44 24 38 e8 d8 5a 17 e0 8b 44 24 38 48 8d 7b 10 41 0f b6 0c 24 48 89 fa 48 89 fe 48 c1 ea 03 83 e6 07 0f b6 14 3a 40 38 f2 7f 1a 84 d2 74 16
    [ 1239.705108] RSP: 0018:ffff8801118cf358 EFLAGS: 00010246
    [ 1239.711115] RAX: 0000000000000000 RBX: 0000000000020400 RCX: 0000000000000001
    [ 1239.719269] RDX: 0000000000004082 RSI: 0000000000000000 RDI: 0000000000020410
    [ 1239.727401] RBP: ffff880114d5a988 R08: 0000000000007e94 R09: ffff880114dd8030
    [ 1239.735530] R10: ffff880114d5a988 R11: ffffed00229bb006 R12: ffff8801118cf4d0
    [ 1239.743658] R13: ffff8801118cf4d8 R14: 0000000000000000 R15: dffffc0000000000
    [ 1239.751785] FS: 00007f5a8fe0b700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
    [ 1239.760993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 1239.767560] CR2: 00007f5a8ecc27b0 CR3: 000000010608e000 CR4: 00000000001006f0
    [ 1239.775679] Kernel panic - not syncing: Fatal exception
    [ 1239.776630] Kernel Offset: 0x1f000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
    [ 1239.776630] Rebooting in 5 seconds..

    Fixes: 20a69341f2d0 ("netfilter: nf_tables: add netlink set API")
    Signed-off-by: Taehee Yoo
    Signed-off-by: Pablo Neira Ayuso

    Taehee Yoo
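
The u32 truncation described in the commit message above, as an added example (not code from the commit or from the kernel). HDR_SIZE, BUCKET_SIZE and all function names are hypothetical stand-ins for the set's private data layout, and the widened and checked variants are common defensive patterns, not necessarily the fix that was applied.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sizes for illustration; not the kernel's struct sizes. */
#define HDR_SIZE    64u  /* fixed private header of the set */
#define BUCKET_SIZE 8u   /* one bucket head per requested element */

/* Shape of the bug: size computed and returned in 32 bits, so it wraps. */
static uint32_t privsize_u32(uint32_t nelems)
{
    return HDR_SIZE + nelems * BUCKET_SIZE;
}

/* Widened variant: 64-bit arithmetic keeps the true size. */
static uint64_t privsize_u64(uint32_t nelems)
{
    return (uint64_t)HDR_SIZE + (uint64_t)nelems * BUCKET_SIZE;
}

/* Checked variant: reject a request whose size does not fit in u32. */
static bool privsize_checked(uint32_t nelems, uint32_t *out)
{
    uint32_t buckets;

    if (__builtin_mul_overflow(nelems, BUCKET_SIZE, &buckets))
        return false;
    if (__builtin_add_overflow(buckets, HDR_SIZE, out))
        return false;
    return true;
}

/* How many buckets an allocation of 'alloc' bytes really backs. */
static uint64_t buckets_backed(uint64_t alloc)
{
    if (alloc < HDR_SIZE)
        return 0;
    return (alloc - HDR_SIZE) / BUCKET_SIZE;
}

int main(void)
{
    uint32_t nelems = UINT32_MAX;  /* "size 4294967295" from the test commands */
    uint32_t wrapped = privsize_u32(nelems);
    uint32_t checked = 0;

    printf("requested elements : %" PRIu32 "\n", nelems);
    printf("u32 privsize       : %" PRIu32 " bytes\n", wrapped);
    printf("u64 privsize       : %" PRIu64 " bytes\n", privsize_u64(nelems));
    printf("buckets backed     : %" PRIu64 "\n", buckets_backed(wrapped));
    printf("checked accepts    : %s\n",
           privsize_checked(nelems, &checked) ? "yes" : "no");
    return 0;
}
```

With the wrapped size the allocation is smaller than the header alone, while the set still records the requested element count, so any later walk over the buckets reads memory that was never allocated for them.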
     

18 Jul, 2018

1 commit

  • GC of set uses call_rcu() to destroy elements,
    so elements would be destroyed after destroying sets and chains.
    But elements should be destroyed before destroying sets and chains.
    In order to wait for call_rcu(), an rcu_barrier() is added.

    In order to test correctly, the patch below should be applied.
    https://patchwork.ozlabs.org/patch/940883/

    test scripts:
    %cat test.nft
    table ip aa {
        map map1 {
            type ipv4_addr : verdict; flags timeout;
            elements = {
                0 : jump a0,
                1 : jump a0,
                2 : jump a0,
                3 : jump a0,
                4 : jump a0,
                5 : jump a0,
                6 : jump a0,
                7 : jump a0,
                8 : jump a0,
                9 : jump a0,
            }
            timeout 1s;
        }
        chain a0 {
        }
    }
    flush ruleset

    [ ... ]

    table ip aa {
        map map1 {
            type ipv4_addr : verdict; flags timeout;
            elements = {
                0 : jump a0,
                1 : jump a0,
                2 : jump a0,
                3 : jump a0,
                4 : jump a0,
                5 : jump a0,
                6 : jump a0,
                7 : jump a0,
                8 : jump a0,
                9 : jump a0,
            }
            timeout 1s;
        }
        chain a0 {
        }
    }
    flush ruleset

    Splat looks like:
    [ 200.795603] kernel BUG at net/netfilter/nf_tables_api.c:1363!
    [ 200.806944] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
    [ 200.812253] CPU: 1 PID: 1582 Comm: nft Not tainted 4.17.0+ #24
    [ 200.820297] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
    [ 200.830309] RIP: 0010:nf_tables_chain_destroy.isra.34+0x62/0x240 [nf_tables]
    [ 200.838317] Code: 43 50 85 c0 74 26 48 8b 45 00 48 8b 4d 08 ba 54 05 00 00 48 c7 c6 60 6d 29 c0 48 c7 c7 c0 65 29 c0
    4c 8b 40 08 e8 58 e5 fd f8 0b 48 89 da 48 b8 00 00 00 00 00 fc ff
    [ 200.860366] RSP: 0000:ffff880118dbf4d0 EFLAGS: 00010282
    [ 200.866354] RAX: 0000000000000061 RBX: ffff88010cdeaf08 RCX: 0000000000000000
    [ 200.874355] RDX: 0000000000000061 RSI: 0000000000000008 RDI: ffffed00231b7e90
    [ 200.882361] RBP: ffff880118dbf4e8 R08: ffffed002373bcfb R09: ffffed002373bcfa
    [ 200.890354] R10: 0000000000000000 R11: ffffed002373bcfb R12: dead000000000200
    [ 200.898356] R13: dead000000000100 R14: ffffffffbb62af38 R15: dffffc0000000000
    [ 200.906354] FS: 00007fefc31fd700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
    [ 200.915533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 200.922355] CR2: 0000557f1c8e9128 CR3: 0000000106880000 CR4: 00000000001006e0
    [ 200.930353] Call Trace:
    [ 200.932351] ? nf_tables_commit+0x26f6/0x2c60 [nf_tables]
    [ 200.939525] ? nf_tables_setelem_notify.constprop.49+0x1a0/0x1a0 [nf_tables]
    [ 200.947525] ? nf_tables_delchain+0x6e0/0x6e0 [nf_tables]
    [ 200.952383] ? nft_add_set_elem+0x1700/0x1700 [nf_tables]
    [ 200.959532] ? nla_parse+0xab/0x230
    [ 200.963529] ? nfnetlink_rcv_batch+0xd06/0x10d0 [nfnetlink]
    [ 200.968384] ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
    [ 200.975525] ? debug_show_all_locks+0x290/0x290
    [ 200.980363] ? debug_show_all_locks+0x290/0x290
    [ 200.986356] ? sched_clock_cpu+0x132/0x170
    [ 200.990352] ? find_held_lock+0x39/0x1b0
    [ 200.994355] ? sched_clock_local+0x10d/0x130
    [ 200.999531] ? memset+0x1f/0x40

    Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts")
    Signed-off-by: Taehee Yoo
    Signed-off-by: Pablo Neira Ayuso

    Taehee Yoo
     

07 Jul, 2018

1 commit


03 Jun, 2018

1 commit

  • Use garbage collector to schedule removal of elements based on feedback
    from expression that this element comes with. Therefore, the garbage
    collector is not guided by timeout expirations in this new mode.

    The new connlimit expression sets the NFT_EXPR_GC flag to enable this
    behaviour, the dynset expression needs to explicitly enable the garbage
    collector via set->ops->gc_init call.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

24 Apr, 2018

1 commit

  • Drop nft_set_type's ability to act as a container of multiple backend
    implementations it chooses from. Instead consolidate the whole selection
    logic in nft_select_set_ops() and the actual backend provided estimate()
    callback.

    This turns nf_tables_set_types into a list containing all available
    backends which is traversed when selecting one matching userspace
    requested criteria.

    Also, this change allows to embed nft_set_ops structure into
    nft_set_type and pull flags field into the latter as it's only used
    during selection phase.

    A crucial part of this change is to make sure the new layout respects
    hash backend constraints formerly enforced by nft_hash_select_ops()
    function: This is achieved by introduction of a specific estimate()
    callback for nft_hash_fast_ops which returns false for key lengths != 4.
    In turn, nft_hash_estimate() is changed to return false for key lengths
    == 4 so it won't be chosen by accident. Also, both callbacks must return
    false for unbounded sets as their size estimate depends on a known
    maximum element count.

    Note that this patch partially reverts commit 4f2921ca21b71 ("netfilter:
    nf_tables: meter: pick a set backend that supports updates") by making
    nft_set_ops_candidate() not explicitly look for an update callback but
    make NFT_SET_EVAL a regular backend feature flag which is checked along
    with the others. This way all feature requirements are checked in one
    go.

    Signed-off-by: Phil Sutter
    Signed-off-by: Pablo Neira Ayuso

    Phil Sutter
     

20 Mar, 2018

1 commit

  • In nftables, 'meter' can be used to instantiate a hash-table at run
    time:

    rule add filter forward iif "internal" meter hostacct { ip saddr counter}
    nft list meter ip filter hostacct
    table ip filter {
    meter hostacct {
    type ipv4_addr
    elements = { 192.168.0.1 : counter packets 8 bytes 2672, ..

    Because elements get added on the fly, the kernel must choose a set
    backend type that implements the ->update() function, otherwise
    rule insertion fails with EOPNOTSUPP.

    Therefore, skip set types that lack ->update, and also
    make sure we do not discard a (bad) candidate when we did not yet
    find any candidate at all. This could happen when userspace prefers
    low memory footprint -- the set implementation currently checked might
    not be a fit at all. Make sure we pick it anyway (!bops). In
    case next candidate is a better fix, it will be chosen instead.

    But in case nothing else is found we at least have a non-ideal
    match rather than no match at all.

    Fixes: 6c03ae210ce3 ("netfilter: nft_set_hash: add non-resizable hashtable implementation")
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

06 Mar, 2018

1 commit


11 Dec, 2017

1 commit

  • Most callers of rhashtable_walk_start don't care about a resize event
    which is indicated by a return value of -EAGAIN. So calls to
    rhashtable_walk_start are wrapped with code to ignore -EAGAIN. Something
    like this is common:

    ret = rhashtable_walk_start(rhiter);
    if (ret && ret != -EAGAIN)
            goto out;

    Since zero and -EAGAIN are the only possible return values from the
    function this check is pointless. The condition never evaluates to true.

    This patch changes rhashtable_walk_start to return void. This simplifies
    code for the callers that ignore -EAGAIN. For the few cases where the
    caller cares about the resize event, particularly where the table can be
    walked in multiple parts for netlink or seq file dump, the function
    rhashtable_walk_start_check has been added that returns -EAGAIN on a
    resize event.

    Signed-off-by: Tom Herbert
    Acked-by: Herbert Xu
    Signed-off-by: David S. Miller

    Tom Herbert
     

08 Nov, 2017

1 commit

  • Pablo Neira Ayuso says:

    ====================
    Netfilter/IPVS updates for net-next

    The following patchset contains Netfilter/IPVS updates for your net-next
    tree, they are:

    1) Speed up table replacement on busy systems with large tables
    (and many cores) in x_tables. Now xt_replace_table() synchronizes by
    itself by waiting until all cpus had an even seqcount and we use no
    use seqlock when fetching old counters, from Florian Westphal.

    2) Add nf_l4proto_log_invalid() and nf_ct_l4proto_log_invalid() to speed
    up packet processing in the fast path when logging is not enabled, from
    Florian Westphal.

    3) Precompute masked address from configuration plane in xt_connlimit,
    from Florian.

    4) Don't use explicit size for set selection if performance set policy
    is selected.

    5) Allow to get elements from an existing set in nf_tables.

    6) Fix incorrect check in nft_hash_deactivate(), from Florian.

    7) Cache netlink attribute size result in l4proto->nla_size, from
    Florian.

    8) Handle NFPROTO_INET in nf_ct_netns_get() from conntrack core.

    9) Use power efficient workqueue in conntrack garbage collector, from
    Vincent Guittot.

    10) Remove unnecessary parameter, in conntrack l4proto functions, also
    from Florian.

    11) Constify struct nf_conntrack_l3proto definitions, from Florian.

    12) Remove all typedefs in nf_conntrack_h323 via coccinelle semantic
    patch, from Harsha Sharma.

    13) Don't store address in the rbtree nodes in xt_connlimit, they are
    never used, from Florian.

    14) Fix out of bound access in the conntrack h323 helper, patch from
    Eric Sesterhenn.

    15) Print symbols for the address returned with %pS in IPVS, from
    Helge Deller.

    16) Proc output should only display its own netns in IPVS, from
    KUWAZAWA Takuya.

    17) Small clean up in size_entry_mwt(), from Colin Ian King.

    18) Use test_and_clear_bit from nf_nat_proto_clean() instead of separated
    non-atomic test and then clear bit, from Florian Westphal.

    19) Consolidate prefix length maps in ipset, from Aaron Conole.

    20) Fix sparse warnings in ipset, from Jozsef Kadlecsik.

    21) Simplify list_set_memsize(), from simran singhal.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

07 Nov, 2017

1 commit


06 Nov, 2017

1 commit


25 Oct, 2017

1 commit

  • jhash_1word of a u16 is a different value from jhash of the same u16 with
    length 2.
    Since elements are always inserted in sets using jhash over the actual
    klen, this would lead to incorrect lookups on fixed-size sets with a key
    length of 2, as they would be inserted with hash value jhash(key, 2) and
    looked up with hash value jhash_1word(key), which is different.

    Example reproducer (v4.13+), using anonymous sets which always have a
    fixed size:

    table inet t {
        chain c {
            type filter hook output priority 0; policy accept;
            tcp dport { 10001, 10003, 10005, 10007, 10009 } counter packets 4 bytes 240 reject
            tcp dport 10001 counter packets 4 bytes 240 reject
            tcp dport 10003 counter packets 4 bytes 240 reject
            tcp dport 10005 counter packets 4 bytes 240 reject
            tcp dport 10007 counter packets 0 bytes 0 reject
            tcp dport 10009 counter packets 4 bytes 240 reject
        }
    }

    then use nc -z localhost to probe; incorrectly hashed ports will
    pass through the set lookup and increment the counter of an individual
    rule.

    jhash being seeded with a random value, it is not deterministic which
    ports will incorrectly hash, but in testing with 5 ports in the set I
    always had 4 or 5 with an incorrect hash value.

    Signed-off-by: Anatole Denis
    Signed-off-by: Pablo Neira Ayuso

    Anatole Denis
     

29 May, 2017

8 commits


15 May, 2017

1 commit


07 Apr, 2017

1 commit

  • The following Coccinelle script was used to detect this:
    @r@
    expression x;
    void* e;
    type T;
    identifier f;
    @@
    (
    *((T *)e)
    |
    ((T *)x)[...]
    |
    ((T*)x)->f
    |

    - (T*)
    e
    )

    Unnecessary parentheses are also removed.

    Signed-off-by: simran singhal
    Reviewed-by: Stephen Hemminger
    Signed-off-by: Pablo Neira Ayuso

    simran singhal
     

12 Feb, 2017

1 commit


08 Feb, 2017

4 commits


25 Jan, 2017

1 commit


07 Dec, 2016

2 commits

  • This patch adds support for set flushing, that consists of walking over
    the set elements if the NFTA_SET_ELEM_LIST_ELEMENTS attribute is set.
    This patch requires the following changes:

    1) Add set->ops->deactivate_one() operation: This allows us to
    deactivate an element from the set element walk path, given we can
    skip the lookup that happens in ->deactivate().

    2) Add a new nft_trans_alloc_gfp() function since we need to allocate
    transactions using GFP_ATOMIC given the set walk path happens with
    held rcu_read_lock.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • This new function allows us to deactivate one single element, this is
    required by the set flush command that comes in a follow up patch.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso