04 Sep, 2017

1 commit

• 44d6e2f27   net: Replace NF_CT_ASSERT() with WARN_ON(). ... Browse Code »

  This patch removes NF_CT_ASSERT() and instead uses WARN_ON().

  Signed-off-by: Varsha Rao

  Varsha Rao

  2017-09-04 19:25:19 +0800  

09 Apr, 2017

1 commit

• 0c7930e57   netfilter: make it safer during the inet6_dev->addr_list traversal ... Browse Code »

  inet6_dev->addr_list is protected by inet6_dev->lock, so only using
  rcu_read_lock is not enough, we should acquire read_lock_bh(&idev->lock)
  before the inet6_dev->addr_list traversal.

  Signed-off-by: Liping Zhang
  Signed-off-by: Pablo Neira Ayuso

  Liping Zhang

  2017-04-09 05:52:16 +0800  

27 Oct, 2015

1 commit

• 94f9cd814   netfilter: nf_nat_redirect: add missing NULL pointer check ... Browse Code »

  Commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT
  redirect IPv4 to use it from nf_tables") has introduced a trivial logic
  change which can result in the following crash.

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
  IP: [] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect]
  PGD 3ba662067 PUD 3ba661067 PMD 0
  Oops: 0000 [#1] SMP
  Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
  CPU: 0 PID: 2536 Comm: ip Tainted: G E 4.1.7-15.23.amzn1.x86_64 #1
  Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015
  task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000
  [...]
  Call Trace:
  
  [] redirect_tg4+0x15/0x20 [xt_REDIRECT]
  [] ipt_do_table+0x2b9/0x5e1 [ip_tables]
  [] iptable_nat_do_chain+0x25/0x30 [iptable_nat]
  [] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4]
  [] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
  [] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4]
  [] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat]
  [] nf_iterate+0x57/0x80
  [] nf_hook_slow+0x97/0x100
  [] ip_rcv+0x314/0x400

  unsigned int
  nf_nat_redirect_ipv4(struct sk_buff *skb,
  ...
  {
  ...
  rcu_read_lock();
  indev = __in_dev_get_rcu(skb->dev);
  if (indev != NULL) {
  ifa = indev->ifa_list;
  newdst = ifa->ifa_local;
  Signed-off-by: Pablo Neira Ayuso

  Munehisa Kamata

  2015-10-27 13:54:56 +0800  

27 Nov, 2014

1 commit

• b59eaf9e2   netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module ... Browse Code »

  This resolves linking problems with CONFIG_IPV6=n:

  net/built-in.o: In function `redirect_tg6':
  xt_REDIRECT.c:(.text+0x6d021): undefined reference to `nf_nat_redirect_ipv6'

  Reported-by: Andreas Ruprecht
  Reported-by: Or Gerlitz
  Signed-off-by: Pablo Neira Ayuso

  Pablo Neira Ayuso

  2014-11-27 20:08:42 +0800