01 May, 2017
1 commit
-
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-nextThe following patchset contains Netfilter updates for your net-next
tree. A large bunch of code cleanups, simplify the conntrack extension
codebase, get rid of the fake conntrack object, speed up netns by
selective synchronize_net() calls. More specifically, they are:1) Check for ct->status bit instead of using nfct_nat() from IPVS and
Netfilter codebase, patch from Florian Westphal.2) Use kcalloc() wherever possible in the IPVS code, from Varsha Rao.
3) Simplify FTP IPVS helper module registration path, from Arushi Singhal.
4) Introduce nft_is_base_chain() helper function.
5) Enforce expectation limit from userspace conntrack helper,
from Gao Feng.6) Add nf_ct_remove_expect() helper function, from Gao Feng.
7) NAT mangle helper function return boolean, from Gao Feng.
8) ctnetlink_alloc_expect() should only work for conntrack with
helpers, from Gao Feng.9) Add nfnl_msg_type() helper function to nfnetlink to build the
netlink message type.10) Get rid of unnecessary cast on void, from simran singhal.
11) Use seq_puts()/seq_putc() instead of seq_printf() where possible,
also from simran singhal.12) Use list_prev_entry() from nf_tables, from simran signhal.
13) Remove unnecessary & on pointer function in the Netfilter and IPVS
code.14) Remove obsolete comment on set of rules per CPU in ip6_tables,
no longer true. From Arushi Singhal.15) Remove duplicated nf_conntrack_l4proto_udplite4, from Gao Feng.
16) Remove unnecessary nested rcu_read_lock() in
__nf_nat_decode_session(). Code running from hooks are already
guaranteed to run under RCU read side.17) Remove deadcode in nf_tables_getobj(), from Aaron Conole.
18) Remove double assignment in nf_ct_l4proto_pernet_unregister_one(),
also from Aaron.19) Get rid of unsed __ip_set_get_netlink(), from Aaron Conole.
20) Don't propagate NF_DROP error to userspace via ctnetlink in
__nf_nat_alloc_null_binding() function, from Gao Feng.21) Revisit nf_ct_deliver_cached_events() to remove unnecessary checks,
from Gao Feng.22) Kill the fake untracked conntrack objects, use ctinfo instead to
annotate a conntrack object is untracked, from Florian Westphal.23) Remove nf_ct_is_untracked(), now obsolete since we have no
conntrack template anymore, from Florian.24) Add event mask support to nft_ct, also from Florian.
25) Move nf_conn_help structure to
include/net/netfilter/nf_conntrack_helper.h.26) Add a fixed 32 bytes scratchpad area for conntrack helpers.
Thus, we don't deal with variable conntrack extensions anymore.
Make sure userspace conntrack helper doesn't go over that size.
Remove variable size ct extension infrastructure now this code
got no more clients. From Florian Westphal.27) Restore offset and length of nf_ct_ext structure to 8 bytes now
that wraparound is not possible any longer, also from Florian.28) Allow to get rid of unassured flows under stress in conntrack,
this applies to DCCP, SCTP and TCP protocols, from Florian.29) Shrink size of nf_conntrack_ecache structure, from Florian.
30) Use TCP_MAX_WSCALE instead of hardcoded 14 in TCP tracker,
from Gao Feng.31) Register SYNPROXY hooks on demand, from Florian Westphal.
32) Use pernet hook whenever possible, instead of global hook
registration, from Florian Westphal.33) Pass hook structure to ebt_register_table() to consolidate some
infrastructure code, from Florian Westphal.34) Use consume_skb() and return NF_STOLEN, instead of NF_DROP in the
SYNPROXY code, to make sure device stats are not fooled, patch
from Gao Feng.35) Remove NF_CT_EXT_F_PREALLOC this kills quite some code that we
don't need anymore if we just select a fixed size instead of
expensive runtime time calculation of this. From Florian.36) Constify nf_ct_extend_register() and nf_ct_extend_unregister(),
from Florian.37) Simplify nf_ct_ext_add(), this kills nf_ct_ext_create(), from
Florian.38) Attach NAT extension on-demand from masquerade and pptp helper
path, from Florian.39) Get rid of useless ip_vs_set_state_timeout(), from Aaron Conole.
40) Speed up netns by selective calls of synchronize_net(), from
Florian Westphal.41) Silence stack size warning gcc in 32-bit arch in snmp helper,
from Florian.42) Inconditionally call nf_ct_ext_destroy(), even if we have no
extensions, to deal with the NF_NAT_MANIP_SRC case. Patch from
Liping Zhang.
====================Signed-off-by: David S. Miller
15 Apr, 2017
1 commit
-
There are no in-tree callers.
Signed-off-by: Aaron Conole
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
14 Apr, 2017
2 commits
-
Pass the new extended ACK reporting struct to all of the generic
netlink parsing functions. For now, pass NULL in almost all callers
(except for some in the core.)Signed-off-by: Johannes Berg
Signed-off-by: David S. Miller -
Add the base infrastructure and UAPI for netlink extended ACK
reporting. All "manual" calls to netlink_ack() pass NULL for now and
thus don't get extended ACK reporting.Big thanks goes to Pablo Neira Ayuso for not only bringing up the
whole topic at netconf (again) but also coming up with the nlattr
passing trick and various other ideas.Signed-off-by: Johannes Berg
Reviewed-by: David Ahern
Signed-off-by: David S. Miller
08 Apr, 2017
1 commit
-
Remove & from function pointers to conform to the style found elsewhere
in the file. Done using the following semantic patch//
@r@
identifier f;
@@f(...) { ... }
@@
identifier r.f;
@@- &f
+ f
//Signed-off-by: Arushi Singhal
Signed-off-by: Pablo Neira Ayuso
07 Apr, 2017
2 commits
-
The following Coccinelle script was used to detect this:
@r@
expression x;
void* e;
type T;
identifier f;
@@
(
*((T *)e)
|
((T *)x)[...]
|
((T*)x)->f
|- (T*)
e
)Unnecessary parantheses are also remove.
Signed-off-by: simran singhal
Reviewed-by: Stephen Hemminger
Signed-off-by: Pablo Neira Ayuso -
Add and use nfnl_msg_type() function to replace opencoded nfnetlink
message type. I suggested this change, Arushi Singhal made an initial
patch to address this but was missing several spots.Signed-off-by: Pablo Neira Ayuso
20 Feb, 2017
2 commits
-
If we use before/after to add an element to an empty list it will cause
a kernel panic.$> cat crash.restore
create a hash:ip
create b hash:ip
create test list:set timeout 5 size 4
add test b before a$> ipset -R < crash.restore
Executing the above will crash the kernel.
Signed-off-by: Vishwanath Pai
Reviewed-by: Josh Hunt
Signed-off-by: Jozsef Kadlecsik -
Wrong index was used and therefore when shrinking a hash bucket at
deleting an entry, valid entries could be evicted as well.
Thanks to Eric Ewanco for the thorough bugreport.Fixes netfilter bugzilla #1119
Signed-off-by: Jozsef Kadlecsik
18 Nov, 2016
1 commit
-
Make struct pernet_operations::id unsigned.
There are 2 reasons to do so:
1)
This field is really an index into an zero based array and
thus is unsigned entity. Using negative value is out-of-bound
access by definition.2)
On x86_64 unsigned 32-bit data which are mixed with pointers
via array indexing or offsets added or subtracted to pointers
are preffered to signed 32-bit data."int" being used as an array index needs to be sign-extended
to 64-bit before being used.void f(long *p, int i)
{
g(p[i]);
}roughly translates to
movsx rsi, esi
mov rdi, [rsi+...]
call gMOVSX is 3 byte instruction which isn't necessary if the variable is
unsigned because x86_64 is zero extending by default.Now, there is net_generic() function which, you guessed it right, uses
"int" as an array index:static inline void *net_generic(const struct net *net, int id)
{
...
ptr = ng->ptr[id - 1];
...
}And this function is used a lot, so those sign extensions add up.
Patch snipes ~1730 bytes on allyesconfig kernel (without all junk
messing with code generation):add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
Unfortunately some functions actually grow bigger.
This is a semmingly random artefact of code generation with register
allocator being used differently. gcc decides that some variable
needs to live in new r8+ registers and every access now requires REX
prefix. Or it is shifted into r12, so [r12+0] addressing mode has to be
used which is longer than [r8]However, overall balance is in negative direction:
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
function old new delta
nfsd4_lock 3886 3959 +73
tipc_link_build_proto_msg 1096 1140 +44
mac80211_hwsim_new_radio 2776 2808 +32
tipc_mon_rcv 1032 1058 +26
svcauth_gss_legacy_init 1413 1429 +16
tipc_bcbase_select_primary 379 392 +13
nfsd4_exchange_id 1247 1260 +13
nfsd4_setclientid_confirm 782 793 +11
...
put_client_renew_locked 494 480 -14
ip_set_sockfn_get 730 716 -14
geneve_sock_add 829 813 -16
nfsd4_sequence_done 721 703 -18
nlmclnt_lookup_host 708 686 -22
nfsd4_lockt 1085 1063 -22
nfs_get_client 1077 1050 -27
tcf_bpf_init 1106 1076 -30
nfsd4_encode_fattr 5997 5930 -67
Total: Before=154856051, After=154854321, chg -0.00%Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
10 Nov, 2016
16 commits
-
net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in function 'hash_ipmac4_data_list' with return type bool
net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in function 'hash_ipmac6_data_list' with return type boolReturn statements in functions returning bool should use
true/false instead of 1/0.
Generated by: scripts/coccinelle/misc/boolreturn.cocciCC: Tomasz Chilinski
Signed-off-by: Fengguang Wu
Signed-off-by: Jozsef Kadlecsik -
Use setup_timer() and instead of init_timer(), being the preferred way
of setting up a timer.Also, quoting the mod_timer() function comment:
-> mod_timer() is a more efficient way to update the expire field of an
active timer (if the timer is inactive it will be activated).Use setup_timer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.Signed-off-by: Muhammad Falak R Wani
Signed-off-by: Jozsef Kadlecsik -
Introduce the hash:ipmac type.
Signed-off-by: Tomasz Chili??ski
Signed-off-by: Jozsef Kadlecsik -
The calculation of the full allocated memory did not take
into account the size of the base hash bucket structure at some
places.Signed-off-by: Jozsef Kadlecsik
-
The set full case (with net_ratelimit()-ed pr_warn()) is already
handled, simply jump there.Signed-off-by: Jozsef Kadlecsik
-
Before this patch struct htype created at the first source
of ip_set_hash_gen.h and it is common for both IPv4 and IPv6
set variants.Make struct htype per ipset family and use NLEN to make
nets array fixed size to simplify struct htype allocation.Ported from a patch proposed by Sergey Popovich .
Signed-off-by: Jozsef Kadlecsik
-
Exit as easly as possible on error and use RCU_INIT_POINTER()
as set is not seen at creation time.Signed-off-by: Jozsef Kadlecsik
-
Data for hashing required to be array of u32. Make sure that
element data always multiple of u32.Ported from a patch proposed by Sergey Popovich .
Signed-off-by: Jozsef Kadlecsik
-
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h
and the only place where NLEN needed to be calculated at runtime
is *_create() method.Ported from a patch proposed by Sergey Popovich .
Signed-off-by: Jozsef Kadlecsik
-
Remove one leve of intendation by using continue while
iterating over elements in bucket.Ported from a patch proposed by Sergey Popovich .
Signed-off-by: Jozsef Kadlecsik
-
Remove redundant parameters nets_length and dsize, because
they can be get from other parameters.Ported from a patch proposed by Sergey Popovich .
Signed-off-by: Jozsef Kadlecsik
-
Non-static (i.e. comment) extension was not counted into the memory
size. A new internal counter is introduced for this. In the case of
the hash types the sizes of the arrays are counted there as well so
that we can avoid to scan the whole set when just the header data
is requested.Signed-off-by: Jozsef Kadlecsik
-
It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.Signed-off-by: Jozsef Kadlecsik
-
It would be useful for userspace to query the size of an ipset hash,
however, this data is not exposed to userspace outside of counting the
number of member entries. This patch uses the attribute
IPSET_ATTR_ELEMENTS to indicate the size in the the header that is
exported to userspace. This field is then printed by the userspace
tool for hashes.Signed-off-by: Eric B Munson
Cc: Pablo Neira Ayuso
Cc: Josh Hunt
Cc: netfilter-devel@vger.kernel.org
Signed-off-by: Jozsef Kadlecsik -
Hash types already has it's memsize calculation code in separate
functions. Clean up and do the same for *bitmap* and *list* sets.Ported from a patch proposed by Sergey Popovich .
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik -
Use struct ip_set_skbinfo in struct ip_set_ext instead of open
coded fields and assign structure members in get/init helpers
instead of copying members one by one. Explicitly note that
struct ip_set_skbinfo must be padded to prevent non-aligned
access in the extension blob.Ported from a patch proposed by Sergey Popovich .
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
03 Nov, 2016
1 commit
-
Place pointer to hook state in xt_action_param structure instead of
copying the fields that we need. After this change xt_action_param fits
into one cacheline.This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.Signed-off-by: Pablo Neira Ayuso
28 Mar, 2016
1 commit
-
This fix adds a new reference counter (ref_netlink) for the struct ip_set.
The other reference counter (ref) can be swapped out by ip_set_swap and we
need a separate counter to keep track of references for netlink events
like dump. Using the same ref counter for dump causes a race condition
which can be demonstrated by the following script:ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \
counters
ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \
counters
ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \
countersipset save &
ipset swap hash_ip3 hash_ip2
ipset destroy hash_ip3 /* will crash the machine */Swap will exchange the values of ref so destroy will see ref = 0 instead of
ref = 1. With this fix in place swap will not succeed because ipset save
still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink).Both delete and swap will error out if ref_netlink != 0 on the set.
Note: The changes to *_head functions is because previously we would
increment ref whenever we called these functions, we don't do that
anymore.Reviewed-by: Joshua Hunt
Signed-off-by: Vishwanath Pai
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
09 Mar, 2016
1 commit
-
Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
was not checked explicitly, just for the maximum possible size. Malicious
netlink clients could send shorter attribute and thus resulting a kernel
read after the buffer.The patch adds the explicit length checkings.
Reported-by: Julia Lawall
Signed-off-by: Jozsef Kadlecsik
25 Feb, 2016
1 commit
-
Flushing/listing entries was not RCU safe, so parallel flush/dump
could lead to kernel crash. Bug reported by Deniz Eren.Fixes netfilter bugzilla id #1050.
Signed-off-by: Jozsef Kadlecsik
13 Jan, 2016
1 commit
-
Jozsef says:
The correct behaviour is that if we have
ipset create test1 hash:net,iface
ipset add test1 0.0.0.0/0,eth0
iptables -A INPUT -m set --match-set test1 src,srcthen the rule should match for any traffic coming in through eth0.
This removes the -EINVAL runtime test to make matching work
in case packet arrived via the specified interface.Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1297092
Signed-off-by: Florian Westphal
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
29 Dec, 2015
1 commit
-
Adapt callsites to avoid recurrent lookup of the netns pointer.
Signed-off-by: Pablo Neira Ayuso
07 Nov, 2015
3 commits
-
When all entries are expired/all slots are empty, release the bucket.
Signed-off-by: Jozsef Kadlecsik
-
Incorrect index was used when the data blob was shrinked at expiration,
which could lead to falsely expired entries and memory leak when
the comment extension was used too.Signed-off-by: Jozsef Kadlecsik
-
The data extensions in ipset lacked the proper memory alignment and
thus could lead to kernel crash on several architectures. Therefore
the structures have been reorganized and alignment attributes added
where needed. The patch was tested on armv7h by Gerhard Wiesinger and
on x86_64, sparc64 by Jozsef Kadlecsik.Reported-by: Gerhard Wiesinger
Tested-by: Gerhard Wiesinger
Tested-by: Jozsef Kadlecsik
Signed-off-by: Jozsef Kadlecsik
24 Oct, 2015
1 commit
-
Conflicts:
net/ipv6/xfrm6_output.c
net/openvswitch/flow_netlink.c
net/openvswitch/vport-gre.c
net/openvswitch/vport-vxlan.c
net/openvswitch/vport.c
net/openvswitch/vport.hThe openvswitch conflicts were overlapping changes. One was
the egress tunnel info fix in 'net' and the other was the
vport ->send() op simplification in 'net-next'.The xfrm6_output.c conflicts was also a simplification
overlapping a bug fix.Signed-off-by: David S. Miller
17 Oct, 2015
1 commit
-
Commit 00590fdd5be0 introduced RCU locking in list type and in
doing so introduced a memory allocation in list_set_add, which
is done in an atomic context, due to the fact that ipset rcu
list modifications are serialised with a spin lock. The reason
why we can't use a mutex is that in addition to modifying the
list with ipset commands, it's also being modified when a
particular ipset rule timeout expires aka garbage collection.
This gc is triggered from set_cleanup_entries, which in turn
is invoked from a timer thus requiring the lock to be bh-safe.Concretely the following call chain can lead to "sleeping function
called in atomic context" splat:
call_ad -> list_set_uadt -> list_set_uadd -> kzalloc(, GFP_KERNEL).
And since GFP_KERNEL allows initiating direct reclaim thus
potentially sleeping in the allocation path.To fix the issue change the allocation type to GFP_ATOMIC, to
correctly reflect that it is occuring in an atomic context.Fixes: 00590fdd5be0 ("netfilter: ipset: Introduce RCU locking in list type")
Signed-off-by: Nikolay Borisov
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
19 Sep, 2015
1 commit
-
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Pablo Neira Ayuso
29 Aug, 2015
2 commits
-
In continue to proposed Vinson Lee's post [1], this patch fixes compilation
issues founded at gcc 4.4.7. The initialization of .cidr field of unnamed
unions causes compilation error in gcc 4.4.x.References
Visible links
[1] https://lkml.org/lkml/2015/7/5/74Signed-off-by: Elad Raz
Signed-off-by: Pablo Neira Ayuso -
Dave Jones reported that KASan detected out of bounds access in hash:net*
types:[ 23.139532] ==================================================================
[ 23.146130] BUG: KASan: out of bounds access in hash_net4_add_cidr+0x1db/0x220 at addr ffff8800d4844b58
[ 23.152937] Write of size 4 by task ipset/457
[ 23.159742] =============================================================================
[ 23.166672] BUG kmalloc-512 (Not tainted): kasan: bad access detected
[ 23.173641] -----------------------------------------------------------------------------
[ 23.194668] INFO: Allocated in hash_net_create+0x16a/0x470 age=7 cpu=1 pid=456
[ 23.201836] __slab_alloc.constprop.66+0x554/0x620
[ 23.208994] __kmalloc+0x2f2/0x360
[ 23.216105] hash_net_create+0x16a/0x470
[ 23.223238] ip_set_create+0x3e6/0x740
[ 23.230343] nfnetlink_rcv_msg+0x599/0x640
[ 23.237454] netlink_rcv_skb+0x14f/0x190
[ 23.244533] nfnetlink_rcv+0x3f6/0x790
[ 23.251579] netlink_unicast+0x272/0x390
[ 23.258573] netlink_sendmsg+0x5a1/0xa50
[ 23.265485] SYSC_sendto+0x1da/0x2c0
[ 23.272364] SyS_sendto+0xe/0x10
[ 23.279168] entry_SYSCALL_64_fastpath+0x12/0x6fThe bug is fixed in the patch and the testsuite is extended in ipset
to check cidr handling more thoroughly.Signed-off-by: Jozsef Kadlecsik
