23 Oct, 2019

1 commit

• d54725cd1   netfilter: nf_tables: support for multiple devices per netdev hook ... Browse Code »

  This patch allows you to register one netdev basechain to multiple
  devices. This adds a new NFTA_HOOK_DEVS netlink attribute to specify
  the list of netdevices. Basechains store a list of hooks.

  Signed-off-by: Pablo Neira Ayuso

  Pablo Neira Ayuso

  2019-10-23 19:01:34 +0800  

20 Jul, 2019

1 commit

• dfee0e99b   netfilter: bridge: make NF_TABLES_BRIDGE tristate ... Browse Code »

  The new nft_meta_bridge code fails to link as built-in when NF_TABLES
  is a loadable module.

  net/bridge/netfilter/nft_meta_bridge.o: In function `nft_meta_bridge_get_eval':
  nft_meta_bridge.c:(.text+0x1e8): undefined reference to `nft_meta_get_eval'
  net/bridge/netfilter/nft_meta_bridge.o: In function `nft_meta_bridge_get_init':
  nft_meta_bridge.c:(.text+0x468): undefined reference to `nft_meta_get_init'
  nft_meta_bridge.c:(.text+0x49c): undefined reference to `nft_parse_register'
  nft_meta_bridge.c:(.text+0x4cc): undefined reference to `nft_validate_register_store'
  net/bridge/netfilter/nft_meta_bridge.o: In function `nft_meta_bridge_module_exit':
  nft_meta_bridge.c:(.exit.text+0x14): undefined reference to `nft_unregister_expr'
  net/bridge/netfilter/nft_meta_bridge.o: In function `nft_meta_bridge_module_init':
  nft_meta_bridge.c:(.init.text+0x14): undefined reference to `nft_register_expr'
  net/bridge/netfilter/nft_meta_bridge.o:(.rodata+0x60): undefined reference to `nft_meta_get_dump'
  net/bridge/netfilter/nft_meta_bridge.o:(.rodata+0x88): undefined reference to `nft_meta_set_eval'

  This can happen because the NF_TABLES_BRIDGE dependency itself is just a
  'bool'. Make the symbol a 'tristate' instead so Kconfig can propagate the
  dependencies correctly.

  Fixes: 30e103fe24de ("netfilter: nft_meta: move bridge meta keys into nft_meta_bridge")
  Signed-off-by: Arnd Bergmann
  Signed-off-by: Pablo Neira Ayuso

  Arnd Bergmann

  2019-07-20 00:08:14 +0800  

17 Aug, 2018

2 commits

• 6a48de014   netfilter: nf_tables: don't prevent event handler from device cleanup on netns exit ... Browse Code »

  When a netnsamespace exits, the nf_tables pernet_ops will remove all rules.
  However, there is one caveat:

  Base chains that register ingress hooks will cause use-after-free:
  device is already gone at that point.

  The device event handlers prevent this from happening:
  netns exit synthesizes unregister events for all devices.

  However, an improper fix for a race condition made the notifiers a no-op
  in case they get called from netns exit path, so revert that part.

  This is safe now as the previous patch fixed nf_tables pernet ops
  and device notifier initialisation ordering.

  Fixes: 0a2cf5ee432c2 ("netfilter: nf_tables: close race between netns exit and rmmod")
  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2018-08-17 01:37:03 +0800  
• d209df3e7   netfilter: nf_tables: fix register ordering ... Browse Code »

  We must register nfnetlink ops last, as that exposes nf_tables to
  userspace. Without this, we could theoretically get nfnetlink request
  before net->nft state has been initialized.

  Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support")
  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2018-08-17 01:37:02 +0800  

18 Jul, 2018

1 commit

• f102d66b3   netfilter: nf_tables: use dedicated mutex to guard transactions ... Browse Code »

  Continue to use nftnl subsys mutex to protect (un)registration of hook types,
  expressions and so on, but force batch operations to do their own
  locking.

  This allows distinct net namespaces to perform transactions in parallel.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2018-07-18 17:26:48 +0800  

13 Jun, 2018

1 commit

• 0a2cf5ee4   netfilter: nf_tables: close race between netns exit and rmmod ... Browse Code »

  If net namespace is exiting while nf_tables module is being removed
  we can oops:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
  IP: nf_tables_flowtable_event+0x43/0xf0 [nf_tables]
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP PTI
  Modules linked in: nf_tables(-) nfnetlink [..]
  unregister_netdevice_notifier+0xdd/0x130
  nf_tables_module_exit+0x24/0x3a [nf_tables]
  SyS_delete_module+0x1c5/0x240
  do_syscall_64+0x74/0x190

  Avoid this by attempting to take reference on the net namespace from
  the notifiers. If it fails the namespace is exiting already, and nft
  core is taking care of cleanup work.

  We also need to make sure the netdev hook type gets removed
  before netns ops removal, else notifier might be invoked with device
  event for a netns where net->nft was never initialised (because
  pernet ops was removed beforehand).

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2018-06-13 01:28:18 +0800  

30 Mar, 2018

1 commit

• 02c7b25e5   netfilter: nf_tables: build-in filter chain type ... Browse Code »

  One module per supported filter chain family type takes too much memory
  for very little code - too much modularization - place all chain filter
  definitions in one single file.

  Signed-off-by: Pablo Neira Ayuso

  Pablo Neira Ayuso

  2018-03-30 17:29:19 +0800