Eric Lee / smarc-fsl-linux-kernel

16 Jul, 2019

1 commit

  • 05ba4c895   netfilter: Update obsolete comments referring to ip_conntrack ... Browse Code »

    In 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") the new
    generic nf_conntrack was introduced, and it came to supersede the old
    ip_conntrack.

    This change updates (some) of the obsolete comments referring to old
    file/function names of the ip_conntrack mechanism, as well as removes a
    few self-referencing comments that we shouldn't maintain anymore.

    I did not update any comments referring to historical actions (e.g,
    comments like "this file was derived from ..." were left untouched, even
    if the referenced file is no longer here).

    Signed-off-by: Yonatan Goldschmidt
    Signed-off-by: Pablo Neira Ayuso

    Yonatan Goldschmidt
     

29 Jun, 2019

2 commits

  • 7c3d310d8   Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf ... Browse Code »

    Pablo Neira Ayuso says:

    ====================
    Netfilter/IPVS fixes for net

    The following patchset contains Netfilter fixes for net:

    1) Fix memleak reported by syzkaller when registering IPVS hooks,
    patch from Julian Anastasov.

    2) Fix memory leak in start_sync_thread, also from Julian.

    3) Fix conntrack deletion via ctnetlink, from Felix Kaechele.

    4) Fix reject for ICMP due to incorrect checksum handling, from
    He Zhe.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • 5d1549847   netfilter: Fix remainder of pseudo-header protocol 0 ... Browse Code »

    Since v5.1-rc1, some types of packets do not get unreachable reply with the
    following iptables setting. Fox example,

    $ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
    $ ping 127.0.0.1 -c 1
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    — 127.0.0.1 ping statistics —
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

    We should have got the following reply from command line, but we did not.
    From 127.0.0.1 icmp_seq=1 Destination Port Unreachable

    Yi Zhao reported it and narrowed it down to:
    7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it"),

    This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
    packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
    treated as TCP/UDP.

    This patch corrects the conditions in nf_ip_checksum and all other places that
    still call it with protocol 0.

    Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols that don't support it")
    Reported-by: Yi Zhao
    Signed-off-by: He Zhe
    Signed-off-by: Pablo Neira Ayuso

    He Zhe
     

19 Jun, 2019

1 commit

  • d2912cb15   treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 ... Browse Code »

    Based on 2 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license version 2 as
    published by the free software foundation

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license version 2 as
    published by the free software foundation #

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-only

    has been chosen to replace the boilerplate/reference in 4122 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Enrico Weigelt
    Reviewed-by: Kate Stewart
    Reviewed-by: Allison Randal
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

13 Apr, 2019

1 commit

  • 1025ce752   netfilter: conntrack: don't set related state for different outer address ... Browse Code »

    Luca Moro says:
    ------
    The issue lies in the filtering of ICMP and ICMPv6 errors that include an
    inner IP datagram.
    For these packets, icmp_error_message() extract the ICMP error and inner
    layer to search of a known state.
    If a state is found the packet is tagged as related (IP_CT_RELATED).

    The problem is that there is no correlation check between the inner and
    outer layer of the packet.
    So one can encapsulate an error with an inner layer matching a known state,
    while its outer layer is directed to a filtered host.
    In this case the whole packet will be tagged as related.
    This has various implications from a rule bypass (if a rule to related
    trafic is allow), to a known state oracle.

    Unfortunately, we could not find a real statement in a RFC on how this case
    should be filtered.
    The closest we found is RFC5927 (Section 4.3) but it is not very clear.

    A possible fix would be to check that the inner IP source is the same than
    the outer destination.

    We believed this kind of attack was not documented yet, so we started to
    write a blog post about it.
    You can find it attached to this mail (sorry for the extract quality).
    It contains more technical details, PoC and discussion about the identified
    behavior.
    We discovered later that
    https://www.gont.com.ar/papers/filtering-of-icmp-error-messages.pdf
    described a similar attack concept in 2004 but without the stateful
    filtering in mind.
    -----

    This implements above suggested fix:
    In icmp(v6) error handler, take outer destination address, then pass
    that into the common function that does the "related" association.

    After obtaining the nf_conn of the matching inner-headers connection,
    check that the destination address of the opposite direction tuple
    is the same as the outer address and only set RELATED if thats the case.

    Reported-by: Luca Moro
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

18 Jan, 2019

6 commits

03 Nov, 2018

1 commit

21 Sep, 2018

4 commits

  • dd2934a95   netfilter: conntrack: remove l3->l4 mapping information ... Browse Code »

    l4 protocols are demuxed by l3num, l4num pair.

    However, almost all l4 trackers are l3 agnostic.

    Only exceptions are:
    - gre, icmp (ipv4 only)
    - icmpv6 (ipv6 only)

    This commit gets rid of the l3 mapping, l4 trackers can now be looked up
    by their IPPROTO_XXX value alone, which gets rid of the additional l3
    indirection.

    For icmp, ipcmp6 and gre, add a check on state->pf and
    return -NF_ACCEPT in case we're asked to track e.g. icmpv6-in-ipv4,
    this seems more fitting than using the generic tracker.

    Additionally we can kill the 2nd l4proto definitions that were needed
    for v4/v6 split -- they are now the same so we can use single l4proto
    struct for each protocol, rather than two.

    The EXPORT_SYMBOLs can be removed as all these object files are
    part of nf_conntrack with no external references.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
  • ca2ca6e1c   netfilter: conntrack: remove unused proto arg from netns init functions ... Browse Code »

    Its unused, next patch will remove l4proto->l3proto number to simplify
    l4 protocol demuxer lookup.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
  • 6fe78fa48   netfilter: conntrack: remove error callback and handle icmp from core ... Browse Code »

    icmp(v6) are the only two layer four protocols that need the error()
    callback (to handle icmp errors that are related to an established
    connections, e.g. packet too big, port unreachable and the like).

    Remove the error callback and handle these two special cases from the core.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
  • 83d213fd9   netfilter: conntrack: deconstify packet callback skb pointer ... Browse Code »

    Only two protocols need the ->error() function: icmp and icmpv6.
    This is because icmp error mssages might be RELATED to an existing
    connection (e.g. PMTUD, port unreachable and the like), and their
    ->error() handlers do this.

    The error callback is already optional, so remove it for
    udp and call them from ->packet() instead.

    As the error() callback can call checksum functions that write to
    skb->csum*, the const qualifier has to be removed as well.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

20 Sep, 2018

2 commits

  • 9976fc6e6   netfilter: conntrack: remove the l4proto->new() function ... Browse Code »

    ->new() gets invoked after ->error() and before ->packet() if
    a conntrack lookup has found no result for the tuple.

    We can fold it into ->packet() -- the packet() implementations
    can check if the conntrack is confirmed (new) or not
    (already in hash).

    If its unconfirmed, the conntrack isn't in the hash yet so current
    skb created a new conntrack entry.

    Only relevant side effect -- if packet() doesn't return NF_ACCEPT
    but -NF_ACCEPT (or drop), while the conntrack was just created,
    then the newly allocated conntrack is freed right away, rather than not
    created in the first place.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
  • 93e66024b   netfilter: conntrack: pass nf_hook_state to packet and error handlers ... Browse Code »

    nf_hook_state contains all the hook meta-information: netns, protocol family,
    hook location, and so on.

    Instead of only passing selected information, pass a pointer to entire
    structure.

    This will allow to merge the error and the packet handlers and remove
    the ->new() function in followup patches.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

11 Sep, 2018

1 commit

  • a874752a1   netfilter: conntrack: timeout interface depend on CONFIG_NF_CONNTRACK_TIMEOUT ... Browse Code »

    Now that cttimeout support for nft_ct is in place, these should depend
    on CONFIG_NF_CONNTRACK_TIMEOUT otherwise we can crash when dumping the
    policy if this option is not enabled.

    [ 71.600121] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
    [...]
    [ 71.600141] CPU: 3 PID: 7612 Comm: nft Not tainted 4.18.0+ #246
    [...]
    [ 71.600188] Call Trace:
    [ 71.600201] ? nft_ct_timeout_obj_dump+0xc6/0xf0 [nft_ct]

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

17 Jul, 2018

1 commit

  • a0ae2562c   netfilter: conntrack: remove l3proto abstraction ... Browse Code »

    This unifies ipv4 and ipv6 protocol trackers and removes the l3proto
    abstraction.

    This gets rid of all l3proto indirect calls and the need to do
    a lookup on the function to call for l3 demux.

    It increases module size by only a small amount (12kbyte), so this reduces
    size because nf_conntrack.ko is useless without either nf_conntrack_ipv4
    or nf_conntrack_ipv6 module.

    before:
    text data bss dec hex filename
    7357 1088 0 8445 20fd nf_conntrack_ipv4.ko
    7405 1084 4 8493 212d nf_conntrack_ipv6.ko
    72614 13689 236 86539 1520b nf_conntrack.ko
    19K nf_conntrack_ipv4.ko
    19K nf_conntrack_ipv6.ko
    179K nf_conntrack.ko

    after:
    text data bss dec hex filename
    79277 13937 236 93450 16d0a nf_conntrack.ko
    191K nf_conntrack.ko

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal