20 Mar, 2018
4 commits
-
In preparation to enabling -Wvla, remove VLA and replace it
with dynamic memory allocation.>From a security viewpoint, the use of Variable Length Arrays can be
a vector for stack overflow attacks. Also, in general, as the code
evolves it is easy to lose track of how big a VLA can get. Thus, we
can end up having segfaults that are hard to debug.Also, fixed as part of the directive to remove all VLAs from
the kernel: https://lkml.org/lkml/2018/3/7/621While at it, remove likely() notation which is not necessary from the
control plane code.Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Pablo Neira Ayuso -
All existing keys, except the NFT_CT_SRC and NFT_CT_DST are assumed to
have strict datatypes. This is causing problems with sets and
concatenations given the specific length of these keys is not known.Signed-off-by: Pablo Neira Ayuso
Acked-by: Florian Westphal -
Currently, nf_conncount_count() counts the number of connections that
matches key and inserts a conntrack 'tuple' with the same key into the
accounting data structure. This patch supports another use case that only
counts the number of connections where 'tuple' is not provided. Therefore,
proper changes are made on nf_conncount_count() to support the case where
'tuple' is NULL. This could be useful for querying statistics or
debugging purpose.Signed-off-by: Yi-Hung Wei
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Remove parameter 'family' in nf_conncount_count() and count_tree().
It is because the parameter is not useful after commit 625c556118f3
("netfilter: connlimit: split xt_connlimit into front and backend").Signed-off-by: Yi-Hung Wei
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
14 Mar, 2018
2 commits
-
Assign true or false to boolean variables instead of an integer value.
This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso -
I placed the helpers within CONFIG_COMPAT section, move them
outside.Fixes: 472ebdcd15ebdb ("netfilter: x_tables: check error target size too")
Fixes: 07a9da51b4b6ae ("netfilter: x_tables: check standard verdicts in core")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
06 Mar, 2018
28 commits
-
Signed-off-by: Geert Uytterhoeven
Signed-off-by: Pablo Neira Ayuso -
As suggested by Eric, we need to make the xt_rateest
hash table and its lock per netns to reduce lock
contentions.Cc: Florian Westphal
Cc: Eric Dumazet
Cc: Pablo Neira Ayuso
Signed-off-by: Cong Wang
Reviewed-by: Eric Dumazet
Signed-off-by: Pablo Neira Ayuso -
Harmless from kernel point of view, but again iptables assumes that
this is true when decoding ruleset coming from kernel.If a (syzkaller generated) ruleset doesn't have the underflow/policy
stored as the last rule in the base chain, then iptables will abort()
because it doesn't find the chain policy.libiptc assumes that the policy is the last rule in the basechain, which
is only true for iptables-generated rulesets.Unfortunately this needs code duplication -- the functions need the
struct layout of the rule head, but that is different for
ip/ip6/arptables.NB: pr_warn could be pr_debug but in case this break rulesets somehow its
useful to know why blob was rejected.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
no need to bother even trying to allocating huge compat offset arrays,
such ruleset is rejected later on anyway becaus we refuse to allocate
overly large rule blobs.However, compat translation happens before blob allocation, so we should
add a check there too.This is supposed to help with fuzzing by avoiding oom-killer.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
should have no impact, function still always returns 0.
This patch is only to ease review.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
allows to have size checks in a single spot.
This is supposed to reduce oom situations when fuzz-testing xtables.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
This is a very conservative limit (134217728 rules), but good
enough to not trigger frequent oom from syzkaller.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Arbitrary limit, however, this still allows huge rulesets
(> 1 million rules). This helps with automated fuzzer as it prevents
oom-killer invocation.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Harmless from kernel point of view, but iptables assumes that this is
true when decoding a ruleset.iptables walks the dumped blob from kernel, and, for each entry that
creates a new chain it prints out rule/chain information.
Base chains (hook entry points) are thus only shown when they appear
in the rule blob. One base chain that is referenced multiple times
in hook blob is then only printed once.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Allow followup patch to change on location instead of three.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Check that userspace ERROR target (custom user-defined chains) match
expected format, and the chain name is null terminated.This is irrelevant for kernel, but iptables itself relies on sane input
when it dumps rules from kernel.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Userspace must provide a valid verdict to the standard target.
The verdict can be either a jump (signed int > 0), or a return code.
Allowed return codes are either RETURN (pop from stack), NF_ACCEPT, DROP
and QUEUE (latter is allowed for legacy reasons).Jump offsets (verdict > 0) are checked in more detail later on when
loop-detection is performed.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Now it's doing cleanup_entry for oldinfo under the xt_table lock,
but it's not really necessary. After the replacement job is done
in xt_replace_table, oldinfo is not used elsewhere any more, and
it can be freed without xt_table lock safely.The important thing is that rtnl_lock is called in some xt_target
destroy, which means rtnl_lock, a big lock is used in xt_table
lock, a smaller one. It usually could be the reason why a dead
lock may happen.Besides, all xt_target/match checkentry is called out of xt_table
lock. It's better also to move all cleanup_entry calling out of
xt_table lock, just as do_replace_finish does for ebtables.Signed-off-by: Xin Long
Signed-off-by: Pablo Neira Ayuso -
Return statements in functions returning bool should use
true/false instead of 1/0.This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Pablo Neira Ayuso -
parameter protoff in nf_conntrack_broadcast_help is not used anywhere.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso -
If use the ipv6_addr_is_multicast instead of xt_cluster_ipv6_is_multicast,
then we can reduce code size.Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso -
parameter skb in nfnl_acct_overquota is not used anywhere.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso -
Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle")
Signed-off-by: Fengguang Wu
Signed-off-by: Pablo Neira Ayuso -
Antoine Tenart says:
====================
net: mvpp2: jumbo frames supportThis series enable jumbo frames support in the Marvell PPv2 driver. The
first 2 patches rework the buffer management, then two patches prepare for
the final patch which adds the jumbo frames support into the driver.This is based on top of net-next, and was tested on a mcbin.
Thanks!
AntoineSince v1:
- Improved the Tx FIFO initialization comment.
- Improved the pool sanity check in mvpp2_bm_pool_use().
- Fixed pool related comments.
- Cosmetic fixes (used BIT() whenever possible).
====================Signed-off-by: David S. Miller
-
This patch adds the support for jumbo frames in the Marvell PPv2 driver.
A third buffer pool is added with 10KB buffers, which is used if the MTU
is higher than 1518B for packets larger than 1518B. Please note only the
port 0 supports hardware checksum offload due to the Tx FIFO size
limitation.Signed-off-by: Stefan Chulski
[Antoine: cosmetic cleanup, commit message]
Signed-off-by: Antoine Tenart
Signed-off-by: David S. Miller -
This patch adds the NETIF_F_IPV6_CSUM to the driver's features to enable
UDP/TCP checksum over IPv6. No extra configuration of the engine is
needed on top of the IPv4 counterpart, which already is in the features
list (NETIF_F_IP_CSUM).Signed-off-by: Antoine Tenart
Signed-off-by: David S. Miller -
This patch sets the Tx FIFO data size on port 0 to 10kB. This prepares
the PPv2 driver for the Jumbo frame support addition as the hardware
will need big enough Tx FIFO buffers when dealing with frames going
through an interface with an MTU of 9000.Signed-off-by: Yan Markman
[Antoine: commit message, small reworks.]
Signed-off-by: Antoine Tenart
Signed-off-by: David S. Miller -
The buffer free routine is updated to release only given a number of
buffers, and the destroy routine now checks the actual number of buffers
in the (BPPI and BPPE) HW counters before draining the pools. This
change helps getting jumbo frames support.Signed-off-by: Stefan Chulski
[Antoine: cosmetic cleanup, commit message]
Signed-off-by: Antoine Tenart
Signed-off-by: David S. Miller -
This patch configures the buffer manager long pool for all ports part of
the same CP. Long pool separation between ports is redundant since there
are no performance improvement when different pools are used.Signed-off-by: Stefan Chulski
[Antoine: cosmetic cleanup, commit message]
Signed-off-by: Antoine Tenart
Signed-off-by: David S. Miller -
This fixes the following kernel-doc warning:
./include/net/dst.h:366: warning: Function parameter or member 'net' not described in 'skb_tunnel_rx'
Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path")
Signed-off-by: Jonathan Neuschäfer
Signed-off-by: David S. Miller -
The other dst_cache_{get,set}_ip{4,6} functions, and the doc comment for
dst_cache_set_ip6 use 'saddr' for their source address parameter. Rename
the parameter to increase consistency.This fixes the following kernel-doc warnings:
./include/net/dst_cache.h:58: warning: Function parameter or member 'addr' not described in 'dst_cache_set_ip6'
./include/net/dst_cache.h:58: warning: Excess function parameter 'saddr' description in 'dst_cache_set_ip6'Fixes: 911362c70df5 ("net: add dst_cache support")
Signed-off-by: Jonathan Neuschäfer
Signed-off-by: David S. Miller -
Signed-off-by: Jonathan Neuschäfer
Signed-off-by: David S. Miller
05 Mar, 2018
6 commits
-
Kirill Tkhai says:
====================
Converting pernet_operations (part #4)this series continues to review and to convert pernet_operations
to make them possible to be executed in parallel for several
net namespaces in the same time. The patches touch mostly netfilter,
also there are small number of changes in other places.
====================Signed-off-by: David S. Miller
-
These pernet_operations register and unregister sysctl.
nf_conntrack_l4proto_gre4->init_net is simple memory
initializer. Also, exit method removes gre keymap_list,
which is per-net. This looks safe to be executed
in parallel with other pernet_operations.Signed-off-by: Kirill Tkhai
Signed-off-by: David S. Miller -
These pernet_operations register and unregister
two conntrack notifiers, and they seem to be safe
to be executed in parallel.General/not related to async pernet_operations JFI:
ctnetlink_net_exit_batch() actions are grouped in batch,
and this could look like there is synchronize_rcu()
is forgotten. But there is synchronize_rcu() on module
exit patch (in ctnetlink_exit()), so this batch may
be reworked as simple .exit method.Signed-off-by: Kirill Tkhai
Signed-off-by: David S. Miller -
These pernet_operations register and unregister sysctl and /proc
entries. Exit batch method also waits till all per-net conntracks
are dead. Thus, they are safe to be marked as async.Signed-off-by: Kirill Tkhai
Signed-off-by: David S. Miller -
These pernet_operations initialize and destroy
net_generic(net, ip_set_net_id)-related data.
Since ip_set is under CONFIG_IP_SET, it's easy
to watch drivers, which depend on this config.
All of them are in net/netfilter/ipset directory,
except of net/netfilter/xt_set.c. There are no
more drivers, which use ip_set, and all of
the above don't register another pernet_operations.
Also, there are is no indirect users, as header
file include/linux/netfilter/ipset/ip_set.h does
not define indirect users by something like this:#ifdef CONFIG_IP_SET
extern func(void);
#else
static inline func(void);
#endifSo, there are no more pernet operations, dereferencing
net_generic(net, ip_set_net_id).ip_set_net_ops are OK to be executed in parallel
for several net, so we mark them as async.Signed-off-by: Kirill Tkhai
Signed-off-by: David S. Miller -
These pernet_operations initialize and destroy
pernet net_generic(net, fou_net_id) list.
The rest of net_generic(net, fou_net_id) accesses
may happen after netlink message, and in-tree
pernet_operations do not send FOU_GENL_NAME messages.
So, these pernet_operations are safe to be marked
as async.Signed-off-by: Kirill Tkhai
Signed-off-by: David S. Miller
