Eric Lee / smarc-fsl-linux-kernel

03 Nov, 2016

1 commit

25 Aug, 2016

1 commit

  • 89e1f6d2b   netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT ... Browse Code »

    After I add the nft rule "nft add rule filter prerouting reject
    with tcp reset", kernel panic happened on my system:
    NULL pointer dereference at ...
    IP: [] nf_send_reset+0xaf/0x400
    Call Trace:
    [] ? nf_reject_ip_tcphdr_get+0x160/0x160
    [] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
    [] nft_do_chain+0x1fa/0x890 [nf_tables]
    [] ? __nft_trace_packet+0x170/0x170 [nf_tables]
    [] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
    [] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
    [...]

    Because in the PREROUTING chain, routing information is not exist,
    then we will dereference the NULL pointer and oops happen.

    So we restrict reject expression to INPUT, FORWARD and OUTPUT chain.
    This is consistent with iptables REJECT target.

    Signed-off-by: Liping Zhang
    Signed-off-by: Pablo Neira Ayuso

    Liping Zhang
     

30 Sep, 2015

1 commit

19 Sep, 2015

1 commit

  • 6aa187f21   netfilter: nf_tables: kill nft_pktinfo.ops ... Browse Code »

    - Add nft_pktinfo.pf to replace ops->pf
    - Add nft_pktinfo.hook to replace ops->hooknum

    This simplifies the code, makes it more readable, and likely reduces
    cache line misses. Maintainability is enhanced as the details of
    nft_hook_ops are of no concern to the recpients of nft_pktinfo.

    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: Pablo Neira Ayuso

    Eric W. Biederman
     

13 Apr, 2015

1 commit

  • a55e22e92   netfilter: nf_tables: get rid of NFT_REG_VERDICT usage ... Browse Code »

    Replace the array of registers passed to expressions by a struct nft_regs,
    containing the verdict as a seperate member, which aliases to the
    NFT_REG_VERDICT register.

    This is needed to seperate the verdict from the data registers completely,
    so their size can be changed.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     

09 Apr, 2015

1 commit

  • c1f866767   netfilter: Fix switch statement warnings with recent gcc. ... Browse Code »

    More recent GCC warns about two kinds of switch statement uses:

    1) Switching on an enumeration, but not having an explicit case
    statement for all members of the enumeration. To show the
    compiler this is intentional, we simply add a default case
    with nothing more than a break statement.

    2) Switching on a boolean value. I think this warning is dumb
    but nevertheless you get it wholesale with -Wswitch.

    This patch cures all such warnings in netfilter.

    Signed-off-by: David S. Miller
    Acked-by: Pablo Neira Ayuso

    David Miller
     

03 Mar, 2015

1 commit

  • ee586bbc2   netfilter: reject: don't send icmp error if csum is invalid ... Browse Code »

    tcp resets are never emitted if the packet that triggers the
    reject/reset has an invalid checksum.

    For icmp error responses there was no such check.
    It allows to distinguish icmp response generated via

    iptables -I INPUT -p udp --dport 42 -j REJECT

    and those emitted by network stack (won't respond if csum is invalid,
    REJECT does).

    Arguably its possible to avoid this by using conntrack and only
    using REJECT with -m conntrack NEW/RELATED.

    However, this doesn't work when connection tracking is not in use
    or when using nf_conntrack_checksum=0.

    Furthermore, sending errors in response to invalid csums doesn't make
    much sense so just add similar test as in nf_send_reset.

    Validate csum if needed and only send the response if it is ok.

    Reference: http://bugzilla.redhat.com/show_bug.cgi?id=1169829
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

13 Nov, 2014

1 commit

  • 567686443   netfilter: fix various sparse warnings ... Browse Code »

    net/bridge/br_netfilter.c:870:6: symbol 'br_netfilter_enable' was not declared. Should it be static?
    no; add include
    net/ipv4/netfilter/nft_reject_ipv4.c:22:6: symbol 'nft_reject_ipv4_eval' was not declared. Should it be static?
    yes
    net/ipv6/netfilter/nf_reject_ipv6.c:16:6: symbol 'nf_send_reset6' was not declared. Should it be static?
    no; add include
    net/ipv6/netfilter/nft_reject_ipv6.c:22:6: symbol 'nft_reject_ipv6_eval' was not declared. Should it be static?
    yes
    net/netfilter/core.c:33:32: symbol 'nf_ipv6_ops' was not declared. Should it be static?
    no; add include
    net/netfilter/xt_DSCP.c:40:57: cast truncates bits from constant value (ffffff03 becomes 3)
    net/netfilter/xt_DSCP.c:57:59: cast truncates bits from constant value (ffffff03 becomes 3)
    add __force, 3 is what we want.
    net/ipv4/netfilter/nf_log_arp.c:77:6: symbol 'nf_log_arp_packet' was not declared. Should it be static?
    yes
    net/ipv4/netfilter/nf_reject_ipv4.c:17:6: symbol 'nf_send_reset' was not declared. Should it be static?
    no; add include

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

03 Oct, 2014

1 commit

  • 51b0a5d8c   netfilter: nft_reject: introduce icmp code abstraction for inet and bridge ... Browse Code »

    This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides
    an abstraction to the ICMP and ICMPv6 codes that you can use from the
    inet and bridge tables, they are:

    * NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
    * NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
    * NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
    * NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratevely prohibited

    You can still use the specific codes when restricting the rule to match
    the corresponding layer 3 protocol.

    I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have
    different semantics depending on the table family and to allow the user
    to specify ICMP family specific codes if they restrict it to the
    corresponding family.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

06 Feb, 2014

2 commits

31 Dec, 2013

1 commit

  • bee11dc78   netfilter: nft_reject: support for IPv6 and TCP reset ... Browse Code »

    This patch moves nft_reject_ipv4 to nft_reject and adds support
    for IPv6 protocol. This patch uses functions included in nf_reject.h
    to implement reject by TCP reset.

    The code has to be build as a module if NF_TABLES_IPV6 is also a
    module to avoid compilation error due to usage of IPv6 functions.
    This has been done in Kconfig by using the construct:

    depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6

    This seems a bit weird in terms of syntax but works perfectly.

    Signed-off-by: Eric Leblond
    Signed-off-by: Pablo Neira Ayuso

    Eric Leblond
     

14 Oct, 2013

2 commits

  • ef1f7df91   netfilter: nf_tables: expression ops overloading ... Browse Code »

    Split the expression ops into two parts and support overloading of
    the runtime expression ops based on the requested function through
    a ->select_ops() callback.

    This can be used to provide optimized implementations, for instance
    for loading small aligned amounts of data from the packet or inlining
    frequently used operations into the main evaluation loop.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     
  • 96518518c   netfilter: add nftables ... Browse Code »

    This patch adds nftables which is the intended successor of iptables.
    This packet filtering framework reuses the existing netfilter hooks,
    the connection tracking system, the NAT subsystem, the transparent
    proxying engine, the logging infrastructure and the userspace packet
    queueing facilities.

    In a nutshell, nftables provides a pseudo-state machine with 4 general
    purpose registers of 128 bits and 1 specific purpose register to store
    verdicts. This pseudo-machine comes with an extensible instruction set,
    a.k.a. "expressions" in the nftables jargon. The expressions included
    in this patch provide the basic functionality, they are:

    * bitwise: to perform bitwise operations.
    * byteorder: to change from host/network endianess.
    * cmp: to compare data with the content of the registers.
    * counter: to enable counters on rules.
    * ct: to store conntrack keys into register.
    * exthdr: to match IPv6 extension headers.
    * immediate: to load data into registers.
    * limit: to limit matching based on packet rate.
    * log: to log packets.
    * meta: to match metainformation that usually comes with the skbuff.
    * nat: to perform Network Address Translation.
    * payload: to fetch data from the packet payload and store it into
    registers.
    * reject (IPv4 only): to explicitly close connection, eg. TCP RST.

    Using this instruction-set, the userspace utility 'nft' can transform
    the rules expressed in human-readable text representation (using a
    new syntax, inspired by tcpdump) to nftables bytecode.

    nftables also inherits the table, chain and rule objects from
    iptables, but in a more configurable way, and it also includes the
    original datatype-agnostic set infrastructure with mapping support.
    This set infrastructure is enhanced in the follow up patch (netfilter:
    nf_tables: add netlink set API).

    This patch includes the following components:

    * the netlink API: net/netfilter/nf_tables_api.c and
    include/uapi/netfilter/nf_tables.h
    * the packet filter core: net/netfilter/nf_tables_core.c
    * the expressions (described above): net/netfilter/nft_*.c
    * the filter tables: arp, IPv4, IPv6 and bridge:
    net/ipv4/netfilter/nf_tables_ipv4.c
    net/ipv6/netfilter/nf_tables_ipv6.c
    net/ipv4/netfilter/nf_tables_arp.c
    net/bridge/netfilter/nf_tables_bridge.c
    * the NAT table (IPv4 only):
    net/ipv4/netfilter/nf_table_nat_ipv4.c
    * the route table (similar to mangle):
    net/ipv4/netfilter/nf_table_route_ipv4.c
    net/ipv6/netfilter/nf_table_route_ipv6.c
    * internal definitions under:
    include/net/netfilter/nf_tables.h
    include/net/netfilter/nf_tables_core.h
    * It also includes an skeleton expression:
    net/netfilter/nft_expr_template.c
    and the preliminary implementation of the meta target
    net/netfilter/nft_meta_target.c

    It also includes a change in struct nf_hook_ops to add a new
    pointer to store private data to the hook, that is used to store
    the rule list per chain.

    This patch is based on the patch from Patrick McHardy, plus merged
    accumulated cleanups, fixes and small enhancements to the nftables
    code that has been done since 2009, which are:

    From Patrick McHardy:
    * nf_tables: adjust netlink handler function signatures
    * nf_tables: only retry table lookup after successful table module load
    * nf_tables: fix event notification echo and avoid unnecessary messages
    * nft_ct: add l3proto support
    * nf_tables: pass expression context to nft_validate_data_load()
    * nf_tables: remove redundant definition
    * nft_ct: fix maxattr initialization
    * nf_tables: fix invalid event type in nf_tables_getrule()
    * nf_tables: simplify nft_data_init() usage
    * nf_tables: build in more core modules
    * nf_tables: fix double lookup expression unregistation
    * nf_tables: move expression initialization to nf_tables_core.c
    * nf_tables: build in payload module
    * nf_tables: use NFPROTO constants
    * nf_tables: rename pid variables to portid
    * nf_tables: save 48 bits per rule
    * nf_tables: introduce chain rename
    * nf_tables: check for duplicate names on chain rename
    * nf_tables: remove ability to specify handles for new rules
    * nf_tables: return error for rule change request
    * nf_tables: return error for NLM_F_REPLACE without rule handle
    * nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
    * nf_tables: fix NLM_F_MULTI usage in netlink notifications
    * nf_tables: include NLM_F_APPEND in rule dumps

    From Pablo Neira Ayuso:
    * nf_tables: fix stack overflow in nf_tables_newrule
    * nf_tables: nft_ct: fix compilation warning
    * nf_tables: nft_ct: fix crash with invalid packets
    * nft_log: group and qthreshold are 2^16
    * nf_tables: nft_meta: fix socket uid,gid handling
    * nft_counter: allow to restore counters
    * nf_tables: fix module autoload
    * nf_tables: allow to remove all rules placed in one chain
    * nf_tables: use 64-bits rule handle instead of 16-bits
    * nf_tables: fix chain after rule deletion
    * nf_tables: improve deletion performance
    * nf_tables: add missing code in route chain type
    * nf_tables: rise maximum number of expressions from 12 to 128
    * nf_tables: don't delete table if in use
    * nf_tables: fix basechain release

    From Tomasz Bursztyka:
    * nf_tables: Add support for changing users chain's name
    * nf_tables: Change chain's name to be fixed sized
    * nf_tables: Add support for replacing a rule by another one
    * nf_tables: Update uapi nftables netlink header documentation

    From Florian Westphal:
    * nft_log: group is u16, snaplen u32

    From Phil Oester:
    * nf_tables: operational limit match

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy