25 Sep, 2016
1 commit
-
All of the callers of nf_hook_slow already hold the rcu_read_lock, so this
cleanup removes the recursive call. This is just a cleanup, as the locking
code gracefully handles this situation.

Signed-off-by: Aaron Conole
Signed-off-by: Pablo Neira Ayuso
17 Aug, 2016
1 commit
-
Otherwise, if nfnetlink_log.ko is not loaded, we cannot add rules
to log packets to the userspace when we specify it with arp family,
such as:

# nft add rule arp filter input log group 0
:1:1-37: Error: Could not process rule: No such file or
directory
add rule arp filter input log group 0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
24 Jun, 2016
1 commit
-
li->u.ulog.copy_len is currently ignored by the kernel, we should truncate
the packet to either li->u.ulog.copy_len (if set) or copy_range before
sending it to userspace. 0 is a valid input for copy_len, so add a new
flag to indicate whether this option was specified by the user or not.

Add two flags to indicate whether nflog-size/copy_len was set or not.
XT_NFLOG_F_COPY_LEN is for XT_NFLOG and NFLOG_F_COPY_LEN for nfnetlink_log

On the userspace side, this was initially represented by the option
nflog-range, this will be replaced by --nflog-size now. --nflog-range would
still exist but does not do anything.

Reported-by: Joe Dollard
Reviewed-by: Josh Hunt
Signed-off-by: Vishwanath Pai
Signed-off-by: Pablo Neira Ayuso
19 Feb, 2016
1 commit
-
Following mmapped netlink removal this code can be simplified by
removing the alloc wrapper.

Signed-off-by: Florian Westphal
Signed-off-by: David S. Miller
08 Jan, 2016
1 commit
-
This patch stops processing options for unknown command.
Signed-off-by: Ken-ichirou MATSUZAWA
Signed-off-by: Pablo Neira Ayuso
29 Dec, 2015
1 commit
-
Adapt callsites to avoid recurrent lookup of the netns pointer.
Signed-off-by: Pablo Neira Ayuso
09 Dec, 2015
1 commit
-
Change return type of nfulnl_set_timeout() and nfulnl_set_qthresh() to
be void.

This patch changes the return type of the static methods
nfulnl_set_timeout() and nfulnl_set_qthresh() to be void, as there is no
justification and no need for these methods to return int.

Signed-off-by: Rami Rosen
Signed-off-by: Pablo Neira Ayuso
25 Nov, 2015
1 commit
-
Various files are owned by root with 0440 permission. Reading them is
impossible in an unprivileged user namespace, interfering with firewall
tools. For instance, iptables-save relies on /proc/net/ip_tables_names
contents to dump only loaded tables.

This patch assigned ownership of the following files to root in the
current namespace:

- /proc/net/*_tables_names
- /proc/net/*_tables_matches
- /proc/net/*_tables_targets
- /proc/net/nf_conntrack
- /proc/net/nf_conntrack_expect
- /proc/net/netfilter/nfnetlink_log

A mapping for root must be available, so this order should be followed:

unshare(CLONE_NEWUSER);
/* Setup the mapping */
unshare(CLONE_NEWNET);

Signed-off-by: Philip Whineray
Signed-off-by: Pablo Neira Ayuso
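The ordering the commit above requires, as an added C example (not part of the commit or the kernel tree): enter a user namespace, map root onto the caller's uid/gid, and only then create the net namespace, so that the re-owned /proc/net files are readable. It assumes Linux with unprivileged user namespaces enabled; the nfnetlink_log path is the one listed in the commit.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int unshare(int flags);          /* prototype, in case _GNU_SOURCE was not in effect */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* kernel values, for the same reason */
#define CLONE_NEWNET  0x40000000
#endif
/* Format one "inside outside count" line for uid_map/gid_map; -1 if it did not fit. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
static int write_proc(const char *path, const char *s) /* 0 on success, else -errno */
{
    int fd = open(path, O_WRONLY), rc;
    if (fd < 0)
        return -errno;
    rc = (write(fd, s, strlen(s)) == (ssize_t)strlen(s)) ? 0 : -errno;
    close(fd);
    return rc;
}

/* The order the commit requires: unshare(CLONE_NEWUSER), set up the mapping, then
 * unshare(CLONE_NEWNET). Root in the new user namespace maps to the caller's uid/gid. */
int enter_user_then_net_ns(void)
{
    char map[64];
    unsigned uid = getuid(), gid = getgid();
    int rc;
    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;
    /* setgroups must be denied before an unprivileged gid_map write. */
    if ((rc = write_proc("/proc/self/setgroups", "deny")) < 0)
        return rc;
    format_id_map(map, sizeof map, 0, uid, 1);
    if ((rc = write_proc("/proc/self/uid_map", map)) < 0)
        return rc;
    format_id_map(map, sizeof map, 0, gid, 1);
    if ((rc = write_proc("/proc/self/gid_map", map)) < 0)
        return rc;
    /* Only now create the net namespace, so its /proc/net files belong to mapped root. */
    return unshare(CLONE_NEWNET) < 0 ? -errno : 0;
}

int main(void)
{
    const char *p = "/proc/net/netfilter/nfnetlink_log"; /* one of the re-owned files */
    int rc = enter_user_then_net_ns();
    if (rc < 0) {
        fprintf(stderr, "namespace setup failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("%s: %s\n", p, access(p, R_OK) == 0 ? "readable" : strerror(errno));
    return 0;
}
```

If the namespaces are created in the opposite order, the net namespace's /proc/net files stay owned by an unmapped root and the access check reports permission denied.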
11 Nov, 2015
1 commit
-
After a recent (correct) change, gcc started warning about the use
of the 'flags' variable in nfulnl_recv_config()

net/netfilter/nfnetlink_log.c: In function 'nfulnl_recv_config':
net/netfilter/nfnetlink_log.c:320:14: warning: 'flags' may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/nfnetlink_log.c:828:6: note: 'flags' was declared here

The warning first shows up in ARM s3c2410_defconfig with gcc-4.3 or
higher (including 5.2.1, which is the latest version I checked). I
tried working around it by rearranging the code but had no success
with that.

As a last resort, this initializes the variable to zero, which shuts
up the warning, but means that we don't get a warning if the code
is ever changed in a way that actually causes the variable to be
used without first being written.

Signed-off-by: Arnd Bergmann
Fixes: 8cbc870829ec ("netfilter: nfnetlink_log: validate dependencies to avoid breaking atomicity")
Signed-off-by: Pablo Neira Ayuso
17 Oct, 2015
1 commit
-
This merge resolves conflicts with 75aec9df3a78 ("bridge: Remove
br_nf_push_frag_xmit_sk") as part of Eric Biederman's effort to improve
netns support in the network stack that reached upstream via David's
net-next tree.

Signed-off-by: Pablo Neira Ayuso
Conflicts:
net/bridge/br_netfilter_hooks.c
15 Oct, 2015
2 commits
-
Check that dependencies are fulfilled before updating the logger
instance, otherwise we can leave things in intermediate state on errors
in nfulnl_recv_config().

[ Ken-ichirou reports that this is also fixing missing instance refcnt drop
on error introduced in his patch 914eebf2f434 ("netfilter: nfnetlink_log:
autoload nf_conntrack_netlink module NFQA_CFG_F_CONNTRACK config flag"). ]

Signed-off-by: Pablo Neira Ayuso
Tested-by: Ken-ichirou MATSUZAWA
-
This patch consolidates the check for valid logger instance once we have
passed the command handling:

The config message that we receive may contain the following info:

1) Command only: We always get a valid instance pointer if we just
created it. In case that the instance is being destroyed or the
command is unknown, we jump to exit path of nfulnl_recv_config().
This patch doesn't modify this handling.

2) Config only: In this case, the instance must always exist since the
user is asking for configuration updates. If the instance doesn't exist
this returns -ENODEV.

3) No command and no configs are specified: This case is rare. The
user is sending us a config message with neither commands nor
config options. In this case, we have to check if the instance exists
and bail out otherwise. Before this patch, it was possible to send a
config message with no command and no config updates for a
nonexistent instance without triggering an error. So this is the only
case that changes.

Signed-off-by: Pablo Neira Ayuso
Tested-by: Ken-ichirou MATSUZAWA
13 Oct, 2015
1 commit
-
This patch enables to load nf_conntrack_netlink module if
NFULNL_CFG_F_CONNTRACK config flag is specified.

Signed-off-by: Ken-ichirou MATSUZAWA
Signed-off-by: Pablo Neira Ayuso
05 Oct, 2015
2 commits
-
This patch enables to include the conntrack information together
with the packet that is sent to user-space via NFLOG, then a
user-space program can acquire NATed information by this NFULA_CT
attribute.

Including the conntrack information is optional, you can set it
via NFULNL_CFG_F_CONNTRACK flag with the NFULA_CFG_FLAGS attribute
like NFQUEUE.

Signed-off-by: Ken-ichirou MATSUZAWA
Signed-off-by: Pablo Neira Ayuso
-
The __build_packet_message function fills a nfulnl_msg_packet_timestamp
structure that uses 64-bit seconds and is therefore y2038 safe, but
it uses an intermediate 'struct timespec' which is not.

This trivially changes the code to use 'struct timespec64' instead,
to correct the result on 32-bit architectures.

Signed-off-by: Arnd Bergmann
Cc: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org
Acked-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
19 Jun, 2015
1 commit
-
This appears to have been a dead macro in both nfnetlink_log.c and
nfnetlink_queue_core.c since these pieces of code were added in 2005.

Signed-off-by: "Eric W. Biederman"
Signed-off-by: Pablo Neira Ayuso
20 May, 2015
1 commit
-
nfnetlink_{log,queue}_init() register the netlink callback nf*_rcv_nl_event
before registering the pernet_subsys, but the callback relies on data
structures allocated by pernet init functions.

When nfnetlink_{log,queue} is loaded, if a netlink message is received after
the netlink callback is registered but before the pernet_subsys is registered,
the kernel will panic in the sequence

nfulnl_rcv_nl_event
nfnl_log_pernet
net_generic
BUG_ON(id == 0) where id is nfnl_log_net_id.

The panic can be easily reproduced in 4.0.3 by:

while true ;do modprobe nfnetlink_log ; rmmod nfnetlink_log ; done &
while true ;do ip netns add dummy ; ip netns del dummy ; done &

This patch moves register_pernet_subsys to earlier in nfnetlink_log_init.
Notice that the BUG_ON hit in 4.0.3 was recently removed in 2591ffd308
["netns: remove BUG_ONs from net_generic()"].

Signed-off-by: Francesco Ruggeri
Signed-off-by: Pablo Neira Ayuso
14 Apr, 2015
2 commits
-
The printed values are all of type unsigned integer, therefore use
%u instead of %d. Otherwise a user can face negative values.

Signed-off-by: Richard Weinberger
Acked-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
-
The netlink portid is an unsigned integer, use this type
also in netfilter.

Signed-off-by: Richard Weinberger
Acked-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
08 Apr, 2015
1 commit
-
Right now we store this in the nf_bridge_info struct, accessible
via skb->nf_bridge. This patch prepares removal of this pointer from skb:

Instead of using skb->nf_bridge->x, we use helpers to obtain the in/out
device (or ifindexes).

Followup patches to netfilter will then allow nf_bridge_info to be
obtained by a call into the br_netfilter core, rather than keeping a
pointer to it in sk_buff.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
24 Mar, 2015
1 commit
-
Pablo Neira Ayuso says:
====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next.
Basically, more incremental updates for br_netfilter from Florian
Westphal, small nf_tables updates (including one fix for rb-tree
locking) and small two-liner to add extra validation for the REJECT6
target. More specifically, they are:

1) Use the conntrack status flags from br_netfilter to know that DNAT is
happening. Patch for Florian Westphal.

2) nf_bridge->physoutdev == NULL already indicates that the traffic is
bridged, so let's get rid of the BRNF_BRIDGED flag. Also from Florian.

3) Another patch to prepare voidization of seq_printf/seq_puts/seq_putc,
from Joe Perches.

4) Consolidation of nf_tables_newtable() error path.

5) Kill nf_bridge_pad used by br_netfilter from ip_fragment(),
from Florian Westphal.

6) Access rb-tree root node inside the lock and remove unnecessary
locking from the get path (we already hold nfnl_lock there), from
Patrick McHardy.

7) You cannot use a NFT_SET_ELEM_INTERVAL_END when the set doesn't
support interval, also from Patrick.

8) Enforce IP6T_F_PROTO from ip6t_REJECT to make sure the core is
actually restricting matches to TCP.
====================

Signed-off-by: David S. Miller
18 Mar, 2015
2 commits
-
The seq_printf/seq_puts/seq_putc return values, because they
are frequently misused, will eventually be converted to void.

See: commit 1f33c41c03da ("seq_file: Rename seq_overflow() to
seq_has_overflowed() and make public")

Miscellanea:
o realign arguments
Signed-off-by: Joe Perches
Signed-off-by: Pablo Neira Ayuso
-
Upcoming request sockets have TCP_NEW_SYN_RECV state and should
be special cased a bit like TCP_TIME_WAIT sockets.

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
25 Nov, 2014
1 commit
-
Pablo Neira Ayuso says:
====================
netfilter/ipvs updates for net-next

The following patchset contains Netfilter updates for your net-next
tree, this includes the NAT redirection support for nf_tables, the
cgroup support for nft meta and conntrack zone support for the connlimit
match. Coming after those, a bunch of sparse warning fixes, missing
netns bits and cleanups. More specifically, they are:

1) Prepare IPv4 and IPv6 NAT redirect code to use it from nf_tables,
patches from Arturo Borrero.

2) Introduce the nf_tables redir expression, from Arturo Borrero.

3) Remove an unnecessary assignment in ip_vs_xmit/__ip_vs_get_out_rt().
Patch from Alex Gartrell.

4) Add nft_log_dereference() macro to the nf_log infrastructure, patch
from Marcelo Leitner.

5) Add some extra validation when registering logger families, also
from Marcelo.

6) Some spelling cleanups from stephen hemminger.

7) Fix sparse warning in nf_logger_find_get().

8) Add cgroup support to nf_tables meta, patch from Ana Rey.

9) A Kconfig fix for the new redir expression and fix sparse warnings in
the new redir expression.

10) Fix several sparse warnings in the netfilter tree, from
Florian Westphal.

11) Reduce verbosity when OOM in nfnetlink_log. User can basically do
nothing when this situation occurs.

12) Add conntrack zone support to xt_connlimit, again from Florian.

13) Add netnamespace support to the h323 conntrack helper, contributed
by Vasily Averin.

14) Remove unnecessary nul-pointer checks before free_percpu() and
module_put(), from Markus Elfring.

15) Use pr_fmt in nfnetlink_log, again patch from Marcelo Leitner.
====================

Signed-off-by: David S. Miller
20 Nov, 2014
1 commit
-
Signed-off-by: Marcelo Ricardo Leitner
Signed-off-by: Pablo Neira Ayuso
13 Nov, 2014
1 commit
-
In case of OOM, there's nothing userspace can do.
If there's no room to put the payload in __build_packet_message(),
jump to nla_put_failure which already performs the corresponding
error reporting.

Signed-off-by: Pablo Neira Ayuso
24 Oct, 2014
3 commits
-
The kernel should reserve enough room in the skb so that the DONE
message can always be appended. However, in case of e.g. new attribute
erroneously not being size-accounted for, __nfulnl_send() will still
try to put next nlmsg into this full skbuf, causing the skb to be stuck
forever and blocking delivery of further messages.

Fix issue by releasing skb immediately after nlmsg_put error and
WARN() so we can track down the cause of such size mismatch.

[ fw@strlen.de: add tailroom/len info to WARN ]
Signed-off-by: Houcheng Lin
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
Don't try to queue payloads > 0xffff - NLA_HDRLEN, it does not work.
The nla length includes the size of the nla struct, so anything larger
results in u16 integer overflow.

This patch is similar to
9cefbbc9c8f9abe (netfilter: nfnetlink_queue: cleanup copy_range usage).

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
We currently neither account for the nlattr size, nor do we consider
the size of the trailing NLMSG_DONE when allocating nlmsg skb.

This can result in nflog to stop working, as __nfulnl_send() re-tries
sending forever if it failed to append NLMSG_DONE (which will never
work if buffer is not large enough).

Reported-by: Houcheng Lin
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
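The two sizing rules from the three commits above (a payload larger than 0xffff - NLA_HDRLEN wraps the u16 nla_len, and the payload's nlattr header plus the trailing NLMSG_DONE must be counted before the batch skb is sized), as an added C model written for this page, not kernel code. The macro values mirror the uapi netlink headers (4-byte alignment, 16-byte nlmsghdr, 4-byte nlattr header, 4-byte nfgenmsg); the DONE message is assumed to carry an nfgenmsg body as nfnetlink's does, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Values mirror the uapi netlink headers: 4-byte alignment, a 16-byte nlmsghdr,
 * a 4-byte nlattr header, and nfnetlink's 4-byte nfgenmsg. */
#define NL_ALIGNTO     4u
#define NL_ALIGN(len)  (((len) + NL_ALIGNTO - 1) & ~(NL_ALIGNTO - 1))
#define NLMSG_HDR_SZ   NL_ALIGN(16u)
#define NLA_HDR_SZ     NL_ALIGN(4u)
#define NFGENMSG_SZ    4u

/* nla_len is a u16 holding header + payload; this reproduces the truncation
 * that the "> 0xffff - NLA_HDRLEN" commit guards against. */
uint16_t nla_len_on_wire(size_t payload)
{
    return (uint16_t)(NLA_HDR_SZ + payload);
}

/* Largest payload that still fits in one attribute. */
size_t nflog_max_copy_len(void)
{
    return 0xffffu - NLA_HDR_SZ;
}

/* Clamp a requested copy range before it reaches the size computation. */
size_t nflog_clamp_copy_len(size_t copy_range)
{
    size_t max = nflog_max_copy_len();
    return copy_range > max ? max : copy_range;
}

/* Bytes one logged packet needs in the batch skb: nlmsghdr + nfgenmsg + the
 * caller's fixed attributes (already aligned) + the aligned payload attribute,
 * plus the trailing NLMSG_DONE (modelled as nlmsghdr + nfgenmsg). Leaving the
 * payload's nlattr header or the DONE message out of this sum is what made
 * __nfulnl_send() retry forever in the commits above. */
size_t nflog_msg_size(size_t fixed_attrs, size_t copy_len)
{
    size_t hdr = NLMSG_HDR_SZ + NL_ALIGN(NFGENMSG_SZ);
    size_t payload = NL_ALIGN(NLA_HDR_SZ + nflog_clamp_copy_len(copy_len));
    size_t done = NLMSG_HDR_SZ + NL_ALIGN(NFGENMSG_SZ);
    return NL_ALIGN(hdr + fixed_attrs + payload) + done;
}

/* Whether a packet message still fits in a batch skb with the given tailroom;
 * when it does not, the batch must be flushed first rather than retried. */
int nflog_fits(size_t tailroom, size_t fixed_attrs, size_t copy_len)
{
    return nflog_msg_size(fixed_attrs, copy_len) <= tailroom;
}
```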
03 Oct, 2014
1 commit
-
In 34666d4 ("netfilter: bridge: move br_netfilter out of the core"),
the bridge netfilter code has been modularized.

Use IS_ENABLED instead of ifdef to cover the module case.
Fixes: 34666d4 ("netfilter: bridge: move br_netfilter out of the core")
Signed-off-by: Pablo Neira Ayuso
27 Jun, 2014
1 commit
-
Before this patch, the nf_loginfo parameter specified the logging
configuration in case the specified default logger was loaded. This
patch updates the semantics of the nf_loginfo parameter in
nf_log_packet() which now indicates the logger that you explicitly
want to use.

Thus, nf_log_packet() is exposed as a unified interface which
internally routes the log message to the corresponding logger type
by family.

The module dependencies are expressed by the new nf_logger_find_get()
and nf_logger_put() functions which bump the logger module refcount.
Thus, you can not remove logger modules that are used by rules anymore.

Another important effect of this change is that the family specific
module is only loaded when required. Therefore, xt_LOG and nft_log
will just trigger the autoload of the nf_log_{ip,ip6} modules
according to the family.

Signed-off-by: Pablo Neira Ayuso
26 Jun, 2014
1 commit
-
Now that legacy ulog targets are not available anymore in the tree, we
can have up to two possible loggers:

1) The plain text logging via kernel logging ring.
2) The nfnetlink_log infrastructure which delivers log messages
to userspace.

This patch replaces the list of loggers by an array of two pointers
per family for each possible logger and it also introduces a new field
to the nf_logger structure which indicates the position in the logger
array (based on the logger type).

This prepares a follow up patch that consolidates the nf_log_packet()
interface by allowing to specify the logger as parameter.

Signed-off-by: Pablo Neira Ayuso
25 Feb, 2014
1 commit
-
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
18 Dec, 2013
1 commit
-
Steven Rostedt and Arnaldo Carvalho de Melo reported a panic
when accessing the files /proc/sys/net/netfilter/nf_log/*.

This problem will occur when we do:

echo nfnetlink_log > /proc/sys/net/netfilter/nf_log/any_file
rmmod nfnetlink_log

and then access the files.
Since the nf_loggers of netns hasn't been unset, it will point
to the memory that has been freed.

This bug is introduced by commit 9368a53c ("netfilter: nfnetlink_log:
add net namespace support for nfnetlink_log").

[17261.822047] BUG: unable to handle kernel paging request at ffffffffa0d49090
[17261.822056] IP: [] nf_log_proc_dostring+0xf0/0x1d0
[...]
[17261.822226] Call Trace:
[17261.822235] [] ? security_capable+0x18/0x20
[17261.822240] [] ? ns_capable+0x29/0x50
[17261.822247] [] ? net_ctl_permissions+0x1f/0x90
[17261.822254] [] proc_sys_call_handler+0xb3/0xc0
[17261.822258] [] proc_sys_read+0x11/0x20
[17261.822265] [] vfs_read+0x9e/0x170
[17261.822270] [] SyS_read+0x49/0xa0
[17261.822276] [] ? __audit_syscall_exit+0x1f6/0x2a0
[17261.822283] [] system_call_fastpath+0x16/0x1b
[17261.822285] Code: cc 81 4d 63 e4 4c 89 45 88 48 89 4d 90 e8 19 03 0d 00 4b 8b 84 e5 28 08 00 00 48 8b 4d 90 4c 8b 45 88 48 85 c0 0f 84 a8 00 00 00 8b 40 10 48 89 43 08 48 89 df 4c 89 f2 31 f6 e8 4b 35 af ff
[17261.822329] RIP [] nf_log_proc_dostring+0xf0/0x1d0
[17261.822334] RSP
[17261.822336] CR2: ffffffffa0d49090
[17261.822340] ---[ end trace a14ce54c0897a90d ]---

Reported-by: Arnaldo Carvalho de Melo
Reported-by: Steven Rostedt
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
01 Oct, 2013
1 commit
-
Use proper net struct to allocate skb, otherwise
netlink mmap will be of no effect.

Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
05 Aug, 2013
1 commit
-
These structs have a "_pad" member. Also the "phw" structs have an 8
byte "hw_addr[]" array but sometimes only the first 6 bytes are
initialized.

Signed-off-by: Dan Carpenter
Signed-off-by: Pablo Neira Ayuso
15 May, 2013
1 commit
-
Since (69b34fb netfilter: xt_LOG: add net namespace support
for xt_LOG), we hit this:

[ 4224.708977] BUG: unable to handle kernel NULL pointer dereference at 0000000000000388
[ 4224.709074] IP: [] ipt_log_packet+0x29/0x270

when calling log functions from conntrack both in and out
are NULL i.e. the net pointer is invalid.

Adding struct net *net in call to nf_logfn() will secure that
there always is a valid net ptr.

Reported as netfilter's bugzilla bug 818:
https://bugzilla.netfilter.org/show_bug.cgi?id=818

Reported-by: Ronald
Signed-off-by: Hans Schillstrom
Signed-off-by: Pablo Neira Ayuso
06 May, 2013
1 commit
-
This patch fixes the following compilation error:
net/netfilter/nf_log.c:373:38: error: 'struct netns_nf' has no member named 'proc_netfilter'
if procfs is not set.
The netns support for nf_log, nfnetlink_log and nfnetlink_queue_core
requires CONFIG_PROC_FS in the removal path of their respective
/proc interface since net->nf.proc_netfilter is undefined in that
case.

Reported-by: Fengguang Wu
Signed-off-by: Pablo Neira Ayuso
Acked-by: Gao feng
20 Apr, 2013
2 commits
-
Pablo Neira Ayuso says:
====================
The following patchset contains a small batch of Netfilter
updates for your net-next tree, they are:

* Three patches that provide more accurate error reporting to
user-space, instead of -EPERM, in IPv4/IPv6 netfilter re-routing
code and NAT, from Patrick McHardy.

* Update copyright statements in Netfilter filters of
Patrick McHardy, from himself.

* Add Kconfig dependency on the raw/mangle tables to the
rpfilter, from Florian Westphal.
====================

Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller