25 Sep, 2016

1 commit


17 Aug, 2016

1 commit

  • Otherwise, if nfnetlink_log.ko is not loaded, we cannot add rules
    to log packets to the userspace when we specify it with arp family,
    such as:

    # nft add rule arp filter input log group 0
    :1:1-37: Error: Could not process rule: No such file or
    directory
    add rule arp filter input log group 0
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    Signed-off-by: Liping Zhang
    Signed-off-by: Pablo Neira Ayuso

    Liping Zhang
     

24 Jun, 2016

1 commit

  • li->u.ulog.copy_len is currently ignored by the kernel, we should truncate
    the packet to either li->u.ulog.copy_len (if set) or copy_range before
    sending it to userspace. 0 is a valid input for copy_len, so add a new
    flag to indicate whether this option was specified by the user or not.

    Add two flags to indicate whether nflog-size/copy_len was set or not.
    XT_NFLOG_F_COPY_LEN is for XT_NFLOG and NFLOG_F_COPY_LEN for nfnetlink_log.

    On the userspace side, this was initially represented by the option
    nflog-range; this will be replaced by --nflog-size now. --nflog-range would
    still exist but does not do anything.

    Reported-by: Joe Dollard
    Reviewed-by: Josh Hunt
    Signed-off-by: Vishwanath Pai
    Signed-off-by: Pablo Neira Ayuso

    Vishwanath Pai
     

19 Feb, 2016

1 commit


08 Jan, 2016

1 commit


29 Dec, 2015

1 commit


09 Dec, 2015

1 commit

  • Change return type of nfulnl_set_timeout() and nfulnl_set_qthresh() to
    be void.

    This patch changes the return type of the static methods
    nfulnl_set_timeout() and nfulnl_set_qthresh() to be void, as there is no
    justification and no need for these methods to return int.

    Signed-off-by: Rami Rosen
    Signed-off-by: Pablo Neira Ayuso

    Rosen, Rami
     

25 Nov, 2015

1 commit

  • Various files are owned by root with 0440 permission. Reading them is
    impossible in an unprivileged user namespace, interfering with firewall
    tools. For instance, iptables-save relies on /proc/net/ip_tables_names
    contents to dump only loaded tables.

    This patch assigned ownership of the following files to root in the
    current namespace:

    - /proc/net/*_tables_names
    - /proc/net/*_tables_matches
    - /proc/net/*_tables_targets
    - /proc/net/nf_conntrack
    - /proc/net/nf_conntrack_expect
    - /proc/net/netfilter/nfnetlink_log

    A mapping for root must be available, so this order should be followed:

    unshare(CLONE_NEWUSER);
    /* Setup the mapping */
    unshare(CLONE_NEWNET);

    Signed-off-by: Philip Whineray
    Signed-off-by: Pablo Neira Ayuso

    Philip Whineray
     

11 Nov, 2015

1 commit

  • After a recent (correct) change, gcc started warning about the use
    of the 'flags' variable in nfulnl_recv_config()

    net/netfilter/nfnetlink_log.c: In function 'nfulnl_recv_config':
    net/netfilter/nfnetlink_log.c:320:14: warning: 'flags' may be used uninitialized in this function [-Wmaybe-uninitialized]
    net/netfilter/nfnetlink_log.c:828:6: note: 'flags' was declared here

    The warning first shows up in ARM s3c2410_defconfig with gcc-4.3 or
    higher (including 5.2.1, which is the latest version I checked). I
    tried working around it by rearranging the code but had no success
    with that.

    As a last resort, this initializes the variable to zero, which shuts
    up the warning, but means that we don't get a warning if the code
    is ever changed in a way that actually causes the variable to be
    used without first being written.

    Signed-off-by: Arnd Bergmann
    Fixes: 8cbc870829ec ("netfilter: nfnetlink_log: validate dependencies to avoid breaking atomicity")
    Signed-off-by: Pablo Neira Ayuso

    Arnd Bergmann
     

17 Oct, 2015

1 commit


15 Oct, 2015

2 commits

  • Check that dependencies are fulfilled before updating the logger
    instance, otherwise we can leave things in intermediate state on errors
    in nfulnl_recv_config().

    [ Ken-ichirou reports that this is also fixing missing instance refcnt drop
    on error introduced in his patch 914eebf2f434 ("netfilter: nfnetlink_log:
    autoload nf_conntrack_netlink module NFQA_CFG_F_CONNTRACK config flag"). ]

    Signed-off-by: Pablo Neira Ayuso
    Tested-by: Ken-ichirou MATSUZAWA

    Pablo Neira
     
  • This patch consolidates the check for valid logger instance once we have
    passed the command handling:

    The config message that we receive may contain the following info:

    1) Command only: We always get a valid instance pointer if we just
    created it. In case that the instance is being destroyed or the
    command is unknown, we jump to the exit path of nfulnl_recv_config().
    This patch doesn't modify this handling.

    2) Config only: In this case, the instance must always exist since the
    user is asking for configuration updates. If the instance doesn't exist
    this returns -ENODEV.

    3) No command and no configs are specified: This case is rare. The
    user is sending us a config message with neither commands nor
    config options. In this case, we have to check if the instance exists
    and bail out otherwise. Before this patch, it was possible to send a
    config message with no command and no config updates for a
    nonexistent instance without triggering an error. So this is the only
    case that changes.

    Signed-off-by: Pablo Neira Ayuso
    Tested-by: Ken-ichirou MATSUZAWA

    Pablo Neira Ayuso
     

13 Oct, 2015

1 commit


05 Oct, 2015

2 commits

  • This patch makes it possible to include the conntrack information
    together with the packet that is sent to user-space via NFLOG, so that
    a user-space program can acquire NATed information from this NFULA_CT
    attribute.

    Including the conntrack information is optional, you can set it
    via NFULNL_CFG_F_CONNTRACK flag with the NFULA_CFG_FLAGS attribute
    like NFQUEUE.

    Signed-off-by: Ken-ichirou MATSUZAWA
    Signed-off-by: Pablo Neira Ayuso

    Ken-ichirou MATSUZAWA
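An added userspace example (not kernel code and not libnetfilter_log) of the configuration message this commit and the "command plus config in one message" commit above describe: a single NFULNL_MSG_CONFIG that binds to an NFLOG group and, in the same message, sets copy mode and NFULNL_CFG_F_CONNTRACK through NFULA_CFG_FLAGS, built with raw netlink structures. The nfnetlink constants are mirrored from the uapi headers so the file compiles without them; sending it in main() requires CAP_NET_ADMIN, and the kernel answers with an NLMSG_ERROR whose error field is 0 on success or a negative errno (for instance when it cannot satisfy the conntrack flag).

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/netlink.h>

/* Added example. Values mirror include/uapi/linux/netfilter/nfnetlink.h and
 * nfnetlink_log.h so this builds even where those headers are not installed. */
#define NFNL_SUBSYS_ULOG        4
#define NFNETLINK_V0            0
#define NFULNL_MSG_CONFIG       1
#define NFULNL_CFG_CMD_BIND     1
#define NFULA_CFG_CMD           1
#define NFULA_CFG_MODE          2
#define NFULA_CFG_FLAGS         6
#define NFULNL_COPY_PACKET      0x02
#define NFULNL_CFG_F_CONNTRACK  0x0004

struct nfgenmsg { uint8_t nfgen_family, version; uint16_t res_id; };
struct nfulnl_msg_config_mode {
    uint32_t copy_range;            /* big-endian on the wire */
    uint8_t  copy_mode, _pad;
} __attribute__((packed));

#define NFGEN_OFF (NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct nfgenmsg)))

/* Append one nlattr at offset len; returns the new length, 0 if cap is exceeded. */
static size_t put_attr(char *buf, size_t cap, size_t len, uint16_t type,
                       const void *data, uint16_t dlen)
{
    size_t need = NLA_ALIGN(NLA_HDRLEN + dlen);
    if (len + need > cap)
        return 0;
    struct nlattr *nla = (struct nlattr *)(buf + len);
    nla->nla_type = type;
    nla->nla_len = NLA_HDRLEN + dlen;
    memcpy(buf + len + NLA_HDRLEN, data, dlen);   /* padding zeroed by caller */
    return len + need;
}

/* One message carrying a command (BIND to group) and configuration (copy
 * mode/range, flags): the kernel handles the command first and then applies
 * the attributes to the instance it just created. Returns the message
 * length, or 0 if buf is too small. */
size_t build_nflog_bind(char *buf, size_t cap, uint16_t group,
                        uint32_t copy_range, uint32_t seq)
{
    if (cap < NFGEN_OFF)
        return 0;
    memset(buf, 0, cap);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_type  = (NFNL_SUBSYS_ULOG << 8) | NFULNL_MSG_CONFIG;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq   = seq;
    struct nfgenmsg *nfg = (struct nfgenmsg *)(buf + NLMSG_HDRLEN);
    nfg->nfgen_family = AF_UNSPEC;
    nfg->version      = NFNETLINK_V0;
    nfg->res_id       = htons(group);            /* the NFLOG group number */

    uint8_t cmd = NFULNL_CFG_CMD_BIND;
    struct nfulnl_msg_config_mode mode = { htonl(copy_range), NFULNL_COPY_PACKET, 0 };
    uint16_t flags = htons(NFULNL_CFG_F_CONNTRACK);   /* __be16, as with NFQUEUE */
    size_t len = NFGEN_OFF;
    if (!(len = put_attr(buf, cap, len, NFULA_CFG_CMD, &cmd, sizeof cmd)) ||
        !(len = put_attr(buf, cap, len, NFULA_CFG_MODE, &mode, sizeof mode)) ||
        !(len = put_attr(buf, cap, len, NFULA_CFG_FLAGS, &flags, sizeof flags)))
        return 0;
    nlh->nlmsg_len = len;
    return len;
}

/* Walk the attributes of a config message; returns the host-order value of
 * NFULA_CFG_FLAGS, or -1 if it is absent or the message is malformed. */
int config_flags(const char *buf, size_t len)
{
    for (size_t off = NFGEN_OFF; off + NLA_HDRLEN <= len; ) {
        const struct nlattr *nla = (const struct nlattr *)(buf + off);
        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > len)
            return -1;
        if (nla->nla_type == NFULA_CFG_FLAGS && nla->nla_len == NLA_HDRLEN + 2) {
            uint16_t v;
            memcpy(&v, buf + off + NLA_HDRLEN, sizeof v);
            return ntohs(v);
        }
        off += NLA_ALIGN(nla->nla_len);
    }
    return -1;
}

int main(void)
{
    char buf[128] __attribute__((aligned(4)));
    size_t len = build_nflog_bind(buf, sizeof buf, 0, 0xffff - NLA_HDRLEN, 1);
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);   /* needs CAP_NET_ADMIN */
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
    if (!len || fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        send(fd, buf, len, 0) < 0) {
        perror("nflog bind");
        return 1;
    }
    /* With NLM_F_ACK the kernel replies with NLMSG_ERROR: error == 0 is the
     * ACK, a negative errno says why the configuration was rejected. */
    char rbuf[256] __attribute__((aligned(4)));
    ssize_t r = recv(fd, rbuf, sizeof rbuf, 0);
    if (r < (ssize_t)(NLMSG_HDRLEN + sizeof(struct nlmsgerr))) {
        perror("recv");
        return 1;
    }
    struct nlmsgerr *e = (struct nlmsgerr *)(rbuf + NLMSG_HDRLEN);
    printf("NFLOG group 0 + NFULNL_CFG_F_CONNTRACK: %s\n",
           e->error ? strerror(-e->error) : "ok");
    close(fd);
    return e->error != 0;
}
```

Once bound, the NFULNL_MSG_PACKET messages delivered on the same socket carry NFULA_CT alongside NFULA_PAYLOAD; a consumer that only wants the NAT mapping can parse that attribute and skip the payload.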
     
  • The __build_packet_message function fills a nfulnl_msg_packet_timestamp
    structure that uses 64-bit seconds and is therefore y2038 safe, but
    it uses an intermediate 'struct timespec' which is not.

    This trivially changes the code to use 'struct timespec64' instead,
    to correct the result on 32-bit architectures.

    Signed-off-by: Arnd Bergmann
    Cc: Pablo Neira Ayuso
    Cc: Patrick McHardy
    Cc: Jozsef Kadlecsik
    Cc: netfilter-devel@vger.kernel.org
    Cc: coreteam@netfilter.org
    Acked-by: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

    Arnd Bergmann
     

19 Jun, 2015

1 commit


20 May, 2015

1 commit

  • nfnetlink_{log,queue}_init() register the netlink callback nf*_rcv_nl_event
    before registering the pernet_subsys, but the callback relies on data
    structures allocated by pernet init functions.

    When nfnetlink_{log,queue} is loaded, if a netlink message is received after
    the netlink callback is registered but before the pernet_subsys is registered,
    the kernel will panic in the sequence

    nfulnl_rcv_nl_event
    nfnl_log_pernet
    net_generic
    BUG_ON(id == 0) where id is nfnl_log_net_id.

    The panic can be easily reproduced in 4.0.3 by:

    while true ;do modprobe nfnetlink_log ; rmmod nfnetlink_log ; done &
    while true ;do ip netns add dummy ; ip netns del dummy ; done &

    This patch moves register_pernet_subsys to earlier in nfnetlink_log_init.

    Notice that the BUG_ON hit in 4.0.3 was recently removed in 2591ffd308
    ["netns: remove BUG_ONs from net_generic()"].

    Signed-off-by: Francesco Ruggeri
    Signed-off-by: Pablo Neira Ayuso

    Francesco Ruggeri
     

14 Apr, 2015

2 commits


08 Apr, 2015

1 commit

  • right now we store this in the nf_bridge_info struct, accessible
    via skb->nf_bridge. This patch prepares removal of this pointer from skb:

    Instead of using skb->nf_bridge->x, we use helpers to obtain the in/out
    device (or ifindexes).

    Followup patches to netfilter will then allow nf_bridge_info to be
    obtained by a call into the br_netfilter core, rather than keeping a
    pointer to it in sk_buff.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

24 Mar, 2015

1 commit

  • Pablo Neira Ayuso says:

    ====================
    Netfilter updates for net-next

    The following patchset contains Netfilter updates for net-next.
    Basically, more incremental updates for br_netfilter from Florian
    Westphal, small nf_tables updates (including one fix for rb-tree
    locking) and small two-liner to add extra validation for the REJECT6
    target.

    More specifically, they are:

    1) Use the conntrack status flags from br_netfilter to know that DNAT is
    happening. Patch from Florian Westphal.

    2) nf_bridge->physoutdev == NULL already indicates that the traffic is
    bridged, so let's get rid of the BRNF_BRIDGED flag. Also from Florian.

    3) Another patch to prepare voidization of seq_printf/seq_puts/seq_putc,
    from Joe Perches.

    4) Consolidation of nf_tables_newtable() error path.

    5) Kill nf_bridge_pad used by br_netfilter from ip_fragment(),
    from Florian Westphal.

    6) Access rb-tree root node inside the lock and remove unnecessary
    locking from the get path (we already hold nfnl_lock there), from
    Patrick McHardy.

    7) You cannot use a NFT_SET_ELEM_INTERVAL_END when the set doesn't
    support interval, also from Patrick.

    8) Enforce IP6T_F_PROTO from ip6t_REJECT to make sure the core is
    actually restricting matches to TCP.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

18 Mar, 2015

2 commits


25 Nov, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    netfilter/ipvs updates for net-next

    The following patchset contains Netfilter updates for your net-next
    tree, this includes the NAT redirection support for nf_tables, the
    cgroup support for nft meta and conntrack zone support for the connlimit
    match. Coming after those, a bunch of sparse warning fixes, missing
    netns bits and cleanups. More specifically, they are:

    1) Prepare IPv4 and IPv6 NAT redirect code to use it from nf_tables,
    patches from Arturo Borrero.

    2) Introduce the nf_tables redir expression, from Arturo Borrero.

    3) Remove an unnecessary assignment in ip_vs_xmit/__ip_vs_get_out_rt().
    Patch from Alex Gartrell.

    4) Add nft_log_dereference() macro to the nf_log infrastructure, patch
    from Marcelo Leitner.

    5) Add some extra validation when registering logger families, also
    from Marcelo.

    6) Some spelling cleanups from stephen hemminger.

    7) Fix sparse warning in nf_logger_find_get().

    8) Add cgroup support to nf_tables meta, patch from Ana Rey.

    9) A Kconfig fix for the new redir expression and fix sparse warnings in
    the new redir expression.

    10) Fix several sparse warnings in the netfilter tree, from
    Florian Westphal.

    11) Reduce verbosity when OOM in nfnetlink_log. User can basically do
    nothing when this situation occurs.

    12) Add conntrack zone support to xt_connlimit, again from Florian.

    13) Add netnamespace support to the h323 conntrack helper, contributed
    by Vasily Averin.

    14) Remove unnecessary nul-pointer checks before free_percpu() and
    module_put(), from Markus Elfring.

    15) Use pr_fmt in nfnetlink_log, again patch from Marcelo Leitner.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

20 Nov, 2014

1 commit


13 Nov, 2014

1 commit


24 Oct, 2014

3 commits

  • The kernel should reserve enough room in the skb so that the DONE
    message can always be appended. However, in case of e.g. new attribute
    erroneously not being size-accounted for, __nfulnl_send() will still
    try to put next nlmsg into this full skbuf, causing the skb to be stuck
    forever and blocking delivery of further messages.

    Fix issue by releasing skb immediately after nlmsg_put error and
    WARN() so we can track down the cause of such size mismatch.

    [ fw@strlen.de: add tailroom/len info to WARN ]

    Signed-off-by: Houcheng Lin
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Houcheng Lin
     
  • don't try to queue payloads > 0xffff - NLA_HDRLEN, it does not work.
    The nla length includes the size of the nla struct, so anything larger
    results in u16 integer overflow.

    This patch is similar to
    9cefbbc9c8f9abe (netfilter: nfnetlink_queue: cleanup copy_range usage).

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
  • We currently neither account for the nlattr size, nor do we consider
    the size of the trailing NLMSG_DONE when allocating nlmsg skb.

    This can result in nflog to stop working, as __nfulnl_send() re-tries
    sending forever if it failed to append NLMSG_DONE (which will never
    work if buffer is not large enough).

    Reported-by: Houcheng Lin
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
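An added illustration (not kernel code) of the two size rules behind the three commits above: nla_len is a u16 that includes the 4-byte attribute header, so a payload above 0xffff - NLA_HDRLEN wraps the length on the wire, and a packet message must be budgeted with its payload attribute's header and padding plus the trailing NLMSG_DONE (which in nfnetlink_log carries a struct nfgenmsg) or the flush can never succeed. The clamp and the budget function are written here to show the principle; the kernel's own arithmetic lives in nfulnl_set_mode() and nfulnl_log_packet().

```c
#include <stddef.h>
#include <stdint.h>
#include <linux/netlink.h>

/* Added illustration; NFULNL_COPY_RANGE_MAX is the limit the kernel enforces. */
#define NFULNL_COPY_RANGE_MAX (0xFFFF - NLA_HDRLEN)
#define NFGENMSG_LEN 4          /* sizeof(struct nfgenmsg) */

/* nla_len counts the attribute header as well as the payload, so it silently
 * wraps to 0 once the payload passes 0xffff - NLA_HDRLEN. */
uint16_t nla_len_on_wire(uint32_t payload)
{
    return (uint16_t)(NLA_HDRLEN + payload);
}

/* Clamp a requested copy_range before queueing: 0 means "whole packet",
 * and both it and oversized requests are capped at the attribute limit. */
uint32_t clamp_copy_range(uint32_t requested)
{
    if (requested == 0 || requested > NFULNL_COPY_RANGE_MAX)
        return NFULNL_COPY_RANGE_MAX;
    return requested;
}

/* Room one NFULNL_MSG_PACKET needs in the batch skb: netlink header, the
 * fixed attributes (already nla_total_size()'d by the caller), the payload
 * attribute with its own header and alignment padding, and the NLMSG_DONE
 * (header + nfgenmsg) appended on flush. Omitting the last two terms is what
 * left __nfulnl_send() retrying forever. payload must already be clamped. */
size_t nflog_msg_budget(size_t fixed_attrs_total, uint32_t payload)
{
    size_t msg = NLMSG_HDRLEN + fixed_attrs_total
               + NLA_ALIGN(NLA_HDRLEN + payload);
    return NLMSG_ALIGN(msg) + NLMSG_HDRLEN + NLMSG_ALIGN(NFGENMSG_LEN);
}
```

A userspace consumer should expect at most NFULNL_COPY_RANGE_MAX (65531) payload bytes per packet regardless of the copy_range it asked for.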
     

03 Oct, 2014

1 commit


27 Jun, 2014

1 commit

  • Before this patch, the nf_loginfo parameter specified the logging
    configuration in case the specified default logger was loaded. This
    patch updates the semantics of the nf_loginfo parameter in
    nf_log_packet() which now indicates the logger that you explicitly
    want to use.

    Thus, nf_log_packet() is exposed as a unified interface which
    internally routes the log message to the corresponding logger type
    by family.

    The module dependencies are expressed by the new nf_logger_find_get()
    and nf_logger_put() functions which bump the logger module refcount.
    Thus, you can not remove logger modules that are used by rules anymore.

    Another important effect of this change is that the family specific
    module is only loaded when required. Therefore, xt_LOG and nft_log
    will just trigger the autoload of the nf_log_{ip,ip6} modules
    according to the family.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

26 Jun, 2014

1 commit

  • Now that legacy ulog targets are not available anymore in the tree, we
    can have up to two possible loggers:

    1) The plain text logging via kernel logging ring.
    2) The nfnetlink_log infrastructure which delivers log messages
    to userspace.

    This patch replaces the list of loggers by an array of two pointers
    per family for each possible logger and it also introduces a new field
    to the nf_logger structure which indicates the position in the logger
    array (based on the logger type).

    This prepares a follow up patch that consolidates the nf_log_packet()
    interface by allowing to specify the logger as parameter.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

25 Feb, 2014

1 commit


18 Dec, 2013

1 commit

  • Steven Rostedt and Arnaldo Carvalho de Melo reported a panic
    when accessing the files /proc/sys/net/netfilter/nf_log/*.

    This problem will occur when we do:

    echo nfnetlink_log > /proc/sys/net/netfilter/nf_log/any_file
    rmmod nfnetlink_log

    and then access the files.

    Since the nf_loggers of netns haven't been unset, they will point
    to the memory that has been freed.

    This bug is introduced by commit 9368a53c ("netfilter: nfnetlink_log:
    add net namespace support for nfnetlink_log").

    [17261.822047] BUG: unable to handle kernel paging request at ffffffffa0d49090
    [17261.822056] IP: [] nf_log_proc_dostring+0xf0/0x1d0
    [...]
    [17261.822226] Call Trace:
    [17261.822235] [] ? security_capable+0x18/0x20
    [17261.822240] [] ? ns_capable+0x29/0x50
    [17261.822247] [] ? net_ctl_permissions+0x1f/0x90
    [17261.822254] [] proc_sys_call_handler+0xb3/0xc0
    [17261.822258] [] proc_sys_read+0x11/0x20
    [17261.822265] [] vfs_read+0x9e/0x170
    [17261.822270] [] SyS_read+0x49/0xa0
    [17261.822276] [] ? __audit_syscall_exit+0x1f6/0x2a0
    [17261.822283] [] system_call_fastpath+0x16/0x1b
    [17261.822285] Code: cc 81 4d 63 e4 4c 89 45 88 48 89 4d 90 e8 19 03 0d 00 4b 8b 84 e5 28 08 00 00 48 8b 4d 90 4c 8b 45 88 48 85 c0 0f 84 a8 00 00 00 8b 40 10 48 89 43 08 48 89 df 4c 89 f2 31 f6 e8 4b 35 af ff
    [17261.822329] RIP [] nf_log_proc_dostring+0xf0/0x1d0
    [17261.822334] RSP
    [17261.822336] CR2: ffffffffa0d49090
    [17261.822340] ---[ end trace a14ce54c0897a90d ]---

    Reported-by: Arnaldo Carvalho de Melo
    Reported-by: Steven Rostedt
    Signed-off-by: Gao feng
    Signed-off-by: Pablo Neira Ayuso

    Gao feng
     

01 Oct, 2013

1 commit


05 Aug, 2013

1 commit


15 May, 2013

1 commit

  • Since (69b34fb netfilter: xt_LOG: add net namespace support
    for xt_LOG), we hit this:

    [ 4224.708977] BUG: unable to handle kernel NULL pointer dereference at 0000000000000388
    [ 4224.709074] IP: [] ipt_log_packet+0x29/0x270

    when calling log functions from conntrack both in and out
    are NULL i.e. the net pointer is invalid.

    Adding struct net *net in call to nf_logfn() will ensure that
    there always is a valid net ptr.

    Reported as netfilter's bugzilla bug 818:
    https://bugzilla.netfilter.org/show_bug.cgi?id=818

    Reported-by: Ronald
    Signed-off-by: Hans Schillstrom
    Signed-off-by: Pablo Neira Ayuso

    Hans Schillstrom
     

06 May, 2013

1 commit

  • This patch fixes the following compilation error:

    net/netfilter/nf_log.c:373:38: error: 'struct netns_nf' has no member named 'proc_netfilter'

    if procfs is not set.

    The netns support for nf_log, nfnetlink_log and nfnetlink_queue_core
    requires CONFIG_PROC_FS in the removal path of their respective
    /proc interface since net->nf.proc_netfilter is undefined in that
    case.

    Reported-by: Fengguang Wu
    Signed-off-by: Pablo Neira Ayuso
    Acked-by: Gao feng

    Pablo Neira Ayuso
     

20 Apr, 2013

2 commits