04 Sep, 2017

1 commit


01 Aug, 2017

1 commit


24 Jul, 2017

1 commit

  • assuming we have lockless readers we should make sure they can only
    see expectations that have already been initialized.

    hlist_add_head_rcu acts as memory barrier, move it after timer setup.

    Theoretically we could crash due to a del_timer() on other cpu
    seeing garbage data.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

17 Jul, 2017

1 commit

  • We crash in __nf_ct_expect_check, it calls nf_ct_remove_expect on the
    uninitialised expectation instead of existing one, so del_timer chokes
    on random memory address.

    Fixes: ec0e3f01114ad32711243 ("netfilter: nf_ct_expect: Add nf_ct_remove_expect()")
    Reported-by: Sergey Kvachonok
    Tested-by: Sergey Kvachonok
    Cc: Gao Feng
    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

01 May, 2017

1 commit

  • Pablo Neira Ayuso says:

    ====================
    Netfilter/IPVS updates for net-next

    The following patchset contains Netfilter updates for your net-next
    tree. A large bunch of code cleanups, simplify the conntrack extension
    codebase, get rid of the fake conntrack object, speed up netns by
    selective synchronize_net() calls. More specifically, they are:

    1) Check for ct->status bit instead of using nfct_nat() from IPVS and
    Netfilter codebase, patch from Florian Westphal.

    2) Use kcalloc() wherever possible in the IPVS code, from Varsha Rao.

    3) Simplify FTP IPVS helper module registration path, from Arushi Singhal.

    4) Introduce nft_is_base_chain() helper function.

    5) Enforce expectation limit from userspace conntrack helper,
    from Gao Feng.

    6) Add nf_ct_remove_expect() helper function, from Gao Feng.

    7) NAT mangle helper function return boolean, from Gao Feng.

    8) ctnetlink_alloc_expect() should only work for conntrack with
    helpers, from Gao Feng.

    9) Add nfnl_msg_type() helper function to nfnetlink to build the
    netlink message type.

    10) Get rid of unnecessary cast on void, from simran singhal.

    11) Use seq_puts()/seq_putc() instead of seq_printf() where possible,
    also from simran singhal.

    12) Use list_prev_entry() from nf_tables, from simran singhal.

    13) Remove unnecessary & on pointer function in the Netfilter and IPVS
    code.

    14) Remove obsolete comment on set of rules per CPU in ip6_tables,
    no longer true. From Arushi Singhal.

    15) Remove duplicated nf_conntrack_l4proto_udplite4, from Gao Feng.

    16) Remove unnecessary nested rcu_read_lock() in
    __nf_nat_decode_session(). Code running from hooks is already
    guaranteed to run under RCU read side.

    17) Remove deadcode in nf_tables_getobj(), from Aaron Conole.

    18) Remove double assignment in nf_ct_l4proto_pernet_unregister_one(),
    also from Aaron.

    19) Get rid of unused __ip_set_get_netlink(), from Aaron Conole.

    20) Don't propagate NF_DROP error to userspace via ctnetlink in
    __nf_nat_alloc_null_binding() function, from Gao Feng.

    21) Revisit nf_ct_deliver_cached_events() to remove unnecessary checks,
    from Gao Feng.

    22) Kill the fake untracked conntrack objects, use ctinfo instead to
    annotate a conntrack object is untracked, from Florian Westphal.

    23) Remove nf_ct_is_untracked(), now obsolete since we have no
    conntrack template anymore, from Florian.

    24) Add event mask support to nft_ct, also from Florian.

    25) Move nf_conn_help structure to
    include/net/netfilter/nf_conntrack_helper.h.

    26) Add a fixed 32 bytes scratchpad area for conntrack helpers.
    Thus, we don't deal with variable conntrack extensions anymore.
    Make sure userspace conntrack helper doesn't go over that size.
    Remove variable size ct extension infrastructure now this code
    got no more clients. From Florian Westphal.

    27) Restore offset and length of nf_ct_ext structure to 8 bytes now
    that wraparound is not possible any longer, also from Florian.

    28) Allow getting rid of unassured flows under stress in conntrack;
    this applies to DCCP, SCTP and TCP protocols, from Florian.

    29) Shrink size of nf_conntrack_ecache structure, from Florian.

    30) Use TCP_MAX_WSCALE instead of hardcoded 14 in TCP tracker,
    from Gao Feng.

    31) Register SYNPROXY hooks on demand, from Florian Westphal.

    32) Use pernet hook whenever possible, instead of global hook
    registration, from Florian Westphal.

    33) Pass hook structure to ebt_register_table() to consolidate some
    infrastructure code, from Florian Westphal.

    34) Use consume_skb() and return NF_STOLEN, instead of NF_DROP in the
    SYNPROXY code, to make sure device stats are not fooled, patch
    from Gao Feng.

    35) Remove NF_CT_EXT_F_PREALLOC; this kills quite some code that we
    don't need anymore if we just select a fixed size instead of an
    expensive runtime calculation of it. From Florian.

    36) Constify nf_ct_extend_register() and nf_ct_extend_unregister(),
    from Florian.

    37) Simplify nf_ct_ext_add(), this kills nf_ct_ext_create(), from
    Florian.

    38) Attach NAT extension on-demand from masquerade and pptp helper
    path, from Florian.

    39) Get rid of useless ip_vs_set_state_timeout(), from Aaron Conole.

    40) Speed up netns by selective calls of synchronize_net(), from
    Florian Westphal.

    41) Silence gcc stack size warning on 32-bit arch in snmp helper,
    from Florian.

    42) Unconditionally call nf_ct_ext_destroy(), even if we have no
    extensions, to deal with the NF_NAT_MANIP_SRC case. Patch from
    Liping Zhang.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

16 Apr, 2017

1 commit


09 Apr, 2017

1 commit

  • We should use proper RCU list APIs to manipulate help->expectations,
    as we can dump the conntrack's expectations via nfnetlink, i.e. in
    ctnetlink_exp_ct_dump_table(), where only rcu_read_lock is acquired.

    So for list traversal, use hlist_for_each_entry_rcu; for list add/del,
    use hlist_add_head_rcu and hlist_del_rcu.

    Signed-off-by: Liping Zhang
    Signed-off-by: Pablo Neira Ayuso

    Liping Zhang
     

07 Apr, 2017

2 commits


17 Mar, 2017

1 commit

  • refcount_t type and corresponding API (see include/linux/refcount.h)
    should be used instead of atomic_t when the variable is used as
    a reference counter. This makes it possible to avoid accidental
    refcounter overflows that might lead to use-after-free
    situations.

    Signed-off-by: Elena Reshetova
    Signed-off-by: Hans Liljestrand
    Signed-off-by: Kees Cook
    Signed-off-by: David Windsor
    Signed-off-by: Pablo Neira Ayuso

    Reshetova, Elena
     

27 Feb, 2017

1 commit

  • Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
    returns void") inadvertently changed the successful return value of
    nf_ct_expect_related_report() from 0 to 1 due to
    __nf_ct_expect_check() returning 1 on success. Prevent this
    regression in the future by changing the return value of
    __nf_ct_expect_check() to 0 on success.

    Signed-off-by: Jarno Rajahalme
    Acked-by: Joe Stringer
    Signed-off-by: Pablo Neira Ayuso

    Jarno Rajahalme
     

25 Feb, 2017

1 commit

  • Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
    returns void") inadvertently changed the successful return value of
    nf_ct_expect_related_report() from 0 to 1, which caused openvswitch
    conntrack integration fail in FTP test cases.

    Fix this by always returning zero on the success code path.

    Fixes: 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert() returns void")
    Signed-off-by: Jarno Rajahalme
    Acked-by: Joe Stringer
    Signed-off-by: Pablo Neira Ayuso

    Jarno Rajahalme
     

12 Feb, 2017

1 commit


09 Aug, 2016

1 commit

  • The 'name' field in struct nf_conntrack_expect_policy{} is not a
    pointer, so checking whether it is NULL will always return true. Even if
    the name is empty, a slash will always be displayed, as follows:
    # cat /proc/net/nf_conntrack_expect
    297 l3proto = 2 proto=6 src=1.1.1.1 dst=2.2.2.2 sport=1 dport=1025 ftp/
    ^

    Fixes: 3a8fc53a45c4 ("netfilter: nf_ct_helper: allocate 16 bytes for the helper and policy names")
    Signed-off-by: Liping Zhang
    Signed-off-by: Pablo Neira Ayuso

    Liping Zhang
     

06 May, 2016

3 commits


25 Apr, 2016

1 commit


25 Nov, 2015

1 commit

  • Various files are owned by root with 0440 permission. Reading them is
    impossible in an unprivileged user namespace, interfering with firewall
    tools. For instance, iptables-save relies on /proc/net/ip_tables_names
    contents to dump only loaded tables.

    This patch assigns ownership of the following files to root in the
    current namespace:

    - /proc/net/*_tables_names
    - /proc/net/*_tables_matches
    - /proc/net/*_tables_targets
    - /proc/net/nf_conntrack
    - /proc/net/nf_conntrack_expect
    - /proc/net/netfilter/nfnetlink_log

    A mapping for root must be available, so this order should be followed:

    unshare(CLONE_NEWUSER);
    /* Setup the mapping */
    unshare(CLONE_NEWNET);

    Signed-off-by: Philip Whineray
    Signed-off-by: Pablo Neira Ayuso

    Philip Whineray
     

18 Aug, 2015

1 commit

  • This work adds a direction parameter to netfilter zones, so identity
    separation can be performed only in original/reply or both directions
    (default). This basically opens up the possibility of doing NAT with
    conflicting IP address/port tuples from multiple, isolated tenants
    on a host (e.g. from a netns) without requiring each tenant to NAT
    twice or to use its own dedicated IP address to SNAT to, meaning
    overlapping tuples can be made unique with the zone identifier in
    original direction, where the NAT engine will then allocate a unique
    tuple in the commonly shared default zone for the reply direction.
    In some restricted, local DNAT cases, port redirection could also be
    used for making the reply traffic unique w/o requiring SNAT.

    The consensus we've reached and discussed at NFWS and since the initial
    implementation [1] was to directly integrate the direction meta data
    into the existing zones infrastructure, as opposed to the ct->mark
    approach we proposed initially.

    As we pass the nf_conntrack_zone object directly around, we don't have
    to touch all call-sites, but only those that contain equality checks
    of zones. Thus, based on the current direction (original or reply),
    we either return the actual id, or the default NF_CT_DEFAULT_ZONE_ID.
    CT expectations are direction-agnostic entities when expectations are
    being compared among themselves, so we can only use the identifier
    in this case.

    Note that zone identifiers can not be included into the hash mix
    anymore as they don't contain a "stable" value that would be equal
    for both directions at all times, f.e. if only zone->id would
    unconditionally be xor'ed into the table slot hash, then replies won't
    find the corresponding conntracking entry anymore.

    If no particular direction is specified when configuring zones, the
    behaviour is exactly as we expect currently (both directions).

    Support has been added for the CT netlink interface as well as the
    x_tables raw CT target, which both already offer existing interfaces
    to user space for the configuration of zones.

    Below a minimal, simplified collision example (script in [2]) with
    netperf sessions:

    +--- tenant-1 ---+   mark := 1
    |    netperf     |--+
    +----------------+  |                CT zone := mark [ORIGINAL]
     [ip,sport] := X    +--------------+  +--- gateway ---+
                        | mark routing |--|     SNAT      |-- ... +
                        +--------------+  +---------------+       |
    +--- tenant-2 ---+  |                                      ~~~|~~~
    |    netperf     |--+                +-----------+            |
    +----------------+   mark := 2       | netserver |------- ... +
     [ip,sport] := X                     +-----------+
                                          [ip,port] := Y
    On the gateway netns, example:

    iptables -t raw -A PREROUTING -j CT --zone mark --zone-dir ORIGINAL
    iptables -t nat -A POSTROUTING -o -j SNAT --to-source --random-fully

    iptables -t mangle -A PREROUTING -m conntrack --ctdir ORIGINAL -j CONNMARK --save-mark
    iptables -t mangle -A POSTROUTING -m conntrack --ctdir REPLY -j CONNMARK --restore-mark

    conntrack dump from gateway netns:

    netperf -H 10.1.1.2 -t TCP_STREAM -l60 -p12865,5555 from each tenant netns

    tcp 6 431995 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=5555 dport=12865 zone-orig=1
    src=10.1.1.2 dst=10.1.1.1 sport=12865 dport=1024
    [ASSURED] mark=1 secctx=system_u:object_r:unlabeled_t:s0 use=1

    tcp 6 431994 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=5555 dport=12865 zone-orig=2
    src=10.1.1.2 dst=10.1.1.1 sport=12865 dport=5555
    [ASSURED] mark=2 secctx=system_u:object_r:unlabeled_t:s0 use=1

    tcp 6 299 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=39438 dport=33768 zone-orig=1
    src=10.1.1.2 dst=10.1.1.1 sport=33768 dport=39438
    [ASSURED] mark=1 secctx=system_u:object_r:unlabeled_t:s0 use=1

    tcp 6 300 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=32889 dport=40206 zone-orig=2
    src=10.1.1.2 dst=10.1.1.1 sport=40206 dport=32889
    [ASSURED] mark=2 secctx=system_u:object_r:unlabeled_t:s0 use=2

    Taking this further, test script in [2] creates 200 tenants and runs
    original-tuple colliding netperf sessions each. A conntrack -L dump in
    the gateway netns also confirms 200 overlapping entries, all in ESTABLISHED
    state as expected.

    I also did run various other tests with some permutations of the script,
    to mention some: SNAT in random/random-fully/persistent mode, no zones (no
    overlaps), static zones (original, reply, both directions), etc.

    [1] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/57412/
    [2] https://paste.fedoraproject.org/242835/65657871/

    Signed-off-by: Daniel Borkmann
    Signed-off-by: Pablo Neira Ayuso

    Daniel Borkmann
     

11 Aug, 2015

1 commit

  • This patch replaces the zone id which is pushed down into functions
    with the actual zone object. It's a bigger one-time change, but
    needed for later on extending zones with a direction parameter, and
    thus decoupling this additional information from all call-sites.

    No functional changes in this patch.

    The default zone becomes a global const object, namely nf_ct_zone_dflt,
    and will be returned directly in various cases, one being when there's
    f.e. no zoning support.

    Signed-off-by: Daniel Borkmann
    Signed-off-by: Pablo Neira Ayuso

    Daniel Borkmann
     

22 Jul, 2015

1 commit

  • When zones were originally introduced, the expectation functions were
    all extended to perform lookup using the zone. However, insertion was
    not modified to check the zone. This means that two expectations which
    are intended to apply for different connections that have the same tuple
    but exist in different zones cannot both be tracked.

    Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for "conntrack zones")
    Signed-off-by: Joe Stringer
    Signed-off-by: Pablo Neira Ayuso

    Joe Stringer
     

18 Mar, 2015

1 commit

  • The seq_printf/seq_puts/seq_putc return values, because they
    are frequently misused, will eventually be converted to void.

    See: commit 1f33c41c03da ("seq_file: Rename seq_overflow() to
    seq_has_overflowed() and make public")

    Miscellanea:

    o realign arguments

    Signed-off-by: Joe Perches
    Signed-off-by: Pablo Neira Ayuso

    Joe Perches
     

24 Aug, 2014

1 commit


07 Mar, 2014

3 commits

  • Netfilter expectations are protected with the same lock as conntrack
    entries (nf_conntrack_lock). This patch splits out expectations locking
    to use its own lock (nf_conntrack_expect_lock).

    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: David S. Miller
    Reviewed-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Jesper Dangaard Brouer
     
  • Preparation for disconnecting the nf_conntrack_lock from the
    expectations code. Once the nf_conntrack_lock is lifted, a race
    condition is exposed.

    The expectations master conntrack exp->master, can race with
    delete operations, as the refcnt increment happens too late in
    init_conntrack(). Race is against other CPUs invoking
    ->destroy() (destroy_conntrack()), or nf_ct_delete() (via timeout
    or early_drop()).

    Avoid this race in nf_ct_find_expectation() by using atomic_inc_not_zero(),
    and checking if nf_ct_is_dying() (path via nf_ct_delete()).

    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: Florian Westphal
    Signed-off-by: David S. Miller
    Signed-off-by: Pablo Neira Ayuso

    Jesper Dangaard Brouer
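As an added example that is not the kernel's code, covering both the refcount_t conversion (17 Mar 2017 entry above) and the atomic_inc_not_zero() guard in this entry: a userspace C11 model of a plain wrapping counter next to a saturating refcount whose inc_not_zero refuses to revive a dying object. Starting the counter at UINT_MAX is a constructed stand-in for 2^32 - 1 outstanding references, and the function names mirror the kernel API in spirit only.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define REFCOUNT_SATURATED UINT_MAX   /* sticky ceiling: the counter never moves again */

typedef struct { _Atomic unsigned int refs; } refcount_t;

/* atomic_t-style get/put: wrap silently on overflow, the behaviour the
 * refcount_t conversion is meant to remove. */
static bool plain_inc(refcount_t *r) { atomic_fetch_add(&r->refs, 1); return true; }
static bool plain_dec_and_test(refcount_t *r) { return atomic_fetch_sub(&r->refs, 1) == 1; }

/* refcount_inc_not_zero(): take a reference only while the object is alive.
 * A false return is the "dying" signal the nf_ct_find_expectation() fix relies
 * on; a saturated counter stays stuck and reports success (leak, not wrap). */
static bool refcount_inc_not_zero(refcount_t *r)
{
	unsigned int old = atomic_load(&r->refs), new;
	do {
		if (old == 0) return false;
		if (old == REFCOUNT_SATURATED) return true;
		new = old + 1;
	} while (!atomic_compare_exchange_weak(&r->refs, &old, new));
	if (new == REFCOUNT_SATURATED) fprintf(stderr, "refcount_t: saturated; leaking memory\n");
	return true;
}

/* refcount_inc(): an increment on zero means a pointer to an already freed
 * object is still in use, i.e. a use-after-free is in progress. */
static bool refcount_inc(refcount_t *r)
{
	if (refcount_inc_not_zero(r)) return true;
	fprintf(stderr, "refcount_t: increment on 0; use-after-free\n");
	return false;
}

/* refcount_dec_and_test(): true when the last reference is dropped. A saturated
 * counter never reaches zero, so an overflowed object is leaked, never freed. */
static bool refcount_dec_and_test(refcount_t *r)
{
	unsigned int old = atomic_load(&r->refs), new;
	do {
		if (old == REFCOUNT_SATURATED) return false;
		if (old == 0) { fprintf(stderr, "refcount_t: underflow\n"); return false; }
		new = old - 1;
	} while (!atomic_compare_exchange_weak(&r->refs, &old, new));
	return new == 0;
}

/* Scenario: the counter already sits at UINT_MAX (constructed stand-in for
 * 2^32 - 1 holders). Two more holders take a reference, then one puts it.
 * Returns true if that single put reports "last reference, free me". */
static bool freed_after_one_put(bool (*inc)(refcount_t *), bool (*dec_and_test)(refcount_t *))
{
	refcount_t r;
	atomic_init(&r.refs, UINT_MAX);
	inc(&r);                  /* plain: wraps to 0 | refcount_t: stays saturated */
	inc(&r);                  /* plain: 1          | refcount_t: stays saturated */
	return dec_and_test(&r);  /* plain: 1 -> 0, "freed" while 2^32 holders remain */
}

/* The lookup-side guard from the 2014 fix: a dying object (refs == 0) must not
 * be revived, while a live one takes and later drops its reference normally. */
static bool dying_object_is_not_revived(void)
{
	refcount_t dying, live;
	atomic_init(&dying.refs, 0);
	atomic_init(&live.refs, 1);
	return !refcount_inc_not_zero(&dying) && refcount_inc_not_zero(&live) &&
	       !refcount_dec_and_test(&live) && refcount_dec_and_test(&live);
}
```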
     
  • Changes while reading through the netfilter code.

    Added a hint about how conntrack nf_conn refcnt is accessed,
    and renamed repl_hash to reply_hash for readability.

    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: David S. Miller
    Reviewed-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Jesper Dangaard Brouer
     

15 Jul, 2013

1 commit


20 Apr, 2013

2 commits


19 Apr, 2013

1 commit

  • Add copyright statements to all netfilter files which have had significant
    changes done by myself in the past.

    Some notes:

    - nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter
    Core Team when it got split out of nf_conntrack_core.c. The copyrights
    even state a date which lies six years before it was written. It was
    written in 2005 by Harald and myself.

    - net/ipv{4,6}/netfilter.c, net/netfilter/nf_queue.c were missing copyright
    statements. I've added the copyright statement from net/netfilter/core.c,
    where this code originated.

    - for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want
    it to give the wrong impression

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     

28 Feb, 2013

1 commit

  • I'm not sure why, but the hlist for each entry iterators were conceived

    list_for_each_entry(pos, head, member)

    The hlist ones were greedy and wanted an extra parameter:

    hlist_for_each_entry(tpos, pos, head, member)

    Why did they need an extra pos parameter? I'm not quite sure. Not only
    do they not really need it, it also prevents the iterator from looking
    exactly like the list iterator, which is unfortunate.

    Besides the semantic patch, there was some manual work required:

    - Fix up the actual hlist iterators in linux/list.h
    - Fix up the declaration of other iterators based on the hlist ones.
    - A very small number of places were using the 'node' parameter; this
    was modified to use 'obj->member' instead.
    - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
    properly, so those had to be fixed up manually.

    The semantic patch which is mostly the work of Peter Senna Tschudin is here:

    @@
    iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

    type T;
    expression a,c,d,e;
    identifier b;
    statement S;
    @@

    -T b;

    [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
    [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
    [akpm@linux-foundation.org: checkpatch fixes]
    [akpm@linux-foundation.org: fix warnings]
    [akpm@linux-foundation.org: redo intrusive kvm changes]
    Tested-by: Peter Senna Tschudin
    Acked-by: Paul E. McKenney
    Signed-off-by: Sasha Levin
    Cc: Wu Fengguang
    Cc: Marcelo Tosatti
    Cc: Gleb Natapov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Sasha Levin
     

19 Feb, 2013

2 commits

  • proc_net_remove is only used to remove proc entries
    that are under /proc/net; it's not a general function for
    removing proc entries of netns. If we want to remove
    some proc entries which are under /proc/net/stat/, we still
    need to call remove_proc_entry.

    This patch uses remove_proc_entry to replace proc_net_remove.
    We can remove proc_net_remove after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     
  • Right now, some modules such as bonding use proc_create
    to create proc entries under /proc/net/, and other modules
    such as ipv4 use proc_net_fops_create.

    It looks a little chaotic. This patch changes all of
    proc_net_fops_create to proc_create. We can remove
    proc_net_fops_create after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     

23 Jan, 2013

1 commit


16 Aug, 2012

1 commit

  • In __nf_ct_expect_check, the function refresh_timer returns 1
    if a matching expectation is found and its timer is successfully
    refreshed. This results in nf_ct_expect_related returning 0.
    Note that at this point:

    - the passed expectation is not inserted in the expectation table
    and its timer was not initialized, since we have refreshed one
    matching/existing expectation.

    - nf_ct_expect_alloc uses kmem_cache_alloc, so the expectation
    timer is in some undefined state just after the allocation,
    until it is appropriately initialized.

    This can be a problem for the SIP helper during the expectation
    addition:

    ...
    if (nf_ct_expect_related(rtp_exp) == 0) {
            if (nf_ct_expect_related(rtcp_exp) != 0)
                    nf_ct_unexpect_related(rtp_exp);
    ...

    Note that nf_ct_expect_related(rtp_exp) may return 0 for the timer refresh
    case that is detailed above. Then, if nf_ct_unexpect_related(rtcp_exp)
    returns != 0, nf_ct_unexpect_related(rtp_exp) is called, which does:

    spin_lock_bh(&nf_conntrack_lock);
    if (del_timer(&exp->timeout)) {
            nf_ct_unlink_expect(exp);
            nf_ct_expect_put(exp);
    }
    spin_unlock_bh(&nf_conntrack_lock);

    Note that del_timer always returns false if the timer has been
    initialized. However, the timer was not initialized since setup_timer
    was not called, therefore, the expectation timer remains in some
    undefined state. If I'm not missing anything, this may lead to the
    removal of a nonexistent expectation.

    To fix this, the optimization that allows refreshing an expectation
    is removed. Now nf_conntrack_expect_related looks more consistent
    to me since it always adds the expectation when it returns
    success.

    Thanks to Patrick McHardy for participating in the discussion of
    this patch.

    I think this may be the source of the problem described by:
    http://marc.info/?l=netfilter-devel&m=134073514719421&w=2

    Reported-by: Rafal Fitt
    Acked-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

16 May, 2012

1 commit


28 Dec, 2011

1 commit


23 Dec, 2011

1 commit

  • This partially reworks bc01befdcf3e40979eb518085a075cbf0aacede0
    which added userspace expectation support.

    This patch removes the nf_ct_userspace_expect_list since we now
    force the use of the new iptables CT target feature to add the helper
    extension for conntracks that have attached expectations from
    userspace.

    A new version of the proof-of-concept code to implement userspace
    helpers from userspace is available at:

    http://people.netfilter.org/pablo/userspace-conntrack-helpers/nf-ftp-helper-POC.tar.bz2

    This patch also modifies the CT target to allow setting the
    conntrack's userspace helper status flags. This flag is used
    to tell the conntrack system to explicitly allocate the helper
    extension.

    This helper extension is useful to link the userspace expectations
    with the master conntrack that is being tracked from one userspace
    helper.

    This feature fixes a problem in the current approach of the
    userspace helper support. Basically, if the master conntrack that
    has got a userspace expectation vanishes, the expectations point to
    one invalid memory address. Thus, triggering an oops in the
    expectation deletion event path.

    I decided not to add a new revision of the CT target because
    I only needed to add a new flag for it. I'll document this
    issue in the iptables manpage. I have also changed the return
    value from EINVAL to EOPNOTSUPP if an unsupported flag is
    specified. Thus, in the future, new features that only
    require a new flag can be added without a new revision.

    There is no official userspace code (apart from
    the proof-of-concept) that uses this infrastructure, but there
    will be some by the beginning of 2012.

    Reported-by: Sam Roberts
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

01 Nov, 2011

1 commit