07 Mar, 2017

1 commit

  • When we want to validate the expr's dependency or hooks, we must do two
    things to accomplish it. First, write an X_validate callback function
    and point ->validate to it. Second, call X_validate in the init routine.
    This is very common, e.g. in the fib, nat and reject exprs and so on ...

    It is a little ugly, since we call X_validate in each expr's init
    routine; it's better to do it in nf_tables_newexpr, so we can avoid
    doing this again and again. After doing this, the second step listed
    above is not useful anymore, so remove it now.

    Patch was tested by nftables/tests/py/nft-test.py and
    nftables/tests/shell/run-tests.sh.

    Signed-off-by: Liping Zhang
    Signed-off-by: Pablo Neira Ayuso

    Liping Zhang
     

25 Aug, 2016

1 commit

  • After I added the nft rule "nft add rule filter prerouting reject
    with tcp reset", a kernel panic happened on my system:
    NULL pointer dereference at ...
    IP: [] nf_send_reset+0xaf/0x400
    Call Trace:
    [] ? nf_reject_ip_tcphdr_get+0x160/0x160
    [] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
    [] nft_do_chain+0x1fa/0x890 [nf_tables]
    [] ? __nft_trace_packet+0x170/0x170 [nf_tables]
    [] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
    [] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
    [...]

    Because in the PREROUTING chain the routing information does not exist,
    we dereference a NULL pointer and an oops happens.

    So we restrict the reject expression to the INPUT, FORWARD and OUTPUT
    chains. This is consistent with the iptables REJECT target.

    Signed-off-by: Liping Zhang
    Signed-off-by: Pablo Neira Ayuso

    Liping Zhang
     

28 Apr, 2015

1 commit

  • This fixes:

    ====================
    net/netfilter/nft_reject.c: In function ‘nft_reject_dump’:
    net/netfilter/nft_reject.c:61:2: warning: enumeration value ‘NFT_REJECT_TCP_RST’ not handled in switch [-Wswitch]
    switch (priv->type) {
    ^
    net/netfilter/nft_reject.c:61:2: warning: enumeration value ‘NFT_REJECT_ICMPX_UNREACH’ not handled in switch [-Wswitch]
    net/netfilter/nft_reject_inet.c: In function ‘nft_reject_inet_dump’:
    net/netfilter/nft_reject_inet.c:105:2: warning: enumeration value ‘NFT_REJECT_TCP_RST’ not handled in switch [-Wswitch]
    switch (priv->type) {
    ^
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

08 Oct, 2014

1 commit

  • NFT_REJECT_ICMPX_MAX should be __NFT_REJECT_ICMPX_MAX - 1.

    nft_reject_icmp_code() and nft_reject_icmpv6_code() are called from the
    packet path, so BUG_ON in case we try to access an unknown abstracted
    ICMP code. This should not happen since we already validate this from
    nft_reject_{inet,bridge}_init().

    Fixes: 51b0a5d ("netfilter: nft_reject: introduce icmp code abstraction for inet and bridge")
    Reported-by: Dan Carpenter
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

03 Oct, 2014

1 commit

  • This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides
    an abstraction of the ICMP and ICMPv6 codes that you can use from the
    inet and bridge tables; they are:

    * NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
    * NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
    * NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
    * NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited

    You can still use the specific codes when restricting the rule to match
    the corresponding layer 3 protocol.

    I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have
    different semantics depending on the table family and to allow the user
    to specify ICMP family specific codes if they restrict it to the
    corresponding family.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

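Added here as a worked illustration of the three checks the commits above describe (the 25 Aug 2016 restriction of reject to the INPUT/FORWARD/OUTPUT hooks, the 03 and 08 Oct 2014 ICMPX code abstraction with its NFT_REJECT_ICMPX_MAX bound, and the 07 Mar 2017 move of the ->validate call into nf_tables_newexpr): a small userspace C model, not the kernel's nft_reject.c. The enum values are copied from the kernel uapi headers and the wire codes from RFC 792 / RFC 4443; the function names reject_validate, reject_init, reject_newexpr and nft_reject_icmpx_code, the single hook-number argument in place of the kernel's chain/context structures, and the assert standing in for BUG_ON are this example's own simplifications.

```c
/* Added userspace model (example code, not the kernel's nft_reject.c):
 * refuse a reject expr whose chain hook is not INPUT/FORWARD/OUTPUT, refuse
 * ICMPX codes past NFT_REJECT_ICMPX_MAX at init, map valid codes on eval.
 * Build: cc -std=c99 -Wall reject_model.c && ./a.out */
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* values as in uapi/linux/netfilter.h and uapi/linux/netfilter/nf_tables.h */
enum nf_inet_hooks { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
                     NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING };
enum nft_reject_types { NFT_REJECT_ICMP_UNREACH, NFT_REJECT_TCP_RST,
                        NFT_REJECT_ICMPX_UNREACH };
enum nft_reject_inet_code {
    NFT_REJECT_ICMPX_NO_ROUTE = 0, NFT_REJECT_ICMPX_PORT_UNREACH,
    NFT_REJECT_ICMPX_HOST_UNREACH, NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
    __NFT_REJECT_ICMPX_MAX
};
/* the last valid value, not the sentinel (the 08 Oct 2014 fix) */
#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX - 1)

/* wire codes from RFC 792 / RFC 4443, named as in the kernel headers */
enum { ICMP_NET_UNREACH = 0, ICMP_HOST_UNREACH = 1, ICMP_PORT_UNREACH = 3,
       ICMP_PKT_FILTERED = 13 };
enum { ICMPV6_NOROUTE = 0, ICMPV6_ADM_PROHIBITED = 1, ICMPV6_ADDR_UNREACH = 3,
       ICMPV6_PORT_UNREACH = 4 };

static const uint8_t icmp_code_v4[NFT_REJECT_ICMPX_MAX + 1] = {
    [NFT_REJECT_ICMPX_NO_ROUTE]         = ICMP_NET_UNREACH,
    [NFT_REJECT_ICMPX_PORT_UNREACH]     = ICMP_PORT_UNREACH,
    [NFT_REJECT_ICMPX_HOST_UNREACH]     = ICMP_HOST_UNREACH,
    [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMP_PKT_FILTERED,
};
static const uint8_t icmp_code_v6[NFT_REJECT_ICMPX_MAX + 1] = {
    [NFT_REJECT_ICMPX_NO_ROUTE]         = ICMPV6_NOROUTE,
    [NFT_REJECT_ICMPX_PORT_UNREACH]     = ICMPV6_PORT_UNREACH,
    [NFT_REJECT_ICMPX_HOST_UNREACH]     = ICMPV6_ADDR_UNREACH,
    [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMPV6_ADM_PROHIBITED,
};

struct reject_priv { uint8_t type; uint8_t icmp_code; };

/* Control path. The reply needs a route, so only hooks that run after routing
 * are accepted; PREROUTING is refused at rule insertion instead of oopsing in
 * nf_send_reset() on the packet path (the 25 Aug 2016 fix). */
static int reject_validate(unsigned int hooknum)
{
    const unsigned int allowed = (1u << NF_INET_LOCAL_IN) |
        (1u << NF_INET_FORWARD) | (1u << NF_INET_LOCAL_OUT);
    if (hooknum >= 32 || !((1u << hooknum) & allowed))
        return -EOPNOTSUPP;
    return 0;
}

/* Control path. An ICMPX code past the table is refused here (as in
 * nft_reject_{inet,bridge}_init), so eval can never index out of bounds. */
static int reject_init(struct reject_priv *priv, unsigned int type,
                       unsigned int code)
{
    if (type > NFT_REJECT_ICMPX_UNREACH)
        return -EINVAL;
    if (type == NFT_REJECT_ICMPX_UNREACH && code > NFT_REJECT_ICMPX_MAX)
        return -EINVAL;
    priv->type = (uint8_t)type;
    priv->icmp_code = (uint8_t)code; /* raw u8 for ICMP_UNREACH; unused for RST */
    return 0;
}

/* Models nf_tables_newexpr() after the 07 Mar 2017 change: ->validate is
 * called once here rather than from every expression's init routine. */
static int reject_newexpr(struct reject_priv *priv, unsigned int hooknum,
                          unsigned int type, unsigned int code)
{
    int err = reject_init(priv, type, code);
    return err ? err : reject_validate(hooknum);
}

/* Packet path. The assert stands in for the kernel's BUG_ON; it is reachable
 * only if the init-time check above were bypassed. */
static int nft_reject_icmpx_code(uint8_t code, int ipv6)
{
    assert(code <= NFT_REJECT_ICMPX_MAX);
    return ipv6 ? icmp_code_v6[code] : icmp_code_v4[code];
}

int main(void)
{
    struct reject_priv p;
    int err = reject_newexpr(&p, NF_INET_PRE_ROUTING, NFT_REJECT_TCP_RST, 0);

    printf("prerouting tcp reset: %d (refused at insertion, no oops)\n", err);
    if (!reject_newexpr(&p, NF_INET_LOCAL_IN, NFT_REJECT_ICMPX_UNREACH,
                        NFT_REJECT_ICMPX_ADMIN_PROHIBITED))
        printf("admin-prohibited -> icmp %d, icmpv6 %d\n",
               nft_reject_icmpx_code(p.icmp_code, 0),
               nft_reject_icmpx_code(p.icmp_code, 1));
    return 0;
}
```

Both checks run when the rule is inserted, so a rule in the wrong chain or with an out-of-range ICMPX code fails with -EOPNOTSUPP or -EINVAL on the control path and the packet-path table lookup only ever sees values the init routine has already bounded; sizing the tables with NFT_REJECT_ICMPX_MAX + 1 is what makes the 08 Oct 2014 off-by-one fix matter.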
06 Feb, 2014

1 commit


08 Jan, 2014

2 commits


31 Dec, 2013

1 commit

  • This patch moves nft_reject_ipv4 to nft_reject and adds support
    for IPv6 protocol. This patch uses functions included in nf_reject.h
    to implement reject by TCP reset.

    The code has to be built as a module if NF_TABLES_IPV6 is also a
    module to avoid a compilation error due to the usage of IPv6 functions.
    This has been done in Kconfig by using the construct:

    depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6

    This seems a bit weird in terms of syntax but works perfectly.

    Signed-off-by: Eric Leblond
    Signed-off-by: Pablo Neira Ayuso

    Eric Leblond