08 Aug, 2014

4 commits

  • Convert a zero return value on error to a negative one, as returned
    elsewhere in the function.

    A simplified version of the semantic match that finds this problem is as
    follows: (http://coccinelle.lip6.fr/)

    //
    @@
    identifier ret; expression e1,e2;
    @@
    (
    if (\(ret < 0\|ret != 0\))
    { ... return ret; }
    |
    ret = 0
    )
    ... when != ret = e1
    when != &ret
    *if(...)
    {
    ... when != ret = e2
    when forall
    return ret;
    }
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: Pablo Neira Ayuso

    Julia Lawall
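An added example (not from the commit or the kernel tree) of the pattern the semantic match above reports: `ret` is initialised to 0 for the success path and then returned unchanged from an error branch, so the caller cannot tell that the lookup failed. The table, its contents and all function names are constructed.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed registry used as the lookup target. */
struct entry { int id; int value; };

static struct entry table[] = { {1, 10}, {2, 20} };
static const size_t table_len = sizeof(table) / sizeof(table[0]);

int scratch;   /* out-parameter storage for the demonstration */

static struct entry *find_entry(int id)
{
    for (size_t i = 0; i < table_len; i++)
        if (table[i].id == id)
            return &table[i];
    return NULL;
}

/* BUGGY: the shape the Coccinelle rule matches. ret is set to 0 (the
 * success value), never reassigned, and then returned from the error
 * branch, so a missing entry is reported as success. */
int get_value_buggy(int id, int *out)
{
    int ret = 0;
    struct entry *e = find_entry(id);

    if (!e)
        return ret;        /* returns 0: caller believes *out is valid */
    *out = e->value;
    return ret;
}

/* FIXED: the error branch returns a negative errno, matching the other
 * error paths such a function would have. */
int get_value_fixed(int id, int *out)
{
    struct entry *e = find_entry(id);

    if (!e)
        return -ENOENT;
    *out = e->value;
    return 0;
}

/* A caller that trusts the return code. Returns 1 if it went on to use
 * the (possibly never written) output, 0 if it took the error path. */
int caller_proceeded(int (*getter)(int, int *), int id)
{
    int v;

    if (getter(id, &v) < 0)
        return 0;
    return 1;
}
```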
     
  • Eric Dumazet reports that getsockopt() or setsockopt() sometimes
    returns -EINTR instead of -ENOPROTOOPT, causing headaches to
    application developers.

    This patch replaces all the mutex_lock_interruptible() by mutex_lock()
    in the netfilter tree, as there is no reason we should sleep for a
    long time there.

    Reported-by: Eric Dumazet
    Suggested-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso
    Acked-by: Julian Anastasov

    Pablo Neira Ayuso
     
  • Fix possible replacement of the per-cpu chain counters by null
    pointer when updating an existing chain in the commit path.

    Reported-by: Matteo Croce
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • This should happen once the element has been effectively released in
    the commit path, not before. This fixes a possible chain refcount leak
    if the transaction is aborted.

    Reported-by: Thomas Graf
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

06 Aug, 2014

1 commit

  • Conflicts:
    drivers/net/Makefile
    net/ipv6/sysctl_net_ipv6.c

    Two ipv6_table_template[] additions overlap, so the index
    of the ipv6_table[x] assignments needed to be adjusted.

    In the drivers/net/Makefile case, we've gotten rid of the
    garbage whereby we had to list every single USB networking
    driver in the top-level Makefile, there is just one
    "USB_NETWORKING" that guards everything.

    Signed-off-by: David S. Miller

    David S. Miller
     

03 Aug, 2014

2 commits

  • The sizing of the hash table and the practice of requiring a lookup
    to retrieve the pprev to be stored in the element cookie before the
    deletion of an entry is left intact.

    Signed-off-by: Thomas Graf
    Acked-by: Patrick McHardy
    Reviewed-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Thomas Graf
     
  • clean up names related to socket filtering and bpf in the following way:
    - everything that deals with sockets keeps 'sk_*' prefix
    - everything that is pure BPF is changed to 'bpf_*' prefix

    split 'struct sk_filter' into
    struct sk_filter {
            atomic_t refcnt;
            struct rcu_head rcu;
            struct bpf_prog *prog;
    };
    and
    struct bpf_prog {
            u32 jited:1,
                len:31;
            struct sock_fprog_kern *orig_prog;
            unsigned int (*bpf_func)(const struct sk_buff *skb,
                                     const struct bpf_insn *filter);
            union {
                    struct sock_filter insns[0];
                    struct bpf_insn insnsi[0];
                    struct work_struct work;
            };
    };
    so that 'struct bpf_prog' can be used independent of sockets and cleans up
    'unattached' bpf use cases

    split SK_RUN_FILTER macro into:
    SK_RUN_FILTER to be used with 'struct sk_filter *' and
    BPF_PROG_RUN to be used with 'struct bpf_prog *'

    __sk_filter_release(struct sk_filter *) gains
    __bpf_prog_release(struct bpf_prog *) helper function

    also perform related renames for the functions that work
    with 'struct bpf_prog *', since they're on the same lines:

    sk_filter_size -> bpf_prog_size
    sk_filter_select_runtime -> bpf_prog_select_runtime
    sk_filter_free -> bpf_prog_free
    sk_unattached_filter_create -> bpf_prog_create
    sk_unattached_filter_destroy -> bpf_prog_destroy
    sk_store_orig_filter -> bpf_prog_store_orig_filter
    sk_release_orig_filter -> bpf_release_orig_filter
    __sk_migrate_filter -> bpf_migrate_filter
    __sk_prepare_filter -> bpf_prepare_filter

    API for attaching classic BPF to a socket stays the same:
    sk_attach_filter(prog, struct sock *)/sk_detach_filter(struct sock *)
    and SK_RUN_FILTER(struct sk_filter *, ctx) to execute a program
    which is used by sockets, tun, af_packet

    API for 'unattached' BPF programs becomes:
    bpf_prog_create(struct bpf_prog **)/bpf_prog_destroy(struct bpf_prog *)
    and BPF_PROG_RUN(struct bpf_prog *, ctx) to execute a program
    which is used by isdn, ppp, team, seccomp, ptp, xt_bpf, cls_bpf, test_bpf

    Signed-off-by: Alexei Starovoitov
    Signed-off-by: David S. Miller

    Alexei Starovoitov
     

02 Aug, 2014

1 commit

  • nft_del_setelem() currently calls nft_data_uninit() twice on the same
    key. Once to release the key which is guaranteed to be NFT_DATA_VALUE
    and a second time in the error path to which it falls through.

    The second call has been harmless so far though because the type
    passed is always NFT_DATA_VALUE which is currently a no-op.

    Signed-off-by: Thomas Graf
    Signed-off-by: Pablo Neira Ayuso

    Thomas Graf
     

01 Aug, 2014

3 commits

  • Pablo Neira Ayuso says:

    ====================
    Netfilter updates for net-next

    The following patchset contains netfilter updates for net-next, they are:

    1) Add the reject expression for the nf_tables bridge family, this
    allows us to send explicit reject (TCP RST / ICMP dest unreach) to
    the packets matching a rule.

    2) Simplify and consolidate the nf_tables set dumping logic. This uses
    netlink control->data to filter out depending on the request.

    3) Perform garbage collection in xt_hashlimit using a workqueue instead
    of a timer, which is problematic when many entries are in place in
    the tables, from Eric Dumazet.

    4) Remove leftover code from the removed ulog target support, from
    Paul Bolle.

    5) Dump unmodified flags in the netfilter packet accounting when resetting
    counters, so userspace knows that a counter was in an overquota situation,
    from Alexey Perevalov.

    6) Fix wrong usage of the bitwise functions in nfnetlink_acct, also from
    Alexey.

    7) Fix a crash when adding new set element with an empty NFTA_SET_ELEM_LIST
    attribute.

    This patchset also includes a couple of cleanups for xt_LED from
    Duan Jiong and for nf_conntrack_ipv4 (using coccinelle) from
    Himangi Saraogi.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • Otherwise, the kernel oopses in nla_for_each_nested when iterating over
    the unset attribute NFTA_SET_ELEM_LIST_ELEMENTS in the
    nf_tables_{new,del}setelem() path.

    netlink: 65524 bytes leftover after parsing attributes in process `nft'.
    [...]
    Oops: 0000 [#1] SMP
    [...]
    CPU: 2 PID: 6287 Comm: nft Not tainted 3.16.0-rc2+ #169
    RIP: 0010:[] [] nf_tables_newsetelem+0x82/0xec [nf_tables]
    [...]
    Call Trace:
    [] nfnetlink_rcv+0x2e7/0x3d7 [nfnetlink]
    [] ? nfnetlink_rcv+0x35c/0x3d7 [nfnetlink]
    [] netlink_unicast+0xf8/0x17a
    [] netlink_sendmsg+0x323/0x351
    [...]

    Fix this by returning -EINVAL if this attribute is not set, which
    doesn't make sense at all since those commands are there to add and to
    delete elements from the set.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
    Bit helper functions were used for manipulating NFACCT_F_OVERQUOTA,
    but they accept a bit position, not a bit mask. As a result, not the
    third bit for NFACCT_F_OVERQUOTA was set, but the fourth. Such
    behaviour was dangerous and could lead to unexpected overquota report
    results.

    Signed-off-by: Alexey Perevalov
    Signed-off-by: Pablo Neira Ayuso

    Alexey Perevalov
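An added example (not the kernel's code) of the bit-position versus bit-mask confusion the commit describes, using constructed stand-ins for the set_bit()/test_bit() helpers. The flag layout (position 2, mask 1 << 2) and the consumer that reads the dumped word are assumptions for illustration.

```c
#include <stdint.h>

/* Assumed layout for illustration: the overquota flag is bit position 2,
 * so its mask is 1 << 2 == 0x04. */
#define NFACCT_F_OVERQUOTA_BIT 2u
#define NFACCT_F_OVERQUOTA     (1u << NFACCT_F_OVERQUOTA_BIT)

/* Constructed stand-ins for the kernel bit helpers: they take a 0-based
 * BIT POSITION, not a mask. */
static void set_bit_pos(unsigned int nr, uint32_t *word)
{
    *word |= (1u << nr);
}

static int test_bit_pos(unsigned int nr, const uint32_t *word)
{
    return (*word >> nr) & 1u;
}

/* BUGGY: the mask (4) is passed where a position is expected, so bit 4
 * (0x10) is set and the overquota bit (0x04) stays clear. */
uint32_t mark_overquota_buggy(uint32_t flags)
{
    set_bit_pos(NFACCT_F_OVERQUOTA, &flags);
    return flags;
}

/* The matching buggy reader tests the same wrong bit, so the kernel side
 * looks self-consistent and the defect goes unnoticed in-tree. */
int is_overquota_buggy(uint32_t flags)
{
    return test_bit_pos(NFACCT_F_OVERQUOTA, &flags);
}

/* FIXED: pass the bit position to the helper. */
uint32_t mark_overquota_fixed(uint32_t flags)
{
    set_bit_pos(NFACCT_F_OVERQUOTA_BIT, &flags);
    return flags;
}

/* Assumed consumer of the dumped flags word (e.g. a userspace tool) that
 * interprets it with the documented mask, as the ABI defines it. With the
 * buggy writer this never sees the overquota condition. */
int consumer_sees_overquota(uint32_t dumped_flags)
{
    return (dumped_flags & NFACCT_F_OVERQUOTA) != 0;
}
```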
     

31 Jul, 2014

2 commits


25 Jul, 2014

2 commits


24 Jul, 2014

1 commit

    xt_hashlimit cannot be used with large hash tables, because the garbage
    collector is run from a timer. If the table is really big, it's possible
    to hold the cpu for more than 500 msec, which is unacceptable.

    Switch to a work queue, and use proper scheduling points to remove
    latency spikes.

    Later, we also could switch to a smoother garbage collection done
    at lookup time, one bucket at a time...

    Signed-off-by: Eric Dumazet
    Cc: Florian Westphal
    Cc: Patrick McHardy
    Reviewed-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Eric Dumazet
     

22 Jul, 2014

2 commits


21 Jul, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    Netfilter updates for net-next

    The following patchset contains updates for your net-next tree,
    they are:

    1) Use kvfree() helper function from x_tables, from Eric Dumazet.

    2) Remove extra timer from the conntrack ecache extension, use a
    workqueue instead to redeliver lost events to userspace,
    from Florian Westphal.

    3) Removal of the ulog targets for ebtables and iptables. The nflog
    infrastructure superseded this almost 9 years ago, time to get rid
    of this code.

    4) Replace the list of loggers by an array now that we can only have
    two possible non-overlapping logger flavours, i.e. kernel ring buffer
    and netlink logging.

    5) Move Eric Dumazet's log buffer code to nf_log to reuse it from
    all of the supported per-family loggers.

    6) Consolidate nf_log_packet() as a unified interface for packet logging.
    After this patch, if the struct nf_loginfo is available, it explicitly
    selects the logger that is used.

    7) Move ip and ip6 logging code from xt_LOG to the corresponding
    per-family loggers. Thus, x_tables and nf_tables share the same code
    for packet logging.

    8) Add generic ARP packet logger, which is used by nf_tables. The
    format aims to be consistent with the output of xt_LOG.

    9) Add generic bridge packet logger. Again, this is used by nf_tables
    and it routes the packets to the real family loggers. As a result,
    we get consistent logging format for the bridge family. The ebt_log
    logging code has been intentionally left in place not to break
    backward compatibility since the logging output differs from xt_LOG.

    10) Update nft_log to explicitly request the required family logger when
    needed.

    11) Finish nft_log so it supports arp, ip, ip6, bridge and inet families,
    allowing selection between netlink and kernel buffer ring logging.

    12) Several fixes coming after the netfilter core logging changes spotted
    by robots.

    13) Use IS_ENABLED() macros whenever possible in the netfilter tree,
    from Duan Jiong.

    14) Removal of a couple of unnecessary branches before kfree, from Fabian
    Frederick.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

17 Jul, 2014

1 commit


16 Jul, 2014

3 commits


14 Jul, 2014

3 commits

  • Use generic u64_stats_sync infrastructure to get proper 64bit stats,
    even on 32bit arches, at no extra cost for 64bit arches.

    Without this fix, 32bit arches can have some wrong counters at the time
    the carry is propagated into upper word.

    Signed-off-by: Eric Dumazet
    Signed-off-by: Pablo Neira Ayuso

    Eric Dumazet
     
    An updater may interfere with the dumping of any of the object lists.
    Fix this by using a per-net generation counter and use the
    nl_dump_check_consistent() interface so the NLM_F_DUMP_INTR flag is set
    to notify userspace that it has to restart the dump since an updater
    has interfered.

    This patch also replaces the existing consistency checking code in the
    rule dumping path since it is broken. Basically, the value that the
    dump callback returns is not propagated to userspace via
    netlink_dump_start().

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • The dump operation through netlink is not protected by the nfnl_lock.
    Thus, a reader process can be dumping any of the existing object
    lists while another process can be updating the list content.

    This patch resolves this situation by protecting all the object
    lists with RCU in the netlink dump path which is the reader side.
    The updater path is already protected via nfnl_lock, so use list
    manipulation RCU-safe operations.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

30 Jun, 2014

2 commits

  • Skip transaction handling for table updates with no changes in
    the flags. This fixes a crash when passing the table flag with all
    bits unset.

    Reported-by: Ana Rey
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • replace:
    #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
    with
    #if IS_ENABLED(CONFIG_NF_CT_NETLINK)

    replace:
    #if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
    with
    #if !IS_ENABLED(CONFIG_NF_NAT)

    replace:
    #if !defined(CONFIG_NF_CONNTRACK) && !defined(CONFIG_NF_CONNTRACK_MODULE)
    with
    #if !IS_ENABLED(CONFIG_NF_CONNTRACK)

    And add missing:
    IS_ENABLED(CONFIG_NF_CT_NETLINK)

    in net/ipv{4,6}/netfilter/nf_nat_l3proto_ipv{4,6}.c

    Signed-off-by: Duan Jiong
    Signed-off-by: Pablo Neira Ayuso

    Duan Jiong
     

29 Jun, 2014

3 commits

  • net/netfilter/nft_log.c:79:44-45: Unneeded semicolon

    Removes unneeded semicolon.

    Generated by: scripts/coccinelle/misc/semicolon.cocci

    CC: Pablo Neira Ayuso
    Signed-off-by: Fengguang Wu
    Signed-off-by: Pablo Neira Ayuso

    Fengguang Wu
     
  • net/netfilter/xt_LOG.c: In function 'log_tg':
    >> net/netfilter/xt_LOG.c:43: error: format not a string literal and no format arguments

    Fixes: fab4085 ("netfilter: log: nf_log_packet() as real unified interface")
    Reported-by: Fengguang Wu
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • warning: (NETFILTER_XT_TARGET_LOG) selects NF_LOG_IPV6 which has unmet direct dependencies (NET && INET && IPV6 && NETFILTER && IP6_NF_IPTABLES && NETFILTER_ADVANCED)
    warning: (NF_LOG_IPV4 && NF_LOG_IPV6) selects NF_LOG_COMMON which has unmet direct dependencies (NET && INET && NETFILTER && NF_CONNTRACK)

    Fixes: 83e96d4 ("netfilter: log: split family specific code to nf_log_{ip,ip6,common}.c files")
    Reported-by: Fengguang Wu
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

27 Jun, 2014

5 commits

  • Use the unified nf_log_packet() interface that allows us explicit
    logger selection through the nf_loginfo structure.

    If you specify the group attribute, this means you want to receive
    logging messages through nfnetlink_log. In that case, the snaplen
    and qthreshold attributes allow you to tune internal aspects of
    the netlink logging infrastructure.

    On the other hand, if the level is specified, then the plain text
    format through the kernel logging ring is used instead, which is
    also used by default if neither group nor level are indicated.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • This includes the special handling for NFPROTO_INET. There is
    no real inet logger since we don't see packets of this family.
    However, rules are loaded using this special family type. So
    let's just request both IPV4 and IPV6 loggers.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
    This adds the generic plain text packet logger for bridged packets.
    It routes the logging message to the real protocol packet logger.
    I decided not to refactor the ebt_log code for two reasons:

    1) The ebt_log output is not consistent with the IPv4 and IPv6
    Netfilter packet loggers. The output is different for no good
    reason and it adds redundant code to handle packet logging.

    2) To avoid breaking backward compatibility for applications
    out there that are parsing the specific ebt_log output, the ebt_log
    output has been left as is. So only nftables will use the new
    consistent logging format for logged bridged packets.

    More decisions coming in this patch:

    1) This also removes ebt_log as default logger for bridged packets.
    Thus, nf_log_packet() routes packet to this new packet logger
    instead. This doesn't break backward compatibility since
    nf_log_packet() is not used to log packets in plain text format
    from anywhere in the ebtables/netfilter bridge code.

    2) The new bridge packet logger also performs a lazy request to
    register the real IPv4, ARP and IPv6 netfilter packet loggers.
    If the real protocol logger is not available (not compiled, or the
    module is not available in the system), no packet logging happens.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • Before this patch, the nf_loginfo parameter specified the logging
    configuration in case the specified default logger was loaded. This
    patch updates the semantics of the nf_loginfo parameter in
    nf_log_packet() which now indicates the logger that you explicitly
    want to use.

    Thus, nf_log_packet() is exposed as a unified interface which
    internally routes the log message to the corresponding logger type
    by family.

    The module dependencies are expressed by the new nf_logger_find_get()
    and nf_logger_put() functions which bump the logger module refcount.
    Thus, you can not remove logger modules that are used by rules anymore.

    Another important effect of this change is that the family specific
    module is only loaded when required. Therefore, xt_LOG and nft_log
    will just trigger the autoload of the nf_log_{ip,ip6} modules
    according to the family.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • The plain text logging is currently embedded into the xt_LOG target.
    In order to be able to use the plain text logging from nft_log, as a
    first step, this patch moves the family specific code to the following
    files and Kconfig symbols:

    1) net/ipv4/netfilter/nf_log_ip.c: CONFIG_NF_LOG_IPV4
    2) net/ipv6/netfilter/nf_log_ip6.c: CONFIG_NF_LOG_IPV6
    3) net/netfilter/nf_log_common.c: CONFIG_NF_LOG_COMMON

    These new modules will be required by xt_LOG and nft_log. This patch
    is based on original patch from Arturo Borrero Gonzalez.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

26 Jun, 2014

3 commits

  • This patch moves Eric Dumazet's log buffer implementation from the
    xt_log.h header file to the core net/netfilter/nf_log.c. This also
    includes the renaming of the structure and functions to avoid possible
    undesired namespace clashes.

    This change allows us to use it from the arp and bridge packet logging
    implementation in follow up patches.

    Pablo Neira Ayuso
     
  • Now that legacy ulog targets are not available anymore in the tree, we
    can have up to two possible loggers:

    1) The plain text logging via kernel logging ring.
    2) The nfnetlink_log infrastructure which delivers log messages
    to userspace.

    This patch replaces the list of loggers by an array of two pointers
    per family for each possible logger and it also introduces a new field
    to the nf_logger structure which indicates the position in the logger
    array (based on the logger type).

    This prepares a follow up patch that consolidates the nf_log_packet()
    interface by allowing to specify the logger as parameter.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
    This brings the (per-conntrack) ecache extension back to 24 bytes in size
    (was 152 bytes on x86_64 with lockdep on).

    When event delivery fails, re-delivery is attempted via work queue.

    Redelivery is attempted at least every 0.1 seconds, but can happen
    more frequently if userspace is not congested.

    The nf_ct_release_dying_list() function is removed.
    With this patch, ownership of the to-be-redelivered conntracks
    (on-dying-list-with-DYING-bit not yet set) is with the work queue,
    which will release the references once event is out.

    Joint work with Pablo Neira Ayuso.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

25 Jun, 2014

1 commit