Re: [Patch nf] ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()
Hello, On Mon, 23 Apr 2018, Cong Wang wrote: > Similarly, tbl->entries is not initialized after kmalloc(), > therefore causes an uninit-value warning in ip_vs_lblc_check_expire(), > as reported by syzbot. > > Reported-by:> Cc: Simon Horman > Cc: Julian Anastasov > Cc: Pablo Neira Ayuso > Signed-off-by: Cong Wang Thanks! Acked-by: Julian Anastasov > --- > net/netfilter/ipvs/ip_vs_lblc.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c > index 3057e453bf31..83918119ceb8 100644 > --- a/net/netfilter/ipvs/ip_vs_lblc.c > +++ b/net/netfilter/ipvs/ip_vs_lblc.c > @@ -371,6 +371,7 @@ static int ip_vs_lblc_init_svc(struct ip_vs_service *svc) > tbl->counter = 1; > tbl->dead = false; > tbl->svc = svc; > + atomic_set(>entries, 0); > > /* >*Hook periodic timer for garbage collection > -- > 2.13.0 Regards -- Julian Anastasov -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [Patch nf] ipvs: initialize tbl->entries after allocation
Hello, On Mon, 23 Apr 2018, Cong Wang wrote: > tbl->entries is not initialized after kmalloc(), therefore > causes an uninit-value warning in ip_vs_lblc_check_expire() > as reported by syzbot. > > Reported-by:> Cc: Simon Horman > Cc: Julian Anastasov > Cc: Pablo Neira Ayuso > Signed-off-by: Cong Wang Thanks! Acked-by: Julian Anastasov > --- > net/netfilter/ipvs/ip_vs_lblcr.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c > b/net/netfilter/ipvs/ip_vs_lblcr.c > index 92adc04557ed..bc2bc5eebcb8 100644 > --- a/net/netfilter/ipvs/ip_vs_lblcr.c > +++ b/net/netfilter/ipvs/ip_vs_lblcr.c > @@ -534,6 +534,7 @@ static int ip_vs_lblcr_init_svc(struct ip_vs_service *svc) > tbl->counter = 1; > tbl->dead = false; > tbl->svc = svc; > + atomic_set(>entries, 0); > > /* >*Hook periodic timer for garbage collection > -- > 2.13.0 Regards -- Julian Anastasov -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v5] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark
This patch adds a new feature to iptables that allows bitshifting for --restore,set and save-mark operations. This allows existing logic operators (and, or and xor) and mask to co-operate with new bitshift operations. The intention is to provide users with more flexible uses of skb->mark and ct->mark. For example, users can save extra bits in skb->mark:

skb->mark = ct->mark << 8;

Change since v2:
1) Fix invalid data pointer caster which would result in loss of the significance.

Change since v3:
1) Fix several indentation problems.

Change since v4:
1) Hide 'shift' operations when it is not set.

Reviewed-by: Florian Westphal
Signed-off-by: Jack Ma
---
extensions/libxt_CONNMARK.c | 293 --
include/linux/netfilter/xt_connmark.h | 5 +
2 files changed, 285 insertions(+), 13 deletions(-)

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 94984cdc..1a859456 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -32,28 +32,42 @@ struct xt_connmark_target_info { }; enum { + D_SHIFT_LEFT = 0, + D_SHIFT_RIGHT, +}; + +enum { O_SET_MARK = 0, O_SAVE_MARK, O_RESTORE_MARK, O_AND_MARK, O_OR_MARK, O_XOR_MARK, + O_LEFT_SHIFT_MARK, + O_RIGHT_SHIFT_MARK, O_SET_XMARK, O_CTMASK, O_NFMASK, O_MASK, - F_SET_MARK = 1 << O_SET_MARK, - F_SAVE_MARK= 1 << O_SAVE_MARK, - F_RESTORE_MARK = 1 << O_RESTORE_MARK, - F_AND_MARK = 1 << O_AND_MARK, - F_OR_MARK = 1 << O_OR_MARK, - F_XOR_MARK = 1 << O_XOR_MARK, - F_SET_XMARK= 1 << O_SET_XMARK, - F_CTMASK = 1 << O_CTMASK, - F_NFMASK = 1 << O_NFMASK, - F_MASK = 1 << O_MASK, - F_OP_ANY = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK | -F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK, + F_SET_MARK = 1 << O_SET_MARK, + F_SAVE_MARK= 1 << O_SAVE_MARK, + F_RESTORE_MARK = 1 << O_RESTORE_MARK, + F_AND_MARK = 1 << O_AND_MARK, + F_OR_MARK = 1 << O_OR_MARK, + F_XOR_MARK = 1 << O_XOR_MARK, + F_LEFT_SHIFT_MARK = 1 << O_LEFT_SHIFT_MARK, + F_RIGHT_SHIFT_MARK = 1 << O_RIGHT_SHIFT_MARK, + F_SET_XMARK= 1 << O_SET_XMARK, + F_CTMASK = 1 << O_CTMASK, + F_NFMASK = 1 << O_NFMASK, + F_MASK = 1 << O_MASK, + F_OP_ANY = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK | +F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK, +}; + +static const char *const xt_connmark_shift_ops[] = { + "left-shift-mark", + "right-shift-mark" }; static void CONNMARK_help(void) 
@@ -104,6 +118,36 @@ static const struct xt_option_entry connmark_tg_opts[] = { }; #undef s +#define s struct xt_connmark_tginfo2 +static const struct xt_option_entry connmark_tg_opts_v2[] = { + {.name = "set-xmark", .id = O_SET_XMARK, .type = XTTYPE_MARKMASK32, +.excl = F_OP_ANY}, + {.name = "set-mark", .id = O_SET_MARK, .type = XTTYPE_MARKMASK32, +.excl = F_OP_ANY}, + {.name = "and-mark", .id = O_AND_MARK, .type = XTTYPE_UINT32, +.excl = F_OP_ANY}, + {.name = "or-mark", .id = O_OR_MARK, .type = XTTYPE_UINT32, +.excl = F_OP_ANY}, + {.name = "xor-mark", .id = O_XOR_MARK, .type = XTTYPE_UINT32, +.excl = F_OP_ANY}, + {.name = "save-mark", .id = O_SAVE_MARK, .type = XTTYPE_NONE, +.excl = F_OP_ANY}, + {.name = "restore-mark", .id = O_RESTORE_MARK, .type = XTTYPE_NONE, +.excl = F_OP_ANY}, + {.name = "left-shift-mark", .id = O_LEFT_SHIFT_MARK, .type = XTTYPE_UINT8, +.min = 0, .max = 32}, + {.name = "right-shift-mark", .id = O_RIGHT_SHIFT_MARK, .type = XTTYPE_UINT8, +.min = 0, .max = 32}, + {.name = "ctmask", .id = O_CTMASK, .type = XTTYPE_UINT32, +.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, ctmask)}, + {.name = "nfmask", .id = O_NFMASK, .type = XTTYPE_UINT32, +.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)}, + {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32, +.excl = F_CTMASK | F_NFMASK}, + XTOPT_TABLEEND, +}; +#undef s + static void connmark_tg_help(void) { printf( @@ -122,6 +166,15 @@ static void connmark_tg_help(void) ); } +static void connmark_tg_help_v2(void) +{ + connmark_tg_help(); + printf( +" --left-shift-mark value Left shift the ctmark with bits\n" +" --right-shift-mark value Right shift the ctmark with bits\n" +); +} + static void connmark_tg_init(struct xt_entry_target *target) { struct xt_connmark_tginfo1 *info = (void *)target->data; @@ -134,6 +187,18 @@ static void connmark_tg_init(struct xt_entry_target
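Review bot: `.max = 32` on both --left-shift-mark and --right-shift-mark lets a rule ask for a 32-bit shift, and the kernel side (patch 12/12 on this page) applies it as `newmark <<= info->shift_bits` on a u_int32_t, which is undefined in C for a shift count equal to the width; use `.max = 31` unless the kernel is changed to treat 32 specially. The two shift entries also carry no `.excl`, so `--left-shift-mark` and `--right-shift-mark` can both appear on one rule without an error; give each the other's flag as `.excl`. Minor: D_SHIFT_LEFT/D_SHIFT_RIGHT are defined locally in libxt_CONNMARK.c although the patch also touches the copied xt_connmark.h, and the kernel uses the same names, so the header should be their single definition to keep userspace and kernel from diverging; and the help strings read better as "Left shift the ctmark by value bits".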
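An added user-space model (my code, not iptables' or the kernel's) of the mark arithmetic this option drives, following the SET/SAVE/RESTORE formulas visible in kernel patch 12/12 further down this page. `struct tginfo2` and `struct marks` are stand-ins for the kernel structures, the XT_CONNMARK_* values are assumed to match the UAPI header, and all mark values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

enum { D_SHIFT_LEFT = 0, D_SHIFT_RIGHT };      /* as in the libxt_CONNMARK.c hunk above */
enum { XT_CONNMARK_SET = 0, XT_CONNMARK_SAVE, XT_CONNMARK_RESTORE };   /* assumed UAPI values */

/* Stand-in for struct xt_connmark_tginfo2 (field names from the patches) */
struct tginfo2 {
	uint32_t ctmark, ctmask, nfmask;
	uint8_t  mode, shift_dir, shift_bits;
};

/* The two marks the target reads and writes: skb->mark and ct->mark */
struct marks { uint32_t skb_mark, ct_mark; };

/* Shifting a 32-bit value by 32 is undefined in C and the option table allows
 * up to 32, so this model clamps instead of handing 32 to the << operator. */
static uint32_t apply_shift(uint32_t v, uint8_t dir, uint8_t bits)
{
	if (bits >= 32)
		return 0;
	return dir == D_SHIFT_RIGHT ? v >> bits : v << bits;
}

/* Mark arithmetic of connmark_tg_shift() as in kernel patch 12/12 on this
 * page; returns false for an unknown mode (marks unchanged). */
bool connmark_apply(struct marks *m, const struct tginfo2 *info)
{
	uint32_t t;

	switch (info->mode) {
	case XT_CONNMARK_SET:      /* --set-mark value/ctmask, then shift the result */
		m->ct_mark = apply_shift((m->ct_mark & ~info->ctmask) ^ info->ctmark,
					 info->shift_dir, info->shift_bits);
		return true;
	case XT_CONNMARK_SAVE:     /* --save-mark: masked skb->mark bits into ct->mark */
		t = apply_shift(m->skb_mark & info->nfmask, info->shift_dir, info->shift_bits);
		m->ct_mark = (m->ct_mark & ~info->ctmask) ^ t;
		return true;
	case XT_CONNMARK_RESTORE:  /* --restore-mark: masked ct->mark bits into skb->mark */
		t = apply_shift(m->ct_mark & info->ctmask, info->shift_dir, info->shift_bits);
		m->skb_mark = (m->skb_mark & ~info->nfmask) ^ t;
		return true;
	}
	return false;
}

/* The cover letter's example, skb->mark = ct->mark << 8:
 * --restore-mark --left-shift-mark 8 with full ctmask and nfmask */
uint32_t restore_shifted(uint32_t ct_mark)
{
	struct marks m = { 0, ct_mark };
	struct tginfo2 info = { 0, 0xffffffffu, 0xffffffffu, XT_CONNMARK_RESTORE, D_SHIFT_LEFT, 8 };

	connmark_apply(&m, &info);
	return m.skb_mark;
}

/* The inverse: --save-mark --nfmask 0xffffff00 --right-shift-mark 8 */
uint32_t save_shifted(uint32_t skb_mark)
{
	struct marks m = { skb_mark, 0 };
	struct tginfo2 info = { 0, 0xffffffffu, 0xffffff00u, XT_CONNMARK_SAVE, D_SHIFT_RIGHT, 8 };

	connmark_apply(&m, &info);
	return m.ct_mark;
}

/* A revision-1 rule is a revision-2 rule with shift_dir = shift_bits = 0,
 * which is what patch 12/12 builds on the stack: a shift by 0 changes nothing */
uint32_t v1_restore(uint32_t skb_mark, uint32_t ct_mark, uint32_t mask)
{
	struct marks m = { skb_mark, ct_mark };
	struct tginfo2 info = { 0, mask, mask, XT_CONNMARK_RESTORE, 0, 0 };

	connmark_apply(&m, &info);
	return m.skb_mark;
}
```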
[PATCH v4] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark
This patch adds a new feature to iptables that allows bitshifting for --restore,set and save-mark operations. This allows existing logic operators (and, or and xor) and mask to co-operate with new bitshift operations. The intention is to provide users with more flexible uses of skb->mark and ct->mark. For example, users can save extra bits in skb->mark:

skb->mark = ct->mark << 8;

Change since v2:
1) Fix invalid data pointer caster which would result in loss of the significance.

Change since v3:
1) Fix several indentation problems.

Reviewed-by: Florian Westphal
Signed-off-by: Jack Ma
---
extensions/libxt_CONNMARK.c | 286 --
include/linux/netfilter/xt_connmark.h | 5 +
2 files changed, 279 insertions(+), 12 deletions(-)

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 94984cdc..cc9116c9 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -32,30 +32,42 @@ struct xt_connmark_target_info { }; enum { + D_SHIFT_LEFT = 0, + D_SHIFT_RIGHT, +}; + +enum { O_SET_MARK = 0, O_SAVE_MARK, O_RESTORE_MARK, O_AND_MARK, O_OR_MARK, O_XOR_MARK, + O_LEFT_SHIFT_MARK, + O_RIGHT_SHIFT_MARK, O_SET_XMARK, O_CTMASK, O_NFMASK, O_MASK, - F_SET_MARK = 1 << O_SET_MARK, - F_SAVE_MARK= 1 << O_SAVE_MARK, - F_RESTORE_MARK = 1 << O_RESTORE_MARK, - F_AND_MARK = 1 << O_AND_MARK, - F_OR_MARK = 1 << O_OR_MARK, - F_XOR_MARK = 1 << O_XOR_MARK, - F_SET_XMARK= 1 << O_SET_XMARK, - F_CTMASK = 1 << O_CTMASK, - F_NFMASK = 1 << O_NFMASK, - F_MASK = 1 << O_MASK, - F_OP_ANY = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK | -F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK, + F_SET_MARK = 1 << O_SET_MARK, + F_SAVE_MARK= 1 << O_SAVE_MARK, + F_RESTORE_MARK = 1 << O_RESTORE_MARK, + F_AND_MARK = 1 << O_AND_MARK, + F_OR_MARK = 1 << O_OR_MARK, + F_XOR_MARK = 1 << O_XOR_MARK, + F_LEFT_SHIFT_MARK = 1 << O_LEFT_SHIFT_MARK, + F_RIGHT_SHIFT_MARK = 1 << O_RIGHT_SHIFT_MARK, + F_SET_XMARK= 1 << O_SET_XMARK, + F_CTMASK = 1 << O_CTMASK, + F_NFMASK = 1 << O_NFMASK, + F_MASK = 1 << O_MASK, + F_OP_ANY = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK | +F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK, }; +static const char *const xt_connmark_shift_ops[] = + { "left-shift-mark", "right-shift-mark" }; + static void CONNMARK_help(void) { printf( 
@@ -104,6 +116,36 @@ static const struct xt_option_entry connmark_tg_opts[] = { }; #undef s +#define s struct xt_connmark_tginfo2 +static const struct xt_option_entry connmark_tg_opts_v2[] = { + {.name = "set-xmark", .id = O_SET_XMARK, .type = XTTYPE_MARKMASK32, +.excl = F_OP_ANY}, + {.name = "set-mark", .id = O_SET_MARK, .type = XTTYPE_MARKMASK32, +.excl = F_OP_ANY}, + {.name = "and-mark", .id = O_AND_MARK, .type = XTTYPE_UINT32, +.excl = F_OP_ANY}, + {.name = "or-mark", .id = O_OR_MARK, .type = XTTYPE_UINT32, +.excl = F_OP_ANY}, + {.name = "xor-mark", .id = O_XOR_MARK, .type = XTTYPE_UINT32, +.excl = F_OP_ANY}, + {.name = "save-mark", .id = O_SAVE_MARK, .type = XTTYPE_NONE, +.excl = F_OP_ANY}, + {.name = "restore-mark", .id = O_RESTORE_MARK, .type = XTTYPE_NONE, +.excl = F_OP_ANY}, + {.name = "left-shift-mark", .id = O_LEFT_SHIFT_MARK, .type = XTTYPE_UINT8, +.min = 0, .max = 32}, + {.name = "right-shift-mark", .id = O_RIGHT_SHIFT_MARK, .type = XTTYPE_UINT8, +.min = 0, .max = 32}, + {.name = "ctmask", .id = O_CTMASK, .type = XTTYPE_UINT32, +.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, ctmask)}, + {.name = "nfmask", .id = O_NFMASK, .type = XTTYPE_UINT32, +.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)}, + {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32, +.excl = F_CTMASK | F_NFMASK}, + XTOPT_TABLEEND, +}; +#undef s + static void connmark_tg_help(void) { printf( @@ -122,6 +164,15 @@ static void connmark_tg_help(void) ); } +static void connmark_tg_help_v2(void) +{ + connmark_tg_help(); + printf( +" --left-shift-mark value Left shift the ctmark with bits\n" +" --right-shift-mark value Right shift the ctmark with bits\n" +); +} + static void connmark_tg_init(struct xt_entry_target *target) { struct xt_connmark_tginfo1 *info = (void *)target->data; @@ -134,6 +185,18 @@ static void connmark_tg_init(struct xt_entry_target *target) info->nfmask = UINT32_MAX; } +static void
[PATCH nft 2/4] netlink: netlink_list_chains() callers always wants all existing chains
Remove dead code, callers always need this to dump all of the existing chains. Signed-off-by: Pablo Neira Ayuso--- src/netlink.c | 16 +--- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/src/netlink.c b/src/netlink.c index d668fa8cdea3..8e34553635d0 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -711,7 +711,6 @@ int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc) { struct nftnl_chain_list *chain_cache; - struct chain *chain; chain_cache = mnl_nft_chain_dump(ctx, h->family); if (chain_cache == NULL) { @@ -725,20 +724,7 @@ int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h, nftnl_chain_list_foreach(chain_cache, list_chain_cb, ctx); nftnl_chain_list_free(chain_cache); - /* Caller wants all existing chains */ - if (h->chain == NULL) - return 0; - - /* Check if this chain exists, otherwise return an error */ - list_for_each_entry(chain, >list, list) { - if (strcmp(chain->handle.chain, h->chain) == 0) - return 0; - } - - return netlink_io_error(ctx, NULL, - "Could not find chain `%s' in table `%s': %s", - h->chain, h->table, - strerror(ENOENT)); + return 0; } int netlink_flush_chain(struct netlink_ctx *ctx, const struct cmd *cmd) -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
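Review bot: dropping the lookup removes the only place where a list request for a nonexistent chain produced the "Could not find chain `%s' in table `%s'" ENOENT error; the message says callers always want every chain, but it should also say where a bad chain name is rejected from now on, otherwise `list chain` with a typo succeeds silently with no output. After this change `loc` and `h->chain` are unused in netlink_list_chains(), which 3/4 in this series cleans up. (The archive rendering dropped characters in `list_for_each_entry(chain, >list, list)`; the removed loop walked the context's chain list.)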
[PATCH nft 3/4] netlink: don't pass location to netlink_list_*() function
Not needed anymore. Signed-off-by: Pablo Neira Ayuso--- include/netlink.h | 18 ++ src/netlink.c | 23 --- src/rule.c| 18 +++--- 3 files changed, 21 insertions(+), 38 deletions(-) diff --git a/include/netlink.h b/include/netlink.h index 81eaaa25cbeb..58b37d3cd572 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -129,8 +129,7 @@ extern int netlink_rename_chain_batch(struct netlink_ctx *ctx, const struct cmd *cmd); extern int netlink_delete_chain_batch(struct netlink_ctx *ctx, const struct cmd *cmd); -extern int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); +extern int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h); extern int netlink_flush_chain(struct netlink_ctx *ctx, const struct cmd *cmd); extern struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx, const struct nftnl_chain *nlc); @@ -139,10 +138,8 @@ extern int netlink_add_table_batch(struct netlink_ctx *ctx, const struct cmd *cmd, uint32_t flags); extern int netlink_delete_table_batch(struct netlink_ctx *ctx, const struct cmd *cmd); -extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); -extern int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); +extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h); +extern int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h); extern int netlink_flush_table(struct netlink_ctx *ctx, const struct cmd *cmd); extern struct table *netlink_delinearize_table(struct netlink_ctx *ctx, const struct nftnl_table *nlt); 
@@ -151,8 +148,7 @@ extern int netlink_add_set_batch(struct netlink_ctx *ctx, const struct cmd *cmd, uint32_t flags); extern int netlink_delete_set_batch(struct netlink_ctx *ctx, const struct cmd *cmd); -extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h, -const struct location *loc); +extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h); extern struct set *netlink_delinearize_set(struct netlink_ctx *ctx, const struct nftnl_set *nls); @@ -174,8 +170,7 @@ extern int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, const struct set *set, struct nft_cache *cache); -extern int netlink_list_objs(struct netlink_ctx *ctx, const struct handle *h, -const struct location *loc); +extern int netlink_list_objs(struct netlink_ctx *ctx, const struct handle *h); extern int netlink_reset_objs(struct netlink_ctx *ctx, const struct cmd *cmd, uint32_t type, bool dump); extern int netlink_add_obj(struct netlink_ctx *ctx, const struct cmd *cmd, @@ -186,8 +181,7 @@ extern struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx, struct nftnl_obj *nlo); extern int netlink_list_flowtables(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc); + const struct handle *h); extern int netlink_add_flowtable(struct netlink_ctx *ctx, const struct cmd *cmd, uint32_t flags); extern int netlink_delete_flowtable(struct netlink_ctx *ctx, diff --git a/src/netlink.c b/src/netlink.c index 8e34553635d0..9e11af5d026f 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -550,8 +550,7 @@ static int list_rule_cb(struct nftnl_rule *nlr, void *arg) return 0; } -static int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc) +static int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h) { struct nftnl_rule_list *rule_cache; 
@@ -707,8 +706,7 @@ static int list_chain_cb(struct nftnl_chain *nlc, void *arg) return 0; } -int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc) +int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h) { struct nftnl_chain_list *chain_cache; @@ -787,8 +785,7 @@ static int list_table_cb(struct nftnl_table *nlt, void *arg) return 0; } -int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h, -
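Review bot: the commit message "Not needed anymore." should name what made the parameter dead, namely 2/4 removing the only error path in netlink_list_chains() that reported through `loc`, so this patch stands on its own when bisected to; as shown the series of prototype and definition changes is otherwise mechanical, but the src/rule.c callers it updates are cut off in this archive copy.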
[PATCH nft 4/4] netlink: remove unused function declarations
Signed-off-by: Pablo Neira Ayuso--- include/netlink.h | 4 1 file changed, 4 deletions(-) diff --git a/include/netlink.h b/include/netlink.h index 58b37d3cd572..92bae138bf91 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -110,10 +110,6 @@ extern void netlink_linearize_rule(struct netlink_ctx *ctx, extern struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx, struct nftnl_rule *r); -extern int netlink_add_rule(struct netlink_ctx *ctx, const struct handle *h, - const struct rule *rule, uint32_t flags); -extern int netlink_delete_rule(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); extern int netlink_add_rule_batch(struct netlink_ctx *ctx, const struct cmd *cmd, uint32_t flags); -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
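Review bot: only include/netlink.h changes here; if netlink_add_rule() and netlink_delete_rule() are still defined in src/netlink.c they now lack a prototype (a -Wmissing-prototypes warning) and are dead code, so their definitions belong in the same patch, and if they were removed earlier the commit message should say so.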
[PATCH nft 1/4] netlink: pass cmd object to netlink function calls
Simplify function footprint.

Signed-off-by: Pablo Neira Ayuso
---
include/netlink.h | 78 ++---
src/netlink.c | 127 +-
src/rule.c | 87 -
3 files changed, 129 insertions(+), 163 deletions(-)

diff --git a/include/netlink.h b/include/netlink.h
index 240441dde5dd..81eaaa25cbeb 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -115,48 +115,42 @@ extern int netlink_add_rule(struct netlink_ctx *ctx, const struct handle *h, extern int netlink_delete_rule(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); extern int netlink_add_rule_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct rule *rule, uint32_t flags); + const struct cmd *cmd, + uint32_t flags); extern int netlink_del_rule_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc); + const struct cmd *cmd); extern int netlink_replace_rule_batch(struct netlink_ctx *ctx, + const struct cmd *cmd); + +extern int netlink_add_chain_batch(struct netlink_ctx *ctx, + const struct cmd *cmd, uint32_t flags); +extern int netlink_rename_chain_batch(struct netlink_ctx *ctx, const struct handle *h, - const struct rule *rule, - const struct location *loc); - -extern int netlink_add_chain_batch(struct netlink_ctx *ctx, const struct handle *h, -const struct location *loc, -const struct chain *chain, uint32_t flags); -extern int netlink_rename_chain_batch(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc, const char *name); -extern int netlink_delete_chain_batch(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); + const struct cmd *cmd); +extern int netlink_delete_chain_batch(struct netlink_ctx *ctx, + const struct cmd *cmd); extern int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); -extern int netlink_flush_chain(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); +extern int netlink_flush_chain(struct netlink_ctx *ctx, const struct cmd *cmd); extern struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx, const struct nftnl_chain *nlc); -extern int netlink_add_table_batch(struct netlink_ctx *ctx, const struct handle *h, -const struct location *loc, -const struct table *table, uint32_t flags); -extern int 
netlink_delete_table_batch(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); +extern int netlink_add_table_batch(struct netlink_ctx *ctx, + const struct cmd *cmd, uint32_t flags); +extern int netlink_delete_table_batch(struct netlink_ctx *ctx, + const struct cmd *cmd); extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); extern int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); -extern int netlink_flush_table(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); +extern int netlink_flush_table(struct netlink_ctx *ctx, const struct cmd *cmd); extern struct table *netlink_delinearize_table(struct netlink_ctx *ctx, const struct nftnl_table *nlt); -extern int netlink_add_set_batch(struct netlink_ctx *ctx, const struct handle *h, - struct set *set, uint32_t flags); -extern int netlink_delete_set_batch(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc); +extern int netlink_add_set_batch(struct netlink_ctx *ctx, const struct cmd *cmd, +uint32_t flags); +extern int netlink_delete_set_batch(struct netlink_ctx *ctx, + const struct cmd *cmd); extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc);
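Review bot: the commit message should state what "simplify" means here: the handle, location, name, rule, chain, table and set arguments are now read from the cmd object inside the netlink_*_batch() functions, which is what the src/rule.c callers now rely on. The netlink_rename_chain_batch() hunk is interleaved with the old netlink_replace_rule_batch() lines, so the resulting prototype is hard to read in review; regenerating the diff with `diff.algorithm=patience` usually keeps such blocks apart.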
[Patch nf] ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()
Similarly, tbl->entries is not initialized after kmalloc(), therefore causes an uninit-value warning in ip_vs_lblc_check_expire(), as reported by syzbot. Reported-by:Cc: Simon Horman Cc: Julian Anastasov Cc: Pablo Neira Ayuso Signed-off-by: Cong Wang --- net/netfilter/ipvs/ip_vs_lblc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c index 3057e453bf31..83918119ceb8 100644 --- a/net/netfilter/ipvs/ip_vs_lblc.c +++ b/net/netfilter/ipvs/ip_vs_lblc.c @@ -371,6 +371,7 @@ static int ip_vs_lblc_init_svc(struct ip_vs_service *svc) tbl->counter = 1; tbl->dead = false; tbl->svc = svc; + atomic_set(>entries, 0); /* *Hook periodic timer for garbage collection -- 2.13.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
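Review bot: the added line shows as `atomic_set(>entries, 0);` in the archive; the intended call is `atomic_set(&tbl->entries, 0);` on the counter named in the subject. Initialising it next to counter/dead/svc, before the garbage-collection timer below is armed, is the right spot, since ip_vs_lblc_check_expire() runs from that timer and reads the counter. Switching the allocation to kzalloc() would also cover any field added later, but the one-line initializer keeps the nf fix minimal; a Fixes: tag would help stable backports.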
[Patch nf] ipvs: initialize tbl->entries after allocation
tbl->entries is not initialized after kmalloc(), therefore causes an uninit-value warning in ip_vs_lblc_check_expire() as reported by syzbot. Reported-by:Cc: Simon Horman Cc: Julian Anastasov Cc: Pablo Neira Ayuso Signed-off-by: Cong Wang --- net/netfilter/ipvs/ip_vs_lblcr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c index 92adc04557ed..bc2bc5eebcb8 100644 --- a/net/netfilter/ipvs/ip_vs_lblcr.c +++ b/net/netfilter/ipvs/ip_vs_lblcr.c @@ -534,6 +534,7 @@ static int ip_vs_lblcr_init_svc(struct ip_vs_service *svc) tbl->counter = 1; tbl->dead = false; tbl->svc = svc; + atomic_set(>entries, 0); /* *Hook periodic timer for garbage collection -- 2.13.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
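Review bot: same fix as the lblc patch, applied to the lblcr table, but the commit message names ip_vs_lblc_check_expire() while this file's garbage collector is ip_vs_lblcr_check_expire(); name the function the warning was reported in for this file. As in the lblc patch the archive rendering dropped characters from `atomic_set(>entries, 0);` (intended: `&tbl->entries`), and the same kzalloc() alternative and Fixes: tag remarks apply.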
Re: [PATCH 00/12] Netfilter/IPVS fixes for net
From: Pablo Neira Ayuso
Date: Mon, 23 Apr 2018 19:57:02 +0200

> The following patchset contains Netfilter/IPVS fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thank you.
Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
On Mon, 23 Apr 2018 22:08:44 +0200 Florian Westphalwrote: > Ahmed Abdelsalam wrote: > > > > @@ -50,6 +62,12 @@ struct ip6t_srh { > > > > __u8segs_left; > > > > __u8last_entry; > > > > __u16 tag; > > > > + struct in6_addr psid_addr; > > > > + struct in6_addr nsid_addr; > > > > + struct in6_addr lsid_addr; > > > > + struct in6_addr psid_msk; > > > > + struct in6_addr nsid_msk; > > > > + struct in6_addr lsid_msk; > > > > > > This is changing something exposed through UAPI, so you will need a > > > new revision for this. > > > > Could you please advice what should be done in this case? > > You need to add > struct ip6t_srh_v1 { > /* copy of struct ip6t_srh here */ > > /* new fields go here */ > }; > > > Look at xt_conntrack.c, conntrack_mt_reg[] for an example of > multi-revision match. > > You can probably re-origanise code to avoid too much duplication. > See 5a786232eb69a1f870ddc0cfd69d5bdef241a2ea in nf.git for an example, > it makes v0 into a v1 struct at runtime and re-uses new v1 code > for old v0. > > Thanks Florian! -- Ahmed Abdelsalam -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
Ahmed Abdelsalamwrote: > > > @@ -50,6 +62,12 @@ struct ip6t_srh { > > > __u8segs_left; > > > __u8last_entry; > > > __u16 tag; > > > + struct in6_addr psid_addr; > > > + struct in6_addr nsid_addr; > > > + struct in6_addr lsid_addr; > > > + struct in6_addr psid_msk; > > > + struct in6_addr nsid_msk; > > > + struct in6_addr lsid_msk; > > > > This is changing something exposed through UAPI, so you will need a > > new revision for this. > > Could you please advice what should be done in this case? You need to add struct ip6t_srh_v1 { /* copy of struct ip6t_srh here */ /* new fields go here */ }; Look at xt_conntrack.c, conntrack_mt_reg[] for an example of multi-revision match. You can probably re-origanise code to avoid too much duplication. See 5a786232eb69a1f870ddc0cfd69d5bdef241a2ea in nf.git for an example, it makes v0 into a v1 struct at runtime and re-uses new v1 code for old v0. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
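An added illustration (my code, not Florian's or the kernel's) of why the posted struct change needs a new match revision and how the new SID options evaluate. It keeps only the `struct ip6t_srh` fields visible in the quoted hunk (an assumption; the real struct has more leading fields), names the new struct `ip6t_srh_v1` as suggested above, promotes v0 to v1 at runtime, and models the previous/next/last SID lookup over a constructed SID list.

```c
#include <netinet/in.h>   /* struct in6_addr, s6_addr */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flag bits from the quoted ip6t_srh.h hunk; the INV_* bits have the same values */
#define IP6T_SRH_PSID 0x0800
#define IP6T_SRH_NSID 0x1000
#define IP6T_SRH_LSID 0x2000

/* Revision 0 as shipped binaries see it, reduced to the fields visible in
 * the quoted hunk (assumption: the real struct has more leading fields) */
struct ip6t_srh {
	uint8_t  segs_left, last_entry;
	uint16_t tag, mt_flags, mt_invflags;
};

/* Layout the posted patch produces: SID fields inserted before mt_flags */
struct ip6t_srh_posted {
	uint8_t  segs_left, last_entry;
	uint16_t tag;
	struct in6_addr psid_addr, nsid_addr, lsid_addr, psid_msk, nsid_msk, lsid_msk;
	uint16_t mt_flags, mt_invflags;
};

/* Revision 1 as suggested above: the v0 struct first, the new fields after it */
struct ip6t_srh_v1 {
	struct ip6t_srh v0;
	struct in6_addr psid_addr, nsid_addr, lsid_addr, psid_msk, nsid_msk, lsid_msk;
};

/* The posted layout moves mt_flags under old binaries; v1 keeps v0 as a prefix */
bool v1_keeps_v0_layout(void)
{
	return offsetof(struct ip6t_srh_posted, mt_flags) != offsetof(struct ip6t_srh, mt_flags) && offsetof(struct ip6t_srh_v1, v0) == 0;
}

/* Promote v0 to v1 at runtime: copy the prefix, clear the rest (v0 never sets SID flags) */
struct ip6t_srh_v1 srh_v0_to_v1(struct ip6t_srh v0)
{
	struct ip6t_srh_v1 v1;
	memset(&v1, 0, sizeof(v1));
	v1.v0 = v0;
	return v1;
}

/* Masked 128-bit compare, XOR the option's invert bit */
static bool sid_opt(uint16_t inv, uint16_t bit, const struct in6_addr *sid, const struct in6_addr *want, const struct in6_addr *msk)
{
	bool eq = true;
	for (int i = 0; i < 16; i++)
		if ((sid->s6_addr[i] ^ want->s6_addr[i]) & msk->s6_addr[i])
			eq = false;
	return eq != !!(inv & bit);
}

/* segs[] is in header order: segs[0] is the last SID and segs[segs_left] the active
 * one, so previous = segs[segs_left + 1], next = segs[segs_left - 1]; a selected
 * SID that does not exist (first or last hop) cannot match. */
bool srh_match_sids(const struct ip6t_srh_v1 *i, const struct in6_addr *segs, unsigned int last_entry, unsigned int segs_left)
{
	uint16_t f = i->v0.mt_flags, inv = i->v0.mt_invflags;
	if ((f & IP6T_SRH_PSID) && (segs_left >= last_entry ||
	    !sid_opt(inv, IP6T_SRH_PSID, &segs[segs_left + 1], &i->psid_addr, &i->psid_msk)))
		return false;
	if ((f & IP6T_SRH_NSID) && (segs_left == 0 ||
	    !sid_opt(inv, IP6T_SRH_NSID, &segs[segs_left - 1], &i->nsid_addr, &i->nsid_msk)))
		return false;
	if ((f & IP6T_SRH_LSID) &&
	    !sid_opt(inv, IP6T_SRH_LSID, &segs[0], &i->lsid_addr, &i->lsid_msk))
		return false;
	return true;
}

/* Constructed 2001:db8:<site>::<host> address */
static struct in6_addr mk_sid(uint8_t site, uint8_t host)
{
	struct in6_addr a;
	memset(&a, 0, sizeof(a));
	memcpy(a.s6_addr, "\x20\x01\x0d\xb8", 4);
	a.s6_addr[5] = site; a.s6_addr[15] = host;
	return a;
}

/* Constructed scenario: SID list through sites 1 -> 2 -> 3 (stored last first). The rule
 * wants previous SID 2001:db8:1::1 exactly, next SID in 2001:db8:3::/64 and last SID
 * 2001:db8:3::1 exactly; flags choose which of the three options apply. */
bool demo(uint16_t flags, uint16_t invflags, unsigned int segs_left)
{
	struct in6_addr segs[3] = { mk_sid(3, 1), mk_sid(2, 1), mk_sid(1, 1) };
	struct ip6t_srh_v1 info;
	memset(&info, 0, sizeof(info));
	info.v0.mt_flags = flags;
	info.v0.mt_invflags = invflags;
	info.psid_addr = mk_sid(1, 1);  memset(&info.psid_msk, 0xff, 16);  /* /128 */
	info.nsid_addr = mk_sid(3, 99); memset(&info.nsid_msk, 0xff, 8);   /* /64 */
	info.lsid_addr = mk_sid(3, 1);  memset(&info.lsid_msk, 0xff, 16);  /* /128 */
	return srh_match_sids(&info, segs, 2, segs_left);
}
```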
Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
On Mon, 23 Apr 2018 19:30:47 +0200 Pablo Neira Ayusowrote: > On Mon, Apr 23, 2018 at 05:48:22AM -0500, Ahmed Abdelsalam wrote: > > Signed-off-by: Ahmed Abdelsalam > > --- > > include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +-- > > net/ipv6/netfilter/ip6t_srh.c| 41 > > +++- > > 2 files changed, 60 insertions(+), 3 deletions(-) > > > > diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h > > b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h > > index f3cc0ef..9808382 100644 > > --- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h > > +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h > > @@ -17,7 +17,10 @@ > > #define IP6T_SRH_LAST_GT0x0100 > > #define IP6T_SRH_LAST_LT0x0200 > > #define IP6T_SRH_TAG0x0400 > > -#define IP6T_SRH_MASK 0x07FF > > +#define IP6T_SRH_PSID 0x0800 > > +#define IP6T_SRH_NSID 0x1000 > > +#define IP6T_SRH_LSID 0x2000 > > +#define IP6T_SRH_MASK 0x3FFF > > > > /* Values for "mt_invflags" field in struct ip6t_srh */ > > #define IP6T_SRH_INV_NEXTHDR0x0001 > > @@ -31,7 +34,10 @@ > > #define IP6T_SRH_INV_LAST_GT0x0100 > > #define IP6T_SRH_INV_LAST_LT0x0200 > > #define IP6T_SRH_INV_TAG0x0400 > > -#define IP6T_SRH_INV_MASK 0x07FF > > +#define IP6T_SRH_INV_PSID 0x0800 > > +#define IP6T_SRH_INV_NSID 0x1000 > > +#define IP6T_SRH_INV_LSID 0x2000 > > +#define IP6T_SRH_INV_MASK 0x3FFF > > > > /** > > * struct ip6t_srh - SRH match options > > @@ -40,6 +46,12 @@ > > * @ segs_left: Segments left field of SRH > > * @ last_entry: Last entry field of SRH > > * @ tag: Tag field of SRH > > + * @ psid_addr: Address of previous SID in SRH SID list > > + * @ nsid_addr: Address of NEXT SID in SRH SID list > > + * @ lsid_addr: Address of LAST SID in SRH SID list > > + * @ psid_msk: Mask of previous SID in SRH SID list > > + * @ nsid_msk: Mask of next SID in SRH SID list > > + * @ lsid_msk: MAsk of last SID in SRH SID list > > * @ mt_flags: match options > > * @ mt_invflags: Invert the sense of match options > > */ 
> > @@ -50,6 +62,12 @@ struct ip6t_srh { > > __u8segs_left; > > __u8last_entry; > > __u16 tag; > > + struct in6_addr psid_addr; > > + struct in6_addr nsid_addr; > > + struct in6_addr lsid_addr; > > + struct in6_addr psid_msk; > > + struct in6_addr nsid_msk; > > + struct in6_addr lsid_msk; > > This is changing something exposed through UAPI, so you will need a > new revision for this. Could you please advice what should be done in this case? > > > __u16 mt_flags; > > __u16 mt_invflags; > > }; > > diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c > > index 33719d5..2b5cc73 100644 > > --- a/net/ipv6/netfilter/ip6t_srh.c > > +++ b/net/ipv6/netfilter/ip6t_srh.c > > @@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct > > xt_action_param *par) > > const struct ip6t_srh *srhinfo = par->matchinfo; > > struct ipv6_sr_hdr *srh; > > struct ipv6_sr_hdr _srh; > > - int hdrlen, srhoff = 0; > > + int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0; > > + struct in6_addr *psid, *nsid, *lsid; > > + struct in6_addr _psid, _nsid, _lsid; > > Could you rearrange variable definitions? ie. longest line first, eg. > > int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0; > const struct ip6t_srh *srhinfo = par->matchinfo; > struct in6_addr *psid, *nsid, *lsid; > struct ipv6_sr_hdr *srh; > struct ipv6_sr_hdr _srh; > Ok I will re-arrange them in reverse christmas tree form. Ahmed -- Ahmed Abdelsalam -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
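Review bot: the six `struct in6_addr` fields are inserted before mt_flags/mt_invflags, which both moves those two fields' offsets and grows the structure, so a binary built against the old `struct ip6t_srh` hands the kernel a matchinfo it can no longer interpret; that is the UAPI break behind the request for a new revision. For the v1 struct, keeping the v0 layout as a prefix and adding the new fields after mt_invflags lets the kernel promote a v0 matchinfo to v1 at runtime, as the nf.git commit Florian points at does. Also "MAsk" in the `@ lsid_msk` kernel-doc line, and "advice" should read "advise".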
[PATCH 12/12] netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to xt_connmark_tginfo2
These structures have different layout, fill xt_connmark_tginfo2 with old fields in xt_connmark_tginfo1. Based on patch from Jack Ma. Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for CONNMARK & MARK targets.") Signed-off-by: Pablo Neira Ayuso--- net/netfilter/xt_connmark.c | 38 ++ 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c index 4b424e6caf3e..94df000abb92 100644 --- a/net/netfilter/xt_connmark.c +++ b/net/netfilter/xt_connmark.c @@ -36,9 +36,7 @@ MODULE_ALIAS("ipt_connmark"); MODULE_ALIAS("ip6t_connmark"); static unsigned int -connmark_tg_shift(struct sk_buff *skb, - const struct xt_connmark_tginfo1 *info, - u8 shift_bits, u8 shift_dir) +connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info) { enum ip_conntrack_info ctinfo; u_int32_t new_targetmark; @@ -52,10 +50,11 @@ connmark_tg_shift(struct sk_buff *skb, switch (info->mode) { case XT_CONNMARK_SET: newmark = (ct->mark & ~info->ctmask) ^ info->ctmark; - if (shift_dir == D_SHIFT_RIGHT) - newmark >>= shift_bits; + if (info->shift_dir == D_SHIFT_RIGHT) + newmark >>= info->shift_bits; else - newmark <<= shift_bits; + newmark <<= info->shift_bits; + if (ct->mark != newmark) { ct->mark = newmark; nf_conntrack_event_cache(IPCT_MARK, ct); @@ -63,10 +62,11 @@ connmark_tg_shift(struct sk_buff *skb, break; case XT_CONNMARK_SAVE: new_targetmark = (skb->mark & info->nfmask); - if (shift_dir == D_SHIFT_RIGHT) - new_targetmark >>= shift_bits; + if (info->shift_dir == D_SHIFT_RIGHT) + new_targetmark >>= info->shift_bits; else - new_targetmark <<= shift_bits; + new_targetmark <<= info->shift_bits; + newmark = (ct->mark & ~info->ctmask) ^ new_targetmark; if (ct->mark != newmark) { 
@@ -76,10 +76,11 @@ connmark_tg_shift(struct sk_buff *skb, break; case XT_CONNMARK_RESTORE: new_targetmark = (ct->mark & info->ctmask); - if (shift_dir == D_SHIFT_RIGHT) - new_targetmark >>= shift_bits; + if (info->shift_dir == D_SHIFT_RIGHT) + new_targetmark >>= info->shift_bits; else - new_targetmark <<= shift_bits; + new_targetmark <<= info->shift_bits; + newmark = (skb->mark & ~info->nfmask) ^ new_targetmark; skb->mark = newmark; @@ -92,8 +93,14 @@ static unsigned int connmark_tg(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_connmark_tginfo1 *info = par->targinfo; - - return connmark_tg_shift(skb, info, 0, 0); + const struct xt_connmark_tginfo2 info2 = { + .ctmark = info->ctmark, + .ctmask = info->ctmask, + .nfmask = info->nfmask, + .mode = info->mode, + }; + + return connmark_tg_shift(skb, ); } static unsigned int @@ -101,8 +108,7 @@ connmark_tg_v2(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_connmark_tginfo2 *info = par->targinfo; - return connmark_tg_shift(skb, (const struct xt_connmark_tginfo1 *)info, -info->shift_bits, info->shift_dir); + return connmark_tg_shift(skb, info); } static int connmark_tg_check(const struct xt_tgchk_param *par) -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
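Review bot: the on-stack `info2` in connmark_tg() leaves shift_bits and shift_dir zero, so the revision-1 path shifts by 0 to the left (D_SHIFT_LEFT is 0 per the libxt_CONNMARK enum on this page) and behaves exactly as before; that is the right replacement for the old cast, which read shift_bits and shift_dir from beyond the end of a v1 targinfo. The archive lost the argument in `connmark_tg_shift(skb, );`, which should pass the address of info2. Remaining point: shift_bits is still applied unchecked, and with userspace allowing values up to 32 a shift of a u_int32_t by 32 is undefined, so connmark_tg_check() (or a v2 checkentry) should reject shift_bits of 32 or more.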
[PATCH 11/12] netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update
From: Taehee Yoo
When chain name is changed, nft_chain_commit_update is called. In the nft_chain_commit_update, trans->ctx.chain->name has old chain name and nft_trans_chain_name(trans) has new chain name. If new chain name is longer than old chain name, KASAN warns slab-out-of-bounds. [ 175.015012] BUG: KASAN: slab-out-of-bounds in strcpy+0x9e/0xb0 [ 175.022735] Write of size 1 at addr 880114e022da by task iptables-compat/1458 [ 175.031353] CPU: 0 PID: 1458 Comm: iptables-compat Not tainted 4.16.0-rc7+ #146 [ 175.031353] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015 [ 175.031353] Call Trace: [ 175.031353] dump_stack+0x68/0xa0 [ 175.031353] print_address_description+0xd0/0x260 [ 175.031353] ? strcpy+0x9e/0xb0 [ 175.031353] kasan_report+0x234/0x350 [ 175.031353] __asan_report_store1_noabort+0x1c/0x20 [ 175.031353] strcpy+0x9e/0xb0 [ 175.031353] nf_tables_commit+0x1ccc/0x2990 [ 175.031353] nfnetlink_rcv+0x141e/0x16c0 [ 175.031353] ? nfnetlink_net_init+0x150/0x150 [ 175.031353] ? lock_acquire+0x370/0x370 [ 175.031353] ? lock_acquire+0x370/0x370 [ 175.031353] netlink_unicast+0x444/0x640 [ 175.031353] ? netlink_attachskb+0x700/0x700 [ 175.031353] ? _copy_from_iter_full+0x180/0x740 [ 175.031353] ? kasan_check_write+0x14/0x20 [ 175.031353] ? _copy_from_user+0x9b/0xd0 [ 175.031353] netlink_sendmsg+0x845/0xc70 [ ... ] Steps to reproduce: iptables-compat -N 1 iptables-compat -E 1 a Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 102ad873acb4..04d4e3772584 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c
@@ -5745,7 +5745,7 @@ static void nft_chain_commit_update(struct nft_trans *trans) struct nft_base_chain *basechain; if (nft_trans_chain_name(trans)) - strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans)); + swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); if (!nft_is_base_chain(trans->ctx.chain)) return; -- 2.11.0
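Review bot: swapping the two pointers fixes the overflow because trans->ctx.chain->name was allocated for the old name's length and strcpy() of a longer new name ran past it (the report shows the 1-byte write inside strcpy); after the swap the old buffer is reachable only through nft_trans_chain_name(trans), so whatever releases the transaction must kfree() that pointer or the old name leaks; a sentence in the changelog confirming that path would help, and a Fixes: tag naming the commit that made chain names dynamically sized would help stable backports.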
[PATCH 03/12] netfilter: ebtables: don't attempt to allocate 0-sized compat array
From: Florian Westphal
Dmitry reports 32bit ebtables on 64bit kernel got broken by a recent change that returns -EINVAL when ruleset has no entries. ebtables however only counts user-defined chains, so for the initial table nentries will be 0. Don't try to allocate the compat array in this case, as no user defined rules exist, no rule will need 64bit translation. Reported-by: Dmitry Vyukov Fixes: 7d7d7e02111e9 ("netfilter: compat: reject huge allocation requests") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/bridge/netfilter/ebtables.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 032e0fe45940..28a4c3490359 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1825,13 +1825,14 @@ static int compat_table_info(const struct ebt_table_info *info, { unsigned int size = info->entries_size; const void *entries = info->entries; - int ret; newinfo->entries_size = size; - - ret = xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries); - if (ret) - return ret; + if (info->nentries) { + int ret = xt_compat_init_offsets(NFPROTO_BRIDGE, +info->nentries); + if (ret) + return ret; + } return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info, entries, newinfo); -- 2.11.0
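Review bot: with info->nentries == 0 the function now skips xt_compat_init_offsets() but still runs EBT_ENTRY_ITERATE over the entries; confirm that compat_calc_entry() only computes sizes and never records offsets in the per-protocol compat table, otherwise the zero-entry case would touch state that was never set up. The changelog could also say that the -EINVAL came from the zero-sized allocation being rejected inside xt_compat_init_offsets() (the Fixes: commit), which is why skipping the call, rather than special-casing inside it, is enough.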
[PATCH 05/12] netfilter: conntrack: silent a memory leak warning
From: Cong Wang
The following memory leak is a false positive: unreferenced object 0x8f37f156fb38 (size 128): comm "softirq", pid 0, jiffies 4294899665 (age 11.292s) hex dump (first 32 bytes): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 30 00 20 00 48 6b 6b 6b 6b 6b 6b 6b 0. .Hkkk backtrace: [<4fda266a>] __kmalloc_track_caller+0x10d/0x141 [<7b0a7e3c>] __krealloc+0x45/0x62 [ ] nf_ct_ext_add+0xdc/0x133 [<99b47fd8>] init_conntrack+0x1b1/0x392 [<86dc36ec>] nf_conntrack_in+0x1ee/0x34b [<940592de>] nf_hook_slow+0x36/0x95 [ ] nf_hook.constprop.43+0x1c3/0x1dd [ ] __ip_local_out+0xae/0xb4 [<3e4192a6>] ip_local_out+0x17/0x33 [ ] igmp_ifc_timer_expire+0x23e/0x26f [<6a8f3032>] call_timer_fn+0x14c/0x2a5 [<650c1725>] __run_timers.part.34+0x150/0x182 [<90e6946e>] run_timer_softirq+0x2a/0x4c [<4d1e7293>] __do_softirq+0x1d1/0x3c2 [<4643557d>] irq_exit+0x53/0xa2 [<29ddee8f>] smp_apic_timer_interrupt+0x22a/0x235 because __krealloc() is not supposed to release the old memory and it is released later via kfree_rcu(). Since this is the only external user of __krealloc(), just mark it as not leak here. Signed-off-by: Cong Wang Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_extend.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c index 9fe0ddc333fb..bd71a828ebde 100644 --- a/net/netfilter/nf_conntrack_extend.c +++ b/net/netfilter/nf_conntrack_extend.c @@ -71,6 +71,7 @@ void *nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp) rcu_read_unlock(); alloc = max(newlen, NF_CT_EXT_PREALLOC); + kmemleak_not_leak(old); new = __krealloc(old, alloc, gfp); if (!new) return NULL; -- 2.11.0
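Review bot: kmemleak_not_leak() is declared in linux/kmemleak.h and this hunk does not show the file's include list; patch 09/12 in this very series reports a linux-next ppc64 build failing with an implicit declaration of exactly this function, so the include belongs in this change rather than in a follow-up. `old` may be NULL for a conntrack that has no extensions yet; kmemleak_not_leak() ignores NULL and error pointers, so no guard is needed, but a short comment above the call explaining that the old block is freed later via kfree_rcu() (the changelog's reasoning) would keep the next reader from deleting it as a leak.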
[PATCH 04/12] netfilter: xt_connmark: Add bit mapping for bit-shift operation.
From: Jack Ma
With the addition of bit-shift operations, we are able to shift ct/skbmark based on user requirements. However, this change might also cause the most left/right hand-side mark to be accidentally lost during shift operations. This patch adds the ability to 'grep' certain bits based on ctmask or nfmask out of the original mark. Then, apply shift operations to achieve a new mapping between ctmark and skb->mark. For example: If someone would like to save the fourth F bits of ctmark 0xFFF(F)000F into the seventh hexadecimal (0) skb->mark 0xABC000(0)E. new_targetmark = (ctmark & ctmask) >> 12; (new) skb->mark = (skb->mark &~nfmask) ^ new_targetmark; This will preserve the other bits that are not related to this operation. Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for CONNMARK & MARK targets.") Reviewed-by: Florian Westphal Signed-off-by: Jack Ma Signed-off-by: Pablo Neira Ayuso --- net/netfilter/xt_connmark.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c index 773da82190dc..4b424e6caf3e 100644 --- a/net/netfilter/xt_connmark.c +++ b/net/netfilter/xt_connmark.c @@ -41,6 +41,7 @@ connmark_tg_shift(struct sk_buff *skb, u8 shift_bits, u8 shift_dir) { enum ip_conntrack_info ctinfo; + u_int32_t new_targetmark; struct nf_conn *ct; u_int32_t newmark;
@@ -61,24 +62,26 @@ connmark_tg_shift(struct sk_buff *skb, } break; case XT_CONNMARK_SAVE: - newmark = (ct->mark & ~info->ctmask) ^ - (skb->mark & info->nfmask); + new_targetmark = (skb->mark & info->nfmask); if (shift_dir == D_SHIFT_RIGHT) - newmark >>= shift_bits; + new_targetmark >>= shift_bits; else - newmark <<= shift_bits; + new_targetmark <<= shift_bits; + newmark = (ct->mark & ~info->ctmask) ^ + new_targetmark; if (ct->mark != newmark) { ct->mark = newmark; nf_conntrack_event_cache(IPCT_MARK, ct); } break; case XT_CONNMARK_RESTORE: - newmark = (skb->mark & ~info->nfmask) ^ - (ct->mark & info->ctmask); + new_targetmark = (ct->mark & info->ctmask); if (shift_dir == D_SHIFT_RIGHT) - newmark >>= shift_bits; + new_targetmark >>= shift_bits; else - newmark <<= shift_bits; + new_targetmark <<= shift_bits; + newmark = (skb->mark & ~info->nfmask) ^ + new_targetmark; skb->mark = newmark; break; } -- 2.11.0
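Review bot: in the @@ -61,24 +62,26 @@ hunk the shifted field is XORed into the destination mark without being masked again, so a shift that carries bits outside ctmask (SAVE) or outside nfmask (RESTORE) flips bits the masks said to preserve; either AND `new_targetmark` with the destination mask before the XOR (`new_targetmark &= info->ctmask;` in SAVE, `&= info->nfmask` in RESTORE), or state in the changelog and the iptables man page that ctmask/nfmask and the shift count must describe the same field. With all-ones masks the extra AND is a no-op, so existing rules would not change.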
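As an added example (mine, not code from the patch or the kernel tree), the SAVE/RESTORE arithmetic from the description modelled in user-space C, with the pre-patch form beside it and a helper for the edge case where the shifted field does not fit the destination mask; the function names and the `SHIFT_RIGHT` constant are the example's own stand-ins for the kernel's.

```c
/* Added example (not part of the patch or the kernel): a user-space model of
 * the xt_connmark SAVE/RESTORE arithmetic after this change, next to the
 * pre-change form, so the mask/shift interplay in the description can be
 * tried on concrete marks.  Names are the example's own. */
#include <stdint.h>
#include <stdio.h>

#define SHIFT_LEFT  0
#define SHIFT_RIGHT 1   /* stands in for the kernel's D_SHIFT_RIGHT */

/* Shift helper: a count of 32 or more is undefined in C, so treat it as
 * "every bit shifted out" instead of letting the compiler pick a result. */
static uint32_t shift_mark(uint32_t v, unsigned shift_bits, int shift_dir)
{
    if (shift_bits >= 32)
        return 0;
    return shift_dir == SHIFT_RIGHT ? v >> shift_bits : v << shift_bits;
}

/* XT_CONNMARK_SAVE after the patch: move the nfmask-selected field of
 * skb->mark into ct->mark, keeping every ct->mark bit outside ctmask. */
uint32_t connmark_save(uint32_t ctmark, uint32_t skbmark,
                       uint32_t ctmask, uint32_t nfmask,
                       unsigned shift_bits, int shift_dir)
{
    uint32_t moved = shift_mark(skbmark & nfmask, shift_bits, shift_dir);
    return (ctmark & ~ctmask) ^ moved;
}

/* XT_CONNMARK_RESTORE after the patch: move the ctmask-selected field of
 * ct->mark into skb->mark, keeping every skb->mark bit outside nfmask. */
uint32_t connmark_restore(uint32_t ctmark, uint32_t skbmark,
                          uint32_t ctmask, uint32_t nfmask,
                          unsigned shift_bits, int shift_dir)
{
    uint32_t moved = shift_mark(ctmark & ctmask, shift_bits, shift_dir);
    return (skbmark & ~nfmask) ^ moved;
}

/* XT_CONNMARK_RESTORE before the patch: the merged value was shifted as a
 * whole, so the preserved skb->mark bits were shifted too and lost. */
uint32_t connmark_restore_old(uint32_t ctmark, uint32_t skbmark,
                              uint32_t ctmask, uint32_t nfmask,
                              unsigned shift_bits, int shift_dir)
{
    uint32_t merged = (skbmark & ~nfmask) ^ (ctmark & ctmask);
    return shift_mark(merged, shift_bits, shift_dir);
}

/* 1 if the shifted source field lands entirely inside the destination mask,
 * i.e. the XOR can never flip a bit the masks said to preserve. */
int mapping_is_contained(uint32_t src_mask, uint32_t dst_mask,
                         unsigned shift_bits, int shift_dir)
{
    return (shift_mark(src_mask, shift_bits, shift_dir) & ~dst_mask) == 0;
}

int main(void)
{
    /* The description's example: hex digit 4 of ctmark 0xFFFF000F (bits
     * 16..19) goes to hex digit 7 of skb->mark 0xABC0000E (bits 4..7). */
    uint32_t ctmask = 0x000F0000, nfmask = 0x000000F0;
    printf("new : %08x\n", connmark_restore(0xFFFF000F, 0xABC0000E,
                                            ctmask, nfmask, 12, SHIFT_RIGHT));
    printf("old : %08x\n", connmark_restore_old(0xFFFF000F, 0xABC0000E,
                                                ctmask, nfmask, 12, SHIFT_RIGHT));
    printf("fits: %d\n", mapping_is_contained(ctmask, nfmask, 12, SHIFT_RIGHT));
    return 0;
}
```

Running it shows the post-patch mapping producing 0xABC000FE (only hex digit 7 changed) while the pre-patch form shifts the whole merged value and returns 0x000ABCF0, destroying the skb->mark bits the rule meant to keep; `mapping_is_contained()` is the check a rule generator can run to catch mask/shift combinations whose moved bits would spill outside the destination field.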
[PATCH 09/12] netfilter: conntrack: include kmemleak.h for kmemleak_not_leak()
From: Stephen Rothwell
After merging the netfilter tree, today's linux-next build (powerpc ppc64_defconfig) failed like this: net/netfilter/nf_conntrack_extend.c: In function 'nf_ct_ext_add': net/netfilter/nf_conntrack_extend.c:74:2: error: implicit declaration of function 'kmemleak_not_leak' [-Werror=implicit-function-declaration] kmemleak_not_leak(old); ^ cc1: some warnings being treated as errors Fixes: 114aa35d06d4 ("netfilter: conntrack: silent a memory leak warning") Signed-off-by: Stephen Rothwell Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_extend.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c index bd71a828ebde..277bbfe26478 100644 --- a/net/netfilter/nf_conntrack_extend.c +++ b/net/netfilter/nf_conntrack_extend.c @@ -9,6 +9,7 @@ * 2 of the License, or (at your option) any later version. */ #include +#include #include #include #include -- 2.11.0
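Review bot: the header names were stripped from this hunk as rendered here (every `#include` line lost its bracketed argument), so the added line cannot be checked beyond the changelog; the compiler error quoted above names `kmemleak_not_leak`, which is declared in linux/kmemleak.h, so that is the include expected on the `+` line. Keeping the include list sorted when adding it avoids a merge conflict with the next header someone adds here.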
[PATCH 10/12] netfilter: nf_tables: NAT chain and extensions require NF_TABLES
Move these options inside the scope of the 'if' NF_TABLES and NF_TABLES_IPV6 dependencies. This patch fixes: net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_nat_do_chain': >> net/ipv6/netfilter/nft_chain_nat_ipv6.c:37: undefined reference to >> `nft_do_chain' net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_exit': >> net/ipv6/netfilter/nft_chain_nat_ipv6.c:94: undefined reference to >> `nft_unregister_chain_type' net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_init': >> net/ipv6/netfilter/nft_chain_nat_ipv6.c:87: undefined reference to >> `nft_register_chain_type' that happens with: CONFIG_NF_TABLES=m CONFIG_NFT_CHAIN_NAT_IPV6=y Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type") Reported-by: kbuild test robot Signed-off-by: Pablo Neira Ayuso --- net/ipv6/netfilter/Kconfig | 55 +++--- 1 file changed, 28 insertions(+), 27 deletions(-) diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index ccbfa83e4bb0..ce77bcc2490c 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig
@@ -48,6 +48,34 @@ config NFT_CHAIN_ROUTE_IPV6 fields such as the source, destination, flowlabel, hop-limit and the packet mark. +if NF_NAT_IPV6 + +config NFT_CHAIN_NAT_IPV6 + tristate "IPv6 nf_tables nat chain support" + help + This option enables the "nat" chain for IPv6 in nf_tables. This + chain type is used to perform Network Address Translation (NAT) + packet transformations such as the source, destination address and + source and destination ports. + +config NFT_MASQ_IPV6 + tristate "IPv6 masquerade support for nf_tables" + depends on NFT_MASQ + select NF_NAT_MASQUERADE_IPV6 + help + This is the expression that provides IPv4 masquerading support for + nf_tables. + +config NFT_REDIR_IPV6 + tristate "IPv6 redirect support for nf_tables" + depends on NFT_REDIR + select NF_NAT_REDIRECT + help + This is the expression that provides IPv4 redirect support for + nf_tables. + +endif # NF_NAT_IPV6 + config NFT_REJECT_IPV6 select NF_REJECT_IPV6 default NFT_REJECT 
@@ -107,39 +135,12 @@ config NF_NAT_IPV6 if NF_NAT_IPV6 -config NFT_CHAIN_NAT_IPV6 - depends on NF_TABLES_IPV6 - tristate "IPv6 nf_tables nat chain support" - help - This option enables the "nat" chain for IPv6 in nf_tables. This - chain type is used to perform Network Address Translation (NAT) - packet transformations such as the source, destination address and - source and destination ports. - config NF_NAT_MASQUERADE_IPV6 tristate "IPv6 masquerade support" help This is the kernel functionality to provide NAT in the masquerade flavour (automatic source address selection) for IPv6. -config NFT_MASQ_IPV6 - tristate "IPv6 masquerade support for nf_tables" - depends on NF_TABLES_IPV6 - depends on NFT_MASQ - select NF_NAT_MASQUERADE_IPV6 - help - This is the expression that provides IPv4 masquerading support for - nf_tables. - -config NFT_REDIR_IPV6 - tristate "IPv6 redirect support for nf_tables" - depends on NF_TABLES_IPV6 - depends on NFT_REDIR - select NF_NAT_REDIRECT - help - This is the expression that provides IPv4 redirect support for - nf_tables. - endif # NF_NAT_IPV6 config IP6_NF_IPTABLES -- 2.11.0
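Review bot: in the @@ -48,6 +48,34 @@ hunk the help texts being moved for NFT_MASQ_IPV6 and NFT_REDIR_IPV6 still say "provides IPv4 masquerading support" and "provides IPv4 redirect support" for IPv6 options; since the text is being relocated anyway, correct both to IPv6. It would also help to say in the changelog that the three dropped `depends on NF_TABLES_IPV6` lines are now implied by nesting the new `if NF_NAT_IPV6` block inside the existing NF_TABLES_IPV6 scope, which is the actual mechanism behind the fix.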
[PATCH 01/12] netfilter: nf_conntrack_sip: allow duplicate SDP expectations
From: Florian Westphal
Callum Sinclair reported SIP IP Phone errors that he tracked down to such phones sending session descriptions for different media types but with same port numbers. The expect core will only 'refresh' existing expectation if it is from same master AND same expectation class (media type). As expectation class is different, we get an error. The SIP connection tracking code will then 1). drop the SDP packet 2). if an rtp expectation was already installed successfully, error on rtcp expectation will cancel the rtp one. Make the expect core report back to caller when the conflict is due to different expectation class and have SIP tracker ignore soft-error. Reported-by: Callum Sinclair Tested-by: Callum Sinclair Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_expect.c | 5 - net/netfilter/nf_conntrack_sip.c| 16 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 8ef21d9f9a00..4b2b3d53acfc 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c @@ -252,7 +252,7 @@ static inline int expect_clash(const struct nf_conntrack_expect *a, static inline int expect_matches(const struct nf_conntrack_expect *a, const struct nf_conntrack_expect *b) { - return a->master == b->master && a->class == b->class && + return a->master == b->master && nf_ct_tuple_equal(>tuple, >tuple) && nf_ct_tuple_mask_equal(>mask, >mask) && net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) && @@ -421,6 +421,9 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect) h = nf_ct_expect_dst_hash(net, >tuple); hlist_for_each_entry_safe(i, next, _ct_expect_hash[h], hnode) { if (expect_matches(i, expect)) { + if (i->class != expect->class) + return -EALREADY; + if (nf_ct_remove_expect(i)) break; } else if (expect_clash(i, expect)) {
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 4dbb5bad4363..908e51e2dc2b 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -938,11 +938,19 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff, datalen, rtp_exp, rtcp_exp, mediaoff, medialen, daddr); else { - if (nf_ct_expect_related(rtp_exp) == 0) { - if (nf_ct_expect_related(rtcp_exp) != 0) - nf_ct_unexpect_related(rtp_exp); - else + /* -EALREADY handling works around end-points that send +* SDP messages with identical port but different media type, +* we pretend expectation was set up. +*/ + int errp = nf_ct_expect_related(rtp_exp); + + if (errp == 0 || errp == -EALREADY) { + int errcp = nf_ct_expect_related(rtcp_exp); + + if (errcp == 0 || errcp == -EALREADY) ret = NF_ACCEPT; + else if (errp == 0) + nf_ct_unexpect_related(rtp_exp); } } nf_ct_expect_put(rtcp_exp); -- 2.11.0
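Review bot: in the @@ -252,7 +252,7 @@ hunk, dropping `a->class == b->class` widens what expect_matches() considers a match for every caller, not only the SIP path; the only caller visible here is __nf_ct_expect_check(), which now handles the class mismatch itself, so check that no other user of expect_matches() in nf_conntrack_expect.c relied on same-class semantics before this goes in.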
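Review bot: in the @@ -421,6 +421,9 @@ hunk, returning -EALREADY before nf_ct_remove_expect() keeps the existing expectation of the other class alive, which is the intended soft failure; helpers other than SIP will still treat the non-zero return as an error, as they do for the other error returns from this function, so their behaviour does not change, but a comment above the `return -EALREADY` saying it is a soft error for callers that can tolerate the duplicate would stop someone later folding it back into the clash path.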
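Review bot: in the nf_conntrack_sip.c hunk, limiting the unexpect on rtcp failure to `errp == 0` is correct: when the rtp call returned -EALREADY the surviving expectation belongs to another media type's SDP and must not be torn down, but the comment only explains why -EALREADY is accepted, so add that reason there. Wording nits in the same comment: "end-points" reads better as "endpoints", and "we pretend expectation was set up" as "we pretend the expectation was set up".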
[PATCH 08/12] netfilter: nf_tables: free set name in error path
From: Florian Westphal
set->name must be free'd here in case ops->init fails. Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index b1984f8f7253..102ad873acb4 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3212,18 +3212,20 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, err = ops->init(set, , nla); if (err < 0) - goto err2; + goto err3; err = nft_trans_set_add(, NFT_MSG_NEWSET, set); if (err < 0) - goto err3; + goto err4; list_add_tail_rcu(>list, >sets); table->use++; return 0; -err3: +err4: ops->destroy(set); +err3: + kfree(set->name); err2: kvfree(set); err1: -- 2.11.0
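Review bot: the unwind order is right (destroy the set, free the name, free the set), and the nft_trans_set_add() failure now also releases the name by falling through err4 into err3; the numbered labels are what forced renumbering three of them for a one-line fix, so naming them after what they undo (err_destroy, err_free_name, err_free_set) would make the next insertion a one-label change. Since the Fixes: commit made the name a separate allocation, a Cc: stable would be appropriate too.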
[PATCH 00/12] Netfilter/IPVS fixes for net
Hi David, The following patchset contains Netfilter/IPVS fixes for your net tree, they are:
1) Fix SIP conntrack with phones sending session descriptions for different media types but same port numbers, from Florian Westphal.
2) Fix incorrect rtnl_lock mutex logic from IPVS sync thread, from Julian Anastasov.
3) Skip compat array allocation in ebtables if there are no entries, also from Florian.
4) Do not lose left/right bits when shifting marks from xt_connmark, from Jack Ma.
5) Silence false positive memleak in conntrack extensions, from Cong Wang.
6) Fix CONFIG_NF_REJECT_IPV6=m link problems, from Arnd Bergmann.
7) Cannot kfree rule that is already in list in nf_tables, switch order so this error handling is not required, from Florian Westphal.
8) Release set name in error path, from Florian.
9) include kmemleak.h in nf_conntrack_extend.c, from Stephen Rothwell.
10) NAT chain and extensions depend on NF_TABLES.
11) Out of bound access when renaming chains, from Taehee Yoo.
12) Incorrect casting in xt_connmark leads to wrong bitshifting.
You can pull these changes from: git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Thanks.
The following changes since commit a2ac99905f1ea8b15997a6ec39af69aa28a3653b: vhost-net: set packet weight of tx polling to 2 * vq size (2018-04-09 11:01:37 -0400) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD for you to fetch changes up to 5a786232eb69a1f870ddc0cfd69d5bdef241a2ea: netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to xt_connmark_tginfo2 (2018-04-19 16:19:28 +0200)
Arnd Bergmann (1): netfilter: fix CONFIG_NF_REJECT_IPV6=m link error
Cong Wang (1): netfilter: conntrack: silent a memory leak warning
Florian Westphal (4): netfilter: nf_conntrack_sip: allow duplicate SDP expectations netfilter: ebtables: don't attempt to allocate 0-sized compat array netfilter: nf_tables: can't fail after linking rule into active rule list netfilter: nf_tables: free set name in error path
Jack Ma (1): netfilter: xt_connmark: Add bit mapping for bit-shift operation.
Julian Anastasov (1): ipvs: fix rtnl_lock lockups caused by start_sync_thread
Pablo Neira Ayuso (2): netfilter: nf_tables: NAT chain and extensions require NF_TABLES netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to xt_connmark_tginfo2
Stephen Rothwell (1): netfilter: conntrack: include kmemleak.h for kmemleak_not_leak()
Taehee Yoo (1): netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update
net/bridge/netfilter/ebtables.c | 11 +-- net/ipv6/netfilter/Kconfig | 55 ++--- net/netfilter/Kconfig | 1 + net/netfilter/ipvs/ip_vs_ctl.c | 8 -- net/netfilter/ipvs/ip_vs_sync.c | 155 +++- net/netfilter/nf_conntrack_expect.c | 5 +- net/netfilter/nf_conntrack_extend.c | 2 + net/netfilter/nf_conntrack_sip.c| 16 +++- net/netfilter/nf_tables_api.c | 69 net/netfilter/xt_connmark.c | 49 +++- 10 files changed, 200 insertions(+), 171 deletions(-)
Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
On Mon, Apr 23, 2018 at 05:48:22AM -0500, Ahmed Abdelsalam wrote: > IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed by > SR encapsulated packet. Each SID is encoded as an IPv6 prefix. > > When a Firewall receives an SR encapsulated packet, it should be able to > identify which node previously processed the packet (previous SID), which > node is going to process the packet next (next SID), and which node is the > last to process the packet (last SID) which represent the final destination > of the packet in case of inline SR mode. > > An example use-case of using these features could be SID list that includes > two firewalls. When the second firewall receives a packet, it can check > whether the packet has been processed by the first firewall or not. Based on > that check, it decides to apply all rules, apply just subset of the rules, > or totally skip all rules and forward the packet to the next SID. > > This patch extends SRH match to support matching previous SID, next SID, and > last SID. > > Signed-off-by: Ahmed Abdelsalam> --- > include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +-- > net/ipv6/netfilter/ip6t_srh.c| 41 > +++- > 2 files changed, 60 insertions(+), 3 deletions(-) > > diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h > b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h > index f3cc0ef..9808382 100644 > --- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h > +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h > @@ -17,7 +17,10 @@ > #define IP6T_SRH_LAST_GT0x0100 > #define IP6T_SRH_LAST_LT0x0200 > #define IP6T_SRH_TAG0x0400 > -#define IP6T_SRH_MASK 0x07FF > +#define IP6T_SRH_PSID 0x0800 > +#define IP6T_SRH_NSID 0x1000 > +#define IP6T_SRH_LSID 0x2000 > +#define IP6T_SRH_MASK 0x3FFF > > /* Values for "mt_invflags" field in struct ip6t_srh */ > #define IP6T_SRH_INV_NEXTHDR0x0001 
> @@ -31,7 +34,10 @@ > #define IP6T_SRH_INV_LAST_GT0x0100 > #define IP6T_SRH_INV_LAST_LT0x0200 > #define IP6T_SRH_INV_TAG0x0400 > -#define IP6T_SRH_INV_MASK 0x07FF > +#define IP6T_SRH_INV_PSID 0x0800 > +#define IP6T_SRH_INV_NSID 0x1000 > +#define IP6T_SRH_INV_LSID 0x2000 > +#define IP6T_SRH_INV_MASK 0x3FFF > > /** > * struct ip6t_srh - SRH match options > @@ -40,6 +46,12 @@ > * @ segs_left: Segments left field of SRH > * @ last_entry: Last entry field of SRH > * @ tag: Tag field of SRH > + * @ psid_addr: Address of previous SID in SRH SID list > + * @ nsid_addr: Address of NEXT SID in SRH SID list > + * @ lsid_addr: Address of LAST SID in SRH SID list > + * @ psid_msk: Mask of previous SID in SRH SID list > + * @ nsid_msk: Mask of next SID in SRH SID list > + * @ lsid_msk: MAsk of last SID in SRH SID list > * @ mt_flags: match options > * @ mt_invflags: Invert the sense of match options > */ > @@ -50,6 +62,12 @@ struct ip6t_srh { > __u8segs_left; > __u8last_entry; > __u16 tag; > + struct in6_addr psid_addr; > + struct in6_addr nsid_addr; > + struct in6_addr lsid_addr; > + struct in6_addr psid_msk; > + struct in6_addr nsid_msk; > + struct in6_addr lsid_msk; This is changing something exposed through UAPI, so you will need a new revision for this. > __u16 mt_flags; > __u16 mt_invflags; > }; > diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c > index 33719d5..2b5cc73 100644 > --- a/net/ipv6/netfilter/ip6t_srh.c > +++ b/net/ipv6/netfilter/ip6t_srh.c 
> @@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct > xt_action_param *par) > const struct ip6t_srh *srhinfo = par->matchinfo; > struct ipv6_sr_hdr *srh; > struct ipv6_sr_hdr _srh; > - int hdrlen, srhoff = 0; > + int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0; > + struct in6_addr *psid, *nsid, *lsid; > + struct in6_addr _psid, _nsid, _lsid; Could you rearrange variable definitions? i.e. longest line first, e.g. int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0; const struct ip6t_srh *srhinfo = par->matchinfo; struct in6_addr *psid, *nsid, *lsid; struct ipv6_sr_hdr *srh; struct ipv6_sr_hdr _srh; Thanks.
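Review bot: in the ip6t_srh.h hunks the new flag bits and the widened IP6T_SRH_MASK / IP6T_SRH_INV_MASK of 0x3FFF are consistent (0x0800 | 0x1000 | 0x2000 added to 0x07FF), but the struct hunk grows struct ip6t_srh, a UAPI structure that existing binaries pass by size, so as the reply already says this needs a new match revision rather than an in-place change. In the kernel-doc block, "MAsk" should read "Mask" and the NEXT/LAST capitalisation should match "previous".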
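As an added example (mine, not code from the patch or the kernel), a user-space parser that picks the previous, next and last SID out of a Segment Routing Header the way the description's firewall use-case needs them, with the length and index checks such a match has to make; the byte layout and the index conventions (Segment List[0] is the final destination, Segments Left indexes the segment currently in the destination address) are this example's reading of RFC 8754, and the sample packet is constructed.

```c
/* Added example (not from the patch or the kernel): walk an IPv6 Segment
 * Routing Header and return previous / next / last SID with bounds checks.
 * Layout and index conventions follow RFC 8754 as read by this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SRH_FIXED_LEN 8   /* nexthdr, hdrlen, type, segs_left, last_entry, flags, tag */
#define SID_LEN       16
#define SRH_TYPE      4   /* routing type 4 = Segment Routing Header */

struct srh_view {
    const uint8_t *segments;  /* Segment List[0] */
    uint8_t segs_left;
    uint8_t last_entry;       /* index of the last list element */
};

/* Validate the SRH at buf[0..len) and fill *v; 0 on success, -1 when the
 * header is truncated, of the wrong type, or self-inconsistent. */
int srh_parse(const uint8_t *buf, size_t len, struct srh_view *v)
{
    if (len < SRH_FIXED_LEN)
        return -1;
    /* hdrlen counts 8-octet units after the first 8 octets */
    size_t hdr_bytes = ((size_t)buf[1] + 1) * 8;
    if (buf[2] != SRH_TYPE || hdr_bytes > len)
        return -1;
    v->segs_left = buf[3];
    v->last_entry = buf[4];
    /* every index up to last_entry must lie inside the header itself */
    if (SRH_FIXED_LEN + ((size_t)v->last_entry + 1) * SID_LEN > hdr_bytes)
        return -1;
    if (v->segs_left > v->last_entry)
        return -1;
    v->segments = buf + SRH_FIXED_LEN;
    return 0;
}

static const uint8_t *srh_sid(const struct srh_view *v, unsigned idx)
{
    return v->segments + (size_t)idx * SID_LEN;
}

/* Previous SID: Segment List[segs_left + 1], the node that handled the packet
 * before the one now in the destination address; NULL at the first segment. */
const uint8_t *srh_prev_sid(const struct srh_view *v)
{
    if (v->segs_left == v->last_entry)
        return NULL;
    return srh_sid(v, v->segs_left + 1u);
}

/* Next SID: Segment List[segs_left - 1]; NULL when no segments are left. */
const uint8_t *srh_next_sid(const struct srh_view *v)
{
    if (v->segs_left == 0)
        return NULL;
    return srh_sid(v, v->segs_left - 1u);
}

/* Last SID: Segment List[0], the final destination in inline SR mode. */
const uint8_t *srh_last_sid(const struct srh_view *v)
{
    return srh_sid(v, 0);
}

/* Constructed sample (72 bytes): SIDs fd00::4, fd00::3, fd00::2, fd00::1 in
 * list order, Segments Left = 2, so the packet is addressed to fd00::2.
 * 'len' is how much of it to hand to the parser, to exercise truncation. */
#define SID(last) 0xfd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (last)
int sample_srh(struct srh_view *v, size_t len)
{
    static const uint8_t pkt[SRH_FIXED_LEN + 4 * SID_LEN] = {
        59, 8, SRH_TYPE, 2, 3, 0, 0, 0,   /* nexthdr=none, hdrlen=8, SL=2, LE=3 */
        SID(4), SID(3), SID(2), SID(1),
    };
    if (len > sizeof pkt)
        len = sizeof pkt;
    return srh_parse(pkt, len, v);
}

int main(void)
{
    struct srh_view v;
    if (sample_srh(&v, 72) == 0)
        printf("prev fd00::%d next fd00::%d last fd00::%d\n",
               srh_prev_sid(&v)[15], srh_next_sid(&v)[15], srh_last_sid(&v)[15]);
    printf("truncated: %s\n", sample_srh(&v, 40) ? "rejected" : "accepted");
    return 0;
}
```

For the sample the previous SID is fd00::1, the next is fd00::3 and the last is fd00::4; handing the parser only 40 of the 72 bytes is rejected because hdrlen promises more data than is present, which is the check that keeps a match from reading past the end of a short packet.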
[PATCH iptables] ebtables-compat: add 'vlan' match extension
Signed-off-by: Florian Westphal --- extensions/libebt_vlan.c | 226 ++ extensions/libebt_vlan.txlate | 11 ++ iptables/xtables-eb.c | 1 + 3 files changed, 238 insertions(+) create mode 100644 extensions/libebt_vlan.c create mode 100644 extensions/libebt_vlan.txlate diff --git a/extensions/libebt_vlan.c b/extensions/libebt_vlan.c new file mode 100644 index ..4e2ea0fcb7cd --- /dev/null +++ b/extensions/libebt_vlan.c
@@ -0,0 +1,226 @@ +/* ebt_vlan + * + * Authors: + * Bart De Schuymer + * Nick Fedchik + * June, 2002 + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "iptables/nft.h" +#include "iptables/nft-bridge.h" + +#define NAME_VLAN_ID"id" +#define NAME_VLAN_PRIO "prio" +#define NAME_VLAN_ENCAP "encap" + +#define VLAN_ID'1' +#define VLAN_PRIO '2' +#define VLAN_ENCAP '3' + +static const struct option brvlan_opts[] = { + {"vlan-id" , required_argument, NULL, VLAN_ID}, + {"vlan-prio" , required_argument, NULL, VLAN_PRIO}, + {"vlan-encap", required_argument, NULL, VLAN_ENCAP}, + XT_GETOPT_TABLEEND, +}; + +/* + * option inverse flags definition + */ +#define OPT_VLAN_ID 0x01 +#define OPT_VLAN_PRIO 0x02 +#define OPT_VLAN_ENCAP 0x04 +#define OPT_VLAN_FLAGS (OPT_VLAN_ID | OPT_VLAN_PRIO | OPT_VLAN_ENCAP) + +static void brvlan_print_help(void) +{ + printf( +"vlan options:\n" +"--vlan-id [!] id : vlan-tagged frame identifier, 0,1-4096 (integer)\n" +"--vlan-prio [!] prio : Priority-tagged frame's user priority, 0-7 (integer)\n" +"--vlan-encap [!] 
encap : Encapsulated frame protocol (hexadecimal or name)\n"); +} + +static struct ethertypeent *vlan_getethertypeent(FILE *etherf, const char *name) +{ + static struct ethertypeent et_ent; + char *e, *found_name; + char line[1024]; + + while ((e = fgets(line, sizeof(line), etherf))) { + char *endptr, *cp; + + if (*e == '#') + continue; + + cp = strpbrk(e, "#\n"); + if (cp == NULL) + continue; + *cp = '\0'; + found_name = e; + + cp = strpbrk(e, " \t"); + if (cp == NULL) + continue; + + *cp++ = '\0'; + while (*cp == ' ' || *cp == '\t') + cp++; + e = strpbrk(cp, " \t"); + if (e != NULL) + *e++ = '\0'; + + et_ent.e_ethertype = strtol(cp, , 16); + if (*endptr != '\0' || + (et_ent.e_ethertype < ETH_ZLEN || et_ent.e_ethertype > 0x)) + continue; // skip invalid etherproto type entry + + if (strcasecmp(found_name, name) == 0) + return (_ent); + + if (e != NULL) { + cp = e; + while (cp && *cp) { + if (*cp == ' ' || *cp == '\t') { + cp++; + continue; + } + e = cp; + cp = strpbrk(cp, " \t"); + if (cp != NULL) + *cp++ = '\0'; + if (strcasecmp(e, name) == 0) + return (_ent); + e = cp; + } + } + } + + return NULL; +} + +static struct ethertypeent *brvlan_getethertypebyname(const char *name) +{ + struct ethertypeent *e; + FILE *etherf; + + etherf = fopen(_PATH_ETHERTYPES, "r"); + + e = vlan_getethertypeent(etherf, name); + fclose(etherf); + return (e); +} + +static int +brvlan_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) (*match)->data; + struct ethertypeent *ethent; + char *end; + struct ebt_vlan_info local; + + switch (c) { + case VLAN_ID: + EBT_CHECK_OPTION(flags, OPT_VLAN_ID); + if (invert) + vlaninfo->invflags |= EBT_VLAN_ID; + local.id = strtoul(optarg, , 10); + if (local.id > 4094 || *end != '\0') + xtables_error(PARAMETER_PROBLEM, "Invalid --vlan-id range ('%s')", optarg); + vlaninfo->id = local.id; + vlaninfo->bitmask |= EBT_VLAN_ID; + break; + 
case VLAN_PRIO: + EBT_CHECK_OPTION(flags, OPT_VLAN_PRIO); + if (invert) + vlaninfo->invflags |= EBT_VLAN_PRIO; +
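Review bot: brvlan_getethertypebyname() hands the result of fopen(_PATH_ETHERTYPES, "r") straight to vlan_getethertypeent() and fclose() with no NULL check, so a missing or unreadable ethertypes file crashes the tool on the first `--vlan-encap name`; return NULL when fopen() fails and let the caller report the unknown name. In the same hunk the help text advertises `--vlan-id [!] id : ... 0,1-4096` while brvlan_parse() rejects anything above 4094, so make the help text say 0-4094.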
[PATCH iptables] ebtables-compat: add 'pkttype' match extension
Signed-off-by: Florian Westphal --- extensions/libebt_pkttype.c | 119 +++ extensions/libebt_pkttype.txlate | 20 +++ iptables/xtables-eb.c| 1 + 3 files changed, 140 insertions(+) create mode 100644 extensions/libebt_pkttype.c create mode 100644 extensions/libebt_pkttype.txlate diff --git a/extensions/libebt_pkttype.c b/extensions/libebt_pkttype.c new file mode 100644 index ..4e2d19de7983 --- /dev/null +++ b/extensions/libebt_pkttype.c
@@ -0,0 +1,119 @@ +/* ebt_pkttype + * + * Authors: + * Bart De Schuymer + * + * April, 2003 + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +static const char *classes[] = { + "host", + "broadcast", + "multicast", + "otherhost", + "outgoing", + "loopback", + "fastroute", +}; + +static const struct option brpkttype_opts[] = +{ + { "pkttype-type", required_argument, 0, '1' }, + { 0 } +}; + +static void brpkttype_print_help(void) +{ + printf( +"pkttype options:\n" +"--pkttype-type[!] type: class the packet belongs to\n" +"Possible values: broadcast, multicast, host, otherhost, or any other byte value (which would be pretty useless).\n"); +} + + +static int brpkttype_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct ebt_pkttype_info *ptinfo = (struct ebt_pkttype_info *)(*match)->data; + char *end; + long int i; + + switch (c) { + case '1': + if (invert) + ptinfo->invert = 1; + i = strtol(optarg, , 16); + if (*end != '\0') { + for (i = 0; i < ARRAY_SIZE(classes); i++) { + if (!strcasecmp(optarg, classes[i])) + break; + } + if (i >= ARRAY_SIZE(classes)) + xtables_error(PARAMETER_PROBLEM, "Could not parse class '%s'", optarg); + } + if (i < 0 || i > 255) + xtables_error(PARAMETER_PROBLEM, "Problem with specified pkttype class"); + ptinfo->pkt_type = (uint8_t)i; + break; + default: + return 0; + } + return 1; +} + + +static void brpkttype_print(const void *ip, const struct xt_entry_match *match, int numeric) +{ + struct ebt_pkttype_info *pt = (struct ebt_pkttype_info *)match->data; + + printf("--pkttype-type %s", pt->invert ? "! 
" : ""); + + if (pt->pkt_type < ARRAY_SIZE(classes)) + printf("%s ", classes[pt->pkt_type]); + else + printf("%d ", pt->pkt_type); +} + +static int brpkttype_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct ebt_pkttype_info *info = (const void*)params->match->data; + + xt_xlate_add(xl, "meta pkttype %s", info->invert ? "!= " : ""); + + if (info->pkt_type < 3) + xt_xlate_add(xl, "%s ", classes[info->pkt_type]); + else if (info->pkt_type == 3) + xt_xlate_add(xl, "other "); + else + xt_xlate_add(xl, "%d ", info->pkt_type); + + return 1; +} + +static struct xtables_match brpkttype_match = { + .name = "pkttype", + .version= XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_pkttype_info)), + .userspacesize = XT_ALIGN(sizeof(struct ebt_pkttype_info)), + .help = brpkttype_print_help, + .parse = brpkttype_parse, + .print = brpkttype_print, + .xlate = brpkttype_xlate, + .extra_opts = brpkttype_opts, +}; + +void _init(void) +{ + xtables_register_match(_match); +} diff --git a/extensions/libebt_pkttype.txlate b/extensions/libebt_pkttype.txlate new file mode 100644 index ..94d016d9e70e --- /dev/null +++ b/extensions/libebt_pkttype.txlate @@ -0,0 +1,20 @@ +ebtables-translate -A INPUT --pkttype-type host +nft add rule bridge filter INPUT meta pkttype host counter + +ebtables-translate -A INPUT ! --pkttype-type broadcast +nft add rule bridge filter INPUT meta pkttype != broadcast counter + +ebtables-translate -A INPUT --pkttype-type ! multicast +nft add rule bridge filter INPUT meta pkttype != multicast counter + +ebtables-translate -A INPUT --pkttype-type otherhost +nft add rule bridge filter INPUT meta pkttype other counter + +ebtables-translate -A INPUT --pkttype-type outgoing +nft add rule bridge filter INPUT meta pkttype 4 counter + +ebtables-translate -A INPUT --pkttype-type loopback +nft add rule bridge filter INPUT meta pkttype 5 counter + +ebtables-translate -A INPUT --pkttype-type fastroute +nft
KMSAN: uninit-value in ip_vs_lblcr_check_expire
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +) kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3dfdea57819073a04f21

So far this crash happened 2 times on https://github.com/google/kmsan.git/master.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6285034612850688
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3dfdea57819073a04...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

RDX: RSI: 2080 RDI: 0013 RBP: 0072bea0 R08: R09: R10: R11: 0246 R12: 0014 R13: 04f3 R14: 006fa768 R15:
==
BUG: KMSAN: uninit-value in ip_vs_lblcr_check_expire+0x1551/0x1600 net/netfilter/ipvs/ip_vs_lblcr.c:479
CPU: 0 PID: 13883 Comm: syz-executor4 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblcr_check_expire+0x1551/0x1600 net/netfilter/ipvs/ip_vs_lblcr.c:479
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:dump_stack+0x1af/0x1d0 lib/dump_stack.c:58
RSP: 0018:880156a2ef00 EFLAGS: 0286 ORIG_RAX: ff12
RAX: 8801fddc2590 RBX: 88014f62c418 RCX: 8800
RDX: 8801fd9c2590 RSI: b000 RDI: ea00
RBP: 880156a2ef48 R08: 0108 R09: 0002
R10: R11: R12: cf000109
R13: 0286 R14: R15:
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x87b/0xab0 lib/fault-inject.c:149
 should_failslab+0x279/0x2a0 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc_node mm/slub.c:2663 [inline]
 slab_alloc mm/slub.c:2745 [inline]
 kmem_cache_alloc+0x136/0xb90 mm/slub.c:2750
 dst_alloc+0x295/0x860 net/core/dst.c:104
 __ip6_dst_alloc net/ipv6/route.c:361 [inline]
 ip6_rt_cache_alloc+0x445/0xd00 net/ipv6/route.c:1061
 ip6_pol_route+0x3f19/0x5da0 net/ipv6/route.c:1751
 ip6_pol_route_output+0xe6/0x110 net/ipv6/route.c:1892
 fib6_rule_lookup+0x494/0x720 net/ipv6/fib6_rules.c:87
 ip6_route_output_flags+0x4fa/0x590 net/ipv6/route.c:1920
 ip6_dst_lookup_tail+0x2fe/0x1a60 net/ipv6/ip6_output.c:992
 ip6_dst_lookup_flow+0xfc/0x270 net/ipv6/ip6_output.c:1093
 rawv6_sendmsg+0x1b05/0x4fb0 net/ipv6/raw.c:908
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:7fa5b1000c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7fa5b10016d4 RCX: 00455389
RDX: RSI: 2080 RDI: 0013
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12: 0014
R13: 04f3 R14: 006fa768 R15:

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1164
KMSAN: uninit-value in ip_vs_lblc_check_expire
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +) kmsan: add initialization for shmem pages
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3e9695f147fb529aa9bc

So far this crash happened 3 times on https://github.com/google/kmsan.git/master.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5822255644803072
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3e9695f147fb529aa...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

kernel msg: ebtables bug: please report to author: bad policy
==
BUG: KMSAN: uninit-value in ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315
CPU: 0 PID: 11383 Comm: syz-executor3 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:vprintk_emit+0xcb2/0xff0 kernel/printk/printk.c:1899
RSP: 0018:8801c2a1f0d8 EFLAGS: 0296 ORIG_RAX: ff12
RAX: 0296 RBX: 8801574c4418 RCX: 0004
RDX: c900033a6000 RSI: 01bf RDI: 01c0
RBP: 8801c2a1f1f8 R08: 00219bfd8445 R09: 8801fd6d615d
R10: R11: R12:
R13: 8b300430 R14: R15:
 vprintk_default+0x90/0xa0 kernel/printk/printk.c:1955
 vprintk_func+0x517/0x700 kernel/printk/printk_safe.c:379
 printk+0x1b6/0x1f0 kernel/printk/printk.c:1991
 translate_table+0x474/0x5e10 net/bridge/netfilter/ebtables.c:846
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2406
 ipv6_setsockopt+0x30c/0x340 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x110/0x1c0 net/ipv6/udp.c:1422
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:7f470c9e3c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 7f470c9e46d4 RCX: 00455389
RDX: 0080 RSI: RDI: 0013
RBP: 0072bea0 R08: 0dd0 R09:
R10: 2dc0 R11: 0246 R12:
R13: 051d R14: 006fab58 R15:

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1164 [inline]
 kmalloc_order_trace+0xb9/0x390 mm/slab_common.c:1175
 kmalloc_large include/linux/slab.h:446 [inline]
 __kmalloc+0x332/0x350 mm/slub.c:3778
 kmalloc include/linux/slab.h:517 [inline]
 ip_vs_lblc_init_svc+0x57/0x310 net/netfilter/ipvs/ip_vs_lblc.c:355
 ip_vs_bind_scheduler+0xa4/0x1e0 net/netfilter/ipvs/ip_vs_sched.c:51
 ip_vs_add_service+0xa91/0x1d70 net/netfilter/ipvs/ip_vs_ctl.c:1265
 do_ip_vs_set_ctl+0x25c8/0x2790
[nf-next] netfilter: extend SRH match to support matching previous, next and last SID
IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed by SR encapsulated packet. Each SID is encoded as an IPv6 prefix. When a Firewall receives an SR encapsulated packet, it should be able to identify which node previously processed the packet (previous SID), which node is going to process the packet next (next SID), and which node is the last to process the packet (last SID) which represent the final destination of the packet in case of inline SR mode. An example use-case of using these features could be SID list that includes two firewalls. When the second firewall receives a packet, it can check whether the packet has been processed by the first firewall or not. Based on that check, it decides to apply all rules, apply just subset of the rules, or totally skip all rules and forward the packet to the next SID. This patch extends SRH match to support matching previous SID, next SID, and last SID. Signed-off-by: Ahmed Abdelsalam--- include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +-- net/ipv6/netfilter/ip6t_srh.c| 41 +++- 2 files changed, 60 insertions(+), 3 deletions(-) diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h index f3cc0ef..9808382 100644 --- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h @@ -17,7 +17,10 @@ #define IP6T_SRH_LAST_GT0x0100 #define IP6T_SRH_LAST_LT0x0200 #define IP6T_SRH_TAG0x0400 -#define IP6T_SRH_MASK 0x07FF +#define IP6T_SRH_PSID 0x0800 +#define IP6T_SRH_NSID 0x1000 +#define IP6T_SRH_LSID 0x2000 +#define IP6T_SRH_MASK 0x3FFF /* Values for "mt_invflags" field in struct ip6t_srh */ #define IP6T_SRH_INV_NEXTHDR0x0001 
@@ -31,7 +34,10 @@ #define IP6T_SRH_INV_LAST_GT0x0100 #define IP6T_SRH_INV_LAST_LT0x0200 #define IP6T_SRH_INV_TAG0x0400 -#define IP6T_SRH_INV_MASK 0x07FF +#define IP6T_SRH_INV_PSID 0x0800 +#define IP6T_SRH_INV_NSID 0x1000 +#define IP6T_SRH_INV_LSID 0x2000 +#define IP6T_SRH_INV_MASK 0x3FFF /** * struct ip6t_srh - SRH match options @@ -40,6 +46,12 @@ * @ segs_left: Segments left field of SRH * @ last_entry: Last entry field of SRH * @ tag: Tag field of SRH + * @ psid_addr: Address of previous SID in SRH SID list + * @ nsid_addr: Address of NEXT SID in SRH SID list + * @ lsid_addr: Address of LAST SID in SRH SID list + * @ psid_msk: Mask of previous SID in SRH SID list + * @ nsid_msk: Mask of next SID in SRH SID list + * @ lsid_msk: MAsk of last SID in SRH SID list * @ mt_flags: match options * @ mt_invflags: Invert the sense of match options */ @@ -50,6 +62,12 @@ struct ip6t_srh { __u8segs_left; __u8last_entry; __u16 tag; + struct in6_addr psid_addr; + struct in6_addr nsid_addr; + struct in6_addr lsid_addr; + struct in6_addr psid_msk; + struct in6_addr nsid_msk; + struct in6_addr lsid_msk; __u16 mt_flags; __u16 mt_invflags; }; diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c index 33719d5..2b5cc73 100644 --- a/net/ipv6/netfilter/ip6t_srh.c +++ b/net/ipv6/netfilter/ip6t_srh.c @@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par) const struct ip6t_srh *srhinfo = par->matchinfo; struct ipv6_sr_hdr *srh; struct ipv6_sr_hdr _srh; - int hdrlen, srhoff = 0; + int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0; + struct in6_addr *psid, *nsid, *lsid; + struct in6_addr _psid, _nsid, _lsid; if (ipv6_find_hdr(skb, , IPPROTO_ROUTING, NULL, NULL) < 0) return false; 
@@ -114,6 +116,43 @@ static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par) if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_TAG, !(srh->tag == srhinfo->tag))) return false; + + /* Previous SID matching */ + if (srhinfo->mt_flags & IP6T_SRH_PSID) { + if (srh->segments_left == srh->first_segment) + return false; + psidoff = srhoff + sizeof(struct ipv6_sr_hdr) + + ((srh->segments_left + 1) * sizeof(struct in6_addr)); + psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid); + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID, + ipv6_masked_addr_cmp(psid, >psid_msk, +>psid_addr))) + return false; + } + + /* Next SID matching */ + if
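Review bot: in the previous-SID hunk, `psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid)` returns NULL when the packet does not hold 16 bytes at psidoff, and that pointer goes straight into ipv6_masked_addr_cmp(), which dereferences it. Add `if (!psid) return false;` before the compare, and the same for the nsid and lsid lookups that follow. The `segments_left == first_segment` test only covers the well-formed case: a header whose hdrlen fits the packet but whose segments_left/first_segment values exceed the SID list puts psidoff past the header, and nothing in this hunk checks `srh->segments_left > srh->first_segment` or that `(first_segment + 1) * 16 + 8 <= hdrlen`; reject those earlier in srh_mt6 if it does not already.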
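Review bot: the header hunk inserts six `struct in6_addr` fields into `struct ip6t_srh` ahead of mt_flags, which changes the size and layout of a UAPI structure that already-built libip6t_srh.so binaries pass to the kernel. xt_check_match() compares matchsize, so an old userspace gets EINVAL rather than a silently misread match, but the established way to extend a match is to leave `struct ip6t_srh` alone, add a `struct ip6t_srh1` with the new fields, and register it as revision 1 of the match, so both old and new iptables keep working against this kernel.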
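The SID arithmetic the commit message and hunk describe, as an added, stand-alone example that is not the patch's or the kernel's code: parse an SRH from a byte buffer, locate the previous, next and last SID the way srh_mt6 indexes the reversed SID list, and compare each under a prefix mask. The helper names, the sample packet and the rule values are this example's own; the next-SID index (segments_left) is assumed, since that part of the hunk is cut off above. The second function shows the fail-closed behaviour a NULL lookup should produce.

```c
/* Added example, not the patch's or the kernel's own code: previous/next/last
 * SID lookup and masked compare for an IPv6 Segment Routing Header. The fixed
 * part is 8 bytes (next_hdr, hdrlen, type, segments_left, first_segment,
 * flags, tag) followed by first_segment + 1 SIDs stored in reverse order. */
#include <stddef.h>
#include <stdint.h>

#define SID_LEN       16
#define SRH_FIXED_LEN 8

struct srh_view {
	const uint8_t *buf;
	size_t len;            /* addressable bytes of the header */
	uint8_t segments_left;
	uint8_t first_segment;
};

/* Check the fixed part and the advertised hdrlen against the bytes present,
 * as srh_mt6 does before reading fields. 0 on success, -1 on a bad header. */
static int srh_parse(const uint8_t *buf, size_t len, struct srh_view *v)
{
	size_t hdrlen;

	if (len < SRH_FIXED_LEN || buf[2] != 4)   /* routing type 4 is SRH */
		return -1;
	hdrlen = ((size_t)buf[1] + 1) * 8;        /* 8-octet units past the first 8 */
	if (hdrlen > len)
		return -1;
	v->buf = buf;
	v->len = hdrlen;
	v->segments_left = buf[3];
	v->first_segment = buf[4];
	return 0;
}

/* segments[idx], or NULL when the index or the bytes are not there; this is
 * the role skb_header_pointer() plays in the kernel, so callers test for NULL. */
static const uint8_t *srh_sid_at(const struct srh_view *v, unsigned int idx)
{
	size_t off = SRH_FIXED_LEN + (size_t)idx * SID_LEN;

	if (idx > v->first_segment || off + SID_LEN > v->len)
		return NULL;
	return v->buf + off;
}

/* previous SID = segments[segments_left + 1]; none when segments_left == first_segment */
static const uint8_t *srh_prev_sid(const struct srh_view *v)
{
	if (v->segments_left >= v->first_segment)
		return NULL;
	return srh_sid_at(v, v->segments_left + 1u);
}

/* next SID = segments[segments_left], the current IPv6 destination (assumed) */
static const uint8_t *srh_next_sid(const struct srh_view *v)
{
	return srh_sid_at(v, v->segments_left);
}

/* last SID = segments[0], the final destination in inline SR mode */
static const uint8_t *srh_last_sid(const struct srh_view *v)
{
	return srh_sid_at(v, 0);
}

/* ipv6_masked_addr_cmp() with a prefix length: 1 if sid matches want/prefix.
 * A NULL sid (truncated or malformed header) is "no match", never a deref. */
static int sid_match(const uint8_t *sid, const uint8_t *want, unsigned int prefix)
{
	unsigned int i;

	if (!sid || prefix > 128)
		return 0;
	for (i = 0; i < SID_LEN; i++) {
		unsigned int bits = prefix >= 8 ? 8 : prefix;
		uint8_t m = bits ? (uint8_t)(0xffu << (8 - bits)) : 0;

		if ((sid[i] & m) != (want[i] & m))
			return 0;
		prefix -= bits;
	}
	return 1;
}

/* Constructed sample: three SIDs, segments_left = 1. The packet has passed
 * 2001:db8::1, is addressed to 2001:db8::2 and ends at 2001:db8::3. */
static const uint8_t sample_srh[SRH_FIXED_LEN + 3 * SID_LEN] = {
	0x3a, 6, 4, 1, 2, 0, 0, 0,   /* next_hdr, hdrlen=(56/8)-1, type, segs_left, first_seg, flags, tag */
	0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3,   /* segments[0]: last */
	0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,   /* segments[1]: next */
	0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,   /* segments[2]: previous */
};
static const uint8_t fw1[SID_LEN]  = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
static const uint8_t site[SID_LEN] = { 0x20, 0x01, 0x0d, 0xb8 };
static const uint8_t dst[SID_LEN]  = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3 };

/* "--srh-psid 2001:db8::1/128 --srh-nsid 2001:db8::/64 --srh-lsid 2001:db8::3/128"
 * evaluated on the sample: 1 when every clause matches. */
int sample_rule_matches(void)
{
	struct srh_view v;

	if (srh_parse(sample_srh, sizeof(sample_srh), &v) < 0)
		return 0;
	return sid_match(srh_prev_sid(&v), fw1, 128) &&
	       sid_match(srh_next_sid(&v), site, 64) &&
	       sid_match(srh_last_sid(&v), dst, 128);
}

/* hdrlen agrees with the bytes present, but segments_left=3/first_segment=5
 * point past the SID list: the psid lookup yields NULL and the rule must
 * fail closed instead of reading past the header. Returns 1 when it does. */
int malformed_rule_fails_closed(void)
{
	static const uint8_t bad[SRH_FIXED_LEN] = { 0x3a, 0, 4, 3, 5, 0, 0, 0 };
	struct srh_view v;

	if (srh_parse(bad, sizeof(bad), &v) < 0)
		return 0;                  /* the length check alone does not catch this */
	return srh_prev_sid(&v) == NULL && sid_match(srh_prev_sid(&v), fw1, 128) == 0;
}
```

The SID list is stored last-to-first, so "previous" is the higher index and "last" is index 0; the masked compare mirrors ipv6_masked_addr_cmp() and treats a NULL SID as no match, which is the check the kernel hunk is missing.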
[iptables 2/2] extensions: libip6t_srh: add test-cases for matching previous, next and last SID
This patch adds some test-cases to "libip6t_srh.t" for matching previous SID, next SID, and last SID.

Signed-off-by: Ahmed Abdelsalam
---
 extensions/libip6t_srh.t | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/extensions/libip6t_srh.t b/extensions/libip6t_srh.t index 08897d5..88a379e 100644 --- a/extensions/libip6t_srh.t +++ b/extensions/libip6t_srh.t @@ -23,4 +23,8 @@ -m srh ! --srh-tag 0;=;OK -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0;=;OK -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0;=;OK +-m srh --srh-psid A::2/64 --srh-nsid B2::/128 --srh-lsid C::/0;=;OK +-m srh ! --srh-psid A::2/64 ! --srh-nsid B2::/128 ! --srh-lsid C::/0;=;OK +-m srh --srh-psid A::2 --srh-nsid B2:: --srh-lsid C::;=;OK +-m srh ! --srh-psid A::2 ! --srh-nsid B2:: ! --srh-lsid C::;=;OK -m srh;=;OK -- 2.1.4
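Review bot: all four added cases are positive (`;=;OK`) and reuse the same three addresses, so the rejection path of the new options is never exercised. Add a negative case such as `-m srh --srh-psid A::2/129;;FAIL`, and one that combines a new option with an existing one (for example `--srh-segs-left-eq 1 --srh-nsid B2::/128`) so that the mt_flags accumulation across both kinds of option is checked. Also note that `A::2/64` has host bits set beyond the prefix; if the save path prints the masked address rather than the input, the `=` expectation will not hold, so confirm what the print side emits for it.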
[iptables 1/2] extensions: libip6t_srh: support matching previous, next and last SID
This patch extends the libip6t_srh shared library to support matching previous SID, next SID, and last SID. Signed-off-by: Ahmed Abdelsalam--- extensions/libip6t_srh.c| 65 - include/linux/netfilter_ipv6/ip6t_srh.h | 22 ++- 2 files changed, 84 insertions(+), 3 deletions(-) diff --git a/extensions/libip6t_srh.c b/extensions/libip6t_srh.c index ac0ae08..5acc2ee 100644 --- a/extensions/libip6t_srh.c +++ b/extensions/libip6t_srh.c @@ -22,6 +22,9 @@ enum { O_SRH_LAST_GT, O_SRH_LAST_LT, O_SRH_TAG, + O_SRH_PSID, + O_SRH_NSID, + O_SRH_LSID, }; static void srh_help(void) @@ -38,7 +41,10 @@ static void srh_help(void) "[!] --srh-last-entry-eq last_entry Last Entry value of SRH\n" "[!] --srh-last-entry-gt last_entry Last Entry value of SRH\n" "[!] --srh-last-entry-lt last_entry Last Entry value of SRH\n" -"[!] --srh-tag tag Tag value of SRH\n"); +"[!] --srh-tag tag Tag value of SRH\n" +"[!] --srh-psidaddr[/mask] SRH previous SID\n" +"[!] --srh-nsidaddr[/mask] SRH next SID\n" +"[!] --srh-lsidaddr[/mask] SRH Last SID\n"); } #define s struct ip6t_srh @@ -65,6 +71,12 @@ static const struct xt_option_entry srh_opts[] = { .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, last_entry)}, { .name = "srh-tag", .id = O_SRH_TAG, .type = XTTYPE_UINT16, .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, tag)}, + { .name = "srh-psid", .id = O_SRH_PSID, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + { .name = "srh-nsid", .id = O_SRH_NSID, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + { .name = "srh-lsid", .id = O_SRH_LSID, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, { } }; #undef s 
@@ -75,6 +87,12 @@ static void srh_init(struct xt_entry_match *m) srhinfo->mt_flags = 0; srhinfo->mt_invflags = 0; + memset(srhinfo->psid_addr.s6_addr, 0, sizeof(srhinfo->psid_addr.s6_addr)); + memset(srhinfo->nsid_addr.s6_addr, 0, sizeof(srhinfo->nsid_addr.s6_addr)); + memset(srhinfo->lsid_addr.s6_addr, 0, sizeof(srhinfo->lsid_addr.s6_addr)); + memset(srhinfo->psid_msk.s6_addr, 0, sizeof(srhinfo->psid_msk.s6_addr)); + memset(srhinfo->nsid_msk.s6_addr, 0, sizeof(srhinfo->nsid_msk.s6_addr)); + memset(srhinfo->lsid_msk.s6_addr, 0, sizeof(srhinfo->lsid_msk.s6_addr)); } static void srh_parse(struct xt_option_call *cb) @@ -138,6 +156,27 @@ static void srh_parse(struct xt_option_call *cb) if (cb->invert) srhinfo->mt_invflags |= IP6T_SRH_INV_TAG; break; + case O_SRH_PSID: + srhinfo->mt_flags |= IP6T_SRH_PSID; + srhinfo->psid_addr = cb->val.haddr.in6; + srhinfo->psid_msk = cb->val.hmask.in6; + if (cb->invert) + srhinfo->mt_invflags |= IP6T_SRH_INV_PSID; + break; + case O_SRH_NSID: + srhinfo->mt_flags |= IP6T_SRH_NSID; + srhinfo->nsid_addr = cb->val.haddr.in6; + srhinfo->nsid_msk = cb->val.hmask.in6; + if (cb->invert) + srhinfo->mt_invflags |= IP6T_SRH_INV_NSID; + break; + case O_SRH_LSID: + srhinfo->mt_flags |= IP6T_SRH_LSID; + srhinfo->lsid_addr = cb->val.haddr.in6; + srhinfo->lsid_msk = cb->val.hmask.in6; + if (cb->invert) + srhinfo->mt_invflags |= IP6T_SRH_INV_LSID; + break; } } 
@@ -180,6 +219,18 @@ static void srh_print(const void *ip, const struct xt_entry_match *match, if (srhinfo->mt_flags & IP6T_SRH_TAG) printf(" tag:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_TAG ? "!" : "", srhinfo->tag); + if (srhinfo->mt_flags & IP6T_SRH_PSID) + printf(" psid %s %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_PSID ? "!" : "", + xtables_ip6addr_to_numeric(>psid_addr), + xtables_ip6mask_to_cidr(>psid_msk)); + if (srhinfo->mt_flags & IP6T_SRH_NSID) + printf(" nsid %s %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_NSID ? "!" : "", + xtables_ip6addr_to_numeric(>nsid_addr), + xtables_ip6mask_to_cidr(>nsid_msk)); + if (srhinfo->mt_flags & IP6T_SRH_LSID) + printf(" lsid %s %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_LSID ? "!" : "", + xtables_ip6addr_to_numeric(>lsid_addr), + xtables_ip6mask_to_cidr(>lsid_msk)); } static void srh_save(const void *ip, const struct xt_entry_match *match) @@ -219,6 +270,18 @@ static void
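Review bot: the srh_print hunk formats the new options as `" psid %s %s/%u"`, which produces `psid  A::2/64` (two spaces) when not inverted and `psid ! A::2/64` when inverted, while the existing options in the same function use the `tag:%s%d` form with no spaces. Use one form for all of them. Also, xtables_ip6mask_to_cidr() returns -1 for a non-contiguous mask and the `%u` conversion will print that as 4294967295; either print the full mask with xtables_ip6mask_to_numeric() in that case or guard on the return value.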
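Review bot: the six memset() calls added to srh_init zero fields of a match area that is already zero-allocated (xtables_calloc) before .init runs, so they change nothing; the function already only clears mt_flags and mt_invflags for the same reason. If they are kept for explicitness, `memset(&srhinfo->psid_addr, 0, sizeof(srhinfo->psid_addr))` reads better than going through `.s6_addr`, and since the six fields are contiguous in the struct one memset over the range would do.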
[PATCH nf-next] netfilter: nf_tables: enable hashing of one element
The modulus in the hash function was limited to > 1 as initially there was no sense to create a hashing of just one element. Nevertheless, there are certain cases, especially for load balancing, where this case needs to be addressed.

This patch fixes the following error:

Error: Could not process rule: Numerical result out of range
add rule ip nftlb lb01 dnat to jhash ip saddr mod 1 map { 0: 192.168.0.10 }
^^^

The solution comes to force the hash to 0 when the modulus is 1.

Signed-off-by: Laura Garcia Liebana
---
 net/netfilter/nft_hash.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c index 24f2f7567ddb..1c4f791552d0 100644 --- a/net/netfilter/nft_hash.c +++ b/net/netfilter/nft_hash.c @@ -53,7 +53,11 @@ static void nft_symhash_eval(const struct nft_expr *expr, struct sk_buff *skb = pkt->skb; u32 h; - h = reciprocal_scale(__skb_get_hash_symmetric(skb), priv->modulus); + if (priv->modulus) + h = reciprocal_scale(__skb_get_hash_symmetric(skb), +priv->modulus); + else + h = 0; regs->data[priv->dreg] = h + priv->offset; } @@ -97,7 +101,7 @@ static int nft_jhash_init(const struct nft_ctx *ctx, priv->len = len; priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS])); - if (priv->modulus <= 1) + if (priv->modulus < 1) return -ERANGE; if (priv->offset + priv->modulus - 1 < priv->offset) -- 2.11.0
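Review bot: the `if (priv->modulus)` branch added to nft_symhash_eval can never take its else arm, because the init path rejects a zero modulus (the second hunk still returns -ERANGE for `< 1`), so `h = 0` is dead code on a hot path. It is also not what makes modulus 1 work: reciprocal_scale(x, 1) is `((u64)x * 1) >> 32`, which is 0 for every u32 x, so the eval side already yields 0 and only the init check needs relaxing. Drop the eval change.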
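Review bot: the init hunk relaxes only nft_jhash_init, while the eval hunk touches nft_symhash_eval; if nft_symhash_init carries the same `modulus <= 1` test (it is not in this diff), `symhash mod 1` still fails with ERANGE after this patch even though the first hunk was written for it. Relax both init functions, and since priv->modulus is a u32, write the test as `if (priv->modulus == 0)`, which is what `< 1` means here.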
KMSAN: uninit-value in ebt_stp_mt_check
Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +) kmsan: disable assembly checksums
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=5c06e318fc558cc27823

So far this crash happened 3 times on https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5411555638247424
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6309829995921408
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4546610964987904
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5c06e318fc558cc27...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x248/0x410 net/bridge/netfilter/ebt_stp.c:164
CPU: 0 PID: 4520 Comm: syzkaller565841 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ebt_stp_mt_check+0x248/0x410 net/bridge/netfilter/ebt_stp.c:164
 xt_check_match+0x1449/0x1660 net/netfilter/x_tables.c:499
 ebt_check_match net/bridge/netfilter/ebtables.c:374 [inline]
 ebt_check_entry net/bridge/netfilter/ebtables.c:704 [inline]
 translate_table+0x3ffd/0x5e10 net/bridge/netfilter/ebtables.c:945
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 dccp_setsockopt+0x1c3/0x1f0 net/dccp/proto.c:576
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445d39
RSP: 002b:7efff4e14da8 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 006dac24 RCX: 00445d39
RDX: 0080 RSI: RDI: 0003
RBP: R08: 0358 R09:
R10: 28c0 R11: 0246 R12: 006dac20
R13: 006567646972625f R14: 6f745f3168746576 R15: 0002

Local variable description: mtpar.i@translate_table
Variable was created at:
 translate_table+0xb9/0x5e10 net/bridge/netfilter/ebtables.c:833
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
==

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.