Re: [PATCH nft] parser: Removed LOOKUP token
Máté Eckl wrote: > It is never used. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft] parser: Removed LOOKUP token
It is never used. Signed-off-by: Máté Eckl --- src/parser_bison.y | 1 - 1 file changed, 1 deletion(-) diff --git a/src/parser_bison.y b/src/parser_bison.y index ee3600d..dcd4683 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -181,7 +181,6 @@ int nft_lex(void *, void *, void *); %token DASH"-" %token AT "@" %token VMAP"vmap" -%token LOOKUP "lookup" %token INCLUDE "include" %token DEFINE "define" -- ecklm
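Review bot: the hunk drops only the `%token LOOKUP "lookup"` declaration and the diffstat touches src/parser_bison.y alone; before applying, confirm that the flex scanner has no rule returning LOOKUP (such a rule would no longer compile against the regenerated parser header) and that no grammar production still references the token, since neither file is part of this diff.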
Re: [PATCH iptables-compat 2/3] iptables-compat: do not fail on restore if user chain exists
On Fri, May 04, 2018 at 12:06:32PM +0200, Arturo Borrero Gonzalez wrote: > On 4 May 2018 at 11:49, Pablo Neira Ayuso wrote: > > > > +int nft_table_flush(struct nft_handle *h, const char *table) > > +{ > > + struct nftnl_table *r; > > + int ret = 0; > > + > > + nft_fn = nft_table_flush; > > + > > + r = nftnl_table_alloc(); > > + if (r == NULL) > > + goto err; > > + > > + nftnl_table_set_str(r, NFTNL_TABLE_NAME, table); > > + > > + batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r); > > +err: > > + /* the core expects 1 for success and 0 for error */ > > + return ret == 0 ? 1 : 0; > > +} > > + > > it seems ret is never set to something meaningful? Indeed, will fix this before applying. Actually, I could revisit all return values in the compat code. Thanks.
[PATCH ghak81 RFC V1 1/5] audit: normalize loginuid read access
Recognizing that the loginuid is an internal audit value, use an access function to retrieve the audit loginuid value for the task rather than reaching directly into the task struct to get it. Signed-off-by: Richard Guy Briggs --- kernel/auditsc.c | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 479c031..f3817d0 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -374,7 +374,7 @@ static int audit_field_compare(struct task_struct *tsk, case AUDIT_COMPARE_EGID_TO_OBJ_GID: return audit_compare_gid(cred->egid, name, f, ctx); case AUDIT_COMPARE_AUID_TO_OBJ_UID: - return audit_compare_uid(tsk->loginuid, name, f, ctx); + return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx); case AUDIT_COMPARE_SUID_TO_OBJ_UID: return audit_compare_uid(cred->suid, name, f, ctx); case AUDIT_COMPARE_SGID_TO_OBJ_GID: @@ -385,7 +385,7 @@ static int audit_field_compare(struct task_struct *tsk, return audit_compare_gid(cred->fsgid, name, f, ctx); /* uid comparisons */ case AUDIT_COMPARE_UID_TO_AUID: - return audit_uid_comparator(cred->uid, f->op, tsk->loginuid); + return audit_uid_comparator(cred->uid, f->op, audit_get_loginuid(tsk)); case AUDIT_COMPARE_UID_TO_EUID: return audit_uid_comparator(cred->uid, f->op, cred->euid); case AUDIT_COMPARE_UID_TO_SUID:
@@ -394,11 +394,11 @@ static int audit_field_compare(struct task_struct *tsk, return audit_uid_comparator(cred->uid, f->op, cred->fsuid); /* auid comparisons */ case AUDIT_COMPARE_AUID_TO_EUID: - return audit_uid_comparator(tsk->loginuid, f->op, cred->euid); + return audit_uid_comparator(audit_get_loginuid(tsk), f->op, cred->euid); case AUDIT_COMPARE_AUID_TO_SUID: - return audit_uid_comparator(tsk->loginuid, f->op, cred->suid); + return audit_uid_comparator(audit_get_loginuid(tsk), f->op, cred->suid); case AUDIT_COMPARE_AUID_TO_FSUID: - return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid); + return audit_uid_comparator(audit_get_loginuid(tsk), f->op, cred->fsuid); /* euid comparisons */ case AUDIT_COMPARE_EUID_TO_SUID: return audit_uid_comparator(cred->euid, f->op, cred->suid); @@ -611,7 +611,7 @@ static int audit_filter_rules(struct task_struct *tsk, result = match_tree_refs(ctx, rule->tree); break; case AUDIT_LOGINUID: - result = audit_uid_comparator(tsk->loginuid, f->op, f->uid); + result = audit_uid_comparator(audit_get_loginuid(tsk), f->op, f->uid); break; case AUDIT_LOGINUID_SET: result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val); @@ -2287,8 +2287,8 @@ int audit_signal_info(int sig, struct task_struct *t) (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2)) { audit_sig_pid = task_tgid_nr(tsk); - if (uid_valid(tsk->loginuid)) - audit_sig_uid = tsk->loginuid; + if (uid_valid(audit_get_loginuid(tsk))) + audit_sig_uid = audit_get_loginuid(tsk); else audit_sig_uid = uid; security_task_getsecid(tsk, _sig_sid); -- 1.8.3.1
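Review bot: in the audit_signal_info hunk (@@ -2287), audit_get_loginuid(tsk) is now evaluated twice, once in `if (uid_valid(audit_get_loginuid(tsk)))` and again in `audit_sig_uid = audit_get_loginuid(tsk);`; a single local `kuid_t auid = audit_get_loginuid(tsk);` used for both the test and the assignment keeps the read atomic with respect to a concurrent audit_set_loginuid() on the same task, and it reads cleaner than calling the accessor twice for one value.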
[PATCH ghak81 RFC V1 2/5] audit: convert sessionid unset to a macro
Use a macro, "AUDIT_SID_UNSET", to replace each instance of initialization and comparison to an audit session ID. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h | 2 +- include/net/xfrm.h | 2 +- include/uapi/linux/audit.h | 1 + init/init_task.c | 2 +- kernel/auditsc.c | 4 ++-- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 75d5b03..5f86f7c 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -513,7 +513,7 @@ static inline kuid_t audit_get_loginuid(struct task_struct *tsk) } static inline unsigned int audit_get_sessionid(struct task_struct *tsk) { - return -1; + return AUDIT_SID_UNSET; } static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) { } diff --git a/include/net/xfrm.h b/include/net/xfrm.h index a872379..fcce8ee 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -751,7 +751,7 @@ static inline void xfrm_audit_helper_usrinfo(bool task_valid, audit_get_loginuid(current) : INVALID_UID); const unsigned int ses = task_valid ? audit_get_sessionid(current) : - (unsigned int) -1; + AUDIT_SID_UNSET; audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses); audit_log_task_context(audit_buf); diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 4e61a9e..04f9bd2 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -465,6 +465,7 @@ struct audit_tty_status { }; #define AUDIT_UID_UNSET (unsigned int)-1 +#define AUDIT_SID_UNSET ((unsigned int)-1) /* audit_rule_data supports filter rules with both integer and string * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and diff --git a/init/init_task.c b/init/init_task.c index 3ac6e75..c788f91 100644 --- a/init/init_task.c +++ b/init/init_task.c
@@ -119,7 +119,7 @@ struct task_struct init_task .thread_node= LIST_HEAD_INIT(init_signals.thread_head), #ifdef CONFIG_AUDITSYSCALL .loginuid = INVALID_UID, - .sessionid = (unsigned int)-1, + .sessionid = AUDIT_SID_UNSET, #endif #ifdef CONFIG_PERF_EVENTS .perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex), diff --git a/kernel/auditsc.c b/kernel/auditsc.c index f3817d0..6e3ceb9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2050,7 +2050,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, int audit_set_loginuid(kuid_t loginuid) { struct task_struct *task = current; - unsigned int oldsessionid, sessionid = (unsigned int)-1; + unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET; kuid_t oldloginuid; int rc; @@ -2064,7 +2064,7 @@ int audit_set_loginuid(kuid_t loginuid) /* are we setting or clearing? */ if (uid_valid(loginuid)) { sessionid = (unsigned int)atomic_inc_return(_id); - if (unlikely(sessionid == (unsigned int)-1)) + if (unlikely(sessionid == AUDIT_SID_UNSET)) sessionid = (unsigned int)atomic_inc_return(_id); } -- 1.8.3.1
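Review bot: the include/uapi/linux/audit.h hunk places AUDIT_SID_UNSET in the userspace ABI header next to AUDIT_UID_UNSET, so the commit message should state that exporting the "no session" sentinel is intentional (it is the value userspace already sees in the `ses=%u` field written by the xfrm.h hunk, and a uapi constant cannot change later); the existing `#define AUDIT_UID_UNSET (unsigned int)-1` also lacks the outer parentheses the new macro correctly has, which is worth fixing in a follow-up so the two sentinels are defined the same way.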
[PATCH ghak81 RFC V1 0/5] audit: group task params
Group the audit parameters for each task into one structure. In particular, remove the loginuid and sessionid values and the audit context pointer from the task structure, replacing them with an audit task information structure to contain them. Use access functions to access audit values.

Note: Use static allocation of the audit task information structure initially. Dynamic allocation was considered and attempted, but isn't ready yet. Static allocation has the limitation that future audit task information structure changes would cause a visible change to the rest of the kernel, whereas dynamic allocation would mostly hide any future changes.

The first four access normalization patches could stand alone.

Passes audit-testsuite.

Richard Guy Briggs (5):
  audit: normalize loginuid read access
  audit: convert sessionid unset to a macro
  audit: use inline function to get audit context
  audit: use inline function to set audit context
  audit: collect audit task parameters

 MAINTAINERS | 2 +-
 include/linux/audit.h | 30 ++---
 include/linux/audit_task.h | 31 ++
 include/linux/sched.h | 6 +--
 include/net/xfrm.h | 4 +-
 include/uapi/linux/audit.h | 1 +
 init/init_task.c | 8 +++-
 kernel/audit.c | 4 +-
 kernel/audit_watch.c | 2 +-
 kernel/auditsc.c | 82 ++--
 kernel/fork.c | 2 +-
 net/bridge/netfilter/ebtables.c | 2 +-
 net/core/dev.c | 2 +-
 net/netfilter/x_tables.c | 2 +-
 net/netlabel/netlabel_user.c | 2 +-
 security/integrity/ima/ima_api.c | 2 +-
 security/integrity/integrity_audit.c | 2 +-
 security/lsm_audit.c | 2 +-
 security/selinux/hooks.c | 4 +-
 security/selinux/selinuxfs.c | 6 +--
 security/selinux/ss/services.c | 12 +++---
 21 files changed, 129 insertions(+), 79 deletions(-)
 create mode 100644 include/linux/audit_task.h

-- 1.8.3.1
[PATCH ghak81 RFC V1 4/5] audit: use inline function to set audit context
Recognizing that the audit context is an internal audit value, use an access function to set the audit context pointer for the task rather than reaching directly into the task struct to set it. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h | 8 kernel/auditsc.c | 6 +++--- kernel/fork.c | 2 +- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 93e4c61..dba0d45 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -235,6 +235,10 @@ extern void __audit_inode_child(struct inode *parent, extern void __audit_seccomp(unsigned long syscall, long signr, int code); extern void __audit_ptrace(struct task_struct *t); +static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) +{ + task->audit_context = ctx; +} static inline struct audit_context *audit_context(struct task_struct *task) { return task->audit_context; @@ -472,6 +476,10 @@ static inline bool audit_dummy_context(void) { return true; } +static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) +{ + task->audit_context = ctx; +} static inline struct audit_context *audit_context(struct task_struct *task) { return NULL; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index a4bbdcc..f294e4a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -865,7 +865,7 @@ static inline struct audit_context *audit_take_context(struct task_struct *tsk, audit_filter_inodes(tsk, context); } - tsk->audit_context = NULL; + audit_set_context(tsk, NULL); return context; } @@ -952,7 +952,7 @@ int audit_alloc(struct task_struct *tsk) } context->filterkey = key; - tsk->audit_context = context; + audit_set_context(tsk, context); set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); return 0; }
@@ -1590,7 +1590,7 @@ void __audit_syscall_exit(int success, long return_code) kfree(context->filterkey); context->filterkey = NULL; } - tsk->audit_context = context; + audit_set_context(tsk, context); } static inline void handle_one(const struct inode *inode) diff --git a/kernel/fork.c b/kernel/fork.c index 242c8c9..cd18448 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1713,7 +1713,7 @@ static __latent_entropy struct task_struct *copy_process( p->start_time = ktime_get_ns(); p->real_start_time = ktime_get_boot_ns(); p->io_context = NULL; - p->audit_context = NULL; + audit_set_context(p, NULL); cgroup_fork(p); #ifdef CONFIG_NUMA p->mempolicy = mpol_dup(p->mempolicy); -- 1.8.3.1
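Review bot: in the include/linux/audit.h hunk at @@ -472, the !CONFIG_AUDITSYSCALL stub of audit_set_context() still performs `task->audit_context = ctx;` while the getter stub right below it returns NULL unconditionally, so the two halves of the stub API disagree; make the setter stub an empty body (`{ }`) so that the unconditional `audit_set_context(p, NULL)` added in the kernel/fork.c hunk has no dependency on task_struct carrying the member when syscall auditing is compiled out, which matters once the field is moved under #ifdef CONFIG_AUDITSYSCALL later in this series.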
[PATCH ghak81 RFC V1 3/5] audit: use inline function to get audit context
Recognizing that the audit context is an internal audit value, use an access function to retrieve the audit context pointer for the task rather than reaching directly into the task struct to get it. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h| 16 --- include/net/xfrm.h | 2 +- kernel/audit.c | 4 +-- kernel/audit_watch.c | 2 +- kernel/auditsc.c | 52 ++-- net/bridge/netfilter/ebtables.c | 2 +- net/core/dev.c | 2 +- net/netfilter/x_tables.c | 2 +- net/netlabel/netlabel_user.c | 2 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/integrity_audit.c | 2 +- security/lsm_audit.c | 2 +- security/selinux/hooks.c | 4 +-- security/selinux/selinuxfs.c | 6 ++--- security/selinux/ss/services.c | 12 - 15 files changed, 60 insertions(+), 52 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 5f86f7c..93e4c61 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -235,26 +235,30 @@ extern void __audit_inode_child(struct inode *parent, extern void __audit_seccomp(unsigned long syscall, long signr, int code); extern void __audit_ptrace(struct task_struct *t); +static inline struct audit_context *audit_context(struct task_struct *task) +{ + return task->audit_context; +} static inline bool audit_dummy_context(void) { - void *p = current->audit_context; + void *p = audit_context(current); return !p || *(int *)p; } static inline void audit_free(struct task_struct *task) { - if (unlikely(task->audit_context)) + if (unlikely(audit_context(task))) __audit_free(task); } static inline void audit_syscall_entry(int major, unsigned long a0, unsigned long a1, unsigned long a2, unsigned long a3) { - if (unlikely(current->audit_context)) + if (unlikely(audit_context(current))) __audit_syscall_entry(major, a0, a1, a2, a3); } static inline void audit_syscall_exit(void *pt_regs) { - if (unlikely(current->audit_context)) { + if (unlikely(audit_context(current))) { int success = is_syscall_success(pt_regs); long return_code = regs_return_value(pt_regs); @@ -468,6 +472,10 @@ static inline bool audit_dummy_context(void) { return true; } +static inline struct audit_context *audit_context(struct task_struct *task) +{ + return NULL; +} static inline struct filename *audit_reusename(const __user char *name) { return NULL; diff --git a/include/net/xfrm.h b/include/net/xfrm.h index fcce8ee..2788332 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -736,7 +736,7 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op) if (audit_enabled == 0) return NULL; - audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, + audit_buf = audit_log_start(audit_context(current), GFP_ATOMIC, AUDIT_MAC_IPSEC_EVENT); if (audit_buf == NULL) return NULL; diff --git a/kernel/audit.c b/kernel/audit.c index e9f9a90..9a03603 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
@@ -1099,7 +1099,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature if (audit_enabled == AUDIT_OFF) return; - ab = audit_log_start(current->audit_context, + ab = audit_log_start(audit_context(current), GFP_KERNEL, AUDIT_FEATURE_CHANGE); if (!ab) return; @@ -2317,7 +2317,7 @@ void audit_log_link_denied(const char *operation) return; /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ - ab = audit_log_start(current->audit_context, GFP_KERNEL, + ab = audit_log_start(audit_context(current), GFP_KERNEL, AUDIT_ANOM_LINK); if (!ab) return; diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 9eb8b35..8b596c4 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -274,7 +274,7 @@ static void audit_update_watch(struct audit_parent *parent, /* If the update involves invalidating rules, do the inode-based * filtering now, so we don't omit records. */ if (invalidating && !audit_dummy_context()) - audit_filter_inodes(current, current->audit_context); + audit_filter_inodes(current, audit_context(current)); /* updating ino will likely change which audit_hash_list we * are on so we need a new watch for the new list */ diff --git
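Review bot: in the include/linux/audit.h hunk at @@ -235, the new accessor is named audit_context(), the same identifier as the struct tag `struct audit_context` it returns; C keeps tags and functions in separate namespaces so this compiles, but `audit_context(current)` next to `struct audit_context *` is easy to misread, and a name such as audit_get_context() would follow the audit_get_loginuid()/audit_get_sessionid() convention already used in this header.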
[PATCH ghak81 RFC V1 5/5] audit: collect audit task parameters
The audit-related parameters in struct task_struct should ideally be collected together and accessed through a standard audit API. Collect the existing loginuid, sessionid and audit_context together in a new struct audit_task_info pointer called "audit" in struct task_struct. Use kmem_cache to manage this pool of memory. Un-inline audit_free() to be able to always recover that memory. See: https://github.com/linux-audit/audit-kernel/issues/81 Signed-off-by: Richard Guy Briggs --- MAINTAINERS| 2 +- include/linux/audit.h | 8 include/linux/audit_task.h | 31 +++ include/linux/sched.h | 6 ++ init/init_task.c | 8 ++-- kernel/auditsc.c | 4 ++-- 6 files changed, 46 insertions(+), 13 deletions(-) create mode 100644 include/linux/audit_task.h diff --git a/MAINTAINERS b/MAINTAINERS index 0a1410d..8c7992d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2510,7 +2510,7 @@ L:linux-au...@redhat.com (moderated for non-subscribers) W: https://github.com/linux-audit T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git S: Supported -F: include/linux/audit.h +F: include/linux/audit*.h F: include/uapi/linux/audit.h F: kernel/audit* diff --git a/include/linux/audit.h b/include/linux/audit.h index dba0d45..1324969 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -237,11 +237,11 @@ extern void __audit_inode_child(struct inode *parent, static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) { - task->audit_context = ctx; + task->audit.ctx = ctx; } static inline struct audit_context *audit_context(struct task_struct *task) { - return task->audit_context; + return task->audit.ctx; } static inline bool audit_dummy_context(void) {
@@ -330,12 +330,12 @@ extern int auditsc_get_stamp(struct audit_context *ctx, static inline kuid_t audit_get_loginuid(struct task_struct *tsk) { - return tsk->loginuid; + return tsk->audit.loginuid; } static inline unsigned int audit_get_sessionid(struct task_struct *tsk) { - return tsk->sessionid; + return tsk->audit.sessionid; } extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); diff --git a/include/linux/audit_task.h b/include/linux/audit_task.h new file mode 100644 index 000..d4b3a20 --- /dev/null +++ b/include/linux/audit_task.h @@ -0,0 +1,31 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* audit_task.h -- definition of audit_task_info structure + * + * Copyright 2018 Red Hat Inc., Raleigh, North Carolina. + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * Written by Richard Guy Briggs + * + */ + +#ifndef _LINUX_AUDIT_TASK_H_ +#define _LINUX_AUDIT_TASK_H_ + +struct audit_context; +struct audit_task_info { + kuid_t loginuid; + unsigned intsessionid; + struct audit_context*ctx; +}; + +#endif diff --git a/include/linux/sched.h b/include/linux/sched.h index b3d697f..b58eca0 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -27,9 +27,9 @@ #include #include #include +#include /* task_struct member predeclarations (sorted alphabetically): */ -struct audit_context; struct backing_dev_info; struct bio_list; struct blk_plug; 
@@ -832,10 +832,8 @@ struct task_struct { struct callback_head*task_works; - struct audit_context*audit_context; #ifdef CONFIG_AUDITSYSCALL - kuid_t loginuid; - unsigned intsessionid; + struct audit_task_info audit; #endif struct seccomp seccomp; diff --git a/init/init_task.c b/init/init_task.c index c788f91..d33260d 100644 --- a/init/init_task.c +++ b/init/init_task.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include @@ -118,8 +119,11 @@ struct task_struct init_task .thread_group = LIST_HEAD_INIT(init_task.thread_group), .thread_node= LIST_HEAD_INIT(init_signals.thread_head), #ifdef CONFIG_AUDITSYSCALL - .loginuid = INVALID_UID, - .sessionid = AUDIT_SID_UNSET, + .audit = { + .loginuid = INVALID_UID, + .sessionid = AUDIT_SID_UNSET, + .ctx= NULL, + }, #endif #ifdef CONFIG_PERF_EVENTS
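Review bot: the include/linux/audit_task.h hunk introduces a header that uses kuid_t without including anything, so it only compiles when the includer happened to pull in <linux/uidgid.h> first; add `#include <linux/uidgid.h>` so the header is self-contained. The file also carries the full GPL paragraph under an SPDX-License-Identifier line, which the kernel's SPDX convention treats as redundant, so the boilerplate block can be dropped.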
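Review bot: the include/linux/sched.h hunk embeds `struct audit_task_info audit;` by value under #ifdef CONFIG_AUDITSYSCALL, which contradicts the commit message in two ways: the message describes a pointer called "audit" managed through kmem_cache and an un-inlined audit_free(), but the diffstat lists no kernel/audit.c or kernel/fork.c change and the cover letter says allocation is static, so the message should describe what the patch actually does. More importantly, the removed `struct audit_context *audit_context;` member was unconditional, and the !CONFIG_AUDITSYSCALL stub of audit_set_context() from the previous patch (not touched here) still writes `task->audit_context`, so a CONFIG_AUDITSYSCALL=n build will no longer compile unless that stub becomes a no-op in this series.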
[PATCH nf] netfilter: core: add missing __rcu annotation
Removes the following sparse error: net/netfilter/core.c:598:30: warning: incorrect type in argument 1 (different address spaces) net/netfilter/core.c:598:30:expected struct nf_hook_entries **e net/netfilter/core.c:598:30:got struct nf_hook_entries [noderef] ** Signed-off-by: Florian Westphal --- net/netfilter/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 0f6b8172fb9a..206fb2c4c319 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -585,7 +585,8 @@ void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); EXPORT_SYMBOL(nf_nat_decode_session_hook); #endif -static void __net_init __netfilter_net_init(struct nf_hook_entries **e, int max) +static void __net_init +__netfilter_net_init(struct nf_hook_entries __rcu **e, int max) { int h; -- 2.16.1
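Review bot: the hunk fixes the caller-side address-space mismatch by marking the parameter `__rcu`, but the body of __netfilter_net_init() is not in the diff (only `int h;` of context is shown); if the loop initializes the slots with plain stores such as `e[h] = NULL`, sparse will now flag those lines instead, so confirm the body already uses RCU_INIT_POINTER() for the stores, and mention in the commit message that the change is annotation-only with no generated-code difference.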
Re: [PATCH] netfilter: nf_queue: Replace conntrack entry
Hi Kristian, Thank you for the patch! Yet something to improve: [auto build test ERROR on nf-next/master] [also build test ERROR on v4.17-rc3 next-20180503] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Kristian-Evensen/netfilter-nf_queue-Replace-conntrack-entry/20180504-051218 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master config: x86_64-randconfig-s5-05041850 (attached as .config) compiler: gcc-7 (Debian 7.3.0-16) 7.3.0 reproduce: # save the attached .config to linux build tree make ARCH=x86_64 All errors (new ones prefixed by >>): net/netfilter/nfnetlink_queue.o: In function `nfqnl_update_ct': >> net/netfilter/nfnetlink_queue.c:1062: undefined reference to >> `nf_ct_l3proto_find_get' >> net/netfilter/nfnetlink_queue.c:1069: undefined reference to >> `nf_ct_l4proto_find_get' >> net/netfilter/nfnetlink_queue.c:1071: undefined reference to >> `nf_ct_get_tuple' >> net/netfilter/nfnetlink_queue.c:1079: undefined reference to >> `nf_conntrack_find_get' vim +1062 net/netfilter/nfnetlink_queue.c 1046 1047 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 1048 static void nfqnl_update_ct(struct net *net, struct sk_buff *skb) 1049 { 1050 const struct nf_conntrack_l3proto *l3proto; 1051 const struct nf_conntrack_l4proto *l4proto; 1052 struct nf_conntrack_tuple_hash *h; 1053 struct nf_conntrack_tuple tuple; 1054 enum ip_conntrack_info ctinfo; 1055 struct nf_conn *ct = NULL; 1056 unsigned int dataoff; 1057 u16 l3num; 1058 u8 l4num; 1059 1060 ct = nf_ct_get(skb, ); 1061 l3num = nf_ct_l3num(ct); > 1062 l3proto = nf_ct_l3proto_find_get(l3num); 1063 1064 if (l3proto->get_l4proto(skb, skb_network_offset(skb), , 1065 ) <= 0) { 1066 return; 1067 } 1068 > 1069 l4proto = nf_ct_l4proto_find_get(l3num, l4num); 1070 > 1071 if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, > l3num, 1072 l4num, net, , l3proto, l4proto)) { 1073 return; 1074 } 1075 1076 #if 
IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) 1077 h = nf_conntrack_find_get(net, >zone, ); 1078 #else > 1079 h = nf_conntrack_find_get(net, NULL, ); 1080 #endif 1081 1082 if (h) { 1083 pr_debug("%s: tuple %u %pI4:%hu -> %pI4:%hu\n", __func__, 1084 tuple.dst.protonum, , 1085 ntohs(tuple.src.u.all), , 1086 ntohs(tuple.dst.u.all)); 1087 nf_ct_put(ct); 1088 ct = nf_ct_tuplehash_to_ctrack(h); 1089 nf_ct_set(skb, ct, IP_CT_NEW); 1090 } 1091 } 1092 #endif 1093 --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
Re: [PATCH 1/1] netfilter: Fix handling simultaneous open in TCP conntrack
Hi Pablo, [Sorry for the delay.] On Fri, 27 Apr 2018, Pablo Neira Ayuso wrote: > On Sat, Apr 21, 2018 at 01:43:48PM +0200, Jozsef Kadlecsik wrote: > > Dominique Martinet reported a TCP hang problem when simultaneous open > > was used. The problem is that the tcp_conntracks state table is not > > smart enough to handle the case. The state table could be fixed by > > introducing a new state, but that would require more lines of code > > compared to this patch, due to the required backward compatibility > > with ctnetlink. > > BTW, what is exactly the problem in ctnetlink. I think probably there is > a way to do some mapping to avoid this. Thanks! There's nothing wrong with ctnetlink, I was too terse. If a new state is introduced, then there'd be a hole in several internal tables (tcp_conntrack_names, tcp_timeouts, tcp_conntracks state table) and that'd be ugly. However if the states are renumbered in order to get rid of the holes, then that'd break the backward compatibility in ctnetlink - and userspace anyway, because the constants are exposed through uapi/linux/netfilter/nf_conntrack_tcp.h. Or some mapping could be used as you suggest but that seems to be overkill compared to the few lines of code in the patch. Best regards, Jozsef - E-mail : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.mta.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary
Re: [PATCH iptables-compat 2/3] iptables-compat: do not fail on restore if user chain exists
On 4 May 2018 at 11:49, Pablo Neira Ayuso wrote: > > +int nft_table_flush(struct nft_handle *h, const char *table) > +{ > + struct nftnl_table *r; > + int ret = 0; > + > + nft_fn = nft_table_flush; > + > + r = nftnl_table_alloc(); > + if (r == NULL) > + goto err; > + > + nftnl_table_set_str(r, NFTNL_TABLE_NAME, table); > + > + batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r); > +err: > + /* the core expects 1 for success and 0 for error */ > + return ret == 0 ? 1 : 0; > +} > + it seems ret is never set to something meaningful?
[PATCH iptables-compat 2/3] iptables-compat: do not fail on restore if user chain exists
The following snippet fails if user chain FOO exists, but it should not fail: iptables-compat -F iptables-compat -N FOO iptables-compat-save > foo iptables-compat-restore < foo Reported-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- iptables/nft-shared.h | 2 +- iptables/nft.c | 25 + iptables/nft.h | 1 + iptables/xtables-restore.c | 6 +++--- 4 files changed, 30 insertions(+), 4 deletions(-) diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index e13a1a8563c3..1520d613b528 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h @@ -255,7 +255,7 @@ struct nft_xt_restore_cb { int (*chain_user_add)(struct nft_handle *h, const char *chain, const char *table); - int (*rule_flush)(struct nft_handle *h, const char *chain, const char *table); + int (*table_flush)(struct nft_handle *h, const char *table); int (*do_command)(struct nft_handle *h, int argc, char *argv[], char **table, bool restore); diff --git a/iptables/nft.c b/iptables/nft.c index e60923d6ecbf..5858e01e52ac 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -262,6 +262,7 @@ enum obj_update_type { NFT_COMPAT_RULE_REPLACE, NFT_COMPAT_RULE_DELETE, NFT_COMPAT_RULE_FLUSH, + NFT_COMPAT_TABLE_FLUSH, }; enum obj_action { @@ -1283,6 +1284,25 @@ next: return 1; } +int nft_table_flush(struct nft_handle *h, const char *table) +{ + struct nftnl_table *r; + int ret = 0; + + nft_fn = nft_table_flush; + + r = nftnl_table_alloc(); + if (r == NULL) + goto err; + + nftnl_table_set_str(r, NFTNL_TABLE_NAME, table); + + batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r); +err: + /* the core expects 1 for success and 0 for error */ + return ret == 0 ? 1 : 0; +} + static void __nft_rule_flush(struct nft_handle *h, const char *table, const char *chain) {
@@ -2294,6 +2314,11 @@ static int nft_action(struct nft_handle *h, int action) nft_compat_rule_batch_add(h, NFT_MSG_DELRULE, 0, seq++, n->rule); break; + case NFT_COMPAT_TABLE_FLUSH: + nft_compat_table_batch_add(h, NFT_MSG_DELTABLE, + 0, + seq++, n->table); + break; } h->obj_list_num--; diff --git a/iptables/nft.h b/iptables/nft.h index aaf3cbe0c0e3..2d5c37e5b502 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -58,6 +58,7 @@ struct nftnl_chain_list; int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters); bool nft_table_find(struct nft_handle *h, const char *tablename); int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list); +int nft_table_flush(struct nft_handle *h, const char *table); /* * Operations with chains. diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c index fc39ad9c4fa5..3de496f85387 100644 --- a/iptables/xtables-restore.c +++ b/iptables/xtables-restore.c @@ -191,7 +191,7 @@ struct nft_xt_restore_cb restore_cb = { .commit = nft_commit, .abort = nft_abort, .chains_purge = nft_table_purge_chains, - .rule_flush = nft_rule_flush, + .table_flush= nft_table_flush, .chain_del = chain_delete, .do_command = do_commandx, .chain_set = nft_chain_set, @@ -270,8 +270,8 @@ void xtables_restore_parse(struct nft_handle *h, if (noflush == 0) { DEBUGP("Cleaning all chains of table '%s'\n", table); - if (cb->rule_flush) - cb->rule_flush(h, NULL, table); + if (cb->table_flush) + cb->table_flush(h, table); } ret = 1; -- 2.11.0
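Review bot: in the iptables/nft.c hunk at @@ -1283, `ret` is initialized to 0 and never assigned afterwards, so the `if (r == NULL) goto err;` path falls through to `return ret == 0 ? 1 : 0;` and reports an allocation failure as success, and the result of batch_table_add() is discarded as well; set `ret = -1` before the `goto err` (or return 0 directly there) and return based on what batch_table_add() gives back, so that the "1 for success, 0 for error" contract in the comment actually holds.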
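Review bot: in the nft_action hunk at @@ -2294, NFT_COMPAT_TABLE_FLUSH is carried out as NFT_MSG_DELTABLE, which removes the whole table together with its base chains and hook registrations rather than flushing rules, so the "flush" name and the "Cleaning all chains" debug message in the xtables-restore.c hunk understate what happens on the wire; also, a DELTABLE for a table that does not exist yet (first restore on a freshly booted kernel) is rejected by nf_tables and fails the entire batch, so either nft_table_flush() should consult nft_table_find() (declared in the nft.h hunk context) before queueing the delete, or the commit message should explain why the table is guaranteed to exist whenever cb->table_flush runs.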
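Review bot: the nft-shared.h hunk renames the nft_xt_restore_cb member rule_flush to table_flush and changes its signature, but the only initializer updated in this patch is restore_cb in xtables-restore.c (the diffstat lists no other .c file); any other nft_xt_restore_cb initializer that still names .rule_flush, or any caller still invoking cb->rule_flush with the old three-argument form, will no longer compile, so please grep for the old member before applying.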
[PATCH iptables-compat 1/3] iptables-compat: remove non-batching routines
This is only needed by 3.16, which was released 8 months after nftables was merged upstream. That kernel version supports a reduced featureset. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.c | 157 +++-- iptables/nft.h | 3 -- 2 files changed, 7 insertions(+), 153 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index e7cb827bb132..e60923d6ecbf 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -517,30 +517,6 @@ struct builtin_table xtables_bridge[TABLES_MAX] = { }, }; -int nft_table_add(struct nft_handle *h, struct nftnl_table *t, uint16_t flags) -{ - char buf[MNL_SOCKET_BUFFER_SIZE]; - struct nlmsghdr *nlh; - int ret; - - nlh = nftnl_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, h->family, - NLM_F_ACK|flags, h->seq); - nftnl_table_nlmsg_build_payload(nlh, t); - nftnl_table_free(t); - -#ifdef NLDEBUG - char tmp[1024]; - - nft_table_snprintf(tmp, sizeof(tmp), t, 0, 0); - printf("DEBUG: table: %s\n", tmp); - mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg)); -#endif - - ret = mnl_talk(h, nlh, NULL, NULL); - - return (ret == 0 || (ret == -1 && errno == EEXIST)) ? 0 : -1; -} - static int nft_table_builtin_add(struct nft_handle *h, struct builtin_table *_t) { @@ -556,10 +532,7 @@ static int nft_table_builtin_add(struct nft_handle *h, nftnl_table_set(t, NFTNL_TABLE_NAME, (char *)_t->name); - if (h->batch_support) - ret = batch_table_add(h, NFT_COMPAT_TABLE_ADD, t); - else - ret = nft_table_add(h, t, NLM_F_EXCL); + ret = batch_table_add(h, NFT_COMPAT_TABLE_ADD, t); if (ret == 0) _t->initialized = true;
@@ -587,29 +560,6 @@ nft_chain_builtin_alloc(struct builtin_table *table, return c; } -int nft_chain_add(struct nft_handle *h, struct nftnl_chain *c, uint16_t flags) -{ - char buf[MNL_SOCKET_BUFFER_SIZE]; - struct nlmsghdr *nlh; - - /* NLM_F_CREATE requests module autoloading */ - nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, h->family, - NLM_F_ACK|flags|NLM_F_CREATE, - h->seq); - nftnl_chain_nlmsg_build_payload(nlh, c); - nftnl_chain_free(c); - -#ifdef NLDEBUG - char tmp[1024]; - - nft_chain_snprintf(tmp, sizeof(tmp), c, 0, 0); - printf("DEBUG: chain: %s\n", tmp); - mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg)); -#endif - - return mnl_talk(h, nlh, NULL, NULL); -} - static void nft_chain_builtin_add(struct nft_handle *h, struct builtin_table *table, struct builtin_chain *chain) @@ -620,10 +570,7 @@ static void nft_chain_builtin_add(struct nft_handle *h, if (c == NULL) return; - if (h->batch_support) - batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c); - else - nft_chain_add(h, c, NLM_F_EXCL); + batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c); } /* find if built-in table already exists */ 
@@ -713,49 +660,6 @@ static bool nft_chain_builtin(struct nftnl_chain *c) return nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM) != NULL; } -static bool mnl_batch_supported(struct nft_handle *h) -{ - char buf[MNL_SOCKET_BUFFER_SIZE]; - uint32_t seq = 1; - int ret; - - mnl_nftnl_batch_begin(h->batch, seq++); - - nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(h->batch), - NFT_MSG_NEWSET, AF_INET, - NLM_F_ACK, seq++); - mnl_nlmsg_batch_next(h->batch); - - mnl_nftnl_batch_end(h->batch, seq++); - - ret = mnl_socket_sendto(h->nl, mnl_nlmsg_batch_head(h->batch), - mnl_nlmsg_batch_size(h->batch)); - if (ret < 0) - goto err; - - mnl_nlmsg_batch_reset(h->batch); - - ret = mnl_socket_recvfrom(h->nl, buf, sizeof(buf)); - while (ret > 0) { - ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(h->nl), -NULL, NULL); - if (ret <= 0) - break; - - ret = mnl_socket_recvfrom(h->nl, buf, sizeof(buf)); - } - - /* We're sending an incomplete message to see if the kernel supports -* set messages in batches. EINVAL means that we sent an incomplete -* message with missing attributes. The kernel just ignores messages -* that we cannot include in the batch. -*/ - return (ret == -1 && errno == EINVAL) ? true : false; -err: - mnl_nlmsg_batch_reset(h->batch); - return ret; -} - static int nft_restart(struct nft_handle *h) { mnl_socket_close(h->nl);
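Review bot: the removed nft_table_add() contained a use-after-free under NLDEBUG, `nftnl_table_free(t);` is followed by `nft_table_snprintf(tmp, sizeof(tmp), t, 0, 0);`, so dropping it removes a latent debug-build bug; worth a sentence in the commit message since it changes what an NLDEBUG build does.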
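Review bot: in the nft_table_builtin_add() hunk `_t->initialized = true` is still set when batch_table_add() returns 0, but with the batch path now unconditional a 0 return only means the NEWTABLE was queued, not that the kernel accepted it; if the later commit fails the handle keeps believing the builtin table exists. Either set the flag after a successful commit or comment that it means "queued". The deleted fallback also mapped EEXIST to success (`ret == -1 && errno == EEXIST`); please confirm the batched NEWTABLE tolerates an already-present table, because an EEXIST inside a batch aborts the whole transaction.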
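Review bot: the removed nft_chain_add() held the only explanation of why NLM_F_CREATE is set (`/* NLM_F_CREATE requests module autoloading */`); if the NEWCHAIN that batch_chain_add() builds relies on the same flag, move that comment there so the reason does not vanish with this deletion. This hunk also removes the same NLDEBUG pattern as in nft_table_add(), `nftnl_chain_free(c);` followed by `nft_chain_snprintf(tmp, sizeof(tmp), c, 0, 0);`, so nothing of value is lost.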
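Review bot: with mnl_batch_supported() removed there is no runtime probe left, so on a kernel below the minimum this series assumes the first commit will fail with a bare netlink error rather than a clear message. The commit message says the non-batch path was only needed by 3.16 but does not state the resulting minimum kernel version; please name it, and consider an explicit error from the commit path when the batch is rejected. Also verify that the `batch_support` member of struct nft_handle and every remaining `h->batch_support` test are gone (the diffstat shows only 3 lines removed from nft.h).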
[PATCH iptables-compat 3/3] iptables-compat: chains are purged out already from table flush
Remove dead code that uses the ancient non-batch netlink API. Chains are already purged out from table flush. Signed-off-by: Pablo Neira Ayuso--- iptables/nft-shared.h | 2 -- iptables/nft.c | 45 - iptables/xtables-restore.c | 5 - 3 files changed, 52 deletions(-) diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index 1520d613b528..79bea410c4d8 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h @@ -245,8 +245,6 @@ struct nftnl_chain_list; struct nft_xt_restore_cb { void (*table_new)(struct nft_handle *h, const char *table); struct nftnl_chain_list *(*chain_list)(struct nft_handle *h); - int (*chains_purge)(struct nft_handle *h, const char *table, - struct nftnl_chain_list *clist); void (*chain_del)(struct nftnl_chain_list *clist, const char *curtable, const char *chain); int (*chain_set)(struct nft_handle *h, const char *table, diff --git a/iptables/nft.c b/iptables/nft.c index 5858e01e52ac..2e8e0ae60b9d 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1397,18 +1397,6 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl #define NLM_F_NONREC 0x100 /* Do not delete recursively*/ #endif -static int __nft_chain_del(struct nft_handle *h, struct nftnl_chain *c) -{ - char buf[MNL_SOCKET_BUFFER_SIZE]; - struct nlmsghdr *nlh; - - nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_DELCHAIN, h->family, - NLM_F_NONREC | NLM_F_ACK, h->seq); - nftnl_chain_nlmsg_build_payload(nlh, c); - - return mnl_talk(h, nlh, NULL, NULL); -} - int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table) { struct nftnl_chain_list *list; 
@@ -1666,39 +1654,6 @@ err: return ret == 0 ? 1 : 0; } -int nft_table_purge_chains(struct nft_handle *h, const char *this_table, - struct nftnl_chain_list *chain_list) -{ - struct nftnl_chain_list_iter *iter; - struct nftnl_chain *chain_obj; - - iter = nftnl_chain_list_iter_create(chain_list); - if (iter == NULL) - return 0; - - chain_obj = nftnl_chain_list_iter_next(iter); - while (chain_obj != NULL) { - const char *table = - nftnl_chain_get_str(chain_obj, NFTNL_CHAIN_TABLE); - - if (strcmp(this_table, table) != 0) - goto next; - - if (nft_chain_builtin(chain_obj)) - goto next; - - if ( __nft_chain_del(h, chain_obj) < 0) { - if (errno != EBUSY) - return -1; - } -next: - chain_obj = nftnl_chain_list_iter_next(iter); - } - nftnl_chain_list_iter_destroy(iter); - - return 0; -} - static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule_list *list, struct nftnl_rule *r) { diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c index 3de496f85387..a33a659341db 100644 --- a/iptables/xtables-restore.c +++ b/iptables/xtables-restore.c @@ -190,7 +190,6 @@ struct nft_xt_restore_cb restore_cb = { .chain_list = get_chain_list, .commit = nft_commit, .abort = nft_abort, - .chains_purge = nft_table_purge_chains, .table_flush= nft_table_flush, .chain_del = chain_delete, .do_command = do_commandx, @@ -245,10 +244,6 @@ void xtables_restore_parse(struct nft_handle *h, } in_table = 0; - /* Purge out unused chains in this table */ - if (!p->testing && cb->chains_purge) - cb->chains_purge(h, curtable, chain_list); - } else if ((buffer[0] == '*') && (!in_table)) { /* New table */ char *table; -- 2.11.0
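Review bot: the `#define NLM_F_NONREC 0x100` fallback visible in the context just above the removed __nft_chain_del() may now have no user; if nft_chain_user_del(), the function that follows, does not set NLM_F_NONREC itself, drop the whole #ifndef block in the same patch rather than leaving a dead define.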
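Review bot: nft_table_purge_chains() is deleted from nft.c, but its declaration in iptables/nft.h (shown as context next to the nft_table_flush prototype in 2/3) is not touched by this patch, whose diffstat lists only nft-shared.h, nft.c and xtables-restore.c; remove `int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);` from nft.h as well so no stale prototype survives. For the record, the removed loop leaked its iterator on the `return -1` path (nftnl_chain_list_iter_destroy() was only reached on success), so there is no behaviour here worth preserving.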
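Review bot: the purge removed from the COMMIT branch of xtables_restore_parse() was guarded by `!p->testing`, while the table_flush that replaces it (added to the table-line handling in 2/3) is conditioned on `noflush == 0` only; please confirm that in test mode the batched DELTABLE is aborted rather than committed, otherwise a test run would now modify the live ruleset, which the old code took care to avoid.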
[PATCH ebtables] Fix musl libc compatibility
Conflicting definitions of struct ethhdr between the kernel and musl libc provided headers cause a build failure: In file included from .../usr/include/netinet/ether.h:8:0, from useful_functions.c:28: .../usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’ struct ethhdr { ^~ In file included from include/linux/netfilter_bridge.h:8:0, from include/linux/netfilter_bridge/ebtables.h:17, from include/ebtables_u.h:27, from useful_functions.c:25: include/linux/if_ether.h:119:8: note: originally defined here struct ethhdr { ^~ Recent enough versions of the kernel headers allow the libc to suppress conflicting kernel definitions. Include the libc provided netinet/ether.h before kernel headers to suppress the conflicting definition of struct ethhdr. Signed-off-by: Baruch Siach--- include/ebtables_u.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/ebtables_u.h b/include/ebtables_u.h index c8589969bd8e..4824a145964e 100644 --- a/include/ebtables_u.h +++ b/include/ebtables_u.h @@ -24,6 +24,7 @@ #ifndef EBTABLES_U_H #define EBTABLES_U_H #include +#include #include #include -- 2.17.0
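Review bot: the fix relies entirely on include order, yet the hunk adds the new `#include` with no comment, and as extracted here the header names inside the angle brackets have been lost so the ordering cannot even be verified from the hunk; put a one-line comment above the added include (for example "must come before the kernel headers so libc can suppress its own struct ethhdr") so a later reordering does not silently reintroduce the redefinition. The commit message should also say which kernel headers version introduced the suppression, since "recent enough" gives distribution maintainers nothing to check against.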
Re: [PATCH][PING] Hide private symbols in libnfnetlink
On Fri, May 4, 2018 at 1:23 AM, Jan Engelhardtwrote: > On Thursday 2018-05-03 17:03, Yuri Gribov wrote: > >>Hi all, >> >>Here's the updated version of the patch. >> >>diff --git a/src/Makefile.am b/src/Makefile.am >>index d0098cc..d91c9f7 100644 >>--- a/src/Makefile.am >>+++ b/src/Makefile.am >>@@ -3,7 +3,8 @@ include $(top_srcdir)/Make_global.am >> lib_LTLIBRARIES = libnfnetlink.la >> >> libnfnetlink_la_LDFLAGS = -Wc,-nostartfiles \ >>--version-info $(LIBVERSION) >>+-version-info $(LIBVERSION) \ >>+-Wl,--version-script=$(srcdir)/nfnl.version >> libnfnetlink_la_SOURCES = libnfnetlink.c iftable.c rtnl.c >> >> noinst_HEADERS = iftable.h rtnl.h > > Another additional line will be needed, > > EXTRA_libnfnetlink_la_DEPENDENCIES = nfnl.version > > otherwise the linker won't rerun if the .version file gets modified. Yup, reproduced. Attaching fixed patch. -Y 0001-Hide-private-symbols-v5.patch Description: Binary data
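Review bot: the quoted Makefile.am hunk makes the link depend on `$(srcdir)/nfnl.version` but nothing in it adds that file to EXTRA_DIST, so a `make dist` tarball would lack the version script and fail to link; next to the `EXTRA_libnfnetlink_la_DEPENDENCIES = nfnl.version` line Jan asked for, also add `EXTRA_DIST = nfnl.version`. The v5 patch is attached rather than inline, so the script's export list itself cannot be reviewed from this thread; the resubmission should paste it in the mail body so it is clear which symbols remain public for libnetfilter consumers.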