Re: [PATCH nf-next,v3 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks
Hi Pablo, I love your patch! Yet something to improve: [auto build test ERROR on nf-next/master] [also build test ERROR on v4.17-rc5] [cannot apply to nf/master next-20180517] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180518-093914 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master config: mips-fuloong2e_defconfig (attached as .config) compiler: mips64el-linux-gnuabi64-gcc (Debian 7.2.0-11) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=mips All errors (new ones prefixed by >>): >> ERROR: "nf_ct_hook" [net/netfilter/nfnetlink_queue.ko] undefined! --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation .config.gz Description: application/gzip
Re: [PATCH ghak81 V3 1/3] audit: use new audit_context access funciton for seccomp_actions_logged
On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggswrote: > On the rebase of the following commit on the new seccomp actions_logged > function, one audit_context access was missed. > > commit cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5 > ("audit: use inline function to get audit context") > > Signed-off-by: Richard Guy Briggs > --- > kernel/auditsc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Merged into audit/next, thanks for the follow-up. > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index cbab0da..f3d3dc6 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -2497,7 +2497,7 @@ void audit_seccomp_actions_logged(const char *names, > const char *old_names, > if (!audit_enabled) > return; > > - ab = audit_log_start(current->audit_context, GFP_KERNEL, > + ab = audit_log_start(audit_context(), GFP_KERNEL, > AUDIT_CONFIG_CHANGE); > if (unlikely(!ab)) > return; > -- > 1.8.3.1 -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH ghak81 V3 3/3] audit: collect audit task parameters
On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggswrote: > The audit-related parameters in struct task_struct should ideally be > collected together and accessed through a standard audit API. > > Collect the existing loginuid, sessionid and audit_context together in a > new struct audit_task_info called "audit" in struct task_struct. > > Use kmem_cache to manage this pool of memory. > Un-inline audit_free() to be able to always recover that memory. > > See: https://github.com/linux-audit/audit-kernel/issues/81 > > Signed-off-by: Richard Guy Briggs > --- > include/linux/audit.h | 34 -- > include/linux/sched.h | 5 + > init/init_task.c | 3 +-- > init/main.c | 2 ++ > kernel/auditsc.c | 51 > ++- > kernel/fork.c | 2 +- > 6 files changed, 71 insertions(+), 26 deletions(-) As discussed on-list and offline, I'm going to hold off on this change until the audit container ID work is father along. That is the main driver for this change, and until that is closer to ready I just can't justify the extra overhead. > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 69c7847..4f824c4 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -216,8 +216,15 @@ static inline void audit_log_task_info(struct > audit_buffer *ab, > > /* These are defined in auditsc.c */ > /* Public API */ > +struct audit_task_info { > + kuid_t loginuid; > + unsigned intsessionid; > + struct audit_context*ctx; > +}; > +extern struct audit_task_info init_struct_audit; > +extern void __init audit_task_init(void); > extern int audit_alloc(struct task_struct *task); > -extern void __audit_free(struct task_struct *task); > +extern void audit_free(struct task_struct *task); > extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long > a1, > unsigned long a2, unsigned long a3); > extern void __audit_syscall_exit(int ret_success, long ret_value); > @@ -239,12 +246,15 @@ extern void audit_seccomp_actions_logged(const char > *names, > > static inline void audit_set_context(struct task_struct *task, struct > audit_context *ctx) > { > - task->audit_context = ctx; > + task->audit->ctx = ctx; > } > > static inline struct audit_context *audit_context(void) > { > - return current->audit_context; > + if (current->audit) > + return current->audit->ctx; > + else > + return NULL; > } > > static inline bool audit_dummy_context(void) > @@ -252,11 +262,7 @@ static inline bool audit_dummy_context(void) > void *p = audit_context(); > return !p || *(int *)p; > } > -static inline void audit_free(struct task_struct *task) > -{ > - if (unlikely(task->audit_context)) > - __audit_free(task); > -} > + > static inline void audit_syscall_entry(int major, unsigned long a0, >unsigned long a1, unsigned long a2, >unsigned long a3) > @@ -328,12 +334,18 @@ extern int auditsc_get_stamp(struct audit_context *ctx, > > static inline kuid_t audit_get_loginuid(struct task_struct *tsk) > { > - return tsk->loginuid; > + if (tsk->audit) > + return tsk->audit->loginuid; > + else > + return INVALID_UID; > } > > static inline unsigned int audit_get_sessionid(struct task_struct *tsk) > { > - return tsk->sessionid; > + if (tsk->audit) > + return tsk->audit->sessionid; > + else > + return AUDIT_SID_UNSET; > } > > extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); > @@ -458,6 +470,8 @@ static inline void audit_fanotify(unsigned int response) > extern int audit_n_rules; > extern int audit_signals; > #else /* CONFIG_AUDITSYSCALL */ > +static inline void __init audit_task_init(void) > +{ } > static inline int audit_alloc(struct task_struct *task) > { > return 0; > diff --git a/include/linux/sched.h b/include/linux/sched.h > index b3d697f..6a5db0e 100644 > --- a/include/linux/sched.h > +++ b/include/linux/sched.h > @@ -29,7 +29,6 @@ > #include > > /* task_struct member predeclarations (sorted alphabetically): */ > -struct audit_context; > struct backing_dev_info; > struct bio_list; > struct blk_plug; > @@ -832,10 +831,8 @@ struct task_struct { > > struct callback_head*task_works; > > - struct audit_context*audit_context; > #ifdef CONFIG_AUDITSYSCALL > - kuid_t loginuid; > - unsigned intsessionid; > + struct audit_task_info *audit; > #endif > struct seccomp seccomp; > > diff --git a/init/init_task.c b/init/init_task.c > index
Re: [PATCH ghak81 V3 2/3] audit: normalize loginuid read access
On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggswrote: > Recognizing that the loginuid is an internal audit value, use an access > function to retrieve the audit loginuid value for the task rather than > reaching directly into the task struct to get it. > > Signed-off-by: Richard Guy Briggs > --- > kernel/auditsc.c | 24 +++- > 1 file changed, 15 insertions(+), 9 deletions(-) Also merged into audit/next. > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index f3d3dc6..ef3e189 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -374,7 +374,7 @@ static int audit_field_compare(struct task_struct *tsk, > case AUDIT_COMPARE_EGID_TO_OBJ_GID: > return audit_compare_gid(cred->egid, name, f, ctx); > case AUDIT_COMPARE_AUID_TO_OBJ_UID: > - return audit_compare_uid(tsk->loginuid, name, f, ctx); > + return audit_compare_uid(audit_get_loginuid(tsk), name, f, > ctx); > case AUDIT_COMPARE_SUID_TO_OBJ_UID: > return audit_compare_uid(cred->suid, name, f, ctx); > case AUDIT_COMPARE_SGID_TO_OBJ_GID: > @@ -385,7 +385,8 @@ static int audit_field_compare(struct task_struct *tsk, > return audit_compare_gid(cred->fsgid, name, f, ctx); > /* uid comparisons */ > case AUDIT_COMPARE_UID_TO_AUID: > - return audit_uid_comparator(cred->uid, f->op, tsk->loginuid); > + return audit_uid_comparator(cred->uid, f->op, > + audit_get_loginuid(tsk)); > case AUDIT_COMPARE_UID_TO_EUID: > return audit_uid_comparator(cred->uid, f->op, cred->euid); > case AUDIT_COMPARE_UID_TO_SUID: > @@ -394,11 +395,14 @@ static int audit_field_compare(struct task_struct *tsk, > return audit_uid_comparator(cred->uid, f->op, cred->fsuid); > /* auid comparisons */ > case AUDIT_COMPARE_AUID_TO_EUID: > - return audit_uid_comparator(tsk->loginuid, f->op, cred->euid); > + return audit_uid_comparator(audit_get_loginuid(tsk), f->op, > + cred->euid); > case AUDIT_COMPARE_AUID_TO_SUID: > - return audit_uid_comparator(tsk->loginuid, f->op, cred->suid); > + return audit_uid_comparator(audit_get_loginuid(tsk), f->op, > + cred->suid); > case AUDIT_COMPARE_AUID_TO_FSUID: > - return audit_uid_comparator(tsk->loginuid, f->op, > cred->fsuid); > + return audit_uid_comparator(audit_get_loginuid(tsk), f->op, > + cred->fsuid); > /* euid comparisons */ > case AUDIT_COMPARE_EUID_TO_SUID: > return audit_uid_comparator(cred->euid, f->op, cred->suid); > @@ -611,7 +615,8 @@ static int audit_filter_rules(struct task_struct *tsk, > result = match_tree_refs(ctx, rule->tree); > break; > case AUDIT_LOGINUID: > - result = audit_uid_comparator(tsk->loginuid, f->op, > f->uid); > + result = audit_uid_comparator(audit_get_loginuid(tsk), > + f->op, f->uid); > break; > case AUDIT_LOGINUID_SET: > result = audit_comparator(audit_loginuid_set(tsk), > f->op, f->val); > @@ -2278,14 +2283,15 @@ int audit_signal_info(int sig, struct task_struct *t) > { > struct audit_aux_data_pids *axp; > struct audit_context *ctx = audit_context(); > - kuid_t uid = current_uid(), t_uid = task_uid(t); > + kuid_t uid = current_uid(), auid, t_uid = task_uid(t); > > if (auditd_test_task(t) && > (sig == SIGTERM || sig == SIGHUP || > sig == SIGUSR1 || sig == SIGUSR2)) { > audit_sig_pid = task_tgid_nr(current); > - if (uid_valid(current->loginuid)) > - audit_sig_uid = current->loginuid; > + auid = audit_get_loginuid(current); > + if (uid_valid(auid)) > + audit_sig_uid = auid; > else > audit_sig_uid = uid; > security_task_getsecid(current, _sig_sid); > -- > 1.8.3.1 > -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 11/40] ipv6/flowlabel: simplify pid namespace lookup
Christoph Hellwigwrites: > On Thu, May 17, 2018 at 12:28:01AM -0500, Eric W. Biederman wrote: >> > struct pid_namespace *proc_pid_namespace(struct inode *inode) >> > { >> >// maybe warn on for s_magic not on procfs?? >> >return inode->i_sb->s_fs_info; >> > } >> >> That should work. Ideally out of line for the proc_fs.h version. >> Basically it should be a cousin of PDE_DATA. > > The version in Al's tree is inline and without the warning as > I didn't want to drag in the magic.h include. Please look at it for > additional comments, I can send incremental fixups if needed. Sounds good. Eric -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH nft 0/7] Python test fixes
Máté Ecklwrote: > This sereis of patches fix or supplement files related to python tests that I > have met during my first test case. > > Máté Eckl (7): > test: Specify python version in nft-test.py > test: Small typo fixes in the python tests README > test/py: Updated test file structure descripion in README > test: py: print_msg refactor > test: py: print path of the logfile > test: py: Added paylad file description to README > test: py: Make diff functions use print_* functions > > tests/py/README | 51 +--- > tests/py/nft-test.py | 31 +++ > 2 files changed, 55 insertions(+), 27 deletions(-) Series applied, thank you. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [nft PATCH] nft.8: Document limitation of reject statement in bridge family
Phil Sutterwrote: > Bridge family allows reject statement in prerouting and input chains > only. Users can't know without looking at kernel code. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH nft 1/2] Introduce socket matching
Máté Ecklwrote: > +socket_stmt : SOCKET EXISTS /* with the actual > implementation we cannot match abscence */ I think we should go for a native expression. I'll leave it up to you what you'd like to do next. There are a few options: 1. First go for TPROXY in nft (i.e. finish userspace syntax first) 2. add socket expression for nf_tables. 3. add support for SYNPROXY (outside of your original proposal, but this can be done via nft_compat without loss of functionality). I think 1 or 2 would make most sense, let me know. In case you go for #2, i would go for net/netfilter/nft_socket.c, you'll need a way to serialize the socket_stmt data via new netlink attributes. You can look at 2fa841938c648fe4359691f41e8e1f37ff1a3aa2 for a commit that added a new expression. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH nf-next] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval
Taehee Yoowrote: > In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. > But correct type is u8. so that sometimes incorrect value is dereferenced. Acked-by: Florian Westphal -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nf-next] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval
In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. But correct type is u8. so that sometimes incorrect value is dereferenced. Steps to reproduce: %nft add table ip filter %nft add chain ip filter input { type filter hook input priority 4\; } %nft add rule ip filter input nftrace set 0 %nft monitor Sometimes, we can see trace messages. trace id 16767227 ip filter input packet: iif "enp2s0" ether saddr xx:xx:xx:xx:xx:xx ether daddr xx:xx:xx:xx:xx:xx ip saddr 192.168.0.1 ip daddr 255.255.255.255 ip dscp cs0 ip ecn not-ect ip trace id 16767227 ip filter input rule nftrace set 0 (verdict continue) trace id 16767227 ip filter input verdict continue trace id 16767227 ip filter input Signed-off-by: Taehee Yoo--- net/netfilter/nft_meta.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 5348bd0..1105a23 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -259,7 +259,7 @@ static void nft_meta_set_eval(const struct nft_expr *expr, struct sk_buff *skb = pkt->skb; u32 *sreg = >data[meta->sreg]; u32 value = *sreg; - u8 pkt_type; + u8 value8; switch (meta->key) { case NFT_META_MARK: @@ -269,15 +269,17 @@ static void nft_meta_set_eval(const struct nft_expr *expr, skb->priority = value; break; case NFT_META_PKTTYPE: - pkt_type = nft_reg_load8(sreg); + value8 = nft_reg_load8(sreg); - if (skb->pkt_type != pkt_type && - skb_pkt_type_ok(pkt_type) && + if (skb->pkt_type != value8 && + skb_pkt_type_ok(value8) && skb_pkt_type_ok(skb->pkt_type)) - skb->pkt_type = pkt_type; + skb->pkt_type = value8; break; case NFT_META_NFTRACE: - skb->nf_trace = !!value; + value8 = nft_reg_load8(sreg); + + skb->nf_trace = !!value8; break; default: WARN_ON(1); -- 2.9.3 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH nft 1/2] Introduce socket matching
Máté Ecklwrote: > Originally I also added the following lines but it made the print too slow for > the test to pass. > > It printed the following warning: > inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket > exists': 'socket exists' mismatches 'socke' > inet/socket.t: WARNING: line 9: 'add rule ip sockip4 sockchain socket > flags transparent': 'socket flags transparent' mismatches 'socket' > > To be honest I don't know what this criterion means so if it is important > please > notify me. > > diff --git a/src/statement.c b/src/statement.c > index ff6a98a..ec3b0c0 100644 > --- a/src/statement.c > +++ b/src/statement.c > @@ -183,6 +183,10 @@ static void socket_stmt_print(const struct stmt *stmt, > struct output_ctx *octx) >*existance_str = (s->exists) ? "exists" : "missing"; > > nft_print(octx, "socket"); > + > + if(octx->stateless) > + return; This test makes no sense, socket match has no state. This is for 'nft -s' which e.g. prints 'counter' instead of 'counter x packets y bytes'. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2] netfilter: properly initialize xt_table_info structure
On Thu, May 17, 2018 at 12:42:00PM +0200, Jan Engelhardt wrote: > > On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote: > >> > --- a/net/netfilter/x_tables.c > >> > +++ b/net/netfilter/x_tables.c > >> > @@ -1183,11 +1183,10 @@ struct xt_table_info > >> > *xt_alloc_table_info(unsigned int size) > >> > * than shoot all processes down before realizing there is > >> > nothing > >> > * more to reclaim. > >> > */ > >> > -info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY); > >> > +info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY); > >> > if (!info) > >> > return NULL; > >> > >> I am curious, what particular path does not later overwrite the whole zone > >> ? > > > >In do_ipt_get_ctl, the IPT_SO_GET_ENTRIES: option uses a len value that > >can be larger than the size of the structure itself. > > > >Then the data is copied to userspace in copy_entries_to_user() for ipv4 > >and v6, and that's where the "bad data" > > If the kernel incorrectly copies more bytes than it should, isn't that > a sign that may be going going past the end of the info buffer? > (And thus, zeroing won't truly fix the issue) No, the buffer size is correct, we just aren't filling up the whole buffer as the data requested is smaller than the buffer size. thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH libmnl] examples: add arp cache dump example
Adding ARP example in order to dump the info in the form: index= family= dst= lladdr= state= Signed-off-by: Laura Garcia Liebana--- examples/rtnl/Makefile.am | 6 +- examples/rtnl/rtnl-arp-dump.c | 161 ++ 2 files changed, 166 insertions(+), 1 deletion(-) create mode 100644 examples/rtnl/rtnl-arp-dump.c diff --git a/examples/rtnl/Makefile.am b/examples/rtnl/Makefile.am index 24769b6..e56365c 100644 --- a/examples/rtnl/Makefile.am +++ b/examples/rtnl/Makefile.am @@ -6,7 +6,8 @@ check_PROGRAMS = rtnl-addr-dump \ rtnl-link-set \ rtnl-route-add \ rtnl-route-dump \ -rtnl-route-event +rtnl-route-event \ +rtnl-arp-dump rtnl_addr_dump_SOURCES = rtnl-addr-dump.c rtnl_addr_dump_LDADD = ../../src/libmnl.la @@ -34,3 +35,6 @@ rtnl_route_dump_LDADD = ../../src/libmnl.la rtnl_route_event_SOURCES = rtnl-route-event.c rtnl_route_event_LDADD = ../../src/libmnl.la + +rtnl_arp_dump_SOURCES = rtnl-arp-dump.c +rtnl_arp_dump_LDADD = ../../src/libmnl.la diff --git a/examples/rtnl/rtnl-arp-dump.c b/examples/rtnl/rtnl-arp-dump.c new file mode 100644 index 000..fc0f205 --- /dev/null +++ b/examples/rtnl/rtnl-arp-dump.c @@ -0,0 +1,161 @@ +/* This example is placed in the public domain. */ +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +static int data_attr_cb(const struct nlattr *attr, void *data) +{ + const struct nlattr **tb = data; + int type = mnl_attr_get_type(attr); + + /* skip unsupported attribute in user-space */ + if (mnl_attr_type_valid(attr, IFA_MAX) < 0) + return MNL_CB_OK; + + switch(type) { + case NDA_DST: + if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0) { + perror("mnl_attr_validate"); + return MNL_CB_ERROR; + } + break; + case NDA_LLADDR: + if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0) { + perror("mnl_attr_validate"); + return MNL_CB_ERROR; + } + break; + } + tb[type] = attr; + return MNL_CB_OK; +} + +static int data_cb(const struct nlmsghdr *nlh, void *data) +{ + struct nlattr *tb[IFA_MAX + 1] = {}; + struct ndmsg *ndm = mnl_nlmsg_get_payload(nlh); + + printf("index=%d family=%d ", ndm->ndm_ifindex, ndm->ndm_family); + + mnl_attr_parse(nlh, sizeof(*ndm), data_attr_cb, tb); + printf("dst="); + if (tb[NDA_DST]) { + void *addr = mnl_attr_get_payload(tb[NDA_DST]); + char out[INET6_ADDRSTRLEN]; + + if (inet_ntop(ndm->ndm_family, addr, out, sizeof(out))) + printf("%s ", out); + } + + mnl_attr_parse(nlh, sizeof(*ndm), data_attr_cb, tb); + printf("lladdr="); + if (tb[NDA_LLADDR]) { + void *addr = mnl_attr_get_payload(tb[NDA_LLADDR]); + unsigned char lladdr[6] = {0}; + + if (memcpy(, addr, 6)) + printf("%02x:%02x:%02x:%02x:%02x:%02x ", lladdr[0], lladdr[1], lladdr[2], lladdr[3], lladdr[4], lladdr[5]); + } + + printf("state="); + switch(ndm->ndm_state) { + case NUD_INCOMPLETE: + printf("incomplete "); + break; + case NUD_REACHABLE: + printf("reachable "); + break; + case NUD_STALE: + printf("stale "); + break; + case NUD_DELAY: + printf("delay "); + break; + case NUD_PROBE: + printf("probe "); + break; + case NUD_FAILED: + printf("failed "); + break; + case NUD_NOARP: + printf("noarp "); + break; + case NUD_PERMANENT: + printf("permanent "); + break; + default: + printf("%d ", ndm->ndm_state); + break; + } + + printf("\n"); + return MNL_CB_OK; +} + +int main(int argc, char *argv[]) +{ + struct mnl_socket *nl; + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + struct rtgenmsg *rt; + int ret; + unsigned int seq, portid; + + if (argc != 2) { + fprintf(stderr, "Usage: %s \n", argv[0]); + exit(EXIT_FAILURE); + } + + nlh = mnl_nlmsg_put_header(buf); + nlh->nlmsg_type = RTM_GETNEIGH; + nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; + nlh->nlmsg_seq = seq = time(NULL); + + rt = mnl_nlmsg_put_extra_header(nlh, sizeof(struct rtgenmsg)); + if (strcmp(argv[1], "inet") == 0) + rt->rtgen_family = AF_INET; + else if (strcmp(argv[1], "inet6") == 0) +
Re: [PATCH nf-next 0/2] netfilter: nft map lookups support for number generator expressions
On Fri, May 11, 2018 at 12:13:26AM +0200, Laura Garcia Liebana wrote: > The following patches complete the implementation of map lookups > using as a key the given number generator like incremental, random or > the different hash algorithms supported. This is useful for load > balancing use cases but also for dynamic map lookups using these > expressions. Series applied, thanks Laura. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH nf-next] netfilter: fix fallout from xt/nf osf separation
On Tue, May 08, 2018 at 10:05:38AM +0200, Florian Westphal wrote: > Stephen Rothwell says: > today's linux-next build (x86_64 allmodconfig) produced this warning: > ./usr/include/linux/netfilter/nf_osf.h:25: found __[us]{8,16,32,64} type > without #include > > Fix that up and also move kernel-private struct out of uapi (it was not > exposed in any released kernel version). > > tested via allmodconfig build + make headers_check. Applied, thanks Florian. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH nf-next] netfilter: nf_tables: remove old nf_log based tracing
On Fri, May 11, 2018 at 09:55:39PM +0200, Florian Westphal wrote: > nfnetlink tracing is available since nft 0.6 (June 2016). > Remove old nf_log based tracing to avoid rule counter in main loop. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nf-next,v3 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks
In nfqueue, two consecutive skbuffs may race to create the conntrack entry. Hence, the one that loses the race gets dropped due to clash in the insertion into the hashes from the nf_conntrack_confirm() path. This patch adds a new nf_conntrack_update() function which searches for possible clashes and resolve them. NAT mangling for the packet losing race is corrected by using the conntrack information that won race. In order to avoid direct module dependencies with conntrack and NAT, the nf_ct_hook and nf_nat_hook structures are used for this purpose. Signed-off-by: Pablo Neira Ayuso--- v3: move nf_ct_get() and nf_ct_is_confirmed() symbols to nf_conntrack_core.c to address kbuild robot reports. include/linux/netfilter.h | 5 +++ net/netfilter/nf_conntrack_core.c | 77 +++ net/netfilter/nf_nat_core.c | 41 + net/netfilter/nfnetlink_queue.c | 28 -- 4 files changed, 132 insertions(+), 19 deletions(-) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index e0080c04d309..58660a7af928 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -325,11 +325,15 @@ int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry); struct nf_conn; enum nf_nat_manip_type; struct nlattr; +enum ip_conntrack_dir; struct nf_nat_hook { int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip, const struct nlattr *attr); void (*decode_session)(struct sk_buff *skb, struct flowi *fl); + unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct, + enum nf_nat_manip_type mtype, + enum ip_conntrack_dir dir); }; extern struct nf_nat_hook __rcu *nf_nat_hook; @@ -393,6 +397,7 @@ struct nf_conn; enum ip_conntrack_info; struct nf_ct_hook { + int (*update)(struct net *net, struct sk_buff *skb); void (*destroy)(struct nf_conntrack *); }; extern struct nf_ct_hook __rcu *nf_ct_hook; diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 8d109d750073..946b28610162 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1607,6 +1607,82 @@ static void nf_conntrack_attach(struct sk_buff *nskb, const struct sk_buff *skb) nf_conntrack_get(skb_nfct(nskb)); } +static int nf_conntrack_update(struct net *net, struct sk_buff *skb) +{ + const struct nf_conntrack_l3proto *l3proto; + const struct nf_conntrack_l4proto *l4proto; + struct nf_conntrack_tuple_hash *h; + struct nf_conntrack_tuple tuple; + enum ip_conntrack_info ctinfo; + struct nf_nat_hook *nat_hook; + unsigned int dataoff, status; + struct nf_conn *ct; + u16 l3num; + u8 l4num; + + ct = nf_ct_get(skb, ); + if (!ct || nf_ct_is_confirmed(ct)) + return 0; + + l3num = nf_ct_l3num(ct); + l3proto = nf_ct_l3proto_find_get(l3num); + + if (l3proto->get_l4proto(skb, skb_network_offset(skb), , +) <= 0) + return -1; + + l4proto = nf_ct_l4proto_find_get(l3num, l4num); + + if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, l3num, +l4num, net, , l3proto, l4proto)) + return -1; + + if (ct->status & IPS_SRC_NAT) { + memcpy(tuple.src.u3.all, + ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.all, + sizeof(tuple.src.u3.all)); + tuple.src.u.all = + ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.all; + } + + if (ct->status & IPS_DST_NAT) { + memcpy(tuple.dst.u3.all, + ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.all, + sizeof(tuple.dst.u3.all)); + tuple.dst.u.all = + ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.all; + } + + h = nf_conntrack_find_get(net, >zone, ); + if (!h) + return 0; + + /* Store status bits of the conntrack that is clashing to re-do NAT +* mangling according to what it has been done already to this packet. +*/ + status = ct->status; + + nf_ct_put(ct); + ct = nf_ct_tuplehash_to_ctrack(h); + nf_ct_set(skb, ct, ctinfo); + + nat_hook = rcu_dereference(nf_nat_hook); + if (!nat_hook) + return 0; + + if (status & IPS_SRC_NAT && + nat_hook->manip_pkt(skb, ct, NF_NAT_MANIP_SRC, + IP_CT_DIR_ORIGINAL) == NF_DROP) + return -1; + + if (status & IPS_DST_NAT && + nat_hook->manip_pkt(skb, ct, NF_NAT_MANIP_DST, + IP_CT_DIR_ORIGINAL) == NF_DROP) + return -1; + + return 0; +} + /*
[PATCH nf-next,v3 1/3] netfilter: add struct nf_ct_hook and use it
Move the nf_ct_destroy indirection to the struct nf_ct_hook. Signed-off-by: Pablo Neira Ayuso--- v3: no changes include/linux/netfilter.h | 7 ++- net/netfilter/core.c | 14 +++--- net/netfilter/nf_conntrack_core.c | 9 ++--- 3 files changed, 19 insertions(+), 11 deletions(-) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 85a1a0b32c66..9991a286d9b1 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -374,13 +374,18 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu; void nf_ct_attach(struct sk_buff *, const struct sk_buff *); -extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu; #else static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} #endif struct nf_conn; enum ip_conntrack_info; + +struct nf_ct_hook { + void (*destroy)(struct nf_conntrack *); +}; +extern struct nf_ct_hook __rcu *nf_ct_hook; + struct nlattr; struct nfnl_ct_hook { diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 0f6b8172fb9a..cec1c0585949 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -543,6 +543,9 @@ void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu __read_mostly; EXPORT_SYMBOL(ip_ct_attach); +struct nf_ct_hook __rcu *nf_ct_hook __read_mostly; +EXPORT_SYMBOL_GPL(nf_ct_hook); + void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) { void (*attach)(struct sk_buff *, const struct sk_buff *); @@ -557,17 +560,14 @@ void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) } EXPORT_SYMBOL(nf_ct_attach); -void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly; -EXPORT_SYMBOL(nf_ct_destroy); - void nf_conntrack_destroy(struct nf_conntrack *nfct) { - void (*destroy)(struct nf_conntrack *); + struct nf_ct_hook *ct_hook; rcu_read_lock(); - destroy = rcu_dereference(nf_ct_destroy); - BUG_ON(destroy == NULL); - destroy(nfct); + ct_hook = rcu_dereference(nf_ct_hook); + BUG_ON(ct_hook == NULL); + ct_hook->destroy(nfct); rcu_read_unlock(); } EXPORT_SYMBOL(nf_conntrack_destroy); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 605441727008..8b2a8644d955 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1813,8 +1813,7 @@ void nf_conntrack_cleanup_start(void) void nf_conntrack_cleanup_end(void) { - RCU_INIT_POINTER(nf_ct_destroy, NULL); - + RCU_INIT_POINTER(nf_ct_hook, NULL); cancel_delayed_work_sync(_gc_work.dwork); nf_ct_free_hashtable(nf_conntrack_hash, nf_conntrack_htable_size); @@ -2131,11 +2130,15 @@ int nf_conntrack_init_start(void) return ret; } +static struct nf_ct_hook nf_conntrack_hook = { + .destroy= destroy_conntrack, +}; + void nf_conntrack_init_end(void) { /* For use by REJECT target */ RCU_INIT_POINTER(ip_ct_attach, nf_conntrack_attach); - RCU_INIT_POINTER(nf_ct_destroy, destroy_conntrack); + RCU_INIT_POINTER(nf_ct_hook, _conntrack_hook); } /* -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nf-next,v3 2/3] netfilter: add struct nf_nat_hook and use it
Move decode_session() and parse_nat_setup_hook() indirections to struct nf_nat_hook structure. Signed-off-by: Pablo Neira Ayuso--- v3: Move nf_nat_hook definition to linux/netfilter.h to address kbuild robot reports. include/linux/netfilter.h| 21 - include/net/netfilter/nf_nat_core.h | 7 --- net/netfilter/core.c | 8 +++- net/netfilter/nf_conntrack_core.c| 5 - net/netfilter/nf_conntrack_netlink.c | 10 +- net/netfilter/nf_nat_core.c | 23 --- 6 files changed, 36 insertions(+), 38 deletions(-) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 9991a286d9b1..e0080c04d309 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -321,18 +321,29 @@ int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl, int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry); #include -extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); + +struct nf_conn; +enum nf_nat_manip_type; +struct nlattr; + +struct nf_nat_hook { + int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip, + const struct nlattr *attr); + void (*decode_session)(struct sk_buff *skb, struct flowi *fl); +}; + +extern struct nf_nat_hook __rcu *nf_nat_hook; static inline void nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) { #ifdef CONFIG_NF_NAT_NEEDED - void (*decodefn)(struct sk_buff *, struct flowi *); + struct nf_nat_hook *nat_hook; rcu_read_lock(); - decodefn = rcu_dereference(nf_nat_decode_session_hook); - if (decodefn) - decodefn(skb, fl); + nat_hook = rcu_dereference(nf_nat_hook); + if (nat_hook->decode_session) + nat_hook->decode_session(skb, fl); rcu_read_unlock(); #endif } diff --git a/include/net/netfilter/nf_nat_core.h b/include/net/netfilter/nf_nat_core.h index 235bd0e9a5aa..0654589c271e 100644 --- a/include/net/netfilter/nf_nat_core.h +++ b/include/net/netfilter/nf_nat_core.h @@ -22,11 +22,4 @@ static inline int nf_nat_initialized(struct nf_conn *ct, return ct->status & IPS_DST_NAT_DONE; } -struct nlattr; - -extern int -(*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct, - enum nf_nat_manip_type manip, - const struct nlattr *attr); - #endif /* _NF_NAT_CORE_H */ diff --git a/net/netfilter/core.c b/net/netfilter/core.c index cec1c0585949..8f917449b3be 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -546,6 +546,9 @@ EXPORT_SYMBOL(ip_ct_attach); struct nf_ct_hook __rcu *nf_ct_hook __read_mostly; EXPORT_SYMBOL_GPL(nf_ct_hook); +struct nf_nat_hook __rcu *nf_nat_hook __read_mostly; +EXPORT_SYMBOL_GPL(nf_nat_hook); + void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) { void (*attach)(struct sk_buff *, const struct sk_buff *); @@ -580,11 +583,6 @@ const struct nf_conntrack_zone nf_ct_zone_dflt = { EXPORT_SYMBOL_GPL(nf_ct_zone_dflt); #endif /* CONFIG_NF_CONNTRACK */ -#ifdef CONFIG_NF_NAT_NEEDED -void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); -EXPORT_SYMBOL(nf_nat_decode_session_hook); -#endif - static void __net_init __netfilter_net_init(struct nf_hook_entries **e, int max) { int h; diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 8b2a8644d955..8d109d750073 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -58,11 +58,6 @@ #include "nf_internals.h" -int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct, - enum nf_nat_manip_type manip, - const struct nlattr *attr) __read_mostly; -EXPORT_SYMBOL_GPL(nfnetlink_parse_nat_setup_hook); - __cacheline_aligned_in_smp spinlock_t nf_conntrack_locks[CONNTRACK_LOCKS]; EXPORT_SYMBOL_GPL(nf_conntrack_locks); diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index d807b8770be3..39327a42879f 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1431,11 +1431,11 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct, enum nf_nat_manip_type manip, const struct nlattr *attr) { - typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup; + struct nf_nat_hook *nat_hook; int err; - parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook); - if (!parse_nat_setup) { + nat_hook = rcu_dereference(nf_nat_hook); + if (!nat_hook) { #ifdef CONFIG_MODULES rcu_read_unlock(); nfnl_unlock(NFNL_SUBSYS_CTNETLINK); @@ -1446,13 +1446,13 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct, }
Re: [PATCH nf] netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump()
On Wed, May 16, 2018 at 04:21:05PM +0200, Florian Westphal wrote: > Taehee Yoowrote: > > In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced. > > But if family is ipv6, priv->helper6 should be dereferenced. > > > > Steps to reproduces: > > > >#test.nft > >table ip6 filter { > >ct helper ftp { > >type "ftp" protocol tcp > >} > >chain input { > >type filter hook input priority 4; > >ct helper set "ftp" > >} > >} > > Acked-by: Florian Westphal Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2] netfilter: properly initialize xt_table_info structure
On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote: >> > --- a/net/netfilter/x_tables.c >> > +++ b/net/netfilter/x_tables.c >> > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned >> > int size) >> > * than shoot all processes down before realizing there is nothing >> > * more to reclaim. >> > */ >> > - info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY); >> > + info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY); >> >if (!info) >> >return NULL; >> >> I am curious, what particular path does not later overwrite the whole zone ? > >In do_ipt_get_ctl, the IPT_SO_GET_ENTRIES: option uses a len value that >can be larger than the size of the structure itself. > >Then the data is copied to userspace in copy_entries_to_user() for ipv4 >and v6, and that's where the "bad data" If the kernel incorrectly copies more bytes than it should, isn't that a sign that may be going going past the end of the info buffer? (And thus, zeroing won't truly fix the issue) And if the kernel copies too few (because it just does not have more data than userspace is requesting), what remains in the user buffer is the garbage that originally was there. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2] netfilter: properly initialize xt_table_info structure
On Thu, May 17, 2018 at 02:55:42AM -0700, Eric Dumazet wrote: > > > On 05/17/2018 02:34 AM, Greg Kroah-Hartman wrote: > > When allocating a xt_table_info structure, we should be clearing out the > > full amount of memory that was allocated, not just the "header" of the > > structure. Otherwise odd values could be passed to userspace, which is > > not a good thing. > > > > Cc: stable> > Signed-off-by: Greg Kroah-Hartman > > --- > > v2: use kvzalloc instead of kvmalloc/memset pair, as suggested by Michal > > Kubecek > > > > net/netfilter/x_tables.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > > index cb7cb300c3bc..cd22bb9b66f3 100644 > > --- a/net/netfilter/x_tables.c > > +++ b/net/netfilter/x_tables.c > > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned > > int size) > > * than shoot all processes down before realizing there is nothing > > * more to reclaim. > > */ > > - info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY); > > + info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY); > > if (!info) > > return NULL; > > > > - memset(info, 0, sizeof(*info)); > > info->size = size; > > return info; > > } > > > > I am curious, what particular path does not later overwrite the whole zone ? The path back was long, adding Greg Hackman who helped to debug this to the To: to confirm that I got this correct... In do_ipt_get_ctl, the IPT_SO_GET_ENTRIES: option uses a len value that can be larger than the size of the structure itself. Then the data is copied to userspace in copy_entries_to_user() for ipv4 and v6, and that's where the "bad data" was noticed (a researcher was using a kernel patch to determine what the data was) Greg, that's the correct path here, right? > Do not get me wrong, this is not fast path, but these blobs can be huge. Yeah, I bet, but for "normal" cases the size should be small and all should be fine. thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2] netfilter: properly initialize xt_table_info structure
On 05/17/2018 02:34 AM, Greg Kroah-Hartman wrote: > When allocating a xt_table_info structure, we should be clearing out the > full amount of memory that was allocated, not just the "header" of the > structure. Otherwise odd values could be passed to userspace, which is > not a good thing. > > Cc: stable> Signed-off-by: Greg Kroah-Hartman > --- > v2: use kvzalloc instead of kvmalloc/memset pair, as suggested by Michal > Kubecek > > net/netfilter/x_tables.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > index cb7cb300c3bc..cd22bb9b66f3 100644 > --- a/net/netfilter/x_tables.c > +++ b/net/netfilter/x_tables.c > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned > int size) >* than shoot all processes down before realizing there is nothing >* more to reclaim. >*/ > - info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY); > + info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY); > if (!info) > return NULL; > > - memset(info, 0, sizeof(*info)); > info->size = size; > return info; > } > I am curious, what particular path does not later overwrite the whole zone ? Do not get me wrong, this is not fast path, but these blobs can be huge. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v2] netfilter: properly initialize xt_table_info structure
When allocating a xt_table_info structure, we should be clearing out the full amount of memory that was allocated, not just the "header" of the structure. Otherwise odd values could be passed to userspace, which is not a good thing. Cc: stableSigned-off-by: Greg Kroah-Hartman --- v2: use kvzalloc instead of kvmalloc/memset pair, as suggested by Michal Kubecek net/netfilter/x_tables.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index cb7cb300c3bc..cd22bb9b66f3 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) * than shoot all processes down before realizing there is nothing * more to reclaim. */ - info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY); + info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY); if (!info) return NULL; - memset(info, 0, sizeof(*info)); info->size = size; return info; } -- 2.17.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] netfilter: properly initialize xt_table_info structure
On Thu, May 17, 2018 at 10:59:51AM +0200, Michal Kubecek wrote: > On Thu, May 17, 2018 at 10:44:42AM +0200, Greg Kroah-Hartman wrote: > > When allocating a xt_table_info structure, we should be clearing out the > > full amount of memory that was allocated, not just the "header" of the > > structure. Otherwise odd values could be passed to userspace, which is > > not a good thing. > > > > Cc: stable> > Signed-off-by: Greg Kroah-Hartman > > --- > > net/netfilter/x_tables.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > > index cb7cb300c3bc..a300e8252bb6 100644 > > --- a/net/netfilter/x_tables.c > > +++ b/net/netfilter/x_tables.c > > @@ -1187,7 +1187,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned > > int size) > > if (!info) > > return NULL; > > > > - memset(info, 0, sizeof(*info)); > > + memset(info, 0, sz); > > info->size = size; > > return info; > > } > > -- > > 2.17.0 > > > > Or we can replace kvmalloc() by kvzalloc() and remove the memset(). That works for me too, either is sufficient to solve the problem. Let me go respin this, less lines of code is always better :) thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] netfilter: properly initialize xt_table_info structure
On Thu, May 17, 2018 at 10:44:42AM +0200, Greg Kroah-Hartman wrote: > When allocating a xt_table_info structure, we should be clearing out the > full amount of memory that was allocated, not just the "header" of the > structure. Otherwise odd values could be passed to userspace, which is > not a good thing. > > Cc: stable> Signed-off-by: Greg Kroah-Hartman > --- > net/netfilter/x_tables.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > index cb7cb300c3bc..a300e8252bb6 100644 > --- a/net/netfilter/x_tables.c > +++ b/net/netfilter/x_tables.c > @@ -1187,7 +1187,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int > size) > if (!info) > return NULL; > > - memset(info, 0, sizeof(*info)); > + memset(info, 0, sz); > info->size = size; > return info; > } > -- > 2.17.0 > Or we can replace kvmalloc() by kvzalloc() and remove the memset(). Michal Kubecek -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] netfilter: properly initialize xt_table_info structure
When allocating a xt_table_info structure, we should be clearing out the full amount of memory that was allocated, not just the "header" of the structure. Otherwise odd values could be passed to userspace, which is not a good thing. Cc: stableSigned-off-by: Greg Kroah-Hartman --- net/netfilter/x_tables.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index cb7cb300c3bc..a300e8252bb6 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -1187,7 +1187,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) if (!info) return NULL; - memset(info, 0, sizeof(*info)); + memset(info, 0, sz); info->size = size; return info; } -- 2.17.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH nft 1/2] Introduce socket matching
Originally I also added the following lines but it made the print too slow for the test to pass. It printed the following warning: inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket exists': 'socket exists' mismatches 'socke' inet/socket.t: WARNING: line 9: 'add rule ip sockip4 sockchain socket flags transparent': 'socket flags transparent' mismatches 'socket' To be honest I don't know what this criterion means so if it is important please notify me. diff --git a/src/statement.c b/src/statement.c index ff6a98a..ec3b0c0 100644 --- a/src/statement.c +++ b/src/statement.c @@ -183,6 +183,10 @@ static void socket_stmt_print(const struct stmt *stmt, struct output_ctx *octx) *existance_str = (s->exists) ? "exists" : "missing"; nft_print(octx, "socket"); + + if(octx->stateless) + return; + if (s->flags) { __u8 f = s->flags; -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft 5/7] test: py: print path of the logfile
It is good to know that a log is generated even without browsing the nft-test.py source code. Also print_info function is introduced. Signed-off-by: Máté Eckl--- tests/py/README | 2 ++ tests/py/nft-test.py | 5 - 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/py/README b/tests/py/README index a156032..0e12dfa 100644 --- a/tests/py/README +++ b/tests/py/README @@ -132,6 +132,8 @@ E) Meaning of messages: * A warning message means the rule input and output of nft mismatches. * An error message means the nft-tool shows an error when we add it or the listing is broken after the rule is added. +* An info message means something that is not necessarily related to any test + case and does not indicate faulty behaviour. F) Acknowledgements diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index 2be4700..b536e9c 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py @@ -124,6 +124,8 @@ def print_error(reason, filename=None, lineno=None): def print_warning(reason, filename=None, lineno=None): print_msg(reason, "WARNING:", filename, lineno, Colors.YELLOW) +def print_info(reason, filename=None, lineno=None): +print_msg(reason, "INFO:", filename, lineno, Colors.GREEN) def color_differences(rule, other, color): rlen = len(rule) @@ -1350,8 +1352,9 @@ def main(): global log_file try: log_file = open(LOGFILE, 'w') +print_info("Log will be available at %s" % LOGFILE) except IOError: -print "Cannot open log file %s" % LOGFILE +print_error("Cannot open log file %s" % LOGFILE) return file_list = [] -- ecklm -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft 0/7] Python test fixes
This sereis of patches fix or supplement files related to python tests that I have met during my first test case. Máté Eckl (7): test: Specify python version in nft-test.py test: Small typo fixes in the python tests README test/py: Updated test file structure descripion in README test: py: print_msg refactor test: py: print path of the logfile test: py: Added paylad file description to README test: py: Make diff functions use print_* functions tests/py/README | 51 +--- tests/py/nft-test.py | 31 +++ 2 files changed, 55 insertions(+), 27 deletions(-) -- ecklm -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft 1/2] Introduce socket matching
Socket matching is achieved using the nft_compat interface. The list of known limitations of the current implementation are: * The absence of a corresponding socket cannot be matched (`socket missing`). * Only transparent socket flag can be matched, nowildcard is not a flag, it should be matched with a different expression if desired. Other options that can be set with `setsockopt` are unavailable. * Such a rule cannot be added to an `inet` table. In the long term native implementation might be worth it. Example: table ip stable { chain tchain { type filter hook prerouting priority -150; policy accept; socket flags transparent counter packets 12 bytes 608 mark set 0x0001 accept socket exists counter packets 52 bytes 3316 } } table ip6 stable { chain tchain { type filter hook prerouting priority -150; policy accept; socket flags transparent counter packets 0 bytes 0 mark set 0x0001 accept socket exists counter packets 0 bytes 0 } } Signed-off-by: Máté Eckl--- include/linux/netfilter/nf_tables.h | 4 include/statement.h | 10 + include/xt.h| 4 ++-- src/evaluate.c | 11 ++ src/netlink_delinearize.c | 19 src/netlink_linearize.c | 21 ++ src/parser_bison.y | 31 -- src/scanner.l | 3 +++ src/statement.c | 34 + src/xt.c| 2 +- 10 files changed, 134 insertions(+), 5 deletions(-) diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 3395faf..31fd6f4 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -1284,6 +1284,10 @@ enum nft_fib_flags { NFTA_FIB_F_PRESENT = 1 << 5, /* check existence only */ }; +enum nft_socket_flags { + NFTA_SOCKET_TRANSPARENT = (1<<0), +}; + enum nft_ct_helper_attributes { NFTA_CT_HELPER_UNSPEC, NFTA_CT_HELPER_NAME, diff --git a/include/statement.h b/include/statement.h index de26549..84a8f3f 100644 --- a/include/statement.h +++ b/include/statement.h @@ -32,6 +32,13 @@ struct counter_stmt { extern struct stmt *counter_stmt_alloc(const struct location *loc); +struct socket_stmt { + bool exists; + __u8 flags; +}; + +extern struct stmt *socket_stmt_alloc(const struct location *loc, bool exists, __u8 flags); + struct exthdr_stmt { struct expr *expr; struct expr *val; @@ -248,6 +255,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc); * @STMT_EXTHDR: extension header statement * @STMT_FLOW_OFFLOAD: flow offload statement * @STMT_MAP: map statement + * @STMT_SOCKET: socket statement */ enum stmt_types { STMT_INVALID, @@ -273,6 +281,7 @@ enum stmt_types { STMT_EXTHDR, STMT_FLOW_OFFLOAD, STMT_MAP, + STMT_SOCKET, }; /** @@ -335,6 +344,7 @@ struct stmt { struct objref_stmt objref; struct flow_stmtflow; struct map_stmt map; + struct socket_stmt socket; }; }; diff --git a/include/xt.h b/include/xt.h index 753511e..5b29522 100644 --- a/include/xt.h +++ b/include/xt.h @@ -14,7 +14,7 @@ void xt_stmt_release(const struct stmt *stmt); void netlink_parse_target(struct netlink_parse_ctx *ctx, const struct location *loc, const struct nftnl_expr *nle); -void netlink_parse_match(struct netlink_parse_ctx *ctx, +void xt_netlink_parse_match(struct netlink_parse_ctx *ctx, const struct location *loc, const struct nftnl_expr *nle); void stmt_xt_postprocess(struct rule_pp_ctx *rctx, struct stmt *stmt, @@ -28,7 +28,7 @@ static inline void xt_stmt_release(const struct stmt *stmt) {} static inline void netlink_parse_target(struct netlink_parse_ctx *ctx, const struct location *loc, const struct nftnl_expr *nle) {} -static inline void netlink_parse_match(struct netlink_parse_ctx *ctx, +static inline void xt_netlink_parse_match(struct netlink_parse_ctx *ctx, const struct location *loc, const struct nftnl_expr *nle) {} static inline void stmt_xt_postprocess(struct rule_pp_ctx *rctx, diff --git a/src/evaluate.c b/src/evaluate.c index 4eb36e2..5222f4e 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2686,6 +2686,15 @@ static int stmt_evaluate_objref(struct eval_ctx *ctx, struct stmt *stmt) return 0; } +static int
[PATCH nft 3/7] test/py: Updated test file structure descripion in README
The order of the table and chain definitions have changed in test files. Now the name of the chain has to be specified in the definition of the table, so their order is reverted. Signed-off-by: Máté Eckl--- tests/py/README | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/py/README b/tests/py/README index 005fe8e..a156032 100644 --- a/tests/py/README +++ b/tests/py/README @@ -64,11 +64,11 @@ A test file contains a set of rules that are added in the system. Here, an example of a test file: - *ip;test-ipv4 # line 1 - *ip6;test-ipv6 # line 2 - *inet;test-inet # line 3 + :input;type filter hook input priority 0# line 1 - :input;type filter hook input priority 0# line 4 + *ip;test-ipv4;input # line 2 + *ip6;test-ipv6;input# line 3 + *inet;test-inet;input # line 4 ah hdrlength != 11-23;ok;ah hdrlength < 11 ah hdrlength > 23 # line 5 - tcp dport != {22-25} # line 6 @@ -77,12 +77,12 @@ Here, an example of a test file: ?set1 192.168.3.8 192.168.3.9;ok# line 8 # This is a commented-line. # line 9 -Line 1 defines a table. The name of the table is 'test-ipv4' and the -family is ip. Lines 2 and 3 defines more tables for different families -so the rules in this test file are also tested there. +Line 1 defines a chain. The name of this chain is "input". The type is "filter", +the hook is "input" and the priority is 0. -Line 4 defines the chain. The name of this chain is "input". The type is -"filter", the hook is "input" and the priority is 0. +Line 2 defines a table. The name of the table is 'test-ipv4', the family is ip +and the chain to be added to it is 'input'. Lines 3 and 4 defines more tables for +different families so the rules in this test file are also tested there. Line 5 defines the rule, the ";" character is used as separator of several parts: -- ecklm -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft 1/7] test: Specify python version in nft-test.py
/usr/bin/python is linked to different main version of python in different distributions (eg. 2 on debian, 3 on arch linux). Signed-off-by: Máté Eckl--- tests/py/nft-test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index a41b95d..88a3b21 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python2 # # (C) 2014 by Ana Rey Botello # -- ecklm -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft 6/7] test: py: Added paylad file description to README
Signed-off-by: Máté Eckl--- tests/py/README | 29 ++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/tests/py/README b/tests/py/README index 0e12dfa..ed5dc58 100644 --- a/tests/py/README +++ b/tests/py/README @@ -104,7 +104,30 @@ Line 8 adds two elements into the 'set1' set: "192.168.3.8" and Line 9 uses the "#" symbol that means that this line is commented out. -D) The test folders +D) What is a payload file? + +A payload file contains info about the netlink message exchanged to achieve the +transaction. + +The output can be generated in two ways. Let's see an example via socket +matching. + + # generate an empty payload file + $ touch inet/socket.t.payload + + $ ./nft-test.py inet/socket.t # this will generate inet/socket.t.payload.got + + $ mv inet/socket.t.payload.got inet/socket.t.payload + +The other way is using nft --debug=netlink. This has a drawback over the former +option, as rules has to be run one by one and also a comment has to be added +before every rule in the payload file. + + $ nft --debug=netlink add rule ip sockip4 sockchain socket exists + ip sockip4 sockchain + [ match name socket rev 3 ] + +E) The test folders The test files are divided in several directories: ip, ip6, inet, arp, bridge and any. @@ -127,7 +150,7 @@ bridge and any. * "any" folder: Here are the test files are executed in ip, ip6, inet, arp and bridge tables. -E) Meaning of messages: +F) Meaning of messages: * A warning message means the rule input and output of nft mismatches. * An error message means the nft-tool shows an error when we add it or @@ -135,7 +158,7 @@ E) Meaning of messages: * An info message means something that is not necessarily related to any test case and does not indicate faulty behaviour. -F) Acknowledgements +G) Acknowledgements Thanks to the Outreach Program for Women (OPW) for sponsoring this test infrastructure and my mentor Pablo Neira. -- ecklm -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft 7/7] test: py: Make diff functions use print_* functions
Signed-off-by: Máté Eckl--- tests/py/nft-test.py | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index b536e9c..edc0b4b 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py @@ -161,15 +161,13 @@ def color_differences(rule, other, color): def print_differences_warning(filename, lineno, rule1, rule2, cmd): colored_rule1 = color_differences(rule1, rule2, Colors.YELLOW) colored_rule2 = color_differences(rule2, rule1, Colors.YELLOW) -reason = "'" + colored_rule1 + "' mismatches '" + colored_rule2 + "'" -print filename + ": " + Colors.YELLOW + "WARNING: " + Colors.ENDC + \ - "line: " + str(lineno + 1) + ": '" + cmd + "': " + reason +reason = "'%s': '%s' mismatches '%s'" % (cmd, colored_rule1, colored_rule2) +print_warning(reason, filename, lineno) def print_differences_error(filename, lineno, cmd): -reason = "Listing is broken." -print filename + ": " + Colors.RED + "ERROR: " + Colors.ENDC + "line: " + \ - str(lineno + 1) + ": '" + cmd + "': " + reason +reason = "'%s': Listing is broken." % cmd +print_error(reason, filename, lineno) def table_exist(table, filename, lineno): -- ecklm -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft 2/2] test: Added test cases for socket matching
Signed-off-by: Máté Eckl--- tests/py/inet/socket.t | 10 ++ tests/py/inet/socket.t.payload | 8 2 files changed, 18 insertions(+) create mode 100644 tests/py/inet/socket.t create mode 100644 tests/py/inet/socket.t.payload diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t new file mode 100644 index 000..7782c3c --- /dev/null +++ b/tests/py/inet/socket.t @@ -0,0 +1,10 @@ +:sockchain;type filter hook prerouting priority -150 + +*ip;sockip4;sockchain +*ip6;sockip6;sockchain + +# For now, it does not work for inet tables + +socket exists;ok +socket flags transparent;ok + diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload new file mode 100644 index 000..05ece70 --- /dev/null +++ b/tests/py/inet/socket.t.payload @@ -0,0 +1,8 @@ +# socket exists +ip sockip4 sockchain + [ match name socket rev 3 ] + +# socket flags transparent +ip sockip4 sockchain + [ match name socket rev 3 ] + -- ecklm -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH nft 2/7] test: Small typo fixes in the python tests README
Signed-off-by: Máté Eckl--- tests/py/README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/py/README b/tests/py/README index 66f706f..005fe8e 100644 --- a/tests/py/README +++ b/tests/py/README @@ -77,7 +77,7 @@ Here, an example of a test file: ?set1 192.168.3.8 192.168.3.9;ok# line 8 # This is a commented-line. # line 9 -Line 1 defines a table. The name of the table is 'test-ip' and the +Line 1 defines a table. The name of the table is 'test-ipv4' and the family is ip. Lines 2 and 3 defines more tables for different families so the rules in this test file are also tested there. @@ -97,7 +97,7 @@ Line 6 is a marked line. This means that this rule is tested if '-e' is passed as argument to nft-test.py. Line 7 adds a new set. The name of this set is "set1" and the type -of this set is "ipv4_add". +of this set is "ipv4_addr". Line 8 adds two elements into the 'set1' set: "192.168.3.8" and "192.168.3.9". A whitespace separates the elements of the set. -- ecklm -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 11/40] ipv6/flowlabel: simplify pid namespace lookup
On Thu, May 17, 2018 at 12:28:01AM -0500, Eric W. Biederman wrote: > > struct pid_namespace *proc_pid_namespace(struct inode *inode) > > { > > // maybe warn on for s_magic not on procfs?? > > return inode->i_sb->s_fs_info; > > } > > That should work. Ideally out of line for the proc_fs.h version. > Basically it should be a cousin of PDE_DATA. The version in Al's tree is inline and without the warning as I didn't want to drag in the magic.h include. Please look at it for additional comments, I can send incremental fixups if needed. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html