Re: [nft PATCH] Review switch statements for unmarked fall through cases

2018-02-28 Thread Florian Westphal
Phil Sutter wrote: > Regarding empty fall through (which seems to be the reason for your > NACK): There was but a single fall through comment for an empty case in > the whole code, and there are literally hundreds of them. Covscan didn't > complain about those, hence why I think even

Re: [nft PATCH] Review switch statements for unmarked fall through cases

2018-02-28 Thread Florian Westphal
Phil Sutter wrote: > While revisiting all of them, clear a few oddities as well: > > - There's no point in marking empty fall through cases: They are easy to > spot and a common concept when using switch(). NACK, sorry. There are source-code checkers that flag this (they have

[PATCH nft] doc: add example for rule add/delete

2018-02-28 Thread Florian Westphal
also mention that 'ip' is used when the family gets omitted. Signed-off-by: Florian Westphal <f...@strlen.de> --- doc/nft.xml | 27 +++ 1 file changed, 27 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 2b88727c941b..1039b03e06ce 100644 --- a/doc/nft.xml

[PATCH nft] doc: remove ipv6 address FIXME

2018-02-28 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- doc/nft.xml | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/doc/nft.xml b/doc/nft.xml index 2b88727..b6b5506 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -1663,7 +1663,10 @@ filter output ip daddr loc

[PATCH nf-next 08/11] netfilter: compat: prepare xt_compat_init_offsets to return errors

2018-02-27 Thread Florian Westphal
should have no impact, function still always returns 0. This patch is only to ease review. Signed-off-by: Florian Westphal <f...@strlen.de> --- include/linux/netfilter/x_tables.h | 2 +- net/bridge/netfilter/ebtables.c| 10 -- net/ipv4/netfilter/arp_tables.c| 10 +++--

[PATCH nf-next 07/11] netfilter: x_tables: add counters allocation wrapper

2018-02-27 Thread Florian Westphal
allows to have size checks in a single spot. This is supposed to reduce oom situations when fuzz-testing xtables. Signed-off-by: Florian Westphal <f...@strlen.de> --- include/linux/netfilter/x_tables.h | 1 + net/ipv4/netfilter/arp_tables.c| 2 +- net/ipv4/netfilter/ip_tables.c

[PATCH nf-next 11/11] netfilter: x_tables: ensure last rule in base chain matches underflow/policy

2018-02-27 Thread Florian Westphal
be pr_debug but in case this breaks rulesets somehow it's useful to know why blob was rejected. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/arp_tables.c | 17 - net/ipv4/netfilter/ip_tables.c | 17 - net/ipv6/netfilter/ip6_tables.

[PATCH nf-next 10/11] netfilter: x_tables: make sure compat af mutex is held

2018-02-27 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/x_tables.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 33724b08b8f0..7521e8a72c06 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_ta

[PATCH nf-next 09/11] netfilter: compat: reject huge allocation requests

2018-02-27 Thread Florian Westphal
with fuzzing by avoiding oom-killer. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/x_tables.c | 26 ++ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index e878c85a9268..33724b08b8f0

[PATCH nf-next 05/11] netfilter: x_tables: cap allocations at 512 mbyte

2018-02-27 Thread Florian Westphal
Arbitrary limit, however, this still allows huge rulesets (> 1 million rules). This helps with automated fuzzer as it prevents oom-killer invocation. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/x_tables.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) d

[PATCH nf-next 06/11] netfilter: x_tables: limit allocation requests for blob rule heads

2018-02-27 Thread Florian Westphal
This is a very conservative limit (134217728 rules), but good enough to not trigger frequent oom from syzkaller. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/x_tables.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/x_tables.c b/net/net

[PATCH nf-next 03/11] netfilter: x_tables: move hook entry checks into core

2018-02-27 Thread Florian Westphal
Allow followup patch to change one location instead of three. Signed-off-by: Florian Westphal <f...@strlen.de> --- include/linux/netfilter/x_tables.h | 2 ++ net/ipv4/netfilter/arp_tables.c| 13 +++-- net/ipv4/netfilter/ip_tables.c | 13 +++-- net/ipv6/net

[PATCH nf-next 04/11] netfilter: x_tables: enforce unique and ascending entry points

2018-02-27 Thread Florian Westphal
in the rule blob. One base chain that is referenced multiple times in hook blob is then only printed once. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/x_tables.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/net/net

[PATCH nf-next 02/11] netfilter: x_tables: check error target size too

2018-02-27 Thread Florian Westphal
Check that userspace ERROR target (custom user-defined chains) match expected format, and the chain name is null terminated. This is irrelevant for kernel, but iptables itself relies on sane input when it dumps rules from kernel. Signed-off-by: Florian Westphal <f...@strlen.de> --

[PATCH nf-next 01/11] netfilter: x_tables: check standard verdicts in core

2018-02-27 Thread Florian Westphal
hecked in more detail later on when loop-detection is performed. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/arp_tables.c | 5 - net/ipv4/netfilter/ip_tables.c | 5 - net/ipv6/netfilter/ip6_tables.c | 5 - net/netfilter/x_tables.c

[PATCH nf-next 00/11] netfilter: x_tables: add more checks on rule blob format

2018-02-27 Thread Florian Westphal
syzkaller managed to trigger various interesting features, such as ability to create rulesets that can't be shown with iptables(8). These patches add more checks/restrictions to the x_tables validation of the blob coming in from userspace. In particular: 1. check error target name is

Re: [nft] nftables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-02-27 Thread Florian Westphal
Ahmed Abdelsalam wrote: > > Ahmed Abdelsalam wrote: > > > Type 0 and 2 of the IPv6 Routing extension header are not handled > > > properly by exthdr_init_raw() in src/exthdr.c > > > > > > In order to fix the bug, we extended the "enum nft_exthdr_op" to

Re: [nft] nftables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-02-27 Thread Florian Westphal
Ahmed Abdelsalam wrote: > Type 0 and 2 of the IPv6 Routing extension header are not handled > properly by exthdr_init_raw() in src/exthdr.c > > In order to fix the bug, we extended the "enum nft_exthdr_op" to > differentiate between rt, rt0, and rt2. > > This patch should

[PATCH nft] doc: mention meta l4proto and ipv6 nexthdr issue wrt. extension headers

2018-02-27 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- doc/nft.xml | 26 +- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/doc/nft.xml b/doc/nft.xml index bddc527f19a7..2b88727c941b 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -2523,6 +2523,9 @@ filter

Re: PROBLEM: "netfilter: on sockopt() acquire sock lock only in the required scope" breaks at least sshuttle

2018-02-27 Thread Florian Westphal
Luke Bratch wrote: > Hello > > [1.] One line summary of the problem: > > The patch "netfilter: on sockopt() acquire sock lock only in the required > scope" breaks at least sshuttle. > > [2.] Full description of the problem/report: > > sshuttle does not work in at least

[PATCH nft 5/5] tests: add raw payload test cases.

2018-02-26 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- tests/py/any/rawpayload.t | 19 +++ tests/py/any/rawpayload.t.payload | 49 +++ tests/py/arp/arp.t| 2 ++ tests/py/arp/arp.t.payload| 10 tests/

[PATCH nft 4/5] doc: document raw protocol expression

2018-02-26 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- doc/nft.xml | 59 +++ 1 file changed, 59 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 6748265c8ae8..bddc527f19a7 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -

[PATCH nft 0/5] payload: make raw protocol expressions work

2018-02-26 Thread Florian Westphal
This patch series aims to make raw payload expressions work. Raw payload expressions use following syntax: @base,offset,length which tells nftables user wants to read 'length' bits off 'offset' bits relative to @base. base can be either ll,nh, or th. See patch 4 for documentation update. This

[PATCH nft 1/5] payload: use integer_type when initializing a raw expression

2018-02-26 Thread Florian Westphal
The invalid type prints prominent "[invalid]", so prefer integer type in raw expressions. Signed-off-by: Florian Westphal <f...@strlen.de> --- src/payload.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/payload.c b/src/payload.c index 7ca170edbb6d..a1e7e77ed5c5

[PATCH nft 2/5] payload: don't resolve expressions using the inet pseudoheader

2018-02-26 Thread Florian Westphal
Else, '@ll,0,8' will be mapped to 'inet nfproto', but that's not correct (inet is a pseudo header). Signed-off-by: Florian Westphal <f...@strlen.de> --- src/payload.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/payload.c b/src/payload.c index a1e7e77ed5c5..ef437b

[PATCH nft 3/5] src: make raw payloads work

2018-02-26 Thread Florian Westphal
tax. Signed-off-by: Florian Westphal <f...@strlen.de> --- include/expression.h | 1 + src/evaluate.c | 3 +++ src/parser_bison.y | 3 +++ src/payload.c| 2 +- 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/include/expression.h b/include/expression.h index 0a0e

Re: [PATCH nf] netfilter: ipvs: flag ct as needing s/dnat in original direction

2018-02-25 Thread Florian Westphal
Julian Anastasov <j...@ssi.bg> wrote: > On Sat, 24 Feb 2018, Florian Westphal wrote: > > > FTP passive mode got broken by this change: > > - if (.. && nfct_nat(ct)) { > > + if (.. (ct->status & IPS_NAT_MASK)) { > > Looks like this chec

Re: [iptables PATCH] iptables: add xtables-compat.8 manpage

2018-02-25 Thread Florian Westphal
Arturo Borrero Gonzalez wrote: > Copied back from the downstream Debian package. applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at

Re: [PATCH] src: Print error and exit for empty string

2018-02-25 Thread Florian Westphal
Harsha Sharma wrote: > Print error message and exit. For e.g. > > nft -c " " > nft: no command specified > > Without this patch, it segfaults. Right. > strcat(buf, " "); > } > strcat(buf, "\n"); > + > +

Re: [nft PATCH v2 1/3] nftables: rearrange files and examples

2018-02-24 Thread Florian Westphal
Arturo Borrero Gonzalez <art...@netfilter.org> wrote: > On 24 February 2018 at 23:07, Florian Westphal <f...@strlen.de> wrote: > > Any reason why this doesn't use > > #! @sbindir@nft -f ? > I didn't expect we were using these files for development activities. ok,

Re: [nft PATCH v2 2/3] examples: add ct helper examples

2018-02-24 Thread Florian Westphal
Arturo Borrero Gonzalez wrote: > Include some examples in the nftables tarball on using the ct helper > infraestructure, inspired from wiki.nftables.org. > > Signed-off-by: Arturo Borrero Gonzalez > --- > v2: fix some typos > >

Re: [nft PATCH v2 1/3] nftables: rearrange files and examples

2018-02-24 Thread Florian Westphal
Arturo Borrero Gonzalez wrote: > Concatenate all family/hook examples into a single one by means of includes. > > Put all example files under examples/. Use the '.nft' prefix and mark > them as executable files. Use a static shebang declaration, since these > are examples

[PATCH nf] netfilter: ipvs: flag ct as needing s/dnat in original direction

2018-02-24 Thread Florian Westphal
tfilter: ipvs: don't check for presence of nat extension") Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/ipvs/ip_vs_nfct.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c in

Re: [NFT PATCH 1/3] nftables: rearrange files and examples

2018-02-24 Thread Florian Westphal
Arturo Borrero Gonzalez wrote: > Concatenate all family/hook examples into a single one. Oh? I actually liked the 'atomic' versions, because I could run nft -f /etc/nftables/ipv4-filter to get empty 'iptables' filter.

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-21 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Tue, Feb 20, 2018 at 05:52:54PM -0800, Alexei Starovoitov wrote: > > On Tue, Feb 20, 2018 at 11:44:31AM +0100, Pablo Neira Ayuso wrote: > > > > > > Don't get me wrong, no software is safe from security issues, but if you > > > don't abstract

Re: shift by n bits while performing '--restore-mark'

2018-02-20 Thread Florian Westphal
; Date: Mon, 12 Feb 2018 13:41:29 +1300 > Subject: [PATCH] libxt_CONNMARK: Support bit-shifting for --restore,set and > save-mark > > Added bit-shifting operations for --restore & set & save-mark. > > Signed-off-by: Jack Ma <jack...@alliedtelesis.co.nz> > Signed-off

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller wrote: > From: Phil Sutter > Date: Mon, 19 Feb 2018 18:14:11 +0100 > > > OK, so reading between the lines you're saying that nftables project > > has failed to provide an adequate successor to iptables? > > Whilst it is great that the atomic table

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller <da...@davemloft.net> wrote: > From: Florian Westphal <f...@strlen.de> > Date: Mon, 19 Feb 2018 15:53:14 +0100 > > > Sure, but looking at all the things that were added to iptables > > to alleviate some of the issues (ipset for instance) show that w

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller <da...@davemloft.net> wrote: > From: Florian Westphal <f...@strlen.de> > Date: Mon, 19 Feb 2018 15:59:35 +0100 > > > David Miller <da...@davemloft.net> wrote: > >> It also means that the scope of developers who can contribute and

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller wrote: > From: Daniel Borkmann > Date: Mon, 19 Feb 2018 13:03:17 +0100 > > > Thought was that it would be more suitable to push all the complexity of > > such translation into user space which brings couple of additional > > advantages >

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Florian Westphal
David Miller wrote: > > How many of those wide-spread applications are you aware of? The two > > projects you have pointed out (docker and kubernetes) don't. As the > > assumption that many such tools would need to be supported drives a lot > > of the design decisions, I

[PATCH iptables] extensions: connmark: remove non-working translation

2018-02-19 Thread Florian Westphal
mask defines what to clear, for nfmark what to keep, i.e. we're supposed to only alter the lower bits of the ctmark. nftables can't do this at the moment because bitwise operator RHS requires immediate values. same is true for 'restore'. Signed-off-by: Florian Westphal <f...@strlen.de>

[PATCH iptables] extensions: mark: prefer plain 'set' over 'set mark and'

2018-02-19 Thread Florian Westphal
. In that case we can simply use an immediate value without need for logical operators. Signed-off-by: Florian Westphal <f...@strlen.de> --- extensions/libxt_CONNMARK.c | 6 +++--- extensions/libxt_CONNMARK.txlate | 3 +++ extensions/libxt_MARK.c | 6 +++--- exte

Re: [PATCH nf 1/2] netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount

2018-02-19 Thread Florian Westphal
kbuild test robot <l...@intel.com> wrote: > Hi Florian, > > I love your patch! Perhaps something to improve: > > [auto build test WARNING on nf/master] > > url: > https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ipt_CLUSTERIP-two-more-fixes/2

[PATCH nf] netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt

2018-02-18 Thread Florian Westphal
l4proto->manip_pkt() can cause reallocation of skb head so pointer to the ipv6 header must be reloaded. Reported-and-tested-by: <syzbot+10005f4292fc9cc89...@syzkaller.appspotmail.com> Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support") Signed-off-by: Florian Westp

[PATCH nf] netfilter: ebtables: convert BUG_ONs to WARN_ONs

2018-02-18 Thread Florian Westphal
All of these conditions are not fatal and should have been WARN_ONs from the get-go. Convert them to WARN_ONs and bail out. Signed-off-by: Florian Westphal <f...@strlen.de> --- diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 3f536c7a3354..254ef9f49567

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-18 Thread Florian Westphal
Daniel Borkmann wrote: > As rule translation can potentially become very complex, this is performed > entirely in user space. In order to ease deployment, request_module() code > is extended to allow user mode helpers to be invoked. Idea is that user mode > helpers are built

Re: [PATCH] doc/nft.xml: fix typo

2018-02-18 Thread Florian Westphal
Duncan Roe wrote: > Signed-off-by: Duncan Roe > --- > doc/nft.xml | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) applied, thanks.

[PATCH nft v2] nftables: basic support for extended netlink errors

2018-02-18 Thread Florian Westphal
and to succeed. However, given similar future bugs, kernel might have told us something like 'expression failed initialisation' or 'set lacks update callback', which is much more helpful for developers to pinpoint the place where netlink processing failed on nftables kernel side. Signed-off-by: Flor

[PATCH iptables] extensions: ecn: add tcp ecn/cwr translation

2018-02-18 Thread Florian Westphal
nft can match tcp flags, so add ece/cwr translation. Signed-off-by: Florian Westphal <f...@strlen.de> --- extensions/libxt_ecn.c | 50 + extensions/libxt_ecn.txlate | 6 ++ 2 files changed, 38 insertions(+), 18 deletions(-) diff

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-17 Thread Florian Westphal
Harald Welte wrote: > I believe _if_ one wants to use the approach of "hiding" eBPF behind > iptables, then either [..] > b) you must introduce new 'tables', like an 'xdp' table which then has >the notion of processing very early in processing, way before the >normal

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-17 Thread Florian Westphal
Florian Westphal <f...@strlen.de> wrote: > David Miller <da...@davemloft.net> wrote: > > From: Florian Westphal <f...@strlen.de> > > Date: Fri, 16 Feb 2018 17:14:08 +0100 > > > > > Any particular reason why translating iptables rather than

[PATCH nft] nftables: basic support for extended netlink errors

2018-02-17 Thread Florian Westphal
and to succeed. However, given similar future bugs, kernel might have told us something like 'expression failed initialisation' or 'set lacks update callback', which is much more helpful for developers to pinpoint the place where netlink processing failed on nftables kernel side. Signed-off-by: Flor

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-17 Thread Florian Westphal
David Miller <da...@davemloft.net> wrote: > From: Florian Westphal <f...@strlen.de> > Date: Fri, 16 Feb 2018 17:14:08 +0100 > > > Any particular reason why translating iptables rather than nftables > > (it should be possible to monitor the nftables changes

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-17 Thread Florian Westphal
Daniel Borkmann <dan...@iogearbox.net> wrote: > Hi Florian, > > On 02/16/2018 05:14 PM, Florian Westphal wrote: > > Florian Westphal <f...@strlen.de> wrote: > >> Daniel Borkmann <dan...@iogearbox.net> wrote: > >> Several questions spinning at

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread Florian Westphal
Florian Westphal <f...@strlen.de> wrote: > Daniel Borkmann <dan...@iogearbox.net> wrote: > Several questions spinning at the moment, I will probably come up with > more: ... and here there are some more ... One of the many pain points of xtables design is the assumption of '

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread Florian Westphal
Daniel Borkmann wrote: > This is a very rough and early proof of concept that implements bpfilter. [..] > Also, as a benefit from such design, we get BPF JIT compilation on x86_64, > arm64, ppc64, sparc64, mips64, s390x and arm32, but also rule offloading > into HW for

[PATCH nf 2/2] netfilter: ipt_CLUSTERIP: put config instead of freeing it

2018-02-16 Thread Florian Westphal
Once struct is added to per-netns list it becomes visible to other cpus, so we cannot use kfree(). Also delay setting entries refcount to 1 until after everything is initialised so that when we call clusterip_config_put() in this spot entries is still zero. Signed-off-by: Florian Westphal &l

[PATCH nf 1/2] netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount

2018-02-16 Thread Florian Westphal
This needs to put() the entry to avoid a resource leak in error path. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/net

[PATCH nf 0/2] netfilter: ipt_CLUSTERIP: two more fixes

2018-02-16 Thread Florian Westphal
During code audit I found two more bugs in CLUSTERIP, first one is a refcount leak, second is possible use-after-free due to kfree() of rcu-protected (and already visible) structure. I think it's time to remove this target, so, if anyone has a good reason to not nuke it in nf-next please let me

Re: [PATCH] inet: don't call skb_orphan if tproxy happens in layer 2

2018-02-16 Thread Florian Westphal
Gregory Vander Schueren wrote: [ cc netdev ] > If sysctl bridge-nf-call-iptables is enabled, iptables chains are already > traversed from the bridging code. In such case, tproxy already happened when > reaching ip_rcv. Thus no need to call skb_orphan as this

Re: [PATCH net] netfilter: unlock xt_table earlier in __do_replace

2018-02-16 Thread Florian Westphal
Xin Long wrote: > Now it's doing cleanup_entry for oldinfo under the xt_table lock, > but it's not really necessary. After the replacement job is done > in xt_replace_table, oldinfo is not used elsewhere any more, and > it can be freed without xt_table lock safely. Right.

[PATCH nft] payload: don't decode past last valid template

2018-02-15 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- src/payload.c | 4 1 file changed, 4 insertions(+) diff --git a/src/payload.c b/src/payload.c index 60090accbcd8..63c9f7157e4e 100644 --- a/src/payload.c +++ b/src/payload.c @@ -618,6 +618,10 @@ void payload_expr_expand(struct lis

[PATCH nf] netfilter: don't set F_IFACE on ipv6 fib lookups

2018-02-14 Thread Florian Westphal
"fib" starts to behave strangely when an ipv6 default route is added - the FIB lookup returns a route using 'oif' in this case. This behaviour was inherited from ip6tables rpfilter so change this as well. Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1221 Signed-off-b

Re: Overlapping IP networks no longer allowed?

2018-02-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote: > > Hello, > > > > As of nftables 0.8.1, it seems I can no longer write anonymous sets > > which contain overlapping networks (CIDR masks). > > > > For example, I want to write the

[PATCH nft] tests: add test case for sets updated from packet path

2018-02-14 Thread Florian Westphal
currently kernel may pick a set implementation that doesn't provide a ->update() function. This causes an error when user attempts to add the nftables rule that is supposed to add entries to the set. Signed-off-by: Florian Westphal <f...@strlen.de> --- Pablo, unless you have objection

Re: [PATCH net v2] netfilter: nat: cope with negative port range

2018-02-14 Thread Florian Westphal
Eric Dumazet wrote: > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote: > > syzbot reported a division by 0 bug in the netfilter nat code: > > > Adding the relevant check at parse time could break existing > > setup, moreover we would need to read/write such values

Re: [PATCH net] netfilter: nat: cope with negative port range

2018-02-13 Thread Florian Westphal
Paolo Abeni wrote: > Fixes: c7232c9979cb ("netfilter: add protocol independent NAT core") are you sure? When I looked this was a day 0 bug, the code was just moved from ipv4.

[PATCH nf] netfilter: nf_nat: range size must be at least 1

2018-02-12 Thread Florian Westphal
divide error: [#1] SMP KASAN RIP: 0010:nf_nat_l4proto_unique_tuple+0x291/0x530 net/netfilter/nf_nat_proto_common.c:88 looks like a day 0 bug. Avoid this by forcing a min_range of 1. Reported-by: <syzbot+8012e198bd037f487...@syzkaller.appspotmail.com> Signed-off-by: Florian Westp

Re: general protection fault in ipt_do_table

2018-02-12 Thread Florian Westphal
syzbot wrote: > Hello, > > syzbot hit the following crash on net-next commit > 9a61df9e5f7471fe5be3e02bd0bed726b2761a54 (Sat Feb 10 03:32:41 2018 +) > Merge tag 'kbuild-v4.16-2' of >

[PATCH v2 nf 9/9] netfilter: x_tables: use pr ratelimiting in all remaining spots

2018-02-09 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/ipt_ECN.c | 2 +- net/ipv4/netfilter/ipt_REJECT.c| 4 ++-- net/ipv4/netfilter/ipt_rpfilter.c | 2 +- net/ipv6/netfilter/ip6t_REJECT.c | 4 ++-- net/ipv6/netfilter/ip6t_rpfilter.c | 2 +- net/ipv6/net

[PATCH v2 nf 8/9] netfilter: x_tables: use pr ratelimiting in matches/targets

2018-02-09 Thread Florian Westphal
all of these print simple error message - use single pr_ratelimit call. checkpatch complains about lines > 80 but this would require splitting several "literals" over multiple lines which is worse. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter

[PATCH v2 nf 7/9] netfilter: x_tables: rate-limit table mismatch warnings

2018-02-09 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- no changes. net/ipv4/netfilter/ipt_rpfilter.c | 4 ++-- net/ipv6/netfilter/ip6t_rpfilter.c | 4 ++-- net/netfilter/xt_CONNSECMARK.c | 4 ++-- net/netfilter/xt_SECMARK.c | 4 ++-- 4 files changed, 8 insertions(+), 8 del

[PATCH v2 nf 1/9] netfilter: x_tables: remove pr_info where possible

2018-02-09 Thread Florian Westphal
remove several pr_info messages that cannot be triggered with iptables, the check is only to ensure input is sane. iptables(8) already prints error messages in these cases. Signed-off-by: Florian Westphal <f...@strlen.de> --- Changes since v2: - remove a few more pr_info (dscp, checksum

[PATCH v2 nf 2/9] netfilter: x_tables: use pr ratelimiting in xt core

2018-02-09 Thread Florian Westphal
most messages are converted to info, since they occur in response to wrong usage. Size mismatch however is a real error (xtables ABI bug) that should not occur. Signed-off-by: Florian Westphal <f...@strlen.de> --- changes since v1: - use info (not err) for most cases. net/net

[PATCH v2 nf 5/9] netfilter: xt_set: use pr ratelimiting

2018-02-09 Thread Florian Westphal
also convert this to info for consistency. These errors are informational message to user, given iptables doesn't have netlink extack equivalent. Signed-off-by: Florian Westphal <f...@strlen.de> --- patch is new in v2 (split away from different patch). net/netfilter/xt_set.

[PATCH v2 nf 6/9] netfilter: bridge: use pr ratelimiting

2018-02-09 Thread Florian Westphal
ebt_among still uses pr_err -- these errors indicate ebtables tool bug, not a usage error. Signed-off-by: Florian Westphal <f...@strlen.de> --- patch is new in v2 (split away from different patch). net/bridge/netfilter/ebt_among.c | 10 +- net/bridge/netfilter/ebt_limit.c | 4 +

[PATCH v2 nf 4/9] netfilter: xt_NFQUEUE: use pr ratelimiting

2018-02-09 Thread Florian Westphal
switch this to info, since these aren't really errors. We only use printk because we cannot report meaningful errors in the xtables framework. Signed-off-by: Florian Westphal <f...@strlen.de> --- Patch is new in v2. net/netfilter/xt_NFQUEUE.c | 8 +--- 1 file changed, 5 insertions

[PATCH v2 nf 0/9] netfilter: x_tables: use printk ratelimiting

2018-02-09 Thread Florian Westphal
Aeons ago, before namespaces, there was no need to ratelimit this: all of these error messages got triggered in response to iptables commands, which need CAP_NET_ADMIN. Nowadays we have namespaces, so it's better to ratelimit these. This should also help fuzzing (syzkaller), as it can generate a

[PATCH v2 nf 3/9] netfilter: xt_CT: use pr ratelimiting

2018-02-09 Thread Florian Westphal
checkpatch complains about line > 80 but this would require splitting "literal" over two lines which is worse. Signed-off-by: Florian Westphal <f...@strlen.de> --- no changes since v1. net/netfilter/xt_CT.c | 25 + 1 file changed, 13 insertions(+), 12

Re: [Patch net v2] ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()

2018-02-08 Thread Florian Westphal
place refcount_inc() with > refcount_inc_not_zero(), as for c->refcount. Reviewed-by: Florian Westphal <f...@strlen.de>

Re: [Patch net] ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()

2018-02-08 Thread Florian Westphal
Cong Wang wrote: > In clusterip_config_find_get() we hold RCU read lock so it could > run concurrently with clusterip_config_entry_put(), as a result, > the refcnt could go back to 1 from 0, which leads to a double > list_del()... Just replace refcount_inc() with >

Re: [PATCH nf 7/7] netfilter: x_tables: use pr ratelimiting in all remaining spots

2018-02-07 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > --- a/net/bridge/netfilter/ebt_among.c > > +++ b/net/bridge/netfilter/ebt_among.c > > @@ -187,17 +187,17 @@ static int ebt_among_mt_check(const struct > > xt_mtchk_param *par) > > expected_length += ebt_mac_wormhash_size(wh_src); > > > >

Re: [PATCH nf 2/7] netfilter: x_tables: prefer pr_debug where possible

2018-02-07 Thread Florian Westphal
Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Wed, Feb 07, 2018 at 02:48:23PM +0100, Florian Westphal wrote: > > prefer pr_debug for cases where error is usually not seen by users. > > checkpatch complains due to lines > 80 but adding a newline doesn't > >

Re: [PATCH nf 1/7] netfilter: x_tables: remove pr_info where possible

2018-02-07 Thread Florian Westphal
Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Wed, Feb 07, 2018 at 02:48:22PM +0100, Florian Westphal wrote: > > remove several pr_info messages that cannot be triggered with iptables. > > > > Signed-off-by: Florian Westphal <f...@strlen.de> > > ---

[PATCH nf 4/7] netfilter: x_tables: rate limit pr_err warnings

2018-02-07 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/x_tables.c | 70 +++- 1 file changed, 34 insertions(+), 36 deletions(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 2f685ee1f9c8..0f81294dea7b

[PATCH nf 6/7] netfilter: x_tables: use pr ratelimiting

2018-02-07 Thread Florian Westphal
all of these print simple error message - use single pr_ratelimit call. checkpatch complains about lines > 80 but this would require splitting several "literals" over multiple lines which is worse. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter

[PATCH nf 5/7] netfilter: x_tables: rate-limit table mismatch warnings

2018-02-07 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/ipt_rpfilter.c | 4 ++-- net/ipv6/netfilter/ip6t_rpfilter.c | 4 ++-- net/netfilter/xt_CONNSECMARK.c | 4 ++-- net/netfilter/xt_SECMARK.c | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff

[PATCH nf 2/7] netfilter: x_tables: prefer pr_debug where possible

2018-02-07 Thread Florian Westphal
prefer pr_debug for cases where error is usually not seen by users. checkpatch complains due to lines > 80 but adding a newline doesn't make things any more readable. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/ipt_rpfilter.c | 2 +- net/ipv6/

[PATCH nf 3/7] netfilter: xt_CT: use pr ratelimiting

2018-02-07 Thread Florian Westphal
checkpatch complains about line > 80 but this would require splitting "literal" over two lines which is worse. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/xt_CT.c | 25 + 1 file changed, 13 insertions(+), 12 deletions(-) diff --

[PATCH nf 7/7] netfilter: x_tables: use pr ratelimiting in all remaining spots

2018-02-07 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- net/bridge/netfilter/ebt_among.c | 10 net/bridge/netfilter/ebt_limit.c | 4 ++-- net/ipv4/netfilter/ipt_ECN.c | 2 +- net/ipv4/netfilter/ipt_REJECT.c | 4 ++-- net/ipv6/netfilter/ip6t_REJECT.c | 4 ++-- net/ipv6/net

[PATCH nf 1/7] netfilter: x_tables: remove pr_info where possible

2018-02-07 Thread Florian Westphal
remove several pr_info messages that cannot be triggered with iptables. Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/ipt_ECN.c | 10 -- net/netfilter/xt_HL.c| 13 +++-- net/netfilter/xt_LED.c | 4 +--- net/netfilter/xt_cgroup.c

netfilter: x_tables: ratelimit most printks

2018-02-07 Thread Florian Westphal
Aeons ago, before namespaces, there was no need to ratelimit this: all of these error messages got triggered in response to iptables commands, which need CAP_NET_ADMIN. Nowadays we have namespaces, so it's better to ratelimit these. This should also help fuzzing (syzkaller), as it can generate a

[PATCH nf RFC] netfilter: x_tables: only allow jumps to user-defined chains

2018-02-07 Thread Florian Westphal
by programs that don't call xtables(-restore) tools. This change also prevents the syzkaller reported crash as ruleset gets rejected. Reported-by: syzbot+e783f671527912cd9...@syzkaller.appspotmail.com Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/arp_tables.

[PATCH nf] netfilter: add back stackpointer size checks

2018-02-07 Thread Florian Westphal
. Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset") Reported-by: syzbot+e783f671527912cd9...@syzkaller.appspotmail.com Signed-off-by: Florian Westphal <f...@strlen.de> --- net/ipv4/netfilter/arp_tables.c | 4 net/ipv4/netfilter/ip_tables.c | 7 +

Re: WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread Florian Westphal
Paolo Abeni wrote: [ pruning CC list ] > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master > > I can't reproduce the issue locally, so asking the syzbot to test the > tentative fix for me (and hoping I did not mess with the tag/format) I can

Re: shift by n bits while performing '--restore-mark'

2018-02-06 Thread Florian Westphal
Jack Ma wrote: > Our current condition is: > > 1) only 0xfff0 (three F available in skb->mark), but 0xf000 (five F > available in ct->mark) > > We wish to copy either 0xfff0 or 0x00fff000 from ct->mark into skb->mark, > > > What about '-j CONNMARK

Re: [Patch net v2] xt_RATEEST: acquire xt_rateest_mutex for hash insert

2018-02-05 Thread Florian Westphal
internal use and keep the > locking one for external. Looks good, thanks Cong. Reviewed-by: Florian Westphal <f...@strlen.de> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo i

Re: KASAN: slab-out-of-bounds Read in clusterip_tg_check

2018-02-05 Thread Florian Westphal
syzbot wrote: #syz-fix: netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()

Re: [Patch net] xt_RATEEST: acquire xt_rateest_mutex for hash insert

2018-02-01 Thread Florian Westphal
Cong Wang wrote: > On Wed, Jan 31, 2018 at 5:44 PM, Eric Dumazet wrote: > > On Wed, 2018-01-31 at 16:26 -0800, Cong Wang wrote: > >> rateest_hash is supposed to be protected by xt_rateest_mutex. > >> > >> Reported-by:
