Re: [PATCH nf 1/7] netfilter: x_tables: remove pr_info where possible

2018-02-07 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Feb 07, 2018 at 02:48:22PM +0100, Florian Westphal wrote: > > remove several pr_info messages that cannot be triggered with iptables. > > > > Signed-off-by: Florian Westphal > > --- > > net/ipv4/netfilter/ipt_ECN.c | 10

Re: [PATCH nf 7/7] netfilter: x_tables: use pr ratelimiting in all remaining spots

2018-02-07 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > --- a/net/bridge/netfilter/ebt_among.c > > +++ b/net/bridge/netfilter/ebt_among.c > > @@ -187,17 +187,17 @@ static int ebt_among_mt_check(const struct > > xt_mtchk_param *par) > > expected_length += ebt_mac_wormhash_size(wh_src); > > > >

Re: [PATCH nf 2/7] netfilter: x_tables: prefer pr_debug where possible

2018-02-07 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Feb 07, 2018 at 02:48:23PM +0100, Florian Westphal wrote: > > prefer pr_debug for cases where error is usually not seen by users. > > checkpatch complains due to lines > 80 but adding a newline doesn't > > make things any more readable. > >

Re: [PATCH nf 7/7] netfilter: x_tables: use pr ratelimiting in all remaining spots

2018-02-07 Thread Pablo Neira Ayuso
On Wed, Feb 07, 2018 at 08:23:23PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > > --- a/net/bridge/netfilter/ebt_among.c > > > +++ b/net/bridge/netfilter/ebt_among.c > > > @@ -187,17 +187,17 @@ static int ebt_among_mt_check(const struct > > > xt_mtchk_param

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

2018-02-07 Thread Andrew Morton
On Wed, 7 Feb 2018 18:44:39 +0100 Pablo Neira Ayuso wrote: > Hi, > > On Wed, Jan 31, 2018 at 09:19:16AM +0100, Michal Hocko wrote: > [...] > > Yeah, we do not BUG but rather fail instead. See __vmalloc_node_range. > > My excavation tools pointed me to "VM: Rework vmalloc

Re: [PATCH 00/11] Netfilter fixes for net

2018-02-07 Thread David Miller
From: Pablo Neira Ayuso Date: Wed, 7 Feb 2018 18:42:18 +0100 > The following patchset contains Netfilter fixes for your net tree, they > are: ... > You can pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Pulled, thanks Pablo. >

Re: [PATCH RFC 2/4] netlink: add generic object description infrastructure

2018-02-07 Thread Randy Dunlap
On 02/06/2018 05:37 PM, Pablo Neira Ayuso wrote: > This patch allows netlink busses to provide object descriptions to > userspace, in terms of supported attributes and their corresponding > datatypes. > > Userspace sends a request that looks like: > > netlink header > NLA_DESC_REQ_BUS

linux-next: Signed-off-by missing for commit in the netfilter tree

2018-02-07 Thread Stephen Rothwell
Hi all, Commit d8ed9600581d ("netfilter: remove useless prototype") is missing a Signed-off-by from its committer. -- Cheers, Stephen Rothwell

[Patch net] ipt_CLUSTERIP: fix a race condition of proc file creation

2018-02-07 Thread Cong Wang
There is a race condition between clusterip_config_entry_put() and clusterip_config_init(): after we release the spinlock in clusterip_config_entry_put(), a new proc file with the same IP could be created immediately since it is already removed from the configs list, therefore it triggers this

Re: WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread Paolo Abeni
On Tue, 2018-02-06 at 22:42 -0800, Cong Wang wrote: > On Tue, Feb 6, 2018 at 6:27 AM, syzbot > wrote: > > Hello, > > > > syzbot hit the following crash on net-next commit > > 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018

[PATCH] netfilter: nf_flow_offload: fix use-after-free and a resource leak

2018-02-07 Thread Felix Fietkau
flow_offload_del frees the flow, so all associated resources must be freed before. Since the ct entry in struct flow_offload_entry was allocated by flow_offload_alloc, it should be freed by flow_offload_free to take care of the error handling path when flow_offload_add fails. While at it, make

Re: [nft PATCH] Enable automerge feature for anonymous sets

2018-02-07 Thread Jozsef Kadlecsik
On Wed, 7 Feb 2018, Pablo Neira Ayuso wrote: > On Tue, Feb 06, 2018 at 07:18:47PM +0100, Phil Sutter wrote: > > Automatic merging of adjacent/overlapping ranges upon insertion has > > clear benefits performance- and readability-wise. The drawbacks which > > led to disabling it by default don't

[PATCH] Spelling fixes

2018-02-07 Thread Ville Skyttä
Signed-off-by: Ville Skyttä --- INSTALL | 2 +- doc/nft.xml | 2 +- include/datatype.h | 2 +- src/exthdr.c| 4 ++--

Re: [nft PATCH] Enable automerge feature for anonymous sets

2018-02-07 Thread Phil Sutter
Hi Pablo, On Wed, Feb 07, 2018 at 12:39:43AM +0100, Pablo Neira Ayuso wrote: > On Tue, Feb 06, 2018 at 07:18:47PM +0100, Phil Sutter wrote: > > Automatic merging of adjacent/overlapping ranges upon insertion has > > clear benefits performance- and readability-wise. The drawbacks which > > led to

Re: WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread Dmitry Vyukov
You dropped syzbot from CC ;) Add syzbot+03218bcdba6aa7644...@syzkaller.appspotmail.com to To or CC. On Wed, Feb 7, 2018 at 11:42 AM, syzbot wrote: >> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git >> master > > > Can't find the

Re: [PATCH] netfilter: nf_flow_offload: fix use-after-free and a resource leak

2018-02-07 Thread Pablo Neira Ayuso
On Wed, Feb 07, 2018 at 09:49:02AM +0100, Felix Fietkau wrote: > flow_offload_del frees the flow, so all associated resources must be > freed before. > > Since the ct entry in struct flow_offload_entry was allocated by > flow_offload_alloc, it should be freed by flow_offload_free to take care > of

Re: [PATCH] netfilter: remove useless prototype

2018-02-07 Thread Pablo Neira Ayuso
On Wed, Feb 07, 2018 at 11:50:41AM +0900, Taehee Yoo wrote: > prototype nf_ct_nat_offset is not used anymore. Applied, thanks.

Re: WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread syzbot
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master Can't find the corresponding bug. I can't reproduce the issue locally, so asking the syzbot to test the tentative fix for me (and hoping I did not mess with the tag/format) ---

Re: WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread Paolo Abeni
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master I can't reproduce the issue locally, so asking the syzbot to test the tentative fix for me (and hoping I did not mess with the tag/format) --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 30 +++--- 1

WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread syzbot
Hello, syzbot tried to test the proposed patch but build/boot failed: kernel build failed: failed to run /usr/bin/make [make bzImage -j 32 CC=/syzkaller/gcc/bin/gcc]: exit status 2 scripts/kconfig/conf --silentoldconfig Kconfig CHK include/config/kernel.release CHK

Re: WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread Florian Westphal
Paolo Abeni wrote: [ pruning CC list ] > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master > > I can't reproduce the issue locally, so asking the syzbot to test the > tentative fix for me (and hoping I did not mess with the tag/format) I can

[PATCH nf] netfilter: add back stackpointer size checks

2018-02-07 Thread Florian Westphal
The rationale for removing the check is only correct for rulesets generated by ip(6)tables. In iptables, a jump can only occur to a user-defined chain, i.e. because we size the stack based on number of user-defined chains we cannot exceed stack size. However, the underlying binary format has no

netfilter: x_tables: ratelimit most printks

2018-02-07 Thread Florian Westphal
Aeons ago, before namespaces, there was no need to ratelimit this: all of these error messages got triggered in response to iptables commands, which need CAP_NET_ADMIN. Nowadays we have namespaces, so it's better to ratelimit these. This should also help fuzzing (syzkaller), as it can generate a

[PATCH nf 7/7] netfilter: x_tables: use pr ratelimiting in all remaining spots

2018-02-07 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/bridge/netfilter/ebt_among.c | 10 net/bridge/netfilter/ebt_limit.c | 4 ++-- net/ipv4/netfilter/ipt_ECN.c | 2 +- net/ipv4/netfilter/ipt_REJECT.c | 4 ++-- net/ipv6/netfilter/ip6t_REJECT.c | 4 ++--

[PATCH nf 1/7] netfilter: x_tables: remove pr_info where possible

2018-02-07 Thread Florian Westphal
remove several pr_info messages that cannot be triggered with iptables. Signed-off-by: Florian Westphal --- net/ipv4/netfilter/ipt_ECN.c | 10 -- net/netfilter/xt_HL.c| 13 +++-- net/netfilter/xt_LED.c | 4 +--- net/netfilter/xt_cgroup.c| 4

[PATCH nf 3/7] netfilter: xt_CT: use pr ratelimiting

2018-02-07 Thread Florian Westphal
checkpatch complains about line > 80 but this would require splitting "literal" over two lines which is worse. Signed-off-by: Florian Westphal --- net/netfilter/xt_CT.c | 25 + 1 file changed, 13 insertions(+), 12 deletions(-) diff --git

[PATCH nf 4/7] netfilter: x_tables: rate limit pr_err warnings

2018-02-07 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/netfilter/x_tables.c | 70 +++- 1 file changed, 34 insertions(+), 36 deletions(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 2f685ee1f9c8..0f81294dea7b 100644 ---

[PATCH nf 6/7] netfilter: x_tables: use pr ratelimiting

2018-02-07 Thread Florian Westphal
all of these print simple error messages - use single pr_ratelimit call. checkpatch complains about lines > 80 but this would require splitting several "literals" over multiple lines which is worse. Signed-off-by: Florian Westphal --- net/netfilter/xt_HMARK.c| 24

[PATCH nf 5/7] netfilter: x_tables: rate-limit table mismatch warnings

2018-02-07 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/ipv4/netfilter/ipt_rpfilter.c | 4 ++-- net/ipv6/netfilter/ip6t_rpfilter.c | 4 ++-- net/netfilter/xt_CONNSECMARK.c | 4 ++-- net/netfilter/xt_SECMARK.c | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git

[PATCH nf 2/7] netfilter: x_tables: prefer pr_debug where possible

2018-02-07 Thread Florian Westphal
prefer pr_debug for cases where error is usually not seen by users. checkpatch complains due to lines > 80 but adding a newline doesn't make things any more readable. Signed-off-by: Florian Westphal --- net/ipv4/netfilter/ipt_rpfilter.c | 2 +-

Re: WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread Paolo Abeni
On Wed, 2018-02-07 at 09:43 +0100, Paolo Abeni wrote: > On Tue, 2018-02-06 at 22:42 -0800, Cong Wang wrote: > > On Tue, Feb 6, 2018 at 6:27 AM, syzbot > > wrote: > > > Hello, > > > > > > syzbot hit the following crash on net-next commit > >

Re: CPU load on queued_spin_lock_slowpath

2018-02-07 Thread Tugrul Erdogan
Thanks for your advice. I will try to create the erroneous situation by triggering an icmp error for an existing connection and try the non-tcp patch and kernel upgrade respectively. I will report the results on the mailing list. > On Tue, Feb 6, 2018, 7:10 AM Pablo Neira Ayuso wrote: >> >>

Re: [PATCH nf 7/7] netfilter: x_tables: use pr ratelimiting in all remaining spots

2018-02-07 Thread Pablo Neira Ayuso
Hi Florian, Thanks for looking into this, comments below. On Wed, Feb 07, 2018 at 02:48:28PM +0100, Florian Westphal wrote: > Signed-off-by: Florian Westphal > --- > net/bridge/netfilter/ebt_among.c | 10 > net/bridge/netfilter/ebt_limit.c | 4 ++-- >

Re: [PATCH nf 2/7] netfilter: x_tables: prefer pr_debug where possible

2018-02-07 Thread Pablo Neira Ayuso
On Wed, Feb 07, 2018 at 02:48:23PM +0100, Florian Westphal wrote: > prefer pr_debug for cases where error is usually not seen by users. > checkpatch complains due to lines > 80 but adding a newline doesn't > make things any more readable. > > Signed-off-by: Florian Westphal > ---

Re: [PATCH nf 1/7] netfilter: x_tables: remove pr_info where possible

2018-02-07 Thread Pablo Neira Ayuso
On Wed, Feb 07, 2018 at 02:48:22PM +0100, Florian Westphal wrote: > remove several pr_info messages that cannot be triggered with iptables. > > Signed-off-by: Florian Westphal > --- > net/ipv4/netfilter/ipt_ECN.c | 10 -- > net/netfilter/xt_HL.c| 13 +++--

[PATCH 02/11] netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure

2018-02-07 Thread Pablo Neira Ayuso
From: Subash Abhinov Kasiviswanathan Failures were seen in ICMPv6 fragmentation timeout tests if they were run after the RFC2460 failure tests. Kernel was not sending out the ICMPv6 fragment reassembly time exceeded packet after the fragmentation reassembly timeout of 1

[PATCH 03/11] netfilter: flowtable infrastructure depends on NETFILTER_INGRESS

2018-02-07 Thread Pablo Neira Ayuso
config NF_FLOW_TABLE depends on NETFILTER_INGRESS. If users forget to enable this toggle, flowtable registration fails with EOPNOTSUPP. Moreover, turn 'select NF_FLOW_TABLE' in every flowtable family flavour into dependency instead, otherwise this new dependency on NETFILTER_INGRESS causes a

[PATCH 09/11] netfilter: nf_tables: fix flowtable free

2018-02-07 Thread Pablo Neira Ayuso
Every flow_offload entry is added into the table twice. Because of this, rhashtable_free_and_destroy can't be used, since it would call kfree for each flow_offload object twice. This patch cleans up the flowtable via nf_flow_table_iterate() to schedule removal of entries by setting on the dying

[PATCH 11/11] netfilter: nf_flow_offload: fix use-after-free and a resource leak

2018-02-07 Thread Pablo Neira Ayuso
From: Felix Fietkau flow_offload_del frees the flow, so all associated resources must be freed before. Since the ct entry in struct flow_offload_entry was allocated by flow_offload_alloc, it should be freed by flow_offload_free to take care of the error handling path when

[PATCH 05/11] netfilter: nft_flow_offload: wait for garbage collector to run after cleanup

2018-02-07 Thread Pablo Neira Ayuso
If netdevice goes down, then flowtable entries are scheduled to be removed. Wait for garbage collector to have a chance to run so it can delete them from the hashtable. The flush call might sleep, so hold the nfnl mutex from nft_flow_table_iterate() instead of rcu read side lock. The use of the

[PATCH 06/11] netfilter: nft_flow_offload: no need to flush entries on module removal

2018-02-07 Thread Pablo Neira Ayuso
nft_flow_offload module removal does not require to flush existing flowtables, it is valid to remove this module while keeping flowtables around. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_flow_offload.c | 6 -- 1 file changed, 6 deletions(-) diff --git

[PATCH 01/11] netfilter: x_tables: make allocation less aggressive

2018-02-07 Thread Pablo Neira Ayuso
From: Michal Hocko syzbot has noticed that xt_alloc_table_info can allocate a lot of memory. This is an admin only interface but an admin in a namespace is sufficient as well. eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() in xt_alloc_table_info()") has changed the

[PATCH 07/11] netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert

2018-02-07 Thread Pablo Neira Ayuso
From: Cong Wang rateest_hash is supposed to be protected by xt_rateest_mutex, and, as suggested by Eric, lookup and insert should be atomic, so we should acquire the xt_rateest_mutex once for both. So introduce a non-locking helper for internal use and keep the locking

[PATCH 00/11] Netfilter fixes for net

2018-02-07 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Restore __GFP_NORETRY in xt_table allocations to mitigate effects of large memory allocation requests, from Michal Hocko. 2) Release IPv6 fragment queue in case of error in fragmentation header, this

[PATCH 04/11] netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1()

2018-02-07 Thread Pablo Neira Ayuso
From: Cong Wang xt_cgroup_info_v1->priv is an internal pointer only used for kernel, we should not trust what user-space provides. Reported-by: Fixes: c38c4597e4bf ("netfilter: implement xt_cgroup cgroup2 path

[PATCH 08/11] netfilter: nft_flow_offload: move flowtable cleanup routines to nf_flow_table

2018-02-07 Thread Pablo Neira Ayuso
Move the flowtable cleanup routines to nf_flow_table and expose the nf_flow_table_cleanup() helper function. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_flow_table.h | 3 +++ net/netfilter/nf_flow_table.c | 24

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

2018-02-07 Thread Pablo Neira Ayuso
Hi, On Wed, Jan 31, 2018 at 09:19:16AM +0100, Michal Hocko wrote: [...] > Yeah, we do not BUG but rather fail instead. See __vmalloc_node_range. > My excavation tools pointed me to "VM: Rework vmalloc code to support mapping > of arbitray pages" > by Christoph back in 2002. So yes, we can safely

[PATCH nf RFC] netfilter: x_tables: only allow jumps to user-defined chains

2018-02-07 Thread Florian Westphal
This rejects rulesets where a jump occurs to a non-user-defined chain. This isn't limited in any way in the binary format (you can jump to any rule you want within the blob structure), but iptables tools do not offer such a feature. Sending as RFC as this limits features that might be used by

WARNING: proc registration bug in clusterip_tg_check

2018-02-07 Thread syzbot
Hello, syzbot tried to test the proposed patch but build/boot failed: kernel build failed: failed to run /usr/bin/make [make bzImage -j 32 CC=/syzkaller/gcc/bin/gcc]: exit status 2 scripts/kconfig/conf --silentoldconfig Kconfig CHK include/config/kernel.release CHK