Re: [PATCH net v2] netfilter: nat: cope with negative port range

Eric Dumazet wrote: > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote: > > syzbot reported a division by 0 bug in the netfilter nat code: > > > Adding the relevant check at parse time could break existing > > setup, moreover we would need to read/write such values

Re: [PATCH net v2] netfilter: nat: cope with negative port range

On Wed, Feb 14, 2018 at 01:30:37PM +0100, Florian Westphal wrote: > Eric Dumazet wrote: > > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote: > > > syzbot reported a division by 0 bug in the netfilter nat code: > > > > > Adding the relevant check at parse time could

Re: [bisected] Forwarded packets occasionally has loopback output interface in Netfilter

On man, 2018-01-22 at 15:54 +0100, Anders K. Pedersen | Cohaesio wrote: > On tor, 2018-01-11 at 10:18 -0800, Wei Wang wrote: > > On Thu, Jan 11, 2018 at 9:25 AM, Anders K. Pedersen | Cohaesio > > wrote: > > > On tir, 2017-12-26 at 12:05 +0100, Anders K. Pedersen | Cohaesio > >

Re: [PATCH net v2] netfilter: nat: cope with negative port range

On Wed, 2018-02-14 at 13:30 +0100, Florian Westphal wrote: > Eric Dumazet wrote: > > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote: > > > syzbot reported a division by 0 bug in the netfilter nat code: > > > Adding the relevant check at parse time could break

Re: [PATCH net v2] netfilter: nat: cope with negative port range

On Wed, Feb 14, 2018 at 04:45:31PM +0100, Paolo Abeni wrote: > Hi, > > On Wed, 2018-02-14 at 14:51 +0100, Pablo Neira Ayuso wrote: > > On Wed, Feb 14, 2018 at 01:30:37PM +0100, Florian Westphal wrote: > > > Eric Dumazet wrote: > > > > On Wed, 2018-02-14 at 12:13 +0100,

[PATCH nft 2/6] payload: add payload_dependency_release() helper function

Wrap code that releases existing dependencies that we have just annotated in the context structure. Signed-off-by: Pablo Neira Ayuso --- src/payload.c | 22 +- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/src/payload.c b/src/payload.c

[PATCH nft 0/6] rework dependency removal (v2)

Hi, This patchset aims to address what Florian reported time ago [1]. This is skipping removal of protocol key payload expressions at network base for the netdev, bridge and inet. It would better to annotate all redundant expressions and add a later stage, where we can do smarter simplifications

[PATCH nft 1/6] src: pass family to payload_dependency_kill()

This context information is very relevant when deciding if a redundant dependency needs to be removed or not, specifically for the inet, bridge and netdev families. This new parameter is used by follow up patch entitled ("payload: add payload_should_dependency_kill()"). Signed-off-by: Pablo Neira

[PATCH nft 5/6] payload: add payload_may_dependency_kill()

Payload protocol key expressions at network base are meaningful in the netdev, bridge and inet families, do not exercise the redundant dependency removal in those cases since it breaks rule semantics. Signed-off-by: Pablo Neira Ayuso --- src/payload.c | 31

[PATCH nft 4/6] src: get rid of __payload_dependency_kill()

Use payload_dependency_release() instead. Signed-off-by: Pablo Neira Ayuso --- include/payload.h | 3 +-- src/netlink_delinearize.c | 9 +++-- src/payload.c | 15 +-- 3 files changed, 9 insertions(+), 18 deletions(-) diff --git

[PATCH nft 6/6] netlink_delinearize: add meta_may_dependency_kill()

Do not exercise dependency removal for protocol key network payload expressions in bridge, netdev and inet families from meta expressions, more specifically: * inet: nfproto and ether type. * netdev and bridge: meta protocol and ether type. need to be left in place. Signed-off-by: Pablo Neira

[PATCH nft 3/6] src: add payload_dependency_exists()

This helper function tells us if there is already a protocol key payload expression, ie. those with EXPR_F_PROTOCOL flag set on, that we might want to remove since we can infer from another expression in the upper protocol base, eg. ip protocol tcp tcp dport 22 'ip protocol tcp' can be

Re: [PATCH net v2] netfilter: nat: cope with negative port range

Hi, On Wed, 2018-02-14 at 14:51 +0100, Pablo Neira Ayuso wrote: > On Wed, Feb 14, 2018 at 01:30:37PM +0100, Florian Westphal wrote: > > Eric Dumazet wrote: > > > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote: > > > > syzbot reported a division by 0 bug in the

Re: Overlapping IP networks no longer allowed?

On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote: > Hello, > > As of nftables 0.8.1, it seems I can no longer write anonymous sets > which contain overlapping networks (CIDR masks). > > For example, I want to write the following ruleset: > > #!/usr/bin/nft -f > define users = {

[PATCH nft] tests: add test case for sets updated from packet path

currently kernel may pick a set implementation that doesn't provide a ->update() function. This causes an error when user attempts to add the nftables rule that is supposed to add entries to the set. Signed-off-by: Florian Westphal --- Pablo, unless you have objections I would

Re: [PATCH nft] tests: add test case for sets updated from packet path

On Wed, Feb 14, 2018 at 05:40:17PM +0100, Florian Westphal wrote: > currently kernel may pick a set implementation that doesn't provide > a ->update() function. This causes an error when user attempts to > add the nftables rule that is supposed to add entries to the set. > > Signed-off-by:

[PATCH net v3] netfilter: nat: cope with negative port range

syzbot reported a division by 0 bug in the netfilter nat code: divide error: [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted 4.16.0-rc1+ #309 Hardware name: Google Google Compute Engine/Google Compute

Overlapping IP networks no longer allowed?

Hello, As of nftables 0.8.1, it seems I can no longer write anonymous sets which contain overlapping networks (CIDR masks). For example, I want to write the following ruleset: #!/usr/bin/nft -f define users = { 10.0.0.0/8, 193.219.181.192/26 } define admins = { 10.123.0.0/24, 31.220.42.129 }

[PATCH nf] netfilter: don't set F_IFACE on ipv6 fib lookups

"fib" starts to behave strangely when an ipv6 default route is added - the FIB lookup returns a route using 'oif' in this case. This behaviour was inherited from ip6tables rpfilter so change this as well. Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1221 Signed-off-by: Florian

Re: netfilter: x_tables: ratelimit most printks

On Wed, Feb 07, 2018 at 02:48:21PM +0100, Florian Westphal wrote: > Aeons ago, before namespaces, there was no need to ratelimit this: > all of these error messages got triggered in response to iptables > commands, which need CAP_NET_ADMIN. > > Nowadays we have namespaces, so its better to

Re: [PATCH nf RFC] netfilter: x_tables: only allow jumps to user-defined chains

On Wed, Feb 07, 2018 at 02:20:41PM +0100, Florian Westphal wrote: > This rejects rulesets where a jump occurs to a non-user defined chain. > This isn't limited in any way in the binary format (you can jump to > any rule you want within the blob structure), but iptables tools > do not offset such a

Re: [PATCH net v2] netfilter: drop outermost socket lock in getsockopt()

On Thu, Feb 08, 2018 at 12:19:00PM +0100, Paolo Abeni wrote: > The Syzbot reported a possible deadlock in the netfilter area caused by > rtnl lock, xt lock and socket lock being acquired with a different order > on different code paths, leading to the following backtrace: > >

Re: [Patch net v2] ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()

On Thu, Feb 08, 2018 at 01:53:52PM -0800, Cong Wang wrote: > In clusterip_config_find_get() we hold RCU read lock so it could > run concurrently with clusterip_config_entry_put(), as a result, > the refcnt could go back to 1 from 0, which leads to a double > list_del()... Just replace

Re: [PATCH nf] netfilter: add back stackpointer size checks

On Wed, Feb 07, 2018 at 01:46:25PM +0100, Florian Westphal wrote: > The rationale for removing the check is only correct for rulesets > generated by ip(6)tables. > > In iptables, a jump can only occur to a user-defined chain, i.e. > because we size the stack based on number of user-defined chains

Re: [PATCH net v2] netfilter: x_tables: fix missing timer initialization in xt_LED

On Mon, Feb 12, 2018 at 06:49:39PM +0100, Paolo Abeni wrote: > syzbot reported that xt_LED may try to use the ledinternal->timer > without previously initializing it: > > [ cut here ] > kernel BUG at kernel/time/timer.c:958! > invalid opcode: [#1] SMP KASAN > Dumping

Re: [PATCH nft] parser_bison: restore nft {import,export} ruleset

> On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote: >> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote: >> > Hi Pablo, >> > >> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso >> > wrote: >> > > Restore original syntax for the yet

Re: [PATCH v2] .gitignore: ignore ASN.1 auto generated files

On Mon, Feb 12, 2018 at 09:45:42PM +0800, Zhu Lingshan wrote: > when build kernel with default configure, files: > > generatenet/ipv4/netfilter/nf_nat_snmp_basic-asn1.c > net/ipv4/netfilter/nf_nat_snmp_basic-asn1.h > > will be automatically generated by ASN.1 compiler, so > No need to track them

Re: [PATCH net v3] netfilter: nat: cope with negative port range

On Wed, Feb 14, 2018 at 05:21:19PM +0100, Paolo Abeni wrote: > syzbot reported a division by 0 bug in the netfilter nat code: > > divide error: [#1] SMP KASAN > Dumping ftrace buffer: > (ftrace buffer empty) > Modules linked in: > CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted

Re: [PATCH nft] parser_bison: restore nft {import,export} ruleset

Hi Pablo, On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso wrote: > Restore original syntax for the yet experimental VM low-level json > representation. > > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224 > Signed-off-by: Pablo Neira Ayuso

Re: [PATCH nft] parser_bison: restore nft {import,export} ruleset

On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote: > Hi Pablo, > > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso > wrote: > > Restore original syntax for the yet experimental VM low-level json > > representation. > > > > Closes:

Re: [PATCH nft] parser_bison: restore nft {import,export} ruleset

On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote: > On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote: > > Hi Pablo, > > > > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso > > wrote: > > > Restore original syntax for the yet experimental VM

Re: [PATCH] configure: Make missing docbook2man an error if man build requested

On Wed, Feb 07, 2018 at 11:40:00AM +0200, Ville Skyttä wrote: > Previously, if man page build was enabled but no suitable docbook2man or > the like tool was found, build failed at a later stage with > undescriptive error message. Fail early and explicitly at configure > stage instead. Applied,

[PATCH libnftnl] examples: nft-set-del: fix set deletion

Signed-off-by: Pablo Neira Ayuso --- examples/nft-set-del.c | 33 - 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/examples/nft-set-del.c b/examples/nft-set-del.c index 5e1fad30d341..8c216df861d7 100644 ---

[PATCH libnftnl] set_elem: nftnl_set_elems_parse() returns 0 if set is empty

Instead of -1, which results n misleading error propagate to the caller with errno == 0 (success). Signed-off-by: Pablo Neira Ayuso --- src/set_elem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/set_elem.c b/src/set_elem.c index

Re: Overlapping IP networks no longer allowed?

Pablo Neira Ayuso wrote: > On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote: > > Hello, > > > > As of nftables 0.8.1, it seems I can no longer write anonymous sets > > which contain overlapping networks (CIDR masks). > > > > For example, I want to write the

Re: shift by n bits while performing '--restore-mark'

Hi Florian, I attached two 'draft' patches in this email :) Thanks, JackFrom 6d811e63c9c777ed4287bc4547134c99e939b49d Mon Sep 17 00:00:00 2001 From: Jack Ma Date: Mon, 12 Feb 2018 13:41:29 +1300 Subject: [PATCH] libxt_CONNMARK: Support bit-shifting for --restore,set