[PATCH 3/3 nf-next] netfilter: nf_tables: fix use-after-free in nf_tables_rule_destroy

2018-04-29 Thread Taehee Yoo
The nft_expr_ops might be freed in the nf_tables_expr_destroy but after this, a member of nft_expr_ops is used. Steps to reproduce: $iptables-compat -I OUTPUT -m cpu --cpu 0 $iptables-compat -F Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nf_tables_api.

[PATCH 1/3 nf-next] netfilter: nf_tables: add release callback in nft_expr_type

2018-04-29 Thread Taehee Yoo
This patch adds the new release callback to release resources allocated in nft_expr_type->select_ops. This release callback can be used by error path in the nf_tables_newrule routine. Only the select_ops of the nft_compat.c allocates memory and holds modules so far. Signed-off-by: Taehee

[PATCH 0/3 nf-next] fix module leak and use-after-free

2018-04-29 Thread Taehee Yoo
ces allocated in nft_expr_type->select_ops. The second patch modifies the error path of the nf_table_newrule by using nft_expr_type->release callback. The third patch solves the use-after-free problem in nf_tables_rule_destroy. Taehee Yoo (3): netfilter: nf_tables: add release callback in nft_

[PATCH nf] netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update

2018-04-18 Thread Taehee Yoo
Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 9134cc4..32bc32f 100644 --- a/net/netfilter/nf_tables_api.c +++ b/n

[PATCH nf-next] netfilter: xtables: use ipt_get_target_c instead of ipt_get_target

2018-04-13 Thread Taehee Yoo
ipt_get_target is used to get struct xt_entry_target and ipt_get_target_c is used to get const struct xt_entry_target. However, in ipt_do_table, ipt_get_target is used to get const struct xt_entry_target. It should be replaced by ipt_get_target_c. Signed-off-by: Taehee Yoo <ap420...@gmail.

[PATCH nf-next] netfilter: ebtables: add ebt_get_target and ebt_get_target_c

2018-04-13 Thread Taehee Yoo
ebt_get_target is similar to {ip/ip6/arp}t_get_target, and ebt_get_target_c is similar to {ip/ip6/arp}t_get_target_c. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/uapi/linux/netfilter_bridge/ebtables.h | 6 ++ net/bridge/netfilter/ebtables.c

[PATCH nf-next] netfilter: x_tables: remove duplicate ip6t_get_target function call

2018-04-08 Thread Taehee Yoo
In the check_target, ip6t_get_target is called twice. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/ipv6/netfilter/ip6_tables.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 0045087..0772f44 100644 ---

[PATCH nf-next] netfilter: ebtables: remove EBT_MATCH and EBT_NOMATCH

2018-04-08 Thread Taehee Yoo
. but, we can use operation '!' simply. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/linux/netfilter_bridge/ebtables.h | 4 net/bridge/netfilter/ebtables.c | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/include/linux/netfilter_bridge/ebtable

[PATCH nf-next] netfilter: ebtables: add ebt_free_table_info function

2018-04-08 Thread Taehee Yoo
ebt_free_table_info frees all of the chainstacks. It is similar to xt_free_table_info. This inline function reduces code lines. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/bridge/netfilter/ebtables.c | 39 +++ 1 file changed, 15 insertions(

[PATCH nf-next] netfilter: add __exit mark to helper modules

2018-04-08 Thread Taehee Yoo
There is no __exit mark in the helper modules, because these exit functions used to be called by the init function, but now they are not. So we can add the __exit mark. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nf_conntrack_ftp.c | 3 +-- net/netfilter/nf_conntrack_irc.

[PATCH] netfilter: ebtables: use ADD_COUNTER macro

2018-03-14 Thread Taehee Yoo
xtables uses ADD_COUNTER macro to increase packet and byte count. ebtables also can use this. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/bridge/netfilter/ebtables.c | 17 ++--- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/net/bridge/netfilter/ebta

[PATCH] netfilter: increase IPSTATS_MIB_CSUMERRORS stat

2018-02-16 Thread Taehee Yoo
In ip_rcv, IPSTATS_MIB_CSUMERRORS is increased when a checksum error occurs. The bridge netfilter routine should increase IPSTATS_MIB_CSUMERRORS. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/bridge/br_netfilter_hooks.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)

[PATCH] netfilter: nf_conntrack_broadcast: remove useless parameter

2018-02-11 Thread Taehee Yoo
The parameter protoff in nf_conntrack_broadcast_help is not used anywhere. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/net/netfilter/nf_conntrack_helper.h | 3 +-- net/netfilter/nf_conntrack_broadcast.c | 1 - net/netfilter/nf_conntrack_netbios_ns.c | 5 +++-- net/net

[PATCH] netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast

2018-02-11 Thread Taehee Yoo
If we use ipv6_addr_is_multicast instead of xt_cluster_ipv6_is_multicast, then we can reduce code size. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/xt_cluster.c | 10 +- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/net/netfilter/xt_cluster.c

[PATCH] netfilter: nfnetlink_acct: remove useless parameter

2018-02-11 Thread Taehee Yoo
The parameter skb in nfnl_acct_overquota is not used anywhere. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/linux/netfilter/nfnetlink_acct.h | 3 +-- net/netfilter/nfnetlink_acct.c | 3 +-- net/netfilter/xt_nfacct.c| 2 +- 3 files changed, 3 insertions

[PATCH] netfilter: remove useless prototype

2018-02-06 Thread Taehee Yoo
The prototype nf_ct_nat_offset is not used anymore. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/net/netfilter/nf_conntrack.h | 5 - 1 file changed, 5 deletions(-) diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index f5223bf..0

Re: [RFC PATCH] netfilter: nf_nat_snmp_basic: snmp_version() can be static

2018-01-07 Thread Taehee Yoo
2017-12-26 12:25 GMT+09:00 kbuild test robot : > > Fixes: 499b2f89cea8 ("netfilter: nf_nat_snmp_basic: use asn1 decoder library") > Signed-off-by: Fengguang Wu > --- > nf_nat_snmp_basic_main.c |4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-)

[PATCH V5 4/5] netfilter: nf_nat_snmp_basic: use nf_ct_helper_log

2018-01-07 Thread Taehee Yoo
Use nf_ct_helper_log to write log message. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V5 : - fix sparse error V4 : - rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c to fix compile error V3 : - be separated by previous patch. V2 : - Add missing nf_nat_snmp_basic.asn

[PATCH V5 5/5] netfilter: nf_nat_snmp_basic: use asn1 decoder library

2018-01-07 Thread Taehee Yoo
mangles only first octet of IPv4 address. But after this patch, the SNMP ALG mangles the whole IPv4 address. And SNMPv3 is not supported. I tested with snmp commands such as snmpd, snmpwalk, snmptrap. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V5 : - fix sparse error V4 : -

[PATCH V5 2/5] netfilter: nf_nat_snmp_basic: remove debug parameter

2018-01-07 Thread Taehee Yoo
To see the debug messages of nf_nat_snmp_basic, we should set the debug value when we insert this module. But it is inconvenient, and using dynamic debugging alone is enough to debug. This patch just removes the debug code. Then in the next patch, debugging code will be added. Signed-off-by: Taehee Yoo

[PATCH V5 3/5] netfilter: nf_nat_snmp_basic: replace ctinfo with dir.

2018-01-07 Thread Taehee Yoo
The snmp_translate() receives ctinfo data to get the dir value only. Because the caller already has the dir value, we just replace ctinfo with dir. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V5 : - fix sparse error V4 : - rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c to fix c

[PATCH V5 1/5] netfilter: nf_nat_snmp_basic: remove useless comment

2018-01-07 Thread Taehee Yoo
Remove comments that do not let us know important information. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V5 : - fix sparse error V4 : - rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c to fix compile error V3 : - be separated by previous patch. V2 : - Add m

[PATCH V5 0/5] netfilter: nf_nat_snmp_basic: use ASN.1 decoder

2018-01-07 Thread Taehee Yoo
/debug/dynamic_debug/control V5 : - fix sparse error V4 : - rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c to fix compile error V3 : - be separated by previous patch. V2 : - Add missing nf_nat_snmp_basic.asn1 file V1 : - Initial patch Taehee Yoo (5): netfilter: nf_nat_snmp_basic:

[PATCH V4 5/5] netfilter: nf_nat_snmp_basic: use asn1 decoder library

2017-12-25 Thread Taehee Yoo
mangles only first octet of IPv4 address. But after this patch, the SNMP ALG mangles the whole IPv4 address. And SNMPv3 is not supported. I tested with snmp commands such as snmpd, snmpwalk, snmptrap. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V4 : - rename nf_nat_snmp_b

[PATCH V4 3/5] netfilter: nf_nat_snmp_basic: replace ctinfo with dir.

2017-12-25 Thread Taehee Yoo
The snmp_translate() receives ctinfo data to get the dir value only. Because the caller already has the dir value, we just replace ctinfo with dir. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V4 : - rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c to fix compile error V3 : - be sep

[PATCH V4 4/5] netfilter: nf_nat_snmp_basic: use nf_ct_helper_log

2017-12-25 Thread Taehee Yoo
Use nf_ct_helper_log to write log message. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V4 : - rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c to fix compile error V3 : - be separated by previous patch. V2 : - Add missing nf_nat_snmp_basic.asn1 file V1 : - Initial

[PATCH V4 1/5] netfilter: nf_nat_snmp_basic: remove useless comment

2017-12-25 Thread Taehee Yoo
Remove comments that do not let us know important information. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V4 : - rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c to fix compile error V3 : - be separated by previous patch. V2 : - Add missing nf_nat_snmp_basic.asn1 fi

[PATCH V4 2/5] netfilter: nf_nat_snmp_basic: remove debug parameter

2017-12-25 Thread Taehee Yoo
To see the debug messages of nf_nat_snmp_basic, we should set the debug value when we insert this module. But it is inconvenient, and using dynamic debugging alone is enough to debug. This patch just removes the debug code. Then in the next patch, debugging code will be added. Signed-off-by: Taehee Yoo

[PATCH V4 0/5] netfilter: nf_nat_snmp_basic: use ASN.1 decoder

2017-12-25 Thread Taehee Yoo
ys/kernel/debug/dynamic_debug/control V4 : - rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c to fix compile error V3 : - be separated by previous patch. V2 : - Add missing nf_nat_snmp_basic.asn1 file V1 : - Initial patch Taehee Yoo (5): netfilter: nf_nat_snmp_basic: remove useless comment

inquiry for behavior of xt_RATEEST.

2017-11-27 Thread Taehee Yoo
Hi, I found a strange result while testing netfilter with the RATEEST target and rateest match. Please look at the test environment and result below. #Network PC1(192.168.4.2) < ---> FW1(192.168.4.1) PC2(192.168.5.2) < ---> FW2(192.168.5.1) FW1 kernel version : before

[PATCH V3 3/5] netfilter: nf_nat_snmp_basic: replace ctinfo with dir.

2017-11-19 Thread Taehee Yoo
The snmp_translate() receives ctinfo data to get the dir value only. Because the caller already has the dir value, we just replace ctinfo with dir. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V3 : - be separated by previous patch. V2 : - Add missing nf_nat_snmp_basic.asn1 file V1 : - I

[PATCH V3 5/5] netfilter: nf_nat_snmp_basic: use asn1 decoder library

2017-11-19 Thread Taehee Yoo
mangles only first octet of IPv4 address. But after this patch, the SNMP ALG mangles the whole IPv4 address. And SNMPv3 is not supported. I tested with snmp commands such as snmpd, snmpwalk, snmptrap. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V3 : - be separated by previous patch. V2 :

[PATCH V3 1/5] netfilter: nf_nat_snmp_basic: remove useless comment

2017-11-19 Thread Taehee Yoo
Remove comments that do not let us know important information. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V3 : - be separated by previous patch. V2 : - Add missing nf_nat_snmp_basic.asn1 file V1 : - Initial patch net/ipv4/netfilter/nf_nat_snmp_basic.

[PATCH V3 4/5] netfilter: nf_nat_snmp_basic: use nf_ct_helper_log

2017-11-19 Thread Taehee Yoo
Use nf_ct_helper_log to write log message. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V3 : - be separated by previous patch. V2 : - Add missing nf_nat_snmp_basic.asn1 file V1 : - Initial patch net/ipv4/netfilter/nf_nat_snmp_basic.c | 11 ++- 1 file changed, 6 inse

[PATCH V3 0/5] netfilter: nf_nat_snmp_basic: use ASN.1 decoder

2017-11-19 Thread Taehee Yoo
c +p' > /sys/kernel/debug/dynamic_debug/control V3 : - be separated by previous patch. V2 : - Add missing nf_nat_snmp_basic.asn1 file V1 : - Initial patch Taehee Yoo (5): netfilter: nf_nat_snmp_basic: remove useless comment netfilter: nf_nat_snmp_basic: remove debug parameter netfilter: n

[PATCH V3 2/5] netfilter: nf_nat_snmp_basic: remove debug parameter

2017-11-19 Thread Taehee Yoo
To see the debug messages of nf_nat_snmp_basic, we should set the debug value when we insert this module. But it is inconvenient, and using dynamic debugging alone is enough to debug. This patch just removes the debug code. Then in the next patch, debugging code will be added. Signed-off-by: Taehee Yoo

Re: [PATCH v2] netfilter: nf_nat_snmp_basic: use asn1 decoder library

2017-11-17 Thread Taehee Yoo
Hi Pablo I apologize for late reply. 2017-11-13 22:50 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>: > Hi Taehee, > > On Tue, Nov 07, 2017 at 11:58:36PM +0900, Taehee Yoo wrote: >> The basic SNMP ALG parse snmp ASN.1 payload >> however, since 2012 linux kernel pr

[PATCH v2] netfilter: nf_nat_snmp_basic: use asn1 decoder library

2017-11-07 Thread Taehee Yoo
mangles only first octet of IPv4 address. But after this patch, the SNMP ALG mangles the whole IPv4 address. And SNMPv3 is not supported. I tested with snmp commands such as snmpd, snmpwalk, snmptrap. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- v2: - Add missing nf_nat_snmp_basic.asn1 fi

Re: [PATCH] netfilter: nf_nat_snmp_basic: use asn1 decoder library

2017-11-07 Thread Taehee Yoo
2017-11-06 23:44 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Sun, Oct 29, 2017 at 09:34:53PM +0900, Taehee Yoo wrote: >> The basic SNMP ALG parse snmp ASN.1 payload >> however, since 2012 linux kernel provide ASN.1 decoder library. >> If we use ASN.1 decoder

[PATCH] netfilter: nf_nat_snmp_basic: use asn1 decoder library

2017-10-29 Thread Taehee Yoo
mangles only first octet of IPv4 address. But after this patch, the SNMP ALG mangles the whole IPv4 address. And SNMPv3 is not supported. I tested with snmp commands such as snmpd, snmpwalk, snmptrap. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/ipv4/netfilter/Kconfig |1

[PATCH V2] netfilter: xt_TEE: Fix potential deadlock when TEE target is inserted

2017-09-03 Thread Taehee Yoo
_mutex); [ 115.427760]lock(sk_lock-AF_INET); [ 115.434723] lock(rtnl_mutex); [ 115.438267] [ 115.438267] *** DEADLOCK *** [ ... ] Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V2: - Do not modify the xt_TEE.h V1: - Initial version net/netfil

Re: [PATCH] netfilter: xt_TEE: Fix potential deadlock when TEE target is inserted

2017-09-03 Thread Taehee Yoo
2017-09-04 0:32 GMT+09:00 Jan Engelhardt <jeng...@inai.de>: > > On Sunday 2017-09-03 16:30, Taehee Yoo wrote: > >>When xt_TEE target is inserted, lockdep warns about possible >>DEADLOCK situation. to avoid deadlock situation >>the register_netdevice_notifier() shou

[PATCH] netfilter: xt_TEE: Fix potential deadlock when TEE target is inserted

2017-09-03 Thread Taehee Yoo
_mutex); [ 115.427760]lock(sk_lock-AF_INET); [ 115.434723] lock(rtnl_mutex); [ 115.438267] [ 115.438267] *** DEADLOCK *** [ ... ] Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/uapi/linux/netfilter/xt_TEE.h | 3 +- net/netfil

[PATCH] netfilter: ipt_CLUSTERIP: Fix potential deadlock when CLUSTERIP target is inserted

2017-09-03 Thread Taehee Yoo
lock(rtnl_mutex); [ 148.996708]lock(sk_lock-AF_INET); [ 149.003559] lock(rtnl_mutex); [ 149.007103] *** DEADLOCK *** [ ... ] Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 70 +- 1

[PATCH] netfilter: xt_NFLOG: use nf_log_packet instead of nfulnl_log_packet.

2017-08-09 Thread Taehee Yoo
The nfulnl_log_packet() is added to make sure that the NFLOG target works only as a user-space logger. But now, nf_log_packet() can find the proper log function using NF_LOG_TYPE_ULOG and NF_LOG_TYPE_LOG. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/net/netfilter/nfnetlink_log.

[PATCH] netfilter: connlimit: merge root4 and root6.

2017-08-02 Thread Taehee Yoo
-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/xt_connlimit.c | 23 --- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 97589b8..ffa8eec 100644 --- a/net/netfilter/xt_connlimit.c +++

[PATCH] netfilter: xtables: Remove unused variable in compat_copy_entry_from_user()

2017-07-29 Thread Taehee Yoo
The target variable is not used in the compat_copy_entry_from_user(). So it can be removed. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/ipv4/netfilter/arp_tables.c | 2 -- net/ipv4/netfilter/ip_tables.c | 2 -- 2 files changed, 4 deletions(-) diff --git a/net/ipv4/net

[PATCH V3] netfilter: x_tables: Fix use-after-free in ipt_do_table.

2017-07-26 Thread Taehee Yoo
+0x60/0x60 [ ... ] After this patch, only when verdict is XT_CONTINUE, ipt_do_table() tries to get the IP header. Also arpt_do_table() is modified because it has the same bug. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V3: - Modified arpt_do_table() is added. V2: - Change commit log messag

Re: [PATCH V2] netfilter: x_tables: Fix use-after-free in ipt_do_table.

2017-07-26 Thread Taehee Yoo
2017-07-26 20:06 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Wed, Jul 26, 2017 at 11:27:16AM +0200, Florian Westphal wrote: >> Taehee Yoo <ap420...@gmail.com> wrote: >> > If verdict is NF_STOLEN in the SYNPROXY target, >> > the skb is consumed. >

Re: [PATCH V2] netfilter: Remove duplicated rcu_read_lock.

2017-06-20 Thread Taehee Yoo
2017-06-20 3:04 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Tue, Jun 06, 2017 at 12:21:25AM +0900, Taehee Yoo wrote: >> diff --git a/net/netfilter/nfnetlink_queue.c >> b/net/netfilter/nfnetlink_queue.c >> index 8a0f218..bb27e99 100644 >> --- a/net/net

[PATCH V2] netfilter: Remove duplicated rcu_read_lock.

2017-06-05 Thread Taehee Yoo
. xt_osf_match_packet -xt_match.match --nf_hook() Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- V2: - Remove comments. - The rcu_read_lock under below functions are removed. - {tcp, udp, sctp}_app_conn_bind, - ip_vs_bypass_xmit, - ip_vs_bypass_xmit_v6, - ip_vs_na

Re: [PATCH] netfilter: Remove duplicated rcu_read_lock.

2017-05-29 Thread Taehee Yoo
2017-05-24 21:25 GMT+09:00 Julian Anastasov : > > Hello, > > The IPVS part from patch looks good but can be extended > to also remove rcu_read_lock and rcu_read_unlock from: > > 1. all app_conn_bind methods because ip_vs_bind_app() is called > always under RCU lock

[PATCH] netfilter: Remove duplicated rcu_read_lock.

2017-05-13 Thread Taehee Yoo
() 17. check_hlist -count_tree --count_them ---connlimit_mt ---xt_match.match nf_hook() 18. hashlimit_mt_common -hashlimit_mt_v1 --xt_match.match ---nf_hook() -hashlimit_mt --xt_match.match ---nf_hook() 19. xt_osf_match_packet -xt_match.match --nf_hook() Signed-off-by: Taehee Yoo <ap

Re: [PATCH] netfilter: nat: remove rcu_read_lock in __nf_nat_decode_session.

2017-04-10 Thread Taehee Yoo
Thank you for your review! 2017-04-07 4:51 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Tue, Mar 28, 2017 at 12:28:50AM +0900, Taehee Yoo wrote: >> __nf_nat_decode_session is called from nf_nat_decode_session as decodefn. >> before calling decodefn, it already

[PATCH] netfilter: nat: remove rcu_read_lock in __nf_nat_decode_session.

2017-03-27 Thread Taehee Yoo
__nf_nat_decode_session is called from nf_nat_decode_session as decodefn. Before calling decodefn, it already sets rcu_read_lock. So rcu_read_lock in __nf_nat_decode_session can be removed. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nf_nat_core.c | 7 ++- 1 file c

Re: [PATCH 1/2] netfilter: helper: Fix incorrect helper name.

2016-05-29 Thread Taehee Yoo
org/patch/565170, > http://patchwork.ozlabs.org/patch/565171 > > But they are not accepted until now. > Is there any problem now? > > Best Regards > Feng > > On Sun, May 22, 2016 at 11:03 PM, Taehee Yoo <ap420...@gmail.com> wrote: >> >> 2016-05-17 19:38 G

Re: [PATCH 1/2] netfilter: helper: Fix incorrect helper name.

2016-05-22 Thread Taehee Yoo
2016-05-17 19:38 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Sat, May 14, 2016 at 10:19:16PM +0900, Taehee Yoo wrote: >> when register to helper, each helper adds port to name. >> correct form is 'protocol name-port' but irc, sip and tftp adds >>

[PATCH 2/2] netfilter: helper: Fix helper unregister count.

2016-05-14 Thread Taehee Yoo
Helpers should unregister only the registered ports. But a helper cannot have the correct registered ports value when it fails to register. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nf_conntrack_ftp.c | 1 + net/netfilter/nf_conntrack_irc.c | 1 + net/net

[PATCH 1/2] netfilter: helper: Fix incorrect helper name.

2016-05-14 Thread Taehee Yoo
When registering a helper, each helper adds the port to the name. The correct form is 'protocol name-port', but irc, sip and tftp add an iterator value. So fix it. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nf_conntrack_irc.c | 2 +- net/netfilter/nf_conntrack_sip.c | 2 +
