From: Gao Feng
Because the type of expecting, the member of nf_conn_help, is u8, it
would overflow after reaching U8_MAX (255). So it doesn't work when we
configure max_expected to exceed 255 with the expect policy.
Now add the check for max_expected. Return the -EINVAL when it
From: Gao Feng
Because the type of expecting, the member of nf_conn_help, is u8, it
would overflow after reaching U8_MAX (255). So it doesn't work when we
configure max_expected to exceed 255 with the expect policy.
Now add the check for max_expected. Return the -EINVAL when it
From: Gao Feng
The return value type of the functions nf_nat_mangle_tcp/udp_packet is
int, but actually it is used as a bool. Most code follows this rule,
for example sip, h323, and ftp. But some code treats the return value
as NF_ACCEPT and NF_DROP, like amanda and irc.
From: Gao Feng
In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
snmp_helper is never registered. But it still tries to unregister the
snmp_helper, which could cause a panic.
Now remove the
From: Gao Feng
When invoking __nf_conntrack_helper_find, the rcu lock is needed to
protect the helper module so that it is not unloaded.
Now there are two callers, nf_conntrack_helper_try_module_get and
ctnetlink_create_expect, which don't hold the rcu lock. And the other
callers left
From: Gao Feng
The expect check func "__nf_ct_expect_check" requires that master_help is
present. So it is unnecessary to go ahead in ctnetlink_alloc_expect
when there is no help.
Actually the commit bc01befdcf3e ("netfilter: ctnetlink: add support
for user-space expectation
From: Gao Feng
Make sure every proto nat module owns at least one struct nat_helper,
and only uses its own nat_helper.
1. Every proto nat module registers at least one nat_helper;
2. Replace the expectfn with nat_helper in nf_conntrack_expect;
It is helpful to maintain the
From: Gao Feng
Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename
other functions or variables which refer to it.
The new name is better than the old one.
Signed-off-by: Gao Feng
---
v5: Register one nat_helper for every nat module, per Pablo
From: Gao Feng
Because the conntrack NAT module could be removed with rmmod at any time,
we should really leave things in a clean state if that happens and make
sure we don't leave any packet running over code that will be gone after
the removal.
We only removed the expectations when
From: Gao Feng
These patches are used to refine the code of helper expectfn and
enhance its robustness, including fixing a possible panic bug.
Gao Feng (3):
netfilter: helper: Rename struct nf_ct_helper_expectfn to
nf_ct_nat_helper
netfilter: nat_helper: Make sure every
From: Gao Feng
Because the conntrack NAT module could be removed with rmmod at any time,
we should really leave things in a clean state if that happens and make
sure we don't leave any packet running over code that will be gone after
the removal.
We only removed the expectations when
From: Gao Feng
Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename
other functions or variables which refer to it.
The new name is better than the old one.
Signed-off-by: Gao Feng
---
v3: Rename the nf_ct_helper_expectfn, func, and member, per
From: Gao Feng
There is no rcu_read_lock while ctlink gets the helper and inserts the
expectation. So there is a possible use-after-free issue when unloading
the helper module.
For example:
CPU1                            CPU2
ctlink gets the helper
From: Gao Feng
Because these two functions return the nf_ct_helper_expectfn pointer,
which should be protected by the rcu lock, the caller should hold the
rcu lock, rather than taking it inside these functions.
Signed-off-by: Gao Feng
---
v2: Shorter
From: Gao Feng
When invoking __nf_conntrack_helper_find, the rcu lock is needed to
protect the helper module so that it is not unloaded.
Now there are two callers, nf_conntrack_helper_try_module_get and
ctnetlink_create_expect, which don't hold the rcu lock. And the other
callers left
From: Gao Feng
There are two nf_conntrack_l4proto_udp4 declarations in the header file
nf_conntrack_ipv4.h. Now remove the one which is not enclosed by the macro
CONFIG_NF_CT_PROTO_UDPLITE.
Signed-off-by: Gao Feng
---
include/net/netfilter/ipv4/nf_conntrack_ipv4.h
From: Gao Feng
None of the l4_proto->new callbacks use the param timeouts currently,
so remove it from the param list. Then the variable timeouts isn't used
as an rvalue in init_conntrack, so remove it too.
Signed-off-by: Gao Feng
---
From: Gao Feng
The current SYNPROXY code returns NF_DROP during normal TCP handshaking,
which is not friendly to the caller, because nf_hook_slow would treat
the NF_DROP as an error and return -EPERM.
As a result, it may cause the top caller to think it has met an error.
So use NF_STOLEN
From: Gao Feng
The __nf_nat_alloc_null_binding invokes nf_nat_setup_info, which may
return NF_DROP when memory is exhausted, so convert NF_DROP to -ENOMEM
to make ctnetlink happy. Otherwise ctnetlink_setup_nat treats it as a
success when an NF_DROP error actually happens.
From: Gao Feng
1. Return an error when trying to delete all timeouts and meeting an error;
2. Delete the condition block when failing to delete the specified timeout.
It is clearer that it would stop the loop when finding one matched timeout.
Signed-off-by: Gao Feng
---
From: Gao Feng
The current code wrongly invokes nf_ct_netns_get in the destroy routine;
it should use nf_ct_netns_put, not nf_ct_netns_get.
It could cause some modules to be unable to unload.
Signed-off-by: Gao Feng
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
1
From: Gao Feng
When nf_ct_timeout_ext_add failed in xt_ct_set_timeout, it should
free the timeout refcnt.
Now goto the err_put_timeout error handler instead of going ahead.
Signed-off-by: Gao Feng
---
net/netfilter/xt_CT.c | 2 +-
1 file changed, 1
From: Gao Feng
The function ctnl_untimeout is used to untimeout every conntrack
which is using the timeout. But it is necessary to add one barrier,
synchronize_rcu, because of a race. Maybe one conntrack has already
owned this timeout, but it is not inserted into the unconfirmed list
From: Gao Feng
Return -EOPNOTSUPP instead of success when the l4proto doesn't support
setting the timeout attribute.
It is better to return an error when failing to set the timeout.
Signed-off-by: Gao Feng
---
net/netfilter/nfnetlink_cttimeout.c | 2 +-
1 file changed, 1
From: Gao Feng
When nf_ct_timeout_ext_add failed in xt_ct_set_timeout, it should
free the timeout refcnt.
Now goto the err_put_timeout error handler instead of going ahead.
Signed-off-by: Gao Feng
---
v2: Keep the ret = -ENOMEM, per Gao Feng
v1: initial
From: Gao Feng
The current call path of nf_ct_tcp_seqadj_set is the following.
nfqnl_recv_verdict->ctnetlink_glue_hook->ctnetlink_glue_seqadj
->nf_ct_tcp_seqadj_set.
It cannot make sure the TCP header is in the linear data part.
So use skb_header_pointer instead of the
From: Gao Feng
The current SYNPROXY code returns NF_DROP during normal TCP handshaking,
which is not friendly to the caller, because nf_hook_slow would treat
the NF_DROP as an error and return -EPERM.
As a result, it may cause the top caller to think it has met an error.
So use NF_STOLEN
From: Gao Feng
The function ctnl_untimeout is used to untimeout every conntrack
which is using the timeout. But it is necessary to add one barrier,
synchronize_rcu, because of a race. Maybe one conntrack has already
owned this timeout, but it is not inserted into the unconfirmed list
From: Gao Feng
There are two cases which cause a refcnt leak.
1. When nf_ct_timeout_ext_add failed in xt_ct_set_timeout, it should
free the timeout refcnt.
Now goto the err_put_timeout error handler instead of going ahead.
2. When the time policy is not found, we should call
From: Gao Feng
The current SYNPROXY code returns NF_DROP during normal TCP handshaking,
which is not friendly to the caller, because nf_hook_slow would treat
the NF_DROP as an error and return -EPERM.
As a result, it may cause the top caller to think it has met an error.
For example, the
From: Gao Feng
The window scale may be enlarged from 14 to 15 according to the IETF
draft https://tools.ietf.org/html/draft-nishida-tcpm-maxwin-03.
Use the macro TCP_MAX_WSCALE to support it easily along with the TCP
stack in the future.
Signed-off-by: Gao Feng
---
From: Gao Feng
The info->target is from userspace and it would be used directly.
So we need to add a sanity check to make sure it is a valid standard
target, although the ebtables tool has already checked it. The kernel
needs to check anything from userspace.
If the target
From: Gao Feng
The info->target is from userspace and it would be used directly.
So we need to add a sanity check to make sure it is a valid standard
target, although the ebtables tool has already checked it. The kernel
needs to check anything from userspace.
If the target
From: Gao Feng
Use the new helper function ebt_invalid_target instead of the old
macro INVALID_TARGET to enhance the readability.
Signed-off-by: Gao Feng
---
include/linux/netfilter_bridge/ebtables.h | 2 --
net/bridge/netfilter/ebt_dnat.c
From: Gao Feng
Use the new helper function ebt_invalid_target instead of the old
macro INVALID_TARGET and other duplicated code to enhance the readability.
Signed-off-by: Gao Feng
---
v2: Replace the target check of ebt_mark/snat, per Pablo
From: Gao Feng
There are multiple proto nat modules which depend on the follow_master_nat
in nf_nat_core. When this module is gone, all modules which refer to
it cannot work well.
Now register one struct nf_ct_nat_helper in every proto nat module; it makes
sure
From: Gao Feng
Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename
other functions or variables which refer to it.
The new name is better than the old one.
Signed-off-by: Gao Feng
---
v6: Rename the helper name of ftp, tftp.. to
From: Gao Feng
Because the conntrack NAT module could be removed with rmmod at any time,
we should really leave things in a clean state if that happens and make
sure we don't leave any packet running over code that will be gone after
the removal.
We only removed the expectations
From: Gao Feng
The param ipvsh of frag_safe_skb_hp isn't used now. So remove it and
update the callers' code too.
Signed-off-by: Gao Feng
---
Simon advised me to send the patch to the netfilter group
include/net/ip_vs.h | 3 +--
From: Gao Feng
The helper module would be unloaded after nf_conntrack_helper_unregister,
so it may cause a possible panic caused by a race.
nf_ct_iterate_destroy(unhelp, me) resets the helper of the conntrack to NULL,
but maybe someone has gotten the helper pointer during this period. Then
it would
From: Gao Feng
The helper and timeout strings are from user-space, so we need to make
sure they are null terminated. If not, an evil user could make the kernel
read unexpected memory, and even print it when the lookup fails, via the
following code.
pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
From: Gao Feng
The __IPS_MAX_BIT is used in __ctnetlink_change_status as the max bit
value. When adding the new bit IPS_OFFLOAD_BIT, whose value is 14, we should
increase __IPS_MAX_BIT too, from 14 to 15.
There is no bug in the current code, although it loses one loop iteration in
__ctnetlink_change_status.
From: Gao Feng
The helper and timeout strings are from user-space, so we need to make
sure they are null terminated. If not, an evil user could make the kernel
read unexpected memory, and even print it when the lookup fails, via the
following code.
pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
43 matches