[PATCH nf 1/1] netfilter: expect: Make sure the max_expected limit is effective

2017-03-23 Thread gfree . wind
From: Gao Feng Because the type of expecting, the member of nf_conn_help, is u8, it would overflow after reaching U8_MAX(255). So it doesn't work when we configure a max_expected exceeding 255 with the expect policy. Now add the check for max_expected. Return -EINVAL when it

[PATCH nf v2 1/1] netfilter: expect: Make sure the max_expected limit is effective

2017-03-24 Thread gfree . wind
From: Gao Feng Because the type of expecting, the member of nf_conn_help, is u8, it would overflow after reaching U8_MAX(255). So it doesn't work when we configure a max_expected exceeding 255 with the expect policy. Now add the check for max_expected. Return -EINVAL when it

[PATCH nf-next v2 1/1] netfilter: nat: Correct the return value check for nat mangled packet

2017-03-27 Thread gfree . wind
From: Gao Feng The return value type of the function nf_nat_mangle_tcp/udp_packet is int, but actually it is used as a bool type. Most code follows this rule, for example sip, h323, and ftp. But some code treats the return value as NF_ACCEPT and NF_DROP, like amanda and irc.

[PATCH nf v5 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register

2017-03-25 Thread gfree . wind
From: Gao Feng In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the snmp_helper is never registered. But it still tries to unregister the snmp_helper, which could cause a panic. Now remove the

[PATCH nf v3 1/1] netfilter: helper: Add the rcu lock when call __nf_conntrack_helper_find

2017-03-29 Thread gfree . wind
From: Gao Feng When invoking __nf_conntrack_helper_find, the rcu lock is needed to protect the helper module so that it is not unloaded. Now there are two callers, nf_conntrack_helper_try_module_get and ctnetlink_create_expect, which don't hold the rcu lock. And the other callers left

[PATCH nf-next 1/1] netfilter: ctlink: Return error directly when create expect without help

2017-03-27 Thread gfree . wind
From: Gao Feng The expect check func "__nf_ct_expect_check" requires that the master_help is present. So it is unnecessary to go ahead in ctnetlink_alloc_expect when there is no help. Actually the commit bc01befdcf3e ("netfilter: ctnetlink: add support for user-space expectation

[PATCH nf v5 2/3] netfilter: nat_helper: Make sure every proto nat module uses its nat_helper

2017-03-31 Thread gfree . wind
From: Gao Feng Make sure every proto nat module owns at least one struct nat_helper, and only uses its own nat_helper. 1. Every proto nat module registers at least one nat_helper; 2. Replace the expectfn with nat_helper in the nf_conntrack_expect; It is helpful to maintain the

[PATCH nf v5 1/3] netfilter: helper: Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper

2017-03-31 Thread gfree . wind
From: Gao Feng Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename other functions or variables which refer to it. The new name is better than the old one. Signed-off-by: Gao Feng --- v5: Register one nat_helper for every nat module, per Pablo

[PATCH nf v5 3/3] netfilter: nat_helper: Remove the expectations when its module is unloaded

2017-03-31 Thread gfree . wind
From: Gao Feng Because the conntrack NAT module could be rmmod'ed at any time, we should really leave things in a clean state if such a thing happens and make sure we don't leave any packet running over code that will be gone after the removal. We only removed the expectations when

[PATCH nf v5 0/3] Refine the robust of helper expectfn

2017-03-31 Thread gfree . wind
From: Gao Feng These patches are used to refine the code of the helper expectfn and enhance its robustness, including fixing a possible panic bug. Gao Feng (3): netfilter: helper: Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper netfilter: nat_helper: Make sure every

[PATCH nf v4 2/2] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded

2017-03-21 Thread gfree . wind
From: Gao Feng Because the conntrack NAT module could be rmmod'ed at any time, we should really leave things in a clean state if such a thing happens and make sure we don't leave any packet running over code that will be gone after the removal. We only removed the expectations when

[PATCH nf v4 1/2] netfilter: helper: Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper

2017-03-21 Thread gfree . wind
From: Gao Feng Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename other functions or variables which refer to it. The new name is better than the old one. Signed-off-by: Gao Feng --- v3: Rename the nf_ct_helper_expectfn, func, and member, per

[PATCH RESENT nf 1/1] netfilter: ctlink: Fix one possible use-after-free in ctnetlink_create_expect

2017-03-21 Thread gfree . wind
From: Gao Feng There is no rcu_read_lock while ctlink gets the helper and inserts the expectation. So there is one possible use-after-free issue when unloading the helper module. For example: CPU1 CPU2 ctlink gets the helper

[PATCH nf-next v2 1/1] netfilter: helper: Remove useless rcu lock when get expectfn

2017-03-21 Thread gfree . wind
From: Gao Feng These two functions return the nf_ct_helper_expectfn pointer, which should be protected by the rcu lock. So it should be made sure that the caller holds the rcu lock, rather than taking it inside these functions. Signed-off-by: Gao Feng --- v2: Shorter

[PATCH nf v2 1/1] netfilter: helper: Add the rcu lock when call __nf_conntrack_helper_find

2017-03-21 Thread gfree . wind
From: Gao Feng When invoking __nf_conntrack_helper_find, the rcu lock is needed to protect the helper module so that it is not unloaded. Now there are two callers, nf_conntrack_helper_try_module_get and ctnetlink_create_expect, which don't hold the rcu lock. And the other callers left

[PATCH nf-next 1/1] netfilter: udplite4: Remove duplicated udplite4 declaration

2017-04-04 Thread gfree . wind
From: Gao Feng There are two nf_conntrack_l4proto_udp4 declarations in the header file nf_conntrack_ipv4.h. Now remove the one which is not embraced by the macro CONFIG_NF_CT_PROTO_UDPLITE. Signed-off-by: Gao Feng --- include/net/netfilter/ipv4/nf_conntrack_ipv4.h

[PATCH nf-next 1/1] netfilter: Remove useless variable timeouts in init_conntrack

2017-04-04 Thread gfree . wind
From: Gao Feng None of the l4_proto->new callbacks use the param timeouts currently, so remove it from the param list. Then the variable timeouts isn't used as an rvalue in init_conntrack, so remove it too. Signed-off-by: Gao Feng ---

[PATCH nf-next v2 1/1] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-04-11 Thread gfree . wind
From: Gao Feng The current SYNPROXY code returns NF_DROP during normal TCP handshaking, which is not friendly to the caller, because nf_hook_slow treats NF_DROP as an error and returns -EPERM. As a result, it may make the top caller think it has met an error. So use NF_STOLEN

[PATCH nf 1/1] netfilter: nf_nat: Fix return NF_DROP in nfnetlink_parse_nat_setup

2017-04-12 Thread gfree . wind
From: Gao Feng The __nf_nat_alloc_null_binding invokes nf_nat_setup_info, which may return NF_DROP when memory is exhausted, so convert NF_DROP to -ENOMEM to make ctnetlink happy. Otherwise ctnetlink_setup_nat treats it as a success when an NF_DROP error actually happens.

[PATCH nf-next 1/1] netfilter: cttimeout: Refine cttimeout_del_timeout

2017-04-07 Thread gfree . wind
From: Gao Feng 1. Return an error when trying to delete all timeouts and meeting an error; 2. Delete the condition block when failing to delete the specified timeout. It is clearer that it would stop the loop when finding one matched timeout. Signed-off-by: Gao Feng ---

[PATCH nf 1/1] netfilter: CLUSTERIP: Fix one wrong refcnt usage

2017-04-05 Thread gfree . wind
From: Gao Feng The current code wrongly invokes nf_ct_netns_get in the destroy routine; it should use nf_ct_netns_put, not nf_ct_netns_get. It could cause some modules to become unable to be unloaded. Signed-off-by: Gao Feng --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +- 1

[PATCH nf 1/1] netfilter: xt_CT: Fix one possible memleak of timeout

2017-04-06 Thread gfree . wind
From: Gao Feng When nf_ct_timeout_ext_add fails in xt_ct_set_timeout, it should free the timeout refcnt. Now goto the err_put_timeout error handler instead of going ahead. Signed-off-by: Gao Feng --- net/netfilter/xt_CT.c | 2 +- 1 file changed, 1

[PATCH nf 1/1] netfilter: cttimeout: Fix one possible use-after-free issue

2017-04-06 Thread gfree . wind
From: Gao Feng The function ctnl_untimeout is used to untimeout every conntrack which is using the timeout. But it is necessary to add a synchronize_rcu barrier because of a race. Maybe one conntrack already owns this timeout, but it is not inserted into the unconfirmed list

[PATCH nf-next 1/1] netfilter: cttimeout: Return -EOPNOTSUPP if l4proto doesn't support

2017-04-06 Thread gfree . wind
From: Gao Feng Return -EOPNOTSUPP instead of success when the l4proto doesn't support setting the timeout attribute. It is better to return an error when failing to set the timeout. Signed-off-by: Gao Feng --- net/netfilter/nfnetlink_cttimeout.c | 2 +- 1 file changed, 1

[PATCH nf v2 1/1] netfilter: xt_CT: Fix one possible memleak of timeout

2017-04-06 Thread gfree . wind
From: Gao Feng When nf_ct_timeout_ext_add fails in xt_ct_set_timeout, it should free the timeout refcnt. Now goto the err_put_timeout error handler instead of going ahead. Signed-off-by: Gao Feng --- v2: Keep the ret = -ENOMEM, per Gao Feng v1: initial

[PATCH nf 1/1] netfilter: seqadj: Fix possible non-linear data access for TCP header

2017-04-10 Thread gfree . wind
From: Gao Feng The current call path of nf_ct_tcp_seqadj_set is the following: nfqnl_recv_verdict -> ctnetlink_glue_hook -> ctnetlink_glue_seqadj -> nf_ct_tcp_seqadj_set. It can't make sure the TCP header is in the linear data part. So use skb_header_pointer instead of the

[PATCH nf-next 1/1] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-04-10 Thread gfree . wind
From: Gao Feng The current SYNPROXY code returns NF_DROP during normal TCP handshaking, which is not friendly to the caller, because nf_hook_slow treats NF_DROP as an error and returns -EPERM. As a result, it may make the top caller think it has met an error. So use NF_STOLEN

[PATCH nf v2] netfilter: cttimeout: Fix one possible use-after-free issue

2017-04-13 Thread gfree . wind
From: Gao Feng The function ctnl_untimeout is used to untimeout every conntrack which is using the timeout. But it is necessary to add a synchronize_rcu barrier because of a race. Maybe one conntrack already owns this timeout, but it is not inserted into the unconfirmed list

[PATCH nf v3] netfilter: xt_CT: fix refcnt leak on error path

2017-04-13 Thread gfree . wind
From: Gao Feng There are two cases which cause a refcnt leak. 1. When nf_ct_timeout_ext_add fails in xt_ct_set_timeout, it should free the timeout refcnt. Now goto the err_put_timeout error handler instead of going ahead. 2. When the time policy is not found, we should call

[PATCH nf-next v3] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-04-20 Thread gfree . wind
From: Gao Feng The current SYNPROXY code returns NF_DROP during normal TCP handshaking, which is not friendly to the caller, because nf_hook_slow treats NF_DROP as an error and returns -EPERM. As a result, it may make the top caller think it has met an error. For example, the

[PATCH nf-next] netfilter: tcp: Use TCP_MAX_WSCALE instead of literal 14

2017-04-18 Thread gfree . wind
From: Gao Feng The window scale may be enlarged from 14 to 15 according to the ietf draft https://tools.ietf.org/html/draft-nishida-tcpm-maxwin-03. Use the macro TCP_MAX_WSCALE to support it easily with the TCP stack in the future. Signed-off-by: Gao Feng ---

[PATCH nf] ebtables: arpreply: Add the standard target sanity check

2017-05-12 Thread gfree . wind
From: Gao Feng The info->target is from userspace and it would be used directly. So we need to add the sanity check to make sure it is a valid standard target, although the ebtables tool has already checked it. The kernel needs to check anything from userspace. If the target

[PATCH nf v2] ebtables: arpreply: Add the standard target sanity check

2017-05-15 Thread gfree . wind
From: Gao Feng The info->target is from userspace and it would be used directly. So we need to add the sanity check to make sure it is a valid standard target, although the ebtables tool has already checked it. The kernel needs to check anything from userspace. If the target

[PATCH nf-next] netfilter: ebt: Use ebt_invalid_target instead of INVALID_TARGET

2017-05-30 Thread gfree . wind
From: Gao Feng Use the new helper function ebt_invalid_target instead of the old macro INVALID_TARGET to enhance the readability. Signed-off-by: Gao Feng --- include/linux/netfilter_bridge/ebtables.h | 2 -- net/bridge/netfilter/ebt_dnat.c

[PATCH v2 nf-next] netfilter: ebt: Use new helper ebt_invalid_target to check target

2017-05-31 Thread gfree . wind
From: Gao Feng Use the new helper function ebt_invalid_target instead of the old macro INVALID_TARGET and other duplicated code to enhance the readability. Signed-off-by: Gao Feng --- v2: Replace the target check of ebt_mark/snat, per Pablo

[PATCH nf v6 2/3] netfilter: nat_helper: Register one nf_ct_nat_helper each proto nat module

2017-05-04 Thread gfree . wind
From: Gao Feng There are multiple proto nat modules which depend on the follow_master_nat in the nf_nat_core. When this module is gone, all modules which refer to it cannot work well. Now register one struct nf_ct_nat_helper in every proto nat module, which makes sure

[PATCH nf v6 1/3] netfilter: helper: Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper

2017-05-04 Thread gfree . wind
From: Gao Feng Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename other functions or variables which refer to it. The new name is better than the old one. Signed-off-by: Gao Feng --- v6: Rename the helper name of ftp, tftp.. to

[PATCH nf v6 3/3] netfilter: nat_helper: Remove the expectations when its module is unloaded

2017-05-04 Thread gfree . wind
From: Gao Feng Because the conntrack NAT module could be rmmod'ed at any time, we should really leave things in a clean state if such a thing happens and make sure we don't leave any packet running over code that will be gone after the removal. We only removed the expectations

[PATCH nf-next] netfilter: ipvs: Remove useless ipvsh param of frag_safe_skb_hp

2017-11-13 Thread gfree . wind
From: Gao Feng The param of frag_safe_skb_hp, ipvsh, isn't used now. So remove it and update the callers' code too. Signed-off-by: Gao Feng --- Simon advised me to send the patch to the netfilter group include/net/ip_vs.h | 3 +--

[PATCH nf] netfilter: helper: Fix possible panic after nf_conntrack_helper_unregister

2018-06-12 Thread gfree . wind
From: Gao Feng The helper module would be unloaded after nf_conntrack_helper_unregister, so it may cause a possible panic due to a race. nf_ct_iterate_destroy(unhelp, me) resets the helper of the conntrack to NULL, but maybe someone has gotten the helper pointer during this period. Then it would

[PATCH nf v2] netfilter: xt_CT: Reject the non-null terminated string from user space

2018-05-29 Thread gfree . wind
From: Gao Feng The helper and timeout strings are from user-space; we need to make sure they are null terminated. If not, an evil user could make the kernel read unexpected memory, and even print it when it fails to find the helper, by the following code: pr_info_ratelimited("No such helper \"%s\"\n", helper_name);

[PATCH nf-next] netfilter: nf_conntrack: Increase __IPS_MAX_BIT with new bit IPS_OFFLOAD_BIT

2018-06-07 Thread gfree . wind
From: Gao Feng The __IPS_MAX_BIT is used in __ctnetlink_change_status as the max bit value. When adding the new bit IPS_OFFLOAD_BIT, whose value is 14, we should increase __IPS_MAX_BIT too, from 14 to 15. There is no bug in the current code, although it loses one loop iteration in __ctnetlink_change_status.

[PATCH nf] netfilter: xt_CT: Force user-space strings as null terminated

2018-05-28 Thread gfree . wind
From: Gao Feng The helper and timeout strings are from user-space; we need to make sure they are null terminated. If not, an evil user could make the kernel read unexpected memory, and even print it when it fails to find the helper, by the following code: pr_info_ratelimited("No such helper \"%s\"\n", helper_name);