[PATCH nf] netfilter: IDLETIMER: be syzkaller friendly

2018-02-16 Thread Eric Dumazet
From: Eric Dumazet We had one report from syzkaller [1]. The first issue is that INIT_WORK() should be done before mod_timer(), or we risk the timer being fired too soon, even with a 1 second timer. The second issue is that we need to reject a too big info->timeout to avoid overflows in

Re: [PATCH net] netfilter: unlock xt_table earlier in __do_replace

2018-02-16 Thread Florian Westphal
Xin Long wrote: > Now it's doing cleanup_entry for oldinfo under the xt_table lock, > but it's not really necessary. After the replacement job is done > in xt_replace_table, oldinfo is not used elsewhere any more, and > it can be freed without xt_table lock safely. Right.

Re: [PATCH] inet: don't call skb_orphan if tproxy happens in layer 2

2018-02-16 Thread Pablo Neira Ayuso
On Fri, Feb 16, 2018 at 12:07:06PM +0100, Florian Westphal wrote: > Gregory Vander Schueren wrote: > > [ cc netdev ] > > > If sysctl bridge-nf-call-iptables is enabled, iptables chains are already > > traversed from the bridging code. In such case, tproxy

Re: [PATCH v4] netfilter : add NAT support for shifted portmap ranges

2018-02-16 Thread Thierry Du Tre
On 30/01/2018 at 14:02, Thierry Du Tre wrote: > This is a patch proposal to support shifted ranges in portmaps. > (i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN > 192.168.1.5:2000-2100) > > Currently DNAT only works for single port or identical port ranges. > (i.e. ports

Re: [PATCH] inet: don't call skb_orphan if tproxy happens in layer 2

2018-02-16 Thread Florian Westphal
Gregory Vander Schueren wrote: [ cc netdev ] > If sysctl bridge-nf-call-iptables is enabled, iptables chains are already > traversed from the bridging code. In such case, tproxy already happened when > reaching ip_rcv. Thus no need to call skb_orphan as this

[PATCH nf 0/2] netfilter: ipt_CLUSTERIP: two more fixes

2018-02-16 Thread Florian Westphal
During a code audit I found two more bugs in CLUSTERIP: the first one is a refcount leak, the second is a possible use-after-free due to kfree() of an rcu-protected (and already visible) structure. I think it's time to remove this target, so, if anyone has a good reason to not nuke it in nf-next please let me

[PATCH nf 2/2] netfilter: ipt_CLUSTERIP: put config instead of freeing it

2018-02-16 Thread Florian Westphal
Once the struct is added to the per-netns list it becomes visible to other cpus, so we cannot use kfree(). Also delay setting the entries refcount to 1 until after everything is initialised, so that when we call clusterip_config_put() in this spot entries is still zero. Signed-off-by: Florian Westphal

[PATCH nf 1/2] netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount

2018-02-16 Thread Florian Westphal
This needs to put() the entry to avoid a resource leak in error path. Signed-off-by: Florian Westphal --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c

[PATCH net] netfilter: unlock xt_table earlier in __do_replace

2018-02-16 Thread Xin Long
Now it's doing cleanup_entry for oldinfo under the xt_table lock, but it's not really necessary. After the replacement job is done in xt_replace_table, oldinfo is not used elsewhere any more, and it can safely be freed without the xt_table lock. The important thing is that rtnl_lock is called in some

Re: [PATCH] inet: don't call skb_orphan if tproxy happens in layer 2

2018-02-16 Thread Gregory Vander Schueren
Hi Florian & Pablo, Thank you very much for your quick feedback. On 02/16/2018 12:28 PM, Pablo Neira Ayuso wrote: On Fri, Feb 16, 2018 at 12:07:06PM +0100, Florian Westphal wrote: Gregory Vander Schueren wrote: [ cc netdev ] If sysctl

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread Florian Westphal
Florian Westphal wrote: > Daniel Borkmann wrote: > Several questions spinning at the moment, I will probably come up with > more: ... and here there are some more ... One of the many pain points of xtables design is the assumption of 'used only by

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread Daniel Borkmann
Hi Florian, thanks for your feedback! More inline: On 02/16/2018 03:57 PM, Florian Westphal wrote: > Daniel Borkmann wrote: >> This is a very rough and early proof of concept that implements bpfilter. > > [..] > >> Also, as a benefit from such design, we get BPF JIT

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread Florian Westphal
Daniel Borkmann wrote: > This is a very rough and early proof of concept that implements bpfilter. [..] > Also, as a benefit from such design, we get BPF JIT compilation on x86_64, > arm64, ppc64, sparc64, mips64, s390x and arm32, but also rule offloading > into HW for

[PATCH RFC 1/4] modules: allow insmod load regular elf binaries

2018-02-16 Thread Daniel Borkmann
From: Alexei Starovoitov Signed-off-by: Alexei Starovoitov --- fs/exec.c | 40 +++- include/linux/binfmts.h | 1 + include/linux/umh.h | 4 kernel/module.c | 33

[PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread Daniel Borkmann
This is a very rough and early proof of concept that implements bpfilter. The basic idea of bpfilter is that it can process iptables queries and translate them in user space into BPF programs which can then get attached at various locations. For simplicity, in this RFC we demo attaching them to

[PATCH RFC 4/4] bpf: rough bpfilter codegen example hack

2018-02-16 Thread Daniel Borkmann
Signed-off-by: Daniel Borkmann --- include/uapi/linux/bpf.h| 31 +++-- kernel/bpf/syscall.c| 39 +++--- net/bpfilter/Makefile | 2 +- net/bpfilter/bpfilter.c | 59 + net/bpfilter/bpfilter_mod.h | 285

[PATCH RFC 3/4] net: initial bpfilter skeleton

2018-02-16 Thread Daniel Borkmann
From: "David S. Miller" Signed-off-by: David S. Miller Signed-off-by: Alexei Starovoitov --- include/linux/bpfilter.h | 13 +++ include/uapi/linux/bpfilter.h | 200 ++ net/Kconfig

[PATCH RFC 2/4] bpf: introduce bpfilter commands

2018-02-16 Thread Daniel Borkmann
From: Alexei Starovoitov Signed-off-by: Alexei Starovoitov --- include/uapi/linux/bpf.h | 16 kernel/bpf/syscall.c | 41 + 2 files changed, 57 insertions(+) diff --git a/include/uapi/linux/bpf.h

[PATCH] netfilter: increase IPSTATS_MIB_CSUMERRORS stat

2018-02-16 Thread Taehee Yoo
In ip_rcv, IPSTATS_MIB_CSUMERRORS is increased when a checksum error occurs. The bridge netfilter routine should increase IPSTATS_MIB_CSUMERRORS. Signed-off-by: Taehee Yoo --- net/bridge/br_netfilter_hooks.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff

[PATCH nf-next] net: netfilter: nf_tables_api: Use id allocation.

2018-02-16 Thread Varsha Rao
In the nf_tables_set_alloc_name function, remove the get_zeroed_page, find_first_zero_bit and set_bit functions. Instead use the ida_simple_get function, as it simplifies the code. Signed-off-by: Varsha Rao --- net/netfilter/nf_tables_api.c | 27 +++ 1 file

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread Daniel Borkmann
Hi Florian, On 02/16/2018 05:14 PM, Florian Westphal wrote: > Florian Westphal wrote: >> Daniel Borkmann wrote: >> Several questions spinning at the moment, I will probably come up with >> more: > > ... and here there are some more ... > > One of the many

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread David Miller
From: Florian Westphal Date: Fri, 16 Feb 2018 15:57:27 +0100 > 4. Do you plan to reimplement connection tracking in userspace? > If no, how will the bpf program interact with it? The natural way to handle this, as with anything BPF related, is with appropriate BPF helpers which

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-16 Thread David Miller
From: Florian Westphal Date: Fri, 16 Feb 2018 17:14:08 +0100 > Any particular reason why translating iptables rather than nftables > (it should be possible to monitor the nftables changes that are > announced by kernel and act on those)? As Daniel said, iptables is by far the