Linux kernel development work - see feature branches https://git.zx2c4.com/linux-dev/atom/net/netfilter?h=linus%2Fmaster 2022-06-21T08:50:41Z 2022-06-21T08:50:41Z Florian Westphal fw@strlen.de 2022-06-20T14:17:31Z urn:sha1:fcd53c51d03709bc429822086f1e9b3e88904284 Now that the egress function can be called from egress hook, we need to avoid recursive calls into the nf_tables traverser, else crash. Fixes: f87b9464d152 ("netfilter: nft_fwd_netdev: Support egress hook") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-21T08:50:40Z Florian Westphal fw@strlen.de 2022-06-20T14:17:30Z urn:sha1:574a5b85dc3b9ab672ff3fba0ee020f927960648 Eric reports skb_under_panic when using dup/fwd via bond+egress hook. Before pushing mac header, we should make sure that we're called from ingress to put back what was pulled earlier. In egress case, the MAC header is already there; we should leave skb alone. While at it be more careful here: skb might have been altered and headroom reduced, so add a skb_cow() before so that headroom is increased if necessary. nf_do_netdev_egress() assumes skb ownership (it normally ends with a call to dev_queue_xmit), so we must free the packet on error. Fixes: f87b9464d152 ("netfilter: nft_fwd_netdev: Support egress hook") Reported-by: Eric Garver <eric@garver.life> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-17T21:31:20Z Florian Westphal fw@strlen.de 2022-06-15T13:36:54Z urn:sha1:394e771684f7a2cd4e154647bff50084c31bc7cf syzbot reports: BUG: KASAN: slab-out-of-bounds in __list_del_entry_valid+0xcc/0xf0 lib/list_debug.c:42 [..] list_del include/linux/list.h:148 [inline] cttimeout_net_exit+0x211/0x540 net/netfilter/nfnetlink_cttimeout.c:617 Problem is the wrong name of the list member, so container_of() result is wrong. Reported-by: <syzbot+92968395eedbdbd3617d@syzkaller.appspotmail.com> Fixes: 78222bacfca9 ("netfilter: cttimeout: decouple unlink and free on netns destruction") Signed-off-by: Florian Westphal <fw@strlen.de> 2022-06-08T10:30:59Z Florian Westphal fw@strlen.de 2022-05-18T18:15:31Z urn:sha1:b1fd94e704571f98b21027340eecf821b2bdffba bh might occur while updating per-cpu rnd_state from user context, ie. local_out path. BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725 caller is nft_ng_random_eval+0x24/0x54 [nft_numgen] Call Trace: check_preemption_disabled+0xde/0xe0 nft_ng_random_eval+0x24/0x54 [nft_numgen] Use the random driver instead, this also avoids need for local prandom state. Moreover, prandom now uses the random driver since d4150779e60f ("random32: use real rng for non-deterministic randomness"). Based on earlier patch from Pablo Neira. Fixes: 6b2faee0ca91 ("netfilter: nft_meta: place prandom handling in a helper") Fixes: 978d8f9055c3 ("netfilter: nft_numgen: add map lookups for numgen random operations") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-06T17:19:15Z Pablo Neira Ayuso pablo@netfilter.org 2022-06-06T15:31:29Z urn:sha1:3a41c64d9c1185a2f3a184015e2a9b78bfc99c71 If user requests for NFT_CHAIN_HW_OFFLOAD, then check if either device provides the .ndo_setup_tc interface or there is an indirect flow block that has been registered. Otherwise, bail out early from the preparation phase. Moreover, validate that family == NFPROTO_NETDEV and hook is NF_NETDEV_INGRESS. Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-06T15:31:46Z Pablo Neira Ayuso pablo@netfilter.org 2022-06-06T15:15:57Z urn:sha1:9dd732e0bdf538b1b76dc7c157e2b5e560ff30d3 Abort path release flow rule object, however, commit path does not. Update code to destroy these objects before releasing the transaction. Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-06T15:31:46Z Pablo Neira Ayuso pablo@netfilter.org 2022-06-05T11:40:06Z urn:sha1:c271cc9febaaa1bcbc0842d1ee30466aa6148ea8 Release the list of new hooks that are pending to be registered in case that unsupported flowtable flags are provided. Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-02T21:31:11Z Pablo Neira Ayuso pablo@netfilter.org 2022-06-01T15:49:36Z urn:sha1:2c9e4559773c261900c674a86b8e455911675d71 The hook list is used if nft_trans_flowtable_update(trans) == true. However, initialize this list for other cases for safety reasons. Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-02T07:49:49Z Pablo Neira Ayuso pablo@netfilter.org 2022-05-30T16:40:06Z urn:sha1:b6d9014a3335194590abdd2a2471ef5147a67645 Remove inactive bool field in nft_hook object that was introduced in abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable"). Move stale flowtable hooks to transaction list instead. Deleting twice the same device does not result in ENOENT. Fixes: abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-01T14:01:54Z Pablo Neira Ayuso pablo@netfilter.org 2022-06-01T14:00:00Z urn:sha1:ab5e5c062f67c5ae8cd07f0632ffa62dc0e7d169 Use kfree_rcu(ptr, rcu) variant instead as described by ae089831ff28 ("netfilter: nf_tables: prefer kfree_rcu(ptr, rcu) variant"). Fixes: f9a43007d3f7 ("netfilter: nf_tables: double hook unregistration in netns path") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>