1. 28 Sep, 2012 3 commits
  2. 24 Sep, 2012 4 commits
    • netfilter: nfnetlink_queue: add NFQA_CAP_LEN attribute · 6ee584be
      Pablo Neira Ayuso authored
      This patch adds the NFQA_CAP_LEN attribute that allows us to know
      what the real packet size is from user-space (even if we decided
      to retrieve just a few bytes from the packet instead of all of it).
      
      Security software that inspects packets should always check for
      this new attribute to make sure that it is inspecting the entire
      packet.
      
      This also helps to provide a workaround for the problem described
      in: http://marc.info/?l=netfilter-devel&m=134519473212536&w=2
      
      Original idea from Florian Westphal.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      6ee584be
    • netfilter: nfnetlink_queue: fix maximum packet length to userspace · ba8d3b0b
      Pablo Neira Ayuso authored
      The packets that we send via NFQUEUE are encapsulated in the NFQA_PAYLOAD
      attribute. The length of the packet in userspace is obtained via the
      attr->nla_len field. This field contains the size of the Netlink
      attribute header plus the packet length.
      
      If the maximum packet length is specified, i.e. 65535 bytes, and
      packets in the range of (65531,65535] are sent to userspace, the
      attr->nla_len overflows and it reports bogus lengths to the
      application.
      
      To fix this, this patch limits the maximum packet length to 65531
      bytes. If a larger packet length is specified, the packet that we
      send to user-space is truncated to 65531 bytes.
      
      To support 65535-byte packets, we have to revisit the idea of
      the 32-bit Netlink attribute length.
      Reported-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      ba8d3b0b
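      The two nfnetlink_queue commits above describe one mechanism from both sides: the kernel truncates NFQA_PAYLOAD to 65531 bytes because the 16-bit nla_len must also hold the 4-byte attribute header, and userspace is told to compare the payload it received against NFQA_CAP_LEN before treating the data as the whole packet. The following is an added example written for this page, not kernel or libnetfilter_queue code. It models the nlattr encoding with a local struct, shows exactly which payload sizes wrap nla_len, builds a constructed two-attribute message as the fixed kernel would, and walks it the way an inspecting application should. The NFQA_* numbers and the message layout are assumptions for the demonstration; the packet contents are constructed zero bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local model of the netlink attribute header: u16 nla_len covers header
 * plus payload, which is why the payload must stop at 0xffff - 4. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};

#define NLA_HDRLEN      4u
#define NLA_ALIGN(n)    ((((uint32_t)(n)) + 3u) & ~3u)
#define NFQ_MAX_PAYLOAD 65531u          /* the cap introduced by ba8d3b0b */

enum { NFQA_PAYLOAD = 10, NFQA_CAP_LEN = 13 };   /* assumed values for the demo */

/* What the u16 field really holds: 65531 -> 65535, 65532 -> 0, 65535 -> 3. */
uint16_t nla_len_for_payload(uint32_t payload_len)
{
    return (uint16_t)(NLA_HDRLEN + payload_len);
}

int nla_len_would_overflow(uint32_t payload_len)
{
    return NLA_HDRLEN + payload_len > 0xffffu;
}

/* Kernel side as fixed: copy at most copy_range bytes, never beyond the cap,
 * and report the true packet length in NFQA_CAP_LEN.  Returns bytes written,
 * or 0 if buf is too small. */
size_t build_queue_msg(uint8_t *buf, size_t buflen,
                       const uint8_t *pkt, uint32_t pkt_len, uint32_t copy_range)
{
    uint32_t copied = pkt_len < copy_range ? pkt_len : copy_range;
    if (copied > NFQ_MAX_PAYLOAD)
        copied = NFQ_MAX_PAYLOAD;
    size_t need = NLA_ALIGN(NLA_HDRLEN + 4) + NLA_ALIGN(NLA_HDRLEN + copied);
    if (buflen < need)
        return 0;
    memset(buf, 0, need);

    struct nlattr *a = (struct nlattr *)buf;
    a->nla_len = NLA_HDRLEN + 4;
    a->nla_type = NFQA_CAP_LEN;
    memcpy(buf + NLA_HDRLEN, &pkt_len, 4);           /* host order, local demo */

    a = (struct nlattr *)(buf + NLA_ALIGN(NLA_HDRLEN + 4));
    a->nla_len = nla_len_for_payload(copied);
    a->nla_type = NFQA_PAYLOAD;
    memcpy((uint8_t *)a + NLA_HDRLEN, pkt, copied);
    return need;
}

/* Userspace side: walk the attributes and decide whether the payload is the
 * whole packet.  1 = complete, 0 = truncated or no NFQA_CAP_LEN (an older
 * kernel: do not claim completeness), -1 = malformed attribute stream.  A
 * wrapped nla_len from an unfixed kernel lands in the -1 path. */
int inspect_queue_msg(const uint8_t *buf, size_t len,
                      uint32_t *payload_len, uint32_t *cap_len)
{
    size_t off = 0;
    int have_cap = 0, have_payload = 0;
    uint32_t cap = 0, plen = 0;

    while (off + NLA_HDRLEN <= len) {
        const struct nlattr *a = (const struct nlattr *)(buf + off);
        if (a->nla_len < NLA_HDRLEN || off + a->nla_len > len)
            return -1;
        if (a->nla_type == NFQA_CAP_LEN && a->nla_len == NLA_HDRLEN + 4) {
            memcpy(&cap, buf + off + NLA_HDRLEN, 4);
            have_cap = 1;
        } else if (a->nla_type == NFQA_PAYLOAD) {
            plen = a->nla_len - NLA_HDRLEN;
            have_payload = 1;
        }
        off += NLA_ALIGN(a->nla_len);
    }
    if (!have_payload)
        return -1;
    *payload_len = plen;
    *cap_len = cap;
    return have_cap && cap == plen;
}

struct verdict { int status; uint32_t payload_len, cap_len; };

/* One scenario end to end on a constructed, zero-filled packet. */
struct verdict run_scenario(uint32_t pkt_len, uint32_t copy_range)
{
    static uint8_t pkt[65535], msg[65535 + 64];
    struct verdict v = { -1, 0, 0 };
    size_t n = build_queue_msg(msg, sizeof msg, pkt, pkt_len, copy_range);
    if (n)
        v.status = inspect_queue_msg(msg, n, &v.payload_len, &v.cap_len);
    return v;
}

int main(void)
{
    struct verdict v = run_scenario(65535, 65535);
    printf("65535-byte packet: received %u bytes, cap_len %u, complete=%d\n",
           v.payload_len, v.cap_len, v.status);
    printf("nla_len for a 65532-byte payload wraps to %u\n",
           nla_len_for_payload(65532));
    return 0;
}
```

      The inspecting side deliberately refuses to report "complete" when NFQA_CAP_LEN is missing: on a kernel without 6ee584be the application has no way to tell a short copy from a short packet, which is the blind spot the attribute closes.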
    • netfilter: nf_ct_ftp: add sequence tracking pickup facility for injected entries · 7be54ca4
      Pablo Neira Ayuso authored
      This patch allows the FTP helper to pickup the sequence tracking from
      the first packet seen. This is useful to fix the breakage of the first
      FTP command after the failover while using conntrackd to synchronize
      states.
      
      The seq_aft_nl_num field in struct nf_ct_ftp_info has been shrunk to
      16-bits (enough for what it does), so we can use the remaining 16-bits
      to store the flags while using the same size for the private FTP helper
      data.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      7be54ca4
    • netfilter: xt_time: add support to ignore day transition · 54eb3df3
      Florian Westphal authored
      Currently, if you want to do something like:
      "match Monday, starting 23:00, for two hours"
      You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
      
      The rule: --weekdays Mo --timestart 23:00  --timestop 01:00
      
      looks correct, but it will first match on monday from midnight to 1 a.m.
      and then again for another hour from 23:00 onwards.
      
      This permits userspace to explicitly ignore the day transition and
      match for a single, continuous time period instead.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      54eb3df3
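      The message above explains why a rule whose --timestop is earlier than its --timestart is ambiguous: on the listed day it matches two separate windows, while the user usually wants one period that runs into the next day. The following is an added example written for this page, not the kernel's xt_time.c; it models the two interpretations side by side as a pure function over (weekday, minute of day) so the difference can be checked at the exact boundary times. The weekday bit layout and the name of the flag parameter are assumptions made for the demonstration.

```c
#include <stdio.h>

/* Weekday bit positions follow ISO numbering Mon=1 .. Sun=7 (assumed layout
 * for this demo; the real xt_time bitmask is not relied on). */
enum { MON = 1u << 1, TUE = 1u << 2, WED = 1u << 3, THU = 1u << 4,
       FRI = 1u << 5, SAT = 1u << 6, SUN = 1u << 7 };

#define HM(h, m) ((h) * 60 + (m))       /* minute of day */

static int prev_wday(int wday) { return wday == 1 ? 7 : wday - 1; }

/* Evaluate "--weekdays <mask> --timestart start --timestop stop" at
 * (wday, minute).  start > stop means the window crosses midnight.
 *   contiguous == 0: classic behaviour, both halves are matched on the
 *                    listed day itself (Mon 00:00-stop and Mon start-24:00).
 *   contiguous == 1: one period that starts on the listed day and ends on
 *                    the following day, as the commit describes. */
int xt_time_match(unsigned weekdays, int start, int stop, int contiguous,
                  int wday, int minute)
{
    int on_day = (weekdays >> wday) & 1u;

    if (start <= stop)
        return on_day && minute >= start && minute <= stop;

    if (!contiguous)
        return on_day && (minute >= start || minute <= stop);

    if (minute >= start)                /* evening half: today must be listed */
        return on_day;
    if (minute <= stop)                 /* morning half: yesterday must be listed */
        return (weekdays >> prev_wday(wday)) & 1u;
    return 0;
}

int main(void)
{
    /* --weekdays Mo --timestart 23:00 --timestop 01:00, both interpretations */
    const int checks[][2] = { {1, HM(0, 30)}, {1, HM(23, 30)},
                              {2, HM(0, 30)}, {2, HM(1, 30)} };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++)
        printf("wday %d %02d:%02d  classic=%d contiguous=%d\n",
               checks[i][0], checks[i][1] / 60, checks[i][1] % 60,
               xt_time_match(MON, HM(23, 0), HM(1, 0), 0, checks[i][0], checks[i][1]),
               xt_time_match(MON, HM(23, 0), HM(1, 0), 1, checks[i][0], checks[i][1]));
    return 0;
}
```

      With the contiguous interpretation, Tuesday 00:30 matches only because Monday is in the mask; Sunday 00:30 does not match unless Saturday is listed. That is the property to verify when converting a pair of split rules into one.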
  3. 22 Sep, 2012 4 commits
  4. 21 Sep, 2012 6 commits
    • netfilter: ipset: Check and reject crazy /0 input parameters · b9fed748
      Jozsef Kadlecsik authored
      bitmap:ip and bitmap:ip,mac type did not reject such a crazy range
      when created and using such a set results in a kernel crash.
      The hash types just silently ignored such parameters.
      
      Reject invalid /0 input parameters explicitly.
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      b9fed748
    • netfilter: combine ipt_REDIRECT and ip6t_REDIRECT · 2cbc78a2
      Jan Engelhardt authored
      Combine more modules since the actual code is so small anyway that the
      kmod metadata and the module in its loaded state totally outweighs the
      combined actual code size.
      
      IP_NF_TARGET_REDIRECT becomes a compat option; IP6_NF_TARGET_REDIRECT
      is completely eliminated since it has not seen a release yet.
      Signed-off-by: Jan Engelhardt <jengelh@inai.de>
      Acked-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      2cbc78a2
    • netfilter: combine ipt_NETMAP and ip6t_NETMAP · b3d54b3e
      Jan Engelhardt authored
      Combine more modules since the actual code is so small anyway that the
      kmod metadata and the module in its loaded state totally outweighs the
      combined actual code size.
      
      IP_NF_TARGET_NETMAP becomes a compat option; IP6_NF_TARGET_NETMAP
      is completely eliminated since it has not seen a release yet.
      Signed-off-by: Jan Engelhardt <jengelh@inai.de>
      Acked-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      b3d54b3e
    • netfilter: nf_nat: remove obsolete rcu_read_unlock call · 136251d0
      Ulrich Weber authored
      hlist walk in find_appropriate_src() is not protected anymore by rcu_read_lock(),
      so rcu_read_unlock() is unnecessary if in_range() matches.
      
      This bug was added in (c7232c99 netfilter: add protocol independent NAT core).
      Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      136251d0
    • netfilter: nf_nat: fix oops when unloading protocol modules · b0cdb1d9
      Patrick McHardy authored
      When unloading a protocol module nf_ct_iterate_cleanup() is used to
      remove all conntracks using the protocol from the bysource hash and
      clean their NAT sections. Since the conntrack isn't actually killed,
      the NAT callback is invoked twice, once for each direction, which
      causes an oops when trying to delete it from the bysource hash for
      the second time.
      
      The same oops can also happen when removing both an L3 and L4 protocol
      since the cleanup function doesn't check whether the conntrack has
      already been cleaned up.
      
      Pid: 4052, comm: modprobe Not tainted 3.6.0-rc3-test-nat-unload-fix+ #32 Red Hat KVM
      RIP: 0010:[<ffffffffa002c303>]  [<ffffffffa002c303>] nf_nat_proto_clean+0x73/0xd0 [nf_nat]
      RSP: 0018:ffff88007808fe18  EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff8800728550c0 RCX: ffff8800756288b0
      RDX: dead000000200200 RSI: ffff88007808fe88 RDI: ffffffffa002f208
      RBP: ffff88007808fe28 R08: ffff88007808e000 R09: 0000000000000000
      R10: dead000000200200 R11: dead000000100100 R12: ffffffff81c6dc00
      R13: ffff8800787582b8 R14: ffff880078758278 R15: ffff88007808fe88
      FS:  00007f515985d700(0000) GS:ffff88007cd00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 00007f515986a000 CR3: 000000007867a000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process modprobe (pid: 4052, threadinfo ffff88007808e000, task ffff8800756288b0)
      Stack:
       ffff88007808fe68 ffffffffa002c290 ffff88007808fe78 ffffffff815614e3
       ffffffff00000000 00000aeb00000246 ffff88007808fe68 ffffffff81c6dc00
       ffff88007808fe88 ffffffffa00358a0 0000000000000000 000000000040f5b0
      Call Trace:
       [<ffffffffa002c290>] ? nf_nat_net_exit+0x50/0x50 [nf_nat]
       [<ffffffff815614e3>] nf_ct_iterate_cleanup+0xc3/0x170
       [<ffffffffa002c55a>] nf_nat_l3proto_unregister+0x8a/0x100 [nf_nat]
       [<ffffffff812a0303>] ? compat_prepare_timeout+0x13/0xb0
       [<ffffffffa0035848>] nf_nat_l3proto_ipv4_exit+0x10/0x23 [nf_nat_ipv4]
       ...
      
      To fix this,
      
      - check whether the conntrack has already been cleaned up in
        nf_nat_proto_clean
      
      - change nf_ct_iterate_cleanup() to only invoke the callback function
        once for each conntrack (IP_CT_DIR_ORIGINAL).
      
      The second change doesn't affect other callers since when conntracks are
      actually killed, both directions are removed from the hash immediately
      and the callback is already only invoked once. If it is not killed, the
      second callback invocation will always return the same decision not to
      kill it.
      Reported-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      b0cdb1d9
  5. 12 Sep, 2012 2 commits
    • netfilter: ctnetlink: fix module auto-load in ctnetlink_parse_nat · c7cbb917
      Pablo Neira Ayuso authored
      (c7232c99 netfilter: add protocol independent NAT core) added
      incorrect locking for the module auto-load case in ctnetlink_parse_nat.
      
      That function is always called from ctnetlink_create_conntrack which
      requires no locking.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      c7cbb917
    • netfilter: log: Fix log-level processing · 16af511a
      Joe Perches authored
      auto75914331@hushmail.com reports that iptables does not correctly
      output the KERN_<level>.
      
      $IPTABLES -A RULE_0_in  -j LOG  --log-level notice --log-prefix "DENY  in: "
      
      result with linux 3.6-rc5
      Sep 12 06:37:29 xxxxx kernel: <5>DENY  in: IN=eth0 OUT= MAC=.......
      
      result with linux 3.5.3 and older:
      Sep  9 10:43:01 xxxxx kernel: DENY  in: IN=eth0 OUT= MAC......
      
      commit 04d2c8c8 ("printk: convert the format for KERN_<LEVEL> to a 2 byte pattern")
      updated the syslog header style but did not update netfilter uses.
      
      Do so.
      
      Use KERN_SOH and string concatenation instead of "%c" KERN_SOH_ASCII
      as suggested by Eric Dumazet.
      Signed-off-by: Joe Perches <joe@perches.com>
      cc: auto75914331@hushmail.com
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      16af511a
  6. 10 Sep, 2012 2 commits
  7. 09 Sep, 2012 4 commits
  8. 08 Sep, 2012 1 commit
  9. 06 Sep, 2012 1 commit
  10. 05 Sep, 2012 1 commit
  11. 03 Sep, 2012 6 commits
    • netfilter: pass 'nf_hook_ops' instead of 'list_head' to nf_queue() · 1c15b677
      Michael Wang authored
      Since 'list_for_each_continue_rcu' has already been replaced by
      'list_for_each_entry_continue_rcu', passing 'list_head' to nf_queue() as a
      parameter cannot benefit us any more.
      
      This patch will replace 'list_head' with 'nf_hook_ops' as the parameter of
      nf_queue() and __nf_queue() to save code.
      Signed-off-by: Michael Wang <wangyun@linux.vnet.ibm.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      1c15b677
    • netfilter: pass 'nf_hook_ops' instead of 'list_head' to nf_iterate() · 2a6decfd
      Michael Wang authored
      Since 'list_for_each_continue_rcu' has already been replaced by
      'list_for_each_entry_continue_rcu', passing 'list_head' to nf_iterate() as a
      parameter cannot benefit us any more.
      
      This patch will replace 'list_head' with 'nf_hook_ops' as the parameter of
      nf_iterate() to save code.
      Signed-off-by: Michael Wang <wangyun@linux.vnet.ibm.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      2a6decfd
    • netfilter: remove xt_NOTRACK · 96550501
      Cong Wang authored
      It was scheduled to be removed for a long time.
      
      Cc: Pablo Neira Ayuso <pablo@netfilter.org>
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: netfilter@vger.kernel.org
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      96550501
    • netfilter: nf_conntrack: add nf_ct_timeout_lookup · 84b5ee93
      Pablo Neira Ayuso authored
      This patch adds the new nf_ct_timeout_lookup function to encapsulate
      the timeout policy attachment that is called in the nf_conntrack_in
      path.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      84b5ee93
    • netfilter: xt_CT: refactorize xt_ct_tg_check · 236df005
      Pablo Neira Ayuso authored
      This patch adds xt_ct_set_helper and xt_ct_set_timeout to reduce
      the size of xt_ct_tg_check.
      
      This aims to improve code maintainability by splitting xt_ct_tg_check
      in smaller chunks.
      
      Suggested by Eric Dumazet.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      236df005
    • netfilter: xt_socket: fix compilation warnings with gcc 4.7 · 6703aa74
      Pablo Neira Ayuso authored
      This patch fixes compilation warnings in xt_socket with gcc-4.7.
      
      In file included from net/netfilter/xt_socket.c:22:0:
      net/netfilter/xt_socket.c: In function ‘socket_mt6_v1’:
      include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘sport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:265:16: note: ‘sport’ was declared here
      In file included from net/netfilter/xt_socket.c:22:0:
      include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘dport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:265:9: note: ‘dport’ was declared here
      In file included from net/netfilter/xt_socket.c:22:0:
      include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘saddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:264:27: note: ‘saddr’ was declared here
      In file included from net/netfilter/xt_socket.c:22:0:
      include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘daddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:264:19: note: ‘daddr’ was declared here
      In file included from net/netfilter/xt_socket.c:22:0:
      net/netfilter/xt_socket.c: In function ‘socket_match.isra.4’:
      include/net/netfilter/nf_tproxy_core.h:75:2: warning: ‘protocol’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:113:5: note: ‘protocol’ was declared here
      In file included from include/net/tcp.h:37:0,
                       from net/netfilter/xt_socket.c:17:
      include/net/inet_hashtables.h:356:45: warning: ‘sport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:112:16: note: ‘sport’ was declared here
      In file included from net/netfilter/xt_socket.c:22:0:
      include/net/netfilter/nf_tproxy_core.h:106:23: warning: ‘dport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:112:9: note: ‘dport’ was declared here
      In file included from include/net/tcp.h:37:0,
                       from net/netfilter/xt_socket.c:17:
      include/net/inet_hashtables.h:356:15: warning: ‘saddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:111:16: note: ‘saddr’ was declared here
      In file included from include/net/tcp.h:37:0,
                       from net/netfilter/xt_socket.c:17:
      include/net/inet_hashtables.h:356:15: warning: ‘daddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:111:9: note: ‘daddr’ was declared here
      In file included from net/netfilter/xt_socket.c:22:0:
      net/netfilter/xt_socket.c: In function ‘socket_mt6_v1’:
      include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘sport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:268:16: note: ‘sport’ was declared here
      In file included from net/netfilter/xt_socket.c:22:0:
      include/net/netfilter/nf_tproxy_core.h:175:23: warning: ‘dport’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:268:9: note: ‘dport’ was declared here
      In file included from net/netfilter/xt_socket.c:22:0:
      include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘saddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:267:27: note: ‘saddr’ was declared here
      In file included from net/netfilter/xt_socket.c:22:0:
      include/net/netfilter/nf_tproxy_core.h:175:6: warning: ‘daddr’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      net/netfilter/xt_socket.c:267:19: note: ‘daddr’ was declared here
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      6703aa74
  12. 31 Aug, 2012 1 commit
  13. 30 Aug, 2012 5 commits