From 412662d204eca981458156fd64d9d5f3b533d7b6 Mon Sep 17 00:00:00 2001 From: Stephen Rothwell Date: Wed, 11 Jan 2012 11:52:17 +1100 Subject: netfilter: xt_hashlimit: fix unused variable warning if IPv6 disabled MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes this warning when CONFIG_IP6_NF_IPTABLES is not enabled: net/netfilter/xt_hashlimit.c: In function ‘hashlimit_init_dst’: net/netfilter/xt_hashlimit.c:448:9: warning: unused variable ‘frag_off’ [-Wunused-variable] Signed-off-by: Stephen Rothwell Signed-off-by: Pablo Neira Ayuso --- net/netfilter/xt_hashlimit.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'net/netfilter') diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 8e49921..d95f9c9 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -445,7 +445,6 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo, { __be16 _ports[2], *ports; u8 nexthdr; - __be16 frag_off; int poff; memset(dst, 0, sizeof(*dst)); @@ -466,6 +465,9 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo, break; #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) case NFPROTO_IPV6: + { + __be16 frag_off; + if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP) { memcpy(&dst->ip6.dst, &ipv6_hdr(skb)->daddr, sizeof(dst->ip6.dst)); @@ -485,6 +487,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo, if ((int)protoff < 0) return -1; break; + } #endif default: BUG(); -- cgit v1.1 From 9bf04646b0b41c5438ed8a27c5f8dbe0ff40d756 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 15 Jan 2012 16:57:12 +0100 Subject: netfilter: revert user-space expectation helper support This patch partially reverts: 3d058d7 netfilter: rework user-space expectation helper support that was applied during the 3.2 development cycle. After this patch, the tree remains just like before patch bc01bef, that initially added the preliminary infrastructure. I decided to partially revert this patch because the approach that I proposed to resolve this problem is broken in NAT setups. Moreover, a new infrastructure will be submitted for the 3.3.x development cycle that resolve the existing issues while providing a neat solution. Since nobody has been seriously using this infrastructure in user-space, the removal of this feature should affect any know FOSS project (to my knowledge). Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_helper.c | 12 ------------ net/netfilter/nf_conntrack_netlink.c | 4 ---- net/netfilter/xt_CT.c | 8 +++----- 3 files changed, 3 insertions(+), 21 deletions(-) (limited to 'net/netfilter') diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 299fec9..bbe23ba 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c @@ -121,18 +121,6 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, int ret = 0; if (tmpl != NULL) { - /* we've got a userspace helper. */ - if (tmpl->status & IPS_USERSPACE_HELPER) { - help = nf_ct_helper_ext_add(ct, flags); - if (help == NULL) { - ret = -ENOMEM; - goto out; - } - rcu_assign_pointer(help->helper, NULL); - __set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status); - ret = 0; - goto out; - } help = nfct_help(tmpl); if (help != NULL) helper = help->helper; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 2a4834b..9307b03 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -2042,10 +2042,6 @@ ctnetlink_create_expect(struct net *net, u16 zone, } help = nfct_help(ct); if (!help) { - err = -EOPNOTSUPP; - goto out; - } - if (test_bit(IPS_USERSPACE_HELPER_BIT, &ct->status)) { if (!cda[CTA_EXPECT_TIMEOUT]) { err = -EINVAL; goto out; diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c index 8e87123..0221d10 100644 --- a/net/netfilter/xt_CT.c +++ b/net/netfilter/xt_CT.c @@ -62,8 +62,8 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par) int ret = 0; u8 proto; - if (info->flags & ~(XT_CT_NOTRACK | XT_CT_USERSPACE_HELPER)) - return -EOPNOTSUPP; + if (info->flags & ~XT_CT_NOTRACK) + return -EINVAL; if (info->flags & XT_CT_NOTRACK) { ct = nf_ct_untracked_get(); @@ -92,9 +92,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par) GFP_KERNEL)) goto err3; - if (info->flags & XT_CT_USERSPACE_HELPER) { - __set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status); - } else if (info->helper[0]) { + if (info->helper[0]) { ret = -ENOENT; proto = xt_ct_find_proto(par); if (!proto) { -- cgit v1.1 From 088067f4f14d6ee5c6a196b015a560cbe7744224 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Tue, 17 Jan 2012 10:39:05 +0100 Subject: netfilter: ipset: autoload set type modules safely Jan Engelhardt noticed when userspace requests a set type unknown to the kernel, it can lead to a loop due to the unsafe type module loading. The issue is fixed in this patch. Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso --- net/netfilter/ipset/ip_set_core.c | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) (limited to 'net/netfilter') diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 86137b5..0f8e5f2 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -77,35 +77,42 @@ find_set_type(const char *name, u8 family, u8 revision) } /* Unlock, try to load a set type module and lock again */ -static int -try_to_load_type(const char *name) +static bool +load_settype(const char *name) { nfnl_unlock(); pr_debug("try to load ip_set_%s\n", name); if (request_module("ip_set_%s", name) < 0) { pr_warning("Can't find ip_set type %s\n", name); nfnl_lock(); - return -IPSET_ERR_FIND_TYPE; + return false; } nfnl_lock(); - return -EAGAIN; + return true; } /* Find a set type and reference it */ +#define find_set_type_get(name, family, revision, found) \ + __find_set_type_get(name, family, revision, found, false) + static int -find_set_type_get(const char *name, u8 family, u8 revision, - struct ip_set_type **found) +__find_set_type_get(const char *name, u8 family, u8 revision, + struct ip_set_type **found, bool retry) { struct ip_set_type *type; int err; + if (retry && !load_settype(name)) + return -IPSET_ERR_FIND_TYPE; + rcu_read_lock(); *found = find_set_type(name, family, revision); if (*found) { err = !try_module_get((*found)->me) ? -EFAULT : 0; goto unlock; } - /* Make sure the type is loaded but we don't support the revision */ + /* Make sure the type is already loaded + * but we don't support the revision */ list_for_each_entry_rcu(type, &ip_set_type_list, list) if (STREQ(type->name, name)) { err = -IPSET_ERR_FIND_TYPE; @@ -113,7 +120,8 @@ find_set_type_get(const char *name, u8 family, u8 revision, } rcu_read_unlock(); - return try_to_load_type(name); + return retry ? -IPSET_ERR_FIND_TYPE : + __find_set_type_get(name, family, revision, found, true); unlock: rcu_read_unlock(); @@ -124,12 +132,19 @@ unlock: * If we succeeded, the supported minimal and maximum revisions are * filled out. */ +#define find_set_type_minmax(name, family, min, max) \ + __find_set_type_minmax(name, family, min, max, false) + static int -find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max) +__find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max, + bool retry) { struct ip_set_type *type; bool found = false; + if (retry && !load_settype(name)) + return -IPSET_ERR_FIND_TYPE; + *min = 255; *max = 0; rcu_read_lock(); list_for_each_entry_rcu(type, &ip_set_type_list, list) @@ -145,7 +160,8 @@ find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max) if (found) return 0; - return try_to_load_type(name); + return retry ? -IPSET_ERR_FIND_TYPE : + __find_set_type_minmax(name, family, min, max, true); } #define family_name(f) ((f) == AF_INET ? "inet" : \ -- cgit v1.1 From be94db9ddac0d6ea76f479b04fb3a43314654c9f Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Sat, 14 Jan 2012 16:42:13 +0100 Subject: netfilter: ipset: dumping error triggered removing references twice If there was a dumping error in the middle, the set-specific variable was not zeroed out and thus the 'done' function of the dumping wrongly tried to release the already released reference of the set. The already released reference was caught by __ip_set_put and triggered a kernel BUG message. Reported by Jean-Philippe Menil. Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso --- net/netfilter/ipset/ip_set_core.c | 1 + 1 file changed, 1 insertion(+) (limited to 'net/netfilter') diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 0f8e5f2..32dbf0f 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -1142,6 +1142,7 @@ release_refcount: if (ret || !cb->args[2]) { pr_debug("release set %s\n", ip_set_list[index]->name); ip_set_put_byindex(index); + cb->args[2] = 0; } out: if (nlh) { -- cgit v1.1