1. 31 Oct, 2014 10 commits
    •
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · e3a88f9c
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      netfilter/ipvs fixes for net
      
      The following patchset contains fixes for netfilter/ipvs. This round of
      fixes is larger than usual at this stage, specifically because of the
      nf_tables bridge reject fixes that I would like to see in 3.18. The
      patches are:
      
      1) Fix a null-pointer dereference that may occur when logging
         errors. This problem was introduced by 4a4739d5 ("ipvs: Pull
         out crosses_local_route_boundary logic") in v3.17-rc5.
      
      2) Update hook mask in nft_reject_bridge so we can also filter out
         packets from there. This fixes 36d2af59 ("netfilter: nf_tables: allow
         to filter from prerouting and postrouting"), which needs this chunk
         to work.
      
      3) Two patches to refactor common code to forge the IPv4 and IPv6
         reject packets from the bridge. These are required by the nf_tables
         reject bridge fix.
      
      4) Fix nft_reject_bridge by avoiding the use of the IP stack to reject
         packets from the bridge. The idea is to forge the reject packets and
         inject them to the original port via br_deliver() which is now
         exported for that purpose.
      
      5) Restrict nft_reject_bridge to bridge prerouting and input hooks.
         The original skbuff may be cloned after prerouting when the bridge stack
         needs to flood it to several bridge ports, so by then it is too late to
         reject the traffic.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      netfilter: nft_reject_bridge: restrict reject to prerouting and input · 127917c2
      Pablo Neira Ayuso authored
      Restrict the reject expression to the prerouting and input bridge
      hooks. If we allowed this to be used from forward or any other later
      bridge hook and the frame were flooded to several ports, we would end up
      sending several reject packets, one per cloned packet.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: nft_reject_bridge: don't use IP stack to reject traffic · 523b929d
      Pablo Neira Ayuso authored
      If the packet is received via the bridge stack, this cannot reject
      packets from the IP stack.
      
      This adds functions to build the reject packet and send it from the
      bridge stack. Comments and assumptions on this patch:
      
      1) Validate the IPv4 and IPv6 headers before further processing: given
         that the packet comes from the bridge stack, we cannot assume they
         are clean. Truncated packets are dropped; we follow a similar
         approach in the existing iptables match/target extensions that need
         to inspect layer 4 headers that are not available. This also includes
         packets that are directed to multicast and broadcast ethernet
         addresses.
      
      2) br_deliver() is exported to inject the reject packet via
         bridge localout -> postrouting. So the approach is similar to what
         we already do in the iptables reject target. The reject packet is
         sent to the bridge port from which we have received the original
         packet.
      
      3) The reject packet is forged based on the original packet. The TTL
         is set based on sysctl_ip_default_ttl for IPv4 and per-net
         ipv6.devconf_all hoplimit for IPv6.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: nf_reject_ipv6: split nf_send_reset6() in smaller functions · 8bfcdf66
      Pablo Neira Ayuso authored
      That can be reused by the reject bridge expression to build the reject
      packet. The new functions are:
      
      * nf_reject_ip6_tcphdr_get(): to sanitize and to obtain the TCP header.
      * nf_reject_ip6hdr_put(): to build the IPv6 header.
      * nf_reject_ip6_tcphdr_put(): to build the TCP header.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: nf_reject_ipv4: split nf_send_reset() in smaller functions · 052b9498
      Pablo Neira Ayuso authored
      That can be reused by the reject bridge expression to build the reject
      packet. The new functions are:
      
      * nf_reject_ip_tcphdr_get(): to sanitize and to obtain the TCP header.
      * nf_reject_iphdr_put(): to build the IPv4 header.
      * nf_reject_ip_tcphdr_put(): to build the TCP header.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      netfilter: nf_tables_bridge: update hook_mask to allow {pre,post}routing · 4d87716c
      Pablo Neira Ayuso authored
      Fixes: 36d2af59 ("netfilter: nf_tables: allow to filter from prerouting and postrouting")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    •
      drivers/net: macvtap and tun depend on INET · de11b0e8
      Ben Hutchings authored
      These drivers now call ipv6_proxy_select_ident(), which is defined
      only if CONFIG_INET is enabled.  However, they have really depended
      on CONFIG_INET for as long as they have allowed sending GSO packets
      from userland.
      Reported-by: kbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Fixes: f43798c2 ("tun: Allow GSO using virtio_net_hdr")
      Fixes: b9fb9ee0 ("macvtap: add GSO/csum offload support")
      Fixes: 5188cd44 ("drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets")
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      Merge branch 'ufo-fix' · c1304b21
      David S. Miller authored
      Ben Hutchings says:
      
      ====================
      drivers/net,ipv6: Fix IPv6 fragment ID selection for virtio
      
      The virtio net protocol supports UFO but does not provide for passing a
      fragment ID for fragmentation of IPv6 packets.  We used to generate a
      fragment ID wherever such a packet was fragmented, but currently we
      always use ID=0!
      
      v2: Add blank lines after declarations
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets · 5188cd44
      Ben Hutchings authored
      UFO is now disabled on all drivers that work with virtio net headers,
      but userland may try to send UFO/IPv6 packets anyway.  Instead of
      sending with ID=0, we should select identifiers on their behalf (as we
      used to).
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Fixes: 916e4cf4 ("ipv6: reuse ip6_frag_id from ip6_ufo_append_data")
      Signed-off-by: David S. Miller <davem@davemloft.net>
    •
      drivers/net: Disable UFO through virtio · 3d0ad094
      Ben Hutchings authored
      IPv6 does not allow fragmentation by routers, so there is no
      fragmentation ID in the fixed header.  UFO for IPv6 requires the ID to
      be passed separately, but there is no provision for this in the virtio
      net protocol.
      
      Until recently our software implementation of UFO/IPv6 generated a new
      ID, but this was a bug.  Now we will use ID=0 for any UFO/IPv6 packet
      passed through a tap, which is even worse.
      
      Unfortunately there is no distinction between UFO/IPv4 and v6
      features, so disable UFO on taps and virtio_net completely until we
      have a proper solution.
      
      We cannot depend on VM managers respecting the tap feature flags, so
      keep accepting UFO packets but log a warning the first time we do
      this.
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Fixes: 916e4cf4 ("ipv6: reuse ip6_frag_id from ip6_ufo_append_data")
      Signed-off-by: David S. Miller <davem@davemloft.net>