1. 15 May, 2014 1 commit
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: fix trace of matching non-terminal rule · 3b084e99
      Pablo Neira Ayuso authored
      Add the corresponding trace if we have a full match in a non-terminal
      rule. Note that the traces will look slightly different than in
      x_tables since the log message after all expressions have been
      evaluated (contrary to x_tables, that emits it before the target
      action). This manifests in two differences in nf_tables wrt. x_tables:
      
      1) The rule that enables the tracing is included in the trace.
      
      2) If the rule emits some log message, that is shown before the
         trace log message.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      3b084e99
  2. 12 May, 2014 4 commits
  3. 10 May, 2014 1 commit
  4. 09 May, 2014 1 commit
  5. 05 May, 2014 2 commits
    • Vasily Averin's avatar
      bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit · aff09ce3
      Vasily Averin authored
      Currently bridge can silently drop ipv4 fragments.
      If node have loaded nf_defrag_ipv4 module but have no nf_conntrack_ipv4,
      br_nf_pre_routing defragments incoming ipv4 fragments
      but nfct check in br_nf_dev_queue_xmit does not allow re-fragment combined
      packet back, and therefore it is dropped in br_dev_queue_push_xmit without
      incrementing of any failcounters
      
      It seems the only way to hit the ip_fragment code in the bridge xmit
      path is to have a fragment list whose reassembled fragments go over
      the mtu. This only happens if nf_defrag is enabled. Thanks to
      Florian Westphal for providing feedback to clarify this.
      
      Defragmentation ipv4 is required not only in conntracks but at least in
      TPROXY target and socket match, therefore #ifdef is changed from
      NF_CONNTRACK_IPV4 to NF_DEFRAG_IPV4
      Signed-off-by: default avatarVasily Averin <vvs@openvz.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      aff09ce3
    • Vasily Averin's avatar
      ipv4: fix "conntrack zones" support for defrag user check in ip_expire · 7c3d5ab1
      Vasily Averin authored
      Defrag user check in ip_expire was not updated after adding support for
      "conntrack zones".
      
      This bug manifests as a RFC violation, since the router will send
      the icmp time exceeeded message when using conntrack zones.
      Signed-off-by: default avatarVasily Averin <vvs@openvz.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7c3d5ab1
  6. 04 May, 2014 2 commits
    • Denys Fedoryshchenko's avatar
      netfilter: nfnetlink: Fix use after free when it fails to process batch · ecd15dd7
      Denys Fedoryshchenko authored
      This bug manifests when calling the nft command line tool without
      nf_tables kernel support.
      
      kernel message:
      [   44.071555] Netfilter messages via NETLINK v0.30.
      [   44.072253] BUG: unable to handle kernel NULL pointer dereference at 0000000000000119
      [   44.072264] IP: [<ffffffff8171db1f>] netlink_getsockbyportid+0xf/0x70
      [   44.072272] PGD 7f2b74067 PUD 7f2b73067 PMD 0
      [   44.072277] Oops: 0000 [#1] SMP
      [...]
      [   44.072369] Call Trace:
      [   44.072373]  [<ffffffff8171fd81>] netlink_unicast+0x91/0x200
      [   44.072377]  [<ffffffff817206c9>] netlink_ack+0x99/0x110
      [   44.072381]  [<ffffffffa004b951>] nfnetlink_rcv+0x3c1/0x408 [nfnetlink]
      [   44.072385]  [<ffffffff8171fde3>] netlink_unicast+0xf3/0x200
      [   44.072389]  [<ffffffff817201ef>] netlink_sendmsg+0x2ff/0x740
      [   44.072394]  [<ffffffff81044752>] ? __mmdrop+0x62/0x90
      [   44.072398]  [<ffffffff816dafdb>] sock_sendmsg+0x8b/0xc0
      [   44.072403]  [<ffffffff812f1af5>] ? copy_user_enhanced_fast_string+0x5/0x10
      [   44.072406]  [<ffffffff816dbb6c>] ? move_addr_to_kernel+0x2c/0x50
      [   44.072410]  [<ffffffff816db423>] ___sys_sendmsg+0x3c3/0x3d0
      [   44.072415]  [<ffffffff811301ba>] ? handle_mm_fault+0xa9a/0xc60
      [   44.072420]  [<ffffffff811362d6>] ? mmap_region+0x166/0x5a0
      [   44.072424]  [<ffffffff817da84c>] ? __do_page_fault+0x1dc/0x510
      [   44.072428]  [<ffffffff812b8b2c>] ? apparmor_capable+0x1c/0x60
      [   44.072435]  [<ffffffff817d6e9a>] ? _raw_spin_unlock_bh+0x1a/0x20
      [   44.072439]  [<ffffffff816dfc86>] ? release_sock+0x106/0x150
      [   44.072443]  [<ffffffff816dc212>] __sys_sendmsg+0x42/0x80
      [   44.072446]  [<ffffffff816dc262>] SyS_sendmsg+0x12/0x20
      [   44.072450]  [<ffffffff817df616>] system_call_fastpath+0x1a/0x1f
      Signed-off-by: default avatarDenys Fedoryshchenko <nuclearcat@nuclearcat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ecd15dd7
    • Florian Westphal's avatar
      netfilter: ipv4: defrag: set local_df flag on defragmented skb · 895162b1
      Florian Westphal authored
      else we may fail to forward skb even if original fragments do fit
      outgoing link mtu:
      
      1. remote sends 2k packets in two 1000 byte frags, DF set
      2. we want to forward but only see '2k > mtu and DF set'
      3. we then send icmp error saying that outgoing link is 1500
      
      But original sender never sent a packet that would not fit
      the outgoing link.
      
      Setting local_df makes outgoing path test size vs.
      IPCB(skb)->frag_max_size, so we will still send the correct
      error in case the largest original size did not fit
      outgoing link mtu.
      Reported-by: default avatarMaxime Bizon <mbizon@freebox.fr>
      Suggested-by: default avatarMaxime Bizon <mbizon@freebox.fr>
      Fixes: 5f2d04f1 (ipv4: fix path MTU discovery with connection tracking)
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      895162b1
  7. 29 Apr, 2014 1 commit
  8. 28 Apr, 2014 12 commits
  9. 27 Apr, 2014 5 commits
  10. 26 Apr, 2014 11 commits