<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net/ipv4/netfilter, branch v3.18</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v3.18</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v3.18'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2014-11-10T16:56:28Z</updated>
<entry>
<title>netfilter: nft_masq: fix uninitialized range in nft_masq_{ipv4, ipv6}_eval</title>
<updated>2014-11-10T16:56:28Z</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2014-11-07T14:34:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=6b96686ecffcbea85dcb502e4584e4a20a2bfb29'/>
<id>urn:sha1:6b96686ecffcbea85dcb502e4584e4a20a2bfb29</id>
<content type='text'>
When transferring from the original range in nf_nat_masquerade_{ipv4,ipv6}()
we copy over values from the stack in min_proto/max_proto due to the uninitialized
range variable in both nft_masq_{ipv4,ipv6}_eval. As we only initialize
flags at this time from the nft_masq struct, just zero out the rest.

Fixes: 9ba1f726bec09 ("netfilter: nf_tables: add new nft_masq expression")
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Arturo Borrero Gonzalez &lt;arturo.borrero.glez@gmail.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_reject_ipv4: split nf_send_reset() in smaller functions</title>
<updated>2014-10-31T11:49:05Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-10-25T16:24:57Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=052b9498eea532deb5de75277a53f6e0623215dc'/>
<id>urn:sha1:052b9498eea532deb5de75277a53f6e0623215dc</id>
<content type='text'>
That can be reused by the reject bridge expression to build the reject
packet. The new functions are:

* nf_reject_ip_tcphdr_get(): to sanitize and to obtain the TCP header.
* nf_reject_iphdr_put(): to build the IPv4 header.
* nf_reject_ip_tcphdr_put(): to build the TCP header.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_tables: restrict nat/masq expressions to nat chain type</title>
<updated>2014-10-13T18:42:00Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-10-13T17:50:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=7210e4e38f945dfa173c4a4e59ad827c9ecad541'/>
<id>urn:sha1:7210e4e38f945dfa173c4a4e59ad827c9ecad541</id>
<content type='text'>
This adds the missing validation code to avoid the use of nat/masq from
non-nat chains. The validation assumes two possible configuration
scenarios:

1) Use of nat from base chain that is not of nat type. Reject this
   configuration from the nft_*_init() path of the expression.

2) Use of nat from non-base chain. In this case, we have to wait until
   the non-base chain is referenced by at least one base chain via
   jump/goto. This is resolved from the nft_*_validate() path which is
   called from nf_tables_check_loops().

The user gets an -EOPNOTSUPP in both cases.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: missing module license in the nf_reject_ipvX modules</title>
<updated>2014-10-11T12:59:41Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-10-10T09:25:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=ab2d7251d666995740da17b2a51ca545ac5dd037'/>
<id>urn:sha1:ab2d7251d666995740da17b2a51ca545ac5dd037</id>
<content type='text'>
[   23.545204] nf_reject_ipv4: module license 'unspecified' taints kernel.

Fixes: c8d7b98 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules")
Reported-by: Dave Young &lt;dyoung@redhat.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nft_masq: register/unregister notifiers on module init/exit</title>
<updated>2014-10-03T12:24:35Z</updated>
<author>
<name>Arturo Borrero</name>
<email>arturo.borrero.glez@gmail.com</email>
</author>
<published>2014-10-03T12:13:36Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=8da4cc1b10c1aeba090d1d862b17174e4dbd50a4'/>
<id>urn:sha1:8da4cc1b10c1aeba090d1d862b17174e4dbd50a4</id>
<content type='text'>
We have to register the notifiers in the masquerade expression from
the module _init and _exit path.

This fixes crashes when removing the masquerade rule with no
ipt_MASQUERADE support in place (which was masking the problem).

Fixes: 9ba1f72 ("netfilter: nf_tables: add new nft_masq expression")
Signed-off-by: Arturo Borrero Gonzalez &lt;arturo.borrero.glez@gmail.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: use IS_ENABLED(CONFIG_BRIDGE_NETFILTER)</title>
<updated>2014-10-02T16:30:54Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-10-01T09:19:17Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=1109a90c01177e8f4a5fd95c5b685ad02f1fe9bb'/>
<id>urn:sha1:1109a90c01177e8f4a5fd95c5b685ad02f1fe9bb</id>
<content type='text'>
In 34666d4 ("netfilter: bridge: move br_netfilter out of the core"),
the bridge netfilter code has been modularized.

Use IS_ENABLED instead of ifdef to cover the module case.

Fixes: 34666d4 ("netfilter: bridge: move br_netfilter out of the core")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: move nf_send_resetX() code to nf_reject_ipvX modules</title>
<updated>2014-10-02T16:30:49Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-09-26T12:35:15Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=c8d7b98bec43faaa6583c3135030be5eb4693acb'/>
<id>urn:sha1:c8d7b98bec43faaa6583c3135030be5eb4693acb</id>
<content type='text'>
Move nf_send_reset() and nf_send_reset6() to nf_reject_ipv4 and
nf_reject_ipv6 respectively. This code is shared by x_tables and
nf_tables.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nft_reject: introduce icmp code abstraction for inet and bridge</title>
<updated>2014-10-02T16:29:57Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-09-26T12:35:14Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=51b0a5d8c21a91801bbef9bcc8639dc0b206c6cd'/>
<id>urn:sha1:51b0a5d8c21a91801bbef9bcc8639dc0b206c6cd</id>
<content type='text'>
This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides
an abstraction to the ICMP and ICMPv6 codes that you can use from the
inet and bridge tables, they are:

* NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
* NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
* NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
* NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratively prohibited

You can still use the specific codes when restricting the rule to match
the corresponding layer 3 protocol.

I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have
different semantics depending on the table family and to allow the user
to specify ICMP family specific codes if they restrict it to the
corresponding family.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: masquerading needs to be independent of x_tables in Kconfig</title>
<updated>2014-09-12T07:40:18Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-09-11T15:51:27Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=0bbe80e571c7b866afd92a98edd32a969467a7a9'/>
<id>urn:sha1:0bbe80e571c7b866afd92a98edd32a969467a7a9</id>
<content type='text'>
Users are starting to test nf_tables with no x_tables support. Therefore,
masquerading needs to be independent of it in Kconfig.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: NFT_CHAIN_NAT_IPV* is independent of NFT_NAT</title>
<updated>2014-09-12T07:40:17Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-09-11T15:42:00Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=3e8dc212a0e68a9a90c97f34a92c4cdd97d19dd3'/>
<id>urn:sha1:3e8dc212a0e68a9a90c97f34a92c4cdd97d19dd3</id>
<content type='text'>
Now that we have masquerading support in nf_tables, the NAT chain can
be used with it, not only for SNAT/DNAT. So make this chain type
independent of it.

While at it, move it inside the scope of 'if NF_NAT_IPV*' to simplify
dependencies.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
