linux/net/netfilter/nfnetlink_queue.c, branch v4.6 Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.6 2016-03-28T15:59:20Z netfilter: nfnetlink_queue: honor NFQA_CFG_F_FAIL_OPEN when netlink unicast fails 2016-03-28T15:59:20Z Pablo Neira Ayuso pablo@netfilter.org 2016-03-23T11:58:01Z urn:sha1:931401137f60fc299256bbc221c0b756be31c32c When netlink unicast fails to deliver the message to userspace, we should also check if the NFQA_CFG_F_FAIL_OPEN flag is set so we reinject the packet back to the stack. I think the user expects no packet drops when this flag is set due to queueing to userspace errors, no matter if related to the internal queue or when sending the netlink message to userspace. The userspace application will still get the ENOBUFS error via recvmsg() so the user still knows that, with the current configuration that is in place, the userspace application is not consuming the messages at the pace that the kernel needs. Reported-by: "Yigal Reiss (yreiss)" <yreiss@cisco.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: "Yigal Reiss (yreiss)" <yreiss@cisco.com> nfnetlink: Revert "nfnetlink: add support for memory mapped netlink" 2016-02-18T16:42:22Z Florian Westphal fw@strlen.de 2016-02-18T14:03:28Z urn:sha1:c5b0db3263b92526bc0c1b6380c0c99f91f069fc reverts commit 3ab1f683bf8b ("nfnetlink: add support for memory mapped netlink")' Like previous commits in the series, remove wrappers that are not needed after mmapped netlink removal. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> netfilter: nfnetlink_queue: autoload nf_conntrack_netlink module NFQA_CFG_F_CONNTRACK config flag 2016-01-08T12:25:06Z Ken-ichirou MATSUZAWA chamaken@gmail.com 2016-01-05T00:32:59Z urn:sha1:71b2e5f5ca3b163b90e487a96fd0cabbaf16792b This patch enables to load nf_conntrack_netlink module if NFQA_CFG_F_CONNTRACK config flag is specified. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nfnetlink_queue: just returns error for unknown command 2016-01-08T12:25:05Z Ken-ichirou MATSUZAWA chamaken@gmail.com 2016-01-05T00:31:40Z urn:sha1:21c3c971d1eb5d5598ddb1eda2fc3e4d2c992182 This patch stops processing options for unknown command. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nfnetlink_queue: don't handle options after unbind 2016-01-08T12:25:04Z Ken-ichirou MATSUZAWA chamaken@gmail.com 2016-01-05T00:29:54Z urn:sha1:17bc6b4884340b045e779be38ba9f574256866a2 This patch stops processing after destroying a queue instance. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nfnetlink_queue: validate dependencies to avoid breaking atomicity 2016-01-08T12:25:03Z Ken-ichirou MATSUZAWA chamaken@gmail.com 2016-01-05T00:28:05Z urn:sha1:60d2c7f9ab1cac8b2d44307b660eb7813091dbf0 Check that dependencies are fulfilled before updating the queue instance, otherwise we can leave things in intermediate state on errors in nfqnl_recv_config(). Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nfnetlink: pass down netns pointer to call() and call_rcu() 2015-12-28T17:41:41Z Pablo Neira Ayuso pablo@netfilter.org 2015-12-15T17:41:56Z urn:sha1:7b8002a1511fcbcb0596cac90d67ad5c8182d0aa Adapt callsites to avoid recurrent lookup of the netns pointer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nfnetlink_queue: Unregister pernet subsys in case of init failure 2015-12-09T13:46:47Z Nikolay Borisov kernel@kyup.com 2015-12-07T10:13:26Z urn:sha1:639e077b43d9c54ffb1e1b54a2de54597ceae1d8 Commit 3bfe049807c2403 ("netfilter: nfnetlink_{log,queue}: Register pernet in first place") reorganised the initialisation order of the pernet_subsys to avoid "use-before-initialised" condition. However, in doing so the cleanup logic in nfnetlink_queue got botched in that the pernet_subsys wasn't cleaned in case nfnetlink_subsys_register failed. This patch adds the necessary cleanup routine call. Fixes: 3bfe049807c2403 ("netfilter: nfnetlink_{log,queue}: Register pernet in first place") Signed-off-by: Nikolay Borisov <kernel@kyup.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nfnetlink_queue: avoid harmless unnitialized variable warnings 2015-11-23T10:22:26Z Arnd Bergmann arnd@arndb.de 2015-11-19T12:49:59Z urn:sha1:8e662164abb4a8fde701a46e1431980f9e325742 Several ARM default configurations give us warnings on recent compilers about potentially uninitialized variables in the nfnetlink code in two functions: net/netfilter/nfnetlink_queue.c: In function 'nfqnl_build_packet_message': net/netfilter/nfnetlink_queue.c:519:19: warning: 'nfnl_ct' may be used uninitialized in this function [-Wmaybe-uninitialized] if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) Moving the rcu_dereference(nfnl_ct_hook) call outside of the conditional code avoids the warning without forcing us to preinitialize the variable. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Fixes: a4b4766c3ceb ("netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: make nf_queue_entry_get_refs return void 2015-10-16T16:22:23Z Florian Westphal fw@strlen.de 2015-10-13T12:33:27Z urn:sha1:ed78d09d59ba9764b7454e8e1ccbb0072a55b6d7 We don't care if module is being unloaded anymore since hook unregister handling will destroy queue entries using that hook. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>