Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v6.8 2024-02-08T11:10:19Z 2024-02-08T11:10:19Z Florian Westphal fw@strlen.de 2024-02-06T16:54:18Z urn:sha1:f82777e8ce6c039cdcacbcf1eb8619b99a20c06d Only override userspace verdict if the ct hook returns something other than ACCEPT. Else, this replaces NF_REPEAT (run all hooks again) with NF_ACCEPT (move to next hook). Fixes: 6291b3a67ad5 ("netfilter: conntrack: convert nf_conntrack_update to netfilter verdicts") Reported-by: l.6diay@passmail.com Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2023-10-18T08:26:43Z Florian Westphal fw@strlen.de 2023-10-11T07:59:36Z urn:sha1:6291b3a67ad55102f163f6a636bc540e460f892d This function calls helpers that can return nf-verdicts, but then those get converted to -1/0 as thats what the caller expects. Theoretically NF_DROP could have an errno number set in the upper 24 bits of the return value. Or any of those helpers could return NF_STOLEN, which would result in use-after-free. This is fine as-is, the called functions don't do this yet. But its better to avoid possible future problems if the upcoming patchset to add NF_DROP_REASON() support gains further users, so remove the 0/-1 translation from the picture and pass the verdicts down to the caller. Signed-off-by: Florian Westphal <fw@strlen.de> 2023-06-10T07:11:41Z Eric Dumazet edumazet@google.com 2023-06-08T19:17:37Z urn:sha1:d457a0e329b0bfd3a1450e0b1a18cd2b47a25a08 Move declarations into include/net/gso.h and code into net/core/gso.c Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Stanislav Fomichev <sdf@google.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20230608191738.3947077-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-03-30T20:20:09Z Eric Sage eric_sage@apple.com 2023-03-27T17:44:49Z urn:sha1:28c1b6df436819a7ed8a781835766e45139771a3 This enables associating a socket with a v1 net_cls cgroup. Useful for applying a per-cgroup policy when processing packets in userspace. Signed-off-by: Eric Sage <eric_sage@apple.com> Signed-off-by: Florian Westphal <fw@strlen.de> 2022-07-26T19:12:42Z Florian Westphal fw@strlen.de 2022-07-26T10:42:06Z urn:sha1:99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 Domingo Dirutigliano and Nicola Guerrera report kernel panic when sending nf_queue verdict with 1-byte nfta_payload attribute. The IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook. If user truncates the packet below the header size, this skb_pull() will result in a malformed skb (skb->len < 0). Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink") Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me> Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-03-03T19:55:12Z Jakub Kicinski kuba@kernel.org 2022-03-03T19:55:12Z urn:sha1:80901bff812984624918d9d03f9286e3245ee9a5 net/batman-adv/hard-interface.c commit 690bb6fb64f5 ("batman-adv: Request iflink once in batadv-on-batadv check") commit 6ee3c393eeb7 ("batman-adv: Demote batadv-on-batadv skip error message") https://lore.kernel.org/all/20220302163049.101957-1-sw@simonwunderlich.de/ net/smc/af_smc.c commit 4d08b7b57ece ("net/smc: Fix cleanup when register ULP fails") commit 462791bbfa35 ("net/smc: add sysctl interface for SMC") https://lore.kernel.org/all/20220302112209.355def40@canb.auug.org.au/ Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2022-03-03T14:38:48Z Martin KaFai Lau kafai@fb.com 2022-03-02T19:56:15Z urn:sha1:80fcec675112bd2f697ca1ca74ceb923c53cd569 If skb has the (rcv) timestamp available, nfnetlink_{log, queue}.c logs/outputs it to the userspace. When the locally generated skb is looping from egress to ingress over a virtual interface (e.g. veth, loopback...), skb->tstamp may have the delivery time before it is known that will be delivered locally and received by another sk. Like handling the delivery time in network tapping, use ktime_get_real() to get the (rcv) timestamp. The earlier added helper skb_tstamp_cond() is used to do this. false is passed to the second 'cond' arg such that doing ktime_get_real() or not only depends on the netstamp_needed_key static key. Signed-off-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2022-03-01T10:50:35Z Florian Westphal fw@strlen.de 2022-02-28T05:22:22Z urn:sha1:c3873070247d9e3c7a6b0cf9bf9b45e8018427b1 Eric Dumazet says: The sock_hold() side seems suspect, because there is no guarantee that sk_refcnt is not already 0. On failure, we cannot queue the packet and need to indicate an error. The packet will be dropped by the caller. v2: split skb prefetch hunk into separate change Fixes: 271b72c7fa82c ("udp: RCU handling for Unicast packets.") Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Florian Westphal <fw@strlen.de> 2022-02-09T11:04:03Z Nicolas Dichtel nicolas.dichtel@6wind.com 2022-02-04T10:21:43Z urn:sha1:98eee88b8decb47ed9bacd0bbd698a36c1983a8a This is a follow up of the previous patch that enables to get skb->priority. It's now posssible to set it also. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: Florian Westphal <fw@strlen.de> Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-02-04T05:30:27Z Nicolas Dichtel nicolas.dichtel@6wind.com 2022-01-17T20:56:13Z urn:sha1:8b5413647262dda8d8d0e07e14ea1de9ac7cf0b2 This info could be useful to improve traffic analysis. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>