linux/net/netfilter, branch v3.16Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v3.162014-07-16T00:39:28Zipvs: avoid netns exit crash on ip_vs_conn_drop_conntrack2014-07-16T00:39:28ZJulian Anastasovja@ssi.bg2014-07-10T06:24:01Zurn:sha1:2627b7e15c5064ddd5e578e4efd948d48d531a3f
commit 8f4e0a18682d91 ("IPVS netns exit causes crash in conntrack")
added second ip_vs_conn_drop_conntrack call instead of just adding
the needed check. As result, the first call still can cause
crash on netns exit. Remove it.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
netfilter: nf_tables: 64bit stats need some extra synchronization2014-07-14T10:00:17ZEric Dumazetedumazet@google.com2014-07-09T13:14:06Zurn:sha1:ce355e209feb030945dae4c358c02f29a84f3f8b
Use generic u64_stats_sync infrastructure to get proper 64bit stats,
even on 32bit arches, at no extra cost for 64bit arches.
Without this fix, 32bit arches can have some wrong counters at the time
the carry is propagated into upper word.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: set NLM_F_DUMP_INTR if netlink dumping is stale2014-07-14T10:00:16ZPablo Neira Ayusopablo@netfilter.org2014-07-01T10:23:12Zurn:sha1:38e029f14a9702f71d5953246df9f722bca49017
An updater may interfer with the dumping of any of the object lists.
Fix this by using a per-net generation counter and use the
nl_dump_check_consistent() interface so the NLM_F_DUMP_INTR flag is set
to notify userspace that it has to restart the dump since an updater
has interfered.
This patch also replaces the existing consistency checking code in the
rule dumping path since it is broken. Basically, the value that the
dump callback returns is not propagated to userspace via
netlink_dump_start().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: safe RCU iteration on list when dumping2014-07-14T09:20:45ZPablo Neira Ayusopablo@netfilter.org2014-07-01T09:49:18Zurn:sha1:e688a7f8c6cb7a18aae7e55ccdd175f0ad9e69c0
The dump operation through netlink is not protected by the nfnl_lock.
Thus, a reader process can be dumping any of the existing object
lists while another process can be updating the list content.
This patch resolves this situation by protecting all the object
lists with RCU in the netlink dump path which is the reader side.
The updater path is already protected via nfnl_lock, so use list
manipulation RCU-safe operations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: skip transaction if no update flags in tables2014-06-30T09:44:24ZPablo Neira Ayusopablo@netfilter.org2014-06-27T16:51:39Zurn:sha1:63283dd21ed2bf25a71909a820ed3e8fe412e15d
Skip transaction handling for table updates with no changes in
the flags. This fixes a crash when passing the table flag with all
bits unset.
Reported-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_nat: fix oops on netns removal2014-06-16T11:58:54ZFlorian Westphalfw@strlen.de2014-06-07T19:17:04Zurn:sha1:945b2b2d259d1a4364a2799e80e8ff32f8c6ee6f
Quoting Samu Kallio:
Basically what's happening is, during netns cleanup,
nf_nat_net_exit gets called before ipv4_net_exit. As I understand
it, nf_nat_net_exit is supposed to kill any conntrack entries which
have NAT context (through nf_ct_iterate_cleanup), but for some
reason this doesn't happen (perhaps something else is still holding
refs to those entries?).
When ipv4_net_exit is called, conntrack entries (including those
with NAT context) are cleaned up, but the
nat_bysource hashtable is long gone - freed in nf_nat_net_exit. The
bug happens when attempting to free a conntrack entry whose NAT hash
'prev' field points to a slot in the freed hash table (head for that
bin).
We ignore conntracks with null nat bindings. But this is wrong,
as these are in bysource hash table as well.
Restore nat-cleaning for the netns-is-being-removed case.
bug:
https://bugzilla.kernel.org/show_bug.cgi?id=65191
Fixes: c2d421e1718 ('netfilter: nf_nat: fix race when unloading protocol modules')
Reported-by: Samu Kallio <samu.kallio@aberdeencloud.com>
Debugged-by: Samu Kallio <samu.kallio@aberdeencloud.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Tested-by: Samu Kallio <samu.kallio@aberdeencloud.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ctnetlink: add zone size to length2014-06-16T11:53:03ZKen-ichirou MATSUZAWAchamas@h4.dion.ne.jp2014-06-16T11:52:34Zurn:sha1:4a001068d790366bbf64ee927a363f752abafa71
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge branch 'ipvs'2014-06-16T11:22:33ZPablo Neira Ayusopablo@netfilter.org2014-06-16T11:20:39Zurn:sha1:98ca74f4d5b44e58d926a38ae160f1ff9573687e
Simon Horman says:
====================
Fix for panic due use of tot_stats estimator outside of CONFIG_SYSCTL
It has been present since v3.6.39.
====================
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_nat: don't dump port information if unset2014-06-16T11:08:14ZPablo Neira Ayusopablo@netfilter.org2014-06-13T11:45:38Zurn:sha1:915136065b7ca75af4cae06281e4dc43926edbfe
Don't include port information attributes if they are unset.
Reported-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: indicate family when dumping set elements2014-06-16T11:08:09ZPablo Neira Ayusopablo@netfilter.org2014-06-11T17:05:28Zurn:sha1:6403d96254c7c44fdfa163248b1198c714c65f6a
Set the nfnetlink header that indicates the family of this element.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>