<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net/netfilter, branch v5.3</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v5.3</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v5.3'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2019-09-03T20:55:42Z</updated>
<entry>
<title>netfilter: nf_flow_table: set default timeout after successful insertion</title>
<updated>2019-09-03T20:55:42Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2019-09-02T17:37:43Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=110e48725db6262f260f10727d0fb2d3d25895e4'/>
<id>urn:sha1:110e48725db6262f260f10727d0fb2d3d25895e4</id>
<content type='text'>
Set up the default timeout for this new entry otherwise the garbage
collector might quickly remove it right after the flowtable insertion.

Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: ctnetlink: honor IPS_OFFLOAD flag</title>
<updated>2019-09-03T20:55:41Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2019-09-02T17:37:42Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=b067fa009c884401d23846251031c1f14d8a9c77'/>
<id>urn:sha1:b067fa009c884401d23846251031c1f14d8a9c77</id>
<content type='text'>
If this flag is set, timeout and state are irrelevant to userspace.

Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled</title>
<updated>2019-09-03T20:53:56Z</updated>
<author>
<name>Leonardo Bras</name>
<email>leonardo@linux.ibm.com</email>
</author>
<published>2019-08-30T18:13:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=88209141392a4a2521a2f67c13d7db5e84efbb58'/>
<id>urn:sha1:88209141392a4a2521a2f67c13d7db5e84efbb58</id>
<content type='text'>
If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
dealing with an IPv6 packet, it causes a kernel panic in
fib6_node_lookup_1(), crashing in bad_page_fault.

The panic is caused by trying to dereference a very low address (0x38
in ppc64le), due to ipv6.fib6_main_tbl = NULL.
BUG: Kernel NULL pointer dereference at 0x00000038

The kernel panic was reproduced in a host that disabled IPv6 on boot and
has to process guest packets (coming from a bridge) using its ip6tables.

Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
is not loaded.

Signed-off-by: Leonardo Bras &lt;leonardo@linux.ibm.com&gt;
Acked-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nft_socket: fix erroneous socket assignment</title>
<updated>2019-09-02T21:20:59Z</updated>
<author>
<name>Fernando Fernandez Mancera</name>
<email>ffmancera@riseup.net</email>
</author>
<published>2019-09-01T09:48:08Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=039b1f4f24ecc8493b6bb9d70b4b78750d1b35c2'/>
<id>urn:sha1:039b1f4f24ecc8493b6bb9d70b4b78750d1b35c2</id>
<content type='text'>
The socket assignment is wrong, see skb_orphan():
When skb-&gt;destructor callback is not set, but skb-&gt;sk is set, this hits BUG().

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813
Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
Signed-off-by: Fernando Fernandez Mancera &lt;ffmancera@riseup.net&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_flow_table: clear skb tstamp before xmit</title>
<updated>2019-08-29T14:38:05Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-08-27T19:23:45Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=de20900fbe1c4fd36de25a7a5a43223254ecf0d0'/>
<id>urn:sha1:de20900fbe1c4fd36de25a7a5a43223254ecf0d0</id>
<content type='text'>
If 'fq' qdisc is used and a program has requested timestamps,
skb-&gt;tstamp needs to be cleared, else fq will treat these as
'transmit time'.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: conntrack: make sysctls per-namespace again</title>
<updated>2019-08-27T15:46:13Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-08-27T11:24:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=478553fd1b6f819390b64a2e13ac756c4d1a2836'/>
<id>urn:sha1:478553fd1b6f819390b64a2e13ac756c4d1a2836</id>
<content type='text'>
When I merged the extension sysctl tables with the main one I forgot to
reset them on netns creation.  They currently read/write init_net settings.

Fixes: d912dec12428 ("netfilter: conntrack: merge acct and helper sysctl table with main one")
Fixes: cb2833ed0044 ("netfilter: conntrack: merge ecache and timestamp sysctl tables with main one")
Reported-by: Shmulik Ladkani &lt;shmulik.ladkani@gmail.com&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack_ftp: Fix debug output</title>
<updated>2019-08-27T11:01:05Z</updated>
<author>
<name>Thomas Jarosch</name>
<email>thomas.jarosch@intra2net.com</email>
</author>
<published>2019-08-21T14:14:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=3a069024d371125227de3ac8fa74223fcf473520'/>
<id>urn:sha1:3a069024d371125227de3ac8fa74223fcf473520</id>
<content type='text'>
The find_pattern() debug output was printing the 'skip' character.
This can be a NULL-byte and messes up further pr_debug() output.

Output without the fix:
kernel: nf_conntrack_ftp: Pattern matches!
kernel: nf_conntrack_ftp: Skipped up to `&lt;7&gt;nf_conntrack_ftp: find_pattern `PORT': dlen = 8
kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8

Output with the fix:
kernel: nf_conntrack_ftp: Pattern matches!
kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter!
kernel: nf_conntrack_ftp: Match succeeded!
kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645)
kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8

Signed-off-by: Thomas Jarosch &lt;thomas.jarosch@intra2net.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: xt_physdev: Fix spurious error message in physdev_mt_check</title>
<updated>2019-08-27T10:58:28Z</updated>
<author>
<name>Todd Seidelmann</name>
<email>tseidelmann@linode.com</email>
</author>
<published>2019-08-21T15:47:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=3cf2f450fff304be9cf4868bf0df17f253bc5b1c'/>
<id>urn:sha1:3cf2f450fff304be9cf4868bf0df17f253bc5b1c</id>
<content type='text'>
Simplify the check in physdev_mt_check() to emit an error message
only when passed an invalid chain (i.e., NF_INET_LOCAL_OUT).
This avoids cluttering up the log with errors against valid rules.

For large/heavily modified rulesets, current behavior can quickly
overwhelm the ring buffer, because this function gets called on
every change, regardless of the rule that was changed.

Signed-off-by: Todd Seidelmann &lt;tseidelmann@linode.com&gt;
Acked-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info</title>
<updated>2019-08-19T07:34:21Z</updated>
<author>
<name>Juliana Rodrigueiro</name>
<email>juliana.rodrigueiro@intra2net.com</email>
</author>
<published>2019-08-16T15:02:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=89a26cd4b501e9511d3cd3d22327fc76a75a38b3'/>
<id>urn:sha1:89a26cd4b501e9511d3cd3d22327fc76a75a38b3</id>
<content type='text'>
When running a 64-bit kernel with a 32-bit iptables binary, the size of
the xt_nfacct_match_info struct diverges.

    kernel: sizeof(struct xt_nfacct_match_info) : 40
    iptables: sizeof(struct xt_nfacct_match_info)) : 36

Trying to append nfacct related rules results in an unhelpful message.
Although it is suggested to look for more information in dmesg, nothing
can be found there.

    # iptables -A &lt;chain&gt; -m nfacct --nfacct-name &lt;acct-object&gt;
    iptables: Invalid argument. Run `dmesg' for more information.

This patch fixes the memory misalignment by enforcing 8-byte alignment
within the struct's first revision. This solution is often used in many
other uapi netfilter headers.

Signed-off-by: Juliana Rodrigueiro &lt;juliana.rodrigueiro@intra2net.com&gt;
Acked-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nft_flow_offload: missing netlink attribute policy</title>
<updated>2019-08-19T07:34:20Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2019-08-16T09:23:58Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=14c415862c0630e01712a4eeaf6159a2b1b6d2a4'/>
<id>urn:sha1:14c415862c0630e01712a4eeaf6159a2b1b6d2a4</id>
<content type='text'>
The netlink attribute policy for NFTA_FLOW_TABLE_NAME is missing.

Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
