From: Luis Henriques <luis.henriques@canonical.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH -stable] netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse
Date: Mon, 14 Dec 2015 17:12:56 +0000 [thread overview]
Message-ID: <20151214171256.GD3120@ares> (raw)
In-Reply-To: <1450095436-24855-4-git-send-email-pablo@netfilter.org>
On Mon, Dec 14, 2015 at 01:17:14PM +0100, Pablo Neira Ayuso wrote:
> From: lucien <lucien.xin@gmail.com>
>
> [ upstream commit cc4998febd567d1c671684abce5595344bd4e8b2 ]
>
> --accept-local option works for res.type == RTN_LOCAL, which should be
> from the local table, but there, the fib_info's nh->nh_scope =
> RT_SCOPE_NOWHERE ( > RT_SCOPE_HOST). in fib_create_info().
>
> if (cfg->fc_scope == RT_SCOPE_HOST) {
> struct fib_nh *nh = fi->fib_nh;
>
> /* Local address is added. */
> if (nhs != 1 || nh->nh_gw)
> goto err_inval;
> nh->nh_scope = RT_SCOPE_NOWHERE; <===
> nh->nh_dev = dev_get_by_index(net, fi->fib_nh->nh_oif);
> err = -ENODEV;
> if (!nh->nh_dev)
> goto failure;
>
> but in our rpfilter_lookup_reverse():
>
> if (dev_match || flags & XT_RPFILTER_LOOSE)
> return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
>
> if nh->nh_scope > RT_SCOPE_HOST, it will fail. --accept-local option
> will never be passed.
>
> it seems the test is bogus and can be removed to fix this issue.
>
> if (dev_match || flags & XT_RPFILTER_LOOSE)
> return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
>
> ipv6 does not have this issue.
>
> Cc: <stable@vger.kernel.org> # 3.14.x
> Cc: <stable@vger.kernel.org> # 3.18.x
> Cc: <stable@vger.kernel.org> # 4.1.x
> Cc: <stable@vger.kernel.org> # 4.2.x
Thanks, I'm queuing this one and the next 2 to the 3.16 kernel as well
(some of the other patches had already been included).
Cheers,
--
Luís
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> Acked-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> net/ipv4/netfilter/ipt_rpfilter.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
> index 8618fd1..c4ffc9d 100644
> --- a/net/ipv4/netfilter/ipt_rpfilter.c
> +++ b/net/ipv4/netfilter/ipt_rpfilter.c
> @@ -61,9 +61,7 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
> if (FIB_RES_DEV(res) == dev)
> dev_match = true;
> #endif
> - if (dev_match || flags & XT_RPFILTER_LOOSE)
> - return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
> - return dev_match;
> + return dev_match || flags & XT_RPFILTER_LOOSE;
> }
>
> static bool rpfilter_is_local(const struct sk_buff *skb)
> --
> 2.1.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Luis Henriques <luis.henriques@canonical.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH -stable] netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse
Date: Mon, 14 Dec 2015 17:12:56 +0000 [thread overview]
Message-ID: <20151214171256.GD3120@ares> (raw)
In-Reply-To: <1450095436-24855-4-git-send-email-pablo@netfilter.org>
On Mon, Dec 14, 2015 at 01:17:14PM +0100, Pablo Neira Ayuso wrote:
> From: lucien <lucien.xin@gmail.com>
>
> [ upstream commit cc4998febd567d1c671684abce5595344bd4e8b2 ]
>
> --accept-local option works for res.type == RTN_LOCAL, which should be
> from the local table, but there, the fib_info's nh->nh_scope =
> RT_SCOPE_NOWHERE ( > RT_SCOPE_HOST). in fib_create_info().
>
> if (cfg->fc_scope == RT_SCOPE_HOST) {
> struct fib_nh *nh = fi->fib_nh;
>
> /* Local address is added. */
> if (nhs != 1 || nh->nh_gw)
> goto err_inval;
> nh->nh_scope = RT_SCOPE_NOWHERE; <===
> nh->nh_dev = dev_get_by_index(net, fi->fib_nh->nh_oif);
> err = -ENODEV;
> if (!nh->nh_dev)
> goto failure;
>
> but in our rpfilter_lookup_reverse():
>
> if (dev_match || flags & XT_RPFILTER_LOOSE)
> return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
>
> if nh->nh_scope > RT_SCOPE_HOST, it will fail. --accept-local option
> will never be passed.
>
> it seems the test is bogus and can be removed to fix this issue.
>
> if (dev_match || flags & XT_RPFILTER_LOOSE)
> return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
>
> ipv6 does not have this issue.
>
> Cc: <stable@vger.kernel.org> # 3.14.x
> Cc: <stable@vger.kernel.org> # 3.18.x
> Cc: <stable@vger.kernel.org> # 4.1.x
> Cc: <stable@vger.kernel.org> # 4.2.x
Thanks, I'm queuing this one and the next 2 to the 3.16 kernel as well
(some of the other patches had already been included).
Cheers,
--
Lu�s
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> Acked-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> net/ipv4/netfilter/ipt_rpfilter.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
> index 8618fd1..c4ffc9d 100644
> --- a/net/ipv4/netfilter/ipt_rpfilter.c
> +++ b/net/ipv4/netfilter/ipt_rpfilter.c
> @@ -61,9 +61,7 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
> if (FIB_RES_DEV(res) == dev)
> dev_match = true;
> #endif
> - if (dev_match || flags & XT_RPFILTER_LOOSE)
> - return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
> - return dev_match;
> + return dev_match || flags & XT_RPFILTER_LOOSE;
> }
>
> static bool rpfilter_is_local(const struct sk_buff *skb)
> --
> 2.1.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2015-12-14 17:12 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-14 12:17 [PATCH -stable] netfilter: nf_log: don't zap all loggers on unregister Pablo Neira Ayuso
2015-12-14 12:17 ` [PATCH -stable-3.18] netfilter: nft_compat: fix module refcount underflow Pablo Neira Ayuso
2015-12-14 12:17 ` [PATCH -stable] netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC Pablo Neira Ayuso
2015-12-14 12:17 ` [PATCH -stable] netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse Pablo Neira Ayuso
2015-12-14 17:12 ` Luis Henriques [this message]
2015-12-14 17:12 ` Luis Henriques
2015-12-14 12:17 ` [PATCH -stable] netfilter: nf_tables: fix bogus warning in nft_data_uninit() Pablo Neira Ayuso
2015-12-14 12:17 ` [PATCH -stable] netfilter: ip6t_SYNPROXY: fix NULL pointer dereference Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151214171256.GD3120@ares \
--to=luis.henriques@canonical.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.