* [PATCH 0/6] Netfilter/nftables fixes for net
@ 2014-05-20 9:45 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2014-05-20 9:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains nftables fixes for your net tree; they
are:
1) Fix crash when using the goto action in a rule by making sure that
we always fall back on the base chain. Otherwise, this may try to
access the counter memory area of non-base chains, which does not
exist.
2) Fix several aspects of the rule tracing that are currently broken:
* Reset rule number counter after goto/jump action, otherwise the
tracing reports a bogus rule number.
* Fix tracing of the goto action.
* Fix bogus rule number counter after goto.
* Fix missing return trace after finishing the walk through the
non-base chain.
* Fix missing trace when matching non-terminal rule.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit a8951d5814e1373807a94f79f7ccec7041325470:
netfilter: Fix potential use after free in ip6_route_me_harder() (2014-05-09 02:36:39 +0200)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 3b084e99a3fabaeb0f9c65a0806cde30f0b2835e:
netfilter: nf_tables: fix trace of matching non-terminal rule (2014-05-15 19:44:20 +0200)
----------------------------------------------------------------
Pablo Neira Ayuso (6):
netfilter: nf_tables: reset rule number counter after jump and goto
netfilter: nf_tables: fix goto action
netfilter: nf_tables: fix tracing of the goto action
netfilter: nf_tables: fix bogus rulenum after goto action
netfilter: nf_tables: fix missing return trace at the end of non-base chain
netfilter: nf_tables: fix trace of matching non-terminal rule
net/netfilter/nf_tables_core.c | 49 +++++++++++++++++++---------------------
1 file changed, 23 insertions(+), 26 deletions(-)
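A constructed C model of the control flow this series fixes, added here as an illustration; it is not the kernel's nf_tables_core.c and not code from this thread. Chains are arrays of verdicts, a jump pushes a return frame while a goto does not, the rule counter is reset on every chain entry, and the policy is always read from the tracked base chain. Every name in it (do_chain, emit, trace_log, the sample chains) is this example's own.

```c
#include <string.h>
/* Constructed model of nft_do_chain's jump/goto control flow, not kernel code:
 * jump pushes a return frame, goto does not, and only the base chain's policy
 * and counters are valid, which the pre-fix code looked up through the wrong chain. */
enum verdict { V_BREAK, V_CONTINUE, V_ACCEPT, V_DROP, V_JUMP, V_GOTO, V_RETURN };
struct rule  { enum verdict v; int target; };   /* V_BREAK = no match; target = chain index */
struct chain { const char *name; int is_base; enum verdict policy; const struct rule *rules; int n; };
struct trace { const char *chain; int rulenum; const char *type; };
struct trace trace_log[32]; int trace_len;
static void emit(const char *c, int num, const char *t) { if (trace_len < 32) trace_log[trace_len++] = (struct trace){c, num, t}; }
/* Walk from chains[start]; returns the final verdict and fills trace_log. */
enum verdict do_chain(const struct chain *chains, int start)
{
    struct { int chain, next, rulenum; } stack[16];
    int cur = start, base = start, sp = 0, rulenum, i;   /* base tracked explicitly (patch 2/6) */
    trace_len = 0;
do_chain:
    rulenum = 0; i = 0;                                  /* counter reset on chain entry (patch 1/6) */
next_rule:
    for (; i < chains[cur].n; i++) {
        enum verdict v = chains[cur].rules[i].v;
        rulenum++;
        if (v == V_BREAK) continue;                      /* no match: not traced (patch 6/6) */
        if (v == V_RETURN) {                             /* explicit return (patch 5/6) */
            emit(chains[cur].name, rulenum, "return");
            goto pop;
        }
        emit(chains[cur].name, rulenum, "rule");         /* every match traced (patches 3/6, 6/6) */
        if (v == V_ACCEPT || v == V_DROP) return v;      /* terminal verdict */
        if (v == V_JUMP) {                               /* push frame, then enter target */
            stack[sp].chain = cur; stack[sp].next = i + 1; stack[sp].rulenum = rulenum; sp++;
            cur = chains[cur].rules[i].target; goto do_chain;
        }
        if (v == V_GOTO) { cur = chains[cur].rules[i].target; goto do_chain; }  /* no frame */
    }
    if (!chains[cur].is_base)
        emit(chains[cur].name, ++rulenum, "return");     /* implicit return at chain end (patch 5/6) */
pop:
    if (sp > 0) {                                        /* back from a jump: restore position */
        sp--; cur = stack[sp].chain; i = stack[sp].next; rulenum = stack[sp].rulenum;
        goto next_rule;
    }
    emit(chains[base].name, -1, "policy");               /* -1 marks the policy step (patch 4/6) */
    return chains[base].policy;                          /* base, never cur: cur may be non-base */
}
/* Constructed sample: base chain "input" (policy drop) does goto "custom", which has no
 * terminal match; "custom" gets a distinct policy value only to show it is never used. */
static const struct rule custom_rules[] = { {V_BREAK, 0}, {V_CONTINUE, 0} };
static const struct rule input_rules[]  = { {V_CONTINUE, 0}, {V_GOTO, 1}, {V_ACCEPT, 0} };
const struct chain sample[] = { {"input", 1, V_DROP, input_rules, 3}, {"custom", 0, V_ACCEPT, custom_rules, 2} };
```

Running do_chain(sample, 0) returns the base chain's drop policy and a trace of rule 1 and rule 2 of "input", rule 2 and an implicit return (rule 3) of "custom", then the policy entry with rule number -1.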
* [PATCH 1/6] netfilter: nf_tables: reset rule number counter after jump and goto
From: Pablo Neira Ayuso @ 2014-05-20 9:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Otherwise we start incrementing the rule number counter from the
previous chain iteration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 8041053..4368c58 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -123,7 +123,7 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
struct nft_data data[NFT_REG_MAX + 1];
unsigned int stackptr = 0;
struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
- int rulenum = 0;
+ int rulenum;
/*
* Cache cursor to avoid problems in case that the cursor is updated
* while traversing the ruleset.
@@ -131,6 +131,7 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
unsigned int gencursor = ACCESS_ONCE(chain->net->nft.gencursor);
do_chain:
+ rulenum = 0;
rule = list_entry(&chain->rules, struct nft_rule, list);
next_rule:
data[NFT_REG_VERDICT].verdict = NFT_CONTINUE;
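Review bot: the `rulenum = 0;` placed right after `do_chain:` is reached both on the initial entry and on every later `goto do_chain` taken for jump and goto, which is what the commit message asks for; since the first hunk dropped the initializer from `int rulenum;`, it is worth double-checking that no path reads rulenum before reaching do_chain, or keeping the `= 0` at the declaration as well so the variable is never uninitialized regardless of how the control flow evolves.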
--
1.7.10.4
* [PATCH 2/6] netfilter: nf_tables: fix goto action
From: Pablo Neira Ayuso @ 2014-05-20 9:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
This patch fixes a crash when trying to access the counters and the
default chain policy from the non-base chain that we have reached
via the goto chain. Fix this by falling back on the original base
chain after returning from the custom chain.
While fixing this, kill the inline function to account chain statistics
to improve source code readability.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_core.c | 28 ++++++++++------------------
1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 4368c58..7d83a49 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -66,20 +66,6 @@ struct nft_jumpstack {
int rulenum;
};
-static inline void
-nft_chain_stats(const struct nft_chain *this, const struct nft_pktinfo *pkt,
- struct nft_jumpstack *jumpstack, unsigned int stackptr)
-{
- struct nft_stats __percpu *stats;
- const struct nft_chain *chain = stackptr ? jumpstack[0].chain : this;
-
- rcu_read_lock_bh();
- stats = rcu_dereference(nft_base_chain(chain)->stats);
- __this_cpu_inc(stats->pkts);
- __this_cpu_add(stats->bytes, pkt->skb->len);
- rcu_read_unlock_bh();
-}
-
enum nft_trace {
NFT_TRACE_RULE,
NFT_TRACE_RETURN,
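Review bot: removing `nft_chain_stats()` also removes the `stackptr ? jumpstack[0].chain : this` lookup, and that lookup is the actual cause of the crash: a goto does not push a jumpstack entry (the `case NFT_GOTO:` path only sets `chain` and jumps to do_chain), so with stackptr still 0 the helper called `nft_base_chain(this)` on a non-base chain. Spelling that out in the commit message would record why tracking `basechain` explicitly is the fix rather than just a readability change.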
@@ -117,12 +103,13 @@ static void nft_trace_packet(const struct nft_pktinfo *pkt,
unsigned int
nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
{
- const struct nft_chain *chain = ops->priv;
+ const struct nft_chain *chain = ops->priv, *basechain = chain;
const struct nft_rule *rule;
const struct nft_expr *expr, *last;
struct nft_data data[NFT_REG_MAX + 1];
unsigned int stackptr = 0;
struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
+ struct nft_stats __percpu *stats;
int rulenum;
/*
* Cache cursor to avoid problems in case that the cursor is updated
@@ -209,12 +196,17 @@ next_rule:
rulenum = jumpstack[stackptr].rulenum;
goto next_rule;
}
- nft_chain_stats(chain, pkt, jumpstack, stackptr);
if (unlikely(pkt->skb->nf_trace))
- nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_POLICY);
+ nft_trace_packet(pkt, basechain, ++rulenum, NFT_TRACE_POLICY);
+
+ rcu_read_lock_bh();
+ stats = rcu_dereference(nft_base_chain(basechain)->stats);
+ __this_cpu_inc(stats->pkts);
+ __this_cpu_add(stats->bytes, pkt->skb->len);
+ rcu_read_unlock_bh();
- return nft_base_chain(chain)->policy;
+ return nft_base_chain(basechain)->policy;
}
EXPORT_SYMBOL_GPL(nft_do_chain);
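Review bot: the policy trace, the open-coded stats update and `return nft_base_chain(basechain)->policy;` all switch to `basechain`, so a one-line comment above the `rcu_read_lock_bh();` block saying that `chain` may still point at a goto target here and must not be used would protect the fix from a later "simplification". Minor: `stats` could be declared in that block instead of at the top of the function, since it is only used there.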
--
1.7.10.4
* [PATCH 3/6] netfilter: nf_tables: fix tracing of the goto action
From: Pablo Neira Ayuso @ 2014-05-20 9:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Add missing code to trace goto actions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_core.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 7d83a49..f55fb28 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -171,8 +171,12 @@ next_rule:
jumpstack[stackptr].rule = rule;
jumpstack[stackptr].rulenum = rulenum;
stackptr++;
- /* fall through */
+ chain = data[NFT_REG_VERDICT].chain;
+ goto do_chain;
case NFT_GOTO:
+ if (unlikely(pkt->skb->nf_trace))
+ nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
+
chain = data[NFT_REG_VERDICT].chain;
goto do_chain;
case NFT_RETURN:
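Review bot: the NFT_JUMP case now repeats `chain = data[NFT_REG_VERDICT].chain; goto do_chain;` instead of falling through, so that the new trace under `case NFT_GOTO:` fires only for goto; a short comment on the jump case would stop a future cleanup from re-merging the two. The goto trace passes the current `chain` and `rulenum` without an increment, i.e. it reports the rule that issued the goto, which is consistent with NFT_TRACE_RULE.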
--
1.7.10.4
* [PATCH 4/6] netfilter: nf_tables: fix bogus rulenum after goto action
From: Pablo Neira Ayuso @ 2014-05-20 9:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
After returning from the chain that we just went to with no matchings,
we get a bogus rule number in the trace. To fix this, we would need
to iterate over the list of remaining rules in the chain to update the
rule number counter.
Patrick suggested setting this to the maximum value, since the default
base chain policy is the very last action once the processing of the base
chain is over.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index f55fb28..be08a96 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -202,7 +202,7 @@ next_rule:
}
if (unlikely(pkt->skb->nf_trace))
- nft_trace_packet(pkt, basechain, ++rulenum, NFT_TRACE_POLICY);
+ nft_trace_packet(pkt, basechain, -1, NFT_TRACE_POLICY);
rcu_read_lock_bh();
stats = rcu_dereference(nft_base_chain(basechain)->stats);
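Review bot: the commit message says the rule number is set to "the maximum value", but the call passes `-1`; whether that is printed as a maximum depends on the type of nft_trace_packet's rulenum parameter, which is not visible in this hunk. A named constant or a comment at the call site would make the intent explicit (the policy applies after the last rule, so there is no real rule number) and keep readers from mistaking -1 for an error code.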
--
1.7.10.4
* [PATCH 5/6] netfilter: nf_tables: fix missing return trace at the end of non-base chain
From: Pablo Neira Ayuso @ 2014-05-20 9:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Display "return" for the implicit rule at the end of a non-base chain,
instead of when popping the chain from the stack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_core.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index be08a96..421c36a 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -182,18 +182,16 @@ next_rule:
case NFT_RETURN:
if (unlikely(pkt->skb->nf_trace))
nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RETURN);
-
- /* fall through */
+ break;
case NFT_CONTINUE:
+ if (unlikely(pkt->skb->nf_trace && !(chain->flags & NFT_BASE_CHAIN)))
+ nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_RETURN);
break;
default:
WARN_ON(1);
}
if (stackptr > 0) {
- if (unlikely(pkt->skb->nf_trace))
- nft_trace_packet(pkt, chain, ++rulenum, NFT_TRACE_RETURN);
-
stackptr--;
chain = jumpstack[stackptr].chain;
rule = jumpstack[stackptr].rule;
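Review bot: with `case NFT_RETURN:` now ending in `break;`, an explicit return is traced exactly once with its own rulenum, and the `++rulenum` implicit-return trace under NFT_CONTINUE only fires for non-base chains, which matches the stated intent; a comment there explaining that a base chain falls through to the policy trace instead would help. Note that `unlikely()` now wraps both `pkt->skb->nf_trace` and the `NFT_BASE_CHAIN` flag test; nf_trace is still evaluated first, so the common untraced path pays only that one test.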
--
1.7.10.4
* [PATCH 6/6] netfilter: nf_tables: fix trace of matching non-terminal rule
From: Pablo Neira Ayuso @ 2014-05-20 9:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Add the corresponding trace if we have a full match in a non-terminal
rule. Note that the traces will look slightly different than in
x_tables, since the log message is emitted after all expressions have
been evaluated (contrary to x_tables, which emits it before the target
action). This manifests in two differences in nf_tables wrt. x_tables:
1) The rule that enables the tracing is included in the trace.
2) If the rule emits some log message, that is shown before the
trace log message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 421c36a..345acfb 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -144,8 +144,10 @@ next_rule:
switch (data[NFT_REG_VERDICT].verdict) {
case NFT_BREAK:
data[NFT_REG_VERDICT].verdict = NFT_CONTINUE;
- /* fall through */
+ continue;
case NFT_CONTINUE:
+ if (unlikely(pkt->skb->nf_trace))
+ nft_trace_packet(pkt, chain, rulenum, NFT_TRACE_RULE);
continue;
}
break;
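Review bot: `case NFT_BREAK:` now resets the verdict and `continue`s directly instead of falling through, so a rule whose expression did not match is never traced and only a full match that leaves NFT_CONTINUE reaches the new `nft_trace_packet(..., NFT_TRACE_RULE)` call; a comment on that `continue;` would make clear the dropped fall-through is deliberate, since the two cases were merged before. This placement is also what produces the two differences listed in the commit message: the trace runs after the rule's expressions, so an nf_trace flag or a log message set by the same rule is already in effect.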
--
1.7.10.4
* Re: [PATCH 0/6] Netfilter/nftables fixes for net
From: David Miller @ 2014-05-21 5:25 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 20 May 2014 11:45:20 +0200
> The following patchset contains nftables fixes for your net tree, they
> are:
...
Pulled, thanks a lot Pablo.