* [PATCH 1/8] netfilter: nfnetlink_log: unset nf_loggers for netns when unloading module
2013-12-28 22:02 [PATCH 0/8] Netfilter/IPVS fixes for net Pablo Neira Ayuso
@ 2013-12-28 22:03 ` Pablo Neira Ayuso
2013-12-28 22:03 ` [PATCH 2/8] netfilter: nft_exthdr: call ipv6_find_hdr() with explicitly initialized offset Pablo Neira Ayuso
` (7 subsequent siblings)
8 siblings, 0 replies; 13+ messages in thread
From: Pablo Neira Ayuso @ 2013-12-28 22:03 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Gao feng <gaofeng@cn.fujitsu.com>
Steven Rostedt and Arnaldo Carvalho de Melo reported a panic
when accessing the files /proc/sys/net/netfilter/nf_log/*.
This problem will occur when we do:
echo nfnetlink_log > /proc/sys/net/netfilter/nf_log/any_file
rmmod nfnetlink_log
and then access the files.
Since the nf_loggers of the netns haven't been unset, they will point
to memory that has been freed.
This bug is introduced by commit 9368a53c ("netfilter: nfnetlink_log:
add net namespace support for nfnetlink_log").
[17261.822047] BUG: unable to handle kernel paging request at ffffffffa0d49090
[17261.822056] IP: [<ffffffff8157aba0>] nf_log_proc_dostring+0xf0/0x1d0
[...]
[17261.822226] Call Trace:
[17261.822235] [<ffffffff81297b98>] ? security_capable+0x18/0x20
[17261.822240] [<ffffffff8106fa09>] ? ns_capable+0x29/0x50
[17261.822247] [<ffffffff8163d25f>] ? net_ctl_permissions+0x1f/0x90
[17261.822254] [<ffffffff81216613>] proc_sys_call_handler+0xb3/0xc0
[17261.822258] [<ffffffff81216651>] proc_sys_read+0x11/0x20
[17261.822265] [<ffffffff811a80de>] vfs_read+0x9e/0x170
[17261.822270] [<ffffffff811a8c09>] SyS_read+0x49/0xa0
[17261.822276] [<ffffffff810e6496>] ? __audit_syscall_exit+0x1f6/0x2a0
[17261.822283] [<ffffffff81656e99>] system_call_fastpath+0x16/0x1b
[17261.822285] Code: cc 81 4d 63 e4 4c 89 45 88 48 89 4d 90 e8 19 03 0d 00 4b 8b 84 e5 28 08 00 00 48 8b 4d 90 4c 8b 45 88 48 85 c0 0f 84 a8 00 00 00 <48> 8b 40 10 48 89 43 08 48 89 df 4c 89 f2 31 f6 e8 4b 35 af ff
[17261.822329] RIP [<ffffffff8157aba0>] nf_log_proc_dostring+0xf0/0x1d0
[17261.822334] RSP <ffff880274d3fe28>
[17261.822336] CR2: ffffffffa0d49090
[17261.822340] ---[ end trace a14ce54c0897a90d ]---
Reported-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_log.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 3c4b69e..a155d19 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -1053,6 +1053,7 @@ static void __net_exit nfnl_log_net_exit(struct net *net)
#ifdef CONFIG_PROC_FS
remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
#endif
+ nf_log_unset(net, &nfulnl_logger);
}
static struct pernet_operations nfnl_log_net_ops = {
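Review bot: the commit message names the offending commit only in prose ("introduced by commit 9368a53c"); add a `Fixes: 9368a53c ("netfilter: nfnetlink_log: add net namespace support for nfnetlink_log")` tag so stable tooling can pick this up. The placement itself is right: nfnl_log_net_exit() runs for every live namespace when the module's pernet ops are unregistered, so the per-netns logger pointer is cleared before the module text it points into goes away.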
--
1.7.10.4
* [PATCH 2/8] netfilter: nft_exthdr: call ipv6_find_hdr() with explicitly initialized offset
From: Pablo Neira Ayuso @ 2013-12-28 22:03 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Daniel Borkmann <dborkman@redhat.com>
In nft's nft_exthdr_eval() routine we process the IPv6 extension header
by invoking ipv6_find_hdr(), but we call it with an uninitialized
offset variable that contains some stack value. In ipv6_find_hdr()
we then test if the value of offset != 0 and call skb_header_pointer()
on that offset in order to map struct ipv6hdr into it. Fix it up by
initializing offset to 0 as it was probably intended to be.
Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_exthdr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 8e0bb75..55c939f 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -31,7 +31,7 @@ static void nft_exthdr_eval(const struct nft_expr *expr,
{
struct nft_exthdr *priv = nft_expr_priv(expr);
struct nft_data *dest = &data[priv->dreg];
- unsigned int offset;
+ unsigned int offset = 0;
int err;
err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
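Review bot: the fix is right, but it only works because ipv6_find_hdr() reads *offset as an input (a nonzero value is taken as the position to start parsing from), exactly as the commit message describes; a short comment at the declaration, e.g. `unsigned int offset = 0; /* ipv6_find_hdr() starts parsing at *offset */`, would stop a later cleanup from dropping the initializer as "written before read".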
--
1.7.10.4
* [PATCH 3/8] netfilter: nf_ct_timestamp: Fix BUG_ON after netns deletion
From: Pablo Neira Ayuso @ 2013-12-28 22:03 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Helmut Schaa <helmut.schaa@googlemail.com>
When nf_conntrack_timestamp is enabled, deleting a netns
can lead to the following BUG being triggered:
[63836.660000] Kernel bug detected[#1]:
[63836.660000] CPU: 0 PID: 0 Comm: swapper Not tainted 3.10.18 #14
[63836.660000] task: 802d9420 ti: 802d2000 task.ti: 802d2000
[63836.660000] $ 0 : 00000000 00000000 00000000 00000000
[63836.660000] $ 4 : 00000001 00000004 00000020 00000020
[63836.660000] $ 8 : 00000000 80064910 00000000 00000000
[63836.660000] $12 : 0bff0002 00000001 00000000 0a0a0abe
[63836.660000] $16 : 802e70a0 85f29d80 00000000 00000004
[63836.660000] $20 : 85fb62a0 00000002 802d3bc0 85fb62a0
[63836.660000] $24 : 00000000 87138110
[63836.660000] $28 : 802d2000 802d3b40 00000014 871327cc
[63836.660000] Hi : 000005ff
[63836.660000] Lo : f2edd000
[63836.660000] epc : 87138794 __nf_ct_ext_add_length+0xe8/0x1ec [nf_conntrack]
[63836.660000] Not tainted
[63836.660000] ra : 871327cc nf_conntrack_in+0x31c/0x7b8 [nf_conntrack]
[63836.660000] Status: 1100d403 KERNEL EXL IE
[63836.660000] Cause : 00800034
[63836.660000] PrId : 0001974c (MIPS 74Kc)
[63836.660000] Modules linked in: ath9k ath9k_common pppoe ppp_async iptable_nat ath9k_hw ath pppox ppp_generic nf_nat_ipv4 nf_conntrack_ipv4 mac80211 ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_quota xt_policy xt_pkttype xt_owner xt_nat xt_multiport xt_mark xh
[63836.660000] Process swapper (pid: 0, threadinfo=802d2000, task=802d9420, tls=00000000)
[63836.660000] Stack : 802e70a0 871323d4 00000005 87080234 802e70a0 86d2a840 00000000 00000000
[63836.660000] Call Trace:
[63836.660000] [<87138794>] __nf_ct_ext_add_length+0xe8/0x1ec [nf_conntrack]
[63836.660000] [<871327cc>] nf_conntrack_in+0x31c/0x7b8 [nf_conntrack]
[63836.660000] [<801ff63c>] nf_iterate+0x90/0xec
[63836.660000] [<801ff730>] nf_hook_slow+0x98/0x164
[63836.660000] [<80205968>] ip_rcv+0x3e8/0x40c
[63836.660000] [<801d9754>] __netif_receive_skb_core+0x624/0x6a4
[63836.660000] [<801da124>] process_backlog+0xa4/0x16c
[63836.660000] [<801d9bb4>] net_rx_action+0x10c/0x1e0
[63836.660000] [<8007c5a4>] __do_softirq+0xd0/0x1bc
[63836.660000] [<8007c730>] do_softirq+0x48/0x68
[63836.660000] [<8007c964>] irq_exit+0x54/0x70
[63836.660000] [<80060830>] ret_from_irq+0x0/0x4
[63836.660000] [<8006a9f8>] r4k_wait_irqoff+0x18/0x1c
[63836.660000] [<8009cfb8>] cpu_startup_entry+0xa4/0x104
[63836.660000] [<802eb918>] start_kernel+0x394/0x3ac
[63836.660000]
[63836.660000]
Code: 00821021 8c420000 2c440001 <00040336> 90440011 92350010 90560010 2485ffff 02a5a821
[63837.040000] ---[ end trace ebf660c3ce3b55e7 ]---
[63837.050000] Kernel panic - not syncing: Fatal exception in interrupt
[63837.050000] Rebooting in 3 seconds..
Fix this by not unregistering the conntrack extension in the per-netns
cleanup code.
This bug was introduced in (73f4001 netfilter: nf_ct_tstamp: move
initialization out of pernet_operations).
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_timestamp.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
index 902fb0a..7a394df 100644
--- a/net/netfilter/nf_conntrack_timestamp.c
+++ b/net/netfilter/nf_conntrack_timestamp.c
@@ -97,7 +97,6 @@ int nf_conntrack_tstamp_pernet_init(struct net *net)
void nf_conntrack_tstamp_pernet_fini(struct net *net)
{
nf_conntrack_tstamp_fini_sysctl(net);
- nf_ct_extend_unregister(&tstamp_extend);
}
int nf_conntrack_tstamp_init(void)
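Review bot: dropping nf_ct_extend_unregister() from nf_conntrack_tstamp_pernet_fini() is correct only if the extension is registered once globally and unregistered in the matching global fini; please confirm nf_conntrack_tstamp_fini() still calls `nf_ct_extend_unregister(&tstamp_extend)`, otherwise the extension type leaks across module unload. The commit message also cites the culprit as "(73f4001 netfilter: nf_ct_tstamp: ...)" in prose; a proper `Fixes: 73f4001 ("netfilter: nf_ct_tstamp: move initialization out of pernet_operations")` tag would be better.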
--
1.7.10.4
* [PATCH 4/8] netfilter: WARN about wrong usage of sequence number adjustments
From: Pablo Neira Ayuso @ 2013-12-28 22:03 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Jesper Dangaard Brouer <brouer@redhat.com>
Since commit 41d73ec053d2 (netfilter: nf_conntrack: make sequence
number adjustments usuable without NAT), the sequence number extension
is dynamically allocated.
Instead of dying, give a WARN splash in case of wrong usage of the
seqadj code, e.g. when forgetting to allocate via nfct_seqadj_ext_add().
Wrong usage has been seen in the IPVS code path.
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
net/netfilter/nf_conntrack_seqadj.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index 17c1bcb..b2d38da 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -36,6 +36,11 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
if (off == 0)
return 0;
+ if (unlikely(!seqadj)) {
+ WARN(1, "Wrong seqadj usage, missing nfct_seqadj_ext_add()\n");
+ return 0;
+ }
+
set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
spin_lock_bh(&ct->lock);
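Review bot: `WARN(1, ...)` fires on every call that hits the missing extension, so a misbehaving caller on a busy path floods the log; WARN_ONCE() would give the same diagnostic without the noise. Returning 0 also reports success to the caller while the adjustment is silently dropped; if callers check the return value, a negative error such as -EINVAL would make the misuse visible at the call site rather than only in dmesg.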
--
1.7.10.4
* [PATCH 5/8] ipvs: correct usage/allocation of seqadj ext in ipvs
From: Pablo Neira Ayuso @ 2013-12-28 22:03 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Jesper Dangaard Brouer <brouer@redhat.com>
The IPVS FTP helper ip_vs_ftp could trigger an OOPS in nf_ct_seqadj_set,
after commit 41d73ec053d2 (netfilter: nf_conntrack: make sequence number
adjustments usuable without NAT).
This is because the seqadj ext is now allocated dynamically, and the
IPVS code didn't handle this situation. Fix this in the IPVS nfct
code by invoking the alloc function nfct_seqadj_ext_add().
Fixes: 41d73ec053d2 (netfilter: nf_conntrack: make sequence number adjustments usuable without NAT)
Suggested-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
net/netfilter/ipvs/ip_vs_nfct.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
index c8beafd..5a355a4 100644
--- a/net/netfilter/ipvs/ip_vs_nfct.c
+++ b/net/netfilter/ipvs/ip_vs_nfct.c
@@ -63,6 +63,7 @@
#include <net/ip_vs.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_expect.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_zones.h>
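Review bot: style nit: the surrounding includes are in alphabetical order (core, expect, helper, zones), so the new nf_conntrack_seqadj.h belongs after nf_conntrack_helper.h rather than before it.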
@@ -97,6 +98,11 @@ ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
return;
+ /* Applications may adjust TCP seqs */
+ if (cp->app && nf_ct_protonum(ct) == IPPROTO_TCP &&
+ !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))
+ return;
+
/*
* The connection is not yet in the hashtable, so we update it.
* CIP->VIP will remain the same, so leave the tuple in
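Review bot: when nfct_seqadj_ext_add() fails the new `return` leaves ip_vs_update_conntrack() without touching the tuple, and nothing records that the update was skipped; a comment stating why silently skipping is the acceptable degraded behaviour here (or a rate-limited warning) would help the next reader, since the effect only shows up later as a conntrack/IPVS mismatch. The guard itself looks right: `!nfct_seqadj(ct)` avoids a double add, and allocation is limited to TCP connections with an application helper attached.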
--
1.7.10.4
* [PATCH 6/8] netfilter: nf_tables: fix dumping with large number of sets
From: Pablo Neira Ayuso @ 2013-12-28 22:03 UTC
To: netfilter-devel; +Cc: davem, netdev
If no table name is specified, the dumping of the existing sets
may be incomplete with a sufficiently large number of sets and
tables. This patch fixes the missing reset of the cursors after
finding the location of the last object that has been included
in the previous multi-part message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f93b7d0..d9fcd27 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2098,17 +2098,21 @@ static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
struct netlink_callback *cb)
{
const struct nft_set *set;
- unsigned int idx = 0, s_idx = cb->args[0];
+ unsigned int idx, s_idx = cb->args[0];
struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
if (cb->args[1])
return skb->len;
list_for_each_entry(table, &ctx->afi->tables, list) {
- if (cur_table && cur_table != table)
- continue;
+ if (cur_table) {
+ if (cur_table != table)
+ continue;
+ cur_table = NULL;
+ }
ctx->table = table;
+ idx = 0;
list_for_each_entry(set, &ctx->table->sets, list) {
if (idx < s_idx)
goto cont;
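Review bot: s_idx is still never reset once the resumed table has been passed. With `idx = 0` now done per table but `s_idx = cb->args[0]` assigned once, every table after cur_table skips its first s_idx sets through `if (idx < s_idx) goto cont;`, so a dump interrupted mid-table still drops sets from the following tables. Reset s_idx to 0 after the inner loop over the resumed table completes (for example at the end of the per-table body), alongside the idx reset.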
--
1.7.10.4
* [PATCH 7/8] netfilter: nf_tables: fix oops when updating table with user chains
From: Pablo Neira Ayuso @ 2013-12-28 22:03 UTC
To: netfilter-devel; +Cc: davem, netdev
This patch fixes a crash while trying to deactivate a table that
contains user chains. You can reproduce it via:
% nft add table table1
% nft add chain table1 chain1
% nft-table-upd ip table1 dormant
[ 253.021026] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[ 253.021114] IP: [<ffffffff8134cebd>] nf_register_hook+0x35/0x6f
[ 253.021167] PGD 30fa5067 PUD 30fa2067 PMD 0
[ 253.021208] Oops: 0000 [#1] SMP
[...]
[ 253.023305] Call Trace:
[ 253.023331] [<ffffffffa0885020>] nf_tables_newtable+0x11c/0x258 [nf_tables]
[ 253.023385] [<ffffffffa0878592>] nfnetlink_rcv_msg+0x1f4/0x226 [nfnetlink]
[ 253.023438] [<ffffffffa0878418>] ? nfnetlink_rcv_msg+0x7a/0x226 [nfnetlink]
[ 253.023491] [<ffffffffa087839e>] ? nfnetlink_bind+0x45/0x45 [nfnetlink]
[ 253.023542] [<ffffffff8134b47e>] netlink_rcv_skb+0x3c/0x88
[ 253.023586] [<ffffffffa0878973>] nfnetlink_rcv+0x3af/0x3e4 [nfnetlink]
[ 253.023638] [<ffffffff813fb0d4>] ? _raw_read_unlock+0x22/0x34
[ 253.023683] [<ffffffff8134af17>] netlink_unicast+0xe2/0x161
[ 253.023727] [<ffffffff8134b29a>] netlink_sendmsg+0x304/0x332
[ 253.023773] [<ffffffff8130d250>] __sock_sendmsg_nosec+0x25/0x27
[ 253.023820] [<ffffffff8130fb93>] sock_sendmsg+0x5a/0x7b
[ 253.023861] [<ffffffff8130d5d5>] ? copy_from_user+0x2a/0x2c
[ 253.023905] [<ffffffff8131066f>] ? move_addr_to_kernel+0x35/0x60
[ 253.023952] [<ffffffff813107b3>] SYSC_sendto+0x119/0x15c
[ 253.023995] [<ffffffff81401107>] ? sysret_check+0x1b/0x56
[ 253.024039] [<ffffffff8108dc30>] ? trace_hardirqs_on_caller+0x140/0x1db
[ 253.024090] [<ffffffff8120164e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 253.024141] [<ffffffff81310caf>] SyS_sendto+0x9/0xb
[ 253.026219] [<ffffffff814010e2>] system_call_fastpath+0x16/0x1b
Reported-by: Alex Wei <alex.kern.mentor@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d9fcd27..d65c80b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -312,6 +312,9 @@ static int nf_tables_table_enable(struct nft_table *table)
int err, i = 0;
list_for_each_entry(chain, &table->chains, list) {
+ if (!(chain->flags & NFT_BASE_CHAIN))
+ continue;
+
err = nf_register_hook(&nft_base_chain(chain)->ops);
if (err < 0)
goto err;
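Review bot: the skip is correct (calling nft_base_chain() on a user chain is the NULL dereference in the report), but the same `chain->flags & NFT_BASE_CHAIN` test now appears three times in this file; a small inline helper (something like a hypothetical `nft_is_base_chain()`) would keep the three sites from drifting apart.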
@@ -321,6 +324,9 @@ static int nf_tables_table_enable(struct nft_table *table)
return 0;
err:
list_for_each_entry(chain, &table->chains, list) {
+ if (!(chain->flags & NFT_BASE_CHAIN))
+ continue;
+
if (i-- <= 0)
break;
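Review bot: ordering matters in this unwind loop: the new `continue` must stay before `if (i-- <= 0)` so that only chains actually registered by the enable loop are counted, which this hunk does; a one-line comment would guard against a later reordering that silently unregisters the wrong number of hooks.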
@@ -333,8 +339,10 @@ static int nf_tables_table_disable(struct nft_table *table)
{
struct nft_chain *chain;
- list_for_each_entry(chain, &table->chains, list)
- nf_unregister_hook(&nft_base_chain(chain)->ops);
+ list_for_each_entry(chain, &table->chains, list) {
+ if (chain->flags & NFT_BASE_CHAIN)
+ nf_unregister_hook(&nft_base_chain(chain)->ops);
+ }
return 0;
}
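Review bot: for consistency with the two enable() hunks, which use `if (!(chain->flags & NFT_BASE_CHAIN)) continue;`, consider the same negative-test form here rather than wrapping the call in a positive `if`; behaviour is identical, this is purely about the three guards reading the same way.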
--
1.7.10.4
* [PATCH 8/8] netfilter: nf_tables: fix wrong datatype in nft_validate_data_load()
From: Pablo Neira Ayuso @ 2013-12-28 22:03 UTC
To: netfilter-devel; +Cc: davem, netdev
This patch fixes dictionary mappings, e.g.
add rule ip filter input meta dnat set tcp dport map { 22 => 1.1.1.1, 23 => 2.2.2.2 }
The kernel was returning -EINVAL in nft_validate_data_load() since
the type of the set element data that is passed was the real userspace
datatype instead of NFT_DATA_VALUE.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d65c80b..71a9f49 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2382,7 +2382,9 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
enum nft_registers dreg;
dreg = nft_type_to_reg(set->dtype);
- return nft_validate_data_load(ctx, dreg, &elem->data, set->dtype);
+ return nft_validate_data_load(ctx, dreg, &elem->data,
+ set->dtype == NFT_DATA_VERDICT ?
+ NFT_DATA_VERDICT : NFT_DATA_VALUE);
}
int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
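Review bot: set->dtype carries the userspace datatype id (NFT_DATA_VERDICT or a concrete value type), while nft_validate_data_load() expects an nft_data_types discriminator; the ternary encodes that mapping correctly, but a one-line comment above the call explaining why set->dtype cannot be passed through unchanged would stop the original bug from being reintroduced by a later "simplification".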
--
1.7.10.4
* Re: [PATCH 0/8] Netfilter/IPVS fixes for net
From: David Miller @ 2013-12-29 5:29 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 28 Dec 2013 23:02:59 +0100
> This patchset contains four nf_tables fixes, one IPVS fix due to
> missing updates in the interaction with the new seqadj conntrack
> extension that was added to support the netfilter synproxy code,
> and a couple of one-liners to fix netnamespace netfilter issues.
> More specifically, they are:
...
> We don't usually have this amount of fixes by this time (as we're already
> in -rc5 of the development cycle), although half of them are related to
> nf_tables which is a relatively new thing, and I also believe that holidays
> have also delayed the flight of bugfixes to mainstream a bit.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Pulled, thanks Pablo.
> P.S: Have a nice entrance to new year.
Same to you. :)