From: Florian Westphal <fw@strlen.de>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, stable@kernel.org,
alexander.levin@verizon.com
Subject: [stable, xtables] fix validation of jumps
Date: Mon, 1 Aug 2016 20:38:19 +0200
Message-ID: <1470076704-13325-1-git-send-email-fw@strlen.de>
The various stable kernels suffer from one of the following
problems:
- They don't have 36472341017529e ("netfilter: x_tables: validate targets of jumps").
In that case there is no validation which is problematic with unpriv netns support
or when using unprivileged containers.
- They have a faulty backport of this commit and xtables is completely
broken (kernel freeze since we iterate over random memory contents).
This affects current 3.18.y and 4.1.y kernels for example.
- They have a correct backport of this commit, which causes problems
with large rulesets (depending on machine, 1k or more; but even on
fast machines rulesets with more than 10k rules cause softlockup during
iptables-restore and friends).
These patches all contain the same backport but amended so it applies
to the indicated stable branch.
For 3.12:
- adjust for extra debug printks and lack of 36472341017529e.
(The 36472341017529e commit is superseded by this).
For 3.14:
- adjust for extra debug printks and lack of kvfree.
This backport is only needed to speed up rule validation.
For 3.18:
- adjust for extra debug printks and broken 36472341017529e backport.
This backport is needed to make xtables work, we currently walk
over random memory content so any iptables -A ... command will either
fail or lock up.
For 4.1.y: same as 3.18.
For 4.4: Same as 3.14 -- backport is only needed to speed up ruleset
validation.
The 4.4 backport will also apply to the 4.6.y tree.
I briefly tested all the kernels with these patches applied and
the large dummy ruleset from the commit message.
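As an added illustration (not code from this series or from the kernel), the following C model shows the two points the cover letter relies on: a jump is only valid if it lands exactly on the start of a table entry, and checking that by re-walking the table for every jump is quadratic in the number of rules, which is why large rulesets stall, whereas a binary search over the recorded entry offsets is logarithmic. The alternating 112/176-byte entry sizes, the 65536-entry cap and the step counter are constructed for this example.

```c
#include <stdbool.h>
/* Illustrative model only, not the kernel's x_tables code: a ruleset is a
 * blob of variable-size entries and a jump names the byte offset of its
 * target.  A jump is valid only if that offset is the start of an entry. */
static unsigned int entry_offsets[65536]; /* ascending by construction */
static unsigned int nentries;
unsigned long steps; /* entries examined by the last validity check */

/* Constructed sample: nrules entries alternating 112 and 176 bytes,
 * recorded in table order; returns the total blob size. */
unsigned int build_sample_ruleset(unsigned int nrules)
{
    unsigned int off = 0;
    nentries = nrules;
    for (unsigned int i = 0; i < nrules; i++) {
        entry_offsets[i] = off;
        off += (i % 2) ? 176 : 112;
    }
    return off;
}

/* Naive validation: re-walk the table for every jump, O(n) per jump,
 * so a table with n jumps costs O(n^2) and large rulesets stall. */
bool jump_valid_linear(unsigned int target)
{
    steps = 0;
    for (unsigned int i = 0; i < nentries; i++) {
        steps++;
        if (entry_offsets[i] == target)
            return true;
    }
    return false;
}

/* Binary search over the recorded offsets: O(log n) per jump. */
bool jump_valid_bsearch(unsigned int target)
{
    unsigned int lo = 0, hi = nentries;
    steps = 0;
    while (lo < hi) {
        unsigned int mid = lo + (hi - lo) / 2;
        steps++;
        if (entry_offsets[mid] == target)
            return true;
        if (entry_offsets[mid] < target)
            lo = mid + 1;
        else
            hi = mid;
    }
    return false;
}
```

With 10k rules the naive check examines all 10000 entries for every jump, while the binary search needs at most 14 comparisons for the same answer.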
2016-08-01 18:38 Florian Westphal [this message]
2016-08-01 18:38 ` [PATCH -stable 3.12.y] netfilter: x_tables: speed up jump target validation Florian Westphal
2016-08-01 18:38 ` [PATCH -stable 3.14.y] " Florian Westphal
2016-08-01 18:38 ` [PATCH -stable 3.18.y] " Florian Westphal
2016-08-01 18:38 ` [PATCH -stable 4.1.y] " Florian Westphal
2016-08-02 18:26 ` Levin, Alexander
2016-08-02 19:51 ` Florian Westphal
2016-08-03 12:24 ` Levin, Alexander
2016-08-01 18:38 ` [PATCH -stable 4.4.y] " Florian Westphal