netfilter 00/06: netfilter fixes

netfilter 00/06: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following patches for 2.6.27 contain fixes for some netfilter issues:

- a fix for inverted destination address matching in the addrtype match

- a fix to make linux/netfilter.h directly includable in userspace by
  moving necessary includes outside of #ifdef __KERNEL__

- three ctnetlink fixes for sleep inside locked section and double
  helper assignment

- a change to use secure_ipv4_port_ephemeral() for NAT port randomization
  to avoid concerns about leaking prng state

Please apply, thanks.


 drivers/char/random.c                    |    1 +
 include/linux/netfilter.h                |    4 +-
 net/ipv4/netfilter/ipt_addrtype.c        |    2 +-
 net/ipv4/netfilter/nf_nat_proto_common.c |    8 +++++-
 net/netfilter/nf_conntrack_netlink.c     |   36 ++++++++++++++++-------------
 5 files changed, 30 insertions(+), 21 deletions(-)

Anders Grafström (1):
      netfilter: ipt_addrtype: Fix matching of inverted destination address type

Matt Kraai (1):
      netfilter: Move linux/in.h and linux/in6.h inclusions outside of #ifdef __KERNEL__

Pablo Neira Ayuso (3):
      netfilter: ctnetlink: fix double helper assignation for NAT'ed conntracks
      netfilter: ctnetlink: fix sleep in read-side lock section
      netfilter: ctnetlink: sleepable allocation with spin lock bh

Stephen Hemminger (1):
      nf_nat: use secure_ipv4_port_ephemeral() for NAT port randomization
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

netfilter 01/06: Move linux/in.h and linux/in6.h inclusions outside of

[Patrick McHardy]

netfilter: Move linux/in.h and linux/in6.h inclusions outside of #ifdef __KERNEL__

netfilter.h can't be used in userspace without including linux/in.h
and linux/in6.h first. netfilter.h includes its own linux/in.h and
linux/in6.h include statements, these are stripped by make
headers-install because they are inside #ifdef __KERNEL__ however.
Move them out to fix this.

Signed-off-by: Matt Kraai <kraai@ftbfs.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 4f5e031a4fb1872eb30d473fef4706eddf58aa8f
tree 935aaca025e96dafbd80e80f2d482e519e9a2edb
parent 08013fa353fdcfc0a03cae805393abfc56722387
author Matt Kraai <kraai@ftbfs.org> Mon, 18 Aug 2008 13:17:03 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 18 Aug 2008 13:17:03 +0200

 include/linux/netfilter.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 0c5eb7e..6060e56 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -7,13 +7,13 @@
 #include <linux/net.h>
 #include <linux/netdevice.h>
 #include <linux/if.h>
-#include <linux/in.h>
-#include <linux/in6.h>
 #include <linux/wait.h>
 #include <linux/list.h>
 #include <net/net_namespace.h>
 #endif
 #include <linux/types.h>
+#include <linux/in.h>
+#include <linux/in6.h>
 #include <linux/compiler.h>
 
 /* Responses from hook functions. */

netfilter 02/06: ipt_addrtype: fix matching of inverted destination address type

[Patrick McHardy]

netfilter: ipt_addrtype: Fix matching of inverted destination address type

This patch fixes matching of inverted destination address type.

Signed-off-by: Anders Grafström <grfstrm@users.sourceforge.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 132fbda27191848d809ac4c4e5841581371aafd8
tree 173c192bca62e2e89ba6a2e54fa85e6d2aa69b02
parent 4f5e031a4fb1872eb30d473fef4706eddf58aa8f
author Anders Grafström <grfstrm@users.sourceforge.net> Mon, 18 Aug 2008 13:17:03 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 18 Aug 2008 13:17:03 +0200

 net/ipv4/netfilter/ipt_addrtype.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 49587a4..462a22c 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -70,7 +70,7 @@ addrtype_mt_v1(const struct sk_buff *skb, const struct net_device *in,
 		       (info->flags & IPT_ADDRTYPE_INVERT_SOURCE);
 	if (ret && info->dest)
 		ret &= match_type(dev, iph->daddr, info->dest) ^
-		       (info->flags & IPT_ADDRTYPE_INVERT_DEST);
+		       !!(info->flags & IPT_ADDRTYPE_INVERT_DEST);
 	return ret;
 }
 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

netfilter 03/06: ctnetlink: fix double helper assignation for NAT'ed conntracks

[Patrick McHardy]

netfilter: ctnetlink: fix double helper assignation for NAT'ed conntracks

If we create a conntrack that has NAT handlings and a helper, the helper
is assigned twice. This happens because nf_nat_setup_info() - via
nf_conntrack_alter_reply() - sets the helper before ctnetlink, which
indeed does not check if the conntrack already has a helper as it thinks that
it is a brand new conntrack.

The fix moves the helper assignation before the set of the status flags.
This avoids a bogus assertion in __nf_ct_ext_add (if netfilter assertions are
enabled) which checks that the conntrack must not be confirmed.

This problem was introduced in 2.6.23 with the netfilter extension
infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 4a58ff2a369c6020ece596812f819641f9d19820
tree 7c640e1ffb18d61e9ef3a097e2b2ab00eb529c52
parent 132fbda27191848d809ac4c4e5841581371aafd8
author Pablo Neira Ayuso <pablo@netfilter.org> Mon, 18 Aug 2008 13:17:03 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 18 Aug 2008 13:17:03 +0200

 net/netfilter/nf_conntrack_netlink.c |   34 +++++++++++++++++++---------------
 1 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 105a616..d1fb2f8 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1136,16 +1136,33 @@ ctnetlink_create_conntrack(struct nlattr *cda[],
 	ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
 	ct->status |= IPS_CONFIRMED;
 
+	rcu_read_lock();
+	helper = __nf_ct_helper_find(rtuple);
+	if (helper) {
+		help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
+		if (help == NULL) {
+			rcu_read_unlock();
+			err = -ENOMEM;
+			goto err;
+		}
+		/* not in hash table yet so not strictly necessary */
+		rcu_assign_pointer(help->helper, helper);
+	}
+
 	if (cda[CTA_STATUS]) {
 		err = ctnetlink_change_status(ct, cda);
-		if (err < 0)
+		if (err < 0) {
+			rcu_read_unlock();
 			goto err;
+		}
 	}
 
 	if (cda[CTA_PROTOINFO]) {
 		err = ctnetlink_change_protoinfo(ct, cda);
-		if (err < 0)
+		if (err < 0) {
+			rcu_read_unlock();
 			goto err;
+		}
 	}
 
 	nf_ct_acct_ext_add(ct, GFP_KERNEL);
@@ -1155,19 +1172,6 @@ ctnetlink_create_conntrack(struct nlattr *cda[],
 		ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
 #endif
 
-	rcu_read_lock();
-	helper = __nf_ct_helper_find(rtuple);
-	if (helper) {
-		help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
-		if (help == NULL) {
-			rcu_read_unlock();
-			err = -ENOMEM;
-			goto err;
-		}
-		/* not in hash table yet so not strictly necessary */
-		rcu_assign_pointer(help->helper, helper);
-	}
-
 	/* setup master conntrack: this is a confirmed expectation */
 	if (master_ct) {
 		__set_bit(IPS_EXPECTED_BIT, &ct->status);

netfilter 04/06: ctnetlink: fix sleep in read-side lock section

[Patrick McHardy]

netfilter: ctnetlink: fix sleep in read-side lock section

Fix allocation with GFP_KERNEL in ctnetlink_create_conntrack() under
read-side lock sections.

This problem was introduced in 2.6.25.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 3b198ff714ffc62115554f821e80f22d817b2b17
tree 48aa718f0375e5a110357682f789800c85516969
parent 4a58ff2a369c6020ece596812f819641f9d19820
author Pablo Neira Ayuso <pablo@netfilter.org> Mon, 18 Aug 2008 13:17:04 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 18 Aug 2008 13:17:04 +0200

 net/netfilter/nf_conntrack_netlink.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d1fb2f8..a5b95cc 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1139,7 +1139,7 @@ ctnetlink_create_conntrack(struct nlattr *cda[],
 	rcu_read_lock();
 	helper = __nf_ct_helper_find(rtuple);
 	if (helper) {
-		help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
+		help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
 		if (help == NULL) {
 			rcu_read_unlock();
 			err = -ENOMEM;

netfilter 05/06: ctnetlink: sleepable allocation with spin lock bh

[Patrick McHardy]

netfilter: ctnetlink: sleepable allocation with spin lock bh

This patch removes a GFP_KERNEL allocation while holding a spin lock with
bottom halves disabled in ctnetlink_change_helper().

This problem was introduced in 2.6.23 with the netfilter extension
infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit be6e3721aa813e40f20d84d7925f9cf5cd8eef2d
tree ef2d78c9f5567c3a060b1d19f0b366726f6adf74
parent 3b198ff714ffc62115554f821e80f22d817b2b17
author Pablo Neira Ayuso <pablo@netfilter.org> Mon, 18 Aug 2008 13:17:04 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 18 Aug 2008 13:17:04 +0200

 net/netfilter/nf_conntrack_netlink.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index a5b95cc..a875203 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -968,7 +968,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
 		/* need to zero data of old helper */
 		memset(&help->help, 0, sizeof(help->help));
 	} else {
-		help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
+		help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
 		if (help == NULL)
 			return -ENOMEM;
 	}

nf_nat 06/06: use secure_ipv4_port_ephemeral() for NAT port randomization

[Patrick McHardy]

nf_nat: use secure_ipv4_port_ephemeral() for NAT port randomization

Use incoming network tuple as seed for NAT port randomization.
This avoids concerns of leaking net_random() bits, and also gives better
port distribution. Don't have NAT server, compile tested only.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

[ added missing EXPORT_SYMBOL_GPL ]

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 288787c6d3d50245d718537142800762d7ff1181
tree da622065f39a1adeb8323ab2549f8638adaffbd6
parent be6e3721aa813e40f20d84d7925f9cf5cd8eef2d
author Stephen Hemminger <shemminger@vyatta.com> Mon, 18 Aug 2008 18:35:09 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 18 Aug 2008 18:35:09 +0200

 drivers/char/random.c                    |    1 +
 net/ipv4/netfilter/nf_nat_proto_common.c |    8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index e0d0e37..1838aa3 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1571,6 +1571,7 @@ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
 
 	return half_md4_transform(hash, keyptr->secret);
 }
+EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
diff --git a/net/ipv4/netfilter/nf_nat_proto_common.c b/net/ipv4/netfilter/nf_nat_proto_common.c
index 91537f1..6c4f11f 100644
--- a/net/ipv4/netfilter/nf_nat_proto_common.c
+++ b/net/ipv4/netfilter/nf_nat_proto_common.c
@@ -73,9 +73,13 @@ bool nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
 		range_size = ntohs(range->max.all) - min + 1;
 	}
 
-	off = *rover;
 	if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
-		off = net_random();
+		off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip,
+						 maniptype == IP_NAT_MANIP_SRC
+						 ? tuple->dst.u.all
+						 : tuple->src.u.all);
+	else
+		off = *rover;
 
 	for (i = 0; i < range_size; i++, off++) {
 		*portptr = htons(min + off % range_size);

Re: netfilter 01/06: Move linux/in.h and linux/in6.h inclusions outside of

[Jan Engelhardt]

On Monday 2008-08-18 12:51, Patrick McHardy wrote:

>netfilter: Move linux/in.h and linux/in6.h inclusions outside of #ifdef __KERNEL__
>
>netfilter.h can't be used in userspace without including linux/in.h
>and linux/in6.h first. netfilter.h includes its own linux/in.h and
>linux/in6.h include statements, these are stripped by make
>headers-install because they are inside #ifdef __KERNEL__ however.
>Move them out to fix this.

Humm - no, I do not think this is right.


$ cat test2.c 
#include <netinet/in.h>

/* simulate netfilter.h as proposed */
#include <linux/in.h>
struct nf_inet_addr {
        struct in_addr inet4;
};
/* end simul */

int main(void)
{
}

yields:

In file included from test2.c:2:
/usr/include/linux/in.h:26: error: redeclaration of enumerator ‘IPPROTO_IP’
/usr/include/netinet/in.h:34: error: previous definition of ‘IPPROTO_IP’ was
/here
[...many more...]


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: netfilter 01/06: Move linux/in.h and linux/in6.h inclusions outside of

[Patrick McHardy]

Jan Engelhardt wrote:
> On Monday 2008-08-18 12:51, Patrick McHardy wrote:
> 
>> netfilter: Move linux/in.h and linux/in6.h inclusions outside of #ifdef __KERNEL__
>>
>> netfilter.h can't be used in userspace without including linux/in.h
>> and linux/in6.h first. netfilter.h includes its own linux/in.h and
>> linux/in6.h include statements, these are stripped by make
>> headers-install because they are inside #ifdef __KERNEL__ however.
>> Move them out to fix this.
> 
> Humm - no, I do not think this is right.
> 
> 
> $ cat test2.c 
> #include <netinet/in.h>
> 
> /* simulate netfilter.h as proposed */
> #include <linux/in.h>

Hmm good point. Dave, please drop this patch.

Re: netfilter 01/06: Move linux/in.h and linux/in6.h inclusions outside of

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 18 Aug 2008 19:01:12 +0200

> Jan Engelhardt wrote:
> > On Monday 2008-08-18 12:51, Patrick McHardy wrote:
> > 
> >> netfilter: Move linux/in.h and linux/in6.h inclusions outside of #ifdef __KERNEL__
> >>
> >> netfilter.h can't be used in userspace without including linux/in.h
> >> and linux/in6.h first. netfilter.h includes its own linux/in.h and
> >> linux/in6.h include statements, these are stripped by make
> >> headers-install because they are inside #ifdef __KERNEL__ however.
> >> Move them out to fix this.
> > 
> > Humm - no, I do not think this is right.
> > 
> > 
> > $ cat test2.c 
> > #include <netinet/in.h>
> > 
> > /* simulate netfilter.h as proposed */
> > #include <linux/in.h>
> 
> Hmm good point. Dave, please drop this patch.

Ok.

Re: netfilter 02/06: ipt_addrtype: fix matching of inverted destination address type

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 18 Aug 2008 18:51:51 +0200 (MEST)

> netfilter: ipt_addrtype: Fix matching of inverted destination address type
> 
> This patch fixes matching of inverted destination address type.
> 
> Signed-off-by: Anders Grafström <grfstrm@users.sourceforge.net>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: netfilter 03/06: ctnetlink: fix double helper assignation for NAT'ed conntracks

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 18 Aug 2008 18:51:52 +0200 (MEST)

> netfilter: ctnetlink: fix double helper assignation for NAT'ed conntracks
> 
> If we create a conntrack that has NAT handlings and a helper, the helper
> is assigned twice. This happens because nf_nat_setup_info() - via
> nf_conntrack_alter_reply() - sets the helper before ctnetlink, which
> indeed does not check if the conntrack already has a helper as it thinks that
> it is a brand new conntrack.
> 
> The fix moves the helper assignation before the set of the status flags.
> This avoids a bogus assertion in __nf_ct_ext_add (if netfilter assertions are
> enabled) which checks that the conntrack must not be confirmed.
> 
> This problem was introduced in 2.6.23 with the netfilter extension
> infrastructure.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Aplied.

Re: netfilter 04/06: ctnetlink: fix sleep in read-side lock section

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 18 Aug 2008 18:51:54 +0200 (MEST)

> netfilter: ctnetlink: fix sleep in read-side lock section
> 
> Fix allocation with GFP_KERNEL in ctnetlink_create_conntrack() under
> read-side lock sections.
> 
> This problem was introduced in 2.6.25.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied, thanks.

Re: netfilter 05/06: ctnetlink: sleepable allocation with spin lock bh

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 18 Aug 2008 18:51:55 +0200 (MEST)

> netfilter: ctnetlink: sleepable allocation with spin lock bh
> 
> This patch removes a GFP_KERNEL allocation while holding a spin lock with
> bottom halves disabled in ctnetlink_change_helper().
> 
> This problem was introduced in 2.6.23 with the netfilter extension
> infrastructure.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

Re: nf_nat 06/06: use secure_ipv4_port_ephemeral() for NAT port randomization

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 18 Aug 2008 18:51:56 +0200 (MEST)

> nf_nat: use secure_ipv4_port_ephemeral() for NAT port randomization
> 
> Use incoming network tuple as seed for NAT port randomization.
> This avoids concerns of leaking net_random() bits, and also gives better
> port distribution. Don't have NAT server, compile tested only.
> 
> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
> 
> [ added missing EXPORT_SYMBOL_GPL ]
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.