netfilter-devel.vger.kernel.org archive mirror
* netfilter 00/04: netfilter fixes
@ 2009-03-16 16:08 Patrick McHardy
  2009-03-17 20:13 ` David Miller
  0 siblings, 1 reply; 15+ messages in thread
From: Patrick McHardy @ 2009-03-16 16:08 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches for 2.6.29 fix a few netfilter bugs:

- avoid event delivery for conntracks dropped because of clashes (from Pablo)

- fix for a ctnetlink crash during expectation creation caused by a missing
  initialization. Also from Pablo.

- a fix for correctly handling NF_DROP return values from the conntrack
  ->packet() callbacks. From Christoph Paasch.

- reordering of the header checks in IPv6 conntrack reassembly to avoid an
  incorrect log message with NEXTHDR_NONE. Also from Christoph.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/net/netfilter/nf_conntrack_core.h |    3 ++-
 net/ipv6/netfilter/nf_conntrack_reasm.c   |    8 ++++----
 net/netfilter/nf_conntrack_core.c         |    2 +-
 net/netfilter/nf_conntrack_netlink.c      |    1 +
 net/netfilter/nf_conntrack_proto_tcp.c    |    4 ++--
 5 files changed, 10 insertions(+), 8 deletions(-)

Christoph Paasch (2):
      netfilter: conntrack: fix dropping packet after l4proto->packet()
      netfilter: conntrack: check for NEXTHDR_NONE before header sanity checking

Pablo Neira Ayuso (2):
      netfilter: conntrack: don't deliver events for racy packets
      netfilter: ctnetlink: fix crash during expectation creation


* Re: netfilter 00/04: netfilter fixes
  2009-03-16 16:08 Patrick McHardy
@ 2009-03-17 20:13 ` David Miller
  0 siblings, 0 replies; 15+ messages in thread
From: David Miller @ 2009-03-17 20:13 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 16 Mar 2009 17:08:42 +0100 (MET)

> the following patches for 2.6.29 fix a few netfilter bugs:
> 
> - avoid event delivery for conntracks dropped because of clashes (from Pablo)
> 
> - fix for a ctnetlink crash during expectation creation caused by a missing
>   initialization. Also from Pablo.
> 
> - a fix for correctly handling NF_DROP return values from the conntrack
>   ->packet() callbacks. From Christoph Paasch.
> 
> - reordering of the header checks in IPv6 conntrack reassembly to avoid an
>   incorrect log message with NEXTHDR_NONE. Also from Christoph.
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!


* netfilter 00/04: netfilter fixes
@ 2009-05-05 16:47 Patrick McHardy
  2009-05-05 16:47 ` netfilter 01/04: add missing linux/types.h include to xt_LED.h Patrick McHardy
                   ` (4 more replies)
  0 siblings, 5 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-05 16:47 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches fix a couple of netfilter bugs:

- missing inclusion of linux/types.h in xt_LED.h

- an incorrect length check in the ipv6header match, causing
  mismatches on packets ending with NEXTHDR_NONE

- an incorrect check in the new cluster match, causing rules using
  32 nodes to fail loading

- incorrect ctnetlink event types for user-generated events

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/linux/netfilter/xt_LED.h     |    2 ++
 include/linux/netfilter/xt_cluster.h |    2 ++
 net/ipv6/netfilter/ip6t_ipv6header.c |    6 +++---
 net/netfilter/xt_cluster.c           |    8 +++++++-
 4 files changed, 14 insertions(+), 4 deletions(-)

Christoph Paasch (1):
      netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE

Pablo Neira Ayuso (1):
      netfilter: xt_cluster: fix use of cluster match with 32 nodes

Patrick McHardy (1):
      netfilter: add missing linux/types.h include to xt_LED.h


* netfilter 01/04: add missing linux/types.h include to xt_LED.h
  2009-05-05 16:47 netfilter 00/04: netfilter fixes Patrick McHardy
@ 2009-05-05 16:47 ` Patrick McHardy
  2009-05-05 16:47 ` netfilter 02/04: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE Patrick McHardy
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-05 16:47 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit a7ca7fccacc029958fd09985e7f3529b90ec791d
Author: Patrick McHardy <kaber@trash.net>
Date:   Tue May 5 14:31:12 2009 +0200

    netfilter: add missing linux/types.h include to xt_LED.h
    
    Pointed out by Dave Miller:
    
      CHECK   include/linux/netfilter (57 files)
    /home/davem/src/GIT/net-2.6/usr/include/linux/netfilter/xt_LED.h:6: found __[us]{8,16,32,64} type without #include <linux/types.h>
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/xt_LED.h b/include/linux/netfilter/xt_LED.h
index 4c91a0d..f5509e7 100644
--- a/include/linux/netfilter/xt_LED.h
+++ b/include/linux/netfilter/xt_LED.h
@@ -1,6 +1,8 @@
 #ifndef _XT_LED_H
 #define _XT_LED_H
 
+#include <linux/types.h>
+
 struct xt_led_info {
 	char id[27];        /* Unique ID for this trigger in the LED class */
 	__u8 always_blink;  /* Blink even if the LED is already on */
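
Review bot: the include fixes the one header that headers_check flagged, but the defect class (an exported header using __u8/__u16/__u32 without pulling in <linux/types.h>) is not specific to xt_LED.h; the June series later in this thread carries the identical fix for xt_osf.h. A sweep of include/linux/netfilter/ for other __[us]{8,16,32,64} users that lack the include would save a second round trip.
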


* netfilter 02/04: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE
  2009-05-05 16:47 netfilter 00/04: netfilter fixes Patrick McHardy
  2009-05-05 16:47 ` netfilter 01/04: add missing linux/types.h include to xt_LED.h Patrick McHardy
@ 2009-05-05 16:47 ` Patrick McHardy
  2009-05-05 16:47 ` netfilter 03/04: xt_cluster: fix use of cluster match with 32 nodes Patrick McHardy
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-05 16:47 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit b98b4947cb79d670fceca0e951c092eea93e9baa
Author: Christoph Paasch <christoph.paasch@gmail.com>
Date:   Tue May 5 15:32:16 2009 +0200

    netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE
    
    As packets ending with NEXTHDR_NONE don't have a last extension header,
    the check for the length needs to be after the check for NEXTHDR_NONE.
    
    Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 14e6724..91490ad 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -50,14 +50,14 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 		struct ipv6_opt_hdr _hdr;
 		int hdrlen;
 
-		/* Is there enough space for the next ext header? */
-		if (len < (int)sizeof(struct ipv6_opt_hdr))
-			return false;
 		/* No more exthdr -> evaluate */
 		if (nexthdr == NEXTHDR_NONE) {
 			temp |= MASK_NONE;
 			break;
 		}
+		/* Is there enough space for the next ext header? */
+		if (len < (int)sizeof(struct ipv6_opt_hdr))
+			return false;
 		/* ESP -> evaluate */
 		if (nexthdr == NEXTHDR_ESP) {
 			temp |= MASK_ESP;
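
Review bot: the reordering is right for NEXTHDR_NONE, but the ESP branch directly below is the same kind of terminal case (it only sets MASK_ESP, and if it leaves the loop the way the NONE branch does it never reads an option header) and it still sits after the `len < (int)sizeof(struct ipv6_opt_hdr)` test. Because an ESP header is at least 8 bytes, the 2-byte check cannot reject a well-formed ESP packet, so this is a consistency point rather than a bug: either move the ESP test above the length check as well, or add a comment saying the size check guards only the headers that are actually parsed, so the intended order is explicit to the next person touching this loop.
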

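The two NEXTHDR_NONE fixes on this page (the March reordering of the header checks in IPv6 conntrack reassembly, and the ip6t_ipv6header patch above) are the same bug: a check that asks for the bytes of the next extension header before asking whether there is one. The following is an added example, not code from the kernel or from either patch: a user-space walk over the extension-header chain in the shape of the ipv6header match, with an old_order flag that reproduces the pre-patch ordering so both behaviours can be compared on a constructed packet that ends in a Destination Options header pointing at NEXTHDR_NONE. The NEXTHDR_* and MASK_* values mirror the kernel's; the sample packet, the WALK_TRUNCATED return and the function names are this example's.

```c
/* Added example, not code from the kernel or from either NEXTHDR_NONE patch:
 * a user-space walk over the IPv6 extension-header chain in the shape of the
 * ipv6header match. old_order reproduces the pre-patch check ordering.
 * NEXTHDR_* and MASK_* values mirror the kernel's; the sample packet is
 * constructed below. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDRLEN 40
enum { NEXTHDR_HOP = 0, NEXTHDR_TCP = 6, NEXTHDR_ROUTING = 43, NEXTHDR_FRAGMENT = 44,
       NEXTHDR_ESP = 50, NEXTHDR_AUTH = 51, NEXTHDR_NONE = 59, NEXTHDR_DEST = 60 };
enum { MASK_HOPOPTS = 128, MASK_DSTOPTS = 64, MASK_ROUTING = 32, MASK_FRAGMENT = 16,
       MASK_AH = 8, MASK_ESP = 4, MASK_NONE = 2, MASK_PROTO = 1 };
#define WALK_TRUNCATED (-1)

static bool is_ext_hdr(uint8_t nh)
{
	return nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING || nh == NEXTHDR_FRAGMENT ||
	       nh == NEXTHDR_ESP || nh == NEXTHDR_AUTH || nh == NEXTHDR_NONE ||
	       nh == NEXTHDR_DEST;
}

/* Walk the chain from the fixed IPv6 header at pkt[0]. Returns a MASK_*
 * bitmask, or WALK_TRUNCATED when a header claims bytes the packet lacks. */
int ipv6header_mask(const uint8_t *pkt, size_t pktlen, bool old_order)
{
	if (pktlen < IPV6_HDRLEN)
		return WALK_TRUNCATED;

	uint8_t nexthdr = pkt[6];
	size_t ptr = IPV6_HDRLEN;
	int len = (int)pktlen - IPV6_HDRLEN;
	int temp = 0;

	while (is_ext_hdr(nexthdr)) {
		if (old_order && len < 2)	/* old: size test first, so a packet that */
			return WALK_TRUNCATED;	/* ends in a bare NEXTHDR_NONE never matches */
		if (nexthdr == NEXTHDR_NONE) {	/* no header follows, nothing to read */
			temp |= MASK_NONE;
			break;
		}
		if (len < 2)			/* fixed: size test only for real headers */
			return WALK_TRUNCATED;
		if (nexthdr == NEXTHDR_ESP) {	/* payload is opaque from here on */
			temp |= MASK_ESP;
			break;
		}

		uint8_t nh = pkt[ptr];		/* byte 0: next header */
		uint8_t lenfield = pkt[ptr + 1];	/* byte 1: length, unit varies */
		int hdrlen;
		if (nexthdr == NEXTHDR_FRAGMENT)
			hdrlen = 8;
		else if (nexthdr == NEXTHDR_AUTH)
			hdrlen = (lenfield + 2) << 2;	/* AH: 32-bit words, minus 2 */
		else
			hdrlen = (lenfield + 1) << 3;	/* options/routing: 8-octet units, minus 1 */

		switch (nexthdr) {
		case NEXTHDR_HOP:      temp |= MASK_HOPOPTS;  break;
		case NEXTHDR_ROUTING:  temp |= MASK_ROUTING;  break;
		case NEXTHDR_FRAGMENT: temp |= MASK_FRAGMENT; break;
		case NEXTHDR_AUTH:     temp |= MASK_AH;       break;
		case NEXTHDR_DEST:     temp |= MASK_DSTOPTS;  break;
		}
		if (len < hdrlen)		/* header claims more than is present */
			return WALK_TRUNCATED;
		nexthdr = nh;
		len -= hdrlen;
		ptr += hdrlen;
	}
	if (nexthdr != NEXTHDR_NONE && nexthdr != NEXTHDR_ESP)
		temp |= MASK_PROTO;		/* chain ended in an upper-layer protocol */
	return temp;
}

/* Constructed sample: IPv6 header, one 8-byte Destination Options header whose
 * next-header field is NEXTHDR_NONE (its option bytes are Pad1, i.e. zeros),
 * and not a single byte after it. Returns the packet length, 48. */
size_t build_dstopts_none_packet(uint8_t *buf, size_t cap)
{
	if (cap < IPV6_HDRLEN + 8)
		return 0;
	memset(buf, 0, IPV6_HDRLEN + 8);
	buf[0] = 0x60;			/* version 6 */
	buf[5] = 8;			/* payload length: just the one ext header */
	buf[6] = NEXTHDR_DEST;
	buf[IPV6_HDRLEN] = NEXTHDR_NONE;	/* hdrlen byte stays 0: (0 + 1) << 3 == 8 */
	return IPV6_HDRLEN + 8;
}
```

On the constructed packet, ipv6header_mask(buf, 48, true) returns WALK_TRUNCATED, which is the pre-patch behaviour the commit message describes (a rule with --header none could never match such a packet), while the fixed ordering returns MASK_DSTOPTS | MASK_NONE. Genuinely short packets are still rejected: cut the same packet to 44 bytes and the Destination Options header claims 8 bytes where only 4 remain, so both orderings return WALK_TRUNCATED.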

* netfilter 03/04: xt_cluster: fix use of cluster match with 32 nodes
  2009-05-05 16:47 netfilter 00/04: netfilter fixes Patrick McHardy
  2009-05-05 16:47 ` netfilter 01/04: add missing linux/types.h include to xt_LED.h Patrick McHardy
  2009-05-05 16:47 ` netfilter 02/04: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE Patrick McHardy
@ 2009-05-05 16:47 ` Patrick McHardy
  2009-05-05 16:47 ` netfilter 04/04: ctnetlink: fix wrong message type in user updates Patrick McHardy
  2009-05-05 19:02 ` netfilter 00/04: netfilter fixes David Miller
  4 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-05 16:47 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 280f37afa2c270ff029cb420b34396aa002909c3
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue May 5 17:46:07 2009 +0200

    netfilter: xt_cluster: fix use of cluster match with 32 nodes
    
    This patch fixes a problem when you use 32 nodes in the cluster
    match:
    
    % iptables -I PREROUTING -t mangle -i eth0 -m cluster \
      --cluster-total-nodes  32  --cluster-local-node  32 \
      --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
    iptables: Invalid argument. Run `dmesg' for more information.
    % dmesg | tail -1
    xt_cluster: this node mask cannot be higher than the total number of nodes
    
    The problem is related to this checking:
    
    if (info->node_mask >= (1 << info->total_nodes)) {
    	printk(KERN_ERR "xt_cluster: this node mask cannot be "
    			"higher than the total number of nodes\n");
    	return false;
    }
    
    (1 << 32) is 1. Thus, the checking fails.
    
    BTW, I said this before but I insist: I have only tested the cluster
    match with 2 nodes getting ~45% extra performance in an active-active setup.
    The maximum limit of 32 nodes is still completely arbitrary. I'd really
    appreciate if people that have more nodes in their setups let me know.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h
index 5e0a0d0..8866826 100644
--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/linux/netfilter/xt_cluster.h
@@ -12,4 +12,6 @@ struct xt_cluster_match_info {
 	u_int32_t		flags;
 };
 
+#define XT_CLUSTER_NODES_MAX	32
+
 #endif /* _XT_CLUSTER_MATCH_H */
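
Review bot: XT_CLUSTER_NODES_MAX lands in a userspace-visible header without a comment. The cap exists because node_mask holds one bit per node (see the `1ULL << info->total_nodes` test in xt_cluster.c), not for any protocol reason, so a one-line comment saying the limit follows the width of node_mask would stop someone raising it without widening the mask; the commit message calling the limit arbitrary makes that more likely, not less.
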
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 6c48476..69a639f 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -135,7 +135,13 @@ static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
 {
 	struct xt_cluster_match_info *info = par->matchinfo;
 
-	if (info->node_mask >= (1 << info->total_nodes)) {
+	if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
+		printk(KERN_ERR "xt_cluster: you have exceeded the maximum "
+				"number of cluster nodes (%u > %u)\n",
+				info->total_nodes, XT_CLUSTER_NODES_MAX);
+		return false;
+	}
+	if (info->node_mask >= (1ULL << info->total_nodes)) {
 		printk(KERN_ERR "xt_cluster: this node mask cannot be "
 				"higher than the total number of nodes\n");
 		return false;
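
Review bot: the new `info->total_nodes > XT_CLUSTER_NODES_MAX` test is what actually makes the second check well-defined, and that deserves a sentence in the commit message: `(1 << 32)` is not "1" in C, shifting a 32-bit int by its full width is undefined behaviour, and the 1 seen on x86 is the CPU masking the shift count. With total_nodes capped at 32, `1ULL << info->total_nodes` is at most 1ULL << 32 and the comparison is sound; without the cap, switching to 1ULL would only have moved the same problem to total_nodes == 64. One gap remains: total_nodes == 0 is not rejected, and with the shift yielding 1 only node_mask == 0 passes the second test, i.e. a rule that can never match. An explicit `info->total_nodes == 0` check with its own message would give a clearer error than silently loading a dead rule.
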

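The fix above works because the new XT_CLUSTER_NODES_MAX cap keeps every shift count below the width of the operand; the commit message's "(1 << 32) is 1" describes what x86 does with an undefined shift, not what C guarantees. As an added example, not code from xt_cluster.c or from the kernel, here is the same parameter check written so that no shift count can reach the mask width, plus the per-packet bit test it protects. XT_CLUSTER_NODES_MAX is the patch's value; the rejection of total_nodes == 0 and node_mask == 0, the bit N-1 encoding of --cluster-local-node N, the modulo hash reduction and all function names are this example's assumptions.

```c
/* Added example, not from xt_cluster.c: the configuration check the cluster
 * match has to make, written so that no shift count can ever reach the width
 * of the mask. XT_CLUSTER_NODES_MAX is the value the patch introduces; the
 * extra rejections and the hash reduction below are this example's choices. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define XT_CLUSTER_NODES_MAX 32

enum cluster_check {
	CLUSTER_OK = 0,
	CLUSTER_NO_NODES,	/* total_nodes == 0 */
	CLUSTER_TOO_MANY,	/* total_nodes > XT_CLUSTER_NODES_MAX */
	CLUSTER_MASK_EMPTY,	/* node_mask == 0: the rule could never match */
	CLUSTER_MASK_RANGE,	/* node_mask names a node >= total_nodes */
};

/* Mask with the low total_nodes bits set. `1 << 32` is undefined behaviour
 * for a 32-bit int (the "is 1" in the commit message is what x86 happens to
 * do), so the full-width case is special-cased rather than shifted. */
uint32_t cluster_all_nodes_mask(uint32_t total_nodes)
{
	if (total_nodes >= 32)
		return UINT32_MAX;
	return (UINT32_C(1) << total_nodes) - 1;
}

enum cluster_check cluster_check_params(uint32_t total_nodes, uint32_t node_mask)
{
	if (total_nodes == 0)
		return CLUSTER_NO_NODES;
	if (total_nodes > XT_CLUSTER_NODES_MAX)
		return CLUSTER_TOO_MANY;	/* keeps every later shift below 32 */
	if (node_mask == 0)
		return CLUSTER_MASK_EMPTY;
	if (node_mask & ~cluster_all_nodes_mask(total_nodes))
		return CLUSTER_MASK_RANGE;	/* same condition as node_mask >= 1 << total_nodes */
	return CLUSTER_OK;
}

/* Per-packet decision: the flow hash picks one node in [0, total_nodes) and
 * the rule matches when that node's bit is set in node_mask. Only call this
 * after cluster_check_params() returned CLUSTER_OK, so the shift is < 32.
 * Assumption: plain modulo reduction; the kernel reduces the hash its own way. */
bool cluster_hash_selects_us(uint32_t hash, uint32_t total_nodes, uint32_t node_mask)
{
	uint32_t node = hash % total_nodes;
	return (node_mask & (UINT32_C(1) << node)) != 0;
}

int main(void)
{
	/* --cluster-total-nodes 32 --cluster-local-node 32 from the commit message,
	 * assuming local node N is encoded as bit N-1 of node_mask */
	printf("32 of 32 -> %d (0 means OK)\n",
	       cluster_check_params(32, UINT32_C(1) << 31));
	printf("33 nodes -> %d (2 means too many)\n", cluster_check_params(33, 1));
	return 0;
}
```

The range test is phrased as `node_mask & ~all_nodes_mask` rather than `node_mask >= 1 << total_nodes` so that the 32-node case needs no 64-bit widening at all; the cap on total_nodes is still required, because it is the only thing that keeps the shift in cluster_hash_selects_us() defined.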

* netfilter 04/04: ctnetlink: fix wrong message type in user updates
  2009-05-05 16:47 netfilter 00/04: netfilter fixes Patrick McHardy
                   ` (2 preceding siblings ...)
  2009-05-05 16:47 ` netfilter 03/04: xt_cluster: fix use of cluster match with 32 nodes Patrick McHardy
@ 2009-05-05 16:47 ` Patrick McHardy
  2009-05-05 19:02 ` netfilter 00/04: netfilter fixes David Miller
  4 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-05 16:47 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit fecc1133b66af6e0cd49115a248f34bbb01f180a
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue May 5 17:48:26 2009 +0200

    netfilter: ctnetlink: fix wrong message type in user updates
    
    This patch fixes the wrong message type that are triggered by
    user updates, the following commands:
    
    (term1)# conntrack -I -p tcp -s 1.1.1.1 -d 2.2.2.2 -t 10 --sport 10 --dport 20 --state LISTEN
    (term1)# conntrack -U -p tcp -s 1.1.1.1 -d 2.2.2.2 -t 10 --sport 10 --dport 20 --state SYN_SENT
    (term1)# conntrack -U -p tcp -s 1.1.1.1 -d 2.2.2.2 -t 10 --sport 10 --dport 20 --state SYN_RECV
    
    only trigger event message of type NEW, when only the first is NEW
    while others should be UPDATE.
    
    (term2)# conntrack -E
        [NEW] tcp      6 10 LISTEN src=1.1.1.1 dst=2.2.2.2 sport=10 dport=20 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=20 dport=10 mark=0
        [NEW] tcp      6 10 SYN_SENT src=1.1.1.1 dst=2.2.2.2 sport=10 dport=20 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=20 dport=10 mark=0
        [NEW] tcp      6 10 SYN_RECV src=1.1.1.1 dst=2.2.2.2 sport=10 dport=20 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=20 dport=10 mark=0
    
    This patch also removes IPCT_REFRESH from the bitmask since it is
    not of any use.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 0ea36e0..fd77619 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1186,28 +1186,6 @@ ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
 	return 0;
 }
 
-static inline void
-ctnetlink_event_report(struct nf_conn *ct, u32 pid, int report)
-{
-	unsigned int events = 0;
-
-	if (test_bit(IPS_EXPECTED_BIT, &ct->status))
-		events |= IPCT_RELATED;
-	else
-		events |= IPCT_NEW;
-
-	nf_conntrack_event_report(IPCT_STATUS |
-				  IPCT_HELPER |
-				  IPCT_REFRESH |
-				  IPCT_PROTOINFO |
-				  IPCT_NATSEQADJ |
-				  IPCT_MARK |
-				  events,
-				  ct,
-				  pid,
-				  report);
-}
-
 static struct nf_conn *
 ctnetlink_create_conntrack(struct nlattr *cda[],
 			   struct nf_conntrack_tuple *otuple,
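
Review bot: removing ctnetlink_event_report() inlines the event bitmask at two call sites in the hunks below, so the two copies now have to be kept in sync by hand. Keeping the helper and passing the per-path bits as a parameter (IPCT_NEW or IPCT_RELATED for the create path, nothing extra for the update path) would fix the message type just as well while preserving the single definition of the common mask; dropping IPCT_REFRESH from it, as the commit message says, is fine either way.
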
@@ -1373,6 +1351,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 		err = -ENOENT;
 		if (nlh->nlmsg_flags & NLM_F_CREATE) {
 			struct nf_conn *ct;
+			enum ip_conntrack_events events;
 
 			ct = ctnetlink_create_conntrack(cda, &otuple,
 							&rtuple, u3);
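
Review bot: `events` is declared at the top of the NLM_F_CREATE block but only assigned a dozen lines later, after the create call and the unlock. Declaring it next to the if/else that sets it, or initialising it to IPCT_NEW here and overriding it for the expected case, keeps declaration and value together and avoids an uninitialised read if another early-exit path is later added between them.
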
@@ -1383,9 +1362,18 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 			err = 0;
 			nf_conntrack_get(&ct->ct_general);
 			spin_unlock_bh(&nf_conntrack_lock);
-			ctnetlink_event_report(ct,
-					       NETLINK_CB(skb).pid,
-					       nlmsg_report(nlh));
+			if (test_bit(IPS_EXPECTED_BIT, &ct->status))
+				events = IPCT_RELATED;
+			else
+				events = IPCT_NEW;
+
+			nf_conntrack_event_report(IPCT_STATUS |
+						  IPCT_HELPER |
+						  IPCT_PROTOINFO |
+						  IPCT_NATSEQADJ |
+						  IPCT_MARK | events,
+						  ct, NETLINK_CB(skb).pid,
+						  nlmsg_report(nlh));
 			nf_ct_put(ct);
 		} else
 			spin_unlock_bh(&nf_conntrack_lock);
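
Review bot: both the `test_bit(IPS_EXPECTED_BIT, &ct->status)` test and the event report run after `spin_unlock_bh(&nf_conntrack_lock)`, with only the extra nf_conntrack_get() reference keeping ct alive; that is the ordering the removed helper used too, so nothing regresses here. Since the report now lists six IPCT_* bits inline, a named mask shared with the update path below would make it obvious that the only intended difference between the two sites is the NEW/RELATED bit.
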
@@ -1404,9 +1392,13 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 		if (err == 0) {
 			nf_conntrack_get(&ct->ct_general);
 			spin_unlock_bh(&nf_conntrack_lock);
-			ctnetlink_event_report(ct,
-					       NETLINK_CB(skb).pid,
-					       nlmsg_report(nlh));
+			nf_conntrack_event_report(IPCT_STATUS |
+						  IPCT_HELPER |
+						  IPCT_PROTOINFO |
+						  IPCT_NATSEQADJ |
+						  IPCT_MARK,
+						  ct, NETLINK_CB(skb).pid,
+						  nlmsg_report(nlh));
 			nf_ct_put(ct);
 		} else
 			spin_unlock_bh(&nf_conntrack_lock);
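
Review bot: this hunk is the actual fix, the update path no longer reports IPCT_NEW, so listeners see UPDATE instead of a second NEW. It still reports STATUS, HELPER, PROTOINFO, NATSEQADJ and MARK unconditionally on every successful ctnetlink_change_conntrack(), regardless of which attributes the netlink message carried, so a mark-only update is delivered as if helper, protocol state and NAT sequence adjustment had all changed too. Having ctnetlink_change_conntrack() return the bits it actually changed, and reporting only those, would make the UPDATE events accurate rather than merely correctly typed.
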


* Re: netfilter 00/04: netfilter fixes
  2009-05-05 16:47 netfilter 00/04: netfilter fixes Patrick McHardy
                   ` (3 preceding siblings ...)
  2009-05-05 16:47 ` netfilter 04/04: ctnetlink: fix wrong message type in user updates Patrick McHardy
@ 2009-05-05 19:02 ` David Miller
  4 siblings, 0 replies; 15+ messages in thread
From: David Miller @ 2009-05-05 19:02 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  5 May 2009 18:47:42 +0200 (MEST)

> the following patches fix a couple of netfilter bugs:
...
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot Patrick!


* netfilter 00/04: netfilter fixes
@ 2009-05-27 14:35 Patrick McHardy
  2009-05-27 22:52 ` David Miller
  0 siblings, 1 reply; 15+ messages in thread
From: Patrick McHardy @ 2009-05-27 14:35 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

following are four netfilter fixes for 2.6.30, containing:

- a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
- a patch from Pablo to properly propagate DCCP conntrack state changes
- a patch from Jesper to fix an invalid return value in a xt_hashlimit
  seq_file function
- another patch from Pablo to fix undersized skb allocation in nfnetlink_log

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/linux/netfilter/nf_conntrack_tcp.h |    4 ++++
 net/netfilter/nf_conntrack_proto_dccp.c    |    4 ++++
 net/netfilter/nf_conntrack_proto_tcp.c     |   18 ++++++++++++++++++
 net/netfilter/nfnetlink_log.c              |    6 ++++++
 net/netfilter/xt_hashlimit.c               |    2 +-
 5 files changed, 33 insertions(+), 1 deletions(-)

Jesper Dangaard Brouer (1):
      netfilter: xt_hashlimit does a wrong SEQ_SKIP

Jozsef Kadlecsik (1):
      netfilter: nf_ct_tcp: fix accepting invalid RST segments

Pablo Neira Ayuso (2):
      netfilter: nf_ct_dccp: add missing DCCP protocol changes in event cache
      netfilter: nfnetlink_log: fix wrong skbuff size calculation


* Re: netfilter 00/04: netfilter fixes
  2009-05-27 14:35 Patrick McHardy
@ 2009-05-27 22:52 ` David Miller
  2009-05-28 16:34   ` Patrick McHardy
  0 siblings, 1 reply; 15+ messages in thread
From: David Miller @ 2009-05-27 22:52 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Wed, 27 May 2009 16:35:24 +0200 (MEST)

> following are four netfilter fixes for 2.6.30, containing:
> 
> - a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
> - a patch from Pablo to properly propagate DCCP conntrack state changes
> - a patch from Jesper to fix an invalid return value in a xt_hashlimit
>   seq_file function
> - another patch from Pablo to fix undersized skb allocation in nfnetlink_log
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks Patrick.

In the future, can you please explicitly specify the branch name, even
if it is just 'master', in your GIT URLs for me to pull from?

GIT requires that it always be specified, therefore if you put it
there at the end of the URL I can just cut and paste it into my
command line.

Thanks!


* Re: netfilter 00/04: netfilter fixes
  2009-05-27 22:52 ` David Miller
@ 2009-05-28 16:34   ` Patrick McHardy
  0 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-28 16:34 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, netfilter-devel

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Wed, 27 May 2009 16:35:24 +0200 (MEST)
> 
>> following are four netfilter fixes for 2.6.30, containing:
>>
>> - a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
>> - a patch from Pablo to properly propagate DCCP conntrack state changes
>> - a patch from Jesper to fix an invalid return value in a xt_hashlimit
>>   seq_file function
>> - another patch from Pablo to fix undersized skb allocation in nfnetlink_log
>>
>> Please apply or pull from:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
> 
> Pulled, thanks Patrick.
> 
> In the future, can you please explicitly specify the branch name, even
> if it is just 'master', in your GIT URLs for me to pull from?
> 
> GIT requires that it always be specified, therefore if you put it
> there at the end of the URL I can just cut and paste it into my
> command line.

Sure, will do :)



* netfilter 00/04: netfilter fixes
@ 2009-06-29 14:20 Patrick McHardy
  2009-06-30  2:23 ` David Miller
  0 siblings, 1 reply; 15+ messages in thread
From: Patrick McHardy @ 2009-06-29 14:20 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

following are four netfilter fixes for 2.6.31:

- Jesper's rcu_barrier() patch to fix conntrack module unload races

- a patch to fix false positives in TCP conntrack unacknowledged data
  detection, resulting in very short timeout values

- a missing linux/types.h include in xt_osf.h

- a fix for a conntrack match regression introduced with the last revision:
  the state member in the configuration struct isn't able to hold all valid
  values. This unfortunately needs a new revision.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 include/linux/netfilter/xt_conntrack.h |   13 ++++++
 include/linux/netfilter/xt_osf.h       |    2 +
 include/net/netfilter/nf_conntrack.h   |    4 +-
 net/ipv4/netfilter/nf_nat_helper.c     |   17 +++++---
 net/netfilter/nf_conntrack_expect.c    |    4 +-
 net/netfilter/nf_conntrack_extend.c    |    2 +-
 net/netfilter/nf_conntrack_proto_tcp.c |    6 +-
 net/netfilter/xt_conntrack.c           |   66 +++++++++++++++++++++++++++++---
 8 files changed, 95 insertions(+), 19 deletions(-)

Jan Engelhardt (1):
      netfilter: xtables: conntrack match revision 2

Jaswinder Singh Rajput (1):
      netfilter: headers_check fix: linux/netfilter/xt_osf.h

Jesper Dangaard Brouer (1):
      nf_conntrack: Use rcu_barrier()

Patrick McHardy (1):
      netfilter: tcp conntrack: fix unacknowledged data detection with NAT


* Re: netfilter 00/04: netfilter fixes
  2009-06-29 14:20 Patrick McHardy
@ 2009-06-30  2:23 ` David Miller
  0 siblings, 0 replies; 15+ messages in thread
From: David Miller @ 2009-06-30  2:23 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 29 Jun 2009 16:20:13 +0200 (MEST)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
> 
> Thanks!

Pulled, thanks a lot Patrick!


* netfilter 00/04: netfilter fixes
@ 2010-01-08 16:42 Patrick McHardy
  2010-01-08 21:17 ` David Miller
  0 siblings, 1 reply; 15+ messages in thread
From: Patrick McHardy @ 2010-01-08 16:42 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches fix a couple of bugs in netfilter and IPVS:

- use lib/gcd in IPVS

- add missing boundary checks for IPVS ioctl arguments, from Arjan

- fix an out-of-bounds read in FTP conntrack, from myself

- add missing CAP_NET_ADMIN check to ebtables, from Florian Westphal.
  ebtables userspace uses IP RAW sockets to address ebtables, which
  enforce CAP_NET_RAW. Any other IP socket type allows unprivileged
  access to the ebtables ruleset.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 net/bridge/netfilter/ebtables.c  |    6 ++++++
 net/netfilter/ipvs/Kconfig       |    3 ++-
 net/netfilter/ipvs/ip_vs_ctl.c   |   14 +++++++++++++-
 net/netfilter/ipvs/ip_vs_wrr.c   |   15 +--------------
 net/netfilter/nf_conntrack_ftp.c |   18 +++++++++---------
 5 files changed, 31 insertions(+), 25 deletions(-)

Arjan van de Ven (1):
      ipvs: Add boundary check on ioctl arguments

Florian Fainelli (1):
      ipvs: ip_vs_wrr.c: use lib/gcd.c

Florian Westphal (1):
      netfilter: ebtables: enforce CAP_NET_ADMIN

Patrick McHardy (1):
      netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()

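The ebtables item above describes a capability check that lived in the wrong place: CAP_NET_RAW was enforced by the raw socket that ebtables userspace happens to open, not by ebtables itself, so any IP socket reached the ruleset. The following probe is an added example, not from the patch or from the kernel tree: it issues EBT_SO_GET_INFO over a plain UDP socket, which needs no capability at all, and classifies the kernel's answer. A kernel without the fix processes the request for an unprivileged caller (success, or ENOENT if the table is not loaded); a fixed kernel answers EPERM before looking at the request. The sockopt number and the ebt_replace layout are copied from the UAPI header linux/netfilter_bridge/ebtables.h; the table name "filter", the result classification and the function names are this example's.

```c
/* Added example, not from the ebtables patch or the kernel: user-space probe
 * for the CAP_NET_ADMIN gap. It asks the ebtables getsockopt interface for
 * table info over a socket type that needs no capability (SOCK_DGRAM) and
 * reports how the kernel answered. Option number and struct layout follow
 * the UAPI header linux/netfilter_bridge/ebtables.h. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define EBT_TABLE_MAXNAMELEN 32
#define NF_BR_NUMHOOKS        6
#define EBT_BASE_CTL        128
#define EBT_SO_GET_INFO     (EBT_BASE_CTL)

struct ebt_replace {		/* user-visible layout; pointers are opaque here */
	char name[EBT_TABLE_MAXNAMELEN];
	unsigned int valid_hooks;
	unsigned int nentries;
	unsigned int entries_size;
	void *hook_entry[NF_BR_NUMHOOKS];
	unsigned int num_counters;
	void *counters;
	char *entries;
};

enum ebt_probe_result {
	EBT_PROBE_ALLOWED,	/* success: ruleset info handed to this user */
	EBT_PROBE_NO_TABLE,	/* ENOENT: request was processed, table not loaded */
	EBT_PROBE_DENIED,	/* EPERM: the CAP_NET_ADMIN check is in place */
	EBT_PROBE_NO_EBTABLES,	/* ENOPROTOOPT/EOPNOTSUPP: nothing registered to probe */
	EBT_PROBE_NO_SOCKET,	/* socket() itself failed, errno in *saved_errno */
	EBT_PROBE_OTHER,
};

/* Try EBT_SO_GET_INFO for `table` on an AF_INET socket of the given type.
 * *saved_errno receives the errno of the failing call, or 0 on success. */
enum ebt_probe_result ebt_probe(int sock_type, const char *table, int *saved_errno)
{
	struct ebt_replace repl;
	socklen_t len = sizeof(repl);
	int fd = socket(AF_INET, sock_type, 0);

	if (fd < 0) {
		if (saved_errno)
			*saved_errno = errno;
		return EBT_PROBE_NO_SOCKET;
	}
	memset(&repl, 0, sizeof(repl));
	strncpy(repl.name, table, EBT_TABLE_MAXNAMELEN - 1);

	int rc = getsockopt(fd, IPPROTO_IP, EBT_SO_GET_INFO, &repl, &len);
	int err = rc < 0 ? errno : 0;	/* capture before close() can clobber errno */
	close(fd);
	if (saved_errno)
		*saved_errno = err;

	if (rc == 0)
		return EBT_PROBE_ALLOWED;
	switch (err) {
	case ENOENT:      return EBT_PROBE_NO_TABLE;
	case EPERM:       return EBT_PROBE_DENIED;
	case ENOPROTOOPT:
	case EOPNOTSUPP:  return EBT_PROBE_NO_EBTABLES;
	default:          return EBT_PROBE_OTHER;
	}
}

int main(int argc, char **argv)
{
	static const char *names[] = { "allowed", "no such table (request processed)",
				       "denied (EPERM)", "no ebtables", "no socket", "other" };
	int sock_type = (argc > 1 && strcmp(argv[1], "raw") == 0) ? SOCK_RAW : SOCK_DGRAM;
	int err = 0;
	enum ebt_probe_result r = ebt_probe(sock_type, "filter", &err);

	printf("EBT_SO_GET_INFO over %s socket: %s (errno %d)\n",
	       sock_type == SOCK_RAW ? "raw" : "udp", names[r], err);
	return 0;
}
```

Run it as an unprivileged user. "allowed" or "no such table" means the request was handled without CAP_NET_ADMIN, which is the gap the patch closes; "denied (EPERM)" means the check is in place; "no ebtables" means there is nothing to probe on this kernel. Running it with the argument raw shows the gate that was there all along: socket(AF_INET, SOCK_RAW, 0) fails with EPERM for a caller without CAP_NET_RAW, which is why the ebtables userspace path looked protected while the UDP path was not.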

* Re: netfilter 00/04: netfilter fixes
  2010-01-08 16:42 Patrick McHardy
@ 2010-01-08 21:17 ` David Miller
  0 siblings, 0 replies; 15+ messages in thread
From: David Miller @ 2010-01-08 21:17 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Fri,  8 Jan 2010 17:42:07 +0100 (MET)

> the following patches fix a couple of bugs in netfilter and IPVS:
> 
> - use lib/gcd in IPVS
> 
> - add missing boundary checks for IPVS ioctl arguments, from Arjan
> 
> - fix an out-of-bounds read in FTP conntrack, from myself
> 
> - add missing CAP_NET_ADMIN check to ebtables, from Florian Westphal.
>   ebtables userspace uses IP RAW sockets to address ebtables, which
>   enforce CAP_NET_RAW. Any other IP socket type allows unprivileged
>   access to the ebtables ruleset.
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks Patrick.

