netfilter-devel.vger.kernel.org archive mirror
* netfilter 00/04: netfilter fixes
@ 2009-03-16 16:08 Patrick McHardy
  2009-03-17 20:13 ` David Miller
  0 siblings, 1 reply; 15+ messages in thread
From: Patrick McHardy @ 2009-03-16 16:08 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches for 2.6.29 fix a few netfilter bugs:

- avoid event delivery for conntracks dropped because of clashes (from Pablo)

- fix for a ctnetlink crash during expectation creation caused by a missing
  initialization. Also from Pablo.

- a fix for correctly handling NF_DROP return values from the conntrack
  ->packet() callbacks. From Christoph Paasch.

- reordering of the header checks in IPv6 conntrack reassembly to avoid an
  incorrect log message with NEXTHDR_NONE. Also from Christoph.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/net/netfilter/nf_conntrack_core.h |    3 ++-
 net/ipv6/netfilter/nf_conntrack_reasm.c   |    8 ++++----
 net/netfilter/nf_conntrack_core.c         |    2 +-
 net/netfilter/nf_conntrack_netlink.c      |    1 +
 net/netfilter/nf_conntrack_proto_tcp.c    |    4 ++--
 5 files changed, 10 insertions(+), 8 deletions(-)

Christoph Paasch (2):
      netfilter: conntrack: fix dropping packet after l4proto->packet()
      netfilter: conntrack: check for NEXTHDR_NONE before header sanity checking

Pablo Neira Ayuso (2):
      netfilter: conntrack: don't deliver events for racy packets
      netfilter: ctnetlink: fix crash during expectation creation


* Re: netfilter 00/04: netfilter fixes
  2009-03-16 16:08 Patrick McHardy
@ 2009-03-17 20:13 ` David Miller
  0 siblings, 0 replies; 15+ messages in thread
From: David Miller @ 2009-03-17 20:13 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 16 Mar 2009 17:08:42 +0100 (MET)

> the following patches for 2.6.29 fix a few netfilter bugs:
> 
> - avoid event delivery for conntracks dropped because of clashes (from Pablo)
> 
> - fix for a ctnetlink crash during expectation creation caused by a missing
>   initialization. Also from Pablo.
> 
> - a fix for correctly handling NF_DROP return values from the conntrack
>   ->packet() callbacks. From Christoph Paasch.
> 
> - reordering of the header checks in IPv6 conntrack reassembly to avoid an
>   incorrect log message with NEXTHDR_NONE. Also from Christoph.
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!


* netfilter 00/04: netfilter fixes
@ 2009-05-05 16:47 Patrick McHardy
  2009-05-05 19:02 ` David Miller
  0 siblings, 1 reply; 15+ messages in thread
From: Patrick McHardy @ 2009-05-05 16:47 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches fix a couple of netfilter bugs:

- missing inclusion of linux/types.h in xt_LED.h

- an incorrect length check in the ipv6header match, causing
  mismatches on packets ending with NEXTHDR_NONE

- an incorrect check in the new cluster match, causing rules using
  32 nodes to fail loading

- incorrect ctnetlink event types for user-generated events

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/linux/netfilter/xt_LED.h     |    2 ++
 include/linux/netfilter/xt_cluster.h |    2 ++
 net/ipv6/netfilter/ip6t_ipv6header.c |    6 +++---
 net/netfilter/xt_cluster.c           |    8 +++++++-
 4 files changed, 14 insertions(+), 4 deletions(-)

Christoph Paasch (1):
      netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE

Pablo Neira Ayuso (1):
      netfilter: xt_cluster: fix use of cluster match with 32 nodes

Patrick McHardy (1):
      netfilter: add missing linux/types.h include to xt_LED.h


* Re: netfilter 00/04: netfilter fixes
  2009-05-05 16:47 Patrick McHardy
@ 2009-05-05 19:02 ` David Miller
  0 siblings, 0 replies; 15+ messages in thread
From: David Miller @ 2009-05-05 19:02 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  5 May 2009 18:47:42 +0200 (MEST)

> the following patches fix a couple of netfilter bugs:
...
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot Patrick!


* netfilter 00/04: netfilter fixes
@ 2009-05-27 14:35 Patrick McHardy
  2009-05-27 14:35 ` netfilter 01/04: nf_ct_tcp: fix accepting invalid RST segments Patrick McHardy
                   ` (4 more replies)
  0 siblings, 5 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-27 14:35 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

following are four netfilter fixes for 2.6.30, containing:

- a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
- a patch from Pablo to properly propagate DCCP conntrack state changes
- a patch from Jesper to fix an invalid return value in a xt_hashlimit
  seq_file function
- another patch from Pablo to fix undersized skb allocation in nfnetlink_log

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/linux/netfilter/nf_conntrack_tcp.h |    4 ++++
 net/netfilter/nf_conntrack_proto_dccp.c    |    4 ++++
 net/netfilter/nf_conntrack_proto_tcp.c     |   18 ++++++++++++++++++
 net/netfilter/nfnetlink_log.c              |    6 ++++++
 net/netfilter/xt_hashlimit.c               |    2 +-
 5 files changed, 33 insertions(+), 1 deletions(-)

Jesper Dangaard Brouer (1):
      netfilter: xt_hashlimit does a wrong SEQ_SKIP

Jozsef Kadlecsik (1):
      netfilter: nf_ct_tcp: fix accepting invalid RST segments

Pablo Neira Ayuso (2):
      netfilter: nf_ct_dccp: add missing DCCP protocol changes in event cache
      netfilter: nfnetlink_log: fix wrong skbuff size calculation


* netfilter 01/04: nf_ct_tcp: fix accepting invalid RST segments
  2009-05-27 14:35 netfilter 00/04: netfilter fixes Patrick McHardy
@ 2009-05-27 14:35 ` Patrick McHardy
  2009-05-27 14:35 ` netfilter 02/04: nf_ct_dccp: add missing DCCP protocol changes in event cache Patrick McHardy
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-27 14:35 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit bfcaa50270e18f35220a11d46e98fc6232c24606
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date:   Mon May 25 17:23:15 2009 +0200

    netfilter: nf_ct_tcp: fix accepting invalid RST segments
    
    Robert L Mathews discovered that some clients send evil TCP RST segments,
    which are accepted by netfilter conntrack but discarded by the
    destination. Thus the conntrack entry is destroyed but the destination
    retransmits data until timeout.
    
    The same technique, i.e. sending properly crafted RST segments, can easily
    be used to bypass connlimit/connbytes based restrictions (the sample
    script written by Robert can be found in the netfilter mailing list
    archives).
    
    The patch below adds a new flag and new field to struct ip_ct_tcp_state so
    that checking RST segments can be made more strict and thus TCP conntrack
    can catch the invalid ones: the RST segment is accepted only if its
    sequence number is higher than or equal to the highest ack we have seen from the
    other direction. (The last_ack field cannot be reused because it is used
    to catch resent packets.)
    
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
index 3066789..b2f384d 100644
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -35,6 +35,9 @@ enum tcp_conntrack {
 /* Has unacknowledged data */
 #define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED	0x10
 
+/* The field td_maxack has been set */
+#define IP_CT_TCP_FLAG_MAXACK_SET		0x20
+
 struct nf_ct_tcp_flags {
 	__u8 flags;
 	__u8 mask;
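Review bot: The new bit joins the flag namespace used by struct nf_ct_tcp_flags directly below (the __u8 flags/mask pair), so the commit message should state whether IP_CT_TCP_FLAG_MAXACK_SET is meant to be set or cleared through that mask or is kernel-internal bookkeeping only; the comment on the define could also name the struct it describes, e.g. `/* ip_ct_tcp_state.td_maxack has been set */`, since "the field" is ambiguous in a header with two structs.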
@@ -46,6 +49,7 @@ struct ip_ct_tcp_state {
 	u_int32_t	td_end;		/* max of seq + len */
 	u_int32_t	td_maxend;	/* max of ack + max(win, 1) */
 	u_int32_t	td_maxwin;	/* max(win) */
+	u_int32_t	td_maxack;	/* max of ack */
 	u_int8_t	td_scale;	/* window scale factor */
 	u_int8_t	flags;		/* per direction options */
 };
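Review bot: Adding u_int32_t td_maxack grows struct ip_ct_tcp_state and shifts td_scale and flags; this header lives under include/linux/, so please confirm in the commit message that the struct is not part of the userspace-visible ABI (or sits behind a kernel-only guard not shown in this hunk). Placing the field among the other 32-bit members, as done here, avoids introducing padding.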
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index b5ccf2b..97a6e93 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -634,6 +634,14 @@ static bool tcp_in_window(const struct nf_conn *ct,
 			sender->td_end = end;
 			sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
 		}
+		if (tcph->ack) {
+			if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
+				sender->td_maxack = ack;
+				sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET;
+			} else if (after(ack, sender->td_maxack))
+				sender->td_maxack = ack;
+		}
+
 		/*
 		 * Update receiver data.
 		 */
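Review bot: A short comment would help at the new block, because the reason for IP_CT_TCP_FLAG_MAXACK_SET is not obvious from the code: td_maxack is only meaningful once an ACK has been seen, and a zero sentinel cannot be used since 0 is a valid acknowledgement number under sequence wraparound. Style: the `else if (after(ack, sender->td_maxack))` arm omits braces while its sibling `if` has them; bracing both arms alike reads more clearly.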
@@ -919,6 +927,16 @@ static int tcp_packet(struct nf_conn *ct,
 		return -NF_ACCEPT;
 	case TCP_CONNTRACK_CLOSE:
 		if (index == TCP_RST_SET
+		    && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
+		    && before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
+			/* Invalid RST  */
+			write_unlock_bh(&tcp_lock);
+			if (LOG_INVALID(net, IPPROTO_TCP))
+				nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+					  "nf_ct_tcp: invalid RST ");
+			return -NF_ACCEPT;
+		}
+		if (index == TCP_RST_SET
 		    && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
 			 && ct->proto.tcp.last_index == TCP_SYN_SET)
 			|| (!test_bit(IPS_ASSURED_BIT, &ct->status)
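Review bot: The new path returns -NF_ACCEPT, the same as the existing invalid-packet handling at the top of this hunk, so a rejected RST is flagged INVALID rather than dropped and the tracked state is left alone; the commit message says conntrack "can catch the invalid ones", and it would help administrators to spell out that a rule dropping INVALID state is still needed for the connlimit/connbytes bypass it describes to be closed. The check itself matches the description (reject when seq is before the peer's td_maxack, accept when equal or after). Nit: double space in `/* Invalid RST  */`.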

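The check described in the commit message above, modelled in user space as an added example (this is not kernel code: `dir_state`, `track_ack`, `rst_is_valid` and `process` are hypothetical stand-ins for `ip_ct_tcp_state`, `tcp_in_window()` and `tcp_packet()`, and the segments are constructed). It shows why the flag exists alongside the field, and that the validity test runs against the other direction's highest ACK before the sender's own bookkeeping is updated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors IP_CT_TCP_FLAG_MAXACK_SET: td_maxack is only meaningful once an
 * ACK has been seen, and 0 is a valid ACK number, so a flag marks "set". */
#define FLAG_MAXACK_SET 0x20

/* Wrap-safe 32-bit sequence comparison, same idea as the kernel's before()/after(). */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static bool seq_after(uint32_t a, uint32_t b) { return seq_before(b, a); }

/* Per-direction state; stand-in for the two fields the patch adds. */
struct dir_state {
	uint32_t td_maxack;	/* highest ACK sent in this direction */
	uint8_t flags;
};

struct conn {
	struct dir_state seen[2];	/* 0 = original, 1 = reply */
};

/* The TCP header fields the check needs (constructed input). */
struct segment {
	int dir;		/* 0 = original -> reply, 1 = reply -> original */
	bool ack, rst;
	uint32_t seq, ack_seq;
};

/* tcp_in_window() part: remember the highest ACK this sender has sent. */
static void track_ack(struct conn *ct, const struct segment *s)
{
	struct dir_state *sender = &ct->seen[s->dir];

	if (!s->ack)
		return;
	if (!(sender->flags & FLAG_MAXACK_SET)) {
		sender->td_maxack = s->ack_seq;
		sender->flags |= FLAG_MAXACK_SET;
	} else if (seq_after(s->ack_seq, sender->td_maxack)) {
		sender->td_maxack = s->ack_seq;
	}
}

/* tcp_packet() part: an RST is invalid when its SEQ lies before the highest
 * ACK the *other* side has sent, because the peer would discard it too.
 * With no ACK from the peer yet (flag unset) there is nothing to compare. */
static bool rst_is_valid(const struct conn *ct, const struct segment *s)
{
	const struct dir_state *peer = &ct->seen[!s->dir];

	if (!s->rst)
		return true;
	if ((peer->flags & FLAG_MAXACK_SET) && seq_before(s->seq, peer->td_maxack))
		return false;
	return true;
}

/* True when the segment is accepted for state tracking; the validity check
 * runs before the ACK bookkeeping, as in tcp_packet(). */
static bool process(struct conn *ct, const struct segment *s)
{
	if (!rst_is_valid(ct, s))
		return false;
	track_ack(ct, s);
	return true;
}

/* Constructed scenario. Bitmask: bit 0 = RST accepted before the peer has
 * ACKed anything, bit 1 = forged RST accepted, bit 2 = genuine RST accepted. */
static int run_scenario(void)
{
	int result = 0;
	struct conn fresh = {{{0}}};
	struct conn ct = {{{0}}};
	struct segment early_rst = { .dir = 0, .rst = true, .seq = 1000 };
	struct segment client_data = { .dir = 0, .ack = true, .seq = 1000, .ack_seq = 5000 };
	struct segment server_ack = { .dir = 1, .ack = true, .seq = 5000, .ack_seq = 1500 };
	struct segment forged_rst = { .dir = 0, .rst = true, .seq = 1200 };
	struct segment genuine_rst = { .dir = 0, .rst = true, .seq = 1500 };

	if (process(&fresh, &early_rst))
		result |= 1;
	process(&ct, &client_data);		/* client data starting at seq 1000 */
	process(&ct, &server_ack);		/* server has ACKed up to 1500 */
	if (process(&ct, &forged_rst))		/* seq 1200 is below the peer's ACK */
		result |= 2;
	if (process(&ct, &genuine_rst))		/* seq 1500 equals the peer's ACK */
		result |= 4;
	return result;				/* 5: early and genuine pass, forged fails */
}

int main(void)
{
	int r = run_scenario();

	printf("early RST accepted: %s\n", (r & 1) ? "yes" : "no");
	printf("forged RST accepted: %s\n", (r & 2) ? "yes" : "no");
	printf("genuine RST accepted: %s\n", (r & 4) ? "yes" : "no");
	return 0;
}
```

The forged segment fails only because the server's ACK of 1500 is recorded in `seen[1]` and the RST arrives in direction 0; a segment in the opposite direction would be judged against `seen[0]`. Before the patch there was no `td_maxack` at all, so all three RSTs above would have been accepted.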

* netfilter 02/04: nf_ct_dccp: add missing DCCP protocol changes in event cache
  2009-05-27 14:35 netfilter 00/04: netfilter fixes Patrick McHardy
  2009-05-27 14:35 ` netfilter 01/04: nf_ct_tcp: fix accepting invalid RST segments Patrick McHardy
@ 2009-05-27 14:35 ` Patrick McHardy
  2009-05-27 14:35 ` netfilter 03/04: xt_hashlimit does a wrong SEQ_SKIP Patrick McHardy
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-27 14:35 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit b38b1f616867c832301f24eaf259889494d495b3
Author: Pablo Neira Ayuso <Pablo Neira Ayuso>
Date:   Mon May 25 17:29:43 2009 +0200

    netfilter: nf_ct_dccp: add missing DCCP protocol changes in event cache
    
    This patch adds the missing protocol state-change event reporting
    for DCCP.
    
    $ sudo conntrack -E
        [NEW] dccp     33 240 src=192.168.0.2 dst=192.168.1.2 sport=57040 dport=5001 [UNREPLIED] src=192.168.1.2 dst=192.168.1.100 sport=5001 dport=57040
    
    With this patch:
    
    $ sudo conntrack -E
        [NEW] dccp     33 240 REQUEST src=192.168.0.2 dst=192.168.1.2 sport=57040 dport=5001 [UNREPLIED] src=192.168.1.2 dst=192.168.1.100 sport=5001 dport=57040
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 8e757dd..aee0d6b 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -22,6 +22,7 @@
 #include <linux/netfilter/nfnetlink_conntrack.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_log.h>
 
 static DEFINE_RWLOCK(dccp_lock);
@@ -553,6 +554,9 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
 	ct->proto.dccp.state = new_state;
 	write_unlock_bh(&dccp_lock);
 
+	if (new_state != old_state)
+		nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
+
 	dn = dccp_pernet(net);
 	nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]);
 
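Review bot: old_state is used in the new comparison but is neither declared nor assigned within this hunk; confirm it is captured before `ct->proto.dccp.state = new_state;` so the comparison is not trivially false. Caching the event after write_unlock_bh(&dccp_lock) rather than under the lock is the right order. A brief comment that IPCT_PROTOINFO is what surfaces the REQUEST state in the `conntrack -E` output quoted in the commit message would tie the two together.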


* netfilter 03/04: xt_hashlimit does a wrong SEQ_SKIP
  2009-05-27 14:35 netfilter 00/04: netfilter fixes Patrick McHardy
  2009-05-27 14:35 ` netfilter 01/04: nf_ct_tcp: fix accepting invalid RST segments Patrick McHardy
  2009-05-27 14:35 ` netfilter 02/04: nf_ct_dccp: add missing DCCP protocol changes in event cache Patrick McHardy
@ 2009-05-27 14:35 ` Patrick McHardy
  2009-05-27 14:35 ` netfilter 04/04: nfnetlink_log: fix wrong skbuff size calculation Patrick McHardy
  2009-05-27 22:52 ` netfilter 00/04: netfilter fixes David Miller
  4 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-27 14:35 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 683a04cebc63819a36b1db19843bd17771f05b55
Author: Jesper Dangaard Brouer <hawk@comx.dk>
Date:   Wed May 27 15:45:34 2009 +0200

    netfilter: xt_hashlimit does a wrong SEQ_SKIP
    
    The function dl_seq_show() returns 1 (equal to SEQ_SKIP) in case
    a seq_printf() call returns -1.  It should return -1.
    
    This SEQ_SKIP behavior breaks processing the proc file e.g. via a
    pipe or just through less.
    
    Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index a5b5369..219dcdb 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -926,7 +926,7 @@ static int dl_seq_show(struct seq_file *s, void *v)
 	if (!hlist_empty(&htable->hash[*bucket])) {
 		hlist_for_each_entry(ent, pos, &htable->hash[*bucket], node)
 			if (dl_seq_real_show(ent, htable->family, s))
-				return 1;
+				return -1;
 	}
 	return 0;
 }
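Review bot: Rather than the literal -1, consider propagating what dl_seq_real_show() returned (`int ret = dl_seq_real_show(ent, htable->family, s); if (ret) return ret;`), so the show callback reports exactly the seq_printf() result instead of flattening it. The commit message should also say in one sentence what the seq_file core does with a positive return (SEQ_SKIP: drop the record and continue) versus a negative one, because 1 and -1 look like a typo-sized difference but change behaviour completely.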


* netfilter 04/04: nfnetlink_log: fix wrong skbuff size calculation
  2009-05-27 14:35 netfilter 00/04: netfilter fixes Patrick McHardy
                   ` (2 preceding siblings ...)
  2009-05-27 14:35 ` netfilter 03/04: xt_hashlimit does a wrong SEQ_SKIP Patrick McHardy
@ 2009-05-27 14:35 ` Patrick McHardy
  2009-05-27 22:52 ` netfilter 00/04: netfilter fixes David Miller
  4 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-27 14:35 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit eeff9beec3d2563c42cca41e66d4169592bb5475
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed May 27 15:49:11 2009 +0200

    netfilter: nfnetlink_log: fix wrong skbuff size calculation
    
    This problem was introduced in 72961ecf84d67d6359a1b30f9b2a8427f13e1e71
    since no space was reserved for the new attributes NFULA_HWTYPE,
    NFULA_HWLEN and NFULA_HWHEADER.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index fd326ac..66a6dd5 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -581,6 +581,12 @@ nfulnl_log_packet(u_int8_t pf,
 		+ nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
 		+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
 
+	if (in && skb_mac_header_was_set(skb)) {
+		size +=   nla_total_size(skb->dev->hard_header_len)
+			+ nla_total_size(sizeof(u_int16_t))	/* hwtype */
+			+ nla_total_size(sizeof(u_int16_t));	/* hwlen */
+	}
+
 	spin_lock_bh(&inst->lock);
 
 	if (inst->flags & NFULNL_CFG_F_SEQ)
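Review bot: The reservation is conditional on `in && skb_mac_header_was_set(skb)` but the length comes from `skb->dev->hard_header_len`; the code that actually emits NFULA_HWTYPE, NFULA_HWLEN and NFULA_HWHEADER is not in this hunk, so please confirm it is guarded by the identical condition and takes the header length from the same device, otherwise the size computed here and the bytes written can still disagree and the undersize this patch fixes would recur. A one-line comment naming the three attributes the block reserves space for (the commit message names them; the inline comments only say hwtype and hwlen) would make the pairing auditable.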


* Re: netfilter 00/04: netfilter fixes
  2009-05-27 14:35 netfilter 00/04: netfilter fixes Patrick McHardy
                   ` (3 preceding siblings ...)
  2009-05-27 14:35 ` netfilter 04/04: nfnetlink_log: fix wrong skbuff size calculation Patrick McHardy
@ 2009-05-27 22:52 ` David Miller
  2009-05-28 16:34   ` Patrick McHardy
  4 siblings, 1 reply; 15+ messages in thread
From: David Miller @ 2009-05-27 22:52 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Wed, 27 May 2009 16:35:24 +0200 (MEST)

> following are four netfilter fixes for 2.6.30, containing:
> 
> - a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
> - a patch from Pablo to properly propagate DCCP conntrack state changes
> - a patch from Jesper to fix an invalid return value in a xt_hashlimit
>   seq_file function
> - another patch from Pablo to fix undersized skb allocation in nfnetlink_log
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks Patrick.

In the future, can you please explicitly specify the branch name, even
if it is just 'master', in your GIT URLs for me to pull from?

GIT requires that it always be specified, therefore if you put it
there at the end of the URL I can just cut and paste it into my
command line.

Thanks!


* Re: netfilter 00/04: netfilter fixes
  2009-05-27 22:52 ` netfilter 00/04: netfilter fixes David Miller
@ 2009-05-28 16:34   ` Patrick McHardy
  0 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2009-05-28 16:34 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, netfilter-devel

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Wed, 27 May 2009 16:35:24 +0200 (MEST)
> 
>> following are four netfilter fixes for 2.6.30, containing:
>>
>> - a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
>> - a patch from Pablo to properly propagate DCCP conntrack state changes
>> - a patch from Jesper to fix an invalid return value in a xt_hashlimit
>>   seq_file function
>> - another patch from Pablo to fix undersized skb allocation in nfnetlink_log
>>
>> Please apply or pull from:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
> 
> Pulled, thanks Patrick.
> 
> In the future, can you please explicitly specify the branch name, even
> if it is just 'master', in your GIT URLs for me to pull from?
> 
> GIT requires that it always be specified, therefore if you put it
> there at the end of the URL I can just cut and paste it into my
> command line.

Sure, will do :)



* netfilter 00/04: netfilter fixes
@ 2009-06-29 14:20 Patrick McHardy
  2009-06-30  2:23 ` David Miller
  0 siblings, 1 reply; 15+ messages in thread
From: Patrick McHardy @ 2009-06-29 14:20 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

following are four netfilter fixes for 2.6.31:

- Jesper's rcu_barrier() patch to fix conntrack module unload races

- a patch to fix false positives in TCP conntrack unacknowledged data
  detection, resulting in very short timeout values

- a missing linux/types.h include in xt_osf.h

- a fix for a conntrack match regression introduced with the last revision:
  the state member in the configuration struct isn't able to hold all valid
  values. This unfortunately needs a new revision.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 include/linux/netfilter/xt_conntrack.h |   13 ++++++
 include/linux/netfilter/xt_osf.h       |    2 +
 include/net/netfilter/nf_conntrack.h   |    4 +-
 net/ipv4/netfilter/nf_nat_helper.c     |   17 +++++---
 net/netfilter/nf_conntrack_expect.c    |    4 +-
 net/netfilter/nf_conntrack_extend.c    |    2 +-
 net/netfilter/nf_conntrack_proto_tcp.c |    6 +-
 net/netfilter/xt_conntrack.c           |   66 +++++++++++++++++++++++++++++---
 8 files changed, 95 insertions(+), 19 deletions(-)

Jan Engelhardt (1):
      netfilter: xtables: conntrack match revision 2

Jaswinder Singh Rajput (1):
      netfilter: headers_check fix: linux/netfilter/xt_osf.h

Jesper Dangaard Brouer (1):
      nf_conntrack: Use rcu_barrier()

Patrick McHardy (1):
      netfilter: tcp conntrack: fix unacknowledged data detection with NAT


* Re: netfilter 00/04: netfilter fixes
  2009-06-29 14:20 Patrick McHardy
@ 2009-06-30  2:23 ` David Miller
  0 siblings, 0 replies; 15+ messages in thread
From: David Miller @ 2009-06-30  2:23 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 29 Jun 2009 16:20:13 +0200 (MEST)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
> 
> Thanks!

Pulled, thanks a lot Patrick!


* netfilter 00/04: netfilter fixes
@ 2010-01-08 16:42 Patrick McHardy
  2010-01-08 21:17 ` David Miller
  0 siblings, 1 reply; 15+ messages in thread
From: Patrick McHardy @ 2010-01-08 16:42 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches fix a couple of bugs in netfilter and IPVS:

- use lib/gcd in IPVS

- add missing boundary checks for IPVS ioctl arguments, from Arjan

- fix an out-of-bounds read in FTP conntrack, from myself

- add missing CAP_NET_ADMIN check to ebtables, from Florian Westphal.
  ebtables userspace uses IP RAW sockets to address ebtables, which
  enforce CAP_NET_RAW. Any other IP socket type allows unprivileged
  access to the ebtables ruleset.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 net/bridge/netfilter/ebtables.c  |    6 ++++++
 net/netfilter/ipvs/Kconfig       |    3 ++-
 net/netfilter/ipvs/ip_vs_ctl.c   |   14 +++++++++++++-
 net/netfilter/ipvs/ip_vs_wrr.c   |   15 +--------------
 net/netfilter/nf_conntrack_ftp.c |   18 +++++++++---------
 5 files changed, 31 insertions(+), 25 deletions(-)

Arjan van de Ven (1):
      ipvs: Add boundary check on ioctl arguments

Florian Fainelli (1):
      ipvs: ip_vs_wrr.c: use lib/gcd.c

Florian Westphal (1):
      netfilter: ebtables: enforce CAP_NET_ADMIN

Patrick McHardy (1):
      netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()


* Re: netfilter 00/04: netfilter fixes
  2010-01-08 16:42 Patrick McHardy
@ 2010-01-08 21:17 ` David Miller
  0 siblings, 0 replies; 15+ messages in thread
From: David Miller @ 2010-01-08 21:17 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Fri,  8 Jan 2010 17:42:07 +0100 (MET)

> the following patches fix a couple of bugs in netfilter and IPVS:
> 
> - use lib/gcd in IPVS
> 
> - add missing boundary checks for IPVS ioctl arguments, from Arjan
> 
> - fix an out-of-bounds read in FTP conntrack, from myself
> 
> - add missing CAP_NET_ADMIN check to ebtables, from Florian Westphal.
>   ebtables userspace uses IP RAW sockets to address ebtables, which
>   enforce CAP_NET_RAW. Any other IP socket type allows unprivileged
>   access to the ebtables ruleset.
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks Patrick.

