* [PATCH] netfilter: fix mangle tables back
@ 2010-02-11 16:12 Alexey Dobriyan
2010-02-11 16:25 ` Jan Engelhardt
0 siblings, 1 reply; 9+ messages in thread
From: Alexey Dobriyan @ 2010-02-11 16:12 UTC (permalink / raw)
To: kaber, jengelh; +Cc: netfilter-devel
Calling POST_ROUTING hook with NULL input device is not going to work.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---
net/ipv4/netfilter/iptable_mangle.c | 2 +-
net/ipv6/netfilter/ip6table_mangle.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -85,7 +85,7 @@ iptable_mangle_hook(unsigned int hook,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT)
+ if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
return ipt_local_hook(hook, skb, in, out, okfn);
/* PREROUTING/INPUT/FORWARD: */
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -79,7 +79,7 @@ ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- if (hook == NF_INET_LOCAL_OUT)
+ if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
return ip6t_local_out_hook(hook, skb, out, okfn);
/* INPUT/FORWARD */
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] netfilter: fix mangle tables back
2010-02-11 16:12 [PATCH] netfilter: fix mangle tables back Alexey Dobriyan
@ 2010-02-11 16:25 ` Jan Engelhardt
2010-02-11 16:34 ` Patrick McHardy
0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-02-11 16:25 UTC (permalink / raw)
To: Alexey Dobriyan; +Cc: kaber, netfilter-devel
On Thursday 2010-02-11 17:12, Alexey Dobriyan wrote:
>Calling POST_ROUTING hook with NULL input device is not going to work.
>
>--- a/net/ipv4/netfilter/iptable_mangle.c
>+++ b/net/ipv4/netfilter/iptable_mangle.c
>@@ -85,7 +85,7 @@ iptable_mangle_hook(unsigned int hook,
> const struct net_device *out,
> int (*okfn)(struct sk_buff *))
> {
>- if (hook == NF_INET_LOCAL_OUT)
>+ if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
> return ipt_local_hook(hook, skb, in, out, okfn);
>
> /* PREROUTING/INPUT/FORWARD: */
postrouting did not call ipt_local_hook before, so why now?
>--- a/net/ipv6/netfilter/ip6table_mangle.c
>+++ b/net/ipv6/netfilter/ip6table_mangle.c
>@@ -79,7 +79,7 @@ ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
> const struct net_device *in, const struct net_device *out,
> int (*okfn)(struct sk_buff *))
> {
>- if (hook == NF_INET_LOCAL_OUT)
>+ if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
> return ip6t_local_out_hook(hook, skb, out, okfn);
>
> /* INPUT/FORWARD */
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] netfilter: fix mangle tables back
2010-02-11 16:25 ` Jan Engelhardt
@ 2010-02-11 16:34 ` Patrick McHardy
2010-02-11 17:07 ` Jan Engelhardt
2010-02-11 17:15 ` Alexey Dobriyan
0 siblings, 2 replies; 9+ messages in thread
From: Patrick McHardy @ 2010-02-11 16:34 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Alexey Dobriyan, netfilter-devel
Jan Engelhardt wrote:
> On Thursday 2010-02-11 17:12, Alexey Dobriyan wrote:
>
>> Calling POST_ROUTING hook with NULL input device is not going to work.
>>
>> --- a/net/ipv4/netfilter/iptable_mangle.c
>> +++ b/net/ipv4/netfilter/iptable_mangle.c
>> @@ -85,7 +85,7 @@ iptable_mangle_hook(unsigned int hook,
>> const struct net_device *out,
>> int (*okfn)(struct sk_buff *))
>> {
>> - if (hook == NF_INET_LOCAL_OUT)
>> + if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
>> return ipt_local_hook(hook, skb, in, out, okfn);
>>
>> /* PREROUTING/INPUT/FORWARD: */
>
> postrouting did not call ipt_local_hook before, so why now?
What Alexey meant is that
/* PREROUTING/INPUT/FORWARD: */
return ipt_do_table(skb, hook, in, out,
dev_net(in)->ipv4.iptable_mangle);
dev_net(in) for a NULL device won't work. Passing them to the local
hook won't work either however since we perform rerouting there.
I'm confused now why this didn't crash here so far ...
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] netfilter: fix mangle tables back
2010-02-11 16:34 ` Patrick McHardy
@ 2010-02-11 17:07 ` Jan Engelhardt
2010-02-11 17:13 ` Patrick McHardy
2010-02-11 17:15 ` Alexey Dobriyan
1 sibling, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-02-11 17:07 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Alexey Dobriyan, netfilter-devel
On Thursday 2010-02-11 17:34, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> On Thursday 2010-02-11 17:12, Alexey Dobriyan wrote:
>>
>>> Calling POST_ROUTING hook with NULL input device is not going to work.
>>>
>>> --- a/net/ipv4/netfilter/iptable_mangle.c
>>> +++ b/net/ipv4/netfilter/iptable_mangle.c
>>> @@ -85,7 +85,7 @@ iptable_mangle_hook(unsigned int hook,
>>> const struct net_device *out,
>>> int (*okfn)(struct sk_buff *))
>>> {
>>> - if (hook == NF_INET_LOCAL_OUT)
>>> + if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
>>> return ipt_local_hook(hook, skb, in, out, okfn);
>>>
>>> /* PREROUTING/INPUT/FORWARD: */
>>
>> postrouting did not call ipt_local_hook before, so why now?
>
>What Alexey meant is that
>
> /* PREROUTING/INPUT/FORWARD: */
> return ipt_do_table(skb, hook, in, out,
> dev_net(in)->ipv4.iptable_mangle);
>
>dev_net(in) for a NULL device won't work. Passing them to the local
>hook won't work either however since we perform rerouting there.
>I'm confused now why this didn't crash here so far ...
Before, ipt_post_routing_hook just called
return ipt_do_table(skb, hook, in, out,
dev_net(out)->ipv4.iptable_mangle);
Not caring about whether in and out are NULL or not,
because ipt_do_table checks for NULL.
Now, iptable_mangle_hook still just calls ipt_do_table, so
nothing really changed, thus nothing broke.
Thus the confusion this patch introduces.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] netfilter: fix mangle tables back
2010-02-11 17:07 ` Jan Engelhardt
@ 2010-02-11 17:13 ` Patrick McHardy
0 siblings, 0 replies; 9+ messages in thread
From: Patrick McHardy @ 2010-02-11 17:13 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Alexey Dobriyan, netfilter-devel
Jan Engelhardt wrote:
> On Thursday 2010-02-11 17:34, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> On Thursday 2010-02-11 17:12, Alexey Dobriyan wrote:
>>>
>>>> Calling POST_ROUTING hook with NULL input device is not going to work.
>>>>
>>>> --- a/net/ipv4/netfilter/iptable_mangle.c
>>>> +++ b/net/ipv4/netfilter/iptable_mangle.c
>>>> @@ -85,7 +85,7 @@ iptable_mangle_hook(unsigned int hook,
>>>> const struct net_device *out,
>>>> int (*okfn)(struct sk_buff *))
>>>> {
>>>> - if (hook == NF_INET_LOCAL_OUT)
>>>> + if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
>>>> return ipt_local_hook(hook, skb, in, out, okfn);
>>>>
>>>> /* PREROUTING/INPUT/FORWARD: */
>>> postrouting did not call ipt_local_hook before, so why now?
>> What Alexey meant is that
>>
>> /* PREROUTING/INPUT/FORWARD: */
>> return ipt_do_table(skb, hook, in, out,
>> dev_net(in)->ipv4.iptable_mangle);
>>
>> dev_net(in) for a NULL device won't work. Passing them to the local
>> hook won't work either however since we perform rerouting there.
>> I'm confused now why this didn't crash here so far ...
>
> Before, ipt_post_routing_hook just called
>
> return ipt_do_table(skb, hook, in, out,
> dev_net(out)->ipv4.iptable_mangle);
>
> Not caring about whether in and out are NULL or not,
> because ipt_do_table checks for NULL.
Its using the device to get to the table:
dev_net(in)->ipv4.iptable_mangle
The only reason why it doesn't crash for me is that the
machine I'm testing this on doesn't use network namespaces.
Please fix this up.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] netfilter: fix mangle tables back
2010-02-11 16:34 ` Patrick McHardy
2010-02-11 17:07 ` Jan Engelhardt
@ 2010-02-11 17:15 ` Alexey Dobriyan
2010-02-11 17:24 ` Patrick McHardy
1 sibling, 1 reply; 9+ messages in thread
From: Alexey Dobriyan @ 2010-02-11 17:15 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Jan Engelhardt, netfilter-devel
On Thu, Feb 11, 2010 at 05:34:30PM +0100, Patrick McHardy wrote:
> Jan Engelhardt wrote:
> > On Thursday 2010-02-11 17:12, Alexey Dobriyan wrote:
> >
> >> Calling POST_ROUTING hook with NULL input device is not going to work.
> >>
> >> --- a/net/ipv4/netfilter/iptable_mangle.c
> >> +++ b/net/ipv4/netfilter/iptable_mangle.c
> >> @@ -85,7 +85,7 @@ iptable_mangle_hook(unsigned int hook,
> >> const struct net_device *out,
> >> int (*okfn)(struct sk_buff *))
> >> {
> >> - if (hook == NF_INET_LOCAL_OUT)
> >> + if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
> >> return ipt_local_hook(hook, skb, in, out, okfn);
> >>
> >> /* PREROUTING/INPUT/FORWARD: */
> >
> > postrouting did not call ipt_local_hook before, so why now?
>
> What Alexey meant is that
>
> /* PREROUTING/INPUT/FORWARD: */
> return ipt_do_table(skb, hook, in, out,
> dev_net(in)->ipv4.iptable_mangle);
>
> dev_net(in) for a NULL device won't work. Passing them to the local
> hook won't work either however since we perform rerouting there.
> I'm confused now why this didn't crash here so far ...
It did crashed, that's why I noticed it.
But now I can't reproduce it too. Hopefully this patch is correct.
[PATCH] netfilter: fix mangle tables
In POST_ROUTING hook, calling dev_net(in) is going to oops.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---
net/ipv4/netfilter/iptable_mangle.c | 4 +++-
net/ipv6/netfilter/ip6table_mangle.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -87,7 +87,9 @@ iptable_mangle_hook(unsigned int hook,
{
if (hook == NF_INET_LOCAL_OUT)
return ipt_local_hook(hook, skb, in, out, okfn);
-
+ if (hook == NF_INET_POST_ROUTING)
+ return ipt_do_table(skb, hook, in, out,
+ dev_net(out)->ipv4.iptable_mangle);
/* PREROUTING/INPUT/FORWARD: */
return ipt_do_table(skb, hook, in, out,
dev_net(in)->ipv4.iptable_mangle);
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -81,7 +81,9 @@ ip6table_mangle_hook(unsigned int hook, struct sk_buff *skb,
{
if (hook == NF_INET_LOCAL_OUT)
return ip6t_local_out_hook(hook, skb, out, okfn);
-
+ if (hook == NF_INET_POST_ROUTING)
+ return ip6t_do_table(skb, hook, in, out,
+ dev_net(out)->ipv6.ip6table_mangle);
/* INPUT/FORWARD */
return ip6t_do_table(skb, hook, in, out,
dev_net(in)->ipv6.ip6table_mangle);
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] netfilter: fix mangle tables back
2010-02-11 17:15 ` Alexey Dobriyan
@ 2010-02-11 17:24 ` Patrick McHardy
2010-02-11 17:27 ` Alexey Dobriyan
0 siblings, 1 reply; 9+ messages in thread
From: Patrick McHardy @ 2010-02-11 17:24 UTC (permalink / raw)
To: Alexey Dobriyan; +Cc: Jan Engelhardt, netfilter-devel
Alexey Dobriyan wrote:
> On Thu, Feb 11, 2010 at 05:34:30PM +0100, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> On Thursday 2010-02-11 17:12, Alexey Dobriyan wrote:
>>>
>>>> Calling POST_ROUTING hook with NULL input device is not going to work.
>>>>
>>>> --- a/net/ipv4/netfilter/iptable_mangle.c
>>>> +++ b/net/ipv4/netfilter/iptable_mangle.c
>>>> @@ -85,7 +85,7 @@ iptable_mangle_hook(unsigned int hook,
>>>> const struct net_device *out,
>>>> int (*okfn)(struct sk_buff *))
>>>> {
>>>> - if (hook == NF_INET_LOCAL_OUT)
>>>> + if (hook == NF_INET_LOCAL_OUT || hook == NF_INET_POST_ROUTING)
>>>> return ipt_local_hook(hook, skb, in, out, okfn);
>>>>
>>>> /* PREROUTING/INPUT/FORWARD: */
>>> postrouting did not call ipt_local_hook before, so why now?
>> What Alexey meant is that
>>
>> /* PREROUTING/INPUT/FORWARD: */
>> return ipt_do_table(skb, hook, in, out,
>> dev_net(in)->ipv4.iptable_mangle);
>>
>> dev_net(in) for a NULL device won't work. Passing them to the local
>> hook won't work either however since we perform rerouting there.
>> I'm confused now why this didn't crash here so far ...
>
> It did crashed, that's why I noticed it.
> But now I can't reproduce it too. Hopefully this patch is correct.
It looks correct to me. Will try to reproduce the crash
just to make sure.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] netfilter: fix mangle tables back
2010-02-11 17:24 ` Patrick McHardy
@ 2010-02-11 17:27 ` Alexey Dobriyan
2010-02-11 17:42 ` Patrick McHardy
0 siblings, 1 reply; 9+ messages in thread
From: Alexey Dobriyan @ 2010-02-11 17:27 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Jan Engelhardt, netfilter-devel
On Thu, Feb 11, 2010 at 06:24:48PM +0100, Patrick McHardy wrote:
> It looks correct to me. Will try to reproduce the crash
> just to make sure.
Just CONFIG_NET_NS=y and it will crash.
Arrgh!
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] netfilter: fix mangle tables back
2010-02-11 17:27 ` Alexey Dobriyan
@ 2010-02-11 17:42 ` Patrick McHardy
0 siblings, 0 replies; 9+ messages in thread
From: Patrick McHardy @ 2010-02-11 17:42 UTC (permalink / raw)
To: Alexey Dobriyan; +Cc: Jan Engelhardt, netfilter-devel
Alexey Dobriyan wrote:
> On Thu, Feb 11, 2010 at 06:24:48PM +0100, Patrick McHardy wrote:
>> It looks correct to me. Will try to reproduce the crash
>> just to make sure.
>
> Just CONFIG_NET_NS=y and it will crash.
Indeed. Patch applied, thanks Alexey.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2010-02-11 17:42 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-02-11 16:12 [PATCH] netfilter: fix mangle tables back Alexey Dobriyan
2010-02-11 16:25 ` Jan Engelhardt
2010-02-11 16:34 ` Patrick McHardy
2010-02-11 17:07 ` Jan Engelhardt
2010-02-11 17:13 ` Patrick McHardy
2010-02-11 17:15 ` Alexey Dobriyan
2010-02-11 17:24 ` Patrick McHardy
2010-02-11 17:27 ` Alexey Dobriyan
2010-02-11 17:42 ` Patrick McHardy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).