[PATCH nf-next 0/4] netfilter: handle race w. module removal and nfqueue

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH nf-next 0/4] netfilter: handle race w. module removal and nfqueue
@ 2017-07-24 16:57 Florian Westphal
  2017-07-24 16:57 ` [PATCH nf-next 1/4] netfilter: expect: add and use nf_ct_expect_iterate helpers Florian Westphal
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
  To: netfilter-devel

There is a long-standing race that occurs with module removal (such as helpers)
nfqueue, and unconfirmed (not in hash table) conntracks.

The main issue is that
a). unconfirmed conntracks can't safely be mangled from other cpu (we assume
    exclusive access to grow/alter the extension area) and
b). nfqueued skbs leave RCU protection

This series address this by making the queue event similar to a confirm event:

Just as we do not commit 'dying' conntracks to the main table, refuse
to queue dying and unconfirmed conntracks to userspace.

Combined with a 'drop queued skbs' when a module exit path calls
the ct_iterate_destroy function this closes the hole, see patch #4 for details.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH nf-next 1/4] netfilter: expect: add and use nf_ct_expect_iterate helpers
  2017-07-24 16:57 [PATCH nf-next 0/4] netfilter: handle race w. module removal and nfqueue Florian Westphal
@ 2017-07-24 16:57 ` Florian Westphal
  2017-07-24 16:57 ` [PATCH nf-next 2/4] netfilter: add and use nf_ct_unconfirmed_destroy Florian Westphal
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

We have several spots that open-code a expect walk, add a helper
that is similar to nf_ct_iterate_destroy/nf_ct_iterate_cleanup.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/net/netfilter/nf_conntrack_expect.h |  5 +++
 net/netfilter/nf_conntrack_expect.c         | 54 +++++++++++++++++++++++++
 net/netfilter/nf_conntrack_helper.c         | 34 +++++++---------
 net/netfilter/nf_conntrack_netlink.c        | 63 ++++++++++-------------------
 4 files changed, 95 insertions(+), 61 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 2ba54feaccd8..818def011110 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -107,6 +107,11 @@ void nf_ct_remove_expectations(struct nf_conn *ct);
 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
 bool nf_ct_remove_expect(struct nf_conntrack_expect *exp);
 
+void nf_ct_expect_iterate_destroy(bool (*iter)(struct nf_conntrack_expect *e, void *data), void *data);
+void nf_ct_expect_iterate_net(struct net *net,
+			      bool (*iter)(struct nf_conntrack_expect *e, void *data),
+                              void *data, u32 portid, int report);
+
 /* Allocate space for an expectation: this is mandatory before calling
    nf_ct_expect_related.  You will have to call put afterwards. */
 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 899c2c36da13..e65d9b27dd39 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -474,6 +474,60 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
 }
 EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);
 
+void nf_ct_expect_iterate_destroy(bool (*iter)(struct nf_conntrack_expect *e, void *data),
+				  void *data)
+{
+	struct nf_conntrack_expect *exp;
+	const struct hlist_node *next;
+	unsigned int i;
+
+	spin_lock_bh(&nf_conntrack_expect_lock);
+
+	for (i = 0; i < nf_ct_expect_hsize; i++) {
+		hlist_for_each_entry_safe(exp, next,
+					  &nf_ct_expect_hash[i],
+					  hnode) {
+			if (iter(exp, data) && del_timer(&exp->timeout)) {
+				nf_ct_unlink_expect(exp);
+				nf_ct_expect_put(exp);
+			}
+		}
+	}
+
+	spin_unlock_bh(&nf_conntrack_expect_lock);
+}
+EXPORT_SYMBOL_GPL(nf_ct_expect_iterate_destroy);
+
+void nf_ct_expect_iterate_net(struct net *net,
+			      bool (*iter)(struct nf_conntrack_expect *e, void *data),
+			      void *data,
+			      u32 portid, int report)
+{
+	struct nf_conntrack_expect *exp;
+	const struct hlist_node *next;
+	unsigned int i;
+
+	spin_lock_bh(&nf_conntrack_expect_lock);
+
+	for (i = 0; i < nf_ct_expect_hsize; i++) {
+		hlist_for_each_entry_safe(exp, next,
+					  &nf_ct_expect_hash[i],
+					  hnode) {
+
+			if (!net_eq(nf_ct_exp_net(exp), net))
+				continue;
+
+			if (iter(exp, data) && del_timer(&exp->timeout)) {
+				nf_ct_unlink_expect_report(exp, portid, report);
+				nf_ct_expect_put(exp);
+			}
+		}
+	}
+
+	spin_unlock_bh(&nf_conntrack_expect_lock);
+}
+EXPORT_SYMBOL_GPL(nf_ct_expect_iterate_net);
+
 #ifdef CONFIG_NF_CONNTRACK_PROCFS
 struct ct_expect_iter_state {
 	struct seq_net_private p;
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 9129bb3b5153..551a1eddf0fa 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -437,12 +437,22 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_helper_register);
 
-void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
+static bool expect_iter_me(struct nf_conntrack_expect *exp, void *data)
 {
-	struct nf_conntrack_expect *exp;
-	const struct hlist_node *next;
-	unsigned int i;
+	struct nf_conn_help *help = nfct_help(exp->master);
+	const struct nf_conntrack_helper *me = data;
+	const struct nf_conntrack_helper *this;
+
+	if (exp->helper == me)
+		return true;
 
+	this = rcu_dereference_protected(help->helper,
+					 lockdep_is_held(&nf_conntrack_expect_lock));
+	return this == me;
+}
+
+void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
+{
 	mutex_lock(&nf_ct_helper_mutex);
 	hlist_del_rcu(&me->hnode);
 	nf_ct_helper_count--;
@@ -453,21 +463,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
 	 */
 	synchronize_rcu();
 
-	/* Get rid of expectations */
-	spin_lock_bh(&nf_conntrack_expect_lock);
-	for (i = 0; i < nf_ct_expect_hsize; i++) {
-		hlist_for_each_entry_safe(exp, next,
-					  &nf_ct_expect_hash[i], hnode) {
-			struct nf_conn_help *help = nfct_help(exp->master);
-			if ((rcu_dereference_protected(
-					help->helper,
-					lockdep_is_held(&nf_conntrack_expect_lock)
-					) == me || exp->helper == me))
-				nf_ct_remove_expect(exp);
-		}
-	}
-	spin_unlock_bh(&nf_conntrack_expect_lock);
-
+	nf_ct_expect_iterate_destroy(expect_iter_me, NULL);
 	nf_ct_iterate_destroy(unhelp, me);
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_helper_unregister);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 7999e70c3bfb..5eaa4730e700 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2910,6 +2910,21 @@ static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
 	return err == -EAGAIN ? -ENOBUFS : err;
 }
 
+static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
+{
+	const struct nf_conn_help *m_help;
+	const char *name = data;
+
+	m_help = nfct_help(exp->master);
+
+	return strcmp(m_help->helper->name, name) == 0;
+}
+
+static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
+{
+	return true;
+}
+
 static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
 				struct sk_buff *skb, const struct nlmsghdr *nlh,
 				const struct nlattr * const cda[],
@@ -2918,10 +2933,8 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
 	struct nf_conntrack_expect *exp;
 	struct nf_conntrack_tuple tuple;
 	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
-	struct hlist_node *next;
 	u_int8_t u3 = nfmsg->nfgen_family;
 	struct nf_conntrack_zone zone;
-	unsigned int i;
 	int err;
 
 	if (cda[CTA_EXPECT_TUPLE]) {
@@ -2961,49 +2974,15 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
 		nf_ct_expect_put(exp);
 	} else if (cda[CTA_EXPECT_HELP_NAME]) {
 		char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
-		struct nf_conn_help *m_help;
 
-		/* delete all expectations for this helper */
-		spin_lock_bh(&nf_conntrack_expect_lock);
-		for (i = 0; i < nf_ct_expect_hsize; i++) {
-			hlist_for_each_entry_safe(exp, next,
-						  &nf_ct_expect_hash[i],
-						  hnode) {
-
-				if (!net_eq(nf_ct_exp_net(exp), net))
-					continue;
-
-				m_help = nfct_help(exp->master);
-				if (!strcmp(m_help->helper->name, name) &&
-				    del_timer(&exp->timeout)) {
-					nf_ct_unlink_expect_report(exp,
-							NETLINK_CB(skb).portid,
-							nlmsg_report(nlh));
-					nf_ct_expect_put(exp);
-				}
-			}
-		}
-		spin_unlock_bh(&nf_conntrack_expect_lock);
+		nf_ct_expect_iterate_net(net, expect_iter_name, name,
+					 NETLINK_CB(skb).portid,
+					 nlmsg_report(nlh));
 	} else {
 		/* This basically means we have to flush everything*/
-		spin_lock_bh(&nf_conntrack_expect_lock);
-		for (i = 0; i < nf_ct_expect_hsize; i++) {
-			hlist_for_each_entry_safe(exp, next,
-						  &nf_ct_expect_hash[i],
-						  hnode) {
-
-				if (!net_eq(nf_ct_exp_net(exp), net))
-					continue;
-
-				if (del_timer(&exp->timeout)) {
-					nf_ct_unlink_expect_report(exp,
-							NETLINK_CB(skb).portid,
-							nlmsg_report(nlh));
-					nf_ct_expect_put(exp);
-				}
-			}
-		}
-		spin_unlock_bh(&nf_conntrack_expect_lock);
+		nf_ct_expect_iterate_net(net, expect_iter_all, NULL,
+					 NETLINK_CB(skb).portid,
+					 nlmsg_report(nlh));
 	}
 
 	return 0;
-- 
2.13.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [PATCH nf-next 2/4] netfilter: add and use nf_ct_unconfirmed_destroy
  2017-07-24 16:57 [PATCH nf-next 0/4] netfilter: handle race w. module removal and nfqueue Florian Westphal
  2017-07-24 16:57 ` [PATCH nf-next 1/4] netfilter: expect: add and use nf_ct_expect_iterate helpers Florian Westphal
@ 2017-07-24 16:57 ` Florian Westphal
  2017-07-24 16:57 ` [PATCH nf-next 3/4] netfilter: conntrack: destroy functions need to free queued packets Florian Westphal
  2017-07-24 16:57 ` [PATCH nf-next 4/4] netfilter: nfnetlink_queue: don't queue dying conntracks to userspace Florian Westphal
  3 siblings, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

This also removes __nf_ct_unconfirmed_destroy() call from
nf_ct_iterate_cleanup_net, so that function can be used only
when missing conntracks from unconfirmed list isn't a problem.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/net/netfilter/nf_conntrack.h |  3 +++
 net/netfilter/nf_conntrack_core.c    | 15 +++++++++++----
 net/netfilter/nfnetlink_cttimeout.c  |  1 +
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 48407569585d..6e6f678aaac7 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -224,6 +224,9 @@ extern s32 (*nf_ct_nat_offset)(const struct nf_conn *ct,
 			       enum ip_conntrack_dir dir,
 			       u32 seq);
 
+/* Set all unconfirmed conntrack as dying */
+void nf_ct_unconfirmed_destroy(struct net *);
+
 /* Iterate over all conntracks: if iter returns true, it's deleted. */
 void nf_ct_iterate_cleanup_net(struct net *net,
 			       int (*iter)(struct nf_conn *i, void *data),
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 9979f46c81dc..c8b87eaa17a2 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1689,6 +1689,17 @@ __nf_ct_unconfirmed_destroy(struct net *net)
 	}
 }
 
+void nf_ct_unconfirmed_destroy(struct net *net)
+{
+	might_sleep();
+
+	if (atomic_read(&net->ct.count) > 0) {
+		__nf_ct_unconfirmed_destroy(net);
+		synchronize_net();
+	}
+}
+EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_destroy);
+
 void nf_ct_iterate_cleanup_net(struct net *net,
 			       int (*iter)(struct nf_conn *i, void *data),
 			       void *data, u32 portid, int report)
@@ -1700,14 +1711,10 @@ void nf_ct_iterate_cleanup_net(struct net *net,
 	if (atomic_read(&net->ct.count) == 0)
 		return;
 
-	__nf_ct_unconfirmed_destroy(net);
-
 	d.iter = iter;
 	d.data = data;
 	d.net = net;
 
-	synchronize_net();
-
 	nf_ct_iterate_cleanup(iter_net_only, &d, portid, report);
 }
 EXPORT_SYMBOL_GPL(nf_ct_iterate_cleanup_net);
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 400e9ae97153..83c8da48df59 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -572,6 +572,7 @@ static void __net_exit cttimeout_net_exit(struct net *net)
 {
 	struct ctnl_timeout *cur, *tmp;
 
+	nf_ct_unconfirmed_destroy(net);
 	ctnl_untimeout(net, NULL);
 
 	list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) {
-- 
2.13.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [PATCH nf-next 3/4] netfilter: conntrack: destroy functions need to free queued packets
  2017-07-24 16:57 [PATCH nf-next 0/4] netfilter: handle race w. module removal and nfqueue Florian Westphal
  2017-07-24 16:57 ` [PATCH nf-next 1/4] netfilter: expect: add and use nf_ct_expect_iterate helpers Florian Westphal
  2017-07-24 16:57 ` [PATCH nf-next 2/4] netfilter: add and use nf_ct_unconfirmed_destroy Florian Westphal
@ 2017-07-24 16:57 ` Florian Westphal
  2017-07-24 16:57 ` [PATCH nf-next 4/4] netfilter: nfnetlink_queue: don't queue dying conntracks to userspace Florian Westphal
  3 siblings, 0 replies; 6+ messages in thread
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

queued skbs might be using conntrack extensions that are being removed,
such as timeout.  This happens for skbs that have a skb->nfct in
unconfirmed state (i.e., not in hash table yet).

This is destructive, but there are only two use cases:
 - module removal (rare)
 - netns cleanup (most likely no conntracks exist, and if they do,
   they are removed anyway later on).

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_core.c | 4 ++++
 net/netfilter/nf_queue.c          | 1 +
 2 files changed, 5 insertions(+)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index c8b87eaa17a2..258077980a93 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -56,6 +56,8 @@
 #include <net/netfilter/nf_nat_helper.h>
 #include <net/netns/hash.h>

+#include "nf_internals.h"
+
 #define NF_CONNTRACK_VERSION	"0.5.0"

 int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
@@ -1695,6 +1697,7 @@ void nf_ct_unconfirmed_destroy(struct net *net)

 	if (atomic_read(&net->ct.count) > 0) {
 		__nf_ct_unconfirmed_destroy(net);
+		nf_queue_nf_hook_drop(net);
 		synchronize_net();
 	}
 }
@@ -1740,6 +1743,7 @@ nf_ct_iterate_destroy(int (*iter)(struct nf_conn *i, void *data), void *data)
 		if (atomic_read(&net->ct.count) == 0)
 			continue;
 		__nf_ct_unconfirmed_destroy(net);
+		nf_queue_nf_hook_drop(net);
 	}
 	rtnl_unlock();

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 043850c9d154..4f4d80a58fb5 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -109,6 +109,7 @@ unsigned int nf_queue_nf_hook_drop(struct net *net)

 	return count;
 }
+EXPORT_SYMBOL_GPL(nf_queue_nf_hook_drop);

 static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
 		      struct nf_hook_entry *hook_entry, unsigned int queuenum)
-- 
2.13.0

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [PATCH nf-next 4/4] netfilter: nfnetlink_queue: don't queue dying conntracks to userspace
  2017-07-24 16:57 [PATCH nf-next 0/4] netfilter: handle race w. module removal and nfqueue Florian Westphal
                   ` (2 preceding siblings ...)
  2017-07-24 16:57 ` [PATCH nf-next 3/4] netfilter: conntrack: destroy functions need to free queued packets Florian Westphal
@ 2017-07-24 16:57 ` Florian Westphal
  2017-07-25 19:19   ` kbuild test robot
  3 siblings, 1 reply; 6+ messages in thread
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

When skb is queued to userspace it leaves softirq/rcu protection.
skb->nfct (via conntrack extensions such as helper) could then reference
modules that no longer exist if the conntrack was not yet confirmed.

nf_ct_iterate_destroy() will set the DYING bit for unconfirmed
conntracks, we therefore solve this race as follows:

1. take the queue spinlock.
2. check if the conntrack is unconfirmed and has dying bit set.
   In this case, we must discard skb while we're still inside
   rcu read-side section.
3. If nf_ct_iterate_destroy() is called right after the packet is queued
   to userspace, it will be removed from the queue via
   nf_ct_iterate_destroy -> nf_queue_nf_hook_drop.

When userspace sends the verdict (nfnetlink takes rcu read lock), there
are two cases to consider:

1. nf_ct_iterate_destroy() was called while packet was out.
   In this case, skb will have been removed from the queue already
   and no reinject takes place as we won't find a matching entry for the
   packet id.

2. nf_ct_iterate_destroy() gets called right after verdict callback
   found and removed the skb from queue list.

   In this case, skb->nfct is marked as dying but it is still valid.
   The skb will be dropped either in nf_conntrack_confirm (we don't
   insert DYING conntracks into hash table) or when we try to queue
   the skb again, but either events don't occur before the rcu read lock
   is dropped.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nfnetlink_queue.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 16fa04086880..91e2500ab4e7 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -28,11 +28,11 @@
 #include <linux/netfilter_bridge.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_queue.h>
-#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/list.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
 #include <net/netfilter/nf_queue.h>
+#include <net/netfilter/nf_conntrack.h>
 #include <net/netns/generic.h>

 #include <linux/atomic.h>
@@ -612,6 +612,18 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	return NULL;
 }

+static bool nf_ct_drop_unconfirmed(const struct nf_queue_entry *entry)
+{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+	static const unsigned long flags = IPS_CONFIRMED | IPS_DYING;
+	const struct nf_conn *ct = (void *)skb_nfct(entry->skb);
+
+	if (ct && ((ct->status & flags) == IPS_DYING))
+		return true;
+#endif
+	return false;
+}
+
 static int
 __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
 			struct nf_queue_entry *entry)
@@ -628,6 +640,9 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
 	}
 	spin_lock_bh(&queue->lock);

+	if (nf_ct_drop_unconfirmed(entry))
+		goto err_out_free_nskb;
+
 	if (queue->queue_total >= queue->queue_maxlen) {
 		if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
 			failopen = 1;
-- 
2.13.0

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH nf-next 4/4] netfilter: nfnetlink_queue: don't queue dying conntracks to userspace
  2017-07-24 16:57 ` [PATCH nf-next 4/4] netfilter: nfnetlink_queue: don't queue dying conntracks to userspace Florian Westphal
@ 2017-07-25 19:19   ` kbuild test robot
  0 siblings, 0 replies; 6+ messages in thread
From: kbuild test robot @ 2017-07-25 19:19 UTC (permalink / raw)
  To: Florian Westphal; +Cc: kbuild-all, netfilter-devel, Florian Westphal

[-- Attachment #1: Type: text/plain, Size: 35180 bytes --]

Hi Florian,

[auto build test ERROR on nf-next/master]

url:    https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-handle-race-w-module-removal-and-nfqueue/20170726-024704
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: x86_64-randconfig-x002-201730 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

All errors (new ones prefixed by >>):

   In file included from net/netfilter/nfnetlink_queue.c:35:0:
   include/net/netfilter/nf_conntrack.h:65:22: error: field 'ct_general' has incomplete type
     struct nf_conntrack ct_general;
                         ^~~~~~~~~~
   include/net/netfilter/nf_conntrack.h: In function 'nf_ct_get':
>> include/net/netfilter/nf_conntrack.h:154:15: error: 'const struct sk_buff' has no member named '_nfct'
     *ctinfo = skb->_nfct & NFCT_INFOMASK;
                  ^~
   include/net/netfilter/nf_conntrack.h:156:31: error: 'const struct sk_buff' has no member named '_nfct'
     return (struct nf_conn *)(skb->_nfct & NFCT_PTRMASK);
                                  ^~
   include/net/netfilter/nf_conntrack.h: In function 'nf_ct_put':
   include/net/netfilter/nf_conntrack.h:163:2: error: implicit declaration of function 'nf_conntrack_put' [-Werror=implicit-function-declaration]
     nf_conntrack_put(&ct->ct_general);
     ^~~~~~~~~~~~~~~~
   include/net/netfilter/nf_conntrack.h: In function 'nf_ct_set':
>> include/net/netfilter/nf_conntrack.h:327:5: error: 'struct sk_buff' has no member named '_nfct'
     skb->_nfct = (unsigned long)ct | info;
        ^~
   In file included from include/uapi/linux/stddef.h:1:0,
                    from include/linux/stddef.h:4,
                    from include/uapi/linux/posix_types.h:4,
                    from include/uapi/linux/types.h:13,
                    from include/linux/types.h:5,
                    from include/linux/list.h:4,
                    from include/linux/module.h:9,
                    from net/netfilter/nfnetlink_queue.c:17:
   net/netfilter/nfnetlink_queue.c: At top level:
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'strcpy' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:390:2: note: in expansion of macro 'if'
     if (p_size == (size_t)-1 && q_size == (size_t)-1)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'kmemdup' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:380:2: note: in expansion of macro 'if'
     if (p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'kmemdup' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:378:2: note: in expansion of macro 'if'
     if (__builtin_constant_p(size) && p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr_inv' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:369:2: note: in expansion of macro 'if'
     if (p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr_inv' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:367:2: note: in expansion of macro 'if'
     if (__builtin_constant_p(size) && p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:358:2: note: in expansion of macro 'if'
     if (p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:356:2: note: in expansion of macro 'if'
     if (__builtin_constant_p(size) && p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:348:2: note: in expansion of macro 'if'
     if (p_size < size || q_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:345:3: note: in expansion of macro 'if'
      if (q_size < size)
      ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:343:3: note: in expansion of macro 'if'
      if (p_size < size)
--
   In file included from net//netfilter/nfnetlink_queue.c:35:0:
   include/net/netfilter/nf_conntrack.h:65:22: error: field 'ct_general' has incomplete type
     struct nf_conntrack ct_general;
                         ^~~~~~~~~~
   include/net/netfilter/nf_conntrack.h: In function 'nf_ct_get':
>> include/net/netfilter/nf_conntrack.h:154:15: error: 'const struct sk_buff' has no member named '_nfct'
     *ctinfo = skb->_nfct & NFCT_INFOMASK;
                  ^~
   include/net/netfilter/nf_conntrack.h:156:31: error: 'const struct sk_buff' has no member named '_nfct'
     return (struct nf_conn *)(skb->_nfct & NFCT_PTRMASK);
                                  ^~
   include/net/netfilter/nf_conntrack.h: In function 'nf_ct_put':
   include/net/netfilter/nf_conntrack.h:163:2: error: implicit declaration of function 'nf_conntrack_put' [-Werror=implicit-function-declaration]
     nf_conntrack_put(&ct->ct_general);
     ^~~~~~~~~~~~~~~~
   include/net/netfilter/nf_conntrack.h: In function 'nf_ct_set':
>> include/net/netfilter/nf_conntrack.h:327:5: error: 'struct sk_buff' has no member named '_nfct'
     skb->_nfct = (unsigned long)ct | info;
        ^~
   In file included from include/uapi/linux/stddef.h:1:0,
                    from include/linux/stddef.h:4,
                    from include/uapi/linux/posix_types.h:4,
                    from include/uapi/linux/types.h:13,
                    from include/linux/types.h:5,
                    from include/linux/list.h:4,
                    from include/linux/module.h:9,
                    from net//netfilter/nfnetlink_queue.c:17:
   net//netfilter/nfnetlink_queue.c: At top level:
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'strcpy' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:390:2: note: in expansion of macro 'if'
     if (p_size == (size_t)-1 && q_size == (size_t)-1)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'kmemdup' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:380:2: note: in expansion of macro 'if'
     if (p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'kmemdup' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:378:2: note: in expansion of macro 'if'
     if (__builtin_constant_p(size) && p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr_inv' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:369:2: note: in expansion of macro 'if'
     if (p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr_inv' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:367:2: note: in expansion of macro 'if'
     if (__builtin_constant_p(size) && p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:358:2: note: in expansion of macro 'if'
     if (p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:356:2: note: in expansion of macro 'if'
     if (__builtin_constant_p(size) && p_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:348:2: note: in expansion of macro 'if'
     if (p_size < size || q_size < size)
     ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:345:3: note: in expansion of macro 'if'
      if (q_size < size)
      ^~
   include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
       ______f = {     \
       ^
   include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
    #define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
                          ^~~~~~~~~~
   include/linux/string.h:343:3: note: in expansion of macro 'if'
      if (p_size < size)

vim +154 include/net/netfilter/nf_conntrack.h

f8eb24a89a Patrick McHardy        2006-11-29   55  
ea781f197d Eric Dumazet           2009-03-25   56  struct nf_conn {
f330a7fdbe Florian Westphal       2016-08-25   57  	/* Usage count in here is 1 for hash table, 1 per skb,
b476b72a0f Jesper Dangaard Brouer 2014-03-03   58  	 * plus 1 for any connection(s) we are `master' for
b476b72a0f Jesper Dangaard Brouer 2014-03-03   59  	 *
a9e419dc7b Florian Westphal       2017-01-23   60  	 * Hint, SKB address this struct and refcnt via skb->_nfct and
b476b72a0f Jesper Dangaard Brouer 2014-03-03   61  	 * helpers nf_conntrack_get() and nf_conntrack_put().
b476b72a0f Jesper Dangaard Brouer 2014-03-03   62  	 * Helper nf_ct_put() equals nf_conntrack_put() by dec refcnt,
b476b72a0f Jesper Dangaard Brouer 2014-03-03   63  	 * beware nf_ct_get() is different and don't inc refcnt.
b476b72a0f Jesper Dangaard Brouer 2014-03-03   64  	 */
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  @65  	struct nf_conntrack ct_general;
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   66  
440f0d5885 Patrick McHardy        2009-06-10   67  	spinlock_t	lock;
b7779d06f9 Jesper Dangaard Brouer 2014-03-03   68  	u16		cpu;
440f0d5885 Patrick McHardy        2009-06-10   69  
6c8dee9842 Florian Westphal       2016-06-11   70  #ifdef CONFIG_NF_CONNTRACK_ZONES
6c8dee9842 Florian Westphal       2016-06-11   71  	struct nf_conntrack_zone zone;
6c8dee9842 Florian Westphal       2016-06-11   72  #endif
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   73  	/* XXX should I move this to the tail ? - Y.K */
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   74  	/* These are my tuples; original and reply */
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   75  	struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   76  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   77  	/* Have we seen traffic both ways yet? (bitset) */
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   78  	unsigned long status;
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   79  
f330a7fdbe Florian Westphal       2016-08-25   80  	/* jiffies32 when this ct is considered dead */
f330a7fdbe Florian Westphal       2016-08-25   81  	u32 timeout;
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   82  
0c5c9fb551 Eric W. Biederman      2015-03-11   83  	possible_net_t ct_net;
0c5c9fb551 Eric W. Biederman      2015-03-11   84  
5173bc679d Florian Westphal       2016-11-23   85  #if IS_ENABLED(CONFIG_NF_NAT)
5173bc679d Florian Westphal       2016-11-23   86  	struct rhlist_head nat_bysource;
5173bc679d Florian Westphal       2016-11-23   87  #endif
c41884ce05 Florian Westphal       2014-11-24   88  	/* all members below initialized via memset */
c41884ce05 Florian Westphal       2014-11-24   89  	u8 __nfct_init_offset[0];
c41884ce05 Florian Westphal       2014-11-24   90  
c41884ce05 Florian Westphal       2014-11-24   91  	/* If we were expected by an expectation, this will be it */
c41884ce05 Florian Westphal       2014-11-24   92  	struct nf_conn *master;
c41884ce05 Florian Westphal       2014-11-24   93  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   94  #if defined(CONFIG_NF_CONNTRACK_MARK)
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   95  	u_int32_t mark;
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   96  #endif
9fb9cbb108 Yasuyuki Kozakai       2005-11-09   97  
7c9728c393 James Morris           2006-06-09   98  #ifdef CONFIG_NF_CONNTRACK_SECMARK
7c9728c393 James Morris           2006-06-09   99  	u_int32_t secmark;
7c9728c393 James Morris           2006-06-09  100  #endif
7c9728c393 James Morris           2006-06-09  101  
ecfab2c9fe Yasuyuki Kozakai       2007-07-07  102  	/* Extensions */
ecfab2c9fe Yasuyuki Kozakai       2007-07-07  103  	struct nf_ct_ext *ext;
e5fc9e7a66 Changli Gao            2010-11-12  104  
e5fc9e7a66 Changli Gao            2010-11-12  105  	/* Storage reserved for other modules, must be the last member */
e5fc9e7a66 Changli Gao            2010-11-12  106  	union nf_conntrack_proto proto;
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  107  };
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  108  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  109  static inline struct nf_conn *
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  110  nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  111  {
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  112  	return container_of(hash, struct nf_conn,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  113  			    tuplehash[hash->tuple.dst.dir]);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  114  }
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  115  
5e8fbe2ac8 Patrick McHardy        2008-04-14  116  static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct)
5e8fbe2ac8 Patrick McHardy        2008-04-14  117  {
5e8fbe2ac8 Patrick McHardy        2008-04-14  118  	return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
5e8fbe2ac8 Patrick McHardy        2008-04-14  119  }
5e8fbe2ac8 Patrick McHardy        2008-04-14  120  
5e8fbe2ac8 Patrick McHardy        2008-04-14  121  static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
5e8fbe2ac8 Patrick McHardy        2008-04-14  122  {
5e8fbe2ac8 Patrick McHardy        2008-04-14  123  	return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
5e8fbe2ac8 Patrick McHardy        2008-04-14  124  }
5e8fbe2ac8 Patrick McHardy        2008-04-14  125  
f2f3e38c63 Pablo Neira Ayuso      2009-06-02  126  #define nf_ct_tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
f2f3e38c63 Pablo Neira Ayuso      2009-06-02  127  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  128  /* get master conntrack via master expectation */
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  129  #define master_ct(conntr) (conntr->master)
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  130  
5a1fb391d8 Alexey Dobriyan        2008-10-08  131  extern struct net init_net;
5a1fb391d8 Alexey Dobriyan        2008-10-08  132  
5a1fb391d8 Alexey Dobriyan        2008-10-08  133  static inline struct net *nf_ct_net(const struct nf_conn *ct)
5a1fb391d8 Alexey Dobriyan        2008-10-08  134  {
c2d9ba9bce Eric Dumazet           2010-06-01  135  	return read_pnet(&ct->ct_net);
5a1fb391d8 Alexey Dobriyan        2008-10-08  136  }
5a1fb391d8 Alexey Dobriyan        2008-10-08  137  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  138  /* Alter reply tuple (maybe alter helper). */
4e77be4637 Joe Perches            2013-09-23  139  void nf_conntrack_alter_reply(struct nf_conn *ct,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  140  			      const struct nf_conntrack_tuple *newreply);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  141  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  142  /* Is this tuple taken? (ignoring any belonging to the given
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  143     conntrack). */
4e77be4637 Joe Perches            2013-09-23  144  int nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  145  			     const struct nf_conn *ignored_conntrack);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  146  
3032230920 Florian Westphal       2017-01-23  147  #define NFCT_INFOMASK	7UL
a9e419dc7b Florian Westphal       2017-01-23  148  #define NFCT_PTRMASK	~(NFCT_INFOMASK)
3032230920 Florian Westphal       2017-01-23  149  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  150  /* Return conntrack_info and tuple hash for given skb. */
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  151  static inline struct nf_conn *
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  152  nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  153  {
a9e419dc7b Florian Westphal       2017-01-23 @154  	*ctinfo = skb->_nfct & NFCT_INFOMASK;
a9e419dc7b Florian Westphal       2017-01-23  155  
a9e419dc7b Florian Westphal       2017-01-23 @156  	return (struct nf_conn *)(skb->_nfct & NFCT_PTRMASK);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  157  }
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  158  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  159  /* decrement reference count on a conntrack */
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  160  static inline void nf_ct_put(struct nf_conn *ct)
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  161  {
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  162  	NF_CT_ASSERT(ct);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  163  	nf_conntrack_put(&ct->ct_general);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  164  }
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  165  
b9f78f9fca Pablo Neira Ayuso      2006-03-22  166  /* Protocol module loading */
4e77be4637 Joe Perches            2013-09-23  167  int nf_ct_l3proto_try_module_get(unsigned short l3proto);
4e77be4637 Joe Perches            2013-09-23  168  void nf_ct_l3proto_module_put(unsigned short l3proto);
b9f78f9fca Pablo Neira Ayuso      2006-03-22  169  
ecb2421b5d Florian Westphal       2016-11-15  170  /* load module; enable/disable conntrack in this namespace */
ecb2421b5d Florian Westphal       2016-11-15  171  int nf_ct_netns_get(struct net *net, u8 nfproto);
ecb2421b5d Florian Westphal       2016-11-15  172  void nf_ct_netns_put(struct net *net, u8 nfproto);
ecb2421b5d Florian Westphal       2016-11-15  173  
ea781f197d Eric Dumazet           2009-03-25  174  /*
ea781f197d Eric Dumazet           2009-03-25  175   * Allocate a hashtable of hlist_head (if nulls == 0),
ea781f197d Eric Dumazet           2009-03-25  176   * or hlist_nulls_head (if nulls == 1)
ea781f197d Eric Dumazet           2009-03-25  177   */
4e77be4637 Joe Perches            2013-09-23  178  void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls);
ea781f197d Eric Dumazet           2009-03-25  179  
4e77be4637 Joe Perches            2013-09-23  180  void nf_ct_free_hashtable(void *hash, unsigned int size);
ac565e5fc1 Patrick McHardy        2007-07-07  181  
4e77be4637 Joe Perches            2013-09-23  182  int nf_conntrack_hash_check_insert(struct nf_conn *ct);
02982c27ba Florian Westphal       2013-07-29  183  bool nf_ct_delete(struct nf_conn *ct, u32 pid, int report);
c1d10adb4a Pablo Neira Ayuso      2006-01-05  184  
4e77be4637 Joe Perches            2013-09-23  185  bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
a31f1adc09 Eric W. Biederman      2015-09-18  186  		       u_int16_t l3num, struct net *net,
a31f1adc09 Eric W. Biederman      2015-09-18  187  		       struct nf_conntrack_tuple *tuple);
4e77be4637 Joe Perches            2013-09-23  188  bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  189  			  const struct nf_conntrack_tuple *orig);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  190  
4e77be4637 Joe Perches            2013-09-23  191  void __nf_ct_refresh_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  192  			  const struct sk_buff *skb,
4e77be4637 Joe Perches            2013-09-23  193  			  unsigned long extra_jiffies, int do_acct);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  194  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  195  /* Refresh conntrack for this many jiffies and do accounting */
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  196  static inline void nf_ct_refresh_acct(struct nf_conn *ct,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  197  				      enum ip_conntrack_info ctinfo,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  198  				      const struct sk_buff *skb,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  199  				      unsigned long extra_jiffies)
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  200  {
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  201  	__nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies, 1);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  202  }
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  203  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  204  /* Refresh conntrack for this many jiffies */
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  205  static inline void nf_ct_refresh(struct nf_conn *ct,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  206  				 const struct sk_buff *skb,
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  207  				 unsigned long extra_jiffies)
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  208  {
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  209  	__nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, 0);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  210  }
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  211  
718d4ad98e Fabian Hugelshofer     2008-06-09  212  /* kill conntrack and do accounting */
ad66713f5a Florian Westphal       2016-08-25  213  bool nf_ct_kill_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
ad66713f5a Florian Westphal       2016-08-25  214  		     const struct sk_buff *skb);
718d4ad98e Fabian Hugelshofer     2008-06-09  215  
718d4ad98e Fabian Hugelshofer     2008-06-09  216  /* kill conntrack without accounting */
4c88949800 David S. Miller        2008-07-14  217  static inline bool nf_ct_kill(struct nf_conn *ct)
718d4ad98e Fabian Hugelshofer     2008-06-09  218  {
ad66713f5a Florian Westphal       2016-08-25  219  	return nf_ct_delete(ct, 0, 0);
718d4ad98e Fabian Hugelshofer     2008-06-09  220  }
51091764f2 Patrick McHardy        2008-06-09  221  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  222  /* These are for NAT.  Icky. */
2d89c68ac7 Patrick McHardy        2013-07-28  223  extern s32 (*nf_ct_nat_offset)(const struct nf_conn *ct,
f9dd09c7f7 Jozsef Kadlecsik       2009-11-06  224  			       enum ip_conntrack_dir dir,
f9dd09c7f7 Jozsef Kadlecsik       2009-11-06  225  			       u32 seq);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  226  
d171e8b544 Florian Westphal       2017-07-24  227  /* Set all unconfirmed conntrack as dying */
d171e8b544 Florian Westphal       2017-07-24  228  void nf_ct_unconfirmed_destroy(struct net *);
d171e8b544 Florian Westphal       2017-07-24  229  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  230  /* Iterate over all conntracks: if iter returns true, it's deleted. */
9fd6452d67 Florian Westphal       2017-05-21  231  void nf_ct_iterate_cleanup_net(struct net *net,
c655bc6896 Florian Westphal       2013-07-29  232  			       int (*iter)(struct nf_conn *i, void *data),
c655bc6896 Florian Westphal       2013-07-29  233  			       void *data, u32 portid, int report);
308ac9143e Daniel Borkmann        2015-08-08  234  
2843fb6998 Florian Westphal       2017-05-21  235  /* also set unconfirmed conntracks as dying. Only use in module exit path. */
2843fb6998 Florian Westphal       2017-05-21  236  void nf_ct_iterate_destroy(int (*iter)(struct nf_conn *i, void *data),
2843fb6998 Florian Westphal       2017-05-21  237  			   void *data);
2843fb6998 Florian Westphal       2017-05-21  238  
308ac9143e Daniel Borkmann        2015-08-08  239  struct nf_conntrack_zone;
308ac9143e Daniel Borkmann        2015-08-08  240  
4e77be4637 Joe Perches            2013-09-23  241  void nf_conntrack_free(struct nf_conn *ct);
308ac9143e Daniel Borkmann        2015-08-08  242  struct nf_conn *nf_conntrack_alloc(struct net *net,
308ac9143e Daniel Borkmann        2015-08-08  243  				   const struct nf_conntrack_zone *zone,
5a1fb391d8 Alexey Dobriyan        2008-10-08  244  				   const struct nf_conntrack_tuple *orig,
b891c5a831 Pablo Neira Ayuso      2008-07-08  245  				   const struct nf_conntrack_tuple *repl,
b891c5a831 Pablo Neira Ayuso      2008-07-08  246  				   gfp_t gfp);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  247  
b2a15a604d Patrick McHardy        2010-02-03  248  static inline int nf_ct_is_template(const struct nf_conn *ct)
b2a15a604d Patrick McHardy        2010-02-03  249  {
b2a15a604d Patrick McHardy        2010-02-03  250  	return test_bit(IPS_TEMPLATE_BIT, &ct->status);
b2a15a604d Patrick McHardy        2010-02-03  251  }
b2a15a604d Patrick McHardy        2010-02-03  252  
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  253  /* It's confirmed if it is, or has been in the hash table. */
d51ed8367b Florian Westphal       2016-07-08  254  static inline int nf_ct_is_confirmed(const struct nf_conn *ct)
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  255  {
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  256  	return test_bit(IPS_CONFIRMED_BIT, &ct->status);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  257  }
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  258  
d51ed8367b Florian Westphal       2016-07-08  259  static inline int nf_ct_is_dying(const struct nf_conn *ct)
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  260  {
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  261  	return test_bit(IPS_DYING_BIT, &ct->status);
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  262  }
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  263  
42c1edd345 Julian Anastasov       2011-06-16  264  /* Packet is received from loopback */
42c1edd345 Julian Anastasov       2011-06-16  265  static inline bool nf_is_loopback_packet(const struct sk_buff *skb)
42c1edd345 Julian Anastasov       2011-06-16  266  {
42c1edd345 Julian Anastasov       2011-06-16  267  	return skb->dev && skb->skb_iif && skb->dev->flags & IFF_LOOPBACK;
42c1edd345 Julian Anastasov       2011-06-16  268  }
42c1edd345 Julian Anastasov       2011-06-16  269  
f330a7fdbe Florian Westphal       2016-08-25  270  #define nfct_time_stamp ((u32)(jiffies))
f330a7fdbe Florian Westphal       2016-08-25  271  
c8607e0200 Florian Westphal       2016-07-06  272  /* jiffies until ct expires, 0 if already expired */
c8607e0200 Florian Westphal       2016-07-06  273  static inline unsigned long nf_ct_expires(const struct nf_conn *ct)
c8607e0200 Florian Westphal       2016-07-06  274  {
f330a7fdbe Florian Westphal       2016-08-25  275  	s32 timeout = ct->timeout - nfct_time_stamp;
c8607e0200 Florian Westphal       2016-07-06  276  
c8607e0200 Florian Westphal       2016-07-06  277  	return timeout > 0 ? timeout : 0;
c8607e0200 Florian Westphal       2016-07-06  278  }
c8607e0200 Florian Westphal       2016-07-06  279  
f330a7fdbe Florian Westphal       2016-08-25  280  static inline bool nf_ct_is_expired(const struct nf_conn *ct)
f330a7fdbe Florian Westphal       2016-08-25  281  {
f330a7fdbe Florian Westphal       2016-08-25  282  	return (__s32)(ct->timeout - nfct_time_stamp) <= 0;
f330a7fdbe Florian Westphal       2016-08-25  283  }
f330a7fdbe Florian Westphal       2016-08-25  284  
f330a7fdbe Florian Westphal       2016-08-25  285  /* use after obtaining a reference count */
f330a7fdbe Florian Westphal       2016-08-25  286  static inline bool nf_ct_should_gc(const struct nf_conn *ct)
f330a7fdbe Florian Westphal       2016-08-25  287  {
f330a7fdbe Florian Westphal       2016-08-25  288  	return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) &&
f330a7fdbe Florian Westphal       2016-08-25  289  	       !nf_ct_is_dying(ct);
f330a7fdbe Florian Westphal       2016-08-25  290  }
f330a7fdbe Florian Westphal       2016-08-25  291  
34641c6d00 Paul Gortmaker         2011-08-29  292  struct kernel_param;
34641c6d00 Paul Gortmaker         2011-08-29  293  
4e77be4637 Joe Perches            2013-09-23  294  int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
3183ab8997 Florian Westphal       2016-06-22  295  int nf_conntrack_hash_resize(unsigned int hashsize);
92e47ba883 Liping Zhang           2016-08-13  296  
92e47ba883 Liping Zhang           2016-08-13  297  extern struct hlist_nulls_head *nf_conntrack_hash;
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  298  extern unsigned int nf_conntrack_htable_size;
92e47ba883 Liping Zhang           2016-08-13  299  extern seqcount_t nf_conntrack_generation;
e478075c6f Hagen Paul Pfeifer     2009-02-20  300  extern unsigned int nf_conntrack_max;
9fb9cbb108 Yasuyuki Kozakai       2005-11-09  301  
92e47ba883 Liping Zhang           2016-08-13  302  /* must be called with rcu read lock held */
92e47ba883 Liping Zhang           2016-08-13  303  static inline void
92e47ba883 Liping Zhang           2016-08-13  304  nf_conntrack_get_ht(struct hlist_nulls_head **hash, unsigned int *hsize)
92e47ba883 Liping Zhang           2016-08-13  305  {
92e47ba883 Liping Zhang           2016-08-13  306  	struct hlist_nulls_head *hptr;
92e47ba883 Liping Zhang           2016-08-13  307  	unsigned int sequence, hsz;
92e47ba883 Liping Zhang           2016-08-13  308  
92e47ba883 Liping Zhang           2016-08-13  309  	do {
92e47ba883 Liping Zhang           2016-08-13  310  		sequence = read_seqcount_begin(&nf_conntrack_generation);
92e47ba883 Liping Zhang           2016-08-13  311  		hsz = nf_conntrack_htable_size;
92e47ba883 Liping Zhang           2016-08-13  312  		hptr = nf_conntrack_hash;
92e47ba883 Liping Zhang           2016-08-13  313  	} while (read_seqcount_retry(&nf_conntrack_generation, sequence));
92e47ba883 Liping Zhang           2016-08-13  314  
92e47ba883 Liping Zhang           2016-08-13  315  	*hash = hptr;
92e47ba883 Liping Zhang           2016-08-13  316  	*hsize = hsz;
92e47ba883 Liping Zhang           2016-08-13  317  }
92e47ba883 Liping Zhang           2016-08-13  318  
308ac9143e Daniel Borkmann        2015-08-08  319  struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
308ac9143e Daniel Borkmann        2015-08-08  320  				 const struct nf_conntrack_zone *zone,
308ac9143e Daniel Borkmann        2015-08-08  321  				 gfp_t flags);
9cf94eab8b Daniel Borkmann        2015-08-31  322  void nf_ct_tmpl_free(struct nf_conn *tmpl);
e53376bef2 Pablo Neira Ayuso      2014-02-03  323  
c74454fadd Florian Westphal       2017-01-23  324  static inline void
c74454fadd Florian Westphal       2017-01-23  325  nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
c74454fadd Florian Westphal       2017-01-23  326  {
a9e419dc7b Florian Westphal       2017-01-23 @327  	skb->_nfct = (unsigned long)ct | info;
c74454fadd Florian Westphal       2017-01-23  328  }
c74454fadd Florian Westphal       2017-01-23  329  

:::::: The code at line 154 was first introduced by commit
:::::: a9e419dc7be6997409dca6d1b9daf3cc7046902f netfilter: merge ctinfo into nfct pointer storage area

:::::: TO: Florian Westphal <fw@strlen.de>
:::::: CC: Pablo Neira Ayuso <pablo@netfilter.org>

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 28205 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2017-07-25 19:19 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-24 16:57 [PATCH nf-next 0/4] netfilter: handle race w. module removal and nfqueue Florian Westphal
2017-07-24 16:57 ` [PATCH nf-next 1/4] netfilter: expect: add and use nf_ct_expect_iterate helpers Florian Westphal
2017-07-24 16:57 ` [PATCH nf-next 2/4] netfilter: add and use nf_ct_unconfirmed_destroy Florian Westphal
2017-07-24 16:57 ` [PATCH nf-next 3/4] netfilter: conntrack: destroy functions need to free queued packets Florian Westphal
2017-07-24 16:57 ` [PATCH nf-next 4/4] netfilter: nfnetlink_queue: don't queue dying conntracks to userspace Florian Westphal
2017-07-25 19:19   ` kbuild test robot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).