* [PATCH net 0/2] Netfilter fixes for net
@ 2024-01-03 11:29 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2024-01-03 11:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix nat packets in the related state in OVS, from Brad Cowie.
2) Drop chain reference counter on error path in case chain binding
fails.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-03
Thanks.
----------------------------------------------------------------
The following changes since commit 9bf2e9165f90dc9f416af53c902be7e33930f728:
net: qrtr: ns: Return 0 if server port is not present (2024-01-01 18:41:29 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-03
for you to fetch changes up to b29be0ca8e816119ccdf95cc7d7c7be9bde005f1:
netfilter: nft_immediate: drop chain reference counter on error (2024-01-03 11:17:17 +0100)
----------------------------------------------------------------
netfilter pull request 24-01-03
----------------------------------------------------------------
Brad Cowie (1):
netfilter: nf_nat: fix action not being set for all ct states
Pablo Neira Ayuso (1):
netfilter: nft_immediate: drop chain reference counter on error
net/netfilter/nf_nat_ovs.c | 3 ++-
net/netfilter/nft_immediate.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
* [PATCH net 1/2] netfilter: nf_nat: fix action not being set for all ct states
From: Pablo Neira Ayuso @ 2024-01-03 11:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
From: Brad Cowie <brad@faucet.nz>
This fixes openvswitch's handling of nat packets in the related state.
In nf_ct_nat_execute(), which is called from nf_ct_nat(), ICMP/ICMPv6
packets in the IP_CT_RELATED or IP_CT_RELATED_REPLY state, which have
not been dropped, will follow the goto; however, the placement of the
goto label means that updating the action bit field will be bypassed.
This causes ovs_nat_update_key() to not be called from ovs_ct_nat()
which means the openvswitch match key for the ICMP/ICMPv6 packet is not
updated and the pre-nat value will be retained for the key, which will
result in the wrong openflow rule being matched for that packet.
Move the goto label above where the action bit field is being set so
that it is updated in all cases where the packet is accepted.
Fixes: ebddb1404900 ("net: move the nat function to nf_nat_ovs for ovs and tc")
Signed-off-by: Brad Cowie <brad@faucet.nz>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_nat_ovs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_nat_ovs.c b/net/netfilter/nf_nat_ovs.c
index 551abd2da614..0f9a559f6207 100644
--- a/net/netfilter/nf_nat_ovs.c
+++ b/net/netfilter/nf_nat_ovs.c
@@ -75,9 +75,10 @@ static int nf_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
}
err = nf_nat_packet(ct, ctinfo, hooknum, skb);
+out:
if (err == NF_ACCEPT)
*action |= BIT(maniptype);
-out:
+
return err;
}
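Review bot: moving `out:` above `if (err == NF_ACCEPT)` means every `goto out` in nf_ct_nat_execute() now reaches the action update, so each jump site must leave `err` initialized before jumping; the hunk only shows the nf_nat_packet() call site, not the IP_CT_RELATED/IP_CT_RELATED_REPLY jump the commit message describes, so it is worth confirming in the full function that `err` holds NF_ACCEPT there (so `*action |= BIT(maniptype)` is applied for the accepted ICMP packet) and that no remaining `goto out` depended on skipping that update. The added `+` line where the old label sat is an empty line; dropping it would keep the diff to the one-line move.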
--
2.30.2
* Re: [PATCH net 1/2] netfilter: nf_nat: fix action not being set for all ct states
From: patchwork-bot+netdevbpf @ 2024-01-04 2:10 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet, fw
Hello:
This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Wed, 3 Jan 2024 12:30:00 +0100 you wrote:
> From: Brad Cowie <brad@faucet.nz>
>
> This fixes openvswitch's handling of nat packets in the related state.
>
> In nf_ct_nat_execute(), which is called from nf_ct_nat(), ICMP/ICMPv6
> packets in the IP_CT_RELATED or IP_CT_RELATED_REPLY state, which have
> not been dropped, will follow the goto, however the placement of the
> goto label means that updating the action bit field will be bypassed.
>
> [...]
Here is the summary with links:
- [net,1/2] netfilter: nf_nat: fix action not being set for all ct states
https://git.kernel.org/netdev/net/c/e6345d2824a3
- [net,2/2] netfilter: nft_immediate: drop chain reference counter on error
https://git.kernel.org/netdev/net/c/b29be0ca8e81
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [PATCH net 2/2] netfilter: nft_immediate: drop chain reference counter on error
From: Pablo Neira Ayuso @ 2024-01-03 11:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
In the init path, nft_data_init() bumps the chain reference counter;
decrement it on error by following the error path, which calls
nft_data_release() to restore it.
Fixes: 4bedf9eee016 ("netfilter: nf_tables: fix chain binding transaction logic")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_immediate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index fccb3cf7749c..6475c7abc1fe 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -78,7 +78,7 @@ static int nft_immediate_init(const struct nft_ctx *ctx,
case NFT_GOTO:
err = nf_tables_bind_chain(ctx, chain);
if (err < 0)
- return err;
+ goto err1;
break;
default:
break;
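Review bot: the `err1:` label is outside the hunk's context, so confirm that it calls nft_data_release() on the data initialized by nft_data_init() (as the commit message states) so the chain reference taken there is dropped when nf_tables_bind_chain() fails, and that `err` is still returned unchanged from that path so the caller sees the bind failure rather than a success. A one-line comment at the `goto err1` noting that the chain reference must be released would make the ownership explicit for the next reader.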
--
2.30.2