* netfilter -stable: {ip,ip6,arp}_tables: fix incorrect loop detection
From: Patrick McHardy @ 2009-04-06 15:31 UTC
To: stable; +Cc: Netfilter Development Mailinglist, David S. Miller
This patch fixes a long-standing regression in the *tables loop
checking algorithm, causing false positives. The regression has
been introduced around 2.6.20.
Please apply, thanks.
commit 2a95edbf4d9827b047c00169947d13fde210dc1d
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Apr 6 17:27:51 2009 +0200
netfilter: {ip,ip6,arp}_tables: fix incorrect loop detection
Upstream commit 1f9352ae:
Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case
search for loops) introduced a regression in the loop detection algorithm,
causing sporadic incorrectly detected loops.
When a chain has already been visited during the check, it is treated as
having a standard target containing a RETURN verdict directly at the
beginning in order to not check it again. The real target of the first
rule is then incorrectly treated as STANDARD target and checked not to
contain invalid verdicts.
Fix by making sure the rule does actually contain a standard target.
Based on patch by Francis Dupont <Francis_Dupont@isc.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 7ea88b6..39879ae 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -374,7 +374,9 @@ static int mark_source_chains(struct xt_table_info *newinfo,
&& unconditional(&e->arp)) || visited) {
unsigned int oldpos, size;
- if (t->verdict < -NF_MAX_VERDICT - 1) {
+ if ((strcmp(t->target.u.user.name,
+ ARPT_STANDARD_TARGET) == 0) &&
+ t->verdict < -NF_MAX_VERDICT - 1) {
duprintf("mark_source_chains: bad "
"negative verdict (%i)\n",
t->verdict);
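Review bot: `strcmp()` on `t->target.u.user.name` assumes the user-supplied name is NUL-terminated inside its fixed-size buffer, and nothing in this hunk shows where that is enforced before mark_source_chains() runs; either confirm that the earlier entry validation already guarantees termination for every entry, or use a bounded comparison here. The reordering itself is right: `t->verdict` is only meaningful once the name check has established that `t` is a standard target, so the verdict read must stay behind the strcmp if this condition is ever touched again.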
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index ef8b6ca..ec362a3 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -496,7 +496,9 @@ mark_source_chains(struct xt_table_info *newinfo,
&& unconditional(&e->ip)) || visited) {
unsigned int oldpos, size;
- if (t->verdict < -NF_MAX_VERDICT - 1) {
+ if ((strcmp(t->target.u.user.name,
+ IPT_STANDARD_TARGET) == 0) &&
+ t->verdict < -NF_MAX_VERDICT - 1) {
duprintf("mark_source_chains: bad "
"negative verdict (%i)\n",
t->verdict);
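Review bot: Style: the surrounding condition places `&&` at the start of the continuation line (`&& unconditional(&e->ip)) || visited) {`), while the added lines put it at the end (`IPT_STANDARD_TARGET) == 0) &&`); match the file's existing operator placement. The same three-line condition is now copied verbatim into arp_tables.c and ip6_tables.c with only the name constant differing, so a small shared helper in x_tables (something like `xt_target_is_standard(t)`, name suggested here) would keep the three copies from drifting apart as they did before this fix.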
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index a33485d..def375b 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -525,7 +525,9 @@ mark_source_chains(struct xt_table_info *newinfo,
&& unconditional(&e->ipv6)) || visited) {
unsigned int oldpos, size;
- if (t->verdict < -NF_MAX_VERDICT - 1) {
+ if ((strcmp(t->target.u.user.name,
+ IP6T_STANDARD_TARGET) == 0) &&
+ t->verdict < -NF_MAX_VERDICT - 1) {
duprintf("mark_source_chains: bad "
"negative verdict (%i)\n",
t->verdict);
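Review bot: Missing documentation: nothing at the site says why the name must be checked, namely that in the `visited` branch `t` is the first rule's real target and was merely assumed to be a standard one, so the old unconditional `t->verdict` read could pick up another target's private data. A one-line comment above the `if` (the commit message's wording would do) stops the next refactor from folding the strcmp away as redundant.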
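The false positive the commit message above describes, reduced to the one condition the hunks change, as an added example in plain C (not kernel code and not from this thread). The target header, the standard-target layout, the empty-string name of the standard target and the -NF_MAX_VERDICT - 1 bound follow 2.6.29's x_tables; the DEMOMARK target, its layout and the sample mark values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as in 2.6.29 x_tables: NF_MAX_VERDICT is NF_STOP (5), the
 * standard target is the one whose name is the empty string, and
 * RETURN is encoded as the negative verdict -NF_REPEAT - 1 == -5. */
#define NF_MAX_VERDICT         5
#define XT_STANDARD_TARGET     ""
#define XT_FUNCTION_MAXNAMELEN 30
#define XT_RETURN              (-5)

/* Header every rule's target starts with; target-private data follows. */
struct xt_entry_target {
    uint16_t target_size;
    char     name[XT_FUNCTION_MAXNAMELEN];
    uint8_t  revision;
};

/* The standard target: the header followed by the verdict. */
struct xt_standard_target {
    struct xt_entry_target target;
    int verdict;
};

/* DEMOMARK: a hypothetical non-standard target made up for this example
 * (not a real netfilter module). Its private data, a 32-bit mark, sits at
 * the same offset where xt_standard_target keeps its verdict. */
struct demo_mark_target {
    struct xt_entry_target target;
    uint32_t mark;
};

/* Storage large enough and aligned for either target layout. */
union demo_target_buf {
    struct xt_standard_target st;
    struct demo_mark_target   mt;
};

struct xt_entry_target *build_standard(union demo_target_buf *buf, int verdict)
{
    memset(buf, 0, sizeof *buf);
    buf->st.target.target_size = sizeof buf->st;
    strcpy(buf->st.target.name, XT_STANDARD_TARGET);
    buf->st.verdict = verdict;
    return &buf->st.target;
}

struct xt_entry_target *build_mark(union demo_target_buf *buf, uint32_t mark)
{
    memset(buf, 0, sizeof *buf);
    buf->mt.target.target_size = sizeof buf->mt;
    strcpy(buf->mt.target.name, "DEMOMARK");
    buf->mt.mark = mark;
    return &buf->mt.target;
}

/* Read whatever bytes sit where a standard target keeps its verdict, no
 * matter which target is really there. This is what the pre-fix code did
 * through its cast of the entry's target to xt_standard_target. */
static int verdict_as_if_standard(const struct xt_entry_target *t)
{
    int v;
    memcpy(&v, (const unsigned char *)t + offsetof(struct xt_standard_target, verdict),
           sizeof v);
    return v;
}

/* The condition before the patch: trust that t is a standard target. */
bool bad_verdict_before_fix(const struct xt_entry_target *t)
{
    return verdict_as_if_standard(t) < -NF_MAX_VERDICT - 1;
}

/* The condition after the patch: consult the verdict only once the name
 * confirms this really is the standard target. */
bool bad_verdict_after_fix(const struct xt_entry_target *t)
{
    return strcmp(t->name, XT_STANDARD_TARGET) == 0 &&
           verdict_as_if_standard(t) < -NF_MAX_VERDICT - 1;
}

static void report(const char *what, const struct xt_entry_target *t)
{
    printf("%-26s before fix: %-9s after fix: %s\n", what,
           bad_verdict_before_fix(t) ? "rejected" : "ok",
           bad_verdict_after_fix(t) ? "rejected" : "ok");
}

int main(void)
{
    union demo_target_buf b;

    /* First rule of an already-visited chain: a DEMOMARK whose mark has the
     * top bit set reads as -65536 when taken for a verdict, so the old check
     * rejects a valid ruleset. A small mark slips through, which is why the
     * false positives looked sporadic. */
    report("DEMOMARK mark=0xffff0000", build_mark(&b, 0xffff0000u));
    report("DEMOMARK mark=0x1", build_mark(&b, 0x1u));
    /* A genuinely invalid standard verdict is still caught after the fix,
     * and a standard RETURN is accepted by both versions. */
    report("standard verdict=-7", build_standard(&b, -7));
    report("standard RETURN", build_standard(&b, XT_RETURN));
    return 0;
}
```

The point of the two DEMOMARK rows is that the old check's outcome depended on the private data of whatever target happened to be first in a chain that had already been visited, which is exactly what made the rejections look random rather than tied to a ruleset's structure.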
* patch netfilter-ip-ip6-arp-_tables-fix-incorrect-loop-detection.patch queued to 2.6.29-stable tree
From: chrisw @ 2009-04-22 0:05 UTC
To: kaber, chrisw, davem, Francis_Dupont, netfilter-devel
Cc: stable, stable-commits
This is a note to let you know that we have just queued up the patch titled
Subject: netfilter: {ip, ip6, arp}_tables: fix incorrect loop detection
to the 2.6.29-stable tree. Its filename is
netfilter-ip-ip6-arp-_tables-fix-incorrect-loop-detection.patch
A git repo of this tree can be found at
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
From stable-bounces@linux.kernel.org Mon Apr 6 15:33:13 2009
Message-ID: <49DA2051.5030507@trash.net>
Date: Mon, 06 Apr 2009 17:31:29 +0200
From: Patrick McHardy <kaber@trash.net>
To: stable@kernel.org
Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>, "David S. Miller" <davem@davemloft.net>
Subject: netfilter: {ip, ip6, arp}_tables: fix incorrect loop detection
upstream commit: 1f9352ae2253a97b07b34dcf16ffa3b4ca12c558
Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case
search for loops) introduced a regression in the loop detection algorithm,
causing sporadic incorrectly detected loops.
When a chain has already been visited during the check, it is treated as
having a standard target containing a RETURN verdict directly at the
beginning in order to not check it again. The real target of the first
rule is then incorrectly treated as STANDARD target and checked not to
contain invalid verdicts.
Fix by making sure the rule does actually contain a standard target.
Based on patch by Francis Dupont <Francis_Dupont@isc.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
net/ipv4/netfilter/arp_tables.c | 4 +++-
net/ipv4/netfilter/ip_tables.c | 4 +++-
net/ipv6/netfilter/ip6_tables.c | 4 +++-
3 files changed, 9 insertions(+), 3 deletions(-)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -374,7 +374,9 @@ static int mark_source_chains(struct xt_
&& unconditional(&e->arp)) || visited) {
unsigned int oldpos, size;
- if (t->verdict < -NF_MAX_VERDICT - 1) {
+ if ((strcmp(t->target.u.user.name,
+ ARPT_STANDARD_TARGET) == 0) &&
+ t->verdict < -NF_MAX_VERDICT - 1) {
duprintf("mark_source_chains: bad "
"negative verdict (%i)\n",
t->verdict);
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -496,7 +496,9 @@ mark_source_chains(struct xt_table_info
&& unconditional(&e->ip)) || visited) {
unsigned int oldpos, size;
- if (t->verdict < -NF_MAX_VERDICT - 1) {
+ if ((strcmp(t->target.u.user.name,
+ IPT_STANDARD_TARGET) == 0) &&
+ t->verdict < -NF_MAX_VERDICT - 1) {
duprintf("mark_source_chains: bad "
"negative verdict (%i)\n",
t->verdict);
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -525,7 +525,9 @@ mark_source_chains(struct xt_table_info
&& unconditional(&e->ipv6)) || visited) {
unsigned int oldpos, size;
- if (t->verdict < -NF_MAX_VERDICT - 1) {
+ if ((strcmp(t->target.u.user.name,
+ IP6T_STANDARD_TARGET) == 0) &&
+ t->verdict < -NF_MAX_VERDICT - 1) {
duprintf("mark_source_chains: bad "
"negative verdict (%i)\n",
t->verdict);
Patches currently in stable-queue which might be from kaber@trash.net are
queue-2.6.29/netfilter-ip-ip6-arp-_tables-fix-incorrect-loop-detection.patch