Patch "netfilter: core: only allow one nat hook per hook point" has been added to the 4.15-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Patch "netfilter: core: only allow one nat hook per hook point" has been added to the 4.15-stable tree
@ 2018-04-09  9:36 gregkh
  2018-04-09  9:47 ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: gregkh @ 2018-04-09  9:36 UTC (permalink / raw)
  To: fw, alexander.levin, gregkh, pablo; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    netfilter: core: only allow one nat hook per hook point

to the 4.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-core-only-allow-one-nat-hook-per-hook-point.patch
and it can be found in the queue-4.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Mon Apr  9 10:16:32 CEST 2018
From: Florian Westphal <fw@strlen.de>
Date: Fri, 8 Dec 2017 17:01:54 +0100
Subject: netfilter: core: only allow one nat hook per hook point

From: Florian Westphal <fw@strlen.de>


[ Upstream commit f92b40a8b2645af38bd6814651c59c1e690db53d ]

The netfilter NAT core cannot deal with more than one NAT hook per hook
location (prerouting, input ...), because the NAT hooks install a NAT null
binding in case the iptables nat table (iptable_nat hooks) or the
corresponding nftables chain (nft nat hooks) doesn't specify a nat
transformation.

Null bindings are needed to detect port collsisions between NAT-ed and
non-NAT-ed connections.

This causes nftables NAT rules to not work when iptable_nat module is
loaded, and vice versa because nat binding has already been attached
when the second nat hook is consulted.

The netfilter core is not really the correct location to handle this
(hooks are just hooks, the core has no notion of what kinds of side
 effects a hook implements), but its the only place where we can check
for conflicts between both iptables hooks and nftables hooks without
adding dependencies.

So add nat annotation to hook_ops to describe those hooks that will
add NAT bindings and then make core reject if such a hook already exists.
The annotation fills a padding hole, in case further restrictions appar
we might change this to a 'u8 type' instead of bool.

iptables error if nft nat hook active:
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables v1.4.21: can't initialize iptables table `nat': File exists
Perhaps iptables or your kernel needs to be upgraded.

nftables error if iptables nat table present:
nft -f /etc/nftables/ipv4-nat
/usr/etc/nftables/ipv4-nat:3:1-2: Error: Could not process rule: File exists
table nat {
^^

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/netfilter.h         |    1 +
 net/ipv4/netfilter/iptable_nat.c  |    4 ++++
 net/ipv6/netfilter/ip6table_nat.c |    4 ++++
 net/netfilter/core.c              |    6 ++++++
 net/netfilter/nf_tables_api.c     |    2 ++
 5 files changed, 17 insertions(+)

--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -67,6 +67,7 @@ struct nf_hook_ops {
 	struct net_device	*dev;
 	void			*priv;
 	u_int8_t		pf;
+	bool			nat_hook;
 	unsigned int		hooknum;
 	/* Hooks are ordered in ascending priority. */
 	int			priority;
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -72,6 +72,7 @@ static const struct nf_hook_ops nf_nat_i
 	{
 		.hook		= iptable_nat_ipv4_in,
 		.pf		= NFPROTO_IPV4,
+		.nat_hook	= true,
 		.hooknum	= NF_INET_PRE_ROUTING,
 		.priority	= NF_IP_PRI_NAT_DST,
 	},
@@ -79,6 +80,7 @@ static const struct nf_hook_ops nf_nat_i
 	{
 		.hook		= iptable_nat_ipv4_out,
 		.pf		= NFPROTO_IPV4,
+		.nat_hook	= true,
 		.hooknum	= NF_INET_POST_ROUTING,
 		.priority	= NF_IP_PRI_NAT_SRC,
 	},
@@ -86,6 +88,7 @@ static const struct nf_hook_ops nf_nat_i
 	{
 		.hook		= iptable_nat_ipv4_local_fn,
 		.pf		= NFPROTO_IPV4,
+		.nat_hook	= true,
 		.hooknum	= NF_INET_LOCAL_OUT,
 		.priority	= NF_IP_PRI_NAT_DST,
 	},
@@ -93,6 +96,7 @@ static const struct nf_hook_ops nf_nat_i
 	{
 		.hook		= iptable_nat_ipv4_fn,
 		.pf		= NFPROTO_IPV4,
+		.nat_hook	= true,
 		.hooknum	= NF_INET_LOCAL_IN,
 		.priority	= NF_IP_PRI_NAT_SRC,
 	},
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -74,6 +74,7 @@ static const struct nf_hook_ops nf_nat_i
 	{
 		.hook		= ip6table_nat_in,
 		.pf		= NFPROTO_IPV6,
+		.nat_hook	= true,
 		.hooknum	= NF_INET_PRE_ROUTING,
 		.priority	= NF_IP6_PRI_NAT_DST,
 	},
@@ -81,6 +82,7 @@ static const struct nf_hook_ops nf_nat_i
 	{
 		.hook		= ip6table_nat_out,
 		.pf		= NFPROTO_IPV6,
+		.nat_hook	= true,
 		.hooknum	= NF_INET_POST_ROUTING,
 		.priority	= NF_IP6_PRI_NAT_SRC,
 	},
@@ -88,12 +90,14 @@ static const struct nf_hook_ops nf_nat_i
 	{
 		.hook		= ip6table_nat_local_fn,
 		.pf		= NFPROTO_IPV6,
+		.nat_hook	= true,
 		.hooknum	= NF_INET_LOCAL_OUT,
 		.priority	= NF_IP6_PRI_NAT_DST,
 	},
 	/* After packet filtering, change source */
 	{
 		.hook		= ip6table_nat_fn,
+		.nat_hook	= true,
 		.pf		= NFPROTO_IPV6,
 		.hooknum	= NF_INET_LOCAL_IN,
 		.priority	= NF_IP6_PRI_NAT_SRC,
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -135,6 +135,12 @@ nf_hook_entries_grow(const struct nf_hoo
 			++i;
 			continue;
 		}
+
+		if (reg->nat_hook && orig_ops[i]->nat_hook) {
+			kvfree(new);
+			return ERR_PTR(-EEXIST);
+		}
+
 		if (inserted || reg->priority > orig_ops[i]->priority) {
 			new_ops[nhooks] = (void *)orig_ops[i];
 			new->hooks[nhooks] = old->hooks[i];
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1400,6 +1400,8 @@ static int nf_tables_addchain(struct nft
 				ops->hook = hookfn;
 			if (afi->hook_ops_init)
 				afi->hook_ops_init(ops, i);
+			if (basechain->type->type == NFT_CHAIN_T_NAT)
+				ops->nat_hook = true;
 		}
 
 		chain->flags |= NFT_BASE_CHAIN;


Patches currently in stable-queue which might be from fw@strlen.de are

queue-4.15/netfilter-core-only-allow-one-nat-hook-per-hook-point.patch

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Patch "netfilter: core: only allow one nat hook per hook point" has been added to the 4.15-stable tree
  2018-04-09  9:36 Patch "netfilter: core: only allow one nat hook per hook point" has been added to the 4.15-stable tree gregkh
@ 2018-04-09  9:47 ` Florian Westphal
  2018-04-09 11:51   ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2018-04-09  9:47 UTC (permalink / raw)
  To: gregkh; +Cc: fw, alexander.levin, pablo, stable, stable-commits

gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     netfilter: core: only allow one nat hook per hook point
> 
> to the 4.15-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      netfilter-core-only-allow-one-nat-hook-per-hook-point.patch
> and it can be found in the queue-4.15 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> From foo@baz Mon Apr  9 10:16:32 CEST 2018
> From: Florian Westphal <fw@strlen.de>
> Date: Fri, 8 Dec 2017 17:01:54 +0100
> Subject: netfilter: core: only allow one nat hook per hook point
> 
> From: Florian Westphal <fw@strlen.de>

NAK.

This also needs
netfilter: nf_tables: permit second nat hook if colliding hook is going away

I would not add these to stable.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Patch "netfilter: core: only allow one nat hook per hook point" has been added to the 4.15-stable tree
  2018-04-09  9:47 ` Florian Westphal
@ 2018-04-09 11:51   ` Greg KH
  0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2018-04-09 11:51 UTC (permalink / raw)
  To: Florian Westphal; +Cc: alexander.levin, pablo, stable, stable-commits

On Mon, Apr 09, 2018 at 11:47:28AM +0200, Florian Westphal wrote:
> gregkh@linuxfoundation.org <gregkh@linuxfoundation.org> wrote:
> > 
> > This is a note to let you know that I've just added the patch titled
> > 
> >     netfilter: core: only allow one nat hook per hook point
> > 
> > to the 4.15-stable tree which can be found at:
> >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > 
> > The filename of the patch is:
> >      netfilter-core-only-allow-one-nat-hook-per-hook-point.patch
> > and it can be found in the queue-4.15 subdirectory.
> > 
> > If you, or anyone else, feels it should not be added to the stable tree,
> > please let <stable@vger.kernel.org> know about it.
> > 
> > 
> > From foo@baz Mon Apr  9 10:16:32 CEST 2018
> > From: Florian Westphal <fw@strlen.de>
> > Date: Fri, 8 Dec 2017 17:01:54 +0100
> > Subject: netfilter: core: only allow one nat hook per hook point
> > 
> > From: Florian Westphal <fw@strlen.de>
> 
> NAK.
> 
> This also needs
> netfilter: nf_tables: permit second nat hook if colliding hook is going away
> 
> I would not add these to stable.

Thank you for letting me know, now dropped from my tree.

greg k-h

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-04-09 11:51 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-04-09  9:36 Patch "netfilter: core: only allow one nat hook per hook point" has been added to the 4.15-stable tree gregkh
2018-04-09  9:47 ` Florian Westphal
2018-04-09 11:51   ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).