Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit acced9d2 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter/IPVS fixes for your net tree:

1) Add a selftest for icmp packet too big errors with conntrack, from
   Florian Westphal.

2) Validate inner header in ICMP error message does not lie to us
   in conntrack, also from Florian.

3) Initialize ct->timeout to calm down KASAN, from Alexander Potapenko.

4) Skip ICMP error messages from tunnels in IPVS, from Julian Anastasov.

5) Use a hash to expose conntrack and expectation ID, from Florian Westphal.

6) Prevent shift wrap in nft_chain_parse_hook(), from Dan Carpenter.

7) Fix broken ICMP ID randomization with NAT, also from Florian.

8) Remove WARN_ON in ebtables compat that is reached via syzkaller,
   from Florian Westphal.

9) Fix broken timestamps since fb420d5d ("tcp/fq: move back to
   CLOCK_MONOTONIC"), from Florian.

10) Fix logging of invalid packets in conntrack, from Andrei Vagin.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 26d1b858 d4866805

include/net/netfilter/nf_conntrack.h

+2 −0
Original line number Diff line number Diff line
@@ -316,6 +316,8 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, 
				 gfp_t flags);

void nf_ct_tmpl_free(struct nf_conn *tmpl);



u32 nf_ct_get_id(const struct nf_conn *ct);



static inline void

nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)

{

include/net/netfilter/nf_conntrack_l4proto.h

+6 −0
Original line number Diff line number Diff line
@@ -75,6 +75,12 @@ bool nf_conntrack_invert_icmp_tuple(struct nf_conntrack_tuple *tuple, 
bool nf_conntrack_invert_icmpv6_tuple(struct nf_conntrack_tuple *tuple,

				      const struct nf_conntrack_tuple *orig);



int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,

			    unsigned int dataoff,

			    const struct nf_hook_state *state,

			    u8 l4proto,

			    union nf_inet_addr *outer_daddr);



int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,

			      struct sk_buff *skb,

			      unsigned int dataoff,

net/bridge/netfilter/ebtables.c

+2 −1
Original line number Diff line number Diff line
@@ -2032,7 +2032,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, 
		if (match_kern)

			match_kern->match_size = ret;



		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))

		/* rule should have no remaining data after target */

		if (type == EBT_COMPAT_TARGET && size_left)

			return -EINVAL;



		match32 = (struct compat_ebt_entry_mwt *) buf;

net/netfilter/ipvs/ip_vs_core.c

+1 −1
Original line number Diff line number Diff line
@@ -1678,7 +1678,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, 
	if (!cp) {

		int v;



		if (!sysctl_schedule_icmp(ipvs))

		if (ipip || !sysctl_schedule_icmp(ipvs))

			return NF_ACCEPT;



		if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph))

net/netfilter/nf_conntrack_core.c

+38 −5
Original line number Diff line number Diff line
@@ -25,6 +25,7 @@ 
#include <linux/slab.h>

#include <linux/random.h>

#include <linux/jhash.h>

#include <linux/siphash.h>

#include <linux/err.h>

#include <linux/percpu.h>

#include <linux/moduleparam.h>
@@ -449,6 +450,40 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, 
}

EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);



/* Generate a almost-unique pseudo-id for a given conntrack.

 *

 * intentionally doesn't re-use any of the seeds used for hash

 * table location, we assume id gets exposed to userspace.

 *

 * Following nf_conn items do not change throughout lifetime

 * of the nf_conn after it has been committed to main hash table:

 *

 * 1. nf_conn address

 * 2. nf_conn->ext address

 * 3. nf_conn->master address (normally NULL)

 * 4. tuple

 * 5. the associated net namespace

 */

u32 nf_ct_get_id(const struct nf_conn *ct)

{

	static __read_mostly siphash_key_t ct_id_seed;

	unsigned long a, b, c, d;



	net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));



	a = (unsigned long)ct;

	b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));

	c = (unsigned long)ct->ext;

	d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),

				   &ct_id_seed);

#ifdef CONFIG_64BIT

	return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);

#else

	return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &ct_id_seed);

#endif

}

EXPORT_SYMBOL_GPL(nf_ct_get_id);



static void

clean_from_lists(struct nf_conn *ct)

{
@@ -982,12 +1017,9 @@ __nf_conntrack_confirm(struct sk_buff *skb) 


	/* set conntrack timestamp, if enabled. */

	tstamp = nf_conn_tstamp_find(ct);

	if (tstamp) {

		if (skb->tstamp == 0)

			__net_timestamp(skb);

	if (tstamp)

		tstamp->start = ktime_get_real_ns();



		tstamp->start = ktime_to_ns(skb->tstamp);

	}

	/* Since the lookup is lockless, hash insertion must be done after

	 * starting the timer and setting the CONFIRMED bit. The RCU barriers

	 * guarantee that no other CPU can find the conntrack before the above
@@ -1350,6 +1382,7 @@ __nf_conntrack_alloc(struct net *net, 
	/* save hash for reusing when confirming */

	*(unsigned long *)(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode.pprev) = hash;

	ct->status = 0;

	ct->timeout = 0;

	write_pnet(&ct->ct_net, net);

	memset(&ct->__nfct_init_offset[0], 0,

	       offsetof(struct nf_conn, proto) -