
Commit f5646501 authored by Flavio Leitner's avatar Flavio Leitner Committed by David S. Miller

netfilter: check if the socket netns is correct.



Netfilter assumes that if the socket is present in the skb, then
it can be used because that reference is cleaned up while the skb
is crossing netns.

We want to change that to preserve the socket reference in a future
patch, so this is a preparatory change updating netfilter to check that the
socket's netns matches before using it.

Signed-off-by: default avatarFlavio Leitner <fbl@redhat.com>
Acked-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 003504a2
+2 −1
@@ -106,7 +106,8 @@ int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb,
int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb,
int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb,
			   u8 proto, int fragment, unsigned int offset,
			   u8 proto, int fragment, unsigned int offset,
			   unsigned int logflags);
			   unsigned int logflags);
void nf_log_dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk);
void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m,
			    struct sock *sk);
void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
			       unsigned int hooknum, const struct sk_buff *skb,
			       unsigned int hooknum, const struct sk_buff *skb,
			       const struct net_device *in,
			       const struct net_device *in,
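Review bot: The `net` parameter added to the nf_log_dump_sk_uid_gid prototype is undocumented, and this header is where callers will look for what it is compared against. A one-line comment above the declaration would settle it, e.g. `/* Emit UID/GID of sk only when sk belongs to net (the netns the log line is produced in). */`. The header hunk is declaration-only; the behaviour it describes lives in the nf_log_common.c hunk further down the page.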
+4 −4
@@ -35,7 +35,7 @@ static const struct nf_loginfo default_loginfo = {
};
};


/* One level of recursion won't kill us */
/* One level of recursion won't kill us */
static void dump_ipv4_packet(struct nf_log_buf *m,
static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
			     const struct nf_loginfo *info,
			     const struct nf_loginfo *info,
			     const struct sk_buff *skb, unsigned int iphoff)
			     const struct sk_buff *skb, unsigned int iphoff)
{
{
@@ -183,7 +183,7 @@ static void dump_ipv4_packet(struct nf_log_buf *m,
			/* Max length: 3+maxlen */
			/* Max length: 3+maxlen */
			if (!iphoff) { /* Only recurse once. */
			if (!iphoff) { /* Only recurse once. */
				nf_log_buf_add(m, "[");
				nf_log_buf_add(m, "[");
				dump_ipv4_packet(m, info, skb,
				dump_ipv4_packet(net, m, info, skb,
					    iphoff + ih->ihl*4+sizeof(_icmph));
					    iphoff + ih->ihl*4+sizeof(_icmph));
				nf_log_buf_add(m, "] ");
				nf_log_buf_add(m, "] ");
			}
			}
@@ -251,7 +251,7 @@ static void dump_ipv4_packet(struct nf_log_buf *m,


	/* Max length: 15 "UID=4294967295 " */
	/* Max length: 15 "UID=4294967295 " */
	if ((logflags & NF_LOG_UID) && !iphoff)
	if ((logflags & NF_LOG_UID) && !iphoff)
		nf_log_dump_sk_uid_gid(m, skb->sk);
		nf_log_dump_sk_uid_gid(net, m, skb->sk);


	/* Max length: 16 "MARK=0xFFFFFFFF " */
	/* Max length: 16 "MARK=0xFFFFFFFF " */
	if (!iphoff && skb->mark)
	if (!iphoff && skb->mark)
@@ -333,7 +333,7 @@ static void nf_log_ip_packet(struct net *net, u_int8_t pf,
	if (in != NULL)
	if (in != NULL)
		dump_ipv4_mac_header(m, loginfo, skb);
		dump_ipv4_mac_header(m, loginfo, skb);


	dump_ipv4_packet(m, loginfo, skb, 0);
	dump_ipv4_packet(net, m, loginfo, skb, 0);


	nf_log_buf_close(m);
	nf_log_buf_close(m);
}
}
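Review bot: At the `nf_log_dump_sk_uid_gid(net, m, skb->sk)` call the existing `/* Max length: 15 "UID=4294967295 " */` comment now undersells the condition: the UID/GID fields are additionally skipped when the socket's netns is not `net`, which a reader sizing the log buffer or grepping for missing UID= fields would want stated. Suggest extending it to `/* Max length: 15 "UID=4294967295 "; omitted when skb->sk is not in net */`. The `net` threaded through dump_ipv4_packet comes from nf_log_ip_packet's own `struct net *net` parameter, so it is presumably the hook's netns rather than the device's; worth confirming that is the intended comparison point. The same comment applies to the matching call in the nf_log_ipv6 section below.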
+4 −4
@@ -36,7 +36,7 @@ static const struct nf_loginfo default_loginfo = {
};
};


/* One level of recursion won't kill us */
/* One level of recursion won't kill us */
static void dump_ipv6_packet(struct nf_log_buf *m,
static void dump_ipv6_packet(struct net *net, struct nf_log_buf *m,
			     const struct nf_loginfo *info,
			     const struct nf_loginfo *info,
			     const struct sk_buff *skb, unsigned int ip6hoff,
			     const struct sk_buff *skb, unsigned int ip6hoff,
			     int recurse)
			     int recurse)
@@ -258,7 +258,7 @@ static void dump_ipv6_packet(struct nf_log_buf *m,
			/* Max length: 3+maxlen */
			/* Max length: 3+maxlen */
			if (recurse) {
			if (recurse) {
				nf_log_buf_add(m, "[");
				nf_log_buf_add(m, "[");
				dump_ipv6_packet(m, info, skb,
				dump_ipv6_packet(net, m, info, skb,
						 ptr + sizeof(_icmp6h), 0);
						 ptr + sizeof(_icmp6h), 0);
				nf_log_buf_add(m, "] ");
				nf_log_buf_add(m, "] ");
			}
			}
@@ -278,7 +278,7 @@ static void dump_ipv6_packet(struct nf_log_buf *m,


	/* Max length: 15 "UID=4294967295 " */
	/* Max length: 15 "UID=4294967295 " */
	if ((logflags & NF_LOG_UID) && recurse)
	if ((logflags & NF_LOG_UID) && recurse)
		nf_log_dump_sk_uid_gid(m, skb->sk);
		nf_log_dump_sk_uid_gid(net, m, skb->sk);


	/* Max length: 16 "MARK=0xFFFFFFFF " */
	/* Max length: 16 "MARK=0xFFFFFFFF " */
	if (recurse && skb->mark)
	if (recurse && skb->mark)
@@ -365,7 +365,7 @@ static void nf_log_ip6_packet(struct net *net, u_int8_t pf,
	if (in != NULL)
	if (in != NULL)
		dump_ipv6_mac_header(m, loginfo, skb);
		dump_ipv6_mac_header(m, loginfo, skb);


	dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1);
	dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1);


	nf_log_buf_close(m);
	nf_log_buf_close(m);
}
}
+1 −1
@@ -32,7 +32,7 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb,
	__be32 mask = 0;
	__be32 mask = 0;


	/* we're only interested in locally generated packets */
	/* we're only interested in locally generated packets */
	if (skb->sk == NULL)
	if (skb->sk == NULL || !net_eq(nf_ct_net(ct), sock_net(skb->sk)))
		goto out;
		goto out;
	if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST))
	if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST))
		goto out;
		goto out;
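Review bot: The comment `/* we're only interested in locally generated packets */` no longer describes the whole condition, which now also drops packets whose socket lives in a different netns from the conntrack entry; it should say so, e.g. `/* only locally generated packets whose socket is in the ct's netns */`. `ct` is not declared inside the hunk, so it is presumably a parameter or earlier local of nf_conntrack_broadcast_help, whose body starts outside the hunk. Since a mismatched-netns socket is now silently treated like "no socket", a reader debugging a broadcast helper that stops matching would be helped by that comment naming the netns test explicitly.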
+3 −2
@@ -132,9 +132,10 @@ int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb,
}
}
EXPORT_SYMBOL_GPL(nf_log_dump_tcp_header);
EXPORT_SYMBOL_GPL(nf_log_dump_tcp_header);


void nf_log_dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk)
void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m,
			    struct sock *sk)
{
{
	if (!sk || !sk_fullsock(sk))
	if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk)))
		return;
		return;


	read_lock_bh(&sk->sk_callback_lock);
	read_lock_bh(&sk->sk_callback_lock);
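Review bot: The new `!net_eq(net, sock_net(sk))` guard in nf_log_dump_sk_uid_gid returns silently, so a log line simply lacks its UID=/GID= fields when the socket belongs to another netns, and nothing at the function explains why that is the right outcome. A short comment on the guard would carry the rationale from the commit message into the code, e.g. `/* sk may belong to another netns once the reference is kept across netns crossings; never attribute its creds here */`. The function also has no kernel-doc block; a header stating that `net` is the namespace the caller is logging from and that `sk` may be NULL or a non-full socket would make the three early-return cases self-explanatory. The body continues past the end of the hunk.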