summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ipset: list:set: Decrease refcount synchronously on deletion and replaceStefano Brivio2018-07-163-19/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 45040978c899 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel") postponed decreasing set reference counters to the RCU callback. An 'ipset del' command can terminate before the RCU grace period is elapsed, and if sets are listed before then, the reference counter shown in userspace will be wrong: # ipset create h hash:ip; ipset create l list:set; ipset add l # ipset del l h; ipset list h Name: h Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 88 References: 1 Number of entries: 0 Members: # sleep 1; ipset list h Name: h Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 88 References: 0 Number of entries: 0 Members: Fix this by making the reference count update synchronous again. As a result, when sets are listed, ip_set_name_byindex() might now fetch a set whose reference count is already zero. Instead of relying on the reference count to protect against concurrent set renaming, grab ip_set_ref_lock as reader and copy the name, while holding the same lock in ip_set_rename() as writer instead. Reported-by: Li Shuang <shuali@redhat.com> Fixes: 45040978c899 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: forbid family for hash:mac setsFlorent Fourcot2018-06-041-1/+4
| | | | | | | | | | | | | | | | | | | | | | Userspace `ipset` command forbids family option for hash:mac type: ipset create test hash:mac family inet4 ipset v6.30: Unknown argument: `family' However, this check is not done in kernel itself. When someone use external netlink applications (pyroute2 python library for example), one can create hash:mac with invalid family and inconsistant results from userspace (`ipset` command cannot read set content anymore). This patch enforce the logic in kernel, and forbids insertion of hash:mac with a family set. Since IP_SET_PROTO_UNDEF is defined only for hash:mac, this patch has no impact on other hash:* sets Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr> Signed-off-by: Victorien Molle <victorien.molle@wifirst.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SECJozsef Kadlecsik2018-06-014-10/+13
| | | | | | | | Due to the negative value condition in msecs_to_jiffies(), the real max possible timeout value must be set to (UINT_MAX >> 1)/MSEC_PER_SEC. Neutron Soutmun proposed the proper fix, but an insufficient one was applied, see https://patchwork.ozlabs.org/patch/400405/.
* List timing out entries with "timeout 1" instead of zero timeout valueJozsef Kadlecsik2018-06-011-2/+8
| | | | | | | | | | | | When listing sets with timeout support, there's a probability that just timing out entries with "0" timeout value is listed/saved. However when restoring the saved list, the zero timeout value means permanent elelements. The new behaviour is that timing out entries are listed with "timeout 1" instead of zero. Fixes bugzilla #1258.
* tests/check_klog.sh: Try dmesg too, don't let shell terminate scriptStefano Brivio2018-05-301-0/+4
| | | | | | | | | | | | | Some hosts might not use /var/log/kern.log for kernel messages, so if we can't find a match there, try dmesg next. If no matches are found, don't let the shell terminate the script, so that we have a chance to try dmesg and actually echo "no match!" if no matches are found: set +e before the setname loop. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: xt_set: Check hook mask correctlySerhey Popovych2018-05-301-1/+1
| | | | | | | | | | | | | | | | | | Inserting rule before one with SET target we get error with warning in dmesg(1) output: # iptables -A FORWARD -t mangle -j SET --map-set test src --map-prio # iptables -I FORWARD 1 -t mangle -j ACCEPT iptables: Invalid argument. Run `dmesg' for more information. # dmesg |tail -n1 [268578.026643] mapping of prio or/and queue is allowed only from \ OUTPUT/FORWARD/POSTROUTING chains Rather than checking for supported hook bits for SET target check for unsupported one as done in all rest of matches and targets. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.38 releasedv6.38Jozsef Kadlecsik2018-04-102-1/+4
|
* Fix API version number (reported by Jan Engelhardt)Jozsef Kadlecsik2018-04-101-1/+1
|
* ipset 6.37 releasedv6.37Jozsef Kadlecsik2018-04-103-1/+8
|
* Fix parsing service names for portsJozsef Kadlecsik2018-04-106-11/+38
| | | | | | Parsing is attempted both for numbers and service names and the temporary stored error message triggered to reset the state parameters about the set. Reported by Yuri D'Elia.
* netfilter: ipset: Use is_zero_ether_addr instead of static and memcmpJoe Perches2018-04-101-5/+2
| | | | | | | | | | | | | | | | | | To make the test a bit clearer and to reduce object size a little. Miscellanea: o remove now unnecessary static const array $ size ip_set_hash_mac.o* text data bss dec hex filename 22822 4619 64 27505 6b71 ip_set_hash_mac.o.allyesconfig.new 22932 4683 64 27679 6c1f ip_set_hash_mac.o.allyesconfig.old 10443 1040 0 11483 2cdb ip_set_hash_mac.o.defconfig.new 10507 1040 0 11547 2d1b ip_set_hash_mac.o.defconfig.old Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.36 releasedv6.36Jozsef Kadlecsik2018-03-033-1/+14
|
* Use 'ss' in runtest.sh but fall back to deprecated 'net-tools' commandJozsef Kadlecsik2018-03-031-4/+14
| | | | Fixes bugzilla id #1209.
* Remove duplicate module descriptionJozsef Kadlecsik2018-01-291-8/+1
|
* netfilter: remove messages print and boot/module load timePablo Neira Ayuso2018-01-291-1/+2
| | | | | | | | | | | | | | | | | | | | | | | Several reasons for this: * Several modules maintain internal version numbers, that they print at boot/module load time, that are not exposed to userspace, as a primitive mechanism to make revision number control from the earlier days of Netfilter. * IPset shows the protocol version at boot/module load time, instead display this via module description, as Jozsef suggested. * Remove copyright notice at boot/module load time in two spots, the Netfilter codebase is a collective development effort, if we would have to display copyrights for each contributor at boot/module load time for each extensions we have, we would probably fill up logs with lots of useless information - from a technical standpoint. So let's be consistent and remove them all. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* build: do install libipset/args.hJan Engelhardt2018-01-231-0/+1
| | | | | | | | libipset/types.h includes args.h, therefore args.h must be installed too. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add test to verify wraparound fixJozsef Kadlecsik2018-01-121-0/+6
|
* Fix wraparound bug introduced in commit 48596a8ddc46Jozsef Kadlecsik2018-01-126-63/+63
| | | | | | | | | The patch "netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses" introduced a wraparound bug, which could lead to memory exhaustion when adding an x.x.x.x-255.255.255.255 range to any hash:*net* types. Fixes Netfilter's bugzilla id #1212, reported by Thomas Schwark.
* ipset 6.35 releasedv6.35Jozsef Kadlecsik2018-01-063-1/+22
|
* netfilter: mark expected switch fall-throughsGustavo A. R. Silva2018-01-061-1/+1
| | | | | | | | | In preparation to enabling -Wimplicit-fallthrough, mark switch cases where we are expecting to fall through. Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* License cleanup: add SPDX GPL-2.0 license identifier to files with no licenseGreg Kroah-Hartman2018-01-065-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Many source files in the tree are missing licensing information, which makes it harder for compliance tools to determine the correct license. By default all files without license information are under the default license of the kernel, which is GPL version 2. Update the files which contain no license information with the 'GPL-2.0' SPDX license identifier. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text. This patch is based on work done by Thomas Gleixner and Kate Stewart and Philippe Ombredanne. How this work was done: Patches were generated and checked against linux-4.14-rc6 for a subset of the use cases: - file had no licensing information it it. - file was a */uapi/* one with no licensing information in it, - file was a */uapi/* one with existing licensing information, Further patches will be generated in subsequent months to fix up cases where non-standard license headers were used, and references to license had to be inferred by heuristics based on keywords. The analysis to determine which SPDX License Identifier to be applied to a file was done in a spreadsheet of side by side results from of the output of two independent scanners (ScanCode & Windriver) producing SPDX tag:value files created by Philippe Ombredanne. Philippe prepared the base worksheet, and did an initial spot review of a few 1000 files. The 4.13 kernel was the starting point of the analysis with 60,537 files assessed. Kate Stewart did a file by file comparison of the scanner results in the spreadsheet to determine which SPDX license identifier(s) to be applied to the file. She confirmed any determination that was not immediately clear with lawyers working with the Linux Foundation. Criteria used to select files for SPDX license identifier tagging was: - Files considered eligible had to be source code files. - Make and config files were included as candidates if they contained >5 lines of source - File already had some variant of a license header in it (even if <5 lines). All documentation files were explicitly excluded. The following heuristics were used to determine which SPDX license identifiers to apply. - when both scanners couldn't find any license traces, file was considered to have no license information in it, and the top level COPYING file license applied. For non */uapi/* files that summary was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 11139 and resulted in the first patch in this series. If that file was a */uapi/* path one, it was "GPL-2.0 WITH Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 WITH Linux-syscall-note 930 and resulted in the second patch in this series. - if a file had some form of licensing information in it, and was one of the */uapi/* ones, it was denoted with the Linux-syscall-note if any GPL family license was found in the file or had no licensing in it (per prior point). Results summary: SPDX license identifier # files ---------------------------------------------------|------ GPL-2.0 WITH Linux-syscall-note 270 GPL-2.0+ WITH Linux-syscall-note 169 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17 LGPL-2.1+ WITH Linux-syscall-note 15 GPL-1.0+ WITH Linux-syscall-note 14 ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5 LGPL-2.0+ WITH Linux-syscall-note 4 LGPL-2.1 WITH Linux-syscall-note 3 ((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3 ((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1 and that resulted in the third patch in this series. - when the two scanners agreed on the detected license(s), that became the concluded license(s). - when there was disagreement between the two scanners (one detected a license but the other didn't, or they both detected different licenses) a manual inspection of the file occurred. - In most cases a manual inspection of the information in the file resulted in a clear resolution of the license that should apply (and which scanner probably needed to revisit its heuristics). - When it was not immediately clear, the license identifier was confirmed with lawyers working with the Linux Foundation. - If there was any question as to the appropriate license identifier, the file was flagged for further research and to be revisited later in time. In total, over 70 hours of logged manual review was done on the spreadsheet to determine the SPDX license identifiers to apply to the source files by Kate, Philippe, Thomas and, in some cases, confirmation by lawyers working with the Linux Foundation. Kate also obtained a third independent scan of the 4.13 code base from FOSSology, and compared selected files where the other two scanners disagreed against that SPDX file, to see if there was new insights. The Windriver scanner is based on an older version of FOSSology in part, so they are related. Thomas did random spot checks in about 500 files from the spreadsheets for the uapi headers and agreed with SPDX license identifier in the files he inspected. For the non-uapi files Thomas did random spot checks in about 15000 files. In initial set of patches against 4.14-rc6, 3 files were found to have copy/paste license identifier errors, and have been fixed to reflect the correct identifier. Additionally Philippe spent 10 hours this week doing a detailed manual inspection and review of the 12,461 patched files from the initial patch version early this week with: - a full scancode scan run, collecting the matched texts, detected license ids and scores - reviewing anything where there was a license detected (about 500+ files) to ensure that the applied SPDX license was correct - reviewing anything where there was no detection but the patch license was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied SPDX license was correct This produced a worksheet with 20 files needing minor correction. This worksheet was then exported into 3 different .csv files for the different types of files to be modified. These .csv files were then reviewed by Greg. Thomas wrote a script to parse the csv files and add the proper SPDX tag to the file, in the format that the file expected. This script was further refined by Greg based on the output to detect more types of files automatically and to distinguish between header and source .c files (which need different comment types.) Finally Greg ran the script using the .csv files to generate the patches. Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Backport patch: netfilter: ipset: use nfnl_mutex_is_lockedJozsef Kadlecsik2018-01-042-0/+15
|
* Missing nfnl_lock()/nfnl_unlock() is added to ip_set_net_exit()Jozsef Kadlecsik2018-01-041-0/+2
| | | | | Patch "netfilter: ipset: use nfnl_mutex_is_locked" is added the real mutex locking check, which revealed the missing locking in ip_set_net_exit().
* netfilter: ipset: use nfnl_mutex_is_lockedFlorian Westphal2018-01-041-1/+1
| | | | | | | | Check that we really hold nfnl mutex here instead of relying on correct usage alone. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: add resched points during set listingFlorian Westphal2018-01-043-2/+2
| | | | | | | | | | | | | | When sets are extremely large we can get softlockup during ipset -L. We could fix this by adding cond_resched_rcu() at the right location during iteration, but this only works if RCU nesting depth is 1. At this time entire variant->list() is called under under rcu_read_lock_bh. This used to be a read_lock_bh() but as rcu doesn't really lock anything, it does not appear to be needed, so remove it (ipset increments set reference count before this, so a set deletion should not be possible). Reported-by: Li Shuang <shuali@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* Fix "don't update counters" mode when counters used at the matchingJozsef Kadlecsik2018-01-0410-128/+131
| | | | The matching of the counters was not taken into account, fixed.
* Backport patch: netfilter: ipset: Convert timers to use timer_setup()Jozsef Kadlecsik2018-01-038-15/+67
|
* Userspace revision handling is reworkedJozsef Kadlecsik2018-01-0226-7829/+5122
| | | | | | | | | | | In order to make it simpler and more straightforward to express the revisions of the set type, all keywords and their parsing are separated from the individual set types. All backward compatibility arguments are recognized and ignored arguments are supported. Recognized but ignored arguments will be removed in a later release.
* netfilter: ipset: use swap macro instead of _manually_ swapping valuesGustavo A. R. Silva2017-11-063-18/+6
| | | | | | | | | | Make use of the swap macro and remove unnecessary variables tmp. This makes the code easier to read and maintain. This code was detected with the help of Coccinelle. Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Fix race between dump and swapRoss Lagerwall2017-09-281-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a race between ip_set_dump_start() and ip_set_swap(). The race is as follows: * Without holding the ref lock, ip_set_swap() checks ref_netlink of the set and it is 0. * ip_set_dump_start() takes a reference on the set. * ip_set_swap() does the swap (even though it now has a non-zero reference count). * ip_set_dump_start() gets the set from ip_set_list again which is now a different set since it has been swapped. * ip_set_dump_start() calls __ip_set_put_netlink() and hits a BUG_ON due to the reference count being 0. Fix this race by extending the critical region in which the ref lock is held to include checking the ref counts. The race can be reproduced with the following script: while :; do ipset destroy hash_ip1 ipset destroy hash_ip2 ipset create hash_ip1 hash:ip family inet hashsize 1024 \ maxelem 500000 ipset create hash_ip2 hash:ip family inet hashsize 300000 \ maxelem 500000 ipset create hash_ip3 hash:ip family inet hashsize 1024 \ maxelem 500000 ipset save & ipset swap hash_ip3 hash_ip2 ipset destroy hash_ip3 wait done Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: pernet ops must be unregistered lastFlorian Westphal2017-09-261-17/+26
| | | | | | | | | | | | | | | | Removing the ipset module leaves a small window where one cpu performs module removal while another runs a command like 'ipset flush'. ipset uses net_generic(), unregistering the pernet ops frees this storage area. Fix it by first removing the user-visible api handlers and the pernet ops last. Fixes: 1785e8f473082 ("netfiler: ipset: Add net namespace for ipset") Reported-by: Li Shuang <shuali@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Replace the last reference to u_int8_t with uint8_t.Jozsef Kadlecsik2017-09-261-1/+1
|
* Revert "ipset: fix build with musl"Jozsef Kadlecsik2017-09-261-2/+0
| | | | | | This reverts commit 992723e3712a09037338aa9e5506a080e24d1642. The single u_int8_t usage was a leftover.
* ipset: fix build with muslStijn Tintel2017-09-251-0/+2
| | | | | | | | | Include sys/types.h for u_int8_t and define _GNU_SOURCE for musl to expose it. Fixes: 54802b2c2826 ("Report if the option is supported by a newer kernel release") Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.34 releasedv6.34Jozsef Kadlecsik2017-09-233-1/+17
|
* testsuite: Make sure it can be run over ssh :-)Jozsef Kadlecsik2017-09-236-32/+43
|
* Reset state after a command failed, when multiple ones are issued.Jozsef Kadlecsik2017-09-231-0/+1
| | | | Fixes bugzilla id #1158 reported by Dimitri Grischin.
* Handle padding attribute properly in userspace.Jozsef Kadlecsik2017-09-232-0/+9
|
* Add test file missing from patch previous patch.Jozsef Kadlecsik2017-09-231-0/+9
|
* Test to check the fix to add an IPv4 range containing more than 2^31 addressesJozsef Kadlecsik2017-09-181-0/+10
|
* Fix adding an IPv4 range containing more than 2^31 addressesJozsef Kadlecsik2017-09-1810-22/+24
| | | | | | | Wrong comparison prevented the hash types to add a range with more than 2^31 addresses but reported as a success. Fixes bugzilla id #1005, reported by Oleg Serditov and Oliver Ford.
* Fix the include guards on the include/libipset/linux_ip_set*.hJozsef Kadlecsik2017-09-145-14/+23
| | | | | | | The include guards did not prevent including the "same" userspace and kernel header files. Fixes bugzilla id #1139, reported and solution suggested by Quentin Armitage.
* New function added in commit 54802b2c is missing from libipset.mapJozsef Kadlecsik2017-09-141-0/+5
| | | | | | The patch title was "Report if the option is supported by a newer kernel release" Fixes bugzilla id #1182, reported by irherder@gmail.com.
* ipset 6.33 releasedv6.33Jozsef Kadlecsik2017-09-123-1/+25
|
* Backport patch: sctp: remove the typedef sctp_sctphdr_tJozsef Kadlecsik2017-09-113-0/+16
|
* Backport patch: netfilter: nfnetlink: extended ACK reportingJozsef Kadlecsik2017-09-113-20/+47
|
* ipset: remove unused function __ip_set_get_netlinkAaron Conole2017-09-111-8/+0
| | | | | | | | There are no in-tree callers. Signed-off-by: Aaron Conole <aconole@bytheb.org> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Backport patch: netlink: pass extended ACK struct to parsing functionsJozsef Kadlecsik2017-09-113-19/+39
|
* Backport patch netlink: extended ACK reportingJozsef Kadlecsik2017-09-113-1/+18
|
* netfilter: Remove exceptional & on function nameArushi Singhal2017-09-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | Remove & from function pointers to conform to the style found elsewhere in the file. Done using the following semantic patch // <smpl> @r@ identifier f; @@ f(...) { ... } @@ identifier r.f; @@ - &f + f // </smpl> Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>