summaryrefslogtreecommitdiffstats
path: root/kernel
Commit message (Collapse)AuthorAgeFilesLines
* netfilter: ipset: use swap macro instead of _manually_ swapping valuesGustavo A. R. Silva2017-11-063-18/+6
| | | | | | | | | | Make use of the swap macro and remove unnecessary variables tmp. This makes the code easier to read and maintain. This code was detected with the help of Coccinelle. Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Fix race between dump and swapRoss Lagerwall2017-09-281-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a race between ip_set_dump_start() and ip_set_swap(). The race is as follows: * Without holding the ref lock, ip_set_swap() checks ref_netlink of the set and it is 0. * ip_set_dump_start() takes a reference on the set. * ip_set_swap() does the swap (even though it now has a non-zero reference count). * ip_set_dump_start() gets the set from ip_set_list again which is now a different set since it has been swapped. * ip_set_dump_start() calls __ip_set_put_netlink() and hits a BUG_ON due to the reference count being 0. Fix this race by extending the critical region in which the ref lock is held to include checking the ref counts. The race can be reproduced with the following script: while :; do ipset destroy hash_ip1 ipset destroy hash_ip2 ipset create hash_ip1 hash:ip family inet hashsize 1024 \ maxelem 500000 ipset create hash_ip2 hash:ip family inet hashsize 300000 \ maxelem 500000 ipset create hash_ip3 hash:ip family inet hashsize 1024 \ maxelem 500000 ipset save & ipset swap hash_ip3 hash_ip2 ipset destroy hash_ip3 wait done Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: pernet ops must be unregistered lastFlorian Westphal2017-09-261-17/+26
| | | | | | | | | | | | | | | | Removing the ipset module leaves a small window where one cpu performs module removal while another runs a command like 'ipset flush'. ipset uses net_generic(), unregistering the pernet ops frees this storage area. Fix it by first removing the user-visible api handlers and the pernet ops last. Fixes: 1785e8f473082 ("netfiler: ipset: Add net namespace for ipset") Reported-by: Li Shuang <shuali@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.34 releasedv6.34Jozsef Kadlecsik2017-09-231-0/+4
|
* Fix adding an IPv4 range containing more than 2^31 addressesJozsef Kadlecsik2017-09-1810-22/+24
| | | | | | | Wrong comparison prevented the hash types to add a range with more than 2^31 addresses but reported as a success. Fixes bugzilla id #1005, reported by Oleg Serditov and Oliver Ford.
* ipset 6.33 releasedv6.33Jozsef Kadlecsik2017-09-121-0/+19
|
* Backport patch: sctp: remove the typedef sctp_sctphdr_tJozsef Kadlecsik2017-09-112-0/+6
|
* Backport patch: netfilter: nfnetlink: extended ACK reportingJozsef Kadlecsik2017-09-112-18/+35
|
* ipset: remove unused function __ip_set_get_netlinkAaron Conole2017-09-111-8/+0
| | | | | | | | There are no in-tree callers. Signed-off-by: Aaron Conole <aconole@bytheb.org> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Backport patch: netlink: pass extended ACK struct to parsing functionsJozsef Kadlecsik2017-09-112-19/+29
|
* Backport patch netlink: extended ACK reportingJozsef Kadlecsik2017-09-112-1/+8
|
* netfilter: Remove exceptional & on function nameArushi Singhal2017-09-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | Remove & from function pointers to conform to the style found elsewhere in the file. Done using the following semantic patch // <smpl> @r@ identifier f; @@ f(...) { ... } @@ identifier r.f; @@ - &f + f // </smpl> Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Backport missing part of patch: netfilter: Remove unnecessary cast on void ↵Jozsef Kadlecsik2017-09-111-2/+1
| | | | pointer
* Backport nfnl_msg_type()Jozsef Kadlecsik2017-09-112-1/+9
|
* netfilter: ipset: ipset list may return wrong member count for set with timeoutVishwanath Pai2017-09-061-1/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | Simple testcase: $ ipset create test hash:ip timeout 5 $ ipset add test 1.2.3.4 $ ipset add test 1.2.2.2 $ sleep 5 $ ipset l Name: test Type: hash:ip Revision: 5 Header: family inet hashsize 1024 maxelem 65536 timeout 5 Size in memory: 296 References: 0 Number of entries: 2 Members: We return "Number of entries: 2" but no members are listed. That is because mtype_list runs "ip_set_timeout_expired" and does not list the expired entries, but set->elements is never upated (until mtype_gc cleans it up later). Reviewed-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com>
* netfilter: ipset: deduplicate prefixlen mapsAaron Conole2017-09-061-258/+137
| | | | | | | | The prefixlen maps used here are identical, and have been since introduction. It seems to make sense to use a single large map, that the preprocessor will fill appropriately. Signed-off-by: Aaron Conole <aconole@bytheb.org>
* Fix sparse warningsJozsef Kadlecsik2017-03-232-2/+2
|
* netfilter: ipset: Compress return logicsimran singhal2017-03-231-4/+1
| | | | | | | | Simplify function returns by merging assignment and return into one command line. Signed-off-by: simran singhal <singhalsimran0@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Remove unnecessary cast on void pointersimran singhal2017-03-232-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | The following Coccinelle script was used to detect this: @r@ expression x; void* e; type T; identifier f; @@ ( *((T *)e) | ((T *)x)[...] | ((T*)x)->f | - (T*) e ) Signed-off-by: simran singhal <singhalsimran0@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Compatibility: handle changes in 4.10 kernel treeJozsef Kadlecsik2017-03-234-17/+54
| | | | | Handle changes in struct xt_action_param and the new xt_family(), xt_net() interfaces (reported by Jan Engelhardt).
* ipset 6.31 releasedv6.31Jozsef Kadlecsik2017-02-191-0/+8
|
* netfilter: ipset: Null pointer exception in ipset list:setVishwanath Pai2017-02-161-3/+6
| | | | | | | | | | | | | | | | | | | If we use before/after to add an element to an empty list it will cause a kernel panic. $> cat crash.restore create a hash:ip create b hash:ip create test list:set timeout 5 size 4 add test b before a $> ipset -R < crash.restore Executing the above will crash the kernel. Signed-off-by: Vishwanath Pai <vpai@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix bug: sometimes valid entries in hash:* types of sets were evictedJozsef Kadlecsik2017-02-161-1/+1
| | | | | | | | Wrong index was used and therefore when shrinking a hash bucket at deleting an entry, valid entries could be evicted as well. Thanks to Eric Ewanco for the thorough bugreport. Fixes netfilter bugzilla #1119
* Correct copyright ownerJozsef Kadlecsik2016-11-102-2/+2
| | | | | | | The functions was not introduced by Sergey Popovich, he proposed only separating them into individual extension header files. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Revert patch "Correct rcu_dereference_bh_nfnl() usage"Jozsef Kadlecsik2016-11-101-6/+4
| | | | | | | The susbsystem param cannot be used to rely on subsystem mutex locking because the call is used in netlink dump context as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.30 releasedv6.30Jozsef Kadlecsik2016-10-171-0/+20
|
* netfilter: ipset: hash: fix boolreturn.cocci warningskbuild test robot2016-10-151-4/+4
| | | | | | | | | | | | | net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in function 'hash_ipmac4_data_list' with return type bool net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in function 'hash_ipmac6_data_list' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Tomasz Chilinski <tomasz.chilinski@chilan.com> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix the nla_put_net64() API changes backportJozsef Kadlecsik2016-10-141-2/+2
| | | | | | | We must call nla_put_net64() because ipset uses net order in the netlink communication. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Fixing unnamed union initElad Raz2016-10-132-12/+32
| | | | | | | | | | | | | | | In continue to proposed Vinson Lee's post [1], this patch fixes compilation issues founded at gcc 4.4.7. The initialization of .cidr field of unnamed unions causes compilation error in gcc 4.4.x. References Visible links [1] https://lkml.org/lkml/2015/7/5/74 Signed-off-by: Elad Raz <eladr@mellanox.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: x_tables: Use par->net instead of computing from the passed net ↵Eric W. Biederman2016-10-132-6/+9
| | | | | | | | | | devices Backported from kernel tree. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Correct the reported memory size for bitmap:* typesJozsef Kadlecsik2016-10-132-4/+7
| | | | | | | The patch "Fix extension alignmen" (c7cf6f3b) removed counting the non-dynamic extensions into the used up memory area, fixed. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix coding styles reported by checkpatch.pl, already in kernelJozsef Kadlecsik2016-10-111-4/+3
|
* netfilter: x_tables: Pass struct net in xt_action_paramEric W. Biederman2016-10-112-0/+4
| | | | | | | | | | | As xt_action_param lives on the stack this does not bloat any persistent data structures. This is a first step in making netfilter code that needs to know which network namespace it is executing in simpler. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* net: sched: fix skb->protocol use in case of accelerated vlan pathJiri Pirko2016-10-112-1/+12
| | | | | | | | | | | | | | tc code implicitly considers skb->protocol even in case of accelerated vlan paths and expects vlan protocol type here. However, on rx path, if the vlan header was already stripped, skb->protocol contains value of next header. Similar situation is on tx path. So for skbs that use skb->vlan_tci for tagging, use skb->vlan_proto instead. Reported-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Jiri Pirko <jiri@resnulli.us> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Check IPSET_ATTR_ETHER netlink attribute length in hash:ipmac tooJozsef Kadlecsik2016-10-111-0/+2
| | | | | | The explicit length checking was missing, added. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: fix include files for compilationMikko Rapeli2016-10-113-0/+6
| | | | | | | | | Add missing header dependencies and other small changes so that each file compiles alone in userspace. Signed-off-by: Mikko Rapeli <mikko.rapeli@iki.fi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Backports for the nla_put_net64() API changesNeutron Soutmun2016-06-284-7/+18
| | | | | | | | | | | | | | | | | | | * Backports the patch "libnl: nla_put_net64():align on a 64-bit area" [1] by Nicolas Dichtel <nicolas.dichtel@6wind.com> * Since the nla_put_net64() API has been changed, therefore, the ip_set_compat.h.in should provides the macro IPSET_NLA_PUT_NET64 that point to the nla_put_net64() with appropriate number of arguments. The build script should distinguish the API changes by detect for the existence of nla_put_64bit() function in include/net/netlink.h. This function was added in the same patches set and called by the nla_put_be64() that called by nla_put_net64() respectively. [1] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=e9bbe898cbe89b17ad3993c136aa13d0431cd537 Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: use setup_timer() and mod_timer().Muhammad Falak R Wani2016-05-191-5/+2
| | | | | | | | | | | | | | | Use setup_timer() and instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: use setup_timer() and mod_timer().Muhammad Falak R Wani2016-05-191-5/+2
| | | | | | | | | | | | | | | Use setup_timer() and instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: use setup_timer() and mod_timer().Muhammad Falak R Wani2016-05-191-5/+2
| | | | | | | | | | | | | | | Use setup_timer() and instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* hash:ipmac type support added to ipsetTomasz Chilinski2016-05-053-1/+323
| | | | | Signed-off-by: Tomasz Chili??ski <tomasz.chilinski@chilan.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.29 releasedv6.29Jozsef Kadlecsik2016-03-161-0/+3
|
* netfilter: ipset: fix race condition in ipset save, swap and deleteVishwanath Pai2016-03-165-8/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fix adds a new reference counter (ref_netlink) for the struct ip_set. The other reference counter (ref) can be swapped out by ip_set_swap and we need a separate counter to keep track of references for netlink events like dump. Using the same ref counter for dump causes a race condition which can be demonstrated by the following script: ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \ counters ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset save & ipset swap hash_ip3 hash_ip2 ipset destroy hash_ip3 /* will crash the machine */ Swap will exchange the values of ref so destroy will see ref = 0 instead of ref = 1. With this fix in place swap will not succeed because ipset save still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink). Both delete and swap will error out if ref_netlink != 0 on the set. Note: The changes to *_head functions is because previously we would increment ref whenever we called these functions, we don't do that anymore. Reviewed-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.28 releasedv6.28Jozsef Kadlecsik2016-03-121-0/+8
|
* netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute lengthJozsef Kadlecsik2016-03-082-1/+4
| | | | | | | | | | | | Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length was not checked explicitly, just for the maximum possible size. Malicious netlink clients could send shorter attribute and thus resulting a kernel read after the buffer. The patch adds the explicit length checkings. Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix __aligned_u64 compatibility support for older kernel releasesJozsef Kadlecsik2016-02-292-5/+1
| | | | The issue was reported by Mart Frauenlob.
* Add compatibility to support EXPORT_SYMBOL_GPL in module.hJozsef Kadlecsik2016-02-241-0/+5
| | | | Fixes netfilter bugzilla id #1008
* Fix set:list type crash when flush/dump set in parallelJozsef Kadlecsik2016-02-242-30/+28
| | | | | | | Flushing/listing entries was not RCU safe, so parallel flush/dump could lead to kernel crash. Bug reported by Deniz Eren. Fixes netfilter bugzilla id #1050.
* netfilter: nfnetlink: pass down netns pointer to call() and call_rcu()Jozsef Kadlecsik2016-02-162-48/+58
| | | | Backport patch from Pablo Neira Ayuso <pablo@netfilter.org>
* netfilter: ipset: allow a 0 netmask with hash_netiface typeFlorian Westphal2016-01-131-4/+0
| | | | | | | | | | | | | | | | | Jozsef says: The correct behaviour is that if we have ipset create test1 hash:net,iface ipset add test1 0.0.0.0/0,eth0 iptables -A INPUT -m set --match-set test1 src,src then the rule should match for any traffic coming in through eth0. This removes the -EINVAL runtime test to make matching work in case packet arrived via the specified interface. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1297092 Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>