kernel/linux.git/include/net/netfilter, branch v5.13.1Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v5.13.12021-05-24T15:49:57+00:00netfilter: nf_tables: fix table flag updates2021-05-24T15:49:57+00:00Pablo Neira Ayusopablo@netfilter.org2021-05-24T15:10:18+00:00urn:sha1:179d9ba5559a756f4322583388b3213fe4e391b0
The dormant flag need to be updated from the preparation phase,
otherwise, two consecutive requests to dorm a table in the same batch
might try to remove the same hooks twice, resulting in the following
warning:
hook not found, pf 3 num 0
WARNING: CPU: 0 PID: 334 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480
Modules linked in:
CPU: 0 PID: 334 Comm: kworker/u4:5 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:__nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480
This patch is a partial revert of 0ce7cf4127f1 ("netfilter: nftables:
update table flags from the commit phase") to restore the previous
behaviour.
However, there is still another problem: A batch containing a series of
dorm-wakeup-dorm table and vice-versa also trigger the warning above
since hook unregistration happens from the preparation phase, while hook
registration occurs from the commit phase.
To fix this problem, this patch adds two internal flags to annotate the
original dormant flag status which are __NFT_TABLE_F_WAS_DORMANT and
__NFT_TABLE_F_WAS_AWAKEN, to restore it from the abort path.
The __NFT_TABLE_F_UPDATE bitmask allows to handle the dormant flag update
with one single transaction.
Reported-by: syzbot+7ad5cd1615f2d89c6e7e@syzkaller.appspotmail.com
Fixes: 0ce7cf4127f1 ("netfilter: nftables: update table flags from the commit phase")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: flowtable: Remove redundant hw refresh bit2021-05-13T23:34:26+00:00Roi Dayanroid@nvidia.com2021-05-10T11:50:24+00:00urn:sha1:c07531c01d8284aedaf95708ea90e76d11af0e21
Offloading conns could fail for multiple reasons and a hw refresh bit is
set to try to reoffload it in next sw packet.
But it could be in some cases and future points that the hw refresh bit
is not set but a refresh could succeed.
Remove the hw refresh bit and do offload refresh if requested.
There won't be a new work entry if a work is already pending
anyway as there is the hw pending bit.
Fixes: 8b3646d6e0c4 ("net/sched: act_ct: Support refreshing the flow table entries")
Signed-off-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nftables: add catch-all set element support2021-04-27T16:06:29+00:00Pablo Neira Ayusopablo@netfilter.org2021-04-27T16:05:55+00:00urn:sha1:aaa31047a6d25da0fa101da1ed544e1247949b40
This patch extends the set infrastructure to add a special catch-all set
element. If the lookup fails to find an element (or range) in the set,
then the catch-all element is selected. Users can specify a mapping,
expression(s) and timeout to be attached to the catch-all element.
This patch adds a catchall list to the set, this list might contain more
than one single catch-all element (e.g. in case that the catch-all
element is removed and a new one is added in the same transaction).
However, most of the time, there will be either one element or no
elements at all in this list.
The catch-all element is identified via NFT_SET_ELEM_CATCHALL flag and
such special element has no NFTA_SET_ELEM_KEY attribute. There is a new
nft_set_elem_catchall object that stores a reference to the dummy
catch-all element (catchall->elem) whose layout is the same of the set
element type to reuse the existing set element codebase.
The set size does not apply to the catch-all element, users can define a
catch-all element even if the set is full.
The check for valid set element flags hava been updates to report
EOPNOTSUPP in case userspace requests flags that are not supported when
using new userspace nftables and old kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nftables: add nft_pernet() helper function2021-04-26T01:58:17+00:00Pablo Neira Ayusopablo@netfilter.org2021-04-22T22:17:08+00:00urn:sha1:d59d2f82f984df44b31c5d7837fc2f62268b7571
Consolidate call to net_generic(net, nf_tables_net_id) in this
wrapper function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: disable defrag once its no longer needed2021-04-26T01:20:07+00:00Florian Westphalfw@strlen.de2021-04-21T07:45:40+00:00urn:sha1:de8c12110a130337c8e7e7b8250de0580e644dee
When I changed defrag hooks to no longer get registered by default I
intentionally made it so that registration can only be un-done by unloading
the nf_defrag_ipv4/6 module.
In hindsight this was too conservative; there is no reason to keep defrag
on while there is no feature dependency anymore.
Moreover, this won't work if user isn't allowed to remove nf_defrag module.
This adds the disable() functions for both ipv4 and ipv6 and calls them
from conntrack, TPROXY and the xtables socket module.
ipvs isn't converted here, it will behave as before this patch and
will need module removal.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nat: move nf_xfrm_me_harder to where it is used2021-04-26T01:20:07+00:00Florian Westphalfw@strlen.de2021-04-19T16:16:49+00:00urn:sha1:885e8c68247cc2a9f1761a3d66fd274247a0faaf
remove the export and make it static.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nftables: counter hardware offload support2021-04-18T20:04:49+00:00Pablo Neira Ayusopablo@netfilter.org2021-04-15T18:10:18+00:00urn:sha1:b72920f6e4a9d6607b723d69b7f412c829769c75
This patch adds the .offload_stats operation to synchronize hardware
stats with the expression data. Update the counter expression to use
this new interface. The hardware stats are retrieved from the netlink
dump path via FLOW_CLS_STATS command to the driver.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nftables_offload: VLAN id needs host byteorder in flow dissector2021-04-18T20:02:21+00:00Pablo Neira Ayusopablo@netfilter.org2021-04-12T12:20:15+00:00urn:sha1:ff4d90a89d3d4d9814e0a2696509a7d495be4163
The flow dissector representation expects the VLAN id in host byteorder.
Add the NFT_OFFLOAD_F_NETWORK2HOST flag to swap the bytes from nft_cmp.
Fixes: a82055af5959 ("netfilter: nft_payload: add VLAN offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_payload: fix C-VLAN offload support2021-04-18T20:02:21+00:00Pablo Neira Ayusopablo@netfilter.org2021-04-12T12:11:39+00:00urn:sha1:14c20643ef9457679cc6934d77adc24296505214
- add another struct flow_dissector_key_vlan for C-VLAN
- update layer 3 dependency to allow to match on IPv4/IPv6
Fixes: 89d8fd44abfb ("netfilter: nft_payload: add C-VLAN offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: flowtable: Add FLOW_OFFLOAD_XMIT_UNSPEC xmit type2021-04-13T11:47:00+00:00Roi Dayanroid@nvidia.com2021-04-13T08:06:05+00:00urn:sha1:78ed0a9bc6db76f8e5f5f4cb0d2b2f0d1bb21b24
It could be xmit type was not set and would default to FLOW_OFFLOAD_XMIT_NEIGH
and in this type the gc expect to have a route info.
Fix that by adding FLOW_OFFLOAD_XMIT_UNSPEC which defaults to 0.
Fixes: 8b9229d15877 ("netfilter: flowtable: dst_check() from garbage collector path")
Signed-off-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>