Pablo Neira Ayuso | 26 Nov 13:18 2014

[PATCH -next] netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module

This resolves linking problems with CONFIG_IPV6=n:

net/built-in.o: In function `redirect_tg6':
xt_REDIRECT.c:(.text+0x6d021): undefined reference to `nf_nat_redirect_ipv6'

Reported-by: Andreas Ruprecht <rupran@einserver.de>
Reported-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/ipv4/nf_nat_redirect.h |    9 --
 include/net/netfilter/ipv6/nf_nat_redirect.h |    8 --
 include/net/netfilter/nf_nat_redirect.h      |   12 +++
 net/ipv4/netfilter/Kconfig                   |    6 --
 net/ipv4/netfilter/Makefile                  |    1 -
 net/ipv4/netfilter/nf_nat_redirect_ipv4.c    |   82 -----------------
 net/ipv4/netfilter/nft_redir_ipv4.c          |    2 +-
 net/ipv6/netfilter/Kconfig                   |    6 --
 net/ipv6/netfilter/Makefile                  |    1 -
 net/ipv6/netfilter/nf_nat_redirect_ipv6.c    |   75 ---------------
 net/ipv6/netfilter/nft_redir_ipv6.c          |    2 +-
 net/netfilter/Kconfig                        |   10 +-
 net/netfilter/Makefile                       |    1 +
 net/netfilter/nf_nat_redirect.c              |  127 ++++++++++++++++++++++++++
 net/netfilter/xt_REDIRECT.c                  |    3 +-
 15 files changed, 151 insertions(+), 194 deletions(-)
 delete mode 100644 include/net/netfilter/ipv4/nf_nat_redirect.h
 delete mode 100644 include/net/netfilter/ipv6/nf_nat_redirect.h
 create mode 100644 include/net/netfilter/nf_nat_redirect.h
 delete mode 100644 net/ipv4/netfilter/nf_nat_redirect_ipv4.c
 delete mode 100644 net/ipv6/netfilter/nf_nat_redirect_ipv6.c
(Continue reading)

Alvaro Neira Ayuso | 26 Nov 12:07 2014

[nft PATCH v2] evaluate: reject: fix crash on NULL location with bridge and tcp reset

If we use tcp reset with a network protocol that does not support tcp,
we display an error. This error uses the reject.expr location, which is NULL,
therefore we crash. This patch replaces it with the reject statement
to display the error like:

Rule:
 nft add bridge filter input ether type vlan reject with tcp reset
Output:
 <cmdline>:1:46-51: Error: cannot reject this ether type
 add rule bridge filter input ether type vlan reject with tcp reset
                              ~~~~~~~~~~~~~~~ ^^^^^^

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
[changes in v2]
* Enhanced title and description

 src/evaluate.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 3eeb614..00e55b7 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1277,7 +1277,7 @@ static int stmt_evaluate_reject_bridge_family(struct eval_ctx *ctx,
 		case __constant_htons(ETH_P_IPV6):
 			break;
 		default:
-			return stmt_binary_error(ctx, stmt->reject.expr,
+			return stmt_binary_error(ctx, stmt,
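Review bot: the location-bearing argument changes from `stmt->reject.expr` to `stmt` itself, which matches the description (reject.expr carries no location for this bridge rule, so dereferencing it crashed) and the expected output, where the caret now marks the reject statement; the hunk is cut off after the first line of the call, so the remaining arguments and the closing context lines are not visible for review and should be checked in the full patch.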
(Continue reading)

Alvaro Neira Ayuso | 26 Nov 10:21 2014

[PATCH nf 1/2 v4] bridge: export nft_reject_ip*hdr_validate functions

This patch exports the functions nft_reject_iphdr_validate and
nft_reject_ip6hdr_validate so they can be used in follow-up patches.
These functions check if the ethernet header is correct.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
[no changes in v4]

 include/net/netfilter/nf_tables_bridge.h |    7 ++++
 net/bridge/netfilter/nf_tables_bridge.c  |   48 +++++++++++++++++++++++++++
 net/bridge/netfilter/nft_reject_bridge.c |   52 +++---------------------------
 3 files changed, 60 insertions(+), 47 deletions(-)
 create mode 100644 include/net/netfilter/nf_tables_bridge.h

diff --git a/include/net/netfilter/nf_tables_bridge.h b/include/net/netfilter/nf_tables_bridge.h
new file mode 100644
index 0000000..511fb79
--- /dev/null
+++ b/include/net/netfilter/nf_tables_bridge.h
@@ -0,0 +1,7 @@
+#ifndef _NET_NF_TABLES_BRIDGE_H
+#define _NET_NF_TABLES_BRIDGE_H
+
+int nft_bridge_iphdr_validate(struct sk_buff *skb);
+int nft_bridge_ip6hdr_validate(struct sk_buff *skb);
+
+#endif /* _NET_NF_TABLES_BRIDGE_H */
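Review bot: the new header declares two prototypes taking `struct sk_buff *` but neither includes `<linux/skbuff.h>` nor forward-declares the type, so a file that includes it before any skbuff header gets a warning about `struct sk_buff` being declared inside a parameter list; add a `struct sk_buff;` forward declaration above the prototypes. Also, the exported names here are `nft_bridge_iphdr_validate` and `nft_bridge_ip6hdr_validate`, while the subject and description refer to `nft_reject_iphdr_validate` and `nft_reject_ip6hdr_validate`; the commit text should be updated to the names actually exported.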
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index 074c557..d468c19 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
(Continue reading)

NuSkooler | 25 Nov 22:35 2014

Custom Module for Userspace Proxy

Hello all --

I have been handed a kernel module whose purpose is to redirect all
TCP/IP traffic to a localhost proxy for inspection/modification. This
module works on various Linux systems and (our target) Android up to
version 5.0 (Lollipop).

The way the module works is a bit of a hack (I believe): a new
protocol is registered by copying IPv4's and replacing a few
functions. Packets are marked with a magic # using the SKB's 'mark' member
so as to prevent a proxy loop. At least one problem is that as of Android
5.0, the 'mark' member is being used for other purposes by the system.
Another issue is that I need to add IPv6 support and the symbols are not
exported/available to just port over the protocol hack described
above.

Before anyone asks: The reason a new module is used instead of just
using IPTables rules is mostly so we can send up additional metadata
to userspace about connections (PID, process path, etc.)

This brings me to my real question: What is the proper way (where to
hook into/etc.) to go about achieving this for IPv4 and IPv6 TCP/IP?
TL;DR, I need to:
1) Redirect new connections to a localhost proxy
2) Send additional metadata about said connections to userspace (PID,
etc.). Currently this is done via the protocol hack and using
getsockopt/setsockopt() for IPC and tuple lookups.

Another way to possibly describe what I'm attempting to achieve: The
way this is written for the Windows platform is via a WFP Connection
(Continue reading)

Alvaro Neira Ayuso | 25 Nov 14:15 2014

[PATCH nf 1/2 v3] bridge: export nft_reject_ip*hdr_validate functions

This patch exports the functions nft_reject_iphdr_validate and
nft_reject_ip6hdr_validate so they can be used in follow-up patches.
These functions check if the ethernet header is correct.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
[no changes in v3]

 include/net/netfilter/nf_tables_bridge.h |    7 ++++
 net/bridge/netfilter/nf_tables_bridge.c  |   48 +++++++++++++++++++++++++++
 net/bridge/netfilter/nft_reject_bridge.c |   52 +++---------------------------
 3 files changed, 60 insertions(+), 47 deletions(-)
 create mode 100644 include/net/netfilter/nf_tables_bridge.h

diff --git a/include/net/netfilter/nf_tables_bridge.h b/include/net/netfilter/nf_tables_bridge.h
new file mode 100644
index 0000000..511fb79
--- /dev/null
+++ b/include/net/netfilter/nf_tables_bridge.h
@@ -0,0 +1,7 @@
+#ifndef _NET_NF_TABLES_BRIDGE_H
+#define _NET_NF_TABLES_BRIDGE_H
+
+int nft_bridge_iphdr_validate(struct sk_buff *skb);
+int nft_bridge_ip6hdr_validate(struct sk_buff *skb);
+
+#endif /* _NET_NF_TABLES_BRIDGE_H */
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index 074c557..d468c19 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
(Continue reading)

Arturo Borrero Gonzalez | 25 Nov 13:53 2014

[nft] segfault, bitmask datatype without parse() function

Hi,

It seems there is a segfault in nft.

How to reproduce:

% nft add rule inet filter ct state established,related accept

==28442== Jump to the invalid address stated on the next line
==28442==    at 0x0: ???
==28442==    by 0x4099EA: symbolic_constant_parse (datatype.c:133)
==28442==    by 0x40BFD8: expr_evaluate (evaluate.c:199)
==28442==    by 0x40D524: list_member_evaluate (evaluate.c:597)
==28442==    by 0x40C25B: expr_evaluate (evaluate.c:649)
==28442==    by 0x40C103: expr_evaluate (evaluate.c:879)
==28442==    by 0x40D908: stmt_evaluate (evaluate.c:1103)
==28442==    by 0x40DF27: rule_evaluate (evaluate.c:1727)
==28442==    by 0x40E0A6: chain_evaluate (evaluate.c:1788)
==28442==    by 0x40E4CE: cmd_evaluate (evaluate.c:1807)
==28442==    by 0x423757: nft_parse (parser_bison.y:549)
==28442==    by 0x4061CC: nft_run (main.c:231)
==28442==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==28442==
==28442==
==28442== Process terminating with default action of signal 11 (SIGSEGV)
==28442==  Bad permissions for mapped region at address 0x0
==28442==    at 0x0: ???
==28442==    by 0x4099EA: symbolic_constant_parse (datatype.c:133)
==28442==    by 0x40BFD8: expr_evaluate (evaluate.c:199)
==28442==    by 0x40D524: list_member_evaluate (evaluate.c:597)
(Continue reading)

Pablo Neira Ayuso | 25 Nov 00:38 2014

[PATCH nft] src: restore nft --debug and add missing \

Add -DDEBUG to enable --debug option by default as it used to be before
the autotools conversion.

The missing \ at the end of the line causes LIBMNL_CFLAGS and
LIBNFTNL_CFLAGS to be ignored. This causes build failure if the libmnl
or libnftnl headers are not in a path that's already searched by the C
compiler. Reported by David Kozub.

Fixes: 5fa8e49 ("build: autotools conversion")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
@Daniel: Your patch clashes with mine:
http://patchwork.ozlabs.org/patch/413457/

So I have merged your change to mine. Please, feel free to post your
Acked-by / Signed-off-by and I'll append it to this patch. Thanks.

 src/Makefile.am |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index 0a67810..d53c347 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -3,7 +3,7 @@ sbin_PROGRAMS = nft
 CLEANFILES = scanner.c parser_bison.c

 AM_CPPFLAGS = -I$(top_srcdir)/include
-AM_CPPFLAGS += -DDEFAULT_INCLUDE_PATH="\"${sysconfdir}\""
+AM_CPPFLAGS += -DDEFAULT_INCLUDE_PATH="\"${sysconfdir}\"" -DDEBUG \
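Review bot: `-DDEBUG` is appended unconditionally to AM_CPPFLAGS on the changed line, so every build compiles with the debug option enabled and there is no way to turn it off from configure; if the goal is only to restore the pre-autotools default, a configure switch that defaults to on would keep it selectable. The hunk is cut off right after the changed line, so the continuation that the restored trailing `\` now joins (the LIBMNL_CFLAGS/LIBNFTNL_CFLAGS line named in the description) is not visible here.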
(Continue reading)

Pablo Neira Ayuso | 25 Nov 00:14 2014

[PATCH 1/2 nf] Revert "netfilter: conntrack: fix race in __nf_conntrack_confirm against get_next_corpse"

This reverts commit 5195c14c8b27cc0b18220ddbf0e5ad3328a04187.

If the conntrack clashes with an existing one, it is left out of
the unconfirmed list, thus crashing when dropping the packet and
releasing the conntrack.

Reported-by: Daniel Borkmann <dborkman@redhat.com>
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=88841
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
I prefer to revert the original fix and replace it by the follow up to
pass one single patch to -stable.

 net/netfilter/nf_conntrack_core.c |   14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 2c69975..5016a69 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -611,16 +611,12 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 	 */
 	NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
 	pr_debug("Confirming conntrack %p\n", ct);
-
-	/* We have to check the DYING flag after unlink to prevent
-	 * a race against nf_ct_get_next_corpse() possibly called from
-	 * user context, else we insert an already 'dead' hash, blocking
-	 * further use of that particular connection -JM.
-	 */
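Review bot: the visible part of the hunk only removes the comment that explained why the DYING flag has to be checked after the unlink; the code lines being moved back are cut off, so the restored ordering cannot be verified from what is shown. As a plain revert, this brings back the race that 5195c14c8b27 addressed, and the description leans on the follow-up (2/2) landing in the same -stable submission; naming that follow-up commit in the text would help keep the two from being separated.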
(Continue reading)

David Kozub | 24 Nov 22:17 2014

[PATCH] build: add missing \ in src/Makefile.am (AM_CPPFLAGS)

The missing \ at the end of the line causes LIBMNL_CFLAGS and LIBNFTNL_CFLAGS
to be ignored. This causes build failure if the libmnl or libnftnl headers are
not in a path that's already searched by the C compiler.
---
 src/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index 0a67810..1ca06f3 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -3,7 +3,7 @@ sbin_PROGRAMS = nft
 CLEANFILES = scanner.c parser_bison.c

 AM_CPPFLAGS = -I$(top_srcdir)/include
-AM_CPPFLAGS += -DDEFAULT_INCLUDE_PATH="\"${sysconfdir}\""
+AM_CPPFLAGS += -DDEFAULT_INCLUDE_PATH="\"${sysconfdir}\"" \
 		${LIBMNL_CFLAGS} ${LIBNFTNL_CFLAGS}

 AM_CFLAGS = -Wall								\
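Review bot: the fix is correct: with the trailing `\` on the changed line, the tab-indented `${LIBMNL_CFLAGS} ${LIBNFTNL_CFLAGS}` line becomes part of the AM_CPPFLAGS assignment rather than an orphaned line whose flags were ignored, which is exactly the failure the description reports. The description carries no Signed-off-by line, which is required before the patch can be applied; please resend with one.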
--

-- 
2.1.3


Daniel Borkmann | 24 Nov 22:15 2014

Fwd: [Bug 88841] New: Kernel crash after a few minutes

I think commit 5195c14c8b27c ("netfilter: conntrack: fix race in __nf_conntrack_confirm
against get_next_corpse") seems to be causing the issue.

-------- Original Message --------
Subject: [Bug 88841] New: Kernel crash after a few minutes
Date: Mon, 24 Nov 2014 18:03:13 +0000
From: bugzilla-daemon@bugzilla.kernel.org
To: dborkman@redhat.com

https://bugzilla.kernel.org/show_bug.cgi?id=88841

             Bug ID: 88841
            Summary: Kernel crash after a few minutes
            Product: Networking
            Version: 2.5
     Kernel Version: 3.18-rc6
           Hardware: x86-64
                 OS: Linux
               Tree: Mainline
             Status: NEW
           Severity: high
           Priority: P1
          Component: Netfilter/Iptables
           Assignee: networking_netfilter-iptables@kernel-bugs.osdl.org
           Reporter: jp.pozzi@izzop.net
         Regression: No

Created attachment 158701
   --> https://bugzilla.kernel.org/attachment.cgi?id=158701&action=edit
.config file
(Continue reading)

Jozsef Kadlecsik | 24 Nov 22:05 2014

[ANNOUNCE] ipset 6.24 released

Hi,

I'm happy to announce ipset 6.24, which includes a couple of fixes,
backports from the kernel tree and a nice performance improvement by
the introduction of RCUs at the set level instead of the rwlocks.

Userspace changes:
  - The "extra" subdirectory for kernel modules may have a full subtree
    (reported by Jesper Dangaard Brouer)
  - Add more compatibility checks to support older kernel releases
  - Make_global.am: Don't include host headers (Baruch Siach)
  - Alignment problem between 64bit kernel and 32bit userspace fixed
    (reported by Sven-Haegar Koch)
  - Add script to check libipset.map for missing symbols
  - Update libipset.map with ipset_parse_tcp_udp_port (Thomas Backlund)
  - libipset: Bump lib version and update map file (Neutron Soutmun)
  - Bash utilities updated
  - ipset: Fix hyphen used as minus sign in manpage (Neutron Soutmun)
Kernel part changes:
  - netfilter: ipset: small potential read beyond the end of buffer
    (Dan Carpenter)
  - Fix parallel resizing and listing of the same set
  - Style issues warned about by checkpatch.pl fixed
  - Introduce RCU in all set types instead of rwlock per set
    (performance tested by Jesper Dangaard Brouer)
  - Remove rbtree from hash:net,iface in order to run under RCU
  - Explicitly add padding elements to hash:net,net and hash:net,port,net
  - Allocate the proper size of memory when /0 networks are supported
  - Simplify cidr handling for hash:*net* types
  - Indicate when /0 networks are supported
(Continue reading)
