
Commit 2ba7e7e

author
Paolo Abeni
committed
Merge tag 'nf-23-06-21' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says: ==================== Netfilter/IPVS fixes for net This is v3, including a crash fix for patch 01/14. The following patchset contains Netfilter/IPVS fixes for net: 1) Fix UDP segmentation with IPVS tunneled traffic, from Terin Stock. 2) Fix chain binding transaction logic, add a bound flag to rule transactions. Remove incorrect logic in nft_data_hold() and nft_data_release(). 3) Add a NFT_TRANS_PREPARE_ERROR deactivate state to deal with releasing the set/chain as a follow-up to 1240eb9 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE") 4) Drop map element references from the preparation phase instead of the set destroy path, otherwise a bogus EBUSY results from transactions such as: flush chain ip x y delete chain ip x w where chain ip x y contains jump/goto from set elements. 5) Pipapo set type does not regard the generation mask from the walk iteration. 6) Fix reference count underflow in set element reference to stateful object. 7) Several patches to tighten the nf_tables API: - disallow set element updates of bound anonymous set - disallow unbound anonymous set/chain at the end of transaction. - disallow updates of anonymous set. - disallow timeout configuration for anonymous sets. 8) Fix module reference leak in chain updates. 9) Fix nfnetlink_osf module autoload. 10) Fix deletion of basechain when NFTA_CHAIN_HOOK is specified as in iptables-nft. This Netfilter batch is larger than usual at this stage; I am aware we are fairly late in the -rc cycle. If you prefer to route them through net-next, please let me know. 
netfilter pull request 23-06-21 * tag 'nf-23-06-21' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables: Fix for deleting base chains with payload netfilter: nfnetlink_osf: fix module autoload netfilter: nf_tables: drop module reference after updating chain netfilter: nf_tables: disallow timeout for anonymous sets netfilter: nf_tables: disallow updates of anonymous sets netfilter: nf_tables: reject unbound chain set before commit phase netfilter: nf_tables: reject unbound anonymous set before commit phase netfilter: nf_tables: disallow element updates of bound anonymous sets netfilter: nf_tables: fix underflow in object reference counter netfilter: nft_set_pipapo: .walk does not deal with generations netfilter: nf_tables: drop map element references from preparation phase netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain netfilter: nf_tables: fix chain binding transaction logic ipvs: align inner_mac_header for encapsulation ==================== Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Paolo Abeni <[email protected]>
2 parents a9628e8 + 42e344f commit 2ba7e7e

10 files changed

+446
-98
lines changed


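--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -472,7 +472,8 @@ struct nft_set_ops {
 int (*init)(const struct nft_set *set,
 const struct nft_set_desc *desc,
 const struct nlattr * const nla[]);
-void (*destroy)(const struct nft_set *set);
+void (*destroy)(const struct nft_ctx *ctx,
+const struct nft_set *set);
 void (*gc_init)(const struct nft_set *set);
 
 unsigned int elemsize;
@@ -809,6 +810,8 @@ int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
 struct nft_expr *expr_array[]);
 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
 bool destroy_expr);
+void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
+const struct nft_set *set, void *elem);
 
 /**
 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch
@@ -901,6 +904,7 @@ struct nft_expr_type {
 
 enum nft_trans_phase {
 NFT_TRANS_PREPARE,
+NFT_TRANS_PREPARE_ERROR,
 NFT_TRANS_ABORT,
 NFT_TRANS_COMMIT,
 NFT_TRANS_RELEASE
@@ -1009,7 +1013,10 @@ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
 return (void *)&rule->data[rule->dlen];
 }
 
-void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule);
+void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule);
+void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
+enum nft_trans_phase phase);
+void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule);
 
 static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
 struct nft_regs *regs,
@@ -1104,6 +1111,8 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
 const struct nft_set_iter *iter,
 struct nft_set_elem *elem);
 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set);
+int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
+void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
 
 enum nft_chain_types {
 NFT_CHAIN_T_DEFAULT = 0,
@@ -1140,11 +1149,17 @@ int nft_chain_validate_dependency(const struct nft_chain *chain,
 int nft_chain_validate_hooks(const struct nft_chain *chain,
 unsigned int hook_flags);
 
+static inline bool nft_chain_binding(const struct nft_chain *chain)
+{
+return chain->flags & NFT_CHAIN_BINDING;
+}
+
 static inline bool nft_chain_is_bound(struct nft_chain *chain)
 {
 return (chain->flags & NFT_CHAIN_BINDING) && chain->bound;
 }
 
+int nft_chain_add(struct nft_table *table, struct nft_chain *chain);
 void nft_chain_del(struct nft_chain *chain);
 void nf_tables_chain_destroy(struct nft_ctx *ctx);
 
@@ -1558,13 +1573,15 @@ static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
 * struct nft_trans - nf_tables object update in transaction
 *
 * @list: used internally
+* @binding_list: list of objects with possible bindings
 * @msg_type: message type
 * @put_net: ctx->net needs to be put
 * @ctx: transaction context
 * @data: internal information related to the transaction
 */
 struct nft_trans {
 struct list_head list;
+struct list_head binding_list;
 int msg_type;
 bool put_net;
 struct nft_ctx ctx;
@@ -1575,6 +1592,7 @@ struct nft_trans_rule {
 struct nft_rule *rule;
 struct nft_flow_rule *flow;
 u32 rule_id;
+bool bound;
 };
 
 #define nft_trans_rule(trans) \
@@ -1583,6 +1601,8 @@ struct nft_trans_rule {
 (((struct nft_trans_rule *)trans->data)->flow)
 #define nft_trans_rule_id(trans) \
 (((struct nft_trans_rule *)trans->data)->rule_id)
+#define nft_trans_rule_bound(trans) \
+(((struct nft_trans_rule *)trans->data)->bound)
 
 struct nft_trans_set {
 struct nft_set *set;
@@ -1607,15 +1627,19 @@ struct nft_trans_set {
 (((struct nft_trans_set *)trans->data)->gc_int)
 
 struct nft_trans_chain {
+struct nft_chain *chain;
 bool update;
 char *name;
 struct nft_stats __percpu *stats;
 u8 policy;
+bool bound;
 u32 chain_id;
 struct nft_base_chain *basechain;
 struct list_head hook_list;
 };
 
+#define nft_trans_chain(trans) \
+(((struct nft_trans_chain *)trans->data)->chain)
 #define nft_trans_chain_update(trans) \
 (((struct nft_trans_chain *)trans->data)->update)
 #define nft_trans_chain_name(trans) \
@@ -1624,6 +1648,8 @@ struct nft_trans_chain {
 (((struct nft_trans_chain *)trans->data)->stats)
 #define nft_trans_chain_policy(trans) \
 (((struct nft_trans_chain *)trans->data)->policy)
+#define nft_trans_chain_bound(trans) \
+(((struct nft_trans_chain *)trans->data)->bound)
 #define nft_trans_chain_id(trans) \
 (((struct nft_trans_chain *)trans->data)->chain_id)
 #define nft_trans_basechain(trans) \
@@ -1700,6 +1726,7 @@ static inline int nft_request_module(struct net *net, const char *fmt, ...) { re
 struct nftables_pernet {
 struct list_head tables;
 struct list_head commit_list;
+struct list_head binding_list;
 struct list_head module_list;
 struct list_head notify_list;
 struct mutex commit_mutex;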
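Review bot: The new `nft_chain_binding()` helper in the `@@ -1140` hunk takes `const struct nft_chain *`, but the neighbouring `nft_chain_is_bound()` still takes a non-const pointer even though it only reads `chain->flags` and `chain->bound`; `static inline bool nft_chain_is_bound(const struct nft_chain *chain)` would let both helpers be used from the same const contexts and avoids casts at const call sites. The new `NFT_TRANS_PREPARE_ERROR` phase, the `bound` fields added to `struct nft_trans_rule` and `struct nft_trans_chain`, and `nftables_pernet.binding_list` are all undocumented, while `struct nft_trans` did receive a `@binding_list` kernel-doc entry; a one-line comment on each, along the lines of `/* object was bound to a rule within this transaction; abort must not release it again */`, would record the invariant the new flags protect. I infer that intent from the merge description and the field names, so the exact wording should be confirmed against the users in net/netfilter/nf_tables_api.c, which is outside this section.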

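--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -1207,6 +1207,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 skb->transport_header = skb->network_header;
 
 skb_set_inner_ipproto(skb, next_protocol);
+skb_set_inner_mac_header(skb, skb_inner_network_offset(skb));
 
 if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) {
 bool check = false;
@@ -1349,6 +1350,7 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
 skb->transport_header = skb->network_header;
 
 skb_set_inner_ipproto(skb, next_protocol);
+skb_set_inner_mac_header(skb, skb_inner_network_offset(skb));
 
 if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) {
 bool check = false;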
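Review bot: The new `skb_set_inner_mac_header()` call in `ip_vs_tunnel_xmit()`, and the identical one in `ip_vs_tunnel_xmit_v6()`, has no comment saying why the inner MAC header must be pinned to the inner network offset; placed directly after `skb_set_inner_ipproto()` it reads as redundant, and a later cleanup could drop it. A short comment such as `/* segmentation of the encapsulated payload relies on a valid inner MAC header offset */` would record the intent; I only infer the consumer from the merge description ("Fix UDP segmentation with IPVS tunneled traffic"), so confirm the wording against the GSO path. Both enclosing functions start and end outside the hunks, so I cannot tell from here whether any other exit path in them builds the outer header without passing through this line.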
