Vishwanath Pai [Thu, 17 Aug 2017 05:23:55 +0000 (01:23 -0400)]
netfilter: ipset: ipset list may return wrong member count for set with timeout
Simple testcase:
$ ipset create test hash:ip timeout 5
$ ipset add test 1.2.3.4
$ ipset add test 1.2.2.2
$ sleep 5
$ ipset l
Name: test
Type: hash:ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 5
Size in memory: 296
References: 0
Number of entries: 2
Members:
We return "Number of entries: 2" but no members are listed. That is
because mtype_list runs "ip_set_timeout_expired" and does not list the
expired entries, but set->elements is never upated (until mtype_gc
cleans it up later).
Reviewed-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com>
The prefixlen maps used here are identical, and have been since
introduction. It seems to make sense to use a single large map,
that the preprocessor will fill appropriately.
simran singhal [Tue, 21 Mar 2017 12:19:53 +0000 (17:49 +0530)]
netfilter: ipset: Remove unnecessary cast on void pointer
The following Coccinelle script was used to detect this:
@r@
expression x;
void* e;
type T;
identifier f;
@@
(
*((T *)e)
|
((T *)x)[...]
|
((T*)x)->f
|
Jozsef Kadlecsik [Sun, 12 Mar 2017 17:27:45 +0000 (18:27 +0100)]
Fix possible truncated output in ipset output buffer handling
Omri Bahumi and Yoni Lavi discovered that due to the inproper
handling of the ipset output buffer, the output may be truncated.
So for example in an "ipset save" output, instead of 192.168.0.0/24,
just 192.168.0.0 printed. If one use "ipset save" and then "ipset restore"
to restore the sets, this may lead to wrong firewall rules at the end.
Jozsef Kadlecsik [Thu, 16 Feb 2017 19:47:30 +0000 (20:47 +0100)]
Fix bug: sometimes valid entries in hash:* types of sets were evicted
Wrong index was used and therefore when shrinking a hash bucket at
deleting an entry, valid entries could be evicted as well.
Thanks to Eric Ewanco for the thorough bugreport.
net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in function 'hash_ipmac4_data_list' with return type bool
net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in function 'hash_ipmac6_data_list' with return type bool
Return statements in functions returning bool should use
true/false instead of 1/0.
Generated by: scripts/coccinelle/misc/boolreturn.cocci
Elad Raz [Thu, 13 Oct 2016 18:52:54 +0000 (20:52 +0200)]
netfilter: ipset: Fixing unnamed union init
In continue to proposed Vinson Lee's post [1], this patch fixes compilation
issues founded at gcc 4.4.7. The initialization of .cidr field of unnamed
unions causes compilation error in gcc 4.4.x.
Jiri Pirko [Tue, 11 Oct 2016 20:09:08 +0000 (22:09 +0200)]
net: sched: fix skb->protocol use in case of accelerated vlan path
tc code implicitly considers skb->protocol even in case of accelerated
vlan paths and expects vlan protocol type here. However, on rx path,
if the vlan header was already stripped, skb->protocol contains value
of next header. Similar situation is on tx path.
So for skbs that use skb->vlan_tci for tagging, use skb->vlan_proto instead.
Reported-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Jiri Pirko <jiri@resnulli.us> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Neutron Soutmun [Thu, 23 Jun 2016 10:22:11 +0000 (17:22 +0700)]
ipset: Backports for the nla_put_net64() API changes
* Backports the patch "libnl: nla_put_net64():align on a 64-bit area" [1]
by Nicolas Dichtel <nicolas.dichtel@6wind.com>
* Since the nla_put_net64() API has been changed, therefore, the
ip_set_compat.h.in should provides the macro IPSET_NLA_PUT_NET64 that
point to the nla_put_net64() with appropriate number of arguments.
The build script should distinguish the API changes by detect for
the existence of nla_put_64bit() function in include/net/netlink.h.
This function was added in the same patches set and called by
the nla_put_be64() that called by nla_put_net64() respectively.
netfilter: ipset: use setup_timer() and mod_timer().
Use setup_timer() and instead of init_timer(), being the preferred way
of setting up a timer.
Also, quoting the mod_timer() function comment:
-> mod_timer() is a more efficient way to update the expire field of an
active timer (if the timer is inactive it will be activated).
Use setup_timer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: use setup_timer() and mod_timer().
Use setup_timer() and instead of init_timer(), being the preferred way
of setting up a timer.
Also, quoting the mod_timer() function comment:
-> mod_timer() is a more efficient way to update the expire field of an
active timer (if the timer is inactive it will be activated).
Use setup_timer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: use setup_timer() and mod_timer().
Use setup_timer() and instead of init_timer(), being the preferred way
of setting up a timer.
Also, quoting the mod_timer() function comment:
-> mod_timer() is a more efficient way to update the expire field of an
active timer (if the timer is inactive it will be activated).
Use setup_timer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Vishwanath Pai [Wed, 16 Mar 2016 08:03:30 +0000 (09:03 +0100)]
netfilter: ipset: fix race condition in ipset save, swap and delete
This fix adds a new reference counter (ref_netlink) for the struct ip_set.
The other reference counter (ref) can be swapped out by ip_set_swap and we
need a separate counter to keep track of references for netlink events
like dump. Using the same ref counter for dump causes a race condition
which can be demonstrated by the following script:
ipset swap hash_ip3 hash_ip2
ipset destroy hash_ip3 /* will crash the machine */
Swap will exchange the values of ref so destroy will see ref = 0 instead of
ref = 1. With this fix in place swap will not succeed because ipset save
still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink).
Both delete and swap will error out if ref_netlink != 0 on the set.
Note: The changes to *_head functions is because previously we would
increment ref whenever we called these functions, we don't do that
anymore.
Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
was not checked explicitly, just for the maximum possible size. Malicious
netlink clients could send shorter attribute and thus resulting a kernel
read after the buffer.
The patch adds the explicit length checkings.
Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Florian Westphal [Tue, 12 Jan 2016 16:07:05 +0000 (17:07 +0100)]
netfilter: ipset: allow a 0 netmask with hash_netiface type
Jozsef says:
The correct behaviour is that if we have
ipset create test1 hash:net,iface
ipset add test1 0.0.0.0/0,eth0
iptables -A INPUT -m set --match-set test1 src,src
then the rule should match for any traffic coming in through eth0.
This removes the -EINVAL runtime test to make matching work
in case packet arrived via the specified interface.
Olivier Blin [Wed, 6 Jan 2016 23:21:09 +0000 (00:21 +0100)]
Fix link with libtool >= 2.4.4
As of libtool-2.4.4, -ldl is no longer prepended to LIBS.
Since types.c needs dlopen() and dlerror(), use LIBADD_DLOPEN, as
suggested in libtool-2.4.4 release notes.
Incorrect index was used when the data blob was shrinked at expiration,
which could lead to falsely expired entries and memory leak when
the comment extension was used too.
The data extensions in ipset lacked the proper memory alignment and
thus could lead to kernel crash on several architectures. Therefore
the structures have been reorganized and alignment attributes added
where needed. The patch was tested on armv7h by Gerhard Wiesinger and
on x86_64, sparc64 by Jozsef Kadlecsik.
Reported-by: Gerhard Wiesinger <lists@wiesinger.com> Tested-by: Gerhard Wiesinger <lists@wiesinger.com> Tested-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Nikolay Borisov [Fri, 16 Oct 2015 06:40:28 +0000 (09:40 +0300)]
netfilter: ipset: Fix sleeping memory allocation in atomic context
Commit 00590fdd5be0 introduced RCU locking in list type and in
doing so introduced a memory allocation in list_set_add, which
is done in an atomic context, due to the fact that ipset rcu
list modifications are serialised with a spin lock. The reason
why we can't use a mutex is that in addition to modifying the
list with ipset commands, it's also being modified when a
particular ipset rule timeout expires aka garbage collection.
This gc is triggered from set_cleanup_entries, which in turn
is invoked from a timer thus requiring the lock to be bh-safe.
Concretely the following call chain can lead to "sleeping function
called in atomic context" splat:
call_ad -> list_set_uadt -> list_set_uadd -> kzalloc(, GFP_KERNEL).
And since GFP_KERNEL allows initiating direct reclaim thus
potentially sleeping in the allocation path.
To fix the issue change the allocation type to GFP_ATOMIC, to
correctly reflect that it is occuring in an atomic context.
Fixes: 00590fdd5be0 ("netfilter: ipset: Introduce RCU locking in list type") Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Nikolay Borisov <kernel@kyup.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Jozsef Kadlecsik [Fri, 26 Jun 2015 09:05:54 +0000 (11:05 +0200)]
Make NLEN compile time constant for hash types
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h
and the only place where NLEN needed to be calculated at runtime
is *_create() method.
Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.
Jozsef Kadlecsik [Fri, 26 Jun 2015 07:40:14 +0000 (09:40 +0200)]
Count non-static extension memory into the set memory size for userspace
Non-static (i.e. comment) extension was not counted into the memory
size. A new internal counter is introduced for this. In the case of
the hash types the sizes of the arrays are counted there as well so
that we can avoid to scan the whole set when just the header data
is requested.
Andrew Morton [Thu, 25 Jun 2015 09:15:39 +0000 (11:15 +0200)]
net/netfilter/ipset: work around gcc-4.4.4 initializer bug
gcc-4.4.4 (at least) isn't able to handle the mixture of anonymous unions
and declaration-time intializers. Work around this.
net/netfilter/ipset/ip_set_hash_netnet.c: In function 'hash_netnet4_uadt':
net/netfilter/ipset/ip_set_hash_netnet.c:163: error: unknown field 'cidr' specified in initializer
net/netfilter/ipset/ip_set_hash_netnet.c:163: warning: missing braces around initializer
net/netfilter/ipset/ip_set_hash_netnet.c:163: warning: (near initialization for 'e.<anonymous>.ip')
...
Fixes: ea53ac5b630e813ae ("netfilter: ipset: Add hash:net,net module to kernel.) Cc: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
projects / ipset / log