linux.git/net/netfilter/nft_socket.c, branch v5.19 Linux kernel source tree netfilter: nft_socket: only do sk lookups when indev is available 2022-04-28T14:15:23+00:00 Florian Westphal fw@strlen.de 2022-04-28T07:39:21+00:00 743b83f15d4069ea57c3e40996bf4a1077e0cdc1 Check if the incoming interface is available and NFT_BREAK in case neither skb->sk nor input device are set. Because nf_sk_lookup_slow*() assume packet headers are in the 'in' direction, use in postrouting is not going to yield a meaningful result. Same is true for the forward chain, so restrict the use to prerouting, input and output. Use in output work if a socket is already attached to the skb. Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching") Reported-and-tested-by: Topi Miettinen <toiwoton@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Check if the incoming interface is available and NFT_BREAK
in case neither skb->sk nor input device are set.

Because nf_sk_lookup_slow*() assume packet headers are in the
'in' direction, use in postrouting is not going to yield a meaningful
result.  Same is true for the forward chain, so restrict the use
to prerouting, input and output.

Use in output work if a socket is already attached to the skb.

Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
Reported-and-tested-by: Topi Miettinen <toiwoton@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_socket: make cgroup match work in input too 2022-04-11T10:12:46+00:00 Florian Westphal fw@strlen.de 2022-04-09T11:20:19+00:00 05ae2fba821c4d122ab4ba3e52144e21586c4010 cgroupv2 helper function ignores the already-looked up sk and uses skb->sk instead. Just pass sk from the calling function instead; this will make cgroup matching work for udp and tcp in input even when edemux did not set skb->sk already. Fixes: e0bb96db96f8 ("netfilter: nft_socket: add support for cgroupsv2") Signed-off-by: Florian Westphal <fw@strlen.de> Tested-by: Topi Miettinen <toiwoton@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
cgroupv2 helper function ignores the already-looked up sk
and uses skb->sk instead.

Just pass sk from the calling function instead; this will
make cgroup matching work for udp and tcp in input even when
edemux did not set skb->sk already.

Fixes: e0bb96db96f8 ("netfilter: nft_socket: add support for cgroupsv2")
Signed-off-by: Florian Westphal <fw@strlen.de>
Tested-by: Topi Miettinen <toiwoton@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_socket: track register operations 2022-03-19T23:29:47+00:00 Pablo Neira Ayuso pablo@netfilter.org 2022-03-14T17:23:09+00:00 d77a721d212d48e2ff62334e00cc4cfcad751ff5 Check if the destination register already contains the data that this socket expression performs. This allows to skip this redundant operation. If the destination contains a different selector, update the register tracking information. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Check if the destination register already contains the data that this
socket expression performs. This allows to skip this redundant
operation.  If the destination contains a different selector, update the
register tracking information.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_socket: fix build with CONFIG_SOCK_CGROUP_DATA=n 2021-04-27T20:34:05+00:00 Arnd Bergmann arnd@arndb.de 2021-04-27T19:45:19+00:00 7acc0bb490c85012bcbda142b6755fd1fdf1fba1 In some configurations, the sock_cgroup_ptr() function is not available: net/netfilter/nft_socket.c: In function 'nft_sock_get_eval_cgroupv2': net/netfilter/nft_socket.c:47:16: error: implicit declaration of function 'sock_cgroup_ptr'; did you mean 'obj_cgroup_put'? [-Werror=implicit-function-declaration] 47 | cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data); | ^~~~~~~~~~~~~~~ | obj_cgroup_put net/netfilter/nft_socket.c:47:14: error: assignment to 'struct cgroup *' from 'int' makes pointer from integer without a cast [-Werror=int-conversion] 47 | cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data); | ^ Change the caller to match the same #ifdef check, only calling it when the function is defined. Fixes: e0bb96db96f8 ("netfilter: nft_socket: add support for cgroupsv2") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
In some configurations, the sock_cgroup_ptr() function is not available:

net/netfilter/nft_socket.c: In function 'nft_sock_get_eval_cgroupv2':
net/netfilter/nft_socket.c:47:16: error: implicit declaration of function 'sock_cgroup_ptr'; did you mean 'obj_cgroup_put'? [-Werror=implicit-function-declaration]
   47 |         cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
      |                ^~~~~~~~~~~~~~~
      |                obj_cgroup_put
net/netfilter/nft_socket.c:47:14: error: assignment to 'struct cgroup *' from 'int' makes pointer from integer without a cast [-Werror=int-conversion]
   47 |         cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
      |              ^

Change the caller to match the same #ifdef check, only calling it
when the function is defined.

Fixes: e0bb96db96f8 ("netfilter: nft_socket: add support for cgroupsv2")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_socket: fix an unused variable warning 2021-04-27T20:34:00+00:00 Arnd Bergmann arnd@arndb.de 2021-04-27T19:45:18+00:00 8a7363f8497900e33d4ac391315e8a8d53a03d89 The variable is only used in an #ifdef, causing a harmless warning: net/netfilter/nft_socket.c: In function 'nft_socket_init': net/netfilter/nft_socket.c:137:27: error: unused variable 'level' [-Werror=unused-variable] 137 | unsigned int len, level; | ^~~~~ Move it into the same #ifdef block. Fixes: e0bb96db96f8 ("netfilter: nft_socket: add support for cgroupsv2") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
The variable is only used in an #ifdef, causing a harmless warning:

net/netfilter/nft_socket.c: In function 'nft_socket_init':
net/netfilter/nft_socket.c:137:27: error: unused variable 'level' [-Werror=unused-variable]
  137 |         unsigned int len, level;
      |                           ^~~~~

Move it into the same #ifdef block.

Fixes: e0bb96db96f8 ("netfilter: nft_socket: add support for cgroupsv2")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_socket: add support for cgroupsv2 2021-04-26T01:20:07+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-04-20T23:12:44+00:00 e0bb96db96f8ca94349344a2ea7bebc6f8cefdae Allow to match on the cgroupsv2 id from ancestor level. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Allow to match on the cgroupsv2 id from ancestor level.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27T22:16:02+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-01-25T17:27:22+00:00 345023b0db315648ccc3c1a36aee88304a8b4d91 This new function combines the netlink register attribute parser and the store validation function. This update requires to replace: enum nft_registers dreg:8; in many of the expression private areas otherwise compiler complains with: error: cannot take address of bit-field ‘dreg’ when passing the register field as reference. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This new function combines the netlink register attribute parser
and the store validation function.

This update requires to replace:

        enum nft_registers      dreg:8;

in many of the expression private areas otherwise compiler complains
with:

        error: cannot take address of bit-field ‘dreg’

when passing the register field as reference.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_socket: add wildcard support 2020-08-29T11:04:44+00:00 Balazs Scheidler bazsi77@gmail.com 2020-08-29T06:19:15+00:00 67407a406db337acdaabecd3747d160d89a929e4 Add NFT_SOCKET_WILDCARD to match to wildcard socket listener. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Add NFT_SOCKET_WILDCARD to match to wildcard socket listener.

Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_socket: fix erroneous socket assignment 2019-09-02T21:20:59+00:00 Fernando Fernandez Mancera ffmancera@riseup.net 2019-09-01T09:48:08+00:00 039b1f4f24ecc8493b6bb9d70b4b78750d1b35c2 The socket assignment is wrong, see skb_orphan(): When skb->destructor callback is not set, but skb->sk is set, this hits BUG(). Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813 Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
The socket assignment is wrong, see skb_orphan():
When skb->destructor callback is not set, but skb->sk is set, this hits BUG().

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1651813
Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_socket: Expose socket mark 2018-07-18T09:26:52+00:00 Máté Eckl ecklm94@gmail.com 2018-07-12T15:48:06+00:00 7d25f8851a2c03319bfa8e56bb40bde2c4621392 Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>