linux.git/net/netfilter, branch v3.16-rc5 Linux kernel source tree netfilter: nf_nat: fix oops on netns removal 2014-06-16T11:58:54+00:00 Florian Westphal fw@strlen.de 2014-06-07T19:17:04+00:00 945b2b2d259d1a4364a2799e80e8ff32f8c6ee6f Quoting Samu Kallio: Basically what's happening is, during netns cleanup, nf_nat_net_exit gets called before ipv4_net_exit. As I understand it, nf_nat_net_exit is supposed to kill any conntrack entries which have NAT context (through nf_ct_iterate_cleanup), but for some reason this doesn't happen (perhaps something else is still holding refs to those entries?). When ipv4_net_exit is called, conntrack entries (including those with NAT context) are cleaned up, but the nat_bysource hashtable is long gone - freed in nf_nat_net_exit. The bug happens when attempting to free a conntrack entry whose NAT hash 'prev' field points to a slot in the freed hash table (head for that bin). We ignore conntracks with null nat bindings. But this is wrong, as these are in bysource hash table as well. Restore nat-cleaning for the netns-is-being-removed case. bug: https://bugzilla.kernel.org/show_bug.cgi?id=65191 Fixes: c2d421e1718 ('netfilter: nf_nat: fix race when unloading protocol modules') Reported-by: Samu Kallio <samu.kallio@aberdeencloud.com> Debugged-by: Samu Kallio <samu.kallio@aberdeencloud.com> Signed-off-by: Florian Westphal <fw@strlen.de> Tested-by: Samu Kallio <samu.kallio@aberdeencloud.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Quoting Samu Kallio:

 Basically what's happening is, during netns cleanup,
 nf_nat_net_exit gets called before ipv4_net_exit. As I understand
 it, nf_nat_net_exit is supposed to kill any conntrack entries which
 have NAT context (through nf_ct_iterate_cleanup), but for some
 reason this doesn't happen (perhaps something else is still holding
 refs to those entries?).

 When ipv4_net_exit is called, conntrack entries (including those
 with NAT context) are cleaned up, but the
 nat_bysource hashtable is long gone - freed in nf_nat_net_exit. The
 bug happens when attempting to free a conntrack entry whose NAT hash
 'prev' field points to a slot in the freed hash table (head for that
 bin).

We ignore conntracks with null nat bindings.  But this is wrong,
as these are in bysource hash table as well.

Restore nat-cleaning for the netns-is-being-removed case.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=65191

Fixes: c2d421e1718 ('netfilter: nf_nat: fix race when unloading protocol modules')
Reported-by: Samu Kallio <samu.kallio@aberdeencloud.com>
Debugged-by: Samu Kallio <samu.kallio@aberdeencloud.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Tested-by: Samu Kallio <samu.kallio@aberdeencloud.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ctnetlink: add zone size to length 2014-06-16T11:53:03+00:00 Ken-ichirou MATSUZAWA chamas@h4.dion.ne.jp 2014-06-16T11:52:34+00:00 4a001068d790366bbf64ee927a363f752abafa71 Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge branch 'ipvs' 2014-06-16T11:22:33+00:00 Pablo Neira Ayuso pablo@netfilter.org 2014-06-16T11:20:39+00:00 98ca74f4d5b44e58d926a38ae160f1ff9573687e Simon Horman says: ==================== Fix for panic due use of tot_stats estimator outside of CONFIG_SYSCTL It has been present since v3.6.39. ==================== Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Simon Horman says:

====================
Fix for panic due use of tot_stats estimator outside of CONFIG_SYSCTL

It has been present since v3.6.39.
====================

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_nat: don't dump port information if unset 2014-06-16T11:08:14+00:00 Pablo Neira Ayuso pablo@netfilter.org 2014-06-13T11:45:38+00:00 915136065b7ca75af4cae06281e4dc43926edbfe Don't include port information attributes if they are unset. Reported-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Don't include port information attributes if they are unset.

Reported-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: indicate family when dumping set elements 2014-06-16T11:08:09+00:00 Pablo Neira Ayuso pablo@netfilter.org 2014-06-11T17:05:28+00:00 6403d96254c7c44fdfa163248b1198c714c65f6a Set the nfnetlink header that indicates the family of this element. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Set the nfnetlink header that indicates the family of this element.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_compat: call {target, match}->destroy() to cleanup entry 2014-06-16T11:08:04+00:00 Pablo Neira Ayuso pablo@netfilter.org 2014-06-11T12:27:46+00:00 3d9b142131ef0cde259dbac5cce36f570fcb4902 Otherwise, the reference to external objects (eg. modules) are not released when the rules are removed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Otherwise, the reference to external objects (eg. modules) are not
released when the rules are removed.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: fix wrong type in transaction when replacing rules 2014-06-16T11:07:58+00:00 Pablo Neira Ayuso pablo@netfilter.org 2014-06-10T08:53:03+00:00 ac904ac835ac7879a9374dc3ef1e5cb75d9c7ceb In b380e5c ("netfilter: nf_tables: add message type to transactions"), I used the wrong message type in the rule replacement case. The rule that is replaced needs to be handled as a deleted rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
In b380e5c ("netfilter: nf_tables: add message type to transactions"),
I used the wrong message type in the rule replacement case. The rule
that is replaced needs to be handled as a deleted rule.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: decrement chain use counter when replacing rules 2014-06-16T11:07:50+00:00 Pablo Neira Ayuso pablo@netfilter.org 2014-06-10T08:53:02+00:00 ac34b861979ec5057d686c890b1b8f8661e9b99f Thus, the chain use counter remains with the same value after the rule replacement. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Thus, the chain use counter remains with the same value after the
rule replacement.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: use u32 for chain use counter 2014-06-16T11:07:44+00:00 Pablo Neira Ayuso pablo@netfilter.org 2014-06-10T08:53:01+00:00 a0a7379e16b6e4c229d082f24c7e3ef9e812ed46 Since 4fefee5 ("netfilter: nf_tables: allow to delete several objects from a batch"), every new rule bumps the chain use counter. However, this is limited to 16 bits, which means that it will overrun after 2^16 rules. Use a u32 chain counter and check for overflows (just like we do for table objects). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Since 4fefee5 ("netfilter: nf_tables: allow to delete several objects
from a batch"), every new rule bumps the chain use counter. However,
this is limited to 16 bits, which means that it will overrun after
2^16 rules.

Use a u32 chain counter and check for overflows (just like we do for
table objects).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: use RCU-safe list insertion when replacing rules 2014-06-16T11:07:29+00:00 Pablo Neira Ayuso pablo@netfilter.org 2014-06-10T08:53:00+00:00 5bc5c307653cbf8fe9da6cbd8ae6c6bd5b86ff4b The patch 5e94846 ("netfilter: nf_tables: add insert operation") did not include RCU-safe list insertion when replacing rules. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
The patch 5e94846 ("netfilter: nf_tables: add insert operation") did
not include RCU-safe list insertion when replacing rules.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>