mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-01 10:43:43 +00:00
netfilter pull request 24-01-18
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmWpTnYACgkQ1V2XiooU IOQYpw//ZL9MkD3EIAB/D7dtqj7Oz9XssIqN/RDqq1NEFojH6u1OxRB2cYOxtvRD iAUf3LLPY/NucEFoEHmNWg3mmG9mwwkXMIikJrGa9QmEfr/a5XBQSfSUB3rf8F9F bLvQ056Zb0g+jJTi8iOYOouN1O4LIhfZveVJQf72tmw3Gqw87Sc1HGJL1x/QHhvb 0vWzCb2AQOOyRVSLE3uYJYXI3AU/owM+axBUDk8RNmgkeJLDdwN8E56UQIW1X6Y9 i0Xp5QZfH4KGj8Ffy/mcCmYYItGldVViZuvqB8qBKV6+PhMNbqHuQQsRLbL5M0GS oFeRmaUfuJfxLF9lm3SUDtELFXNlzeW4kK/wOGUMcXlg3fZHmJx+TfWg9N86ANqC ripNA8hrQO6wuBIk7DByykS8tkCWyS17s4r2hxU/3uTAHv9KxsLymE82YrDzGL1e Er9qd4waGnfZWCgLirJ/YMmPvVP33yJ3JSmjclp/3m54pijiejzsuUNDlUiMG1EE ekAawU91X/NuTGAtr+JGUG5TyHwWxodIKxPWGSf7Zes39jJzqDGydA56+A5w2Qdr aWSzDY1fMEfb9gegpd42lW+hhN+ZLzZuKuA8m3SxCXQx7/1dU+AzV21B93endzlL VxRO10W5LqxODsm0jl8rOdcOvBsC1gqLaf9kZQlGU6BG1AHYfEs= =DHHp -----END PGP SIGNATURE----- Merge tag 'nf-24-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following batch contains Netfilter fixes for net. Slightly larger than usual because this batch includes several patches to tighten the nf_tables control plane to reject inconsistent configuration: 1) Restrict NFTA_SET_POLICY to NFT_SET_POL_PERFORMANCE and NFT_SET_POL_MEMORY. 2) Bail out if a nf_tables expression registers more than 16 netlink attributes which is what struct nft_expr_info allows. 3) Bail out if NFT_EXPR_STATEFUL provides no .clone interface, remove existing fallback to memcpy() when cloning which might accidentally duplicate memory reference to the same object. 4) Fix br_netfilter interaction with neighbour layer. This requires three preparation patches: - Use nf_bridge_get_physinif() in nfnetlink_log - Use nf_bridge_info_exists() to check in br_netfilter context is available in nf_queue. - Pass net to nf_bridge_get_physindev() And finally, the fix which replaces physindev with physinif in nf_bridge_info. Patches from Pavel Tikhomirov. 5) Catch-all deactivation happens in the transaction, hence this oneliner to check for the next generation. This bug uncovered after the removal of the _BUSY bit, which happened in set elements back in summer 2023. 6) Ensure set (total) key length size and concat field length description is consistent, otherwise bail out. 7) Skip set element with the _DEAD flag on from the netlink dump path. A tests occasionally shows that dump is mismatching because GC might lose race to get rid of this element while a netlink dump is in progress. 8) Reject NFT_SET_CONCAT for field_count < 1. 9) Use IP6_INC_STATS in ipvs to fix preemption BUG splat, patch from Fedor Pchelkin. * tag 'nf-24-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: ipvs: avoid stat macros calls from preemptible context netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description netfilter: nf_tables: skip dead set elements in netlink dump netfilter: nf_tables: do not allow mismatch field size and set key length netfilter: nf_tables: check if catch-all set element is active in next generation netfilter: bridge: replace physindev with physinif in nf_bridge_info netfilter: propagate net to nf_bridge_get_physindev netfilter: nf_queue: remove excess nf_bridge variable netfilter: nfnetlink_log: use proper helper for fetching physinif netfilter: nft_limit: do not ignore unsupported flags netfilter: nf_tables: bail out if stateful expression provides no .clone netfilter: nf_tables: validate .maxattr at expression registration netfilter: nf_tables: reject invalid set policy ==================== Link: https://lore.kernel.org/r/20240118161726.14838-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
commit
925781a471
@ -42,7 +42,7 @@ static inline int nf_bridge_get_physinif(const struct sk_buff *skb)
|
||||
if (!nf_bridge)
|
||||
return 0;
|
||||
|
||||
return nf_bridge->physindev ? nf_bridge->physindev->ifindex : 0;
|
||||
return nf_bridge->physinif;
|
||||
}
|
||||
|
||||
static inline int nf_bridge_get_physoutif(const struct sk_buff *skb)
|
||||
@ -56,11 +56,11 @@ static inline int nf_bridge_get_physoutif(const struct sk_buff *skb)
|
||||
}
|
||||
|
||||
static inline struct net_device *
|
||||
nf_bridge_get_physindev(const struct sk_buff *skb)
|
||||
nf_bridge_get_physindev(const struct sk_buff *skb, struct net *net)
|
||||
{
|
||||
const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
|
||||
|
||||
return nf_bridge ? nf_bridge->physindev : NULL;
|
||||
return nf_bridge ? dev_get_by_index_rcu(net, nf_bridge->physinif) : NULL;
|
||||
}
|
||||
|
||||
static inline struct net_device *
|
||||
|
@ -295,7 +295,7 @@ struct nf_bridge_info {
|
||||
u8 bridged_dnat:1;
|
||||
u8 sabotage_in_done:1;
|
||||
__u16 frag_max_size;
|
||||
struct net_device *physindev;
|
||||
int physinif;
|
||||
|
||||
/* always valid & non-NULL from FORWARD on, for physdev match */
|
||||
struct net_device *physoutdev;
|
||||
|
@ -279,8 +279,17 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_
|
||||
|
||||
if ((READ_ONCE(neigh->nud_state) & NUD_CONNECTED) &&
|
||||
READ_ONCE(neigh->hh.hh_len)) {
|
||||
struct net_device *br_indev;
|
||||
|
||||
br_indev = nf_bridge_get_physindev(skb, net);
|
||||
if (!br_indev) {
|
||||
neigh_release(neigh);
|
||||
goto free_skb;
|
||||
}
|
||||
|
||||
neigh_hh_bridge(&neigh->hh, skb);
|
||||
skb->dev = nf_bridge->physindev;
|
||||
skb->dev = br_indev;
|
||||
|
||||
ret = br_handle_frame_finish(net, sk, skb);
|
||||
} else {
|
||||
/* the neighbour function below overwrites the complete
|
||||
@ -352,12 +361,18 @@ br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb,
|
||||
*/
|
||||
static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
|
||||
{
|
||||
struct net_device *dev = skb->dev;
|
||||
struct net_device *dev = skb->dev, *br_indev;
|
||||
struct iphdr *iph = ip_hdr(skb);
|
||||
struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
|
||||
struct rtable *rt;
|
||||
int err;
|
||||
|
||||
br_indev = nf_bridge_get_physindev(skb, net);
|
||||
if (!br_indev) {
|
||||
kfree_skb(skb);
|
||||
return 0;
|
||||
}
|
||||
|
||||
nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
|
||||
|
||||
if (nf_bridge->pkt_otherhost) {
|
||||
@ -397,7 +412,7 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_
|
||||
} else {
|
||||
if (skb_dst(skb)->dev == dev) {
|
||||
bridged_dnat:
|
||||
skb->dev = nf_bridge->physindev;
|
||||
skb->dev = br_indev;
|
||||
nf_bridge_update_protocol(skb);
|
||||
nf_bridge_push_encap_header(skb);
|
||||
br_nf_hook_thresh(NF_BR_PRE_ROUTING,
|
||||
@ -410,7 +425,7 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_
|
||||
skb->pkt_type = PACKET_HOST;
|
||||
}
|
||||
} else {
|
||||
rt = bridge_parent_rtable(nf_bridge->physindev);
|
||||
rt = bridge_parent_rtable(br_indev);
|
||||
if (!rt) {
|
||||
kfree_skb(skb);
|
||||
return 0;
|
||||
@ -419,7 +434,7 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_
|
||||
skb_dst_set_noref(skb, &rt->dst);
|
||||
}
|
||||
|
||||
skb->dev = nf_bridge->physindev;
|
||||
skb->dev = br_indev;
|
||||
nf_bridge_update_protocol(skb);
|
||||
nf_bridge_push_encap_header(skb);
|
||||
br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb, skb->dev, NULL,
|
||||
@ -456,7 +471,7 @@ struct net_device *setup_pre_routing(struct sk_buff *skb, const struct net *net)
|
||||
}
|
||||
|
||||
nf_bridge->in_prerouting = 1;
|
||||
nf_bridge->physindev = skb->dev;
|
||||
nf_bridge->physinif = skb->dev->ifindex;
|
||||
skb->dev = brnf_get_logical_dev(skb, skb->dev, net);
|
||||
|
||||
if (skb->protocol == htons(ETH_P_8021Q))
|
||||
@ -553,7 +568,11 @@ static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff
|
||||
if (skb->protocol == htons(ETH_P_IPV6))
|
||||
nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
|
||||
|
||||
in = nf_bridge->physindev;
|
||||
in = nf_bridge_get_physindev(skb, net);
|
||||
if (!in) {
|
||||
kfree_skb(skb);
|
||||
return 0;
|
||||
}
|
||||
if (nf_bridge->pkt_otherhost) {
|
||||
skb->pkt_type = PACKET_OTHERHOST;
|
||||
nf_bridge->pkt_otherhost = false;
|
||||
@ -899,6 +918,13 @@ static unsigned int ip_sabotage_in(void *priv,
|
||||
static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
|
||||
{
|
||||
struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
|
||||
struct net_device *br_indev;
|
||||
|
||||
br_indev = nf_bridge_get_physindev(skb, dev_net(skb->dev));
|
||||
if (!br_indev) {
|
||||
kfree_skb(skb);
|
||||
return;
|
||||
}
|
||||
|
||||
skb_pull(skb, ETH_HLEN);
|
||||
nf_bridge->bridged_dnat = 0;
|
||||
@ -908,7 +934,7 @@ static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
|
||||
skb_copy_to_linear_data_offset(skb, -(ETH_HLEN - ETH_ALEN),
|
||||
nf_bridge->neigh_header,
|
||||
ETH_HLEN - ETH_ALEN);
|
||||
skb->dev = nf_bridge->physindev;
|
||||
skb->dev = br_indev;
|
||||
|
||||
nf_bridge->physoutdev = NULL;
|
||||
br_handle_frame_finish(dev_net(skb->dev), NULL, skb);
|
||||
|
@ -102,9 +102,15 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
|
||||
{
|
||||
struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
|
||||
struct rtable *rt;
|
||||
struct net_device *dev = skb->dev;
|
||||
struct net_device *dev = skb->dev, *br_indev;
|
||||
const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
|
||||
|
||||
br_indev = nf_bridge_get_physindev(skb, net);
|
||||
if (!br_indev) {
|
||||
kfree_skb(skb);
|
||||
return 0;
|
||||
}
|
||||
|
||||
nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
|
||||
|
||||
if (nf_bridge->pkt_otherhost) {
|
||||
@ -122,7 +128,7 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
|
||||
}
|
||||
|
||||
if (skb_dst(skb)->dev == dev) {
|
||||
skb->dev = nf_bridge->physindev;
|
||||
skb->dev = br_indev;
|
||||
nf_bridge_update_protocol(skb);
|
||||
nf_bridge_push_encap_header(skb);
|
||||
br_nf_hook_thresh(NF_BR_PRE_ROUTING,
|
||||
@ -133,7 +139,7 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
|
||||
ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
|
||||
skb->pkt_type = PACKET_HOST;
|
||||
} else {
|
||||
rt = bridge_parent_rtable(nf_bridge->physindev);
|
||||
rt = bridge_parent_rtable(br_indev);
|
||||
if (!rt) {
|
||||
kfree_skb(skb);
|
||||
return 0;
|
||||
@ -142,7 +148,7 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
|
||||
skb_dst_set_noref(skb, &rt->dst);
|
||||
}
|
||||
|
||||
skb->dev = nf_bridge->physindev;
|
||||
skb->dev = br_indev;
|
||||
nf_bridge_update_protocol(skb);
|
||||
nf_bridge_push_encap_header(skb);
|
||||
br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb,
|
||||
|
@ -239,7 +239,6 @@ static int nf_reject_fill_skb_dst(struct sk_buff *skb_in)
|
||||
void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
|
||||
int hook)
|
||||
{
|
||||
struct net_device *br_indev __maybe_unused;
|
||||
struct sk_buff *nskb;
|
||||
struct iphdr *niph;
|
||||
const struct tcphdr *oth;
|
||||
@ -289,9 +288,13 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
|
||||
* build the eth header using the original destination's MAC as the
|
||||
* source, and send the RST packet directly.
|
||||
*/
|
||||
br_indev = nf_bridge_get_physindev(oldskb);
|
||||
if (br_indev) {
|
||||
if (nf_bridge_info_exists(oldskb)) {
|
||||
struct ethhdr *oeth = eth_hdr(oldskb);
|
||||
struct net_device *br_indev;
|
||||
|
||||
br_indev = nf_bridge_get_physindev(oldskb, net);
|
||||
if (!br_indev)
|
||||
goto free_nskb;
|
||||
|
||||
nskb->dev = br_indev;
|
||||
niph->tot_len = htons(nskb->len);
|
||||
|
@ -278,7 +278,6 @@ static int nf_reject6_fill_skb_dst(struct sk_buff *skb_in)
|
||||
void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
|
||||
int hook)
|
||||
{
|
||||
struct net_device *br_indev __maybe_unused;
|
||||
struct sk_buff *nskb;
|
||||
struct tcphdr _otcph;
|
||||
const struct tcphdr *otcph;
|
||||
@ -354,9 +353,15 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
|
||||
* build the eth header using the original destination's MAC as the
|
||||
* source, and send the RST packet directly.
|
||||
*/
|
||||
br_indev = nf_bridge_get_physindev(oldskb);
|
||||
if (br_indev) {
|
||||
if (nf_bridge_info_exists(oldskb)) {
|
||||
struct ethhdr *oeth = eth_hdr(oldskb);
|
||||
struct net_device *br_indev;
|
||||
|
||||
br_indev = nf_bridge_get_physindev(oldskb, net);
|
||||
if (!br_indev) {
|
||||
kfree_skb(nskb);
|
||||
return;
|
||||
}
|
||||
|
||||
nskb->dev = br_indev;
|
||||
nskb->protocol = htons(ETH_P_IPV6);
|
||||
|
@ -138,9 +138,9 @@ hash_netiface4_data_next(struct hash_netiface4_elem *next,
|
||||
#include "ip_set_hash_gen.h"
|
||||
|
||||
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
|
||||
static const char *get_physindev_name(const struct sk_buff *skb)
|
||||
static const char *get_physindev_name(const struct sk_buff *skb, struct net *net)
|
||||
{
|
||||
struct net_device *dev = nf_bridge_get_physindev(skb);
|
||||
struct net_device *dev = nf_bridge_get_physindev(skb, net);
|
||||
|
||||
return dev ? dev->name : NULL;
|
||||
}
|
||||
@ -177,7 +177,7 @@ hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
|
||||
|
||||
if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
|
||||
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
|
||||
const char *eiface = SRCDIR ? get_physindev_name(skb) :
|
||||
const char *eiface = SRCDIR ? get_physindev_name(skb, xt_net(par)) :
|
||||
get_physoutdev_name(skb);
|
||||
|
||||
if (!eiface)
|
||||
@ -395,7 +395,7 @@ hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
|
||||
|
||||
if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
|
||||
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
|
||||
const char *eiface = SRCDIR ? get_physindev_name(skb) :
|
||||
const char *eiface = SRCDIR ? get_physindev_name(skb, xt_net(par)) :
|
||||
get_physoutdev_name(skb);
|
||||
|
||||
if (!eiface)
|
||||
|
@ -271,7 +271,7 @@ static inline bool decrement_ttl(struct netns_ipvs *ipvs,
|
||||
skb->dev = dst->dev;
|
||||
icmpv6_send(skb, ICMPV6_TIME_EXCEED,
|
||||
ICMPV6_EXC_HOPLIMIT, 0);
|
||||
__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
|
||||
IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
|
||||
|
||||
return false;
|
||||
}
|
||||
@ -286,7 +286,7 @@ static inline bool decrement_ttl(struct netns_ipvs *ipvs,
|
||||
{
|
||||
if (ip_hdr(skb)->ttl <= 1) {
|
||||
/* Tell the sender its packet died... */
|
||||
__IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
|
||||
IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
|
||||
icmp_send(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0);
|
||||
return false;
|
||||
}
|
||||
|
@ -111,7 +111,8 @@ nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf,
|
||||
unsigned int hooknum, const struct sk_buff *skb,
|
||||
const struct net_device *in,
|
||||
const struct net_device *out,
|
||||
const struct nf_loginfo *loginfo, const char *prefix)
|
||||
const struct nf_loginfo *loginfo, const char *prefix,
|
||||
struct net *net)
|
||||
{
|
||||
const struct net_device *physoutdev __maybe_unused;
|
||||
const struct net_device *physindev __maybe_unused;
|
||||
@ -121,7 +122,7 @@ nf_log_dump_packet_common(struct nf_log_buf *m, u8 pf,
|
||||
in ? in->name : "",
|
||||
out ? out->name : "");
|
||||
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
|
||||
physindev = nf_bridge_get_physindev(skb);
|
||||
physindev = nf_bridge_get_physindev(skb, net);
|
||||
if (physindev && in != physindev)
|
||||
nf_log_buf_add(m, "PHYSIN=%s ", physindev->name);
|
||||
physoutdev = nf_bridge_get_physoutdev(skb);
|
||||
@ -148,7 +149,7 @@ static void nf_log_arp_packet(struct net *net, u_int8_t pf,
|
||||
loginfo = &default_loginfo;
|
||||
|
||||
nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo,
|
||||
prefix);
|
||||
prefix, net);
|
||||
dump_arp_packet(m, loginfo, skb, skb_network_offset(skb));
|
||||
|
||||
nf_log_buf_close(m);
|
||||
@ -845,7 +846,7 @@ static void nf_log_ip_packet(struct net *net, u_int8_t pf,
|
||||
loginfo = &default_loginfo;
|
||||
|
||||
nf_log_dump_packet_common(m, pf, hooknum, skb, in,
|
||||
out, loginfo, prefix);
|
||||
out, loginfo, prefix, net);
|
||||
|
||||
if (in)
|
||||
dump_mac_header(m, loginfo, skb);
|
||||
@ -880,7 +881,7 @@ static void nf_log_ip6_packet(struct net *net, u_int8_t pf,
|
||||
loginfo = &default_loginfo;
|
||||
|
||||
nf_log_dump_packet_common(m, pf, hooknum, skb, in, out,
|
||||
loginfo, prefix);
|
||||
loginfo, prefix, net);
|
||||
|
||||
if (in)
|
||||
dump_mac_header(m, loginfo, skb);
|
||||
@ -916,7 +917,7 @@ static void nf_log_unknown_packet(struct net *net, u_int8_t pf,
|
||||
loginfo = &default_loginfo;
|
||||
|
||||
nf_log_dump_packet_common(m, pf, hooknum, skb, in, out, loginfo,
|
||||
prefix);
|
||||
prefix, net);
|
||||
|
||||
dump_mac_header(m, loginfo, skb);
|
||||
|
||||
|
@ -82,11 +82,9 @@ static void __nf_queue_entry_init_physdevs(struct nf_queue_entry *entry)
|
||||
{
|
||||
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
|
||||
const struct sk_buff *skb = entry->skb;
|
||||
struct nf_bridge_info *nf_bridge;
|
||||
|
||||
nf_bridge = nf_bridge_info_get(skb);
|
||||
if (nf_bridge) {
|
||||
entry->physin = nf_bridge_get_physindev(skb);
|
||||
if (nf_bridge_info_exists(skb)) {
|
||||
entry->physin = nf_bridge_get_physindev(skb, entry->state.net);
|
||||
entry->physout = nf_bridge_get_physoutdev(skb);
|
||||
} else {
|
||||
entry->physin = NULL;
|
||||
|
@ -2977,6 +2977,9 @@ static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
*/
|
||||
int nft_register_expr(struct nft_expr_type *type)
|
||||
{
|
||||
if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
|
||||
return -ENOMEM;
|
||||
|
||||
nfnl_lock(NFNL_SUBSYS_NFTABLES);
|
||||
if (type->family == NFPROTO_UNSPEC)
|
||||
list_add_tail_rcu(&type->list, &nf_tables_expressions);
|
||||
@ -3271,14 +3274,13 @@ int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
|
||||
{
|
||||
int err;
|
||||
|
||||
if (src->ops->clone) {
|
||||
dst->ops = src->ops;
|
||||
err = src->ops->clone(dst, src);
|
||||
if (err < 0)
|
||||
return err;
|
||||
} else {
|
||||
memcpy(dst, src, src->ops->size);
|
||||
}
|
||||
if (WARN_ON_ONCE(!src->ops->clone))
|
||||
return -EINVAL;
|
||||
|
||||
dst->ops = src->ops;
|
||||
err = src->ops->clone(dst, src);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
__module_get(src->ops->type->owner);
|
||||
|
||||
@ -4811,8 +4813,8 @@ static int nft_set_desc_concat_parse(const struct nlattr *attr,
|
||||
static int nft_set_desc_concat(struct nft_set_desc *desc,
|
||||
const struct nlattr *nla)
|
||||
{
|
||||
u32 num_regs = 0, key_num_regs = 0;
|
||||
struct nlattr *attr;
|
||||
u32 num_regs = 0;
|
||||
int rem, err, i;
|
||||
|
||||
nla_for_each_nested(attr, nla, rem) {
|
||||
@ -4827,6 +4829,10 @@ static int nft_set_desc_concat(struct nft_set_desc *desc,
|
||||
for (i = 0; i < desc->field_count; i++)
|
||||
num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
|
||||
|
||||
key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
|
||||
if (key_num_regs != num_regs)
|
||||
return -EINVAL;
|
||||
|
||||
if (num_regs > NFT_REG32_COUNT)
|
||||
return -E2BIG;
|
||||
|
||||
@ -5048,16 +5054,28 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
||||
}
|
||||
|
||||
desc.policy = NFT_SET_POL_PERFORMANCE;
|
||||
if (nla[NFTA_SET_POLICY] != NULL)
|
||||
if (nla[NFTA_SET_POLICY] != NULL) {
|
||||
desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
|
||||
switch (desc.policy) {
|
||||
case NFT_SET_POL_PERFORMANCE:
|
||||
case NFT_SET_POL_MEMORY:
|
||||
break;
|
||||
default:
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
}
|
||||
|
||||
if (nla[NFTA_SET_DESC] != NULL) {
|
||||
err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
if (desc.field_count > 1 && !(flags & NFT_SET_CONCAT))
|
||||
if (desc.field_count > 1) {
|
||||
if (!(flags & NFT_SET_CONCAT))
|
||||
return -EINVAL;
|
||||
} else if (flags & NFT_SET_CONCAT) {
|
||||
return -EINVAL;
|
||||
}
|
||||
} else if (flags & NFT_SET_CONCAT) {
|
||||
return -EINVAL;
|
||||
}
|
||||
@ -5704,7 +5722,7 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
|
||||
const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
|
||||
struct nft_set_dump_args *args;
|
||||
|
||||
if (nft_set_elem_expired(ext))
|
||||
if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
|
||||
return 0;
|
||||
|
||||
args = container_of(iter, struct nft_set_dump_args, iter);
|
||||
@ -6568,7 +6586,7 @@ static int nft_setelem_catchall_deactivate(const struct net *net,
|
||||
|
||||
list_for_each_entry(catchall, &set->catchall_list, list) {
|
||||
ext = nft_set_elem_ext(set, catchall->elem);
|
||||
if (!nft_is_active(net, ext))
|
||||
if (!nft_is_active_next(net, ext))
|
||||
continue;
|
||||
|
||||
kfree(elem->priv);
|
||||
|
@ -508,7 +508,7 @@ __build_packet_message(struct nfnl_log_net *log,
|
||||
htonl(br_port_get_rcu(indev)->br->dev->ifindex)))
|
||||
goto nla_put_failure;
|
||||
} else {
|
||||
struct net_device *physindev;
|
||||
int physinif;
|
||||
|
||||
/* Case 2: indev is bridge group, we need to look for
|
||||
* physical device (when called from ipv4) */
|
||||
@ -516,10 +516,10 @@ __build_packet_message(struct nfnl_log_net *log,
|
||||
htonl(indev->ifindex)))
|
||||
goto nla_put_failure;
|
||||
|
||||
physindev = nf_bridge_get_physindev(skb);
|
||||
if (physindev &&
|
||||
physinif = nf_bridge_get_physinif(skb);
|
||||
if (physinif &&
|
||||
nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
|
||||
htonl(physindev->ifindex)))
|
||||
htonl(physinif)))
|
||||
goto nla_put_failure;
|
||||
}
|
||||
#endif
|
||||
|
@ -58,6 +58,7 @@ static inline bool nft_limit_eval(struct nft_limit_priv *priv, u64 cost)
|
||||
static int nft_limit_init(struct nft_limit_priv *priv,
|
||||
const struct nlattr * const tb[], bool pkts)
|
||||
{
|
||||
bool invert = false;
|
||||
u64 unit, tokens;
|
||||
|
||||
if (tb[NFTA_LIMIT_RATE] == NULL ||
|
||||
@ -90,19 +91,23 @@ static int nft_limit_init(struct nft_limit_priv *priv,
|
||||
priv->rate);
|
||||
}
|
||||
|
||||
if (tb[NFTA_LIMIT_FLAGS]) {
|
||||
u32 flags = ntohl(nla_get_be32(tb[NFTA_LIMIT_FLAGS]));
|
||||
|
||||
if (flags & ~NFT_LIMIT_F_INV)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (flags & NFT_LIMIT_F_INV)
|
||||
invert = true;
|
||||
}
|
||||
|
||||
priv->limit = kmalloc(sizeof(*priv->limit), GFP_KERNEL_ACCOUNT);
|
||||
if (!priv->limit)
|
||||
return -ENOMEM;
|
||||
|
||||
priv->limit->tokens = tokens;
|
||||
priv->tokens_max = priv->limit->tokens;
|
||||
|
||||
if (tb[NFTA_LIMIT_FLAGS]) {
|
||||
u32 flags = ntohl(nla_get_be32(tb[NFTA_LIMIT_FLAGS]));
|
||||
|
||||
if (flags & NFT_LIMIT_F_INV)
|
||||
priv->invert = true;
|
||||
}
|
||||
priv->invert = invert;
|
||||
priv->limit->last = ktime_get_ns();
|
||||
spin_lock_init(&priv->limit->lock);
|
||||
|
||||
|
@ -59,7 +59,7 @@ physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
(!!outdev ^ !(info->invert & XT_PHYSDEV_OP_BRIDGED)))
|
||||
return false;
|
||||
|
||||
physdev = nf_bridge_get_physindev(skb);
|
||||
physdev = nf_bridge_get_physindev(skb, xt_net(par));
|
||||
indev = physdev ? physdev->name : NULL;
|
||||
|
||||
if ((info->bitmask & XT_PHYSDEV_OP_ISIN &&
|
||||
|
Loading…
Reference in New Issue
Block a user