pm24.git/net/bridge/netfilter, branch v5.7Unnamed repository; edit this file 'description' to name the repository.
https://git.kobert.dev/pm24.git/atom?h=v5.72020-05-25T18:39:05Znetfilter: nft_reject_bridge: enable reject with bridge vlan2020-05-25T18:39:05ZMichael Braunmichael-dev@fami-braun.de2020-05-06T09:46:25Zurn:sha1:e9c284ec4b41c827f4369973d2792992849e4fa5
Currently, using the bridge reject target with tagged packets
results in untagged packets being sent back.
Fix this by mirroring the vlan id as well.
Fixes: 85f5b3086a04 ("netfilter: bridge: add reject support")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: Replace zero-length array with flexible-array member2020-03-15T14:20:16ZGustavo A. R. Silvagustavo@embeddedor.com2020-02-20T13:59:14Zurn:sha1:6daf14140129d30207ed6a0a69851fa6a3636bda
The current codebase makes use of the zero-length array language
extension to the C90 standard, but the preferred mechanism to declare
variable-length types such as these ones is a flexible array member[1][2],
introduced in C99:
struct foo {
int stuff;
struct boo array[];
};
By making use of the mechanism above, we will get a compiler warning
in case the flexible array does not occur last in the structure, which
will help us prevent some kind of undefined behavior bugs from being
inadvertently introduced[3] to the codebase from now on.
Also, notice that, dynamic memory allocations won't be affected by
this change:
"Flexible array members have incomplete type, and so the sizeof operator
may not be applied. As a quirk of the original implementation of
zero-length arrays, sizeof evaluates to zero."[1]
Lastly, fix checkpatch.pl warning
WARNING: __aligned(size) is preferred over __attribute__((aligned(size)))
in net/bridge/netfilter/ebtables.c
This issue was found with the help of Coccinelle.
[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
[2] https://github.com/KSPP/linux/issues/21
[3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ebtables: compat: reject all padding in matches/watchers2019-12-20T01:12:27ZFlorian Westphalfw@strlen.de2019-12-15T02:49:25Zurn:sha1:e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe
syzbot reported following splat:
BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
[..]
Because padding isn't considered during computation of ->buf_user_offset,
"total" is decremented by fewer bytes than it should.
Therefore, the first part of
if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
will pass, -- it should not have. This causes oob access:
entry->next_offset is past the vmalloced size.
Reject padding and check that computed user offset (sum of ebt_entry
structure plus all individual matches/watchers/targets) is same
value that userspace gave us as the offset of the next entry.
Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
bridge: ebtables: don't crash when using dnat target in output chains2019-11-04T19:58:34ZFlorian Westphalfw@strlen.de2019-11-03T19:54:28Zurn:sha1:b23c0742c2ce7e33ed79d10e451f70fdb5ca85d1
xt_in() returns NULL in the output hook, skip the pkt_type change for
that case, redirection only makes sense in broute/prerouting hooks.
Reported-by: Tom Yan <tom.ty89@gmail.com>
Cc: Linus Lüssing <linus.luessing@c0d3.blue>
Fixes: cf3cb246e277d ("bridge: ebtables: fix reception of frames DNAT-ed to bridge device/port")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ipv4: fix IPSKB_FRAG_PMTU handling with fragmentation2019-10-21T17:46:42ZEric Dumazetedumazet@google.com2019-10-19T16:26:37Zurn:sha1:e7a409c3f46cb0dbc7bfd4f6f9421d53e92614a5
This patch removes the iph field from the state structure, which is not
properly initialized. Instead, add a new field to make the "do we want
to set DF" be the state bit and move the code to set the DF flag from
ip_frag_next().
Joint work with Pablo and Linus.
Fixes: 19c3401a917b ("net: ipv4: place control buffer handling away from fragmentation iterators")
Reported-by: Patrick Schönthaler <patrick@notvads.ovh>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: ensure correct skb->tstamp in various fragmenters2019-10-18T17:02:37ZEric Dumazetedumazet@google.com2019-10-17T01:00:56Zurn:sha1:9669fffc1415bb0c30e5d2ec98a8e1c3a418cb9c
Thomas found that some forwarded packets would be stuck
in FQ packet scheduler because their skb->tstamp contained
timestamps far in the future.
We thought we addressed this point in commit 8203e2d844d3
("net: clear skb->tstamp in forwarding paths") but there
is still an issue when/if a packet needs to be fragmented.
In order to meet EDT requirements, we have to make sure all
fragments get the original skb->tstamp.
Note that this original skb->tstamp should be zero in
forwarding path, but might have a non zero value in
output path if user decided so.
Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Thomas Bartschies <Thomas.Bartschies@cvk.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: move nf_bridge_frag_data struct definition to a more appropriate header.2019-09-13T10:35:33ZJeremy Sowdenjeremy@azazel.net2019-09-13T08:13:09Zurn:sha1:46705b070c279b352bbbe8118d78aa31b0768245
There is a struct definition function in nf_conntrack_bridge.h which is
not specific to conntrack and is used elswhere in netfilter. Move it
into netfilter_bridge.h.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: update include directives.2019-09-13T10:33:06ZJeremy Sowdenjeremy@azazel.net2019-09-13T08:13:05Zurn:sha1:40d102cde0a2aabb5e542ab1ab1aa4aaa1fd4372
Include some headers in files which require them, and remove others
which are not required.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: inline xt_hashlimit, ebt_802_3 and xt_physdev headers2019-09-13T10:32:48ZJeremy Sowdenjeremy@azazel.net2019-09-13T08:13:04Zurn:sha1:85cfbc25e5c5ee83307aba05eec4b04517890038
Three netfilter headers are only included once. Inline their contents
at those sites and remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_meta_bridge: Fix get NFT_META_BRI_IIFVPROTO in network byteorder2019-08-30T00:49:04Zwenxuwenxu@ucloud.cn2019-08-28T15:02:33Zurn:sha1:daf1de9078792a4d60e36aa7ecf3aadca65277c2
Get the vlan_proto of ingress bridge in network byteorder as userspace
expects. Otherwise this is inconsistent with NFT_META_PROTOCOL.
Fixes: 2a3a93ef0ba5 ("netfilter: nft_meta_bridge: Add NFT_META_BRI_IIFVPROTO support")
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>