Vasily Averin [Thu, 19 Nov 2020 13:59:51 +0000 (14:59 +0100)]
netfilter: ipset: enable memory accounting for ipset allocations
Currently netadmin inside non-trusted container can quickly allocate
whole node's memory via request of huge ipset hashtable.
Other ipset-related memory allocations should be restricted too.
The parameter defines the upper limit in any hash bucket at adding new entries
from userspace - if the limit would be exceeded, ipset doubles the hash size
and rehashes. It means the set may consume more memory but gives faster
evaluation at matching in the set.
The -exist flag was supported with the create, add and delete commands.
In order to gracefully handle the destroy command with nonexistent sets,
the -exist flag is added to destroy too.
Replace the existing /* fall through */ comments and its variants with
the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary
fall-through markings when it is the case.
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
netfilter: Replace zero-length array with flexible-array member
The current codebase makes use of the zero-length array language
extension to the C90 standard, but the preferred mechanism to declare
variable-length types such as these ones is a flexible array member[1][2],
introduced in C99:
struct foo {
int stuff;
struct boo array[];
};
By making use of the mechanism above, we will get a compiler warning
in case the flexible array does not occur last in the structure, which
will help us prevent some kind of undefined behavior bugs from being
inadvertently introduced[3] to the codebase from now on.
Also, notice that, dynamic memory allocations won't be affected by
this change:
"Flexible array members have incomplete type, and so the sizeof operator
may not be applied. As a quirk of the original implementation of
zero-length arrays, sizeof evaluates to zero."[1]
Lastly, fix checkpatch.pl warning
WARNING: __aligned(size) is preferred over __attribute__((aligned(size)))
in net/bridge/netfilter/ebtables.c
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Russell King [Wed, 10 Jun 2020 20:51:11 +0000 (21:51 +0100)]
netfiler: ipset: fix unaligned atomic access
When using ip_set with counters and comment, traffic causes the kernel
to panic on 32-bit ARM:
Alignment trap: not handling instruction e1b82f9f at [<bf01b0dc>]
Unhandled fault: alignment exception (0x221) at 0xea08133c
PC is at ip_set_match_extensions+0xe0/0x224 [ip_set]
The problem occurs when we try to update the 64-bit counters - the
faulting address above is not 64-bit aligned. The problem occurs
due to the way elements are allocated, for example:
If the element has a requirement for a member to be 64-bit aligned,
and set->dsize is not a multiple of 8, but is a multiple of four,
then every odd numbered elements will be misaligned - and hitting
an atomic64_add() on that element will cause the kernel to panic.
ip_set_elem_len() must return a size that is rounded to the maximum
alignment of any extension field stored in the element. This change
ensures that is the case.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Phil Sutter [Thu, 14 May 2020 11:31:21 +0000 (13:31 +0200)]
netfilter: ipset: Fix subcounter update skip
If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not
update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE
must be set, not unset.
Fixes: 6e01781d1c80e ("netfilter: ipset: set match: add support to match the counters") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Stefano Brivio [Mon, 24 Feb 2020 17:52:43 +0000 (18:52 +0100)]
ipset: Update byte and packet counters regardless of whether they match
In ip_set_match_extensions(), for sets with counters, we take care of
updating counters themselves by calling ip_set_update_counter(), and of
checking if the given comparison and values match, by calling
ip_set_match_counter() if needed.
However, if a given comparison on counters doesn't match the configured
values, that doesn't mean the set entry itself isn't matching.
This fix restores the behaviour we had before commit 4750005a85f7
("netfilter: ipset: Fix "don't update counters" mode when counters used
at the matching"), without reintroducing the issue fixed there: back
then, mtype_data_match() first updated counters in any case, and then
took care of matching on counters.
Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set,
ip_set_update_counter() will anyway skip counter updates if desired.
The issue observed is illustrated by this reproducer:
ipset create c hash:ip counters
ipset add c 192.0.2.1
iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP
if we now send packets from 192.0.2.1, bytes and packets counters
for the entry as shown by 'ipset list' are always zero, and, no
matter how many bytes we send, the rule will never match, because
counters themselves are not updated.
Reported-by: Mithil Mhatre <mmhatre@redhat.com> Fixes: 4750005a85f7 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Serhey Popovych [Thu, 5 Mar 2020 15:28:24 +0000 (17:28 +0200)]
ip_set: Fix compatibility with kernels between v3.3 and v4.5
These kernels does not have in their @struct netlink_dump_control method
that is used to prepare for netlink dump ->start(). This affects all
kernels that does not contain commit fc9e50f5a5a4 ("netlink: add a start
callback for starting a netlink dump").
Introduce fake value of HAVE_NETLINK_DUMP_START_ARGS equal to 7 that
never spot in the wild and set HAVE_NETLINK_DUMP_START_ARGS to 4 only
after explicit test if ->start() is available.
Introduce --update-counters-first flag for the set target
Stefano Brivio reported that the patch 'netfilter: ipset:
Fix "don't update counters" mode when counters used at the matching'
changed the semantic of when the counters are updated. Before the patch
the counters were updated regardless of the results of the counter
matches, after the patch the counters were updated only if the counter
match conditions (if specified) matched the packet. In order to handle
both ways, the --update-counters-first flag is introduced: when the flag
is specified, the counters are updated before checking the counter match
conditions. Without the flag the current evaluation path (i.e. update
only if counter conditions match) works.
Serhey Popovych [Thu, 5 Mar 2020 15:28:23 +0000 (17:28 +0200)]
ip_set: Fix build on kernels without INIT_DEFERRABLE_WORK
There was macro rename in kernel with commit 203b42f73174 ("workqueue:
make deferrable delayed_work initializer names consistent") that renames
INIT_DELAYED_WORK_DEFERRABLE() to INIT_DEFERRABLE_WORK().
Jozsef Kadlecsik [Sat, 22 Feb 2020 10:24:20 +0000 (11:24 +0100)]
netfilter: ipset: Fix forceadd evaluation path
When the forceadd option is enabled, the hash:* types should find and replace
the first entry in the bucket with the new one if there are no reuseable
(deleted or timed out) entries. However, the position index was just not set
to zero and remained the invalid -1 if there were no reuseable entries.
Reported-by: syzbot+6a86565c74ebe30aea18@syzkaller.appspotmail.com Fixes: 23c42a403a9c ("netfilter: ipset: Introduction of new commands and protocol version 7") Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Serhey Popovych [Fri, 31 Jan 2020 16:28:34 +0000 (18:28 +0200)]
ip_set: Include kernel header instead of UAPI
This header is used to build kernel modules not userspace thus it is
correct to include linux/in.h kernel variant and not UAPI.
This fixes build on old and not widely supported systems like RHEL6 and
Debian GNU/Linux 7 (wheezy) before headers split to UAPI and kernel.
Fixes: 62d787ba5e66 ("netfilter: added missing includes to a number of header-files.") Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports
In the case of huge hash:* types of sets, due to the single spinlock of
a set the processing of the whole set under spinlock protection could take
too long.
There were four places where the whole hash table of the set was processed
from bucket to bucket under holding the spinlock:
- During resizing a set, the original set was locked to exclude kernel side
add/del element operations (userspace add/del is excluded by the
nfnetlink mutex). The original set is actually just read during the
resize, so the spinlocking is replaced with rcu locking of regions.
However, thus there can be parallel kernel side add/del of entries.
In order not to loose those operations a backlog is added and replayed
after the successful resize.
- Garbage collection of timed out entries was also protected by the spinlock.
In order not to lock too long, region locking is introduced and a single
region is processed in one gc go. Also, the simple timer based gc running
is replaced with a workqueue based solution. The internal book-keeping
(number of elements, size of extensions) is moved to region level due to
the region locking.
- Adding elements: when the max number of the elements is reached, the gc
was called to evict the timed out entries. The new approach is that the gc
is called just for the matching region, assuming that if the region
(proportionally) seems to be full, then the whole set does. We could scan
the other regions to check every entry under rcu locking, but for huge
sets it'd mean a slowdown at adding elements.
- Listing the set header data: when the set was defined with timeout
support, the garbage collector was called to clean up timed out entries
to get the correct element numbers and set size values. Now the set is
scanned to check non-timed out entries, without actually calling the gc
for the whole set.
Thanks to Florian Westphal for helping me to solve the SOFTIRQ-safe ->
SOFTIRQ-unsafe lock order issues during working on the patch.
Reported-by: syzbot+4b0e9d4ff3cf117837e5@syzkaller.appspotmail.com Reported-by: syzbot+c27b8d5010f45c666ed1@syzkaller.appspotmail.com Reported-by: syzbot+68a806795ac89df3aa1c@syzkaller.appspotmail.com Fixes: 23c42a403a9c ("netfilter: ipset: Introduction of new commands and protocol version 7") Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Serhey Popovych [Fri, 31 Jan 2020 16:28:34 +0000 (18:28 +0200)]
ip_set: Include kernel header instead of UAPI
This header is used to build kernel modules not userspace thus it is
correct to include linux/in.h kernel variant and not UAPI.
This fixes build on old and not widely supported systems like RHEL6 and
Debian GNU/Linux 7 (wheezy) before headers split to UAPI and kernel.
Fixes: 62d787ba5e66 ("netfilter: added missing includes to a number of header-files.") Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Jozsef Kadlecsik [Sat, 25 Jan 2020 17:55:06 +0000 (18:55 +0100)]
netfilter: ipset: fix suspicious RCU usage in find_set_and_id
find_set_and_id() is called when the NFNL_SUBSYS_IPSET mutex is held.
However, in the error path there can be a follow-up recvmsg() without
the mutex held. Use the start() function of struct netlink_dump_control
instead of dump() to verify and report if the specified set does not
exist.
Thanks to Pablo Neira Ayuso for helping me to understand the subleties
of the netlink protocol.
Jozsef Kadlecsik [Sun, 19 Jan 2020 11:04:13 +0000 (12:04 +0100)]
netfilter: ipset: use bitmap infrastructure completely
The bitmap allocation did not use full unsigned long sizes
when calculating the required size and that was triggered by KASAN
as slab-out-of-bounds read in several places. The patch fixes all
of them.
Cong Wang [Fri, 10 Jan 2020 19:53:08 +0000 (11:53 -0800)]
netfilter: fix a use-after-free in mtype_destroy()
map->members is freed by ip_set_free() right before using it in
mtype_ext_cleanup() again. So we just have to move it down.
Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function") Cc: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Serhey Popovych [Fri, 29 Nov 2019 09:21:34 +0000 (11:21 +0200)]
ip_set: Pass init_net when @net is missing in match check params data structure
It is better to restrict ipsets to default network namespace on old
kernels that does not contain @net parameter in @struct xt_mtchk_param
(i.e. ones prior to commit a83d8e8d099f ("netfilter: xtables:
add struct xt_mtchk_param::net"), tag v2.6.34) instead of panicing
on them.
Found and tested on RHEL 6 with 2.6.32 kernels.
Fixes: 90e279db0cf5 ("Add more compatibility checkings to support older kernel releases") Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Serhey Popovych [Fri, 29 Nov 2019 09:21:33 +0000 (11:21 +0200)]
netfilter: xt_set: Do not restrict --map-set to the mangle table
While mangle table is primary place for packet modification setting
mark, traffic class priority or hardware NIC queue can be done in any
table with exception similar to using mark in policy-based routing
setups (configured with ip-rule(8)) should be done before routing
happens (i.e. in PREROUTING chain that usable in mangle or raw tables
only).
There is no such restriction in MARK target used to set packet mark and
CLASSIFY target used to set traffic class priority. Both are free to use
in any table. There is no known target that can modify hardware queue
for packet.
This helps in keeping filtering and packet modification rules together
in filter table.
Tested with rule in filter table with SET target using --map-prio and
HTB for scheduling packets at egress.
Serhey Popovych [Fri, 29 Nov 2019 09:21:32 +0000 (11:21 +0200)]
em_ipset: Build on old kernels
Make sure TCF_EM_IPSET defined and corresponds to current upstream value
if not defined in target kernel. You need iproute2 version that supports
em_ipset to communicate correctly. Include ip_set_compat.h after
pkt_cls.h to prevent TCF_EM_IPSET redefine error.
Detect skb->iif => skb->skb_iif rename after commit 8964be4a9a5c ("net:
rename skb->iif to skb->skb_iif").
Add dev_get_by_index_rcu() define pointing to __dev_get_by_index() to
build on RHEL6 kernels with explicit note that this may not work on all
architectures.
Always build em_ipset regardless of CONFIG_NET_EMATCH_IPSET option.
Serhey Popovych [Fri, 29 Nov 2019 09:21:31 +0000 (11:21 +0200)]
compat: Use skb_vlan_tag_present() instead of vlan_tx_tag_present()
Since RHEL6 provides it as preprocessor define and does not provide
vlan_tx_tag_present(). Add defines in case of vlan_tx_tag_present()
isn't available to back tc_skb_protocol() to old behaviour before
commit d8b9605d2697 ("net: sched: fix skb->protocol use in case
of accelerated vlan path").
Serhey Popovych [Fri, 29 Nov 2019 09:21:30 +0000 (11:21 +0200)]
configure.ac: Support building with old autoconf 2.63
This version found on RHEL6 making autoreconf fail with following error:
configure.ac:61: error: possibly undefined macro: AS_VAR_COPY
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
Apply fix from https://github.com/gdnsd/gdnsd/issues/85 to fix problem.
Serhey Popovych [Fri, 29 Nov 2019 09:21:29 +0000 (11:21 +0200)]
configure.ac: Build on kernels without skb->vlan_proto correctly
Support for EtherType other than ETH_P_8021Q for VLAN header introduced
with commit 86a9bad3ab6b ("net: vlan: add protocol argument to packet
tagging functions") in upstream kernel since v3.10.
To support build on older kernels check for ->vlan_proto presence in
@struct sk_buff and return htons(ETH_P_8021Q) when it is missing.
Serhey Popovych [Fri, 29 Nov 2019 09:21:27 +0000 (11:21 +0200)]
configure.ac: Better match for ipv6_skip_exthdr() frag_offp arg presence
On older kernels (i.e. ones before commit 5c3a0fd7d0fc ("ip*.h: Remove
extern from function prototypes") in upstream since v3.13) we fail to
match number of arguments ipv6_skip_exthdr() correctly. Configure
chooses 3 args, while function has actually 4 args.
This happens because on these kernels tab (\t) is used for intendation
between function result type and function name.
Fix by matching either space for kernels with mentioned change or tab
for older kernels to select number of arguments correctly.
Fix nla_policies to fully support NL_VALIDATE_STRICT
Since v5.2 (commit "netlink: re-add parse/validate functions in
strict mode") NL_VALIDATE_STRICT is enabled. Fix the ipset nla_policies
which did not support strict mode and thus the corresponding ipset
commands failed.
Thomas Gleixner [Thu, 31 Oct 2019 17:57:52 +0000 (18:57 +0100)]
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Enrico Weigelt <info@metux.net> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kristian Evensen [Thu, 26 Sep 2019 10:06:45 +0000 (12:06 +0200)]
ipset: Add wildcard support to net,iface
The net,iface equal functions currently compares the full interface
names. In several cases, wildcard (or prefix) matching is useful. For
example, when converting a large iptables rule-set to make use of ipset,
I was able to significantly reduce the number of set elements by making
use of wildcard matching.
Wildcard matching is enabled by adding "wildcard" when adding an element
to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to
be set. When this flag is set, only the initial part of the interface
name is used for comparison.
Wildcard matching is done per element and not per set, as there are many
cases where mixing wildcard and non-wildcard elements are useful. This
means that is up to the user to handle (avoid) overlapping interface
names.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Stefano Brivio [Thu, 10 Oct 2019 17:18:14 +0000 (19:18 +0200)]
ipset: Copy the right MAC address in hash:ip,mac IPv6 sets
Same as commit 1b4a75108d5b ("netfilter: ipset: Copy the right MAC
address in bitmap:ip,mac and hash:ip,mac sets"), another copy and paste
went wrong in commit 8cc4ccf58379 ("netfilter: ipset: Allow matching on
destination MAC address for mac and ipmac sets").
When I fixed this for IPv4 in 1b4a75108d5b, I didn't realise that
hash:ip,mac sets also support IPv6 as family, and this is covered by a
separate function, hash_ipmac6_kadt().
In hash:ip,mac sets, the first dimension is the IP address, and the
second dimension is the MAC address: check the IPSET_DIM_TWO_SRC flag
in flags while deciding which MAC address to copy, destination or
source.
This way, mixing source and destination matches for the two dimensions
of ip,mac hash type works as expected, also for IPv6. With this setup:
ip netns add A
ip link add veth1 type veth peer name veth2 netns A
ip addr add 2001:db8::1/64 dev veth1
ip -net A addr add 2001:db8::2/64 dev veth2
ip link set veth1 up
ip -net A link set veth2 up
dst=$(ip netns exec A cat /sys/class/net/veth2/address)
ip netns exec A ipset create test_hash hash:ip,mac family inet6
ip netns exec A ipset add test_hash 2001:db8::1,${dst}
ip netns exec A ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip netns exec A ip6tables -A INPUT -m set ! --match-set test_hash src,dst -j DROP
ipset now correctly matches a test packet:
# ping -c1 2001:db8::2 >/dev/null
# echo $?
0
Reported-by: Chen, Yi <yiche@redhat.com> Fixes: 8cc4ccf58379 ("netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Jeremy Sowden [Thu, 3 Oct 2019 19:56:03 +0000 (20:56 +0100)]
netfilter: ipset: move ip_set_comment functions from ip_set.h to ip_set_core.c.
Most of the functions are only called from within ip_set_core.c.
The exception is ip_set_init_comment. However, this is too complex to
be a good candidate for a static inline function. Move it to
ip_set_core.c, change its linkage to extern and export it, leaving a
declaration in ip_set.h.
ip_set_comment_free is only used as an extension destructor, so change
its prototype to match and drop cast.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Jeremy Sowden [Thu, 3 Oct 2019 19:56:02 +0000 (20:56 +0100)]
netfilter: ipset: remove inline from static functions in .c files.
The inline function-specifier should not be used for static functions
defined in .c files since it bloats the kernel. Instead leave the
compiler to decide which functions to inline.
While a couple of the files affected (ip_set_*_gen.h) are technically
headers, they contain templates for generating the common parts of
particular set-types and so we treat them like .c files.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Jeremy Sowden [Wed, 7 Aug 2019 14:16:59 +0000 (15:16 +0100)]
netfilter: added missing includes to a number of header-files.
A number of netfilter header-files used declarations and definitions
from other headers without including them. Added include directives to
make those declarations and definitions available.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Of these the first three were not included anywhere else. The last,
ip_set_timeout.h, was included in a couple of other places, but defined
inline functions which call other inline functions defined in ip_set.h,
so ip_set.h had to be included before it.
Inlined all four into ip_set.h, and updated the other files that
included ip_set_timeout.h.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Dan Carpenter [Sat, 24 Aug 2019 14:49:55 +0000 (17:49 +0300)]
netfilter: ipset: Fix an error code in ip_set_sockfn_get()
The copy_to_user() function returns the number of bytes remaining to be
copied. In this code, that positive return is checked at the end of the
function and we return zero/success. What we should do instead is
return -EFAULT.
Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Shijie Luo reported that when stress-testing ipset with multiple concurrent
create, rename, flush, list, destroy commands, it can result
ipset <version>: Broken LIST kernel message: missing DATA part!
error messages and broken list results. The problem was the rename operation
was not properly handled with respect of listing. The patch fixes the issue.
Reported-by: Shijie Luo <luoshijie1@huawei.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Stefano Brivio [Mon, 24 Jun 2019 13:20:12 +0000 (15:20 +0200)]
ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets
In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
for mac and ipmac sets"), ipset.git commit 1543514c46a7, I added to the
KADT functions for sets matching on MAC addreses the copy of source or
destination MAC address depending on the configured match.
This was done correctly for hash:mac, but for hash:ip,mac and
bitmap:ip,mac, copying and pasting the same code block presents an
obvious problem: in these two set types, the MAC address is the second
dimension, not the first one, and we are actually selecting the MAC
address depending on whether the first dimension (IP address) specifies
source or destination.
Fix this by checking for the IPSET_DIM_TWO_SRC flag in option flags.
This way, mixing source and destination matches for the two dimensions
of ip,mac set types works as expected. With this setup:
ip netns add A
ip link add veth1 type veth peer name veth2 netns A
ip addr add 192.0.2.1/24 dev veth1
ip -net A addr add 192.0.2.2/24 dev veth2
ip link set veth1 up
ip -net A link set veth2 up
dst=$(ip netns exec A cat /sys/class/net/veth2/address)
ip netns exec A ipset create test_bitmap bitmap:ip,mac range 192.0.0.0/16
ip netns exec A ipset add test_bitmap 192.0.2.1,${dst}
ip netns exec A iptables -A INPUT -m set ! --match-set test_bitmap src,dst -j DROP
ip netns exec A ipset create test_hash hash:ip,mac
ip netns exec A ipset add test_hash 192.0.2.1,${dst}
ip netns exec A iptables -A INPUT -m set ! --match-set test_hash src,dst -j DROP
ipset correctly matches a test packet:
# ping -c1 192.0.2.2 >/dev/null
# echo $?
0
Reported-by: Chen Yi <yiche@redhat.com> Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Stefano Brivio [Mon, 24 Jun 2019 13:20:11 +0000 (15:20 +0200)]
ipset: Actually allow destination MAC address for hash:ip,mac sets too
In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
for mac and ipmac sets"), ipset.git commit 1543514c46a7, I removed the
KADT check that prevents matching on destination MAC addresses for
hash:mac sets, but forgot to remove the same check for hash:ip,mac set.
Drop this check: functionality is now commented in man pages and there's
no reason to restrict to source MAC address matching anymore.
Reported-by: Chen Yi <yiche@redhat.com> Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Stefano Brivio [Sun, 26 May 2019 21:14:06 +0000 (23:14 +0200)]
ipset: Fix memory accounting for hash types on resize
If a fresh array block is allocated during resize, the current in-memory
set size should be increased by the size of the block, not replaced by it.
Before the fix, adding entries to a hash set type, leading to a table
resize, caused an inconsistent memory size to be reported. This becomes
more obvious when swapping sets with similar sizes:
# cat hash_ip_size.sh
#!/bin/sh
FAIL_RETRIES=10
tries=0
while [ ${tries} -lt ${FAIL_RETRIES} ]; do
ipset create t1 hash:ip
for i in `seq 1 4345`; do
ipset add t1 1.2.$((i / 255)).$((i % 255))
done
t1_init="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
ipset create t2 hash:ip
for i in `seq 1 4360`; do
ipset add t2 1.2.$((i / 255)).$((i % 255))
done
t2_init="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
ipset swap t1 t2
t1_swap="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
t2_swap="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
Florent Fourcot [Tue, 8 Jan 2019 19:37:33 +0000 (20:37 +0100)]
netfilter: ipset: remove useless memset() calls
One of the memset call is buggy: it does not erase full array, but only
pointer size.
Moreover, after a check, first step of nla_parse_nested/nla_parse is to
erase tb array as well. We can remove both calls safely.
Qian Cai [Sun, 2 Dec 2018 04:06:01 +0000 (23:06 -0500)]
netfilter/ipset: replace a strncpy() with strscpy()
To make overflows as obvious as possible and to prevent code from blithely
proceeding with a truncated string. This also has a side-effect to fix a
compilation warning when using GCC 8.2.1.
net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get':
net/netfilter/ipset/ip_set_core.c:2027:3: warning: 'strncpy' writing 32
bytes into a region of size 2 overflows the destination
[-Wstringop-overflow=]
Signed-off-by: Qian Cai <cai@gmx.us> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Pan Bian [Mon, 26 Nov 2018 10:42:10 +0000 (18:42 +0800)]
netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel
In the error handling block, nla_nest_cancel(skb, atd) is called to
cancel the nest operation. But then, ipset_nest_end(skb, atd) is
unexpected called to end the nest operation. This patch calls the
ipset_nest_end only on the branch that nla_nest_cancel is
not called.
Fixes: 45040978c89("netfilter: ipset: Fix set:list type crash when
flush/dump set in parallel")
Signed-off-by: Pan Bian <bianpan2016@163.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Serhey Popovych [Sun, 18 Nov 2018 19:08:23 +0000 (21:08 +0200)]
configure.ac: Fix build regression on RHEL/CentOS/SL
This was introduced with commit 0f82228387ae ("Use more robust awk
patterns to check for backward compatibility") on RHEL 7.3+ because
it's kernel contains backported upstream commit 633c9a840d0b
("netfilter: nfnetlink: avoid recurrent netns lookups in call_batch")
that introduces @net of @struct net type parameter matched with $GREP
after $AWK returns whole @struct nfnl_callback.
This causes incorrect IPSET_CBFN() prototype choose for ->call()
of @struct nfnl_callback producing following warnings during the build:
.../ipset/ip_set_core.c:2007:3: warning: initialization from
incompatible pointer type [enabled by default]
.call = ip_set_destroy,
^
../ipset/ip_set_core.c:2007:3: warning: (near initialization
for ‘ip_set_netlink_subsys_cb[3].call’) [enabled by default]
Fix by matching pattern to the end of first function pointer in
@struct nfnl_callback instead of end of struct.
Jozsef Kadlecsik [Tue, 30 Oct 2018 21:30:30 +0000 (22:30 +0100)]
Correct workaround in patch "Fix calling ip_set() macro at dumping"
As Pablo pointed out, in order to fix the bogus warnings, there's
no need for the non-useful rcu_read_lock/unlock dancing. Call
rcu_dereference_raw() instead, the ref_netlink protects the set.
Jozsef Kadlecsik [Mon, 22 Oct 2018 20:25:09 +0000 (22:25 +0200)]
Introduction of new commands and protocol version 7
Two new commands (IPSET_CMD_GET_BYNAME, IPSET_CMD_GET_BYINDEX) are
introduced. The new commands makes possible to eliminate the getsockopt
operation (in iptables set/SET match/target) and thus use only netlink
communication between userspace and kernel for ipset. With the new
protocol version, userspace can exactly know which functionality is
supported by the running kernel.
Both the kernel and userspace is fully backward compatible.
License cleanup: add SPDX license identifier to uapi header files with no license
Many user space API headers are missing licensing information, which
makes it hard for compliance tools to determine the correct license.
By default are files without license information under the default
license of the kernel, which is GPLV2. Marking them GPLV2 would exclude
them from being included in non GPLV2 code, which is obviously not
intended. The user space API headers fall under the syscall exception
which is in the kernels COPYING file:
NOTE! This copyright does *not* cover user programs that use kernel
services by normal system calls - this is merely considered normal use
of the kernel, and does *not* fall under the heading of "derived work".
otherwise syscall usage would not be possible.
Update the files which contain no license information with an SPDX
license identifier. The chosen identifier is 'GPL-2.0 WITH
Linux-syscall-note' which is the officially assigned identifier for the
Linux syscall exception. SPDX license identifiers are a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne. See the previous patch in this series for the
methodology of how this patch was researched.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>