iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netfilter pull request 2023-07-20

Browse Source 
-----BEGIN PGP SIGNATURE-----
 
 iQJBBAABCAArFiEEgKkgxbID4Gn1hq6fcJGo2a1f9gAFAmS5ZXQNHGZ3QHN0cmxl
 bi5kZQAKCRBwkajZrV/2AArEEAC0M0dhcZIh91Z0l3kLl9fjcc9Ee6qowYo+srYK
 N3H80JIinVOdzlAnqUVq3aiy+1RROqhX+t5WyYuKdHC1ujLzbcQT0LzDN1RiAjvl
 57d49+jfFulRmbqerl22/u4bmOA3j7sdSQwztfmTx+dCR+ap2z7ghRlhwuOx0orq
 JDl4f/UX8ZWCIeQfmq/FjtsZVNI1af6oKy6G+c9y0Xjj/1jUvF/y3Xe3/Xbn1H14
 mkkonZPBnA0Xw9dAaaMmcM/JxhO1R4KEUVKxP7L78XtU/FmxbWP8K3xU91ExaR6q
 MnzDkbL7Z+k68Jf2vuxwldwkcmCJDuCibBmbgWeDhW2qAutCQGraxewnp405zPmR
 KzRVYtWxBbA5FFZWXSfHscURLG9pdzIMFruu5Vm8gzzefpQ0502IaQn1YRcYj10a
 sMvCep2x79kUvoI4hwW07eo2y5+rBIRjPu5sCv5MWENxf75XLHjqJeje+q8NKhoD
 +YGP2tWe7Pm0Ekr3Ju8TH8LDGBbmNt5FVdZCCIOOeNYp5cOLLNyupWyB86Vsjrn8
 FLnxe8xb95+2EnfA5aj7VAJtdmtDvCESDRVp30PxWSNgeltV+hBJbAUdYsaBK607
 /zOm18KreDUPNQrXTH81a9gu8tYF50zez5bTHjDOw7yatwN7etRuhNyKkOSiQoC8
 OiGA6A==
 =0qzt
 -----END PGP SIGNATURE-----

Merge tag 'nf-23-07-20' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
Netfilter fixes for net:

The following patchset contains Netfilter fixes for net:

1. Fix spurious -EEXIST error from userspace due to
   padding holes, this was broken since 4.9 days
   when 'ignore duplicate entries on insert' feature was
   added.

2. Fix a sched-while-atomic bug, present since 5.19.

3. Properly remove elements if they lack an "end range".
   nft userspace always sets an end range attribute, even
   when its the same as the start, but the abi doesn't
   have such a restriction. Always broken since it was
   added in 5.6, all three from myself.

4 + 5: Bound chain needs to be skipped in netns release
   and on rule flush paths, from Pablo Neira.

* tag 'nf-23-07-20' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nf_tables: skip bound chain on rule flush
  netfilter: nf_tables: skip bound chain in netns release path
  netfilter: nft_set_pipapo: fix improper element removal
  netfilter: nf_tables: can't schedule in nft_chain_validate
  netfilter: nf_tables: fix spurious set element insertion failure
====================

Link: https://lore.kernel.org/r/20230720165143.30208-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski 2023-07-20 12:54:21 -07:00
commit 9b39f75897
2 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
net/netfilter/nf_tables_api.c
View File

@ -3685,8 +3685,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
if (err < 0)
return err;
}
cond_resched();
}
return 0;
@ -3710,6 +3708,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
err = nft_chain_validate(&ctx, chain);
if (err < 0)
return err;
cond_resched();
}
return 0;
@ -4087,6 +4087,8 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
list_for_each_entry(chain, &table->chains, list) {
if (!nft_is_active_next(net, chain))
continue;
if (nft_chain_is_bound(chain))
continue;
ctx.chain = chain;
err = nft_delrule_by_chain(&ctx);
@ -10517,6 +10519,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
if (!tb[NFTA_VERDICT_CODE])
return -EINVAL;
/* zero padding hole for memcmp */
memset(data, 0, sizeof(*data));
data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
switch (data->verdict.code) {
@ -10799,6 +10804,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
ctx.family = table->family;
ctx.table = table;
list_for_each_entry(chain, &table->chains, list) {
if (nft_chain_is_bound(chain))
continue;
ctx.chain = chain;
list_for_each_entry_safe(rule, nr, &chain->rules, list) {
list_del(&rule->list);

6
net/netfilter/nft_set_pipapo.c
View File

@ -1929,7 +1929,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
int i, start, rules_fx;
match_start = data;
match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))
match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
else
match_end = data;
start = first_rule;
rules_fx = rules_f0;