Commit 859191b2 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Incorrect netlink report logic in flowtable and genID.

2) Add a selftest to check that wireguard passes the right sk
   to ip_route_me_harder, from Jason A. Donenfeld.

3) Pass the actual sk to ip_route_me_harder(), also from Jason.

4) Missing expression validation of updates via nft --check.

5) Update byte and packet counters regardless of whether they
   match, from Stefano Brivio.
====================

Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 20149e9e 7d10e62c

include/linux/netfilter/nfnetlink.h

+8 −1
Original line number Diff line number Diff line
@@ -24,6 +24,12 @@ struct nfnl_callback { 
	const u_int16_t attr_count;		/* number of nlattr's */

};



enum nfnl_abort_action {

	NFNL_ABORT_NONE		= 0,

	NFNL_ABORT_AUTOLOAD,

	NFNL_ABORT_VALIDATE,

};



struct nfnetlink_subsystem {

	const char *name;

	__u8 subsys_id;			/* nfnetlink subsystem ID */
@@ -31,7 +37,8 @@ struct nfnetlink_subsystem { 
	const struct nfnl_callback *cb;	/* callback for individual types */

	struct module *owner;

	int (*commit)(struct net *net, struct sk_buff *skb);

	int (*abort)(struct net *net, struct sk_buff *skb, bool autoload);

	int (*abort)(struct net *net, struct sk_buff *skb,

		     enum nfnl_abort_action action);

	void (*cleanup)(struct net *net);

	bool (*valid_genid)(struct net *net, u32 genid);

};

include/linux/netfilter_ipv4.h

+1 −1
Original line number Diff line number Diff line
@@ -16,7 +16,7 @@ struct ip_rt_info { 
	u_int32_t mark;

};



int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);

int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned addr_type);



struct nf_queue_entry;

include/linux/netfilter_ipv6.h

+5 −5
Original line number Diff line number Diff line
@@ -42,7 +42,7 @@ struct nf_ipv6_ops { 
#if IS_MODULE(CONFIG_IPV6)

	int (*chk_addr)(struct net *net, const struct in6_addr *addr,

			const struct net_device *dev, int strict);

	int (*route_me_harder)(struct net *net, struct sk_buff *skb);

	int (*route_me_harder)(struct net *net, struct sock *sk, struct sk_buff *skb);

	int (*dev_get_saddr)(struct net *net, const struct net_device *dev,

		       const struct in6_addr *daddr, unsigned int srcprefs,

		       struct in6_addr *saddr);
@@ -143,9 +143,9 @@ static inline int nf_br_ip6_fragment(struct net *net, struct sock *sk, 
#endif

}



int ip6_route_me_harder(struct net *net, struct sk_buff *skb);

int ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb);



static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb)

static inline int nf_ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb)

{

#if IS_MODULE(CONFIG_IPV6)

	const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
@@ -153,9 +153,9 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb) 
	if (!v6_ops)

		return -EHOSTUNREACH;



	return v6_ops->route_me_harder(net, skb);

	return v6_ops->route_me_harder(net, sk, skb);

#elif IS_BUILTIN(CONFIG_IPV6)

	return ip6_route_me_harder(net, skb);

	return ip6_route_me_harder(net, sk, skb);

#else

	return -EHOSTUNREACH;

#endif

net/ipv4/netfilter.c

+5 −3
Original line number Diff line number Diff line
@@ -17,17 +17,19 @@ 
#include <net/netfilter/nf_queue.h>



/* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */

int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_type)

int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned int addr_type)

{

	const struct iphdr *iph = ip_hdr(skb);

	struct rtable *rt;

	struct flowi4 fl4 = {};

	__be32 saddr = iph->saddr;

	const struct sock *sk = skb_to_full_sk(skb);

	__u8 flags = sk ? inet_sk_flowi_flags(sk) : 0;

	__u8 flags;

	struct net_device *dev = skb_dst(skb)->dev;

	unsigned int hh_len;



	sk = sk_to_full_sk(sk);

	flags = sk ? inet_sk_flowi_flags(sk) : 0;



	if (addr_type == RTN_UNSPEC)

		addr_type = inet_addr_type_dev_table(net, dev, saddr);

	if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)

net/ipv4/netfilter/iptable_mangle.c

+1 −1
Original line number Diff line number Diff line
@@ -62,7 +62,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state) 
		    iph->daddr != daddr ||

		    skb->mark != mark ||

		    iph->tos != tos) {

			err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);

			err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC);

			if (err < 0)

				ret = NF_DROP_ERR(err);

		}