Commit d753a050 authored Oct 19, 2022 by Jakub Kicinski

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

1) Missing flowi uid field in nft_fib expression, from Guillaume Nault.
   This is broken since the creation of the fib expression.

2) Relax sanity check to fix bogus EINVAL error when deleting elements
   belonging set intervals. Broken since 6.0-rc.

* git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements
  netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.
====================

Link: https://lore.kernel.org/r/20221019065225.1006344-1-pablo@netfilter.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parents a1a824f4 96df8360

net/ipv4/netfilter/ipt_rpfilter.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -78,6 +78,7 @@ static bool rpfilter_mt(const struct sk_buff skb, struct xt_action_param par)
		flow.flowi4_tos = iph->tos & IPTOS_RT_MASK;
		flow.flowi4_scope = RT_SCOPE_UNIVERSE;
		flow.flowi4_l3mdev = l3mdev_master_ifindex_rcu(xt_in(par));
		flow.flowi4_uid = sock_net_uid(xt_net(par), NULL);

		return rpfilter_lookup_reverse(xt_net(par), &flow, xt_in(par), info->flags) ^ invert;
		}

net/ipv4/netfilter/nft_fib_ipv4.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -65,6 +65,7 @@ void nft_fib4_eval(const struct nft_expr expr, struct nft_regs regs,
		struct flowi4 fl4 = {
		.flowi4_scope = RT_SCOPE_UNIVERSE,
		.flowi4_iif = LOOPBACK_IFINDEX,
		.flowi4_uid = sock_net_uid(nft_net(pkt), NULL),
		};
		const struct net_device *oif;
		const struct net_device *found;

net/ipv6/netfilter/ip6t_rpfilter.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -40,6 +40,7 @@ static bool rpfilter_lookup_reverse6(struct net net, const struct sk_buff skb,
		.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev),
		.flowlabel = (* (__be32 *) iph) & IPV6_FLOWINFO_MASK,
		.flowi6_proto = iph->nexthdr,
		.flowi6_uid = sock_net_uid(net, NULL),
		.daddr = iph->saddr,
		};
		int lookup_flags;

net/ipv6/netfilter/nft_fib_ipv6.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -66,6 +66,7 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
		struct flowi6 fl6 = {
		.flowi6_iif = LOOPBACK_IFINDEX,
		.flowi6_proto = pkt->tprot,
		.flowi6_uid = sock_net_uid(nft_net(pkt), NULL),
		};
		u32 ret = 0;

		@@ -163,6 +164,7 @@ void nft_fib6_eval(const struct nft_expr expr, struct nft_regs regs,
		struct flowi6 fl6 = {
		.flowi6_iif = LOOPBACK_IFINDEX,
		.flowi6_proto = pkt->tprot,
		.flowi6_uid = sock_net_uid(nft_net(pkt), NULL),
		};
		struct rt6_info *rt;
		int lookup_flags;

net/netfilter/nf_tables_api.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -5865,8 +5865,9 @@ static bool nft_setelem_valid_key_end(const struct nft_set *set,
		(NFT_SET_CONCAT \| NFT_SET_INTERVAL)) {
		if (flags & NFT_SET_ELEM_INTERVAL_END)
		return false;
		if (!nla[NFTA_SET_ELEM_KEY_END] &&
		!(flags & NFT_SET_ELEM_CATCHALL))

		if (nla[NFTA_SET_ELEM_KEY_END] &&
		flags & NFT_SET_ELEM_CATCHALL)
		return false;
		} else {
		if (nla[NFTA_SET_ELEM_KEY_END])