Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'nf-next-26-01-20' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next
Florian Westphal says:
====================
Subject: netfilter: updates for net-next
1) Speed up nftables transactions after earlier transaction failed.
Due to a (harmeless) bug we remained in slow paranoia mode until
a successful transaction completes.
2) Allow generic tracker to resolve clashes, this avoids very rare
packet drops. From Yuto Hamaguchi.
3) Increase the cleanup budget to 64 entries in nf_conncount to reap
more entries in one go, from Fernando Fernandez Mancera.
4) Allow icmp trackers to resolve clashes, this avoids very rare
initial packet drop with test cases that have high-frequency pings.
After this all trackers except tcp and sctp allow clash resolution.
5) Disentangle netfilter headers, don't include nftables/xtables headers
in subsystems that are unrelated.
6) Don't rely on implicit includes coming from nf_conntrack_proto_gre.h.
7) Allow nfnetlink_queue nfq instance struct to get accounted via memcg,
from Scott Mitchell.
8) Reject bogus xt target/match data upfront via netlink policiy in
nft_compat interface rather than relying on x_tables API to do it.
9) Fix nf_conncount breakage when trying to limit loopback flows via
prerouting rule, from Fernando Fernandez Mancera.
This is a recent breakage but not seen as urgent enough to rush this
via net tree at this late stage in development cycle.
10) Fix a possible off-by-one when parsing tcp option in xtables tcpmss
match. Also handled via -next due to late stage in development
cycle.
* tag 'nf-next-26-01-20' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: xt_tcpmss: check remaining length before reading optlen
netfilter: nf_conncount: fix tracking of connections from localhost
netfilter: nft_compat: add more restrictions on netlink attributes
netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC -> GFP_KERNEL_ACCOUNT allocation
netfilter: nf_conntrack: don't rely on implicit includes
netfilter: don't include xt and nftables.h in unrelated subsystems
netfilter: nf_conntrack: enable icmp clash support
netfilter: nf_conncount: increase the connection clean up limit to 64
netfilter: nf_conntrack: Add allow_clash to generic protocol handler
netfilter: nf_tables: reset table validation state on abort
====================
Link: https://patch.msgid.link/20260120191803.22208-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+102
-60
-1
include/linux/audit.h
-1
include/linux/audit.h
-3
include/linux/netfilter/nf_conntrack_proto_gre.h
-3
include/linux/netfilter/nf_conntrack_proto_gre.h
+1
include/net/netfilter/nf_conntrack.h
+1
include/net/netfilter/nf_conntrack.h
+1
include/net/netfilter/nf_conntrack_count.h
+1
include/net/netfilter/nf_conntrack_count.h
···
13
13
u32 last_gc; /* jiffies at most recent gc */
14
14
struct list_head head; /* connections with the same filtering key */
15
15
unsigned int count; /* length of list */
16
+
unsigned int last_gc_count; /* length of list at most recent gc */
16
17
};
17
18
18
19
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen);
+1
-1
include/net/netfilter/nf_conntrack_tuple.h
+1
-1
include/net/netfilter/nf_conntrack_tuple.h
-1
include/net/netfilter/nf_tables.h
-1
include/net/netfilter/nf_tables.h
+1
-2
net/bridge/netfilter/nf_conntrack_bridge.c
+1
-2
net/bridge/netfilter/nf_conntrack_bridge.c
+23
-7
net/netfilter/nf_conncount.c
+23
-7
net/netfilter/nf_conncount.c
···
34
34
35
35
#define CONNCOUNT_SLOTS 256U
36
36
37
-
#define CONNCOUNT_GC_MAX_NODES 8
38
-
#define MAX_KEYLEN 5
37
+
#define CONNCOUNT_GC_MAX_NODES 8
38
+
#define CONNCOUNT_GC_MAX_COLLECT 64
39
+
#define MAX_KEYLEN 5
39
40
40
41
/* we will save the tuples of all connections we care about */
41
42
struct nf_conncount_tuple {
···
179
178
return -ENOENT;
180
179
181
180
if (ct && nf_ct_is_confirmed(ct)) {
182
-
err = -EEXIST;
183
-
goto out_put;
181
+
/* local connections are confirmed in postrouting so confirmation
182
+
* might have happened before hitting connlimit
183
+
*/
184
+
if (skb->skb_iif != LOOPBACK_IFINDEX) {
185
+
err = -EEXIST;
186
+
goto out_put;
187
+
}
188
+
189
+
/* this is likely a local connection, skip optimization to avoid
190
+
* adding duplicates from a 'packet train'
191
+
*/
192
+
goto check_connections;
184
193
}
185
194
186
-
if ((u32)jiffies == list->last_gc)
195
+
if ((u32)jiffies == list->last_gc &&
196
+
(list->count - list->last_gc_count) < CONNCOUNT_GC_MAX_COLLECT)
187
197
goto add_new_node;
188
198
199
+
check_connections:
189
200
/* check the saved connections */
190
201
list_for_each_entry_safe(conn, conn_n, &list->head, node) {
191
-
if (collect > CONNCOUNT_GC_MAX_NODES)
202
+
if (collect > CONNCOUNT_GC_MAX_COLLECT)
192
203
break;
193
204
194
205
found = find_or_evict(net, list, conn);
···
243
230
nf_ct_put(found_ct);
244
231
}
245
232
list->last_gc = (u32)jiffies;
233
+
list->last_gc_count = list->count;
246
234
247
235
add_new_node:
248
236
if (WARN_ON_ONCE(list->count > INT_MAX)) {
···
291
277
spin_lock_init(&list->list_lock);
292
278
INIT_LIST_HEAD(&list->head);
293
279
list->count = 0;
280
+
list->last_gc_count = 0;
294
281
list->last_gc = (u32)jiffies;
295
282
}
296
283
EXPORT_SYMBOL_GPL(nf_conncount_list_init);
···
331
316
}
332
317
333
318
nf_ct_put(found_ct);
334
-
if (collected > CONNCOUNT_GC_MAX_NODES)
319
+
if (collected > CONNCOUNT_GC_MAX_COLLECT)
335
320
break;
336
321
}
337
322
338
323
if (!list->count)
339
324
ret = true;
340
325
list->last_gc = (u32)jiffies;
326
+
list->last_gc_count = list->count;
341
327
342
328
return ret;
343
329
}
+1
net/netfilter/nf_conntrack_bpf.c
+1
net/netfilter/nf_conntrack_bpf.c
+1
net/netfilter/nf_conntrack_h323_main.c
+1
net/netfilter/nf_conntrack_h323_main.c
+1
net/netfilter/nf_conntrack_netlink.c
+1
net/netfilter/nf_conntrack_netlink.c
+1
net/netfilter/nf_conntrack_proto_generic.c
+1
net/netfilter/nf_conntrack_proto_generic.c
+2
net/netfilter/nf_conntrack_proto_gre.c
+2
net/netfilter/nf_conntrack_proto_gre.c
···
33
33
#include <linux/skbuff.h>
34
34
#include <linux/slab.h>
35
35
#include <net/dst.h>
36
+
#include <net/gre.h>
36
37
#include <net/net_namespace.h>
37
38
#include <net/netns/generic.h>
38
39
#include <net/netfilter/nf_conntrack_l4proto.h>
39
40
#include <net/netfilter/nf_conntrack_helper.h>
40
41
#include <net/netfilter/nf_conntrack_core.h>
41
42
#include <net/netfilter/nf_conntrack_timeout.h>
43
+
#include <net/pptp.h>
42
44
#include <linux/netfilter/nf_conntrack_proto_gre.h>
43
45
#include <linux/netfilter/nf_conntrack_pptp.h>
44
46
+1
net/netfilter/nf_conntrack_proto_icmp.c
+1
net/netfilter/nf_conntrack_proto_icmp.c
+1
net/netfilter/nf_conntrack_proto_icmpv6.c
+1
net/netfilter/nf_conntrack_proto_icmpv6.c
+2
net/netfilter/nf_flow_table_ip.c
+2
net/netfilter/nf_flow_table_ip.c
+1
net/netfilter/nf_flow_table_offload.c
+1
net/netfilter/nf_flow_table_offload.c
+1
net/netfilter/nf_flow_table_path.c
+1
net/netfilter/nf_flow_table_path.c
+3
net/netfilter/nf_nat_ovs.c
+3
net/netfilter/nf_nat_ovs.c
···
2
2
/* Support nat functions for openvswitch and used by OVS and TC conntrack. */
3
3
4
4
#include <net/netfilter/nf_nat.h>
5
+
#include <net/ipv6.h>
6
+
#include <linux/ip.h>
7
+
#include <linux/if_vlan.h>
5
8
6
9
/* Modelled after nf_nat_ipv[46]_fn().
7
10
* range is only used for new, uninitialized NAT state.
+1
net/netfilter/nf_nat_proto.c
+1
net/netfilter/nf_nat_proto.c
+1
net/netfilter/nf_synproxy_core.c
+1
net/netfilter/nf_synproxy_core.c
+8
net/netfilter/nf_tables_api.c
+8
net/netfilter/nf_tables_api.c
···
14
14
#include <linux/rhashtable.h>
15
15
#include <linux/audit.h>
16
16
#include <linux/netfilter.h>
17
+
#include <linux/netfilter_ipv4.h>
17
18
#include <linux/netfilter/nfnetlink.h>
18
19
#include <linux/netfilter/nf_tables.h>
19
20
#include <net/netfilter/nf_flow_table.h>
···
11536
11535
gc_seq = nft_gc_seq_begin(nft_net);
11537
11536
ret = __nf_tables_abort(net, action);
11538
11537
nft_gc_seq_end(nft_net, gc_seq);
11538
+
11539
+
if (action == NFNL_ABORT_NONE) {
11540
+
struct nft_table *table;
11541
+
11542
+
list_for_each_entry(table, &nft_net->tables, list)
11543
+
table->validate_state = NFT_VALIDATE_SKIP;
11544
+
}
11539
11545
11540
11546
WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11541
11547
+34
-41
net/netfilter/nfnetlink_queue.c
+34
-41
net/netfilter/nfnetlink_queue.c
···
121
121
unsigned int h;
122
122
int err;
123
123
124
-
spin_lock(&q->instances_lock);
125
-
if (instance_lookup(q, queue_num)) {
126
-
err = -EEXIST;
127
-
goto out_unlock;
128
-
}
129
-
130
-
inst = kzalloc(sizeof(*inst), GFP_ATOMIC);
131
-
if (!inst) {
132
-
err = -ENOMEM;
133
-
goto out_unlock;
134
-
}
124
+
inst = kzalloc(sizeof(*inst), GFP_KERNEL_ACCOUNT);
125
+
if (!inst)
126
+
return ERR_PTR(-ENOMEM);
135
127
136
128
inst->queue_num = queue_num;
137
129
inst->peer_portid = portid;
···
133
141
spin_lock_init(&inst->lock);
134
142
INIT_LIST_HEAD(&inst->queue_list);
135
143
144
+
spin_lock(&q->instances_lock);
145
+
if (instance_lookup(q, queue_num)) {
146
+
err = -EEXIST;
147
+
goto out_unlock;
148
+
}
149
+
136
150
if (!try_module_get(THIS_MODULE)) {
137
151
err = -EAGAIN;
138
-
goto out_free;
152
+
goto out_unlock;
139
153
}
140
154
141
155
h = instance_hashfn(queue_num);
···
151
153
152
154
return inst;
153
155
154
-
out_free:
155
-
kfree(inst);
156
156
out_unlock:
157
157
spin_unlock(&q->instances_lock);
158
+
kfree(inst);
158
159
return ERR_PTR(err);
159
160
}
160
161
···
1495
1498
struct nfqnl_msg_config_cmd *cmd = NULL;
1496
1499
struct nfqnl_instance *queue;
1497
1500
__u32 flags = 0, mask = 0;
1498
-
int ret = 0;
1501
+
1502
+
WARN_ON_ONCE(!lockdep_nfnl_is_held(NFNL_SUBSYS_QUEUE));
1499
1503
1500
1504
if (nfqa[NFQA_CFG_CMD]) {
1501
1505
cmd = nla_data(nfqa[NFQA_CFG_CMD]);
···
1542
1544
}
1543
1545
}
1544
1546
1547
+
/* Lookup queue under RCU. After peer_portid check (or for new queue
1548
+
* in BIND case), the queue is owned by the socket sending this message.
1549
+
* A socket cannot simultaneously send a message and close, so while
1550
+
* processing this CONFIG message, nfqnl_rcv_nl_event() (triggered by
1551
+
* socket close) cannot destroy this queue. Safe to use without RCU.
1552
+
*/
1545
1553
rcu_read_lock();
1546
1554
queue = instance_lookup(q, queue_num);
1547
1555
if (queue && queue->peer_portid != NETLINK_CB(skb).portid) {
1548
-
ret = -EPERM;
1549
-
goto err_out_unlock;
1556
+
rcu_read_unlock();
1557
+
return -EPERM;
1550
1558
}
1559
+
rcu_read_unlock();
1551
1560
1552
1561
if (cmd != NULL) {
1553
1562
switch (cmd->command) {
1554
1563
case NFQNL_CFG_CMD_BIND:
1555
-
if (queue) {
1556
-
ret = -EBUSY;
1557
-
goto err_out_unlock;
1558
-
}
1559
-
queue = instance_create(q, queue_num,
1560
-
NETLINK_CB(skb).portid);
1561
-
if (IS_ERR(queue)) {
1562
-
ret = PTR_ERR(queue);
1563
-
goto err_out_unlock;
1564
-
}
1564
+
if (queue)
1565
+
return -EBUSY;
1566
+
queue = instance_create(q, queue_num, NETLINK_CB(skb).portid);
1567
+
if (IS_ERR(queue))
1568
+
return PTR_ERR(queue);
1565
1569
break;
1566
1570
case NFQNL_CFG_CMD_UNBIND:
1567
-
if (!queue) {
1568
-
ret = -ENODEV;
1569
-
goto err_out_unlock;
1570
-
}
1571
+
if (!queue)
1572
+
return -ENODEV;
1571
1573
instance_destroy(q, queue);
1572
-
goto err_out_unlock;
1574
+
return 0;
1573
1575
case NFQNL_CFG_CMD_PF_BIND:
1574
1576
case NFQNL_CFG_CMD_PF_UNBIND:
1575
1577
break;
1576
1578
default:
1577
-
ret = -ENOTSUPP;
1578
-
goto err_out_unlock;
1579
+
return -EOPNOTSUPP;
1579
1580
}
1580
1581
}
1581
1582
1582
-
if (!queue) {
1583
-
ret = -ENODEV;
1584
-
goto err_out_unlock;
1585
-
}
1583
+
if (!queue)
1584
+
return -ENODEV;
1586
1585
1587
1586
if (nfqa[NFQA_CFG_PARAMS]) {
1588
1587
struct nfqnl_msg_config_params *params =
···
1604
1609
spin_unlock_bh(&queue->lock);
1605
1610
}
1606
1611
1607
-
err_out_unlock:
1608
-
rcu_read_unlock();
1609
-
return ret;
1612
+
return 0;
1610
1613
}
1611
1614
1612
1615
static const struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = {
+10
-3
net/netfilter/nft_compat.c
+10
-3
net/netfilter/nft_compat.c
···
134
134
}
135
135
136
136
static const struct nla_policy nft_target_policy[NFTA_TARGET_MAX + 1] = {
137
-
[NFTA_TARGET_NAME] = { .type = NLA_NUL_STRING },
137
+
[NFTA_TARGET_NAME] = { .type = NLA_NUL_STRING,
138
+
.len = XT_EXTENSION_MAXNAMELEN, },
138
139
[NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255),
139
140
[NFTA_TARGET_INFO] = { .type = NLA_BINARY },
140
141
};
···
435
434
}
436
435
437
436
static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
438
-
[NFTA_MATCH_NAME] = { .type = NLA_NUL_STRING },
437
+
[NFTA_MATCH_NAME] = { .type = NLA_NUL_STRING,
438
+
.len = XT_EXTENSION_MAXNAMELEN },
439
439
[NFTA_MATCH_REV] = NLA_POLICY_MAX(NLA_BE32, 255),
440
440
[NFTA_MATCH_INFO] = { .type = NLA_BINARY },
441
441
};
···
695
693
696
694
name = nla_data(tb[NFTA_COMPAT_NAME]);
697
695
rev = ntohl(nla_get_be32(tb[NFTA_COMPAT_REV]));
698
-
target = ntohl(nla_get_be32(tb[NFTA_COMPAT_TYPE]));
696
+
/* x_tables api checks for 'target == 1' to mean target,
697
+
* everything else means 'match'.
698
+
* In x_tables world, the number is set by kernel, not
699
+
* userspace.
700
+
*/
701
+
target = nla_get_be32(tb[NFTA_COMPAT_TYPE]) == htonl(1);
699
702
700
703
switch(family) {
701
704
case AF_INET:
+1
net/netfilter/nft_flow_offload.c
+1
net/netfilter/nft_flow_offload.c
+1
net/netfilter/nft_synproxy.c
+1
net/netfilter/nft_synproxy.c
+1
-1
net/netfilter/xt_tcpmss.c
+1
-1
net/netfilter/xt_tcpmss.c
+2
net/sched/act_ct.c
+2
net/sched/act_ct.c
···
13
13
#include <linux/skbuff.h>
14
14
#include <linux/rtnetlink.h>
15
15
#include <linux/pkt_cls.h>
16
+
#include <linux/if_tunnel.h>
16
17
#include <linux/ip.h>
17
18
#include <linux/ipv6.h>
18
19
#include <linux/rhashtable.h>
20
+
#include <net/gre.h>
19
21
#include <net/netlink.h>
20
22
#include <net/pkt_sched.h>
21
23
#include <net/pkt_cls.h>