leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a654de8fdc
linux/net
History
Pablo Neira Ayuso a654de8fdc netfilter: nf_tables: fix chain dependency validation 
The following ruleset:

 add table ip filter
 add chain ip filter input { type filter hook input priority 4; }
 add chain ip filter ap
 add rule ip filter input jump ap
 add rule ip filter ap masquerade

results in a panic, because the masquerade extension should be rejected
from the filter chain. The existing validation is missing a chain
dependency check when the rule is added to the non-base chain.

This patch fixes the problem by walking down the rules from the
basechains, searching for either immediate or lookup expressions, then
jumping to non-base chains and again walking down the rules to perform
the expression validation, so we make sure the full ruleset graph is
validated. This is done only once from the commit phase, in case of
problem, we abort the transaction and perform fine grain validation for
error reporting. This patch requires 003087911a ("netfilter:
nfnetlink: allow commit to fail") to achieve this behaviour.

This patch also adds a cleanup callback to nfnl batch interface to reset
the validate state from the exit path.

As a result of this patch, nf_tables_check_loops() doesn't use
->validate to check for loops, instead it just checks for immediate
expressions.

Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-06-01 09:46:22 +02:00
..
6lowpan
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
802
8021q vlan: Add extack messages for link create 2018-05-17 17:08:55 -04:00
appletalk net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
atm net: atm: Fix potential Spectre v1 2018-05-04 12:52:47 -04:00
ax25 net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
bluetooth Bluetooth: Add __hci_cmd_send function 2018-05-18 06:37:52 +02:00
bpf bpf: making bpf_prog_test run aware of possible data_end ptr change 2018-04-18 23:34:16 +02:00
bpfilter bpfilter: don't pass O_CREAT when opening console for debug 2018-05-24 09:36:49 -04:00
bridge net: bridge: add support for port isolation 2018-05-25 14:37:20 -04:00
caif net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN" 2018-04-19 13:37:10 -04:00
can net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ceph libceph: add osd_req_op_extent_osd_data_bvecs() 2018-05-10 10:15:05 +02:00
core net/ipv6: Udate fib6_table_lookup tracepoint 2018-05-24 23:01:15 -04:00
dcb net/dcb: Add dcbnl buffer attribute 2018-05-24 14:22:59 -07:00
dccp dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect() 2018-05-22 13:55:20 -04:00
decnet net: fib_rules: add extack support 2018-04-23 10:21:24 -04:00
dns_resolver KEYS: DNS: limit the length of option strings 2018-04-17 15:17:41 -04:00
dsa Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-21 16:01:54 -04:00
ethernet net: core: rework basic flow dissection helper 2018-05-08 00:02:36 -04:00
hsr
ieee802154 net: ieee802154: 6lowpan: fix frag reassembly 2018-04-23 20:56:24 +02:00
ife net: sched: ife: check on metadata length 2018-04-22 21:12:00 -04:00
ipv4 netfilter: nat: merge ipv4/ipv6 masquerade code into main nat module 2018-05-29 00:25:36 +02:00
ipv6 netfilter: nat: merge ipv4/ipv6 masquerade code into main nat module 2018-05-29 00:25:36 +02:00
iucv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-23 11:31:58 -04:00
kcm net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
key af_key: Always verify length of provided sadb_key 2018-04-09 07:06:38 +02:00
l2tp l2tp: consistent reference counting in procfs and debufs 2018-04-27 11:06:35 -04:00
l3mdev
lapb
llc llc: better deal with too small mtu 2018-05-08 00:11:40 -04:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
mac802154 net/mac802154: disambiguate mac80215 vs mac802154 trace events 2018-03-28 22:55:18 +02:00
mpls net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ncsi net/ncsi: prevent a couple array underflows 2018-05-17 16:27:39 -04:00
netfilter netfilter: nf_tables: fix chain dependency validation 2018-06-01 09:46:22 +02:00
netlabel
netlink net/netlink: make sure the headers line up actual value output 2018-05-04 13:00:57 -04:00
netrom net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
nfc
nsh nsh: fix infinite loop 2018-05-04 12:54:38 -04:00
openvswitch openvswitch: Support conntrack zone limit 2018-05-25 16:45:19 -04:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
phonet net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
psample
qrtr net: qrtr: Expose tunneling endpoint to user space 2018-04-27 15:06:10 -04:00
rds Merge candidates for 4.17-rc 2018-05-24 14:12:05 -07:00
rfkill rfkill: Create rfkill-none LED trigger 2018-05-23 11:26:45 +02:00
rose net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
rxrpc rxrpc: Trace UDP transmission failure 2018-05-10 23:26:01 +01:00
sched Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
smc net/smc: longer delay when freeing client link groups 2018-05-23 16:02:35 -04:00
strparser strparser: Do not call mod_delayed_work with a timeout of LONG_MAX 2018-04-22 21:09:16 -04:00
sunrpc Merge candidates for 4.17-rc 2018-05-24 14:12:05 -07:00
switchdev
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-11 20:53:22 -04:00
tls Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-21 16:01:54 -04:00
unix af_unix: remove redundant lockdep class 2018-04-04 11:13:40 -04:00
vmw_vsock VSOCK: make af_vsock.ko removable again 2018-04-17 09:44:30 -04:00
wimax
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-26 19:46:15 -04:00
x25 net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
xdp xsk: convert atomic_t to refcount_t 2018-05-22 10:25:06 +02:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-11 20:53:22 -04:00
compat.c net: support compat 64-bit time in {s,g}etsockopt 2018-04-27 19:46:06 -04:00
Kconfig net: add skeleton of bpfilter kernel module 2018-05-23 13:23:40 -04:00
Makefile net: add skeleton of bpfilter kernel module 2018-05-23 13:23:40 -04:00
socket.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2018-04-05 11:56:35 -07:00
sysctl_net.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00