Hi,

The following patchset contains Netfilter fixes for net, they are:

1) Unaligned atomic access in ipset, from Russell King.

2) Missing module description, from Rob Gill.

3) Patches to fix a module unload causing NULL pointer dereference in
   xtables, from David Wilder. For the record, I am posting here his
   cover letter explaining the problem:

   A crash happened on ppc64le when running ltp network tests triggered
   by "rmmod iptable_mangle". See previous discussion in this thread:
   https://lists.openwall.net/netdev/2020/06/03/161 .

   In the crash I found in iptable_mangle_hook() that
   state->net->ipv4.iptable_mangle=NULL causing a NULL pointer
   dereference. net->ipv4.iptable_mangle is set to NULL in
   iptable_mangle_net_exit() and called when the ip_mangle module is
   unloaded. A rmmod task was found running in the crash dump. A 2nd
   crash showed the same problem when running "rmmod iptable_filter"
   (net->ipv4.iptable_filter=NULL).

   To fix this I added .pre_exit hook in all iptable_foo.c. The pre_exit
   will un-register the underlying hook and exit would do the table
   freeing. The netns core does an unconditional synchronize_rcu after
   the pre_exit hooks ensuring no packets are in flight that have picked
   up the pointer before completing the un-register.

   These patches include changes for both iptables and ip6tables. We
   tested this fix with ltp running iptables01.sh and iptables01.sh -6
   in a loop for 72 hours.

4) Add a selftest for conntrack helper assignment, from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you.
----------------------------------------------------------------
The following changes since commit 67c20de35a3cc2e2cd940f95ebd85ed0a765315a:

  net: Add MODULE_DESCRIPTION entries to network modules (2020-06-20 21:33:57 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 619ae8e0697a6fb85b99b19137590c7c337c579e:

  selftests: netfilter: add test case for conntrack helper assignment (2020-06-25 00:50:31 +0200)

----------------------------------------------------------------
David Wilder (4):
      netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers.
      netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c.
      netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers.
      netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c.

Florian Westphal (1):
      selftests: netfilter: add test case for conntrack helper assignment

Rob Gill (1):
      netfilter: Add MODULE_DESCRIPTION entries to kernel modules

Russell King (1):
      netfilter: ipset: fix unaligned atomic access

 include/linux/netfilter_ipv4/ip_tables.h         |   6 +
 include/linux/netfilter_ipv6/ip6_tables.h        |   3 +
 net/bridge/netfilter/nft_meta_bridge.c           |   1 +
 net/bridge/netfilter/nft_reject_bridge.c         |   1 +
 net/ipv4/netfilter/ip_tables.c                   |  15 +-
 net/ipv4/netfilter/ipt_SYNPROXY.c                |   1 +
 net/ipv4/netfilter/iptable_filter.c              |  10 +-
 net/ipv4/netfilter/iptable_mangle.c              |  10 +-
 net/ipv4/netfilter/iptable_nat.c                 |  10 +-
 net/ipv4/netfilter/iptable_raw.c                 |  10 +-
 net/ipv4/netfilter/iptable_security.c            |  11 +-
 net/ipv4/netfilter/nf_flow_table_ipv4.c          |   1 +
 net/ipv4/netfilter/nft_dup_ipv4.c                |   1 +
 net/ipv4/netfilter/nft_fib_ipv4.c                |   1 +
 net/ipv4/netfilter/nft_reject_ipv4.c             |   1 +
 net/ipv6/netfilter/ip6_tables.c                  |  15 +-
 net/ipv6/netfilter/ip6t_SYNPROXY.c               |   1 +
 net/ipv6/netfilter/ip6table_filter.c             |  10 +-
 net/ipv6/netfilter/ip6table_mangle.c             |  10 +-
 net/ipv6/netfilter/ip6table_nat.c                |  10 +-
 net/ipv6/netfilter/ip6table_raw.c                |  10 +-
 net/ipv6/netfilter/ip6table_security.c           |  10 +-
 net/ipv6/netfilter/nf_flow_table_ipv6.c          |   1 +
 net/ipv6/netfilter/nft_dup_ipv6.c                |   1 +
 net/ipv6/netfilter/nft_fib_ipv6.c                |   1 +
 net/ipv6/netfilter/nft_reject_ipv6.c             |   1 +
 net/netfilter/ipset/ip_set_core.c                |   2 +
 net/netfilter/nf_dup_netdev.c                    |   1 +
 net/netfilter/nf_flow_table_core.c               |   1 +
 net/netfilter/nf_flow_table_inet.c               |   1 +
 net/netfilter/nf_synproxy_core.c                 |   1 +
 net/netfilter/nfnetlink.c                        |   1 +
 net/netfilter/nft_compat.c                       |   1 +
 net/netfilter/nft_connlimit.c                    |   1 +
 net/netfilter/nft_counter.c                      |   1 +
 net/netfilter/nft_ct.c                           |   1 +
 net/netfilter/nft_dup_netdev.c                   |   1 +
 net/netfilter/nft_fib_inet.c                     |   1 +
 net/netfilter/nft_fib_netdev.c                   |   1 +
 net/netfilter/nft_flow_offload.c                 |   1 +
 net/netfilter/nft_hash.c                         |   1 +
 net/netfilter/nft_limit.c                        |   1 +
 net/netfilter/nft_log.c                          |   1 +
 net/netfilter/nft_masq.c                         |   1 +
 net/netfilter/nft_nat.c                          |   1 +
 net/netfilter/nft_numgen.c                       |   1 +
 net/netfilter/nft_objref.c                       |   1 +
 net/netfilter/nft_osf.c                          |   1 +
 net/netfilter/nft_queue.c                        |   1 +
 net/netfilter/nft_quota.c                        |   1 +
 net/netfilter/nft_redir.c                        |   1 +
 net/netfilter/nft_reject.c                       |   1 +
 net/netfilter/nft_reject_inet.c                  |   1 +
 net/netfilter/nft_synproxy.c                     |   1 +
 net/netfilter/nft_tunnel.c                       |   1 +
 net/netfilter/xt_nat.c                           |   1 +
 tools/testing/selftests/netfilter/Makefile       |   2 +-
 .../selftests/netfilter/nft_conntrack_helper.sh  | 175 +++++++++++++++++++++
 58 files changed, 344 insertions(+), 16 deletions(-)
 create mode 100755 tools/testing/selftests/netfilter/nft_conntrack_helper.sh
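Added example, not part of the pull request or of the kernel tree: a user-space C model of the teardown ordering the cover letter describes. It contrasts a single exit step that clears the per-netns table pointer while a packet may still be inside the hook (the NULL dereference seen on ppc64le) with the pre_exit/exit split, where the hook is unregistered first, in-flight packets drain during the netns core's synchronize_rcu(), and only then is the table pointer cleared. All names here (struct netns, packet_enter, packet_run, old_net_exit, new_pre_exit, new_net_exit) are hypothetical stand-ins for the kernel's pernet_operations and hook path; the "grace period" is modelled by simply letting the in-flight packet finish before exit runs.

```c
/* Added example, not kernel code: a user-space model of the iptable_foo
 * teardown ordering.  Names are hypothetical stand-ins for the kernel's
 * pernet_operations (.pre_exit / .exit) and the netfilter hook path. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct xt_table { int rule_count; };

/* Per-namespace state: the table pointer (net->ipv4.iptable_mangle in the
 * kernel) and whether the hook is still registered on the netfilter chain. */
struct netns {
    struct xt_table *table;
    bool hook_registered;
};

/* A packet that may already be inside the hook when teardown starts. */
struct packet { bool entered_hook; };

/* Constructed sample table: three rules. */
static struct xt_table mangle_table = { .rule_count = 3 };

static void netns_init(struct netns *net)
{
    net->table = &mangle_table;
    net->hook_registered = true;
}

/* Hook entry: a packet only enters the hook while it is registered. */
static void packet_enter(const struct netns *net, struct packet *p)
{
    p->entered_hook = net->hook_registered;
}

/* Hook body: 0 = hook skipped, -1 = would dereference a NULL table
 * (the crash in the cover letter), otherwise the rule count evaluated. */
static int packet_run(const struct netns *net, const struct packet *p)
{
    if (!p->entered_hook)
        return 0;
    if (net->table == NULL)
        return -1;
    return net->table->rule_count;
}

/* Old layout: one .exit helper unregisters the hook and clears the table
 * pointer with no grace period for packets already inside the hook. */
static void old_net_exit(struct netns *net)
{
    net->hook_registered = false;
    net->table = NULL;
}

/* New layout: .pre_exit only unregisters the hook; the netns core then runs
 * synchronize_rcu() before .exit clears and frees the table. */
static void new_pre_exit(struct netns *net) { net->hook_registered = false; }
static void new_net_exit(struct netns *net) { net->table = NULL; }

/* In-flight packet with the old ordering: the table vanishes under it. */
int in_flight_result_old(void)
{
    struct netns net; struct packet p;
    netns_init(&net);
    packet_enter(&net, &p);   /* packet already inside the hook */
    old_net_exit(&net);       /* rmmod path runs concurrently */
    return packet_run(&net, &p);
}

/* In-flight packet with pre_exit + grace period: it finishes first. */
int in_flight_result_new(void)
{
    struct netns net; struct packet p;
    netns_init(&net);
    packet_enter(&net, &p);
    new_pre_exit(&net);
    int r = packet_run(&net, &p); /* modelled synchronize_rcu(): readers drain */
    new_net_exit(&net);           /* only now is the table cleared */
    return r;
}

/* A packet arriving after pre_exit never enters the hook at all. */
int late_packet_result_new(void)
{
    struct netns net; struct packet p;
    netns_init(&net);
    new_pre_exit(&net);
    packet_enter(&net, &p);
    new_net_exit(&net);
    return packet_run(&net, &p);
}

int main(void)
{
    printf("old order, in-flight packet: %d\n", in_flight_result_old());
    printf("new order, in-flight packet: %d\n", in_flight_result_new());
    printf("new order, late packet:      %d\n", late_packet_result_new());
    return 0;
}
```

The model makes the invariant explicit: the table pointer may only be cleared once no reader can still reach the hook, which is exactly what splitting unregistration into .pre_exit and leaving the free in .exit, with the netns core's synchronize_rcu() between them, guarantees.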