
Merge branch 'main' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Restore ctnetlink zero mark in events and dump, from Ivan Delalande.

2) Fix deadlock due to a missing BH disable in tproxy, from Florian Westphal.

3) Safer maximum chain load in conntrack, from Eric Dumazet.

* 'main' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
netfilter: conntrack: adopt safer max chain length
netfilter: tproxy: fix deadlock due to missing BH disable
netfilter: ctnetlink: revert to dumping mark regardless of event type
====================

Link: https://lore.kernel.org/r/20230307100424.2037-1-pablo@netfilter.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

+18 -11
+7
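--- a/include/net/netfilter/nf_tproxy.h
+++ b/include/net/netfilter/nf_tproxy.h
@@ -17,6 +17,13 @@
 return false;
 }
 
+static inline void nf_tproxy_twsk_deschedule_put(struct inet_timewait_sock *tw)
+{
+local_bh_disable();
+inet_twsk_deschedule_put(tw);
+local_bh_enable();
+}
+
 /* assign a socket to the skb -- consumes sk */
 static inline void nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
 {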
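Review bot: The new nf_tproxy_twsk_deschedule_put() helper carries no comment saying why inet_twsk_deschedule_put() has to be bracketed by local_bh_disable()/local_bh_enable(), so a later reader is likely to see the wrapper as redundant and fold it back into the two callers. The commit message attributes this change to a deadlock caused by a missing BH disable, so I would record that on the helper: `/* Callers are not guaranteed to run with BH disabled; inet_twsk_deschedule_put() takes locks that are also taken from softirq context, so disable BH here to avoid a deadlock. */`. If this header does not already pull in the declarations of struct inet_timewait_sock and inet_twsk_deschedule_put(), an explicit include is needed as well; the hunk does not show the include list, so that is worth confirming. nf_tproxy_assign_sock() continues past the end of the hunk.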
+1 -1
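--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
+++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
@@ -38,7 +38,7 @@
 hp->source, lport ? lport : hp->dest,
 skb->dev, NF_TPROXY_LOOKUP_LISTENER);
 if (sk2) {
-inet_twsk_deschedule_put(inet_twsk(sk));
+nf_tproxy_twsk_deschedule_put(inet_twsk(sk));
 sk = sk2;
 }
 }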
+1 -1
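--- a/net/ipv6/netfilter/nf_tproxy_ipv6.c
+++ b/net/ipv6/netfilter/nf_tproxy_ipv6.c
@@ -63,7 +63,7 @@
 lport ? lport : hp->dest,
 skb->dev, NF_TPROXY_LOOKUP_LISTENER);
 if (sk2) {
-inet_twsk_deschedule_put(inet_twsk(sk));
+nf_tproxy_twsk_deschedule_put(inet_twsk(sk));
 sk = sk2;
 }
 }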
+2 -2
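--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -96,8 +96,8 @@
 #define GC_SCAN_MAX_DURATION msecs_to_jiffies(10)
 #define GC_SCAN_EXPIRED_MAX (64000u / HZ)
 
-#define MIN_CHAINLEN 8u
-#define MAX_CHAINLEN (32u - MIN_CHAINLEN)
+#define MIN_CHAINLEN 50u
+#define MAX_CHAINLEN (80u - MIN_CHAINLEN)
 
 static struct conntrack_gc_work conntrack_gc_work;
 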
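Review bot: MIN_CHAINLEN and MAX_CHAINLEN are retuned from 8/24 to 50/30 without a comment on what they bound, and the name MAX_CHAINLEN is misleading: as written it is the `80u - MIN_CHAINLEN` spread above the minimum, not a maximum, which only makes sense if the insert path (outside this hunk) uses the pair as bounds of a randomized per-insert cap. The chain-length cap is the conntrack table's defence against hash-flooding, so the trade-off belongs next to the values: a lower bound of 50 avoids rejecting legitimate flows when a uniformly hashed table reaches chains longer than 8 at normal load, but it also lets an attacker force chain walks of up to 80 entries per lookup instead of 32. I would add above MIN_CHAINLEN: `/* Insertion chain-length cap, presumably randomized per insert in [MIN_CHAINLEN, MIN_CHAINLEN + MAX_CHAINLEN): keep the minimum well above the chain lengths a uniformly hashed table reaches at nominal load, or legitimate flows are dropped; the upper bound limits hash-flood damage. */`.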
+7 -7
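--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -328,11 +328,12 @@
 }
 
 #ifdef CONFIG_NF_CONNTRACK_MARK
-static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
+static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct,
+bool dump)
 {
 u32 mark = READ_ONCE(ct->mark);
 
-if (!mark)
+if (!mark && !dump)
 return 0;
 
 if (nla_put_be32(skb, CTA_MARK, htonl(mark)))
@@ -343,7 +344,7 @@
 return -1;
 }
 #else
-#define ctnetlink_dump_mark(a, b) (0)
+#define ctnetlink_dump_mark(a, b, c) (0)
 #endif
 
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
@@ -548,7 +549,7 @@
 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
 {
 if (ctnetlink_dump_status(skb, ct) < 0 ||
-ctnetlink_dump_mark(skb, ct) < 0 ||
+ctnetlink_dump_mark(skb, ct, true) < 0 ||
 ctnetlink_dump_secctx(skb, ct) < 0 ||
 ctnetlink_dump_id(skb, ct) < 0 ||
 ctnetlink_dump_use(skb, ct) < 0 ||
@@ -831,8 +832,7 @@
 }
 
 #ifdef CONFIG_NF_CONNTRACK_MARK
-if (events & (1 << IPCT_MARK) &&
-ctnetlink_dump_mark(skb, ct) < 0)
+if (ctnetlink_dump_mark(skb, ct, events & (1 << IPCT_MARK)))
 goto nla_put_failure;
 #endif
 nlmsg_end(skb, nlh);
@@ -2735,7 +2735,7 @@
 goto nla_put_failure;
 
 #ifdef CONFIG_NF_CONNTRACK_MARK
-if (ctnetlink_dump_mark(skb, ct) < 0)
+if (ctnetlink_dump_mark(skb, ct, true) < 0)
 goto nla_put_failure;
 #endif
 if (ctnetlink_dump_labels(skb, ct) < 0)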
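Review bot: In the event path (the function enclosing the hunk at old line 831 starts outside it) the new call `if (ctnetlink_dump_mark(skb, ct, events & (1 << IPCT_MARK)))` drops the `< 0` test that every other caller in this patch keeps (ctnetlink_dump_info and the dump at old line 2738) and passes a raw bitmask where the parameter is `bool`; both are well-defined in C, since the function visibly returns only 0 or -1, but the inconsistency invites a later mis-edit. I would write it as `if (ctnetlink_dump_mark(skb, ct, !!(events & (1 << IPCT_MARK))) < 0)`. The new `dump` parameter also changes what a zero mark means and deserves a one-line comment on the definition, for example `/* @dump: emit CTA_MARK even when the mark is zero, so full dumps and mark-change events can report a mark that was cleared */`, which is what the callers passing true and the event passing the IPCT_MARK bit rely on.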