
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Do not delete clash entries on reply, let them expire instead,
from Florian Westphal.

2) Do not report EAGAIN to nfnetlink, otherwise this enters a busy loop.
Update nfnetlink_unicast() to translate EAGAIN to ENOBUFS.

3) Remove repeated words in code comments, from Randy Dunlap.

4) Several patches for the flowtable selftests, from Fabian Frederick.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+92 -91
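--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -43,8 +43,7 @@
 int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid,
 		   unsigned int group, int echo, gfp_t flags);
 int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error);
-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
-		      int flags);
+int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid);
 
 static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type)
 {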
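--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -3,7 +3,7 @@
  * nf_nat_pptp.c
  *
  * NAT support for PPTP (Point to Point Tunneling Protocol).
- * PPTP is a a protocol for creating virtual private networks.
+ * PPTP is a protocol for creating virtual private networks.
  * It is a specification defined by Microsoft and some vendors
  * working with Microsoft. PPTP is built on top of a modified
  * version of the Internet Generic Routing Encapsulation Protocol.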
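--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Connection tracking support for PPTP (Point to Point Tunneling Protocol).
- * PPTP is a a protocol for creating virtual private networks.
+ * PPTP is a protocol for creating virtual private networks.
  * It is a specification defined by Microsoft and some vendors
  * working with Microsoft. PPTP is built on top of a modified
  * version of the Internet Generic Routing Encapsulation Protocol.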
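--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1152,7 +1152,7 @@
 	    && (old_state == TCP_CONNTRACK_SYN_RECV
 		|| old_state == TCP_CONNTRACK_ESTABLISHED)
 	    && new_state == TCP_CONNTRACK_ESTABLISHED) {
-		/* Set ASSURED if we see see valid ack in ESTABLISHED
+		/* Set ASSURED if we see valid ack in ESTABLISHED
 		   after SYN_RECV or a valid answer for a picked up
 		   connection. */
 		set_bit(IPS_ASSURED_BIT, &ct->status);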
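--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -81,18 +81,6 @@
 	return false;
 }
 
-static void nf_conntrack_udp_refresh_unreplied(struct nf_conn *ct,
-					       struct sk_buff *skb,
-					       enum ip_conntrack_info ctinfo,
-					       u32 extra_jiffies)
-{
-	if (unlikely(ctinfo == IP_CT_ESTABLISHED_REPLY &&
-		     ct->status & IPS_NAT_CLASH))
-		nf_ct_kill(ct);
-	else
-		nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies);
-}
-
 /* Returns verdict for packet, and may modify conntracktype */
 int nf_conntrack_udp_packet(struct nf_conn *ct,
 			    struct sk_buff *skb,
@@ -112,12 +124,15 @@
 
 		nf_ct_refresh_acct(ct, ctinfo, skb, extra);
 
+		/* never set ASSURED for IPS_NAT_CLASH, they time out soon */
+		if (unlikely((ct->status & IPS_NAT_CLASH)))
+			return NF_ACCEPT;
+
 		/* Also, more likely to be important, and not a probe */
 		if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
 			nf_conntrack_event_cache(IPCT_ASSURED, ct);
 	} else {
-		nf_conntrack_udp_refresh_unreplied(ct, skb, ctinfo,
-						   timeouts[UDP_CT_UNREPLIED]);
+		nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]);
 	}
 	return NF_ACCEPT;
 }
@@ -197,12 +206,15 @@
 	if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
 		nf_ct_refresh_acct(ct, ctinfo, skb,
 				   timeouts[UDP_CT_REPLIED]);
+
+		if (unlikely((ct->status & IPS_NAT_CLASH)))
+			return NF_ACCEPT;
+
 		/* Also, more likely to be important, and not a probe */
 		if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
 			nf_conntrack_event_cache(IPCT_ASSURED, ct);
 	} else {
-		nf_conntrack_udp_refresh_unreplied(ct, skb, ctinfo,
-						   timeouts[UDP_CT_UNREPLIED]);
+		nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]);
 	}
 	return NF_ACCEPT;
 }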
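Review bot: The IPS_NAT_CLASH early return is added twice, at new lines 127-129 (UDP) and 210-211 (UDPlite), but only the first copy carries the explanatory comment, so the second reads as an unexplained bail-out; either repeat `/* never set ASSURED for IPS_NAT_CLASH, they time out soon */` there, or now that nf_conntrack_udp_refresh_unreplied() is gone fold both checks into one small static helper so the two protocol paths cannot drift apart. Note also that in both places the return sits after `nf_ct_refresh_acct()`, so a clash entry still has the normal unreplied/replied UDP timeout written on every packet; if "time out soon" refers to a shorter clash-specific timeout, the check should precede the refresh — confirm against nf_ct_refresh_acct(). The inner parentheses in `unlikely((ct->status & IPS_NAT_CLASH))` are redundant. Both enclosing functions start outside the hunks.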
+29 -32
net/netfilter/nf_tables_api.c
··· 815 815 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0, 816 816 family, table); 817 817 if (err < 0) 818 - goto err; 818 + goto err_fill_table_info; 819 819 820 - return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 820 + return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 821 821 822 - err: 822 + err_fill_table_info: 823 823 kfree_skb(skb2); 824 824 return err; 825 825 } ··· 1563 1563 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0, 1564 1564 family, table, chain); 1565 1565 if (err < 0) 1566 - goto err; 1566 + goto err_fill_chain_info; 1567 1567 1568 - return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 1568 + return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1569 1569 1570 - err: 1570 + err_fill_chain_info: 1571 1571 kfree_skb(skb2); 1572 1572 return err; 1573 1573 } ··· 3008 3008 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3009 3009 family, table, chain, rule, NULL); 3010 3010 if (err < 0) 3011 - goto err; 3011 + goto err_fill_rule_info; 3012 3012 3013 - return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 3013 + return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3014 3014 3015 - err: 3015 + err_fill_rule_info: 3016 3016 kfree_skb(skb2); 3017 3017 return err; 3018 3018 } ··· 3968 3968 3969 3969 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 3970 3970 if (err < 0) 3971 - goto err; 3971 + goto err_fill_set_info; 3972 3972 3973 - return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 3973 + return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3974 3974 3975 - err: 3975 + err_fill_set_info: 3976 3976 kfree_skb(skb2); 3977 3977 return err; 3978 3978 } ··· 4860 4860 err = -ENOMEM; 4861 4861 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 4862 4862 if (skb == NULL) 4863 - goto err1; 4863 + return err; 4864 4864 4865 4865 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 4866 4866 NFT_MSG_NEWSETELEM, 0, set, &elem); 4867 4867 if (err < 0) 4868 - goto err2; 4868 + goto err_fill_setelem; 4869 4869 4870 - err = 
nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT); 4871 - /* This avoids a loop in nfnetlink. */ 4872 - if (err < 0) 4873 - goto err1; 4870 + return nfnetlink_unicast(skb, ctx->net, ctx->portid); 4874 4871 4875 - return 0; 4876 - err2: 4872 + err_fill_setelem: 4877 4873 kfree_skb(skb); 4878 - err1: 4879 - /* this avoids a loop in nfnetlink. */ 4880 - return err == -EAGAIN ? -ENOBUFS : err; 4874 + return err; 4881 4875 } 4882 4876 4883 4877 /* called with rcu_read_lock held */ ··· 6176 6182 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 6177 6183 family, table, obj, reset); 6178 6184 if (err < 0) 6179 - goto err; 6185 + goto err_fill_obj_info; 6180 6186 6181 - return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 6182 - err: 6187 + return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 6188 + 6189 + err_fill_obj_info: 6183 6190 kfree_skb(skb2); 6184 6191 return err; 6185 6192 } ··· 7040 7045 NFT_MSG_NEWFLOWTABLE, 0, family, 7041 7046 flowtable, &flowtable->hook_list); 7042 7047 if (err < 0) 7043 - goto err; 7048 + goto err_fill_flowtable_info; 7044 7049 7045 - return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 7046 - err: 7050 + return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7051 + 7052 + err_fill_flowtable_info: 7047 7053 kfree_skb(skb2); 7048 7054 return err; 7049 7055 } ··· 7230 7234 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 7231 7235 nlh->nlmsg_seq); 7232 7236 if (err < 0) 7233 - goto err; 7237 + goto err_fill_gen_info; 7234 7238 7235 - return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 7236 - err: 7239 + return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7240 + 7241 + err_fill_gen_info: 7237 7242 kfree_skb(skb2); 7238 7243 return err; 7239 7244 }
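Review bot: With every `nlmsg_unicast(nlsk, skb2, ...)` in this file replaced by `nfnetlink_unicast(skb2, net, ...)`, the `nlsk` socket no longer appears to be used in the affected getters; their signatures lie outside the hunks, so confirm, and if nothing else reads it drop the parameter rather than leaving dead plumbing. The setelem hunk at 4870-4880 also deletes the only comment that explained the -EAGAIN/-ENOBUFS translation ("this avoids a loop in nfnetlink"), and nothing at the new call sites says why plain nlmsg_unicast() must not be used here; a one-line note at the first call site, e.g. `/* nfnetlink_unicast() maps -EAGAIN to -ENOBUFS so nfnetlink does not retry forever */`, would keep that invariant visible to the next person tempted to call nlmsg_unicast() directly.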
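--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -149,10 +149,15 @@
 }
 EXPORT_SYMBOL_GPL(nfnetlink_set_err);
 
-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
-		      int flags)
+int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid)
 {
-	return netlink_unicast(net->nfnl, skb, portid, flags);
+	int err;
+
+	err = nlmsg_unicast(net->nfnl, skb, portid);
+	if (err == -EAGAIN)
+		err = -ENOBUFS;
+
+	return err;
 }
 EXPORT_SYMBOL_GPL(nfnetlink_unicast);
 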
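Review bot: The new `nfnetlink_unicast()` body remaps -EAGAIN to -ENOBUFS at lines 157-158 without a word on why, so the only record of the reason — the busy loop described in the commit message — lives outside the code. Add a comment above the check, e.g. `/* nfnetlink treats -EAGAIN as "retry"; a full receive queue must surface as -ENOBUFS or the caller spins */`. Dropping the `flags` argument also means callers can no longer choose blocking delivery; nlmsg_unicast() presumably delivers non-blocking, which is what every caller passed before, but that contract is worth one line of kernel-doc on the declaration.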
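--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -102,7 +102,7 @@
 	}
 
 	if (nf_ct_ext_exist(ct, NF_CT_EXT_HELPER) ||
-	    ct->status & IPS_SEQ_ADJUST)
+	    ct->status & (IPS_SEQ_ADJUST | IPS_NAT_CLASH))
 		goto out;
 
 	if (!nf_ct_is_confirmed(ct))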
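Review bot: The widened status mask at line 105 now refuses to offload IPS_NAT_CLASH entries, but the condition gives no hint why a clash entry is unsuitable, and unlike helpers or seqadj the reason is not self-evident from the flag name. A why-comment above the `if`, e.g. `/* helper, seqadj and NAT-clash conntracks are not offloaded; clash entries are short-lived and never become ASSURED (see nf_conntrack_proto_udp.c) */`, would tie this to the conntrack change in the same series. The enclosing function starts and ends outside the hunk.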
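--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -640,7 +640,7 @@
 	struct recent_table *t;
 
 	/* recent_net_exit() is called before recent_mt_destroy(). Make sure
-	 * that the parent xt_recent proc entry is is empty before trying to
+	 * that the parent xt_recent proc entry is empty before trying to
 	 * remove it.
 	 */
 	spin_lock_bh(&recent_lock);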
+37 -30
tools/testing/selftests/netfilter/nft_flowtable.sh
··· 11 11 # result in fragmentation and/or PMTU discovery. 12 12 # 13 13 # You can check with different Orgininator/Link/Responder MTU eg: 14 - # sh nft_flowtable.sh -o1000 -l500 -r100 14 + # nft_flowtable.sh -o8000 -l1500 -r2000 15 15 # 16 16 17 17 ··· 27 27 log_netns=$(sysctl -n net.netfilter.nf_log_all_netns) 28 28 29 29 checktool (){ 30 - $1 > /dev/null 2>&1 31 - if [ $? -ne 0 ];then 30 + if ! $1 > /dev/null 2>&1; then 32 31 echo "SKIP: Could not $2" 33 32 exit $ksft_skip 34 33 fi ··· 86 87 lmtu=1500 87 88 rmtu=2000 88 89 90 + usage(){ 91 + echo "nft_flowtable.sh [OPTIONS]" 92 + echo 93 + echo "MTU options" 94 + echo " -o originator" 95 + echo " -l link" 96 + echo " -r responder" 97 + exit 1 98 + } 99 + 89 100 while getopts "o:l:r:" o 90 101 do 91 102 case $o in 92 103 o) omtu=$OPTARG;; 93 104 l) lmtu=$OPTARG;; 94 105 r) rmtu=$OPTARG;; 106 + *) usage;; 95 107 esac 96 108 done 97 109 98 - ip -net nsr1 link set veth0 mtu $omtu 110 + if ! ip -net nsr1 link set veth0 mtu $omtu; then 111 + exit 1 112 + fi 113 + 99 114 ip -net ns1 link set eth0 mtu $omtu 100 115 101 - ip -net nsr2 link set veth1 mtu $rmtu 116 + if ! ip -net nsr2 link set veth1 mtu $rmtu; then 117 + exit 1 118 + fi 119 + 102 120 ip -net ns2 link set eth0 mtu $rmtu 103 121 104 122 # transfer-net between nsr1 and nsr2. ··· 136 120 ip -net ns$i route add default via 10.0.$i.1 137 121 ip -net ns$i addr add dead:$i::99/64 dev eth0 138 122 ip -net ns$i route add default via dead:$i::1 139 - ip netns exec ns$i sysctl net.ipv4.tcp_no_metrics_save=1 > /dev/null 123 + if ! ip netns exec ns$i sysctl net.ipv4.tcp_no_metrics_save=1 > /dev/null; then 124 + echo "ERROR: Check Originator/Responder values (problem during address addition)" 125 + exit 1 126 + fi 140 127 141 128 # don't set ip DF bit for first two tests 142 129 ip netns exec ns$i sysctl net.ipv4.ip_no_pmtu_disc=1 > /dev/null ··· 197 178 fi 198 179 199 180 # test basic connectivity 200 - ip netns exec ns1 ping -c 1 -q 10.0.2.99 > /dev/null 201 - if [ $? 
-ne 0 ];then 181 + if ! ip netns exec ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then 202 182 echo "ERROR: ns1 cannot reach ns2" 1>&2 203 183 bash 204 184 exit 1 205 185 fi 206 186 207 - ip netns exec ns2 ping -c 1 -q 10.0.1.99 > /dev/null 208 - if [ $? -ne 0 ];then 187 + if ! ip netns exec ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then 209 188 echo "ERROR: ns2 cannot reach ns1" 1>&2 210 189 exit 1 211 190 fi ··· 220 203 make_file() 221 204 { 222 205 name=$1 223 - who=$2 224 206 225 207 SIZE=$((RANDOM % (1024 * 8))) 226 208 TSIZE=$((SIZE * 1024)) ··· 238 222 out=$2 239 223 what=$3 240 224 241 - cmp "$in" "$out" > /dev/null 2>&1 242 - if [ $? -ne 0 ] ;then 225 + if ! cmp "$in" "$out" > /dev/null 2>&1; then 243 226 echo "FAIL: file mismatch for $what" 1>&2 244 227 ls -l "$in" 245 228 ls -l "$out" ··· 275 260 276 261 wait 277 262 278 - check_transfer "$ns1in" "$ns2out" "ns1 -> ns2" 279 - if [ $? -ne 0 ];then 263 + if ! check_transfer "$ns1in" "$ns2out" "ns1 -> ns2"; then 280 264 lret=1 281 265 fi 282 266 283 - check_transfer "$ns2in" "$ns1out" "ns1 <- ns2" 284 - if [ $? -ne 0 ];then 267 + if ! check_transfer "$ns2in" "$ns1out" "ns1 <- ns2"; then 285 268 lret=1 286 269 fi 287 270 ··· 308 295 return $lret 309 296 } 310 297 311 - make_file "$ns1in" "ns1" 312 - make_file "$ns2in" "ns2" 298 + make_file "$ns1in" 299 + make_file "$ns2in" 313 300 314 301 # First test: 315 302 # No PMTU discovery, nsr1 is expected to fragment packets from ns1 to ns2 as needed. 316 - test_tcp_forwarding ns1 ns2 317 - if [ $? -eq 0 ] ;then 303 + if test_tcp_forwarding ns1 ns2; then 318 304 echo "PASS: flow offloaded for ns1/ns2" 319 305 else 320 306 echo "FAIL: flow offload for ns1/ns2:" 1>&2 ··· 344 332 } 345 333 EOF 346 334 347 - test_tcp_forwarding_nat ns1 ns2 348 - 349 - if [ $? 
-eq 0 ] ;then 335 + if test_tcp_forwarding_nat ns1 ns2; then 350 336 echo "PASS: flow offloaded for ns1/ns2 with NAT" 351 337 else 352 338 echo "FAIL: flow offload for ns1/ns2 with NAT" 1>&2 ··· 356 346 # Same as second test, but with PMTU discovery enabled. 357 347 handle=$(ip netns exec nsr1 nft -a list table inet filter | grep something-to-grep-for | cut -d \# -f 2) 358 348 359 - ip netns exec nsr1 nft delete rule inet filter forward $handle 360 - if [ $? -ne 0 ] ;then 349 + if ! ip netns exec nsr1 nft delete rule inet filter forward $handle; then 361 350 echo "FAIL: Could not delete large-packet accept rule" 362 351 exit 1 363 352 fi ··· 364 355 ip netns exec ns1 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null 365 356 ip netns exec ns2 sysctl net.ipv4.ip_no_pmtu_disc=0 > /dev/null 366 357 367 - test_tcp_forwarding_nat ns1 ns2 368 - if [ $? -eq 0 ] ;then 358 + if test_tcp_forwarding_nat ns1 ns2; then 369 359 echo "PASS: flow offloaded for ns1/ns2 with NAT and pmtu discovery" 370 360 else 371 361 echo "FAIL: flow offload for ns1/ns2 with NAT and pmtu discovery" 1>&2 ··· 410 402 ip -net ns2 route add default via 10.0.2.1 411 403 ip -net ns2 route add default via dead:2::1 412 404 413 - test_tcp_forwarding ns1 ns2 414 - if [ $? -eq 0 ] ;then 405 + if test_tcp_forwarding ns1 ns2; then 415 406 echo "PASS: ipsec tunnel mode for ns1/ns2" 416 407 else 417 408 echo "FAIL: ipsec tunnel mode for ns1/ns2"
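Review bot: The new guard at lines 123-126 wraps `sysctl net.ipv4.tcp_no_metrics_save=1` but prints "problem during address addition", while the `ip -net ns$i addr add` and `route add` commands just above it stay unchecked, so a real address failure still goes unreported and a sysctl failure is blamed on the wrong step; either check those `ip` commands directly or reword the message to name the sysctl. The two new MTU guards (`if ! ip -net nsr1 link set veth0 mtu $omtu; then exit 1; fi` and the nsr2 twin at lines 110-118) exit silently, unlike every other failure path in the script; add `echo "ERROR: cannot set MTU $omtu on nsr1 veth0" 1>&2` before each exit. Whether a cleanup trap covers these early exits is not visible in this hunk.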