From patchwork Sun Mar 23 10:09:16 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 14026478
X-Patchwork-Delegate: kuba@kernel.org
Received: from mail.netfilter.org (mail.netfilter.org [217.70.190.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 993FC202960; Sun, 23 Mar 2025 10:09:32 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org; spf=pass smtp.mailfrom=netfilter.org; dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org; arc=none smtp.client-ip=217.70.190.124
Received: by mail.netfilter.org (Postfix, from userid 109) id EBC526039A; Sun, 23 Mar 2025 11:09:30 +0100 (CET)
Received: from localhost.localdomain (mail-agni [217.70.190.124]) by mail.netfilter.org (Postfix) with ESMTPSA id 4B2F360386; Sun, 23 Mar 2025 11:09:27 +0100 (CET)
From: Pablo Neira Ayuso To: netfilter-devel@vger.kernel.org Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org Subject: [PATCH net-next 1/7] netfilter: xt_hashlimit: replace vmalloc calls with kvmalloc Date: Sun, 23 Mar 2025 11:09:16 +0100 Message-Id: <20250323100922.59983-2-pablo@netfilter.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20250323100922.59983-1-pablo@netfilter.org> References: <20250323100922.59983-1-pablo@netfilter.org> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Denis Kirjanov Replace vmalloc allocations with kvmalloc since kvmalloc is more flexible in memory allocation Signed-off-by: Denis Kirjanov Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/xt_hashlimit.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index fa02aab56724..3b507694e81e 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -15,7 +15,6 @@ #include #include #include -#include #include #include #include @@ -294,8 +293,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, if (size < 16) size = 16; } - /* FIXME: don't use vmalloc() here or anywhere else -HW */ - hinfo = vmalloc(struct_size(hinfo, hash, size)); + hinfo = kvmalloc(struct_size(hinfo, hash, size), GFP_KERNEL); if (hinfo == NULL) return -ENOMEM; *out_hinfo = hinfo; @@ -303,7 +301,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, /* copy match config into hashtable config */ ret = cfg_copy(&hinfo->cfg, (void *)cfg, 3); if (ret) { - vfree(hinfo); + kvfree(hinfo); return ret; } 
@@ -322,7 +320,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, hinfo->rnd_initialized = false; hinfo->name = kstrdup(name, GFP_KERNEL); if (!hinfo->name) { - vfree(hinfo); + kvfree(hinfo); return -ENOMEM; } spin_lock_init(&hinfo->lock); @@ -344,7 +342,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, ops, hinfo); if (hinfo->pde == NULL) { kfree(hinfo->name); - vfree(hinfo); + kvfree(hinfo); return -ENOMEM; } hinfo->net = net; 
@@ -433,7 +431,7 @@ static void htable_put(struct xt_hashlimit_htable *hinfo) cancel_delayed_work_sync(&hinfo->gc_work); htable_selective_cleanup(hinfo, true); kfree(hinfo->name); - vfree(hinfo); + kvfree(hinfo); } } From patchwork Sun Mar 23 10:09:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 14026479 X-Patchwork-Delegate: kuba@kernel.org Received: from mail.netfilter.org (mail.netfilter.org [217.70.190.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F38D20409F; Sun, 23 Mar 2025 10:09:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.190.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724577; cv=none; b=fV0SZx0SEwnzxFxUyUCHf0QJs7aTl4NqNbG+dxlIRSbiS6U1bgKBeqtZY8cinyjVxEFd2B80QxSdLB8zulAYC6L+yF3M0VdBdbDLP8/mTPL9td2E2bwpYHWMvtWEjy35Ir+bKGfMBxIFfyPo9/px3pS2Q4Bu3CDUZoULvzrgfVE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724577; c=relaxed/simple; bh=fSowlrrngOwsDNZt8FbmBBamwAyDsrQjSR6Ir/QH+vc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=YKquVBMurXR2omn9euG3wpWqRA01deMGZQqPFGZqCV0yFEarLmuWRszUXHDpcDCzPZZ4RG2Xcz2F9ijbuBF8XAcvC8sEkoJNNz/TR80/6CvPmYo/ozddqXEvtXTrAMr8CExhqXerQZI66Btg/A31bNf1hYpr9Y4dDVn8otrAKqs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org; spf=pass smtp.mailfrom=netfilter.org; dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org header.b=kbig0TpY; dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org header.b=mk2T0NuB; arc=none smtp.client-ip=217.70.190.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org 
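Review bot: the include dropped in the first hunk of net/netfilter/xt_hashlimit.c (the `-#include` line) needs a matching check that the header declaring kvmalloc()/kvfree() is still included, since htable_create() and htable_put() now depend on it at all five touched call sites; the diffstat (7 deletions: the include, the FIXME comment, one vmalloc(), four vfree()) is consistent with no vfree() being left behind, but the commit message's "more flexible in memory allocation" does not say what is gained, and it would read better as a concrete statement (kvmalloc() serves the small tables from the slab and only falls back to vmalloc() for sizes kmalloc() cannot satisfy, so the old FIXME about vmalloc() is addressed rather than just renamed).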
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net-next 2/7] netfilter: conntrack: Bound nf_conntrack sysctl writes
Date: Sun, 23 Mar 2025 11:09:17 +0100
Message-Id: <20250323100922.59983-3-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250323100922.59983-1-pablo@netfilter.org>
References: <20250323100922.59983-1-pablo@netfilter.org>
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
MIME-Version: 1.0
X-Patchwork-Delegate: kuba@kernel.org

From: Nicolas Bouchinet

The nf_conntrack_max and nf_conntrack_expect_max sysctls could be written with any negative value, which would then be stored in the unsigned int variables nf_conntrack_max and nf_ct_expect_max, while the do_proc_dointvec_conv function is supposed to limit writes handled by the proc_dointvec proc_handler to INT_MAX. Such a negative value being written into an unsigned int leads to a very high value, exceeding this limit.

Moreover, the nf_conntrack_expect_max sysctl documentation specifies that the minimum value is 1.

The proc_handlers have thus been updated to proc_dointvec_minmax in order to specify the following write bounds:

* Bound nf_conntrack_max sysctl writes between SYSCTL_ZERO and SYSCTL_INT_MAX.
* Bound nf_conntrack_expect_max sysctl writes between SYSCTL_ONE and SYSCTL_INT_MAX, as defined in the sysctl documentation.

With this patch applied, sysctl writes outside the defined bounds will thus lead to a write error:

```
sysctl -w net.netfilter.nf_conntrack_expect_max=-1
sysctl: setting key "net.netfilter.nf_conntrack_expect_max": Invalid argument
```

Signed-off-by: Nicolas Bouchinet
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nf_conntrack_standalone.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 502cf10aab41..2f666751c7e7 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -618,7 +618,9 @@ static struct ctl_table nf_ct_sysctl_table[] = { .data = &nf_conntrack_max, .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_INT_MAX, }, [NF_SYSCTL_CT_COUNT] = { .procname = "nf_conntrack_count", @@ -654,7 +656,9 @@ static struct ctl_table nf_ct_sysctl_table[] = { .data = &nf_ct_expect_max, .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ONE, + .extra2 = SYSCTL_INT_MAX, }, [NF_SYSCTL_CT_ACCT] = { .procname = "nf_conntrack_acct", 
@@ -947,7 +951,9 @@ static struct ctl_table nf_ct_netfilter_table[] = { .data = &nf_conntrack_max, .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_INT_MAX, }, }; From patchwork Sun Mar 23 10:09:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 14026480 X-Patchwork-Delegate: kuba@kernel.org Received: from mail.netfilter.org (mail.netfilter.org [217.70.190.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A86AD202960; Sun, 23 Mar 2025 10:09:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.190.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724578; cv=none; b=nhoCSJBwbL34rxRkj8SCGhLAXtXxNOdzxiXY+63nnHQ+go/oYC1fW8UJtmA7wILe5M+A1F2w8CPn3Y27UybvO1IbOhAbiIDXJnsYGLZvMSQS4ef5fXocW80nAggRn/Z6Vn428oYJXEreVFNMMqAwKNC/mvoLMKobIEtCLaM1iaU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724578; c=relaxed/simple; bh=jHRQI1afRCduUTVINkX4kzU0h6QsudO5WWIJG2tq5SE=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=CB9IMUe6h1BfjZYaR3straZPBIlIJUhwbHep8naaZkSqaOxTOEQU/6Vt95G+sbMkv+YtbXOKdfIVyIxJnn4L7wP9D4lhS/oK1fxxan+G+2pZOrLbKKZQmOGzln4wWJFqbEJEHQyVV7LxSLakFsI4SPNL2wTT/1iPvAFfDYolx7s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org; spf=pass smtp.mailfrom=netfilter.org; dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org header.b=wJ3elm7D; dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org header.b=rGdNDddr; arc=none smtp.client-ip=217.70.190.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none 
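Review bot: the three hunks bound nf_conntrack_max (in both nf_ct_sysctl_table and nf_ct_netfilter_table) and nf_ct_expect_max consistently, but the commit message should say two more things: whether 0 is meant to stay a valid value for nf_conntrack_max (extra1 = SYSCTL_ZERO keeps it writable, unlike the SYSCTL_ONE floor on nf_ct_expect_max), and a Fixes: tag, since the message describes a bug (negative writes landing in an unsigned int) rather than a cleanup. `.maxlen = sizeof(int)` on an unsigned backing variable is left as is; it is safe only because extra2 = SYSCTL_INT_MAX now guarantees the stored value fits, which is worth a one-line comment next to the handler.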
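The before/after behaviour described in the 2/7 commit message, modelled in user space as an added example (this is not kernel code and not part of the series): sysctl_write_unbounded() mimics proc_dointvec storing any int bit pattern into an unsigned variable, and sysctl_write_minmax() mimics proc_dointvec_minmax rejecting writes outside [extra1, extra2] with -EINVAL. The parser is a deliberate simplification (it does not accept the trailing whitespace the kernel tolerates).

```c
/* User-space model of the two sysctl write paths from the 2/7 patch.
 * Added example; it is not kernel code. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one decimal value as a sysctl write would see it. The whole string
 * must be a number that fits in an int (do_proc_dointvec_conv's limit),
 * otherwise -EINVAL. Simplified: no trailing whitespace accepted. */
static int parse_int_value(const char *buf, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || *end != '\0')
        return -EINVAL;
    if (v < INT_MIN || v > INT_MAX)
        return -EINVAL;
    *out = v;
    return 0;
}

/* Before the patch (proc_dointvec): no lower bound, so a negative int is
 * stored as its two's-complement bit pattern into the unsigned variable. */
int sysctl_write_unbounded(const char *buf, unsigned int *var)
{
    long v;
    int ret = parse_int_value(buf, &v);

    if (ret)
        return ret;
    *var = (unsigned int)(int)v;   /* "-1" becomes 4294967295 */
    return 0;
}

/* After the patch (proc_dointvec_minmax with extra1/extra2): values outside
 * the bounds are rejected before anything is stored. */
int sysctl_write_minmax(const char *buf, unsigned int *var,
                        int extra1, int extra2)
{
    long v;
    int ret = parse_int_value(buf, &v);

    if (ret)
        return ret;
    if (v < extra1 || v > extra2)
        return -EINVAL;            /* what 'sysctl -w ...=-1' now reports */
    *var = (unsigned int)v;
    return 0;
}

/* Convenience wrappers so each path can be exercised on a single input. */
unsigned int stored_after_unbounded_write(const char *buf)
{
    unsigned int var = 0;

    sysctl_write_unbounded(buf, &var);
    return var;
}

int minmax_write_status(const char *buf, int extra1, int extra2)
{
    unsigned int var = 0;

    return sysctl_write_minmax(buf, &var, extra1, extra2);
}

int main(void)
{
    printf("unbounded write of -1 stores %u\n",
           stored_after_unbounded_write("-1"));
    printf("bounded write of -1 to nf_conntrack_max: %s\n",
           minmax_write_status("-1", 0, INT_MAX) == -EINVAL ? "EINVAL" : "ok");
    printf("bounded write of 0 to nf_conntrack_expect_max: %s\n",
           minmax_write_status("0", 1, INT_MAX) == -EINVAL ? "EINVAL" : "ok");
    printf("bounded write of 0 to nf_conntrack_max: %s\n",
           minmax_write_status("0", 0, INT_MAX) == 0 ? "ok" : "EINVAL");
    return 0;
}
```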
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net-next 3/7] netfilter: fib: avoid lookup if socket is available
Date: Sun, 23 Mar 2025 11:09:18 +0100
Message-Id: <20250323100922.59983-4-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250323100922.59983-1-pablo@netfilter.org>
References: <20250323100922.59983-1-pablo@netfilter.org>
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
MIME-Version: 1.0
X-Patchwork-Delegate: kuba@kernel.org

From: Florian Westphal

In case the fib match is used from the input hook we can avoid the fib lookup if early demux assigned a socket for us: check that the input interface matches the sk-cached one.

Rework the existing 'lo bypass' logic to first check sk, then for loopback interface type to elide the fib lookup.

This speeds up fib matching a little, before:

93.08 GBit/s (no rules at all)
75.1 GBit/s ("fib saddr . iif oif missing drop" in prerouting)
75.62 GBit/s ("fib saddr . iif oif missing drop" in input)

After:

92.48 GBit/s (no rules at all)
75.62 GBit/s (fib rule in prerouting)
90.37 GBit/s (fib rule in input).

Numbers for the 'no rules' and 'prerouting' cases are expected to closely match in-between runs; the 3rd/input test case exercises the 'avoid lookup if cached ifindex in sk matches' case.

Test used iperf3 via veth interface, lo can't be used due to existing loopback test.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 include/net/netfilter/nft_fib.h   | 21 +++++++++++++++++++++
 net/ipv4/netfilter/nft_fib_ipv4.c | 11 +++++------
 net/ipv6/netfilter/nft_fib_ipv6.c | 19 ++++++++++---------
 3 files changed, 36 insertions(+), 15 deletions(-)

diff --git a/include/net/netfilter/nft_fib.h b/include/net/netfilter/nft_fib.h
index 38cae7113de4..6e202ed5e63f 100644
--- a/include/net/netfilter/nft_fib.h +++ b/include/net/netfilter/nft_fib.h @@ -18,6 +18,27 @@ nft_fib_is_loopback(const struct sk_buff *skb, const struct net_device *in) return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK; } +static inline bool nft_fib_can_skip(const struct nft_pktinfo *pkt) +{ + const struct net_device *indev = nft_in(pkt); + const struct sock *sk; + + switch (nft_hook(pkt)) { + case NF_INET_PRE_ROUTING: + case NF_INET_INGRESS: + case NF_INET_LOCAL_IN: + break; + default: + return false; + } + + sk = pkt->skb->sk; + if (sk && sk_fullsock(sk)) + return sk->sk_rx_dst_ifindex == indev->ifindex; + + return nft_fib_is_loopback(pkt->skb, indev); +} + int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr, bool reset); int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr, const struct nlattr * const tb[]); diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c index 625adbc42037..9082ca17e845 100644 --- a/net/ipv4/netfilter/nft_fib_ipv4.c +++ b/net/ipv4/netfilter/nft_fib_ipv4.c @@ -71,6 +71,11 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, const struct net_device *oif; const struct net_device *found; + if (nft_fib_can_skip(pkt)) { + nft_fib_store_result(dest, priv, nft_in(pkt)); + return; + } + /* * Do not set flowi4_oif, it restricts results (for example, asking * for oif 3 will get RTN_UNICAST result even if the daddr exits @@ -85,12 +90,6 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, else oif = NULL; - if (nft_hook(pkt) == NF_INET_PRE_ROUTING && - nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { - nft_fib_store_result(dest, priv, nft_in(pkt)); - return; - } - iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph); if (!iph) { regs->verdict.code = NFT_BREAK; diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c index c9f1634b3838..7fd9d7b21cd4 100644 --- a/net/ipv6/netfilter/nft_fib_ipv6.c 
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c @@ -170,6 +170,11 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, struct rt6_info *rt; int lookup_flags; + if (nft_fib_can_skip(pkt)) { + nft_fib_store_result(dest, priv, nft_in(pkt)); + return; + } + if (priv->flags & NFTA_FIB_F_IIF) oif = nft_in(pkt); else if (priv->flags & NFTA_FIB_F_OIF) 
@@ -181,17 +186,13 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, return; } - lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph); - - if (nft_hook(pkt) == NF_INET_PRE_ROUTING || - nft_hook(pkt) == NF_INET_INGRESS) { - if (nft_fib_is_loopback(pkt->skb, nft_in(pkt)) || - nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) { - nft_fib_store_result(dest, priv, nft_in(pkt)); - return; - } + if (nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) { + nft_fib_store_result(dest, priv, nft_in(pkt)); + return; } + lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph); + *dest = 0; rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb, lookup_flags); From patchwork Sun Mar 23 10:09:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 14026481 X-Patchwork-Delegate: kuba@kernel.org Received: from mail.netfilter.org (mail.netfilter.org [217.70.190.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 324172040B0; Sun, 23 Mar 2025 10:09:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.190.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724578; cv=none; b=HPNrwz5so4w0iiSUpTyCk1k6y2Pd5F+e2zK/HPCS84N4VWSBC6QE0lkSUAra07rvZO6M/jNHNVv7OZNMjjzrCMs0nJMoZ5+0i5uEwvHhMd3YjrlGsh6G3tQ1rxaPluJYWAoG+qnH2c38hz3UPNLsehXGetyfN3Zi2dGl8RGTH5o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724578; c=relaxed/simple; bh=7zwdiFHicc4iI3K/IKh0LCbUIX6GZibKN6q9zCdM/AM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=DnDp1ElQ/Z6UgAsEQlEMzHlviLqqlCNweAMKDufzmNqmrO9QG/7Dd1ty9lmWWzK05nTJ/KgJhGtNCbpeBq0r5JKevoKnwYVz3OCS7iSXZnvSFbRpHBzPA6UWkR0X019aNso8G1cXCwgjzRUpIzxyVqRJTdhSHvF0Z2cz7cXITUw= 
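Review bot: in the second nft_fib6_eval hunk the nft_fib_v6_skip_icmpv6() check loses its hook gate: before, it ran only inside `if (nft_hook(pkt) == NF_INET_PRE_ROUTING || nft_hook(pkt) == NF_INET_INGRESS)`, after the change it runs unconditionally, so forward, output and postrouting evaluations now also short-circuit on those ICMPv6 packets, which the commit message does not mention; either keep the hook condition around the ICMPv6 skip or state why the wider scope is correct. In nft_fib_can_skip() in nft_fib.h, the `if (sk && sk_fullsock(sk)) return sk->sk_rx_dst_ifindex == indev->ifindex;` path never falls through to nft_fib_is_loopback(); that is safe (a mismatch just means a real lookup), but a one-line comment saying so is worth adding since the old code applied the loopback bypass first. Also "exercises the the" in the message.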
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net-next 4/7] netfilter: nfnetlink_queue: Initialize ctx to avoid memory allocation error
Date: Sun, 23 Mar 2025 11:09:19 +0100
Message-Id: <20250323100922.59983-5-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250323100922.59983-1-pablo@netfilter.org>
References: <20250323100922.59983-1-pablo@netfilter.org>
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
MIME-Version: 1.0
X-Patchwork-Delegate: kuba@kernel.org

From: Chenyuan Yang

It is possible that ctx in nfqnl_build_packet_message() could be used before it is properly initialized, which is only done by nfqnl_get_sk_secctx().

This patch corrects this problem by initializing the lsmctx to a safe value when it is declared.

This is similar to the commit 35fcac7a7c25 ("audit: Initialize lsmctx to avoid memory allocation error").

Fixes: 2d470c778120 ("lsm: replace context+len with lsm_context")
Signed-off-by: Chenyuan Yang
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nfnetlink_queue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 5c913987901a..8b7b39d8a109 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -567,7 +567,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo = 0; const struct nfnl_ct_hook *nfnl_ct; bool csum_verify; - struct lsm_context ctx; + struct lsm_context ctx = { NULL, 0, 0 }; int seclen = 0; ktime_t tstamp; From patchwork Sun Mar 23 10:09:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 14026482 X-Patchwork-Delegate: kuba@kernel.org Received: from mail.netfilter.org (mail.netfilter.org [217.70.190.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 598FF202961; Sun, 23 Mar 2025 10:09:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.190.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724579; cv=none; b=iKK92aYLH4a0IO3zEpH1rKavdBH0eltCgIi9Nsz5pDTVHWUHPvD5Cogny7zMIGNF+Pdz8c2FEZPoA9KdsMFFegn5q0dPhKih/7y9qNvtxbbQJV7QNpH5wKaHet4AA27+QL7GZirhGuybFql3Mx2msCN2Om+RZtS5FPa6Yeq6NuQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724579; c=relaxed/simple; bh=rOqpHGHNwl9/pY8Ur0kiio4YM2OwQsSbVjYJlGfDptk=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=oq9YreCt5Pz0s+369WWitNVTtThrFoWhzmf9DV0FGLm2HfjhCOOtuC73m4evwtaUnQHJvaDK7WR/In02cyVdi5Blk3MioFTv2tCCaLBE1S/hDxe6L9Jgd5x+W8zwB8GihJmEnQZ+ZMYguCM9/YqPDsMLNSFG7OFoCb+dYPQaKRs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org; spf=pass smtp.mailfrom=netfilter.org; dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org header.b=ucWFTi5w; dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org header.b=KS9Ai1yC; arc=none smtp.client-ip=217.70.190.124 Authentication-Results: smtp.subspace.kernel.org; 
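Review bot: `struct lsm_context ctx = { NULL, 0, 0 };` is a positional initializer that silently depends on the member order of struct lsm_context; `= { }` or designated initializers naming the members give the same zeroed state and survive a field reordering. The commit message would also benefit from naming the path that consumes ctx when nfqnl_get_sk_secctx() has not filled it (the message only says "could be used before it is properly initialize"), so a reader can see which use of an uninitialised pointer/length the zero state makes harmless.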
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net-next 5/7] netfilter: xtables: Use strscpy() instead of strscpy_pad()
Date: Sun, 23 Mar 2025 11:09:20 +0100
Message-Id: <20250323100922.59983-6-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250323100922.59983-1-pablo@netfilter.org>
References: <20250323100922.59983-1-pablo@netfilter.org>
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
MIME-Version: 1.0
X-Patchwork-Delegate: kuba@kernel.org

From: Thorsten Blum

kzalloc() already zero-initializes the destination buffer, making strscpy() sufficient for safely copying the name. The additional NUL-padding performed by strscpy_pad() is unnecessary.

The size parameter is optional, and strscpy() automatically determines the size of the destination buffer using sizeof() if the argument is omitted. This makes the explicit sizeof() call unnecessary; remove it.

No functional changes intended.

Signed-off-by: Thorsten Blum
Reviewed-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/xt_repldata.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_repldata.h b/net/netfilter/xt_repldata.h
index 5d1fb7018dba..600060ca940a 100644
--- a/net/netfilter/xt_repldata.h
+++ b/net/netfilter/xt_repldata.h
@@ -29,7 +29,7 @@ if (tbl == NULL) \ return NULL; \ term = (struct type##_error *)&(((char *)tbl)[term_offset]); \ - strscpy_pad(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \ + strscpy(tbl->repl.name, info->name); \ *term = (struct type##_error)typ2##_ERROR_INIT; \ tbl->repl.valid_hooks = hook_mask; \ tbl->repl.num_entries = nhooks + 1; \ From patchwork Sun Mar 23 10:09:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 14026483 X-Patchwork-Delegate: kuba@kernel.org Received: from mail.netfilter.org (mail.netfilter.org [217.70.190.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6BE082046BA; Sun, 23 Mar 2025 10:09:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.190.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724582; cv=none; b=hkcu+GixcryrC15ZRRTL9omGt/k6pnnqlqHWvKmKg3MCW5tCb7dv4RBEf1XcyqB69Z8sERlTTYom4upHATCeIIqTMVeRlNlD2/T7qb0UG+5/MbJeiNNMQsb+Q4wG7/OkaTm4KKWmA02oLhgy2QG9FHrRMfFW29m43GNoufVk1j8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724582; c=relaxed/simple; bh=skjBFm4VsHvUy4ROh29RH8vR06Jp+tpdNcfEaHTYunQ=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=hKVmdbuX/bY8wVrg2pstcbwoMdqv3JQBiUuskusaQc9h6vHSNvL8IDMtAZdsKRqqY11+2UAF1IaJtAzp1gs3sIeRiD2d6HO5aSz+KaDikgzYzlX5GJBBTX5lxihtIIZovHYDQBfhELd1FVP89l63AmKwB1iSoC9dG9QJ/O7WQ5A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org; spf=pass smtp.mailfrom=netfilter.org; dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org header.b=eizaFSTr; dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org header.b=fa8piBQm; arc=none 
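Review bot: the two-argument `strscpy(tbl->repl.name, info->name);` form only compiles when the destination is a real array, and xt_repldata.h is a macro instantiated per table type (see `type##_error` and `typ2##_ERROR_INIT` in the context), so the commit message should state that tbl->repl.name is an array in every instantiation and that all users were built; a successful build of each of them is the check. The kzalloc() that the message relies on for the "padding is unnecessary" argument is not visible in the hunk (only `if (tbl == NULL) return NULL;` is), so quoting the allocation line in the message would make the reasoning self-contained.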
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net-next 6/7] netfilter: socket: Lookup orig tuple for IPv6 SNAT
Date: Sun, 23 Mar 2025 11:09:21 +0100
Message-Id: <20250323100922.59983-7-pablo@netfilter.org>
In-Reply-To: <20250323100922.59983-1-pablo@netfilter.org>
References: <20250323100922.59983-1-pablo@netfilter.org>
X-Mailing-List: netdev@vger.kernel.org

From: Maxim Mikityanskiy

nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to
restore the original 5-tuple in case of SNAT, to be able to find the
right socket (if any). Then socket_match() can correctly check whether
the socket was transparent.

However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this
conntrack lookup, making xt_socket fail to match on the socket when the
packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6.

IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as
pods' addresses are in the fd00::/8 ULA subnet and need to be replaced
with the node's external address. Cilium leverages Envoy to enforce L7
policies, and Envoy uses transparent sockets. Cilium inserts an iptables
prerouting rule that matches on `-m socket --transparent` and redirects
the packets to localhost, but it fails to match SNATed IPv6 packets due
to that missing conntrack lookup.

Closes: https://github.com/cilium/cilium/issues/37932
Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT")
Signed-off-by: Maxim Mikityanskiy
Reviewed-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 net/ipv6/netfilter/nf_socket_ipv6.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/net/ipv6/netfilter/nf_socket_ipv6.c b/net/ipv6/netfilter/nf_socket_ipv6.c index a7690ec62325..9ea5ef56cb27 100644 --- a/net/ipv6/netfilter/nf_socket_ipv6.c +++ b/net/ipv6/netfilter/nf_socket_ipv6.c @@ -103,6 +103,10 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb, struct sk_buff *data_skb = NULL; int doff = 0; int thoff = 0, tproto; +#if IS_ENABLED(CONFIG_NF_CONNTRACK) + enum ip_conntrack_info ctinfo; + struct nf_conn const *ct; +#endif tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL); if (tproto < 0) { 
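Review bot: style nit on the added declaration "struct nf_conn const *ct;": netfilter code normally puts the qualifier first, "const struct nf_conn *ct;", unless this is a verbatim copy of the IPv4 counterpart's declaration, in which case keeping the two identical is the better choice. The #if IS_ENABLED(CONFIG_NF_CONNTRACK) guard around both declarations is correct, since ctinfo and ct are only used inside the same guard in the second hunk; without it the !CONFIG_NF_CONNTRACK build would warn about unused variables.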
@@ -136,6 +140,25 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb, return NULL; } +#if IS_ENABLED(CONFIG_NF_CONNTRACK) + /* Do the lookup with the original socket address in + * case this is a reply packet of an established + * SNAT-ted connection. + */ + ct = nf_ct_get(skb, &ctinfo); + if (ct && + ((tproto != IPPROTO_ICMPV6 && + ctinfo == IP_CT_ESTABLISHED_REPLY) || + (tproto == IPPROTO_ICMPV6 && + ctinfo == IP_CT_RELATED_REPLY)) && + (ct->status & IPS_SRC_NAT_DONE)) { + daddr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.in6; + dport = (tproto == IPPROTO_TCP) ? + ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.tcp.port : + ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port; + } +#endif + return nf_socket_get_sock_v6(net, data_skb, doff, tproto, saddr, daddr, sport, dport, indev); } From patchwork Sun Mar 23 10:09:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 14026484 X-Patchwork-Delegate: kuba@kernel.org Received: from mail.netfilter.org (mail.netfilter.org [217.70.190.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 279F220485D; Sun, 23 Mar 2025 10:09:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.190.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724582; cv=none; b=tZx6ZF8bhjJICkCr685WUGcXzqPMGdBDLMpAFe2+M4yt6JJOVPv0187GCr/SULIQECHIDmvAttNAZnzL/Nfom41k9hbYwds7hxzUVzyYlwaEBWxR0MynsuhjnJm2vRk5i79crkFkulRZ3KwOXAUXMsYXE8pQ6wRWGmJ6cFeuSxE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1742724582; c=relaxed/simple; bh=QhuhP3Q5194hpVotIuU3j+gcmWT7kJrKKYmSWaF/yXc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; 
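Review bot: the "tproto == IPPROTO_ICMPV6 && ctinfo == IP_CT_RELATED_REPLY" arm looks unreachable at this point in the function: tproto is assigned from ipv6_find_hdr() in the first hunk, and the ICMPv6 branch that sits between the two hunks (not shown) is where the embedded packet's addresses and ports are extracted; if that branch rewrites tproto to the inner transport protocol, as it has to for the final nf_socket_get_sock_v6() call to look up a TCP or UDP socket, then tproto is never IPPROTO_ICMPV6 here, and ICMPv6 error replies to SNATed flows (ctinfo == IP_CT_RELATED_REPLY with tproto already TCP or UDP) still get no original-tuple remap. Suggest saving the outer next-header value before the ICMPv6 branch and testing that copy in this condition, or accepting IP_CT_RELATED_REPLY regardless of tproto. The dport selection is fine for the reachable case: tcp.port for TCP and udp.port for everything else, both __be16 members of the same union in the tuple.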
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net-next 7/7] netfilter: nf_tables: Only use nf_skip_indirect_calls() when MITIGATION_RETPOLINE
Date: Sun, 23 Mar 2025 11:09:22 +0100
Message-Id: <20250323100922.59983-8-pablo@netfilter.org>
In-Reply-To: <20250323100922.59983-1-pablo@netfilter.org>
References: <20250323100922.59983-1-pablo@netfilter.org>
X-Mailing-List: netdev@vger.kernel.org
From: WangYuli

1. MITIGATION_RETPOLINE is x86-only (defined in arch/x86/Kconfig), so
   no need to AND with CONFIG_X86 when checking if enabled.

2. Remove unused declaration of nf_skip_indirect_calls() when
   MITIGATION_RETPOLINE is disabled to avoid warnings.

3. Declare nf_skip_indirect_calls() and nf_skip_indirect_calls_enable()
   as inline when MITIGATION_RETPOLINE is enabled, as they are called
   only once and have simple logic.

Fix the following error with clang-21 when W=1e:

net/netfilter/nf_tables_core.c:39:20: error: unused function 'nf_skip_indirect_calls' [-Werror,-Wunused-function]
   39 | static inline bool nf_skip_indirect_calls(void) { return false; }
      |                    ^~~~~~~~~~~~~~~~~~~~~~
1 error generated.
make[4]: *** [scripts/Makefile.build:207: net/netfilter/nf_tables_core.o] Error 1
make[3]: *** [scripts/Makefile.build:465: net/netfilter] Error 2
make[3]: *** Waiting for unfinished jobs....

Fixes: d8d760627855 ("netfilter: nf_tables: add static key to skip retpoline workarounds")
Co-developed-by: Wentao Guan
Signed-off-by: Wentao Guan
Signed-off-by: WangYuli
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nf_tables_core.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 75598520b0fa..6557a4018c09 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -21,25 +21,22 @@ #include #include -#if defined(CONFIG_MITIGATION_RETPOLINE) && defined(CONFIG_X86) - +#ifdef CONFIG_MITIGATION_RETPOLINE static struct static_key_false nf_tables_skip_direct_calls; -static bool nf_skip_indirect_calls(void) +static inline bool nf_skip_indirect_calls(void) { return static_branch_likely(&nf_tables_skip_direct_calls); } -static void __init nf_skip_indirect_calls_enable(void) +static inline void __init nf_skip_indirect_calls_enable(void) { if (!cpu_feature_enabled(X86_FEATURE_RETPOLINE)) static_branch_enable(&nf_tables_skip_direct_calls); } #else -static inline bool nf_skip_indirect_calls(void) { return false; } - static inline void nf_skip_indirect_calls_enable(void) { } -#endif +#endif /* CONFIG_MITIGATION_RETPOLINE */ static noinline void __nft_trace_packet(const struct nft_pktinfo *pkt, const struct nft_verdict *verdict,
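Review bot: with the #else stub "static inline bool nf_skip_indirect_calls(void) { return false; }" removed, every call site must already sit under #ifdef CONFIG_MITIGATION_RETPOLINE, otherwise the !RETPOLINE build now fails with an implicit declaration instead of the -Wunused-function error quoted in the message; the call site is outside this hunk, so please confirm (clang complaining only about the unused stub, not about a missing caller, suggests it is guarded). Two smaller points: adding "inline" to the two static functions is unnecessary, since coding-style leaves that decision to the compiler for static functions in .c files and the clang error is fixed by removing the stub alone; and dropping the CONFIG_X86 test is correct only while MITIGATION_RETPOLINE stays x86-only, because nf_skip_indirect_calls_enable() calls cpu_feature_enabled(X86_FEATURE_RETPOLINE), which does not exist on other architectures, so a short comment on the #ifdef stating that dependency would help. The trailing "#endif /* CONFIG_MITIGATION_RETPOLINE */" comment is a welcome addition.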