Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/net/netfilter
History
Shmulik Ladkani 98589a0998 netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1' 
Commit 2c16d60332 ("netfilter: xt_bpf: support ebpf") introduced
support for attaching an eBPF object by an fd, with the
'bpf_mt_check_v1' ABI expecting the '.fd' to be specified upon each
IPT_SO_SET_REPLACE call.

However this breaks subsequent iptables calls:

 # iptables -A INPUT -m bpf --object-pinned /sys/fs/bpf/xxx -j ACCEPT
 # iptables -A INPUT -s 5.6.7.8 -j ACCEPT
 iptables: Invalid argument. Run `dmesg' for more information.

That's because iptables works by loading existing rules using
IPT_SO_GET_ENTRIES to userspace, then issuing IPT_SO_SET_REPLACE with
the replacement set.

However, the loaded 'xt_bpf_info_v1' has an arbitrary '.fd' number
(from the initial "iptables -m bpf" invocation) - so when 2nd invocation
occurs, userspace passes a bogus fd number, which leads to
'bpf_mt_check_v1' to fail.

One suggested solution [1] was to hack iptables userspace, to perform a
"entries fixup" immediatley after IPT_SO_GET_ENTRIES, by opening a new,
process-local fd per every 'xt_bpf_info_v1' entry seen.

However, in [2] both Pablo Neira Ayuso and Willem de Bruijn suggested to
depricate the xt_bpf_info_v1 ABI dealing with pinned ebpf objects.

This fix changes the XT_BPF_MODE_FD_PINNED behavior to ignore the given
'.fd' and instead perform an in-kernel lookup for the bpf object given
the provided '.path'.

It also defines an alias for the XT_BPF_MODE_FD_PINNED mode, named
XT_BPF_MODE_PATH_PINNED, to better reflect the fact that the user is
expected to provide the path of the pinned object.

Existing XT_BPF_MODE_FD_ELF behavior (non-pinned fd mode) is preserved.

References: [1] https://marc.info/?l=netfilter-devel&m=150564724607440&w=2
            [2] https://marc.info/?l=netfilter-devel&m=150575727129880&w=2

Reported-by: Rafael Buchbinder <rafi@rbk.ms>
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 		2017-10-09 15:18:04 +02:00
..
ipset netfilter: ipset: Fix race between dump and swap 2017-09-29 12:15:14 +02:00
ipvs netfilter: ipvs: full-functionality option for ECN encapsulation in tunnel 2017-09-26 14:06:33 +02:00
Kconfig netfilter: nf_tables: add fib expression to the netdev family 2017-07-31 19:01:40 +02:00
Makefile netfilter: nf_tables: add fib expression to the netdev family 2017-07-31 19:01:40 +02:00
core.c netfilter: core: remove erroneous warn_on 2017-09-08 18:55:52 +02:00
nf_conntrack_acct.c
nf_conntrack_amanda.c netfilter: use nf_conntrack_helpers_register when possible 2017-06-19 19:13:21 +02:00
nf_conntrack_broadcast.c netfilter: Remove duplicated rcu_read_lock. 2017-07-24 13:24:46 +02:00
nf_conntrack_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-09-06 14:45:08 -07:00
nf_conntrack_ecache.c
nf_conntrack_expect.c net: Replace NF_CT_ASSERT() with WARN_ON(). 2017-09-04 13:25:19 +02:00
nf_conntrack_extend.c net: Replace NF_CT_ASSERT() with WARN_ON(). 2017-09-04 13:25:19 +02:00
nf_conntrack_ftp.c
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c netfilter: use nf_conntrack_helpers_register when possible 2017-06-19 19:13:21 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: expect: add and use nf_ct_expect_iterate helpers 2017-07-31 19:09:38 +02:00
nf_conntrack_irc.c
nf_conntrack_l3proto_generic.c netfilter: conntrack: place print_tuple in procfs part 2017-08-24 18:52:32 +02:00
nf_conntrack_labels.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: conntrack: make protocol tracker pointers const 2017-08-24 18:52:33 +02:00
nf_conntrack_pptp.c netfilter: Remove duplicated rcu_read_lock. 2017-07-24 13:24:46 +02:00
nf_conntrack_proto.c netfilter: conntrack: make protocol tracker pointers const 2017-08-24 18:52:33 +02:00
nf_conntrack_proto_dccp.c netfilter: remove unused hooknum arg from packet functions 2017-09-04 13:25:18 +02:00
nf_conntrack_proto_generic.c netfilter: remove unused hooknum arg from packet functions 2017-09-04 13:25:18 +02:00
nf_conntrack_proto_gre.c netfilter: remove unused hooknum arg from packet functions 2017-09-04 13:25:18 +02:00
nf_conntrack_proto_sctp.c netfilter: remove unused hooknum arg from packet functions 2017-09-04 13:25:18 +02:00
nf_conntrack_proto_tcp.c netfilter: remove unused hooknum arg from packet functions 2017-09-04 13:25:18 +02:00
nf_conntrack_proto_udp.c netfilter: remove unused hooknum arg from packet functions 2017-09-04 13:25:18 +02:00
nf_conntrack_sane.c
nf_conntrack_seqadj.c
nf_conntrack_sip.c netfilter: Remove duplicated rcu_read_lock. 2017-07-24 13:24:46 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c net: Replace NF_CT_ASSERT() with WARN_ON(). 2017-09-04 13:25:19 +02:00
nf_conntrack_tftp.c
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c netfilter: dup: resolve warnings about missing prototypes 2017-05-29 11:32:36 +02:00
nf_internals.h netfilter: Remove NFDEBUG() 2017-08-28 18:05:50 +02:00
nf_log.c
nf_log_common.c
nf_log_netdev.c
nf_nat_amanda.c
nf_nat_core.c netfilter: nat: Do not use ARRAY_SIZE() on spinlocks to fix zero div 2017-09-18 17:33:23 +02:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_proto_common.c
nf_nat_proto_dccp.c
nf_nat_proto_sctp.c sctp: remove the typedef sctp_sctphdr_t 2017-07-01 09:08:41 -07:00
nf_nat_proto_tcp.c
nf_nat_proto_udp.c
nf_nat_proto_unknown.c
nf_nat_redirect.c net: Replace NF_CT_ASSERT() with WARN_ON(). 2017-09-04 13:25:19 +02:00
nf_nat_sip.c
nf_nat_tftp.c
nf_queue.c netfilter: convert hook list to an array 2017-08-28 17:44:00 +02:00
nf_sockopt.c netfilter: Remove NFDEBUG() 2017-08-28 18:05:50 +02:00
nf_synproxy_core.c
nf_tables_api.c netfilter: nf_tables: do not dump chain counters if not enabled 2017-10-06 14:49:19 +02:00
nf_tables_core.c netfilter: constify nf_loginfo structures 2017-08-02 14:25:59 +02:00
nf_tables_inet.c
nf_tables_netdev.c
nf_tables_trace.c netfilter: nf_tables: Allow chain name of up to 255 chars 2017-07-31 20:41:57 +02:00
nfnetlink.c netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv 2017-07-17 13:27:46 +02:00
nfnetlink_acct.c netfilter: nfnetlink: extended ACK reporting 2017-06-19 19:38:24 +02:00
nfnetlink_cthelper.c netfilter: nfnetlink: extended ACK reporting 2017-06-19 19:38:24 +02:00
nfnetlink_cttimeout.c netfilter: conntrack: make protocol tracker pointers const 2017-08-24 18:52:33 +02:00
nfnetlink_log.c netfilter: constify nf_loginfo structures 2017-08-02 14:25:59 +02:00
nfnetlink_queue.c netfilter: nfnetlink_queue: don't queue dying conntracks to userspace 2017-07-31 19:09:39 +02:00
nft_bitwise.c
nft_byteorder.c
nft_cmp.c
nft_compat.c netfilter: nft_compat: check extension hook mask only if set 2017-07-19 11:53:30 +02:00
nft_counter.c netfilter: nf_tables: add select_ops for stateful objects 2017-09-04 13:25:09 +02:00
nft_ct.c netfilter: nf_tables: add select_ops for stateful objects 2017-09-04 13:25:09 +02:00
nft_dup_netdev.c
nft_dynset.c
nft_exthdr.c netfilter: fix a few (harmless) sparse warnings 2017-08-28 17:42:56 +02:00
nft_fib.c
nft_fib_inet.c
nft_fib_netdev.c netfilter: nf_tables: add fib expression to the netdev family 2017-07-31 19:01:40 +02:00
nft_fwd_netdev.c
nft_hash.c
nft_immediate.c
nft_limit.c netfilter: nft_limit: add stateful object type 2017-09-04 13:25:16 +02:00
nft_log.c
nft_lookup.c
nft_masq.c
nft_meta.c
nft_nat.c
nft_numgen.c
nft_objref.c netfilter: nf_tables: add select_ops for stateful objects 2017-09-04 13:25:09 +02:00
nft_payload.c netfilter: fix a few (harmless) sparse warnings 2017-08-28 17:42:56 +02:00
nft_queue.c
nft_quota.c netfilter: nf_tables: add select_ops for stateful objects 2017-09-04 13:25:09 +02:00
nft_range.c
nft_redir.c
nft_reject.c
nft_reject_inet.c
nft_rt.c netfilter: rt: account for tcp header size too 2017-08-28 18:14:30 +02:00
nft_set_bitmap.c netfilter: nf_tables: pass set description to ->privsize 2017-05-29 12:46:18 +02:00
nft_set_hash.c netfilter: nft_set_hash: add lookup variant for fixed size hashtable 2017-05-29 12:46:22 +02:00
nft_set_rbtree.c netfilter: nft_set_rbtree: use seqcount to avoid lock in most cases 2017-07-31 20:41:59 +02:00
x_tables.c netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user 2017-10-06 15:04:05 +02:00
xt_AUDIT.c
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_CONNSECMARK.c
xt_CT.c netfilter: conntrack: make protocol tracker pointers const 2017-08-24 18:52:33 +02:00
xt_DSCP.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c
xt_LED.c
xt_LOG.c
xt_NETMAP.c net: Replace NF_CT_ASSERT() with WARN_ON(). 2017-09-04 13:25:19 +02:00
xt_NFLOG.c
xt_NFQUEUE.c
xt_RATEEST.c
xt_REDIRECT.c
xt_SECMARK.c
xt_TCPMSS.c netfilter: Remove duplicated rcu_read_lock. 2017-07-24 13:24:46 +02:00
xt_TCPOPTSTRIP.c
xt_TEE.c
xt_TPROXY.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-09-03 17:08:42 -07:00
xt_TRACE.c
xt_addrtype.c netfilter: Remove duplicated rcu_read_lock. 2017-07-24 13:24:46 +02:00
xt_bpf.c netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1' 2017-10-09 15:18:04 +02:00
xt_cgroup.c
xt_cluster.c
xt_comment.c
xt_connbytes.c
xt_connlabel.c
xt_connlimit.c netfilter: connlimit: merge root4 and root6. 2017-08-19 13:07:53 +02:00
xt_connmark.c
xt_conntrack.c
xt_cpu.c
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c netfilter: xt_hashlimit: fix build error caused by 64bit division 2017-09-08 18:55:53 +02:00
xt_helper.c
xt_hl.c
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_length.c
xt_limit.c
xt_mac.c
xt_mark.c
xt_multiport.c
xt_nat.c net: Replace NF_CT_ASSERT() with WARN_ON(). 2017-09-04 13:25:19 +02:00
xt_nfacct.c
xt_osf.c netfilter: Remove duplicated rcu_read_lock. 2017-07-24 13:24:46 +02:00
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_realm.c
xt_recent.c netfilter: remove unused variable 2017-07-25 12:31:37 -07:00
xt_repldata.h
xt_sctp.c sctp: remove the typedef sctp_chunkhdr_t 2017-07-01 09:08:41 -07:00
xt_set.c
xt_socket.c netfilter: xt_socket: Restore mark from full sockets only 2017-09-26 20:04:34 +02:00
xt_state.c
xt_statistic.c
xt_string.c
xt_tcpmss.c
xt_tcpudp.c
xt_time.c
xt_u32.c