openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity
linux/net/netfilter
History
Pablo Neira Ayuso 8588ac097b netfilter: nf_tables: reject loops from set element jump to chain 
Liping Zhang says:

"Users may add such a wrong nft rules successfully, which will cause an
endless jump loop:

  # nft add rule filter test tcp dport vmap {1: jump test}

This is because before we commit, the element in the current anonymous
set is inactive, so osp->walk will skip this element and miss the
validate check."

To resolve this problem, this patch passes the generation mask to the
walk function through the iter container structure depending on the code
path:

1) If we're dumping the elements, then we have to check if the element
   is active in the current generation. Thus, we check for the current
   bit in the genmask.

2) If we're checking for loops, then we have to check if the element is
   active in the next generation, as we're in the middle of a
   transaction. Thus, we check for the next bit in the genmask.

Based on original patch from Liping Zhang.

Reported-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Liping Zhang <liping.zhang@spreadtrum.com>
 		2016-06-15 12:17:23 +02:00
..
ipset netfilter: ipset: fix race condition in ipset save, swap and delete 2016-03-28 17:57:45 +02:00
ipvs ipvs: update real-server binding of outgoing connections in SIP-pe 2016-06-06 09:47:25 +09:00
Kconfig netfilter: tee: select NF_DUP_IPV6 unconditionally 2016-02-08 12:58:28 +01:00
Makefile netfilter: nf_tables: add forward expression to the netdev family 2016-01-04 17:48:38 +01:00
core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-10-24 06:54:12 -07:00
nf_conntrack_acct.c netfilter: Remove uses of seq_<foo> return values 2015-03-18 10:51:35 +01:00
nf_conntrack_amanda.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: conntrack: destroy kmemcache on module removal 2016-06-15 12:17:22 +02:00
nf_conntrack_ecache.c netfilter: conntrack: move expectation event helper to ecache.c 2016-04-12 23:01:57 +02:00
nf_conntrack_expect.c netfilter: conntrack: use a single expectation table for all namespaces 2016-05-06 11:50:01 +02:00
nf_conntrack_extend.c
nf_conntrack_ftp.c netfilter: nf_ct_helper: Fix helper unregister count. 2016-05-30 12:21:22 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c ipv6: Remove external dependency on rt6i_gateway and RTF_ANYCAST 2015-05-25 13:25:33 -04:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2016-06-01 17:54:19 -07:00
nf_conntrack_irc.c netfilter: nf_ct_helper: Fix helper unregister count. 2016-05-30 12:21:22 +02:00
nf_conntrack_l3proto_generic.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_labels.c netfilter: connlabels: change nf_connlabels_get bit arg to 'highest used' 2016-04-18 20:39:48 +02:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: conntrack: use a single expectation table for all namespaces 2016-05-06 11:50:01 +02:00
nf_conntrack_pptp.c netfilter: nf_conntrack: push zone object into functions 2015-08-11 12:29:01 +02:00
nf_conntrack_proto.c netfilter: nf_conntrack: remove dead code 2014-01-03 23:41:37 +01:00
nf_conntrack_proto_dccp.c libnl: nla_put_be64(): align on a 64-bit area 2016-04-23 20:13:24 -04:00
nf_conntrack_proto_generic.c netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple 2015-09-18 22:00:04 +02:00
nf_conntrack_proto_gre.c netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple 2015-09-18 22:00:04 +02:00
nf_conntrack_proto_sctp.c netfilter: conntrack: don't acquire lock during seq_printf 2016-04-19 20:26:25 +02:00
nf_conntrack_proto_tcp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2016-04-24 00:12:08 -04:00
nf_conntrack_proto_udp.c netfilter: conntrack: introduce clash resolution on insertion race 2016-05-05 16:39:50 +02:00
nf_conntrack_proto_udplite.c netfilter: conntrack: introduce clash resolution on insertion race 2016-05-05 16:39:50 +02:00
nf_conntrack_sane.c netfilter: nf_ct_helper: Fix helper unregister count. 2016-05-30 12:21:22 +02:00
nf_conntrack_seqadj.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_conntrack_sip.c netfilter: nf_ct_helper: Fix helper unregister count. 2016-05-30 12:21:22 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2016-06-01 17:54:19 -07:00
nf_conntrack_tftp.c netfilter: nf_ct_helper: Fix helper unregister count. 2016-05-30 12:21:22 +02:00
nf_conntrack_timeout.c netfilter: cttimeout: add netns support 2015-12-14 12:48:58 +01:00
nf_conntrack_timestamp.c netfilter: nf_ct_timestamp: Fix BUG_ON after netns deletion 2013-12-20 14:58:29 +01:00
nf_dup_netdev.c net: remove skb_sender_cpu_clear() 2016-03-01 17:36:47 -05:00
nf_internals.h netfilter: nf_queue: fix nf_queue_nf_hook_drop() 2015-07-23 16:17:58 +02:00
nf_log.c netfilter: nf_log: wait for rcu grace after logger unregistration 2015-09-17 13:37:31 +02:00
nf_log_common.c netfilter: bridge: add helpers for fetching physin/outdev 2015-04-08 16:49:08 +02:00
nf_nat_amanda.c
nf_nat_core.c netfilter: conntrack: use a single nat bysource table for all namespaces 2016-05-09 16:45:49 +02:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper 2014-01-06 14:17:17 +01:00
nf_nat_proto_common.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_dccp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_sctp.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_tcp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udplite.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_unknown.c
nf_nat_redirect.c netfilter: nf_nat_redirect: add missing NULL pointer check 2015-10-27 06:54:56 +01:00
nf_nat_sip.c netfilter: replace strnicmp with strncasecmp 2014-10-14 02:18:24 +02:00
nf_nat_tftp.c
nf_queue.c netfilter: nf_queue: Make the queue_handler pernet 2016-05-25 11:54:22 +02:00
nf_sockopt.c netfilter: don't use mutex_lock_interruptible() 2014-08-08 16:47:23 +02:00
nf_synproxy_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2015-09-05 21:57:42 -07:00
nf_tables_api.c netfilter: nf_tables: reject loops from set element jump to chain 2016-06-15 12:17:23 +02:00
nf_tables_core.c netfilter: nf_tables: fix nf_log_trace based tracing 2015-12-09 16:53:46 +01:00
nf_tables_inet.c netfilter: nf_tables: release objects on netns destruction 2015-12-28 18:34:35 +01:00
nf_tables_netdev.c netfilter: nf_tables_netdev: fix error path in module initialization 2016-01-18 13:53:37 +01:00
nf_tables_trace.c libnl: nla_put_be64(): align on a 64-bit area 2016-04-23 20:13:24 -04:00
nfnetlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-02-23 00:09:14 -05:00
nfnetlink_acct.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-15 13:32:48 -04:00
nfnetlink_cthelper.c netfilter: nfnetlink: pass down netns pointer to call() and call_rcu() 2015-12-28 18:41:41 +01:00
nfnetlink_cttimeout.c netfilter: conntrack: use a single hashtable for all namespaces 2016-05-05 16:39:47 +02:00
nfnetlink_log.c nfnetlink: remove nfnetlink_alloc_skb 2016-02-18 11:42:19 -05:00
nfnetlink_queue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2016-06-01 17:54:19 -07:00
nft_bitwise.c netfilter: nf_tables: support variable sized data in nft_data_init() 2015-04-13 17:17:30 +02:00
nft_byteorder.c netfilter: nft_byteorder: avoid unneeded le/be conversion steps 2016-01-13 14:02:59 +01:00
nft_cmp.c netfilter: nf_tables: support variable sized data in nft_data_init() 2015-04-13 17:17:30 +02:00
nft_compat.c netfilter: nft_compat: check match/targetinfo attr size 2016-03-11 11:37:56 +01:00
nft_counter.c libnl: nla_put_be64(): align on a 64-bit area 2016-04-23 20:13:24 -04:00
nft_ct.c netfilter: nftables: add connlabel set support 2016-05-05 16:27:59 +02:00
nft_dup_netdev.c netfilter: nf_tables: add packet duplication to the netdev family 2016-01-03 21:04:23 +01:00
nft_dynset.c libnl: nla_put_be64(): align on a 64-bit area 2016-04-23 20:13:24 -04:00
nft_exthdr.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_fwd_netdev.c netfilter: nf_tables: add forward expression to the netdev family 2016-01-04 17:48:38 +01:00
nft_hash.c netfilter: nf_tables: reject loops from set element jump to chain 2016-06-15 12:17:23 +02:00
nft_immediate.c netfilter: nf_tables: support variable sized data in nft_data_init() 2015-04-13 17:17:30 +02:00
nft_limit.c libnl: nla_put_be64(): align on a 64-bit area 2016-04-23 20:13:24 -04:00
nft_log.c netfilter: nf_tables: Use pkt->net instead of computing net from the passed net_devices 2015-09-18 21:58:49 +02:00
nft_lookup.c netfilter: nf_tables: add flag to indicate set contains expressions 2015-04-13 20:12:32 +02:00
nft_masq.c netfilter: nft_masq: support port range 2016-03-02 20:05:27 +01:00
nft_meta.c netfilter: meta: add PRANDOM support 2016-02-29 13:55:59 +01:00
nft_nat.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_payload.c netfilter: nft_payload: add packet mangling support 2015-11-25 13:54:51 +01:00
nft_queue.c netfilter: nf_tables: kill nft_pktinfo.ops 2015-09-18 21:58:01 +02:00
nft_rbtree.c netfilter: nf_tables: reject loops from set element jump to chain 2016-06-15 12:17:23 +02:00
nft_redir.c netfilter: nf_tables: add register parsing/dumping helpers 2015-04-13 17:17:28 +02:00
nft_reject.c netfilter; Add some missing default cases to switch statements in nft_reject. 2015-04-27 13:20:34 -04:00
nft_reject_inet.c ipv4: Push struct net down into nf_send_reset 2015-09-29 20:21:31 +02:00
x_tables.c netfilter: x_tables: don't reject valid target size on some architectures 2016-06-02 14:09:33 +02:00
xt_AUDIT.c netfilter: Convert uses of __constant_<foo> to <foo> 2014-03-13 14:13:19 +01:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_CONNSECMARK.c
xt_CT.c netfilter: cttimeout: add netns support 2015-12-14 12:48:58 +01:00
xt_DSCP.c netfilter: fix various sparse warnings 2014-11-13 12:14:42 +01:00
xt_HL.c
xt_HMARK.c net: use reciprocal_scale() helper 2014-08-23 12:21:21 -07:00
xt_IDLETIMER.c netfilter: IDLETIMER: fix race condition when destroy the target 2016-04-29 14:28:48 +02:00
xt_LED.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-08-05 18:46:26 -07:00
xt_LOG.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
xt_NETMAP.c
xt_NFLOG.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
xt_NFQUEUE.c netfilter: xt_NFQUEUE: separate reusable code 2013-12-07 23:20:45 +01:00
xt_RATEEST.c net: sched: make bstats per cpu and estimator RCU safe 2014-09-30 01:02:26 -04:00
xt_REDIRECT.c netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module 2014-11-27 13:08:42 +01:00
xt_SECMARK.c
xt_TCPMSS.c netfilter: xt_TCPMSS: handle CHECKSUM_COMPLETE in tcpmss_tg6() 2016-01-18 12:18:17 +01:00
xt_TCPOPTSTRIP.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
xt_TEE.c netfilter: tee: select NF_DUP_IPV6 unconditionally 2016-02-08 12:58:28 +01:00
xt_TPROXY.c inet: refactor inet[6]_lookup functions to take skb 2016-02-11 03:54:14 -05:00
xt_TRACE.c
xt_addrtype.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
xt_bpf.c net: filter: split 'struct sk_filter' into socket and bpf parts 2014-08-02 15:03:58 -07:00
xt_cgroup.c netfilter: implement xt_cgroup cgroup2 path match 2015-12-14 20:34:55 +01:00
xt_cluster.c net: use reciprocal_scale() helper 2014-08-23 12:21:21 -07:00
xt_comment.c
xt_connbytes.c netfilter: Convert pr_warning to pr_warn 2014-09-10 12:40:10 -07:00
xt_connlabel.c netfilter: connlabels: change nf_connlabels_get bit arg to 'highest used' 2016-04-18 20:39:48 +02:00
xt_connlimit.c netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple 2015-09-18 22:00:04 +02:00
xt_connmark.c netfilter: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
xt_conntrack.c
xt_cpu.c
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c netfilter: Remove checks of seq_printf() return values 2014-11-05 14:11:02 -05:00
xt_helper.c
xt_hl.c
xt_ipcomp.c netfilter: xt_ipcomp: Use ntohs to ease sparse warning 2014-02-19 11:41:25 +01:00
xt_iprange.c
xt_ipvs.c ipvs: Pass ipvs into conn_out_get 2015-09-24 09:34:41 +09:00
xt_l2tp.c netfilter: introduce l2tp match extension 2014-01-09 21:36:39 +01:00
xt_length.c
xt_limit.c
xt_mac.c
xt_mark.c netfilter: xt_MARK: Add ARP support 2015-05-14 13:00:27 +02:00
xt_multiport.c
xt_nat.c
xt_nfacct.c netfilter: nfacct: per network namespace support 2015-08-07 11:50:56 +02:00
xt_osf.c netfilter: xt_osf: remove unused variable 2016-02-29 13:59:43 +01:00
xt_owner.c netfilter: xt_owner: use skb_to_full_sk() helper 2015-11-08 20:56:39 -05:00
xt_physdev.c netfilter: physdev: use helpers 2015-04-08 16:49:09 +02:00
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_realm.c
xt_recent.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
xt_repldata.h net: netfilter: LLVMLinux: vlais-netfilter 2014-06-07 11:44:39 -07:00
xt_sctp.c
xt_set.c netfilter: ipset: Fix coding styles reported by checkpatch.pl 2015-06-14 10:40:18 +02:00
xt_socket.c tcp/dccp: do not touch listener sk_refcnt under synflood 2016-04-04 22:11:20 -04:00
xt_state.c
xt_statistic.c net: replace macros net_random and net_srandom with direct calls to prandom 2014-01-14 15:15:25 -08:00
xt_string.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
xt_tcpmss.c
xt_tcpudp.c
xt_time.c
xt_u32.c