github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-05 21:15:53 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
Linux kernel source tree
1,141,181 Commits 1 Branch 933 Tags 20 GiB
C 97%
Assembly 1%
Shell 0.6%
Rust 0.5%
Python 0.4%
Other 0.3%
a1512f11ec
Go to file
Florian Westphal a1512f11ec netfilter: br_netfilter: disable sabotage_in hook after first suppression 
[ Upstream commit 2b272bb558 ]

When using a xfrm interface in a bridged setup (the outgoing device is
bridged), the incoming packets in the xfrm interface are only tracked
in the outgoing direction.

$ brctl show
bridge name     interfaces
br_eth1         eth1

$ conntrack -L
tcp 115 SYN_SENT src=192... dst=192... [UNREPLIED] ...

If br_netfilter is enabled, the first (encrypted) packet is received onR
eth1, conntrack hooks are called from br_netfilter emulation which
allocates nf_bridge info for this skb.

If the packet is for local machine, skb gets passed up the ip stack.
The skb passes through ip prerouting a second time. br_netfilter
ip_sabotage_in supresses the re-invocation of the hooks.

After this, skb gets decrypted in xfrm layer and appears in
network stack a second time (after decryption).

Then, ip_sabotage_in is called again and suppresses netfilter
hook invocation, even though the bridge layer never called them
for the plaintext incarnation of the packet.

Free the bridge info after the first suppression to avoid this.

I was unable to figure out where the regression comes from, as far as i
can see br_netfilter always had this problem; i did not expect that skb
is looped again with different headers.

Fixes: c4b0e771f9 ("netfilter: avoid using skb->nf_bridge directly")
Reported-and-tested-by: Wolfgang Nothdurft <wolfgang@linogate.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-02-09 11:28:08 +01:00
arch use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
block block, bfq: fix uaf for bfqq in bic_set_bfqq() 2023-02-09 11:28:06 +01:00
certs certs: make system keyring depend on built-in x509 parser 2022-09-24 04:31:18 +09:00
crypto use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
Documentation dt-bindings: i2c: renesas,rzv2m: Fix SoC specific string 2023-02-01 08:34:51 +01:00
drivers drm/i915/adlp: Fix typo for reference clock 2023-02-09 11:28:07 +01:00
fs fscache: Use wait_on_bit() to wait for the freeing of relinquished volume 2023-02-09 11:28:06 +01:00
include use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
init gcc: disable -Warray-bounds for gcc-11 too 2023-01-14 10:33:43 +01:00
io_uring use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
ipc ipc: fix memory leak in init_mqueue_fs() 2022-12-31 13:32:01 +01:00
kernel use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
lib netlink: prevent potential spectre v1 gadgets 2023-02-01 08:34:43 +01:00
LICENSES LICENSES/LGPL-2.1: Add LGPL-2.1-or-later as valid identifiers 2021-12-16 14:33:10 +01:00
mm use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
net netfilter: br_netfilter: disable sabotage_in hook after first suppression 2023-02-09 11:28:08 +01:00
rust rust: print: avoid evaluating arguments in pr_* macros in unsafe blocks 2023-02-06 08:06:34 +01:00
samples ftrace: Export ftrace_free_filter() to modules 2023-02-01 08:34:37 +01:00
scripts Fix up more non-executable files marked executable 2023-02-01 08:34:49 +01:00
security use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
sound ALSA: firewire-motu: fix unreleased lock warning in hwdep device 2023-02-09 11:28:08 +01:00
tools selftests/filesystems: grant executable permission to run_fat_tests.sh 2023-02-09 11:28:01 +01:00
usr usr/gen_init_cpio.c: remove unnecessary -1 values from int file 2022-10-03 14:21:44 -07:00
virt kvm/vfio: Fix potential deadlock on vfio group_lock 2023-02-01 08:34:36 +01:00
.clang-format inet: ping: use hlist_nulls rcu iterator during lookup 2022-12-01 12:42:46 +01:00
.cocciconfig
.get_maintainer.ignore get_maintainer: add Alan to .get_maintainer.ignore 2022-08-20 15:17:44 -07:00
.gitattributes .gitattributes: use 'dts' diff driver for dts files 2019-12-04 19:44:11 -08:00
.gitignore Kbuild: add Rust support 2022-09-28 09:02:20 +02:00
.mailmap 9 hotfixes. 6 for MM, 3 for other areas. Four of these patches address 2022-12-10 17:10:52 -08:00
.rustfmt.toml rust: add .rustfmt.toml 2022-09-28 09:02:20 +02:00
COPYING COPYING: state that all contributions really are covered by this file 2020-02-10 13:32:20 -08:00
CREDITS MAINTAINERS: Remove Michal Marek from Kbuild maintainers 2022-11-16 14:53:00 +09:00
Kbuild Kbuild updates for v6.1 2022-10-10 12:00:45 -07:00
Kconfig kbuild: ensure full rebuild when the compiler is updated 2020-05-12 13:28:33 +09:00
MAINTAINERS panic: Expose "warn_count" to sysfs 2023-01-24 07:24:41 +01:00
Makefile Linux 6.1.10 2023-02-06 08:06:34 +01:00
README

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.