linux/net/ipv6/netfilter
Florian Westphal 09d9686047 netfilter: x_tables: do compat validation via translate_table
This looks like refactoring, but its also a bug fix.

Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few
sanity tests that are done in the normal path.

For example, we do not check for underflows and the base chain policies.

While its possible to also add such checks to the compat path, its more
copy&pastry, for instance we cannot reuse check_underflow() helper as
e->target_offset differs in the compat case.

Other problem is that it makes auditing for validation errors harder; two
places need to be checked and kept in sync.

At a high level 32 bit compat works like this:
1- initial pass over blob:
   validate match/entry offsets, bounds checking
   lookup all matches and targets
   do bookkeeping wrt. size delta of 32/64bit structures
   assign match/target.u.kernel pointer (points at kernel
   implementation, needed to access ->compatsize etc.)

2- allocate memory according to the total bookkeeping size to
   contain the translated ruleset

3- second pass over original blob:
   for each entry, copy the 32bit representation to the newly allocated
   memory.  This also does any special match translations (e.g.
   adjust 32bit to 64bit longs, etc).

4- check if ruleset is free of loops (chase all jumps)

5-first pass over translated blob:
   call the checkentry function of all matches and targets.

The alternative implemented by this patch is to drop steps 3&4 from the
compat process, the translation is changed into an intermediate step
rather than a full 1:1 translate_table replacement.

In the 2nd pass (step #3), change the 64bit ruleset back to a kernel
representation, i.e. put() the kernel pointer and restore ->u.user.name .

This gets us a 64bit ruleset that is in the format generated by a 64bit
iptables userspace -- we can then use translate_table() to get the
'native' sanity checks.

This has two drawbacks:

1. we re-validate all the match and target entry structure sizes even
though compat translation is supposed to never generate bogus offsets.
2. we put and then re-lookup each match and target.

THe upside is that we get all sanity tests and ruleset validations
provided by the normal path and can remove some duplicated compat code.

iptables-restore time of autogenerated ruleset with 300k chains of form
-A CHAIN0001 -m limit --limit 1/s -j CHAIN0002
-A CHAIN0002 -m limit --limit 1/s -j CHAIN0003

shows no noticeable differences in restore times:
old:   0m30.796s
new:   0m31.521s
64bit: 0m25.674s

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-04-14 00:30:40 +02:00
..
ip6_tables.c netfilter: x_tables: do compat validation via translate_table 2016-04-14 00:30:40 +02:00
ip6t_ah.c netfilter: ip6_tables: add flags parameter to ipv6_find_hdr() 2012-05-09 12:53:47 +02:00
ip6t_eui64.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6t_frag.c netfilter: ip6_tables: add flags parameter to ipv6_find_hdr() 2012-05-09 12:53:47 +02:00
ip6t_hbh.c netfilter: ip6_tables: add flags parameter to ipv6_find_hdr() 2012-05-09 12:53:47 +02:00
ip6t_ipv6header.c netfilter: remove unnecessary break after return 2014-07-15 16:27:00 -07:00
ip6t_MASQUERADE.c netfilter: nf_nat: generalize IPv6 masquerading support for nf_tables 2014-09-09 16:31:29 +02:00
ip6t_mh.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6t_NPT.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-07 18:37:01 -04:00
ip6t_REJECT.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
ip6t_rpfilter.c netfilter: x_tables: Use par->net instead of computing from the passed net devices 2015-09-18 21:58:25 +02:00
ip6t_rt.c netfilter: ip6_tables: add flags parameter to ipv6_find_hdr() 2012-05-09 12:53:47 +02:00
ip6t_SYNPROXY.c netfilter: ip6t_SYNPROXY: remove magic number for hop_limit 2016-03-29 13:31:17 +02:00
ip6table_filter.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
ip6table_mangle.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
ip6table_nat.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
ip6table_raw.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
ip6table_security.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
Kconfig netfilter: nf_dup: add missing dependencies with NF_CONNTRACK 2015-12-10 18:17:06 +01:00
Makefile netfilter: nf_tables: add nft_dup expression 2015-08-07 11:49:49 +02:00
nf_conntrack_l3proto_ipv6.c netfilter: remove hook owner refcounting 2015-10-16 18:21:39 +02:00
nf_conntrack_proto_icmpv6.c netfilter: ipv6: whitespace around operators 2015-10-13 14:12:38 +02:00
nf_conntrack_reasm.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-12-14 20:31:16 +01:00
nf_defrag_ipv6_hooks.c netfilter: ipv6: avoid nf_iterate recursion 2015-11-23 17:54:45 +01:00
nf_dup_ipv6.c ipv4, ipv6: Pass net into ip_local_out and ip6_local_out 2015-10-08 04:27:02 -07:00
nf_log_ipv6.c netfilter: Use LOGLEVEL_<FOO> defines 2015-03-25 12:09:39 +01:00
nf_nat_l3proto_ipv6.c netfilter: Allow calling into nat helper without skb_dst. 2016-03-14 23:47:27 +01:00
nf_nat_masquerade_ipv6.c netfilter: conntrack: resched in nf_ct_iterate_cleanup 2016-02-01 00:15:26 +01:00
nf_nat_proto_icmpv6.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_reject_ipv6.c netfilter: ipv6: unnecessary to check whether ip6_route_output() returns NULL 2016-04-07 18:53:08 +02:00
nf_tables_ipv6.c netfilter: nf_tables: release objects on netns destruction 2015-12-28 18:34:35 +01:00
nft_chain_nat_ipv6.c netfilter: Pass priv instead of nf_hook_ops to netfilter hooks 2015-09-18 22:00:16 +02:00
nft_chain_route_ipv6.c netfilter: ipv6: code indentation 2015-10-13 14:12:38 +02:00
nft_dup_ipv6.c netfilter: Pass net to nf_dup_ipv4 and nf_dup_ipv6 2015-09-18 21:59:11 +02:00
nft_masq_ipv6.c netfilter: nft_masq: support port range 2016-03-02 20:05:27 +01:00
nft_redir_ipv6.c netfilter: nf_tables: kill nft_pktinfo.ops 2015-09-18 21:58:01 +02:00
nft_reject_ipv6.c netfilter: nf_tables: Use pkt->net instead of computing net from the passed net_devices 2015-09-18 21:58:49 +02:00