linux-stable/net/ipv6
Florian Westphal 0d7df906a0 netfilter: x_tables: ensure last rule in base chain matches underflow/policy
Harmless from kernel point of view, but again iptables assumes that
this is true when decoding ruleset coming from kernel.

If a (syzkaller generated) ruleset doesn't have the underflow/policy
stored as the last rule in the base chain, then iptables will abort()
because it doesn't find the chain policy.

libiptc assumes that the policy is the last rule in the basechain, which
is only true for iptables-generated rulesets.

Unfortunately this needs code duplication -- the functions need the
struct layout of the rule head, but that is different for
ip/ip6/arptables.

NB: pr_warn could be pr_debug but in case this break rulesets somehow its
useful to know why blob was rejected.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-03-05 23:15:44 +01:00
..
ila net: Convert ila_net_ops 2018-02-27 11:01:39 -05:00
netfilter netfilter: x_tables: ensure last rule in base chain matches underflow/policy 2018-03-05 23:15:44 +01:00
addrconf.c ipv6: allow userspace to add IFA_F_OPTIMISTIC addresses 2018-03-01 13:43:06 -05:00
addrconf_core.c net: ipv6: Make inet6addr_validator a blocking notifier 2017-10-20 13:15:07 +01:00
addrlabel.c net: Convert fib6_net_ops, ipv6_addr_label_ops and ip6_segments_ops 2018-02-19 14:19:11 -05:00
af_inet6.c net: Convert inet6_net_ops 2018-02-19 14:19:09 -05:00
ah6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
anycast.c net/ipv6: Pass skb to route lookup 2018-03-04 13:04:22 -05:00
calipso.c net, calipso: convert calipso_doi.refcount from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
datagram.c net: ipv6: Allow connect to linklocal address from socket bound to vrf 2018-01-08 14:11:18 -05:00
esp6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-17 00:10:42 -05:00
esp6_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-23 13:51:56 -05:00
exthdrs.c ipv6: sr: fix TLVs not being copied using setsockopt 2018-01-10 16:03:55 -05:00
exthdrs_core.c inet: whitespace cleanup 2018-02-28 11:43:28 -05:00
exthdrs_offload.c
fib6_notifier.c net: Add module reference to FIB notifiers 2017-09-01 20:33:42 -07:00
fib6_rules.c net/ipv6: Pass skb to route lookup 2018-03-04 13:04:22 -05:00
fou6.c fou: make local function static 2017-05-21 13:42:36 -04:00
icmp.c net/ipv6: Add support for path selection using hash of 5-tuple 2018-03-04 13:04:23 -05:00
inet6_connection_sock.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-01-28 10:33:06 -05:00
inet6_hashtables.c inet: Add a 2nd listener hashtable (port+addr) 2017-12-03 10:18:28 -05:00
ip6_checksum.c udplite: fix partial checksum initialization 2018-02-16 15:57:42 -05:00
ip6_fib.c net/ipv6: Pass skb to route lookup 2018-03-04 13:04:22 -05:00
ip6_flowlabel.c net: Convert ip6_flowlabel_net_ops 2018-02-19 14:19:11 -05:00
ip6_gre.c gre: add sequence number for collect md mode. 2018-03-04 18:35:02 -05:00
ip6_icmp.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip6_input.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-20 10:35:33 -04:00
ip6_offload.c gso: fix payload length when gso_size is zero 2017-10-08 10:12:15 -07:00
ip6_offload.h
ip6_output.c ip6mr: Make mroute_sk rcu-based 2018-03-01 13:13:23 -05:00
ip6_tunnel.c net/ipv6: Pass skb to route lookup 2018-03-04 13:04:22 -05:00
ip6_udp_tunnel.c ip6_udp_tunnel: remove unused IPCB related codes 2016-11-02 15:18:36 -04:00
ip6_vti.c net/ipv6: Pass skb to route lookup 2018-03-04 13:04:22 -05:00
ip6mr.c ipmr, ip6mr: Unite dumproute flows 2018-03-01 13:13:23 -05:00
ipcomp6.c net: inet: Support UID-based routing in IP protocols. 2016-11-04 14:45:23 -04:00
ipv6_sockglue.c inet: whitespace cleanup 2018-02-28 11:43:28 -05:00
Kconfig ipmr,ipmr6: Define a uniform vif_device 2018-03-01 13:13:23 -05:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mcast.c net/ipv6: Pass skb to route lookup 2018-03-04 13:04:22 -05:00
mcast_snoop.c
mip6.c ktime: Get rid of ktime_equal() 2016-12-25 17:21:23 +01:00
ndisc.c net: Convert icmpv6_sk_ops, ndisc_net_ops and igmp6_net_ops 2018-02-19 14:19:10 -05:00
netfilter.c netfilter: remove struct nf_afinfo and its helper functions 2018-01-08 18:11:02 +01:00
output_core.c net: accept UFO datagrams from tuntap and packet 2017-11-24 01:37:35 +09:00
ping.c net: Convert ping_v6_net_ops 2018-02-19 14:19:11 -05:00
proc.c inet: whitespace cleanup 2018-02-28 11:43:28 -05:00
protocol.c net: Add sysctl to toggle early demux for tcp and udp 2017-03-24 13:17:07 -07:00
raw.c net: Convert raw6_net_ops, udplite6_net_ops, ipv6_proc_ops, if6_proc_net_ops and ip6_route_net_late_ops 2018-02-19 14:19:10 -05:00
reassembly.c net: Convert ip6_frags_ops 2018-02-19 14:19:11 -05:00
route.c net/ipv6: Add support for path selection using hash of 5-tuple 2018-03-04 13:04:23 -05:00
seg6.c net: Convert fib6_net_ops, ipv6_addr_label_ops and ip6_segments_ops 2018-02-19 14:19:11 -05:00
seg6_hmac.c ipv6: sr: Use ARRAY_SIZE macro 2017-09-01 18:35:23 -07:00
seg6_iptunnel.c ipv6: sr: add support for encapsulation of L2 frames 2017-08-25 17:10:23 -07:00
seg6_local.c net/ipv6: Pass skb to route lookup 2018-03-04 13:04:22 -05:00
sit.c net: Convert sit_net_ops 2018-02-27 11:01:38 -05:00
syncookies.c tcp: Namespace-ify sysctl_tcp_workaround_signed_windows 2017-10-28 19:24:38 +09:00
sysctl_net_ipv6.c net/ipv6: Add support for path selection using hash of 5-tuple 2018-03-04 13:04:23 -05:00
tcp_ipv6.c net: Convert tcpv6_net_ops 2018-02-19 14:19:10 -05:00
tcpv6_offload.c gso: validate gso_type in GSO handlers 2018-01-22 16:01:30 -05:00
tunnel6.c
udp.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
udp_impl.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
udp_offload.c gso: validate gso_type in GSO handlers 2018-01-22 16:01:30 -05:00
udplite.c net: Convert ip_tables_net_ops, udplite6_net_ops and xt_net_ops 2018-02-19 14:19:12 -05:00
xfrm6_input.c xfrm: Reinject transport-mode packets through tasklet 2017-12-19 08:23:21 +01:00
xfrm6_mode_beet.c networking: make skb_pull & friends return void pointers 2017-06-16 11:48:39 -04:00
xfrm6_mode_ro.c ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() 2017-06-02 13:57:27 -04:00
xfrm6_mode_transport.c ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() 2017-06-02 13:57:27 -04:00
xfrm6_mode_tunnel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-24 23:44:15 -05:00
xfrm6_output.c xfrm: Add an IPsec hardware offloading API 2017-04-14 10:06:10 +02:00
xfrm6_policy.c net: Convert xfrm6_net_ops 2018-02-19 14:19:11 -05:00
xfrm6_protocol.c xfrm: input: constify xfrm_input_afinfo 2017-02-09 10:22:17 +01:00
xfrm6_state.c inet: whitespace cleanup 2018-02-28 11:43:28 -05:00
xfrm6_tunnel.c net: Convert simple pernet_operations 2018-02-27 11:01:35 -05:00