
Commit c0e41fa7 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix missing initialization of tuple structure in nfnetlink_cthelper
   to avoid mismatches when looking up to attach userspace helpers to
   flows, from Ian Wilson.

2) Fix potential crash in nft_hash when we hit -EAGAIN in
   nft_hash_walk(), from Herbert Xu.

3) We don't need to indicate the hook information to update the
   basechain default policy in nf_tables.

4) Restore tracing over nfnetlink_log due to recent rework to
   accommodate logging infrastructure into nf_tables.

5) Fix wrong IP6T_INV_PROTO check in xt_TPROXY.

6) Set IP6T_F_PROTO flag in nft_compat so we can use SYNPROXY6 and
   REJECT6 from xt over nftables.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents f40bff42 749177cc
+10 −0
@@ -79,6 +79,16 @@ void nf_log_packet(struct net *net,
		   const struct nf_loginfo *li,
		   const char *fmt, ...);

__printf(8, 9)
void nf_log_trace(struct net *net,
		  u_int8_t pf,
		  unsigned int hooknum,
		  const struct sk_buff *skb,
		  const struct net_device *in,
		  const struct net_device *out,
		  const struct nf_loginfo *li,
		  const char *fmt, ...);

struct nf_log_buf;

struct nf_log_buf *nf_log_buf_open(void);
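Review bot: The new nf_log_trace() prototype takes the same parameter list as the nf_log_packet() declaration just above it, and nothing says when a caller should pick one over the other. A short comment on the declaration would help, for example `/* Log via the per-netns logger registered for pf; used for TRACE output. */`, worded to match what the definition actually does. The `__printf(8, 9)` annotation is correct for this signature (fmt is the eighth parameter), so format/argument mismatches at call sites are caught at compile time. The seventh parameter is named `li` here and `loginfo` in the definition; using one name in both places would make them easier to cross-read.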
+3 −3
@@ -272,7 +272,7 @@ static void trace_packet(const struct sk_buff *skb,
		    &chainname, &comment, &rulenum) != 0)
			break;

	nf_log_packet(net, AF_INET, hook, skb, in, out, &trace_loginfo,
	nf_log_trace(net, AF_INET, hook, skb, in, out, &trace_loginfo,
		     "TRACE: %s:%s:%s:%u ",
		     tablename, chainname, comment, rulenum);
}
+3 −3
@@ -298,7 +298,7 @@ static void trace_packet(const struct sk_buff *skb,
		    &chainname, &comment, &rulenum) != 0)
			break;

	nf_log_packet(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
	nf_log_trace(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
		     "TRACE: %s:%s:%s:%u ",
		     tablename, chainname, comment, rulenum);
}
+24 −0
@@ -212,6 +212,30 @@ void nf_log_packet(struct net *net,
}
EXPORT_SYMBOL(nf_log_packet);

void nf_log_trace(struct net *net,
		  u_int8_t pf,
		  unsigned int hooknum,
		  const struct sk_buff *skb,
		  const struct net_device *in,
		  const struct net_device *out,
		  const struct nf_loginfo *loginfo, const char *fmt, ...)
{
	va_list args;
	char prefix[NF_LOG_PREFIXLEN];
	const struct nf_logger *logger;

	rcu_read_lock();
	logger = rcu_dereference(net->nf.nf_loggers[pf]);
	if (logger) {
		va_start(args, fmt);
		vsnprintf(prefix, sizeof(prefix), fmt, args);
		va_end(args);
		logger->logfn(net, pf, hooknum, skb, in, out, loginfo, prefix);
	}
	rcu_read_unlock();
}
EXPORT_SYMBOL(nf_log_trace);

#define S_SIZE (1024 - (sizeof(unsigned int) + 1))

struct nf_log_buf {
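Review bot: `pf` indexes `net->nf.nf_loggers[]` on the rcu_dereference() line without a range check, and because nf_log_trace() is exported, any in-kernel caller can pass an arbitrary u_int8_t. The array's declaration is not visible here, so this only matters if it has fewer than 256 entries; in that case a guard such as `if (pf >= ARRAY_SIZE(net->nf.nf_loggers)) return;` before rcu_read_lock() would keep a bad family value from reading past the array. Separately, the vsnprintf() return value is ignored, so a prefix longer than NF_LOG_PREFIXLEN is truncated silently; that is memory-safe, but a one-line comment stating that truncation is intentional would help anyone reading clipped trace output. The callers visible in this commit pass AF_INET and AF_INET6 with a literal format string, which is the safe usage.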
+4 −1
@@ -1225,7 +1225,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,

	if (nla[NFTA_CHAIN_POLICY]) {
		if ((chain != NULL &&
		    !(chain->flags & NFT_BASE_CHAIN)) ||
		    !(chain->flags & NFT_BASE_CHAIN)))
			return -EOPNOTSUPP;

		if (chain == NULL &&
		    nla[NFTA_CHAIN_HOOK] == NULL)
			return -EOPNOTSUPP;

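Review bot: The first check keeps the doubled parentheses left over from the old combined condition, `if ((chain != NULL && !(chain->flags & NFT_BASE_CHAIN)))`; with the `||` arm gone, one pair is enough: `if (chain != NULL && !(chain->flags & NFT_BASE_CHAIN))`. Both checks gate netlink attributes supplied from userspace, so a short comment on each would make the intent easier to audit, e.g. `/* policy can only be set on base chains */` and `/* a new chain with a policy must also carry a hook */`. nf_tables_newchain() starts before and continues after this hunk, so the later handling of the policy value is not visible here.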