Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4ecdf770 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for you net tree:

1) Remove duplicated include at the end of UDP conntrack, from Yue Haibing.

2) Restore conntrack dependency on xt_cluster, from Martin Willi.

3) Fix splat with GSO skbs from the checksum target, from Florian Westphal.

4) Rework ct timeout support, the template strategy to attach custom timeouts
   is not correct since it will not work in conjunction with conntrack zones
   and we have a possible free after use when removing the rule due to missing
   refcounting. To fix these problems, do not use conntrack template at all
   and set custom timeout on the already valid conntrack object. This
   fix comes with a preparation patch to simplify timeout adjustment by
   initializating the first position of the timeout array for all of the
   existing trackers. Patchset from Florian Westphal.

5) Fix missing dependency on from IPv4 chain NAT type, from Florian.

6) Release chain reference counter from the flush path, from Taehee Yoo.

7) After flushing an iptables ruleset, conntrack hooks are unregistered
   and entries are left stale to be cleaned up by the timeout garbage
   collector. No TCP tracking is done on established flows by this time.
   If ruleset is reloaded, then hooks are registered again and TCP
   tracking is restored, which considers packets to be invalid. Clear
   window tracking to exercise TCP flow pickup from the middle given that
   history is lost for us. Again from Florian.

8) Fix crash from netlink interface with CONFIG_NF_CONNTRACK_TIMEOUT=y
   and CONFIG_NF_CT_NETLINK_TIMEOUT=n.

9) Broken CT target due to returning incorrect type from
   ctnl_timeout_find_get().

10) Solve conntrack clash on NF_REPEAT verdicts too, from Michal Vaner.

11) Missing conversion of hashlimit sysctl interface to new API, from
    Cong Wang.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 7c5cca35 1286df26

include/net/netfilter/nf_conntrack_timeout.h

+1 −1
Original line number Diff line number Diff line
@@ -30,7 +30,7 @@ struct nf_conn_timeout { 
};



static inline unsigned int *

nf_ct_timeout_data(struct nf_conn_timeout *t)

nf_ct_timeout_data(const struct nf_conn_timeout *t)

{

	struct nf_ct_timeout *timeout;

net/ipv4/netfilter/Kconfig

+5 −3
Original line number Diff line number Diff line
@@ -106,6 +106,10 @@ config NF_NAT_IPV4 


if NF_NAT_IPV4



config NF_NAT_MASQUERADE_IPV4

	bool



if NF_TABLES

config NFT_CHAIN_NAT_IPV4

	depends on NF_TABLES_IPV4

	tristate "IPv4 nf_tables nat chain support"
@@ -115,9 +119,6 @@ config NFT_CHAIN_NAT_IPV4 
	  packet transformations such as the source, destination address and

	  source and destination ports.



config NF_NAT_MASQUERADE_IPV4

	bool



config NFT_MASQ_IPV4

	tristate "IPv4 masquerading support for nf_tables"

	depends on NF_TABLES_IPV4
@@ -135,6 +136,7 @@ config NFT_REDIR_IPV4 
	help

	  This is the expression that provides IPv4 redirect support for

	  nf_tables.

endif # NF_TABLES



config NF_NAT_SNMP_BASIC

	tristate "Basic SNMP-ALG support"

net/netfilter/Kconfig

+6 −6
Original line number Diff line number Diff line
@@ -771,13 +771,13 @@ config NETFILTER_XT_TARGET_CHECKSUM 
	depends on NETFILTER_ADVANCED

	---help---

	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle

	  table.

	  table to work around buggy DHCP clients in virtualized environments.



	  You can use this target to compute and fill in the checksum in

	  a packet that lacks a checksum.  This is particularly useful,

	  if you need to work around old applications such as dhcp clients,

	  that do not work well with checksum offloads, but don't want to disable

	  checksum offload in your device.

	  Some old DHCP clients drop packets because they are not aware

	  that the checksum would normally be offloaded to hardware and

	  thus should be considered valid.

	  This target can be used to fill in the checksum using iptables

	  when such packets are sent via a virtual network device.



	  To compile it as a module, choose M here.  If unsure, say N.

net/netfilter/nf_conntrack_proto.c

+26 −0
Original line number Diff line number Diff line
@@ -776,9 +776,26 @@ static const struct nf_hook_ops ipv6_conntrack_ops[] = { 
};

#endif



static int nf_ct_tcp_fixup(struct nf_conn *ct, void *_nfproto)

{

	u8 nfproto = (unsigned long)_nfproto;



	if (nf_ct_l3num(ct) != nfproto)

		return 0;



	if (nf_ct_protonum(ct) == IPPROTO_TCP &&

	    ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED) {

		ct->proto.tcp.seen[0].td_maxwin = 0;

		ct->proto.tcp.seen[1].td_maxwin = 0;

	}



	return 0;

}



static int nf_ct_netns_do_get(struct net *net, u8 nfproto)

{

	struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id);

	bool fixup_needed = false;

	int err = 0;



	mutex_lock(&nf_ct_proto_mutex);
@@ -798,6 +815,8 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto) 
					    ARRAY_SIZE(ipv4_conntrack_ops));

		if (err)

			cnet->users4 = 0;

		else

			fixup_needed = true;

		break;

#if IS_ENABLED(CONFIG_IPV6)

	case NFPROTO_IPV6:
@@ -814,6 +833,8 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto) 
					    ARRAY_SIZE(ipv6_conntrack_ops));

		if (err)

			cnet->users6 = 0;

		else

			fixup_needed = true;

		break;

#endif

	default:
@@ -822,6 +843,11 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto) 
	}

 out_unlock:

	mutex_unlock(&nf_ct_proto_mutex);



	if (fixup_needed)

		nf_ct_iterate_cleanup_net(net, nf_ct_tcp_fixup,

					  (void *)(unsigned long)nfproto, 0, 0);



	return err;

}

net/netfilter/nf_conntrack_proto_dccp.c

+13 −6
Original line number Diff line number Diff line
@@ -675,7 +675,7 @@ static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct) 
}

#endif



#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)

#ifdef CONFIG_NF_CONNTRACK_TIMEOUT



#include <linux/netfilter/nfnetlink.h>

#include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -697,6 +697,8 @@ static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[], 
			timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;

		}

	}



	timeouts[CTA_TIMEOUT_DCCP_UNSPEC] = timeouts[CTA_TIMEOUT_DCCP_REQUEST];

	return 0;

}
@@ -726,7 +728,7 @@ dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = { 
	[CTA_TIMEOUT_DCCP_CLOSING]	= { .type = NLA_U32 },

	[CTA_TIMEOUT_DCCP_TIMEWAIT]	= { .type = NLA_U32 },

};

#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */

#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */



#ifdef CONFIG_SYSCTL

/* template, data assigned later */
@@ -827,6 +829,11 @@ static int dccp_init_net(struct net *net, u_int16_t proto) 
		dn->dccp_timeout[CT_DCCP_CLOSEREQ]	= 64 * HZ;

		dn->dccp_timeout[CT_DCCP_CLOSING]	= 64 * HZ;

		dn->dccp_timeout[CT_DCCP_TIMEWAIT]	= 2 * DCCP_MSL;



		/* timeouts[0] is unused, make it same as SYN_SENT so

		 * ->timeouts[0] contains 'new' timeout, like udp or icmp.

		 */

		dn->dccp_timeout[CT_DCCP_NONE] = dn->dccp_timeout[CT_DCCP_REQUEST];

	}



	return dccp_kmemdup_sysctl_table(net, pn, dn);
@@ -856,7 +863,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 = { 
	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,

	.nla_policy		= nf_ct_port_nla_policy,

#endif

#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)

#ifdef CONFIG_NF_CONNTRACK_TIMEOUT

	.ctnl_timeout		= {

		.nlattr_to_obj	= dccp_timeout_nlattr_to_obj,

		.obj_to_nlattr	= dccp_timeout_obj_to_nlattr,
@@ -864,7 +871,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 = { 
		.obj_size	= sizeof(unsigned int) * CT_DCCP_MAX,

		.nla_policy	= dccp_timeout_nla_policy,

	},

#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */

#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */

	.init_net		= dccp_init_net,

	.get_net_proto		= dccp_get_net_proto,

};
@@ -889,7 +896,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 = { 
	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,

	.nla_policy		= nf_ct_port_nla_policy,

#endif

#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)

#ifdef CONFIG_NF_CONNTRACK_TIMEOUT

	.ctnl_timeout		= {

		.nlattr_to_obj	= dccp_timeout_nlattr_to_obj,

		.obj_to_nlattr	= dccp_timeout_obj_to_nlattr,
@@ -897,7 +904,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 = { 
		.obj_size	= sizeof(unsigned int) * CT_DCCP_MAX,

		.nla_policy	= dccp_timeout_nla_policy,

	},

#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */

#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */

	.init_net		= dccp_init_net,

	.get_net_proto		= dccp_get_net_proto,

};