Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf (b9a40729) · Commits · e / devices / android_kernel_fairphone_FP5

net/ipv4/ip_sockglue.c

+4 −10

Original line number	Diff line number	Diff line
		@@ -1255,11 +1255,8 @@ int ip_setsockopt(struct sock *sk, int level,
		if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
		optname != IP_IPSEC_POLICY &&
		optname != IP_XFRM_POLICY &&
		!ip_mroute_opt(optname)) {
		lock_sock(sk);
		!ip_mroute_opt(optname))
		err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
		release_sock(sk);
		}
		#endif
		return err;
		}
		@@ -1284,12 +1281,9 @@ int compat_ip_setsockopt(struct sock *sk, int level, int optname,
		if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
		optname != IP_IPSEC_POLICY &&
		optname != IP_XFRM_POLICY &&
		!ip_mroute_opt(optname)) {
		lock_sock(sk);
		err = compat_nf_setsockopt(sk, PF_INET, optname,
		optval, optlen);
		release_sock(sk);
		}
		!ip_mroute_opt(optname))
		err = compat_nf_setsockopt(sk, PF_INET, optname, optval,
		optlen);
		#endif
		return err;
		}

net/ipv4/netfilter/ipt_CLUSTERIP.c

+13 −3

Original line number	Diff line number	Diff line
		@@ -431,7 +431,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
		struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
		const struct ipt_entry *e = par->entryinfo;
		struct clusterip_config *config;
		int ret;
		int ret, i;

		if (par->nft_compat) {
		pr_err("cannot use CLUSTERIP target from nftables compat\n");
		@@ -450,8 +450,18 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
		pr_info("Please specify destination IP\n");
		return -EINVAL;
		}

		/* FIXME: further sanity checks */
		if (cipinfo->num_local_nodes > ARRAY_SIZE(cipinfo->local_nodes)) {
		pr_info("bad num_local_nodes %u\n", cipinfo->num_local_nodes);
		return -EINVAL;
		}
		for (i = 0; i < cipinfo->num_local_nodes; i++) {
		if (cipinfo->local_nodes[i] - 1 >=
		sizeof(config->local_nodes) * 8) {
		pr_info("bad local_nodes[%d] %u\n",
		i, cipinfo->local_nodes[i]);
		return -EINVAL;
		}
		}

		config = clusterip_config_find_get(par->net, e->ip.dst.s_addr, 1);
		if (!config) {

net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -213,15 +213,19 @@ getorigdst(struct sock sk, int optval, void __user user, int *len)
		struct nf_conntrack_tuple tuple;

		memset(&tuple, 0, sizeof(tuple));

		lock_sock(sk);
		tuple.src.u3.ip = inet->inet_rcv_saddr;
		tuple.src.u.tcp.port = inet->inet_sport;
		tuple.dst.u3.ip = inet->inet_daddr;
		tuple.dst.u.tcp.port = inet->inet_dport;
		tuple.src.l3num = PF_INET;
		tuple.dst.protonum = sk->sk_protocol;
		release_sock(sk);

		/* We only do TCP and SCTP at the moment: is there a better way? */
		if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) {
		if (tuple.dst.protonum != IPPROTO_TCP &&
		tuple.dst.protonum != IPPROTO_SCTP) {
		pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");
		return -ENOPROTOOPT;
		}

net/ipv6/ipv6_sockglue.c

+5 −12

Original line number	Diff line number	Diff line
		@@ -923,12 +923,8 @@ int ipv6_setsockopt(struct sock *sk, int level, int optname,
		#ifdef CONFIG_NETFILTER
		/* we need to exclude all possible ENOPROTOOPTs except default case */
		if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
		optname != IPV6_XFRM_POLICY) {
		lock_sock(sk);
		err = nf_setsockopt(sk, PF_INET6, optname, optval,
		optlen);
		release_sock(sk);
		}
		optname != IPV6_XFRM_POLICY)
		err = nf_setsockopt(sk, PF_INET6, optname, optval, optlen);
		#endif
		return err;
		}
		@@ -958,12 +954,9 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
		#ifdef CONFIG_NETFILTER
		/* we need to exclude all possible ENOPROTOOPTs except default case */
		if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
		optname != IPV6_XFRM_POLICY) {
		lock_sock(sk);
		err = compat_nf_setsockopt(sk, PF_INET6, optname,
		optval, optlen);
		release_sock(sk);
		}
		optname != IPV6_XFRM_POLICY)
		err = compat_nf_setsockopt(sk, PF_INET6, optname, optval,
		optlen);
		#endif
		return err;
		}

net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c

+12 −6

Original line number	Diff line number	Diff line
		@@ -221,20 +221,27 @@ static const struct nf_hook_ops ipv6_conntrack_ops[] = {
		static int
		ipv6_getorigdst(struct sock sk, int optval, void __user user, int *len)
		{
		const struct inet_sock *inet = inet_sk(sk);
		struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
		const struct ipv6_pinfo *inet6 = inet6_sk(sk);
		const struct inet_sock *inet = inet_sk(sk);
		const struct nf_conntrack_tuple_hash *h;
		struct sockaddr_in6 sin6;
		struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
		struct nf_conn *ct;
		__be32 flow_label;
		int bound_dev_if;

		lock_sock(sk);
		tuple.src.u3.in6 = sk->sk_v6_rcv_saddr;
		tuple.src.u.tcp.port = inet->inet_sport;
		tuple.dst.u3.in6 = sk->sk_v6_daddr;
		tuple.dst.u.tcp.port = inet->inet_dport;
		tuple.dst.protonum = sk->sk_protocol;
		bound_dev_if = sk->sk_bound_dev_if;
		flow_label = inet6->flow_label;
		release_sock(sk);

		if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP)
		if (tuple.dst.protonum != IPPROTO_TCP &&
		tuple.dst.protonum != IPPROTO_SCTP)
		return -ENOPROTOOPT;

		if (len < 0 \|\| (unsigned int) len < sizeof(sin6))
		@@ -252,14 +259,13 @@ ipv6_getorigdst(struct sock sk, int optval, void __user user, int *len)

		sin6.sin6_family = AF_INET6;
		sin6.sin6_port = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.tcp.port;
		sin6.sin6_flowinfo = inet6->flow_label & IPV6_FLOWINFO_MASK;
		sin6.sin6_flowinfo = flow_label & IPV6_FLOWINFO_MASK;
		memcpy(&sin6.sin6_addr,
		&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.in6,
		sizeof(sin6.sin6_addr));

		nf_ct_put(ct);
		sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr,
		sk->sk_bound_dev_if);
		sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr, bound_dev_if);
		return copy_to_user(user, &sin6, sizeof(sin6)) ? -EFAULT : 0;
		}