
Commit d471c6f7 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) br_netfilter drops IPv6 packets if ipv6 is disabled, from Leonardo Bras.

2) nft_socket hits BUG() due to illegal skb->sk caching, patch from
   Fernando Fernandez Mancera.

3) nft_fib_netdev could be called with ipv6 disabled, leading to crash
   in the fib lookup, also from Leonardo.

4) ctnetlink honors IPS_OFFLOAD flag, just like nf_conntrack sysctl does.

5) Properly set up flowtable entry timeout, otherwise immediate
   removal by garbage collector might occur.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents e33b4325 110e4872
+4 −0
@@ -496,6 +496,10 @@ static unsigned int br_nf_pre_routing(void *priv,
		if (!brnet->call_ip6tables &&
		    !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
			return NF_ACCEPT;
		if (!ipv6_mod_enabled()) {
			pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
			return NF_DROP;
		}

		nf_bridge_pull_encap_header_rcsum(skb);
		return br_nf_pre_routing_ipv6(priv, skb, state);
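Review bot: The pr_warn_once() string in the added block has no trailing newline, so the next printk may be appended to it as a continuation; kernel style is `pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.\n");`. Returning NF_DROP rather than NF_ACCEPT when the configured ip6tables hook cannot run is the fail-closed choice and matches the commit description, but nothing in the code says so; a one-line comment such as `/* call_ip6tables was requested but IPv6 is unavailable: drop rather than bypass the filter. */` would record the intent. br_nf_pre_routing starts outside the hunk.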
+5 −2
@@ -553,10 +553,8 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
		goto nla_put_failure;

	if (ctnetlink_dump_status(skb, ct) < 0 ||
	    ctnetlink_dump_timeout(skb, ct) < 0 ||
	    ctnetlink_dump_acct(skb, ct, type) < 0 ||
	    ctnetlink_dump_timestamp(skb, ct) < 0 ||
	    ctnetlink_dump_protoinfo(skb, ct) < 0 ||
	    ctnetlink_dump_helpinfo(skb, ct) < 0 ||
	    ctnetlink_dump_mark(skb, ct) < 0 ||
	    ctnetlink_dump_secctx(skb, ct) < 0 ||
@@ -568,6 +566,11 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
	    ctnetlink_dump_ct_synproxy(skb, ct) < 0)
		goto nla_put_failure;

	if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
	    (ctnetlink_dump_timeout(skb, ct) < 0 ||
	     ctnetlink_dump_protoinfo(skb, ct) < 0))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

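Review bot: The new `!test_bit(IPS_OFFLOAD_BIT, &ct->status)` guard in the second hunk is undocumented, so a reader has to consult the commit message to learn why timeout and protoinfo are withheld for offloaded conntracks. Suggest `/* Skip timeout and protoinfo for offloaded entries, as the nf_conntrack sysctl path does. */` above it. Moving these two dumps after the other attributes also changes attribute order in the netlink message; that should be harmless for nla_parse-based consumers but deserves a sentence in the description. ctnetlink_fill_info continues outside both hunks.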
+1 −1
@@ -217,7 +217,7 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
		return err;
	}

	flow->timeout = (u32)jiffies;
	flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
	return 0;
}
EXPORT_SYMBOL_GPL(flow_offload_add);
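Review bot: The rewritten `flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;` carries no explanation of why a freshly added entry must start with a full timeout, which is item 5 of the commit description. Suggest `/* Arm the entry with a full timeout; a bare jiffies value is treated as already expired by the GC. */` on that line. Because timeout is a truncated 32-bit jiffies value that wraps, the expiry comparison in the garbage collector (outside this hunk) presumably uses time_after()-style signed-delta arithmetic; worth confirming. flow_offload_add begins outside the hunk.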
+3 −0
@@ -14,6 +14,7 @@
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/ipv6.h>

#include <net/netfilter/nft_fib.h>

@@ -34,6 +35,8 @@ static void nft_fib_netdev_eval(const struct nft_expr *expr,
		}
		break;
	case ETH_P_IPV6:
		if (!ipv6_mod_enabled())
			break;
		switch (priv->result) {
		case NFT_FIB_RESULT_OIF:
		case NFT_FIB_RESULT_OIFNAME:
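Review bot: The added `if (!ipv6_mod_enabled()) break;` in the ETH_P_IPV6 case leaves both the destination register and regs->verdict untouched, so the expression's outcome depends on what the default branch or earlier expressions left there; that code is outside the hunk. If a non-match is intended when IPv6 is unavailable, `regs->verdict.code = NFT_BREAK;` before the break would make it explicit rather than implicit. A comment such as `/* IPv6 module disabled: no fib to look up. */` would also help the next reader. The same guard appears in the br_netfilter section above. nft_fib_netdev_eval starts outside the hunk.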
+3 −3
@@ -47,9 +47,6 @@ static void nft_socket_eval(const struct nft_expr *expr,
		return;
	}

	/* So that subsequent socket matching not to require other lookups. */
	skb->sk = sk;

	switch(priv->key) {
	case NFT_SOCKET_TRANSPARENT:
		nft_reg_store8(dest, inet_sk_transparent(sk));
@@ -66,6 +63,9 @@ static void nft_socket_eval(const struct nft_expr *expr,
		WARN_ON(1);
		regs->verdict.code = NFT_BREAK;
	}

	if (sk != skb->sk)
		sock_gen_put(sk);
}

static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
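Review bot: The new release `if (sk != skb->sk) sock_gen_put(sk);` relies on the lookup earlier in nft_socket_eval (outside the hunk) returning either skb->sk itself or a socket with a held reference, and that invariant is stated nowhere in the function. Suggest `/* sk is either skb->sk or a looked-up socket whose reference we own; release only the latter. */` above the added lines. Dropping the `skb->sk = sk` caching is the fix for the BUG() named in the commit description, and a short comment at the former site, `/* Do not cache sk in skb->sk: storing the looked-up socket here was illegal and triggered a BUG() downstream. */`, would keep it from being reintroduced.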