
Commit e0831ef7 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree:

1) Remove a direct dependency with IPv6 introduced by the
   sip_external_media feature, from Alin Nastac.

2) Fix bogus ENOENT when removing interval elements from set.

3) Set transport_header from br_netfilter to mimic the stack
   behaviour, this partially fixes a checksum validation bug
   from the SCTP connection tracking, from Xin Long.

4) Fix undefined reference to symbol in xt_TEE, due to missing
   Kconfig dependencies, from Arnd Bergmann.

5) Check for NULL in skb_header_pointer() calls in ip6t_srh,
   from Kangjie Lu.

6) Fix bogus EBUSY when removing an existing conntrack helper from
   a transaction.

7) Fix module autoload of the redirect extension.

8) Remove duplicated transition in flowtable diagram in the existing
   documentation.

9) Missing .release_ops call from error path in newrule() which
   results module refcount leak, from Taehee Yoo.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents ceabee6c b25a31bf
+4 −4
@@ -44,10 +44,10 @@ including the Netfilter hooks and the flowtable fastpath bypass.
     /         \    /          \     |Routing |   /            \
  -->  ingress  ---> prerouting ---> |decision|   | postrouting |--> neigh_xmit
     \_________/    \__________/     ----------   \____________/          ^
       |      ^          |               |               ^                |
   flowtable  |          |          ____\/___            |                |
       |      |          |         /         \           |                |
    __\/___   |          --------->| forward |------------                |
       |      ^                          |               ^                |
   flowtable  |                     ____\/___            |                |
       |      |                    /         \           |                |
    __\/___   |                    | forward |------------                |
    |-----|   |                    \_________/                            |
    |-----|   |                 'flow offload' rule                       |
    |-----|   |                   adds entry to                           |
+1 −0
@@ -502,6 +502,7 @@ static unsigned int br_nf_pre_routing(void *priv,
	nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;

	skb->protocol = htons(ETH_P_IP);
	skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;

	NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
		skb->dev, NULL,
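Review bot: The assignment `skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;` derives an offset from the packet-supplied `ihl` field, and nothing visible in this hunk shows that field being range-checked. The IPv4 header validation presumably runs earlier in br_nf_pre_routing, outside the hunk, and that is worth confirming because later consumers trust this offset. As a style point, the open-coded multiplication could use the existing helper: `skb->transport_header = skb->network_header + ip_hdrlen(skb);`. A short comment such as `/* mimic the IP receive path: SCTP conntrack checksum validation reads skb_transport_header() */` would record why the bridge path sets it.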
+2 −0
@@ -235,6 +235,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv,
	nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr;

	skb->protocol = htons(ETH_P_IPV6);
	skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);

	NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
		skb->dev, NULL,
		br_nf_pre_routing_finish_ipv6);
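Review bot: `skb->network_header + sizeof(struct ipv6hdr)` points at the first byte after the fixed IPv6 header, which is the upper-layer header only when the packet carries no extension headers. With hop-by-hop, routing or fragment headers present, a consumer that reads skb_transport_header() for L4 checksum validation would be looking at an extension header instead. That is consistent with the commit description calling this a partial fix, but the limitation is not recorded in the code. I would add a comment above the assignment, e.g. `/* first byte after the fixed header; not the L4 header when extension headers are present */`. The function body starts and ends outside the hunk.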
+6 −0
@@ -210,6 +210,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
		psidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
			  ((srh->segments_left + 1) * sizeof(struct in6_addr));
		psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid);
		if (!psid)
			return false;
		if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID,
				ipv6_masked_addr_cmp(psid, &srhinfo->psid_msk,
						     &srhinfo->psid_addr)))
@@ -223,6 +225,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
		nsidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
			  ((srh->segments_left - 1) * sizeof(struct in6_addr));
		nsid = skb_header_pointer(skb, nsidoff, sizeof(_nsid), &_nsid);
		if (!nsid)
			return false;
		if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NSID,
				ipv6_masked_addr_cmp(nsid, &srhinfo->nsid_msk,
						     &srhinfo->nsid_addr)))
@@ -233,6 +237,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
	if (srhinfo->mt_flags & IP6T_SRH_LSID) {
		lsidoff = srhoff + sizeof(struct ipv6_sr_hdr);
		lsid = skb_header_pointer(skb, lsidoff, sizeof(_lsid), &_lsid);
		if (!lsid)
			return false;
		if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LSID,
				ipv6_masked_addr_cmp(lsid, &srhinfo->lsid_msk,
						     &srhinfo->lsid_addr)))
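Review bot: Each of the three new NULL checks in srh1_mt6 (`if (!psid)`, `if (!nsid)`, `if (!lsid)`) turns an unreadable SID into a plain non-match, so a packet whose SRH is truncated at that offset falls through to the following rules instead of being rejected, even under a rule meant to drop on a SID match. Other xtables matches set hotdrop when a header they were asked to inspect cannot be read; if that is the intended policy here, the check would become `if (!psid) { par->hotdrop = true; return false; }`, and likewise for nsid and lsid. If non-match is deliberate, a one-line comment saying so would help the next reader. The offsets are computed from the packet's `segments_left`, and any range check on that field lies outside these hunks, so it could not be confirmed from here.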
+1 −0
@@ -1007,6 +1007,7 @@ config NETFILTER_XT_TARGET_TEE
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on !NF_CONNTRACK || NF_CONNTRACK
	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
	select NF_DUP_IPV4
	select NF_DUP_IPV6 if IP6_NF_IPTABLES
	---help---
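Review bot: The line `depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES` reads as a tautology unless the reader knows Kconfig tristate semantics, where it caps this symbol at `m` whenever IP6_NF_IPTABLES is `m`. Since the entry also has `select NF_DUP_IPV6 if IP6_NF_IPTABLES`, that cap is what keeps a built-in TEE from referencing a modular symbol. A comment above the line, e.g. `# TEE must not be built-in when IP6_NF_IPTABLES=m`, would make the intent explicit and keep the line from being removed as redundant later.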