Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 26420d9c authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree:

1) Missing module autoloadfor icmp and icmpv6 x_tables matches,
   from Florian Westphal.

2) Possible non-linear access to TCP header from tproxy, from
   Mate Eckl.

3) Do not allow rbtree to be used for single elements, this patch
   moves all set backend into one single module since such thing
   can only happen if hashtable module is explicitly blacklisted,
   which should not ever be done.

4) Reject error and standard targets from nft_compat for sanity
   reasons, they are never used from there.

5) Don't crash on double hashsize module parameter, from Andrey
   Ryabinin.

6) Drop dst on skb before placing it in the fragmentation
   reassembly queue, from Florian Westphal.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 6508b678 84379c9a

include/net/netfilter/nf_tables_core.h

+6 −0
Original line number Diff line number Diff line
@@ -65,4 +65,10 @@ extern const struct nft_expr_ops nft_payload_fast_ops; 
extern struct static_key_false nft_counters_enabled;

extern struct static_key_false nft_trace_enabled;



extern struct nft_set_type nft_set_rhash_type;

extern struct nft_set_type nft_set_hash_type;

extern struct nft_set_type nft_set_hash_fast_type;

extern struct nft_set_type nft_set_rbtree_type;

extern struct nft_set_type nft_set_bitmap_type;



#endif /* _NET_NF_TABLES_CORE_H */

include/net/netfilter/nf_tproxy.h

+2 −2
Original line number Diff line number Diff line
@@ -64,7 +64,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb, 
 * belonging to established connections going through that one.

 */

struct sock *

nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,

nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,

		      const u8 protocol,

		      const __be32 saddr, const __be32 daddr,

		      const __be16 sport, const __be16 dport,
@@ -103,7 +103,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff, 
			    struct sock *sk);



struct sock *

nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, void *hp,

nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,

		      const u8 protocol,

		      const struct in6_addr *saddr, const struct in6_addr *daddr,

		      const __be16 sport, const __be16 dport,

net/ipv4/netfilter/ip_tables.c

+1 −0
Original line number Diff line number Diff line
@@ -1898,6 +1898,7 @@ static struct xt_match ipt_builtin_mt[] __read_mostly = { 
		.checkentry = icmp_checkentry,

		.proto      = IPPROTO_ICMP,

		.family     = NFPROTO_IPV4,

		.me	    = THIS_MODULE,

	},

};

net/ipv4/netfilter/nf_tproxy_ipv4.c

+12 −6
Original line number Diff line number Diff line
@@ -37,7 +37,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb, 
		 * to a listener socket if there's one */

		struct sock *sk2;



		sk2 = nf_tproxy_get_sock_v4(net, skb, hp, iph->protocol,

		sk2 = nf_tproxy_get_sock_v4(net, skb, iph->protocol,

					    iph->saddr, laddr ? laddr : iph->daddr,

					    hp->source, lport ? lport : hp->dest,

					    skb->dev, NF_TPROXY_LOOKUP_LISTENER);
@@ -71,7 +71,7 @@ __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr) 
EXPORT_SYMBOL_GPL(nf_tproxy_laddr4);



struct sock *

nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp,

nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,

		      const u8 protocol,

		      const __be32 saddr, const __be32 daddr,

		      const __be16 sport, const __be16 dport,
@@ -79,16 +79,21 @@ nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp, 
		      const enum nf_tproxy_lookup_t lookup_type)

{

	struct sock *sk;

	struct tcphdr *tcph;



	switch (protocol) {

	case IPPROTO_TCP:

	case IPPROTO_TCP: {

		struct tcphdr _hdr, *hp;



		hp = skb_header_pointer(skb, ip_hdrlen(skb),

					sizeof(struct tcphdr), &_hdr);

		if (hp == NULL)

			return NULL;



		switch (lookup_type) {

		case NF_TPROXY_LOOKUP_LISTENER:

			tcph = hp;

			sk = inet_lookup_listener(net, &tcp_hashinfo, skb,

						    ip_hdrlen(skb) +

						      __tcp_hdrlen(tcph),

						      __tcp_hdrlen(hp),

						    saddr, sport,

						    daddr, dport,

						    in->ifindex, 0);
@@ -110,6 +115,7 @@ nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, void *hp, 
			BUG();

		}

		break;

		}

	case IPPROTO_UDP:

		sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,

				     in->ifindex);

net/ipv6/netfilter/ip6_tables.c

+1 −0
Original line number Diff line number Diff line
@@ -1909,6 +1909,7 @@ static struct xt_match ip6t_builtin_mt[] __read_mostly = { 
		.checkentry = icmp6_checkentry,

		.proto      = IPPROTO_ICMPV6,

		.family     = NFPROTO_IPV6,

		.me	    = THIS_MODULE,

	},

};