
Commit fc14963f authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix incorrect timestamp in nfnetlink_queue introduced when addressing
   y2038 safe timestamp, from Florian Westphal.

2) Get rid of leftover conntrack definition from the previous merge
   window, oneliner from Florian.

3) Make nf_queue handler pernet to resolve race on dereferencing the
   hook state structure with netns removal, from Eric Biederman.

4) Ensure clean exit on unregistered helper ports, from Taehee Yoo.

5) Restore FLOWI_FLAG_KNOWN_NH in nf_dup_ipv6. This got lost while
   generalizing xt_TEE to add packet duplication support in nf_tables,
   from Paolo Abeni.

6) Insufficient netlink NFTA_SET_TABLE attribute check in
   nf_tables_getset(), from Phil Turnbull.

7) Reject helper registration on duplicated ports via modparams.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 31843af4 893e093c
+2 −2
@@ -28,8 +28,8 @@ struct nf_queue_handler {
						struct nf_hook_ops *ops);
};

void nf_register_queue_handler(const struct nf_queue_handler *qh);
void nf_unregister_queue_handler(void);
void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh);
void nf_unregister_queue_handler(struct net *net);
void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);

void nf_queue_entry_get_refs(struct nf_queue_entry *entry);
+2 −0
@@ -5,11 +5,13 @@

struct proc_dir_entry;
struct nf_logger;
struct nf_queue_handler;

struct netns_nf {
#if defined CONFIG_PROC_FS
	struct proc_dir_entry *proc_netfilter;
#endif
	const struct nf_queue_handler __rcu *queue_handler;
	const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO];
#ifdef CONFIG_SYSCTL
	struct ctl_table_header *nf_log_dir_header;
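Review bot: The new `queue_handler` member of struct netns_nf carries no comment, although its `__rcu` annotation and the pernet register/unregister prototypes changed in the same commit imply a specific access discipline for the field. A field comment such as `/* nf_queue handler registered for this netns, NULL if none; RCU-protected */` would document that where readers of the struct look first. Whether NULL is the "no handler" state is inferred from the pointer type, not visible in this hunk.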
+1 −0
@@ -33,6 +33,7 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb,
	fl6.daddr = *gw;
	fl6.flowlabel = (__force __be32)(((iph->flow_lbl[0] & 0xF) << 16) |
			(iph->flow_lbl[1] << 8) | iph->flow_lbl[2]);
	fl6.flowi6_flags = FLOWI_FLAG_KNOWN_NH;
	dst = ip6_route_output(net, NULL, &fl6);
	if (dst->error) {
		dst_release(dst);
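Review bot: The restored `fl6.flowi6_flags = FLOWI_FLAG_KNOWN_NH;` has no comment saying why it is required, and the merge description says the flag was already lost once during the xt_TEE generalisation, so a future refactor may drop it again. A one-line why-comment would protect it, e.g. `/* daddr is the gateway itself (set above), so the next hop is already known */`; the reading of the flag is inferred from its name and from `fl6.daddr = *gw;` three lines earlier. nf_dup_ipv6_route() starts and ends outside the hunk, so whether fl6 is zeroed before these assignments is not visible here.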
+1 −0
@@ -632,6 +632,7 @@ static int __init nf_conntrack_ftp_init(void)
			if (ret) {
				pr_err("failed to register helper for pf: %d port: %d\n",
				       ftp[i][j].tuple.src.l3num, ports[i]);
				ports_c = i;
				nf_conntrack_ftp_fini();
				return ret;
			}
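Review bot: Setting `ports_c = i;` before calling nf_conntrack_ftp_fini() can still leave one helper registered: the `ftp[i][j]` indexing shows several helpers per port index, and if they are registered in j order and the second one fails, the first for the same i has already been registered, yet a fini() that only walks indexes below ports_c (its body is outside the hunk) will never unregister it. Unregistering the partial row first closes that gap, e.g. `while (--j >= 0)` / `nf_conntrack_helper_unregister(&ftp[i][j]);` placed immediately before `ports_c = i;`. The enclosing nf_conntrack_ftp_init() and both of its loops start and end outside the hunk, so the loop bounds are inferred rather than seen.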
+4 −5
@@ -361,9 +361,10 @@ EXPORT_SYMBOL_GPL(nf_ct_helper_log);

int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
{
	int ret = 0;
	struct nf_conntrack_helper *cur;
	struct nf_conntrack_tuple_mask mask = { .src.u.all = htons(0xFFFF) };
	unsigned int h = helper_hash(&me->tuple);
	struct nf_conntrack_helper *cur;
	int ret = 0;

	BUG_ON(me->expect_policy == NULL);
	BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
@@ -371,9 +372,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)

	mutex_lock(&nf_ct_helper_mutex);
	hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
		if (strncmp(cur->name, me->name, NF_CT_HELPER_NAME_LEN) == 0 &&
		    cur->tuple.src.l3num == me->tuple.src.l3num &&
		    cur->tuple.dst.protonum == me->tuple.dst.protonum) {
		if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, &mask)) {
			ret = -EEXIST;
			goto out;
		}
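Review bot: The replacement check `nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, &mask)` drops the name comparison the removed strncmp() carried, so two helpers with different names but the same l3num, protonum and source port now fail with -EEXIST, and the mask built in the first hunk (`.src.u.all = htons(0xFFFF)`) keeps only the source port, so any source address in the tuple is ignored. That matches fix 7 in the description, but nothing in the code says so; a comment above the loop such as `/* Reject a second helper on the same l3num/protonum/source port regardless of its name (duplicate modparam ports). */` would keep the next reader from re-adding the name check. If any in-tree helper registers with a zero source port, every such helper sharing l3num/protonum would compare equal under this mask — worth confirming. nf_conntrack_helper_register() continues past the second hunk, including the `out:` label the new `goto out;` targets.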