Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1d605701 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter fixes for your net tree, they are:

1) Fix a leak in IPVS, the sysctl table is not released accordingly when
   destroying a netns, patch from Tommi Rantala.

2) Fix a build error when TPROXY and socket are built-in but IPv6 defrag is
   compiled as module, from Florian Westphal.

3) Fix TCP tracket wrt. RFC5961 challenge ACK when in LAST_ACK state, patch
   from Jesper Dangaard Brouer.

4) Fix a bogus WARN_ON() in nf_tables when deleting a set element that stores
   a map, from Mirek Kratochvil.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 7e140696 960bd2c2

include/uapi/linux/netfilter/nf_conntrack_tcp.h

+3 −0
Original line number Diff line number Diff line
@@ -42,6 +42,9 @@ enum tcp_conntrack { 
/* The field td_maxack has been set */

#define IP_CT_TCP_FLAG_MAXACK_SET		0x20



/* Marks possibility for expected RFC5961 challenge ACK */

#define IP_CT_EXP_CHALLENGE_ACK 		0x40



struct nf_ct_tcp_flags {

	__u8 flags;

	__u8 mask;

net/netfilter/Kconfig

+2 −0
Original line number Diff line number Diff line
@@ -863,6 +863,7 @@ config NETFILTER_XT_TARGET_TPROXY 
	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	depends on (IPV6 || IPV6=n)

	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)

	depends on IP_NF_MANGLE

	select NF_DEFRAG_IPV4

	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
@@ -1356,6 +1357,7 @@ config NETFILTER_XT_MATCH_SOCKET 
	depends on NETFILTER_ADVANCED

	depends on !NF_CONNTRACK || NF_CONNTRACK

	depends on (IPV6 || IPV6=n)

	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)

	select NF_DEFRAG_IPV4

	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES

	help

net/netfilter/ipvs/ip_vs_ctl.c

+3 −0
Original line number Diff line number Diff line
@@ -3823,6 +3823,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net) 
	cancel_work_sync(&ipvs->defense_work.work);

	unregister_net_sysctl_table(ipvs->sysctl_hdr);

	ip_vs_stop_estimator(net, &ipvs->tot_stats);



	if (!net_eq(net, &init_net))

		kfree(ipvs->sysctl_tbl);

}



#else

net/netfilter/nf_conntrack_proto_tcp.c

+32 −3
Original line number Diff line number Diff line
@@ -202,7 +202,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { 
 *	sES -> sES	:-)

 *	sFW -> sCW	Normal close request answered by ACK.

 *	sCW -> sCW

 *	sLA -> sTW	Last ACK detected.

 *	sLA -> sTW	Last ACK detected (RFC5961 challenged)

 *	sTW -> sTW	Retransmitted last ACK. Remain in the same state.

 *	sCL -> sCL

 */
@@ -261,7 +261,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { 
 *	sES -> sES	:-)

 *	sFW -> sCW	Normal close request answered by ACK.

 *	sCW -> sCW

 *	sLA -> sTW	Last ACK detected.

 *	sLA -> sTW	Last ACK detected (RFC5961 challenged)

 *	sTW -> sTW	Retransmitted last ACK.

 *	sCL -> sCL

 */
@@ -906,6 +906,7 @@ static int tcp_packet(struct nf_conn *ct, 
					1 : ct->proto.tcp.last_win;

			ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =

				ct->proto.tcp.last_wscale;

			ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;

			ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =

				ct->proto.tcp.last_flags;

			memset(&ct->proto.tcp.seen[dir], 0,
@@ -923,7 +924,9 @@ static int tcp_packet(struct nf_conn *ct, 
		 * may be in sync but we are not. In that case, we annotate

		 * the TCP options and let the packet go through. If it is a

		 * valid SYN packet, the server will reply with a SYN/ACK, and

		 * then we'll get in sync. Otherwise, the server ignores it. */

		 * then we'll get in sync. Otherwise, the server potentially

		 * responds with a challenge ACK if implementing RFC5961.

		 */

		if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {

			struct ip_ct_tcp_state seen = {};
@@ -939,6 +942,13 @@ static int tcp_packet(struct nf_conn *ct, 
				ct->proto.tcp.last_flags |=

					IP_CT_TCP_FLAG_SACK_PERM;

			}

			/* Mark the potential for RFC5961 challenge ACK,

			 * this pose a special problem for LAST_ACK state

			 * as ACK is intrepretated as ACKing last FIN.

			 */

			if (old_state == TCP_CONNTRACK_LAST_ACK)

				ct->proto.tcp.last_flags |=

					IP_CT_EXP_CHALLENGE_ACK;

		}

		spin_unlock_bh(&ct->lock);

		if (LOG_INVALID(net, IPPROTO_TCP))
@@ -970,6 +980,25 @@ static int tcp_packet(struct nf_conn *ct, 
			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,

				  "nf_ct_tcp: invalid state ");

		return -NF_ACCEPT;

	case TCP_CONNTRACK_TIME_WAIT:

		/* RFC5961 compliance cause stack to send "challenge-ACK"

		 * e.g. in response to spurious SYNs.  Conntrack MUST

		 * not believe this ACK is acking last FIN.

		 */

		if (old_state == TCP_CONNTRACK_LAST_ACK &&

		    index == TCP_ACK_SET &&

		    ct->proto.tcp.last_dir != dir &&

		    ct->proto.tcp.last_index == TCP_SYN_SET &&

		    (ct->proto.tcp.last_flags & IP_CT_EXP_CHALLENGE_ACK)) {

			/* Detected RFC5961 challenge ACK */

			ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;

			spin_unlock_bh(&ct->lock);

			if (LOG_INVALID(net, IPPROTO_TCP))

				nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,

				      "nf_ct_tcp: challenge-ACK ignored ");

			return NF_ACCEPT; /* Don't change state */

		}

		break;

	case TCP_CONNTRACK_CLOSE:

		if (index == TCP_RST_SET

		    && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)

net/netfilter/nf_tables_api.c

+2 −2
Original line number Diff line number Diff line
@@ -4472,9 +4472,9 @@ EXPORT_SYMBOL_GPL(nft_data_init); 
 */

void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)

{

	switch (type) {

	case NFT_DATA_VALUE:

	if (type < NFT_DATA_VERDICT)

		return;

	switch (type) {

	case NFT_DATA_VERDICT:

		return nft_verdict_uninit(data);

	default: