Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2df5d103 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Allow nf_tables reject expression from input, forward and output hooks,
   since only there the routing information is available, otherwise we crash.

2) Fix unsafe list iteration when flushing timeout and accouting objects.

3) Fix refcount leak on timeout policy parsing failure.

4) Unlink timeout object for unconfirmed conntracks too

5) Missing validation of pkttype mangling from bridge family.

6) Fix refcount leak on ebtables on second lookup for the specific
   bridge match extension, this patch from Sabrina Dubroca.

7) Remove unnecessary ip_hdr() in nf_tables_netdev family.

Patches from 1-5 and 7 from Liping Zhang.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 15543692 c73c2484

include/net/netfilter/nft_meta.h

+4 −0
Original line number Diff line number Diff line
@@ -36,4 +36,8 @@ void nft_meta_set_eval(const struct nft_expr *expr, 
void nft_meta_set_destroy(const struct nft_ctx *ctx,

			  const struct nft_expr *expr);



int nft_meta_set_validate(const struct nft_ctx *ctx,

			  const struct nft_expr *expr,

			  const struct nft_data **data);



#endif

include/net/netfilter/nft_reject.h

+4 −0
Original line number Diff line number Diff line
@@ -8,6 +8,10 @@ struct nft_reject { 


extern const struct nla_policy nft_reject_policy[];



int nft_reject_validate(const struct nft_ctx *ctx,

			const struct nft_expr *expr,

			const struct nft_data **data);



int nft_reject_init(const struct nft_ctx *ctx,

		    const struct nft_expr *expr,

		    const struct nlattr * const tb[]);

net/bridge/netfilter/ebtables.c

+2 −0
Original line number Diff line number Diff line
@@ -368,6 +368,8 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par, 


	match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);

	if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) {

		if (!IS_ERR(match))

			module_put(match->me);

		request_module("ebt_%s", m->u.name);

		match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);

	}

net/bridge/netfilter/nft_meta_bridge.c

+1 −0
Original line number Diff line number Diff line
@@ -86,6 +86,7 @@ static const struct nft_expr_ops nft_meta_bridge_set_ops = { 
	.init		= nft_meta_set_init,

	.destroy	= nft_meta_set_destroy,

	.dump		= nft_meta_set_dump,

	.validate	= nft_meta_set_validate,

};



static const struct nft_expr_ops *

net/ipv4/netfilter/nft_reject_ipv4.c

+1 −0
Original line number Diff line number Diff line
@@ -46,6 +46,7 @@ static const struct nft_expr_ops nft_reject_ipv4_ops = { 
	.eval		= nft_reject_ipv4_eval,

	.init		= nft_reject_init,

	.dump		= nft_reject_dump,

	.validate	= nft_reject_validate,

};



static struct nft_expr_type nft_reject_ipv4_type __read_mostly = {