Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 61c5923a authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter fixes for you net tree,
mostly targeted to ipset, they are:

* Fix ICMPv6 NAT due to wrong comparison, code instead of type, from
  Phil Oester.

* Fix RCU race in conntrack extensions release path, from Michal Kubecek.

* Fix missing inversion in the userspace ipset test command match if
  the nomatch option is specified, from Jozsef Kadlecsik.

* Skip layer 4 protocol matching in ipset in case of IPv6 fragments,
  also from Jozsef Kadlecsik.

* Fix sequence adjustment in nfnetlink_queue due to using the netlink
  skb instead of the network skb, from Gao feng.

* Make sure we cannot swap of sets with different layer 3 family in
  ipset, from Jozsef Kadlecsik.

* Fix possible bogus matching in ipset if hash sets with net elements
  are used, from Oliver Smith.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 2936b6ab 0a0d80eb

include/linux/netfilter/ipset/ip_set.h

+4 −2
Original line number Diff line number Diff line
@@ -296,10 +296,12 @@ ip_set_eexist(int ret, u32 flags) 


/* Match elements marked with nomatch */

static inline bool

ip_set_enomatch(int ret, u32 flags, enum ipset_adt adt)

ip_set_enomatch(int ret, u32 flags, enum ipset_adt adt, struct ip_set *set)

{

	return adt == IPSET_TEST &&

	       ret == -ENOTEMPTY && ((flags >> 16) & IPSET_FLAG_NOMATCH);

	       (set->type->features & IPSET_TYPE_NOMATCH) &&

	       ((flags >> 16) & IPSET_FLAG_NOMATCH) &&

	       (ret > 0 || ret == -ENOTEMPTY);

}



/* Check the NLA_F_NET_BYTEORDER flag */

include/net/netfilter/nf_conntrack_extend.h

+1 −1
Original line number Diff line number Diff line
@@ -86,7 +86,7 @@ static inline void nf_ct_ext_destroy(struct nf_conn *ct) 
static inline void nf_ct_ext_free(struct nf_conn *ct)

{

	if (ct->ext)

		kfree(ct->ext);

		kfree_rcu(ct->ext, rcu);

}



/* Add this type, returns pointer to data or NULL. */

net/ipv6/netfilter/nf_nat_proto_icmpv6.c

+2 −2
Original line number Diff line number Diff line
@@ -69,8 +69,8 @@ icmpv6_manip_pkt(struct sk_buff *skb, 
	hdr = (struct icmp6hdr *)(skb->data + hdroff);

	l3proto->csum_update(skb, iphdroff, &hdr->icmp6_cksum,

			     tuple, maniptype);

	if (hdr->icmp6_code == ICMPV6_ECHO_REQUEST ||

	    hdr->icmp6_code == ICMPV6_ECHO_REPLY) {

	if (hdr->icmp6_type == ICMPV6_ECHO_REQUEST ||

	    hdr->icmp6_type == ICMPV6_ECHO_REPLY) {

		inet_proto_csum_replace2(&hdr->icmp6_cksum, skb,

					 hdr->icmp6_identifier,

					 tuple->src.u.icmp.id, 0);

net/netfilter/ipset/ip_set_core.c

+2 −3
Original line number Diff line number Diff line
@@ -1052,7 +1052,7 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb, 
	 * Not an artificial restriction anymore, as we must prevent

	 * possible loops created by swapping in setlist type of sets. */

	if (!(from->type->features == to->type->features &&

	      from->type->family == to->type->family))

	      from->family == to->family))

		return -IPSET_ERR_TYPE_MISMATCH;



	strncpy(from_name, from->name, IPSET_MAXNAMELEN);
@@ -1489,8 +1489,7 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb, 
	if (ret == -EAGAIN)

		ret = 1;



	return (ret < 0 && ret != -ENOTEMPTY) ? ret :

		ret > 0 ? 0 : -IPSET_ERR_EXIST;

	return ret > 0 ? 0 : -IPSET_ERR_EXIST;

}



/* Get headed data of a set */

net/netfilter/ipset/ip_set_getport.c

+2 −2
Original line number Diff line number Diff line
@@ -116,12 +116,12 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src, 
{

	int protoff;

	u8 nexthdr;

	__be16 frag_off;

	__be16 frag_off = 0;



	nexthdr = ipv6_hdr(skb)->nexthdr;

	protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,

				   &frag_off);

	if (protoff < 0)

	if (protoff < 0 || (frag_off & htons(~0x7)) != 0)

		return false;



	return get_port(skb, nexthdr, protoff, src, port, proto);