Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ce8ec489 authored Oct 20, 2014 by David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf



Pablo Neira Ayuso says:

====================
netfilter fixes for net

The following patchset contains netfilter fixes for your net tree,
they are:

1) Fix missing MODULE_LICENSE() in the new nf_reject_ipv{4,6} modules.

2) Restrict nat and masq expressions to the nat chain type. Otherwise,
   users may crash their kernel if they attach a nat/masq rule to a non
   nat chain.

3) Fix hook validation in nft_compat when non-base chains are used.
   Basically, initialize hook_mask to zero.

4) Make sure you use match/targets in nft_compat from the right chain
   type. The existing validation relies on the table name which can be
   avoided by

5) Better netlink attribute validation in nft_nat. This expression has
   to reject the configuration when no address and proto configurations
   are specified.

6) Interpret NFTA_NAT_REG_*_MAX if only if NFTA_NAT_REG_*_MIN is set.
   Yet another sanity check to reject incorrect configurations from
   userspace.

7) Conditional NAT attribute dumping depending on the existing
   configuration.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

parents 95ff8868 1e2d56a5

include/net/netfilter/nf_tables.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -530,6 +530,9 @@ enum nft_chain_type {
		NFT_CHAIN_T_MAX
		};

		int nft_chain_validate_dependency(const struct nft_chain *chain,
		enum nft_chain_type type);

		struct nft_stats {
		u64 bytes;
		u64 pkts;

include/net/netfilter/nft_masq.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -13,4 +13,7 @@ int nft_masq_init(const struct nft_ctx *ctx,

		int nft_masq_dump(struct sk_buff skb, const struct nft_expr expr);

		int nft_masq_validate(const struct nft_ctx ctx, const struct nft_expr expr,
		const struct nft_data **data);

		#endif /* _NFT_MASQ_H_ */

net/ipv4/netfilter/nf_reject_ipv4.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -6,6 +6,7 @@
		* published by the Free Software Foundation.
		*/

		#include <linux/module.h>
		#include <net/ip.h>
		#include <net/tcp.h>
		#include <net/route.h>
		@@ -125,3 +126,5 @@ void nf_send_reset(struct sk_buff *oldskb, int hook)
		kfree_skb(nskb);
		}
		EXPORT_SYMBOL_GPL(nf_send_reset);

		MODULE_LICENSE("GPL");

net/ipv4/netfilter/nft_masq_ipv4.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -39,6 +39,7 @@ static const struct nft_expr_ops nft_masq_ipv4_ops = {
		.eval = nft_masq_ipv4_eval,
		.init = nft_masq_init,
		.dump = nft_masq_dump,
		.validate = nft_masq_validate,
		};

		static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {

net/ipv6/netfilter/nf_reject_ipv6.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -5,6 +5,8 @@
		* it under the terms of the GNU General Public License version 2 as
		* published by the Free Software Foundation.
		*/

		#include <linux/module.h>
		#include <net/ipv6.h>
		#include <net/ip6_route.h>
		#include <net/ip6_fib.h>
		@@ -161,3 +163,5 @@ void nf_send_reset6(struct net net, struct sk_buff oldskb, int hook)
		ip6_local_out(nskb);
		}
		EXPORT_SYMBOL_GPL(nf_send_reset6);

		MODULE_LICENSE("GPL");