Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3d2dd617 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

This is a large batch of Netfilter fixes for net, they are:

1) Three patches to fix NAT conversion to rhashtable: Switch to rhlist
   structure that allows to have several objects with the same key.
   Moreover, fix wrong comparison logic in nf_nat_bysource_cmp() as this is
   expecting a return value similar to memcmp(). Change location of
   the nat_bysource field in the nf_conn structure to avoid zeroing
   this as it breaks interaction with SLAB_DESTROY_BY_RCU and lead us
   to crashes. From Florian Westphal.

2) Don't allow malformed fragments go through in IPv6, drop them,
   otherwise we hit GPF, patch from Florian Westphal.

3) Fix crash if attributes are missing in nft_range, from Liping Zhang.

4) Fix arptables 32-bits userspace 64-bits kernel compat, from Hongxu Jia.

5) Two patches from David Ahern to fix netfilter interaction with vrf.
   From David Ahern.

6) Fix element timeout calculation in nf_tables, we take milliseconds
   from userspace, but we use jiffies from kernelspace. Patch from
   Anders K.  Pedersen.

7) Missing validation length netlink attribute for nft_hash, from
   Laura Garcia.

8) Fix nf_conntrack_helper documentation, we don't default to off
   anymore for a bit of time so let's get this in sync with the code.

I know is late but I think these are important, specifically the NAT
bits, as they are mostly addressing fallout from recent changes. I also
read there are chances to have -rc8, if that is the case, that would
also give us a bit more time to test this.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents aa196eed 17a49cd5

Documentation/networking/nf_conntrack-sysctl.txt

+5 −2
Original line number Diff line number Diff line
@@ -62,10 +62,13 @@ nf_conntrack_generic_timeout - INTEGER (seconds) 
	protocols.



nf_conntrack_helper - BOOLEAN

	0 - disabled

	not 0 - enabled (default)

	0 - disabled (default)

	not 0 - enabled



	Enable automatic conntrack helper assignment.

	If disabled it is required to set up iptables rules to assign

	helpers to connections.  See the CT target description in the

	iptables-extensions(8) man page for further information.



nf_conntrack_icmp_timeout - INTEGER (seconds)

	default 30

include/net/netfilter/nf_conntrack.h

+3 −3
Original line number Diff line number Diff line
@@ -100,6 +100,9 @@ struct nf_conn { 


	possible_net_t ct_net;



#if IS_ENABLED(CONFIG_NF_NAT)

	struct rhlist_head nat_bysource;

#endif

	/* all members below initialized via memset */

	u8 __nfct_init_offset[0];
@@ -117,9 +120,6 @@ struct nf_conn { 
	/* Extensions */

	struct nf_ct_ext *ext;



#if IS_ENABLED(CONFIG_NF_NAT)

	struct rhash_head	nat_bysource;

#endif

	/* Storage reserved for other modules, must be the last member */

	union nf_conntrack_proto proto;

};

include/net/netfilter/nf_tables.h

+1 −1
Original line number Diff line number Diff line
@@ -313,7 +313,7 @@ void nft_unregister_set(struct nft_set_ops *ops); 
 * 	@size: maximum set size

 * 	@nelems: number of elements

 * 	@ndeact: number of deactivated elements queued for removal

 * 	@timeout: default timeout value in msecs

 *	@timeout: default timeout value in jiffies

 * 	@gc_int: garbage collection interval in msecs

 *	@policy: set parameterization (see enum nft_set_policies)

 *	@udlen: user data length

net/ipv4/netfilter.c

+4 −1
Original line number Diff line number Diff line
@@ -24,10 +24,11 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t 
	struct flowi4 fl4 = {};

	__be32 saddr = iph->saddr;

	__u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;

	struct net_device *dev = skb_dst(skb)->dev;

	unsigned int hh_len;



	if (addr_type == RTN_UNSPEC)

		addr_type = inet_addr_type(net, saddr);

		addr_type = inet_addr_type_dev_table(net, dev, saddr);

	if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)

		flags |= FLOWI_FLAG_ANYSRC;

	else
@@ -40,6 +41,8 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t 
	fl4.saddr = saddr;

	fl4.flowi4_tos = RT_TOS(iph->tos);

	fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;

	if (!fl4.flowi4_oif)

		fl4.flowi4_oif = l3mdev_master_ifindex(dev);

	fl4.flowi4_mark = skb->mark;

	fl4.flowi4_flags = flags;

	rt = ip_route_output_key(net, &fl4);

net/ipv4/netfilter/arp_tables.c

+2 −2
Original line number Diff line number Diff line
@@ -1201,8 +1201,8 @@ static int translate_compat_table(struct xt_table_info **pinfo, 


	newinfo->number = compatr->num_entries;

	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {

		newinfo->hook_entry[i] = info->hook_entry[i];

		newinfo->underflow[i] = info->underflow[i];

		newinfo->hook_entry[i] = compatr->hook_entry[i];

		newinfo->underflow[i] = compatr->underflow[i];

	}

	entry1 = newinfo->entries;

	pos = entry1;