Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ac196f8c authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'master' of git://1984.lsi.us.es/nf 



Pablo Neira Ayuso says:

====================
The following batch contains Netfilter fixes for 3.8-rc1. They are
a mixture of old bugs that have passed unnoticed (I'll pass these to
stable) and more fresh ones from the previous merge window, they are:

* Fix for MAC address in 6in4 tunnels via NFLOG that results in ulogd
  showing up wrong address, from Bob Hockney.

* Fix a comment in nf_conntrack_ipv6, from Florent Fourcot.

* Fix a leak an error path in ctnetlink while creating an expectation,
  from Jesper Juhl.

* Fix missing ICMP time exceeded in the IPv6 defragmentation code, from
  Haibo Xi.

* Fix inconsistent handling of routing changes in MASQUERADE for the
  new connections case, from Andrew Collins.

* Fix a missing skb_reset_transport in ip[6]t_REJECT that leads to
  crashes in the ixgbe driver (since it seems to access the transport
  header with TSO enabled), from Mukund Jampala.

* Recover obsoleted NOTRACK target by including it into the CT and spot
  a warning via printk about being obsoleted. Many people don't check the
  scheduled to be removal file under Documentation, so we follow some
  less agressive approach to kill this in a year or so. Spotted by Florian
  Westphal, patch from myself.

* Fix race condition in xt_hashlimit that allows to create two or more
  entries, from myself.

* Fix crash if the CT is used due to the recently added facilities to
  consult the dying and unconfirmed conntrack lists, from myself.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 101e5c74 1310b955

include/net/netns/conntrack.h

+1 −0
Original line number Diff line number Diff line
@@ -71,6 +71,7 @@ struct netns_ct { 
	struct hlist_head	*expect_hash;

	struct hlist_nulls_head	unconfirmed;

	struct hlist_nulls_head	dying;

	struct hlist_nulls_head tmpl;

	struct ip_conntrack_stat __percpu *stat;

	struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;

	struct nf_exp_event_notifier __rcu *nf_expect_event_cb;

include/net/netns/x_tables.h

+1 −0
Original line number Diff line number Diff line
@@ -8,6 +8,7 @@ struct ebt_table; 


struct netns_xt {

	struct list_head tables[NFPROTO_NUMPROTO];

	bool notrack_deprecated_warning;

#if defined(CONFIG_BRIDGE_NF_EBTABLES) || \

    defined(CONFIG_BRIDGE_NF_EBTABLES_MODULE)

	struct ebt_table *broute_table;

net/ipv4/netfilter/ipt_REJECT.c

+1 −0
Original line number Diff line number Diff line
@@ -81,6 +81,7 @@ static void send_reset(struct sk_buff *oldskb, int hook) 
	niph->saddr	= oiph->daddr;

	niph->daddr	= oiph->saddr;



	skb_reset_transport_header(nskb);

	tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));

	memset(tcph, 0, sizeof(*tcph));

	tcph->source	= oth->dest;

net/ipv4/netfilter/iptable_nat.c

+10 −5
Original line number Diff line number Diff line
@@ -124,23 +124,28 @@ nf_nat_ipv4_fn(unsigned int hooknum, 
			ret = nf_nat_rule_find(skb, hooknum, in, out, ct);

			if (ret != NF_ACCEPT)

				return ret;

		} else

		} else {

			pr_debug("Already setup manip %s for ct %p\n",

				 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",

				 ct);

			if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))

				goto oif_changed;

		}

		break;



	default:

		/* ESTABLISHED */

		NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||

			     ctinfo == IP_CT_ESTABLISHED_REPLY);

		if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) {

			nf_ct_kill_acct(ct, ctinfo, skb);

			return NF_DROP;

		}

		if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))

			goto oif_changed;

	}



	return nf_nat_packet(ct, ctinfo, hooknum, skb);



oif_changed:

	nf_ct_kill_acct(ct, ctinfo, skb);

	return NF_DROP;

}



static unsigned int

net/ipv6/netfilter/ip6t_REJECT.c

+1 −0
Original line number Diff line number Diff line
@@ -132,6 +132,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb) 
	ip6h->saddr = oip6h->daddr;

	ip6h->daddr = oip6h->saddr;



	skb_reset_transport_header(nskb);

	tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));

	/* Truncate to length (no data) */

	tcph->doff = sizeof(struct tcphdr)/4;