Commit 2e99c07f authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

* Fix nf_trace in nftables if XT_TRACE=n, from Florian Westphal.

* Don't use the fast payload operation in nf_tables if the length is
  not power of 2 or it is not aligned, from Nikolay Aleksandrov.

* Fix missing break statement the inet flavour of nft_reject, which
  results in evaluating IPv4 packets with the IPv6 evaluation routine,
  from Patrick McHardy.

* Fix wrong kconfig symbol in nft_meta to match the routing realm,
  from Paul Bolle.

* Allocate the NAT null binding when creating new conntracks via
  ctnetlink to avoid that several packets race at initializing the
  the conntrack NAT extension, original patch from Florian Westphal,
  revisited version from me.

* Fix DNAT handling in the snmp NAT helper, the same handling was being
  done for SNAT and DNAT and 2.4 already contains that fix, from
  Francois-Xavier Le Bail.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 960dfc4e 0eba801b

include/linux/skbuff.h

+4 −1
Original line number Diff line number Diff line
@@ -2725,7 +2725,7 @@ static inline void nf_reset(struct sk_buff *skb) 


static inline void nf_reset_trace(struct sk_buff *skb)

{

#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)

#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)

	skb->nf_trace = 0;

#endif

}
@@ -2742,6 +2742,9 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src) 
	dst->nf_bridge  = src->nf_bridge;

	nf_bridge_get(src->nf_bridge);

#endif

#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)

	dst->nf_trace = src->nf_trace;

#endif

}



static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src)

net/core/skbuff.c

+0 −3
Original line number Diff line number Diff line
@@ -707,9 +707,6 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old) 
	new->mark		= old->mark;

	new->skb_iif		= old->skb_iif;

	__nf_copy(new, old);

#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)

	new->nf_trace		= old->nf_trace;

#endif

#ifdef CONFIG_NET_SCHED

	new->tc_index		= old->tc_index;

#ifdef CONFIG_NET_CLS_ACT

net/ipv4/ip_output.c

+0 −3
Original line number Diff line number Diff line
@@ -422,9 +422,6 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from) 
	to->tc_index = from->tc_index;

#endif

	nf_copy(to, from);

#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)

	to->nf_trace = from->nf_trace;

#endif

#if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE)

	to->ipvs_property = from->ipvs_property;

#endif

net/ipv4/netfilter/nf_nat_snmp_basic.c

+2 −2
Original line number Diff line number Diff line
@@ -1198,8 +1198,8 @@ static int snmp_translate(struct nf_conn *ct, 
		map.to = NOCT1(&ct->tuplehash[!dir].tuple.dst.u3.ip);

	} else {

		/* DNAT replies */

		map.from = NOCT1(&ct->tuplehash[dir].tuple.src.u3.ip);

		map.to = NOCT1(&ct->tuplehash[!dir].tuple.dst.u3.ip);

		map.from = NOCT1(&ct->tuplehash[!dir].tuple.src.u3.ip);

		map.to = NOCT1(&ct->tuplehash[dir].tuple.dst.u3.ip);

	}



	if (map.from == map.to)

net/ipv6/ip6_output.c

+0 −3
Original line number Diff line number Diff line
@@ -530,9 +530,6 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from) 
	to->tc_index = from->tc_index;

#endif

	nf_copy(to, from);

#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)

	to->nf_trace = from->nf_trace;

#endif

	skb_copy_secmark(to, from);

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE