Commit 71e15f76 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter/IPVS fixes for your net tree:

1) Fix crash when dumping rules after conversion to RCU,
   from Florian Westphal.

2) Fix incorrect hook reinjection from nf_queue in case NF_REPEAT,
   from Jagdish Motwani.

3) Fix check for route existence in fib extension, from Phil Sutter.

4) Fix use after free in ip_vs_in() hook, from YueHaibing.

5) Check for veth existence from netfilter selftests,
   from Jeffrin Jose T.

6) Checksum corruption in UDP NAT helpers due to typo,
   from Florian Westphal.

7) Pass up packets to classic forwarding path regardless of
   IPv4 DF bit, patch for the flowtable infrastructure from Florian.

8) Set liberal TCP tracking for flows that are placed in the
   flowtable, in case they need to go back to classic forwarding path,
   also from Florian.

9) Don't add flow with sequence adjustment to flowtable, from Florian.

10) Skip IPv4 options from IPv6 datapath in flowtable, from Florian.

11) Add selftest for the flowtable infrastructure, from Florian.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents b5730061 2de03b45

include/net/netfilter/nft_fib.h

+1 −1
Original line number Diff line number Diff line
@@ -34,5 +34,5 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, 
		   const struct nft_pktinfo *pkt);



void nft_fib_store_result(void *reg, const struct nft_fib *priv,

			  const struct nft_pktinfo *pkt, int index);

			  const struct net_device *dev);

#endif

net/ipv4/netfilter/nft_fib_ipv4.c

+3 −20
Original line number Diff line number Diff line
@@ -58,11 +58,6 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs, 
}

EXPORT_SYMBOL_GPL(nft_fib4_eval_type);



static int get_ifindex(const struct net_device *dev)

{

	return dev ? dev->ifindex : 0;

}



void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,

		   const struct nft_pktinfo *pkt)

{
@@ -94,8 +89,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, 


	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&

	    nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {

		nft_fib_store_result(dest, priv, pkt,

				     nft_in(pkt)->ifindex);

		nft_fib_store_result(dest, priv, nft_in(pkt));

		return;

	}
@@ -108,8 +102,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, 
	if (ipv4_is_zeronet(iph->saddr)) {

		if (ipv4_is_lbcast(iph->daddr) ||

		    ipv4_is_local_multicast(iph->daddr)) {

			nft_fib_store_result(dest, priv, pkt,

					     get_ifindex(pkt->skb->dev));

			nft_fib_store_result(dest, priv, pkt->skb->dev);

			return;

		}

	}
@@ -150,17 +143,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, 
		found = oif;

	}



	switch (priv->result) {

	case NFT_FIB_RESULT_OIF:

		*dest = found->ifindex;

		break;

	case NFT_FIB_RESULT_OIFNAME:

		strncpy((char *)dest, found->name, IFNAMSIZ);

		break;

	default:

		WARN_ON_ONCE(1);

		break;

	}

	nft_fib_store_result(dest, priv, found);

}

EXPORT_SYMBOL_GPL(nft_fib4_eval);

net/ipv6/netfilter/nft_fib_ipv6.c

+2 −14
Original line number Diff line number Diff line
@@ -169,8 +169,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, 


	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&

	    nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {

		nft_fib_store_result(dest, priv, pkt,

				     nft_in(pkt)->ifindex);

		nft_fib_store_result(dest, priv, nft_in(pkt));

		return;

	}
@@ -187,18 +186,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, 
	if (oif && oif != rt->rt6i_idev->dev)

		goto put_rt_err;



	switch (priv->result) {

	case NFT_FIB_RESULT_OIF:

		*dest = rt->rt6i_idev->dev->ifindex;

		break;

	case NFT_FIB_RESULT_OIFNAME:

		strncpy((char *)dest, rt->rt6i_idev->dev->name, IFNAMSIZ);

		break;

	default:

		WARN_ON_ONCE(1);

		break;

	}



	nft_fib_store_result(dest, priv, rt->rt6i_idev->dev);

 put_rt_err:

	ip6_rt_put(rt);

}

net/netfilter/ipvs/ip_vs_core.c

+1 −1
Original line number Diff line number Diff line
@@ -2312,7 +2312,6 @@ static void __net_exit __ip_vs_cleanup(struct net *net) 
{

	struct netns_ipvs *ipvs = net_ipvs(net);



	nf_unregister_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));

	ip_vs_service_net_cleanup(ipvs);	/* ip_vs_flush() with locks */

	ip_vs_conn_net_cleanup(ipvs);

	ip_vs_app_net_cleanup(ipvs);
@@ -2327,6 +2326,7 @@ static void __net_exit __ip_vs_dev_cleanup(struct net *net) 
{

	struct netns_ipvs *ipvs = net_ipvs(net);

	EnterFunction(2);

	nf_unregister_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));

	ipvs->enable = 0;	/* Disable packet reception */

	smp_wmb();

	ip_vs_sync_net_cleanup(ipvs);

net/netfilter/nf_flow_table_ip.c

+1 −2
Original line number Diff line number Diff line
@@ -244,8 +244,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, 
	rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache;

	outdev = rt->dst.dev;



	if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) &&

	    (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0)

	if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))

		return NF_ACCEPT;



	if (skb_try_make_writable(skb, sizeof(*iph)))

CRA Git | Maintained and supported by SUSTech CRA and CCSE