Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf (a26aea20) · Commits · 戴 / test

include/linux/netfilter/nf_conntrack_sctp.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -9,6 +9,8 @@ struct ip_ct_sctp {
		enum sctp_conntrack state;

		__be32 vtag[IP_CT_DIR_MAX];
		u8 last_dir;
		u8 flags;
		};

		#endif /* _NF_CONNTRACK_SCTP_H */

include/net/netfilter/nf_tables.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -143,6 +143,8 @@ static inline u64 nft_reg_load64(const u32 *sreg)
		static inline void nft_data_copy(u32 dst, const struct nft_data src,
		unsigned int len)
		{
		if (len % NFT_REG32_SIZE)
		dst[len / NFT_REG32_SIZE] = 0;
		memcpy(dst, src, len);
		}

include/uapi/linux/netfilter/nf_tables.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -133,7 +133,7 @@ enum nf_tables_msg_types {
		* @NFTA_LIST_ELEM: list element (NLA_NESTED)
		*/
		enum nft_list_attributes {
		NFTA_LIST_UNPEC,
		NFTA_LIST_UNSPEC,
		NFTA_LIST_ELEM,
		__NFTA_LIST_MAX
		};

net/netfilter/nf_conntrack_proto_sctp.c

+35 −4

Original line number	Diff line number	Diff line
		@@ -62,6 +62,8 @@ static const unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] = {
		[SCTP_CONNTRACK_HEARTBEAT_ACKED] = 210 SECS,
		};

		#define SCTP_FLAG_HEARTBEAT_VTAG_FAILED 1

		#define sNO SCTP_CONNTRACK_NONE
		#define sCL SCTP_CONNTRACK_CLOSED
		#define sCW SCTP_CONNTRACK_COOKIE_WAIT
		@@ -369,6 +371,7 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
		u_int32_t offset, count;
		unsigned int *timeouts;
		unsigned long map[256 / sizeof(unsigned long)] = { 0 };
		bool ignore = false;

		if (sctp_error(skb, dataoff, state))
		return -NF_ACCEPT;
		@@ -427,15 +430,39 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
		/* Sec 8.5.1 (D) */
		if (sh->vtag != ct->proto.sctp.vtag[dir])
		goto out_unlock;
		} else if (sch->type == SCTP_CID_HEARTBEAT \|\|
		sch->type == SCTP_CID_HEARTBEAT_ACK) {
		} else if (sch->type == SCTP_CID_HEARTBEAT) {
		if (ct->proto.sctp.vtag[dir] == 0) {
		pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir);
		ct->proto.sctp.vtag[dir] = sh->vtag;
		} else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
		if (test_bit(SCTP_CID_DATA, map) \|\| ignore)
		goto out_unlock;

		ct->proto.sctp.flags \|= SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
		ct->proto.sctp.last_dir = dir;
		ignore = true;
		continue;
		} else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
		ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
		}
		} else if (sch->type == SCTP_CID_HEARTBEAT_ACK) {
		if (ct->proto.sctp.vtag[dir] == 0) {
		pr_debug("Setting vtag %x for dir %d\n",
		sh->vtag, dir);
		ct->proto.sctp.vtag[dir] = sh->vtag;
		} else if (sh->vtag != ct->proto.sctp.vtag[dir]) {
		pr_debug("Verification tag check failed\n");
		if (test_bit(SCTP_CID_DATA, map) \|\| ignore)
		goto out_unlock;

		if ((ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) == 0 \|\|
		ct->proto.sctp.last_dir == dir)
		goto out_unlock;

		ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
		ct->proto.sctp.vtag[dir] = sh->vtag;
		ct->proto.sctp.vtag[!dir] = 0;
		} else if (ct->proto.sctp.flags & SCTP_FLAG_HEARTBEAT_VTAG_FAILED) {
		ct->proto.sctp.flags &= ~SCTP_FLAG_HEARTBEAT_VTAG_FAILED;
		}
		}

		@@ -470,6 +497,10 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
		}
		spin_unlock_bh(&ct->lock);

		/* allow but do not refresh timeout */
		if (ignore)
		return NF_ACCEPT;

		timeouts = nf_ct_timeout_lookup(ct);
		if (!timeouts)
		timeouts = nf_sctp_pernet(nf_ct_net(ct))->timeouts;

net/netfilter/nf_tables_api.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -3770,7 +3770,8 @@ static int nf_tables_fill_set(struct sk_buff skb, const struct nft_ctx ctx,
		goto nla_put_failure;
		}

		if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
		if (set->udata &&
		nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
		goto nla_put_failure;

		nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);

Admin message