Commit c2c11289 authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net, they are:

1) Fix spurious overlap condition in the rbtree tree, from Stefano Brivio.

2) Fix possible uninitialized pointer dereference in nft_lookup.

3) IDLETIMER v1 target matches the Android layout, from
   Maciej Zenczykowski.

4) Dangling pointer in nf_tables_set_alloc_name, from Eric Dumazet.

5) Fix RCU warning splat in ipset find_set_type(), from Amol Grover.

6) Report EOPNOTSUPP on unsupported set flags and object types in sets.

7) Add NFT_SET_CONCAT flag to provide consistent error reporting
   when users defines set with ranges in concatenations in old kernels.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 63bef48f ef516e86

include/net/netfilter/nf_tables.h

+1 −1
Original line number Diff line number Diff line
@@ -901,7 +901,7 @@ static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext, 
{

	struct nft_expr *expr;



	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {

	if (__nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {

		expr = nft_set_ext_expr(ext);

		expr->ops->eval(expr, regs, pkt);

	}

include/uapi/linux/netfilter/nf_tables.h

+2 −0
Original line number Diff line number Diff line
@@ -276,6 +276,7 @@ enum nft_rule_compat_attributes { 
 * @NFT_SET_TIMEOUT: set uses timeouts

 * @NFT_SET_EVAL: set can be updated from the evaluation path

 * @NFT_SET_OBJECT: set contains stateful objects

 * @NFT_SET_CONCAT: set contains a concatenation

 */

enum nft_set_flags {

	NFT_SET_ANONYMOUS		= 0x1,
@@ -285,6 +286,7 @@ enum nft_set_flags { 
	NFT_SET_TIMEOUT			= 0x10,

	NFT_SET_EVAL			= 0x20,

	NFT_SET_OBJECT			= 0x40,

	NFT_SET_CONCAT			= 0x80,

};



/**

include/uapi/linux/netfilter/xt_IDLETIMER.h

+1 −0
Original line number Diff line number Diff line
@@ -48,6 +48,7 @@ struct idletimer_tg_info_v1 { 


	char label[MAX_IDLETIMER_LABEL_SIZE];



	__u8 send_nl_msg;   /* unused: for compatibility with Android */

	__u8 timer_type;



	/* for kernel module internal use only */

net/netfilter/ipset/ip_set_core.c

+2 −1
Original line number Diff line number Diff line
@@ -86,7 +86,8 @@ find_set_type(const char *name, u8 family, u8 revision) 
{

	struct ip_set_type *type;



	list_for_each_entry_rcu(type, &ip_set_type_list, list)

	list_for_each_entry_rcu(type, &ip_set_type_list, list,

				lockdep_is_held(&ip_set_type_mutex))

		if (STRNCMP(type->name, name) &&

		    (type->family == family ||

		     type->family == NFPROTO_UNSPEC) &&

net/netfilter/nf_tables_api.c

+4 −3
Original line number Diff line number Diff line
@@ -3542,6 +3542,7 @@ cont: 
			continue;

		if (!strcmp(set->name, i->name)) {

			kfree(set->name);

			set->name = NULL;

			return -ENFILE;

		}

	}
@@ -3961,8 +3962,8 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, 
		if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |

			      NFT_SET_INTERVAL | NFT_SET_TIMEOUT |

			      NFT_SET_MAP | NFT_SET_EVAL |

			      NFT_SET_OBJECT))

			return -EINVAL;

			      NFT_SET_OBJECT | NFT_SET_CONCAT))

			return -EOPNOTSUPP;

		/* Only one of these operations is supported */

		if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==

			     (NFT_SET_MAP | NFT_SET_OBJECT))
@@ -4000,7 +4001,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, 
		objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));

		if (objtype == NFT_OBJECT_UNSPEC ||

		    objtype > NFT_OBJECT_MAX)

			return -EINVAL;

			return -EOPNOTSUPP;

	} else if (flags & NFT_SET_OBJECT)

		return -EINVAL;

	else

CRA Git | Maintained and supported by SUSTech CRA and CCSE