* [NETFILTER 01/07]: nf_conntrack: Fix module refcount dropping too far
2006-04-21 1:06 [NETFILTER 00/07]: Netfilter fixes for 2.6.17 Patrick McHardy
@ 2006-04-21 1:06 ` Patrick McHardy
2006-04-21 1:06 ` [NETFILTER 02/07]: ULOG target is not obsolete Patrick McHardy
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Patrick McHardy @ 2006-04-21 1:06 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: nf_conntrack: Fix module refcount dropping too far
If nf_ct_l3proto_find_get() fails to get the refcount of
nf_ct_l3proto_generic, nf_ct_l3proto_put() will drop the refcount
too far.
This gets rid of '.me = THIS_MODULE' of nf_ct_l3proto_generic so that
nf_ct_l3proto_find_get() doesn't try to get refcount of it.
It's OK because its symbol is usable until nf_conntrack.ko is unloaded.
This also kills unnecessary NULL pointer check as well.
__nf_ct_proto_find() always returns non-NULL pointer.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit bc79a39fcc0cb09ed73ba0052cb87c2893f4f65f
tree a2702573ee2acdc6fb865921a94042ef8d14f0f5
parent 5a7b46b369419493bab4de67b1526e9f76b22a7f
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Fri, 21 Apr 2006 01:19:00 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 01:19:00 +0200
net/netfilter/nf_conntrack_core.c | 12 ++++--------
net/netfilter/nf_conntrack_l3proto_generic.c | 1 -
2 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index e581190..e302222 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -208,10 +208,8 @@ nf_ct_proto_find_get(u_int16_t l3proto,
preempt_disable();
p = __nf_ct_proto_find(l3proto, protocol);
- if (p) {
- if (!try_module_get(p->me))
- p = &nf_conntrack_generic_protocol;
- }
+ if (!try_module_get(p->me))
+ p = &nf_conntrack_generic_protocol;
preempt_enable();
return p;
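Review bot: the fallback at `p = &nf_conntrack_generic_protocol;` hands back a pointer for which no reference was taken, and this patch clears `.me` only for the l3proto generic in nf_conntrack_l3proto_generic.c. If nf_conntrack_generic_protocol still sets `.me`, the matching put will drop a count that was never taken, which is the same over-drop the changelog describes for the l3proto side. Please confirm its `.me` is unset, or clear it in this patch too.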
@@ -229,10 +227,8 @@ nf_ct_l3proto_find_get(u_int16_t l3proto
preempt_disable();
p = __nf_ct_l3proto_find(l3proto);
- if (p) {
- if (!try_module_get(p->me))
- p = &nf_conntrack_generic_l3proto;
- }
+ if (!try_module_get(p->me))
+ p = &nf_conntrack_generic_l3proto;
preempt_enable();
return p;
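Review bot: with the `if (p)` guard gone, `p->me` is dereferenced unconditionally, but the changelog only states that __nf_ct_proto_find() never returns NULL; this hunk depends on the same guarantee from __nf_ct_l3proto_find(). Say so in the changelog, or put a one-line comment above `try_module_get(p->me)` noting that the lookup never returns NULL.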
diff --git a/net/netfilter/nf_conntrack_l3proto_generic.c b/net/netfilter/nf_conntrack_l3proto_generic.c
index 7de4f06..3fc58e4 100644
--- a/net/netfilter/nf_conntrack_l3proto_generic.c
+++ b/net/netfilter/nf_conntrack_l3proto_generic.c
@@ -94,5 +94,4 @@ struct nf_conntrack_l3proto nf_conntrack
.print_conntrack = generic_print_conntrack,
.prepare = generic_prepare,
.get_features = generic_get_features,
- .me = THIS_MODULE,
};
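Review bot: missing documentation at the removed `.me = THIS_MODULE,` initializer. The struct now depends on `.me` being unset so that the find_get/put pair takes no reference on the generic l3proto, and nothing in the file says so. A short comment in the initializer, for example that the generic l3proto lives in nf_conntrack.ko and deliberately has no owner, would keep a later cleanup from re-adding the field and bringing the refcount underflow back.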
* [NETFILTER 02/07]: ULOG target is not obsolete
From: Patrick McHardy @ 2006-04-21 1:06 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: ULOG target is not obsolete
The backend part is obsoleted, but the target itself is still needed.
Signed-off-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 40c6dcb49ac3f091e30fa105c347cc25776e8b72
tree 2e826e3e3c47a7c5ba0fc5d070a05b090bc30a02
parent bc79a39fcc0cb09ed73ba0052cb87c2893f4f65f
author Thomas Voegtle <tv@lio96.de> Fri, 21 Apr 2006 01:19:15 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 01:19:15 +0200
net/ipv4/netfilter/Kconfig | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index c60fd5c..3d560de 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -345,7 +345,7 @@ config IP_NF_TARGET_LOG
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_ULOG
- tristate "ULOG target support (OBSOLETE)"
+ tristate "ULOG target support"
depends on IP_NF_IPTABLES
---help---
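Review bot: the prompt loses "(OBSOLETE)" here while the changelog says the backend part is still obsolete. The `---help---` text that follows is outside this hunk; it should state that distinction, so that someone reading the option knows the target is supported and which part is deprecated.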
* [NETFILTER 03/07]: Fix compat_xt_counters alignment for non-x86
From: Patrick McHardy @ 2006-04-21 1:06 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: Fix compat_xt_counters alignment for non-x86
Some (?) non-x86 architectures require 8byte alignment for u_int64_t
even when compiled for 32bit, using u_int32_t in compat_xt_counters
breaks on these architectures, use u_int64_t for everything but x86.
Reported by Andreas Schwab <schwab@suse.de>.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 030e806c1db0d3a278585b83475d1a6f9a874788
tree ef069a86e4ac0a1572ea51f7090b0e57df00052f
parent 40c6dcb49ac3f091e30fa105c347cc25776e8b72
author Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 01:19:29 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 01:19:29 +0200
include/linux/netfilter/x_tables.h | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index f6bdef8..3870145 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -361,7 +361,11 @@ struct compat_xt_entry_target
struct compat_xt_counters
{
+#if defined(CONFIG_X86_64) || defined(CONFIG_IA64)
u_int32_t cnt[4];
+#else
+ u_int64_t cnt[2];
+#endif
};
struct compat_xt_counters_info
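Review bot: the `#if defined(CONFIG_X86_64) || defined(CONFIG_IA64)` condition has no comment, and on its face it does not match the changelog wording "everything but x86", since it also names IA64. Add a comment above the `#if` stating that these are the architectures whose 32-bit compat ABI aligns u_int64_t to 4 bytes; the two variants have the same size and differ only in alignment. Given the "Some (?)" in the changelog, it would also help to list which architectures were actually checked.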
* [NETFILTER 04/07]: nf_conntrack: kill unused callback init_conntrack
From: Patrick McHardy @ 2006-04-21 1:06 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: nf_conntrack: kill unused callback init_conntrack
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 81d5f60a185910989bc5778e3ea7ee03bda7f36d
tree 03c41d336c6528c11e024a1e42e100281cc0bd3e
parent 030e806c1db0d3a278585b83475d1a6f9a874788
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Fri, 21 Apr 2006 01:21:30 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 01:21:30 +0200
net/netfilter/nf_conntrack_core.c | 3 ---
1 files changed, 0 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index e302222..f9b83f9 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -178,9 +178,6 @@ static struct {
/* allocated slab cache + modules which uses this slab cache */
int use;
- /* Initialization */
- int (*init_conntrack)(struct nf_conn *, u_int32_t);
-
} nf_ct_cache[NF_CT_F_NUM];
/* protect members of nf_ct_cache except of "use" */
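Review bot: the changelog has no body for the removal of `init_conntrack` from nf_ct_cache[]. One sentence stating that nothing assigns or calls the member would let a reader verify the removal without grepping the tree. Dropping the `/* Initialization */` comment together with the member is right.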
* [NETFILTER 05/07]: ip6_tables: remove broken comefrom debugging
From: Patrick McHardy @ 2006-04-21 1:06 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: ip6_tables: remove broken comefrom debugging
The introduction of x_tables broke comefrom debugging, remove it from
ip6_tables as well (ip_tables already got removed).
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 1d7a13058df694ded6411b12931f3dd42f8193a4
tree c1f64b340b6adc83cec030d6a5d365521cd14003
parent 81d5f60a185910989bc5778e3ea7ee03bda7f36d
author Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 01:25:26 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 01:25:26 +0200
net/ipv6/netfilter/ip6_tables.c | 13 -------------
1 files changed, 0 insertions(+), 13 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 642b4b1..0a67303 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -288,19 +288,6 @@ ip6t_do_table(struct sk_buff **pskb,
table_base = (void *)private->entries[smp_processor_id()];
e = get_entry(table_base, private->hook_entry[hook]);
-#ifdef CONFIG_NETFILTER_DEBUG
- /* Check noone else using our table */
- if (((struct ip6t_entry *)table_base)->comefrom != 0xdead57ac
- && ((struct ip6t_entry *)table_base)->comefrom != 0xeeeeeeec) {
- printk("ASSERT: CPU #%u, %s comefrom(%p) = %X\n",
- smp_processor_id(),
- table->name,
- &((struct ip6t_entry *)table_base)->comefrom,
- ((struct ip6t_entry *)table_base)->comefrom);
- }
- ((struct ip6t_entry *)table_base)->comefrom = 0x57acc001;
-#endif
-
/* For return from builtin chain */
back = get_entry(table_base, private->underflow[hook]);
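Review bot: the removed check compares `comefrom` against 0xdead57ac and 0xeeeeeeec, values that this block itself never stores, and the diffstat shows only these 13 deletions. If ip6t_do_table() or the table setup code still writes those markers under CONFIG_NETFILTER_DEBUG, those stores are now dead and should be removed in the same patch.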
* [NETFILTER 06/07]: x_tables: move table->lock initialization
From: Patrick McHardy @ 2006-04-21 1:06 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: x_tables: move table->lock initialization
xt_table->lock should be initialized before xt_replace_table() call, which
uses it. This patch removes strict requirement that table should define
lock before registering.
Signed-off-by: Dmitry Mishin <dim@openvz.org>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 81b536eef7989c16a2d59ced319aafaaf9e3ed03
tree f412294f1c7862db8e0b7d457fdfe85036c32c94
parent 1d7a13058df694ded6411b12931f3dd42f8193a4
author Dmitry Mishin <dim@openvz.org> Fri, 21 Apr 2006 01:29:07 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 01:29:07 +0200
net/netfilter/x_tables.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 00cf0a4..17abf60 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -529,6 +529,7 @@ int xt_register_table(struct xt_table *t
/* Simplifies replace_table code. */
table->private = bootstrap;
+ rwlock_init(&table->lock);
if (!xt_replace_table(table, 0, newinfo, &ret))
goto unlock;
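Review bot: missing comment at the moved `rwlock_init(&table->lock);`. The ordering now matters, because xt_replace_table() on the next line uses the lock; a short comment saying so keeps the call from drifting back below it. Since the changelog says tables no longer need to define the lock before registering, also note there that a lock the caller already initialised is re-initialised here.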
@@ -538,7 +539,6 @@ int xt_register_table(struct xt_table *t
/* save number of initial entries */
private->initial_entries = private->number;
- rwlock_init(&table->lock);
list_prepend(&xt[table->af].tables, table);
ret = 0;
* [NETFILTER 07/07]: ipt action: use xt_check_target for basic verification
From: Patrick McHardy @ 2006-04-21 1:06 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: ipt action: use xt_check_target for basic verification
The targets don't do the basic verification themselves anymore so
the ipt action needs to take care of it.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 42a2de55185ffa55f70e289e708d492eae2685c5
tree 49d5316c896a1801f2f1abedb73b8e052522c6c9
parent 81b536eef7989c16a2d59ced319aafaaf9e3ed03
author Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 03:03:53 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 21 Apr 2006 03:03:53 +0200
net/sched/act_ipt.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 6056d20..37640c6 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -69,6 +69,11 @@ ipt_init_target(struct ipt_entry_target
DPRINTK("ipt_init_target: found %s\n", target->name);
t->u.kernel.target = target;
+ ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
+ table, hook, 0, 0);
+ if (ret)
+ return ret;
+
if (t->u.kernel.target->checkentry
&& !t->u.kernel.target->checkentry(table, NULL,
t->u.kernel.target, t->data,
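Review bot: `t->u.target_size - sizeof(*t)` in the new xt_check_target() call has no visible lower-bound check. If target_size can be smaller than sizeof(*t), the unsigned subtraction wraps and a very large size is passed on; validate `t->u.target_size >= sizeof(*t)` before this call unless the caller already guarantees it. Also check the new `return ret;` path: it returns after `t->u.kernel.target = target;` has been set, so whatever the target lookup acquired needs releasing there.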
* Re: [NETFILTER 00/07]: Netfilter fixes for 2.6.17
From: David S. Miller @ 2006-04-25 0:54 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Fri, 21 Apr 2006 03:06:48 +0200 (MEST)
> following are a couple of netfilter fixes for 2.6.17. The whitespace
> problem is fixed now, apparently sed doesn't understand \t. I guess
> I'm lucky that it didn't start stripping trailing t's :)
:-) All applied, thanks Patrick.