[NETFILTER 00/06]: Netfilter Update

[NETFILTER 00/06]: Netfilter Update

[Patrick McHardy]

Hi Dave,

following is a small netfilter update. Nothing exciting, just minor fixes and
a missing helptext. Please apply, thanks.


 net/ipv4/netfilter/arp_tables.c         |    3 ++-
 net/ipv4/netfilter/ip_queue.c           |   12 ++++++++++--
 net/ipv4/netfilter/ip_tables.c          |    3 ++-
 net/ipv6/netfilter/ip6_tables.c         |    3 ++-
 net/netfilter/Kconfig                   |    5 ++++-
 net/netfilter/nf_conntrack_netlink.c    |    1 +
 net/netfilter/nf_conntrack_proto_sctp.c |    2 ++
 net/netfilter/nfnetlink_queue.c         |   12 ++++++++++--
 net/netfilter/xt_sctp.c                 |    2 +-
 net/netfilter/xt_tcpudp.c               |    2 +-
 10 files changed, 35 insertions(+), 10 deletions(-)

Jorge Matias:
      [NETFILTER]: xt_sctp: fix --chunk-types matching

Patrick McHardy:
      [NETFILTER]: x_tables: fix xt_register_table error propagation
      [NETFILTER]: ip_queue/nfnetlink_queue: drop bridge port references when dev disappears
      [NETFILTER]: statistic match: add missing Kconfig help text

Yasuyuki Kozakai:
      [NETFILTER]: nf_conntrack: Fix undefined references to local_bh_*

Yuri Gushin:
      [NETFILTER]: xt_tcpudp: fix double unregistration in error path

[NETFILTER 01/06]: x_tables: fix xt_register_table error propagation

[Patrick McHardy]

[NETFILTER]: x_tables: fix xt_register_table error propagation

When xt_register_table fails the error is not properly propagated back.
Based on patch by Lepton Wu <ytht.net@gmail.com>.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit c223657397019f91ab8f7a7b8b417eae4a378c72
tree 016c6c6cd56cd11ef4d4250ab083da1894df03eb
parent 80cd9e86e65901f97f3c77b914985cff387d331d
author Patrick McHardy <kaber@trash.net> Mon, 19 Jun 2006 16:48:07 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 19 Jun 2006 16:48:07 +0200

 net/ipv4/netfilter/arp_tables.c |    3 ++-
 net/ipv4/netfilter/ip_tables.c  |    3 ++-
 net/ipv6/netfilter/ip6_tables.c |    3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index d0d1919..ad39bf6 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1120,7 +1120,8 @@ int arpt_register_table(struct arpt_tabl
 		return ret;
 	}
 
-	if (xt_register_table(table, &bootstrap, newinfo) != 0) {
+	ret = xt_register_table(table, &bootstrap, newinfo);
+	if (ret != 0) {
 		xt_free_table_info(newinfo);
 		return ret;
 	}
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index cee3397..101ad98 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2113,7 +2113,8 @@ int ipt_register_table(struct xt_table *
 		return ret;
 	}
 
-	if (xt_register_table(table, &bootstrap, newinfo) != 0) {
+	ret = xt_register_table(table, &bootstrap, newinfo);
+	if (ret != 0) {
 		xt_free_table_info(newinfo);
 		return ret;
 	}
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 2e72f89..0b5bd55 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1281,7 +1281,8 @@ int ip6t_register_table(struct xt_table 
 		return ret;
 	}
 
-	if (xt_register_table(table, &bootstrap, newinfo) != 0) {
+	ret = xt_register_table(table, &bootstrap, newinfo);
+	if (ret != 0) {
 		xt_free_table_info(newinfo);
 		return ret;
 	}

[NETFILTER 02/06]: nf_conntrack: Fix undefined references to local_bh_*

[Patrick McHardy]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 2251 bytes --]

[NETFILTER]: nf_conntrack: Fix undefined references to local_bh_*

  CC      net/netfilter/nf_conntrack_proto_sctp.o
net/netfilter/nf_conntrack_proto_sctp.c: In function `sctp_print_conntrack':
net/netfilter/nf_conntrack_proto_sctp.c:206: warning: implicit declaration of function `local_bh_disable'
net/netfilter/nf_conntrack_proto_sctp.c:208: warning: implicit declaration of function `local_bh_enable'
  CC      net/netfilter/nf_conntrack_netlink.o
net/netfilter/nf_conntrack_netlink.c: In function `ctnetlink_dump_table':
net/netfilter/nf_conntrack_netlink.c:429: warning: implicit declaration of function `local_bh_disable'
net/netfilter/nf_conntrack_netlink.c:452: warning: implicit declaration of function `local_bh_enable'

Spotted by Toralf Förster

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 7cb7437f3a26e2054d315a9baea52f9d825a7286
tree 72c74e7b320d2763b3ba2e7387cf3f003c250b67
parent c223657397019f91ab8f7a7b8b417eae4a378c72
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Mon, 19 Jun 2006 16:48:59 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 19 Jun 2006 16:48:59 +0200

 net/netfilter/nf_conntrack_netlink.c    |    1 +
 net/netfilter/nf_conntrack_proto_sctp.c |    2 ++
 2 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index b8c7c56..af48459 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -29,6 +29,7 @@ #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/netlink.h>
 #include <linux/spinlock.h>
+#include <linux/interrupt.h>
 #include <linux/notifier.h>
 
 #include <linux/netfilter.h>
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 0c6da49..0839b70 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -28,6 +28,8 @@ #include <linux/ip.h>
 #include <linux/sctp.h>
 #include <linux/string.h>
 #include <linux/seq_file.h>
+#include <linux/spinlock.h>
+#include <linux/interrupt.h>
 
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_protocol.h>

[NETFILTER 03/06]: xt_tcpudp: fix double unregistration in error path

[Patrick McHardy]

[NETFILTER]: xt_tcpudp: fix double unregistration in error path

"xt_unregister_match(AF_INET, &tcp_matchstruct)" is called twice,
leaving "udp_matchstruct" registered, in case of a failure in the
registration of the udp6 structure.

Signed-off-by: Yuri Gushin <yuri@ecl-labs.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit a81302ac4c22da108602d0c053c168a700c81e32
tree b420da32ec06dd3d9e9a42b581bcfcc05b6eee53
parent 7cb7437f3a26e2054d315a9baea52f9d825a7286
author Yuri Gushin <yuri@ecl-labs.org> Mon, 19 Jun 2006 16:59:55 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 19 Jun 2006 16:59:55 +0200

 net/netfilter/xt_tcpudp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 1b61dac..a9a63aa 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -260,7 +260,7 @@ static int __init xt_tcpudp_init(void)
 	return ret;
 
 out_unreg_udp:
-	xt_unregister_match(&tcp_matchstruct);
+	xt_unregister_match(&udp_matchstruct);
 out_unreg_tcp6:
 	xt_unregister_match(&tcp6_matchstruct);
 out_unreg_tcp:

[NETFILTER 04/06]: xt_sctp: fix --chunk-types matching

[Patrick McHardy]

[NETFILTER]: xt_sctp: fix --chunk-types matching

xt_sctp uses an incorrect header offset when --chunk-types is used.

Signed-off-by: Jorge Matias <jorge.matias@motorola.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9565b859bc682e4c208f73e83adb21a7f86d0143
tree 7823e21bbe10b265fe011cb895f30160789210ad
parent a81302ac4c22da108602d0c053c168a700c81e32
author Jorge Matias <jorge.matias@motorola.com> Mon, 19 Jun 2006 18:04:28 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 19 Jun 2006 18:04:28 +0200

 net/netfilter/xt_sctp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index b5110e5..919c037 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -151,7 +151,7 @@ match(const struct sk_buff *skb,
 		&& SCCHECK(((ntohs(sh->dest) >= info->dpts[0]) 
 			&& (ntohs(sh->dest) <= info->dpts[1])), 
 			XT_SCTP_DEST_PORTS, info->flags, info->invflags)
-		&& SCCHECK(match_packet(skb, protoff,
+		&& SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t),
 					info->chunkmap, info->chunk_match_type,
  					info->flag_info, info->flag_count, 
 					hotdrop),

[NETFILTER 05/06]: ip_queue/nfnetlink_queue: drop bridge port references when dev disappears

[Patrick McHardy]

[NETFILTER]: ip_queue/nfnetlink_queue: drop bridge port references when dev disappears

When a device that is acting as a bridge port is unregistered, the
ip_queue/nfnetlink_queue notifier doesn't check if its one of
physindev/physoutdev and doesn't release the references if it is.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5e9d63f46ae2805245fcc9ec58f844d1347bd469
tree 96f0d37e0f70100ba2b31b7eaa5453125a4d6ac4
parent 9565b859bc682e4c208f73e83adb21a7f86d0143
author Patrick McHardy <kaber@trash.net> Mon, 26 Jun 2006 17:15:02 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 26 Jun 2006 17:15:02 +0200

 net/ipv4/netfilter/ip_queue.c   |   12 ++++++++++--
 net/netfilter/nfnetlink_queue.c |   12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index b93f049..213d116 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -457,11 +457,19 @@ dev_cmp(struct ipq_queue_entry *entry, u
 	if (entry->info->indev)
 		if (entry->info->indev->ifindex == ifindex)
 			return 1;
-			
 	if (entry->info->outdev)
 		if (entry->info->outdev->ifindex == ifindex)
 			return 1;
-
+#ifdef CONFIG_BRIDGE_NETFILTER
+	if (entry->skb->nf_bridge) {
+		if (entry->skb->nf_bridge->physindev &&
+		    entry->skb->nf_bridge->physindev->ifindex == ifindex)
+			return 1;
+		if (entry->skb->nf_bridge->physoutdev &&
+		    entry->skb->nf_bridge->physoutdev->ifindex == ifindex)
+		    	return 1;
+	}
+#endif
 	return 0;
 }
 
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 86a4ac3..49ef41e 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -680,11 +680,19 @@ dev_cmp(struct nfqnl_queue_entry *entry,
 	if (entinf->indev)
 		if (entinf->indev->ifindex == ifindex)
 			return 1;
-			
 	if (entinf->outdev)
 		if (entinf->outdev->ifindex == ifindex)
 			return 1;
-
+#ifdef CONFIG_BRIDGE_NETFILTER
+	if (entry->skb->nf_bridge) {
+		if (entry->skb->nf_bridge->physindev &&
+		    entry->skb->nf_bridge->physindev->ifindex == ifindex)
+			return 1;
+		if (entry->skb->nf_bridge->physoutdev &&
+		    entry->skb->nf_bridge->physoutdev->ifindex == ifindex)
+			return 1;
+	}
+#endif
 	return 0;
 }
 

[NETFILTER 06/06]: statistic match: add missing Kconfig help text

[Patrick McHardy]

[NETFILTER]: statistic match: add missing Kconfig help text

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 761a7b483e46977e51f703ec5ff5d5861f328eb8
tree 18b8e54efc62a8c6d03ae8fba782b1b0c5d1f18f
parent 5e9d63f46ae2805245fcc9ec58f844d1347bd469
author Patrick McHardy <kaber@trash.net> Mon, 26 Jun 2006 17:17:25 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 26 Jun 2006 17:17:25 +0200

 net/netfilter/Kconfig |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index b1622b7..42a178a 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -411,7 +411,10 @@ config NETFILTER_XT_MATCH_STATISTIC
 	tristate '"statistic" match support'
 	depends on NETFILTER_XTABLES
 	help
-	  statistic module
+	  This option adds a `statistic' match, which allows you to match
+	  on packets periodically or randomly with a given percentage.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NETFILTER_XT_MATCH_STRING
 	tristate  '"string" match support'

Re: [NETFILTER 00/06]: Netfilter Update

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 26 Jun 2006 17:43:07 +0200 (MEST)

> following is a small netfilter update. Nothing exciting, just minor fixes and
> a missing helptext. Please apply, thanks.

All applied, thanks Patrick.

[NETFILTER 00/06]: Netfilter update

[Patrick McHardy]

Hi Dave,

following are a few netfilter patches for 2.6.22, adding support for filtering
encapsulated PPPoE and gratuitous ARP packets in bridge netfilter, compat
support for ipt_ULOG (as mentioned in the other thread, 32 bit userspace can
already deal with log messages sent by a 64 bit kernel, but the kernel
currently does not support adding new rules from a 32 bit iptables binary),
some misc netfilter logging cleanup and support for using HW checksumming
for forwarded packets mangled by NAT helpers.

Please apply, thanks.



 Documentation/networking/ip-sysctl.txt   |    7 ++
 include/linux/if_pppox.h                 |    3 +
 include/linux/netfilter_bridge.h         |   11 +++-
 include/linux/netfilter_bridge/ebt_arp.h |    4 +
 include/linux/sysctl.h                   |    1 
 net/bridge/br_netfilter.c                |   77 +++++++++++++++++++++++++++++--
 net/bridge/netfilter/ebt_arp.c           |   48 ++++++++-----------
 net/bridge/netfilter/ebt_log.c           |   12 +---
 net/ipv4/netfilter/ipt_LOG.c             |   12 +---
 net/ipv4/netfilter/ipt_ULOG.c            |   40 ++++++++++++++++
 net/ipv4/netfilter/nf_nat_helper.c       |   49 ++++++++++++++-----
 net/ipv6/netfilter/ip6t_LOG.c            |   12 +---
 net/netfilter/nfnetlink_log.c            |    5 --
 13 files changed, 206 insertions(+), 75 deletions(-)

Bart De Schuymer (1):
      [NETFILTER]: ebt_arp: add gratuitous arp filtering

Michael Milner (1):
      [NETFILTER]: bridge-nf: filter bridged IPv4/IPv6 encapsulated in pppoe traffic

Patrick McHardy (4):
      [NETFILTER]: nf_nat: use HW checksumming when possible
      [NETFILTER]: {eb,ip6,ip}t_LOG: remove remains of LOG target overloading
      [NETFILTER]: nfnetlink_log: remove fallback to group 0
      [NETFILTER]: ipt_ULOG: add compat conversion functions

Re: [NETFILTER 00/06]: Netfilter update

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 13 Apr 2007 05:00:08 +0200 (MEST)

> Hi Dave,
> 
> following are a few netfilter patches for 2.6.22, adding support for filtering
> encapsulated PPPoE and gratuitous ARP packets in bridge netfilter, compat
> support for ipt_ULOG (as mentioned in the other thread, 32 bit userspace can
> already deal with log messages sent by a 64 bit kernel, but the kernel
> currently does not support adding new rules from a 32 bit iptables binary),
> some misc netfilter logging cleanup and support for using HW checksumming
> for forwarded packets mangled by NAT helpers.
> 
> Please apply, thanks.

All looks good, applied, thanks Patrick.