[NETFILTER 00/06]: Netfilter fixes

[NETFILTER 00/06]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are a few small netfilter fixes and a patch to finally
add the bridge netfilter deferred hooks to feature-removal-schedule
and disable them by default, which classifies as a huge bugfix in
my opinion :)

Please apply, thanks.


 Documentation/feature-removal-schedule.txt   |   16 ++++++++++++++++
 include/linux/netfilter_bridge.h             |    2 ++
 net/bridge/br_netfilter.c                    |    5 +++++
 net/ipv4/netfilter/ip_conntrack_standalone.c |    4 ++--
 net/ipv4/netfilter/ip_nat_snmp_basic.c       |    4 ++--
 net/netfilter/Kconfig                        |    4 ++--
 net/netfilter/nf_conntrack_standalone.c      |    4 ++--
 net/netfilter/nf_queue.c                     |    9 ++++-----
 net/netfilter/xt_physdev.c                   |   15 +++++++++++++++
 net/netfilter/xt_pkttype.c                   |   12 +++++++++++-
 10 files changed, 61 insertions(+), 14 deletions(-)

Adrian Bunk:
      [NETFILTER]: conntrack: fix SYSCTL=n compile

Patrick McHardy:
      [NETFILTER]: nf_queue: handle NF_STOP and unknown verdicts in nf_reinject
      [NETFILTER]: SNMP NAT: fix byteorder confusion
      [NETFILTER]: bridge netfilter: add deferred output hooks to feature-removal-schedule
      [NETFILTER]: Demote xt_sctp to EXPERIMENTAL

Phil Oester:
      [NETFILTER]: xt_pkttype: fix mismatches on locally generated packets

[NETFILTER 01/06]: nf_queue: handle NF_STOP and unknown verdicts in nf_reinject

[Patrick McHardy]

[NETFILTER]: nf_queue: handle NF_STOP and unknown verdicts in nf_reinject

In case of an unknown verdict or NF_STOP the packet leaks. Unknown verdicts
can happen when userspace is buggy. Reinject the packet in case of NF_STOP,
drop on unknown verdicts.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 559fa54b6c0d2813de1d4753964587fc3655bbf1
tree b160176d29bdf8ff93cf6491533e41104fa19f93
parent 440848a8e33fc1927bab45bd73f6c8e042ea7abd
author Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 00:02:11 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 00:02:11 +0200

 net/netfilter/nf_queue.c |    9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index bb6fcee..662a869 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -219,21 +219,20 @@ #endif
 
 	switch (verdict & NF_VERDICT_MASK) {
 	case NF_ACCEPT:
+	case NF_STOP:
 		info->okfn(skb);
+	case NF_STOLEN:
 		break;
-
 	case NF_QUEUE:
 		if (!nf_queue(&skb, elem, info->pf, info->hook, 
 			      info->indev, info->outdev, info->okfn,
 			      verdict >> NF_VERDICT_BITS))
 			goto next_hook;
 		break;
+	default:
+		kfree_skb(skb);
 	}
 	rcu_read_unlock();
-
-	if (verdict == NF_DROP)
-		kfree_skb(skb);
-
 	kfree(info);
 	return;
 }

[NETFILTER 02/06]: conntrack: fix SYSCTL=n compile

[Patrick McHardy]

[NETFILTER]: conntrack: fix SYSCTL=n compile

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 4aed24265c0b6270d328362ff66b51fed56a9d1a
tree fd66f207da170da399330d7dbc26691b8a8a7488
parent 559fa54b6c0d2813de1d4753964587fc3655bbf1
author Adrian Bunk <bunk@stusta.de> Tue, 25 Jul 2006 00:04:54 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 00:04:54 +0200

 net/ipv4/netfilter/ip_conntrack_standalone.c |    4 ++--
 net/netfilter/nf_conntrack_standalone.c      |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 7bd3c22..7a9fa04 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -534,6 +534,8 @@ static struct nf_hook_ops ip_conntrack_o
 
 /* Sysctl support */
 
+int ip_conntrack_checksum = 1;
+
 #ifdef CONFIG_SYSCTL
 
 /* From ip_conntrack_core.c */
@@ -568,8 +570,6 @@ extern unsigned int ip_ct_generic_timeou
 static int log_invalid_proto_min = 0;
 static int log_invalid_proto_max = 255;
 
-int ip_conntrack_checksum = 1;
-
 static struct ctl_table_header *ip_ct_sysctl_header;
 
 static ctl_table ip_ct_sysctl_table[] = {
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 5fcab2e..4ef8366 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -428,6 +428,8 @@ #endif /* CONFIG_PROC_FS */
 
 /* Sysctl support */
 
+int nf_conntrack_checksum = 1;
+
 #ifdef CONFIG_SYSCTL
 
 /* From nf_conntrack_core.c */
@@ -459,8 +461,6 @@ extern unsigned int nf_ct_generic_timeou
 static int log_invalid_proto_min = 0;
 static int log_invalid_proto_max = 255;
 
-int nf_conntrack_checksum = 1;
-
 static struct ctl_table_header *nf_ct_sysctl_header;
 
 static ctl_table nf_ct_sysctl_table[] = {

[NETFILTER 03/06]: SNMP NAT: fix byteorder confusion

[Patrick McHardy]

[NETFILTER]: SNMP NAT: fix byteorder confusion

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 91ce3a69f0154c527da6e4a47c8784383981a222
tree c72655288441f9148a03ed2a3a42ed0c6706fa51
parent 4aed24265c0b6270d328362ff66b51fed56a9d1a
author Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 00:05:13 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 00:05:13 +0200

 net/ipv4/netfilter/ip_nat_snmp_basic.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c
index 0b1b416..18b7fbd 100644
--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -1255,9 +1255,9 @@ static int help(struct sk_buff **pskb,
 	struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
 
 	/* SNMP replies and originating SNMP traps get mangled */
-	if (udph->source == ntohs(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
+	if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
 		return NF_ACCEPT;
-	if (udph->dest == ntohs(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
+	if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
 		return NF_ACCEPT;
 
 	/* No NAT? */

[NETFILTER 04/06]: xt_pkttype: fix mismatches on locally generated packets

[Patrick McHardy]

[NETFILTER]: xt_pkttype: fix mismatches on locally generated packets

Locally generated broadcast and multicast packets have pkttype set to
PACKET_LOOPBACK instead of PACKET_BROADCAST or PACKET_MULTICAST. This
causes the pkttype match to fail to match packets of either type.

The below patch remedies this by using the daddr as a hint as to
broadcast|multicast. While not pretty, this seems like the only way
to solve the problem short of just noting this as a limitation of the
match.

This resolves netfilter bugzilla #484

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9a713120692b6601fa2abf506862bc40c16459ba
tree 3dbfa7b16367fbe36adcd374b8f62dfde89769fa
parent 91ce3a69f0154c527da6e4a47c8784383981a222
author Phil Oester <kernel@linuxace.com> Tue, 25 Jul 2006 00:05:39 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 00:05:39 +0200

 net/netfilter/xt_pkttype.c |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 3ac703b..d2f5320 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -9,6 +9,8 @@ #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/if_ether.h>
 #include <linux/if_packet.h>
+#include <linux/in.h>
+#include <linux/ip.h>
 
 #include <linux/netfilter/xt_pkttype.h>
 #include <linux/netfilter/x_tables.h>
@@ -28,9 +30,17 @@ static int match(const struct sk_buff *s
       unsigned int protoff,
       int *hotdrop)
 {
+	u_int8_t type;
 	const struct xt_pkttype_info *info = matchinfo;
 
-	return (skb->pkt_type == info->pkttype) ^ info->invert;
+	if (skb->pkt_type == PACKET_LOOPBACK)
+		type = (MULTICAST(skb->nh.iph->daddr)
+			? PACKET_MULTICAST
+			: PACKET_BROADCAST);
+	else
+		type = skb->pkt_type;
+
+	return (type == info->pkttype) ^ info->invert;
 }
 
 static struct xt_match pkttype_match = {

[NETFILTER 05/06]: bridge netfilter: add deferred output hooks to feature-removal-schedule

[Patrick McHardy]

[NETFILTER]: bridge netfilter: add deferred output hooks to feature-removal-schedule

Add bridge netfilter deferred output hooks to feature-removal-schedule and
disable them by default. Until their removal they will be activated by the
physdev match when needed.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 6484ca45f549ab966c21d2e1da36f3d0d14a20a2
tree 6b7cccfacd48e55cd0d713d55ba6e655187cd965
parent 9a713120692b6601fa2abf506862bc40c16459ba
author Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 05:04:32 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 05:04:32 +0200

 Documentation/feature-removal-schedule.txt |   16 ++++++++++++++++
 include/linux/netfilter_bridge.h           |    2 ++
 net/bridge/br_netfilter.c                  |    5 +++++
 net/netfilter/xt_physdev.c                 |   15 +++++++++++++++
 4 files changed, 38 insertions(+), 0 deletions(-)

diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 9d3a077..87851ef 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -258,3 +258,19 @@ Why:	These drivers never compiled since 
 Who:	Jean Delvare <khali@linux-fr.org>
 
 ---------------------------
+
+What:	Bridge netfilter deferred IPv4/IPv6 output hook calling
+When:	January 2007
+Why:	The deferred output hooks are a layering violation causing unusual
+	and broken behaviour on bridge devices. Examples of things they
+	break include QoS classifation using the MARK or CLASSIFY targets,
+	the IPsec policy match and connection tracking with VLANs on a
+	bridge. Their only use is to enable bridge output port filtering
+	within iptables with the physdev match, which can also be done by
+	combining iptables and ebtables using netfilter marks. Until it
+	will get removed the hook deferral is disabled by default and is
+	only enabled when needed.
+
+Who:	Patrick McHardy <kaber@trash.net>
+
+---------------------------
diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
index 8776402..31f02ba 100644
--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -79,6 +79,8 @@ struct bridge_skb_cb {
 		__u32 ipv4;
 	} daddr;
 };
+
+extern int brnf_deferred_hooks;
 #endif /* CONFIG_BRIDGE_NETFILTER */
 
 #endif /* __KERNEL__ */
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index cbc8a38..05b3de8 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -61,6 +61,9 @@ #else
 #define brnf_filter_vlan_tagged 1
 #endif
 
+int brnf_deferred_hooks;
+EXPORT_SYMBOL_GPL(brnf_deferred_hooks);
+
 static __be16 inline vlan_proto(const struct sk_buff *skb)
 {
 	return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
@@ -890,6 +893,8 @@ #ifdef CONFIG_SYSCTL
 				return NF_ACCEPT;
 			else if (ip->version == 6 && !brnf_call_ip6tables)
 				return NF_ACCEPT;
+			else if (!brnf_deferred_hooks)
+				return NF_ACCEPT;
 #endif
 			if (hook == NF_IP_POST_ROUTING)
 				return NF_ACCEPT;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 5fe4c9d..a9f4f6f 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -113,6 +113,21 @@ checkentry(const char *tablename,
 	if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
 	    info->bitmask & ~XT_PHYSDEV_OP_MASK)
 		return 0;
+	if (brnf_deferred_hooks == 0 &&
+	    info->bitmask & XT_PHYSDEV_OP_OUT &&
+	    (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
+	     info->invert & XT_PHYSDEV_OP_BRIDGED) &&
+	    hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
+	                 (1 << NF_IP_POST_ROUTING))) {
+		printk(KERN_WARNING "physdev match: using --physdev-out in the "
+		       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
+		       "traffic is deprecated and breaks other things, it will "
+		       "be removed in January 2007. See Documentation/"
+		       "feature-removal-schedule.txt for details. This doesn't "
+		       "affect you in case you're using it for purely bridged "
+		       "traffic.\n");
+		brnf_deferred_hooks = 1;
+	}
 	return 1;
 }
 

[NETFILTER 06/06]: Demote xt_sctp to EXPERIMENTAL

[Patrick McHardy]

[NETFILTER]: Demote xt_sctp to EXPERIMENTAL

After the recent problems with all the SCTP stuff it seems reasonable
to mark this as experimental.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 330dabc0d6886c4c23e94cfc66bf9281c2796629
tree d2ebe43ffc642107c62318f54d882f841acc6902
parent 6484ca45f549ab966c21d2e1da36f3d0d14a20a2
author Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 05:05:06 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 25 Jul 2006 05:05:06 +0200

 net/netfilter/Kconfig |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 42a178a..a9894dd 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -386,8 +386,8 @@ config NETFILTER_XT_MATCH_REALM
 	  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
 config NETFILTER_XT_MATCH_SCTP
-	tristate  '"sctp" protocol match support'
-	depends on NETFILTER_XTABLES
+	tristate  '"sctp" protocol match support (EXPERIMENTAL)'
+	depends on NETFILTER_XTABLES && EXPERIMENTAL
 	help
 	  With this option enabled, you will be able to use the 
 	  `sctp' match in order to match on SCTP source/destination ports

Re: [NETFILTER 00/06]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 25 Jul 2006 05:26:54 +0200 (MEST)

> following are a few small netfilter fixes and a patch to finally
> add the bridge netfilter deferred hooks to feature-removal-schedule
> and disable them by default, which classifies as a huge bugfix in
> my opinion :)
> 
> Please apply, thanks.

Applied, thanks a lot Patrick.