[NETFILTER 00/02]: Netfilter fixes

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes for 2.6.20, fixing a memory leak in
ctnetlink and a compile failure of the state match on PPC.

Please apply, thanks.


 include/net/netfilter/nf_conntrack_compat.h |    1 +
 net/ipv4/netfilter/ip_conntrack_netlink.c   |    2 +-
 net/netfilter/nf_conntrack_netlink.c        |    2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

Mikael Pettersson:
      [NETFILTER]: fix xt_state compile failure

Patrick McHardy:
      [NETFILTER]: ctnetlink: fix leak in ctnetlink_create_conntrack error path

[NETFILTER 01/02]: ctnetlink: fix leak in ctnetlink_create_conntrack error path

[Patrick McHardy]

[NETFILTER]: ctnetlink: fix leak in ctnetlink_create_conntrack error path

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 2725df007db9ffd520ce9be463e1d73202709d9b
tree a94f13912dc2f5703e29a8335b025d775d6121a6
parent 8bebd24221e4690f6fd9d5158c42cf59cf2422ab
author Patrick McHardy <kaber@trash.net> Mon, 15 Jan 2007 09:25:33 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 15 Jan 2007 09:25:33 +0100

 net/ipv4/netfilter/ip_conntrack_netlink.c |    2 +-
 net/netfilter/nf_conntrack_netlink.c      |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index 5fcf91d..6f31fad 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -959,7 +959,7 @@ ctnetlink_create_conntrack(struct nfattr
 	if (cda[CTA_PROTOINFO-1]) {
 		err = ctnetlink_change_protoinfo(ct, cda);
 		if (err < 0)
-			return err;
+			goto err;
 	}
 
 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bd1d2de..811e3e7 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -981,7 +981,7 @@ ctnetlink_create_conntrack(struct nfattr
 	if (cda[CTA_PROTOINFO-1]) {
 		err = ctnetlink_change_protoinfo(ct, cda);
 		if (err < 0)
-			return err;
+			goto err;
 	}
 
 #if defined(CONFIG_NF_CONNTRACK_MARK)

Re: [NETFILTER 01/02]: ctnetlink: fix leak in ctnetlink_create_conntrack error path

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 15 Jan 2007 10:22:52 +0100 (MET)

> [NETFILTER]: ctnetlink: fix leak in ctnetlink_create_conntrack error path
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

[NETFILTER 02/02]: fix xt_state compile failure

[Patrick McHardy]

[NETFILTER]: fix xt_state compile failure

In file included from net/netfilter/xt_state.c:13:
include/net/netfilter/nf_conntrack_compat.h: In function 'nf_ct_l3proto_try_module_get':
include/net/netfilter/nf_conntrack_compat.h:70: error: 'PF_INET' undeclared (first use in this function)
include/net/netfilter/nf_conntrack_compat.h:70: error: (Each undeclared identifier is reported only once
include/net/netfilter/nf_conntrack_compat.h:70: error: for each function it appears in.)
include/net/netfilter/nf_conntrack_compat.h:71: warning: control reaches end of non-void function
make[2]: *** [net/netfilter/xt_state.o] Error 1
make[1]: *** [net/netfilter] Error 2
make: *** [net] Error 2

A simple fix is to have nf_conntrack_compat.h #include <linux/socket.h>.

Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit f8f00b3d4bf918190a6edd5b94bbee452b4f5d64
tree 72676d027ca247eb0ca171247c328860e3f043c3
parent 2725df007db9ffd520ce9be463e1d73202709d9b
author Mikael Pettersson <mikpe@it.uu.se> Mon, 15 Jan 2007 09:30:45 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 15 Jan 2007 09:30:45 +0100

 include/net/netfilter/nf_conntrack_compat.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_compat.h b/include/net/netfilter/nf_conntrack_compat.h
index b9ce5c8..6f84c1f 100644
--- a/include/net/netfilter/nf_conntrack_compat.h
+++ b/include/net/netfilter/nf_conntrack_compat.h
@@ -6,6 +6,7 @@ #ifdef __KERNEL__
 #if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
 
 #include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/socket.h>
 
 #ifdef CONFIG_IP_NF_CONNTRACK_MARK
 static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb,

Re: [NETFILTER 02/02]: fix xt_state compile failure

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 15 Jan 2007 10:22:54 +0100 (MET)

> [NETFILTER]: fix xt_state compile failure
> 
> In file included from net/netfilter/xt_state.c:13:
> include/net/netfilter/nf_conntrack_compat.h: In function 'nf_ct_l3proto_try_module_get':
> include/net/netfilter/nf_conntrack_compat.h:70: error: 'PF_INET' undeclared (first use in this function)
> include/net/netfilter/nf_conntrack_compat.h:70: error: (Each undeclared identifier is reported only once
> include/net/netfilter/nf_conntrack_compat.h:70: error: for each function it appears in.)
> include/net/netfilter/nf_conntrack_compat.h:71: warning: control reaches end of non-void function
> make[2]: *** [net/netfilter/xt_state.o] Error 1
> make[1]: *** [net/netfilter] Error 2
> make: *** [net] Error 2
> 
> A simple fix is to have nf_conntrack_compat.h #include <linux/socket.h>.
> 
> Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied, thanks Patrick.

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these two patches fix a missing bit on conntrack entries with master
connections created through ctnetlink and some brokeness in the
iptables compat code, causing it to use pointers dumped to userspace
and copied back again to the kernel without any checks for validity.

Pleasy apply, thanks.


 net/ipv4/netfilter/ip_tables.c       |   57 +++++++--------------------------
 net/netfilter/nf_conntrack_netlink.c |    4 ++-
 net/netfilter/x_tables.c             |    8 +++-
 3 files changed, 21 insertions(+), 48 deletions(-)

Pablo Neira Ayuso (1):
      [NETFILTER]: ctnetlink: set expected bit for related conntracks

Patrick McHardy (1):
      [NETFILTER]: ip_tables: fix compat copy race

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these two patches contain a follow-up fix to the TCP conntrack connection
reopening problem and a fix for the sctp match, which uses ARRAY_SIZE on
a pointer instead of an array.

Please apply, thanks.


 include/linux/netfilter/xt_sctp.h      |   13 +++++--------
 net/netfilter/nf_conntrack_proto_tcp.c |   11 +++++++----
 net/netfilter/xt_sctp.c                |   18 ++++++++----------
 3 files changed, 20 insertions(+), 22 deletions(-)

Jozsef Kadlecsik (1):
      [NETFILTER]: nf_conntrack_tcp: fix connection reopening fix

Li Zefan (1):
      [NETFILTER]: xt_sctp: fix mistake to pass a pointer where array is required

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes, adding missing IPv6 module aliases
to a few matches and targets and fixing TCP conntrack connection
reopening. I'll also push the conntrack patch to -stable once it
hits upstream.

Please apply. thanks.


 net/netfilter/nf_conntrack_proto_tcp.c |   35 ++++++++++++-------------------
 net/netfilter/xt_CLASSIFY.c            |    1 +
 net/netfilter/xt_CONNMARK.c            |    1 +
 net/netfilter/xt_NOTRACK.c             |    1 +
 net/netfilter/xt_connbytes.c           |    1 +
 net/netfilter/xt_connmark.c            |    1 +
 net/netfilter/xt_dccp.c                |    1 +
 net/netfilter/xt_sctp.c                |    1 +
 net/netfilter/xt_tcpmss.c              |    1 +
 9 files changed, 22 insertions(+), 21 deletions(-)

Jan Engelhardt (1):
      [NETFILTER]: x_tables: add missing ip6t_modulename aliases

Jozsef Kadlecsik (1):
      [NETFILTER]: nf_conntrack_tcp: fix connection reopening

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these patches fix an incorrect warning message in IPv4 connection tracking
and the module unload deadlock notices by Neil Horman.

Please apply, thanks.


 include/linux/netfilter.h                      |    5 +--
 net/bridge/netfilter/ebtables.c                |    1 +
 net/ipv4/ipvs/ip_vs_ctl.c                      |    1 +
 net/ipv4/netfilter/arp_tables.c                |    1 +
 net/ipv4/netfilter/ip_tables.c                 |    1 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   11 ++----
 net/ipv6/netfilter/ip6_tables.c                |    1 +
 net/netfilter/nf_sockopt.c                     |   36 +++++++----------------
 8 files changed, 22 insertions(+), 35 deletions(-)

Neil Horman (1):
      [NETFILTER]: Fix/improve deadlock condition on module removal netfilter

Patrick McHardy (1):
      [NETFILTER]: nf_conntrack_ipv4: fix "Frag of proto ..." messages

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes for 2.6.22, adding a few new SIP message
types that are necessary to get Jerome's setup working, and a patch to
forbid changing helpers of an existing connection to avoid races while
changing the helper private area.

Please apply, thanks.


 net/netfilter/nf_conntrack_netlink.c |    3 +--
 net/netfilter/nf_conntrack_sip.c     |    3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

Jerome Borsboom (1):
      [NETFILTER]: nf_conntrack_sip: add missing message types containing RTP info

Yasuyuki Kozakai (1):
      [NETFILTER]: nfctnetlink: Don't allow to change helper

Re: [NETFILTER 00/02]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 22 Jun 2007 13:47:30 +0200 (MEST)

> Hi Dave,
> 
> following are two netfilter fixes for 2.6.22, adding a few new SIP message
> types that are necessary to get Jerome's setup working, and a patch to
> forbid changing helpers of an existing connection to avoid races while
> changing the helper private area.
> 
> Please apply, thanks.

Both patches applied, thanks Patrick!

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two more netfilter fixes for 2.6.20, fixing H.323 compilation with
IPV6=m and NF_CONNTRACK_H323=y (Adrian's patch) and another compile failure with
NF_CONNTRACK_MARK=n (same for IP_NF_CONNTRACK_MARK=n).

Please apply, thanks.


 net/ipv4/netfilter/ip_conntrack_netlink.c |    2 ++
 net/netfilter/Kconfig                     |    2 +-
 net/netfilter/nf_conntrack_netlink.c      |    2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

Adrian Bunk:
      [NETFILTER]: nf_conntrack_h323: fix compile error with CONFIG_IPV6=m, CONFIG_NF_CONNTRACK_H323=y

Max Kellermann:
      [NETFILTER]: ctnetlink: fix compile failure with NF_CONNTRACK_MARK=n

Re: [NETFILTER 00/02]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Sat,  3 Feb 2007 02:46:22 +0100 (MET)

> Hi Dave,
> 
> following are two more netfilter fixes for 2.6.20, fixing H.323 compilation with
> IPV6=m and NF_CONNTRACK_H323=y (Adrian's patch) and another compile failure with
> NF_CONNTRACK_MARK=n (same for IP_NF_CONNTRACK_MARK=n).
> 
> Please apply, thanks.

Applied, thanks Patrick.

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two more fixes for 2.6.18. The ulog patch fixes an old
crash in ulog that has hit quite a few people so far. I'm going to push
it to -stable as well.

Please apply, thanks.


 net/bridge/netfilter/ebt_ulog.c |    6 +++
 net/ipv4/netfilter/arp_tables.c |   54 +++++++++++++++++++++++--------
 net/ipv4/netfilter/ip_tables.c  |   66 +++++++++++++++++++++++++++++---------
 net/ipv4/netfilter/ipt_ULOG.c   |   10 +++++
 net/ipv6/netfilter/ip6_tables.c |   68 +++++++++++++++++++++++++++++-----------
 net/netfilter/nfnetlink_log.c   |    6 +++
 6 files changed, 162 insertions(+), 48 deletions(-)

Mark Huang:
      [NETFILTER]: ulog: fix panic on SMP kernels

Patrick McHardy:
      [NETFILTER]: {arp,ip,ip6}_tables: proper error recovery in init path

Re: [NETFILTER 00/02]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Sat, 12 Aug 2006 02:25:35 +0200 (MEST)

> following are two more fixes for 2.6.18. The ulog patch fixes an old
> crash in ulog that has hit quite a few people so far. I'm going to push
> it to -stable as well.
> 
> Please apply, thanks.

Both applied, thanks Patrick.