[NETFILTER 00/02]: Netfilter fixes

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two more fixes for 2.6.18. The ulog patch fixes an old
crash in ulog that has hit quite a few people so far. I'm going to push
it to -stable as well.

Please apply, thanks.


 net/bridge/netfilter/ebt_ulog.c |    6 +++
 net/ipv4/netfilter/arp_tables.c |   54 +++++++++++++++++++++++--------
 net/ipv4/netfilter/ip_tables.c  |   66 +++++++++++++++++++++++++++++---------
 net/ipv4/netfilter/ipt_ULOG.c   |   10 +++++
 net/ipv6/netfilter/ip6_tables.c |   68 +++++++++++++++++++++++++++++-----------
 net/netfilter/nfnetlink_log.c   |    6 +++
 6 files changed, 162 insertions(+), 48 deletions(-)

Mark Huang:
      [NETFILTER]: ulog: fix panic on SMP kernels

Patrick McHardy:
      [NETFILTER]: {arp,ip,ip6}_tables: proper error recovery in init path

Re: [NETFILTER 00/02]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Sat, 12 Aug 2006 02:25:35 +0200 (MEST)

> following are two more fixes for 2.6.18. The ulog patch fixes an old
> crash in ulog that has hit quite a few people so far. I'm going to push
> it to -stable as well.
> 
> Please apply, thanks.

Both applied, thanks Patrick.

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes for 2.6.20, fixing a memory leak in
ctnetlink and a compile failure of the state match on PPC.

Please apply, thanks.


 include/net/netfilter/nf_conntrack_compat.h |    1 +
 net/ipv4/netfilter/ip_conntrack_netlink.c   |    2 +-
 net/netfilter/nf_conntrack_netlink.c        |    2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

Mikael Pettersson:
      [NETFILTER]: fix xt_state compile failure

Patrick McHardy:
      [NETFILTER]: ctnetlink: fix leak in ctnetlink_create_conntrack error path

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two more netfilter fixes for 2.6.20, fixing H.323 compilation with
IPV6=m and NF_CONNTRACK_H323=y (Adrian's patch) and another compile failure with
NF_CONNTRACK_MARK=n (same for IP_NF_CONNTRACK_MARK=n).

Please apply, thanks.


 net/ipv4/netfilter/ip_conntrack_netlink.c |    2 ++
 net/netfilter/Kconfig                     |    2 +-
 net/netfilter/nf_conntrack_netlink.c      |    2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

Adrian Bunk:
      [NETFILTER]: nf_conntrack_h323: fix compile error with CONFIG_IPV6=m, CONFIG_NF_CONNTRACK_H323=y

Max Kellermann:
      [NETFILTER]: ctnetlink: fix compile failure with NF_CONNTRACK_MARK=n

Re: [NETFILTER 00/02]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Sat,  3 Feb 2007 02:46:22 +0100 (MET)

> Hi Dave,
> 
> following are two more netfilter fixes for 2.6.20, fixing H.323 compilation with
> IPV6=m and NF_CONNTRACK_H323=y (Adrian's patch) and another compile failure with
> NF_CONNTRACK_MARK=n (same for IP_NF_CONNTRACK_MARK=n).
> 
> Please apply, thanks.

Applied, thanks Patrick.

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes for 2.6.22, adding a few new SIP message
types that are necessary to get Jerome's setup working, and a patch to
forbid changing helpers of an existing connection to avoid races while
changing the helper private area.

Please apply, thanks.


 net/netfilter/nf_conntrack_netlink.c |    3 +--
 net/netfilter/nf_conntrack_sip.c     |    3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

Jerome Borsboom (1):
      [NETFILTER]: nf_conntrack_sip: add missing message types containing RTP info

Yasuyuki Kozakai (1):
      [NETFILTER]: nfctnetlink: Don't allow to change helper

[NETFILTER 01/02]: nf_conntrack_sip: add missing message types containing RTP info

[Patrick McHardy]

[NETFILTER]: nf_conntrack_sip: add missing message types containing RTP info

Signed-off-by: Jerome Borsboom <j.borsboom@erasmusmc.nl>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 845abcbe6c8ef918b3499e820aafe4d26119c737
tree a07a4b377afbcfcb3cae6c93e50fc09c3006dd29
parent 188e1f81ba31af1b65a2f3611df4c670b092bbac
author Jerome Borsboom <j.borsboom@erasmusmc.nl> Mon, 18 Jun 2007 14:56:42 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 18 Jun 2007 14:56:42 +0200

 net/netfilter/nf_conntrack_sip.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 7aaa8c9..1b5c6c1 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -442,6 +442,9 @@ static int sip_help(struct sk_buff **pskb,
 
 	/* RTP info only in some SDP pkts */
 	if (memcmp(dptr, "INVITE", sizeof("INVITE") - 1) != 0 &&
+	    memcmp(dptr, "UPDATE", sizeof("UPDATE") - 1) != 0 &&
+	    memcmp(dptr, "SIP/2.0 180", sizeof("SIP/2.0 180") - 1) != 0 &&
+	    memcmp(dptr, "SIP/2.0 183", sizeof("SIP/2.0 183") - 1) != 0 &&
 	    memcmp(dptr, "SIP/2.0 200", sizeof("SIP/2.0 200") - 1) != 0) {
 		goto out;
 	}

[NETFILTER 02/02]: nfctnetlink: Don't allow to change helper

[Patrick McHardy]

[NETFILTER]: nfctnetlink: Don't allow to change helper

There is no realistic situation to change helper (Who wants IRC helper to
track FTP traffic ?). Moreover, if we want to do that, we need to fix race
issue by nfctnetlink and running helper. That will add overhead to packet
processing. It wouldn't pay. So this rejects the request to change
helper. The requests to add or remove helper are accepted as ever.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 4c56b708f2c447527749492fd53e85d1e1483f02
tree 6d3f9fd34752e010f5c597a5e2b1611469cb2917
parent 845abcbe6c8ef918b3499e820aafe4d26119c737
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Wed, 20 Jun 2007 14:52:57 +0200
committer Patrick McHardy <kaber@trash.net> Wed, 20 Jun 2007 14:52:57 +0200

 net/netfilter/nf_conntrack_netlink.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 3f73327..d0fe3d7 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -869,8 +869,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[])
 		return 0;
 
 	if (help->helper)
-		/* we had a helper before ... */
-		nf_ct_remove_expectations(ct);
+		return -EBUSY;
 
 	/* need to zero data of old helper */
 	memset(&help->help, 0, sizeof(help->help));

Re: [NETFILTER 00/02]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 22 Jun 2007 13:47:30 +0200 (MEST)

> Hi Dave,
> 
> following are two netfilter fixes for 2.6.22, adding a few new SIP message
> types that are necessary to get Jerome's setup working, and a patch to
> forbid changing helpers of an existing connection to avoid races while
> changing the helper private area.
> 
> Please apply, thanks.

Both patches applied, thanks Patrick!

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these patches fix an incorrect warning message in IPv4 connection tracking
and the module unload deadlock notices by Neil Horman.

Please apply, thanks.


 include/linux/netfilter.h                      |    5 +--
 net/bridge/netfilter/ebtables.c                |    1 +
 net/ipv4/ipvs/ip_vs_ctl.c                      |    1 +
 net/ipv4/netfilter/arp_tables.c                |    1 +
 net/ipv4/netfilter/ip_tables.c                 |    1 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   11 ++----
 net/ipv6/netfilter/ip6_tables.c                |    1 +
 net/netfilter/nf_sockopt.c                     |   36 +++++++----------------
 8 files changed, 22 insertions(+), 35 deletions(-)

Neil Horman (1):
      [NETFILTER]: Fix/improve deadlock condition on module removal netfilter

Patrick McHardy (1):
      [NETFILTER]: nf_conntrack_ipv4: fix "Frag of proto ..." messages

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes, adding missing IPv6 module aliases
to a few matches and targets and fixing TCP conntrack connection
reopening. I'll also push the conntrack patch to -stable once it
hits upstream.

Please apply. thanks.


 net/netfilter/nf_conntrack_proto_tcp.c |   35 ++++++++++++-------------------
 net/netfilter/xt_CLASSIFY.c            |    1 +
 net/netfilter/xt_CONNMARK.c            |    1 +
 net/netfilter/xt_NOTRACK.c             |    1 +
 net/netfilter/xt_connbytes.c           |    1 +
 net/netfilter/xt_connmark.c            |    1 +
 net/netfilter/xt_dccp.c                |    1 +
 net/netfilter/xt_sctp.c                |    1 +
 net/netfilter/xt_tcpmss.c              |    1 +
 9 files changed, 22 insertions(+), 21 deletions(-)

Jan Engelhardt (1):
      [NETFILTER]: x_tables: add missing ip6t_modulename aliases

Jozsef Kadlecsik (1):
      [NETFILTER]: nf_conntrack_tcp: fix connection reopening

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these two patches contain a follow-up fix to the TCP conntrack connection
reopening problem and a fix for the sctp match, which uses ARRAY_SIZE on
a pointer instead of an array.

Please apply, thanks.


 include/linux/netfilter/xt_sctp.h      |   13 +++++--------
 net/netfilter/nf_conntrack_proto_tcp.c |   11 +++++++----
 net/netfilter/xt_sctp.c                |   18 ++++++++----------
 3 files changed, 20 insertions(+), 22 deletions(-)

Jozsef Kadlecsik (1):
      [NETFILTER]: nf_conntrack_tcp: fix connection reopening fix

Li Zefan (1):
      [NETFILTER]: xt_sctp: fix mistake to pass a pointer where array is required

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these two patches fix a missing bit on conntrack entries with master
connections created through ctnetlink and some brokeness in the
iptables compat code, causing it to use pointers dumped to userspace
and copied back again to the kernel without any checks for validity.

Pleasy apply, thanks.


 net/ipv4/netfilter/ip_tables.c       |   57 +++++++--------------------------
 net/netfilter/nf_conntrack_netlink.c |    4 ++-
 net/netfilter/x_tables.c             |    8 +++-
 3 files changed, 21 insertions(+), 48 deletions(-)

Pablo Neira Ayuso (1):
      [NETFILTER]: ctnetlink: set expected bit for related conntracks

Patrick McHardy (1):
      [NETFILTER]: ip_tables: fix compat copy race