netfilter 00/03: netfilter -stable fixes

netfilter 00/03: netfilter -stable fixes

[Patrick McHardy]

The following three patches for -stable fix some netfilter issues:

- a regression in the iprange match, causing mismatches with inversion
- a memory leak in the SNMP NAT helper
- a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
  (and some minor runtime misbehaviour)

Please apply, thanks.


 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    2 ++
 net/ipv4/netfilter/nf_nat_snmp_basic.c         |    1 +
 net/netfilter/xt_iprange.c                     |    8 ++++----
 3 files changed, 7 insertions(+), 4 deletions(-)

Patrick McHardy (3):
      netfilter: xt_iprange: fix range inversion match
      netfilter: snmp nat leaks memory in case of failure
      netfilter: restore lost #ifdef guarding defrag exception

netfilter 01/03: xt_iprange: fix range inversion match

[Patrick McHardy]

commit 3e533fa616520e6b068bc0b284fe801f05719e07
Author: Patrick McHardy <kaber@trash.net>
Date:   Wed Oct 22 19:34:06 2008 +0200

    netfilter: xt_iprange: fix range inversion match
    
    Upstream commit 6def1eb48:
    
    Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1!
    
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Acked-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index c63e933..4b5741b 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -67,7 +67,7 @@ iprange_mt4(const struct sk_buff *skb, const struct net_device *in,
 	if (info->flags & IPRANGE_SRC) {
 		m  = ntohl(iph->saddr) < ntohl(info->src_min.ip);
 		m |= ntohl(iph->saddr) > ntohl(info->src_max.ip);
-		m ^= info->flags & IPRANGE_SRC_INV;
+		m ^= !!(info->flags & IPRANGE_SRC_INV);
 		if (m) {
 			pr_debug("src IP " NIPQUAD_FMT " NOT in range %s"
 			         NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
@@ -81,7 +81,7 @@ iprange_mt4(const struct sk_buff *skb, const struct net_device *in,
 	if (info->flags & IPRANGE_DST) {
 		m  = ntohl(iph->daddr) < ntohl(info->dst_min.ip);
 		m |= ntohl(iph->daddr) > ntohl(info->dst_max.ip);
-		m ^= info->flags & IPRANGE_DST_INV;
+		m ^= !!(info->flags & IPRANGE_DST_INV);
 		if (m) {
 			pr_debug("dst IP " NIPQUAD_FMT " NOT in range %s"
 			         NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
@@ -123,14 +123,14 @@ iprange_mt6(const struct sk_buff *skb, const struct net_device *in,
 	if (info->flags & IPRANGE_SRC) {
 		m  = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
 		m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
-		m ^= info->flags & IPRANGE_SRC_INV;
+		m ^= !!(info->flags & IPRANGE_SRC_INV);
 		if (m)
 			return false;
 	}
 	if (info->flags & IPRANGE_DST) {
 		m  = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
 		m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
-		m ^= info->flags & IPRANGE_DST_INV;
+		m ^= !!(info->flags & IPRANGE_DST_INV);
 		if (m)
 			return false;
 	}

netfilter 02/03: snmp nat leaks memory in case of failure

[Patrick McHardy]

commit 6339355779208471ab254e13f31aa0d3217ee6fd
Author: Patrick McHardy <kaber@trash.net>
Date:   Wed Oct 22 19:34:40 2008 +0200

    netfilter: snmp nat leaks memory in case of failure
    
    Upstream commit 311670f3e:
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index ffeaffc..8303e4b 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -742,6 +742,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
 			*obj = kmalloc(sizeof(struct snmp_object) + len,
 				       GFP_ATOMIC);
 			if (*obj == NULL) {
+				kfree(p);
 				kfree(id);
 				if (net_ratelimit())
 					printk("OOM in bsalg (%d)\n", __LINE__);
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

netfilter 03/03: restore lost ifdef guarding defrag exception

[Patrick McHardy]

commit 3f3fb9fddbcb725482679fe3552e3003494c2d85
Author: Patrick McHardy <kaber@trash.net>
Date:   Wed Oct 22 19:36:23 2008 +0200

    netfilter: restore lost #ifdef guarding defrag exception
    
    Upstream commit 38f7ac3eb:
    
    Nir Tzachar <nir.tzachar@gmail.com> reported a warning when sending
    fragments over loopback with NAT:
    
    [ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155()
    
    The reason is that defragmentation is skipped for already tracked connections.
    This is wrong in combination with NAT and ip_conntrack actually had some ifdefs
    to avoid this behaviour when NAT is compiled in.
    
    The entire "optimization" may seem a bit silly, for now simply restoring the
    lost #ifdef is the easiest solution until we can come up with something better.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 5a955c4..7eb0b61 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -150,10 +150,12 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
 					  const struct net_device *out,
 					  int (*okfn)(struct sk_buff *))
 {
+#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
 	/* Previously seen (loopback)?  Ignore.  Do this before
 	   fragment check. */
 	if (skb->nfct)
 		return NF_ACCEPT;
+#endif
 
 	/* Gather fragments. */
 	if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {

Re: netfilter 00/03: netfilter -stable fixes

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 455 bytes --]



On Wed, 22 Oct 2008, Patrick McHardy wrote:

> The following three patches for -stable fix some netfilter issues:
>
> - a regression in the iprange match, causing mismatches with inversion
> - a memory leak in the SNMP NAT helper
> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>  (and some minor runtime misbehaviour)

Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?

Best regards,

 			Krzysztof Olędzki

Re: netfilter 00/03: netfilter -stable fixes

[Patrick McHardy]

Krzysztof Oledzki wrote:
> On Wed, 22 Oct 2008, Patrick McHardy wrote:
> 
>> The following three patches for -stable fix some netfilter issues:
>>
>> - a regression in the iprange match, causing mismatches with inversion
>> - a memory leak in the SNMP NAT helper
>> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>>  (and some minor runtime misbehaviour)
> 
> Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?

I think all three patches are also needed for 2.6.25 and 2.6.26.

Re: netfilter 00/03: netfilter -stable fixes

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 728 bytes --]



On Fri, 24 Oct 2008, Patrick McHardy wrote:

> Krzysztof Oledzki wrote:
>> On Wed, 22 Oct 2008, Patrick McHardy wrote:
>> 
>>> The following three patches for -stable fix some netfilter issues:
>>> 
>>> - a regression in the iprange match, causing mismatches with inversion
>>> - a memory leak in the SNMP NAT helper
>>> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>>>  (and some minor runtime misbehaviour)
>> 
>> Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?
>
> I think all three patches are also needed for 2.6.25 and 2.6.26.

Thank you for the confirmation.

Greg, could you please put above patches info queue-2.6.25/queue-2.6.26?

Best regards,

 			Krzysztof Olędzki

Re: netfilter 00/03: netfilter -stable fixes

[Greg KH]

On Tue, Oct 28, 2008 at 03:13:32AM +0100, Krzysztof Oledzki wrote:
>
>
> On Fri, 24 Oct 2008, Patrick McHardy wrote:
>
>> Krzysztof Oledzki wrote:
>>> On Wed, 22 Oct 2008, Patrick McHardy wrote:
>>>> The following three patches for -stable fix some netfilter issues:
>>>> - a regression in the iprange match, causing mismatches with inversion
>>>> - a memory leak in the SNMP NAT helper
>>>> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>>>>  (and some minor runtime misbehaviour)
>>> Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?
>>
>> I think all three patches are also needed for 2.6.25 and 2.6.26.
>
> Thank you for the confirmation.
>
> Greg, could you please put above patches info queue-2.6.25/queue-2.6.26?

Will do, thanks.

greg k-h