[00/05]: Netfilter fixes for 2.6.16

[00/05]: Netfilter fixes for 2.6.16

[Patrick McHardy]

Hi Dave,

following are my pending netfilter fixes (without the IPsec fixes which
I sent seperately) for 2.6.16. Please apply.


 
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    5 -----
 net/ipv6/icmp.c                                |    6 ++++++
 net/ipv6/netfilter/ip6t_REJECT.c               |    2 ++
 net/netfilter/Kconfig                          |    6 +++---
 net/netfilter/nf_conntrack_core.c              |    5 +++++
 net/netfilter/nf_conntrack_proto_tcp.c         |    4 +++-
 net/netfilter/nf_conntrack_proto_udp.c         |    4 +++-
 7 files changed, 22 insertions(+), 10 deletions(-)

Yasuyuki Kozakai:
      [NETFILTER]: x_tables: fix dependencies of conntrack related modules
      [NETFILTER]: nf_conntrack: move registration of __nf_ct_attach
      [NETFILTER]: attach conntrack to TCP RST generated by ip6t_REJECT
      [NETFILTER]: attach conntrack to locally generated ICMPv6 error
      [NETFILTER]: nf_conntrack: Fix TCP/UDP HW checksum handling for IPv6 packet

[NETFILTER 01/05]: x_tables: fix dependencies of conntrack related modules

[Patrick McHardy]

[NETFILTER]: x_tables: fix dependencies of conntrack related modules

NF_CONNTRACK_MARK is bool and depends on NF_CONNTRACK which is tristate.
If a variable depends on NF_CONNTRACK_MARK and doesn't take care about
NF_CONNTRACK, it can be y even if NF_CONNTRACK isn't y.
NF_CT_ACCT have same issue, too.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 1a99739a0044eae74cc17a6ae168bb30b49932d8
tree e307cf1590b62e3f5ee9eb5607fe6e262069c3d6
parent ee68cea2c26b7a8222f9020f54d22c6067011e8b
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Wed, 15 Feb 2006 10:52:02 +0100
committer Patrick McHardy <kaber@trash.net> Wed, 15 Feb 2006 10:52:02 +0100

 net/netfilter/Kconfig |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0e55012..a8e5544 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -126,7 +126,7 @@ config NETFILTER_XT_TARGET_CONNMARK
 	tristate  '"CONNMARK" target support'
 	depends on NETFILTER_XTABLES
 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
-	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
+	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
 	help
 	  This option adds a `CONNMARK' target, which allows one to manipulate
 	  the connection mark value.  Similar to the MARK target, but
@@ -187,7 +187,7 @@ config NETFILTER_XT_MATCH_COMMENT
 config NETFILTER_XT_MATCH_CONNBYTES
 	tristate  '"connbytes" per-connection counter match support'
 	depends on NETFILTER_XTABLES
-	depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || NF_CT_ACCT
+	depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
 	help
 	  This option adds a `connbytes' match, which allows you to match the
 	  number of bytes and/or packets for each direction within a connection.
@@ -198,7 +198,7 @@ config NETFILTER_XT_MATCH_CONNBYTES
 config NETFILTER_XT_MATCH_CONNMARK
 	tristate  '"connmark" connection mark match support'
 	depends on NETFILTER_XTABLES
-	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || NF_CONNTRACK_MARK
+	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
 	help
 	  This option adds a `connmark' match, which allows you to match the
 	  connection mark value previously set for the session by `CONNMARK'. 

[NETFILTER 02/05]: nf_conntrack: move registration of __nf_ct_attach

[Patrick McHardy]

[NETFILTER]: nf_conntrack: move registration of __nf_ct_attach

Move registration of __nf_ct_attach to nf_conntrack_core to make it usable
for IPv6 connection tracking as well.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit cb4fe8d7dc75acc6aa0f3ac21b286a3e2f8bc492
tree 1e24f1628e341fa43c4972f347ab54aee1196aa1
parent 1a99739a0044eae74cc17a6ae168bb30b49932d8
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Wed, 15 Feb 2006 11:01:49 +0100
committer Patrick McHardy <kaber@trash.net> Wed, 15 Feb 2006 11:01:49 +0100

 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    5 -----
 net/netfilter/nf_conntrack_core.c              |    5 +++++
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 167619f..6c8624a 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -529,15 +529,10 @@ static int init_or_cleanup(int init)
 		goto cleanup_localinops;
 	}
 #endif
-
-	/* For use by REJECT target */
-	ip_ct_attach = __nf_conntrack_attach;
-
 	return ret;
 
  cleanup:
 	synchronize_net();
-	ip_ct_attach = NULL;
 #ifdef CONFIG_SYSCTL
  	unregister_sysctl_table(nf_ct_ipv4_sysctl_header);
  cleanup_localinops:
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 0ce337a..d622ddf 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1556,6 +1556,8 @@ void nf_conntrack_cleanup(void)
 {
 	int i;
 
+	ip_ct_attach = NULL;
+
 	/* This makes sure all current packets have passed through
 	   netfilter framework.  Roll on, two-stage module
 	   delete... */
@@ -1715,6 +1717,9 @@ int __init nf_conntrack_init(void)
 		nf_ct_l3protos[i] = &nf_conntrack_generic_l3proto;
         write_unlock_bh(&nf_conntrack_lock);
 
+	/* For use by REJECT target */
+	ip_ct_attach = __nf_conntrack_attach;
+
 	/* Set up fake conntrack:
 	    - to never be deleted, not in any hashes */
 	atomic_set(&nf_conntrack_untracked.ct_general.use, 1);

[NETFILTER 03/05]: nf_conntrack: attach conntrack to TCP RST generated by ip6t_REJECT

[Patrick McHardy]

[NETFILTER]: nf_conntrack: attach conntrack to TCP RST generated by ip6t_REJECT

TCP RSTs generated by the REJECT target should be associated with the
conntrack of the original TCP packet. Since the conntrack entry is
usually not is the hash tables, it must be manually attached.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 257b70114334c5cee6f8b1f4789f49cc570fac45
tree 04960622d91d8961e323ac0788d4bff4b602bfab
parent cb4fe8d7dc75acc6aa0f3ac21b286a3e2f8bc492
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Wed, 15 Feb 2006 11:05:49 +0100
committer Patrick McHardy <kaber@trash.net> Wed, 15 Feb 2006 11:05:49 +0100

 net/ipv6/netfilter/ip6t_REJECT.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index c745717..0e6d1d4 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -160,6 +160,8 @@ static void send_reset(struct sk_buff *o
 				      csum_partial((char *)tcph,
 						   sizeof(struct tcphdr), 0));
 
+	nf_ct_attach(nskb, oldskb);
+
 	NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
 		dst_output);
 }

[NETFILTER 04/05]: nf_conntrack: attach conntrack to locally generated ICMPv6 error

[Patrick McHardy]

[NETFILTER]: nf_conntrack: attach conntrack to locally generated ICMPv6 error

Locally generated ICMPv6 errors should be associated with the conntrack
of the original packet. Since the conntrack entry may not be in the hash
tables (for the first packet), it must be manually attached.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit a01ef7ba3866e0c920f804f153166f162bcb2a1f
tree 8a164639758c51e7f41453ed1736a49e0456becc
parent 257b70114334c5cee6f8b1f4789f49cc570fac45
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Wed, 15 Feb 2006 11:08:54 +0100
committer Patrick McHardy <kaber@trash.net> Wed, 15 Feb 2006 11:08:54 +0100

 net/ipv6/icmp.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index fcf8831..21eb725 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -42,6 +42,7 @@
 #include <linux/net.h>
 #include <linux/skbuff.h>
 #include <linux/init.h>
+#include <linux/netfilter.h>
 
 #ifdef CONFIG_SYSCTL
 #include <linux/sysctl.h>
@@ -255,6 +256,7 @@ out:
 struct icmpv6_msg {
 	struct sk_buff	*skb;
 	int		offset;
+	uint8_t		type;
 };
 
 static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
@@ -266,6 +268,8 @@ static int icmpv6_getfrag(void *from, ch
 	csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
 				      to, len, csum);
 	skb->csum = csum_block_add(skb->csum, csum, odd);
+	if (!(msg->type & ICMPV6_INFOMSG_MASK))
+		nf_ct_attach(skb, org_skb);
 	return 0;
 }
 
@@ -403,6 +407,7 @@ void icmpv6_send(struct sk_buff *skb, in
 
 	msg.skb = skb;
 	msg.offset = skb->nh.raw - skb->data;
+	msg.type = type;
 
 	len = skb->len - msg.offset;
 	len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) -sizeof(struct icmp6hdr));
@@ -500,6 +505,7 @@ static void icmpv6_echo_reply(struct sk_
 
 	msg.skb = skb;
 	msg.offset = 0;
+	msg.type = ICMPV6_ECHO_REPLY;
 
 	err = ip6_append_data(sk, icmpv6_getfrag, &msg, skb->len + sizeof(struct icmp6hdr),
 				sizeof(struct icmp6hdr), hlimit, tclass, NULL, &fl,

[NETFILTER 05/05]: nf_conntrack: Fix TCP/UDP HW checksum handling for IPv6 packet

[Patrick McHardy]

[NETFILTER]: nf_conntrack: Fix TCP/UDP HW checksum handling for IPv6 packet

If skb->ip_summed is CHECKSUM_HW here, skb->csum includes checksum
of actual IPv6 header and extension headers. Then such excess
checksum must be subtruct when nf_conntrack calculates TCP/UDP checksum
with pseudo IPv6 header. Spotted by Ben Skeggs.

Signeded-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signeded-off-by: Patrick McHardy <kaber@trash.net>

---
commit ede836cd3164896d741dff1a8d7c1dc0b9b1fdf6
tree a2503b7297d25266e6d06a7f17ce5b7e740fd42a
parent a01ef7ba3866e0c920f804f153166f162bcb2a1f
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Wed, 15 Feb 2006 11:13:55 +0100
committer Patrick McHardy <kaber@trash.net> Wed, 15 Feb 2006 11:13:55 +0100

 net/netfilter/nf_conntrack_proto_tcp.c |    4 +++-
 net/netfilter/nf_conntrack_proto_udp.c |    4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index df99138..6492ed6 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -864,7 +864,9 @@ static int csum6(const struct sk_buff *s
 {
 	return csum_ipv6_magic(&skb->nh.ipv6h->saddr, &skb->nh.ipv6h->daddr,
 			       skb->len - dataoff, IPPROTO_TCP,
-			       skb->ip_summed == CHECKSUM_HW ? skb->csum
+			       skb->ip_summed == CHECKSUM_HW
+			       ? csum_sub(skb->csum,
+					  skb_checksum(skb, 0, dataoff, 0))
 			       : skb_checksum(skb, dataoff, skb->len - dataoff,
 					      0));
 }
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 4264dd0..831d206 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -161,7 +161,9 @@ static int csum6(const struct sk_buff *s
 {
 	return csum_ipv6_magic(&skb->nh.ipv6h->saddr, &skb->nh.ipv6h->daddr,
 			       skb->len - dataoff, IPPROTO_UDP,
-			       skb->ip_summed == CHECKSUM_HW ? skb->csum
+			       skb->ip_summed == CHECKSUM_HW
+			       ? csum_sub(skb->csum,
+					  skb_checksum(skb, 0, dataoff, 0))
 			       : skb_checksum(skb, dataoff, skb->len - dataoff,
 					      0));
 }

Re: [NETFILTER 01/05]: x_tables: fix dependencies of conntrack related modules

[David S. Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Feb 2006 00:00:28 +0100 (MET)

> [NETFILTER]: x_tables: fix dependencies of conntrack related modules
> 
> NF_CONNTRACK_MARK is bool and depends on NF_CONNTRACK which is tristate.
> If a variable depends on NF_CONNTRACK_MARK and doesn't take care about
> NF_CONNTRACK, it can be y even if NF_CONNTRACK isn't y.
> NF_CT_ACCT have same issue, too.
> 
> Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied, thanks.

Re: [NETFILTER 02/05]: nf_conntrack: move registration of __nf_ct_attach

[David S. Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Feb 2006 00:00:29 +0100 (MET)

> [NETFILTER]: nf_conntrack: move registration of __nf_ct_attach
> 
> Move registration of __nf_ct_attach to nf_conntrack_core to make it usable
> for IPv6 connection tracking as well.
> 
> Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

Re: [NETFILTER 03/05]: nf_conntrack: attach conntrack to TCP RST generated by ip6t_REJECT

[David S. Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Feb 2006 00:00:31 +0100 (MET)

> [NETFILTER]: nf_conntrack: attach conntrack to TCP RST generated by ip6t_REJECT
> 
> TCP RSTs generated by the REJECT target should be associated with the
> conntrack of the original TCP packet. Since the conntrack entry is
> usually not is the hash tables, it must be manually attached.
> 
> Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied.

Does the ipv4 REJECT target do this too?

Re: [NETFILTER 04/05]: nf_conntrack: attach conntrack to locally generated ICMPv6 error

[David S. Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Feb 2006 00:00:32 +0100 (MET)

> [NETFILTER]: nf_conntrack: attach conntrack to locally generated ICMPv6 error
> 
> Locally generated ICMPv6 errors should be associated with the conntrack
> of the original packet. Since the conntrack entry may not be in the hash
> tables (for the first packet), it must be manually attached.
> 
> Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
> Signed-off-by: Patrick McHardy <kaber@trash.net>

Applied, thanks.

Re: [NETFILTER 05/05]: nf_conntrack: Fix TCP/UDP HW checksum handling for IPv6 packet

[David S. Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Feb 2006 00:00:33 +0100 (MET)

> [NETFILTER]: nf_conntrack: Fix TCP/UDP HW checksum handling for IPv6 packet
> 
> If skb->ip_summed is CHECKSUM_HW here, skb->csum includes checksum
> of actual IPv6 header and extension headers. Then such excess
> checksum must be subtruct when nf_conntrack calculates TCP/UDP checksum
> with pseudo IPv6 header. Spotted by Ben Skeggs.
> 
> Signeded-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
> Signeded-off-by: Patrick McHardy <kaber@trash.net>

Goot catch.

Applied, thanks.

Re: [NETFILTER 03/05]: nf_conntrack: attach conntrack to TCP RST generated by ip6t_REJECT

[Patrick McHardy]

David S. Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Thu, 16 Feb 2006 00:00:31 +0100 (MET)
> 
> 
>>[NETFILTER]: nf_conntrack: attach conntrack to TCP RST generated by ip6t_REJECT
>>
>>TCP RSTs generated by the REJECT target should be associated with the
>>conntrack of the original TCP packet. Since the conntrack entry is
>>usually not is the hash tables, it must be manually attached.
>>
> 
> Applied.
> 
> Does the ipv4 REJECT target do this too?
> 

Yes, IPv4 does the same for both TCP RSTs and ICMP errors.