* [NETFILTER -stable 01/02]: bridge: fix double POST_ROUTING invocation
@ 2008-01-29 18:08 Patrick McHardy
2008-02-06 23:28 ` patch netfilter-bridge-fix-double-post_routing-invocation.patch queued to -stable tree gregkh
0 siblings, 1 reply; 2+ messages in thread
From: Patrick McHardy @ 2008-01-29 18:08 UTC (permalink / raw)
To: stable; +Cc: David S. Miller, Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 285 bytes --]
These two patches for stable-2.6.23 fix two problems with the
bridge netfilter code, a double POST_ROUTING hook invocation
with routing between two bridge devices, which breaks NAT,
and some net_device refcount leaks when queueing bridged
packets to userspace.
Please apply, thanks.
[-- Attachment #2: 01.diff --]
[-- Type: text/x-patch, Size: 2706 bytes --]
commit 42265d7441145c4310926c1dcce339e5bd82b601
Author: Patrick McHardy <kaber@trash.net>
Date: Tue Jan 29 19:02:30 2008 +0100
[NETFILTER]: bridge: fix double POST_ROUTING invocation
Upstream commit 2948d2ebbb98747b912ac6d0c864b4d02be8a6f5
The bridge code incorrectly causes two POST_ROUTING hook invocations
for DNATed packets that end up on the same bridge device. This
happens because packets with a changed destination address are passed
to dst_output() to make them go through the neighbour output function
again to build a new destination MAC address, before they will continue
through the IP hooks simulated by bridge netfilter.
The resulting hook order is:
PREROUTING (bridge netfilter)
POSTROUTING (dst_output -> ip_output)
FORWARD (bridge netfilter)
POSTROUTING (bridge netfilter)
The deferred hooks used to abort the first POST_ROUTING invocation,
but since the only thing bridge netfilter actually really wants is
a new MAC address, we can avoid going through the IP stack completely
by simply calling the neighbour output function directly.
Tested, reported and lots of data provided by: Damien Thebault <damien.thebault@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index fc13130..ce48d8c 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -247,8 +247,9 @@ static void __br_dnat_complain(void)
* Let us first consider the case that ip_route_input() succeeds:
*
* If skb->dst->dev equals the logical bridge device the packet
- * came in on, we can consider this bridging. We then call
- * skb->dst->output() which will make the packet enter br_nf_local_out()
+ * came in on, we can consider this bridging. The packet is passed
+ * through the neighbour output function to build a new destination
+ * MAC address, which will make the packet enter br_nf_local_out()
* not much later. In that function it is assured that the iptables
* FORWARD chain is traversed for the packet.
*
@@ -285,12 +286,17 @@ static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
skb->dev = bridge_parent(skb->dev);
- if (!skb->dev)
- kfree_skb(skb);
- else {
+ if (skb->dev) {
+ struct dst_entry *dst = skb->dst;
+
nf_bridge_pull_encap_header(skb);
- skb->dst->output(skb);
+
+ if (dst->hh)
+ return neigh_hh_output(dst->hh, skb);
+ else if (dst->neighbour)
+ return dst->neighbour->output(skb);
}
+ kfree_skb(skb);
return 0;
}
^ permalink raw reply related [flat|nested] 2+ messages in thread* patch netfilter-bridge-fix-double-post_routing-invocation.patch queued to -stable tree
2008-01-29 18:08 [NETFILTER -stable 01/02]: bridge: fix double POST_ROUTING invocation Patrick McHardy
@ 2008-02-06 23:28 ` gregkh
0 siblings, 0 replies; 2+ messages in thread
From: gregkh @ 2008-02-06 23:28 UTC (permalink / raw)
To: kaber, damien.thebault, davem, gregkh, netfilter-devel
Cc: stable, stable-commits
This is a note to let you know that we have just queued up the patch titled
Subject: Netfilter: bridge: fix double POST_ROUTING invocation
to the 2.6.23-stable tree. Its filename is
netfilter-bridge-fix-double-post_routing-invocation.patch
A git repo of this tree can be found at
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>From stable-bounces@linux.kernel.org Tue Jan 29 10:08:57 2008
From: Patrick McHardy <kaber@trash.net>
Date: Tue, 29 Jan 2008 19:08:25 +0100
Subject: Netfilter: bridge: fix double POST_ROUTING invocation
To: stable@kernel.org
Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>, "David S. Miller" <davem@davemloft.net>
Message-ID: <479F6B99.60005@trash.net>
From: Patrick McHardy <kaber@trash.net>
[NETFILTER]: bridge: fix double POST_ROUTING invocation
Upstream commit 2948d2ebbb98747b912ac6d0c864b4d02be8a6f5
The bridge code incorrectly causes two POST_ROUTING hook invocations
for DNATed packets that end up on the same bridge device. This
happens because packets with a changed destination address are passed
to dst_output() to make them go through the neighbour output function
again to build a new destination MAC address, before they will continue
through the IP hooks simulated by bridge netfilter.
The resulting hook order is:
PREROUTING (bridge netfilter)
POSTROUTING (dst_output -> ip_output)
FORWARD (bridge netfilter)
POSTROUTING (bridge netfilter)
The deferred hooks used to abort the first POST_ROUTING invocation,
but since the only thing bridge netfilter actually really wants is
a new MAC address, we can avoid going through the IP stack completely
by simply calling the neighbour output function directly.
Tested, reported and lots of data provided by: Damien Thebault <damien.thebault@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/bridge/br_netfilter.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -247,8 +247,9 @@ static void __br_dnat_complain(void)
* Let us first consider the case that ip_route_input() succeeds:
*
* If skb->dst->dev equals the logical bridge device the packet
- * came in on, we can consider this bridging. We then call
- * skb->dst->output() which will make the packet enter br_nf_local_out()
+ * came in on, we can consider this bridging. The packet is passed
+ * through the neighbour output function to build a new destination
+ * MAC address, which will make the packet enter br_nf_local_out()
* not much later. In that function it is assured that the iptables
* FORWARD chain is traversed for the packet.
*
@@ -285,12 +286,17 @@ static int br_nf_pre_routing_finish_brid
skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
skb->dev = bridge_parent(skb->dev);
- if (!skb->dev)
- kfree_skb(skb);
- else {
+ if (skb->dev) {
+ struct dst_entry *dst = skb->dst;
+
nf_bridge_pull_encap_header(skb);
- skb->dst->output(skb);
+
+ if (dst->hh)
+ return neigh_hh_output(dst->hh, skb);
+ else if (dst->neighbour)
+ return dst->neighbour->output(skb);
}
+ kfree_skb(skb);
return 0;
}
Patches currently in stable-queue which might be from kaber@trash.net are
queue-2.6.23/netfilter-bridge-fix-double-post_routing-invocation.patch
queue-2.6.23/netfilter-bridge-netfilter-fix-net_device-refcnt-leaks.patch
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2008-02-06 23:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-01-29 18:08 [NETFILTER -stable 01/02]: bridge: fix double POST_ROUTING invocation Patrick McHardy
2008-02-06 23:28 ` patch netfilter-bridge-fix-double-post_routing-invocation.patch queued to -stable tree gregkh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.