[PATCH 0/4] netfilter fixes
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem; Cc: netfilter-devel, netdev

Hi Dave,

following are four netfilter fixes for 2.6.34, fixing:

- a regression in the recent match, introduced during 2.6.33
- a crash after a failed memory allocation in xt_hashlimit seq_file handling
- an incorrect hook priority of the IPv6 raw table
- a missing 'break' in the IPv6 xt_hashlimit netmask calculation

 include/linux/netfilter_ipv6.h    | 1 +
 net/ipv6/netfilter/ip6table_raw.c | 2 +-
 net/netfilter/xt_hashlimit.c      | 4 +++-
 net/netfilter/xt_recent.c         | 2 +-
 4 files changed, 6 insertions(+), 3 deletions(-)

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!

PS: this is my first "live" attempt at using git-send-email, so apologies in advance in case I made any mistakes.
[PATCH 1/4] netfilter: xt_recent: fix regression in rules using a zero hit_count
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem; Cc: netfilter-devel, netdev

From: Patrick McHardy <kaber@trash.net>

Commit 8ccb92ad (netfilter: xt_recent: fix false match) fixed supposedly false matches in rules using a zero hit_count. As it turns out there is nothing false about these matches and people are actually using entries with a hit_count of zero to make rules dependent on addresses inserted manually through /proc.

Since this slipped past the eyes of three reviewers, instead of reverting the commit in question, this patch explicitly checks for a hit_count of zero to make the intentions more clear.

Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Tested-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/xt_recent.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c index 7073dbb..971d172 100644 --- a/net/netfilter/xt_recent.c +++ b/net/netfilter/xt_recent.c @@ -267,7 +267,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par) for (i = 0; i < e->nstamps; i++) { if (info->seconds && time_after(time, e->stamps[i])) continue; - if (info->hit_count && ++hits >= info->hit_count) { + if (!info->hit_count || ++hits >= info->hit_count) { ret = !ret; break; } -- 1.6.5.7
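Review bot: with hit_count == 0 the new condition `!info->hit_count || ++hits >= info->hit_count` short-circuits on the first stamp that survives the `info->seconds` check, so `hits` is never incremented and the entry matches as soon as it carries any (fresh enough) stamp; that is exactly the "address is present in the list" semantic the description says users depend on. Since this one line has now been misread by the author of 8ccb92ad and three reviewers, a one-line comment above it ("hit_count == 0: match on presence, ignore the counter") would stop the next well-meaning "fix", and the stable backport should carry that comment as well.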
[PATCH 2/4] netfilter: xt_hashlimit: dl_seq_stop() fix
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem; Cc: netfilter-devel, netdev

From: Eric Dumazet <eric.dumazet@gmail.com>

If dl_seq_start() memory allocation fails, we crash later in dl_seq_stop(), trying to kfree(ERR_PTR(-ENOMEM))

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/xt_hashlimit.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 9e9c489..70d561a 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -879,7 +879,8 @@ static void dl_seq_stop(struct seq_file *s, void *v) struct xt_hashlimit_htable *htable = s->private; unsigned int *bucket = (unsigned int *)v; - kfree(bucket); + if (!IS_ERR(bucket)) + kfree(bucket); spin_unlock_bh(&htable->lock); } -- 1.6.5.7
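Review bot: the `IS_ERR()` guard before `kfree(bucket)` is the right fix for the seq_file contract (the core calls ->stop() with whatever pointer ->start() returned, error pointers included), but it is only complete if dl_seq_start() returns ERR_PTR(-ENOMEM) after it has taken `htable->lock`, because the `spin_unlock_bh(&htable->lock)` two lines below still runs unconditionally on the error path. Please state that lock/allocation ordering in the description or in a comment in dl_seq_start(), so a later reordering of the allocation does not turn this into an unbalanced unlock. `kfree(NULL)` is already safe, so no extra NULL check is needed here.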
[PATCH 3/4] netfilter: ip6table_raw: fix table priority
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem; Cc: netfilter-devel, netdev

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

The order of the IPv6 raw table is currently reversed, which makes it impossible to use the NOTRACK target in IPv6: for example if someone enters

ip6tables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

and if we receive fragmented packets then the first fragment will be untracked and thus skip nf_ct_frag6_gather (and conntrack), while all subsequent fragments enter nf_ct_frag6_gather and reassembly will never successfully be finished.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 include/linux/netfilter_ipv6.h    | 1 +
 net/ipv6/netfilter/ip6table_raw.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h index d654873..1f7e300 100644 --- a/include/linux/netfilter_ipv6.h +++ b/include/linux/netfilter_ipv6.h @@ -59,6 +59,7 @@ enum nf_ip6_hook_priorities { NF_IP6_PRI_FIRST = INT_MIN, NF_IP6_PRI_CONNTRACK_DEFRAG = -400, + NF_IP6_PRI_RAW = -300, NF_IP6_PRI_SELINUX_FIRST = -225, NF_IP6_PRI_CONNTRACK = -200, NF_IP6_PRI_MANGLE = -150, diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index aef31a2..b9cf7cd 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -13,7 +13,7 @@ static const struct xt_table packet_raw = { .valid_hooks = RAW_VALID_HOOKS, .me = THIS_MODULE, .af = NFPROTO_IPV6, - .priority = NF_IP6_PRI_FIRST, + .priority = NF_IP6_PRI_RAW, }; /* The work comes in here from netfilter.c. */ -- 1.6.5.7
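Review bot: on the netfilter_ipv6.h hunk, `NF_IP6_PRI_RAW = -300` lands between `NF_IP6_PRI_CONNTRACK_DEFRAG` (-400) and `NF_IP6_PRI_CONNTRACK` (-200), which is precisely the ordering the description needs: the raw table now runs after IPv6 defragmentation and before conntrack, so a NOTRACK rule sees the reassembled datagram instead of only its first fragment. The value also matches the IPv4 `NF_IP_PRI_RAW` (-300), keeping both families consistent. A short comment on the new enum entry noting that raw must stay after CONNTRACK_DEFRAG would record that requirement for whoever next reorders these priorities.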
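Review bot: on the ip6table_raw.c hunk, changing `.priority` from `NF_IP6_PRI_FIRST` to `NF_IP6_PRI_RAW` is a user-visible behaviour change beyond NOTRACK: every existing ip6tables raw rule now evaluates against reassembled packets (after nf_ct_frag6_gather) rather than individual fragments, so for instance the `--dport 80` match in the example applies to the whole datagram. The description explains why that is required but should say this consequence explicitly, and since NOTRACK on fragmented IPv6 traffic is broken in released kernels, a `Cc: stable@kernel.org` tag as used in 1/4 looks warranted.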
[PATCH 4/4] netfilter: xt_hashlimit: IPV6 bugfix
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem; Cc: netfilter-devel, netdev

From: Eric Dumazet <eric.dumazet@gmail.com>

A missing break statement in hashlimit_ipv6_mask(), and masks between /64 and /95 are not working at all...

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/xt_hashlimit.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 70d561a..215a648 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -493,6 +493,7 @@ static void hashlimit_ipv6_mask(__be32 *i, unsigned int p) case 64 ... 95: i[2] = maskl(i[2], p - 64); i[3] = 0; + break; case 96 ... 127: i[3] = maskl(i[3], p - 96); break; -- 1.6.5.7
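Review bot: the missing `break` let `case 64 ... 95` fall through into `case 96 ... 127`, so after correctly masking `i[2]` and zeroing `i[3]` the function went on to evaluate `maskl(i[3], p - 96)` with `p < 96`, where the unsigned `p - 96` wraps around; the added `break` removes that path and is the whole fix. Two follow-ups: the description should say that the bug affects every released kernel with this switch and carry `Cc: stable@kernel.org` as 1/4 does, and a small self-test of hashlimit_ipv6_mask() at the range boundaries (63, 64, 95, 96, 127, 128) would have caught the fall-through and will catch the next off-by-one in these `...` case ranges.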
[PATCH] netfilter: CLUSTERIP: clusterip_seq_stop() fix
From: Eric Dumazet
Date: 2010-03-25 19:47 UTC
To: Patrick McHardy; Cc: netfilter-devel, netdev, David Miller

If clusterip_seq_start() memory allocation fails, we crash later in clusterip_seq_start(), trying to kfree(ERR_PTR(-ENOMEM))

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 0886f96..afa937b 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -600,7 +600,8 @@ static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos) static void clusterip_seq_stop(struct seq_file *s, void *v) { - kfree(v); + if (!IS_ERR(v)) + kfree(v); } static int clusterip_seq_show(struct seq_file *s, void *v)
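Review bot: the hunk guards `kfree(v)` in clusterip_seq_stop(), but the description says the crash happens in clusterip_seq_start(); it should name clusterip_seq_stop(), matching both the subject line and the wording of the dl_seq_stop() fix in 2/4. The guard itself is correct: seq_file hands ->stop() the pointer that ->start() returned, including an ERR_PTR(-ENOMEM), and unlike dl_seq_stop() there is no lock to release here, so the early-out path needs nothing further.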
Re: [PATCH] netfilter: CLUSTERIP: clusterip_seq_stop() fix
From: Patrick McHardy
Date: 2010-04-01 10:54 UTC
To: Eric Dumazet; Cc: netfilter-devel, netdev, David Miller

Eric Dumazet wrote:
> If clusterip_seq_start() memory allocation fails, we crash later in
> clusterip_seq_start(), trying to kfree(ERR_PTR(-ENOMEM))

Applied, thanks Eric.
Re: [PATCH 0/4] netfilter fixes
From: David Miller
Date: 2010-03-25 18:49 UTC
To: kaber; Cc: netfilter-devel, netdev

From: kaber@trash.net
Date: Thu, 25 Mar 2010 18:54:42 +0100

> Please apply or pull from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks a lot Patrick.