netfilter 00/03: netfilter -stable fixes

netfilter 00/03: netfilter -stable fixes

[Patrick McHardy]

The following three patches for -stable fix a number of netfilter
regressions:

- revision lookup for x_tables matches and targets registering with
  the new NFPROTO_UNSPEC is broken, causing failures when using
  features not offered by revision 0. New regression in 2.6.28.

- ebtables interprets return values from matches in the inverted
  sense. New regression in 2.6.28.

- the conntrack timeout sysctls for ICMP/ICMPv6 are broken on big
  endian due to a mismatch between the data type size and the size
  registered with the sysctls. Seems to be a regression from the
  switch from ip_conntrack to nf_conntrack.

Please apply, thanks.


 net/bridge/netfilter/ebtables.c                |    2 +-
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |    2 +-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    2 +-
 net/netfilter/x_tables.c                       |    8 ++++++++
 4 files changed, 11 insertions(+), 3 deletions(-)

Patrick McHardy (3):
      netfilter: x_tables: fix match/target revision lookup
      netfilter: ebtables: fix inversion in match code
      netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian

netfilter 01/03: x_tables: fix match/target revision lookup

[Patrick McHardy]

commit 2a95ec76ab10585ce54a64300b9bf9b76f10269d
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Jan 19 15:10:50 2009 +0100

    netfilter: x_tables: fix match/target revision lookup
    
    Upstream commit 656caff:
    
    Commit 55b69e91 (netfilter: implement NFPROTO_UNSPEC as a wildcard
    for extensions) broke revision probing for matches and targets that
    are registered with NFPROTO_UNSPEC.
    
    Fix by continuing the search on the NFPROTO_UNSPEC list if nothing
    is found on the af-specific lists.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 89837a4..bfbf521 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -273,6 +273,10 @@ static int match_revfn(u8 af, const char *name, u8 revision, int *bestp)
 				have_rev = 1;
 		}
 	}
+
+	if (af != NFPROTO_UNSPEC && !have_rev)
+		return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+
 	return have_rev;
 }
 
@@ -289,6 +293,10 @@ static int target_revfn(u8 af, const char *name, u8 revision, int *bestp)
 				have_rev = 1;
 		}
 	}
+
+	if (af != NFPROTO_UNSPEC && !have_rev)
+		return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+
 	return have_rev;
 }
 

netfilter 02/03: ebtables: fix inversion in match code

[Patrick McHardy]

commit c4010504f06c2a6570599d26173e3917b0398410
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Jan 19 15:11:44 2009 +0100

    netfilter: ebtables: fix inversion in match code
    
    Upstream commit d61ba9f:
    
    Commit 8cc784ee (netfilter: change return types of match functions
    for ebtables extensions) broke ebtables matches by inverting the
    sense of match/nomatch.
    
    Reported-by: Matt Cross <matthltc@us.ibm.com>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 0fa208e..05f198d 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -80,7 +80,7 @@ static inline int ebt_do_match (struct ebt_entry_match *m,
 {
 	par->match     = m->u.match;
 	par->matchinfo = m->data;
-	return m->u.match->match(skb, par);
+	return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
 }
 
 static inline int ebt_dev_check(char *entry, const struct net_device *device)

netfilter 03/03: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian

[Patrick McHardy]

commit bc387c0ade1aed3bc450bef23313215a06e0592c
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Jan 19 15:13:28 2009 +0100

    netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian
    
    Upstream commit 71320af:
    
    An old bug crept back into the ICMP/ICMPv6 conntrack protocols: the timeout
    values are defined as unsigned longs, the sysctl's maxsize is set to
    sizeof(unsigned int). Use unsigned int for the timeout values as in the
    other conntrack protocols.
    
    Reported-by: Jean-Mickael Guerin <jean-mickael.guerin@6wind.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 4e88792..625707a 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -20,7 +20,7 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_log.h>
 
-static unsigned long nf_ct_icmp_timeout __read_mostly = 30*HZ;
+static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ;
 
 static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 			      struct nf_conntrack_tuple *tuple)
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 0572617..7cd13e5 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -26,7 +26,7 @@
 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 #include <net/netfilter/nf_log.h>
 
-static unsigned long nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
+static unsigned int nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
 
 static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
 				unsigned int dataoff,