netfilter 00/02: netfilter fixes

netfilter 00/02: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following two patches contain the GRE conntrack netns fix for an
oops on unload from Alexey and the preparatory patch, introducing
register_pernet_gen_subsys/unregister_pernet_gen_subsys.

Please apply, thanks.


 include/net/net_namespace.h            |    2 ++
 net/core/net_namespace.c               |   32 ++++++++++++++++++++++++++++++++
 net/netfilter/nf_conntrack_proto_gre.c |    4 ++--
 3 files changed, 36 insertions(+), 2 deletions(-)

Alexey Dobriyan (2):
      netns: add register_pernet_gen_subsys/unregister_pernet_gen_subsys
      netfilter: nf_conntrack_proto_gre: switch to register_pernet_gen_subsys()

netfilter 00/02: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following two patches fix two netfilter bugs:

- missing socket notification for ctnetlink skb allocation errors

- an incorrect return code in nfnetlink for netlink_kernel_create() failure

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 net/netfilter/nf_conntrack_netlink.c |   10 ++++++----
 net/netfilter/nfnetlink.c            |    2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

Pablo Neira Ayuso (2):
      netfilter: ctnetlink: report error if event message allocation fails
      netfilter: nfnetlink: return ENOMEM if we fail to create netlink socket

Re: netfilter 00/02: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 17 Apr 2009 18:09:13 +0200 (MEST)

> the following two patches fix two netfilter bugs:
> 
> - missing socket notification for ctnetlink skb allocation errors
> 
> - an incorrect return code in nfnetlink for netlink_kernel_create() failure
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!

netfilter 00/02: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two patches for netfilter, fixing

- a positive errno return value in the osf match

- a sleeping function called under RCU lock in the nf_log seq_show function

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 net/netfilter/nf_log.c |   18 +++++-------------
 net/netfilter/xt_osf.c |    2 +-
 2 files changed, 6 insertions(+), 14 deletions(-)

Roel Kluin (1):
      netfilter: xt_osf: fix xt_osf_remove_callback() return value

Wu Fengguang (1):
      netfilter: nf_log: fix sleeping function called from invalid context in seq_show()

netfilter 00/02: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following two patches fix two bugs in netfilter:

- an off-by-one in SIP conntrack short header parsing, causing mismatches
  with UAs not inserting a space after the colon

- a missing initialization in ctnetlink when dumping an expectation mask,
  causing an invalid layer 4 protocol number to be used

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 net/netfilter/nf_conntrack_netlink.c |    3 ++-
 net/netfilter/nf_conntrack_sip.c     |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

Patrick McHardy (2):
      netfilter: nf_conntrack_sip: fix off-by-one in compact header parsing
      netfilter: ctnetlink: fix expectation mask dump

netfilter 01/02: nf_conntrack_sip: fix off-by-one in compact header parsing

[Patrick McHardy]

commit 135d01899b1fba17045961febff7e5141db6048f
Author: Patrick McHardy <kaber@trash.net>
Date:   Tue Jan 19 19:06:59 2010 +0100

    netfilter: nf_conntrack_sip: fix off-by-one in compact header parsing
    
    In a string like "v:SIP/2.0..." it was checking for !isalpha('S') when it
    meant to be inspecting the ':'.
    
    Patch by Greg Alexander <greqcs@galexander.org>
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 4b57216..023966b 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -376,7 +376,7 @@ int ct_sip_get_header(const struct nf_conn *ct, const char *dptr,
 			dptr += hdr->len;
 		else if (hdr->cname && limit - dptr >= hdr->clen + 1 &&
 			 strnicmp(dptr, hdr->cname, hdr->clen) == 0 &&
-			 !isalpha(*(dptr + hdr->clen + 1)))
+			 !isalpha(*(dptr + hdr->clen)))
 			dptr += hdr->clen;
 		else
 			continue;

netfilter 02/02: ctnetlink: fix expectation mask dump

[Patrick McHardy]

commit e578756c35859a459d78d8416195bc5f5ff897d0
Author: Patrick McHardy <kaber@trash.net>
Date:   Tue Jan 26 17:04:02 2010 +0100

    netfilter: ctnetlink: fix expectation mask dump
    
    The protocol number is not initialized, so userspace can't interpret
    the layer 4 data properly.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 59d8064..42f21c0 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1437,8 +1437,9 @@ ctnetlink_exp_dump_mask(struct sk_buff *skb,
 	struct nlattr *nest_parms;
 
 	memset(&m, 0xFF, sizeof(m));
-	m.src.u.all = mask->src.u.all;
 	memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
+	m.src.u.all = mask->src.u.all;
+	m.dst.protonum = tuple->dst.protonum;
 
 	nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
 	if (!nest_parms)

Re: netfilter 00/02: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  2 Feb 2010 17:27:37 +0100 (MET)

> the following two patches fix two bugs in netfilter:
> 
> - an off-by-one in SIP conntrack short header parsing, causing mismatches
>   with UAs not inserting a space after the colon
> 
> - a missing initialization in ctnetlink when dumping an expectation mask,
>   causing an invalid layer 4 protocol number to be used
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks Patrick.