Subject: [PATCH 0/4] netfilter fixes
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem
Cc: netfilter-devel, netdev

Hi Dave,

following are four netfilter fixes for 2.6.34, fixing:

- a regression in the recent match, introduced during 2.6.33
- a crash after a failed memory allocation in xt_hashlimit seq_file handling
- an incorrect hook priority of the IPv6 raw table
- a missing 'break' in the IPv6 xt_hashlimit netmask calculation

 include/linux/netfilter_ipv6.h    |    1 +
 net/ipv6/netfilter/ip6table_raw.c |    2 +-
 net/netfilter/xt_hashlimit.c      |    4 +++-
 net/netfilter/xt_recent.c         |    2 +-
 4 files changed, 6 insertions(+), 3 deletions(-)

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!

PS: this is my first "live" attempt at using git-send-email, so apologies in
advance in case I made any mistakes.
Subject: [PATCH 1/4] netfilter: xt_recent: fix regression in rules using a zero hit_count
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem
Cc: netfilter-devel, netdev

From: Patrick McHardy <kaber@trash.net>

Commit 8ccb92ad (netfilter: xt_recent: fix false match) fixed supposedly
false matches in rules using a zero hit_count. As it turns out there is
nothing false about these matches and people are actually using entries
with a hit_count of zero to make rules dependent on addresses inserted
manually through /proc.

Since this slipped past the eyes of three reviewers, instead of reverting
the commit in question, this patch explicitly checks for a hit_count of
zero to make the intentions more clear.

Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Tested-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/xt_recent.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 7073dbb..971d172 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -267,7 +267,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	for (i = 0; i < e->nstamps; i++) {
 		if (info->seconds && time_after(time, e->stamps[i]))
 			continue;
-		if (info->hit_count && ++hits >= info->hit_count) {
+		if (!info->hit_count || ++hits >= info->hit_count) {
 			ret = !ret;
 			break;
 		}
-- 
1.6.5.7
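Review bot: the rewritten condition `if (!info->hit_count || ++hits >= info->hit_count)` restores matching on the first non-expired stamp when hit_count is zero, and the short-circuit means `hits` is never incremented in that case; since the message says three reviewers misread the zero case in commit 8ccb92ad, a one-line comment above the condition stating that hit_count == 0 means "match regardless of hit count" would keep the next reader from "fixing" it again. Note also that the enclosing `for` only runs when `e->nstamps` is non-zero, so an entry without stamps still does not match even with hit_count zero; the message does not say whether entries inserted manually through /proc always carry a stamp, so it would be worth stating.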
Subject: [PATCH 2/4] netfilter: xt_hashlimit: dl_seq_stop() fix
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem
Cc: netfilter-devel, netdev

From: Eric Dumazet <eric.dumazet@gmail.com>

If dl_seq_start() memory allocation fails, we crash later in dl_seq_stop(),
trying to kfree(ERR_PTR(-ENOMEM))

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/xt_hashlimit.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 9e9c489..70d561a 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -879,7 +879,8 @@ static void dl_seq_stop(struct seq_file *s, void *v)
 	struct xt_hashlimit_htable *htable = s->private;
 	unsigned int *bucket = (unsigned int *)v;
 
-	kfree(bucket);
+	if (!IS_ERR(bucket))
+		kfree(bucket);
 	spin_unlock_bh(&htable->lock);
 }
 
-- 
1.6.5.7
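Review bot: the `IS_ERR()` guard before `kfree()` addresses the description (kfree() on an ERR_PTR value is not safe, unlike kfree(NULL)), but the `spin_unlock_bh(&htable->lock)` that follows still runs unconditionally, so the fix is only complete if dl_seq_start() takes `htable->lock` before the allocation that can fail; the hunk does not show dl_seq_start(), so the commit message should state that the lock is already held on the error path, or the unlock should be skipped there as well.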
Subject: [PATCH 3/4] netfilter: ip6table_raw: fix table priority
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem
Cc: netfilter-devel, netdev

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

The order of the IPv6 raw table is currently reversed, which makes it
impossible to use the NOTRACK target in IPv6: for example if someone enters

ip6tables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

and if we receive fragmented packets then the first fragment will be
untracked and thus skip nf_ct_frag6_gather (and conntrack), while all
subsequent fragments enter nf_ct_frag6_gather and reassembly will never
successfully be finished.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 include/linux/netfilter_ipv6.h    |    1 +
 net/ipv6/netfilter/ip6table_raw.c |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index d654873..1f7e300 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -59,6 +59,7 @@ enum nf_ip6_hook_priorities {
 	NF_IP6_PRI_FIRST = INT_MIN,
 	NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
+	NF_IP6_PRI_RAW = -300,
 	NF_IP6_PRI_SELINUX_FIRST = -225,
 	NF_IP6_PRI_CONNTRACK = -200,
 	NF_IP6_PRI_MANGLE = -150,
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index aef31a2..b9cf7cd 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -13,7 +13,7 @@ static const struct xt_table packet_raw = {
 	.valid_hooks = RAW_VALID_HOOKS,
 	.me = THIS_MODULE,
 	.af = NFPROTO_IPV6,
-	.priority = NF_IP6_PRI_FIRST,
+	.priority = NF_IP6_PRI_RAW,
 };
 
 /* The work comes in here from netfilter.c. */
-- 
1.6.5.7
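Review bot: NF_IP6_PRI_RAW = -300 lands between NF_IP6_PRI_CONNTRACK_DEFRAG (-400) and NF_IP6_PRI_CONNTRACK (-200), which is exactly the ordering the description needs (defragmentation first, so a NOTRACK rule sees the reassembled packet, then raw, then conntrack); a short comment on the new enumerator saying it must stay after CONNTRACK_DEFRAG and before CONNTRACK would pin that invariant for future edits to this list.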
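Review bot: moving `.priority` from NF_IP6_PRI_FIRST (INT_MIN) to NF_IP6_PRI_RAW changes the raw table's behaviour beyond the fragment case described: any hook registered at NF_IP6_PRI_FIRST or NF_IP6_PRI_CONNTRACK_DEFRAG now runs before the raw table, so a rule in raw can no longer bypass IPv6 defragmentation itself; the commit message should say that this is the intended trade-off rather than an incidental consequence of fixing the fragment ordering.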
Subject: [PATCH 4/4] netfilter: xt_hashlimit: IPV6 bugfix
From: kaber
Date: 2010-03-25 17:54 UTC
To: davem
Cc: netfilter-devel, netdev

From: Eric Dumazet <eric.dumazet@gmail.com>

A missing break statement in hashlimit_ipv6_mask(), and masks between /64
and /95 are not working at all...

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/xt_hashlimit.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 70d561a..215a648 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -493,6 +493,7 @@ static void hashlimit_ipv6_mask(__be32 *i, unsigned int p)
 	case 64 ... 95:
 		i[2] = maskl(i[2], p - 64);
 		i[3] = 0;
+		break;
 	case 96 ... 127:
 		i[3] = maskl(i[3], p - 96);
 		break;
-- 
1.6.5.7
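Review bot: without the added `break`, a prefix length in 64..95 fell through into the `case 96 ... 127` arm and executed `i[3] = maskl(i[3], p - 96)` after the correct arm had already set `i[3] = 0`, with `p - 96` wrapping to a large value because `p` is `unsigned int`; the commit message would be clearer if it spelled out that fall-through, and a unit test over the boundary prefixes /64, /95, /96 and /127 would catch a regression in this switch, which is easy to break again when a new range is added.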
Subject: [PATCH] netfilter: CLUSTERIP: clusterip_seq_stop() fix
From: Eric Dumazet
Date: 2010-03-25 19:47 UTC
To: Patrick McHardy
Cc: netfilter-devel, netdev, David Miller

If clusterip_seq_start() memory allocation fails, we crash later in
clusterip_seq_start(), trying to kfree(ERR_PTR(-ENOMEM))

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 0886f96..afa937b 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -600,7 +600,8 @@ static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos)
 
 static void clusterip_seq_stop(struct seq_file *s, void *v)
 {
-	kfree(v);
+	if (!IS_ERR(v))
+		kfree(v);
 }
 
 static int clusterip_seq_show(struct seq_file *s, void *v)
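Review bot: the description says the crash happens in clusterip_seq_start(), but the hunk changes clusterip_seq_stop(), which is where the `kfree(v)` on the ERR_PTR(-ENOMEM) returned by the failed start lives; the second function name in the description should read clusterip_seq_stop(). The guard itself is the same shape as the dl_seq_stop() fix in PATCH 2/4 of this thread, and since clusterip_seq_stop() holds no lock in the visible lines there is no unlock to reconsider on the error path here.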
Subject: Re: [PATCH] netfilter: CLUSTERIP: clusterip_seq_stop() fix
From: Patrick McHardy
Date: 2010-04-01 10:54 UTC
To: Eric Dumazet
Cc: netfilter-devel, netdev, David Miller

Eric Dumazet wrote:
> If clusterip_seq_start() memory allocation fails, we crash later in
> clusterip_seq_start(), trying to kfree(ERR_PTR(-ENOMEM))

Applied, thanks Eric.
Subject: Re: [PATCH 0/4] netfilter fixes
From: David Miller
Date: 2010-03-25 18:49 UTC
To: kaber
Cc: netfilter-devel, netdev

From: kaber@trash.net
Date: Thu, 25 Mar 2010 18:54:42 +0100

> Please apply or pull from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks a lot Patrick.