* [PATCH 0/4] netfilter updates for net tree
From: pablo @ 2012-01-17 11:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi Dave,
The following patches contain updates for your current net tree:
* A couple of bugfixes for ipset from Jozsef.
* Revert the user-space expectation helper support from myself.
I decided to do this because I found problems specifically
regarding NAT setups. I didn't throw in the towel though. I'm
working on new infrastructure. My plan is to submit it for
net-next once it's open and it passes developers' scrutiny
(still work in progress):
http://1984.lsi.us.es/git/net-next/commit/?h=cthelper&id=4e690f548859eec5a3dad151dec9c12bac17c014
* Fix one compilation warning if ip6tables is disabled in
xt_hashlimit.
You can pull these changes from:
git://1984.lsi.us.es/net nf
Thanks.
Jozsef Kadlecsik (2):
netfilter: ipset: autoload set type modules safely
netfilter: ipset: dumping error triggered removing references twice
Pablo Neira Ayuso (1):
netfilter: revert user-space expectation helper support
Stephen Rothwell (1):
netfilter: xt_hashlimit: fix unused variable warning if IPv6 disabled
include/linux/netfilter/nf_conntrack_common.h | 4 ---
include/linux/netfilter/xt_CT.h | 3 +-
net/netfilter/ipset/ip_set_core.c | 37 ++++++++++++++++++-------
net/netfilter/nf_conntrack_helper.c | 12 --------
net/netfilter/nf_conntrack_netlink.c | 4 ---
net/netfilter/xt_CT.c | 8 ++---
net/netfilter/xt_hashlimit.c | 5 +++-
7 files changed, 35 insertions(+), 38 deletions(-)
--
1.7.7.3
* [PATCH 1/4] netfilter: xt_hashlimit: fix unused variable warning if IPv6 disabled
From: pablo @ 2012-01-17 11:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Stephen Rothwell <sfr@canb.auug.org.au>
Fixes this warning when CONFIG_IP6_NF_IPTABLES is not enabled:
net/netfilter/xt_hashlimit.c: In function ‘hashlimit_init_dst’:
net/netfilter/xt_hashlimit.c:448:9: warning: unused variable ‘frag_off’ [-Wunused-variable]
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_hashlimit.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 8e49921..d95f9c9 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -445,7 +445,6 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
{
__be16 _ports[2], *ports;
u8 nexthdr;
- __be16 frag_off;
int poff;
memset(dst, 0, sizeof(*dst));
@@ -466,6 +465,9 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
break;
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
case NFPROTO_IPV6:
+ {
+ __be16 frag_off;
+
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
memcpy(&dst->ip6.dst, &ipv6_hdr(skb)->daddr,
sizeof(dst->ip6.dst));
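Review bot: style point on the new block opened after `case NFPROTO_IPV6:` in this hunk: the usual kernel idiom is to put the brace on the case label itself (`case NFPROTO_IPV6: {`) rather than on its own line, so the block is visibly tied to the label. Declaring `frag_off` inside the block is the right fix, since the variable is only referenced in the IPv6 path that is compiled under `IS_ENABLED(CONFIG_IP6_NF_IPTABLES)`, so the warning cannot reappear in other configurations.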
@@ -485,6 +487,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
if ((int)protoff < 0)
return -1;
break;
+ }
#endif
default:
BUG();
--
1.7.7.3
* [PATCH 2/4] netfilter: revert user-space expectation helper support
From: pablo @ 2012-01-17 11:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch partially reverts:
3d058d7 netfilter: rework user-space expectation helper support
that was applied during the 3.2 development cycle.
After this patch, the tree remains just like before patch bc01bef,
that initially added the preliminary infrastructure.
I decided to partially revert this patch because the approach
that I proposed to resolve this problem is broken in NAT setups.
Moreover, a new infrastructure will be submitted for the 3.3.x
development cycle that resolves the existing issues while
providing a neat solution.
Since nobody has been seriously using this infrastructure in
user-space, the removal of this feature should affect any known
FOSS project (to my knowledge).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/nf_conntrack_common.h | 4 ----
include/linux/netfilter/xt_CT.h | 3 +--
net/netfilter/nf_conntrack_helper.c | 12 ------------
net/netfilter/nf_conntrack_netlink.c | 4 ----
net/netfilter/xt_CT.c | 8 +++-----
5 files changed, 4 insertions(+), 27 deletions(-)
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 9e3a283..0d3dd66 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -83,10 +83,6 @@ enum ip_conntrack_status {
/* Conntrack is a fake untracked entry */
IPS_UNTRACKED_BIT = 12,
IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
-
- /* Conntrack has a userspace helper. */
- IPS_USERSPACE_HELPER_BIT = 13,
- IPS_USERSPACE_HELPER = (1 << IPS_USERSPACE_HELPER_BIT),
};
/* Connection tracking event types */
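Review bot: `enum ip_conntrack_status` in include/linux/netfilter/nf_conntrack_common.h is an exported header, so removing `IPS_USERSPACE_HELPER_BIT` (bit 13) here is a user-visible ABI change that the commit message should state explicitly. Suggest also leaving a short comment that bit 13 was used during 3.2 so it is not handed out to a new status flag right away; a userspace binary built against 3.2 headers that sets or tests this bit would otherwise silently get a different meaning.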
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h
index 6390f09..b56e768 100644
--- a/include/linux/netfilter/xt_CT.h
+++ b/include/linux/netfilter/xt_CT.h
@@ -3,8 +3,7 @@
#include <linux/types.h>
-#define XT_CT_NOTRACK 0x1
-#define XT_CT_USERSPACE_HELPER 0x2
+#define XT_CT_NOTRACK 0x1
struct xt_ct_target_info {
__u16 flags;
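Review bot: same ABI concern for `XT_CT_USERSPACE_HELPER` in this hunk: flag value 0x2 loses its meaning, and the matching xt_CT.c hunk now rejects it with -EINVAL. A comment noting that 0x2 was once assigned would keep it from being reused for a future flag that an old iptables binary could set unintentionally.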
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 299fec9..bbe23ba 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -121,18 +121,6 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
int ret = 0;
if (tmpl != NULL) {
- /* we've got a userspace helper. */
- if (tmpl->status & IPS_USERSPACE_HELPER) {
- help = nf_ct_helper_ext_add(ct, flags);
- if (help == NULL) {
- ret = -ENOMEM;
- goto out;
- }
- rcu_assign_pointer(help->helper, NULL);
- __set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status);
- ret = 0;
- goto out;
- }
help = nfct_help(tmpl);
if (help != NULL)
helper = help->helper;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 2a4834b..9307b03 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2042,10 +2042,6 @@ ctnetlink_create_expect(struct net *net, u16 zone,
}
help = nfct_help(ct);
if (!help) {
- err = -EOPNOTSUPP;
- goto out;
- }
- if (test_bit(IPS_USERSPACE_HELPER_BIT, &ct->status)) {
if (!cda[CTA_EXPECT_TIMEOUT]) {
err = -EINVAL;
goto out;
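Review bot: the merged `if (!help)` block in this hunk changes the failure mode for expectations created on a conntrack without a helper: instead of rejecting with -EOPNOTSUPP, the request is now accepted when `CTA_EXPECT_TIMEOUT` is present and fails with -EINVAL when it is not. That restores the pre-bc01bef behaviour, but the commit message only says "partially reverts"; spell out the errno change so ctnetlink users know why a request that used to return -EOPNOTSUPP now returns -EINVAL.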
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 8e87123..0221d10 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -62,8 +62,8 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
int ret = 0;
u8 proto;
- if (info->flags & ~(XT_CT_NOTRACK | XT_CT_USERSPACE_HELPER))
- return -EOPNOTSUPP;
+ if (info->flags & ~XT_CT_NOTRACK)
+ return -EINVAL;
if (info->flags & XT_CT_NOTRACK) {
ct = nf_ct_untracked_get();
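Review bot: the unknown-flag check in this hunk switches from `-EOPNOTSUPP` to `-EINVAL`, which is a user-visible errno change not mentioned in the commit message. If -EINVAL is what the code returned before bc01bef, say so in the message; if it is not, keep -EOPNOTSUPP so a mid-cycle revert does not introduce a third behaviour for the same condition.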
@@ -92,9 +92,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
GFP_KERNEL))
goto err3;
- if (info->flags & XT_CT_USERSPACE_HELPER) {
- __set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status);
- } else if (info->helper[0]) {
+ if (info->helper[0]) {
ret = -ENOENT;
proto = xt_ct_find_proto(par);
if (!proto) {
--
1.7.7.3
* [PATCH 3/4] netfilter: ipset: autoload set type modules safely
From: pablo @ 2012-01-17 11:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Jan Engelhardt noticed that when userspace requests a set type unknown
to the kernel, it can lead to a loop due to the unsafe type module
loading. The issue is fixed in this patch.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 36 ++++++++++++++++++++++++++----------
1 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 86137b5..0f8e5f2 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -77,35 +77,42 @@ find_set_type(const char *name, u8 family, u8 revision)
}
/* Unlock, try to load a set type module and lock again */
-static int
-try_to_load_type(const char *name)
+static bool
+load_settype(const char *name)
{
nfnl_unlock();
pr_debug("try to load ip_set_%s\n", name);
if (request_module("ip_set_%s", name) < 0) {
pr_warning("Can't find ip_set type %s\n", name);
nfnl_lock();
- return -IPSET_ERR_FIND_TYPE;
+ return false;
}
nfnl_lock();
- return -EAGAIN;
+ return true;
}
/* Find a set type and reference it */
+#define find_set_type_get(name, family, revision, found) \
+ __find_set_type_get(name, family, revision, found, false)
+
static int
-find_set_type_get(const char *name, u8 family, u8 revision,
- struct ip_set_type **found)
+__find_set_type_get(const char *name, u8 family, u8 revision,
+ struct ip_set_type **found, bool retry)
{
struct ip_set_type *type;
int err;
+ if (retry && !load_settype(name))
+ return -IPSET_ERR_FIND_TYPE;
+
rcu_read_lock();
*found = find_set_type(name, family, revision);
if (*found) {
err = !try_module_get((*found)->me) ? -EFAULT : 0;
goto unlock;
}
- /* Make sure the type is loaded but we don't support the revision */
+ /* Make sure the type is already loaded
+ * but we don't support the revision */
list_for_each_entry_rcu(type, &ip_set_type_list, list)
if (STREQ(type->name, name)) {
err = -IPSET_ERR_FIND_TYPE;
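Review bot: the lookup contract changes in this hunk and the callers are not in the diff. The old `try_to_load_type()` returned -EAGAIN after a successful `request_module()` so that the caller would re-run the lookup; `load_settype()` now returns a bool and the re-run happens inside `__find_set_type_get()` itself with `retry = true`. Check that every caller that looped on -EAGAIN is updated, since they will never see that value again. It would also help to document on the `retry` parameter that at most one module load attempt is made per lookup, because that bound is what actually fixes the loop Jan Engelhardt reported: with an unknown type name, `request_module()` can succeed without registering the type, and an unbounded retry would spin.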
@@ -113,7 +120,8 @@ find_set_type_get(const char *name, u8 family, u8 revision,
}
rcu_read_unlock();
- return try_to_load_type(name);
+ return retry ? -IPSET_ERR_FIND_TYPE :
+ __find_set_type_get(name, family, revision, found, true);
unlock:
rcu_read_unlock();
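Review bot: the `retry ? -IPSET_ERR_FIND_TYPE : __find_set_type_get(name, family, revision, found, true)` return in this hunk reads backwards at first glance, since the error is returned on the second pass. A one-line comment above it, e.g. `/* already tried to load the module once, give up */`, would make the intent clear; the same applies to the minmax variant below. The recursion correctly happens after `rcu_read_unlock()`, so `load_settype()` never drops `nfnl_lock` while inside an RCU read section.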
@@ -124,12 +132,19 @@ unlock:
* If we succeeded, the supported minimal and maximum revisions are
* filled out.
*/
+#define find_set_type_minmax(name, family, min, max) \
+ __find_set_type_minmax(name, family, min, max, false)
+
static int
-find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max)
+__find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
+ bool retry)
{
struct ip_set_type *type;
bool found = false;
+ if (retry && !load_settype(name))
+ return -IPSET_ERR_FIND_TYPE;
+
*min = 255; *max = 0;
rcu_read_lock();
list_for_each_entry_rcu(type, &ip_set_type_list, list)
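Review bot: the `if (retry && !load_settype(name))` prologue and the retry-or-recurse epilogue are now duplicated between `__find_set_type_get()` and `__find_set_type_minmax()`; a small shared wrapper would keep the two from drifting apart. Note that `*min = 255; *max = 0;` is re-initialised on each pass, so the second pass after a module load does not inherit partial results, which is correct.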
@@ -145,7 +160,8 @@ find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max)
if (found)
return 0;
- return try_to_load_type(name);
+ return retry ? -IPSET_ERR_FIND_TYPE :
+ __find_set_type_minmax(name, family, min, max, true);
}
#define family_name(f) ((f) == AF_INET ? "inet" : \
--
1.7.7.3
* [PATCH 4/4] netfilter: ipset: dumping error triggered removing references twice
From: pablo @ 2012-01-17 11:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
If there was a dumping error in the middle, the set-specific variable was
not zeroed out and thus the 'done' function of the dumping wrongly tried
to release the already released reference of the set. The already released
reference was caught by __ip_set_put and triggered a kernel BUG message.
Reported by Jean-Philippe Menil.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 0f8e5f2..32dbf0f 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1142,6 +1142,7 @@ release_refcount:
if (ret || !cb->args[2]) {
pr_debug("release set %s\n", ip_set_list[index]->name);
ip_set_put_byindex(index);
+ cb->args[2] = 0;
}
out:
if (nlh) {
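Review bot: the reset is correct, but a comment would help future readers: `cb->args[2]` doubles as the "set reference held" flag that the dump's done callback checks, and the `if (ret || !cb->args[2])` condition reads the value before it is cleared, so on the error path the reference is dropped exactly once here and not a second time in done. Giving the slot a named macro instead of a bare index would make that invariant harder to break again.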
--
1.7.7.3
* Re: [PATCH 0/4] netfilter updates for net tree
From: David Miller @ 2012-01-17 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: pablo@netfilter.org
Date: Tue, 17 Jan 2012 12:04:45 +0100
> You can pull these changes from:
>
> git://1984.lsi.us.es/net nf
>
> Thanks.
>
> Jozsef Kadlecsik (2):
> netfilter: ipset: autoload set type modules safely
> netfilter: ipset: dumping error triggered removing references twice
>
> Pablo Neira Ayuso (1):
> netfilter: revert user-space expectation helper support
>
> Stephen Rothwell (1):
> netfilter: xt_hashlimit: fix unused variable warning if IPv6 disabled
Pulled, thanks!
* [PATCH 0/4] netfilter updates for net tree
From: pablo @ 2012-02-23 0:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: netdev, davem
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi David,
The following are four fixes for your net tree:
* One fix for NFQUEUE if used in bridge mode when GRO/GSO skbs
are enqueued from Florian Westphal.
* One fix from Joerg Willmann to fix wrong alignment in ebtables
on PPC.
* One fix for soft lockup for ctnetlink from Jozsef Kadlecsik.
* One fix for IPVS from Simon Horman.
Please, pull these changes from:
git://1984.lsi.us.es/net nf
Thanks!
Florian Westphal (1):
netfilter: nf_queue: fix queueing of bridged gro skbs
Joerg Willmann (1):
netfilter: ebtables: fix alignment problem in ppc
Jozsef Kadlecsik (1):
netfilter: ctnetlink: fix soft lockup when netlink adds new entries
Simon Horman (1):
ipvs: fix matching of fwmark templates during scheduling
include/linux/netfilter_bridge/ebtables.h | 4 +-
net/netfilter/ipvs/ip_vs_core.c | 2 +-
net/netfilter/nf_conntrack_netlink.c | 43 +++++++++++------------------
net/netfilter/nf_queue.c | 40 +++++++++++++++++++++-----
4 files changed, 51 insertions(+), 38 deletions(-)
--
1.7.7.3
* Re: [PATCH 0/4] netfilter updates for net tree
From: David Miller @ 2012-02-23 5:20 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: pablo@netfilter.org
Date: Thu, 23 Feb 2012 01:02:22 +0100
> The following are four fixes for your net tree:
>
> * One fix for NFQUEUE if used in bridge mode when GRO/GSO skbs
> are enqueued from Florian Westphal.
>
> * One fix from Joerg Willmann to fix wrong alignment in ebtables
> on PPC.
>
> * One fix for soft lockup for ctnetlink from Jozsef Kadlecsik.
>
> * One fix for IPVS from Simon Horman.
>
> Please, pull these changes from:
>
> git://1984.lsi.us.es/net nf
Pulled, thanks Pablo.