[PATCH 0/3] netfilter fixes for 3.7-rc8

[PATCH 0/3] netfilter fixes for 3.7-rc8

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following patchset contains three Netfilter fixes, they are:

* Fix conntrack helper re-assignment after NAT mangling if only if
  the same helper is attached to the conntrack again, from Florian
  Westphal.

* Don't allow the creation of conntrack entries via ctnetlink if the
  original and reply tuples are missing, from Florian Westphal.

* Fix broken sysctl interface in nf_ct_reasm while adding netns support
  to it, from Michal Kubecek.

Again, these are coming very late but they seem small and non-intrusive to me.
If case your verdict is positive, you can pull this changes from:

git://1984.lsi.us.es/nf master

Thanks!

Florian Westphal (2):
  netfilter: ctnetlink: don't permit ct creation with random tuple
  netfilter: nf_ct_helper: don't discard helper if it is actually the same

Michal Kubeček (1):
  netfilter: nf_ct_reasm: fix per-netns sysctl initialization

 net/ipv6/netfilter/nf_conntrack_reasm.c |    6 +++---
 net/netfilter/nf_conntrack_helper.c     |    4 +++-
 net/netfilter/nf_conntrack_netlink.c    |    3 +++
 3 files changed, 9 insertions(+), 4 deletions(-)

-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 1/3] netfilter: ctnetlink: don't permit ct creation with random tuple

[pablo]

From: Florian Westphal <fw@strlen.de>

Userspace can cause kernel panic by not specifying orig/reply
tuple: kernel will create a tuple with random stack values.

Problem is that tuple.dst.dir will be random, too, which
causes nf_ct_tuplehash_to_ctrack() to return garbage.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
---
 net/netfilter/nf_conntrack_netlink.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 627b0e5..a081915 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1705,6 +1705,9 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 		if (nlh->nlmsg_flags & NLM_F_CREATE) {
 			enum ip_conntrack_events events;
 
+			if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
+				return -EINVAL;
+
 			ct = ctnetlink_create_conntrack(net, zone, cda, &otuple,
 							&rtuple, u3);
 			if (IS_ERR(ct))
-- 
1.7.10.4

[PATCH 2/3] netfilter: nf_ct_helper: don't discard helper if it is actually the same

[pablo]

From: Florian Westphal <fw@strlen.de>

commit (32f5376 netfilter: nf_ct_helper: disable automatic helper
re-assignment of different type) broke transparent proxy scenarios.

For example, initial helper lookup might yield "ftp" (dport 21),
while re-lookup after REDIRECT yields "ftp-2121".

This causes the autoassign code to toss the ftp helper, even
though these are just different instances of the same helper.

Change the test to check for the helper function address instead
of the helper address, as suggested by Pablo.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
---
 net/netfilter/nf_conntrack_helper.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 884f2b3..91527d5 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -236,7 +236,9 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
 		/* We only allow helper re-assignment of the same sort since
 		 * we cannot reallocate the helper extension area.
 		 */
-		if (help->helper != helper) {
+		struct nf_conntrack_helper *tmp = rcu_dereference(help->helper);
+
+		if (tmp && tmp->help != helper->help) {
 			RCU_INIT_POINTER(help->helper, NULL);
 			goto out;
 		}
-- 
1.7.10.4

[PATCH 3/3] netfilter: nf_ct_reasm: fix per-netns sysctl initialization

[pablo]

From: Michal Kubeček <mkubecek@suse.cz>

Adjusting of data pointers in net/netfilter/nf_conntrack_frag6_*
sysctl table for other namespaces points to wrong netns_frags
structure and has reversed order of entries.

Problem introduced by commit c038a767cd69 in 3.7-rc1

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/nf_conntrack_reasm.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 3dacecc..0156d07 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -97,9 +97,9 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
 		if (table == NULL)
 			goto err_alloc;
 
-		table[0].data = &net->ipv6.frags.high_thresh;
-		table[1].data = &net->ipv6.frags.low_thresh;
-		table[2].data = &net->ipv6.frags.timeout;
+		table[0].data = &net->nf_frag.frags.timeout;
+		table[1].data = &net->nf_frag.frags.low_thresh;
+		table[2].data = &net->nf_frag.frags.high_thresh;
 	}
 
 	hdr = register_net_sysctl(net, "net/netfilter", table);
-- 
1.7.10.4

Re: [PATCH 0/3] netfilter fixes for 3.7-rc8

[David Miller]

From: pablo@netfilter.org
Date: Wed, 13 Feb 2013 21:38:30 +0100

> The following patchset contains three Netfilter fixes, they are:
> 
> * Fix conntrack helper re-assignment after NAT mangling if only if
>   the same helper is attached to the conntrack again, from Florian
>   Westphal.
> 
> * Don't allow the creation of conntrack entries via ctnetlink if the
>   original and reply tuples are missing, from Florian Westphal.
> 
> * Fix broken sysctl interface in nf_ct_reasm while adding netns support
>   to it, from Michal Kubecek.
> 
> Again, these are coming very late but they seem small and non-intrusive to me.
> If case your verdict is positive, you can pull this changes from:
> 
> git://1984.lsi.us.es/nf master

Pulled, thanks Pablo.