[PATCH 0/3] netfilter fixes for your net tree

[PATCH 0/3] netfilter fixes for your net tree

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

* Don't generate audit log message if audit is not enabled, from Gao Feng.

* Fix logging formatting for packets dropped by helpers, by Joe Perches.

* Fix a compilation warning in nfnetlink if CONFIG_PROVE_RCU is not set,
  from Paul Bolle.

You can pull these changes from:

git://1984.lsi.us.es/nf master

Thanks!

Gao feng (1):
  netfilter: xt_AUDIT: only generate audit log when audit enabled

Joe Perches (1):
  netfilter: nf_ct_helper: Fix logging for dropped packets

Paul Bolle (1):
  netfilter: nfnetlink: silence warning if CONFIG_PROVE_RCU isn't set

 net/netfilter/nf_conntrack_helper.c |   11 ++++++++++-
 net/netfilter/nfnetlink.c           |    7 +------
 net/netfilter/xt_AUDIT.c            |    3 +++
 3 files changed, 14 insertions(+), 7 deletions(-)

-- 
1.7.10.4

[PATCH 1/3] netfilter: nf_ct_helper: Fix logging for dropped packets

[pablo]

From: Joe Perches <joe@perches.com>

Update nf_ct_helper_log to emit args along with the format.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_helper.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 013cdf6..bb4188f 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -341,6 +341,13 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
 {
 	const struct nf_conn_help *help;
 	const struct nf_conntrack_helper *helper;
+	struct va_format vaf;
+	va_list args;
+
+	va_start(args, fmt);
+
+	vaf.fmt = fmt;
+	vaf.va = &args;
 
 	/* Called from the helper function, this call never fails */
 	help = nfct_help(ct);
@@ -349,7 +356,9 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
 	helper = rcu_dereference(help->helper);
 
 	nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
-		      "nf_ct_%s: dropping packet: %s ", helper->name, fmt);
+		      "nf_ct_%s: dropping packet: %pV ", helper->name, &vaf);
+
+	va_end(args);
 }
 EXPORT_SYMBOL_GPL(nf_ct_helper_log);
 
-- 
1.7.10.4

[PATCH 2/3] netfilter: xt_AUDIT: only generate audit log when audit enabled

[pablo]

From: Gao feng <gaofeng@cn.fujitsu.com>

We should stop generting audit log if audit is disabled.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_AUDIT.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index ba92824..3228d7f 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -124,6 +124,9 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	const struct xt_audit_info *info = par->targinfo;
 	struct audit_buffer *ab;
 
+	if (audit_enabled == 0)
+		goto errout;
+
 	ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
 	if (ab == NULL)
 		goto errout;
-- 
1.7.10.4

[PATCH 3/3] netfilter: nfnetlink: silence warning if CONFIG_PROVE_RCU isn't set

[pablo]

From: Paul Bolle <pebolle@tiscali.nl>

Since commit c14b78e7decd0d1d5add6a4604feb8609fe920a9 ("netfilter:
nfnetlink: add mutex per subsystem") building nefnetlink.o without
CONFIG_PROVE_RCU set, triggers this GCC warning:
    net/netfilter/nfnetlink.c:65:22: warning: ‘nfnl_get_lock’ defined but not used [-Wunused-function]

The cause of that warning is, in short, that rcu_lockdep_assert()
compiles away if CONFIG_PROVE_RCU is not set. Silence this warning by
open coding nfnl_get_lock() in the sole place it was called, which
allows to remove that function.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink.c |    7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index d578ec2..0b1b32c 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -62,11 +62,6 @@ void nfnl_unlock(__u8 subsys_id)
 }
 EXPORT_SYMBOL_GPL(nfnl_unlock);
 
-static struct mutex *nfnl_get_lock(__u8 subsys_id)
-{
-	return &table[subsys_id].mutex;
-}
-
 int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n)
 {
 	nfnl_lock(n->subsys_id);
@@ -199,7 +194,7 @@ replay:
 			rcu_read_unlock();
 			nfnl_lock(subsys_id);
 			if (rcu_dereference_protected(table[subsys_id].subsys,
-				lockdep_is_held(nfnl_get_lock(subsys_id))) != ss ||
+				lockdep_is_held(&table[subsys_id].mutex)) != ss ||
 			    nfnetlink_find_client(type, ss) != nc)
 				err = -EAGAIN;
 			else if (nc->call)
-- 
1.7.10.4

Re: [PATCH 0/3] netfilter fixes for your net tree

[David Miller]

From: pablo@netfilter.org
Date: Thu,  7 Mar 2013 11:59:59 +0100

> The following patchset contains Netfilter fixes for your net tree,
> they are:
> 
> * Don't generate audit log message if audit is not enabled, from Gao Feng.
> 
> * Fix logging formatting for packets dropped by helpers, by Joe Perches.
> 
> * Fix a compilation warning in nfnetlink if CONFIG_PROVE_RCU is not set,
>   from Paul Bolle.
> 
> You can pull these changes from:
> 
> git://1984.lsi.us.es/nf master

Pulled, but keep in mind that if there are any bugs in these changes I
know exactly where you are. :-)