[PATCH 0/5] Netfilter/IPVS fixes for net

[PATCH 0/5] Netfilter/IPVS fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contains five fixes for Netfilter/IPVS, they are:

* A skb leak fix in fragmentation handling in case that helpers are in place,
  it occurs since the IPV6 NAT infrastructure, from Phil Oester.

* Fix SCTP port mangling in ICMP packets for IPVS, from Julian Anastasov.

* Fix event delivery in ctnetlink regarding the new connlabel infrastructure,
  from Florian Westphal.

* Fix mangling in the SIP NAT helper, from Balazs Peter Odor.

* Fix crash in ipt_ULOG introduced while adding netnamespace support,
  from Gao Feng.

I'll take care of passing several of these patches to -stable once they hit
Linus' tree.

You can pull these changes from:

git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Thanks!

----------------------------------------------------------------

The following changes since commit b396966c4688522863572927cb30aa874b3ec504:

  netfilter: xt_TCPMSS: Fix missing fragmentation handling (2013-06-12 11:06:19 +0200)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to c8fc51cfa758be945c6113a4b446e0159070f768:

  netfilter: ipt_ULOG: fix incorrect setting of ulog timer (2013-06-24 17:10:44 +0200)

----------------------------------------------------------------
Balazs Peter Odor (1):
      netfilter: nf_nat_sip: fix mangling

Florian Westphal (1):
      netfilter: ctnetlink: send event when conntrack label was modified

Gao feng (1):
      netfilter: ipt_ULOG: fix incorrect setting of ulog timer

Julian Anastasov (1):
      ipvs: SCTP ports should be writable in ICMP packets

Phil Oester (1):
      netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling

 net/ipv4/netfilter/ipt_ULOG.c                  |   12 ++++++++----
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    2 +-
 net/netfilter/ipvs/ip_vs_core.c                |    3 ++-
 net/netfilter/nf_conntrack_labels.c            |    2 +-
 net/netfilter/nf_conntrack_netlink.c           |    1 +
 net/netfilter/nf_nat_sip.c                     |    3 ++-
 6 files changed, 15 insertions(+), 8 deletions(-)

[PATCH 1/5] ipvs: SCTP ports should be writable in ICMP packets

[Pablo Neira Ayuso]

From: Julian Anastasov <ja@ssi.bg>

Make sure that SCTP ports are writable when embedded in ICMP
from client, so that ip_vs_nat_icmp can translate them safely.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/ip_vs_core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 05565d2..23b8eb5 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1442,7 +1442,8 @@ ignore_ipip:
 
 	/* do the statistics and put it back */
 	ip_vs_in_stats(cp, skb);
-	if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
+	if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol ||
+	    IPPROTO_SCTP == cih->protocol)
 		offset += 2 * sizeof(__u16);
 	verdict = ip_vs_icmp_xmit(skb, cp, pp, offset, hooknum, &ciph);
 
-- 
1.7.10.4

[PATCH 2/5] netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling

[Pablo Neira Ayuso]

From: Phil Oester <kernel@linuxace.com>

In commit 4cdd3408 ("netfilter: nf_conntrack_ipv6: improve fragmentation
handling"), an sk_buff leak was introduced when dealing with reassembled
packets by grabbing a reference to the original skb instead of the
reassembled skb.  At this point, the leak only impacted conntracks with an
associated helper.

In commit 58a317f1 ("netfilter: ipv6: add IPv6 NAT support"), the bug was
expanded to include all reassembled packets with unconfirmed conntracks.

Fix this by grabbing a reference to the proper reassembled skb.  This
closes netfilter bugzilla #823.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 97bcf2b..c9b6a6e 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -204,7 +204,7 @@ static unsigned int __ipv6_conntrack_in(struct net *net,
 		if (ct != NULL && !nf_ct_is_untracked(ct)) {
 			help = nfct_help(ct);
 			if ((help && help->helper) || !nf_ct_is_confirmed(ct)) {
-				nf_conntrack_get_reasm(skb);
+				nf_conntrack_get_reasm(reasm);
 				NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,
 					       (struct net_device *)in,
 					       (struct net_device *)out,
-- 
1.7.10.4

[PATCH 3/5] netfilter: nf_nat_sip: fix mangling

[Pablo Neira Ayuso]

From: Balazs Peter Odor <balazs@obiserver.hu>

In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
there were some missing brackets around the logging information, thus
always returning drop.

Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061

Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_nat_sip.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index 96ccdf7..dac11f7 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -230,9 +230,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
 					&ct->tuplehash[!dir].tuple.src.u3,
 					false);
 			if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
-					   poff, plen, buffer, buflen))
+					   poff, plen, buffer, buflen)) {
 				nf_ct_helper_log(skb, ct, "cannot mangle received");
 				return NF_DROP;
+			}
 		}
 
 		/* The rport= parameter (RFC 3581) contains the port number
-- 
1.7.10.4

Re: [PATCH 0/5] Netfilter/IPVS fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 24 Jun 2013 17:15:44 +0200

> The following patchset contains five fixes for Netfilter/IPVS, they are:
> 
> * A skb leak fix in fragmentation handling in case that helpers are in place,
>   it occurs since the IPV6 NAT infrastructure, from Phil Oester.
> 
> * Fix SCTP port mangling in ICMP packets for IPVS, from Julian Anastasov.
> 
> * Fix event delivery in ctnetlink regarding the new connlabel infrastructure,
>   from Florian Westphal.
> 
> * Fix mangling in the SIP NAT helper, from Balazs Peter Odor.
> 
> * Fix crash in ipt_ULOG introduced while adding netnamespace support,
>   from Gao Feng.
> 
> I'll take care of passing several of these patches to -stable once they hit
> Linus' tree.
> 
> You can pull these changes from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Pulled, thanks.

[PATCH 0/5] Netfilter/IPVS fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter/IPVS fixes for net:

1) Fix crash on flowtable due to race between garbage collection
   and insertion.

2) Restore callback unbinding in netfilter offloads.

3) Fix races on IPVS module removal, from Davide Caratti.

4) Make old_secure_tcp per-netns to fix sysbot report,
   from Eric Dumazet.

5) Validate matching length in netfilter offloads, from wenxu.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you.

----------------------------------------------------------------

The following changes since commit 6c5d9c2a6bedbb3c3c14253776320c0ee564f064:

  ipv6: include <net/addrconf.h> for missing declarations (2019-10-22 15:17:03 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 52b33b4f8186669ab88b56cf5b2812e3996ef289:

  Merge tag 'ipvs-fixes-for-v5.4' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs (2019-10-26 12:42:45 +0200)

----------------------------------------------------------------
Davide Caratti (1):
      ipvs: don't ignore errors in case refcounting ip_vs module fails

Eric Dumazet (1):
      ipvs: move old_secure_tcp into struct netns_ipvs

Pablo Neira Ayuso (3):
      netfilter: nf_flow_table: set timeout before insertion into hashes
      netfilter: nf_tables_offload: restore basechain deletion
      Merge tag 'ipvs-fixes-for-v5.4' of https://git.kernel.org/.../horms/ipvs

wenxu (1):
      netfilter: nft_payload: fix missing check for matching length in offloads

 include/net/ip_vs.h                |  1 +
 net/netfilter/ipvs/ip_vs_app.c     | 12 ++++++++++--
 net/netfilter/ipvs/ip_vs_ctl.c     | 29 +++++++++++------------------
 net/netfilter/ipvs/ip_vs_pe.c      |  3 ++-
 net/netfilter/ipvs/ip_vs_sched.c   |  3 ++-
 net/netfilter/ipvs/ip_vs_sync.c    | 13 ++++++++++---
 net/netfilter/nf_flow_table_core.c |  3 ++-
 net/netfilter/nf_tables_offload.c  |  2 +-
 net/netfilter/nft_payload.c        | 38 ++++++++++++++++++++++++++++++++++++++
 9 files changed, 77 insertions(+), 27 deletions(-)

Re: [PATCH 0/5] Netfilter/IPVS fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 27 Oct 2019 13:02:16 +0100

> The following patchset contains Netfilter/IPVS fixes for net:
> 
> 1) Fix crash on flowtable due to race between garbage collection
>    and insertion.
> 
> 2) Restore callback unbinding in netfilter offloads.
> 
> 3) Fix races on IPVS module removal, from Davide Caratti.
> 
> 4) Make old_secure_tcp per-netns to fix sysbot report,
>    from Eric Dumazet.
> 
> 5) Validate matching length in netfilter offloads, from wenxu.

Pulled, thanks.