* [PATCH 0/5] Netfilter/IPVS fixes for net
@ 2013-06-24 15:15 Pablo Neira Ayuso
2013-06-24 15:15 ` [PATCH 1/5] ipvs: SCTP ports should be writable in ICMP packets Pablo Neira Ayuso
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-24 15:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains five fixes for Netfilter/IPVS, they are:
* A skb leak fix in fragmentation handling in case that helpers are in place,
it occurs since the IPV6 NAT infrastructure, from Phil Oester.
* Fix SCTP port mangling in ICMP packets for IPVS, from Julian Anastasov.
* Fix event delivery in ctnetlink regarding the new connlabel infrastructure,
from Florian Westphal.
* Fix mangling in the SIP NAT helper, from Balazs Peter Odor.
* Fix crash in ipt_ULOG introduced while adding netnamespace support,
from Gao Feng.
I'll take care of passing several of these patches to -stable once they hit
Linus' tree.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Thanks!
----------------------------------------------------------------
The following changes since commit b396966c4688522863572927cb30aa874b3ec504:
netfilter: xt_TCPMSS: Fix missing fragmentation handling (2013-06-12 11:06:19 +0200)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to c8fc51cfa758be945c6113a4b446e0159070f768:
netfilter: ipt_ULOG: fix incorrect setting of ulog timer (2013-06-24 17:10:44 +0200)
----------------------------------------------------------------
Balazs Peter Odor (1):
netfilter: nf_nat_sip: fix mangling
Florian Westphal (1):
netfilter: ctnetlink: send event when conntrack label was modified
Gao feng (1):
netfilter: ipt_ULOG: fix incorrect setting of ulog timer
Julian Anastasov (1):
ipvs: SCTP ports should be writable in ICMP packets
Phil Oester (1):
netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling
net/ipv4/netfilter/ipt_ULOG.c | 12 ++++++++----
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 2 +-
net/netfilter/ipvs/ip_vs_core.c | 3 ++-
net/netfilter/nf_conntrack_labels.c | 2 +-
net/netfilter/nf_conntrack_netlink.c | 1 +
net/netfilter/nf_nat_sip.c | 3 ++-
6 files changed, 15 insertions(+), 8 deletions(-)
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/5] ipvs: SCTP ports should be writable in ICMP packets
2013-06-24 15:15 [PATCH 0/5] Netfilter/IPVS fixes for net Pablo Neira Ayuso
@ 2013-06-24 15:15 ` Pablo Neira Ayuso
2013-06-24 15:15 ` [PATCH 2/5] netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling Pablo Neira Ayuso
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-24 15:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Julian Anastasov <ja@ssi.bg>
Make sure that SCTP ports are writable when embedded in ICMP
from client, so that ip_vs_nat_icmp can translate them safely.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
net/netfilter/ipvs/ip_vs_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 05565d2..23b8eb5 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1442,7 +1442,8 @@ ignore_ipip:
/* do the statistics and put it back */
ip_vs_in_stats(cp, skb);
- if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
+ if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol ||
+ IPPROTO_SCTP == cih->protocol)
offset += 2 * sizeof(__u16);
verdict = ip_vs_icmp_xmit(skb, cp, pp, offset, hooknum, &ciph);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/5] netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling
2013-06-24 15:15 [PATCH 0/5] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2013-06-24 15:15 ` [PATCH 1/5] ipvs: SCTP ports should be writable in ICMP packets Pablo Neira Ayuso
@ 2013-06-24 15:15 ` Pablo Neira Ayuso
2013-06-24 15:15 ` [PATCH 3/5] netfilter: nf_nat_sip: fix mangling Pablo Neira Ayuso
2013-06-24 19:47 ` [PATCH 0/5] Netfilter/IPVS fixes for net David Miller
3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-24 15:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Phil Oester <kernel@linuxace.com>
In commit 4cdd3408 ("netfilter: nf_conntrack_ipv6: improve fragmentation
handling"), an sk_buff leak was introduced when dealing with reassembled
packets by grabbing a reference to the original skb instead of the
reassembled skb. At this point, the leak only impacted conntracks with an
associated helper.
In commit 58a317f1 ("netfilter: ipv6: add IPv6 NAT support"), the bug was
expanded to include all reassembled packets with unconfirmed conntracks.
Fix this by grabbing a reference to the proper reassembled skb. This
closes netfilter bugzilla #823.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 97bcf2b..c9b6a6e 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -204,7 +204,7 @@ static unsigned int __ipv6_conntrack_in(struct net *net,
if (ct != NULL && !nf_ct_is_untracked(ct)) {
help = nfct_help(ct);
if ((help && help->helper) || !nf_ct_is_confirmed(ct)) {
- nf_conntrack_get_reasm(skb);
+ nf_conntrack_get_reasm(reasm);
NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,
(struct net_device *)in,
(struct net_device *)out,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/5] netfilter: nf_nat_sip: fix mangling
2013-06-24 15:15 [PATCH 0/5] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2013-06-24 15:15 ` [PATCH 1/5] ipvs: SCTP ports should be writable in ICMP packets Pablo Neira Ayuso
2013-06-24 15:15 ` [PATCH 2/5] netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling Pablo Neira Ayuso
@ 2013-06-24 15:15 ` Pablo Neira Ayuso
2013-06-24 19:47 ` [PATCH 0/5] Netfilter/IPVS fixes for net David Miller
3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-24 15:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Balazs Peter Odor <balazs@obiserver.hu>
In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
there were some missing brackets around the logging information, thus
always returning drop.
Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_nat_sip.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index 96ccdf7..dac11f7 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -230,9 +230,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
&ct->tuplehash[!dir].tuple.src.u3,
false);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
- poff, plen, buffer, buflen))
+ poff, plen, buffer, buflen)) {
nf_ct_helper_log(skb, ct, "cannot mangle received");
return NF_DROP;
+ }
}
/* The rport= parameter (RFC 3581) contains the port number
--
1.7.10.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 0/5] Netfilter/IPVS fixes for net
2013-06-24 15:15 [PATCH 0/5] Netfilter/IPVS fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2013-06-24 15:15 ` [PATCH 3/5] netfilter: nf_nat_sip: fix mangling Pablo Neira Ayuso
@ 2013-06-24 19:47 ` David Miller
3 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2013-06-24 19:47 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 24 Jun 2013 17:15:44 +0200
> The following patchset contains five fixes for Netfilter/IPVS, they are:
>
> * A skb leak fix in fragmentation handling in case that helpers are in place,
> it occurs since the IPV6 NAT infrastructure, from Phil Oester.
>
> * Fix SCTP port mangling in ICMP packets for IPVS, from Julian Anastasov.
>
> * Fix event delivery in ctnetlink regarding the new connlabel infrastructure,
> from Florian Westphal.
>
> * Fix mangling in the SIP NAT helper, from Balazs Peter Odor.
>
> * Fix crash in ipt_ULOG introduced while adding netnamespace support,
> from Gao Feng.
>
> I'll take care of passing several of these patches to -stable once they hit
> Linus' tree.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Pulled, thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2013-06-24 19:47 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-24 15:15 [PATCH 0/5] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2013-06-24 15:15 ` [PATCH 1/5] ipvs: SCTP ports should be writable in ICMP packets Pablo Neira Ayuso
2013-06-24 15:15 ` [PATCH 2/5] netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling Pablo Neira Ayuso
2013-06-24 15:15 ` [PATCH 3/5] netfilter: nf_nat_sip: fix mangling Pablo Neira Ayuso
2013-06-24 19:47 ` [PATCH 0/5] Netfilter/IPVS fixes for net David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).