[PATCH 0/3] Netfilter/IPVS fixes for net

[PATCH 0/3] Netfilter/IPVS fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contains Netfilter/IPVS fixes for your net tree,
they are:

1) Maintain all DSCP and ECN bits for IPv6 tun forwarding. This
   resolves an inconsistency between IPv4 and IPv6 behaviour.
   Patch from Alex Gartrell via Simon Horman.

2) Fix unnoticeable blink in xt_LED when the led-always-blink option is
   used, from Jiri Prchal.

3) Add missing return in nft_del_setelem(), otherwise this results in a
   double call of nft_data_uninit() in the nf_tables code, from Thomas Graf.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 2627b7e15c5064ddd5e578e4efd948d48d531a3f:

  ipvs: avoid netns exit crash on ip_vs_conn_drop_conntrack (2014-07-16 09:39:28 +0900)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to 0dc1362562a2e8b82a6be8d3ae307a234f28f9bc:

  netfilter: nf_tables: Avoid duplicate call to nft_data_uninit() for same key (2014-08-01 18:14:49 +0200)

----------------------------------------------------------------
Alex Gartrell (1):
      ipvs: Maintain all DSCP and ECN bits for ipv6 tun forwarding

Jiri Prchal (1):
      netfilter: xt_LED: fix too short led-always-blink

Thomas Graf (1):
      netfilter: nf_tables: Avoid duplicate call to nft_data_uninit() for same key

 net/netfilter/ipvs/ip_vs_xmit.c |    2 +-
 net/netfilter/nf_tables_api.c   |    1 +
 net/netfilter/xt_LED.c          |   10 +++++++---
 3 files changed, 9 insertions(+), 4 deletions(-)

[PATCH 1/3] ipvs: Maintain all DSCP and ECN bits for ipv6 tun forwarding

[Pablo Neira Ayuso]

From: Alex Gartrell <agartrell@fb.com>

Previously, only the four high bits of the tclass were maintained in the
ipv6 case.  This matches the behavior of ipv4, though whether or not we
should reflect ECN bits may be up for debate.

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/ip_vs_xmit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 73ba1cc..6f70bdd 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -967,8 +967,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
 	iph->nexthdr		=	IPPROTO_IPV6;
 	iph->payload_len	=	old_iph->payload_len;
 	be16_add_cpu(&iph->payload_len, sizeof(*old_iph));
-	iph->priority		=	old_iph->priority;
 	memset(&iph->flow_lbl, 0, sizeof(iph->flow_lbl));
+	ipv6_change_dsfield(iph, 0, ipv6_get_dsfield(old_iph));
 	iph->daddr = cp->daddr.in6;
 	iph->saddr = saddr;
 	iph->hop_limit		=	old_iph->hop_limit;
-- 
1.7.10.4

[PATCH 2/3] netfilter: xt_LED: fix too short led-always-blink

[Pablo Neira Ayuso]

From: Jiri Prchal <jiri.prchal@aksignal.cz>

If led-always-blink is set, then between switch led OFF and ON
is almost zero time. So blink is invisible. This use oneshot led trigger
with fixed time 50ms witch is enough to see blink.

Signed-off-by: Jiri Prchal <jiri.prchal@aksignal.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_LED.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 993de2b..92c71cd 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -50,11 +50,14 @@ struct xt_led_info_internal {
 	struct timer_list timer;
 };
 
+#define XT_LED_BLINK_DELAY 50 /* ms */
+
 static unsigned int
 led_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_led_info *ledinfo = par->targinfo;
 	struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
+	unsigned long led_delay = XT_LED_BLINK_DELAY;
 
 	/*
 	 * If "always blink" is enabled, and there's still some time until the
@@ -62,9 +65,10 @@ led_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	 */
 	if ((ledinfo->delay > 0) && ledinfo->always_blink &&
 	    timer_pending(&ledinternal->timer))
-		led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
-
-	led_trigger_event(&ledinternal->netfilter_led_trigger, LED_FULL);
+		led_trigger_blink_oneshot(&ledinternal->netfilter_led_trigger,
+					  &led_delay, &led_delay, 1);
+	else
+		led_trigger_event(&ledinternal->netfilter_led_trigger, LED_FULL);
 
 	/* If there's a positive delay, start/update the timer */
 	if (ledinfo->delay > 0) {
-- 
1.7.10.4

[PATCH 3/3] netfilter: nf_tables: Avoid duplicate call to nft_data_uninit() for same key

[Pablo Neira Ayuso]

From: Thomas Graf <tgraf@suug.ch>

nft_del_setelem() currently calls nft_data_uninit() twice on the same
key. Once to release the key which is guaranteed to be NFT_DATA_VALUE
and a second time in the error path to which it falls through.

The second call has been harmless so far though because the type
passed is always NFT_DATA_VALUE which is currently a no-op.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 8746ff9..b35ba83 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3218,6 +3218,7 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
 	if (set->flags & NFT_SET_MAP)
 		nft_data_uninit(&elem.data, set->dtype);
 
+	return 0;
 err2:
 	nft_data_uninit(&elem.key, desc.type);
 err1:
-- 
1.7.10.4

Re: [PATCH 0/3] Netfilter/IPVS fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri,  1 Aug 2014 18:40:36 +0200

> The following patchset contains Netfilter/IPVS fixes for your net tree,
> they are:
> 
> 1) Maintain all DSCP and ECN bits for IPv6 tun forwarding. This
>    resolves an inconsistency between IPv4 and IPv6 behaviour.
>    Patch from Alex Gartrell via Simon Horman.
> 
> 2) Fix unnoticeable blink in xt_LED when the led-always-blink option is
>    used, from Jiri Prchal.
> 
> 3) Add missing return in nft_del_setelem(), otherwise this results in a
>    double call of nft_data_uninit() in the nf_tables code, from Thomas Graf.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

[PATCH 0/3] Netfilter/IPVS fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contains Netfilter/IPVS fixes for net:

1) Missing structure initialization in ebtables causes splat with
   32-bit user level on a 64-bit kernel, from Francesco Ruggeri.

2) Missing dependency on nf_defrag in IPVS IPv6 codebase, from
   Andrea Claudi.

3) Fix possible use-after-free from release path of target extensions.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit cf657d22ee1f0e887326a92169f2e28dc932fd10:

  net/x25: do not hold the cpu too long in x25_new_lci() (2019-02-11 13:20:14 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 753c111f655e38bbd52fc01321266633f022ebe2:

  netfilter: nft_compat: use-after-free when deleting targets (2019-02-13 18:14:54 +0100)

----------------------------------------------------------------
Andrea Claudi (1):
      ipvs: fix dependency on nf_defrag_ipv6

Francesco Ruggeri (1):
      netfilter: compat: initialize all fields in xt_init

Pablo Neira Ayuso (1):
      netfilter: nft_compat: use-after-free when deleting targets

 net/netfilter/ipvs/Kconfig      |  1 +
 net/netfilter/ipvs/ip_vs_core.c | 10 ++++------
 net/netfilter/ipvs/ip_vs_ctl.c  | 10 ++++++++++
 net/netfilter/nft_compat.c      |  3 ++-
 net/netfilter/x_tables.c        |  2 +-
 5 files changed, 18 insertions(+), 8 deletions(-)

Re: [PATCH 0/3] Netfilter/IPVS fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 13 Feb 2019 18:47:55 +0100

> The following patchset contains Netfilter/IPVS fixes for net:
> 
> 1) Missing structure initialization in ebtables causes splat with
>    32-bit user level on a 64-bit kernel, from Francesco Ruggeri.
> 
> 2) Missing dependency on nf_defrag in IPVS IPv6 codebase, from
>    Andrea Claudi.
> 
> 3) Fix possible use-after-free from release path of target extensions.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.