From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 09/16] netfilter: xt_socket: Fix broken IPv6 handling
Date: Wed, 3 May 2017 11:32:04 +0200 [thread overview]
Message-ID: <1493803931-2837-10-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1493803931-2837-1-git-send-email-pablo@netfilter.org>
From: Peter Tirsek <peter@tirsek.com>
Commit 834184b1f3a4 ("netfilter: defrag: only register defrag
functionality if needed") used the outdated XT_SOCKET_HAVE_IPV6 macro
which was removed earlier in commit 8db4c5be88f6 ("netfilter: move
socket lookup infrastructure to nf_socket_ipv{4,6}.c"). With that macro
never being defined, the xt_socket match emits an "Unknown family 10"
warning when used with IPv6:
WARNING: CPU: 0 PID: 1377 at net/netfilter/xt_socket.c:160 socket_mt_enable_defrag+0x47/0x50 [xt_socket]
Unknown family 10
Modules linked in: xt_socket nf_socket_ipv4 nf_socket_ipv6 nf_defrag_ipv4 [...]
CPU: 0 PID: 1377 Comm: ip6tables-resto Not tainted 4.10.10 #1
Hardware name: [...]
Call Trace:
? __warn+0xe7/0x100
? socket_mt_enable_defrag+0x47/0x50 [xt_socket]
? socket_mt_enable_defrag+0x47/0x50 [xt_socket]
? warn_slowpath_fmt+0x39/0x40
? socket_mt_enable_defrag+0x47/0x50 [xt_socket]
? socket_mt_v2_check+0x12/0x40 [xt_socket]
? xt_check_match+0x6b/0x1a0 [x_tables]
? xt_find_match+0x93/0xd0 [x_tables]
? xt_request_find_match+0x20/0x80 [x_tables]
? translate_table+0x48e/0x870 [ip6_tables]
? translate_table+0x577/0x870 [ip6_tables]
? walk_component+0x3a/0x200
? kmalloc_order+0x1d/0x50
? do_ip6t_set_ctl+0x181/0x490 [ip6_tables]
? filename_lookup+0xa5/0x120
? nf_setsockopt+0x3a/0x60
? ipv6_setsockopt+0xb0/0xc0
? sock_common_setsockopt+0x23/0x30
? SyS_socketcall+0x41d/0x630
? vfs_read+0xfa/0x120
? do_fast_syscall_32+0x7a/0x110
? entry_SYSENTER_32+0x47/0x71
This patch brings the conditional back in line with how the rest of the
file handles IPv6.
Fixes: 834184b1f3a4 ("netfilter: defrag: only register defrag functionality if needed")
Signed-off-by: Peter Tirsek <peter@tirsek.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 770bbec878f1..e75ef39669c5 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -152,7 +152,7 @@ static int socket_mt_enable_defrag(struct net *net, int family)
switch (family) {
case NFPROTO_IPV4:
return nf_defrag_ipv4_enable(net);
-#ifdef XT_SOCKET_HAVE_IPV6
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
case NFPROTO_IPV6:
return nf_defrag_ipv6_enable(net);
#endif
--
2.1.4
next prev parent reply other threads:[~2017-05-03 9:32 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-03 9:31 [PATCH 00/16] Netfilter/IPVS/OVS fixes for net Pablo Neira Ayuso
2017-05-03 9:31 ` [PATCH 01/16] netfilter: xt_CT: fix refcnt leak on error path Pablo Neira Ayuso
2017-05-03 9:31 ` [PATCH 02/16] openvswitch: Delete conntrack entry clashing with an expectation Pablo Neira Ayuso
2017-05-03 9:31 ` [PATCH 03/16] netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink Pablo Neira Ayuso
2017-05-03 9:31 ` [PATCH 04/16] netfilter: nft_set_bitmap: free dummy elements when destroy the set Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 05/16] netfilter: ctnetlink: drop the incorrect cthelper module request Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 06/16] netfilter: ctnetlink: fix deadlock due to acquire _expect_lock twice Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 07/16] netfilter: ctnetlink: make it safer when updating ct->status Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 08/16] netfilter: ctnetlink: acquire ct->lock before operating nf_ct_seqadj Pablo Neira Ayuso
2017-05-03 9:32 ` Pablo Neira Ayuso [this message]
2017-05-03 9:32 ` [PATCH 10/16] bridge: ebtables: fix reception of frames DNAT-ed to bridge device/port Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 11/16] netfilter: nft_dynset: continue to next expr if _OP_ADD succeeded Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 12/16] netfilter: Wrong icmp6 checksum for ICMPV6_TIME_EXCEED in reverse SNATv6 path Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 13/16] ipvs: explicitly forbid ipv6 service/dest creation if ipv6 mod is disabled Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 14/16] netfilter: x_tables: unlock on error in xt_find_table_lock() Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 15/16] netfilter: update MAINTAINERS file Pablo Neira Ayuso
2017-05-03 9:32 ` [PATCH 16/16] netfilter: nf_tables: check if same extensions are set when adding elements Pablo Neira Ayuso
2017-05-03 14:11 ` [PATCH 00/16] Netfilter/IPVS/OVS fixes for net David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493803931-2837-10-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).