* [NETFILTER 00/05]: Netfilter fixes
From: Patrick McHardy @ 2006-10-30 18:18 UTC
To: davem; +Cc: netfilter-devel, Patrick McHardy
Hi Dave,
the following patches contain a few important iptables fixes from the OpenVZ
guys, a fix for a nf_conntrack regression from the listhelp.h removal and
a small Kconfig update. I'll pass the important ones on to -stable once
I've caught up with all the previous fixes.
Please apply, thanks.
net/ipv4/netfilter/arp_tables.c | 25 +++++++++-----
net/ipv4/netfilter/ip_tables.c | 67 +++++++++++++++++++-------------------
net/ipv6/netfilter/Kconfig | 2 -
net/ipv6/netfilter/ip6_tables.c | 24 +++++++++----
net/netfilter/nf_conntrack_core.c | 3 +
5 files changed, 69 insertions(+), 52 deletions(-)
Dmitry Mishin:
[NETFILTER]: Missed and reordered checks in {arp,ip,ip6}_tables
[NETFILTER]: ip_tables: compat code module refcounting fix
Martin Josefsson:
[NETFILTER]: nf_conntrack: add missing unlock in get_next_corpse()
Peter Bieringer:
[NETFILTER]: remove masq/NAT from ip6tables Kconfig help
Vasily Averin:
[NETFILTER]: ip_tables: compat error way cleanup
* [NETFILTER 00/05]: Netfilter fixes
From: Patrick McHardy @ 2006-12-04 10:55 UTC
To: davem; +Cc: netfilter-devel, Patrick McHardy
Hi Dave,
following are a few netfilter fixes. The iptables hook validation fixes
are quite critical, so I'm going to send them to -stable along with Bart's
fix.
Please apply, thanks.
include/linux/netfilter/nf_conntrack_pptp.h | 3
net/bridge/br_netfilter.c | 36 +++++-
net/ipv4/netfilter/arp_tables.c | 48 ++++-----
net/ipv4/netfilter/ip_tables.c | 146 ++++++++++++++--------------
net/ipv6/netfilter/ip6_tables.c | 59 ++++-------
net/netfilter/nf_conntrack_expect.c | 27 ++---
6 files changed, 168 insertions(+), 151 deletions(-)
Bart De Schuymer:
[NETFILTER]: bridge netfilter: deal with martians correctly
Dmitry Mishin:
[NETFILTER]: Fix {ip,ip6,arp}_tables hook validation
[NETFILTER]: Fix iptables compat hook validation
Yasuyuki Kozakai:
[NETFILTER]: nf_conntrack: fix warning in PPTP helper
[NETFILTER]: nf_conntrack: Don't try to find clashed expectation
* Re: [NETFILTER 00/05]: Netfilter fixes
From: David Miller @ 2006-12-05 21:45 UTC
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Mon, 4 Dec 2006 11:55:56 +0100 (MET)
> following are a few netfilter fixes. The iptables hook validation fixes
> are quite critical, so I'm going to send them to -stable along with Bart's
> fix.
>
> Please apply, thanks.
All applied, thanks Patrick.
* [NETFILTER 00/05]: Netfilter fixes
From: Patrick McHardy @ 2007-01-04 18:38 UTC
To: davem; +Cc: netfilter-devel, Patrick McHardy
Hi Dave,
following are a few important netfilter fixes for 2.6.20, fixing a
REJECT target regression in 2.6.19, a nf_nat crash and an ebtables
crash. Also included are two patches to use the correct type for
iptables compat offsets and remove the EXPERIMENTAL mark from
nf_conntrack.
Please apply, thanks.
net/bridge/netfilter/ebtables.c | 3 ++-
net/ipv4/netfilter.c | 7 +++++--
net/ipv4/netfilter/Kconfig | 4 ++--
net/ipv4/netfilter/ip_tables.c | 10 +++++-----
net/ipv4/netfilter/ipt_MASQUERADE.c | 5 ++++-
net/netfilter/Kconfig | 25 ++++++++++++-------------
6 files changed, 30 insertions(+), 24 deletions(-)
Chuck Ebbert:
[NETFILTER]: ebtables: don't compute gap before checking struct type
Dmitry Mishin:
[NETFILTER]: compat offsets size change
Martin Josefsson:
[NETFILTER]: nf_nat: fix MASQUERADE crash on device down
Patrick McHardy:
[NETFILTER]: Fix routing of REJECT target generated packets in output chain
[NETFILTER]: New connection tracking is not EXPERIMENTAL anymore
* [NETFILTER 01/05]: compat offsets size change
From: Patrick McHardy @ 2007-01-04 18:38 UTC
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: compat offsets size change
Offsets of entries used by the compat code should be 'unsigned int', as the
entries array size has this dimension.
Signed-off-by: Dmitry Mishin <dim@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 50d2d72a7a584d3562c320c0d3a0f529c4c02e45
tree 8ce716848129163898c18ee1e206054f14c573d3
parent ef5db43a85df7269d22d6c1c38ceedc627c121e1
author Dmitry Mishin <dim@openvz.org> Thu, 04 Jan 2007 19:25:52 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 04 Jan 2007 19:25:52 +0100
net/ipv4/netfilter/ip_tables.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 09696f1..fc1f153 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -919,13 +919,13 @@ copy_entries_to_user(unsigned int total_
#ifdef CONFIG_COMPAT
struct compat_delta {
struct compat_delta *next;
- u_int16_t offset;
+ unsigned int offset;
short delta;
};
static struct compat_delta *compat_offsets = NULL;
-static int compat_add_offset(u_int16_t offset, short delta)
+static int compat_add_offset(unsigned int offset, short delta)
{
struct compat_delta *tmp;
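Review bot: widening `offset` in `struct compat_delta` and in `compat_add_offset()` from `u_int16_t` to `unsigned int` removes a silent truncation for rulesets whose entry offsets exceed 65535, where two distinct entries could previously map to the same 16-bit offset and a later lookup would pick the wrong delta; note that `short delta` in the same struct is left as is, so a one-line comment stating why the per-entry size difference is guaranteed to fit a short would make that narrower type look deliberate.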
@@ -957,7 +957,7 @@ static void compat_flush_offsets(void)
}
}
-static short compat_calc_jump(u_int16_t offset)
+static short compat_calc_jump(unsigned int offset)
{
struct compat_delta *tmp;
short delta;
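Review bot: `compat_calc_jump()` now accepts the widened `unsigned int` offset but still returns `short`, accumulated from the `short delta` fields; since the commit message justifies the offset width by the size of the entries array, the function header should state the assumption that the summed delta stays within short range, otherwise the same overflow concern the patch fixes for offsets reappears on the return value.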
@@ -997,7 +997,7 @@ static int compat_calc_entry(struct ipt_
void *base, struct xt_table_info *newinfo)
{
struct ipt_entry_target *t;
- u_int16_t entry_offset;
+ unsigned int entry_offset;
int off, i, ret;
off = 0;
@@ -1467,7 +1467,7 @@ check_compat_entry_size_and_hooks(struct
{
struct ipt_entry_target *t;
struct ipt_target *target;
- u_int16_t entry_offset;
+ unsigned int entry_offset;
int ret, off, h, j;
duprintf("check_compat_entry_size_and_hooks %p\n", e);
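Review bot: both `compat_calc_entry()` and `check_compat_entry_size_and_hooks()` now keep an `unsigned int entry_offset` next to an `int off`; it is worth confirming that no remaining `u_int16_t` temporaries or parameters sit between where `entry_offset` is computed and the `compat_add_offset()` call, since a single narrow intermediate on that path would reintroduce the truncation this patch removes.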
* [NETFILTER 02/05]: Fix routing of REJECT target generated packets in output chain
From: Patrick McHardy @ 2007-01-04 18:38 UTC
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: Fix routing of REJECT target generated packets in output chain
Packets generated by the REJECT target in the output chain have a local
destination address and a foreign source address. Make sure not to use
the foreign source address for the output route lookup.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit d07cae9fdafe28018fc58dadf7ae5666b324e4e3
tree f60015bbfd8da9d62479f10cc35328f71f20a792
parent 50d2d72a7a584d3562c320c0d3a0f529c4c02e45
author Patrick McHardy <kaber@trash.net> Thu, 04 Jan 2007 19:25:53 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 04 Jan 2007 19:25:53 +0100
net/ipv4/netfilter.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index a689660..c47ce70 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -15,16 +15,19 @@ int ip_route_me_harder(struct sk_buff **
struct flowi fl = {};
struct dst_entry *odst;
unsigned int hh_len;
+ unsigned int type;
+ type = inet_addr_type(iph->saddr);
if (addr_type == RTN_UNSPEC)
- addr_type = inet_addr_type(iph->saddr);
+ addr_type = type;
/* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
* packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
*/
if (addr_type == RTN_LOCAL) {
fl.nl_u.ip4_u.daddr = iph->daddr;
- fl.nl_u.ip4_u.saddr = iph->saddr;
+ if (type == RTN_LOCAL)
+ fl.nl_u.ip4_u.saddr = iph->saddr;
fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
fl.oif = (*pskb)->sk ? (*pskb)->sk->sk_bound_dev_if : 0;
fl.mark = (*pskb)->mark;
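Review bot: `inet_addr_type(iph->saddr)` is now evaluated unconditionally, even when the caller passes an explicit `addr_type` that previously skipped the lookup, so every `ip_route_me_harder()` call with a known address type pays an extra FIB lookup; the result is only needed for the `if (type == RTN_LOCAL)` test inside the `addr_type == RTN_LOCAL` branch, so it could be deferred there for the non-UNSPEC case. The existing comment about `ipt_REJECT.c:send_reset()` should also say that the foreign saddr is deliberately left out of the flow so the output route lookup selects a local source address instead.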
* [NETFILTER 03/05]: New connection tracking is not EXPERIMENTAL anymore
From: Patrick McHardy @ 2007-01-04 18:38 UTC
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: New connection tracking is not EXPERIMENTAL anymore
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit d137d1a8688da1e81415c8a6a33d283210408bf0
tree 5ca294e3d5c0f29674ac218bb6c2155a6baee58c
parent d07cae9fdafe28018fc58dadf7ae5666b324e4e3
author Patrick McHardy <kaber@trash.net> Thu, 04 Jan 2007 19:25:55 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 04 Jan 2007 19:25:55 +0100
net/ipv4/netfilter/Kconfig | 4 ++--
net/netfilter/Kconfig | 25 ++++++++++++-------------
2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index f6026d4..47bd3ad 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -6,8 +6,8 @@ menu "IP: Netfilter Configuration"
depends on INET && NETFILTER
config NF_CONNTRACK_IPV4
- tristate "IPv4 connection tracking support (required for NAT) (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate "IPv4 connection tracking support (required for NAT)"
+ depends on NF_CONNTRACK
---help---
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 1b853c3..cd10e44 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -44,8 +44,7 @@ choice
depends on NF_CONNTRACK_ENABLED
config NF_CONNTRACK_SUPPORT
- bool "Layer 3 Independent Connection tracking (EXPERIMENTAL)"
- depends on EXPERIMENTAL
+ bool "Layer 3 Independent Connection tracking"
help
Layer 3 independent connection tracking is experimental scheme
which generalize ip_conntrack to support other layer 3 protocols.
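Review bot: the help text left in context still describes NF_CONNTRACK_SUPPORT as an "experimental scheme which generalize ip_conntrack", which contradicts dropping the EXPERIMENTAL dependency and prompt suffix in the same hunk; update the help to present it as the layer 3 independent replacement for ip_conntrack (and fix "generalize" to "generalizes") so the prompt and the help do not disagree about its status.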
@@ -122,7 +121,7 @@ config NF_CONNTRACK_EVENTS
config NF_CT_PROTO_GRE
tristate
- depends on EXPERIMENTAL && NF_CONNTRACK
+ depends on NF_CONNTRACK
config NF_CT_PROTO_SCTP
tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
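Review bot: NF_CT_PROTO_GRE drops its EXPERIMENTAL dependency here while the NF_CT_PROTO_SCTP entry visible in the trailing context keeps "(EXPERIMENTAL)" in its prompt; since NF_CONNTRACK_PPTP selects NF_CT_PROTO_GRE and loses its own EXPERIMENTAL dependency later in this patch, this hunk is required for that change, and the commit message would benefit from one line naming which protocol trackers intentionally remain experimental.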
@@ -136,8 +135,8 @@ config NF_CT_PROTO_SCTP
Documentation/modules.txt. If unsure, say `N'.
config NF_CONNTRACK_AMANDA
- tristate "Amanda backup protocol support (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate "Amanda backup protocol support"
+ depends on NF_CONNTRACK
select TEXTSEARCH
select TEXTSEARCH_KMP
help
@@ -151,8 +150,8 @@ config NF_CONNTRACK_AMANDA
To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_FTP
- tristate "FTP protocol support (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate "FTP protocol support"
+ depends on NF_CONNTRACK
help
Tracking FTP connections is problematic: special helpers are
required for tracking them, and doing masquerading and other forms
@@ -184,8 +183,8 @@ config NF_CONNTRACK_H323
To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_IRC
- tristate "IRC protocol support (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate "IRC protocol support"
+ depends on NF_CONNTRACK
help
There is a commonly-used extension to IRC called
Direct Client-to-Client Protocol (DCC). This enables users to send
@@ -218,8 +217,8 @@ config NF_CONNTRACK_NETBIOS_NS
To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_PPTP
- tristate "PPtP protocol support (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate "PPtP protocol support"
+ depends on NF_CONNTRACK
select NF_CT_PROTO_GRE
help
This module adds support for PPTP (Point to Point Tunnelling
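Review bot: the rewritten prompt keeps the "PPtP" capitalisation while the help text directly below spells it "PPTP"; since the prompt line is being touched anyway, make the two consistent.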
@@ -249,8 +248,8 @@ config NF_CONNTRACK_SIP
To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_TFTP
- tristate "TFTP protocol support (EXPERIMENTAL)"
- depends on EXPERIMENTAL && NF_CONNTRACK
+ tristate "TFTP protocol support"
+ depends on NF_CONNTRACK
help
TFTP connection tracking helper, this is required depending
on how restrictive your ruleset is.
* [NETFILTER 04/05]: nf_nat: fix MASQUERADE crash on device down
From: Patrick McHardy @ 2007-01-04 18:38 UTC
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: nf_nat: fix MASQUERADE crash on device down
Check the return value of nfct_nat() in device_cmp(); we might very well
have non-NAT conntrack entries as well (Netfilter bugzilla #528).
Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 36263425185d6993ca8af49ad6e7d1af66846d9c
tree 99089b7efc4c5c76d7afdc07f82537b9c525a799
parent d137d1a8688da1e81415c8a6a33d283210408bf0
author Martin Josefsson <gandalf@wlug.westbo.se> Thu, 04 Jan 2007 19:25:56 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 04 Jan 2007 19:25:56 +0100
net/ipv4/netfilter/ipt_MASQUERADE.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 28b9233..d669685 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -127,10 +127,13 @@ #endif
static inline int
device_cmp(struct ip_conntrack *i, void *ifindex)
{
+ int ret;
#ifdef CONFIG_NF_NAT_NEEDED
struct nf_conn_nat *nat = nfct_nat(i);
+
+ if (!nat)
+ return 0;
#endif
- int ret;
read_lock_bh(&masq_lock);
#ifdef CONFIG_NF_NAT_NEEDED
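Review bot: the early `return 0` for a NULL `nfct_nat()` result sits before `read_lock_bh(&masq_lock)`, so no lock is leaked, and moving `int ret;` above the `#ifdef` keeps all declarations ahead of the new statement; a short comment at the NULL check saying that conntracks without a NAT extension are reported as not matching the device would help, since the caller relies on exactly that to leave them untouched when the interface goes down.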
* [NETFILTER 05/05]: ebtables: don't compute gap before checking struct type
From: Patrick McHardy @ 2007-01-04 18:38 UTC
To: davem; +Cc: netfilter-devel, Patrick McHardy
[NETFILTER]: ebtables: don't compute gap before checking struct type
We cannot compute the gap until we know we have a 'struct ebt_entry' and
not 'struct ebt_entries'. Failure to check can cause a crash.
Tested-by: Santiago Garcia Mantinan <manty@manty.net>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 5a6aa046d38ffffa96ee2c6cbba0ea7fa405abdf
tree d7215dd5b39707affd4ce0e70d313335ffd85611
parent 36263425185d6993ca8af49ad6e7d1af66846d9c
author Chuck Ebbert <76306.1226@compuserve.com> Thu, 04 Jan 2007 19:28:53 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 04 Jan 2007 19:28:53 +0100
net/bridge/netfilter/ebtables.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index bee558a..6c84ccb 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -610,7 +610,7 @@ ebt_check_entry(struct ebt_entry *e, str
struct ebt_entry_target *t;
struct ebt_target *target;
unsigned int i, j, hook = 0, hookmask = 0;
- size_t gap = e->next_offset - e->target_offset;
+ size_t gap;
int ret;
/* don't mess with the struct ebt_entries */
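Review bot: `size_t gap` is now declared without an initialiser and assigned only later in the function; if a compiler cannot prove that every use is dominated by that later assignment and emits a maybe-uninitialised warning, initialising it to 0 at the declaration is the cheaper fix than restructuring the function.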
@@ -660,6 +660,7 @@ ebt_check_entry(struct ebt_entry *e, str
if (ret != 0)
goto cleanup_watchers;
t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
+ gap = e->next_offset - e->target_offset;
target = find_target_lock(t->u.name, &ret, &ebt_mutex);
if (!target)
goto cleanup_watchers;
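Review bot: `gap = e->next_offset - e->target_offset` is an unsigned subtraction on two fields that come from user-supplied table data, so it relies on an earlier check that `next_offset >= target_offset`, otherwise the value wraps to a huge size_t; if that check lives elsewhere, a short comment here pointing to it would help. The move itself is correct, since the `struct ebt_entries` case is rejected right after the declarations and this point is only reached for a real `struct ebt_entry`.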
* Re: [NETFILTER 01/05]: compat offsets size change
From: David Miller @ 2007-01-04 20:14 UTC
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 4 Jan 2007 19:38:22 +0100 (MET)
> [NETFILTER]: compat offsets size change
>
> Offsets of entries used by the compat code should be 'unsigned int', as the
> entries array size has this dimension.
>
> Signed-off-by: Dmitry Mishin <dim@openvz.org>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
Applied.
* Re: [NETFILTER 02/05]: Fix routing of REJECT target generated packets in output chain
From: David Miller @ 2007-01-04 20:15 UTC
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 4 Jan 2007 19:38:23 +0100 (MET)
> [NETFILTER]: Fix routing of REJECT target generated packets in output chain
>
> Packets generated by the REJECT target in the output chain have a local
> destination address and a foreign source address. Make sure not to use
> the foreign source address for the output route lookup.
>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
Applied.
* Re: [NETFILTER 03/05]: New connection tracking is not EXPERIMENTAL anymore
From: David Miller @ 2007-01-04 20:16 UTC
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 4 Jan 2007 19:38:24 +0100 (MET)
> [NETFILTER]: New connection tracking is not EXPERIMENTAL anymore
>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
Applied, thanks for following up on this.
* Re: [NETFILTER 04/05]: nf_nat: fix MASQUERADE crash on device down
From: David Miller @ 2007-01-04 20:17 UTC
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 4 Jan 2007 19:38:25 +0100 (MET)
> [NETFILTER]: nf_nat: fix MASQUERADE crash on device down
>
> Check the return value of nfct_nat() in device_cmp(); we might very well
> have non-NAT conntrack entries as well (Netfilter bugzilla #528).
>
> Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
Applied, thanks.
* Re: [NETFILTER 05/05]: ebtables: don't compute gap before checking struct type
From: David Miller @ 2007-01-04 20:18 UTC
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 4 Jan 2007 19:38:27 +0100 (MET)
> [NETFILTER]: ebtables: don't compute gap before checking struct type
>
> We cannot compute the gap until we know we have a 'struct ebt_entry' and
> not 'struct ebt_entries'. Failure to check can cause a crash.
>
> Tested-by: Santiago Garcia Mantinan <manty@manty.net>
> Acked-by: Al Viro <viro@zeniv.linux.org.uk>
> Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
> Signed-off-by: Andrew Morton <akpm@osdl.org>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
Also applied, thanks a lot.
* [NETFILTER 00/05]: Netfilter fixes
From: Patrick McHardy @ 2008-02-27 13:14 UTC
To: davem; +Cc: Patrick McHardy, netfilter-devel
Hi Dave,
these patches for 2.6.25 fix a couple of netfilter bugs: the
smp_processor_id() warning when using preemptible RCU reported
by multiple people, address and state matching in the new
xt_conntrack revision, and improper use of parenthesis in
the NF_QUEUE_NR macro.
Additionally there is a patch to make the NAT core behave similarly
to the recently removed SAME target for SNAT, which fixes problems
when accessing certain multihomed sites.
Please apply, thanks.
include/linux/netfilter.h | 2 +-
net/ipv4/netfilter/nf_nat_core.c | 11 +++++++----
net/netfilter/nf_conntrack_core.c | 15 ++++++++++++---
net/netfilter/xt_conntrack.c | 4 ++--
4 files changed, 22 insertions(+), 10 deletions(-)
Jan Engelhardt (2):
[NETFILTER]: xt_conntrack: fix missing boolean clamping
[NETFILTER]: xt_conntrack: fix IPv4 address comparison
Patrick McHardy (3):
[NETFILTER]: nf_conntrack: fix smp_processor_id() in preemptible code warning
[NETFILTER]: nf_nat: always select same SNAT source for same host
[NETFILTER]: Fix NF_QUEUE_NR() parenthesis