[NETFILTER 00/04]: Netfilter fixes

[NETFILTER 00/04]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are a few more netfilter fixes for 2.6.20, fixing a
nf_conntrack_ipv6 crash when dealing with fragments, hanging
connections when loading the nf_nat module, an incorrect value
for a TCP connection tracking flag and compilation of arp_tables
userspace. I'll also pass on the relevant ones to -stable.

Please apply, thanks.


 include/linux/netfilter/nf_conntrack_tcp.h |    2 +-
 include/linux/netfilter_arp/arp_tables.h   |    1 +
 net/ipv4/netfilter/nf_nat_standalone.c     |    2 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c    |    2 ++
 4 files changed, 5 insertions(+), 2 deletions(-)

Bart De Schuymer:
      [NETFILTER]: arp_tables: fix userspace compilation

Patrick McHardy:
      [NETFILTER]: nf_conntrack_ipv6: fix crash when handling fragments
      [NETFILTER]: nf_nat: fix hanging connections when loading the NAT module
      [NETFILTER]: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value

[NETFILTER 01/04]: nf_conntrack_ipv6: fix crash when handling fragments

[Patrick McHardy]

[NETFILTER]: nf_conntrack_ipv6: fix crash when handling fragments

When IPv6 connection tracking splits up a defragmented packet into
its original fragments, the packets are taken from a list and are
passed to the network stack with skb->next still set. This causes
dev_hard_start_xmit to treat them as GSO fragments, resulting in
a use after free when connection tracking handles the next fragment.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 9a70cbbeb7bfa5194411b8a65b5c6372b93fa99d
tree d7ff95bc06655c96137f6c7a0eb7b2a4bae64b77
parent 3c1df52251d7d2243a88aa6ab00b6afeff666258
author Patrick McHardy <kaber@trash.net> Tue, 09 Jan 2007 11:59:59 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 09 Jan 2007 11:59:59 +0100

 net/ipv6/netfilter/nf_conntrack_reasm.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 37e5fca..d9c1540 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -835,6 +835,8 @@ void nf_ct_frag6_output(unsigned int hoo
 		s->nfct_reasm = skb;
 
 		s2 = s->next;
+		s->next = NULL;
+
 		NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn,
 			       NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
 		s = s2;

[NETFILTER 02/04]: arp_tables: fix userspace compilation

[Patrick McHardy]

[NETFILTER]: arp_tables: fix userspace compilation

The included patch translates arpt_counters to xt_counters, making
userspace arptables compile against recent kernels.

Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 21f6325bc6e8e439cafcdc8d114d3c72743374a3
tree 126ad258b5e36580be61697979a76cc035b0e588
parent 9a70cbbeb7bfa5194411b8a65b5c6372b93fa99d
author Bart De Schuymer <bdschuym@pandora.be> Tue, 09 Jan 2007 12:01:42 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 09 Jan 2007 12:01:42 +0100

 include/linux/netfilter_arp/arp_tables.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 0be2354..24c8786 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -190,6 +190,7 @@ struct arpt_replace
 
 /* The argument to ARPT_SO_ADD_COUNTERS. */
 #define arpt_counters_info xt_counters_info
+#define arpt_counters xt_counters
 
 /* The argument to ARPT_SO_GET_ENTRIES. */
 struct arpt_get_entries

[NETFILTER 03/04]: nf_nat: fix hanging connections when loading the NAT module

[Patrick McHardy]

[NETFILTER]: nf_nat: fix hanging connections when loading the NAT module

When loading the NAT module, existing connection tracking entries don't
have room for NAT information allocated and packets are dropped, causing
hanging connections. They really should be entered into the NAT table
as NULL mappings, but the current allocation scheme doesn't allow this.

For now simply accept those packets to avoid the hanging connections.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 36e2c322ad2424a161b8a2a89c251dc9c71764bb
tree e70f4a11972c8dbe079fef2c75a73e8266c95940
parent 21f6325bc6e8e439cafcdc8d114d3c72743374a3
author Patrick McHardy <kaber@trash.net> Tue, 09 Jan 2007 14:00:45 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 09 Jan 2007 14:00:45 +0100

 net/ipv4/netfilter/nf_nat_standalone.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 730a7a4..00d6dea 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -123,7 +123,7 @@ nf_nat_fn(unsigned int hooknum,
 
 	nat = nfct_nat(ct);
 	if (!nat)
-		return NF_DROP;
+		return NF_ACCEPT;
 
 	switch (ctinfo) {
 	case IP_CT_RELATED:

[NETFILTER 04/04]: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value

[Patrick McHardy]

[NETFILTER]: tcp conntrack: fix IP_CT_TCP_FLAG_CLOSE_INIT value

IP_CT_TCP_FLAG_CLOSE_INIT is a flag and should have a value of 0x4 instead
of 0x3, which is IP_CT_TCP_FLAG_WINDOW_SCALE | IP_CT_TCP_FLAG_SACK_PERM.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 7931808e6b7fb622372dcff7dad12f39d9d1d943
tree a81259cc0e8bb657baed2582655a3e99a3f05351
parent 36e2c322ad2424a161b8a2a89c251dc9c71764bb
author Patrick McHardy <kaber@trash.net> Tue, 09 Jan 2007 15:27:34 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 09 Jan 2007 15:27:34 +0100

 include/linux/netfilter/nf_conntrack_tcp.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
index 6b01ba2..2f4e98b 100644
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -25,7 +25,7 @@ #define IP_CT_TCP_FLAG_WINDOW_SCALE		0x0
 #define IP_CT_TCP_FLAG_SACK_PERM		0x02
 
 /* This sender sent FIN first */
-#define IP_CT_TCP_FLAG_CLOSE_INIT		0x03
+#define IP_CT_TCP_FLAG_CLOSE_INIT		0x04
 
 #ifdef __KERNEL__
 

Re: [NETFILTER 00/04]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  9 Jan 2007 17:29:52 +0100 (MET)

> Hi Dave,
> 
> following are a few more netfilter fixes for 2.6.20, fixing a
> nf_conntrack_ipv6 crash when dealing with fragments, hanging
> connections when loading the nf_nat module, an incorrect value
> for a TCP connection tracking flag and compilation of arp_tables
> userspace. I'll also pass on the relevant ones to -stable.
> 
> Please apply, thanks.

It all looks good, applied, thanks Patrick.