[NETFILTER 00/03]: Netfilter fixes

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are three netfilter fixes for 2.6.20, fixing a problem with ICMP
translation in the new nf_nat code and two bugs in the new PPTP helper port
breaking NAT of PPTP connections.

Please apply, thanks.


 net/ipv4/netfilter/Makefile       |   20 ++++++++++----------
 net/ipv4/netfilter/nf_nat_pptp.c  |    4 ++--
 net/netfilter/nf_conntrack_pptp.c |    2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

Patrick McHardy:
      [NETFILTER]: nf_nat: fix ICMP translation with statically linked conntrack
      [NETFILTER]: nf_nat_pptp: fix expectation removal
      [NETFILTER]: nf_conntrack_pptp: fix NAT setup of expected GRE connections

[NETFILTER 01/03]: nf_nat: fix ICMP translation with statically linked conntrack

[Patrick McHardy]

[NETFILTER]: nf_nat: fix ICMP translation with statically linked conntrack

When nf_nat/nf_conntrack_ipv4 are linked statically, nf_nat is initialized
before nf_conntrack_ipv4, which makes the nf_ct_l3proto_find_get(AF_INET)
call during nf_nat initialization return the generic l3proto instead of
the AF_INET specific one. This breaks ICMP error translation since the
generic protocol always initializes the IPs in the tuple to 0.

Change the linking order and put nf_conntrack_ipv4 first.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 7093c7d9fd00eff7cc3edba17fc8f8e1e6644da7
tree 26626579bb6e50d89602a81b181261a047d0f451
parent eef40519c526f6446a0bf8ecc666af30f2eb5bfa
author Patrick McHardy <kaber@trash.net> Wed, 24 Jan 2007 21:02:56 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 25 Jan 2007 01:17:14 +0100

 net/ipv4/netfilter/Makefile |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 15e741a..16d177b 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -4,6 +4,14 @@ #
 
 # objects for the standalone - connection tracking / NAT
 ip_conntrack-objs	:= ip_conntrack_standalone.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o
+# objects for l3 independent conntrack
+nf_conntrack_ipv4-objs  :=  nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o
+ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y)
+ifeq ($(CONFIG_PROC_FS),y)
+nf_conntrack_ipv4-objs	+= nf_conntrack_l3proto_ipv4_compat.o
+endif
+endif
+
 ip_nat-objs	:= ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o
 nf_nat-objs	:= nf_nat_core.o nf_nat_helper.o nf_nat_proto_unknown.o nf_nat_proto_tcp.o nf_nat_proto_udp.o nf_nat_proto_icmp.o
 ifneq ($(CONFIG_NF_NAT),)
@@ -20,6 +28,8 @@ ip_nat_h323-objs := ip_nat_helper_h323.o
 
 # connection tracking
 obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
+obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o
+
 obj-$(CONFIG_IP_NF_NAT) += ip_nat.o
 obj-$(CONFIG_NF_NAT) += nf_nat.o
 
@@ -106,13 +116,3 @@ obj-$(CONFIG_IP_NF_ARPFILTER) += arptabl
 
 obj-$(CONFIG_IP_NF_QUEUE) += ip_queue.o
 
-# objects for l3 independent conntrack
-nf_conntrack_ipv4-objs  :=  nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o
-ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y)
-ifeq ($(CONFIG_PROC_FS),y)
-nf_conntrack_ipv4-objs	+= nf_conntrack_l3proto_ipv4_compat.o
-endif
-endif
-
-# l3 independent conntrack
-obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o

[NETFILTER 02/03]: nf_nat_pptp: fix expectation removal

[Patrick McHardy]

[NETFILTER]: nf_nat_pptp: fix expectation removal

When removing the expectation for the opposite direction, the PPTP NAT
helper initializes the tuple for lookup with the addresses of the
opposite direction, which makes the lookup fail.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 3cb4aaf49a15b7dd30fe3ef882fa22f0255a3679
tree f5e8179acac4065f5e5917007e6a0e6d9343cc30
parent 7093c7d9fd00eff7cc3edba17fc8f8e1e6644da7
author Patrick McHardy <kaber@trash.net> Wed, 24 Jan 2007 21:05:28 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 25 Jan 2007 01:17:16 +0100

 net/ipv4/netfilter/nf_nat_pptp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
index 0ae45b7..5df4fca 100644
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -72,9 +72,9 @@ static void pptp_nat_expected(struct nf_
 		DEBUGP("we are PAC->PNS\n");
 		/* build tuple for PNS->PAC */
 		t.src.l3num = AF_INET;
-		t.src.u3.ip = master->tuplehash[exp->dir].tuple.src.u3.ip;
+		t.src.u3.ip = master->tuplehash[!exp->dir].tuple.src.u3.ip;
 		t.src.u.gre.key = nat_pptp_info->pns_call_id;
-		t.dst.u3.ip = master->tuplehash[exp->dir].tuple.dst.u3.ip;
+		t.dst.u3.ip = master->tuplehash[!exp->dir].tuple.dst.u3.ip;
 		t.dst.u.gre.key = nat_pptp_info->pac_call_id;
 		t.dst.protonum = IPPROTO_GRE;
 	}

[NETFILTER 03/03]: nf_conntrack_pptp: fix NAT setup of expected GRE connections

[Patrick McHardy]

[NETFILTER]: nf_conntrack_pptp: fix NAT setup of expected GRE connections

When an expected connection arrives, the NAT helper should be called to
set up NAT similar to the master connection. The PPTP conntrack helper
incorrectly checks whether the _expected_ connection has NAT setup before
calling the NAT helper (which is never the case), instead of checkeing
whether the _master_ connection is NATed.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 279422af9b3aa7a2646f6a0c73d2add4aa43e77b
tree 50be0d46d88950d02ccd409c949d550b1c759adc
parent 3cb4aaf49a15b7dd30fe3ef882fa22f0255a3679
author Patrick McHardy <kaber@trash.net> Wed, 24 Jan 2007 21:08:09 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 25 Jan 2007 01:17:16 +0100

 net/netfilter/nf_conntrack_pptp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index f0ff00e..c59df3b 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -113,7 +113,7 @@ static void pptp_expectfn(struct nf_conn
 
 	rcu_read_lock();
 	nf_nat_pptp_expectfn = rcu_dereference(nf_nat_pptp_hook_expectfn);
-	if (nf_nat_pptp_expectfn && ct->status & IPS_NAT_MASK)
+	if (nf_nat_pptp_expectfn && ct->master->status & IPS_NAT_MASK)
 		nf_nat_pptp_expectfn(ct, exp);
 	else {
 		struct nf_conntrack_tuple inv_t;

Re: [NETFILTER 00/03]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 25 Jan 2007 01:21:56 +0100 (MET)

> following are three netfilter fixes for 2.6.20, fixing a problem with ICMP
> translation in the new nf_nat code and two bugs in the new PPTP helper port
> breaking NAT of PPTP connections.
> 
> Please apply, thanks.

All applied, thanks a lot Patrick.

Re: [NETFILTER 00/03]: Netfilter fixes

[Jorge Bastos]

David,
I have kernel 2.6.20-rc6 and i can't make pptp connections, only 2.6.20-rc5 
with the patch patrick provided me.
In wich version did you apply this?

Jorge



----- Original Message ----- 
From: "David Miller" <davem@davemloft.net>
To: <kaber@trash.net>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Friday, January 26, 2007 9:08 AM
Subject: Re: [NETFILTER 00/03]: Netfilter fixes


> From: Patrick McHardy <kaber@trash.net>
> Date: Thu, 25 Jan 2007 01:21:56 +0100 (MET)
>
>> following are three netfilter fixes for 2.6.20, fixing a problem with 
>> ICMP
>> translation in the new nf_nat code and two bugs in the new PPTP helper 
>> port
>> breaking NAT of PPTP connections.
>>
>> Please apply, thanks.
>
> All applied, thanks a lot Patrick.
>
> 

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are a few more netfilter fixes for 2.6.20, fixing a division
by zero in the connbytes match (I will pass this one on to -stable as
well) and two problems with the SIP conntrack helper.

Please apply, thanks.


 net/ipv4/netfilter/ip_conntrack_sip.c |   10 ++++++++--
 net/netfilter/nf_conntrack_sip.c      |   10 ++++++++--
 net/netfilter/xt_connbytes.c          |   29 ++++++++++++-----------------
 3 files changed, 28 insertions(+), 21 deletions(-)

Lars Immisch:
      [NETFILTER]: SIP conntrack: fix skipping over user info in SIP headers

Patrick McHardy:
      [NETFILTER]: xt_connbytes: fix division by zero
      [NETFILTER]: SIP conntrack: fix out of bounds memory access

Re: [NETFILTER 00/03]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 30 Jan 2007 19:16:27 +0100 (MET)

> Hi Dave,
> 
> following are a few more netfilter fixes for 2.6.20, fixing a division
> by zero in the connbytes match (I will pass this one on to -stable as
> well) and two problems with the SIP conntrack helper.
> 
> Please apply, thanks.

I sucked these all in, please push that one to -stable, thanks.

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are three more patches for some nasty netfilter bugs, fixing incorrect
conntrack classification of IPv6 fragments, a crash in nfnetlink_log with briding
and a missing terminating zero-byte in the nfnetlink_log prefix message.

Please apply, thanks.


 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    1 +
 net/netfilter/nfnetlink_log.c                  |    4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

Patrick McHardy:
      [NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
      [NETFILTER]: nfnetlink_log: zero-terminate prefix
      [NETFILTER]: nfnetlink_log: fix crash on bridged packet

Re: [NETFILTER 00/03]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  6 Mar 2007 08:44:01 +0100 (MET)

> Hi Dave,
> 
> following are three more patches for some nasty netfilter bugs, fixing incorrect
> conntrack classification of IPv6 fragments, a crash in nfnetlink_log with briding
> and a missing terminating zero-byte in the nfnetlink_log prefix message.
> 
> Please apply, thanks.

All 3 patches applied, thank you.

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these patches fix improper textsearch_prepare return value checks in the amanda
conntrack helper, the iptables compat crash reported by Jan Engelhardt and some
connection tracking helper unload races.

Please apply, thanks.


 include/linux/netfilter_ipv4/ip_tables.h       |   17 +++++
 net/ipv4/netfilter/ip_tables.c                 |   81 +++++++++++++++++++------
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   13 ++--
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    9 ++
 net/netfilter/nf_conntrack_amanda.c            |   12 +--
 net/netfilter/nf_conntrack_core.c              |   26 +++++---
 net/netfilter/nf_conntrack_expect.c            |    4 +
 net/netfilter/nf_conntrack_helper.c            |    2 
 net/netfilter/nf_conntrack_netlink.c           |   34 +++++++---
 net/netfilter/nf_conntrack_proto_gre.c         |    2 
 10 files changed, 147 insertions(+), 53 deletions(-)

Akinobu Mita (1):
      [NETFILTER]: nf_conntrack_amanda: fix textsearch_prepare() error check

Dmitry Mishin (1):
      [NETFILTER]: ip_tables: fix compat related crash

Patrick McHardy (1):
      [NETFILTER]: nf_conntrack: fix helper module unload races

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these patches fix a few netfilter bugs: failure to load IPv4 connection tracking
when loading the NAT module, an invalid return code in ctnetlink and a possible
NULL pointer dereference in ipt_recent. I'll pass the NULL pointer fix to
-stable once its upstream.

Please apply, thanks.


 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |    2 ++
 net/ipv4/netfilter/ipt_recent.c                |    7 ++++++-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    6 ++++++
 net/ipv4/netfilter/nf_nat_standalone.c         |    2 +-
 net/netfilter/nf_conntrack_netlink.c           |   17 +++++++++--------
 5 files changed, 24 insertions(+), 10 deletions(-)

Jesper Juhl (1):
      [NETFILTER]: ipt_recent: avoid a possible NULL pointer deref in recent_seq_open()

Pablo Neira Ayuso (1):
      [NETFILTER]: ctnetlink: return EEXIST instead of EINVAL for existing nat'ed conntracks

Patrick McHardy (1):
      [NETFILTER]: nf_nat: add symbolic dependency on IPv4 conntrack

Re: [NETFILTER 00/03]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon,  6 Aug 2007 15:29:03 +0200 (MEST)

> these patches fix a few netfilter bugs: failure to load IPv4 connection tracking
> when loading the NAT module, an invalid return code in ctnetlink and a possible
> NULL pointer dereference in ipt_recent. I'll pass the NULL pointer fix to
> -stable once its upstream.
> 
> Please apply, thanks.

Applied, thanks Patrick.

I really wish those dependencies could be worked out in a nicer
way than calling NULL functions in the needed module.

Re: [NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Mon,  6 Aug 2007 15:29:03 +0200 (MEST)
>
>   
>> these patches fix a few netfilter bugs: failure to load IPv4 connection tracking
>> when loading the NAT module, an invalid return code in ctnetlink and a possible
>> NULL pointer dereference in ipt_recent. I'll pass the NULL pointer fix to
>> -stable once its upstream.
>>
>> Please apply, thanks.
>>     
>
> Applied, thanks Patrick.
>
> I really wish those dependencies could be worked out in a nicer
> way than calling NULL functions in the needed module.
>   

Its not very pretty, I agree. In this case we could have used
indirect dependencies and request_module, but I actually prefer
the symbol dependency because its visible in lsmod, which makes
it easier to figure out what needs to be unloaded first to
remove a module.

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these three patches fix a nf_nat memset error, leading to misbehaviour
when unloading and reloading the NAT module, a regression from the
bridge netfilter deferred hook removal causing double invocation of the
POSTROUTING hook for packets forwarded between two bridge devices and
consolidate the nf_sockopt code. I'll push the memset and bridge fixes
to -stable once they hit Linus' tree.

Please apply, thanks.


 net/bridge/br_netfilter.c        |    3 +
 net/ipv4/netfilter/nf_nat_core.c |    2 +-
 net/netfilter/nf_sockopt.c       |  106 ++++++++++++++++----------------------
 3 files changed, 48 insertions(+), 63 deletions(-)

Li Zefan (1):
      [NETFILTER]: nf_nat: fix memset error

Patrick McHardy (1):
      [NETFILTER]: bridge: fix double POSTROUTING hook invocation

Pavel Emelyanov (1):
      [NETFILTER]: Consolidate nf_sockopt and compat_nf_sockopt

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Herbert,

these patches for 2.6.24 fix a number of netfilter bugs: a refcount leak in a
CONNMARK and CONNSECMARK error path, a network triggerable WARN_ON in the
IPv6 TCPMSS target and an endless loop caused by passing a zero-length pattern
to the string match.

Please apply, thanks.


 lib/textsearch.c               |    8 ++++++--
 net/netfilter/xt_CONNMARK.c    |   10 +++++-----
 net/netfilter/xt_CONNSECMARK.c |   10 +++++-----
 net/netfilter/xt_TCPMSS.c      |    4 +---
 4 files changed, 17 insertions(+), 15 deletions(-)

Jan Engelhardt (1):
      [NETFILTER]: fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK

Pablo Neira Ayuso (1):
      [TEXTSEARCH]: Do not allow zero length patterns in the textsearch infrastructure

Patrick McHardy (1):
      [NETFILTER]: xt_TCPMSS: remove network triggerable WARN_ON

Re: [NETFILTER 00/03]: Netfilter fixes

[Herbert Xu]

On Fri, Nov 30, 2007 at 12:57:12AM +0100, Patrick McHardy wrote:
> 
> these patches for 2.6.24 fix a number of netfilter bugs: a refcount leak in a
> CONNMARK and CONNSECMARK error path, a network triggerable WARN_ON in the
> IPv6 TCPMSS target and an endless loop caused by passing a zero-length pattern
> to the string match.
> 
> Please apply, thanks.

All applied.  Thanks a lot Patrick.
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[NETFILTER 00/03]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these three patches fix (again) skb_over_panic caused by netfilter queueing,
a namespace leak when reading /proc/net/xxx_tables_names and incorrect error
handling in the TCPOPTSTRIP target.

Please apply, thanks.


 net/ipv4/netfilter/ip_queue.c   |    5 ++---
 net/ipv6/netfilter/ip6_queue.c  |    5 ++---
 net/netfilter/nfnetlink_queue.c |    5 ++---
 net/netfilter/x_tables.c        |    2 +-
 net/netfilter/xt_TCPOPTSTRIP.c  |    2 +-
 5 files changed, 8 insertions(+), 11 deletions(-)

Arnaud Ebalard (1):
      [NETFILTER]: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets

Pavel Emelyanov (1):
      [NETFILTER]: x_tables: fix net namespace leak when reading /proc/net/xxx_tables_names

Roel Kluin (1):
      [NETFILTER]: xt_TCPOPTSTRIP: signed tcphoff for	ipv6_skip_exthdr() retval

Re: [NETFILTER 00/03]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 29 Apr 2008 00:06:40 +0200 (MEST)

> these three patches fix (again) skb_over_panic caused by netfilter queueing,
> a namespace leak when reading /proc/net/xxx_tables_names and incorrect error
> handling in the TCPOPTSTRIP target.
> 
> Please apply, thanks.

All 3 patches applied, thanks Patrick.