[NETFILTER 00/02]: Netfilter fixes

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two more fixes for 2.6.18. The ulog patch fixes an old
crash in ulog that has hit quite a few people so far. I'm going to push
it to -stable as well.

Please apply, thanks.


 net/bridge/netfilter/ebt_ulog.c |    6 +++
 net/ipv4/netfilter/arp_tables.c |   54 +++++++++++++++++++++++--------
 net/ipv4/netfilter/ip_tables.c  |   66 +++++++++++++++++++++++++++++---------
 net/ipv4/netfilter/ipt_ULOG.c   |   10 +++++
 net/ipv6/netfilter/ip6_tables.c |   68 +++++++++++++++++++++++++++++-----------
 net/netfilter/nfnetlink_log.c   |    6 +++
 6 files changed, 162 insertions(+), 48 deletions(-)

Mark Huang:
      [NETFILTER]: ulog: fix panic on SMP kernels

Patrick McHardy:
      [NETFILTER]: {arp,ip,ip6}_tables: proper error recovery in init path

Re: [NETFILTER 00/02]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Sat, 12 Aug 2006 02:25:35 +0200 (MEST)

> following are two more fixes for 2.6.18. The ulog patch fixes an old
> crash in ulog that has hit quite a few people so far. I'm going to push
> it to -stable as well.
> 
> Please apply, thanks.

Both applied, thanks Patrick.

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes for 2.6.20, fixing a memory leak in
ctnetlink and a compile failure of the state match on PPC.

Please apply, thanks.


 include/net/netfilter/nf_conntrack_compat.h |    1 +
 net/ipv4/netfilter/ip_conntrack_netlink.c   |    2 +-
 net/netfilter/nf_conntrack_netlink.c        |    2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

Mikael Pettersson:
      [NETFILTER]: fix xt_state compile failure

Patrick McHardy:
      [NETFILTER]: ctnetlink: fix leak in ctnetlink_create_conntrack error path

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two more netfilter fixes for 2.6.20, fixing H.323 compilation with
IPV6=m and NF_CONNTRACK_H323=y (Adrian's patch) and another compile failure with
NF_CONNTRACK_MARK=n (same for IP_NF_CONNTRACK_MARK=n).

Please apply, thanks.


 net/ipv4/netfilter/ip_conntrack_netlink.c |    2 ++
 net/netfilter/Kconfig                     |    2 +-
 net/netfilter/nf_conntrack_netlink.c      |    2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

Adrian Bunk:
      [NETFILTER]: nf_conntrack_h323: fix compile error with CONFIG_IPV6=m, CONFIG_NF_CONNTRACK_H323=y

Max Kellermann:
      [NETFILTER]: ctnetlink: fix compile failure with NF_CONNTRACK_MARK=n

[NETFILTER 01/02]: ctnetlink: fix compile failure with NF_CONNTRACK_MARK=n

[Patrick McHardy]

[NETFILTER]: ctnetlink: fix compile failure with NF_CONNTRACK_MARK=n

  CC      net/netfilter/nf_conntrack_netlink.o
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_conntrack_event':
net/netfilter/nf_conntrack_netlink.c:392: error: 'struct nf_conn' has no member named 'mark'
make[3]: *** [net/netfilter/nf_conntrack_netlink.o] Error 1

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit de4fee1de939b8a5422020822195dea4b25e142b
tree 0d8bdc11e791cec75d5c61ecdbdd9d26f80df9ea
parent 91ddce838eb24a62844bdfc1aaca0a364343ad02
author Max Kellermann <max@duempel.org> Fri, 02 Feb 2007 14:09:40 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 02 Feb 2007 14:09:40 +0100

 net/ipv4/netfilter/ip_conntrack_netlink.c |    2 ++
 net/netfilter/nf_conntrack_netlink.c      |    2 ++
 2 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index 6f31fad..7f70b08 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -374,9 +374,11 @@ static int ctnetlink_conntrack_event(str
 		    && ctnetlink_dump_helpinfo(skb, ct) < 0)
 		    	goto nfattr_failure;
 
+#ifdef CONFIG_IP_NF_CONNTRACK_MARK
 		if ((events & IPCT_MARK || ct->mark)
 		    && ctnetlink_dump_mark(skb, ct) < 0)
 		    	goto nfattr_failure;
+#endif
 
 		if (events & IPCT_COUNTER_FILLING &&
 		    (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 811e3e7..c64f029 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -389,9 +389,11 @@ static int ctnetlink_conntrack_event(str
 		    && ctnetlink_dump_helpinfo(skb, ct) < 0)
 		    	goto nfattr_failure;
 
+#ifdef CONFIG_NF_CONNTRACK_MARK
 		if ((events & IPCT_MARK || ct->mark)
 		    && ctnetlink_dump_mark(skb, ct) < 0)
 		    	goto nfattr_failure;
+#endif
 
 		if (events & IPCT_COUNTER_FILLING &&
 		    (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||

[NETFILTER 02/02]: nf_conntrack_h323: fix compile error with CONFIG_IPV6=m, CONFIG_NF_CONNTRACK_H323=y

[Patrick McHardy]

[NETFILTER]: nf_conntrack_h323: fix compile error with CONFIG_IPV6=m, CONFIG_NF_CONNTRACK_H323=y

Fix this by letting NF_CONNTRACK_H323 depend on (IPV6 || IPV6=n).

Signed-off-by: Adrian Bunk <bunk@stusta.de>

---
commit c204236dae38644133e5713d59d81e3e0abac384
tree eda435df6adf784f5778c988e4cffe5ce328673e
parent de4fee1de939b8a5422020822195dea4b25e142b
author Adrian Bunk <bunk@stusta.de> Sat, 03 Feb 2007 02:28:44 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 03 Feb 2007 02:28:44 +0100

 net/netfilter/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 2a2bcb3..80107d4 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -165,7 +165,7 @@ config NF_CONNTRACK_FTP
 
 config NF_CONNTRACK_H323
 	tristate "H.323 protocol support (EXPERIMENTAL)"
-	depends on EXPERIMENTAL && NF_CONNTRACK
+	depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
 	help
 	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
 	  important VoIP protocols, it is widely used by voice hardware and

Re: [NETFILTER 00/02]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Sat,  3 Feb 2007 02:46:22 +0100 (MET)

> Hi Dave,
> 
> following are two more netfilter fixes for 2.6.20, fixing H.323 compilation with
> IPV6=m and NF_CONNTRACK_H323=y (Adrian's patch) and another compile failure with
> NF_CONNTRACK_MARK=n (same for IP_NF_CONNTRACK_MARK=n).
> 
> Please apply, thanks.

Applied, thanks Patrick.

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes for 2.6.22, adding a few new SIP message
types that are necessary to get Jerome's setup working, and a patch to
forbid changing helpers of an existing connection to avoid races while
changing the helper private area.

Please apply, thanks.


 net/netfilter/nf_conntrack_netlink.c |    3 +--
 net/netfilter/nf_conntrack_sip.c     |    3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

Jerome Borsboom (1):
      [NETFILTER]: nf_conntrack_sip: add missing message types containing RTP info

Yasuyuki Kozakai (1):
      [NETFILTER]: nfctnetlink: Don't allow to change helper

Re: [NETFILTER 00/02]: Netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 22 Jun 2007 13:47:30 +0200 (MEST)

> Hi Dave,
> 
> following are two netfilter fixes for 2.6.22, adding a few new SIP message
> types that are necessary to get Jerome's setup working, and a patch to
> forbid changing helpers of an existing connection to avoid races while
> changing the helper private area.
> 
> Please apply, thanks.

Both patches applied, thanks Patrick!

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these patches fix an incorrect warning message in IPv4 connection tracking
and the module unload deadlock notices by Neil Horman.

Please apply, thanks.


 include/linux/netfilter.h                      |    5 +--
 net/bridge/netfilter/ebtables.c                |    1 +
 net/ipv4/ipvs/ip_vs_ctl.c                      |    1 +
 net/ipv4/netfilter/arp_tables.c                |    1 +
 net/ipv4/netfilter/ip_tables.c                 |    1 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   11 ++----
 net/ipv6/netfilter/ip6_tables.c                |    1 +
 net/netfilter/nf_sockopt.c                     |   36 +++++++----------------
 8 files changed, 22 insertions(+), 35 deletions(-)

Neil Horman (1):
      [NETFILTER]: Fix/improve deadlock condition on module removal netfilter

Patrick McHardy (1):
      [NETFILTER]: nf_conntrack_ipv4: fix "Frag of proto ..." messages

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes, adding missing IPv6 module aliases
to a few matches and targets and fixing TCP conntrack connection
reopening. I'll also push the conntrack patch to -stable once it
hits upstream.

Please apply. thanks.


 net/netfilter/nf_conntrack_proto_tcp.c |   35 ++++++++++++-------------------
 net/netfilter/xt_CLASSIFY.c            |    1 +
 net/netfilter/xt_CONNMARK.c            |    1 +
 net/netfilter/xt_NOTRACK.c             |    1 +
 net/netfilter/xt_connbytes.c           |    1 +
 net/netfilter/xt_connmark.c            |    1 +
 net/netfilter/xt_dccp.c                |    1 +
 net/netfilter/xt_sctp.c                |    1 +
 net/netfilter/xt_tcpmss.c              |    1 +
 9 files changed, 22 insertions(+), 21 deletions(-)

Jan Engelhardt (1):
      [NETFILTER]: x_tables: add missing ip6t_modulename aliases

Jozsef Kadlecsik (1):
      [NETFILTER]: nf_conntrack_tcp: fix connection reopening

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these two patches contain a follow-up fix to the TCP conntrack connection
reopening problem and a fix for the sctp match, which uses ARRAY_SIZE on
a pointer instead of an array.

Please apply, thanks.


 include/linux/netfilter/xt_sctp.h      |   13 +++++--------
 net/netfilter/nf_conntrack_proto_tcp.c |   11 +++++++----
 net/netfilter/xt_sctp.c                |   18 ++++++++----------
 3 files changed, 20 insertions(+), 22 deletions(-)

Jozsef Kadlecsik (1):
      [NETFILTER]: nf_conntrack_tcp: fix connection reopening fix

Li Zefan (1):
      [NETFILTER]: xt_sctp: fix mistake to pass a pointer where array is required

[NETFILTER 00/02]: Netfilter fixes

[Patrick McHardy]

Hi Dave,

these two patches fix a missing bit on conntrack entries with master
connections created through ctnetlink and some brokeness in the
iptables compat code, causing it to use pointers dumped to userspace
and copied back again to the kernel without any checks for validity.

Pleasy apply, thanks.


 net/ipv4/netfilter/ip_tables.c       |   57 +++++++--------------------------
 net/netfilter/nf_conntrack_netlink.c |    4 ++-
 net/netfilter/x_tables.c             |    8 +++-
 3 files changed, 21 insertions(+), 48 deletions(-)

Pablo Neira Ayuso (1):
      [NETFILTER]: ctnetlink: set expected bit for related conntracks

Patrick McHardy (1):
      [NETFILTER]: ip_tables: fix compat copy race