* [NETFILTER 00/03]: Netfilter fixes
@ 2007-11-13 10:55 Patrick McHardy
From: Patrick McHardy @ 2007-11-13 10:55 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
Hi Dave,
these three patches fix an nf_nat memset error, leading to misbehaviour
when unloading and reloading the NAT module, a regression from the
bridge netfilter deferred hook removal causing double invocation of the
POSTROUTING hook for packets forwarded between two bridge devices, and
consolidate the nf_sockopt code. I'll push the memset and bridge fixes
to -stable once they hit Linus' tree.
Please apply, thanks.
net/bridge/br_netfilter.c | 3 +
net/ipv4/netfilter/nf_nat_core.c | 2 +-
net/netfilter/nf_sockopt.c | 106 ++++++++++++++++----------------------
3 files changed, 48 insertions(+), 63 deletions(-)
Li Zefan (1):
[NETFILTER]: nf_nat: fix memset error
Patrick McHardy (1):
[NETFILTER]: bridge: fix double POSTROUTING hook invocation
Pavel Emelyanov (1):
[NETFILTER]: Consolidate nf_sockopt and compat_nf_sockopt
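As an added illustration of the memset fix in the first patch (example code written for this page, not from the patch or the kernel tree): a stand-in struct plays the role of the per-connection NAT extension, and two "clean" routines show how many bytes of stale state `memset(nat, 0, sizeof(nat))` leaves behind compared with `sizeof(*nat)`. The `struct nat_ext` layout, the `memzero_obj` macro and all function names are assumptions made for the example; nothing here is the kernel's own code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-connection NAT extension (assumed
 * layout for this example, not the kernel's struct): list linkage, the
 * mapped addresses/ports and a status word. */
struct nat_ext {
    struct nat_ext *next;
    struct nat_ext **pprev;
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t status;
};

/* Idiom that cannot get this wrong: always size the pointee, never the pointer. */
#define memzero_obj(p) memset((p), 0, sizeof(*(p)))

/* Number of bytes of the extension that still hold non-zero data. */
static size_t nonzero_bytes(const struct nat_ext *nat)
{
    const unsigned char *b = (const unsigned char *)nat;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*nat); i++)
        n += (b[i] != 0);
    return n;
}

/* Simulate a connection that has been through NAT: every byte is set,
 * padding included, so the count below is exact. */
static void fill_stale(struct nat_ext *nat)
{
    memset(nat, 0xff, sizeof(*nat));
}

/* Before the patch: sizeof(nat) is sizeof(struct nat_ext *), i.e. 4 or 8,
 * so only the first pointer-sized chunk of the extension is cleared. */
static size_t clean_nat_buggy(struct nat_ext *nat)
{
    memset(nat, 0, sizeof(nat));
    return nonzero_bytes(nat);
}

/* After the patch: sizeof(*nat) covers the whole extension. */
static size_t clean_nat_fixed(struct nat_ext *nat)
{
    memzero_obj(nat);
    return nonzero_bytes(nat);
}

/* Stale bytes left behind by each version on a fully populated extension. */
static size_t stale_after_buggy(void)
{
    struct nat_ext nat;
    fill_stale(&nat);
    return clean_nat_buggy(&nat);
}

static size_t stale_after_fixed(void)
{
    struct nat_ext nat;
    fill_stale(&nat);
    return clean_nat_fixed(&nat);
}

int main(void)
{
    printf("struct size %zu, pointer size %zu\n",
           sizeof(struct nat_ext), sizeof(struct nat_ext *));
    printf("stale bytes after buggy clean: %zu\n", stale_after_buggy());
    printf("stale bytes after fixed clean: %zu\n", stale_after_fixed());
    return 0;
}
```

On a 64-bit build the buggy routine leaves every byte past the first eight untouched, which is exactly the kind of leftover list linkage and mapping state that surfaces when the module is unloaded and reloaded. Current gcc (with -Wall) and clang flag the buggy call under -Wsizeof-pointer-memaccess; that warning did not exist when this patch was written, which is why the slip got past review, and it is worth having enabled on any tree that still carries code of this vintage.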
^ permalink raw reply [flat|nested] 7+ messages in thread* [NETFILTER 01/03]: nf_nat: fix memset error 2007-11-13 10:55 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy @ 2007-11-13 10:55 ` Patrick McHardy 2007-11-13 10:57 ` David Miller 2007-11-13 10:55 ` [NETFILTER 02/03]: Consolidate nf_sockopt and compat_nf_sockopt Patrick McHardy 2007-11-13 10:55 ` [NETFILTER 03/03]: bridge: fix double POSTROUTING hook invocation Patrick McHardy 2 siblings, 1 reply; 7+ messages in thread From: Patrick McHardy @ 2007-11-13 10:55 UTC (permalink / raw) To: davem; +Cc: Patrick McHardy, netfilter-devel [NETFILTER]: nf_nat: fix memset error The size passing to memset is the size of a pointer. Signed-off-by: Li Zefan <lizf@cn.fujitsu.com> Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit dd9e04a6e68abf79470ef26e242ce516bba37b3d tree 0d6b56e83d643661a9726931a577d6626a2cfb3f parent 325d22df7b19e0116aff3391d3a03f73d0634ded author Li Zefan <lizf@cn.fujitsu.com> Tue, 13 Nov 2007 11:24:16 +0100 committer Patrick McHardy <kaber@trash.net> Tue, 13 Nov 2007 11:24:16 +0100 net/ipv4/netfilter/nf_nat_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index 56e93f6..70e7997 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c @@ -681,7 +681,7 @@ static int clean_nat(struct nf_conn *i, void *data) if (!nat) return 0; - memset(nat, 0, sizeof(nat)); + memset(nat, 0, sizeof(*nat)); i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK | IPS_SEQ_ADJUST); return 0; } ^ permalink raw reply related [flat|nested] 7+ messages in thread
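Review bot: the replacement `memset(nat, 0, sizeof(*nat));` is the right fix; `sizeof(nat)` in the removed line is the size of the pointer, so the old call zeroed only the first 4 or 8 bytes of the per-connection NAT extension and left the remainder intact, which is the stale state behind the unload/reload misbehaviour the cover letter describes. Since the same `sizeof(<pointer>)` slip is easy to make anywhere a struct is cleared through a pointer, a pass over the tree for memset calls whose size argument is `sizeof` of the destination pointer (sparse or a coccinelle script does this more reliably than grep) is worth doing before the fix goes to -stable.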
* Re: [NETFILTER 01/03]: nf_nat: fix memset error
From: David Miller @ 2007-11-13 10:57 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Tue, 13 Nov 2007 11:55:41 +0100 (MET)
> [NETFILTER]: nf_nat: fix memset error
>
> The size passing to memset is the size of a pointer.
>
> Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
Applied.
* [NETFILTER 02/03]: Consolidate nf_sockopt and compat_nf_sockopt
From: Patrick McHardy @ 2007-11-13 10:55 UTC (permalink / raw)
To: davem; +Cc: Patrick McHardy, netfilter-devel
[NETFILTER]: Consolidate nf_sockopt and compat_nf_sockopt

Both look up the nf_sockopt_ops object to call the get/set callbacks
from, but they perform it in a completely similar way.

Introduce the helper for finding the ops.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit c94ac2cb9896fbed3065dc08216a7d13b98f0d92
tree 2e4bd21d850cef9bbc53be588dc7590636232a4b
parent dd9e04a6e68abf79470ef26e242ce516bba37b3d
author Pavel Emelyanov <xemul@openvz.org> Tue, 13 Nov 2007 11:24:17 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 13 Nov 2007 11:24:17 +0100

net/netfilter/nf_sockopt.c | 106 ++++++++++++++++++--------------------------
1 files changed, 44 insertions(+), 62 deletions(-)

diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index 2dfac32..87bc144 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -60,46 +60,57 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg) } EXPORT_SYMBOL(nf_unregister_sockopt); -/* Call get/setsockopt() */ -static int nf_sockopt(struct sock *sk, int pf, int val, - char __user *opt, int *len, int get) +static struct nf_sockopt_ops *nf_sockopt_find(struct sock *sk, int pf, + int val, int get) { struct nf_sockopt_ops *ops; - int ret; if (sk->sk_net != &init_net) - return -ENOPROTOOPT; + return ERR_PTR(-ENOPROTOOPT); if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0) - return -EINTR; + return ERR_PTR(-EINTR); list_for_each_entry(ops, &nf_sockopts, list) { if (ops->pf == pf) { if (!try_module_get(ops->owner)) goto out_nosup; + if (get) { - if (val >= ops->get_optmin - && val < ops->get_optmax) { - mutex_unlock(&nf_sockopt_mutex); - ret = ops->get(sk, val, opt, len); + if (val >= ops->get_optmin && + val < ops->get_optmax) goto out; - } } else { - if (val >= ops->set_optmin - && val < ops->set_optmax) { - mutex_unlock(&nf_sockopt_mutex); - ret = ops->set(sk, val, opt, *len); + if (val >= ops->set_optmin && + val < ops->set_optmax) goto out; - } } module_put(ops->owner); } } - out_nosup: +out_nosup: + ops = ERR_PTR(-ENOPROTOOPT); +out: mutex_unlock(&nf_sockopt_mutex); - return -ENOPROTOOPT; + return ops; +} + +/* Call get/setsockopt() */ +static int nf_sockopt(struct sock *sk, int pf, int val, + char __user *opt, int *len, int get) +{ + struct nf_sockopt_ops *ops; + int ret; + + ops = nf_sockopt_find(sk, pf, val, get); + if (IS_ERR(ops)) + return PTR_ERR(ops); + + if (get) + ret = ops->get(sk, val, opt, len); + else + ret = ops->set(sk, val, opt, *len); - out: module_put(ops->owner); return ret; } 
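Review bot: nf_sockopt_find() returns the ops with a module reference already held (try_module_get() succeeded before the `goto out`), and the caller is expected to drop it with `module_put(ops->owner)` once the get/set callback returns, but nothing in the hunk documents that contract; a one-line comment above the function saying that a non-error return carries a reference the caller must put would keep the next caller from leaking it. Locking is preserved: both `out:` and `out_nosup:` fall through to `mutex_unlock(&nf_sockopt_mutex)`, so, as in the removed code, the mutex is no longer held while ops->get/ops->set run.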
@@ -124,51 +135,22 @@ static int compat_nf_sockopt(struct sock *sk, int pf, int val, struct nf_sockopt_ops *ops; int ret; - if (sk->sk_net != &init_net) - return -ENOPROTOOPT; - - - if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0) - return -EINTR; - - list_for_each_entry(ops, &nf_sockopts, list) { - if (ops->pf == pf) { - if (!try_module_get(ops->owner)) - goto out_nosup; - - if (get) { - if (val >= ops->get_optmin - && val < ops->get_optmax) { - mutex_unlock(&nf_sockopt_mutex); - if (ops->compat_get) - ret = ops->compat_get(sk, - val, opt, len); - else - ret = ops->get(sk, - val, opt, len); - goto out; - } - } else { - if (val >= ops->set_optmin - && val < ops->set_optmax) { - mutex_unlock(&nf_sockopt_mutex); - if (ops->compat_set) - ret = ops->compat_set(sk, - val, opt, *len); - else - ret = ops->set(sk, - val, opt, *len); - goto out; - } - } - module_put(ops->owner); - } + ops = nf_sockopt_find(sk, pf, val, get); + if (IS_ERR(ops)) + return PTR_ERR(ops); + + if (get) { + if (ops->compat_get) + ret = ops->compat_get(sk, val, opt, len); + else + ret = ops->get(sk, val, ops, len); + } else { + if (ops->compat_set) + ret = ops->compat_set(sk, val, ops, *len); + else + ret = ops->set(sk, val, ops, *len); } - out_nosup: - mutex_unlock(&nf_sockopt_mutex); - return -ENOPROTOOPT; - out: module_put(ops->owner); return ret; } ^ permalink raw reply related [flat|nested] 7+ messages in thread
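Review bot: three of the four calls in the rewritten compat_nf_sockopt() pass the wrong pointer: `ret = ops->get(sk, val, ops, len);`, `ret = ops->compat_set(sk, val, ops, *len);` and `ret = ops->set(sk, val, ops, *len);` hand the `struct nf_sockopt_ops *` to the callback in place of the user buffer `opt` (only the compat_get call is correct, and every removed line passed `opt`). The callbacks take a `char __user *`, so every compat get/setsockopt that falls back to the plain get/set, and every compat_set, would be given a kernel address instead of the caller's buffer; those three arguments need to be `opt` before this is applied. The incompatible pointer type should produce a compiler warning and sparse should report the address-space mismatch, so the build output for this file is worth checking as the quickest confirmation.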
* Re: [NETFILTER 02/03]: Consolidate nf_sockopt and compat_nf_sockopt
From: David Miller @ 2007-11-13 10:58 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Tue, 13 Nov 2007 11:55:42 +0100 (MET)
> [NETFILTER]: Consolidate nf_sockopt and compat_nf_sockopt
>
> Both look up the nf_sockopt_ops object to call the get/set callbacks
> from, but they perform it in a completely similar way.
>
> Introduce the helper for finding the ops.
>
> Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
Applied.
* [NETFILTER 03/03]: bridge: fix double POSTROUTING hook invocation 2007-11-13 10:55 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy 2007-11-13 10:55 ` [NETFILTER 01/03]: nf_nat: fix memset error Patrick McHardy 2007-11-13 10:55 ` [NETFILTER 02/03]: Consolidate nf_sockopt and compat_nf_sockopt Patrick McHardy @ 2007-11-13 10:55 ` Patrick McHardy 2007-11-13 10:59 ` David Miller 2 siblings, 1 reply; 7+ messages in thread From: Patrick McHardy @ 2007-11-13 10:55 UTC (permalink / raw) To: davem; +Cc: Patrick McHardy, netfilter-devel [NETFILTER]: bridge: fix double POSTROUTING hook invocation Packets routed between bridges have the POST_ROUTING hook invoked twice since bridging mistakes them for bridged packets because they have skb->nf_bridge set. Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 87a1cd0a4fc1f5ac17e2e752668ae324c595b1fd tree 38c7fdb13f7232bf77fb78ce4292a4bb1cdd5dfd parent c94ac2cb9896fbed3065dc08216a7d13b98f0d92 author Patrick McHardy <kaber@trash.net> Tue, 13 Nov 2007 11:24:18 +0100 committer Patrick McHardy <kaber@trash.net> Tue, 13 Nov 2007 11:24:18 +0100 net/bridge/br_netfilter.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index da22f90..c1757c7 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -766,6 +766,9 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb, if (!nf_bridge) return NF_ACCEPT; + if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT))) + return NF_ACCEPT; + if (!realoutdev) return NF_DROP; ^ permalink raw reply related [flat|nested] 7+ messages in thread
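Review bot: the new `if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT))) return NF_ACCEPT;` sits after the `!nf_bridge` test and before the `!realoutdev` drop, which is the right place, but the hunk carries no comment on why a non-NULL skb->nf_bridge is not by itself proof that the packet was bridged; a one-line comment (packets routed between two bridges still carry nf_bridge from the input side, as the commit message says) would spare the next reader from asking why the existing `!nf_bridge` check is not enough. For the -stable backport the regression is simple to confirm: a packet counter on an iptables POSTROUTING rule matching traffic forwarded between the two bridges should advance once per packet after this change rather than twice.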
* Re: [NETFILTER 03/03]: bridge: fix double POSTROUTING hook invocation
From: David Miller @ 2007-11-13 10:59 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Tue, 13 Nov 2007 11:55:44 +0100 (MET)
> [NETFILTER]: bridge: fix double POSTROUTING hook invocation
>
> Packets routed between bridges have the POST_ROUTING hook invoked
> twice since bridging mistakes them for bridged packets because
> they have skb->nf_bridge set.
>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
Also applied, thanks Patrick.