netfilter-devel.vger.kernel.org archive mirror
* [NETFILTER 00/03]: Netfilter fixes
@ 2007-01-25  0:21 Patrick McHardy
  2007-01-26  9:08 ` David Miller
  0 siblings, 1 reply; 19+ messages in thread
From: Patrick McHardy @ 2007-01-25  0:21 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

Hi Dave,

following are three netfilter fixes for 2.6.20, fixing a problem with ICMP
translation in the new nf_nat code and two bugs in the new PPTP helper port
breaking NAT of PPTP connections.

Please apply, thanks.


 net/ipv4/netfilter/Makefile       |   20 ++++++++++----------
 net/ipv4/netfilter/nf_nat_pptp.c  |    4 ++--
 net/netfilter/nf_conntrack_pptp.c |    2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

Patrick McHardy:
      [NETFILTER]: nf_nat: fix ICMP translation with statically linked conntrack
      [NETFILTER]: nf_nat_pptp: fix expectation removal
      [NETFILTER]: nf_conntrack_pptp: fix NAT setup of expected GRE connections


* Re: [NETFILTER 00/03]: Netfilter fixes
  2007-01-25  0:21 Patrick McHardy
@ 2007-01-26  9:08 ` David Miller
  2007-01-26 14:50   ` Jorge Bastos
  0 siblings, 1 reply; 19+ messages in thread
From: David Miller @ 2007-01-26  9:08 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 25 Jan 2007 01:21:56 +0100 (MET)

> following are three netfilter fixes for 2.6.20, fixing a problem with ICMP
> translation in the new nf_nat code and two bugs in the new PPTP helper port
> breaking NAT of PPTP connections.
> 
> Please apply, thanks.

All applied, thanks a lot Patrick.


* Re: [NETFILTER 00/03]: Netfilter fixes
  2007-01-26  9:08 ` David Miller
@ 2007-01-26 14:50   ` Jorge Bastos
  0 siblings, 0 replies; 19+ messages in thread
From: Jorge Bastos @ 2007-01-26 14:50 UTC (permalink / raw)
  To: David Miller, netfilter-devel

David,
I have kernel 2.6.20-rc6 and I can't make pptp connections, only 2.6.20-rc5
with the patch Patrick provided me.
In which version did you apply this?

Jorge



----- Original Message ----- 
From: "David Miller" <davem@davemloft.net>
To: <kaber@trash.net>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Friday, January 26, 2007 9:08 AM
Subject: Re: [NETFILTER 00/03]: Netfilter fixes


> From: Patrick McHardy <kaber@trash.net>
> Date: Thu, 25 Jan 2007 01:21:56 +0100 (MET)
>
>> following are three netfilter fixes for 2.6.20, fixing a problem with 
>> ICMP
>> translation in the new nf_nat code and two bugs in the new PPTP helper 
>> port
>> breaking NAT of PPTP connections.
>>
>> Please apply, thanks.
>
> All applied, thanks a lot Patrick.
>
> 


* [NETFILTER 00/03]: Netfilter fixes
@ 2007-01-30 18:16 Patrick McHardy
  2007-01-30 22:25 ` David Miller
  0 siblings, 1 reply; 19+ messages in thread
From: Patrick McHardy @ 2007-01-30 18:16 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

Hi Dave,

following are a few more netfilter fixes for 2.6.20, fixing a division
by zero in the connbytes match (I will pass this one on to -stable as
well) and two problems with the SIP conntrack helper.

Please apply, thanks.


 net/ipv4/netfilter/ip_conntrack_sip.c |   10 ++++++++--
 net/netfilter/nf_conntrack_sip.c      |   10 ++++++++--
 net/netfilter/xt_connbytes.c          |   29 ++++++++++++-----------------
 3 files changed, 28 insertions(+), 21 deletions(-)

Lars Immisch:
      [NETFILTER]: SIP conntrack: fix skipping over user info in SIP headers

Patrick McHardy:
      [NETFILTER]: xt_connbytes: fix division by zero
      [NETFILTER]: SIP conntrack: fix out of bounds memory access


* Re: [NETFILTER 00/03]: Netfilter fixes
  2007-01-30 18:16 Patrick McHardy
@ 2007-01-30 22:25 ` David Miller
  0 siblings, 0 replies; 19+ messages in thread
From: David Miller @ 2007-01-30 22:25 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 30 Jan 2007 19:16:27 +0100 (MET)

> Hi Dave,
> 
> following are a few more netfilter fixes for 2.6.20, fixing a division
> by zero in the connbytes match (I will pass this one on to -stable as
> well) and two problems with the SIP conntrack helper.
> 
> Please apply, thanks.

I sucked these all in, please push that one to -stable, thanks.


* [NETFILTER 00/03]: Netfilter fixes
@ 2007-03-06  7:44 Patrick McHardy
  2007-03-07  4:25 ` David Miller
  0 siblings, 1 reply; 19+ messages in thread
From: Patrick McHardy @ 2007-03-06  7:44 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

Hi Dave,

following are three more patches for some nasty netfilter bugs, fixing incorrect
conntrack classification of IPv6 fragments, a crash in nfnetlink_log with bridging
and a missing terminating zero-byte in the nfnetlink_log prefix message.

Please apply, thanks.


 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    1 +
 net/netfilter/nfnetlink_log.c                  |    4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

Patrick McHardy:
      [NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
      [NETFILTER]: nfnetlink_log: zero-terminate prefix
      [NETFILTER]: nfnetlink_log: fix crash on bridged packet


* Re: [NETFILTER 00/03]: Netfilter fixes
  2007-03-06  7:44 Patrick McHardy
@ 2007-03-07  4:25 ` David Miller
  0 siblings, 0 replies; 19+ messages in thread
From: David Miller @ 2007-03-07  4:25 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  6 Mar 2007 08:44:01 +0100 (MET)

> Hi Dave,
> 
> following are three more patches for some nasty netfilter bugs, fixing incorrect
> conntrack classification of IPv6 fragments, a crash in nfnetlink_log with bridging
> and a missing terminating zero-byte in the nfnetlink_log prefix message.
> 
> Please apply, thanks.

All 3 patches applied, thank you.


* [NETFILTER 00/03]: Netfilter fixes
@ 2007-06-05 13:35 Patrick McHardy
  0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-06-05 13:35 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

Hi Dave,

these patches fix improper textsearch_prepare return value checks in the amanda
conntrack helper, the iptables compat crash reported by Jan Engelhardt and some
connection tracking helper unload races.

Please apply, thanks.


 include/linux/netfilter_ipv4/ip_tables.h       |   17 +++++
 net/ipv4/netfilter/ip_tables.c                 |   81 +++++++++++++++++++------
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   13 ++--
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    9 ++
 net/netfilter/nf_conntrack_amanda.c            |   12 +--
 net/netfilter/nf_conntrack_core.c              |   26 +++++---
 net/netfilter/nf_conntrack_expect.c            |    4 +
 net/netfilter/nf_conntrack_helper.c            |    2 
 net/netfilter/nf_conntrack_netlink.c           |   34 +++++++---
 net/netfilter/nf_conntrack_proto_gre.c         |    2 
 10 files changed, 147 insertions(+), 53 deletions(-)

Akinobu Mita (1):
      [NETFILTER]: nf_conntrack_amanda: fix textsearch_prepare() error check

Dmitry Mishin (1):
      [NETFILTER]: ip_tables: fix compat related crash

Patrick McHardy (1):
      [NETFILTER]: nf_conntrack: fix helper module unload races


* [NETFILTER 00/03]: Netfilter fixes
@ 2007-08-06 13:29 Patrick McHardy
  2007-08-08  1:12 ` David Miller
  0 siblings, 1 reply; 19+ messages in thread
From: Patrick McHardy @ 2007-08-06 13:29 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, Patrick McHardy

Hi Dave,

these patches fix a few netfilter bugs: failure to load IPv4 connection tracking
when loading the NAT module, an invalid return code in ctnetlink and a possible
NULL pointer dereference in ipt_recent. I'll pass the NULL pointer fix to
-stable once it's upstream.

Please apply, thanks.


 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |    2 ++
 net/ipv4/netfilter/ipt_recent.c                |    7 ++++++-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    6 ++++++
 net/ipv4/netfilter/nf_nat_standalone.c         |    2 +-
 net/netfilter/nf_conntrack_netlink.c           |   17 +++++++++--------
 5 files changed, 24 insertions(+), 10 deletions(-)

Jesper Juhl (1):
      [NETFILTER]: ipt_recent: avoid a possible NULL pointer deref in recent_seq_open()

Pablo Neira Ayuso (1):
      [NETFILTER]: ctnetlink: return EEXIST instead of EINVAL for existing nat'ed conntracks

Patrick McHardy (1):
      [NETFILTER]: nf_nat: add symbolic dependency on IPv4 conntrack


* Re: [NETFILTER 00/03]: Netfilter fixes
  2007-08-06 13:29 Patrick McHardy
@ 2007-08-08  1:12 ` David Miller
  2007-08-08 13:58   ` Patrick McHardy
  0 siblings, 1 reply; 19+ messages in thread
From: David Miller @ 2007-08-08  1:12 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon,  6 Aug 2007 15:29:03 +0200 (MEST)

> these patches fix a few netfilter bugs: failure to load IPv4 connection tracking
> when loading the NAT module, an invalid return code in ctnetlink and a possible
> NULL pointer dereference in ipt_recent. I'll pass the NULL pointer fix to
> -stable once it's upstream.
> 
> Please apply, thanks.

Applied, thanks Patrick.

I really wish those dependencies could be worked out in a nicer
way than calling NULL functions in the needed module.


* Re: [NETFILTER 00/03]: Netfilter fixes
  2007-08-08  1:12 ` David Miller
@ 2007-08-08 13:58   ` Patrick McHardy
  0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-08-08 13:58 UTC (permalink / raw)
  To: David Miller; +Cc: netfilter-devel

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Mon,  6 Aug 2007 15:29:03 +0200 (MEST)
>
>   
>> these patches fix a few netfilter bugs: failure to load IPv4 connection tracking
>> when loading the NAT module, an invalid return code in ctnetlink and a possible
>> NULL pointer dereference in ipt_recent. I'll pass the NULL pointer fix to
>> -stable once it's upstream.
>>
>> Please apply, thanks.
>>     
>
> Applied, thanks Patrick.
>
> I really wish those dependencies could be worked out in a nicer
> way than calling NULL functions in the needed module.
>   

It's not very pretty, I agree. In this case we could have used
indirect dependencies and request_module, but I actually prefer
the symbol dependency because it's visible in lsmod, which makes
it easier to figure out what needs to be unloaded first to
remove a module.


* [NETFILTER 00/03]: Netfilter fixes
@ 2007-11-13 10:55 Patrick McHardy
  0 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2007-11-13 10:55 UTC (permalink / raw)
  To: davem; +Cc: Patrick McHardy, netfilter-devel

Hi Dave,

these three patches fix a nf_nat memset error, leading to misbehaviour
when unloading and reloading the NAT module, a regression from the
bridge netfilter deferred hook removal causing double invocation of the
POSTROUTING hook for packets forwarded between two bridge devices and
consolidate the nf_sockopt code. I'll push the memset and bridge fixes
to -stable once they hit Linus' tree.

Please apply, thanks.


 net/bridge/br_netfilter.c        |    3 +
 net/ipv4/netfilter/nf_nat_core.c |    2 +-
 net/netfilter/nf_sockopt.c       |  106 ++++++++++++++++----------------------
 3 files changed, 48 insertions(+), 63 deletions(-)

Li Zefan (1):
      [NETFILTER]: nf_nat: fix memset error

Patrick McHardy (1):
      [NETFILTER]: bridge: fix double POSTROUTING hook invocation

Pavel Emelyanov (1):
      [NETFILTER]: Consolidate nf_sockopt and compat_nf_sockopt


* [NETFILTER 00/03]: Netfilter fixes
@ 2007-11-29 23:57 Patrick McHardy
  2007-11-30 13:04 ` Herbert Xu
  0 siblings, 1 reply; 19+ messages in thread
From: Patrick McHardy @ 2007-11-29 23:57 UTC (permalink / raw)
  To: herbert; +Cc: Patrick McHardy, netfilter-devel

Hi Herbert,

these patches for 2.6.24 fix a number of netfilter bugs: a refcount leak in a
CONNMARK and CONNSECMARK error path, a network triggerable WARN_ON in the
IPv6 TCPMSS target and an endless loop caused by passing a zero-length pattern
to the string match.

Please apply, thanks.


 lib/textsearch.c               |    8 ++++++--
 net/netfilter/xt_CONNMARK.c    |   10 +++++-----
 net/netfilter/xt_CONNSECMARK.c |   10 +++++-----
 net/netfilter/xt_TCPMSS.c      |    4 +---
 4 files changed, 17 insertions(+), 15 deletions(-)

Jan Engelhardt (1):
      [NETFILTER]: fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK

Pablo Neira Ayuso (1):
      [TEXTSEARCH]: Do not allow zero length patterns in the textsearch infrastructure

Patrick McHardy (1):
      [NETFILTER]: xt_TCPMSS: remove network triggerable WARN_ON


* Re: [NETFILTER 00/03]: Netfilter fixes
  2007-11-29 23:57 Patrick McHardy
@ 2007-11-30 13:04 ` Herbert Xu
  0 siblings, 0 replies; 19+ messages in thread
From: Herbert Xu @ 2007-11-30 13:04 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

On Fri, Nov 30, 2007 at 12:57:12AM +0100, Patrick McHardy wrote:
> 
> these patches for 2.6.24 fix a number of netfilter bugs: a refcount leak in a
> CONNMARK and CONNSECMARK error path, a network triggerable WARN_ON in the
> IPv6 TCPMSS target and an endless loop caused by passing a zero-length pattern
> to the string match.
> 
> Please apply, thanks.

All applied.  Thanks a lot Patrick.
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* [NETFILTER 00/03]: Netfilter fixes
@ 2008-04-28 22:06 Patrick McHardy
  2008-04-28 22:06 ` [NETFILTER 01/03]: xt_TCPOPTSTRIP: signed tcphoff for ipv6_skip_exthdr() retval Patrick McHardy
                   ` (3 more replies)
  0 siblings, 4 replies; 19+ messages in thread
From: Patrick McHardy @ 2008-04-28 22:06 UTC (permalink / raw)
  To: davem; +Cc: Patrick McHardy, netfilter-devel

Hi Dave,

these three patches fix (again) skb_over_panic caused by netfilter queueing,
a namespace leak when reading /proc/net/xxx_tables_names and incorrect error
handling in the TCPOPTSTRIP target.

Please apply, thanks.


 net/ipv4/netfilter/ip_queue.c   |    5 ++---
 net/ipv6/netfilter/ip6_queue.c  |    5 ++---
 net/netfilter/nfnetlink_queue.c |    5 ++---
 net/netfilter/x_tables.c        |    2 +-
 net/netfilter/xt_TCPOPTSTRIP.c  |    2 +-
 5 files changed, 8 insertions(+), 11 deletions(-)

Arnaud Ebalard (1):
      [NETFILTER]: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets

Pavel Emelyanov (1):
      [NETFILTER]: x_tables: fix net namespace leak when reading /proc/net/xxx_tables_names

Roel Kluin (1):
      [NETFILTER]: xt_TCPOPTSTRIP: signed tcphoff for ipv6_skip_exthdr() retval


* [NETFILTER 01/03]: xt_TCPOPTSTRIP: signed tcphoff for ipv6_skip_exthdr() retval
  2008-04-28 22:06 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
@ 2008-04-28 22:06 ` Patrick McHardy
  2008-04-28 22:06 ` [NETFILTER 02/03]: x_tables: fix net namespace leak when reading /proc/net/xxx_tables_names Patrick McHardy
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2008-04-28 22:06 UTC (permalink / raw)
  To: davem; +Cc: Patrick McHardy, netfilter-devel

[NETFILTER]: xt_TCPOPTSTRIP: signed tcphoff for ipv6_skip_exthdr() retval

If tcphoff remains unsigned, a negative ipv6_skip_exthdr() return value will
go unnoticed.

Signed-off-by: Roel Kluin <12o3l@tiscali.nl>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 409c904821b52f9c4597ca87f3ab01b55183904e
tree 648fe90316d4c3d8e714ceefc9137325e8ef8417
parent 358c12953b88c5a06a57c33eb27c753b2e7934d1
author Roel Kluin <12o3l@tiscali.nl> Mon, 28 Apr 2008 20:58:54 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 28 Apr 2008 20:58:54 +0200

 net/netfilter/xt_TCPOPTSTRIP.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 3b2aa56..9685b6f 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -90,7 +90,7 @@ tcpoptstrip_tg6(struct sk_buff *skb, const struct net_device *in,
 		const struct xt_target *target, const void *targinfo)
 {
 	struct ipv6hdr *ipv6h = ipv6_hdr(skb);
-	unsigned int tcphoff;
+	int tcphoff;
 	u_int8_t nexthdr;
 
 	nexthdr = ipv6h->nexthdr;
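Review bot: the declaration change only helps if the comparison that consumes the ipv6_skip_exthdr() result tests for a negative value; that check lies outside the shown context, so the commit message should name it and spell out the failure mode (a negative return stored in `unsigned int tcphoff` wraps to a very large offset that the sign test can never catch, leaving only later bounds checks to reject it). A one-line mention of which check now fires would make the fix self-explaining.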


* [NETFILTER 02/03]: x_tables: fix net namespace leak when reading /proc/net/xxx_tables_names
  2008-04-28 22:06 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
  2008-04-28 22:06 ` [NETFILTER 01/03]: xt_TCPOPTSTRIP: signed tcphoff for ipv6_skip_exthdr() retval Patrick McHardy
@ 2008-04-28 22:06 ` Patrick McHardy
  2008-04-28 22:06 ` [NETFILTER 03/03]: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets Patrick McHardy
  2008-04-29 10:16 ` [NETFILTER 00/03]: Netfilter fixes David Miller
  3 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2008-04-28 22:06 UTC (permalink / raw)
  To: davem; +Cc: Patrick McHardy, netfilter-devel

[NETFILTER]: x_tables: fix net namespace leak when reading /proc/net/xxx_tables_names

The seq_open_net() call should be accompanied with seq_release_net() one.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 6317c53b124105c288604f51d50e2c759f6f333b
tree dc91473a4ea1688a27c71f3a0336bfcee922b6c5
parent 409c904821b52f9c4597ca87f3ab01b55183904e
author Pavel Emelyanov <xemul@openvz.org> Tue, 29 Apr 2008 00:02:17 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 29 Apr 2008 00:02:17 +0200

 net/netfilter/x_tables.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index f52f7f8..11b22ab 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -787,7 +787,7 @@ static const struct file_operations xt_table_ops = {
 	.open	 = xt_table_open,
 	.read	 = seq_read,
 	.llseek	 = seq_lseek,
-	.release = seq_release,
+	.release = seq_release_net,
 };
 
 static void *xt_match_seq_start(struct seq_file *seq, loff_t *pos)
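Review bot: pairing seq_release_net with an xt_table_open that uses seq_open_net() is the right fix for the namespace reference leak, but the trailing context line shows xt_match_seq_start immediately after xt_table_ops, so x_tables.c has further seq files (matches, targets); please confirm in the commit message whether their open/release pairs were audited as well, since the message currently states only the one-line rule and leaves the reader to check the other two.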


* [NETFILTER 03/03]: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets
  2008-04-28 22:06 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
  2008-04-28 22:06 ` [NETFILTER 01/03]: xt_TCPOPTSTRIP: signed tcphoff for ipv6_skip_exthdr() retval Patrick McHardy
  2008-04-28 22:06 ` [NETFILTER 02/03]: x_tables: fix net namespace leak when reading /proc/net/xxx_tables_names Patrick McHardy
@ 2008-04-28 22:06 ` Patrick McHardy
  2008-04-29 10:16 ` [NETFILTER 00/03]: Netfilter fixes David Miller
  3 siblings, 0 replies; 19+ messages in thread
From: Patrick McHardy @ 2008-04-28 22:06 UTC (permalink / raw)
  To: davem; +Cc: Patrick McHardy, netfilter-devel

[NETFILTER]: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets

While reinjecting *bigger* modified versions of IPv6 packets using
libnetfilter_queue, things work fine on a 2.6.24 kernel (2.6.22 too)
but I get the following on recents kernels (2.6.25, trace below is
against today's net-2.6 git tree):

skb_over_panic: text:c04fddb0 len:696 put:632 head:f7592c00 data:f7592c00 tail:0xf7592eb8 end:0xf7592e80 dev:eth0
------------[ cut here ]------------
invalid opcode: 0000 [#1] PREEMPT 
Process sendd (pid: 3657, ti=f6014000 task=f77c31d0 task.ti=f6014000)
Stack: c071e638 c04fddb0 000002b8 00000278 f7592c00 f7592c00 f7592eb8 f7592e80 
       f763c000 f6bc5200 f7592c40 f6015c34 c04cdbfc f6bc5200 00000278 f6015c60 
       c04fddb0 00000020 f72a10c0 f751b420 00000001 0000000a 000002b8 c065582c 
Call Trace:
 [<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0
 [<c04cdbfc>] ? skb_put+0x3c/0x40
 [<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0
 [<c04fd115>] ? nfnetlink_rcv_msg+0xf5/0x160
 [<c04fd03e>] ? nfnetlink_rcv_msg+0x1e/0x160
 [<c04fd020>] ? nfnetlink_rcv_msg+0x0/0x160
 [<c04f8ed7>] ? netlink_rcv_skb+0x77/0xa0
 [<c04fcefc>] ? nfnetlink_rcv+0x1c/0x30
 [<c04f8c73>] ? netlink_unicast+0x243/0x2b0
 [<c04cfaba>] ? memcpy_fromiovec+0x4a/0x70
 [<c04f9406>] ? netlink_sendmsg+0x1c6/0x270
 [<c04c8244>] ? sock_sendmsg+0xc4/0xf0
 [<c011970d>] ? set_next_entity+0x1d/0x50
 [<c0133a80>] ? autoremove_wake_function+0x0/0x40
 [<c0118f9e>] ? __wake_up_common+0x3e/0x70
 [<c0342fbf>] ? n_tty_receive_buf+0x34f/0x1280
 [<c011d308>] ? __wake_up+0x68/0x70
 [<c02cea47>] ? copy_from_user+0x37/0x70
 [<c04cfd7c>] ? verify_iovec+0x2c/0x90
 [<c04c837a>] ? sys_sendmsg+0x10a/0x230
 [<c011967a>] ? __dequeue_entity+0x2a/0xa0
 [<c011970d>] ? set_next_entity+0x1d/0x50
 [<c0345397>] ? pty_write+0x47/0x60
 [<c033d59b>] ? tty_default_put_char+0x1b/0x20
 [<c011d2e9>] ? __wake_up+0x49/0x70
 [<c033df99>] ? tty_ldisc_deref+0x39/0x90
 [<c033ff20>] ? tty_write+0x1a0/0x1b0
 [<c04c93af>] ? sys_socketcall+0x7f/0x260
 [<c0102ff9>] ? sysenter_past_esp+0x6a/0x91
 [<c05f0000>] ? snd_intel8x0m_probe+0x270/0x6e0
 =======================
Code: 00 00 89 5c 24 14 8b 98 9c 00 00 00 89 54 24 0c 89 5c 24 10 8b 40 50 89 4c 24 04 c7 04 24 38 e6 71 c0 89 44 24 08 e8 c4 46 c5 ff <0f> 0b eb fe 55 89 e5 56 89 d6 53 89 c3 83 ec 0c 8b 40 50 39 d0 
EIP: [<c04ccdfc>] skb_over_panic+0x5c/0x60 SS:ESP 0068:f6015bf8


Looking at the code, I ended up in nfq_mangle() function (called by
nfqnl_recv_verdict()) which performs a call to skb_copy_expand() due to
the increased size of data passed to the function. AFAICT, it should ask
for 'diff' instead of 'diff - skb_tailroom(e->skb)'. Because the
resulting sk_buff has not enough space to support the skb_put(skb, diff)
call a few lines later, this results in the call to skb_over_panic().

The patch below asks for allocation of a copy with enough space for
mangled packet and the same amount of headroom as old sk_buff. While
looking at how the regression appeared (e2b58a67), I noticed the same
pattern in ipq_mangle_ipv6() and ipq_mangle_ipv4(). The patch corrects
those locations too.

Tested with bigger reinjected IPv6 packets (nfqnl_mangle() path), things
are ok (2.6.25 and today's net-2.6 git tree).

Signed-off-by: Arnaud Ebalard <arno@natisbad.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit b8bd109c63a5d0d72530c7f59fc2412b03fa75ac
tree 4587cc797b38f3f133f7d198ecb6ffeadbaaaf97
parent 6317c53b124105c288604f51d50e2c759f6f333b
author Arnaud Ebalard <arno@natisbad.org> Tue, 29 Apr 2008 00:02:25 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 29 Apr 2008 00:02:25 +0200

 net/ipv4/netfilter/ip_queue.c   |    5 ++---
 net/ipv6/netfilter/ip6_queue.c  |    5 ++---
 net/netfilter/nfnetlink_queue.c |    5 ++---
 3 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 719be29..26a37ce 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -296,9 +296,8 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct nf_queue_entry *e)
 		if (v->data_len > 0xFFFF)
 			return -EINVAL;
 		if (diff > skb_tailroom(e->skb)) {
-			nskb = skb_copy_expand(e->skb, 0,
-					       diff - skb_tailroom(e->skb),
-					       GFP_ATOMIC);
+			nskb = skb_copy_expand(e->skb, skb_headroom(e->skb),
+					       diff, GFP_ATOMIC);
 			if (!nskb) {
 				printk(KERN_WARNING "ip_queue: error "
 				      "in mangle, dropping packet\n");
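Review bot: the old second argument `diff - skb_tailroom(e->skb)` treated skb_copy_expand()'s newtailroom as room to add on top of the existing tailroom, but it is the absolute tailroom of the copy, so the later skb_put(skb, diff) overran by exactly the old tailroom (56 bytes in the quoted trace: tail 0xf7592eb8 minus end 0xf7592e80). Passing `diff` fixes that; restoring skb_headroom(e->skb) instead of 0 matters too, since the reinjected packet still has to travel back down the stack. Minor style point: this copy says "error in mangle" while the ip6_queue and nf_queue copies say "OOM"; worth aligning the three messages.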
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 92a36c9..2eff3ae 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -298,9 +298,8 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct nf_queue_entry *e)
 		if (v->data_len > 0xFFFF)
 			return -EINVAL;
 		if (diff > skb_tailroom(e->skb)) {
-			nskb = skb_copy_expand(e->skb, 0,
-					       diff - skb_tailroom(e->skb),
-					       GFP_ATOMIC);
+			nskb = skb_copy_expand(e->skb, skb_headroom(e->skb),
+					       diff, GFP_ATOMIC);
 			if (!nskb) {
 				printk(KERN_WARNING "ip6_queue: OOM "
 				      "in mangle, dropping packet\n");
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 2c9fe5c..3447025 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -454,9 +454,8 @@ nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e)
 		if (data_len > 0xFFFF)
 			return -EINVAL;
 		if (diff > skb_tailroom(e->skb)) {
-			nskb = skb_copy_expand(e->skb, 0,
-					       diff - skb_tailroom(e->skb),
-					       GFP_ATOMIC);
+			nskb = skb_copy_expand(e->skb, skb_headroom(e->skb),
+					       diff, GFP_ATOMIC);
 			if (!nskb) {
 				printk(KERN_WARNING "nf_queue: OOM "
 				      "in mangle, dropping packet\n");
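Review bot: this is the third verbatim copy of the same grow-and-copy logic (ipq_mangle_ipv4, ipq_mangle_ipv6, nfqnl_mangle), and the commit message itself records that the regression (e2b58a67) landed identically in all three; that is a strong argument for factoring the `diff > skb_tailroom()` / skb_copy_expand() / skb_put() sequence into one shared helper so the next change cannot be applied to only one of them.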

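To make the arithmetic in the commit message concrete, here is an added C model (not kernel code and not part of the patch) of the tailroom bookkeeping: skb_copy_expand()'s tailroom argument is an absolute size for the copy, so asking for `diff - skb_tailroom()` leaves the later skb_put(skb, diff) short by exactly the old tailroom. The struct and helpers are simplified stand-ins for sk_buff, skb_copy_expand() and skb_put(), and the sizes are constructed to reproduce the quoted trace (put:632, len:696 after the put, tail 0xf7592eb8 minus end 0xf7592e80 = 56 bytes); the 64-byte headroom is assumed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's sk_buff, keeping only the three sizes
 * that matter: headroom = data - head, len = tail - data, tailroom = end - tail. */
struct toy_skb {
	size_t headroom;
	size_t len;
	size_t tailroom;
};

/* Stand-in for skb_copy_expand(): the copy gets exactly newheadroom bytes of
 * headroom and exactly newtailroom bytes of tailroom. Both are absolute sizes
 * for the new buffer, not amounts added on top of the old one. */
static struct toy_skb toy_copy_expand(const struct toy_skb *skb,
				      size_t newheadroom, size_t newtailroom)
{
	struct toy_skb nskb = { newheadroom, skb->len, newtailroom };
	return nskb;
}

/* Stand-in for skb_put(): extend the payload by n bytes. Returns -1 where the
 * kernel would call skb_over_panic() because tail would move past end. */
static int toy_put(struct toy_skb *skb, size_t n)
{
	if (n > skb->tailroom)
		return -1;
	skb->len += n;
	skb->tailroom -= n;
	return 0;
}

/* Grow a queued packet by diff bytes the way nfqnl_mangle()/ipq_mangle_*() do.
 * before_fix = 1 issues the old request (0 headroom, diff - tailroom), 0 the
 * fixed one (old headroom, diff). Returns 0 on success, or -1 with the number
 * of bytes tail would pass end stored in *overrun. */
static int mangle_grow(struct toy_skb *skb, size_t diff, int before_fix,
		       size_t *overrun)
{
	*overrun = 0;
	if (diff > skb->tailroom) {
		struct toy_skb nskb = before_fix
			? toy_copy_expand(skb, 0, diff - skb->tailroom)
			: toy_copy_expand(skb, skb->headroom, diff);
		*skb = nskb;
	}
	if (toy_put(skb, diff) < 0) {
		*overrun = diff - skb->tailroom;
		return -1;
	}
	return 0;
}

/* Constructed scenario matching the oops in the commit message: 64 bytes of
 * payload, 56 bytes of tailroom (assumed headroom 64), grown by 632 (put:632). */
static const struct toy_skb ORIG = { 64, 64, 56 };

/* Bytes the pre-fix request overruns by: the copy is given 632 - 56 = 576 bytes
 * of tailroom, so put(632) runs 56 bytes past end, exactly the old tailroom. */
static size_t overrun_before_fix(void)
{
	struct toy_skb skb = ORIG;
	size_t overrun;
	mangle_grow(&skb, 632, 1, &overrun);
	return overrun;
}

/* Payload length after the fixed request, 64 + 632 = 696 (len:696 in the
 * trace), or 0 if the put would still overrun. */
static size_t len_after_fix(void)
{
	struct toy_skb skb = ORIG;
	size_t overrun;
	if (mangle_grow(&skb, 632, 0, &overrun) < 0)
		return 0;
	return skb.len;
}

int main(void)
{
	printf("before fix: skb_put() overruns by %zu bytes\n", overrun_before_fix());
	printf("after fix: packet length %zu, no overrun\n", len_after_fix());
	return 0;
}
```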

* Re: [NETFILTER 00/03]: Netfilter fixes
  2008-04-28 22:06 [NETFILTER 00/03]: Netfilter fixes Patrick McHardy
                   ` (2 preceding siblings ...)
  2008-04-28 22:06 ` [NETFILTER 03/03]: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets Patrick McHardy
@ 2008-04-29 10:16 ` David Miller
  3 siblings, 0 replies; 19+ messages in thread
From: David Miller @ 2008-04-29 10:16 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 29 Apr 2008 00:06:40 +0200 (MEST)

> these three patches fix (again) skb_over_panic caused by netfilter queueing,
> a namespace leak when reading /proc/net/xxx_tables_names and incorrect error
> handling in the TCPOPTSTRIP target.
> 
> Please apply, thanks.

All 3 patches applied, thanks Patrick.

