* netfilter 00/03: netfilter fixes
From: Patrick McHardy @ 2008-06-17 14:03 UTC
  To: davem; +Cc: Patrick McHardy, netfilter-devel

Hi Dave,

following are three fixes for netfilter:

- fix for NAT RCU races related to ct_extend
- fix for a memory leak in a H.323 module init error path
- fix for a crash when unloading the H.323 module while H.245 expectations
  or connections are active

Please apply, thanks.


 include/net/netfilter/nf_conntrack_extend.h |    1 +
 net/ipv4/netfilter/nf_nat_core.c            |    3 +--
 net/netfilter/nf_conntrack_extend.c         |    9 ++++++++-
 net/netfilter/nf_conntrack_h323_main.c      |   22 +++++++++++++++-------
 4 files changed, 25 insertions(+), 10 deletions(-)

Patrick McHardy (3):
      netfilter: nf_nat: fix RCU races
      netfilter: nf_conntrack_h323: fix memory leak in module initialization error path
      netfilter: nf_conntrack_h323: fix module unload crash


* Re: netfilter 00/03: netfilter fixes
From: David Miller @ 2008-06-17 22:53 UTC
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 17 Jun 2008 16:03:51 +0200 (MEST)

> following are three fixes for netfilter:
> 
> - fix for NAT RCU races related to ct_extend
> - fix for a memory leak in a H.323 module init error path
> - fix for a crash when unloading the H.323 module while H.245 expectations
>   or connections are active
> 
> Please apply, thanks.

Applied to net-2.6, and I'll push back out to kernel.org after some
build sanity checks.

Thanks!


* netfilter 00/03: netfilter fixes
From: Patrick McHardy @ 2008-10-14 14:48 UTC
  To: davem; +Cc: Patrick McHardy, netfilter-devel

Hi Dave,

following are some netfilter fixes for 2.6.28, containing:

- restoration of a lost #ifdef to fix user-triggerable WARN_ONs in the
  NAT code. Also queued for -stable.

- restoration of ebtables dependencies that got lost during a Kconfig
  restructuring

- a slightly more involved patch from Pablo to remove the bogus NAT module
  dependencies from ctnetlink. It could be argued whether this qualifies as
  a real bugfix since it's mainly a "it shouldn't be like this" thing and
  everything works properly; in my opinion it does though, because of all
  the side effects that even just loading the NAT module causes. A somewhat
  fitting analogy would be an IPv6 module dependency in, let's say, TCP :)

Please apply, thanks.


 include/linux/netfilter/nfnetlink.h  |    3 +
 include/net/netfilter/nf_nat_core.h  |    8 ++
 net/bridge/netfilter/Kconfig         |    1 +
 net/ipv4/netfilter/nf_defrag_ipv4.c  |    3 +-
 net/ipv4/netfilter/nf_nat_core.c     |   97 ++++++++++++++++++++++
 net/netfilter/nf_conntrack_core.c    |    7 ++
 net/netfilter/nf_conntrack_netlink.c |  151 ++++++++++++++--------------------
 net/netfilter/nfnetlink.c            |   12 ++-
 8 files changed, 188 insertions(+), 94 deletions(-)

Pablo Neira Ayuso (1):
      netfilter: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat

Patrick McHardy (2):
      netfilter: restore lost #ifdef guarding defrag exception
      netfilter: fix ebtables dependencies


* netfilter 01/03: restore lost
From: Patrick McHardy @ 2008-10-14 14:48 UTC
  To: davem; +Cc: Patrick McHardy, netfilter-devel

commit 88e2364d9db799fec118e5a97f282762cdfb0d1a
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Oct 13 15:43:20 2008 +0200

    netfilter: restore lost #ifdef guarding defrag exception
    
    Nir Tzachar <nir.tzachar@gmail.com> reported a warning when sending
    fragments over loopback with NAT:
    
    [ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155()
    
    The reason is that defragmentation is skipped for already tracked connections.
    This is wrong in combination with NAT and ip_conntrack actually had some ifdefs
    to avoid this behaviour when NAT is compiled in.
    
    The entire "optimization" may seem a bit silly, for now simply restoring the
    lost #ifdef is the easiest solution until we can come up with something better.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index aa2c50a..fa2d6b6 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -41,12 +41,13 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
 					  int (*okfn)(struct sk_buff *))
 {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
 	/* Previously seen (loopback)?  Ignore.  Do this before
 	   fragment check. */
 	if (skb->nfct)
 		return NF_ACCEPT;
 #endif
-
+#endif
 	/* Gather fragments. */
 	if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
 		if (nf_ct_ipv4_gather_frags(skb,
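Review bot: the restored guard keys on CONFIG_NF_NAT / CONFIG_NF_NAT_MODULE, so the loopback shortcut is compiled out whenever NAT is merely built into the tree, not only while the nf_nat module is loaded; that is the safe direction, but a one-line comment above the `if (skb->nfct)` block saying why NAT forbids skipping defragmentation for an already-tracked skb (the nf_nat_standalone.c:89 warning from the commit message) would keep the next cleanup from removing it again. Nesting a second `#if` inside the `#if defined(CONFIG_NF_CONNTRACK) ...` block also leaves two `#endif` lines with nothing between them; folding both conditions into a single `#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)` plus the `!defined(CONFIG_NF_NAT)` pair reads better and cannot be half-reverted.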


* netfilter 02/03: fix ebtables dependencies
From: Patrick McHardy @ 2008-10-14 14:48 UTC
  To: davem; +Cc: Patrick McHardy, netfilter-devel

commit 0a536ab6cb2021d764921a42ad22a5aadee8fbb8
Author: Patrick McHardy <kaber@trash.net>
Date:   Tue Oct 14 13:51:08 2008 +0200

    netfilter: fix ebtables dependencies
    
    Ingo Molnar reported a build error with ebtables:
    
    ERROR: "ebt_register_table" [net/bridge/netfilter/ebtable_filter.ko] undefined!
    ERROR: "ebt_do_table" [net/bridge/netfilter/ebtable_filter.ko] undefined!
    ERROR: "ebt_unregister_table" [net/bridge/netfilter/ebtable_filter.ko] undefined!
    ERROR: "ebt_register_table" [net/bridge/netfilter/ebtable_broute.ko] undefined!
    ERROR: "ebt_do_table" [net/bridge/netfilter/ebtable_broute.ko] undefined!
    ERROR: "ebt_unregister_table" [net/bridge/netfilter/ebtable_broute.ko] undefined!
    make[1]: *** [__modpost] Error 1
    make: *** [modules] Error 2
    
    The reason is a missing dependency that got lost during Kconfig cleanups.
    Restore it.
    
    Tested-by: Ingo Molnar <mingo@elte.hu>
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 366d3e9..ba6f73e 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -4,6 +4,7 @@
 
 menuconfig BRIDGE_NF_EBTABLES
 	tristate "Ethernet Bridge tables (ebtables) support"
+	depends on BRIDGE && BRIDGE_NETFILTER
 	select NETFILTER_XTABLES
 	help
 	  ebtables is a general, extensible frame/packet identification
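Review bot: `depends on BRIDGE && BRIDGE_NETFILTER` resolves the unresolved `ebt_register_table`/`ebt_do_table`/`ebt_unregister_table` symbols, but nothing in the hunk or the commit message says why BRIDGE_NETFILTER, rather than BRIDGE alone, is required for the ebtables core to be built; one sentence in the `help` text or the commit message (for example that the bridge netfilter directory is only descended into under BRIDGE_NETFILTER, if that is the case in this tree) would stop the dependency from being dropped in the next Kconfig cleanup, which is exactly how it got lost this time.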


* netfilter 03/03: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat
From: Patrick McHardy @ 2008-10-14 14:48 UTC
  To: davem; +Cc: Patrick McHardy, netfilter-devel

commit 006bd260d57b89db8503d41896094c5d2d996723
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue Oct 14 15:50:49 2008 +0200

    netfilter: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat
    
    This patch removes the module dependency between ctnetlink and
    nf_nat by means of an indirect call that is initialized when
    nf_nat is loaded. Now, nf_conntrack_netlink only requires
    nf_conntrack and nfnetlink.
    
    This patch puts nfnetlink_parse_nat_setup_hook into the
    nf_conntrack_core to avoid dependencies between ctnetlink,
    nf_conntrack_ipv4 and nf_conntrack_ipv6.
    
    This patch also introduces the function ctnetlink_change_nat
    that is only invoked from the creation path. Actually, the
    nat handling cannot be invoked from the update path since
    this is not allowed. By introducing this function, we remove
    the useless nat handling in the update path and we avoid
    deadlock-prone code.
    
    This patch also adds the required EAGAIN logic for nfnetlink.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 0d8424f..7d8e045 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -78,6 +78,9 @@ extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group,
 			  int echo);
 extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
 
+extern void nfnl_lock(void);
+extern void nfnl_unlock(void);
+
 #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
 	MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
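Review bot: `nfnl_lock()`/`nfnl_unlock()` become part of the nfnetlink API here with no comment on when a subsystem is allowed to call them. The only intended use in this series is to drop the mutex around `request_module()` and then return -EAGAIN so the message is replayed from the top; say that next to the prototypes, including that any kernel state examined before the unlock may have changed by the time the lock is re-taken, otherwise the next caller will drop the lock and simply carry on.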
 
diff --git a/include/net/netfilter/nf_nat_core.h b/include/net/netfilter/nf_nat_core.h
index f29eeb9..5868406 100644
--- a/include/net/netfilter/nf_nat_core.h
+++ b/include/net/netfilter/nf_nat_core.h
@@ -25,4 +25,12 @@ static inline int nf_nat_initialized(struct nf_conn *ct,
 	else
 		return test_bit(IPS_DST_NAT_DONE_BIT, &ct->status);
 }
+
+struct nlattr;
+
+extern int
+(*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
+				  enum nf_nat_manip_type manip,
+				  struct nlattr *attr);
+
 #endif /* _NF_NAT_CORE_H */
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 2ac9eaf..a65cf69 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -584,6 +584,98 @@ static struct nf_ct_ext_type nat_extend __read_mostly = {
 	.flags		= NF_CT_EXT_F_PREALLOC,
 };
 
+#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
+
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nfnetlink_conntrack.h>
+
+static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
+	[CTA_PROTONAT_PORT_MIN]	= { .type = NLA_U16 },
+	[CTA_PROTONAT_PORT_MAX]	= { .type = NLA_U16 },
+};
+
+static int nfnetlink_parse_nat_proto(struct nlattr *attr,
+				     const struct nf_conn *ct,
+				     struct nf_nat_range *range)
+{
+	struct nlattr *tb[CTA_PROTONAT_MAX+1];
+	const struct nf_nat_protocol *npt;
+	int err;
+
+	err = nla_parse_nested(tb, CTA_PROTONAT_MAX, attr, protonat_nla_policy);
+	if (err < 0)
+		return err;
+
+	npt = nf_nat_proto_find_get(nf_ct_protonum(ct));
+	if (npt->nlattr_to_range)
+		err = npt->nlattr_to_range(tb, range);
+	nf_nat_proto_put(npt);
+	return err;
+}
+
+static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
+	[CTA_NAT_MINIP]		= { .type = NLA_U32 },
+	[CTA_NAT_MAXIP]		= { .type = NLA_U32 },
+};
+
+static int
+nfnetlink_parse_nat(struct nlattr *nat,
+		    const struct nf_conn *ct, struct nf_nat_range *range)
+{
+	struct nlattr *tb[CTA_NAT_MAX+1];
+	int err;
+
+	memset(range, 0, sizeof(*range));
+
+	err = nla_parse_nested(tb, CTA_NAT_MAX, nat, nat_nla_policy);
+	if (err < 0)
+		return err;
+
+	if (tb[CTA_NAT_MINIP])
+		range->min_ip = nla_get_be32(tb[CTA_NAT_MINIP]);
+
+	if (!tb[CTA_NAT_MAXIP])
+		range->max_ip = range->min_ip;
+	else
+		range->max_ip = nla_get_be32(tb[CTA_NAT_MAXIP]);
+
+	if (range->min_ip)
+		range->flags |= IP_NAT_RANGE_MAP_IPS;
+
+	if (!tb[CTA_NAT_PROTO])
+		return 0;
+
+	err = nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
+	if (err < 0)
+		return err;
+
+	return 0;
+}
+
+static int
+nfnetlink_parse_nat_setup(struct nf_conn *ct,
+			  enum nf_nat_manip_type manip,
+			  struct nlattr *attr)
+{
+	struct nf_nat_range range;
+
+	if (nfnetlink_parse_nat(attr, ct, &range) < 0)
+		return -EINVAL;
+	if (nf_nat_initialized(ct, manip))
+		return -EEXIST;
+
+	return nf_nat_setup_info(ct, &range, manip);
+}
+#else
+static int
+nfnetlink_parse_nat_setup(struct nf_conn *ct,
+			  enum nf_nat_manip_type manip,
+			  struct nlattr *attr)
+{
+	return -EOPNOTSUPP;
+}
+#endif
+
 static int __net_init nf_nat_net_init(struct net *net)
 {
 	net->ipv4.nat_bysource = nf_ct_alloc_hashtable(&nf_nat_htable_size,
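Review bot: `nat_nla_policy` has no entry for CTA_NAT_PROTO, so `nla_parse_nested()` accepts a payload of any length for it and `nfnetlink_parse_nat_proto()` then parses whatever bytes are there as a nested attribute run; add `[CTA_NAT_PROTO] = { .type = NLA_NESTED }` so a truncated or non-nested payload is rejected up front rather than silently treated as an empty nest. Two smaller points in the same hunk: `nfnetlink_parse_nat_setup()` runs the full parse before the cheap `nf_nat_initialized()` test, so swapping the two avoids the work on the -EEXIST path, and `nfnetlink_parse_nat_proto()` dereferences the result of `nf_nat_proto_find_get()` without a NULL check, which is fine only if that function never returns NULL; a comment saying so would help a reader who does not have that code open.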
@@ -654,6 +746,9 @@ static int __init nf_nat_init(void)
 
 	BUG_ON(nf_nat_seq_adjust_hook != NULL);
 	rcu_assign_pointer(nf_nat_seq_adjust_hook, nf_nat_seq_adjust);
+	BUG_ON(nfnetlink_parse_nat_setup_hook != NULL);
+	rcu_assign_pointer(nfnetlink_parse_nat_setup_hook,
+			   nfnetlink_parse_nat_setup);
 	return 0;
 
  cleanup_extend:
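Review bot: with CONFIG_NF_CT_NETLINK disabled the `#else` stub of `nfnetlink_parse_nat_setup()` is still assigned to the hook here, so a non-NULL `nfnetlink_parse_nat_setup_hook` no longer means that NAT setup via ctnetlink is available; the ctnetlink side treats "hook became non-NULL after request_module()" as a reason to return -EAGAIN and replay, and the replay then gets -EOPNOTSUPP from the stub. That is correct but non-obvious; a comment at the `rcu_assign_pointer()` noting that the stub is registered on purpose would prevent someone turning the replay into a retry loop.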
@@ -667,10 +762,12 @@ static void __exit nf_nat_cleanup(void)
 	nf_ct_l3proto_put(l3proto);
 	nf_ct_extend_unregister(&nat_extend);
 	rcu_assign_pointer(nf_nat_seq_adjust_hook, NULL);
+	rcu_assign_pointer(nfnetlink_parse_nat_setup_hook, NULL);
 	synchronize_net();
 }
 
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("nf-nat-ipv4");
 
 module_init(nf_nat_init);
 module_exit(nf_nat_cleanup);
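Review bot: teardown order in `nf_nat_cleanup()`: the hooks are cleared and `synchronize_net()` is run only after `nf_ct_extend_unregister(&nat_extend)` and `nf_ct_l3proto_put()`, so a ctnetlink caller that fetched `nfnetlink_parse_nat_setup_hook` under RCU just before the NULL assignment can still be inside `nf_nat_setup_info()` while the NAT extension is being unregistered. Clear both hook pointers first, call `synchronize_net()`, and only then drop the extension and the l3proto reference.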
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 27de3c7..622d7c6 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -38,9 +38,16 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_extend.h>
 #include <net/netfilter/nf_conntrack_acct.h>
+#include <net/netfilter/nf_nat.h>
 
 #define NF_CONNTRACK_VERSION	"0.5.0"
 
+unsigned int
+(*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
+				  enum nf_nat_manip_type manip,
+				  struct nlattr *attr) __read_mostly;
+EXPORT_SYMBOL_GPL(nfnetlink_parse_nat_setup_hook);
+
 DEFINE_SPINLOCK(nf_conntrack_lock);
 EXPORT_SYMBOL_GPL(nf_conntrack_lock);
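Review bot: the definition is `unsigned int (*nfnetlink_parse_nat_setup_hook)(...)`, while the extern added to nf_nat_core.h in this same patch declares it as returning `int`, and the function assigned to it, `nfnetlink_parse_nat_setup()`, returns negative errno values (-EINVAL, -EEXIST, -EOPNOTSUPP). The mismatch goes unnoticed only because this file includes `<net/netfilter/nf_nat.h>` and not `<net/netfilter/nf_nat_core.h>`, so no translation unit sees both; make the definition `int` and include the header that declares it so the compiler checks the two against each other.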
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index cadfd15..08e82d6 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -689,71 +689,6 @@ ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple,
 	return 0;
 }
 
-#ifdef CONFIG_NF_NAT_NEEDED
-static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = {
-	[CTA_PROTONAT_PORT_MIN]	= { .type = NLA_U16 },
-	[CTA_PROTONAT_PORT_MAX]	= { .type = NLA_U16 },
-};
-
-static int nfnetlink_parse_nat_proto(struct nlattr *attr,
-				     const struct nf_conn *ct,
-				     struct nf_nat_range *range)
-{
-	struct nlattr *tb[CTA_PROTONAT_MAX+1];
-	const struct nf_nat_protocol *npt;
-	int err;
-
-	err = nla_parse_nested(tb, CTA_PROTONAT_MAX, attr, protonat_nla_policy);
-	if (err < 0)
-		return err;
-
-	npt = nf_nat_proto_find_get(nf_ct_protonum(ct));
-	if (npt->nlattr_to_range)
-		err = npt->nlattr_to_range(tb, range);
-	nf_nat_proto_put(npt);
-	return err;
-}
-
-static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
-	[CTA_NAT_MINIP]		= { .type = NLA_U32 },
-	[CTA_NAT_MAXIP]		= { .type = NLA_U32 },
-};
-
-static inline int
-nfnetlink_parse_nat(struct nlattr *nat,
-		    const struct nf_conn *ct, struct nf_nat_range *range)
-{
-	struct nlattr *tb[CTA_NAT_MAX+1];
-	int err;
-
-	memset(range, 0, sizeof(*range));
-
-	err = nla_parse_nested(tb, CTA_NAT_MAX, nat, nat_nla_policy);
-	if (err < 0)
-		return err;
-
-	if (tb[CTA_NAT_MINIP])
-		range->min_ip = nla_get_be32(tb[CTA_NAT_MINIP]);
-
-	if (!tb[CTA_NAT_MAXIP])
-		range->max_ip = range->min_ip;
-	else
-		range->max_ip = nla_get_be32(tb[CTA_NAT_MAXIP]);
-
-	if (range->min_ip)
-		range->flags |= IP_NAT_RANGE_MAP_IPS;
-
-	if (!tb[CTA_NAT_PROTO])
-		return 0;
-
-	err = nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
-	if (err < 0)
-		return err;
-
-	return 0;
-}
-#endif
-
 static inline int
 ctnetlink_parse_help(struct nlattr *attr, char **helper_name)
 {
@@ -879,6 +814,34 @@ out:
 }
 
 static int
+ctnetlink_parse_nat_setup(struct nf_conn *ct,
+			  enum nf_nat_manip_type manip,
+			  struct nlattr *attr)
+{
+	typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
+
+	parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
+	if (!parse_nat_setup) {
+#ifdef CONFIG_KMOD
+		rcu_read_unlock();
+		nfnl_unlock();
+		if (request_module("nf-nat-ipv4") < 0) {
+			nfnl_lock();
+			rcu_read_lock();
+			return -EOPNOTSUPP;
+		}
+		nfnl_lock();
+		rcu_read_lock();
+		if (nfnetlink_parse_nat_setup_hook)
+			return -EAGAIN;
+#endif
+		return -EOPNOTSUPP;
+	}
+
+	return parse_nat_setup(ct, manip, attr);
+}
+
+static int
 ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
 {
 	unsigned long d;
@@ -897,31 +860,6 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
 		/* ASSURED bit can only be set */
 		return -EBUSY;
 
-	if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
-#ifndef CONFIG_NF_NAT_NEEDED
-		return -EOPNOTSUPP;
-#else
-		struct nf_nat_range range;
-
-		if (cda[CTA_NAT_DST]) {
-			if (nfnetlink_parse_nat(cda[CTA_NAT_DST], ct,
-						&range) < 0)
-				return -EINVAL;
-			if (nf_nat_initialized(ct, IP_NAT_MANIP_DST))
-				return -EEXIST;
-			nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST);
-		}
-		if (cda[CTA_NAT_SRC]) {
-			if (nfnetlink_parse_nat(cda[CTA_NAT_SRC], ct,
-						&range) < 0)
-				return -EINVAL;
-			if (nf_nat_initialized(ct, IP_NAT_MANIP_SRC))
-				return -EEXIST;
-			nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC);
-		}
-#endif
-	}
-
 	/* Be careful here, modifying NAT bits can screw up things,
 	 * so don't let users modify them directly if they don't pass
 	 * nf_nat_range. */
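Review bot: with the NAT block removed, an update message that carries CTA_NAT_SRC or CTA_NAT_DST now falls through to the status handling and those attributes are silently ignored, where the old code returned -EOPNOTSUPP or -EEXIST. If NAT may only be configured on creation, as the commit message says, reject it explicitly in the update path so userspace learns that the request was not honoured, and revise the "Be careful here, modifying NAT bits" comment, which still reads as if NAT ranges were processed in this function.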
@@ -929,6 +867,31 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
 	return 0;
 }
 
+static int
+ctnetlink_change_nat(struct nf_conn *ct, struct nlattr *cda[])
+{
+#ifdef CONFIG_NF_NAT_NEEDED
+	int ret;
+
+	if (cda[CTA_NAT_DST]) {
+		ret = ctnetlink_parse_nat_setup(ct,
+						IP_NAT_MANIP_DST,
+						cda[CTA_NAT_DST]);
+		if (ret < 0)
+			return ret;
+	}
+	if (cda[CTA_NAT_SRC]) {
+		ret = ctnetlink_parse_nat_setup(ct,
+						IP_NAT_MANIP_SRC,
+						cda[CTA_NAT_SRC]);
+		if (ret < 0)
+			return ret;
+	}
+	return 0;
+#else
+	return -EOPNOTSUPP;
+#endif
+}
 
 static inline int
 ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
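Review bot: `ctnetlink_change_nat()` still compiles its body under `#ifdef CONFIG_NF_NAT_NEEDED`, which is exactly the build-time coupling to nf_nat this patch sets out to remove; the hook path already returns -EOPNOTSUPP when no NAT implementation is registered, so the `#ifdef`/`#else` can go and ctnetlink no longer needs to know the NAT config symbol at all. Style: the new function is inserted directly after the closing brace of `ctnetlink_change_status()` with no blank line between them, and then followed by a blank line before `ctnetlink_change_helper()`; the blank line belongs before the new function, not only after it.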
@@ -1157,6 +1120,14 @@ ctnetlink_create_conntrack(struct nlattr *cda[],
 		}
 	}
 
+	if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
+		err = ctnetlink_change_nat(ct, cda);
+		if (err < 0) {
+			rcu_read_unlock();
+			goto err;
+		}
+	}
+
 	if (cda[CTA_PROTOINFO]) {
 		err = ctnetlink_change_protoinfo(ct, cda);
 		if (err < 0) {
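Review bot: `ctnetlink_change_nat()` can return -EAGAIN from the module-load path, and this hunk routes that through `rcu_read_unlock(); goto err;`, which is only correct if the `err:` label frees `ct`, because the replayed message will re-enter `ctnetlink_create_conntrack()` and allocate a second conntrack. Worth confirming and stating in a comment here, since this is the one error that is not really an error and will come back around.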
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index b75c9c4..4739f9f 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -44,15 +44,17 @@ static struct sock *nfnl = NULL;
 static const struct nfnetlink_subsystem *subsys_table[NFNL_SUBSYS_COUNT];
 static DEFINE_MUTEX(nfnl_mutex);
 
-static inline void nfnl_lock(void)
+void nfnl_lock(void)
 {
 	mutex_lock(&nfnl_mutex);
 }
+EXPORT_SYMBOL_GPL(nfnl_lock);
 
-static inline void nfnl_unlock(void)
+void nfnl_unlock(void)
 {
 	mutex_unlock(&nfnl_mutex);
 }
+EXPORT_SYMBOL_GPL(nfnl_unlock);
 
 int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n)
 {
@@ -132,6 +134,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		return 0;
 
 	type = nlh->nlmsg_type;
+replay:
 	ss = nfnetlink_get_subsys(type);
 	if (!ss) {
 #ifdef CONFIG_KMOD
@@ -165,7 +168,10 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		} else
 			return -EINVAL;
 
-		return nc->call(nfnl, skb, nlh, cda);
+		err = nc->call(nfnl, skb, nlh, cda);
+		if (err == -EAGAIN)
+			goto replay;
+		return err;
 	}
 }
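Review bot: `goto replay` is unbounded: a subsystem callback that returns -EAGAIN on every call, or one whose module loads but registers a stub that keeps answering -EAGAIN, spins this receive path forever. Cap it at one replay, for example a local flag that turns a second -EAGAIN into -EOPNOTSUPP, and add a comment at the `replay:` label explaining that -EAGAIN from `nc->call` means "a module was loaded, redo the subsystem lookup", which is why the label sits above `nfnetlink_get_subsys()` rather than just above the call.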
 

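As an added example, not code from the patch or the kernel, the following userspace C program models the CTA_NAT attribute parsing that patch 03/03 moves into nf_nat_core.c: bounds-checked attribute walking with a type policy, the min/max IP defaulting, the IP_NAT_RANGE_MAP_IPS flag, and the nested CTA_NAT_PROTO port range. It goes one step beyond the patch by giving CTA_NAT_PROTO an NLA_NESTED policy entry, which the patch's nat_nla_policy leaves out, and shows with a constructed malformed message what that entry rejects. The attribute numbers, flag values, struct layouts and sample bytes are assumed for this example and are not taken from the kernel headers.

```c
/* Added example, not kernel code: userspace model of the CTA_NAT parsing in
 * nfnetlink_parse_nat()/nfnetlink_parse_nat_proto(), plus an NLA_NESTED policy
 * entry for CTA_NAT_PROTO. Attribute numbers, flags and sample bytes are
 * assumed here, not taken from the kernel headers. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nlattr { uint16_t nla_len; uint16_t nla_type; };   /* same shape as uapi */
#define NLA_ALIGN(n)  (((n) + 3) & ~3)
#define NLA_HDRLEN    ((int)NLA_ALIGN(sizeof(struct nlattr)))

enum { NLA_UNSPEC, NLA_U16, NLA_U32, NLA_NESTED };
struct nla_policy { int type; };

enum { CTA_NAT_UNSPEC, CTA_NAT_MINIP, CTA_NAT_MAXIP, CTA_NAT_PROTO,
       CTA_NAT_MAX = CTA_NAT_PROTO };                       /* assumed numbering */
enum { CTA_PROTONAT_UNSPEC, CTA_PROTONAT_PORT_MIN, CTA_PROTONAT_PORT_MAX,
       CTA_PROTONAT_MAX = CTA_PROTONAT_PORT_MAX };

#define IP_NAT_RANGE_MAP_IPS          1                     /* assumed flag values */
#define IP_NAT_RANGE_PROTO_SPECIFIED  2

struct nf_nat_range {
	unsigned int flags;
	uint32_t min_ip, max_ip;      /* network byte order, as in the kernel */
	uint16_t min_port, max_port;  /* network byte order */
};

static const struct nla_policy nat_policy[CTA_NAT_MAX + 1] = {
	[CTA_NAT_MINIP] = { NLA_U32 },
	[CTA_NAT_MAXIP] = { NLA_U32 },
	[CTA_NAT_PROTO] = { NLA_NESTED },   /* added: payload must be a nest or empty */
};
static const struct nla_policy protonat_policy[CTA_PROTONAT_MAX + 1] = {
	[CTA_PROTONAT_PORT_MIN] = { NLA_U16 },
	[CTA_PROTONAT_PORT_MAX] = { NLA_U16 },
};

static const uint8_t *nla_data(const struct nlattr *a) { return (const uint8_t *)a + NLA_HDRLEN; }
static int nla_plen(const struct nlattr *a) { uint16_t l; memcpy(&l, a, 2); return l - NLA_HDRLEN; }
static uint32_t nla_get_be32(const struct nlattr *a) { uint32_t v; memcpy(&v, nla_data(a), 4); return v; }
static uint16_t nla_get_be16(const struct nlattr *a) { uint16_t v; memcpy(&v, nla_data(a), 2); return v; }

/* Walk a run of attributes, bounds-checking each header and enforcing the policy. */
static int nla_parse(const struct nlattr *tb[], int maxtype, const uint8_t *buf, int len,
		     const struct nla_policy *pol)
{
	memset(tb, 0, sizeof(tb[0]) * (maxtype + 1));
	while (len >= (int)sizeof(struct nlattr)) {
		struct nlattr a;
		memcpy(&a, buf, sizeof(a));               /* unaligned-safe header read */
		if (a.nla_len < NLA_HDRLEN || a.nla_len > len)
			return -1;                        /* truncated or overlong TLV */
		if (a.nla_type <= maxtype) {
			int plen = a.nla_len - NLA_HDRLEN;
			switch (pol[a.nla_type].type) {
			case NLA_U16:    if (plen != 2) return -1; break;
			case NLA_U32:    if (plen != 4) return -1; break;
			case NLA_NESTED: if (plen && plen < NLA_HDRLEN) return -1; break;
			default:         break;           /* NLA_UNSPEC: any length */
			}
			tb[a.nla_type] = (const struct nlattr *)buf;
		}
		buf += NLA_ALIGN(a.nla_len);
		len -= NLA_ALIGN(a.nla_len);
	}
	return 0;
}

/* Modelled on the kernel's port-based nlattr_to_range(): max defaults to min. */
static int parse_nat_proto(const struct nlattr *attr, struct nf_nat_range *range)
{
	const struct nlattr *tb[CTA_PROTONAT_MAX + 1];
	if (nla_parse(tb, CTA_PROTONAT_MAX, nla_data(attr), nla_plen(attr), protonat_policy) < 0)
		return -1;
	if (tb[CTA_PROTONAT_PORT_MIN]) {
		range->min_port = range->max_port = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]);
		range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
	}
	if (tb[CTA_PROTONAT_PORT_MAX]) {
		range->max_port = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]);
		range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
	}
	return 0;
}

/* Same decisions as nfnetlink_parse_nat() in the patch, over a raw attribute run. */
int parse_nat(const uint8_t *buf, int len, struct nf_nat_range *range)
{
	const struct nlattr *tb[CTA_NAT_MAX + 1];
	memset(range, 0, sizeof(*range));
	if (nla_parse(tb, CTA_NAT_MAX, buf, len, nat_policy) < 0)
		return -1;
	if (tb[CTA_NAT_MINIP])
		range->min_ip = nla_get_be32(tb[CTA_NAT_MINIP]);
	range->max_ip = tb[CTA_NAT_MAXIP] ? nla_get_be32(tb[CTA_NAT_MAXIP]) : range->min_ip;
	if (range->min_ip)
		range->flags |= IP_NAT_RANGE_MAP_IPS;
	return tb[CTA_NAT_PROTO] ? parse_nat_proto(tb[CTA_NAT_PROTO], range) : 0;
}

/* Append one attribute (header, payload, padding); returns the new offset. */
static int nla_put(uint8_t *buf, int off, uint16_t type, const void *data, int dlen)
{
	struct nlattr a = { (uint16_t)(NLA_HDRLEN + dlen), type };
	memcpy(buf + off, &a, sizeof(a));
	memset(buf + off + NLA_HDRLEN, 0, NLA_ALIGN(dlen));
	memcpy(buf + off + NLA_HDRLEN, data, dlen);
	return off + NLA_HDRLEN + NLA_ALIGN(dlen);
}

/* Constructed sample: map to 10.0.0.1, ports 1024-2048, CTA_NAT_MAXIP omitted. */
int build_sample_nat(uint8_t *buf)
{
	uint32_t ip = htonl(0x0a000001u);
	uint16_t pmin = htons(1024), pmax = htons(2048);
	int off = nla_put(buf, 0, CTA_NAT_MINIP, &ip, 4), nest = off;
	struct nlattr hdr = { 0, CTA_NAT_PROTO };
	off += NLA_HDRLEN;                                /* leave room for the nest header */
	off = nla_put(buf, off, CTA_PROTONAT_PORT_MIN, &pmin, 2);
	off = nla_put(buf, off, CTA_PROTONAT_PORT_MAX, &pmax, 2);
	hdr.nla_len = (uint16_t)(off - nest);
	memcpy(buf + nest, &hdr, sizeof(hdr));
	return off;
}

/* Constructed malformed sample: CTA_NAT_PROTO carrying one stray byte. Without
 * the NLA_NESTED policy entry this would be accepted and parsed as an empty nest. */
int build_bad_proto_nat(uint8_t *buf)
{
	uint8_t junk = 0xff;
	return nla_put(buf, 0, CTA_NAT_PROTO, &junk, 1);
}

int main(void)
{
	uint8_t buf[64];
	struct nf_nat_range r;
	int rc = parse_nat(buf, build_sample_nat(buf), &r);
	printf("good: rc=%d flags=%#x ip=%#x ports=%u-%u\n", rc, r.flags,
	       (unsigned)ntohl(r.min_ip), ntohs(r.min_port), ntohs(r.max_port));
	printf("bad proto: rc=%d\n", parse_nat(buf, build_bad_proto_nat(buf), &r));
	return 0;
}
```

The first message parses to a range with both MAP_IPS and PROTO_SPECIFIED set and max_ip equal to min_ip; the second is rejected by the NLA_NESTED check before any port parsing happens, which is the behaviour the missing policy entry in the patch would not give you.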

* Re: netfilter 01/03: restore lost
From: David Miller @ 2008-10-14 18:57 UTC
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 14 Oct 2008 16:48:46 +0200 (MEST)

>     netfilter: restore lost #ifdef guarding defrag exception

Applied.


* Re: netfilter 02/03: fix ebtables dependencies
From: David Miller @ 2008-10-14 18:57 UTC
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 14 Oct 2008 16:48:47 +0200 (MEST)

>     netfilter: fix ebtables dependencies

Applied.


* Re: netfilter 03/03: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat
From: David Miller @ 2008-10-14 18:59 UTC
  To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 14 Oct 2008 16:48:48 +0200 (MEST)

>     netfilter: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat

Ok, I applied this too.

You've used up your "borderline patch" quota for this release,
so please no more stuff like this :-)

Thanks!


* netfilter 00/03: netfilter fixes
From: Patrick McHardy @ 2008-11-24 13:44 UTC
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following three patches for 2.6.28 fix a couple of netfilter issues:

- a conntrack creation race in ctnetlink that can cause NULL pointer
  dereferences in ctnetlink and duplicate conntrack entries.

- a missing const qualifier that got lost during the encapsulation of
  iptables target parameters

- a crash with bridge netfilter and GRE caused by a missing update_pmtu()
  function for the fake dst_entry.

Please apply, thanks.


 include/linux/netfilter/x_tables.h   |    2 +-
 net/bridge/br_netfilter.c            |   13 +++++++++++++
 net/netfilter/nf_conntrack_core.c    |    2 --
 net/netfilter/nf_conntrack_netlink.c |    5 +++--
 4 files changed, 17 insertions(+), 5 deletions(-)

Herbert Xu (1):
      bridge: netfilter: fix update_pmtu crash with GRE

Jan Engelhardt (1):
      netfilter: xtables: add missing const qualifier to xt_tgchk_param

Patrick McHardy (1):
      netfilter: ctnetlink: fix conntrack creation race


* netfilter 00/03: netfilter fixes
From: Patrick McHardy @ 2009-04-08 16:52 UTC
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches fix three netfilter bugs:

- an incorrect dependency for the new LED target, added by myself to fix
  the compilation problem reported one or two weeks ago

- a fix for the ip6_tables "lock free counters" regression caused by a
  missing return statement

- a fix for a regression in .29, causing conntrack expectation refresh to
  create a new expectation instead of refreshing the existing one.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Please note that the git tree will bring in a merge commit of Linus'
tree from 2 days ago.

Thanks!


 include/net/netfilter/nf_conntrack_expect.h |    5 +++-
 net/ipv6/netfilter/ip6_tables.c             |    2 +
 net/netfilter/Kconfig                       |    2 +-
 net/netfilter/nf_conntrack_expect.c         |   30 +++++---------------------
 4 files changed, 13 insertions(+), 26 deletions(-)

Alex Riesen (1):
      netfilter: fix selection of "LED" target in netfilter

Eric Dumazet (1):
      netfilter: ip6tables regression fix

Pablo Neira Ayuso (1):
      netfilter: ctnetlink: fix regression in expectation handling


* Re: netfilter 00/03: netfilter fixes
From: David Miller @ 2009-04-08 20:43 UTC
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Wed,  8 Apr 2009 18:52:16 +0200 (MEST)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks Patrick.


* netfilter 00/03: netfilter fixes
From: Patrick McHardy @ 2009-04-16 17:16 UTC
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following three patches fix two netfilter bugs introduced during the merge
window and re-add support for a feature that accidentally got dropped with the
SAME target removal:

- a missing list initialization of the nf_log logger lists

- a missing conversion to use the hlist_nulls list function in connection tracking
  helper unregistration

- support for persistent multi-range NAT mappings

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/net/netfilter/nf_nat.h      |    1 +
 net/ipv4/netfilter/nf_nat_core.c    |    3 ++-
 net/netfilter/nf_conntrack_helper.c |    2 +-
 net/netfilter/nf_log.c              |    4 ++++
 4 files changed, 8 insertions(+), 2 deletions(-)

Eric Dumazet (1):
      netfilter: nf_log regression fix

Patrick McHardy (2):
      netfilter: nf_conntrack: fix crash when unloading helpers
      netfilter: nf_nat: add support for persistent mappings


* Re: netfilter 00/03: netfilter fixes
From: David Miller @ 2009-04-16 23:33 UTC
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Apr 2009 19:16:22 +0200 (MEST)

> the following three patches fix two netfilter bugs introduced during the merge
> window and re-add support for a feature that accidentally got dropped with the
> SAME target removal:
> 
> - a missing list initialization of the nf_log logger lists
> 
> - a missing conversion to use the hlist_nulls list function in connection tracking
>   helper unregistration
> 
> - support for persistent multi-range NAT mappings
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!


* netfilter 00/03: netfilter fixes
From: Patrick McHardy @ 2009-07-16 12:26 UTC
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

following are two netfilter fixes for 2.6.31 and a MAINTAINERS update:

- a fix for the nf_conntrack_alloc() race from Eric
- a fix for incorrect invocation of nf_log_packet() in the new osf match
- a patch to add my netfilter git tree to MAINTAINERS

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 Documentation/RCU/rculist_nulls.txt |    7 ++++++-
 MAINTAINERS                         |    1 +
 net/netfilter/nf_conntrack_core.c   |   21 ++++++++++++++++++---
 net/netfilter/xt_osf.c              |    5 +++--
 4 files changed, 28 insertions(+), 6 deletions(-)

Eric Dumazet (1):
      netfilter: nf_conntrack: nf_conntrack_alloc() fixes

Joe Perches (1):
      netfilter: add netfilter git to MAINTAINERS

Patrick McHardy (1):
      netfilter: xt_osf: fix nf_log_packet() arguments


* Re: netfilter 00/03: netfilter fixes
From: David Miller @ 2009-07-17  0:37 UTC
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Jul 2009 14:26:44 +0200 (MEST)

> following are two netfilter fixes for 2.6.31 and a MAINTAINERS update:
> 
> - a fix for the nf_conntrack_alloc() race from Eric
> - a fix for incorrect invocation of nf_log_packet() in the new osf match
> - a patch to add my netfilter git tree to MAINTAINERS
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks a lot Patrick!


* netfilter 00/03: netfilter fixes
From: Patrick McHardy @ 2010-02-19 17:02 UTC
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

following are three netfilter fixes for net-next, fixing:

- the NAT issue reported by Stephen, which was caused by inverted logic
  in NF_HOOK_COND(), causing it to skip the POST_ROUTING hook invocation

- an assertion in ct_extend, caused by invalid ordering in ctnetlink
  when setting up new conntracks. Additionally it is invalid to
  attach helpers to existing conntracks, which is disabled by this
  patch.

- an skb leak in nf_queue when userspace returns NF_STOLEN as verdict

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master

Thanks!


 include/linux/netfilter.h            |    5 +++--
 net/netfilter/nf_conntrack_netlink.c |   22 +++++++++++-----------
 net/netfilter/nf_queue.c             |    2 +-
 3 files changed, 15 insertions(+), 14 deletions(-)

Eric Dumazet (1):
      netfilter: nf_queue: fix NF_STOLEN skb leak

Pablo Neira Ayuso (1):
      netfilter: ctnetlink: fix creation of conntrack with helpers

Patrick McHardy (1):
      netfilter: restore POST_ROUTING hook in NF_HOOK_COND


* Re: netfilter 00/03: netfilter fixes
From: David Miller @ 2010-02-19 20:46 UTC
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 19 Feb 2010 18:02:06 +0100 (MET)

> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master

Pulled, thanks Patrick.

