* netfilter 00/07: netfilter fixes
@ 2008-10-20  9:54 Patrick McHardy
  2008-10-20  9:54 ` netfilter 01/07: ctnetlink: remove obsolete NAT dependency from Kconfig Patrick McHardy
                   ` (7 more replies)
  0 siblings, 8 replies; 11+ messages in thread
From: Patrick McHardy @ 2008-10-20  9:54 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

following are some netfilter fixes for 2.6.28:

- the fix for the ctnetlink compilation error reported by Benjamin and Ingo

- removal of an obsolete ctnetlink dependency on NAT

- two fixes for the netfilter protocol value decoupling: use of NFPROTO
  constants in struct netns_xt and use of NFPROTO constants for ARP hooks

- a fix for iprange inverted matching

- a fix for a memory leak in SNMP NAT

- a fix for an oops in recent_seq_start()

The iprange and SNMP NAT patches are also queued for -stable.

Please apply, thanks.


 include/net/netns/x_tables.h           |    4 ++--
 net/bridge/br_netfilter.c              |    2 +-
 net/ipv4/arp.c                         |    4 ++--
 net/ipv4/netfilter/nf_nat_snmp_basic.c |    1 +
 net/netfilter/Kconfig                  |    1 -
 net/netfilter/nf_conntrack_netlink.c   |    2 ++
 net/netfilter/xt_NFQUEUE.c             |    2 +-
 net/netfilter/xt_iprange.c             |    8 ++++----
 net/netfilter/xt_recent.c              |   10 ++++------
 9 files changed, 17 insertions(+), 17 deletions(-)

Alexey Dobriyan (2):
      netfilter: xt_iprange: fix range inversion match
      netfilter: xt_recent: use proc_create_data()

Jan Engelhardt (1):
      netfilter: replace old NF_ARP calls with NFPROTO_ARP

Pablo Neira Ayuso (1):
      netfilter: fix compilation error with NAT=n

Patrick McHardy (2):
      netfilter: ctnetlink: remove obsolete NAT dependency from Kconfig
      netfilter: netns: use NFPROTO_NUMPROTO instead of NUMPROTO for tables array

Ilpo Jarvinen (1):
      netfilter: snmp nat leaks memory in case of failure


* netfilter 01/07: ctnetlink: remove obsolete NAT dependency from Kconfig
  2008-10-20  9:54 netfilter 00/07: netfilter fixes Patrick McHardy
@ 2008-10-20  9:54 ` Patrick McHardy
  2008-10-20  9:54 ` netfilter 02/07: netns: use NFPROTO_NUMPROTO instead of NUMPROTO for tables array Patrick McHardy
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Patrick McHardy @ 2008-10-20  9:54 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 2bb419e1548ba64e2eee5c7d8c900ad4b8dcf965
Author: Patrick McHardy <kaber@trash.net>
Date:   Sat Oct 18 15:20:56 2008 +0200

    netfilter: ctnetlink: remove obsolete NAT dependency from Kconfig
    
    Now that ctnetlink doesn't have any NAT module dependencies anymore,
    we can also remove them from Kconfig.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 78892cf..25dcef9 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -271,7 +271,6 @@ config NF_CONNTRACK_TFTP
 config NF_CT_NETLINK
 	tristate 'Connection tracking netlink interface'
 	select NETFILTER_NETLINK
-	depends on NF_NAT=n || NF_NAT
 	default m if NETFILTER_ADVANCED=n
 	help
 	  This option enables support for a netlink-based userspace interface
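
Review bot: the removed `depends on NF_NAT=n || NF_NAT` line in `config NF_CT_NETLINK` is what prevented NF_CT_NETLINK=y together with NF_NAT=m, so after this change any direct reference from ctnetlink to a NAT symbol becomes a link failure in that configuration. The commit message says the module dependencies are gone; please name the commit that removed them so the claim can be checked against the tree this is applied to.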


* netfilter 02/07: netns: use NFPROTO_NUMPROTO instead of NUMPROTO for tables array
  2008-10-20  9:54 netfilter 00/07: netfilter fixes Patrick McHardy
  2008-10-20  9:54 ` netfilter 01/07: ctnetlink: remove obsolete NAT dependency from Kconfig Patrick McHardy
@ 2008-10-20  9:54 ` Patrick McHardy
  2008-10-20  9:54 ` netfilter 03/07: xt_iprange: fix range inversion match Patrick McHardy
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Patrick McHardy @ 2008-10-20  9:54 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 40ebc9cf6a56fef77d064b901e896207d7110db3
Author: Patrick McHardy <kaber@trash.net>
Date:   Sat Oct 18 15:20:56 2008 +0200

    netfilter: netns: use NFPROTO_NUMPROTO instead of NUMPROTO for tables array
    
    The netfilter families have been decoupled from regular protocol families.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index 0cb63ed..b809397 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -2,9 +2,9 @@
 #define __NETNS_X_TABLES_H
 
 #include <linux/list.h>
-#include <linux/net.h>
+#include <linux/netfilter.h>
 
 struct netns_xt {
-	struct list_head tables[NPROTO];
+	struct list_head tables[NFPROTO_NUMPROTO];
 };
 #endif
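
Review bot: the commit subject says NUMPROTO, but the identifier removed from `struct netns_xt` is `NPROTO`; please fix the subject so it can be grepped. Since `tables[]` changes size here, every loop or index into it that is still bounded by `NPROTO` or keyed by an AF_ value needs converting in the same patch; if `NFPROTO_NUMPROTO` is smaller than `NPROTO`, such code runs past the end of the array.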


* netfilter 03/07: xt_iprange: fix range inversion match
  2008-10-20  9:54 netfilter 00/07: netfilter fixes Patrick McHardy
  2008-10-20  9:54 ` netfilter 01/07: ctnetlink: remove obsolete NAT dependency from Kconfig Patrick McHardy
  2008-10-20  9:54 ` netfilter 02/07: netns: use NFPROTO_NUMPROTO instead of NUMPROTO for tables array Patrick McHardy
@ 2008-10-20  9:54 ` Patrick McHardy
  2008-10-20  9:54 ` netfilter 04/07: snmp nat leaks memory in case of failure Patrick McHardy
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Patrick McHardy @ 2008-10-20  9:54 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 22e6543a9c21a1674ab5c1feddd141305a665dbd
Author: Alexey Dobriyan <adobriyan@gmail.com>
Date:   Sat Oct 18 15:20:56 2008 +0200

    netfilter: xt_iprange: fix range inversion match
    
    Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1!
    
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Acked-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index 6f62c36..7ac54ea 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -61,7 +61,7 @@ iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
 	if (info->flags & IPRANGE_SRC) {
 		m  = ntohl(iph->saddr) < ntohl(info->src_min.ip);
 		m |= ntohl(iph->saddr) > ntohl(info->src_max.ip);
-		m ^= info->flags & IPRANGE_SRC_INV;
+		m ^= !!(info->flags & IPRANGE_SRC_INV);
 		if (m) {
 			pr_debug("src IP " NIPQUAD_FMT " NOT in range %s"
 			         NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
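
Review bot: the commit message gives the symptom but not the cause of the `m ^=` change in `iprange_mt4()`: `info->flags & IPRANGE_SRC_INV` evaluates to the flag's bit value rather than a normalized 0 or 1, and that is what `!!` corrects. One sentence saying so would help -stable reviewers, since an inverted rule that never matches silently stops filtering the traffic it was written for.
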
@@ -75,7 +75,7 @@ iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
 	if (info->flags & IPRANGE_DST) {
 		m  = ntohl(iph->daddr) < ntohl(info->dst_min.ip);
 		m |= ntohl(iph->daddr) > ntohl(info->dst_max.ip);
-		m ^= info->flags & IPRANGE_DST_INV;
+		m ^= !!(info->flags & IPRANGE_DST_INV);
 		if (m) {
 			pr_debug("dst IP " NIPQUAD_FMT " NOT in range %s"
 			         NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
@@ -114,14 +114,14 @@ iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 	if (info->flags & IPRANGE_SRC) {
 		m  = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
 		m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
-		m ^= info->flags & IPRANGE_SRC_INV;
+		m ^= !!(info->flags & IPRANGE_SRC_INV);
 		if (m)
 			return false;
 	}
 	if (info->flags & IPRANGE_DST) {
 		m  = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
 		m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
-		m ^= info->flags & IPRANGE_DST_INV;
+		m ^= !!(info->flags & IPRANGE_DST_INV);
 		if (m)
 			return false;
 	}
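
Review bot: in `iprange_mt6()` the same `!!(info->flags & ...)` normalization is now written out by hand, four times across the file, and the bug was exactly this operand being easy to get wrong. Consider a local such as `bool inv = info->flags & IPRANGE_SRC_INV;` or a small helper, so the XOR operand is 0 or 1 by type and a wrong `m` cannot again turn `if (m) return false;` into an unconditional non-match.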


* netfilter 04/07: snmp nat leaks memory in case of failure
  2008-10-20  9:54 netfilter 00/07: netfilter fixes Patrick McHardy
                   ` (2 preceding siblings ...)
  2008-10-20  9:54 ` netfilter 03/07: xt_iprange: fix range inversion match Patrick McHardy
@ 2008-10-20  9:54 ` Patrick McHardy
  2008-10-20  9:54 ` netfilter 05/07: xt_recent: use proc_create_data() Patrick McHardy
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Patrick McHardy @ 2008-10-20  9:54 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit f935265f6041e490715ec31c7f918b8c348b5b95
Author: Ilpo Jarvinen <ilpo.jarvinen@helsinki.fi>
Date:   Sat Oct 18 15:20:56 2008 +0200

    netfilter: snmp nat leaks memory in case of failure
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index ffeaffc..8303e4b 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -742,6 +742,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
 			*obj = kmalloc(sizeof(struct snmp_object) + len,
 				       GFP_ATOMIC);
 			if (*obj == NULL) {
+				kfree(p);
 				kfree(id);
 				if (net_ratelimit())
 					printk("OOM in bsalg (%d)\n", __LINE__);
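
Review bot: `p` is freed in the `*obj == NULL` branch but is neither declared nor assigned anywhere in this hunk, and the commit message has no body. Please say which allocation `p` holds at this point and confirm that the other failure exits of `snmp_object_decode()` release it too, since a leak on a failure path like this accumulates each time it is hit.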


* netfilter 05/07: xt_recent: use proc_create_data()
  2008-10-20  9:54 netfilter 00/07: netfilter fixes Patrick McHardy
                   ` (3 preceding siblings ...)
  2008-10-20  9:54 ` netfilter 04/07: snmp nat leaks memory in case of failure Patrick McHardy
@ 2008-10-20  9:54 ` Patrick McHardy
  2008-10-20  9:54 ` netfilter 06/07: fix compilation error with NAT=n Patrick McHardy
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 11+ messages in thread
From: Patrick McHardy @ 2008-10-20  9:54 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 2b86e1165f44022907ab31293a22286b6d783254
Author: Alexey Dobriyan <adobriyan@gmail.com>
Date:   Sat Oct 18 15:20:57 2008 +0200

    netfilter: xt_recent: use proc_create_data()
    
    Fixes a crash in recent_seq_start:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000100
    IP: [<ffffffffa002119c>] recent_seq_start+0x4c/0x90 [xt_recent]
    PGD 17d33c067 PUD 107afe067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    CPU 0
    Modules linked in: ipt_LOG xt_recent af_packet iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 xt_tcpudp iptable_filter ip_tables x_tables ext2 nls_utf8 fuse sr_mod cdrom [last unloaded: ntfs]
    Pid: 32373, comm: cat Not tainted 2.6.27-04ab591808565f968d4406f6435090ad671ebdab #6
    RIP: 0010:[<ffffffffa002119c>]  [<ffffffffa002119c>] recent_seq_start+0x4c/0x90 [xt_recent]
    RSP: 0018:ffff88015fed7e28  EFLAGS: 00010246
    ...
    
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 4ebd4ca..280c471 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -318,15 +318,15 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
 	for (i = 0; i < ip_list_hash_size; i++)
 		INIT_LIST_HEAD(&t->iphash[i]);
 #ifdef CONFIG_PROC_FS
-	t->proc = proc_create(t->name, ip_list_perms, recent_proc_dir,
-		  &recent_mt_fops);
+	t->proc = proc_create_data(t->name, ip_list_perms, recent_proc_dir,
+		  &recent_mt_fops, t);
 	if (t->proc == NULL) {
 		kfree(t);
 		goto out;
 	}
 #ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-	t->proc_old = proc_create(t->name, ip_list_perms, proc_old_dir,
-		      &recent_old_fops);
+	t->proc_old = proc_create_data(t->name, ip_list_perms, proc_old_dir,
+		      &recent_old_fops, t);
 	if (t->proc_old == NULL) {
 		remove_proc_entry(t->name, proc_old_dir);
 		kfree(t);
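
Review bot: in the `t->proc_old == NULL` branch the cleanup calls `remove_proc_entry(t->name, proc_old_dir)`, but the entry that was created successfully just above lives in `recent_proc_dir`; the one in `proc_old_dir` is the creation that failed. As written this appears to leave a `recent_proc_dir` entry whose data pointer refers to the `t` freed on the next line, so the cleanup should remove from `recent_proc_dir`. The problem predates this patch but sits in the lines being touched.
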
@@ -334,11 +334,9 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
 	}
 	t->proc_old->uid   = ip_list_uid;
 	t->proc_old->gid   = ip_list_gid;
-	t->proc_old->data  = t;
 #endif
 	t->proc->uid       = ip_list_uid;
 	t->proc->gid       = ip_list_gid;
-	t->proc->data      = t;
 #endif
 	spin_lock_bh(&recent_lock);
 	list_add_tail(&t->list, &tables);
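
Review bot: `t->proc->uid`/`gid` and `t->proc_old->uid`/`gid` are still assigned after the entries have been created, so the ordering problem this patch removes for `->data` remains for ownership: the file is briefly visible with its default owner. Please state in the commit message that the oops came from a reader opening the entry before `->data` was set, and whether the remaining ownership window matters given that `ip_list_perms` is applied at creation.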


* netfilter 06/07: fix compilation error with NAT=n
  2008-10-20  9:54 netfilter 00/07: netfilter fixes Patrick McHardy
                   ` (4 preceding siblings ...)
  2008-10-20  9:54 ` netfilter 05/07: xt_recent: use proc_create_data() Patrick McHardy
@ 2008-10-20  9:54 ` Patrick McHardy
  2008-10-20  9:54 ` netfilter 07/07: replace old NF_ARP calls with NFPROTO_ARP Patrick McHardy
  2008-10-20 10:35 ` netfilter 00/07: netfilter fixes David Miller
  7 siblings, 0 replies; 11+ messages in thread
From: Patrick McHardy @ 2008-10-20  9:54 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 4cad11733aa8e182d7cfe39f9983940f2a7d0dc3
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Oct 20 11:47:30 2008 +0200

    netfilter: fix compilation error with NAT=n
    
    This patch fixes the compilation of ctnetlink when the NAT support
    is not enabled.
    
    /home/benh/kernels/linux-powerpc/net/netfilter/nf_conntrack_netlink.c:819: warning: ‘enum nf_nat_manip_type’ declared inside parameter list
    /home/benh/kernels/linux-powerpc/net/netfilter/nf_conntrack_netlink.c:819: warning: its scope is only this definition or declaration, which is probably not what you want
    
    Reported-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Reported by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 2e4ad96..a040d46 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -813,6 +813,7 @@ out:
 	return err;
 }
 
+#ifdef CONFIG_NF_NAT_NEEDED
 static int
 ctnetlink_parse_nat_setup(struct nf_conn *ct,
 			  enum nf_nat_manip_type manip,
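
Review bot: wrapping `ctnetlink_parse_nat_setup()` in `#ifdef CONFIG_NF_NAT_NEEDED` is only safe if every caller is compiled out under the same condition, and no caller is visible in this patch. Please confirm the call sites are already guarded, or provide a stub for the NAT=n case that returns an error, so a NAT setup request from userspace is rejected explicitly rather than ignored.
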
@@ -840,6 +841,7 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct,
 
 	return parse_nat_setup(ct, manip, attr);
 }
+#endif
 
 static int
 ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
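
Review bot: the added `#endif` sits well below its `#ifdef` (line 816 versus 844 in the new file); annotate it as `#endif /* CONFIG_NF_NAT_NEEDED */`. The second reporter tag in the commit message reads `Reported by:` without the hyphen and will be missed by tools that parse trailers.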


* netfilter 07/07: replace old NF_ARP calls with NFPROTO_ARP
  2008-10-20  9:54 netfilter 00/07: netfilter fixes Patrick McHardy
                   ` (5 preceding siblings ...)
  2008-10-20  9:54 ` netfilter 06/07: fix compilation error with NAT=n Patrick McHardy
@ 2008-10-20  9:54 ` Patrick McHardy
  2008-10-20 10:35 ` netfilter 00/07: netfilter fixes David Miller
  7 siblings, 0 replies; 11+ messages in thread
From: Patrick McHardy @ 2008-10-20  9:54 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 01ff237de9f0144bcc024721c3b9a0eac724b0fb
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Mon Oct 20 11:47:30 2008 +0200

    netfilter: replace old NF_ARP calls with NFPROTO_ARP
    
    (Supplements: ee999d8b9573df1b547aacdc6d79f86eb79c25cd)
    
    NFPROTO_ARP actually has a different value from NF_ARP, so ensure all
    callers use the new value so that packets _do_ get delivered to the
    registered hooks.
    
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index a4abed5..fa5cda4 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -719,7 +719,7 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
 		return NF_ACCEPT;
 	}
 	*d = (struct net_device *)in;
-	NF_HOOK(NF_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
+	NF_HOOK(NFPROTO_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
 		(struct net_device *)out, br_nf_forward_finish);
 
 	return NF_STOLEN;
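
Review bot: the commit message says `NFPROTO_ARP` and `NF_ARP` have different values, so any remaining `NF_ARP` user fails silently at run time, as this `NF_HOOK()` call in `br_nf_forward_arp()` did. Removing the `NF_ARP` definition in this patch or a follow-up would turn a missed call site into a build error instead of ARP packets bypassing the registered hooks.
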
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index b043eda..1a9dd66 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -663,7 +663,7 @@ out:
 void arp_xmit(struct sk_buff *skb)
 {
 	/* Send it off, maybe filter it using firewalling first.  */
-	NF_HOOK(NF_ARP, NF_ARP_OUT, skb, NULL, skb->dev, dev_queue_xmit);
+	NF_HOOK(NFPROTO_ARP, NF_ARP_OUT, skb, NULL, skb->dev, dev_queue_xmit);
 }
 
 /*
@@ -928,7 +928,7 @@ static int arp_rcv(struct sk_buff *skb, struct net_device *dev,
 
 	memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
 
-	return NF_HOOK(NF_ARP, NF_ARP_IN, skb, dev, NULL, arp_process);
+	return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process);
 
 freeskb:
 	kfree_skb(skb);
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 2cc1fff..f9977b3 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -48,7 +48,7 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = {
 	},
 	{
 		.name		= "NFQUEUE",
-		.family		= NF_ARP,
+		.family		= NFPROTO_ARP,
 		.target		= nfqueue_tg,
 		.targetsize	= sizeof(struct xt_NFQ_info),
 		.me		= THIS_MODULE,
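
Review bot: `.family = NFPROTO_ARP` fixes the registration side for NFQUEUE only; any other match or target that still registers with `.family = NF_ARP` needs the same conversion, and the commit message does not say the tree was searched for them. The `Supplements:` line would also be easier to follow if it carried the subject of the referenced commit next to the hash.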


* Re: netfilter 00/07: netfilter fixes
  2008-10-20  9:54 netfilter 00/07: netfilter fixes Patrick McHardy
                   ` (6 preceding siblings ...)
  2008-10-20  9:54 ` netfilter 07/07: replace old NF_ARP calls with NFPROTO_ARP Patrick McHardy
@ 2008-10-20 10:35 ` David Miller
  7 siblings, 0 replies; 11+ messages in thread
From: David Miller @ 2008-10-20 10:35 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 20 Oct 2008 11:54:08 +0200 (MEST)

> following are some netfilter fixes for 2.6.28:

All applied, thanks.


* netfilter 00/07: netfilter fixes
@ 2009-06-22 12:53 Patrick McHardy
  2009-06-22 22:56 ` David Miller
  0 siblings, 1 reply; 11+ messages in thread
From: Patrick McHardy @ 2009-06-22 12:53 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches fix a number of netfilter bugs:

- a conntrack race condition in death_by_timeout() when moving dying entries
  to the dying list. Fix from Eric Dumazet.

- a conntrack confirmation race condition that might lead to new conntrack
  entries becoming visible before they are fully set up.

- a conntrack lookup race condition that might lead to deleted conntrack
  entries being returned

- some sparse endianness fixes

- a fix for the nf_log proc handler, which is accessing userspace memory directly

- an incomplete initialization in the quota match, fix from Jan Engelhardt

- an incorrect comparison in the rateest match

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master

Thanks!


 net/netfilter/nf_conntrack_core.c |   25 ++++++++++++++++++++-----
 net/netfilter/nf_log.c            |   16 +++++++++++-----
 net/netfilter/xt_NFQUEUE.c        |    8 ++++----
 net/netfilter/xt_cluster.c        |    8 ++++----
 net/netfilter/xt_quota.c          |    1 +
 net/netfilter/xt_rateest.c        |    2 +-
 6 files changed, 41 insertions(+), 19 deletions(-)

Eric Dumazet (1):
      netfilter: nf_conntrack: death_by_timeout() fix

Jan Engelhardt (1):
      netfilter: xt_quota: fix incomplete initialization

Patrick McHardy (5):
      netfilter: nf_conntrack: fix confirmation race condition
      netfilter: nf_conntrack: fix conntrack lookup race
      netfilter: fix some sparse endianess warnings
      netfilter: nf_log: fix direct userspace memory access in proc handler
      netfilter: xt_rateest: fix comparison with self


* Re: netfilter 00/07: netfilter fixes
  2009-06-22 12:53 Patrick McHardy
@ 2009-06-22 22:56 ` David Miller
  0 siblings, 0 replies; 11+ messages in thread
From: David Miller @ 2009-06-22 22:56 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 22 Jun 2009 14:53:49 +0200 (MEST)

> the following patches fix a number of netfilter bugs:
 ...
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master

Looks great, pulled, thanks a lot!

