netfilter 00/03: netfilter -stable fixes

netfilter 00/03: netfilter -stable fixes

[Patrick McHardy]

The following three patches for -stable fix a number of netfilter
regressions:

- revision lookup for x_tables matches and targets registering with
  the new NFPROTO_UNSPEC is broken, causing failures when using
  features not offered by revision 0. New regression in 2.6.28.

- ebtables interprets return values from matches in the inverted
  sense. New regression in 2.6.28.

- the conntrack timeout sysctls for ICMP/ICMPv6 are broken on big
  endian due to a mismatch between the data type size and the size
  registered with the sysctls. Seems to be a regression from the
  switch from ip_conntrack to nf_conntrack.

Please apply, thanks.


 net/bridge/netfilter/ebtables.c                |    2 +-
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |    2 +-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    2 +-
 net/netfilter/x_tables.c                       |    8 ++++++++
 4 files changed, 11 insertions(+), 3 deletions(-)

Patrick McHardy (3):
      netfilter: x_tables: fix match/target revision lookup
      netfilter: ebtables: fix inversion in match code
      netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian

netfilter 01/03: x_tables: fix match/target revision lookup

[Patrick McHardy]

commit 2a95ec76ab10585ce54a64300b9bf9b76f10269d
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Jan 19 15:10:50 2009 +0100

    netfilter: x_tables: fix match/target revision lookup
    
    Upstream commit 656caff:
    
    Commit 55b69e91 (netfilter: implement NFPROTO_UNSPEC as a wildcard
    for extensions) broke revision probing for matches and targets that
    are registered with NFPROTO_UNSPEC.
    
    Fix by continuing the search on the NFPROTO_UNSPEC list if nothing
    is found on the af-specific lists.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 89837a4..bfbf521 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -273,6 +273,10 @@ static int match_revfn(u8 af, const char *name, u8 revision, int *bestp)
 				have_rev = 1;
 		}
 	}
+
+	if (af != NFPROTO_UNSPEC && !have_rev)
+		return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+
 	return have_rev;
 }
 
@@ -289,6 +293,10 @@ static int target_revfn(u8 af, const char *name, u8 revision, int *bestp)
 				have_rev = 1;
 		}
 	}
+
+	if (af != NFPROTO_UNSPEC && !have_rev)
+		return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+
 	return have_rev;
 }
 

netfilter 02/03: ebtables: fix inversion in match code

[Patrick McHardy]

commit c4010504f06c2a6570599d26173e3917b0398410
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Jan 19 15:11:44 2009 +0100

    netfilter: ebtables: fix inversion in match code
    
    Upstream commit d61ba9f:
    
    Commit 8cc784ee (netfilter: change return types of match functions
    for ebtables extensions) broke ebtables matches by inverting the
    sense of match/nomatch.
    
    Reported-by: Matt Cross <matthltc@us.ibm.com>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 0fa208e..05f198d 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -80,7 +80,7 @@ static inline int ebt_do_match (struct ebt_entry_match *m,
 {
 	par->match     = m->u.match;
 	par->matchinfo = m->data;
-	return m->u.match->match(skb, par);
+	return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
 }
 
 static inline int ebt_dev_check(char *entry, const struct net_device *device)

netfilter 03/03: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian

[Patrick McHardy]

commit bc387c0ade1aed3bc450bef23313215a06e0592c
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Jan 19 15:13:28 2009 +0100

    netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian
    
    Upstream commit 71320af:
    
    An old bug crept back into the ICMP/ICMPv6 conntrack protocols: the timeout
    values are defined as unsigned longs, the sysctl's maxsize is set to
    sizeof(unsigned int). Use unsigned int for the timeout values as in the
    other conntrack protocols.
    
    Reported-by: Jean-Mickael Guerin <jean-mickael.guerin@6wind.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 4e88792..625707a 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -20,7 +20,7 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_log.h>
 
-static unsigned long nf_ct_icmp_timeout __read_mostly = 30*HZ;
+static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ;
 
 static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 			      struct nf_conntrack_tuple *tuple)
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 0572617..7cd13e5 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -26,7 +26,7 @@
 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 #include <net/netfilter/nf_log.h>
 
-static unsigned long nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
+static unsigned int nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
 
 static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
 				unsigned int dataoff,

netfilter 00/03: netfilter -stable fixes

[Patrick McHardy]

The following three patches for -stable fix some netfilter issues:

- a regression in the iprange match, causing mismatches with inversion
- a memory leak in the SNMP NAT helper
- a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
  (and some minor runtime misbehaviour)

Please apply, thanks.


 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    2 ++
 net/ipv4/netfilter/nf_nat_snmp_basic.c         |    1 +
 net/netfilter/xt_iprange.c                     |    8 ++++----
 3 files changed, 7 insertions(+), 4 deletions(-)

Patrick McHardy (3):
      netfilter: xt_iprange: fix range inversion match
      netfilter: snmp nat leaks memory in case of failure
      netfilter: restore lost #ifdef guarding defrag exception

Re: netfilter 00/03: netfilter -stable fixes

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 455 bytes --]



On Wed, 22 Oct 2008, Patrick McHardy wrote:

> The following three patches for -stable fix some netfilter issues:
>
> - a regression in the iprange match, causing mismatches with inversion
> - a memory leak in the SNMP NAT helper
> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>  (and some minor runtime misbehaviour)

Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?

Best regards,

 			Krzysztof Olędzki

Re: netfilter 00/03: netfilter -stable fixes

[Patrick McHardy]

Krzysztof Oledzki wrote:
> On Wed, 22 Oct 2008, Patrick McHardy wrote:
> 
>> The following three patches for -stable fix some netfilter issues:
>>
>> - a regression in the iprange match, causing mismatches with inversion
>> - a memory leak in the SNMP NAT helper
>> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>>  (and some minor runtime misbehaviour)
> 
> Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?

I think all three patches are also needed for 2.6.25 and 2.6.26.

Re: netfilter 00/03: netfilter -stable fixes

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 728 bytes --]



On Fri, 24 Oct 2008, Patrick McHardy wrote:

> Krzysztof Oledzki wrote:
>> On Wed, 22 Oct 2008, Patrick McHardy wrote:
>> 
>>> The following three patches for -stable fix some netfilter issues:
>>> 
>>> - a regression in the iprange match, causing mismatches with inversion
>>> - a memory leak in the SNMP NAT helper
>>> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>>>  (and some minor runtime misbehaviour)
>> 
>> Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?
>
> I think all three patches are also needed for 2.6.25 and 2.6.26.

Thank you for the confirmation.

Greg, could you please put above patches info queue-2.6.25/queue-2.6.26?

Best regards,

 			Krzysztof Olędzki

Re: netfilter 00/03: netfilter -stable fixes

[Greg KH]

On Tue, Oct 28, 2008 at 03:13:32AM +0100, Krzysztof Oledzki wrote:
>
>
> On Fri, 24 Oct 2008, Patrick McHardy wrote:
>
>> Krzysztof Oledzki wrote:
>>> On Wed, 22 Oct 2008, Patrick McHardy wrote:
>>>> The following three patches for -stable fix some netfilter issues:
>>>> - a regression in the iprange match, causing mismatches with inversion
>>>> - a memory leak in the SNMP NAT helper
>>>> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>>>>  (and some minor runtime misbehaviour)
>>> Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?
>>
>> I think all three patches are also needed for 2.6.25 and 2.6.26.
>
> Thank you for the confirmation.
>
> Greg, could you please put above patches info queue-2.6.25/queue-2.6.26?

Will do, thanks.

greg k-h

netfilter 00/03: netfilter -stable fixes

[Patrick McHardy]

These three patches fix some bugs in netfilter:

- a crash when setting up a conntrack with NAT mappings through ctnetlink
  fails after the NAT mappings are set up. Regression present since a
  couple of versions.

- a module unload crash in the H.323 conntrack helper

- a memory leak in the module init function, which is not very important
  itself, but it made easier to use the upstream patch for the module
  unload crash

Please apply, thanks.


 net/netfilter/nf_conntrack_core.c      |    3 +--
 net/netfilter/nf_conntrack_h323_main.c |   22 +++++++++++++++-------
 2 files changed, 16 insertions(+), 9 deletions(-)

Patrick McHardy (3):
      netfilter: nf_conntrack: fix ctnetlink related crash in nf_nat_setup_info()
      netfilter: nf_conntrack_h323: fix memory leak in module initialization error path
      netfilter: nf_conntrack_h323: fix module unload crash