* netfilter 00/04: netfilter fixes
@ 2009-03-16 16:08 Patrick McHardy
  2009-03-16 16:08 ` netfilter 01/04: conntrack: don't deliver events for racy packets Patrick McHardy
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Patrick McHardy @ 2009-03-16 16:08 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches for 2.6.29 fix a few netfilter bugs:

- avoid event delivery for conntracks dropped because of clashes (from Pablo)

- fix for a ctnetlink crash during expectation creation caused by a missing
  initialization. Also from Pablo.

- a fix for correctly handling NF_DROP return values from the conntrack
  ->packet() callbacks. From Christoph Paasch.

- reordering of the header checks in IPv6 conntrack reassembly to avoid an
  incorrect log message with NEXTHDR_NONE. Also from Christoph.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/net/netfilter/nf_conntrack_core.h |    3 ++-
 net/ipv6/netfilter/nf_conntrack_reasm.c   |    8 ++++----
 net/netfilter/nf_conntrack_core.c         |    2 +-
 net/netfilter/nf_conntrack_netlink.c      |    1 +
 net/netfilter/nf_conntrack_proto_tcp.c    |    4 ++--
 5 files changed, 10 insertions(+), 8 deletions(-)

Christoph Paasch (2):
      netfilter: conntrack: fix dropping packet after l4proto->packet()
      netfilter: conntrack: check for NEXTHDR_NONE before header sanity checking

Pablo Neira Ayuso (2):
      netfilter: conntrack: don't deliver events for racy packets
      netfilter: ctnetlink: fix crash during expectation creation


* netfilter 01/04: conntrack: don't deliver events for racy packets
  2009-03-16 16:08 netfilter 00/04: netfilter fixes Patrick McHardy
@ 2009-03-16 16:08 ` Patrick McHardy
  2009-03-16 16:08 ` netfilter 02/04: ctnetlink: fix crash during expectation creation Patrick McHardy
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Patrick McHardy @ 2009-03-16 16:08 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit b1e93a68ca41e7e73766f95ba32ca05cf9052e15
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Mar 16 15:06:42 2009 +0100

    netfilter: conntrack: don't deliver events for racy packets
    
    This patch skips the delivery of conntrack events if the packet
    was dropped due to a race condition in the conntrack insertion.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index c25068e..5a449b4 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -62,7 +62,8 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
 	if (ct && ct != &nf_conntrack_untracked) {
 		if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
 			ret = __nf_conntrack_confirm(skb);
-		nf_ct_deliver_cached_events(ct);
+		if (likely(ret == NF_ACCEPT))
+			nf_ct_deliver_cached_events(ct);
 	}
 	return ret;
 }
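Review bot: the new guard `if (likely(ret == NF_ACCEPT))` depends on `ret` already holding NF_ACCEPT for the cases where `__nf_conntrack_confirm()` is not called (conntrack already confirmed, or dying); that initialisation is outside the hunk, so either a one-line comment here or initialising `ret` directly above the `if (ct && ...)` would make the dependency visible to the next reader. Also, when the confirm fails the events cached for this conntrack are neither delivered nor discarded here, so they stay pending in the per-CPU cache until the next delivery point; worth confirming that that path also refuses to deliver for an unconfirmed or dying conntrack, or clearing the cached events explicitly alongside the skipped delivery.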


* netfilter 02/04: ctnetlink: fix crash during expectation creation
  2009-03-16 16:08 netfilter 00/04: netfilter fixes Patrick McHardy
  2009-03-16 16:08 ` netfilter 01/04: conntrack: don't deliver events for racy packets Patrick McHardy
@ 2009-03-16 16:08 ` Patrick McHardy
  2009-03-16 16:08 ` netfilter 03/04: conntrack: fix dropping packet after l4proto->packet() Patrick McHardy
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Patrick McHardy @ 2009-03-16 16:08 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 626ba8fbac9156a94a80be46ffd2f2ce9e4e89a0
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Mar 16 15:50:51 2009 +0100

    netfilter: ctnetlink: fix crash during expectation creation
    
    This patch fixes a possible crash due to the missing initialization
    of the expectation class when nf_ct_expect_related() is called.
    
    Reported-by: BORBELY Zoltan <bozo@andrews.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index cb78aa0..ed6d873 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1780,6 +1780,7 @@ ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3, u32 pid, int report)
 		goto out;
 	}
 
+	exp->class = 0;
 	exp->expectfn = NULL;
 	exp->flags = 0;
 	exp->master = ct;
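Review bot: `exp->class = 0;` fixes this instance but not the pattern: this path fills the expectation in field by field after allocation, so every new member of struct nf_conntrack_expect must be remembered here separately from the in-kernel helper path, and a missed one shows up as a crash rather than a compile error. Zero-filling in the allocator, or sharing one init helper with the helper-driven creation path, would close the whole class of bug. While here, the bare 0 is a magic number; a named constant for the default expectation class would document what a class of 0 means to the policy lookup in nf_ct_expect_related().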


* netfilter 03/04: conntrack: fix dropping packet after l4proto->packet()
  2009-03-16 16:08 netfilter 00/04: netfilter fixes Patrick McHardy
  2009-03-16 16:08 ` netfilter 01/04: conntrack: don't deliver events for racy packets Patrick McHardy
  2009-03-16 16:08 ` netfilter 02/04: ctnetlink: fix crash during expectation creation Patrick McHardy
@ 2009-03-16 16:08 ` Patrick McHardy
  2009-03-16 16:08 ` netfilter 04/04: conntrack: check for NEXTHDR_NONE before header sanity checking Patrick McHardy
  2009-03-17 20:13 ` netfilter 00/04: netfilter fixes David Miller
  4 siblings, 0 replies; 6+ messages in thread
From: Patrick McHardy @ 2009-03-16 16:08 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit ec8d540969da9a70790e9028d57b5b577dd7aa77
Author: Christoph Paasch <christoph.paasch@gmail.com>
Date:   Mon Mar 16 15:51:29 2009 +0100

    netfilter: conntrack: fix dropping packet after l4proto->packet()
    
    We currently use the negative value in the conntrack code to encode
    the packet verdict in the error. As NF_DROP is equal to 0, inverting
    NF_DROP makes no sense and, as a result, no packets are ever dropped.
    
    Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 90ce9dd..f4935e3 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -726,7 +726,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
 	NF_CT_ASSERT(skb->nfct);
 
 	ret = l4proto->packet(ct, skb, dataoff, ctinfo, pf, hooknum);
-	if (ret < 0) {
+	if (ret <= 0) {
 		/* Invalid: inverse of the return code tells
 		 * the netfilter core what to do */
 		pr_debug("nf_conntrack_in: Can't track with proto module\n");
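Review bot: the comment right under the changed line, "inverse of the return code tells the netfilter core what to do", is now only half true: for ret == 0 the inversion is a no-op and NF_DROP is being passed through un-negated because 0 cannot be sign-encoded. Update the comment to say so, and state in the commit message that other l4proto ->packet() callbacks still returning `-NF_DROP` keep working since -0 == 0, so this `ret <= 0` change is the actual fix and the tcp_packet() edits are cosmetic. One side effect worth a look: the "Can't track with proto module" pr_debug now also fires for deliberate drops such as the out-of-sync kill, where the flow is tracked fine and the packet is dropped on purpose.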
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index a1edb9c..f3fd154 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -859,7 +859,7 @@ static int tcp_packet(struct nf_conn *ct,
 			 */
 			if (nf_ct_kill(ct))
 				return -NF_REPEAT;
-			return -NF_DROP;
+			return NF_DROP;
 		}
 		/* Fall through */
 	case TCP_CONNTRACK_IGNORE:
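Review bot: after this change the same block returns `-NF_REPEAT` on one line and `NF_DROP` on the next, which reads as an inconsistency to anyone who does not know that NF_DROP is 0 and so cannot carry the sign-based encoding; a short comment at `return NF_DROP;` saying exactly that would stop the next reader from "fixing" it back to `-NF_DROP`. Since `-NF_DROP` and `NF_DROP` are both 0, this hunk does not change behaviour on its own; the caller's `ret <= 0` test in nf_conntrack_core.c is what makes the drop take effect.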
@@ -892,7 +892,7 @@ static int tcp_packet(struct nf_conn *ct,
 				nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
 					  "nf_ct_tcp: killing out of sync session ");
 			nf_ct_kill(ct);
-			return -NF_DROP;
+			return NF_DROP;
 		}
 		ct->proto.tcp.last_index = index;
 		ct->proto.tcp.last_dir = dir;
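Review bot: this is a user-visible behaviour change, not a cleanup: per the commit message these packets were never dropped before, so after the series a packet that makes tcp_packet() kill an out-of-sync session is dropped where it used to be let through, and the "nf_ct_tcp: killing out of sync session" log line now coincides with an actual drop. That deserves a sentence in the commit message (and in any stable backport note) so that anyone chasing connection resets after the update can find it.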

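Patch 03/04's commit message says the negative-return encoding cannot carry NF_DROP because NF_DROP is 0. The following is an added example, written for this page and not code from the patch or from the kernel: it models the old and new callback conventions and the old and new core checks side by side and round-trips every verdict value through each pairing. The NF_* values are the real Linux verdict numbers; the function names (packet_cb_old, packet_cb_fixed, core_old, core_fixed, lost_verdicts) and the "packet passes" behaviour of the old check are assumptions that follow the commit message's description, not the kernel's actual control flow.

```c
/* Added example, not code from the patch or from the kernel: a stand-alone
 * model of the "negative return value carries the verdict" convention that
 * nf_conntrack_in() applies to l4proto->packet() results, showing why that
 * convention cannot express NF_DROP and what the ret < 0 vs ret <= 0 check
 * changes.  The NF_* numbers are the real Linux verdict values; the callback
 * and dispatch functions are constructed to follow the commit message, not
 * copied from the kernel. */
#include <stdio.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE  3
#define NF_REPEAT 4
#define NF_STOP   5

/* Pre-patch callback convention: NF_ACCEPT means "tracked, carry on", any
 * other verdict is returned negated.  -NF_DROP is 0, so that one verdict is
 * indistinguishable from "nothing special". */
static int packet_cb_old(int verdict)
{
    return verdict == NF_ACCEPT ? NF_ACCEPT : -verdict;
}

/* Post-patch callback: NF_DROP is returned as-is.  Numerically identical to
 * the old encoding (0 either way); the real change is in the caller. */
static int packet_cb_fixed(int verdict)
{
    if (verdict == NF_ACCEPT || verdict == NF_DROP)
        return verdict;
    return -verdict;
}

/* Pre-patch core check: only a strictly negative value is decoded as a
 * verdict; 0 falls through and the packet continues as if accepted. */
static int core_old(int ret)
{
    if (ret < 0)
        return -ret;
    return NF_ACCEPT;
}

/* Post-patch core check: ret <= 0 also decodes the 0 that NF_DROP becomes. */
static int core_fixed(int ret)
{
    if (ret <= 0)
        return -ret;
    return NF_ACCEPT;
}

/* Round-trip every verdict through a callback/core pair and count the ones
 * that do not come back unchanged.  Only NF_DROP can be lost, and only while
 * the core still uses the strict ret < 0 test. */
static int lost_verdicts(int (*cb)(int), int (*core)(int))
{
    int lost = 0;
    for (int v = NF_DROP; v <= NF_STOP; v++)
        if (core(cb(v)) != v)
            lost++;
    return lost;
}

int main(void)
{
    printf("NF_DROP via old cb + old core -> %d (NF_ACCEPT=%d: packet passes)\n",
           core_old(packet_cb_old(NF_DROP)), NF_ACCEPT);
    printf("NF_DROP via old cb + new core -> %d (NF_DROP=%d)\n",
           core_fixed(packet_cb_old(NF_DROP)), NF_DROP);
    printf("lost verdicts: old/old=%d old/new=%d new/old=%d new/new=%d\n",
           lost_verdicts(packet_cb_old, core_old), lost_verdicts(packet_cb_old, core_fixed),
           lost_verdicts(packet_cb_fixed, core_old), lost_verdicts(packet_cb_fixed, core_fixed));
    return 0;
}
```

Build with any C99-or-later compiler and run. The lost_verdicts sweep is the useful part: changing only the callback (new callback, old core) still loses NF_DROP, while changing only the core fixes it, which is why the nf_conntrack_core.c hunk is the one that carries the fix.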

* netfilter 04/04: conntrack: check for NEXTHDR_NONE before header sanity checking
  2009-03-16 16:08 netfilter 00/04: netfilter fixes Patrick McHardy
                   ` (2 preceding siblings ...)
  2009-03-16 16:08 ` netfilter 03/04: conntrack: fix dropping packet after l4proto->packet() Patrick McHardy
@ 2009-03-16 16:08 ` Patrick McHardy
  2009-03-17 20:13 ` netfilter 00/04: netfilter fixes David Miller
  4 siblings, 0 replies; 6+ messages in thread
From: Patrick McHardy @ 2009-03-16 16:08 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit d1238d5337e8e53cddea77c2a26d26b6eb5a982f
Author: Christoph Paasch <christoph.paasch@gmail.com>
Date:   Mon Mar 16 15:52:11 2009 +0100

    netfilter: conntrack: check for NEXTHDR_NONE before header sanity checking
    
    NEXTHDR_NONE doesn't have an IPv6 option header, so the first check
    for the length will always fail and results in a confusing message
    "too short" if debugging enabled. With this patch, we check for
    NEXTHDR_NONE before length sanity checks are done.
    
    Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index ed4d79a..058a5e4 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -528,14 +528,14 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
 		if (!ipv6_ext_hdr(nexthdr)) {
 			return -1;
 		}
-		if (len < (int)sizeof(struct ipv6_opt_hdr)) {
-			pr_debug("too short\n");
-			return -1;
-		}
 		if (nexthdr == NEXTHDR_NONE) {
 			pr_debug("next header is none\n");
 			return -1;
 		}
+		if (len < (int)sizeof(struct ipv6_opt_hdr)) {
+			pr_debug("too short\n");
+			return -1;
+		}
 		if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
 			BUG();
 		if (nexthdr == NEXTHDR_AUTH)
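Review bot: the reorder is right because the `ipv6_ext_hdr(nexthdr)` test at the top of the hunk lets NEXTHDR_NONE through (otherwise the NEXTHDR_NONE branch would be dead code) while NEXTHDR_NONE has no header bytes at all, so the length check was always going to fail on it first; the commit message could say that explicitly, and also that the return value for NEXTHDR_NONE is unchanged (-1 either way), so only the debug message is affected. Unrelated to the reorder but in the context lines: `if (skb_copy_bits(...)) BUG();` turns any future mismatch between `len` and the real skb length into a panic on a received packet; a `return -1` there would fail closed at far lower cost.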

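Patch 04/04 reorders two checks because NEXTHDR_NONE passes the extension-header test but carries no header bytes. The following is an added example, not code from the patch or from the kernel: a user-space walker over an IPv6 extension header chain in the style of find_prev_fhdr(), with a flag that selects the pre-patch or post-patch check order so the misleading "too short" result can be reproduced on a hand-built packet. The NEXTHDR_* values are the real IPv6 next-header numbers; the walk_result enum, the build_packet() helper, the demo_* functions and the packets they build are constructed for this example.

```c
/* Added example, not code from the patch or from the kernel: a user-space
 * walk over an IPv6 extension header chain looking for the fragment header
 * the way find_prev_fhdr() does.  A flag selects whether NEXTHDR_NONE is
 * tested before the length check (post-patch) or after it (pre-patch).
 * NEXTHDR_* are the real next-header numbers; packets are hand-built input. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NEXTHDR_HOP      0
#define NEXTHDR_TCP      6
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_AUTH     51
#define NEXTHDR_NONE     59
#define NEXTHDR_DEST     60
#define IPV6_HDR_LEN     40  /* base header */
#define OPT_HDR_LEN      2   /* struct ipv6_opt_hdr: nexthdr, hdrlen */

enum walk_result { WALK_FOUND_FRAGMENT, WALK_NOT_EXT_HDR, WALK_NEXTHDR_NONE, WALK_TOO_SHORT };

/* Mirrors ipv6_ext_hdr(): NEXTHDR_NONE counts as an extension header even
 * though no header bytes follow it, hence the ordering question below. */
static int is_ext_hdr(uint8_t nh)
{
    return nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING || nh == NEXTHDR_FRAGMENT ||
           nh == NEXTHDR_AUTH || nh == NEXTHDR_NONE || nh == NEXTHDR_DEST;
}

/* Walk pkt (len bytes from the base header); on success *fhoff is the offset
 * of the fragment header.  start never exceeds len inside the loop. */
static enum walk_result find_frag_hdr(const uint8_t *pkt, size_t len,
                                      int none_before_length, size_t *fhoff)
{
    if (len < IPV6_HDR_LEN)
        return WALK_TOO_SHORT;
    uint8_t nexthdr = pkt[6];
    size_t start = IPV6_HDR_LEN;

    while (nexthdr != NEXTHDR_FRAGMENT) {
        if (!is_ext_hdr(nexthdr))
            return WALK_NOT_EXT_HDR;
        if (none_before_length && nexthdr == NEXTHDR_NONE)   /* post-patch order */
            return WALK_NEXTHDR_NONE;
        if (len - start < OPT_HDR_LEN)
            return WALK_TOO_SHORT;        /* pre-patch: fires first on NONE */
        if (!none_before_length && nexthdr == NEXTHDR_NONE)  /* pre-patch order */
            return WALK_NEXTHDR_NONE;

        uint8_t hdrlen = pkt[start + 1];
        size_t hdr_bytes = nexthdr == NEXTHDR_AUTH ? ((size_t)hdrlen + 2) * 4  /* AH: 32-bit units */
                                                   : ((size_t)hdrlen + 1) * 8; /* others: 64-bit units */
        if (len - start < hdr_bytes)
            return WALK_TOO_SHORT;
        nexthdr = pkt[start];
        start += hdr_bytes;
    }
    if (len - start < 8)   /* the fragment header itself is 8 bytes */
        return WALK_TOO_SHORT;
    *fhoff = start;
    return WALK_FOUND_FRAGMENT;
}

/* Zeroed base header carrying first_nh as its next-header value, then ext. */
static size_t build_packet(uint8_t *buf, uint8_t first_nh, const uint8_t *ext, size_t ext_len)
{
    memset(buf, 0, IPV6_HDR_LEN);
    buf[0] = 0x60;                                               /* version 6 */
    buf[4] = (uint8_t)(ext_len >> 8); buf[5] = (uint8_t)ext_len; /* payload length */
    buf[6] = first_nh;
    buf[7] = 64;                                                 /* hop limit */
    memcpy(buf + IPV6_HDR_LEN, ext, ext_len);
    return IPV6_HDR_LEN + ext_len;
}

/* Hop-by-hop header whose next header is NEXTHDR_NONE, nothing after it. */
static enum walk_result demo_none_terminated(int none_before_length)
{
    static const uint8_t hop[8] = { NEXTHDR_NONE, 0, 1, 4, 0, 0, 0, 0 };  /* hdrlen 0, PadN */
    uint8_t buf[64];
    size_t fh, len = build_packet(buf, NEXTHDR_HOP, hop, sizeof hop);
    return find_frag_hdr(buf, len, none_before_length, &fh);
}

/* Destination options then a fragment header; returns its offset or -1. */
static long demo_fragment_fhoff(void)
{
    static const uint8_t ext[16] = { NEXTHDR_FRAGMENT, 0, 1, 4, 0, 0, 0, 0,  /* dst opts */
                                     NEXTHDR_TCP, 0, 0, 0, 0, 0, 0, 1 };     /* fragment, id 1 */
    uint8_t buf[64];
    size_t fh = 0, len = build_packet(buf, NEXTHDR_DEST, ext, sizeof ext);
    return find_frag_hdr(buf, len, 1, &fh) == WALK_FOUND_FRAGMENT ? (long)fh : -1;
}

/* AH advertising (4 + 2) * 4 = 24 bytes with only 16 present: a real "too short". */
static enum walk_result demo_truncated_auth(void)
{
    static const uint8_t ah[16] = { NEXTHDR_TCP, 4 };
    uint8_t buf[64];
    size_t fh, len = build_packet(buf, NEXTHDR_AUTH, ah, sizeof ah);
    return find_frag_hdr(buf, len, 1, &fh);
}

int main(void)
{
    printf("NONE-first=%d length-first=%d fragment@%ld truncated-AH=%d\n", demo_none_terminated(1),
           demo_none_terminated(0), demo_fragment_fhoff(), demo_truncated_auth());
    return 0;
}
```

Run it as is: the NONE-terminated chain reports WALK_NEXTHDR_NONE (2) with the post-patch order and WALK_TOO_SHORT (3) with the pre-patch order, which is exactly the misleading "too short" the patch removes, while the truncated AH case shows the length check still doing its real job once the order is right.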

* Re: netfilter 00/04: netfilter fixes
  2009-03-16 16:08 netfilter 00/04: netfilter fixes Patrick McHardy
                   ` (3 preceding siblings ...)
  2009-03-16 16:08 ` netfilter 04/04: conntrack: check for NEXTHDR_NONE before header sanity checking Patrick McHardy
@ 2009-03-17 20:13 ` David Miller
  4 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2009-03-17 20:13 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 16 Mar 2009 17:08:42 +0100 (MET)

> the following patches for 2.6.29 fix a few netfilter bugs:
> 
> - avoid event delivery for conntracks dropped because of clashes (from Pablo)
> 
> - fix for a ctnetlink crash during expectation creation caused by a missing
>   initialization. Also from Pablo.
> 
> - a fix for correctly handling NF_DROP return values from the conntrack
>   ->packet() callbacks. From Christoph Paasch.
> 
> - reordering of the header checks in IPv6 conntrack reassembly to avoid an
>   incorrect log message with NEXTHDR_NONE. Also from Christoph.
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!

