netfilter 00/04: netfilter fixes

netfilter 00/04: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following patches for 2.6.29 fix a few netfilter bugs:

- avoid event delivery for conntracks dropped because of clashes (from Pablo)

- fix for a ctnetlink crash during expectation creation caused by a missing
  initialization. Also from Pablo.

- a fix for correctly handling NF_DROP return values from the conntrack
  ->packet() callbacks. From Christoph Pasch.

- reordering of the header checks in IPv6 conntrack reassembly to avoid an
  incorrect log message with NEXTHDR_NONE. Also from Christoph.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/net/netfilter/nf_conntrack_core.h |    3 ++-
 net/ipv6/netfilter/nf_conntrack_reasm.c   |    8 ++++----
 net/netfilter/nf_conntrack_core.c         |    2 +-
 net/netfilter/nf_conntrack_netlink.c      |    1 +
 net/netfilter/nf_conntrack_proto_tcp.c    |    4 ++--
 5 files changed, 10 insertions(+), 8 deletions(-)

Christoph Paasch (2):
      netfilter: conntrack: fix dropping packet after l4proto->packet()
      netfilter: conntrack: check for NEXTHDR_NONE before header sanity checking

Pablo Neira Ayuso (2):
      netfilter: conntrack: don't deliver events for racy packets
      netfilter: ctnetlink: fix crash during expectation creation

netfilter 01/04: conntrack: don't deliver events for racy packets

[Patrick McHardy]

commit b1e93a68ca41e7e73766f95ba32ca05cf9052e15
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Mar 16 15:06:42 2009 +0100

    netfilter: conntrack: don't deliver events for racy packets
    
    This patch skips the delivery of conntrack events if the packet
    was drop due to a race condition in the conntrack insertion.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index c25068e..5a449b4 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -62,7 +62,8 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
 	if (ct && ct != &nf_conntrack_untracked) {
 		if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
 			ret = __nf_conntrack_confirm(skb);
-		nf_ct_deliver_cached_events(ct);
+		if (likely(ret == NF_ACCEPT))
+			nf_ct_deliver_cached_events(ct);
 	}
 	return ret;
 }

netfilter 02/04: ctnetlink: fix crash during expectation creation

[Patrick McHardy]

commit 626ba8fbac9156a94a80be46ffd2f2ce9e4e89a0
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Mar 16 15:50:51 2009 +0100

    netfilter: ctnetlink: fix crash during expectation creation
    
    This patch fixes a possible crash due to the missing initialization
    of the expectation class when nf_ct_expect_related() is called.
    
    Reported-by: BORBELY Zoltan <bozo@andrews.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index cb78aa0..ed6d873 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1780,6 +1780,7 @@ ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3, u32 pid, int report)
 		goto out;
 	}
 
+	exp->class = 0;
 	exp->expectfn = NULL;
 	exp->flags = 0;
 	exp->master = ct;

netfilter 03/04: conntrack: fix dropping packet after l4proto->packet()

[Patrick McHardy]

commit ec8d540969da9a70790e9028d57b5b577dd7aa77
Author: Christoph Paasch <christoph.paasch@gmail.com>
Date:   Mon Mar 16 15:51:29 2009 +0100

    netfilter: conntrack: fix dropping packet after l4proto->packet()
    
    We currently use the negative value in the conntrack code to encode
    the packet verdict in the error. As NF_DROP is equal to 0, inverting
    NF_DROP makes no sense and, as a result, no packets are ever dropped.
    
    Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 90ce9dd..f4935e3 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -726,7 +726,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
 	NF_CT_ASSERT(skb->nfct);
 
 	ret = l4proto->packet(ct, skb, dataoff, ctinfo, pf, hooknum);
-	if (ret < 0) {
+	if (ret <= 0) {
 		/* Invalid: inverse of the return code tells
 		 * the netfilter core what to do */
 		pr_debug("nf_conntrack_in: Can't track with proto module\n");
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index a1edb9c..f3fd154 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -859,7 +859,7 @@ static int tcp_packet(struct nf_conn *ct,
 			 */
 			if (nf_ct_kill(ct))
 				return -NF_REPEAT;
-			return -NF_DROP;
+			return NF_DROP;
 		}
 		/* Fall through */
 	case TCP_CONNTRACK_IGNORE:
@@ -892,7 +892,7 @@ static int tcp_packet(struct nf_conn *ct,
 				nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
 					  "nf_ct_tcp: killing out of sync session ");
 			nf_ct_kill(ct);
-			return -NF_DROP;
+			return NF_DROP;
 		}
 		ct->proto.tcp.last_index = index;
 		ct->proto.tcp.last_dir = dir;

netfilter 04/04: conntrack: check for NEXTHDR_NONE before header sanity checking

[Patrick McHardy]

commit d1238d5337e8e53cddea77c2a26d26b6eb5a982f
Author: Christoph Paasch <christoph.paasch@gmail.com>
Date:   Mon Mar 16 15:52:11 2009 +0100

    netfilter: conntrack: check for NEXTHDR_NONE before header sanity checking
    
    NEXTHDR_NONE doesn't has an IPv6 option header, so the first check
    for the length will always fail and results in a confusing message
    "too short" if debugging enabled. With this patch, we check for
    NEXTHDR_NONE before length sanity checkings are done.
    
    Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index ed4d79a..058a5e4 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -528,14 +528,14 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
 		if (!ipv6_ext_hdr(nexthdr)) {
 			return -1;
 		}
-		if (len < (int)sizeof(struct ipv6_opt_hdr)) {
-			pr_debug("too short\n");
-			return -1;
-		}
 		if (nexthdr == NEXTHDR_NONE) {
 			pr_debug("next header is none\n");
 			return -1;
 		}
+		if (len < (int)sizeof(struct ipv6_opt_hdr)) {
+			pr_debug("too short\n");
+			return -1;
+		}
 		if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
 			BUG();
 		if (nexthdr == NEXTHDR_AUTH)

Re: netfilter 00/04: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 16 Mar 2009 17:08:42 +0100 (MET)

> the following patches for 2.6.29 fix a few netfilter bugs:
> 
> - avoid event delivery for conntracks dropped because of clashes (from Pablo)
> 
> - fix for a ctnetlink crash during expectation creation caused by a missing
>   initialization. Also from Pablo.
> 
> - a fix for correctly handling NF_DROP return values from the conntrack
>   ->packet() callbacks. From Christoph Pasch.
> 
> - reordering of the header checks in IPv6 conntrack reassembly to avoid an
>   incorrect log message with NEXTHDR_NONE. Also from Christoph.
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!

netfilter 00/04: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following patches fix a couple of netfilter bugs:

- missing inclusion of linux/types.h in xt_LED.h

- an incorrect length check in the ipv6header match, causing
  mismatches on packets ending with NEXTHDR_NONE

- an incorrect check in the new cluster match, causing rules using
  32 nodes to fail loading

- incorrect ctnetlink event types for user-generated events

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/linux/netfilter/xt_LED.h     |    2 ++
 include/linux/netfilter/xt_cluster.h |    2 ++
 net/ipv6/netfilter/ip6t_ipv6header.c |    6 +++---
 net/netfilter/xt_cluster.c           |    8 +++++++-
 4 files changed, 14 insertions(+), 4 deletions(-)

Christoph Paasch (1):
      netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE

Pablo Neira Ayuso (1):
      netfilter: xt_cluster: fix use of cluster match with 32 nodes

Patrick McHardy (1):
      netfilter: add missing linux/types.h include to xt_LED.h

Re: netfilter 00/04: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  5 May 2009 18:47:42 +0200 (MEST)

> the following patches fix a couple of netfilter bugs:
...
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot Patrick!

netfilter 00/04: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are four netfilter fixes for 2.6.30, containing:

- a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
- a patch from Pablo to properly propagate DCCP conntrack state changes
- a patch from Jesper to fix an invalid return value in a xt_hashlimit
  seq_file function
- another patch from Pablo to fix undersized skb allocation in nfnetlink_log

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/linux/netfilter/nf_conntrack_tcp.h |    4 ++++
 net/netfilter/nf_conntrack_proto_dccp.c    |    4 ++++
 net/netfilter/nf_conntrack_proto_tcp.c     |   18 ++++++++++++++++++
 net/netfilter/nfnetlink_log.c              |    6 ++++++
 net/netfilter/xt_hashlimit.c               |    2 +-
 5 files changed, 33 insertions(+), 1 deletions(-)

Jesper Dangaard Brouer (1):
      netfilter: xt_hashlimit does a wrong SEQ_SKIP

Jozsef Kadlecsik (1):
      netfilter: nf_ct_tcp: fix accepting invalid RST segments

Pablo Neira Ayuso (2):
      netfilter: nf_ct_dccp: add missing DCCP protocol changes in event cache
      netfilter: nfnetlink_log: fix wrong skbuff size	calculation

Re: netfilter 00/04: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Wed, 27 May 2009 16:35:24 +0200 (MEST)

> following are four netfilter fixes for 2.6.30, containing:
> 
> - a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
> - a patch from Pablo to properly propagate DCCP conntrack state changes
> - a patch from Jesper to fix an invalid return value in a xt_hashlimit
>   seq_file function
> - another patch from Pablo to fix undersized skb allocation in nfnetlink_log
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks Patrick.

In the future, can you please explicitly specify the branch name, even
if it is just 'master', in your GIT URLs for me to pull from?

GIT requires that it always be specified, therefore if you put it
there at the end of the URL I can just cut and paste it into my
command line.

Thanks!

Re: netfilter 00/04: netfilter fixes

[Patrick McHardy]

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Wed, 27 May 2009 16:35:24 +0200 (MEST)
> 
>> following are four netfilter fixes for 2.6.30, containing:
>>
>> - a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
>> - a patch from Pablo to properly propagate DCCP conntrack state changes
>> - a patch from Jesper to fix an invalid return value in a xt_hashlimit
>>   seq_file function
>> - another patch from Pablo to fix undersized skb allocation in nfnetlink_log
>>
>> Please apply or pull from:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
> 
> Pulled, thanks Patrick.
> 
> In the future, can you please explicitly specify the branch name, even
> if it is just 'master', in your GIT URLs for me to pull from?
> 
> GIT requires that it always be specified, therefore if you put it
> there at the end of the URL I can just cut and paste it into my
> command line.

Sure, will do :)

netfilter 00/04: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are four netfilter fixes for 2.6.31:

- Jesper's rcu_barrier() patch to fix conntrack module unload races

- a patch to fix false positives in TCP conntrack unacknowledged data
  detection, resulting in very short timeout values

- a missing linux/types.h include in xt_osf.h

- a fix for a conntrack match regression introduced with the last revision:
  the state member in the configuration struct isn't able to hold all valid
  values. This unfortunately needs a new revision.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 include/linux/netfilter/xt_conntrack.h |   13 ++++++
 include/linux/netfilter/xt_osf.h       |    2 +
 include/net/netfilter/nf_conntrack.h   |    4 +-
 net/ipv4/netfilter/nf_nat_helper.c     |   17 +++++---
 net/netfilter/nf_conntrack_expect.c    |    4 +-
 net/netfilter/nf_conntrack_extend.c    |    2 +-
 net/netfilter/nf_conntrack_proto_tcp.c |    6 +-
 net/netfilter/xt_conntrack.c           |   66 +++++++++++++++++++++++++++++---
 8 files changed, 95 insertions(+), 19 deletions(-)

Jan Engelhardt (1):
      netfilter: xtables: conntrack match revision 2

Jaswinder Singh Rajput (1):
      netfilter: headers_check fix: linux/netfilter/xt_osf.h

Jesper Dangaard Brouer (1):
      nf_conntrack: Use rcu_barrier()

Patrick McHardy (1):
      netfilter: tcp conntrack: fix unacknowledged data detection with NAT

Re: netfilter 00/04: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 29 Jun 2009 16:20:13 +0200 (MEST)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
> 
> Thanks!

Pulled, thanks a lot Patrick!

netfilter 00/04: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following patches fix a couple of bugs in netfilter and IPVS:

- use lib/gcd in IPVS

- add missing boundary checks for IPVS ioctl arguments, from Arjan

- fix an out-of-bounds read in FTP conntrack, from myself

- add missing CAP_NET_ADMIN check to ebtables, from Florian Westphal.
  ebtables userspace uses IP RAW sockets to address ebtables, which
  enforce CAP_NET_RAW. Any other IP socket type allows unpriviledged
  access to the ebtables ruleset.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 net/bridge/netfilter/ebtables.c  |    6 ++++++
 net/netfilter/ipvs/Kconfig       |    3 ++-
 net/netfilter/ipvs/ip_vs_ctl.c   |   14 +++++++++++++-
 net/netfilter/ipvs/ip_vs_wrr.c   |   15 +--------------
 net/netfilter/nf_conntrack_ftp.c |   18 +++++++++---------
 5 files changed, 31 insertions(+), 25 deletions(-)

Arjan van de Ven (1):
      ipvs: Add boundary check on ioctl arguments

Florian Fainelli (1):
      ipvs: ip_vs_wrr.c: use lib/gcd.c

Florian Westphal (1):
      netfilter: ebtables: enforce CAP_NET_ADMIN

Patrick McHardy (1):
      netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()

Re: netfilter 00/04: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri,  8 Jan 2010 17:42:07 +0100 (MET)

> the following patches fix a couple of bugs in netfilter and IPVS:
> 
> - use lib/gcd in IPVS
> 
> - add missing boundary checks for IPVS ioctl arguments, from Arjan
> 
> - fix an out-of-bounds read in FTP conntrack, from myself
> 
> - add missing CAP_NET_ADMIN check to ebtables, from Florian Westphal.
>   ebtables userspace uses IP RAW sockets to address ebtables, which
>   enforce CAP_NET_RAW. Any other IP socket type allows unpriviledged
>   access to the ebtables ruleset.
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks Patrick.