netfilter 00/03: netfilter fixes

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following three patches fix two netfilter bugs introduced during the merge
window and re-add support for a feature that accidentally got dropped with the
SAME target removal:

- a missing list initialization of the nf_log logger lists

- a missing conversion to use the hlist_nulls list function in connection tracking
  helper unregistration

- support for persistent multi-range NAT mappings

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/net/netfilter/nf_nat.h      |    1 +
 net/ipv4/netfilter/nf_nat_core.c    |    3 ++-
 net/netfilter/nf_conntrack_helper.c |    2 +-
 net/netfilter/nf_log.c              |    4 ++++
 4 files changed, 8 insertions(+), 2 deletions(-)

Eric Dumazet (1):
      netfilter: nf_log regression fix

Patrick McHardy (2):
      netfilter: nf_conntrack: fix crash when unloading helpers
      netfilter: nf_nat: add support for persistent mappings

netfilter 01/03: nf_log regression fix

[Patrick McHardy]

commit b6f0a3652ea9d2296fdc98c3b2c96603be611c4d
Author: Eric Dumazet <dada1@cosmosbay.com>
Date:   Wed Apr 15 12:16:19 2009 +0200

    netfilter: nf_log regression fix
    
    commit ca735b3aaa945626ba65a3e51145bfe4ecd9e222
    'netfilter: use a linked list of loggers'
    introduced an array of list_head in "struct nf_logger", but
    forgot to initialize it in nf_log_register(). This resulted
    in oops when calling nf_log_unregister() at module unload time.
    
    Reported-and-tested-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
    Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
    Acked-by: Eric Leblond <eric@inl.fr>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 8bb998f..beb3731 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -36,10 +36,14 @@ static struct nf_logger *__find_logger(int pf, const char *str_logger)
 int nf_log_register(u_int8_t pf, struct nf_logger *logger)
 {
 	const struct nf_logger *llog;
+	int i;
 
 	if (pf >= ARRAY_SIZE(nf_loggers))
 		return -EINVAL;
 
+	for (i = 0; i < ARRAY_SIZE(logger->list); i++)
+		INIT_LIST_HEAD(&logger->list[i]);
+
 	mutex_lock(&nf_log_mutex);
 
 	if (pf == NFPROTO_UNSPEC) {

netfilter 02/03: nf_conntrack: fix crash when unloading helpers

[Patrick McHardy]

commit 38fb0afcd8761f8858e27135ed89a65117e2019c
Author: Patrick McHardy <kaber@trash.net>
Date:   Wed Apr 15 12:45:08 2009 +0200

    netfilter: nf_conntrack: fix crash when unloading helpers
    
    Commit ea781f197d (netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and)
    get rid of call_rcu() was missing one conversion to the hlist_nulls
    functions, causing a crash when unloading conntrack helper modules.
    
    Reported-and-tested-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 30b8e90..0fa5a42 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -176,7 +176,7 @@ static void __nf_conntrack_helper_unregister(struct nf_conntrack_helper *me,
 	}
 
 	/* Get rid of expecteds, set helpers to NULL. */
-	hlist_for_each_entry(h, nn, &net->ct.unconfirmed, hnnode)
+	hlist_nulls_for_each_entry(h, nn, &net->ct.unconfirmed, hnnode)
 		unhelp(h, me);
 	for (i = 0; i < nf_conntrack_htable_size; i++) {
 		hlist_nulls_for_each_entry(h, nn, &net->ct.hash[i], hnnode)

netfilter 03/03: nf_nat: add support for persistent mappings

[Patrick McHardy]

commit 98d500d66cb7940747b424b245fc6a51ecfbf005
Author: Patrick McHardy <kaber@trash.net>
Date:   Thu Apr 16 18:33:01 2009 +0200

    netfilter: nf_nat: add support for persistent mappings
    
    The removal of the SAME target accidentally removed one feature that is
    not available from the normal NAT targets so far, having multi-range
    mappings that use the same mapping for each connection from a single
    client. The current behaviour is to choose the address from the range
    based on source and destination IP, which breaks when communicating
    with sites having multiple addresses that require all connections to
    originate from the same IP address.
    
    Introduce a IP_NAT_RANGE_PERSISTENT option that controls whether the
    destination address is taken into account for selecting addresses.
    
    http://bugzilla.kernel.org/show_bug.cgi?id=12954
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index 9dc1039..8df0b7f 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -18,6 +18,7 @@ enum nf_nat_manip_type
 #define IP_NAT_RANGE_MAP_IPS 1
 #define IP_NAT_RANGE_PROTO_SPECIFIED 2
 #define IP_NAT_RANGE_PROTO_RANDOM 4
+#define IP_NAT_RANGE_PERSISTENT 8
 
 /* NAT sequence number modifications */
 struct nf_nat_seq {
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index fe65187..3229e0a 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -211,7 +211,8 @@ find_best_ips_proto(struct nf_conntrack_tuple *tuple,
 	minip = ntohl(range->min_ip);
 	maxip = ntohl(range->max_ip);
 	j = jhash_2words((__force u32)tuple->src.u3.ip,
-			 (__force u32)tuple->dst.u3.ip, 0);
+			 range->flags & IP_NAT_RANGE_PERSISTENT ?
+				(__force u32)tuple->dst.u3.ip : 0, 0);
 	j = ((u64)j * (maxip - minip + 1)) >> 32;
 	*var_ipp = htonl(minip + j);
 }

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Apr 2009 19:16:22 +0200 (MEST)

> the following three patches fix two netfilter bugs introduced during the merge
> window and re-add support for a feature that accidentally got dropped with the
> SAME target removal:
> 
> - a missing list initialization of the nf_log logger lists
> 
> - a missing conversion to use the hlist_nulls list function in connection tracking
>   helper unregistration
> 
> - support for persistent multi-range NAT mappings
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are three netfilter fixes for net-next, fixing:

- the NAT issue reported by Stephen, which was caused by inverted logic
  in NF_HOOK_COND(), causing it to skip the POST_ROUTING hook invocation

- an assertion in ct_extend, caused by invalid ordering in ctnetlink
  when setting up new conntracks. Additionally it is invalid to
  attach helpers to existing conntracks, which is disabled by this
  patch.

- an skb leak in nf_queue when userspace returns NF_STOLEN as verdict

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master

Thanks!


 include/linux/netfilter.h            |    5 +++--
 net/netfilter/nf_conntrack_netlink.c |   22 +++++++++++-----------
 net/netfilter/nf_queue.c             |    2 +-
 3 files changed, 15 insertions(+), 14 deletions(-)

Eric Dumazet (1):
      netfilter: nf_queue: fix NF_STOLEN skb leak

Pablo Neira Ayuso (1):
      netfilter: ctnetlink: fix creation of conntrack with helpers

Patrick McHardy (1):
      netfilter: restore POST_ROUTING hook in NF_HOOK_COND

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 19 Feb 2010 18:02:06 +0100 (MET)

> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master

Pulled, thanks patrick.

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes for 2.6.31 and a MAINTAINERS update:

- a fix for the nf_conntrack_alloc() race from Eric
- a fix for incorrect invocation of nf_log_packet() in the new osf match
- a patch to add my netfilter git tree to MAINTAINERS

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 Documentation/RCU/rculist_nulls.txt |    7 ++++++-
 MAINTAINERS                         |    1 +
 net/netfilter/nf_conntrack_core.c   |   21 ++++++++++++++++++---
 net/netfilter/xt_osf.c              |    5 +++--
 4 files changed, 28 insertions(+), 6 deletions(-)

Eric Dumazet (1):
      netfilter: nf_conntrack: nf_conntrack_alloc() fixes

Joe Perches (1):
      netfilter: add netfilter git to MAINTAINERS

Patrick McHardy (1):
      netfilter: xt_osf: fix nf_log_packet() arguments

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Jul 2009 14:26:44 +0200 (MEST)

> following are two netfilter fixes for 2.6.31 and a MAINTAINERS update:
> 
> - a fix for the nf_conntrack_alloc() race from Eric
> - a fix for incorrect invocation of nf_log_packet() in the new osf match
> - a patch to add my netfilter git tree to MAINTAINERS
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks a lot Patrick!

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following patches fix three netfilter bugs:

- an incorrect dependency for the new LED target, added by myself to fix
  the compilation problem reported one or two weeks ago

- a fix for the ip6_tables "lock free counters" regression caused by a
  missing return statement

- a fix for a regression in .29, causing conntrack expectation refresh to
  create a new expectation instead of refreshing the existing one.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Please note that the git tree will bring in a merge commit of Linus'
tree from 2 days ago.

Thanks!


 include/net/netfilter/nf_conntrack_expect.h |    5 +++-
 net/ipv6/netfilter/ip6_tables.c             |    2 +
 net/netfilter/Kconfig                       |    2 +-
 net/netfilter/nf_conntrack_expect.c         |   30 +++++---------------------
 4 files changed, 13 insertions(+), 26 deletions(-)

Alex Riesen (1):
      netfilter: fix selection of "LED" target in netfilter

Eric Dumazet (1):
      netfilter: ip6tables regression fix

Pablo Neira Ayuso (1):
      netfilter: ctnetlink: fix regression in expectation handling

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Wed,  8 Apr 2009 18:52:16 +0200 (MEST)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks Patrick.

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following three patches for 2.6.28 fix a couple of netfilter issues:

- a conntrack creation race in ctnetlink that can cause NULL pointer
  dereferences in ctnetlink and duplicate conntrack entries.

- a missing const qualifier that got lost during the encapsulation of
  iptables target parameters

- a crash with bridge netfilter and GRE caused by a missing update_pmtu()
  function for the fake dst_entry.

Please apply, thanks.


 include/linux/netfilter/x_tables.h   |    2 +-
 net/bridge/br_netfilter.c            |   13 +++++++++++++
 net/netfilter/nf_conntrack_core.c    |    2 --
 net/netfilter/nf_conntrack_netlink.c |    5 +++--
 4 files changed, 17 insertions(+), 5 deletions(-)

Herbert Xu (1):
      bridge: netfilter: fix update_pmtu crash with GRE

Jan Engelhardt (1):
      netfilter: xtables: add missing const qualifier to xt_tgchk_param

Patrick McHardy (1):
      netfilter: ctnetlink: fix conntrack creation race

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are some netfilter fixes for 2.6.28, containing:

- restauration of a lost #ifdef to fix user-triggerable WARN_ONs in the
  NAT code. Also queued for -stable.

- restauration of ebtables dependencies that got lost during a Kconfig
  restructuring

- a slightly more involved patch from Pablo to remove the bogus NAT module
  dependencies from ctnetlink. It could be argued whether this qualifies as
  a real bugfix since its mainly a "it shouldn't be like this" thing and
  everything works properly, in my opinion it does though because of all
  the side effects that even just loading the NAT module causes. A somewhat
  fitting analogy would be an IPv6 module dependency in, lets say, TCP :)

Please apply, thanks.


 include/linux/netfilter/nfnetlink.h  |    3 +
 include/net/netfilter/nf_nat_core.h  |    8 ++
 net/bridge/netfilter/Kconfig         |    1 +
 net/ipv4/netfilter/nf_defrag_ipv4.c  |    3 +-
 net/ipv4/netfilter/nf_nat_core.c     |   97 ++++++++++++++++++++++
 net/netfilter/nf_conntrack_core.c    |    7 ++
 net/netfilter/nf_conntrack_netlink.c |  151 ++++++++++++++--------------------
 net/netfilter/nfnetlink.c            |   12 ++-
 8 files changed, 188 insertions(+), 94 deletions(-)

Pablo Neira Ayuso (1):
      netfilter: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat

Patrick McHardy (2):
      netfilter: restore lost #ifdef guarding defrag exception
      netfilter: fix ebtables dependencies

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are three fixes for netfilter:

- fix for NAT RCU races related to ct_extend
- fix for a memory leak in a H.323 module init error path
- fix for a crash when unloading the H.323 module while H.245 expectation
  or connections are active

Please apply, thanks.


 include/net/netfilter/nf_conntrack_extend.h |    1 +
 net/ipv4/netfilter/nf_nat_core.c            |    3 +--
 net/netfilter/nf_conntrack_extend.c         |    9 ++++++++-
 net/netfilter/nf_conntrack_h323_main.c      |   22 +++++++++++++++-------
 4 files changed, 25 insertions(+), 10 deletions(-)

Patrick McHardy (3):
      netfilter: nf_nat: fix RCU races
      netfilter: nf_conntrack_h323: fix memory leak in module initialization error path
      netfilter: nf_conntrack_h323: fix module unload crash

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 17 Jun 2008 16:03:51 +0200 (MEST)

> following are three fixes for netfilter:
> 
> - fix for NAT RCU races related to ct_extend
> - fix for a memory leak in a H.323 module init error path
> - fix for a crash when unloading the H.323 module while H.245 expectation
>   or connections are active
> 
> Please apply, thanks.

Applied to net-2.6, and I'll push back out to kernel.org after some
build sanity checks.

Thanks!