netfilter 00/02: netfilter fixes

netfilter 00/02: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following two patches contain the GRE conntrack netns fix for an
oops on unload from Alexey and the preparatory patch, introducing
register_pernet_gen_subsys/unregister_pernet_gen_subsys.

Please apply, thanks.


 include/net/net_namespace.h            |    2 ++
 net/core/net_namespace.c               |   32 ++++++++++++++++++++++++++++++++
 net/netfilter/nf_conntrack_proto_gre.c |    4 ++--
 3 files changed, 36 insertions(+), 2 deletions(-)

Alexey Dobriyan (2):
      netns: add register_pernet_gen_subsys/unregister_pernet_gen_subsys
      netfilter: nf_conntrack_proto_gre: switch to register_pernet_gen_subsys()

netfilter 00/02: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following two patches fix two netfilter bugs:

- missing socket notification for ctnetlink skb allocation errors

- an incorrect return code in nfnetlink for netlink_kernel_create() failure

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 net/netfilter/nf_conntrack_netlink.c |   10 ++++++----
 net/netfilter/nfnetlink.c            |    2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

Pablo Neira Ayuso (2):
      netfilter: ctnetlink: report error if event message allocation fails
      netfilter: nfnetlink: return ENOMEM if we fail to create netlink socket

netfilter 01/02: ctnetlink: report error if event message allocation fails

[Patrick McHardy]

commit 150ace0db360373d2016a2497d252138a59c5ba8
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Fri Apr 17 17:47:31 2009 +0200

    netfilter: ctnetlink: report error if event message allocation fails
    
    This patch fixes an inconsistency that results in no error reports
    to user-space listeners if we fail to allocate the event message.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c6439c7..0ea36e0 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -512,7 +512,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
 
 	skb = ctnetlink_alloc_skb(tuple(ct, IP_CT_DIR_ORIGINAL), GFP_ATOMIC);
 	if (!skb)
-		return NOTIFY_DONE;
+		goto errout;
 
 	b = skb->tail;
 
@@ -591,8 +591,9 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
 nla_put_failure:
 	rcu_read_unlock();
 nlmsg_failure:
-	nfnetlink_set_err(0, group, -ENOBUFS);
 	kfree_skb(skb);
+errout:
+	nfnetlink_set_err(0, group, -ENOBUFS);
 	return NOTIFY_DONE;
 }
 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
@@ -1564,7 +1565,7 @@ static int ctnetlink_expect_event(struct notifier_block *this,
 
 	skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
 	if (!skb)
-		return NOTIFY_DONE;
+		goto errout;
 
 	b = skb->tail;
 
@@ -1589,8 +1590,9 @@ static int ctnetlink_expect_event(struct notifier_block *this,
 nla_put_failure:
 	rcu_read_unlock();
 nlmsg_failure:
-	nfnetlink_set_err(0, 0, -ENOBUFS);
 	kfree_skb(skb);
+errout:
+	nfnetlink_set_err(0, 0, -ENOBUFS);
 	return NOTIFY_DONE;
 }
 #endif

netfilter 02/02: nfnetlink: return ENOMEM if we fail to create netlink socket

[Patrick McHardy]

commit a0142733a7ef2f3476e63938b330026a08c53f37
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Fri Apr 17 17:48:44 2009 +0200

    netfilter: nfnetlink: return ENOMEM if we fail to create netlink socket
    
    With this patch, nfnetlink returns -ENOMEM instead of -EPERM if we
    fail to create the nfnetlink netlink socket during the module
    loading. This is exactly what rtnetlink does in this case.
    
    Ideally, it would be better if we propagate the error that has
    happened in netlink_kernel_create(), however, this function still
    does not implement this yet.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 2785d66..b8ab37a 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -203,7 +203,7 @@ static int __init nfnetlink_init(void)
 				     nfnetlink_rcv, NULL, THIS_MODULE);
 	if (!nfnl) {
 		printk(KERN_ERR "cannot initialize nfnetlink!\n");
-		return -1;
+		return -ENOMEM;
 	}
 
 	return 0;

Re: netfilter 00/02: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 17 Apr 2009 18:09:13 +0200 (MEST)

> the following two patches fix two netfilter bugs:
> 
> - missing socket notification for ctnetlink skb allocation errors
> 
> - an incorrect return code in nfnetlink for netlink_kernel_create() failure
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!

netfilter 00/02: Netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two patches for netfilter, fixing

- a positive errno return value in the osf match

- a sleeping function called under RCU lock in the nf_log seq_show function

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 net/netfilter/nf_log.c |   18 +++++-------------
 net/netfilter/xt_osf.c |    2 +-
 2 files changed, 6 insertions(+), 14 deletions(-)

Roel Kluin (1):
      netfilter: xt_osf: fix xt_osf_remove_callback() return value

Wu Fengguang (1):
      netfilter: nf_log: fix sleeping function called from invalid context in seq_show()

netfilter 00/02: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following two patches fix two bugs in netfilter:

- an off-by-one in SIP conntrack short header parsing, causing mismatches
  with UAs not inserting a space after the colon

- a missing initialization in ctnetlink when dumping an expectation mask,
  causing an invalid layer 4 protocol number to be used

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 net/netfilter/nf_conntrack_netlink.c |    3 ++-
 net/netfilter/nf_conntrack_sip.c     |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

Patrick McHardy (2):
      netfilter: nf_conntrack_sip: fix off-by-one in compact header parsing
      netfilter: ctnetlink: fix expectation mask dump

Re: netfilter 00/02: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  2 Feb 2010 17:27:37 +0100 (MET)

> the following two patches fix two bugs in netfilter:
> 
> - an off-by-one in SIP conntrack short header parsing, causing mismatches
>   with UAs not inserting a space after the colon
> 
> - a missing initialization in ctnetlink when dumping an expectation mask,
>   causing an invalid layer 4 protocol number to be used
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks Patrick.