netfilter-devel.vger.kernel.org archive mirror
* netfilter 00/04: netfilter fixes
@ 2009-03-16 16:08 Patrick McHardy
  2009-03-17 20:13 ` David Miller
  0 siblings, 1 reply; 17+ messages in thread
From: Patrick McHardy @ 2009-03-16 16:08 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches for 2.6.29 fix a few netfilter bugs:

- avoid event delivery for conntracks dropped because of clashes (from Pablo)

- fix for a ctnetlink crash during expectation creation caused by a missing
  initialization. Also from Pablo.

- a fix for correctly handling NF_DROP return values from the conntrack
  ->packet() callbacks. From Christoph Paasch.

- reordering of the header checks in IPv6 conntrack reassembly to avoid an
  incorrect log message with NEXTHDR_NONE. Also from Christoph.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/net/netfilter/nf_conntrack_core.h |    3 ++-
 net/ipv6/netfilter/nf_conntrack_reasm.c   |    8 ++++----
 net/netfilter/nf_conntrack_core.c         |    2 +-
 net/netfilter/nf_conntrack_netlink.c      |    1 +
 net/netfilter/nf_conntrack_proto_tcp.c    |    4 ++--
 5 files changed, 10 insertions(+), 8 deletions(-)

Christoph Paasch (2):
      netfilter: conntrack: fix dropping packet after l4proto->packet()
      netfilter: conntrack: check for NEXTHDR_NONE before header sanity checking

Pablo Neira Ayuso (2):
      netfilter: conntrack: don't deliver events for racy packets
      netfilter: ctnetlink: fix crash during expectation creation

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: netfilter 00/04: netfilter fixes
  2009-03-16 16:08 Patrick McHardy
@ 2009-03-17 20:13 ` David Miller
  0 siblings, 0 replies; 17+ messages in thread
From: David Miller @ 2009-03-17 20:13 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 16 Mar 2009 17:08:42 +0100 (MET)

> the following patches for 2.6.29 fix a few netfilter bugs:
> 
> - avoid event delivery for conntracks dropped because of clashes (from Pablo)
> 
> - fix for a ctnetlink crash during expectation creation caused by a missing
>   initialization. Also from Pablo.
> 
> - a fix for correctly handling NF_DROP return values from the conntrack
>   ->packet() callbacks. From Christoph Paasch.
> 
> - reordering of the header checks in IPv6 conntrack reassembly to avoid an
>   incorrect log message with NEXTHDR_NONE. Also from Christoph.
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!


* netfilter 00/04: netfilter fixes
@ 2009-05-05 16:47 Patrick McHardy
  2009-05-05 19:02 ` David Miller
  0 siblings, 1 reply; 17+ messages in thread
From: Patrick McHardy @ 2009-05-05 16:47 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches fix a couple of netfilter bugs:

- missing inclusion of linux/types.h in xt_LED.h

- an incorrect length check in the ipv6header match, causing
  mismatches on packets ending with NEXTHDR_NONE

- an incorrect check in the new cluster match, causing rules using
  32 nodes to fail loading

- incorrect ctnetlink event types for user-generated events

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/linux/netfilter/xt_LED.h     |    2 ++
 include/linux/netfilter/xt_cluster.h |    2 ++
 net/ipv6/netfilter/ip6t_ipv6header.c |    6 +++---
 net/netfilter/xt_cluster.c           |    8 +++++++-
 4 files changed, 14 insertions(+), 4 deletions(-)

Christoph Paasch (1):
      netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE

Pablo Neira Ayuso (1):
      netfilter: xt_cluster: fix use of cluster match with 32 nodes

Patrick McHardy (1):
      netfilter: add missing linux/types.h include to xt_LED.h


* Re: netfilter 00/04: netfilter fixes
  2009-05-05 16:47 Patrick McHardy
@ 2009-05-05 19:02 ` David Miller
  0 siblings, 0 replies; 17+ messages in thread
From: David Miller @ 2009-05-05 19:02 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue,  5 May 2009 18:47:42 +0200 (MEST)

> the following patches fix a couple of netfilter bugs:
...
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot Patrick!


* netfilter 00/04: netfilter fixes
@ 2009-05-27 14:35 Patrick McHardy
  2009-05-27 22:52 ` David Miller
  0 siblings, 1 reply; 17+ messages in thread
From: Patrick McHardy @ 2009-05-27 14:35 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

following are four netfilter fixes for 2.6.30, containing:

- a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
- a patch from Pablo to properly propagate DCCP conntrack state changes
- a patch from Jesper to fix an invalid return value in a xt_hashlimit
  seq_file function
- another patch from Pablo to fix undersized skb allocation in nfnetlink_log

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/linux/netfilter/nf_conntrack_tcp.h |    4 ++++
 net/netfilter/nf_conntrack_proto_dccp.c    |    4 ++++
 net/netfilter/nf_conntrack_proto_tcp.c     |   18 ++++++++++++++++++
 net/netfilter/nfnetlink_log.c              |    6 ++++++
 net/netfilter/xt_hashlimit.c               |    2 +-
 5 files changed, 33 insertions(+), 1 deletions(-)

Jesper Dangaard Brouer (1):
      netfilter: xt_hashlimit does a wrong SEQ_SKIP

Jozsef Kadlecsik (1):
      netfilter: nf_ct_tcp: fix accepting invalid RST segments

Pablo Neira Ayuso (2):
      netfilter: nf_ct_dccp: add missing DCCP protocol changes in event cache
      netfilter: nfnetlink_log: fix wrong skbuff size calculation


* Re: netfilter 00/04: netfilter fixes
  2009-05-27 14:35 Patrick McHardy
@ 2009-05-27 22:52 ` David Miller
  2009-05-28 16:34   ` Patrick McHardy
  0 siblings, 1 reply; 17+ messages in thread
From: David Miller @ 2009-05-27 22:52 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Wed, 27 May 2009 16:35:24 +0200 (MEST)

> following are four netfilter fixes for 2.6.30, containing:
> 
> - a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
> - a patch from Pablo to properly propagate DCCP conntrack state changes
> - a patch from Jesper to fix an invalid return value in a xt_hashlimit
>   seq_file function
> - another patch from Pablo to fix undersized skb allocation in nfnetlink_log
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks Patrick.

In the future, can you please explicitly specify the branch name, even
if it is just 'master', in your GIT URLs for me to pull from?

GIT requires that it always be specified, therefore if you put it
there at the end of the URL I can just cut and paste it into my
command line.

Thanks!


* Re: netfilter 00/04: netfilter fixes
  2009-05-27 22:52 ` David Miller
@ 2009-05-28 16:34   ` Patrick McHardy
  0 siblings, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-05-28 16:34 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, netfilter-devel

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Wed, 27 May 2009 16:35:24 +0200 (MEST)
> 
>> following are four netfilter fixes for 2.6.30, containing:
>>
>> - a patch from Jozsef to fix accepting invalid RST packets in TCP conntrack
>> - a patch from Pablo to properly propagate DCCP conntrack state changes
>> - a patch from Jesper to fix an invalid return value in a xt_hashlimit
>>   seq_file function
>> - another patch from Pablo to fix undersized skb allocation in nfnetlink_log
>>
>> Please apply or pull from:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
> 
> Pulled, thanks Patrick.
> 
> In the future, can you please explicitly specify the branch name, even
> if it is just 'master', in your GIT URLs for me to pull from?
> 
> GIT requires that it always be specified, therefore if you put it
> there at the end of the URL I can just cut and paste it into my
> command line.

Sure, will do :)



* netfilter 00/04: netfilter fixes
@ 2009-06-29 14:20 Patrick McHardy
  2009-06-29 14:20 ` nf_conntrack 01/04: Use rcu_barrier() Patrick McHardy
                   ` (5 more replies)
  0 siblings, 6 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-06-29 14:20 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

following are four netfilter fixes for 2.6.31:

- Jesper's rcu_barrier() patch to fix conntrack module unload races

- a patch to fix false positives in TCP conntrack unacknowledged data
  detection, resulting in very short timeout values

- a missing linux/types.h include in xt_osf.h

- a fix for a conntrack match regression introduced with the last revision:
  the state member in the configuration struct isn't able to hold all valid
  values. This unfortunately needs a new revision.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 include/linux/netfilter/xt_conntrack.h |   13 ++++++
 include/linux/netfilter/xt_osf.h       |    2 +
 include/net/netfilter/nf_conntrack.h   |    4 +-
 net/ipv4/netfilter/nf_nat_helper.c     |   17 +++++---
 net/netfilter/nf_conntrack_expect.c    |    4 +-
 net/netfilter/nf_conntrack_extend.c    |    2 +-
 net/netfilter/nf_conntrack_proto_tcp.c |    6 +-
 net/netfilter/xt_conntrack.c           |   66 +++++++++++++++++++++++++++++---
 8 files changed, 95 insertions(+), 19 deletions(-)

Jan Engelhardt (1):
      netfilter: xtables: conntrack match revision 2

Jaswinder Singh Rajput (1):
      netfilter: headers_check fix: linux/netfilter/xt_osf.h

Jesper Dangaard Brouer (1):
      nf_conntrack: Use rcu_barrier()

Patrick McHardy (1):
      netfilter: tcp conntrack: fix unacknowledged data detection with NAT


* nf_conntrack 01/04: Use rcu_barrier()
  2009-06-29 14:20 netfilter 00/04: netfilter fixes Patrick McHardy
@ 2009-06-29 14:20 ` Patrick McHardy
  2009-06-29 14:20 ` netfilter 02/04: tcp conntrack: fix unacknowledged data detection with NAT Patrick McHardy
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-06-29 14:20 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 308ff823ebd749a94d3b6ac26b95bc0eb114c39e
Author: Jesper Dangaard Brouer <hawk@comx.dk>
Date:   Thu Jun 25 16:32:52 2009 +0200

    nf_conntrack: Use rcu_barrier()
    
    RCU barriers, rcu_barrier(), are inserted in two places.
    
     In nf_conntrack_expect.c nf_conntrack_expect_fini() before the
     kmem_cache_destroy().  Firstly to make sure the callback to the
     nf_ct_expect_free_rcu() code is still around.  Secondly because I'm
     unsure about the consequence of having in flight
     nf_ct_expect_free_rcu/kmem_cache_free() calls while doing a
     kmem_cache_destroy() slab destroy.
    
     And in nf_conntrack_extend.c nf_ct_extend_unregister(), in order to
     wait for completion of callbacks to __nf_ct_ext_free_rcu(), which is
     invoked by __nf_ct_ext_add().  It might be more efficient to call
     rcu_barrier() in nf_conntrack_core.c nf_conntrack_cleanup_net(), but
     that makes it more difficult to read the code (as the callback code
     is located in nf_conntrack_extend.c).
    
    Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index afde8f9..2032dfe 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -617,8 +617,10 @@ err1:
 void nf_conntrack_expect_fini(struct net *net)
 {
 	exp_proc_remove(net);
-	if (net_eq(net, &init_net))
+	if (net_eq(net, &init_net)) {
+		rcu_barrier(); /* Wait for call_rcu() before destroy */
 		kmem_cache_destroy(nf_ct_expect_cachep);
+	}
 	nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
 			     nf_ct_expect_hsize);
 }
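Review bot: the rcu_barrier() placed inside the init_net branch is the right primitive here, because kmem_cache_destroy() needs every object returned to the cache and synchronize_rcu() only waits for readers, not for callbacks already queued with call_rcu(); that reasoning deserves a sentence in the commit message, which currently says only that the author is "unsure about the consequence". Note also that the barrier is system-wide: it waits for every pending RCU callback, not just nf_ct_expect_free_rcu(), so the comment `/* Wait for call_rcu() before destroy */` could name the callback the destroy actually depends on.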
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 4b2c769..fef95be 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -186,6 +186,6 @@ void nf_ct_extend_unregister(struct nf_ct_ext_type *type)
 	rcu_assign_pointer(nf_ct_ext_types[type->id], NULL);
 	update_alloc_size(type);
 	mutex_unlock(&nf_ct_ext_type_mutex);
-	synchronize_rcu();
+	rcu_barrier(); /* Wait for completion of call_rcu()'s */
 }
 EXPORT_SYMBOL_GPL(nf_ct_extend_unregister);
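Review bot: substituting rcu_barrier() for synchronize_rcu() on the line `-	synchronize_rcu();` removes the explicit grace-period wait that followed `rcu_assign_pointer(nf_ct_ext_types[type->id], NULL)`. rcu_barrier() only guarantees that callbacks already queued via call_rcu() have finished; it is not documented to wait for a grace period at all (it may return immediately when no callbacks are queued), so readers still dereferencing the old nf_ct_ext_types[] entry under rcu_read_lock() are no longer covered. If such readers exist, keep synchronize_rcu() and add rcu_barrier() after it instead of replacing it.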


* netfilter 02/04: tcp conntrack: fix unacknowledged data detection with NAT
  2009-06-29 14:20 netfilter 00/04: netfilter fixes Patrick McHardy
  2009-06-29 14:20 ` nf_conntrack 01/04: Use rcu_barrier() Patrick McHardy
@ 2009-06-29 14:20 ` Patrick McHardy
  2009-06-29 14:20 ` netfilter 03/04: headers_check fix: linux/netfilter/xt_osf.h Patrick McHardy
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-06-29 14:20 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit a3a9f79e361e864f0e9d75ebe2a0cb43d17c4272
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Jun 29 14:07:56 2009 +0200

    netfilter: tcp conntrack: fix unacknowledged data detection with NAT
    
    When NAT helpers change the TCP packet size, the highest seen sequence
    number needs to be corrected. This is currently only done upwards, when
    the packet size is reduced the sequence number is unchanged. This causes
    TCP conntrack to falsely detect unacknowledged data and decrease the
    timeout.
    
    Fix by updating the highest seen sequence number in both directions after
    packet mangling.
    
    Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index a632689..cbdd628 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -258,8 +258,8 @@ static inline bool nf_ct_kill(struct nf_conn *ct)
 /* Update TCP window tracking data when NAT mangles the packet */
 extern void nf_conntrack_tcp_update(const struct sk_buff *skb,
 				    unsigned int dataoff,
-				    struct nf_conn *ct,
-				    int dir);
+				    struct nf_conn *ct, int dir,
+				    s16 offset);
 
 /* Fake conntrack entry for untracked connections */
 extern struct nf_conn nf_conntrack_untracked;
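Review bot: the new `s16 offset` parameter is undocumented, and the two callers in this patch pass different quantities for it: nf_nat_mangle_tcp_packet() passes the per-packet size delta `(int)rep_len - (int)match_len`, whereas nf_nat_seq_adjust() passes `seqoff`, taken from this_way->offset_after or offset_before. Extend the comment above the prototype ("Update TCP window tracking data when NAT mangles the packet") to state which of these the callee expects, since nf_conntrack_tcp_update() now tests `td_end + offset == end` for exact equality and a mismatch silently leaves td_end unchanged.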
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 155c008..09172a6 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -191,7 +191,8 @@ nf_nat_mangle_tcp_packet(struct sk_buff *skb,
 				    ct, ctinfo);
 		/* Tell TCP window tracking about seq change */
 		nf_conntrack_tcp_update(skb, ip_hdrlen(skb),
-					ct, CTINFO2DIR(ctinfo));
+					ct, CTINFO2DIR(ctinfo),
+					(int)rep_len - (int)match_len);
 
 		nf_conntrack_event_cache(IPCT_NATSEQADJ, ct);
 	}
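Review bot: `(int)rep_len - (int)match_len` is evaluated as int and then narrowed implicitly to the s16 parameter of nf_conntrack_tcp_update(). A payload change larger than 32767 bytes would be truncated silently; either comment that TCP helper mangling never changes a segment by that much, or guard the range with a WARN_ON() so the assumption is visible.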
@@ -377,6 +378,7 @@ nf_nat_seq_adjust(struct sk_buff *skb,
 	struct tcphdr *tcph;
 	int dir;
 	__be32 newseq, newack;
+	s16 seqoff, ackoff;
 	struct nf_conn_nat *nat = nfct_nat(ct);
 	struct nf_nat_seq *this_way, *other_way;
 
@@ -390,15 +392,18 @@ nf_nat_seq_adjust(struct sk_buff *skb,
 
 	tcph = (void *)skb->data + ip_hdrlen(skb);
 	if (after(ntohl(tcph->seq), this_way->correction_pos))
-		newseq = htonl(ntohl(tcph->seq) + this_way->offset_after);
+		seqoff = this_way->offset_after;
 	else
-		newseq = htonl(ntohl(tcph->seq) + this_way->offset_before);
+		seqoff = this_way->offset_before;
 
 	if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
 		  other_way->correction_pos))
-		newack = htonl(ntohl(tcph->ack_seq) - other_way->offset_after);
+		ackoff = other_way->offset_after;
 	else
-		newack = htonl(ntohl(tcph->ack_seq) - other_way->offset_before);
+		ackoff = other_way->offset_before;
+
+	newseq = htonl(ntohl(tcph->seq) + seqoff);
+	newack = htonl(ntohl(tcph->ack_seq) - ackoff);
 
 	inet_proto_csum_replace4(&tcph->check, skb, tcph->seq, newseq, 0);
 	inet_proto_csum_replace4(&tcph->check, skb, tcph->ack_seq, newack, 0);
@@ -413,7 +418,7 @@ nf_nat_seq_adjust(struct sk_buff *skb,
 	if (!nf_nat_sack_adjust(skb, tcph, ct, ctinfo))
 		return 0;
 
-	nf_conntrack_tcp_update(skb, ip_hdrlen(skb), ct, dir);
+	nf_conntrack_tcp_update(skb, ip_hdrlen(skb), ct, dir, seqoff);
 
 	return 1;
 }
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 33fc0a4..97a82ba 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -720,8 +720,8 @@ static bool tcp_in_window(const struct nf_conn *ct,
 /* Caller must linearize skb at tcp header. */
 void nf_conntrack_tcp_update(const struct sk_buff *skb,
 			     unsigned int dataoff,
-			     struct nf_conn *ct,
-			     int dir)
+			     struct nf_conn *ct, int dir,
+			     s16 offset)
 {
 	const struct tcphdr *tcph = (const void *)skb->data + dataoff;
 	const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir];
@@ -734,7 +734,7 @@ void nf_conntrack_tcp_update(const struct sk_buff *skb,
 	/*
 	 * We have to worry for the ack in the reply packet only...
 	 */
-	if (after(end, ct->proto.tcp.seen[dir].td_end))
+	if (ct->proto.tcp.seen[dir].td_end + offset == end)
 		ct->proto.tcp.seen[dir].td_end = end;
 	ct->proto.tcp.last_end = end;
 	spin_unlock_bh(&ct->lock);
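Review bot: changing the condition from `after(end, ct->proto.tcp.seen[dir].td_end)` to `ct->proto.tcp.seen[dir].td_end + offset == end` makes the update strict: td_end is now re-based only when this packet's pre-mangling end matched the recorded td_end exactly, so a retransmitted or out-of-order segment that previously advanced td_end now leaves it untouched. That looks intentional given the commit message, but the comment directly above ("We have to worry for the ack in the reply packet only...") no longer explains the check; update it to say that td_end is shifted by the NAT offset only for the segment that set it, in either direction.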


* netfilter 03/04: headers_check fix: linux/netfilter/xt_osf.h
  2009-06-29 14:20 netfilter 00/04: netfilter fixes Patrick McHardy
  2009-06-29 14:20 ` nf_conntrack 01/04: Use rcu_barrier() Patrick McHardy
  2009-06-29 14:20 ` netfilter 02/04: tcp conntrack: fix unacknowledged data detection with NAT Patrick McHardy
@ 2009-06-29 14:20 ` Patrick McHardy
  2009-06-29 14:20 ` netfilter 04/04: xtables: conntrack match revision 2 Patrick McHardy
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-06-29 14:20 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit 8a3af79361e85db6fec4173ef1916322471c19e3
Author: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
Date:   Mon Jun 29 14:28:27 2009 +0200

    netfilter: headers_check fix: linux/netfilter/xt_osf.h
    
    fix the following 'make headers_check' warnings:
    
      usr/include/linux/netfilter/xt_osf.h:40: found __[us]{8,16,32,64} type without #include <linux/types.h>
    
    Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/xt_osf.h b/include/linux/netfilter/xt_osf.h
index fd2272e..18afa49 100644
--- a/include/linux/netfilter/xt_osf.h
+++ b/include/linux/netfilter/xt_osf.h
@@ -20,6 +20,8 @@
 #ifndef _XT_OSF_H
 #define _XT_OSF_H
 
+#include <linux/types.h>
+
 #define MAXGENRELEN		32
 
 #define XT_OSF_GENRE		(1<<0)


* netfilter 04/04: xtables: conntrack match revision 2
  2009-06-29 14:20 netfilter 00/04: netfilter fixes Patrick McHardy
                   ` (2 preceding siblings ...)
  2009-06-29 14:20 ` netfilter 03/04: headers_check fix: linux/netfilter/xt_osf.h Patrick McHardy
@ 2009-06-29 14:20 ` Patrick McHardy
  2009-06-29 15:59 ` [PATCH] MAINTAINERS: Add NETFILTER git Joe Perches
  2009-06-30  2:23 ` netfilter 00/04: netfilter fixes David Miller
  5 siblings, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-06-29 14:20 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

commit d6d3f08b0fd998b647a05540cedd11a067b72867
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Mon Jun 29 14:31:46 2009 +0200

    netfilter: xtables: conntrack match revision 2
    
    As reported by Philip, the UNTRACKED state bit does not fit within
    the 8-bit state_mask member. Enlarge state_mask and give status_mask
    a few more bits too.
    
    Reported-by: Philip Craig <philipc@snapgear.com>
    References: http://markmail.org/thread/b7eg6aovfh4agyz7
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 3430c77..7ae0533 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -81,4 +81,17 @@ struct xt_conntrack_mtinfo1 {
 	__u8 state_mask, status_mask;
 };
 
+struct xt_conntrack_mtinfo2 {
+	union nf_inet_addr origsrc_addr, origsrc_mask;
+	union nf_inet_addr origdst_addr, origdst_mask;
+	union nf_inet_addr replsrc_addr, replsrc_mask;
+	union nf_inet_addr repldst_addr, repldst_mask;
+	__u32 expires_min, expires_max;
+	__u16 l4proto;
+	__be16 origsrc_port, origdst_port;
+	__be16 replsrc_port, repldst_port;
+	__u16 match_flags, invert_flags;
+	__u16 state_mask, status_mask;
+};
+
 #endif /*_XT_CONNTRACK_H*/
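Review bot: xt_conntrack_mtinfo2 must keep exactly the same layout as xt_conntrack_mtinfo1 up to the state_mask member, because conntrack_mt_check_v1() in this patch copies the v1 data with `memcpy(up, info, offsetof(typeof(*info), state_mask))` and then assigns the two widened masks individually. That constraint is not stated anywhere; a comment on the new struct, or a BUILD_BUG_ON() comparing `offsetof(struct xt_conntrack_mtinfo1, state_mask)` with the mtinfo2 offset, would catch a future reordering of either revision.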
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 0b7139f..fc58180 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -129,7 +129,7 @@ conntrack_addrcmp(const union nf_inet_addr *kaddr,
 
 static inline bool
 conntrack_mt_origsrc(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
 		     u_int8_t family)
 {
 	return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
@@ -138,7 +138,7 @@ conntrack_mt_origsrc(const struct nf_conn *ct,
 
 static inline bool
 conntrack_mt_origdst(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
 		     u_int8_t family)
 {
 	return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
@@ -147,7 +147,7 @@ conntrack_mt_origdst(const struct nf_conn *ct,
 
 static inline bool
 conntrack_mt_replsrc(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
 		     u_int8_t family)
 {
 	return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
@@ -156,7 +156,7 @@ conntrack_mt_replsrc(const struct nf_conn *ct,
 
 static inline bool
 conntrack_mt_repldst(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
 		     u_int8_t family)
 {
 	return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
@@ -164,7 +164,7 @@ conntrack_mt_repldst(const struct nf_conn *ct,
 }
 
 static inline bool
-ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
+ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
                     const struct nf_conn *ct)
 {
 	const struct nf_conntrack_tuple *tuple;
@@ -204,7 +204,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
 static bool
 conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-	const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
+	const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
 	enum ip_conntrack_info ctinfo;
 	const struct nf_conn *ct;
 	unsigned int statebit;
@@ -278,6 +278,16 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return true;
 }
 
+static bool
+conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo;
+	struct xt_match_param newpar = *par;
+
+	newpar.matchinfo = *info;
+	return conntrack_mt(skb, &newpar);
+}
+
 static bool conntrack_mt_check(const struct xt_mtchk_param *par)
 {
 	if (nf_ct_l3proto_try_module_get(par->family) < 0) {
@@ -288,11 +298,45 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
 	return true;
 }
 
+static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
+{
+	struct xt_conntrack_mtinfo1 *info = par->matchinfo;
+	struct xt_conntrack_mtinfo2 *up;
+	int ret = conntrack_mt_check(par);
+
+	if (ret < 0)
+		return ret;
+
+	up = kmalloc(sizeof(*up), GFP_KERNEL);
+	if (up == NULL) {
+		nf_ct_l3proto_module_put(par->family);
+		return -ENOMEM;
+	}
+
+	/*
+	 * The strategy here is to minimize the overhead of v1 matching,
+	 * by prebuilding a v2 struct and putting the pointer into the
+	 * v1 dataspace.
+	 */
+	memcpy(up, info, offsetof(typeof(*info), state_mask));
+	up->state_mask  = info->state_mask;
+	up->status_mask = info->status_mask;
+	*(void **)info  = up;
+	return true;
+}
+
 static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
 {
 	nf_ct_l3proto_module_put(par->family);
 }
 
+static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
+{
+	struct xt_conntrack_mtinfo2 **info = par->matchinfo;
+	kfree(*info);
+	conntrack_mt_destroy(par);
+}
+
 #ifdef CONFIG_COMPAT
 struct compat_xt_conntrack_info
 {
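Review bot: conntrack_mt_check() is declared `static bool` (see the `return true;` in the context above), so in conntrack_mt_check_v1() the test `if (ret < 0) return ret;` can never fire: a failed check returns false (0), the code goes on to kmalloc() and reports success for a rule whose l3proto module reference was never taken. The same mixing of bool and int affects `return -ENOMEM;`, which converts to true in a bool function, so an allocation failure is also reported as success and conntrack_mt_v1() later dereferences whatever happens to be in the v1 dataspace. Use `if (!conntrack_mt_check(par)) return false;` and `return false;` on the allocation-failure path. conntrack_mt_destroy_v1() is fine as written, since it only runs after a successful checkentry.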
@@ -363,6 +407,16 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
 		.revision   = 1,
 		.family     = NFPROTO_UNSPEC,
 		.matchsize  = sizeof(struct xt_conntrack_mtinfo1),
+		.match      = conntrack_mt_v1,
+		.checkentry = conntrack_mt_check_v1,
+		.destroy    = conntrack_mt_destroy_v1,
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "conntrack",
+		.revision   = 2,
+		.family     = NFPROTO_UNSPEC,
+		.matchsize  = sizeof(struct xt_conntrack_mtinfo2),
 		.match      = conntrack_mt,
 		.checkentry = conntrack_mt_check,
 		.destroy    = conntrack_mt_destroy,


* [PATCH] MAINTAINERS: Add NETFILTER git
  2009-06-29 14:20 netfilter 00/04: netfilter fixes Patrick McHardy
                   ` (3 preceding siblings ...)
  2009-06-29 14:20 ` netfilter 04/04: xtables: conntrack match revision 2 Patrick McHardy
@ 2009-06-29 15:59 ` Joe Perches
  2009-07-01  9:32   ` Patrick McHardy
  2009-06-30  2:23 ` netfilter 00/04: netfilter fixes David Miller
  5 siblings, 1 reply; 17+ messages in thread
From: Joe Perches @ 2009-06-29 15:59 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: davem, netdev, netfilter-devel

On Mon, 2009-06-29 at 16:20 +0200, Patrick McHardy wrote:
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Do you think this should be added to MAINTAINERS?

Signed-off-by: Joe Perches <joe@perches.com>

diff --git a/MAINTAINERS b/MAINTAINERS
index fa2a16d..a5042de 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4044,6 +4044,7 @@ L:	netfilter@vger.kernel.org
 L:	coreteam@netfilter.org
 W:	http://www.netfilter.org/
 W:	http://www.iptables.org/
+T:	git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
 S:	Supported
 F:	include/linux/netfilter*
 F:	include/linux/netfilter/




* Re: netfilter 00/04: netfilter fixes
  2009-06-29 14:20 netfilter 00/04: netfilter fixes Patrick McHardy
                   ` (4 preceding siblings ...)
  2009-06-29 15:59 ` [PATCH] MAINTAINERS: Add NETFILTER git Joe Perches
@ 2009-06-30  2:23 ` David Miller
  5 siblings, 0 replies; 17+ messages in thread
From: David Miller @ 2009-06-30  2:23 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 29 Jun 2009 16:20:13 +0200 (MEST)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
> 
> Thanks!

Pulled, thanks a lot Patrick!


* Re: [PATCH] MAINTAINERS: Add NETFILTER git
  2009-06-29 15:59 ` [PATCH] MAINTAINERS: Add NETFILTER git Joe Perches
@ 2009-07-01  9:32   ` Patrick McHardy
  0 siblings, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-07-01  9:32 UTC (permalink / raw)
  To: Joe Perches; +Cc: davem, netdev, netfilter-devel

Joe Perches wrote:
> On Mon, 2009-06-29 at 16:20 +0200, Patrick McHardy wrote:
>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
> 
> Do you think this should be added to MAINTAINERS?

Applied, thanks.


* netfilter 00/04: netfilter fixes
@ 2010-01-08 16:42 Patrick McHardy
  2010-01-08 21:17 ` David Miller
  0 siblings, 1 reply; 17+ messages in thread
From: Patrick McHardy @ 2010-01-08 16:42 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel

Hi Dave,

the following patches fix a couple of bugs in netfilter and IPVS:

- use lib/gcd in IPVS

- add missing boundary checks for IPVS ioctl arguments, from Arjan

- fix an out-of-bounds read in FTP conntrack, from myself

- add missing CAP_NET_ADMIN check to ebtables, from Florian Westphal.
  ebtables userspace uses IP RAW sockets to address ebtables, which
  enforce CAP_NET_RAW. Any other IP socket type allows unprivileged
  access to the ebtables ruleset.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 net/bridge/netfilter/ebtables.c  |    6 ++++++
 net/netfilter/ipvs/Kconfig       |    3 ++-
 net/netfilter/ipvs/ip_vs_ctl.c   |   14 +++++++++++++-
 net/netfilter/ipvs/ip_vs_wrr.c   |   15 +--------------
 net/netfilter/nf_conntrack_ftp.c |   18 +++++++++---------
 5 files changed, 31 insertions(+), 25 deletions(-)

Arjan van de Ven (1):
      ipvs: Add boundary check on ioctl arguments

Florian Fainelli (1):
      ipvs: ip_vs_wrr.c: use lib/gcd.c

Florian Westphal (1):
      netfilter: ebtables: enforce CAP_NET_ADMIN

Patrick McHardy (1):
      netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()


* Re: netfilter 00/04: netfilter fixes
  2010-01-08 16:42 Patrick McHardy
@ 2010-01-08 21:17 ` David Miller
  0 siblings, 0 replies; 17+ messages in thread
From: David Miller @ 2010-01-08 21:17 UTC (permalink / raw)
  To: kaber; +Cc: netdev, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Fri,  8 Jan 2010 17:42:07 +0100 (MET)

> the following patches fix a couple of bugs in netfilter and IPVS:
> 
> - use lib/gcd in IPVS
> 
> - add missing boundary checks for IPVS ioctl arguments, from Arjan
> 
> - fix an out-of-bounds read in FTP conntrack, from myself
> 
> - add missing CAP_NET_ADMIN check to ebtables, from Florian Westphal.
>   ebtables userspace uses IP RAW sockets to address ebtables, which
>   enforce CAP_NET_RAW. Any other IP socket type allows unprivileged
>   access to the ebtables ruleset.
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks Patrick.

