netfilter 00/05: netfilter fixes

netfilter 00/05: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following five patches contain netfilter fixes for 2.6.29:

- a patch from Eric Leblond to fix tuple inversion for IPv6 Node Information
  Requests in IPv6 conntrack

- a patch from Eric Leblond to ignore ICMPv6 negotiation messages in IPv6
  conntrack since it can't track multicast communication. This prevents
  those packets from getting marked as INVALID.

- two ctnetlink fixes from Pablo to fix a small inconsistency in conntrack
  creation wrt. NAT sequence number adjustment settings and to fix netlink
  unicast delivery of responses messages.

- a patch from Qu Haoran to fix the SCTP match when matching on the entire
  chunkmap.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |   25 ++++++++++++++++++++++-
 net/netfilter/nf_conntrack_netlink.c           |   15 ++++++++++++-
 net/netfilter/xt_sctp.c                        |    2 +-
 3 files changed, 37 insertions(+), 5 deletions(-)

Eric Leblond (2):
      netfilter: fix tuple inversion for Node information request
      netfilter: nf_conntrack_ipv6: don't track ICMPv6 negotiation message

Pablo Neira Ayuso (2):
      netfilter: ctnetlink: allow changing NAT sequence adjustment in creation
      netfilter: ctnetlink: fix echo if not subscribed to any	multicast group

Qu Haoran (1):
      netfilter: xt_sctp: sctp chunk mapping doesn't work

Re: netfilter 00/05: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon,  9 Feb 2009 17:39:27 +0100 (MET)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

I was going to pull from your tree and take it like that, but when I
pulled I got 5 real changes and 50 merges with net-2.6, yikes! :-)

If there was one or two merge changesets in there, I would have
taken it.  But anything more than that for a tree containing
5 bug fixes is excessive.

I'll apply these as patches, but I really do want to be able to
pull from your trees so please try to provide a cleaner tree
next time.

Thanks!

Re: netfilter 00/05: netfilter fixes

[Patrick McHardy]

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Mon,  9 Feb 2009 17:39:27 +0100 (MET)
> 
>> Please apply or pull from:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
> 
> I was going to pull from your tree and take it like that, but when I
> pulled I got 5 real changes and 50 merges with net-2.6, yikes! :-)

Ugh sorry, thats happening automatically, but it usually doesn't show
up since it should be fast forwards. I'll have a look at what went
wrong.

> If there was one or two merge changesets in there, I would have
> taken it.  But anything more than that for a tree containing
> 5 bug fixes is excessive.
> 
> I'll apply these as patches, but I really do want to be able to
> pull from your trees so please try to provide a cleaner tree
> next time.

I'll make sure of it, sorry.

Re: netfilter 00/05: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 09 Feb 2009 23:47:07 +0100

> David Miller wrote:
> > From: Patrick McHardy <kaber@trash.net>
> > Date: Mon,  9 Feb 2009 17:39:27 +0100 (MET)
> > 
> >> Please apply or pull from:
> >>
> >> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
> > I was going to pull from your tree and take it like that, but when I
> > pulled I got 5 real changes and 50 merges with net-2.6, yikes! :-)
> 
> Ugh sorry, thats happening automatically, but it usually doesn't show
> up since it should be fast forwards. I'll have a look at what went
> wrong.

I think you got a change into your tree locally, this went via net-2.6
and thereafterwards it started using merges.  But that's just a guess.

> > If there was one or two merge changesets in there, I would have
> > taken it.  But anything more than that for a tree containing
> > 5 bug fixes is excessive.
> > I'll apply these as patches, but I really do want to be able to
> > pull from your trees so please try to provide a cleaner tree
> > next time.
> 
> I'll make sure of it, sorry.

Want some suggestions for work flow? :-)

1) For net-2.6 just clone Linus's tree, pull net-2.6 once as it is
   right now, then leave it alone.

   Periodically sync your origin (which is Linus's tree) via
   "git fetch origin".  This just grabs the objects.

   Then you can just go "git request-pull origin $(GIT_URL)" and
   it'll just work.

   Since the likelyhood for conflicts in the net-2.6 tree with
   your netfilter work is incredibly unlikely, doing a merge
   should never be necessary.  But if it is just go
   "git pull origin".

2) For net-next-2.6 use net-next-2.6 as your "origin" (you can change
   this in .git/config), conflicts are more likely so every once in
   a while a "git pull origin" will be necessary.

If that doesn't work out or feel comfortable for you, that's
fine.

Re: netfilter 00/05: netfilter fixes

[Patrick McHardy]

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Mon, 09 Feb 2009 23:47:07 +0100
> 
>> David Miller wrote:
>>> From: Patrick McHardy <kaber@trash.net>
>>> Date: Mon,  9 Feb 2009 17:39:27 +0100 (MET)
>>>
>>>> Please apply or pull from:
>>>>
>>>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
>>> I was going to pull from your tree and take it like that, but when I
>>> pulled I got 5 real changes and 50 merges with net-2.6, yikes! :-)
>> Ugh sorry, thats happening automatically, but it usually doesn't show
>> up since it should be fast forwards. I'll have a look at what went
>> wrong.
> 
> I think you got a change into your tree locally, this went via net-2.6
> and thereafterwards it started using merges.  But that's just a guess.

Yes, probably, although I really never commit to my mirrored trees.
It might have something to do with my disk dying last week and the
restore I did :)

> Want some suggestions for work flow? :-)
> 
> 1) For net-2.6 just clone Linus's tree, pull net-2.6 once as it is
>    right now, then leave it alone.
> 
>    Periodically sync your origin (which is Linus's tree) via
>    "git fetch origin".  This just grabs the objects.
> 
>    Then you can just go "git request-pull origin $(GIT_URL)" and
>    it'll just work.
> 
>    Since the likelyhood for conflicts in the net-2.6 tree with
>    your netfilter work is incredibly unlikely, doing a merge
>    should never be necessary.  But if it is just go
>    "git pull origin".
> 
> 2) For net-next-2.6 use net-next-2.6 as your "origin" (you can change
>    this in .git/config), conflicts are more likely so every once in
>    a while a "git pull origin" will be necessary.
> 
> If that doesn't work out or feel comfortable for you, that's
> fine.

I'll try that, maybe starting with net-2.6 since that tree is
easier to maintain for me. My workflow is quite out of sync
with modern git commands, some of my scripts are still adapted
from bitkeeper times :)

Re: netfilter 00/05: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 10 Feb 2009 00:36:06 +0100

> My workflow is quite out of sync with modern git commands, some of
> my scripts are still adapted from bitkeeper times :)

You poor thing, I should buy you some beer :-)

But to be honest I had a caveman like mentality about
using GIT and it took me a long time to get to the
current way I do things:

1) Dark ages:

	Fresh git clone, add patches, push to Linus.
	Repeat, rebasing every time.

2) Brain enabled:

	Stable git clone, used over and over again.

	After Linus pulls, remember HEAD and use that as
	base for next pull request.

	Pull in Linus's tree occaisionally when conflicts
	might be possible.

3) Full enlightenment:

	Stable git clone, used over and over again.

	Track Linus's tree using "git fetch origin"

	When conflicts are possible "git pull origin"

	All pull requests are sent using "origin" as
	the base.

Re: netfilter 00/05: netfilter fixes

[Patrick McHardy]

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Tue, 10 Feb 2009 00:36:06 +0100
> 
>> My workflow is quite out of sync with modern git commands, some of
>> my scripts are still adapted from bitkeeper times :)
> 
> You poor thing, I should buy you some beer :-)
> 
> But to be honest I had a caveman like mentality about
> using GIT and it took me a long time to get to the
> current way I do things:
> 
> 1) Dark ages:
> 
> 	Fresh git clone, add patches, push to Linus.
> 	Repeat, rebasing every time.
> 
> 2) Brain enabled:
> 
> 	Stable git clone, used over and over again.
> 
> 	After Linus pulls, remember HEAD and use that as
> 	base for next pull request.
> 
> 	Pull in Linus's tree occaisionally when conflicts
> 	might be possible.
> 
> 3) Full enlightenment:
> 
> 	Stable git clone, used over and over again.
> 
> 	Track Linus's tree using "git fetch origin"
> 
> 	When conflicts are possible "git pull origin"
> 
> 	All pull requests are sent using "origin" as
> 	the base.

I'll skip step 2 and will send a perfect pull request soon :)

netfilter 00/05: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following patches fix a couple of netfilter bugs:

- fix for use of unintialized values in the recent match compat proc handling
  from Jan Engelhardt

- Removal of an incorrect TProxy dependency on conntrack from
  Laszlo Attila Toth

- Addition of missing netlink options for the DCCP conntrack protocol,
  from Pablo

- Fix for a conntrack protocol registration regression in 2.6.30-rc from myself

- A fix for bridge-netfilter re-fragmentation of VLAN packets defragmented
  by conntrack from Saikiran Madugula

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/linux/netfilter/nfnetlink_conntrack.h |    1 +
 net/bridge/br_netfilter.c                     |   10 +++++++++-
 net/netfilter/Kconfig                         |    4 ++--
 net/netfilter/nf_conntrack_proto_dccp.c       |   16 +++++++++++++++-
 net/netfilter/nf_conntrack_proto_udplite.c    |    1 +
 net/netfilter/xt_recent.c                     |    9 ++++-----
 6 files changed, 32 insertions(+), 9 deletions(-)

Jan Engelhardt (1):
      netfilter: xt_recent: fix stack overread in compat code

Laszlo Attila Toth (1):
      netfilter: Kconfig: TProxy doesn't depend on NF_CONNTRACK

Pablo Neira Ayuso (1):
      netfilter: nf_ct_dccp: add missing role attributes for DCCP

Patrick McHardy (1):
      netfilter: nf_ct_dccp/udplite: fix protocol registration error

hummerbliss@gmail.com (1):
      netfilter: bridge: allow fragmentation of VLAN packets traversing a bridge

Re: netfilter 00/05: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 24 Apr 2009 17:44:01 +0200 (MEST)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks Patrick.

It would be nice to see this fixed:

  CHECK   include/linux/netfilter (57 files)
/home/davem/src/GIT/net-2.6/usr/include/linux/netfilter/xt_LED.h:6: found __[us]{8,16,32,64} type without #include <linux/types.h>
  LD      vmlinux

Thanks!

Re: netfilter 00/05: netfilter fixes

[Patrick McHardy]

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Fri, 24 Apr 2009 17:44:01 +0200 (MEST)
> 
>> Please apply or pull from:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
> 
> Pulled, thanks Patrick.
> 
> It would be nice to see this fixed:
> 
>   CHECK   include/linux/netfilter (57 files)
> /home/davem/src/GIT/net-2.6/usr/include/linux/netfilter/xt_LED.h:6: found __[us]{8,16,32,64} type without #include <linux/types.h>

Appologies for my silence over the past week, holidays and a swine
cold kept me away from the computer .)

I've queued a fix for this, thanks.

netfilter 00/05: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following patches fix a couple of bugs in netfilter and IPVS:

- a fix for a crash triggered by fragmentes received by bridge netfilter being
  combined with fragments received on non-bridge devices from myself

- a fix for IPVS synchronization on connection close from Xiaotian Feng

- a fix for use of uninitialized fields in IPVS from Simon Horman

- a patch to document the minimal required iptables version from Jan Engelhardt

I'll also push the fragment fix to stable (forgot to add CC before committing)
once it hits mainline.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 Documentation/Changes                          |    2 ++
 include/net/ip.h                               |    1 +
 include/net/ipv6.h                             |    8 ++++++++
 include/net/netfilter/ipv6/nf_conntrack_ipv6.h |    2 +-
 net/ipv4/netfilter/nf_defrag_ipv4.c            |   21 +++++++++++++++++----
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |   19 +++++++++++++++++--
 net/ipv6/netfilter/nf_conntrack_reasm.c        |    7 ++++---
 net/ipv6/reassembly.c                          |    5 ++++-
 net/netfilter/ipvs/ip_vs_core.c                |    1 +
 net/netfilter/ipvs/ip_vs_ctl.c                 |    4 ++++
 10 files changed, 59 insertions(+), 11 deletions(-)

Jan Engelhardt (1):
      netfilter: xtables: document minimal required version

Patrick McHardy (2):
      ipv6: reassembly: use seperate reassembly queues for conntrack and local delivery
      netfilter: fix crashes in bridge netfilter caused by fragment jumps

Simon Horman (1):
      ipvs: zero usvc and udest

Xiaotian Feng (1):
      ipvs: fix synchronization on connection close

netfilter 01/05: xtables: document minimal required version

[Patrick McHardy]

commit 7a92263705435d046d37a0990d0edfcb517f7ad3
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Mon Dec 14 14:52:10 2009 +0100

    netfilter: xtables: document minimal required version
    
    For both .33 and .32-stable.
    
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
    Cc: stable@kernel.org
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/Documentation/Changes b/Documentation/Changes
index 6d0f1ef..f08b313 100644
--- a/Documentation/Changes
+++ b/Documentation/Changes
@@ -49,6 +49,8 @@ o  oprofile               0.9                     # oprofiled --version
 o  udev                   081                     # udevinfo -V
 o  grub                   0.93                    # grub --version
 o  mcelog		  0.6
+o  iptables               1.4.1                   # iptables -V
+
 
 Kernel compilation
 ==================

ipvs 02/05: fix synchronization on connection close

[Patrick McHardy]

commit 9abfe315de96aa5c9878b2f627542bc54901c6e9
Author: Xiaotian Feng <dfeng@redhat.com>
Date:   Mon Dec 14 16:38:21 2009 +0100

    ipvs: fix synchronization on connection close
    
    commit 9d3a0de makes slaves expire as they would do on the master
    with much shorter timeouts. But it introduces another problem:
    When we close a connection, on master server the connection became
    CLOSE_WAIT/TIME_WAIT, it was synced to slaves, but if master is
    finished within it's timeouts (CLOSE), it will not be synced to
    slaves. Then slaves will be kept on CLOSE_WAIT/TIME_WAIT until
    timeout reaches. Thus we should also sync with CLOSE.
    
    Cc: Wensong Zhang <wensong@linux-vs.org>
    Cc: Simon Horman <horms@verge.net.au>
    Cc: Julian Anastasov <ja@ssi.bg>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
    Acked-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index b95699f..847ffca 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1366,6 +1366,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
 	       == sysctl_ip_vs_sync_threshold[0])) ||
 	     ((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&
 	      ((cp->state == IP_VS_TCP_S_FIN_WAIT) ||
+	       (cp->state == IP_VS_TCP_S_CLOSE) ||
 	       (cp->state == IP_VS_TCP_S_CLOSE_WAIT) ||
 	       (cp->state == IP_VS_TCP_S_TIME_WAIT)))))
 		ip_vs_sync_conn(cp);

ipv6 03/05: reassembly: use seperate reassembly queues for conntrack and local delivery

[Patrick McHardy]

commit 0b5ccb2ee250136dd7385b1c7da28417d0d4d32d
Author: Patrick McHardy <kaber@trash.net>
Date:   Tue Dec 15 16:59:18 2009 +0100

    ipv6: reassembly: use seperate reassembly queues for conntrack and local delivery
    
    Currently the same reassembly queue might be used for packets reassembled
    by conntrack in different positions in the stack (PREROUTING/LOCAL_OUT),
    as well as local delivery. This can cause "packet jumps" when the fragment
    completing a reassembled packet is queued from a different position in the
    stack than the previous ones.
    
    Add a "user" identifier to the reassembly queue key to seperate the queues
    of each caller, similar to what we do for IPv4.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 92db861..d691603 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -350,8 +350,15 @@ static inline int ipv6_prefix_equal(const struct in6_addr *a1,
 
 struct inet_frag_queue;
 
+enum ip6_defrag_users {
+	IP6_DEFRAG_LOCAL_DELIVER,
+	IP6_DEFRAG_CONNTRACK_IN,
+	IP6_DEFRAG_CONNTRACK_OUT,
+};
+
 struct ip6_create_arg {
 	__be32 id;
+	u32 user;
 	struct in6_addr *src;
 	struct in6_addr *dst;
 };
diff --git a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
index abc55ad..1ee717e 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_ipv6.h
@@ -9,7 +9,7 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
 
 extern int nf_ct_frag6_init(void);
 extern void nf_ct_frag6_cleanup(void);
-extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb);
+extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user);
 extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
 			       struct net_device *in,
 			       struct net_device *out,
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 5f2ec20..c0a82fe 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -187,6 +187,16 @@ out:
 	return nf_conntrack_confirm(skb);
 }
 
+static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
+						struct sk_buff *skb)
+{
+	if (hooknum == NF_INET_PRE_ROUTING)
+		return IP6_DEFRAG_CONNTRACK_IN;
+	else
+		return IP6_DEFRAG_CONNTRACK_OUT;
+
+}
+
 static unsigned int ipv6_defrag(unsigned int hooknum,
 				struct sk_buff *skb,
 				const struct net_device *in,
@@ -199,8 +209,7 @@ static unsigned int ipv6_defrag(unsigned int hooknum,
 	if (skb->nfct)
 		return NF_ACCEPT;
 
-	reasm = nf_ct_frag6_gather(skb);
-
+	reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb));
 	/* queued */
 	if (reasm == NULL)
 		return NF_STOLEN;
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index e0b9424..312c20a 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -168,13 +168,14 @@ out:
 /* Creation primitives. */
 
 static __inline__ struct nf_ct_frag6_queue *
-fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst)
+fq_find(__be32 id, u32 user, struct in6_addr *src, struct in6_addr *dst)
 {
 	struct inet_frag_queue *q;
 	struct ip6_create_arg arg;
 	unsigned int hash;
 
 	arg.id = id;
+	arg.user = user;
 	arg.src = src;
 	arg.dst = dst;
 
@@ -559,7 +560,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff)
 	return 0;
 }
 
-struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb)
+struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
 {
 	struct sk_buff *clone;
 	struct net_device *dev = skb->dev;
@@ -605,7 +606,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb)
 	if (atomic_read(&nf_init_frags.mem) > nf_init_frags.high_thresh)
 		nf_ct_frag6_evictor();
 
-	fq = fq_find(fhdr->identification, &hdr->saddr, &hdr->daddr);
+	fq = fq_find(fhdr->identification, user, &hdr->saddr, &hdr->daddr);
 	if (fq == NULL) {
 		pr_debug("Can't find and can't create new queue\n");
 		goto ret_orig;
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 4d98549..3b3a956 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -72,6 +72,7 @@ struct frag_queue
 	struct inet_frag_queue	q;
 
 	__be32			id;		/* fragment id		*/
+	u32			user;
 	struct in6_addr		saddr;
 	struct in6_addr		daddr;
 
@@ -141,7 +142,7 @@ int ip6_frag_match(struct inet_frag_queue *q, void *a)
 	struct ip6_create_arg *arg = a;
 
 	fq = container_of(q, struct frag_queue, q);
-	return (fq->id == arg->id &&
+	return (fq->id == arg->id && fq->user == arg->user &&
 			ipv6_addr_equal(&fq->saddr, arg->src) &&
 			ipv6_addr_equal(&fq->daddr, arg->dst));
 }
@@ -163,6 +164,7 @@ void ip6_frag_init(struct inet_frag_queue *q, void *a)
 	struct ip6_create_arg *arg = a;
 
 	fq->id = arg->id;
+	fq->user = arg->user;
 	ipv6_addr_copy(&fq->saddr, arg->src);
 	ipv6_addr_copy(&fq->daddr, arg->dst);
 }
@@ -243,6 +245,7 @@ fq_find(struct net *net, __be32 id, struct in6_addr *src, struct in6_addr *dst,
 	unsigned int hash;
 
 	arg.id = id;
+	arg.user = IP6_DEFRAG_LOCAL_DELIVER;
 	arg.src = src;
 	arg.dst = dst;
 

netfilter 04/05: fix crashes in bridge netfilter caused by fragment jumps

[Patrick McHardy]

commit 8fa9ff6849bb86c59cc2ea9faadf3cb2d5223497
Author: Patrick McHardy <kaber@trash.net>
Date:   Tue Dec 15 16:59:59 2009 +0100

    netfilter: fix crashes in bridge netfilter caused by fragment jumps
    
    When fragments from bridge netfilter are passed to IPv4 or IPv6 conntrack
    and a reassembly queue with the same fragment key already exists from
    reassembling a similar packet received on a different device (f.i. with
    multicasted fragments), the reassembled packet might continue on a different
    codepath than where the head fragment originated. This can cause crashes
    in bridge netfilter when a fragment received on a non-bridge device (and
    thus with skb->nf_bridge == NULL) continues through the bridge netfilter
    code.
    
    Add a new reassembly identifier for packets originating from bridge
    netfilter and use it to put those packets in insolated queues.
    
    Fixes http://bugzilla.kernel.org/show_bug.cgi?id=14805
    
    Reported-and-Tested-by: Chong Qiao <qiaochong@loongson.cn>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/net/ip.h b/include/net/ip.h
index e6b9d12..85108cf 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -337,6 +337,7 @@ enum ip_defrag_users {
 	IP_DEFRAG_CALL_RA_CHAIN,
 	IP_DEFRAG_CONNTRACK_IN,
 	IP_DEFRAG_CONNTRACK_OUT,
+	IP_DEFRAG_CONNTRACK_BRIDGE_IN,
 	IP_DEFRAG_VS_IN,
 	IP_DEFRAG_VS_OUT,
 	IP_DEFRAG_VS_FWD
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index d691603..ccab594 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -354,6 +354,7 @@ enum ip6_defrag_users {
 	IP6_DEFRAG_LOCAL_DELIVER,
 	IP6_DEFRAG_CONNTRACK_IN,
 	IP6_DEFRAG_CONNTRACK_OUT,
+	IP6_DEFRAG_CONNTRACK_BRIDGE_IN,
 };
 
 struct ip6_create_arg {
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index fa2d6b6..331ead3 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -14,6 +14,7 @@
 #include <net/route.h>
 #include <net/ip.h>
 
+#include <linux/netfilter_bridge.h>
 #include <linux/netfilter_ipv4.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
@@ -34,6 +35,20 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
 	return err;
 }
 
+static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
+					      struct sk_buff *skb)
+{
+#ifdef CONFIG_BRIDGE_NETFILTER
+	if (skb->nf_bridge &&
+	    skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
+		return IP_DEFRAG_CONNTRACK_BRIDGE_IN;
+#endif
+	if (hooknum == NF_INET_PRE_ROUTING)
+		return IP_DEFRAG_CONNTRACK_IN;
+	else
+		return IP_DEFRAG_CONNTRACK_OUT;
+}
+
 static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
 					  struct sk_buff *skb,
 					  const struct net_device *in,
@@ -50,10 +65,8 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
 #endif
 	/* Gather fragments. */
 	if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
-		if (nf_ct_ipv4_gather_frags(skb,
-					    hooknum == NF_INET_PRE_ROUTING ?
-					    IP_DEFRAG_CONNTRACK_IN :
-					    IP_DEFRAG_CONNTRACK_OUT))
+		enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);
+		if (nf_ct_ipv4_gather_frags(skb, user))
 			return NF_STOLEN;
 	}
 	return NF_ACCEPT;
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index c0a82fe..0956eba 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -20,6 +20,7 @@
 #include <net/ipv6.h>
 #include <net/inet_frag.h>
 
+#include <linux/netfilter_bridge.h>
 #include <linux/netfilter_ipv6.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_helper.h>
@@ -190,6 +191,11 @@ out:
 static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
 						struct sk_buff *skb)
 {
+#ifdef CONFIG_BRIDGE_NETFILTER
+	if (skb->nf_bridge &&
+	    skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
+		return IP6_DEFRAG_CONNTRACK_BRIDGE_IN;
+#endif
 	if (hooknum == NF_INET_PRE_ROUTING)
 		return IP6_DEFRAG_CONNTRACK_IN;
 	else

ipvs 05/05: zero usvc and udest

[Patrick McHardy]

commit 258c889362aa95d0ab534b38ce8c15d3009705b1
Author: Simon Horman <horms@verge.net.au>
Date:   Tue Dec 15 17:01:25 2009 +0100

    ipvs: zero usvc and udest
    
    Make sure that any otherwise uninitialised fields of usvc are zero.
    
    This has been obvserved to cause a problem whereby the port of
    fwmark services may end up as a non-zero value which causes
    scheduling of a destination server to fail for persisitent services.
    
    As observed by Deon van der Merwe <dvdm@truteq.co.za>.
    This fix suggested by Julian Anastasov <ja@ssi.bg>.
    
    For good measure also zero udest.
    
    Cc: Deon van der Merwe <dvdm@truteq.co.za>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Cc: stable@kernel.org
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index e55a686..6bde12d 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2714,6 +2714,8 @@ static int ip_vs_genl_parse_service(struct ip_vs_service_user_kern *usvc,
 	if (!(nla_af && (nla_fwmark || (nla_port && nla_protocol && nla_addr))))
 		return -EINVAL;
 
+	memset(usvc, 0, sizeof(*usvc));
+
 	usvc->af = nla_get_u16(nla_af);
 #ifdef CONFIG_IP_VS_IPV6
 	if (usvc->af != AF_INET && usvc->af != AF_INET6)
@@ -2901,6 +2903,8 @@ static int ip_vs_genl_parse_dest(struct ip_vs_dest_user_kern *udest,
 	if (!(nla_addr && nla_port))
 		return -EINVAL;
 
+	memset(udest, 0, sizeof(*udest));
+
 	nla_memcpy(&udest->addr, nla_addr, sizeof(udest->addr));
 	udest->port = nla_get_u16(nla_port);
 

Re: netfilter 00/05: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 15 Dec 2009 17:14:27 +0100 (MET)

> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks a lot Patrick.

netfilter 00/05: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are the bugfixes for nf_conntrack discussed over the past
days, as well as a bugfix for the use of pointer to a local variable
outside the scope of the variable:

- a fix for use count initialization of the "untracked" conntrack,
  fixing freeing of memory in the data section

- a patch for per netns conntrack cache pointers to fix issues
  with SLAB_DESTROY_BY_RCU

- a patch to disable conntrack expect hash size modification at runtime

- a patch for xtables to fix out of scope usage of a local variable

- a patch to fix conntrack hash resizing with multiple namespaces by
  moving the hashsize into the per netns data

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Please note: I forgot to add "Cc: stable@kernel.org" to two of these
patches and manually added it to the patch files, so I'd appreciate
if you could apply the patches manually instead of pulling from the
git tree this time.

Thanks!


 include/net/netns/conntrack.h                      |    3 +
 include/net/netns/ipv4.h                           |    1 +
 net/ipv4/netfilter/arp_tables.c                    |    4 +-
 net/ipv4/netfilter/ip_tables.c                     |    4 +-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |    2 +-
 .../netfilter/nf_conntrack_l3proto_ipv4_compat.c   |    4 +-
 net/ipv4/netfilter/nf_nat_core.c                   |   22 ++--
 net/ipv6/netfilter/ip6_tables.c                    |    4 +-
 net/netfilter/nf_conntrack_core.c                  |  116 +++++++++++---------
 net/netfilter/nf_conntrack_expect.c                |    4 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_netlink.c               |    2 +-
 net/netfilter/nf_conntrack_standalone.c            |    7 +-
 13 files changed, 93 insertions(+), 82 deletions(-)

Alexey Dobriyan (2):
      netfilter: nf_conntrack: restrict runtime expect hashsize modifications
      netfilter: xtables: compat out of scope fix

Eric Dumazet (1):
      netfilter: nf_conntrack: per netns nf_conntrack_cachep

Patrick McHardy (2):
      netfilter: nf_conntrack: fix memory corruption with multiple namespaces
      netfilter: nf_conntrack: fix hash resizing with namespaces

Re: netfilter 00/05: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon,  8 Feb 2010 18:10:26 +0100 (MET)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
> 
> Please note: I forgot to add "Cc: stable@kernel.org" to two of these
> patches and manually added it to the patch files, so I'd appreciate
> if you could apply the patches manually instead of pulling from the
> git tree this time.

Ok, I'll apply these by hand.

Thanks Patrick.

Re: netfilter 00/05: netfilter fixes

[Patrick McHardy]

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Mon,  8 Feb 2010 18:10:26 +0100 (MET)
> 
>> Please apply or pull from:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
>>
>> Please note: I forgot to add "Cc: stable@kernel.org" to two of these
>> patches and manually added it to the patch files, so I'd appreciate
>> if you could apply the patches manually instead of pulling from the
>> git tree this time.
> 
> Ok, I'll apply these by hand.

Thanks Dave. I plan to submit a first batch of patches queued for
net-next-2.6 soon, however these fixes introduced a large number
of conflicts. If you could merge net-2.6 into net-next-2.6 I'll
resolve them and send a pull request.

Thanks!

Re: netfilter 00/05: netfilter fixes

[Jan Engelhardt]

On Tuesday 2010-02-09 18:33, Patrick McHardy wrote:

>David Miller wrote:
>> From: Patrick McHardy <kaber@trash.net>
>> Date: Mon,  8 Feb 2010 18:10:26 +0100 (MET)
>> 
>>> Please apply or pull from:
>>>
>>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
>>>
>>> Please note: I forgot to add "Cc: stable@kernel.org" to two of these
>>> patches and manually added it to the patch files, so I'd appreciate
>>> if you could apply the patches manually instead of pulling from the
>>> git tree this time.
>> 
>> Ok, I'll apply these by hand.
>
>Thanks Dave. I plan to submit a first batch of patches queued for
>net-next-2.6 soon, however these fixes introduced a large number
>of conflicts. If you could merge net-2.6 into net-next-2.6 I'll
>resolve them and send a pull request.

Ah that is a good opportunity then to rebase my pending -next patches, 
to reduce conflicts you would have to solve when merging things after 
the conflict resolution.

Re: netfilter 00/05: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 09 Feb 2010 18:33:17 +0100

> If you could merge net-2.6 into net-next-2.6 I'll
> resolve them and send a pull request.

Done.

Re: netfilter 00/05: netfilter fixes

[Patrick McHardy]

Jan Engelhardt wrote:
> On Tuesday 2010-02-09 18:33, Patrick McHardy wrote:
> 
>> Thanks Dave. I plan to submit a first batch of patches queued for
>> net-next-2.6 soon, however these fixes introduced a large number
>> of conflicts. If you could merge net-2.6 into net-next-2.6 I'll
>> resolve them and send a pull request.
> 
> Ah that is a good opportunity then to rebase my pending -next patches, 
> to reduce conflicts you would have to solve when merging things after 
> the conflict resolution.

I've merged the current net-next tree and pushed it out.