netfilter 00/03: netfilter fixes

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are three fixes for netfilter:

- fix for NAT RCU races related to ct_extend
- fix for a memory leak in a H.323 module init error path
- fix for a crash when unloading the H.323 module while H.245 expectation
  or connections are active

Please apply, thanks.


 include/net/netfilter/nf_conntrack_extend.h |    1 +
 net/ipv4/netfilter/nf_nat_core.c            |    3 +--
 net/netfilter/nf_conntrack_extend.c         |    9 ++++++++-
 net/netfilter/nf_conntrack_h323_main.c      |   22 +++++++++++++++-------
 4 files changed, 25 insertions(+), 10 deletions(-)

Patrick McHardy (3):
      netfilter: nf_nat: fix RCU races
      netfilter: nf_conntrack_h323: fix memory leak in module initialization error path
      netfilter: nf_conntrack_h323: fix module unload crash

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 17 Jun 2008 16:03:51 +0200 (MEST)

> following are three fixes for netfilter:
> 
> - fix for NAT RCU races related to ct_extend
> - fix for a memory leak in a H.323 module init error path
> - fix for a crash when unloading the H.323 module while H.245 expectation
>   or connections are active
> 
> Please apply, thanks.

Applied to net-2.6, and I'll push back out to kernel.org after some
build sanity checks.

Thanks!

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are some netfilter fixes for 2.6.28, containing:

- restauration of a lost #ifdef to fix user-triggerable WARN_ONs in the
  NAT code. Also queued for -stable.

- restauration of ebtables dependencies that got lost during a Kconfig
  restructuring

- a slightly more involved patch from Pablo to remove the bogus NAT module
  dependencies from ctnetlink. It could be argued whether this qualifies as
  a real bugfix since its mainly a "it shouldn't be like this" thing and
  everything works properly, in my opinion it does though because of all
  the side effects that even just loading the NAT module causes. A somewhat
  fitting analogy would be an IPv6 module dependency in, lets say, TCP :)

Please apply, thanks.


 include/linux/netfilter/nfnetlink.h  |    3 +
 include/net/netfilter/nf_nat_core.h  |    8 ++
 net/bridge/netfilter/Kconfig         |    1 +
 net/ipv4/netfilter/nf_defrag_ipv4.c  |    3 +-
 net/ipv4/netfilter/nf_nat_core.c     |   97 ++++++++++++++++++++++
 net/netfilter/nf_conntrack_core.c    |    7 ++
 net/netfilter/nf_conntrack_netlink.c |  151 ++++++++++++++--------------------
 net/netfilter/nfnetlink.c            |   12 ++-
 8 files changed, 188 insertions(+), 94 deletions(-)

Pablo Neira Ayuso (1):
      netfilter: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat

Patrick McHardy (2):
      netfilter: restore lost #ifdef guarding defrag exception
      netfilter: fix ebtables dependencies

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following three patches for 2.6.28 fix a couple of netfilter issues:

- a conntrack creation race in ctnetlink that can cause NULL pointer
  dereferences in ctnetlink and duplicate conntrack entries.

- a missing const qualifier that got lost during the encapsulation of
  iptables target parameters

- a crash with bridge netfilter and GRE caused by a missing update_pmtu()
  function for the fake dst_entry.

Please apply, thanks.


 include/linux/netfilter/x_tables.h   |    2 +-
 net/bridge/br_netfilter.c            |   13 +++++++++++++
 net/netfilter/nf_conntrack_core.c    |    2 --
 net/netfilter/nf_conntrack_netlink.c |    5 +++--
 4 files changed, 17 insertions(+), 5 deletions(-)

Herbert Xu (1):
      bridge: netfilter: fix update_pmtu crash with GRE

Jan Engelhardt (1):
      netfilter: xtables: add missing const qualifier to xt_tgchk_param

Patrick McHardy (1):
      netfilter: ctnetlink: fix conntrack creation race

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following patches fix three netfilter bugs:

- an incorrect dependency for the new LED target, added by myself to fix
  the compilation problem reported one or two weeks ago

- a fix for the ip6_tables "lock free counters" regression caused by a
  missing return statement

- a fix for a regression in .29, causing conntrack expectation refresh to
  create a new expectation instead of refreshing the existing one.

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Please note that the git tree will bring in a merge commit of Linus'
tree from 2 days ago.

Thanks!


 include/net/netfilter/nf_conntrack_expect.h |    5 +++-
 net/ipv6/netfilter/ip6_tables.c             |    2 +
 net/netfilter/Kconfig                       |    2 +-
 net/netfilter/nf_conntrack_expect.c         |   30 +++++---------------------
 4 files changed, 13 insertions(+), 26 deletions(-)

Alex Riesen (1):
      netfilter: fix selection of "LED" target in netfilter

Eric Dumazet (1):
      netfilter: ip6tables regression fix

Pablo Neira Ayuso (1):
      netfilter: ctnetlink: fix regression in expectation handling

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Wed,  8 Apr 2009 18:52:16 +0200 (MEST)

> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks Patrick.

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

the following three patches fix two netfilter bugs introduced during the merge
window and re-add support for a feature that accidentally got dropped with the
SAME target removal:

- a missing list initialization of the nf_log logger lists

- a missing conversion to use the hlist_nulls list function in connection tracking
  helper unregistration

- support for persistent multi-range NAT mappings

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Thanks!


 include/net/netfilter/nf_nat.h      |    1 +
 net/ipv4/netfilter/nf_nat_core.c    |    3 ++-
 net/netfilter/nf_conntrack_helper.c |    2 +-
 net/netfilter/nf_log.c              |    4 ++++
 4 files changed, 8 insertions(+), 2 deletions(-)

Eric Dumazet (1):
      netfilter: nf_log regression fix

Patrick McHardy (2):
      netfilter: nf_conntrack: fix crash when unloading helpers
      netfilter: nf_nat: add support for persistent mappings

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Apr 2009 19:16:22 +0200 (MEST)

> the following three patches fix two netfilter bugs introduced during the merge
> window and re-add support for a feature that accidentally got dropped with the
> SAME target removal:
> 
> - a missing list initialization of the nf_log logger lists
> 
> - a missing conversion to use the hlist_nulls list function in connection tracking
>   helper unregistration
> 
> - support for persistent multi-range NAT mappings
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git

Pulled, thanks a lot!

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are two netfilter fixes for 2.6.31 and a MAINTAINERS update:

- a fix for the nf_conntrack_alloc() race from Eric
- a fix for incorrect invocation of nf_log_packet() in the new osf match
- a patch to add my netfilter git tree to MAINTAINERS

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Thanks!


 Documentation/RCU/rculist_nulls.txt |    7 ++++++-
 MAINTAINERS                         |    1 +
 net/netfilter/nf_conntrack_core.c   |   21 ++++++++++++++++++---
 net/netfilter/xt_osf.c              |    5 +++--
 4 files changed, 28 insertions(+), 6 deletions(-)

Eric Dumazet (1):
      netfilter: nf_conntrack: nf_conntrack_alloc() fixes

Joe Perches (1):
      netfilter: add netfilter git to MAINTAINERS

Patrick McHardy (1):
      netfilter: xt_osf: fix nf_log_packet() arguments

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 16 Jul 2009 14:26:44 +0200 (MEST)

> following are two netfilter fixes for 2.6.31 and a MAINTAINERS update:
> 
> - a fix for the nf_conntrack_alloc() race from Eric
> - a fix for incorrect invocation of nf_log_packet() in the new osf match
> - a patch to add my netfilter git tree to MAINTAINERS
> 
> Please apply or pull from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master

Pulled, thanks a lot Patrick!

netfilter 00/03: netfilter fixes

[Patrick McHardy]

Hi Dave,

following are three netfilter fixes for net-next, fixing:

- the NAT issue reported by Stephen, which was caused by inverted logic
  in NF_HOOK_COND(), causing it to skip the POST_ROUTING hook invocation

- an assertion in ct_extend, caused by invalid ordering in ctnetlink
  when setting up new conntracks. Additionally it is invalid to
  attach helpers to existing conntracks, which is disabled by this
  patch.

- an skb leak in nf_queue when userspace returns NF_STOLEN as verdict

Please apply or pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master

Thanks!


 include/linux/netfilter.h            |    5 +++--
 net/netfilter/nf_conntrack_netlink.c |   22 +++++++++++-----------
 net/netfilter/nf_queue.c             |    2 +-
 3 files changed, 15 insertions(+), 14 deletions(-)

Eric Dumazet (1):
      netfilter: nf_queue: fix NF_STOLEN skb leak

Pablo Neira Ayuso (1):
      netfilter: ctnetlink: fix creation of conntrack with helpers

Patrick McHardy (1):
      netfilter: restore POST_ROUTING hook in NF_HOOK_COND

netfilter 01/03: restore POST_ROUTING hook in NF_HOOK_COND

[Patrick McHardy]

commit 4bac6b180771f7ef5275b1a6d88e630ca3a3d6f0
Author: Patrick McHardy <kaber@trash.net>
Date:   Fri Feb 19 08:03:28 2010 +0100

    netfilter: restore POST_ROUTING hook in NF_HOOK_COND
    
    Commit 2249065 ("netfilter: get rid of the grossness in netfilter.h")
    inverted the logic for conditional hook invocation, breaking the
    POST_ROUTING hook invoked by ip_output().
    
    Correct the logic and remove an unnecessary initialization.
    
    Reported-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 7007945..89341c3 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -212,8 +212,9 @@ NF_HOOK_COND(uint8_t pf, unsigned int hook, struct sk_buff *skb,
 	     struct net_device *in, struct net_device *out,
 	     int (*okfn)(struct sk_buff *), bool cond)
 {
-	int ret = 1;
-	if (cond ||
+	int ret;
+
+	if (!cond ||
 	    (ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, INT_MIN) == 1))
 		ret = okfn(skb);
 	return ret;

netfilter 02/03: ctnetlink: fix creation of conntrack with helpers

[Patrick McHardy]

commit a88e22adf5aad79b6e2ddd1bf0109c2ba8b46b0e
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Fri Feb 19 14:24:39 2010 +0100

    netfilter: ctnetlink: fix creation of conntrack with helpers
    
    This patch fixes a bug that triggers an assertion if you create
    a conntrack entry with a helper and netfilter debugging is enabled.
    Basically, we hit the assertion because the confirmation flag is
    set before the conntrack extensions are added. To fix this, we
    move the extension addition before the aforementioned flag is
    set.
    
    This patch also removes the possibility of setting a helper for
    existing conntracks. This operation would also trigger the
    assertion since we are not allowed to add new extensions for
    existing conntracks. We know noone that could benefit from
    this operation sanely.
    
    Thanks to Eric Dumazet for initial posting a preliminary patch
    to address this issue.
    
    Reported-by: David Ramblewski <David.Ramblewski@atosorigin.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 8b05f36..2b2af63 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1077,9 +1077,8 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
 		/* need to zero data of old helper */
 		memset(&help->help, 0, sizeof(help->help));
 	} else {
-		help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
-		if (help == NULL)
-			return -ENOMEM;
+		/* we cannot set a helper for an existing conntrack */
+		return -EOPNOTSUPP;
 	}
 
 	rcu_assign_pointer(help->helper, helper);
@@ -1263,7 +1262,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
 	ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
 
 	ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
-	ct->status |= IPS_CONFIRMED;
 
 	rcu_read_lock();
  	if (cda[CTA_HELP]) {
@@ -1314,14 +1312,19 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
 			goto err2;
 	}
 
-	if (cda[CTA_STATUS]) {
-		err = ctnetlink_change_status(ct, cda);
+	if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
+		err = ctnetlink_change_nat(ct, cda);
 		if (err < 0)
 			goto err2;
 	}
 
-	if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
-		err = ctnetlink_change_nat(ct, cda);
+	nf_ct_acct_ext_add(ct, GFP_ATOMIC);
+	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
+	/* we must add conntrack extensions before confirmation. */
+	ct->status |= IPS_CONFIRMED;
+
+	if (cda[CTA_STATUS]) {
+		err = ctnetlink_change_status(ct, cda);
 		if (err < 0)
 			goto err2;
 	}
@@ -1340,9 +1343,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
 			goto err2;
 	}
 
-	nf_ct_acct_ext_add(ct, GFP_ATOMIC);
-	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
-
 #if defined(CONFIG_NF_CONNTRACK_MARK)
 	if (cda[CTA_MARK])
 		ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));

netfilter 03/03: nf_queue: fix NF_STOLEN skb leak

[Patrick McHardy]

commit 64507fdbc29c3a622180378210ecea8659b14e40
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Fri Feb 19 15:28:38 2010 +0100

    netfilter: nf_queue: fix NF_STOLEN skb leak
    
    commit 3bc38712e3a6e059 (handle NF_STOP and unknown verdicts in
    nf_reinject) was a partial fix to packet leaks.
    
    If user asks NF_STOLEN status, we must free the skb as well.
    
    Reported-by: Afi Gjermund <afigjermund@gmail.com>
    Signed-off-by: Eric DUmazet <eric.dumazet@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 3a6fd77..ba095fd 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -265,7 +265,6 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 		local_bh_disable();
 		entry->okfn(skb);
 		local_bh_enable();
-	case NF_STOLEN:
 		break;
 	case NF_QUEUE:
 		if (!__nf_queue(skb, elem, entry->pf, entry->hook,
@@ -273,6 +272,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 				verdict >> NF_VERDICT_BITS))
 			goto next_hook;
 		break;
+	case NF_STOLEN:
 	default:
 		kfree_skb(skb);
 	}

Re: netfilter 00/03: netfilter fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 19 Feb 2010 18:02:06 +0100 (MET)

> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master

Pulled, thanks patrick.

Re: netfilter 03/03: nf_queue: fix NF_STOLEN skb leak

[Ondřej Slanina]

Hi,
I know that this patch were applied a long time ago but unfortunately I 
worked all the time on old 2.6.32 kernel. I am confused, because 
documentation said that returning NF_STOLEN means that netfilter release 
ownership of this skb and my hook/queue function is responsible for 
deallocating of this skb. But from now, It's true only for function 
registered by nf_register_hooks (for example defrag function still uses 
NF_STOLEN verdict when performing packed defragmentation). For function 
registered by nf_register_queue_handler() it's not true, because NF_STOLEN 
wil free skb! It's the same as NF_DROP. I have no chance to get ownership of 
skb after call to nf_reinject. Or I am missed something ?
Best Regards,
Ondrej Slanina


-----Původní zpráva----- 
From: Patrick McHardy
Sent: Friday, February 19, 2010 6:02 PM
To: davem@davemloft.net
Cc: netdev@vger.kernel.org ; Patrick McHardy ; 
netfilter-devel@vger.kernel.org
Subject: netfilter 03/03: nf_queue: fix NF_STOLEN skb leak

commit 64507fdbc29c3a622180378210ecea8659b14e40
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Fri Feb 19 15:28:38 2010 +0100

    netfilter: nf_queue: fix NF_STOLEN skb leak

    commit 3bc38712e3a6e059 (handle NF_STOP and unknown verdicts in
    nf_reinject) was a partial fix to packet leaks.

    If user asks NF_STOLEN status, we must free the skb as well.

    Reported-by: Afi Gjermund <afigjermund@gmail.com>
    Signed-off-by: Eric DUmazet <eric.dumazet@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 3a6fd77..ba095fd 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -265,7 +265,6 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned 
int verdict)
  local_bh_disable();
  entry->okfn(skb);
  local_bh_enable();
- case NF_STOLEN:
  break;
  case NF_QUEUE:
  if (!__nf_queue(skb, elem, entry->pf, entry->hook,
@@ -273,6 +272,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned 
int verdict)
  verdict >> NF_VERDICT_BITS))
  goto next_hook;
  break;
+ case NF_STOLEN:
  default:
  kfree_skb(skb);
  }
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" 
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html