[PATCH 0/5] Netfilter updates for net-next

[PATCH 0/5] Netfilter updates for net-next

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following patchset contains four Netfilter updates, mostly targeting
to fix issues added with IPv6 NAT, and one little IPVS update for net-next:

* Remove unneeded conditional free of skb in nfnetlink_queue, from
  Wei Yongjun.

* One semantic path from coccinelle detected the use of list_del +
  INIT_LIST_HEAD, instead of list_del_init, again from Wei Yongjun.

* Fix out-of-bound memory access in the NAT address selection, from
  Florian Westphal. This was introduced with the IPv6 NAT patches.

* Two fixes for crashes that were introduced in the recently merged
  IPv6 NAT support, from myself.

You can pull these changes from:

git://1984.lsi.us.es/nf-next master

Thanks!

Florian Westphal (1):
  netfilter: nf_nat: fix out-of-bounds access in address selection

Pablo Neira Ayuso (2):
  netfilter: fix crash during boot if NAT has been compiled built-in
  netfilter: ctnetlink: fix module auto-load in ctnetlink_parse_nat

Wei Yongjun (2):
  netfilter: nfnetlink_queue: remove pointless conditional before kfree_skb()
  ipvs: use list_del_init instead of list_del/INIT_LIST_HEAD

 net/netfilter/Makefile               |    2 +-
 net/netfilter/ipvs/ip_vs_ctl.c       |    3 +--
 net/netfilter/nf_conntrack_netlink.c |    3 ---
 net/netfilter/nf_nat_core.c          |    2 +-
 net/netfilter/nfnetlink_queue_core.c |    3 +--
 5 files changed, 4 insertions(+), 9 deletions(-)

-- 
1.7.10.4

[PATCH 1/5] netfilter: fix crash during boot if NAT has been compiled built-in

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

(c7232c9 netfilter: add protocol independent NAT core) introduced a
problem that leads to crashing during boot due to NULL pointer
dereference. It seems that xt_nat calls xt_register_target() before
xt_init():

net/netfilter/x_tables.c:static struct xt_af *xt; is NULL and we crash on
xt_register_target(struct xt_target *target)
{
        u_int8_t af = target->family;
        int ret;

        ret = mutex_lock_interruptible(&xt[af].mutex);
...

Fix this by changing the linking order, to make sure that x_tables
comes before xt_nat.

Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/Makefile |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 98244d4..0baa3f1 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -47,7 +47,6 @@ nf_nat-y	:= nf_nat_core.o nf_nat_proto_unknown.o nf_nat_proto_common.o \
 		   nf_nat_proto_udp.o nf_nat_proto_tcp.o nf_nat_helper.o
 
 obj-$(CONFIG_NF_NAT) += nf_nat.o
-obj-$(CONFIG_NF_NAT) += xt_nat.o
 
 # NAT protocols (nf_nat)
 obj-$(CONFIG_NF_NAT_PROTO_DCCP) += nf_nat_proto_dccp.o
@@ -71,6 +70,7 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
 obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
 obj-$(CONFIG_NETFILTER_XT_SET) += xt_set.o
+obj-$(CONFIG_NF_NAT) += xt_nat.o
 
 # targets
 obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o
-- 
1.7.10.4

[PATCH 2/5] netfilter: nf_nat: fix out-of-bounds access in address selection

[pablo]

From: Florian Westphal <fw@strlen.de>

include/linux/jhash.h:138:16: warning: array subscript is above array bounds
[jhash2() expects the number of u32 in the key]

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_nat_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 29d4452..1816ad3 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -255,7 +255,7 @@ find_best_ips_proto(u16 zone, struct nf_conntrack_tuple *tuple,
 	 * client coming from the same IP (some Internet Banking sites
 	 * like this), even across reboots.
 	 */
-	j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3),
+	j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32),
 		   range->flags & NF_NAT_RANGE_PERSISTENT ?
 			0 : (__force u32)tuple->dst.u3.all[max] ^ zone);
 
-- 
1.7.10.4

[PATCH 3/5] netfilter: nfnetlink_queue: remove pointless conditional before kfree_skb()

[pablo]

From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>

Remove pointless conditional before kfree_skb().

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink_queue_core.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index c0496a5..5c2d78d 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -406,8 +406,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 	return skb;
 
 nla_put_failure:
-	if (skb)
-		kfree_skb(skb);
+	kfree_skb(skb);
 	net_err_ratelimited("nf_queue: error creating packet message\n");
 	return NULL;
 }
-- 
1.7.10.4

[PATCH 4/5] ipvs: use list_del_init instead of list_del/INIT_LIST_HEAD

[pablo]

From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>

Using list_del_init() instead of list_del() + INIT_LIST_HEAD().

spatch with a semantic match is used to found this problem.
(http://coccinelle.lip6.fr/)

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipvs/ip_vs_ctl.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 767cc12..37b38d0 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -539,8 +539,7 @@ static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
 	 * Remove it from the rs_table table.
 	 */
 	if (!list_empty(&dest->d_list)) {
-		list_del(&dest->d_list);
-		INIT_LIST_HEAD(&dest->d_list);
+		list_del_init(&dest->d_list);
 	}
 
 	return 1;
-- 
1.7.10.4

[PATCH 5/5] netfilter: ctnetlink: fix module auto-load in ctnetlink_parse_nat

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

(c7232c9 netfilter: add protocol independent NAT core) added
incorrect locking for the module auto-load case in ctnetlink_parse_nat.

That function is always called from ctnetlink_create_conntrack which
requires no locking.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c |    3 ---
 1 file changed, 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index a205bd6..090d267 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1120,16 +1120,13 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct,
 	if (err == -EAGAIN) {
 #ifdef CONFIG_MODULES
 		rcu_read_unlock();
-		spin_unlock_bh(&nf_conntrack_lock);
 		nfnl_unlock();
 		if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
 			nfnl_lock();
-			spin_lock_bh(&nf_conntrack_lock);
 			rcu_read_lock();
 			return -EOPNOTSUPP;
 		}
 		nfnl_lock();
-		spin_lock_bh(&nf_conntrack_lock);
 		rcu_read_lock();
 #else
 		err = -EOPNOTSUPP;
-- 
1.7.10.4

Re: [PATCH 0/5] Netfilter updates for net-next

[David Miller]

From: pablo@netfilter.org
Date: Thu, 13 Sep 2012 13:01:27 +0200

> The following patchset contains four Netfilter updates, mostly targeting
> to fix issues added with IPv6 NAT, and one little IPVS update for net-next:
> 
> * Remove unneeded conditional free of skb in nfnetlink_queue, from
>   Wei Yongjun.
> 
> * One semantic path from coccinelle detected the use of list_del +
>   INIT_LIST_HEAD, instead of list_del_init, again from Wei Yongjun.
> 
> * Fix out-of-bound memory access in the NAT address selection, from
>   Florian Westphal. This was introduced with the IPv6 NAT patches.
> 
> * Two fixes for crashes that were introduced in the recently merged
>   IPv6 NAT support, from myself.
> 
> You can pull these changes from:
> 
> git://1984.lsi.us.es/nf-next master

Also pulled, thanks a lot.

[PATCH 0/5] Netfilter updates for net-next

[Pablo Neira Ayuso]

Hi David,

The following patchset contains a small batch of Netfilter
updates for your net-next tree, they are:

* Three patches that provide more accurate error reporting to
  user-space, instead of -EPERM, in IPv4/IPv6 netfilter re-routing
  code and NAT, from Patrick McHardy.

* Update copyright statements in Netfilter filters of
  Patrick McHardy, from himself.

* Add Kconfig dependency on the raw/mangle tables to the
  rpfilter, from Florian Westphal.

The following changes since commit 6b0ee8c036ecb3ac92e18e6ca0dca7bff88beaf0:

  scm: Stop passing struct cred (2013-04-07 18:58:55 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to d37d696804a83479f240b397670a07ccb53a7417:

  netfilter: xt_rpfilter: depend on raw or mangle table (2013-04-19 00:22:55 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: xt_rpfilter: depend on raw or mangle table

Patrick McHardy (4):
      netfilter: ipv4: propagate routing errors from ip_route_me_harder()
      netfilter: ipv6: propagate routing errors from ip6_route_me_harder()
      netfilter: nat: propagate errors from xfrm_me_harder()
      netfilter: add my copyright statements

 net/ipv4/netfilter.c                               |   15 ++++++++-----
 net/ipv4/netfilter/Kconfig                         |    2 +-
 net/ipv4/netfilter/arp_tables.c                    |    1 +
 net/ipv4/netfilter/ip_tables.c                     |    1 +
 net/ipv4/netfilter/ipt_ULOG.c                      |    1 +
 net/ipv4/netfilter/iptable_mangle.c                |    9 +++++---
 net/ipv4/netfilter/iptable_nat.c                   |   23 +++++++++++++-------
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |    1 +
 .../netfilter/nf_conntrack_l3proto_ipv4_compat.c   |    1 +
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c       |    1 +
 net/ipv4/netfilter/nf_nat_h323.c                   |    1 +
 net/ipv4/netfilter/nf_nat_pptp.c                   |    2 ++
 net/ipv4/netfilter/nf_nat_proto_gre.c              |    2 ++
 net/ipv4/netfilter/nf_nat_snmp_basic.c             |    2 ++
 net/ipv6/netfilter.c                               |   12 +++++++---
 net/ipv6/netfilter/Kconfig                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |    1 +
 net/ipv6/netfilter/ip6t_REJECT.c                   |    2 ++
 net/ipv6/netfilter/ip6table_mangle.c               |    9 +++++---
 net/ipv6/netfilter/ip6table_nat.c                  |   23 +++++++++++++-------
 net/netfilter/core.c                               |    1 +
 net/netfilter/nf_conntrack_amanda.c                |    1 +
 net/netfilter/nf_conntrack_core.c                  |    1 +
 net/netfilter/nf_conntrack_ecache.c                |    8 ++++---
 net/netfilter/nf_conntrack_expect.c                |    1 +
 net/netfilter/nf_conntrack_ftp.c                   |    1 +
 net/netfilter/nf_conntrack_h323_main.c             |    1 +
 net/netfilter/nf_conntrack_helper.c                |    1 +
 net/netfilter/nf_conntrack_irc.c                   |    1 +
 net/netfilter/nf_conntrack_pptp.c                  |    2 ++
 net/netfilter/nf_conntrack_proto.c                 |    1 +
 net/netfilter/nf_conntrack_proto_gre.c             |    1 +
 net/netfilter/nf_conntrack_proto_sctp.c            |    3 +++
 net/netfilter/nf_conntrack_proto_tcp.c             |    2 ++
 net/netfilter/nf_conntrack_proto_udp.c             |    1 +
 net/netfilter/nf_conntrack_standalone.c            |    1 +
 net/netfilter/nf_conntrack_tftp.c                  |    2 +-
 net/netfilter/nf_nat_amanda.c                      |    1 +
 net/netfilter/nf_nat_core.c                        |    9 ++++----
 net/netfilter/nf_nat_helper.c                      |    1 +
 net/netfilter/nf_queue.c                           |    5 +++++
 net/netfilter/nfnetlink_log.c                      |    1 +
 net/netfilter/x_tables.c                           |    1 +
 net/netfilter/xt_TCPMSS.c                          |    1 +
 net/netfilter/xt_conntrack.c                       |    1 +
 net/netfilter/xt_hashlimit.c                       |    1 +
 net/netfilter/xt_limit.c                           |    1 +
 47 files changed, 122 insertions(+), 40 deletions(-)

Re: [PATCH 0/5] Netfilter updates for net-next

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 19 Apr 2013 03:23:52 +0200

> The following patchset contains a small batch of Netfilter
> updates for your net-next tree, they are:
> 
> * Three patches that provide more accurate error reporting to
>   user-space, instead of -EPERM, in IPv4/IPv6 netfilter re-routing
>   code and NAT, from Patrick McHardy.
> 
> * Update copyright statements in Netfilter filters of
>   Patrick McHardy, from himself.
> 
> * Add Kconfig dependency on the raw/mangle tables to the
>   rpfilter, from Florian Westphal.
 ...
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

Pulled, thanks Pablo.

[PATCH 0/5] Netfilter updates for net-next

[Pablo Neira Ayuso]

Hi David,

A small batch with accumulated updates in nf-next, mostly IPVS updates,
they are:

1) Add 64-bits stats counters to IPVS, from Julian Anastasov.

2) Move NETFILTER_XT_MATCH_ADDRTYPE out of NETFILTER_ADVANCED as docker
seem to require this, from Anton Blanchard.

3) Use boolean instead of numeric value in set_match_v*(), from
coccinelle via Fengguang Wu.

4) Allows rescheduling of new connections in IPVS when port reuse is
detected, from Marcelo Ricardo Leitner.

5) Add missing bits to support arptables extensions from nft_compat,
from Arturo Borrero.

Patrick is preparing a large batch to enhance the set infrastructure,
named expressions among other things, that should follow up soon after
this batch.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!

----------------------------------------------------------------

The following changes since commit 4c1017aa80c95a74703139bb95c4ce0d130efe4d:

  netfilter: nft_lookup: add missing attribute validation for NFTA_LOOKUP_SET_ID (2015-01-30 19:08:20 +0100)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to 5f15893943bfdc804e8703c5aa2c8dd8bf7ddf3f:

  netfilter: nft_compat: add support for arptables extensions (2015-03-02 12:28:13 +0100)

----------------------------------------------------------------
Anton Blanchard (1):
      netfilter: Don't hide NETFILTER_XT_MATCH_ADDRTYPE behind NETFILTER_ADVANCED

Arturo Borrero (1):
      netfilter: nft_compat: add support for arptables extensions

Julian Anastasov (1):
      ipvs: use 64-bit rates in stats

Marcelo Ricardo Leitner (1):
      ipvs: allow rescheduling of new connections when port reuse is detected

Wu Fengguang (1):
      netfilter: ipset: fix boolreturn.cocci warnings

 Documentation/networking/ipvs-sysctl.txt |   21 ++++
 include/net/ip_vs.h                      |   61 +++++++---
 include/uapi/linux/ip_vs.h               |    7 +-
 net/netfilter/Kconfig                    |    2 +-
 net/netfilter/ipvs/ip_vs_core.c          |   69 +++++++----
 net/netfilter/ipvs/ip_vs_ctl.c           |  182 ++++++++++++++++++++----------
 net/netfilter/ipvs/ip_vs_est.c           |  102 ++++++++---------
 net/netfilter/ipvs/ip_vs_sync.c          |   21 +++-
 net/netfilter/nft_compat.c               |    9 ++
 net/netfilter/xt_set.c                   |    4 +-
 10 files changed, 326 insertions(+), 152 deletions(-)

Re: [PATCH 0/5] Netfilter updates for net-next

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon,  2 Mar 2015 12:43:42 +0100

> A small batch with accumulated updates in nf-next, mostly IPVS updates,
> they are:
> 
> 1) Add 64-bits stats counters to IPVS, from Julian Anastasov.
> 
> 2) Move NETFILTER_XT_MATCH_ADDRTYPE out of NETFILTER_ADVANCED as docker
> seem to require this, from Anton Blanchard.
> 
> 3) Use boolean instead of numeric value in set_match_v*(), from
> coccinelle via Fengguang Wu.
> 
> 4) Allows rescheduling of new connections in IPVS when port reuse is
> detected, from Marcelo Ricardo Leitner.
> 
> 5) Add missing bits to support arptables extensions from nft_compat,
> from Arturo Borrero.
> 
> Patrick is preparing a large batch to enhance the set infrastructure,
> named expressions among other things, that should follow up soon after
> this batch.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Pulled, thanks a lot Pablo.