[GIT PULL nf 0/2] IPVS Fixes for v3.13

[GIT PULL nf 0/2] IPVS Fixes for v3.13

[Simon Horman]

Hi Pablo,

please consider the following fixes for IPVS for v3.13.
Or alternatively for v3.14.

This pull-request consists of two patches from Jesper Dangaard Brouer to
resolve sequence number problems introduced by 41d73ec053d2 (netfilter:
nf_conntrack: make sequence number adjustments usuable without NAT) in
v3.11-rc7.

I believe they are -stable candidates back to v3.11.


The following changes since commit 443d20fd188208aa4df2118ad49f9168e411016d:

  netfilter: nf_ct_timestamp: Fix BUG_ON after netns deletion (2013-12-20 14:58:29 +0100)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs.git tags/ipvs-fixes-for-v3.13

for you to fetch changes up to b25adce1606427fd88da08f5203714cada7f6a98:

  ipvs: correct usage/allocation of seqadj ext in ipvs (2013-12-27 12:30:02 +0900)

----------------------------------------------------------------
IPVS Fixes for v3.13

Two patches from Jesper Dangaard Brouer to resolve sequence number problems
introduced by 41d73ec053d2 (netfilter: nf_conntrack: make sequence number
adjustments usuable without NAT) in v3.11-rc7.

----------------------------------------------------------------
Jesper Dangaard Brouer (2):
      netfilter: WARN about wrong usage of sequence number adjustments
      ipvs: correct usage/allocation of seqadj ext in ipvs

 net/netfilter/ipvs/ip_vs_nfct.c     | 6 ++++++
 net/netfilter/nf_conntrack_seqadj.c | 5 +++++
 2 files changed, 11 insertions(+)

[PATCH nf 1/2] netfilter: WARN about wrong usage of sequence number adjustments

[Simon Horman]

From: Jesper Dangaard Brouer <brouer@redhat.com>

Since commit 41d73ec053d2 (netfilter: nf_conntrack: make sequence
number adjustments usuable without NAT), the sequence number extension
is dynamically allocated.

Instead of dying, give a WARN splash, in case of wrong usage of the
seqadj code, e.g. when forgetting to allocate via nfct_seqadj_ext_add().

Wrong usage have been seen in the IPVS code path.

Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/nf_conntrack_seqadj.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index 17c1bcb..b2d38da 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -36,6 +36,11 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
 	if (off == 0)
 		return 0;
 
+	if (unlikely(!seqadj)) {
+		WARN(1, "Wrong seqadj usage, missing nfct_seqadj_ext_add()\n");
+		return 0;
+	}
+
 	set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
 
 	spin_lock_bh(&ct->lock);
-- 
1.8.4

[PATCH nf 2/2] ipvs: correct usage/allocation of seqadj ext in ipvs

[Simon Horman]

From: Jesper Dangaard Brouer <brouer@redhat.com>

The IPVS FTP helper ip_vs_ftp could trigger an OOPS in nf_ct_seqadj_set,
after commit 41d73ec053d2 (netfilter: nf_conntrack: make sequence number
adjustments usuable without NAT).

This is because, the seqadj ext is now allocated dynamically, and the
IPVS code didn't handle this situation.  Fix this in the IPVS nfct
code by invoking the alloc function nfct_seqadj_ext_add().

Fixes: 41d73ec053d2 (netfilter: nf_conntrack: make sequence number adjustments usuable without NAT)
Suggested-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/ip_vs_nfct.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
index c8beafd..5a355a4 100644
--- a/net/netfilter/ipvs/ip_vs_nfct.c
+++ b/net/netfilter/ipvs/ip_vs_nfct.c
@@ -63,6 +63,7 @@
 #include <net/ip_vs.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_expect.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 
@@ -97,6 +98,11 @@ ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
 	if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
 		return;
 
+	/* Applications may adjust TCP seqs */
+	if (cp->app && nf_ct_protonum(ct) == IPPROTO_TCP &&
+	    !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))
+		return;
+
 	/*
 	 * The connection is not yet in the hashtable, so we update it.
 	 * CIP->VIP will remain the same, so leave the tuple in
-- 
1.8.4

Re: [GIT PULL nf 0/2] IPVS Fixes for v3.13

[Pablo Neira Ayuso]

On Fri, Dec 27, 2013 at 12:37:35PM +0900, Simon Horman wrote:
> Hi Pablo,
> 
> please consider the following fixes for IPVS for v3.13.
> Or alternatively for v3.14.
> 
> This pull-request consists of two patches from Jesper Dangaard Brouer to
> resolve sequence number problems introduced by 41d73ec053d2 (netfilter:
> nf_conntrack: make sequence number adjustments usuable without NAT) in
> v3.11-rc7.
> 
> I believe they are -stable candidates back to v3.11.
> 
> 
> The following changes since commit 443d20fd188208aa4df2118ad49f9168e411016d:
> 
>   netfilter: nf_ct_timestamp: Fix BUG_ON after netns deletion (2013-12-20 14:58:29 +0100)
> 
> are available in the git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs.git tags/ipvs-fixes-for-v3.13

Pulled, thanks Simon.