* netfilter 00/03: netfilter -stable fixes
From: Patrick McHardy @ 2008-10-22 17:41 UTC (permalink / raw)
To: stable; +Cc: Patrick McHardy, netfilter-devel, davem
The following three patches for -stable fix some netfilter issues:
- a regression in the iprange match, causing mismatches with inversion
- a memory leak in the SNMP NAT helper
- a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
(and some minor runtime misbehaviour)
Please apply, thanks.
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 ++
net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 +
net/netfilter/xt_iprange.c | 8 ++++----
3 files changed, 7 insertions(+), 4 deletions(-)
Patrick McHardy (3):
netfilter: xt_iprange: fix range inversion match
netfilter: snmp nat leaks memory in case of failure
netfilter: restore lost #ifdef guarding defrag exception
* netfilter 01/03: xt_iprange: fix range inversion match
From: Patrick McHardy @ 2008-10-22 17:41 UTC (permalink / raw)
To: stable; +Cc: Patrick McHardy, netfilter-devel, davem
commit 3e533fa616520e6b068bc0b284fe801f05719e07
Author: Patrick McHardy <kaber@trash.net>
Date: Wed Oct 22 19:34:06 2008 +0200
netfilter: xt_iprange: fix range inversion match
Upstream commit 6def1eb48:
Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1!
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Acked-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index c63e933..4b5741b 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -67,7 +67,7 @@ iprange_mt4(const struct sk_buff *skb, const struct net_device *in,
if (info->flags & IPRANGE_SRC) {
m = ntohl(iph->saddr) < ntohl(info->src_min.ip);
m |= ntohl(iph->saddr) > ntohl(info->src_max.ip);
- m ^= info->flags & IPRANGE_SRC_INV;
+ m ^= !!(info->flags & IPRANGE_SRC_INV);
if (m) {
pr_debug("src IP " NIPQUAD_FMT " NOT in range %s"
NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
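Review bot: the fix is right but the reason is not visible from the hunk; `m` holds a bool-valued match result while `info->flags & IPRANGE_SRC_INV` yields the raw flag bit, so without the `!!` the XOR produces a nonzero value whenever the inversion flag is set and the rule never matches. A one-line comment above the XOR, e.g. `/* normalize the flag to 0/1 before xor-ing with the bool result */`, would keep the next reader from "simplifying" it away again.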
@@ -81,7 +81,7 @@ iprange_mt4(const struct sk_buff *skb, const struct net_device *in,
if (info->flags & IPRANGE_DST) {
m = ntohl(iph->daddr) < ntohl(info->dst_min.ip);
m |= ntohl(iph->daddr) > ntohl(info->dst_max.ip);
- m ^= info->flags & IPRANGE_DST_INV;
+ m ^= !!(info->flags & IPRANGE_DST_INV);
if (m) {
pr_debug("dst IP " NIPQUAD_FMT " NOT in range %s"
NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
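Review bot: this is the same normalization as in the IPRANGE_SRC branch above, and the identical expression is patched in four places across iprange_mt4 and iprange_mt6; moving it into one small static helper that takes the flags and the inversion bit and returns a bool would give a single place to get right and make the four call sites read as `m ^= iprange_inverted(info->flags, IPRANGE_DST_INV);` (the helper name is a suggestion, not existing code).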
@@ -123,14 +123,14 @@ iprange_mt6(const struct sk_buff *skb, const struct net_device *in,
if (info->flags & IPRANGE_SRC) {
m = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
- m ^= info->flags & IPRANGE_SRC_INV;
+ m ^= !!(info->flags & IPRANGE_SRC_INV);
if (m)
return false;
}
if (info->flags & IPRANGE_DST) {
m = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
- m ^= info->flags & IPRANGE_DST_INV;
+ m ^= !!(info->flags & IPRANGE_DST_INV);
if (m)
return false;
}
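Review bot: both IPv6 branches carry the same `!!` fix as the IPv4 ones, and the commit message says inverted matches have matched nothing since 2.6.25-rc1 without anyone noticing; a regression test that loads an iprange rule with inversion for each address family and checks that an in-range and an out-of-range address produce opposite verdicts would have caught this, and is worth adding alongside the fix so the normalization is not lost a second time.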
* netfilter 02/03: snmp nat leaks memory in case of failure
From: Patrick McHardy @ 2008-10-22 17:41 UTC (permalink / raw)
To: stable; +Cc: Patrick McHardy, netfilter-devel, davem
commit 6339355779208471ab254e13f31aa0d3217ee6fd
Author: Patrick McHardy <kaber@trash.net>
Date: Wed Oct 22 19:34:40 2008 +0200
netfilter: snmp nat leaks memory in case of failure
Upstream commit 311670f3e:
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index ffeaffc..8303e4b 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -742,6 +742,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
*obj = kmalloc(sizeof(struct snmp_object) + len,
GFP_ATOMIC);
if (*obj == NULL) {
+ kfree(p);
kfree(id);
if (net_ratelimit())
printk("OOM in bsalg (%d)\n", __LINE__);
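Review bot: the added `kfree(p)` fixes the leak on the `*obj == NULL` path, but the hunk shows only this one error exit of snmp_object_decode; please confirm that the other early returns in the same function taken after `p` is allocated free it too, otherwise the leak only moves. Because the allocation here is GFP_ATOMIC on the packet-processing path, a leak on the failure branch accumulates under memory pressure driven by inbound traffic handled by the helper, which is what makes this worth the -stable backport.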
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* netfilter 03/03: restore lost ifdef guarding defrag exception
From: Patrick McHardy @ 2008-10-22 17:41 UTC (permalink / raw)
To: stable; +Cc: Patrick McHardy, netfilter-devel, davem
commit 3f3fb9fddbcb725482679fe3552e3003494c2d85
Author: Patrick McHardy <kaber@trash.net>
Date: Wed Oct 22 19:36:23 2008 +0200
netfilter: restore lost #ifdef guarding defrag exception
Upstream commit 38f7ac3eb:
Nir Tzachar <nir.tzachar@gmail.com> reported a warning when sending
fragments over loopback with NAT:
[ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155()
The reason is that defragmentation is skipped for already tracked connections.
This is wrong in combination with NAT and ip_conntrack actually had some ifdefs
to avoid this behaviour when NAT is compiled in.
The entire "optimization" may seem a bit silly, for now simply restoring the
lost #ifdef is the easiest solution until we can come up with something better.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 5a955c4..7eb0b61 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -150,10 +150,12 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
/* Previously seen (loopback)? Ignore. Do this before
fragment check. */
if (skb->nfct)
return NF_ACCEPT;
+#endif
/* Gather fragments. */
if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
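Review bot: the new guard keys on build configuration (`CONFIG_NF_NAT` / `CONFIG_NF_NAT_MODULE`) rather than on whether NAT is actually applied to the skb, which is the right conservative choice for -stable, but the existing comment ("Previously seen (loopback)? Ignore.") no longer explains why the shortcut is disabled when NAT is built; extend it to say that NAT needs the reassembled packet, so an already-tracked skb must still go through defragmentation when NAT is compiled in. Without that note the #ifdef is easy to drop again, which is exactly how this regression happened.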
* Re: netfilter 00/03: netfilter -stable fixes
From: Krzysztof Oledzki @ 2008-10-24 0:31 UTC (permalink / raw)
To: Patrick McHardy; +Cc: stable, netfilter-devel, davem
On Wed, 22 Oct 2008, Patrick McHardy wrote:
> The following three patches for -stable fix some netfilter issues:
>
> - a regression in the iprange match, causing mismatches with inversion
> - a memory leak in the SNMP NAT helper
> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
> (and some minor runtime misbehaviour)
Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?
Best regards,
Krzysztof Olędzki
* Re: netfilter 00/03: netfilter -stable fixes
From: Patrick McHardy @ 2008-10-24 3:40 UTC (permalink / raw)
To: Krzysztof Oledzki; +Cc: stable, netfilter-devel, davem
Krzysztof Oledzki wrote:
> On Wed, 22 Oct 2008, Patrick McHardy wrote:
>
>> The following three patches for -stable fix some netfilter issues:
>>
>> - a regression in the iprange match, causing mismatches with inversion
>> - a memory leak in the SNMP NAT helper
>> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>> (and some minor runtime misbehaviour)
>
> Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?
I think all three patches are also needed for 2.6.25 and 2.6.26.
* Re: netfilter 00/03: netfilter -stable fixes
From: Krzysztof Oledzki @ 2008-10-28 2:13 UTC (permalink / raw)
To: gregkh; +Cc: stable, netfilter-devel, Patrick McHardy
On Fri, 24 Oct 2008, Patrick McHardy wrote:
> Krzysztof Oledzki wrote:
>> On Wed, 22 Oct 2008, Patrick McHardy wrote:
>>
>>> The following three patches for -stable fix some netfilter issues:
>>>
>>> - a regression in the iprange match, causing mismatches with inversion
>>> - a memory leak in the SNMP NAT helper
>>> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>>> (and some minor runtime misbehaviour)
>>
>> Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?
>
> I think all three patches are also needed for 2.6.25 and 2.6.26.
Thank you for the confirmation.
Greg, could you please put the above patches into queue-2.6.25/queue-2.6.26?
Best regards,
Krzysztof Olędzki
* Re: netfilter 00/03: netfilter -stable fixes
From: Greg KH @ 2008-10-28 2:45 UTC (permalink / raw)
To: Krzysztof Oledzki; +Cc: stable, netfilter-devel, Patrick McHardy
On Tue, Oct 28, 2008 at 03:13:32AM +0100, Krzysztof Oledzki wrote:
>
>
> On Fri, 24 Oct 2008, Patrick McHardy wrote:
>
>> Krzysztof Oledzki wrote:
>>> On Wed, 22 Oct 2008, Patrick McHardy wrote:
>>>> The following three patches for -stable fix some netfilter issues:
>>>> - a regression in the iprange match, causing mismatches with inversion
>>>> - a memory leak in the SNMP NAT helper
>>>> - a lost #ifdef, allowing user-triggerable WARN_ONs with NETFILTER_DEBUG
>>>> (and some minor runtime misbehaviour)
>>> Which kernels need above patches? Only 2.6.27 or also 2.6.25/2.6.26?
>>
>> I think all three patches are also needed for 2.6.25 and 2.6.26.
>
> Thank you for the confirmation.
>
> Greg, could you please put the above patches into queue-2.6.25/queue-2.6.26?
Will do, thanks.
greg k-h
* netfilter 00/03: netfilter -stable fixes
From: Patrick McHardy @ 2009-01-19 14:19 UTC (permalink / raw)
To: stable; +Cc: netdev, Patrick McHardy, netfilter-devel, davem
The following three patches for -stable fix a number of netfilter
regressions:
- revision lookup for x_tables matches and targets registering with
the new NFPROTO_UNSPEC is broken, causing failures when using
features not offered by revision 0. New regression in 2.6.28.
- ebtables interprets return values from matches in the inverted
sense. New regression in 2.6.28.
- the conntrack timeout sysctls for ICMP/ICMPv6 are broken on big
endian due to a mismatch between the data type size and the size
registered with the sysctls. Seems to be a regression from the
switch from ip_conntrack to nf_conntrack.
Please apply, thanks.
net/bridge/netfilter/ebtables.c | 2 +-
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 +-
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 2 +-
net/netfilter/x_tables.c | 8 ++++++++
4 files changed, 11 insertions(+), 3 deletions(-)
Patrick McHardy (3):
netfilter: x_tables: fix match/target revision lookup
netfilter: ebtables: fix inversion in match code
netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian
* netfilter 00/03: netfilter -stable fixes
From: Patrick McHardy @ 2008-06-19 13:05 UTC (permalink / raw)
To: stable; +Cc: Patrick McHardy, netfilter-devel, davem
These three patches fix some bugs in netfilter:
- a crash when setting up a conntrack with NAT mappings through ctnetlink
fails after the NAT mappings are set up. Regression present since a
couple of versions.
- a module unload crash in the H.323 conntrack helper
- a memory leak in the module init function, which is not very important
itself, but fixing it made it easier to use the upstream patch for the module
unload crash
Please apply, thanks.
net/netfilter/nf_conntrack_core.c | 3 +--
net/netfilter/nf_conntrack_h323_main.c | 22 +++++++++++++++-------
2 files changed, 16 insertions(+), 9 deletions(-)
Patrick McHardy (3):
netfilter: nf_conntrack: fix ctnetlink related crash in nf_nat_setup_info()
netfilter: nf_conntrack_h323: fix memory leak in module initialization error path
netfilter: nf_conntrack_h323: fix module unload crash