* [PATCH 0/6] netfilter: netfilter fixes
From: kaber @ 2010-09-22 7:17 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
Hi Dave,
the following patches against net-2.6.git fix a few netfilter problems:
- tproxy is not properly handling time-wait sockets, from Eric
- a fix for use of an uninitialized variable in the TCP SIP tracking,
from Simon
- a fix for TCP RST routing with bridges, from Changli
- a fix for a RCU race in nf_ct_ext_create(), from Eric
- a checksum calculation fix for the SNMP NAT helper, from myself,
based on a patch from Clark Weng and Stephen
- a fix for incorrectly skipped conntrack defragmentation with the tun
driver, from Jiri Olsa
Please apply or pull from:
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
Thanks!
* [PATCH 1/6] netfilter: tproxy: nf_tproxy_assign_sock() can handle tw sockets
From: kaber @ 2010-09-22 7:17 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Eric Dumazet <eric.dumazet@gmail.com>
The transparent field of a socket is either inet_twsk(sk)->tw_transparent
for timewait sockets, or inet_sk(sk)->transparent for other sockets
(TCP/UDP).
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/netfilter/nf_tproxy_core.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/nf_tproxy_core.c b/net/netfilter/nf_tproxy_core.c
index 5490fc3..daab8c4 100644
--- a/net/netfilter/nf_tproxy_core.c
+++ b/net/netfilter/nf_tproxy_core.c
@@ -70,7 +70,11 @@ nf_tproxy_destructor(struct sk_buff *skb)
int
nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
{
- if (inet_sk(sk)->transparent) {
+ bool transparent = (sk->sk_state == TCP_TIME_WAIT) ?
+ inet_twsk(sk)->tw_transparent :
+ inet_sk(sk)->transparent;
+
+ if (transparent) {
skb_orphan(skb);
skb->sk = sk;
skb->destructor = nf_tproxy_destructor;
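Review bot: the `sk->sk_state == TCP_TIME_WAIT` test has to stay ahead of the `inet_sk(sk)` access in the ternary, since, as the commit message says, a time-wait socket keeps the flag in `inet_twsk(sk)->tw_transparent` and is not laid out as a `struct inet_sock`; a one-line comment above `bool transparent = ...` stating that would keep a later cleanup from folding the two accessors back into one. It is also worth noting in the message that UDP sockets never enter TCP_TIME_WAIT, so the `inet_sk(sk)->transparent` branch is the only one they take and the change is a no-op for them.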
--
1.7.1
* [PATCH 2/6] netfilter: nf_ct_sip: default to NF_ACCEPT in sip_help_tcp()
From: kaber @ 2010-09-22 7:17 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Simon Horman <horms@verge.net.au>
I initially noticed this because of the compiler warning below, but it
does seem to be a valid concern in the case where ct_sip_get_header()
returns 0 in the first iteration of the while loop.
net/netfilter/nf_conntrack_sip.c: In function 'sip_help_tcp':
net/netfilter/nf_conntrack_sip.c:1379: warning: 'ret' may be used uninitialized in this function
Signed-off-by: Simon Horman <horms@verge.net.au>
[Patrick: changed NF_DROP to NF_ACCEPT]
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/netfilter/nf_conntrack_sip.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 53d8922..f64de95 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1376,7 +1376,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
unsigned int msglen, origlen;
const char *dptr, *end;
s16 diff, tdiff = 0;
- int ret;
+ int ret = NF_ACCEPT;
typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
if (ctinfo != IP_CT_ESTABLISHED &&
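Review bot: initialising `ret` to NF_ACCEPT (rather than the NF_DROP of the original submission, per the `[Patrick: changed NF_DROP to NF_ACCEPT]` tag) makes the early-exit case fail open: a segment on which the first `ct_sip_get_header()` call in the loop returns 0 is now passed through without SIP tracking instead of being dropped, and the commit message should state that explicitly, since it is a policy choice and not only a warning fix. Assigning `ret = NF_ACCEPT` at the exit path the message describes, in addition to the initializer, would keep the intent visible if the loop is later reordered; the initializer alone also silences the compiler for any other path that might be added.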
--
1.7.1
* [PATCH 3/6] netfilter: fix ipt_REJECT TCP RST routing for indev == outdev
From: kaber @ 2010-09-22 7:17 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Changli Gao <xiaosuo@gmail.com>
ip_route_me_harder can't create the route cache when the outdev is the same
as the indev for skbs without a valid protocol set.
The __mkroute_input function has this check:
    if (skb->protocol != htons(ETH_P_IP)) {
        /* Not IP (i.e. ARP). Do not create route, if it is
         * invalid for proxy arp. DNAT routes are always valid.
         *
         * Proxy arp feature have been extended to allow, ARP
         * replies back to the same interface, to support
         * Private VLAN switch technologies. See arp.c.
         */
        if (out_dev == in_dev &&
            IN_DEV_PROXY_ARP_PVLAN(in_dev) == 0) {
            err = -EINVAL;
            goto cleanup;
        }
    }
This patch gives the new skb a valid protocol to bypass this check. In order
to make ipt_REJECT work with bridges, you also need to enable ip_forward.
This patch also fixes a regression. When we used skb_copy_expand(), we
didn't have the issue stated above, as the protocol was properly set.
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/ipv4/netfilter/ipt_REJECT.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index b254daf..43eec80 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -112,6 +112,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
/* ip_route_me_harder expects skb->dst to be set */
skb_dst_set_noref(nskb, skb_dst(oldskb));
+ nskb->protocol = htons(ETH_P_IP);
if (ip_route_me_harder(nskb, addr_type))
goto free_nskb;
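Review bot: `nskb->protocol` is assigned immediately before `ip_route_me_harder()` rather than where `nskb` is built with its other header fields, so any code between allocation and this point still sees a zero protocol, and a reader will not guess that the routing outcome depends on this one line; moving the assignment next to the rest of the `nskb` setup and adding a comment that `__mkroute_input()` rejects non-ETH_P_IP skbs when `in_dev == out_dev` (the check quoted in the commit message) would make the dependency visible. The commit message should also say which skb allocation replaced `skb_copy_expand()`, since that is what introduced the regression being fixed.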
--
1.7.1
* [PATCH 4/6] netfilter: fix a race in nf_ct_ext_create()
From: kaber @ 2010-09-22 7:17 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Eric Dumazet <Eric Dumazet>
As soon as rcu_read_unlock() is called, there is no guarantee the current
thread can safely dereference the RCU-protected t pointer.
The fix is to copy t->alloc_size into a temporary variable.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/netfilter/nf_conntrack_extend.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 7dcf7a4..8d9e4c9 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -48,15 +48,17 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp)
{
unsigned int off, len;
struct nf_ct_ext_type *t;
+ size_t alloc_size;
rcu_read_lock();
t = rcu_dereference(nf_ct_ext_types[id]);
BUG_ON(t == NULL);
off = ALIGN(sizeof(struct nf_ct_ext), t->align);
len = off + t->len;
+ alloc_size = t->alloc_size;
rcu_read_unlock();
- *ext = kzalloc(t->alloc_size, gfp);
+ *ext = kzalloc(alloc_size, gfp);
if (!*ext)
return NULL;
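Review bot: copying `t->alloc_size` into `alloc_size` closes the only post-`rcu_read_unlock()` use of `t` that this hunk shows, but the remainder of the function is outside the hunk, so please confirm that no later statement dereferences `t` either, otherwise the same race survives a few lines further down. `off` and `len` are already derived from `t->align` and `t->len` inside the read-side critical section and need no copy; a short comment after `rcu_read_unlock()` saying that `t` must not be touched past that point would document the invariant for the next change to this function.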
--
1.7.1
* [PATCH 5/6] netfilter: nf_nat_snmp: fix checksum calculation (v4)
From: kaber @ 2010-09-22 7:17 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Patrick McHardy <kaber@trash.net>
Fix checksum calculation in nf_nat_snmp_basic.
Based on patches by Clark Wang <wtweeker@163.com> and
Stephen Hemminger <shemminger@vyatta.com>.
https://bugzilla.kernel.org/show_bug.cgi?id=17622
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/ipv4/netfilter/nf_nat_snmp_basic.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 1679e2c..ee5f419 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -893,13 +893,15 @@ static void fast_csum(__sum16 *csum,
unsigned char s[4];
if (offset & 1) {
- s[0] = s[2] = 0;
+ s[0] = ~0;
s[1] = ~*optr;
+ s[2] = 0;
s[3] = *nptr;
} else {
- s[1] = s[3] = 0;
s[0] = ~*optr;
+ s[1] = ~0;
s[2] = *nptr;
+ s[3] = 0;
}
*csum = csum_fold(csum_partial(s, 4, ~csum_unfold(*csum)));
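Review bot: the change is correct and the arithmetic deserves a comment in the function, because the old padding looked plausible. `s[]` is two big-endian 16-bit words handed to `csum_partial()`: the first holds `~m`, the complement of the old word, and the second `m'`, the new word, matching the RFC 1624 incremental update `HC' = ~(~HC + ~m + m')`. For the byte x of the word that is not being replaced, `~x + x` contributes 0xff in ones' complement, so the padding byte in the `~m` half must be `~0` and the one in the `m'` half 0; the zero padding in the removed lines left the sum short by 0xff00 (odd offset) or 0x00ff (even offset), which is why the helper produced wrong checksums.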
--
1.7.1
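As an added example, not part of the patch or of the kernel's nf_nat_snmp_basic code, the following userspace C models the fast_csum() update from the hunk above with the padding byte as a parameter, so the removed and added variants can each be compared against a full recomputation over the modified buffer. inet_csum, fast_csum_model, check_update and the sample buffer are constructed here; csum_partial()/csum_fold() are replaced by plain 32-bit word summation with end-around carry folding.

```c
/* Userspace model of the incremental checksum update in the hunk above.
 * Constructed example: inet_csum(), fast_csum_model(), check_update() and
 * the sample buffer are not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RFC 1071 Internet checksum over buf: ones' complement of the folded
 * big-endian 16-bit word sum, returned in host order. */
static uint16_t inet_csum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Incremental update (RFC 1624: HC' = ~(~HC + ~m + m')) of the stored
 * checksum csum for one byte at 'offset' changing from oval to nval.
 * s[] holds two big-endian 16-bit words: the ~m half and the m' half.
 * 'pad' fills the untouched byte of the ~m word: 0 reproduces the lines
 * the hunk removes, 0xff the lines it adds. */
static uint16_t fast_csum_model(uint16_t csum, size_t offset,
                                uint8_t oval, uint8_t nval, uint8_t pad)
{
    uint8_t s[4];
    uint32_t sum;

    if (offset & 1) {
        s[0] = pad;              /* stands for ~x of the untouched high byte */
        s[1] = (uint8_t)~oval;
        s[2] = 0;
        s[3] = nval;
    } else {
        s[0] = (uint8_t)~oval;
        s[1] = pad;              /* stands for ~x of the untouched low byte */
        s[2] = nval;
        s[3] = 0;
    }
    sum = (uint16_t)~csum;                    /* ~csum_unfold(*csum) */
    sum += ((uint32_t)s[0] << 8) | s[1];      /* csum_partial(s, 4, ...) */
    sum += ((uint32_t)s[2] << 8) | s[3];
    while (sum >> 16)                         /* csum_fold() */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample payload; even length so every byte sits in a full word. */
static const uint8_t sample[12] = {
    0x30, 0x0a, 0x02, 0x01, 0x00, 0x04, 0x06, 0x70, 0x75, 0x62, 0x6c, 0x69
};

/* Returns 1 if updating sample[offset] to nval incrementally, with the
 * given padding byte, yields the same checksum as recomputing over the
 * modified buffer; 0 otherwise. */
int check_update(size_t offset, uint8_t nval, uint8_t pad)
{
    uint8_t buf[sizeof(sample)];
    uint16_t old_csum, incremental, recomputed;
    size_t i;

    for (i = 0; i < sizeof(sample); i++)
        buf[i] = sample[i];
    old_csum = inet_csum(buf, sizeof(buf));
    incremental = fast_csum_model(old_csum, offset, buf[offset], nval, pad);
    buf[offset] = nval;
    recomputed = inet_csum(buf, sizeof(buf));
    return incremental == recomputed;
}

int main(void)
{
    printf("odd offset,  pad 0xff: %s\n", check_update(5, 0x42, 0xff) ? "match" : "MISMATCH");
    printf("odd offset,  pad 0x00: %s\n", check_update(5, 0x42, 0x00) ? "match" : "MISMATCH");
    printf("even offset, pad 0xff: %s\n", check_update(4, 0x99, 0xff) ? "match" : "MISMATCH");
    printf("even offset, pad 0x00: %s\n", check_update(4, 0x99, 0x00) ? "match" : "MISMATCH");
    return 0;
}
```

With pad set to 0xff both offsets match the full recomputation; with pad 0 the odd-offset result is short by 0xff00 and the even-offset one by 0x00ff, which is the defect the hunk corrects.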
* [PATCH 6/6] netfilter: nf_conntrack_defrag: check socket type before touching nodefrag flag
From: kaber @ 2010-09-22 7:17 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Jiri Olsa <jolsa@redhat.com>
We need to check the proper socket type within the ipv4_conntrack_defrag
function before referencing the nodefrag flag.
For example, the tun driver receive path produces skbs with the
AF_UNSPEC socket type, and so the current code is causing unwanted
fragmented packets to go out.
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/ipv4/netfilter/nf_defrag_ipv4.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index eab8de3..f3a9b42 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -66,9 +66,11 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+ struct sock *sk = skb->sk;
struct inet_sock *inet = inet_sk(skb->sk);
- if (inet && inet->nodefrag)
+ if (sk && (sk->sk_family == PF_INET) &&
+ inet->nodefrag)
return NF_ACCEPT;
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
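Review bot: the family test only admits `PF_INET`, so an IPv4 packet sent over a `PF_INET6` socket (which also embeds a `struct inet_sock`) no longer has its `nodefrag` flag honoured by this hook; if that is intended, the commit message should say so, otherwise the test should accept both families. `inet = inet_sk(skb->sk)` is still evaluated before the `sk` check; it is only a cast, so it is harmless, but placing it after the check, or dropping `inet` and writing `inet_sk(sk)->nodefrag`, reads better. A comment naming the tun receive path as the source of the `AF_UNSPEC` sockets, as the commit message does, would tell the next reader why the family test exists.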
--
1.7.1
* Re: [PATCH 4/6] netfilter: fix a race in nf_ct_ext_create()
From: Eric Dumazet @ 2010-09-22 7:23 UTC (permalink / raw)
To: kaber; +Cc: davem, netfilter-devel, netdev
On Wednesday 22 September 2010 at 09:17 +0200, kaber@trash.net wrote:
> From: Eric Dumazet <Eric Dumazet>
>
strange email address ;)
> As soon as rcu_read_unlock() is called, there is no guarantee current
> thread can safely derefence t pointer, rcu protected.
>
> Fix is to copy t->alloc_size in a temporary variable.
>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
> ---
> net/netfilter/nf_conntrack_extend.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
> index 7dcf7a4..8d9e4c9 100644
> --- a/net/netfilter/nf_conntrack_extend.c
> +++ b/net/netfilter/nf_conntrack_extend.c
> @@ -48,15 +48,17 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp)
> {
> unsigned int off, len;
> struct nf_ct_ext_type *t;
> + size_t alloc_size;
>
> rcu_read_lock();
> t = rcu_dereference(nf_ct_ext_types[id]);
> BUG_ON(t == NULL);
> off = ALIGN(sizeof(struct nf_ct_ext), t->align);
> len = off + t->len;
> + alloc_size = t->alloc_size;
> rcu_read_unlock();
>
> - *ext = kzalloc(t->alloc_size, gfp);
> + *ext = kzalloc(alloc_size, gfp);
> if (!*ext)
> return NULL;
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH 4/6] netfilter: fix a race in nf_ct_ext_create()
From: Patrick McHardy @ 2010-09-22 7:28 UTC (permalink / raw)
To: Eric Dumazet; +Cc: davem, netfilter-devel, netdev
On 22.09.2010 09:23, Eric Dumazet wrote:
> On Wednesday 22 September 2010 at 09:17 +0200, kaber@trash.net wrote:
>> From: Eric Dumazet <Eric Dumazet>
>>
>
> strange email address ;)
Indeed, cut-and-paste error, sorry :)
* Re: [PATCH 0/6] netfilter: netfilter fixes
From: David Miller @ 2010-09-22 20:12 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel, netdev
From: kaber@trash.net
Date: Wed, 22 Sep 2010 09:17:28 +0200
> Please apply or pull from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
Patrick, I can't pull from this; it's not based upon net-2.6.
It looks like it's based upon Linus's tree, because when I pull
I get a bunch of changes that are in Linus's tree but aren't
in net-2.6.
Please base all future pull requests on net-2.6, thanks.
I'll apply these patches by hand (and also this will allow me
to fix Eric's author email in that one patch).
Thanks again.
* Re: [PATCH 0/6] netfilter: netfilter fixes
From: Patrick McHardy @ 2010-09-23 3:49 UTC (permalink / raw)
To: David Miller; +Cc: netfilter-devel, netdev
On 22.09.2010 22:12, David Miller wrote:
> From: kaber@trash.net
> Date: Wed, 22 Sep 2010 09:17:28 +0200
>
>> Please apply or pull from:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
>
> Patrick I can't pull from this, it's not based upon net-2.6
Indeed, that's what I've always based my nf-2.6 tree on for one
or two years now, but this time I made a fresh clone at a quite
late time because of my absence.
> It looks like it's based upon Linus's tree, because when I pull
> I get a bunch of changes that are in Linus's tree but aren't
> in net-2.6
I didn't notice that, sorry.
> Please base all future pull requests on net-2.6, thanks.
Sure, will do.
> I'll apply these patches by hand (and also this will allow me
> to fix Eric's author email in that one patch).
>
> Thanks again.
Thanks Dave!