* [PATCH 0/2] netfilter fixes for net
@ 2013-12-13 18:24 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-12-13 18:24 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two Netfilter fixes for your net
tree, they are:

* Fix endianness in nft_reject, the NFTA_REJECT_TYPE netlink attribute
  was not converted to network byte order as needed by all nfnetlink
  subsystems, from Eric Leblond.

* Restrict SYNPROXY target to INPUT and FORWARD chains, this avoids a
  possible crash due to misconfigurations, from Patrick McHardy.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Thanks!

----------------------------------------------------------------

The following changes since commit 8afdd99a1315e759de04ad6e2344f0c5f17ecb1b:

  udp: ipv4: fix an use after free in __udp4_lib_rcv() (2013-12-10 22:58:40 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to a3adadf3018102c24754e0b53a5515c40fbaff4a:

  netfilter: nft_reject: fix endianness in dump function (2013-12-12 09:37:39 +0100)

----------------------------------------------------------------
Eric Leblond (1):
      netfilter: nft_reject: fix endianness in dump function

Patrick McHardy (1):
      netfilter: SYNPROXY target: restrict to INPUT/FORWARD

 net/ipv4/netfilter/ipt_SYNPROXY.c    |    1 +
 net/ipv4/netfilter/nft_reject_ipv4.c |    2 +-
 net/ipv6/netfilter/ip6t_SYNPROXY.c   |    1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

-- 
1.7.10.4

* [PATCH 1/2] netfilter: SYNPROXY target: restrict to INPUT/FORWARD
From: Pablo Neira Ayuso @ 2013-12-13 18:24 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Patrick McHardy <kaber@trash.net>

Fix a crash in synproxy_send_tcp() when using the SYNPROXY target in the
PREROUTING chain caused by missing routing information.

Reported-by: Nicki P. <xastx@gmx.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/ipt_SYNPROXY.c  |    1 +
 net/ipv6/netfilter/ip6t_SYNPROXY.c |    1 +
 2 files changed, 2 insertions(+)

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index f13bd91..a313c3f 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -423,6 +423,7 @@ static void synproxy_tg4_destroy(const struct xt_tgdtor_param *par)
 static struct xt_target synproxy_tg4_reg __read_mostly = {
 	.name		= "SYNPROXY",
 	.family		= NFPROTO_IPV4,
+	.hooks		= (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
 	.target		= synproxy_tg4,
 	.targetsize	= sizeof(struct xt_synproxy_info),
 	.checkentry	= synproxy_tg4_check,
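Review bot: the commit message only names PREROUTING, but the mask added here also excludes OUTPUT and POSTROUTING, and a SYNPROXY rule in any of those chains will now be refused when the ruleset is loaded instead of loading silently. Please spell that out in the message (and in the iptables extension documentation) so that users whose existing rulesets place SYNPROXY elsewhere understand why the restore now fails, e.g. "The target is only valid in the INPUT and FORWARD chains; rules in other chains are rejected at insertion time."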
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index f78f41a..a0d1727 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -446,6 +446,7 @@ static void synproxy_tg6_destroy(const struct xt_tgdtor_param *par)
 static struct xt_target synproxy_tg6_reg __read_mostly = {
 	.name		= "SYNPROXY",
 	.family		= NFPROTO_IPV6,
+	.hooks		= (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
 	.target		= synproxy_tg6,
 	.targetsize	= sizeof(struct xt_synproxy_info),
 	.checkentry	= synproxy_tg6_check,
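Review bot: this repeats the same mask literal as ipt_SYNPROXY.c; a single define in a common netfilter header would keep the two registrations from drifting if the set of allowed hooks ever changes. Note also that the hook mask is the entire fix: synproxy_tg6_check() is left as is, so nothing else guards the routing information that synproxy_send_tcp() needs, and the mask must stay in step with the assumptions in the send path.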
-- 
1.7.10.4
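
For readers who want to see what the new .hooks mask actually buys, here is an added userspace model of the x_tables hook check that the patch relies on. It is example code written for this page, not kernel code and not part of Patrick's patch: enum nf_inet_hooks_model, struct xt_target_model, check_target_hooks() and the error wording are simplified stand-ins for the kernel's enum nf_inet_hooks, struct xt_target and xt_check_target(); the chain names are the iptables names for those hooks, and the exact message text is an approximation, not a quote of the kernel's.

```c
/* Added example for this page, not kernel code: a userspace model of the
 * x_tables hook check that gives the new .hooks mask its effect.
 * nf_inet_hooks_model / xt_target_model / check_target_hooks() stand in
 * for enum nf_inet_hooks, struct xt_target and xt_check_target(). */
#include <stdio.h>
#include <string.h>

enum nf_inet_hooks_model {
	NF_INET_PRE_ROUTING = 0,
	NF_INET_LOCAL_IN,
	NF_INET_FORWARD,
	NF_INET_LOCAL_OUT,
	NF_INET_POST_ROUTING,
	NF_INET_NUMHOOKS
};

struct xt_target_model {
	const char *name;
	unsigned int hooks;	/* hooks the target may run from; 0 = unrestricted */
};

/* iptables chain names, indexed by hook number. */
static const char *const chain_names[NF_INET_NUMHOOKS] = {
	"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING",
};

/* Render a hook mask as "INPUT/FORWARD". Returns buf. */
static char *textify_hooks(char *buf, size_t cap, unsigned int mask)
{
	size_t used = 0;
	unsigned int h;

	buf[0] = '\0';
	for (h = 0; h < NF_INET_NUMHOOKS; h++) {
		int n;

		if (!(mask & (1u << h)))
			continue;
		n = snprintf(buf + used, cap - used, "%s%s",
			     used ? "/" : "", chain_names[h]);
		if (n < 0 || (size_t)n >= cap - used)
			break;
		used += (size_t)n;
	}
	return buf;
}

/* Rule-insertion check: every hook the rule runs from must be in the
 * target's mask, i.e. (rule_hook_mask & ~tgt->hooks) must be zero.
 * Returns 0 if accepted, -1 with an explanation in err otherwise. */
static int check_target_hooks(const struct xt_target_model *tgt,
			      unsigned int rule_hook_mask,
			      char *err, size_t errcap)
{
	char used[64], allowed[64];

	if (tgt->hooks == 0 || (rule_hook_mask & ~tgt->hooks) == 0)
		return 0;
	snprintf(err, errcap,
		 "%s target: used from hooks %s, but only usable from %s",
		 tgt->name,
		 textify_hooks(used, sizeof(used), rule_hook_mask),
		 textify_hooks(allowed, sizeof(allowed), tgt->hooks));
	return -1;
}

/* SYNPROXY as registered after this patch. */
static const struct xt_target_model synproxy_tg_model = {
	.name  = "SYNPROXY",
	.hooks = (1u << NF_INET_LOCAL_IN) | (1u << NF_INET_FORWARD),
};

/* Error text for a SYNPROXY rule placed in the given hooks, "" if accepted.
 * Static buffer: only the most recent result is valid. */
static const char *synproxy_error_for(unsigned int rule_hook_mask)
{
	static char err[160];

	err[0] = '\0';
	check_target_hooks(&synproxy_tg_model, rule_hook_mask, err, sizeof(err));
	return err;
}

/* 1 if a SYNPROXY rule in the named chain is accepted, 0 otherwise. */
static int synproxy_allowed_in(const char *chain)
{
	unsigned int h;

	for (h = 0; h < NF_INET_NUMHOOKS; h++)
		if (strcmp(chain, chain_names[h]) == 0)
			return synproxy_error_for(1u << h)[0] == '\0';
	return 0;	/* unknown chain name */
}

int main(void)
{
	printf("PREROUTING: %s\n", synproxy_error_for(1u << NF_INET_PRE_ROUTING));
	printf("INPUT accepted: %d\n", synproxy_allowed_in("INPUT"));
	return 0;
}
```

Run as is, it prints the rejection for a PREROUTING rule. The point is that once .hooks is set, a misplaced SYNPROXY rule is refused when the ruleset is loaded, before any packet can reach synproxy_send_tcp() without the routing information it needs.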

* [PATCH 2/2] netfilter: nft_reject: fix endianness in dump function
From: Pablo Neira Ayuso @ 2013-12-13 18:24 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Eric Leblond <eric@regit.org>

The dump function in nft_reject_ipv4 was not converting a u32
field to network order before sending it to userspace; this
needs to happen for consistency with other nf_tables and
nfnetlink subsystems.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/nft_reject_ipv4.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c
index fff5ba1..4a5e94a 100644
--- a/net/ipv4/netfilter/nft_reject_ipv4.c
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -72,7 +72,7 @@ static int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr)
 {
 	const struct nft_reject *priv = nft_expr_priv(expr);
 
-	if (nla_put_be32(skb, NFTA_REJECT_TYPE, priv->type))
+	if (nla_put_be32(skb, NFTA_REJECT_TYPE, htonl(priv->type)))
 		goto nla_put_failure;
 
 	switch (priv->type) {
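Review bot: htonl() fixes the dump side, but the hunk does not show the matching parse path; nft_reject_init() has to read the attribute with ntohl(nla_get_be32(...)) or a dump followed by a restore will now hand back a byte-swapped type on little-endian hosts. Worth confirming in the same patch, and the commit message should say that this changes the value userspace sees in NFTA_REJECT_TYPE on little-endian machines, so any tool that had worked around the host-order value will now read the wrong one.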
-- 
1.7.10.4
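
Added example, not from the patch or the kernel tree: a small model of the netlink attribute round trip that shows why the host-order u32 has to go through htonl() before nla_put_be32(). The attribute header layout follows the netlink TLV format (16-bit length including the header, 16-bit type, 4-byte alignment). NFTA_REJECT_TYPE_MODEL, put_u32_raw() and parse_reject_type() are assumed names for this illustration, standing in for NFTA_REJECT_TYPE, nla_put_be32() and a userspace parser that reads every 32-bit nfnetlink attribute as big-endian.

```c
/* Added example for this page, not from the patch or the kernel tree: a
 * model of the netlink attribute round trip behind nla_put_be32(), showing
 * why a host-order u32 must go through htonl() first. Header layout follows
 * the netlink TLV format; the NFTA_REJECT_TYPE_MODEL number is assumed. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFTA_REJECT_TYPE_MODEL	1	/* assumed attribute type for the model */
#define ATTR_ALIGNTO		4
#define ATTR_ALIGN(len)		(((len) + ATTR_ALIGNTO - 1) & ~(ATTR_ALIGNTO - 1))
#define ATTR_HDRLEN		ATTR_ALIGN(sizeof(struct nlattr_model))

struct nlattr_model {
	uint16_t nla_len;	/* header plus payload, before padding */
	uint16_t nla_type;
};

/* Append a 32-bit attribute; `wire` is stored exactly as given, so the
 * caller owns the byte order, just as with nla_put_be32(). */
static int put_u32_raw(unsigned char *buf, size_t cap, size_t *off,
		       uint16_t type, uint32_t wire)
{
	size_t need = ATTR_ALIGN(ATTR_HDRLEN + sizeof(wire));
	struct nlattr_model hdr;

	if (*off + need > cap)
		return -1;
	hdr.nla_len = (uint16_t)(ATTR_HDRLEN + sizeof(wire));
	hdr.nla_type = type;
	memcpy(buf + *off, &hdr, sizeof(hdr));
	memcpy(buf + *off + ATTR_HDRLEN, &wire, sizeof(wire));
	*off += need;
	return 0;
}

/* Before the fix: host-order value copied straight into a be32 attribute. */
static int dump_reject_type_buggy(unsigned char *buf, size_t cap,
				  size_t *off, uint32_t type)
{
	return put_u32_raw(buf, cap, off, NFTA_REJECT_TYPE_MODEL, type);
}

/* After the fix: converted to network order first. */
static int dump_reject_type_fixed(unsigned char *buf, size_t cap,
				  size_t *off, uint32_t type)
{
	return put_u32_raw(buf, cap, off, NFTA_REJECT_TYPE_MODEL, htonl(type));
}

/* Userspace side, following the nfnetlink convention that 32-bit
 * attributes are big-endian. Returns -1 if missing or malformed. */
static int parse_reject_type(const unsigned char *buf, size_t len,
			     uint32_t *out)
{
	size_t off = 0;

	while (off + ATTR_HDRLEN <= len) {
		struct nlattr_model hdr;

		memcpy(&hdr, buf + off, sizeof(hdr));
		if (hdr.nla_len < ATTR_HDRLEN || off + hdr.nla_len > len)
			return -1;
		if (hdr.nla_type == NFTA_REJECT_TYPE_MODEL) {
			uint32_t wire;

			if (hdr.nla_len - ATTR_HDRLEN != sizeof(wire))
				return -1;
			memcpy(&wire, buf + off + ATTR_HDRLEN, sizeof(wire));
			*out = ntohl(wire);
			return 0;
		}
		off += ATTR_ALIGN(hdr.nla_len);
	}
	return -1;
}

/* Dump `type` with the given function and parse it back as userspace
 * would. Returns the value userspace sees, UINT32_MAX on failure. */
static uint32_t roundtrip(int (*dump)(unsigned char *, size_t, size_t *, uint32_t),
			  uint32_t type)
{
	unsigned char buf[64];
	size_t off = 0;
	uint32_t seen;

	if (dump(buf, sizeof(buf), &off, type) < 0 ||
	    parse_reject_type(buf, off, &seen) < 0)
		return UINT32_MAX;
	return seen;
}

static int host_is_little_endian(void)
{
	uint32_t probe = 1;
	unsigned char first;

	memcpy(&first, &probe, 1);
	return first == 1;
}

int main(void)
{
	printf("fixed: %#x  buggy: %#x\n",
	       (unsigned)roundtrip(dump_reject_type_fixed, 1u),
	       (unsigned)roundtrip(dump_reject_type_buggy, 1u));
	return 0;
}
```

On a little-endian host the buggy dump makes userspace read a type of 1 (NFT_REJECT_TCP_RST in the nf_tables uapi) as 0x01000000, while on a big-endian host the two dumps are byte-for-byte identical and the bug is invisible, which is why this class of error tends to survive until someone tests on the other architecture.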

* Re: [PATCH 0/2] netfilter fixes for net
From: David Miller @ 2013-12-17 20:07 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 13 Dec 2013 19:24:57 +0100

> The following patchset contains two Netfilter fixes for your net
> tree, they are:
> 
> * Fix endianness in nft_reject, the NFTA_REJECT_TYPE netlink attribute
>   was not converted to network byte order as needed by all nfnetlink
>   subsystems, from Eric Leblond.
> 
> * Restrict SYNPROXY target to INPUT and FORWARD chains, this avoids a
>   possible crash due to misconfigurations, from Patrick McHardy.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Pulled, thanks Pablo.
