* netfilter -stable 00/04: Netfilter -stable fixes
@ 2009-09-17 11:58 Patrick McHardy
From: Patrick McHardy @ 2009-09-17 11:58 UTC (permalink / raw)
  To: stable; +Cc: netdev, Patrick McHardy, netfilter-devel, davem

The following four patches fix a couple of netfilter regressions:

- inverted logic for persistent NAT mappings, causing source mappings to
  multiple addresses to incorrectly use persistent addresses unless
  configured to do so

- conntrack cleanup in non-init namespaces

- a bridge netfilter in_device refcount leak

- an inverted return value in the ebt_ulog checkentry function, causing
  validation to fail unconditionally

Please apply, thanks!

 net/bridge/br_netfilter.c         |    2 +-
 net/bridge/netfilter/ebt_ulog.c   |    2 +-
 net/ipv4/netfilter/nf_nat_core.c  |    2 +-
 net/netfilter/nf_conntrack_core.c |    6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-)

Patrick McHardy (4):
      netfilter: nf_nat: fix inverted logic for persistent NAT mappings
      netfilter: nf_conntrack: netns fix re reliable conntrack event delivery
      netfilter: bridge: refcount fix
      netfilter: ebt_ulog: fix checkentry return value


* netfilter -stable 01/04: nf_nat: fix inverted logic for persistent NAT mappings
From: Patrick McHardy @ 2009-09-17 11:58 UTC (permalink / raw)
  To: stable; +Cc: netdev, Patrick McHardy, netfilter-devel, davem

commit c9aa9e5a37216258a9d18e42e764f423c818ad4f
Author: Patrick McHardy <kaber@trash.net>
Date:   Thu Sep 17 13:27:42 2009 +0200

    netfilter: nf_nat: fix inverted logic for persistent NAT mappings
    
    Upstream commit cce5a5c3:
    
    Kernel 2.6.30 introduced a patch [1] for the persistent option in the
    netfilter SNAT target. This is exactly what we need here so I had a quick look
    at the code and noticed that the patch is wrong. The logic is simply inverted.
    The patch below fixes this.
    
    Also note that because of this the default behavior of the SNAT target has
    changed since kernel 2.6.30 as it now ignores the destination IP in choosing
    the source IP for NATing (which should only be the case if the persistent
    option is set).
    
    [1] http://git.eu.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=98d500d66cb7940747b424b245fc6a51ecfbf005
    
    Signed-off-by: Maximilian Engelhardt <maxi@daemonizer.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 3229e0a..b6ddd56 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -212,7 +212,7 @@ find_best_ips_proto(struct nf_conntrack_tuple *tuple,
 	maxip = ntohl(range->max_ip);
 	j = jhash_2words((__force u32)tuple->src.u3.ip,
 			 range->flags & IP_NAT_RANGE_PERSISTENT ?
-				(__force u32)tuple->dst.u3.ip : 0, 0);
+				0 : (__force u32)tuple->dst.u3.ip, 0);
 	j = ((u64)j * (maxip - minip + 1)) >> 32;
 	*var_ipp = htonl(minip + j);
 }
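Review bot: the only change is swapping the two arms of the ternary at `range->flags & IP_NAT_RANGE_PERSISTENT ? 0 : (__force u32)tuple->dst.u3.ip`, which matches the message (hash the destination only when the mapping is not persistent, so a persistent source always lands on the same address), but an inline ternary buried in a `jhash_2words()` argument list is exactly what got inverted the first time; hoisting the key into a named variable with that one-line comment above it would make the intent reviewable at a glance and harder to flip again.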

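As an added illustration of the inverted ternary this commit message describes (example code written for this page, not kernel code): the SNAT source-address choice from find_best_ips_proto() re-implemented in user space with a stand-in hash, run once with the 2.6.30 arm order and once with the corrected one. The bit value of IP_NAT_RANGE_PERSISTENT, the hash function and the sample addresses are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Stand-in for the kernel's jhash_2words() (lookup3 final mix), not the
 * 2009 in-tree version; any deterministic hash shows the same effect. */
#define ROL32(x, k) (((x) << (k)) | ((x) >> (32 - (k))))
static uint32_t jhash_2words(uint32_t a, uint32_t b, uint32_t initval)
{
	uint32_t c = initval + 0xdeadbeef;
	a += 0xdeadbeef; b += 0xdeadbeef;
	c ^= b; c -= ROL32(b, 14); a ^= c; a -= ROL32(c, 11);
	b ^= a; b -= ROL32(a, 25); c ^= b; c -= ROL32(b, 16);
	a ^= c; a -= ROL32(c, 4);  b ^= a; b -= ROL32(a, 14);
	c ^= b; c -= ROL32(b, 24);
	return c;
}
#define IP_NAT_RANGE_PERSISTENT 0x8 /* assumed bit value; only its presence matters */
/* Mirrors the address choice in find_best_ips_proto() over [minip, maxip]
 * (host byte order), with the ternary as shipped in 2.6.30 (fixed == false)
 * or as corrected by upstream cce5a5c3 (fixed == true). */
static uint32_t pick_src_ip(uint32_t src, uint32_t dst, uint32_t minip,
			    uint32_t maxip, unsigned flags, bool fixed)
{
	bool persistent = flags & IP_NAT_RANGE_PERSISTENT;
	uint32_t key = fixed ? (persistent ? 0 : dst)  /* corrected arm order */
			     : (persistent ? dst : 0); /* inverted arm order */
	uint32_t j = jhash_2words(src, key, 0);
	j = (uint32_t)(((uint64_t)j * (maxip - minip + 1)) >> 32);
	return minip + j;
}
/* True when source 10.0.0.1 gets the same NAT address for every destination
 * 192.0.2.x (constructed sample, SNAT range 198.51.100.1-254). */
static bool ignores_dst(unsigned flags, bool fixed)
{
	const uint32_t src = 0x0a000001u, minip = 0xc6336401u, maxip = 0xc63364feu;
	uint32_t first = pick_src_ip(src, 0xc0000201u, minip, maxip, flags, fixed);
	for (uint32_t d = 2; d < 256; d++)
		if (pick_src_ip(src, 0xc0000200u + d, minip, maxip, flags, fixed) != first)
			return false;
	return true;
}
int main(void)
{
	printf("2.6.30 ternary: no flag ignores dst=%d, PERSISTENT ignores dst=%d\n",
	       ignores_dst(0, false), ignores_dst(IP_NAT_RANGE_PERSISTENT, false));
	printf("fixed ternary:  no flag ignores dst=%d, PERSISTENT ignores dst=%d\n",
	       ignores_dst(0, true), ignores_dst(IP_NAT_RANGE_PERSISTENT, true));
	return 0;
}
```

With the 2.6.30 arm order the unflagged case is the one that ignores the destination, which is the changed default behaviour the message points out.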

* netfilter -stable 02/04: nf_conntrack: netns fix re reliable conntrack event delivery
From: Patrick McHardy @ 2009-09-17 11:58 UTC (permalink / raw)
  To: stable; +Cc: netdev, Patrick McHardy, netfilter-devel, davem

commit 352a76c896217cfa1d61a49e5b2e3f1e9760943f
Author: Patrick McHardy <kaber@trash.net>
Date:   Thu Sep 17 13:28:48 2009 +0200

    netfilter: nf_conntrack: netns fix re reliable conntrack event delivery
    
    Upstream commit ee254fa4:
    
    Conntracks in netns other than init_net dying list were never killed.
    
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index b5869b9..b8614c6 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1089,14 +1089,14 @@ void nf_conntrack_flush_report(struct net *net, u32 pid, int report)
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_flush_report);
 
-static void nf_ct_release_dying_list(void)
+static void nf_ct_release_dying_list(struct net *net)
 {
 	struct nf_conntrack_tuple_hash *h;
 	struct nf_conn *ct;
 	struct hlist_nulls_node *n;
 
 	spin_lock_bh(&nf_conntrack_lock);
-	hlist_nulls_for_each_entry(h, n, &init_net.ct.dying, hnnode) {
+	hlist_nulls_for_each_entry(h, n, &net->ct.dying, hnnode) {
 		ct = nf_ct_tuplehash_to_ctrack(h);
 		/* never fails to remove them, no listeners at this point */
 		nf_ct_kill(ct);
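Review bot: the signature change to `nf_ct_release_dying_list(struct net *net)` and the switch from `&init_net.ct.dying` to `&net->ct.dying` are the whole fix, but the function still takes the global `nf_conntrack_lock` while walking a per-namespace list, and the comment `never fails to remove them, no listeners at this point` is now a precondition on every namespace's cleanup path rather than init_net's alone; a short comment above the function stating both would keep later netns work from breaking either assumption.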
@@ -1115,7 +1115,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
 {
  i_see_dead_people:
 	nf_ct_iterate_cleanup(net, kill_all, NULL);
-	nf_ct_release_dying_list();
+	nf_ct_release_dying_list(net);
 	if (atomic_read(&net->ct.count) != 0) {
 		schedule();
 		goto i_see_dead_people;
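Review bot: with `nf_ct_release_dying_list(net)` now called per namespace, the retry loop `if (atomic_read(&net->ct.count) != 0) { schedule(); goto i_see_dead_people; }` is where the old bug showed: entries left on a non-init namespace's dying list kept the count non-zero and cleanup looped here indefinitely. The loop remains unbounded and silent, so a rate-limited warning after a large number of passes would make any future stuck namespace teardown visible in the log rather than presenting as a hung process.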


* netfilter -stable 03/04: bridge: refcount fix
From: Patrick McHardy @ 2009-09-17 11:58 UTC (permalink / raw)
  To: stable; +Cc: netdev, Patrick McHardy, netfilter-devel, davem

commit 9f3150b57714f4e22c5f34eef484f1b38bb811b0
Author: Patrick McHardy <kaber@trash.net>
Date:   Thu Sep 17 13:30:49 2009 +0200

    netfilter: bridge: refcount fix
    
    Upstream commit f3abc9b9:
    
    commit f216f082b2b37c4943f1e7c393e2786648d48f6f
    ([NETFILTER]: bridge netfilter: deal with martians correctly)
    added a refcount leak on in_dev.
    
    Instead of using in_dev_get(), we can use __in_dev_get_rcu(),
    as netfilter hooks are running under rcu_read_lock(), as pointed
    by Patrick.
    
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index d22f611..991fe40 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -359,7 +359,7 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
 				},
 				.proto = 0,
 			};
-			struct in_device *in_dev = in_dev_get(dev);
+			struct in_device *in_dev = __in_dev_get_rcu(dev);
 
 			/* If err equals -EHOSTUNREACH the error is due to a
 			 * martian destination or due to the fact that
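Review bot: `__in_dev_get_rcu(dev)` can return NULL just as `in_dev_get(dev)` could, and the visible context does not show the NULL check, so confirm the dereference further down still guards it; also verify that no `in_dev_put()` remains on any path of this function, since with the RCU accessor a leftover put would become an unbalanced decrement instead of the old leak. A one-line comment that the hook runs under rcu_read_lock(), the justification given in the message, would document why the lockless accessor is valid at this site.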


* netfilter -stable 04/04: ebt_ulog: fix checkentry return value
From: Patrick McHardy @ 2009-09-17 11:58 UTC (permalink / raw)
  To: stable; +Cc: netdev, Patrick McHardy, netfilter-devel, davem

commit 0ca92f7712ddfd00f47417ff66edbb27c4740fec
Author: Patrick McHardy <kaber@trash.net>
Date:   Thu Sep 17 13:31:35 2009 +0200

    netfilter: ebt_ulog: fix checkentry return value
    
    Upstream commit 8a56df0a:
    
    Commit 19eda87 (netfilter: change return types of check functions for
    Ebtables extensions) broke the ebtables ulog module by missing a return
    value conversion.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 133eeae..ce50688 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -266,7 +266,7 @@ static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par)
 	if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
 		uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
 
-	return 0;
+	return true;
 }
 
 static struct xt_target ebt_ulog_tg_reg __read_mostly = {
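Review bot: `return 0` in a function declared `static bool ebt_ulog_tg_check(...)` converts silently to false with no compiler diagnostic, which is how the missed conversion from 19eda87 got through and why validation failed unconditionally; beyond the `return true` here, the other return statements of the same function (outside the visible context) deserve the same check, and the commit message would be more useful to stable readers if it named that failure mode rather than only the missed conversion.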
