* [PATCH 0/2] Netfilter/IPVS fixes for net
@ 2013-06-21 0:38 Pablo Neira Ayuso
2013-06-21 0:38 ` [PATCH 1/2] ipvs: SCTP ports should be writable in ICMP packets Pablo Neira Ayuso
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-21 0:38 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains two fixes for Netfilter/IPVS, they are:
* A skb leak fix in fragmentation handling in case that helpers are in place,
it occurs since the IPV6 NAT infrastructure, from Phil Oester.
* Fix SCTP port mangling in ICMP packets, from Julian Anastasov.
Specifically, the first one should find its path to -stable asap. I can take
care myself of it once this hits Linus' tree, let me know what you prefer.
You can pull these changes from:
Julian Anastasov (1):
ipvs: SCTP ports should be writable in ICMP packets
Phil Oester (1):
netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 2 +-
net/netfilter/ipvs/ip_vs_core.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
--
1.7.10.4
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH 1/2] ipvs: SCTP ports should be writable in ICMP packets
2013-06-21 0:38 [PATCH 0/2] Netfilter/IPVS fixes for net Pablo Neira Ayuso
@ 2013-06-21 0:38 ` Pablo Neira Ayuso
2013-06-21 0:38 ` [PATCH 2/2] netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling Pablo Neira Ayuso
2013-06-24 7:20 ` [PATCH 0/2] Netfilter/IPVS fixes for net David Miller
2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-21 0:38 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Julian Anastasov <ja@ssi.bg>
Make sure that SCTP ports are writable when embedded in ICMP
from client, so that ip_vs_nat_icmp can translate them safely.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
net/netfilter/ipvs/ip_vs_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 05565d2..23b8eb5 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1442,7 +1442,8 @@ ignore_ipip:
/* do the statistics and put it back */
ip_vs_in_stats(cp, skb);
- if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
+ if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol ||
+ IPPROTO_SCTP == cih->protocol)
offset += 2 * sizeof(__u16);
verdict = ip_vs_icmp_xmit(skb, cp, pp, offset, hooknum, &ciph);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/2] netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling
2013-06-21 0:38 [PATCH 0/2] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2013-06-21 0:38 ` [PATCH 1/2] ipvs: SCTP ports should be writable in ICMP packets Pablo Neira Ayuso
@ 2013-06-21 0:38 ` Pablo Neira Ayuso
2013-06-24 7:20 ` [PATCH 0/2] Netfilter/IPVS fixes for net David Miller
2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-21 0:38 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Phil Oester <kernel@linuxace.com>
In commit 4cdd3408 ("netfilter: nf_conntrack_ipv6: improve fragmentation
handling"), an sk_buff leak was introduced when dealing with reassembled
packets by grabbing a reference to the original skb instead of the
reassembled skb. At this point, the leak only impacted conntracks with an
associated helper.
In commit 58a317f1 ("netfilter: ipv6: add IPv6 NAT support"), the bug was
expanded to include all reassembled packets with unconfirmed conntracks.
Fix this by grabbing a reference to the proper reassembled skb. This
closes netfilter bugzilla #823.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 97bcf2b..c9b6a6e 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -204,7 +204,7 @@ static unsigned int __ipv6_conntrack_in(struct net *net,
if (ct != NULL && !nf_ct_is_untracked(ct)) {
help = nfct_help(ct);
if ((help && help->helper) || !nf_ct_is_confirmed(ct)) {
- nf_conntrack_get_reasm(skb);
+ nf_conntrack_get_reasm(reasm);
NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,
(struct net_device *)in,
(struct net_device *)out,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH 0/2] Netfilter/IPVS fixes for net
2013-06-21 0:38 [PATCH 0/2] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2013-06-21 0:38 ` [PATCH 1/2] ipvs: SCTP ports should be writable in ICMP packets Pablo Neira Ayuso
2013-06-21 0:38 ` [PATCH 2/2] netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling Pablo Neira Ayuso
@ 2013-06-24 7:20 ` David Miller
2013-06-24 9:28 ` Pablo Neira Ayuso
2 siblings, 1 reply; 5+ messages in thread
From: David Miller @ 2013-06-24 7:20 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 21 Jun 2013 02:38:39 +0200
> You can pull these changes from:
>
>
No URL specified :-)
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2013-06-24 9:28 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-06-21 0:38 [PATCH 0/2] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2013-06-21 0:38 ` [PATCH 1/2] ipvs: SCTP ports should be writable in ICMP packets Pablo Neira Ayuso
2013-06-21 0:38 ` [PATCH 2/2] netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling Pablo Neira Ayuso
2013-06-24 7:20 ` [PATCH 0/2] Netfilter/IPVS fixes for net David Miller
2013-06-24 9:28 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).