Commit 18255457 authored by David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains five Netfilter fixes for your net tree,
they are:

1) Silence a warning on falling back to vmalloc(). Since 88eab472, we can
   easily hit this warning message, that gets users confused. So let's get rid
   of it.

2) Recently when porting the template object allocation on top of kmalloc to
   fix the netns dependencies between x_tables and conntrack, the error
   checks were left unchanged. Remove IS_ERR() and check for NULL instead.
   Patch from Dan Carpenter.

3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
   Joe Stringer.

4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
   Phil Sutter.

5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
   not adjusted through our NAT infrastructure, as a result the client may
   ignore this TCP packet and TCP flow hangs until the client probes us.  Also
   from Phil Sutter.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
parents 875a74b6 3c16241c
...@@ -226,7 +226,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet, ...@@ -226,7 +226,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts); synproxy_build_options(nth, opts);
synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size); synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
niph, nth, tcp_hdr_size);
} }
static bool static bool
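Review bot: The client ACK at `synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,` now hands the flow's conntrack to the reply we emit, but nothing in the code records why, and the reason (the merge description's item 5: the SYN+ACK sequence number was not being adjusted through the NAT/seqadj path, so clients could stall) will not be visible to the next reader. I would add above the call: `/* Attach the flow's conntrack so the seqadj/NAT path rewrites the sequence numbers of the SYN+ACK we sent the client; without it the client may ignore this packet. */`. The change also relies on `skb->nfct` being non-NULL at this point; the caller is not in the hunk, so I cannot confirm where that is established. The IPv6 counterpart in ip6t_SYNPROXY's synproxy_send_client_ack makes the same change and would benefit from the same comment.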
......
...@@ -37,12 +37,13 @@ synproxy_build_ip(struct sk_buff *skb, const struct in6_addr *saddr, ...@@ -37,12 +37,13 @@ synproxy_build_ip(struct sk_buff *skb, const struct in6_addr *saddr,
} }
static void static void
synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb, synproxy_send_tcp(const struct synproxy_net *snet,
const struct sk_buff *skb, struct sk_buff *nskb,
struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo, struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
struct ipv6hdr *niph, struct tcphdr *nth, struct ipv6hdr *niph, struct tcphdr *nth,
unsigned int tcp_hdr_size) unsigned int tcp_hdr_size)
{ {
struct net *net = nf_ct_net((struct nf_conn *)nfct); struct net *net = nf_ct_net(snet->tmpl);
struct dst_entry *dst; struct dst_entry *dst;
struct flowi6 fl6; struct flowi6 fl6;
...@@ -83,7 +84,8 @@ synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb, ...@@ -83,7 +84,8 @@ synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb,
} }
static void static void
synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th, synproxy_send_client_synack(const struct synproxy_net *snet,
const struct sk_buff *skb, const struct tcphdr *th,
const struct synproxy_options *opts) const struct synproxy_options *opts)
{ {
struct sk_buff *nskb; struct sk_buff *nskb;
...@@ -119,7 +121,7 @@ synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th, ...@@ -119,7 +121,7 @@ synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
synproxy_build_options(nth, opts); synproxy_build_options(nth, opts);
synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY, synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
niph, nth, tcp_hdr_size); niph, nth, tcp_hdr_size);
} }
...@@ -163,7 +165,7 @@ synproxy_send_server_syn(const struct synproxy_net *snet, ...@@ -163,7 +165,7 @@ synproxy_send_server_syn(const struct synproxy_net *snet,
synproxy_build_options(nth, opts); synproxy_build_options(nth, opts);
synproxy_send_tcp(skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW, synproxy_send_tcp(snet, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
niph, nth, tcp_hdr_size); niph, nth, tcp_hdr_size);
} }
...@@ -203,7 +205,7 @@ synproxy_send_server_ack(const struct synproxy_net *snet, ...@@ -203,7 +205,7 @@ synproxy_send_server_ack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts); synproxy_build_options(nth, opts);
synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size); synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
} }
static void static void
...@@ -241,7 +243,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet, ...@@ -241,7 +243,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts); synproxy_build_options(nth, opts);
synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size); synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
niph, nth, tcp_hdr_size);
} }
static bool static bool
...@@ -301,7 +304,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -301,7 +304,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
XT_SYNPROXY_OPT_SACK_PERM | XT_SYNPROXY_OPT_SACK_PERM |
XT_SYNPROXY_OPT_ECN); XT_SYNPROXY_OPT_ECN);
synproxy_send_client_synack(skb, th, &opts); synproxy_send_client_synack(snet, skb, th, &opts);
return NF_DROP; return NF_DROP;
} else if (th->ack && !(th->fin || th->rst || th->syn)) { } else if (th->ack && !(th->fin || th->rst || th->syn)) {
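Review bot: In the synproxy_send_tcp hunk, `struct net *net = nf_ct_net(snet->tmpl);` replaces the cast of `nfct`, which the server-ACK caller still passes as NULL (`synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);`), yet the signature does not say that `nfct` is optional. I would add above the definition: `/* nfct may be NULL (server ACK carries no conntrack); the netns is taken from snet->tmpl, which synproxy_net_init allocates before the net is usable. */`. The body of synproxy_send_tcp past `struct flowi6 fl6;` is outside the hunk, so I cannot confirm that every remaining use of `nfct` there is guarded; worth a glance since the old code only crashed on the net lookup. The guarantee that `snet->tmpl` is non-NULL is inferred from synproxy_net_init aborting on allocation failure elsewhere in this merge.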
......
...@@ -292,7 +292,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags) ...@@ -292,7 +292,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags)
{ {
struct nf_conn *tmpl; struct nf_conn *tmpl;
tmpl = kzalloc(sizeof(struct nf_conn), GFP_KERNEL); tmpl = kzalloc(sizeof(*tmpl), flags);
if (tmpl == NULL) if (tmpl == NULL)
return NULL; return NULL;
...@@ -303,7 +303,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags) ...@@ -303,7 +303,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags)
if (zone) { if (zone) {
struct nf_conntrack_zone *nf_ct_zone; struct nf_conntrack_zone *nf_ct_zone;
nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, GFP_ATOMIC); nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, flags);
if (!nf_ct_zone) if (!nf_ct_zone)
goto out_free; goto out_free;
nf_ct_zone->id = zone; nf_ct_zone->id = zone;
...@@ -1544,10 +1544,8 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls) ...@@ -1544,10 +1544,8 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
sz = nr_slots * sizeof(struct hlist_nulls_head); sz = nr_slots * sizeof(struct hlist_nulls_head);
hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO, hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,
get_order(sz)); get_order(sz));
if (!hash) { if (!hash)
printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
hash = vzalloc(sz); hash = vzalloc(sz);
}
if (hash && nulls) if (hash && nulls)
for (i = 0; i < nr_slots; i++) for (i = 0; i < nr_slots; i++)
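Review bot: nf_ct_tmpl_alloc now honours `flags` in both `kzalloc(sizeof(*tmpl), flags)` and `nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, flags)`, but its failure contract is still only implicit in `return NULL;`, and this same merge has to correct two callers (synproxy_net_init and xt_ct_tg_check) that tested `IS_ERR()` against it. A kernel-doc block on the definition would close that gap; I would document `@flags: gfp mask used for the template and its zone extension` and `Return: the template on success, NULL on allocation failure (never an ERR_PTR)`. The function's body continues past both hunks shown, so the comment belongs on the definition at `struct nf_conn *nf_ct_tmpl_alloc(...)`. The vzalloc-fallback hunk in nf_ct_alloc_hashtable reads fine as it stands.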
......
...@@ -353,10 +353,8 @@ static int __net_init synproxy_net_init(struct net *net) ...@@ -353,10 +353,8 @@ static int __net_init synproxy_net_init(struct net *net)
int err = -ENOMEM; int err = -ENOMEM;
ct = nf_ct_tmpl_alloc(net, 0, GFP_KERNEL); ct = nf_ct_tmpl_alloc(net, 0, GFP_KERNEL);
if (IS_ERR(ct)) { if (!ct)
err = PTR_ERR(ct);
goto err1; goto err1;
}
if (!nfct_seqadj_ext_add(ct)) if (!nfct_seqadj_ext_add(ct))
goto err2; goto err2;
......
...@@ -202,9 +202,10 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, ...@@ -202,9 +202,10 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
goto err1; goto err1;
ct = nf_ct_tmpl_alloc(par->net, info->zone, GFP_KERNEL); ct = nf_ct_tmpl_alloc(par->net, info->zone, GFP_KERNEL);
ret = PTR_ERR(ct); if (!ct) {
if (IS_ERR(ct)) ret = -ENOMEM;
goto err2; goto err2;
}
ret = 0; ret = 0;
if ((info->ct_events || info->exp_events) && if ((info->ct_events || info->exp_events) &&
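Review bot: The new failure branch `if (!ct) { ret = -ENOMEM; goto err2; }` immediately followed by `ret = 0;` is heavier than the surrounding style, where the unbraced `goto err1;` at the top of the hunk is the pattern. Presetting the code keeps the error path to one line: `ret = -ENOMEM;` before the `nf_ct_tmpl_alloc()` call, then `if (!ct) goto err2;`, with the existing `ret = 0;` unchanged after it. Behaviour is identical either way, since `ret` is overwritten on the success path. xt_ct_tg_check starts and ends outside this hunk.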
......