Commit 59717f39 authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Do not allow to add conntrack helper extension for confirmed
   conntracks in the nf_tables ct expectation support.

2) Fix bogus EBUSY in nfnetlink_cthelper when NFCTH_PRIV_DATA_LEN
   is passed on userspace helper updates.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents ab00f3e0 8971ee8b
...@@ -380,10 +380,14 @@ static int ...@@ -380,10 +380,14 @@ static int
nfnl_cthelper_update(const struct nlattr * const tb[], nfnl_cthelper_update(const struct nlattr * const tb[],
struct nf_conntrack_helper *helper) struct nf_conntrack_helper *helper)
{ {
u32 size;
int ret; int ret;
if (tb[NFCTH_PRIV_DATA_LEN]) if (tb[NFCTH_PRIV_DATA_LEN]) {
size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
if (size != helper->data_len)
return -EBUSY; return -EBUSY;
}
if (tb[NFCTH_POLICY]) { if (tb[NFCTH_POLICY]) {
ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]); ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
......
...@@ -1217,7 +1217,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj, ...@@ -1217,7 +1217,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
struct nf_conn *ct; struct nf_conn *ct;
ct = nf_ct_get(pkt->skb, &ctinfo); ct = nf_ct_get(pkt->skb, &ctinfo);
if (!ct || ctinfo == IP_CT_UNTRACKED) { if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) {
regs->verdict.code = NFT_BREAK; regs->verdict.code = NFT_BREAK;
return; return;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment