
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains five Netfilter fixes for your net tree,
they are:

1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
easily hit this warning message, that gets users confused. So let's get rid
of it.

2) Recently when porting the template object allocation on top of kmalloc to
fix the netns dependencies between x_tables and conntrack, the error
checks were left unchanged. Remove IS_ERR() and check for NULL instead.
Patch from Dan Carpenter.

3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
Joe Stringer.

4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
Phil Sutter.

5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
not adjusted through our NAT infrastructure, as a result the client may
ignore this TCP packet and TCP flow hangs until the client probes us. Also
from Phil Sutter.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+20 -19
+2 -1
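--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -226,7 +226,8 @@
 
 synproxy_build_options(nth, opts);
 
-synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+niph, nth, tcp_hdr_size);
 }
 
 static bool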
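Review bot: The new synproxy_send_tcp() call at line 229 gives no hint why this particular syn+ack is now sent with `skb->nfct` and `IP_CT_ESTABLISHED_REPLY` while, judging by the ipv6 counterpart, the other callers in this file still pass `NULL, 0`; without a comment the next reader may "simplify" it back and reintroduce the unadjusted sequence number the commit message describes. Suggest one line above the call: `/* attach the client's conntrack so the syn+ack's sequence number is adjusted by the NAT infrastructure like any other reply */`. The same comment belongs on the corresponding hunk in net/ipv6/netfilter/ip6t_SYNPROXY.c. The enclosing function starts outside the hunk.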
+11 -8
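--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -37,12 +37,13 @@
 }
 
 static void
-synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb,
+synproxy_send_tcp(const struct synproxy_net *snet,
+const struct sk_buff *skb, struct sk_buff *nskb,
 struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
 struct ipv6hdr *niph, struct tcphdr *nth,
 unsigned int tcp_hdr_size)
 {
-struct net *net = nf_ct_net((struct nf_conn *)nfct);
+struct net *net = nf_ct_net(snet->tmpl);
 struct dst_entry *dst;
 struct flowi6 fl6;
 
@@ -84,7 +83,8 @@
 }
 
 static void
-synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
+synproxy_send_client_synack(const struct synproxy_net *snet,
+const struct sk_buff *skb, const struct tcphdr *th,
 const struct synproxy_options *opts)
 {
 struct sk_buff *nskb;
@@ -121,7 +119,7 @@
 
 synproxy_build_options(nth, opts);
 
-synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
 niph, nth, tcp_hdr_size);
 }
 
@@ -165,7 +163,7 @@
 
 synproxy_build_options(nth, opts);
 
-synproxy_send_tcp(skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
+synproxy_send_tcp(snet, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
 niph, nth, tcp_hdr_size);
 }
 
@@ -205,7 +203,7 @@
 
 synproxy_build_options(nth, opts);
 
-synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
 }
 
 static void
@@ -243,7 +241,8 @@
 
 synproxy_build_options(nth, opts);
 
-synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+niph, nth, tcp_hdr_size);
 }
 
 static bool
@@ -304,7 +301,7 @@
 XT_SYNPROXY_OPT_SACK_PERM |
 XT_SYNPROXY_OPT_ECN);
 
-synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);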
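Review bot: The new `struct net *net = nf_ct_net(snet->tmpl);` in synproxy_send_tcp() (new line 46) removes the NULL dereference but leaves no record of why `nfct` must not be used to reach the netns, even though the function still receives it; the caller at new line 206 still passes `NULL, 0`, so a future cleanup could reintroduce the crash. Suggest above that line: `/* nfct may be NULL for some callers; take the netns from the template conntrack instead */`. The `snet` argument is also dereferenced unconditionally, which is fine as long as every caller obtains it from the per-netns synproxy state, as the hunk at new line 304 suggests — worth a word in the function's header comment, which is outside the hunk. The same comment would help the matching net/ipv4/netfilter/ipt_SYNPROXY.c change.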
+3 -5
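--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -292,7 +292,7 @@
 {
 struct nf_conn *tmpl;
 
-tmpl = kzalloc(sizeof(struct nf_conn), GFP_KERNEL);
+tmpl = kzalloc(sizeof(*tmpl), flags);
 if (tmpl == NULL)
 return NULL;
 
@@ -303,7 +303,7 @@
 if (zone) {
 struct nf_conntrack_zone *nf_ct_zone;
 
-nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, GFP_ATOMIC);
+nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, flags);
 if (!nf_ct_zone)
 goto out_free;
 nf_ct_zone->id = zone;
@@ -1544,10 +1544,8 @@
 sz = nr_slots * sizeof(struct hlist_nulls_head);
 hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,
 get_order(sz));
-if (!hash) {
-printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
+if (!hash)
 hash = vzalloc(sz);
-}
 
 if (hash && nulls)
 for (i = 0; i < nr_slots; i++)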
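Review bot: nf_ct_tmpl_alloc() now hands the caller's `flags` to both kzalloc() at line 295 and nf_ct_ext_add() at line 306, where the zone extension previously used GFP_ATOMIC unconditionally, so the allocation context is now entirely the caller's responsibility; the function's signature and header comment are outside the hunk and should say so, otherwise a caller in atomic context that passes GFP_KERNEL out of habit will sleep where it must not. Suggest adding to the header comment: `@flags: gfp flags used for both the template and its zone extension; callers in atomic context must pass GFP_ATOMIC`. The vzalloc() fallback at new line 1547 needs no further change since `__GFP_NOWARN` on the page allocation already keeps it quiet.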
+1 -3
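--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -353,10 +353,8 @@
 int err = -ENOMEM;
 
 ct = nf_ct_tmpl_alloc(net, 0, GFP_KERNEL);
-if (IS_ERR(ct)) {
-err = PTR_ERR(ct);
+if (!ct)
 goto err1;
-}
 
 if (!nfct_seqadj_ext_add(ct))
 goto err2;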
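Review bot: The new `if (!ct) goto err1;` at line 356 only reports -ENOMEM because `err` happens to be initialised to that value at line 353, and nothing near the check says so; the matching change in net/netfilter/xt_CT.c sets `ret = -ENOMEM` right beside its NULL check, and doing the same here would make the error path self-explanatory and survive a later reordering of the initialiser. Suggest either `if (!ct) { err = -ENOMEM; goto err1; }` or keeping the one-line form with `/* err is already -ENOMEM */` above it. The enclosing function starts and ends outside the hunk.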
+3 -2
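--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -202,9 +202,10 @@
 goto err1;
 
 ct = nf_ct_tmpl_alloc(par->net, info->zone, GFP_KERNEL);
-ret = PTR_ERR(ct);
-if (IS_ERR(ct))
+if (!ct) {
+ret = -ENOMEM;
 goto err2;
+}
 
 ret = 0;
 if ((info->ct_events || info->exp_events) &&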