tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for net:
1) Fix a deadlock when module is requested via netlink_bind()
in nfnetlink, from Florian Westphal.
2) Fix ipt_rpfilter and ip6t_rpfilter with VRF, from Miaohe Lin.
3) Skip master comparison in SIP helper to fix expectation clash
under two valid scenarios, from xiao ruizhu.
4) Remove obsolete comments in nf_conntrack codebase, from
Yonatan Goldschmidt.
5) Fix redirect extension module autoload, from Christian Hesse.
6) Fix incorrect mssg option sent to client in synproxy,
from Fernando Fernandez.
7) Fix incorrect window calculations in TCP conntrack, from
Florian Westphal.
8) Don't bail out when updating basechain policy due to recent
offload works, also from Florian.
9) Allow symhash to use modulus 1 as other hash extensions do,
from Laura.Garcia.
10) Missing NAT chain module autoload for the inet family,
from Phil Sutter.
11) Fix missing adjustment of TCP RST packet in synproxy,
from Fernando Fernandez.
12) Skip EAGAIN path when nft_meta_bridge is built-in or
not selected.
13) Conntrack bridge does not depend on nf_tables_bridge.
14) Turn NF_TABLES_BRIDGE into tristate to fix possible
link break of nft_meta_bridge, from Arnd Bergmann.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
+117
-82
+1
-2
include/linux/netfilter/nf_conntrack_h323_asn1.h
+1
-2
include/linux/netfilter/nf_conntrack_h323_asn1.h
···
1
1
/* SPDX-License-Identifier: GPL-2.0-only */
2
2
/****************************************************************************
3
-
* ip_conntrack_h323_asn1.h - BER and PER decoding library for H.323
4
-
* conntrack/NAT module.
3
+
* BER and PER decoding library for H.323 conntrack/NAT module.
5
4
*
6
5
* Copyright (c) 2006 by Jing Min Zhao <zhaojingmin@users.sourceforge.net>
7
6
*
+9
-3
include/net/netfilter/nf_conntrack_expect.h
+9
-3
include/net/netfilter/nf_conntrack_expect.h
···
76
76
#define NF_CT_EXPECT_CLASS_DEFAULT 0
77
77
#define NF_CT_EXPECT_MAX_CNT 255
78
78
79
+
/* Allow to reuse expectations with the same tuples from different master
80
+
* conntracks.
81
+
*/
82
+
#define NF_CT_EXP_F_SKIP_MASTER 0x1
83
+
79
84
int nf_conntrack_expect_pernet_init(struct net *net);
80
85
void nf_conntrack_expect_pernet_fini(struct net *net);
81
86
···
127
122
u_int8_t, const __be16 *, const __be16 *);
128
123
void nf_ct_expect_put(struct nf_conntrack_expect *exp);
129
124
int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
130
-
u32 portid, int report);
131
-
static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect)
125
+
u32 portid, int report, unsigned int flags);
126
+
static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect,
127
+
unsigned int flags)
132
128
{
133
-
return nf_ct_expect_related_report(expect, 0, 0);
129
+
return nf_ct_expect_related_report(expect, 0, 0, flags);
134
130
}
135
131
136
132
#endif /*_NF_CONNTRACK_EXPECT_H*/
+1
include/net/netfilter/nf_conntrack_synproxy.h
+1
include/net/netfilter/nf_conntrack_synproxy.h
+3
-3
net/bridge/netfilter/Kconfig
+3
-3
net/bridge/netfilter/Kconfig
···
6
6
menuconfig NF_TABLES_BRIDGE
7
7
depends on BRIDGE && NETFILTER && NF_TABLES
8
8
select NETFILTER_FAMILY_BRIDGE
9
-
bool "Ethernet Bridge nf_tables support"
9
+
tristate "Ethernet Bridge nf_tables support"
10
10
11
11
if NF_TABLES_BRIDGE
12
12
···
25
25
tristate "Bridge packet logging"
26
26
select NF_LOG_COMMON
27
27
28
+
endif # NF_TABLES_BRIDGE
29
+
28
30
config NF_CONNTRACK_BRIDGE
29
31
tristate "IPv4/IPV6 bridge connection tracking support"
30
32
depends on NF_CONNTRACK
···
40
38
infrastructure.
41
39
42
40
To compile it as a module, choose M here. If unsure, say N.
43
-
44
-
endif # NF_TABLES_BRIDGE
45
41
46
42
menuconfig BRIDGE_NF_EBTABLES
47
43
tristate "Ethernet Bridge tables (ebtables) support"
+2
-2
net/ipv4/netfilter/ipt_CLUSTERIP.c
+2
-2
net/ipv4/netfilter/ipt_CLUSTERIP.c
···
416
416
ctinfo == IP_CT_RELATED_REPLY))
417
417
return XT_CONTINUE;
418
418
419
-
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
420
-
* TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
419
+
/* nf_conntrack_proto_icmp guarantees us that we only have ICMP_ECHO,
420
+
* TIMESTAMP, INFO_REQUEST or ICMP_ADDRESS type icmp packets from here
421
421
* on, which all have an ID field [relevant for hashing]. */
422
422
423
423
hash = clusterip_hashfn(skb, cipinfo->config);
+2
net/ipv4/netfilter/ipt_SYNPROXY.c
+2
net/ipv4/netfilter/ipt_SYNPROXY.c
+1
net/ipv4/netfilter/ipt_rpfilter.c
+1
net/ipv4/netfilter/ipt_rpfilter.c
···
78
78
flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
79
79
flow.flowi4_tos = RT_TOS(iph->tos);
80
80
flow.flowi4_scope = RT_SCOPE_UNIVERSE;
81
+
flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par));
81
82
82
83
return rpfilter_lookup_reverse(xt_net(par), &flow, xt_in(par), info->flags) ^ invert;
83
84
}
+6
-6
net/ipv4/netfilter/nf_nat_h323.c
+6
-6
net/ipv4/netfilter/nf_nat_h323.c
···
221
221
int ret;
222
222
223
223
rtp_exp->tuple.dst.u.udp.port = htons(nated_port);
224
-
ret = nf_ct_expect_related(rtp_exp);
224
+
ret = nf_ct_expect_related(rtp_exp, 0);
225
225
if (ret == 0) {
226
226
rtcp_exp->tuple.dst.u.udp.port =
227
227
htons(nated_port + 1);
228
-
ret = nf_ct_expect_related(rtcp_exp);
228
+
ret = nf_ct_expect_related(rtcp_exp, 0);
229
229
if (ret == 0)
230
230
break;
231
231
else if (ret == -EBUSY) {
···
296
296
int ret;
297
297
298
298
exp->tuple.dst.u.tcp.port = htons(nated_port);
299
-
ret = nf_ct_expect_related(exp);
299
+
ret = nf_ct_expect_related(exp, 0);
300
300
if (ret == 0)
301
301
break;
302
302
else if (ret != -EBUSY) {
···
352
352
int ret;
353
353
354
354
exp->tuple.dst.u.tcp.port = htons(nated_port);
355
-
ret = nf_ct_expect_related(exp);
355
+
ret = nf_ct_expect_related(exp, 0);
356
356
if (ret == 0)
357
357
break;
358
358
else if (ret != -EBUSY) {
···
444
444
int ret;
445
445
446
446
exp->tuple.dst.u.tcp.port = htons(nated_port);
447
-
ret = nf_ct_expect_related(exp);
447
+
ret = nf_ct_expect_related(exp, 0);
448
448
if (ret == 0)
449
449
break;
450
450
else if (ret != -EBUSY) {
···
537
537
int ret;
538
538
539
539
exp->tuple.dst.u.tcp.port = htons(nated_port);
540
-
ret = nf_ct_expect_related(exp);
540
+
ret = nf_ct_expect_related(exp, 0);
541
541
if (ret == 0)
542
542
break;
543
543
else if (ret != -EBUSY) {
+2
net/ipv6/netfilter/ip6t_SYNPROXY.c
+2
net/ipv6/netfilter/ip6t_SYNPROXY.c
+6
-2
net/ipv6/netfilter/ip6t_rpfilter.c
+6
-2
net/ipv6/netfilter/ip6t_rpfilter.c
···
55
55
if (rpfilter_addr_linklocal(&iph->saddr)) {
56
56
lookup_flags |= RT6_LOOKUP_F_IFACE;
57
57
fl6.flowi6_oif = dev->ifindex;
58
-
} else if ((flags & XT_RPFILTER_LOOSE) == 0)
58
+
/* Set flowi6_oif for vrf devices to lookup route in l3mdev domain. */
59
+
} else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev) ||
60
+
(flags & XT_RPFILTER_LOOSE) == 0)
59
61
fl6.flowi6_oif = dev->ifindex;
60
62
61
63
rt = (void *)ip6_route_lookup(net, &fl6, skb, lookup_flags);
···
72
70
goto out;
73
71
}
74
72
75
-
if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE))
73
+
if (rt->rt6i_idev->dev == dev ||
74
+
l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == dev->ifindex ||
75
+
(flags & XT_RPFILTER_LOOSE))
76
76
ret = true;
77
77
out:
78
78
ip6_rt_put(rt);
+2
-4
net/netfilter/Kconfig
+2
-4
net/netfilter/Kconfig
···
223
223
of Network Address Translation on them.
224
224
225
225
This is FTP support on Layer 3 independent connection tracking.
226
-
Layer 3 independent connection tracking is experimental scheme
227
-
which generalize ip_conntrack to support other layer 3 protocols.
228
226
229
227
To compile it as a module, choose M here. If unsure, say N.
230
228
···
336
338
help
337
339
SIP is an application-layer control protocol that can establish,
338
340
modify, and terminate multimedia sessions (conferences) such as
339
-
Internet telephony calls. With the ip_conntrack_sip and
341
+
Internet telephony calls. With the nf_conntrack_sip and
340
342
the nf_nat_sip modules you can support the protocol on a connection
341
343
tracking/NATing firewall.
342
344
···
1311
1313
depends on NETFILTER_ADVANCED
1312
1314
help
1313
1315
Helper matching allows you to match packets in dynamic connections
1314
-
tracked by a conntrack-helper, ie. ip_conntrack_ftp
1316
+
tracked by a conntrack-helper, ie. nf_conntrack_ftp
1315
1317
1316
1318
To compile it as a module, choose M here. If unsure, say Y.
1317
1319
+1
-1
net/netfilter/ipvs/ip_vs_nfct.c
+1
-1
net/netfilter/ipvs/ip_vs_nfct.c
+1
-1
net/netfilter/nf_conntrack_amanda.c
+1
-1
net/netfilter/nf_conntrack_amanda.c
···
159
159
if (nf_nat_amanda && ct->status & IPS_NAT_MASK)
160
160
ret = nf_nat_amanda(skb, ctinfo, protoff,
161
161
off - dataoff, len, exp);
162
-
else if (nf_ct_expect_related(exp) != 0) {
162
+
else if (nf_ct_expect_related(exp, 0) != 0) {
163
163
nf_ct_helper_log(skb, ct, "cannot add expectation");
164
164
ret = NF_DROP;
165
165
}
+1
-1
net/netfilter/nf_conntrack_broadcast.c
+1
-1
net/netfilter/nf_conntrack_broadcast.c
+1
-3
net/netfilter/nf_conntrack_core.c
+1
-3
net/netfilter/nf_conntrack_core.c
···
1817
1817
#include <linux/netfilter/nfnetlink_conntrack.h>
1818
1818
#include <linux/mutex.h>
1819
1819
1820
-
/* Generic function for tcp/udp/sctp/dccp and alike. This needs to be
1821
-
* in ip_conntrack_core, since we don't want the protocols to autoload
1822
-
* or depend on ctnetlink */
1820
+
/* Generic function for tcp/udp/sctp/dccp and alike. */
1823
1821
int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
1824
1822
const struct nf_conntrack_tuple *tuple)
1825
1823
{
+19
-7
net/netfilter/nf_conntrack_expect.c
+19
-7
net/netfilter/nf_conntrack_expect.c
···
249
249
static inline int expect_matches(const struct nf_conntrack_expect *a,
250
250
const struct nf_conntrack_expect *b)
251
251
{
252
-
return a->master == b->master &&
253
-
nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
252
+
return nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
254
253
nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
255
254
net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) &&
256
255
nf_ct_zone_equal_any(a->master, nf_ct_zone(b->master));
256
+
}
257
+
258
+
static bool master_matches(const struct nf_conntrack_expect *a,
259
+
const struct nf_conntrack_expect *b,
260
+
unsigned int flags)
261
+
{
262
+
if (flags & NF_CT_EXP_F_SKIP_MASTER)
263
+
return true;
264
+
265
+
return a->master == b->master;
257
266
}
258
267
259
268
/* Generally a bad idea to call this: could have matched already. */
···
408
399
nf_ct_remove_expect(last);
409
400
}
410
401
411
-
static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
402
+
static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
403
+
unsigned int flags)
412
404
{
413
405
const struct nf_conntrack_expect_policy *p;
414
406
struct nf_conntrack_expect *i;
···
427
417
}
428
418
h = nf_ct_expect_dst_hash(net, &expect->tuple);
429
419
hlist_for_each_entry_safe(i, next, &nf_ct_expect_hash[h], hnode) {
430
-
if (expect_matches(i, expect)) {
431
-
if (i->class != expect->class)
420
+
if (master_matches(i, expect, flags) &&
421
+
expect_matches(i, expect)) {
422
+
if (i->class != expect->class ||
423
+
i->master != expect->master)
432
424
return -EALREADY;
433
425
434
426
if (nf_ct_remove_expect(i))
···
465
453
}
466
454
467
455
int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
468
-
u32 portid, int report)
456
+
u32 portid, int report, unsigned int flags)
469
457
{
470
458
int ret;
471
459
472
460
spin_lock_bh(&nf_conntrack_expect_lock);
473
-
ret = __nf_ct_expect_check(expect);
461
+
ret = __nf_ct_expect_check(expect, flags);
474
462
if (ret < 0)
475
463
goto out;
476
464
+1
-1
net/netfilter/nf_conntrack_ftp.c
+1
-1
net/netfilter/nf_conntrack_ftp.c
···
525
525
protoff, matchoff, matchlen, exp);
526
526
else {
527
527
/* Can't expect this? Best to drop packet now. */
528
-
if (nf_ct_expect_related(exp) != 0) {
528
+
if (nf_ct_expect_related(exp, 0) != 0) {
529
529
nf_ct_helper_log(skb, ct, "cannot add expectation");
530
530
ret = NF_DROP;
531
531
} else
+2
-3
net/netfilter/nf_conntrack_h323_asn1.c
+2
-3
net/netfilter/nf_conntrack_h323_asn1.c
···
1
1
// SPDX-License-Identifier: GPL-2.0-only
2
2
/*
3
-
* ip_conntrack_helper_h323_asn1.c - BER and PER decoding library for H.323
4
-
* conntrack/NAT module.
3
+
* BER and PER decoding library for H.323 conntrack/NAT module.
5
4
*
6
5
* Copyright (c) 2006 by Jing Min Zhao <zhaojingmin@users.sourceforge.net>
7
6
*
8
-
* See ip_conntrack_helper_h323_asn1.h for details.
7
+
* See nf_conntrack_helper_h323_asn1.h for details.
9
8
*/
10
9
11
10
#ifdef __KERNEL__
+9
-9
net/netfilter/nf_conntrack_h323_main.c
+9
-9
net/netfilter/nf_conntrack_h323_main.c
···
305
305
ret = nat_rtp_rtcp(skb, ct, ctinfo, protoff, data, dataoff,
306
306
taddr, port, rtp_port, rtp_exp, rtcp_exp);
307
307
} else { /* Conntrack only */
308
-
if (nf_ct_expect_related(rtp_exp) == 0) {
309
-
if (nf_ct_expect_related(rtcp_exp) == 0) {
308
+
if (nf_ct_expect_related(rtp_exp, 0) == 0) {
309
+
if (nf_ct_expect_related(rtcp_exp, 0) == 0) {
310
310
pr_debug("nf_ct_h323: expect RTP ");
311
311
nf_ct_dump_tuple(&rtp_exp->tuple);
312
312
pr_debug("nf_ct_h323: expect RTCP ");
···
364
364
ret = nat_t120(skb, ct, ctinfo, protoff, data, dataoff, taddr,
365
365
port, exp);
366
366
} else { /* Conntrack only */
367
-
if (nf_ct_expect_related(exp) == 0) {
367
+
if (nf_ct_expect_related(exp, 0) == 0) {
368
368
pr_debug("nf_ct_h323: expect T.120 ");
369
369
nf_ct_dump_tuple(&exp->tuple);
370
370
} else
···
701
701
ret = nat_h245(skb, ct, ctinfo, protoff, data, dataoff, taddr,
702
702
port, exp);
703
703
} else { /* Conntrack only */
704
-
if (nf_ct_expect_related(exp) == 0) {
704
+
if (nf_ct_expect_related(exp, 0) == 0) {
705
705
pr_debug("nf_ct_q931: expect H.245 ");
706
706
nf_ct_dump_tuple(&exp->tuple);
707
707
} else
···
825
825
protoff, data, dataoff,
826
826
taddr, port, exp);
827
827
} else { /* Conntrack only */
828
-
if (nf_ct_expect_related(exp) == 0) {
828
+
if (nf_ct_expect_related(exp, 0) == 0) {
829
829
pr_debug("nf_ct_q931: expect Call Forwarding ");
830
830
nf_ct_dump_tuple(&exp->tuple);
831
831
} else
···
1284
1284
ret = nat_q931(skb, ct, ctinfo, protoff, data,
1285
1285
taddr, i, port, exp);
1286
1286
} else { /* Conntrack only */
1287
-
if (nf_ct_expect_related(exp) == 0) {
1287
+
if (nf_ct_expect_related(exp, 0) == 0) {
1288
1288
pr_debug("nf_ct_ras: expect Q.931 ");
1289
1289
nf_ct_dump_tuple(&exp->tuple);
1290
1290
···
1349
1349
IPPROTO_UDP, NULL, &port);
1350
1350
exp->helper = nf_conntrack_helper_ras;
1351
1351
1352
-
if (nf_ct_expect_related(exp) == 0) {
1352
+
if (nf_ct_expect_related(exp, 0) == 0) {
1353
1353
pr_debug("nf_ct_ras: expect RAS ");
1354
1354
nf_ct_dump_tuple(&exp->tuple);
1355
1355
} else
···
1561
1561
exp->flags = NF_CT_EXPECT_PERMANENT;
1562
1562
exp->helper = nf_conntrack_helper_q931;
1563
1563
1564
-
if (nf_ct_expect_related(exp) == 0) {
1564
+
if (nf_ct_expect_related(exp, 0) == 0) {
1565
1565
pr_debug("nf_ct_ras: expect Q.931 ");
1566
1566
nf_ct_dump_tuple(&exp->tuple);
1567
1567
} else
···
1615
1615
exp->flags = NF_CT_EXPECT_PERMANENT;
1616
1616
exp->helper = nf_conntrack_helper_q931;
1617
1617
1618
-
if (nf_ct_expect_related(exp) == 0) {
1618
+
if (nf_ct_expect_related(exp, 0) == 0) {
1619
1619
pr_debug("nf_ct_ras: expect Q.931 ");
1620
1620
nf_ct_dump_tuple(&exp->tuple);
1621
1621
} else
+1
-1
net/netfilter/nf_conntrack_irc.c
+1
-1
net/netfilter/nf_conntrack_irc.c
+2
-2
net/netfilter/nf_conntrack_netlink.c
+2
-2
net/netfilter/nf_conntrack_netlink.c
···
2616
2616
if (IS_ERR(exp))
2617
2617
return PTR_ERR(exp);
2618
2618
2619
-
err = nf_ct_expect_related_report(exp, portid, report);
2619
+
err = nf_ct_expect_related_report(exp, portid, report, 0);
2620
2620
nf_ct_expect_put(exp);
2621
2621
return err;
2622
2622
}
···
3367
3367
goto err_rcu;
3368
3368
}
3369
3369
3370
-
err = nf_ct_expect_related_report(exp, portid, report);
3370
+
err = nf_ct_expect_related_report(exp, portid, report, 0);
3371
3371
nf_ct_expect_put(exp);
3372
3372
err_rcu:
3373
3373
rcu_read_unlock();
+2
-2
net/netfilter/nf_conntrack_pptp.c
+2
-2
net/netfilter/nf_conntrack_pptp.c
···
234
234
nf_nat_pptp_exp_gre = rcu_dereference(nf_nat_pptp_hook_exp_gre);
235
235
if (nf_nat_pptp_exp_gre && ct->status & IPS_NAT_MASK)
236
236
nf_nat_pptp_exp_gre(exp_orig, exp_reply);
237
-
if (nf_ct_expect_related(exp_orig) != 0)
237
+
if (nf_ct_expect_related(exp_orig, 0) != 0)
238
238
goto out_put_both;
239
-
if (nf_ct_expect_related(exp_reply) != 0)
239
+
if (nf_ct_expect_related(exp_reply, 0) != 0)
240
240
goto out_unexpect_orig;
241
241
242
242
/* Add GRE keymap entries */
-2
net/netfilter/nf_conntrack_proto_gre.c
-2
net/netfilter/nf_conntrack_proto_gre.c
+1
-1
net/netfilter/nf_conntrack_proto_icmp.c
+1
-1
net/netfilter/nf_conntrack_proto_icmp.c
+5
-3
net/netfilter/nf_conntrack_proto_tcp.c
+5
-3
net/netfilter/nf_conntrack_proto_tcp.c
···
472
472
struct ip_ct_tcp_state *receiver = &state->seen[!dir];
473
473
const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
474
474
__u32 seq, ack, sack, end, win, swin;
475
+
u16 win_raw;
475
476
s32 receiver_offset;
476
477
bool res, in_recv_win;
477
478
···
481
480
*/
482
481
seq = ntohl(tcph->seq);
483
482
ack = sack = ntohl(tcph->ack_seq);
484
-
win = ntohs(tcph->window);
483
+
win_raw = ntohs(tcph->window);
484
+
win = win_raw;
485
485
end = segment_seq_plus_len(seq, skb->len, dataoff, tcph);
486
486
487
487
if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
···
657
655
&& state->last_seq == seq
658
656
&& state->last_ack == ack
659
657
&& state->last_end == end
660
-
&& state->last_win == win)
658
+
&& state->last_win == win_raw)
661
659
state->retrans++;
662
660
else {
663
661
state->last_dir = dir;
664
662
state->last_seq = seq;
665
663
state->last_ack = ack;
666
664
state->last_end = end;
667
-
state->last_win = win;
665
+
state->last_win = win_raw;
668
666
state->retrans = 0;
669
667
}
670
668
}
+1
-1
net/netfilter/nf_conntrack_sane.c
+1
-1
net/netfilter/nf_conntrack_sane.c
+7
-3
net/netfilter/nf_conntrack_sip.c
+7
-3
net/netfilter/nf_conntrack_sip.c
···
977
977
/* -EALREADY handling works around end-points that send
978
978
* SDP messages with identical port but different media type,
979
979
* we pretend expectation was set up.
980
+
* It also works in the case that SDP messages are sent with
981
+
* identical expect tuples but for different master conntracks.
980
982
*/
981
-
int errp = nf_ct_expect_related(rtp_exp);
983
+
int errp = nf_ct_expect_related(rtp_exp,
984
+
NF_CT_EXP_F_SKIP_MASTER);
982
985
983
986
if (errp == 0 || errp == -EALREADY) {
984
-
int errcp = nf_ct_expect_related(rtcp_exp);
987
+
int errcp = nf_ct_expect_related(rtcp_exp,
988
+
NF_CT_EXP_F_SKIP_MASTER);
985
989
986
990
if (errcp == 0 || errcp == -EALREADY)
987
991
ret = NF_ACCEPT;
···
1300
1296
ret = hooks->expect(skb, protoff, dataoff, dptr, datalen,
1301
1297
exp, matchoff, matchlen);
1302
1298
else {
1303
-
if (nf_ct_expect_related(exp) != 0) {
1299
+
if (nf_ct_expect_related(exp, 0) != 0) {
1304
1300
nf_ct_helper_log(skb, ct, "cannot add expectation");
1305
1301
ret = NF_DROP;
1306
1302
} else
+1
-1
net/netfilter/nf_conntrack_tftp.c
+1
-1
net/netfilter/nf_conntrack_tftp.c
···
78
78
nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook);
79
79
if (nf_nat_tftp && ct->status & IPS_NAT_MASK)
80
80
ret = nf_nat_tftp(skb, ctinfo, exp);
81
-
else if (nf_ct_expect_related(exp) != 0) {
81
+
else if (nf_ct_expect_related(exp, 0) != 0) {
82
82
nf_ct_helper_log(skb, ct, "cannot add expectation");
83
83
ret = NF_DROP;
84
84
}
+1
-1
net/netfilter/nf_nat_amanda.c
+1
-1
net/netfilter/nf_nat_amanda.c
+1
-1
net/netfilter/nf_nat_core.c
+1
-1
net/netfilter/nf_nat_core.c
···
519
519
* and NF_INET_LOCAL_OUT, we change the destination to map into the
520
520
* range. It might not be possible to get a unique tuple, but we try.
521
521
* At worst (or if we race), we will end up with a final duplicate in
522
-
* __ip_conntrack_confirm and drop the packet. */
522
+
* __nf_conntrack_confirm and drop the packet. */
523
523
static void
524
524
get_unique_tuple(struct nf_conntrack_tuple *tuple,
525
525
const struct nf_conntrack_tuple *orig_tuple,
+1
-1
net/netfilter/nf_nat_ftp.c
+1
-1
net/netfilter/nf_nat_ftp.c
+1
-1
net/netfilter/nf_nat_irc.c
+1
-1
net/netfilter/nf_nat_irc.c
+5
-3
net/netfilter/nf_nat_sip.c
+5
-3
net/netfilter/nf_nat_sip.c
···
414
414
int ret;
415
415
416
416
exp->tuple.dst.u.udp.port = htons(port);
417
-
ret = nf_ct_expect_related(exp);
417
+
ret = nf_ct_expect_related(exp, NF_CT_EXP_F_SKIP_MASTER);
418
418
if (ret == 0)
419
419
break;
420
420
else if (ret != -EBUSY) {
···
607
607
int ret;
608
608
609
609
rtp_exp->tuple.dst.u.udp.port = htons(port);
610
-
ret = nf_ct_expect_related(rtp_exp);
610
+
ret = nf_ct_expect_related(rtp_exp,
611
+
NF_CT_EXP_F_SKIP_MASTER);
611
612
if (ret == -EBUSY)
612
613
continue;
613
614
else if (ret < 0) {
···
616
615
break;
617
616
}
618
617
rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
619
-
ret = nf_ct_expect_related(rtcp_exp);
618
+
ret = nf_ct_expect_related(rtcp_exp,
619
+
NF_CT_EXP_F_SKIP_MASTER);
620
620
if (ret == 0)
621
621
break;
622
622
else if (ret == -EBUSY) {
+1
-1
net/netfilter/nf_nat_tftp.c
+1
-1
net/netfilter/nf_nat_tftp.c
···
30
30
= ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
31
31
exp->dir = IP_CT_DIR_REPLY;
32
32
exp->expectfn = nf_nat_follow_master;
33
-
if (nf_ct_expect_related(exp) != 0) {
33
+
if (nf_ct_expect_related(exp, 0) != 0) {
34
34
nf_ct_helper_log(skb, exp->master, "cannot add expectation");
35
35
return NF_DROP;
36
36
}
+4
-4
net/netfilter/nf_synproxy_core.c
+4
-4
net/netfilter/nf_synproxy_core.c
···
470
470
struct iphdr *iph, *niph;
471
471
struct tcphdr *nth;
472
472
unsigned int tcp_hdr_size;
473
-
u16 mss = opts->mss;
473
+
u16 mss = opts->mss_encode;
474
474
475
475
iph = ip_hdr(skb);
476
476
···
687
687
state = &ct->proto.tcp;
688
688
switch (state->state) {
689
689
case TCP_CONNTRACK_CLOSE:
690
-
if (th->rst && !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
690
+
if (th->rst && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
691
691
nf_ct_seqadj_init(ct, ctinfo, synproxy->isn -
692
692
ntohl(th->seq) + 1);
693
693
break;
···
884
884
struct ipv6hdr *iph, *niph;
885
885
struct tcphdr *nth;
886
886
unsigned int tcp_hdr_size;
887
-
u16 mss = opts->mss;
887
+
u16 mss = opts->mss_encode;
888
888
889
889
iph = ipv6_hdr(skb);
890
890
···
1111
1111
state = &ct->proto.tcp;
1112
1112
switch (state->state) {
1113
1113
case TCP_CONNTRACK_CLOSE:
1114
-
if (th->rst && !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
1114
+
if (th->rst && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
1115
1115
nf_ct_seqadj_init(ct, ctinfo, synproxy->isn -
1116
1116
ntohl(th->seq) + 1);
1117
1117
break;
+2
net/netfilter/nf_tables_api.c
+2
net/netfilter/nf_tables_api.c
+1
-1
net/netfilter/nfnetlink.c
+1
-1
net/netfilter/nfnetlink.c
+1
-1
net/netfilter/nft_chain_filter.c
+1
-1
net/netfilter/nft_chain_filter.c
+3
net/netfilter/nft_chain_nat.c
+3
net/netfilter/nft_chain_nat.c
+1
-1
net/netfilter/nft_ct.c
+1
-1
net/netfilter/nft_ct.c
+1
-1
net/netfilter/nft_hash.c
+1
-1
net/netfilter/nft_hash.c
+1
-1
net/netfilter/nft_meta.c
+1
-1
net/netfilter/nft_meta.c
···
546
546
if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG])
547
547
return ERR_PTR(-EINVAL);
548
548
549
-
#ifdef CONFIG_NF_TABLES_BRIDGE
549
+
#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) && IS_MODULE(CONFIG_NFT_BRIDGE_META)
550
550
if (ctx->family == NFPROTO_BRIDGE)
551
551
return ERR_PTR(-EAGAIN);
552
552
#endif
+1
-1
net/netfilter/nft_redir.c
+1
-1
net/netfilter/nft_redir.c
+2
net/netfilter/nft_synproxy.c
+2
net/netfilter/nft_synproxy.c