Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix chain filtering when dumping rules via nf_tables_dump_rules().

2) Fix accidental change in NF_CT_STATE_UNTRACKED_BIT through uapi,
introduced when removing the untracked conntrack object, from
Florian Westphal.

3) Fix potential null-dereference when releasing dump filter in
nf_tables_dump_obj_done(), patch from Hangbin Liu.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+6 -4
+1 -1
include/uapi/linux/netfilter/nf_conntrack_common.h
··· 36 36 37 37 #define NF_CT_STATE_INVALID_BIT (1 << 0) 38 38 #define NF_CT_STATE_BIT(ctinfo) (1 << ((ctinfo) % IP_CT_IS_REPLY + 1)) 39 - #define NF_CT_STATE_UNTRACKED_BIT (1 << (IP_CT_UNTRACKED + 1)) 39 + #define NF_CT_STATE_UNTRACKED_BIT (1 << 6) 40 40 41 41 /* Bitset representing status of connection. */ 42 42 enum ip_conntrack_status {
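Review bot: the literal `(1 << 6)` on the `+` line restores the uapi value, but nothing in the header now records why this bit is hard-coded while the neighbouring `NF_CT_STATE_BIT(ctinfo)` macro derives its bit from the ctinfo value; add a short comment on that line, e.g. `/* uapi: must stay at bit 6, do not re-derive from IP_CT_UNTRACKED */`, so a later cleanup does not reintroduce the `(1 << (IP_CT_UNTRACKED + 1))` form and silently change the exported ABI again, which is exactly what the commit message says happened when the untracked conntrack object was removed.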
+5 -3
net/netfilter/nf_tables_api.c
··· 2072 2072 continue; 2073 2073 2074 2074 list_for_each_entry_rcu(chain, &table->chains, list) { 2075 - if (ctx && ctx->chain[0] && 2075 + if (ctx && ctx->chain && 2076 2076 strcmp(ctx->chain, chain->name) != 0) 2077 2077 continue; 2078 2078 ··· 4665 4665 { 4666 4666 struct nft_obj_filter *filter = cb->data; 4667 4667 4668 - kfree(filter->table); 4669 - kfree(filter); 4668 + if (filter) { 4669 + kfree(filter->table); 4670 + kfree(filter); 4671 + } 4670 4672 4671 4673 return 0; 4672 4674 }
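Review bot: in the first hunk (line 2075), the removed condition `ctx->chain[0]` dereferences `ctx->chain` before checking it, so a dump context whose chain filter pointer is NULL faulted; the replacement `ctx && ctx->chain` tests the pointer first and makes the following `strcmp(ctx->chain, chain->name)` safe. One behavioural difference is worth confirming against the code that fills `ctx->chain`: an empty string previously disabled chain filtering, whereas it will now be handed to `strcmp()` and match no chain, so the filter parser should never store an empty name.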
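Review bot: in the second hunk (line 4668), only `filter->table` actually needs the guard, since `kfree()` accepts a NULL pointer; wrapping both calls in `if (filter)` is correct, but a one-line comment stating that `cb->data` is NULL when the dump was started without a filter would stop a future reader from collapsing the block back to the unconditional `kfree(filter->table)` that caused the dereference. An early exit, `if (!filter) return 0;`, would also keep the release path flat and make the NULL case explicit at the top of the function.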