
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables

Pablo Neira Ayuso says:

====================
This batch contains five nf_tables patches for your net-next tree,
they are:

* Fix possible use after free in the module removal path of the
x_tables compatibility layer, from Dan Carpenter.

* Add filter chain type for the bridge family, from myself.

* Fix Kconfig dependencies of the nf_tables bridge family with
the core, from myself.

* Fix sparse warnings in nft_nat, from Tomasz Bursztyka.

* Remove duplicated include in the IPv4 family support for nf_tables,
from Wei Yongjun.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+52 -11
+1
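--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -3,6 +3,7 @@
 #
 #
 config NF_TABLES_BRIDGE
+	depends on NF_TABLES
 	tristate "Ethernet Bridge nf_tables support"
 
 menuconfig BRIDGE_NF_EBTABLES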
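Review bot: `depends on NF_TABLES` is inserted between `config NF_TABLES_BRIDGE` and its `tristate` prompt; the usual Kconfig layout puts the type/prompt line first and the dependencies after it, i.e. `tristate "Ethernet Bridge nf_tables support"` followed by `depends on NF_TABLES`. This is a style point only; the dependency itself is the right fix for the build problem the merge message describes.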
+39 -2
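--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -48,14 +47,50 @@
 	.exit = nf_tables_bridge_exit_net,
 };
 
+static unsigned int
+nft_do_chain_bridge(const struct nf_hook_ops *ops,
+		    struct sk_buff *skb,
+		    const struct net_device *in,
+		    const struct net_device *out,
+		    int (*okfn)(struct sk_buff *))
+{
+	struct nft_pktinfo pkt;
+
+	nft_set_pktinfo(&pkt, ops, skb, in, out);
+
+	return nft_do_chain_pktinfo(&pkt, ops);
+}
+
+static struct nf_chain_type filter_bridge = {
+	.family = NFPROTO_BRIDGE,
+	.name = "filter",
+	.type = NFT_CHAIN_T_DEFAULT,
+	.hook_mask = (1 << NF_BR_LOCAL_IN) |
+		     (1 << NF_BR_FORWARD) |
+		     (1 << NF_BR_LOCAL_OUT),
+	.fn = {
+		[NF_BR_LOCAL_IN] = nft_do_chain_bridge,
+		[NF_BR_FORWARD] = nft_do_chain_bridge,
+		[NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
+	},
+};
+
 static int __init nf_tables_bridge_init(void)
 {
-	return register_pernet_subsys(&nf_tables_bridge_net_ops);
+	int ret;
+
+	nft_register_chain_type(&filter_bridge);
+	ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
+	if (ret < 0)
+		nft_unregister_chain_type(&filter_bridge);
+
+	return ret;
 }
 
 static void __exit nf_tables_bridge_exit(void)
 {
-	return unregister_pernet_subsys(&nf_tables_bridge_net_ops);
+	unregister_pernet_subsys(&nf_tables_bridge_net_ops);
+	nft_unregister_chain_type(&filter_bridge);
 }
 
 module_init(nf_tables_bridge_init);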
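Review bot: The return value of nft_register_chain_type(&filter_bridge) is discarded in nf_tables_bridge_init, so if the core rejects the registration (its definition is outside this page, but it appears to report an error code, for instance when a "filter" type already exists for this family) the module still loads with no usable chain type and, on unload, unregisters a type it never owned. Check it before touching the pernet subsystem: `ret = nft_register_chain_type(&filter_bridge);` / `if (ret < 0)` / `return ret;`. The error path that already undoes the chain-type registration when register_pernet_subsys() fails is correct and should stay as written.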
-1
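--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -16,7 +16,6 @@
 #include <net/netfilter/nf_tables.h>
 #include <net/net_namespace.h>
 #include <net/ip.h>
-#include <net/net_namespace.h>
 #include <net/netfilter/nf_tables_ipv4.h>
 
 static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,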
+4 -4
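--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -634,9 +634,9 @@
 
 static void nft_match_release(void)
 {
-	struct nft_xt *nft_match;
+	struct nft_xt *nft_match, *tmp;
 
-	list_for_each_entry(nft_match, &nft_match_list, head)
+	list_for_each_entry_safe(nft_match, tmp, &nft_match_list, head)
 		kfree(nft_match);
 }
 
@@ -705,9 +705,9 @@
 
 static void nft_target_release(void)
 {
-	struct nft_xt *nft_target;
+	struct nft_xt *nft_target, *tmp;
 
-	list_for_each_entry(nft_target, &nft_target_list, head)
+	list_for_each_entry_safe(nft_target, tmp, &nft_target_list, head)
 		kfree(nft_target);
 }
 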
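Review bot: nft_match_release and nft_target_release (both hunks) now walk the lists safely, but they free each entry in place without unlinking it, so after the call the list heads still point at freed memory; that is only sound if nothing touches nft_match_list or nft_target_list afterwards, which presumably holds because these run from the module exit path (the callers are outside this hunk), but the code does not say so. A one-line comment on each function, e.g. `/* module exit only: entries are freed in place, the list head dies with the module */`, would stop a future caller from reusing the lists after release. If either function could ever run earlier, a `list_del(&nft_match->head)` before the kfree() would be needed instead.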
+8 -4
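--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -47,8 +47,10 @@
 	memset(&range, 0, sizeof(range));
 	if (priv->sreg_addr_min) {
 		if (priv->family == AF_INET) {
-			range.min_addr.ip = data[priv->sreg_addr_min].data[0];
-			range.max_addr.ip = data[priv->sreg_addr_max].data[0];
+			range.min_addr.ip = (__force __be32)
+					data[priv->sreg_addr_min].data[0];
+			range.max_addr.ip = (__force __be32)
+					data[priv->sreg_addr_max].data[0];
 
 		} else {
 			memcpy(range.min_addr.ip6,
@@ -64,8 +62,10 @@
 	}
 
 	if (priv->sreg_proto_min) {
-		range.min_proto.all = data[priv->sreg_proto_min].data[0];
-		range.max_proto.all = data[priv->sreg_proto_max].data[0];
+		range.min_proto.all = (__force __be16)
+					data[priv->sreg_proto_min].data[0];
+		range.max_proto.all = (__force __be16)
+					data[priv->sreg_proto_max].data[0];
 		range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
 	}
 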
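Review bot: The `(__force __be32)` and `(__force __be16)` casts in both hunks silence sparse but record nothing about why the raw register word may be treated as network-order data, which is the only case in which a forced cast is a fix rather than a masked byte-order bug; presumably the register contents are written in network order by the data-loading path, but that path is outside this hunk. A short comment above the first cast, e.g. `/* registers carry network-order data; __force only marks the cast as intentional for sparse */`, would document that assumption for the next reader. The enclosing function begins before and ends after these hunks.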