diff options
| author | David S. Miller <davem@davemloft.net> | 2016-06-07 20:14:10 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-06-07 20:14:10 -0400 |
| commit | 32565644580de57e67b700f7ddbf658e0fc43a35 (patch) | |
| tree | a5f4d7974762b4f85bf9c95c4812abc50d30b8e8 /net | |
| parent | ce3cf4ec0305919fc69a972f6c2b2efd35d36abc (diff) | |
| parent | 3ec10d3a2ba591c87da94219c1e46b02ae97757a (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter/IPVS fixes for net
The following patchset contains two Netfilter/IPVS fixes for your net
tree, they are:
1) Fix missing alignment in next offset calculation for standard
targets, introduced in the previous merge window, patch from
Florian Westphal.
2) Fix to correct the handling of outgoing connections which use the
SIP-pe such that the binding of a real-server is updated when needed.
This was an omission from changes introduced by Marco Angaroni in
the previous merge window too, to allow handling of outgoing
connections by the SIP-pe. Patch and report came via Simon Horman.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/ipvs/ip_vs_conn.c | 5 | ||||
| -rw-r--r-- | net/netfilter/ipvs/ip_vs_core.c | 5 | ||||
| -rw-r--r-- | net/netfilter/x_tables.c | 4 |
3 files changed, 8 insertions, 6 deletions
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c index 2cb3c626cd43..096a45103f14 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c +++ b/net/netfilter/ipvs/ip_vs_conn.c | |||
| @@ -762,7 +762,7 @@ static int expire_quiescent_template(struct netns_ipvs *ipvs, | |||
| 762 | * If available, return 1, otherwise invalidate this connection | 762 | * If available, return 1, otherwise invalidate this connection |
| 763 | * template and return 0. | 763 | * template and return 0. |
| 764 | */ | 764 | */ |
| 765 | int ip_vs_check_template(struct ip_vs_conn *ct) | 765 | int ip_vs_check_template(struct ip_vs_conn *ct, struct ip_vs_dest *cdest) |
| 766 | { | 766 | { |
| 767 | struct ip_vs_dest *dest = ct->dest; | 767 | struct ip_vs_dest *dest = ct->dest; |
| 768 | struct netns_ipvs *ipvs = ct->ipvs; | 768 | struct netns_ipvs *ipvs = ct->ipvs; |
| @@ -772,7 +772,8 @@ int ip_vs_check_template(struct ip_vs_conn *ct) | |||
| 772 | */ | 772 | */ |
| 773 | if ((dest == NULL) || | 773 | if ((dest == NULL) || |
| 774 | !(dest->flags & IP_VS_DEST_F_AVAILABLE) || | 774 | !(dest->flags & IP_VS_DEST_F_AVAILABLE) || |
| 775 | expire_quiescent_template(ipvs, dest)) { | 775 | expire_quiescent_template(ipvs, dest) || |
| 776 | (cdest && (dest != cdest))) { | ||
| 776 | IP_VS_DBG_BUF(9, "check_template: dest not available for " | 777 | IP_VS_DBG_BUF(9, "check_template: dest not available for " |
| 777 | "protocol %s s:%s:%d v:%s:%d " | 778 | "protocol %s s:%s:%d v:%s:%d " |
| 778 | "-> d:%s:%d\n", | 779 | "-> d:%s:%d\n", |
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 1207f20d24e4..2c1b498a7a27 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c | |||
| @@ -321,7 +321,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc, | |||
| 321 | 321 | ||
| 322 | /* Check if a template already exists */ | 322 | /* Check if a template already exists */ |
| 323 | ct = ip_vs_ct_in_get(¶m); | 323 | ct = ip_vs_ct_in_get(¶m); |
| 324 | if (!ct || !ip_vs_check_template(ct)) { | 324 | if (!ct || !ip_vs_check_template(ct, NULL)) { |
| 325 | struct ip_vs_scheduler *sched; | 325 | struct ip_vs_scheduler *sched; |
| 326 | 326 | ||
| 327 | /* | 327 | /* |
| @@ -1154,7 +1154,8 @@ struct ip_vs_conn *ip_vs_new_conn_out(struct ip_vs_service *svc, | |||
| 1154 | vport, ¶m) < 0) | 1154 | vport, ¶m) < 0) |
| 1155 | return NULL; | 1155 | return NULL; |
| 1156 | ct = ip_vs_ct_in_get(¶m); | 1156 | ct = ip_vs_ct_in_get(¶m); |
| 1157 | if (!ct) { | 1157 | /* check if template exists and points to the same dest */ |
| 1158 | if (!ct || !ip_vs_check_template(ct, dest)) { | ||
| 1158 | ct = ip_vs_conn_new(¶m, dest->af, daddr, dport, | 1159 | ct = ip_vs_conn_new(¶m, dest->af, daddr, dport, |
| 1159 | IP_VS_CONN_F_TEMPLATE, dest, 0); | 1160 | IP_VS_CONN_F_TEMPLATE, dest, 0); |
| 1160 | if (!ct) { | 1161 | if (!ct) { |
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index c69c892231d7..2675d580c490 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c | |||
| @@ -612,7 +612,7 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems, | |||
| 612 | return -EINVAL; | 612 | return -EINVAL; |
| 613 | 613 | ||
| 614 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && | 614 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && |
| 615 | target_offset + sizeof(struct compat_xt_standard_target) != next_offset) | 615 | COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset) |
| 616 | return -EINVAL; | 616 | return -EINVAL; |
| 617 | 617 | ||
| 618 | /* compat_xt_entry match has less strict aligment requirements, | 618 | /* compat_xt_entry match has less strict aligment requirements, |
| @@ -694,7 +694,7 @@ int xt_check_entry_offsets(const void *base, | |||
| 694 | return -EINVAL; | 694 | return -EINVAL; |
| 695 | 695 | ||
| 696 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && | 696 | if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 && |
| 697 | target_offset + sizeof(struct xt_standard_target) != next_offset) | 697 | XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset) |
| 698 | return -EINVAL; | 698 | return -EINVAL; |
| 699 | 699 | ||
| 700 | return xt_check_entry_match(elems, base + target_offset, | 700 | return xt_check_entry_match(elems, base + target_offset, |