diff options
| author | David S. Miller <davem@davemloft.net> | 2017-02-27 09:17:43 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-02-27 09:17:43 -0500 |
| commit | 4ca257eed6adf58d325c39c320a06dbcd34c43db (patch) | |
| tree | d9fd5197a37746f4b0622ed162dccc26a8f26519 | |
| parent | 51fb60eb162ab84c5edf2ae9c63cf0b878e5547e (diff) | |
| parent | 13aa5a8f498dacd5f1a8e35be72af47e630fb8c6 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains netfilter fixes for you net tree,
they are:
1) Missing ct zone size in the nft_ct initialization path, patch
from Florian Westphal.
2) Two patches for netfilter uapi headers, one to remove unnecessary
sysctl.h inclusion and another to fix compilation of xt_hashlimit.h
in userspace, from Dmitry V. Levin.
3) Patch to fix a sloppy change in nf_ct_expect that incorrectly
simplified nf_ct_expect_related_report() in the previous nf-next
batch. This also includes another patch for __nf_ct_expect_check()
to report success by returning 0 to keep it consistent with other
existing functions. From Jarno Rajahalme.
4) The ->walk() iterator of the new bitmap set type goes over the real
bitmap size, this results in incorrect dumps when NFTA_SET_USERDATA
is used.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/uapi/linux/netfilter.h | 1 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/xt_hashlimit.h | 1 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_expect.c | 6 | ||||
| -rw-r--r-- | net/netfilter/nft_ct.c | 1 | ||||
| -rw-r--r-- | net/netfilter/nft_set_bitmap.c | 2 |
5 files changed, 6 insertions, 5 deletions
diff --git a/include/uapi/linux/netfilter.h b/include/uapi/linux/netfilter.h index 7550e9176a54..c111a91adcc0 100644 --- a/include/uapi/linux/netfilter.h +++ b/include/uapi/linux/netfilter.h | |||
| @@ -3,7 +3,6 @@ | |||
| 3 | 3 | ||
| 4 | #include <linux/types.h> | 4 | #include <linux/types.h> |
| 5 | #include <linux/compiler.h> | 5 | #include <linux/compiler.h> |
| 6 | #include <linux/sysctl.h> | ||
| 7 | #include <linux/in.h> | 6 | #include <linux/in.h> |
| 8 | #include <linux/in6.h> | 7 | #include <linux/in6.h> |
| 9 | 8 | ||
diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h index 3efc0ca18345..79da349f1060 100644 --- a/include/uapi/linux/netfilter/xt_hashlimit.h +++ b/include/uapi/linux/netfilter/xt_hashlimit.h | |||
| @@ -2,6 +2,7 @@ | |||
| 2 | #define _UAPI_XT_HASHLIMIT_H | 2 | #define _UAPI_XT_HASHLIMIT_H |
| 3 | 3 | ||
| 4 | #include <linux/types.h> | 4 | #include <linux/types.h> |
| 5 | #include <linux/limits.h> | ||
| 5 | #include <linux/if.h> | 6 | #include <linux/if.h> |
| 6 | 7 | ||
| 7 | /* timings are in milliseconds. */ | 8 | /* timings are in milliseconds. */ |
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index e19a69787d99..4b2e1fb28bb4 100644 --- a/net/netfilter/nf_conntrack_expect.c +++ b/net/netfilter/nf_conntrack_expect.c | |||
| @@ -410,7 +410,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect) | |||
| 410 | struct net *net = nf_ct_exp_net(expect); | 410 | struct net *net = nf_ct_exp_net(expect); |
| 411 | struct hlist_node *next; | 411 | struct hlist_node *next; |
| 412 | unsigned int h; | 412 | unsigned int h; |
| 413 | int ret = 1; | 413 | int ret = 0; |
| 414 | 414 | ||
| 415 | if (!master_help) { | 415 | if (!master_help) { |
| 416 | ret = -ESHUTDOWN; | 416 | ret = -ESHUTDOWN; |
| @@ -460,14 +460,14 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, | |||
| 460 | 460 | ||
| 461 | spin_lock_bh(&nf_conntrack_expect_lock); | 461 | spin_lock_bh(&nf_conntrack_expect_lock); |
| 462 | ret = __nf_ct_expect_check(expect); | 462 | ret = __nf_ct_expect_check(expect); |
| 463 | if (ret <= 0) | 463 | if (ret < 0) |
| 464 | goto out; | 464 | goto out; |
| 465 | 465 | ||
| 466 | nf_ct_expect_insert(expect); | 466 | nf_ct_expect_insert(expect); |
| 467 | 467 | ||
| 468 | spin_unlock_bh(&nf_conntrack_expect_lock); | 468 | spin_unlock_bh(&nf_conntrack_expect_lock); |
| 469 | nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report); | 469 | nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report); |
| 470 | return ret; | 470 | return 0; |
| 471 | out: | 471 | out: |
| 472 | spin_unlock_bh(&nf_conntrack_expect_lock); | 472 | spin_unlock_bh(&nf_conntrack_expect_lock); |
| 473 | return ret; | 473 | return ret; |
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index c6b8022c0e47..bf548a7a71ec 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c | |||
| @@ -528,6 +528,7 @@ static int nft_ct_set_init(const struct nft_ctx *ctx, | |||
| 528 | if (!nft_ct_tmpl_alloc_pcpu()) | 528 | if (!nft_ct_tmpl_alloc_pcpu()) |
| 529 | return -ENOMEM; | 529 | return -ENOMEM; |
| 530 | nft_ct_pcpu_template_refcnt++; | 530 | nft_ct_pcpu_template_refcnt++; |
| 531 | len = sizeof(u16); | ||
| 531 | break; | 532 | break; |
| 532 | #endif | 533 | #endif |
| 533 | default: | 534 | default: |
diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c index 97f9649bcc7e..152d226552c1 100644 --- a/net/netfilter/nft_set_bitmap.c +++ b/net/netfilter/nft_set_bitmap.c | |||
| @@ -258,7 +258,7 @@ static int nft_bitmap_init(const struct nft_set *set, | |||
| 258 | { | 258 | { |
| 259 | struct nft_bitmap *priv = nft_set_priv(set); | 259 | struct nft_bitmap *priv = nft_set_priv(set); |
| 260 | 260 | ||
| 261 | priv->bitmap_size = nft_bitmap_total_size(set->klen); | 261 | priv->bitmap_size = nft_bitmap_size(set->klen); |
| 262 | 262 | ||
| 263 | return 0; | 263 | return 0; |
| 264 | } | 264 | } |