Diffstat (limited to 'net')
| -rw-r--r-- | net/bridge/netfilter/ebt_ip6.c | 8 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_SYNPROXY.c | 1 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 | ||||
| -rw-r--r-- | net/netfilter/Kconfig | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_core.c | 3 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_seqadj.c | 4 | ||||
| -rw-r--r-- | net/netfilter/nf_synproxy_core.c | 7 | ||||
| -rw-r--r-- | net/netfilter/nft_compat.c | 19 |
8 files changed, 29 insertions, 16 deletions
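diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 99c85668f551..17fd5f2cb4b8 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -48,10 +48,12 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
 if (info->bitmask & EBT_IP6_TCLASS &&
 FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
 return false;
-if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
-&info->saddr), EBT_IP6_SOURCE) ||
+if ((info->bitmask & EBT_IP6_SOURCE &&
+FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
+&info->saddr), EBT_IP6_SOURCE)) ||
+(info->bitmask & EBT_IP6_DEST &&
 FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
-&info->daddr), EBT_IP6_DEST))
+&info->daddr), EBT_IP6_DEST)))
 return false;
 if (info->bitmask & EBT_IP6_PROTO) {
 uint8_t nexthdr = ih6->nexthdr;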
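Review bot: The combined source/destination test at new lines 51-56 nests three levels of parentheses around two independent conditions, so the precedence of `&` inside `&&` inside `||` has to be checked by eye every time the line is touched; splitting it into two guard statements in the shape of the EBT_IP6_TCLASS test just above reads the same and keeps each check self-contained. With the bitmask now gating the address comparison, an EBT_IP6_SOURCE or EBT_IP6_DEST bit that appears only in invflags is silently ignored; if ebt_ip6_mt_check (not in this hunk) does not already reject invflags bits that are absent from bitmask, that validation belongs there so a misbuilt rule fails at load time rather than matching everything. ebt_ip6_mt continues past the end of the hunk.
```c
	if (info->bitmask & EBT_IP6_SOURCE &&
	    FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
				       &info->saddr), EBT_IP6_SOURCE))
		return false;
	if (info->bitmask & EBT_IP6_DEST &&
	    FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
				       &info->daddr), EBT_IP6_DEST))
		return false;
	/* … unchanged: EBT_IP6_PROTO handling … */
```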
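diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 01cffeaa0085..f13bd91d9a56 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -244,6 +244,7 @@ synproxy_recv_client_ack(const struct synproxy_net *snet,
 
 this_cpu_inc(snet->stats->cookie_valid);
 opts->mss = mss;
+opts->options |= XT_SYNPROXY_OPT_MSS;
 
 if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
 synproxy_check_timestamp_cookie(opts);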
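Review bot: The added `opts->options |= XT_SYNPROXY_OPT_MSS;` at new line 247 has no comment saying why the bit has to be raised here, and nothing in the three visible lines makes it obvious: `opts->mss` is filled from the `mss` value recovered from the cookie on the line above rather than from any option parsed off the client's ACK, so presumably whatever builds the SYN towards the server only emits an MSS option when this flag is set and the assignment alone would be dropped. A one-line why-comment above the pair, e.g. `/* mss was recovered from the cookie, not parsed from the ACK: flag it so the server-side SYN carries it */`, would stop the next reader from removing the line as redundant. Whether the SYN builder consults the flag is inferred from its name and should be confirmed against the sender (outside this hunk). synproxy_recv_client_ack starts and ends outside the hunk.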
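diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index bf9f612c1bc2..f78f41aca8e9 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -259,6 +259,7 @@ synproxy_recv_client_ack(const struct synproxy_net *snet,
 
 this_cpu_inc(snet->stats->cookie_valid);
 opts->mss = mss;
+opts->options |= XT_SYNPROXY_OPT_MSS;
 
 if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
 synproxy_check_timestamp_cookie(opts);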
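Review bot: The four lines around new line 262 are a verbatim copy of the IPv4 synproxy_recv_client_ack in ipt_SYNPROXY.c, and this commit had to apply the identical one-line fix in both files, which is exactly how the two drifted apart in the first place. The post-validation bookkeeping (`opts->mss = mss; opts->options |= XT_SYNPROXY_OPT_MSS;` followed by the timestamp-cookie check) is address-family independent and would fit a small shared helper in nf_synproxy_core.c that both callers invoke, so the next fix lands once. If the two functions differ elsewhere in ways not visible here, the helper can be limited to just this tail. synproxy_recv_client_ack starts and ends outside the hunk.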
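diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 48acec17e27a..c3398cd99b94 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -909,7 +909,7 @@ config NETFILTER_XT_MATCH_CONNLABEL
 connection simultaneously.
 
 config NETFILTER_XT_MATCH_CONNLIMIT
-tristate '"connlimit" match support"'
+tristate '"connlimit" match support'
 depends on NF_CONNTRACK
 depends on NETFILTER_ADVANCED
 ---help---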
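diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index e22d950c60b3..43549eb7a7be 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -764,9 +764,10 @@ void nf_conntrack_free(struct nf_conn *ct)
 struct net *net = nf_ct_net(ct);
 
 nf_ct_ext_destroy(ct);
-atomic_dec(&net->ct.count);
 nf_ct_ext_free(ct);
 kmem_cache_free(net->ct.nf_conntrack_cachep, ct);
+smp_mb__before_atomic_dec();
+atomic_dec(&net->ct.count);
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_free);
 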
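Review bot: The relocated `atomic_dec(&net->ct.count)` at new lines 769-770 carries no comment on why it now has to be the final statement of nf_conntrack_free(), so a later cleanup can move it back next to nf_ct_ext_destroy() where old line 767 had it and silently reintroduce whatever race this fixes. The motivation is not visible in the hunk; presumably some teardown path waits for ct.count to reach zero and then destroys nf_conntrack_cachep, in which case decrementing before kmem_cache_free() would free into a cache that may already be gone. I would add `/* must be last: a waiter on ct.count == 0 may destroy nf_conntrack_cachep */` above the barrier, naming the actual waiter once confirmed, and note that `net` is captured at line 764 before the object is freed, so dereferencing it after kmem_cache_free() is safe. The smp_mb__before_atomic_dec() only orders this side; the reader that polls the count with atomic_read() needs the matching barrier on its side, which is worth checking outside this hunk.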
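diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index 5f9bfd060dea..17c1bcb182c6 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -41,8 +41,8 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
 spin_lock_bh(&ct->lock);
 this_way = &seqadj->seq[dir];
 if (this_way->offset_before == this_way->offset_after ||
-before(this_way->correction_pos, seq)) {
-this_way->correction_pos = seq;
+before(this_way->correction_pos, ntohl(seq))) {
+this_way->correction_pos = ntohl(seq);
 this_way->offset_before = this_way->offset_after;
 this_way->offset_after += off;
 }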
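Review bot: `ntohl(seq)` is evaluated twice at new lines 44-45, once in the before() comparison and once in the assignment, which invites the two to diverge on the next edit; hoisting it into one local also documents the byte order of the parameter: `u32 seq_host = ntohl(seq);` before the `if`, then `before(this_way->correction_pos, seq_host)` and `this_way->correction_pos = seq_host;`. The old code fed a network-order value to before() against a host-order correction_pos, so on little-endian hosts the "is this adjustment newer" test compared the wrong number and the correction position was stored byte-swapped; the parameter's declaration is not in the hunk, but if `seq` is `__be32` this is the kind of mix-up sparse's endian checking reports, so keeping the annotation on the prototype accurate is worth a look. nf_ct_seqadj_set begins before this hunk and continues after it.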
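diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index cdf4567ba9b3..9858e3e51a3a 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -151,9 +151,10 @@ void synproxy_init_timestamp_cookie(const struct xt_synproxy_info *info,
 opts->tsecr = opts->tsval;
 opts->tsval = tcp_time_stamp & ~0x3f;
 
-if (opts->options & XT_SYNPROXY_OPT_WSCALE)
-opts->tsval |= info->wscale;
-else
+if (opts->options & XT_SYNPROXY_OPT_WSCALE) {
+opts->tsval |= opts->wscale;
+opts->wscale = info->wscale;
+} else
 opts->tsval |= 0xf;
 
 if (opts->options & XT_SYNPROXY_OPT_SACK_PERM)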
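Review bot: The two statements at new lines 155-156 are order-sensitive and nothing says so: `opts->tsval |= opts->wscale` has to read the client's window scale before `opts->wscale = info->wscale` overwrites it with the configured value, and swapping them would quietly go back to encoding our own scale in the cookie, which is the bug the old line 155 had. I would put a comment above the block along the lines of `/* stash the client's wscale in the cookie's low bits (read back from tsecr later) and advertise our own; keep this order */`. The low 6 bits of tsval are cleared on line 152 and 0xf marks "no wscale" in the else branch, so this presumably relies on the client-supplied wscale being at most 14; if the option parser that fills opts->wscale (not in this hunk) does not clamp it, a larger value would collide with the sentinel or spill into the bits the following SACK_PERM test appears to use. synproxy_init_timestamp_cookie continues past the hunk.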
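diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index a82667c64729..da0c1f4ada12 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -128,7 +128,7 @@ static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1]
 [NFTA_RULE_COMPAT_FLAGS] = { .type = NLA_U32 },
 };
 
-static u8 nft_parse_compat(const struct nlattr *attr, bool *inv)
+static int nft_parse_compat(const struct nlattr *attr, u8 *proto, bool *inv)
 {
 struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1];
 u32 flags;
@@ -148,7 +148,8 @@ static u8 nft_parse_compat(const struct nlattr *attr, bool *inv)
 if (flags & NFT_RULE_COMPAT_F_INV)
 *inv = true;
 
-return ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
+*proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
+return 0;
 }
 
 static int
@@ -166,8 +167,11 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 
 target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info);
 
-if (ctx->nla[NFTA_RULE_COMPAT])
-proto = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &inv);
+if (ctx->nla[NFTA_RULE_COMPAT]) {
+ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
+if (ret < 0)
+goto err;
+}
 
 nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);
 
@@ -356,8 +360,11 @@ nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 
 match_compat_from_user(match, nla_data(tb[NFTA_MATCH_INFO]), info);
 
-if (ctx->nla[NFTA_RULE_COMPAT])
-proto = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &inv);
+if (ctx->nla[NFTA_RULE_COMPAT]) {
+ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
+if (ret < 0)
+goto err;
+}
 
 nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);
 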
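Review bot: `*proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]))` at new line 151 stores a userspace-supplied 32-bit attribute into a `u8` with no range check, so anything above 255 is silently truncated (0x106 becomes 6, IPPROTO_TCP) and the rule is installed with an L4 protocol the caller never asked for; now that the function returns an error code, rejecting those values with -EINVAL costs a few lines and turns a silent mismatch into a loud one. The presence check for the attribute and the flags validation sit in the part of the body elided between lines 134 and 148, so I am assuming tb[NFTA_RULE_COMPAT_PROTO] is guaranteed non-NULL at this point. In both callers the new `goto err` depends on `ret` being what the err label returns and on `proto` and `inv` having been initialised before the `if` for the no-NFTA_RULE_COMPAT case; neither is visible in the hunks, so worth a glance. nft_parse_compat, nft_target_init and nft_match_init all extend outside the hunks.
```c
	/* … unchanged: nested-attribute parsing and flags checks … */
	u32 l4proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));

	if (l4proto > U8_MAX)
		return -EINVAL;
	*proto = l4proto;
	return 0;
```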
