Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
netfilter fixes for net

The following patchset contains fixes for your net tree, they are:

* Remove extra quote from connlimit configuration in Kconfig, from
  Randy Dunlap.

* Fix missing mss option in syn packets sent to the backend in our
  new synproxy target, from Martin Topholm.

* Use window scale announced by client when sending the forged
  syn to the backend, from Martin Topholm.

* Fix IPv6 address comparison in ebtables, from Luís Fernando
  Cornachioni Estrozi.

* Fix wrong endianess in sequence adjustment which breaks helpers
  in NAT configurations, from Phil Oester.

* Fix the error path handling of nft_compat, from me.

* Make sure the global conntrack counter is decremented after the
  object has been released, also from me.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

8 files changed, 29 insertions, 16 deletions

diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 99c85668f551..17fd5f2cb4b8 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -48,10 +48,12 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
         if (info->bitmask & EBT_IP6_TCLASS &&
            FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
                 return false;
-        if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
-                                       &info->saddr), EBT_IP6_SOURCE) ||
+        if ((info->bitmask & EBT_IP6_SOURCE &&
+            FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
+                                       &info->saddr), EBT_IP6_SOURCE)) ||
+            (info->bitmask & EBT_IP6_DEST &&
             FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
-                                       &info->daddr), EBT_IP6_DEST))
+                                       &info->daddr), EBT_IP6_DEST)))
                 return false;
         if (info->bitmask & EBT_IP6_PROTO) {
                 uint8_t nexthdr = ih6->nexthdr;
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 01cffeaa0085..f13bd91d9a56 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -244,6 +244,7 @@ synproxy_recv_client_ack(const struct synproxy_net *snet,
 
         this_cpu_inc(snet->stats->cookie_valid);
         opts->mss = mss;
+        opts->options |= XT_SYNPROXY_OPT_MSS;
 
         if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
                 synproxy_check_timestamp_cookie(opts);
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index bf9f612c1bc2..f78f41aca8e9 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -259,6 +259,7 @@ synproxy_recv_client_ack(const struct synproxy_net *snet,
 
         this_cpu_inc(snet->stats->cookie_valid);
         opts->mss = mss;
+        opts->options |= XT_SYNPROXY_OPT_MSS;
 
         if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
                 synproxy_check_timestamp_cookie(opts);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 48acec17e27a..c3398cd99b94 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -909,7 +909,7 @@ config NETFILTER_XT_MATCH_CONNLABEL
           connection simultaneously.
 
 config NETFILTER_XT_MATCH_CONNLIMIT
-        tristate '"connlimit" match support"'
+        tristate '"connlimit" match support'
         depends on NF_CONNTRACK
         depends on NETFILTER_ADVANCED
         ---help---
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index e22d950c60b3..43549eb7a7be 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -764,9 +764,10 @@ void nf_conntrack_free(struct nf_conn *ct)
         struct net *net = nf_ct_net(ct);
 
         nf_ct_ext_destroy(ct);
-        atomic_dec(&net->ct.count);
         nf_ct_ext_free(ct);
         kmem_cache_free(net->ct.nf_conntrack_cachep, ct);
+        smp_mb__before_atomic_dec();
+        atomic_dec(&net->ct.count);
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_free);
 
diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index 5f9bfd060dea..17c1bcb182c6 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -41,8 +41,8 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
         spin_lock_bh(&ct->lock);
         this_way = &seqadj->seq[dir];
         if (this_way->offset_before == this_way->offset_after ||
-            before(this_way->correction_pos, seq)) {
-                this_way->correction_pos = seq;
+            before(this_way->correction_pos, ntohl(seq))) {
+                this_way->correction_pos = ntohl(seq);
                 this_way->offset_before  = this_way->offset_after;
                 this_way->offset_after  += off;
         }
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index cdf4567ba9b3..9858e3e51a3a 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -151,9 +151,10 @@ void synproxy_init_timestamp_cookie(const struct xt_synproxy_info *info,
         opts->tsecr = opts->tsval;
         opts->tsval = tcp_time_stamp & ~0x3f;
 
-        if (opts->options & XT_SYNPROXY_OPT_WSCALE)
-                opts->tsval |= info->wscale;
-        else
+        if (opts->options & XT_SYNPROXY_OPT_WSCALE) {
+                opts->tsval |= opts->wscale;
+                opts->wscale = info->wscale;
+        } else
                 opts->tsval |= 0xf;
 
         if (opts->options & XT_SYNPROXY_OPT_SACK_PERM)
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index a82667c64729..da0c1f4ada12 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -128,7 +128,7 @@ static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1]
         [NFTA_RULE_COMPAT_FLAGS]        = { .type = NLA_U32 },
 };
 
-static u8 nft_parse_compat(const struct nlattr *attr, bool *inv)
+static int nft_parse_compat(const struct nlattr *attr, u8 *proto, bool *inv)
 {
         struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1];
         u32 flags;
@@ -148,7 +148,8 @@ static u8 nft_parse_compat(const struct nlattr *attr, bool *inv)
         if (flags & NFT_RULE_COMPAT_F_INV)
                 *inv = true;
 
-        return ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
+        *proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
+        return 0;
 }
 
 static int
@@ -166,8 +167,11 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 
         target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info);
 
-        if (ctx->nla[NFTA_RULE_COMPAT])
-                proto = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &inv);
+        if (ctx->nla[NFTA_RULE_COMPAT]) {
+                ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
+                if (ret < 0)
+                        goto err;
+        }
 
         nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);
 
@@ -356,8 +360,11 @@ nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 
         match_compat_from_user(match, nla_data(tb[NFTA_MATCH_INFO]), info);
 
-        if (ctx->nla[NFTA_RULE_COMPAT])
-                proto = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &inv);
+        if (ctx->nla[NFTA_RULE_COMPAT]) {
+                ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
+                if (ret < 0)
+                        goto err;
+        }
 
         nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);