Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter fixes for your net tree, they are:

1) Fix a leak in IPVS, the sysctl table is not released accordingly when
   destroying a netns, patch from Tommi Rantala.

2) Fix a build error when TPROXY and socket are built-in but IPv6 defrag is
   compiled as module, from Florian Westphal.

3) Fix TCP tracket wrt. RFC5961 challenge ACK when in LAST_ACK state, patch
   from Jesper Dangaard Brouer.

4) Fix a bogus WARN_ON() in nf_tables when deleting a set element that stores
   a map, from Mirek Kratochvil.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

5 files changed, 42 insertions, 5 deletions

diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
index 9993a421201c..ef9f80f0f529 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
@@ -42,6 +42,9 @@ enum tcp_conntrack {
 /* The field td_maxack has been set */
 #define IP_CT_TCP_FLAG_MAXACK_SET               0x20
 
+/* Marks possibility for expected RFC5961 challenge ACK */
+#define IP_CT_EXP_CHALLENGE_ACK                 0x40
+
 struct nf_ct_tcp_flags {
         __u8 flags;
         __u8 mask;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index f70e34a68f70..a0f3e6a3c7d1 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -863,6 +863,7 @@ config NETFILTER_XT_TARGET_TPROXY
         depends on NETFILTER_XTABLES
         depends on NETFILTER_ADVANCED
         depends on (IPV6 || IPV6=n)
+        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
         depends on IP_NF_MANGLE
         select NF_DEFRAG_IPV4
         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
@@ -1356,6 +1357,7 @@ config NETFILTER_XT_MATCH_SOCKET
         depends on NETFILTER_ADVANCED
         depends on !NF_CONNTRACK || NF_CONNTRACK
         depends on (IPV6 || IPV6=n)
+        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
         select NF_DEFRAG_IPV4
         select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
         help
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 49532672f66d..285eae3a1454 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3823,6 +3823,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
         cancel_work_sync(&ipvs->defense_work.work);
         unregister_net_sysctl_table(ipvs->sysctl_hdr);
         ip_vs_stop_estimator(net, &ipvs->tot_stats);
+
+        if (!net_eq(net, &init_net))
+                kfree(ipvs->sysctl_tbl);
 }
 
 #else
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 5caa0c41bf26..70383de72054 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -202,7 +202,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  *      sES -> sES      :-)
  *      sFW -> sCW      Normal close request answered by ACK.
  *      sCW -> sCW
- *      sLA -> sTW      Last ACK detected.
+ *      sLA -> sTW      Last ACK detected (RFC5961 challenged)
  *      sTW -> sTW      Retransmitted last ACK. Remain in the same state.
  *      sCL -> sCL
  */
@@ -261,7 +261,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  *      sES -> sES      :-)
  *      sFW -> sCW      Normal close request answered by ACK.
  *      sCW -> sCW
- *      sLA -> sTW      Last ACK detected.
+ *      sLA -> sTW      Last ACK detected (RFC5961 challenged)
  *      sTW -> sTW      Retransmitted last ACK.
  *      sCL -> sCL
  */
@@ -906,6 +906,7 @@ static int tcp_packet(struct nf_conn *ct,
                                         1 : ct->proto.tcp.last_win;
                         ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
                                 ct->proto.tcp.last_wscale;
+                        ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
                         ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
                                 ct->proto.tcp.last_flags;
                         memset(&ct->proto.tcp.seen[dir], 0,
@@ -923,7 +924,9 @@ static int tcp_packet(struct nf_conn *ct,
                  * may be in sync but we are not. In that case, we annotate
                  * the TCP options and let the packet go through. If it is a
                  * valid SYN packet, the server will reply with a SYN/ACK, and
-                 * then we'll get in sync. Otherwise, the server ignores it. */
+                 * then we'll get in sync. Otherwise, the server potentially
+                 * responds with a challenge ACK if implementing RFC5961.
+                 */
                 if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
                         struct ip_ct_tcp_state seen = {};
 
@@ -939,6 +942,13 @@ static int tcp_packet(struct nf_conn *ct,
                                 ct->proto.tcp.last_flags |=
                                         IP_CT_TCP_FLAG_SACK_PERM;
                         }
+                        /* Mark the potential for RFC5961 challenge ACK,
+                         * this pose a special problem for LAST_ACK state
+                         * as ACK is intrepretated as ACKing last FIN.
+                         */
+                        if (old_state == TCP_CONNTRACK_LAST_ACK)
+                                ct->proto.tcp.last_flags |=
+                                        IP_CT_EXP_CHALLENGE_ACK;
                 }
                 spin_unlock_bh(&ct->lock);
                 if (LOG_INVALID(net, IPPROTO_TCP))
@@ -970,6 +980,25 @@ static int tcp_packet(struct nf_conn *ct,
                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
                                   "nf_ct_tcp: invalid state ");
                 return -NF_ACCEPT;
+        case TCP_CONNTRACK_TIME_WAIT:
+                /* RFC5961 compliance cause stack to send "challenge-ACK"
+                 * e.g. in response to spurious SYNs.  Conntrack MUST
+                 * not believe this ACK is acking last FIN.
+                 */
+                if (old_state == TCP_CONNTRACK_LAST_ACK &&
+                    index == TCP_ACK_SET &&
+                    ct->proto.tcp.last_dir != dir &&
+                    ct->proto.tcp.last_index == TCP_SYN_SET &&
+                    (ct->proto.tcp.last_flags & IP_CT_EXP_CHALLENGE_ACK)) {
+                        /* Detected RFC5961 challenge ACK */
+                        ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
+                        spin_unlock_bh(&ct->lock);
+                        if (LOG_INVALID(net, IPPROTO_TCP))
+                                nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
+                                      "nf_ct_tcp: challenge-ACK ignored ");
+                        return NF_ACCEPT; /* Don't change state */
+                }
+                break;
         case TCP_CONNTRACK_CLOSE:
                 if (index == TCP_RST_SET
                     && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index ad9d11fb29fd..34ded09317e7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4472,9 +4472,9 @@ EXPORT_SYMBOL_GPL(nft_data_init);
  */
 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
 {
-        switch (type) {
-        case NFT_DATA_VALUE:
+        if (type < NFT_DATA_VERDICT)
                 return;
+        switch (type) {
         case NFT_DATA_VERDICT:
                 return nft_verdict_uninit(data);
         default: