authorDavid S. Miller <davem@davemloft.net>2013-04-19 17:55:29 -0400
committerDavid S. Miller <davem@davemloft.net>2013-04-19 17:55:29 -0400
commit95a06161e6b903ad5b96285cb57c8df3b7c8ad34 (patch)
tree38aceebbb625e4b5186d8c8afe85f9c73ccd6478 /net/ipv6
parentbb5b052f751b309b5181686741c724a66c5cb15a (diff)
parentd37d696804a83479f240b397670a07ccb53a7417 (diff)
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says: ==================== The following patchset contains a small batch of Netfilter updates for your net-next tree, they are: * Three patches that provide more accurate error reporting to user-space, instead of -EPERM, in IPv4/IPv6 netfilter re-routing code and NAT, from Patrick McHardy. * Update copyright statements in Netfilter filters of Patrick McHardy, from himself. * Add Kconfig dependency on the raw/mangle tables to the rpfilter, from Florian Westphal. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter.c12
-rw-r--r--net/ipv6/netfilter/Kconfig2
-rw-r--r--net/ipv6/netfilter/ip6_tables.c1
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c2
-rw-r--r--net/ipv6/netfilter/ip6table_mangle.c9
-rw-r--r--net/ipv6/netfilter/ip6table_nat.c23
6 files changed, 34 insertions, 15 deletions
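diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 429089cb073d..72836f40b730 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -1,3 +1,9 @@
+/*
+ * IPv6 specific functions of netfilter core
+ *
+ * Rusty Russell (C) 2000 -- This code is GPL.
+ * Patrick McHardy (C) 2006-2012
+ */
 #include <linux/kernel.h>
 #include <linux/init.h>
 #include <linux/ipv6.h>
@@ -29,7 +35,7 @@ int ip6_route_me_harder(struct sk_buff *skb)
  IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
  LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
  dst_release(dst);
- return -EINVAL;
+ return dst->error;
  }
 
  /* Drop old route. */
@@ -43,7 +49,7 @@ int ip6_route_me_harder(struct sk_buff *skb)
  skb_dst_set(skb, NULL);
  dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), skb->sk, 0);
  if (IS_ERR(dst))
- return -1;
+ return PTR_ERR(dst);
  skb_dst_set(skb, dst);
  }
 #endif
@@ -53,7 +59,7 @@ int ip6_route_me_harder(struct sk_buff *skb)
  if (skb_headroom(skb) < hh_len &&
  pskb_expand_head(skb, HH_DATA_ALIGN(hh_len - skb_headroom(skb)),
  0, GFP_ATOMIC))
- return -1;
+ return -ENOMEM;
 
  return 0;
 }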
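Review bot: The new `return dst->error;` in the no-route branch reads `dst` after the `dst_release(dst)` on the line just above it, so the error code is fetched from a dst whose reference has already been dropped; if that drop was the last reference this is a use-after-free, and in any case the read is ordered after the release. Capture the value first: `err = dst->error;` / `dst_release(dst);` / `return err;`, with `int err;` declared at the top of ip6_route_me_harder, whose start lies outside this hunk. The other two hunks (`PTR_ERR(dst)` after the xfrm lookup and `-ENOMEM` after the failed headroom expansion) are consistent with the zero-or-negative-errno contract that the NAT and mangle callers in this series now rely on via `NF_DROP_ERR()`, so the no-route path should return the same shape once the ordering is fixed.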
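diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index c72532a60d88..4433ab40e7de 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -105,7 +105,7 @@ config IP6_NF_MATCH_MH
 
 config IP6_NF_MATCH_RPFILTER
  tristate '"rpfilter" reverse path filter match support'
- depends on NETFILTER_ADVANCED
+ depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
  ---help---
  This option allows you to match packets whose replies would
  go out via the interface the packet came in.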
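diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 8861b1ef420e..44400c216dc6 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -3,6 +3,7 @@
  *
  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
  * Copyright (C) 2000-2005 Netfilter Core Team <coreteam@netfilter.org>
+ * Copyright (c) 2006-2010 Patrick McHardy <kaber@trash.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as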
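diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index ed3b427b2841..70f9abc0efe9 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -7,6 +7,8 @@
  * Authors:
  * Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
  *
+ * Copyright (c) 2005-2007 Patrick McHardy <kaber@trash.net>
+ *
  * Based on net/ipv4/netfilter/ipt_REJECT.c
  *
  * This program is free software; you can redistribute it and/or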
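diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 6134a1ebfb1b..e075399d8b72 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -38,7 +38,7 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
  struct in6_addr saddr, daddr;
  u_int8_t hop_limit;
  u_int32_t flowlabel, mark;
-
+ int err;
 #if 0
  /* root is playing with raw sockets. */
  if (skb->len < sizeof(struct iphdr) ||
@@ -65,8 +65,11 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
  !ipv6_addr_equal(&ipv6_hdr(skb)->daddr, &daddr) ||
  skb->mark != mark ||
  ipv6_hdr(skb)->hop_limit != hop_limit ||
- flowlabel != *((u_int32_t *)ipv6_hdr(skb))))
- return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
+ flowlabel != *((u_int32_t *)ipv6_hdr(skb)))) {
+ err = ip6_route_me_harder(skb);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
 
  return ret;
 }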
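Review bot: The new `if (err < 0)` test narrows the old behaviour, which dropped on any non-zero return from `ip6_route_me_harder()` (`== 0 ? ret : NF_DROP`); with this change a positive return would fall through and the packet would be passed with whatever dst the failed re-route left behind, and `NF_DROP_ERR()` only encodes a negative errno sensibly. That is correct only because ip6_route_me_harder is now defined to return 0 or a negative errno, which is a contract living in another file, so it is worth recording at the call site: `/* ip6_route_me_harder() returns 0 or -errno; NF_DROP_ERR() hands the errno back to the local sender */`. If the intent is to keep dropping on any non-zero result regardless of sign, `if (err)` would preserve the old safety margin at no cost. ip6t_mangle_out's start and its comparison prologue lie outside this hunk.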
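diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index e0e788d25b14..6383f90efda8 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -179,6 +179,7 @@ nf_nat_ipv6_out(unsigned int hooknum,
 #ifdef CONFIG_XFRM
  const struct nf_conn *ct;
  enum ip_conntrack_info ctinfo;
+ int err;
 #endif
  unsigned int ret;
 
@@ -197,9 +198,11 @@ nf_nat_ipv6_out(unsigned int hooknum,
  &ct->tuplehash[!dir].tuple.dst.u3) ||
  (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
  ct->tuplehash[dir].tuple.src.u.all !=
- ct->tuplehash[!dir].tuple.dst.u.all))
- if (nf_xfrm_me_harder(skb, AF_INET6) < 0)
- ret = NF_DROP;
+ ct->tuplehash[!dir].tuple.dst.u.all)) {
+ err = nf_xfrm_me_harder(skb, AF_INET6);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
  }
 #endif
  return ret;
@@ -215,6 +218,7 @@ nf_nat_ipv6_local_fn(unsigned int hooknum,
  const struct nf_conn *ct;
  enum ip_conntrack_info ctinfo;
  unsigned int ret;
+ int err;
 
  /* root is playing with raw sockets. */
  if (skb->len < sizeof(struct ipv6hdr))
@@ -227,16 +231,19 @@ nf_nat_ipv6_local_fn(unsigned int hooknum,
 
  if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3,
  &ct->tuplehash[!dir].tuple.src.u3)) {
- if (ip6_route_me_harder(skb))
- ret = NF_DROP;
+ err = ip6_route_me_harder(skb);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
  }
 #ifdef CONFIG_XFRM
  else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
  ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 &&
  ct->tuplehash[dir].tuple.dst.u.all !=
- ct->tuplehash[!dir].tuple.src.u.all)
- if (nf_xfrm_me_harder(skb, AF_INET6))
- ret = NF_DROP;
+ ct->tuplehash[!dir].tuple.src.u.all) {
+ err = nf_xfrm_me_harder(skb, AF_INET6);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
 #endif
  }
  return ret;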
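Review bot: In nf_nat_ipv6_local_fn the two replaced tests, `if (ip6_route_me_harder(skb))` and `if (nf_xfrm_me_harder(skb, AF_INET6))`, dropped on any non-zero return, while the new `if (err < 0)` only drops on a negative one, so a non-negative failure code would now let a packet that could not be re-routed continue with the stale dst. `nf_xfrm_me_harder` is defined outside this file, so its return contract cannot be confirmed from this hunk; the change presumably relies on it returning 0 or a negative errno like ip6_route_me_harder, and that dependency should be stated at the first use, e.g. `/* both helpers return 0 or -errno, which NF_DROP_ERR() reports to the socket */`. The `int err;` in nf_nat_ipv6_out being confined to `#ifdef CONFIG_XFRM` while the one in nf_nat_ipv6_local_fn is unconditional is correct, since only the latter uses it outside the XFRM path. Both functions start before their first hunk, so their prologues are not visible here.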