diff options
| author | David S. Miller <davem@davemloft.net> | 2014-10-20 11:57:47 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-10-20 11:57:47 -0400 |
| commit | ce8ec4896749783bd6cdc457e6012cfc18e09c8b (patch) | |
| tree | 3d58d88f4e4030ddf0f926ac2ef52c3ee2c9f65a /net/ipv6 | |
| parent | 95ff88688781db2f64042e69bd499e518bbb36e5 (diff) | |
| parent | 1e2d56a5d33a7e1fcd21ed3859f52596d02708b0 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
netfilter fixes for net
The following patchset contains netfilter fixes for your net tree,
they are:
1) Fix missing MODULE_LICENSE() in the new nf_reject_ipv{4,6} modules.
2) Restrict nat and masq expressions to the nat chain type. Otherwise,
users may crash their kernel if they attach a nat/masq rule to a non
nat chain.
3) Fix hook validation in nft_compat when non-base chains are used.
Basically, initialize hook_mask to zero.
4) Make sure you use match/targets in nft_compat from the right chain
type. The existing validation relies on the table name which can be
avoided by
5) Better netlink attribute validation in nft_nat. This expression has
to reject the configuration when no address and proto configurations
are specified.
6) Interpret NFTA_NAT_REG_*_MAX if only if NFTA_NAT_REG_*_MIN is set.
Yet another sanity check to reject incorrect configurations from
userspace.
7) Conditional NAT attribute dumping depending on the existing
configuration.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/nf_reject_ipv6.c | 4 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nft_masq_ipv6.c | 1 |
2 files changed, 5 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c index 5f5f0438d74d..20d9defc6c59 100644 --- a/net/ipv6/netfilter/nf_reject_ipv6.c +++ b/net/ipv6/netfilter/nf_reject_ipv6.c | |||
| @@ -5,6 +5,8 @@ | |||
| 5 | * it under the terms of the GNU General Public License version 2 as | 5 | * it under the terms of the GNU General Public License version 2 as |
| 6 | * published by the Free Software Foundation. | 6 | * published by the Free Software Foundation. |
| 7 | */ | 7 | */ |
| 8 | |||
| 9 | #include <linux/module.h> | ||
| 8 | #include <net/ipv6.h> | 10 | #include <net/ipv6.h> |
| 9 | #include <net/ip6_route.h> | 11 | #include <net/ip6_route.h> |
| 10 | #include <net/ip6_fib.h> | 12 | #include <net/ip6_fib.h> |
| @@ -161,3 +163,5 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook) | |||
| 161 | ip6_local_out(nskb); | 163 | ip6_local_out(nskb); |
| 162 | } | 164 | } |
| 163 | EXPORT_SYMBOL_GPL(nf_send_reset6); | 165 | EXPORT_SYMBOL_GPL(nf_send_reset6); |
| 166 | |||
| 167 | MODULE_LICENSE("GPL"); | ||
diff --git a/net/ipv6/netfilter/nft_masq_ipv6.c b/net/ipv6/netfilter/nft_masq_ipv6.c index 556262f40761..8a7ac685076d 100644 --- a/net/ipv6/netfilter/nft_masq_ipv6.c +++ b/net/ipv6/netfilter/nft_masq_ipv6.c | |||
| @@ -39,6 +39,7 @@ static const struct nft_expr_ops nft_masq_ipv6_ops = { | |||
| 39 | .eval = nft_masq_ipv6_eval, | 39 | .eval = nft_masq_ipv6_eval, |
| 40 | .init = nft_masq_init, | 40 | .init = nft_masq_init, |
| 41 | .dump = nft_masq_dump, | 41 | .dump = nft_masq_dump, |
| 42 | .validate = nft_masq_validate, | ||
| 42 | }; | 43 | }; |
| 43 | 44 | ||
| 44 | static struct nft_expr_type nft_masq_ipv6_type __read_mostly = { | 45 | static struct nft_expr_type nft_masq_ipv6_type __read_mostly = { |