| author | David S. Miller <davem@davemloft.net> | 2015-01-15 00:53:17 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-01-15 00:53:17 -0500 |
| commit | 3f3558bb512e0762d5a4573a4aaf038d7a616e92 (patch) | |
| tree | 1e2b43d410093e949209ca33614f5cdfdd16e80e /net/netfilter | |
| parent | 9a6b4b392de4569e83ecfd6f382f3369f250b52f (diff) | |
| parent | a6391a924cf5a16761ccd6b45094a7d5b9aeebac (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Conflicts:
drivers/net/xen-netfront.c
Minor overlapping changes in xen-netfront.c, mostly to do
with some buffer management changes alongside the split
of stats into TX and RX.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/ipvs/ip_vs_ftp.c | 10 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_core.c | 20 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 14 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink.c | 5 | ||||
| -rw-r--r-- | net/netfilter/nft_nat.c | 8 |
5 files changed, 30 insertions, 27 deletions
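--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -183,6 +183,8 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
 	struct nf_conn *ct;
 	struct net *net;
 
+	*diff = 0;
+
 #ifdef CONFIG_IP_VS_IPV6
 	/* This application helper doesn't work with IPv6 yet,
 	 * so turn this into a no-op for IPv6 packets
@@ -191,8 +193,6 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
 		return 1;
 #endif
 
-	*diff = 0;
-
 	/* Only useful for established sessions */
 	if (cp->state != IP_VS_TCP_S_ESTABLISHED)
 		return 1;
@@ -322,6 +322,9 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
 	struct ip_vs_conn *n_cp;
 	struct net *net;
 
+	/* no diff required for incoming packets */
+	*diff = 0;
+
 #ifdef CONFIG_IP_VS_IPV6
 	/* This application helper doesn't work with IPv6 yet,
 	 * so turn this into a no-op for IPv6 packets
@@ -330,9 +333,6 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
 		return 1;
 #endif
 
-	/* no diff required for incoming packets */
-	*diff = 0;
-
 	/* Only useful for established sessions */
 	if (cp->state != IP_VS_TCP_S_ESTABLISHED)
 		return 1;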
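Review bot: The `*diff = 0;` added at the top of ip_vs_ftp_out carries no comment, while the matching assignment in ip_vs_ftp_in keeps `/* no diff required for incoming packets */`; since the assignment was moved ahead of the CONFIG_IP_VS_IPV6 `return 1`, presumably so that early exit no longer leaves the caller's `*diff` unset, that reason is worth recording where the next reader will look. Suggest `/* Every return path, including the IPv6 no-op below, must leave *diff set. */` above the new assignment in ip_vs_ftp_out. Both functions start before and continue after the hunks shown.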
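--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -611,16 +611,15 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 	 */
 	NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
 	pr_debug("Confirming conntrack %p\n", ct);
-	/* We have to check the DYING flag inside the lock to prevent
-	   a race against nf_ct_get_next_corpse() possibly called from
-	   user context, else we insert an already 'dead' hash, blocking
-	   further use of that particular connection -JM */
+	/* We have to check the DYING flag after unlink to prevent
+	 * a race against nf_ct_get_next_corpse() possibly called from
+	 * user context, else we insert an already 'dead' hash, blocking
+	 * further use of that particular connection -JM.
+	 */
+	nf_ct_del_from_dying_or_unconfirmed_list(ct);
 
-	if (unlikely(nf_ct_is_dying(ct))) {
-		nf_conntrack_double_unlock(hash, reply_hash);
-		local_bh_enable();
-		return NF_ACCEPT;
-	}
+	if (unlikely(nf_ct_is_dying(ct)))
+		goto out;
 
 	/* See if there's one in the list already, including reverse:
 	   NAT could have grabbed it without realizing, since we're
@@ -636,8 +635,6 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 	    zone == nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)))
 		goto out;
 
-	nf_ct_del_from_dying_or_unconfirmed_list(ct);
-
 	/* Timer relative to confirmation time, not original
 	   setting time, otherwise we'd get timer wrap in
 	   weird delay cases. */
@@ -673,6 +670,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 	return NF_ACCEPT;
 
 out:
+	nf_ct_add_to_dying_list(ct);
 	nf_conntrack_double_unlock(hash, reply_hash);
 	NF_CT_STAT_INC(net, insert_failed);
 	local_bh_enable();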
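Review bot: The dying-conntrack exit in the first hunk now jumps to `out:`, which increments `NF_CT_STAT_INC(net, insert_failed)` and re-adds the entry to the dying list, whereas the removed code unlocked and returned NF_ACCEPT without touching that counter; whatever `out:` returns lies past the end of the third hunk, so if it is not NF_ACCEPT the verdict for this race changes as well. If that is intended, say so at the goto, e.g. `/* Lost the race with nf_ct_get_next_corpse(): account it as a failed insert. */`, so the counter's meaning is not quietly reverted by a later cleanup. __nf_conntrack_confirm starts before and ends after the hunks shown.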
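--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -713,16 +713,12 @@ static int nft_flush_table(struct nft_ctx *ctx)
 	struct nft_chain *chain, *nc;
 	struct nft_set *set, *ns;
 
-	list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
+	list_for_each_entry(chain, &ctx->table->chains, list) {
 		ctx->chain = chain;
 
 		err = nft_delrule_by_chain(ctx);
 		if (err < 0)
 			goto out;
-
-		err = nft_delchain(ctx);
-		if (err < 0)
-			goto out;
 	}
 
 	list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
@@ -735,6 +731,14 @@ static int nft_flush_table(struct nft_ctx *ctx)
 			goto out;
 	}
 
+	list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
+		ctx->chain = chain;
+
+		err = nft_delchain(ctx);
+		if (err < 0)
+			goto out;
+	}
+
 	err = nft_deltable(ctx);
 out:
 	return err;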
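Review bot: The reason the chain walk is split in two — rules are removed from every chain first, and the `nft_delchain` loop now runs only after the set loop — is not stated anywhere in nft_flush_table, so a later tidy-up could fold the loops back together and reintroduce whatever failure this ordering avoids. Presumably rules in one chain may still reference other chains or sets until all rules are gone, which is why deleting each chain right after its rules did not work; a comment above the first loop such as `/* Remove all rules before any chain or set: rules may still reference them. */` would pin that down. The function's head is outside the hunks, so whether a caller rolls back the partial flush on `goto out` is not visible here.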
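--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -321,7 +321,8 @@ replay:
 		nlh = nlmsg_hdr(skb);
 		err = 0;
 
-		if (nlh->nlmsg_len < NLMSG_HDRLEN) {
+		if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
+		    skb->len < nlh->nlmsg_len) {
 			err = -EINVAL;
 			goto ack;
 		}
@@ -469,7 +470,7 @@ static int nfnetlink_bind(struct net *net, int group)
 	int type;
 
 	if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX)
-		return -EINVAL;
+		return 0;
 
 	type = nfnl_group2type[group];
 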
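Review bot: The rewritten length check in the first hunk drops the old `nlh->nlmsg_len < NLMSG_HDRLEN` guard, and neither new clause replaces it: `nlmsg_len(nlh)` subtracts NLMSG_HDRLEN, so a header advertising fewer bytes than that yields a negative int, which the comparison against `sizeof(struct nfgenmsg)` promotes to a huge unsigned value, and `skb->len < nlh->nlmsg_len` is trivially false for such a small length. A batch message with an undersized nlmsg_len therefore passes validation and reaches the dispatch that follows the hunk, outside my view, with a header it should not trust. Keep the original test as the first clause: `if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len || nlmsg_len(nlh) < sizeof(struct nfgenmsg)) {`. The enclosing loop begins before and continues after the hunk.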
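--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -65,10 +65,10 @@ static void nft_nat_eval(const struct nft_expr *expr,
 	}
 
 	if (priv->sreg_proto_min) {
-		range.min_proto.all = (__force __be16)
-					data[priv->sreg_proto_min].data[0];
-		range.max_proto.all = (__force __be16)
-					data[priv->sreg_proto_max].data[0];
+		range.min_proto.all =
+			*(__be16 *)&data[priv->sreg_proto_min].data[0];
+		range.max_proto.all =
+			*(__be16 *)&data[priv->sreg_proto_max].data[0];
 		range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
 	}
 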
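Review bot: The new `*(__be16 *)&data[...].data[0]` casts in nft_nat_eval reinterpret the first two bytes of the register without a comment saying why the previous `(__force __be16)` truncation was wrong, and the register element type is not visible here, so a reader cannot tell whether this is an endianness fix or an aliasing shortcut. Presumably the port lives in the leading two bytes in network byte order and truncating the wider register value selected the wrong half on big-endian hosts; a comment such as `/* Ports occupy the first two bytes of the register in network byte order; do not truncate the wider value. */` above the `if` would let the intent survive the next cleanup. nft_nat_eval's signature and the rest of its body lie outside the hunk.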
