diff options
| author | David S. Miller <davem@davemloft.net> | 2013-02-14 13:16:04 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-02-14 13:16:04 -0500 |
| commit | 306dbf9e5509da5aa8a787f13231442bc3ba697a (patch) | |
| tree | 4c320850df35decb34e4b2f5a9d9ef7f9258abe1 /net | |
| parent | f350ca03703133c94fe742f6fa6ff0fd8f5a9a09 (diff) | |
| parent | 894e2ac82bd0029adce7ad6c8d25501fdd82c994 (diff) | |
Merge branch 'master' of git://1984.lsi.us.es/nf
Pablo Neira Ayuso says:
====================
The following patchset contains three Netfilter fixes, they are:
* Fix conntrack helper re-assignment after NAT mangling if only if
the same helper is attached to the conntrack again, from Florian
Westphal.
* Don't allow the creation of conntrack entries via ctnetlink if the
original and reply tuples are missing, from Florian Westphal.
* Fix broken sysctl interface in nf_ct_reasm while adding netns support
to it, from Michal Kubecek.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv6/netfilter/nf_conntrack_reasm.c | 6 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_helper.c | 4 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 3 |
3 files changed, 9 insertions, 4 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 3dacecc99065..0156d07d732f 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c | |||
| @@ -97,9 +97,9 @@ static int nf_ct_frag6_sysctl_register(struct net *net) | |||
| 97 | if (table == NULL) | 97 | if (table == NULL) |
| 98 | goto err_alloc; | 98 | goto err_alloc; |
| 99 | 99 | ||
| 100 | table[0].data = &net->ipv6.frags.high_thresh; | 100 | table[0].data = &net->nf_frag.frags.timeout; |
| 101 | table[1].data = &net->ipv6.frags.low_thresh; | 101 | table[1].data = &net->nf_frag.frags.low_thresh; |
| 102 | table[2].data = &net->ipv6.frags.timeout; | 102 | table[2].data = &net->nf_frag.frags.high_thresh; |
| 103 | } | 103 | } |
| 104 | 104 | ||
| 105 | hdr = register_net_sysctl(net, "net/netfilter", table); | 105 | hdr = register_net_sysctl(net, "net/netfilter", table); |
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 884f2b39319a..91527d5ba018 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c | |||
| @@ -236,7 +236,9 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, | |||
| 236 | /* We only allow helper re-assignment of the same sort since | 236 | /* We only allow helper re-assignment of the same sort since |
| 237 | * we cannot reallocate the helper extension area. | 237 | * we cannot reallocate the helper extension area. |
| 238 | */ | 238 | */ |
| 239 | if (help->helper != helper) { | 239 | struct nf_conntrack_helper *tmp = rcu_dereference(help->helper); |
| 240 | |||
| 241 | if (tmp && tmp->help != helper->help) { | ||
| 240 | RCU_INIT_POINTER(help->helper, NULL); | 242 | RCU_INIT_POINTER(help->helper, NULL); |
| 241 | goto out; | 243 | goto out; |
| 242 | } | 244 | } |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 627b0e50b238..a081915e0531 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -1705,6 +1705,9 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
| 1705 | if (nlh->nlmsg_flags & NLM_F_CREATE) { | 1705 | if (nlh->nlmsg_flags & NLM_F_CREATE) { |
| 1706 | enum ip_conntrack_events events; | 1706 | enum ip_conntrack_events events; |
| 1707 | 1707 | ||
| 1708 | if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY]) | ||
| 1709 | return -EINVAL; | ||
| 1710 | |||
| 1708 | ct = ctnetlink_create_conntrack(net, zone, cda, &otuple, | 1711 | ct = ctnetlink_create_conntrack(net, zone, cda, &otuple, |
| 1709 | &rtuple, u3); | 1712 | &rtuple, u3); |
| 1710 | if (IS_ERR(ct)) | 1713 | if (IS_ERR(ct)) |