12 files changed, 67 insertions, 39 deletions
diff --git a/MAINTAINERS b/MAINTAINERS
index 3d7782b9f90d..50955f90ed7e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -5509,18 +5509,18 @@ F:	Documentation/networking/s2io.txt
 F:      Documentation/networking/vxge.txt
 F:      drivers/net/ethernet/neterion/
-NETFILTER/IPTABLES/IPCHAINS
+NETFILTER/IPTABLES
-P:      Harald Welte
-P:      Jozsef Kadlecsik
 M:      Pablo Neira Ayuso <pablo@netfilter.org>
 M:      Patrick McHardy <kaber@trash.net>
+M:      Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 L:      netfilter-devel@vger.kernel.org
 L:      netfilter@vger.kernel.org
 L:      coreteam@netfilter.org
 W:      http://www.netfilter.org/
 W:      http://www.iptables.org/
-T:      git git://1984.lsi.us.es/nf
+Q:      http://patchwork.ozlabs.org/project/netfilter-devel/list/
-T:      git git://1984.lsi.us.es/nf-next
+T:      git git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
+T:      git git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
 S:      Supported
 F:      include/linux/netfilter*
 F:      include/linux/netfilter/
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 31f1fb9eb784..99eac12d040b 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -30,7 +30,8 @@ struct nf_loginfo {
        } u;
 };
-typedef void nf_logfn(u_int8_t pf,
+typedef void nf_logfn(struct net *net,
+                      u_int8_t pf,
                      unsigned int hooknum,
                      const struct sk_buff *skb,
                      const struct net_device *in,
diff --git a/include/net/netfilter/nfnetlink_log.h b/include/net/netfilter/nfnetlink_log.h
index e2dec42c2db2..5ca3f14f0998 100644
--- a/include/net/netfilter/nfnetlink_log.h
+++ b/include/net/netfilter/nfnetlink_log.h
@@ -2,7 +2,8 @@
 #define _KER_NFNETLINK_LOG_H
 void
-nfulnl_log_packet(u_int8_t pf,
+nfulnl_log_packet(struct net *net,
+                  u_int8_t pf,
                  unsigned int hooknum,
                  const struct sk_buff *skb,
                  const struct net_device *in,
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 9878eb8204c5..19c37a4929bc 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -72,13 +72,12 @@ print_ports(const struct sk_buff *skb, uint8_t protocol, int offset)
 }
 static void
-ebt_log_packet(u_int8_t pf, unsigned int hooknum,
+ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
-   const struct sk_buff *skb, const struct net_device *in,
+               const struct sk_buff *skb, const struct net_device *in,
-   const struct net_device *out, const struct nf_loginfo *loginfo,
+               const struct net_device *out, const struct nf_loginfo *loginfo,
-   const char *prefix)
+               const char *prefix)
 {
        unsigned int bitmask;
-        struct net *net = dev_net(in ? in : out);
        /* FIXME: Disabled from containers until syslog ns is supported */
        if (!net_eq(net, &init_net))
@@ -191,7 +190,7 @@ ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
                nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,
                              par->in, par->out, &li, "%s", info->prefix);
        else
-                ebt_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in,
+                ebt_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb, par->in,
                               par->out, &li, info->prefix);
        return EBT_CONTINUE;
 }
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index fc1905c51417..df0364aa12d5 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -131,14 +131,16 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
        return skb;
 }
-static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
+static void ebt_ulog_packet(struct net *net, unsigned int hooknr,
-   const struct net_device *in, const struct net_device *out,
+                            const struct sk_buff *skb,
-   const struct ebt_ulog_info *uloginfo, const char *prefix)
+                            const struct net_device *in,
+                            const struct net_device *out,
+                            const struct ebt_ulog_info *uloginfo,
+                            const char *prefix)
 {
        ebt_ulog_packet_msg_t *pm;
        size_t size, copy_len;
        struct nlmsghdr *nlh;
-        struct net *net = dev_net(in ? in : out);
        struct ebt_ulog_net *ebt = ebt_ulog_pernet(net);
        unsigned int group = uloginfo->nlgroup;
        ebt_ulog_buff_t *ub = &ebt->ulog_buffers[group];
@@ -233,7 +235,7 @@ unlock:
 }
 /* this function is registered with the netfilter core */
-static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
+static void ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
   const struct sk_buff *skb, const struct net_device *in,
   const struct net_device *out, const struct nf_loginfo *li,
   const char *prefix)
@@ -252,13 +254,15 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
                strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix));
        }
-        ebt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
+        ebt_ulog_packet(net, hooknum, skb, in, out, &loginfo, prefix);
 }
 static unsigned int
 ebt_ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
+        struct net *net = dev_net(par->in ? par->in : par->out);
+        ebt_ulog_packet(net, par->hooknum, skb, par->in, par->out,
                        par->targinfo, NULL);
        return EBT_CONTINUE;
 }
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index f8a222cb6448..cf08218ddbcf 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -162,7 +162,8 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
        return skb;
 }
-static void ipt_ulog_packet(unsigned int hooknum,
+static void ipt_ulog_packet(struct net *net,
+                            unsigned int hooknum,
                            const struct sk_buff *skb,
                            const struct net_device *in,
                            const struct net_device *out,
@@ -174,7 +175,6 @@ static void ipt_ulog_packet(unsigned int hooknum,
        size_t size, copy_len;
        struct nlmsghdr *nlh;
        struct timeval tv;
-        struct net *net = dev_net(in ? in : out);
        struct ulog_net *ulog = ulog_pernet(net);
        /* ffs == find first bit set, necessary because userspace
@@ -291,12 +291,15 @@ alloc_failure:
 static unsigned int
 ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        ipt_ulog_packet(par->hooknum, skb, par->in, par->out,
+        struct net *net = dev_net(par->in ? par->in : par->out);
+        ipt_ulog_packet(net, par->hooknum, skb, par->in, par->out,
                        par->targinfo, NULL);
        return XT_CONTINUE;
 }
-static void ipt_logfn(u_int8_t pf,
+static void ipt_logfn(struct net *net,
+                      u_int8_t pf,
                      unsigned int hooknum,
                      const struct sk_buff *skb,
                      const struct net_device *in,
@@ -318,7 +321,7 @@ static void ipt_logfn(u_int8_t pf,
                strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix));
        }
-        ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
+        ipt_ulog_packet(net, hooknum, skb, in, out, &loginfo, prefix);
 }
 static int ulog_tg_check(const struct xt_tgchk_param *par)
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 388656d5a9ec..3b18dd1be7d9 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -148,7 +148,7 @@ void nf_log_packet(struct net *net,
                va_start(args, fmt);
                vsnprintf(prefix, sizeof(prefix), fmt, args);
                va_end(args);
-                logger->logfn(pf, hooknum, skb, in, out, loginfo, prefix);
+                logger->logfn(net, pf, hooknum, skb, in, out, loginfo, prefix);
        }
        rcu_read_unlock();
 }
@@ -368,17 +368,20 @@ static int __net_init nf_log_net_init(struct net *net)
        return 0;
 out_sysctl:
+#ifdef CONFIG_PROC_FS
        /* For init_net: errors will trigger panic, don't unroll on error. */
        if (!net_eq(net, &init_net))
                remove_proc_entry("nf_log", net->nf.proc_netfilter);
+#endif
        return ret;
 }
 static void __net_exit nf_log_net_exit(struct net *net)
 {
        netfilter_log_sysctl_exit(net);
+#ifdef CONFIG_PROC_FS
        remove_proc_entry("nf_log", net->nf.proc_netfilter);
+#endif
 }
 static struct pernet_operations nf_log_net_ops = {
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index faf1e9300d8a..962e9792e317 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -602,7 +602,8 @@ static struct nf_loginfo default_loginfo = {
 /* log handler for internal netfilter logging api */
 void
-nfulnl_log_packet(u_int8_t pf,
+nfulnl_log_packet(struct net *net,
+                  u_int8_t pf,
                  unsigned int hooknum,
                  const struct sk_buff *skb,
                  const struct net_device *in,
@@ -615,7 +616,6 @@ nfulnl_log_packet(u_int8_t pf,
        const struct nf_loginfo *li;
        unsigned int qthreshold;
        unsigned int plen;
-        struct net *net = dev_net(in ? in : out);
        struct nfnl_log_net *log = nfnl_log_pernet(net);
        if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
@@ -1045,7 +1045,9 @@ static int __net_init nfnl_log_net_init(struct net *net)
 static void __net_exit nfnl_log_net_exit(struct net *net)
 {
+#ifdef CONFIG_PROC_FS
        remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
+#endif
 }
 static struct pernet_operations nfnl_log_net_ops = {
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 2e0e835baf72..4e27fa035814 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -1285,7 +1285,9 @@ static int __net_init nfnl_queue_net_init(struct net *net)
 static void __net_exit nfnl_queue_net_exit(struct net *net)
 {
+#ifdef CONFIG_PROC_FS
        remove_proc_entry("nfnetlink_queue", net->nf.proc_netfilter);
+#endif
 }
 static struct pernet_operations nfnl_queue_net_ops = {
diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c
index fe573f6c9e91..491c7d821a0b 100644
--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -466,7 +466,8 @@ log_packet_common(struct sbuff *m,
 static void
-ipt_log_packet(u_int8_t pf,
+ipt_log_packet(struct net *net,
+               u_int8_t pf,
               unsigned int hooknum,
               const struct sk_buff *skb,
               const struct net_device *in,
@@ -475,7 +476,6 @@ ipt_log_packet(u_int8_t pf,
               const char *prefix)
 {
        struct sbuff *m;
-        struct net *net = dev_net(in ? in : out);
        /* FIXME: Disabled from containers until syslog ns is supported */
        if (!net_eq(net, &init_net))
@@ -797,7 +797,8 @@ fallback:
 }
 static void
-ip6t_log_packet(u_int8_t pf,
+ip6t_log_packet(struct net *net,
+                u_int8_t pf,
                unsigned int hooknum,
                const struct sk_buff *skb,
                const struct net_device *in,
@@ -806,7 +807,6 @@ ip6t_log_packet(u_int8_t pf,
                const char *prefix)
 {
        struct sbuff *m;
-        struct net *net = dev_net(in ? in : out);
        /* FIXME: Disabled from containers until syslog ns is supported */
        if (!net_eq(net, &init_net))
@@ -833,17 +833,18 @@ log_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_log_info *loginfo = par->targinfo;
        struct nf_loginfo li;
+        struct net *net = dev_net(par->in ? par->in : par->out);
        li.type = NF_LOG_TYPE_LOG;
        li.u.log.level = loginfo->level;
        li.u.log.logflags = loginfo->logflags;
        if (par->family == NFPROTO_IPV4)
-                ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in,
+                ipt_log_packet(net, NFPROTO_IPV4, par->hooknum, skb, par->in,
                               par->out, &li, loginfo->prefix);
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
        else if (par->family == NFPROTO_IPV6)
-                ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in,
+                ip6t_log_packet(net, NFPROTO_IPV6, par->hooknum, skb, par->in,
                                par->out, &li, loginfo->prefix);
 #endif
        else
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index a17dd0f589b2..fb7497c928a0 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -26,13 +26,14 @@ nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_nflog_info *info = par->targinfo;
        struct nf_loginfo li;
+        struct net *net = dev_net(par->in ? par->in : par->out);
        li.type              = NF_LOG_TYPE_ULOG;
        li.u.ulog.copy_len   = info->len;
        li.u.ulog.group      = info->group;
        li.u.ulog.qthreshold = info->threshold;
-        nfulnl_log_packet(par->family, par->hooknum, skb, par->in,
+        nfulnl_log_packet(net, par->family, par->hooknum, skb, par->in,
                          par->out, &li, info->prefix);
        return XT_CONTINUE;
 }
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 25fd1c4e1eec..1eb1a44bfd3d 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -30,17 +30,28 @@ static inline unsigned int optlen(const u_int8_t *opt, unsigned int offset)
 static unsigned int
 tcpoptstrip_mangle_packet(struct sk_buff *skb,
-                          const struct xt_tcpoptstrip_target_info *info,
+                          const struct xt_action_param *par,
                          unsigned int tcphoff, unsigned int minlen)
 {
+        const struct xt_tcpoptstrip_target_info *info = par->targinfo;
        unsigned int optl, i, j;
        struct tcphdr *tcph;
        u_int16_t n, o;
        u_int8_t *opt;
+        int len;
+        /* This is a fragment, no TCP header is available */
+        if (par->fragoff != 0)
+                return XT_CONTINUE;
        if (!skb_make_writable(skb, skb->len))
                return NF_DROP;
+        len = skb->len - tcphoff;
+        if (len < (int)sizeof(struct tcphdr) ||
+            tcp_hdr(skb)->doff * 4 > len)
+                return NF_DROP;
        tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
        opt  = (u_int8_t *)tcph;
@@ -76,7 +87,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
 static unsigned int
 tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
+        return tcpoptstrip_mangle_packet(skb, par, ip_hdrlen(skb),
               sizeof(struct iphdr) + sizeof(struct tcphdr));
 }
@@ -94,7 +105,7 @@ tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
        if (tcphoff < 0)
                return NF_DROP;
-        return tcpoptstrip_mangle_packet(skb, par->targinfo, tcphoff,
+        return tcpoptstrip_mangle_packet(skb, par, tcphoff,
               sizeof(*ipv6h) + sizeof(struct tcphdr));
 }
 #endif

diff --git a/MAINTAINERS b/MAINTAINERS index 3d7782b9f90d..50955f90ed7e 100644 --- a/MAINTAINERS +++ b/MAINTAINERS
@@ -5509,18 +5509,18 @@ F: Documentation/networking/s2io.txt
5509	F: Documentation/networking/vxge.txt	5509	F: Documentation/networking/vxge.txt
5510	F: drivers/net/ethernet/neterion/	5510	F: drivers/net/ethernet/neterion/
5511		5511
5512	NETFILTER/IPTABLES/IPCHAINS	5512	NETFILTER/IPTABLES
5513	P: Harald Welte
5514	P: Jozsef Kadlecsik
5515	M: Pablo Neira Ayuso <pablo@netfilter.org>	5513	M: Pablo Neira Ayuso <pablo@netfilter.org>
5516	M: Patrick McHardy <kaber@trash.net>	5514	M: Patrick McHardy <kaber@trash.net>
		5515	M: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5517	L: netfilter-devel@vger.kernel.org	5516	L: netfilter-devel@vger.kernel.org
5518	L: netfilter@vger.kernel.org	5517	L: netfilter@vger.kernel.org
5519	L: coreteam@netfilter.org	5518	L: coreteam@netfilter.org
5520	W: http://www.netfilter.org/	5519	W: http://www.netfilter.org/
5521	W: http://www.iptables.org/	5520	W: http://www.iptables.org/
5522	T: git git://1984.lsi.us.es/nf	5521	Q: http://patchwork.ozlabs.org/project/netfilter-devel/list/
5523	T: git git://1984.lsi.us.es/nf-next	5522	T: git git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
		5523	T: git git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
5524	S: Supported	5524	S: Supported
5525	F: include/linux/netfilter*	5525	F: include/linux/netfilter*
5526	F: include/linux/netfilter/	5526	F: include/linux/netfilter/


diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h index 31f1fb9eb784..99eac12d040b 100644 --- a/include/net/netfilter/nf_log.h +++ b/include/net/netfilter/nf_log.h
@@ -30,7 +30,8 @@ struct nf_loginfo {
30	} u;	30	} u;
31	};	31	};
32		32
33	typedef void nf_logfn(u_int8_t pf,	33	typedef void nf_logfn(struct net *net,
		34	u_int8_t pf,
34	unsigned int hooknum,	35	unsigned int hooknum,
35	const struct sk_buff *skb,	36	const struct sk_buff *skb,
36	const struct net_device *in,	37	const struct net_device *in,


diff --git a/include/net/netfilter/nfnetlink_log.h b/include/net/netfilter/nfnetlink_log.h index e2dec42c2db2..5ca3f14f0998 100644 --- a/include/net/netfilter/nfnetlink_log.h +++ b/include/net/netfilter/nfnetlink_log.h
@@ -2,7 +2,8 @@
2	#define _KER_NFNETLINK_LOG_H	2	#define _KER_NFNETLINK_LOG_H
3		3
4	void	4	void
5	nfulnl_log_packet(u_int8_t pf,	5	nfulnl_log_packet(struct net *net,
		6	u_int8_t pf,
6	unsigned int hooknum,	7	unsigned int hooknum,
7	const struct sk_buff *skb,	8	const struct sk_buff *skb,
8	const struct net_device *in,	9	const struct net_device *in,


diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c index 9878eb8204c5..19c37a4929bc 100644 --- a/net/bridge/netfilter/ebt_log.c +++ b/net/bridge/netfilter/ebt_log.c
@@ -72,13 +72,12 @@ print_ports(const struct sk_buff *skb, uint8_t protocol, int offset)
72	}	72	}
73		73
74	static void	74	static void
75	ebt_log_packet(u_int8_t pf, unsigned int hooknum,	75	ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
76	const struct sk_buff skb, const struct net_device in,	76	const struct sk_buff skb, const struct net_device in,
77	const struct net_device out, const struct nf_loginfo loginfo,	77	const struct net_device out, const struct nf_loginfo loginfo,
78	const char *prefix)	78	const char *prefix)
79	{	79	{
80	unsigned int bitmask;	80	unsigned int bitmask;
81	struct net *net = dev_net(in ? in : out);
82		81
83	/* FIXME: Disabled from containers until syslog ns is supported */	82	/* FIXME: Disabled from containers until syslog ns is supported */
84	if (!net_eq(net, &init_net))	83	if (!net_eq(net, &init_net))
@@ -191,7 +190,7 @@ ebt_log_tg(struct sk_buff skb, const struct xt_action_param par)
191	nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,	190	nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,
192	par->in, par->out, &li, "%s", info->prefix);	191	par->in, par->out, &li, "%s", info->prefix);
193	else	192	else
194	ebt_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in,	193	ebt_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb, par->in,
195	par->out, &li, info->prefix);	194	par->out, &li, info->prefix);
196	return EBT_CONTINUE;	195	return EBT_CONTINUE;
197	}	196	}


diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c index fc1905c51417..df0364aa12d5 100644 --- a/net/bridge/netfilter/ebt_ulog.c +++ b/net/bridge/netfilter/ebt_ulog.c
@@ -131,14 +131,16 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
131	return skb;	131	return skb;
132	}	132	}
133		133
134	static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,	134	static void ebt_ulog_packet(struct net *net, unsigned int hooknr,
135	const struct net_device in, const struct net_device out,	135	const struct sk_buff *skb,
136	const struct ebt_ulog_info uloginfo, const char prefix)	136	const struct net_device *in,
		137	const struct net_device *out,
		138	const struct ebt_ulog_info *uloginfo,
		139	const char *prefix)
137	{	140	{
138	ebt_ulog_packet_msg_t *pm;	141	ebt_ulog_packet_msg_t *pm;
139	size_t size, copy_len;	142	size_t size, copy_len;
140	struct nlmsghdr *nlh;	143	struct nlmsghdr *nlh;
141	struct net *net = dev_net(in ? in : out);
142	struct ebt_ulog_net *ebt = ebt_ulog_pernet(net);	144	struct ebt_ulog_net *ebt = ebt_ulog_pernet(net);
143	unsigned int group = uloginfo->nlgroup;	145	unsigned int group = uloginfo->nlgroup;
144	ebt_ulog_buff_t *ub = &ebt->ulog_buffers[group];	146	ebt_ulog_buff_t *ub = &ebt->ulog_buffers[group];
@@ -233,7 +235,7 @@ unlock:
233	}	235	}
234		236
235	/* this function is registered with the netfilter core */	237	/* this function is registered with the netfilter core */
236	static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,	238	static void ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
237	const struct sk_buff skb, const struct net_device in,	239	const struct sk_buff skb, const struct net_device in,
238	const struct net_device out, const struct nf_loginfo li,	240	const struct net_device out, const struct nf_loginfo li,
239	const char *prefix)	241	const char *prefix)
@@ -252,13 +254,15 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
252	strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix));	254	strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix));
253	}	255	}
254		256
255	ebt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);	257	ebt_ulog_packet(net, hooknum, skb, in, out, &loginfo, prefix);
256	}	258	}
257		259
258	static unsigned int	260	static unsigned int
259	ebt_ulog_tg(struct sk_buff skb, const struct xt_action_param par)	261	ebt_ulog_tg(struct sk_buff skb, const struct xt_action_param par)
260	{	262	{
261	ebt_ulog_packet(par->hooknum, skb, par->in, par->out,	263	struct net *net = dev_net(par->in ? par->in : par->out);
		264
		265	ebt_ulog_packet(net, par->hooknum, skb, par->in, par->out,
262	par->targinfo, NULL);	266	par->targinfo, NULL);
263	return EBT_CONTINUE;	267	return EBT_CONTINUE;
264	}	268	}


diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index f8a222cb6448..cf08218ddbcf 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -162,7 +162,8 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
162	return skb;	162	return skb;
163	}	163	}
164		164
165	static void ipt_ulog_packet(unsigned int hooknum,	165	static void ipt_ulog_packet(struct net *net,
		166	unsigned int hooknum,
166	const struct sk_buff *skb,	167	const struct sk_buff *skb,
167	const struct net_device *in,	168	const struct net_device *in,
168	const struct net_device *out,	169	const struct net_device *out,
@@ -174,7 +175,6 @@ static void ipt_ulog_packet(unsigned int hooknum,
174	size_t size, copy_len;	175	size_t size, copy_len;
175	struct nlmsghdr *nlh;	176	struct nlmsghdr *nlh;
176	struct timeval tv;	177	struct timeval tv;
177	struct net *net = dev_net(in ? in : out);
178	struct ulog_net *ulog = ulog_pernet(net);	178	struct ulog_net *ulog = ulog_pernet(net);
179		179
180	/* ffs == find first bit set, necessary because userspace	180	/* ffs == find first bit set, necessary because userspace
@@ -291,12 +291,15 @@ alloc_failure:
291	static unsigned int	291	static unsigned int
292	ulog_tg(struct sk_buff skb, const struct xt_action_param par)	292	ulog_tg(struct sk_buff skb, const struct xt_action_param par)
293	{	293	{
294	ipt_ulog_packet(par->hooknum, skb, par->in, par->out,	294	struct net *net = dev_net(par->in ? par->in : par->out);
		295
		296	ipt_ulog_packet(net, par->hooknum, skb, par->in, par->out,
295	par->targinfo, NULL);	297	par->targinfo, NULL);
296	return XT_CONTINUE;	298	return XT_CONTINUE;
297	}	299	}
298		300
299	static void ipt_logfn(u_int8_t pf,	301	static void ipt_logfn(struct net *net,
		302	u_int8_t pf,
300	unsigned int hooknum,	303	unsigned int hooknum,
301	const struct sk_buff *skb,	304	const struct sk_buff *skb,
302	const struct net_device *in,	305	const struct net_device *in,
@@ -318,7 +321,7 @@ static void ipt_logfn(u_int8_t pf,
318	strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix));	321	strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix));
319	}	322	}
320		323
321	ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);	324	ipt_ulog_packet(net, hooknum, skb, in, out, &loginfo, prefix);
322	}	325	}
323		326
324	static int ulog_tg_check(const struct xt_tgchk_param *par)	327	static int ulog_tg_check(const struct xt_tgchk_param *par)


diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 388656d5a9ec..3b18dd1be7d9 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c
@@ -148,7 +148,7 @@ void nf_log_packet(struct net *net,
148	va_start(args, fmt);	148	va_start(args, fmt);
149	vsnprintf(prefix, sizeof(prefix), fmt, args);	149	vsnprintf(prefix, sizeof(prefix), fmt, args);
150	va_end(args);	150	va_end(args);
151	logger->logfn(pf, hooknum, skb, in, out, loginfo, prefix);	151	logger->logfn(net, pf, hooknum, skb, in, out, loginfo, prefix);
152	}	152	}
153	rcu_read_unlock();	153	rcu_read_unlock();
154	}	154	}
@@ -368,17 +368,20 @@ static int __net_init nf_log_net_init(struct net *net)
368	return 0;	368	return 0;
369		369
370	out_sysctl:	370	out_sysctl:
		371	#ifdef CONFIG_PROC_FS
371	/* For init_net: errors will trigger panic, don't unroll on error. */	372	/* For init_net: errors will trigger panic, don't unroll on error. */
372	if (!net_eq(net, &init_net))	373	if (!net_eq(net, &init_net))
373	remove_proc_entry("nf_log", net->nf.proc_netfilter);	374	remove_proc_entry("nf_log", net->nf.proc_netfilter);
374		375	#endif
375	return ret;	376	return ret;
376	}	377	}
377		378
378	static void __net_exit nf_log_net_exit(struct net *net)	379	static void __net_exit nf_log_net_exit(struct net *net)
379	{	380	{
380	netfilter_log_sysctl_exit(net);	381	netfilter_log_sysctl_exit(net);
		382	#ifdef CONFIG_PROC_FS
381	remove_proc_entry("nf_log", net->nf.proc_netfilter);	383	remove_proc_entry("nf_log", net->nf.proc_netfilter);
		384	#endif
382	}	385	}
383		386
384	static struct pernet_operations nf_log_net_ops = {	387	static struct pernet_operations nf_log_net_ops = {


diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index faf1e9300d8a..962e9792e317 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c
@@ -602,7 +602,8 @@ static struct nf_loginfo default_loginfo = {
602		602
603	/* log handler for internal netfilter logging api */	603	/* log handler for internal netfilter logging api */
604	void	604	void
605	nfulnl_log_packet(u_int8_t pf,	605	nfulnl_log_packet(struct net *net,
		606	u_int8_t pf,
606	unsigned int hooknum,	607	unsigned int hooknum,
607	const struct sk_buff *skb,	608	const struct sk_buff *skb,
608	const struct net_device *in,	609	const struct net_device *in,
@@ -615,7 +616,6 @@ nfulnl_log_packet(u_int8_t pf,
615	const struct nf_loginfo *li;	616	const struct nf_loginfo *li;
616	unsigned int qthreshold;	617	unsigned int qthreshold;
617	unsigned int plen;	618	unsigned int plen;
618	struct net *net = dev_net(in ? in : out);
619	struct nfnl_log_net *log = nfnl_log_pernet(net);	619	struct nfnl_log_net *log = nfnl_log_pernet(net);
620		620
621	if (li_user && li_user->type == NF_LOG_TYPE_ULOG)	621	if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
@@ -1045,7 +1045,9 @@ static int __net_init nfnl_log_net_init(struct net *net)
1045		1045
1046	static void __net_exit nfnl_log_net_exit(struct net *net)	1046	static void __net_exit nfnl_log_net_exit(struct net *net)
1047	{	1047	{
		1048	#ifdef CONFIG_PROC_FS
1048	remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);	1049	remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
		1050	#endif
1049	}	1051	}
1050		1052
1051	static struct pernet_operations nfnl_log_net_ops = {	1053	static struct pernet_operations nfnl_log_net_ops = {


diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c index 2e0e835baf72..4e27fa035814 100644 --- a/net/netfilter/nfnetlink_queue_core.c +++ b/net/netfilter/nfnetlink_queue_core.c
@@ -1285,7 +1285,9 @@ static int __net_init nfnl_queue_net_init(struct net *net)
1285		1285
1286	static void __net_exit nfnl_queue_net_exit(struct net *net)	1286	static void __net_exit nfnl_queue_net_exit(struct net *net)
1287	{	1287	{
		1288	#ifdef CONFIG_PROC_FS
1288	remove_proc_entry("nfnetlink_queue", net->nf.proc_netfilter);	1289	remove_proc_entry("nfnetlink_queue", net->nf.proc_netfilter);
		1290	#endif
1289	}	1291	}
1290		1292
1291	static struct pernet_operations nfnl_queue_net_ops = {	1293	static struct pernet_operations nfnl_queue_net_ops = {


diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c index fe573f6c9e91..491c7d821a0b 100644 --- a/net/netfilter/xt_LOG.c +++ b/net/netfilter/xt_LOG.c
@@ -466,7 +466,8 @@ log_packet_common(struct sbuff *m,
466		466
467		467
468	static void	468	static void
469	ipt_log_packet(u_int8_t pf,	469	ipt_log_packet(struct net *net,
		470	u_int8_t pf,
470	unsigned int hooknum,	471	unsigned int hooknum,
471	const struct sk_buff *skb,	472	const struct sk_buff *skb,
472	const struct net_device *in,	473	const struct net_device *in,
@@ -475,7 +476,6 @@ ipt_log_packet(u_int8_t pf,
475	const char *prefix)	476	const char *prefix)
476	{	477	{
477	struct sbuff *m;	478	struct sbuff *m;
478	struct net *net = dev_net(in ? in : out);
479		479
480	/* FIXME: Disabled from containers until syslog ns is supported */	480	/* FIXME: Disabled from containers until syslog ns is supported */
481	if (!net_eq(net, &init_net))	481	if (!net_eq(net, &init_net))
@@ -797,7 +797,8 @@ fallback:
797	}	797	}
798		798
799	static void	799	static void
800	ip6t_log_packet(u_int8_t pf,	800	ip6t_log_packet(struct net *net,
		801	u_int8_t pf,
801	unsigned int hooknum,	802	unsigned int hooknum,
802	const struct sk_buff *skb,	803	const struct sk_buff *skb,
803	const struct net_device *in,	804	const struct net_device *in,
@@ -806,7 +807,6 @@ ip6t_log_packet(u_int8_t pf,
806	const char *prefix)	807	const char *prefix)
807	{	808	{
808	struct sbuff *m;	809	struct sbuff *m;
809	struct net *net = dev_net(in ? in : out);
810		810
811	/* FIXME: Disabled from containers until syslog ns is supported */	811	/* FIXME: Disabled from containers until syslog ns is supported */
812	if (!net_eq(net, &init_net))	812	if (!net_eq(net, &init_net))
@@ -833,17 +833,18 @@ log_tg(struct sk_buff skb, const struct xt_action_param par)
833	{	833	{
834	const struct xt_log_info *loginfo = par->targinfo;	834	const struct xt_log_info *loginfo = par->targinfo;
835	struct nf_loginfo li;	835	struct nf_loginfo li;
		836	struct net *net = dev_net(par->in ? par->in : par->out);
836		837
837	li.type = NF_LOG_TYPE_LOG;	838	li.type = NF_LOG_TYPE_LOG;
838	li.u.log.level = loginfo->level;	839	li.u.log.level = loginfo->level;
839	li.u.log.logflags = loginfo->logflags;	840	li.u.log.logflags = loginfo->logflags;
840		841
841	if (par->family == NFPROTO_IPV4)	842	if (par->family == NFPROTO_IPV4)
842	ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in,	843	ipt_log_packet(net, NFPROTO_IPV4, par->hooknum, skb, par->in,
843	par->out, &li, loginfo->prefix);	844	par->out, &li, loginfo->prefix);
844	#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)	845	#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
845	else if (par->family == NFPROTO_IPV6)	846	else if (par->family == NFPROTO_IPV6)
846	ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in,	847	ip6t_log_packet(net, NFPROTO_IPV6, par->hooknum, skb, par->in,
847	par->out, &li, loginfo->prefix);	848	par->out, &li, loginfo->prefix);
848	#endif	849	#endif
849	else	850	else


diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c index a17dd0f589b2..fb7497c928a0 100644 --- a/net/netfilter/xt_NFLOG.c +++ b/net/netfilter/xt_NFLOG.c
@@ -26,13 +26,14 @@ nflog_tg(struct sk_buff skb, const struct xt_action_param par)
26	{	26	{
27	const struct xt_nflog_info *info = par->targinfo;	27	const struct xt_nflog_info *info = par->targinfo;
28	struct nf_loginfo li;	28	struct nf_loginfo li;
		29	struct net *net = dev_net(par->in ? par->in : par->out);
29		30
30	li.type = NF_LOG_TYPE_ULOG;	31	li.type = NF_LOG_TYPE_ULOG;
31	li.u.ulog.copy_len = info->len;	32	li.u.ulog.copy_len = info->len;
32	li.u.ulog.group = info->group;	33	li.u.ulog.group = info->group;
33	li.u.ulog.qthreshold = info->threshold;	34	li.u.ulog.qthreshold = info->threshold;
34		35
35	nfulnl_log_packet(par->family, par->hooknum, skb, par->in,	36	nfulnl_log_packet(net, par->family, par->hooknum, skb, par->in,
36	par->out, &li, info->prefix);	37	par->out, &li, info->prefix);
37	return XT_CONTINUE;	38	return XT_CONTINUE;
38	}	39	}


diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c index 25fd1c4e1eec..1eb1a44bfd3d 100644 --- a/net/netfilter/xt_TCPOPTSTRIP.c +++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -30,17 +30,28 @@ static inline unsigned int optlen(const u_int8_t *opt, unsigned int offset)
30		30
31	static unsigned int	31	static unsigned int
32	tcpoptstrip_mangle_packet(struct sk_buff *skb,	32	tcpoptstrip_mangle_packet(struct sk_buff *skb,
33	const struct xt_tcpoptstrip_target_info *info,	33	const struct xt_action_param *par,
34	unsigned int tcphoff, unsigned int minlen)	34	unsigned int tcphoff, unsigned int minlen)
35	{	35	{
		36	const struct xt_tcpoptstrip_target_info *info = par->targinfo;
36	unsigned int optl, i, j;	37	unsigned int optl, i, j;
37	struct tcphdr *tcph;	38	struct tcphdr *tcph;
38	u_int16_t n, o;	39	u_int16_t n, o;
39	u_int8_t *opt;	40	u_int8_t *opt;
		41	int len;
		42
		43	/* This is a fragment, no TCP header is available */
		44	if (par->fragoff != 0)
		45	return XT_CONTINUE;
40		46
41	if (!skb_make_writable(skb, skb->len))	47	if (!skb_make_writable(skb, skb->len))
42	return NF_DROP;	48	return NF_DROP;
43		49
		50	len = skb->len - tcphoff;
		51	if (len < (int)sizeof(struct tcphdr) \|\|
		52	tcp_hdr(skb)->doff * 4 > len)
		53	return NF_DROP;
		54
44	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);	55	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
45	opt = (u_int8_t *)tcph;	56	opt = (u_int8_t *)tcph;
46		57
@@ -76,7 +87,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
76	static unsigned int	87	static unsigned int
77	tcpoptstrip_tg4(struct sk_buff skb, const struct xt_action_param par)	88	tcpoptstrip_tg4(struct sk_buff skb, const struct xt_action_param par)
78	{	89	{
79	return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),	90	return tcpoptstrip_mangle_packet(skb, par, ip_hdrlen(skb),
80	sizeof(struct iphdr) + sizeof(struct tcphdr));	91	sizeof(struct iphdr) + sizeof(struct tcphdr));
81	}	92	}
82		93
@@ -94,7 +105,7 @@ tcpoptstrip_tg6(struct sk_buff skb, const struct xt_action_param par)
94	if (tcphoff < 0)	105	if (tcphoff < 0)
95	return NF_DROP;	106	return NF_DROP;
96		107
97	return tcpoptstrip_mangle_packet(skb, par->targinfo, tcphoff,	108	return tcpoptstrip_mangle_packet(skb, par, tcphoff,
98	sizeof(*ipv6h) + sizeof(struct tcphdr));	109	sizeof(*ipv6h) + sizeof(struct tcphdr));
99	}	110	}
100	#endif	111	#endif