14 files changed, 213 insertions, 28 deletions
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 9e6e683cc3..e7d26d9943 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -457,7 +457,7 @@ static void ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
        if (pskb_pull(skb, ihl) == NULL)
                goto err;
-        if (pskb_trim(skb, end-offset))
+        if (pskb_trim_rcsum(skb, end-offset))
                goto err;
        /* Find out which fragments are in front and at the back of us
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index e046f55218..30aa8e2ee2 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -34,6 +34,7 @@ config IP_NF_CT_ACCT
 config IP_NF_CONNTRACK_MARK
        bool  'Connection mark tracking support'
+        depends on IP_NF_CONNTRACK
        help
          This option enables support for connection marks, used by the
          `CONNMARK' target and `connmark' match. Similar to the mark value
@@ -85,6 +86,25 @@ config IP_NF_IRC
          To compile it as a module, choose M here.  If unsure, say Y.
+config IP_NF_NETBIOS_NS
+        tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
+        depends on IP_NF_CONNTRACK && EXPERIMENTAL
+        help
+          NetBIOS name service requests are sent as broadcast messages from an
+          unprivileged port and responded to with unicast messages to the
+          same port. This make them hard to firewall properly because connection
+          tracking doesn't deal with broadcasts. This helper tracks locally
+          originating NetBIOS name service requests and the corresponding
+          responses. It relies on correct IP address configuration, specifically
+          netmask and broadcast address. When properly configured, the output
+          of "ip address show" should look similar to this:
+          $ ip -4 address show eth0
+          4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
+              inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
+          
+          To compile it as a module, choose M here.  If unsure, say N.
 config IP_NF_TFTP
        tristate "TFTP protocol support"
        depends on IP_NF_CONNTRACK
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index a7bd38f505..1ba0db7468 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -21,6 +21,7 @@ obj-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda.o
 obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o
 obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o
 obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
+obj-$(CONFIG_IP_NF_NETBIOS_NS) += ip_conntrack_netbios_ns.o
 # NAT helpers 
 obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o
diff --git a/net/ipv4/netfilter/ip_conntrack_amanda.c b/net/ipv4/netfilter/ip_conntrack_amanda.c
index be4c9eb324..dc20881004 100644
--- a/net/ipv4/netfilter/ip_conntrack_amanda.c
+++ b/net/ipv4/netfilter/ip_conntrack_amanda.c
@@ -108,6 +108,7 @@ static int help(struct sk_buff **pskb,
                }
                exp->expectfn = NULL;
+                exp->flags = 0;
                exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
                exp->tuple.src.u.tcp.port = 0;
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index a064860019..19cba16e6e 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -197,7 +197,7 @@ ip_ct_invert_tuple(struct ip_conntrack_tuple *inverse,
 /* ip_conntrack_expect helper functions */
-static void unlink_expect(struct ip_conntrack_expect *exp)
+void ip_ct_unlink_expect(struct ip_conntrack_expect *exp)
 {
        ASSERT_WRITE_LOCK(&ip_conntrack_lock);
        IP_NF_ASSERT(!timer_pending(&exp->timeout));
@@ -207,18 +207,12 @@ static void unlink_expect(struct ip_conntrack_expect *exp)
        ip_conntrack_expect_put(exp);
 }
-void __ip_ct_expect_unlink_destroy(struct ip_conntrack_expect *exp)
-{
-        unlink_expect(exp);
-        ip_conntrack_expect_put(exp);
-}
 static void expectation_timed_out(unsigned long ul_expect)
 {
        struct ip_conntrack_expect *exp = (void *)ul_expect;
        write_lock_bh(&ip_conntrack_lock);
-        unlink_expect(exp);
+        ip_ct_unlink_expect(exp);
        write_unlock_bh(&ip_conntrack_lock);
        ip_conntrack_expect_put(exp);
 }
@@ -264,10 +258,14 @@ find_expectation(const struct ip_conntrack_tuple *tuple)
                   master ct never got confirmed, we'd hold a reference to it
                   and weird things would happen to future packets). */
                if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)
-                    && is_confirmed(i->master)
+                    && is_confirmed(i->master)) {
-                    && del_timer(&i->timeout)) {
+                        if (i->flags & IP_CT_EXPECT_PERMANENT) {
-                        unlink_expect(i);
+                                atomic_inc(&i->use);
-                        return i;
+                                return i;
+                        } else if (del_timer(&i->timeout)) {
+                                ip_ct_unlink_expect(i);
+                                return i;
+                        }
                }
        }
        return NULL;
@@ -284,7 +282,7 @@ void ip_ct_remove_expectations(struct ip_conntrack *ct)
        list_for_each_entry_safe(i, tmp, &ip_conntrack_expect_list, list) {
                if (i->master == ct && del_timer(&i->timeout)) {
-                        unlink_expect(i);
+                        ip_ct_unlink_expect(i);
                        ip_conntrack_expect_put(i);
                }
        }
@@ -925,7 +923,7 @@ void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp)
        /* choose the the oldest expectation to evict */
        list_for_each_entry_reverse(i, &ip_conntrack_expect_list, list) {
                if (expect_matches(i, exp) && del_timer(&i->timeout)) {
-                        unlink_expect(i);
+                        ip_ct_unlink_expect(i);
                        write_unlock_bh(&ip_conntrack_lock);
                        ip_conntrack_expect_put(i);
                        return;
@@ -934,6 +932,9 @@ void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp)
        write_unlock_bh(&ip_conntrack_lock);
 }
+/* We don't increase the master conntrack refcount for non-fulfilled
+ * conntracks. During the conntrack destruction, the expectations are 
+ * always killed before the conntrack itself */
 struct ip_conntrack_expect *ip_conntrack_expect_alloc(struct ip_conntrack *me)
 {
        struct ip_conntrack_expect *new;
@@ -944,17 +945,14 @@ struct ip_conntrack_expect *ip_conntrack_expect_alloc(struct ip_conntrack *me)
                return NULL;
        }
        new->master = me;
-        atomic_inc(&new->master->ct_general.use);
        atomic_set(&new->use, 1);
        return new;
 }
 void ip_conntrack_expect_put(struct ip_conntrack_expect *exp)
 {
-        if (atomic_dec_and_test(&exp->use)) {
+        if (atomic_dec_and_test(&exp->use))
-                ip_conntrack_put(exp->master);
                kmem_cache_free(ip_conntrack_expect_cachep, exp);
-        }
 }
 static void ip_conntrack_expect_insert(struct ip_conntrack_expect *exp)
@@ -982,7 +980,7 @@ static void evict_oldest_expect(struct ip_conntrack *master)
        list_for_each_entry_reverse(i, &ip_conntrack_expect_list, list) {
                if (i->master == master) {
                        if (del_timer(&i->timeout)) {
-                                unlink_expect(i);
+                                ip_ct_unlink_expect(i);
                                ip_conntrack_expect_put(i);
                        }
                        break;
@@ -1099,7 +1097,7 @@ void ip_conntrack_helper_unregister(struct ip_conntrack_helper *me)
        /* Get rid of expectations */
        list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list, list) {
                if (exp->master->helper == me && del_timer(&exp->timeout)) {
-                        unlink_expect(exp);
+                        ip_ct_unlink_expect(exp);
                        ip_conntrack_expect_put(exp);
                }
        }
diff --git a/net/ipv4/netfilter/ip_conntrack_ftp.c b/net/ipv4/netfilter/ip_conntrack_ftp.c
index 3a2627db17..1b79ec3608 100644
--- a/net/ipv4/netfilter/ip_conntrack_ftp.c
+++ b/net/ipv4/netfilter/ip_conntrack_ftp.c
@@ -421,6 +421,7 @@ static int help(struct sk_buff **pskb,
                  { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});
        exp->expectfn = NULL;
+        exp->flags = 0;
        /* Now, NAT might want to mangle the packet, and register the
         * (possibly changed) expectation itself. */
diff --git a/net/ipv4/netfilter/ip_conntrack_irc.c b/net/ipv4/netfilter/ip_conntrack_irc.c
index 25438eec21..d7a8a98c05 100644
--- a/net/ipv4/netfilter/ip_conntrack_irc.c
+++ b/net/ipv4/netfilter/ip_conntrack_irc.c
@@ -221,6 +221,7 @@ static int help(struct sk_buff **pskb,
                                { { 0, { 0 } },
                                  { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});
                        exp->expectfn = NULL;
+                        exp->flags = 0;
                        if (ip_nat_irc_hook)
                                ret = ip_nat_irc_hook(pskb, ctinfo, 
                                                      addr_beg_p - ib_ptr,
diff --git a/net/ipv4/netfilter/ip_conntrack_netbios_ns.c b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c
new file mode 100644
index 0000000000..2b5cf9c513
--- /dev/null
+++ b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c
@@ -0,0 +1,131 @@
+/*
+ *      NetBIOS name service broadcast connection tracking helper
+ *
+ *      (c) 2005 Patrick McHardy <kaber@trash.net>
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ */
+/*
+ *      This helper tracks locally originating NetBIOS name service
+ *      requests by issuing permanent expectations (valid until
+ *      timing out) matching all reply connections from the
+ *      destination network. The only NetBIOS specific thing is
+ *      actually the port number.
+ */
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/inetdevice.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+#include <net/route.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("NetBIOS name service broadcast connection tracking helper");
+MODULE_LICENSE("GPL");
+static unsigned int timeout = 3;
+module_param(timeout, int, 0600);
+MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
+static int help(struct sk_buff **pskb,
+                struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
+{
+        struct ip_conntrack_expect *exp;
+        struct iphdr *iph = (*pskb)->nh.iph;
+        struct udphdr _uh, *uh;
+        struct rtable *rt = (struct rtable *)(*pskb)->dst;
+        struct in_device *in_dev;
+        u_int32_t mask = 0;
+        /* we're only interested in locally generated packets */
+        if ((*pskb)->sk == NULL)
+                goto out;
+        if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST))
+                goto out;
+        if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
+                goto out;
+        rcu_read_lock();
+        in_dev = __in_dev_get(rt->u.dst.dev);
+        if (in_dev != NULL) {
+                for_primary_ifa(in_dev) {
+                        if (ifa->ifa_broadcast == iph->daddr) {
+                                mask = ifa->ifa_mask;
+                                break;
+                        }
+                } endfor_ifa(in_dev);
+        }
+        rcu_read_unlock();
+        if (mask == 0)
+                goto out;
+        uh = skb_header_pointer(*pskb, iph->ihl * 4, sizeof(_uh), &_uh);
+        BUG_ON(uh == NULL);
+        exp = ip_conntrack_expect_alloc(ct);
+        if (exp == NULL)
+                goto out;
+        memset(&exp->tuple, 0, sizeof(exp->tuple));
+        exp->tuple.src.ip         = iph->daddr & mask;
+        exp->tuple.dst.ip         = iph->saddr;
+        exp->tuple.dst.u.udp.port = uh->source;
+        exp->tuple.dst.protonum   = IPPROTO_UDP;
+        memset(&exp->mask, 0, sizeof(exp->mask));
+        exp->mask.src.ip          = mask;
+        exp->mask.dst.ip          = 0xFFFFFFFF;
+        exp->mask.dst.u.udp.port  = 0xFFFF;
+        exp->mask.dst.protonum    = 0xFF;
+        exp->expectfn             = NULL;
+        exp->flags                = IP_CT_EXPECT_PERMANENT;
+        ip_conntrack_expect_related(exp);
+        ip_conntrack_expect_put(exp);
+        ip_ct_refresh_acct(ct, ctinfo, NULL, timeout * HZ);
+out:
+        return NF_ACCEPT;
+}
+static struct ip_conntrack_helper helper = {
+        .name                   = "netbios-ns",
+        .tuple = {
+                .src.u.udp.port = __constant_htons(137),
+                .dst.protonum   = IPPROTO_UDP,
+        },
+        .mask = {
+                .src.u.udp.port = 0xFFFF,
+                .dst.protonum   = 0xFF,
+        },
+        .max_expected           = 1,
+        .me                     = THIS_MODULE,
+        .help                   = help,
+};
+static int __init init(void)
+{
+        helper.timeout = timeout;
+        return ip_conntrack_helper_register(&helper);
+}
+static void __exit fini(void)
+{
+        ip_conntrack_helper_unregister(&helper);
+}
+module_init(init);
+module_exit(fini);
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index a4e9278db4..15aef35647 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -1349,8 +1349,10 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
                list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list,
                                         list) {
                        if (exp->master->helper == h 
-                            && del_timer(&exp->timeout))
+                            && del_timer(&exp->timeout)) {
-                                __ip_ct_expect_unlink_destroy(exp);
+                                ip_ct_unlink_expect(exp);
+                                ip_conntrack_expect_put(exp);
+                        }
                }
                write_unlock(&ip_conntrack_lock);
        } else {
@@ -1358,8 +1360,10 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
                write_lock_bh(&ip_conntrack_lock);
                list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list,
                                         list) {
-                        if (del_timer(&exp->timeout))
+                        if (del_timer(&exp->timeout)) {
-                                __ip_ct_expect_unlink_destroy(exp);
+                                ip_ct_unlink_expect(exp);
+                                ip_conntrack_expect_put(exp);
+                        }
                }
                write_unlock_bh(&ip_conntrack_lock);
        }
@@ -1413,6 +1417,7 @@ ctnetlink_create_expect(struct nfattr *cda[])
        }
        
        exp->expectfn = NULL;
+        exp->flags = 0;
        exp->master = ct;
        memcpy(&exp->tuple, &tuple, sizeof(struct ip_conntrack_tuple));
        memcpy(&exp->mask, &mask, sizeof(struct ip_conntrack_tuple));
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index f23ef1f88c..1985abc59d 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -349,6 +349,7 @@ static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa,
        return 0;
 nfattr_failure:
+        read_unlock_bh(&tcp_lock);
        return -1;
 }
 #endif
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index ee5895afd0..ae3e3e655d 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -998,7 +998,7 @@ EXPORT_SYMBOL(ip_conntrack_expect_related);
 EXPORT_SYMBOL(ip_conntrack_unexpect_related);
 EXPORT_SYMBOL_GPL(ip_conntrack_expect_list);
 EXPORT_SYMBOL_GPL(__ip_conntrack_expect_find);
-EXPORT_SYMBOL_GPL(__ip_ct_expect_unlink_destroy);
+EXPORT_SYMBOL_GPL(ip_ct_unlink_expect);
 EXPORT_SYMBOL(ip_conntrack_tuple_taken);
 EXPORT_SYMBOL(ip_ct_gather_frags);
diff --git a/net/ipv4/netfilter/ip_conntrack_tftp.c b/net/ipv4/netfilter/ip_conntrack_tftp.c
index f8ff170f39..d2b5905334 100644
--- a/net/ipv4/netfilter/ip_conntrack_tftp.c
+++ b/net/ipv4/netfilter/ip_conntrack_tftp.c
@@ -75,6 +75,7 @@ static int tftp_help(struct sk_buff **pskb,
                exp->mask.dst.u.udp.port = 0xffff;
                exp->mask.dst.protonum = 0xff;
                exp->expectfn = NULL;
+                exp->flags = 0;
                DEBUGP("expect: ");
                DUMP_TUPLE(&exp->tuple);
diff --git a/net/ipv4/netfilter/ip_nat_rule.c b/net/ipv4/netfilter/ip_nat_rule.c
index 60d70fa41a..cb66b8bdde 100644
--- a/net/ipv4/netfilter/ip_nat_rule.c
+++ b/net/ipv4/netfilter/ip_nat_rule.c
@@ -255,6 +255,27 @@ alloc_null_binding(struct ip_conntrack *conntrack,
        return ip_nat_setup_info(conntrack, &range, hooknum);
 }
+unsigned int
+alloc_null_binding_confirmed(struct ip_conntrack *conntrack,
+                             struct ip_nat_info *info,
+                             unsigned int hooknum)
+{
+        u_int32_t ip
+                = (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
+                   ? conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip
+                   : conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip);
+        u_int16_t all
+                = (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
+                   ? conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.all
+                   : conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.src.u.all);
+        struct ip_nat_range range
+                = { IP_NAT_RANGE_MAP_IPS, ip, ip, { all }, { all } };
+        DEBUGP("Allocating NULL binding for confirmed %p (%u.%u.%u.%u)\n",
+               conntrack, NIPQUAD(ip));
+        return ip_nat_setup_info(conntrack, &range, hooknum);
+}
 int ip_nat_rule_find(struct sk_buff **pskb,
                     unsigned int hooknum,
                     const struct net_device *in,
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index 89db052add..0ff368b131 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -123,8 +123,12 @@ ip_nat_fn(unsigned int hooknum,
                if (!ip_nat_initialized(ct, maniptype)) {
                        unsigned int ret;
-                        /* LOCAL_IN hook doesn't have a chain!  */
+                        if (unlikely(is_confirmed(ct)))
-                        if (hooknum == NF_IP_LOCAL_IN)
+                                /* NAT module was loaded late */
+                                ret = alloc_null_binding_confirmed(ct, info,
+                                                                   hooknum);
+                        else if (hooknum == NF_IP_LOCAL_IN)
+                                /* LOCAL_IN hook doesn't have a chain!  */
                                ret = alloc_null_binding(ct, info, hooknum);
                        else
                                ret = ip_nat_rule_find(pskb, hooknum,