Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains five Netfilter fixes for your net tree,
they are:
1) Silence a warning on falling back to vmalloc(). Since 88eab472ec, we can
easily hit this warning message, which gets users confused. So let's get rid
of it.
2) Recently when porting the template object allocation on top of kmalloc to
fix the netns dependencies between x_tables and conntrack, the error
checks were left unchanged. Remove IS_ERR() and check for NULL instead.
Patch from Dan Carpenter.
3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
Joe Stringer.
4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
Phil Sutter.
5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
not adjusted through our NAT infrastructure, as a result the client may
ignore this TCP packet and TCP flow hangs until the client probes us. Also
from Phil Sutter.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
182554570a
@ -226,7 +226,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
|
|||
|
||||
synproxy_build_options(nth, opts);
|
||||
|
||||
synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
|
||||
synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
|
||||
niph, nth, tcp_hdr_size);
|
||||
}
|
||||
|
||||
static bool
|
||||
|
|
|
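Review bot: The client ACK at the end of synproxy_send_client_ack is now sent with `skb->nfct` and `IP_CT_ESTABLISHED_REPLY` instead of `NULL, 0`, yet nothing at the call site says why a packet SYNPROXY generates itself is tied to the connection; a reader will likely assume the NULL form is correct here, as it still is for synproxy_send_server_ack. A one-line comment would preserve the intent: `/* hand the conntrack to synproxy_send_tcp so the reply-direction fixups (seqadj/NAT per the cover letter) apply to this ACK */`. The same remark applies to the IPv6 counterpart hunk for synproxy_send_client_ack at @ -241,7 +243,8. The body of synproxy_send_client_ack begins outside the hunk.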
@ -37,12 +37,13 @@ synproxy_build_ip(struct sk_buff *skb, const struct in6_addr *saddr,
|
|||
}
|
||||
|
||||
static void
|
||||
synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb,
|
||||
synproxy_send_tcp(const struct synproxy_net *snet,
|
||||
const struct sk_buff *skb, struct sk_buff *nskb,
|
||||
struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
|
||||
struct ipv6hdr *niph, struct tcphdr *nth,
|
||||
unsigned int tcp_hdr_size)
|
||||
{
|
||||
struct net *net = nf_ct_net((struct nf_conn *)nfct);
|
||||
struct net *net = nf_ct_net(snet->tmpl);
|
||||
struct dst_entry *dst;
|
||||
struct flowi6 fl6;
|
||||
|
||||
|
@ -83,7 +84,8 @@ free_nskb:
|
|||
}
|
||||
|
||||
static void
|
||||
synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
|
||||
synproxy_send_client_synack(const struct synproxy_net *snet,
|
||||
const struct sk_buff *skb, const struct tcphdr *th,
|
||||
const struct synproxy_options *opts)
|
||||
{
|
||||
struct sk_buff *nskb;
|
||||
|
@ -119,7 +121,7 @@ synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
|
|||
|
||||
synproxy_build_options(nth, opts);
|
||||
|
||||
synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
|
||||
synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
|
||||
niph, nth, tcp_hdr_size);
|
||||
}
|
||||
|
||||
|
@ -163,7 +165,7 @@ synproxy_send_server_syn(const struct synproxy_net *snet,
|
|||
|
||||
synproxy_build_options(nth, opts);
|
||||
|
||||
synproxy_send_tcp(skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
|
||||
synproxy_send_tcp(snet, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
|
||||
niph, nth, tcp_hdr_size);
|
||||
}
|
||||
|
||||
|
@ -203,7 +205,7 @@ synproxy_send_server_ack(const struct synproxy_net *snet,
|
|||
|
||||
synproxy_build_options(nth, opts);
|
||||
|
||||
synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
|
||||
synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -241,7 +243,8 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
|
|||
|
||||
synproxy_build_options(nth, opts);
|
||||
|
||||
synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
|
||||
synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
|
||||
niph, nth, tcp_hdr_size);
|
||||
}
|
||||
|
||||
static bool
|
||||
|
@ -301,7 +304,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
|||
XT_SYNPROXY_OPT_SACK_PERM |
|
||||
XT_SYNPROXY_OPT_ECN);
|
||||
|
||||
synproxy_send_client_synack(skb, th, &opts);
|
||||
synproxy_send_client_synack(snet, skb, th, &opts);
|
||||
return NF_DROP;
|
||||
|
||||
} else if (th->ack && !(th->fin || th->rst || th->syn)) {
|
||||
|
|
|
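Review bot: In the synproxy_send_tcp hunk (@ -37,12 +37,13), `struct net *net = nf_ct_net(snet->tmpl);` silently encodes the reason the `snet` parameter was added: `nfct` is NULL on the server-ACK path (see `synproxy_send_tcp(snet, skb, nskb, NULL, 0, ...)` at @ -203,7 +205,7), so the previous `nf_ct_net((struct nf_conn *)nfct)` dereferenced NULL there. The new line deserves a comment stating this: `/* nfct may be NULL (server ACK path); derive the netns from the per-netns template conntrack instead */`. It also relies on `snet->tmpl` being non-NULL for as long as the target can run, which presumably holds because the netns init bails out when the template allocation fails, but that invariant is worth naming in the same comment. The body of synproxy_send_tcp continues past the hunk.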
@ -292,7 +292,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags)
|
|||
{
|
||||
struct nf_conn *tmpl;
|
||||
|
||||
tmpl = kzalloc(sizeof(struct nf_conn), GFP_KERNEL);
|
||||
tmpl = kzalloc(sizeof(*tmpl), flags);
|
||||
if (tmpl == NULL)
|
||||
return NULL;
|
||||
|
||||
|
@ -303,7 +303,7 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags)
|
|||
if (zone) {
|
||||
struct nf_conntrack_zone *nf_ct_zone;
|
||||
|
||||
nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, GFP_ATOMIC);
|
||||
nf_ct_zone = nf_ct_ext_add(tmpl, NF_CT_EXT_ZONE, flags);
|
||||
if (!nf_ct_zone)
|
||||
goto out_free;
|
||||
nf_ct_zone->id = zone;
|
||||
|
@ -1544,10 +1544,8 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
|
|||
sz = nr_slots * sizeof(struct hlist_nulls_head);
|
||||
hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,
|
||||
get_order(sz));
|
||||
if (!hash) {
|
||||
printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
|
||||
if (!hash)
|
||||
hash = vzalloc(sz);
|
||||
}
|
||||
|
||||
if (hash && nulls)
|
||||
for (i = 0; i < nr_slots; i++)
|
||||
|
|
|
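Review bot: With the printk gone from nf_ct_alloc_hashtable (@ -1544,10 +1544,8), the fallback `if (!hash) hash = vzalloc(sz);` no longer carries any hint of why the first attempt uses `__GFP_NOWARN` and is allowed to fail quietly; a short comment keeps that reasoning visible: `/* the high-order page allocation may fail for large tables; fall back to vmalloc() without warning */`. In the nf_ct_tmpl_alloc hunks the `flags` argument is now honoured by both kzalloc() and nf_ct_ext_add(), which is the fix the cover letter describes; the only remaining point is that the function's documentation, if it has any above the hunk, should state that `flags` governs both allocations. Both functions start and end outside the hunks shown.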
@ -353,10 +353,8 @@ static int __net_init synproxy_net_init(struct net *net)
|
|||
int err = -ENOMEM;
|
||||
|
||||
ct = nf_ct_tmpl_alloc(net, 0, GFP_KERNEL);
|
||||
if (IS_ERR(ct)) {
|
||||
err = PTR_ERR(ct);
|
||||
if (!ct)
|
||||
goto err1;
|
||||
}
|
||||
|
||||
if (!nfct_seqadj_ext_add(ct))
|
||||
goto err2;
|
||||
|
|
|
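Review bot: The new `if (!ct) goto err1;` in synproxy_net_init relies on the `int err = -ENOMEM;` initializer a few lines above to report the failure, whereas the parallel fix in xt_ct_tg_check assigns `ret = -ENOMEM;` explicitly inside the branch. Either a matching `err = -ENOMEM;` next to the goto, or a one-line comment such as `/* err already holds -ENOMEM */`, would stop a later edit that reuses `err` before this point from silently turning an allocation failure into success. The function starts and ends outside the hunk.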
@ -202,9 +202,10 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
|
|||
goto err1;
|
||||
|
||||
ct = nf_ct_tmpl_alloc(par->net, info->zone, GFP_KERNEL);
|
||||
ret = PTR_ERR(ct);
|
||||
if (IS_ERR(ct))
|
||||
if (!ct) {
|
||||
ret = -ENOMEM;
|
||||
goto err2;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
if ((info->ct_events || info->exp_events) &&
|
||||
|
|