From 8f46df184c31f3e97ef8c08fbf83c776f4eb5e21 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 10 Jan 2014 15:11:25 +0100
Subject: [PATCH 1/3] netfilter: nf_tables: fix missing byteorder conversion in policy

When fetching the policy attribute, the byteorder conversion was missing, breaking the chain policy setting.

Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 36add31e08e7..117bbaaddde6 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -859,7 +859,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 nla[NFTA_CHAIN_HOOK] == NULL)
 return -EOPNOTSUPP;
 
- policy = nla_get_be32(nla[NFTA_CHAIN_POLICY]);
+ policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
 switch (policy) {
 case NF_DROP:
 case NF_ACCEPT:
From 419331d8ff0ff2b009db5cbc2de9e8731828dc49 Mon Sep 17 00:00:00 2001
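Review bot: The converted value is now compared in host order, but nothing at the site says the attribute arrives big-endian, so a one-line comment would keep a later cleanup from dropping the `ntohl()` again, e.g. `/* NFTA_CHAIN_POLICY is big-endian on the wire; compare in host order */` above the assignment. The `switch (policy)` that follows admits NF_DROP and NF_ACCEPT; its default arm and the rest of nf_tables_newchain lie outside the hunk, so whether every other value is rejected with an error cannot be confirmed here. Bugs of this shape only surface on one endianness, so a userspace regression test that sets a base-chain policy of NF_ACCEPT and reads it back is the check worth adding alongside the fix.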
From: Paul Gortmaker
Date: Mon, 13 Jan 2014 13:01:10 -0500
Subject: [PATCH 2/3] netfilter: Add dependency on IPV6 for NF_TABLES_INET

Commit 1d49144c0aa ("netfilter: nf_tables: add "inet" table for IPv4/IPv6") allows creation of non-IPV6 enabled .config files that will fail to configure/link as follows:

warning: (NF_TABLES_INET) selects NF_TABLES_IPV6 which has unmet direct dependencies (NET && INET && IPV6 && NETFILTER && NF_TABLES)
warning: (NF_TABLES_INET) selects NF_TABLES_IPV6 which has unmet direct dependencies (NET && INET && IPV6 && NETFILTER && NF_TABLES)
warning: (NF_TABLES_INET) selects NF_TABLES_IPV6 which has unmet direct dependencies (NET && INET && IPV6 && NETFILTER && NF_TABLES)
net/built-in.o: In function `nft_reject_eval':
nft_reject.c:(.text+0x651e8): undefined reference to `nf_ip6_checksum'
nft_reject.c:(.text+0x65270): undefined reference to `ip6_route_output'
nft_reject.c:(.text+0x656c4): undefined reference to `ip6_dst_hoplimit'
make: *** [vmlinux] Error 1

Since the feature is to allow for a mixed IPV4 and IPV6 table, it seems sensible to make it depend on IPV6.

Signed-off-by: Paul Gortmaker
Acked-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 37d2092705a7..6941a4f3b3ee 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -429,7 +429,7 @@ config NF_TABLES
 To compile it as a module, choose M here.
 
 config NF_TABLES_INET
- depends on NF_TABLES
+ depends on NF_TABLES && IPV6
 select NF_TABLES_IPV4
 select NF_TABLES_IPV6
 tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
From 847c8e2959f7f8f1462e33c0a720c6267b984ed8 Mon Sep 17 00:00:00 2001
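Review bot: The new `depends on` adds only IPV6, while the warning quoted in the description lists NET, INET, NETFILTER and NF_TABLES as unmet as well; that is sound only if NF_TABLES itself already carries those, which its own entry (outside the hunk) would show, so it is worth confirming rather than assuming. `select` still bypasses the selected symbol's dependencies, so any dependency later added to NF_TABLES_IPV4 or NF_TABLES_IPV6 must be mirrored on this line; a short comment such as `# must satisfy the dependencies of the selected NF_TABLES_IPV4/IPV6 symbols` would make that coupling explicit to the next editor. As a style point, Kconfig entries commonly put the `tristate` prompt first, then `depends on`, then `select`; this entry has the order reversed, which is pre-existing but could be tidied while the line is being touched.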
From: Kristian Evensen
Date: Fri, 10 Jan 2014 21:43:20 +0100
Subject: [PATCH 3/3] netfilter: nft_ct: fix compilation warning if NF_CONNTRACK_MARK is not set

net/netfilter/nft_ct.c: In function 'nft_ct_set_eval':
net/netfilter/nft_ct.c:136:6: warning: unused variable 'value' [-Wunused-variable]

Reported-by: kbuild test robot
Signed-off-by: Kristian Evensen
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nft_ct.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index c7c12858e113..917052e20602 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -133,7 +133,9 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
 {
 const struct nft_ct *priv = nft_expr_priv(expr);
 struct sk_buff *skb = pkt->skb;
+#ifdef CONFIG_NF_CONNTRACK_MARK
 u32 value = data[priv->sreg].data[0];
+#endif
 enum ip_conntrack_info ctinfo;
 struct nf_conn *ct;
 
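Review bot: Wrapping the declaration of `value` in `#ifdef CONFIG_NF_CONNTRACK_MARK` silences the warning but ties the variable to a single config option: any ctkey added later that also needs the source register would fail to build whenever NF_CONNTRACK_MARK is off. Reading the register at the point of use instead, `u32 value = data[priv->sreg].data[0];` inside the mark-handling branch, keeps the ifdef out of the declaration block and puts the read next to its only consumer; that branch is outside the hunk, so its shape is inferred from the warning in the description, and the move assumes the register read has no side effect. If the declaration has to stay where it is, `u32 value __maybe_unused = data[priv->sreg].data[0];` would also clear the warning without conditional compilation. nft_ct_set_eval continues past the end of the hunk.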