linux/net/ipv4/netfilter, branch v3.0 Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v3.0 2011-06-29T12:47:32Z netfilter: Fix ip_route_me_harder triggering ip_rt_bug 2011-06-29T12:47:32Z Julian Anastasov ja@ssi.bg 2011-06-18T07:53:59Z urn:sha1:ed6e4ef836d425bc35e33bf20fcec95e68203afa Avoid creating input routes with ip_route_me_harder. It does not work for locally generated packets. Instead, restrict sockets to provide valid saddr for output route (or unicast saddr for transparent proxy). For other traffic allow saddr to be unicast or local but if callers forget to check saddr type use 0 for the output route. The resulting handling should be: - REJECT TCP: - in INPUT we can provide addr_type = RTN_LOCAL but better allow rejecting traffic delivered with local route (no IP address => use RTN_UNSPEC to allow also RTN_UNICAST). - FORWARD: RTN_UNSPEC => allow RTN_LOCAL/RTN_UNICAST saddr, add fix to ignore RTN_BROADCAST and RTN_MULTICAST - OUTPUT: RTN_UNSPEC - NAT, mangle, ip_queue, nf_ip_reroute: RTN_UNSPEC in LOCAL_OUT - IPVS: - use RTN_LOCAL in LOCAL_OUT and FORWARD after SNAT to restrict saddr to be local Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net> netfilter: nf_nat: avoid double seq_adjust for loopback 2011-06-16T15:29:22Z Julian Anastasov ja@ssi.bg 2011-06-16T15:29:22Z urn:sha1:42c1edd345c8412d96e7a362ee06feb7be73bb6c Avoid double seq adjustment for loopback traffic because it causes silent repetition of TCP data. One example is passive FTP with DNAT rule and difference in the length of IP addresses. This patch adds check if packet is sent and received via loopback device. As the same conntrack is used both for outgoing and incoming direction, we restrict seq adjustment to happen only in POSTROUTING. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: fix looped (broad|multi)cast's MAC handling 2011-06-16T15:27:04Z Nicolas Cavallari cavallar@lri.fr 2011-06-16T15:27:04Z urn:sha1:2c38de4c1f8da799bdca0e4bb40ca13f2174d3e8 By default, when broadcast or multicast packet are sent from a local application, they are sent to the interface then looped by the kernel to other local applications, going throught netfilter hooks in the process. These looped packet have their MAC header removed from the skb by the kernel looping code. This confuse various netfilter's netlink queue, netlink log and the legacy ip_queue, because they try to extract a hardware address from these packets, but extracts a part of the IP header instead. This patch prevent NFQUEUE, NFLOG and ip_QUEUE to include a MAC header if there is none in the packet. Signed-off-by: Nicolas Cavallari <cavallar@lri.fr> Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: ipt_ecn: fix inversion for IP header ECN match 2011-06-16T15:24:55Z Patrick McHardy kaber@trash.net 2011-06-16T15:24:55Z urn:sha1:db898aa2ef6529fa80891e754d353063611c77de Userspace allows to specify inversion for IP header ECN matches, the kernel silently accepts it, but doesn't invert the match result. Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: ipt_ecn: fix protocol check in ecn_mt_check() 2011-06-16T15:24:17Z Patrick McHardy kaber@trash.net 2011-06-16T15:24:17Z urn:sha1:58d5a0257d2fd89fbe4451f704193cc95b0a9c97 Check for protocol inversion in ecn_mt_check() and remove the unnecessary runtime check for IPPROTO_TCP in ecn_mt(). Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: ip_tables: fix compile with debug 2011-06-16T15:16:37Z Sebastian Andrzej Siewior sebastian@breakpoint.cc 2011-06-16T15:16:37Z urn:sha1:63f6fe92c6b3cbf4c0bbbea4b31fdd3d68e21e4d Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: use unsigned variables for packet lengths in ip[6]_queue. 2011-06-05T23:37:16Z Dave Jones davej@redhat.com 2011-05-28T00:36:51Z urn:sha1:d232b8dded624af3e346b13807a591c63b601c44 Netlink message lengths can't be negative, so use unsigned variables. Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_conntrack: fix ct refcount leak in l4proto->error() 2011-06-05T23:37:02Z Pablo Neira Ayuso pablo@netfilter.org 2011-06-02T13:08:45Z urn:sha1:88ed01d17b44bc2bed4ad4835d3b1099bff3dd71 This patch fixes a refcount leak of ct objects that may occur if l4proto->error() assigns one conntrack object to one skbuff. In that case, we have to skip further processing in nf_conntrack_in(). With this patch, we can also fix wrong return values (-NF_ACCEPT) for special cases in ICMP[v6] that should not bump the invalid/error statistic counters. Reported-by: Zoltan Menyhart <Zoltan.Menyhart@bull.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_nat: fix crash in nf_nat_csum 2011-06-05T23:36:46Z Julian Anastasov ja@ssi.bg 2011-05-29T20:42:29Z urn:sha1:d9be76f38526dccf84062e3ac3ed3a6a97698565 Fix crash in nf_nat_csum when mangling packets in OUTPUT hook where skb->dev is not defined, it is set later before POSTROUTING. Problem happens for CHECKSUM_NONE. We can check device from rt but using CHECKSUM_PARTIAL should be safe (skb_checksum_help). Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: add more values to enum ip_conntrack_info 2011-06-05T23:35:10Z Eric Dumazet eric.dumazet@gmail.com 2011-05-19T13:44:27Z urn:sha1:fb04883371f2cb7867d24783e7d590036dc9b548 Following error is raised (and other similar ones) : net/ipv4/netfilter/nf_nat_standalone.c: In function ‘nf_nat_fn’: net/ipv4/netfilter/nf_nat_standalone.c:119:2: warning: case value ‘4’ not in enumerated type ‘enum ip_conntrack_info’ gcc barfs on adding two enum values and getting a not enumerated result : case IP_CT_RELATED+IP_CT_IS_REPLY: Add missing enum values Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: David Miller <davem@davemloft.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>