linux/net/ipv4/netfilter, branch v3.16

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

2014-05-31T00:54:47Z

Pablo Neira Ayuso says: ==================== Netfilter/IPVS updates for net-next This small patchset contains three accumulated Netfilter/IPVS updates, they are: 1) Refactorize common NAT code by encapsulating it into a helper function, similarly to what we do in other conntrack extensions, from Florian Westphal. 2) A minor format string mismatch fix for IPVS, from Masanari Iida. 3) Add quota support to the netfilter accounting infrastructure, now you can add quotas to accounting objects via the nfnetlink interface and use them from iptables. You can also listen to quota notifications from userspace. This enhancement from Mathieu Poirier. ==================== Signed-off-by: David S. Miller

net: rename local_df to ignore_df

2014-05-12T18:03:41Z

As suggested by several people, rename local_df to ignore_df, since it means "ignore df bit if it is set". Cc: Maciej Żenczykowski Cc: Florian Westphal Cc: David S. Miller Cc: Eric Dumazet Signed-off-by: Cong Wang Acked-by: Maciej Żenczykowski Signed-off-by: David S. Miller

netfilter: ipv4: defrag: set local_df flag on defragmented skb

2014-05-04T11:23:28Z

else we may fail to forward skb even if original fragments do fit outgoing link mtu: 1. remote sends 2k packets in two 1000 byte frags, DF set 2. we want to forward but only see '2k > mtu and DF set' 3. we then send icmp error saying that outgoing link is 1500 But original sender never sent a packet that would not fit the outgoing link. Setting local_df makes outgoing path test size vs. IPCB(skb)->frag_max_size, so we will still send the correct error in case the largest original size did not fit outgoing link mtu. Reported-by: Maxime Bizon Suggested-by: Maxime Bizon Fixes: 5f2d04f1f9 (ipv4: fix path MTU discovery with connection tracking) Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: add helper for adding nat extension

2014-04-29T18:56:22Z

Reduce copy-past a bit by adding a common helper. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif

2014-04-16T19:05:11Z

As suggested by Julian: Simply, flowi4_iif must not contain 0, it does not look logical to ignore all ip rules with specified iif. because in fib_rule_match() we do: if (rule->iifindex && (rule->iifindex != fl->flowi_iif)) goto out; flowi4_iif should be LOOPBACK_IFINDEX by default. We need to move LOOPBACK_IFINDEX to include/net/flow.h: 1) It is mostly used by flowi_iif 2) Fix the following compile error if we use it in flow.h by the patches latter: In file included from include/linux/netfilter.h:277:0, from include/net/netns/netfilter.h:5, from include/net/net_namespace.h:21, from include/linux/netdevice.h:43, from include/linux/icmpv6.h:12, from include/linux/ipv6.h:61, from include/net/ipv6.h:16, from include/linux/sunrpc/clnt.h:27, from include/linux/nfs_fs.h:30, from init/do_mounts.c:32: include/net/flow.h: In function ‘flowi4_init_output’: include/net/flow.h:84:32: error: ‘LOOPBACK_IFINDEX’ undeclared (first use in this function) Cc: Eric Biederman Cc: Julian Anastasov Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: Cong Wang Signed-off-by: David S. Miller

netfilter: Can't fail and free after table replacement

2014-04-05T15:46:22Z

All xtables variants suffer from the defect that the copy_to_user() to copy the counters to user memory may fail after the table has already been exchanged and thus exposed. Return an error at this point will result in freeing the already exposed table. Any subsequent packet processing will result in a kernel panic. We can't copy the counters before exposing the new tables as we want provide the counter state after the old table has been unhooked. Therefore convert this into a silent error. Cc: Florian Westphal Signed-off-by: Thomas Graf Signed-off-by: Pablo Neira Ayuso

netfilter: nf_nat_snmp_basic: fix duplicates in if/else branches

2014-02-14T10:37:36Z

The solution was found by Patrick in 2.4 kernel sources. Cc: Patrick McHardy Signed-off-by: Francois-Xavier Le Bail Acked-by: Patrick McHardy Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: add reject module for NFPROTO_INET

2014-02-06T08:44:18Z

Add a reject module for NFPROTO_INET. It does nothing but dispatch to the AF-specific modules based on the hook family. Signed-off-by: Patrick McHardy Signed-off-by: Pablo Neira Ayuso

netfilter: nft_reject: split up reject module into IPv4 and IPv6 specifc parts

2014-02-06T08:44:10Z

Currently the nft_reject module depends on symbols from ipv6. This is wrong since no generic module should force IPv6 support to be loaded. Split up the module into AF-specific and a generic part. Signed-off-by: Patrick McHardy Signed-off-by: Pablo Neira Ayuso

netfilter: nf_nat_h323: fix crash in nf_ct_unlink_expect_report()

2014-02-05T16:46:05Z

Similar bug fixed in SIP module in 3f509c6 ("netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation"). BUG: unable to handle kernel paging request at 00100104 IP: [] nf_ct_unlink_expect_report+0x57/0xf0 [nf_conntrack] ... Call Trace: [] ? del_timer+0x48/0x70 [] nf_ct_remove_expectations+0x47/0x60 [nf_conntrack] [] nf_ct_delete_from_lists+0x59/0x90 [nf_conntrack] [] death_by_timeout+0x14e/0x1c0 [nf_conntrack] [] ? nf_conntrack_set_hashsize+0x190/0x190 [nf_conntrack] [] call_timer_fn+0x1d/0x80 [] run_timer_softirq+0x18e/0x1a0 [] ? nf_conntrack_set_hashsize+0x190/0x190 [nf_conntrack] [] __do_softirq+0xa3/0x170 [] ? __local_bh_enable+0x70/0x70 [] ? irq_exit+0x67/0xa0 [] ? do_IRQ+0x46/0xb0 [] ? clockevents_notify+0x35/0x110 [] ? common_interrupt+0x2c/0x40 [] ? cpuidle_enter_state+0x41/0xf0 [] ? cpuidle_idle_call+0x8b/0x100 [] ? arch_cpu_idle+0x8/0x30 [] ? cpu_idle_loop+0x4b/0x140 [] ? cpu_startup_entry+0x18/0x20 [] ? rest_init+0x5d/0x70 [] ? start_kernel+0x2ec/0x2f2 [] ? repair_env_string+0x5b/0x5b [] ? i386_start_kernel+0x33/0x35 Signed-off-by: Alexey Dobriyan Signed-off-by: Pablo Neira Ayuso