Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.9 2016-11-30T19:50:23Z 2016-11-30T19:50:23Z Hongxu Jia hongxu.jia@windriver.com 2016-11-30T02:56:26Z urn:sha1:17a49cd549d9dc8707dc9262210166455c612dde Since 09d9686047db ("netfilter: x_tables: do compat validation via translate_table"), it used compatr structure to assign newinfo structure. In translate_compat_table of ip_tables.c and ip6_tables.c, it used compatr->hook_entry to replace info->hook_entry and compatr->underflow to replace info->underflow, but not do the same replacement in arp_tables.c. It caused invoking 32-bit "arptbale -P INPUT ACCEPT" failed in 64bit kernel. -------------------------------------- root@qemux86-64:~# arptables -P INPUT ACCEPT root@qemux86-64:~# arptables -P INPUT ACCEPT ERROR: Policy for `INPUT' offset 448 != underflow 0 arptables: Incompatible with this kernel -------------------------------------- Fixes: 09d9686047db ("netfilter: x_tables: do compat validation via translate_table") Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-10-31T12:17:38Z Liping Zhang zlpnobody@gmail.com 2016-10-29T14:09:51Z urn:sha1:b73b8a1ba598236296a46103d81c10d629d9a470 The NFTA_DUP_SREG_DEV attribute is not a must option, so we should use it in routing lookup only when the user specify it. Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression") Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-25T21:34:19Z Pablo Neira Ayuso pablo@netfilter.org 2016-09-25T21:23:57Z urn:sha1:f20fbc0717f9f007c94b2641134b19228d0ce9ed Conflicts: net/netfilter/core.c net/netfilter/nf_tables_netdev.c Resolve two conflicts before pull request for David's net-next tree: 1) Between c73c24849011 ("netfilter: nf_tables_netdev: remove redundant ip_hdr assignment") from the net tree and commit ddc8b6027ad0 ("netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate()"). 2) Between e8bffe0cf964 ("net: Add _nf_(un)register_hooks symbols") and Aaron Conole's patches to replace list_head with single linked list. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-25T21:16:45Z Liping Zhang liping.zhang@spreadtrum.com 2016-09-25T08:47:05Z urn:sha1:8cb2a7d5667ab9a9c2fdd356357b85b63b320901 nf_log is used by both nftables and iptables, so use XT_LOG_XXX macros here is not appropriate. Replace them with NF_LOG_XXX. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-25T21:16:43Z Liping Zhang liping.zhang@spreadtrum.com 2016-09-25T08:35:56Z urn:sha1:ff107d27761ff4b644c82c209e004ec9c8fbbc22 NFTA_LOG_FLAGS attribute is already supported, but the related NF_LOG_XXX flags are not exposed to the userspace. So we cannot explicitly enable log flags to log uid, tcp sequence, ip options and so on, i.e. such rule "nft add rule filter output log uid" is not supported yet. So move NF_LOG_XXX macro definitions to the uapi/../nf_log.h. In order to keep consistent with other modules, change NF_LOG_MASK to refer to all supported log flags. On the other hand, add a new NF_LOG_DEFAULT_MASK to refer to the original default log flags. Finally, if user specify the unsupported log flags or NFTA_LOG_GROUP and NFTA_LOG_FLAGS are set at the same time, report EINVAL to the userspace. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-24T19:29:53Z Aaron Conole aconole@bytheb.org 2016-09-21T15:35:04Z urn:sha1:e2361cb90a0327bdab34d01d1a7b9dbd67c31e60 All of the callers of nf_hook_slow already hold the rcu_read_lock, so this cleanup removes the recursive call. This is just a cleanup, as the locking code gracefully handles this situation. Signed-off-by: Aaron Conole <aconole@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-23T10:46:57Z David S. Miller davem@davemloft.net 2016-09-23T10:46:57Z urn:sha1:d6989d4bbe6c4d1c2a76696833a07f044e85694d 2016-09-12T22:52:44Z David S. Miller davem@davemloft.net 2016-09-12T22:52:44Z urn:sha1:b20b378d49926b82c0a131492fa8842156e0e8a9 Conflicts: drivers/net/ethernet/mediatek/mtk_eth_soc.c drivers/net/ethernet/qlogic/qed/qed_dcbx.c drivers/net/phy/Kconfig All conflicts were cases of overlapping commits. Signed-off-by: David S. Miller <davem@davemloft.net> 2016-09-12T17:54:45Z Gao Feng fgao@ikuai8.com 2016-09-10T02:04:30Z urn:sha1:23d07508d25cea9984ee068538b4e86932b015c2 There are some codes of netfilter module which did not check the return value of nft_register_chain_type. Add the checks now. Signed-off-by: Gao Feng <fgao@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-12T16:51:57Z Pablo Neira Ayuso pablo@netfilter.org 2016-09-09T10:42:49Z urn:sha1:beac5afa2d78605b70f40cf5ab5601ab10659c7f This patch introduces nft_set_pktinfo_unspec() that ensures proper initialization all of pktinfo fields for non-IP traffic. This is used by the bridge, netdev and arp families. This new function relies on nft_set_pktinfo_proto_unspec() to set a new tprot_set field that indicates if transport protocol information is available. Remain fields are zeroed. The meta expression has been also updated to check to tprot_set in first place given that zero is a valid tprot value. Even a handcrafted packet may come with the IPPROTO_RAW (255) protocol number so we can't rely on this value as tprot unset. Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>