mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-18 22:14:16 +00:00 
			
		
		
		
	Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== The following patchset contains Netfilter fixes for your net tree, they are: 1) Fix a leak in IPVS, the sysctl table is not released accordingly when destroying a netns, patch from Tommi Rantala. 2) Fix a build error when TPROXY and socket are built-in but IPv6 defrag is compiled as module, from Florian Westphal. 3) Fix TCP tracket wrt. RFC5961 challenge ACK when in LAST_ACK state, patch from Jesper Dangaard Brouer. 4) Fix a bogus WARN_ON() in nf_tables when deleting a set element that stores a map, from Mirek Kratochvil. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
		
						commit
						1d6057019e
					
				
					 5 changed files with 42 additions and 5 deletions
				
			
		|  | @ -42,6 +42,9 @@ enum tcp_conntrack { | |||
| /* The field td_maxack has been set */ | ||||
| #define IP_CT_TCP_FLAG_MAXACK_SET		0x20 | ||||
| 
 | ||||
| /* Marks possibility for expected RFC5961 challenge ACK */ | ||||
| #define IP_CT_EXP_CHALLENGE_ACK 		0x40 | ||||
| 
 | ||||
| struct nf_ct_tcp_flags { | ||||
| 	__u8 flags; | ||||
| 	__u8 mask; | ||||
|  |  | |||
|  | @ -863,6 +863,7 @@ config NETFILTER_XT_TARGET_TPROXY | |||
| 	depends on NETFILTER_XTABLES | ||||
| 	depends on NETFILTER_ADVANCED | ||||
| 	depends on (IPV6 || IPV6=n) | ||||
| 	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) | ||||
| 	depends on IP_NF_MANGLE | ||||
| 	select NF_DEFRAG_IPV4 | ||||
| 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES | ||||
|  | @ -1356,6 +1357,7 @@ config NETFILTER_XT_MATCH_SOCKET | |||
| 	depends on NETFILTER_ADVANCED | ||||
| 	depends on !NF_CONNTRACK || NF_CONNTRACK | ||||
| 	depends on (IPV6 || IPV6=n) | ||||
| 	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) | ||||
| 	select NF_DEFRAG_IPV4 | ||||
| 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES | ||||
| 	help | ||||
|  |  | |||
|  | @ -3823,6 +3823,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net) | |||
| 	cancel_work_sync(&ipvs->defense_work.work); | ||||
| 	unregister_net_sysctl_table(ipvs->sysctl_hdr); | ||||
| 	ip_vs_stop_estimator(net, &ipvs->tot_stats); | ||||
| 
 | ||||
| 	if (!net_eq(net, &init_net)) | ||||
| 		kfree(ipvs->sysctl_tbl); | ||||
| } | ||||
| 
 | ||||
| #else | ||||
|  |  | |||
|  | @ -202,7 +202,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { | |||
|  *	sES -> sES	:-) | ||||
|  *	sFW -> sCW	Normal close request answered by ACK. | ||||
|  *	sCW -> sCW | ||||
|  *	sLA -> sTW	Last ACK detected. | ||||
|  *	sLA -> sTW	Last ACK detected (RFC5961 challenged) | ||||
|  *	sTW -> sTW	Retransmitted last ACK. Remain in the same state. | ||||
|  *	sCL -> sCL | ||||
|  */ | ||||
|  | @ -261,7 +261,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { | |||
|  *	sES -> sES	:-) | ||||
|  *	sFW -> sCW	Normal close request answered by ACK. | ||||
|  *	sCW -> sCW | ||||
|  *	sLA -> sTW	Last ACK detected. | ||||
|  *	sLA -> sTW	Last ACK detected (RFC5961 challenged) | ||||
|  *	sTW -> sTW	Retransmitted last ACK. | ||||
|  *	sCL -> sCL | ||||
|  */ | ||||
|  | @ -906,6 +906,7 @@ static int tcp_packet(struct nf_conn *ct, | |||
| 					1 : ct->proto.tcp.last_win; | ||||
| 			ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale = | ||||
| 				ct->proto.tcp.last_wscale; | ||||
| 			ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK; | ||||
| 			ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags = | ||||
| 				ct->proto.tcp.last_flags; | ||||
| 			memset(&ct->proto.tcp.seen[dir], 0, | ||||
|  | @ -923,7 +924,9 @@ static int tcp_packet(struct nf_conn *ct, | |||
| 		 * may be in sync but we are not. In that case, we annotate | ||||
| 		 * the TCP options and let the packet go through. If it is a | ||||
| 		 * valid SYN packet, the server will reply with a SYN/ACK, and | ||||
| 		 * then we'll get in sync. Otherwise, the server ignores it. */ | ||||
| 		 * then we'll get in sync. Otherwise, the server potentially | ||||
| 		 * responds with a challenge ACK if implementing RFC5961. | ||||
| 		 */ | ||||
| 		if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) { | ||||
| 			struct ip_ct_tcp_state seen = {}; | ||||
| 
 | ||||
|  | @ -939,6 +942,13 @@ static int tcp_packet(struct nf_conn *ct, | |||
| 				ct->proto.tcp.last_flags |= | ||||
| 					IP_CT_TCP_FLAG_SACK_PERM; | ||||
| 			} | ||||
| 			/* Mark the potential for RFC5961 challenge ACK,
 | ||||
| 			 * this pose a special problem for LAST_ACK state | ||||
| 			 * as ACK is intrepretated as ACKing last FIN. | ||||
| 			 */ | ||||
| 			if (old_state == TCP_CONNTRACK_LAST_ACK) | ||||
| 				ct->proto.tcp.last_flags |= | ||||
| 					IP_CT_EXP_CHALLENGE_ACK; | ||||
| 		} | ||||
| 		spin_unlock_bh(&ct->lock); | ||||
| 		if (LOG_INVALID(net, IPPROTO_TCP)) | ||||
|  | @ -970,6 +980,25 @@ static int tcp_packet(struct nf_conn *ct, | |||
| 			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, | ||||
| 				  "nf_ct_tcp: invalid state "); | ||||
| 		return -NF_ACCEPT; | ||||
| 	case TCP_CONNTRACK_TIME_WAIT: | ||||
| 		/* RFC5961 compliance cause stack to send "challenge-ACK"
 | ||||
| 		 * e.g. in response to spurious SYNs.  Conntrack MUST | ||||
| 		 * not believe this ACK is acking last FIN. | ||||
| 		 */ | ||||
| 		if (old_state == TCP_CONNTRACK_LAST_ACK && | ||||
| 		    index == TCP_ACK_SET && | ||||
| 		    ct->proto.tcp.last_dir != dir && | ||||
| 		    ct->proto.tcp.last_index == TCP_SYN_SET && | ||||
| 		    (ct->proto.tcp.last_flags & IP_CT_EXP_CHALLENGE_ACK)) { | ||||
| 			/* Detected RFC5961 challenge ACK */ | ||||
| 			ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK; | ||||
| 			spin_unlock_bh(&ct->lock); | ||||
| 			if (LOG_INVALID(net, IPPROTO_TCP)) | ||||
| 				nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, | ||||
| 				      "nf_ct_tcp: challenge-ACK ignored "); | ||||
| 			return NF_ACCEPT; /* Don't change state */ | ||||
| 		} | ||||
| 		break; | ||||
| 	case TCP_CONNTRACK_CLOSE: | ||||
| 		if (index == TCP_RST_SET | ||||
| 		    && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) | ||||
|  |  | |||
|  | @ -4472,9 +4472,9 @@ EXPORT_SYMBOL_GPL(nft_data_init); | |||
|  */ | ||||
| void nft_data_uninit(const struct nft_data *data, enum nft_data_types type) | ||||
| { | ||||
| 	switch (type) { | ||||
| 	case NFT_DATA_VALUE: | ||||
| 	if (type < NFT_DATA_VERDICT) | ||||
| 		return; | ||||
| 	switch (type) { | ||||
| 	case NFT_DATA_VERDICT: | ||||
| 		return nft_verdict_uninit(data); | ||||
| 	default: | ||||
|  |  | |||
		Loading…
	
	Add table
		
		Reference in a new issue
	
	 David S. Miller
						David S. Miller