public inbox for netdev@vger.kernel.org 
* [patch 28/46] netfilter: x_tables: fix match/target revision lookup
       [not found] ` <20090123011110.GA19756@kroah.com>
@ 2009-01-23  1:12   ` Greg KH
  2009-01-23  1:12   ` [patch 29/46] netfilter: ebtables: fix inversion in match code Greg KH
  2009-01-23  1:12   ` [patch 30/46] netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian Greg KH
  2 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2009-01-23  1:12 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	Chuck Ebbert, Domenico Andreoli, Willy Tarreau,
	Rodrigo Rubira Branco, Jake Edge, Eugene Teo, torvalds, akpm,
	alan, netdev, netfilter-devel, Patrick McHardy, davem

[-- Attachment #1: netfilter-x_tables-fix-match-target-revision-lookup.patch --]
[-- Type: text/plain, Size: 1182 bytes --]

2.6.28-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Patrick McHardy <kaber@trash•net>

Upstream commit 656caff:

Commit 55b69e91 (netfilter: implement NFPROTO_UNSPEC as a wildcard
for extensions) broke revision probing for matches and targets that
are registered with NFPROTO_UNSPEC.

Fix by continuing the search on the NFPROTO_UNSPEC list if nothing
is found on the af-specific lists.

Signed-off-by: Patrick McHardy <kaber@trash•net>
Signed-off-by: David S. Miller <davem@davemloft•net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse•de>

---
 net/netfilter/x_tables.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -273,6 +273,10 @@ static int match_revfn(u8 af, const char
 				have_rev = 1;
 		}
 	}
+
+	if (af != NFPROTO_UNSPEC && !have_rev)
+		return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+
 	return have_rev;
 }
 
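Review bot: In match_revfn, the NFPROTO_UNSPEC list is walked only when `!have_rev`, so when the af-specific list already holds the requested revision the wildcard list is skipped entirely. If the loop above also updates `*bestp` (not visible in this hunk) and callers treat it as the highest revision across both lists, walk both lists and OR the results instead of returning the recursive call only on a miss. If af-specific entries are meant to take precedence, a one-line comment above the `if` saying so would make the intent clear.
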
@@ -289,6 +293,10 @@ static int target_revfn(u8 af, const cha
 				have_rev = 1;
 		}
 	}
+
+	if (af != NFPROTO_UNSPEC && !have_rev)
+		return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+
 	return have_rev;
 }
 
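Review bot: The fallback block in target_revfn is identical to the one added to match_revfn, and neither carries a comment explaining why the recursion terminates. It does, because the second call passes NFPROTO_UNSPEC and fails the `af != NFPROTO_UNSPEC` guard, but a short comment stating that, or a shared helper that takes the list to walk, would keep the two copies from drifting apart.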



* [patch 29/46] netfilter: ebtables: fix inversion in match code
       [not found] ` <20090123011110.GA19756@kroah.com>
  2009-01-23  1:12   ` [patch 28/46] netfilter: x_tables: fix match/target revision lookup Greg KH
@ 2009-01-23  1:12   ` Greg KH
  2009-01-23  1:12   ` [patch 30/46] netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian Greg KH
  2 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2009-01-23  1:12 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	Chuck Ebbert, Domenico Andreoli, Willy Tarreau,
	Rodrigo Rubira Branco, Jake Edge, Eugene Teo, torvalds, akpm,
	alan, netdev, netfilter-devel, Patrick McHardy, davem,
	Jan Engelhardt

[-- Attachment #1: netfilter-ebtables-fix-inversion-in-match-code.patch --]
[-- Type: text/plain, Size: 1054 bytes --]

2.6.28-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Patrick McHardy <kaber@trash•net>

Upstream commit d61ba9f:

Commit 8cc784ee (netfilter: change return types of match functions
for ebtables extensions) broke ebtables matches by inverting the
sense of match/nomatch.

Reported-by: Matt Cross <matthltc@us•ibm.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas•de>
Signed-off-by: Patrick McHardy <kaber@trash•net>
Signed-off-by: David S. Miller <davem@davemloft•net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse•de>

---
 net/bridge/netfilter/ebtables.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -80,7 +80,7 @@ static inline int ebt_do_match (struct e
 {
 	par->match     = m->u.match;
 	par->matchinfo = m->data;
-	return m->u.match->match(skb, par);
+	return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
 }
 
 static inline int ebt_dev_check(char *entry, const struct net_device *device)
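
Review bot: In ebt_do_match, the `? EBT_MATCH : EBT_NOMATCH` conversion is the only place where the extension's truth-valued ->match() result is mapped to the ebtables verdict, and nothing at the return statement says so. Add a comment above the return noting that ->match() returns nonzero on a match while callers of ebt_do_match expect EBT_MATCH or EBT_NOMATCH, and check that no other call site in ebtables.c invokes ->match() directly without the same mapping.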



* [patch 30/46] netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian
       [not found] ` <20090123011110.GA19756@kroah.com>
  2009-01-23  1:12   ` [patch 28/46] netfilter: x_tables: fix match/target revision lookup Greg KH
  2009-01-23  1:12   ` [patch 29/46] netfilter: ebtables: fix inversion in match code Greg KH
@ 2009-01-23  1:12   ` Greg KH
  2 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2009-01-23  1:12 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Justin Forbes, Zwane Mwaikambo, Theodore Ts'o, Randy Dunlap,
	Dave Jones, Chuck Wolber, Chris Wedgwood, Michael Krufky,
	Chuck Ebbert, Domenico Andreoli, Willy Tarreau,
	Rodrigo Rubira Branco, Jake Edge, Eugene Teo, torvalds, akpm,
	alan, netdev, netfilter-devel, Patrick McHardy, davem

[-- Attachment #1: netfilter-nf_conntrack-fix-icmp-icmpv6-timeout-sysctls-on-big-endian.patch --]
[-- Type: text/plain, Size: 1693 bytes --]

2.6.28-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Patrick McHardy <kaber@trash•net>

Upstream commit 71320af:

An old bug crept back into the ICMP/ICMPv6 conntrack protocols: the timeout
values are defined as unsigned longs, the sysctl's maxsize is set to
sizeof(unsigned int). Use unsigned int for the timeout values as in the
other conntrack protocols.

Reported-by: Jean-Mickael Guerin <jean-mickael.guerin@6wind•com>
Signed-off-by: Patrick McHardy <kaber@trash•net>
Signed-off-by: David S. Miller <davem@davemloft•net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse•de>

---
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |    2 +-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -20,7 +20,7 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_log.h>
 
-static unsigned long nf_ct_icmp_timeout __read_mostly = 30*HZ;
+static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ;
 
 static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 			      struct nf_conntrack_tuple *tuple)
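
Review bot: The new `unsigned int nf_ct_icmp_timeout` is correct only as long as the sysctl entry's size stays `sizeof(unsigned int)`, and that entry is not part of this hunk. Since the commit message says this bug crept back in, consider sizing the sysctl entry with `sizeof(nf_ct_icmp_timeout)` so the variable's type and the handler's size cannot diverge again.
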
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -26,7 +26,7 @@
 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 #include <net/netfilter/nf_log.h>
 
-static unsigned long nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
+static unsigned int nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
 
 static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
 				unsigned int dataoff,
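
Review bot: The `nf_ct_icmpv6_timeout` declaration has no comment tying its type to the sysctl that exposes it, which leaves room for a later type cleanup to reintroduce the mismatch. A one-line comment above the declaration stating that the type must match the sysctl entry's size, mirrored in nf_conntrack_proto_icmp.c, would document the constraint.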

