diff options
| author | David S. Miller <davem@davemloft.net> | 2019-06-19 04:43:40 +0300 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-06-19 04:43:40 +0300 |
| commit | d470e720ef27786d97b18e7cf50230610e4e6b17 (patch) | |
| tree | 98723a90af1aa9f3e86dcefece3d8e62df0fd8a2 /net | |
| parent | cb359b60416701c8bed82fec79de25a144beb893 (diff) | |
| parent | 8a3dca632538c550930ce8bafa8c906b130d35cf (diff) | |
| download | linux-d470e720ef27786d97b18e7cf50230610e4e6b17.tar.xz | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
1) Module autoload for masquerade and redirection does not work.
2) Leak in unqueued packets in nf_ct_frag6_queue(). Ignore duplicated
fragments, pretend they are placed into the queue. Patches from
Guillaume Nault.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv6/netfilter/nf_conntrack_reasm.c | 22 | ||||
| -rw-r--r-- | net/netfilter/nft_masq.c | 3 | ||||
| -rw-r--r-- | net/netfilter/nft_redir.c | 3 |
3 files changed, 14 insertions, 14 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 6f3abbb9e093..84322ce81d70 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -261,8 +261,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, prev = fq->q.fragments_tail; err = inet_frag_queue_insert(&fq->q, skb, offset, end); - if (err) + if (err) { + if (err == IPFRAG_DUP) { + /* No error for duplicates, pretend they got queued. */ + kfree_skb(skb); + return -EINPROGRESS; + } goto insert_error; + } if (dev) fq->iif = dev->ifindex; @@ -289,15 +295,17 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, skb->_skb_refdst = 0UL; err = nf_ct_frag6_reasm(fq, skb, prev, dev); skb->_skb_refdst = orefdst; - return err; + + /* After queue has assumed skb ownership, only 0 or + * -EINPROGRESS must be returned. + */ + return err ? -EINPROGRESS : 0; } skb_dst_drop(skb); return -EINPROGRESS; insert_error: - if (err == IPFRAG_DUP) - goto err; inet_frag_kill(&fq->q); err: skb_dst_drop(skb); @@ -476,12 +484,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) ret = 0; } - /* after queue has assumed skb ownership, only 0 or -EINPROGRESS - * must be returned. - */ - if (ret) - ret = -EINPROGRESS; - spin_unlock_bh(&fq->q.lock); inet_frag_put(&fq->q); return ret; diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c index 86fd90085eaf..8c1612d6bc2c 100644 --- a/net/netfilter/nft_masq.c +++ b/net/netfilter/nft_masq.c @@ -307,5 +307,4 @@ module_exit(nft_masq_module_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>"); -MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "masq"); -MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "masq"); +MODULE_ALIAS_NFT_EXPR("masq"); diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c index da74fdc4a684..8787e9f8ed71 100644 --- a/net/netfilter/nft_redir.c +++ b/net/netfilter/nft_redir.c @@ -294,5 +294,4 @@ module_exit(nft_redir_module_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>"); -MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "redir"); -MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "redir"); +MODULE_ALIAS_NFT_EXPR("nat"); |