Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== The following patchset contains Netfilter fixes for your net tree, they are: 1) Fix a leak in IPVS, the sysctl table is not released accordingly when destroying a netns, patch from Tommi Rantala. 2) Fix a build error when TPROXY and socket are built-in but IPv6 defrag is compiled as module, from Florian Westphal. 3) Fix TCP tracket wrt. RFC5961 challenge ACK when in LAST_ACK state, patch from Jesper Dangaard Brouer. 4) Fix a bogus WARN_ON() in nf_tables when deleting a set element that stores a map, from Mirek Kratochvil. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
commit
1d6057019e
|
@ -42,6 +42,9 @@ enum tcp_conntrack {
|
|||
/* The field td_maxack has been set */
|
||||
#define IP_CT_TCP_FLAG_MAXACK_SET 0x20
|
||||
|
||||
/* Marks possibility for expected RFC5961 challenge ACK */
|
||||
#define IP_CT_EXP_CHALLENGE_ACK 0x40
|
||||
|
||||
struct nf_ct_tcp_flags {
|
||||
__u8 flags;
|
||||
__u8 mask;
|
||||
|
|
|
@ -863,6 +863,7 @@ config NETFILTER_XT_TARGET_TPROXY
|
|||
depends on NETFILTER_XTABLES
|
||||
depends on NETFILTER_ADVANCED
|
||||
depends on (IPV6 || IPV6=n)
|
||||
depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
|
||||
depends on IP_NF_MANGLE
|
||||
select NF_DEFRAG_IPV4
|
||||
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
|
||||
|
@ -1356,6 +1357,7 @@ config NETFILTER_XT_MATCH_SOCKET
|
|||
depends on NETFILTER_ADVANCED
|
||||
depends on !NF_CONNTRACK || NF_CONNTRACK
|
||||
depends on (IPV6 || IPV6=n)
|
||||
depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
|
||||
select NF_DEFRAG_IPV4
|
||||
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
|
||||
help
|
||||
|
|
|
@ -3823,6 +3823,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
|
|||
cancel_work_sync(&ipvs->defense_work.work);
|
||||
unregister_net_sysctl_table(ipvs->sysctl_hdr);
|
||||
ip_vs_stop_estimator(net, &ipvs->tot_stats);
|
||||
|
||||
if (!net_eq(net, &init_net))
|
||||
kfree(ipvs->sysctl_tbl);
|
||||
}
|
||||
|
||||
#else
|
||||
|
|
|
@ -202,7 +202,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
|
|||
* sES -> sES :-)
|
||||
* sFW -> sCW Normal close request answered by ACK.
|
||||
* sCW -> sCW
|
||||
* sLA -> sTW Last ACK detected.
|
||||
* sLA -> sTW Last ACK detected (RFC5961 challenged)
|
||||
* sTW -> sTW Retransmitted last ACK. Remain in the same state.
|
||||
* sCL -> sCL
|
||||
*/
|
||||
|
@ -261,7 +261,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
|
|||
* sES -> sES :-)
|
||||
* sFW -> sCW Normal close request answered by ACK.
|
||||
* sCW -> sCW
|
||||
* sLA -> sTW Last ACK detected.
|
||||
* sLA -> sTW Last ACK detected (RFC5961 challenged)
|
||||
* sTW -> sTW Retransmitted last ACK.
|
||||
* sCL -> sCL
|
||||
*/
|
||||
|
@ -906,6 +906,7 @@ static int tcp_packet(struct nf_conn *ct,
|
|||
1 : ct->proto.tcp.last_win;
|
||||
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
|
||||
ct->proto.tcp.last_wscale;
|
||||
ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
|
||||
ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
|
||||
ct->proto.tcp.last_flags;
|
||||
memset(&ct->proto.tcp.seen[dir], 0,
|
||||
|
@ -923,7 +924,9 @@ static int tcp_packet(struct nf_conn *ct,
|
|||
* may be in sync but we are not. In that case, we annotate
|
||||
* the TCP options and let the packet go through. If it is a
|
||||
* valid SYN packet, the server will reply with a SYN/ACK, and
|
||||
* then we'll get in sync. Otherwise, the server ignores it. */
|
||||
* then we'll get in sync. Otherwise, the server potentially
|
||||
* responds with a challenge ACK if implementing RFC5961.
|
||||
*/
|
||||
if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
|
||||
struct ip_ct_tcp_state seen = {};
|
||||
|
||||
|
@ -939,6 +942,13 @@ static int tcp_packet(struct nf_conn *ct,
|
|||
ct->proto.tcp.last_flags |=
|
||||
IP_CT_TCP_FLAG_SACK_PERM;
|
||||
}
|
||||
/* Mark the potential for RFC5961 challenge ACK,
|
||||
* this pose a special problem for LAST_ACK state
|
||||
* as ACK is intrepretated as ACKing last FIN.
|
||||
*/
|
||||
if (old_state == TCP_CONNTRACK_LAST_ACK)
|
||||
ct->proto.tcp.last_flags |=
|
||||
IP_CT_EXP_CHALLENGE_ACK;
|
||||
}
|
||||
spin_unlock_bh(&ct->lock);
|
||||
if (LOG_INVALID(net, IPPROTO_TCP))
|
||||
|
@ -970,6 +980,25 @@ static int tcp_packet(struct nf_conn *ct,
|
|||
nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
|
||||
"nf_ct_tcp: invalid state ");
|
||||
return -NF_ACCEPT;
|
||||
case TCP_CONNTRACK_TIME_WAIT:
|
||||
/* RFC5961 compliance cause stack to send "challenge-ACK"
|
||||
* e.g. in response to spurious SYNs. Conntrack MUST
|
||||
* not believe this ACK is acking last FIN.
|
||||
*/
|
||||
if (old_state == TCP_CONNTRACK_LAST_ACK &&
|
||||
index == TCP_ACK_SET &&
|
||||
ct->proto.tcp.last_dir != dir &&
|
||||
ct->proto.tcp.last_index == TCP_SYN_SET &&
|
||||
(ct->proto.tcp.last_flags & IP_CT_EXP_CHALLENGE_ACK)) {
|
||||
/* Detected RFC5961 challenge ACK */
|
||||
ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
|
||||
spin_unlock_bh(&ct->lock);
|
||||
if (LOG_INVALID(net, IPPROTO_TCP))
|
||||
nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
|
||||
"nf_ct_tcp: challenge-ACK ignored ");
|
||||
return NF_ACCEPT; /* Don't change state */
|
||||
}
|
||||
break;
|
||||
case TCP_CONNTRACK_CLOSE:
|
||||
if (index == TCP_RST_SET
|
||||
&& (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
|
||||
|
|
|
@ -4472,9 +4472,9 @@ EXPORT_SYMBOL_GPL(nft_data_init);
|
|||
*/
|
||||
void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
|
||||
{
|
||||
switch (type) {
|
||||
case NFT_DATA_VALUE:
|
||||
if (type < NFT_DATA_VERDICT)
|
||||
return;
|
||||
switch (type) {
|
||||
case NFT_DATA_VERDICT:
|
||||
return nft_verdict_uninit(data);
|
||||
default:
|
||||
|
|
Loading…
Reference in New Issue