Commit 27c064ae authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter fixes for net:

1) Fix deadlock in nfnetlink due to missing mutex release in error path,
   from Ziyang Xuan.

2) Clean up pending autoload module list from nf_tables_exit_net() path,
   from Shigeru Yoshida.

3) Fixes for the netfilter reverse path selftest, from Phil Sutter.

All of these bugs have been around for several releases.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 5d041588 58bb78ce
+2 −1
@@ -10090,7 +10090,8 @@ static void __net_exit nf_tables_exit_net(struct net *net)
	struct nftables_pernet *nft_net = nft_pernet(net);

	mutex_lock(&nft_net->commit_mutex);
	if (!list_empty(&nft_net->commit_list))
	if (!list_empty(&nft_net->commit_list) ||
	    !list_empty(&nft_net->module_list))
		__nf_tables_abort(net, NFNL_ABORT_NONE);
	__nft_release_tables(net);
	mutex_unlock(&nft_net->commit_mutex);
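Review bot: The widened condition now makes `__nf_tables_abort()` run for a reason the old one-line check did not express — a non-empty `module_list` with nothing on `commit_list` means a batch left module autoload requests behind — and nothing in the hunk says so; add `/* abort any pending transaction and release module autoload requests left over from an aborted batch before the tables are torn down */` above the `if`. That `__nf_tables_abort()` called with `NFNL_ABORT_NONE` frees the `module_list` entries rather than re-requesting the modules is what the fix relies on, but that behaviour lives in the abort routine outside this hunk, so it is worth confirming and naming in the comment. `nf_tables_exit_net()` begins before the hunk (its signature appears only in the `@@` line) and its closing brace is after it.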
+1 −0
@@ -294,6 +294,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
			nfnl_lock(subsys_id);
			if (nfnl_dereference_protected(subsys_id) != ss ||
			    nfnetlink_find_client(type, ss) != nc) {
				nfnl_unlock(subsys_id);
				err = -EAGAIN;
				break;
			}
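Review bot: The added `nfnl_unlock(subsys_id)` is the only thing that pairs with the `nfnl_lock(subsys_id)` three lines above on this `-EAGAIN` exit, and that pairing is easy to lose on the next edit; a why-comment on the new line would help, e.g. `/* subsystem or client changed under us while the lock was dropped: release it again before the -EAGAIN replay */`. The `-EAGAIN` presumably asks the caller to replay the message, and whether that replay is bounded, and whether every other exit between this `nfnl_lock()` and the function's end releases the lock, cannot be seen here — `nfnetlink_rcv_msg()` begins and ends outside the hunk — so that deserves a second look by the author. If the replay is unbounded, a subsystem that keeps being swapped underneath could make the caller loop, but that behaviour lives in the caller rather than in this hunk.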
+8 −6
@@ -15,7 +15,7 @@ fi

if ip6tables-legacy --version >/dev/null 2>&1; then
	ip6tables='ip6tables-legacy'
elif ! ip6tables --version >/dev/null 2>&1; then
elif ip6tables --version >/dev/null 2>&1; then
	ip6tables='ip6tables'
else
	ip6tables=''
@@ -62,9 +62,11 @@ ip -net "$ns1" a a fec0:42::2/64 dev v0 nodad
ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad

# firewall matches to test
ip netns exec "$ns2" "$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter
ip netns exec "$ns2" "$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter
ip netns exec "$ns2" nft -f - <<EOF
[ -n "$iptables" ] && ip netns exec "$ns2" \
	"$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter
[ -n "$ip6tables" ] && ip netns exec "$ns2" \
	"$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter
[ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF
table inet t {
	chain c {
		type filter hook prerouting priority raw;
@@ -106,8 +108,8 @@ testrun() {
	if [ -n "$nft" ]; then
		(
			echo "delete table inet t";
			ip netns exec "$ns2" nft -s list table inet t;
		) | ip netns exec "$ns2" nft -f -
			ip netns exec "$ns2" $nft -s list table inet t;
		) | ip netns exec "$ns2" $nft -f -
	fi

	# test 1: martian traffic should fail rpfilter matches
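Review bot: The guarded lines quote `"$iptables"` and `"$ip6tables"` but leave `$nft` unquoted on both the `-f -` and the `-s list table inet t` invocations, so the tool variables are treated differently for no visible reason; unless `$nft` is meant to carry extra words, write `"$nft" -f -` and `"$nft" -s list table inet t` like the others, otherwise add a one-line comment saying why it must stay unquoted. The inverted `elif ! ip6tables --version` test corrected here is the kind of slip that gets copy-pasted, and what closes at the `fi` on the first hunk line is presumably the matching `iptables` detection block, so check it for the same inversion. The `[ -n ... ] && ...` form returns non-zero when the tool is absent, which is harmless as written, but if any of these lines ends up as the last command of a function or of the script its exit status would wrongly signal failure.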