Commit 525de9a7 authored Feb 11, 2022 by David S. Miller

Merge ra.kernel.org:/pub/scm/linux/kernel/git/netfilter/nf



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Add selftest for nft_synproxy, from Florian Westphal.

2) xt_socket destroy path incorrectly disables IPv4 defrag for
   IPv6 traffic (typo), from Eric Dumazet.

3) Fix exit value selftest nft_concat_range.sh, from Hangbin Liu.

4) nft_synproxy disables the IPv4 hooks if the IPv6 hooks fail
   to be registered.

5) disable rp_filter on router in selftest nft_fib.sh, also
   from Hangbin Liu.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

parents dcd54265 bbe4c089

net/netfilter/nft_synproxy.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -191,8 +191,10 @@ static int nft_synproxy_do_init(const struct nft_ctx *ctx,
		if (err)
		goto nf_ct_failure;
		err = nf_synproxy_ipv6_init(snet, ctx->net);
		if (err)
		if (err) {
		nf_synproxy_ipv4_fini(snet, ctx->net);
		goto nf_ct_failure;
		}
		break;
		}

net/netfilter/xt_socket.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -221,7 +221,7 @@ static void socket_mt_destroy(const struct xt_mtdtor_param *par)
		if (par->family == NFPROTO_IPV4)
		nf_defrag_ipv4_disable(par->net);
		else if (par->family == NFPROTO_IPV6)
		nf_defrag_ipv4_disable(par->net);
		nf_defrag_ipv6_disable(par->net);
		}

		static struct xt_match socket_mt_reg[] __read_mostly = {

tools/testing/selftests/netfilter/Makefile

+1 −1

Original line number	Diff line number	Diff line
		@@ -6,7 +6,7 @@ TEST_PROGS := nft_trans_stress.sh nft_fib.sh nft_nat.sh bridge_brouter.sh \
		nft_concat_range.sh nft_conntrack_helper.sh \
		nft_queue.sh nft_meta.sh nf_nat_edemux.sh \
		ipip-conntrack-mtu.sh conntrack_tcp_unreplied.sh \
		conntrack_vrf.sh
		conntrack_vrf.sh nft_synproxy.sh

		LDLIBS = -lmnl
		TEST_GEN_FILES = nf-queue

tools/testing/selftests/netfilter/nft_concat_range.sh

+1 −1

Original line number	Diff line number	Diff line
		@@ -1601,4 +1601,4 @@ for name in ${TESTS}; do
		done
		done

		[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP}
		[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP} \|\| exit 0

tools/testing/selftests/netfilter/nft_fib.sh

+1 −0

Original line number	Diff line number	Diff line
		@@ -174,6 +174,7 @@ test_ping() {
		ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
		ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
		ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
		ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null

		sleep 3