Commit 59717f39 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Do not allow adding the conntrack helper extension to confirmed
   conntracks in the nf_tables ct expectation support.

2) Fix bogus EBUSY in nfnetlink_cthelper when NFCTH_PRIV_DATA_LEN
   is passed on userspace helper updates.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents ab00f3e0 8971ee8b
+6 −2
@@ -380,10 +380,14 @@ static int
nfnl_cthelper_update(const struct nlattr * const tb[],
		     struct nf_conntrack_helper *helper)
{
	u32 size;
	int ret;

	if (tb[NFCTH_PRIV_DATA_LEN])
	if (tb[NFCTH_PRIV_DATA_LEN]) {
		size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
		if (size != helper->data_len)
			return -EBUSY;
	}

	if (tb[NFCTH_POLICY]) {
		ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
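Review bot: The new length check on the `if (size != helper->data_len)` line carries no comment saying why an equal length is accepted while a different one is refused, and a reader coming from the old code, which returned -EBUSY whenever NFCTH_PRIV_DATA_LEN was present at all, will wonder whether the attribute is now honoured on update. A one-line comment above the `if (tb[NFCTH_PRIV_DATA_LEN]) {` line would settle it: `/* The private data area of a registered helper cannot be resized; an update may only restate the current length. */`. Whether the attribute's length is already bounded by the nla policy is not visible here, but since the value is only compared against the existing data_len and never used to index or allocate, no further range check is needed on this path. nfnl_cthelper_update continues past the end of the hunk.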
+1 −1
@@ -1217,7 +1217,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
	struct nf_conn *ct;

	ct = nf_ct_get(pkt->skb, &ctinfo);
	if (!ct || ctinfo == IP_CT_UNTRACKED) {
	if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) {
		regs->verdict.code = NFT_BREAK;
		return;
	}
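Review bot: The rewritten guard on the `if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct))` line drops the explicit IP_CT_UNTRACKED test without a comment explaining that the remaining clauses are meant to be the complete set of states in which a helper extension must not be attached. Presumably untracked packets now surface as a NULL ct from nf_ct_get(), so the `!ct` clause still covers them, but that is worth confirming against the nf_ct_get() in use rather than inferred from this hunk. I would add above the line: `/* The helper extension can only be added before confirmation; confirmed entries and templates are left untouched. */`. nft_ct_expect_obj_eval continues past the end of the hunk.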