Commit 6f97fde8 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

1) Incorrect helper module alias in netbios_ns, from Florian Westphal.

2) Remove unused variable in nf_tables.

3) Uninitialized last expression in nf_tables register tracking.

4) Memleak in nft_connlimit after moving stateful data out of the
   expression data area.

5) Bogus invalid stats update when NF_REPEAT is returned, from Florian.

* git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf:
  netfilter: conntrack: don't increment invalid counter on NF_REPEAT
  netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails
  netfilter: nf_tables: set last expression in register tracking area
  netfilter: nf_tables: remove unused variable
  netfilter: nf_conntrack_netbios_ns: fix helper module alias
====================

Link: https://lore.kernel.org/r/20220120125212.991271-1-pablo@netfilter.org


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents aafc2e32 830af2eb

net/netfilter/nf_conntrack_core.c

+5 −3
Original line number Diff line number Diff line
@@ -1924,15 +1924,17 @@ nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state) 
		pr_debug("nf_conntrack_in: Can't track with proto module\n");

		nf_ct_put(ct);

		skb->_nfct = 0;

		NF_CT_STAT_INC_ATOMIC(state->net, invalid);

		if (ret == -NF_DROP)

			NF_CT_STAT_INC_ATOMIC(state->net, drop);

		/* Special case: TCP tracker reports an attempt to reopen a

		 * closed/aborted connection. We have to go back and create a

		 * fresh conntrack.

		 */

		if (ret == -NF_REPEAT)

			goto repeat;



		NF_CT_STAT_INC_ATOMIC(state->net, invalid);

		if (ret == -NF_DROP)

			NF_CT_STAT_INC_ATOMIC(state->net, drop);



		ret = -ret;

		goto out;

	}

net/netfilter/nf_conntrack_netbios_ns.c

+3 −2
Original line number Diff line number Diff line
@@ -20,13 +20,14 @@ 
#include <net/netfilter/nf_conntrack_helper.h>

#include <net/netfilter/nf_conntrack_expect.h>



#define HELPER_NAME	"netbios-ns"

#define NMBD_PORT	137



MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");

MODULE_DESCRIPTION("NetBIOS name service broadcast connection tracking helper");

MODULE_LICENSE("GPL");

MODULE_ALIAS("ip_conntrack_netbios_ns");

MODULE_ALIAS_NFCT_HELPER("netbios_ns");

MODULE_ALIAS_NFCT_HELPER(HELPER_NAME);



static unsigned int timeout __read_mostly = 3;

module_param(timeout, uint, 0400);
@@ -44,7 +45,7 @@ static int netbios_ns_help(struct sk_buff *skb, unsigned int protoff, 
}



static struct nf_conntrack_helper helper __read_mostly = {

	.name			= "netbios-ns",

	.name			= HELPER_NAME,

	.tuple.src.l3num	= NFPROTO_IPV4,

	.tuple.src.u.udp.port	= cpu_to_be16(NMBD_PORT),

	.tuple.dst.protonum	= IPPROTO_UDP,

net/netfilter/nf_tables_api.c

+1 −3
Original line number Diff line number Diff line
@@ -8264,14 +8264,12 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha 
	void *data, *data_boundary;

	struct nft_rule_dp *prule;

	struct nft_rule *rule;

	int i;



	/* already handled or inactive chain? */

	if (chain->blob_next || !nft_is_active_next(net, chain))

		return 0;



	rule = list_entry(&chain->rules, struct nft_rule, list);

	i = 0;



	data_size = 0;

	list_for_each_entry_continue(rule, &chain->rules, list) {
@@ -8301,7 +8299,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha 
			return -ENOMEM;



		size = 0;

		track.last = last;

		track.last = nft_expr_last(rule);

		nft_rule_for_each_expr(expr, last, rule) {

			track.cur = expr;

net/netfilter/nft_connlimit.c

+10 −1
Original line number Diff line number Diff line
@@ -62,6 +62,7 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx, 
{

	bool invert = false;

	u32 flags, limit;

	int err;



	if (!tb[NFTA_CONNLIMIT_COUNT])

		return -EINVAL;
@@ -84,7 +85,15 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx, 
	priv->limit	= limit;

	priv->invert	= invert;



	return nf_ct_netns_get(ctx->net, ctx->family);

	err = nf_ct_netns_get(ctx->net, ctx->family);

	if (err < 0)

		goto err_netns;



	return 0;

err_netns:

	kfree(priv->list);



	return err;

}



static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,