Commit 9a2f97bb authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Fix a deadlock when module is requested via netlink_bind()
   in nfnetlink, from Florian Westphal.

2) Fix ipt_rpfilter and ip6t_rpfilter with VRF, from Miaohe Lin.

3) Skip master comparison in SIP helper to fix expectation clash
   under two valid scenarios, from xiao ruizhu.

4) Remove obsolete comments in nf_conntrack codebase, from
   Yonatan Goldschmidt.

5) Fix redirect extension module autoload, from Christian Hesse.

6) Fix incorrect MSS option sent to client in synproxy,
   from Fernando Fernandez.

7) Fix incorrect window calculations in TCP conntrack, from
   Florian Westphal.

8) Don't bail out when updating basechain policy due to recent
   offload works, also from Florian.

9) Allow symhash to use modulus 1 as other hash extensions do,
   from Laura.Garcia.

10) Missing NAT chain module autoload for the inet family,
    from Phil Sutter.

11) Fix missing adjustment of TCP RST packet in synproxy,
    from Fernando Fernandez.

12) Skip EAGAIN path when nft_meta_bridge is built-in or
    not selected.

13) Conntrack bridge does not depend on nf_tables_bridge.

14) Turn NF_TABLES_BRIDGE into tristate to fix possible
    link break of nft_meta_bridge, from Arnd Bergmann.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 31cc088a dfee0e99
+1 −2
/* SPDX-License-Identifier: GPL-2.0-only */
/****************************************************************************
 * ip_conntrack_h323_asn1.h - BER and PER decoding library for H.323
 * 			      conntrack/NAT module.
 * BER and PER decoding library for H.323 conntrack/NAT module.
 *
 * Copyright (c) 2006 by Jing Min Zhao <zhaojingmin@users.sourceforge.net>
 *
+9 −3
@@ -76,6 +76,11 @@ struct nf_conntrack_expect_policy {
#define NF_CT_EXPECT_CLASS_DEFAULT	0
#define NF_CT_EXPECT_MAX_CNT		255

/* Allow to reuse expectations with the same tuples from different master
 * conntracks.
 */
#define NF_CT_EXP_F_SKIP_MASTER	0x1

int nf_conntrack_expect_pernet_init(struct net *net);
void nf_conntrack_expect_pernet_fini(struct net *net);

@@ -122,10 +127,11 @@ void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, u_int8_t,
		       u_int8_t, const __be16 *, const __be16 *);
void nf_ct_expect_put(struct nf_conntrack_expect *exp);
int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, 
				u32 portid, int report);
static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect)
				u32 portid, int report, unsigned int flags);
static inline int nf_ct_expect_related(struct nf_conntrack_expect *expect,
				       unsigned int flags)
{
	return nf_ct_expect_related_report(expect, 0, 0);
	return nf_ct_expect_related_report(expect, 0, 0, flags);
}

#endif /*_NF_CONNTRACK_EXPECT_H*/
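Review bot: The comment on `NF_CT_EXP_F_SKIP_MASTER` says reuse is allowed but not which master conntrack a reused expectation stays bound to, and the new `flags` parameter on `nf_ct_expect_related_report()` and `nf_ct_expect_related()` is an undocumented bitmask. An expectation is what admits a related flow, so a helper author needs to know what relaxing the master comparison implies before setting the bit. I would extend the flag comment to something like `/* Skip the master comparison when looking for an existing expectation; only for helpers where several masters legitimately expect the same tuple. */` and add `/* flags: bitmask of NF_CT_EXP_F_*; 0 presumably keeps the strict per-master check */` above the prototype. The matching logic lives outside this section, so whether unknown bits are rejected or silently ignored cannot be confirmed from here.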
+1 −0
@@ -68,6 +68,7 @@ struct synproxy_options {
	u8				options;
	u8				wscale;
	u16				mss;
	u16				mss_encode;
	u32				tsval;
	u32				tsecr;
};
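Review bot: `mss` and the new `mss_encode` now sit side by side in `struct synproxy_options` with nothing saying which value is sent to the peer and which one is encoded, which looks like the same mix-up the commit message describes fixing. A short comment on each field would keep later callers from swapping them, for example `u16 mss_encode; /* MSS to encode (vs. mss, the value put in the option) - confirm against the synproxy code */`. The code that fills this struct is outside this section, so any site that initialises it field by field rather than zeroing it would also need checking for an unset `mss_encode`.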
+3 −3
@@ -6,7 +6,7 @@
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	bool "Ethernet Bridge nf_tables support"
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

@@ -25,6 +25,8 @@ config NF_LOG_BRIDGE
	tristate "Bridge packet logging"
	select NF_LOG_COMMON

endif # NF_TABLES_BRIDGE

config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
@@ -39,8 +41,6 @@ config NF_CONNTRACK_BRIDGE

	  To compile it as a module, choose M here.  If unsure, say N.

endif # NF_TABLES_BRIDGE

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
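Review bot: Moving `endif # NF_TABLES_BRIDGE` above `config NF_CONNTRACK_BRIDGE` also drops the dependencies that option inherited from the enclosing block, namely `BRIDGE && NETFILTER && NF_TABLES` from the menuconfig entry. The only dependency visible on the new side is `depends on NF_CONNTRACK`, and the lines between the second and third hunk are not shown. If nothing there restores it, the option becomes selectable without `BRIDGE`, and a line such as `depends on BRIDGE && NF_CONNTRACK` would keep the decoupling from nf_tables while preserving the bridge requirement. A short comment above the relocated `endif` saying that conntrack bridge is intentionally independent of `NF_TABLES_BRIDGE` would also help the next reader.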
+2 −2
@@ -416,8 +416,8 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
	     ctinfo == IP_CT_RELATED_REPLY))
		return XT_CONTINUE;

	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
	/* nf_conntrack_proto_icmp guarantees us that we only have ICMP_ECHO,
	 * TIMESTAMP, INFO_REQUEST or ICMP_ADDRESS type icmp packets from here
	 * on, which all have an ID field [relevant for hashing]. */

	hash = clusterip_hashfn(skb, cipinfo->config);