Commit ceef59b5 authored by David S. Miller


Florian Westphal says:

====================
The following set contains changes for your *net-next* tree:

- make conntrack ignore packets that are delayed (containing
  data already acked).  The current behaviour to flag them as INVALID
  causes more harm than good, let them pass so peer can send an
  immediate ACK for the most recent sequence number.
- make conntrack recognize when both peers have sent 'invalid' FINs:
  This helps cleaning out stale connections faster for those cases where
  conntrack is no longer in sync with the actual connection state.
- Now that DECNET is gone, we don't need to reserve space for DECNET
  related information.
- compact common 'find a free port number for the new inbound
  connection' code and move it to a helper, then cap number of tries
  the new helper will make until it gives up.
- replace various instances of strlcpy with strscpy, from Wolfram Sang.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 9f8f1933 adda60cc
+1 −0
@@ -38,4 +38,5 @@ bool nf_nat_mangle_udp_packet(struct sk_buff *skb, struct nf_conn *ct,
 * to port ct->master->saved_proto. */
void nf_nat_follow_master(struct nf_conn *ct, struct nf_conntrack_expect *this);

u16 nf_nat_exp_find_port(struct nf_conntrack_expect *exp, u16 port);
#endif
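Review bot: The new nf_nat_exp_find_port() prototype is undocumented while its neighbour nf_nat_follow_master carries a comment block, and the header should state the contract the nf_nat_h323.c callers rely on: `port` is the preferred starting port in host byte order (they pass `ntohs(port)`), and a return of 0 means no free port was found and is treated as failure. Suggested comment above the declaration: `/* Find a free destination port for @exp, trying @port (host order) first. Returns the port chosen, or 0 when none is available; callers treat 0 as failure. */`. Whether the helper also updates exp->tuple.dst.u.tcp.port cannot be seen on this page and should be documented too if it does.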
+2 −0
@@ -63,7 +63,9 @@ enum {
	NFPROTO_NETDEV =  5,
	NFPROTO_BRIDGE =  7,
	NFPROTO_IPV6   = 10,
#ifndef __KERNEL__ /* no longer supported by kernel */
	NFPROTO_DECNET = 12,
#endif
	NFPROTO_NUMPROTO,
};
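Review bot: The `#ifndef __KERNEL__` guard changes the kernel-side value of NFPROTO_NUMPROTO from 13 to 11 (it now follows NFPROTO_IPV6 = 10 directly) while userspace headers still define NFPROTO_DECNET = 12, so the guard should record that 12 stays reserved and must never be assigned to a future protocol family, otherwise old userspace passing the DECNET value would be accepted as that new family instead of being rejected by `>= NFPROTO_NUMPROTO` range checks. Suggested wording: `#ifndef __KERNEL__ /* no longer supported by kernel; value 12 stays reserved for uapi compatibility */`. Whether any kernel arrays or range checks elsewhere are sized by NFPROTO_NUMPROTO and are affected by the smaller value is not visible here.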

+4 −56
@@ -291,20 +291,7 @@ static int nat_t120(struct sk_buff *skb, struct nf_conn *ct,
	exp->expectfn = nf_nat_follow_master;
	exp->dir = !dir;

	/* Try to get same port: if not, try to change it. */
	for (; nated_port != 0; nated_port++) {
		int ret;

		exp->tuple.dst.u.tcp.port = htons(nated_port);
		ret = nf_ct_expect_related(exp, 0);
		if (ret == 0)
			break;
		else if (ret != -EBUSY) {
			nated_port = 0;
			break;
		}
	}

	nated_port = nf_nat_exp_find_port(exp, nated_port);
	if (nated_port == 0) {	/* No port available */
		net_notice_ratelimited("nf_nat_h323: out of TCP ports\n");
		return 0;
@@ -347,20 +334,7 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
	if (info->sig_port[dir] == port)
		nated_port = ntohs(info->sig_port[!dir]);

	/* Try to get same port: if not, try to change it. */
	for (; nated_port != 0; nated_port++) {
		int ret;

		exp->tuple.dst.u.tcp.port = htons(nated_port);
		ret = nf_ct_expect_related(exp, 0);
		if (ret == 0)
			break;
		else if (ret != -EBUSY) {
			nated_port = 0;
			break;
		}
	}

	nated_port = nf_nat_exp_find_port(exp, nated_port);
	if (nated_port == 0) {	/* No port available */
		net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
		return 0;
@@ -439,20 +413,7 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
	if (info->sig_port[dir] == port)
		nated_port = ntohs(info->sig_port[!dir]);

	/* Try to get same port: if not, try to change it. */
	for (; nated_port != 0; nated_port++) {
		int ret;

		exp->tuple.dst.u.tcp.port = htons(nated_port);
		ret = nf_ct_expect_related(exp, 0);
		if (ret == 0)
			break;
		else if (ret != -EBUSY) {
			nated_port = 0;
			break;
		}
	}

	nated_port = nf_nat_exp_find_port(exp, nated_port);
	if (nated_port == 0) {	/* No port available */
		net_notice_ratelimited("nf_nat_ras: out of TCP ports\n");
		return 0;
@@ -532,20 +493,7 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
	exp->expectfn = ip_nat_callforwarding_expect;
	exp->dir = !dir;

	/* Try to get same port: if not, try to change it. */
	for (nated_port = ntohs(port); nated_port != 0; nated_port++) {
		int ret;

		exp->tuple.dst.u.tcp.port = htons(nated_port);
		ret = nf_ct_expect_related(exp, 0);
		if (ret == 0)
			break;
		else if (ret != -EBUSY) {
			nated_port = 0;
			break;
		}
	}

	nated_port = nf_nat_exp_find_port(exp, ntohs(port));
	if (nated_port == 0) {	/* No port available */
		net_notice_ratelimited("nf_nat_q931: out of TCP ports\n");
		return 0;
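Review bot: All four call sites (L71, L93, L115, L137) now depend on two properties of nf_nat_exp_find_port() that the removed loops provided and that cannot be confirmed from this page: returning 0 when handed a starting port of 0 (the old `for (; nated_port != 0; ...)` skipped straight to the out-of-ports path), and storing the chosen port in exp->tuple.dst.u.tcp.port, which the old loop did before every nf_ct_expect_related() call. If the helper does both, a one-line comment at the first call site, `/* also sets exp->tuple.dst.u.tcp.port on success */`, would make the dependency explicit; if it does not, the expectation would be registered with a stale port. nat_t120, nat_h245, nat_q931 and nat_callforwarding all begin and end outside their hunks.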
+2 −2
@@ -353,7 +353,7 @@ ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment,
	c = kmalloc(sizeof(*c) + len + 1, GFP_ATOMIC);
	if (unlikely(!c))
		return;
	strlcpy(c->str, ext->comment, len + 1);
	strscpy(c->str, ext->comment, len + 1);
	set->ext_size += sizeof(*c) + strlen(c->str) + 1;
	rcu_assign_pointer(comment->c, c);
}
@@ -1072,7 +1072,7 @@ static int ip_set_create(struct sk_buff *skb, const struct nfnl_info *info,
	if (!set)
		return -ENOMEM;
	spin_lock_init(&set->lock);
	strlcpy(set->name, name, IPSET_MAXNAMELEN);
	strscpy(set->name, name, IPSET_MAXNAMELEN);
	set->family = family;
	set->revision = revision;
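Review bot: Both strscpy() calls (L148, L157) discard the return value, so a truncated copy stays silent exactly as it was with strlcpy(), even though strscpy() now reports it as -E2BIG; at L157 a set name longer than IPSET_MAXNAMELEN would be created under a different name than the one requested unless the netlink policy already bounds the attribute, which is not visible here. The same applies to the ip_vs hunks at L168, L177, L184 and L193, where the nla_data() source at L193 is the one worth rejecting on truncation: `if (strscpy(c.mcast_ifn, nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]), sizeof(c.mcast_ifn)) < 0) return -EINVAL;`. One real gain of the switch is that strscpy() reads at most the destination size from the source, so an unterminated attribute can no longer be over-read the way strlcpy()'s strlen() on the source could. The enclosing functions start outside the hunks.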

+4 −4
@@ -2611,7 +2611,7 @@ ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
	dst->addr = src->addr.ip;
	dst->port = src->port;
	dst->fwmark = src->fwmark;
	strlcpy(dst->sched_name, sched_name, sizeof(dst->sched_name));
	strscpy(dst->sched_name, sched_name, sizeof(dst->sched_name));
	dst->flags = src->flags;
	dst->timeout = src->timeout / HZ;
	dst->netmask = src->netmask;
@@ -2805,13 +2805,13 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
		mutex_lock(&ipvs->sync_mutex);
		if (ipvs->sync_state & IP_VS_STATE_MASTER) {
			d[0].state = IP_VS_STATE_MASTER;
			strlcpy(d[0].mcast_ifn, ipvs->mcfg.mcast_ifn,
			strscpy(d[0].mcast_ifn, ipvs->mcfg.mcast_ifn,
				sizeof(d[0].mcast_ifn));
			d[0].syncid = ipvs->mcfg.syncid;
		}
		if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
			d[1].state = IP_VS_STATE_BACKUP;
			strlcpy(d[1].mcast_ifn, ipvs->bcfg.mcast_ifn,
			strscpy(d[1].mcast_ifn, ipvs->bcfg.mcast_ifn,
				sizeof(d[1].mcast_ifn));
			d[1].syncid = ipvs->bcfg.syncid;
		}
@@ -3561,7 +3561,7 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs)
	      attrs[IPVS_DAEMON_ATTR_MCAST_IFN] &&
	      attrs[IPVS_DAEMON_ATTR_SYNC_ID]))
		return -EINVAL;
	strlcpy(c.mcast_ifn, nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
	strscpy(c.mcast_ifn, nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
		sizeof(c.mcast_ifn));
	c.syncid = nla_get_u32(attrs[IPVS_DAEMON_ATTR_SYNC_ID]);
