author | Scott Wood <scottwood@freescale.com> | 2013-10-29 20:03:43 (GMT) |
---|---|---|
committer | Scott Wood <scottwood@freescale.com> | 2013-10-29 20:03:43 (GMT) |
commit | ae60d5d27c429b13cf28a09ab8b9d30682433c5a (patch) | |
tree | 16b67511ef66b0580c267a5438d1face3a3778e6 /net/netfilter | |
parent | b095c5c2577aeedce2db847fa117596628d4e7cb (diff) | |
parent | d0ebef8230e267ec47d4d4a65fe3262e2ebb8026 (diff) | |
download | linux-fsl-qoriq-ae60d5d27c429b13cf28a09ab8b9d30682433c5a.tar.xz |
Revert to 3.8 (no rt, no stable)
This is a merge from rtmerge, which has been similarly reverted.
Conflicts:
drivers/crypto/caam/caamalg.c
drivers/misc/Makefile
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/core.c | 6 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_core.c | 3 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_list_set.c | 10 | ||||
-rw-r--r-- | net/netfilter/ipvs/ip_vs_pe_sip.c | 6 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_helper.c | 4 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 3 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_sip.c | 2 | ||||
-rw-r--r-- | net/netfilter/nf_nat_core.c | 40 |
8 files changed, 44 insertions, 30 deletions
diff --git a/net/netfilter/core.c b/net/netfilter/core.c index c646ec8..a9c488b 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -20,17 +20,11 @@ #include <linux/proc_fs.h> #include <linux/mutex.h> #include <linux/slab.h> -#include <linux/locallock.h> #include <net/net_namespace.h> #include <net/sock.h> #include "nf_internals.h" -#ifdef CONFIG_PREEMPT_RT_BASE -DEFINE_LOCAL_IRQ_LOCK(xt_write_lock); -EXPORT_PER_CPU_SYMBOL(xt_write_lock); -#endif - static DEFINE_MUTEX(afinfo_mutex); const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 38ca630..6d6d8f2 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -1470,8 +1470,7 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb, if (ret == -EAGAIN) ret = 1; - return (ret < 0 && ret != -ENOTEMPTY) ? ret : - ret > 0 ? 0 : -IPSET_ERR_EXIST; + return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST; } /* Get headed data of a set */ diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c index 09c744a..8371c2b 100644 --- a/net/netfilter/ipset/ip_set_list_set.c +++ b/net/netfilter/ipset/ip_set_list_set.c @@ -174,13 +174,9 @@ list_set_add(struct list_set *map, u32 i, ip_set_id_t id, { const struct set_elem *e = list_set_elem(map, i); - if (e->id != IPSET_INVALID_ID) { - const struct set_elem *x = list_set_elem(map, map->size - 1); - - /* Last element replaced or pushed off */ - if (x->id != IPSET_INVALID_ID) - ip_set_put_byindex(x->id); - } + if (i == map->size - 1 && e->id != IPSET_INVALID_ID) + /* Last element replaced: e.g. add new,before,last */ + ip_set_put_byindex(e->id); if (with_timeout(map->timeout)) list_elem_tadd(map, i, id, ip_set_timeout_set(timeout)); else diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c index e5920fb..12475ef 100644 --- a/net/netfilter/ipvs/ip_vs_pe_sip.c 
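Review bot: The new return in ip_set_utest stacks two ternaries on one line, which makes the three cases it encodes (error, found, not found) hard to scan; `if (ret < 0) return ret;` followed by `return ret > 0 ? 0 : -IPSET_ERR_EXIST;` says the same thing in two readable lines. It also now passes every negative value from the set type's test callback straight back to userspace, whereas the removed form singled out -ENOTEMPTY; if any set type still returns -ENOTEMPTY from its test callback (not visible here), that is a behaviour change for users of the test command that the commit message does not mention. ip_set_utest's body starts before the hunk.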
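Review bot: In list_set_add the new code releases a set reference only for the element in the last slot (`i == map->size - 1 && e->id != IPSET_INVALID_ID`), so when slot i is already occupied and i is not the last slot, nothing is done for whatever currently sits in slot map->size - 1. If the rest of list_set_add, which is outside the hunk, shifts slots i..size-2 down by one to make room (the removed branch's "pushed off" comment suggests it does), the element previously in the last slot leaves the list with its reference still held, and that set can then never be destroyed. The release should trigger on `e->id != IPSET_INVALID_ID` alone and call `ip_set_put_byindex()` on the id found in slot map->size - 1 whenever that slot is occupied, independent of i. list_set_add begins before the hunk and continues after it.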
+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c @@ -37,10 +37,14 @@ static int get_callid(const char *dptr, unsigned int dataoff, if (ret > 0) break; if (!ret) - return -EINVAL; + return 0; dataoff += *matchoff; } + /* Empty callid is useless */ + if (!*matchlen) + return -EINVAL; + /* Too large is useless */ if (*matchlen > IP_VS_PEDATA_MAXLEN) return -EINVAL; diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 91527d5..884f2b3 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c @@ -236,9 +236,7 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, /* We only allow helper re-assignment of the same sort since * we cannot reallocate the helper extension area. */ - struct nf_conntrack_helper *tmp = rcu_dereference(help->helper); - - if (tmp && tmp->help != helper->help) { + if (help->helper != helper) { RCU_INIT_POINTER(help->helper, NULL); goto out; } diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index a081915..627b0e5 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1705,9 +1705,6 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, if (nlh->nlmsg_flags & NLM_F_CREATE) { enum ip_conntrack_events events; - if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY]) - return -EINVAL; - ct = ctnetlink_create_conntrack(net, zone, cda, &otuple, &rtuple, u3); if (IS_ERR(ct)) diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index b4e0d1c..df8f4f2 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -1547,7 +1547,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff, msglen = origlen = end - dptr; if (msglen > datalen) - return NF_ACCEPT; + return NF_DROP; ret = process_sip_msg(skb, ct, protoff, dataoff, &dptr, &msglen); 
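Review bot: The `return 0;` taken when ct_sip_get_header() reports no match makes get_callid() signal success without ever reaching the `if (!*matchlen) return -EINVAL;` check added after the loop, so that check cannot fire on the no-header path. Unless ct_sip_get_header() writes *matchoff/*matchlen on a miss (its implementation is not visible here), the caller then gets success with whatever those two output parameters held on entry, and a packet without a Call-ID header is input the remote peer controls. The loop exit should be `return -EINVAL;` like the other failure returns in this function. get_callid's body starts before the hunk and ends after it.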
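Review bot: `help->helper != helper` reads help->helper as a plain pointer even though the next line treats it as an RCU-managed field (`RCU_INIT_POINTER(help->helper, NULL)`); if the field carries the __rcu annotation, as that call suggests, the read should go through `rcu_access_pointer(help->helper)` so the annotation stays consistent. The comparison is also by helper identity, while the comment just above says only re-assignment "of the same sort" is permitted, so two registered helpers sharing the same callback and extension size are rejected here too; whether any caller relies on that is not visible in this hunk. `if (rcu_access_pointer(help->helper) != helper) {` keeps the current semantics; if "same sort" is the intent, compare the two helpers' `help` callbacks instead and update the comment to match. __nf_ct_try_assign_helper starts and ends outside the hunk.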
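Review bot: The NLM_F_CREATE branch now calls `ctnetlink_create_conntrack(net, zone, cda, &otuple, &rtuple, u3)` without confirming that both CTA_TUPLE_ORIG and CTA_TUPLE_REPLY were supplied; the removed two-line check was the only guard on this path inside the hunk. Where otuple and rtuple are filled in lies earlier in ctnetlink_new_conntrack, outside this hunk, but if they are parsed only when the matching attribute is present (the usual ctnetlink pattern), a create request that omits one hands an uninitialized tuple to the conntrack table from a userspace netlink message. Unless ctnetlink_create_conntrack() validates the attributes itself, the guard `if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY]) return -EINVAL;` belongs before the call. ctnetlink_new_conntrack starts and ends outside the hunk.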
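Review bot: With `return NF_DROP;` sip_help_tcp now discards any TCP SIP message whose declared length (`msglen = end - dptr`) exceeds the data present in this segment, which is the normal shape of a message split across TCP segments and not only of a malformed one. Because this runs inside the conntrack helper, the drop hits the peer's whole SIP session, so the cost of being strict here is borne by legitimate segmented traffic as much as by a bogus Content-Length. If the intent is to tolerate truncated messages, `return NF_ACCEPT;` with a comment stating that the helper gives up on this message rather than on the connection is the safer choice; if the intent is to reject, the reason deserves a comment on this line. How `end` is derived is outside the hunk, as is the rest of sip_help_tcp.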
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index 4bc2aaf..5f2f910 100644 --- a/net/netfilter/nf_nat_core.c +++ b/net/netfilter/nf_nat_core.c @@ -468,22 +468,33 @@ EXPORT_SYMBOL_GPL(nf_nat_packet); struct nf_nat_proto_clean { u8 l3proto; u8 l4proto; + bool hash; }; -/* kill conntracks with affected NAT section */ -static int nf_nat_proto_remove(struct nf_conn *i, void *data) +/* Clear NAT section of all conntracks, in case we're loaded again. */ +static int nf_nat_proto_clean(struct nf_conn *i, void *data) { const struct nf_nat_proto_clean *clean = data; struct nf_conn_nat *nat = nfct_nat(i); if (!nat) return 0; - + if (!(i->status & IPS_SRC_NAT_DONE)) + return 0; if ((clean->l3proto && nf_ct_l3num(i) != clean->l3proto) || (clean->l4proto && nf_ct_protonum(i) != clean->l4proto)) return 0; - return i->status & IPS_NAT_MASK ? 1 : 0; + if (clean->hash) { + spin_lock_bh(&nf_nat_lock); + hlist_del_rcu(&nat->bysource); + spin_unlock_bh(&nf_nat_lock); + } else { + memset(nat, 0, sizeof(*nat)); + i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK | + IPS_SEQ_ADJUST); + } + return 0; } static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto) @@ -495,8 +506,16 @@ static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto) struct net *net; rtnl_lock(); + /* Step 1 - remove from bysource hash */ + clean.hash = true; for_each_net(net) - nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean); + nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean); + synchronize_rcu(); + + /* Step 2 - clean NAT section */ + clean.hash = false; + for_each_net(net) + nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean); rtnl_unlock(); } 
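Review bot: The second pass of nf_nat_proto_clean (`clean->hash` false) zeroes the NAT extension with `memset(nat, 0, sizeof(*nat))` and clears status bits with a plain `i->status &= ~(...)` on a conntrack that is still in the table, so other CPUs can be mid-packet on that entry; the synchronize_rcu() between the passes only waits out readers of the bysource list, not users of the nat extension or of the IPS_* bits. If, as elsewhere in conntrack, status bits are normally set with set_bit()/test_and_set_bit() (not visible here), the non-atomic read-modify-write can also lose a concurrent bit update. A simpler shape is to have the iterator report matching entries for removal, `return (i->status & IPS_NAT_MASK) ? 1 : 0;`, so that nf_ct_iterate_cleanup() kills the conntrack instead of scrubbing it in place (which is what the removed nf_nat_proto_remove relied on), making the two-pass dance and the hash flag unnecessary. nf_nat_l4proto_clean begins at the end of this hunk and continues outside it.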
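Review bot: The two-pass sequence in nf_nat_l4proto_clean — set `clean.hash`, iterate every net, synchronize_rcu(), flip the flag, iterate again — is repeated verbatim in nf_nat_l3proto_clean in the following hunk, and the per-pass comments are the only thing explaining why the order matters. Factoring it into one static helper keeps the RCU ordering in a single place so the two call sites cannot drift apart. nf_nat_l4proto_clean's declarations precede the hunk.
```c
/* Unhash (pass 1), wait for bysource readers, then scrub the NAT section (pass 2). */
static void nf_nat_proto_clean_all(struct nf_nat_proto_clean *clean)
{
	struct net *net;

	clean->hash = true;
	for_each_net(net)
		nf_ct_iterate_cleanup(net, nf_nat_proto_clean, clean);
	synchronize_rcu();

	clean->hash = false;
	for_each_net(net)
		nf_ct_iterate_cleanup(net, nf_nat_proto_clean, clean);
}

/* … in nf_nat_l4proto_clean, between rtnl_lock() and rtnl_unlock(): … */
	nf_nat_proto_clean_all(&clean);
```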
@@ -508,9 +527,16 @@ static void nf_nat_l3proto_clean(u8 l3proto) struct net *net; rtnl_lock(); + /* Step 1 - remove from bysource hash */ + clean.hash = true; + for_each_net(net) + nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean); + synchronize_rcu(); + /* Step 2 - clean NAT section */ + clean.hash = false; for_each_net(net) - nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean); + nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean); rtnl_unlock(); } @@ -748,7 +774,7 @@ static void __net_exit nf_nat_net_exit(struct net *net) { struct nf_nat_proto_clean clean = {}; - nf_ct_iterate_cleanup(net, &nf_nat_proto_remove, &clean); + nf_ct_iterate_cleanup(net, &nf_nat_proto_clean, &clean); synchronize_rcu(); nf_ct_free_hashtable(net->ct.nat_bysource, net->ct.nat_htable_size); } |
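Review bot: `struct nf_nat_proto_clean clean = {};` in nf_nat_net_exit now also implies `hash = false`, so this call runs only the scrub pass of nf_nat_proto_clean and never unlinks entries from net->ct.nat_bysource; that is presumably acceptable because the table is freed two lines later, but the dependency is silent. A comment such as `/* hash = false: scrub the NAT section only; the bysource table is freed below */` on the initializer would make the pairing with the two-pass callers explicit. nf_nat_net_exit's signature is the hunk's first context line and its closing brace the last.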