summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2013-11-04 19:48:57 -0500
committerDavid S. Miller <davem@davemloft.net>2013-11-04 19:48:57 -0500
commitf8785c55141d698d988c6a1ffe4530bc7fa6e886 (patch)
treedc629fe50865a6f3e5e47eaf8c4a9e3e1995bbec
parent72c39a0ade6229a938736fe1aa1d5e471fc7face (diff)
parentc359c4157cf0d852387aff2f2d83fef039aadc2c (diff)
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables
Pablo Neira Ayuso says: ==================== This batch contains fives nf_tables patches for your net-next tree, they are: * Fix possible use after free in the module removal path of the x_tables compatibility layer, from Dan Carpenter. * Add filter chain type for the bridge family, from myself. * Fix Kconfig dependencies of the nf_tables bridge family with the core, from myself. * Fix sparse warnings in nft_nat, from Tomasz Bursztyka. * Remove duplicated include in the IPv4 family support for nf_tables, from Wei Yongjun. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/bridge/netfilter/Kconfig1
-rw-r--r--net/bridge/netfilter/nf_tables_bridge.c41
-rw-r--r--net/ipv4/netfilter/nf_tables_ipv4.c1
-rw-r--r--net/netfilter/nft_compat.c8
-rw-r--r--net/netfilter/nft_nat.c12
5 files changed, 52 insertions, 11 deletions
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 68f8128147be..5ca74a0e595f 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -3,6 +3,7 @@
#
#
config NF_TABLES_BRIDGE
+ depends on NF_TABLES
tristate "Ethernet Bridge nf_tables support"
menuconfig BRIDGE_NF_EBTABLES
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index e8cb016fa34d..cf54b22818c8 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -47,14 +48,50 @@ static struct pernet_operations nf_tables_bridge_net_ops = {
.exit = nf_tables_bridge_exit_net,
};
+static unsigned int
+nft_do_chain_bridge(const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ struct nft_pktinfo pkt;
+
+ nft_set_pktinfo(&pkt, ops, skb, in, out);
+
+ return nft_do_chain_pktinfo(&pkt, ops);
+}
+
+static struct nf_chain_type filter_bridge = {
+ .family = NFPROTO_BRIDGE,
+ .name = "filter",
+ .type = NFT_CHAIN_T_DEFAULT,
+ .hook_mask = (1 << NF_BR_LOCAL_IN) |
+ (1 << NF_BR_FORWARD) |
+ (1 << NF_BR_LOCAL_OUT),
+ .fn = {
+ [NF_BR_LOCAL_IN] = nft_do_chain_bridge,
+ [NF_BR_FORWARD] = nft_do_chain_bridge,
+ [NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
+ },
+};
+
static int __init nf_tables_bridge_init(void)
{
- return register_pernet_subsys(&nf_tables_bridge_net_ops);
+ int ret;
+
+ nft_register_chain_type(&filter_bridge);
+ ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
+ if (ret < 0)
+ nft_unregister_chain_type(&filter_bridge);
+
+ return ret;
}
static void __exit nf_tables_bridge_exit(void)
{
- return unregister_pernet_subsys(&nf_tables_bridge_net_ops);
+ unregister_pernet_subsys(&nf_tables_bridge_net_ops);
+ nft_unregister_chain_type(&filter_bridge);
}
module_init(nf_tables_bridge_init);
diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c
index 8f7536be1322..0f4cbfeb19bd 100644
--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -16,7 +16,6 @@
#include <net/netfilter/nf_tables.h>
#include <net/net_namespace.h>
#include <net/ip.h>
-#include <net/net_namespace.h>
#include <net/netfilter/nf_tables_ipv4.h>
static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 4811f762e060..a82667c64729 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -634,9 +634,9 @@ nft_match_select_ops(const struct nft_ctx *ctx,
static void nft_match_release(void)
{
- struct nft_xt *nft_match;
+ struct nft_xt *nft_match, *tmp;
- list_for_each_entry(nft_match, &nft_match_list, head)
+ list_for_each_entry_safe(nft_match, tmp, &nft_match_list, head)
kfree(nft_match);
}
@@ -705,9 +705,9 @@ nft_target_select_ops(const struct nft_ctx *ctx,
static void nft_target_release(void)
{
- struct nft_xt *nft_target;
+ struct nft_xt *nft_target, *tmp;
- list_for_each_entry(nft_target, &nft_target_list, head)
+ list_for_each_entry_safe(nft_target, tmp, &nft_target_list, head)
kfree(nft_target);
}
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index b0b87b2d2411..d3b1ffe26181 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -47,8 +47,10 @@ static void nft_nat_eval(const struct nft_expr *expr,
memset(&range, 0, sizeof(range));
if (priv->sreg_addr_min) {
if (priv->family == AF_INET) {
- range.min_addr.ip = data[priv->sreg_addr_min].data[0];
- range.max_addr.ip = data[priv->sreg_addr_max].data[0];
+ range.min_addr.ip = (__force __be32)
+ data[priv->sreg_addr_min].data[0];
+ range.max_addr.ip = (__force __be32)
+ data[priv->sreg_addr_max].data[0];
} else {
memcpy(range.min_addr.ip6,
@@ -62,8 +64,10 @@ static void nft_nat_eval(const struct nft_expr *expr,
}
if (priv->sreg_proto_min) {
- range.min_proto.all = data[priv->sreg_proto_min].data[0];
- range.max_proto.all = data[priv->sreg_proto_max].data[0];
+ range.min_proto.all = (__force __be16)
+ data[priv->sreg_proto_min].data[0];
+ range.max_proto.all = (__force __be16)
+ data[priv->sreg_proto_max].data[0];
range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
}