<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/netfilter/xt_CT.c, branch v4.2</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>netfilter: nf_conntrack: checking for IS_ERR() instead of NULL</title>
<updated>2015-07-30T12:04:19+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2015-07-27T22:42:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1a727c63612fc582370cf3dc01239d3d239743b5'/>
<id>1a727c63612fc582370cf3dc01239d3d239743b5</id>
<content type='text'>
We recently changed this from nf_conntrack_alloc() to nf_ct_tmpl_alloc()
so the error handling needs to changed to check for NULL instead of
IS_ERR().

Fixes: 0838aa7fcfcd ('netfilter: fix netns dependencies with conntrack templates')
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We recently changed this from nf_conntrack_alloc() to nf_ct_tmpl_alloc()
so the error handling needs to changed to check for NULL instead of
IS_ERR().

Fixes: 0838aa7fcfcd ('netfilter: fix netns dependencies with conntrack templates')
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: fix netns dependencies with conntrack templates</title>
<updated>2015-07-20T12:58:19+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2015-07-13T13:11:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0838aa7fcfcd875caa7bcc5dab0c3fd40444553d'/>
<id>0838aa7fcfcd875caa7bcc5dab0c3fd40444553d</id>
<content type='text'>
Quoting Daniel Borkmann:

"When adding connection tracking template rules to a netns, f.e. to
configure netfilter zones, the kernel will endlessly busy-loop as soon
as we try to delete the given netns in case there's at least one
template present, which is problematic i.e. if there is such bravery that
the priviledged user inside the netns is assumed untrusted.

Minimal example:

  ip netns add foo
  ip netns exec foo iptables -t raw -A PREROUTING -d 1.2.3.4 -j CT --zone 1
  ip netns del foo

What happens is that when nf_ct_iterate_cleanup() is being called from
nf_conntrack_cleanup_net_list() for a provided netns, we always end up
with a net-&gt;ct.count &gt; 0 and thus jump back to i_see_dead_people. We
don't get a soft-lockup as we still have a schedule() point, but the
serving CPU spins on 100% from that point onwards.

Since templates are normally allocated with nf_conntrack_alloc(), we
also bump net-&gt;ct.count. The issue why they are not yet nf_ct_put() is
because the per netns .exit() handler from x_tables (which would eventually
invoke xt_CT's xt_ct_tg_destroy() that drops reference on info-&gt;ct) is
called in the dependency chain at a *later* point in time than the per
netns .exit() handler for the connection tracker.

This is clearly a chicken'n'egg problem: after the connection tracker
.exit() handler, we've teared down all the connection tracking
infrastructure already, so rightfully, xt_ct_tg_destroy() cannot be
invoked at a later point in time during the netns cleanup, as that would
lead to a use-after-free. At the same time, we cannot make x_tables depend
on the connection tracker module, so that the xt_ct_tg_destroy() would
be invoked earlier in the cleanup chain."

Daniel confirms this has to do with the order in which modules are loaded or
having compiled nf_conntrack as modules while x_tables built-in. So we have no
guarantees regarding the order in which netns callbacks are executed.

Fix this by allocating the templates through kmalloc() from the respective
SYNPROXY and CT targets, so they don't depend on the conntrack kmem cache.
Then, release then via nf_ct_tmpl_free() from destroy_conntrack(). This branch
is marked as unlikely since conntrack templates are rarely allocated and only
from the configuration plane path.

Note that templates are not kept in any list to avoid further dependencies with
nf_conntrack anymore, thus, the tmpl larval list is removed.

Reported-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Tested-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Quoting Daniel Borkmann:

"When adding connection tracking template rules to a netns, f.e. to
configure netfilter zones, the kernel will endlessly busy-loop as soon
as we try to delete the given netns in case there's at least one
template present, which is problematic i.e. if there is such bravery that
the priviledged user inside the netns is assumed untrusted.

Minimal example:

  ip netns add foo
  ip netns exec foo iptables -t raw -A PREROUTING -d 1.2.3.4 -j CT --zone 1
  ip netns del foo

What happens is that when nf_ct_iterate_cleanup() is being called from
nf_conntrack_cleanup_net_list() for a provided netns, we always end up
with a net-&gt;ct.count &gt; 0 and thus jump back to i_see_dead_people. We
don't get a soft-lockup as we still have a schedule() point, but the
serving CPU spins on 100% from that point onwards.

Since templates are normally allocated with nf_conntrack_alloc(), we
also bump net-&gt;ct.count. The issue why they are not yet nf_ct_put() is
because the per netns .exit() handler from x_tables (which would eventually
invoke xt_CT's xt_ct_tg_destroy() that drops reference on info-&gt;ct) is
called in the dependency chain at a *later* point in time than the per
netns .exit() handler for the connection tracker.

This is clearly a chicken'n'egg problem: after the connection tracker
.exit() handler, we've teared down all the connection tracking
infrastructure already, so rightfully, xt_ct_tg_destroy() cannot be
invoked at a later point in time during the netns cleanup, as that would
lead to a use-after-free. At the same time, we cannot make x_tables depend
on the connection tracker module, so that the xt_ct_tg_destroy() would
be invoked earlier in the cleanup chain."

Daniel confirms this has to do with the order in which modules are loaded or
having compiled nf_conntrack as modules while x_tables built-in. So we have no
guarantees regarding the order in which netns callbacks are executed.

Fix this by allocating the templates through kmalloc() from the respective
SYNPROXY and CT targets, so they don't depend on the conntrack kmem cache.
Then, release then via nf_ct_tmpl_free() from destroy_conntrack(). This branch
is marked as unlikely since conntrack templates are rarely allocated and only
from the configuration plane path.

Note that templates are not kept in any list to avoid further dependencies with
nf_conntrack anymore, thus, the tmpl larval list is removed.

Reported-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Tested-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: don't release a conntrack with non-zero refcnt</title>
<updated>2014-02-05T16:46:06+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-02-03T19:01:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e53376bef2cd97d3e3f61fdc677fb8da7d03d0da'/>
<id>e53376bef2cd97d3e3f61fdc677fb8da7d03d0da</id>
<content type='text'>
With this patch, the conntrack refcount is initially set to zero and
it is bumped once it is added to any of the list, so we fulfill
Eric's golden rule which is that all released objects always have a
refcount that equals zero.

Andrey Vagin reports that nf_conntrack_free can't be called for a
conntrack with non-zero ref-counter, because it can race with
nf_conntrack_find_get().

A conntrack slab is created with SLAB_DESTROY_BY_RCU. Non-zero
ref-counter says that this conntrack is used. So when we release
a conntrack with non-zero counter, we break this assumption.

CPU1                                    CPU2
____nf_conntrack_find()
                                        nf_ct_put()
                                         destroy_conntrack()
                                        ...
                                        init_conntrack
                                         __nf_conntrack_alloc (set use = 1)
atomic_inc_not_zero(&amp;ct-&gt;use) (use = 2)
                                         if (!l4proto-&gt;new(ct, skb, dataoff, timeouts))
                                          nf_conntrack_free(ct); (use = 2 !!!)
                                        ...
                                        __nf_conntrack_alloc (set use = 1)
 if (!nf_ct_key_equal(h, tuple, zone))
  nf_ct_put(ct); (use = 0)
   destroy_conntrack()
                                        /* continue to work with CT */

After applying the path "[PATCH] netfilter: nf_conntrack: fix RCU
race in nf_conntrack_find_get" another bug was triggered in
destroy_conntrack():

&lt;4&gt;[67096.759334] ------------[ cut here ]------------
&lt;2&gt;[67096.759353] kernel BUG at net/netfilter/nf_conntrack_core.c:211!
...
&lt;4&gt;[67096.759837] Pid: 498649, comm: atdd veid: 666 Tainted: G         C ---------------    2.6.32-042stab084.18 #1 042stab084_18 /DQ45CB
&lt;4&gt;[67096.759932] RIP: 0010:[&lt;ffffffffa03d99ac&gt;]  [&lt;ffffffffa03d99ac&gt;] destroy_conntrack+0x15c/0x190 [nf_conntrack]
&lt;4&gt;[67096.760255] Call Trace:
&lt;4&gt;[67096.760255]  [&lt;ffffffff814844a7&gt;] nf_conntrack_destroy+0x17/0x30
&lt;4&gt;[67096.760255]  [&lt;ffffffffa03d9bb5&gt;] nf_conntrack_find_get+0x85/0x130 [nf_conntrack]
&lt;4&gt;[67096.760255]  [&lt;ffffffffa03d9fb2&gt;] nf_conntrack_in+0x352/0xb60 [nf_conntrack]
&lt;4&gt;[67096.760255]  [&lt;ffffffffa048c771&gt;] ipv4_conntrack_local+0x51/0x60 [nf_conntrack_ipv4]
&lt;4&gt;[67096.760255]  [&lt;ffffffff81484419&gt;] nf_iterate+0x69/0xb0
&lt;4&gt;[67096.760255]  [&lt;ffffffff814b5b00&gt;] ? dst_output+0x0/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff814845d4&gt;] nf_hook_slow+0x74/0x110
&lt;4&gt;[67096.760255]  [&lt;ffffffff814b5b00&gt;] ? dst_output+0x0/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff814b66d5&gt;] raw_sendmsg+0x775/0x910
&lt;4&gt;[67096.760255]  [&lt;ffffffff8104c5a8&gt;] ? flush_tlb_others_ipi+0x128/0x130
&lt;4&gt;[67096.760255]  [&lt;ffffffff8100bc4e&gt;] ? apic_timer_interrupt+0xe/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff8100bc4e&gt;] ? apic_timer_interrupt+0xe/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff814c136a&gt;] inet_sendmsg+0x4a/0xb0
&lt;4&gt;[67096.760255]  [&lt;ffffffff81444e93&gt;] ? sock_sendmsg+0x13/0x140
&lt;4&gt;[67096.760255]  [&lt;ffffffff81444f97&gt;] sock_sendmsg+0x117/0x140
&lt;4&gt;[67096.760255]  [&lt;ffffffff8102e299&gt;] ? native_smp_send_reschedule+0x49/0x60
&lt;4&gt;[67096.760255]  [&lt;ffffffff81519beb&gt;] ? _spin_unlock_bh+0x1b/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff8109d930&gt;] ? autoremove_wake_function+0x0/0x40
&lt;4&gt;[67096.760255]  [&lt;ffffffff814960f0&gt;] ? do_ip_setsockopt+0x90/0xd80
&lt;4&gt;[67096.760255]  [&lt;ffffffff8100bc4e&gt;] ? apic_timer_interrupt+0xe/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff8100bc4e&gt;] ? apic_timer_interrupt+0xe/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff814457c9&gt;] sys_sendto+0x139/0x190
&lt;4&gt;[67096.760255]  [&lt;ffffffff810efa77&gt;] ? audit_syscall_entry+0x1d7/0x200
&lt;4&gt;[67096.760255]  [&lt;ffffffff810ef7c5&gt;] ? __audit_syscall_exit+0x265/0x290
&lt;4&gt;[67096.760255]  [&lt;ffffffff81474daf&gt;] compat_sys_socketcall+0x13f/0x210
&lt;4&gt;[67096.760255]  [&lt;ffffffff8104dea3&gt;] ia32_sysret+0x0/0x5

I have reused the original title for the RFC patch that Andrey posted and
most of the original patch description.

Cc: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Andrew Vagin &lt;avagin@parallels.com&gt;
Cc: Florian Westphal &lt;fw@strlen.de&gt;
Reported-by: Andrew Vagin &lt;avagin@parallels.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Reviewed-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Andrew Vagin &lt;avagin@parallels.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With this patch, the conntrack refcount is initially set to zero and
it is bumped once it is added to any of the list, so we fulfill
Eric's golden rule which is that all released objects always have a
refcount that equals zero.

Andrey Vagin reports that nf_conntrack_free can't be called for a
conntrack with non-zero ref-counter, because it can race with
nf_conntrack_find_get().

A conntrack slab is created with SLAB_DESTROY_BY_RCU. Non-zero
ref-counter says that this conntrack is used. So when we release
a conntrack with non-zero counter, we break this assumption.

CPU1                                    CPU2
____nf_conntrack_find()
                                        nf_ct_put()
                                         destroy_conntrack()
                                        ...
                                        init_conntrack
                                         __nf_conntrack_alloc (set use = 1)
atomic_inc_not_zero(&amp;ct-&gt;use) (use = 2)
                                         if (!l4proto-&gt;new(ct, skb, dataoff, timeouts))
                                          nf_conntrack_free(ct); (use = 2 !!!)
                                        ...
                                        __nf_conntrack_alloc (set use = 1)
 if (!nf_ct_key_equal(h, tuple, zone))
  nf_ct_put(ct); (use = 0)
   destroy_conntrack()
                                        /* continue to work with CT */

After applying the path "[PATCH] netfilter: nf_conntrack: fix RCU
race in nf_conntrack_find_get" another bug was triggered in
destroy_conntrack():

&lt;4&gt;[67096.759334] ------------[ cut here ]------------
&lt;2&gt;[67096.759353] kernel BUG at net/netfilter/nf_conntrack_core.c:211!
...
&lt;4&gt;[67096.759837] Pid: 498649, comm: atdd veid: 666 Tainted: G         C ---------------    2.6.32-042stab084.18 #1 042stab084_18 /DQ45CB
&lt;4&gt;[67096.759932] RIP: 0010:[&lt;ffffffffa03d99ac&gt;]  [&lt;ffffffffa03d99ac&gt;] destroy_conntrack+0x15c/0x190 [nf_conntrack]
&lt;4&gt;[67096.760255] Call Trace:
&lt;4&gt;[67096.760255]  [&lt;ffffffff814844a7&gt;] nf_conntrack_destroy+0x17/0x30
&lt;4&gt;[67096.760255]  [&lt;ffffffffa03d9bb5&gt;] nf_conntrack_find_get+0x85/0x130 [nf_conntrack]
&lt;4&gt;[67096.760255]  [&lt;ffffffffa03d9fb2&gt;] nf_conntrack_in+0x352/0xb60 [nf_conntrack]
&lt;4&gt;[67096.760255]  [&lt;ffffffffa048c771&gt;] ipv4_conntrack_local+0x51/0x60 [nf_conntrack_ipv4]
&lt;4&gt;[67096.760255]  [&lt;ffffffff81484419&gt;] nf_iterate+0x69/0xb0
&lt;4&gt;[67096.760255]  [&lt;ffffffff814b5b00&gt;] ? dst_output+0x0/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff814845d4&gt;] nf_hook_slow+0x74/0x110
&lt;4&gt;[67096.760255]  [&lt;ffffffff814b5b00&gt;] ? dst_output+0x0/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff814b66d5&gt;] raw_sendmsg+0x775/0x910
&lt;4&gt;[67096.760255]  [&lt;ffffffff8104c5a8&gt;] ? flush_tlb_others_ipi+0x128/0x130
&lt;4&gt;[67096.760255]  [&lt;ffffffff8100bc4e&gt;] ? apic_timer_interrupt+0xe/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff8100bc4e&gt;] ? apic_timer_interrupt+0xe/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff814c136a&gt;] inet_sendmsg+0x4a/0xb0
&lt;4&gt;[67096.760255]  [&lt;ffffffff81444e93&gt;] ? sock_sendmsg+0x13/0x140
&lt;4&gt;[67096.760255]  [&lt;ffffffff81444f97&gt;] sock_sendmsg+0x117/0x140
&lt;4&gt;[67096.760255]  [&lt;ffffffff8102e299&gt;] ? native_smp_send_reschedule+0x49/0x60
&lt;4&gt;[67096.760255]  [&lt;ffffffff81519beb&gt;] ? _spin_unlock_bh+0x1b/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff8109d930&gt;] ? autoremove_wake_function+0x0/0x40
&lt;4&gt;[67096.760255]  [&lt;ffffffff814960f0&gt;] ? do_ip_setsockopt+0x90/0xd80
&lt;4&gt;[67096.760255]  [&lt;ffffffff8100bc4e&gt;] ? apic_timer_interrupt+0xe/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff8100bc4e&gt;] ? apic_timer_interrupt+0xe/0x20
&lt;4&gt;[67096.760255]  [&lt;ffffffff814457c9&gt;] sys_sendto+0x139/0x190
&lt;4&gt;[67096.760255]  [&lt;ffffffff810efa77&gt;] ? audit_syscall_entry+0x1d7/0x200
&lt;4&gt;[67096.760255]  [&lt;ffffffff810ef7c5&gt;] ? __audit_syscall_exit+0x265/0x290
&lt;4&gt;[67096.760255]  [&lt;ffffffff81474daf&gt;] compat_sys_socketcall+0x13f/0x210
&lt;4&gt;[67096.760255]  [&lt;ffffffff8104dea3&gt;] ia32_sysret+0x0/0x5

I have reused the original title for the RFC patch that Andrey posted and
most of the original patch description.

Cc: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Andrew Vagin &lt;avagin@parallels.com&gt;
Cc: Florian Westphal &lt;fw@strlen.de&gt;
Reported-by: Andrew Vagin &lt;avagin@parallels.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Reviewed-by: Eric Dumazet &lt;edumazet@google.com&gt;
Acked-by: Andrew Vagin &lt;avagin@parallels.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xt_CT: fix error value in xt_ct_tg_check()</title>
<updated>2014-01-03T22:41:39+00:00</updated>
<author>
<name>Eric Leblond</name>
<email>eric@regit.org</email>
</author>
<published>2014-01-02T09:03:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=14abfa161d256c60f3ea6ba494704ac634b94f63'/>
<id>14abfa161d256c60f3ea6ba494704ac634b94f63</id>
<content type='text'>
If setting event mask fails then we were returning 0 for success.
This patch updates return code to -EINVAL in case of problem.

Signed-off-by: Eric Leblond &lt;eric@regit.org&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If setting event mask fails then we were returning 0 for success.
This patch updates return code to -EINVAL in case of problem.

Signed-off-by: Eric Leblond &lt;eric@regit.org&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xt_CT: optimize XT_CT_NOTRACK</title>
<updated>2013-05-23T09:09:29+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2013-05-22T11:10:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=27e7190efd5b2f728686a8293af6d9bd34c4e562'/>
<id>27e7190efd5b2f728686a8293af6d9bd34c4e562</id>
<content type='text'>
The percpu untracked ct are not currently used for XT_CT_NOTRACK.

xt_ct_tg_check()/xt_ct_target() provides a single ct.

Thats not optimal as the ct-&gt;ct_general.use cache line will bounce among
cpus.

Use the intended [1] thing : xt_ct_target() should select the percpu
object.

[1] Refs :
commit 5bfddbd46a95c97 ("netfilter: nf_conntrack: IPS_UNTRACKED bit")
commit b3c5163fe0193a7 ("netfilter: nf_conntrack: per_cpu untracking")

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The percpu untracked ct are not currently used for XT_CT_NOTRACK.

xt_ct_tg_check()/xt_ct_target() provides a single ct.

Thats not optimal as the ct-&gt;ct_general.use cache line will bounce among
cpus.

Use the intended [1] thing : xt_ct_target() should select the percpu
object.

[1] Refs :
commit 5bfddbd46a95c97 ("netfilter: nf_conntrack: IPS_UNTRACKED bit")
commit b3c5163fe0193a7 ("netfilter: nf_conntrack: per_cpu untracking")

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xt_CT: add alias flag</title>
<updated>2013-02-05T00:49:26+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2013-01-30T19:24:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5474f57f7d686ac918355419cb71496f835aaf5d'/>
<id>5474f57f7d686ac918355419cb71496f835aaf5d</id>
<content type='text'>
This patch adds the alias flag to support full NOTRACK target
aliasing.

Based on initial patch from Jozsef Kadlecsik.

Acked-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hi&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch adds the alias flag to support full NOTRACK target
aliasing.

Based on initial patch from Jozsef Kadlecsik.

Acked-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hi&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xt_CT: merge common code of revision 0 and 1</title>
<updated>2013-02-05T00:49:16+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2013-01-30T19:20:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d52ed4379a8264bc9bc82c068448c424924f1fde'/>
<id>d52ed4379a8264bc9bc82c068448c424924f1fde</id>
<content type='text'>
This patch merges the common code for revision 0 and 1.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch merges the common code for revision 0 and 1.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xt_CT: fix unset return value if conntrack zone are disabled</title>
<updated>2013-01-10T12:11:00+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2013-01-10T11:42:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4610476d89d53714ca94aae081fa035908bc137a'/>
<id>4610476d89d53714ca94aae081fa035908bc137a</id>
<content type='text'>
net/netfilter/xt_CT.c: In function ‘xt_ct_tg_check_v1’:
net/netfilter/xt_CT.c:250:6: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_CT.c: In function ‘xt_ct_tg_check_v0’:
net/netfilter/xt_CT.c:112:6: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized]

Reported-by: Borislav Petkov &lt;bp@alien8.de&gt;
Acked-by: Borislav Petkov &lt;bp@alien8.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
net/netfilter/xt_CT.c: In function ‘xt_ct_tg_check_v1’:
net/netfilter/xt_CT.c:250:6: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized]
net/netfilter/xt_CT.c: In function ‘xt_ct_tg_check_v0’:
net/netfilter/xt_CT.c:112:6: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized]

Reported-by: Borislav Petkov &lt;bp@alien8.de&gt;
Acked-by: Borislav Petkov &lt;bp@alien8.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xt_CT: recover NOTRACK target support</title>
<updated>2012-12-24T11:55:09+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-12-20T01:54:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=10db9069eb5c60195170a4119bdbcbce69a4945f'/>
<id>10db9069eb5c60195170a4119bdbcbce69a4945f</id>
<content type='text'>
Florian Westphal reported that the removal of the NOTRACK target
(9655050 netfilter: remove xt_NOTRACK) is breaking some existing
setups.

That removal was scheduled for removal since long time ago as
described in Documentation/feature-removal-schedule.txt

What:  xt_NOTRACK
Files: net/netfilter/xt_NOTRACK.c
When:  April 2011
Why:   Superseded by xt_CT

Still, people may have not notice / may have decided to stick to an
old iptables version. I agree with him in that some more conservative
approach by spotting some printk to warn users for some time is less
agressive.

Current iptables 1.4.16.3 already contains the aliasing support
that makes it point to the CT target, so upgrading would fix it.
Still, the policy so far has been to avoid pushing our users to
upgrade.

As a solution, this patch recovers the NOTRACK target inside the CT
target and it now spots a warning.

Reported-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Florian Westphal reported that the removal of the NOTRACK target
(9655050 netfilter: remove xt_NOTRACK) is breaking some existing
setups.

That removal was scheduled for removal since long time ago as
described in Documentation/feature-removal-schedule.txt

What:  xt_NOTRACK
Files: net/netfilter/xt_NOTRACK.c
When:  April 2011
Why:   Superseded by xt_CT

Still, people may have not notice / may have decided to stick to an
old iptables version. I agree with him in that some more conservative
approach by spotting some printk to warn users for some time is less
agressive.

Current iptables 1.4.16.3 already contains the aliasing support
that makes it point to the CT target, so upgrading would fix it.
Still, the policy so far has been to avoid pushing our users to
upgrade.

As a solution, this patch recovers the NOTRACK target inside the CT
target and it now spots a warning.

Reported-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xt_CT: fix crash while destroy ct templates</title>
<updated>2012-12-16T22:44:12+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-12-11T04:07:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=252b3e8c1bc0c2b20348ae87d67efcd0a8209f72'/>
<id>252b3e8c1bc0c2b20348ae87d67efcd0a8209f72</id>
<content type='text'>
In (d871bef netfilter: ctnetlink: dump entries from the dying and
unconfirmed lists), we assume that all conntrack objects are
inserted in any of the existing lists. However, template conntrack
objects were not. This results in hitting BUG_ON in the
destroy_conntrack path while removing a rule that uses the CT target.

This patch fixes the situation by adding the template lists, which
is where template conntrack objects reside now.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In (d871bef netfilter: ctnetlink: dump entries from the dying and
unconfirmed lists), we assume that all conntrack objects are
inserted in any of the existing lists. However, template conntrack
objects were not. This results in hitting BUG_ON in the
destroy_conntrack path while removing a rule that uses the CT target.

This patch fixes the situation by adding the template lists, which
is where template conntrack objects reside now.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
