<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/ipv4/netfilter, branch v2.6.22</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>[NETFILTER]: ip_tables: fix compat related crash</title>
<updated>2007-06-07T20:40:32+00:00</updated>
<author>
<name>Dmitry Mishin</name>
<email>dim@openvz.org</email>
</author>
<published>2007-06-05T19:56:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4c1b52bc7a2f5ee01ea3fc248a8748a1c6843f7c'/>
<id>4c1b52bc7a2f5ee01ea3fc248a8748a1c6843f7c</id>
<content type='text'>
check_compat_entry_size_and_hooks iterates over the matches and calls
compat_check_calc_match, which loads the match and calculates the
compat offsets, but unlike the non-compat version, doesn't call
-&gt;checkentry yet. On error however it calls cleanup_matches, which in
turn calls -&gt;destroy, which can result in crashes if the destroy
function (validly) expects to only get called after the checkentry
function.

Add a compat_release_match function that only drops the module reference
on error and rename compat_check_calc_match to compat_find_calc_match to
reflect the fact that it doesn't call the checkentry function.

Reported by Jan Engelhardt &lt;jengelh@linux01.gwdg.de&gt;

Signed-off-by: Dmitry Mishin &lt;dim@openvz.org&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
check_compat_entry_size_and_hooks iterates over the matches and calls
compat_check_calc_match, which loads the match and calculates the
compat offsets, but unlike the non-compat version, doesn't call
-&gt;checkentry yet. On error however it calls cleanup_matches, which in
turn calls -&gt;destroy, which can result in crashes if the destroy
function (validly) expects to only get called after the checkentry
function.

Add a compat_release_match function that only drops the module reference
on error and rename compat_check_calc_match to compat_find_calc_match to
reflect the fact that it doesn't call the checkentry function.

Reported by Jan Engelhardt &lt;jengelh@linux01.gwdg.de&gt;

Signed-off-by: Dmitry Mishin &lt;dim@openvz.org&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NETFILTER]: nf_conntrack: fix helper module unload races</title>
<updated>2007-06-07T20:40:26+00:00</updated>
<author>
<name>Patrick McHarrdy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-06-05T19:55:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3c158f7f57601bc27eab82f0dc4fd3fad314d845'/>
<id>3c158f7f57601bc27eab82f0dc4fd3fad314d845</id>
<content type='text'>
When a helper module is unloaded all conntracks refering to it have their
helper pointer NULLed out, leading to lots of races. In most places this
can be fixed by proper use of RCU (they do already check for != NULL,
but in a racy way), additionally nf_conntrack_expect_related needs to
bail out when no helper is present.

Also remove two paranoid BUG_ONs in nf_conntrack_proto_gre that are racy
and not worth fixing.

Signed-off-by: Patrick McHarrdy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When a helper module is unloaded all conntracks refering to it have their
helper pointer NULLed out, leading to lots of races. In most places this
can be fixed by proper use of RCU (they do already check for != NULL,
but in a racy way), additionally nf_conntrack_expect_related needs to
bail out when no helper is present.

Also remove two paranoid BUG_ONs in nf_conntrack_proto_gre that are racy
and not worth fixing.

Signed-off-by: Patrick McHarrdy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NETFILTER]: nf_nat_h323: call set_h225_addr instead of set_h225_addr_hook</title>
<updated>2007-05-24T23:44:40+00:00</updated>
<author>
<name>Jing Min Zhao</name>
<email>zhaojingmin@vivecode.com</email>
</author>
<published>2007-05-24T23:44:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1ff75ed254bdbb47bb0c1d71a3cc65f6831a8e3a'/>
<id>1ff75ed254bdbb47bb0c1d71a3cc65f6831a8e3a</id>
<content type='text'>
They're the same.

Signed-off-by: Jing Min Zhao &lt;zhaojingmin@vivecode.com&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
They're the same.

Signed-off-by: Jing Min Zhao &lt;zhaojingmin@vivecode.com&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NETFILTER]: nf_conntrack_ftp: fix newline sequence number calculation</title>
<updated>2007-05-24T23:41:50+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-05-24T23:41:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=25b86e05467a2bf936b78695ef49039e3bbd1e0c'/>
<id>25b86e05467a2bf936b78695ef49039e3bbd1e0c</id>
<content type='text'>
When the packet size is changed by the FTP NAT helper, the connection
tracking helper adjusts the sequence number of the newline character
by the size difference. This is wrong because NAT sequence number
adjustment happens after helpers are called, so the unadjusted number
is compared to the already adjusted one.

Based on report by YU, Haitao &lt;yuhaitao@tsinghua.org.cn&gt;

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the packet size is changed by the FTP NAT helper, the connection
tracking helper adjusts the sequence number of the newline character
by the size difference. This is wrong because NAT sequence number
adjustment happens after helpers are called, so the unadjusted number
is compared to the already adjusted one.

Based on report by YU, Haitao &lt;yuhaitao@tsinghua.org.cn&gt;

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NETFILTER]: nf_conntrack_ipv4: fix incorrect #ifdef config name</title>
<updated>2007-05-19T21:24:16+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-05-19T21:24:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3ad2a6fb6bcc2f464cdde093a76b76b90b90c66c'/>
<id>3ad2a6fb6bcc2f464cdde093a76b76b90b90c66c</id>
<content type='text'>
The option is named CONFIG_NF_NAT not CONFIG_IP_NF_NAT. Remove the ifdef
completely since helpers also expect defragmented packet even without
NAT.

Noticed by Robert P. J. Day &lt;rpjday@mindspring.com&gt;

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The option is named CONFIG_NF_NAT not CONFIG_IP_NF_NAT. Remove the ifdef
completely since helpers also expect defragmented packet even without
NAT.

Noticed by Robert P. J. Day &lt;rpjday@mindspring.com&gt;

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NETFILTER]: iptable_raw: ignore short packets sent by SOCK_RAW sockets</title>
<updated>2007-05-11T06:47:59+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-05-10T21:17:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=802169a4b0f71d25a0f798a9c0657a565b1e79bc'/>
<id>802169a4b0f71d25a0f798a9c0657a565b1e79bc</id>
<content type='text'>
iptables matches and targets expect packets to have at least a full
IP header and a valid header length. Ignore packets sent through
raw sockets for which this isn't true as in the other tables.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
iptables matches and targets expect packets to have at least a full
IP header and a valid header length. Ignore packets sent through
raw sockets for which this isn't true as in the other tables.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NETFILTER]: iptable_{filter,mangle}: more descriptive "happy cracking" message</title>
<updated>2007-05-11T06:47:59+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-05-10T21:16:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4a176c1a61ed279f4d98b6adf9be84fb905d921c'/>
<id>4a176c1a61ed279f4d98b6adf9be84fb905d921c</id>
<content type='text'>
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NETFILTER]: nf_nat: remove unused argument of function allocating binding</title>
<updated>2007-05-11T06:47:44+00:00</updated>
<author>
<name>Yasuyuki Kozakai</name>
<email>yasuyuki.kozakai@toshiba.co.jp</email>
</author>
<published>2007-05-10T21:14:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ba4c7cbadd2c025321809b522c398fc81cd5d75d'/>
<id>ba4c7cbadd2c025321809b522c398fc81cd5d75d</id>
<content type='text'>
nf_nat_rule_find, alloc_null_binding and alloc_null_binding_confirmed
do not use the argument 'info', which is actually ct-&gt;nat.info.
If they are necessary to access it again, we can use the argument 'ct'
instead.

Signed-off-by: Yasuyuki Kozakai &lt;yasuyuki.kozakai@toshiba.co.jp&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
nf_nat_rule_find, alloc_null_binding and alloc_null_binding_confirmed
do not use the argument 'info', which is actually ct-&gt;nat.info.
If they are necessary to access it again, we can use the argument 'ct'
instead.

Signed-off-by: Yasuyuki Kozakai &lt;yasuyuki.kozakai@toshiba.co.jp&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NETFILTER]: Clean up table initialization</title>
<updated>2007-05-11T06:47:43+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-05-10T21:14:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3c2ad469c317147fc1de19579f8173ddb68a9e91'/>
<id>3c2ad469c317147fc1de19579f8173ddb68a9e91</id>
<content type='text'>
- move arp_tables initial table structure definitions to arp_tables.h
  similar to ip_tables and ip6_tables

- use C99 initializers

- use initializer macros where possible

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- move arp_tables initial table structure definitions to arp_tables.h
  similar to ip_tables and ip6_tables

- use C99 initializers

- use initializer macros where possible

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[NETFILTER]: sip: Fix RTP address NAT</title>
<updated>2007-05-03T10:35:31+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2007-05-03T10:35:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=cfd6c38096d75c8b86782683c5f45c415a505b78'/>
<id>cfd6c38096d75c8b86782683c5f45c415a505b78</id>
<content type='text'>
I needed to use this recently to talk to a Cisco server.  In my case
I only did SNAT while the Cisco server used a different address for
RTP traffic than the one for SIP.  I discovered that nf_nat_sip NATed
the RTP address to the SIP one which was unnecessary but OK.  However,
in doing so it did not DNAT the destination address on the RTP traffic
to the Cisco back to the original RTP address.

This patch corrects this by noting down the RTP address and using it
when the expectation fires.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
I needed to use this recently to talk to a Cisco server.  In my case
I only did SNAT while the Cisco server used a different address for
RTP traffic than the one for SIP.  I discovered that nf_nat_sip NATed
the RTP address to the SIP one which was unnecessary but OK.  However,
in doing so it did not DNAT the destination address on the RTP traffic
to the Cisco back to the original RTP address.

This patch corrects this by noting down the RTP address and using it
when the expectation fires.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
