Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

author David S. Miller <davem@davemloft.net>

Wed, 4 Sep 2019 22:03:55 +0000 (00:03 +0200)

committer David S. Miller <davem@davemloft.net>

Wed, 4 Sep 2019 22:03:55 +0000 (00:03 +0200)
author David S. Miller <davem@davemloft.net>
Wed, 4 Sep 2019 22:03:55 +0000 (00:03 +0200)
committer David S. Miller <davem@davemloft.net>
Wed, 4 Sep 2019 22:03:55 +0000 (00:03 +0200)
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c

index d3f9592f4ff8d8435861cd95dd0d130e8fa22fbb..af7800103e51e5aee724ff314697d17ec583aeba 100644 (file)
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -496,6 +496,10 @@ static unsigned int br_nf_pre_routing(void *priv,
                 if (!brnet->call_ip6tables &&
                     !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
                         return NF_ACCEPT;
+               if (!ipv6_mod_enabled()) {
+                       pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
+                       return NF_DROP;
+               }
  
                 nf_bridge_pull_encap_header_rcsum(skb);
                 return br_nf_pre_routing_ipv6(priv, skb, state);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c

index 6aa01eb6fe99ce8cdb62dec08c2b37a3701a6218..e2d13cd1887562c80361042c7fe72ad50b8034d5 100644 (file)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -553,10 +553,8 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
                 goto nla_put_failure;
  
         if (ctnetlink_dump_status(skb, ct) < 0 ||
-           ctnetlink_dump_timeout(skb, ct) < 0 ||
             ctnetlink_dump_acct(skb, ct, type) < 0 ||
             ctnetlink_dump_timestamp(skb, ct) < 0 ||
-           ctnetlink_dump_protoinfo(skb, ct) < 0 ||
             ctnetlink_dump_helpinfo(skb, ct) < 0 ||
             ctnetlink_dump_mark(skb, ct) < 0 ||
             ctnetlink_dump_secctx(skb, ct) < 0 ||
@@ -568,6 +566,11 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
             ctnetlink_dump_ct_synproxy(skb, ct) < 0)
                 goto nla_put_failure;
  
+       if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
+           (ctnetlink_dump_timeout(skb, ct) < 0 ||
+            ctnetlink_dump_protoinfo(skb, ct) < 0))
+               goto nla_put_failure;
+
         nlmsg_end(skb, nlh);
         return skb->len;
  
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c

index 80a8f9ae4c93118d651f6b27f97f1f89bda77cfe..a0b4bf654de2d75765bc27b4ea61c130f32a14a1 100644 (file)
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -217,7 +217,7 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
                 return err;
         }
  
-       flow->timeout = (u32)jiffies;
+       flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
         return 0;
  }
  EXPORT_SYMBOL_GPL(flow_offload_add);
diff --git a/net/netfilter/nft_fib_netdev.c b/net/netfilter/nft_fib_netdev.c

index 2cf3f32fe6d2543fd338b0a545aca3fd975ec04f..a2e726ae7f07737b8dc5d420cacbf00885a90ba0 100644 (file)
--- a/net/netfilter/nft_fib_netdev.c
+++ b/net/netfilter/nft_fib_netdev.c
@@ -14,6 +14,7 @@
  #include <linux/netfilter/nf_tables.h>
  #include <net/netfilter/nf_tables_core.h>
  #include <net/netfilter/nf_tables.h>
+#include <net/ipv6.h>
  
  #include <net/netfilter/nft_fib.h>
  
@@ -34,6 +35,8 @@ static void nft_fib_netdev_eval(const struct nft_expr *expr,
                 }
                 break;
         case ETH_P_IPV6:
+               if (!ipv6_mod_enabled())
+                       break;
                 switch (priv->result) {
                 case NFT_FIB_RESULT_OIF:
                 case NFT_FIB_RESULT_OIFNAME:
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c

index d7f3776dfd719d402ae178890107db8ebd1627f2..637ce3e8c575ce1b95dfcd340347176772cdff2d 100644 (file)
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -47,9 +47,6 @@ static void nft_socket_eval(const struct nft_expr *expr,
                 return;
         }
  
-       /* So that subsequent socket matching not to require other lookups. */
-       skb->sk = sk;
-
         switch(priv->key) {
         case NFT_SOCKET_TRANSPARENT:
                 nft_reg_store8(dest, inet_sk_transparent(sk));
@@ -66,6 +63,9 @@ static void nft_socket_eval(const struct nft_expr *expr,
                 WARN_ON(1);
                 regs->verdict.code = NFT_BREAK;
         }
+
+       if (sk != skb->sk)
+               sock_gen_put(sk);
  }
  
  static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
author	David S. Miller <davem@davemloft.net>
	Wed, 4 Sep 2019 22:03:55 +0000 (00:03 +0200)
committer	David S. Miller <davem@davemloft.net>
	Wed, 4 Sep 2019 22:03:55 +0000 (00:03 +0200)
net/bridge/br_netfilter_hooks.c		patch \| blob \| blame \| history
net/netfilter/nf_conntrack_netlink.c		patch \| blob \| blame \| history
net/netfilter/nf_flow_table_core.c		patch \| blob \| blame \| history
net/netfilter/nft_fib_netdev.c		patch \| blob \| blame \| history
net/netfilter/nft_socket.c		patch \| blob \| blame \| history