Commit f8785c55 authored by David S. Miller's avatar David S. Miller

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables

Pablo Neira Ayuso says:

====================
This batch contains five nf_tables patches for your net-next tree,
they are:

* Fix possible use after free in the module removal path of the
  x_tables compatibility layer, from Dan Carpenter.

* Add filter chain type for the bridge family, from myself.

* Fix Kconfig dependencies of the nf_tables bridge family with
  the core, from myself.

* Fix sparse warnings in nft_nat, from Tomasz Bursztyka.

* Remove duplicated include in the IPv4 family support for nf_tables,
  from Wei Yongjun.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 72c39a0a c359c415
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
# #
# #
config NF_TABLES_BRIDGE config NF_TABLES_BRIDGE
depends on NF_TABLES
tristate "Ethernet Bridge nf_tables support" tristate "Ethernet Bridge nf_tables support"
menuconfig BRIDGE_NF_EBTABLES menuconfig BRIDGE_NF_EBTABLES
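Review bot: The new `depends on NF_TABLES` line is placed between `config NF_TABLES_BRIDGE` and its `tristate` prompt; kernel Kconfig convention puts the prompt first, i.e. `tristate "Ethernet Bridge nf_tables support"` followed by `depends on NF_TABLES`, which also keeps the entry consistent with the ebtables block below it. If this option is not already evaluated under a bridge condition elsewhere in the file, it presumably also needs a BRIDGE dependency in the same way the ebtables entry carries one; the hunk does not show that, so confirm against the rest of the file.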
/* /*
* Copyright (c) 2008 Patrick McHardy <kaber@trash.net> * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
* Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
...@@ -47,14 +48,50 @@ static struct pernet_operations nf_tables_bridge_net_ops = { ...@@ -47,14 +48,50 @@ static struct pernet_operations nf_tables_bridge_net_ops = {
.exit = nf_tables_bridge_exit_net, .exit = nf_tables_bridge_exit_net,
}; };
static unsigned int
nft_do_chain_bridge(const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
struct nft_pktinfo pkt;
nft_set_pktinfo(&pkt, ops, skb, in, out);
return nft_do_chain_pktinfo(&pkt, ops);
}
static struct nf_chain_type filter_bridge = {
.family = NFPROTO_BRIDGE,
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
.hook_mask = (1 << NF_BR_LOCAL_IN) |
(1 << NF_BR_FORWARD) |
(1 << NF_BR_LOCAL_OUT),
.fn = {
[NF_BR_LOCAL_IN] = nft_do_chain_bridge,
[NF_BR_FORWARD] = nft_do_chain_bridge,
[NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
},
};
static int __init nf_tables_bridge_init(void) static int __init nf_tables_bridge_init(void)
{ {
return register_pernet_subsys(&nf_tables_bridge_net_ops); int ret;
nft_register_chain_type(&filter_bridge);
ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
if (ret < 0)
nft_unregister_chain_type(&filter_bridge);
return ret;
} }
static void __exit nf_tables_bridge_exit(void) static void __exit nf_tables_bridge_exit(void)
{ {
return unregister_pernet_subsys(&nf_tables_bridge_net_ops); unregister_pernet_subsys(&nf_tables_bridge_net_ops);
nft_unregister_chain_type(&filter_bridge);
} }
module_init(nf_tables_bridge_init); module_init(nf_tables_bridge_init);
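Review bot: nf_tables_bridge_init discards the result of `nft_register_chain_type(&filter_bridge)` on the line after `int ret;`; if the core can refuse the registration (for example when a chain type for the same family/type slot already exists), the pernet subsystem is still registered and the exit path later unregisters a chain type that was never added. Checking it keeps the unwind symmetric: `ret = nft_register_chain_type(&filter_bridge);` / `if (ret < 0)` / `return ret;` before the register_pernet_subsys() call. This assumes the registration call reports failure through an int return as the other nf_tables families treat it; if it is void in this tree the point does not apply. A one-line comment above filter_bridge saying that the type claims only the local-in, forward and local-out bridge hooks and routes all three through nft_do_chain_bridge would also help a reader who does not know the nf_tables chain-type model.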
...@@ -16,7 +16,6 @@ ...@@ -16,7 +16,6 @@
#include <net/netfilter/nf_tables.h> #include <net/netfilter/nf_tables.h>
#include <net/net_namespace.h> #include <net/net_namespace.h>
#include <net/ip.h> #include <net/ip.h>
#include <net/net_namespace.h>
#include <net/netfilter/nf_tables_ipv4.h> #include <net/netfilter/nf_tables_ipv4.h>
static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops, static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
...@@ -634,9 +634,9 @@ nft_match_select_ops(const struct nft_ctx *ctx, ...@@ -634,9 +634,9 @@ nft_match_select_ops(const struct nft_ctx *ctx,
static void nft_match_release(void) static void nft_match_release(void)
{ {
struct nft_xt *nft_match; struct nft_xt *nft_match, *tmp;
list_for_each_entry(nft_match, &nft_match_list, head) list_for_each_entry_safe(nft_match, tmp, &nft_match_list, head)
kfree(nft_match); kfree(nft_match);
} }
...@@ -705,9 +705,9 @@ nft_target_select_ops(const struct nft_ctx *ctx, ...@@ -705,9 +705,9 @@ nft_target_select_ops(const struct nft_ctx *ctx,
static void nft_target_release(void) static void nft_target_release(void)
{ {
struct nft_xt *nft_target; struct nft_xt *nft_target, *tmp;
list_for_each_entry(nft_target, &nft_target_list, head) list_for_each_entry_safe(nft_target, tmp, &nft_target_list, head)
kfree(nft_target); kfree(nft_target);
} }
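Review bot: nft_match_release now iterates safely, but after the loop nft_match_list still links the freed entries, so the fix relies on nobody touching the list afterwards; that holds if the function only runs from the module's exit path, but is fragile if it can be reached earlier or the list is walked again. Unlinking before freeing, `list_del(&nft_match->head);` immediately ahead of `kfree(nft_match);`, makes the release self-contained at no real cost. The same applies to nft_target_release in the second hunk of this file. Whether any other caller exists is outside the hunk, so confirm before changing.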
...@@ -47,8 +47,10 @@ static void nft_nat_eval(const struct nft_expr *expr, ...@@ -47,8 +47,10 @@ static void nft_nat_eval(const struct nft_expr *expr,
memset(&range, 0, sizeof(range)); memset(&range, 0, sizeof(range));
if (priv->sreg_addr_min) { if (priv->sreg_addr_min) {
if (priv->family == AF_INET) { if (priv->family == AF_INET) {
range.min_addr.ip = data[priv->sreg_addr_min].data[0]; range.min_addr.ip = (__force __be32)
range.max_addr.ip = data[priv->sreg_addr_max].data[0]; data[priv->sreg_addr_min].data[0];
range.max_addr.ip = (__force __be32)
data[priv->sreg_addr_max].data[0];
} else { } else {
memcpy(range.min_addr.ip6, memcpy(range.min_addr.ip6,
...@@ -62,8 +64,10 @@ static void nft_nat_eval(const struct nft_expr *expr, ...@@ -62,8 +64,10 @@ static void nft_nat_eval(const struct nft_expr *expr,
} }
if (priv->sreg_proto_min) { if (priv->sreg_proto_min) {
range.min_proto.all = data[priv->sreg_proto_min].data[0]; range.min_proto.all = (__force __be16)
range.max_proto.all = data[priv->sreg_proto_max].data[0]; data[priv->sreg_proto_min].data[0];
range.max_proto.all = (__force __be16)
data[priv->sreg_proto_max].data[0];
range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
} }
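Review bot: The `(__force __be32)` and `(__force __be16)` casts only silence sparse; they assert, without converting, that the words in `data[...]` already hold network-order addresses and ports, and nothing in the hunk shows where that is established. A short comment at the first cast, `/* register data is already in network byte order; __force is a sparse annotation, not a byte swap */`, would stop a later reader from "fixing" these lines with htonl()/htons(). nft_nat_eval starts and ends outside the hunk, so the register-loading side that fixes the byte order is not visible here; confirm it against the expression's init path.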