Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains four Netfilter fixes for net, they are:

1) Fix Kconfig dependencies of new nf_dup_ipv4 and nf_dup_ipv6.

2) Remove bogus test nh_scope in IPv4 rpfilter match that is breaking
   --accept-local, from Xin Long.

3) Wait for RCU grace period after dropping the pending packets in the
   nfqueue, from Florian Westphal.

4) Fix sleeping allocation while holding spin_lock_bh, from Nikolay Borisov.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller 9 years ago
parent
e53567948f 00db674bed
commit
36a28b2116
5 changed files with 6 additions and 4 deletions
Split View Show Diff Stats
  1. 1 0
      net/ipv4/netfilter/Kconfig
  2. 1 3
      net/ipv4/netfilter/ipt_rpfilter.c
  3. 1 0
      net/ipv6/netfilter/Kconfig
  4. 2 0
      net/netfilter/core.c
  5. 1 1
      net/netfilter/ipset/ip_set_list_set.c

+ 1 - 0
net/ipv4/netfilter/Kconfig
View File 

@@ -75,6 +75,7 @@ endif # NF_TABLES
 
 
 config NF_DUP_IPV4
 
 	tristate "Netfilter IPv4 packet duplication to alternate destination"
 
+	depends on !NF_CONNTRACK || NF_CONNTRACK
 
 	help
 
 	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
 
 	  packet to be rerouted to another destination.

+ 1 - 3
net/ipv4/netfilter/ipt_rpfilter.c
View File 

@@ -61,9 +61,7 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
 
 	if (FIB_RES_DEV(res) == dev)
 
 		dev_match = true;
 
 #endif
 
-	if (dev_match || flags & XT_RPFILTER_LOOSE)
 
-		return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
 
-	return dev_match;
 
+	return dev_match || flags & XT_RPFILTER_LOOSE;
 
 }
 
 
 static bool rpfilter_is_local(const struct sk_buff *skb)

+ 1 - 0
net/ipv6/netfilter/Kconfig
View File 

@@ -58,6 +58,7 @@ endif # NF_TABLES
 
 
 config NF_DUP_IPV6
 
 	tristate "Netfilter IPv6 packet duplication to alternate destination"
 
+	depends on !NF_CONNTRACK || NF_CONNTRACK
 
 	help
 
 	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
 
 	  packet to be rerouted to another destination.

+ 2 - 0
net/netfilter/core.c
View File 

@@ -152,6 +152,8 @@ void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
 
 #endif
 
 	synchronize_net();
 
 	nf_queue_nf_hook_drop(net, &entry->ops);
 
+	/* other cpu might still process nfqueue verdict that used reg */
 
+	synchronize_net();
 
 	kfree(entry);
 
 }
 
 EXPORT_SYMBOL(nf_unregister_net_hook);

+ 1 - 1
net/netfilter/ipset/ip_set_list_set.c
View File 

@@ -297,7 +297,7 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
 
 	      ip_set_timeout_expired(ext_timeout(n, set))))
 
 		n =  NULL;
 
 
-	e = kzalloc(set->dsize, GFP_KERNEL);
 
+	e = kzalloc(set->dsize, GFP_ATOMIC);
 
 	if (!e)
 
 		return -ENOMEM;
 
 	e->id = d->id;