Merge branch 'master' of git://1984.lsi.us.es/nf

davem330 · davem330 · commit 4f4ecd5f2a94 · 2013-04-04T17:41:53.000-04:00
Pablo Neira Ayuso says:

====================
The following patchset contains netfilter updates for your net tree,
they are:

* Fix missing the skb-&gt;trace reset in nf_reset, noticed by Gao Feng
  while using the TRACE target with several net namespaces.

* Fix prefix translation in IPv6 NPT if non-multiple of 32 prefixes
  are used, from Matthias Schiffer.

* Fix invalid nfacct objects with empty name, they are now rejected
  with -EINVAL, spotted by Michael Zintakis, patch from myself.

* A couple of fixes for wrong return values in the error path of
  nfnetlink_queue and nf_conntrack, from Wei Yongjun.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
@@ -2641,6 +2641,9 @@ static inline void nf_reset(struct sk_buff *skb)
 	nf_bridge_put(skb->nf_bridge);
 	skb->nf_bridge = NULL;
 #endif
+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
+	skb->nf_trace = 0;
+#endif
 }
 
 /* Note: This doesn't put any conntrack and bridge info in dst. */
diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c
@@ -57,7 +57,7 @@ static bool ip6t_npt_map_pfx(const struct ip6t_npt_tginfo *npt,
 		if (pfx_len - i >= 32)
 			mask = 0;
 		else
-			mask = htonl(~((1 << (pfx_len - i)) - 1));
+			mask = htonl((1 << (i - pfx_len + 32)) - 1);
 
 		idx = i / 32;
 		addr->s6_addr32[idx] &= mask;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
@@ -568,6 +568,7 @@ static int __init nf_conntrack_standalone_init(void)
 		register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
 	if (!nf_ct_netfilter_header) {
 		pr_err("nf_conntrack: can't register to sysctl.\n");
+		ret = -ENOMEM;
 		goto out_sysctl;
 	}
 #endif
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
@@ -49,6 +49,8 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
 		return -EINVAL;
 
 	acct_name = nla_data(tb[NFACCT_NAME]);
+	if (strlen(acct_name) == 0)
+		return -EINVAL;
 
 	list_for_each_entry(nfacct, &nfnl_acct_list, head) {
 		if (strncmp(nfacct->name, acct_name, NFACCT_NAME_MAX) != 0)
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
@@ -1062,8 +1062,10 @@ static int __init nfnetlink_queue_init(void)
 
 #ifdef CONFIG_PROC_FS
 	if (!proc_create("nfnetlink_queue", 0440,
-			 proc_net_netfilter, &nfqnl_file_ops))
+			 proc_net_netfilter, &nfqnl_file_ops)) {
+		status = -ENOMEM;
 		goto cleanup_subsys;
+	}
 #endif
 
 	register_netdevice_notifier(&nfqnl_dev_notifier);

Original file line number	Diff line number	Diff line change
`@@ -2641,6 +2641,9 @@ static inline void nf_reset(struct sk_buff *skb)`
`2641`	`2641`	`nf_bridge_put(skb->nf_bridge);`
`2642`	`2642`	`skb->nf_bridge = NULL;`
`2643`	`2643`	`#endif`
	`2644`	`+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)`
	`2645`	`+ skb->nf_trace = 0;`
	`2646`	`+#endif`
`2644`	`2647`	`}`
`2645`	`2648`
`2646`	`2649`	`/* Note: This doesn't put any conntrack and bridge info in dst. */`
Original file line number	Diff line number	Diff line change
`@@ -568,6 +568,7 @@ static int __init nf_conntrack_standalone_init(void)`
`568`	`568`	`register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);`
`569`	`569`	`if (!nf_ct_netfilter_header) {`
`570`	`570`	`pr_err("nf_conntrack: can't register to sysctl.\n");`
	`571`	`+ ret = -ENOMEM;`
`571`	`572`	`goto out_sysctl;`
`572`	`573`	`}`
`573`	`574`	`#endif`