Commit 27c064ae authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter fixes for net:

1) Fix deadlock in nfnetlink due to missing mutex release in error path,
   from Ziyang Xuan.

2) Clean up pending autoload module list from nf_tables_exit_net() path,
   from Shigeru Yoshida.

3) Fixes for the netfilter reverse path selftest, from Phil Sutter.

All of these bugs have been around for several releases.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 5d041588 58bb78ce
...@@ -10090,7 +10090,8 @@ static void __net_exit nf_tables_exit_net(struct net *net) ...@@ -10090,7 +10090,8 @@ static void __net_exit nf_tables_exit_net(struct net *net)
struct nftables_pernet *nft_net = nft_pernet(net); struct nftables_pernet *nft_net = nft_pernet(net);
mutex_lock(&nft_net->commit_mutex); mutex_lock(&nft_net->commit_mutex);
if (!list_empty(&nft_net->commit_list)) if (!list_empty(&nft_net->commit_list) ||
!list_empty(&nft_net->module_list))
__nf_tables_abort(net, NFNL_ABORT_NONE); __nf_tables_abort(net, NFNL_ABORT_NONE);
__nft_release_tables(net); __nft_release_tables(net);
mutex_unlock(&nft_net->commit_mutex); mutex_unlock(&nft_net->commit_mutex);
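Review bot: The widened condition at the top of the hunk is undocumented, so a reader cannot tell from the two-line test why a non-empty module_list on its own must trigger __nf_tables_abort() when nothing is queued in commit_list. A comment such as `/* abort also drains the pending module autoload list, not only uncommitted transactions */` above the `if` would record the intent; the commit description's item 2 is the only place that currently states it. Whether __nf_tables_abort() is the only path that releases module_list entries is not visible from this hunk. nf_tables_exit_net() continues outside the hunk.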
...@@ -294,6 +294,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -294,6 +294,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
nfnl_lock(subsys_id); nfnl_lock(subsys_id);
if (nfnl_dereference_protected(subsys_id) != ss || if (nfnl_dereference_protected(subsys_id) != ss ||
nfnetlink_find_client(type, ss) != nc) { nfnetlink_find_client(type, ss) != nc) {
nfnl_unlock(subsys_id);
err = -EAGAIN; err = -EAGAIN;
break; break;
} }
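Review bot: The added `nfnl_unlock(subsys_id)` on the early-exit path carries no comment, and because the `break` leaves the enclosing loop it is not obvious on reading that no later unlock covers this path; a one-line comment `/* subsys or client changed under us: drop the lock before the -EAGAIN retry */` would make the pairing with the nfnl_lock() a few lines above explicit. That -EAGAIN leads to a retry is inferred from the commit description's mention of a deadlock, not from the hunk itself, so the wording should be checked against the loop. nfnetlink_rcv_msg() starts and ends outside the hunk.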
...@@ -15,7 +15,7 @@ fi ...@@ -15,7 +15,7 @@ fi
if ip6tables-legacy --version >/dev/null 2>&1; then if ip6tables-legacy --version >/dev/null 2>&1; then
ip6tables='ip6tables-legacy' ip6tables='ip6tables-legacy'
elif ! ip6tables --version >/dev/null 2>&1; then elif ip6tables --version >/dev/null 2>&1; then
ip6tables='ip6tables' ip6tables='ip6tables'
else else
ip6tables='' ip6tables=''
...@@ -62,9 +62,11 @@ ip -net "$ns1" a a fec0:42::2/64 dev v0 nodad ...@@ -62,9 +62,11 @@ ip -net "$ns1" a a fec0:42::2/64 dev v0 nodad
ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad
# firewall matches to test # firewall matches to test
ip netns exec "$ns2" "$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter [ -n "$iptables" ] && ip netns exec "$ns2" \
ip netns exec "$ns2" "$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter "$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter
ip netns exec "$ns2" nft -f - <<EOF [ -n "$ip6tables" ] && ip netns exec "$ns2" \
"$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter
[ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF
table inet t { table inet t {
chain c { chain c {
type filter hook prerouting priority raw; type filter hook prerouting priority raw;
...@@ -106,8 +108,8 @@ testrun() { ...@@ -106,8 +108,8 @@ testrun() {
if [ -n "$nft" ]; then if [ -n "$nft" ]; then
( (
echo "delete table inet t"; echo "delete table inet t";
ip netns exec "$ns2" nft -s list table inet t; ip netns exec "$ns2" $nft -s list table inet t;
) | ip netns exec "$ns2" nft -f - ) | ip netns exec "$ns2" $nft -f -
fi fi
# test 1: martian traffic should fail rpfilter matches # test 1: martian traffic should fail rpfilter matches
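Review bot: In the -62,9 hunk, the new `[ -n "$iptables" ] && ip netns exec ... -m rpfilter` form discards the exit status of the rule installation, so a failure to install the rpfilter rule (for example a missing match module) goes unnoticed and surfaces later as a test failure that looks like a matching bug; the ip6tables and nft lines that follow have the same shape. One option is `[ -z "$iptables" ] || ip netns exec "$ns2" "$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter || exit 1`, or an explicit error message before exiting. `$nft` is expanded unquoted both here and in the testrun() hunk while `$iptables` and `$ip6tables` are quoted; if nft only ever holds a bare command name this is harmless, but quoting it would be consistent. Whether the script runs under `set -e` is not visible from these hunks.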