Commit 36a28b21 authored by David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains four Netfilter fixes for net, they are:

1) Fix Kconfig dependencies of new nf_dup_ipv4 and nf_dup_ipv6.

2) Remove bogus test nh_scope in IPv4 rpfilter match that is breaking
   --accept-local, from Xin Long.

3) Wait for RCU grace period after dropping the pending packets in the
   nfqueue, from Florian Westphal.

4) Fix sleeping allocation while holding spin_lock_bh, from Nikolay Borisov.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
parents e5356794 00db674b
...@@ -75,6 +75,7 @@ endif # NF_TABLES ...@@ -75,6 +75,7 @@ endif # NF_TABLES
config NF_DUP_IPV4 config NF_DUP_IPV4
tristate "Netfilter IPv4 packet duplication to alternate destination" tristate "Netfilter IPv4 packet duplication to alternate destination"
depends on !NF_CONNTRACK || NF_CONNTRACK
help help
This option enables the nf_dup_ipv4 core, which duplicates an IPv4 This option enables the nf_dup_ipv4 core, which duplicates an IPv4
packet to be rerouted to another destination. packet to be rerouted to another destination.
......
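Review bot: The added `depends on !NF_CONNTRACK || NF_CONNTRACK` line under `config NF_DUP_IPV4` reads like a tautology and carries no comment, so a later cleanup could drop it as dead. In Kconfig's tristate logic it caps NF_DUP_IPV4 at `m` when NF_CONNTRACK is `m`, which is presumably the dependency fix the commit message refers to. I would put `# cannot be built-in while NF_CONNTRACK is a module` above it. The same applies to the identical line added under `config NF_DUP_IPV6`.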
...@@ -61,9 +61,7 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4, ...@@ -61,9 +61,7 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
if (FIB_RES_DEV(res) == dev) if (FIB_RES_DEV(res) == dev)
dev_match = true; dev_match = true;
#endif #endif
if (dev_match || flags & XT_RPFILTER_LOOSE) return dev_match || flags & XT_RPFILTER_LOOSE;
return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
return dev_match;
} }
static bool rpfilter_is_local(const struct sk_buff *skb) static bool rpfilter_is_local(const struct sk_buff *skb)
......
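Review bot: The new `return dev_match || flags & XT_RPFILTER_LOOSE;` at the end of rpfilter_lookup_reverse mixes `||` with an unparenthesised `&`. Precedence gives the intended result, but `return dev_match || (flags & XT_RPFILTER_LOOSE);` is easier to read. With the nh_scope test removed, loose mode accepts whatever reaches this return regardless of the device, so a comment such as `/* loose mode: device match not required */` would record that this is intended for a reverse-path filter. The lookup and any early exits before this return are outside the hunk, so what actually reaches it could not be checked here.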
...@@ -58,6 +58,7 @@ endif # NF_TABLES ...@@ -58,6 +58,7 @@ endif # NF_TABLES
config NF_DUP_IPV6 config NF_DUP_IPV6
tristate "Netfilter IPv6 packet duplication to alternate destination" tristate "Netfilter IPv6 packet duplication to alternate destination"
depends on !NF_CONNTRACK || NF_CONNTRACK
help help
This option enables the nf_dup_ipv6 core, which duplicates an IPv6 This option enables the nf_dup_ipv6 core, which duplicates an IPv6
packet to be rerouted to another destination. packet to be rerouted to another destination.
......
...@@ -152,6 +152,8 @@ void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) ...@@ -152,6 +152,8 @@ void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
#endif #endif
synchronize_net(); synchronize_net();
nf_queue_nf_hook_drop(net, &entry->ops); nf_queue_nf_hook_drop(net, &entry->ops);
/* other cpu might still process nfqueue verdict that used reg */
synchronize_net();
kfree(entry); kfree(entry);
} }
EXPORT_SYMBOL(nf_unregister_net_hook); EXPORT_SYMBOL(nf_unregister_net_hook);
......
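Review bot: The comment added before the second `synchronize_net()` names `reg`, but the object freed right after is `entry`, and `&entry->ops` is what was passed to `nf_queue_nf_hook_drop()`. This wait appears to be what keeps `kfree(entry)` from racing with verdict processing on another CPU, so the comment should say that, e.g. `/* a verdict on another cpu may still reference entry->ops; wait before kfree(entry) */`. Each unregister now waits for two grace periods in a row, which may be noticeable when many hooks are removed at once; that is a cost to keep an eye on, not a reason to drop the wait. The start of nf_unregister_net_hook is outside the hunk.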
...@@ -297,7 +297,7 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext, ...@@ -297,7 +297,7 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
ip_set_timeout_expired(ext_timeout(n, set)))) ip_set_timeout_expired(ext_timeout(n, set))))
n = NULL; n = NULL;
e = kzalloc(set->dsize, GFP_KERNEL); e = kzalloc(set->dsize, GFP_ATOMIC);
if (!e) if (!e)
return -ENOMEM; return -ENOMEM;
e->id = d->id; e->id = d->id;
......
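Review bot: The switch to `GFP_ATOMIC` in the `kzalloc(set->dsize, ...)` call of list_set_uadd has no comment saying why, so a later change could turn it back into a sleeping allocation. The commit message says the allocation happens under spin_lock_bh, so `/* called with spin_lock_bh held: must not sleep */` above the call would record that. GFP_ATOMIC fails more readily under memory pressure, so add requests will hit the `-ENOMEM` return more often than before. The lock acquisition and the rest of the function are outside the hunk, so I could not check whether allocating before taking the lock would be practical.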