Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
The following patchset contains three Netfilter fixes for your net tree,
they are:

* fix incorrect comparison in the new netnet hash ipset type, from
  Dave Jones.

* fix splat in hashlimit due to missing removal of the content of its
  proc entry in netnamespaces, from Sergey Popovich.

* fix missing rule flushing operation by table in nf_tables. Table
  flushing was already discussed back in October but this got lost and
  no patch has hit the tree to address this issue so far, from me.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller 11 years ago
parent
66e56cd46b cf9dc09d09
commit
6a46ff87d4
3 changed files with 45 additions and 28 deletions
Split View Show Diff Stats
  1. 1 1
      net/netfilter/ipset/ip_set_hash_netnet.c
  2. 33 13
      net/netfilter/nf_tables_api.c
  3. 11 14
      net/netfilter/xt_hashlimit.c

+ 1 - 1
net/netfilter/ipset/ip_set_hash_netnet.c
View File 

@@ -59,7 +59,7 @@ hash_netnet4_data_equal(const struct hash_netnet4_elem *ip1,
 
 		     u32 *multi)
 
 {
 
 	return ip1->ipcmp == ip2->ipcmp &&
 
-	       ip2->ccmp == ip2->ccmp;
 
+	       ip1->ccmp == ip2->ccmp;
 
 }
 
 
 static inline int

+ 33 - 13
net/netfilter/nf_tables_api.c
View File 

@@ -1717,6 +1717,19 @@ nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
 
 	return -ENOENT;
 
 }
 
 
+static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
 
+{
 
+	struct nft_rule *rule;
 
+	int err;
 
+
 
+	list_for_each_entry(rule, &ctx->chain->rules, list) {
 
+		err = nf_tables_delrule_one(ctx, rule);
 
+		if (err < 0)
 
+			return err;
 
+	}
 
+	return 0;
 
+}
 
+
 
 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
 
 			     const struct nlmsghdr *nlh,
 
 			     const struct nlattr * const nla[])
 
@@ -1725,8 +1738,8 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
 
 	const struct nft_af_info *afi;
 
 	struct net *net = sock_net(skb->sk);
 
 	const struct nft_table *table;
 
-	struct nft_chain *chain;
 
-	struct nft_rule *rule, *tmp;
 
+	struct nft_chain *chain = NULL;
 
+	struct nft_rule *rule;
 
 	int family = nfmsg->nfgen_family, err = 0;
 
 	struct nft_ctx ctx;
 
 
@@ -1738,22 +1751,29 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
 
 	if (IS_ERR(table))
 
 		return PTR_ERR(table);
 
 
-	chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
 
-	if (IS_ERR(chain))
 
-		return PTR_ERR(chain);
 
+	if (nla[NFTA_RULE_CHAIN]) {
 
+		chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
 
+		if (IS_ERR(chain))
 
+			return PTR_ERR(chain);
 
+	}
 
 
 	nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
 
 
-	if (nla[NFTA_RULE_HANDLE]) {
 
-		rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
 
-		if (IS_ERR(rule))
 
-			return PTR_ERR(rule);
 
+	if (chain) {
 
+		if (nla[NFTA_RULE_HANDLE]) {
 
+			rule = nf_tables_rule_lookup(chain,
 
+						     nla[NFTA_RULE_HANDLE]);
 
+			if (IS_ERR(rule))
 
+				return PTR_ERR(rule);
 
 
-		err = nf_tables_delrule_one(&ctx, rule);
 
-	} else {
 
-		/* Remove all rules in this chain */
 
-		list_for_each_entry_safe(rule, tmp, &chain->rules, list) {
 
 			err = nf_tables_delrule_one(&ctx, rule);
 
+		} else {
 
+			err = nf_table_delrule_by_chain(&ctx);
 
+		}
 
+	} else {
 
+		list_for_each_entry(chain, &table->chains, list) {
 
+			ctx.chain = chain;
 
+			err = nf_table_delrule_by_chain(&ctx);
 
 			if (err < 0)
 
 				break;
 
 		}

+ 11 - 14
net/netfilter/xt_hashlimit.c
View File 

@@ -325,21 +325,24 @@ static void htable_gc(unsigned long htlong)
 
 	add_timer(&ht->timer);
 
 }
 
 
-static void htable_destroy(struct xt_hashlimit_htable *hinfo)
 
+static void htable_remove_proc_entry(struct xt_hashlimit_htable *hinfo)
 
 {
 
 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(hinfo->net);
 
 	struct proc_dir_entry *parent;
 
 
-	del_timer_sync(&hinfo->timer);
 
-
 
 	if (hinfo->family == NFPROTO_IPV4)
 
 		parent = hashlimit_net->ipt_hashlimit;
 
 	else
 
 		parent = hashlimit_net->ip6t_hashlimit;
 
 
-	if(parent != NULL)
 
+	if (parent != NULL)
 
 		remove_proc_entry(hinfo->name, parent);
 
+}
 
 
+static void htable_destroy(struct xt_hashlimit_htable *hinfo)
 
+{
 
+	del_timer_sync(&hinfo->timer);
 
+	htable_remove_proc_entry(hinfo);
 
 	htable_selective_cleanup(hinfo, select_all);
 
 	kfree(hinfo->name);
 
 	vfree(hinfo);
 
@@ -883,21 +886,15 @@ static int __net_init hashlimit_proc_net_init(struct net *net)
 
 static void __net_exit hashlimit_proc_net_exit(struct net *net)
 
 {
 
 	struct xt_hashlimit_htable *hinfo;
 
-	struct proc_dir_entry *pde;
 
 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
 
 
-	/* recent_net_exit() is called before recent_mt_destroy(). Make sure
 
-	 * that the parent xt_recent proc entry is is empty before trying to
 
-	 * remove it.
 
+	/* hashlimit_net_exit() is called before hashlimit_mt_destroy().
 
+	 * Make sure that the parent ipt_hashlimit and ip6t_hashlimit proc
 
+	 * entries is empty before trying to remove it.
 
 	 */
 
 	mutex_lock(&hashlimit_mutex);
 
-	pde = hashlimit_net->ipt_hashlimit;
 
-	if (pde == NULL)
 
-		pde = hashlimit_net->ip6t_hashlimit;
 
-
 
 	hlist_for_each_entry(hinfo, &hashlimit_net->htables, node)
 
-		remove_proc_entry(hinfo->name, pde);
 
-
 
+		htable_remove_proc_entry(hinfo);
 
 	hashlimit_net->ipt_hashlimit = NULL;
 
 	hashlimit_net->ip6t_hashlimit = NULL;
 
 	mutex_unlock(&hashlimit_mutex);