5.1-stable patches

added patches:
	netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch

diff --git a/queue-5.1/netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch b/queue-5.1/netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch
new file mode 100644 (file)
index 0000000..303ead6
--- /dev/null
+++ b/queue-5.1/netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch
@@ -0,0 +1,50 @@
+From f8e608982022fad035160870f5b06086d3cba54d Mon Sep 17 00:00:00 2001
+From: Kristian Evensen <kristian.evensen@gmail.com>
+Date: Fri, 3 May 2019 17:40:07 +0200
+Subject: netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression
+
+From: Kristian Evensen <kristian.evensen@gmail.com>
+
+commit f8e608982022fad035160870f5b06086d3cba54d upstream.
+
+Commit 59c08c69c278 ("netfilter: ctnetlink: Support L3 protocol-filter
+on flush") introduced a user-space regression when flushing connection
+track entries. Before this commit, the nfgen_family field was not used
+by the kernel and all entries were removed. Since this commit,
+nfgen_family is used to filter out entries that should not be removed.
+One example a broken tool is conntrack. conntrack always sets
+nfgen_family to AF_INET, so after 59c08c69c278 only IPv4 entries were
+removed with the -F parameter.
+
+Pablo Neira Ayuso suggested using nfgenmsg->version to resolve the
+regression, and this commit implements his suggestion. nfgenmsg->version
+is so far set to zero, so it is well-suited to be used as a flag for
+selecting old or new flush behavior. If version is 0, nfgen_family is
+ignored and all entries are used. If user-space sets the version to one
+(or any other value than 0), then the new behavior is used. As version
+only can have two valid values, I chose not to add a new
+NFNETLINK_VERSION-constant.
+
+Fixes: 59c08c69c278 ("netfilter: ctnetlink: Support L3 protocol-filter on flush")
+Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
+Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_netlink.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1254,7 +1254,7 @@ static int ctnetlink_del_conntrack(struc
+       struct nf_conntrack_tuple tuple;
+       struct nf_conn *ct;
+       struct nfgenmsg *nfmsg = nlmsg_data(nlh);
+-      u_int8_t u3 = nfmsg->nfgen_family;
++      u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
+       struct nf_conntrack_zone zone;
+       int err;
+ 

diff --git a/queue-5.1/series b/queue-5.1/series
index ecb77e5e1bad6b3377c049830cbed8cd57857522..aa8d0b0c58778d0d493a222fe714361acd6696af 100644 (file)
--- a/queue-5.1/series
+++ b/queue-5.1/series
@@ -40,3 +40,4 @@ bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
 batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
 at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
 acct_on-don-t-mess-with-freeze-protection.patch
+netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch