--- /dev/null
+From 1310b955c804975651dca6c674ebfd1cb2b4c7ff Mon Sep 17 00:00:00 2001
+From: Jesper Juhl <jj@chaosbits.net>
+Date: Wed, 26 Dec 2012 11:49:40 +0000
+Subject: netfilter: ctnetlink: fix leak in error path of ctnetlink_create_expect
+
+From: Jesper Juhl <jj@chaosbits.net>
+
+commit 1310b955c804975651dca6c674ebfd1cb2b4c7ff upstream.
+
+This patch fixes a leak in one of the error paths of
+ctnetlink_create_expect if no helper and no timeout is specified.
+
+Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -2514,7 +2514,7 @@ ctnetlink_create_expect(struct net *net,
+ if (!help) {
+ if (!cda[CTA_EXPECT_TIMEOUT]) {
+ err = -EINVAL;
+- goto out;
++ goto err_out;
+ }
+ exp->timeout.expires =
+ jiffies + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
--- /dev/null
+From 757ae316fb35811cfd8c67de0e0b8680ec4c1f37 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 2 Jan 2013 16:30:01 +0000
+Subject: netfilter: fix missing dependencies for the NOTRACK target
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 757ae316fb35811cfd8c67de0e0b8680ec4c1f37 upstream.
+
+warning: (NETFILTER_XT_TARGET_NOTRACK) selects NETFILTER_XT_TARGET_CT which has unmet direct
++dependencies (NET && INET && NETFILTER && NETFILTER_XTABLES && NF_CONNTRACK && (IP_NF_RAW ||
++IP6_NF_RAW) && NETFILTER_ADVANCED)
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/Kconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -682,6 +682,9 @@ config NETFILTER_XT_TARGET_NFQUEUE
+
+ config NETFILTER_XT_TARGET_NOTRACK
+ tristate '"NOTRACK" target support (DEPRECATED)'
++ depends on NF_CONNTRACK
++ depends on IP_NF_RAW || IP6_NF_RAW
++ depends on NETFILTER_ADVANCED
+ select NETFILTER_XT_TARGET_CT
+
+ config NETFILTER_XT_TARGET_RATEEST
--- /dev/null
+From 1e47ee8367babe6a5e8adf44a714c7086657b87e Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 10 Jan 2013 16:12:01 +0100
+Subject: netfilter: nf_conntrack: fix BUG_ON while removing nf_conntrack with netns
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 1e47ee8367babe6a5e8adf44a714c7086657b87e upstream.
+
+canqun zhang reported that we're hitting BUG_ON in the
+nf_conntrack_destroy path when calling kfree_skb while
+rmmod'ing the nf_conntrack module.
+
+Currently, the nf_ct_destroy hook is being set to NULL in the
+destroy path of conntrack.init_net. However, this is a problem
+since init_net may be destroyed before any other existing netns
+(we cannot assume any specific ordering while releasing existing
+netns according to what I read in recent emails).
+
+Thanks to Gao feng for initial patch to address this issue.
+
+Reported-by: canqun zhang <canqunzhang@gmail.com>
+Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netfilter/nf_conntrack_core.h | 2 ++
+ net/netfilter/nf_conntrack_core.c | 9 +++++----
+ net/netfilter/nf_conntrack_standalone.c | 1 +
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/include/net/netfilter/nf_conntrack_core.h
++++ b/include/net/netfilter/nf_conntrack_core.h
+@@ -31,6 +31,8 @@ extern void nf_conntrack_cleanup(struct
+ extern int nf_conntrack_proto_init(struct net *net);
+ extern void nf_conntrack_proto_fini(struct net *net);
+
++extern void nf_conntrack_cleanup_end(void);
++
+ extern bool
+ nf_ct_get_tuple(const struct sk_buff *skb,
+ unsigned int nhoff,
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1383,11 +1383,12 @@ void nf_conntrack_cleanup(struct net *ne
+ synchronize_net();
+ nf_conntrack_proto_fini(net);
+ nf_conntrack_cleanup_net(net);
++}
+
+- if (net_eq(net, &init_net)) {
+- RCU_INIT_POINTER(nf_ct_destroy, NULL);
+- nf_conntrack_cleanup_init_net();
+- }
++void nf_conntrack_cleanup_end(void)
++{
++ RCU_INIT_POINTER(nf_ct_destroy, NULL);
++ nf_conntrack_cleanup_init_net();
+ }
+
+ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -571,6 +571,7 @@ static int __init nf_conntrack_standalon
+ static void __exit nf_conntrack_standalone_fini(void)
+ {
+ unregister_pernet_subsys(&nf_conntrack_net_ops);
++ nf_conntrack_cleanup_end();
+ }
+
+ module_init(nf_conntrack_standalone_init);
--- /dev/null
+From 0c36b48b36dc84d4215dc9d1cde1bda829214ba6 Mon Sep 17 00:00:00 2001
+From: Bob Hockney <bhockney@ix.netcom.com>
+Date: Sun, 16 Dec 2012 19:34:11 +0100
+Subject: netfilter: nfnetlink_log: fix mac address for 6in4 tunnels
+
+From: Bob Hockney <bhockney@ix.netcom.com>
+
+commit 0c36b48b36dc84d4215dc9d1cde1bda829214ba6 upstream.
+
+For tunnelled ipv6in4 packets, the LOG target (xt_LOG.c) adjusts
+the start of the mac field to start at the ethernet header instead
+of the ipv4 header for the tunnel. This patch conforms what is
+passed by the NFLOG target through nfnetlink to what the LOG target
+does. Code borrowed from xt_LOG.c.
+
+Signed-off-by: Bob Hockney <bhockney@ix.netcom.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_log.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -384,6 +384,7 @@ __build_packet_message(struct nfulnl_ins
+ struct nfgenmsg *nfmsg;
+ sk_buff_data_t old_tail = inst->skb->tail;
+ struct sock *sk;
++ const unsigned char *hwhdrp;
+
+ nlh = nlmsg_put(inst->skb, 0, 0,
+ NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
+@@ -485,9 +486,17 @@ __build_packet_message(struct nfulnl_ins
+ if (indev && skb_mac_header_was_set(skb)) {
+ if (nla_put_be16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) ||
+ nla_put_be16(inst->skb, NFULA_HWLEN,
+- htons(skb->dev->hard_header_len)) ||
+- nla_put(inst->skb, NFULA_HWHEADER, skb->dev->hard_header_len,
+- skb_mac_header(skb)))
++ htons(skb->dev->hard_header_len)))
++ goto nla_put_failure;
++
++ hwhdrp = skb_mac_header(skb);
++
++ if (skb->dev->type == ARPHRD_SIT)
++ hwhdrp -= ETH_HLEN;
++
++ if (hwhdrp >= skb->head &&
++ nla_put(inst->skb, NFULA_HWHEADER,
++ skb->dev->hard_header_len, hwhdrp))
+ goto nla_put_failure;
+ }
+
--- /dev/null
+From e035edd16ee83498cccc9beedfc215e15cab3a07 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 17 Dec 2012 01:12:00 +0100
+Subject: netfilter: nfnetlink_log: fix possible compilation issue due to missing include
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit e035edd16ee83498cccc9beedfc215e15cab3a07 upstream.
+
+In (0c36b48 netfilter: nfnetlink_log: fix mac address for 6in4 tunnels)
+the include file that defines ARPD_SIT was missing. This passed unnoticed
+during my tests (I did not hit this problem here).
+
+net/netfilter/nfnetlink_log.c: In function '__build_packet_message':
+net/netfilter/nfnetlink_log.c:494:25: error: 'ARPHRD_SIT' undeclared (first use in this function)
+net/netfilter/nfnetlink_log.c:494:25: note: each undeclared identifier is reported only once for
++each function it appears in
+
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+---
+ net/netfilter/nfnetlink_log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -13,6 +13,7 @@
+ */
+ #include <linux/module.h>
+ #include <linux/skbuff.h>
++#include <linux/if_arp.h>
+ #include <linux/init.h>
+ #include <linux/ip.h>
+ #include <linux/ipv6.h>
--- /dev/null
+From 5b76c4948fe6977bead2359c2054f3e6a2dcf3d0 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Thu, 10 Jan 2013 12:30:05 +0000
+Subject: netfilter: x_tables: print correct hook names for ARP
+
+From: Jan Engelhardt <jengelh@inai.de>
+
+commit 5b76c4948fe6977bead2359c2054f3e6a2dcf3d0 upstream.
+
+arptables 0.0.4 (released on 10th Jan 2013) supports calling the
+CLASSIFY target, but on adding a rule to the wrong chain, the
+diagnostic is as follows:
+
+ # arptables -A INPUT -j CLASSIFY --set-class 0:0
+ arptables: Invalid argument
+ # dmesg | tail -n1
+ x_tables: arp_tables: CLASSIFY target: used from hooks
+ PREROUTING, but only usable from INPUT/FORWARD
+
+This is incorrect, since xt_CLASSIFY.c does specify
+(1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD).
+
+This patch corrects the x_tables diagnostic message to print the
+proper hook names for the NFPROTO_ARP case.
+
+Affects all kernels down to and including v2.6.31.
+
+Signed-off-by: Jan Engelhardt <jengelh@inai.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/x_tables.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -345,19 +345,27 @@ int xt_find_revision(u8 af, const char *
+ }
+ EXPORT_SYMBOL_GPL(xt_find_revision);
+
+-static char *textify_hooks(char *buf, size_t size, unsigned int mask)
++static char *
++textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
+ {
+- static const char *const names[] = {
++ static const char *const inetbr_names[] = {
+ "PREROUTING", "INPUT", "FORWARD",
+ "OUTPUT", "POSTROUTING", "BROUTING",
+ };
+- unsigned int i;
++ static const char *const arp_names[] = {
++ "INPUT", "FORWARD", "OUTPUT",
++ };
++ const char *const *names;
++ unsigned int i, max;
+ char *p = buf;
+ bool np = false;
+ int res;
+
++ names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names;
++ max = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) :
++ ARRAY_SIZE(inetbr_names);
+ *p = '\0';
+- for (i = 0; i < ARRAY_SIZE(names); ++i) {
++ for (i = 0; i < max; ++i) {
+ if (!(mask & (1 << i)))
+ continue;
+ res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]);
+@@ -402,8 +410,10 @@ int xt_check_match(struct xt_mtchk_param
+ pr_err("%s_tables: %s match: used from hooks %s, but only "
+ "valid from %s\n",
+ xt_prefix[par->family], par->match->name,
+- textify_hooks(used, sizeof(used), par->hook_mask),
+- textify_hooks(allow, sizeof(allow), par->match->hooks));
++ textify_hooks(used, sizeof(used), par->hook_mask,
++ par->family),
++ textify_hooks(allow, sizeof(allow), par->match->hooks,
++ par->family));
+ return -EINVAL;
+ }
+ if (par->match->proto && (par->match->proto != proto || inv_proto)) {
+@@ -575,8 +585,10 @@ int xt_check_target(struct xt_tgchk_para
+ pr_err("%s_tables: %s target: used from hooks %s, but only "
+ "usable from %s\n",
+ xt_prefix[par->family], par->target->name,
+- textify_hooks(used, sizeof(used), par->hook_mask),
+- textify_hooks(allow, sizeof(allow), par->target->hooks));
++ textify_hooks(used, sizeof(used), par->hook_mask,
++ par->family),
++ textify_hooks(allow, sizeof(allow), par->target->hooks,
++ par->family));
+ return -EINVAL;
+ }
+ if (par->target->proto && (par->target->proto != proto || inv_proto)) {
--- /dev/null
+From 10db9069eb5c60195170a4119bdbcbce69a4945f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 20 Dec 2012 01:54:51 +0000
+Subject: netfilter: xt_CT: recover NOTRACK target support
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 10db9069eb5c60195170a4119bdbcbce69a4945f upstream.
+
+Florian Westphal reported that the removal of the NOTRACK target
+(9655050 netfilter: remove xt_NOTRACK) is breaking some existing
+setups.
+
+That removal was scheduled for removal since long time ago as
+described in Documentation/feature-removal-schedule.txt
+
+What: xt_NOTRACK
+Files: net/netfilter/xt_NOTRACK.c
+When: April 2011
+Why: Superseded by xt_CT
+
+Still, people may have not notice / may have decided to stick to an
+old iptables version. I agree with him in that some more conservative
+approach by spotting some printk to warn users for some time is less
+agressive.
+
+Current iptables 1.4.16.3 already contains the aliasing support
+that makes it point to the CT target, so upgrading would fix it.
+Still, the policy so far has been to avoid pushing our users to
+upgrade.
+
+As a solution, this patch recovers the NOTRACK target inside the CT
+target and it now spots a warning.
+
+Reported-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netns/x_tables.h | 1
+ net/netfilter/Kconfig | 4 +++
+ net/netfilter/xt_CT.c | 50 ++++++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 54 insertions(+), 1 deletion(-)
+
+--- a/include/net/netns/x_tables.h
++++ b/include/net/netns/x_tables.h
+@@ -8,6 +8,7 @@ struct ebt_table;
+
+ struct netns_xt {
+ struct list_head tables[NFPROTO_NUMPROTO];
++ bool notrack_deprecated_warning;
+ #if defined(CONFIG_BRIDGE_NF_EBTABLES) || \
+ defined(CONFIG_BRIDGE_NF_EBTABLES_MODULE)
+ struct ebt_table *broute_table;
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -680,6 +680,10 @@ config NETFILTER_XT_TARGET_NFQUEUE
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_TARGET_NOTRACK
++ tristate '"NOTRACK" target support (DEPRECATED)'
++ select NETFILTER_XT_TARGET_CT
++
+ config NETFILTER_XT_TARGET_RATEEST
+ tristate '"RATEEST" target support'
+ depends on NETFILTER_ADVANCED
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -377,14 +377,60 @@ static struct xt_target xt_ct_tg_reg[] _
+ },
+ };
+
++static unsigned int
++notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
++{
++ /* Previously seen (loopback)? Ignore. */
++ if (skb->nfct != NULL)
++ return XT_CONTINUE;
++
++ skb->nfct = &nf_ct_untracked_get()->ct_general;
++ skb->nfctinfo = IP_CT_NEW;
++ nf_conntrack_get(skb->nfct);
++
++ return XT_CONTINUE;
++}
++
++static int notrack_chk(const struct xt_tgchk_param *par)
++{
++ if (!par->net->xt.notrack_deprecated_warning) {
++ pr_info("netfilter: NOTRACK target is deprecated, "
++ "use CT instead or upgrade iptables\n");
++ par->net->xt.notrack_deprecated_warning = true;
++ }
++ return 0;
++}
++
++static struct xt_target notrack_tg_reg __read_mostly = {
++ .name = "NOTRACK",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = notrack_chk,
++ .target = notrack_tg,
++ .table = "raw",
++ .me = THIS_MODULE,
++};
++
+ static int __init xt_ct_tg_init(void)
+ {
+- return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
++ int ret;
++
++ ret = xt_register_target(¬rack_tg_reg);
++ if (ret < 0)
++ return ret;
++
++ ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
++ if (ret < 0) {
++ xt_unregister_target(¬rack_tg_reg);
++ return ret;
++ }
++ return 0;
+ }
+
+ static void __exit xt_ct_tg_exit(void)
+ {
+ xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
++ xt_unregister_target(¬rack_tg_reg);
+ }
+
+ module_init(xt_ct_tg_init);
+@@ -394,3 +440,5 @@ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Xtables: connection tracking target");
+ MODULE_ALIAS("ipt_CT");
+ MODULE_ALIAS("ip6t_CT");
++MODULE_ALIAS("ipt_NOTRACK");
++MODULE_ALIAS("ip6t_NOTRACK");
--- /dev/null
+From 32263dd1b43378b4f7d7796ed713f77e95f27e8a Mon Sep 17 00:00:00 2001
+From: "Vitaly E. Lavrov" <lve@guap.ru>
+Date: Mon, 24 Dec 2012 14:42:17 +0100
+Subject: netfilter: xt_hashlimit: fix namespace destroy path
+
+From: "Vitaly E. Lavrov" <lve@guap.ru>
+
+commit 32263dd1b43378b4f7d7796ed713f77e95f27e8a upstream.
+
+recent_net_exit() is called before recent_mt_destroy() in the
+destroy path of network namespaces. Make sure there are no entries
+in the parent proc entry xt_recent before removing it.
+
+Signed-off-by: Vitaly E. Lavrov <lve@guap.ru>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_hashlimit.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -318,7 +318,10 @@ static void htable_destroy(struct xt_has
+ parent = hashlimit_net->ipt_hashlimit;
+ else
+ parent = hashlimit_net->ip6t_hashlimit;
+- remove_proc_entry(hinfo->pde->name, parent);
++
++ if(parent != NULL)
++ remove_proc_entry(hinfo->pde->name, parent);
++
+ htable_selective_cleanup(hinfo, select_all);
+ vfree(hinfo);
+ }
+@@ -856,6 +859,27 @@ static int __net_init hashlimit_proc_net
+
+ static void __net_exit hashlimit_proc_net_exit(struct net *net)
+ {
++ struct xt_hashlimit_htable *hinfo;
++ struct hlist_node *pos;
++ struct proc_dir_entry *pde;
++ struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
++
++ /* recent_net_exit() is called before recent_mt_destroy(). Make sure
++ * that the parent xt_recent proc entry is is empty before trying to
++ * remove it.
++ */
++ mutex_lock(&hashlimit_mutex);
++ pde = hashlimit_net->ipt_hashlimit;
++ if (pde == NULL)
++ pde = hashlimit_net->ip6t_hashlimit;
++
++ hlist_for_each_entry(hinfo, pos, &hashlimit_net->htables, node)
++ remove_proc_entry(hinfo->pde->name, pde);
++
++ hashlimit_net->ipt_hashlimit = NULL;
++ hashlimit_net->ip6t_hashlimit = NULL;
++ mutex_unlock(&hashlimit_mutex);
++
+ proc_net_remove(net, "ipt_hashlimit");
+ #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ proc_net_remove(net, "ip6t_hashlimit");
+@@ -872,9 +896,6 @@ static int __net_init hashlimit_net_init
+
+ static void __net_exit hashlimit_net_exit(struct net *net)
+ {
+- struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
+-
+- BUG_ON(!hlist_empty(&hashlimit_net->htables));
+ hashlimit_proc_net_exit(net);
+ }
+
--- /dev/null
+From 09181842b000344b1205801df3aa5b726c03cc62 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 24 Dec 2012 13:09:25 +0100
+Subject: netfilter: xt_hashlimit: fix race that results in duplicated entries
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 09181842b000344b1205801df3aa5b726c03cc62 upstream.
+
+Two packets may race to create the same entry in the hashtable,
+double check if this packet lost race. This double checking only
+happens in the path of the packet that creates the hashtable for
+first time.
+
+Note that, with this patch, no packet drops occur if the race happens.
+
+Reported-by: Feng Gao <gfree.wind@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_hashlimit.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -157,11 +157,22 @@ dsthash_find(const struct xt_hashlimit_h
+ /* allocate dsthash_ent, initialize dst, put in htable and lock it */
+ static struct dsthash_ent *
+ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
+- const struct dsthash_dst *dst)
++ const struct dsthash_dst *dst, bool *race)
+ {
+ struct dsthash_ent *ent;
+
+ spin_lock(&ht->lock);
++
++ /* Two or more packets may race to create the same entry in the
++ * hashtable, double check if this packet lost race.
++ */
++ ent = dsthash_find(ht, dst);
++ if (ent != NULL) {
++ spin_unlock(&ht->lock);
++ *race = true;
++ return ent;
++ }
++
+ /* initialize hash with random val at the time we allocate
+ * the first hashtable entry */
+ if (unlikely(!ht->rnd_initialized)) {
+@@ -588,6 +599,7 @@ hashlimit_mt(const struct sk_buff *skb,
+ unsigned long now = jiffies;
+ struct dsthash_ent *dh;
+ struct dsthash_dst dst;
++ bool race = false;
+ u32 cost;
+
+ if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
+@@ -596,13 +608,18 @@ hashlimit_mt(const struct sk_buff *skb,
+ rcu_read_lock_bh();
+ dh = dsthash_find(hinfo, &dst);
+ if (dh == NULL) {
+- dh = dsthash_alloc_init(hinfo, &dst);
++ dh = dsthash_alloc_init(hinfo, &dst, &race);
+ if (dh == NULL) {
+ rcu_read_unlock_bh();
+ goto hotdrop;
++ } else if (race) {
++ /* Already got an entry, update expiration timeout */
++ dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
++ rateinfo_recalc(dh, now, hinfo->cfg.mode);
++ } else {
++ dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
++ rateinfo_init(dh, hinfo);
+ }
+- dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
+- rateinfo_init(dh, hinfo);
+ } else {
+ /* update expiration timeout */
+ dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
--- /dev/null
+From 2727de76041b2064c0b74f00a2a89678fb3efafc Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Jan 2013 22:18:39 +0000
+Subject: netfilter: xt_recent: avoid high order page allocations
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 2727de76041b2064c0b74f00a2a89678fb3efafc upstream.
+
+xt_recent can try high order page allocations and this can fail.
+
+iptables: page allocation failure: order:9, mode:0xc0d0
+
+It also wastes about half the allocated space because of kmalloc()
+power-of-two roundups and struct recent_table layout.
+
+Use vmalloc() instead to save space and be less prone to allocation
+errors when memory is fragmented.
+
+Reported-by: Miroslav Kratochvil <exa.exa@gmail.com>
+Reported-by: Dave Jones <davej@redhat.com>
+Reported-by: Harald Reindl <h.reindl@thelounge.net>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_recent.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/net/netfilter/xt_recent.c
++++ b/net/netfilter/xt_recent.c
+@@ -29,6 +29,7 @@
+ #include <linux/skbuff.h>
+ #include <linux/inet.h>
+ #include <linux/slab.h>
++#include <linux/vmalloc.h>
+ #include <net/net_namespace.h>
+ #include <net/netns/generic.h>
+
+@@ -310,6 +311,14 @@ out:
+ return ret;
+ }
+
++static void recent_table_free(void *addr)
++{
++ if (is_vmalloc_addr(addr))
++ vfree(addr);
++ else
++ kfree(addr);
++}
++
+ static int recent_mt_check(const struct xt_mtchk_param *par,
+ const struct xt_recent_mtinfo_v1 *info)
+ {
+@@ -322,6 +331,7 @@ static int recent_mt_check(const struct
+ #endif
+ unsigned int i;
+ int ret = -EINVAL;
++ size_t sz;
+
+ if (unlikely(!hash_rnd_inited)) {
+ get_random_bytes(&hash_rnd, sizeof(hash_rnd));
+@@ -360,8 +370,11 @@ static int recent_mt_check(const struct
+ goto out;
+ }
+
+- t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size,
+- GFP_KERNEL);
++ sz = sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size;
++ if (sz <= PAGE_SIZE)
++ t = kzalloc(sz, GFP_KERNEL);
++ else
++ t = vzalloc(sz);
+ if (t == NULL) {
+ ret = -ENOMEM;
+ goto out;
+@@ -377,14 +390,14 @@ static int recent_mt_check(const struct
+ uid = make_kuid(&init_user_ns, ip_list_uid);
+ gid = make_kgid(&init_user_ns, ip_list_gid);
+ if (!uid_valid(uid) || !gid_valid(gid)) {
+- kfree(t);
++ recent_table_free(t);
+ ret = -EINVAL;
+ goto out;
+ }
+ pde = proc_create_data(t->name, ip_list_perms, recent_net->xt_recent,
+ &recent_mt_fops, t);
+ if (pde == NULL) {
+- kfree(t);
++ recent_table_free(t);
+ ret = -ENOMEM;
+ goto out;
+ }
+@@ -435,7 +448,7 @@ static void recent_mt_destroy(const stru
+ remove_proc_entry(t->name, recent_net->xt_recent);
+ #endif
+ recent_table_flush(t);
+- kfree(t);
++ recent_table_free(t);
+ }
+ mutex_unlock(&recent_mutex);
+ }
--- /dev/null
+From 665e205c16c1f902ac6763b8ce8a0a3a1dcefe59 Mon Sep 17 00:00:00 2001
+From: "Vitaly E. Lavrov" <lve@guap.ru>
+Date: Mon, 24 Dec 2012 13:55:20 +0100
+Subject: netfilter: xt_recent: fix namespace destroy path
+
+From: "Vitaly E. Lavrov" <lve@guap.ru>
+
+commit 665e205c16c1f902ac6763b8ce8a0a3a1dcefe59 upstream.
+
+recent_net_exit() is called before recent_mt_destroy() in the
+destroy path of network namespaces. Make sure there are no entries
+in the parent proc entry xt_recent before removing it.
+
+Signed-off-by: Vitaly E. Lavrov <lve@guap.ru>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_recent.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/xt_recent.c
++++ b/net/netfilter/xt_recent.c
+@@ -431,7 +431,8 @@ static void recent_mt_destroy(const stru
+ list_del(&t->list);
+ spin_unlock_bh(&recent_lock);
+ #ifdef CONFIG_PROC_FS
+- remove_proc_entry(t->name, recent_net->xt_recent);
++ if (recent_net->xt_recent != NULL)
++ remove_proc_entry(t->name, recent_net->xt_recent);
+ #endif
+ recent_table_flush(t);
+ kfree(t);
+@@ -615,6 +616,20 @@ static int __net_init recent_proc_net_in
+
+ static void __net_exit recent_proc_net_exit(struct net *net)
+ {
++ struct recent_net *recent_net = recent_pernet(net);
++ struct recent_table *t;
++
++ /* recent_net_exit() is called before recent_mt_destroy(). Make sure
++ * that the parent xt_recent proc entry is is empty before trying to
++ * remove it.
++ */
++ spin_lock_bh(&recent_lock);
++ list_for_each_entry(t, &recent_net->tables, list)
++ remove_proc_entry(t->name, recent_net->xt_recent);
++
++ recent_net->xt_recent = NULL;
++ spin_unlock_bh(&recent_lock);
++
+ proc_net_remove(net, "xt_recent");
+ }
+ #else
+@@ -638,9 +653,6 @@ static int __net_init recent_net_init(st
+
+ static void __net_exit recent_net_exit(struct net *net)
+ {
+- struct recent_net *recent_net = recent_pernet(net);
+-
+- BUG_ON(!list_empty(&recent_net->tables));
+ recent_proc_net_exit(net);
+ }
+
x86-sandy-bridge-sandy-bridge-workaround-depends-on-config_pci.patch
xfs-fix-periodic-log-flushing.patch
target-fix-regression-with-dev_link_magic-in-target_fabric_port_link.patch
+netfilter-nfnetlink_log-fix-mac-address-for-6in4-tunnels.patch
+netfilter-nfnetlink_log-fix-possible-compilation-issue-due-to-missing-include.patch
+netfilter-xt_ct-recover-notrack-target-support.patch
+netfilter-fix-missing-dependencies-for-the-notrack-target.patch
+netfilter-xt_hashlimit-fix-namespace-destroy-path.patch
+netfilter-xt_hashlimit-fix-race-that-results-in-duplicated-entries.patch
+netfilter-xt_recent-fix-namespace-destroy-path.patch
+netfilter-xt_recent-avoid-high-order-page-allocations.patch
+netfilter-nf_conntrack-fix-bug_on-while-removing-nf_conntrack-with-netns.patch
+netfilter-x_tables-print-correct-hook-names-for-arp.patch
+netfilter-ctnetlink-fix-leak-in-error-path-of-ctnetlink_create_expect.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
