3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jun 2015 23:10:44 +0000 (16:10 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jun 2015 23:10:44 +0000 (16:10 -0700)
added patches:
netfilter-nf_tables-allow-to-change-chain-policy-without-hook-if-it-exists.patch
netfilter-nfnetlink_cthelper-remove-const-and-to-avoid-warnings.patch
netfilter-nft_compat-set-ip6t_f_proto-flag-if-protocol-is-set.patch
netfilter-zero-the-tuple-in-nfnl_cthelper_parse_tuple.patch

queue-3.14/netfilter-nf_tables-allow-to-change-chain-policy-without-hook-if-it-exists.patch [new file with mode: 0644]
queue-3.14/netfilter-nfnetlink_cthelper-remove-const-and-to-avoid-warnings.patch [new file with mode: 0644]
queue-3.14/netfilter-nft_compat-set-ip6t_f_proto-flag-if-protocol-is-set.patch [new file with mode: 0644]
queue-3.14/netfilter-zero-the-tuple-in-nfnl_cthelper_parse_tuple.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/netfilter-nf_tables-allow-to-change-chain-policy-without-hook-if-it-exists.patch b/queue-3.14/netfilter-nf_tables-allow-to-change-chain-policy-without-hook-if-it-exists.patch
new file mode 100644 (file)
index 0000000..01608f7
--- /dev/null
@@ -0,0 +1,36 @@
+From d6b6cb1d3e6f78d55c2d4043d77d0d8def3f3b99 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 17 Mar 2015 13:21:42 +0100
+Subject: netfilter: nf_tables: allow to change chain policy without hook if it exists
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit d6b6cb1d3e6f78d55c2d4043d77d0d8def3f3b99 upstream.
+
+If there's an existing base chain, we have to allow to change the
+default policy without indicating the hook information.
+
+However, if the chain doesn't exists, we have to enforce the presence of
+the hook attribute.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -855,7 +855,10 @@ static int nf_tables_newchain(struct soc
+       if (nla[NFTA_CHAIN_POLICY]) {
+               if ((chain != NULL &&
+-                  !(chain->flags & NFT_BASE_CHAIN)) ||
++                  !(chain->flags & NFT_BASE_CHAIN)))
++                      return -EOPNOTSUPP;
++
++              if (chain == NULL &&
+                   nla[NFTA_CHAIN_HOOK] == NULL)
+                       return -EOPNOTSUPP;
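Review bot: The rewritten condition keeps a redundant outer pair of parentheses, `if ((chain != NULL && !(chain->flags & NFT_BASE_CHAIN)))`, left over from the `||` it replaced; `if (chain != NULL && !(chain->flags & NFT_BASE_CHAIN))` reads cleaner and matches the shape of the second check right below it. Splitting the test into two returns also makes the rule easy to lose, so a short comment above the first one would help, e.g. `/* An existing base chain may change its policy without NFTA_CHAIN_HOOK; a new chain must supply it. */`, which is exactly what the commit message states. nf_tables_newchain() begins before this hunk and continues past it.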
diff --git a/queue-3.14/netfilter-nfnetlink_cthelper-remove-const-and-to-avoid-warnings.patch b/queue-3.14/netfilter-nfnetlink_cthelper-remove-const-and-to-avoid-warnings.patch
new file mode 100644 (file)
index 0000000..d244251
--- /dev/null
@@ -0,0 +1,67 @@
+From b18c5d15e8714336365d9d51782d5b53afa0443c Mon Sep 17 00:00:00 2001
+From: Chen Gang <gang.chen.5i5j@gmail.com>
+Date: Wed, 24 Dec 2014 23:04:54 +0800
+Subject: netfilter: nfnetlink_cthelper: Remove 'const' and '&' to avoid warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Gang <gang.chen.5i5j@gmail.com>
+
+commit b18c5d15e8714336365d9d51782d5b53afa0443c upstream.
+
+The related code can be simplified, and also can avoid related warnings
+(with allmodconfig under parisc):
+
+    CC [M]  net/netfilter/nfnetlink_cthelper.o
+  net/netfilter/nfnetlink_cthelper.c: In function ‘nfnl_cthelper_from_nlattr’:
+  net/netfilter/nfnetlink_cthelper.c:97:9: warning: passing argument 1 o ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]
+    memcpy(&help->data, nla_data(attr), help->helper->data_len);
+           ^
+  In file included from include/linux/string.h:17:0,
+                   from include/uapi/linux/uuid.h:25,
+                   from include/linux/uuid.h:23,
+                   from include/linux/mod_devicetable.h:12,
+                   from ./arch/parisc/include/asm/hardware.h:4,
+                   from ./arch/parisc/include/asm/processor.h:15,
+                   from ./arch/parisc/include/asm/spinlock.h:6,
+                   from ./arch/parisc/include/asm/atomic.h:21,
+                   from include/linux/atomic.h:4,
+                   from ./arch/parisc/include/asm/bitops.h:12,
+                   from include/linux/bitops.h:36,
+                   from include/linux/kernel.h:10,
+                   from include/linux/list.h:8,
+                   from include/linux/module.h:9,
+                   from net/netfilter/nfnetlink_cthelper.c:11:
+  ./arch/parisc/include/asm/string.h:8:8: note: expected ‘void *’ but argument is of type ‘const char (*)[]’
+   void * memcpy(void * dest,const void *src,size_t count);
+          ^
+
+Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_cthelper.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -86,7 +86,7 @@ nfnl_cthelper_parse_tuple(struct nf_conn
+ static int
+ nfnl_cthelper_from_nlattr(struct nlattr *attr, struct nf_conn *ct)
+ {
+-      const struct nf_conn_help *help = nfct_help(ct);
++      struct nf_conn_help *help = nfct_help(ct);
+       if (attr == NULL)
+               return -EINVAL;
+@@ -94,7 +94,7 @@ nfnl_cthelper_from_nlattr(struct nlattr
+       if (help->helper->data_len == 0)
+               return -EINVAL;
+-      memcpy(&help->data, nla_data(attr), help->helper->data_len);
++      memcpy(help->data, nla_data(attr), help->helper->data_len);
+       return 0;
+ }
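Review bot: The copy in the second inner hunk, `memcpy(help->data, nla_data(attr), help->helper->data_len);`, takes its length from the helper rather than from the attribute, and nothing in this function compares `nla_len(attr)` against `help->helper->data_len`; unless the nla policy or the caller bounds that attribute (not visible here), an attribute shorter than data_len makes memcpy read past the netlink payload. A check before the copy, `if (nla_len(attr) < help->helper->data_len) return -EINVAL;`, closes that gap independently of the const cleanup this patch makes and is cheap to carry. Since `attr` is only read through nla_data(), the parameter could also be `const struct nlattr *attr` now that `help` is the only pointer written through. Both inner hunks fall inside nfnl_cthelper_from_nlattr(), whose body is shown in full.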
diff --git a/queue-3.14/netfilter-nft_compat-set-ip6t_f_proto-flag-if-protocol-is-set.patch b/queue-3.14/netfilter-nft_compat-set-ip6t_f_proto-flag-if-protocol-is-set.patch
new file mode 100644 (file)
index 0000000..db5f1a3
--- /dev/null
@@ -0,0 +1,42 @@
+From 749177ccc74f9c6d0f51bd78a15c652a2134aa11 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 21 Mar 2015 19:25:05 +0100
+Subject: netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 749177ccc74f9c6d0f51bd78a15c652a2134aa11 upstream.
+
+ip6tables extensions check for this flag to restrict match/target to a
+given protocol. Without this flag set, SYNPROXY6 returns an error.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_compat.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -82,6 +82,9 @@ nft_target_set_tgchk_param(struct xt_tgc
+               entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
+               break;
+       case AF_INET6:
++              if (proto)
++                      entry->e6.ipv6.flags |= IP6T_F_PROTO;
++
+               entry->e6.ipv6.proto = proto;
+               entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
+               break;
+@@ -313,6 +316,9 @@ nft_match_set_mtchk_param(struct xt_mtch
+               entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
+               break;
+       case AF_INET6:
++              if (proto)
++                      entry->e6.ipv6.flags |= IP6T_F_PROTO;
++
+               entry->e6.ipv6.proto = proto;
+               entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
+               break;
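Review bot: The same three new lines, `if (proto) entry->e6.ipv6.flags |= IP6T_F_PROTO;`, appear in nft_target_set_tgchk_param() and again in nft_match_set_mtchk_param(), and neither site says why the flag is needed while the AF_INET branch just above sets no counterpart. A one-line comment at both places, `/* ip6tables extensions only honour the proto restriction when IP6T_F_PROTO is set */`, carries the commit message's reasoning into the code where the next reader of the asymmetry will look for it. Both enclosing functions begin and end outside their hunks.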
diff --git a/queue-3.14/netfilter-zero-the-tuple-in-nfnl_cthelper_parse_tuple.patch b/queue-3.14/netfilter-zero-the-tuple-in-nfnl_cthelper_parse_tuple.patch
new file mode 100644 (file)
index 0000000..acc9ccd
--- /dev/null
@@ -0,0 +1,48 @@
+From 78146572b9cd20452da47951812f35b1ad4906be Mon Sep 17 00:00:00 2001
+From: Ian Wilson <iwilson@brocade.com>
+Date: Thu, 12 Mar 2015 09:37:58 +0000
+Subject: netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
+
+From: Ian Wilson <iwilson@brocade.com>
+
+commit 78146572b9cd20452da47951812f35b1ad4906be upstream.
+
+nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(),
+nfnl_cthelper_get() and nfnl_cthelper_del().  In each case they pass
+a pointer to an nf_conntrack_tuple data structure local variable:
+
+    struct nf_conntrack_tuple tuple;
+    ...
+    ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
+
+The problem is that this local variable is not initialized, and
+nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and
+dst.protonum.  This leaves all other fields with undefined values
+based on whatever is on the stack:
+
+    tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
+    tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
+
+The symptom observed was that when the rpc and tns helpers were added
+then traffic to port 1536 was being sent to user-space.
+
+Signed-off-by: Ian Wilson <iwilson@brocade.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_cthelper.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -77,6 +77,9 @@ nfnl_cthelper_parse_tuple(struct nf_conn
+       if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM])
+               return -EINVAL;
++      /* Not all fields are initialized so first zero the tuple */
++      memset(tuple, 0, sizeof(struct nf_conntrack_tuple));
++
+       tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
+       tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
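Review bot: `memset(tuple, 0, sizeof(struct nf_conntrack_tuple));` spells out the type where `memset(tuple, 0, sizeof(*tuple));` would tie the length to the object being cleared and survive a later change of the parameter's type. The zeroing sits after the two attribute-presence checks, so the early `-EINVAL` return still leaves the caller's stack tuple uninitialised; that is harmless only if callers never touch the tuple on failure, which this hunk cannot show, and moving the memset to the top of the function would remove the question entirely. nfnl_cthelper_parse_tuple() begins before this hunk and, by the hunk header, continues past it.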
index 3adc440544b23db548f524fb89d41837c87337ae..5255d33e62e667b50af7e672660540e87a3c1223 100644 (file)
@@ -1,3 +1,7 @@
 arm64-dma-mapping-always-clear-allocated-buffers.patch
 kprobes-x86-return-correct-length-in-__copy_instruction.patch
 config-enable-need_dma_map_state-by-default-when-swiotlb-is-selected.patch
+netfilter-nfnetlink_cthelper-remove-const-and-to-avoid-warnings.patch
+netfilter-zero-the-tuple-in-nfnl_cthelper_parse_tuple.patch
+netfilter-nft_compat-set-ip6t_f_proto-flag-if-protocol-is-set.patch
+netfilter-nf_tables-allow-to-change-chain-policy-without-hook-if-it-exists.patch