From: Greg Kroah-Hartman Date: Mon, 25 Feb 2019 16:36:24 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.9.161~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=084c3703f63422a0ea66ee3e6f633c6b702586e6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
---
diff --git a/queue-4.4/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch b/queue-4.4/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
new file mode 100644
index 00000000000..16d979f2423
--- /dev/null
+++ b/queue-4.4/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
@@ -0,0 +1,35 @@
+From 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 15 Feb 2019 12:50:24 +0100
+Subject: netfilter: nf_tables: fix flush after rule deletion in the same batch
+
+From: Pablo Neira Ayuso
+
+commit 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 upstream.
+
+Flush after rule deletion bogusly hits -ENOENT. Skip rules that have
+been already from nft_delrule_by_chain() which is always called from the
+flush path.
+
+Fixes: cf9dc09d0949 ("netfilter: nf_tables: fix missing rules flushing per table")
+Reported-by: Phil Sutter
+Acked-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -314,6 +314,9 @@ static int nft_delrule_by_chain(struct n
+ int err;
+
+ list_for_each_entry(rule, &ctx->chain->rules, list) {
++ if (!nft_is_active_next(ctx->net, rule))
++ continue;
++
+ err = nft_delrule(ctx, rule);
+ if (err < 0)
+ return err;
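Review bot: `nft_is_active_next(ctx->net, rule)` in the added guard of nft_delrule_by_chain() is carried over unchanged from upstream commit 23b7ca4f745f, and nothing in this hunk shows that the 4.4 tree defines that helper. If 4.4 only has the rule-specific generation-mask check (I believe it is spelled `nft_rule_is_active_next()` there; confirm against the tree), the queued patch will not build and the guard should read `if (!nft_rule_is_active_next(ctx->net, rule))`. The guard would also benefit from a short comment such as `/* already deleted earlier in this batch; nft_delrule() would return -ENOENT */`, because the reason currently lives only in the commit message. The function body starts and ends outside the hunk.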
diff --git a/queue-4.4/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch b/queue-4.4/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
new file mode 100644
index 00000000000..7563229d81d
--- /dev/null
+++ b/queue-4.4/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
@@ -0,0 +1,56 @@
+From 278e2148c07559dd4ad8602f22366d61eb2ee7b7 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Fri, 22 Feb 2019 21:22:32 +0800
+Subject: Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hangbin Liu
+
+commit 278e2148c07559dd4ad8602f22366d61eb2ee7b7 upstream.
+
+This reverts commit 5a2de63fd1a5 ("bridge: do not add port to router list
+when receives query with source 0.0.0.0") and commit 0fe5119e267f ("net:
+bridge: remove ipv6 zero address check in mcast queries")
+
+The reason is RFC 4541 is not a standard but suggestive. Currently we
+will elect 0.0.0.0 as Querier if there is no ip address configured on
+bridge. If we do not add the port which recives query with source
+0.0.0.0 to router list, the IGMP reports will not be about to forward
+to Querier, IGMP data will also not be able to forward to dest.
+
+As Nikolay suggested, revert this change first and add a boolopt api
+to disable none-zero election in future if needed.
+
+Reported-by: Linus Lüssing
+Reported-by: Sebastian Gottschall
+Fixes: 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0")
+Fixes: 0fe5119e267f ("net: bridge: remove ipv6 zero address check in mcast queries")
+Signed-off-by: Hangbin Liu
+Acked-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/br_multicast.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1261,14 +1261,7 @@ static void br_multicast_query_received(
+ return;
+
+ br_multicast_update_query_timer(br, query, max_delay);
+-
+- /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
+- * the arrival port for IGMP Queries where the source address
+- * is 0.0.0.0 should not be added to router port list.
+- */
+- if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
+- saddr->proto == htons(ETH_P_IPV6))
+- br_multicast_mark_router(br, port);
++ br_multicast_mark_router(br, port);
+ }
+
+ static int br_ip4_multicast_query(struct net_bridge *br,
diff --git a/queue-4.4/series b/queue-4.4/series
index 8c892cb5f4e..4a9d810e37b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -26,3 +26,5 @@ team-avoid-complex-list-operations-in-team_nl_cmd_options_set.patch
 sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch
 net-mlx4_en-force-checksum_none-for-short-ethernet-frames.patch
 arcv2-enable-unaligned-access-in-early-asm-code.patch
+revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
+netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
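Review bot: After this revert the call `br_multicast_mark_router(br, port);` at the end of br_multicast_query_received() is unconditional, and the comment that recorded the RFC 4541 section 2.1.1 rule is removed with it, so the code no longer says why a query with source 0.0.0.0 promotes the arrival port to a router port. Per the commit message, reports and data are forwarded toward the querier via that list, so this is a trust decision that deserves a comment, for example `/* Any received query marks the port as a router port, including source 0.0.0.0: the bridge may itself be elected querier with 0.0.0.0 (deviates from RFC 4541 2.1.1). */`. The commit message defers an opt-out (a boolopt) to later work, and no such knob is visible in this hunk. The function starts outside the hunk.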