From: Greg Kroah-Hartman
Date: Fri, 24 Feb 2017 06:48:54 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.52~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=850550b6d45d7fc91412e6a16066c8b99622fe6c;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch
---
diff --git a/queue-4.9/netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch b/queue-4.9/netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch
new file mode 100644
index 00000000000..3052666a7ed
--- /dev/null
+++ b/queue-4.9/netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch
@@ -0,0 +1,95 @@
+From dfe75ff8ca74f54b0fa5a326a1aa9afa485ed802 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina
+Date: Wed, 1 Feb 2017 21:01:54 +0100
+Subject: netfilter: nf_ct_helper: warn when not applying default helper assignment
+
+From: Jiri Kosina
+
+commit dfe75ff8ca74f54b0fa5a326a1aa9afa485ed802 upstream.
+
+Commit 3bb398d925 ("netfilter: nf_ct_helper: disable automatic helper
+assignment") is causing behavior regressions in firewalls, as traffic
+handled by conntrack helpers is now by default not passed through even
+though it was before due to missing CT targets (which were not necessary
+before this commit).
+
+The default had to be switched off due to security reasons [1] [2] and
+therefore should stay the way it is, but let's be friendly to firewall
+admins and issue a warning the first time we're in situation where packet
+would be likely passed through with the old default but we're likely going
+to drop it on the floor now.
+
+Rewrite the code a little bit as suggested by Linus, so that we avoid
+spaghettiing the code even more -- namely the whole decision making
+process regarding helper selection (either automatic or not) is being
+separated, so that the whole logic can be simplified and code (condition)
+duplication reduced.
+
+[1] https://cansecwest.com/csw12/conntrack-attack.pdf
+[2] https://home.regit.org/netfilter-en/secure-use-of-helpers/
+
+Signed-off-by: Jiri Kosina
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_helper.c | 39 ++++++++++++++++++++++++------------
+ 1 file changed, 26 insertions(+), 13 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -188,6 +188,26 @@ nf_ct_helper_ext_add(struct nf_conn *ct,
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_helper_ext_add);
+ 
++static struct nf_conntrack_helper *
++nf_ct_lookup_helper(struct nf_conn *ct, struct net *net)
++{
++ if (!net->ct.sysctl_auto_assign_helper) {
++ if (net->ct.auto_assign_helper_warned)
++ return NULL;
++ if (!__nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple))
++ return NULL;
++ pr_info("nf_conntrack: default automatic helper assignment "
++ "has been turned off for security reasons and CT-based "
++ " firewall rule not found. Use the iptables CT target "
++ "to attach helpers instead.\n");
++ net->ct.auto_assign_helper_warned = 1;
++ return NULL;
++ }
++
++ return __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
++}
++
++
+ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
+ gfp_t flags)
+ {
+@@ -213,21 +233,14 @@ int __nf_ct_try_assign_helper(struct nf_
+ }
+
+ help = nfct_help(ct);
+- if (net->ct.sysctl_auto_assign_helper && helper == NULL) {
+- helper = __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
+- if (unlikely(!net->ct.auto_assign_helper_warned && helper)) {
+- pr_info("nf_conntrack: automatic helper "
+- "assignment is deprecated and it will "
+- "be removed soon. Use the iptables CT target "
+- "to attach helpers instead.\n");
+- net->ct.auto_assign_helper_warned = true;
+- }
+- }
+
+ if (helper == NULL) {
+- if (help)
+- RCU_INIT_POINTER(help->helper, NULL);
+- return 0;
++ helper = nf_ct_lookup_helper(ct, net);
++ if (helper == NULL) {
++ if (help)
++ RCU_INIT_POINTER(help->helper, NULL);
++ return 0;
++ }
+ }
+
+ if (help == NULL) {
diff --git a/queue-4.9/series b/queue-4.9/series
index 0946e568094..7233fcd0345 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -25,3 +25,4 @@ usb-serial-ark3116-fix-register-accessor-error-handling.patch
 usb-serial-console-fix-uninitialised-spinlock.patch
 x86-platform-goldfish-prevent-unconditional-loading.patch
 goldfish-sanitize-the-broken-interrupt-handler.patch
+netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch
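Review bot: The new pr_info in nf_ct_lookup_helper concatenates `"...and CT-based "` with `" firewall rule not found. ..."`, so the message is logged with a doubled space ("CT-based  firewall"); the fix is to drop the leading space, `" firewall rule not found. Use the iptables CT target "` → `"firewall rule not found. Use the iptables CT target "`. Because this is a stable backport the string should stay byte-identical to upstream dfe75ff8ca74, so the typo belongs in an upstream follow-up rather than in this queue file. The same function writes `net->ct.auto_assign_helper_warned = 1;` where the code it replaces wrote `= true;`; if the field is a bool, `true` is the consistent spelling. The check-then-set of auto_assign_helper_warned is not atomic, so two conntracks created concurrently in one netns could each log the message once, which looks harmless but deserves a comment such as `/* racy, but the worst case is a duplicate one-time warning */`. The enclosing __nf_ct_try_assign_helper body continues outside the hunk.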