From: Greg Kroah-Hartman
Date: Tue, 28 May 2019 23:00:17 +0000 (-0700)
Subject: 5.0-stable patches
X-Git-Tag: v5.1.6~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f8c9ab9a7076c7ca8d66cceaeb883f574adf42f;p=thirdparty%2Fkernel%2Fstable-queue.git

5.0-stable patches

added patches:
netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch

--- diff --git a/queue-5.0/netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch b/queue-5.0/netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch new file mode 100644 index 00000000000..303ead63dfc --- /dev/null +++ b/queue-5.0/netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch 
@@ -0,0 +1,50 @@ +From f8e608982022fad035160870f5b06086d3cba54d Mon Sep 17 00:00:00 2001 +From: Kristian Evensen +Date: Fri, 3 May 2019 17:40:07 +0200 +Subject: netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression + +From: Kristian Evensen + +commit f8e608982022fad035160870f5b06086d3cba54d upstream. + +Commit 59c08c69c278 ("netfilter: ctnetlink: Support L3 protocol-filter +on flush") introduced a user-space regression when flushing connection +track entries. Before this commit, the nfgen_family field was not used +by the kernel and all entries were removed. Since this commit, +nfgen_family is used to filter out entries that should not be removed. +One example a broken tool is conntrack. conntrack always sets +nfgen_family to AF_INET, so after 59c08c69c278 only IPv4 entries were +removed with the -F parameter. + +Pablo Neira Ayuso suggested using nfgenmsg->version to resolve the +regression, and this commit implements his suggestion. nfgenmsg->version +is so far set to zero, so it is well-suited to be used as a flag for +selecting old or new flush behavior. If version is 0, nfgen_family is +ignored and all entries are used. If user-space sets the version to one +(or any other value than 0), then the new behavior is used. As version +only can have two valid values, I chose not to add a new +NFNETLINK_VERSION-constant. 
+ +Fixes: 59c08c69c278 ("netfilter: ctnetlink: Support L3 protocol-filter on flush") +Reported-by: Nicolas Dichtel +Suggested-by: Pablo Neira Ayuso +Signed-off-by: Kristian Evensen +Tested-by: Nicolas Dichtel +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -1254,7 +1254,7 @@ static int ctnetlink_del_conntrack(struc + struct nf_conntrack_tuple tuple; + struct nf_conn *ct; + struct nfgenmsg *nfmsg = nlmsg_data(nlh); +- u_int8_t u3 = nfmsg->nfgen_family; ++ u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC; + struct nf_conntrack_zone zone; + int err; + diff --git a/queue-5.0/series b/queue-5.0/series index ca9f3951741..9f41c91575d 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -37,3 +37,4 @@ bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch acct_on-don-t-mess-with-freeze-protection.patch +netfilter-ctnetlink-resolve-conntrack-l3-protocol-flush-regression.patch
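Review bot: the replaced initializer `u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;` in ctnetlink_del_conntrack turns nfgenmsg->version into a behavior switch, but nothing at the assignment site records that meaning; a one-line comment on that `+` line (e.g. "version 0: legacy flush semantics, nfgen_family ignored") would stop the next reader from assuming version is still unused, as the commit message itself says it has been until now. The assignment is also evaluated for every request that reaches ctnetlink_del_conntrack, not only the flush case the commit message describes, and the hunk context does not show where u3 is consumed, so confirm that a version-0 delete request carrying a tuple still resolves its address family correctly and that AF_UNSPEC is treated as "all families" on the flush path. Finally, the diffstat shows only net/netfilter/nf_conntrack_netlink.c changing, so no user-facing header or documentation tells a tool that it must set version to a non-zero value to keep family-filtered flushes working; that is worth a follow-up.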