From e413350c6d8b76783dde165eddcc0bc93d7a17ca Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 25 Feb 2019 17:36:42 +0100 Subject: [PATCH] 4.9-stable patches added patches: netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch --- ...fter-rule-deletion-in-the-same-batch.patch | 35 ++++++++++++ ...n-receives-query-with-source-0.0.0.0.patch | 56 +++++++++++++++++++ queue-4.9/series | 2 + 3 files changed, 93 insertions(+) create mode 100644 queue-4.9/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch create mode 100644 queue-4.9/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
diff --git a/queue-4.9/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch b/queue-4.9/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
new file mode 100644
index 00000000000..ec806b42186
--- /dev/null
+++ b/queue-4.9/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
@@ -0,0 +1,35 @@
+From 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 15 Feb 2019 12:50:24 +0100
+Subject: netfilter: nf_tables: fix flush after rule deletion in the same batch
+
+From: Pablo Neira Ayuso
+
+commit 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 upstream.
+
+Flush after rule deletion bogusly hits -ENOENT. Skip rules that have
+been already from nft_delrule_by_chain() which is always called from the
+flush path.
+
+Fixes: cf9dc09d0949 ("netfilter: nf_tables: fix missing rules flushing per table")
+Reported-by: Phil Sutter
+Acked-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -263,6 +263,9 @@ static int nft_delrule_by_chain(struct n
+ int err;
+
+ list_for_each_entry(rule, &ctx->chain->rules, list) {
++ if (!nft_is_active_next(ctx->net, rule))
++ continue;
++
+ err = nft_delrule(ctx, rule);
+ if (err < 0)
+ return err;
diff --git a/queue-4.9/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch b/queue-4.9/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
new file mode 100644
index 00000000000..37eeedb20ea
--- /dev/null
+++ b/queue-4.9/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
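Review bot: The added `nft_is_active_next()` check in `nft_delrule_by_chain()` (netfilter patch, hunk at -263,6) carries no comment, so the reason a rule is skipped can only be recovered from the commit message. A one-line comment above the check would keep that in the code, for example `/* already deleted earlier in this batch; nft_delrule() would return -ENOENT */`. The function's body starts and ends outside the hunk, so the claim that it is only reached from the flush path rests on the commit message and cannot be confirmed from the visible lines.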
@@ -0,0 +1,56 @@
+From 278e2148c07559dd4ad8602f22366d61eb2ee7b7 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Fri, 22 Feb 2019 21:22:32 +0800
+Subject: Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hangbin Liu
+
+commit 278e2148c07559dd4ad8602f22366d61eb2ee7b7 upstream.
+
+This reverts commit 5a2de63fd1a5 ("bridge: do not add port to router list
+when receives query with source 0.0.0.0") and commit 0fe5119e267f ("net:
+bridge: remove ipv6 zero address check in mcast queries")
+
+The reason is RFC 4541 is not a standard but suggestive. Currently we
+will elect 0.0.0.0 as Querier if there is no ip address configured on
+bridge. If we do not add the port which recives query with source
+0.0.0.0 to router list, the IGMP reports will not be about to forward
+to Querier, IGMP data will also not be able to forward to dest.
+
+As Nikolay suggested, revert this change first and add a boolopt api
+to disable none-zero election in future if needed.
+
+Reported-by: Linus Lüssing
+Reported-by: Sebastian Gottschall
+Fixes: 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0")
+Fixes: 0fe5119e267f ("net: bridge: remove ipv6 zero address check in mcast queries")
+Signed-off-by: Hangbin Liu
+Acked-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/br_multicast.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1287,14 +1287,7 @@ static void br_multicast_query_received(
+ return;
+
+ br_multicast_update_query_timer(br, query, max_delay);
+-
+- /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
+- * the arrival port for IGMP Queries where the source address
+- * is 0.0.0.0 should not be added to router port list.
+- */
+- if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
+- saddr->proto == htons(ETH_P_IPV6))
+- br_multicast_mark_router(br, port);
++ br_multicast_mark_router(br, port);
+ }
+
+ static int br_ip4_multicast_query(struct net_bridge *br,
diff --git a/queue-4.9/series b/queue-4.9/series
index c4801b234f3..be6fe9cfa1c 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -55,3 +55,5 @@ kbuild-add-no-integrated-as-clang-option-unconditionally.patch
 irqchip-gic-v3-convert-arm64-gic-accessors-to-read-write-_sysreg_s.patch
 mm-zsmalloc.c-change-stat-type-parameter-to-int.patch
 mm-zsmalloc.c-fix-wunneeded-internal-declaration-warning.patch
+revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
+netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
-- 2.47.2
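Review bot: In the bridge revert (hunk at -1287,14), the now-unconditional `br_multicast_mark_router(br, port);` in `br_multicast_query_received()` has no comment, while the removed block documented the RFC 4541 section 2.1.1 rule it implemented, so the intentional deviation is no longer visible in the code. A replacement comment would help, for example `/* Mark the port even for source 0.0.0.0: an address-less bridge is elected querier with that source (deliberately not RFC 4541 2.1.1) */`. Per the commit message, the boolopt to turn this behaviour off is only planned, so a query with an unspecified source arriving on any port again adds that port to the router list. The function starts outside the hunk; if `saddr` has no other use in it, the parameter may now be unused, which is worth checking in the backport.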