--- /dev/null
+From 95dd8653de658143770cb0e55a58d2aab97c79d2 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 9 Jul 2015 22:56:00 +0200
+Subject: netfilter: ctnetlink: put back references to master ct and expect objects
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 95dd8653de658143770cb0e55a58d2aab97c79d2 upstream.
+
+We have to put back the references to the master conntrack and the expectation
+that we just created, otherwise we'll leak them.
+
+Fixes: 0ef71ee1a5b9 ("netfilter: ctnetlink: refactor ctnetlink_create_expect")
+Reported-by: Tim Wiess <Tim.Wiess@watchguard.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_netlink.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -2927,11 +2927,6 @@ ctnetlink_create_expect(struct net *net,
+ }
+
+ err = nf_ct_expect_related_report(exp, portid, report);
+- if (err < 0)
+- goto err_exp;
+-
+- return 0;
+-err_exp:
+ nf_ct_expect_put(exp);
+ err_ct:
+ nf_ct_put(ct);
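Review bot: The cleanup at the end of the hunk now runs on both the success and the failure path of `nf_ct_expect_related_report()`, but nothing at the call site says so, and a reader may mistake the now-unconditional `nf_ct_expect_put(exp)` for a bug rather than the fix. Suggest a comment above that line: `/* nf_ct_expect_related_report() takes its own reference when it inserts exp, so the creation references on exp and ct are dropped on every path; err carries its result. */` That the insertion path holds its own reference follows from the commit message rather than from visible code, so confirm it against nf_ct_expect_related_report(). ctnetlink_create_expect() begins and ends outside the hunk; the `return err` that consumes the value is presumably below.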
--- /dev/null
+From 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 Mon Sep 17 00:00:00 2001
+From: Joe Stringer <joestringer@nicira.com>
+Date: Tue, 21 Jul 2015 21:37:31 -0700
+Subject: netfilter: nf_conntrack: Support expectations in different zones
+
+From: Joe Stringer <joestringer@nicira.com>
+
+commit 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 upstream.
+
+When zones were originally introduced, the expectation functions were
+all extended to perform lookup using the zone. However, insertion was
+not modified to check the zone. This means that two expectations which
+are intended to apply for different connections that have the same tuple
+but exist in different zones cannot both be tracked.
+
+Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for "conntrack zones")
+Signed-off-by: Joe Stringer <joestringer@nicira.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_expect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -202,7 +202,8 @@ static inline int expect_clash(const str
+ a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
+ }
+
+- return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
++ return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask) &&
++ nf_ct_zone(a->master) == nf_ct_zone(b->master);
+ }
+
+ static inline int expect_matches(const struct nf_conntrack_expect *a,
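Review bot: The zone comparison is placed after the intersect-mask loop that ends at the top of the hunk, so two expectations in different zones still pay for the mask walk before being declared non-clashing; an early `if (nf_ct_zone(a->master) != nf_ct_zone(b->master)) return 0;` at the start of expect_clash() would skip the loop and leave the return line untouched. This is a style/performance point only, since `&&` already keeps the result correct. Either way a one-line comment would help, e.g. `/* same tuple in another zone is a different connection, not a clash */`. expect_clash() starts outside the hunk, and expect_matches(), whose body is not shown, presumably already distinguishes zones via its master comparison; worth confirming.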
--- /dev/null
+From ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 14 Sep 2015 18:04:09 +0200
+Subject: netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9 upstream.
+
+Fix lookup of existing match/target structures in the corresponding list
+by skipping the family check if NFPROTO_UNSPEC is used.
+
+Without this, a new match/target structure is allocated and inserted into the
+list on every use of a family-agnostic (NFPROTO_UNSPEC) match/target.
+consumption but also severely affects the time to reload the ruleset
+from the iptables-compat utility.
+
+After this patch, iptables-compat-restore and iptables-compat take
+almost the same time to reload large rulesets.
+
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_compat.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -594,6 +594,13 @@ struct nft_xt {
+
+ static struct nft_expr_type nft_match_type;
+
++static bool nft_match_cmp(const struct xt_match *match,
++ const char *name, u32 rev, u32 family)
++{
++ return strcmp(match->name, name) == 0 && match->revision == rev &&
++ (match->family == NFPROTO_UNSPEC || match->family == family);
++}
++
+ static const struct nft_expr_ops *
+ nft_match_select_ops(const struct nft_ctx *ctx,
+ const struct nlattr * const tb[])
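Review bot: nft_match_cmp() treats an NFPROTO_UNSPEC registration as matching every requested family, and nothing at the helper says why that is safe; a reader could take it for a loosened check. Suggest a comment above the definition: `/* A match registered with NFPROTO_UNSPEC is family-agnostic, so one cached nft_xt entry serves requests for any family; family-specific matches must match exactly. */` The `family` argument presumably comes from the netlink attributes parsed below the hunk, so the helper relies on the caller having validated it.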
+@@ -601,7 +608,7 @@ nft_match_select_ops(const struct nft_ct
+ struct nft_xt *nft_match;
+ struct xt_match *match;
+ char *mt_name;
+- __u32 rev, family;
++ u32 rev, family;
+
+ if (tb[NFTA_MATCH_NAME] == NULL ||
+ tb[NFTA_MATCH_REV] == NULL ||
+@@ -616,8 +623,7 @@ nft_match_select_ops(const struct nft_ct
+ list_for_each_entry(nft_match, &nft_match_list, head) {
+ struct xt_match *match = nft_match->ops.data;
+
+- if (strcmp(match->name, mt_name) == 0 &&
+- match->revision == rev && match->family == family) {
++ if (nft_match_cmp(match, mt_name, rev, family)) {
+ if (!try_module_get(match->me))
+ return ERR_PTR(-ENOENT);
+
+@@ -669,6 +675,13 @@ static LIST_HEAD(nft_target_list);
+
+ static struct nft_expr_type nft_target_type;
+
++static bool nft_target_cmp(const struct xt_target *tg,
++ const char *name, u32 rev, u32 family)
++{
++ return strcmp(tg->name, name) == 0 && tg->revision == rev &&
++ (tg->family == NFPROTO_UNSPEC || tg->family == family);
++}
++
+ static const struct nft_expr_ops *
+ nft_target_select_ops(const struct nft_ctx *ctx,
+ const struct nlattr * const tb[])
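Review bot: nft_target_cmp() carries the same NFPROTO_UNSPEC special case as its match counterpart without a word of explanation, and the two helpers are textual twins that will drift apart if one is ever touched without the other. A short comment on the definition would anchor the intent: `/* NFPROTO_UNSPEC targets are family-agnostic and may be reused for any family; see nft_match_cmp() for the matching rule. */` Keeping the two helpers adjacent in review is also worth a note in the commit if they must stay in sync.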
+@@ -676,7 +689,7 @@ nft_target_select_ops(const struct nft_c
+ struct nft_xt *nft_target;
+ struct xt_target *target;
+ char *tg_name;
+- __u32 rev, family;
++ u32 rev, family;
+
+ if (tb[NFTA_TARGET_NAME] == NULL ||
+ tb[NFTA_TARGET_REV] == NULL ||
+@@ -691,8 +704,7 @@ nft_target_select_ops(const struct nft_c
+ list_for_each_entry(nft_target, &nft_target_list, head) {
+ struct xt_target *target = nft_target->ops.data;
+
+- if (strcmp(target->name, tg_name) == 0 &&
+- target->revision == rev && target->family == family) {
++ if (nft_target_cmp(target, tg_name, rev, family)) {
+ if (!try_module_get(target->me))
+ return ERR_PTR(-ENOENT);
+