Re: [PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction

2017-08-17 Thread Greg Kroah-Hartman
On Thu, Aug 17, 2017 at 07:57:07AM +0200, Stefan Bader wrote:
> On 03.07.2017 15:34, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> We found that pulling the patch below into stable trees without also pulling
> 
> commit 9c3f3794926a997b1cab6c42480ff300efa2d162
> Author: Liping Zhang 
> Date:   Sat Mar 25 16:35:29 2017 +0800
> 
> netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister
> 
> will result in a regression, at least in 4.4.y[1]. Stable maintainers who
> picked up the patch below might want to consider picking up the fix above.

Thanks, I've now picked this one up too.

greg k-h


Re: [PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction

2017-08-16 Thread Stefan Bader
On 03.07.2017 15:34, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.

We found that pulling the patch below into stable trees without also pulling

commit 9c3f3794926a997b1cab6c42480ff300efa2d162
Author: Liping Zhang 
Date:   Sat Mar 25 16:35:29 2017 +0800

netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister

will result in a regression, at least in 4.4.y[1]. Stable maintainers who picked
up the patch below might want to consider picking up the fix above.

-Stefan


[1] http://bugs.launchpad.net/bugs/1709032
> 
> --
> 
> From: Eric Leblond 
> 
> commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream.
> 
> This patch fixes the creation of a connection tracking entry from
> netlink when synproxy is used. It was missing the addition of
> the synproxy extension.
> 
> This was causing kernel crashes when a conntrack entry created by
> conntrackd was used after the switch of traffic from the active node
> to the passive node.
> 
> Signed-off-by: Eric Leblond 
> Signed-off-by: Pablo Neira Ayuso 
> Signed-off-by: Greg Kroah-Hartman 
> 
> ---
>  net/netfilter/nf_conntrack_netlink.c |4 
>  1 file changed, 4 insertions(+)
> 
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -45,6 +45,8 @@
>  #include 
>  #include 
>  #include 
> +#include 
> +#include 
>  #ifdef CONFIG_NF_NAT_NEEDED
>  #include 
>  #include 
> @@ -1798,6 +1800,8 @@ ctnetlink_create_conntrack(struct net *n
>   nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
>   nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
>   nf_ct_labels_ext_add(ct);
> + nfct_seqadj_ext_add(ct);
> + nfct_synproxy_ext_add(ct);
>  
>   /* we must add conntrack extensions before confirmation. */
>   ct->status |= IPS_CONFIRMED;
> 
> 






[PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction

2017-07-03 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Leblond 

commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream.

This patch fixes the creation of a connection tracking entry from
netlink when synproxy is used. It was missing the addition of
the synproxy extension.

This was causing kernel crashes when a conntrack entry created by
conntrackd was used after the switch of traffic from the active node
to the passive node.

Signed-off-by: Eric Leblond 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Greg Kroah-Hartman 

---
 net/netfilter/nf_conntrack_netlink.c |4 
 1 file changed, 4 insertions(+)

--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -45,6 +45,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 #ifdef CONFIG_NF_NAT_NEEDED
 #include 
 #include 
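Review bot: the two added #include lines in this hunk have lost their header names in the archive rendering (the angle-bracketed names were stripped), so from this view it cannot be confirmed that the headers added here are the ones declaring nfct_seqadj_ext_add() and nfct_synproxy_ext_add() used in the second hunk; check the hunk against upstream commit 87e94dbc210a720a34be5c1174faee5c84be963e before applying it to a stable tree.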
@@ -1798,6 +1800,8 @@ ctnetlink_create_conntrack(struct net *n
nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
nf_ct_labels_ext_add(ct);
+   nfct_seqadj_ext_add(ct);
+   nfct_synproxy_ext_add(ct);
 
/* we must add conntrack extensions before confirmation. */
ct->status |= IPS_CONFIRMED;
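Review bot: the commit message says the missing piece was the synproxy extension, but the hunk adds two extensions, nfct_seqadj_ext_add(ct) and nfct_synproxy_ext_add(ct); the message should state why seqadj is added here as well. The backport should also record the dependency Stefan Bader raises in this thread: on 4.4.y this change needs commit 9c3f3794926a997b1cab6c42480ff300efa2d162 (netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister) or it regresses. Both new calls ignore their return value, which matches the neighbouring nf_ct_labels_ext_add(ct) and the comment that extensions must be added before IPS_CONFIRMED is set, so no extra check is needed in this hunk.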



