From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Martin Willi , Florian Westphal , Pablo Neira Ayuso , Sasha Levin
Subject: [PATCH 4.18 079/168] netfilter: xt_cluster: add dependency on conntrack module
Date: Mon, 8 Oct 2018 20:30:59 +0200
Message-Id: <20181008175623.065215093@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20181008175620.043587728@linuxfoundation.org>
References: <20181008175620.043587728@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Martin Willi

[ Upstream commit c1dc2912059901f97345d9e10c96b841215fdc0f ]

The cluster match requires conntrack for matching packets. If the netns does not have conntrack hooks registered, the match does not work at all.

Implicitly load the conntrack hook for the family, exactly as many other extensions do. This ensures that the match works even if the hooks have not been registered by other means.

Signed-off-by: Martin Willi
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman

--- net/netfilter/xt_cluster.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) --- a/net/netfilter/xt_cluster.c +++ b/net/netfilter/xt_cluster.c @@ -125,6 +125,7 @@ xt_cluster_mt(const struct sk_buff *skb, static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) { struct xt_cluster_match_info *info = par->matchinfo; + int ret; if (info->total_nodes > XT_CLUSTER_NODES_MAX) { pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n", 
@@ -135,7 +136,17 @@ static int xt_cluster_mt_checkentry(cons pr_info_ratelimited("node mask cannot exceed total number of nodes\n"); return -EDOM; } - return 0; + + ret = nf_ct_netns_get(par->net, par->family); + if (ret < 0) + pr_info_ratelimited("cannot load conntrack support for proto=%u\n", + par->family); + return ret; +} + +static void xt_cluster_mt_destroy(const struct xt_mtdtor_param *par) +{ + nf_ct_netns_put(par->net, par->family); } static struct xt_match xt_cluster_match __read_mostly = { @@ -144,6 +155,7 @@ static struct xt_match xt_cluster_match .match = xt_cluster_mt, .checkentry = xt_cluster_mt_checkentry, .matchsize = sizeof(struct xt_cluster_match_info), + .destroy = xt_cluster_mt_destroy, .me = THIS_MODULE, };
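
Review bot: in the second hunk, the new failure message in xt_cluster_mt_checkentry() prints par->family under the label "proto=%u", which reads like an L4 protocol number in a log; "family=%u" would say what the value actually is. Placing nf_ct_netns_get() after the existing validation returns is right, since the node-count check and the -EDOM path then exit without holding a reference, but the new xt_cluster_mt_destroy() has no comment saying that its nf_ct_netns_put() balances that get. A one-line comment there would keep the pairing obvious to whoever next adds an error return after the get. The changelog could also state that a rule using this match now holds the conntrack hooks registered in that netns until the rule is deleted, since that is a visible behaviour change for anyone backporting to stable.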