author: Denis Kirjanov <dkirjanov@suse.com>, 2019-05-02 13:49:28 +0200
committer: Denis Kirjanov <dkirjanov@suse.com>, 2019-05-02 13:49:42 +0200
commit: e25c55dbb7b589a8290529593acc3f7f0ee555b3
tree: ec07c461b0de70a817be62822ccc85ff8b14bccb
parent: bd252e068a166e078058acfb1c2113034b701d4c
ipvs: remove IPS_NAT_MASK check to fix passive FTP (git-fixes).
-rw-r--r-- patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch | 46
-rw-r--r-- series.conf | 1
2 files changed, 47 insertions, 0 deletions
diff --git a/patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch b/patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch
new file mode 100644
index 0000000000..21b951e589
--- /dev/null
+++ b/patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch
@@ -0,0 +1,46 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: remove IPS_NAT_MASK check to fix passive FTP
+Patch-mainline: v4.16-rc5
+Git-commit: 8a949fff0302b50063f74bb345a66190015528d0
+References: git-fixes
+
+The IPS_NAT_MASK check in 4.12 replaced previous check for nfct_nat()
+which was needed to fix a crash in 2.6.36-rc, see
+commit 7bcbf81a2296 ("ipvs: avoid oops for passive FTP").
+But as IPVS does not set the IPS_SRC_NAT and IPS_DST_NAT bits,
+checking for IPS_NAT_MASK prevents PASV response to be properly
+mangled and blocks the transfer. Remove the check as it is not
+needed after 3.12 commit 41d73ec053d2 ("netfilter: nf_conntrack:
+make sequence number adjustments usuable without NAT") which
+changes nfct_nat() with nfct_seqadj() and especially after 3.13
+commit b25adce16064 ("ipvs: correct usage/allocation of seqadj
+ext in ipvs").
+
+Thanks to Li Shuang and Florian Westphal for reporting the problem!
+
+Reported-by: Li Shuang <shuali@redhat.com>
+Fixes: be7be6e161a2 ("netfilter: ipvs: fix incorrect conflict resolution")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
+index fb780be76d15..e273c59dfcba 100644
+--- a/net/netfilter/ipvs/ip_vs_ftp.c
++++ b/net/netfilter/ipvs/ip_vs_ftp.c
+@@ -260,7 +260,7 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
+ buf_len = strlen(buf);
+
+ ct = nf_ct_get(skb, &ctinfo);
+- if (ct && (ct->status & IPS_NAT_MASK)) {
++ if (ct) {
+ bool mangled;
+
+ /* If mangling fails this function will return 0
+--
+2.12.3
+
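Review bot: The backport does not record that this tree carries the prerequisites for relaxing the guard to `if (ct) {` in ip_vs_ftp_out(). The description says the removed check stood in for the nfct_nat() test that fixed a crash (7bcbf81a2296), and that dropping it is safe only after 41d73ec053d2 and b25adce16064; the header lists Patch-mainline, Git-commit and References but says nothing about whether those two commits, or be7be6e161a2 named in Fixes:, are present on this branch. Please note that in the patch header so the condition under which `ct` alone is a sufficient guard is documented with the backport.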
diff --git a/series.conf b/series.conf
index a96060abbe..29cac56021 100644
--- a/series.conf
+++ b/series.conf
@@ -14026,6 +14026,7 @@
patches.fixes/netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
patches.suse/netfilter-don-t-set-F_IFACE-on-ipv6-fib-lookups.patch
patches.fixes/netfilter-use-skb_to_full_sk-in-ip6_route_me_harder.patch
+ patches.fixes/0006-ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch
patches.fixes/batman-adv-fix-packet-checksum-in-receive-path.patch
patches.fixes/batman-adv-invalidate-checksum-on-fragment-reassembl.patch
patches.fixes/batman-adv-Ignore-invalid-batadv_iv_gw-during-netlin.patch
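Review bot: The added series.conf entry keeps the git format-patch sequence prefix `0006-`, while the neighbouring patches.fixes/ entries are named by subsystem and subject only (netfilter-..., batman-adv-...). Consider renaming the file to ipvs-remove-IPS_NAT_MASK-check-to-fix-passive-FTP.patch so it matches the surrounding entries and the number does not imply a position in a series, since this commit adds only the one patch.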