[SRU][J:linux-bluefield][PATCH 1/1] netfilter: xtables: fix typo causing some targets not to load on IPv6

William Tu witu at nvidia.com
Wed Nov 27 17:59:00 UTC 2024



From: William Tu <witu at nvidia.com>
Date: Wednesday, November 27, 2024 at 9:16 AM
To: kernel-team at lists.ubuntu.com <kernel-team at lists.ubuntu.com>
Cc: Bodong Wang <bodong at nvidia.com>, William Tu <witu at nvidia.com>, Vladimir Sokolovsky <vlad at nvidia.com>, dann.frazier at canonical.com <dann.frazier at canonical.com>, bartlomiej.zolnierkiewicz at canonical.com <bartlomiej.zolnierkiewicz at canonical.com>
Subject: [SRU][J:linux-bluefield][PATCH 1/1] netfilter: xtables: fix typo causing some targets not to load on IPv6

From: Pablo Neira Ayuso <pablo at netfilter.org>

BugLink: https://bugs.launchpad.net/bugs/2089780

- There is no NFPROTO_IPV6 family for mark and NFLOG.
- TRACE is also missing module autoload with NFPROTO_IPV6.

This results in ip6tables failing to restore a ruleset. This issue has been
reported by several users providing incomplete patches.

Very similar to Ilya Katsnelson's patch including a missing chunk in the
TRACE extension.

Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
Reported-by: Ignat Korchagin <ignat at cloudflare.com>
Reported-by: Ilya Katsnelson <me at 0upti.me>
Reported-by: Krzysztof Olędzki <ole at ans.pl>
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
(cherry picked from commit 306ed1728e8438caed30332e1ab46b28c25fe3d8)
Signed-off-by: William Tu <witu at nvidia.com>
---
 net/netfilter/xt_NFLOG.c | 2 +-
 net/netfilter/xt_TRACE.c | 1 +
 net/netfilter/xt_mark.c  | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index d80abd6ccaf8..6dcf4bc7e30b 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
         {
                 .name       = "NFLOG",
                 .revision   = 0,
-               .family     = NFPROTO_IPV4,
+               .family     = NFPROTO_IPV6,
                 .checkentry = nflog_tg_check,
                 .destroy    = nflog_tg_destroy,
                 .target     = nflog_tg,
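
Review bot: The context after .family in the NFLOG revision 0 entry stops at .target, so this hunk does not show whether the entry also sets .me = THIS_MODULE. The xt_TRACE.c hunk in this same patch adds exactly that field, so please confirm against the jammy tree that this NFLOG entry carries it. Also note in the SRU bug that an ip6tables-restore of a ruleset using NFLOG was tested, because the commit message names ruleset restore as the user-visible failure.
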
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index f3fa4f11348c..a642ff09fc8e 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -49,6 +49,7 @@ static struct xt_target trace_tg_reg[] __read_mostly = {
                 .target         = trace_tg,
                 .checkentry     = trace_tg_check,
                 .destroy        = trace_tg_destroy,
+               .me             = THIS_MODULE,
         },
 #endif
 };
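
Review bot: The new .me = THIS_MODULE line lands in the last entry of trace_tg_reg[], just before #endif, but the hunk shows neither that entry's .family nor the #if condition guarding it. The commit message says TRACE lacks this for NFPROTO_IPV6. Please verify in the backport target that the guarded entry is the IPv6 one and that the entry before it already sets .me, so that both registrations name their owning module.
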
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index f76fe04fc9a4..65b965ca40ea 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
         {
                 .name           = "MARK",
                 .revision       = 2,
-               .family         = NFPROTO_IPV4,
+               .family         = NFPROTO_IPV6,
                 .target         = mark_tg,
                 .targetsize     = sizeof(struct xt_mark_tginfo2),
                 .me             = THIS_MODULE,
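
Review bot: In the MARK revision 2 entry, the NFPROTO_IPV4 to NFPROTO_IPV6 correction repeats the one in xt_NFLOG.c, which suggests a repeated copy-paste error in the Fixes: commit rather than a one-off. Before applying, check the other xt_target arrays touched by the backport of 0bfcb7b71e73 in linux-bluefield for two entries that share .name, .revision and .family. Since this is a cherry-pick, also confirm that the Fixes: hash corresponds to a commit actually present in this tree.
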
--
2.37.1 (Apple Git-137.1)
