From: Pablo Neira Ayuso
Subject: [PATCH 0/9] Netfilter fixes for net
Date: Fri, 14 Apr 2017 02:26:42 +0200
Message-ID: <1492129611-29336-1-git-send-email-pablo@netfilter.org>
Cc: davem@davemloft.net, netdev@vger.kernel.org
To: netfilter-devel@vger.kernel.org

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Missing TCP header sanity check in TCPMSS target, from Eric Dumazet.

2) Incorrect event message type for related conntracks created via
   ctnetlink, from Liping Zhang.

3) Fix incorrect rcu locking when handling helpers from ctnetlink,
   from Gao Feng.

4) Fix missing rcu locking when updating helper, from Liping Zhang.

5) Fix missing read_lock_bh when iterating over list of device addresses
   from TPROXY and redirect, also from Liping.

6) Fix crash when trying to dump expectations from conntrack with no
   helper via ctnetlink, from Liping.

7) Missing RCU protection to expectation list update given ctnetlink
   iterates over the list under rcu read lock side, from Liping too.

8) Don't dump autogenerated seed in nft_hash to userspace, this is
   very confusing to the user, again from Liping.

9) Fix wrong conntrack netns module refcount in ipt_CLUSTERIP,
   from Gao Feng.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 0b9aefea860063bb39e36bd7fe6c7087fed0ba87:

  tcp: minimize false-positives on TCP/GRO check (2017-04-03 18:43:41 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to fe50543c194e2e1aee2f3eba41fcafd187b3dbde:

  netfilter: ipt_CLUSTERIP: Fix wrong conntrack netns refcnt usage (2017-04-13 23:21:40 +0200)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Gao Feng (2):
      netfilter: helper: Add the rcu lock when call __nf_conntrack_helper_find
      netfilter: ipt_CLUSTERIP: Fix wrong conntrack netns refcnt usage

Liping Zhang (6):
      netfilter: ctnetlink: using bit to represent the ct event
      netfilter: ctnetlink: make it safer when checking the ct helper name
      netfilter: make it safer during the inet6_dev->addr_list traversal
      netfilter: ctnetlink: skip dumping expect when nfct_help(ct) is NULL
      netfilter: nf_ct_expect: use proper RCU list traversal/update APIs
      netfilter: nft_hash: do not dump the auto generated seed

 net/ipv4/netfilter/ipt_CLUSTERIP.c   |  2 +-
 net/netfilter/nf_conntrack_expect.c  |  4 ++--
 net/netfilter/nf_conntrack_helper.c  | 17 ++++++++++-----
 net/netfilter/nf_conntrack_netlink.c | 41 +++++++++++++++++++++++++-----------
 net/netfilter/nf_nat_redirect.c      |  2 ++
 net/netfilter/nft_hash.c             | 10 ++++++---
 net/netfilter/xt_TCPMSS.c            |  6 +++++-
 net/netfilter/xt_TPROXY.c            |  5 ++++-
 8 files changed, 62 insertions(+), 25 deletions(-)