* [PATCH net 0/8] Netfilter fixes for net
@ 2021-06-22 21:59 Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 1/8] MAINTAINERS: netfilter: add irc channel Pablo Neira Ayuso
` (8 more replies)
0 siblings, 9 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 21:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Nicolas Dichtel updates MAINTAINERS file to add Netfilter IRC channel.
2) Skip non-IPv6 packets in nft_exthdr.
3) Skip non-TCP packets in nft_osf.
4) Skip non-TCP/UDP packets in nft_tproxy.
5) Memleak in hardware offload infrastructure when counters are used
for first time in a rule.
6) The VLAN transfer routine must use FLOW_DISSECTOR_KEY_BASIC instead
of FLOW_DISSECTOR_KEY_CONTROL. Moreover, make a more robust check
for 802.1q and 802.1ad to restore simple matching on transport
protocols.
7) Fix bogus EPERM when listing a ruleset when table ownership flag
is set on.
8) Honor table ownership flag when table is referenced by handle.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you!
----------------------------------------------------------------
The following changes since commit a4f0377db1254373513b992ff31a351a7111f0fd:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf (2021-06-15 15:26:07 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to e31f072ffab0397a328b31a9589dcf9733dc9c72:
netfilter: nf_tables: do not allow to delete table with owner by handle (2021-06-22 12:15:05 +0200)
----------------------------------------------------------------
Nicolas Dichtel (1):
MAINTAINERS: netfilter: add irc channel
Pablo Neira Ayuso (7):
netfilter: nft_exthdr: check for IPv6 packet before further processing
netfilter: nft_osf: check for TCP packet before further processing
netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
netfilter: nf_tables: memleak in hw offload abort path
netfilter: nf_tables_offload: check FLOW_DISSECTOR_KEY_BASIC in VLAN transfer logic
netfilter: nf_tables: skip netlink portID validation if zero
netfilter: nf_tables: do not allow to delete table with owner by handle
MAINTAINERS | 1 +
net/netfilter/nf_tables_api.c | 65 ++++++++++++++++++++++++---------------
net/netfilter/nf_tables_offload.c | 34 +++++---------------
net/netfilter/nft_exthdr.c | 3 ++
net/netfilter/nft_osf.c | 5 +++
net/netfilter/nft_tproxy.c | 9 +++++-
6 files changed, 65 insertions(+), 52 deletions(-)
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH net 1/8] MAINTAINERS: netfilter: add irc channel
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
@ 2021-06-22 21:59 ` Pablo Neira Ayuso
2021-06-22 23:30 ` patchwork-bot+netdevbpf
2021-06-22 21:59 ` [PATCH net 2/8] netfilter: nft_exthdr: check for IPv6 packet before further processing Pablo Neira Ayuso
` (7 subsequent siblings)
8 siblings, 1 reply; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 21:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
The community #netfilter IRC channel is now live on the libera.chat network
(https://libera.chat/).
CC: Arturo Borrero Gonzalez <arturo@netfilter.org>
Link: https://marc.info/?l=netfilter&m=162210948632717
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
MAINTAINERS | 1 +
1 file changed, 1 insertion(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index bfb3d0931cba..f3d44262d16e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -12657,6 +12657,7 @@ W: http://www.netfilter.org/
W: http://www.iptables.org/
W: http://www.nftables.org/
Q: http://patchwork.ozlabs.org/project/netfilter-devel/list/
+C: irc://irc.libera.chat/netfilter
T: git git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
T: git git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
F: include/linux/netfilter*
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH net 2/8] netfilter: nft_exthdr: check for IPv6 packet before further processing
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 1/8] MAINTAINERS: netfilter: add irc channel Pablo Neira Ayuso
@ 2021-06-22 21:59 ` Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 3/8] netfilter: nft_osf: check for TCP " Pablo Neira Ayuso
` (6 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 21:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a
sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet
is passed for parsing.
Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_exthdr.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index f64f0017e9a5..670dd146fb2b 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -42,6 +42,9 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
unsigned int offset = 0;
int err;
+ if (pkt->skb->protocol != htons(ETH_P_IPV6))
+ goto err;
+
err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
if (priv->flags & NFT_EXTHDR_F_PRESENT) {
nft_reg_store8(dest, err >= 0);
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH net 3/8] netfilter: nft_osf: check for TCP packet before further processing
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 1/8] MAINTAINERS: netfilter: add irc channel Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 2/8] netfilter: nft_exthdr: check for IPv6 packet before further processing Pablo Neira Ayuso
@ 2021-06-22 21:59 ` Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 4/8] netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols Pablo Neira Ayuso
` (5 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 21:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
The osf expression only supports for TCP packets, add a upfront sanity
check to skip packet parsing if this is not a TCP packet.
Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_osf.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
index ac61f708b82d..d82677e83400 100644
--- a/net/netfilter/nft_osf.c
+++ b/net/netfilter/nft_osf.c
@@ -28,6 +28,11 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
struct nf_osf_data data;
struct tcphdr _tcph;
+ if (pkt->tprot != IPPROTO_TCP) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+
tcp = skb_header_pointer(skb, ip_hdrlen(skb),
sizeof(struct tcphdr), &_tcph);
if (!tcp) {
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH net 4/8] netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2021-06-22 21:59 ` [PATCH net 3/8] netfilter: nft_osf: check for TCP " Pablo Neira Ayuso
@ 2021-06-22 21:59 ` Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 5/8] netfilter: nf_tables: memleak in hw offload abort path Pablo Neira Ayuso
` (4 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 21:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Add unfront check for TCP and UDP packets before performing further
processing.
Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_tproxy.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index accef672088c..5cb4d575d47f 100644
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
__be16 tport = 0;
struct sock *sk;
+ if (pkt->tprot != IPPROTO_TCP &&
+ pkt->tprot != IPPROTO_UDP) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+
hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
if (!hp) {
regs->verdict.code = NFT_BREAK;
@@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
memset(&taddr, 0, sizeof(taddr));
- if (!pkt->tprot_set) {
+ if (pkt->tprot != IPPROTO_TCP &&
+ pkt->tprot != IPPROTO_UDP) {
regs->verdict.code = NFT_BREAK;
return;
}
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH net 5/8] netfilter: nf_tables: memleak in hw offload abort path
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2021-06-22 21:59 ` [PATCH net 4/8] netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols Pablo Neira Ayuso
@ 2021-06-22 21:59 ` Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 6/8] netfilter: nf_tables_offload: check FLOW_DISSECTOR_KEY_BASIC in VLAN transfer logic Pablo Neira Ayuso
` (3 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 21:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Release flow from the abort path, this is easy to reproduce since
b72920f6e4a9 ("netfilter: nftables: counter hardware offload support").
If the preparation phase fails, then the abort path is exercised without
releasing the flow rule object.
unreferenced object 0xffff8881f0fa7700 (size 128):
comm "nft", pid 1335, jiffies 4294931120 (age 4163.740s)
hex dump (first 32 bytes):
08 e4 de 13 82 88 ff ff 98 e4 de 13 82 88 ff ff ................
48 e4 de 13 82 88 ff ff 01 00 00 00 00 00 00 00 H...............
backtrace:
[<00000000634547e7>] flow_rule_alloc+0x26/0x80
[<00000000c8426156>] nft_flow_rule_create+0xc9/0x3f0 [nf_tables]
[<0000000075ff8e46>] nf_tables_newrule+0xc79/0x10a0 [nf_tables]
[<00000000ba65e40e>] nfnetlink_rcv_batch+0xaac/0xf90 [nfnetlink]
[<00000000505c614a>] nfnetlink_rcv+0x1bb/0x1f0 [nfnetlink]
[<00000000eb78e1fe>] netlink_unicast+0x34b/0x480
[<00000000a8f72c94>] netlink_sendmsg+0x3af/0x690
[<000000009cb1ddf4>] sock_sendmsg+0x96/0xa0
[<0000000039d06e44>] ____sys_sendmsg+0x3fe/0x440
[<00000000137e82ca>] ___sys_sendmsg+0xd8/0x140
[<000000000c6bf6a6>] __sys_sendmsg+0xb3/0x130
[<0000000043bd6268>] do_syscall_64+0x40/0xb0
[<00000000afdebc2d>] entry_SYSCALL_64_after_hwframe+0x44/0xae
Remove flow rule release from the offload commit path, otherwise error
from the offload commit phase might trigger a double-free due to the
execution of the abort_offload -> abort. After this patch, the abort
path takes care of releasing the flow rule.
This fix also needs to move the nft_flow_rule_create() call before the
transaction object is added otherwise the abort path might find a NULL
pointer to the flow rule object for the NFT_CHAIN_HW_OFFLOAD case.
While at it, rename BASIC-like goto tags to slightly more meaningful
names rather than adding a new "err3" tag.
Fixes: 63b48c73ff56 ("netfilter: nf_tables_offload: undo updates if transaction fails")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 51 +++++++++++++++++++------------
net/netfilter/nf_tables_offload.c | 17 -----------
2 files changed, 31 insertions(+), 37 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index bf4d6ec9fc55..ca9ec8721e6c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3243,9 +3243,9 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
u8 genmask = nft_genmask_next(info->net);
struct nft_rule *rule, *old_rule = NULL;
struct nft_expr_info *expr_info = NULL;
+ struct nft_flow_rule *flow = NULL;
int family = nfmsg->nfgen_family;
struct net *net = info->net;
- struct nft_flow_rule *flow;
struct nft_userdata *udata;
struct nft_table *table;
struct nft_chain *chain;
@@ -3340,13 +3340,13 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
err = -EINVAL;
if (nla_type(tmp) != NFTA_LIST_ELEM)
- goto err1;
+ goto err_release_expr;
if (n == NFT_RULE_MAXEXPRS)
- goto err1;
+ goto err_release_expr;
err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
if (err < 0) {
NL_SET_BAD_ATTR(extack, tmp);
- goto err1;
+ goto err_release_expr;
}
size += expr_info[n].ops->size;
n++;
@@ -3355,7 +3355,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
/* Check for overflow of dlen field */
err = -EFBIG;
if (size >= 1 << 12)
- goto err1;
+ goto err_release_expr;
if (nla[NFTA_RULE_USERDATA]) {
ulen = nla_len(nla[NFTA_RULE_USERDATA]);
@@ -3366,7 +3366,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
err = -ENOMEM;
rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
if (rule == NULL)
- goto err1;
+ goto err_release_expr;
nft_activate_next(net, rule);
@@ -3385,7 +3385,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
if (err < 0) {
NL_SET_BAD_ATTR(extack, expr_info[i].attr);
- goto err2;
+ goto err_release_rule;
}
if (expr_info[i].ops->validate)
@@ -3395,16 +3395,24 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
expr = nft_expr_next(expr);
}
+ if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
+ flow = nft_flow_rule_create(net, rule);
+ if (IS_ERR(flow)) {
+ err = PTR_ERR(flow);
+ goto err_release_rule;
+ }
+ }
+
if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
if (trans == NULL) {
err = -ENOMEM;
- goto err2;
+ goto err_destroy_flow_rule;
}
err = nft_delrule(&ctx, old_rule);
if (err < 0) {
nft_trans_destroy(trans);
- goto err2;
+ goto err_destroy_flow_rule;
}
list_add_tail_rcu(&rule->list, &old_rule->list);
@@ -3412,7 +3420,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
if (!trans) {
err = -ENOMEM;
- goto err2;
+ goto err_destroy_flow_rule;
}
if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
@@ -3430,21 +3438,19 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
kvfree(expr_info);
chain->use++;
+ if (flow)
+ nft_trans_flow_rule(trans) = flow;
+
if (nft_net->validate_state == NFT_VALIDATE_DO)
return nft_table_validate(net, table);
- if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
- flow = nft_flow_rule_create(net, rule);
- if (IS_ERR(flow))
- return PTR_ERR(flow);
-
- nft_trans_flow_rule(trans) = flow;
- }
-
return 0;
-err2:
+
+err_destroy_flow_rule:
+ nft_flow_rule_destroy(flow);
+err_release_rule:
nf_tables_rule_release(&ctx, rule);
-err1:
+err_release_expr:
for (i = 0; i < n; i++) {
if (expr_info[i].ops) {
module_put(expr_info[i].ops->type->owner);
@@ -8839,11 +8845,16 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
nft_rule_expr_deactivate(&trans->ctx,
nft_trans_rule(trans),
NFT_TRANS_ABORT);
+ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
+ nft_flow_rule_destroy(nft_trans_flow_rule(trans));
break;
case NFT_MSG_DELRULE:
trans->ctx.chain->use++;
nft_clear(trans->ctx.net, nft_trans_rule(trans));
nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
+ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
+ nft_flow_rule_destroy(nft_trans_flow_rule(trans));
+
nft_trans_destroy(trans);
break;
case NFT_MSG_NEWSET:
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index a48c5fd53a80..ec701b84844f 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -594,23 +594,6 @@ int nft_flow_rule_offload_commit(struct net *net)
}
}
- list_for_each_entry(trans, &nft_net->commit_list, list) {
- if (trans->ctx.family != NFPROTO_NETDEV)
- continue;
-
- switch (trans->msg_type) {
- case NFT_MSG_NEWRULE:
- case NFT_MSG_DELRULE:
- if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
- continue;
-
- nft_flow_rule_destroy(nft_trans_flow_rule(trans));
- break;
- default:
- break;
- }
- }
-
return err;
}
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH net 6/8] netfilter: nf_tables_offload: check FLOW_DISSECTOR_KEY_BASIC in VLAN transfer logic
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2021-06-22 21:59 ` [PATCH net 5/8] netfilter: nf_tables: memleak in hw offload abort path Pablo Neira Ayuso
@ 2021-06-22 21:59 ` Pablo Neira Ayuso
2021-06-22 22:00 ` [PATCH net 7/8] netfilter: nf_tables: skip netlink portID validation if zero Pablo Neira Ayuso
` (2 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 21:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
The VLAN transfer logic should actually check for
FLOW_DISSECTOR_KEY_BASIC, not FLOW_DISSECTOR_KEY_CONTROL. Moreover, do
not fallback to case 2) .n_proto is set to 802.1q or 802.1ad, if
FLOW_DISSECTOR_KEY_BASIC is unset.
Fixes: 783003f3bb8a ("netfilter: nftables_offload: special ethertype handling for VLAN")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_offload.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index ec701b84844f..b58d73a96523 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -54,15 +54,10 @@ static void nft_flow_rule_transfer_vlan(struct nft_offload_ctx *ctx,
struct nft_flow_rule *flow)
{
struct nft_flow_match *match = &flow->match;
- struct nft_offload_ethertype ethertype;
-
- if (match->dissector.used_keys & BIT(FLOW_DISSECTOR_KEY_CONTROL) &&
- match->key.basic.n_proto != htons(ETH_P_8021Q) &&
- match->key.basic.n_proto != htons(ETH_P_8021AD))
- return;
-
- ethertype.value = match->key.basic.n_proto;
- ethertype.mask = match->mask.basic.n_proto;
+ struct nft_offload_ethertype ethertype = {
+ .value = match->key.basic.n_proto,
+ .mask = match->mask.basic.n_proto,
+ };
if (match->dissector.used_keys & BIT(FLOW_DISSECTOR_KEY_VLAN) &&
(match->key.vlan.vlan_tpid == htons(ETH_P_8021Q) ||
@@ -76,7 +71,9 @@ static void nft_flow_rule_transfer_vlan(struct nft_offload_ctx *ctx,
match->dissector.offset[FLOW_DISSECTOR_KEY_CVLAN] =
offsetof(struct nft_flow_key, cvlan);
match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CVLAN);
- } else {
+ } else if (match->dissector.used_keys & BIT(FLOW_DISSECTOR_KEY_BASIC) &&
+ (match->key.basic.n_proto == htons(ETH_P_8021Q) ||
+ match->key.basic.n_proto == htons(ETH_P_8021AD))) {
match->key.basic.n_proto = match->key.vlan.vlan_tpid;
match->mask.basic.n_proto = match->mask.vlan.vlan_tpid;
match->key.vlan.vlan_tpid = ethertype.value;
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH net 7/8] netfilter: nf_tables: skip netlink portID validation if zero
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (5 preceding siblings ...)
2021-06-22 21:59 ` [PATCH net 6/8] netfilter: nf_tables_offload: check FLOW_DISSECTOR_KEY_BASIC in VLAN transfer logic Pablo Neira Ayuso
@ 2021-06-22 22:00 ` Pablo Neira Ayuso
2021-06-22 22:00 ` [PATCH net 8/8] netfilter: nf_tables: do not allow to delete table with owner by handle Pablo Neira Ayuso
2021-06-22 22:41 ` [PATCH net 0/8] Netfilter fixes for net David Miller
8 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 22:00 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
nft_table_lookup() allows us to obtain the table object by the name and
the family. The netlink portID validation needs to be skipped for the
dump path, since the ownership only applies to commands to update the
given table. Skip validation if the specified netlink PortID is zero
when calling nft_table_lookup().
Fixes: 6001a930ce03 ("netfilter: nftables: introduce table ownership")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index ca9ec8721e6c..1d62b1a83299 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -571,7 +571,7 @@ static struct nft_table *nft_table_lookup(const struct net *net,
table->family == family &&
nft_active_genmask(table, genmask)) {
if (nft_table_has_owner(table) &&
- table->nlpid != nlpid)
+ nlpid && table->nlpid != nlpid)
return ERR_PTR(-EPERM);
return table;
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH net 8/8] netfilter: nf_tables: do not allow to delete table with owner by handle
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (6 preceding siblings ...)
2021-06-22 22:00 ` [PATCH net 7/8] netfilter: nf_tables: skip netlink portID validation if zero Pablo Neira Ayuso
@ 2021-06-22 22:00 ` Pablo Neira Ayuso
2021-06-22 22:41 ` [PATCH net 0/8] Netfilter fixes for net David Miller
8 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 22:00 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
nft_table_lookup_byhandle() also needs to validate the netlink PortID
owner when deleting a table by handle.
Fixes: 6001a930ce03 ("netfilter: nftables: introduce table ownership")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1d62b1a83299..fcb15b8904e8 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -583,7 +583,7 @@ static struct nft_table *nft_table_lookup(const struct net *net,
static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
const struct nlattr *nla,
- u8 genmask)
+ u8 genmask, u32 nlpid)
{
struct nftables_pernet *nft_net;
struct nft_table *table;
@@ -591,8 +591,13 @@ static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
nft_net = nft_pernet(net);
list_for_each_entry(table, &nft_net->tables, list) {
if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
- nft_active_genmask(table, genmask))
+ nft_active_genmask(table, genmask)) {
+ if (nft_table_has_owner(table) &&
+ nlpid && table->nlpid != nlpid)
+ return ERR_PTR(-EPERM);
+
return table;
+ }
}
return ERR_PTR(-ENOENT);
@@ -1279,7 +1284,8 @@ static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
if (nla[NFTA_TABLE_HANDLE]) {
attr = nla[NFTA_TABLE_HANDLE];
- table = nft_table_lookup_byhandle(net, attr, genmask);
+ table = nft_table_lookup_byhandle(net, attr, genmask,
+ NETLINK_CB(skb).portid);
} else {
attr = nla[NFTA_TABLE_NAME];
table = nft_table_lookup(net, attr, family, genmask,
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH net 0/8] Netfilter fixes for net
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (7 preceding siblings ...)
2021-06-22 22:00 ` [PATCH net 8/8] netfilter: nf_tables: do not allow to delete table with owner by handle Pablo Neira Ayuso
@ 2021-06-22 22:41 ` David Miller
2021-06-22 23:06 ` Pablo Neira Ayuso
8 siblings, 1 reply; 18+ messages in thread
From: David Miller @ 2021-06-22 22:41 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, kuba
[davem@localhost net]$ git pull --no-ff git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
From git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
* branch HEAD -> FETCH_HEAD
Already up to date.
[davem@localhost net]$
???
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH net 0/8] Netfilter fixes for net
2021-06-22 22:41 ` [PATCH net 0/8] Netfilter fixes for net David Miller
@ 2021-06-22 23:06 ` Pablo Neira Ayuso
0 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-22 23:06 UTC (permalink / raw)
To: David Miller; +Cc: netfilter-devel, netdev, kuba
On Tue, Jun 22, 2021 at 03:41:12PM -0700, David Miller wrote:
>
> [davem@localhost net]$ git pull --no-ff git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
> From git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
> * branch HEAD -> FETCH_HEAD
> Already up to date.
> [davem@localhost net]$
>
> ???
A robot got stuck here and it did not push out to origin for some
reason, sorry. Please retry, it should be there now.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH net 1/8] MAINTAINERS: netfilter: add irc channel
2021-06-22 21:59 ` [PATCH net 1/8] MAINTAINERS: netfilter: add irc channel Pablo Neira Ayuso
@ 2021-06-22 23:30 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 18+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-06-22 23:30 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba
Hello:
This series was applied to netdev/net.git (refs/heads/master):
On Tue, 22 Jun 2021 23:59:54 +0200 you wrote:
> From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>
> The community #netfilter IRC channel is now live on the libera.chat network
> (https://libera.chat/).
>
> CC: Arturo Borrero Gonzalez <arturo@netfilter.org>
> Link: https://marc.info/?l=netfilter&m=162210948632717
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>
> [...]
Here is the summary with links:
- [net,1/8] MAINTAINERS: netfilter: add irc channel
https://git.kernel.org/netdev/net/c/8744365e2584
- [net,2/8] netfilter: nft_exthdr: check for IPv6 packet before further processing
https://git.kernel.org/netdev/net/c/cdd73cc545c0
- [net,3/8] netfilter: nft_osf: check for TCP packet before further processing
https://git.kernel.org/netdev/net/c/8f518d43f89a
- [net,4/8] netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
https://git.kernel.org/netdev/net/c/52f0f4e178c7
- [net,5/8] netfilter: nf_tables: memleak in hw offload abort path
https://git.kernel.org/netdev/net/c/3c5e44622011
- [net,6/8] netfilter: nf_tables_offload: check FLOW_DISSECTOR_KEY_BASIC in VLAN transfer logic
https://git.kernel.org/netdev/net/c/ea45fdf82cc9
- [net,7/8] netfilter: nf_tables: skip netlink portID validation if zero
https://git.kernel.org/netdev/net/c/534799097a77
- [net,8/8] netfilter: nf_tables: do not allow to delete table with owner by handle
https://git.kernel.org/netdev/net/c/e31f072ffab0
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH net 0/8] Netfilter fixes for net
2022-08-10 4:27 ` Jakub Kicinski
@ 2022-08-10 7:59 ` Pablo Neira Ayuso
0 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2022-08-10 7:59 UTC (permalink / raw)
To: Jakub Kicinski; +Cc: netfilter-devel, davem, netdev, pabeni, edumazet
On Tue, Aug 09, 2022 at 09:27:14PM -0700, Jakub Kicinski wrote:
> On Wed, 10 Aug 2022 00:05:24 +0200 Pablo Neira Ayuso wrote:
> > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
>
> That is not the tree you want me to pull from. Mumble, mumble.
Right, one of my computers was running an old version of the script.
Sorry about this.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH net 0/8] Netfilter fixes for net
2022-08-09 22:05 Pablo Neira Ayuso
@ 2022-08-10 4:27 ` Jakub Kicinski
2022-08-10 7:59 ` Pablo Neira Ayuso
0 siblings, 1 reply; 18+ messages in thread
From: Jakub Kicinski @ 2022-08-10 4:27 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, pabeni, edumazet
On Wed, 10 Aug 2022 00:05:24 +0200 Pablo Neira Ayuso wrote:
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
That is not the tree you want me to pull from. Mumble, mumble.
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH net 0/8] Netfilter fixes for net
@ 2022-08-09 22:05 Pablo Neira Ayuso
2022-08-10 4:27 ` Jakub Kicinski
0 siblings, 1 reply; 18+ messages in thread
From: Pablo Neira Ayuso @ 2022-08-09 22:05 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Harden set element field checks to avoid out-of-bound memory access,
this patch also fixes the type of issue described in 7e6bc1f6cabc
("netfilter: nf_tables: stricter validation of element data") in a
broader way.
2) Patches to restrict the chain, set, and rule id lookup in the
transaction to the corresponding top-level table, patches from
Thadeu Lima de Souza Cascardo.
3) Fix incorrect comment in ip6t_LOG.h
4) nft_data_init() performs upfront validation of the expected data.
struct nft_data_desc is used to describe the expected data to be
received from userspace. The .size field represents the maximum size
that can be stored, for bound checks. Then, .len is an input/output field
which stores the expected length as input (this is optional, to restrict
the checks), as output it stores the real length received from userspace
(if it was not specified as input). This patch comes in response to
7e6bc1f6cabc ("netfilter: nf_tables: stricter validation of element data")
to address this type of issue in a more generic way by avoid opencoded
data validation. Next patch requires this as a dependency.
5) Disallow jump to implicit chain from set element, this configuration
is invalid. Only allow jump to chain via immediate expression is
supported at this stage.
6) Fix possible null-pointer derefence in the error path of table updates,
if memory allocation of the transaction fails. From Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit b8c3bf0ed2edf2deaedba5f0bf0bb54c76dee71d:
Merge tag 'for-net-2022-08-08' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth (2022-08-08 20:59:07 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 580077855a40741cf511766129702d97ff02f4d9:
netfilter: nf_tables: fix null deref due to zeroed list head (2022-08-09 20:13:30 +0200)
----------------------------------------------------------------
Christophe JAILLET (1):
netfilter: ip6t_LOG: Fix a typo in a comment
Florian Westphal (1):
netfilter: nf_tables: fix null deref due to zeroed list head
Pablo Neira Ayuso (3):
netfilter: nf_tables: validate variable length element extension
netfilter: nf_tables: upfront validation of data via nft_data_init()
netfilter: nf_tables: disallow jump to implicit chain from set element
Thadeu Lima de Souza Cascardo (3):
netfilter: nf_tables: do not allow SET_ID to refer to another table
netfilter: nf_tables: do not allow CHAIN_ID to refer to another table
netfilter: nf_tables: do not allow RULE_ID to refer to another chain
include/net/netfilter/nf_tables.h | 13 +-
include/uapi/linux/netfilter_ipv6/ip6t_LOG.h | 2 +-
net/netfilter/nf_tables_api.c | 184 ++++++++++++++++++---------
net/netfilter/nft_bitwise.c | 66 +++++-----
net/netfilter/nft_cmp.c | 44 +++----
net/netfilter/nft_dynset.c | 2 +-
net/netfilter/nft_immediate.c | 22 +++-
net/netfilter/nft_range.c | 27 ++--
8 files changed, 222 insertions(+), 138 deletions(-)
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH net 0/8] Netfilter fixes for net
@ 2022-03-01 21:53 Pablo Neira Ayuso
0 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2022-03-01 21:53 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Use kfree_rcu(ptr, rcu) variant, using kfree_rcu(ptr) was not
intentional. From Eric Dumazet.
2) Use-after-free in netfilter hook core, from Eric Dumazet.
3) Missing rcu read lock side for netfilter egress hook,
from Florian Westphal.
4) nf_queue assume state->sk is full socket while it might not be.
Invoke sock_gen_put(), from Florian Westphal.
5) Add selftest to exercise the reported KASAN splat in 4)
6) Fix possible use-after-free in nf_queue in case sk_refcnt is 0.
Also from Florian.
7) Use input interface index only for hardware offload, not for
the software plane. This breaks tc ct action. Patch from Paul Blakey.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 277f2bb14361790a70e4b3c649e794b75a91a597:
ibmvnic: schedule failover only if vioctl fails (2022-02-22 17:06:27 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to db6140e5e35a48405e669353bd54042c1d4c3841:
net/sched: act_ct: Fix flow table lookup failure with no originating ifindex (2022-03-01 22:08:31 +0100)
----------------------------------------------------------------
Eric Dumazet (2):
netfilter: nf_tables: prefer kfree_rcu(ptr, rcu) variant
netfilter: fix use-after-free in __nf_register_net_hook()
Florian Westphal (5):
netfilter: egress: silence egress hook lockdep splats
netfilter: nf_queue: don't assume sk is full socket
selftests: netfilter: add nfqueue TCP_NEW_SYN_RECV socket race test
netfilter: nf_queue: fix possible use-after-free
netfilter: nf_queue: handle socket prefetch
Paul Blakey (1):
net/sched: act_ct: Fix flow table lookup failure with no originating ifindex
include/linux/netfilter_netdev.h | 4 +
include/net/netfilter/nf_flow_table.h | 6 +-
include/net/netfilter/nf_queue.h | 2 +-
net/netfilter/core.c | 5 +-
net/netfilter/nf_flow_table_offload.c | 6 +-
net/netfilter/nf_queue.c | 36 +++++-
net/netfilter/nf_tables_api.c | 4 +-
net/netfilter/nfnetlink_queue.c | 12 +-
net/sched/act_ct.c | 13 ++-
tools/testing/selftests/netfilter/.gitignore | 1 +
tools/testing/selftests/netfilter/Makefile | 2 +-
tools/testing/selftests/netfilter/connect_close.c | 136 ++++++++++++++++++++++
tools/testing/selftests/netfilter/nft_queue.sh | 19 +++
13 files changed, 226 insertions(+), 20 deletions(-)
create mode 100644 tools/testing/selftests/netfilter/connect_close.c
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH net 0/8] Netfilter fixes for net
@ 2022-01-27 23:52 Pablo Neira Ayuso
0 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2022-01-27 23:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Remove leftovers from flowtable modules, from Geert Uytterhoeven.
2) Missing refcount increment of conntrack template in nft_ct,
from Florian Westphal.
3) Reduce nft_zone selftest time, also from Florian.
4) Add selftest to cover stateless NAT on fragments, from Florian Westphal.
5) Do not set net_device when for reject packets from the bridge path,
from Phil Sutter.
6) Cancel register tracking info on nft_byteorder operations.
7) Extend nft_concat_range selftest to cover set reload with no elements,
from Florian Westphal.
8) Remove useless update of pointer in chain blob builder, reported
by kbuild test robot.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 2f61353cd2f789a4229b6f5c1c24a40a613357bb:
net: hns3: handle empty unknown interrupt for VF (2022-01-25 13:08:05 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to b07f413732549e5a96e891411fbb5980f2d8e5a1:
netfilter: nf_tables: remove assignment with no effect in chain blob builder (2022-01-27 17:50:56 +0100)
----------------------------------------------------------------
Florian Westphal (4):
netfilter: nft_ct: fix use after free when attaching zone template
selftests: netfilter: reduce zone stress test running time
selftests: netfilter: check stateless nat udp checksum fixup
selftests: nft_concat_range: add test for reload with no element add/del
Geert Uytterhoeven (1):
netfilter: Remove flowtable relics
Pablo Neira Ayuso (2):
netfilter: nft_byteorder: track register operations
netfilter: nf_tables: remove assignment with no effect in chain blob builder
Phil Sutter (1):
netfilter: nft_reject_bridge: Fix for missing reply from prerouting
net/bridge/netfilter/nft_reject_bridge.c | 8 +-
net/ipv4/netfilter/Kconfig | 4 -
net/ipv6/netfilter/Kconfig | 4 -
net/ipv6/netfilter/Makefile | 3 -
net/ipv6/netfilter/nf_flow_table_ipv6.c | 0
net/netfilter/nf_tables_api.c | 1 -
net/netfilter/nft_byteorder.c | 12 ++
net/netfilter/nft_ct.c | 5 +-
.../selftests/netfilter/nft_concat_range.sh | 72 +++++++++-
tools/testing/selftests/netfilter/nft_nat.sh | 152 +++++++++++++++++++++
.../testing/selftests/netfilter/nft_zones_many.sh | 12 +-
11 files changed, 249 insertions(+), 24 deletions(-)
delete mode 100644 net/ipv6/netfilter/nf_flow_table_ipv6.c
^ permalink raw reply [flat|nested] 18+ messages in thread
* [PATCH net 0/8] Netfilter fixes for net
@ 2021-05-07 17:47 Pablo Neira Ayuso
0 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2021-05-07 17:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for your net tree:
1) Add SECMARK revision 1 to fix incorrect layout that prevents
from remove rule with this target, from Phil Sutter.
2) Fix pernet exit path spat in arptables, from Florian Westphal.
3) Missing rcu_read_unlock() for unknown nfnetlink callbacks,
reported by syzbot, from Eric Dumazet.
4) Missing check for skb_header_pointer() NULL pointer in
nfnetlink_osf.
5) Remove BUG_ON() after skb_header_pointer() from packet path
in several conntrack helper and the TCP tracker.
6) Fix memleak in the new object error path of userdata.
7) Avoid overflows in nft_hash_buckets(), reported by syzbot,
also from Eric.
8) Avoid overflows in 32bit arches, from Eric.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit bd1af6b5fffd36c12997bd48d61d39dc5796fa7b:
Documentation: ABI: sysfs-class-net-qmi: document pass-through file (2021-05-03 13:40:17 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 6c8774a94e6ad26f29ef103c8671f55c255c6201:
netfilter: nftables: avoid potential overflows on 32bit arches (2021-05-07 10:01:39 +0200)
----------------------------------------------------------------
Eric Dumazet (3):
netfilter: nfnetlink: add a missing rcu_read_unlock()
netfilter: nftables: avoid overflows in nft_hash_buckets()
netfilter: nftables: avoid potential overflows on 32bit arches
Florian Westphal (1):
netfilter: arptables: use pernet ops struct during unregister
Pablo Neira Ayuso (4):
netfilter: xt_SECMARK: add new revision to fix structure layout
netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check
netfilter: remove BUG_ON() after skb_header_pointer()
netfilter: nftables: Fix a memleak from userdata error path in new objects
include/linux/netfilter_arp/arp_tables.h | 3 +-
include/uapi/linux/netfilter/xt_SECMARK.h | 6 +++
net/ipv4/netfilter/arp_tables.c | 5 +-
net/ipv4/netfilter/arptable_filter.c | 2 +-
net/netfilter/nf_conntrack_ftp.c | 5 +-
net/netfilter/nf_conntrack_h323_main.c | 3 +-
net/netfilter/nf_conntrack_irc.c | 5 +-
net/netfilter/nf_conntrack_pptp.c | 4 +-
net/netfilter/nf_conntrack_proto_tcp.c | 6 ++-
net/netfilter/nf_conntrack_sane.c | 5 +-
net/netfilter/nf_tables_api.c | 11 ++--
net/netfilter/nfnetlink.c | 1 +
net/netfilter/nfnetlink_osf.c | 2 +
net/netfilter/nft_set_hash.c | 20 ++++---
net/netfilter/xt_SECMARK.c | 88 ++++++++++++++++++++++++-------
15 files changed, 124 insertions(+), 42 deletions(-)
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2022-08-10 8:00 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-22 21:59 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 1/8] MAINTAINERS: netfilter: add irc channel Pablo Neira Ayuso
2021-06-22 23:30 ` patchwork-bot+netdevbpf
2021-06-22 21:59 ` [PATCH net 2/8] netfilter: nft_exthdr: check for IPv6 packet before further processing Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 3/8] netfilter: nft_osf: check for TCP " Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 4/8] netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 5/8] netfilter: nf_tables: memleak in hw offload abort path Pablo Neira Ayuso
2021-06-22 21:59 ` [PATCH net 6/8] netfilter: nf_tables_offload: check FLOW_DISSECTOR_KEY_BASIC in VLAN transfer logic Pablo Neira Ayuso
2021-06-22 22:00 ` [PATCH net 7/8] netfilter: nf_tables: skip netlink portID validation if zero Pablo Neira Ayuso
2021-06-22 22:00 ` [PATCH net 8/8] netfilter: nf_tables: do not allow to delete table with owner by handle Pablo Neira Ayuso
2021-06-22 22:41 ` [PATCH net 0/8] Netfilter fixes for net David Miller
2021-06-22 23:06 ` Pablo Neira Ayuso
-- strict thread matches above, loose matches on Subject: below --
2022-08-09 22:05 Pablo Neira Ayuso
2022-08-10 4:27 ` Jakub Kicinski
2022-08-10 7:59 ` Pablo Neira Ayuso
2022-03-01 21:53 Pablo Neira Ayuso
2022-01-27 23:52 Pablo Neira Ayuso
2021-05-07 17:47 Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.