All of lore.kernel.org
 help / color / mirror / Atom feed
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org
Subject: [PATCH net 0/3] Netfilter fixes for net
Date: Sat, 12 Mar 2022 23:03:12 +0100	[thread overview]
Message-ID: <20220312220315.64531-1-pablo@netfilter.org> (raw)

Hi,

The following patchset contains Netfilter fixes for net coming late
in the 5.17-rc process:

1) Revert port remap to mitigate shadowing service ports, this is causing
   problems in existing setups and this mitigation can be achieved with
   explicit ruleset, eg.

	... tcp sport < 16386 tcp dport >= 32768 masquerade random

  This patches provided a built-in policy similar to the one described above.

2) Disable register tracking infrastructure in nf_tables. Florian reported
   two issues:

   - Existing expressions with no implemented .reduce interface
     that causes data-store on register should cancel the tracking.
   - Register clobbering might be possible storing data on registers that
     are larger than 32-bits.

   This might lead to generating incorrect ruleset bytecode. These two
   issues are scheduled to be addressed in the next release cycle.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit f8e9bd34cedd89b93b1167aa32ab8ecd6c2ccf4a:

  Merge branch 'smc-fix' (2022-03-03 10:34:18 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to ed5f85d4229010235eab1e3d9acf6970d9304963:

  netfilter: nf_tables: disable register tracking (2022-03-12 16:07:38 +0100)

----------------------------------------------------------------
Florian Westphal (2):
      Revert "netfilter: nat: force port remap to prevent shadowing well-known ports"
      Revert "netfilter: conntrack: tag conntracks picked up in local out hook"

Pablo Neira Ayuso (1):
      netfilter: nf_tables: disable register tracking

 include/net/netfilter/nf_conntrack.h         |  1 -
 net/netfilter/nf_conntrack_core.c            |  3 --
 net/netfilter/nf_nat_core.c                  | 43 ++--------------------------
 net/netfilter/nf_tables_api.c                |  9 ++++--
 tools/testing/selftests/netfilter/nft_nat.sh |  5 ++--
 5 files changed, 12 insertions(+), 49 deletions(-)

             reply	other threads:[~2022-03-12 22:03 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-12 22:03 Pablo Neira Ayuso [this message]
2022-03-12 22:03 ` [PATCH net 1/3] Revert "netfilter: nat: force port remap to prevent shadowing well-known ports" Pablo Neira Ayuso
2022-03-14 23:00   ` patchwork-bot+netdevbpf
2022-03-12 22:03 ` [PATCH net 2/3] Revert "netfilter: conntrack: tag conntracks picked up in local out hook" Pablo Neira Ayuso
2022-03-12 22:03 ` [PATCH net 3/3] netfilter: nf_tables: disable register tracking Pablo Neira Ayuso
2022-03-14 22:54 ` [PATCH net 0/3] Netfilter fixes for net Jakub Kicinski
2022-03-14 23:07   ` Florian Westphal
2022-03-14 23:18     ` Jakub Kicinski
  -- strict thread matches above, loose matches on Subject: below --
2024-04-18  1:09 Pablo Neira Ayuso
2024-03-21  0:06 Pablo Neira Ayuso
2024-02-29  0:01 Pablo Neira Ayuso
2024-02-14 23:38 Pablo Neira Ayuso
2023-07-26 15:23 [PATCH net 0/3] netfilter " Florian Westphal
2023-06-08 19:57 [PATCH net 0/3] Netfilter " Pablo Neira Ayuso
2023-05-17 12:37 Florian Westphal
2023-05-03  6:32 Pablo Neira Ayuso
2023-03-07 10:04 Pablo Neira Ayuso
2023-03-07 12:57 ` Paolo Abeni
2023-03-07 17:26   ` Jakub Kicinski
2023-03-08  9:34     ` Pablo Neira Ayuso
2023-03-01 22:20 Pablo Neira Ayuso
2023-01-13 16:41 Pablo Neira Ayuso
2023-01-18  3:03 ` Jakub Kicinski
2023-01-11 21:22 Pablo Neira Ayuso
2022-11-22 21:28 Pablo Neira Ayuso
2022-11-09 11:28 Pablo Neira Ayuso
2022-10-12 12:18 [PATCH net 0/3] netfilter " Florian Westphal
2022-07-11  9:33 [PATCH net 0/3] Netfilter " Pablo Neira Ayuso
2022-06-29 17:13 Pablo Neira Ayuso
2022-06-30  3:20 ` patchwork-bot+netdevbpf
2022-04-28 14:21 Pablo Neira Ayuso
2022-03-28  8:20 Pablo Neira Ayuso
2022-03-17 20:25 Pablo Neira Ayuso
2021-12-17  8:53 Pablo Neira Ayuso
2021-06-10 16:54 Pablo Neira Ayuso
2021-02-02 15:21 Pablo Neira Ayuso
2021-02-02 15:25 ` Pablo Neira Ayuso
2021-01-27 13:25 Pablo Neira Ayuso
2021-01-12 22:20 Pablo Neira Ayuso
2021-01-13  4:26 ` Jakub Kicinski
2021-01-03 19:29 Pablo Neira Ayuso
2021-01-04 23:04 ` Jakub Kicinski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220312220315.64531-1-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.