From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com, fw@strlen.de
Subject: [PATCH net 0/3] Netfilter fixes for net
Date: Thu, 29 Feb 2024 01:01:32 +0100
Message-ID: <20240229000135.8780-1-pablo@netfilter.org>

Hi,

The following patchset contains Netfilter fixes for net:

Patch #1 restores NFPROTO_INET with nft_compat, from Ignat Korchagin.

Patch #2 fixes an issue with bridge netfilter and broadcast/multicast
packets.

There is a day 0 bug in br_netfilter when used with connection tracking.

Conntrack assumes that an nf_conn structure that is not yet added to the
hash table ("unconfirmed") is only visible to the current CPU that is
processing the sk_buff.

For bridge this isn't true: the sk_buff can get cloned in between, and
the clones can be processed in parallel on different CPUs.

This patch disables NAT and conntrack helpers for multicast packets.

Patch #3 adds a selftest to cover the br_netfilter bug.

Please pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-02-29

Thanks.

----------------------------------------------------------------

The following changes since commit 359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79:

  l2tp: pass correct message length to ip6_append_data (2024-02-22 10:42:17 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-02-29

for you to fetch changes up to 6523cf516c55db164f8f73306027b1caebb5628e:

  selftests: netfilter: add bridge conntrack + multicast test case (2024-02-29 00:22:48 +0100)

----------------------------------------------------------------
netfilter pull request 24-02-29

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: bridge: confirm multicast packets before passing them up the stack
      selftests: netfilter: add bridge conntrack + multicast test case

Ignat Korchagin (1):
      netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()

 include/linux/netfilter.h                          |   1 +
 net/bridge/br_netfilter_hooks.c                    |  96 +++++++++++
 net/bridge/netfilter/nf_conntrack_bridge.c         |  30 ++++
 net/netfilter/nf_conntrack_core.c                  |   1 +
 net/netfilter/nft_compat.c                         |  20 +++
 tools/testing/selftests/netfilter/Makefile         |   3 +-
 .../selftests/netfilter/bridge_netfilter.sh        | 188 +++++++++++++++++++++
 7 files changed, 338 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/netfilter/bridge_netfilter.sh
