Netdev Archive on lore.kernel.org
* [PATCH 0/2] Netfilter fixes for net
@ 2015-12-22 17:53 Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
                   ` (2 more replies)
  0 siblings, 3 replies; 28+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two netfilter fixes:

1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
   attribute, from Florian Westphal.

2) Another oneliner for nf_tables to use skb->protocol from the new
   netdev family, we can't assume ethernet there.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 73796d8bf27372e26c2b79881947304c14c2d353:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2015-12-17 14:05:22 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to d5f79b6e4d169039903cc869e16e59ad861dd479:

  netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key (2015-12-18 14:45:45 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key

Pablo Neira Ayuso (1):
      netfilter: nf_tables: use skb->protocol instead of assuming ethernet header

 net/netfilter/nf_tables_netdev.c | 2 +-
 net/netfilter/nft_ct.c           | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)


* [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header
  2015-12-22 17:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
@ 2015-12-22 17:53 ` Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key Pablo Neira Ayuso
  2015-12-22 19:55 ` [PATCH 0/2] Netfilter fixes for net David Miller
  2 siblings, 0 replies; 28+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Otherwise we may end up with incorrect network and transport headers for
other protocols.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_netdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c
index 7b9c053..edb3502f 100644
--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -94,7 +94,7 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb,
 {
 	struct nft_pktinfo pkt;
 
-	switch (eth_hdr(skb)->h_proto) {
+	switch (skb->protocol) {
 	case htons(ETH_P_IP):
 		nft_netdev_set_pktinfo_ipv4(&pkt, skb, state);
 		break;
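Review bot: the commit message should spell out why eth_hdr() is wrong at this hook: nft_do_chain_netdev() runs for any device type registered with the netdev family, and eth_hdr() dereferences an Ethernet header at skb_mac_header() that non-Ethernet interfaces do not carry, so h_proto is unrelated data and nft_netdev_set_pktinfo_ipv4() then derives network and transport header offsets from a misclassified packet. skb->protocol is set by the driver (eth_type_trans() for Ethernet, directly for other link types), so the switch now keys on the value the rest of the stack already trusts. The hunk shows only the htons(ETH_P_IP) case; please confirm that the cases below it (not in this hunk) leave 802.1Q-tagged frames, where skb->protocol is ETH_P_8021Q rather than the inner ethertype, on the default path instead of parsing them as IP.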
-- 
2.1.4



* [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key
  2015-12-22 17:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
@ 2015-12-22 17:53 ` Pablo Neira Ayuso
  2015-12-22 19:55 ` [PATCH 0/2] Netfilter fixes for net David Miller
  2 siblings, 0 replies; 28+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

one nft userspace test case fails with

'ct l3proto original ipv4' mismatches 'ct l3proto ipv4'

... because NFTA_CT_DIRECTION attr is missing.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_ct.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 8cbca34..9399215 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -366,6 +366,7 @@ static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
 		goto nla_put_failure;
 
 	switch (priv->key) {
+	case NFT_CT_L3PROTOCOL:
 	case NFT_CT_PROTOCOL:
 	case NFT_CT_SRC:
 	case NFT_CT_DST:
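Review bot: the commit message gives the userspace symptom but not the cause; a sentence noting that NFT_CT_L3PROTOCOL is parsed together with a direction (the 'original' in the failing test case), so nft_ct_get_dump() must emit NFTA_CT_DIRECTION for it exactly as it already does for NFT_CT_PROTOCOL, NFT_CT_SRC and NFT_CT_DST, would make the fallthrough into the existing case list self-explaining. Without it, a ruleset that is listed and reloaded silently loses the direction qualifier, which is a policy-correctness problem and not only a test failure. A Fixes: tag naming the commit that introduced direction handling for this key would also let stable pick it up.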
-- 
2.1.4



* Re: [PATCH 0/2] Netfilter fixes for net
  2015-12-22 17:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key Pablo Neira Ayuso
@ 2015-12-22 19:55 ` David Miller
  2 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2015-12-22 19:55 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 22 Dec 2015 18:53:15 +0100

> The following patchset contains two netfilter fixes:
> 
> 1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
>    attribute, from Florian Westphal.
> 
> 2) Another oneliner for nf_tables to use skb->protocol from the new
>    netdev family, we can't assume ethernet there.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.


* Re: [PATCH 0/2] Netfilter fixes for net
  2019-10-02 18:53 Pablo Neira Ayuso
@ 2019-10-02 20:23 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2019-10-02 20:23 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed,  2 Oct 2019 20:53:43 +0200

> The following patchset contains Netfilter fixes for net:
> 
> 1) Remove the skb_ext_del from nf_reset, and renames it to a more
>    fitting nf_reset_ct(). Patch from Florian Westphal.
> 
> 2) Fix deadlock in nft_connlimit between packet path updates and
>    the garbage collector.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.


* [PATCH 0/2] Netfilter fixes for net
@ 2019-10-02 18:53 Pablo Neira Ayuso
  2019-10-02 20:23 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2019-10-02 18:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi,

The following patchset contains Netfilter fixes for net:

1) Remove the skb_ext_del from nf_reset, and renames it to a more
   fitting nf_reset_ct(). Patch from Florian Westphal.

2) Fix deadlock in nft_connlimit between packet path updates and
   the garbage collector.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 9cfc370240c31c7f31f445e69190dd15be8e5d7d:

  Merge tag 'mac80211-for-davem-2019-10-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 (2019-10-01 09:28:56 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 34a4c95abd25ab41fb390b985a08a651b1fa0b0f:

  netfilter: nft_connlimit: disable bh on garbage collection (2019-10-01 18:42:15 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: drop bridge nf reset from nf_reset

Pablo Neira Ayuso (1):
      netfilter: nft_connlimit: disable bh on garbage collection

 drivers/net/ppp/pptp.c                | 4 ++--
 drivers/net/tun.c                     | 2 +-
 drivers/net/virtio_net.c              | 2 +-
 drivers/net/vrf.c                     | 8 ++++----
 drivers/net/wireless/mac80211_hwsim.c | 4 ++--
 drivers/staging/octeon/ethernet-tx.c  | 6 ++----
 include/linux/skbuff.h                | 5 +----
 net/batman-adv/soft-interface.c       | 2 +-
 net/core/skbuff.c                     | 2 +-
 net/dccp/ipv4.c                       | 2 +-
 net/ipv4/ip_input.c                   | 2 +-
 net/ipv4/ipmr.c                       | 4 ++--
 net/ipv4/netfilter/nf_dup_ipv4.c      | 2 +-
 net/ipv4/raw.c                        | 2 +-
 net/ipv4/tcp_ipv4.c                   | 2 +-
 net/ipv4/udp.c                        | 4 ++--
 net/ipv6/ip6_input.c                  | 2 +-
 net/ipv6/netfilter/nf_dup_ipv6.c      | 2 +-
 net/ipv6/raw.c                        | 2 +-
 net/l2tp/l2tp_core.c                  | 2 +-
 net/l2tp/l2tp_eth.c                   | 2 +-
 net/l2tp/l2tp_ip.c                    | 2 +-
 net/l2tp/l2tp_ip6.c                   | 2 +-
 net/netfilter/ipvs/ip_vs_xmit.c       | 2 +-
 net/netfilter/nft_connlimit.c         | 7 ++++++-
 net/openvswitch/vport-internal_dev.c  | 2 +-
 net/packet/af_packet.c                | 4 ++--
 net/sctp/input.c                      | 2 +-
 net/xfrm/xfrm_input.c                 | 2 +-
 net/xfrm/xfrm_interface.c             | 2 +-
 net/xfrm/xfrm_output.c                | 2 +-
 net/xfrm/xfrm_policy.c                | 2 +-
 32 files changed, 46 insertions(+), 46 deletions(-)


* Re: [PATCH 0/2] Netfilter fixes for net
  2019-02-11 16:53 Pablo Neira Ayuso
@ 2019-02-11 18:43 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2019-02-11 18:43 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 11 Feb 2019 17:53:17 +0100

> The following patchset contains Netfilter fixes for net:
> 
> 1) Out-of-bound access to packet data from the snmp nat helper,
>    from Jann Horn.
> 
> 2) ICMP(v6) error packets are set as related traffic by conntrack,
>    update protocol number before calling nf_nat_ipv4_manip_pkt()
>    to use ICMP(v6) rather than the original protocol number,
>    from Florian Westphal.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.


* [PATCH 0/2] Netfilter fixes for net
@ 2019-02-11 16:53 Pablo Neira Ayuso
  2019-02-11 18:43 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2019-02-11 16:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter fixes for net:

1) Out-of-bound access to packet data from the snmp nat helper,
   from Jann Horn.

2) ICMP(v6) error packets are set as related traffic by conntrack,
   update protocol number before calling nf_nat_ipv4_manip_pkt()
   to use ICMP(v6) rather than the original protocol number,
   from Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 31b58ad0c3279817cd246eab27eaf53b626dfcde:

  Merge branch 'r8169-revert-two-commits-due-to-a-regression' (2019-02-10 12:54:49 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 8303b7e8f018724a2cd7752eb29c2801fa8c4067:

  netfilter: nat: fix spurious connection timeouts (2019-02-11 17:43:17 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nat: fix spurious connection timeouts

Jann Horn (1):
      netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs

 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c    | 1 +
 net/ipv4/netfilter/nf_nat_snmp_basic_main.c | 7 ++++++-
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c    | 1 +
 3 files changed, 8 insertions(+), 1 deletion(-)


* Re: [PATCH 0/2] Netfilter fixes for net
  2017-11-01 18:48 Pablo Neira Ayuso
@ 2017-11-02  7:53 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2017-11-02  7:53 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed,  1 Nov 2017 19:48:10 +0100

> The following patchset contains two one-liner fixes for your net tree,
> they are:
> 
> 1) Disable fast hash operations for 2-bytes length keys which is leading
>    to incorrect lookups in nf_tables, from Anatole Denis.
> 
> 2) Reload pointer ipv4 header after ip_route_me_harder() given this may
>    result in use-after-free due to skbuff header reallocation, patch
>    from Tejaswi Tanikella.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks a lot Pablo.


* [PATCH 0/2] Netfilter fixes for net
@ 2017-11-01 18:48 Pablo Neira Ayuso
  2017-11-02  7:53 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2017-11-01 18:48 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two one-liner fixes for your net tree,
they are:

1) Disable fast hash operations for 2-bytes length keys which is leading
   to incorrect lookups in nf_tables, from Anatole Denis.

2) Reload pointer ipv4 header after ip_route_me_harder() given this may
   result in use-after-free due to skbuff header reallocation, patch
   from Tejaswi Tanikella.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 28e33f9d78eefe98ea86673ab31e988b37a9a738:

  bpf: disallow arithmetic operations on context pointer (2017-10-18 13:21:13 +0100)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 7400bb4b5800831581a82f71700af6a5e815c3c8:

  netfilter: nf_reject_ipv4: Fix use-after-free in send_reset (2017-11-01 12:15:29 +0100)

----------------------------------------------------------------
Anatole Denis (1):
      netfilter: nft_set_hash: disable fast_ops for 2-len keys

Tejaswi Tanikella (1):
      netfilter: nf_reject_ipv4: Fix use-after-free in send_reset

 net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
 net/netfilter/nft_set_hash.c        | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

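The second fix in this pull request, reloading the IPv4 header pointer after ip_route_me_harder(), illustrates a general pattern: any call that may reallocate the packet buffer invalidates pointers taken before it. The following is an added example, not code from the kernel or from this patch set; it models an skb with a stand-in for ip_route_me_harder() that, like pskb_expand_head(), may move the packet into a fresh allocation, and shows the reload-after-call pattern. All fake_-prefixed names are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for sk_buff: one allocation, the IPv4 header starts
 * at head + headroom. (Constructed for the example, not the kernel's.) */
struct fake_skb {
    unsigned char *head;   /* start of the allocation */
    size_t headroom;       /* free bytes before the IP header */
    size_t len;            /* bytes of packet data after the headroom */
};

/* Only the IPv4 header fields the example touches. */
struct fake_iphdr {
    uint8_t  version_ihl;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

/* Equivalent of ip_hdr(): always derive the pointer from the skb. */
static struct fake_iphdr *fake_ip_hdr(const struct fake_skb *skb)
{
    return (struct fake_iphdr *)(skb->head + skb->headroom);
}

/* Build a packet with the given headroom and TTL. Returns 0 or -1. */
static int fake_skb_init(struct fake_skb *skb, size_t headroom, uint8_t ttl)
{
    skb->headroom = headroom;
    skb->len = sizeof(struct fake_iphdr);
    skb->head = calloc(1, headroom + skb->len);
    if (!skb->head)
        return -1;
    fake_ip_hdr(skb)->version_ihl = 0x45;
    fake_ip_hdr(skb)->ttl = ttl;
    return 0;
}

/* Stand-in for ip_route_me_harder(): rerouting may need more headroom for
 * a new link-layer header. When it does, the packet is copied into a fresh
 * allocation and the old one is freed, so every pointer into the old buffer
 * dangles. Returns 1 if the buffer moved, 0 if not, -1 on failure. */
static int fake_route_me_harder(struct fake_skb *skb, size_t need_headroom)
{
    unsigned char *new_head;

    if (skb->headroom >= need_headroom)
        return 0;   /* enough room: headers stay where they were */
    new_head = calloc(1, need_headroom + skb->len);
    if (!new_head)
        return -1;
    memcpy(new_head + need_headroom, skb->head + skb->headroom, skb->len);
    free(skb->head);
    skb->head = new_head;
    skb->headroom = need_headroom;
    return 1;
}

/* Shows when a cached header pointer goes stale: 1 if the header address
 * changed across the call, 0 if not, -1 on failure. The old address is kept
 * only as an integer so nothing dereferences freed memory. */
static int fake_header_moved(struct fake_skb *skb, size_t need_headroom)
{
    uintptr_t before = (uintptr_t)fake_ip_hdr(skb);

    if (fake_route_me_harder(skb, need_headroom) < 0)
        return -1;
    return (uintptr_t)fake_ip_hdr(skb) != before;
}

/* The safe pattern: re-derive the header pointer after any call that may
 * reallocate. Returns the TTL read through the reloaded pointer, -1 on
 * allocation failure, -2 if the copy lost data. The buggy variant keeps
 * using the `iph` taken before the call; on the "moved" path that reads
 * freed memory, which is why it is not executed here. */
static int fake_send_reset_fixed(struct fake_skb *skb, size_t need_headroom)
{
    struct fake_iphdr *iph = fake_ip_hdr(skb);
    uint8_t ttl_before = iph->ttl;   /* still valid: nothing has moved yet */

    if (fake_route_me_harder(skb, need_headroom) < 0)
        return -1;
    iph = fake_ip_hdr(skb);          /* the fix: reload from the skb */
    return iph->ttl == ttl_before ? iph->ttl : -2;
}
```

Whether the buffer moves depends on the headroom the device needs, which is why the stale-pointer read is latent and only surfaces for some routes.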

* Re: [PATCH 0/2] Netfilter fixes for net
  2017-09-20 10:49 Pablo Neira Ayuso
@ 2017-09-20 23:08 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2017-09-20 23:08 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 20 Sep 2017 12:49:01 +0200

> The following patchset contains two Netfilter fixes for your net tree,
> they are:
> 
> 1) Fix NAT compilation with UP, from Geert Uytterhoeven.
> 
> 2) Fix incorrect number of entries when dumping a set, from
>    Vishwanath Pai.

Pulled, thanks Pablo.


* [PATCH 0/2] Netfilter fixes for net
@ 2017-09-20 10:49 Pablo Neira Ayuso
  2017-09-20 23:08 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2017-09-20 10:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two Netfilter fixes for your net tree,
they are:

1) Fix NAT compilation with UP, from Geert Uytterhoeven.

2) Fix incorrect number of entries when dumping a set, from
   Vishwanath Pai.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 2bd6bf03f4c1c59381d62c61d03f6cc3fe71f66e:

  Linux 4.14-rc1 (2017-09-16 15:47:51 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 7f4f7dd4417d9efd038b14d39c70170db2e0baa0:

  netfilter: ipset: ipset list may return wrong member count for set with timeout (2017-09-18 17:35:32 +0200)

----------------------------------------------------------------
Geert Uytterhoeven (1):
      netfilter: nat: Do not use ARRAY_SIZE() on spinlocks to fix zero div

Vishwanath Pai (1):
      netfilter: ipset: ipset list may return wrong member count for set with timeout

 net/netfilter/ipset/ip_set_hash_gen.h | 14 +++++++++++++-
 net/netfilter/nf_nat_core.c           | 12 ++++++------
 2 files changed, 19 insertions(+), 7 deletions(-)


* Re: [PATCH 0/2] Netfilter fixes for net
  2017-07-06 12:54 Pablo Neira Ayuso
@ 2017-07-06 13:03 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2017-07-06 13:03 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu,  6 Jul 2017 14:54:23 +0200

> The following patchset contains two Netfilter fixes for your net tree,
> they are:
> 
> 1) Fix memleak from netns release path of conntrack protocol trackers,
>    patch from Liping Zhang.
> 
> 2) Uninitialized flags field in ebt_log, that results in unpredictable
>    logging format in ebtables, also from Liping.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
> 
> Thanks a lot!

My name is David, and how do you do?

Pulled, thanks Pablo.


* [PATCH 0/2] Netfilter fixes for net
@ 2017-07-06 12:54 Pablo Neira Ayuso
  2017-07-06 13:03 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-06 12:54 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two Netfilter fixes for your net tree,
they are:

1) Fix memleak from netns release path of conntrack protocol trackers,
   patch from Liping Zhang.

2) Uninitialized flags field in ebt_log, that results in unpredictable
   logging format in ebtables, also from Liping.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks a lot!

----------------------------------------------------------------

The following changes since commit e20bd60bf62a2448be873653c7febca1d4d73afc:

  net: usb: asix88179_178a: Add support for the Belkin B2B128 (2017-06-27 15:46:07 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 91af6ba7ff16bd7e5919aedfe70aad73a3375619:

  netfilter: ebt_nflog: fix unexpected truncated packet (2017-06-29 18:47:02 +0200)

----------------------------------------------------------------
Liping Zhang (2):
      netfilter: nf_ct_dccp/sctp: fix memory leak after netns cleanup
      netfilter: ebt_nflog: fix unexpected truncated packet

 net/bridge/netfilter/ebt_nflog.c        | 1 +
 net/netfilter/nf_conntrack_proto_dccp.c | 7 +++++++
 net/netfilter/nf_conntrack_proto_sctp.c | 7 +++++++
 3 files changed, 15 insertions(+)


* Re: [PATCH 0/2] Netfilter fixes for net
  2015-04-27 18:41 Pablo Neira Ayuso
@ 2015-04-28  3:13 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2015-04-28  3:13 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 27 Apr 2015 20:41:55 +0200

> The following patchset contains Netfilter fixes for your net tree,
> they are:
> 
> 1) Fix a crash in nf_tables when dictionaries are used from the ruleset,
>    due to memory corruption, from Florian Westphal.
> 
> 2) Fix another crash in nf_queue when used with br_netfilter. Also from
>    Florian.
> 
> Both fixes are related to new stuff that got in 4.0-rc.

Pulled, thanks Pablo.


* [PATCH 0/2] Netfilter fixes for net
@ 2015-04-27 18:41 Pablo Neira Ayuso
  2015-04-28  3:13 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2015-04-27 18:41 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix a crash in nf_tables when dictionaries are used from the ruleset,
   due to memory corruption, from Florian Westphal.

2) Fix another crash in nf_queue when used with br_netfilter. Also from
   Florian.

Both fixes are related to new stuff that got in 4.0-rc.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit b357a364c57c940ddb932224542494363df37378:

  inet: fix possible panic in reqsk_queue_unlink() (2015-04-24 11:39:15 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to 547c4b547e07dcc60874b6ef6252dd49ff74aec1:

  netfilter: bridge: fix NULL deref in physin/out ifindex helpers (2015-04-24 20:51:40 +0200)

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: nf_tables: fix wrong length for jump/goto verdicts
      netfilter: bridge: fix NULL deref in physin/out ifindex helpers

 include/linux/netfilter_bridge.h |   16 ++++++++++++++--
 net/netfilter/nf_tables_api.c    |    3 +--
 2 files changed, 15 insertions(+), 4 deletions(-)


* Re: [PATCH 0/2] Netfilter fixes for net
  2014-11-20 12:30 Pablo Neira Ayuso
@ 2014-11-21  5:12 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2014-11-21  5:12 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 20 Nov 2014 13:30:49 +0100

> The following patchset contains two bugfixes for your net tree, they are:
> 
> 1) Validate netlink group from nfnetlink to avoid an out of bound array
>    access. This should only happen with superuser privileges though.
>    Discovered by Andrey Ryabinin using trinity.
> 
> 2) Don't push ethernet header before calling the netfilter output hook
>    for multicast traffic, this breaks ebtables since it expects to see
>    skb->data pointing to the network header, patch from Linus Luessing.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.


* [PATCH 0/2] Netfilter fixes for net
@ 2014-11-20 12:30 Pablo Neira Ayuso
  2014-11-21  5:12 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2014-11-20 12:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two bugfixes for your net tree, they are:

1) Validate netlink group from nfnetlink to avoid an out of bound array
   access. This should only happen with superuser privileges though.
   Discovered by Andrey Ryabinin using trinity.

2) Don't push ethernet header before calling the netfilter output hook
   for multicast traffic, this breaks ebtables since it expects to see
   skb->data pointing to the network header, patch from Linus Luessing.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit feb91a02ccb09661507f170b2a444aec94f307f9:

  ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs (2014-11-16 16:55:06 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to f0b4eeced518c632210ef2aea44fc92cc9e86cce:

  bridge: fix netfilter/NF_BR_LOCAL_OUT for own, locally generated queries (2014-11-17 12:38:02 +0100)

----------------------------------------------------------------
Linus Lüssing (1):
      bridge: fix netfilter/NF_BR_LOCAL_OUT for own, locally generated queries

Pablo Neira Ayuso (1):
      netfilter: nfnetlink: fix insufficient validation in nfnetlink_bind

 net/bridge/br_multicast.c |    3 +--
 net/netfilter/nfnetlink.c |   12 +++++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)


* Re: [PATCH 0/2] netfilter fixes for net
  2014-01-07 22:13 [PATCH 0/2] netfilter " Pablo Neira Ayuso
@ 2014-01-07 23:38 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2014-01-07 23:38 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue,  7 Jan 2014 23:13:37 +0100

> The following patchset contains two patches:
> 
> * fix the IRC NAT helper which was broken when adding (incomplete) IPv6
>   support, from Daniel Borkmann.
> 
> * Refine the previous bugtrap that Jesper added to catch problems for the
>   usage of the sequence adjustment extension in IPVs in Dec 16th, it may
>   spam messages in case of finding a real bug.
> 
> I know it's fairly late, so please let me know if you prefer that I pass
> you these via net-next.

These look fine, thanks Pablo.


* [PATCH 0/2] netfilter fixes for net
@ 2014-01-07 22:13 " Pablo Neira Ayuso
  2014-01-07 23:38 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2014-01-07 22:13 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two patches:

* fix the IRC NAT helper which was broken when adding (incomplete) IPv6
  support, from Daniel Borkmann.

* Refine the previous bugtrap that Jesper added to catch problems for the
  usage of the sequence adjustment extension in IPVs in Dec 16th, it may
  spam messages in case of finding a real bug.

I know it's fairly late, so please let me know if you prefer that I pass
you these via net-next.

Thanks!

----------------------------------------------------------------

The following changes since commit f35f76ee76df008131bbe01a2297de0c55ee2297:

  xen-netback: Include header for vmalloc (2014-01-05 20:34:36 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to f2661adc0c134d890d84c32d7cb54a2b4d1f0a5f:

  netfilter: only warn once on wrong seqadj usage (2014-01-06 14:23:17 +0100)

----------------------------------------------------------------
Daniel Borkmann (1):
      netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper

Jesper Dangaard Brouer (1):
      netfilter: only warn once on wrong seqadj usage

 net/netfilter/nf_conntrack_seqadj.c |    2 +-
 net/netfilter/nf_nat_irc.c          |   32 +++++++++++++++++++++++++++-----
 2 files changed, 28 insertions(+), 6 deletions(-)


* Re: [PATCH 0/2] netfilter fixes for net
  2013-12-13 18:24 Pablo Neira Ayuso
@ 2013-12-17 20:07 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2013-12-17 20:07 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 13 Dec 2013 19:24:57 +0100

> The following patchset contains two Netfilter fixes for your net
> tree, they are:
> 
> * Fix endianness in nft_reject, the NFTA_REJECT_TYPE netlink attributes
>   was not converted to network byte order as needed by all nfnetlink
>   subsystems, from Eric Leblond.
> 
> * Restrict SYNPROXY target to INPUT and FORWARD chains, this avoids a
>   possible crash due to misconfigurations, from Patrick McHardy.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Pulled, thanks Pablo.


* [PATCH 0/2] netfilter fixes for net
@ 2013-12-13 18:24 Pablo Neira Ayuso
  2013-12-17 20:07 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2013-12-13 18:24 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two Netfilter fixes for your net
tree, they are:

* Fix endianness in nft_reject, the NFTA_REJECT_TYPE netlink attributes
  was not converted to network byte order as needed by all nfnetlink
  subsystems, from Eric Leblond.

* Restrict SYNPROXY target to INPUT and FORWARD chains, this avoids a
  possible crash due to misconfigurations, from Patrick McHardy.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Thanks!

----------------------------------------------------------------

The following changes since commit 8afdd99a1315e759de04ad6e2344f0c5f17ecb1b:

  udp: ipv4: fix an use after free in __udp4_lib_rcv() (2013-12-10 22:58:40 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to a3adadf3018102c24754e0b53a5515c40fbaff4a:

  netfilter: nft_reject: fix endianness in dump function (2013-12-12 09:37:39 +0100)

----------------------------------------------------------------
Eric Leblond (1):
      netfilter: nft_reject: fix endianness in dump function

Patrick McHardy (1):
      netfilter: SYNPROXY target: restrict to INPUT/FORWARD

 net/ipv4/netfilter/ipt_SYNPROXY.c    |    1 +
 net/ipv4/netfilter/nft_reject_ipv4.c |    2 +-
 net/ipv6/netfilter/ip6t_SYNPROXY.c   |    1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

-- 
1.7.10.4


* Re: [PATCH 0/2] netfilter fixes for net
  2013-04-19  1:16 Pablo Neira Ayuso
@ 2013-04-19 18:25 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2013-04-19 18:25 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 19 Apr 2013 03:16:00 +0200

> If time allows, please consider pulling the following patchset, which contains
> two late Netfilter fixes, they are:
> 
> * Skip broadcast/multicast locally generated traffic in the rpfilter,
>   (closes netfilter bugzilla #814), from Florian Westphal.
> 
> * Fix missing elements in the listing of ipset bitmap ip,mac set
>   type with timeout support enabled, from Jozsef Kadlecsik.
> 
> The following changes since commit c2d421e171868586939c328dfb91bab840fe4c49:
> 
>   netfilter: nf_nat: fix race when unloading protocol modules (2013-04-12 11:46:31 +0200)
> 
> are available in the git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Pulled, thanks Pablo.


* [PATCH 0/2] netfilter fixes for net
@ 2013-04-19  1:16 Pablo Neira Ayuso
  2013-04-19 18:25 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: Pablo Neira Ayuso @ 2013-04-19  1:16 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

If time allows, please consider pulling the following patchset, which contains two
late Netfilter fixes. They are:

* Skip broadcast/multicast locally generated traffic in the rpfilter,
  (closes netfilter bugzilla #814), from Florian Westphal.

* Fix missing elements in the listing of ipset bitmap ip,mac set
  type with timeout support enabled, from Jozsef Kadlecsik.

The following changes since commit c2d421e171868586939c328dfb91bab840fe4c49:

  netfilter: nf_nat: fix race when unloading protocol modules (2013-04-12 11:46:31 +0200)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to f83a7ea2075ca896f2dbf07672bac9cf3682ff74:

  netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too (2013-04-19 00:11:59 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too

Jozsef Kadlecsik (1):
      netfilter: ipset: bitmap:ip,mac: fix listing with timeout

 net/ipv4/netfilter/ipt_rpfilter.c         |    8 +++++++-
 net/ipv6/netfilter/ip6t_rpfilter.c        |    8 +++++++-
 net/netfilter/ipset/ip_set_bitmap_ipmac.c |    6 +++++-
 3 files changed, 19 insertions(+), 3 deletions(-)



* Re: [PATCH 0/2] netfilter fixes for net
  2013-02-26 13:45 pablo
@ 2013-02-26 22:24 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2013-02-26 22:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: pablo@netfilter.org
Date: Tue, 26 Feb 2013 14:45:18 +0100

> From: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> Hi David,
> 
> The following patchset contains two bugfixes for netfilter/ipset via
> Jozsef Kadlecsik. They are:
> 
> * Fix timeout corruption if sets are resized, by Josh Hunt.
> 
> * Fix bogus error report if the flag nomatch is set, from Jozsef.
> 
> You can pull these changes from:
> 
> git://1984.lsi.us.es/nf master

Pulled, thanks Pablo.


* [PATCH 0/2] netfilter fixes for net
@ 2013-02-26 13:45 pablo
  2013-02-26 22:24 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: pablo @ 2013-02-26 13:45 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following patchset contains two bugfixes for netfilter/ipset via
Jozsef Kadlecsik. They are:

* Fix timeout corruption if sets are resized, by Josh Hunt.

* Fix bogus error report if the flag nomatch is set, from Jozsef.

You can pull these changes from:

git://1984.lsi.us.es/nf master

Thanks!

Josh Hunt (1):
  netfilter: ipset: timeout values corrupted on set resize

Jozsef Kadlecsik (1):
  netfilter: ipset: "Directory not empty" error message

 include/linux/netfilter/ipset/ip_set_ahash.h |    4 +++-
 net/netfilter/ipset/ip_set_core.c            |    3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

-- 
1.7.10.4


* Re: [PATCH 0/2] netfilter fixes for net
  2012-11-22  9:10 pablo
@ 2012-11-22 20:28 ` David Miller
  0 siblings, 0 replies; 28+ messages in thread
From: David Miller @ 2012-11-22 20:28 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: pablo@netfilter.org
Date: Thu, 22 Nov 2012 10:10:50 +0100

> The following patchset contains two Netfilter fixes:
> 
> * Fix buffer overflow in the name of the timeout policy object
>   in the cttimeout infrastructure, from Florian Westphal.
> 
> * Fix a bug in the hash set in case IP ranges are
>   specified, from Jozsef Kadlecsik.

Pulled, thanks Pablo.


* [PATCH 0/2] netfilter fixes for net
@ 2012-11-22  9:10 pablo
  2012-11-22 20:28 ` David Miller
  0 siblings, 1 reply; 28+ messages in thread
From: pablo @ 2012-11-22  9:10 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following patchset contains two Netfilter fixes:

* Fix buffer overflow in the name of the timeout policy object
  in the cttimeout infrastructure, from Florian Westphal.

* Fix a bug in the hash set in case IP ranges are
  specified, from Jozsef Kadlecsik.

You can pull these changes from:

git://1984.lsi.us.es/nf master

Thanks!

Florian Westphal (1):
  netfilter: cttimeout: fix buffer overflow

Jozsef Kadlecsik (1):
  netfilter: ipset: Fix range bug in hash:ip,port,net

 net/netfilter/ipset/ip_set_hash_ip.c        |    4 ++--
 net/netfilter/ipset/ip_set_hash_ipport.c    |    7 +++----
 net/netfilter/ipset/ip_set_hash_ipportip.c  |    7 +++----
 net/netfilter/ipset/ip_set_hash_ipportnet.c |    7 +++++--
 net/netfilter/nfnetlink_cttimeout.c         |    3 ++-
 5 files changed, 15 insertions(+), 13 deletions(-)

-- 
1.7.10.4

