From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.us.es ([193.147.175.20]:58602 "EHLO mail.us.es"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752736AbeCXUea (ORCPT ); Sat, 24 Mar 2018 16:34:30 -0400
Received: from antivirus1-rhel7.int (unknown [192.168.2.11])
        by mail.us.es (Postfix) with ESMTP id 6AD27E2C41
        for ; Sat, 24 Mar 2018 21:34:16 +0100 (CET)
Received: from antivirus1-rhel7.int (localhost [127.0.0.1])
        by antivirus1-rhel7.int (Postfix) with ESMTP id 56B7EBAC29
        for ; Sat, 24 Mar 2018 21:34:16 +0100 (CET)
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 0/7] Netfilter fixes for net
Date: Sat, 24 Mar 2018 21:34:16 +0100
Message-Id: <20180324203423.4513-1-pablo@netfilter.org>
Sender: netdev-owner@vger.kernel.org
List-ID:

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Don't pick fixed hash implementation for NFT_SET_EVAL sets, otherwise
   userspace hits EOPNOTSUPP with valid rules using the meter statement,
   from Florian Westphal.

2) If you send a batch that flushes the existing ruleset (that contains
   a NAT chain) and the new ruleset definition comes with a new NAT
   chain, don't bogusly hit EBUSY. Also from Florian.

3) Missing netlink policy attribute validation, from Florian.

4) Detach conntrack template from skbuff if IP_NODEFRAG is set on,
   from Paolo Abeni.

5) Cache device names in flowtable object, otherwise we may end up
   walking over devices going away given no rtnl_lock is held.

6) Fix incorrect net_device ingress with ingress hooks.

7) Fix crash when trying to read more data than available in UDP
   packets from the nf_socket infrastructure, from Subash.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 36fe095606f881e6a3c7f9283c986aec6083f3e6:

  Merge branch 'phy-relax-error-checking' (2018-03-19 21:14:27 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 32c1733f0dd4bd11d6e65512bf4dc337c0452c8e:

  netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6} (2018-03-24 21:17:14 +0100)

----------------------------------------------------------------
Florian Westphal (3):
      netfilter: nf_tables: meter: pick a set backend that supports updates
      netfilter: nf_tables: permit second nat hook if colliding hook is going away
      netfilter: nf_tables: add missing netlink attrs to policies

Pablo Neira Ayuso (2):
      netfilter: nf_tables: cache device name in flowtable object
      netfilter: nf_tables: do not hold reference on netdevice from preparation phase

Paolo Abeni (1):
      netfilter: drop template ct when conntrack is skipped.

Subash Abhinov Kasiviswanathan (1):
      netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}

 include/net/netfilter/nf_tables.h              |   4 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  14 +++-
 net/ipv4/netfilter/nf_socket_ipv4.c            |   6 +-
 net/ipv6/netfilter/nf_socket_ipv6.c            |   6 +-
 net/netfilter/nf_tables_api.c                  | 106 +++++++++++++++++++------
 net/netfilter/nft_set_hash.c                   |   2 +-
 6 files changed, 109 insertions(+), 29 deletions(-)