* [PATCH 0/7] Netfilter fixes for net
@ 2020-06-25 18:26 Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 1/7] netfilter: ipset: fix unaligned atomic access Pablo Neira Ayuso
` (7 more replies)
0 siblings, 8 replies; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-25 18:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net, they are:
1) Unaligned atomic access in ipset, from Russell King.
2) Missing module description, from Rob Gill.
3) Patches to fix a module unload causing NULL pointer dereference in
xtables, from David Wilder. For the record, I posting here his cover
letter explaining the problem:
A crash happened on ppc64le when running ltp network tests triggered by
"rmmod iptable_mangle".
See previous discussion in this thread:
https://lists.openwall.net/netdev/2020/06/03/161 .
In the crash I found in iptable_mangle_hook() that
state->net->ipv4.iptable_mangle=NULL causing a NULL pointer dereference.
net->ipv4.iptable_mangle is set to NULL in +iptable_mangle_net_exit() and
called when ip_mangle modules is unloaded. A rmmod task was found running
in the crash dump. A 2nd crash showed the same problem when running
"rmmod iptable_filter" (net->ipv4.iptable_filter=NULL).
To fix this I added .pre_exit hook in all iptable_foo.c. The pre_exit will
un-register the underlying hook and exit would do the table freeing. The
netns core does an unconditional +synchronize_rcu after the pre_exit hooks
insuring no packets are in flight that have picked up the pointer before
completing the un-register.
These patches include changes for both iptables and ip6tables.
We tested this fix with ltp running iptables01.sh and iptables01.sh -6 a
loop for 72 hours.
4) Add a selftest for conntrack helper assignment, from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 67c20de35a3cc2e2cd940f95ebd85ed0a765315a:
net: Add MODULE_DESCRIPTION entries to network modules (2020-06-20 21:33:57 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 619ae8e0697a6fb85b99b19137590c7c337c579e:
selftests: netfilter: add test case for conntrack helper assignment (2020-06-25 00:50:31 +0200)
----------------------------------------------------------------
David Wilder (4):
netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers.
netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c.
netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers.
netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c.
Florian Westphal (1):
selftests: netfilter: add test case for conntrack helper assignment
Rob Gill (1):
netfilter: Add MODULE_DESCRIPTION entries to kernel modules
Russell King (1):
netfilter: ipset: fix unaligned atomic access
include/linux/netfilter_ipv4/ip_tables.h | 6 +
include/linux/netfilter_ipv6/ip6_tables.h | 3 +
net/bridge/netfilter/nft_meta_bridge.c | 1 +
net/bridge/netfilter/nft_reject_bridge.c | 1 +
net/ipv4/netfilter/ip_tables.c | 15 +-
net/ipv4/netfilter/ipt_SYNPROXY.c | 1 +
net/ipv4/netfilter/iptable_filter.c | 10 +-
net/ipv4/netfilter/iptable_mangle.c | 10 +-
net/ipv4/netfilter/iptable_nat.c | 10 +-
net/ipv4/netfilter/iptable_raw.c | 10 +-
net/ipv4/netfilter/iptable_security.c | 11 +-
net/ipv4/netfilter/nf_flow_table_ipv4.c | 1 +
net/ipv4/netfilter/nft_dup_ipv4.c | 1 +
net/ipv4/netfilter/nft_fib_ipv4.c | 1 +
net/ipv4/netfilter/nft_reject_ipv4.c | 1 +
net/ipv6/netfilter/ip6_tables.c | 15 +-
net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
net/ipv6/netfilter/ip6table_filter.c | 10 +-
net/ipv6/netfilter/ip6table_mangle.c | 10 +-
net/ipv6/netfilter/ip6table_nat.c | 10 +-
net/ipv6/netfilter/ip6table_raw.c | 10 +-
net/ipv6/netfilter/ip6table_security.c | 10 +-
net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 +
net/ipv6/netfilter/nft_dup_ipv6.c | 1 +
net/ipv6/netfilter/nft_fib_ipv6.c | 1 +
net/ipv6/netfilter/nft_reject_ipv6.c | 1 +
net/netfilter/ipset/ip_set_core.c | 2 +
net/netfilter/nf_dup_netdev.c | 1 +
net/netfilter/nf_flow_table_core.c | 1 +
net/netfilter/nf_flow_table_inet.c | 1 +
net/netfilter/nf_synproxy_core.c | 1 +
net/netfilter/nfnetlink.c | 1 +
net/netfilter/nft_compat.c | 1 +
net/netfilter/nft_connlimit.c | 1 +
net/netfilter/nft_counter.c | 1 +
net/netfilter/nft_ct.c | 1 +
net/netfilter/nft_dup_netdev.c | 1 +
net/netfilter/nft_fib_inet.c | 1 +
net/netfilter/nft_fib_netdev.c | 1 +
net/netfilter/nft_flow_offload.c | 1 +
net/netfilter/nft_hash.c | 1 +
net/netfilter/nft_limit.c | 1 +
net/netfilter/nft_log.c | 1 +
net/netfilter/nft_masq.c | 1 +
net/netfilter/nft_nat.c | 1 +
net/netfilter/nft_numgen.c | 1 +
net/netfilter/nft_objref.c | 1 +
net/netfilter/nft_osf.c | 1 +
net/netfilter/nft_queue.c | 1 +
net/netfilter/nft_quota.c | 1 +
net/netfilter/nft_redir.c | 1 +
net/netfilter/nft_reject.c | 1 +
net/netfilter/nft_reject_inet.c | 1 +
net/netfilter/nft_synproxy.c | 1 +
net/netfilter/nft_tunnel.c | 1 +
net/netfilter/xt_nat.c | 1 +
tools/testing/selftests/netfilter/Makefile | 2 +-
.../selftests/netfilter/nft_conntrack_helper.sh | 175 +++++++++++++++++++++
58 files changed, 344 insertions(+), 16 deletions(-)
create mode 100755 tools/testing/selftests/netfilter/nft_conntrack_helper.sh
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 1/7] netfilter: ipset: fix unaligned atomic access
2020-06-25 18:26 [PATCH 0/7] Netfilter fixes for net Pablo Neira Ayuso
@ 2020-06-25 18:26 ` Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 2/7] netfilter: Add MODULE_DESCRIPTION entries to kernel modules Pablo Neira Ayuso
` (6 subsequent siblings)
7 siblings, 0 replies; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-25 18:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Russell King <rmk+kernel@armlinux.org.uk>
When using ip_set with counters and comment, traffic causes the kernel
to panic on 32-bit ARM:
Alignment trap: not handling instruction e1b82f9f at [<bf01b0dc>]
Unhandled fault: alignment exception (0x221) at 0xea08133c
PC is at ip_set_match_extensions+0xe0/0x224 [ip_set]
The problem occurs when we try to update the 64-bit counters - the
faulting address above is not 64-bit aligned. The problem occurs
due to the way elements are allocated, for example:
set->dsize = ip_set_elem_len(set, tb, 0, 0);
map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
If the element has a requirement for a member to be 64-bit aligned,
and set->dsize is not a multiple of 8, but is a multiple of four,
then every odd numbered elements will be misaligned - and hitting
an atomic64_add() on that element will cause the kernel to panic.
ip_set_elem_len() must return a size that is rounded to the maximum
alignment of any extension field stored in the element. This change
ensures that is the case.
Fixes: 95ad1f4a9358 ("netfilter: ipset: Fix extension alignment")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 340cb955af25..56621d6bfd29 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -460,6 +460,8 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len,
for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
if (!add_extension(id, cadt_flags, tb))
continue;
+ if (align < ip_set_extensions[id].align)
+ align = ip_set_extensions[id].align;
len = ALIGN(len, ip_set_extensions[id].align);
set->offset[id] = len;
set->extensions |= ip_set_extensions[id].type;
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 2/7] netfilter: Add MODULE_DESCRIPTION entries to kernel modules
2020-06-25 18:26 [PATCH 0/7] Netfilter fixes for net Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 1/7] netfilter: ipset: fix unaligned atomic access Pablo Neira Ayuso
@ 2020-06-25 18:26 ` Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 3/7] netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers Pablo Neira Ayuso
` (5 subsequent siblings)
7 siblings, 0 replies; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-25 18:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Rob Gill <rrobgill@protonmail.com>
The user tool modinfo is used to get information on kernel modules, including a
description where it is available.
This patch adds a brief MODULE_DESCRIPTION to netfilter kernel modules
(descriptions taken from Kconfig file or code comments)
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/bridge/netfilter/nft_meta_bridge.c | 1 +
net/bridge/netfilter/nft_reject_bridge.c | 1 +
net/ipv4/netfilter/ipt_SYNPROXY.c | 1 +
net/ipv4/netfilter/nf_flow_table_ipv4.c | 1 +
net/ipv4/netfilter/nft_dup_ipv4.c | 1 +
net/ipv4/netfilter/nft_fib_ipv4.c | 1 +
net/ipv4/netfilter/nft_reject_ipv4.c | 1 +
net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 +
net/ipv6/netfilter/nft_dup_ipv6.c | 1 +
net/ipv6/netfilter/nft_fib_ipv6.c | 1 +
net/ipv6/netfilter/nft_reject_ipv6.c | 1 +
net/netfilter/nf_dup_netdev.c | 1 +
net/netfilter/nf_flow_table_core.c | 1 +
net/netfilter/nf_flow_table_inet.c | 1 +
net/netfilter/nf_synproxy_core.c | 1 +
net/netfilter/nfnetlink.c | 1 +
net/netfilter/nft_compat.c | 1 +
net/netfilter/nft_connlimit.c | 1 +
net/netfilter/nft_counter.c | 1 +
net/netfilter/nft_ct.c | 1 +
net/netfilter/nft_dup_netdev.c | 1 +
net/netfilter/nft_fib_inet.c | 1 +
net/netfilter/nft_fib_netdev.c | 1 +
net/netfilter/nft_flow_offload.c | 1 +
net/netfilter/nft_hash.c | 1 +
net/netfilter/nft_limit.c | 1 +
net/netfilter/nft_log.c | 1 +
net/netfilter/nft_masq.c | 1 +
net/netfilter/nft_nat.c | 1 +
net/netfilter/nft_numgen.c | 1 +
net/netfilter/nft_objref.c | 1 +
net/netfilter/nft_osf.c | 1 +
net/netfilter/nft_queue.c | 1 +
net/netfilter/nft_quota.c | 1 +
net/netfilter/nft_redir.c | 1 +
net/netfilter/nft_reject.c | 1 +
net/netfilter/nft_reject_inet.c | 1 +
net/netfilter/nft_synproxy.c | 1 +
net/netfilter/nft_tunnel.c | 1 +
net/netfilter/xt_nat.c | 1 +
41 files changed, 41 insertions(+)
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
index 7c9e92b2f806..8e8ffac037cd 100644
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -155,3 +155,4 @@ module_exit(nft_meta_bridge_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("wenxu <wenxu@ucloud.cn>");
MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "meta");
+MODULE_DESCRIPTION("Support for bridge dedicated meta key");
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index f48cf4cfb80f..deae2c9a0f69 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -455,3 +455,4 @@ module_exit(nft_reject_bridge_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "reject");
+MODULE_DESCRIPTION("Reject packets from bridge via nftables");
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 748dc3ce58d3..f2984c7eef40 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -118,3 +118,4 @@ module_exit(synproxy_tg4_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("Intercept TCP connections and establish them using syncookies");
diff --git a/net/ipv4/netfilter/nf_flow_table_ipv4.c b/net/ipv4/netfilter/nf_flow_table_ipv4.c
index e32e41b99f0f..aba65fe90345 100644
--- a/net/ipv4/netfilter/nf_flow_table_ipv4.c
+++ b/net/ipv4/netfilter/nf_flow_table_ipv4.c
@@ -34,3 +34,4 @@ module_exit(nf_flow_ipv4_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NF_FLOWTABLE(AF_INET);
+MODULE_DESCRIPTION("Netfilter flow table support");
diff --git a/net/ipv4/netfilter/nft_dup_ipv4.c b/net/ipv4/netfilter/nft_dup_ipv4.c
index abf89b972094..bcdb37f86a94 100644
--- a/net/ipv4/netfilter/nft_dup_ipv4.c
+++ b/net/ipv4/netfilter/nft_dup_ipv4.c
@@ -107,3 +107,4 @@ module_exit(nft_dup_ipv4_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "dup");
+MODULE_DESCRIPTION("IPv4 nftables packet duplication support");
diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c
index ce294113dbcd..03df986217b7 100644
--- a/net/ipv4/netfilter/nft_fib_ipv4.c
+++ b/net/ipv4/netfilter/nft_fib_ipv4.c
@@ -210,3 +210,4 @@ module_exit(nft_fib4_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
MODULE_ALIAS_NFT_AF_EXPR(2, "fib");
+MODULE_DESCRIPTION("nftables fib / ip route lookup support");
diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c
index 7e6fd5cde50f..e408f813f5d8 100644
--- a/net/ipv4/netfilter/nft_reject_ipv4.c
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -71,3 +71,4 @@ module_exit(nft_reject_ipv4_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET, "reject");
+MODULE_DESCRIPTION("IPv4 packet rejection for nftables");
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index fd1f52a21bf1..d51d0c3e5fe9 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -121,3 +121,4 @@ module_exit(synproxy_tg6_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("Intercept IPv6 TCP connections and establish them using syncookies");
diff --git a/net/ipv6/netfilter/nf_flow_table_ipv6.c b/net/ipv6/netfilter/nf_flow_table_ipv6.c
index a8566ee12e83..667b8af2546a 100644
--- a/net/ipv6/netfilter/nf_flow_table_ipv6.c
+++ b/net/ipv6/netfilter/nf_flow_table_ipv6.c
@@ -35,3 +35,4 @@ module_exit(nf_flow_ipv6_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NF_FLOWTABLE(AF_INET6);
+MODULE_DESCRIPTION("Netfilter flow table IPv6 module");
diff --git a/net/ipv6/netfilter/nft_dup_ipv6.c b/net/ipv6/netfilter/nft_dup_ipv6.c
index 2af32200507d..8b5193efb1f1 100644
--- a/net/ipv6/netfilter/nft_dup_ipv6.c
+++ b/net/ipv6/netfilter/nft_dup_ipv6.c
@@ -105,3 +105,4 @@ module_exit(nft_dup_ipv6_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "dup");
+MODULE_DESCRIPTION("IPv6 nftables packet duplication support");
diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
index 7ece86afd079..e204163c7036 100644
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -255,3 +255,4 @@ module_exit(nft_fib6_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
MODULE_ALIAS_NFT_AF_EXPR(10, "fib");
+MODULE_DESCRIPTION("nftables fib / ipv6 route lookup support");
diff --git a/net/ipv6/netfilter/nft_reject_ipv6.c b/net/ipv6/netfilter/nft_reject_ipv6.c
index 680a28ce29fd..c1098a1968e1 100644
--- a/net/ipv6/netfilter/nft_reject_ipv6.c
+++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -72,3 +72,4 @@ module_exit(nft_reject_ipv6_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "reject");
+MODULE_DESCRIPTION("IPv6 packet rejection for nftables");
diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c
index f108a76925dd..2b01a151eaa8 100644
--- a/net/netfilter/nf_dup_netdev.c
+++ b/net/netfilter/nf_dup_netdev.c
@@ -73,3 +73,4 @@ EXPORT_SYMBOL_GPL(nft_fwd_dup_netdev_offload);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_DESCRIPTION("Netfilter packet duplication support");
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index afa85171df38..b1eb5272b379 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -594,3 +594,4 @@ module_exit(nf_flow_table_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_DESCRIPTION("Netfilter flow table module");
diff --git a/net/netfilter/nf_flow_table_inet.c b/net/netfilter/nf_flow_table_inet.c
index 88bedf1ff1ae..bc4126d8ef65 100644
--- a/net/netfilter/nf_flow_table_inet.c
+++ b/net/netfilter/nf_flow_table_inet.c
@@ -72,3 +72,4 @@ module_exit(nf_flow_inet_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NF_FLOWTABLE(1); /* NFPROTO_INET */
+MODULE_DESCRIPTION("Netfilter flow table mixed IPv4/IPv6 module");
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index b9cbe1e2453e..ebcdc8e54476 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -1237,3 +1237,4 @@ EXPORT_SYMBOL_GPL(nf_synproxy_ipv6_fini);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("nftables SYNPROXY expression support");
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 99127e2d95a8..5f24edf95830 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -33,6 +33,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER);
+MODULE_DESCRIPTION("Netfilter messages via netlink socket");
#define nfnl_dereference_protected(id) \
rcu_dereference_protected(table[(id)].subsys, \
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index f9adca62ccb3..aa1a066cb74b 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -902,3 +902,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("match");
MODULE_ALIAS_NFT_EXPR("target");
+MODULE_DESCRIPTION("x_tables over nftables support");
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index 69d6173f91e2..7d0761fad37e 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -280,3 +280,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso");
MODULE_ALIAS_NFT_EXPR("connlimit");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CONNLIMIT);
+MODULE_DESCRIPTION("nftables connlimit rule support");
diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c
index f6d4d0fa23a6..85ed461ec24e 100644
--- a/net/netfilter/nft_counter.c
+++ b/net/netfilter/nft_counter.c
@@ -303,3 +303,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("counter");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_COUNTER);
+MODULE_DESCRIPTION("nftables counter rule support");
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index faea72c2df32..77258af1fce0 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1345,3 +1345,4 @@ MODULE_ALIAS_NFT_EXPR("notrack");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER);
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_TIMEOUT);
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_EXPECT);
+MODULE_DESCRIPTION("Netfilter nf_tables conntrack module");
diff --git a/net/netfilter/nft_dup_netdev.c b/net/netfilter/nft_dup_netdev.c
index c2e78c160fd7..40788b3f1071 100644
--- a/net/netfilter/nft_dup_netdev.c
+++ b/net/netfilter/nft_dup_netdev.c
@@ -102,3 +102,4 @@ module_exit(nft_dup_netdev_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_AF_EXPR(5, "dup");
+MODULE_DESCRIPTION("nftables netdev packet duplication support");
diff --git a/net/netfilter/nft_fib_inet.c b/net/netfilter/nft_fib_inet.c
index 465432e0531b..a88d44e163d1 100644
--- a/net/netfilter/nft_fib_inet.c
+++ b/net/netfilter/nft_fib_inet.c
@@ -76,3 +76,4 @@ module_exit(nft_fib_inet_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
MODULE_ALIAS_NFT_AF_EXPR(1, "fib");
+MODULE_DESCRIPTION("nftables fib inet support");
diff --git a/net/netfilter/nft_fib_netdev.c b/net/netfilter/nft_fib_netdev.c
index a2e726ae7f07..3f3478abd845 100644
--- a/net/netfilter/nft_fib_netdev.c
+++ b/net/netfilter/nft_fib_netdev.c
@@ -85,3 +85,4 @@ module_exit(nft_fib_netdev_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo M. Bermudo Garay <pablombg@gmail.com>");
MODULE_ALIAS_NFT_AF_EXPR(5, "fib");
+MODULE_DESCRIPTION("nftables netdev fib lookups support");
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index b70b48996801..3b9b97aa4b32 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -286,3 +286,4 @@ module_exit(nft_flow_offload_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("flow_offload");
+MODULE_DESCRIPTION("nftables hardware flow offload module");
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index b836d550b919..96371d878e7e 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -248,3 +248,4 @@ module_exit(nft_hash_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Laura Garcia <nevola@gmail.com>");
MODULE_ALIAS_NFT_EXPR("hash");
+MODULE_DESCRIPTION("Netfilter nftables hash module");
diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
index 35b67d7e3694..0e2c315c3b5e 100644
--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -372,3 +372,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("limit");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_LIMIT);
+MODULE_DESCRIPTION("nftables limit expression support");
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index fe4831f2258f..57899454a530 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -298,3 +298,4 @@ module_exit(nft_log_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("log");
+MODULE_DESCRIPTION("Netfilter nf_tables log module");
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index bc9fd98c5d6d..71390b727040 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -305,3 +305,4 @@ module_exit(nft_masq_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
MODULE_ALIAS_NFT_EXPR("masq");
+MODULE_DESCRIPTION("Netfilter nftables masquerade expression support");
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 23a7bfd10521..4bcf33b049c4 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -402,3 +402,4 @@ module_exit(nft_nat_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>");
MODULE_ALIAS_NFT_EXPR("nat");
+MODULE_DESCRIPTION("Network Address Translation support");
diff --git a/net/netfilter/nft_numgen.c b/net/netfilter/nft_numgen.c
index 48edb9d5f012..f1fc824f9737 100644
--- a/net/netfilter/nft_numgen.c
+++ b/net/netfilter/nft_numgen.c
@@ -217,3 +217,4 @@ module_exit(nft_ng_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Laura Garcia <nevola@gmail.com>");
MODULE_ALIAS_NFT_EXPR("numgen");
+MODULE_DESCRIPTION("nftables number generator module");
diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
index bfd18d2b65a2..5f9207a9f485 100644
--- a/net/netfilter/nft_objref.c
+++ b/net/netfilter/nft_objref.c
@@ -252,3 +252,4 @@ module_exit(nft_objref_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("objref");
+MODULE_DESCRIPTION("nftables stateful object reference module");
diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
index b42247aa48a9..c261d57a666a 100644
--- a/net/netfilter/nft_osf.c
+++ b/net/netfilter/nft_osf.c
@@ -149,3 +149,4 @@ module_exit(nft_osf_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Fernando Fernandez <ffmancera@riseup.net>");
MODULE_ALIAS_NFT_EXPR("osf");
+MODULE_DESCRIPTION("nftables passive OS fingerprint support");
diff --git a/net/netfilter/nft_queue.c b/net/netfilter/nft_queue.c
index 5ece0a6aa8c3..23265d757acb 100644
--- a/net/netfilter/nft_queue.c
+++ b/net/netfilter/nft_queue.c
@@ -216,3 +216,4 @@ module_exit(nft_queue_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Eric Leblond <eric@regit.org>");
MODULE_ALIAS_NFT_EXPR("queue");
+MODULE_DESCRIPTION("Netfilter nftables queue module");
diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
index 4413690591f2..0363f533a42b 100644
--- a/net/netfilter/nft_quota.c
+++ b/net/netfilter/nft_quota.c
@@ -254,3 +254,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("quota");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_QUOTA);
+MODULE_DESCRIPTION("Netfilter nftables quota module");
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index 5b779171565c..2056051c0af0 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -292,3 +292,4 @@ module_exit(nft_redir_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
MODULE_ALIAS_NFT_EXPR("redir");
+MODULE_DESCRIPTION("Netfilter nftables redirect support");
diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c
index 00f865fb80ca..86eafbb0fdd0 100644
--- a/net/netfilter/nft_reject.c
+++ b/net/netfilter/nft_reject.c
@@ -119,3 +119,4 @@ EXPORT_SYMBOL_GPL(nft_reject_icmpv6_code);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("Netfilter x_tables over nftables module");
diff --git a/net/netfilter/nft_reject_inet.c b/net/netfilter/nft_reject_inet.c
index f41f414b72d1..cf8f2646e93c 100644
--- a/net/netfilter/nft_reject_inet.c
+++ b/net/netfilter/nft_reject_inet.c
@@ -149,3 +149,4 @@ module_exit(nft_reject_inet_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_AF_EXPR(1, "reject");
+MODULE_DESCRIPTION("Netfilter nftables reject inet support");
diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
index e2c1fc608841..4fda8b3f1762 100644
--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -388,3 +388,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Fernando Fernandez <ffmancera@riseup.net>");
MODULE_ALIAS_NFT_EXPR("synproxy");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_SYNPROXY);
+MODULE_DESCRIPTION("nftables SYNPROXY expression support");
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 30be5787fbde..d3eb953d0333 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -719,3 +719,4 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_EXPR("tunnel");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_TUNNEL);
+MODULE_DESCRIPTION("nftables tunnel expression support");
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index a8e5f6c8db7a..b4f7bbc3f3ca 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -244,3 +244,4 @@ MODULE_ALIAS("ipt_SNAT");
MODULE_ALIAS("ipt_DNAT");
MODULE_ALIAS("ip6t_SNAT");
MODULE_ALIAS("ip6t_DNAT");
+MODULE_DESCRIPTION("SNAT and DNAT targets support");
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 3/7] netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers.
2020-06-25 18:26 [PATCH 0/7] Netfilter fixes for net Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 1/7] netfilter: ipset: fix unaligned atomic access Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 2/7] netfilter: Add MODULE_DESCRIPTION entries to kernel modules Pablo Neira Ayuso
@ 2020-06-25 18:26 ` Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 4/7] netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c Pablo Neira Ayuso
` (4 subsequent siblings)
7 siblings, 0 replies; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-25 18:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: David Wilder <dwilder@us.ibm.com>
The pre_exit will un-register the underlying hook and .exit will do the
table freeing. The netns core does an unconditional synchronize_rcu after
the pre_exit hooks insuring no packets are in flight that have picked up
the pointer before completing the un-register.
Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default")
Signed-off-by: David Wilder <dwilder@us.ibm.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter_ipv4/ip_tables.h | 6 ++++++
net/ipv4/netfilter/ip_tables.c | 15 ++++++++++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index b394bd4f68a3..c4676d6feeff 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -25,6 +25,12 @@
int ipt_register_table(struct net *net, const struct xt_table *table,
const struct ipt_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res);
+
+void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
+ const struct nf_hook_ops *ops);
+
+void ipt_unregister_table_exit(struct net *net, struct xt_table *table);
+
void ipt_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index c2670eaa74e6..5bf9fa06aee0 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1797,11 +1797,22 @@ int ipt_register_table(struct net *net, const struct xt_table *table,
return ret;
}
+void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
+ const struct nf_hook_ops *ops)
+{
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+}
+
+void ipt_unregister_table_exit(struct net *net, struct xt_table *table)
+{
+ __ipt_unregister_table(net, table);
+}
+
void ipt_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops)
{
if (ops)
- nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+ ipt_unregister_table_pre_exit(net, table, ops);
__ipt_unregister_table(net, table);
}
@@ -1958,6 +1969,8 @@ static void __exit ip_tables_fini(void)
EXPORT_SYMBOL(ipt_register_table);
EXPORT_SYMBOL(ipt_unregister_table);
+EXPORT_SYMBOL(ipt_unregister_table_pre_exit);
+EXPORT_SYMBOL(ipt_unregister_table_exit);
EXPORT_SYMBOL(ipt_do_table);
module_init(ip_tables_init);
module_exit(ip_tables_fini);
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 4/7] netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c.
2020-06-25 18:26 [PATCH 0/7] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2020-06-25 18:26 ` [PATCH 3/7] netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers Pablo Neira Ayuso
@ 2020-06-25 18:26 ` Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 5/7] netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers Pablo Neira Ayuso
` (3 subsequent siblings)
7 siblings, 0 replies; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-25 18:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: David Wilder <dwilder@us.ibm.com>
Using new helpers ipt_unregister_table_pre_exit() and
ipt_unregister_table_exit().
Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default")
Signed-off-by: David Wilder <dwilder@us.ibm.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/iptable_filter.c | 10 +++++++++-
net/ipv4/netfilter/iptable_mangle.c | 10 +++++++++-
net/ipv4/netfilter/iptable_nat.c | 10 ++++++++--
net/ipv4/netfilter/iptable_raw.c | 10 +++++++++-
net/ipv4/netfilter/iptable_security.c | 11 +++++++++--
5 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 9d54b4017e50..8f7bc1ee7453 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -72,16 +72,24 @@ static int __net_init iptable_filter_net_init(struct net *net)
return 0;
}
+static void __net_exit iptable_filter_net_pre_exit(struct net *net)
+{
+ if (net->ipv4.iptable_filter)
+ ipt_unregister_table_pre_exit(net, net->ipv4.iptable_filter,
+ filter_ops);
+}
+
static void __net_exit iptable_filter_net_exit(struct net *net)
{
if (!net->ipv4.iptable_filter)
return;
- ipt_unregister_table(net, net->ipv4.iptable_filter, filter_ops);
+ ipt_unregister_table_exit(net, net->ipv4.iptable_filter);
net->ipv4.iptable_filter = NULL;
}
static struct pernet_operations iptable_filter_net_ops = {
.init = iptable_filter_net_init,
+ .pre_exit = iptable_filter_net_pre_exit,
.exit = iptable_filter_net_exit,
};
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index bb9266ea3785..f703a717ab1d 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -100,15 +100,23 @@ static int __net_init iptable_mangle_table_init(struct net *net)
return ret;
}
+static void __net_exit iptable_mangle_net_pre_exit(struct net *net)
+{
+ if (net->ipv4.iptable_mangle)
+ ipt_unregister_table_pre_exit(net, net->ipv4.iptable_mangle,
+ mangle_ops);
+}
+
static void __net_exit iptable_mangle_net_exit(struct net *net)
{
if (!net->ipv4.iptable_mangle)
return;
- ipt_unregister_table(net, net->ipv4.iptable_mangle, mangle_ops);
+ ipt_unregister_table_exit(net, net->ipv4.iptable_mangle);
net->ipv4.iptable_mangle = NULL;
}
static struct pernet_operations iptable_mangle_net_ops = {
+ .pre_exit = iptable_mangle_net_pre_exit,
.exit = iptable_mangle_net_exit,
};
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index ad33687b7444..b0143b109f25 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -113,16 +113,22 @@ static int __net_init iptable_nat_table_init(struct net *net)
return ret;
}
+static void __net_exit iptable_nat_net_pre_exit(struct net *net)
+{
+ if (net->ipv4.nat_table)
+ ipt_nat_unregister_lookups(net);
+}
+
static void __net_exit iptable_nat_net_exit(struct net *net)
{
if (!net->ipv4.nat_table)
return;
- ipt_nat_unregister_lookups(net);
- ipt_unregister_table(net, net->ipv4.nat_table, NULL);
+ ipt_unregister_table_exit(net, net->ipv4.nat_table);
net->ipv4.nat_table = NULL;
}
static struct pernet_operations iptable_nat_net_ops = {
+ .pre_exit = iptable_nat_net_pre_exit,
.exit = iptable_nat_net_exit,
};
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 69697eb4bfc6..9abfe6bf2cb9 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -67,15 +67,23 @@ static int __net_init iptable_raw_table_init(struct net *net)
return ret;
}
+static void __net_exit iptable_raw_net_pre_exit(struct net *net)
+{
+ if (net->ipv4.iptable_raw)
+ ipt_unregister_table_pre_exit(net, net->ipv4.iptable_raw,
+ rawtable_ops);
+}
+
static void __net_exit iptable_raw_net_exit(struct net *net)
{
if (!net->ipv4.iptable_raw)
return;
- ipt_unregister_table(net, net->ipv4.iptable_raw, rawtable_ops);
+ ipt_unregister_table_exit(net, net->ipv4.iptable_raw);
net->ipv4.iptable_raw = NULL;
}
static struct pernet_operations iptable_raw_net_ops = {
+ .pre_exit = iptable_raw_net_pre_exit,
.exit = iptable_raw_net_exit,
};
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index ac633c1db97e..415c1975d770 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -62,16 +62,23 @@ static int __net_init iptable_security_table_init(struct net *net)
return ret;
}
+static void __net_exit iptable_security_net_pre_exit(struct net *net)
+{
+ if (net->ipv4.iptable_security)
+ ipt_unregister_table_pre_exit(net, net->ipv4.iptable_security,
+ sectbl_ops);
+}
+
static void __net_exit iptable_security_net_exit(struct net *net)
{
if (!net->ipv4.iptable_security)
return;
-
- ipt_unregister_table(net, net->ipv4.iptable_security, sectbl_ops);
+ ipt_unregister_table_exit(net, net->ipv4.iptable_security);
net->ipv4.iptable_security = NULL;
}
static struct pernet_operations iptable_security_net_ops = {
+ .pre_exit = iptable_security_net_pre_exit,
.exit = iptable_security_net_exit,
};
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 5/7] netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers.
2020-06-25 18:26 [PATCH 0/7] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2020-06-25 18:26 ` [PATCH 4/7] netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c Pablo Neira Ayuso
@ 2020-06-25 18:26 ` Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 6/7] netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c Pablo Neira Ayuso
` (2 subsequent siblings)
7 siblings, 0 replies; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-25 18:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: David Wilder <dwilder@us.ibm.com>
The pre_exit will un-register the underlying hook and .exit will do
the table freeing. The netns core does an unconditional synchronize_rcu
after the pre_exit hooks insuring no packets are in flight that have
picked up the pointer before completing the un-register.
Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default")
Signed-off-by: David Wilder <dwilder@us.ibm.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter_ipv6/ip6_tables.h | 3 +++
net/ipv6/netfilter/ip6_tables.c | 15 ++++++++++++++-
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 8225f7821a29..1547d5f9ae06 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -29,6 +29,9 @@ int ip6t_register_table(struct net *net, const struct xt_table *table,
const struct nf_hook_ops *ops, struct xt_table **res);
void ip6t_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops);
+void ip6t_unregister_table_pre_exit(struct net *net, struct xt_table *table,
+ const struct nf_hook_ops *ops);
+void ip6t_unregister_table_exit(struct net *net, struct xt_table *table);
extern unsigned int ip6t_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct xt_table *table);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index e27393498ecb..e96a431549bc 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1807,11 +1807,22 @@ int ip6t_register_table(struct net *net, const struct xt_table *table,
return ret;
}
+void ip6t_unregister_table_pre_exit(struct net *net, struct xt_table *table,
+ const struct nf_hook_ops *ops)
+{
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+}
+
+void ip6t_unregister_table_exit(struct net *net, struct xt_table *table)
+{
+ __ip6t_unregister_table(net, table);
+}
+
void ip6t_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops)
{
if (ops)
- nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+ ip6t_unregister_table_pre_exit(net, table, ops);
__ip6t_unregister_table(net, table);
}
@@ -1969,6 +1980,8 @@ static void __exit ip6_tables_fini(void)
EXPORT_SYMBOL(ip6t_register_table);
EXPORT_SYMBOL(ip6t_unregister_table);
+EXPORT_SYMBOL(ip6t_unregister_table_pre_exit);
+EXPORT_SYMBOL(ip6t_unregister_table_exit);
EXPORT_SYMBOL(ip6t_do_table);
module_init(ip6_tables_init);
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 6/7] netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c.
2020-06-25 18:26 [PATCH 0/7] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2020-06-25 18:26 ` [PATCH 5/7] netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers Pablo Neira Ayuso
@ 2020-06-25 18:26 ` Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 7/7] selftests: netfilter: add test case for conntrack helper assignment Pablo Neira Ayuso
2020-06-25 19:59 ` [PATCH 0/7] Netfilter fixes for net David Miller
7 siblings, 0 replies; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-25 18:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: David Wilder <dwilder@us.ibm.com>
Using new helpers ip6t_unregister_table_pre_exit() and
ip6t_unregister_table_exit().
Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default")
Signed-off-by: David Wilder <dwilder@us.ibm.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv6/netfilter/ip6table_filter.c | 10 +++++++++-
net/ipv6/netfilter/ip6table_mangle.c | 10 +++++++++-
net/ipv6/netfilter/ip6table_nat.c | 10 ++++++++--
net/ipv6/netfilter/ip6table_raw.c | 10 +++++++++-
net/ipv6/netfilter/ip6table_security.c | 10 +++++++++-
5 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 32667f5d5a33..88337b51ffbf 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -73,16 +73,24 @@ static int __net_init ip6table_filter_net_init(struct net *net)
return 0;
}
+static void __net_exit ip6table_filter_net_pre_exit(struct net *net)
+{
+ if (net->ipv6.ip6table_filter)
+ ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_filter,
+ filter_ops);
+}
+
static void __net_exit ip6table_filter_net_exit(struct net *net)
{
if (!net->ipv6.ip6table_filter)
return;
- ip6t_unregister_table(net, net->ipv6.ip6table_filter, filter_ops);
+ ip6t_unregister_table_exit(net, net->ipv6.ip6table_filter);
net->ipv6.ip6table_filter = NULL;
}
static struct pernet_operations ip6table_filter_net_ops = {
.init = ip6table_filter_net_init,
+ .pre_exit = ip6table_filter_net_pre_exit,
.exit = ip6table_filter_net_exit,
};
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 070afb97fa2b..1a2748611e00 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -93,16 +93,24 @@ static int __net_init ip6table_mangle_table_init(struct net *net)
return ret;
}
+static void __net_exit ip6table_mangle_net_pre_exit(struct net *net)
+{
+ if (net->ipv6.ip6table_mangle)
+ ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_mangle,
+ mangle_ops);
+}
+
static void __net_exit ip6table_mangle_net_exit(struct net *net)
{
if (!net->ipv6.ip6table_mangle)
return;
- ip6t_unregister_table(net, net->ipv6.ip6table_mangle, mangle_ops);
+ ip6t_unregister_table_exit(net, net->ipv6.ip6table_mangle);
net->ipv6.ip6table_mangle = NULL;
}
static struct pernet_operations ip6table_mangle_net_ops = {
+ .pre_exit = ip6table_mangle_net_pre_exit,
.exit = ip6table_mangle_net_exit,
};
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index 0f4875952efc..0a23265e3caa 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -114,16 +114,22 @@ static int __net_init ip6table_nat_table_init(struct net *net)
return ret;
}
+static void __net_exit ip6table_nat_net_pre_exit(struct net *net)
+{
+ if (net->ipv6.ip6table_nat)
+ ip6t_nat_unregister_lookups(net);
+}
+
static void __net_exit ip6table_nat_net_exit(struct net *net)
{
if (!net->ipv6.ip6table_nat)
return;
- ip6t_nat_unregister_lookups(net);
- ip6t_unregister_table(net, net->ipv6.ip6table_nat, NULL);
+ ip6t_unregister_table_exit(net, net->ipv6.ip6table_nat);
net->ipv6.ip6table_nat = NULL;
}
static struct pernet_operations ip6table_nat_net_ops = {
+ .pre_exit = ip6table_nat_net_pre_exit,
.exit = ip6table_nat_net_exit,
};
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index a22100b1cf2c..8f9e742226f7 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -66,15 +66,23 @@ static int __net_init ip6table_raw_table_init(struct net *net)
return ret;
}
+static void __net_exit ip6table_raw_net_pre_exit(struct net *net)
+{
+ if (net->ipv6.ip6table_raw)
+ ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_raw,
+ rawtable_ops);
+}
+
static void __net_exit ip6table_raw_net_exit(struct net *net)
{
if (!net->ipv6.ip6table_raw)
return;
- ip6t_unregister_table(net, net->ipv6.ip6table_raw, rawtable_ops);
+ ip6t_unregister_table_exit(net, net->ipv6.ip6table_raw);
net->ipv6.ip6table_raw = NULL;
}
static struct pernet_operations ip6table_raw_net_ops = {
+ .pre_exit = ip6table_raw_net_pre_exit,
.exit = ip6table_raw_net_exit,
};
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index a74335fe2bd9..5e8c48fed032 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -61,15 +61,23 @@ static int __net_init ip6table_security_table_init(struct net *net)
return ret;
}
+static void __net_exit ip6table_security_net_pre_exit(struct net *net)
+{
+ if (net->ipv6.ip6table_security)
+ ip6t_unregister_table_pre_exit(net, net->ipv6.ip6table_security,
+ sectbl_ops);
+}
+
static void __net_exit ip6table_security_net_exit(struct net *net)
{
if (!net->ipv6.ip6table_security)
return;
- ip6t_unregister_table(net, net->ipv6.ip6table_security, sectbl_ops);
+ ip6t_unregister_table_exit(net, net->ipv6.ip6table_security);
net->ipv6.ip6table_security = NULL;
}
static struct pernet_operations ip6table_security_net_ops = {
+ .pre_exit = ip6table_security_net_pre_exit,
.exit = ip6table_security_net_exit,
};
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* [PATCH 7/7] selftests: netfilter: add test case for conntrack helper assignment
2020-06-25 18:26 [PATCH 0/7] Netfilter fixes for net Pablo Neira Ayuso
` (5 preceding siblings ...)
2020-06-25 18:26 ` [PATCH 6/7] netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c Pablo Neira Ayuso
@ 2020-06-25 18:26 ` Pablo Neira Ayuso
2020-06-25 19:59 ` [PATCH 0/7] Netfilter fixes for net David Miller
7 siblings, 0 replies; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-25 18:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Florian Westphal <fw@strlen.de>
check that 'nft ... ct helper set <foo>' works:
1. configure ftp helper via nft and assign it to
connections on port 2121
2. check with 'conntrack -L' that the next connection
has the ftp helper attached to it.
Also add a test for auto-assign (old behaviour).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tools/testing/selftests/netfilter/Makefile | 2 +-
.../netfilter/nft_conntrack_helper.sh | 175 ++++++++++++++++++
2 files changed, 176 insertions(+), 1 deletion(-)
create mode 100755 tools/testing/selftests/netfilter/nft_conntrack_helper.sh
diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
index 9c0f758310fe..a179f0dca8ce 100644
--- a/tools/testing/selftests/netfilter/Makefile
+++ b/tools/testing/selftests/netfilter/Makefile
@@ -3,7 +3,7 @@
TEST_PROGS := nft_trans_stress.sh nft_nat.sh bridge_brouter.sh \
conntrack_icmp_related.sh nft_flowtable.sh ipvs.sh \
- nft_concat_range.sh \
+ nft_concat_range.sh nft_conntrack_helper.sh \
nft_queue.sh
LDLIBS = -lmnl
diff --git a/tools/testing/selftests/netfilter/nft_conntrack_helper.sh b/tools/testing/selftests/netfilter/nft_conntrack_helper.sh
new file mode 100755
index 000000000000..edf0a48da6bf
--- /dev/null
+++ b/tools/testing/selftests/netfilter/nft_conntrack_helper.sh
@@ -0,0 +1,175 @@
+#!/bin/bash
+#
+# This tests connection tracking helper assignment:
+# 1. can attach ftp helper to a connection from nft ruleset.
+# 2. auto-assign still works.
+#
+# Kselftest framework requirement - SKIP code is 4.
+ksft_skip=4
+ret=0
+
+sfx=$(mktemp -u "XXXXXXXX")
+ns1="ns1-$sfx"
+ns2="ns2-$sfx"
+testipv6=1
+
+cleanup()
+{
+ ip netns del ${ns1}
+ ip netns del ${ns2}
+}
+
+nft --version > /dev/null 2>&1
+if [ $? -ne 0 ];then
+ echo "SKIP: Could not run test without nft tool"
+ exit $ksft_skip
+fi
+
+ip -Version > /dev/null 2>&1
+if [ $? -ne 0 ];then
+ echo "SKIP: Could not run test without ip tool"
+ exit $ksft_skip
+fi
+
+conntrack -V > /dev/null 2>&1
+if [ $? -ne 0 ];then
+ echo "SKIP: Could not run test without conntrack tool"
+ exit $ksft_skip
+fi
+
+which nc >/dev/null 2>&1
+if [ $? -ne 0 ];then
+ echo "SKIP: Could not run test without netcat tool"
+ exit $ksft_skip
+fi
+
+trap cleanup EXIT
+
+ip netns add ${ns1}
+ip netns add ${ns2}
+
+ip link add veth0 netns ${ns1} type veth peer name veth0 netns ${ns2} > /dev/null 2>&1
+if [ $? -ne 0 ];then
+ echo "SKIP: No virtual ethernet pair device support in kernel"
+ exit $ksft_skip
+fi
+
+ip -net ${ns1} link set lo up
+ip -net ${ns1} link set veth0 up
+
+ip -net ${ns2} link set lo up
+ip -net ${ns2} link set veth0 up
+
+ip -net ${ns1} addr add 10.0.1.1/24 dev veth0
+ip -net ${ns1} addr add dead:1::1/64 dev veth0
+
+ip -net ${ns2} addr add 10.0.1.2/24 dev veth0
+ip -net ${ns2} addr add dead:1::2/64 dev veth0
+
+load_ruleset_family() {
+ local family=$1
+ local ns=$2
+
+ip netns exec ${ns} nft -f - <<EOF
+table $family raw {
+ ct helper ftp {
+ type "ftp" protocol tcp
+ }
+ chain pre {
+ type filter hook prerouting priority 0; policy accept;
+ tcp dport 2121 ct helper set "ftp"
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ tcp dport 2121 ct helper set "ftp"
+ }
+}
+EOF
+ return $?
+}
+
+check_for_helper()
+{
+ local netns=$1
+ local message=$2
+ local port=$3
+
+ ip netns exec ${netns} conntrack -L -p tcp --dport $port 2> /dev/null |grep -q 'helper=ftp'
+ if [ $? -ne 0 ] ; then
+ echo "FAIL: ${netns} did not show attached helper $message" 1>&2
+ ret=1
+ fi
+
+ echo "PASS: ${netns} connection on port $port has ftp helper attached" 1>&2
+ return 0
+}
+
+test_helper()
+{
+ local port=$1
+ local msg=$2
+
+ sleep 3 | ip netns exec ${ns2} nc -w 2 -l -p $port > /dev/null &
+
+ sleep 1
+ sleep 1 | ip netns exec ${ns1} nc -w 2 10.0.1.2 $port > /dev/null &
+
+ check_for_helper "$ns1" "ip $msg" $port
+ check_for_helper "$ns2" "ip $msg" $port
+
+ wait
+
+ if [ $testipv6 -eq 0 ] ;then
+ return 0
+ fi
+
+ ip netns exec ${ns1} conntrack -F 2> /dev/null
+ ip netns exec ${ns2} conntrack -F 2> /dev/null
+
+ sleep 3 | ip netns exec ${ns2} nc -w 2 -6 -l -p $port > /dev/null &
+
+ sleep 1
+ sleep 1 | ip netns exec ${ns1} nc -w 2 -6 dead:1::2 $port > /dev/null &
+
+ check_for_helper "$ns1" "ipv6 $msg" $port
+ check_for_helper "$ns2" "ipv6 $msg" $port
+
+ wait
+}
+
+load_ruleset_family ip ${ns1}
+if [ $? -ne 0 ];then
+ echo "FAIL: ${ns1} cannot load ip ruleset" 1>&2
+ exit 1
+fi
+
+load_ruleset_family ip6 ${ns1}
+if [ $? -ne 0 ];then
+ echo "SKIP: ${ns1} cannot load ip6 ruleset" 1>&2
+ testipv6=0
+fi
+
+load_ruleset_family inet ${ns2}
+if [ $? -ne 0 ];then
+ echo "SKIP: ${ns1} cannot load inet ruleset" 1>&2
+ load_ruleset_family ip ${ns2}
+ if [ $? -ne 0 ];then
+ echo "FAIL: ${ns2} cannot load ip ruleset" 1>&2
+ exit 1
+ fi
+
+ if [ $testipv6 -eq 1 ] ;then
+ load_ruleset_family ip6 ${ns2}
+ if [ $? -ne 0 ];then
+ echo "FAIL: ${ns2} cannot load ip6 ruleset" 1>&2
+ exit 1
+ fi
+ fi
+fi
+
+test_helper 2121 "set via ruleset"
+ip netns exec ${ns1} sysctl -q 'net.netfilter.nf_conntrack_helper=1'
+ip netns exec ${ns2} sysctl -q 'net.netfilter.nf_conntrack_helper=1'
+test_helper 21 "auto-assign"
+
+exit $ret
--
2.20.1
^ permalink raw reply related [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2020-06-25 18:26 [PATCH 0/7] Netfilter fixes for net Pablo Neira Ayuso
` (6 preceding siblings ...)
2020-06-25 18:26 ` [PATCH 7/7] selftests: netfilter: add test case for conntrack helper assignment Pablo Neira Ayuso
@ 2020-06-25 19:59 ` David Miller
7 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2020-06-25 19:59 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, kuba
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 25 Jun 2020 20:26:28 +0200
> The following patchset contains Netfilter fixes for net, they are:
...
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2020-10-22 17:29 Pablo Neira Ayuso
@ 2020-10-22 19:16 ` Jakub Kicinski
0 siblings, 0 replies; 38+ messages in thread
From: Jakub Kicinski @ 2020-10-22 19:16 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev
On Thu, 22 Oct 2020 19:29:18 +0200 Pablo Neira Ayuso wrote:
> Hi Jakub,
>
> The following patchset contains Netfilter fixes for net:
>
> 1) Update debugging in IPVS tcp protocol handler to make it easier
> to understand, from longguang.yue
>
> 2) Update TCP tracker to deal with keepalive packet after
> re-registration, from Franceso Ruggeri.
>
> 3) Missing IP6SKB_FRAGMENTED from netfilter fragment reassembly,
> from Georg Kohmann.
>
> 4) Fix bogus packet drop in ebtables nat extensions, from
> Thimothee Cocault.
>
> 5) Fix typo in flowtable documentation.
>
> 6) Reset skb timestamp in nft_fwd_netdev.
Pulled, please remember about that [PATCH net] tag if you can, thanks!
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2020-10-22 17:29 Pablo Neira Ayuso
2020-10-22 19:16 ` Jakub Kicinski
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-10-22 17:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi Jakub,
The following patchset contains Netfilter fixes for net:
1) Update debugging in IPVS tcp protocol handler to make it easier
to understand, from longguang.yue
2) Update TCP tracker to deal with keepalive packet after
re-registration, from Franceso Ruggeri.
3) Missing IP6SKB_FRAGMENTED from netfilter fragment reassembly,
from Georg Kohmann.
4) Fix bogus packet drop in ebtables nat extensions, from
Thimothee Cocault.
5) Fix typo in flowtable documentation.
6) Reset skb timestamp in nft_fwd_netdev.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit df6afe2f7c19349de2ee560dc62ea4d9ad3ff889:
nexthop: Fix performance regression in nexthop deletion (2020-10-19 20:07:15 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to c77761c8a59405cb7aa44188b30fffe13fbdd02d:
netfilter: nf_fwd_netdev: clear timestamp in forwarding path (2020-10-22 14:49:36 +0200)
----------------------------------------------------------------
Francesco Ruggeri (1):
netfilter: conntrack: connection timeout after re-register
Georg Kohmann (1):
netfilter: Drop fragmented ndisc packets assembled in netfilter
Jeremy Sowden (1):
docs: nf_flowtable: fix typo.
Pablo Neira Ayuso (1):
netfilter: nf_fwd_netdev: clear timestamp in forwarding path
Saeed Mirzamohammadi (1):
netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create
Timothée COCAULT (1):
netfilter: ebtables: Fixes dropping of small packets in bridge nat
longguang.yue (1):
ipvs: adjust the debug info in function set_tcp_state
Documentation/networking/nf_flowtable.rst | 2 +-
include/net/netfilter/nf_tables.h | 6 ++++++
net/bridge/netfilter/ebt_dnat.c | 2 +-
net/bridge/netfilter/ebt_redirect.c | 2 +-
net/bridge/netfilter/ebt_snat.c | 2 +-
net/ipv6/netfilter/nf_conntrack_reasm.c | 1 +
net/netfilter/ipvs/ip_vs_proto_tcp.c | 10 ++++++----
net/netfilter/nf_conntrack_proto_tcp.c | 19 +++++++++++++------
net/netfilter/nf_dup_netdev.c | 1 +
net/netfilter/nf_tables_api.c | 6 +++---
net/netfilter/nf_tables_offload.c | 4 ++--
net/netfilter/nft_fwd_netdev.c | 1 +
12 files changed, 37 insertions(+), 19 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2020-04-07 22:29 Pablo Neira Ayuso
@ 2020-04-08 1:08 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2020-04-08 1:08 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 8 Apr 2020 00:29:29 +0200
> The following patchset contains Netfilter fixes for net, they are:
>
> 1) Fix spurious overlap condition in the rbtree tree, from Stefano Brivio.
>
> 2) Fix possible uninitialized pointer dereference in nft_lookup.
>
> 3) IDLETIMER v1 target matches the Android layout, from
> Maciej Zenczykowski.
>
> 4) Dangling pointer in nf_tables_set_alloc_name, from Eric Dumazet.
>
> 5) Fix RCU warning splat in ipset find_set_type(), from Amol Grover.
>
> 6) Report EOPNOTSUPP on unsupported set flags and object types in sets.
>
> 7) Add NFT_SET_CONCAT flag to provide consistent error reporting
> when users defines set with ranges in concatenations in old kernels.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2020-04-07 22:29 Pablo Neira Ayuso
2020-04-08 1:08 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-04-07 22:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for net, they are:
1) Fix spurious overlap condition in the rbtree tree, from Stefano Brivio.
2) Fix possible uninitialized pointer dereference in nft_lookup.
3) IDLETIMER v1 target matches the Android layout, from
Maciej Zenczykowski.
4) Dangling pointer in nf_tables_set_alloc_name, from Eric Dumazet.
5) Fix RCU warning splat in ipset find_set_type(), from Amol Grover.
6) Report EOPNOTSUPP on unsupported set flags and object types in sets.
7) Add NFT_SET_CONCAT flag to provide consistent error reporting
when users defines set with ranges in concatenations in old kernels.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 0452800f6db4ed0a42ffb15867c0acfd68829f6a:
net: dsa: mt7530: fix null pointer dereferencing in port5 setup (2020-04-03 16:10:32 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to ef516e8625ddea90b3a0313f3a0b0baa83db7ac2:
netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag (2020-04-07 18:23:04 +0200)
----------------------------------------------------------------
Amol Grover (1):
netfilter: ipset: Pass lockdep expression to RCU lists
Eric Dumazet (1):
netfilter: nf_tables: do not leave dangling pointer in nf_tables_set_alloc_name
Maciej Żenczykowski (1):
netfilter: xt_IDLETIMER: target v1 - match Android layout
Pablo Neira Ayuso (3):
netfilter: nf_tables: do not update stateful expressions if lookup is inverted
netfilter: nf_tables: report EOPNOTSUPP on unsupported flags/object type
netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag
Stefano Brivio (1):
netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
include/net/netfilter/nf_tables.h | 2 +-
include/uapi/linux/netfilter/nf_tables.h | 2 ++
include/uapi/linux/netfilter/xt_IDLETIMER.h | 1 +
net/netfilter/ipset/ip_set_core.c | 3 ++-
net/netfilter/nf_tables_api.c | 7 ++++---
net/netfilter/nft_lookup.c | 12 +++++++-----
net/netfilter/nft_set_bitmap.c | 1 -
net/netfilter/nft_set_rbtree.c | 23 +++++++++++------------
net/netfilter/xt_IDLETIMER.c | 3 +++
9 files changed, 31 insertions(+), 23 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2020-03-24 22:32 Pablo Neira Ayuso
@ 2020-03-25 0:31 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2020-03-25 0:31 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 24 Mar 2020 23:32:13 +0100
> The following patchset contains Netfilter fixes for net:
>
> 1) A new selftest for nf_queue, from Florian Westphal. This test
> covers two recent fixes: 07f8e4d0fddb ("tcp: also NULL skb->dev
> when copy was needed") and b738a185beaa ("tcp: ensure skb->dev is
> NULL before leaving TCP stack").
>
> 2) The fwd action breaks with ifb. For safety in next extensions,
> make sure the fwd action only runs from ingress until it is extended
> to be used from a different hook.
>
> 3) The pipapo set type now reports EEXIST in case of subrange overlaps.
> Update the rbtree set to validate range overlaps, so far this
> validation is only done only from userspace. From Stefano Brivio.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2020-03-24 22:32 Pablo Neira Ayuso
2020-03-25 0:31 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-24 22:32 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) A new selftest for nf_queue, from Florian Westphal. This test
covers two recent fixes: 07f8e4d0fddb ("tcp: also NULL skb->dev
when copy was needed") and b738a185beaa ("tcp: ensure skb->dev is
NULL before leaving TCP stack").
2) The fwd action breaks with ifb. For safety in next extensions,
make sure the fwd action only runs from ingress until it is extended
to be used from a different hook.
3) The pipapo set type now reports EEXIST in case of subrange overlaps.
Update the rbtree set to validate range overlaps, so far this
validation is only done only from userspace. From Stefano Brivio.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 749f6f6843115b424680f1aada3c0dd613ad807c:
net: phy: dp83867: w/a for fld detect threshold bootstrapping issue (2020-03-21 20:09:57 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to a64d558d8cf98424cc5eb9ae6631782cd8bf789c:
selftests: netfilter: add nfqueue test case (2020-03-24 20:00:12 +0100)
----------------------------------------------------------------
Florian Westphal (1):
selftests: netfilter: add nfqueue test case
Pablo Neira Ayuso (3):
netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
netfilter: nft_fwd_netdev: validate family and chain type
netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress
Stefano Brivio (3):
netfilter: nft_set_pipapo: Separate partial and complete overlap cases on insertion
netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
netfilter: nft_set_rbtree: Detect partial overlaps on insertion
net/netfilter/nf_tables_api.c | 5 +
net/netfilter/nft_fwd_netdev.c | 13 +
net/netfilter/nft_set_pipapo.c | 34 ++-
net/netfilter/nft_set_rbtree.c | 87 +++++-
tools/testing/selftests/netfilter/Makefile | 6 +-
tools/testing/selftests/netfilter/config | 6 +
tools/testing/selftests/netfilter/nf-queue.c | 352 +++++++++++++++++++++++++
tools/testing/selftests/netfilter/nft_queue.sh | 332 +++++++++++++++++++++++
8 files changed, 818 insertions(+), 17 deletions(-)
create mode 100644 tools/testing/selftests/netfilter/nf-queue.c
create mode 100755 tools/testing/selftests/netfilter/nft_queue.sh
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2020-01-25 17:34 Pablo Neira Ayuso
@ 2020-01-25 20:40 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2020-01-25 20:40 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 25 Jan 2020 18:34:08 +0100
> The following patchset contains Netfilter fixes for net:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2020-01-25 17:34 Pablo Neira Ayuso
2020-01-25 20:40 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2020-01-25 17:34 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Missing netlink attribute sanity check for NFTA_OSF_DREG,
from Florian Westphal.
2) Use bitmap infrastructure in ipset to fix KASAN slab-out-of-bounds
reads, from Jozsef Kadlecsik.
3) Missing initial CLOSED state in new sctp connection through
ctnetlink events, from Jiri Wiesner.
4) Missing check for NFT_CHAIN_HW_OFFLOAD in nf_tables offload
indirect block infrastructure, from wenxu.
5) Add __nft_chain_type_get() to sanity check family and chain type.
6) Autoload modules from the nf_tables abort path to fix races
reported by syzbot.
7) Remove unnecessary skb->csum update on inet_proto_csum_replace16(),
from Praveen Chaudhary.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit e02d9c4c68dc0ca08ded9487720bba775c09669b:
Merge branch 'bnxt_en-fixes' (2020-01-18 14:38:30 +0100)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 189c9b1e94539b11c80636bc13e9cf47529e7bba:
net: Fix skb->csum update in inet_proto_csum_replace16(). (2020-01-24 20:54:30 +0100)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nft_osf: add missing check for DREG attribute
Jiri Wiesner (1):
netfilter: conntrack: sctp: use distinct states for new SCTP connections
Kadlecsik József (1):
netfilter: ipset: use bitmap infrastructure completely
Pablo Neira Ayuso (2):
netfilter: nf_tables: add __nft_chain_type_get()
netfilter: nf_tables: autoload modules from the abort path
Praveen Chaudhary (1):
net: Fix skb->csum update in inet_proto_csum_replace16().
wenxu (1):
netfilter: nf_tables_offload: fix check the chain offload flag
include/linux/netfilter/ipset/ip_set.h | 7 --
include/linux/netfilter/nfnetlink.h | 2 +-
include/net/netns/nftables.h | 1 +
net/core/utils.c | 20 +++-
net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
net/netfilter/ipset/ip_set_bitmap_ip.c | 6 +-
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +-
net/netfilter/ipset/ip_set_bitmap_port.c | 6 +-
net/netfilter/nf_conntrack_proto_sctp.c | 6 +-
net/netfilter/nf_tables_api.c | 155 +++++++++++++++++++++---------
net/netfilter/nf_tables_offload.c | 2 +-
net/netfilter/nfnetlink.c | 6 +-
net/netfilter/nft_osf.c | 3 +
13 files changed, 146 insertions(+), 76 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2019-08-14 9:24 Pablo Neira Ayuso
@ 2019-08-15 21:02 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2019-08-15 21:02 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 14 Aug 2019 11:24:33 +0200
> This patchset contains Netfilter fixes for net:
>
> 1) Extend selftest to cover flowtable with ipsec, from Florian Westphal.
>
> 2) Fix interaction of ipsec with flowtable, also from Florian.
>
> 3) User-after-free with bound set to rule that fails to load.
>
> 4) Adjust state and timeout for flows that expire.
>
> 5) Timeout update race with flows in teardown state.
>
> 6) Ensure conntrack id hash calculation use invariants as input,
> from Dirk Morris.
>
> 7) Do not push flows into flowtable for TCP fin/rst packets.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2019-08-14 9:24 Pablo Neira Ayuso
2019-08-15 21:02 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2019-08-14 9:24 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
This patchset contains Netfilter fixes for net:
1) Extend selftest to cover flowtable with ipsec, from Florian Westphal.
2) Fix interaction of ipsec with flowtable, also from Florian.
3) User-after-free with bound set to rule that fails to load.
4) Adjust state and timeout for flows that expire.
5) Timeout update race with flows in teardown state.
6) Ensure conntrack id hash calculation use invariants as input,
from Dirk Morris.
7) Do not push flows into flowtable for TCP fin/rst packets.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 5e5412c365a32e452daa762eac36121cb8a370bb:
net/socket: fix GCC8+ Wpacked-not-aligned warnings (2019-08-03 11:02:46 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to dfe42be15fde16232340b8b2a57c359f51cc10d9:
netfilter: nft_flow_offload: skip tcp rst and fin packets (2019-08-14 11:09:07 +0200)
----------------------------------------------------------------
Dirk Morris (1):
netfilter: conntrack: Use consistent ct id hash calculation
Florian Westphal (2):
selftests: netfilter: extend flowtable test script for ipsec
netfilter: nf_flow_table: fix offload for flows that are subject to xfrm
Pablo Neira Ayuso (4):
netfilter: nf_tables: use-after-free in failing rule with bound set
netfilter: nf_flow_table: conntrack picks up expired flows
netfilter: nf_flow_table: teardown flow timeout race
netfilter: nft_flow_offload: skip tcp rst and fin packets
include/net/netfilter/nf_tables.h | 9 +++-
net/netfilter/nf_conntrack_core.c | 16 ++++----
net/netfilter/nf_flow_table_core.c | 43 +++++++++++++------
net/netfilter/nf_flow_table_ip.c | 43 +++++++++++++++++++
net/netfilter/nf_tables_api.c | 15 ++++---
net/netfilter/nft_flow_offload.c | 9 ++--
tools/testing/selftests/netfilter/nft_flowtable.sh | 48 ++++++++++++++++++++++
7 files changed, 153 insertions(+), 30 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2019-01-14 21:29 Pablo Neira Ayuso
@ 2019-01-15 21:32 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2019-01-15 21:32 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 14 Jan 2019 22:29:33 +0100
> This is the first batch of Netfilter fixes for your net tree:
>
> 1) Fix endless loop in nf_tables rules netlink dump, from Phil Sutter.
>
> 2) Reference counter leak in object from the error path, from Taehee Yoo.
>
> 3) Selective rule dump requires table and chain.
>
> 4) Fix DNAT with nft_flow_offload reverse route lookup, from wenxu.
>
> 5) Use GFP_KERNEL_ACCOUNT in vmalloc allocation from ebtables, from
> Shakeel Butt.
>
> 6) Set ifindex from route to fix interaction with VRF slave device,
> also from wenxu.
>
> 7) Use nfct_help() to check for conntrack helper, IPS_HELPER status
> flag is only set from explicit helpers via -j CT, from Henry Yen.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2019-01-14 21:29 Pablo Neira Ayuso
2019-01-15 21:32 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2019-01-14 21:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
This is the first batch of Netfilter fixes for your net tree:
1) Fix endless loop in nf_tables rules netlink dump, from Phil Sutter.
2) Reference counter leak in object from the error path, from Taehee Yoo.
3) Selective rule dump requires table and chain.
4) Fix DNAT with nft_flow_offload reverse route lookup, from wenxu.
5) Use GFP_KERNEL_ACCOUNT in vmalloc allocation from ebtables, from
Shakeel Butt.
6) Set ifindex from route to fix interaction with VRF slave device,
also from wenxu.
7) Use nfct_help() to check for conntrack helper, IPS_HELPER status
flag is only set from explicit helpers via -j CT, from Henry Yen.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit a0071840d2040ea1b27e5a008182b09b88defc15:
lan743x: Remove phy_read from link status change function (2019-01-08 16:26:12 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 2314e879747e82896f51cce4488f6a00f3e1af7b:
netfilter: nft_flow_offload: fix checking method of conntrack helper (2019-01-14 12:50:59 +0100)
----------------------------------------------------------------
Henry Yen (1):
netfilter: nft_flow_offload: fix checking method of conntrack helper
Pablo Neira Ayuso (1):
netfilter: nf_tables: selective rule dump needs table to be specified
Phil Sutter (1):
netfilter: nf_tables: Fix for endless loop when dumping ruleset
Shakeel Butt (1):
netfilter: ebtables: account ebt_table_info to kmemcg
Taehee Yoo (1):
netfilter: nf_tables: fix leaking object reference count
wenxu (2):
netfilter: nft_flow_offload: Fix reverse route lookup
netfilter: nft_flow_offload: fix interaction with vrf slave device
include/net/netfilter/nf_flow_table.h | 1 -
net/bridge/netfilter/ebtables.c | 6 ++++--
net/netfilter/nf_flow_table_core.c | 5 +++--
net/netfilter/nf_tables_api.c | 14 +++++++-------
net/netfilter/nft_flow_offload.c | 13 ++++++++-----
5 files changed, 22 insertions(+), 17 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2018-03-24 20:34 Pablo Neira Ayuso
@ 2018-03-24 21:10 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2018-03-24 21:10 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 24 Mar 2018 21:34:16 +0100
> The following patchset contains Netfilter fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thank you.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2018-03-24 20:34 Pablo Neira Ayuso
2018-03-24 21:10 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2018-03-24 20:34 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Don't pick fixed hash implementation for NFT_SET_EVAL sets, otherwise
userspace hits EOPNOTSUPP with valid rules using the meter statement,
from Florian Westphal.
2) If you send a batch that flushes the existing ruleset (that contains
a NAT chain) and the new ruleset definition comes with a new NAT
chain, don't bogusly hit EBUSY. Also from Florian.
3) Missing netlink policy attribute validation, from Florian.
4) Detach conntrack template from skbuff if IP_NODEFRAG is set on,
from Paolo Abeni.
5) Cache device names in flowtable object, otherwise we may end up
walking over devices going aways given no rtnl_lock is held.
6) Fix incorrect net_device ingress with ingress hooks.
7) Fix crash when trying to read more data than available in UDP
packets from the nf_socket infrastructure, from Subash.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 36fe095606f881e6a3c7f9283c986aec6083f3e6:
Merge branch 'phy-relax-error-checking' (2018-03-19 21:14:27 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 32c1733f0dd4bd11d6e65512bf4dc337c0452c8e:
netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6} (2018-03-24 21:17:14 +0100)
----------------------------------------------------------------
Florian Westphal (3):
netfilter: nf_tables: meter: pick a set backend that supports updates
netfilter: nf_tables: permit second nat hook if colliding hook is going away
netfilter: nf_tables: add missing netlink attrs to policies
Pablo Neira Ayuso (2):
netfilter: nf_tables: cache device name in flowtable object
netfilter: nf_tables: do not hold reference on netdevice from preparation phase
Paolo Abeni (1):
netfilter: drop template ct when conntrack is skipped.
Subash Abhinov Kasiviswanathan (1):
netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}
include/net/netfilter/nf_tables.h | 4 +
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 14 +++-
net/ipv4/netfilter/nf_socket_ipv4.c | 6 +-
net/ipv6/netfilter/nf_socket_ipv6.c | 6 +-
net/netfilter/nf_tables_api.c | 106 +++++++++++++++++++------
net/netfilter/nft_set_hash.c | 2 +-
6 files changed, 109 insertions(+), 29 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2016-08-30 11:26 Pablo Neira Ayuso
@ 2016-08-31 5:02 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2016-08-31 5:02 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 30 Aug 2016 13:26:16 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot Pablo.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2016-08-30 11:26 Pablo Neira Ayuso
2016-08-31 5:02 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-30 11:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Allow nf_tables reject expression from input, forward and output hooks,
since only there the routing information is available, otherwise we crash.
2) Fix unsafe list iteration when flushing timeout and accouting objects.
3) Fix refcount leak on timeout policy parsing failure.
4) Unlink timeout object for unconfirmed conntracks too
5) Missing validation of pkttype mangling from bridge family.
6) Fix refcount leak on ebtables on second lookup for the specific
bridge match extension, this patch from Sabrina Dubroca.
7) Remove unnecessary ip_hdr() in nf_tables_netdev family.
Patches from 1-5 and 7 from Liping Zhang.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 51af96b53469f3b8cfcfe0504d0ff87239175b78:
mlxsw: router: Enable neighbors to be created on stacked devices (2016-08-24 09:39:04 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to c73c2484901139c28383b58eabcbf4d613e91518:
netfilter: nf_tables_netdev: remove redundant ip_hdr assignment (2016-08-30 11:41:04 +0200)
----------------------------------------------------------------
Liping Zhang (6):
netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT
netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects
netfilter: cttimeout: put back l4proto when replacing timeout policy
netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists
netfilter: nft_meta: improve the validity check of pkttype set expr
netfilter: nf_tables_netdev: remove redundant ip_hdr assignment
Sabrina Dubroca (1):
netfilter: ebtables: put module reference when an incorrect extension is found
include/net/netfilter/nft_meta.h | 4 +++
include/net/netfilter/nft_reject.h | 4 +++
net/bridge/netfilter/ebtables.c | 2 ++
net/bridge/netfilter/nft_meta_bridge.c | 1 +
net/ipv4/netfilter/nft_reject_ipv4.c | 1 +
net/ipv6/netfilter/nft_reject_ipv6.c | 1 +
net/netfilter/nf_tables_netdev.c | 1 -
net/netfilter/nfnetlink_acct.c | 6 ++---
net/netfilter/nfnetlink_cttimeout.c | 49 +++++++++++++++++++---------------
net/netfilter/nft_meta.c | 17 +++++++++---
net/netfilter/nft_reject.c | 16 +++++++++++
net/netfilter/nft_reject_inet.c | 7 ++++-
12 files changed, 79 insertions(+), 30 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2016-06-17 18:25 Pablo Neira Ayuso
@ 2016-06-18 2:50 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2016-06-18 2:50 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 17 Jun 2016 20:25:12 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are rather small patches but fixing several outstanding bugs in
> nf_conntrack and nf_tables, as well as minor problems with missing
> SYNPROXY header uapi installation:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2016-06-17 18:25 Pablo Neira Ayuso
2016-06-18 2:50 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2016-06-17 18:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are rather small patches but fixing several outstanding bugs in
nf_conntrack and nf_tables, as well as minor problems with missing
SYNPROXY header uapi installation:
1) Oneliner not to leak conntrack kmemcache on module removal, this
problem was introduced in the previous merge window, patch from
Florian Westphal.
2) Two fixes for insufficient ruleset loop validation, one due to
incorrect flag check in nf_tables_bind_set() and another related to
silly wrong generation mask logic from the walk path, from Liping
Zhang.
3) Fix double-free of anonymous sets on error, this fix simplifies the
code to let the abort path take care of releasing the set object,
also from Liping Zhang.
4) The introduction of helper function for transactions broke the skip
inactive rules logic from the nft_do_chain(), again from Liping
Zhang.
5) Two patches to install uapi xt_SYNPROXY.h header and calm down
kbuild robot due to missing #include <linux/types.h>.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 61e0979a497b07f5a82f3050e37ecc7093e2971d:
Merge branch 'ovs-notifications' (2016-06-14 22:21:45 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 1463847e93fe693e89c52b03ab4ede6800d717c1:
netfilter: xt_SYNPROXY: include missing <linux/types.h> (2016-06-17 13:47:40 +0200)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: conntrack: destroy kmemcache on module removal
Liping Zhang (3):
netfilter: nf_tables: fix wrong check of NFT_SET_MAP in nf_tables_bind_set
netfilter: nf_tables: fix wrong destroy anonymous sets if binding fails
netfilter: nf_tables: fix a wrong check to skip the inactive rules
Pablo Neira Ayuso (3):
netfilter: nf_tables: reject loops from set element jump to chain
netfilter: xt_SYNPROXY: add missing header to Kbuild
netfilter: xt_SYNPROXY: include missing <linux/types.h>
include/net/netfilter/nf_tables.h | 1 +
include/uapi/linux/netfilter/Kbuild | 1 +
include/uapi/linux/netfilter/xt_SYNPROXY.h | 2 ++
net/netfilter/nf_conntrack_core.c | 2 ++
net/netfilter/nf_tables_api.c | 24 +++++++++++-------------
net/netfilter/nf_tables_core.c | 2 +-
net/netfilter/nft_hash.c | 3 +--
net/netfilter/nft_rbtree.c | 3 +--
8 files changed, 20 insertions(+), 18 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2016-06-01 12:03 Pablo Neira Ayuso
@ 2016-06-02 0:54 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2016-06-02 0:54 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 1 Jun 2016 14:03:17 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2016-06-01 12:03 Pablo Neira Ayuso
2016-06-02 0:54 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2016-06-01 12:03 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix incorrect timestamp in nfnetlink_queue introduced when addressing
y2038 safe timestamp, from Florian Westphal.
2) Get rid of leftover conntrack definition from the previous merge
window, oneliner from Florian.
3) Make nf_queue handler pernet to resolve race on dereferencing the
hook state structure with netns removal, from Eric Biederman.
4) Ensure clean exit on unregistered helper ports, from Taehee Yoo.
5) Restore FLOWI_FLAG_KNOWN_NH in nf_dup_ipv6. This got lost while
generalizing xt_TEE to add packet duplication support in nf_tables,
from Paolo Abeni.
6) Insufficient netlink NFTA_SET_TABLE attribute check in
nf_tables_getset(), from Phil Turnbull.
7) Reject helper registration on duplicated ports via modparams.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 1b7cc307a88377b0c948f9cbc36d026b272fe6e3:
Merge branch 'bnxt_en-fixes' (2016-05-11 23:46:09 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 893e093c786c4256d52809eed697e9d70a6f6643:
netfilter: nf_ct_helper: bail out on duplicated helpers (2016-05-31 11:57:18 +0200)
----------------------------------------------------------------
Eric W. Biederman (1):
netfilter: nf_queue: Make the queue_handler pernet
Florian Westphal (2):
netfilter: nfnetlink_queue: fix timestamp attribute
netfilter: conntrack: remove leftover binary sysctl define
Pablo Neira Ayuso (1):
netfilter: nf_ct_helper: bail out on duplicated helpers
Paolo Abeni (1):
netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags
Phil Turnbull (1):
netfilter: nf_tables: validate NFTA_SET_TABLE parameter
Taehee Yoo (1):
netfilter: nf_ct_helper: Fix helper unregister count.
include/net/netfilter/nf_queue.h | 4 ++--
include/net/netns/netfilter.h | 2 ++
net/ipv6/netfilter/nf_dup_ipv6.c | 1 +
net/netfilter/nf_conntrack_ftp.c | 1 +
net/netfilter/nf_conntrack_helper.c | 9 ++++-----
net/netfilter/nf_conntrack_irc.c | 1 +
net/netfilter/nf_conntrack_sane.c | 1 +
net/netfilter/nf_conntrack_sip.c | 1 +
net/netfilter/nf_conntrack_standalone.c | 2 --
net/netfilter/nf_conntrack_tftp.c | 1 +
net/netfilter/nf_queue.c | 17 ++++++++---------
net/netfilter/nf_tables_api.c | 2 ++
net/netfilter/nfnetlink_queue.c | 20 +++++++++++++-------
13 files changed, 37 insertions(+), 25 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] Netfilter fixes for net
2015-07-08 9:48 Pablo Neira Ayuso
@ 2015-07-09 7:03 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2015-07-09 7:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 8 Jul 2015 11:48:13 +0200
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot Pablo.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] Netfilter fixes for net
@ 2015-07-08 9:48 Pablo Neira Ayuso
2015-07-09 7:03 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2015-07-08 9:48 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree. This batch
mostly comes with patches to address fallout from the previous merge window
cycle, they are:
1) Use entry->state.hook_list from nf_queue() instead of the global nf_hooks
which is not valid when used from NFPROTO_NETDEV, this should cause no
problems though since we have no userspace queueing for that family, but
let's fix this now for the sake of correctness. Patch from Eric W. Biederman.
2) Fix compilation breakage in bridge netfilter if CONFIG_NF_DEFRAG_IPV4 is not
set, from Bernhard Thaler.
3) Use percpu jumpstack in arptables too, now that there's a single copy of the
rule blob we can't store the return address there anymore. Patch from
Florian Westphal.
4) Fix a skb leak in the xmit path of bridge netfilter, problem there since
2.6.37 although it should be not possible to hit invalid traffic there, also
from Florian.
5) Eric Leblond reports that when loading a large ruleset with many missing
modules after a fresh boot, nf_tables can take long time commit it. Fix this
by processing the full batch until the end, even on missing modules, then
abort only once and restart processing.
6) Add bridge netfilter files to the MAINTAINER files.
7) Fix a net_device refcount leak in the new IPV6 bridge netfilter code, from
Julien Grall.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 4da3064d1775810f10f7ddc1c34c3f1ff502a654:
Merge tag 'devicetree-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/glikely/linux (2015-07-01 19:40:18 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 86e8971800381c3a8d8d9327f83b1f97ccb04a4f:
netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6 (2015-07-08 11:02:16 +0200)
----------------------------------------------------------------
Bernhard Thaler (1):
netfilter: bridge: fix CONFIG_NF_DEFRAG_IPV4/6 related warnings/errors
Eric W. Biederman (1):
netfilter: nf_queue: Don't recompute the hook_list head
Florian Westphal (2):
netfilter: arptables: use percpu jumpstack
netfilter: bridge: don't leak skb in error paths
Julien Grall (1):
netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6
Pablo Neira Ayuso (2):
netfilter: nfnetlink: keep going batch handling on missing modules
MAINTAINER: add bridge netfilter
MAINTAINERS | 1 +
net/bridge/br_netfilter_hooks.c | 16 +++++++++++-----
net/bridge/br_netfilter_ipv6.c | 2 +-
net/ipv4/netfilter/arp_tables.c | 25 ++++++++++++++++---------
net/netfilter/nf_queue.c | 2 +-
net/netfilter/nfnetlink.c | 38 +++++++++++++++++++++++++-------------
6 files changed, 55 insertions(+), 29 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] netfilter fixes for net
2014-10-20 8:10 [PATCH 0/7] netfilter " Pablo Neira Ayuso
@ 2014-10-20 15:58 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2014-10-20 15:58 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 20 Oct 2014 10:10:32 +0200
> The following patchset contains netfilter fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot Pablo.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] netfilter fixes for net
@ 2014-10-20 8:10 Pablo Neira Ayuso
2014-10-20 15:58 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2014-10-20 8:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains netfilter fixes for your net tree,
they are:
1) Fix missing MODULE_LICENSE() in the new nf_reject_ipv{4,6} modules.
2) Restrict nat and masq expressions to the nat chain type. Otherwise,
users may crash their kernel if they attach a nat/masq rule to a non
nat chain.
3) Fix hook validation in nft_compat when non-base chains are used.
Basically, initialize hook_mask to zero.
4) Make sure you use match/targets in nft_compat from the right chain
type. The existing validation relies on the table name which can be
avoided by
5) Better netlink attribute validation in nft_nat. This expression has
to reject the configuration when no address and proto configurations
are specified.
6) Interpret NFTA_NAT_REG_*_MAX if only if NFTA_NAT_REG_*_MIN is set.
Yet another sanity check to reject incorrect configurations from
userspace.
7) Conditional NAT attribute dumping depending on the existing
configuration.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 01d2d484e49e9bc0ed9b5fdaf345a0e2bf35ffed:
Merge branch 'bcmgenet_systemport' (2014-10-10 15:39:22 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 1e2d56a5d33a7e1fcd21ed3859f52596d02708b0:
netfilter: nft_nat: dump attributes if they are set (2014-10-18 14:16:13 +0200)
----------------------------------------------------------------
Pablo Neira Ayuso (7):
netfilter: missing module license in the nf_reject_ipvX modules
netfilter: nf_tables: restrict nat/masq expressions to nat chain type
netfilter: nft_compat: fix hook validation for non-base chains
netfilter: nft_compat: validate chain type in match/target
netfilter: nft_nat: insufficient attribute validation
netfilter: nft_nat: NFTA_NAT_REG_ADDR_MAX depends on NFTA_NAT_REG_ADDR_MIN
netfilter: nft_nat: dump attributes if they are set
include/net/netfilter/nf_tables.h | 3 ++
include/net/netfilter/nft_masq.h | 3 ++
net/ipv4/netfilter/nf_reject_ipv4.c | 3 ++
net/ipv4/netfilter/nft_masq_ipv4.c | 1 +
net/ipv6/netfilter/nf_reject_ipv6.c | 4 ++
net/ipv6/netfilter/nft_masq_ipv6.c | 1 +
net/netfilter/nf_tables_api.c | 14 ++++++
net/netfilter/nft_compat.c | 79 ++++++++++++++++++++++++++++----
net/netfilter/nft_masq.c | 12 +++++
net/netfilter/nft_nat.c | 86 ++++++++++++++++++++++-------------
10 files changed, 165 insertions(+), 41 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] netfilter fixes for net
2013-11-21 9:05 Pablo Neira Ayuso
@ 2013-11-21 17:45 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2013-11-21 17:45 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 21 Nov 2013 10:05:21 +0100
> The following patchset contains fixes for your net tree, they are:
>
> * Remove extra quote from connlimit configuration in Kconfig, from
> Randy Dunlap.
>
> * Fix missing mss option in syn packets sent to the backend in our
> new synproxy target, from Martin Topholm.
>
> * Use window scale announced by client when sending the forged
> syn to the backend, from Martin Topholm.
>
> * Fix IPv6 address comparison in ebtables, from Luís Fernando
> Cornachioni Estrozi.
>
> * Fix wrong endianess in sequence adjustment which breaks helpers
> in NAT configurations, from Phil Oester.
>
> * Fix the error path handling of nft_compat, from me.
>
> * Make sure the global conntrack counter is decremented after the
> object has been released, also from me.
Pulled, thanks a lot Pablo.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] netfilter fixes for net
@ 2013-11-21 9:05 Pablo Neira Ayuso
2013-11-21 17:45 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2013-11-21 9:05 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David!
The following patchset contains fixes for your net tree, they are:
* Remove extra quote from connlimit configuration in Kconfig, from
Randy Dunlap.
* Fix missing mss option in syn packets sent to the backend in our
new synproxy target, from Martin Topholm.
* Use window scale announced by client when sending the forged
syn to the backend, from Martin Topholm.
* Fix IPv6 address comparison in ebtables, from Luís Fernando
Cornachioni Estrozi.
* Fix wrong endianess in sequence adjustment which breaks helpers
in NAT configurations, from Phil Oester.
* Fix the error path handling of nft_compat, from me.
* Make sure the global conntrack counter is decremented after the
object has been released, also from me.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Thanks!
----------------------------------------------------------------
The following changes since commit 42a2d923cc349583ebf6fdd52a7d35e1c2f7e6bd:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next (2013-11-13 17:40:34 +0900)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to acab78b99633f12aa2b697474562e19c5718a1ca:
netfilter: ebt_ip6: fix source and destination matching (2013-11-19 15:33:29 +0100)
----------------------------------------------------------------
Luís Fernando Cornachioni Estrozi (1):
netfilter: ebt_ip6: fix source and destination matching
Martin Topholm (2):
netfilter: synproxy: send mss option to backend
netfilter: synproxy: correct wscale option passing
Pablo Neira Ayuso (2):
netfilter: nft_compat: fix error path in nft_parse_compat()
netfilter: nf_conntrack: decrement global counter after object release
Phil Oester (1):
netfilter: fix wrong byte order in nf_ct_seqadj_set internal information
Randy Dunlap (1):
netfilter: fix connlimit Kconfig prompt string
net/bridge/netfilter/ebt_ip6.c | 8 +++++---
net/ipv4/netfilter/ipt_SYNPROXY.c | 1 +
net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
net/netfilter/Kconfig | 2 +-
net/netfilter/nf_conntrack_core.c | 3 ++-
net/netfilter/nf_conntrack_seqadj.c | 4 ++--
net/netfilter/nf_synproxy_core.c | 7 ++++---
net/netfilter/nft_compat.c | 19 +++++++++++++------
8 files changed, 29 insertions(+), 16 deletions(-)
^ permalink raw reply [flat|nested] 38+ messages in thread
* Re: [PATCH 0/7] netfilter fixes for net
2013-09-17 22:21 Pablo Neira Ayuso
@ 2013-09-18 0:23 ` David Miller
0 siblings, 0 replies; 38+ messages in thread
From: David Miller @ 2013-09-18 0:23 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 18 Sep 2013 00:21:59 +0200
> The following patchset contains Netfilter fixes for you net tree,
> mostly targeted to ipset, they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Looks good, pulled, thanks a lot.
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] netfilter fixes for net
@ 2013-09-17 22:21 Pablo Neira Ayuso
2013-09-18 0:23 ` David Miller
0 siblings, 1 reply; 38+ messages in thread
From: Pablo Neira Ayuso @ 2013-09-17 22:21 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Resending pull request email, previous one was missing the pull request
information itself, sorry.
--
Hi David,
The following patchset contains Netfilter fixes for you net tree,
mostly targeted to ipset, they are:
* Fix ICMPv6 NAT due to wrong comparison, code instead of type, from
Phil Oester.
* Fix RCU race in conntrack extensions release path, from Michal Kubecek.
* Fix missing inversion in the userspace ipset test command match if
the nomatch option is specified, from Jozsef Kadlecsik.
* Skip layer 4 protocol matching in ipset in case of IPv6 fragments,
also from Jozsef Kadlecsik.
* Fix sequence adjustment in nfnetlink_queue due to using the netlink
skb instead of the network skb, from Gao feng.
* Make sure we cannot swap of sets with different layer 3 family in
ipset, from Jozsef Kadlecsik.
* Fix possible bogus matching in ipset if hash sets with net elements
are used, from Oliver Smith.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Thanks!
----------------------------------------------------------------
The following changes since commit c19d65c95c6d472d69829fea7d473228493d5245:
bnx2x: Fix configuration of doorbell block (2013-09-09 17:06:14 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 0a0d80eb39aa465b7bdf6f7754d0ba687eb3d2a7:
netfilter: nfnetlink_queue: use network skb for sequence adjustment (2013-09-17 13:05:12 +0200)
----------------------------------------------------------------
Gao feng (1):
netfilter: nfnetlink_queue: use network skb for sequence adjustment
Jozsef Kadlecsik (3):
netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol
netfilter: ipset: Consistent userspace testing with nomatch flag
netfilter: ipset: Validate the set family and not the set type family at swapping
Michal Kubeček (1):
netfilter: nf_conntrack: use RCU safe kfree for conntrack extensions
Oliver Smith (1):
netfilter: ipset: Fix serious failure in CIDR tracking
Phil Oester (1):
netfilter: nf_nat_proto_icmpv6:: fix wrong comparison in icmpv6_manip_pkt
include/linux/netfilter/ipset/ip_set.h | 6 ++++--
include/net/netfilter/nf_conntrack_extend.h | 2 +-
net/ipv6/netfilter/nf_nat_proto_icmpv6.c | 4 ++--
net/netfilter/ipset/ip_set_core.c | 5 ++---
net/netfilter/ipset/ip_set_getport.c | 4 ++--
net/netfilter/ipset/ip_set_hash_gen.h | 28 +++++++++++++++------------
net/netfilter/ipset/ip_set_hash_ipportnet.c | 4 ++--
net/netfilter/ipset/ip_set_hash_net.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netiface.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netport.c | 4 ++--
net/netfilter/nfnetlink_queue_core.c | 2 +-
11 files changed, 36 insertions(+), 31 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 38+ messages in thread
* [PATCH 0/7] netfilter fixes for net
@ 2013-09-17 22:07 Pablo Neira Ayuso
0 siblings, 0 replies; 38+ messages in thread
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for you net tree,
they are:
* Fix ICMPv6 NAT due to wrong comparison, code instead of type, from
Phil Oester.
* Fix RCU race in conntrack extensions release path, from Michal Kubecek.
* Fix missing inversion in the userspace ipset test command match if
the nomatch option is specified, from Jozsef Kadlecsik.
* Skip layer 4 protocol matching in ipset in case of IPv6 fragments,
also from Jozsef Kadlecsik.
* Fix sequence adjustment in nfnetlink_queue due to using the netlink
skb instead of the network skb, from Gao feng.
* Make sure we cannot swap of sets with different layer 3 family in
ipset, from Jozsef Kadlecsik.
* Fix possible bogus matching in ipset if hash sets with net elements
are used, from Oliver Smith.
Gao feng (1):
netfilter: nfnetlink_queue: use network skb for sequence adjustment
Jozsef Kadlecsik (3):
netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol
netfilter: ipset: Consistent userspace testing with nomatch flag
netfilter: ipset: Validate the set family and not the set type family at swapping
Michal Kubeček (1):
netfilter: nf_conntrack: use RCU safe kfree for conntrack extensions
Oliver Smith (1):
netfilter: ipset: Fix serious failure in CIDR tracking
Phil Oester (1):
netfilter: nf_nat_proto_icmpv6:: fix wrong comparison in icmpv6_manip_pkt
include/linux/netfilter/ipset/ip_set.h | 6 ++++--
include/net/netfilter/nf_conntrack_extend.h | 2 +-
net/ipv6/netfilter/nf_nat_proto_icmpv6.c | 4 ++--
net/netfilter/ipset/ip_set_core.c | 5 ++---
net/netfilter/ipset/ip_set_getport.c | 4 ++--
net/netfilter/ipset/ip_set_hash_gen.h | 28 +++++++++++++++------------
net/netfilter/ipset/ip_set_hash_ipportnet.c | 4 ++--
net/netfilter/ipset/ip_set_hash_net.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netiface.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netport.c | 4 ++--
net/netfilter/nfnetlink_queue_core.c | 2 +-
11 files changed, 36 insertions(+), 31 deletions(-)
--
1.7.10.4
^ permalink raw reply [flat|nested] 38+ messages in thread
end of thread, other threads:[~2020-10-22 19:16 UTC | newest]
Thread overview: 38+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-25 18:26 [PATCH 0/7] Netfilter fixes for net Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 1/7] netfilter: ipset: fix unaligned atomic access Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 2/7] netfilter: Add MODULE_DESCRIPTION entries to kernel modules Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 3/7] netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 4/7] netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 5/7] netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 6/7] netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c Pablo Neira Ayuso
2020-06-25 18:26 ` [PATCH 7/7] selftests: netfilter: add test case for conntrack helper assignment Pablo Neira Ayuso
2020-06-25 19:59 ` [PATCH 0/7] Netfilter fixes for net David Miller
-- strict thread matches above, loose matches on Subject: below --
2020-10-22 17:29 Pablo Neira Ayuso
2020-10-22 19:16 ` Jakub Kicinski
2020-04-07 22:29 Pablo Neira Ayuso
2020-04-08 1:08 ` David Miller
2020-03-24 22:32 Pablo Neira Ayuso
2020-03-25 0:31 ` David Miller
2020-01-25 17:34 Pablo Neira Ayuso
2020-01-25 20:40 ` David Miller
2019-08-14 9:24 Pablo Neira Ayuso
2019-08-15 21:02 ` David Miller
2019-01-14 21:29 Pablo Neira Ayuso
2019-01-15 21:32 ` David Miller
2018-03-24 20:34 Pablo Neira Ayuso
2018-03-24 21:10 ` David Miller
2016-08-30 11:26 Pablo Neira Ayuso
2016-08-31 5:02 ` David Miller
2016-06-17 18:25 Pablo Neira Ayuso
2016-06-18 2:50 ` David Miller
2016-06-01 12:03 Pablo Neira Ayuso
2016-06-02 0:54 ` David Miller
2015-07-08 9:48 Pablo Neira Ayuso
2015-07-09 7:03 ` David Miller
2014-10-20 8:10 [PATCH 0/7] netfilter " Pablo Neira Ayuso
2014-10-20 15:58 ` David Miller
2013-11-21 9:05 Pablo Neira Ayuso
2013-11-21 17:45 ` David Miller
2013-09-17 22:21 Pablo Neira Ayuso
2013-09-18 0:23 ` David Miller
2013-09-17 22:07 Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).