[PATCH 0/5] Netfilter fixes for net

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contains Netfilter fixes for net:

1) Fix warnings suspicious rcu usage when handling base chain
   statistics, from Taehee Yoo.

2) Refetch pointer to tcp header from nf_ct_sack_adjust() since
   skb_make_writable() may reallocate data area, reported by Google
   folks patch from Florian.

3) Incorrect netlink nest end after previous cancellation from error
   path in ipset, from Pan Bian.

4) Use dst_hold_safe() from nf_xfrm_me_harder(), from Florian.

5) Use rb_link_node_rcu() for rcu-protected rbtree node in
   nf_conncount, from Taehee Yoo.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 986103e7920cabc0b910749e77ae5589d3934d52:

  net/ibmvnic: Fix RTNL deadlock during device reset (2018-12-03 15:53:55 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to d4e7df16567b80836a78d31b42f1a9355a636d67:

  netfilter: nf_conncount: use rb_link_node_rcu() instead of rb_link_node() (2018-12-13 01:14:58 +0100)

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: seqadj: re-load tcp header pointer after possible head reallocation
      netfilter: nat: can't use dst_hold on noref dst

Pan Bian (1):
      netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel

Taehee Yoo (2):
      netfilter: nf_tables: fix suspicious RCU usage in nft_chain_stats_replace()
      netfilter: nf_conncount: use rb_link_node_rcu() instead of rb_link_node()

 include/linux/netfilter/nfnetlink.h   | 12 ------------
 net/netfilter/ipset/ip_set_list_set.c |  2 +-
 net/netfilter/nf_conncount.c          |  2 +-
 net/netfilter/nf_conntrack_seqadj.c   |  7 ++++---
 net/netfilter/nf_nat_core.c           |  3 ++-
 net/netfilter/nf_tables_api.c         | 21 +++++++++++++--------
 net/netfilter/nf_tables_core.c        |  2 +-
 7 files changed, 22 insertions(+), 27 deletions(-)

[PATCH 1/5] netfilter: nf_tables: fix suspicious RCU usage in nft_chain_stats_replace()

[Pablo Neira Ayuso]

From: Taehee Yoo <ap420073@gmail.com>

basechain->stats is rcu protected data which is updated from
nft_chain_stats_replace(). This function is executed from the commit
phase which holds the pernet nf_tables commit mutex - not the global
nfnetlink subsystem mutex.

Test commands to reproduce the problem are:
   %iptables-nft -I INPUT
   %iptables-nft -Z
   %iptables-nft -Z

This patch uses RCU calls to handle basechain->stats updates to fix a
splat that looks like:

[89279.358755] =============================
[89279.363656] WARNING: suspicious RCU usage
[89279.368458] 4.20.0-rc2+ #44 Tainted: G        W    L
[89279.374661] -----------------------------
[89279.379542] net/netfilter/nf_tables_api.c:1404 suspicious rcu_dereference_protected() usage!
[...]
[89279.406556] 1 lock held by iptables-nft/5225:
[89279.411728]  #0: 00000000bf45a000 (&net->nft.commit_mutex){+.+.}, at: nf_tables_valid_genid+0x1f/0x70 [nf_tables]
[89279.424022] stack backtrace:
[89279.429236] CPU: 0 PID: 5225 Comm: iptables-nft Tainted: G        W    L    4.20.0-rc2+ #44
[89279.430135] Call Trace:
[89279.430135]  dump_stack+0xc9/0x16b
[89279.430135]  ? show_regs_print_info+0x5/0x5
[89279.430135]  ? lockdep_rcu_suspicious+0x117/0x160
[89279.430135]  nft_chain_commit_update+0x4ea/0x640 [nf_tables]
[89279.430135]  ? sched_clock_local+0xd4/0x140
[89279.430135]  ? check_flags.part.35+0x440/0x440
[89279.430135]  ? __rhashtable_remove_fast.constprop.67+0xec0/0xec0 [nf_tables]
[89279.430135]  ? sched_clock_cpu+0x126/0x170
[89279.430135]  ? find_held_lock+0x39/0x1c0
[89279.430135]  ? hlock_class+0x140/0x140
[89279.430135]  ? is_bpf_text_address+0x5/0xf0
[89279.430135]  ? check_flags.part.35+0x440/0x440
[89279.430135]  ? __lock_is_held+0xb4/0x140
[89279.430135]  nf_tables_commit+0x2555/0x39c0 [nf_tables]

Fixes: f102d66b335a4 ("netfilter: nf_tables: use dedicated mutex to guard transactions")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter/nfnetlink.h | 12 ------------
 net/netfilter/nf_tables_api.c       | 21 +++++++++++++--------
 net/netfilter/nf_tables_core.c      |  2 +-
 3 files changed, 14 insertions(+), 21 deletions(-)

diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 4a520d3304a2..cf09ab37b45b 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -62,18 +62,6 @@ static inline bool lockdep_nfnl_is_held(__u8 subsys_id)
 }
 #endif /* CONFIG_PROVE_LOCKING */
 
-/*
- * nfnl_dereference - fetch RCU pointer when updates are prevented by subsys mutex
- *
- * @p: The pointer to read, prior to dereferencing
- * @ss: The nfnetlink subsystem ID
- *
- * Return the value of the specified RCU-protected pointer, but omit
- * the READ_ONCE(), because caller holds the NFNL subsystem mutex.
- */
-#define nfnl_dereference(p, ss)					\
-	rcu_dereference_protected(p, lockdep_nfnl_is_held(ss))
-
 #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
 	MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
 
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2e61aab6ed73..6e548d7c9f67 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1216,7 +1216,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
 		if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
 			goto nla_put_failure;
 
-		if (basechain->stats && nft_dump_stats(skb, basechain->stats))
+		if (rcu_access_pointer(basechain->stats) &&
+		    nft_dump_stats(skb, rcu_dereference(basechain->stats)))
 			goto nla_put_failure;
 	}
 
@@ -1392,7 +1393,8 @@ static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
 	return newstats;
 }
 
-static void nft_chain_stats_replace(struct nft_base_chain *chain,
+static void nft_chain_stats_replace(struct net *net,
+				    struct nft_base_chain *chain,
 				    struct nft_stats __percpu *newstats)
 {
 	struct nft_stats __percpu *oldstats;
@@ -1400,8 +1402,9 @@ static void nft_chain_stats_replace(struct nft_base_chain *chain,
 	if (newstats == NULL)
 		return;
 
-	if (chain->stats) {
-		oldstats = nfnl_dereference(chain->stats, NFNL_SUBSYS_NFTABLES);
+	if (rcu_access_pointer(chain->stats)) {
+		oldstats = rcu_dereference_protected(chain->stats,
+					lockdep_commit_lock_is_held(net));
 		rcu_assign_pointer(chain->stats, newstats);
 		synchronize_rcu();
 		free_percpu(oldstats);
@@ -1439,9 +1442,10 @@ static void nf_tables_chain_destroy(struct nft_ctx *ctx)
 		struct nft_base_chain *basechain = nft_base_chain(chain);
 
 		module_put(basechain->type->owner);
-		free_percpu(basechain->stats);
-		if (basechain->stats)
+		if (rcu_access_pointer(basechain->stats)) {
 			static_branch_dec(&nft_counters_enabled);
+			free_percpu(rcu_dereference_raw(basechain->stats));
+		}
 		kfree(chain->name);
 		kfree(basechain);
 	} else {
@@ -1590,7 +1594,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 				kfree(basechain);
 				return PTR_ERR(stats);
 			}
-			basechain->stats = stats;
+			rcu_assign_pointer(basechain->stats, stats);
 			static_branch_inc(&nft_counters_enabled);
 		}
 
@@ -6180,7 +6184,8 @@ static void nft_chain_commit_update(struct nft_trans *trans)
 		return;
 
 	basechain = nft_base_chain(trans->ctx.chain);
-	nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
+	nft_chain_stats_replace(trans->ctx.net, basechain,
+				nft_trans_chain_stats(trans));
 
 	switch (nft_trans_chain_policy(trans)) {
 	case NF_DROP:
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 3fbce3b9c5ec..a50500232b0a 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -101,7 +101,7 @@ static noinline void nft_update_chain_stats(const struct nft_chain *chain,
 	struct nft_stats *stats;
 
 	base_chain = nft_base_chain(chain);
-	if (!base_chain->stats)
+	if (!rcu_access_pointer(base_chain->stats))
 		return;
 
 	local_bh_disable();
-- 
2.11.0

[PATCH 2/5] netfilter: seqadj: re-load tcp header pointer after possible head reallocation

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

When adjusting sack block sequence numbers, skb_make_writable() gets
called to make sure tcp options are all in the linear area, and buffer
is not shared.

This can cause tcp header pointer to get reallocated, so we must
reaload it to avoid memory corruption.

This bug pre-dates git history.

Reported-by: Neel Mehta <nmehta@google.com>
Reported-by: Shane Huntley <shuntley@google.com>
Reported-by: Heather Adkins <argv@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_seqadj.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index a975efd6b8c3..9da303461069 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -115,12 +115,12 @@ static void nf_ct_sack_block_adjust(struct sk_buff *skb,
 /* TCP SACK sequence number adjustment */
 static unsigned int nf_ct_sack_adjust(struct sk_buff *skb,
 				      unsigned int protoff,
-				      struct tcphdr *tcph,
 				      struct nf_conn *ct,
 				      enum ip_conntrack_info ctinfo)
 {
-	unsigned int dir, optoff, optend;
+	struct tcphdr *tcph = (void *)skb->data + protoff;
 	struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
+	unsigned int dir, optoff, optend;
 
 	optoff = protoff + sizeof(struct tcphdr);
 	optend = protoff + tcph->doff * 4;
@@ -128,6 +128,7 @@ static unsigned int nf_ct_sack_adjust(struct sk_buff *skb,
 	if (!skb_make_writable(skb, optend))
 		return 0;
 
+	tcph = (void *)skb->data + protoff;
 	dir = CTINFO2DIR(ctinfo);
 
 	while (optoff < optend) {
@@ -207,7 +208,7 @@ int nf_ct_seq_adjust(struct sk_buff *skb,
 		 ntohl(newack));
 	tcph->ack_seq = newack;
 
-	res = nf_ct_sack_adjust(skb, protoff, tcph, ct, ctinfo);
+	res = nf_ct_sack_adjust(skb, protoff, ct, ctinfo);
 out:
 	spin_unlock_bh(&ct->lock);
 
-- 
2.11.0

[PATCH 3/5] netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel

[Pablo Neira Ayuso]

From: Pan Bian <bianpan2016@163.com>

In the error handling block, nla_nest_cancel(skb, atd) is called to
cancel the nest operation. But then, ipset_nest_end(skb, atd) is
unexpected called to end the nest operation. This patch calls the
ipset_nest_end only on the branch that nla_nest_cancel is not called.

Fixes: 45040978c899 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel")
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipset/ip_set_list_set.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 4eef55da0878..8da228da53ae 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -531,8 +531,8 @@ list_set_list(const struct ip_set *set,
 		ret = -EMSGSIZE;
 	} else {
 		cb->args[IPSET_CB_ARG0] = i;
+		ipset_nest_end(skb, atd);
 	}
-	ipset_nest_end(skb, atd);
 out:
 	rcu_read_unlock();
 	return ret;
-- 
2.11.0

[PATCH 4/5] netfilter: nat: can't use dst_hold on noref dst

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

The dst entry might already have a zero refcount, waiting on rcu list
to be free'd.  Using dst_hold() transitions its reference count to 1, and
next dst release will try to free it again -- resulting in a double free:

  WARNING: CPU: 1 PID: 0 at include/net/dst.h:239 nf_xfrm_me_harder+0xe7/0x130 [nf_nat]
  RIP: 0010:nf_xfrm_me_harder+0xe7/0x130 [nf_nat]
  Code: 48 8b 5c 24 60 65 48 33 1c 25 28 00 00 00 75 53 48 83 c4 68 5b 5d 41 5c c3 85 c0 74 0d 8d 48 01 f0 0f b1 0a 74 86 85 c0 75 f3 <0f> 0b e9 7b ff ff ff 29 c6 31 d2 b9 20 00 48 00 4c 89 e7 e8 31 27
  Call Trace:
  nf_nat_ipv4_out+0x78/0x90 [nf_nat_ipv4]
  nf_hook_slow+0x36/0xd0
  ip_output+0x9f/0xd0
  ip_forward+0x328/0x440
  ip_rcv+0x8a/0xb0

Use dst_hold_safe instead and bail out if we cannot take a reference.

Fixes: a4c2fd7f7891 ("net: remove DST_NOCACHE flag")
Reported-by: Martin Zaharinov <micron10@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_nat_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index e2b196054dfc..2268b10a9dcf 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -117,7 +117,8 @@ int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family)
 	dst = skb_dst(skb);
 	if (dst->xfrm)
 		dst = ((struct xfrm_dst *)dst)->route;
-	dst_hold(dst);
+	if (!dst_hold_safe(dst))
+		return -EHOSTUNREACH;
 
 	if (sk && !net_eq(net, sock_net(sk)))
 		sk = NULL;
-- 
2.11.0

[PATCH 5/5] netfilter: nf_conncount: use rb_link_node_rcu() instead of rb_link_node()

[Pablo Neira Ayuso]

From: Taehee Yoo <ap420073@gmail.com>

rbnode in insert_tree() is rcu protected pointer.
So, in order to handle this pointer, _rcu function should be used.
rb_link_node_rcu() is a rcu version of rb_link_node().

Fixes: 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conncount.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index b6d0f6deea86..9cd180bda092 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -427,7 +427,7 @@ insert_tree(struct net *net,
 	count = 1;
 	rbconn->list.count = count;
 
-	rb_link_node(&rbconn->node, parent, rbnode);
+	rb_link_node_rcu(&rbconn->node, parent, rbnode);
 	rb_insert_color(&rbconn->node, root);
 out_unlock:
 	spin_unlock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]);
-- 
2.11.0

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 13 Dec 2018 02:06:26 +0100

> The following patchset contains Netfilter fixes for net:
> 
> 1) Fix warnings suspicious rcu usage when handling base chain
>    statistics, from Taehee Yoo.
> 
> 2) Refetch pointer to tcp header from nf_ct_sack_adjust() since
>    skb_make_writable() may reallocate data area, reported by Google
>    folks patch from Florian.
> 
> 3) Incorrect netlink nest end after previous cancellation from error
>    path in ipset, from Pan Bian.
> 
> 4) Use dst_hold_safe() from nf_xfrm_me_harder(), from Florian.
> 
> 5) Use rb_link_node_rcu() for rcu-protected rbtree node in
>    nf_conncount, from Taehee Yoo.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks.

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue,  8 Sep 2020 17:09:42 +0200

> The following patchset contains Netfilter fixes for net:
> 
> 1) Allow conntrack entries with l3num == NFPROTO_IPV4 or == NFPROTO_IPV6
>    only via ctnetlink, from Will McVicker.
> 
> 2) Batch notifications to userspace to improve netlink socket receive
>    utilization.
> 
> 3) Restore mark based dump filtering via ctnetlink, from Martin Willi.
> 
> 4) nf_conncount_init() fails with -EPROTO with CONFIG_IPV6, from
>    Eelco Chaudron.
> 
> 5) Containers fail to match on meta skuid and skgid, use socket user_ns
>    to retrieve meta skuid and skgid.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Allow conntrack entries with l3num == NFPROTO_IPV4 or == NFPROTO_IPV6
   only via ctnetlink, from Will McVicker.

2) Batch notifications to userspace to improve netlink socket receive
   utilization.

3) Restore mark based dump filtering via ctnetlink, from Martin Willi.

4) nf_conncount_init() fails with -EPROTO with CONFIG_IPV6, from
   Eelco Chaudron.

5) Containers fail to match on meta skuid and skgid, use socket user_ns
   to retrieve meta skuid and skgid.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you.

----------------------------------------------------------------

The following changes since commit 19162fd4063a3211843b997a454b505edb81d5ce:

  hv_netvsc: Fix hibernation for mlx5 VF driver (2020-09-07 21:04:36 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 0c92411bb81de9bc516d6924f50289d8d5f880e5:

  netfilter: nft_meta: use socket user_ns to retrieve skuid and skgid (2020-09-08 13:04:56 +0200)

----------------------------------------------------------------
Eelco Chaudron (1):
      netfilter: conntrack: nf_conncount_init is failing with IPv6 disabled

Martin Willi (1):
      netfilter: ctnetlink: fix mark based dump filtering regression

Pablo Neira Ayuso (2):
      netfilter: nf_tables: coalesce multiple notifications into one skbuff
      netfilter: nft_meta: use socket user_ns to retrieve skuid and skgid

Will McVicker (1):
      netfilter: ctnetlink: add a range check for l3/l4 protonum

 include/net/netns/nftables.h         |  1 +
 net/netfilter/nf_conntrack_netlink.c | 22 +++---------
 net/netfilter/nf_conntrack_proto.c   |  2 ++
 net/netfilter/nf_tables_api.c        | 70 +++++++++++++++++++++++++++++-------
 net/netfilter/nft_meta.c             |  4 +--
 5 files changed, 67 insertions(+), 32 deletions(-)

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue,  4 Aug 2020 22:02:03 +0200

> The following patchset contains Netfilter fixes for net:
> 
> 1) Flush the cleanup xtables worker to make sure destructors
>    have completed, from Florian Westphal.
> 
> 2) iifgroup is matching erroneously, also from Florian.
> 
> 3) Add selftest for meta interface matching, from Florian Westphal.
> 
> 4) Move nf_ct_offload_timeout() to header, from Roi Dayan.
> 
> 5) Call nf_ct_offload_timeout() from flow_offload_add() to
>    make sure garbage collection does not evict offloaded flow,
>    from Roi Dayan.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Flush the cleanup xtables worker to make sure destructors
   have completed, from Florian Westphal.

2) iifgroup is matching erroneously, also from Florian.

3) Add selftest for meta interface matching, from Florian Westphal.

4) Move nf_ct_offload_timeout() to header, from Roi Dayan.

5) Call nf_ct_offload_timeout() from flow_offload_add() to
   make sure garbage collection does not evict offloaded flow,
   from Roi Dayan.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you!

----------------------------------------------------------------

The following changes since commit 85496a29224188051b6135eb38da8afd4c584765:

  net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() (2020-07-30 17:45:13 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 4203b19c27967d9eff6928f6a733f81892ffc592:

  netfilter: flowtable: Set offload timeout when adding flow (2020-08-03 12:37:24 +0200)

----------------------------------------------------------------
Florian Westphal (3):
      netfilter: nft_compat: make sure xtables destructors have run
      netfilter: nft_meta: fix iifgroup matching
      selftests: netfilter: add meta iif/oif match test

Roi Dayan (2):
      netfilter: conntrack: Move nf_ct_offload_timeout to header file
      netfilter: flowtable: Set offload timeout when adding flow

 include/net/netfilter/nf_conntrack.h          |  12 +++
 include/net/netfilter/nf_tables.h             |   2 +
 net/netfilter/nf_conntrack_core.c             |  12 ---
 net/netfilter/nf_flow_table_core.c            |   2 +
 net/netfilter/nf_tables_api.c                 |  10 ++-
 net/netfilter/nft_compat.c                    |  36 +++++++-
 net/netfilter/nft_meta.c                      |   2 +-
 tools/testing/selftests/netfilter/Makefile    |   2 +-
 tools/testing/selftests/netfilter/nft_meta.sh | 124 ++++++++++++++++++++++++++
 9 files changed, 182 insertions(+), 20 deletions(-)
 create mode 100755 tools/testing/selftests/netfilter/nft_meta.sh

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 26 May 2020 22:10:23 +0200

> If it's still possible, it would be good to toss this pull request.
> 
> Otherwise, I will send another pull request to address the kbuild
> reports.

Unfortunately I pushed it out already, please send me follow-ups.

Thanks.

Re: [PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

On Mon, May 25, 2020 at 06:29:01PM -0700, David Miller wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> Date: Mon, 25 May 2020 23:54:15 +0200
> 
> > The following patchset contains Netfilter fixes for net:
> > 
> > 1) Set VLAN tag in tcp reset/icmp unreachable packets to reject
> >    connections in the bridge family, from Michael Braun.
> > 
> > 2) Incorrect subcounter flag update in ipset, from Phil Sutter.
> > 
> > 3) Possible buffer overflow in the pptp conntrack helper, based
> >    on patch from Dan Carpenter.
> > 
> > 4) Restore userspace conntrack helper hook logic that broke after
> >    hook consolidation rework.
> > 
> > 5) Unbreak userspace conntrack helper registration via
> >    nfnetlink_cthelper.
> > 
> > You can pull these changes from:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
> 
> Pulled, thank you.

If it's still possible, it would be good to toss this pull request.

Otherwise, I will send another pull request to address the kbuild
reports.

Thank you.

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 25 May 2020 23:54:15 +0200

> The following patchset contains Netfilter fixes for net:
> 
> 1) Set VLAN tag in tcp reset/icmp unreachable packets to reject
>    connections in the bridge family, from Michael Braun.
> 
> 2) Incorrect subcounter flag update in ipset, from Phil Sutter.
> 
> 3) Possible buffer overflow in the pptp conntrack helper, based
>    on patch from Dan Carpenter.
> 
> 4) Restore userspace conntrack helper hook logic that broke after
>    hook consolidation rework.
> 
> 5) Unbreak userspace conntrack helper registration via
>    nfnetlink_cthelper.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thank you.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Set VLAN tag in tcp reset/icmp unreachable packets to reject
   connections in the bridge family, from Michael Braun.

2) Incorrect subcounter flag update in ipset, from Phil Sutter.

3) Possible buffer overflow in the pptp conntrack helper, based
   on patch from Dan Carpenter.

4) Restore userspace conntrack helper hook logic that broke after
   hook consolidation rework.

5) Unbreak userspace conntrack helper registration via
   nfnetlink_cthelper.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you.

----------------------------------------------------------------

The following changes since commit 98790bbac4db1697212ce9462ec35ca09c4a2810:

  Merge tag 'efi-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip (2020-05-24 10:24:10 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 703acd70f2496537457186211c2f03e792409e68:

  netfilter: nfnetlink_cthelper: unbreak userspace helper support (2020-05-25 20:39:14 +0200)

----------------------------------------------------------------
Michael Braun (1):
      netfilter: nft_reject_bridge: enable reject with bridge vlan

Pablo Neira Ayuso (3):
      netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
      netfilter: conntrack: make conntrack userspace helpers work again
      netfilter: nfnetlink_cthelper: unbreak userspace helper support

Phil Sutter (1):
      netfilter: ipset: Fix subcounter update skip

 include/linux/netfilter/nf_conntrack_pptp.h |  2 +-
 net/bridge/netfilter/nft_reject_bridge.c    |  6 +++
 net/ipv4/netfilter/nf_nat_pptp.c            |  7 +--
 net/netfilter/ipset/ip_set_list_set.c       |  2 +-
 net/netfilter/nf_conntrack_core.c           | 78 ++++++++++++++++++++++++++---
 net/netfilter/nf_conntrack_pptp.c           | 62 +++++++++++++----------
 net/netfilter/nfnetlink_cthelper.c          |  3 +-
 7 files changed, 119 insertions(+), 41 deletions(-)

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 25 Sep 2019 22:29:58 +0200

> The following patchset contains Netfilter fixes for net:
> 
> 1) Add NFT_CHAIN_POLICY_UNSET to replace hardcoded -1 to
>    specify that the chain policy is unset. The chain policy
>    field is actually defined as an 8-bit unsigned integer.
> 
> 2) Remove always true condition reported by smatch in
>    chain policy check.
> 
> 3) Fix element lookup on dynamic sets, from Florian Westphal.
> 
> 4) Use __u8 in ebtables uapi header, from Masahiro Yamada.
> 
> 5) Bogus EBUSY when removing flowtable after chain flush,
>    from Laura Garcia Liebana.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Add NFT_CHAIN_POLICY_UNSET to replace hardcoded -1 to
   specify that the chain policy is unset. The chain policy
   field is actually defined as an 8-bit unsigned integer.

2) Remove always true condition reported by smatch in
   chain policy check.

3) Fix element lookup on dynamic sets, from Florian Westphal.

4) Use __u8 in ebtables uapi header, from Masahiro Yamada.

5) Bogus EBUSY when removing flowtable after chain flush,
   from Laura Garcia Liebana.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 864668bfc374dfbf4851ec828b9049e08f9057b1:

  selftests: Add test cases for `ip nexthop flush proto XX` (2019-09-19 18:35:55 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 9b05b6e11d5e93a3a517cadc12b9836e0470c255:

  netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (2019-09-25 11:01:19 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nf_tables: allow lookups in dynamic sets

Laura Garcia Liebana (1):
      netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush

Masahiro Yamada (1):
      netfilter: ebtables: use __u8 instead of uint8_t in uapi header

Pablo Neira Ayuso (2):
      netfilter: nf_tables: add NFT_CHAIN_POLICY_UNSET and use it
      netfilter: nf_tables_offload: fix always true policy is unset check

 include/net/netfilter/nf_tables.h              |  6 ++++++
 include/uapi/linux/netfilter_bridge/ebtables.h |  6 +++---
 net/netfilter/nf_tables_api.c                  | 25 ++++++++++++++++++++++---
 net/netfilter/nf_tables_offload.c              |  2 +-
 net/netfilter/nft_flow_offload.c               | 19 +++++++++++++++++++
 net/netfilter/nft_lookup.c                     |  3 ---
 usr/include/Makefile                           |  1 -
 7 files changed, 51 insertions(+), 11 deletions(-)

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed,  4 Sep 2019 21:36:41 +0200

> The following patchset contains Netfilter fixes for net:
> 
> 1) br_netfilter drops IPv6 packets if ipv6 is disabled, from Leonardo Bras.
> 
> 2) nft_socket hits BUG() due to illegal skb->sk caching, patch from
>    Fernando Fernandez Mancera.
> 
> 3) nft_fib_netdev could be called with ipv6 disabled, leading to crash
>    in the fib lookup, also from Leonardo.
> 
> 4) ctnetlink honors IPS_OFFLOAD flag, just like nf_conntrack sysctl does.
> 
> 5) Properly set up flowtable entry timeout, otherwise immediate
>    removal by garbage collector might occur.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) br_netfilter drops IPv6 packets if ipv6 is disabled, from Leonardo Bras.

2) nft_socket hits BUG() due to illegal skb->sk caching, patch from
   Fernando Fernandez Mancera.

3) nft_fib_netdev could be called with ipv6 disabled, leading to crash
   in the fib lookup, also from Leonardo.

4) ctnetlink honors IPS_OFFLOAD flag, just like nf_conntrack sysctl does.

5) Properly set up flowtable entry timeout, otherwise immediate
   removal by garbage collector might occur.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit e33b4325e60e146c2317a8b548cbd633239ff83b:

  net: stmmac: dwmac-sun8i: Variable "val" in function sun8i_dwmac_set_syscon() could be uninitialized (2019-09-02 11:48:15 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 110e48725db6262f260f10727d0fb2d3d25895e4:

  netfilter: nf_flow_table: set default timeout after successful insertion (2019-09-03 22:55:42 +0200)

----------------------------------------------------------------
Fernando Fernandez Mancera (1):
      netfilter: nft_socket: fix erroneous socket assignment

Leonardo Bras (2):
      netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded
      netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled

Pablo Neira Ayuso (2):
      netfilter: ctnetlink: honor IPS_OFFLOAD flag
      netfilter: nf_flow_table: set default timeout after successful insertion

 net/bridge/br_netfilter_hooks.c      | 4 ++++
 net/netfilter/nf_conntrack_netlink.c | 7 +++++--
 net/netfilter/nf_flow_table_core.c   | 2 +-
 net/netfilter/nft_fib_netdev.c       | 3 +++
 net/netfilter/nft_socket.c           | 6 +++---
 5 files changed, 16 insertions(+), 6 deletions(-)

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 30 Aug 2019 14:06:59 +0200

> The following patchset contains Netfilter fixes for net:
> 
> 1) Spurious warning when loading rules using the physdev match,
>    from Todd Seidelmann.
> 
> 2) Fix FTP conntrack helper debugging output, from Thomas Jarosch.
> 
> 3) Restore per-netns nf_conntrack_{acct,helper,timeout} sysctl knobs,
>    from Florian Westphal.
> 
> 4) Clear skbuff timestamp from the flowtable datapath, also from Florian.
> 
> 5) Fix incorrect byteorder of NFT_META_BRI_IIFVPROTO, from wenxu.

Pulled, thanks.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Spurious warning when loading rules using the physdev match,
   from Todd Seidelmann.

2) Fix FTP conntrack helper debugging output, from Thomas Jarosch.

3) Restore per-netns nf_conntrack_{acct,helper,timeout} sysctl knobs,
   from Florian Westphal.

4) Clear skbuff timestamp from the flowtable datapath, also from Florian.

5) Fix incorrect byteorder of NFT_META_BRI_IIFVPROTO, from wenxu.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit f53a7ad189594a112167efaf17ea8d0242b5ac00:

  r8152: Set memory to all 0xFFs on failed reg reads (2019-08-25 19:52:59 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to daf1de9078792a4d60e36aa7ecf3aadca65277c2:

  netfilter: nft_meta_bridge: Fix get NFT_META_BRI_IIFVPROTO in network byteorder (2019-08-30 02:49:04 +0200)

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: conntrack: make sysctls per-namespace again
      netfilter: nf_flow_table: clear skb tstamp before xmit

Thomas Jarosch (1):
      netfilter: nf_conntrack_ftp: Fix debug output

Todd Seidelmann (1):
      netfilter: xt_physdev: Fix spurious error message in physdev_mt_check

wenxu (1):
      netfilter: nft_meta_bridge: Fix get NFT_META_BRI_IIFVPROTO in network byteorder

 net/bridge/netfilter/nft_meta_bridge.c  | 2 +-
 net/netfilter/nf_conntrack_ftp.c        | 2 +-
 net/netfilter/nf_conntrack_standalone.c | 5 +++++
 net/netfilter/nf_flow_table_ip.c        | 3 ++-
 net/netfilter/xt_physdev.c              | 6 ++----
 5 files changed, 11 insertions(+), 7 deletions(-)

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 19 Aug 2019 20:49:06 +0200

> The following patchset contains Netfilter fixes for net:
> 
> 1) Remove IP MASQUERADING record in MAINTAINERS file,
>    from Denis Efremov.
> 
> 2) Counter arguments are swapped in ebtables, from
>    Todd Seidelmann.
> 
> 3) Missing netlink attribute validation in flow_offload
>    extension.
> 
> 4) Incorrect alignment in xt_nfacct that breaks 32-bits
>    userspace / 64-bits kernels, from Juliana Rodrigueiro.
> 
> 5) Missing include guard in nf_conntrack_h323_types.h,
>    from Masahiro Yamada.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Remove IP MASQUERADING record in MAINTAINERS file,
   from Denis Efremov.

2) Counter arguments are swapped in ebtables, from
   Todd Seidelmann.

3) Missing netlink attribute validation in flow_offload
   extension.

4) Incorrect alignment in xt_nfacct that breaks 32-bits
   userspace / 64-bits kernels, from Juliana Rodrigueiro.

5) Missing include guard in nf_conntrack_h323_types.h,
   from Masahiro Yamada.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit cfef46d692efd852a0da6803f920cc756eea2855:

  ravb: Fix use-after-free ravb_tstamp_skb (2019-08-18 14:19:14 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 38a429c898ddd210cc35463b096389f97c3c5a73:

  netfilter: add include guard to nf_conntrack_h323_types.h (2019-08-19 13:59:57 +0200)

----------------------------------------------------------------
Denis Efremov (1):
      MAINTAINERS: Remove IP MASQUERADING record

Juliana Rodrigueiro (1):
      netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info

Masahiro Yamada (1):
      netfilter: add include guard to nf_conntrack_h323_types.h

Pablo Neira Ayuso (1):
      netfilter: nft_flow_offload: missing netlink attribute policy

Todd Seidelmann (1):
      netfilter: ebtables: Fix argument order to ADD_COUNTER

 MAINTAINERS                                       |  5 ----
 include/linux/netfilter/nf_conntrack_h323_types.h |  5 ++++
 include/uapi/linux/netfilter/xt_nfacct.h          |  5 ++++
 net/bridge/netfilter/ebtables.c                   |  8 ++---
 net/netfilter/nft_flow_offload.c                  |  6 ++++
 net/netfilter/xt_nfacct.c                         | 36 ++++++++++++++++-------
 6 files changed, 45 insertions(+), 20 deletions(-)

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 11 Mar 2019 23:50:30 +0100

> The following patchset contains Netfilter fixes for your net tree:
> 
> 1) Fix list corruption in device notifier in the masquerade
>    infrastructure, from Florian Westphal.
> 
> 2) Fix double-free of sets and use-after-free when deleting elements.
> 
> 3) Don't bogusly return EBUSY when removing a set after flush command.
> 
> 4) Use-after-free in dynamically allocate operations.
> 
> 5) Don't report a new ruleset generation to userspace if transaction
>    list is empty, this invalidates the userspace cache innecessarily.
>    From Florian Westphal.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contains Netfilter fixes for your net tree:

1) Fix list corruption in device notifier in the masquerade
   infrastructure, from Florian Westphal.

2) Fix double-free of sets and use-after-free when deleting elements.

3) Don't bogusly return EBUSY when removing a set after flush command.

4) Use-after-free in dynamically allocate operations.

5) Don't report a new ruleset generation to userspace if transaction
   list is empty, this invalidates the userspace cache innecessarily.
   From Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 1e027960edfaa6a43f9ca31081729b716598112b:

  net/hsr: fix possible crash in add_timer() (2019-03-07 11:02:08 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to b8b27498659c65034032af79842913844a6cc79a:

  netfilter: nf_tables: return immediately on empty commit (2019-03-11 20:01:20 +0100)

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: nat: don't register device notifier twice
      netfilter: nf_tables: return immediately on empty commit

Pablo Neira Ayuso (3):
      netfilter: nf_tables: fix set double-free in abort path
      netfilter: nf_tables: bogus EBUSY when deleting set after flush
      netfilter: nf_tables: use-after-free in dynamic operations

 include/net/netfilter/nf_tables.h | 12 ++++++---
 net/netfilter/nf_nat_masquerade.c | 35 +++++++++++++------------
 net/netfilter/nf_tables_api.c     | 54 +++++++++++++++++++++++++++++++++------
 net/netfilter/nft_dynset.c        | 13 +++++++---
 net/netfilter/nft_lookup.c        | 13 +++++++---
 net/netfilter/nft_objref.c        | 13 +++++++---
 6 files changed, 100 insertions(+), 40 deletions(-)

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 24 Aug 2017 16:43:26 +0200

> The following patchset contains Netfilter fixes for your net tree,
> they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix use after free of struct proc_dir_entry in ipt_CLUSTERIP, patch
   from Sabrina Dubroca.

2) Fix spurious EINVAL errors from iptables over nft compatibility layer.

3) Reload pointer to ip header only if there is non-terminal verdict,
   ie. XT_CONTINUE, otherwise invalid memory access may happen, patch
   from Taehee Yoo.

4) Fix interaction between SYNPROXY and NAT, SYNPROXY adds sequence
   adjustment already, however from nf_nat_setup() assumes there's not.
   Patch from Xin Long.

5) Fix burst arithmetics in nft_limit as Joe Stringer mentioned during
   NFWS in Faro. Patch from Andy Zhou.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks a lot!

----------------------------------------------------------------

The following changes since commit 073dd5ad34b1d3aaadaa7e5e8cbe576d9545f163:

  netfilter: fix netfilter_net_init() return (2017-07-18 14:50:28 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to c26844eda9d4fdbd266660e3b3de2d0270e3a1ed:

  netfilter: nf_tables: Fix nft limit burst handling (2017-08-24 16:23:17 +0200)

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: nft_compat: check extension hook mask only if set

Sabrina Dubroca (1):
      netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry

Taehee Yoo (1):
      netfilter: x_tables: Fix use-after-free in ipt_do_table.

Xin Long (1):
      netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info

andy zhou (1):
      netfilter: nf_tables: Fix nft limit burst handling

 net/ipv4/netfilter/arp_tables.c    | 10 +++++-----
 net/ipv4/netfilter/ip_tables.c     |  9 +++++----
 net/ipv4/netfilter/ipt_CLUSTERIP.c |  4 +++-
 net/netfilter/nf_nat_core.c        |  2 +-
 net/netfilter/nft_compat.c         |  4 ++--
 net/netfilter/nft_limit.c          | 25 ++++++++++++++-----------
 6 files changed, 30 insertions(+), 24 deletions(-)

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Florian Westphal <fw@strlen.de>
Date: Tue, 18 Jul 2017 23:11:57 +0200

> David Miller <davem@davemloft.net> wrote:
>> What about that change Eric Dumazet was talking about with Florian
>> that stopped instantiating conntrack by default in new namespaces?
> 
> Seems more appropriate for -next.  If you prefer net instead, let me know
> and I'll get to work.

Yeah it's more on the -next side, albeit annoying.

Ok, so nevermind :)

Re: [PATCH 0/5] Netfilter fixes for net

[Florian Westphal]

David Miller <davem@davemloft.net> wrote:
> What about that change Eric Dumazet was talking about with Florian
> that stopped instantiating conntrack by default in new namespaces?

Seems more appropriate for -next.  If you prefer net instead, let me know
and I'll get to work.

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 18 Jul 2017 12:13:54 +0200

> The following patchset contains Netfilter fixes for your net tree,
> they are:
> 
> 1) Missing netlink message sanity check in nfnetlink, patch from
>    Mateusz Jurczyk.
> 
> 2) We now have netfilter per-netns hooks, so let's kill global hook
>    infrastructure, this infrastructure is known to be racy with netns.
>    We don't care about out of tree modules. Patch from Florian Westphal.
> 
> 3) find_appropriate_src() is buggy when colissions happens after the
>    conversion of the nat bysource to rhashtable. Also from Florian.
> 
> 4) Remove forward chain in nf_tables arp family, it's useless and it is
>    causing quite a bit of confusion, from Florian Westphal.
> 
> 5) nf_ct_remove_expect() is called with the wrong parameter, causing
>    kernel oops, patch from Florian Westphal.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks a lot.

What about that change Eric Dumazet was talking about with Florian
that stopped instantiating conntrack by default in new namespaces?

Just curious.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Missing netlink message sanity check in nfnetlink, patch from
   Mateusz Jurczyk.

2) We now have netfilter per-netns hooks, so let's kill global hook
   infrastructure, this infrastructure is known to be racy with netns.
   We don't care about out of tree modules. Patch from Florian Westphal.

3) find_appropriate_src() is buggy when colissions happens after the
   conversion of the nat bysource to rhashtable. Also from Florian.

4) Remove forward chain in nf_tables arp family, it's useless and it is
   causing quite a bit of confusion, from Florian Westphal.

5) nf_ct_remove_expect() is called with the wrong parameter, causing
   kernel oops, patch from Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 533da29b584de5ae0e9dafafbe52809f59cb5300:

  Merge branch 'bcmgenet-Fragmented-SKB-corrections' (2017-07-15 21:29:08 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 36ac344e16e04e3e55e8fed7446095a6458c64e6:

  netfilter: expect: fix crash when putting uninited expectation (2017-07-17 17:03:12 +0200)

----------------------------------------------------------------
Florian Westphal (4):
      netfilter: remove old pre-netns era hook api
      netfilter: nat: fix src map lookup
      netfilter: nf_tables: only allow in/output for arp packets
      netfilter: expect: fix crash when putting uninited expectation

Mateusz Jurczyk (1):
      netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv

 include/linux/netfilter.h           |   9 ---
 net/ipv4/netfilter/nf_tables_arp.c  |   3 +-
 net/netfilter/core.c                | 143 ------------------------------------
 net/netfilter/nf_conntrack_expect.c |   2 +-
 net/netfilter/nf_nat_core.c         |  17 +++--
 net/netfilter/nfnetlink.c           |   6 +-
 6 files changed, 14 insertions(+), 166 deletions(-)

Re: [PATCH 0/5] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 10 Aug 2015 19:58:34 +0200

> The following patchset contains five Netfilter fixes for your net tree,
> they are:
> 
> 1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
>    easily hit this warning message, that gets users confused. So let's get rid
>    of it.
> 
> 2) Recently when porting the template object allocation on top of kmalloc to
>    fix the netns dependencies between x_tables and conntrack, the error
>    checks where left unchanged. Remove IS_ERR() and check for NULL instead.
>    Patch from Dan Carpenter.
> 
> 3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
>    Joe Stringer.
> 
> 4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
>    Phil Sutter.
> 
> 5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
>    not adjusted through our NAT infrastructure, as a result the client may
>    ignore this TCP packet and TCP flow hangs until the client probes us.  Also
>    from Phil Sutter.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

[PATCH 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contains five Netfilter fixes for your net tree,
they are:

1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
   easily hit this warning message, that gets users confused. So let's get rid
   of it.

2) Recently when porting the template object allocation on top of kmalloc to
   fix the netns dependencies between x_tables and conntrack, the error
   checks where left unchanged. Remove IS_ERR() and check for NULL instead.
   Patch from Dan Carpenter.

3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
   Joe Stringer.

4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
   Phil Sutter.

5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
   not adjusted through our NAT infrastructure, as a result the client may
   ignore this TCP packet and TCP flow hangs until the client probes us.  Also
   from Phil Sutter.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 15f1bb1f1e067be7088ed43ef23d59629bd24348:

  qlcnic: Fix corruption while copying (2015-07-29 23:57:26 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to 3c16241c445303a90529565e7437e1f240acfef2:

  netfilter: SYNPROXY: fix sending window update to client (2015-08-10 13:55:07 +0200)

----------------------------------------------------------------
Dan Carpenter (1):
      netfilter: nf_conntrack: checking for IS_ERR() instead of NULL

Joe Stringer (1):
      netfilter: conntrack: Use flags in nf_ct_tmpl_alloc()

Pablo Neira Ayuso (1):
      netfilter: nf_conntrack: silence warning on falling back to vmalloc()

Phil Sutter (2):
      netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
      netfilter: SYNPROXY: fix sending window update to client

 net/ipv4/netfilter/ipt_SYNPROXY.c  |    3 ++-
 net/ipv6/netfilter/ip6t_SYNPROXY.c |   19 +++++++++++--------
 net/netfilter/nf_conntrack_core.c  |    8 +++-----
 net/netfilter/nf_synproxy_core.c   |    4 +---
 net/netfilter/xt_CT.c              |    5 +++--
 5 files changed, 20 insertions(+), 19 deletions(-)