* [PATCH 0/2] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2019-10-02 18:53 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Remove the skb_ext_del from nf_reset, and rename it to the more
fitting nf_reset_ct(). Patch from Florian Westphal.
2) Fix deadlock in nft_connlimit between packet path updates and
the garbage collector.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 9cfc370240c31c7f31f445e69190dd15be8e5d7d:
Merge tag 'mac80211-for-davem-2019-10-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 (2019-10-01 09:28:56 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 34a4c95abd25ab41fb390b985a08a651b1fa0b0f:
netfilter: nft_connlimit: disable bh on garbage collection (2019-10-01 18:42:15 +0200)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: drop bridge nf reset from nf_reset
Pablo Neira Ayuso (1):
netfilter: nft_connlimit: disable bh on garbage collection
drivers/net/ppp/pptp.c | 4 ++--
drivers/net/tun.c | 2 +-
drivers/net/virtio_net.c | 2 +-
drivers/net/vrf.c | 8 ++++----
drivers/net/wireless/mac80211_hwsim.c | 4 ++--
drivers/staging/octeon/ethernet-tx.c | 6 ++----
include/linux/skbuff.h | 5 +----
net/batman-adv/soft-interface.c | 2 +-
net/core/skbuff.c | 2 +-
net/dccp/ipv4.c | 2 +-
net/ipv4/ip_input.c | 2 +-
net/ipv4/ipmr.c | 4 ++--
net/ipv4/netfilter/nf_dup_ipv4.c | 2 +-
net/ipv4/raw.c | 2 +-
net/ipv4/tcp_ipv4.c | 2 +-
net/ipv4/udp.c | 4 ++--
net/ipv6/ip6_input.c | 2 +-
net/ipv6/netfilter/nf_dup_ipv6.c | 2 +-
net/ipv6/raw.c | 2 +-
net/l2tp/l2tp_core.c | 2 +-
net/l2tp/l2tp_eth.c | 2 +-
net/l2tp/l2tp_ip.c | 2 +-
net/l2tp/l2tp_ip6.c | 2 +-
net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
net/netfilter/nft_connlimit.c | 7 ++++++-
net/openvswitch/vport-internal_dev.c | 2 +-
net/packet/af_packet.c | 4 ++--
net/sctp/input.c | 2 +-
net/xfrm/xfrm_input.c | 2 +-
net/xfrm/xfrm_interface.c | 2 +-
net/xfrm/xfrm_output.c | 2 +-
net/xfrm/xfrm_policy.c | 2 +-
32 files changed, 46 insertions(+), 46 deletions(-)
* [PATCH 1/2] netfilter: drop bridge nf reset from nf_reset
From: Pablo Neira Ayuso @ 2019-10-02 18:53 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
commit 174e23810cd31
("sk_buff: drop all skb extensions on free and skb scrubbing") made napi
recycle always drop skb extensions. The additional skb_ext_del() that is
performed via nf_reset on napi skb recycle is not needed anymore.
Most nf_reset() calls in the stack are there so queued skb won't block
'rmmod nf_conntrack' indefinitely.
This removes the skb_ext_del from nf_reset, and renames it to a more
fitting nf_reset_ct().
In a few selected places, add a call to skb_ext_reset to make sure that
no active extensions remain.
I am submitting this for "net", because we're still early in the release
cycle. The patch applies to net-next too, but I think the rename causes
needless divergence between those trees.
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
drivers/net/ppp/pptp.c | 4 ++--
drivers/net/tun.c | 2 +-
drivers/net/virtio_net.c | 2 +-
drivers/net/vrf.c | 8 ++++----
drivers/net/wireless/mac80211_hwsim.c | 4 ++--
drivers/staging/octeon/ethernet-tx.c | 6 ++----
include/linux/skbuff.h | 5 +----
net/batman-adv/soft-interface.c | 2 +-
net/core/skbuff.c | 2 +-
net/dccp/ipv4.c | 2 +-
net/ipv4/ip_input.c | 2 +-
net/ipv4/ipmr.c | 4 ++--
net/ipv4/netfilter/nf_dup_ipv4.c | 2 +-
net/ipv4/raw.c | 2 +-
net/ipv4/tcp_ipv4.c | 2 +-
net/ipv4/udp.c | 4 ++--
net/ipv6/ip6_input.c | 2 +-
net/ipv6/netfilter/nf_dup_ipv6.c | 2 +-
net/ipv6/raw.c | 2 +-
net/l2tp/l2tp_core.c | 2 +-
net/l2tp/l2tp_eth.c | 2 +-
net/l2tp/l2tp_ip.c | 2 +-
net/l2tp/l2tp_ip6.c | 2 +-
net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
net/openvswitch/vport-internal_dev.c | 2 +-
net/packet/af_packet.c | 4 ++--
net/sctp/input.c | 2 +-
net/xfrm/xfrm_input.c | 2 +-
net/xfrm/xfrm_interface.c | 2 +-
net/xfrm/xfrm_output.c | 2 +-
net/xfrm/xfrm_policy.c | 2 +-
31 files changed, 40 insertions(+), 45 deletions(-)
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index 734de7de03f7..e1fabb3e3246 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -238,7 +238,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
skb_dst_drop(skb);
skb_dst_set(skb, &rt->dst);
- nf_reset(skb);
+ nf_reset_ct(skb);
skb->ip_summed = CHECKSUM_NONE;
ip_select_ident(net, skb, NULL);
@@ -358,7 +358,7 @@ static int pptp_rcv(struct sk_buff *skb)
po = lookup_chan(htons(header->call_id), iph->saddr);
if (po) {
skb_dst_drop(skb);
- nf_reset(skb);
+ nf_reset_ct(skb);
return sk_receive_skb(sk_pppox(po), skb, 0);
}
drop:
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index aab0be40d443..812dc3a65efb 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1104,7 +1104,7 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev)
*/
skb_orphan(skb);
- nf_reset(skb);
+ nf_reset_ct(skb);
if (ptr_ring_produce(&tfile->tx_ring, skb))
goto drop;
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index ba98e0971b84..5a635f028bdc 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -1585,7 +1585,7 @@ static netdev_tx_t start_xmit(struct sk_buff *skb, struct net_device *dev)
/* Don't wait up for transmitted skbs to be freed. */
if (!use_napi) {
skb_orphan(skb);
- nf_reset(skb);
+ nf_reset_ct(skb);
}
/* If running out of space, stop queue to avoid getting packets that we
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index a4b38a980c3c..ee52bde058df 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -366,7 +366,7 @@ static int vrf_finish_output6(struct net *net, struct sock *sk,
struct neighbour *neigh;
int ret;
- nf_reset(skb);
+ nf_reset_ct(skb);
skb->protocol = htons(ETH_P_IPV6);
skb->dev = dev;
@@ -459,7 +459,7 @@ static struct sk_buff *vrf_ip6_out_direct(struct net_device *vrf_dev,
/* reset skb device */
if (likely(err == 1))
- nf_reset(skb);
+ nf_reset_ct(skb);
else
skb = NULL;
@@ -560,7 +560,7 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
bool is_v6gw = false;
int ret = -EINVAL;
- nf_reset(skb);
+ nf_reset_ct(skb);
/* Be paranoid, rather than too clever. */
if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) {
@@ -670,7 +670,7 @@ static struct sk_buff *vrf_ip_out_direct(struct net_device *vrf_dev,
/* reset skb device */
if (likely(err == 1))
- nf_reset(skb);
+ nf_reset_ct(skb);
else
skb = NULL;
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 635956024e88..45c73a6f09a1 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1261,8 +1261,8 @@ static bool mac80211_hwsim_tx_frame_no_nl(struct ieee80211_hw *hw,
skb_orphan(skb);
skb_dst_drop(skb);
skb->mark = 0;
- secpath_reset(skb);
- nf_reset(skb);
+ skb_ext_reset(skb);
+ nf_reset_ct(skb);
/*
* Get absolute mactime here so all HWs RX at the "same time", and
diff --git a/drivers/staging/octeon/ethernet-tx.c b/drivers/staging/octeon/ethernet-tx.c
index c64728fc21f2..a62057555d1b 100644
--- a/drivers/staging/octeon/ethernet-tx.c
+++ b/drivers/staging/octeon/ethernet-tx.c
@@ -349,10 +349,8 @@ int cvm_oct_xmit(struct sk_buff *skb, struct net_device *dev)
*/
dst_release(skb_dst(skb));
skb_dst_set(skb, NULL);
-#ifdef CONFIG_XFRM
- secpath_reset(skb);
-#endif
- nf_reset(skb);
+ skb_ext_reset(skb);
+ nf_reset_ct(skb);
#ifdef CONFIG_NET_SCHED
skb->tc_index = 0;
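Review bot: dropping the `#ifdef CONFIG_XFRM` guard around the reset is correct here, because skb_ext_reset() is declared unconditionally (the skbuff.h hunk in this patch shows the inline stubs under `#endif /* CONFIG_SKB_EXTENSIONS */`), and it clears the secpath together with every other extension, so the new line is a superset of the old secpath_reset(). A one-line comment that this call now also covers the bridge-nf extension that nf_reset() used to drop would save the next reader a trip to the header to see why nf_reset_ct() alone is no longer enough on this transmit path.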
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index e7d3b1a513ef..4351577b14d7 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4160,15 +4160,12 @@ static inline void __skb_ext_copy(struct sk_buff *d, const struct sk_buff *s) {}
static inline void skb_ext_copy(struct sk_buff *dst, const struct sk_buff *s) {}
#endif /* CONFIG_SKB_EXTENSIONS */
-static inline void nf_reset(struct sk_buff *skb)
+static inline void nf_reset_ct(struct sk_buff *skb)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
nf_conntrack_put(skb_nfct(skb));
skb->_nfct = 0;
#endif
-#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
- skb_ext_del(skb, SKB_EXT_BRIDGE_NF);
-#endif
}
static inline void nf_reset_trace(struct sk_buff *skb)
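Review bot: the `#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)` guard left in nf_reset_ct() is the same condition the removed bridge block spelled as `IS_ENABLED(...)`; since the function is being rewritten anyway, `#if IS_ENABLED(CONFIG_NF_CONNTRACK)` would match the removed lines and the nf_dup_ipv4/nf_dup_ipv6 callers later in this patch. The more important point for anyone auditing callers: after this hunk nf_reset_ct() only releases the conntrack reference and zeroes skb->_nfct, so a site that relied on nf_reset() to strip SKB_EXT_BRIDGE_NF when a packet crosses a device or namespace boundary must now pair it with skb_ext_reset() (as the hwsim, octeon and skb_scrub_packet hunks do) or accept that the bridge-nf extension stays attached until the skb is freed or NAPI-recycled. Removing nf_reset() without an alias also means any out-of-tree caller fails to build rather than silently keeping the old semantics, which is worth a sentence in the commit message.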
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index a1146cb10919..9cbed6f5a85a 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -436,7 +436,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
/* clean the netfilter state now that the batman-adv header has been
* removed
*/
- nf_reset(skb);
+ nf_reset_ct(skb);
if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
goto dropped;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 01d65206f4fb..529133611ea2 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5120,7 +5120,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
skb->ignore_df = 0;
skb_dst_drop(skb);
skb_ext_reset(skb);
- nf_reset(skb);
+ nf_reset_ct(skb);
nf_reset_trace(skb);
#ifdef CONFIG_NET_SWITCHDEV
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index b685bc82f8d0..d9b4200ed12d 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -871,7 +871,7 @@ static int dccp_v4_rcv(struct sk_buff *skb)
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_and_relse;
- nf_reset(skb);
+ nf_reset_ct(skb);
return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4, refcounted);
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 1e2392b7c64e..c59a78a267c3 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -199,7 +199,7 @@ void ip_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int protocol)
kfree_skb(skb);
return;
}
- nf_reset(skb);
+ nf_reset_ct(skb);
}
ret = INDIRECT_CALL_2(ipprot->handler, tcp_v4_rcv, udp_rcv,
skb);
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 313470f6bb14..716d5472c022 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1794,7 +1794,7 @@ static void ip_encap(struct net *net, struct sk_buff *skb,
ip_send_check(iph);
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
- nf_reset(skb);
+ nf_reset_ct(skb);
}
static inline int ipmr_forward_finish(struct net *net, struct sock *sk,
@@ -2140,7 +2140,7 @@ int ip_mr_input(struct sk_buff *skb)
mroute_sk = rcu_dereference(mrt->mroute_sk);
if (mroute_sk) {
- nf_reset(skb);
+ nf_reset_ct(skb);
raw_rcv(mroute_sk, skb);
return 0;
}
diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c
index af3fbf76dbd3..6cc5743c553a 100644
--- a/net/ipv4/netfilter/nf_dup_ipv4.c
+++ b/net/ipv4/netfilter/nf_dup_ipv4.c
@@ -65,7 +65,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* Avoid counting cloned packets towards the original connection. */
- nf_reset(skb);
+ nf_reset_ct(skb);
nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
#endif
/*
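Review bot: nf_reset_ct() releases the original conntrack reference and clears skb->_nfct, but it is the following `nf_ct_set(skb, NULL, IP_CT_UNTRACKED);` that stops the clone from being picked up by conntrack again, so the two calls are still required in this order; the comment on the line above should stay with them so a later cleanup does not assume the reset alone is sufficient.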
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 80da5a66d5d7..3183413ebc6c 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -332,7 +332,7 @@ int raw_rcv(struct sock *sk, struct sk_buff *skb)
kfree_skb(skb);
return NET_RX_DROP;
}
- nf_reset(skb);
+ nf_reset_ct(skb);
skb_push(skb, skb->data - skb_network_header(skb));
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 2ee45e3755e9..bf124b1742df 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1916,7 +1916,7 @@ int tcp_v4_rcv(struct sk_buff *skb)
if (tcp_v4_inbound_md5_hash(sk, skb))
goto discard_and_relse;
- nf_reset(skb);
+ nf_reset_ct(skb);
if (tcp_filter(sk, skb))
goto discard_and_relse;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index cf755156a684..e8443cc5c1ab 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1969,7 +1969,7 @@ static int udp_queue_rcv_one_skb(struct sock *sk, struct sk_buff *skb)
*/
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
goto drop;
- nf_reset(skb);
+ nf_reset_ct(skb);
if (static_branch_unlikely(&udp_encap_needed_key) && up->encap_type) {
int (*encap_rcv)(struct sock *sk, struct sk_buff *skb);
@@ -2298,7 +2298,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
goto drop;
- nf_reset(skb);
+ nf_reset_ct(skb);
/* No socket. Drop packet silently, if checksum is wrong */
if (udp_lib_checksum_complete(skb))
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index d432d0011c16..7e5df23cbe7b 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -371,7 +371,7 @@ void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr,
/* Free reference early: we don't need it any more,
and it may hold ip_conntrack module loaded
indefinitely. */
- nf_reset(skb);
+ nf_reset_ct(skb);
skb_postpull_rcsum(skb, skb_network_header(skb),
skb_network_header_len(skb));
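Review bot: the comment above the changed line still says the reference "may hold ip_conntrack module loaded indefinitely"; the module has been nf_conntrack for a long time, and since this line is being rewritten for the rename, refreshing the comment to name nf_conntrack (the very reason the commit message gives for most of these calls) would keep it accurate.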
diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c
index e6c9da9866b1..a0a2de30be3e 100644
--- a/net/ipv6/netfilter/nf_dup_ipv6.c
+++ b/net/ipv6/netfilter/nf_dup_ipv6.c
@@ -54,7 +54,7 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
return;
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
- nf_reset(skb);
+ nf_reset_ct(skb);
nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
#endif
if (hooknum == NF_INET_PRE_ROUTING ||
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 6e1888ee4036..a77f6b7d3a7c 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -215,7 +215,7 @@ static bool ipv6_raw_deliver(struct sk_buff *skb, int nexthdr)
/* Not releasing hash table! */
if (clone) {
- nf_reset(clone);
+ nf_reset_ct(clone);
rawv6_rcv(sk, clone);
}
}
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 105e5a7092e7..f82ea12bac37 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1078,7 +1078,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
IPSKB_REROUTED);
- nf_reset(skb);
+ nf_reset_ct(skb);
bh_lock_sock(sk);
if (sock_owned_by_user(sk)) {
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index bd3f39349d40..fd5ac2788e45 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -151,7 +151,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
skb->ip_summed = CHECKSUM_NONE;
skb_dst_drop(skb);
- nf_reset(skb);
+ nf_reset_ct(skb);
rcu_read_lock();
dev = rcu_dereference(spriv->dev);
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 622833317dcb..0d7c887a2b75 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -193,7 +193,7 @@ static int l2tp_ip_recv(struct sk_buff *skb)
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_put;
- nf_reset(skb);
+ nf_reset_ct(skb);
return sk_receive_skb(sk, skb, 1);
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 687e23a8b326..802f19aba7e3 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -206,7 +206,7 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_put;
- nf_reset(skb);
+ nf_reset_ct(skb);
return sk_receive_skb(sk, skb, 1);
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 9c464d24beec..888d3068a492 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -613,7 +613,7 @@ static inline int ip_vs_tunnel_xmit_prepare(struct sk_buff *skb,
if (unlikely(cp->flags & IP_VS_CONN_F_NFCT))
ret = ip_vs_confirm_conntrack(skb);
if (ret == NF_ACCEPT) {
- nf_reset(skb);
+ nf_reset_ct(skb);
skb_forward_csum(skb);
}
return ret;
diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
index d2437b5b2f6a..21c90d3a7ebf 100644
--- a/net/openvswitch/vport-internal_dev.c
+++ b/net/openvswitch/vport-internal_dev.c
@@ -237,7 +237,7 @@ static netdev_tx_t internal_dev_recv(struct sk_buff *skb)
}
skb_dst_drop(skb);
- nf_reset(skb);
+ nf_reset_ct(skb);
secpath_reset(skb);
skb->pkt_type = PACKET_HOST;
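Review bot: unlike the hwsim and octeon hunks, this site keeps `secpath_reset(skb);` next to the renamed call instead of switching to skb_ext_reset(), so a packet handed to the internal device now retains SKB_EXT_BRIDGE_NF where the old nf_reset() would have dropped it. If bridge-nf state has no use past this point, replacing `secpath_reset(skb);` with `skb_ext_reset(skb);` (keeping nf_reset_ct() for the conntrack reference) restores the previous behaviour and covers every extension type in one call.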
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index e2742b006d25..82a50e850245 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1821,7 +1821,7 @@ static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev,
skb_dst_drop(skb);
/* drop conntrack reference */
- nf_reset(skb);
+ nf_reset_ct(skb);
spkt = &PACKET_SKB_CB(skb)->sa.pkt;
@@ -2121,7 +2121,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
skb_dst_drop(skb);
/* drop conntrack reference */
- nf_reset(skb);
+ nf_reset_ct(skb);
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_packets++;
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 1008cdc44dd6..5a070fb5b278 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -201,7 +201,7 @@ int sctp_rcv(struct sk_buff *skb)
if (!xfrm_policy_check(sk, XFRM_POLICY_IN, skb, family))
goto discard_release;
- nf_reset(skb);
+ nf_reset_ct(skb);
if (sk_filter(sk, skb))
goto discard_release;
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 6088bc2dc11e..9b599ed66d97 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -706,7 +706,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
if (err)
goto drop;
- nf_reset(skb);
+ nf_reset_ct(skb);
if (decaps) {
sp = skb_sec_path(skb);
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 2ab4859df55a..0f5131bc3342 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -185,7 +185,7 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
skb->skb_iif = 0;
skb->ignore_df = 0;
skb_dst_drop(skb);
- nf_reset(skb);
+ nf_reset_ct(skb);
nf_reset_trace(skb);
if (!xnet)
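Review bot: xfrmi_scrub_packet() has no skb_ext_reset() beside nf_reset_ct(), whereas skb_scrub_packet() in the net/core/skbuff.c hunk calls skb_ext_reset() immediately before it, so after this change the bridge-nf extension survives an xfrmi scrub while the conntrack reference does not. If keeping the other extensions here is deliberate, a short comment saying so would help; otherwise an explicit `skb_ext_del(skb, SKB_EXT_BRIDGE_NF);` keeps the old semantics without discarding the secpath.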
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 9499b35feb92..b1db55b50ba1 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -502,7 +502,7 @@ int xfrm_output_resume(struct sk_buff *skb, int err)
struct net *net = xs_net(skb_dst(skb)->xfrm);
while (likely((err = xfrm_output_one(skb, err)) == 0)) {
- nf_reset(skb);
+ nf_reset_ct(skb);
err = skb_dst(skb)->ops->local_out(net, skb->sk, skb);
if (unlikely(err != 1))
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 21e939235b39..f2d1e573ea55 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2808,7 +2808,7 @@ static void xfrm_policy_queue_process(struct timer_list *t)
continue;
}
- nf_reset(skb);
+ nf_reset_ct(skb);
skb_dst_drop(skb);
skb_dst_set(skb, dst);
--
2.11.0
* [PATCH 2/2] netfilter: nft_connlimit: disable bh on garbage collection
From: Pablo Neira Ayuso @ 2019-10-02 18:53 UTC
To: netfilter-devel; +Cc: davem, netdev
BH must be disabled when invoking nf_conncount_gc_list() to perform
garbage collection, otherwise deadlock might happen.
nf_conncount_add+0x1f/0x50 [nf_conncount]
nft_connlimit_eval+0x4c/0xe0 [nft_connlimit]
nft_dynset_eval+0xb5/0x100 [nf_tables]
nft_do_chain+0xea/0x420 [nf_tables]
? sch_direct_xmit+0x111/0x360
? noqueue_init+0x10/0x10
? __qdisc_run+0x84/0x510
? tcp_packet+0x655/0x1610 [nf_conntrack]
? ip_finish_output2+0x1a7/0x430
? tcp_error+0x130/0x150 [nf_conntrack]
? nf_conntrack_in+0x1fc/0x4c0 [nf_conntrack]
nft_do_chain_ipv4+0x66/0x80 [nf_tables]
nf_hook_slow+0x44/0xc0
ip_rcv+0xb5/0xd0
? ip_rcv_finish_core.isra.19+0x360/0x360
__netif_receive_skb_one_core+0x52/0x70
netif_receive_skb_internal+0x34/0xe0
napi_gro_receive+0xba/0xe0
e1000_clean_rx_irq+0x1e9/0x420 [e1000e]
e1000e_poll+0xbe/0x290 [e1000e]
net_rx_action+0x149/0x3b0
__do_softirq+0xde/0x2d8
irq_exit+0xba/0xc0
do_IRQ+0x85/0xd0
common_interrupt+0xf/0xf
</IRQ>
RIP: 0010:nf_conncount_gc_list+0x3b/0x130 [nf_conncount]
Fixes: 2f971a8f4255 ("netfilter: nf_conncount: move all list iterations under spinlock")
Reported-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_connlimit.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index af1497ab9464..69d6173f91e2 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -218,8 +218,13 @@ static void nft_connlimit_destroy_clone(const struct nft_ctx *ctx,
static bool nft_connlimit_gc(struct net *net, const struct nft_expr *expr)
{
struct nft_connlimit *priv = nft_expr_priv(expr);
+ bool ret;
- return nf_conncount_gc_list(net, &priv->list);
+ local_bh_disable();
+ ret = nf_conncount_gc_list(net, &priv->list);
+ local_bh_enable();
+
+ return ret;
}
static struct nft_expr_type nft_connlimit_type;
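Review bot: wrapping only this caller in local_bh_disable()/local_bh_enable() resolves the reported inversion, but the lock that nf_conncount_gc_list() takes is still acquired with BH enabled from any other caller, so the same softirq deadlock (packet path entering nf_conncount_add() from net_rx_action while the garbage collector holds the list lock, as in the trace) can recur elsewhere. The more robust fix is to take the list lock with the _bh variant inside nf_conncount itself, which is also where the Fixes: commit moved the iterations under the spinlock; failing that, document at nf_conncount_gc_list() that callers must run with BH disabled. In either case a one-line comment above `local_bh_disable();` explaining that the packet path updates the same list from softirq context would make the reason obvious to the next reader.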
--
2.11.0
* Re: [PATCH 0/2] Netfilter fixes for net
From: David Miller @ 2019-10-02 20:23 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 2 Oct 2019 20:53:43 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Remove the skb_ext_del from nf_reset, and rename it to the more
> fitting nf_reset_ct(). Patch from Florian Westphal.
>
> 2) Fix deadlock in nft_connlimit between packet path updates and
> the garbage collector.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/2] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2020-07-04 0:13 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Use kvfree() to release vmalloc()'ed areas in ipset, from Eric Dumazet.
2) UAF in nfnetlink_queue from the nf_conntrack_update() path.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 33c568ba49e2b0ff7c3daead5d9427be797a4c43:
Merge tag 'mac80211-for-net-2020-06-29' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 (2020-06-29 16:58:30 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3:
netfilter: conntrack: refetch conntrack after nf_conntrack_update() (2020-07-03 14:47:03 +0200)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: ipset: call ip_set_free() instead of kfree()
Pablo Neira Ayuso (1):
netfilter: conntrack: refetch conntrack after nf_conntrack_update()
net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +-
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
net/netfilter/ipset/ip_set_bitmap_port.c | 2 +-
net/netfilter/ipset/ip_set_hash_gen.h | 4 ++--
net/netfilter/nf_conntrack_core.c | 2 ++
5 files changed, 7 insertions(+), 5 deletions(-)
* Re: [PATCH 0/2] Netfilter fixes for net
From: David Miller @ 2020-07-05 0:47 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 4 Jul 2020 02:13:57 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Use kvfree() to release vmalloc()'ed areas in ipset, from Eric Dumazet.
>
> 2) UAF in nfnetlink_queue from the nf_conntrack_update() path.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/2] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2020-04-29 21:48 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for net:
1) Do not update the UDP checksum when it's zero, from Guillaume Nault.
2) Fix return of local variable in nf_osf, from Arnd Bergmann.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 52a90612fa6108d20cffd3cf6a2c228e2f3619f7:
net: remove obsolete comment (2020-04-25 20:49:32 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to c165d57b552aaca607fa5daf3fb524a6efe3c5a3:
netfilter: nf_osf: avoid passing pointer to local var (2020-04-29 21:17:57 +0200)
----------------------------------------------------------------
Arnd Bergmann (1):
netfilter: nf_osf: avoid passing pointer to local var
Guillaume Nault (1):
netfilter: nat: never update the UDP checksum when it's 0
net/netfilter/nf_nat_proto.c | 4 +---
net/netfilter/nfnetlink_osf.c | 12 +++++++-----
2 files changed, 8 insertions(+), 8 deletions(-)
* Re: [PATCH 0/2] Netfilter fixes for net
From: David Miller @ 2020-05-01 1:07 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 29 Apr 2020 23:48:09 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Do not update the UDP checksum when it's zero, from Guillaume Nault.
>
> 2) Fix return of local variable in nf_osf, from Arnd Bergmann.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/2] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2020-04-21 10:37 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) flow_block_cb memleak in nf_flow_table_offload_del_cb(), from Roi Dayan.
2) Fix error path handling in nf_nat_inet_register_fn(), from Hillf Danton.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 82f35276c64ff720de11fba31fd6369b45647a2e:
Merge tag 'wireless-drivers-2020-04-14' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers (2020-04-14 13:07:19 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to b4faef1739dd1f3b3981b8bf173a2266ea86b1eb:
netfilter: nat: fix error handling upon registering inet hook (2020-04-19 14:59:31 +0200)
----------------------------------------------------------------
Hillf Danton (1):
netfilter: nat: fix error handling upon registering inet hook
Roi Dayan (1):
netfilter: flowtable: Free block_cb when being deleted
net/netfilter/nf_flow_table_core.c | 6 ++++--
net/netfilter/nf_nat_proto.c | 4 ++--
2 files changed, 6 insertions(+), 4 deletions(-)
* Re: [PATCH 0/2] Netfilter fixes for net
From: David Miller @ 2020-04-21 18:50 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 21 Apr 2020 12:37:57 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) flow_block_cb memleak in nf_flow_table_offload_del_cb(), from Roi Dayan.
>
> 2) Fix error path handling in nf_nat_inet_register_fn(), from Hillf Danton.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/2] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2019-02-11 16:53 UTC
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for net:
1) Out-of-bound access to packet data from the snmp nat helper,
from Jann Horn.
2) ICMP(v6) error packets are set as related traffic by conntrack;
update the protocol number before calling nf_nat_ipv4_manip_pkt()
so that it uses ICMP(v6) rather than the original protocol number,
from Florian Westphal.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 31b58ad0c3279817cd246eab27eaf53b626dfcde:
Merge branch 'r8169-revert-two-commits-due-to-a-regression' (2019-02-10 12:54:49 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 8303b7e8f018724a2cd7752eb29c2801fa8c4067:
netfilter: nat: fix spurious connection timeouts (2019-02-11 17:43:17 +0100)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nat: fix spurious connection timeouts
Jann Horn (1):
netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 1 +
net/ipv4/netfilter/nf_nat_snmp_basic_main.c | 7 ++++++-
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 1 +
3 files changed, 8 insertions(+), 1 deletion(-)
* Re: [PATCH 0/2] Netfilter fixes for net
From: David Miller @ 2019-02-11 18:43 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 11 Feb 2019 17:53:17 +0100
> The following patchset contains Netfilter fixes for net:
>
> 1) Out-of-bound access to packet data from the snmp nat helper,
> from Jann Horn.
>
> 2) ICMP(v6) error packets are set as related traffic by conntrack,
> update protocol number before calling nf_nat_ipv4_manip_pkt()
> to use ICMP(v6) rather than the original protocol number,
> from Florian Westphal.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/2] Netfilter fixes for net
@ 2017-11-01 18:48 Pablo Neira Ayuso
2017-11-02 7:53 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2017-11-01 18:48 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains two one-liner fixes for your net tree,
they are:
1) Disable fast hash operations for 2-byte length keys, which is leading
to incorrect lookups in nf_tables, from Anatole Denis.
2) Reload the pointer to the IPv4 header after ip_route_me_harder(), given this may
result in use-after-free due to skbuff header reallocation, patch
from Tejaswi Tanikella.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 28e33f9d78eefe98ea86673ab31e988b37a9a738:
bpf: disallow arithmetic operations on context pointer (2017-10-18 13:21:13 +0100)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 7400bb4b5800831581a82f71700af6a5e815c3c8:
netfilter: nf_reject_ipv4: Fix use-after-free in send_reset (2017-11-01 12:15:29 +0100)
----------------------------------------------------------------
Anatole Denis (1):
netfilter: nft_set_hash: disable fast_ops for 2-len keys
Tejaswi Tanikella (1):
netfilter: nf_reject_ipv4: Fix use-after-free in send_reset
net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
net/netfilter/nft_set_hash.c | 1 -
2 files changed, 2 insertions(+), 1 deletion(-)
* Re: [PATCH 0/2] Netfilter fixes for net
2017-11-01 18:48 Pablo Neira Ayuso
@ 2017-11-02 7:53 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2017-11-02 7:53 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 1 Nov 2017 19:48:10 +0100
> The following patchset contains two one-liner fixes for your net tree,
> they are:
>
> 1) Disable fast hash operations for 2-byte length keys, which is leading
> to incorrect lookups in nf_tables, from Anatole Denis.
>
> 2) Reload the pointer to the IPv4 header after ip_route_me_harder(), given this may
> result in use-after-free due to skbuff header reallocation, patch
> from Tejaswi Tanikella.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot Pablo.
* [PATCH 0/2] Netfilter fixes for net
@ 2017-09-20 10:49 Pablo Neira Ayuso
2017-09-20 23:08 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2017-09-20 10:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains two Netfilter fixes for your net tree,
they are:
1) Fix NAT compilation with UP, from Geert Uytterhoeven.
2) Fix incorrect number of entries when dumping a set, from
Vishwanath Pai.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 2bd6bf03f4c1c59381d62c61d03f6cc3fe71f66e:
Linux 4.14-rc1 (2017-09-16 15:47:51 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 7f4f7dd4417d9efd038b14d39c70170db2e0baa0:
netfilter: ipset: ipset list may return wrong member count for set with timeout (2017-09-18 17:35:32 +0200)
----------------------------------------------------------------
Geert Uytterhoeven (1):
netfilter: nat: Do not use ARRAY_SIZE() on spinlocks to fix zero div
Vishwanath Pai (1):
netfilter: ipset: ipset list may return wrong member count for set with timeout
net/netfilter/ipset/ip_set_hash_gen.h | 14 +++++++++++++-
net/netfilter/nf_nat_core.c | 12 ++++++------
2 files changed, 19 insertions(+), 7 deletions(-)
* Re: [PATCH 0/2] Netfilter fixes for net
2017-09-20 10:49 Pablo Neira Ayuso
@ 2017-09-20 23:08 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2017-09-20 23:08 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 20 Sep 2017 12:49:01 +0200
> The following patchset contains two Netfilter fixes for your net tree,
> they are:
>
> 1) Fix NAT compilation with UP, from Geert Uytterhoeven.
>
> 2) Fix incorrect number of entries when dumping a set, from
> Vishwanath Pai.
Pulled, thanks Pablo.
* [PATCH 0/2] Netfilter fixes for net
@ 2017-07-06 12:54 Pablo Neira Ayuso
2017-07-06 13:03 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-06 12:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains two Netfilter fixes for your net tree,
they are:
1) Fix memleak from netns release path of conntrack protocol trackers,
patch from Liping Zhang.
2) Uninitialized flags field in ebt_log, that results in unpredictable
logging format in ebtables, also from Liping.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks a lot!
----------------------------------------------------------------
The following changes since commit e20bd60bf62a2448be873653c7febca1d4d73afc:
net: usb: asix88179_178a: Add support for the Belkin B2B128 (2017-06-27 15:46:07 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 91af6ba7ff16bd7e5919aedfe70aad73a3375619:
netfilter: ebt_nflog: fix unexpected truncated packet (2017-06-29 18:47:02 +0200)
----------------------------------------------------------------
Liping Zhang (2):
netfilter: nf_ct_dccp/sctp: fix memory leak after netns cleanup
netfilter: ebt_nflog: fix unexpected truncated packet
net/bridge/netfilter/ebt_nflog.c | 1 +
net/netfilter/nf_conntrack_proto_dccp.c | 7 +++++++
net/netfilter/nf_conntrack_proto_sctp.c | 7 +++++++
3 files changed, 15 insertions(+)
* Re: [PATCH 0/2] Netfilter fixes for net
2017-07-06 12:54 Pablo Neira Ayuso
@ 2017-07-06 13:03 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2017-07-06 13:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 6 Jul 2017 14:54:23 +0200
> The following patchset contains two Netfilter fixes for your net tree,
> they are:
>
> 1) Fix memleak from netns release path of conntrack protocol trackers,
> patch from Liping Zhang.
>
> 2) Uninitialized flags field in ebt_log, that results in unpredictable
> logging format in ebtables, also from Liping.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
>
> Thanks a lot!
My name is David, and how do you do?
Pulled, thanks Pablo.
* [PATCH 0/2] Netfilter fixes for net
@ 2015-12-22 17:53 Pablo Neira Ayuso
2015-12-22 19:55 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains two netfilter fixes:
1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
attribute, from Florian Westphal.
2) Another oneliner for nf_tables to use skb->protocol from the new
netdev family, we can't assume ethernet there.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 73796d8bf27372e26c2b79881947304c14c2d353:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2015-12-17 14:05:22 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to d5f79b6e4d169039903cc869e16e59ad861dd479:
netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key (2015-12-18 14:45:45 +0100)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key
Pablo Neira Ayuso (1):
netfilter: nf_tables: use skb->protocol instead of assuming ethernet header
net/netfilter/nf_tables_netdev.c | 2 +-
net/netfilter/nft_ct.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
* Re: [PATCH 0/2] Netfilter fixes for net
2015-12-22 17:53 Pablo Neira Ayuso
@ 2015-12-22 19:55 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2015-12-22 19:55 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 22 Dec 2015 18:53:15 +0100
> The following patchset contains two netfilter fixes:
>
> 1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
> attribute, from Florian Westphal.
>
> 2) Another oneliner for nf_tables to use skb->protocol from the new
> netdev family, we can't assume ethernet there.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/2] Netfilter fixes for net
@ 2015-04-27 18:41 Pablo Neira Ayuso
2015-04-28 3:13 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2015-04-27 18:41 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix a crash in nf_tables when dictionaries are used from the ruleset,
due to memory corruption, from Florian Westphal.
2) Fix another crash in nf_queue when used with br_netfilter. Also from
Florian.
Both fixes are related to new stuff that got in 4.0-rc.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit b357a364c57c940ddb932224542494363df37378:
inet: fix possible panic in reqsk_queue_unlink() (2015-04-24 11:39:15 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 547c4b547e07dcc60874b6ef6252dd49ff74aec1:
netfilter: bridge: fix NULL deref in physin/out ifindex helpers (2015-04-24 20:51:40 +0200)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: nf_tables: fix wrong length for jump/goto verdicts
netfilter: bridge: fix NULL deref in physin/out ifindex helpers
include/linux/netfilter_bridge.h | 16 ++++++++++++++--
net/netfilter/nf_tables_api.c | 3 +--
2 files changed, 15 insertions(+), 4 deletions(-)
* Re: [PATCH 0/2] Netfilter fixes for net
2015-04-27 18:41 Pablo Neira Ayuso
@ 2015-04-28 3:13 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2015-04-28 3:13 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 27 Apr 2015 20:41:55 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are:
>
> 1) Fix a crash in nf_tables when dictionaries are used from the ruleset,
> due to memory corruption, from Florian Westphal.
>
> 2) Fix another crash in nf_queue when used with br_netfilter. Also from
> Florian.
>
> Both fixes are related to new stuff that got in 4.0-rc.
Pulled, thanks Pablo.
* [PATCH 0/2] Netfilter fixes for net
@ 2014-11-20 12:30 Pablo Neira Ayuso
2014-11-21 5:12 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2014-11-20 12:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains two bugfixes for your net tree, they are:
1) Validate netlink group from nfnetlink to avoid an out-of-bounds array
access. This should only happen with superuser privileges though.
Discovered by Andrey Ryabinin using trinity.
2) Don't push ethernet header before calling the netfilter output hook
for multicast traffic, this breaks ebtables since it expects to see
skb->data pointing to the network header, patch from Linus Luessing.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit feb91a02ccb09661507f170b2a444aec94f307f9:
ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs (2014-11-16 16:55:06 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to f0b4eeced518c632210ef2aea44fc92cc9e86cce:
bridge: fix netfilter/NF_BR_LOCAL_OUT for own, locally generated queries (2014-11-17 12:38:02 +0100)
----------------------------------------------------------------
Linus Lüssing (1):
bridge: fix netfilter/NF_BR_LOCAL_OUT for own, locally generated queries
Pablo Neira Ayuso (1):
netfilter: nfnetlink: fix insufficient validation in nfnetlink_bind
net/bridge/br_multicast.c | 3 +--
net/netfilter/nfnetlink.c | 12 +++++++++++-
2 files changed, 12 insertions(+), 3 deletions(-)
* Re: [PATCH 0/2] Netfilter fixes for net
2014-11-20 12:30 Pablo Neira Ayuso
@ 2014-11-21 5:12 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2014-11-21 5:12 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 20 Nov 2014 13:30:49 +0100
> The following patchset contains two bugfixes for your net tree, they are:
>
> 1) Validate netlink group from nfnetlink to avoid an out-of-bounds array
> access. This should only happen with superuser privileges though.
> Discovered by Andrey Ryabinin using trinity.
>
> 2) Don't push ethernet header before calling the netfilter output hook
> for multicast traffic, this breaks ebtables since it expects to see
> skb->data pointing to the network header, patch from Linus Luessing.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
* [PATCH 0/2] netfilter fixes for net
@ 2014-01-07 22:13 Pablo Neira Ayuso
2014-01-07 23:38 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2014-01-07 22:13 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains two patches:
* Fix the IRC NAT helper which was broken when adding (incomplete) IPv6
support, from Daniel Borkmann.
* Refine the previous bugtrap that Jesper added to catch problems for the
usage of the sequence adjustment extension in IPVS on Dec 16th, it may
spam messages in case of finding a real bug.
I know it's fairly late, so please let me know if you prefer that I pass
you these via net-next.
Thanks!
----------------------------------------------------------------
The following changes since commit f35f76ee76df008131bbe01a2297de0c55ee2297:
xen-netback: Include header for vmalloc (2014-01-05 20:34:36 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to f2661adc0c134d890d84c32d7cb54a2b4d1f0a5f:
netfilter: only warn once on wrong seqadj usage (2014-01-06 14:23:17 +0100)
----------------------------------------------------------------
Daniel Borkmann (1):
netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper
Jesper Dangaard Brouer (1):
netfilter: only warn once on wrong seqadj usage
net/netfilter/nf_conntrack_seqadj.c | 2 +-
net/netfilter/nf_nat_irc.c | 32 +++++++++++++++++++++++++++-----
2 files changed, 28 insertions(+), 6 deletions(-)
* Re: [PATCH 0/2] netfilter fixes for net
2014-01-07 22:13 [PATCH 0/2] netfilter " Pablo Neira Ayuso
@ 2014-01-07 23:38 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2014-01-07 23:38 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 7 Jan 2014 23:13:37 +0100
> The following patchset contains two patches:
>
> * Fix the IRC NAT helper which was broken when adding (incomplete) IPv6
> support, from Daniel Borkmann.
>
> * Refine the previous bugtrap that Jesper added to catch problems for the
> usage of the sequence adjustment extension in IPVS on Dec 16th, it may
> spam messages in case of finding a real bug.
>
> I know it's fairly late, so please let me know if you prefer that I pass
> you these via net-next.
These look fine, thanks Pablo.
* [PATCH 0/2] netfilter fixes for net
@ 2013-12-13 18:24 Pablo Neira Ayuso
2013-12-17 20:07 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2013-12-13 18:24 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains two Netfilter fixes for your net
tree, they are:
* Fix endianness in nft_reject, the NFTA_REJECT_TYPE netlink attribute
was not converted to network byte order as needed by all nfnetlink
subsystems, from Eric Leblond.
* Restrict SYNPROXY target to INPUT and FORWARD chains, this avoids a
possible crash due to misconfigurations, from Patrick McHardy.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Thanks!
----------------------------------------------------------------
The following changes since commit 8afdd99a1315e759de04ad6e2344f0c5f17ecb1b:
udp: ipv4: fix an use after free in __udp4_lib_rcv() (2013-12-10 22:58:40 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to a3adadf3018102c24754e0b53a5515c40fbaff4a:
netfilter: nft_reject: fix endianness in dump function (2013-12-12 09:37:39 +0100)
----------------------------------------------------------------
Eric Leblond (1):
netfilter: nft_reject: fix endianness in dump function
Patrick McHardy (1):
netfilter: SYNPROXY target: restrict to INPUT/FORWARD
net/ipv4/netfilter/ipt_SYNPROXY.c | 1 +
net/ipv4/netfilter/nft_reject_ipv4.c | 2 +-
net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
3 files changed, 3 insertions(+), 1 deletion(-)
--
1.7.10.4
* Re: [PATCH 0/2] netfilter fixes for net
2013-12-13 18:24 Pablo Neira Ayuso
@ 2013-12-17 20:07 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2013-12-17 20:07 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 13 Dec 2013 19:24:57 +0100
> The following patchset contains two Netfilter fixes for your net
> tree, they are:
>
> * Fix endianness in nft_reject, the NFTA_REJECT_TYPE netlink attribute
> was not converted to network byte order as needed by all nfnetlink
> subsystems, from Eric Leblond.
>
> * Restrict SYNPROXY target to INPUT and FORWARD chains, this avoids a
> possible crash due to misconfigurations, from Patrick McHardy.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Pulled, thanks Pablo.
* [PATCH 0/2] netfilter fixes for net
@ 2013-04-19 1:16 Pablo Neira Ayuso
2013-04-19 18:25 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2013-04-19 1:16 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
If time allows, please consider pulling the following patchset, which contains two
late Netfilter fixes, they are:
* Skip broadcast/multicast locally generated traffic in the rpfilter,
(closes netfilter bugzilla #814), from Florian Westphal.
* Fix missing elements in the listing of ipset bitmap ip,mac set
type with timeout support enabled, from Jozsef Kadlecsik.
The following changes since commit c2d421e171868586939c328dfb91bab840fe4c49:
netfilter: nf_nat: fix race when unloading protocol modules (2013-04-12 11:46:31 +0200)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to f83a7ea2075ca896f2dbf07672bac9cf3682ff74:
netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too (2013-04-19 00:11:59 +0200)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too
Jozsef Kadlecsik (1):
netfilter: ipset: bitmap:ip,mac: fix listing with timeout
net/ipv4/netfilter/ipt_rpfilter.c | 8 +++++++-
net/ipv6/netfilter/ip6t_rpfilter.c | 8 +++++++-
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 6 +++++-
3 files changed, 19 insertions(+), 3 deletions(-)
* Re: [PATCH 0/2] netfilter fixes for net
2013-04-19 1:16 Pablo Neira Ayuso
@ 2013-04-19 18:25 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2013-04-19 18:25 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 19 Apr 2013 03:16:00 +0200
> If time allows, please consider pulling the following patchset, which contains two
> late Netfilter fixes, they are:
>
> * Skip broadcast/multicast locally generated traffic in the rpfilter,
> (closes netfilter bugzilla #814), from Florian Westphal.
>
> * Fix missing elements in the listing of ipset bitmap ip,mac set
> type with timeout support enabled, from Jozsef Kadlecsik.
>
> The following changes since commit c2d421e171868586939c328dfb91bab840fe4c49:
>
> netfilter: nf_nat: fix race when unloading protocol modules (2013-04-12 11:46:31 +0200)
>
> are available in the git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Pulled, thanks Pablo.
* [PATCH 0/2] netfilter fixes for net
@ 2013-02-26 13:45 pablo
2013-02-26 22:24 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: pablo @ 2013-02-26 13:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi David,
The following patchset contains two bugfixes for netfilter/ipset via
Jozsef Kadlecsik, they are:
* Fix timeout corruption if sets are resized, by Josh Hunt.
* Fix bogus error report if the flag nomatch is set, from Jozsef.
You can pull these changes from:
git://1984.lsi.us.es/nf master
Thanks!
Josh Hunt (1):
netfilter: ipset: timeout values corrupted on set resize
Jozsef Kadlecsik (1):
netfilter: ipset: "Directory not empty" error message
include/linux/netfilter/ipset/ip_set_ahash.h | 4 +++-
net/netfilter/ipset/ip_set_core.c | 3 ++-
2 files changed, 5 insertions(+), 2 deletions(-)
--
1.7.10.4
* Re: [PATCH 0/2] netfilter fixes for net
2013-02-26 13:45 pablo
@ 2013-02-26 22:24 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2013-02-26 22:24 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: pablo@netfilter.org
Date: Tue, 26 Feb 2013 14:45:18 +0100
> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> Hi David,
>
> The following patchset contains two bugfixes for netfilter/ipset via
> Jozsef Kadlecsik, they are:
>
> * Fix timeout corruption if sets are resized, by Josh Hunt.
>
> * Fix bogus error report if the flag nomatch is set, from Jozsef.
>
> You can pull these changes from:
>
> git://1984.lsi.us.es/nf master
Pulled, thanks Pablo.
* [PATCH 0/2] netfilter fixes for net
@ 2012-11-22 9:10 pablo
2012-11-22 20:28 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: pablo @ 2012-11-22 9:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi David,
The following patchset contains two Netfilter fixes:
* Fix buffer overflow in the name of the timeout policy object
in the cttimeout infrastructure, from Florian Westphal.
* Fix a bug in the hash set in case that IP ranges are
specified, from Jozsef Kadlecsik.
You can pull these changes from:
git://1984.lsi.us.es/nf master
Thanks!
Florian Westphal (1):
netfilter: cttimeout: fix buffer overflow
Jozsef Kadlecsik (1):
netfilter: ipset: Fix range bug in hash:ip,port,net
net/netfilter/ipset/ip_set_hash_ip.c | 4 ++--
net/netfilter/ipset/ip_set_hash_ipport.c | 7 +++----
net/netfilter/ipset/ip_set_hash_ipportip.c | 7 +++----
net/netfilter/ipset/ip_set_hash_ipportnet.c | 7 +++++--
net/netfilter/nfnetlink_cttimeout.c | 3 ++-
5 files changed, 15 insertions(+), 13 deletions(-)
--
1.7.10.4
* Re: [PATCH 0/2] netfilter fixes for net
2012-11-22 9:10 pablo
@ 2012-11-22 20:28 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2012-11-22 20:28 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: pablo@netfilter.org
Date: Thu, 22 Nov 2012 10:10:50 +0100
> The following patchset contains two Netfilter fixes:
>
> * Fix buffer overflow in the name of the timeout policy object
> in the cttimeout infrastructure, from Florian Westphal.
>
> * Fix a bug in the hash set in case that IP ranges are
> specified, from Jozsef Kadlecsik.
Pulled, thanks Pablo.
Thread overview: 34+ messages
2019-10-02 18:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
2019-10-02 18:53 ` [PATCH 1/2] netfilter: drop bridge nf reset from nf_reset Pablo Neira Ayuso
2019-10-02 18:53 ` [PATCH 2/2] netfilter: nft_connlimit: disable bh on garbage collection Pablo Neira Ayuso
2019-10-02 20:23 ` [PATCH 0/2] Netfilter fixes for net David Miller
2020-07-04 0:13 Pablo Neira Ayuso
2020-07-05 0:47 ` David Miller
2020-04-29 21:48 Pablo Neira Ayuso
2020-05-01 1:07 ` David Miller
2020-04-21 10:37 Pablo Neira Ayuso
2020-04-21 18:50 ` David Miller
2019-02-11 16:53 Pablo Neira Ayuso
2019-02-11 18:43 ` David Miller
2017-11-01 18:48 Pablo Neira Ayuso
2017-11-02 7:53 ` David Miller
2017-09-20 10:49 Pablo Neira Ayuso
2017-09-20 23:08 ` David Miller
2017-07-06 12:54 Pablo Neira Ayuso
2017-07-06 13:03 ` David Miller
2015-12-22 17:53 Pablo Neira Ayuso
2015-12-22 19:55 ` David Miller
2015-04-27 18:41 Pablo Neira Ayuso
2015-04-28 3:13 ` David Miller
2014-11-20 12:30 Pablo Neira Ayuso
2014-11-21 5:12 ` David Miller
2014-01-07 22:13 [PATCH 0/2] netfilter " Pablo Neira Ayuso
2014-01-07 23:38 ` David Miller
2013-12-13 18:24 Pablo Neira Ayuso
2013-12-17 20:07 ` David Miller
2013-04-19 1:16 Pablo Neira Ayuso
2013-04-19 18:25 ` David Miller
2013-02-26 13:45 pablo
2013-02-26 22:24 ` David Miller
2012-11-22 9:10 pablo
2012-11-22 20:28 ` David Miller