* [PATCH 0/5] Netfilter fixes for net
@ 2020-05-25 21:54 Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 1/5] netfilter: nft_reject_bridge: enable reject with bridge vlan Pablo Neira Ayuso
` (5 more replies)
0 siblings, 6 replies; 34+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-25 21:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Set VLAN tag in tcp reset/icmp unreachable packets to reject
connections in the bridge family, from Michael Braun.
2) Incorrect subcounter flag update in ipset, from Phil Sutter.
3) Possible buffer overflow in the pptp conntrack helper, based
on patch from Dan Carpenter.
4) Restore userspace conntrack helper hook logic that broke after
hook consolidation rework.
5) Unbreak userspace conntrack helper registration via
nfnetlink_cthelper.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 98790bbac4db1697212ce9462ec35ca09c4a2810:
Merge tag 'efi-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip (2020-05-24 10:24:10 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 703acd70f2496537457186211c2f03e792409e68:
netfilter: nfnetlink_cthelper: unbreak userspace helper support (2020-05-25 20:39:14 +0200)
----------------------------------------------------------------
Michael Braun (1):
netfilter: nft_reject_bridge: enable reject with bridge vlan
Pablo Neira Ayuso (3):
netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
netfilter: conntrack: make conntrack userspace helpers work again
netfilter: nfnetlink_cthelper: unbreak userspace helper support
Phil Sutter (1):
netfilter: ipset: Fix subcounter update skip
include/linux/netfilter/nf_conntrack_pptp.h | 2 +-
net/bridge/netfilter/nft_reject_bridge.c | 6 +++
net/ipv4/netfilter/nf_nat_pptp.c | 7 +--
net/netfilter/ipset/ip_set_list_set.c | 2 +-
net/netfilter/nf_conntrack_core.c | 78 ++++++++++++++++++++++++++---
net/netfilter/nf_conntrack_pptp.c | 62 +++++++++++++----------
net/netfilter/nfnetlink_cthelper.c | 3 +-
7 files changed, 119 insertions(+), 41 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 1/5] netfilter: nft_reject_bridge: enable reject with bridge vlan
2020-05-25 21:54 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
@ 2020-05-25 21:54 ` Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 2/5] netfilter: ipset: Fix subcounter update skip Pablo Neira Ayuso
` (4 subsequent siblings)
5 siblings, 0 replies; 34+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-25 21:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Michael Braun <michael-dev@fami-braun.de>
Currently, using the bridge reject target with tagged packets
results in untagged packets being sent back.
Fix this by mirroring the vlan id as well.
Fixes: 85f5b3086a04 ("netfilter: bridge: add reject support")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/bridge/netfilter/nft_reject_bridge.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index b325b569e761..f48cf4cfb80f 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -31,6 +31,12 @@ static void nft_reject_br_push_etherhdr(struct sk_buff *oldskb,
ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
eth->h_proto = eth_hdr(oldskb)->h_proto;
skb_pull(nskb, ETH_HLEN);
+
+ if (skb_vlan_tag_present(oldskb)) {
+ u16 vid = skb_vlan_tag_get(oldskb);
+
+ __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
+ }
}
static int nft_bridge_iphdr_validate(struct sk_buff *skb)
--
2.20.1
^ permalink raw reply related [flat|nested] 34+ messages in thread
* [PATCH 2/5] netfilter: ipset: Fix subcounter update skip
2020-05-25 21:54 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 1/5] netfilter: nft_reject_bridge: enable reject with bridge vlan Pablo Neira Ayuso
@ 2020-05-25 21:54 ` Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 3/5] netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code Pablo Neira Ayuso
` (3 subsequent siblings)
5 siblings, 0 replies; 34+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-25 21:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Phil Sutter <phil@nwl.cc>
If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not
update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE
must be set, not unset.
Fixes: 6e01781d1c80e ("netfilter: ipset: set match: add support to match the counters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_list_set.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index cd747c0962fd..5a67f7966574 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -59,7 +59,7 @@ list_set_ktest(struct ip_set *set, const struct sk_buff *skb,
/* Don't lookup sub-counters at all */
opt->cmdflags &= ~IPSET_FLAG_MATCH_COUNTERS;
if (opt->cmdflags & IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE)
- opt->cmdflags &= ~IPSET_FLAG_SKIP_COUNTER_UPDATE;
+ opt->cmdflags |= IPSET_FLAG_SKIP_COUNTER_UPDATE;
list_for_each_entry_rcu(e, &map->members, list) {
ret = ip_set_test(e->id, skb, par, opt);
if (ret <= 0)
--
2.20.1
^ permalink raw reply related [flat|nested] 34+ messages in thread
* [PATCH 3/5] netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
2020-05-25 21:54 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 1/5] netfilter: nft_reject_bridge: enable reject with bridge vlan Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 2/5] netfilter: ipset: Fix subcounter update skip Pablo Neira Ayuso
@ 2020-05-25 21:54 ` Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 4/5] netfilter: conntrack: make conntrack userspace helpers work again Pablo Neira Ayuso
` (2 subsequent siblings)
5 siblings, 0 replies; 34+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-25 21:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Dan Carpenter says: "Smatch complains that the value for "cmd" comes
from the network and can't be trusted."
Add pptp_msg_name() helper function that checks for the array boundary.
Fixes: f09943fefe6b ("[NETFILTER]: nf_conntrack/nf_nat: add PPTP helper port")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/nf_conntrack_pptp.h | 2 +-
net/ipv4/netfilter/nf_nat_pptp.c | 7 +--
net/netfilter/nf_conntrack_pptp.c | 62 ++++++++++++---------
3 files changed, 38 insertions(+), 33 deletions(-)
diff --git a/include/linux/netfilter/nf_conntrack_pptp.h b/include/linux/netfilter/nf_conntrack_pptp.h
index fcc409de31a4..6a4ff6d5ebc2 100644
--- a/include/linux/netfilter/nf_conntrack_pptp.h
+++ b/include/linux/netfilter/nf_conntrack_pptp.h
@@ -10,7 +10,7 @@
#include <net/netfilter/nf_conntrack_expect.h>
#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
-extern const char *const pptp_msg_name[];
+extern const char *const pptp_msg_name(u_int16_t msg);
/* state of the control session */
enum pptp_ctrlsess_state {
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
index 3c25a467b3ef..7afde8828b4c 100644
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -166,8 +166,7 @@ pptp_outbound_pkt(struct sk_buff *skb,
break;
default:
pr_debug("unknown outbound packet 0x%04x:%s\n", msg,
- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] :
- pptp_msg_name[0]);
+ pptp_msg_name(msg));
fallthrough;
case PPTP_SET_LINK_INFO:
/* only need to NAT in case PAC is behind NAT box */
@@ -268,9 +267,7 @@ pptp_inbound_pkt(struct sk_buff *skb,
pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
break;
default:
- pr_debug("unknown inbound packet %s\n",
- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] :
- pptp_msg_name[0]);
+ pr_debug("unknown inbound packet %s\n", pptp_msg_name(msg));
fallthrough;
case PPTP_START_SESSION_REQUEST:
case PPTP_START_SESSION_REPLY:
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index a971183f11af..7ad247784cfa 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -72,24 +72,32 @@ EXPORT_SYMBOL_GPL(nf_nat_pptp_hook_expectfn);
#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
/* PptpControlMessageType names */
-const char *const pptp_msg_name[] = {
- "UNKNOWN_MESSAGE",
- "START_SESSION_REQUEST",
- "START_SESSION_REPLY",
- "STOP_SESSION_REQUEST",
- "STOP_SESSION_REPLY",
- "ECHO_REQUEST",
- "ECHO_REPLY",
- "OUT_CALL_REQUEST",
- "OUT_CALL_REPLY",
- "IN_CALL_REQUEST",
- "IN_CALL_REPLY",
- "IN_CALL_CONNECT",
- "CALL_CLEAR_REQUEST",
- "CALL_DISCONNECT_NOTIFY",
- "WAN_ERROR_NOTIFY",
- "SET_LINK_INFO"
+static const char *const pptp_msg_name_array[PPTP_MSG_MAX + 1] = {
+ [0] = "UNKNOWN_MESSAGE",
+ [PPTP_START_SESSION_REQUEST] = "START_SESSION_REQUEST",
+ [PPTP_START_SESSION_REPLY] = "START_SESSION_REPLY",
+ [PPTP_STOP_SESSION_REQUEST] = "STOP_SESSION_REQUEST",
+ [PPTP_STOP_SESSION_REPLY] = "STOP_SESSION_REPLY",
+ [PPTP_ECHO_REQUEST] = "ECHO_REQUEST",
+ [PPTP_ECHO_REPLY] = "ECHO_REPLY",
+ [PPTP_OUT_CALL_REQUEST] = "OUT_CALL_REQUEST",
+ [PPTP_OUT_CALL_REPLY] = "OUT_CALL_REPLY",
+ [PPTP_IN_CALL_REQUEST] = "IN_CALL_REQUEST",
+ [PPTP_IN_CALL_REPLY] = "IN_CALL_REPLY",
+ [PPTP_IN_CALL_CONNECT] = "IN_CALL_CONNECT",
+ [PPTP_CALL_CLEAR_REQUEST] = "CALL_CLEAR_REQUEST",
+ [PPTP_CALL_DISCONNECT_NOTIFY] = "CALL_DISCONNECT_NOTIFY",
+ [PPTP_WAN_ERROR_NOTIFY] = "WAN_ERROR_NOTIFY",
+ [PPTP_SET_LINK_INFO] = "SET_LINK_INFO"
};
+
+const char *const pptp_msg_name(u_int16_t msg)
+{
+ if (msg > PPTP_MSG_MAX)
+ return pptp_msg_name_array[0];
+
+ return pptp_msg_name_array[msg];
+}
EXPORT_SYMBOL(pptp_msg_name);
#endif
@@ -276,7 +284,7 @@ pptp_inbound_pkt(struct sk_buff *skb, unsigned int protoff,
typeof(nf_nat_pptp_hook_inbound) nf_nat_pptp_inbound;
msg = ntohs(ctlh->messageType);
- pr_debug("inbound control message %s\n", pptp_msg_name[msg]);
+ pr_debug("inbound control message %s\n", pptp_msg_name(msg));
switch (msg) {
case PPTP_START_SESSION_REPLY:
@@ -311,7 +319,7 @@ pptp_inbound_pkt(struct sk_buff *skb, unsigned int protoff,
pcid = pptpReq->ocack.peersCallID;
if (info->pns_call_id != pcid)
goto invalid;
- pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name[msg],
+ pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name(msg),
ntohs(cid), ntohs(pcid));
if (pptpReq->ocack.resultCode == PPTP_OUTCALL_CONNECT) {
@@ -328,7 +336,7 @@ pptp_inbound_pkt(struct sk_buff *skb, unsigned int protoff,
goto invalid;
cid = pptpReq->icreq.callID;
- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
+ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
info->cstate = PPTP_CALL_IN_REQ;
info->pac_call_id = cid;
break;
@@ -347,7 +355,7 @@ pptp_inbound_pkt(struct sk_buff *skb, unsigned int protoff,
if (info->pns_call_id != pcid)
goto invalid;
- pr_debug("%s, PCID=%X\n", pptp_msg_name[msg], ntohs(pcid));
+ pr_debug("%s, PCID=%X\n", pptp_msg_name(msg), ntohs(pcid));
info->cstate = PPTP_CALL_IN_CONF;
/* we expect a GRE connection from PAC to PNS */
@@ -357,7 +365,7 @@ pptp_inbound_pkt(struct sk_buff *skb, unsigned int protoff,
case PPTP_CALL_DISCONNECT_NOTIFY:
/* server confirms disconnect */
cid = pptpReq->disc.callID;
- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
+ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
info->cstate = PPTP_CALL_NONE;
/* untrack this call id, unexpect GRE packets */
@@ -384,7 +392,7 @@ pptp_inbound_pkt(struct sk_buff *skb, unsigned int protoff,
invalid:
pr_debug("invalid %s: type=%d cid=%u pcid=%u "
"cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
+ pptp_msg_name(msg),
msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate,
ntohs(info->pns_call_id), ntohs(info->pac_call_id));
return NF_ACCEPT;
@@ -404,7 +412,7 @@ pptp_outbound_pkt(struct sk_buff *skb, unsigned int protoff,
typeof(nf_nat_pptp_hook_outbound) nf_nat_pptp_outbound;
msg = ntohs(ctlh->messageType);
- pr_debug("outbound control message %s\n", pptp_msg_name[msg]);
+ pr_debug("outbound control message %s\n", pptp_msg_name(msg));
switch (msg) {
case PPTP_START_SESSION_REQUEST:
@@ -426,7 +434,7 @@ pptp_outbound_pkt(struct sk_buff *skb, unsigned int protoff,
info->cstate = PPTP_CALL_OUT_REQ;
/* track PNS call id */
cid = pptpReq->ocreq.callID;
- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
+ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
info->pns_call_id = cid;
break;
@@ -440,7 +448,7 @@ pptp_outbound_pkt(struct sk_buff *skb, unsigned int protoff,
pcid = pptpReq->icack.peersCallID;
if (info->pac_call_id != pcid)
goto invalid;
- pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name[msg],
+ pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name(msg),
ntohs(cid), ntohs(pcid));
if (pptpReq->icack.resultCode == PPTP_INCALL_ACCEPT) {
@@ -480,7 +488,7 @@ pptp_outbound_pkt(struct sk_buff *skb, unsigned int protoff,
invalid:
pr_debug("invalid %s: type=%d cid=%u pcid=%u "
"cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
+ pptp_msg_name(msg),
msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate,
ntohs(info->pns_call_id), ntohs(info->pac_call_id));
return NF_ACCEPT;
--
2.20.1
^ permalink raw reply related [flat|nested] 34+ messages in thread
* [PATCH 4/5] netfilter: conntrack: make conntrack userspace helpers work again
2020-05-25 21:54 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2020-05-25 21:54 ` [PATCH 3/5] netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code Pablo Neira Ayuso
@ 2020-05-25 21:54 ` Pablo Neira Ayuso
2020-05-26 18:45 ` Jakub Kicinski
2020-05-25 21:54 ` [PATCH 5/5] netfilter: nfnetlink_cthelper: unbreak userspace helper support Pablo Neira Ayuso
2020-05-26 1:29 ` [PATCH 0/5] Netfilter fixes for net David Miller
5 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-25 21:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Florian Westphal says:
"Problem is that after the helper hook was merged back into the confirm
one, the queueing itself occurs from the confirm hook, i.e. we queue
from the last netfilter callback in the hook-list.
Therefore, on return, the packet bypasses the confirm action and the
connection is never committed to the main conntrack table.
To fix this there are several ways:
1. revert the 'Fixes' commit and have a extra helper hook again.
Works, but has the drawback of adding another indirect call for
everyone.
2. Special case this: split the hooks only when userspace helper
gets added, so queueing occurs at a lower priority again,
and normal enqueue reinject would eventually call the last hook.
3. Extend the existing nf_queue ct update hook to allow a forced
confirmation (plus run the seqadj code).
This goes for 3)."
Fixes: 827318feb69cb ("netfilter: conntrack: remove helper hook again")
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 78 ++++++++++++++++++++++++++++---
1 file changed, 72 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 1d57b95d3481..08e0c19f6b39 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2016,22 +2016,18 @@ static void nf_conntrack_attach(struct sk_buff *nskb, const struct sk_buff *skb)
nf_conntrack_get(skb_nfct(nskb));
}
-static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
+static int __nf_conntrack_update(struct net *net, struct sk_buff *skb,
+ struct nf_conn *ct)
{
struct nf_conntrack_tuple_hash *h;
struct nf_conntrack_tuple tuple;
enum ip_conntrack_info ctinfo;
struct nf_nat_hook *nat_hook;
unsigned int status;
- struct nf_conn *ct;
int dataoff;
u16 l3num;
u8 l4num;
- ct = nf_ct_get(skb, &ctinfo);
- if (!ct || nf_ct_is_confirmed(ct))
- return 0;
-
l3num = nf_ct_l3num(ct);
dataoff = get_l4proto(skb, skb_network_offset(skb), l3num, &l4num);
@@ -2088,6 +2084,76 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
return 0;
}
+/* This packet is coming from userspace via nf_queue, complete the packet
+ * processing after the helper invocation in nf_confirm().
+ */
+static int nf_confirm_cthelper(struct sk_buff *skb, struct nf_conn *ct,
+ enum ip_conntrack_info ctinfo)
+{
+ const struct nf_conntrack_helper *helper;
+ const struct nf_conn_help *help;
+ unsigned int protoff;
+
+ help = nfct_help(ct);
+ if (!help)
+ return 0;
+
+ helper = rcu_dereference(help->helper);
+ if (!(helper->flags & NF_CT_HELPER_F_USERSPACE))
+ return 0;
+
+ switch (nf_ct_l3num(ct)) {
+ case NFPROTO_IPV4:
+ protoff = skb_network_offset(skb) + ip_hdrlen(skb);
+ break;
+#if IS_ENABLED(CONFIG_IPV6)
+ case NFPROTO_IPV6: {
+ __be16 frag_off;
+ u8 pnum;
+
+ pnum = ipv6_hdr(skb)->nexthdr;
+ protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &pnum,
+ &frag_off);
+ if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
+ return 0;
+ break;
+ }
+#endif
+ default:
+ return 0;
+ }
+
+ if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
+ !nf_is_loopback_packet(skb)) {
+ if (!nf_ct_seq_adjust(skb, ct, ctinfo, protoff)) {
+ NF_CT_STAT_INC_ATOMIC(nf_ct_net(ct), drop);
+ return -1;
+ }
+ }
+
+ /* We've seen it coming out the other side: confirm it */
+ return nf_conntrack_confirm(skb) == NF_DROP ? - 1 : 0;
+}
+
+static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
+{
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct;
+ int err;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (!ct)
+ return 0;
+
+ if (!nf_ct_is_confirmed(ct)) {
+ err = __nf_conntrack_update(net, skb, ct);
+ if (err < 0)
+ return err;
+ }
+
+ return nf_confirm_cthelper(skb, ct, ctinfo);
+}
+
static bool nf_conntrack_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
const struct sk_buff *skb)
{
--
2.20.1
^ permalink raw reply related [flat|nested] 34+ messages in thread
* Re: [PATCH 4/5] netfilter: conntrack: make conntrack userspace helpers work again
2020-05-25 21:54 ` [PATCH 4/5] netfilter: conntrack: make conntrack userspace helpers work again Pablo Neira Ayuso
@ 2020-05-26 18:45 ` Jakub Kicinski
0 siblings, 0 replies; 34+ messages in thread
From: Jakub Kicinski @ 2020-05-26 18:45 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev
On Mon, 25 May 2020 23:54:19 +0200 Pablo Neira Ayuso wrote:
> +/* This packet is coming from userspace via nf_queue, complete the packet
> + * processing after the helper invocation in nf_confirm().
> + */
> +static int nf_confirm_cthelper(struct sk_buff *skb, struct nf_conn *ct,
> + enum ip_conntrack_info ctinfo)
> +{
> + const struct nf_conntrack_helper *helper;
> + const struct nf_conn_help *help;
> + unsigned int protoff;
> +
> + help = nfct_help(ct);
> + if (!help)
> + return 0;
> +
> + helper = rcu_dereference(help->helper);
> + if (!(helper->flags & NF_CT_HELPER_F_USERSPACE))
> + return 0;
> +
> + switch (nf_ct_l3num(ct)) {
> + case NFPROTO_IPV4:
> + protoff = skb_network_offset(skb) + ip_hdrlen(skb);
> + break;
> +#if IS_ENABLED(CONFIG_IPV6)
> + case NFPROTO_IPV6: {
> + __be16 frag_off;
> + u8 pnum;
> +
> + pnum = ipv6_hdr(skb)->nexthdr;
> + protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &pnum,
> + &frag_off);
> + if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
> + return 0;
> + break;
> + }
net/netfilter/nf_conntrack_core.c: In function nf_confirm_cthelper:
net/netfilter/nf_conntrack_core.c:2117:15: warning: comparison of unsigned expression in < 0 is always false [-Wtype-limits]
2117 | if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
| ^
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 5/5] netfilter: nfnetlink_cthelper: unbreak userspace helper support
2020-05-25 21:54 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2020-05-25 21:54 ` [PATCH 4/5] netfilter: conntrack: make conntrack userspace helpers work again Pablo Neira Ayuso
@ 2020-05-25 21:54 ` Pablo Neira Ayuso
2020-05-26 1:29 ` [PATCH 0/5] Netfilter fixes for net David Miller
5 siblings, 0 replies; 34+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-25 21:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Restore helper data size initialization and fix memcopy of the helper
data size.
Fixes: 157ffffeb5dc ("netfilter: nfnetlink_cthelper: reject too large userspace allocation requests")
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_cthelper.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index a5f294aa8e4c..5b0d0a77379c 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -103,7 +103,7 @@ nfnl_cthelper_from_nlattr(struct nlattr *attr, struct nf_conn *ct)
if (help->helper->data_len == 0)
return -EINVAL;
- nla_memcpy(help->data, nla_data(attr), sizeof(help->data));
+ nla_memcpy(help->data, attr, sizeof(help->data));
return 0;
}
@@ -240,6 +240,7 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
ret = -ENOMEM;
goto err2;
}
+ helper->data_len = size;
helper->flags |= NF_CT_HELPER_F_USERSPACE;
memcpy(&helper->tuple, tuple, sizeof(struct nf_conntrack_tuple));
--
2.20.1
^ permalink raw reply related [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2020-05-25 21:54 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2020-05-25 21:54 ` [PATCH 5/5] netfilter: nfnetlink_cthelper: unbreak userspace helper support Pablo Neira Ayuso
@ 2020-05-26 1:29 ` David Miller
2020-05-26 20:10 ` Pablo Neira Ayuso
5 siblings, 1 reply; 34+ messages in thread
From: David Miller @ 2020-05-26 1:29 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, kuba
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 25 May 2020 23:54:15 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Set VLAN tag in tcp reset/icmp unreachable packets to reject
> connections in the bridge family, from Michael Braun.
>
> 2) Incorrect subcounter flag update in ipset, from Phil Sutter.
>
> 3) Possible buffer overflow in the pptp conntrack helper, based
> on patch from Dan Carpenter.
>
> 4) Restore userspace conntrack helper hook logic that broke after
> hook consolidation rework.
>
> 5) Unbreak userspace conntrack helper registration via
> nfnetlink_cthelper.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thank you.
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2020-05-26 1:29 ` [PATCH 0/5] Netfilter fixes for net David Miller
@ 2020-05-26 20:10 ` Pablo Neira Ayuso
2020-05-26 23:08 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-26 20:10 UTC (permalink / raw)
To: David Miller; +Cc: netfilter-devel, netdev, kuba
On Mon, May 25, 2020 at 06:29:01PM -0700, David Miller wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> Date: Mon, 25 May 2020 23:54:15 +0200
>
> > The following patchset contains Netfilter fixes for net:
> >
> > 1) Set VLAN tag in tcp reset/icmp unreachable packets to reject
> > connections in the bridge family, from Michael Braun.
> >
> > 2) Incorrect subcounter flag update in ipset, from Phil Sutter.
> >
> > 3) Possible buffer overflow in the pptp conntrack helper, based
> > on patch from Dan Carpenter.
> >
> > 4) Restore userspace conntrack helper hook logic that broke after
> > hook consolidation rework.
> >
> > 5) Unbreak userspace conntrack helper registration via
> > nfnetlink_cthelper.
> >
> > You can pull these changes from:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
>
> Pulled, thank you.
If it's still possible, it would be good to toss this pull request.
Otherwise, I will send another pull request to address the kbuild
reports.
Thank you.
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2020-05-26 20:10 ` Pablo Neira Ayuso
@ 2020-05-26 23:08 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2020-05-26 23:08 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, kuba
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 26 May 2020 22:10:23 +0200
> If it's still possible, it would be good to toss this pull request.
>
> Otherwise, I will send another pull request to address the kbuild
> reports.
Unfortunately I pushed it out already, please send me follow-ups.
Thanks.
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2020-09-08 15:09 Pablo Neira Ayuso
2020-09-09 3:08 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2020-09-08 15:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Allow conntrack entries with l3num == NFPROTO_IPV4 or == NFPROTO_IPV6
only via ctnetlink, from Will McVicker.
2) Batch notifications to userspace to improve netlink socket receive
utilization.
3) Restore mark based dump filtering via ctnetlink, from Martin Willi.
4) nf_conncount_init() fails with -EPROTO with CONFIG_IPV6, from
Eelco Chaudron.
5) Containers fail to match on meta skuid and skgid, use socket user_ns
to retrieve meta skuid and skgid.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 19162fd4063a3211843b997a454b505edb81d5ce:
hv_netvsc: Fix hibernation for mlx5 VF driver (2020-09-07 21:04:36 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 0c92411bb81de9bc516d6924f50289d8d5f880e5:
netfilter: nft_meta: use socket user_ns to retrieve skuid and skgid (2020-09-08 13:04:56 +0200)
----------------------------------------------------------------
Eelco Chaudron (1):
netfilter: conntrack: nf_conncount_init is failing with IPv6 disabled
Martin Willi (1):
netfilter: ctnetlink: fix mark based dump filtering regression
Pablo Neira Ayuso (2):
netfilter: nf_tables: coalesce multiple notifications into one skbuff
netfilter: nft_meta: use socket user_ns to retrieve skuid and skgid
Will McVicker (1):
netfilter: ctnetlink: add a range check for l3/l4 protonum
include/net/netns/nftables.h | 1 +
net/netfilter/nf_conntrack_netlink.c | 22 +++---------
net/netfilter/nf_conntrack_proto.c | 2 ++
net/netfilter/nf_tables_api.c | 70 +++++++++++++++++++++++++++++-------
net/netfilter/nft_meta.c | 4 +--
5 files changed, 67 insertions(+), 32 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2020-09-08 15:09 Pablo Neira Ayuso
@ 2020-09-09 3:08 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2020-09-09 3:08 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, kuba
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 8 Sep 2020 17:09:42 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Allow conntrack entries with l3num == NFPROTO_IPV4 or == NFPROTO_IPV6
> only via ctnetlink, from Will McVicker.
>
> 2) Batch notifications to userspace to improve netlink socket receive
> utilization.
>
> 3) Restore mark based dump filtering via ctnetlink, from Martin Willi.
>
> 4) nf_conncount_init() fails with -EPROTO with CONFIG_IPV6, from
> Eelco Chaudron.
>
> 5) Containers fail to match on meta skuid and skgid, use socket user_ns
> to retrieve meta skuid and skgid.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2020-08-04 20:02 Pablo Neira Ayuso
2020-08-04 20:32 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2020-08-04 20:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Flush the cleanup xtables worker to make sure destructors
have completed, from Florian Westphal.
2) iifgroup is matching erroneously, also from Florian.
3) Add selftest for meta interface matching, from Florian Westphal.
4) Move nf_ct_offload_timeout() to header, from Roi Dayan.
5) Call nf_ct_offload_timeout() from flow_offload_add() to
make sure garbage collection does not evict offloaded flow,
from Roi Dayan.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you!
----------------------------------------------------------------
The following changes since commit 85496a29224188051b6135eb38da8afd4c584765:
net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() (2020-07-30 17:45:13 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 4203b19c27967d9eff6928f6a733f81892ffc592:
netfilter: flowtable: Set offload timeout when adding flow (2020-08-03 12:37:24 +0200)
----------------------------------------------------------------
Florian Westphal (3):
netfilter: nft_compat: make sure xtables destructors have run
netfilter: nft_meta: fix iifgroup matching
selftests: netfilter: add meta iif/oif match test
Roi Dayan (2):
netfilter: conntrack: Move nf_ct_offload_timeout to header file
netfilter: flowtable: Set offload timeout when adding flow
include/net/netfilter/nf_conntrack.h | 12 +++
include/net/netfilter/nf_tables.h | 2 +
net/netfilter/nf_conntrack_core.c | 12 ---
net/netfilter/nf_flow_table_core.c | 2 +
net/netfilter/nf_tables_api.c | 10 ++-
net/netfilter/nft_compat.c | 36 +++++++-
net/netfilter/nft_meta.c | 2 +-
tools/testing/selftests/netfilter/Makefile | 2 +-
tools/testing/selftests/netfilter/nft_meta.sh | 124 ++++++++++++++++++++++++++
9 files changed, 182 insertions(+), 20 deletions(-)
create mode 100755 tools/testing/selftests/netfilter/nft_meta.sh
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2020-08-04 20:02 Pablo Neira Ayuso
@ 2020-08-04 20:32 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2020-08-04 20:32 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 4 Aug 2020 22:02:03 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Flush the cleanup xtables worker to make sure destructors
> have completed, from Florian Westphal.
>
> 2) iifgroup is matching erroneously, also from Florian.
>
> 3) Add selftest for meta interface matching, from Florian Westphal.
>
> 4) Move nf_ct_offload_timeout() to header, from Roi Dayan.
>
> 5) Call nf_ct_offload_timeout() from flow_offload_add() to
> make sure garbage collection does not evict offloaded flow,
> from Roi Dayan.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2019-09-25 20:29 Pablo Neira Ayuso
2019-09-27 18:16 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-25 20:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Add NFT_CHAIN_POLICY_UNSET to replace hardcoded -1 to
specify that the chain policy is unset. The chain policy
field is actually defined as an 8-bit unsigned integer.
2) Remove always true condition reported by smatch in
chain policy check.
3) Fix element lookup on dynamic sets, from Florian Westphal.
4) Use __u8 in ebtables uapi header, from Masahiro Yamada.
5) Bogus EBUSY when removing flowtable after chain flush,
from Laura Garcia Liebana.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 864668bfc374dfbf4851ec828b9049e08f9057b1:
selftests: Add test cases for `ip nexthop flush proto XX` (2019-09-19 18:35:55 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 9b05b6e11d5e93a3a517cadc12b9836e0470c255:
netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (2019-09-25 11:01:19 +0200)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nf_tables: allow lookups in dynamic sets
Laura Garcia Liebana (1):
netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush
Masahiro Yamada (1):
netfilter: ebtables: use __u8 instead of uint8_t in uapi header
Pablo Neira Ayuso (2):
netfilter: nf_tables: add NFT_CHAIN_POLICY_UNSET and use it
netfilter: nf_tables_offload: fix always true policy is unset check
include/net/netfilter/nf_tables.h | 6 ++++++
include/uapi/linux/netfilter_bridge/ebtables.h | 6 +++---
net/netfilter/nf_tables_api.c | 25 ++++++++++++++++++++++---
net/netfilter/nf_tables_offload.c | 2 +-
net/netfilter/nft_flow_offload.c | 19 +++++++++++++++++++
net/netfilter/nft_lookup.c | 3 ---
usr/include/Makefile | 1 -
7 files changed, 51 insertions(+), 11 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2019-09-25 20:29 Pablo Neira Ayuso
@ 2019-09-27 18:16 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2019-09-27 18:16 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 25 Sep 2019 22:29:58 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Add NFT_CHAIN_POLICY_UNSET to replace hardcoded -1 to
> specify that the chain policy is unset. The chain policy
> field is actually defined as an 8-bit unsigned integer.
>
> 2) Remove always true condition reported by smatch in
> chain policy check.
>
> 3) Fix element lookup on dynamic sets, from Florian Westphal.
>
> 4) Use __u8 in ebtables uapi header, from Masahiro Yamada.
>
> 5) Bogus EBUSY when removing flowtable after chain flush,
> from Laura Garcia Liebana.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2019-09-04 19:36 Pablo Neira Ayuso
2019-09-04 22:04 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-04 19:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) br_netfilter drops IPv6 packets if ipv6 is disabled, from Leonardo Bras.
2) nft_socket hits BUG() due to illegal skb->sk caching, patch from
Fernando Fernandez Mancera.
3) nft_fib_netdev could be called with ipv6 disabled, leading to crash
in the fib lookup, also from Leonardo.
4) ctnetlink honors IPS_OFFLOAD flag, just like nf_conntrack sysctl does.
5) Properly set up flowtable entry timeout, otherwise immediate
removal by garbage collector might occur.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit e33b4325e60e146c2317a8b548cbd633239ff83b:
net: stmmac: dwmac-sun8i: Variable "val" in function sun8i_dwmac_set_syscon() could be uninitialized (2019-09-02 11:48:15 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 110e48725db6262f260f10727d0fb2d3d25895e4:
netfilter: nf_flow_table: set default timeout after successful insertion (2019-09-03 22:55:42 +0200)
----------------------------------------------------------------
Fernando Fernandez Mancera (1):
netfilter: nft_socket: fix erroneous socket assignment
Leonardo Bras (2):
netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded
netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
Pablo Neira Ayuso (2):
netfilter: ctnetlink: honor IPS_OFFLOAD flag
netfilter: nf_flow_table: set default timeout after successful insertion
net/bridge/br_netfilter_hooks.c | 4 ++++
net/netfilter/nf_conntrack_netlink.c | 7 +++++--
net/netfilter/nf_flow_table_core.c | 2 +-
net/netfilter/nft_fib_netdev.c | 3 +++
net/netfilter/nft_socket.c | 6 +++---
5 files changed, 16 insertions(+), 6 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2019-09-04 19:36 Pablo Neira Ayuso
@ 2019-09-04 22:04 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2019-09-04 22:04 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 4 Sep 2019 21:36:41 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) br_netfilter drops IPv6 packets if ipv6 is disabled, from Leonardo Bras.
>
> 2) nft_socket hits BUG() due to illegal skb->sk caching, patch from
> Fernando Fernandez Mancera.
>
> 3) nft_fib_netdev could be called with ipv6 disabled, leading to crash
> in the fib lookup, also from Leonardo.
>
> 4) ctnetlink honors IPS_OFFLOAD flag, just like nf_conntrack sysctl does.
>
> 5) Properly set up flowtable entry timeout, otherwise immediate
> removal by garbage collector might occur.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2019-08-30 12:06 Pablo Neira Ayuso
2019-08-31 0:52 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2019-08-30 12:06 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Spurious warning when loading rules using the physdev match,
from Todd Seidelmann.
2) Fix FTP conntrack helper debugging output, from Thomas Jarosch.
3) Restore per-netns nf_conntrack_{acct,helper,timeout} sysctl knobs,
from Florian Westphal.
4) Clear skbuff timestamp from the flowtable datapath, also from Florian.
5) Fix incorrect byteorder of NFT_META_BRI_IIFVPROTO, from wenxu.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit f53a7ad189594a112167efaf17ea8d0242b5ac00:
r8152: Set memory to all 0xFFs on failed reg reads (2019-08-25 19:52:59 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to daf1de9078792a4d60e36aa7ecf3aadca65277c2:
netfilter: nft_meta_bridge: Fix get NFT_META_BRI_IIFVPROTO in network byteorder (2019-08-30 02:49:04 +0200)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: conntrack: make sysctls per-namespace again
netfilter: nf_flow_table: clear skb tstamp before xmit
Thomas Jarosch (1):
netfilter: nf_conntrack_ftp: Fix debug output
Todd Seidelmann (1):
netfilter: xt_physdev: Fix spurious error message in physdev_mt_check
wenxu (1):
netfilter: nft_meta_bridge: Fix get NFT_META_BRI_IIFVPROTO in network byteorder
net/bridge/netfilter/nft_meta_bridge.c | 2 +-
net/netfilter/nf_conntrack_ftp.c | 2 +-
net/netfilter/nf_conntrack_standalone.c | 5 +++++
net/netfilter/nf_flow_table_ip.c | 3 ++-
net/netfilter/xt_physdev.c | 6 ++----
5 files changed, 11 insertions(+), 7 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2019-08-30 12:06 Pablo Neira Ayuso
@ 2019-08-31 0:52 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2019-08-31 0:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 30 Aug 2019 14:06:59 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Spurious warning when loading rules using the physdev match,
> from Todd Seidelmann.
>
> 2) Fix FTP conntrack helper debugging output, from Thomas Jarosch.
>
> 3) Restore per-netns nf_conntrack_{acct,helper,timeout} sysctl knobs,
> from Florian Westphal.
>
> 4) Clear skbuff timestamp from the flowtable datapath, also from Florian.
>
> 5) Fix incorrect byteorder of NFT_META_BRI_IIFVPROTO, from wenxu.
Pulled, thanks.
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2019-08-19 18:49 Pablo Neira Ayuso
2019-08-19 20:16 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2019-08-19 18:49 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Remove IP MASQUERADING record in MAINTAINERS file,
from Denis Efremov.
2) Counter arguments are swapped in ebtables, from
Todd Seidelmann.
3) Missing netlink attribute validation in flow_offload
extension.
4) Incorrect alignment in xt_nfacct that breaks 32-bits
userspace / 64-bits kernels, from Juliana Rodrigueiro.
5) Missing include guard in nf_conntrack_h323_types.h,
from Masahiro Yamada.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit cfef46d692efd852a0da6803f920cc756eea2855:
ravb: Fix use-after-free ravb_tstamp_skb (2019-08-18 14:19:14 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 38a429c898ddd210cc35463b096389f97c3c5a73:
netfilter: add include guard to nf_conntrack_h323_types.h (2019-08-19 13:59:57 +0200)
----------------------------------------------------------------
Denis Efremov (1):
MAINTAINERS: Remove IP MASQUERADING record
Juliana Rodrigueiro (1):
netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info
Masahiro Yamada (1):
netfilter: add include guard to nf_conntrack_h323_types.h
Pablo Neira Ayuso (1):
netfilter: nft_flow_offload: missing netlink attribute policy
Todd Seidelmann (1):
netfilter: ebtables: Fix argument order to ADD_COUNTER
MAINTAINERS | 5 ----
include/linux/netfilter/nf_conntrack_h323_types.h | 5 ++++
include/uapi/linux/netfilter/xt_nfacct.h | 5 ++++
net/bridge/netfilter/ebtables.c | 8 ++---
net/netfilter/nft_flow_offload.c | 6 ++++
net/netfilter/xt_nfacct.c | 36 ++++++++++++++++-------
6 files changed, 45 insertions(+), 20 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2019-08-19 18:49 Pablo Neira Ayuso
@ 2019-08-19 20:16 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2019-08-19 20:16 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 19 Aug 2019 20:49:06 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Remove IP MASQUERADING record in MAINTAINERS file,
> from Denis Efremov.
>
> 2) Counter arguments are swapped in ebtables, from
> Todd Seidelmann.
>
> 3) Missing netlink attribute validation in flow_offload
> extension.
>
> 4) Incorrect alignment in xt_nfacct that breaks 32-bits
> userspace / 64-bits kernels, from Juliana Rodrigueiro.
>
> 5) Missing include guard in nf_conntrack_h323_types.h,
> from Masahiro Yamada.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2019-03-11 22:50 Pablo Neira Ayuso
2019-03-11 23:14 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2019-03-11 22:50 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree:
1) Fix list corruption in device notifier in the masquerade
infrastructure, from Florian Westphal.
2) Fix double-free of sets and use-after-free when deleting elements.
3) Don't bogusly return EBUSY when removing a set after flush command.
4) Use-after-free in dynamically allocate operations.
5) Don't report a new ruleset generation to userspace if transaction
list is empty, this invalidates the userspace cache innecessarily.
From Florian Westphal.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 1e027960edfaa6a43f9ca31081729b716598112b:
net/hsr: fix possible crash in add_timer() (2019-03-07 11:02:08 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to b8b27498659c65034032af79842913844a6cc79a:
netfilter: nf_tables: return immediately on empty commit (2019-03-11 20:01:20 +0100)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: nat: don't register device notifier twice
netfilter: nf_tables: return immediately on empty commit
Pablo Neira Ayuso (3):
netfilter: nf_tables: fix set double-free in abort path
netfilter: nf_tables: bogus EBUSY when deleting set after flush
netfilter: nf_tables: use-after-free in dynamic operations
include/net/netfilter/nf_tables.h | 12 ++++++---
net/netfilter/nf_nat_masquerade.c | 35 +++++++++++++------------
net/netfilter/nf_tables_api.c | 54 +++++++++++++++++++++++++++++++++------
net/netfilter/nft_dynset.c | 13 +++++++---
net/netfilter/nft_lookup.c | 13 +++++++---
net/netfilter/nft_objref.c | 13 +++++++---
6 files changed, 100 insertions(+), 40 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2019-03-11 22:50 Pablo Neira Ayuso
@ 2019-03-11 23:14 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2019-03-11 23:14 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 11 Mar 2019 23:50:30 +0100
> The following patchset contains Netfilter fixes for your net tree:
>
> 1) Fix list corruption in device notifier in the masquerade
> infrastructure, from Florian Westphal.
>
> 2) Fix double-free of sets and use-after-free when deleting elements.
>
> 3) Don't bogusly return EBUSY when removing a set after flush command.
>
> 4) Use-after-free in dynamically allocate operations.
>
> 5) Don't report a new ruleset generation to userspace if transaction
> list is empty, this invalidates the userspace cache innecessarily.
> From Florian Westphal.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2018-12-13 1:06 Pablo Neira Ayuso
2018-12-13 5:37 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2018-12-13 1:06 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for net:
1) Fix warnings suspicious rcu usage when handling base chain
statistics, from Taehee Yoo.
2) Refetch pointer to tcp header from nf_ct_sack_adjust() since
skb_make_writable() may reallocate data area, reported by Google
folks patch from Florian.
3) Incorrect netlink nest end after previous cancellation from error
path in ipset, from Pan Bian.
4) Use dst_hold_safe() from nf_xfrm_me_harder(), from Florian.
5) Use rb_link_node_rcu() for rcu-protected rbtree node in
nf_conncount, from Taehee Yoo.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 986103e7920cabc0b910749e77ae5589d3934d52:
net/ibmvnic: Fix RTNL deadlock during device reset (2018-12-03 15:53:55 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to d4e7df16567b80836a78d31b42f1a9355a636d67:
netfilter: nf_conncount: use rb_link_node_rcu() instead of rb_link_node() (2018-12-13 01:14:58 +0100)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: seqadj: re-load tcp header pointer after possible head reallocation
netfilter: nat: can't use dst_hold on noref dst
Pan Bian (1):
netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel
Taehee Yoo (2):
netfilter: nf_tables: fix suspicious RCU usage in nft_chain_stats_replace()
netfilter: nf_conncount: use rb_link_node_rcu() instead of rb_link_node()
include/linux/netfilter/nfnetlink.h | 12 ------------
net/netfilter/ipset/ip_set_list_set.c | 2 +-
net/netfilter/nf_conncount.c | 2 +-
net/netfilter/nf_conntrack_seqadj.c | 7 ++++---
net/netfilter/nf_nat_core.c | 3 ++-
net/netfilter/nf_tables_api.c | 21 +++++++++++++--------
net/netfilter/nf_tables_core.c | 2 +-
7 files changed, 22 insertions(+), 27 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2018-12-13 1:06 Pablo Neira Ayuso
@ 2018-12-13 5:37 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2018-12-13 5:37 UTC (permalink / raw)
Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 13 Dec 2018 02:06:26 +0100
> The following patchset contains Netfilter fixes for net:
>
> 1) Fix warnings suspicious rcu usage when handling base chain
> statistics, from Taehee Yoo.
>
> 2) Refetch pointer to tcp header from nf_ct_sack_adjust() since
> skb_make_writable() may reallocate data area, reported by Google
> folks patch from Florian.
>
> 3) Incorrect netlink nest end after previous cancellation from error
> path in ipset, from Pan Bian.
>
> 4) Use dst_hold_safe() from nf_xfrm_me_harder(), from Florian.
>
> 5) Use rb_link_node_rcu() for rcu-protected rbtree node in
> nf_conncount, from Taehee Yoo.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2017-08-24 14:43 Pablo Neira Ayuso
2017-08-24 18:49 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-24 14:43 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix use after free of struct proc_dir_entry in ipt_CLUSTERIP, patch
from Sabrina Dubroca.
2) Fix spurious EINVAL errors from iptables over nft compatibility layer.
3) Reload pointer to ip header only if there is non-terminal verdict,
ie. XT_CONTINUE, otherwise invalid memory access may happen, patch
from Taehee Yoo.
4) Fix interaction between SYNPROXY and NAT, SYNPROXY adds sequence
adjustment already, however from nf_nat_setup() assumes there's not.
Patch from Xin Long.
5) Fix burst arithmetics in nft_limit as Joe Stringer mentioned during
NFWS in Faro. Patch from Andy Zhou.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks a lot!
----------------------------------------------------------------
The following changes since commit 073dd5ad34b1d3aaadaa7e5e8cbe576d9545f163:
netfilter: fix netfilter_net_init() return (2017-07-18 14:50:28 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to c26844eda9d4fdbd266660e3b3de2d0270e3a1ed:
netfilter: nf_tables: Fix nft limit burst handling (2017-08-24 16:23:17 +0200)
----------------------------------------------------------------
Pablo Neira Ayuso (1):
netfilter: nft_compat: check extension hook mask only if set
Sabrina Dubroca (1):
netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry
Taehee Yoo (1):
netfilter: x_tables: Fix use-after-free in ipt_do_table.
Xin Long (1):
netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info
andy zhou (1):
netfilter: nf_tables: Fix nft limit burst handling
net/ipv4/netfilter/arp_tables.c | 10 +++++-----
net/ipv4/netfilter/ip_tables.c | 9 +++++----
net/ipv4/netfilter/ipt_CLUSTERIP.c | 4 +++-
net/netfilter/nf_nat_core.c | 2 +-
net/netfilter/nft_compat.c | 4 ++--
net/netfilter/nft_limit.c | 25 ++++++++++++++-----------
6 files changed, 30 insertions(+), 24 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2017-07-18 10:13 Pablo Neira Ayuso
2017-07-18 19:03 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-18 10:13 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Missing netlink message sanity check in nfnetlink, patch from
Mateusz Jurczyk.
2) We now have netfilter per-netns hooks, so let's kill global hook
infrastructure, this infrastructure is known to be racy with netns.
We don't care about out of tree modules. Patch from Florian Westphal.
3) find_appropriate_src() is buggy when colissions happens after the
conversion of the nat bysource to rhashtable. Also from Florian.
4) Remove forward chain in nf_tables arp family, it's useless and it is
causing quite a bit of confusion, from Florian Westphal.
5) nf_ct_remove_expect() is called with the wrong parameter, causing
kernel oops, patch from Florian Westphal.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 533da29b584de5ae0e9dafafbe52809f59cb5300:
Merge branch 'bcmgenet-Fragmented-SKB-corrections' (2017-07-15 21:29:08 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 36ac344e16e04e3e55e8fed7446095a6458c64e6:
netfilter: expect: fix crash when putting uninited expectation (2017-07-17 17:03:12 +0200)
----------------------------------------------------------------
Florian Westphal (4):
netfilter: remove old pre-netns era hook api
netfilter: nat: fix src map lookup
netfilter: nf_tables: only allow in/output for arp packets
netfilter: expect: fix crash when putting uninited expectation
Mateusz Jurczyk (1):
netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv
include/linux/netfilter.h | 9 ---
net/ipv4/netfilter/nf_tables_arp.c | 3 +-
net/netfilter/core.c | 143 ------------------------------------
net/netfilter/nf_conntrack_expect.c | 2 +-
net/netfilter/nf_nat_core.c | 17 +++--
net/netfilter/nfnetlink.c | 6 +-
6 files changed, 14 insertions(+), 166 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2017-07-18 10:13 Pablo Neira Ayuso
@ 2017-07-18 19:03 ` David Miller
2017-07-18 21:11 ` Florian Westphal
0 siblings, 1 reply; 34+ messages in thread
From: David Miller @ 2017-07-18 19:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 18 Jul 2017 12:13:54 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are:
>
> 1) Missing netlink message sanity check in nfnetlink, patch from
> Mateusz Jurczyk.
>
> 2) We now have netfilter per-netns hooks, so let's kill global hook
> infrastructure, this infrastructure is known to be racy with netns.
> We don't care about out of tree modules. Patch from Florian Westphal.
>
> 3) find_appropriate_src() is buggy when colissions happens after the
> conversion of the nat bysource to rhashtable. Also from Florian.
>
> 4) Remove forward chain in nf_tables arp family, it's useless and it is
> causing quite a bit of confusion, from Florian Westphal.
>
> 5) nf_ct_remove_expect() is called with the wrong parameter, causing
> kernel oops, patch from Florian Westphal.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot.
What about that change Eric Dumazet was talking about with Florian
that stopped instantiating conntrack by default in new namespaces?
Just curious.
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2017-07-18 19:03 ` David Miller
@ 2017-07-18 21:11 ` Florian Westphal
2017-07-18 21:54 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Florian Westphal @ 2017-07-18 21:11 UTC (permalink / raw)
To: David Miller; +Cc: pablo, netfilter-devel, netdev
David Miller <davem@davemloft.net> wrote:
> What about that change Eric Dumazet was talking about with Florian
> that stopped instantiating conntrack by default in new namespaces?
Seems more appropriate for -next. If you prefer net instead, let me know
and I'll get to work.
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2017-07-18 21:11 ` Florian Westphal
@ 2017-07-18 21:54 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2017-07-18 21:54 UTC (permalink / raw)
To: fw; +Cc: pablo, netfilter-devel, netdev
From: Florian Westphal <fw@strlen.de>
Date: Tue, 18 Jul 2017 23:11:57 +0200
> David Miller <davem@davemloft.net> wrote:
>> What about that change Eric Dumazet was talking about with Florian
>> that stopped instantiating conntrack by default in new namespaces?
>
> Seems more appropriate for -next. If you prefer net instead, let me know
> and I'll get to work.
Yeah it's more on the -next side, albeit annoying.
Ok, so nevermind :)
^ permalink raw reply [flat|nested] 34+ messages in thread
* [PATCH 0/5] Netfilter fixes for net
@ 2015-08-10 17:58 Pablo Neira Ayuso
2015-08-11 4:08 ` David Miller
0 siblings, 1 reply; 34+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-10 17:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains five Netfilter fixes for your net tree,
they are:
1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
easily hit this warning message, that gets users confused. So let's get rid
of it.
2) Recently when porting the template object allocation on top of kmalloc to
fix the netns dependencies between x_tables and conntrack, the error
checks where left unchanged. Remove IS_ERR() and check for NULL instead.
Patch from Dan Carpenter.
3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
Joe Stringer.
4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
Phil Sutter.
5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
not adjusted through our NAT infrastructure, as a result the client may
ignore this TCP packet and TCP flow hangs until the client probes us. Also
from Phil Sutter.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 15f1bb1f1e067be7088ed43ef23d59629bd24348:
qlcnic: Fix corruption while copying (2015-07-29 23:57:26 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 3c16241c445303a90529565e7437e1f240acfef2:
netfilter: SYNPROXY: fix sending window update to client (2015-08-10 13:55:07 +0200)
----------------------------------------------------------------
Dan Carpenter (1):
netfilter: nf_conntrack: checking for IS_ERR() instead of NULL
Joe Stringer (1):
netfilter: conntrack: Use flags in nf_ct_tmpl_alloc()
Pablo Neira Ayuso (1):
netfilter: nf_conntrack: silence warning on falling back to vmalloc()
Phil Sutter (2):
netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
netfilter: SYNPROXY: fix sending window update to client
net/ipv4/netfilter/ipt_SYNPROXY.c | 3 ++-
net/ipv6/netfilter/ip6t_SYNPROXY.c | 19 +++++++++++--------
net/netfilter/nf_conntrack_core.c | 8 +++-----
net/netfilter/nf_synproxy_core.c | 4 +---
net/netfilter/xt_CT.c | 5 +++--
5 files changed, 20 insertions(+), 19 deletions(-)
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH 0/5] Netfilter fixes for net
2015-08-10 17:58 Pablo Neira Ayuso
@ 2015-08-11 4:08 ` David Miller
0 siblings, 0 replies; 34+ messages in thread
From: David Miller @ 2015-08-11 4:08 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 10 Aug 2015 19:58:34 +0200
> The following patchset contains five Netfilter fixes for your net tree,
> they are:
>
> 1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
> easily hit this warning message, that gets users confused. So let's get rid
> of it.
>
> 2) Recently when porting the template object allocation on top of kmalloc to
> fix the netns dependencies between x_tables and conntrack, the error
> checks where left unchanged. Remove IS_ERR() and check for NULL instead.
> Patch from Dan Carpenter.
>
> 3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
> Joe Stringer.
>
> 4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
> Phil Sutter.
>
> 5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
> not adjusted through our NAT infrastructure, as a result the client may
> ignore this TCP packet and TCP flow hangs until the client probes us. Also
> from Phil Sutter.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 34+ messages in thread
end of thread, other threads:[~2020-09-09 3:08 UTC | newest]
Thread overview: 34+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-25 21:54 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 1/5] netfilter: nft_reject_bridge: enable reject with bridge vlan Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 2/5] netfilter: ipset: Fix subcounter update skip Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 3/5] netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code Pablo Neira Ayuso
2020-05-25 21:54 ` [PATCH 4/5] netfilter: conntrack: make conntrack userspace helpers work again Pablo Neira Ayuso
2020-05-26 18:45 ` Jakub Kicinski
2020-05-25 21:54 ` [PATCH 5/5] netfilter: nfnetlink_cthelper: unbreak userspace helper support Pablo Neira Ayuso
2020-05-26 1:29 ` [PATCH 0/5] Netfilter fixes for net David Miller
2020-05-26 20:10 ` Pablo Neira Ayuso
2020-05-26 23:08 ` David Miller
-- strict thread matches above, loose matches on Subject: below --
2020-09-08 15:09 Pablo Neira Ayuso
2020-09-09 3:08 ` David Miller
2020-08-04 20:02 Pablo Neira Ayuso
2020-08-04 20:32 ` David Miller
2019-09-25 20:29 Pablo Neira Ayuso
2019-09-27 18:16 ` David Miller
2019-09-04 19:36 Pablo Neira Ayuso
2019-09-04 22:04 ` David Miller
2019-08-30 12:06 Pablo Neira Ayuso
2019-08-31 0:52 ` David Miller
2019-08-19 18:49 Pablo Neira Ayuso
2019-08-19 20:16 ` David Miller
2019-03-11 22:50 Pablo Neira Ayuso
2019-03-11 23:14 ` David Miller
2018-12-13 1:06 Pablo Neira Ayuso
2018-12-13 5:37 ` David Miller
2017-08-24 14:43 Pablo Neira Ayuso
2017-08-24 18:49 ` David Miller
2017-07-18 10:13 Pablo Neira Ayuso
2017-07-18 19:03 ` David Miller
2017-07-18 21:11 ` Florian Westphal
2017-07-18 21:54 ` David Miller
2015-08-10 17:58 Pablo Neira Ayuso
2015-08-11 4:08 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).