* [PATCH net 0/6] Netfilter fixes for net
@ 2022-02-10 23:10 Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 1/6] selftests: netfilter: add synproxy test Pablo Neira Ayuso
` (5 more replies)
0 siblings, 6 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-10 23:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Add selftest for nft_synproxy, from Florian Westphal.
2) xt_socket destroy path incorrectly disables IPv4 defrag for
IPv6 traffic (typo), from Eric Dumazet.
3) Fix exit value selftest nft_concat_range.sh, from Hangbin Liu.
4) nft_synproxy disables the IPv4 hooks if the IPv6 hooks fail
to be registered.
5) disable rp_filter on router in selftest nft_fib.sh, also
from Hangbin Liu.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 7db788ad627aabff2b74d4f1a3b68516d0fee0d7:
nfp: flower: fix ida_idx not being released (2022-02-08 21:06:35 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to bbe4c0896d25009a7c86285d2ab024eed4374eea:
selftests: netfilter: disable rp_filter on router (2022-02-11 00:01:04 +0100)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: xt_socket: fix a typo in socket_mt_destroy()
Florian Westphal (1):
selftests: netfilter: add synproxy test
Hangbin Liu (2):
selftests: netfilter: fix exit value for nft_concat_range
selftests: netfilter: disable rp_filter on router
Pablo Neira Ayuso (2):
netfilter: nft_synproxy: unregister hooks on init error path
selftests: netfilter: synproxy test requires nf_conntrack
net/netfilter/nft_synproxy.c | 4 +-
net/netfilter/xt_socket.c | 2 +-
tools/testing/selftests/netfilter/Makefile | 2 +-
.../selftests/netfilter/nft_concat_range.sh | 2 +-
tools/testing/selftests/netfilter/nft_fib.sh | 1 +
tools/testing/selftests/netfilter/nft_synproxy.sh | 117 +++++++++++++++++++++
6 files changed, 124 insertions(+), 4 deletions(-)
create mode 100755 tools/testing/selftests/netfilter/nft_synproxy.sh
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 1/6] selftests: netfilter: add synproxy test
2022-02-10 23:10 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
@ 2022-02-10 23:10 ` Pablo Neira Ayuso
2022-02-11 12:10 ` patchwork-bot+netdevbpf
2022-02-10 23:10 ` [PATCH net 2/6] netfilter: xt_socket: fix a typo in socket_mt_destroy() Pablo Neira Ayuso
` (4 subsequent siblings)
5 siblings, 1 reply; 17+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-10 23:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Florian Westphal <fw@strlen.de>
Simple test for synproxy feature, iperf3 should be intercepted
by synproxy netns, but connection should still succeed.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tools/testing/selftests/netfilter/Makefile | 2 +-
.../selftests/netfilter/nft_synproxy.sh | 115 ++++++++++++++++++
2 files changed, 116 insertions(+), 1 deletion(-)
create mode 100755 tools/testing/selftests/netfilter/nft_synproxy.sh
diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
index ffca314897c4..e4f845dd942b 100644
--- a/tools/testing/selftests/netfilter/Makefile
+++ b/tools/testing/selftests/netfilter/Makefile
@@ -6,7 +6,7 @@ TEST_PROGS := nft_trans_stress.sh nft_fib.sh nft_nat.sh bridge_brouter.sh \
nft_concat_range.sh nft_conntrack_helper.sh \
nft_queue.sh nft_meta.sh nf_nat_edemux.sh \
ipip-conntrack-mtu.sh conntrack_tcp_unreplied.sh \
- conntrack_vrf.sh
+ conntrack_vrf.sh nft_synproxy.sh
LDLIBS = -lmnl
TEST_GEN_FILES = nf-queue
diff --git a/tools/testing/selftests/netfilter/nft_synproxy.sh b/tools/testing/selftests/netfilter/nft_synproxy.sh
new file mode 100755
index 000000000000..09bb95c87198
--- /dev/null
+++ b/tools/testing/selftests/netfilter/nft_synproxy.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+
+# Kselftest framework requirement - SKIP code is 4.
+ksft_skip=4
+ret=0
+
+rnd=$(mktemp -u XXXXXXXX)
+nsr="nsr-$rnd" # synproxy machine
+ns1="ns1-$rnd" # iperf client
+ns2="ns2-$rnd" # iperf server
+
+checktool (){
+ if ! $1 > /dev/null 2>&1; then
+ echo "SKIP: Could not $2"
+ exit $ksft_skip
+ fi
+}
+
+checktool "nft --version" "run test without nft tool"
+checktool "ip -Version" "run test without ip tool"
+checktool "iperf3 --version" "run test without iperf3"
+checktool "ip netns add $nsr" "create net namespace"
+
+ip netns add $ns1
+ip netns add $ns2
+
+cleanup() {
+ ip netns pids $ns1 | xargs kill 2>/dev/null
+ ip netns pids $ns2 | xargs kill 2>/dev/null
+ ip netns del $ns1
+ ip netns del $ns2
+
+ ip netns del $nsr
+}
+
+trap cleanup EXIT
+
+ip link add veth0 netns $nsr type veth peer name eth0 netns $ns1
+ip link add veth1 netns $nsr type veth peer name eth0 netns $ns2
+
+for dev in lo veth0 veth1; do
+ip -net $nsr link set $dev up
+done
+
+ip -net $nsr addr add 10.0.1.1/24 dev veth0
+ip -net $nsr addr add 10.0.2.1/24 dev veth1
+
+ip netns exec $nsr sysctl -q net.ipv4.conf.veth0.forwarding=1
+ip netns exec $nsr sysctl -q net.ipv4.conf.veth1.forwarding=1
+ip netns exec $nsr sysctl -q net.netfilter.nf_conntrack_tcp_loose=0
+
+for n in $ns1 $ns2; do
+ ip -net $n link set lo up
+ ip -net $n link set eth0 up
+done
+ip -net $ns1 addr add 10.0.1.99/24 dev eth0
+ip -net $ns2 addr add 10.0.2.99/24 dev eth0
+ip -net $ns1 route add default via 10.0.1.1
+ip -net $ns2 route add default via 10.0.2.1
+
+# test basic connectivity
+if ! ip netns exec $ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
+ echo "ERROR: $ns1 cannot reach $ns2" 1>&2
+ exit 1
+fi
+
+if ! ip netns exec $ns2 ping -c 1 -q 10.0.1.99 > /dev/null; then
+ echo "ERROR: $ns2 cannot reach $ns1" 1>&2
+ exit 1
+fi
+
+ip netns exec $ns2 iperf3 -s > /dev/null 2>&1 &
+# ip netns exec $nsr tcpdump -vvv -n -i veth1 tcp | head -n 10 &
+
+sleep 1
+
+ip netns exec $nsr nft -f - <<EOF
+table inet filter {
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept;
+ meta iif veth0 tcp flags syn counter notrack
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy accept;
+
+ ct state new,established counter accept
+
+ meta iif veth0 meta l4proto tcp ct state untracked,invalid synproxy mss 1460 sack-perm timestamp
+
+ ct state invalid counter drop
+
+ # make ns2 unreachable w.o. tcp synproxy
+ tcp flags syn counter drop
+ }
+}
+EOF
+if [ $? -ne 0 ]; then
+ echo "SKIP: Cannot add nft synproxy"
+ exit $ksft_skip
+fi
+
+ip netns exec $ns1 timeout 5 iperf3 -c 10.0.2.99 -n $((1 * 1024 * 1024)) > /dev/null
+
+if [ $? -ne 0 ]; then
+ echo "FAIL: iperf3 returned an error" 1>&2
+ ret=$?
+ ip netns exec $nsr nft list ruleset
+else
+ echo "PASS: synproxy connection successful"
+fi
+
+exit $ret
--
2.30.2
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net 2/6] netfilter: xt_socket: fix a typo in socket_mt_destroy()
2022-02-10 23:10 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 1/6] selftests: netfilter: add synproxy test Pablo Neira Ayuso
@ 2022-02-10 23:10 ` Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 3/6] selftests: netfilter: fix exit value for nft_concat_range Pablo Neira Ayuso
` (3 subsequent siblings)
5 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-10 23:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Eric Dumazet <edumazet@google.com>
Calling nf_defrag_ipv4_disable() instead of nf_defrag_ipv6_disable()
was probably not the intent.
I found this by code inspection, while chasing a possible issue in TPROXY.
Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 5e6459e11605..662e5eb1cc39 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -221,7 +221,7 @@ static void socket_mt_destroy(const struct xt_mtdtor_param *par)
if (par->family == NFPROTO_IPV4)
nf_defrag_ipv4_disable(par->net);
else if (par->family == NFPROTO_IPV6)
- nf_defrag_ipv4_disable(par->net);
+ nf_defrag_ipv6_disable(par->net);
}
static struct xt_match socket_mt_reg[] __read_mostly = {
--
2.30.2
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net 3/6] selftests: netfilter: fix exit value for nft_concat_range
2022-02-10 23:10 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 1/6] selftests: netfilter: add synproxy test Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 2/6] netfilter: xt_socket: fix a typo in socket_mt_destroy() Pablo Neira Ayuso
@ 2022-02-10 23:10 ` Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 4/6] netfilter: nft_synproxy: unregister hooks on init error path Pablo Neira Ayuso
` (2 subsequent siblings)
5 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-10 23:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Hangbin Liu <liuhangbin@gmail.com>
When the nft_concat_range test failed, it exit 1 in the code
specifically.
But when part of, or all of the test passed, it will failed the
[ ${passed} -eq 0 ] check and thus exit with 1, which is the same
exit value with failure result. Fix it by exit 0 when passed is not 0.
Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tools/testing/selftests/netfilter/nft_concat_range.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/netfilter/nft_concat_range.sh b/tools/testing/selftests/netfilter/nft_concat_range.sh
index df322e47a54f..b35010cc7f6a 100755
--- a/tools/testing/selftests/netfilter/nft_concat_range.sh
+++ b/tools/testing/selftests/netfilter/nft_concat_range.sh
@@ -1601,4 +1601,4 @@ for name in ${TESTS}; do
done
done
-[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP}
+[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP} || exit 0
--
2.30.2
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net 4/6] netfilter: nft_synproxy: unregister hooks on init error path
2022-02-10 23:10 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2022-02-10 23:10 ` [PATCH net 3/6] selftests: netfilter: fix exit value for nft_concat_range Pablo Neira Ayuso
@ 2022-02-10 23:10 ` Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 5/6] selftests: netfilter: synproxy test requires nf_conntrack Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 6/6] selftests: netfilter: disable rp_filter on router Pablo Neira Ayuso
5 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-10 23:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Disable the IPv4 hooks if the IPv6 hooks fail to be registered.
Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_synproxy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
index a0109fa1e92d..1133e06f3c40 100644
--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -191,8 +191,10 @@ static int nft_synproxy_do_init(const struct nft_ctx *ctx,
if (err)
goto nf_ct_failure;
err = nf_synproxy_ipv6_init(snet, ctx->net);
- if (err)
+ if (err) {
+ nf_synproxy_ipv4_fini(snet, ctx->net);
goto nf_ct_failure;
+ }
break;
}
--
2.30.2
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net 5/6] selftests: netfilter: synproxy test requires nf_conntrack
2022-02-10 23:10 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2022-02-10 23:10 ` [PATCH net 4/6] netfilter: nft_synproxy: unregister hooks on init error path Pablo Neira Ayuso
@ 2022-02-10 23:10 ` Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 6/6] selftests: netfilter: disable rp_filter on router Pablo Neira Ayuso
5 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-10 23:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Otherwise, this test does not find the sysctl entry in place:
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_loose: No such file or directory
iperf3: error - unable to send control message: Bad file descriptor
FAIL: iperf3 returned an error
Fixes: 7152303cbec4 ("selftests: netfilter: add synproxy test")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tools/testing/selftests/netfilter/nft_synproxy.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/testing/selftests/netfilter/nft_synproxy.sh b/tools/testing/selftests/netfilter/nft_synproxy.sh
index 09bb95c87198..b62933b680d6 100755
--- a/tools/testing/selftests/netfilter/nft_synproxy.sh
+++ b/tools/testing/selftests/netfilter/nft_synproxy.sh
@@ -23,6 +23,8 @@ checktool "ip -Version" "run test without ip tool"
checktool "iperf3 --version" "run test without iperf3"
checktool "ip netns add $nsr" "create net namespace"
+modprobe -q nf_conntrack
+
ip netns add $ns1
ip netns add $ns2
--
2.30.2
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH net 6/6] selftests: netfilter: disable rp_filter on router
2022-02-10 23:10 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2022-02-10 23:10 ` [PATCH net 5/6] selftests: netfilter: synproxy test requires nf_conntrack Pablo Neira Ayuso
@ 2022-02-10 23:10 ` Pablo Neira Ayuso
5 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-10 23:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Hangbin Liu <liuhangbin@gmail.com>
Some distros may enable rp_filter by default. After ns1 change addr to
10.0.2.99 and set default router to 10.0.2.1, while the connected router
address is still 10.0.1.1. The router will not reply the arp request
from ns1. Fix it by setting the router's veth0 rp_filter to 0.
Before the fix:
# ./nft_fib.sh
PASS: fib expression did not cause unwanted packet drops
Netns nsrouter-HQkDORO2 fib counter doesn't match expected packet count of 1 for 1.1.1.1
table inet filter {
chain prerouting {
type filter hook prerouting priority filter; policy accept;
ip daddr 1.1.1.1 fib saddr . iif oif missing counter packets 0 bytes 0 drop
ip6 daddr 1c3::c01d fib saddr . iif oif missing counter packets 0 bytes 0 drop
}
}
After the fix:
# ./nft_fib.sh
PASS: fib expression did not cause unwanted packet drops
PASS: fib expression did drop packets for 1.1.1.1
PASS: fib expression did drop packets for 1c3::c01d
Fixes: 82944421243e ("selftests: netfilter: add fib test case")
Signed-off-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tools/testing/selftests/netfilter/nft_fib.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/netfilter/nft_fib.sh b/tools/testing/selftests/netfilter/nft_fib.sh
index 6caf6ac8c285..695a1958723f 100755
--- a/tools/testing/selftests/netfilter/nft_fib.sh
+++ b/tools/testing/selftests/netfilter/nft_fib.sh
@@ -174,6 +174,7 @@ test_ping() {
ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
+ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null
sleep 3
--
2.30.2
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH net 1/6] selftests: netfilter: add synproxy test
2022-02-10 23:10 ` [PATCH net 1/6] selftests: netfilter: add synproxy test Pablo Neira Ayuso
@ 2022-02-11 12:10 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 17+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-02-11 12:10 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Fri, 11 Feb 2022 00:10:16 +0100 you wrote:
> From: Florian Westphal <fw@strlen.de>
>
> Simple test for synproxy feature, iperf3 should be intercepted
> by synproxy netns, but connection should still succeed.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>
> [...]
Here is the summary with links:
- [net,1/6] selftests: netfilter: add synproxy test
https://git.kernel.org/netdev/net/c/7152303cbec4
- [net,2/6] netfilter: xt_socket: fix a typo in socket_mt_destroy()
https://git.kernel.org/netdev/net/c/75063c9294fb
- [net,3/6] selftests: netfilter: fix exit value for nft_concat_range
https://git.kernel.org/netdev/net/c/2e71ec1a725a
- [net,4/6] netfilter: nft_synproxy: unregister hooks on init error path
https://git.kernel.org/netdev/net/c/2b4e5fb4d377
- [net,5/6] selftests: netfilter: synproxy test requires nf_conntrack
https://git.kernel.org/netdev/net/c/249749c88906
- [net,6/6] selftests: netfilter: disable rp_filter on router
https://git.kernel.org/netdev/net/c/bbe4c0896d25
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 0/6] Netfilter fixes for net
@ 2024-04-04 10:43 Pablo Neira Ayuso
0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2024-04-04 10:43 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
Patch #1 unlike early commit path stage which triggers a call to abort,
an explicit release of the batch is required on abort, otherwise
mutex is released and commit_list remains in place.
Patch #2 release mutex after nft_gc_seq_end() in commit path, otherwise
async GC worker could collect expired objects.
Patch #3 flush pending destroy work in module removal path, otherwise UaF
is possible.
Patch #4 and #6 restrict the table dormant flag with basechain updates
to fix state inconsistency in the hook registration.
Patch #5 adds missing RCU read side lock to flowtable type to avoid races
with module removal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-04
Thanks.
----------------------------------------------------------------
The following changes since commit 72076fc9fe60b9143cd971fd8737718719bc512e:
Revert "tg3: Remove residual error handling in tg3_suspend" (2024-04-04 10:51:01 +0200)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-04
for you to fetch changes up to 1bc83a019bbe268be3526406245ec28c2458a518:
netfilter: nf_tables: discard table flag update with pending basechain deletion (2024-04-04 11:38:35 +0200)
----------------------------------------------------------------
netfilter pull request 24-04-04
----------------------------------------------------------------
Pablo Neira Ayuso (5):
netfilter: nf_tables: release batch on table validation from abort path
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
netfilter: nf_tables: flush pending destroy work before exit_net release
netfilter: nf_tables: reject new basechain after table flag update
netfilter: nf_tables: discard table flag update with pending basechain deletion
Ziyang Xuan (1):
netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
net/netfilter/nf_tables_api.c | 50 +++++++++++++++++++++++++++++--------------
1 file changed, 34 insertions(+), 16 deletions(-)
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 0/6] Netfilter fixes for net
@ 2024-01-31 22:59 Pablo Neira Ayuso
0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2024-01-31 22:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
1) TCP conntrack now only evaluates window negotiation for packets in
the REPLY direction, from Ryan Schaefer. Otherwise SYN retransmissions
trigger incorrect window scale negotiation. From Ryan Schaefer.
2) Restrict tunnel objects to NFPROTO_NETDEV which is where it makes sense
to use this object type.
3) Fix conntrack pick up from the middle of SCTP_CID_SHUTDOWN_ACK packets.
From Xin Long.
4) Another attempt from Jozsef Kadlecsik to address the slow down of the
swap command in ipset.
5) Replace a BUG_ON by WARN_ON_ONCE in nf_log, and consolidate check for
the case that the logger is NULL from the read side lock section.
6) Address lack of sanitization for custom expectations. Restrict layer 3
and 4 families to what it is supported by userspace.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-31
Thanks.
----------------------------------------------------------------
The following changes since commit a2933a8759a62269754e54733d993b19de870e84:
selftests: bonding: do not test arp/ns target with mode balance-alb/tlb (2024-01-25 09:50:54 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-01-31
for you to fetch changes up to 8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4:
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations (2024-01-31 23:14:14 +0100)
----------------------------------------------------------------
netfilter pull request 24-01-31
----------------------------------------------------------------
Jozsef Kadlecsik (1):
netfilter: ipset: fix performance regression in swap operation
Pablo Neira Ayuso (3):
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
Ryan Schaefer (1):
netfilter: conntrack: correct window scaling with retransmitted SYN
Xin Long (1):
netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new
include/linux/netfilter/ipset/ip_set.h | 4 ++++
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/ipset/ip_set_bitmap_gen.h | 14 ++++++++++---
net/netfilter/ipset/ip_set_core.c | 37 +++++++++++++++++++++++++--------
net/netfilter/ipset/ip_set_hash_gen.h | 15 ++++++++++---
net/netfilter/ipset/ip_set_list_set.c | 13 +++++++++---
net/netfilter/nf_conntrack_proto_sctp.c | 2 +-
net/netfilter/nf_conntrack_proto_tcp.c | 10 +++++----
net/netfilter/nf_log.c | 7 ++++---
net/netfilter/nf_tables_api.c | 14 ++++++++-----
net/netfilter/nft_ct.c | 24 +++++++++++++++++++++
net/netfilter/nft_tunnel.c | 1 +
12 files changed, 112 insertions(+), 31 deletions(-)
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 0/6] Netfilter fixes for net
@ 2024-01-24 19:12 Pablo Neira Ayuso
0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2024-01-24 19:12 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
1) Update nf_tables kdoc to keep it in sync with the code, from George Guo.
2) Handle NETDEV_UNREGISTER event for inet/ingress basechain.
3) Reject configuration that cause nft_limit to overflow, from Florian Westphal.
4) Restrict anonymous set/map names to 16 bytes, from Florian Westphal.
5) Disallow to encode queue number and error in verdicts. This reverts
a patch which seems to have introduced an early attempt to support for
nfqueue maps, which is these days supported via nft_queue expression.
6) Sanitize family via .validate for expressions that explicitly refer
to NF_INET_* hooks.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-24
Thanks.
----------------------------------------------------------------
The following changes since commit 32f2a0afa95fae0d1ceec2ff06e0e816939964b8:
net/sched: flower: Fix chain template offload (2024-01-24 01:33:59 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-01-24
for you to fetch changes up to d0009effa8862c20a13af4cb7475d9771b905693:
netfilter: nf_tables: validate NFPROTO_* family (2024-01-24 20:02:40 +0100)
----------------------------------------------------------------
netfilter pull request 24-01-24
----------------------------------------------------------------
Florian Westphal (3):
netfilter: nft_limit: reject configurations that cause integer overflow
netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
George Guo (1):
netfilter: nf_tables: cleanup documentation
Pablo Neira Ayuso (2):
netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
netfilter: nf_tables: validate NFPROTO_* family
include/net/netfilter/nf_tables.h | 49 +++++++++++++++++++++++++++++++--------
net/netfilter/nf_tables_api.c | 20 ++++++++--------
net/netfilter/nft_chain_filter.c | 11 +++++++--
net/netfilter/nft_compat.c | 12 ++++++++++
net/netfilter/nft_flow_offload.c | 5 ++++
net/netfilter/nft_limit.c | 23 ++++++++++++------
net/netfilter/nft_nat.c | 5 ++++
net/netfilter/nft_rt.c | 5 ++++
net/netfilter/nft_socket.c | 5 ++++
net/netfilter/nft_synproxy.c | 7 ++++--
net/netfilter/nft_tproxy.c | 5 ++++
net/netfilter/nft_xfrm.c | 5 ++++
12 files changed, 121 insertions(+), 31 deletions(-)
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 0/6] Netfilter fixes for net
@ 2023-12-06 18:03 Pablo Neira Ayuso
0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2023-12-06 18:03 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
1) Incorrect nf_defrag registration for bpf link infra, from D. Wythe.
2) Skip inactive elements in pipapo set backend walk to avoid double
deactivation, from Florian Westphal.
3) Fix NFT_*_F_PRESENT check with big endian arch, also from Florian.
4) Bail out if number of expressions in NFTA_DYNSET_EXPRESSIONS mismatch
stateful expressions in set declaration.
5) Honor family in table lookup by handle. Broken since 4.16.
6) Use sk_callback_lock to protect access to sk->sk_socket in xt_owner.
sock_orphan() might zap this pointer, from Phil Sutter.
All of these fixes address broken stuff for several releases.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-12-06
Thanks.
----------------------------------------------------------------
The following changes since commit 54d4434da824460a190d547404530eff12a7907d:
Merge branch 'hv_netvsc-fix-race-of-netvsc-vf-register-and-slave-bit' (2023-11-21 13:15:05 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-12-06
for you to fetch changes up to 7ae836a3d630e146b732fe8ef7d86b243748751f:
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket (2023-12-06 17:52:15 +0100)
----------------------------------------------------------------
netfilter pull request 23-12-06
----------------------------------------------------------------
D. Wythe (1):
netfilter: bpf: fix bad registration on nf_defrag
Florian Westphal (2):
netfilter: nft_set_pipapo: skip inactive elements during set walk
netfilter: nf_tables: fix 'exist' matching on bigendian arches
Pablo Neira Ayuso (2):
netfilter: nf_tables: bail out on mismatching dynset and set expressions
netfilter: nf_tables: validate family when identifying table via handle
Phil Sutter (1):
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
net/netfilter/nf_bpf_link.c | 10 +++++-----
net/netfilter/nf_tables_api.c | 5 +++--
net/netfilter/nft_dynset.c | 13 +++++++++----
net/netfilter/nft_exthdr.c | 4 ++--
net/netfilter/nft_fib.c | 8 ++++++--
net/netfilter/nft_set_pipapo.c | 3 +++
net/netfilter/xt_owner.c | 16 ++++++++++++----
7 files changed, 40 insertions(+), 19 deletions(-)
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 0/6] Netfilter fixes for net
@ 2023-11-15 18:45 Pablo Neira Ayuso
0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2023-11-15 18:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
1) Remove unused variable causing compilation warning in nft_set_rbtree,
from Yang Li. This unused variable is a left over from previous
merge window.
2) Possible return of uninitialized in nf_conntrack_bridge, from
Linkui Xiao. This is there since nf_conntrack_bridge is available.
3) Fix incorrect pointer math in nft_byteorder, from Dan Carpenter.
Problem has been there since 2016.
4) Fix bogus error in destroy set element command. Problem is there
since this new destroy command was added.
5) Fix race condition in ipset between swap and destroy commands and
add/del/test control plane. This problem is there since ipset was
merged.
6) Split async and sync catchall GC in two function to fix unsafe
iteration over RCU. This is a fix-for-fix that was included in
the previous pull request.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-11-15
Thanks.
----------------------------------------------------------------
The following changes since commit 4b7b492615cf3017190f55444f7016812b66611d:
af_unix: fix use-after-free in unix_stream_read_actor() (2023-11-14 10:51:13 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-11-15
for you to fetch changes up to 8837ba3e58ea1e3d09ae36db80b1e80853aada95:
netfilter: nf_tables: split async and sync catchall in two functions (2023-11-14 16:16:21 +0100)
----------------------------------------------------------------
netfilter pull request 23-11-15
----------------------------------------------------------------
Dan Carpenter (1):
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
Jozsef Kadlecsik (1):
netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
Linkui Xiao (1):
netfilter: nf_conntrack_bridge: initialize err to 0
Pablo Neira Ayuso (2):
netfilter: nf_tables: bogus ENOENT when destroying element which does not exist
netfilter: nf_tables: split async and sync catchall in two functions
Yang Li (1):
netfilter: nft_set_rbtree: Remove unused variable nft_net
include/net/netfilter/nf_tables.h | 4 +-
net/bridge/netfilter/nf_conntrack_bridge.c | 2 +-
net/netfilter/ipset/ip_set_core.c | 14 +++----
net/netfilter/nf_tables_api.c | 60 ++++++++++++++++--------------
net/netfilter/nft_byteorder.c | 5 ++-
net/netfilter/nft_meta.c | 2 +-
net/netfilter/nft_set_rbtree.c | 2 -
7 files changed, 47 insertions(+), 42 deletions(-)
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 0/6] Netfilter fixes for net
@ 2023-07-05 23:04 Pablo Neira Ayuso
0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2023-07-05 23:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix missing overflow use refcount checks in nf_tables.
2) Do not set IPS_ASSURED for IPS_NAT_CLASH entries in GRE tracker,
from Florian Westphal.
3) Bail out if nf_ct_helper_hash is NULL before registering helper,
from Florent Revest.
4) Use siphash() instead siphash_4u64() to fix performance regression,
also from Florian.
5) Do not allow to add rules to removed chains via ID,
from Thadeu Lima de Souza Cascardo.
6) Fix oob read access in byteorder expression, also from Thadeu.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-07-06
Thanks.
----------------------------------------------------------------
The following changes since commit c451410ca7e3d8eeb31d141fc20c200e21754ba4:
Merge branch 'mptcp-fixes' (2023-07-05 10:51:14 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-07-06
for you to fetch changes up to caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd:
netfilter: nf_tables: prevent OOB access in nft_byteorder_eval (2023-07-06 00:53:14 +0200)
----------------------------------------------------------------
netfilter pull request 23-07-06
----------------------------------------------------------------
Florent Revest (1):
netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
Florian Westphal (2):
netfilter: conntrack: gre: don't set assured flag for clash entries
netfilter: conntrack: don't fold port numbers into addresses before hashing
Pablo Neira Ayuso (1):
netfilter: nf_tables: report use refcount overflow
Thadeu Lima de Souza Cascardo (2):
netfilter: nf_tables: do not ignore genmask when looking up chain by id
netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
include/net/netfilter/nf_conntrack_tuple.h | 3 +
include/net/netfilter/nf_tables.h | 31 ++++-
net/netfilter/nf_conntrack_core.c | 20 ++--
net/netfilter/nf_conntrack_helper.c | 4 +
net/netfilter/nf_conntrack_proto_gre.c | 10 +-
net/netfilter/nf_tables_api.c | 174 ++++++++++++++++++-----------
net/netfilter/nft_byteorder.c | 14 +--
net/netfilter/nft_flow_offload.c | 6 +-
net/netfilter/nft_immediate.c | 8 +-
net/netfilter/nft_objref.c | 8 +-
10 files changed, 178 insertions(+), 100 deletions(-)
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 0/6] Netfilter fixes for net
@ 2023-06-27 6:52 Pablo Neira Ayuso
0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2023-06-27 6:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Reset shift on Boyer-Moore string match for each block,
from Jeremy Sowden.
2) Fix acccess to non-linear area in DCCP conntrack helper,
from Florian Westphal.
3) Fix kernel-doc warnings, by Randy Dunlap.
4) Bail out if expires= does not show in SIP helper message,
or make ct_sip_parse_numerical_param() tristate and report
error if expires= cannot be parsed.
5) Unbind non-anonymous set in case rule construction fails.
6) Fix underflow in chain reference counter in case set element
already exists or it cannot be created.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-06-27
Thanks.
----------------------------------------------------------------
The following changes since commit 6709d4b7bc2e079241fdef15d1160581c5261c10:
net: nfc: Fix use-after-free caused by nfc_llcp_find_local (2023-06-26 10:57:23 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-06-27
for you to fetch changes up to b389139f12f287b8ed2e2628b72df89a081f0b59:
netfilter: nf_tables: fix underflow in chain reference counter (2023-06-26 17:18:55 +0200)
----------------------------------------------------------------
netfilter pull request 23-06-27
----------------------------------------------------------------
Florian Westphal (1):
netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one
Ilia.Gavrilov (1):
netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value.
Jeremy Sowden (1):
lib/ts_bm: reset initial match offset for every block of text
Pablo Neira Ayuso (2):
netfilter: nf_tables: unbind non-anonymous set if rule construction fails
netfilter: nf_tables: fix underflow in chain reference counter
Randy Dunlap (1):
linux/netfilter.h: fix kernel-doc warnings
include/linux/netfilter.h | 4 +--
lib/ts_bm.c | 4 ++-
net/netfilter/nf_conntrack_proto_dccp.c | 52 +++++++++++++++++++++++++++++++--
net/netfilter/nf_conntrack_sip.c | 2 +-
net/netfilter/nf_tables_api.c | 6 +++-
5 files changed, 60 insertions(+), 8 deletions(-)
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 0/6] Netfilter fixes for net
@ 2022-02-04 15:18 Pablo Neira Ayuso
0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2022-02-04 15:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Don't refresh timeout for SCTP flows in CLOSED state.
2) Don't allow access to transport header if fragment offset is set on.
3) Reinitialize internal conntrack state for retransmitted TCP
syn-ack packet.
4) Update MAINTAINER file to add the Netfilter group tree. Moving
forward, Florian Westphal has access to this tree so he can also
send pull requests.
5) Set on IPS_HELPER for entries created via ctnetlink, otherwise NAT
might zap it.
All patches from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit ed14fc7a79ab43e9f2cb1fa9c1733fdc133bba30:
net: sparx5: Fix get_stat64 crash in tcpdump (2022-02-03 19:01:15 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to d1ca60efc53d665cf89ed847a14a510a81770b81:
netfilter: ctnetlink: disable helper autoassign (2022-02-04 05:39:57 +0100)
----------------------------------------------------------------
Florian Westphal (6):
netfilter: conntrack: don't refresh sctp entries in closed state
netfilter: nft_payload: don't allow th access for fragments
netfilter: conntrack: move synack init code to helper
netfilter: conntrack: re-init state for retransmitted syn-ack
MAINTAINERS: netfilter: update git links
netfilter: ctnetlink: disable helper autoassign
MAINTAINERS | 4 +-
include/uapi/linux/netfilter/nf_conntrack_common.h | 2 +-
net/netfilter/nf_conntrack_netlink.c | 3 +-
net/netfilter/nf_conntrack_proto_sctp.c | 9 ++++
net/netfilter/nf_conntrack_proto_tcp.c | 59 +++++++++++++++-------
net/netfilter/nft_exthdr.c | 2 +-
net/netfilter/nft_payload.c | 9 ++--
7 files changed, 61 insertions(+), 27 deletions(-)
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH net 0/6] Netfilter fixes for net
@ 2021-07-23 15:54 Pablo Neira Ayuso
0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-23 15:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Memleak in commit audit error path, from Dongliang Mu.
2) Avoid possible false sharing for flowtable timeout updates
and nft_last use.
3) Adjust conntrack timestamp due to garbage collection delay,
from Florian Westphal.
4) Fix nft_nat without layer 3 address for the inet family.
5) Fix compilation warning in nfnl_hook when ingress support
is disabled, from Arnd Bergmann.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba:
net: decnet: Fix sleeping inside in af_decnet (2021-07-16 14:06:16 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 217e26bd87b2930856726b48a4e71c768b8c9bf5:
netfilter: nfnl_hook: fix unused variable warning (2021-07-23 14:45:03 +0200)
----------------------------------------------------------------
Arnd Bergmann (1):
netfilter: nfnl_hook: fix unused variable warning
Dongliang Mu (1):
netfilter: nf_tables: fix audit memory leak in nf_tables_commit
Florian Westphal (1):
netfilter: conntrack: adjust stop timestamp to real expiry value
Pablo Neira Ayuso (3):
netfilter: flowtable: avoid possible false sharing
netfilter: nft_last: avoid possible false sharing
netfilter: nft_nat: allow to specify layer 4 protocol NAT only
net/netfilter/nf_conntrack_core.c | 7 ++++++-
net/netfilter/nf_flow_table_core.c | 6 +++++-
net/netfilter/nf_tables_api.c | 12 ++++++++++++
net/netfilter/nfnetlink_hook.c | 2 ++
net/netfilter/nft_last.c | 20 +++++++++++++-------
net/netfilter/nft_nat.c | 4 +++-
6 files changed, 41 insertions(+), 10 deletions(-)
^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2024-04-04 10:43 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-10 23:10 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 1/6] selftests: netfilter: add synproxy test Pablo Neira Ayuso
2022-02-11 12:10 ` patchwork-bot+netdevbpf
2022-02-10 23:10 ` [PATCH net 2/6] netfilter: xt_socket: fix a typo in socket_mt_destroy() Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 3/6] selftests: netfilter: fix exit value for nft_concat_range Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 4/6] netfilter: nft_synproxy: unregister hooks on init error path Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 5/6] selftests: netfilter: synproxy test requires nf_conntrack Pablo Neira Ayuso
2022-02-10 23:10 ` [PATCH net 6/6] selftests: netfilter: disable rp_filter on router Pablo Neira Ayuso
-- strict thread matches above, loose matches on Subject: below --
2024-04-04 10:43 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
2024-01-31 22:59 Pablo Neira Ayuso
2024-01-24 19:12 Pablo Neira Ayuso
2023-12-06 18:03 Pablo Neira Ayuso
2023-11-15 18:45 Pablo Neira Ayuso
2023-07-05 23:04 Pablo Neira Ayuso
2023-06-27 6:52 Pablo Neira Ayuso
2022-02-04 15:18 Pablo Neira Ayuso
2021-07-23 15:54 Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).