From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>, Jakub Kicinski <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Florian Westphal <fw@strlen.de>
Subject: [PATCH net 0/3] netfilter updates for net
Date: Tue, 26 Jul 2022 21:20:53 +0200	[thread overview]
Message-ID: <20220726192056.13497-1-fw@strlen.de> (raw)

Three late fixes for netfilter:

1) If nf_queue user requests packet truncation below size of l3 header,
   we corrupt the skb, then crash.  Reject such requests.

2) add cond_resched() calls when doing cycle detection in the
   nf_tables graph.  This avoids softlockup warning with certain
   rulesets.

3) Reject rulesets that use nftables 'queue' expression in family/chain
   combinations other than those that are supported.  Currently the ruleset
   will load, but when userspace attempts to reinject you get WARN splat +
   packet drops.

The following changes since commit 9b134b1694ec8926926ba6b7b80884ea829245a0:

  bridge: Do not send empty IFLA_AF_SPEC attribute (2022-07-26 15:35:53 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

for you to fetch changes up to 47f4f510ad586032b85c89a0773fbb011d412425:

  netfilter: nft_queue: only allow supported familes and hooks (2022-07-26 21:12:42 +0200)

----------------------------------------------------------------
Florian Westphal (3):
  netfilter: nf_queue: do not allow packet truncation below transport header offset
  netfilter: nf_tables: add rescheduling points during loop detection walks
  netfilter: nft_queue: only allow supported familes and hooks

 net/netfilter/nf_tables_api.c   |  6 ++++++
 net/netfilter/nfnetlink_queue.c |  7 ++++++-
 net/netfilter/nft_queue.c       | 27 +++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
-- 
2.35.1
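Worked example for fix 2 (rescheduling points during loop detection), added here as an illustration and not taken from the kernel's nf_tables code: a small userspace model of a depth-first walk over chain jumps that flags a jump leading back onto the current path as a loop, and that fires a "reschedule" callback after every few rule visits, which is what cond_resched() provides in the kernel so that a long walk over a large ruleset does not trip the softlockup watchdog. All names, the constructed rulesets and the visit budget are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the kernel's nf_tables code. All names are hypothetical. */

#define MAX_CHAINS    16
#define MAX_JUMPS      8
#define RESCHED_EVERY  2   /* constructed budget: yield after this many jump visits */

struct chain {
    const char *name;
    int njumps;
    int jump_to[MAX_JUMPS];   /* indices of chains this chain jumps to */
};

struct walk_state {
    unsigned char visited[MAX_CHAINS];  /* fully explored, proven loop-free */
    unsigned char onstack[MAX_CHAINS];  /* on the current DFS path */
    unsigned int  visits;               /* jumps examined so far */
    unsigned int  resched_calls;        /* how often the yield point fired */
};

/* Number of yield points hit by the most recent ruleset_has_loop() call. */
unsigned int last_resched_calls;

/* Stand-in for cond_resched(): a long walk must periodically give the CPU
 * back. Here the yield is only counted so the effect is observable. */
static void maybe_resched(struct walk_state *st)
{
    if (++st->visits % RESCHED_EVERY == 0)
        st->resched_calls++;
}

/* Returns 1 if following jumps from chain idx reaches a chain that is
 * already on the current path (a loop), 0 otherwise. */
static int walk_chain(const struct chain *chains, int idx, struct walk_state *st)
{
    if (st->onstack[idx])
        return 1;               /* back edge: the ruleset loops */
    if (st->visited[idx])
        return 0;               /* already proven loop-free */

    st->onstack[idx] = 1;
    for (int i = 0; i < chains[idx].njumps; i++) {
        maybe_resched(st);      /* rescheduling point inside the walk */
        if (walk_chain(chains, chains[idx].jump_to[i], st))
            return 1;
    }
    st->onstack[idx] = 0;
    st->visited[idx] = 1;
    return 0;
}

/* Validate a ruleset by walking all jumps reachable from 'start'. */
int ruleset_has_loop(const struct chain *chains, int start)
{
    struct walk_state st;
    memset(&st, 0, sizeof(st));
    int loop = walk_chain(chains, start, &st);
    last_resched_calls = st.resched_calls;
    return loop;
}

/* Constructed ruleset: input -> a -> b and input -> c, no loop. */
int example_acyclic(void)
{
    struct chain chains[4] = {
        { "input", 2, {1, 3} }, { "a", 1, {2} }, { "b", 0, {0} }, { "c", 0, {0} },
    };
    return ruleset_has_loop(chains, 0);
}

/* Constructed ruleset: input -> a -> b -> a, which loops. */
int example_cyclic(void)
{
    struct chain chains[3] = {
        { "input", 1, {1} }, { "a", 1, {2} }, { "b", 1, {1} },
    };
    return ruleset_has_loop(chains, 0);
}

/* Constructed ruleset: 12 chains in a straight line, many visits, no loop. */
int example_long_chain(void)
{
    struct chain chains[12];
    for (int i = 0; i < 12; i++) {
        chains[i].name = "c";
        chains[i].njumps = (i < 11) ? 1 : 0;
        chains[i].jump_to[0] = i + 1;
    }
    return ruleset_has_loop(chains, 0);
}

int main(void)
{
    printf("acyclic: loop=%d resched=%u\n", example_acyclic(), last_resched_calls);
    printf("cyclic:  loop=%d resched=%u\n", example_cyclic(), last_resched_calls);
    printf("long:    loop=%d resched=%u\n", example_long_chain(), last_resched_calls);
    return 0;
}
```

The point the example makes is that the yield has to live inside the walk itself: the number of jump visits grows with the ruleset, and a validation pass that never yields before it finishes is exactly what produces a softlockup warning on a large graph.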
