From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com, fw@strlen.de
Subject: [PATCH net,v2 00/13] Netfilter fixes for net
Date: Thu, 18 Jan 2024 17:17:13 +0100
Message-ID: <20240118161726.14838-1-pablo@netfilter.org>

Hi,

The following batch contains Netfilter fixes for net. Slightly larger
than usual because this batch includes several patches to tighten the
nf_tables control plane to reject inconsistent configuration:

1) Restrict NFTA_SET_POLICY to NFT_SET_POL_PERFORMANCE and
   NFT_SET_POL_MEMORY.

2) Bail out if a nf_tables expression registers more than 16 netlink
   attributes, which is what struct nft_expr_info allows.

3) Bail out if NFT_EXPR_STATEFUL provides no .clone interface, remove
   existing fallback to memcpy() when cloning which might accidentally
   duplicate memory reference to the same object.

4) Fix br_netfilter interaction with neighbour layer. This requires
   three preparation patches:

   - Use nf_bridge_get_physinif() in nfnetlink_log
   - Use nf_bridge_info_exists() to check if br_netfilter context
     is available in nf_queue.
   - Pass net to nf_bridge_get_physindev()

   And finally, the fix which replaces physindev with physinif
   in nf_bridge_info.

   Patches from Pavel Tikhomirov.

5) Catch-all deactivation happens in the transaction, hence this
   oneliner to check for the next generation. This bug was uncovered after
   the removal of the _BUSY bit, which happened in set elements back in
   summer 2023.

6) Ensure set (total) key length size and concat field length description
   are consistent, otherwise bail out.

7) Skip set element with the _DEAD flag on from the netlink dump path.
   A test occasionally shows that the dump is mismatching because GC might
   lose the race to get rid of this element while a netlink dump is in
   progress.

8) Reject NFT_SET_CONCAT for field_count < 1.

9) Use IP6_INC_STATS in ipvs to fix preemption BUG splat, patch
   from Fedor Pchelkin.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-18

Thanks.

----------------------------------------------------------------

This is v2 without Jozsef's ipset patch.

----------------------------------------------------------------

The following changes since commit ea937f77208323d35ffe2f8d8fc81b00118bfcda:

  net: netdevsim: don't try to destroy PHC on VFs (2024-01-17 10:56:44 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-01-18

for you to fetch changes up to d6938c1c76c64f42363d0d1f051e1b4641c2ad40:

  ipvs: avoid stat macros calls from preemptible context (2024-01-17 12:02:51 +0100)

----------------------------------------------------------------
netfilter pull request 24-01-18

----------------------------------------------------------------
Fedor Pchelkin (1):
      ipvs: avoid stat macros calls from preemptible context

Pablo Neira Ayuso (8):
      netfilter: nf_tables: reject invalid set policy
      netfilter: nf_tables: validate .maxattr at expression registration
      netfilter: nf_tables: bail out if stateful expression provides no .clone
      netfilter: nft_limit: do not ignore unsupported flags
      netfilter: nf_tables: check if catch-all set element is active in next generation
      netfilter: nf_tables: do not allow mismatch field size and set key length
      netfilter: nf_tables: skip dead set elements in netlink dump
      netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description

Pavel Tikhomirov (4):
      netfilter: nfnetlink_log: use proper helper for fetching physinif
      netfilter: nf_queue: remove excess nf_bridge variable
      netfilter: propagate net to nf_bridge_get_physindev
      netfilter: bridge: replace physindev with physinif in nf_bridge_info

 include/linux/netfilter_bridge.h           |  6 ++--
 include/linux/skbuff.h                     |  2 +-
 net/bridge/br_netfilter_hooks.c            | 42 ++++++++++++++++++++++------
 net/bridge/br_netfilter_ipv6.c             | 14 +++++++---
 net/ipv4/netfilter/nf_reject_ipv4.c        |  9 ++++--
 net/ipv6/netfilter/nf_reject_ipv6.c        | 11 ++++++--
 net/netfilter/ipset/ip_set_hash_netiface.c |  8 +++---
 net/netfilter/ipvs/ip_vs_xmit.c            |  4 +--
 net/netfilter/nf_log_syslog.c              | 13 +++++----
 net/netfilter/nf_queue.c                   |  6 ++--
 net/netfilter/nf_tables_api.c              | 44 +++++++++++++++++++++---------
 net/netfilter/nfnetlink_log.c              |  8 +++---
 net/netfilter/nft_limit.c                  | 19 ++++++++-----
 net/netfilter/xt_physdev.c                 |  2 +-
 14 files changed, 125 insertions(+), 63 deletions(-)
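The cover letter describes, in items 1, 6 and 8, three control-plane consistency checks: a set policy must be one of two known values, a concatenated key must describe at least one field, and the field lengths must add up to the set's total key length. The following is an added stand-alone C model of those checks, written here for illustration; it is not the kernel's code from this pull request. The enum values, the `REG32_SIZE` padding granularity, the `MAX_FIELDS` bound and the function names are assumptions made for this example.

```c
/*
 * Constructed stand-alone model of the nf_tables control-plane checks
 * described in items 1, 6 and 8 of the cover letter. This is NOT the
 * kernel's code: the enum values, the round-up granularity, MAX_FIELDS
 * and the function names are assumptions made for illustration.
 */
#include <errno.h>
#include <stdio.h>

/* Assumed: stands in for NFT_SET_POL_PERFORMANCE / NFT_SET_POL_MEMORY,
 * the only two policies the control plane is meant to accept. */
enum set_policy {
	SET_POL_PERFORMANCE = 0,
	SET_POL_MEMORY      = 1,
};

#define REG32_SIZE 4u   /* assumed: each field is padded to a 32-bit register */
#define MAX_FIELDS 16u  /* constructed upper bound for this model */

static unsigned int round_up_u32(unsigned int len)
{
	return (len + REG32_SIZE - 1) & ~(REG32_SIZE - 1);
}

/* Item 1: reject any policy other than the two known ones. */
int validate_set_policy(unsigned int policy)
{
	switch (policy) {
	case SET_POL_PERFORMANCE:
	case SET_POL_MEMORY:
		return 0;
	default:
		return -EINVAL;
	}
}

/* Items 6 and 8: a concatenation must describe at least one field, and the
 * padded field lengths must add up exactly to the set's key length. */
int validate_concat_desc(unsigned int klen, const unsigned int *field_len,
			 unsigned int field_count)
{
	unsigned int i, total = 0;

	if (field_count < 1 || field_count > MAX_FIELDS)
		return -EINVAL;

	for (i = 0; i < field_count; i++) {
		if (field_len[i] == 0)
			return -EINVAL;
		total += round_up_u32(field_len[i]);
	}

	return total == klen ? 0 : -EINVAL;
}

/* Constructed description: IPv4 address (4 bytes) . port (2 bytes, padded to 4).
 * Validates it against a caller-supplied total key length. */
int demo_addr_port(unsigned int klen, unsigned int field_count)
{
	const unsigned int fields[] = { 4, 2 };

	return validate_concat_desc(klen, fields, field_count);
}

int main(void)
{
	printf("policy MEMORY  -> %d\n", validate_set_policy(SET_POL_MEMORY));
	printf("policy 7       -> %d\n", validate_set_policy(7));
	printf("addr.port/8    -> %d\n", demo_addr_port(8, 2)); /* consistent */
	printf("addr.port/6    -> %d\n", demo_addr_port(6, 2)); /* unpadded sum */
	printf("zero fields/8  -> %d\n", demo_addr_port(8, 0)); /* field_count < 1 */
	return 0;
}
```

The mismatched case shows why the padded sum matters: an unpadded 4+2 byte description looks consistent with a 6-byte key, but the register-aligned layout actually occupies 8 bytes, so a description that claims 6 must be rejected rather than silently accepted.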
