Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Don't pick fixed hash implementation for NFT_SET_EVAL sets, otherwise
   userspace hits EOPNOTSUPP with valid rules using the meter statement,
   from Florian Westphal.

2) If you send a batch that flushes the existing ruleset (that contains
   a NAT chain) and the new ruleset definition comes with a new NAT
   chain, don't bogusly hit EBUSY. Also from Florian.

3) Missing netlink policy attribute validation, from Florian.

4) Detach conntrack template from skbuff if IP_NODEFRAG is set on,
   from Paolo Abeni.

5) Cache device names in flowtable object, otherwise we may end up
   walking over devices going away given no rtnl_lock is held.

6) Fix incorrect net_device ingress with ingress hooks.

7) Fix crash when trying to read more data than available in UDP
   packets from the nf_socket infrastructure, from Subash.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 36fe095606f881e6a3c7f9283c986aec6083f3e6:

  Merge branch 'phy-relax-error-checking' (2018-03-19 21:14:27 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 32c1733f0dd4bd11d6e65512bf4dc337c0452c8e:

  netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6} (2018-03-24 21:17:14 +0100)

----------------------------------------------------------------
Florian Westphal (3):
      netfilter: nf_tables: meter: pick a set backend that supports updates
      netfilter: nf_tables: permit second nat hook if colliding hook is going away
      netfilter: nf_tables: add missing netlink attrs to policies

Pablo Neira Ayuso (2):
      netfilter: nf_tables: cache device name in flowtable object
      netfilter: nf_tables: do not hold reference on netdevice from preparation phase

Paolo Abeni (1):
      netfilter: drop template ct when conntrack is skipped.

Subash Abhinov Kasiviswanathan (1):
      netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}

 include/net/netfilter/nf_tables.h              |   4 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  14 +++-
 net/ipv4/netfilter/nf_socket_ipv4.c            |   6 +-
 net/ipv6/netfilter/nf_socket_ipv6.c            |   6 +-
 net/netfilter/nf_tables_api.c                  | 106 +++++++++++++++++++------
 net/netfilter/nft_set_hash.c                   |   2 +-
 6 files changed, 109 insertions(+), 29 deletions(-)