Re: [PATCH 00/11] Netfilter fixes for net
From: Pablo Neira Ayuso
Date: Wed, 7 Feb 2018 18:42:18 +0100

> The following patchset contains Netfilter fixes for your net tree, they
> are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

> P.S: Again more fixes cooking on netfilter-de...@vger.kernel.org, so
> another round is likely coming up soon.

Ok, no problem.
[PATCH 00/11] Netfilter fixes for net
Hi David,

The following patchset contains Netfilter fixes for your net tree, they are:

1) Restore __GFP_NORETRY in xt_table allocations to mitigate the effects of large memory allocation requests, from Michal Hocko.

2) Release the IPv6 fragment queue in case of error in the fragmentation header; this is a follow-up to amend patch 83f1999caeb1, from Subash Abhinov Kasiviswanathan.

3) The flowtable infrastructure depends on NETFILTER_INGRESS, as it registers a hook for each flowtable, reported by John Crispin.

4) Missing initialization of info->priv in xt_cgroup version 1, from Cong Wang.

5) Give the garbage collector a chance to run after scheduling flowtable cleanup.

6) Releasing flowtable content on nft_flow_offload module removal is not required at all; there are no dependencies between this module and flowtables, so remove it.

7) Fix missing xt_rateest_mutex grabbing for hash insertions, also from Cong Wang.

8) Move the nf_flow_table_cleanup() routine to the flowtable core; this patch is a dependency for the next patch in this list.

9) Flowtable resources are not properly released on removal from the control plane. Fix this resource leak by scheduling removal of all entries and an explicit call to the garbage collector.

10) The nf_ct_nat_offset() declaration is dead code; this function prototype is not used anywhere, so remove it. From Taehee Yoo.

11) Fix another flowtable resource leak on entry insertion failures; this patch also fixes a possible use-after-free. Patch from Felix Fietkau.

You can pull these changes from:

git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

P.S: Again more fixes cooking on netfilter-de...@vger.kernel.org, so another round is likely coming up soon.
The following changes since commit 743efac1c670c6618742c923f6275d819604:

  net: pxa168_eth: add netconsole support (2018-02-01 14:58:37 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 0ff90b6c20340e57616a51ae1a1bf18156d6638a:

  netfilter: nf_flow_offload: fix use-after-free and a resource leak (2018-02-07 11:55:52 +0100)

----------------------------------------------------------------
Cong Wang (2):
      netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1()
      netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert

Felix Fietkau (1):
      netfilter: nf_flow_offload: fix use-after-free and a resource leak

Michal Hocko (1):
      netfilter: x_tables: make allocation less aggressive

Pablo Neira Ayuso (5):
      netfilter: flowtable infrastructure depends on NETFILTER_INGRESS
      netfilter: nft_flow_offload: wait for garbage collector to run after cleanup
      netfilter: nft_flow_offload: no need to flush entries on module removal
      netfilter: nft_flow_offload: move flowtable cleanup routines to nf_flow_table
      netfilter: nf_tables: fix flowtable free

Subash Abhinov Kasiviswanathan (1):
      netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure

Taehee Yoo (1):
      netfilter: remove useless prototype

 include/net/netfilter/nf_conntrack.h    |  5 ---
 include/net/netfilter/nf_flow_table.h   |  6 ++-
 net/ipv4/netfilter/Kconfig              |  3 +-
 net/ipv4/netfilter/nf_flow_table_ipv4.c |  1 +
 net/ipv6/netfilter/Kconfig              |  3 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c |  1 +
 net/ipv6/netfilter/nf_flow_table_ipv6.c |  1 +
 net/netfilter/Kconfig                   |  8 ++--
 net/netfilter/nf_flow_table.c           | 76 ++---
 net/netfilter/nf_flow_table_inet.c      |  1 +
 net/netfilter/nf_tables_api.c           | 17 +++-
 net/netfilter/nft_flow_offload.c        | 24 +--
 net/netfilter/x_tables.c                |  7 ++-
 net/netfilter/xt_RATEEST.c              | 22 +++---
 net/netfilter/xt_cgroup.c               |  1 +
 15 files changed, 97 insertions(+), 79 deletions(-)
Re: [PATCH 00/11] Netfilter fixes for net
From: Pablo Neira Ayuso
Date: Wed, 30 Nov 2016 22:57:14 +0100

> This is a large batch of Netfilter fixes for net, they are:
...
> I know it is late but I think these are important, specifically the NAT
> bits, as they are mostly addressing fallout from recent changes. I also
> read there are chances to have -rc8; if that is the case, that would
> also give us a bit more time to test this.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.
[PATCH 00/11] Netfilter fixes for net
Hi David,

This is a large batch of Netfilter fixes for net, they are:

1) Three patches to fix the NAT conversion to rhashtable: Switch to the rhlist structure that allows having several objects with the same key. Moreover, fix wrong comparison logic in nf_nat_bysource_cmp(), as this is expecting a return value similar to memcmp(). Change the location of the nat_bysource field in the nf_conn structure to avoid zeroing it, as it breaks interaction with SLAB_DESTROY_BY_RCU and leads us to crashes. From Florian Westphal.

2) Don't allow malformed fragments to go through in IPv6, drop them, otherwise we hit a GPF; patch from Florian Westphal.

3) Fix crash if attributes are missing in nft_range, from Liping Zhang.

4) Fix arptables 32-bit userspace / 64-bit kernel compat, from Hongxu Jia.

5) Two patches from David Ahern to fix netfilter interaction with vrf. From David Ahern.

6) Fix element timeout calculation in nf_tables: we take milliseconds from userspace, but we use jiffies in kernelspace. Patch from Anders K. Pedersen.

7) Missing validation of the netlink attribute length for nft_hash, from Laura Garcia.

8) Fix nf_conntrack_helper documentation; we haven't defaulted to off for a while now, so let's get this in sync with the code.

I know it is late but I think these are important, specifically the NAT bits, as they are mostly addressing fallout from recent changes. I also read there are chances to have -rc8; if that is the case, that would also give us a bit more time to test this.

You can pull these changes from:

git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!
The following changes since commit b6e01232e25629907df9db19f25da7d4e8f5b589:

  net/mlx4_en: Free netdev resources under state lock (2016-11-23 20:18:36 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 17a49cd549d9dc8707dc9262210166455c612dde:

  netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel (2016-11-30 20:50:23 +0100)

----------------------------------------------------------------
Anders K. Pedersen (1):
      netfilter: nf_tables: fix inconsistent element expiration calculation

David Ahern (2):
      netfilter: Update ip_route_me_harder to consider L3 domain
      netfilter: Update nf_send_reset6 to consider L3 domain

Florian Westphal (5):
      netfilter: fix nf_conntrack_helper documentation
      netfilter: nat: fix cmp return value
      netfilter: nat: switch to new rhlist interface
      netfilter: nat: fix crash when conntrack entry is re-used
      netfilter: ipv6: nf_defrag: drop mangled skb on ream error

Hongxu Jia (1):
      netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel

Laura Garcia Liebana (1):
      netfilter: nft_hash: validate maximum value of u32 netlink hash attribute

Liping Zhang (1):
      netfilter: nft_range: add the missing NULL pointer check

 Documentation/networking/nf_conntrack-sysctl.txt |  7 +++-
 include/net/netfilter/nf_conntrack.h             |  6 +--
 include/net/netfilter/nf_tables.h                |  2 +-
 net/ipv4/netfilter.c                             |  5 ++-
 net/ipv4/netfilter/arp_tables.c                  |  4 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c          |  4 +-
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c        |  2 +-
 net/ipv6/netfilter/nf_reject_ipv6.c              |  1 +
 net/netfilter/nf_nat_core.c                      | 49 +++-
 net/netfilter/nf_tables_api.c                    | 14 ---
 net/netfilter/nft_hash.c                         |  7 +++-
 net/netfilter/nft_range.c                        |  6 +++
 12 files changed, 69 insertions(+), 38 deletions(-)