[PATCH 0/6] Netfilter fixes for net

2018-02-01 Thread Pablo Neira Ayuso
Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix OOM that syzkaller triggers with ipt_replace.size = -1 and
   IPT_SO_SET_REPLACE socket option, from Dmitry Vyukov.

2) Check for too long extension name in xt_request_find_{match|target}
   that result in out-of-bound reads, from Eric Dumazet.

3) Fix memory exhaustion bug in ipset hash:*net* types when adding ranges
   that look like x.x.x.x-255.255.255.255, from Jozsef Kadlecsik.

4) Fix pointer leaks to userspace in x_tables, from Dmitry Vyukov.

5) Insufficient sanity checks in clusterip_tg_check(), also from Dmitry.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

P.S: Another batch is following up soon, there are more fixes cooking on
the mailing list.



The following changes since commit d1616f07e8f1a4a490d1791316d4a68906b284aa:

  net: fec: free/restore resource in related probe error pathes (2018-01-05 11:19:11 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 3f34cfae1238848fd53f25e5c8fd59da57901f4b:

  netfilter: on sockopt() acquire sock lock only in the required scope (2018-01-31 16:37:47 +0100)


Dmitry Vyukov (3):
  netfilter: x_tables: fix int overflow in xt_alloc_table_info()
  netfilter: x_tables: fix pointer leaks to userspace
  netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()

Eric Dumazet (1):
  netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}

Jozsef Kadlecsik (1):
  netfilter: ipset: Fix wraparound in hash:*net* types

Paolo Abeni (1):
  netfilter: on sockopt() acquire sock lock only in the required scope

 net/ipv4/ip_sockglue.c | 14 +++
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 16 +---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |  6 -
 net/ipv6/ipv6_sockglue.c   | 17 -
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18 -
 net/netfilter/ipset/ip_set_hash_ipportnet.c| 26 +--
 net/netfilter/ipset/ip_set_hash_net.c  |  9 +++
 net/netfilter/ipset/ip_set_hash_netiface.c |  9 +++
 net/netfilter/ipset/ip_set_hash_netnet.c   | 28 ++---
 net/netfilter/ipset/ip_set_hash_netport.c  | 19 +++---
 net/netfilter/ipset/ip_set_hash_netportnet.c   | 35 +-
 net/netfilter/x_tables.c   |  9 +--
 net/netfilter/xt_IDLETIMER.c   |  1 +
 net/netfilter/xt_LED.c |  1 +
 net/netfilter/xt_limit.c   |  3 +--
 net/netfilter/xt_nfacct.c  |  1 +
 net/netfilter/xt_statistic.c   |  1 +
 17 files changed, 114 insertions(+), 99 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH 0/6] Netfilter fixes for net

2017-02-27 Thread David Miller
From: Pablo Neira Ayuso 
Date: Mon, 27 Feb 2017 12:35:36 +0100

> The following patchset contains netfilter fixes for your net tree,
> they are:
> 
> 1) Missing ct zone size in the nft_ct initialization path, patch
>    from Florian Westphal.
> 
> 2) Two patches for netfilter uapi headers, one to remove unnecessary
>    sysctl.h inclusion and another to fix compilation of xt_hashlimit.h
>    in userspace, from Dmitry V. Levin.
> 
> 3) Patch to fix a sloppy change in nf_ct_expect that incorrectly
>    simplified nf_ct_expect_related_report() in the previous nf-next
>    batch. This also includes another patch for __nf_ct_expect_check()
>    to report success by returning 0 to keep it consistent with other
>    existing functions. From Jarno Rajahalme.
> 
> 4) The ->walk() iterator of the new bitmap set type goes over the real
>    bitmap size, this results in incorrect dumps when NFTA_SET_USERDATA
>    is used.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.


[PATCH 0/6] Netfilter fixes for net

2017-02-27 Thread Pablo Neira Ayuso
Hi David,

The following patchset contains netfilter fixes for your net tree,
they are:

1) Missing ct zone size in the nft_ct initialization path, patch
   from Florian Westphal.

2) Two patches for netfilter uapi headers, one to remove unnecessary
   sysctl.h inclusion and another to fix compilation of xt_hashlimit.h
   in userspace, from Dmitry V. Levin.

3) Patch to fix a sloppy change in nf_ct_expect that incorrectly
   simplified nf_ct_expect_related_report() in the previous nf-next
   batch. This also includes another patch for __nf_ct_expect_check()
   to report success by returning 0 to keep it consistent with other
   existing functions. From Jarno Rajahalme.

4) The ->walk() iterator of the new bitmap set type goes over the real
   bitmap size, this results in incorrect dumps when NFTA_SET_USERDATA
   is used.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!



The following changes since commit 9c4713701c01e4cef6e2315c2818abc919ffb0de:

  bpf: Fix bpf_xdp_event_output (2017-02-23 13:53:42 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 13aa5a8f498dacd5f1a8e35be72af47e630fb8c6:

  netfilter: nft_set_bitmap: incorrect bitmap size (2017-02-26 21:00:19 +0100)


Dmitry V. Levin (2):
  uapi: stop including linux/sysctl.h in uapi/linux/netfilter.h
  uapi: fix linux/netfilter/xt_hashlimit.h userspace compilation error

Florian Westphal (1):
  netfilter: nft_ct: fix random validation errors for zone set support

Jarno Rajahalme (2):
  netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success.
  netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.

Pablo Neira Ayuso (1):
  netfilter: nft_set_bitmap: incorrect bitmap size

 include/uapi/linux/netfilter.h  | 1 -
 include/uapi/linux/netfilter/xt_hashlimit.h | 1 +
 net/netfilter/nf_conntrack_expect.c | 6 +++---
 net/netfilter/nft_ct.c  | 1 +
 net/netfilter/nft_set_bitmap.c  | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)


Re: [PATCH 0/6] Netfilter fixes for net

2017-01-05 Thread David Miller
From: Pablo Neira Ayuso 
Date: Thu,  5 Jan 2017 12:19:47 +0100

> The following patchset contains accumulated Netfilter fixes for your
> net tree:
> 
> 1) Ensure quota dump and reset happens iff we can deliver numbers to
>    userspace.
> 
> 2) Silence splat on incorrect use of smp_processor_id() from nft_queue.
> 
> 3) Fix an out-of-bound access reported by KASAN in
>    nf_tables_rule_destroy(), patch from Florian Westphal.
> 
> 4) Fix layer 4 checksum mangling in the nf_tables payload expression
>    with IPv6.
> 
> 5) Fix a race in the CLUSTERIP target from control plane path when two
>    threads run to add a new configuration object. Serialize invocations
>    of clusterip_config_init() using spin_lock. From Xin Long.
> 
> 6) Call br_nf_pre_routing_finish_bridge_finish() once we are done with
>    the br_nf_pre_routing_finish() hook. From Artur Molchanov.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

And a happy new year to you too!


[PATCH 0/6] Netfilter fixes for net

2017-01-05 Thread Pablo Neira Ayuso
Hi David,

The following patchset contains accumulated Netfilter fixes for your
net tree:

1) Ensure quota dump and reset happens iff we can deliver numbers to
   userspace.

2) Silence splat on incorrect use of smp_processor_id() from nft_queue.

3) Fix an out-of-bound access reported by KASAN in
   nf_tables_rule_destroy(), patch from Florian Westphal.

4) Fix layer 4 checksum mangling in the nf_tables payload expression
   with IPv6.

5) Fix a race in the CLUSTERIP target from control plane path when two
   threads run to add a new configuration object. Serialize invocations
   of clusterip_config_init() using spin_lock. From Xin Long.

6) Call br_nf_pre_routing_finish_bridge_finish() once we are done with
   the br_nf_pre_routing_finish() hook. From Artur Molchanov.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Wish you a nice new year btw, thanks!



The following changes since commit a220871be66f99d8957c693cf22ec67ecbd9c23a:

  virtio-net: correctly enable multiqueue (2016-12-13 10:37:38 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 14221cc45caad2fcab3a8543234bb7eda9b540d5:

  bridge: netfilter: Fix dropping packets that moving through bridge interface (2016-12-30 18:22:50 +0100)


Artur Molchanov (1):
  bridge: netfilter: Fix dropping packets that moving through bridge interface

Florian Westphal (1):
  netfilter: nf_tables: fix oob access

Pablo Neira Ayuso (3):
  netfilter: nft_quota: reset quota after dump
  netfilter: nft_queue: use raw_smp_processor_id()
  netfilter: nft_payload: mangle ckecksum if NFT_PAYLOAD_L4CSUM_PSEUDOHDR is set

Xin Long (1):
  netfilter: ipt_CLUSTERIP: check duplicate config when initializing

 net/bridge/br_netfilter_hooks.c|  2 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 34 +++---
 net/netfilter/nf_tables_api.c  |  2 +-
 net/netfilter/nft_payload.c| 27 +++
 net/netfilter/nft_queue.c  |  2 +-
 net/netfilter/nft_quota.c  | 26 ++
 6 files changed, 59 insertions(+), 34 deletions(-)


[PATCH 0/6] Netfilter fixes for net

2016-08-18 Thread Pablo Neira Ayuso
Hi David,

The following patchset contains Netfilter updates for your net tree,
they are:

1) Dump only conntrack entries that belong to this namespace via /proc file.
   This is some fallout from the conversion to single conntrack table
   for all netns, patch from Liping Zhang.

2) Missing MODULE_ALIAS_NF_LOGGER() for the ARP family that prevents
   module autoloading, also from Liping Zhang.

3) Report overquota event to the right netnamespace, again from Liping.

4) Fix tproxy listener sk refcount that leads to crash, from
   Eric Dumazet.

5) Fix racy refcounting on object deletion from nfnetlink and rule
   removal both for nfacct and cttimeout, from Liping Zhang.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!



The following changes since commit a1560dd7a47f983419760aa7f6a481e3b910b54b:

  Merge branch 'mediatek-fixes' (2016-08-15 23:02:45 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to b75911b66ad508a3c3f006ce37d9f9ebee34da43:

  netfilter: cttimeout: fix use after free error when delete netns (2016-08-18 15:17:00 +0200)


Eric Dumazet (1):
  netfilter: tproxy: properly refcount tcp listeners

Liping Zhang (5):
  netfilter: conntrack: do not dump other netns's conntrack entries via proc
  netfilter: nfnetlink_log: add "nf-logger-3-1" module alias name
  netfilter: nfnetlink_acct: report overquota to the right netns
  netfilter: nfnetlink_acct: fix race between nfacct del and xt_nfacct destroy
  netfilter: cttimeout: fix use after free error when delete netns

 include/linux/netfilter/nfnetlink_acct.h |  4 ++--
 net/netfilter/nf_conntrack_standalone.c  |  4 
 net/netfilter/nfnetlink_acct.c   | 17 +
 net/netfilter/nfnetlink_cttimeout.c  | 16 ++--
 net/netfilter/nfnetlink_log.c|  1 +
 net/netfilter/xt_TPROXY.c|  4 
 net/netfilter/xt_nfacct.c|  2 +-
 7 files changed, 31 insertions(+), 17 deletions(-)


Re: [PATCH 0/6] Netfilter fixes for net

2016-02-16 Thread David Miller
From: Pablo Neira Ayuso 
Date: Tue, 16 Feb 2016 18:02:31 +0100

> The following patchset contains a rather large batch for your net tree that
> includes accumulated bugfixes, they are:
 ...
> Due to the NetDev 1.1 organization burden, I had no chance to pass up
> this to you any sooner in this release cycle, sorry about that.

Understood :)

> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks.