lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 15 Jun 2015 23:25:57 +0200
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	netfilter-devel@...r.kernel.org
Cc:	davem@...emloft.net, netdev@...r.kernel.org
Subject: [PATCH 00/32] Netfilter updates for net-next

Hi David,

This a bit large (and late) patchset that contains Netfilter updates for
net-next. Most relevantly br_netfilter fixes, ipset RCU support, removal of
x_tables percpu ruleset copy and rework of the nf_tables netdev support. More
specifically, they are:

1) Warn the user when there is a better protocol conntracker available, from
   Marcelo Ricardo Leitner.

2) Fix forwarding of IPv6 fragmented traffic in br_netfilter, from Bernhard
   Thaler. This comes with several patches to prepare the change in first place.

3) Get rid of special mtu handling of PPPoE/VLAN frames for br_netfilter. This
   is not needed anymore since now we use the largest fragment size to
   refragment, from Florian Westphal.

4) Restore vlan tag when refragmenting in br_netfilter, also from Florian.

5) Get rid of the percpu ruleset copy in x_tables, from Florian. Plus another
   follow up patch to refine it from Eric Dumazet.

6) Several ipset cleanups, fixes and finally RCU support, from Jozsef Kadlecsik.

7) Get rid of parens in Netfilter Kconfig files.

8) Attach the net_device to the basechain as opposed to the initial per table
   approach in the nf_tables netdev family.

9) Subscribe to netdev events to detect the removal and registration of a
   device that is referenced by a basechain.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Have a nice and safe travel to NFWS in Budapest.

Thanks!

----------------------------------------------------------------

The following changes since commit c63264def3393dd123bfa630a7a46b5d6d2d6038:

  Merge branch 'tcp-gso-settings-defer' (2015-06-11 16:33:11 -0700)

are available in the git repository at:


  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to 835b803377f5f11f9ccf234f70ed667a82605c45:

  netfilter: nf_tables_netdev: unregister hooks on net_device removal (2015-06-15 23:02:35 +0200)

----------------------------------------------------------------
Bernhard Thaler (7):
      netfilter: bridge: refactor clearing BRNF_NF_BRIDGE_PREROUTING
      netfilter: bridge: re-order br_nf_pre_routing_finish_ipv6()
      netfilter: bridge: detect NAT66 correctly and change MAC address
      netfilter: bridge: refactor frag_max_size
      netfilter: bridge: rename br_parse_ip_options
      netfilter: bridge: re-order check_hbh_len()
      netfilter: bridge: forward IPv6 fragmented packets

Eric Dumazet (1):
      netfilter: x_tables: remove XT_TABLE_INFO_SZ and a dereference.

Florian Westphal (4):
      net: ip_fragment: remove BRIDGE_NETFILTER mtu special handling
      netfilter: bridge: restore vlan tag when refragmenting
      netfilter: xtables: use percpu rule counters
      netfilter: xtables: avoid percpu ruleset duplication

Jozsef Kadlecsik (10):
      netfilter: ipset: Use MSEC_PER_SEC consistently
      netfilter: ipset: Fix cidr handling for hash:*net* types
      netfilter: ipset: Fix parallel resizing and listing of the same set
      netfilter: ipset: Make sure listing doesn't grab a set which is just being destroyed.
      netfilter:ipset Remove rbtree from hash:net,iface
      netfilter: ipset: Prepare the ipset core to use RCU at set level
      netfilter: ipset: Introduce RCU locking in bitmap:* types
      netfilter: ipset: Introduce RCU locking in hash:* types
      netfilter: ipset: Introduce RCU locking in list type
      netfilter: ipset: Fix coding styles reported by checkpatch.pl

Marcelo Ricardo Leitner (1):
      netfilter: conntrack: warn the user if there is a better helper to use

Pablo Neira Ayuso (5):
      netfilter: Kconfig: get rid of parens around depends on
      Merge branch 'master' of git://blackhole.kfki.hu/nf-next
      netfilter: nf_tables: attach net_device to basechain
      netfilter: nf_tables: add nft_register_basechain() and nft_unregister_basechain()
      netfilter: nf_tables_netdev: unregister hooks on net_device removal

Sergey Popovich (5):
      netfilter: ipset: Use SET_WITH_*() helpers to test set extensions
      netfilter: ipset: Check extensions attributes before getting extensions.
      netfilter: ipset: Permit CIDR equal to the host address CIDR in IPv6
      netfilter: ipset: Make sure we always return line number on batch
      netfilter: ipset: Check CIDR value only when attribute is given

 include/linux/netfilter/ipset/ip_set.h         |   29 +-
 include/linux/netfilter/ipset/ip_set_comment.h |   38 +-
 include/linux/netfilter/ipset/ip_set_timeout.h |   27 +-
 include/linux/netfilter/x_tables.h             |   56 +-
 include/linux/netfilter_bridge.h               |    7 -
 include/linux/netfilter_ipv6.h                 |    3 +
 include/linux/skbuff.h                         |    7 +-
 include/net/netfilter/nf_tables.h              |   11 +-
 include/uapi/linux/netfilter/ipset/ip_set.h    |    6 +-
 include/uapi/linux/netfilter/nf_tables.h       |    4 +-
 net/bridge/br_netfilter.c                      |  398 ++++++++-----
 net/bridge/br_private.h                        |    7 +-
 net/ipv4/ip_output.c                           |    4 -
 net/ipv4/netfilter/Kconfig                     |    3 +-
 net/ipv4/netfilter/arp_tables.c                |   86 +--
 net/ipv4/netfilter/ip_tables.c                 |   95 ++--
 net/ipv6/netfilter.c                           |    2 +
 net/ipv6/netfilter/Kconfig                     |    3 +-
 net/ipv6/netfilter/ip6_tables.c                |   96 ++--
 net/netfilter/Kconfig                          |   18 +-
 net/netfilter/ipset/ip_set_bitmap_gen.h        |   44 +-
 net/netfilter/ipset/ip_set_bitmap_ip.c         |   27 +-
 net/netfilter/ipset/ip_set_bitmap_ipmac.c      |   46 +-
 net/netfilter/ipset/ip_set_bitmap_port.c       |   24 +-
 net/netfilter/ipset/ip_set_core.c              |  344 ++++++------
 net/netfilter/ipset/ip_set_getport.c           |   13 +-
 net/netfilter/ipset/ip_set_hash_gen.h          |  714 +++++++++++++++---------
 net/netfilter/ipset/ip_set_hash_ip.c           |   39 +-
 net/netfilter/ipset/ip_set_hash_ipmark.c       |   46 +-
 net/netfilter/ipset/ip_set_hash_ipport.c       |   51 +-
 net/netfilter/ipset/ip_set_hash_ipportip.c     |   53 +-
 net/netfilter/ipset/ip_set_hash_ipportnet.c    |   58 +-
 net/netfilter/ipset/ip_set_hash_mac.c          |   19 +-
 net/netfilter/ipset/ip_set_hash_net.c          |   49 +-
 net/netfilter/ipset/ip_set_hash_netiface.c     |  225 ++------
 net/netfilter/ipset/ip_set_hash_netnet.c       |  120 ++--
 net/netfilter/ipset/ip_set_hash_netport.c      |   52 +-
 net/netfilter/ipset/ip_set_hash_netportnet.c   |  128 ++---
 net/netfilter/ipset/ip_set_list_set.c          |  419 +++++++-------
 net/netfilter/ipset/pfxlen.c                   |   16 +-
 net/netfilter/nf_conntrack_proto_generic.c     |    8 +-
 net/netfilter/nf_tables_api.c                  |  139 +++--
 net/netfilter/nf_tables_netdev.c               |   75 +++
 net/netfilter/x_tables.c                       |   37 +-
 net/netfilter/xt_set.c                         |   44 +-
 45 files changed, 1972 insertions(+), 1718 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ