Date:   Mon, 26 Sep 2016 01:06:10 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter-devel@...r.kernel.org
Cc:     davem@...emloft.net, netdev@...r.kernel.org
Subject: [PATCH 00/53] Netfilter updates for net-next

Hi David,

The following patchset contains Netfilter updates for your net-next
tree, they are:

1) Consolidate GRE protocol tracker using new GRE protocol definitions,
   patches from Gao Feng.

2) Properly parse continuation lines in SIP helper, update allowed
   characters in Call-ID header and allow tabs in SIP headers as
   specified by RFC3261, from Marco Angaroni.

3) Remove useless code in FTP conntrack helper, also from Gao Feng.

4) Add number generation expression for nf_tables, with random and
   incremental generators. This also includes specific offset to add
   to the result, patches from Laura Garcia Liebana. Liping Zhang
   follows with a fix to avoid a race in this new expression.

5) Fix new quota expression inversion logic, added in the previous
   pull request.

6) Missing validation of queue configuration in nft_queue, patch
   from Liping Zhang.

7) Remove unused ctl_table_path, as part of the deprecation of the
   ip_conntrack sysctl interface coming in the previous batch.
   Again from Liping Zhang.

8) Add offset attribute to nft_hash expression, so we can generate
   any output from a specific base offset. Moreover, check for
   possible overflow, patches from Laura Garcia.

9) Allow inverting dynamic set insertion from packet path, to check
   for overflows in case the set is full.

10) Revisit nft_set_pktinfo*() logic from nf_tables to ensure
    proper initialization of layer 4 protocol. Consolidate pktinfo
    structure initialization for bridge and netdev families.

11) Do not unconditionally drop IPv6 packets that we cannot parse
    transport protocol for ip6 and inet families, let the user decide
    on this via ruleset policy.

12) Get rid of gotos in __nf_ct_try_assign_helper().

13) Check for return value in register_netdevice_notifier() and
    nft_register_chain_type(), patches from Gao Feng.

14) Get rid of CONFIG_IP6_NF_IPTABLES dependency in nf_queue
    infrastructure that is common to nf_tables, from Liping Zhang.

15) Disable 'found' and 'searched' stats that are updated from the
    packet hotpath, not very useful these days.

16) Validate maximum value of u32 netlink attributes in nf_tables,
    this introduces nft_parse_u32_check(). From Laura Garcia.

17) Add missing code to integrate nft_queue with maps, patch from
    Liping Zhang. This also includes missing support for ranges in
    the nft_queue bridge family.

18) Fix check in nft_payload_fast_eval() that ensures that we don't
    go over the skbuff data boundary, from Liping Zhang.

19) Check if transport protocol is set from nf_tables tracing and
    payload expression. Again from Liping Zhang.

20) Use net_get_random_once() whenever possible, from Gao Feng.

21) Replace hardcoded value by sizeof() in xt_helper, from Gao Feng.

22) Remove superfluous check for found element in nft_lookup.

23) Simplify TCPMSS logic to check for minimum MTU, from Gao Feng.

24) Replace double linked list by single linked list in Netfilter
    core hook infrastructure, patchset from Aaron Conole. This
    includes several patches to prepare this update.

25) Fix wrong sequence adjustment of TCP RST with no ACK, from
    Gao Feng.

26) Relax check for direction attribute in nft_ct for layer 3 and 4
    protocol fields, from Liping Zhang.

27) Add new revision for hashlimit to support higher pps of up to 1
    million, from Vishwanath Pai.

28) Evict stale entries in nf_conntrack when reading entries from
    /proc/net/nf_conntrack, from Florian Westphal.

29) Fix transparent match for IPv6 request sockets, from Krisztian
    Kovacs.

30) Add new range expression for nf_tables.

31) Add missing code to support flags in nft_log. Expose NF_LOG_*
    flags via uapi and use it from the generic logging infrastructure,
    instead of using xt specific definitions, from Liping Zhang.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!

----------------------------------------------------------------

The following changes since commit fe0acb5fcb7fe8cb3d68bbdb8459865c972d8f83:

  Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue (2016-09-25 06:01:05 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to f20fbc0717f9f007c94b2641134b19228d0ce9ed:

  Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next (2016-09-25 23:34:19 +0200)

----------------------------------------------------------------
Aaron Conole (5):
      netfilter: call nf_hook_ingress with rcu_read_lock
      netfilter: Remove explicit rcu_read_lock in nf_hook_slow
      netfilter: Only allow sane values in nf_register_net_hook
      netfilter: nf_queue: whitespace cleanup
      netfilter: replace list_head with single linked list

Florian Westphal (4):
      netfilter: conntrack: remove packet hotpath stats
      netfilter: bridge: add and use br_nf_hook_thresh
      netfilter: call nf_hook_state_init with rcu_read_lock held
      netfilter: evict stale entries when user reads /proc/net/nf_conntrack

Gao Feng (10):
      netfilter: gre: Use consistent GRE_* macros instead of ones defined by netfilter.
      netfilter: gre: Use consistent GRE and PTTP header structure instead of the ones defined by netfilter
      netfilter: ftp: Remove the useless dlen==0 condition check in find_pattern
      netfilter: ftp: Remove the useless code
      netfilter: Add the missed return value check of register_netdevice_notifier
      netfilter: Add the missed return value check of nft_register_chain_type
      netfilter: Enhance the codes used to get random once
      netfilter: xt_helper: Use sizeof(variable) instead of literal number
      netfilter: xt_TCPMSS: Refactor the codes to decrease one condition check and more readable
      netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

KOVACS Krisztian (1):
      netfilter: xt_socket: fix transparent match for IPv6 request sockets

Laura Garcia Liebana (5):
      netfilter: nft_numgen: rename until attribute by modulus
      netfilter: nft_hash: Add hash offset value
      netfilter: nft_hash: fix hash overflow validation
      netfilter: nft_numgen: add number generation offset
      netfilter: nf_tables: validate maximum value of u32 netlink attributes

Liping Zhang (12):
      netfilter: nft_queue: check the validation of queues_total and queuenum
      netfilter: nf_conntrack: remove unused ctl_table_path member in nf_conntrack_l3proto
      netfilter: nf_queue: get rid of dependency on IP6_NF_IPTABLES
      netfilter: nft_numgen: fix race between num generate and store it
      netfilter: nft_queue: add _SREG_QNUM attr to select the queue number
      netfilter: nf_queue: improve queue range support for bridge family
      netfilter: nf_tables: improve nft payload fast eval
      netfilter: nf_tables: check tprot_set first when we use xt.thoff
      netfilter: nft_ct: unnecessary to require dir when use ct l3proto/protocol
      netfilter: nft_ct: report error if mark and dir specified simultaneously
      netfilter: nft_log: complete NFTA_LOG_FLAGS attr support
      netfilter: nf_log: get rid of XT_LOG_* macros

Marco Angaroni (3):
      netfilter: nf_ct_sip: correct parsing of continuation lines in SIP headers
      netfilter: nf_ct_sip: correct allowed characters in Call-ID SIP header
      netfilter: nf_ct_sip: allow tab character in SIP headers

Pablo Neira (1):
      netfilter: nf_conntrack: simplify __nf_ct_try_assign_helper() return logic

Pablo Neira Ayuso (11):
      netfilter: nft_quota: fix overquota logic
      netfilter: nft_quota: introduce nft_overquota()
      netfilter: nft_dynset: allow to invert match criteria
      netfilter: nf_tables: ensure proper initialization of nft_pktinfo fields
      netfilter: nf_tables_ipv6: setup pktinfo transport field on failure to parse
      netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate()
      netfilter: nf_tables_bridge: use nft_set_pktinfo_ipv{4, 6}_validate
      netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport
      netfilter: nft_lookup: remove superfluous element found check
      netfilter: nf_tables: add range expression
      Merge branch 'master' of git://git.kernel.org/.../davem/net-next

Vishwanath Pai (2):
      netfilter: xt_hashlimit: Prepare for revision 2
      netfilter: xt_hashlimit: Create revision 2 to support higher pps rates

 include/linux/netdevice.h                          |   2 +-
 include/linux/netfilter.h                          |  61 ++--
 include/linux/netfilter/nf_conntrack_common.h      |   4 -
 include/linux/netfilter/nf_conntrack_proto_gre.h   |  64 +---
 include/linux/netfilter_ingress.h                  |  18 +-
 include/net/netfilter/br_netfilter.h               |   6 +
 include/net/netfilter/nf_conntrack_l3proto.h       |   4 -
 include/net/netfilter/nf_log.h                     |  11 +-
 include/net/netfilter/nf_queue.h                   |  69 +++--
 include/net/netfilter/nf_tables.h                  |  19 ++
 include/net/netfilter/nf_tables_bridge.h           |   7 -
 include/net/netfilter/nf_tables_core.h             |   3 +
 include/net/netfilter/nf_tables_ipv4.h             |  43 +++
 include/net/netfilter/nf_tables_ipv6.h             |  53 +++-
 include/net/netns/netfilter.h                      |   2 +-
 include/uapi/linux/if_tunnel.h                     |   1 +
 include/uapi/linux/netfilter/nf_log.h              |  12 +
 include/uapi/linux/netfilter/nf_tables.h           |  45 ++-
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |   8 +-
 include/uapi/linux/netfilter/xt_hashlimit.h        |  23 ++
 net/bridge/br_netfilter_hooks.c                    |  53 +++-
 net/bridge/br_netfilter_ipv6.c                     |  12 +-
 net/bridge/netfilter/ebt_log.c                     |   2 +-
 net/bridge/netfilter/ebt_redirect.c                |   2 +-
 net/bridge/netfilter/ebtables.c                    |   2 +-
 net/bridge/netfilter/nf_tables_bridge.c            |  92 +-----
 net/bridge/netfilter/nft_reject_bridge.c           |  44 ++-
 net/core/dev.c                                     |   7 +-
 net/ipv4/netfilter/ip_tables.c                     |   2 +-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |   2 +-
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c       |   2 +-
 net/ipv4/netfilter/nf_log_arp.c                    |   2 +-
 net/ipv4/netfilter/nf_log_ipv4.c                   |  10 +-
 net/ipv4/netfilter/nf_nat_proto_gre.c              |  13 +-
 net/ipv4/netfilter/nf_tables_arp.c                 |   7 +-
 net/ipv4/netfilter/nf_tables_ipv4.c                |   5 +-
 net/ipv4/tcp_input.c                               |   1 +
 net/ipv4/tcp_ipv4.c                                |   1 -
 net/ipv6/netfilter/ip6_tables.c                    |   2 +-
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c     |   2 +-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c     |   2 +-
 net/ipv6/netfilter/nf_log_ipv6.c                   |  18 +-
 net/ipv6/netfilter/nf_tables_ipv6.c                |   9 +-
 net/ipv6/netfilter/nft_chain_route_ipv6.c          |   4 +-
 net/netfilter/Makefile                             |   3 +-
 net/netfilter/core.c                               | 152 +++++----
 net/netfilter/nf_conntrack_core.c                  |  16 +-
 net/netfilter/nf_conntrack_ftp.c                   |  15 +-
 net/netfilter/nf_conntrack_h323_main.c             |   2 +-
 net/netfilter/nf_conntrack_helper.c                |  17 +-
 net/netfilter/nf_conntrack_netlink.c               |   6 +-
 net/netfilter/nf_conntrack_proto_gre.c             |  14 +-
 net/netfilter/nf_conntrack_seqadj.c                |  20 +-
 net/netfilter/nf_conntrack_sip.c                   |  10 +-
 net/netfilter/nf_conntrack_standalone.c            |  13 +-
 net/netfilter/nf_internals.h                       |  10 +-
 net/netfilter/nf_log_common.c                      |   4 +-
 net/netfilter/nf_queue.c                           |  18 +-
 net/netfilter/nf_tables_api.c                      |  25 ++
 net/netfilter/nf_tables_core.c                     |  16 +-
 net/netfilter/nf_tables_inet.c                     |   5 +-
 net/netfilter/nf_tables_netdev.c                   | 101 ++----
 net/netfilter/nf_tables_trace.c                    |  20 +-
 net/netfilter/nfnetlink_cthelper.c                 |   2 +-
 net/netfilter/nfnetlink_log.c                      |   8 +-
 net/netfilter/nfnetlink_queue.c                    |  19 +-
 net/netfilter/nft_bitwise.c                        |   8 +-
 net/netfilter/nft_byteorder.c                      |  15 +-
 net/netfilter/nft_cmp.c                            |   3 +
 net/netfilter/nft_ct.c                             |  21 +-
 net/netfilter/nft_dynset.c                         |  20 +-
 net/netfilter/nft_exthdr.c                         |  12 +-
 net/netfilter/nft_hash.c                           |  17 +-
 net/netfilter/nft_immediate.c                      |   4 +
 net/netfilter/nft_log.c                            |   9 +-
 net/netfilter/nft_lookup.c                         |   2 +-
 net/netfilter/nft_meta.c                           |   2 +
 net/netfilter/nft_numgen.c                         |  54 ++--
 net/netfilter/nft_payload.c                        |   4 +
 net/netfilter/nft_queue.c                          | 113 ++++++-
 net/netfilter/nft_quota.c                          |   8 +-
 net/netfilter/nft_range.c                          | 138 +++++++++
 net/netfilter/xt_RATEEST.c                         |   6 +-
 net/netfilter/xt_TCPMSS.c                          |  12 +-
 net/netfilter/xt_TEE.c                             |   8 +-
 net/netfilter/xt_connlimit.c                       |   8 +-
 net/netfilter/xt_hashlimit.c                       | 339 ++++++++++++++++-----
 net/netfilter/xt_helper.c                          |   4 +-
 net/netfilter/xt_recent.c                          |   7 +-
 89 files changed, 1381 insertions(+), 680 deletions(-)
 delete mode 100644 include/net/netfilter/nf_tables_bridge.h
 create mode 100644 include/uapi/linux/netfilter/nf_log.h
 create mode 100644 net/netfilter/nft_range.c
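The modulus and offset handling described in items 4, 8 and 16 above, as an added user-space C model that is not kernel code from this pull request: it shows the validation a configuration must pass so that offset + modulus - 1 still fits in a u32, and an incremental generator that stores its counter with a compare-and-swap so concurrent callers cannot hand out a stale value (the race fix mentioned in item 4). Struct and function names are assumptions for the example.

```c
/* Constructed example: user-space model of "modulus + offset" number
 * generation with the overflow validation a netlink attribute parser
 * needs. Names (numgen_cfg, numgen_*) are assumed, not kernel symbols. */
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

struct numgen_cfg {
    uint32_t modulus;     /* results are in [0, modulus) before offset */
    uint32_t offset;      /* added to every generated value */
    atomic_uint counter;  /* shared by all packet-path callers */
};

/* Reject configurations whose largest output, offset + modulus - 1,
 * cannot be represented as a u32. A wrapped sum is smaller than offset. */
int numgen_cfg_validate(uint32_t modulus, uint32_t offset)
{
    if (modulus == 0)
        return -ERANGE;
    if (offset + modulus - 1 < offset)
        return -EOVERFLOW;
    return 0;
}

int numgen_cfg_init(struct numgen_cfg *c, uint32_t modulus, uint32_t offset)
{
    int err = numgen_cfg_validate(modulus, offset);
    if (err)
        return err;
    c->modulus = modulus;
    c->offset = offset;
    atomic_init(&c->counter, 0);
    return 0;
}

/* Incremental generator: the stored counter is always < modulus, and the
 * compare-and-swap loop makes "compute next, store next" one atomic step. */
uint32_t numgen_inc_eval(struct numgen_cfg *c)
{
    uint32_t oval = atomic_load(&c->counter), nval;
    do {
        nval = (oval + 1) % c->modulus;
    } while (!atomic_compare_exchange_weak(&c->counter, &oval, nval));
    return nval + c->offset;  /* cannot wrap: validated at init */
}

/* Helper for checking sequences: value produced by the n-th evaluation
 * of a freshly initialised generator, or 0 on an invalid configuration. */
uint32_t numgen_nth(uint32_t modulus, uint32_t offset, unsigned int n)
{
    struct numgen_cfg c;
    uint32_t v = 0;
    if (numgen_cfg_init(&c, modulus, offset))
        return 0;
    while (n--)
        v = numgen_inc_eval(&c);
    return v;
}
```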
