lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20190302183457.3079-1-pablo@netfilter.org>
Date:   Sat,  2 Mar 2019 19:34:28 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter-devel@...r.kernel.org
Cc:     davem@...emloft.net, netdev@...r.kernel.org
Subject: [PATCH 00/29] Netfilter/IPVS updates for net-next

Hi David,

The following patchset contains Netfilter/IPVS updates for net-next:

1) Add .release_ops to properly unroll .select_ops, use it from nft_compat.
   After this change, we can remove list of extensions too to simplify this
   codebase.

2) Update amanda conntrack helper to support v3.4, from Florian Tham.

3) Get rid of the obsolete BUGPRINT macro in ebtables, from
   Florian Westphal.

4) Merge IPv4 and IPv6 masquerading infrastructure into one single module.
   From Florian Westphal.

5) Patchset to remove nf_nat_l3proto structure to get rid of
   indirections, from Florian Westphal.

6) Skip unnecessary conntrack timeout updates in case the value is
   still the same, also from Florian Westphal.

7) Remove unnecessary 'fall through' comments in empty switch cases,
   from Li RongQing.

8) Fix lookup to fixed size hashtable sets on big endian with 32-bit keys.

9) Incorrect logic to deactivate path of fixed size hashtable sets,
   element was being tested to self.

10) Remove nft_hash_key(), the bitmap set is always selected for 16-bit
    keys.

11) Use boolean whenever possible in IPVS codebase, from Andrea Claudi.

12) Enter close state in conntrack if RST matches exact sequence number,
    from Florian Westphal.

13) Initialize dst_cache in tunnel extension, from wenxu.

14) Pass protocol as u16 to xt_check_match and xt_check_target, from
    Li RongQing.

15) SCTP header is granted to be in a linear area from IPVS NAT handler,
    from Xin Long.

16) Don't steal packets coming from slave VRF device from the
    ip_sabotage_in() path, from David Ahern.

17) Fix unsafe update of basechain stats, from Li RongQing.

18) Make sure CONNTRACK_LOCKS is power of 2 to let compiler optimize
    modulo operation as bitwise AND, from Li RongQing.

19) Use device_attribute instead of internal definition in the IDLETIMER
    target, from Sami Tolvanen.

20) Merge redir, masq and IPv4/IPv6 NAT chain types, from Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!

----------------------------------------------------------------

The following changes since commit ff8285f81822dc8f528b36b6c5c8ab132367e92d:

  net: sched: pie: fix 64-bit division (2019-02-26 18:55:38 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to db8ab38880e06dedbfc879e75f5b0ddc495f4eb6:

  netfilter: nf_tables: merge ipv4 and ipv6 nat chain types (2019-03-01 14:36:59 +0100)

----------------------------------------------------------------
Andrea Claudi (1):
      ipvs: change some data types from int to bool

David Ahern (1):
      netfilter: bridge: Don't sabotage nf_hook calls for an l3mdev slave

Florian Tham (1):
      netfilter: nf_conntrack_amanda: add support for STATE streams

Florian Westphal (15):
      netfilter: ebtables: remove BUGPRINT messages
      netfilter: nat: merge ipv4 and ipv6 masquerade functionality
      netfilter: nat: move nlattr parse and xfrm session decode to core
      netfilter: nat: merge nf_nat_ipv4,6 into nat core
      netfilter: nat: remove nf_nat_l4proto.h
      netfilter: nat: remove l3 manip_pkt hook
      netfilter: nat: remove csum_update hook
      netfilter: nat: remove csum_recalc hook
      netfilter: nat: remove l3proto struct
      netfilter: nat: remove nf_nat_l3proto.h and nf_nat_core.h
      netfilter: conntrack: avoid same-timeout update
      netfilter: conntrack: tcp: only close if RST matches exact sequence
      netfilter: nf_tables: nat: merge nft_redir protocol specific modules
      netfilter: nf_tables: nat: merge nft_masq protocol specific modules
      netfilter: nf_tables: merge ipv4 and ipv6 nat chain types

Li RongQing (4):
      netfilter: remove unneeded switch fall-through
      netfilter: convert the proto argument from u8 to u16
      netfilter: nf_tables: check the result of dereferencing base_chain->stats
      netfilter: nf_conntrack: ensure that CONNTRACK_LOCKS is power of 2

Pablo Neira Ayuso (4):
      netfilter: nft_compat: use .release_ops and remove list of extension
      netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
      netfilter: nft_set_hash: bogus element self comparison from deactivation path
      netfilter: nft_set_hash: remove nft_hash_key()

Sami Tolvanen (1):
      netfilter: xt_IDLETIMER: fix sysfs callback function type

Xin Long (1):
      ipvs: get sctphdr by sctphoff in sctp_csum_check

wenxu (1):
      netfilter: nft_tunnel: Add dst_cache support

 include/linux/netfilter/x_tables.h                 |   4 +-
 include/net/netfilter/nf_conntrack.h               |  10 +-
 include/net/netfilter/nf_nat.h                     |  45 +-
 include/net/netfilter/nf_nat_core.h                |  29 -
 include/net/netfilter/nf_nat_l3proto.h             |  50 --
 include/net/netfilter/nf_nat_l4proto.h             |  16 -
 include/net/netfilter/nf_tables.h                  |   3 +
 include/net/netfilter/nft_masq.h                   |  22 -
 include/net/netfilter/nft_redir.h                  |  22 -
 net/bridge/br_netfilter_hooks.c                    |   3 +-
 net/bridge/netfilter/ebtables.c                    | 137 ++--
 net/ipv4/netfilter/Kconfig                         |  50 +-
 net/ipv4/netfilter/Makefile                        |   7 -
 net/ipv4/netfilter/iptable_nat.c                   |   8 +-
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c           | 388 -----------
 net/ipv4/netfilter/nft_chain_nat_ipv4.c            |  87 ---
 net/ipv4/netfilter/nft_masq_ipv4.c                 |  90 ---
 net/ipv4/netfilter/nft_redir_ipv4.c                |  82 ---
 net/ipv6/netfilter/Kconfig                         |  48 +-
 net/ipv6/netfilter/Makefile                        |   7 -
 net/ipv6/netfilter/ip6table_nat.c                  |   8 +-
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c           | 427 ------------
 net/ipv6/netfilter/nf_nat_masquerade_ipv6.c        | 240 -------
 net/ipv6/netfilter/nft_chain_nat_ipv6.c            |  85 ---
 net/ipv6/netfilter/nft_masq_ipv6.c                 |  91 ---
 net/ipv6/netfilter/nft_redir_ipv6.c                |  83 ---
 net/netfilter/Kconfig                              |  14 +-
 net/netfilter/Makefile                             |   3 +
 net/netfilter/ipvs/ip_vs_ctl.c                     |  12 +-
 net/netfilter/ipvs/ip_vs_ftp.c                     |   4 +-
 net/netfilter/ipvs/ip_vs_proto_sctp.c              |   7 +-
 net/netfilter/ipvs/ip_vs_proto_tcp.c               |   8 +-
 net/netfilter/ipvs/ip_vs_proto_udp.c               |   8 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |   4 +-
 net/netfilter/nf_conntrack_amanda.c                |   9 +-
 net/netfilter/nf_conntrack_core.c                  |  11 +-
 net/netfilter/nf_conntrack_netlink.c               |   2 +-
 net/netfilter/nf_conntrack_proto_tcp.c             |  50 +-
 net/netfilter/nf_nat_core.c                        | 196 ++++--
 net/netfilter/nf_nat_helper.c                      |  15 +-
 .../nf_nat_masquerade.c}                           | 208 +++++-
 net/netfilter/nf_nat_proto.c                       | 744 ++++++++++++++++++++-
 net/netfilter/nf_tables_api.c                      |   7 +-
 net/netfilter/nf_tables_core.c                     |  15 +-
 net/netfilter/nft_chain_nat.c                      | 108 +++
 net/netfilter/nft_compat.c                         | 281 ++------
 net/netfilter/nft_masq.c                           | 180 ++++-
 net/netfilter/nft_nat.c                            |   2 -
 net/netfilter/nft_redir.c                          | 154 ++++-
 net/netfilter/nft_set_hash.c                       |  38 +-
 net/netfilter/nft_tunnel.c                         |   7 +
 net/netfilter/x_tables.c                           |   4 +-
 net/netfilter/xt_IDLETIMER.c                       |  14 +-
 net/netfilter/xt_nat.c                             |   2 +-
 net/openvswitch/Kconfig                            |   2 -
 net/openvswitch/conntrack.c                        |  12 +-
 tools/testing/selftests/net/config                 |   3 +-
 57 files changed, 1747 insertions(+), 2419 deletions(-)
 delete mode 100644 include/net/netfilter/nf_nat_core.h
 delete mode 100644 include/net/netfilter/nf_nat_l3proto.h
 delete mode 100644 include/net/netfilter/nf_nat_l4proto.h
 delete mode 100644 include/net/netfilter/nft_masq.h
 delete mode 100644 include/net/netfilter/nft_redir.h
 delete mode 100644 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
 delete mode 100644 net/ipv4/netfilter/nft_chain_nat_ipv4.c
 delete mode 100644 net/ipv4/netfilter/nft_masq_ipv4.c
 delete mode 100644 net/ipv4/netfilter/nft_redir_ipv4.c
 delete mode 100644 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
 delete mode 100644 net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
 delete mode 100644 net/ipv6/netfilter/nft_chain_nat_ipv6.c
 delete mode 100644 net/ipv6/netfilter/nft_masq_ipv6.c
 delete mode 100644 net/ipv6/netfilter/nft_redir_ipv6.c
 rename net/{ipv4/netfilter/nf_nat_masquerade_ipv4.c => netfilter/nf_nat_masquerade.c} (51%)
 create mode 100644 net/netfilter/nft_chain_nat.c

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ