| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 2 Mar 2019 19:34:28 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org
Cc: davem@...emloft.net, netdev@...r.kernel.org
Subject: [PATCH 00/29] Netfilter/IPVS updates for net-next
Hi David,
The following patchset contains Netfilter/IPVS updates for net-next:
1) Add .release_ops to properly unroll .select_ops, use it from nft_compat.
After this change, we can remove list of extensions too to simplify this
codebase.
2) Update amanda conntrack helper to support v3.4, from Florian Tham.
3) Get rid of the obsolete BUGPRINT macro in ebtables, from
Florian Westphal.
4) Merge IPv4 and IPv6 masquerading infrastructure into one single module.
From Florian Westphal.
5) Patchset to remove nf_nat_l3proto structure to get rid of
indirections, from Florian Westphal.
6) Skip unnecessary conntrack timeout updates in case the value is
still the same, also from Florian Westphal.
7) Remove unnecessary 'fall through' comments in empty switch cases,
from Li RongQing.
8) Fix lookup to fixed size hashtable sets on big endian with 32-bit keys.
9) Incorrect logic to deactivate path of fixed size hashtable sets,
element was being tested to self.
10) Remove nft_hash_key(), the bitmap set is always selected for 16-bit
keys.
11) Use boolean whenever possible in IPVS codebase, from Andrea Claudi.
12) Enter close state in conntrack if RST matches exact sequence number,
from Florian Westphal.
13) Initialize dst_cache in tunnel extension, from wenxu.
14) Pass protocol as u16 to xt_check_match and xt_check_target, from
Li RongQing.
15) SCTP header is granted to be in a linear area from IPVS NAT handler,
from Xin Long.
16) Don't steal packets coming from slave VRF device from the
ip_sabotage_in() path, from David Ahern.
17) Fix unsafe update of basechain stats, from Li RongQing.
18) Make sure CONNTRACK_LOCKS is power of 2 to let compiler optimize
modulo operation as bitwise AND, from Li RongQing.
19) Use device_attribute instead of internal definition in the IDLETIMER
target, from Sami Tolvanen.
20) Merge redir, masq and IPv4/IPv6 NAT chain types, from Florian Westphal.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks!
----------------------------------------------------------------
The following changes since commit ff8285f81822dc8f528b36b6c5c8ab132367e92d:
net: sched: pie: fix 64-bit division (2019-02-26 18:55:38 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD
for you to fetch changes up to db8ab38880e06dedbfc879e75f5b0ddc495f4eb6:
netfilter: nf_tables: merge ipv4 and ipv6 nat chain types (2019-03-01 14:36:59 +0100)
----------------------------------------------------------------
Andrea Claudi (1):
ipvs: change some data types from int to bool
David Ahern (1):
netfilter: bridge: Don't sabotage nf_hook calls for an l3mdev slave
Florian Tham (1):
netfilter: nf_conntrack_amanda: add support for STATE streams
Florian Westphal (15):
netfilter: ebtables: remove BUGPRINT messages
netfilter: nat: merge ipv4 and ipv6 masquerade functionality
netfilter: nat: move nlattr parse and xfrm session decode to core
netfilter: nat: merge nf_nat_ipv4,6 into nat core
netfilter: nat: remove nf_nat_l4proto.h
netfilter: nat: remove l3 manip_pkt hook
netfilter: nat: remove csum_update hook
netfilter: nat: remove csum_recalc hook
netfilter: nat: remove l3proto struct
netfilter: nat: remove nf_nat_l3proto.h and nf_nat_core.h
netfilter: conntrack: avoid same-timeout update
netfilter: conntrack: tcp: only close if RST matches exact sequence
netfilter: nf_tables: nat: merge nft_redir protocol specific modules
netfilter: nf_tables: nat: merge nft_masq protocol specific modules
netfilter: nf_tables: merge ipv4 and ipv6 nat chain types
Li RongQing (4):
netfilter: remove unneeded switch fall-through
netfilter: convert the proto argument from u8 to u16
netfilter: nf_tables: check the result of dereferencing base_chain->stats
netfilter: nf_conntrack: ensure that CONNTRACK_LOCKS is power of 2
Pablo Neira Ayuso (4):
netfilter: nft_compat: use .release_ops and remove list of extension
netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
netfilter: nft_set_hash: bogus element self comparison from deactivation path
netfilter: nft_set_hash: remove nft_hash_key()
Sami Tolvanen (1):
netfilter: xt_IDLETIMER: fix sysfs callback function type
Xin Long (1):
ipvs: get sctphdr by sctphoff in sctp_csum_check
wenxu (1):
netfilter: nft_tunnel: Add dst_cache support
include/linux/netfilter/x_tables.h | 4 +-
include/net/netfilter/nf_conntrack.h | 10 +-
include/net/netfilter/nf_nat.h | 45 +-
include/net/netfilter/nf_nat_core.h | 29 -
include/net/netfilter/nf_nat_l3proto.h | 50 --
include/net/netfilter/nf_nat_l4proto.h | 16 -
include/net/netfilter/nf_tables.h | 3 +
include/net/netfilter/nft_masq.h | 22 -
include/net/netfilter/nft_redir.h | 22 -
net/bridge/br_netfilter_hooks.c | 3 +-
net/bridge/netfilter/ebtables.c | 137 ++--
net/ipv4/netfilter/Kconfig | 50 +-
net/ipv4/netfilter/Makefile | 7 -
net/ipv4/netfilter/iptable_nat.c | 8 +-
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 388 -----------
net/ipv4/netfilter/nft_chain_nat_ipv4.c | 87 ---
net/ipv4/netfilter/nft_masq_ipv4.c | 90 ---
net/ipv4/netfilter/nft_redir_ipv4.c | 82 ---
net/ipv6/netfilter/Kconfig | 48 +-
net/ipv6/netfilter/Makefile | 7 -
net/ipv6/netfilter/ip6table_nat.c | 8 +-
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 427 ------------
net/ipv6/netfilter/nf_nat_masquerade_ipv6.c | 240 -------
net/ipv6/netfilter/nft_chain_nat_ipv6.c | 85 ---
net/ipv6/netfilter/nft_masq_ipv6.c | 91 ---
net/ipv6/netfilter/nft_redir_ipv6.c | 83 ---
net/netfilter/Kconfig | 14 +-
net/netfilter/Makefile | 3 +
net/netfilter/ipvs/ip_vs_ctl.c | 12 +-
net/netfilter/ipvs/ip_vs_ftp.c | 4 +-
net/netfilter/ipvs/ip_vs_proto_sctp.c | 7 +-
net/netfilter/ipvs/ip_vs_proto_tcp.c | 8 +-
net/netfilter/ipvs/ip_vs_proto_udp.c | 8 +-
net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
net/netfilter/nf_conntrack_amanda.c | 9 +-
net/netfilter/nf_conntrack_core.c | 11 +-
net/netfilter/nf_conntrack_netlink.c | 2 +-
net/netfilter/nf_conntrack_proto_tcp.c | 50 +-
net/netfilter/nf_nat_core.c | 196 ++++--
net/netfilter/nf_nat_helper.c | 15 +-
.../nf_nat_masquerade.c} | 208 +++++-
net/netfilter/nf_nat_proto.c | 744 ++++++++++++++++++++-
net/netfilter/nf_tables_api.c | 7 +-
net/netfilter/nf_tables_core.c | 15 +-
net/netfilter/nft_chain_nat.c | 108 +++
net/netfilter/nft_compat.c | 281 ++------
net/netfilter/nft_masq.c | 180 ++++-
net/netfilter/nft_nat.c | 2 -
net/netfilter/nft_redir.c | 154 ++++-
net/netfilter/nft_set_hash.c | 38 +-
net/netfilter/nft_tunnel.c | 7 +
net/netfilter/x_tables.c | 4 +-
net/netfilter/xt_IDLETIMER.c | 14 +-
net/netfilter/xt_nat.c | 2 +-
net/openvswitch/Kconfig | 2 -
net/openvswitch/conntrack.c | 12 +-
tools/testing/selftests/net/config | 3 +-
57 files changed, 1747 insertions(+), 2419 deletions(-)
delete mode 100644 include/net/netfilter/nf_nat_core.h
delete mode 100644 include/net/netfilter/nf_nat_l3proto.h
delete mode 100644 include/net/netfilter/nf_nat_l4proto.h
delete mode 100644 include/net/netfilter/nft_masq.h
delete mode 100644 include/net/netfilter/nft_redir.h
delete mode 100644 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
delete mode 100644 net/ipv4/netfilter/nft_chain_nat_ipv4.c
delete mode 100644 net/ipv4/netfilter/nft_masq_ipv4.c
delete mode 100644 net/ipv4/netfilter/nft_redir_ipv4.c
delete mode 100644 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
delete mode 100644 net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
delete mode 100644 net/ipv6/netfilter/nft_chain_nat_ipv6.c
delete mode 100644 net/ipv6/netfilter/nft_masq_ipv6.c
delete mode 100644 net/ipv6/netfilter/nft_redir_ipv6.c
rename net/{ipv4/netfilter/nf_nat_masquerade_ipv4.c => netfilter/nf_nat_masquerade.c} (51%)
create mode 100644 net/netfilter/nft_chain_nat.c
Powered by blists - more mailing lists