Message-Id: <20190422204801.26321-1-pablo@netfilter.org>
Date:   Mon, 22 Apr 2019 22:47:51 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter-devel@...r.kernel.org
Cc:     davem@...emloft.net, netdev@...r.kernel.org
Subject: [PATCH 00/10] Netfilter/IPVS fixes for net

Hi David,

The following patchset contains Netfilter/IPVS fixes for your net tree:

1) Add a selftest for icmp packet too big errors with conntrack, from
   Florian Westphal.

2) Validate inner header in ICMP error message does not lie to us
   in conntrack, also from Florian.

3) Initialize ct->timeout to calm down KASAN, from Alexander Potapenko.

4) Skip ICMP error messages from tunnels in IPVS, from Julian Anastasov.

5) Use a hash to expose conntrack and expectation ID, from Florian Westphal.

6) Prevent shift wrap in nft_chain_parse_hook(), from Dan Carpenter.

7) Fix broken ICMP ID randomization with NAT, also from Florian.

8) Remove WARN_ON in ebtables compat that is reached via syzkaller,
   from Florian Westphal.

9) Fix broken timestamps since fb420d5d91c1 ("tcp/fq: move back to
   CLOCK_MONOTONIC"), from Florian.

10) Fix logging of invalid packets in conntrack, from Andrei Vagin.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit ed0de45a1008991fdaa27a0152befcb74d126a8b:

  ipv4: recompile ip options in ipv4_link_failure (2019-04-12 17:23:46 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to d48668052b2603b6262459625c86108c493588dd:

  netfilter: fix nf_l4proto_log_invalid to log invalid packets (2019-04-22 10:38:50 +0200)

----------------------------------------------------------------
Alexander Potapenko (1):
      netfilter: conntrack: initialize ct->timeout

Andrei Vagin (1):
      netfilter: fix nf_l4proto_log_invalid to log invalid packets

Dan Carpenter (1):
      netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook()

Florian Westphal (6):
      selftests: netfilter: check icmp pkttoobig errors are set as related
      netfilter: conntrack: don't set related state for different outer address
      netfilter: ctnetlink: don't use conntrack/expect object addresses as id
      netfilter: nat: fix icmp id randomization
      netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
      netfilter: never get/set skb->tstamp

Julian Anastasov (1):
      ipvs: do not schedule icmp errors from tunnels

 include/net/netfilter/nf_conntrack.h               |   2 +
 include/net/netfilter/nf_conntrack_l4proto.h       |   6 +
 net/bridge/netfilter/ebtables.c                    |   3 +-
 net/netfilter/ipvs/ip_vs_core.c                    |   2 +-
 net/netfilter/nf_conntrack_core.c                  |  43 +++-
 net/netfilter/nf_conntrack_netlink.c               |  34 ++-
 net/netfilter/nf_conntrack_proto.c                 |   2 +-
 net/netfilter/nf_conntrack_proto_icmp.c            |  93 +++++--
 net/netfilter/nf_conntrack_proto_icmpv6.c          |  52 +---
 net/netfilter/nf_nat_core.c                        |  11 +-
 net/netfilter/nf_tables_api.c                      |   2 +-
 net/netfilter/nfnetlink_log.c                      |   2 +-
 net/netfilter/nfnetlink_queue.c                    |   2 +-
 net/netfilter/xt_time.c                            |  23 +-
 tools/testing/selftests/netfilter/Makefile         |   2 +-
 .../selftests/netfilter/conntrack_icmp_related.sh  | 283 +++++++++++++++++++++
 tools/testing/selftests/netfilter/nft_nat.sh       |  36 ++-
 17 files changed, 493 insertions(+), 105 deletions(-)
 create mode 100755 tools/testing/selftests/netfilter/conntrack_icmp_related.sh
