lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191209192638.71184-1-pablo@netfilter.org> Date: Mon, 9 Dec 2019 20:26:21 +0100 From: Pablo Neira Ayuso <pablo@...filter.org> To: netfilter-devel@...r.kernel.org Cc: davem@...emloft.net, netdev@...r.kernel.org Subject: [PATCH 00/17] Netfilter fixes for net Hi, The following patchset contains Netfilter fixes for net: 1) Wait for rcu grace period after releasing netns in ctnetlink, from Florian Westphal. 2) Incorrect command type in flowtable offload ndo invocation, from wenxu. 3) Incorrect callback type in flowtable offload flow tuple updates, also from wenxu. 4) Fix compile warning on flowtable offload infrastructure due to possible reference to uninitialized variable, from Nathan Chancellor. 5) Do not inline nf_ct_resolve_clash(), this is called from slow path / stress situations. From Florian Westphal. 6) Missing IPv6 flow selector description in flowtable offload. 7) Missing check for NETDEV_UNREGISTER in nf_tables offload infrastructure, from wenxu. 8) Update NAT selftest to use randomized netns names, from Florian Westphal. 9) Restore nfqueue bridge support, from Marco Oliverio. 10) Compilation warning in SCTP_CHUNKMAP_*() on xt_sctp header. From Phil Sutter. 11) Fix bogus lookup/get match for non-anonymous rbtree sets. 12) Missing netlink validation for NFT_SET_ELEM_INTERVAL_END elements. 13) Missing netlink validation for NFT_DATA_VALUE after nft_data_init(). 14) If rule specifies no actions, offload infrastructure returns EOPNOTSUPP. 15) Module refcount leak in object updates. 16) Missing sanitization for ARP traffic from br_netfilter, from Eric Dumazet. 17) Compilation breakage on big-endian due to incorrect memcpy() size in the flowtable offload infrastructure. You can pull these changes from: git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Thanks. ---------------------------------------------------------------- The following changes since commit 61183b056b49e2937ff92a1424291ba36a6f6d05: net: macb: add missed tasklet_kill (2019-11-28 23:05:28 -0800) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD for you to fetch changes up to 7acd9378dc65296b2531758aa62ee9bcf55b371c: netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle() (2019-12-09 20:07:59 +0100) ---------------------------------------------------------------- Eric Dumazet (1): netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() Florian Westphal (3): netfilter: ctnetlink: netns exit must wait for callbacks netfilter: conntrack: tell compiler to not inline nf_ct_resolve_clash selftests: netfilter: use randomized netns names Marco Oliverio (1): netfilter: nf_queue: enqueue skbs with NULL dst Nathan Chancellor (1): netfilter: nf_flow_table_offload: Don't use offset uninitialized in flow_offload_port_{d,s}nat Pablo Neira Ayuso (7): netfilter: nf_flow_table_offload: add IPv6 match description netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements in named sets netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init() netfilter: nf_tables: skip module reference count bump on object updates netfilter: nf_tables_offload: return EOPNOTSUPP if rule specifies no actions netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle() Phil Sutter (1): netfilter: uapi: Avoid undefined left-shift in xt_sctp.h wenxu (3): netfilter: nf_flow_table_offload: Fix block setup as TC_SETUP_FT cmd netfilter: nf_flow_table_offload: Fix block_cb tc_setup_type as TC_SETUP_CLSFLOWER netfilter: nf_tables_offload: Check for the NETDEV_UNREGISTER event include/uapi/linux/netfilter/xt_sctp.h | 6 +- net/bridge/br_netfilter_hooks.c | 3 + net/netfilter/nf_conntrack_core.c | 7 +- net/netfilter/nf_conntrack_netlink.c | 3 + net/netfilter/nf_flow_table_offload.c | 83 ++++--- net/netfilter/nf_queue.c | 2 +- net/netfilter/nf_tables_api.c | 18 +- net/netfilter/nf_tables_offload.c | 6 + net/netfilter/nft_bitwise.c | 4 +- net/netfilter/nft_cmp.c | 6 + net/netfilter/nft_range.c | 10 + net/netfilter/nft_set_rbtree.c | 21 +- tools/testing/selftests/netfilter/nft_nat.sh | 332 ++++++++++++++------------- 13 files changed, 288 insertions(+), 213 deletions(-)
Powered by blists - more mailing lists