Message-Id: <20220312220315.64531-1-pablo@netfilter.org>
Date: Sat, 12 Mar 2022 23:03:12 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org
Cc: davem@...emloft.net, netdev@...r.kernel.org, kuba@...nel.org
Subject: [PATCH net 0/3] Netfilter fixes for net
Hi,
The following patchset contains Netfilter fixes for net coming late
in the 5.17-rc process:
1) Revert port remap to mitigate shadowing service ports, this is causing
problems in existing setups and this mitigation can be achieved with an
explicit ruleset, e.g.
... tcp sport < 16386 tcp dport >= 32768 masquerade random
These patches provided a built-in policy similar to the one described above.
2) Disable register tracking infrastructure in nf_tables. Florian reported
two issues:
- Existing expressions with no implemented .reduce interface
that cause data stores on registers should cancel the tracking.
- Register clobbering might be possible when storing data on registers that
are larger than 32 bits.
This might lead to generating incorrect ruleset bytecode. These two
issues are scheduled to be addressed in the next release cycle.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit f8e9bd34cedd89b93b1167aa32ab8ecd6c2ccf4a:
Merge branch 'smc-fix' (2022-03-03 10:34:18 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to ed5f85d4229010235eab1e3d9acf6970d9304963:
netfilter: nf_tables: disable register tracking (2022-03-12 16:07:38 +0100)
----------------------------------------------------------------
Florian Westphal (2):
Revert "netfilter: nat: force port remap to prevent shadowing well-known ports"
Revert "netfilter: conntrack: tag conntracks picked up in local out hook"
Pablo Neira Ayuso (1):
netfilter: nf_tables: disable register tracking
include/net/netfilter/nf_conntrack.h | 1 -
net/netfilter/nf_conntrack_core.c | 3 --
net/netfilter/nf_nat_core.c | 43 ++--------------------------
net/netfilter/nf_tables_api.c | 9 ++++--
tools/testing/selftests/netfilter/nft_nat.sh | 5 ++--
5 files changed, 12 insertions(+), 49 deletions(-)
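The explicit ruleset alluded to in item 1, written out as a complete nftables table so it can be loaded as-is. This is an added example, not part of the original e-mail or of the kernel tree; the table and chain names and the interface name `eth0` are assumptions.

```nft
# Constructed example: explicit NAT policy that reproduces the behaviour of
# the reverted built-in port remap. Table/chain names and "eth0" are assumed.
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;

		# Outbound connections that leave from a low (service-range) source
		# port towards a high (ephemeral) destination port get a randomly
		# chosen NAT source port instead of a preserved one, so the
		# translated source port does not coincide with a service port
		# on the gateway.
		oifname "eth0" tcp sport < 16386 tcp dport >= 32768 masquerade random

		# Everything else keeps the default masquerade behaviour.
		oifname "eth0" masquerade
	}
}
```

Load it with `nft -f <file>` on the NAT gateway and verify the resulting chain with `nft list table ip nat`.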