| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Mar 2022 15:54:40 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org
Subject: Re: [PATCH net 0/3] Netfilter fixes for net
On Sat, 12 Mar 2022 23:03:12 +0100 Pablo Neira Ayuso wrote:
> 1) Revert port remap to mitigate shadowing service ports, this is causing
> problems in existing setups and this mitigation can be achieved with
> explicit ruleset, eg.
>
> ... tcp sport < 16386 tcp dport >= 32768 masquerade random
>
> This patches provided a built-in policy similar to the one described above.
>
> 2) Disable register tracking infrastructure in nf_tables. Florian reported
> two issues:
>
> - Existing expressions with no implemented .reduce interface
> that causes data-store on register should cancel the tracking.
> - Register clobbering might be possible storing data on registers that
> are larger than 32-bits.
>
> This might lead to generating incorrect ruleset bytecode. These two
> issues are scheduled to be addressed in the next release cycle.
Minor nit for the future - it'd still be useful to have Fixes tags even
for reverts or current release fixes so that lowly backporters (myself
included) do not have to dig into history to double confirm patches
are not needed in the production kernels we maintain. Thanks!
Powered by blists - more mailing lists