lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230118123208.17167-1-fw@strlen.de>
Date:   Wed, 18 Jan 2023 13:31:59 +0100
From:   Florian Westphal <fw@...len.de>
To:     <netdev@...r.kernel.org>
Cc:     Jakub Kicinski <kuba@...nel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Paolo Abeni <pabeni@...hat.com>,
        "David S. Miller" <davem@...emloft.net>,
        <netfilter-devel@...r.kernel.org>, Florian Westphal <fw@...len.de>
Subject: [PATCH net-next 0/9] Netfilter updates for net-next

Hello,

following patch set includes netfilter updates for your *net-next* tree.

1. Replace pr_debug use with nf_log infra for debugging in sctp
   conntrack.
2. Remove pr_debug calls, they are either useless or we have better
   options in place.
3. Avoid repeated load of ct->status in some spots.
   Some bit-flags cannot change during the lifeetime of
   a connection, so no need to re-fetch those.
4. Avoid uneeded nesting of rcu_read_lock during tuple lookup.
5. Remove the CLUSTERIP target.  Marked as obsolete for years,
   and we still have WARN splats wrt. races of the out-of-band
   /proc interface installed by this target.
6. Add static key to nf_tables to avoid the retpoline mitigation
   if/else if cascade provided the cpu doesn't need the retpoline thunk.
7. add nf_tables objref calls to the retpoline mitigation workaround.
8. Split parts of nft_ct.c that do not need symbols exported by
   the conntrack modules and place them in nf_tables directly.
   This allows to avoid indirect call for 'ct status' checks.
9. Add 'destroy' commands to nf_tables.  They are identical
   to the existing 'delete' commands, but do not indicate
   an error if the referenced object (set, chain, rule...)
   did not exist, from Fernando.

The following changes since commit c4791b3196bf46367bcf6cc56a09b32e037c4f49:

  Merge branch 'net-mdio-continue-separating-c22-and-c45' (2023-01-17 19:34:10 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git

for you to fetch changes up to f80a612dd77c4585171e44a06b490466bdeec1ae:

  netfilter: nf_tables: add support to destroy operation (2023-01-18 13:09:00 +0100)

----------------------------------------------------------------
Fernando Fernandez Mancera (1):
      netfilter: nf_tables: add support to destroy operation

Florian Westphal (8):
      netfilter: conntrack: sctp: use nf log infrastructure for invalid packets
      netfilter: conntrack: remove pr_debug calls
      netfilter: conntrack: avoid reload of ct->status
      netfilter: conntrack: move rcu read lock to nf_conntrack_find_get
      netfilter: ip_tables: remove clusterip target
      netfilter: nf_tables: add static key to skip retpoline workarounds
      netfilter: nf_tables: avoid retpoline overhead for objref calls
      netfilter: nf_tables: avoid retpoline overhead for some ct expression calls

 include/net/netfilter/nf_tables_core.h   |  16 +
 include/uapi/linux/netfilter/nf_tables.h |  14 +
 net/ipv4/netfilter/Kconfig               |  14 -
 net/ipv4/netfilter/Makefile              |   1 -
 net/ipv4/netfilter/ipt_CLUSTERIP.c       | 929 -------------------------------
 net/netfilter/Makefile                   |   6 +
 net/netfilter/nf_conntrack_core.c        |  46 +-
 net/netfilter/nf_conntrack_proto.c       |  20 +-
 net/netfilter/nf_conntrack_proto_sctp.c  |  46 +-
 net/netfilter/nf_conntrack_proto_tcp.c   |   9 -
 net/netfilter/nf_conntrack_proto_udp.c   |  10 +-
 net/netfilter/nf_tables_api.c            | 111 +++-
 net/netfilter/nf_tables_core.c           |  35 +-
 net/netfilter/nft_ct.c                   |  39 +-
 net/netfilter/nft_ct_fast.c              |  56 ++
 net/netfilter/nft_objref.c               |  12 +-
 16 files changed, 302 insertions(+), 1062 deletions(-)
 delete mode 100644 net/ipv4/netfilter/ipt_CLUSTERIP.c
 create mode 100644 net/netfilter/nft_ct_fast.c
-- 
2.38.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ