Message-Id: <20230118123208.17167-1-fw@strlen.de>
Date: Wed, 18 Jan 2023 13:31:59 +0100
From: Florian Westphal <fw@...len.de>
To: <netdev@...r.kernel.org>
Cc: Jakub Kicinski <kuba@...nel.org>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
<netfilter-devel@...r.kernel.org>, Florian Westphal <fw@...len.de>
Subject: [PATCH net-next 0/9] Netfilter updates for net-next
Hello,
The following patch set includes netfilter updates for your *net-next* tree.
1. Replace pr_debug use with nf_log infra for debugging in sctp
conntrack.
2. Remove pr_debug calls, they are either useless or we have better
options in place.
3. Avoid repeated load of ct->status in some spots.
Some bit-flags cannot change during the lifetime of
a connection, so no need to re-fetch those.
4. Avoid unneeded nesting of rcu_read_lock during tuple lookup.
5. Remove the CLUSTERIP target. Marked as obsolete for years,
and we still have WARN splats wrt. races of the out-of-band
/proc interface installed by this target.
6. Add static key to nf_tables to avoid the retpoline mitigation
if/else if cascade provided the cpu doesn't need the retpoline thunk.
7. Add nf_tables objref calls to the retpoline mitigation workaround.
8. Split parts of nft_ct.c that do not need symbols exported by
the conntrack modules and place them in nf_tables directly.
This allows avoiding indirect calls for 'ct status' checks.
9. Add 'destroy' commands to nf_tables. They are identical
to the existing 'delete' commands, but do not indicate
an error if the referenced object (set, chain, rule...)
did not exist, from Fernando.
The following changes since commit c4791b3196bf46367bcf6cc56a09b32e037c4f49:
Merge branch 'net-mdio-continue-separating-c22-and-c45' (2023-01-17 19:34:10 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git
for you to fetch changes up to f80a612dd77c4585171e44a06b490466bdeec1ae:
netfilter: nf_tables: add support to destroy operation (2023-01-18 13:09:00 +0100)
----------------------------------------------------------------
Fernando Fernandez Mancera (1):
netfilter: nf_tables: add support to destroy operation
Florian Westphal (8):
netfilter: conntrack: sctp: use nf log infrastructure for invalid packets
netfilter: conntrack: remove pr_debug calls
netfilter: conntrack: avoid reload of ct->status
netfilter: conntrack: move rcu read lock to nf_conntrack_find_get
netfilter: ip_tables: remove clusterip target
netfilter: nf_tables: add static key to skip retpoline workarounds
netfilter: nf_tables: avoid retpoline overhead for objref calls
netfilter: nf_tables: avoid retpoline overhead for some ct expression calls
include/net/netfilter/nf_tables_core.h | 16 +
include/uapi/linux/netfilter/nf_tables.h | 14 +
net/ipv4/netfilter/Kconfig | 14 -
net/ipv4/netfilter/Makefile | 1 -
net/ipv4/netfilter/ipt_CLUSTERIP.c | 929 -------------------------------
net/netfilter/Makefile | 6 +
net/netfilter/nf_conntrack_core.c | 46 +-
net/netfilter/nf_conntrack_proto.c | 20 +-
net/netfilter/nf_conntrack_proto_sctp.c | 46 +-
net/netfilter/nf_conntrack_proto_tcp.c | 9 -
net/netfilter/nf_conntrack_proto_udp.c | 10 +-
net/netfilter/nf_tables_api.c | 111 +++-
net/netfilter/nf_tables_core.c | 35 +-
net/netfilter/nft_ct.c | 39 +-
net/netfilter/nft_ct_fast.c | 56 ++
net/netfilter/nft_objref.c | 12 +-
16 files changed, 302 insertions(+), 1062 deletions(-)
delete mode 100644 net/ipv4/netfilter/ipt_CLUSTERIP.c
create mode 100644 net/netfilter/nft_ct_fast.c
--
2.38.2
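Items 6 to 8 of the cover letter describe the retpoline workaround in nf_tables: instead of calling an expression's handler through a function pointer (which, on CPUs that need a retpoline thunk, is noticeably slower than a direct call), the evaluator compares the pointer against the handlers it knows and calls the matching one by name, and a static key skips that cascade entirely on CPUs that do not need the thunk. The following is an added toy model of that pattern in user-space C; it is not kernel code and none of its names (expr_cmp, expr_accept, run_demo, the verdict constants, cpu_needs_retpoline standing in for the static key) are the kernel's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model of the "direct call cascade + static key" pattern.
 * Verdict values and expression names are invented for this example.
 */
#define NFT_CONTINUE 0
#define NFT_BREAK    1
#define NFT_ACCEPT   2

struct expr;
typedef void (*eval_fn)(const struct expr *e, int *verdict, int pkt_mark);

struct expr {
	eval_fn eval;  /* handler; the indirect-call target */
	int arg;       /* per-expression operand (e.g. the mark to compare) */
};

/* Counters so a caller can observe which call path was taken. */
static unsigned long direct_calls, indirect_calls;

/* Stand-in for the static key: true means the CPU needs retpoline thunks,
 * so indirect calls are expensive and the cascade is worth running. */
static bool cpu_needs_retpoline = true;

static void expr_cmp(const struct expr *e, int *verdict, int pkt_mark)
{
	if (pkt_mark != e->arg)
		*verdict = NFT_BREAK;  /* rule does not match this packet */
}

static void expr_counter(const struct expr *e, int *verdict, int pkt_mark)
{
	(void)e; (void)verdict; (void)pkt_mark;  /* would bump byte/packet counters */
}

static void expr_accept(const struct expr *e, int *verdict, int pkt_mark)
{
	(void)e; (void)pkt_mark;
	*verdict = NFT_ACCEPT;
}

/* A handler the fast path does not know about (e.g. an out-of-tree module). */
static void expr_unknown(const struct expr *e, int *verdict, int pkt_mark)
{
	(void)e; (void)verdict; (void)pkt_mark;
}

/* The if/else-if cascade: pointer compare, then a direct call by name.
 * Unknown handlers fall back to the indirect call. */
static void expr_eval_cascade(const struct expr *e, int *verdict, int pkt_mark)
{
	if (e->eval == expr_cmp) {
		direct_calls++;
		expr_cmp(e, verdict, pkt_mark);
	} else if (e->eval == expr_counter) {
		direct_calls++;
		expr_counter(e, verdict, pkt_mark);
	} else if (e->eval == expr_accept) {
		direct_calls++;
		expr_accept(e, verdict, pkt_mark);
	} else {
		indirect_calls++;
		e->eval(e, verdict, pkt_mark);
	}
}

static void expr_eval(const struct expr *e, int *verdict, int pkt_mark)
{
	if (cpu_needs_retpoline) {        /* static_branch in the kernel */
		expr_eval_cascade(e, verdict, pkt_mark);
	} else {
		indirect_calls++;         /* indirect call is cheap here */
		e->eval(e, verdict, pkt_mark);
	}
}

/* Evaluate one rule's expressions left to right until a verdict is reached. */
int run_rule(const struct expr *exprs, size_t n, int pkt_mark)
{
	int verdict = NFT_CONTINUE;

	for (size_t i = 0; i < n && verdict == NFT_CONTINUE; i++)
		expr_eval(&exprs[i], &verdict, pkt_mark);
	return verdict;
}

/* Constructed sample rule: "mark == 42 counter <unknown expr> accept". */
static const struct expr demo_rule[] = {
	{ expr_cmp, 42 }, { expr_counter, 0 }, { expr_unknown, 0 }, { expr_accept, 0 },
};

void set_retpoline_needed(bool needed)
{
	cpu_needs_retpoline = needed;
	direct_calls = indirect_calls = 0;
}

unsigned long get_direct_calls(void)   { return direct_calls; }
unsigned long get_indirect_calls(void) { return indirect_calls; }

int run_demo(int pkt_mark)
{
	return run_rule(demo_rule, sizeof(demo_rule) / sizeof(demo_rule[0]), pkt_mark);
}

int main(void)
{
	set_retpoline_needed(true);
	printf("verdict=%d direct=%lu indirect=%lu\n", run_demo(42),
	       get_direct_calls(), get_indirect_calls());
	set_retpoline_needed(false);
	printf("verdict=%d direct=%lu indirect=%lu\n", run_demo(42),
	       get_direct_calls(), get_indirect_calls());
	return 0;
}
```

With the key set, three of the four expressions resolve to direct calls and only the unknown handler goes through the function pointer; with the key cleared, every expression is an ordinary indirect call and the cascade costs nothing. Item 8 applies the same idea to 'ct status' checks by moving the parts of nft_ct.c that need no conntrack symbols into nf_tables itself, so they can appear in the cascade.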