Message-Id: <20240512161436.168973-1-pablo@netfilter.org>
Date: Sun, 12 May 2024 18:14:19 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org
Cc: davem@...emloft.net,
netdev@...r.kernel.org,
kuba@...nel.org,
pabeni@...hat.com,
edumazet@...gle.com,
fw@...len.de
Subject: [PATCH net-next 00/17] Netfilter updates for net-next
Hi,

The following patchset contains Netfilter updates for net-next:

Patch #1 skips the transaction if the object type provides no .update interface.

Patch #2 skips NETDEV_CHANGENAME, which is unused.

Patch #3 enables conntrack to handle Multicast Router Advertisements and
Multicast Router Solicitations from the Multicast Router Discovery
protocol (RFC4286) as untracked, as opposed to invalid, packets.
From Linus Luessing.

Patch #4 updates the DCCP conntracker to mark invalid packets as invalid instead of
dropping them, from Jason Xing.

Patch #5 uses NF_DROP instead of -NF_DROP since NF_DROP is 0, also from Jason.

Patch #6 removes a reference in netfilter's sysctl documentation to pickup
entries which were already removed, by Florian Westphal.

Patch #7 removes the check for the IPS_OFFLOAD flag that disables early drop, which allows
evicting entries from the conntrack table, also from Florian.

Patches #8 to #16 update the nf_tables pipapo set backend to allocate the
data structure copy on demand from the preparation phase, to better deal
with OOM situations where the .commit step is too late to fail.
Series from Florian Westphal.

Patch #17 adds a selftest with packetdrill to cover conntrack TCP state
transitions, also from Florian.

Patch #18 uses GFP_KERNEL to clone elements from the control plane to avoid
quick exhaustion of atomic reserves with large sets; the reporter refers
to sets on the order of a million entries.

Please pull these changes from:

git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-24-05-12

Thanks.
----------------------------------------------------------------
The following changes since commit cdc74c9d06e72addde01092d09f13bb86d3ed7d0:
Merge branch 'gve-queue-api' (2024-05-05 14:35:48 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-24-05-12
for you to fetch changes up to fa23e0d4b756d25829e124d6b670a4c6bbd4bf7e:
netfilter: nf_tables: allow clone callbacks to sleep (2024-05-10 11:13:45 +0200)
----------------------------------------------------------------
netfilter pull request 24-05-12
----------------------------------------------------------------
Florian Westphal (12):
netfilter: conntrack: documentation: remove reference to non-existent sysctl
netfilter: conntrack: remove flowtable early-drop test
netfilter: nft_set_pipapo: move prove_locking helper around
netfilter: nft_set_pipapo: make pipapo_clone helper return NULL
netfilter: nft_set_pipapo: prepare destroy function for on-demand clone
netfilter: nft_set_pipapo: prepare walk function for on-demand clone
netfilter: nft_set_pipapo: merge deactivate helper into caller
netfilter: nft_set_pipapo: prepare pipapo_get helper for on-demand clone
netfilter: nft_set_pipapo: move cloning of match info to insert/removal path
netfilter: nft_set_pipapo: remove dirty flag
selftests: netfilter: add packetdrill based conntrack tests
netfilter: nf_tables: allow clone callbacks to sleep
Jason Xing (2):
netfilter: conntrack: dccp: try not to drop skb in conntrack
netfilter: use NF_DROP instead of -NF_DROP
Linus Lüssing (1):
netfilter: conntrack: fix ct-state for ICMPv6 Multicast Router Discovery
Pablo Neira Ayuso (2):
netfilter: nf_tables: skip transaction if update object is not implemented
netfilter: nf_tables: remove NETDEV_CHANGENAME from netdev chain event handler
Documentation/networking/nf_conntrack-sysctl.rst | 4 +-
include/net/netfilter/nf_tables.h | 4 +-
include/uapi/linux/icmpv6.h | 1 +
net/ipv4/netfilter/iptable_filter.c | 2 +-
net/ipv6/netfilter/ip6table_filter.c | 2 +-
net/netfilter/nf_conntrack_core.c | 4 +-
net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
net/netfilter/nf_conntrack_proto_icmpv6.c | 4 +-
net/netfilter/nf_tables_api.c | 16 +-
net/netfilter/nft_chain_filter.c | 6 +-
net/netfilter/nft_connlimit.c | 4 +-
net/netfilter/nft_counter.c | 4 +-
net/netfilter/nft_dynset.c | 2 +-
net/netfilter/nft_last.c | 4 +-
net/netfilter/nft_limit.c | 14 +-
net/netfilter/nft_quota.c | 4 +-
net/netfilter/nft_set_pipapo.c | 258 ++++++++++-----------
net/netfilter/nft_set_pipapo.h | 2 -
tools/testing/selftests/net/netfilter/Makefile | 2 +
tools/testing/selftests/net/netfilter/config | 1 +
.../net/netfilter/nf_conntrack_packetdrill.sh | 71 ++++++
.../selftests/net/netfilter/packetdrill/common.sh | 33 +++
.../packetdrill/conntrack_ack_loss_stall.pkt | 118 ++++++++++
.../packetdrill/conntrack_inexact_rst.pkt | 62 +++++
.../packetdrill/conntrack_rst_invalid.pkt | 59 +++++
.../packetdrill/conntrack_syn_challenge_ack.pkt | 44 ++++
.../netfilter/packetdrill/conntrack_synack_old.pkt | 51 ++++
.../packetdrill/conntrack_synack_reuse.pkt | 34 +++
28 files changed, 639 insertions(+), 175 deletions(-)
create mode 100755 tools/testing/selftests/net/netfilter/nf_conntrack_packetdrill.sh
create mode 100755 tools/testing/selftests/net/netfilter/packetdrill/common.sh
create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_ack_loss_stall.pkt
create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_inexact_rst.pkt
create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_rst_invalid.pkt
create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt
create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_synack_old.pkt
create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_synack_reuse.pkt