Message-Id: <20250717095808.41725-1-pablo@netfilter.org>
Date: Thu, 17 Jul 2025 11:58:08 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org
Cc: davem@...emloft.net,
netdev@...r.kernel.org,
kuba@...nel.org,
pabeni@...hat.com,
edumazet@...gle.com,
fw@...len.de,
horms@...nel.org
Subject: [PATCH net,v2 0/7] Netfilter fixes for net

v2: Include conntrack fix in cover letter.

-o-

Hi,

The following batch contains Netfilter fixes for net:

1) Three patches to enhance conntrack selftests for resize and clash
   resolution, from Florian Westphal.

2) Expand nft_concat_range.sh selftest to improve coverage of the error
   path, from Florian Westphal.

3) Hide clash bit from userspace in netlink dumps until there is a
   good reason to expose it, from Florian Westphal.

4) Revert notification for device registration/unregistration for
   nftables basechains and flowtables; we decided to go for a better
   way to handle this through the nfnetlink_hook infrastructure, which
   will come via nf-next, patch from Phil Sutter.

5) Fix crash in conntrack due to race related to SLAB_TYPESAFE_BY_RCU
   that results in removing a recycled object that is not yet in the
   hashes. Move IPS_CONFIRM setting after the object is in the hashes.
   From Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-07-17

Thanks.

----------------------------------------------------------------

The following changes since commit 7727ec1523d7973defa1dff8f9c0aad288d04008:

  net: emaclite: Fix missing pointer increment in aligned_read() (2025-07-11 16:37:06 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-07-17

for you to fetch changes up to 2d72afb340657f03f7261e9243b44457a9228ac7:

  netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (2025-07-17 11:23:33 +0200)

----------------------------------------------------------------
netfilter pull request 25-07-17
----------------------------------------------------------------
Florian Westphal (6):
      selftests: netfilter: conntrack_resize.sh: extend resize test
      selftests: netfilter: add conntrack clash resolution test case
      selftests: netfilter: conntrack_resize.sh: also use udpclash tool
      selftests: netfilter: nft_concat_range.sh: send packets to empty set
      netfilter: nf_tables: hide clash bit from userspace
      netfilter: nf_conntrack: fix crash due to removal of uninitialised entry

Phil Sutter (1):
      Revert "netfilter: nf_tables: Add notifications for hook changes"

 include/net/netfilter/nf_conntrack.h             |  15 +-
 include/net/netfilter/nf_tables.h                |   5 -
 include/uapi/linux/netfilter/nf_tables.h         |  10 --
 include/uapi/linux/netfilter/nfnetlink.h         |   2 -
 net/netfilter/nf_conntrack_core.c                |  26 ++-
 net/netfilter/nf_tables_api.c                    |  59 -------
 net/netfilter/nf_tables_trace.c                  |   3 +
 net/netfilter/nfnetlink.c                        |   1 -
 net/netfilter/nft_chain_filter.c                 |   2 -
 tools/testing/selftests/net/netfilter/.gitignore |   1 +
 tools/testing/selftests/net/netfilter/Makefile   |   3 +
 .../selftests/net/netfilter/conntrack_clash.sh   | 175 +++++++++++++++++++++
 .../selftests/net/netfilter/conntrack_resize.sh  |  97 +++++++++++-
 .../selftests/net/netfilter/nft_concat_range.sh  |   3 +
 tools/testing/selftests/net/netfilter/udpclash.c | 158 +++++++++++++++++++
 15 files changed, 468 insertions(+), 92 deletions(-)
 create mode 100755 tools/testing/selftests/net/netfilter/conntrack_clash.sh
 create mode 100644 tools/testing/selftests/net/netfilter/udpclash.c