| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260102114128.7007-1-fw@strlen.de>
Date: Fri, 2 Jan 2026 12:41:22 +0100
From: Florian Westphal <fw@...len.de>
To: <netdev@...r.kernel.org>
Cc: Paolo Abeni <pabeni@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
<netfilter-devel@...r.kernel.org>,
pablo@...filter.org
Subject: [PATCH net 0/6] netfilter: updates for net
Hi,
The following patchset contains Netfilter fixes for *net*:
1) Fix overlap detection for nf_tables with concatenated ranges.
There are cases where element could not be added due to a conflict
with existing range, while kernel reports success to userspace.
2) update selftest to cover this bug.
3) synproxy update path should use READ/WRITE once as we replace
config struct while packet path might read it in parallel.
This relies on said config struct to fit sizeof(long).
From Fernando Fernandez Mancera.
4) Don't return -EEXIST from xtables in module load path, a pending
patch to module infra will spot a warning if this happens.
From Daniel Gomez.
5) Fix a memory leak in nf_tables when chain hits 2**32 users
and rule is to be hw-offloaded, from Zilin Guan.
6) Avoid infinite list growth when insert rate is high in nf_conncount,
also from Fernando.
Please, pull these changes from:
The following changes since commit dbf8fe85a16a33d6b6bd01f2bc606fc017771465:
Merge tag 'net-6.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2025-12-30 08:45:58 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-01-02
for you to fetch changes up to 7811ba452402d58628e68faedf38745b3d485e3c:
netfilter: nf_conncount: update last_gc only when GC has been performed (2026-01-02 10:44:28 +0100)
----------------------------------------------------------------
netfilter pull request nf-26-01-02
----------------------------------------------------------------
Daniel Gomez (1):
netfilter: replace -EEXIST with -EBUSY
Fernando Fernandez Mancera (2):
netfilter: nft_synproxy: avoid possible data-race on update operation
netfilter: nf_conncount: update last_gc only when GC has been performed
Florian Westphal (2):
netfilter: nft_set_pipapo: fix range overlap detection
selftests: netfilter: nft_concat_range.sh: add check for overlap detection bug
Zilin Guan (1):
netfilter: nf_tables: fix memory leak in nf_tables_newrule()
net/bridge/netfilter/ebtables.c | 2 +-
net/netfilter/nf_conncount.c | 2 +-
net/netfilter/nf_log.c | 4 +-
net/netfilter/nf_tables_api.c | 3 +-
net/netfilter/nft_set_pipapo.c | 4 +-
net/netfilter/nft_synproxy.c | 6 +--
net/netfilter/x_tables.c | 2 +-
.../selftests/net/netfilter/nft_concat_range.sh | 45 +++++++++++++++++++++-
8 files changed, 56 insertions(+), 12 deletions(-)
# WARNING: 0000-cover-letter.patch lacks signed-off-by tag!
# WARNING: skip 0000-cover-letter.patch, no "Fixes" tag!
# INFO: 0001-netfilter-nft_set_pipapo-fix-range-overlap-detection.patch fixes commit from v5.6~21^2~5^2~5
# WARNING: skip 0002-selftests-netfilter-nft_concat_range.sh-add-check-fo.patch, no "Fixes" tag!
# INFO: 0003-netfilter-nft_synproxy-avoid-possible-data-race-on-u.patch fixes commit from v5.4-rc1~131^2~26^2~23
# WARNING: skip 0004-netfilter-replace-EEXIST-with-EBUSY.patch, no "Fixes" tag!
# INFO: 0005-netfilter-nf_tables-fix-memory-leak-in-nf_tables_new.patch fixes commit from v6.5-rc2~22^2~39^2~5
# INFO: 0006-netfilter-nf_conncount-update-last_gc-only-when-GC-h.patch fixes commit from v5.19-rc1~159^2~45^2~2
Powered by blists - more mailing lists