Message-ID: <20260205110905.26629-1-fw@strlen.de>
Date: Thu, 5 Feb 2026 12:08:54 +0100
From: Florian Westphal <fw@...len.de>
To: <netdev@...r.kernel.org>
Cc: Paolo Abeni <pabeni@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
<netfilter-devel@...r.kernel.org>,
pablo@...filter.org
Subject: [PATCH net-next 00/11] netfilter: updates for net-next
The following patchset contains Netfilter updates for *net-next*:
1) Fix net-next-only use-after-free bug in nf_tables rbtree set:
Expired elements cannot be released right away after unlink anymore
because there is no guarantee that the binary-search blob is going to
be updated. Spotted by syzkaller.
2) Fix esoteric bug in nf_queue with udp fraglist gro, broken since
6.11. Patch 3 extends the nfqueue selftest for this.
4) Use dedicated slab for flowtable entries, currently the -512 cache
is used, which is wasteful. From Qingfang Deng.
5) Recent net-next update extended existing test for ip6ip6 tunnels, add
the required /config entry. Test still passed by accident because the
previous test's network setup gets re-used, so also update the test so
it will fail in case the ip6ip6 tunnel interface cannot be added.
6) Fix 'nft get element mytable myset { 1.2.3.4 }' on big endian
platforms; this was broken since the code was added in v5.1.
7-10) update nf_tables rbtree set type to detect partial
overlaps. This will eventually speed up nftables userspace: at this
time userspace does a netlink dump of the set content which slows down
incremental updates on interval sets. From Pablo Neira Ayuso.
11) fixes nf_tables counter reset support on 32bit platforms, where counter
reset may cause huge values to appear due to wraparound.
Broken since reset feature was added in v6.11. From Anders Grahn.
Please, pull these changes from:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-26-02-05
for you to fetch changes up to bd3aaea1ae36e2931ddb8e40464a4cd3cfa43bf6:
netfilter: nft_counter: fix reset of counters on 32bit archs (2026-02-05 11:45:28 +0100)
----------------------------------------------------------------
netfilter pull request nf-next-26-02-05
----------------------------------------------------------------
Anders Grahn (1):
netfilter: nft_counter: fix reset of counters on 32bit archs
Florian Westphal (5):
netfilter: nft_set_rbtree: don't gc elements on insert
netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation
selftests: netfilter: nft_queue.sh: add udp fraglist gro test case
selftests: netfilter: add IPV6_TUNNEL to config
netfilter: nft_set_hash: fix get operation on big endian
Pablo Neira Ayuso (4):
netfilter: nft_set_rbtree: fix bogus EEXIST with NLM_F_CREATE with null interval
netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets
netfilter: nft_set_rbtree: validate element belonging to interval
netfilter: nft_set_rbtree: validate open interval overlap
Qingfang Deng (1):
netfilter: flowtable: dedicated slab for flow entry
include/linux/u64_stats_sync.h | 10 +
include/net/netfilter/nf_queue.h | 1 +
include/net/netfilter/nf_tables.h | 4 +
net/netfilter/nf_flow_table_core.c | 12 +-
net/netfilter/nf_tables_api.c | 26 +-
net/netfilter/nfnetlink_queue.c | 123 +++---
net/netfilter/nft_counter.c | 4 +-
net/netfilter/nft_set_hash.c | 9 +-
net/netfilter/nft_set_rbtree.c | 376 ++++++++++++++----
tools/testing/selftests/net/netfilter/config | 1 +
.../selftests/net/netfilter/nft_flowtable.sh | 19 +-
.../selftests/net/netfilter/nft_queue.sh | 142 ++++++-
12 files changed, 579 insertions(+), 148 deletions(-)
--
2.52.0
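Items 7-10 above concern the invariant an nftables interval set enforces on insert: a new interval must either be identical to an existing element (EEXIST) or not overlap any existing element at all; a partial (or nested) overlap is rejected so the set stays a collection of disjoint ranges. The following is an added example written for this page, not code from the patches or from nf_tables: it models that rule over a sorted array of half-open intervals instead of the kernel's rbtree, and the function names, error-code choices and sample intervals are my own assumptions.

```c
/* Added example, not nf_tables code: minimal model of interval-set insertion
 * that rejects partial overlaps. Intervals are half-open [start, end) over
 * unsigned 32-bit keys, kept sorted by start and pairwise disjoint.
 * Names (interval_set_insert, interval_set_lookup) and error codes are mine. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INTERVALS 64

struct interval {
    uint32_t start, end;            /* [start, end), end > start */
};

struct interval_set {
    struct interval iv[MAX_INTERVALS];
    size_t n;                       /* sorted by start, pairwise disjoint */
};

/* Returns 0 on insert, -EEXIST if an identical interval already exists,
 * -ENOTEMPTY if [start, end) partially overlaps or nests with an existing
 * interval, -EINVAL for an empty interval, -ENOSPC if the set is full. */
int interval_set_insert(struct interval_set *s, uint32_t start, uint32_t end)
{
    size_t i;

    if (end <= start)
        return -EINVAL;

    /* Because the array is sorted and disjoint, the first element whose end
     * lies beyond 'start' is the only one that can intersect the new range. */
    for (i = 0; i < s->n; i++) {
        const struct interval *cur = &s->iv[i];

        if (cur->end <= start)
            continue;               /* entirely before the new interval */
        if (cur->start >= end)
            break;                  /* entirely after: insert here */
        if (cur->start == start && cur->end == end)
            return -EEXIST;         /* exact duplicate */
        return -ENOTEMPTY;          /* partial or nested overlap */
    }

    if (s->n == MAX_INTERVALS)
        return -ENOSPC;

    memmove(&s->iv[i + 1], &s->iv[i], (s->n - i) * sizeof(s->iv[0]));
    s->iv[i].start = start;
    s->iv[i].end = end;
    s->n++;
    return 0;
}

/* Binary search for the first interval whose end is beyond 'key';
 * 'key' is a member iff that interval also starts at or before it. */
int interval_set_lookup(const struct interval_set *s, uint32_t key)
{
    size_t lo = 0, hi = s->n;

    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;

        if (s->iv[mid].end <= key)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo < s->n && s->iv[lo].start <= key;
}

int main(void)
{
    /* Constructed sample intervals, chosen to hit each outcome. */
    struct interval_set s = { .n = 0 };

    printf("insert [10,20): %d\n", interval_set_insert(&s, 10, 20));
    printf("insert [30,40): %d\n", interval_set_insert(&s, 30, 40));
    printf("insert [10,20) again: %d (EEXIST=%d)\n",
           interval_set_insert(&s, 10, 20), EEXIST);
    printf("insert [15,35): %d (ENOTEMPTY=%d)\n",
           interval_set_insert(&s, 15, 35), ENOTEMPTY);
    printf("insert [0,10): %d\n", interval_set_insert(&s, 0, 10));
    printf("lookup 19: %d, lookup 20: %d\n",
           interval_set_lookup(&s, 19), interval_set_lookup(&s, 20));
    return 0;
}
```

The adjacency case ([0,10) next to [10,20)) is accepted because the ranges are half-open; a set that stores closed ranges needs the comparisons adjusted accordingly, which is exactly the kind of boundary the rbtree patches in this series exercise.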