From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
kadlec@netfilter.org
Subject: [PATCH net 0/6,v3] Netfilter fixes for net
Date: Wed, 29 May 2024 00:55:13 +0200
Message-ID: <20240528225519.1155786-1-pablo@netfilter.org>

v3: fixes checkpatch warning in 4/6 on use of space instead of indentation.

-o-

Hi,

The following patchset contains Netfilter fixes for net:

Patch #1 syzbot reports that nf_reinject() could be called without
         rcu_read_lock() when flushing pending packets at nfnetlink
         queue removal, from Eric Dumazet.

Patch #2 flushes ipset list:set when canceling garbage collection to
         reference to other lists to fix a race, from Jozsef Kadlecsik.

Patch #3 restores q-in-q matching with nft_payload by reverting
         f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support").

Patch #4 fixes vlan mangling in skbuff when vlan offload is present
         in skbuff, without this patch nft_payload corrupts packets
         in this case.

Patch #5 fixes possible null-deref in tproxy if no IP address is found in
         netdevice, reported by syzbot and patch from Florian Westphal.

Patch #6 removes a superfluous restriction which prevents loose fib
         lookups from input and forward hooks, from Eric Garver.

My assessment is that patches #1, #2 and #5 address possible kernel
crash, anything else in this batch fixes broken features.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-05-29

Thanks.

----------------------------------------------------------------

The following changes since commit 4b377b4868ef17b040065bd468668c707d2477a5:

  kprobe/ftrace: fix build error due to bad function definition (2024-05-17 19:17:55 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-05-29

for you to fetch changes up to e8ded22ef0f4831279c363c264cd41cd9d59ca9e:

  netfilter: nft_fib: allow from forward/input without iif selector (2024-05-29 00:37:51 +0200)

----------------------------------------------------------------
netfilter pull request 24-05-29

----------------------------------------------------------------
Alexander Maltsev (1):
      netfilter: ipset: Add list flush to cancel_gc

Eric Dumazet (1):
      netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()

Eric Garver (1):
      netfilter: nft_fib: allow from forward/input without iif selector

Florian Westphal (1):
      netfilter: tproxy: bail out if IP has been disabled on the device

Pablo Neira Ayuso (2):
      netfilter: nft_payload: restore vlan q-in-q match support
      netfilter: nft_payload: skbuff vlan metadata mangle support

 net/ipv4/netfilter/nf_tproxy_ipv4.c   |  2 +
 net/netfilter/ipset/ip_set_list_set.c |  3 ++
 net/netfilter/nfnetlink_queue.c       |  2 +
 net/netfilter/nft_fib.c               |  8 ++-
 net/netfilter/nft_payload.c           | 95 ++++++++++++++++++++++++++---------
 5 files changed, 82 insertions(+), 28 deletions(-)