[PATCH 00/14] Netfilter/IPVS fixes for net

[Pablo Neira Ayuso <pablo@netfilter.org>]

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Put back reference on CLUSTERIP configuration structure from the
   error path, patch from Florian Westphal.

2) Put reference on CLUSTERIP configuration instead of freeing it,
   another cpu may still be walking over it, also from Florian.

3) Refetch pointer to IPv6 header from nf_nat_ipv6_manip_pkt() given
   packet manipulation may reallocation the skbuff header, from Florian.

4) Missing match size sanity checks in ebt_among, from Florian.

5) Convert BUG_ON to WARN_ON in ebtables, from Florian.

6) Sanity check userspace offsets from ebtables kernel, from Florian.

7) Missing checksum replace call in flowtable IPv4 DNAT, from Felix
   Fietkau.

8) Bump the right stats on checksum error from bridge netfilter,
   from Taehee Yoo.

9) Unset interface flag in IPv6 fib lookups otherwise we get
   misleading routing lookup results, from Florian.

10) Missing sk_to_full_sk() in ip6_route_me_harder() from Eric Dumazet.

11) Don't allow devices to be part of multiple flowtables at the same
    time, this may break setups.

12) Missing netlink attribute validation in flowtable deletion.

13) Wrong array index in nf_unregister_net_hook() call from error path
    in flowtable addition path.

14) Fix FTP IPVS helper when NAT mangling is in place, patch from
    Julian Anastasov.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 9cb9c07d6b0c5fd97d83b8ab14d7e308ba4b612f:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2018-02-23 15:14:17 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 8a949fff0302b50063f74bb345a66190015528d0:

  ipvs: remove IPS_NAT_MASK check to fix passive FTP (2018-02-28 19:48:26 +0100)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: use skb_to_full_sk in ip6_route_me_harder

Felix Fietkau (1):
      netfilter: nf_flow_table: fix checksum when handling DNAT

Florian Westphal (7):
      netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount
      netfilter: ipt_CLUSTERIP: put config instead of freeing it
      netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
      netfilter: bridge: ebt_among: add missing match size checks
      netfilter: ebtables: convert BUG_ONs to WARN_ONs
      netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
      netfilter: don't set F_IFACE on ipv6 fib lookups

Julian Anastasov (1):
      ipvs: remove IPS_NAT_MASK check to fix passive FTP

Pablo Neira Ayuso (3):
      netfilter: nf_tables: return EBUSY if device already belongs to flowtable
      netfilter: nf_tables: missing attribute validation in nf_tables_delflowtable()
      netfilter: nf_tables: use the right index from flowtable error path

Taehee Yoo (1):
      netfilter: increase IPSTATS_MIB_CSUMERRORS stat

 net/bridge/br_netfilter_hooks.c          |  4 +++-
 net/bridge/netfilter/ebt_among.c         | 21 +++++++++++++++--
 net/bridge/netfilter/ebtables.c          | 40 ++++++++++++++++++++++++--------
 net/ipv4/netfilter/ipt_CLUSTERIP.c       | 15 ++++++++----
 net/ipv4/netfilter/nf_flow_table_ipv4.c  |  1 +
 net/ipv6/netfilter.c                     |  9 +++----
 net/ipv6/netfilter/ip6t_rpfilter.c       |  4 ----
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c |  4 ++++
 net/ipv6/netfilter/nft_fib_ipv6.c        | 12 ++--------
 net/netfilter/ipvs/ip_vs_ftp.c           |  2 +-
 net/netfilter/nf_tables_api.c            | 25 ++++++++++++++++++--
 11 files changed, 98 insertions(+), 39 deletions(-)