From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com
Subject: Re: [PATCH net 00/14,v2] Netfilter/IPVS fixes for net
Date: Tue, 20 Jun 2023 19:00:20 +0200
Message-ID: <ZJHbJHKVSNpp5dBd@calendula>
In-Reply-To: <20230620093542.69232-1-pablo@netfilter.org>

Hi,

I found another bug on this batch.

I need a v3. Sorry for the inconvenience.

On Tue, Jun 20, 2023 at 11:35:28AM +0200, Pablo Neira Ayuso wrote:
> This is v2 addressing comments from Simon Horman.
>
> -o-
>
> Hi,
>
> The following patchset contains Netfilter/IPVS fixes for net:
>
> 1) Fix UDP segmentation with IPVS tunneled traffic, from Terin Stock.
>
> 2) Fix chain binding transaction logic, add a bound flag to rule
> transactions. Remove incorrect logic in nft_data_hold() and
> nft_data_release().
>
> 3) Add a NFT_TRANS_PREPARE_ERROR deactivate state to deal with releasing
> the set/chain as a follow up to 1240eb93f061 ("netfilter: nf_tables:
> incorrect error path handling with NFT_MSG_NEWRULE")
>
> 4) Drop map element references from preparation phase instead of
> set destroy path, otherwise bogus EBUSY with transactions such as:
>
> flush chain ip x y
> delete chain ip x w
>
> where chain ip x y contains jump/goto from set elements.
>
> 5) Pipapo set type does not regard generation mask from the walk
> iteration.
>
> 6) Fix reference count underflow in set element reference to
> stateful object.
>
> 7) Several patches to tighten the nf_tables API:
> - disallow set element updates of bound anonymous set
> - disallow unbound anonymous set/chain at the end of transaction.
> - disallow updates of anonymous set.
> - disallow timeout configuration for anonymous sets.
>
> 8) Fix module reference leak in chain updates.
>
> 9) Fix nfnetlink_osf module autoload.
>
> 10) Fix deletion of basechain when NFTA_CHAIN_HOOK is specified as
> in iptables-nft.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-06-20
>
> Thanks.
>
> ----------------------------------------------------------------
>
> The following changes since commit 0dbcac3a6dbb32c1de53ebebfd28452965e12950:
>
> Merge tag 'mlx5-fixes-2023-06-16' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux (2023-06-19 10:28:56 +0100)
>
> are available in the Git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-06-20
>
> for you to fetch changes up to 0bbeb93db1729a135370a99d1be715fd8a59e6c0:
>
> netfilter: nf_tables: Fix for deleting base chains with payload (2023-06-19 23:29:18 +0200)
>
> ----------------------------------------------------------------
> netfilter pull request 23-06-20
>
> ----------------------------------------------------------------
> Pablo Neira Ayuso (12):
> netfilter: nf_tables: fix chain binding transaction logic
> netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain
> netfilter: nf_tables: drop map element references from preparation phase
> netfilter: nft_set_pipapo: .walk does not deal with generations
> netfilter: nf_tables: fix underflow in object reference counter
> netfilter: nf_tables: disallow element updates of bound anonymous sets
> netfilter: nf_tables: reject unbound anonymous set before commit phase
> netfilter: nf_tables: reject unbound chain set before commit phase
> netfilter: nf_tables: disallow updates of anonymous sets
> netfilter: nf_tables: disallow timeout for anonymous sets
> netfilter: nf_tables: drop module reference after updating chain
> netfilter: nfnetlink_osf: fix module autoload
>
> Phil Sutter (1):
> netfilter: nf_tables: Fix for deleting base chains with payload
>
> Terin Stock (1):
> ipvs: align inner_mac_header for encapsulation
>
> include/net/netfilter/nf_tables.h | 31 +++-
> net/netfilter/ipvs/ip_vs_xmit.c | 2 +
> net/netfilter/nf_tables_api.c | 366 ++++++++++++++++++++++++++++++--------
> net/netfilter/nfnetlink_osf.c | 1 +
> net/netfilter/nft_immediate.c | 78 +++++++-
> net/netfilter/nft_set_bitmap.c | 5 +-
> net/netfilter/nft_set_hash.c | 23 ++-
> net/netfilter/nft_set_pipapo.c | 20 ++-
> net/netfilter/nft_set_rbtree.c | 5 +-
> net/netfilter/xt_osf.c | 1 -
> 10 files changed, 435 insertions(+), 97 deletions(-)
>