[PATCH net 00/14] Netfilter fixes for net

[Pablo Neira Ayuso <pablo@netfilter.org>]

Hi,

The following patchset contains Netfilter fixes for net. All fixes
included in this batch address problems appearing in several releases:

1) Fix crash with malformed ebtables blob which do not provide all
   entry points, from Florian Westphal.

2) Fix possible TCP connection clogging up with default 5-days
   timeout in conntrack, from Florian.

3) Fix crash in nf_tables tproxy with unsupported chains, also from Florian.

4) Do not allow to update implicit chains.

5) Make table handle allocation per-netns to fix data race.

6) Do not truncated payload length and offset, and checksum offset.
   Instead report EINVAl.

7) Enable chain stats update via static key iff no error occurs.

8) Restrict osf expression to ip, ip6 and inet families.

9) Restrict tunnel expression to netdev family.

10) Fix crash when trying to bind again an already bound chain.

11) Flowtable garbage collector might leave behind pending work to
    delete entries. This patch comes with a previous preparation patch
    as dependency.

12) Allow net.netfilter.nf_conntrack_frag6_high_thresh to be lowered,
    from Eric Dumazet.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 855a28f9c96c80e6cbd2d986a857235e34868064:

  net: dsa: don't dereference NULL extack in dsa_slave_changeupper() (2022-08-23 07:54:16 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 00cd7bf9f9e06769ef84d5102774c8becd6a498a:

  netfilter: nf_defrag_ipv6: allow nf_conntrack_frag6_high_thresh increases (2022-08-24 08:06:44 +0200)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: nf_defrag_ipv6: allow nf_conntrack_frag6_high_thresh increases

Florian Westphal (3):
      netfilter: ebtables: reject blobs that don't provide all entry points
      netfilter: conntrack: work around exceeded receive window
      netfilter: nft_tproxy: restrict to prerouting hook

Pablo Neira Ayuso (10):
      netfilter: nf_tables: disallow updates of implicit chain
      netfilter: nf_tables: make table handle allocation per-netns friendly
      netfilter: nft_payload: report ERANGE for too long offset and length
      netfilter: nft_payload: do not truncate csum_offset and csum_type
      netfilter: nf_tables: do not leave chain stats enabled on error
      netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families
      netfilter: nft_tunnel: restrict it to netdev family
      netfilter: nf_tables: disallow binding to already bound chain
      netfilter: flowtable: add function to invoke garbage collection immediately
      netfilter: flowtable: fix stuck flows on cleanup due to pending work

 include/linux/netfilter_bridge/ebtables.h |  4 ----
 include/net/netfilter/nf_flow_table.h     |  3 +++
 include/net/netfilter/nf_tables.h         |  1 +
 net/bridge/netfilter/ebtable_broute.c     |  8 --------
 net/bridge/netfilter/ebtable_filter.c     |  8 --------
 net/bridge/netfilter/ebtable_nat.c        |  8 --------
 net/bridge/netfilter/ebtables.c           |  8 +-------
 net/ipv6/netfilter/nf_conntrack_reasm.c   |  1 -
 net/netfilter/nf_conntrack_proto_tcp.c    | 31 +++++++++++++++++++++++++++++++
 net/netfilter/nf_flow_table_core.c        | 15 ++++++++++-----
 net/netfilter/nf_flow_table_offload.c     |  8 ++++++++
 net/netfilter/nf_tables_api.c             | 14 ++++++++++----
 net/netfilter/nft_osf.c                   | 18 +++++++++++++++---
 net/netfilter/nft_payload.c               | 29 +++++++++++++++++++++--------
 net/netfilter/nft_tproxy.c                |  8 ++++++++
 net/netfilter/nft_tunnel.c                |  1 +
 16 files changed, 109 insertions(+), 56 deletions(-)