Re: [PATCH 0/5] Netfilter fixes for net

2018-03-12 Thread David Miller
From: Pablo Neira Ayuso 
Date: Mon, 12 Mar 2018 17:15:59 +0100

> The following patchset contains Netfilter fixes for your net tree, they are:
> 
> 1) Fixed hashtable representation doesn't support timeout flag, skip it,
>    otherwise rules to add elements from the packet bogusly fail with
>    EOPNOTSUPP.
> 
> 2) Fix bogus error with 32-bit ebtables userspace and 64-bit kernel,
>    patch from Florian Westphal.
> 
> 3) Sanitize proc names in several x_tables extensions, also from Florian.
> 
> 4) Add sanitization to ebt_among wormhash logic, from Florian.
> 
> 5) Missing release of hook array in flowtable.

Pulled, thank you.


[PATCH 0/5] Netfilter fixes for net

2018-03-12 Thread Pablo Neira Ayuso
Hi David,

The following patchset contains Netfilter fixes for your net tree, they are:

1) Fixed hashtable representation doesn't support timeout flag, skip it,
   otherwise rules to add elements from the packet bogusly fail with
   EOPNOTSUPP.

2) Fix bogus error with 32-bit ebtables userspace and 64-bit kernel,
   patch from Florian Westphal.

3) Sanitize proc names in several x_tables extensions, also from Florian.

4) Add sanitization to ebt_among wormhash logic, from Florian.

5) Missing release of hook array in flowtable.


You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!



The following changes since commit ce380619fab99036f5e745c7a865b21c59f005f6:

  Merge tag 'please-pull-ia64_misc' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux (2018-03-05 20:31:14 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to c04a3f730021c304c7cc4bc30ee57ee70ad98d57:

  netfilter: nf_tables: release flowtable hooks (2018-03-11 21:24:56 +0100)


Florian Westphal (3):
  netfilter: ebtables: fix erroneous reject of last rule
  netfilter: x_tables: add and use xt_check_proc_name
  netfilter: bridge: ebt_among: add more missing match size checks

Pablo Neira Ayuso (2):
  netfilter: nft_set_hash: skip fixed hash if timeout is specified
  netfilter: nf_tables: release flowtable hooks

 include/linux/netfilter/x_tables.h |  2 ++
 net/bridge/netfilter/ebt_among.c   | 34 ++
 net/bridge/netfilter/ebtables.c|  6 +-
 net/netfilter/nf_tables_api.c  |  1 +
 net/netfilter/nft_set_hash.c   |  2 +-
 net/netfilter/x_tables.c   | 30 ++
 net/netfilter/xt_hashlimit.c   | 16 ++--
 net/netfilter/xt_recent.c  |  6 +++---
 8 files changed, 86 insertions(+), 11 deletions(-)


Re: [PATCH 0/5] Netfilter fixes for net

2017-08-24 Thread David Miller
From: Pablo Neira Ayuso 
Date: Thu, 24 Aug 2017 16:43:26 +0200

> The following patchset contains Netfilter fixes for your net tree,
> they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks.


[PATCH 0/5] Netfilter fixes for net

2017-08-24 Thread Pablo Neira Ayuso
Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix use after free of struct proc_dir_entry in ipt_CLUSTERIP, patch
   from Sabrina Dubroca.

2) Fix spurious EINVAL errors from iptables over nft compatibility layer.

3) Reload pointer to ip header only if there is a non-terminal verdict,
   i.e. XT_CONTINUE, otherwise invalid memory access may happen, patch
   from Taehee Yoo.

4) Fix interaction between SYNPROXY and NAT: SYNPROXY adds sequence
   adjustment already, however nf_nat_setup() assumes there's not.
   Patch from Xin Long.

5) Fix burst arithmetic in nft_limit as Joe Stringer mentioned during
   NFWS in Faro. Patch from Andy Zhou.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks a lot!



The following changes since commit 073dd5ad34b1d3aaadaa7e5e8cbe576d9545f163:

  netfilter: fix netfilter_net_init() return (2017-07-18 14:50:28 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to c26844eda9d4fdbd20e3b3de2d0270e3a1ed:

  netfilter: nf_tables: Fix nft limit burst handling (2017-08-24 16:23:17 +0200)


Pablo Neira Ayuso (1):
  netfilter: nft_compat: check extension hook mask only if set

Sabrina Dubroca (1):
  netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry

Taehee Yoo (1):
  netfilter: x_tables: Fix use-after-free in ipt_do_table.

Xin Long (1):
  netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info

andy zhou (1):
  netfilter: nf_tables: Fix nft limit burst handling

 net/ipv4/netfilter/arp_tables.c| 10 +-
 net/ipv4/netfilter/ip_tables.c |  9 +
 net/ipv4/netfilter/ipt_CLUSTERIP.c |  4 +++-
 net/netfilter/nf_nat_core.c|  2 +-
 net/netfilter/nft_compat.c |  4 ++--
 net/netfilter/nft_limit.c  | 25 ++---
 6 files changed, 30 insertions(+), 24 deletions(-)



Re: [PATCH 0/5] Netfilter fixes for net

2017-07-18 Thread David Miller
From: Florian Westphal 
Date: Tue, 18 Jul 2017 23:11:57 +0200

> David Miller  wrote:
>> What about that change Eric Dumazet was talking about with Florian
>> that stopped instantiating conntrack by default in new namespaces?
> 
> Seems more appropriate for -next.  If you prefer net instead, let me know
> and I'll get to work.

Yeah it's more on the -next side, albeit annoying.

Ok, so never mind :)


Re: [PATCH 0/5] Netfilter fixes for net

2017-07-18 Thread Florian Westphal
David Miller  wrote:
> What about that change Eric Dumazet was talking about with Florian
> that stopped instantiating conntrack by default in new namespaces?

Seems more appropriate for -next.  If you prefer net instead, let me know
and I'll get to work.


Re: [PATCH 0/5] Netfilter fixes for net

2017-07-18 Thread David Miller
From: Pablo Neira Ayuso 
Date: Tue, 18 Jul 2017 12:13:54 +0200

> The following patchset contains Netfilter fixes for your net tree,
> they are:
> 
> 1) Missing netlink message sanity check in nfnetlink, patch from
>    Mateusz Jurczyk.
> 
> 2) We now have netfilter per-netns hooks, so let's kill global hook
>    infrastructure, this infrastructure is known to be racy with netns.
>    We don't care about out of tree modules. Patch from Florian Westphal.
> 
> 3) find_appropriate_src() is buggy when collisions happen after the
>    conversion of the nat bysource to rhashtable. Also from Florian.
> 
> 4) Remove forward chain in nf_tables arp family, it's useless and it is
>    causing quite a bit of confusion, from Florian Westphal.
> 
> 5) nf_ct_remove_expect() is called with the wrong parameter, causing
>    kernel oops, patch from Florian Westphal.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks a lot.

What about that change Eric Dumazet was talking about with Florian
that stopped instantiating conntrack by default in new namespaces?

Just curious.


[PATCH 0/5] Netfilter fixes for net

2017-07-18 Thread Pablo Neira Ayuso
Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Missing netlink message sanity check in nfnetlink, patch from
   Mateusz Jurczyk.

2) We now have netfilter per-netns hooks, so let's kill global hook
   infrastructure, this infrastructure is known to be racy with netns.
   We don't care about out of tree modules. Patch from Florian Westphal.

3) find_appropriate_src() is buggy when collisions happen after the
   conversion of the nat bysource to rhashtable. Also from Florian.

4) Remove forward chain in nf_tables arp family, it's useless and it is
   causing quite a bit of confusion, from Florian Westphal.

5) nf_ct_remove_expect() is called with the wrong parameter, causing
   kernel oops, patch from Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!



The following changes since commit 533da29b584de5ae0e9dafafbe52809f59cb5300:

  Merge branch 'bcmgenet-Fragmented-SKB-corrections' (2017-07-15 21:29:08 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 36ac344e16e04e3e55e8fed7446095a6458c64e6:

  netfilter: expect: fix crash when putting uninited expectation (2017-07-17 17:03:12 +0200)


Florian Westphal (4):
  netfilter: remove old pre-netns era hook api
  netfilter: nat: fix src map lookup
  netfilter: nf_tables: only allow in/output for arp packets
  netfilter: expect: fix crash when putting uninited expectation

Mateusz Jurczyk (1):
  netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv

 include/linux/netfilter.h   |   9 ---
 net/ipv4/netfilter/nf_tables_arp.c  |   3 +-
 net/netfilter/core.c| 143 
 net/netfilter/nf_conntrack_expect.c |   2 +-
 net/netfilter/nf_nat_core.c |  17 +++--
 net/netfilter/nfnetlink.c   |   6 +-
 6 files changed, 14 insertions(+), 166 deletions(-)


Re: [PATCH 0/5] Netfilter fixes for net-next

2016-10-05 Thread David Miller
From: Pablo Neira Ayuso 
Date: Thu,  6 Oct 2016 02:07:44 +0200

> This is a pull request to address fallout from previous nf-next pull
> request, only fixes going on here:
> 
> 1) Address a potential null dereference in nf_unregister_net_hook()
>    when nf_hook_entry_head becomes NULL, from Aaron Conole.
> 
> 2) Missing ifdef for CONFIG_NETFILTER_INGRESS, also from Aaron.
> 
> 3) Fix linking problems in xt_hashlimit in x86_32, from Pai.
> 
> 4) Fix permissions of nf_log sysctl from unprivileged netns, from
>    Jann Horn.
> 
> 5) Fix possible divide by zero in nft_limit, from Liping Zhang.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Pulled, thanks Pablo.


[PATCH 0/5] Netfilter fixes for net-next

2016-10-05 Thread Pablo Neira Ayuso
Hi David,

This is a pull request to address fallout from previous nf-next pull
request, only fixes going on here:

1) Address a potential null dereference in nf_unregister_net_hook()
   when nf_hook_entry_head becomes NULL, from Aaron Conole.

2) Missing ifdef for CONFIG_NETFILTER_INGRESS, also from Aaron.

3) Fix linking problems in xt_hashlimit in x86_32, from Pai.

4) Fix permissions of nf_log sysctl from unprivileged netns, from
   Jann Horn.

5) Fix possible divide by zero in nft_limit, from Liping Zhang.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

P.S.: Sorry for not addressing this any sooner; a mixture of traveling
overhead, conference and problems with the wifi connection has prevented
me from doing this any sooner.

Thanks!



The following changes since commit 803783849fed11e38a30f31932c02c815520da70:

  mlx5: Add ndo_poll_controller() implementation (2016-09-30 02:11:16 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to 2fa46c130193300f06e68727ae98ec9f6184cad4:

  netfilter: nft_limit: fix divided by zero panic (2016-10-04 08:59:03 +0200)


Aaron Conole (2):
  netfilter: Fix potential null pointer dereference
  netfilter: accommodate different kconfig in nf_set_hooks_head

Jann Horn (1):
  netfilter: fix namespace handling in nf_log_proc_dostring

Liping Zhang (1):
  netfilter: nft_limit: fix divided by zero panic

Vishwanath Pai (1):
  netfilter: xt_hashlimit: Fix link error in 32bit arch because of 64bit division

 net/netfilter/core.c | 17 -
 net/netfilter/nf_log.c   |  6 --
 net/netfilter/nft_limit.c|  4 ++--
 net/netfilter/xt_hashlimit.c | 15 ---
 4 files changed, 26 insertions(+), 16 deletions(-)


[PATCH 0/5] Netfilter fixes for net

2015-08-10 Thread Pablo Neira Ayuso
Hi David,

The following patchset contains five Netfilter fixes for your net tree,
they are:

1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
   easily hit this warning message, which gets users confused. So let's get rid
   of it.

2) Recently when porting the template object allocation on top of kmalloc to
   fix the netns dependencies between x_tables and conntrack, the error
   checks were left unchanged. Remove IS_ERR() and check for NULL instead.
   Patch from Dan Carpenter.

3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
   Joe Stringer.

4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
   Phil Sutter.

5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
   not adjusted through our NAT infrastructure, as a result the client may
   ignore this TCP packet and TCP flow hangs until the client probes us.  Also
   from Phil Sutter.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!



The following changes since commit 15f1bb1f1e067be7088ed43ef23d59629bd24348:

  qlcnic: Fix corruption while copying (2015-07-29 23:57:26 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to 3c16241c445303a90529565e7437e1f240acfef2:

  netfilter: SYNPROXY: fix sending window update to client (2015-08-10 13:55:07 +0200)


Dan Carpenter (1):
  netfilter: nf_conntrack: checking for IS_ERR() instead of NULL

Joe Stringer (1):
  netfilter: conntrack: Use flags in nf_ct_tmpl_alloc()

Pablo Neira Ayuso (1):
  netfilter: nf_conntrack: silence warning on falling back to vmalloc()

Phil Sutter (2):
  netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
  netfilter: SYNPROXY: fix sending window update to client

 net/ipv4/netfilter/ipt_SYNPROXY.c  |3 ++-
 net/ipv6/netfilter/ip6t_SYNPROXY.c |   19 +++
 net/netfilter/nf_conntrack_core.c  |8 +++-
 net/netfilter/nf_synproxy_core.c   |4 +---
 net/netfilter/xt_CT.c  |5 +++--
 5 files changed, 20 insertions(+), 19 deletions(-)
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH 0/5] Netfilter fixes for net

2015-08-10 Thread David Miller
From: Pablo Neira Ayuso pa...@netfilter.org
Date: Mon, 10 Aug 2015 19:58:34 +0200

> The following patchset contains five Netfilter fixes for your net tree,
> they are:
> 
> 1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
>    easily hit this warning message, which gets users confused. So let's get rid
>    of it.
> 
> 2) Recently when porting the template object allocation on top of kmalloc to
>    fix the netns dependencies between x_tables and conntrack, the error
>    checks were left unchanged. Remove IS_ERR() and check for NULL instead.
>    Patch from Dan Carpenter.
> 
> 3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
>    Joe Stringer.
> 
> 4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
>    Phil Sutter.
> 
> 5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
>    not adjusted through our NAT infrastructure, as a result the client may
>    ignore this TCP packet and TCP flow hangs until the client probes us.  Also
>    from Phil Sutter.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.