[PATCH nf 00/17] netfilter: xtables: stricter ruleset validation

This series adds more checks on xtables (arp, ip, ip6tables) rulesets.

- check all offsets (target, next) of all rules during initial pass
  after copy from userspace.
- check targets of jumps (-j bla): offset should be start of a rule
- assert that alleged target size is at least as big as minimum target
  structure
- change CONFIG_COMPAT code path to push ruleset via normal setsockopt
  path after initial 32->64 bit conversion to avoid duplicating checks
- use a common helper to copy counters from userspace instead of
  the ip/ip6/arp implementation.

Tested:
- iptables.git iptables-test.py passes
- made a few performance tests w. really silly rulesets to verify
that things don't slow down too much, see individual patches for details.

 include/linux/netfilter/x_tables.h |   12 +
 net/ipv4/netfilter/arp_tables.c    |  303 ++++++++++------------------------
 net/ipv4/netfilter/ip_tables.c     |  327 +++++++++----------------------------
 net/ipv6/netfilter/ip6_tables.c    |  320 ++++++++----------------------------
 net/netfilter/x_tables.c           |  244 +++++++++++++++++++++++++++
 5 files changed, 506 insertions(+), 700 deletions(-)
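
The first three checks listed in the series description (bounds on every target/next offset, jump targets landing on a rule start, and a minimum target size), modelled as an added example in C; this is not code from the series or from the kernel. The struct layouts are cut down to the offset fields the checks need, and the blob being validated is constructed inline.

```c
#include <stdint.h>
#include <string.h>
/* Constructed, reduced model of an xtables ruleset blob (not the kernel's structs): a rule is an
 * entry header followed by a standard target; both offsets are relative to the rule's start. */
struct entry  { uint16_t target_offset, next_offset; };
struct target { uint16_t target_size; int32_t verdict; }; /* verdict >= 0: jump to that blob offset */
#define MAX_RULES 64
/* Pass 1, one walk right after the copy from userspace: every target/next offset must stay in bounds,
 * alleged target size >= minimum target and inside its rule. Records rule starts; returns count or -1. */
static int check_offsets(const uint8_t *blob, size_t len, size_t *starts) {
    size_t off = 0; int n = 0;
    while (off < len) {
        struct entry e; struct target t;
        if (len - off < sizeof e || n == MAX_RULES) return -1;
        memcpy(&e, blob + off, sizeof e);
        if ((size_t)e.target_offset < sizeof e || (size_t)e.next_offset > len - off ||
            (size_t)e.next_offset < (size_t)e.target_offset + sizeof t) return -1; /* out of bounds */
        memcpy(&t, blob + off + e.target_offset, sizeof t);
        if ((size_t)t.target_size < sizeof t || t.target_size > e.next_offset - e.target_offset)
            return -1; /* alleged target size below the minimum, or larger than the rule that holds it */
        starts[n++] = off; off += e.next_offset;
    }
    return n;
}
/* Pass 2 runs only on a blob with sane offsets: a jump (-j chain) must land exactly on a rule start. */
int validate_ruleset(const uint8_t *blob, size_t len) { /* 0 = accepted, -1 = rejected */
    size_t starts[MAX_RULES]; int n = check_offsets(blob, len, starts);
    for (int i = 0; i < n; i++) {
        struct entry e; struct target t; int ok = 0;
        memcpy(&e, blob + starts[i], sizeof e);
        memcpy(&t, blob + starts[i] + e.target_offset, sizeof t);
        if (t.verdict < 0) continue; /* plain verdict such as ACCEPT or DROP, not a jump */
        for (int j = 0; j < n; j++) ok |= starts[j] == (size_t)t.verdict;
        if (!ok) return -1;
    }
    return n < 0 ? -1 : 0;
}
/* Builds a constructed two-rule blob (rule 0 jumps to rule 1, rule 1 is a plain verdict) and validates
 * it; a nonzero `defect` injects one corruption so the caller can see which check rejects it. */
int validate_sample(int defect) {
    uint8_t buf[32];
    struct target jump = { (uint16_t)sizeof jump, 0 }, drop = { (uint16_t)sizeof drop, -2 };
    struct entry e = { (uint16_t)sizeof e, (uint16_t)(sizeof e + sizeof jump) }; /* rule = header + target */
    size_t len = 2u * e.next_offset;
    jump.verdict = defect == 1 ? e.next_offset / 2 : e.next_offset; /* 1: jump into the middle of rule 1 */
    if (defect == 2) drop.target_size = 1; else if (defect == 3) len--; /* 2: target too small; 3: truncated */
    memcpy(buf, &e, sizeof e); memcpy(buf + e.target_offset, &jump, sizeof jump);
    memcpy(buf + e.next_offset, &e, sizeof e); memcpy(buf + e.next_offset + e.target_offset, &drop, sizeof drop);
    return validate_ruleset(buf, len);
}
```

validate_sample(0) is accepted; defects 2 and 3 are caught in the first pass, defect 1 only in the jump pass, which is why the jump check can assume the offsets are already sane.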
