Hi Florian,

On Fri, Apr 01, 2016 at 02:17:20PM +0200, Florian Westphal wrote:
> This series adds more checks on xtables (arp, ip, ip6tables) rulesets.
>
> - check all offsets (target, next) of all rules during initial pass
>   after copy from userspace.
> - check targets of jumps (-j bla): offset should be start of a rule
> - assert that alleged target size is at least as big as minimum target
>   structure
> - change CONFIG_COMPAT code path to push ruleset via normal setsockopt
>   path after initial 32->64 bit conversion to avoid duplicating checks
> - use a common helper to copy counters from userspace instead of
>   the ip/ip6/arp implementation.
>
> Tested:
> - iptables.git iptables-test.py passes
> - made a few performance tests w. really silly rulesets to verify
>   that things don't slow down too much, see individual patches for details.
>
>  include/linux/netfilter/x_tables.h |  12 +
>  net/ipv4/netfilter/arp_tables.c    | 303 ++++++++++------------------------
>  net/ipv4/netfilter/ip_tables.c     | 327 +++++++++---------------------------
>  net/ipv6/netfilter/ip6_tables.c    | 320 ++++++++---------------------------
>  net/netfilter/x_tables.c           | 244 +++++++++++++++++++++++++++
>  5 files changed, 506 insertions(+), 700 deletions(-)

Nice work, and we got less code to maintain, good :)

I'm starting to consider that, given that this has been broken since day 1, we pass this through nf-next and then later on we request inclusion for -stable. We'll have more time in case of fallout (I know you have done a great effort to intensively test this) but this batch looks large, that's why I'm thinking about this route change.

Let me know, thanks!
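The three ruleset checks the cover letter lists (every target/next offset validated on the initial pass after the copy from userspace, jump targets required to land on the start of a rule, alleged target size at least the minimum target structure), shown as an added C illustration that is not part of Florian's series or of the kernel. The struct layouts, validate_ruleset, put_rule and demo_ruleset are simplified constructions for this example; the real ipt_entry / xt_entry_target structures carry more fields.

```c
#include <stdint.h>
#include <string.h>
/* Simplified model of an xtables ruleset blob, constructed for this example; the
 * kernel's real ipt_entry / xt_entry_target layouts carry more fields than this. */
struct entry_hdr  { uint16_t target_offset, next_offset; };
struct target_hdr { uint16_t size; int32_t verdict; }; /* verdict >= 0: jump to offset */
#define MIN_ENTRY  sizeof(struct entry_hdr)
#define MIN_TARGET sizeof(struct target_hdr)
#define RULE_SIZE  (MIN_ENTRY + MIN_TARGET)   /* size of the constructed rules below */
#define MAX_RULES  16
/* Returns 0 if the blob passes both passes, -1 otherwise. */
int validate_ruleset(const uint8_t *blob, size_t len) {
    size_t starts[MAX_RULES], n = 0, off;
    struct entry_hdr e; struct target_hdr t;
    /* Pass 1: walk by next_offset; offsets must stay inside the blob and the
     * alleged target must be at least as big as the minimum target structure. */
    for (off = 0; off < len; off += e.next_offset) {
        if (len - off < MIN_ENTRY || n == MAX_RULES) return -1;
        memcpy(&e, blob + off, MIN_ENTRY);
        if (e.target_offset < MIN_ENTRY || e.next_offset > len - off ||
            e.next_offset < (size_t)e.target_offset + MIN_TARGET) return -1;
        memcpy(&t, blob + off + e.target_offset, MIN_TARGET);
        if (t.size < MIN_TARGET || t.size > e.next_offset - e.target_offset) return -1;
        starts[n++] = off;                /* remember where each rule begins */
    }
    /* Pass 2: a jump (-j chain) must land exactly on a recorded rule start. */
    for (size_t i = 0; i < n; i++) {
        memcpy(&e, blob + starts[i], MIN_ENTRY);
        memcpy(&t, blob + starts[i] + e.target_offset, MIN_TARGET);
        if (t.verdict < 0) continue;      /* plain verdict, nothing to resolve */
        size_t j = 0; while (j < n && starts[j] != (size_t)t.verdict) j++;
        if (j == n) return -1;            /* mid-rule or past the end of the table */
    }
    return 0;
}
/* Constructed test data: one rule whose target directly follows its header. */
static size_t put_rule(uint8_t *buf, size_t off, int32_t verdict) {
    struct entry_hdr e = { MIN_ENTRY, RULE_SIZE };
    struct target_hdr t = { MIN_TARGET, verdict };
    memcpy(buf + off, &e, MIN_ENTRY);
    memcpy(buf + off + MIN_ENTRY, &t, MIN_TARGET);
    return off + RULE_SIZE;
}
/* Three rules; rule 0 jumps to jump_target. 'trim' bytes are cut off the end of
 * the blob to imitate a next_offset reaching past what userspace copied in. */
int demo_ruleset(int32_t jump_target, size_t trim) {
    uint8_t blob[4 * RULE_SIZE];
    size_t off = put_rule(blob, 0, jump_target);
    off = put_rule(blob, off, -1); off = put_rule(blob, off, -2);
    return validate_ruleset(blob, off - trim);
}
```

A jump to the start of rule 2 passes; a jump into the middle of rule 1, a jump past the table end, or a blob one byte shorter than its last rule claims are all rejected.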