Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Fri, Apr 01, 2016 at 02:17:20PM +0200, Florian Westphal wrote:
> > This series adds more checks on xtables (arp, ip, ip6tables) rulesets.
> >
> > - check all offsets (target, next) of all rules during initial pass
> >   after copy from userspace.
> > - check targets of jumps (-j bla): offset should be start of a rule
> > - assert that alleged target size is at least as big as minimum target
> >   structure
> > - change CONFIG_COMPAT code path to push ruleset via normal setsockopt
> >   path after initial 32->64 bit conversion to avoid duplicating checks
> > - use a common helper to copy counters from userspace instead of
> >   the ip/ip6/arp implementation.
> >
> > Tested:
> > - iptables.git iptables-test.py passes
> > - made a few performance tests w. really silly rulesets to verify
> >   that things don't slow down too much, see individual patches for details.
> >
> >  include/linux/netfilter/x_tables.h |  12 +
> >  net/ipv4/netfilter/arp_tables.c    | 303 ++++++++++------------------------
> >  net/ipv4/netfilter/ip_tables.c     | 327 +++++++++---------------------------
> >  net/ipv6/netfilter/ip6_tables.c    | 320 ++++++++----------------------------
> >  net/netfilter/x_tables.c           | 244 +++++++++++++++++++++++++++
> >  5 files changed, 506 insertions(+), 700 deletions(-)
>
> Nice work, and we got less code to maintain, good :)
>
> I'm starting to consider that, given that this has been broken since
> day 1, we pass this through nf-next and then later on we request
> inclusion for -stable.

Fine with me.
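The three ruleset checks the cover letter lists (every rule's target and next offsets validated in a first pass right after the copy from userspace, jump verdicts required to land on the start of a rule, and the claimed target size required to be at least the minimum target structure) are illustrated below in an added, self-contained example. It is not code from the series or from the kernel: the `demo_entry`/`demo_target` layout is a deliberately simplified, hypothetical stand-in for `ipt_entry`/`xt_entry_target` (rule-relative `target_offset`/`next_offset`, a target header carrying a size and a verdict, non-negative verdict meaning "jump to this absolute offset"), and the sample rulesets are constructed inline rather than taken from any real table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified wire layout loosely modelled on ipt_entry and
 * xt_entry_target. It is NOT the kernel's real format. */
#define DEMO_ALIGN 4

struct demo_entry {              /* 4 bytes at the start of every rule   */
    uint16_t target_offset;      /* rule start -> target header          */
    uint16_t next_offset;        /* rule start -> next rule              */
};

struct demo_target {             /* 8 bytes: the minimum target size     */
    uint16_t size;               /* size the target claims for itself    */
    uint16_t pad;
    int32_t  verdict;            /* >= 0: jump to that absolute offset   */
                                 /* <  0: built-in verdict, no jump      */
};

enum {
    DEMO_OK = 0,
    DEMO_ERR_BOUNDS,   /* rule or target header runs past its container */
    DEMO_ERR_ALIGN,    /* next rule would not be DEMO_ALIGN aligned     */
    DEMO_ERR_TSIZE,    /* target smaller than struct demo_target        */
    DEMO_ERR_JUMP,     /* jump verdict does not land on a rule start    */
    DEMO_ERR_TOOMANY,  /* more rules than the caller's starts[] holds   */
};

/* Pass 1: check the offsets of every rule and record each rule's start.
 * Only header fields that have already been bounds-checked are read. */
static int demo_check_offsets(const uint8_t *blob, size_t len,
                              size_t *starts, size_t max, size_t *nstarts)
{
    size_t off = 0, n = 0;

    while (off < len) {
        struct demo_entry e;
        struct demo_target t;

        if (len - off < sizeof e)
            return DEMO_ERR_BOUNDS;
        memcpy(&e, blob + off, sizeof e);

        /* rule must fit in the blob; target header must fit in the rule */
        if (e.next_offset > len - off)
            return DEMO_ERR_BOUNDS;
        if (e.target_offset < sizeof e ||
            (size_t)e.target_offset + sizeof t > e.next_offset)
            return DEMO_ERR_BOUNDS;
        if (e.next_offset % DEMO_ALIGN)
            return DEMO_ERR_ALIGN;

        memcpy(&t, blob + off + e.target_offset, sizeof t);
        /* alleged target size: at least the minimum, and inside the rule */
        if (t.size < sizeof t ||
            (size_t)e.target_offset + t.size > e.next_offset)
            return DEMO_ERR_TSIZE;

        if (n == max)
            return DEMO_ERR_TOOMANY;
        starts[n++] = off;
        off += e.next_offset;    /* next_offset >= 12 here, so this advances */
    }
    *nstarts = n;
    return DEMO_OK;
}

/* Pass 2: every jump verdict must point at the start of some rule. */
static int demo_check_jumps(const uint8_t *blob, const size_t *starts, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct demo_entry e;
        struct demo_target t;
        int found = 0;

        memcpy(&e, blob + starts[i], sizeof e);
        memcpy(&t, blob + starts[i] + e.target_offset, sizeof t);
        if (t.verdict < 0)
            continue;            /* built-in verdict, nothing to resolve */
        for (size_t j = 0; j < n && !found; j++)
            found = (starts[j] == (size_t)t.verdict);
        if (!found)
            return DEMO_ERR_JUMP;
    }
    return DEMO_OK;
}

/* Both passes, as a setsockopt-style handler would run them on a copy. */
int demo_validate(const uint8_t *blob, size_t len)
{
    size_t starts[64], n;
    int rc = demo_check_offsets(blob, len, starts, 64, &n);
    return rc ? rc : demo_check_jumps(blob, starts, n);
}

/* Writes one constructed rule of rule_len bytes whose target claims tsize
 * bytes and carries `verdict`; returns the offset of the following rule. */
size_t demo_put_rule(uint8_t *buf, size_t off, uint16_t rule_len,
                     uint16_t tsize, int32_t verdict)
{
    struct demo_entry e = { sizeof(struct demo_entry), rule_len };
    struct demo_target t = { tsize, 0, verdict };
    memcpy(buf + off, &e, sizeof e);
    memcpy(buf + off + sizeof e, &t, sizeof t);
    return off + rule_len;
}

/* Constructed two-rule samples (not real iptables data), 32 bytes each:
 * 0: rule0 jumps to rule1 (offset 16), rule1 is built-in      -> DEMO_OK
 * 1: rule0 jumps to offset 20, inside rule1                   -> ERR_JUMP
 * 2: rule1 claims a 4-byte target, below the 8-byte minimum   -> ERR_TSIZE
 * 3: rule1's next_offset (32) runs past the end of the blob   -> ERR_BOUNDS
 * 4: rule0 is 14 bytes long, so rule1 would start misaligned  -> ERR_ALIGN */
int demo_run_sample(int variant)
{
    uint8_t buf[64] = {0};
    int32_t  jump   = (variant == 1) ? 20 : 16;
    uint16_t r0_len = (variant == 4) ? 14 : 16;
    uint16_t r1_len = (variant == 3) ? 32 : 16;
    uint16_t r1_tsz = (variant == 2) ? 4  : 8;

    demo_put_rule(buf, 0, r0_len, 8, jump);      /* rule0: -j rule1 */
    demo_put_rule(buf, 16, r1_len, r1_tsz, -1);  /* rule1: built-in */
    return demo_validate(buf, 32);
}

int main(void)
{
    for (int v = 0; v < 5; v++)
        printf("sample %d -> %d\n", v, demo_run_sample(v));
    return 0;
}
```

The point of doing the offset pass before anything else, and of reading a target's `size` only after `target_offset + sizeof(struct demo_target)` has been checked against `next_offset`, is that every later consumer of the ruleset (the jump resolver here, match and target checkentry hooks in the real code) can then index the blob using those fields without repeating the bounds logic.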