Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Put back reference on CLUSTERIP configuration structure from the
   error path, patch from Florian Westphal.

2) Put reference on CLUSTERIP configuration instead of freeing it,
   another cpu may still be walking over it, also from Florian.

3) Refetch pointer to IPv6 header from nf_nat_ipv6_manip_pkt() given
   packet manipulation may reallocate the skbuff header, from Florian.

4) Missing match size sanity checks in ebt_among, from Florian.

5) Convert BUG_ON to WARN_ON in ebtables, from Florian.

6) Sanity check userspace offsets from ebtables kernel, from Florian.

7) Missing checksum replace call in flowtable IPv4 DNAT, from Felix
   Fietkau.

8) Bump the right stats on checksum error from bridge netfilter,
   from Taehee Yoo.

9) Unset interface flag in IPv6 fib lookups otherwise we get
   misleading routing lookup results, from Florian.

10) Missing sk_to_full_sk() in ip6_route_me_harder() from Eric Dumazet.

11) Don't allow devices to be part of multiple flowtables at the same
    time, this may break setups.

12) Missing netlink attribute validation in flowtable deletion.

13) Wrong array index in nf_unregister_net_hook() call from error path
    in flowtable addition path.

14) Fix FTP IPVS helper when NAT mangling is in place, patch from
    Julian Anastasov.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 9cb9c07d6b0c5fd97d83b8ab14d7e308ba4b612f:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2018-02-23 15:14:17 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 8a949fff0302b50063f74bb345a66190015528d0:

  ipvs: remove IPS_NAT_MASK check to fix passive FTP (2018-02-28 19:48:26 +0100)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: use skb_to_full_sk in ip6_route_me_harder

Felix Fietkau (1):
      netfilter: nf_flow_table: fix checksum when handling DNAT

Florian Westphal (7):
      netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount
      netfilter: ipt_CLUSTERIP: put config instead of freeing it
      netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
      netfilter: bridge: ebt_among: add missing match size checks
      netfilter: ebtables: convert BUG_ONs to WARN_ONs
      netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
      netfilter: don't set F_IFACE on ipv6 fib lookups

Julian Anastasov (1):
      ipvs: remove IPS_NAT_MASK check to fix passive FTP

Pablo Neira Ayuso (3):
      netfilter: nf_tables: return EBUSY if device already belongs to flowtable
      netfilter: nf_tables: missing attribute validation in nf_tables_delflowtable()
      netfilter: nf_tables: use the right index from flowtable error path

Taehee Yoo (1):
      netfilter: increase IPSTATS_MIB_CSUMERRORS stat

 net/bridge/br_netfilter_hooks.c          |  4 +++-
 net/bridge/netfilter/ebt_among.c         | 21 +++++++++++++++--
 net/bridge/netfilter/ebtables.c          | 40 ++++++++++++++++++++++++--------
 net/ipv4/netfilter/ipt_CLUSTERIP.c       | 15 ++++++++----
 net/ipv4/netfilter/nf_flow_table_ipv4.c  |  1 +
 net/ipv6/netfilter.c                     |  9 +++----
 net/ipv6/netfilter/ip6t_rpfilter.c       |  4 ----
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c |  4 ++++
 net/ipv6/netfilter/nft_fib_ipv6.c        | 12 ++--------
 net/netfilter/ipvs/ip_vs_ftp.c           |  2 +-
 net/netfilter/nf_tables_api.c            | 25 ++++++++++++++++++--
 11 files changed, 98 insertions(+), 39 deletions(-)