Hi Pablo,
Please pull the next patches for nf git tree:
- Check hook mask for unsupported hooks instead of supported ones in xt_set.
(Serhey Popovych).
- List/save just timing out entries with "timeout 1" instead of "timeout 0":
zero timeout value means permanent entries. When restoring the elements,
we'd add non-timing out entries. Fixes netfilter bugzilla id #1258.
- Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC due to the
negative value condition in msecs_to_jiffies(). msecs_to_jiffies()
should be revised: if one wants to set the timeout above 2147483,
msecs_to_jiffies() sets the value to 4294967. (Reported by Maxim Masiutin).
- Forbid family for hash:mac sets in the kernel module: ipset userspace tool
enforces it but third party tools could create sets with this parameter.
Such sets then cannot be listed/saved with ipset itself. (Florent Fourcot)
Best regards,
Jozsef
The following changes since commit 6fcc02e3c2bddeaf628fde3c6a5ab3216d45691a:
ipvs: fix check on xmit to non-local addresses (2018-06-04 18:28:47 +0200)
are available in the git repository at:
git://blackhole.kfki.hu/nf cbdebe481a14b
for you to fetch changes up to cbdebe481a14b42c45aa9f4ceb5ff19b55de2c57:
netfilter: ipset: forbid family for hash:mac sets (2018-06-06 14:01:00 +0200)
----------------------------------------------------------------
Florent Fourcot (1):
netfilter: ipset: forbid family for hash:mac sets
Jozsef Kadlecsik (2):
netfilter: ipset: List timing out entries with "timeout 1" instead of zero
netfilter: ipset: Limit max timeout value
Serhey Popovych (1):
netfilter: xt_set: Check hook mask correctly
include/linux/netfilter/ipset/ip_set_timeout.h | 20 ++++++++++++++------
net/netfilter/ipset/ip_set_hash_gen.h | 5 ++++-
net/netfilter/xt_set.c | 10 +++++-----
3 files changed, 23 insertions(+), 12 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
