Hi David,

The following patchset contains Netfilter patches for your net tree:

1) Fix NULL pointer dereference from nf_nat_decode_session() if NAT is
   not loaded, from Prashant Bhole.

2) Fix socket extension module autoload.

3) Don't bogusly reject sets with the NFT_SET_EVAL flag set on from the
   dynset extension.

4) Fix races with nf_tables module removal and netns exit path,
   patches from Florian Westphal.

5) Don't hit BUG_ON if jumpstack goes too deep, instead hit
   WARN_ON_ONCE, from Taehee Yoo.

6) Another NULL pointer dereference from ctnetlink, again if NAT is
   not loaded, from Florian Westphal.

7) Fix x_tables match list corruption in xt_connmark module removal
   path, also from Florian.

8) nf_conncount doesn't properly deal with conntrack zones, hence
   garbage collector may get rid of entries in a different zone.
   From Yi-Hung Wei.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 6892286e9c09925780fe2cb6db3585b56b71fe8e:

  tcp: Do not reload skb pointer after skb_gro_receive(). (2018-06-11 20:00:56 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 21ba8847f857028dc83a0f341e16ecc616e34740:

  netfilter: nf_conncount: Fix garbage collection with zones (2018-06-12 20:07:07 +0200)

----------------------------------------------------------------
Florian Westphal (4):
      netfilter: nf_tables: fix module unload race
      netfilter: nf_tables: close race between netns exit and rmmod
      netfilter: ctnetlink: avoid null pointer dereference
      netfilter: xt_connmark: fix list corruption on rmmod

Pablo Neira Ayuso (2):
      netfilter: nft_socket: fix module autoload
      netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL

Prashant Bhole (1):
      netfilter: fix null-ptr-deref in nf_nat_decode_session

Taehee Yoo (1):
      netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()

Yi-Hung Wei (1):
      netfilter: nf_conncount: Fix garbage collection with zones

 include/linux/netfilter.h                  |  2 +-
 include/net/netfilter/nf_conntrack_count.h |  3 ++-
 include/uapi/linux/netfilter/nf_tables.h   |  2 +-
 net/netfilter/nf_conncount.c               | 13 +++++++++----
 net/netfilter/nf_conntrack_netlink.c       |  3 ++-
 net/netfilter/nf_tables_api.c              | 25 +++++++++++++++++++------
 net/netfilter/nf_tables_core.c             |  3 ++-
 net/netfilter/nfnetlink.c                  | 10 +++++++---
 net/netfilter/nft_chain_filter.c           |  5 +++++
 net/netfilter/nft_connlimit.c              |  2 +-
 net/netfilter/nft_dynset.c                 |  4 +---
 net/netfilter/nft_socket.c                 |  1 +
 net/netfilter/xt_connmark.c                |  2 +-
 13 files changed, 52 insertions(+), 23 deletions(-)