[PATCH 0/7] Netfilter fixes for net

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Tue, 24 Mar 2020 23:32:13 +0100

Hi,

The following patchset contains Netfilter fixes for net:

1) A new selftest for nf_queue, from Florian Westphal. This test
   covers two recent fixes: 07f8e4d0fddb ("tcp: also NULL skb->dev
   when copy was needed") and b738a185beaa ("tcp: ensure skb->dev is
   NULL before leaving TCP stack").

2) The fwd action breaks with ifb. For safety in next extensions,
   make sure the fwd action only runs from ingress until it is extended
   to be used from a different hook.

3) The pipapo set type now reports EEXIST in case of subrange overlaps.
   Update the rbtree set to validate range overlaps, so far this
   validation is only done only from userspace. From Stefano Brivio.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you.

----------------------------------------------------------------

The following changes since commit 749f6f6843115b424680f1aada3c0dd613ad807c:

  net: phy: dp83867: w/a for fld detect threshold bootstrapping issue (2020-03-21 20:09:57 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to a64d558d8cf98424cc5eb9ae6631782cd8bf789c:

  selftests: netfilter: add nfqueue test case (2020-03-24 20:00:12 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      selftests: netfilter: add nfqueue test case

Pablo Neira Ayuso (3):
      netfilter: nf_tables: Allow set back-ends to report partial overlaps on insertion
      netfilter: nft_fwd_netdev: validate family and chain type
      netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress

Stefano Brivio (3):
      netfilter: nft_set_pipapo: Separate partial and complete overlap cases on insertion
      netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start()
      netfilter: nft_set_rbtree: Detect partial overlaps on insertion

 net/netfilter/nf_tables_api.c                  |   5 +
 net/netfilter/nft_fwd_netdev.c                 |  13 +
 net/netfilter/nft_set_pipapo.c                 |  34 ++-
 net/netfilter/nft_set_rbtree.c                 |  87 +++++-
 tools/testing/selftests/netfilter/Makefile     |   6 +-
 tools/testing/selftests/netfilter/config       |   6 +
 tools/testing/selftests/netfilter/nf-queue.c   | 352 +++++++++++++++++++++++++
 tools/testing/selftests/netfilter/nft_queue.sh | 332 +++++++++++++++++++++++
 8 files changed, 818 insertions(+), 17 deletions(-)
 create mode 100644 tools/testing/selftests/netfilter/nf-queue.c
 create mode 100755 tools/testing/selftests/netfilter/nft_queue.sh