[PATCH 5.10.y 0/3] netfilter: nf_tables fixes for 5.10.y

please consider applying these nf_tables fixes to the 5.10.y tree.
These patches had to be mangled to make them apply to 5.10.y.

I've done the following tests in a kasan/kmemleak enabled vm:
1. run upstream nft python/shell tests.
   Without patch 2 and 3 doing so results in kernel crash.
   Some tests fail but afaics those are expected to
   fail on 5.10 due to lack of feature being tested.
2. Tested the 'conncount' feature (it's affected by last patch).
   Worked as designed.
3. ran nftables related kernel self tests.

No kmemleak or kasan splats were seen.

Eric Dumazet (1):
  netfilter: nftables: avoid potential overflows on 32bit arches

Pablo Neira Ayuso (2):
  netfilter: nf_tables: initialize set before expression setup
  netfilter: nftables: clone set element expression template

 net/netfilter/nf_tables_api.c | 89 ++++++++++++++++++++++-------------
 net/netfilter/nft_set_hash.c  | 10 ++--
 2 files changed, 62 insertions(+), 37 deletions(-)

