Hi,

The following patchset contains Netfilter fixes for net coming late in
the 5.17-rc process:

1) Revert port remap to mitigate shadowing service ports, this is causing
   problems in existing setups and this mitigation can be achieved with
   explicit ruleset, e.g.

	... tcp sport < 16386 tcp dport >= 32768 masquerade random

   These patches provided a built-in policy similar to the one described above.

2) Disable register tracking infrastructure in nf_tables. Florian reported
   two issues:

   - Existing expressions with no implemented .reduce interface
     that cause data-store on register should cancel the tracking.
   - Register clobbering might be possible storing data on registers that
     are larger than 32-bits.

   This might lead to generating incorrect ruleset bytecode. These two
   issues are scheduled to be addressed in the next release cycle.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit f8e9bd34cedd89b93b1167aa32ab8ecd6c2ccf4a:

  Merge branch 'smc-fix' (2022-03-03 10:34:18 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to ed5f85d4229010235eab1e3d9acf6970d9304963:

  netfilter: nf_tables: disable register tracking (2022-03-12 16:07:38 +0100)

----------------------------------------------------------------
Florian Westphal (2):
      Revert "netfilter: nat: force port remap to prevent shadowing well-known ports"
      Revert "netfilter: conntrack: tag conntracks picked up in local out hook"

Pablo Neira Ayuso (1):
      netfilter: nf_tables: disable register tracking

 include/net/netfilter/nf_conntrack.h         |  1 -
 net/netfilter/nf_conntrack_core.c            |  3 --
 net/netfilter/nf_nat_core.c                  | 43 ++--------------------------
 net/netfilter/nf_tables_api.c                |  9 ++++--
 tools/testing/selftests/netfilter/nft_nat.sh |  5 ++--
 5 files changed, 12 insertions(+), 49 deletions(-)