On Sat, 12 Mar 2022 23:03:12 +0100 Pablo Neira Ayuso wrote:

> 1) Revert port remap to mitigate shadowing service ports, this is causing
> problems in existing setups and this mitigation can be achieved with
> explicit ruleset, eg.
>
> ... tcp sport < 16386 tcp dport >= 32768 masquerade random
>
> These patches provided a built-in policy similar to the one described above.
>
> 2) Disable register tracking infrastructure in nf_tables. Florian reported
> two issues:
>
> - Existing expressions with no implemented .reduce interface
> that causes data-store on register should cancel the tracking.
> - Register clobbering might be possible storing data on registers that
> are larger than 32-bits.
>
> This might lead to generating incorrect ruleset bytecode. These two
> issues are scheduled to be addressed in the next release cycle.

Minor nit for the future - it'd still be useful to have Fixes tags even for
reverts or current release fixes so that lowly backporters (myself included)
do not have to dig into history to double confirm patches are not needed in
the production kernels we maintain.

Thanks!