Hi,

The following patchset contains Netfilter fixes for net. All fixes included in this batch address problems appearing in several releases:

1) Fix crash with malformed ebtables blob which does not provide all entry points, from Florian Westphal.

2) Fix possible TCP connection clogging up with default 5-days timeout in conntrack, from Florian.

3) Fix crash in nf_tables tproxy with unsupported chains, also from Florian.

4) Do not allow to update implicit chains.

5) Make table handle allocation per-netns to fix data race.

6) Do not truncate payload length and offset, and checksum offset. Instead report EINVAL.

7) Enable chain stats update via static key iff no error occurs.

8) Restrict osf expression to ip, ip6 and inet families.

9) Restrict tunnel expression to netdev family.

10) Fix crash when trying to bind again an already bound chain.

11) Flowtable garbage collector might leave behind pending work to delete entries. This patch comes with a previous preparation patch as dependency.

12) Allow net.netfilter.nf_conntrack_frag6_high_thresh to be lowered, from Eric Dumazet.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.
----------------------------------------------------------------
The following changes since commit 855a28f9c96c80e6cbd2d986a857235e34868064:

  net: dsa: don't dereference NULL extack in dsa_slave_changeupper() (2022-08-23 07:54:16 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 00cd7bf9f9e06769ef84d5102774c8becd6a498a:

  netfilter: nf_defrag_ipv6: allow nf_conntrack_frag6_high_thresh increases (2022-08-24 08:06:44 +0200)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: nf_defrag_ipv6: allow nf_conntrack_frag6_high_thresh increases

Florian Westphal (3):
      netfilter: ebtables: reject blobs that don't provide all entry points
      netfilter: conntrack: work around exceeded receive window
      netfilter: nft_tproxy: restrict to prerouting hook

Pablo Neira Ayuso (10):
      netfilter: nf_tables: disallow updates of implicit chain
      netfilter: nf_tables: make table handle allocation per-netns friendly
      netfilter: nft_payload: report ERANGE for too long offset and length
      netfilter: nft_payload: do not truncate csum_offset and csum_type
      netfilter: nf_tables: do not leave chain stats enabled on error
      netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families
      netfilter: nft_tunnel: restrict it to netdev family
      netfilter: nf_tables: disallow binding to already bound chain
      netfilter: flowtable: add function to invoke garbage collection immediately
      netfilter: flowtable: fix stuck flows on cleanup due to pending work

 include/linux/netfilter_bridge/ebtables.h |  4 ----
 include/net/netfilter/nf_flow_table.h     |  3 +++
 include/net/netfilter/nf_tables.h         |  1 +
 net/bridge/netfilter/ebtable_broute.c     |  8 --------
 net/bridge/netfilter/ebtable_filter.c     |  8 --------
 net/bridge/netfilter/ebtable_nat.c        |  8 --------
 net/bridge/netfilter/ebtables.c           |  8 +-------
 net/ipv6/netfilter/nf_conntrack_reasm.c   |  1 -
 net/netfilter/nf_conntrack_proto_tcp.c    | 31 +++++++++++++++++++++++++++++++
 net/netfilter/nf_flow_table_core.c        | 15 ++++++++++-----
 net/netfilter/nf_flow_table_offload.c     |  8 ++++++++
 net/netfilter/nf_tables_api.c             | 14 ++++++++++----
 net/netfilter/nft_osf.c                   | 18 +++++++++++++++---
 net/netfilter/nft_payload.c               | 29 +++++++++++++++++++++--------
 net/netfilter/nft_tproxy.c                |  8 ++++++++
 net/netfilter/nft_tunnel.c                |  1 +
 16 files changed, 109 insertions(+), 56 deletions(-)