[0/4] Netfilter/IPVS fixes for net

Message ID 1422737711-5169-1-git-send-email-pablo@netfilter.org
State Awaiting Upstream
Delegated to: Pablo Neira

Pull-request

git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

Message

Pablo Neira Ayuso Jan. 31, 2015, 8:55 p.m. UTC
Hi David,

The following patchset contains Netfilter/IPVS fixes for your net tree,
they are:

1) Validate hooks for nf_tables NAT expressions, otherwise users can
   crash the kernel when using them from the wrong hook. We already
   got one user trapped on this when configuring masquerading.

2) Fix a BUG splat in nf_tables with CONFIG_DEBUG_PREEMPT=y. Reported
   by Andreas Schultz.

3) Avoid unnecessary reroute of traffic in the local input path
   in IPVS that triggers a crash in xfrm. Reported by Florian
   Wiessner and fixed by Julian Anastasov.

4) Fix memory and module refcount leak from the error path of
   nf_tables_newchain().

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 2061dcd6bff8b774b4fac8b0739b6be3f87bc9f2:

  net: sctp: fix race for one-to-many sockets in sendmsg's auto associate (2015-01-17 23:52:20 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to f5553c19ff9058136e7082c0b1f4268e705ea538:

  netfilter: nf_tables: fix leaks in error path of nf_tables_newchain() (2015-01-30 18:42:08 +0100)

----------------------------------------------------------------
Julian Anastasov (1):
      ipvs: rerouting to local clients is not needed anymore

Pablo Neira Ayuso (3):
      netfilter: nf_tables: validate hooks in NAT expressions
      netfilter: nf_tables: disable preemption when restoring chain counters
      netfilter: nf_tables: fix leaks in error path of nf_tables_newchain()

 include/net/netfilter/nf_tables.h        |    2 ++
 net/bridge/netfilter/nft_reject_bridge.c |   29 +++++-----------------
 net/netfilter/ipvs/ip_vs_core.c          |   33 ++++++++++++++++--------
 net/netfilter/nf_tables_api.c            |   28 +++++++++++++++++++--
 net/netfilter/nft_masq.c                 |   26 ++++++++++++-------
 net/netfilter/nft_nat.c                  |   40 ++++++++++++++++++++++--------
 net/netfilter/nft_redir.c                |   25 +++++++++++++------
 7 files changed, 120 insertions(+), 63 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Miller Feb. 3, 2015, 3:31 a.m. UTC | #1
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 31 Jan 2015 21:55:07 +0100

> The following patchset contains Netfilter/IPVS fixes for your net tree,
> they are:
> 
> 1) Validate hooks for nf_tables NAT expressions, otherwise users can
>    crash the kernel when using them from the wrong hook. We already
>    got one user trapped on this when configuring masquerading.
> 
> 2) Fix a BUG splat in nf_tables with CONFIG_DEBUG_PREEMPT=y. Reported
>    by Andreas Schultz.
> 
> 3) Avoid unnecessary reroute of traffic in the local input path
>    in IPVS that triggers a crash in xfrm. Reported by Florian
>    Wiessner and fixed by Julian Anastasov.
> 
> 4) Fix memory and module refcount leak from the error path of
>    nf_tables_newchain().

Pulled, thanks Pablo.