[0/5] Netfilter fixes for net

Message ID 20180312161604.3060-1-pablo@netfilter.org
State Accepted, archived
Delegated to: David Miller

Pull-request

git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

Message

Pablo Neira Ayuso March 12, 2018, 4:15 p.m. UTC
Hi David,

The following patchset contains Netfilter fixes for your net tree, they are:

1) Fixed hashtable representation doesn't support timeout flag, skip it
   otherwise rules to add elements from the packet bogusly fail with
   EOPNOTSUPP.

2) Fix bogus error with 32-bits ebtables userspace and 64-bits kernel,
   patch from Florian Westphal.

3) Sanitize proc names in several x_tables extensions, also from Florian.

4) Add sanitization to ebt_among wormhash logic, from Florian.

5) Missing release of hook array in flowtable.


You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit ce380619fab99036f5e745c7a865b21c59f005f6:

  Merge tag 'please-pull-ia64_misc' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux (2018-03-05 20:31:14 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to c04a3f730021c304c7cc4bc30ee57ee70ad98d57:

  netfilter: nf_tables: release flowtable hooks (2018-03-11 21:24:56 +0100)

----------------------------------------------------------------
Florian Westphal (3):
      netfilter: ebtables: fix erroneous reject of last rule
      netfilter: x_tables: add and use xt_check_proc_name
      netfilter: bridge: ebt_among: add more missing match size checks

Pablo Neira Ayuso (2):
      netfilter: nft_set_hash: skip fixed hash if timeout is specified
      netfilter: nf_tables: release flowtable hooks

 include/linux/netfilter/x_tables.h |  2 ++
 net/bridge/netfilter/ebt_among.c   | 34 ++++++++++++++++++++++++++++++++++
 net/bridge/netfilter/ebtables.c    |  6 +++++-
 net/netfilter/nf_tables_api.c      |  1 +
 net/netfilter/nft_set_hash.c       |  2 +-
 net/netfilter/x_tables.c           | 30 ++++++++++++++++++++++++++++++
 net/netfilter/xt_hashlimit.c       | 16 ++++++++++------
 net/netfilter/xt_recent.c          |  6 +++---
 8 files changed, 86 insertions(+), 11 deletions(-)

Comments

David Miller March 12, 2018, 4:50 p.m. UTC | #1
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 12 Mar 2018 17:15:59 +0100

> The following patchset contains Netfilter fixes for your net tree, they are:
> 
> 1) Fixed hashtable representation doesn't support timeout flag, skip it
>    otherwise rules to add elements from the packet bogusly fail with
>    EOPNOTSUPP.
> 
> 2) Fix bogus error with 32-bits ebtables userspace and 64-bits kernel,
>    patch from Florian Westphal.
> 
> 3) Sanitize proc names in several x_tables extensions, also from Florian.
> 
> 4) Add sanitization to ebt_among wormhash logic, from Florian.
> 
> 5) Missing release of hook array in flowtable.

Pulled, thank you.