
[0/4] ipset patches for nf-next

Message ID 1528196913-13755-1-git-send-email-kadlec@blackhole.kfki.hu
State Accepted
Delegated to: Pablo Neira

Pull-request

git://blackhole.kfki.hu/nf-next 96569e20b

Message

Jozsef Kadlecsik June 5, 2018, 11:08 a.m. UTC
Hi Pablo,

Please pull the next patches for nf-next:

- Check hook mask for unsupported hooks instead of supported ones in xt_set.
  (Serhey Popovych).
- List/save just timing out entries with "timeout 1" instead of "timeout 0":
  zero timeout value means permanent entries. When restoring the elements,
  we'd add non-timing out entries. Fixes netfilter bugzilla id #1258.
- Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC due to the negative
  value condition in msecs_to_jiffies(). msecs_to_jiffies() should be revised:
  if one wants to set the timeout above 2147483, msecs_to_jiffies() sets
  the value to 4294967. (Reported by Maxim Masiutin).
- Forbid family for hash:mac sets in the kernel module: ipset userspace tool
  enforces it but third party tools could create sets with this parameter. Such
  sets then cannot be listed/saved with ipset itself. (Florent Fourcot)

Best regards,
Jozsef

The following changes since commit f624434a0ec96ac338f10f3f7f5a2ef287dd597e:

  Merge tag 'wireless-drivers-next-for-davem-2018-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next (2018-06-03 11:03:10 -0400)

are available in the git repository at:

  git://blackhole.kfki.hu/nf-next 96569e20b

for you to fetch changes up to 96569e20b472394072c40c41548a37f14bc10882:

  netfilter: ipset: forbid family for hash:mac sets (2018-06-05 12:41:29 +0200)

----------------------------------------------------------------
Florent Fourcot (1):
      netfilter: ipset: forbid family for hash:mac sets

Jozsef Kadlecsik (2):
      netfilter: ipset: List timing out entries with "timeout 1" instead of zero
      netfilter: ipset: Limit max timeout value

Serhey Popovych (1):
      netfilter: xt_set: Check hook mask correctly

 include/linux/netfilter/ipset/ip_set_timeout.h | 20 ++++++++++++++------
 net/netfilter/ipset/ip_set_hash_gen.h          |  5 ++++-
 net/netfilter/xt_set.c                         | 10 +++++-----
 3 files changed, 23 insertions(+), 12 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
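
The timeout cap in the third item above, worked through as an added user-space example (not code from the patches or from the kernel). It assumes a 32-bit unsigned int; the function and enum names are hypothetical, and it models only the seconds-to-milliseconds step, not msecs_to_jiffies() itself.

```c
#include <limits.h>
#include <stdio.h>

#define MSEC_PER_SEC 1000U
/* Cap named in the pull request: (UINT_MAX >> 1)/MSEC_PER_SEC seconds. */
#define MODEL_MAX_TIMEOUT ((UINT_MAX >> 1) / MSEC_PER_SEC)

/* Hypothetical labels for how a seconds value looks once it is milliseconds. */
enum ms_class { MS_OK, MS_NEGATIVE, MS_WRAPPED };

/* Seconds to milliseconds in unsigned int arithmetic (wraps modulo 2^32). */
static unsigned int secs_to_msecs_u32(unsigned int secs)
{
	return secs * MSEC_PER_SEC;
}

static enum ms_class classify_timeout(unsigned int secs)
{
	if (secs > UINT_MAX / MSEC_PER_SEC)
		return MS_WRAPPED;   /* product does not fit in 32 bits */
	if (secs_to_msecs_u32(secs) > (unsigned int)INT_MAX)
		return MS_NEGATIVE;  /* sign bit set when read as int */
	return MS_OK;
}

/* Clamp a requested timeout to the cap before any conversion happens. */
static unsigned int clamp_timeout(unsigned int secs)
{
	return secs > MODEL_MAX_TIMEOUT ? MODEL_MAX_TIMEOUT : secs;
}

int main(void)
{
	static const char *const name[] = { "ok", "negative", "wrapped" };
	/* Constructed sample timeouts (seconds) around both boundaries. */
	const unsigned int samples[] = { 600, 2147483, 2147484, 4294967, 4294968 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned int s = samples[i], c = clamp_timeout(s);

		printf("%10u s -> %10u ms (%-8s) clamped: %u s (%s)\n",
		       s, secs_to_msecs_u32(s), name[classify_timeout(s)],
		       c, name[classify_timeout(c)]);
	}
	return 0;
}
```

Every clamped value classifies as "ok", so a timeout that passes through the cap can reach neither the sign-bit case nor the 32-bit wrap.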

Comments

Pablo Neira Ayuso June 5, 2018, 3:19 p.m. UTC | #1
Hi Jozsef,

On Tue, Jun 05, 2018 at 01:08:29PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
> 
> Please pull the next patches for nf-next:
> 
> - Check hook mask for unsupported hooks instead of supported ones in xt_set.
>   (Serhey Popovych).
> - List/save just timing out entries with "timeout 1" instead of "timeout 0":
>   zero timeout value means permanent entries. When restoring the elements,
>   we'd add non-timing out entries. Fixes netfilter bugzilla id #1258.
> - Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC due to the negative
>   value condition in msecs_to_jiffies(). msecs_to_jiffies() should be revised:
>   if one wants to set the timeout above 2147483, msecs_to_jiffies() sets
>   the value to 4294967. (Reported by Maxim Masiutin).
> - Forbid family for hash:mac sets in the kernel module: ipset userspace tool
>   enforces it but third party tools could create sets with this parameter. Such
>   sets then cannot be listed/saved with ipset itself. (Florent Fourcot)

These are fixes and net-next is closed, please route them through nf.git.

Thanks !
Jozsef Kadlecsik June 5, 2018, 6:34 p.m. UTC | #2
Hi Pablo,

On Tue, 5 Jun 2018, Pablo Neira Ayuso wrote:

> These are fixes and net-next is closed, please route them through 
> nf.git.

No problem, I'll resubmit the patches when net-next opens up again, for 
nf.git.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary