Commit 24c7a64e authored by Jakub Kicinski's avatar Jakub Kicinski
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

1) Fix crash with malformed ebtables blob which do not provide all
   entry points, from Florian Westphal.

2) Fix possible TCP connection clogging up with default 5-days
   timeout in conntrack, from Florian.

3) Fix crash in nf_tables tproxy with unsupported chains, also from Florian.

4) Do not allow to update implicit chains.

5) Make table handle allocation per-netns to fix data race.

6) Do not truncate payload length and offset, and checksum offset.
   Instead report EINVAL.

7) Enable chain stats update via static key iff no error occurs.

8) Restrict osf expression to ip, ip6 and inet families.

9) Restrict tunnel expression to netdev family.

10) Fix crash when trying to bind again an already bound chain.

11) Flowtable garbage collector might leave behind pending work to
    delete entries. This patch comes with a previous preparation patch
    as dependency.

12) Allow net.netfilter.nf_conntrack_frag6_high_thresh to be lowered,
    from Eric Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nf_defrag_ipv6: allow nf_conntrack_frag6_high_thresh increases
  netfilter: flowtable: fix stuck flows on cleanup due to pending work
  netfilter: flowtable: add function to invoke garbage collection immediately
  netfilter: nf_tables: disallow binding to already bound chain
  netfilter: nft_tunnel: restrict it to netdev family
  netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families
  netfilter: nf_tables: do not leave chain stats enabled on error
  netfilter: nft_payload: do not truncate csum_offset and csum_type
  netfilter: nft_payload: report ERANGE for too long offset and length
  netfilter: nf_tables: make table handle allocation per-netns friendly
  netfilter: nf_tables: disallow updates of implicit chain
  netfilter: nft_tproxy: restrict to prerouting hook
  netfilter: conntrack: work around exceeded receive window
  netfilter: ebtables: reject blobs that don't provide all entry points
====================

Link: https://lore.kernel.org/r/20220824220330.64283-1-pablo@netfilter.org


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents b09da012 00cd7bf9
+0 −4
@@ -94,10 +94,6 @@ struct ebt_table {
	struct ebt_replace_kernel *table;
	unsigned int valid_hooks;
	rwlock_t lock;
	/* e.g. could be the table explicitly only allows certain
	 * matches, targets, ... 0 == let it in */
	int (*check)(const struct ebt_table_info *info,
	   unsigned int valid_hooks);
	/* the data used by the kernel */
	struct ebt_table_info *private;
	struct nf_hook_ops *ops;
+3 −0
@@ -270,6 +270,7 @@ void flow_offload_refresh(struct nf_flowtable *flow_table,

struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table,
						     struct flow_offload_tuple *tuple);
void nf_flow_table_gc_run(struct nf_flowtable *flow_table);
void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable,
			      struct net_device *dev);
void nf_flow_table_cleanup(struct net_device *dev);
@@ -306,6 +307,8 @@ void nf_flow_offload_stats(struct nf_flowtable *flowtable,
			   struct flow_offload *flow);

void nf_flow_table_offload_flush(struct nf_flowtable *flowtable);
void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable);

int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
				struct net_device *dev,
				enum flow_block_command cmd);
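Review bot: The two new declarations, `nf_flow_table_gc_run` at the end of the first hunk and `nf_flow_table_offload_flush_cleanup` in the second, go into the public header with no comment saying when a caller should use them instead of the existing `nf_flow_table_gc_cleanup` / `nf_flow_table_offload_flush` pair. Going by the commit list ("add function to invoke garbage collection immediately", "fix stuck flows on cleanup due to pending work"), a one-line comment above each would make the contract explicit, e.g. `/* Run one flowtable gc pass synchronously; use on teardown so no entry is left to deferred work */` and `/* Flush queued offload work for this flowtable before teardown (presumably followed by a gc pass -- confirm against the definition) */`. Whether either function may sleep or needs a lock held is not visible from the header, so that should be checked at the definitions before being written into the comments.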
+1 −0
@@ -1652,6 +1652,7 @@ struct nftables_pernet {
	struct list_head	module_list;
	struct list_head	notify_list;
	struct mutex		commit_mutex;
	u64			table_handle;
	unsigned int		base_seq;
	u8			validate_state;
};
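Review bot: The new `table_handle` member of `struct nftables_pernet` is added without a comment, and nothing in the hunk tells a reader what serialises access to it. From the commit list ("make table handle allocation per-netns friendly") it is the per-namespace counter that replaces a global one; a comment such as `u64 table_handle; /* last allocated table handle in this netns; presumably advanced under commit_mutex -- confirm at the allocation site */` would record that for the next maintainer. The allocation site itself is outside this page, so whether the increment really happens under `commit_mutex` should be verified there rather than assumed from the neighbouring field.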
+0 −8
@@ -36,18 +36,10 @@ static struct ebt_replace_kernel initial_table = {
	.entries	= (char *)&initial_chain,
};

static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
{
	if (valid_hooks & ~(1 << NF_BR_BROUTING))
		return -EINVAL;
	return 0;
}

static const struct ebt_table broute_table = {
	.name		= "broute",
	.table		= &initial_table,
	.valid_hooks	= 1 << NF_BR_BROUTING,
	.check		= check,
	.me		= THIS_MODULE,
};

+0 −8
@@ -43,18 +43,10 @@ static struct ebt_replace_kernel initial_table = {
	.entries	= (char *)initial_chains,
};

static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
{
	if (valid_hooks & ~FILTER_VALID_HOOKS)
		return -EINVAL;
	return 0;
}

static const struct ebt_table frame_filter = {
	.name		= "filter",
	.table		= &initial_table,
	.valid_hooks	= FILTER_VALID_HOOKS,
	.check		= check,
	.me		= THIS_MODULE,
};
