Commit d7fba8ff authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Do not refresh timeout in SYN_SENT for syn retransmissions.
   Add selftest for unreplied TCP connection, from Florian Westphal.

2) Fix null dereference from error path with hardware offload
   in nftables.

3) Remove useless nf_ct_gre_keymap_flush() from netns exit path,
   from Vasily Averin.

4) Missing rcu read-lock side in ctnetlink helper info dump,
   also from Vasily.

5) Do not mark RST in the reply direction coming after SYN packet
   for an out-of-sync entry, from Ali Abdallah and Florian Westphal.

6) Add tcp_ignore_invalid_rst sysctl to allow to disable out of
   segment RSTs, from Ali.

7) KCSAN fix for nf_conntrack_all_lock(), from Manfred Spraul.

8) Honor NFTA_LAST_SET in nft_last.

9) Fix incorrect arithmetics when restore last_jiffies in nft_last.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 0e02bf5d d322957e
+6 −0
@@ -110,6 +110,12 @@ nf_conntrack_tcp_be_liberal - BOOLEAN
	Be conservative in what you do, be liberal in what you accept from others.
	If it's non-zero, we mark only out of window RST segments as INVALID.

nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
	- 0 - disabled (default)
	- 1 - enabled

	If it's 1, we don't mark out of window RST segments as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)
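Review bot: the new nf_conntrack_tcp_ignore_invalid_rst entry says only "If it's 1", which leaves other non-zero values undefined, and it does not say how it relates to nf_conntrack_tcp_be_liberal directly above, whose text ("we mark only out of window RST segments as INVALID") describes a different policy for the same segments. Suggest stating which setting wins when both are set, and noting that with this enabled out-of-window RSTs are no longer classified INVALID, so rulesets that rely on dropping INVALID packets stop filtering them.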
+0 −1
@@ -30,7 +30,6 @@ void nf_conntrack_cleanup_net(struct net *net);
void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list);

void nf_conntrack_proto_pernet_init(struct net *net);
void nf_conntrack_proto_pernet_fini(struct net *net);

int nf_conntrack_proto_init(void);
void nf_conntrack_proto_fini(void);
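Review bot: the +/- markers are lost in this rendering, but the hunk header (7 lines to 6) shows one declaration leaving this header, and if it is nf_conntrack_proto_pernet_fini() then nf_conntrack_proto_pernet_init() is left without a visible teardown counterpart. Suggest confirming that the definition and every caller go away in the same change, and that whatever pernet_init sets up needs no per-netns cleanup, with a line in the commit message saying so.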
+1 −0
@@ -27,6 +27,7 @@ struct nf_tcp_net {
	u8 tcp_loose;
	u8 tcp_be_liberal;
	u8 tcp_max_retrans;
	u8 tcp_ignore_invalid_rst;
#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
	unsigned int offload_timeout;
	unsigned int offload_pickup;
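Review bot: tcp_ignore_invalid_rst is a full u8 while the documentation describes a boolean with values 0 and 1, and nothing in this hunk shows the accepted range or the initial value. Suggest making sure the sysctl handler restricts writes to 0..1 and that the per-netns init sets the field to 0 explicitly, to match the documented default. Placement after tcp_max_retrans keeps the u8 members together, which is fine.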
+1 −1
@@ -61,7 +61,7 @@ enum nfulnl_attr_type {
	NFULA_HWTYPE,			/* hardware type */
	NFULA_HWHEADER,			/* hardware header */
	NFULA_HWLEN,			/* hardware header length */
	NFULA_CT,                       /* nf_conntrack_netlink.h */
	NFULA_CT,                       /* nfnetlink_conntrack.h */
	NFULA_CT_INFO,                  /* enum ip_conntrack_info */
	NFULA_VLAN,			/* nested attribute: packet vlan info */
	NFULA_L2HDR,			/* full L2 header */
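Review bot: style point on the NFULA_CT line: it pads the comment column with spaces where the neighbouring entries (NFULA_HWTYPE, NFULA_VLAN) use tabs. Since the line is being touched for the header-name fix anyway, converting the padding to tabs would bring it in line with the rest of the enum.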
+2 −2
@@ -51,11 +51,11 @@ enum nfqnl_attr_type {
	NFQA_IFINDEX_PHYSOUTDEV,	/* __u32 ifindex */
	NFQA_HWADDR,			/* nfqnl_msg_packet_hw */
	NFQA_PAYLOAD,			/* opaque data payload */
	NFQA_CT,			/* nf_conntrack_netlink.h */
	NFQA_CT,			/* nfnetlink_conntrack.h */
	NFQA_CT_INFO,			/* enum ip_conntrack_info */
	NFQA_CAP_LEN,			/* __u32 length of captured packet */
	NFQA_SKB_INFO,			/* __u32 skb meta information */
	NFQA_EXP,			/* nf_conntrack_netlink.h */
	NFQA_EXP,			/* nfnetlink_conntrack.h */
	NFQA_UID,			/* __u32 sk uid */
	NFQA_GID,			/* __u32 sk gid */
	NFQA_SECCTX,			/* security context string */
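Review bot: the corrected comments on NFQA_CT and NFQA_EXP name only a header file, while the other entries in this enum document the payload itself (for example "__u32 ifindex" or "enum ip_conntrack_info"). Suggest stating the payload form and which attribute enum in nfnetlink_conntrack.h each one carries, so that a userspace parser author does not have to guess.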