mbox

[net,0/3] netfilter fixes for net

Message ID 20230726152524.26268-1-fw@strlen.de (mailing list archive)
State Accepted
Delegated to: Netdev Maintainers
Headers show

Pull-request

https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-07-26

Message

Florian Westphal July 26, 2023, 3:23 p.m. UTC
Hello,

Here are three netfilter fixes for the *net* tree:
1. On-demand overlap detection in 'rbtree' set can cause memory leaks.
   This is broken since 6.2.

2. An earlier fix in 6.4 to address an imbalance in refcounts during
   transaction error unwinding was incomplete, from Pablo Neira.

3. Disallow adding a rule to a deleted chain, also from Pablo.
   Broken since 5.9.

The following changes since commit d4a7ce642100765119a872d4aba1bf63e3a22c8a:

  igc: Fix Kernel Panic during ndo_tx_timeout callback (2023-07-26 09:54:40 +0100)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-07-26

for you to fetch changes up to 0ebc1064e4874d5987722a2ddbc18f94aa53b211:

  netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID (2023-07-26 16:48:49 +0200)

----------------------------------------------------------------
netfilter pull request 2023-07-26

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_set_rbtree: fix overlap expiration walk

Pablo Neira Ayuso (2):
      netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
      netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

 net/netfilter/nf_tables_api.c  |  5 +++--
 net/netfilter/nft_immediate.c  | 27 ++++++++++++++++++---------
 net/netfilter/nft_set_rbtree.c | 20 ++++++++++++++------
 3 files changed, 35 insertions(+), 17 deletions(-)