Hello,
Here are three netfilter fixes for the *net* tree:
1. On-demand overlap detection in 'rbtree' set can cause memory leaks.
This is broken since 6.2.
2. An earlier fix in 6.4 to address an imbalance in refcounts during
transaction error unwinding was incomplete, from Pablo Neira.
3. Disallow adding a rule to a deleted chain, also from Pablo.
Broken since 5.9.
The following changes since commit d4a7ce642100765119a872d4aba1bf63e3a22c8a:
igc: Fix Kernel Panic during ndo_tx_timeout callback (2023-07-26 09:54:40 +0100)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-07-26
for you to fetch changes up to 0ebc1064e4874d5987722a2ddbc18f94aa53b211:
netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID (2023-07-26 16:48:49 +0200)
----------------------------------------------------------------
netfilter pull request 2023-07-26
----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_set_rbtree: fix overlap expiration walk

Pablo Neira Ayuso (2):
      netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
      netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

 net/netfilter/nf_tables_api.c  |  5 +++--
 net/netfilter/nft_immediate.c  | 27 ++++++++++++++++++---------
 net/netfilter/nft_set_rbtree.c | 20 ++++++++++++++------
 3 files changed, 35 insertions(+), 17 deletions(-)