mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-04 04:04:19 +00:00
netfilter pull request 23-11-08
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmVLrH8ACgkQ1V2XiooU IOQBZxAAly/nvsb1D045b0FnHAWeB0+w1/1eiydfjIXNOYWVVCrDOLaVDOSnsYHy CWVij0REo4Sikkbc82UmggJdNcMDeEYtowNjCHtyE+ts4DcVlgqSq3uTdCnuCgsG t8rT40jZfAMbhgaM1e/kDMk6GfwDwLfKWExt6Wj2FhN5Kdh7UcSXZAyx+yRHbOM5 25uaZlBHBj2r9iEJokFXQ3zHXQJw4I2zxxZ4dFUSTUYNWEPsGCf5whpqsBgMmq/0 LDCiNQ7vdF4y6tZkD2PLnU8vYsF0t9aA6TKetsXT3BXZ2mkz5AJ2aAME9Fyn6aQW axTi8T02o6oFASAhl8Osc6J6sls0oQ44VswLl5OvOgvWtZOVYGrvXR6mHesPfbKr yeRNrVdFrlLWvNmHxuRU0/LeKfzmOih6QGFQ4NZ8lAFzsiCb6j7CSK9zqbnU9Hjb 36N+VRP/lexGbHhhemBcsGGEOoHdtDtBSjjXSsahEOqIfQ/rI3dVYfYTQ/R3/fpk i2DYkgf9BeuvRANukNbBi1TaphqCvV2N0ozStbNrmf0vcbq6+z4vkga2dQGUq/+I uYRSSQMhB9ZnSdoOpvDjYZWIUx96Vkm6HPBRUl70w4n2bUUri/1Qaq1u2ySPhIIY d7xh7271kXwjHiD7cdcwLa4+D5Ap/ZhWu49Jofb0iIQdvPr5O2w= =8Kr3 -----END PGP SIGNATURE----- Merge tag 'nf-23-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Add missing netfilter modules description to fix W=1, from Florian Westphal. 2) Fix catch-all element GC with timeout when use with the pipapo set backend, this remained broken since I tried to fix it this summer, then another attempt to fix it recently. 3) Add missing IPVS modules descriptions to fix W=1, also from Florian. 4) xt_recent allocated a too small buffer to store an IPv4-mapped IPv6 address which can be parsed by in6_pton(), from Maciej Zenczykowski. Broken for many releases. 5) Skip IPv4-mapped IPv6, IPv4-compat IPv6, site/link local scoped IPv6 addressses to set up IPv6 NAT redirect, also from Florian. This is broken since 2012. * tag 'nf-23-11-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses netfilter: xt_recent: fix (increase) ipv6 literal buffer length ipvs: add missing module descriptions netfilter: nf_tables: remove catchall element in GC sync path netfilter: add missing module descriptions ==================== Link: https://lore.kernel.org/r/20231108155802.84617-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
commit
0613736e8a
@ -135,3 +135,4 @@ static void __exit ebtable_broute_fini(void)
|
||||
module_init(ebtable_broute_init);
|
||||
module_exit(ebtable_broute_fini);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("Force packets to be routed instead of bridged");
|
||||
|
@ -116,3 +116,4 @@ static void __exit ebtable_filter_fini(void)
|
||||
module_init(ebtable_filter_init);
|
||||
module_exit(ebtable_filter_fini);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ebtables legacy filter table");
|
||||
|
@ -116,3 +116,4 @@ static void __exit ebtable_nat_fini(void)
|
||||
module_init(ebtable_nat_init);
|
||||
module_exit(ebtable_nat_fini);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ebtables legacy stateless nat table");
|
||||
|
@ -2595,3 +2595,4 @@ EXPORT_SYMBOL(ebt_do_table);
|
||||
module_init(ebtables_init);
|
||||
module_exit(ebtables_fini);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ebtables legacy core");
|
||||
|
@ -416,3 +416,4 @@ module_exit(nf_conntrack_l3proto_bridge_fini);
|
||||
|
||||
MODULE_ALIAS("nf_conntrack-" __stringify(AF_BRIDGE));
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("Bridge IPv4 and IPv6 connection tracking");
|
||||
|
@ -170,3 +170,4 @@ module_init(iptable_nat_init);
|
||||
module_exit(iptable_nat_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("iptables legacy nat table");
|
||||
|
@ -108,3 +108,4 @@ static void __exit iptable_raw_fini(void)
|
||||
module_init(iptable_raw_init);
|
||||
module_exit(iptable_raw_fini);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("iptables legacy raw table");
|
||||
|
@ -186,3 +186,4 @@ module_init(nf_defrag_init);
|
||||
module_exit(nf_defrag_fini);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("IPv4 defragmentation support");
|
||||
|
@ -336,3 +336,4 @@ void nf_send_unreach(struct sk_buff *skb_in, int code, int hook)
|
||||
EXPORT_SYMBOL_GPL(nf_send_unreach);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("IPv4 packet rejection core");
|
||||
|
@ -170,3 +170,4 @@ module_init(ip6table_nat_init);
|
||||
module_exit(ip6table_nat_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("Ip6tables legacy nat table");
|
||||
|
@ -106,3 +106,4 @@ static void __exit ip6table_raw_fini(void)
|
||||
module_init(ip6table_raw_init);
|
||||
module_exit(ip6table_raw_fini);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("Ip6tables legacy raw table");
|
||||
|
@ -182,3 +182,4 @@ module_init(nf_defrag_init);
|
||||
module_exit(nf_defrag_fini);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("IPv6 defragmentation support");
|
||||
|
@ -413,3 +413,4 @@ void nf_send_unreach6(struct net *net, struct sk_buff *skb_in,
|
||||
EXPORT_SYMBOL_GPL(nf_send_unreach6);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("IPv6 packet rejection core");
|
||||
|
@ -2450,3 +2450,4 @@ static void __exit ip_vs_cleanup(void)
|
||||
module_init(ip_vs_init);
|
||||
module_exit(ip_vs_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("IP Virtual Server");
|
||||
|
@ -270,3 +270,4 @@ static void __exit ip_vs_dh_cleanup(void)
|
||||
module_init(ip_vs_dh_init);
|
||||
module_exit(ip_vs_dh_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs destination hashing scheduler");
|
||||
|
@ -72,3 +72,4 @@ static void __exit ip_vs_fo_cleanup(void)
|
||||
module_init(ip_vs_fo_init);
|
||||
module_exit(ip_vs_fo_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs weighted failover scheduler");
|
||||
|
@ -635,3 +635,4 @@ static void __exit ip_vs_ftp_exit(void)
|
||||
module_init(ip_vs_ftp_init);
|
||||
module_exit(ip_vs_ftp_exit);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs ftp helper");
|
||||
|
@ -632,3 +632,4 @@ static void __exit ip_vs_lblc_cleanup(void)
|
||||
module_init(ip_vs_lblc_init);
|
||||
module_exit(ip_vs_lblc_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs locality-based least-connection scheduler");
|
||||
|
@ -817,3 +817,4 @@ static void __exit ip_vs_lblcr_cleanup(void)
|
||||
module_init(ip_vs_lblcr_init);
|
||||
module_exit(ip_vs_lblcr_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs locality-based least-connection with replication scheduler");
|
||||
|
@ -86,3 +86,4 @@ static void __exit ip_vs_lc_cleanup(void)
|
||||
module_init(ip_vs_lc_init);
|
||||
module_exit(ip_vs_lc_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs least connection scheduler");
|
||||
|
@ -136,3 +136,4 @@ static void __exit ip_vs_nq_cleanup(void)
|
||||
module_init(ip_vs_nq_init);
|
||||
module_exit(ip_vs_nq_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs never queue scheduler");
|
||||
|
@ -79,3 +79,4 @@ static void __exit ip_vs_ovf_cleanup(void)
|
||||
module_init(ip_vs_ovf_init);
|
||||
module_exit(ip_vs_ovf_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs overflow connection scheduler");
|
||||
|
@ -185,3 +185,4 @@ static void __exit ip_vs_sip_cleanup(void)
|
||||
module_init(ip_vs_sip_init);
|
||||
module_exit(ip_vs_sip_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs sip helper");
|
||||
|
@ -122,4 +122,5 @@ static void __exit ip_vs_rr_cleanup(void)
|
||||
|
||||
module_init(ip_vs_rr_init);
|
||||
module_exit(ip_vs_rr_cleanup);
|
||||
MODULE_DESCRIPTION("ipvs round-robin scheduler");
|
||||
MODULE_LICENSE("GPL");
|
||||
|
@ -137,3 +137,4 @@ static void __exit ip_vs_sed_cleanup(void)
|
||||
module_init(ip_vs_sed_init);
|
||||
module_exit(ip_vs_sed_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs shortest expected delay scheduler");
|
||||
|
@ -376,3 +376,4 @@ static void __exit ip_vs_sh_cleanup(void)
|
||||
module_init(ip_vs_sh_init);
|
||||
module_exit(ip_vs_sh_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs source hashing scheduler");
|
||||
|
@ -137,3 +137,4 @@ static void __exit ip_vs_twos_cleanup(void)
|
||||
module_init(ip_vs_twos_init);
|
||||
module_exit(ip_vs_twos_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs power of twos choice scheduler");
|
||||
|
@ -109,3 +109,4 @@ static void __exit ip_vs_wlc_cleanup(void)
|
||||
module_init(ip_vs_wlc_init);
|
||||
module_exit(ip_vs_wlc_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs weighted least connection scheduler");
|
||||
|
@ -263,3 +263,4 @@ static void __exit ip_vs_wrr_cleanup(void)
|
||||
module_init(ip_vs_wrr_init);
|
||||
module_exit(ip_vs_wrr_cleanup);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("ipvs weighted round-robin scheduler");
|
||||
|
@ -82,3 +82,4 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb,
|
||||
EXPORT_SYMBOL_GPL(nf_conntrack_broadcast_help);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("Broadcast connection tracking helper");
|
||||
|
@ -57,6 +57,7 @@
|
||||
#include "nf_internals.h"
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("List and change connection tracking table");
|
||||
|
||||
struct ctnetlink_list_dump_ctx {
|
||||
struct nf_conn *last;
|
||||
|
@ -699,3 +699,4 @@ MODULE_ALIAS("ip_conntrack");
|
||||
MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
|
||||
MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("IPv4 and IPv6 connection tracking");
|
||||
|
@ -1263,6 +1263,7 @@ static void __exit nf_nat_cleanup(void)
|
||||
}
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("Network address translation core");
|
||||
|
||||
module_init(nf_nat_init);
|
||||
module_exit(nf_nat_cleanup);
|
||||
|
@ -80,6 +80,26 @@ EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv4);
|
||||
|
||||
static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;
|
||||
|
||||
static bool nf_nat_redirect_ipv6_usable(const struct inet6_ifaddr *ifa, unsigned int scope)
|
||||
{
|
||||
unsigned int ifa_addr_type = ipv6_addr_type(&ifa->addr);
|
||||
|
||||
if (ifa_addr_type & IPV6_ADDR_MAPPED)
|
||||
return false;
|
||||
|
||||
if ((ifa->flags & IFA_F_TENTATIVE) && (!(ifa->flags & IFA_F_OPTIMISTIC)))
|
||||
return false;
|
||||
|
||||
if (scope) {
|
||||
unsigned int ifa_scope = ifa_addr_type & IPV6_ADDR_SCOPE_MASK;
|
||||
|
||||
if (!(scope & ifa_scope))
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
unsigned int
|
||||
nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
|
||||
unsigned int hooknum)
|
||||
@ -89,14 +109,19 @@ nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
|
||||
if (hooknum == NF_INET_LOCAL_OUT) {
|
||||
newdst.in6 = loopback_addr;
|
||||
} else {
|
||||
unsigned int scope = ipv6_addr_scope(&ipv6_hdr(skb)->daddr);
|
||||
struct inet6_dev *idev;
|
||||
struct inet6_ifaddr *ifa;
|
||||
bool addr = false;
|
||||
|
||||
idev = __in6_dev_get(skb->dev);
|
||||
if (idev != NULL) {
|
||||
const struct inet6_ifaddr *ifa;
|
||||
|
||||
read_lock_bh(&idev->lock);
|
||||
list_for_each_entry(ifa, &idev->addr_list, if_list) {
|
||||
if (!nf_nat_redirect_ipv6_usable(ifa, scope))
|
||||
continue;
|
||||
|
||||
newdst.in6 = ifa->addr;
|
||||
addr = true;
|
||||
break;
|
||||
|
@ -6520,6 +6520,12 @@ static int nft_setelem_deactivate(const struct net *net,
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
|
||||
{
|
||||
list_del_rcu(&catchall->list);
|
||||
kfree_rcu(catchall, rcu);
|
||||
}
|
||||
|
||||
static void nft_setelem_catchall_remove(const struct net *net,
|
||||
const struct nft_set *set,
|
||||
struct nft_elem_priv *elem_priv)
|
||||
@ -6528,8 +6534,7 @@ static void nft_setelem_catchall_remove(const struct net *net,
|
||||
|
||||
list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
|
||||
if (catchall->elem == elem_priv) {
|
||||
list_del_rcu(&catchall->list);
|
||||
kfree_rcu(catchall, rcu);
|
||||
nft_setelem_catchall_destroy(catchall);
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -9678,11 +9683,12 @@ static struct nft_trans_gc *nft_trans_gc_catchall(struct nft_trans_gc *gc,
|
||||
unsigned int gc_seq,
|
||||
bool sync)
|
||||
{
|
||||
struct nft_set_elem_catchall *catchall;
|
||||
struct nft_set_elem_catchall *catchall, *next;
|
||||
const struct nft_set *set = gc->set;
|
||||
struct nft_elem_priv *elem_priv;
|
||||
struct nft_set_ext *ext;
|
||||
|
||||
list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
|
||||
list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
|
||||
ext = nft_set_elem_ext(set, catchall->elem);
|
||||
|
||||
if (!nft_set_elem_expired(ext))
|
||||
@ -9700,7 +9706,13 @@ static struct nft_trans_gc *nft_trans_gc_catchall(struct nft_trans_gc *gc,
|
||||
if (!gc)
|
||||
return NULL;
|
||||
|
||||
nft_trans_gc_elem_add(gc, catchall->elem);
|
||||
elem_priv = catchall->elem;
|
||||
if (sync) {
|
||||
nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
|
||||
nft_setelem_catchall_destroy(catchall);
|
||||
}
|
||||
|
||||
nft_trans_gc_elem_add(gc, elem_priv);
|
||||
}
|
||||
|
||||
return gc;
|
||||
@ -11386,4 +11398,5 @@ module_exit(nf_tables_module_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
|
||||
MODULE_DESCRIPTION("Framework for packet filtering and classification");
|
||||
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
|
||||
|
@ -447,4 +447,5 @@ module_init(nfnl_osf_init);
|
||||
module_exit(nfnl_osf_fini);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("Passive OS fingerprint matching");
|
||||
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF);
|
||||
|
@ -137,6 +137,7 @@ module_init(nft_chain_nat_init);
|
||||
module_exit(nft_chain_nat_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("nftables network address translation support");
|
||||
#ifdef CONFIG_NF_TABLES_IPV4
|
||||
MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
|
||||
#endif
|
||||
|
@ -204,4 +204,5 @@ bool nft_fib_reduce(struct nft_regs_track *track,
|
||||
EXPORT_SYMBOL_GPL(nft_fib_reduce);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_DESCRIPTION("Query routing table from nftables");
|
||||
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
|
||||
|
@ -270,4 +270,5 @@ module_exit(nft_fwd_netdev_module_exit);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
|
||||
MODULE_DESCRIPTION("nftables netdev packet forwarding support");
|
||||
MODULE_ALIAS_NFT_AF_EXPR(5, "fwd");
|
||||
|
@ -561,7 +561,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
|
||||
{
|
||||
struct recent_table *t = pde_data(file_inode(file));
|
||||
struct recent_entry *e;
|
||||
char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:5afe:c0de")];
|
||||
char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:255.255.255.255")];
|
||||
const char *c = buf;
|
||||
union nf_inet_addr addr = {};
|
||||
u_int16_t family;
|
||||
|
Loading…
Reference in New Issue
Block a user