mirror of https://github.com/torvalds/linux.git
aef3a58b06
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmb1P8AACgkQ1V2XiooU IOT2KQ/9Gpf66VH41Byae9qzpgS+iRWUkN3Apn/5m7io/v0AuEmDfDRCPcOH/k8N 61m5RGBzuZETR3YhmlzzvMv5WXmHJmUCGjWm5M2b6Byji13GsdgTqJ3VXwgQXINI tuE2bRTRzm5oBOsJvTENb5X7A3Bmjnk93N4jJSQgQNzO+fTNgiUQxszrUc2llQLS D85VC94AtNu3fKbv+sv76yWGdR+srq2ePeN+6lDT/Hx6sqnU+uWziYaSXLTmWd9S va+yOgi2t0gJkCZqfR/Aw8fQJSpCLWFIy4LBJa1fFX6ni462w2c7VOMPHnJ3PlOy QG+UAH2brpRyIVn3IBzEeBDb1ZhrsHKsEaUz84LHs22XbZCCZ4xAfe0DsFmxC0o3 TW9f0RA9geRlnZOxHJRHc8I6Edi4B3oBcvbEe6PaoHeQJCUqfVJp8dgkLT0IvySJ TWYQEx8A/fSBKmr8QQ9L/wEomTTnvLuW5GW4dyOsfoyS7DKd9wgIycujakqmowIA ZnaXmosCtopNGrf5lxKsWYDac4VKLJufzjCj/4b7Q1BBaJXmSj0xVD0/0fSJeijk t9nfvvOwBKBYOoZOwYK2KD+YmMwxSuHz48yE0WZANoRnTP/gwFhY9bDmonqOi7+e L5Vbtv6QZtnChnHCSkRzXEkmKUIlzMoi607suV1jYmmDiEQoa+A= =a9OT -----END PGP SIGNATURE----- Merge tag 'nf-24-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net v2: with kdoc fixes per Paolo Abeni. The following patchset contains Netfilter fixes for net: Patch #1 and #2 handle an esoteric scenario: Given two tasks sending UDP packets to one another, two packets of the same flow in each direction handled by different CPUs that result in two conntrack objects in NEW state, where reply packet loses race. Then, patch #3 adds a testcase for this scenario. Series from Florian Westphal. 1) NAT engine can falsely detect a port collision if it happens to pick up a reply packet as NEW rather than ESTABLISHED. Add extra code to detect this and suppress port reallocation in this case. 2) To complete the clash resolution in the reply direction, extend conntrack logic to detect clashing conntrack in the reply direction to existing entry. 3) Adds a test case. Then, an assorted list of fixes follow: 4) Add a selftest for tproxy, from Antonio Ojea. 5) Guard ctnetlink_*_size() functions under #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS) From Andy Shevchenko. 6) Use -m socket --transparent in iptables tproxy documentation. From XIE Zhibang. 7) Call kfree_rcu() when releasing flowtable hooks to address race with netlink dump path, from Phil Sutter. 8) Fix compilation warning in nf_reject with CONFIG_BRIDGE_NETFILTER=n. From Simon Horman. 9) Guard ctnetlink_label_size() under CONFIG_NF_CONNTRACK_EVENTS which is its only user, to address a compilation warning. From Simon Horman. 10) Use rcu-protected list iteration over basechain hooks from netlink dump path. 11) Fix memcg for nf_tables, use GFP_KERNEL_ACCOUNT is not complete. 12) Remove old nfqueue conntrack clash resolution. Instead trying to use same destination address consistently which requires double DNAT, use the existing clash resolution which allows clashing packets go through with different destination. Antonio Ojea originally reported an issue from the postrouting chain, I proposed a fix: https://lore.kernel.org/netfilter-devel/ZuwSwAqKgCB2a51-@calendula/T/ which he reported it did not work for him. 13) Adds a selftest for patch 12. 14) Fixes ipvs.sh selftest. netfilter pull request 24-09-26 * tag 'nf-24-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: selftests: netfilter: Avoid hanging ipvs.sh kselftest: add test for nfqueue induced conntrack race netfilter: nfnetlink_queue: remove old clash resolution logic netfilter: nf_tables: missing objects with no memcg accounting netfilter: nf_tables: use rcu chain hook list iterator from netlink dump path netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS netfilter: nf_reject: Fix build warning when CONFIG_BRIDGE_NETFILTER=n netfilter: nf_tables: Keep deleted flowtable hooks until after RCU docs: tproxy: ignore non-transparent sockets in iptables netfilter: ctnetlink: Guard possible unused functions selftests: netfilter: nft_tproxy.sh: add tcp tests selftests: netfilter: add reverse-clash resolution test case netfilter: conntrack: add clash resolution for reverse collisions netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash ==================== Link: https://patch.msgid.link/20240926110717.102194-1-pablo@netfilter.org Signed-off-by: Paolo Abeni <pabeni@redhat.com> |
||
|---|---|---|
| .. | ||
| af_unix | ||
| forwarding | ||
| hsr | ||
| lib | ||
| mptcp | ||
| netfilter | ||
| openvswitch | ||
| packetdrill | ||
| rds | ||
| tcp_ao | ||
| .gitignore | ||
| Makefile | ||
| altnames.sh | ||
| amt.sh | ||
| arp_ndisc_evict_nocarrier.sh | ||
| arp_ndisc_untracked_subnets.sh | ||
| bareudp.sh | ||
| big_tcp.sh | ||
| bind_bhash.c | ||
| bind_bhash.sh | ||
| bind_timewait.c | ||
| bind_wildcard.c | ||
| bpf.mk | ||
| bpf_offload.py | ||
| cmsg_ipv6.sh | ||
| cmsg_sender.c | ||
| cmsg_so_mark.sh | ||
| cmsg_time.sh | ||
| config | ||
| drop_monitor_tests.sh | ||
| epoll_busy_poll.c | ||
| fcnal-test.sh | ||
| fdb_flush.sh | ||
| fib-onlink-tests.sh | ||
| fib_nexthop_multiprefix.sh | ||
| fib_nexthop_nongw.sh | ||
| fib_nexthops.sh | ||
| fib_rule_tests.sh | ||
| fib_tests.sh | ||
| fin_ack_lat.c | ||
| fin_ack_lat.sh | ||
| fq_band_pktlimit.sh | ||
| gre_gso.sh | ||
| gro.c | ||
| gro.sh | ||
| hwtstamp_config.c | ||
| icmp.sh | ||
| icmp_redirect.sh | ||
| in_netns.sh | ||
| io_uring_zerocopy_tx.c | ||
| io_uring_zerocopy_tx.sh | ||
| ioam6.sh | ||
| ioam6_parser.c | ||
| ip6_gre_headroom.sh | ||
| ip_defrag.c | ||
| ip_defrag.sh | ||
| ip_local_port_range.c | ||
| ip_local_port_range.sh | ||
| ipsec.c | ||
| ipv6_flowlabel.c | ||
| ipv6_flowlabel.sh | ||
| ipv6_flowlabel_mgr.c | ||
| l2_tos_ttl_inherit.sh | ||
| l2tp.sh | ||
| lib.sh | ||
| msg_zerocopy.c | ||
| msg_zerocopy.sh | ||
| nat6to4.bpf.c | ||
| ncdevmem.c | ||
| ndisc_unsolicited_na_test.sh | ||
| net_helper.sh | ||
| netdevice.sh | ||
| netns-name.sh | ||
| netns-sysctl.sh | ||
| nettest.c | ||
| nl_netdev.py | ||
| pmtu.sh | ||
| psock_fanout.c | ||
| psock_lib.h | ||
| psock_snd.c | ||
| psock_snd.sh | ||
| psock_tpacket.c | ||
| reuseaddr_conflict.c | ||
| reuseaddr_ports_exhausted.c | ||
| reuseaddr_ports_exhausted.sh | ||
| reuseport_addr_any.c | ||
| reuseport_addr_any.sh | ||
| reuseport_bpf.c | ||
| reuseport_bpf_cpu.c | ||
| reuseport_bpf_numa.c | ||
| reuseport_dualstack.c | ||
| route_localnet.sh | ||
| rps_default_mask.sh | ||
| rtnetlink.sh | ||
| run_afpackettests | ||
| run_netsocktests | ||
| rxtimestamp.c | ||
| rxtimestamp.sh | ||
| sample_map_ret0.bpf.c | ||
| sample_ret0.bpf.c | ||
| sctp_hello.c | ||
| sctp_vrf.sh | ||
| settings | ||
| setup_loopback.sh | ||
| setup_veth.sh | ||
| sk_bind_sendto_listen.c | ||
| sk_connect_zero_addr.c | ||
| sk_so_peek_off.c | ||
| so_incoming_cpu.c | ||
| so_netns_cookie.c | ||
| so_txtime.c | ||
| so_txtime.sh | ||
| socket.c | ||
| srv6_end_dt4_l3vpn_test.sh | ||
| srv6_end_dt6_l3vpn_test.sh | ||
| srv6_end_dt46_l3vpn_test.sh | ||
| srv6_end_dx4_netfilter_test.sh | ||
| srv6_end_dx6_netfilter_test.sh | ||
| srv6_end_flavors_test.sh | ||
| srv6_end_next_csid_l3vpn_test.sh | ||
| srv6_end_x_next_csid_l3vpn_test.sh | ||
| srv6_hencap_red_l3vpn_test.sh | ||
| srv6_hl2encap_red_l2vpn_test.sh | ||
| stress_reuseport_listen.c | ||
| stress_reuseport_listen.sh | ||
| tap.c | ||
| tcp_fastopen_backup_key.c | ||
| tcp_fastopen_backup_key.sh | ||
| tcp_inq.c | ||
| tcp_mmap.c | ||
| test_blackhole_dev.sh | ||
| test_bpf.sh | ||
| test_bridge_backup_port.sh | ||
| test_bridge_neigh_suppress.sh | ||
| test_ingress_egress_chaining.sh | ||
| test_vxlan_fdb_changelink.sh | ||
| test_vxlan_mdb.sh | ||
| test_vxlan_nolocalbypass.sh | ||
| test_vxlan_under_vrf.sh | ||
| test_vxlan_vnifiltering.sh | ||
| timestamping.c | ||
| tls.c | ||
| toeplitz.c | ||
| toeplitz.sh | ||
| toeplitz_client.sh | ||
| traceroute.sh | ||
| tun.c | ||
| txring_overwrite.c | ||
| txtimestamp.c | ||
| txtimestamp.sh | ||
| udpgro.sh | ||
| udpgro_bench.sh | ||
| udpgro_frglist.sh | ||
| udpgro_fwd.sh | ||
| udpgso.c | ||
| udpgso.sh | ||
| udpgso_bench.sh | ||
| udpgso_bench_rx.c | ||
| udpgso_bench_tx.c | ||
| unicast_extensions.sh | ||
| veth.sh | ||
| vlan_hw_filter.sh | ||
| vrf-xfrm-tests.sh | ||
| vrf_route_leaking.sh | ||
| vrf_strict_mode_test.sh | ||
| xdp_dummy.bpf.c | ||
| xfrm_policy.sh | ||
| xfrm_policy_add_speed.sh | ||
| ynl.mk | ||