Hi,
The following patchset contains Netfilter fixes for net:
Patch #1 reject destroy chain command to delete device hooks in netdev
family, hence, only delchain commands are allowed.
Patch #2 reject table flag update interference with netdev basechain
hook updates, this can leave hooks in inconsistent
registration/unregistration state.
Patch #3 do not unregister netdev basechain hooks if table is dormant.
Otherwise, splat with double unregistration is possible.
Patch #4 fixes Kconfig to allow to restore IP_NF_ARPTABLES,
from Kuniyuki Iwashima.
There are a more fixes still in progress on my side that need more work.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-03-28
Thanks.
----------------------------------------------------------------
The following changes since commit d24b03535e5eb82e025219c2f632b485409c898f:
nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet (2024-03-22 09:41:39 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-03-28
for you to fetch changes up to 15fba562f7a9f04322b8bfc8f392e04bb93d81be:
netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c (2024-03-28 03:54:02 +0100)
----------------------------------------------------------------
netfilter pull request 24-03-28
----------------------------------------------------------------
Kuniyuki Iwashima (1):
netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c
Pablo Neira Ayuso (3):
netfilter: nf_tables: reject destroy command to remove basechain hooks
netfilter: nf_tables: reject table flag and netdev basechain updates
netfilter: nf_tables: skip netdev hook unregistration if table is dormant
net/ipv4/netfilter/Kconfig | 1 +
net/netfilter/nf_tables_api.c | 50 ++++++++++++++++++++++++++++++++++++-------
2 files changed, 43 insertions(+), 8 deletions(-)
Hi, The following patchset contains Netfilter fixes for net: Patch #1 reject destroy chain command to delete device hooks in netdev family, hence, only delchain commands are allowed. Patch #2 reject table flag update interference with netdev basechain hook updates, this can leave hooks in inconsistent registration/unregistration state. Patch #3 do not unregister netdev basechain hooks if table is dormant. Otherwise, splat with double unregistration is possible. Patch #4 fixes Kconfig to allow to restore IP_NF_ARPTABLES, from Kuniyuki Iwashima. There are a more fixes still in progress on my side that need more work. Please, pull these changes from: git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-03-28 Thanks. ---------------------------------------------------------------- The following changes since commit d24b03535e5eb82e025219c2f632b485409c898f: nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet (2024-03-22 09:41:39 +0000) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-03-28 for you to fetch changes up to 15fba562f7a9f04322b8bfc8f392e04bb93d81be: netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c (2024-03-28 03:54:02 +0100) ---------------------------------------------------------------- netfilter pull request 24-03-28 ---------------------------------------------------------------- Kuniyuki Iwashima (1): netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c Pablo Neira Ayuso (3): netfilter: nf_tables: reject destroy command to remove basechain hooks netfilter: nf_tables: reject table flag and netdev basechain updates netfilter: nf_tables: skip netdev hook unregistration if table is dormant net/ipv4/netfilter/Kconfig | 1 + net/netfilter/nf_tables_api.c | 50 ++++++++++++++++++++++++++++++++++++------- 2 files changed, 43 insertions(+), 8 deletions(-)