[net,0/3] Netfilter fixes for net

Message ID 20241009213858.3565808-1-pablo@netfilter.org (mailing list archive)
State Accepted
Delegated to: Netdev Maintainers

Pull-request

git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-10-09

Message

Pablo Neira Ayuso Oct. 9, 2024, 9:38 p.m. UTC
Hi,

The following patchset contains Netfilter fixes for net:

1) Restrict xtables extensions to families that are safe; syzbot found
   a way to combine ebtables with extensions that are never used by
   userspace tools. From Florian Westphal.

2) Set l3mdev unconditionally whenever possible in nft_fib to fix lookup
   mismatch, also from Florian.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-10-09

Thanks.

----------------------------------------------------------------

The following changes since commit 983e35ce2e1ee4037f6f5d5398dfc107b22ad569:

  net: hns3/hns: Update the maintainer for the HNS3/HNS ethernet driver (2024-10-09 13:40:42 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-10-09

for you to fetch changes up to c6a0862bee696cfb236a4e160a7f376c0ecdcf0c:

  selftests: netfilter: conntrack_vrf.sh: add fib test case (2024-10-09 23:31:15 +0200)

----------------------------------------------------------------
netfilter pull request 24-10-09

----------------------------------------------------------------
Florian Westphal (3):
      netfilter: xtables: avoid NFPROTO_UNSPEC where needed
      netfilter: fib: check correct rtable in vrf setups
      selftests: netfilter: conntrack_vrf.sh: add fib test case

 net/ipv4/netfilter/nft_fib_ipv4.c                  |   4 +-
 net/ipv6/netfilter/nft_fib_ipv6.c                  |   5 +-
 net/netfilter/xt_CHECKSUM.c                        |  33 +++++--
 net/netfilter/xt_CLASSIFY.c                        |  16 +++-
 net/netfilter/xt_CONNSECMARK.c                     |  36 ++++---
 net/netfilter/xt_CT.c                              | 106 ++++++++++++++-------
 net/netfilter/xt_IDLETIMER.c                       |  59 ++++++++----
 net/netfilter/xt_LED.c                             |  39 +++++---
 net/netfilter/xt_NFLOG.c                           |  36 ++++---
 net/netfilter/xt_RATEEST.c                         |  39 +++++---
 net/netfilter/xt_SECMARK.c                         |  27 +++++-
 net/netfilter/xt_TRACE.c                           |  35 ++++---
 net/netfilter/xt_addrtype.c                        |  15 ++-
 net/netfilter/xt_cluster.c                         |  33 +++++--
 net/netfilter/xt_connbytes.c                       |   4 +-
 net/netfilter/xt_connlimit.c                       |  39 +++++---
 net/netfilter/xt_connmark.c                        |  28 +++++-
 net/netfilter/xt_mark.c                            |  42 ++++++--
 .../selftests/net/netfilter/conntrack_vrf.sh       |  33 +++++++
 19 files changed, 459 insertions(+), 170 deletions(-)