git.baikalelectronics.ru Git - kernel.git/commit

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

1) Protect nft_ct template with global mutex, from Pavel Skripkin.

2) Two recent commits switched inet rt and nexthop exception hashes
   from jhash to siphash. If those two spots are problematic then
   conntrack is affected as well, so switch voer to siphash too.
   While at it, add a hard upper limit on chain lengths and reject
   insertion if this is hit. Patches from Florian Westphal.

3) Fix use-after-scope in nf_socket_ipv6 reported by KASAN,
   from Benjamin Hesmans.

* git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf:
  netfilter: socket: icmp6: fix use-after-scope
  netfilter: refuse insertion if chain has grown too large
  netfilter: conntrack: switch to siphash
  netfilter: conntrack: sanitize table size default settings
  netfilter: nft_ct: protect nft_ct_pcpu_template_refcnt with mutex
====================

Link: https://lore.kernel.org/r/20210903163020.13741-1-pablo@netfilter.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

author	Jakub Kicinski <kuba@kernel.org>
	Fri, 3 Sep 2021 23:20:36 +0000 (16:20 -0700)
committer	Jakub Kicinski <kuba@kernel.org>
	Fri, 3 Sep 2021 23:20:37 +0000 (16:20 -0700)
commit	94a742a54c32b4874ad0afc48e3043e87e3f99c4
tree	23580061a801c3751e976f4ce80078478565ab76	tree \| snapshot
parent	ea9cd463274999e96bf50065202e4990863de455	commit \| diff
parent	a466f4871764472ce832a341828c9a6b9047cf2a	commit \| diff

Documentation/networking/nf_conntrack-sysctl.rst	diff1 \|	diff2 \|	blob \| history
include/uapi/linux/netfilter/nfnetlink_conntrack.h	diff1 \|	diff2 \|	blob \| history
net/netfilter/nf_conntrack_netlink.c	diff1 \|	diff2 \|	blob \| history
net/netfilter/nf_conntrack_standalone.c	diff1 \|	diff2 \|	blob \| history