Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

1) Fix regression in ipset hash:ip with IPv4 range, from Vishwanath Pai.
This is fixing up a bug introduced in the 6.0 release.

2) The "netfilter: ipset: enforce documented limit to prevent allocating
huge memory" patch contained a wrong condition which makes it impossible to
add up to 64 clashing elements to a hash:net,iface type of set, while that
is the documented feature of the set type. The patch fixes the condition
and thus makes it possible to add the elements while still preventing the
allocation of huge memory, from Jozsef Kadlecsik. This has been broken
for several releases.

3) Missing locking when updating the flow block list, which might lead
a reader to crash. This has been broken since the introduction of the
flowtable hardware offload support.

* git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
netfilter: flowtable_offload: add missing locking
netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface
netfilter: ipset: regression in ip_set_hash_ip.c
====================

Link: https://lore.kernel.org/r/20221122212814.63177-1-pablo@netfilter.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+8 -6
+1 -1
net/netfilter/ipset/ip_set_hash_gen.h
··· 916 916 #ifdef IP_SET_HASH_WITH_MULTI 917 917 if (h->bucketsize >= AHASH_MAX_TUNED) 918 918 goto set_full; 919 - else if (h->bucketsize < multi) 919 + else if (h->bucketsize <= multi) 920 920 h->bucketsize += AHASH_INIT_SIZE; 921 921 #endif 922 922 if (n->size >= AHASH_MAX(h)) {
+3 -5
net/netfilter/ipset/ip_set_hash_ip.c
··· 151 151 if (((u64)ip_to - ip + 1) >> (32 - h->netmask) > IPSET_MAX_RANGE) 152 152 return -ERANGE; 153 153 154 - if (retried) { 154 + if (retried) 155 155 ip = ntohl(h->next.ip); 156 - e.ip = htonl(ip); 157 - } 158 156 for (; ip <= ip_to;) { 157 + e.ip = htonl(ip); 159 158 ret = adtfn(set, &e, &ext, &ext, flags); 160 159 if (ret && !ip_set_eexist(ret, flags)) 161 160 return ret; 162 161 163 162 ip += hosts; 164 - e.ip = htonl(ip); 165 - if (e.ip == 0) 163 + if (ip == 0) 166 164 return 0; 167 165 168 166 ret = 0;
+4
net/netfilter/nf_flow_table_offload.c
··· 1098 1098 struct flow_block_cb *block_cb, *next; 1099 1099 int err = 0; 1100 1100 1101 + down_write(&flowtable->flow_block_lock); 1101 1102 switch (cmd) { 1102 1103 case FLOW_BLOCK_BIND: 1103 1104 list_splice(&bo->cb_list, &flowtable->flow_block.cb_list); ··· 1113 1112 WARN_ON_ONCE(1); 1114 1113 err = -EOPNOTSUPP; 1115 1114 } 1115 + up_write(&flowtable->flow_block_lock); 1116 1116 1117 1117 return err; 1118 1118 } ··· 1170 1168 1171 1169 nf_flow_table_block_offload_init(bo, dev_net(dev), cmd, flowtable, 1172 1170 extack); 1171 + down_write(&flowtable->flow_block_lock); 1173 1172 err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_FT, bo); 1173 + up_write(&flowtable->flow_block_lock); 1174 1174 if (err < 0) 1175 1175 return err; 1176 1176
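Review bot: in the `net/netfilter/ipset/ip_set_hash_gen.h` hunk, changing `h->bucketsize < multi` to `<=` means the boundary case `bucketsize == multi` now grows the bucket by `AHASH_INIT_SIZE` instead of falling straight through to the `n->size >= AHASH_MAX(h)` check; since the commit message says this is what restores the documented 64 clashing elements for hash:net,iface, a regression test in the ipset testsuite that adds 64 clashing elements to a hash:net,iface set would pin the boundary down, and a one-line comment above the condition explaining why `<=` is required would keep a later cleanup from reverting it to `<`.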
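Review bot: in the `net/netfilter/ipset/ip_set_hash_ip.c` hunk, moving `e.ip = htonl(ip);` to the top of the loop body is the substantive fix: previously `e.ip` was refreshed only on the retried path and after the increment, so `adtfn` relied on `e.ip` having been set elsewhere before the first iteration, whereas now each iteration derives the element from `ip` itself. The wrap guard `if (ip == 0) return 0;` after `ip += hosts;` checks the host-order counter directly, which is equivalent to the old `e.ip == 0` test; a short comment noting that it catches the u32 `ip` wrapping past `ip_to == 0xffffffff` (the `(u64)ip_to - ip + 1` cast above implies `ip` is 32-bit) would make the early return less surprising, since `for (; ip <= ip_to;)` alone cannot terminate in that case.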
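Review bot: in the first `net/netfilter/nf_flow_table_offload.c` hunk, `down_write(&flowtable->flow_block_lock);` is taken before `switch (cmd)` and `up_write()` is placed after it, but lines 1104 to 1112 of the switch are elided in this view; please confirm that none of the cases in that range `return` or `goto` out of the function, since any such path would now leave the rwsem write-held and deadlock the next caller. The visible `default:` path sets `err = -EOPNOTSUPP;` and falls through to the `up_write()`, which is correct.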
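Review bot: in the last `net/netfilter/nf_flow_table_offload.c` hunk, `dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_FT, bo)` is now called with `flow_block_lock` write-held. Sleeping inside the callback is fine because `down_write()` is an rwsem primitive, but the driver's `TC_SETUP_FT` handler, and anything it calls, must not try to acquire `flow_block_lock` itself (for example by re-entering the block setup path changed in the first hunk), or this deadlocks; a comment at the call site stating that the lock is held across the driver callback would document that expectation for driver authors.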