<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pm24.git/include/linux/netfilter, branch v6.6-rc2</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.
</subtitle>
<id>https://git.kobert.dev/pm24.git/atom?h=v6.6-rc2</id>
<link rel='self' href='https://git.kobert.dev/pm24.git/atom?h=v6.6-rc2'/>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/'/>
<updated>2023-08-08T11:02:01Z</updated>
<entry>
<title>netfilter: h323: Remove unused function declarations</title>
<updated>2023-08-08T11:02:01Z</updated>
<author>
<name>Yue Haibing</name>
<email>yuehaibing@huawei.com</email>
</author>
<published>2023-08-07T14:25:26Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=61e9ab294b39e5e7c040884b65d06f52e06ac40f'/>
<id>urn:sha1:61e9ab294b39e5e7c040884b65d06f52e06ac40f</id>
<content type='text'>
Commit f587de0e2feb ("[NETFILTER]: nf_conntrack/nf_nat: add H.323 helper port")
declared but never implemented these.

Signed-off-by: Yue Haibing &lt;yuehaibing@huawei.com&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
</entry>
<entry>
<title>netfilter: gre: Remove unused function declaration nf_ct_gre_keymap_flush()</title>
<updated>2023-08-08T11:01:59Z</updated>
<author>
<name>Yue Haibing</name>
<email>yuehaibing@huawei.com</email>
</author>
<published>2023-08-02T13:09:57Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=29cfda963f899da403d6bc5a3abe19d2e0be0cf4'/>
<id>urn:sha1:29cfda963f899da403d6bc5a3abe19d2e0be0cf4</id>
<content type='text'>
Commit a23f89a99906 ("netfilter: conntrack: nf_ct_gre_keymap_flush() removal")
leaves this unused, remove it.

Signed-off-by: Yue Haibing &lt;yuehaibing@huawei.com&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_tables: don't write table validation state without mutex</title>
<updated>2023-04-21T23:39:40Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2023-04-13T15:13:19Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=9a32e9850686599ed194ccdceb6cd3dd56b2d9b9'/>
<id>urn:sha1:9a32e9850686599ed194ccdceb6cd3dd56b2d9b9</id>
<content type='text'>
The -&gt;cleanup callback needs to be removed; this doesn't work anymore as
the transaction mutex is already released in the -&gt;abort function.

Just do it after a successful validation pass, this either happens
from commit or abort phases where transaction mutex is held.

Fixes: f102d66b335a ("netfilter: nf_tables: use dedicated mutex to guard transactions")
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: ipset: Rework long task execution when adding/deleting entries</title>
<updated>2023-01-02T14:10:05Z</updated>
<author>
<name>Jozsef Kadlecsik</name>
<email>kadlec@netfilter.org</email>
</author>
<published>2022-12-30T12:24:38Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=5e29dc36bd5e2166b834ceb19990d9e68a734d7d'/>
<id>urn:sha1:5e29dc36bd5e2166b834ceb19990d9e68a734d7d</id>
<content type='text'>
When adding/deleting a large number of elements in one step in ipset, it can
take a reasonable amount of time and can result in soft lockup errors. The
patch 5f7b51bf09ba ("netfilter: ipset: Limit the maximal range of
consecutive elements to add/delete") tried to fix it by limiting the max
elements to process at all. However it was not enough, it is still possible
that we get hung tasks. Lowering the limit is not reasonable, so the
approach in this patch is as follows: rely on the method used at resizing
sets and save the state when we reach a smaller internal batch limit,
unlock/lock and proceed from the saved state. Thus we can avoid long
continuous tasks and at the same time remove the limit to add/delete a large
number of elements in one step.

The nfnl mutex is held during the whole operation which prevents one from
issuing other ipset commands in parallel.

Fixes: 5f7b51bf09ba ("netfilter: ipset: Limit the maximal range of consecutive elements to add/delete")
Reported-by: syzbot+9204e7399656300bf271@syzkaller.appspotmail.com
Signed-off-by: Jozsef Kadlecsik &lt;kadlec@netfilter.org&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: ipset: Add support for new bitmask parameter</title>
<updated>2022-11-30T17:55:36Z</updated>
<author>
<name>Vishwanath Pai</name>
<email>vpai@akamai.com</email>
</author>
<published>2022-11-22T19:30:57Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=e9374524950512a1769f610a868fcdf89ea59b8e'/>
<id>urn:sha1:e9374524950512a1769f610a868fcdf89ea59b8e</id>
<content type='text'>
Add a new parameter to complement the existing 'netmask' option. The
main difference between netmask and bitmask is that bitmask takes any
arbitrary ip address as input, it does not have to be a valid netmask.

The name of the new parameter is 'bitmask'. This lets us mask out
arbitrary bits in the ip address, for example:
ipset create set1 hash:ip bitmask 255.128.255.0
ipset create set2 hash:ip,port family inet6 bitmask ffff::ff80

Signed-off-by: Vishwanath Pai &lt;vpai@akamai.com&gt;
Signed-off-by: Joshua Hunt &lt;johunt@akamai.com&gt;
Signed-off-by: Jozsef Kadlecsik &lt;kadlec@netfilter.org&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
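The commit above gives two 'bitmask' invocations but does not show what the option does to a stored element. The following is an added illustration in Python, not ipset's or the kernel's own code: it models how a hash:ip entry is keyed under 'netmask' (assumed here to take a CIDR prefix length, as the ipset man page describes) versus 'bitmask' (any address used as a raw bit pattern), checks whether a given mask is a contiguous netmask at all, and groups a handful of constructed sample addresses by the element they collapse to. Function names, the sample addresses and the prefix-length range check are assumptions made for this example.

```python
import ipaddress

# Added example, not ipset/kernel code. Models the element key an ipset
# hash:ip set derives from an address under 'netmask N' (contiguous mask
# built from a CIDR prefix) and under 'bitmask A' (arbitrary bit pattern).

def to_address(value, version):
    """Rebuild an address object of the right family from an integer."""
    if version == 4:
        return ipaddress.IPv4Address(value)
    return ipaddress.IPv6Address(value)

def prefix_to_mask(prefix, version):
    """Contiguous mask for a CIDR prefix length, as 'netmask N' would use.
    Assumption for this example: 1..bits-1, matching the documented range."""
    bits = 32 if version == 4 else 128
    if prefix == 0 or prefix >= bits:
        raise ValueError("prefix length %d out of range for IPv%d" % (prefix, version))
    host_bits = bits - prefix
    return (2 ** bits - 1) ^ (2 ** host_bits - 1)

def is_contiguous_netmask(mask_int, version):
    """True if the mask is a run of 1-bits followed only by 0-bits,
    i.e. something 'netmask' could express as a prefix length."""
    bits = 32 if version == 4 else 128
    inverted = (2 ** bits - 1) ^ mask_int
    # A contiguous mask inverts to 2**k - 1, so inverted + 1 is a power of two.
    return bin(inverted + 1).count("1") == 1

def parse_bitmask(text):
    """Parse a 'bitmask' argument: any v4/v6 address is accepted, contiguous or not.
    Returns (mask as int, address family)."""
    addr = ipaddress.ip_address(text)
    return int(addr), addr.version

def set_key(address, mask_int, version):
    """The element an address collapses to: address AND mask, same family as the set."""
    addr = ipaddress.ip_address(address)
    if addr.version != version:
        raise ValueError("address family of %s does not match set family inet%s"
                         % (address, "" if version == 4 else "6"))
    return str(to_address(int(addr) & mask_int, version))

def group_by_key(addresses, mask_int, version):
    """Map each distinct element key to the input addresses that produce it."""
    groups = {}
    for a in addresses:
        groups.setdefault(set_key(a, mask_int, version), []).append(a)
    return groups

if __name__ == "__main__":
    # Constructed sample input: the bitmask from the commit message and three
    # addresses chosen so that two of them differ only in a masked-out bit.
    mask4, fam4 = parse_bitmask("255.128.255.0")
    print("255.128.255.0 contiguous netmask:", is_contiguous_netmask(mask4, fam4))
    print(group_by_key(["10.0.1.5", "10.64.1.200", "10.128.1.200"], mask4, fam4))
    mask6, fam6 = parse_bitmask("ffff::ff80")
    print("ffff::ff80 contiguous netmask:", is_contiguous_netmask(mask6, fam6))
    print(set_key("2001:db8::1:2:3:ff85", mask6, fam6))
```

With the IPv4 bitmask from the commit, 10.0.1.5 and 10.64.1.200 land on the same element (bit 0x40 of the second octet is masked out) while 10.128.1.200 does not; neither 255.128.255.0 nor ffff::ff80 passes the contiguity check, which is exactly why they could not be expressed through the existing 'netmask' option.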
<entry>
<title>netfilter: h323: merge nat hook pointers into one</title>
<updated>2022-07-11T14:25:16Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2022-06-22T09:00:47Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=d3f2d0a292c24fc624afb2b4f47f838e83775721'/>
<id>urn:sha1:d3f2d0a292c24fc624afb2b4f47f838e83775721</id>
<content type='text'>
sparse complains about incorrect rcu usage.

Code uses the correct rcu access primitives, but the function pointers
lack rcu annotations.

Collapse all of them into a single structure, then annotate the pointer.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: add missing __rcu annotations</title>
<updated>2022-07-11T14:25:15Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2022-06-22T09:00:45Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=6976890e8998afd8abbbd9fe27ed71387b24f57f'/>
<id>urn:sha1:6976890e8998afd8abbbd9fe27ed71387b24f57f</id>
<content type='text'>
Access to the hook pointers use correct helpers but the pointers lack
the needed __rcu annotation.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: conntrack: pptp: use single option structure</title>
<updated>2022-02-04T05:30:28Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2022-01-20T15:09:13Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=20ff32024624102596f2b4083a17a97ca71d6cd8'/>
<id>urn:sha1:20ff32024624102596f2b4083a17a97ca71d6cd8</id>
<content type='text'>
Instead of exposing the four hooks individually use a single hook ops
structure.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: conntrack: avoid useless indirection during conntrack destruction</title>
<updated>2022-01-09T22:30:13Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2022-01-07T04:03:25Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=6ae7989c9af0d98ab64196f4f4c6f6499454bd23'/>
<id>urn:sha1:6ae7989c9af0d98ab64196f4f4c6f6499454bd23</id>
<content type='text'>
nf_ct_put() results in a useless indirection:

nf_ct_put -&gt; nf_conntrack_put -&gt; nf_conntrack_destroy -&gt; rcu readlock +
indirect call of ct_hooks-&gt;destroy().

There are two _put helpers:
nf_ct_put and nf_conntrack_put.  The latter is what should be used in
code that MUST NOT cause a linker dependency on the conntrack module
(e.g. calls from core network stack).

Everyone else should call nf_ct_put() instead.

A followup patch will convert a few nf_conntrack_put() calls to
nf_ct_put(), in particular from modules that already have a conntrack
dependency such as act_ct or even nf_conntrack itself.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: conntrack: convert to refcount_t api</title>
<updated>2022-01-09T22:30:13Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2022-01-07T04:03:22Z</published>
<link rel='alternate' type='text/html' href='https://git.kobert.dev/pm24.git/commit/?id=719774377622bc4025d2a74f551b5dc2158c6c30'/>
<id>urn:sha1:719774377622bc4025d2a74f551b5dc2158c6c30</id>
<content type='text'>
Convert nf_conn reference counting from atomic_t to refcount_t based api.
refcount_t api provides more runtime sanity checks and will warn on
certain constructs, e.g. refcount_inc() on a zero reference count, which
usually indicates use-after-free.

For this reason template allocation is changed to init the refcount to
1, the subsequent add operations are removed.

Likewise, init_conntrack() is changed to set the initial refcount to 1
instead of refcount_inc().

This is safe because the new entry is not (yet) visible to other cpus.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
