Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net 1) Fix regression in ipset hash:ip with IPv4 range, from Vishwanath Pai. This is fixing up a bug introduced in the 6.0 release. 2) The "netfilter: ipset: enforce documented limit to prevent allocating huge memory" patch contained a wrong condition which makes impossible to add up to 64 clashing elements to a hash:net,iface type of set while it is the documented feature of the set type. The patch fixes the condition and thus makes possible to add the elements while keeps preventing allocating huge memory, from Jozsef Kadlecsik. This has been broken for several releases. 3) Missing locking when updating the flow block list which might lead a reader to crash. This has been broken since the introduction of the flowtable hardware offload support. * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: flowtable_offload: add missing locking netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface netfilter: ipset: regression in ip_set_hash_ip.c ==================== Link: https://lore.kernel.org/r/20221122212814.63177-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
commit
0830b1effd
@ -916,7 +916,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
|
||||
#ifdef IP_SET_HASH_WITH_MULTI
|
||||
if (h->bucketsize >= AHASH_MAX_TUNED)
|
||||
goto set_full;
|
||||
else if (h->bucketsize < multi)
|
||||
else if (h->bucketsize <= multi)
|
||||
h->bucketsize += AHASH_INIT_SIZE;
|
||||
#endif
|
||||
if (n->size >= AHASH_MAX(h)) {
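Review bot: The boundary in `else if (h->bucketsize <= multi)` has no comment, although this one-character condition decides whether a hash:net,iface set can reach its documented 64 clashing elements, and the merge text says the earlier form broke that for several releases. The page has lost its +/- markers, so I am reading the `<=` line as the new side. I would add a comment on that branch, e.g. `/* grow the bucket while bucketsize <= multi; the AHASH_MAX_TUNED check above is what bounds memory */`, and confirm the wording against where `multi` is computed, which is outside this hunk. A test that adds clashing elements up to the limit and then one past it would keep both the feature and the allocation cap from regressing. mtype_add starts and ends outside the hunk.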
|
||||
|
@ -151,18 +151,16 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
|
||||
if (((u64)ip_to - ip + 1) >> (32 - h->netmask) > IPSET_MAX_RANGE)
|
||||
return -ERANGE;
|
||||
|
||||
if (retried) {
|
||||
if (retried)
|
||||
ip = ntohl(h->next.ip);
|
||||
e.ip = htonl(ip);
|
||||
}
|
||||
for (; ip <= ip_to;) {
|
||||
e.ip = htonl(ip);
|
||||
ret = adtfn(set, &e, &ext, &ext, flags);
|
||||
if (ret && !ip_set_eexist(ret, flags))
|
||||
return ret;
|
||||
|
||||
ip += hosts;
|
||||
e.ip = htonl(ip);
|
||||
if (e.ip == 0)
|
||||
if (ip == 0)
|
||||
return 0;
|
||||
|
||||
ret = 0;
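Review bot: The loop's only overflow guard is `if (ip == 0) return 0;` after `ip += hosts;`, and it catches a wrap past the top of the IPv4 space only when the sum lands exactly on zero. That holds if `ip` is a 32-bit unsigned value that is always a multiple of `hosts`, which depends on declarations and masking before this hunk and on `h->next.ip` in the `retried` path being aligned the same way; none of that is visible here. I would state the invariant at the check, e.g. `/* ip is a multiple of hosts, so an unsigned wrap lands exactly on 0 */`, so that a later change to the start value cannot turn a range ending at 255.255.255.255 into a loop that never terminates. The page dropped the +/- markers, so I am reading `if (ip == 0)` and the `e.ip = htonl(ip);` at the top of the loop body as the new side. hash_ip4_uadt starts and ends outside the hunk.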
|
||||
|
@ -1098,6 +1098,7 @@ static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
|
||||
struct flow_block_cb *block_cb, *next;
|
||||
int err = 0;
|
||||
|
||||
down_write(&flowtable->flow_block_lock);
|
||||
switch (cmd) {
|
||||
case FLOW_BLOCK_BIND:
|
||||
list_splice(&bo->cb_list, &flowtable->flow_block.cb_list);
|
||||
@ -1112,6 +1113,7 @@ static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
|
||||
WARN_ON_ONCE(1);
|
||||
err = -EOPNOTSUPP;
|
||||
}
|
||||
up_write(&flowtable->flow_block_lock);
|
||||
|
||||
return err;
|
||||
}
|
||||
@ -1168,7 +1170,9 @@ static int nf_flow_table_offload_cmd(struct flow_block_offload *bo,
|
||||
|
||||
nf_flow_table_block_offload_init(bo, dev_net(dev), cmd, flowtable,
|
||||
extack);
|
||||
down_write(&flowtable->flow_block_lock);
|
||||
err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_FT, bo);
|
||||
up_write(&flowtable->flow_block_lock);
|
||||
if (err < 0)
|
||||
return err;
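Review bot: The driver callback `dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_FT, bo)` now runs with `flowtable->flow_block_lock` held for writing, and nf_flow_table_block_setup takes the same lock, so any driver path that re-enters block setup from inside the callback would deadlock on itself. No such path is visible in these hunks, but nothing documents the rule either; I would add at the call `/* flow_block_lock is held for writing here; TC_SETUP_FT handlers must not take it again */`. In nf_flow_table_block_setup the lines between `case FLOW_BLOCK_BIND:` and `WARN_ON_ONCE(1);` are not shown, so it is worth confirming that no case returns before reaching `up_write()`. Both functions start or end outside the hunks.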
|
||||
|
||||
|