d162190bde
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next
The following patchset contains Netfilter/IPVS updates for your net-next
tree. This batch comes with more input sanitization for xtables to
address bug reports from fuzzers, preparation works to the flowtable
infrastructure and assorted updates. In no particular order, they are:
1) Make sure userspace provides a valid standard target verdict, from
Florian Westphal.
2) Sanitize error target size, also from Florian.
3) Validate that last rule in basechain matches underflow/policy since
userspace assumes this when decoding the ruleset blob that comes
from the kernel, from Florian.
4) Consolidate hook entry checks through xt_check_table_hooks(),
patch from Florian.
5) Cap ruleset allocations at 512 mbytes, 134217728 rules and reject
very large compat offset arrays, so we have a reasonable upper limit
and fuzzers don't exercise the oom-killer. Patches from Florian.
6) Several WARN_ON checks on xtables mutex helper, from Florian.
7) xt_rateest now has a hashtable per net, from Cong Wang.
8) Consolidate counter allocation in xt_counters_alloc(), from Florian.
9) Earlier xt_table_unlock() call in {ip,ip6,arp,eb}tables, patch
from Xin Long.
10) Set FLOW_OFFLOAD_DIR_* to IP_CT_DIR_* definitions, patch from
Felix Fietkau.
11) Consolidate code through flow_offload_fill_dir(), also from Felix.
12) Inline ip6_dst_mtu_forward() just like ip_dst_mtu_maybe_forward()
to remove a dependency with flowtable and ipv6.ko, from Felix.
13) Cache mtu size in flow_offload_tuple object, this is safe for
forwarding as
|
||
---|---|---|
.. | ||
ebt_802_3.c | ||
ebt_among.c | ||
ebt_arp.c | ||
ebt_arpreply.c | ||
ebt_dnat.c | ||
ebt_ip6.c | ||
ebt_ip.c | ||
ebt_limit.c | ||
ebt_log.c | ||
ebt_mark_m.c | ||
ebt_mark.c | ||
ebt_nflog.c | ||
ebt_pkttype.c | ||
ebt_redirect.c | ||
ebt_snat.c | ||
ebt_stp.c | ||
ebt_vlan.c | ||
ebtable_broute.c | ||
ebtable_filter.c | ||
ebtable_nat.c | ||
ebtables.c | ||
Kconfig | ||
Makefile | ||
nf_log_bridge.c | ||
nft_meta_bridge.c | ||
nft_reject_bridge.c |