WSL2-Linux-Kernel/net/ipv4/netfilter
David S. Miller 11afbff861 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for your net-next
tree, mostly from Florian Westphal to sort out the lack of sufficient
validation in x_tables and connlabel preparation patches to add
nf_tables support. They are:

1) Ensure we don't go over the ruleset blob boundaries in
   mark_source_chains().

2) Validate that target jumps land on an existing xt_entry. This extra
   sanitization comes with a performance penalty when loading the ruleset.

3) Introduce xt_check_entry_offsets() and use it from {arp,ip,ip6}tables.

4) Get rid of the smallish check_entry() functions in {arp,ip,ip6}tables.

5) Make sure the minimal possible target size in x_tables.

6) Similar to #3, add xt_compat_check_entry_offsets() for compat code.

7) Check that standard target size is valid.

8) More sanitization to ensure that the target_offset field is correct.

9) Add xt_check_entry_match() to validate that matches are well-formed.

10-12) Three patch to reduce the number of parameters in
    translate_compat_table() for {arp,ip,ip6}tables by using a container
    structure.

13) No need to return value from xt_compat_match_from_user(), so make
    it void.

14) Consolidate translate_table() so it can be used by compat code too.

15) Remove obsolete check for compat code, so we keep consistent with
    what was already removed in the native layout code (back in 2007).

16) Get rid of target jump validation from mark_source_chains(),
    obsoleted by #2.

17) Introduce xt_copy_counters_from_user() to consolidate counter
    copying, and use it from {arp,ip,ip6}tables.

18,22) Get rid of unnecessary explicit inlining in ctnetlink for dump
    functions.

19) Move nf_connlabel_match() to xt_connlabel.

20) Skip event notification if connlabel did not change.

21) Update of nf_connlabels_get() to make the upcoming nft connlabel
    support easier.

23) Remove spinlock to read protocol state field in conntrack.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-24 00:12:08 -04:00
..
Kconfig netfilter: nf_dup: add missing dependencies with NF_CONNTRACK 2015-12-10 18:17:06 +01:00
Makefile netfilter: nf_tables: add nft_dup expression 2015-08-07 11:49:49 +02:00
arp_tables.c netfilter: x_tables: introduce and use xt_copy_counters_from_user 2016-04-14 00:30:41 +02:00
arpt_mangle.c
arptable_filter.c netfilter: arp_tables: register table in initns 2016-04-07 11:58:49 +02:00
ip_tables.c netfilter: x_tables: introduce and use xt_copy_counters_from_user 2016-04-14 00:30:41 +02:00
ipt_CLUSTERIP.c netfilter: ipv4: whitespace around operators 2015-10-16 19:19:23 +02:00
ipt_ECN.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
ipt_MASQUERADE.c netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables 2014-09-09 16:31:29 +02:00
ipt_REJECT.c ipv4: Push struct net down into nf_send_reset 2015-09-29 20:21:31 +02:00
ipt_SYNPROXY.c netfilter: ipv4: fix NULL dereference 2016-03-28 17:59:29 +02:00
ipt_ah.c netfilter: ipv4: whitespace around operators 2015-10-16 19:19:23 +02:00
ipt_rpfilter.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-10-24 06:54:12 -07:00
iptable_filter.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_mangle.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_nat.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_raw.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
iptable_security.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
nf_conntrack_l3proto_ipv4.c net ipv4: use preferred log methods 2015-11-18 13:37:20 -05:00
nf_conntrack_l3proto_ipv4_compat.c netfilter: Remove uses of seq_<foo> return values 2015-03-18 10:51:35 +01:00
nf_conntrack_proto_icmp.c netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple 2015-09-18 22:00:04 +02:00
nf_defrag_ipv4.c netfilter: nf_defrag_ipv4: Drop redundant ip_send_check() 2016-03-02 20:05:22 +01:00
nf_dup_ipv4.c ipv4, ipv6: Pass net into ip_local_out and ip6_local_out 2015-10-08 04:27:02 -07:00
nf_log_arp.c netfilter: Use LOGLEVEL_<FOO> defines 2015-03-25 12:09:39 +01:00
nf_log_ipv4.c netfilter: Use LOGLEVEL_<FOO> defines 2015-03-25 12:09:39 +01:00
nf_nat_h323.c netfilter: nf_nat_h323: fix crash in nf_ct_unlink_expect_report() 2014-02-05 17:46:05 +01:00
nf_nat_l3proto_ipv4.c netfilter: Allow calling into nat helper without skb_dst. 2016-03-14 23:47:27 +01:00
nf_nat_masquerade_ipv4.c ipv4: Don't do expensive useless work during inetdev destroy. 2016-03-13 23:28:35 -04:00
nf_nat_pptp.c netfilter: Fix removal of GRE expectation entries created by PPTP 2015-11-09 13:32:14 +01:00
nf_nat_proto_gre.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_icmp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_snmp_basic.c net ipv4: use preferred log methods 2015-11-18 13:37:20 -05:00
nf_reject_ipv4.c netfilter: remove duplicate include 2015-11-23 17:54:43 +01:00
nf_tables_arp.c netfilter: nf_tables: release objects on netns destruction 2015-12-28 18:34:35 +01:00
nf_tables_ipv4.c netfilter: nf_tables: release objects on netns destruction 2015-12-28 18:34:35 +01:00
nft_chain_nat_ipv4.c netfilter: Pass priv instead of nf_hook_ops to netfilter hooks 2015-09-18 22:00:16 +02:00
nft_chain_route_ipv4.c ipv4: Pass struct net into ip_route_me_harder 2015-09-29 20:21:32 +02:00
nft_dup_ipv4.c netfilter: Pass net to nf_dup_ipv4 and nf_dup_ipv6 2015-09-18 21:59:11 +02:00
nft_masq_ipv4.c netfilter: nft_masq: support port range 2016-03-02 20:05:27 +01:00
nft_redir_ipv4.c netfilter: nf_tables: kill nft_pktinfo.ops 2015-09-18 21:58:01 +02:00
nft_reject_ipv4.c ipv4: Push struct net down into nf_send_reset 2015-09-29 20:21:31 +02:00