Ignat Korchagin 4225152bfb netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
[ Upstream commit 7e0f122c65 ]

Commit d0009effa8 ("netfilter: nf_tables: validate NFPROTO_* family") added
some validation of NFPROTO_* families in the nft_compat module, but it broke
the ability to use legacy iptables modules in dual-stack nftables.

While with legacy iptables one had to independently manage IPv4 and IPv6
tables, with nftables it is possible to have dual-stack tables sharing the
rules. Moreover, it was possible to use rules based on legacy iptables
match/target modules in dual-stack nftables.

As an example, the program from [2] creates an INET dual-stack family table
using an xt_bpf based rule, which looks like the following (the actual output
was generated with a patched nft tool as the current nft tool does not parse
dual stack tables with legacy match rules, so consider it for illustrative
purposes only):

table inet testfw {
  chain input {
    type filter hook prerouting priority filter; policy accept;
    bytecode counter packets 0 bytes 0 accept
  }
}

After d0009effa8 ("netfilter: nf_tables: validate NFPROTO_* family") we get
EOPNOTSUPP for the above program.

Fix this by allowing NFPROTO_INET for nft_(match/target)_validate(), but also
restrict the functions to classic iptables hooks.

Changes in v3:
  * clarify that upstream nft will not display such configuration properly and
    that the output was generated with a patched nft tool
  * remove example program from commit description and link to it instead
  * no code changes otherwise

Changes in v2:
  * restrict nft_(match/target)_validate() to classic iptables hooks
  * rewrite example program to use unmodified libnftnl

Fixes: d0009effa8 ("netfilter: nf_tables: validate NFPROTO_* family")
Link: https://lore.kernel.org/all/Zc1PfoWN38UuFJRI@calendula/T/#mc947262582c90fec044c7a3398cc92fac7afea72 [1]
Link: https://lore.kernel.org/all/20240220145509.53357-1-ignat@cloudflare.com/ [2]
Reported-by: Jordan Griege <jgriege@cloudflare.com>
Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-03-06 14:38:46 +00:00
arch s390: use the correct count for __iowrite64_copy() 2024-03-01 13:21:59 +01:00
block blk-iocost: Fix an UBSAN shift-out-of-bounds warning 2024-02-23 08:54:59 +01:00
certs
crypto crypto: api - Disallow identical driver names 2024-02-23 08:54:23 +01:00
Documentation platform/x86: asus-wmi: Document the dgpu_disable sysfs attribute 2024-03-01 13:21:52 +01:00
drivers stmmac: Clear variable when destroying workqueue 2024-03-06 14:38:46 +00:00
fs ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks() 2024-03-01 13:22:00 +01:00
include uapi: in6: replace temporary label with rfc9486 2024-03-06 14:38:45 +00:00
init rootfs: Fix support for rootfstype= when root= is given 2024-01-25 14:52:48 -08:00
io_uring io_uring/rw: ensure io->bytes_done is always initialized 2024-01-25 14:52:48 -08:00
ipc ipc/sem: Fix dangling sem_array access in semtimedop race 2022-12-08 11:28:45 +01:00
kernel bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel 2024-03-01 13:21:59 +01:00
lib debugobjects: Recheck debug_objects_enabled before reporting 2024-03-01 13:21:54 +01:00
LICENSES
mm userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb 2024-03-01 13:21:43 +01:00
net netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() 2024-03-06 14:38:46 +00:00
samples samples/hw_breakpoint: fix building without module unloading 2023-09-23 11:10:01 +02:00
scripts bpf, scripts: Correct GPL license name 2024-03-01 13:21:58 +01:00
security lsm: fix the logic in security_inode_getsecctx() 2024-02-23 08:55:05 +01:00
sound ALSA: usb-audio: Ignore clock selector errors for single connection 2024-03-01 13:21:45 +01:00
tools tools/virtio: fix build 2024-03-01 13:21:52 +01:00
usr
virt KVM: Grab a reference to KVM for VM and vCPU stats file descriptors 2023-08-03 10:22:40 +02:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS iio: stx104: Move to addac subdirectory 2023-08-26 14:23:27 +02:00
Makefile Linux 5.15.150 2024-03-01 13:22:01 +01:00
README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.