Florian Westphal b04df3da1b netfilter: nf_tables: do not defer rule destruction via call_rcu ...

nf_tables_chain_destroy can sleep, it can't be used from call_rcu
callbacks.

Moreover, nf_tables_rule_release() is only safe for error unwinding,
while transaction mutex is held and the to-be-desroyed rule was not
exposed to either dataplane or dumps, as it deactives+frees without
the required synchronize_rcu() in-between.

nft_rule_expr_deactivate() callbacks will change ->use counters
of other chains/sets, see e.g. nft_lookup .deactivate callback, these
must be serialized via transaction mutex.

Also add a few lockdep asserts to make this more explicit.

Calling synchronize_rcu() isn't ideal, but fixing this without is hard
and way more intrusive.  As-is, we can get:

WARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x..
Workqueue: events nf_tables_trans_destroy_work
RIP: 0010:nft_set_destroy+0x3fe/0x5c0
Call Trace:
 <TASK>
 nf_tables_trans_destroy_work+0x6b7/0xad0
 process_one_work+0x64a/0xce0
 worker_thread+0x613/0x10d0

In case the synchronize_rcu becomes an issue, we can explore alternatives.

One way would be to allocate nft_trans_rule objects + one nft_trans_chain
object, deactivate the rules + the chain and then defer the freeing to the
nft destroy workqueue.  We'd still need to keep the synchronize_rcu path as
a fallback to handle -ENOMEM corner cases though.

Reported-by: syzbot+b26935466701e56cfdc2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67478d92.050a0220.253251.0062.GAE@google.com/T/
Fixes: c03d278fdf ("netfilter: nf_tables: wait for rcu grace period on net_device removal")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2024-12-11 23:27:50 +01:00

..

ipset

netfilter: ipset: Hold module reference while requesting a module

2024-12-04 15:39:22 +01:00

ipvs

ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()

2024-11-28 13:14:23 +01:00

core.c

net/netfilter: make use of the helper macro LIST_HEAD()

2024-09-06 18:10:21 -07:00

Kconfig

netfilter: xtables: allow xtables-nft only builds

2024-01-29 15:43:21 +01:00

Makefile

netfilter: Add bpf_xdp_flow_lookup kfunc

2024-07-01 17:03:01 +02:00

nf_bpf_link.c

netfilter: bpf: Pass string literal as format argument of request_module()

2024-11-14 12:39:50 +01:00

nf_conncount.c

netfilter: move nf_ct_netns_get out of nf_conncount_init

2024-08-19 18:44:51 +02:00

nf_conntrack_acct.c

netfilter: conntrack: remove extension register api

2022-02-04 06:30:28 +01:00

nf_conntrack_amanda.c

netfilter: nf_conntrack_sip: fix expectation clash

2019-07-16 13:16:59 +02:00

nf_conntrack_bpf.c

net: netfilter: Make ct zone opts configurable for bpf ct helpers

2024-05-22 15:00:56 -07:00

nf_conntrack_broadcast.c

netfilter: add missing module descriptions

2023-11-08 13:52:32 +01:00

nf_conntrack_core.c

netfilter: nfnetlink_queue: remove old clash resolution logic

2024-09-26 13:03:03 +02:00

nf_conntrack_ecache.c

netfilter: ctnetlink: make event listener tracking global

2023-02-22 00:28:47 +01:00

nf_conntrack_expect.c

netfilter: expect: Simplify the allocation of slab caches in nf_conntrack_expect_init

2024-02-21 11:57:11 +01:00

nf_conntrack_extend.c

netfilter: conntrack: fix extension size table

2023-09-13 21:57:50 +02:00

nf_conntrack_ftp.c

netfilter: nf_ct_ftp: fix deadlock when nat rewrite is needed

2022-09-20 23:50:03 +02:00

nf_conntrack_h323_asn1.c

netfilter: nf_conntrack_h323: Add protection for bmp length out of range

2024-03-07 03:10:35 +01:00

nf_conntrack_h323_main.c

netfilter: nf_ct_h323: cap packet size at 64k

2022-08-11 16:50:49 +02:00

nf_conntrack_h323_types.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 484

2019-06-19 17:09:52 +02:00

nf_conntrack_helper.c

netfilter: conntrack: simplify nf_conntrack_alter_reply

2023-10-10 16:34:28 +02:00

nf_conntrack_irc.c

netfilter: nf_conntrack_irc: Tighten matching on DCC message

2022-09-07 15:55:23 +02:00

nf_conntrack_labels.c

netfilter: conntrack: switch connlabels to atomic_t

2023-10-24 13:16:30 +02:00

nf_conntrack_netbios_ns.c

netfilter: nf_conntrack_netbios_ns: fix helper module alias

2022-01-11 10:41:44 +01:00

nf_conntrack_netlink.c

genetlink: extend info user-storage to match NL cb ctx

2024-10-10 08:30:21 -07:00

nf_conntrack_ovs.c

netfilter: use nf_ip6_check_hbh_len in nf_ct_skb_network_trim

2023-03-08 14:25:41 +01:00

nf_conntrack_pptp.c

netfilter: nf_conntrack: add missing __rcu annotations

2022-07-11 16:25:15 +02:00

nf_conntrack_proto_dccp.c

netfilter: conntrack: dccp: try not to drop skb in conntrack

2024-05-06 11:13:56 +02:00

nf_conntrack_proto_generic.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

nf_conntrack_proto_gre.c

netfilter: conntrack: gre: don't set assured flag for clash entries

2023-07-05 14:42:15 +02:00

nf_conntrack_proto_icmp.c

netfilter: conntrack: pass hook state to log functions

2021-06-18 14:47:43 +02:00

nf_conntrack_proto_icmpv6.c

netfilter: conntrack: fix ct-state for ICMPv6 Multicast Router Discovery

2024-05-06 11:13:56 +02:00

nf_conntrack_proto_sctp.c

netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new

2024-01-31 23:13:57 +01:00

nf_conntrack_proto_tcp.c

move asm/unaligned.h to linux/unaligned.h

2024-10-02 17:23:23 -04:00

nf_conntrack_proto_udp.c

netfilter: conntrack: udp: fix seen-reply test

2023-02-01 12:18:51 +01:00

nf_conntrack_proto.c

netfilter: add missing module descriptions

2023-11-08 13:52:32 +01:00

nf_conntrack_sane.c

netfilter: nf_ct_sane: remove pseudo skb linearization

2022-08-11 16:50:25 +02:00

nf_conntrack_seqadj.c

netfilter: conntrack: remove extension register api

2022-02-04 06:30:28 +01:00

nf_conntrack_sip.c

netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value.

2023-06-26 17:18:48 +02:00

nf_conntrack_snmp.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152

2019-05-30 11:26:32 -07:00

nf_conntrack_standalone.c

sysctl: treewide: constify the ctl_table argument of proc_handlers

2024-07-24 20:59:29 +02:00

nf_conntrack_tftp.c

netfilter: nf_conntrack_sip: fix expectation clash

2019-07-16 13:16:59 +02:00

nf_conntrack_timeout.c

netfilter: nf_conntrack: use rcu accessors where needed

2022-07-11 16:25:15 +02:00

nf_conntrack_timestamp.c

netfilter: conntrack: remove extension register api

2022-02-04 06:30:28 +01:00

nf_dup_netdev.c

netfilter: nf_dup_netdev: add and use recursion counter

2022-06-21 10:50:41 +02:00

nf_flow_table_bpf.c

netfilter: Add bpf_xdp_flow_lookup kfunc

2024-07-01 17:03:01 +02:00

nf_flow_table_core.c

net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init()

2024-09-12 15:41:03 +02:00

nf_flow_table_inet.c

net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init()

2024-09-12 15:41:03 +02:00

nf_flow_table_ip.c

netfilter: flowtable: validate vlan header

2024-08-22 12:14:18 +02:00

nf_flow_table_offload.c

netfilter: flowtable: initialise extack before use

2024-08-14 23:37:16 +02:00

nf_flow_table_procfs.c

netfilter: nf_flow_table: count pending offload workqueue tasks

2022-07-11 16:25:14 +02:00

nf_flow_table_xdp.c

netfilter: nf_tables: Add flowtable map for xdp offload

2024-07-01 17:01:53 +02:00

nf_hooks_lwtunnel.c

sysctl: treewide: constify the ctl_table argument of proc_handlers

2024-07-24 20:59:29 +02:00

nf_internals.h

netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core

2024-06-19 18:41:59 +02:00

nf_log_syslog.c

netfilter: propagate net to nf_bridge_get_physindev

2024-01-17 12:02:48 +01:00

nf_log.c

sysctl: treewide: constify the ctl_table argument of proc_handlers

2024-07-24 20:59:29 +02:00

nf_nat_amanda.c

netfilter: nat: move repetitive nat port reserve loop to a helper

2022-09-07 16:46:04 +02:00

nf_nat_bpf.c

bpf: treewide: Annotate BPF kfuncs in BTF

2024-01-31 20:40:56 -08:00

nf_nat_core.c

net: convert to nla_get_*_default()

2024-11-11 10:32:06 -08:00

nf_nat_ftp.c

netfilter: nat: move repetitive nat port reserve loop to a helper

2022-09-07 16:46:04 +02:00

nf_nat_helper.c

treewide: use get_random_u32_below() instead of deprecated function

2022-11-18 02:15:15 +01:00

nf_nat_irc.c

netfilter: nat: move repetitive nat port reserve loop to a helper

2022-09-07 16:46:04 +02:00

nf_nat_masquerade.c

netfilter: conntrack: add nf_ct_iter_data object for nf_ct_iterate_cleanup*()

2022-05-13 18:56:27 +02:00

nf_nat_ovs.c

netfilter: nf_nat: fix action not being set for all ct states

2024-01-03 11:17:17 +01:00

nf_nat_proto.c

Merge tag 'ipsec-next-2023-10-28' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

2023-10-30 14:36:57 -07:00

nf_nat_redirect.c

netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses

2023-11-08 16:40:30 +01:00

nf_nat_sip.c

netfilter: nat: move repetitive nat port reserve loop to a helper

2022-09-07 16:46:04 +02:00

nf_nat_tftp.c

netfilter: nf_conntrack_sip: fix expectation clash

2019-07-16 13:16:59 +02:00

nf_queue.c

netfilter: move nf_reinject into nfnetlink_queue modules

2024-02-21 12:03:22 +01:00

nf_sockopt.c

netfilter: switch nf_setsockopt to sockptr_t

2020-07-24 15:41:54 -07:00

nf_synproxy_core.c

move asm/unaligned.h to linux/unaligned.h

2024-10-02 17:23:23 -04:00

nf_tables_api.c

netfilter: nf_tables: do not defer rule destruction via call_rcu

2024-12-11 23:27:50 +01:00

nf_tables_core.c

netfilter: nf_tables: don't initialize registers in nft_do_chain()

2024-08-20 12:37:25 +02:00

nf_tables_offload.c

netfilter: nf_tables: do not store nft_ctx in transaction objects

2024-06-25 20:40:47 +02:00

nf_tables_trace.c

net: add and use skb_get_hash_net

2024-06-12 14:33:38 -07:00

nfnetlink_acct.c

netfilter: use nfnetlink_unicast()

2021-05-29 01:04:53 +02:00

nfnetlink_cthelper.c

netfilter: nf_conntrack: use rcu accessors where needed

2022-07-11 16:25:15 +02:00

nfnetlink_cttimeout.c

netfilter: cttimeout: remove 'l3num' attr check

2024-06-26 00:54:53 +02:00

nfnetlink_hook.c

netfilter: nfnetlink hook: dump bpf prog id

2023-04-21 11:34:14 -07:00

nfnetlink_log.c

netfilter: nfnetlink_log: use proper helper for fetching physinif

2024-01-17 12:02:47 +01:00

nfnetlink_osf.c

netfilter: add missing module descriptions

2023-11-08 13:52:32 +01:00

nfnetlink_queue.c

netfilter: nfnetlink_queue: unbreak SCTP traffic

2024-08-19 18:44:50 +02:00

nfnetlink.c

netfilter: nfnetlink: Report extack policy errors for batched ops

2024-11-14 12:39:40 +01:00

nft_bitwise.c

netfilter: bitwise: add support for doing AND, OR and XOR directly

2024-11-15 12:07:04 +01:00

nft_byteorder.c

move asm/unaligned.h to linux/unaligned.h

2024-10-02 17:23:23 -04:00

nft_chain_filter.c

netfilter: nf_tables: remove NETDEV_CHANGENAME from netdev chain event handler

2024-05-06 11:13:55 +02:00

nft_chain_nat.c

netfilter: add missing module descriptions

2023-11-08 13:52:32 +01:00

nft_chain_route.c

netfilter: nf_tables: remove unused arg in nft_set_pktinfo_unspec()

2021-05-29 01:04:54 +02:00

nft_cmp.c

netfilter: nf_tables: pass context structure to nft_parse_register_load

2024-08-20 12:37:24 +02:00

nft_compat.c

netfilter: nf_tables: missing objects with no memcg accounting

2024-09-26 13:03:02 +02:00

nft_connlimit.c

netfilter: nf_tables: allow clone callbacks to sleep

2024-05-10 11:13:45 +02:00

nft_counter.c

netfilter: nft_counter: Use u64_stats_t for statistic.

2024-09-03 10:47:16 +02:00

nft_ct_fast.c

netfilter: nf_tables: fix ct untracked match breakage

2023-05-03 13:49:08 +02:00

nft_ct.c

netfilter: nf_tables: pass context structure to nft_parse_register_load

2024-08-20 12:37:24 +02:00

nft_dup_netdev.c

netfilter: nf_tables: pass context structure to nft_parse_register_load

2024-08-20 12:37:24 +02:00

nft_dynset.c

netfilter: nf_tables: set element timeout update support

2024-09-03 18:19:44 +02:00

nft_exthdr.c

move asm/unaligned.h to linux/unaligned.h

2024-10-02 17:23:23 -04:00

nft_fib_inet.c

netfilter: nft_fib: add reduce support

2022-03-20 00:29:47 +01:00

nft_fib_netdev.c

netfilter: nft_fib: add reduce support

2022-03-20 00:29:47 +01:00

nft_fib.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_flow_offload.c

netfilter: flow_offload: Convert nft_flow_route() to dscp_t.

2024-11-15 11:00:29 +01:00

nft_fwd_netdev.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_hash.c

netfilter: nf_tables: pass context structure to nft_parse_register_load

2024-08-20 12:37:24 +02:00

nft_immediate.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_inner.c

netfilter: nft_inner: incorrect percpu area handling under softirq

2024-12-03 22:10:58 +01:00

nft_last.c

netfilter: nf_tables: allow clone callbacks to sleep

2024-05-10 11:13:45 +02:00

nft_limit.c

netfilter: nf_tables: allow clone callbacks to sleep

2024-05-10 11:13:45 +02:00

nft_log.c

netfilter: nf_tables: missing objects with no memcg accounting

2024-09-26 13:03:02 +02:00

nft_lookup.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_masq.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_meta.c

netfilter: nf_tables: missing objects with no memcg accounting

2024-09-26 13:03:02 +02:00

nft_nat.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_numgen.c

netfilter: nf_tables: missing objects with no memcg accounting

2024-09-26 13:03:02 +02:00

nft_objref.c

netfilter: nf_tables: pass context structure to nft_parse_register_load

2024-08-20 12:37:24 +02:00

nft_osf.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_payload.c

netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

2024-10-31 10:54:49 +01:00

nft_queue.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_quota.c

netfilter: nf_tables: allow clone callbacks to sleep

2024-05-10 11:13:45 +02:00

nft_range.c

netfilter: nf_tables: pass context structure to nft_parse_register_load

2024-08-20 12:37:24 +02:00

nft_redir.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_reject_inet.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_reject_netdev.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_reject.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_rt.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_set_bitmap.c

netfilter: nf_tables: avoid false-positive lockdep splats in set walker

2024-11-05 22:06:22 +01:00

nft_set_hash.c

netfilter: nft_set_hash: skip duplicated elements pending gc run

2024-12-04 21:37:41 +01:00

nft_set_pipapo_avx2.c

netfilter: nft_set_pipapo_avx2: disable softinterrupts

2024-07-24 10:01:59 +02:00

nft_set_pipapo_avx2.h

netfilter: nf_tables: prefer direct calls for set lookups

2021-05-29 01:04:27 +02:00

nft_set_pipapo.c

netfilter: nf_tables: missing objects with no memcg accounting

2024-09-26 13:03:02 +02:00

nft_set_pipapo.h

netfilter: nf_set_pipapo: fix initial map fill

2024-07-17 19:00:47 +02:00

nft_set_rbtree.c

netfilter: nf_tables: restore set elements when delete set fails

2024-04-17 17:43:11 +02:00

nft_socket.c

netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level

2024-11-28 13:14:24 +01:00

nft_synproxy.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_tproxy.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

nft_tunnel.c

net: convert to nla_get_*_default()

2024-11-11 10:32:06 -08:00

nft_xfrm.c

netfilter: nf_tables: drop unused 3rd argument from validate callback ops

2024-09-03 10:47:17 +02:00

utils.c

netfilter: move nf_reinject into nfnetlink_queue modules

2024-02-21 12:03:22 +01:00

x_tables.c

netfilter: Fix use-after-free in get_info()

2024-10-30 13:17:36 +01:00

xt_addrtype.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_AUDIT.c

netfilter: fix clang-12 fmt string warnings

2021-06-01 23:53:51 +02:00

xt_bpf.c

bpf: Refactor BPF_PROG_RUN into a function

2021-08-17 00:45:07 +02:00

xt_cgroup.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_CHECKSUM.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_CLASSIFY.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_cluster.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_comment.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

xt_connbytes.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_connlabel.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_connlimit.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_connmark.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_CONNSECMARK.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_conntrack.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_cpu.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_CT.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_dccp.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_devgroup.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_dscp.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_DSCP.c

netfilter: x_tables: use correct integer types

2022-07-11 16:40:45 +02:00

xt_ecn.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_esp.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_hashlimit.c

proc: remove PDE_DATA() completely

2022-01-22 08:33:37 +02:00

xt_helper.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_hl.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_HL.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-06-22 08:59:24 -04:00

xt_HMARK.c

netfilter: xt_HMARK: Use ip_is_fragment() helper

2020-08-28 19:55:51 +02:00

xt_IDLETIMER.c

netfilter: IDLETIMER: Fix for possible ABBA deadlock

2024-12-11 23:15:19 +01:00

xt_ipcomp.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152

2019-05-30 11:26:32 -07:00

xt_iprange.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next

2019-06-25 01:32:59 +02:00

xt_ipvs.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

xt_l2tp.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_LED.c

netfilter: x_tables: fix LED ID check in led_tg_check()

2024-11-28 13:14:24 +01:00

xt_length.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

2023-02-22 21:25:23 -08:00

xt_limit.c

netfilter: x_tables: improve limit_mt scalability

2021-05-29 01:04:52 +02:00

xt_LOG.c

netfilter: log: work around missing softdep backend module

2021-09-21 03:46:56 +02:00

xt_mac.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_mark.c

netfilter: xtables: fix typo causing some targets not to load on IPv6

2024-10-21 11:31:26 +02:00

xt_MASQUERADE.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_multiport.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_nat.c

netfilter: Add MODULE_DESCRIPTION entries to kernel modules

2020-06-25 00:50:31 +02:00

xt_NETMAP.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_nfacct.c

netfilter: Remove unnecessary conversion to bool

2020-12-01 09:45:29 +01:00

xt_NFLOG.c

netfilter: xtables: fix typo causing some targets not to load on IPv6

2024-10-21 11:31:26 +02:00

xt_NFQUEUE.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_osf.c

netfilter: nfnetlink_osf: fix module autoload

2023-06-20 22:43:42 +02:00

xt_owner.c

netfilter: xt_owner: Fix for unsafe access of sk->sk_socket

2023-12-06 17:52:15 +01:00

xt_physdev.c

netfilter: propagate net to nf_bridge_get_physindev

2024-01-17 12:02:48 +01:00

xt_pkttype.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_policy.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_quota.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

xt_rateest.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_RATEEST.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_realm.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_recent.c

netfilter: xt_recent: Lift restrictions on max hitcount value

2024-06-28 17:57:50 +02:00

xt_REDIRECT.c

netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs

2023-03-22 21:48:59 +01:00

xt_repldata.h

netfilter: xtables: refactor deprecated strncpy

2023-08-22 15:13:21 +02:00

xt_sctp.c

netfilter: xt_sctp: validate the flag_info count

2023-08-30 17:34:01 +02:00

xt_SECMARK.c

netfilter: xtables: avoid NFPROTO_UNSPEC where needed

2024-10-09 23:20:46 +02:00

xt_set.c

netfilter: inline four headers files into another one.

2019-08-13 12:14:26 +02:00

xt_socket.c

net: annotate data-races around sk->sk_mark

2023-07-29 18:13:41 +01:00

xt_state.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_statistic.c

treewide: use get_random_u32() when possible

2022-10-11 17:42:58 -06:00

xt_string.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_tcpmss.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

xt_TCPMSS.c

netfilter: x_tables: use correct integer types

2022-07-11 16:40:45 +02:00

xt_TCPOPTSTRIP.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-06-22 08:59:24 -04:00

xt_tcpudp.c

xtables: move icmp/icmpv6 logic to xt_tcpudp

2023-03-22 21:48:59 +01:00

xt_TEE.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 3

2019-05-21 11:28:40 +02:00

xt_time.c

netfilter: Replace HTTP links with HTTPS ones

2020-07-29 20:09:18 +02:00

xt_TPROXY.c

netfilter: xt_TPROXY: remove pr_debug invocations

2022-07-21 00:56:00 +02:00

xt_TRACE.c

netfilter: xtables: fix typo causing some targets not to load on IPv6

2024-10-21 11:31:26 +02:00

xt_u32.c

netfilter: xt_u32: validate user space input

2023-08-30 17:34:01 +02:00