linux/net/openvswitch
David S. Miller 0c84ea17ff Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

1) There was a race condition between parallel save/swap and delete,
   which resulted in a kernel crash due to the increase ref for save, swap,
   wrong ref decrease operations. Reported and fixed by Vishwanath Pai.

2) OVS should call into CT NAT for packets of new expected connections only
   when the conntrack state is persisted with the 'commit' option to the
   OVS CT action. From Jarno Rajahalme.

3) Resolve kconfig dependencies with new OVS NAT support. From Arnd Bergmann.

4) Early validation of entry->target_offset to make sure it doesn't take us
   out from the blob, from Florian Westphal.

5) Again early validation of entry->next_offset to make sure it doesn't take
   us out from the blob, also from Florian.

6) Check that entry->target_offset is always of sizeof(struct xt_entry)
   for unconditional entries, when checking both from check_underflow()
   and when checking for loops in mark_source_chains(), again from
   Florian.

7) Fix inconsistent behaviour in nfnetlink_queue when
   NFQA_CFG_F_FAIL_OPEN is set and netlink_unicast() fails due to buffer
   overrun, we have to reinject the packet as the user expects.

8) Enforce nul-terminated table names from getsockopt GET_ENTRIES
   requests.

9) Don't assume skb->sk is set from nft_bridge_reject and synproxy,
   this fixes a recent update of the code to namespaceify
   ip_default_ttl, patch from Liping Zhang.

This batch comes with four patches to validate x_tables blobs coming
from userspace. CONFIG_USERNS exposes the x_tables interface to
unprivileged users and to be honest this interface never received the
attention for this move away from the CAP_NET_ADMIN domain. Florian is
working on another round with more patches with more sanity checks, so
expect a bit more Netfilter fixes in this development cycle than usual.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-03-28 15:38:59 -04:00
..
Kconfig openvswitch: call only into reachable nf-nat code 2016-03-28 17:58:59 +02:00
Makefile
actions.c net: use skb_postpush_rcsum instead of own implementations 2016-02-19 23:43:10 -05:00
conntrack.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2016-03-28 15:38:59 -04:00
conntrack.h openvswitch: Interface with NAT. 2016-03-14 23:47:29 +01:00
datapath.c ovs: allow nl 'flow set' to use ufid without flow key 2016-03-13 22:18:26 -04:00
datapath.h ovs: propagate per dp max headroom to all vports 2016-03-01 15:54:30 -05:00
dp_notify.c openvswitch: fix hangup on vxlan/gre/geneve device deletion 2015-12-03 14:29:25 -05:00
flow.c
flow.h ip_tunnels, bpf: define IP_TUNNEL_OPTS_MAX and use it 2016-03-18 19:38:46 -04:00
flow_netlink.c openvswitch: allow output of MPLS packets on tunnel vports 2016-03-18 18:26:38 -04:00
flow_netlink.h
flow_table.c
flow_table.h
vport-geneve.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2016-03-17 21:38:27 -07:00
vport-gre.c
vport-internal_dev.c ovs: internal_set_rx_headroom() can be static 2016-03-18 17:50:36 -04:00
vport-internal_dev.h
vport-netdev.c net: use skb_postpush_rcsum instead of own implementations 2016-02-19 23:43:10 -05:00
vport-netdev.h
vport-vxlan.c lwt: fix rx checksum setting for lwt devices tunneling over ipv6 2016-02-19 15:39:30 -05:00
vport.c
vport.h net: use skb_postpush_rcsum instead of own implementations 2016-02-19 23:43:10 -05:00