Merge tag 'nf-23-12-20' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pablu Neira Syuso says:

====================
netfilter pull request 23-12-20

The following patchset contains Netfilter fixes for net:

1) Skip set commit for deleted/destroyed sets, this might trigger
double deactivation of expired elements.

2) Fix packet mangling from egress, set transport offset from
mac header for netdev/egress.

Both fixes address bugs already present in several releases.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 2 years ago a4255b2e 49fcf34a

+3 -3

3 changed files

expand all

include

net

netfilter

nf_tables_ipv4.h

net

netfilter

nf_tables_api.c

nf_tables_core.c

+1 -1

include/net/netfilter/nf_tables_ipv4.h

··· 30 30 return -1; 31 31 32 32 len = iph_totlen(pkt->skb, iph); 33 - thoff = iph->ihl * 4; 33 + thoff = skb_network_offset(pkt->skb) + (iph->ihl * 4); 34 34 if (pkt->skb->len < len) 35 35 return -1; 36 36 else if (len < thoff)

+1 -1

net/netfilter/nf_tables_api.c

··· 9887 9887 list_for_each_entry_safe(set, next, set_update_list, pending_update) { 9888 9888 list_del_init(&set->pending_update); 9889 9889 9890 - if (!set->ops->commit) 9890 + if (!set->ops->commit || set->dead) 9891 9891 continue; 9892 9892 9893 9893 set->ops->commit(set);

+1 -1

net/netfilter/nf_tables_core.c

··· 158 158 else { 159 159 if (!(pkt->flags & NFT_PKTINFO_L4PROTO)) 160 160 return false; 161 - ptr = skb_network_header(skb) + nft_thoff(pkt); 161 + ptr = skb->data + nft_thoff(pkt); 162 162 } 163 163 164 164 ptr += priv->offset;