linux/net/netfilter, branch v6.4

netfilter: nf_tables: Fix for deleting base chains with payload

2023-06-20T20:43:42Z

When deleting a base chain, iptables-nft simply submits the whole chain to the kernel, including the NFTA_CHAIN_HOOK attribute. The new code added by fixed commit then turned this into a chain update, destroying the hook but not the chain itself. Detect the situation by checking if the chain type is either netdev or inet/ingress. Fixes: 7d937b107108f ("netfilter: nf_tables: support for deleting devices in an existing netdev chain") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink_osf: fix module autoload

2023-06-20T20:43:42Z

Move the alias from xt_osf to nfnetlink_osf. Fixes: f9324952088f ("netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c") Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: drop module reference after updating chain

2023-06-20T20:43:42Z

Otherwise the module reference counter is leaked. Fixes b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: disallow timeout for anonymous sets

2023-06-20T20:43:41Z

Never used from userspace, disallow these parameters. Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: disallow updates of anonymous sets

2023-06-20T20:43:41Z

Disallow updates of set timeout and garbage collection parameters for anonymous sets. Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates") Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: reject unbound chain set before commit phase

2023-06-20T20:43:41Z

Use binding list to track set transaction and to check for unbound chains before entering the commit phase. Bail out if chain binding remain unused before entering the commit step. Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: reject unbound anonymous set before commit phase

2023-06-20T20:43:41Z

Add a new list to track set transaction and to check for unbound anonymous sets before entering the commit phase. Bail out at the end of the transaction handling if an anonymous set remains unbound. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: disallow element updates of bound anonymous sets

2023-06-20T20:43:40Z

Anonymous sets come with NFT_SET_CONSTANT from userspace. Although API allows to create anonymous sets without NFT_SET_CONSTANT, it makes no sense to allow to add and to delete elements for bound anonymous sets. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: fix underflow in object reference counter

2023-06-20T20:43:40Z

Since ("netfilter: nf_tables: drop map element references from preparation phase"), integration with commit protocol is better, therefore drop the workaround that b91d90368837 ("netfilter: nf_tables: fix leaking object reference count") provides. Signed-off-by: Pablo Neira Ayuso

netfilter: nft_set_pipapo: .walk does not deal with generations

2023-06-20T20:43:40Z

The .walk callback iterates over the current active set, but it might be useful to iterate over the next generation set. Use the generation mask to determine what set view (either current or next generation) is use for the walk iteration. Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") Signed-off-by: Pablo Neira Ayuso