]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
projects / thirdparty / kernel / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 390a57d) | patch
netfilter: add more netlink-based policy range checks
authorFlorian Westphal <fw@strlen.de>
Mon, 9 Mar 2026 23:26:46 +0000 (00:26 +0100)
committerFlorian Westphal <fw@strlen.de>
Wed, 8 Apr 2026 05:51:30 +0000 (07:51 +0200)
commit66b75e6bbeeb489156a74534561bbbd360843a73
treeb6225d9061f18da68932b635e57b19320999696btree | snapshot
parent390a57dd61af837fcf5ad0681267890bd6cdd594commit | diff
netfilter: add more netlink-based policy range checks

These spots either already check the attribute range manually
before use or the consuming functions tolerate unexpected values.

Nevertheless, add more range checks via netlink policy so we gain
more users and avoid possible re-use in other places that might
not have the required manual checks.  This also improves error
reporting: netlink core can generate extack errors.

Signed-off-by: Florian Westphal <fw@strlen.de>
23 files changed:
net/netfilter/ipset/ip_set_core.c diff | blob | blame | history
net/netfilter/nf_tables_api.c diff | blob | blame | history
net/netfilter/nfnetlink_acct.c diff | blob | blame | history
net/netfilter/nfnetlink_cthelper.c diff | blob | blame | history
net/netfilter/nfnetlink_hook.c diff | blob | blame | history
net/netfilter/nfnetlink_log.c diff | blob | blame | history
net/netfilter/nfnetlink_osf.c diff | blob | blame | history
net/netfilter/nfnetlink_queue.c diff | blob | blame | history
net/netfilter/nft_compat.c diff | blob | blame | history
net/netfilter/nft_connlimit.c diff | blob | blame | history
net/netfilter/nft_ct.c diff | blob | blame | history
net/netfilter/nft_dynset.c diff | blob | blame | history
net/netfilter/nft_exthdr.c diff | blob | blame | history
net/netfilter/nft_inner.c diff | blob | blame | history
net/netfilter/nft_limit.c diff | blob | blame | history
net/netfilter/nft_log.c diff | blob | blame | history
net/netfilter/nft_osf.c diff | blob | blame | history
net/netfilter/nft_payload.c diff | blob | blame | history
net/netfilter/nft_queue.c diff | blob | blame | history
net/netfilter/nft_quota.c diff | blob | blame | history
net/netfilter/nft_synproxy.c diff | blob | blame | history
net/netfilter/nft_tunnel.c diff | blob | blame | history
net/netfilter/nft_xfrm.c diff | blob | blame | history
A mirror of Linus' kernel repository