redonkable/alistair23-linux
redonkable/alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/include/net/netfilter
History
Florian Westphal 3c79107631 netfilter: ctnetlink: don't use conntrack/expect object addresses as id 
else, we leak the addresses to userspace via ctnetlink events
and dumps.

Compute an ID on demand based on the immutable parts of nf_conn struct.

Another advantage compared to using an address is that there is no
immediate re-use of the same ID in case the conntrack entry is freed and
reallocated again immediately.

Fixes: 3583240249 ("[NETFILTER]: nf_conntrack_expect: kill unique ID")
Fixes: 7f85f91472 ("[NETFILTER]: nf_conntrack: kill unique ID")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-04-15 07:31:44 +02:00
..
ipv4 netfilter: reject: skip csum verification for protocols that don't support it 2019-02-13 10:03:53 +01:00
ipv6 netfilter: reject: skip csum verification for protocols that don't support it 2019-02-13 10:03:53 +01:00
br_netfilter.h netfilter: physdev: relax br_netfilter dependency 2019-01-18 15:02:33 +01:00
nf_conntrack.h netfilter: ctnetlink: don't use conntrack/expect object addresses as id 2019-04-15 07:31:44 +02:00
nf_conntrack_acct.h netfilter: conntrack: remove empty pernet fini stubs 2018-12-21 00:51:54 +01:00
nf_conntrack_core.h netfilter: conntrack: remove nf_ct_l4proto_find_get 2019-01-18 15:02:34 +01:00
nf_conntrack_count.h netfilter: nf_conncount: speculative garbage collection on empty lists 2018-12-29 02:45:22 +01:00
nf_conntrack_ecache.h netfilter: conntrack: remove empty pernet fini stubs 2018-12-21 00:51:54 +01:00
nf_conntrack_expect.h
nf_conntrack_extend.h
nf_conntrack_helper.h netfilter: conntrack: remove empty pernet fini stubs 2018-12-21 00:51:54 +01:00
nf_conntrack_l4proto.h netfilter: conntrack: don't set related state for different outer address 2019-04-13 14:52:57 +02:00
nf_conntrack_labels.h
nf_conntrack_seqadj.h
nf_conntrack_synproxy.h
nf_conntrack_timeout.h netfilter: nf_tables: rework ct timeout set support 2018-08-29 13:04:38 +02:00
nf_conntrack_timestamp.h netfilter: conntrack: remove empty pernet fini stubs 2018-12-21 00:51:54 +01:00
nf_conntrack_tuple.h
nf_conntrack_zones.h
nf_dup_netdev.h
nf_flow_table.h netfilter: nft_flow_offload: fix interaction with vrf slave device 2019-01-11 00:55:37 +01:00
nf_log.h netfilter: check if the socket netns is correct. 2018-06-28 22:21:32 +09:00
nf_nat.h netfilter: nat: remove nf_nat_l3proto.h and nf_nat_core.h 2019-02-27 10:54:08 +01:00
nf_nat_helper.h
nf_nat_redirect.h
nf_queue.h
nf_reject.h netfilter: reject: skip csum verification for protocols that don't support it 2019-02-13 10:03:53 +01:00
nf_socket.h netfilter: Decrease code duplication regarding transparent socket option 2018-06-03 00:02:01 +02:00
nf_tables.h netfilter: nf_tables: bogus EBUSY when deleting set after flush 2019-03-11 13:19:24 +01:00
nf_tables_core.h netfilter: nf_tables: add direct calls for all builtin expressions 2019-01-18 15:02:33 +01:00
nf_tables_ipv4.h
nf_tables_ipv6.h
nf_tproxy.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-07-20 22:28:28 -07:00
nft_fib.h
nft_reject.h
xt_rateest.h