mirrors/linux
2
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-06-07 23:20:28 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
968cc2c96390f06e56ed6a43f935bfebdefed28f
linux/net/netfilter
History
Florian Westphal 968cc2c963 netfilter: disable payload mangling in userns 
Several parts of network stack rely on iph->ihl validation
done by network stack before PRE_ROUTING.

Disable this feature for user namespaces for now.

tcp option handling is likely safe even for LOCAL_IN, so this
this leaves tcp option mangling via nft_exthdr.c as-is.

I don't think these are the only means to alter packets, but these
appear to be relatively prominent.

This could be relaxed later.  Example:
 - allow userns for ingress hook.
 - allow userns if base is transport header.

 Also, we should revalidate or restrict generally:
 - Don't allow linklayer writes to spill into network header
 - restrict ipv4 and ipv6 to 'known safe' writes, e.g.
   saddr/daddr/check/tos

Reported-by: Qi Tang <tpluszz77@gmail.com>
Reported-by: Tong Liu <lyutoon@gmail.com>
Tested-by: Qi Tang <tpluszz77@gmail.com>
Link: https://lore.kernel.org/netfilter-devel/20260515100411.3141-1-fw@strlen.de/
Signed-off-by: Florian Westphal <fw@strlen.de>
2026-05-22 12:28:46 +02:00
..
ipset
netfilter: ipset: annotate "pos" for concurrent readers/writers
2026-05-16 13:21:42 +02:00
ipvs
ipvs: avoid possible loop in ip_vs_dst_event on resizing
2026-05-16 12:19:56 +02:00
core.c
netfilter: remove nf_ipv6_ops and use direct function calls
2026-03-29 11:21:24 -07:00
Kconfig
netfilter: conntrack: remove UDP-Lite conntrack support
2026-04-10 12:16:26 +02:00
Makefile
netfilter: flowtable: move path discovery infrastructure to its own file
2025-11-27 23:59:43 +00:00
nf_bpf_link.c
netfilter: bpf: defer hook memory release until rcu readers are done
2026-03-19 10:26:31 +01:00
nf_conncount.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nf_conntrack_acct.c
netfilter: conntrack: remove extension register api
2022-02-04 06:30:28 +01:00
nf_conntrack_amanda.c
netfilter: use function typedefs for __rcu NAT helper hook pointers
2026-04-08 07:51:26 +02:00
nf_conntrack_bpf.c
Merge tag 'net-next-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2026-02-11 19:31:52 -08:00
nf_conntrack_broadcast.c
netfilter: nf_conntrack_expect: restore helper propagation via expectation
2026-05-08 01:30:17 +02:00
nf_conntrack_core.c
netfilter: nf_conntrack_gre: fix gre keymap list corruption
2026-05-22 12:28:46 +02:00
nf_conntrack_ecache.c
netfilter: ctnetlink: ensure safe access to master conntrack
2026-03-26 13:18:32 +01:00
nf_conntrack_expect.c
netfilter: nf_conntrack_expect: restore helper propagation via expectation
2026-05-08 01:30:17 +02:00
nf_conntrack_extend.c
netfilter: conntrack: fix extension size table
2023-09-13 21:57:50 +02:00
nf_conntrack_ftp.c
netfilter: use function typedefs for __rcu NAT helper hook pointers
2026-04-08 07:51:26 +02:00
nf_conntrack_h323_asn1.c
netfilter: nf_conntrack_h323: Correct indentation when H323_TRACE defined
2026-04-08 07:51:31 +02:00
nf_conntrack_h323_main.c
netfilter: nf_conntrack_expect: restore helper propagation via expectation
2026-05-08 01:30:17 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c
netfilter: nf_conntrack_helper: fix possible null deref during error log
2026-05-16 12:19:56 +02:00
nf_conntrack_irc.c
netfilter: use function typedefs for __rcu NAT helper hook pointers
2026-04-08 07:51:26 +02:00
nf_conntrack_labels.c
netfilter: conntrack: switch connlabels to atomic_t
2023-10-24 13:16:30 +02:00
nf_conntrack_netbios_ns.c
netfilter: nf_conntrack_netbios_ns: fix helper module alias
2022-01-11 10:41:44 +01:00
nf_conntrack_netlink.c
netfilter: ctnetlink: check tuple and mask in expectations created via nfqueue
2026-05-08 01:30:17 +02:00
nf_conntrack_ovs.c
net/ipv6: Introduce payload_len helpers
2026-02-06 20:50:03 -08:00
nf_conntrack_pptp.c
netfilter: nf_conntrack_gre: fix gre keymap list corruption
2026-05-22 12:28:46 +02:00
nf_conntrack_proto_generic.c
netfilter: nf_conntrack: Add allow_clash to generic protocol handler
2026-01-20 16:23:37 +01:00
nf_conntrack_proto_gre.c
netfilter: nf_conntrack_gre: fix gre keymap list corruption
2026-05-22 12:28:46 +02:00
nf_conntrack_proto_icmp.c
netfilter: nf_conntrack: enable icmp clash support
2026-01-20 16:23:37 +01:00
nf_conntrack_proto_icmpv6.c
netfilter: nf_conntrack: enable icmp clash support
2026-01-20 16:23:37 +01:00
nf_conntrack_proto_sctp.c
netfilter: skip recording stale or retransmitted INIT
2026-04-28 17:52:19 -07:00
nf_conntrack_proto_tcp.c
netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
2026-05-22 12:27:55 +02:00
nf_conntrack_proto_udp.c
netfilter: conntrack: remove UDP-Lite conntrack support
2026-04-10 12:16:26 +02:00
nf_conntrack_proto.c
netfilter: conntrack: remove UDP-Lite conntrack support
2026-04-10 12:16:26 +02:00
nf_conntrack_sane.c
netfilter: nf_ct_sane: remove pseudo skb linearization
2022-08-11 16:50:25 +02:00
nf_conntrack_seqadj.c
netfilter: conntrack: remove extension register api
2022-02-04 06:30:28 +01:00
nf_conntrack_sip.c
netfilter: nf_conntrack_sip: get helper before allocating expectation
2026-05-08 01:30:17 +02:00
nf_conntrack_snmp.c
netfilter: use function typedefs for __rcu NAT helper hook pointers
2026-04-08 07:51:26 +02:00
nf_conntrack_standalone.c
netfilter: conntrack: remove UDP-Lite conntrack support
2026-04-10 12:16:26 +02:00
nf_conntrack_tftp.c
netfilter: use function typedefs for __rcu NAT helper hook pointers
2026-04-08 07:51:26 +02:00
nf_conntrack_timeout.c
netfilter: nf_conntrack: use rcu accessors where needed
2022-07-11 16:25:15 +02:00
nf_conntrack_timestamp.c
netfilter: conntrack: remove extension register api
2022-02-04 06:30:28 +01:00
nf_dup_netdev.c
netfilter: nft_fwd_netdev: use recursion counter in neigh egress path
2026-04-30 00:57:42 +02:00
nf_flow_table_bpf.c
bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs
2026-01-02 12:04:28 -08:00
nf_flow_table_core.c
netfilter: flowtable: fix inline pppoe encapsulation in xmit path
2026-05-01 01:24:01 +02:00
nf_flow_table_inet.c
net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init()
2024-09-12 15:41:03 +02:00
nf_flow_table_ip.c
netfilter: flowtable: use skb_pull_rcsum() to pop vlan/pppoe header
2026-05-01 12:39:23 +02:00
nf_flow_table_offload.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-02 11:03:13 -07:00
nf_flow_table_path.c
netfilter: flowtable: fix inline pppoe encapsulation in xmit path
2026-05-01 01:24:01 +02:00
nf_flow_table_procfs.c
netfilter: nf_flow_table: count pending offload workqueue tasks
2022-07-11 16:25:14 +02:00
nf_flow_table_xdp.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nf_hooks_lwtunnel.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
nf_internals.h
netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core
2024-06-19 18:41:59 +02:00
nf_log_syslog.c
netfilter: require Ethernet MAC header before using eth_hdr()
2026-04-10 12:16:27 +02:00
nf_log.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nf_nat_amanda.c
netfilter: conntrack: remove sprintf usage
2026-04-20 23:27:46 +02:00
nf_nat_bpf.c
bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs
2026-01-02 12:04:28 -08:00
nf_nat_core.c
netfilter: nat: use kfree_rcu to release ops
2026-04-20 23:45:41 +02:00
nf_nat_ftp.c
netfilter: nat: move repetitive nat port reserve loop to a helper
2022-09-07 16:46:04 +02:00
nf_nat_helper.c
treewide: use get_random_u32_below() instead of deprecated function
2022-11-18 02:15:15 +01:00
nf_nat_irc.c
netfilter: nat: move repetitive nat port reserve loop to a helper
2022-09-07 16:46:04 +02:00
nf_nat_masquerade.c
netfilter: remove nf_ipv6_ops and use direct function calls
2026-03-29 11:21:24 -07:00
nf_nat_ovs.c
netfilter: nf_conntrack: don't rely on implicit includes
2026-01-20 16:23:37 +01:00
nf_nat_proto.c
netfilter: conntrack: remove UDP-Lite conntrack support
2026-04-10 12:16:26 +02:00
nf_nat_redirect.c
netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
2023-11-08 16:40:30 +01:00
nf_nat_sip.c
netfilter: nf_conntrack_sip: don't use simple_strtoul
2026-04-24 20:09:57 +02:00
nf_nat_tftp.c
nf_queue.c
netfilter: nf_queue: hold bridge skb->dev while queued
2026-05-16 13:23:01 +02:00
nf_sockopt.c
nf_synproxy_core.c
netfilter: synproxy: refresh tcphdr after skb_ensure_writable
2026-05-22 12:28:40 +02:00
nf_tables_api.c
netfilter: nf_tables: fix netdev hook allocation memleak with dormant tables
2026-04-30 08:03:22 +02:00
nf_tables_core.c
netfilter: nf_tables: skip L4 header parsing for non-first fragments
2026-04-30 17:59:01 +02:00
nf_tables_offload.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nf_tables_trace.c
netfilter: nf_tables: hide clash bit from userspace
2025-07-14 15:22:35 +02:00
nfnetlink_acct.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nfnetlink_cthelper.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nfnetlink_cttimeout.c
netfilter: conntrack: remove UDP-Lite conntrack support
2026-04-10 12:16:26 +02:00
nfnetlink_hook.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nfnetlink_log.c
netfilter: nfnetlink: prefer skb_mac_header helpers
2026-04-10 12:16:26 +02:00
nfnetlink_osf.c
netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
2026-04-20 23:45:44 +02:00
nfnetlink_queue.c
netfilter: disable payload mangling in userns
2026-05-22 12:28:46 +02:00
nfnetlink.c
net: Add SPDX ids to some source files
2026-03-09 18:32:45 -07:00
nft_bitwise.c
netfilter: reject zero shift in nft_bitwise
2026-04-24 20:09:57 +02:00
nft_byteorder.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_chain_filter.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-03-12 12:53:34 -07:00
nft_chain_nat.c
netfilter: add missing module descriptions
2023-11-08 13:52:32 +01:00
nft_chain_route.c
nft_cmp.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_compat.c
netfilter: nft_compat: run xt_check_hooks_{match,target}() from .validate
2026-04-30 08:03:22 +02:00
nft_connlimit.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nft_counter.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_ct_fast.c
netfilter: nf_tables: fix ct untracked match breakage
2023-05-03 13:49:08 +02:00
nft_ct.c
netfilter: nft_ct: fix missing expect put in obj eval
2026-05-08 01:30:17 +02:00
nft_dup_netdev.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_dynset.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nft_exthdr.c
netfilter: nf_tables: skip L4 header parsing for non-first fragments
2026-04-30 17:59:01 +02:00
nft_fib_inet.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_fib_netdev.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_fib.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_flow_offload.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_fwd_netdev.c
netfilter: nft_fwd_netdev: use recursion counter in neigh egress path
2026-04-30 00:57:42 +02:00
nft_hash.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_immediate.c
netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it
2026-04-08 07:51:31 +02:00
nft_inner.c
netfilter: nft_inner: release local_lock before re-enabling softirqs
2026-05-16 13:21:41 +02:00
nft_last.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 10:23:00 -08:00
nft_limit.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nft_log.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nft_lookup.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_masq.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_meta.c
netfilter: nft_meta: add double-tagged vlan and pppoe support
2026-04-08 07:51:31 +02:00
nft_nat.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_numgen.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_objref.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_osf.c
netfilter: nf_tables: skip L4 header parsing for non-first fragments
2026-04-30 17:59:01 +02:00
nft_payload.c
netfilter: disable payload mangling in userns
2026-05-22 12:28:46 +02:00
nft_queue.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nft_quota.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nft_range.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_redir.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_reject_inet.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_reject_netdev.c
netfilter: nf_tables: remove register tracking infrastructure
2026-02-25 19:36:26 -08:00
nft_reject.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_rt.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_set_bitmap.c
netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation
2025-09-10 20:28:24 +02:00
nft_set_hash.c
netfilter: nf_tables: clone set on flush only
2026-03-05 13:22:37 +01:00
nft_set_pipapo_avx2.c
netfilter: nft_set_pipapo_avx2: remove redundant loop in lookup_slow
2026-04-08 07:51:31 +02:00
nft_set_pipapo_avx2.h
netfilter: nft_set_pipapo: use avx2 algorithm for insertions too
2025-08-20 13:52:37 +02:00
nft_set_pipapo.c
netfilter: nft_set_pipapo: increment data in one step
2026-04-08 07:51:31 +02:00
nft_set_pipapo.h
netfilter: nft_set_pipapo: increment data in one step
2026-04-08 07:51:31 +02:00
nft_set_rbtree.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-03-26 12:09:57 -07:00
nft_socket.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_synproxy.c
netfilter: add more netlink-based policy range checks
2026-04-08 07:51:30 +02:00
nft_tproxy.c
netfilter: nf_tables: skip L4 header parsing for non-first fragments
2026-04-30 17:59:01 +02:00
nft_tunnel.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
nft_xfrm.c
netfilter: nf_tables: add netlink policy based cap on registers
2026-04-08 07:51:31 +02:00
utils.c
netfilter: remove nf_ipv6_ops and use direct function calls
2026-03-29 11:21:24 -07:00
x_tables.c
netfilter: x_tables: add and use xtables_unregister_table_exit
2026-05-08 01:30:16 +02:00
xt_addrtype.c
netfilter: x_tables: add .check_hooks to matches and targets
2026-04-30 08:03:22 +02:00
xt_AUDIT.c
audit: add audit_log_nf_skb helper function
2025-12-16 11:04:14 -05:00
xt_bpf.c
xt_cgroup.c
netfilter: x_tables: ensure names are nul-terminated
2026-04-01 11:55:29 +02:00
xt_CHECKSUM.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_CLASSIFY.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_cluster.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_comment.c
xt_connbytes.c
net: Add SPDX ids to some source files
2026-03-09 18:32:45 -07:00
xt_connlabel.c
xt_connlimit.c
net: Add SPDX ids to some source files
2026-03-09 18:32:45 -07:00
xt_connmark.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_CONNSECMARK.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_conntrack.c
xt_cpu.c
netfilter: xt_cpu: prefer raw_smp_processor_id
2026-05-22 12:28:46 +02:00
xt_CT.c
netfilter: xt_CT: fix usersize for v1 and v2 revision
2026-04-30 08:03:22 +02:00
xt_dccp.c
netfilter: add deprecation warning for dccp support
2026-04-08 07:51:27 +02:00
xt_devgroup.c
netfilter: x_tables: add .check_hooks to matches and targets
2026-04-30 08:03:22 +02:00
xt_dscp.c
xt_DSCP.c
netfilter: x_tables: use correct integer types
2022-07-11 16:40:45 +02:00
xt_ecn.c
netfilter: xtables: fix L4 header parsing for non-first fragments
2026-04-30 17:59:01 +02:00
xt_esp.c
xt_hashlimit.c
netfilter: xtables: fix L4 header parsing for non-first fragments
2026-04-30 17:59:01 +02:00
xt_helper.c
xt_hl.c
netfilter: xt_HL: add pr_fmt and checkentry validation
2026-04-10 12:16:26 +02:00
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
2026-03-10 14:10:43 +01:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_LED.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_length.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
2023-02-22 21:25:23 -08:00
xt_limit.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_LOG.c
xt_mac.c
netfilter: xtables: restrict several matches to inet family
2026-04-20 23:27:52 +02:00
xt_mark.c
netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds
2025-05-22 17:16:02 +02:00
xt_MASQUERADE.c
xt_multiport.c
netfilter: xt_multiport: validate range encoding in checkentry
2026-04-08 13:33:38 +02:00
xt_nat.c
xt_NETMAP.c
xt_nfacct.c
netfilter: xt_nfacct: don't assume acct name is null-terminated
2025-07-25 18:40:43 +02:00
xt_NFLOG.c
netfilter: xtables: fix typo causing some targets not to load on IPv6
2024-10-21 11:31:26 +02:00
xt_NFQUEUE.c
xt_osf.c
netfilter: xtables: fix L4 header parsing for non-first fragments
2026-04-30 17:59:01 +02:00
xt_owner.c
netfilter: xtables: restrict several matches to inet family
2026-04-20 23:27:52 +02:00
xt_physdev.c
netfilter: x_tables: add .check_hooks to matches and targets
2026-04-30 08:03:22 +02:00
xt_pkttype.c
xt_policy.c
netfilter: x_tables: add .check_hooks to matches and targets
2026-04-30 08:03:22 +02:00
xt_quota.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_rateest.c
netfilter: x_tables: ensure names are nul-terminated
2026-04-01 11:55:29 +02:00
xt_RATEEST.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_realm.c
netfilter: xtables: restrict several matches to inet family
2026-04-20 23:27:52 +02:00
xt_recent.c
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_REDIRECT.c
netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs
2023-03-22 21:48:59 +01:00
xt_repldata.h
netfilter: xtables: Use strscpy() instead of strscpy_pad()
2025-03-23 10:53:47 +01:00
xt_sctp.c
netfilter: xt_sctp: validate the flag_info count
2023-08-30 17:34:01 +02:00
xt_SECMARK.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_set.c
netfilter: x_tables: add .check_hooks to matches and targets
2026-04-30 08:03:22 +02:00
xt_socket.c
netfilter: xt_socket: enable defrag after all other checks
2026-04-10 12:16:26 +02:00
xt_state.c
xt_statistic.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_string.c
xt_tcpmss.c
netfilter: xtables: fix L4 header parsing for non-first fragments
2026-04-30 17:59:01 +02:00
xt_TCPMSS.c
netfilter: x_tables: add .check_hooks to matches and targets
2026-04-30 08:03:22 +02:00
xt_TCPOPTSTRIP.c
netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds
2025-05-22 17:16:02 +02:00
xt_tcpudp.c
netfilter: x_tables: guard option walkers against 1-byte tail reads
2026-03-10 14:10:42 +01:00
xt_TEE.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_time.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-03-19 14:16:00 -07:00
xt_TPROXY.c
netfilter: xtables: fix L4 header parsing for non-first fragments
2026-04-30 17:59:01 +02:00
xt_TRACE.c
netfilter: xtables: fix typo causing some targets not to load on IPv6
2024-10-21 11:31:26 +02:00
xt_u32.c
netfilter: xt_u32: validate user space input
2023-08-30 17:34:01 +02:00