torvalds/linux
3
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-03-21 23:16:50 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
linux/net/netfilter
History
Weiming Shi dbdfaae960 nfnetlink_osf: validate individual option lengths in fingerprints 
nfnl_osf_add_callback() validates opt_num bounds and string
NUL-termination but does not check individual option length fields.
A zero-length option causes nf_osf_match_one() to enter the option
matching loop even when foptsize sums to zero, which matches packets
with no TCP options where ctx->optp is NULL:

 Oops: general protection fault
 KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
 RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
 Call Trace:
  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
  xt_osf_match_packet (net/netfilter/xt_osf.c:32)
  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
  nf_hook_slow (net/netfilter/core.c:623)
  ip_local_deliver (net/ipv4/ip_input.c:262)
  ip_rcv (net/ipv4/ip_input.c:573)

Additionally, an MSS option (kind=2) with length < 4 causes
out-of-bounds reads when nf_osf_match_one() unconditionally accesses
optp[2] and optp[3] for MSS value extraction.  While RFC 9293
section 3.2 specifies that the MSS option is always exactly 4
bytes (Kind=2, Length=4), the check uses "< 4" rather than
"!= 4" because lengths greater than 4 do not cause memory
safety issues -- the buffer is guaranteed to be at least
foptsize bytes by the ctx->optsize == foptsize check.

Reject fingerprints where any option has zero length, or where an MSS
option has length less than 4, at add time rather than trusting these
values in the packet matching hot path.

Fixes: 11eeef41d5 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
2026-03-19 10:27:07 +01:00
..
ipset
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
ipvs
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses
2026-02-22 08:26:33 -08:00
core.c
netfilter: nf_dup{4, 6}: Move duplication check to task_struct
2025-05-23 13:57:12 +02:00
Kconfig
netfilter: Exclude LEGACY TABLES on PREEMPT_RT.
2025-07-25 18:38:50 +02:00
Makefile
netfilter: flowtable: move path discovery infrastructure to its own file
2025-11-27 23:59:43 +00:00
nf_bpf_link.c
netfilter: bpf: defer hook memory release until rcu readers are done
2026-03-19 10:26:31 +01:00
nf_conncount.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nf_conntrack_acct.c
netfilter: conntrack: remove extension register api
2022-02-04 06:30:28 +01:00
nf_conntrack_amanda.c
netfilter: annotate NAT helper hook pointers with __rcu
2026-02-17 15:04:20 +01:00
nf_conntrack_bpf.c
Merge tag 'net-next-7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2026-02-11 19:31:52 -08:00
nf_conntrack_broadcast.c
netfilter: conntrack: remove skb argument from nf_ct_refresh
2025-01-19 16:41:55 +01:00
nf_conntrack_core.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nf_conntrack_ecache.c
net: replace use of system_wq with system_percpu_wq
2025-09-22 17:40:30 -07:00
nf_conntrack_expect.c
treewide, timers: Rename from_timer() to timer_container_of()
2025-06-08 09:07:37 +02:00
nf_conntrack_extend.c
netfilter: conntrack: fix extension size table
2023-09-13 21:57:50 +02:00
nf_conntrack_ftp.c
netfilter: annotate NAT helper hook pointers with __rcu
2026-02-17 15:04:20 +01:00
nf_conntrack_h323_asn1.c
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
2026-03-13 15:31:15 +01:00
nf_conntrack_h323_main.c
netfilter: nf_conntrack_h323: don't pass uninitialised l3num value
2026-02-17 15:04:20 +01:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c
netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
2025-08-27 11:53:38 +02:00
nf_conntrack_irc.c
netfilter: annotate NAT helper hook pointers with __rcu
2026-02-17 15:04:20 +01:00
nf_conntrack_labels.c
netfilter: conntrack: switch connlabels to atomic_t
2023-10-24 13:16:30 +02:00
nf_conntrack_netbios_ns.c
netfilter: nf_conntrack_netbios_ns: fix helper module alias
2022-01-11 10:41:44 +01:00
nf_conntrack_netlink.c
netfilter: conntrack: add missing netlink policy validations
2026-03-13 15:31:14 +01:00
nf_conntrack_ovs.c
net/ipv6: Introduce payload_len helpers
2026-02-06 20:50:03 -08:00
nf_conntrack_pptp.c
netfilter: nf_conntrack: add missing __rcu annotations
2022-07-11 16:25:15 +02:00
nf_conntrack_proto_generic.c
netfilter: nf_conntrack: Add allow_clash to generic protocol handler
2026-01-20 16:23:37 +01:00
nf_conntrack_proto_gre.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nf_conntrack_proto_icmp.c
netfilter: nf_conntrack: enable icmp clash support
2026-01-20 16:23:37 +01:00
nf_conntrack_proto_icmpv6.c
netfilter: nf_conntrack: enable icmp clash support
2026-01-20 16:23:37 +01:00
nf_conntrack_proto_sctp.c
netfilter: conntrack: add missing netlink policy validations
2026-03-13 15:31:14 +01:00
nf_conntrack_proto_tcp.c
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
nf_conntrack_proto_udp.c
netfilter: conntrack: udp: fix seen-reply test
2023-02-01 12:18:51 +01:00
nf_conntrack_proto.c
netfilter: conntrack: remove DCCP protocol support
2025-07-03 13:51:39 +02:00
nf_conntrack_sane.c
netfilter: nf_ct_sane: remove pseudo skb linearization
2022-08-11 16:50:25 +02:00
nf_conntrack_seqadj.c
netfilter: conntrack: remove extension register api
2022-02-04 06:30:28 +01:00
nf_conntrack_sip.c
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
2026-03-13 15:31:14 +01:00
nf_conntrack_snmp.c
netfilter: annotate NAT helper hook pointers with __rcu
2026-02-17 15:04:20 +01:00
nf_conntrack_standalone.c
netfilter: conntrack: disable 0 value for conntrack_max setting
2025-10-30 12:52:45 +01:00
nf_conntrack_tftp.c
netfilter: annotate NAT helper hook pointers with __rcu
2026-02-17 15:04:20 +01:00
nf_conntrack_timeout.c
netfilter: nf_conntrack: use rcu accessors where needed
2022-07-11 16:25:15 +02:00
nf_conntrack_timestamp.c
netfilter: conntrack: remove extension register api
2022-02-04 06:30:28 +01:00
nf_dup_netdev.c
netfilter: nf_dup_netdev: Move the recursion counter struct netdev_xmit
2025-05-23 13:57:12 +02:00
nf_flow_table_bpf.c
bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs
2026-01-02 12:04:28 -08:00
nf_flow_table_core.c
netfilter: flowtable: dedicated slab for flow entry
2026-02-06 13:34:55 +01:00
nf_flow_table_inet.c
net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init()
2024-09-12 15:41:03 +02:00
nf_flow_table_ip.c
netfilter: nf_flow_table_ip: reset mac header before vlan push
2026-03-13 15:31:15 +01:00
nf_flow_table_offload.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nf_flow_table_path.c
netfilter: nf_conntrack: don't rely on implicit includes
2026-01-20 16:23:37 +01:00
nf_flow_table_procfs.c
netfilter: nf_flow_table: count pending offload workqueue tasks
2022-07-11 16:25:14 +02:00
nf_flow_table_xdp.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nf_hooks_lwtunnel.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
nf_internals.h
netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core
2024-06-19 18:41:59 +02:00
nf_log_syslog.c
net/ipv6: Introduce payload_len helpers
2026-02-06 20:50:03 -08:00
nf_log.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nf_nat_amanda.c
netfilter: nat: move repetitive nat port reserve loop to a helper
2022-09-07 16:46:04 +02:00
nf_nat_bpf.c
bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs
2026-01-02 12:04:28 -08:00
nf_nat_core.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nf_nat_ftp.c
netfilter: nat: move repetitive nat port reserve loop to a helper
2022-09-07 16:46:04 +02:00
nf_nat_helper.c
treewide: use get_random_u32_below() instead of deprecated function
2022-11-18 02:15:15 +01:00
nf_nat_irc.c
netfilter: nat: move repetitive nat port reserve loop to a helper
2022-09-07 16:46:04 +02:00
nf_nat_masquerade.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nf_nat_ovs.c
netfilter: nf_conntrack: don't rely on implicit includes
2026-01-20 16:23:37 +01:00
nf_nat_proto.c
netfilter: nf_conntrack: don't rely on implicit includes
2026-01-20 16:23:37 +01:00
nf_nat_redirect.c
netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
2023-11-08 16:40:30 +01:00
nf_nat_sip.c
netfilter: nat: move repetitive nat port reserve loop to a helper
2022-09-07 16:46:04 +02:00
nf_nat_tftp.c
nf_queue.c
netfilter: move nf_reinject into nfnetlink_queue modules
2024-02-21 12:03:22 +01:00
nf_sockopt.c
nf_synproxy_core.c
netfilter: don't include xt and nftables.h in unrelated subsystems
2026-01-20 16:23:37 +01:00
nf_tables_api.c
netfilter: nf_tables: release flowtable after rcu grace period on error
2026-03-19 10:26:31 +01:00
nf_tables_core.c
netfilter: nf_tables: Only use nf_skip_indirect_calls() when MITIGATION_RETPOLINE
2025-03-23 10:53:47 +01:00
nf_tables_offload.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nf_tables_trace.c
netfilter: nf_tables: hide clash bit from userspace
2025-07-14 15:22:35 +02:00
nfnetlink_acct.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nfnetlink_cthelper.c
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
2026-03-10 14:10:42 +01:00
nfnetlink_cttimeout.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nfnetlink_hook.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nfnetlink_log.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nfnetlink_osf.c
nfnetlink_osf: validate individual option lengths in fingerprints
2026-03-19 10:27:07 +01:00
nfnetlink_queue.c
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
2026-03-10 14:10:42 +01:00
nfnetlink.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nft_bitwise.c
netfilter: bitwise: add support for doing AND, OR and XOR directly
2024-11-15 12:07:04 +01:00
nft_byteorder.c
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
nft_chain_filter.c
netfilter: nf_tables: Fix for duplicate device in netdev hooks
2026-03-10 14:10:42 +01:00
nft_chain_nat.c
netfilter: add missing module descriptions
2023-11-08 13:52:32 +01:00
nft_chain_route.c
nft_cmp.c
netfilter: nf_tables: pass context structure to nft_parse_register_load
2024-08-20 12:37:24 +02:00
nft_compat.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nft_connlimit.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nft_counter.c
netfilter: nft_counter: serialize reset with spinlock
2026-02-17 15:04:20 +01:00
nft_ct_fast.c
netfilter: nf_tables: fix ct untracked match breakage
2023-05-03 13:49:08 +02:00
nft_ct.c
netfilter: nft_ct: drop pending enqueued packets on removal
2026-03-13 15:31:15 +01:00
nft_dup_netdev.c
netfilter: nf_tables: pass context structure to nft_parse_register_load
2024-08-20 12:37:24 +02:00
nft_dynset.c
nf_tables: nft_dynset: fix possible stateful expression memleak in error path
2026-03-13 15:31:15 +01:00
nft_exthdr.c
netfilter: conntrack: remove DCCP protocol support
2025-07-03 13:51:39 +02:00
nft_fib_inet.c
netfilter: nft_fib: add reduce support
2022-03-20 00:29:47 +01:00
nft_fib_netdev.c
netfilter: nft_fib: add reduce support
2022-03-20 00:29:47 +01:00
nft_fib.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_flow_offload.c
netfilter: nf_conntrack: don't rely on implicit includes
2026-01-20 16:23:37 +01:00
nft_fwd_netdev.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_hash.c
netfilter: nf_tables: pass context structure to nft_parse_register_load
2024-08-20 12:37:24 +02:00
nft_immediate.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_inner.c
netfilter: nft_inner: Use nested-BH locking for nft_pcpu_tun_ctx
2025-05-23 13:57:12 +02:00
nft_last.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nft_limit.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nft_log.c
audit: add audit_log_nf_skb helper function
2025-12-16 11:04:14 -05:00
nft_lookup.c
netfilter: nf_tables: use C99 struct initializer for nft_set_iter
2025-10-30 12:52:45 +01:00
nft_masq.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_meta.c
netfilter: nf_tables: missing objects with no memcg accounting
2024-09-26 13:03:02 +02:00
nft_nat.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_numgen.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nft_objref.c
netfilter: nft_objref: validate objref and objrefmap expressions
2025-10-08 13:17:25 +02:00
nft_osf.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_payload.c
netfilter: nft_payload: extend offset to 65535 bytes
2025-09-02 15:28:18 +02:00
nft_queue.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_quota.c
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
nft_range.c
netfilter: nf_tables: pass context structure to nft_parse_register_load
2024-08-20 12:37:24 +02:00
nft_redir.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_reject_inet.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_reject_netdev.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_reject.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_rt.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_set_bitmap.c
netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation
2025-09-10 20:28:24 +02:00
nft_set_hash.c
netfilter: nf_tables: clone set on flush only
2026-03-05 13:22:37 +01:00
nft_set_pipapo_avx2.c
netfilter: nft_set_pipapo_avx2: fix skip of expired entries
2025-09-24 11:50:28 +02:00
nft_set_pipapo_avx2.h
netfilter: nft_set_pipapo: use avx2 algorithm for insertions too
2025-08-20 13:52:37 +02:00
nft_set_pipapo.c
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
2026-03-10 14:10:42 +01:00
nft_set_pipapo.h
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
2026-03-05 13:22:37 +01:00
nft_set_rbtree.c
netfilter: revert nft_set_rbtree: validate open interval overlap
2026-03-13 15:31:14 +01:00
nft_socket.c
netfilter: nft_socket: remove WARN_ON_ONCE with huge level value
2025-08-07 13:19:26 +02:00
nft_synproxy.c
netfilter: don't include xt and nftables.h in unrelated subsystems
2026-01-20 16:23:37 +01:00
nft_tproxy.c
netfilter: nf_tables: drop unused 3rd argument from validate callback ops
2024-09-03 10:47:17 +02:00
nft_tunnel.c
netfilter: nft_tunnel: fix geneve_opt dump
2025-05-23 13:57:12 +02:00
nft_xfrm.c
xfrm: add generic iptfs defines and functionality
2024-12-05 10:01:28 +01:00
utils.c
netfilter: move nf_reinject into nfnetlink_queue modules
2024-02-21 12:03:22 +01:00
x_tables.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_addrtype.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_AUDIT.c
audit: add audit_log_nf_skb helper function
2025-12-16 11:04:14 -05:00
xt_bpf.c
xt_cgroup.c
net: cgroup: Guard users of sock_cgroup_classid()
2025-04-24 16:04:02 +02:00
xt_CHECKSUM.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_CLASSIFY.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_cluster.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_comment.c
xt_connbytes.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_connlabel.c
xt_connlimit.c
netfilter: nf_conncount: rework API to use sk_buff directly
2025-11-28 00:05:49 +00:00
xt_connmark.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_CONNSECMARK.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_conntrack.c
xt_cpu.c
xt_CT.c
netfilter: xt_CT: drop pending enqueued packets on template removal
2026-03-13 15:31:15 +01:00
xt_dccp.c
netfilter: x_tables: guard option walkers against 1-byte tail reads
2026-03-10 14:10:42 +01:00
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
netfilter: x_tables: use correct integer types
2022-07-11 16:40:45 +02:00
xt_ecn.c
xt_esp.c
xt_hashlimit.c
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c
netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
2026-03-10 14:10:43 +01:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_LED.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_length.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
2023-02-22 21:25:23 -08:00
xt_limit.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_LOG.c
netfilter: log: work around missing softdep backend module
2021-09-21 03:46:56 +02:00
xt_mac.c
xt_mark.c
netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds
2025-05-22 17:16:02 +02:00
xt_MASQUERADE.c
xt_multiport.c
xt_nat.c
xt_NETMAP.c
xt_nfacct.c
netfilter: xt_nfacct: don't assume acct name is null-terminated
2025-07-25 18:40:43 +02:00
xt_NFLOG.c
netfilter: xtables: fix typo causing some targets not to load on IPv6
2024-10-21 11:31:26 +02:00
xt_NFQUEUE.c
xt_osf.c
netfilter: nfnetlink_osf: fix module autoload
2023-06-20 22:43:42 +02:00
xt_owner.c
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
2023-12-06 17:52:15 +01:00
xt_physdev.c
netfilter: propagate net to nf_bridge_get_physindev
2024-01-17 12:02:48 +01:00
xt_pkttype.c
xt_policy.c
xt_quota.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_rateest.c
xt_RATEEST.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_realm.c
xt_recent.c
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_REDIRECT.c
netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs
2023-03-22 21:48:59 +01:00
xt_repldata.h
netfilter: xtables: Use strscpy() instead of strscpy_pad()
2025-03-23 10:53:47 +01:00
xt_sctp.c
netfilter: xt_sctp: validate the flag_info count
2023-08-30 17:34:01 +02:00
xt_SECMARK.c
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 23:20:46 +02:00
xt_set.c
xt_socket.c
net: annotate data-races around sk->sk_mark
2023-07-29 18:13:41 +01:00
xt_state.c
xt_statistic.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_string.c
xt_tcpmss.c
netfilter: xt_tcpmss: check remaining length before reading optlen
2026-01-20 16:23:38 +01:00
xt_TCPMSS.c
netfilter: x_tables: use correct integer types
2022-07-11 16:40:45 +02:00
xt_TCPOPTSTRIP.c
netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds
2025-05-22 17:16:02 +02:00
xt_tcpudp.c
netfilter: x_tables: guard option walkers against 1-byte tail reads
2026-03-10 14:10:42 +01:00
xt_TEE.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
xt_time.c
netfilter: xt_time: use unsigned int for monthday bit shift
2026-03-13 15:31:15 +01:00
xt_TPROXY.c
netfilter: xt_TPROXY: remove pr_debug invocations
2022-07-21 00:56:00 +02:00
xt_TRACE.c
netfilter: xtables: fix typo causing some targets not to load on IPv6
2024-10-21 11:31:26 +02:00
xt_u32.c
netfilter: xt_u32: validate user space input
2023-08-30 17:34:01 +02:00