refs/heads/testing - pub/scm/linux/kernel/git/fwestphal/nf-next

commit: 0c82f2d6a4032a3cd3bc73599f20618958578fc5
[log] [tgz]
author: Florian Westphal <fw@strlen.de>
Tue Mar 10 00:26:46 2026 +0100
committer: Florian Westphal <fw@strlen.de>
Wed Mar 11 22:26:52 2026 +0100
tree: 259dba20df1f914d1b0795fac23a4b04b3436d42
parent: 9e310de8b0452edcf88c6409ae57f3b120d9ca23 [diff]

netfilter: add more netlink-based policy range checks

These spots either already check the attribute range manually
before use or the consuming functions tolerate unexpected values.

Nevertheless, add more range checks via netlink policy so we gain
more users and avoid possible re-use in other places that might
not have the required manual checks.  This also improves error
reporting: netlink core can generate extack errors.

Signed-off-by: Florian Westphal <fw@strlen.de>

include/uapi/linux/netfilter/nf_conntrack_common.h[diff]
net/netfilter/ipset/ip_set_core.c[diff]
net/netfilter/nf_conntrack_netlink.c[diff]
net/netfilter/nf_conntrack_proto_tcp.c[diff]
net/netfilter/nf_tables_api.c[diff]
net/netfilter/nfnetlink_acct.c[diff]
net/netfilter/nfnetlink_cthelper.c[diff]
net/netfilter/nfnetlink_hook.c[diff]
net/netfilter/nfnetlink_log.c[diff]
net/netfilter/nfnetlink_queue.c[diff]
net/netfilter/nft_compat.c[diff]
net/netfilter/nft_connlimit.c[diff]
net/netfilter/nft_ct.c[diff]
net/netfilter/nft_dynset.c[diff]
net/netfilter/nft_exthdr.c[diff]
net/netfilter/nft_inner.c[diff]
net/netfilter/nft_limit.c[diff]
net/netfilter/nft_log.c[diff]
net/netfilter/nft_osf.c[diff]
net/netfilter/nft_payload.c[diff]
net/netfilter/nft_queue.c[diff]
net/netfilter/nft_quota.c[diff]
net/netfilter/nft_synproxy.c[diff]
net/netfilter/nft_tunnel.c[diff]
net/netfilter/nft_xfrm.c[diff]

25 files changed

tree: 259dba20df1f914d1b0795fac23a4b04b3436d42