netfilter: late backports from upstream
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2121393
This patch set fixes a myriad of bugs in netfilter.
Those are:
- re-enable conntrack expectation events. This is a regression in the 9.1 development cycle.
- netfilter: nf_tables: fix null deref due to zeroed list head. Fix crash during error unwinding if a memory allocation failed.
- A couple of patches to avoid nonsensical flags/combinations. In recent months there was a huge number of bug reports all caused by "creative" unsupported combinations, hence these patches to catch all of this as early as possible.
- Data coherency fixes; this could cause netlink dumps to miss the "intr" flag that signals that the dump is inconsistent.
- Fix crash in classic ebtables. While we don't ship this binary, the syscall interface is still there.
- nft_tproxy must not be used in the OUTPUT hook, but the check was missing. Using it in output results in a crash, i.e. this can't break existing setups.
- restrict the number of operations permitted on "implicit chains".
- fix a memory leak in br_netfilter when the skb already had a metadata dst assigned.
- tighten IRC DCC parsing; it was possible to make conntrack open a DNAT from a remote client by adding the "DCC" command to a PING; clients that reflected this text triggered the "DCC" port forward logic.
Signed-off-by: Florian Westphal <fwestpha@redhat.com>