Maxim Mikityanskiy 932b32ffd7 netfilter: socket: Lookup orig tuple for IPv6 SNAT
nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to
restore the original 5-tuple in case of SNAT, to be able to find the
right socket (if any). Then socket_match() can correctly check whether
the socket was transparent.

However, the IPv6 counterpart (nf_sk_lookup_slow_v6) lacks this
conntrack lookup, making xt_socket fail to match on the socket when the
packet was SNATed. Add the same logic to nf_sk_lookup_slow_v6.

IPv6 SNAT is used in Kubernetes clusters for pod-to-world packets, as
pods' addresses are in the fd00::/8 ULA subnet and need to be replaced
with the node's external address. Cilium leverages Envoy to enforce L7
policies, and Envoy uses transparent sockets. Cilium inserts an iptables
prerouting rule that matches on `-m socket --transparent` and redirects
the packets to localhost, but it fails to match SNATed IPv6 packets due
to that missing conntrack lookup.

Closes: https://github.com/cilium/cilium/issues/37932
Fixes: eb31628e37 ("netfilter: nf_tables: Add support for IPv6 NAT")
Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2025-03-23 10:53:47 +01:00
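The orig-tuple lookup described in the commit message, modelled in user space as an added example (this is not the kernel's nf_sk_lookup_slow_v6 code; the struct and function names are invented, and the IPv6 addresses are constructed sample values):

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
struct tuple { const char *saddr; int sport; const char *daddr; int dport; };
/* conntrack entry: tuple as first seen (orig) and the reply tuple after SNAT */
struct ct_entry { struct tuple orig, reply; bool src_nat_done; };
/* locally bound socket; 'transparent' stands in for IP(V6)_TRANSPARENT */
struct sock { const char *laddr; int lport; bool transparent; };

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->sport == b->sport && a->dport == b->dport &&
           !strcmp(a->saddr, b->saddr) && !strcmp(a->daddr, b->daddr);
}

/* Model of the "-m socket --transparent" decision for an incoming packet.
 * With do_ct_lookup == false it behaves like the old IPv6 path: the socket
 * is searched by the post-SNAT destination and is never found. */
bool match_transparent(const struct tuple *pkt, bool do_ct_lookup,
                       const struct ct_entry *ct, size_t nct,
                       const struct sock *sks, size_t nsk)
{
    const char *daddr = pkt->daddr;
    int dport = pkt->dport;
    /* reply direction of an SNATed flow: restore the pre-SNAT destination */
    for (size_t i = 0; do_ct_lookup && i < nct; i++)
        if (ct[i].src_nat_done && tuple_eq(pkt, &ct[i].reply)) {
            daddr = ct[i].orig.saddr;
            dport = ct[i].orig.sport;
            break;
        }
    for (size_t i = 0; i < nsk; i++)
        if (sks[i].lport == dport && !strcmp(sks[i].laddr, daddr))
            return sks[i].transparent;
    return false; /* no socket owns this flow: the rule does not match */
}

/* Constructed sample: pod fd00::1:40000 talks to 2001:db8::1:443 through a
 * transparent socket; the node SNATs the pod's source to 2001:db8::100. */
static const struct ct_entry sample_ct[] = {{
    .orig = {"fd00::1", 40000, "2001:db8::1", 443},
    .reply = {"2001:db8::1", 443, "2001:db8::100", 40000},
    .src_nat_done = true }};
static const struct sock sample_sks[] = {{"fd00::1", 40000, true}};
static const struct tuple sample_reply = {"2001:db8::1", 443, "2001:db8::100", 40000};

/* does the rule match the SNATed reply, with or without the conntrack lookup? */
bool sample_reply_matches(bool do_ct_lookup)
{
    return match_transparent(&sample_reply, do_ct_lookup, sample_ct, 1, sample_sks, 1);
}
```

Without the conntrack step the reply is looked up under the node's address and finds no socket, which is the failure the commit describes for IPv6.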

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems that may result from upgrading your kernel.