[PATCH nf 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fails to register

2017-03-19 Thread fgao
From: Gao Feng 

In the commit ("netfilter: nf_conntrack: nf_conntrack snmp helper"),
the snmp_helper is replaced by nf_nat_snmp_hook. So the snmp_helper
is never registered. But it still tries to unregister the snmp_helper,
which could cause a panic.

Now remove the useless snmp_helper and the unregister call in the
error handler.

Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper")

Signed-off-by: Gao Feng 
---
 net/ipv4/netfilter/nf_nat_snmp_basic.c | 14 +-
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c 
b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index c9b52c3..5787364 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -1260,16 +1260,6 @@ static int help(struct sk_buff *skb, unsigned int 
protoff,
.timeout= 180,
 };
 
-static struct nf_conntrack_helper snmp_helper __read_mostly = {
-   .me = THIS_MODULE,
-   .help   = help,
-   .expect_policy  = _exp_policy,
-   .name   = "snmp",
-   .tuple.src.l3num= AF_INET,
-   .tuple.src.u.udp.port   = cpu_to_be16(SNMP_PORT),
-   .tuple.dst.protonum = IPPROTO_UDP,
-};
-
 static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
.me = THIS_MODULE,
.help   = help,
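Review bot: the removal of snmp_helper matches the changelog, but this hunk only shows the definition being deleted; confirm (a build will do it) that no other reference remains, in particular that the module exit path does not also call nf_conntrack_helper_unregister() on snmp_helper, otherwise the same unregister-of-a-never-registered-helper would just move from the init error path to module unload.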
@@ -1294,10 +1284,8 @@ static int __init nf_nat_snmp_basic_init(void)
RCU_INIT_POINTER(nf_nat_snmp_hook, help);
 
ret = nf_conntrack_helper_register(_trap_helper);
-   if (ret < 0) {
-   nf_conntrack_helper_unregister(_helper);
+   if (ret < 0)
return ret;
-   }
return ret;
 }
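Review bot: with the unregister gone, `if (ret < 0) return ret;` directly followed by `return ret;` is redundant; either drop the conditional or write the call as `return nf_conntrack_helper_register(&snmp_trap_helper);`. More importantly, the `RCU_INIT_POINTER(nf_nat_snmp_hook, help);` above the register call is not undone when registration fails, so a failed init leaves nf_nat_snmp_hook pointing at this module's help() while the module is about to be unloaded; reset the hook to NULL before returning the error.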
 
-- 
1.9.1


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-19 Thread Linus Lüssing
On Fri, Mar 17, 2017 at 02:10:44PM +0100, Pablo Neira Ayuso wrote:
> Wait.
> 
> May this break local multicast listeners that are bound to the bridge
> interface? Assuming the bridge interface got an IP address, and that
> there is a local multicast listener.
> 
> Missing anything here?

Hm, for multicast packets usually the code path a few lines
later in br_handle_frame_finish() should be taken instead.

But you might be right for IP multicast packets with a unicast MAC
destination (due to whatever reason, for instance via DNAT'ing
again).

Will check that - thanks!


[PATCH nf 3/5] netfilter: drop const qualifier from struct nf_conntrack_expect_policy

2017-03-19 Thread Liping Zhang
From: Liping Zhang 

So we can modify the nf_conntrack_expect_policy directly, the next patch
will need this.

Signed-off-by: Liping Zhang 
---
 include/net/netfilter/nf_conntrack_helper.h | 4 ++--
 net/ipv4/netfilter/nf_nat_snmp_basic.c  | 2 +-
 net/netfilter/nf_conntrack_amanda.c | 2 +-
 net/netfilter/nf_conntrack_expect.c | 2 +-
 net/netfilter/nf_conntrack_ftp.c| 2 +-
 net/netfilter/nf_conntrack_h323_main.c  | 6 +++---
 net/netfilter/nf_conntrack_helper.c | 2 +-
 net/netfilter/nf_conntrack_pptp.c   | 2 +-
 net/netfilter/nf_conntrack_sane.c   | 2 +-
 net/netfilter/nf_conntrack_sip.c| 2 +-
 net/netfilter/nf_conntrack_tftp.c   | 2 +-
 11 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_helper.h 
b/include/net/netfilter/nf_conntrack_helper.h
index 1eaac1f..621a404 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -27,7 +27,7 @@ struct nf_conntrack_helper {
 
char name[NF_CT_HELPER_NAME_LEN]; /* name of the module */
struct module *me;  /* pointer to self */
-   const struct nf_conntrack_expect_policy *expect_policy;
+   struct nf_conntrack_expect_policy *expect_policy;
 
/* length of internal data, ie. sizeof(struct nf_ct_*_master) */
size_t data_len;
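Review bot: dropping the const here moves every static in-kernel policy (snmp, amanda, ftp, h323 and the rest touched in this series) out of read-only data into writable memory, which widens what a memory-write primitive against conntrack can reach. Only the nfnetlink-created policies need to be writable for the in-place update in the next patch; consider keeping `const` in the helper struct and nf_ct_helper_init(), and either carrying a separate non-const pointer for userspace helpers or casting away constness at the single nfnetlink update site, rather than relaxing the type for all helpers.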
@@ -61,7 +61,7 @@ struct nf_conntrack_helper 
*nf_conntrack_helper_try_module_get(const char *name,
 void nf_ct_helper_init(struct nf_conntrack_helper *helper,
   u16 l3num, u16 protonum, const char *name,
   u16 default_port, u16 spec_port, u32 id,
-  const struct nf_conntrack_expect_policy *exp_pol,
+  struct nf_conntrack_expect_policy *exp_pol,
   u32 expect_class_max, u32 data_len,
   int (*help)(struct sk_buff *skb, unsigned int protoff,
   struct nf_conn *ct,
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c 
b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index c9b52c3..5f32532 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -1255,7 +1255,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
return ret;
 }
 
-static const struct nf_conntrack_expect_policy snmp_exp_policy = {
+static struct nf_conntrack_expect_policy snmp_exp_policy = {
.max_expected   = 0,
.timeout= 180,
 };
diff --git a/net/netfilter/nf_conntrack_amanda.c 
b/net/netfilter/nf_conntrack_amanda.c
index 57a26cc..fbf9f59 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -167,7 +167,7 @@ static int amanda_help(struct sk_buff *skb,
return ret;
 }
 
-static const struct nf_conntrack_expect_policy amanda_exp_policy = {
+static struct nf_conntrack_expect_policy amanda_exp_policy = {
.max_expected   = 3,
.timeout= 180,
 };
diff --git a/net/netfilter/nf_conntrack_expect.c 
b/net/netfilter/nf_conntrack_expect.c
index 4b2e1fb..2d81122 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -402,7 +402,7 @@ static void evict_oldest_expect(struct nf_conn *master,
 
 static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 {
-   const struct nf_conntrack_expect_policy *p;
+   struct nf_conntrack_expect_policy *p;
struct nf_conntrack_expect *i;
struct nf_conn *master = expect->master;
struct nf_conn_help *master_help = nfct_help(master);
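Review bot: a `const struct nf_conntrack_expect_policy *p` can still be initialised from the now non-const `helper->expect_policy`, so the change to `p` in __nf_ct_expect_check() is only needed if the function writes through `p` further down; if it only reads max_expected and timeout, keep the `const` so the compiler continues to enforce read-only use on this hot path.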
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 4aecef4..ad51dd3 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -561,7 +561,7 @@ static int nf_ct_ftp_from_nlattr(struct nlattr *attr, 
struct nf_conn *ct)
 
 static struct nf_conntrack_helper ftp[MAX_PORTS * 2] __read_mostly;
 
-static const struct nf_conntrack_expect_policy ftp_exp_policy = {
+static struct nf_conntrack_expect_policy ftp_exp_policy = {
.max_expected   = 1,
.timeout= 5 * 60,
 };
diff --git a/net/netfilter/nf_conntrack_h323_main.c 
b/net/netfilter/nf_conntrack_h323_main.c
index f65d936..2223c57 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -629,7 +629,7 @@ static int h245_help(struct sk_buff *skb, unsigned int 
protoff,
 }
 
 //
-static const struct nf_conntrack_expect_policy h245_exp_policy = {
+static struct nf_conntrack_expect_policy h245_exp_policy = {
.max_expected   = H323_RTP_CHANNEL_MAX * 4 + 2 /* T.120 */,
.timeout= 240,
 };
@@ -1205,7 +1205,7 @@ static int q931_help(struct sk_buff *skb, unsigned int 
protoff,
 }
 
 

[PATCH nf 1/5] netfilter: nfnl_cthelper: don't report error if NFCTH_PRIV_DATA_LEN is empty

2017-03-19 Thread Liping Zhang
From: Liping Zhang 

Currently, when we create cthelper via nfnetlink, -EINVAL will be
returned if the NFCTH_PRIV_DATA_LEN attribute is empty.

But forcing the user to specify the NFCTH_PRIV_DATA_LEN attr seems
unnecessary, so it's better to set the helper->data_len to zero if
the NFCTH_PRIV_DATA_LEN attribute is empty.

Found by running example program from libnetfilter_cthelper:
  # ./libnetfilter_cthelper/examples/nfct-helper-add test 1
  error: Invalid argument

Signed-off-by: Liping Zhang 
---
 net/netfilter/nfnetlink_cthelper.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nfnetlink_cthelper.c 
b/net/netfilter/nfnetlink_cthelper.c
index 2defe73..9c24301 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -205,7 +205,7 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
struct nf_conntrack_helper *helper;
int ret;
 
-   if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN])
+   if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY])
return -EINVAL;
 
helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
@@ -217,7 +217,8 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
goto err1;
 
strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
-   helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
+   if (tb[NFCTH_PRIV_DATA_LEN])
+   helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
helper->flags |= NF_CT_HELPER_F_USERSPACE;
memcpy(>tuple, tuple, sizeof(struct nf_conntrack_tuple));
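Review bot: the conditional is correct because `helper` comes from kzalloc() in the previous hunk, so data_len is already zero when the attribute is absent. Two follow-ups: the uapi documentation for nfnetlink_cthelper should now state that NFCTH_PRIV_DATA_LEN is optional, and no upper bound on the user-supplied data_len is visible in this hunk; if none exists elsewhere, one should be added, since this value sizes the per-connection helper data allocated for every tracked connection that uses the helper.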
 
-- 
2.5.5




[PATCH nf 4/5] netfilter: nfnl_cthelper: fix memory leak when do update

2017-03-19 Thread Liping Zhang
From: Liping Zhang 

When invoking nfnl_cthelper_update, we will malloc a new expect_policy,
then only point the helper->expect_policy to the new one but ignore
the old one, so it will be leaked forever.

Another issue is that the user can modify the expect_class_max to a
new value, for example, decrease the expect_class_max from 3 to 0.
Then, exp->class created by ctnetlink_alloc_expect may become invalid,
and an out-of-bounds access will happen.

So keep it simple: when updating the cthelper, reject modifying the
expect_class_max, and we can modify the struct nf_conntrack_expect_policy
directly instead of allocating a new object, then the memory leak does not
exist anymore.

Signed-off-by: Liping Zhang 
---
 net/netfilter/nfnetlink_cthelper.c | 35 +++
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/net/netfilter/nfnetlink_cthelper.c 
b/net/netfilter/nfnetlink_cthelper.c
index cc70dd5..fc4733f 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -156,7 +156,7 @@ nfnl_cthelper_expect_policy_set[NFCTH_POLICY_SET_MAX+1] = {
 
 static int
 nfnl_cthelper_parse_expect_policy(struct nf_conntrack_helper *helper,
- const struct nlattr *attr)
+ const struct nlattr *attr, bool update)
 {
int i, ret;
struct nf_conntrack_expect_policy *expect_policy;
@@ -172,15 +172,23 @@ nfnl_cthelper_parse_expect_policy(struct 
nf_conntrack_helper *helper,
return -EINVAL;
 
class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
-   if (class_max == 0)
-   return -EINVAL;
-   if (class_max > NF_CT_MAX_EXPECT_CLASSES)
-   return -EOVERFLOW;
 
-   expect_policy = kzalloc(sizeof(struct nf_conntrack_expect_policy) *
-   class_max, GFP_KERNEL);
-   if (expect_policy == NULL)
-   return -ENOMEM;
+   if (update) {
+   if (helper->expect_class_max + 1 != class_max)
+   return -EINVAL;
+
+   expect_policy = helper->expect_policy;
+   } else {
+   if (class_max == 0)
+   return -EINVAL;
+   if (class_max > NF_CT_MAX_EXPECT_CLASSES)
+   return -EOVERFLOW;
+
+   expect_policy = kcalloc(class_max, sizeof(*expect_policy),
+   GFP_KERNEL);
+   if (expect_policy == NULL)
+   return -ENOMEM;
+   }
 
for (i = 0; i < class_max; i++) {
if (!tb[NFCTH_POLICY_SET+i])
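Review bot: in the `update` branch the loop below writes the new values straight into `helper->expect_policy`, which is the live array read by the expectation code, and the `goto err` on a missing NFCTH_POLICY_SET+i attribute leaves it partially overwritten. Validate that all class_max attributes are present (or parse them into a local copy) before touching the live policy, so a malformed update cannot leave the helper with a mix of old and new timeout and max_expected values. The `helper->expect_class_max + 1 != class_max` check also relies on expect_class_max being stored as the highest class index rather than the count; a one-line comment would save the next reader from re-deriving that.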
@@ -196,7 +204,8 @@ nfnl_cthelper_parse_expect_policy(struct 
nf_conntrack_helper *helper,
helper->expect_policy = expect_policy;
return 0;
 err:
-   kfree(expect_policy);
+   if (!update)
+   kfree(expect_policy);
return -EINVAL;
 }
 
@@ -214,7 +223,8 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
if (helper == NULL)
return -ENOMEM;
 
-   ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
+   ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY],
+   false);
if (ret < 0)
goto err1;
 
@@ -269,7 +279,8 @@ nfnl_cthelper_update(const struct nlattr * const tb[],
 
if (tb[NFCTH_POLICY]) {
ret = nfnl_cthelper_parse_expect_policy(helper,
-   tb[NFCTH_POLICY]);
+   tb[NFCTH_POLICY],
+   true);
if (ret < 0)
return ret;
}
-- 
2.5.5




[PATCH libnetfilter_cthelper] examples: fix double free in nfct-helper-add

2017-03-19 Thread Liping Zhang
From: Liping Zhang 

After inputting the following test command, a core dump happened:
  # ./examples/nfct-helper-add test 1
  *** Error in
 `.../libnetfilter_cthelper/examples/.libs/lt-nfct-helper-add':
  double free or corruption (fasttop): 0x01f3c070 ***
  === Backtrace: =
  /lib64/libc.so.6(+0x77de5)[0x7fd9ebe88de5]
  /lib64/libc.so.6(+0x8022a)[0x7fd9ebe9122a]
  /lib64/libc.so.6(cfree+0x4c)[0x7fd9ebe9478c]
  [...]

Because "struct nfct_helper_policy *p" had been freed by nfct_helper_free,
there's no need to invoke nfct_helper_policy_free again, otherwise a
double free error will happen.

Signed-off-by: Liping Zhang 
---
 examples/nfct-helper-add.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/nfct-helper-add.c b/examples/nfct-helper-add.c
index 6c47626..cb7291e 100644
--- a/examples/nfct-helper-add.c
+++ b/examples/nfct-helper-add.c
@@ -32,6 +32,7 @@ int main(int argc, char *argv[])
nfct_helper_attr_set_u16(nfct_helper, NFCTH_ATTR_PROTO_L3NUM, AF_INET);
nfct_helper_attr_set_u8(nfct_helper, NFCTH_ATTR_PROTO_L4NUM, 
IPPROTO_TCP);
 
+   /* Will be freed by nfct_helper_free. */
p = nfct_helper_policy_alloc();
if (p == NULL) {
perror("OOM");
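Review bot: the new comment holds only once `p` has been attached to `nfct_helper` through the policy attribute; on any early exit between this allocation and that attach, `p` still has to be released explicitly, otherwise the fix trades the double free for a leak on the error path. If the example simply exits on error anyway, say so in the comment so the ownership rule is clear to readers copying this into long-running code.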
@@ -49,7 +50,6 @@ int main(int argc, char *argv[])
nfct_helper_nlmsg_build_payload(nlh, nfct_helper);
 
nfct_helper_free(nfct_helper);
-   nfct_helper_policy_free(p);
 
nl = mnl_socket_open(NETLINK_NETFILTER);
if (nl == NULL) {
-- 
2.5.5




[PATCH nf 5/5] netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table

2017-03-19 Thread Liping Zhang
From: Liping Zhang 

The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while
nfct_helper operation is protected by nfnl_lock(NFNL_SUBSYS_CTHELPER).
So it's possible that one CPU is walking the nf_ct_helper_hash for
cthelper add/get/del while another CPU is doing nf_conntrack_helpers_unregister
at the same time. This is dangerous, and may cause a use-after-free error.

Note, the delete operation will flush all cthelpers added via nfnetlink, so
using RCU to protect this is not easy.

Now introduce a dummy list to record all the cthelpers added via
nfnetlink, then we can walk the dummy list instead of walking the
nf_ct_helper_hash. Also, keep nfnl_cthelper_dump_table unchanged, it
may be invoked without nfnl_lock(NFNL_SUBSYS_CTHELPER) held.

Signed-off-by: Liping Zhang 
---
 net/netfilter/nfnetlink_cthelper.c | 176 +++--
 1 file changed, 89 insertions(+), 87 deletions(-)

diff --git a/net/netfilter/nfnetlink_cthelper.c 
b/net/netfilter/nfnetlink_cthelper.c
index fc4733f..47424ec 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -32,6 +32,13 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Pablo Neira Ayuso ");
 MODULE_DESCRIPTION("nfnl_cthelper: User-space connection tracking helpers");
 
+struct nfnl_cthelper {
+   struct list_headlist;
+   struct nf_conntrack_helper  *helper;
+};
+
+static LIST_HEAD(nfnl_cthelper_list);
+
 static int
 nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct, enum ip_conntrack_info ctinfo)
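Review bot: `nfnl_cthelper_list` is a new global with no comment stating which lock serialises it; per the changelog that is nfnl_lock(NFNL_SUBSYS_CTHELPER), so document that next to the LIST_HEAD (and consider a lockdep assertion in the walkers) so that a future caller, such as the dump path the changelog deliberately keeps on the hash walk, does not traverse it unlocked.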
@@ -214,14 +221,21 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
 struct nf_conntrack_tuple *tuple)
 {
struct nf_conntrack_helper *helper;
+   struct nfnl_cthelper *nfcth;
int ret;
 
if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY])
return -EINVAL;
 
+   nfcth = kmalloc(sizeof(struct nfnl_cthelper), GFP_KERNEL);
+   if (nfcth == NULL)
+   return -ENOMEM;
+
helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
-   if (helper == NULL)
+   if (helper == NULL) {
+   kfree(nfcth);
return -ENOMEM;
+   }
 
ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY],
false);
@@ -260,10 +274,13 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
if (ret < 0)
goto err2;
 
+   nfcth->helper = helper;
+   list_add_tail(>list, _cthelper_list);
return 0;
 err2:
kfree(helper->expect_policy);
 err1:
+   kfree(nfcth);
kfree(helper);
return ret;
 }
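Review bot: adding the node to the list only after every registration step succeeds is the right order, but the matching removal is not in this excerpt; the delete and flush paths must list_del() the `nfnl_cthelper` node and kfree() it before the helper it points to is unregistered and freed, otherwise the list keeps a dangling pointer, which is exactly the use-after-free class this series sets out to remove.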
@@ -309,7 +326,8 @@ static int nfnl_cthelper_new(struct net *net, struct sock 
*nfnl,
const char *helper_name;
struct nf_conntrack_helper *cur, *helper = NULL;
struct nf_conntrack_tuple tuple;
-   int ret = 0, i;
+   struct nfnl_cthelper *nlcth;
+   int ret = 0;
 
if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
return -EINVAL;
@@ -320,28 +338,22 @@ static int nfnl_cthelper_new(struct net *net, struct sock 
*nfnl,
if (ret < 0)
return ret;
 
-   for (i = 0; i < nf_ct_helper_hsize && !helper; i++) {
-   hlist_for_each_entry(cur, _ct_helper_hash[i], hnode) {
-
-   /* skip non-userspace conntrack helpers. */
-   if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
-   continue;
+   list_for_each_entry(nlcth, _cthelper_list, list) {
+   cur = nlcth->helper;
 
-   if (strncmp(cur->name, helper_name,
-   NF_CT_HELPER_NAME_LEN) != 0)
-   continue;
+   if (strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
+   continue;
 
-   if ((tuple.src.l3num != cur->tuple.src.l3num ||
-tuple.dst.protonum != cur->tuple.dst.protonum))
-   continue;
+   if ((tuple.src.l3num != cur->tuple.src.l3num ||
+tuple.dst.protonum != cur->tuple.dst.protonum))
+   continue;
 
-   if (nlh->nlmsg_flags & NLM_F_EXCL) {
-   ret = -EEXIST;
-   goto err;
-   }
-   helper = cur;
-   break;
+   if (nlh->nlmsg_flags & NLM_F_EXCL) {
+   ret = -EEXIST;
+   goto err;
}
+   helper = cur;
+   break;
}
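Review bot: walking `nfnl_cthelper_list` makes the old `NF_CT_HELPER_F_USERSPACE` filter implicit, since only nfnetlink-created helpers are ever put on the list; a one-line comment would stop the dropped check from reading like a lost condition. Style: the doubled parentheses in `if ((tuple.src.l3num != cur->tuple.src.l3num || ...))` were carried over from the old code and can go.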
 
if (helper == NULL)
@@ -513,11 +525,12 @@ static int nfnl_cthelper_get(struct net *net, struct sock 
*nfnl,
 struct sk_buff *skb, const struct 

[PATCH nf 0/5] netfilter: nfnl_cthelper: fix some bugs

2017-03-19 Thread Liping Zhang
From: Liping Zhang 

This patch set aims to fix some bugs related to nfnetlink_cthelper.
They are:
1. if NFCTH_PRIV_DATA_LEN attr is empty, we cannot create a cthelper
   via nfnetlink
2. helper->expect_class_max is incorrect
3. when updating cthelper via nfnetlink, a memory leak will happen. It's
   ok to modify the nf_conntrack_expect_policy directly when doing the update,
   but dropping the const qualifier is required
4. introduce a dummy list to fix a race when operating on nfnl_cthelper

Note, the patch set is based on these three patches which have not
been applied or shown in the nf picktree:
http://patchwork.ozlabs.org/patch/740302/
http://patchwork.ozlabs.org/patch/740300/
http://patchwork.ozlabs.org/patch/739509/

Liping Zhang (5):
  netfilter: nfnl_cthelper: don't report error if NFCTH_PRIV_DATA_LEN is
empty
  netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
  netfilter: drop const qualifier from struct nf_conntrack_expect_policy
  netfilter: nfnl_cthelper: fix memory leak when do update
  netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash
table

 include/net/netfilter/nf_conntrack_helper.h |   4 +-
 net/ipv4/netfilter/nf_nat_snmp_basic.c  |   2 +-
 net/netfilter/nf_conntrack_amanda.c |   2 +-
 net/netfilter/nf_conntrack_expect.c |   2 +-
 net/netfilter/nf_conntrack_ftp.c|   2 +-
 net/netfilter/nf_conntrack_h323_main.c  |   6 +-
 net/netfilter/nf_conntrack_helper.c |   2 +-
 net/netfilter/nf_conntrack_pptp.c   |   2 +-
 net/netfilter/nf_conntrack_sane.c   |   2 +-
 net/netfilter/nf_conntrack_sip.c|   2 +-
 net/netfilter/nf_conntrack_tftp.c   |   2 +-
 net/netfilter/nfnetlink_cthelper.c  | 226 +++-
 12 files changed, 135 insertions(+), 119 deletions(-)

-- 
2.5.5




ANNOUNCE: New talk accepted! Droplet: DDoS countermeasures powered by BPF + XDP

2017-03-19 Thread Jamal Hadi Salim

I am going to keep netfilter and wireless lists on for now unless I hear
more objections. We will be doing about one a day from now until about
the time of the conference.

The tech committee would like to announce a new accepted talk.

Huapeng Zhou, Doug Porter, Ryan Tierney and Nikita Shirokov
are going to give a talk on Droplet which is used at Facebook
to plug in DDoS countermeasures.

More details:

Droplet is a generic framework to implement bpf policers to drop
packets at the earliest stage in the networking stack, preferably at
line rate. It's born for anti-DDoS and is the preferred infrastructure
at Facebook to plug in DDoS countermeasures. This talk presents the
overall architecture of Droplet and discusses a few issues in
developing and rolling out the software.

At a high level, Droplet takes bpf policer code written in restricted C
syntax, compiles it at runtime and hooks it into the kernel. The
framework abstracts out interactions between user space and kernel
space so the end user only needs to write policer code. It could chain
bpf programs together so we get multiple active DDoS countermeasures at
the same time. The policer code is shipped as configuration, which
enables fast response time when under active attacks.


cheers,
jamal


Re: [NetDev] [NetDev-tech] ANNOUNCE: New sponsor Netronome

2017-03-19 Thread Alexander Alemayhu
On Sat, Mar 18, 2017 at 09:56:36PM -0400, Jamal Hadi Salim wrote:
> 
> Note: this discussion already has generated more traffic
> than a few days worth of announcements ;->
>

IIRC Hajime always added links to the site in his announcements, which
made it easy to look up netdev. Maybe adding some lines about netdev to
all emails would reduce confusion? Suspect not everyone subscribed to
these lists knows what netdev is.

Don't consider these emails spam at all :)

Thanks.

-- 
Mit freundlichen Grüßen

Alexander Alemayhu