[PATCH net-next v2] netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460
ipv6_defrag pulls network headers before fragment header. In case of an error, the netfilter layer is currently dropping these packets. This results in failure of some IPv6 standards tests which passed on older kernels due to the netfilter framework using cloning. The test case run here is a check for ICMPv6 error message replies when some invalid IPv6 fragments are sent. This specific test case is listed in https://www.ipv6ready.org/docs/Core_Conformance_Latest.pdf in the Extension Header Processing Order section. A packet with unrecognized option Type 11 is sent and the test expects an ICMP error in line with RFC2460 section 4.2 - 11 - discard the packet and, only if the packet's Destination Address was not a multicast address, send an ICMP Parameter Problem, Code 2, message to the packet's Source Address, pointing to the unrecognized Option Type. Since netfilter layer now drops all invalid IPv6 frag packets, we no longer see the ICMP error message and fail the test case. To fix this, save the transport header . If defrag is unable to process the packet due to RFC2460, restore the transport header and allow packet to be processed by stack. There is no change for other packet processing paths. Tested by confirming that stack sends an ICMP error when it receives these packets. Also tested that fragmented ICMP pings succeed. v1->v2: Instead of cloning always, save the transport_header and restore it in case of this specific error. Update the title and commit message accordingly. Signed-off-by: Subash Abhinov Kasiviswanathan--- net/ipv6/netfilter/nf_conntrack_reasm.c | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 977d890..ce53dcf 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -231,7 +231,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, if ((unsigned int)end > IPV6_MAXPLEN) { pr_debug("offset is too large.\n"); - return -1; + return -EINVAL; } ecn = ip6_frag_ecn(ipv6_hdr(skb)); @@ -264,7 +264,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, * this case. -DaveM */ pr_debug("end of fragment not rounded to 8 bytes.\n"); - return -1; + return -EPROTO; } if (end > fq->q.len) { /* Some bits beyond end -> corruption. */ @@ -358,7 +358,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, discard_fq: inet_frag_kill(>q, _frags); err: - return -1; + return -EINVAL; } /* @@ -567,6 +567,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) { + u16 savethdr = skb->transport_header; struct net_device *dev = skb->dev; int fhoff, nhoff, ret; struct frag_hdr *fhdr; @@ -600,8 +601,12 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) spin_lock_bh(>q.lock); - if (nf_ct_frag6_queue(fq, skb, fhdr, nhoff) < 0) { - ret = -EINVAL; + ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff); + if (ret < 0) { + if (ret == -EPROTO) { + skb->transport_header = savethdr; + ret = 0; + } goto out_unlock; } -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[ulog2] Plugin ulogd_filter_HTTPSNIFF proposal
I created a filter plugin for ulogd2 that does retrieve informations from HTTP request, it is similar to ulogd_filter_PWSNIFF (on which the code is based) which allows to monitor/log HTTP requests sent/recieved by the system. Other solutions based on PCAP allows to log HTTP queries but not along with informations such as the UID that did sent the packet which can be useful to which users are executing virus/hacked scripts. Output of "ulogd --info ulogd_filter_HTTPSNIFF.so" : Input keys: Key: raw.pkt (raw data) Output keys: Key: httpsniff.host (string) Key: httpsniff.uri (string) Key: httpsniff.method (unsigned int 8) The code is available at : https://github.com/jb-boin/ulogd_filter_HTTPSNIFF It requires both https://bugzilla.netfilter.org/show_bug.cgi?id=1192 and https://bugzilla.netfilter.org/show_bug.cgi?id=1193 to be fixed for it to work correctly. I included proposed patchs for those two bugs. I have been using it with a MariaDB output for about 3 months on more than 30 Debian Jessie hosts, ulogd2 compiled as packages using the Debian Stretch 2.0.5-5 source package and i didnt hit any issue so far. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] netfilter: nf_tables: flow_offload depends on flow_table
Without CONFIG_NF_FLOW_TABLE, the new nft_flow_offload module produces a link error: net/netfilter/nft_flow_offload.o: In function `nft_flow_offload_iterate_cleanup': nft_flow_offload.c:(.text+0xb0): undefined reference to `nf_flow_table_iterate' net/netfilter/nft_flow_offload.o: In function `flow_offload_iterate_cleanup': nft_flow_offload.c:(.text+0x160): undefined reference to `flow_offload_dead' net/netfilter/nft_flow_offload.o: In function `nft_flow_offload_eval': nft_flow_offload.c:(.text+0xc4c): undefined reference to `flow_offload_alloc' nft_flow_offload.c:(.text+0xc64): undefined reference to `flow_offload_add' nft_flow_offload.c:(.text+0xc94): undefined reference to `flow_offload_free' This adds a Kconfig dependency for it. Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression") Signed-off-by: Arnd Bergmann--- net/netfilter/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index ea447826e127..9019fa98003d 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -506,7 +506,7 @@ config NFT_CT connection tracking information such as the flow state. config NFT_FLOW_OFFLOAD - depends on NF_CONNTRACK + depends on NF_CONNTRACK && NF_FLOW_TABLE tristate "Netfilter nf_tables hardware flow offload module" help This option adds the "flow_offload" expression that you can use to -- 2.9.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v3] netfilter : add NAT support for shifted portmap ranges
This is a patch proposal to support shifted ranges in portmaps. (i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100) Currently DNAT only works for single port or identical port ranges. (i.e. ports 5000-5100 on WAN interface redirected to a LAN host while original destination port is not altered) When different port ranges are configured, either 'random' mode should be used, or else all incoming connections are mapped onto the first port in the redirect range. (in described example WAN:5000-5100 will all be mapped to 192.168.1.5:2000) This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET which uses a base port value to calculate an offset with the destination port present in the incoming stream. That offset is then applied as index within the redirect port range (index modulo rangewidth to handle range overflow). In described example the base port would be 5000. An incoming stream with destination port 5004 would result in an offset value 4 which means that the NAT'ed stream will be using destination port 2004. Other possibilities include deterministic mapping of larger or multiple ranges to a smaller range : WAN:5000-5999 -> LAN:5000-5099 (maps WAN port 5*xx to port 51xx) This patch does not change any current behavior. It just adds new NAT proto range functionality which must be selected via the specific flag when intended to use. A patch for iptables (libipt_DNAT.c) will also be proposed which makes this functionality immediately available. Signed-off-by: Thierry Du Tre--- Changes in v3: - use nf_nat_range as name for updated struct, renamed existing nf_nat_range to nf_nat_range1 - reverted all nf_nat_range2 occurences Changes in v2: - added new revision for SNAT and DNAT targets to support the new base port variable in struct nf_nat_range2 - replaced all occurences of struct nf_nat_range with struct nf_nat_range2 include/uapi/linux/netfilter/nf_nat.h | 12 +++- net/netfilter/nf_nat_core.c | 9 +++--- net/netfilter/nf_nat_proto_common.c | 5 ++- net/netfilter/xt_nat.c| 58 ++- 4 files changed, 77 insertions(+), 7 deletions(-) diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h index a33000d..0fa792a 100644 --- a/include/uapi/linux/netfilter/nf_nat.h +++ b/include/uapi/linux/netfilter/nf_nat.h @@ -10,6 +10,7 @@ #define NF_NAT_RANGE_PROTO_RANDOM (1 << 2) #define NF_NAT_RANGE_PERSISTENT(1 << 3) #define NF_NAT_RANGE_PROTO_RANDOM_FULLY(1 << 4) +#define NF_NAT_RANGE_PROTO_OFFSET (1 << 5) #define NF_NAT_RANGE_PROTO_RANDOM_ALL \ (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY) @@ -17,7 +18,7 @@ #define NF_NAT_RANGE_MASK \ (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED | \ NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT | \ -NF_NAT_RANGE_PROTO_RANDOM_FULLY) +NF_NAT_RANGE_PROTO_RANDOM_FULLY | NF_NAT_RANGE_PROTO_OFFSET) struct nf_nat_ipv4_range { unsigned intflags; @@ -32,12 +33,21 @@ struct nf_nat_ipv4_multi_range_compat { struct nf_nat_ipv4_rangerange[1]; }; +struct nf_nat_range1 { + unsigned intflags; + union nf_inet_addr min_addr; + union nf_inet_addr max_addr; + union nf_conntrack_man_protomin_proto; + union nf_conntrack_man_protomax_proto; +}; + struct nf_nat_range { unsigned intflags; union nf_inet_addr min_addr; union nf_inet_addr max_addr; union nf_conntrack_man_protomin_proto; union nf_conntrack_man_protomax_proto; + union nf_conntrack_man_protobase_proto; }; #endif /* _NETFILTER_NF_NAT_H */ diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index af8345f..de5c327 100644 --- a/net/netfilter/nf_nat_core.c +++ b/net/netfilter/nf_nat_core.c @@ -347,9 +347,10 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, /* Only bother mapping if it's not already in range and unique */ if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) { if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - if (l4proto->in_range(tuple, maniptype, - >min_proto, - >max_proto) && + if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) && + l4proto->in_range(tuple, maniptype, + >min_proto, + >max_proto) && (range->min_proto.all == range->max_proto.all ||
[PATCH RFC nft] src: ct: add connection counting support
This adds support for a native connlimit replacement. It re-uses nftables concatenation support and thus allows using any key combinations supported by nftables. Because counting is expensive, it is useful to limit this to new connections only. Example: ct state new ct count { ip saddr . tcp dport } gt 10 drop TODO: man page entry. NB: This uses {} to separate ct count statement from grouping to avoid shift/reduce conflicts in the parser, unlike fib we do not have distinct 'end marker' available. Signed-off-by: Florian Westphal--- include/expression.h| 1 + include/linux/netfilter/nf_tables.h | 1 + src/ct.c| 12 src/evaluate.c | 7 +++ src/netlink_delinearize.c | 24 src/netlink_linearize.c | 12 src/parser_bison.y | 5 + tests/py/inet/ct.t | 2 ++ tests/py/inet/ct.t.payload | 16 9 files changed, 80 insertions(+) diff --git a/include/expression.h b/include/expression.h index 0a0e178fe468..b80d081b1595 100644 --- a/include/expression.h +++ b/include/expression.h @@ -303,6 +303,7 @@ struct expr { enum proto_basesbase; int8_t direction; uint8_t nfproto; + struct expr *expr; } ct; struct { /* EXPR_NUMGEN */ diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index a3ee277b17a1..695e307e6e8e 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -929,6 +929,7 @@ enum nft_ct_keys { NFT_CT_AVGPKT, NFT_CT_ZONE, NFT_CT_EVENTMASK, + NFT_CT_COUNT, }; /** diff --git a/src/ct.c b/src/ct.c index d5347974bd0d..ffa5fb70154a 100644 --- a/src/ct.c +++ b/src/ct.c @@ -269,6 +269,8 @@ static const struct ct_template ct_templates[] = { BYTEORDER_HOST_ENDIAN, 16), [NFT_CT_EVENTMASK] = CT_TEMPLATE("event", _event_type, BYTEORDER_HOST_ENDIAN, 32), + [NFT_CT_COUNT] = CT_TEMPLATE("count", _type, + BYTEORDER_HOST_ENDIAN, 32), }; static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto, @@ -306,6 +308,16 @@ static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto, static void ct_expr_print(const struct expr *expr, struct output_ctx *octx) { ct_print(expr->ct.key, expr->ct.direction, expr->ct.nfproto, octx); + + switch (expr->ct.key) { + case NFT_CT_COUNT: + nft_print(octx, " { "); + expr_print(expr->ct.expr, octx); + nft_print(octx, " }"); + break; + default: + break; + } } static bool ct_expr_cmp(const struct expr *e1, const struct expr *e2) diff --git a/src/evaluate.c b/src/evaluate.c index 7fe738d8d590..c8ebbf02a11a 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -767,6 +767,13 @@ static int expr_evaluate_ct(struct eval_ctx *ctx, struct expr **expr) case NFT_CT_DST: ct_gen_nh_dependency(ctx, ct); break; + case NFT_CT_COUNT: + if (ct->ct.expr == NULL) + return expr_error(ctx->msgs, ct, "missing key\n"); + + if (expr_evaluate(ctx, >ct.expr) < 0) + return -1; + break; default: break; } diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 2637f4baaec4..8ad3bf239019 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -718,6 +718,28 @@ static void netlink_parse_ct_expr(struct netlink_parse_ctx *ctx, key = nftnl_expr_get_u32(nle, NFTNL_EXPR_CT_KEY); expr = ct_expr_alloc(loc, key, dir, NFPROTO_UNSPEC); + if (key == NFT_CT_COUNT) { + enum nft_registers sreg; + struct expr *sexpr; + uint32_t len; + + sreg = netlink_parse_register(nle, NFTNL_EXPR_CT_SREG); + sexpr = netlink_get_register(ctx, loc, sreg); + + if (sexpr == NULL) + return netlink_error(ctx, loc, +"ct count has no expression"); + + len = nftnl_expr_get_u32(nle, +NFTNL_EXPR_CT_SREG_LEN) * BITS_PER_BYTE; + if (sexpr->len < len) { + sexpr = netlink_parse_concat_expr(ctx, loc, sreg, len); + if (sexpr == NULL) + return; + } + expr->ct.expr = sexpr; + } + dreg =
Re: [PATCH v2] netfilter : add NAT support for shifted portmap ranges
Hi Pablo, thanks for you quick response. Op 12/01/2018 om 1:21 schreef Pablo Neira Ayuso: > Hi Thierry, > > On Thu, Jan 11, 2018 at 07:42:27PM +0100, Thierry Du Tre wrote: >> This is a patch proposal to support shifted ranges in portmaps. > > I think you can get a much smaller patch if you rename the existing > "struct nf_nat_range" to "struct nf_nat_range_old", then the idea is > to dump the old representation into the new one, something like: > > struct nf_nat_range range = {}; > > memcpy(, range_old, sizeof(range_old)); I did think about this but then checked other xt modules with multiple revisions : xt_hashlimit.c - struct xt_hashlimit_mtinfo3 xt_conntrack.c - struct xt_conntrack_mtinfo3 xt_mark.c - struct xt_mark_tginfo2 But you prefer changing uapi/linux/netfilter/nf_nat.h with something like this ? +struct nf_nat_range1 { + unsigned intflags; + union nf_inet_addr min_addr; + union nf_inet_addr max_addr; + union nf_conntrack_man_protomin_proto; + union nf_conntrack_man_protomax_proto; +}; + struct nf_nat_range { unsigned intflags; union nf_inet_addr min_addr; union nf_inet_addr max_addr; union nf_conntrack_man_protomin_proto; union nf_conntrack_man_protomax_proto; + union nf_conntrack_man_protobase_proto; }; In your reply to my first patch proposal you mentioned the backwards compatibility problem regarding userspace applications. The new revisions for SNAT and DNAT target do keep ABI constant, but changing the current nf_nat_range definition will impact API (although it won't trigger any compile errors because new nf_nat_range is a simple superset of the current definition). Is that ok for you then ? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 0/1] ipset patch for the nf tree
Hi Pablo, Here follows a patch for the nf tree, please apply it: - The patch "Fix adding an IPv4 range containing more than 2^31 addresses" introduced a wraparound bug, which could lead to memory exhaustion, which is fixed here (netfilter bugzilla id #1212, reported by Thomas Schwark) Best regards, Jozsef The following changes since commit 889c604fd0b5f6d3b8694ade229ee44124de1127: netfilter: x_tables: fix int overflow in xt_alloc_table_info() (2018-01-07 00:17:23 +0100) are available in the git repository at: git://blackhole.kfki.hu/nf ba31d2d88b9 for you to fetch changes up to ba31d2d88b95ce1872fc17ffd0da70b68be0a07f: Fix wraparound bug introduced in commit 48596a8ddc46 (2018-01-12 11:07:35 +0100) Jozsef Kadlecsik (1): Fix wraparound bug introduced in commit 48596a8ddc46 net/netfilter/ipset/ip_set_hash_ipportnet.c | 26 ++--- net/netfilter/ipset/ip_set_hash_net.c| 9 --- net/netfilter/ipset/ip_set_hash_netiface.c | 9 --- net/netfilter/ipset/ip_set_hash_netnet.c | 28 +++--- net/netfilter/ipset/ip_set_hash_netport.c| 19 --- net/netfilter/ipset/ip_set_hash_netportnet.c | 35 ++-- 6 files changed, 63 insertions(+), 63 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 1/1] Fix wraparound bug introduced in commit 48596a8ddc46
The patch "netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses" introduced a wraparound bug, which could lead to memory exhaustion when adding an x.x.x.x-255.255.255.255 range to any hash:*net* types. Fixes Netfilter's bugzilla id #1212, reported by Thomas Schwark. Signed-off-by: Jozsef Kadlecsik--- net/netfilter/ipset/ip_set_hash_ipportnet.c | 26 ++--- net/netfilter/ipset/ip_set_hash_net.c| 9 --- net/netfilter/ipset/ip_set_hash_netiface.c | 9 --- net/netfilter/ipset/ip_set_hash_netnet.c | 28 +++--- net/netfilter/ipset/ip_set_hash_netport.c| 19 --- net/netfilter/ipset/ip_set_hash_netportnet.c | 35 ++-- 6 files changed, 63 insertions(+), 63 deletions(-) diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c index 0f164e9..88b83d6 100644 --- a/net/netfilter/ipset/ip_set_hash_ipportnet.c +++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c @@ -168,7 +168,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[], struct hash_ipportnet4_elem e = { .cidr = HOST_MASK - 1 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); u32 ip = 0, ip_to = 0, p = 0, port, port_to; - u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2; + u32 ip2_from = 0, ip2_to = 0, ip2; bool with_ports = false; u8 cidr; int ret; @@ -269,22 +269,21 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[], ip_set_mask_from_to(ip2_from, ip2_to, e.cidr + 1); } - if (retried) + if (retried) { ip = ntohl(h->next.ip); + p = ntohs(h->next.port); + ip2 = ntohl(h->next.ip2); + } else { + p = port; + ip2 = ip2_from; + } for (; ip <= ip_to; ip++) { e.ip = htonl(ip); - p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port) - : port; for (; p <= port_to; p++) { e.port = htons(p); - ip2 = retried && - ip == ntohl(h->next.ip) && - p == ntohs(h->next.port) - ? ntohl(h->next.ip2) : ip2_from; - while (ip2 <= ip2_to) { + do { e.ip2 = htonl(ip2); - ip2_last = ip_set_range_to_cidr(ip2, ip2_to, - ); + ip2 = ip_set_range_to_cidr(ip2, ip2_to, ); e.cidr = cidr - 1; ret = adtfn(set, , , , flags); @@ -292,9 +291,10 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[], return ret; ret = 0; - ip2 = ip2_last + 1; - } + } while (ip2++ < ip2_to); + ip2 = ip2_from; } + p = port; } return ret; } diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c index 1c67a17..5449e23 100644 --- a/net/netfilter/ipset/ip_set_hash_net.c +++ b/net/netfilter/ipset/ip_set_hash_net.c @@ -143,7 +143,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[], ipset_adtfn adtfn = set->variant->adt[adt]; struct hash_net4_elem e = { .cidr = HOST_MASK }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip = 0, ip_to = 0, last; + u32 ip = 0, ip_to = 0; int ret; if (tb[IPSET_ATTR_LINENO]) @@ -193,16 +193,15 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[], } if (retried) ip = ntohl(h->next.ip); - while (ip <= ip_to) { + do { e.ip = htonl(ip); - last = ip_set_range_to_cidr(ip, ip_to, ); + ip = ip_set_range_to_cidr(ip, ip_to, ); ret = adtfn(set, , , , flags); if (ret && !ip_set_eexist(ret, flags)) return ret; ret = 0; - ip = last + 1; - } + } while (ip++ < ip_to); return ret; } diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c index d417074..f5164c1 100644 --- a/net/netfilter/ipset/ip_set_hash_netiface.c +++ b/net/netfilter/ipset/ip_set_hash_netiface.c @@ -200,7 +200,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[], ipset_adtfn adtfn = set->variant->adt[adt]; struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip = 0, ip_to = 0,
A bug in commit: Use flock() for --concurrent option
Hello Phil Sutter I found a problem with this commit, Use flock() for --concurrent option The previous locking mechanism was not atomic, hence it was possible that a killed ebtables process would leave the lock file in place which in turn made future ebtables processes wait indefinitely for the lock to become free. Fix this by using flock(). This also simplifies code quite a bit because there is no need for a custom signal handler or an __exit routine anymore. Signed-off-by: Phil SutterSigned-off-by: Pablo Neira Ayuso if /var/lib/ebtables/ does not exist, ebtables cannot create the lock file. # ls /var/lib/ebtables ls: cannot access /var/lib/ebtables: No such file or directory # ebtables --concurrent -L Unable to create lock file /var/lib/ebtables/lock. Thanks -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html