[PATCH net-next v2] netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460

[Subash Abhinov Kasiviswanathan]

ipv6_defrag pulls network headers before fragment header. In case of
an error, the netfilter layer is currently dropping these packets.
This results in failure of some IPv6 standards tests which passed on
older kernels due to the netfilter framework using cloning.

The test case run here is a check for ICMPv6 error message replies
when some invalid IPv6 fragments are sent. This specific test case is
listed in https://www.ipv6ready.org/docs/Core_Conformance_Latest.pdf
in the Extension Header Processing Order section.

A packet with unrecognized option Type 11 is sent and the test expects
an ICMP error in line with RFC2460 section 4.2 -

11 - discard the packet and, only if the packet's Destination
 Address was not a multicast address, send an ICMP Parameter
 Problem, Code 2, message to the packet's Source Address,
 pointing to the unrecognized Option Type.

Since netfilter layer now drops all invalid IPv6 frag packets, we no
longer see the ICMP error message and fail the test case.

To fix this, save the transport header . If defrag is unable to process
the packet due to RFC2460, restore the transport header and allow packet
to be processed by stack. There is no change for other packet
processing paths.

Tested by confirming that stack sends an ICMP error when it receives
these packets. Also tested that fragmented ICMP pings succeed.

v1->v2: Instead of cloning always, save the transport_header and
restore it in case of this specific error. Update the title and
commit message accordingly.

Signed-off-by: Subash Abhinov Kasiviswanathan 
---
 net/ipv6/netfilter/nf_conntrack_reasm.c | 15 ++-
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c 
b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 977d890..ce53dcf 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -231,7 +231,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct 
sk_buff *skb,
 
if ((unsigned int)end > IPV6_MAXPLEN) {
pr_debug("offset is too large.\n");
-   return -1;
+   return -EINVAL;
}
 
ecn = ip6_frag_ecn(ipv6_hdr(skb));
@@ -264,7 +264,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct 
sk_buff *skb,
 * this case. -DaveM
 */
pr_debug("end of fragment not rounded to 8 bytes.\n");
-   return -1;
+   return -EPROTO;
}
if (end > fq->q.len) {
/* Some bits beyond end -> corruption. */
@@ -358,7 +358,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct 
sk_buff *skb,
 discard_fq:
inet_frag_kill(>q, _frags);
 err:
-   return -1;
+   return -EINVAL;
 }
 
 /*
@@ -567,6 +567,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct 
sk_buff *skb,
 
 int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
 {
+   u16 savethdr = skb->transport_header;
struct net_device *dev = skb->dev;
int fhoff, nhoff, ret;
struct frag_hdr *fhdr;
@@ -600,8 +601,12 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff 
*skb, u32 user)
 
spin_lock_bh(>q.lock);
 
-   if (nf_ct_frag6_queue(fq, skb, fhdr, nhoff) < 0) {
-   ret = -EINVAL;
+   ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff);
+   if (ret < 0) {
+   if (ret == -EPROTO) {
+   skb->transport_header = savethdr;
+   ret = 0;
+   }
goto out_unlock;
}
 
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[ulog2] Plugin ulogd_filter_HTTPSNIFF proposal

[Jean Weisbuch]

I created a filter plugin for ulogd2 that does retrieve informations 
from HTTP request, it is similar to ulogd_filter_PWSNIFF (on which the 
code is based) which allows to monitor/log HTTP requests sent/recieved 
by the system.
Other solutions based on PCAP allows to log HTTP queries but not along 
with informations such as the UID that did sent the packet which can be 
useful to which users are executing virus/hacked scripts.


Output of "ulogd --info ulogd_filter_HTTPSNIFF.so" :
    Input keys:
        Key: raw.pkt (raw data)
    Output keys:
        Key: httpsniff.host (string)
        Key: httpsniff.uri (string)
        Key: httpsniff.method (unsigned int 8)


The code is available at : https://github.com/jb-boin/ulogd_filter_HTTPSNIFF

It requires both https://bugzilla.netfilter.org/show_bug.cgi?id=1192 and 
https://bugzilla.netfilter.org/show_bug.cgi?id=1193 to be fixed for it 
to work correctly.

I included proposed patchs for those two bugs.


I have been using it with a MariaDB output for about 3 months on more 
than 30 Debian Jessie hosts, ulogd2 compiled as packages using the 
Debian Stretch 2.0.5-5 source package and i didnt hit any issue so far.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] netfilter: nf_tables: flow_offload depends on flow_table

[Arnd Bergmann]

Without CONFIG_NF_FLOW_TABLE, the new nft_flow_offload module produces
a link error:

net/netfilter/nft_flow_offload.o: In function 
`nft_flow_offload_iterate_cleanup':
nft_flow_offload.c:(.text+0xb0): undefined reference to `nf_flow_table_iterate'
net/netfilter/nft_flow_offload.o: In function `flow_offload_iterate_cleanup':
nft_flow_offload.c:(.text+0x160): undefined reference to `flow_offload_dead'
net/netfilter/nft_flow_offload.o: In function `nft_flow_offload_eval':
nft_flow_offload.c:(.text+0xc4c): undefined reference to `flow_offload_alloc'
nft_flow_offload.c:(.text+0xc64): undefined reference to `flow_offload_add'
nft_flow_offload.c:(.text+0xc94): undefined reference to `flow_offload_free'

This adds a Kconfig dependency for it.

Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
Signed-off-by: Arnd Bergmann 
---
 net/netfilter/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index ea447826e127..9019fa98003d 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -506,7 +506,7 @@ config NFT_CT
  connection tracking information such as the flow state.
 
 config NFT_FLOW_OFFLOAD
-   depends on NF_CONNTRACK
+   depends on NF_CONNTRACK && NF_FLOW_TABLE
tristate "Netfilter nf_tables hardware flow offload module"
help
  This option adds the "flow_offload" expression that you can use to
-- 
2.9.0

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH v3] netfilter : add NAT support for shifted portmap ranges

[Thierry Du Tre]

This is a patch proposal to support shifted ranges in portmaps.
(i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN 
192.168.1.5:2000-2100)

Currently DNAT only works for single port or identical port ranges.
(i.e. ports 5000-5100 on WAN interface redirected to a LAN host while original 
destination port is not altered)
When different port ranges are configured, either 'random' mode should be used, 
or else all incoming connections are mapped onto the first port in the redirect 
range. (in described example WAN:5000-5100 will all be mapped to 
192.168.1.5:2000)

This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET 
which uses a base port value to calculate an offset with the destination port 
present in the incoming stream. That offset is then applied as index within the 
redirect port range (index modulo rangewidth to handle range overflow).

In described example the base port would be 5000. An incoming stream with 
destination port 5004 would result in an offset value 4 which means that the 
NAT'ed stream will be using destination port 2004.

Other possibilities include deterministic mapping of larger or multiple ranges 
to a smaller range : WAN:5000-5999 -> LAN:5000-5099 (maps WAN port 5*xx to port 
51xx)

This patch does not change any current behavior. It just adds new NAT proto 
range functionality which must be selected via the specific flag when intended 
to use.

A patch for iptables (libipt_DNAT.c) will also be proposed which makes this 
functionality immediately available.

Signed-off-by: Thierry Du Tre 

---
Changes in v3:
- use nf_nat_range as name for updated struct, renamed existing 
nf_nat_range to nf_nat_range1
- reverted all nf_nat_range2 occurences

Changes in v2:
- added new revision for SNAT and DNAT targets to support the new base port 
variable in struct nf_nat_range2
- replaced all occurences of struct nf_nat_range with struct nf_nat_range2

 include/uapi/linux/netfilter/nf_nat.h | 12 +++-
 net/netfilter/nf_nat_core.c   |  9 +++---
 net/netfilter/nf_nat_proto_common.c   |  5 ++-
 net/netfilter/xt_nat.c| 58 ++-
 4 files changed, 77 insertions(+), 7 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_nat.h 
b/include/uapi/linux/netfilter/nf_nat.h
index a33000d..0fa792a 100644
--- a/include/uapi/linux/netfilter/nf_nat.h
+++ b/include/uapi/linux/netfilter/nf_nat.h
@@ -10,6 +10,7 @@
 #define NF_NAT_RANGE_PROTO_RANDOM  (1 << 2)
 #define NF_NAT_RANGE_PERSISTENT(1 << 3)
 #define NF_NAT_RANGE_PROTO_RANDOM_FULLY(1 << 4)
+#define NF_NAT_RANGE_PROTO_OFFSET  (1 << 5)
 
 #define NF_NAT_RANGE_PROTO_RANDOM_ALL  \
(NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)
@@ -17,7 +18,7 @@
 #define NF_NAT_RANGE_MASK  \
(NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED |  \
 NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT |  \
-NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+NF_NAT_RANGE_PROTO_RANDOM_FULLY | NF_NAT_RANGE_PROTO_OFFSET)
 
 struct nf_nat_ipv4_range {
unsigned intflags;
@@ -32,12 +33,21 @@ struct nf_nat_ipv4_multi_range_compat {
struct nf_nat_ipv4_rangerange[1];
 };
 
+struct nf_nat_range1 {
+   unsigned intflags;
+   union nf_inet_addr  min_addr;
+   union nf_inet_addr  max_addr;
+   union nf_conntrack_man_protomin_proto;
+   union nf_conntrack_man_protomax_proto;
+};
+
 struct nf_nat_range {
unsigned intflags;
union nf_inet_addr  min_addr;
union nf_inet_addr  max_addr;
union nf_conntrack_man_protomin_proto;
union nf_conntrack_man_protomax_proto;
+   union nf_conntrack_man_protobase_proto;
 };
 
 #endif /* _NETFILTER_NF_NAT_H */
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index af8345f..de5c327 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -347,9 +347,10 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
/* Only bother mapping if it's not already in range and unique */
if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
-   if (l4proto->in_range(tuple, maniptype,
- >min_proto,
- >max_proto) &&
+   if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) &&
+   l4proto->in_range(tuple, maniptype,
+ >min_proto,
+ >max_proto) &&
(range->min_proto.all == range->max_proto.all ||
 

[PATCH RFC nft] src: ct: add connection counting support

[Florian Westphal]

This adds support for a native connlimit replacement.

It re-uses nftables concatenation support and thus allows
using any key combinations supported by nftables.

Because counting is expensive, it is useful to limit this
to new connections only.  Example:

  ct state new ct count { ip saddr . tcp dport } gt 10 drop

TODO: man page entry.

NB: This uses {} to separate ct count statement from grouping to
avoid shift/reduce conflicts in the parser, unlike fib we do not
have distinct 'end marker' available.

Signed-off-by: Florian Westphal 
---
 include/expression.h|  1 +
 include/linux/netfilter/nf_tables.h |  1 +
 src/ct.c| 12 
 src/evaluate.c  |  7 +++
 src/netlink_delinearize.c   | 24 
 src/netlink_linearize.c | 12 
 src/parser_bison.y  |  5 +
 tests/py/inet/ct.t  |  2 ++
 tests/py/inet/ct.t.payload  | 16 
 9 files changed, 80 insertions(+)

diff --git a/include/expression.h b/include/expression.h
index 0a0e178fe468..b80d081b1595 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -303,6 +303,7 @@ struct expr {
enum proto_basesbase;
int8_t  direction;
uint8_t nfproto;
+   struct expr *expr;
} ct;
struct {
/* EXPR_NUMGEN */
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index a3ee277b17a1..695e307e6e8e 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -929,6 +929,7 @@ enum nft_ct_keys {
NFT_CT_AVGPKT,
NFT_CT_ZONE,
NFT_CT_EVENTMASK,
+   NFT_CT_COUNT,
 };
 
 /**
diff --git a/src/ct.c b/src/ct.c
index d5347974bd0d..ffa5fb70154a 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -269,6 +269,8 @@ static const struct ct_template ct_templates[] = {
  BYTEORDER_HOST_ENDIAN, 16),
[NFT_CT_EVENTMASK]  = CT_TEMPLATE("event", _event_type,
  BYTEORDER_HOST_ENDIAN, 32),
+   [NFT_CT_COUNT]  = CT_TEMPLATE("count", _type,
+ BYTEORDER_HOST_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
@@ -306,6 +308,16 @@ static void ct_print(enum nft_ct_keys key, int8_t dir, 
uint8_t nfproto,
 static void ct_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
ct_print(expr->ct.key, expr->ct.direction, expr->ct.nfproto, octx);
+
+   switch (expr->ct.key) {
+   case NFT_CT_COUNT:
+   nft_print(octx, " { ");
+   expr_print(expr->ct.expr, octx);
+   nft_print(octx, " }");
+   break;
+   default:
+   break;
+   }
 }
 
 static bool ct_expr_cmp(const struct expr *e1, const struct expr *e2)
diff --git a/src/evaluate.c b/src/evaluate.c
index 7fe738d8d590..c8ebbf02a11a 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -767,6 +767,13 @@ static int expr_evaluate_ct(struct eval_ctx *ctx, struct 
expr **expr)
case NFT_CT_DST:
ct_gen_nh_dependency(ctx, ct);
break;
+   case NFT_CT_COUNT:
+   if (ct->ct.expr == NULL)
+   return expr_error(ctx->msgs, ct, "missing key\n");
+
+   if (expr_evaluate(ctx, >ct.expr) < 0)
+   return -1;
+   break;
default:
break;
}
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 2637f4baaec4..8ad3bf239019 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -718,6 +718,28 @@ static void netlink_parse_ct_expr(struct netlink_parse_ctx 
*ctx,
key  = nftnl_expr_get_u32(nle, NFTNL_EXPR_CT_KEY);
expr = ct_expr_alloc(loc, key, dir, NFPROTO_UNSPEC);
 
+   if (key == NFT_CT_COUNT) {
+   enum nft_registers sreg;
+   struct expr *sexpr;
+   uint32_t len;
+
+   sreg = netlink_parse_register(nle, NFTNL_EXPR_CT_SREG);
+   sexpr = netlink_get_register(ctx, loc, sreg);
+
+   if (sexpr == NULL)
+   return netlink_error(ctx, loc,
+"ct count has no expression");
+
+   len = nftnl_expr_get_u32(nle,
+NFTNL_EXPR_CT_SREG_LEN) * 
BITS_PER_BYTE;
+   if (sexpr->len < len) {
+   sexpr = netlink_parse_concat_expr(ctx, loc, sreg, len);
+   if (sexpr == NULL)
+   return;
+   }
+   expr->ct.expr = sexpr;
+   }
+
dreg = 

Re: [PATCH v2] netfilter : add NAT support for shifted portmap ranges

[Thierry Du Tre]

Hi Pablo, thanks for you quick response.

Op 12/01/2018 om 1:21 schreef Pablo Neira Ayuso:
> Hi Thierry,
> 
> On Thu, Jan 11, 2018 at 07:42:27PM +0100, Thierry Du Tre wrote:
>> This is a patch proposal to support shifted ranges in portmaps.
> 
> I think you can get a much smaller patch if you rename the existing
> "struct nf_nat_range" to "struct nf_nat_range_old", then the idea is
> to dump the old representation into the new one, something like:
> 
>  struct nf_nat_range range = {};
> 
>  memcpy(, range_old, sizeof(range_old));

I did think about this but then checked other xt modules with multiple 
revisions :
xt_hashlimit.c - struct xt_hashlimit_mtinfo3
xt_conntrack.c - struct xt_conntrack_mtinfo3
xt_mark.c - struct xt_mark_tginfo2

But you prefer changing uapi/linux/netfilter/nf_nat.h with something like this ?

+struct nf_nat_range1 {
+   unsigned intflags;
+   union nf_inet_addr  min_addr;
+   union nf_inet_addr  max_addr;
+   union nf_conntrack_man_protomin_proto;
+   union nf_conntrack_man_protomax_proto;
+};
+
 struct nf_nat_range {
unsigned intflags;
union nf_inet_addr  min_addr;
union nf_inet_addr  max_addr;
union nf_conntrack_man_protomin_proto;
union nf_conntrack_man_protomax_proto;
+   union nf_conntrack_man_protobase_proto;
 };

In your reply to my first patch proposal you mentioned the backwards 
compatibility problem regarding userspace applications.
The new revisions for SNAT and DNAT target do keep ABI constant, but changing 
the current nf_nat_range definition will impact API (although it won't trigger 
any compile errors because new nf_nat_range is a simple superset of the current 
definition).
Is that ok for you then ?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 0/1] ipset patch for the nf tree

[Jozsef Kadlecsik]

Hi Pablo,

Here follows a patch for the nf tree, please apply it:

- The patch "Fix adding an IPv4 range containing more than 2^31
  addresses" introduced a wraparound bug, which could lead to
  memory exhaustion, which is fixed here (netfilter bugzilla
  id #1212, reported by Thomas Schwark)

Best regards,
Jozsef

The following changes since commit 889c604fd0b5f6d3b8694ade229ee44124de1127:

  netfilter: x_tables: fix int overflow in xt_alloc_table_info() (2018-01-07 
00:17:23 +0100)

are available in the git repository at:

  git://blackhole.kfki.hu/nf ba31d2d88b9

for you to fetch changes up to ba31d2d88b95ce1872fc17ffd0da70b68be0a07f:

  Fix wraparound bug introduced in commit 48596a8ddc46 (2018-01-12 11:07:35 
+0100)


Jozsef Kadlecsik (1):
  Fix wraparound bug introduced in commit 48596a8ddc46

 net/netfilter/ipset/ip_set_hash_ipportnet.c  | 26 ++---
 net/netfilter/ipset/ip_set_hash_net.c|  9 ---
 net/netfilter/ipset/ip_set_hash_netiface.c   |  9 ---
 net/netfilter/ipset/ip_set_hash_netnet.c | 28 +++---
 net/netfilter/ipset/ip_set_hash_netport.c| 19 ---
 net/netfilter/ipset/ip_set_hash_netportnet.c | 35 ++--
 6 files changed, 63 insertions(+), 63 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 1/1] Fix wraparound bug introduced in commit 48596a8ddc46

[Jozsef Kadlecsik]

The patch "netfilter: ipset: Fix adding an IPv4 range containing
more than 2^31 addresses" introduced a wraparound bug, which could
lead to memory exhaustion when adding an x.x.x.x-255.255.255.255
range to any hash:*net* types.

Fixes Netfilter's bugzilla id #1212, reported by Thomas Schwark.

Signed-off-by: Jozsef Kadlecsik 
---
 net/netfilter/ipset/ip_set_hash_ipportnet.c  | 26 ++---
 net/netfilter/ipset/ip_set_hash_net.c|  9 ---
 net/netfilter/ipset/ip_set_hash_netiface.c   |  9 ---
 net/netfilter/ipset/ip_set_hash_netnet.c | 28 +++---
 net/netfilter/ipset/ip_set_hash_netport.c| 19 ---
 net/netfilter/ipset/ip_set_hash_netportnet.c | 35 ++--
 6 files changed, 63 insertions(+), 63 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c 
b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 0f164e9..88b83d6 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -168,7 +168,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr 
*tb[],
struct hash_ipportnet4_elem e = { .cidr = HOST_MASK - 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
u32 ip = 0, ip_to = 0, p = 0, port, port_to;
-   u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2;
+   u32 ip2_from = 0, ip2_to = 0, ip2;
bool with_ports = false;
u8 cidr;
int ret;
@@ -269,22 +269,21 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr 
*tb[],
ip_set_mask_from_to(ip2_from, ip2_to, e.cidr + 1);
}
 
-   if (retried)
+   if (retried) {
ip = ntohl(h->next.ip);
+   p = ntohs(h->next.port);
+   ip2 = ntohl(h->next.ip2);
+   } else {
+   p = port;
+   ip2 = ip2_from;
+   }
for (; ip <= ip_to; ip++) {
e.ip = htonl(ip);
-   p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
-  : port;
for (; p <= port_to; p++) {
e.port = htons(p);
-   ip2 = retried &&
- ip == ntohl(h->next.ip) &&
- p == ntohs(h->next.port)
-   ? ntohl(h->next.ip2) : ip2_from;
-   while (ip2 <= ip2_to) {
+   do {
e.ip2 = htonl(ip2);
-   ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
-   );
+   ip2 = ip_set_range_to_cidr(ip2, ip2_to, );
e.cidr = cidr - 1;
ret = adtfn(set, , , , flags);
 
@@ -292,9 +291,10 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr 
*tb[],
return ret;
 
ret = 0;
-   ip2 = ip2_last + 1;
-   }
+   } while (ip2++ < ip2_to);
+   ip2 = ip2_from;
}
+   p = port;
}
return ret;
 }
diff --git a/net/netfilter/ipset/ip_set_hash_net.c 
b/net/netfilter/ipset/ip_set_hash_net.c
index 1c67a17..5449e23 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -143,7 +143,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_net4_elem e = { .cidr = HOST_MASK };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
-   u32 ip = 0, ip_to = 0, last;
+   u32 ip = 0, ip_to = 0;
int ret;
 
if (tb[IPSET_ATTR_LINENO])
@@ -193,16 +193,15 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
}
if (retried)
ip = ntohl(h->next.ip);
-   while (ip <= ip_to) {
+   do {
e.ip = htonl(ip);
-   last = ip_set_range_to_cidr(ip, ip_to, );
+   ip = ip_set_range_to_cidr(ip, ip_to, );
ret = adtfn(set, , , , flags);
if (ret && !ip_set_eexist(ret, flags))
return ret;
 
ret = 0;
-   ip = last + 1;
-   }
+   } while (ip++ < ip_to);
return ret;
 }
 
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c 
b/net/netfilter/ipset/ip_set_hash_netiface.c
index d417074..f5164c1 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -200,7 +200,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
-   u32 ip = 0, ip_to = 0, 

A bug in commit: Use flock() for --concurrent option

[Tangchen (UVP)]

Hello Phil Sutter

I found a problem with this commit, 

Use flock() for --concurrent option
The previous locking mechanism was not atomic, hence it was possible
that a killed ebtables process would leave the lock file in place which
in turn made future ebtables processes wait indefinitely for the lock to
become free.

Fix this by using flock(). This also simplifies code quite a bit because
there is no need for a custom signal handler or an __exit routine
anymore.

Signed-off-by: Phil Sutter 
Signed-off-by: Pablo Neira Ayuso 

if /var/lib/ebtables/ does not exist, ebtables cannot create the lock file.

# ls /var/lib/ebtables
ls: cannot access /var/lib/ebtables: No such file or directory
# ebtables --concurrent -L
Unable to create lock file /var/lib/ebtables/lock.

Thanks
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html