Re: [Patch nf] ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()

2018-04-23 Thread Julian Anastasov

Hello,

On Mon, 23 Apr 2018, Cong Wang wrote:

> Similarly, tbl->entries is not initialized after kmalloc(),
> which therefore causes an uninit-value warning in ip_vs_lblc_check_expire(),
> as reported by syzbot.
> 
> Reported-by: 
> Cc: Simon Horman 
> Cc: Julian Anastasov 
> Cc: Pablo Neira Ayuso 
> Signed-off-by: Cong Wang 

Thanks!

Acked-by: Julian Anastasov 

> ---
>  net/netfilter/ipvs/ip_vs_lblc.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
> index 3057e453bf31..83918119ceb8 100644
> --- a/net/netfilter/ipvs/ip_vs_lblc.c
> +++ b/net/netfilter/ipvs/ip_vs_lblc.c
> @@ -371,6 +371,7 @@ static int ip_vs_lblc_init_svc(struct ip_vs_service *svc)
>   tbl->counter = 1;
>   tbl->dead = false;
>   tbl->svc = svc;
> + atomic_set(>entries, 0);
>  
>   /*
>*Hook periodic timer for garbage collection
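Review bot: the added line is archived as `atomic_set(>entries, 0);`, the `&tbl` before `->entries` was lost in rendering; the intended statement is `atomic_set(&tbl->entries, 0);`, in line with the `tbl->counter`, `tbl->dead` and `tbl->svc` stores just above it. With every field of `tbl` now set by hand after `kmalloc()`, a `kzalloc()` would close this class of omission for good; the explicit `atomic_set()` is still the right minimal fix for nf.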
> -- 
> 2.13.0

Regards

--
Julian Anastasov 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [Patch nf] ipvs: initialize tbl->entries after allocation

2018-04-23 Thread Julian Anastasov

Hello,

On Mon, 23 Apr 2018, Cong Wang wrote:

> tbl->entries is not initialized after kmalloc(), which therefore
> causes an uninit-value warning in ip_vs_lblc_check_expire()
> as reported by syzbot.
> 
> Reported-by: 
> Cc: Simon Horman 
> Cc: Julian Anastasov 
> Cc: Pablo Neira Ayuso 
> Signed-off-by: Cong Wang 

Thanks!

Acked-by: Julian Anastasov 

> ---
>  net/netfilter/ipvs/ip_vs_lblcr.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c 
> b/net/netfilter/ipvs/ip_vs_lblcr.c
> index 92adc04557ed..bc2bc5eebcb8 100644
> --- a/net/netfilter/ipvs/ip_vs_lblcr.c
> +++ b/net/netfilter/ipvs/ip_vs_lblcr.c
> @@ -534,6 +534,7 @@ static int ip_vs_lblcr_init_svc(struct ip_vs_service *svc)
>   tbl->counter = 1;
>   tbl->dead = false;
>   tbl->svc = svc;
> + atomic_set(>entries, 0);
>  
>   /*
>*Hook periodic timer for garbage collection
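Review bot: same rendering loss as in the lblc hunk, `atomic_set(>entries, 0);` stands for `atomic_set(&tbl->entries, 0);`. Since ip_vs_lblcr_init_svc() and ip_vs_lblc_init_svc() carry the same hand-written init sequence, a one-line remark in the commit message that the lblc patch is the counterpart would help a stable backporter pick up both.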
> -- 
> 2.13.0

Regards

--
Julian Anastasov 


[PATCH v5] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark

2018-04-23 Thread Jack Ma
This patch adds a new feature to iptables that allows bit-shifting for
the --restore, set and save-mark operations. This allows the existing logic
operators (and, or and xor) and mask to co-operate with the new bit-shift
operations.

The intention is to provide users with more flexible uses of skb->mark
and ct->mark. For example, users can save extra bits in skb->mark:
skb->mark = ct->mark << 8;

Changes since v2:

1) Fix an invalid data pointer cast which would result in loss of
   significance.

Changes since v3:

1) Fix several indentation problems.

Changes since v4:

1) Hide the 'shift' operations when they are not set.

Reviewed-by: Florian Westphal 
Signed-off-by: Jack Ma 
---
 extensions/libxt_CONNMARK.c   | 293 --
 include/linux/netfilter/xt_connmark.h |   5 +
 2 files changed, 285 insertions(+), 13 deletions(-)

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 94984cdc..1a859456 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -32,28 +32,42 @@ struct xt_connmark_target_info {
 };
 
 enum {
+   D_SHIFT_LEFT = 0,
+   D_SHIFT_RIGHT,
+};
+
+enum {
O_SET_MARK = 0,
O_SAVE_MARK,
O_RESTORE_MARK,
O_AND_MARK,
O_OR_MARK,
O_XOR_MARK,
+   O_LEFT_SHIFT_MARK,
+   O_RIGHT_SHIFT_MARK,
O_SET_XMARK,
O_CTMASK,
O_NFMASK,
O_MASK,
-   F_SET_MARK = 1 << O_SET_MARK,
-   F_SAVE_MARK= 1 << O_SAVE_MARK,
-   F_RESTORE_MARK = 1 << O_RESTORE_MARK,
-   F_AND_MARK = 1 << O_AND_MARK,
-   F_OR_MARK  = 1 << O_OR_MARK,
-   F_XOR_MARK = 1 << O_XOR_MARK,
-   F_SET_XMARK= 1 << O_SET_XMARK,
-   F_CTMASK   = 1 << O_CTMASK,
-   F_NFMASK   = 1 << O_NFMASK,
-   F_MASK = 1 << O_MASK,
-   F_OP_ANY   = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK |
-F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK,
+   F_SET_MARK = 1 << O_SET_MARK,
+   F_SAVE_MARK= 1 << O_SAVE_MARK,
+   F_RESTORE_MARK = 1 << O_RESTORE_MARK,
+   F_AND_MARK = 1 << O_AND_MARK,
+   F_OR_MARK  = 1 << O_OR_MARK,
+   F_XOR_MARK = 1 << O_XOR_MARK,
+   F_LEFT_SHIFT_MARK  = 1 << O_LEFT_SHIFT_MARK,
+   F_RIGHT_SHIFT_MARK = 1 << O_RIGHT_SHIFT_MARK,
+   F_SET_XMARK= 1 << O_SET_XMARK,
+   F_CTMASK   = 1 << O_CTMASK,
+   F_NFMASK   = 1 << O_NFMASK,
+   F_MASK = 1 << O_MASK,
+   F_OP_ANY   = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK |
+F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK,
+};
+
+static const char *const xt_connmark_shift_ops[] = {
+   "left-shift-mark",
+   "right-shift-mark"
 };
 
 static void CONNMARK_help(void)
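Review bot: the twelve `-`/`+` pairs from F_SET_MARK to F_OP_ANY differ in whitespace only and double the size of this hunk for no functional change; drop the re-alignment or move it to a separate cleanup so the functional part (the D_SHIFT_* enum, the two O_*_SHIFT_MARK ids and xt_connmark_shift_ops[]) can be reviewed on its own. Also note that F_OP_ANY does not include F_LEFT_SHIFT_MARK or F_RIGHT_SHIFT_MARK, presumably so that a shift modifies an operation rather than counting as one; a one-line comment there would stop the next reader from "fixing" it.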
@@ -104,6 +118,36 @@ static const struct xt_option_entry connmark_tg_opts[] = {
 };
 #undef s
 
+#define s struct xt_connmark_tginfo2
+static const struct xt_option_entry connmark_tg_opts_v2[] = {
+   {.name = "set-xmark", .id = O_SET_XMARK, .type = XTTYPE_MARKMASK32,
+.excl = F_OP_ANY},
+   {.name = "set-mark", .id = O_SET_MARK, .type = XTTYPE_MARKMASK32,
+.excl = F_OP_ANY},
+   {.name = "and-mark", .id = O_AND_MARK, .type = XTTYPE_UINT32,
+.excl = F_OP_ANY},
+   {.name = "or-mark", .id = O_OR_MARK, .type = XTTYPE_UINT32,
+.excl = F_OP_ANY},
+   {.name = "xor-mark", .id = O_XOR_MARK, .type = XTTYPE_UINT32,
+.excl = F_OP_ANY},
+   {.name = "save-mark", .id = O_SAVE_MARK, .type = XTTYPE_NONE,
+.excl = F_OP_ANY},
+   {.name = "restore-mark", .id = O_RESTORE_MARK, .type = XTTYPE_NONE,
+.excl = F_OP_ANY},
+   {.name = "left-shift-mark", .id = O_LEFT_SHIFT_MARK, .type = 
XTTYPE_UINT8,
+.min = 0, .max = 32},
+   {.name = "right-shift-mark", .id = O_RIGHT_SHIFT_MARK, .type = 
XTTYPE_UINT8,
+.min = 0, .max = 32},
+   {.name = "ctmask", .id = O_CTMASK, .type = XTTYPE_UINT32,
+.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, ctmask)},
+   {.name = "nfmask", .id = O_NFMASK, .type = XTTYPE_UINT32,
+.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
+   {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
+.excl = F_CTMASK | F_NFMASK},
+   XTOPT_TABLEEND,
+};
+#undef s
+
 static void connmark_tg_help(void)
 {
printf(
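Review bot: `.max = 32` on both shift options admits a shift count of 32, which for the 32-bit mark in the kernel target is an out-of-range shift (undefined in C); cap it at 31 here, or define 32 as "clear the mark" on the kernel side and document that. The two shift entries also carry no `.excl`, so `--left-shift-mark` and `--right-shift-mark` can be given together without the option table rejecting it; set `.excl = F_RIGHT_SHIFT_MARK` on the left entry and `.excl = F_LEFT_SHIFT_MARK` on the right one, the way the mark operations use `.excl = F_OP_ANY`.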
@@ -122,6 +166,15 @@ static void connmark_tg_help(void)
 );
 }
 
+static void connmark_tg_help_v2(void)
+{
+   connmark_tg_help();
+   printf(
+"  --left-shift-mark value   Left shift the ctmark with bits\n"
+"  --right-shift-mark value  Right shift the ctmark with bits\n"
+);
+}
+
 static void connmark_tg_init(struct xt_entry_target *target)
 {
struct xt_connmark_tginfo1 *info = (void *)target->data;
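Review bot: help text wording: "Left shift the ctmark with bits" should read "Left-shift the mark by <value> bits", and since the shift also applies to --restore-mark, which writes skb->mark, "ctmark" is the wrong noun for that mode; plain "mark" covers all three operations.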
@@ -134,6 +187,18 @@ static void connmark_tg_init(struct xt_entry_target 

[PATCH v4] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark

2018-04-23 Thread Jack Ma
This patch adds a new feature to iptables that allows bit-shifting for
the --restore, set and save-mark operations. This allows the existing logic
operators (and, or and xor) and mask to co-operate with the new bit-shift
operations.

The intention is to provide users with more flexible uses of skb->mark
and ct->mark. For example, users can save extra bits in skb->mark:
skb->mark = ct->mark << 8;

Changes since v2:

1) Fix an invalid data pointer cast which would result in loss of
   significance.

Changes since v3:

1) Fix several indentation problems.

Reviewed-by: Florian Westphal 
Signed-off-by: Jack Ma 
---
 extensions/libxt_CONNMARK.c   | 286 --
 include/linux/netfilter/xt_connmark.h |   5 +
 2 files changed, 279 insertions(+), 12 deletions(-)

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 94984cdc..cc9116c9 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -32,30 +32,42 @@ struct xt_connmark_target_info {
 };
 
 enum {
+   D_SHIFT_LEFT = 0,
+   D_SHIFT_RIGHT,
+};
+
+enum {
O_SET_MARK = 0,
O_SAVE_MARK,
O_RESTORE_MARK,
O_AND_MARK,
O_OR_MARK,
O_XOR_MARK,
+   O_LEFT_SHIFT_MARK,
+   O_RIGHT_SHIFT_MARK,
O_SET_XMARK,
O_CTMASK,
O_NFMASK,
O_MASK,
-   F_SET_MARK = 1 << O_SET_MARK,
-   F_SAVE_MARK= 1 << O_SAVE_MARK,
-   F_RESTORE_MARK = 1 << O_RESTORE_MARK,
-   F_AND_MARK = 1 << O_AND_MARK,
-   F_OR_MARK  = 1 << O_OR_MARK,
-   F_XOR_MARK = 1 << O_XOR_MARK,
-   F_SET_XMARK= 1 << O_SET_XMARK,
-   F_CTMASK   = 1 << O_CTMASK,
-   F_NFMASK   = 1 << O_NFMASK,
-   F_MASK = 1 << O_MASK,
-   F_OP_ANY   = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK |
-F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK,
+   F_SET_MARK = 1 << O_SET_MARK,
+   F_SAVE_MARK= 1 << O_SAVE_MARK,
+   F_RESTORE_MARK = 1 << O_RESTORE_MARK,
+   F_AND_MARK = 1 << O_AND_MARK,
+   F_OR_MARK  = 1 << O_OR_MARK,
+   F_XOR_MARK = 1 << O_XOR_MARK,
+   F_LEFT_SHIFT_MARK  = 1 << O_LEFT_SHIFT_MARK,
+   F_RIGHT_SHIFT_MARK = 1 << O_RIGHT_SHIFT_MARK,
+   F_SET_XMARK= 1 << O_SET_XMARK,
+   F_CTMASK   = 1 << O_CTMASK,
+   F_NFMASK   = 1 << O_NFMASK,
+   F_MASK = 1 << O_MASK,
+   F_OP_ANY   = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK |
+F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK,
 };
 
+static const char *const xt_connmark_shift_ops[] =
+  { "left-shift-mark", "right-shift-mark" };
+
 static void CONNMARK_help(void)
 {
printf(
@@ -104,6 +116,36 @@ static const struct xt_option_entry connmark_tg_opts[] = {
 };
 #undef s
 
+#define s struct xt_connmark_tginfo2
+static const struct xt_option_entry connmark_tg_opts_v2[] = {
+   {.name = "set-xmark", .id = O_SET_XMARK, .type = XTTYPE_MARKMASK32,
+.excl = F_OP_ANY},
+   {.name = "set-mark", .id = O_SET_MARK, .type = XTTYPE_MARKMASK32,
+.excl = F_OP_ANY},
+   {.name = "and-mark", .id = O_AND_MARK, .type = XTTYPE_UINT32,
+.excl = F_OP_ANY},
+   {.name = "or-mark", .id = O_OR_MARK, .type = XTTYPE_UINT32,
+.excl = F_OP_ANY},
+   {.name = "xor-mark", .id = O_XOR_MARK, .type = XTTYPE_UINT32,
+.excl = F_OP_ANY},
+   {.name = "save-mark", .id = O_SAVE_MARK, .type = XTTYPE_NONE,
+.excl = F_OP_ANY},
+   {.name = "restore-mark", .id = O_RESTORE_MARK, .type = XTTYPE_NONE,
+.excl = F_OP_ANY},
+   {.name = "left-shift-mark", .id = O_LEFT_SHIFT_MARK, .type = 
XTTYPE_UINT8,
+.min = 0, .max = 32},
+   {.name = "right-shift-mark", .id = O_RIGHT_SHIFT_MARK, .type = 
XTTYPE_UINT8,
+.min = 0, .max = 32},
+   {.name = "ctmask", .id = O_CTMASK, .type = XTTYPE_UINT32,
+.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, ctmask)},
+   {.name = "nfmask", .id = O_NFMASK, .type = XTTYPE_UINT32,
+.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
+   {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
+.excl = F_CTMASK | F_NFMASK},
+   XTOPT_TABLEEND,
+};
+#undef s
+
 static void connmark_tg_help(void)
 {
printf(
@@ -122,6 +164,15 @@ static void connmark_tg_help(void)
 );
 }
 
+static void connmark_tg_help_v2(void)
+{
+   connmark_tg_help();
+   printf(
+"  --left-shift-mark value   Left shift the ctmark with bits\n"
+"  --right-shift-mark value  Right shift the ctmark with bits\n"
+);
+}
+
 static void connmark_tg_init(struct xt_entry_target *target)
 {
struct xt_connmark_tginfo1 *info = (void *)target->data;
@@ -134,6 +185,18 @@ static void connmark_tg_init(struct xt_entry_target 
*target)
info->nfmask = UINT32_MAX;
 }
 
+static void 

[PATCH nft 2/4] netlink: netlink_list_chains() callers always want all existing chains

2018-04-23 Thread Pablo Neira Ayuso
Remove dead code; callers always need this to dump all of the existing
chains.

Signed-off-by: Pablo Neira Ayuso 
---
 src/netlink.c | 16 +---
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index d668fa8cdea3..8e34553635d0 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -711,7 +711,6 @@ int netlink_list_chains(struct netlink_ctx *ctx, const 
struct handle *h,
const struct location *loc)
 {
struct nftnl_chain_list *chain_cache;
-   struct chain *chain;
 
chain_cache = mnl_nft_chain_dump(ctx, h->family);
if (chain_cache == NULL) {
@@ -725,20 +724,7 @@ int netlink_list_chains(struct netlink_ctx *ctx, const 
struct handle *h,
nftnl_chain_list_foreach(chain_cache, list_chain_cb, ctx);
nftnl_chain_list_free(chain_cache);
 
-   /* Caller wants all existing chains */
-   if (h->chain == NULL)
-   return 0;
-
-   /* Check if this chain exists, otherwise return an error */
-   list_for_each_entry(chain, >list, list) {
-   if (strcmp(chain->handle.chain, h->chain) == 0)
-   return 0;
-   }
-
-   return netlink_io_error(ctx, NULL,
-   "Could not find chain `%s' in table `%s': %s",
-   h->chain, h->table,
-   strerror(ENOENT));
+   return 0;
 }
 
 int netlink_flush_chain(struct netlink_ctx *ctx, const struct cmd *cmd)
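Review bot: removing the `h->chain == NULL` early return together with the lookup loop also removes the only ENOENT report for a chain that does not exist; the commit message says every caller wants all chains, so `h->chain` must be NULL at each call site, and it would help to name the call sites that were checked and say where a missing chain is now diagnosed, if anywhere. The `loc` parameter in the signature above is left unused by this function.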
-- 
2.11.0



[PATCH nft 3/4] netlink: don't pass location to netlink_list_*() function

2018-04-23 Thread Pablo Neira Ayuso
Not needed anymore.

Signed-off-by: Pablo Neira Ayuso 
---
 include/netlink.h | 18 ++
 src/netlink.c | 23 ---
 src/rule.c| 18 +++---
 3 files changed, 21 insertions(+), 38 deletions(-)

diff --git a/include/netlink.h b/include/netlink.h
index 81eaaa25cbeb..58b37d3cd572 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -129,8 +129,7 @@ extern int netlink_rename_chain_batch(struct netlink_ctx 
*ctx,
  const struct cmd *cmd);
 extern int netlink_delete_chain_batch(struct netlink_ctx *ctx,
  const struct cmd *cmd);
-extern int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h,
-  const struct location *loc);
+extern int netlink_list_chains(struct netlink_ctx *ctx, const struct handle 
*h);
 extern int netlink_flush_chain(struct netlink_ctx *ctx, const struct cmd *cmd);
 extern struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
   const struct nftnl_chain *nlc);
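Review bot: "Not needed anymore." should say why: the only use of `loc` in netlink_list_chains() was the error path removed by the previous patch, and the remaining netlink_list_*() signatures shed the parameter accordingly. A reader bisecting a lost error location later will want that sentence in the log.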
@@ -139,10 +138,8 @@ extern int netlink_add_table_batch(struct netlink_ctx *ctx,
   const struct cmd *cmd, uint32_t flags);
 extern int netlink_delete_table_batch(struct netlink_ctx *ctx,
  const struct cmd *cmd);
-extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h,
-  const struct location *loc);
-extern int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h,
- const struct location *loc);
+extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle 
*h);
+extern int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h);
 extern int netlink_flush_table(struct netlink_ctx *ctx, const struct cmd *cmd);
 extern struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
   const struct nftnl_table *nlt);
@@ -151,8 +148,7 @@ extern int netlink_add_set_batch(struct netlink_ctx *ctx, 
const struct cmd *cmd,
 uint32_t flags);
 extern int netlink_delete_set_batch(struct netlink_ctx *ctx,
const struct cmd *cmd);
-extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h,
-const struct location *loc);
+extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h);
 extern struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
   const struct nftnl_set *nls);
 
@@ -174,8 +170,7 @@ extern int netlink_delinearize_setelem(struct 
nftnl_set_elem *nlse,
   const struct set *set,
   struct nft_cache *cache);
 
-extern int netlink_list_objs(struct netlink_ctx *ctx, const struct handle *h,
-const struct location *loc);
+extern int netlink_list_objs(struct netlink_ctx *ctx, const struct handle *h);
 extern int netlink_reset_objs(struct netlink_ctx *ctx, const struct cmd *cmd,
  uint32_t type, bool dump);
 extern int netlink_add_obj(struct netlink_ctx *ctx, const struct cmd *cmd,
@@ -186,8 +181,7 @@ extern struct obj *netlink_delinearize_obj(struct 
netlink_ctx *ctx,
   struct nftnl_obj *nlo);
 
 extern int netlink_list_flowtables(struct netlink_ctx *ctx,
-  const struct handle *h,
-  const struct location *loc);
+  const struct handle *h);
 extern int netlink_add_flowtable(struct netlink_ctx *ctx,
 const struct cmd *cmd, uint32_t flags);
 extern int netlink_delete_flowtable(struct netlink_ctx *ctx,
diff --git a/src/netlink.c b/src/netlink.c
index 8e34553635d0..9e11af5d026f 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -550,8 +550,7 @@ static int list_rule_cb(struct nftnl_rule *nlr, void *arg)
return 0;
 }
 
-static int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h,
- const struct location *loc)
+static int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h)
 {
struct nftnl_rule_list *rule_cache;
 
@@ -707,8 +706,7 @@ static int list_chain_cb(struct nftnl_chain *nlc, void *arg)
return 0;
 }
 
-int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h,
-   const struct location *loc)
+int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h)
 {
struct nftnl_chain_list *chain_cache;
 
@@ -787,8 +785,7 @@ static int list_table_cb(struct nftnl_table *nlt, void *arg)
return 0;
 }
 
-int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h,
- 

[PATCH nft 4/4] netlink: remove unused function declarations

2018-04-23 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso 
---
 include/netlink.h | 4 
 1 file changed, 4 deletions(-)

diff --git a/include/netlink.h b/include/netlink.h
index 58b37d3cd572..92bae138bf91 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -110,10 +110,6 @@ extern void netlink_linearize_rule(struct netlink_ctx *ctx,
 extern struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
 struct nftnl_rule *r);
 
-extern int netlink_add_rule(struct netlink_ctx *ctx, const struct handle *h,
-   const struct rule *rule, uint32_t flags);
-extern int netlink_delete_rule(struct netlink_ctx *ctx, const struct handle *h,
-  const struct location *loc);
 extern int netlink_add_rule_batch(struct netlink_ctx *ctx,
  const struct cmd *cmd,
  uint32_t flags);
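Review bot: these two prototypes (`netlink_add_rule`, `netlink_delete_rule`) still appear as unchanged context in the header hunk of 1/4; folding this removal into that patch would keep netlink.h free of dead declarations at every point in the series. If src/netlink.c still carries definitions for them, they should go in the same patch, since this one touches only the header.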
-- 
2.11.0



[PATCH nft 1/4] netlink: pass cmd object to netlink function calls

2018-04-23 Thread Pablo Neira Ayuso
Simplify function footprint.

Signed-off-by: Pablo Neira Ayuso 
---
 include/netlink.h |  78 ++---
 src/netlink.c | 127 +-
 src/rule.c|  87 -
 3 files changed, 129 insertions(+), 163 deletions(-)

diff --git a/include/netlink.h b/include/netlink.h
index 240441dde5dd..81eaaa25cbeb 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -115,48 +115,42 @@ extern int netlink_add_rule(struct netlink_ctx *ctx, 
const struct handle *h,
 extern int netlink_delete_rule(struct netlink_ctx *ctx, const struct handle *h,
   const struct location *loc);
 extern int netlink_add_rule_batch(struct netlink_ctx *ctx,
- const struct handle *h,
- const struct rule *rule, uint32_t flags);
+ const struct cmd *cmd,
+ uint32_t flags);
 extern int netlink_del_rule_batch(struct netlink_ctx *ctx,
- const struct handle *h,
- const struct location *loc);
+ const struct cmd *cmd);
 extern int netlink_replace_rule_batch(struct netlink_ctx *ctx,
+ const struct cmd *cmd);
+
+extern int netlink_add_chain_batch(struct netlink_ctx *ctx,
+  const struct cmd *cmd, uint32_t flags);
+extern int netlink_rename_chain_batch(struct netlink_ctx *ctx,
  const struct handle *h,
- const struct rule *rule,
- const struct location *loc);
-
-extern int netlink_add_chain_batch(struct netlink_ctx *ctx, const struct 
handle *h,
-const struct location *loc,
-const struct chain *chain, uint32_t flags);
-extern int netlink_rename_chain_batch(struct netlink_ctx *ctx, const struct 
handle *h,
-   const struct location *loc, const char *name);
-extern int netlink_delete_chain_batch(struct netlink_ctx *ctx, const struct 
handle *h,
-   const struct location *loc);
+ const struct cmd *cmd);
+extern int netlink_delete_chain_batch(struct netlink_ctx *ctx,
+ const struct cmd *cmd);
 extern int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h,
   const struct location *loc);
-extern int netlink_flush_chain(struct netlink_ctx *ctx, const struct handle *h,
-  const struct location *loc);
+extern int netlink_flush_chain(struct netlink_ctx *ctx, const struct cmd *cmd);
 extern struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
   const struct nftnl_chain *nlc);
 
-extern int netlink_add_table_batch(struct netlink_ctx *ctx, const struct 
handle *h,
-const struct location *loc,
-const struct table *table, uint32_t flags);
-extern int netlink_delete_table_batch(struct netlink_ctx *ctx, const struct 
handle *h,
-   const struct location *loc);
+extern int netlink_add_table_batch(struct netlink_ctx *ctx,
+  const struct cmd *cmd, uint32_t flags);
+extern int netlink_delete_table_batch(struct netlink_ctx *ctx,
+ const struct cmd *cmd);
 extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h,
   const struct location *loc);
 extern int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h,
  const struct location *loc);
-extern int netlink_flush_table(struct netlink_ctx *ctx, const struct handle *h,
-  const struct location *loc);
+extern int netlink_flush_table(struct netlink_ctx *ctx, const struct cmd *cmd);
 extern struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
   const struct nftnl_table *nlt);
 
-extern int netlink_add_set_batch(struct netlink_ctx *ctx, const struct handle 
*h,
-  struct set *set, uint32_t flags);
-extern int netlink_delete_set_batch(struct netlink_ctx *ctx, const struct 
handle *h,
- const struct location *loc);
+extern int netlink_add_set_batch(struct netlink_ctx *ctx, const struct cmd 
*cmd,
+uint32_t flags);
+extern int netlink_delete_set_batch(struct netlink_ctx *ctx,
+   const struct cmd *cmd);
 extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h,
 const struct location *loc);
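Review bot: `netlink_rename_chain_batch()` keeps `const struct handle *h` as a context line and gains `const struct cmd *cmd`, while every sibling batch function in this hunk (add/delete chain, add/delete table, add/delete set, the rule batch calls) drops the handle in favour of cmd; if the chain handle is reachable from cmd, drop it here as well for a uniform signature, otherwise a short comment on why rename needs both would help.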
 

[Patch nf] ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()

2018-04-23 Thread Cong Wang
Similarly, tbl->entries is not initialized after kmalloc(), which
therefore causes an uninit-value warning in ip_vs_lblc_check_expire(),
as reported by syzbot.

Reported-by: 
Cc: Simon Horman 
Cc: Julian Anastasov 
Cc: Pablo Neira Ayuso 
Signed-off-by: Cong Wang 
---
 net/netfilter/ipvs/ip_vs_lblc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
index 3057e453bf31..83918119ceb8 100644
--- a/net/netfilter/ipvs/ip_vs_lblc.c
+++ b/net/netfilter/ipvs/ip_vs_lblc.c
@@ -371,6 +371,7 @@ static int ip_vs_lblc_init_svc(struct ip_vs_service *svc)
tbl->counter = 1;
tbl->dead = false;
tbl->svc = svc;
+   atomic_set(>entries, 0);
 
/*
 *Hook periodic timer for garbage collection
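Review bot: "Similarly" in the commit message assumes the reader has the ip_vs_lblcr.c patch in front of them, but each patch lands as its own commit; name the counterpart fix explicitly, or send the two as a series with a cover letter, so the message stands on its own in git log.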
-- 
2.13.0



[Patch nf] ipvs: initialize tbl->entries after allocation

2018-04-23 Thread Cong Wang
tbl->entries is not initialized after kmalloc(), which therefore
causes an uninit-value warning in ip_vs_lblc_check_expire()
as reported by syzbot.

Reported-by: 
Cc: Simon Horman 
Cc: Julian Anastasov 
Cc: Pablo Neira Ayuso 
Signed-off-by: Cong Wang 
---
 net/netfilter/ipvs/ip_vs_lblcr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
index 92adc04557ed..bc2bc5eebcb8 100644
--- a/net/netfilter/ipvs/ip_vs_lblcr.c
+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
@@ -534,6 +534,7 @@ static int ip_vs_lblcr_init_svc(struct ip_vs_service *svc)
tbl->counter = 1;
tbl->dead = false;
tbl->svc = svc;
+   atomic_set(>entries, 0);
 
/*
 *Hook periodic timer for garbage collection
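Review bot: the commit message names `ip_vs_lblc_check_expire()` but this hunk is in `ip_vs_lblcr_init_svc()` in ip_vs_lblcr.c; if the syzbot report was against the lblcr scheduler the function should read `ip_vs_lblcr_check_expire()`, otherwise say why the lblc callback reads the lblcr table.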
-- 
2.13.0



Re: [PATCH 00/12] Netfilter/IPVS fixes for net

2018-04-23 Thread David Miller
From: Pablo Neira Ayuso 
Date: Mon, 23 Apr 2018 19:57:02 +0200

> The following patchset contains Netfilter/IPVS fixes for your net tree,
> they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thank you.


Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID

2018-04-23 Thread Ahmed Abdelsalam
On Mon, 23 Apr 2018 22:08:44 +0200
Florian Westphal  wrote:

> Ahmed Abdelsalam  wrote:
> > > > @@ -50,6 +62,12 @@ struct ip6t_srh {
> > > > __u8segs_left;
> > > > __u8last_entry;
> > > > __u16   tag;
> > > > +   struct in6_addr psid_addr;
> > > > +   struct in6_addr nsid_addr;
> > > > +   struct in6_addr lsid_addr;
> > > > +   struct in6_addr psid_msk;
> > > > +   struct in6_addr nsid_msk;
> > > > +   struct in6_addr lsid_msk;
> > > 
> > > This is changing something exposed through UAPI, so you will need a
> > > new revision for this.
> > 
> > Could you please advise what should be done in this case? 
> 
> You need to add
> struct ip6t_srh_v1 {
>   /* copy of struct ip6t_srh here */
> 
>   /* new fields go here */
> };
> 
> 
> Look at xt_conntrack.c, conntrack_mt_reg[] for an example of
> multi-revision match.
> 
> You can probably re-organise code to avoid too much duplication.
> See 5a786232eb69a1f870ddc0cfd69d5bdef241a2ea in nf.git for an example,
> it makes v0 into a v1 struct at runtime and re-uses new v1 code
> for old v0.
> 
> 

Thanks Florian!  

-- 
Ahmed Abdelsalam 


Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID

2018-04-23 Thread Florian Westphal
Ahmed Abdelsalam  wrote:
> > > @@ -50,6 +62,12 @@ struct ip6t_srh {
> > >   __u8segs_left;
> > >   __u8last_entry;
> > >   __u16   tag;
> > > + struct in6_addr psid_addr;
> > > + struct in6_addr nsid_addr;
> > > + struct in6_addr lsid_addr;
> > > + struct in6_addr psid_msk;
> > > + struct in6_addr nsid_msk;
> > > + struct in6_addr lsid_msk;
> > 
> > This is changing something exposed through UAPI, so you will need a
> > new revision for this.
> 
> Could you please advise what should be done in this case? 

You need to add
struct ip6t_srh_v1 {
/* copy of struct ip6t_srh here */

/* new fields go here */
};


Look at xt_conntrack.c, conntrack_mt_reg[] for an example of
multi-revision match.

You can probably re-organise code to avoid too much duplication.
See 5a786232eb69a1f870ddc0cfd69d5bdef241a2ea in nf.git for an example,
it makes v0 into a v1 struct at runtime and re-uses new v1 code
for old v0.


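Florian's recipe above (a new `struct ip6t_srh_v1` that repeats the v0 fields and appends the new ones, and converting a v0 blob into a v1 at runtime so one matcher serves both revisions) as a stand-alone C model. This is an added example, not code from Ahmed's patch, from Florian or from the kernel: the two info structs are reduced to the fields visible in the patch, `struct srh` is a cut-down RFC 8754 header with a fixed-size segment list and no bounds check against the header length, and the choice of which slot is the previous and the next SID (segments_left + 1 and segments_left - 1 in the reversed list) is an assumption of this model. The flag values and the 0x07FF v0 mask are taken from the patch; `srh_check_v0()` plays the role of a per-revision checkentry.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* Flag bits from the patch (the subset used here). */
#define SRH_TAG      0x0400
#define SRH_PSID     0x0800   /* v1 only */
#define SRH_NSID     0x1000   /* v1 only */
#define SRH_MASK_V0  0x07FF   /* IP6T_SRH_MASK before the patch */

/* v0 match info, reduced to the fields visible in the patch. As UAPI it
 * must never change again, hence v1 below is a separate struct. */
struct srh_mt_v0 { uint8_t segs_left, last_entry; uint16_t tag, mt_flags, mt_invflags; };

/* Revision 1: every v0 field in the same order, then the new fields. */
struct srh_mt_v1 {
    uint8_t  segs_left, last_entry;
    uint16_t tag, mt_flags, mt_invflags;
    struct in6_addr psid_addr, nsid_addr, psid_msk, nsid_msk;
};

/* Cut-down SRH (RFC 8754): reversed list, active SID = segments[segments_left]. */
struct srh { uint8_t segments_left, first_segment; uint16_t tag; struct in6_addr segments[4]; };

/* Per-revision checkentry: refuse flag bits this revision does not define. */
int srh_check_v0(const struct srh_mt_v0 *i)
{
    return !((i->mt_flags | i->mt_invflags) & ~SRH_MASK_V0);
}

/*  Nonzero when a and b differ on a bit that is set in mask m. */
static int masked_cmp(const struct in6_addr *a, const struct in6_addr *b, const struct in6_addr *m)
{
    for (int k = 0; k < 16; k++)
        if ((a->s6_addr[k] ^ b->s6_addr[k]) & m->s6_addr[k])
            return 1;
    return 0;
}

/* v1 matcher. Which slot is "previous" and "next" is this model's
 * assumption: segments_left + 1 and segments_left - 1 in the reversed list. */
int srh_match_v1(const struct srh_mt_v1 *i, const struct srh *h)
{
    uint16_t f = i->mt_flags;
    unsigned sl = h->segments_left;

    if ((f & SRH_TAG) && h->tag != i->tag)
        return 0;
    if ((f & SRH_PSID) && (sl == h->first_segment ||   /* no previous SID */
        masked_cmp(&h->segments[sl + 1], &i->psid_addr, &i->psid_msk)))
        return 0;
    if ((f & SRH_NSID) && (sl == 0 ||                   /* no next SID */
        masked_cmp(&h->segments[sl - 1], &i->nsid_addr, &i->nsid_msk)))
        return 0;
    return 1;
}

/* The runtime trick from the reply: widen a v0 blob into a v1 and reuse
 * the v1 matcher. Positional init works because v1 starts with the v0
 * fields; the new fields stay zero and no SID flag survives the v0 mask. */
int srh_match_v0(const struct srh_mt_v0 *v0, const struct srh *h)
{
    struct srh_mt_v1 v1 = { v0->segs_left, v0->last_entry, v0->tag,
                            v0->mt_flags & SRH_MASK_V0, v0->mt_invflags & SRH_MASK_V0 };
    return srh_match_v1(&v1, h);
}

/* Constructed sample: SIDs fc00::1, fc00::2, fc00::3, active SID index 1
 * (so "next" is index 0, "previous" index 2). One result bit per check. */
unsigned srh_demo(void)
{
    struct srh h = { .segments_left = 1, .first_segment = 2, .tag = 7 };
    struct srh_mt_v1 r1 = { .mt_flags = SRH_NSID | SRH_PSID };
    struct srh_mt_v0 r0 = { .tag = 7, .mt_flags = SRH_TAG };
    struct srh_mt_v0 bad = { .mt_flags = SRH_NSID };     /* v1-only bit in a v0 blob */
    unsigned out = 0;

    for (int k = 0; k < 3; k++) {
        h.segments[k].s6_addr[0] = 0xfc;
        h.segments[k].s6_addr[15] = (uint8_t)(k + 1);
    }
    r1.nsid_addr.s6_addr[0] = 0xfc;                      /* next must equal fc00::1 */
    r1.nsid_addr.s6_addr[15] = 1;
    memset(&r1.nsid_msk, 0xff, sizeof(r1.nsid_msk));
    r1.psid_addr.s6_addr[15] = 3;                        /* previous: last byte == 3 */
    r1.psid_msk.s6_addr[15] = 0xff;

    out |= srh_match_v1(&r1, &h) << 0;                   /* both SID tests pass */
    out |= srh_match_v0(&r0, &h) << 1;                   /* v0 rule via the v1 path */
    out |= !srh_check_v0(&bad) << 2;                     /* v0 blob with v1 bit refused */
    r1.nsid_addr.s6_addr[15] = 9;
    out |= !srh_match_v1(&r1, &h) << 3;                  /* next SID differs: no match */
    r1.mt_flags = SRH_NSID; h.segments_left = 0;
    out |= !srh_match_v1(&r1, &h) << 4;                  /* no next SID exists */
    return out;
}
```

The point of the layout rule is visible in `srh_match_v0()`: because `struct srh_mt_v1` begins with the v0 fields in the same order, an old iptables binary that still hands the kernel a v0 blob keeps working against the single v1 matcher, while `srh_check_v0()` still refuses a v0 blob that sets bits beyond the v0 mask; the kernel's real matcher additionally bounds-checks every SID offset against the SRH length before reading it.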


Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID

2018-04-23 Thread Ahmed Abdelsalam
On Mon, 23 Apr 2018 19:30:47 +0200
Pablo Neira Ayuso  wrote:

> On Mon, Apr 23, 2018 at 05:48:22AM -0500, Ahmed Abdelsalam wrote:
> > Signed-off-by: Ahmed Abdelsalam 
> > ---
> >  include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +--
> >  net/ipv6/netfilter/ip6t_srh.c| 41 
> > +++-
> >  2 files changed, 60 insertions(+), 3 deletions(-)
> > 
> > diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
> > b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > index f3cc0ef..9808382 100644
> > --- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > @@ -17,7 +17,10 @@
> >  #define IP6T_SRH_LAST_GT0x0100
> >  #define IP6T_SRH_LAST_LT0x0200
> >  #define IP6T_SRH_TAG0x0400
> > -#define IP6T_SRH_MASK   0x07FF
> > +#define IP6T_SRH_PSID   0x0800
> > +#define IP6T_SRH_NSID   0x1000
> > +#define IP6T_SRH_LSID   0x2000
> > +#define IP6T_SRH_MASK   0x3FFF
> >  
> >  /* Values for "mt_invflags" field in struct ip6t_srh */
> >  #define IP6T_SRH_INV_NEXTHDR0x0001
> > @@ -31,7 +34,10 @@
> >  #define IP6T_SRH_INV_LAST_GT0x0100
> >  #define IP6T_SRH_INV_LAST_LT0x0200
> >  #define IP6T_SRH_INV_TAG0x0400
> > -#define IP6T_SRH_INV_MASK   0x07FF
> > +#define IP6T_SRH_INV_PSID   0x0800
> > +#define IP6T_SRH_INV_NSID   0x1000
> > +#define IP6T_SRH_INV_LSID   0x2000
> > +#define IP6T_SRH_INV_MASK   0x3FFF
> >  
> >  /**
> >   *  struct ip6t_srh - SRH match options
> > @@ -40,6 +46,12 @@
> >   *  @ segs_left: Segments left field of SRH
> >   *  @ last_entry: Last entry field of SRH
> >   *  @ tag: Tag field of SRH
> > + *  @ psid_addr: Address of previous SID in SRH SID list
> > + *  @ nsid_addr: Address of NEXT SID in SRH SID list
> > + *  @ lsid_addr: Address of LAST SID in SRH SID list
> > + *  @ psid_msk: Mask of previous SID in SRH SID list
> > + *  @ nsid_msk: Mask of next SID in SRH SID list
> > + *  @ lsid_msk: MAsk of last SID in SRH SID list
> >   *  @ mt_flags: match options
> >   *  @ mt_invflags: Invert the sense of match options
> >   */
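Review bot: kernel-doc nits in the new lines: "MAsk of last SID" for @lsid_msk is a typo, and "NEXT"/"LAST" are capitalised while "previous" is not; make the six descriptions parallel ("Address of the previous/next/last SID in the SRH SID list", "Mask for the previous/next/last SID"). kernel-doc also expects `@name:` without a space after the `@`; that is pre-existing in this block, but the new lines should not copy it.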
> > @@ -50,6 +62,12 @@ struct ip6t_srh {
> > __u8segs_left;
> > __u8last_entry;
> > __u16   tag;
> > +   struct in6_addr psid_addr;
> > +   struct in6_addr nsid_addr;
> > +   struct in6_addr lsid_addr;
> > +   struct in6_addr psid_msk;
> > +   struct in6_addr nsid_msk;
> > +   struct in6_addr lsid_msk;
> 
> This is changing something exposed through UAPI, so you will need a
> new revision for this.

Could you please advise what should be done in this case? 

> 
> > __u16   mt_flags;
> > __u16   mt_invflags;
> >  };
> > diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
> > index 33719d5..2b5cc73 100644
> > --- a/net/ipv6/netfilter/ip6t_srh.c
> > +++ b/net/ipv6/netfilter/ip6t_srh.c
> > @@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct 
> > xt_action_param *par)
> > const struct ip6t_srh *srhinfo = par->matchinfo;
> > struct ipv6_sr_hdr *srh;
> > struct ipv6_sr_hdr _srh;
> > -   int hdrlen, srhoff = 0;
> > +   int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
> > +   struct in6_addr *psid, *nsid, *lsid;
> > +   struct in6_addr _psid, _nsid, _lsid;
> 
> Could you rearrange variable definitions? ie. longest line first, eg.
> 
>   int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
>   const struct ip6t_srh *srhinfo = par->matchinfo;
>   struct in6_addr *psid, *nsid, *lsid;
>   struct ipv6_sr_hdr *srh;
>   struct ipv6_sr_hdr _srh;
> 

OK, I will re-arrange them in reverse Christmas tree form. 

Ahmed 

-- 
Ahmed Abdelsalam 


[PATCH 12/12] netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to xt_connmark_tginfo2

2018-04-23 Thread Pablo Neira Ayuso
These structures have different layouts, so fill xt_connmark_tginfo2 with
the old fields of xt_connmark_tginfo1. Based on a patch from Jack Ma.

Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for 
CONNMARK & MARK targets.")
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/xt_connmark.c | 38 ++
 1 file changed, 22 insertions(+), 16 deletions(-)

diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 4b424e6caf3e..94df000abb92 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -36,9 +36,7 @@ MODULE_ALIAS("ipt_connmark");
 MODULE_ALIAS("ip6t_connmark");
 
 static unsigned int
-connmark_tg_shift(struct sk_buff *skb,
-   const struct xt_connmark_tginfo1 *info,
-   u8 shift_bits, u8 shift_dir)
+connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info)
 {
enum ip_conntrack_info ctinfo;
u_int32_t new_targetmark;
@@ -52,10 +50,11 @@ connmark_tg_shift(struct sk_buff *skb,
switch (info->mode) {
case XT_CONNMARK_SET:
newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
-   if (shift_dir == D_SHIFT_RIGHT)
-   newmark >>= shift_bits;
+   if (info->shift_dir == D_SHIFT_RIGHT)
+   newmark >>= info->shift_bits;
else
-   newmark <<= shift_bits;
+   newmark <<= info->shift_bits;
+
if (ct->mark != newmark) {
ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, ct);
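Review bot: the SET case still shifts the whole of `newmark`, including the bits that `~info->ctmask` was meant to preserve, whereas the SAVE and RESTORE cases below isolate the selected bits into `new_targetmark` and shift only those before merging. If shifting the complete resulting ctmark is intended for SET, a one-line comment in this case would stop the next reader from "fixing" it; otherwise the same mask-then-shift treatment belongs here too.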
@@ -63,10 +62,11 @@ connmark_tg_shift(struct sk_buff *skb,
break;
case XT_CONNMARK_SAVE:
new_targetmark = (skb->mark & info->nfmask);
-   if (shift_dir == D_SHIFT_RIGHT)
-   new_targetmark >>= shift_bits;
+   if (info->shift_dir == D_SHIFT_RIGHT)
+   new_targetmark >>= info->shift_bits;
else
-   new_targetmark <<= shift_bits;
+   new_targetmark <<= info->shift_bits;
+
newmark = (ct->mark & ~info->ctmask) ^
  new_targetmark;
if (ct->mark != newmark) {
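Review bot: `info->shift_bits` is a u8 supplied by userspace and is used unchecked as a shift count on a 32-bit value here and in the other two cases; a count of 32 or more is undefined behaviour in C. Unless the checkentry already rejects it, add a range check for the revision 2 target in `connmark_tg_check()` along the lines of `if (info->shift_bits > 31) return -EINVAL;` so a bad rule is refused at load time rather than producing an arbitrary mark.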
@@ -76,10 +76,11 @@ connmark_tg_shift(struct sk_buff *skb,
break;
case XT_CONNMARK_RESTORE:
new_targetmark = (ct->mark & info->ctmask);
-   if (shift_dir == D_SHIFT_RIGHT)
-   new_targetmark >>= shift_bits;
+   if (info->shift_dir == D_SHIFT_RIGHT)
+   new_targetmark >>= info->shift_bits;
else
-   new_targetmark <<= shift_bits;
+   new_targetmark <<= info->shift_bits;
+
newmark = (skb->mark & ~info->nfmask) ^
  new_targetmark;
skb->mark = newmark;
@@ -92,8 +93,14 @@ static unsigned int
 connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
const struct xt_connmark_tginfo1 *info = par->targinfo;
-
-   return connmark_tg_shift(skb, info, 0, 0);
+   const struct xt_connmark_tginfo2 info2 = {
+   .ctmark = info->ctmark,
+   .ctmask = info->ctmask,
+   .nfmask = info->nfmask,
+   .mode   = info->mode,
+   };
+
+   return connmark_tg_shift(skb, );
 }
 
 static unsigned int
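Review bot: `info2` relies on the designated initializer leaving `shift_bits` and `shift_dir` at zero, which is what turns the revision 1 target into a no-op shift. Setting both shift fields explicitly in the initializer (or a one-line comment saying the zero shift is deliberate) would make the compatibility intent visible and protect against a later change to the enum values.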
@@ -101,8 +108,7 @@ connmark_tg_v2(struct sk_buff *skb, const struct 
xt_action_param *par)
 {
const struct xt_connmark_tginfo2 *info = par->targinfo;
 
-   return connmark_tg_shift(skb, (const struct xt_connmark_tginfo1 *)info,
-info->shift_bits, info->shift_dir);
+   return connmark_tg_shift(skb, info);
 }
 
 static int connmark_tg_check(const struct xt_tgchk_param *par)
-- 
2.11.0



[PATCH 11/12] netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update

2018-04-23 Thread Pablo Neira Ayuso
From: Taehee Yoo 

When a chain name is changed, nft_chain_commit_update is called.
In nft_chain_commit_update, trans->ctx.chain->name has the old chain name
and nft_trans_chain_name(trans) has the new chain name.
If the new chain name is longer than the old chain name, KASAN warns of a
slab-out-of-bounds.

[  175.015012] BUG: KASAN: slab-out-of-bounds in strcpy+0x9e/0xb0
[  175.022735] Write of size 1 at addr 880114e022da by task 
iptables-compat/1458

[  175.031353] CPU: 0 PID: 1458 Comm: iptables-compat Not tainted 4.16.0-rc7+ 
#146
[  175.031353] Hardware name: To be filled by O.E.M. To be filled by 
O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
[  175.031353] Call Trace:
[  175.031353]  dump_stack+0x68/0xa0
[  175.031353]  print_address_description+0xd0/0x260
[  175.031353]  ? strcpy+0x9e/0xb0
[  175.031353]  kasan_report+0x234/0x350
[  175.031353]  __asan_report_store1_noabort+0x1c/0x20
[  175.031353]  strcpy+0x9e/0xb0
[  175.031353]  nf_tables_commit+0x1ccc/0x2990
[  175.031353]  nfnetlink_rcv+0x141e/0x16c0
[  175.031353]  ? nfnetlink_net_init+0x150/0x150
[  175.031353]  ? lock_acquire+0x370/0x370
[  175.031353]  ? lock_acquire+0x370/0x370
[  175.031353]  netlink_unicast+0x444/0x640
[  175.031353]  ? netlink_attachskb+0x700/0x700
[  175.031353]  ? _copy_from_iter_full+0x180/0x740
[  175.031353]  ? kasan_check_write+0x14/0x20
[  175.031353]  ? _copy_from_user+0x9b/0xd0
[  175.031353]  netlink_sendmsg+0x845/0xc70
[ ... ]

Steps to reproduce:
   iptables-compat -N 1
   iptables-compat -E 1 a

Signed-off-by: Taehee Yoo 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 102ad873acb4..04d4e3772584 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5745,7 +5745,7 @@ static void nft_chain_commit_update(struct nft_trans 
*trans)
struct nft_base_chain *basechain;
 
if (nft_trans_chain_name(trans))
-   strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
+   swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
 
if (!nft_is_base_chain(trans->ctx.chain))
return;
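Review bot: after the `swap()`, `nft_trans_chain_name(trans)` points at the chain's old name buffer rather than the new one, so whatever releases the transaction must now `kfree()` that pointer or the rename leaks the old name on every commit. Please confirm the commit release path for NFT_MSG_NEWCHAIN does that, and say so in the commit message, since it is the reason `swap()` is safe where `strcpy()` into the shorter buffer was not.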
-- 
2.11.0



[PATCH 03/12] netfilter: ebtables: don't attempt to allocate 0-sized compat array

2018-04-23 Thread Pablo Neira Ayuso
From: Florian Westphal 

Dmitry reports that 32-bit ebtables on a 64-bit kernel got broken by
a recent change that returns -EINVAL when the ruleset has no entries.

ebtables however only counts user-defined chains, so for the
initial table nentries will be 0.

Don't try to allocate the compat array in this case; as no user-defined
rules exist, no rule will need 64-bit translation.

Reported-by: Dmitry Vyukov 
Fixes: 7d7d7e02111e9 ("netfilter: compat: reject huge allocation requests")
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
---
 net/bridge/netfilter/ebtables.c | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 032e0fe45940..28a4c3490359 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1825,13 +1825,14 @@ static int compat_table_info(const struct 
ebt_table_info *info,
 {
unsigned int size = info->entries_size;
const void *entries = info->entries;
-   int ret;
 
newinfo->entries_size = size;
-
-   ret = xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries);
-   if (ret)
-   return ret;
+   if (info->nentries) {
+   int ret = xt_compat_init_offsets(NFPROTO_BRIDGE,
+info->nentries);
+   if (ret)
+   return ret;
+   }
 
return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
entries, newinfo);
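Review bot: with `info->nentries == 0` the compat offset state for NFPROTO_BRIDGE is never initialised for this table, so the later code that consumes or flushes those offsets has to tolerate that; a one-line comment above the `if` explaining why zero is legal here (only user-defined chains are counted) would spare the next reader a trip to the commit log. Minor style point: this file keeps `int ret;` at the top of the function rather than declaring it inside the block.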
-- 
2.11.0



[PATCH 05/12] netfilter: conntrack: silent a memory leak warning

2018-04-23 Thread Pablo Neira Ayuso
From: Cong Wang 

The following memory leak is a false positive:

unreferenced object 0x8f37f156fb38 (size 128):
  comm "softirq", pid 0, jiffies 4294899665 (age 11.292s)
  hex dump (first 32 bytes):
6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  
00 00 00 00 30 00 20 00 48 6b 6b 6b 6b 6b 6b 6b  0. .Hkkk
  backtrace:
[<4fda266a>] __kmalloc_track_caller+0x10d/0x141
[<7b0a7e3c>] __krealloc+0x45/0x62
[] nf_ct_ext_add+0xdc/0x133
[<99b47fd8>] init_conntrack+0x1b1/0x392
[<86dc36ec>] nf_conntrack_in+0x1ee/0x34b
[<940592de>] nf_hook_slow+0x36/0x95
[] nf_hook.constprop.43+0x1c3/0x1dd
[] __ip_local_out+0xae/0xb4
[<3e4192a6>] ip_local_out+0x17/0x33
[] igmp_ifc_timer_expire+0x23e/0x26f
[<6a8f3032>] call_timer_fn+0x14c/0x2a5
[<650c1725>] __run_timers.part.34+0x150/0x182
[<90e6946e>] run_timer_softirq+0x2a/0x4c
[<4d1e7293>] __do_softirq+0x1d1/0x3c2
[<4643557d>] irq_exit+0x53/0xa2
[<29ddee8f>] smp_apic_timer_interrupt+0x22a/0x235

because __krealloc() is not supposed to release the old
memory, and it is released later via kfree_rcu(). Since this is
the only external user of __krealloc(), just mark it as not a leak
here.

Signed-off-by: Cong Wang 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/nf_conntrack_extend.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_conntrack_extend.c 
b/net/netfilter/nf_conntrack_extend.c
index 9fe0ddc333fb..bd71a828ebde 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -71,6 +71,7 @@ void *nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, 
gfp_t gfp)
rcu_read_unlock();
 
alloc = max(newlen, NF_CT_EXT_PREALLOC);
+   kmemleak_not_leak(old);
new = __krealloc(old, alloc, gfp);
if (!new)
return NULL;
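Review bot: `kmemleak_not_leak()` is declared in `linux/kmemleak.h`, and this hunk does not add that include, so on configurations where the header is not pulled in indirectly the file fails to build with an implicit-declaration error (the "include kmemleak.h for kmemleak_not_leak()" patch in this same series repairs it; folding the include into this patch would keep the series bisectable). `old` can be NULL on the first extension added to a conntrack, which is fine because `kmemleak_not_leak()` ignores NULL and error pointers.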
-- 
2.11.0



[PATCH 04/12] netfilter: xt_connmark: Add bit mapping for bit-shift operation.

2018-04-23 Thread Pablo Neira Ayuso
From: Jack Ma 

With the addition of bit-shift operations, we are able to shift
ct/skbmark based on user requirements. However, this change might also
cause the left/right hand-side mark to be accidentally lost
during shift operations.

This patch adds the ability to 'grep' certain bits based on ctmask or
nfmask out of the original mark. Then, apply shift operations to achieve
a new mapping between ctmark and skb->mark.

For example: If someone would like to save the fourth F bits of ctmark
0xFFF(F)000F into the seventh hexadecimal (0) of skb->mark 0xABC000(0)E.

new_targetmark = (ctmark & ctmask) >> 12;
(new) skb->mark = (skb->mark &~nfmask) ^
   new_targetmark;

This will preserve the other bits that are not related to this
operation.

Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for 
CONNMARK & MARK targets.")
Reviewed-by: Florian Westphal 
Signed-off-by: Jack Ma 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/xt_connmark.c | 19 +++
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 773da82190dc..4b424e6caf3e 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -41,6 +41,7 @@ connmark_tg_shift(struct sk_buff *skb,
u8 shift_bits, u8 shift_dir)
 {
enum ip_conntrack_info ctinfo;
+   u_int32_t new_targetmark;
struct nf_conn *ct;
u_int32_t newmark;
 
@@ -61,24 +62,26 @@ connmark_tg_shift(struct sk_buff *skb,
}
break;
case XT_CONNMARK_SAVE:
-   newmark = (ct->mark & ~info->ctmask) ^
- (skb->mark & info->nfmask);
+   new_targetmark = (skb->mark & info->nfmask);
if (shift_dir == D_SHIFT_RIGHT)
-   newmark >>= shift_bits;
+   new_targetmark >>= shift_bits;
else
-   newmark <<= shift_bits;
+   new_targetmark <<= shift_bits;
+   newmark = (ct->mark & ~info->ctmask) ^
+ new_targetmark;
if (ct->mark != newmark) {
ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, ct);
}
break;
case XT_CONNMARK_RESTORE:
-   newmark = (skb->mark & ~info->nfmask) ^
- (ct->mark & info->ctmask);
+   new_targetmark = (ct->mark & info->ctmask);
if (shift_dir == D_SHIFT_RIGHT)
-   newmark >>= shift_bits;
+   new_targetmark >>= shift_bits;
else
-   newmark <<= shift_bits;
+   new_targetmark <<= shift_bits;
+   newmark = (skb->mark & ~info->nfmask) ^
+ new_targetmark;
skb->mark = newmark;
break;
}
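Review bot: both the SAVE and RESTORE cases merge the shifted `new_targetmark` with XOR, so any bits of `new_targetmark` that land outside `ctmask` (SAVE) or `nfmask` (RESTORE) toggle the preserved bits instead of replacing them. That is the pre-existing CONNMARK semantics, but shifting makes it easy to hit: the shift has to be chosen so the source bits land inside the destination mask. Worth stating in the commit message and in the iptables-extensions man page text for --ctmask/--nfmask when a shift is given.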
-- 
2.11.0

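The mask-then-shift change in the xt_connmark bit-mapping patch above (and the shift handling the later "do not cast xt_connmark_tginfo1" patch moves into `connmark_tg_shift()`) is easiest to see with both variants side by side. The following is an added user-space model written for this digest, not code from the kernel, from Jack Ma's patch or from Pablo's: `struct connmark_model`, the `D_SHIFT_LEFT`/`D_SHIFT_RIGHT` values, the function names and the sample marks (the RESTORE values come from the commit message's 0xFFF(F)000F / 0xABC000(0)E example; the SAVE values are constructed) are all local assumptions, and the shift count is clamped below 32 only so the model stays defined.

```c
/*
 * Added user-space model of the xt_connmark SAVE/RESTORE shift logic.
 * Example code for this digest, not kernel code: the struct, the enum
 * values and the function names are local assumptions that mirror the
 * fields the patch uses, not <linux/netfilter/xt_connmark.h>.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { D_SHIFT_LEFT = 0, D_SHIFT_RIGHT = 1 };   /* assumed values */

struct connmark_model {
	uint32_t ctmask;      /* bits of ct->mark this rule touches */
	uint32_t nfmask;      /* bits of skb->mark this rule touches */
	uint8_t  shift_bits;
	uint8_t  shift_dir;
};

static uint32_t do_shift(uint32_t v, const struct connmark_model *m)
{
	/* A shift count of 32 or more is undefined in C; a real checkentry
	 * would reject it at rule load. Here we clamp so the model stays
	 * defined (assumption, not kernel behaviour). */
	unsigned int n = m->shift_bits > 31 ? 31 : m->shift_bits;

	return m->shift_dir == D_SHIFT_RIGHT ? v >> n : v << n;
}

/* Before the patch: merge first, then shift the whole result, so the bits
 * that ~mask was meant to preserve are shifted along with the payload. */
static uint32_t save_before(uint32_t ctmark, uint32_t skbmark,
			    const struct connmark_model *m)
{
	uint32_t newmark = (ctmark & ~m->ctmask) ^ (skbmark & m->nfmask);

	return do_shift(newmark, m);
}

static uint32_t restore_before(uint32_t ctmark, uint32_t skbmark,
			       const struct connmark_model *m)
{
	uint32_t newmark = (skbmark & ~m->nfmask) ^ (ctmark & m->ctmask);

	return do_shift(newmark, m);
}

/* After the patch: isolate the selected bits, shift only those, then merge
 * them into the untouched part of the destination mark. */
static uint32_t save_after(uint32_t ctmark, uint32_t skbmark,
			   const struct connmark_model *m)
{
	uint32_t new_targetmark = do_shift(skbmark & m->nfmask, m);

	return (ctmark & ~m->ctmask) ^ new_targetmark;
}

static uint32_t restore_after(uint32_t ctmark, uint32_t skbmark,
			      const struct connmark_model *m)
{
	uint32_t new_targetmark = do_shift(ctmark & m->ctmask, m);

	return (skbmark & ~m->nfmask) ^ new_targetmark;
}

/* The commit message's example: RESTORE ctmark bits 19..16 into skb->mark
 * bits 7..4, i.e. mask 0x000F0000 -> 0x000000F0 with a right shift of 12. */
static uint32_t example_restore(bool fixed)
{
	const struct connmark_model m = {
		.ctmask = 0x000F0000, .nfmask = 0x000000F0,
		.shift_bits = 12, .shift_dir = D_SHIFT_RIGHT,
	};
	const uint32_t ctmark = 0xFFFF000Fu, skbmark = 0xABC0000Eu;

	return fixed ? restore_after(ctmark, skbmark, &m)
		     : restore_before(ctmark, skbmark, &m);
}

/* Constructed counterpart: SAVE skb->mark bits 7..4 into ctmark bits 19..16
 * with a left shift of 12. */
static uint32_t example_save(bool fixed)
{
	const struct connmark_model m = {
		.ctmask = 0x000F0000, .nfmask = 0x000000F0,
		.shift_bits = 12, .shift_dir = D_SHIFT_LEFT,
	};
	const uint32_t ctmark = 0xFFF0000Fu, skbmark = 0xABC000AEu;

	return fixed ? save_after(ctmark, skbmark, &m)
		     : save_before(ctmark, skbmark, &m);
}

int main(void)
{
	printf("RESTORE before fix: %08" PRIx32 "  after fix: %08" PRIx32 "\n",
	       example_restore(false), example_restore(true));
	printf("SAVE    before fix: %08" PRIx32 "  after fix: %08" PRIx32 "\n",
	       example_save(false), example_save(true));
	return 0;
}
```

Running it shows the RESTORE case producing 0x000ABCF0 before the fix (the whole skb->mark, ABC nibbles included, pushed down 12 bits and the copied nibble landing in the wrong place) and 0xABC000FE after it; the SAVE case shows the same loss in the other direction (0x000AF000 before, 0xFFFA000F after).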


[PATCH 09/12] netfilter: conntrack: include kmemleak.h for kmemleak_not_leak()

2018-04-23 Thread Pablo Neira Ayuso
From: Stephen Rothwell 

After merging the netfilter tree, today's linux-next build (powerpc
ppc64_defconfig) failed like this:

net/netfilter/nf_conntrack_extend.c: In function 'nf_ct_ext_add':
net/netfilter/nf_conntrack_extend.c:74:2: error: implicit declaration of 
function 'kmemleak_not_leak' [-Werror=implicit-function-declaration]
  kmemleak_not_leak(old);
  ^
cc1: some warnings being treated as errors

Fixes: 114aa35d06d4 ("netfilter: conntrack: silent a memory leak warning")
Signed-off-by: Stephen Rothwell 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/nf_conntrack_extend.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_conntrack_extend.c 
b/net/netfilter/nf_conntrack_extend.c
index bd71a828ebde..277bbfe26478 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -9,6 +9,7 @@
  *  2 of the License, or (at your option) any later version.
  */
 #include 
+#include 
 #include 
 #include 
 #include 
-- 
2.11.0



[PATCH 10/12] netfilter: nf_tables: NAT chain and extensions require NF_TABLES

2018-04-23 Thread Pablo Neira Ayuso
Move these options inside the scope of the 'if' NF_TABLES and
NF_TABLES_IPV6 dependencies. This patch fixes:

   net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_nat_do_chain':
>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:37: undefined reference to 
>> `nft_do_chain'
   net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function 
`nft_chain_nat_ipv6_exit':
>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:94: undefined reference to 
>> `nft_unregister_chain_type'
   net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function 
`nft_chain_nat_ipv6_init':
>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:87: undefined reference to 
>> `nft_register_chain_type'

that happens with:

CONFIG_NF_TABLES=m
CONFIG_NFT_CHAIN_NAT_IPV6=y

Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type")
Reported-by: kbuild test robot 
Signed-off-by: Pablo Neira Ayuso 
---
 net/ipv6/netfilter/Kconfig | 55 +++---
 1 file changed, 28 insertions(+), 27 deletions(-)

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index ccbfa83e4bb0..ce77bcc2490c 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -48,6 +48,34 @@ config NFT_CHAIN_ROUTE_IPV6
  fields such as the source, destination, flowlabel, hop-limit and
  the packet mark.
 
+if NF_NAT_IPV6
+
+config NFT_CHAIN_NAT_IPV6
+   tristate "IPv6 nf_tables nat chain support"
+   help
+ This option enables the "nat" chain for IPv6 in nf_tables. This
+ chain type is used to perform Network Address Translation (NAT)
+ packet transformations such as the source, destination address and
+ source and destination ports.
+
+config NFT_MASQ_IPV6
+   tristate "IPv6 masquerade support for nf_tables"
+   depends on NFT_MASQ
+   select NF_NAT_MASQUERADE_IPV6
+   help
+ This is the expression that provides IPv4 masquerading support for
+ nf_tables.
+
+config NFT_REDIR_IPV6
+   tristate "IPv6 redirect support for nf_tables"
+   depends on NFT_REDIR
+   select NF_NAT_REDIRECT
+   help
+ This is the expression that provides IPv4 redirect support for
+ nf_tables.
+
+endif # NF_NAT_IPV6
+
 config NFT_REJECT_IPV6
select NF_REJECT_IPV6
default NFT_REJECT
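Review bot: while these entries are being moved anyway, the help texts for NFT_MASQ_IPV6 and NFT_REDIR_IPV6 still say "IPv4 masquerading support" and "IPv4 redirect support" in the IPv6 Kconfig; change both to IPv6. The move into the existing `if NF_NAT_IPV6` block also drops the explicit `depends on NF_TABLES_IPV6`, which is only correct if this whole region sits under the `if NF_TABLES_IPV6` the commit message refers to; the hunk context does not show that, so it is worth double checking.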
@@ -107,39 +135,12 @@ config NF_NAT_IPV6
 
 if NF_NAT_IPV6
 
-config NFT_CHAIN_NAT_IPV6
-   depends on NF_TABLES_IPV6
-   tristate "IPv6 nf_tables nat chain support"
-   help
- This option enables the "nat" chain for IPv6 in nf_tables. This
- chain type is used to perform Network Address Translation (NAT)
- packet transformations such as the source, destination address and
- source and destination ports.
-
 config NF_NAT_MASQUERADE_IPV6
tristate "IPv6 masquerade support"
help
  This is the kernel functionality to provide NAT in the masquerade
  flavour (automatic source address selection) for IPv6.
 
-config NFT_MASQ_IPV6
-   tristate "IPv6 masquerade support for nf_tables"
-   depends on NF_TABLES_IPV6
-   depends on NFT_MASQ
-   select NF_NAT_MASQUERADE_IPV6
-   help
- This is the expression that provides IPv4 masquerading support for
- nf_tables.
-
-config NFT_REDIR_IPV6
-   tristate "IPv6 redirect support for nf_tables"
-   depends on NF_TABLES_IPV6
-   depends on NFT_REDIR
-   select NF_NAT_REDIRECT
-   help
- This is the expression that provides IPv4 redirect support for
- nf_tables.
-
 endif # NF_NAT_IPV6
 
 config IP6_NF_IPTABLES
-- 
2.11.0



[PATCH 01/12] netfilter: nf_conntrack_sip: allow duplicate SDP expectations

2018-04-23 Thread Pablo Neira Ayuso
From: Florian Westphal 

Callum Sinclair reported SIP IP Phone errors that he tracked down to
such phones sending session descriptions for different media types but
with same port numbers.

The expect core will only 'refresh' existing expectation if it is
from same master AND same expectation class (media type).
As expectation class is different, we get an error.

The SIP connection tracking code will then

1). drop the SDP packet
2). if an rtp expectation was already installed successfully,
error on rtcp expectation will cancel the rtp one.

Make the expect core report back to the caller when the conflict is due
to a different expectation class and have the SIP tracker ignore the soft error.

Reported-by: Callum Sinclair 
Tested-by: Callum Sinclair 
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/nf_conntrack_expect.c |  5 -
 net/netfilter/nf_conntrack_sip.c| 16 
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_conntrack_expect.c 
b/net/netfilter/nf_conntrack_expect.c
index 8ef21d9f9a00..4b2b3d53acfc 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -252,7 +252,7 @@ static inline int expect_clash(const struct 
nf_conntrack_expect *a,
 static inline int expect_matches(const struct nf_conntrack_expect *a,
 const struct nf_conntrack_expect *b)
 {
-   return a->master == b->master && a->class == b->class &&
+   return a->master == b->master &&
   nf_ct_tuple_equal(>tuple, >tuple) &&
   nf_ct_tuple_mask_equal(>mask, >mask) &&
   net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) &&
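Review bot: with `class` dropped from `expect_matches()`, two expectations from the same master with identical tuple and mask now compare equal regardless of media type, which is exactly what the `-EALREADY` check added in `__nf_ct_expect_check()` relies on; a comment on this function saying that class is intentionally not part of the identity, and why, would stop someone re-adding it later.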
@@ -421,6 +421,9 @@ static inline int __nf_ct_expect_check(struct 
nf_conntrack_expect *expect)
h = nf_ct_expect_dst_hash(net, >tuple);
hlist_for_each_entry_safe(i, next, _ct_expect_hash[h], hnode) {
if (expect_matches(i, expect)) {
+   if (i->class != expect->class)
+   return -EALREADY;
+
if (nf_ct_remove_expect(i))
break;
} else if (expect_clash(i, expect)) {
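Review bot: returning `-EALREADY` before `nf_ct_remove_expect()` changes the error every helper sees for this situation, not only SIP; callers that just test for non-zero keep failing as before, but the new meaning ("same tuple already expected under another class") should be documented at the return, and the other helpers that call `nf_ct_expect_related()` audited for any that act on a specific error code.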
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 4dbb5bad4363..908e51e2dc2b 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -938,11 +938,19 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, 
unsigned int protoff,
   datalen, rtp_exp, rtcp_exp,
   mediaoff, medialen, daddr);
else {
-   if (nf_ct_expect_related(rtp_exp) == 0) {
-   if (nf_ct_expect_related(rtcp_exp) != 0)
-   nf_ct_unexpect_related(rtp_exp);
-   else
+   /* -EALREADY handling works around end-points that send
+* SDP messages with identical port but different media type,
+* we pretend expectation was set up.
+*/
+   int errp = nf_ct_expect_related(rtp_exp);
+
+   if (errp == 0 || errp == -EALREADY) {
+   int errcp = nf_ct_expect_related(rtcp_exp);
+
+   if (errcp == 0 || errcp == -EALREADY)
ret = NF_ACCEPT;
+   else if (errp == 0)
+   nf_ct_unexpect_related(rtp_exp);
}
}
nf_ct_expect_put(rtcp_exp);
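Review bot: when `errp == -EALREADY` and the rtcp expectation then fails with a hard error, `ret` keeps its previous value and nothing is unexpected, which is correct since this call did not install the rtp expectation; extending the comment above to say that an `-EALREADY` result must not be undone would make the `else if (errp == 0)` condition self-explanatory.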
-- 
2.11.0



[PATCH 08/12] netfilter: nf_tables: free set name in error path

2018-04-23 Thread Pablo Neira Ayuso
From: Florian Westphal 

set->name must be freed here in case ops->init fails.

Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars")
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
---
 net/netfilter/nf_tables_api.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b1984f8f7253..102ad873acb4 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3212,18 +3212,20 @@ static int nf_tables_newset(struct net *net, struct 
sock *nlsk,
 
err = ops->init(set, , nla);
if (err < 0)
-   goto err2;
+   goto err3;
 
err = nft_trans_set_add(, NFT_MSG_NEWSET, set);
if (err < 0)
-   goto err3;
+   goto err4;
 
list_add_tail_rcu(>list, >sets);
table->use++;
return 0;
 
-err3:
+err4:
ops->destroy(set);
+err3:
+   kfree(set->name);
 err2:
kvfree(set);
 err1:
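Review bot: `err3` now frees `set->name`, so every `goto err2` that remains must come from a point before the name is allocated, and every failure after the allocation (including the `ops->init` failure fixed here) must use `err3` or later; please double check there is no remaining `goto err2` between the name allocation and `ops->init`, since such a path would keep the leak this patch fixes.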
-- 
2.11.0



[PATCH 00/12] Netfilter/IPVS fixes for net

2018-04-23 Thread Pablo Neira Ayuso
Hi David,

The following patchset contains Netfilter/IPVS fixes for your net tree,
they are:

1) Fix SIP conntrack with phones sending session descriptions for different
   media types but same port numbers, from Florian Westphal.

2) Fix incorrect rtnl_lock mutex logic from IPVS sync thread, from Julian
   Anastasov.

3) Skip compat array allocation in ebtables if there are no entries, also
   from Florian.

4) Do not lose left/right bits when shifting marks from xt_connmark, from
   Jack Ma.

5) Silence false positive memleak in conntrack extensions, from Cong Wang.

6) Fix CONFIG_NF_REJECT_IPV6=m link problems, from Arnd Bergmann.

7) Cannot kfree rule that is already in list in nf_tables, switch order
   so this error handling is not required, from Florian Westphal.

8) Release set name in error path, from Florian.

9) include kmemleak.h in nf_conntrack_extend.c, from Stephen Rothwell.

10) NAT chain and extensions depend on NF_TABLES.

11) Out of bound access when renaming chains, from Taehee Yoo.

12) Incorrect casting in xt_connmark leads to wrong bitshifting.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.



The following changes since commit a2ac99905f1ea8b15997a6ec39af69aa28a3653b:

  vhost-net: set packet weight of tx polling to 2 * vq size (2018-04-09 
11:01:37 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 5a786232eb69a1f870ddc0cfd69d5bdef241a2ea:

  netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to 
xt_connmark_tginfo2 (2018-04-19 16:19:28 +0200)


Arnd Bergmann (1):
  netfilter: fix CONFIG_NF_REJECT_IPV6=m link error

Cong Wang (1):
  netfilter: conntrack: silent a memory leak warning

Florian Westphal (4):
  netfilter: nf_conntrack_sip: allow duplicate SDP expectations
  netfilter: ebtables: don't attempt to allocate 0-sized compat array
  netfilter: nf_tables: can't fail after linking rule into active rule list
  netfilter: nf_tables: free set name in error path

Jack Ma (1):
  netfilter: xt_connmark: Add bit mapping for bit-shift operation.

Julian Anastasov (1):
  ipvs: fix rtnl_lock lockups caused by start_sync_thread

Pablo Neira Ayuso (2):
  netfilter: nf_tables: NAT chain and extensions require NF_TABLES
  netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to 
xt_connmark_tginfo2

Stephen Rothwell (1):
  netfilter: conntrack: include kmemleak.h for kmemleak_not_leak()

Taehee Yoo (1):
  netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update

 net/bridge/netfilter/ebtables.c |  11 +--
 net/ipv6/netfilter/Kconfig  |  55 ++---
 net/netfilter/Kconfig   |   1 +
 net/netfilter/ipvs/ip_vs_ctl.c  |   8 --
 net/netfilter/ipvs/ip_vs_sync.c | 155 +++-
 net/netfilter/nf_conntrack_expect.c |   5 +-
 net/netfilter/nf_conntrack_extend.c |   2 +
 net/netfilter/nf_conntrack_sip.c|  16 +++-
 net/netfilter/nf_tables_api.c   |  69 
 net/netfilter/xt_connmark.c |  49 +++-
 10 files changed, 200 insertions(+), 171 deletions(-)


Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID

2018-04-23 Thread Pablo Neira Ayuso
On Mon, Apr 23, 2018 at 05:48:22AM -0500, Ahmed Abdelsalam wrote:
> IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed by
> SR encapsulated packet. Each SID is encoded as an IPv6 prefix.
> 
> When a Firewall receives an SR encapsulated packet, it should be able to
> identify which node previously processed the packet (previous SID), which
> node is going to process the packet next (next SID), and which node is the
> last to process the packet (last SID) which represent the final destination
> of the packet in case of inline SR mode.
> 
> An example use-case of these features could be a SID list that includes
> two firewalls. When the second firewall receives a packet, it can check
> whether the packet has been processed by the first firewall or not. Based on
> that check, it decides to apply all rules, apply just a subset of the rules,
> or totally skip all rules and forward the packet to the next SID.
> 
> This patch extends SRH match to support matching previous SID, next SID, and
> last SID.
> 
> Signed-off-by: Ahmed Abdelsalam 
> ---
>  include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +--
>  net/ipv6/netfilter/ip6t_srh.c| 41 
> +++-
>  2 files changed, 60 insertions(+), 3 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
> b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> index f3cc0ef..9808382 100644
> --- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> @@ -17,7 +17,10 @@
>  #define IP6T_SRH_LAST_GT0x0100
>  #define IP6T_SRH_LAST_LT0x0200
>  #define IP6T_SRH_TAG0x0400
> -#define IP6T_SRH_MASK   0x07FF
> +#define IP6T_SRH_PSID   0x0800
> +#define IP6T_SRH_NSID   0x1000
> +#define IP6T_SRH_LSID   0x2000
> +#define IP6T_SRH_MASK   0x3FFF
>  
>  /* Values for "mt_invflags" field in struct ip6t_srh */
>  #define IP6T_SRH_INV_NEXTHDR0x0001
> @@ -31,7 +34,10 @@
>  #define IP6T_SRH_INV_LAST_GT0x0100
>  #define IP6T_SRH_INV_LAST_LT0x0200
>  #define IP6T_SRH_INV_TAG0x0400
> -#define IP6T_SRH_INV_MASK   0x07FF
> +#define IP6T_SRH_INV_PSID   0x0800
> +#define IP6T_SRH_INV_NSID   0x1000
> +#define IP6T_SRH_INV_LSID   0x2000
> +#define IP6T_SRH_INV_MASK   0x3FFF
>  
>  /**
>   *  struct ip6t_srh - SRH match options
> @@ -40,6 +46,12 @@
>   *  @ segs_left: Segments left field of SRH
>   *  @ last_entry: Last entry field of SRH
>   *  @ tag: Tag field of SRH
> + *  @ psid_addr: Address of previous SID in SRH SID list
> + *  @ nsid_addr: Address of NEXT SID in SRH SID list
> + *  @ lsid_addr: Address of LAST SID in SRH SID list
> + *  @ psid_msk: Mask of previous SID in SRH SID list
> + *  @ nsid_msk: Mask of next SID in SRH SID list
> + *  @ lsid_msk: MAsk of last SID in SRH SID list
>   *  @ mt_flags: match options
>   *  @ mt_invflags: Invert the sense of match options
>   */
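Review bot: in the kernel-doc block, "MAsk" should read "Mask", and "NEXT"/"LAST" are capitalised inconsistently with "previous"; use "next SID" and "last SID" throughout.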
> @@ -50,6 +62,12 @@ struct ip6t_srh {
>   __u8segs_left;
>   __u8last_entry;
>   __u16   tag;
> + struct in6_addr psid_addr;
> + struct in6_addr nsid_addr;
> + struct in6_addr lsid_addr;
> + struct in6_addr psid_msk;
> + struct in6_addr nsid_msk;
> + struct in6_addr lsid_msk;

This is changing something exposed through UAPI, so you will need a
new revision for this.

>   __u16   mt_flags;
>   __u16   mt_invflags;
>  };
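Review bot: adding six `struct in6_addr` fields in front of `mt_flags` and `mt_invflags` changes both the size and the field offsets of `struct ip6t_srh`, so an existing ip6tables binary passing the revision 0 layout would have its flags read from the wrong place. Keep `struct ip6t_srh` unchanged, put the new fields in a separate `struct ip6t_srh1`, and register a second `struct xt_match` with `.revision = 1` and `.matchsize = sizeof(struct ip6t_srh1)`, with a matching revision 1 in the userspace extension.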
> diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
> index 33719d5..2b5cc73 100644
> --- a/net/ipv6/netfilter/ip6t_srh.c
> +++ b/net/ipv6/netfilter/ip6t_srh.c
> @@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct 
> xt_action_param *par)
>   const struct ip6t_srh *srhinfo = par->matchinfo;
>   struct ipv6_sr_hdr *srh;
>   struct ipv6_sr_hdr _srh;
> - int hdrlen, srhoff = 0;
> + int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
> + struct in6_addr *psid, *nsid, *lsid;
> + struct in6_addr _psid, _nsid, _lsid;

Could you rearrange variable definitions? ie. longest line first, eg.

int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
const struct ip6t_srh *srhinfo = par->matchinfo;
struct in6_addr *psid, *nsid, *lsid;
struct ipv6_sr_hdr *srh;
struct ipv6_sr_hdr _srh;

Thanks.


[PATCH iptables] ebtables-compat: add 'vlan' match extension

2018-04-23 Thread Florian Westphal
Signed-off-by: Florian Westphal 
---
 extensions/libebt_vlan.c  | 226 ++
 extensions/libebt_vlan.txlate |  11 ++
 iptables/xtables-eb.c |   1 +
 3 files changed, 238 insertions(+)
 create mode 100644 extensions/libebt_vlan.c
 create mode 100644 extensions/libebt_vlan.txlate

diff --git a/extensions/libebt_vlan.c b/extensions/libebt_vlan.c
new file mode 100644
index ..4e2ea0fcb7cd
--- /dev/null
+++ b/extensions/libebt_vlan.c
@@ -0,0 +1,226 @@
+/* ebt_vlan
+ *
+ * Authors:
+ * Bart De Schuymer 
+ * Nick Fedchik 
+ * June, 2002
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
+
+#define NAME_VLAN_ID"id"
+#define NAME_VLAN_PRIO  "prio"
+#define NAME_VLAN_ENCAP "encap"
+
+#define VLAN_ID'1'
+#define VLAN_PRIO  '2'
+#define VLAN_ENCAP '3'
+
+static const struct option brvlan_opts[] = {
+   {"vlan-id"   , required_argument, NULL, VLAN_ID},
+   {"vlan-prio" , required_argument, NULL, VLAN_PRIO},
+   {"vlan-encap", required_argument, NULL, VLAN_ENCAP},
+   XT_GETOPT_TABLEEND,
+};
+
+/*
+ * option inverse flags definition
+ */
+#define OPT_VLAN_ID 0x01
+#define OPT_VLAN_PRIO   0x02
+#define OPT_VLAN_ENCAP  0x04
+#define OPT_VLAN_FLAGS (OPT_VLAN_ID | OPT_VLAN_PRIO | OPT_VLAN_ENCAP)
+
+static void brvlan_print_help(void)
+{
+   printf(
+"vlan options:\n"
+"--vlan-id [!] id   : vlan-tagged frame identifier, 0,1-4096 (integer)\n"
+"--vlan-prio [!] prio   : Priority-tagged frame's user priority, 0-7 
(integer)\n"
+"--vlan-encap [!] encap : Encapsulated frame protocol (hexadecimal or 
name)\n");
+}
+
+static struct ethertypeent *vlan_getethertypeent(FILE *etherf, const char 
*name)
+{
+   static struct ethertypeent et_ent;
+   char *e, *found_name;
+   char line[1024];
+
+   while ((e = fgets(line, sizeof(line), etherf))) {
+   char *endptr, *cp;
+
+   if (*e == '#')
+   continue;
+
+   cp = strpbrk(e, "#\n");
+   if (cp == NULL)
+   continue;
+   *cp = '\0';
+   found_name = e;
+
+   cp = strpbrk(e, " \t");
+   if (cp == NULL)
+   continue;
+
+   *cp++ = '\0';
+   while (*cp == ' ' || *cp == '\t')
+   cp++;
+   e = strpbrk(cp, " \t");
+   if (e != NULL)
+   *e++ = '\0';
+
+   et_ent.e_ethertype = strtol(cp, , 16);
+   if (*endptr != '\0' ||
+   (et_ent.e_ethertype < ETH_ZLEN || et_ent.e_ethertype > 
0x))
+   continue; // skip invalid etherproto type entry
+
+   if (strcasecmp(found_name, name) == 0)
+   return (_ent);
+
+   if (e != NULL) {
+   cp = e;
+   while (cp && *cp) {
+   if (*cp == ' ' || *cp == '\t') {
+   cp++;
+   continue;
+   }
+   e = cp;
+   cp = strpbrk(cp, " \t");
+   if (cp != NULL)
+   *cp++ = '\0';
+   if (strcasecmp(e, name) == 0)
+   return (_ent);
+   e = cp;
+   }
+   }
+   }
+
+   return NULL;
+}
+
+static struct ethertypeent *brvlan_getethertypebyname(const char *name)
+{
+   struct ethertypeent *e;
+   FILE *etherf;
+
+   etherf = fopen(_PATH_ETHERTYPES, "r");
+
+   e = vlan_getethertypeent(etherf, name);
+   fclose(etherf);
+   return (e);
+}
+
+static int
+brvlan_parse(int c, char **argv, int invert, unsigned int *flags,
+  const void *entry, struct xt_entry_match **match)
+{
+   struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) 
(*match)->data;
+   struct ethertypeent *ethent;
+   char *end;
+   struct ebt_vlan_info local;
+
+   switch (c) {
+   case VLAN_ID:
+   EBT_CHECK_OPTION(flags, OPT_VLAN_ID);
+   if (invert)
+   vlaninfo->invflags |= EBT_VLAN_ID;
+   local.id = strtoul(optarg, , 10);
+   if (local.id > 4094 || *end != '\0')
+   xtables_error(PARAMETER_PROBLEM, "Invalid --vlan-id 
range ('%s')", optarg);
+   vlaninfo->id = local.id;
+   vlaninfo->bitmask |= EBT_VLAN_ID;
+   break;
+   case VLAN_PRIO:
+   EBT_CHECK_OPTION(flags, OPT_VLAN_PRIO);
+   if (invert)
+   vlaninfo->invflags |= EBT_VLAN_PRIO;
+
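Review bot: brvlan_getethertypebyname() hands the result of fopen(_PATH_ETHERTYPES, "r") straight to vlan_getethertypeent() and fclose() without a NULL check, so a missing or unreadable ethertypes file dereferences NULL inside fgets(); return NULL (and let the caller fall back to numeric parsing) when fopen() fails. Separately, the help text advertises "--vlan-id [!] id : ... 0,1-4096" while brvlan_parse() rejects anything above 4094 with "Invalid --vlan-id range"; make the two agree.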

[PATCH iptables] ebtables-compat: add 'pkttype' match extension

2018-04-23 Thread Florian Westphal
Signed-off-by: Florian Westphal 
---
 extensions/libebt_pkttype.c  | 119 +++
 extensions/libebt_pkttype.txlate |  20 +++
 iptables/xtables-eb.c|   1 +
 3 files changed, 140 insertions(+)
 create mode 100644 extensions/libebt_pkttype.c
 create mode 100644 extensions/libebt_pkttype.txlate

diff --git a/extensions/libebt_pkttype.c b/extensions/libebt_pkttype.c
new file mode 100644
index ..4e2d19de7983
--- /dev/null
+++ b/extensions/libebt_pkttype.c
@@ -0,0 +1,119 @@
+/* ebt_pkttype
+ *
+ * Authors:
+ * Bart De Schuymer 
+ *
+ * April, 2003
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static const char *classes[] = {
+   "host",
+   "broadcast",
+   "multicast",
+   "otherhost",
+   "outgoing",
+   "loopback",
+   "fastroute",
+};
+
+static const struct option brpkttype_opts[] =
+{
+   { "pkttype-type", required_argument, 0, '1' },
+   { 0 }
+};
+
+static void brpkttype_print_help(void)
+{
+   printf(
+"pkttype options:\n"
+"--pkttype-type[!] type: class the packet belongs to\n"
+"Possible values: broadcast, multicast, host, otherhost, or any other byte 
value (which would be pretty useless).\n");
+}
+
+
+static int brpkttype_parse(int c, char **argv, int invert, unsigned int *flags,
+  const void *entry, struct xt_entry_match **match)
+{
+   struct ebt_pkttype_info *ptinfo = (struct ebt_pkttype_info 
*)(*match)->data;
+   char *end;
+   long int i;
+
+   switch (c) {
+   case '1':
+   if (invert)
+   ptinfo->invert = 1;
+   i = strtol(optarg, , 16);
+   if (*end != '\0') {
+   for (i = 0; i < ARRAY_SIZE(classes); i++) {
+   if (!strcasecmp(optarg, classes[i]))
+   break;
+   }
+   if (i >= ARRAY_SIZE(classes))
+   xtables_error(PARAMETER_PROBLEM, "Could not 
parse class '%s'", optarg);
+   }
+   if (i < 0 || i > 255)
+   xtables_error(PARAMETER_PROBLEM, "Problem with 
specified pkttype class");
+   ptinfo->pkt_type = (uint8_t)i;
+   break;
+   default:
+   return 0;
+   }
+   return 1;
+}
+
+
+static void brpkttype_print(const void *ip, const struct xt_entry_match 
*match, int numeric)
+{
+   struct ebt_pkttype_info *pt = (struct ebt_pkttype_info *)match->data;
+
+   printf("--pkttype-type %s", pt->invert ? "! " : "");
+
+   if (pt->pkt_type < ARRAY_SIZE(classes))
+   printf("%s ", classes[pt->pkt_type]);
+   else
+   printf("%d ", pt->pkt_type);
+}
+
+static int brpkttype_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+   const struct ebt_pkttype_info *info = (const void*)params->match->data;
+
+   xt_xlate_add(xl, "meta pkttype %s", info->invert ? "!= " : "");
+
+   if (info->pkt_type < 3)
+   xt_xlate_add(xl, "%s ", classes[info->pkt_type]);
+   else if (info->pkt_type == 3)
+   xt_xlate_add(xl, "other ");
+   else
+   xt_xlate_add(xl, "%d ", info->pkt_type);
+
+   return 1;
+}
+
+static struct xtables_match brpkttype_match = {
+   .name   = "pkttype",
+   .version= XTABLES_VERSION,
+   .family = NFPROTO_BRIDGE,
+   .size   = XT_ALIGN(sizeof(struct ebt_pkttype_info)),
+   .userspacesize  = XT_ALIGN(sizeof(struct ebt_pkttype_info)),
+   .help   = brpkttype_print_help,
+   .parse  = brpkttype_parse,
+   .print  = brpkttype_print,
+   .xlate  = brpkttype_xlate,
+   .extra_opts = brpkttype_opts,
+};
+
+void _init(void)
+{
+   xtables_register_match(_match);
+}
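Review bot: brpkttype_parse() never checks whether --pkttype-type was already given and leaves its flags argument unused, unlike the EBT_CHECK_OPTION(flags, ...) pattern the vlan extension earlier on this page uses; add an option flag and check it in case '1' so a repeated option is rejected instead of silently overwriting pkt_type. Minor: the help line reads "--pkttype-type[!] type" with no space before "[!]".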
diff --git a/extensions/libebt_pkttype.txlate b/extensions/libebt_pkttype.txlate
new file mode 100644
index ..94d016d9e70e
--- /dev/null
+++ b/extensions/libebt_pkttype.txlate
@@ -0,0 +1,20 @@
+ebtables-translate -A INPUT --pkttype-type host
+nft add rule bridge filter INPUT meta pkttype host counter
+
+ebtables-translate -A INPUT ! --pkttype-type broadcast
+nft add rule bridge filter INPUT meta pkttype != broadcast counter
+
+ebtables-translate -A INPUT --pkttype-type ! multicast
+nft add rule bridge filter INPUT meta pkttype != multicast counter
+
+ebtables-translate -A INPUT --pkttype-type otherhost
+nft add rule bridge filter INPUT meta pkttype other counter
+
+ebtables-translate -A INPUT --pkttype-type outgoing
+nft add rule bridge filter INPUT meta pkttype 4 counter
+
+ebtables-translate -A INPUT --pkttype-type loopback
+nft add rule bridge filter INPUT meta pkttype 5 counter
+
+ebtables-translate -A INPUT --pkttype-type fastroute
+nft 

KMSAN: uninit-value in ip_vs_lblcr_check_expire

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on  
https://github.com/google/kmsan.git/master commit

d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=3dfdea57819073a04f21


So far this crash happened 2 times on  
https://github.com/google/kmsan.git/master.

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=6285034612850688

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3dfdea57819073a04...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in ip_vs_lblcr_check_expire+0x1551/0x1600  
net/netfilter/ipvs/ip_vs_lblcr.c:479

CPU: 0 PID: 13883 Comm: syz-executor4 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblcr_check_expire+0x1551/0x1600 net/netfilter/ipvs/ip_vs_lblcr.c:479
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
 
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:dump_stack+0x1af/0x1d0 lib/dump_stack.c:58
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x87b/0xab0 lib/fault-inject.c:149
 should_failslab+0x279/0x2a0 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc_node mm/slub.c:2663 [inline]
 slab_alloc mm/slub.c:2745 [inline]
 kmem_cache_alloc+0x136/0xb90 mm/slub.c:2750
 dst_alloc+0x295/0x860 net/core/dst.c:104
 __ip6_dst_alloc net/ipv6/route.c:361 [inline]
 ip6_rt_cache_alloc+0x445/0xd00 net/ipv6/route.c:1061
 ip6_pol_route+0x3f19/0x5da0 net/ipv6/route.c:1751
 ip6_pol_route_output+0xe6/0x110 net/ipv6/route.c:1892
 fib6_rule_lookup+0x494/0x720 net/ipv6/fib6_rules.c:87
 ip6_route_output_flags+0x4fa/0x590 net/ipv6/route.c:1920
 ip6_dst_lookup_tail+0x2fe/0x1a60 net/ipv6/ip6_output.c:992
 ip6_dst_lookup_flow+0xfc/0x270 net/ipv6/ip6_output.c:1093
 rawv6_sendmsg+0x1b05/0x4fb0 net/ipv6/raw.c:908
 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1164 

KMSAN: uninit-value in ip_vs_lblc_check_expire

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on  
https://github.com/google/kmsan.git/master commit

d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +)
kmsan: add initialization for shmem pages
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=3e9695f147fb529aa9bc


So far this crash happened 3 times on  
https://github.com/google/kmsan.git/master.

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5822255644803072

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3e9695f147fb529aa...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

kernel msg: ebtables bug: please report to author: bad policy
==
BUG: KMSAN: uninit-value in ip_vs_lblc_check_expire+0xe62/0xf10  
net/netfilter/ipvs/ip_vs_lblc.c:315

CPU: 0 PID: 11383 Comm: syz-executor3 Not tainted 4.16.0+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ip_vs_lblc_check_expire+0xe62/0xf10 net/netfilter/ipvs/ip_vs_lblc.c:315
 call_timer_fn+0x26a/0x5a0 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0xda7/0x11c0 kernel/time/timer.c:1666
 run_timer_softirq+0x43/0x70 kernel/time/timer.c:1692
 __do_softirq+0x56d/0x93d kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x202/0x240 kernel/softirq.c:405
 exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:541
 smp_apic_timer_interrupt+0x64/0x90 arch/x86/kernel/apic/apic.c:1055
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:857
 
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:78 [inline]
RIP: 0010:vprintk_emit+0xcb2/0xff0 kernel/printk/printk.c:1899
 vprintk_default+0x90/0xa0 kernel/printk/printk.c:1955
 vprintk_func+0x517/0x700 kernel/printk/printk_safe.c:379
 printk+0x1b6/0x1f0 kernel/printk/printk.c:1991
 translate_table+0x474/0x5e10 net/bridge/netfilter/ebtables.c:846
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 udp_setsockopt+0x108/0x1b0 net/ipv4/udp.c:2406
 ipv6_setsockopt+0x30c/0x340 net/ipv6/ipv6_sockglue.c:917
 udpv6_setsockopt+0x110/0x1c0 net/ipv6/udp.c:1422
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_alloc_meta_for_pages+0x161/0x3a0 mm/kmsan/kmsan.c:814
 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:868
 __alloc_pages_nodemask+0xf5b/0x5dc0 mm/page_alloc.c:4283
 alloc_pages_current+0x6b5/0x970 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:494 [inline]
 kmalloc_order mm/slab_common.c:1164 [inline]
 kmalloc_order_trace+0xb9/0x390 mm/slab_common.c:1175
 kmalloc_large include/linux/slab.h:446 [inline]
 __kmalloc+0x332/0x350 mm/slub.c:3778
 kmalloc include/linux/slab.h:517 [inline]
 ip_vs_lblc_init_svc+0x57/0x310 net/netfilter/ipvs/ip_vs_lblc.c:355
 ip_vs_bind_scheduler+0xa4/0x1e0 net/netfilter/ipvs/ip_vs_sched.c:51
 ip_vs_add_service+0xa91/0x1d70 net/netfilter/ipvs/ip_vs_ctl.c:1265
 do_ip_vs_set_ctl+0x25c8/0x2790 

[nf-next] netfilter: extend SRH match to support matching previous, next and last SID

2018-04-23 Thread Ahmed Abdelsalam
IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed by
SR encapsulated packet. Each SID is encoded as an IPv6 prefix.

When a Firewall receives an SR encapsulated packet, it should be able to
identify which node previously processed the packet (previous SID), which
node is going to process the packet next (next SID), and which node is the
last to process the packet (last SID) which represent the final destination
of the packet in case of inline SR mode.

An example use-case of using these features could be SID list that includes
two firewalls. When the second firewall receives a packet, it can check
whether the packet has been processed by the first firewall or not. Based on
that check, it decides to apply all rules, apply just subset of the rules,
or totally skip all rules and forward the packet to the next SID.

This patch extends SRH match to support matching previous SID, next SID, and
last SID.

Signed-off-by: Ahmed Abdelsalam 
---
 include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +--
 net/ipv6/netfilter/ip6t_srh.c| 41 +++-
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h 
b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
index f3cc0ef..9808382 100644
--- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
@@ -17,7 +17,10 @@
 #define IP6T_SRH_LAST_GT0x0100
 #define IP6T_SRH_LAST_LT0x0200
 #define IP6T_SRH_TAG0x0400
-#define IP6T_SRH_MASK   0x07FF
+#define IP6T_SRH_PSID   0x0800
+#define IP6T_SRH_NSID   0x1000
+#define IP6T_SRH_LSID   0x2000
+#define IP6T_SRH_MASK   0x3FFF
 
 /* Values for "mt_invflags" field in struct ip6t_srh */
 #define IP6T_SRH_INV_NEXTHDR0x0001
@@ -31,7 +34,10 @@
 #define IP6T_SRH_INV_LAST_GT0x0100
 #define IP6T_SRH_INV_LAST_LT0x0200
 #define IP6T_SRH_INV_TAG0x0400
-#define IP6T_SRH_INV_MASK   0x07FF
+#define IP6T_SRH_INV_PSID   0x0800
+#define IP6T_SRH_INV_NSID   0x1000
+#define IP6T_SRH_INV_LSID   0x2000
+#define IP6T_SRH_INV_MASK   0x3FFF
 
 /**
  *  struct ip6t_srh - SRH match options
@@ -40,6 +46,12 @@
  *  @ segs_left: Segments left field of SRH
  *  @ last_entry: Last entry field of SRH
  *  @ tag: Tag field of SRH
+ *  @ psid_addr: Address of previous SID in SRH SID list
+ *  @ nsid_addr: Address of NEXT SID in SRH SID list
+ *  @ lsid_addr: Address of LAST SID in SRH SID list
+ *  @ psid_msk: Mask of previous SID in SRH SID list
+ *  @ nsid_msk: Mask of next SID in SRH SID list
+ *  @ lsid_msk: MAsk of last SID in SRH SID list
  *  @ mt_flags: match options
  *  @ mt_invflags: Invert the sense of match options
  */
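Review bot: typo "MAsk" in the lsid_msk description, and the new kerneldoc lines capitalise "NEXT SID" and "LAST SID" while psid_addr says "previous SID"; use "next SID" and "last SID" for consistency with the psid line and the msk lines.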
@@ -50,6 +62,12 @@ struct ip6t_srh {
__u8segs_left;
__u8last_entry;
__u16   tag;
+   struct in6_addr psid_addr;
+   struct in6_addr nsid_addr;
+   struct in6_addr lsid_addr;
+   struct in6_addr psid_msk;
+   struct in6_addr nsid_msk;
+   struct in6_addr lsid_msk;
__u16   mt_flags;
__u16   mt_invflags;
 };
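Review bot: this is a uapi header and the six struct in6_addr fields are inserted before mt_flags and mt_invflags, so any ip6tables built against the old header passes a smaller struct ip6t_srh whose mt_flags sits at a different offset. Either append the new fields after mt_invflags and keep the old layout working, or introduce a new match revision for the extended layout and say so in the commit message.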
diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
index 33719d5..2b5cc73 100644
--- a/net/ipv6/netfilter/ip6t_srh.c
+++ b/net/ipv6/netfilter/ip6t_srh.c
@@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct 
xt_action_param *par)
const struct ip6t_srh *srhinfo = par->matchinfo;
struct ipv6_sr_hdr *srh;
struct ipv6_sr_hdr _srh;
-   int hdrlen, srhoff = 0;
+   int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
+   struct in6_addr *psid, *nsid, *lsid;
+   struct in6_addr _psid, _nsid, _lsid;
 
if (ipv6_find_hdr(skb, , IPPROTO_ROUTING, NULL, NULL) < 0)
return false;
@@ -114,6 +116,43 @@ static bool srh_mt6(const struct sk_buff *skb, struct 
xt_action_param *par)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_TAG,
!(srh->tag == srhinfo->tag)))
return false;
+
+   /* Previous SID matching */
+   if (srhinfo->mt_flags & IP6T_SRH_PSID) {
+   if (srh->segments_left == srh->first_segment)
+   return false;
+   psidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
+ ((srh->segments_left + 1) * sizeof(struct in6_addr));
+   psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid);
+   if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID,
+   ipv6_masked_addr_cmp(psid, >psid_msk,
+>psid_addr)))
+   return false;
+   }
+
+   /* Next SID matching */
+   if 
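Review bot: psid, obtained from skb_header_pointer() at psidoff, is passed to ipv6_masked_addr_cmp() without a NULL check; if the SRH claims more segments than the skb actually carries, psidoff lies beyond the packet data and skb_header_pointer() returns NULL. Add "if (!psid) return false;" (and the same for nsid and lsid in the blocks that follow).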

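The SID positions the match above depends on, worked through as an added Python example that is not part of the patch: the previous SID is Segment List[segments_left + 1] (the psidoff computation in the hunk), while the next SID at Segment List[segments_left] and the last SID at Segment List[0] are taken from RFC 8754 since the patch is cut off before those blocks; the header layout, sample SID list and rule format are constructed here.

```python
"""Added example, not code from the patch: parse an IPv6 Segment Routing
Header (RFC 8754) and pick out the previous, next and last SID the way the
ip6t_srh match does, including the "no previous SID yet" case."""
import ipaddress
import struct

# Fixed part of the SRH: next header, hdr ext len (8-octet units, excluding
# the first 8 octets), routing type (4 = SRH), segments left, last entry,
# flags, tag.  The segment list follows as 16-byte addresses in reverse
# order: Segment List[0] is the final destination.
SRH_FIXED_FMT = "!BBBBBBH"
SRH_FIXED_LEN = struct.calcsize(SRH_FIXED_FMT)  # 8 bytes
SRH_ROUTING_TYPE = 4
SID_LEN = 16


def build_srh(next_header, segments_left, segment_list, tag=0):
    """Serialize an SRH; segment_list is in on-the-wire order (last SID first)."""
    body = b"".join(ipaddress.IPv6Address(s).packed for s in segment_list)
    hdr_ext_len = (SRH_FIXED_LEN + len(body)) // 8 - 1
    last_entry = len(segment_list) - 1
    fixed = struct.pack(SRH_FIXED_FMT, next_header, hdr_ext_len,
                        SRH_ROUTING_TYPE, segments_left, last_entry, 0, tag)
    return fixed + body


def parse_srh(buf):
    """Parse an SRH from bytes; raise ValueError on anything malformed."""
    if len(buf) < SRH_FIXED_LEN:
        raise ValueError("truncated SRH")
    (next_header, hdr_ext_len, routing_type, segments_left,
     last_entry, _flags, tag) = struct.unpack(SRH_FIXED_FMT, buf[:SRH_FIXED_LEN])
    if routing_type != SRH_ROUTING_TYPE:
        raise ValueError("routing type %d is not an SRH" % routing_type)
    total_len = (hdr_ext_len + 1) * 8
    if len(buf) < total_len:
        raise ValueError("SRH length exceeds the buffer")
    if SRH_FIXED_LEN + (last_entry + 1) * SID_LEN > total_len:
        raise ValueError("last_entry points past the end of the header")
    if segments_left > last_entry:
        raise ValueError("segments_left beyond last_entry")
    segments = [
        ipaddress.IPv6Address(buf[SRH_FIXED_LEN + SID_LEN * i:
                                  SRH_FIXED_LEN + SID_LEN * (i + 1)])
        for i in range(last_entry + 1)
    ]
    return {"next_header": next_header, "segments_left": segments_left,
            "last_entry": last_entry, "tag": tag, "segments": segments}


def sid_positions(srh):
    """Return (previous, next, last) SIDs of a parsed SRH.

    next SID     = Segment List[segments_left]      node about to process it
    previous SID = Segment List[segments_left + 1]  node that just processed
                   it (the psidoff computation in the patch above)
    last SID     = Segment List[0]                  final destination
    previous is None when segments_left == last_entry (first_segment in the
    kernel struct): no SR node has processed the packet yet, which is the
    case the kernel match refuses to match a psid against.
    """
    segs = srh["segments"]
    sl = srh["segments_left"]
    prev = segs[sl + 1] if sl < srh["last_entry"] else None
    return prev, segs[sl], segs[0]


def srh_match(srh, rules):
    """rules: list of (kind, "addr/prefix", invert), kind in psid/nsid/lsid.

    Each rule is a masked compare in the spirit of ipv6_masked_addr_cmp();
    invert flips that one rule.  Returns True only if every rule holds.
    """
    prev, nxt, last = sid_positions(srh)
    actual = {"psid": prev, "nsid": nxt, "lsid": last}
    for kind, cidr, invert in rules:
        addr = actual[kind]
        if addr is None:          # no previous SID: the rule can never hold
            return False
        net = ipaddress.IPv6Network(cidr, strict=False)
        if (addr in net) == invert:
            return False
    return True


# Constructed sample: firewall A::2 has processed the packet, firewall B2::
# is next, C::1 is the final destination; wire order is reversed.
SAMPLE_SRH = build_srh(next_header=41, segments_left=1,
                       segment_list=["C::1", "B2::", "A::2"], tag=7)
```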
[iptables 2/2] extensions: libip6t_srh: add test-cases for matching previous, next and last SID

2018-04-23 Thread Ahmed Abdelsalam
This patch adds some test-cases to "libip6t_srh.t" for matching previous SID,
next SID, and last SID.

Signed-off-by: Ahmed Abdelsalam 
---
 extensions/libip6t_srh.t | 4 
 1 file changed, 4 insertions(+)

diff --git a/extensions/libip6t_srh.t b/extensions/libip6t_srh.t
index 08897d5..88a379e 100644
--- a/extensions/libip6t_srh.t
+++ b/extensions/libip6t_srh.t
@@ -23,4 +23,8 @@
 -m srh ! --srh-tag 0;=;OK
 -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 
0;=;OK
 -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0;=;OK
+-m srh --srh-psid A::2/64 --srh-nsid B2::/128 --srh-lsid C::/0;=;OK
+-m srh ! --srh-psid A::2/64 ! --srh-nsid B2::/128 ! --srh-lsid C::/0;=;OK
+-m srh --srh-psid A::2 --srh-nsid B2:: --srh-lsid C::;=;OK
+-m srh ! --srh-psid A::2 ! --srh-nsid B2:: ! --srh-lsid C::;=;OK
 -m srh;=;OK
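Review bot: all four added cases are positive; add at least one expected-failure case (a prefix length above 128, or a non-address argument to --srh-psid) so the parser's error path for the new options is exercised too.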
-- 
2.1.4



[iptables 1/2] extensions: libip6t_srh: support matching previous, next and last SID

2018-04-23 Thread Ahmed Abdelsalam
This patch extends the libip6t_srh shared library to support matching
previous SID, next SID, and last SID.

Signed-off-by: Ahmed Abdelsalam 
---
 extensions/libip6t_srh.c| 65 -
 include/linux/netfilter_ipv6/ip6t_srh.h | 22 ++-
 2 files changed, 84 insertions(+), 3 deletions(-)

diff --git a/extensions/libip6t_srh.c b/extensions/libip6t_srh.c
index ac0ae08..5acc2ee 100644
--- a/extensions/libip6t_srh.c
+++ b/extensions/libip6t_srh.c
@@ -22,6 +22,9 @@ enum {
O_SRH_LAST_GT,
O_SRH_LAST_LT,
O_SRH_TAG,
+   O_SRH_PSID,
+   O_SRH_NSID,
+   O_SRH_LSID,
 };
 
 static void srh_help(void)
@@ -38,7 +41,10 @@ static void srh_help(void)
 "[!] --srh-last-entry-eq   last_entry  Last Entry value of SRH\n"
 "[!] --srh-last-entry-gt   last_entry  Last Entry value of SRH\n"
 "[!] --srh-last-entry-lt   last_entry  Last Entry value of SRH\n"
-"[!] --srh-tag tag Tag value of SRH\n");
+"[!] --srh-tag tag Tag value of SRH\n"
+"[!] --srh-psidaddr[/mask] SRH previous SID\n"
+"[!] --srh-nsidaddr[/mask] SRH next SID\n"
+"[!] --srh-lsidaddr[/mask] SRH Last SID\n");
 }
 
 #define s struct ip6t_srh
@@ -65,6 +71,12 @@ static const struct xt_option_entry srh_opts[] = {
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, last_entry)},
{ .name = "srh-tag", .id = O_SRH_TAG, .type = XTTYPE_UINT16,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, tag)},
+   { .name = "srh-psid", .id = O_SRH_PSID, .type = XTTYPE_HOSTMASK,
+   .flags = XTOPT_INVERT},
+   { .name = "srh-nsid", .id = O_SRH_NSID, .type = XTTYPE_HOSTMASK,
+   .flags = XTOPT_INVERT},
+   { .name = "srh-lsid", .id = O_SRH_LSID, .type = XTTYPE_HOSTMASK,
+   .flags = XTOPT_INVERT},
{ }
 };
 #undef s
@@ -75,6 +87,12 @@ static void srh_init(struct xt_entry_match *m)
 
srhinfo->mt_flags = 0;
srhinfo->mt_invflags = 0;
+   memset(srhinfo->psid_addr.s6_addr, 0, 
sizeof(srhinfo->psid_addr.s6_addr));
+   memset(srhinfo->nsid_addr.s6_addr, 0, 
sizeof(srhinfo->nsid_addr.s6_addr));
+   memset(srhinfo->lsid_addr.s6_addr, 0, 
sizeof(srhinfo->lsid_addr.s6_addr));
+   memset(srhinfo->psid_msk.s6_addr, 0, sizeof(srhinfo->psid_msk.s6_addr));
+   memset(srhinfo->nsid_msk.s6_addr, 0, sizeof(srhinfo->nsid_msk.s6_addr));
+   memset(srhinfo->lsid_msk.s6_addr, 0, sizeof(srhinfo->lsid_msk.s6_addr));
 }
 
 static void srh_parse(struct xt_option_call *cb)
@@ -138,6 +156,27 @@ static void srh_parse(struct xt_option_call *cb)
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_TAG;
break;
+   case O_SRH_PSID:
+   srhinfo->mt_flags |= IP6T_SRH_PSID;
+   srhinfo->psid_addr = cb->val.haddr.in6;
+   srhinfo->psid_msk  = cb->val.hmask.in6;
+   if (cb->invert)
+   srhinfo->mt_invflags |= IP6T_SRH_INV_PSID;
+   break;
+   case O_SRH_NSID:
+   srhinfo->mt_flags |= IP6T_SRH_NSID;
+   srhinfo->nsid_addr = cb->val.haddr.in6;
+   srhinfo->nsid_msk  = cb->val.hmask.in6;
+   if (cb->invert)
+   srhinfo->mt_invflags |= IP6T_SRH_INV_NSID;
+   break;
+   case O_SRH_LSID:
+   srhinfo->mt_flags |= IP6T_SRH_LSID;
+   srhinfo->lsid_addr = cb->val.haddr.in6;
+   srhinfo->lsid_msk  = cb->val.hmask.in6;
+   if (cb->invert)
+   srhinfo->mt_invflags |= IP6T_SRH_INV_LSID;
+   break;
}
 }
 
@@ -180,6 +219,18 @@ static void srh_print(const void *ip, const struct 
xt_entry_match *match,
if (srhinfo->mt_flags & IP6T_SRH_TAG)
printf(" tag:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_TAG ? 
"!" : "",
srhinfo->tag);
+   if (srhinfo->mt_flags & IP6T_SRH_PSID)
+   printf(" psid %s %s/%u", srhinfo->mt_invflags & 
IP6T_SRH_INV_PSID ? "!" : "",
+   xtables_ip6addr_to_numeric(>psid_addr),
+   xtables_ip6mask_to_cidr(>psid_msk));
+   if (srhinfo->mt_flags & IP6T_SRH_NSID)
+   printf(" nsid %s %s/%u", srhinfo->mt_invflags & 
IP6T_SRH_INV_NSID ? "!" : "",
+   xtables_ip6addr_to_numeric(>nsid_addr),
+   xtables_ip6mask_to_cidr(>nsid_msk));
+   if (srhinfo->mt_flags & IP6T_SRH_LSID)
+   printf(" lsid %s %s/%u", srhinfo->mt_invflags & 
IP6T_SRH_INV_LSID ? "!" : "",
+   xtables_ip6addr_to_numeric(>lsid_addr),
+   xtables_ip6mask_to_cidr(>lsid_msk));
 }
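Review bot: the new psid/nsid/lsid print lines use " psid %s %s/%u", which yields a double space when the rule is not inverted and differs from the " tag:%s%d" style of the existing line just above; use the same "name:%s%s/%u" shape for the three new fields, and keep srh_save() in the same form.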
 
 static void srh_save(const void *ip, const struct xt_entry_match *match)
@@ -219,6 +270,18 @@ static void 

[PATCH nf-next] netfilter: nf_tables: enable hashing of one element

2018-04-23 Thread Laura Garcia Liebana
The modulus in the hash function was limited to > 1 as initially
there was no sense to create a hashing of just one element.

Nevertheless, there are certain cases specially for load balancing
where this case needs to be addressed.

This patch fixes the following error.

Error: Could not process rule: Numerical result out of range
add rule ip nftlb lb01 dnat to jhash ip saddr mod 1 map { 0: 192.168.0.10 }
^^^

The solution comes to force the hash to 0 when the modulus is 1.

Signed-off-by: Laura Garcia Liebana 
---
 net/netfilter/nft_hash.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index 24f2f7567ddb..1c4f791552d0 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -53,7 +53,11 @@ static void nft_symhash_eval(const struct nft_expr *expr,
struct sk_buff *skb = pkt->skb;
u32 h;
 
-   h = reciprocal_scale(__skb_get_hash_symmetric(skb), priv->modulus);
+   if (priv->modulus)
+   h = reciprocal_scale(__skb_get_hash_symmetric(skb),
+priv->modulus);
+   else
+   h = 0;
 
regs->data[priv->dreg] = h + priv->offset;
 }
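Review bot: the else branch does not implement what the commit message says. It only runs when priv->modulus is 0, a value nft_jhash_init() below still rejects with -ERANGE; for modulus 1 reciprocal_scale() already returns ((u64)hash * 1) >> 32 == 0, so no change in the eval path is needed. Also this hunk edits nft_symhash_eval() while the relaxed range check below is in nft_jhash_init(), the path behind the quoted "jhash ... mod 1" error; nft_symhash_init() is not touched by this two-hunk patch, so symhash with modulus 1 is presumably still refused.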
@@ -97,7 +101,7 @@ static int nft_jhash_init(const struct nft_ctx *ctx,
priv->len = len;
 
priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS]));
-   if (priv->modulus <= 1)
+   if (priv->modulus < 1)
return -ERANGE;
 
if (priv->offset + priv->modulus - 1 < priv->offset)
-- 
2.11.0



KMSAN: uninit-value in ebt_stp_mt_check

2018-04-23 Thread syzbot

Hello,

syzbot hit the following crash on  
https://github.com/google/kmsan.git/master commit

a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +)
kmsan: disable assembly checksums
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=5c06e318fc558cc27823


So far this crash happened 3 times on  
https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5411555638247424
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=6309829995921408
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=4546610964987904

Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5c06e318fc558cc27...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x248/0x410  
net/bridge/netfilter/ebt_stp.c:164

CPU: 0 PID: 4520 Comm: syzkaller565841 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 ebt_stp_mt_check+0x248/0x410 net/bridge/netfilter/ebt_stp.c:164
 xt_check_match+0x1449/0x1660 net/netfilter/x_tables.c:499
 ebt_check_match net/bridge/netfilter/ebtables.c:374 [inline]
 ebt_check_entry net/bridge/netfilter/ebtables.c:704 [inline]
 translate_table+0x3ffd/0x5e10 net/bridge/netfilter/ebtables.c:945
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
 do_replace+0x707/0x770 net/bridge/netfilter/ebtables.c:1141
 do_ebt_set_ctl+0x2ab/0x3c0 net/bridge/netfilter/ebtables.c:1518
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x476/0x4d0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0x24b/0x2b0 net/ipv4/ip_sockglue.c:1261
 dccp_setsockopt+0x1c3/0x1f0 net/dccp/proto.c:576
 sock_common_setsockopt+0x136/0x170 net/core/sock.c:2975
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445d39

Local variable description: mtpar.i@translate_table
Variable was created at:
 translate_table+0xb9/0x5e10 net/bridge/netfilter/ebtables.c:833
 do_replace_finish+0x1258/0x2ea0 net/bridge/netfilter/ebtables.c:1002
==


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged

into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.

Note: all commands must start from beginning of the line in the email body.