Re: [PATCH nft] parser: Removed LOOKUP token

2018-05-04 Thread Florian Westphal
Máté Eckl  wrote:
> It is never used.

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH nft] parser: Removed LOOKUP token

2018-05-04 Thread Máté Eckl
It is never used.

Signed-off-by: Máté Eckl 
---
 src/parser_bison.y | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index ee3600d..dcd4683 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -181,7 +181,6 @@ int nft_lex(void *, void *, void *);
 %token DASH"-"
 %token AT  "@"
 %token VMAP"vmap"
-%token LOOKUP  "lookup"
 
 %token INCLUDE "include"
 %token DEFINE  "define"
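Review bot: the patch drops the LOOKUP token from the grammar only; if the lexer (src/scanner.l in nft) still has a rule that returns LOOKUP for the "lookup" keyword, the generated parser no longer defines that symbol and the build breaks, so confirm the lexer has no matching rule or remove it in the same patch. If the keyword really is unused on both sides, the one-line removal is fine.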
-- 
ecklm



Re: [PATCH iptables-compat 2/3] iptables-compat: do not fail on restore if user chain exists

2018-05-04 Thread Pablo Neira Ayuso
On Fri, May 04, 2018 at 12:06:32PM +0200, Arturo Borrero Gonzalez wrote:
> On 4 May 2018 at 11:49, Pablo Neira Ayuso  wrote:
> >
> > +int nft_table_flush(struct nft_handle *h, const char *table)
> > +{
> > +   struct nftnl_table *r;
> > +   int ret = 0;
> > +
> > +   nft_fn = nft_table_flush;
> > +
> > +   r = nftnl_table_alloc();
> > +   if (r == NULL)
> > +   goto err;
> > +
> > +   nftnl_table_set_str(r, NFTNL_TABLE_NAME, table);
> > +
> > +   batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r);
> > +err:
> > +   /* the core expects 1 for success and 0 for error */
> > +   return ret == 0 ? 1 : 0;
> > +}
> > +
> 
> it seems ret is never set to something meaningful?

Indeed, will fix this before applying. Actually, I could revisit all
return values in the compat code. Thanks.


[PATCH ghak81 RFC V1 1/5] audit: normalize loginuid read access

2018-05-04 Thread Richard Guy Briggs
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.

Signed-off-by: Richard Guy Briggs 
---
 kernel/auditsc.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 479c031..f3817d0 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -374,7 +374,7 @@ static int audit_field_compare(struct task_struct *tsk,
case AUDIT_COMPARE_EGID_TO_OBJ_GID:
return audit_compare_gid(cred->egid, name, f, ctx);
case AUDIT_COMPARE_AUID_TO_OBJ_UID:
-   return audit_compare_uid(tsk->loginuid, name, f, ctx);
+   return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
case AUDIT_COMPARE_SUID_TO_OBJ_UID:
return audit_compare_uid(cred->suid, name, f, ctx);
case AUDIT_COMPARE_SGID_TO_OBJ_GID:
@@ -385,7 +385,7 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_compare_gid(cred->fsgid, name, f, ctx);
/* uid comparisons */
case AUDIT_COMPARE_UID_TO_AUID:
-   return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
+   return audit_uid_comparator(cred->uid, f->op, 
audit_get_loginuid(tsk));
case AUDIT_COMPARE_UID_TO_EUID:
return audit_uid_comparator(cred->uid, f->op, cred->euid);
case AUDIT_COMPARE_UID_TO_SUID:
@@ -394,11 +394,11 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
/* auid comparisons */
case AUDIT_COMPARE_AUID_TO_EUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
cred->euid);
case AUDIT_COMPARE_AUID_TO_SUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
cred->suid);
case AUDIT_COMPARE_AUID_TO_FSUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
cred->fsuid);
/* euid comparisons */
case AUDIT_COMPARE_EUID_TO_SUID:
return audit_uid_comparator(cred->euid, f->op, cred->suid);
@@ -611,7 +611,7 @@ static int audit_filter_rules(struct task_struct *tsk,
result = match_tree_refs(ctx, rule->tree);
break;
case AUDIT_LOGINUID:
-   result = audit_uid_comparator(tsk->loginuid, f->op, 
f->uid);
+   result = audit_uid_comparator(audit_get_loginuid(tsk), 
f->op, f->uid);
break;
case AUDIT_LOGINUID_SET:
result = audit_comparator(audit_loginuid_set(tsk), 
f->op, f->val);
@@ -2287,8 +2287,8 @@ int audit_signal_info(int sig, struct task_struct *t)
(sig == SIGTERM || sig == SIGHUP ||
 sig == SIGUSR1 || sig == SIGUSR2)) {
audit_sig_pid = task_tgid_nr(tsk);
-   if (uid_valid(tsk->loginuid))
-   audit_sig_uid = tsk->loginuid;
+   if (uid_valid(audit_get_loginuid(tsk)))
+   audit_sig_uid = audit_get_loginuid(tsk);
else
audit_sig_uid = uid;
security_task_getsecid(tsk, _sig_sid);
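Review bot: audit_get_loginuid(tsk) is evaluated twice in the audit_signal_info() hunk, once inside uid_valid() and again in the assignment; read it once into a local, e.g. `kuid_t auid = audit_get_loginuid(tsk); if (uid_valid(auid)) audit_sig_uid = auid;`, which also keeps the two uses from drifting apart if the accessor ever grows side effects. Once 5/5 turns this into an embedded-struct field read the cost is nil, so this is a readability point only.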
-- 
1.8.3.1



[PATCH ghak81 RFC V1 2/5] audit: convert sessionid unset to a macro

2018-05-04 Thread Richard Guy Briggs
Use a macro, "AUDIT_SID_UNSET", to replace each instance of
initialization and comparison to an audit session ID.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h  | 2 +-
 include/net/xfrm.h | 2 +-
 include/uapi/linux/audit.h | 1 +
 init/init_task.c   | 2 +-
 kernel/auditsc.c   | 4 ++--
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 75d5b03..5f86f7c 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -513,7 +513,7 @@ static inline kuid_t audit_get_loginuid(struct task_struct 
*tsk)
 }
 static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
 {
-   return -1;
+   return AUDIT_SID_UNSET;
 }
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 { }
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a872379..fcce8ee 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -751,7 +751,7 @@ static inline void xfrm_audit_helper_usrinfo(bool 
task_valid,
audit_get_loginuid(current) :
INVALID_UID);
const unsigned int ses = task_valid ? audit_get_sessionid(current) :
-   (unsigned int) -1;
+   AUDIT_SID_UNSET;
 
audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
audit_log_task_context(audit_buf);
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e..04f9bd2 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -465,6 +465,7 @@ struct audit_tty_status {
 };
 
 #define AUDIT_UID_UNSET (unsigned int)-1
+#define AUDIT_SID_UNSET ((unsigned int)-1)
 
 /* audit_rule_data supports filter rules with both integer and string
  * fields.  It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
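Review bot: the new AUDIT_SID_UNSET is parenthesized but the adjacent AUDIT_UID_UNSET on the previous line is not, so the two macros behave differently in expression context (`(unsigned int)-1` without outer parentheses can bind unexpectedly); parenthesize AUDIT_UID_UNSET in the same hunk or say in the commit message why it is left alone. Since this header is uapi, the new macro becomes ABI; its value is the (unsigned int)-1 userspace already compares against, which is worth one sentence in the commit message.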
diff --git a/init/init_task.c b/init/init_task.c
index 3ac6e75..c788f91 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -119,7 +119,7 @@ struct task_struct init_task
.thread_node= LIST_HEAD_INIT(init_signals.thread_head),
 #ifdef CONFIG_AUDITSYSCALL
.loginuid   = INVALID_UID,
-   .sessionid  = (unsigned int)-1,
+   .sessionid  = AUDIT_SID_UNSET,
 #endif
 #ifdef CONFIG_PERF_EVENTS
.perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex),
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f3817d0..6e3ceb9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2050,7 +2050,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, 
kuid_t kloginuid,
 int audit_set_loginuid(kuid_t loginuid)
 {
struct task_struct *task = current;
-   unsigned int oldsessionid, sessionid = (unsigned int)-1;
+   unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
kuid_t oldloginuid;
int rc;
 
@@ -2064,7 +2064,7 @@ int audit_set_loginuid(kuid_t loginuid)
/* are we setting or clearing? */
if (uid_valid(loginuid)) {
sessionid = (unsigned int)atomic_inc_return(_id);
-   if (unlikely(sessionid == (unsigned int)-1))
+   if (unlikely(sessionid == AUDIT_SID_UNSET))
sessionid = (unsigned 
int)atomic_inc_return(_id);
}
 
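Review bot: the single retry after `sessionid == AUDIT_SID_UNSET` is correct (two consecutive atomic_inc_return() results cannot both be the sentinel), but nothing says so; a one-line comment that the retry skips the unset value on counter wraparound would save the next reader from working it out.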
-- 
1.8.3.1



[PATCH ghak81 RFC V1 0/5] audit: group task params

2018-05-04 Thread Richard Guy Briggs
Group the audit parameters for each task into one structure.
In particular, remove the loginuid and sessionid values and the audit
context pointer from the task structure, replacing them with an audit
task information structure to contain them.  Use access functions to
access audit values.

Note:  Use static allocation of the audit task information structure
initially.  Dynamic allocation was considered and attempted, but isn't
ready yet.  Static allocation has the limitation that future audit task
information structure changes would cause a visible change to the rest
of the kernel, whereas dynamic allocation would mostly hide any future
changes.

The first four access normalization patches could stand alone.

Passes audit-testsuite.

Richard Guy Briggs (5):
  audit: normalize loginuid read access
  audit: convert sessionid unset to a macro
  audit: use inline function to get audit context
  audit: use inline function to set audit context
  audit: collect audit task parameters

 MAINTAINERS  |  2 +-
 include/linux/audit.h| 30 ++---
 include/linux/audit_task.h   | 31 ++
 include/linux/sched.h|  6 +--
 include/net/xfrm.h   |  4 +-
 include/uapi/linux/audit.h   |  1 +
 init/init_task.c |  8 +++-
 kernel/audit.c   |  4 +-
 kernel/audit_watch.c |  2 +-
 kernel/auditsc.c | 82 ++--
 kernel/fork.c|  2 +-
 net/bridge/netfilter/ebtables.c  |  2 +-
 net/core/dev.c   |  2 +-
 net/netfilter/x_tables.c |  2 +-
 net/netlabel/netlabel_user.c |  2 +-
 security/integrity/ima/ima_api.c |  2 +-
 security/integrity/integrity_audit.c |  2 +-
 security/lsm_audit.c |  2 +-
 security/selinux/hooks.c |  4 +-
 security/selinux/selinuxfs.c |  6 +--
 security/selinux/ss/services.c   | 12 +++---
 21 files changed, 129 insertions(+), 79 deletions(-)
 create mode 100644 include/linux/audit_task.h

-- 
1.8.3.1

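The cover letter above, together with patches 2/5 and 5/5 of this series, describes the shape of the change: loginuid and sessionid move into a per-task audit_task_info struct behind accessor functions, a fresh task starts with INVALID_UID and AUDIT_SID_UNSET, and audit_set_loginuid() allocates a session ID from an atomic counter while skipping the AUDIT_SID_UNSET sentinel on wraparound. The block below is an added userspace model of that logic written for this page; it is not kernel code from the series. kuid_t, INVALID_UID, uid_valid(), __kuid_val(), the atomic session counter and the demo_* functions are host-side stand-ins for the kernel definitions, and uid 1000 is a constructed sample value.

```c
/* Userspace model of the audit task-info accessors and session-id
 * allocation from the ghak81 series.  Added example, not kernel code:
 * kuid_t, INVALID_UID, uid_valid() and the atomic counter are re-done in
 * plain C11 so the sentinel/wraparound edge case can be run on a host. */
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct { unsigned int val; } kuid_t;         /* stand-in for kernel kuid_t */
#define INVALID_UID     ((kuid_t){ (unsigned int)-1 })
#define AUDIT_SID_UNSET ((unsigned int)-1)           /* same value as patch 2/5 */

static inline bool uid_valid(kuid_t uid) { return uid.val != (unsigned int)-1; }
static inline unsigned int __kuid_val(kuid_t uid) { return uid.val; }

/* Grouped audit task parameters, as introduced by patch 5/5. */
struct audit_task_info {
	kuid_t loginuid;
	unsigned int sessionid;
	void *ctx;
};

struct task_struct { struct audit_task_info audit; };  /* only the audit part modelled */

/* Accessors instead of reaching into the task struct (patches 1/5 and 5/5). */
static inline kuid_t audit_get_loginuid(const struct task_struct *tsk) { return tsk->audit.loginuid; }
static inline unsigned int audit_get_sessionid(const struct task_struct *tsk) { return tsk->audit.sessionid; }

/* Global session counter; stand-in for the kernel's atomic session_id. */
static atomic_uint session_id;

/* atomic_inc_return() equivalent that skips the sentinel exactly as
 * audit_set_loginuid() does: one retry is enough, two consecutive
 * increments cannot both land on (unsigned int)-1. */
static unsigned int audit_next_sessionid(void)
{
	unsigned int sid = atomic_fetch_add(&session_id, 1) + 1;
	if (sid == AUDIT_SID_UNSET)
		sid = atomic_fetch_add(&session_id, 1) + 1;
	return sid;
}

/* Model of audit_set_loginuid(): a valid loginuid starts a new session,
 * clearing it with INVALID_UID leaves the session unset. */
int audit_set_loginuid(struct task_struct *tsk, kuid_t loginuid)
{
	unsigned int sessionid = AUDIT_SID_UNSET;

	if (uid_valid(loginuid))
		sessionid = audit_next_sessionid();
	tsk->audit.loginuid = loginuid;
	tsk->audit.sessionid = sessionid;
	return 0;
}

/* The " auid=%u ses=%u" fragment xfrm_audit_helper_usrinfo() logs. */
int audit_format_usrinfo(const struct task_struct *tsk, char *buf, size_t len)
{
	return snprintf(buf, len, " auid=%u ses=%u",
			__kuid_val(audit_get_loginuid(tsk)), audit_get_sessionid(tsk));
}

/* A task initialised like init_task: loginuid invalid, session unset. */
int demo_fresh_task_is_unset(void)
{
	struct task_struct t = { .audit = { INVALID_UID, AUDIT_SID_UNSET, NULL } };
	return !uid_valid(audit_get_loginuid(&t)) &&
	       audit_get_sessionid(&t) == AUDIT_SID_UNSET;
}

/* Format the usrinfo fragment for a fresh task (do_login == 0) or after a
 * first login as uid 1000 on a reset counter, and compare with `expected`. */
int demo_usrinfo_matches(int do_login, const char *expected)
{
	struct task_struct t = { .audit = { INVALID_UID, AUDIT_SID_UNSET, NULL } };
	char buf[64];

	atomic_store(&session_id, 0);
	if (do_login)
		audit_set_loginuid(&t, (kuid_t){ 1000 });
	audit_format_usrinfo(&t, buf, sizeof buf);
	return strcmp(buf, expected) == 0;
}

/* Drive the counter to the wraparound point: the next increment would
 * yield UINT_MAX == AUDIT_SID_UNSET, so the allocator must hand out 0. */
unsigned int demo_wraparound(void)
{
	struct task_struct t = { .audit = { INVALID_UID, AUDIT_SID_UNSET, NULL } };
	atomic_store(&session_id, UINT_MAX - 1);
	audit_set_loginuid(&t, (kuid_t){ 1000 });
	return audit_get_sessionid(&t);
}

/* Clearing the loginuid puts the session back to unset. */
unsigned int demo_clear_sessionid(void)
{
	struct task_struct t = { .audit = { INVALID_UID, AUDIT_SID_UNSET, NULL } };
	atomic_store(&session_id, 0);
	audit_set_loginuid(&t, (kuid_t){ 1000 });
	audit_set_loginuid(&t, INVALID_UID);
	return audit_get_sessionid(&t);
}

int main(void)
{
	printf("fresh task unset: %d\n", demo_fresh_task_is_unset());
	printf("fresh usrinfo ok: %d\n", demo_usrinfo_matches(0, " auid=4294967295 ses=4294967295"));
	printf("login usrinfo ok: %d\n", demo_usrinfo_matches(1, " auid=1000 ses=1"));
	printf("session after wraparound: %u\n", demo_wraparound());
	printf("session after clear: %u\n", demo_clear_sessionid());
	return 0;
}
```

Build with `cc -std=c11 -Wall` and run. The formatted fragment for a fresh task is the `auid=4294967295 ses=4294967295` that shows up in real audit records for kernel threads and daemons started before any login, so a detection rule keyed on auid must treat that value as "no login identity", not as a user.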


[PATCH ghak81 RFC V1 4/5] audit: use inline function to set audit context

2018-05-04 Thread Richard Guy Briggs
Recognizing that the audit context is an internal audit value, use an
access function to set the audit context pointer for the task
rather than reaching directly into the task struct to set it.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h | 8 
 kernel/auditsc.c  | 6 +++---
 kernel/fork.c | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 93e4c61..dba0d45 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -235,6 +235,10 @@ extern void __audit_inode_child(struct inode *parent,
 extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 extern void __audit_ptrace(struct task_struct *t);
 
+static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
+{
+   task->audit_context = ctx;
+}
 static inline struct audit_context *audit_context(struct task_struct *task)
 {
return task->audit_context;
@@ -472,6 +476,10 @@ static inline bool audit_dummy_context(void)
 {
return true;
 }
+static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
+{
+   task->audit_context = ctx;
+}
 static inline struct audit_context *audit_context(struct task_struct *task)
 {
return NULL;
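Review bot: the !CONFIG_AUDITSYSCALL stub of audit_set_context() still writes task->audit_context, while the paired audit_context() stub just returns NULL; make the setter an empty `{ }` body so the stub pair is consistent and so the unconditional audit_set_context(p, NULL) call added in fork.c keeps compiling once patch 5/5 moves the field under #ifdef CONFIG_AUDITSYSCALL.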
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index a4bbdcc..f294e4a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -865,7 +865,7 @@ static inline struct audit_context 
*audit_take_context(struct task_struct *tsk,
audit_filter_inodes(tsk, context);
}
 
-   tsk->audit_context = NULL;
+   audit_set_context(tsk, NULL);
return context;
 }
 
@@ -952,7 +952,7 @@ int audit_alloc(struct task_struct *tsk)
}
context->filterkey = key;
 
-   tsk->audit_context  = context;
+   audit_set_context(tsk, context);
set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
return 0;
 }
@@ -1590,7 +1590,7 @@ void __audit_syscall_exit(int success, long return_code)
kfree(context->filterkey);
context->filterkey = NULL;
}
-   tsk->audit_context = context;
+   audit_set_context(tsk, context);
 }
 
 static inline void handle_one(const struct inode *inode)
diff --git a/kernel/fork.c b/kernel/fork.c
index 242c8c9..cd18448 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1713,7 +1713,7 @@ static __latent_entropy struct task_struct *copy_process(
p->start_time = ktime_get_ns();
p->real_start_time = ktime_get_boot_ns();
p->io_context = NULL;
-   p->audit_context = NULL;
+   audit_set_context(p, NULL);
cgroup_fork(p);
 #ifdef CONFIG_NUMA
p->mempolicy = mpol_dup(p->mempolicy);
-- 
1.8.3.1



[PATCH ghak81 RFC V1 3/5] audit: use inline function to get audit context

2018-05-04 Thread Richard Guy Briggs
Recognizing that the audit context is an internal audit value, use an
access function to retrieve the audit context pointer for the task
rather than reaching directly into the task struct to get it.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h| 16 ---
 include/net/xfrm.h   |  2 +-
 kernel/audit.c   |  4 +--
 kernel/audit_watch.c |  2 +-
 kernel/auditsc.c | 52 ++--
 net/bridge/netfilter/ebtables.c  |  2 +-
 net/core/dev.c   |  2 +-
 net/netfilter/x_tables.c |  2 +-
 net/netlabel/netlabel_user.c |  2 +-
 security/integrity/ima/ima_api.c |  2 +-
 security/integrity/integrity_audit.c |  2 +-
 security/lsm_audit.c |  2 +-
 security/selinux/hooks.c |  4 +--
 security/selinux/selinuxfs.c |  6 ++---
 security/selinux/ss/services.c   | 12 -
 15 files changed, 60 insertions(+), 52 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 5f86f7c..93e4c61 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -235,26 +235,30 @@ extern void __audit_inode_child(struct inode *parent,
 extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 extern void __audit_ptrace(struct task_struct *t);
 
+static inline struct audit_context *audit_context(struct task_struct *task)
+{
+   return task->audit_context;
+}
 static inline bool audit_dummy_context(void)
 {
-   void *p = current->audit_context;
+   void *p = audit_context(current);
return !p || *(int *)p;
 }
 static inline void audit_free(struct task_struct *task)
 {
-   if (unlikely(task->audit_context))
+   if (unlikely(audit_context(task)))
__audit_free(task);
 }
 static inline void audit_syscall_entry(int major, unsigned long a0,
   unsigned long a1, unsigned long a2,
   unsigned long a3)
 {
-   if (unlikely(current->audit_context))
+   if (unlikely(audit_context(current)))
__audit_syscall_entry(major, a0, a1, a2, a3);
 }
 static inline void audit_syscall_exit(void *pt_regs)
 {
-   if (unlikely(current->audit_context)) {
+   if (unlikely(audit_context(current))) {
int success = is_syscall_success(pt_regs);
long return_code = regs_return_value(pt_regs);
 
@@ -468,6 +472,10 @@ static inline bool audit_dummy_context(void)
 {
return true;
 }
+static inline struct audit_context *audit_context(struct task_struct *task)
+{
+   return NULL;
+}
 static inline struct filename *audit_reusename(const __user char *name)
 {
return NULL;
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index fcce8ee..2788332 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -736,7 +736,7 @@ static inline struct audit_buffer *xfrm_audit_start(const 
char *op)
 
if (audit_enabled == 0)
return NULL;
-   audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
+   audit_buf = audit_log_start(audit_context(current), GFP_ATOMIC,
AUDIT_MAC_IPSEC_EVENT);
if (audit_buf == NULL)
return NULL;
diff --git a/kernel/audit.c b/kernel/audit.c
index e9f9a90..9a03603 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1099,7 +1099,7 @@ static void audit_log_feature_change(int which, u32 
old_feature, u32 new_feature
 
if (audit_enabled == AUDIT_OFF)
return;
-   ab = audit_log_start(current->audit_context,
+   ab = audit_log_start(audit_context(current),
 GFP_KERNEL, AUDIT_FEATURE_CHANGE);
if (!ab)
return;
@@ -2317,7 +2317,7 @@ void audit_log_link_denied(const char *operation)
return;
 
/* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
-   ab = audit_log_start(current->audit_context, GFP_KERNEL,
+   ab = audit_log_start(audit_context(current), GFP_KERNEL,
 AUDIT_ANOM_LINK);
if (!ab)
return;
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 9eb8b35..8b596c4 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -274,7 +274,7 @@ static void audit_update_watch(struct audit_parent *parent,
/* If the update involves invalidating rules, do the inode-based
 * filtering now, so we don't omit records. */
if (invalidating && !audit_dummy_context())
-   audit_filter_inodes(current, current->audit_context);
+   audit_filter_inodes(current, audit_context(current));
 
/* updating ino will likely change which audit_hash_list we
 * are on so we need a new watch for the new list */
diff --git 

[PATCH ghak81 RFC V1 5/5] audit: collect audit task parameters

2018-05-04 Thread Richard Guy Briggs
The audit-related parameters in struct task_struct should ideally be
collected together and accessed through a standard audit API.

Collect the existing loginuid, sessionid and audit_context together in a
new struct audit_task_info pointer called "audit" in struct task_struct.

Use kmem_cache to manage this pool of memory.
Un-inline audit_free() to be able to always recover that memory.

See: https://github.com/linux-audit/audit-kernel/issues/81

Signed-off-by: Richard Guy Briggs 
---
 MAINTAINERS|  2 +-
 include/linux/audit.h  |  8 
 include/linux/audit_task.h | 31 +++
 include/linux/sched.h  |  6 ++
 init/init_task.c   |  8 ++--
 kernel/auditsc.c   |  4 ++--
 6 files changed, 46 insertions(+), 13 deletions(-)
 create mode 100644 include/linux/audit_task.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 0a1410d..8c7992d 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2510,7 +2510,7 @@ L:linux-au...@redhat.com (moderated for 
non-subscribers)
 W: https://github.com/linux-audit
 T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
 S: Supported
-F: include/linux/audit.h
+F: include/linux/audit*.h
 F: include/uapi/linux/audit.h
 F: kernel/audit*
 
diff --git a/include/linux/audit.h b/include/linux/audit.h
index dba0d45..1324969 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -237,11 +237,11 @@ extern void __audit_inode_child(struct inode *parent,
 
 static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
 {
-   task->audit_context = ctx;
+   task->audit.ctx = ctx;
 }
 static inline struct audit_context *audit_context(struct task_struct *task)
 {
-   return task->audit_context;
+   return task->audit.ctx;
 }
 static inline bool audit_dummy_context(void)
 {
@@ -330,12 +330,12 @@ extern int auditsc_get_stamp(struct audit_context *ctx,
 
 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 {
-   return tsk->loginuid;
+   return tsk->audit.loginuid;
 }
 
 static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
 {
-   return tsk->sessionid;
+   return tsk->audit.sessionid;
 }
 
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
diff --git a/include/linux/audit_task.h b/include/linux/audit_task.h
new file mode 100644
index 000..d4b3a20
--- /dev/null
+++ b/include/linux/audit_task.h
@@ -0,0 +1,31 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/* audit_task.h -- definition of audit_task_info structure
+ *
+ * Copyright 2018 Red Hat Inc., Raleigh, North Carolina.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * Written by Richard Guy Briggs 
+ *
+ */
+
+#ifndef _LINUX_AUDIT_TASK_H_
+#define _LINUX_AUDIT_TASK_H_
+
+struct audit_context;
+struct audit_task_info {
+   kuid_t  loginuid;
+   unsigned intsessionid;
+   struct audit_context*ctx;
+};
+
+#endif
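Review bot: audit_task.h uses kuid_t but includes nothing, so it only compiles because sched.h happens to pull in the uid types first; add `#include <linux/uidgid.h>` so the header stands on its own (the forward declaration of struct audit_context is already there). With an SPDX tag on the first line the full GPL boilerplate block below it is redundant for a new file.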
diff --git a/include/linux/sched.h b/include/linux/sched.h
index b3d697f..b58eca0 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -27,9 +27,9 @@
 #include 
 #include 
 #include 
+#include 
 
 /* task_struct member predeclarations (sorted alphabetically): */
-struct audit_context;
 struct backing_dev_info;
 struct bio_list;
 struct blk_plug;
@@ -832,10 +832,8 @@ struct task_struct {
 
struct callback_head*task_works;
 
-   struct audit_context*audit_context;
 #ifdef CONFIG_AUDITSYSCALL
-   kuid_t  loginuid;
-   unsigned intsessionid;
+   struct audit_task_info  audit;
 #endif
struct seccomp  seccomp;
 
diff --git a/init/init_task.c b/init/init_task.c
index c788f91..d33260d 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -9,6 +9,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -118,8 +119,11 @@ struct task_struct init_task
.thread_group   = LIST_HEAD_INIT(init_task.thread_group),
.thread_node= LIST_HEAD_INIT(init_signals.thread_head),
 #ifdef CONFIG_AUDITSYSCALL
-   .loginuid   = INVALID_UID,
-   .sessionid  = AUDIT_SID_UNSET,
+   .audit  = {
+   .loginuid   = INVALID_UID,
+   .sessionid  = AUDIT_SID_UNSET,
+   .ctx= NULL,
+   },
 #endif
 #ifdef CONFIG_PERF_EVENTS

[PATCH nf] netfilter: core: add missing __rcu annotation

2018-05-04 Thread Florian Westphal
Removes the following sparse error:
net/netfilter/core.c:598:30: warning: incorrect type in argument 1 (different 
address spaces)
net/netfilter/core.c:598:30:expected struct nf_hook_entries **e
net/netfilter/core.c:598:30:got struct nf_hook_entries [noderef] 
**

Signed-off-by: Florian Westphal 
---
 net/netfilter/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 0f6b8172fb9a..206fb2c4c319 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -585,7 +585,8 @@ void (*nf_nat_decode_session_hook)(struct sk_buff *, struct 
flowi *);
 EXPORT_SYMBOL(nf_nat_decode_session_hook);
 #endif
 
-static void __net_init __netfilter_net_init(struct nf_hook_entries **e, int 
max)
+static void __net_init
+__netfilter_net_init(struct nf_hook_entries __rcu **e, int max)
 {
int h;
 
-- 
2.16.1



Re: [PATCH] netfilter: nf_queue: Replace conntrack entry

2018-05-04 Thread kbuild test robot
Hi Kristian,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf-next/master]
[also build test ERROR on v4.17-rc3 next-20180503]
[if your patch is applied to the wrong git tree, please drop us a note to help 
improve the system]

url:
https://github.com/0day-ci/linux/commits/Kristian-Evensen/netfilter-nf_queue-Replace-conntrack-entry/20180504-051218
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: x86_64-randconfig-s5-05041850 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64 

All errors (new ones prefixed by >>):

   net/netfilter/nfnetlink_queue.o: In function `nfqnl_update_ct':
>> net/netfilter/nfnetlink_queue.c:1062: undefined reference to 
>> `nf_ct_l3proto_find_get'
>> net/netfilter/nfnetlink_queue.c:1069: undefined reference to 
>> `nf_ct_l4proto_find_get'
>> net/netfilter/nfnetlink_queue.c:1071: undefined reference to 
>> `nf_ct_get_tuple'
>> net/netfilter/nfnetlink_queue.c:1079: undefined reference to 
>> `nf_conntrack_find_get'

vim +1062 net/netfilter/nfnetlink_queue.c

  1046  
  1047  #if IS_ENABLED(CONFIG_NF_CONNTRACK)
  1048  static void nfqnl_update_ct(struct net *net, struct sk_buff *skb)
  1049  {
  1050  const struct nf_conntrack_l3proto *l3proto;
  1051  const struct nf_conntrack_l4proto *l4proto;
  1052  struct nf_conntrack_tuple_hash *h;
  1053  struct nf_conntrack_tuple tuple;
  1054  enum ip_conntrack_info ctinfo;
  1055  struct nf_conn *ct = NULL;
  1056  unsigned int dataoff;
  1057  u16 l3num;
  1058  u8 l4num;
  1059  
  1060  ct = nf_ct_get(skb, );
  1061  l3num = nf_ct_l3num(ct);
> 1062  l3proto = nf_ct_l3proto_find_get(l3num);
  1063  
  1064  if (l3proto->get_l4proto(skb, skb_network_offset(skb), ,
  1065   ) <= 0) {
  1066  return;
  1067  }
  1068  
> 1069  l4proto = nf_ct_l4proto_find_get(l3num, l4num);
  1070  
> 1071  if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, 
> l3num,
  1072   l4num, net, , l3proto, l4proto)) {
  1073  return;
  1074  }
  1075  
  1076  #if IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES)
  1077  h = nf_conntrack_find_get(net, >zone, );
  1078  #else
> 1079  h = nf_conntrack_find_get(net, NULL, );
  1080  #endif
  1081  
  1082  if (h) {
  1083  pr_debug("%s: tuple %u %pI4:%hu -> %pI4:%hu\n", 
__func__,
  1084   tuple.dst.protonum, ,
  1085   ntohs(tuple.src.u.all), ,
  1086   ntohs(tuple.dst.u.all));
  1087  nf_ct_put(ct);
  1088  ct = nf_ct_tuplehash_to_ctrack(h);
  1089  nf_ct_set(skb, ct, IP_CT_NEW);
  1090  }
  1091  }
  1092  #endif
  1093  

---
0-DAY kernel test infrastructureOpen Source Technology Center
https://lists.01.org/pipermail/kbuild-all   Intel Corporation




Re: [PATCH 1/1] netfilter: Fix handling simultaneous open in TCP conntrack

2018-05-04 Thread Jozsef Kadlecsik
Hi Pablo,

[Sorry for the delay.]

On Fri, 27 Apr 2018, Pablo Neira Ayuso wrote:

> On Sat, Apr 21, 2018 at 01:43:48PM +0200, Jozsef Kadlecsik wrote:
> > Dominique Martinet reported a TCP hang problem when simultaneous open 
> > was used. The problem is that the tcp_conntracks state table is not 
> > smart enough to handle the case. The state table could be fixed by 
> > introducing a new state, but that would require more lines of code 
> > compared to this patch, due to the required backward compatibility 
> > with ctnetlink.
> 
> BTW, what is exactly the problem in ctnetlink. I think probably there is 
> a way to do some mapping to avoid this. Thanks!

There's nothing wrong with ctnetlink, I was too terse.

If a new state is introduced, then there'd be a hole in several internal 
tables (tcp_conntrack_names, tcp_timeouts, tcp_conntracks state table) and 
that'd be ugly. However if the states are renumbered in order to get rid 
of the holes, then that'd break the backward compatibility in ctnetlink - 
and userspace anyway, because the constants are exposed through 
uapi/linux/netfilter/nf_conntrack_tcp.h. Or some mapping could be used as 
you suggest but that seems to be overkill compared to the few lines of 
code in the patch.

Best regards,
Jozsef
-
E-mail  : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
  H-1525 Budapest 114, POB. 49, Hungary


Re: [PATCH iptables-compat 2/3] iptables-compat: do not fail on restore if user chain exists

2018-05-04 Thread Arturo Borrero Gonzalez
On 4 May 2018 at 11:49, Pablo Neira Ayuso  wrote:
>
> +int nft_table_flush(struct nft_handle *h, const char *table)
> +{
> +   struct nftnl_table *r;
> +   int ret = 0;
> +
> +   nft_fn = nft_table_flush;
> +
> +   r = nftnl_table_alloc();
> +   if (r == NULL)
> +   goto err;
> +
> +   nftnl_table_set_str(r, NFTNL_TABLE_NAME, table);
> +
> +   batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r);
> +err:
> +   /* the core expects 1 for success and 0 for error */
> +   return ret == 0 ? 1 : 0;
> +}
> +

it seems ret is never set to something meaningful?


[PATCH iptables-compat 2/3] iptables-compat: do not fail on restore if user chain exists

2018-05-04 Thread Pablo Neira Ayuso
The following snippet fails if user chain FOO exists, but it should not fail:

iptables-compat -F
iptables-compat -N FOO
iptables-compat-save > foo
iptables-compat-restore < foo

Reported-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
---
 iptables/nft-shared.h  |  2 +-
 iptables/nft.c | 25 +
 iptables/nft.h |  1 +
 iptables/xtables-restore.c |  6 +++---
 4 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index e13a1a8563c3..1520d613b528 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -255,7 +255,7 @@ struct nft_xt_restore_cb {
int (*chain_user_add)(struct nft_handle *h, const char *chain,
  const char *table);
 
-   int (*rule_flush)(struct nft_handle *h, const char *chain, const char 
*table);
+   int (*table_flush)(struct nft_handle *h, const char *table);
 
int (*do_command)(struct nft_handle *h, int argc, char *argv[],
  char **table, bool restore);
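Review bot: rule_flush is removed from struct nft_xt_restore_cb but the diffstat only updates xtables-restore.c; any other initializer of this struct that still sets .rule_flush (the ebtables/arptables restore front ends, if they share it) will fail to compile, so this wants a build of every *-restore binary, not just iptables-compat-restore. nft_rule_flush() itself is kept, so the command-line -F path is unaffected.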
diff --git a/iptables/nft.c b/iptables/nft.c
index e60923d6ecbf..5858e01e52ac 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -262,6 +262,7 @@ enum obj_update_type {
NFT_COMPAT_RULE_REPLACE,
NFT_COMPAT_RULE_DELETE,
NFT_COMPAT_RULE_FLUSH,
+   NFT_COMPAT_TABLE_FLUSH,
 };
 
 enum obj_action {
@@ -1283,6 +1284,25 @@ next:
return 1;
 }
 
+int nft_table_flush(struct nft_handle *h, const char *table)
+{
+   struct nftnl_table *r;
+   int ret = 0;
+
+   nft_fn = nft_table_flush;
+
+   r = nftnl_table_alloc();
+   if (r == NULL)
+   goto err;
+
+   nftnl_table_set_str(r, NFTNL_TABLE_NAME, table);
+
+   batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r);
+err:
+   /* the core expects 1 for success and 0 for error */
+   return ret == 0 ? 1 : 0;
+}
+
 static void
 __nft_rule_flush(struct nft_handle *h, const char *table, const char *chain)
 {
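Review bot: ret is never assigned in nft_table_flush(), so when nftnl_table_alloc() fails the function jumps to err and still returns 1 (success) and the restore silently continues without the flush; set `ret = -1` in the failure branch (as Arturo also noted) and consider surfacing the allocation failure. The "core expects 1 for success and 0 for error" comment is the only place the convention is documented; the reply mentions revisiting return values across the compat code, which would be the place to state it once.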
@@ -2294,6 +2314,11 @@ static int nft_action(struct nft_handle *h, int action)
nft_compat_rule_batch_add(h, NFT_MSG_DELRULE, 0,
  seq++, n->rule);
break;
+   case NFT_COMPAT_TABLE_FLUSH:
+   nft_compat_table_batch_add(h, NFT_MSG_DELTABLE,
+  0,
+  seq++, n->table);
+   break;
}
 
h->obj_list_num--;
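Review bot: implementing the flush as NFT_MSG_DELTABLE means a table that does not yet exist in the kernel (first restore after boot, or a table never created) answers ENOENT and, because this is batched, aborts the whole batch rather than just this step; guard the flush with nft_table_find() (already declared in nft.h in this diff) or make the delete tolerant of a missing table. Deleting the table also removes every chain including the base chains, unlike the previous rule-only flush, so the following chain_set/chain_user_add lines must recreate them; that is presumably the intent, and deserves a sentence in the commit message.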
diff --git a/iptables/nft.h b/iptables/nft.h
index aaf3cbe0c0e3..2d5c37e5b502 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -58,6 +58,7 @@ struct nftnl_chain_list;
 int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, 
const char *tablename, bool counters), bool counters);
 bool nft_table_find(struct nft_handle *h, const char *tablename);
 int nft_table_purge_chains(struct nft_handle *h, const char *table, struct 
nftnl_chain_list *list);
+int nft_table_flush(struct nft_handle *h, const char *table);
 
 /*
  * Operations with chains.
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index fc39ad9c4fa5..3de496f85387 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -191,7 +191,7 @@ struct nft_xt_restore_cb restore_cb = {
.commit = nft_commit,
.abort  = nft_abort,
.chains_purge   = nft_table_purge_chains,
-   .rule_flush = nft_rule_flush,
+   .table_flush= nft_table_flush,
.chain_del  = chain_delete,
.do_command = do_commandx,
.chain_set  = nft_chain_set,
@@ -270,8 +270,8 @@ void xtables_restore_parse(struct nft_handle *h,
if (noflush == 0) {
DEBUGP("Cleaning all chains of table '%s'\n",
table);
-   if (cb->rule_flush)
-   cb->rule_flush(h, NULL, table);
+   if (cb->table_flush)
+   cb->table_flush(h, table);
}
 
ret = 1;
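Review bot: the DEBUGP message still reads "Cleaning all chains of table" while the new callback batches a table delete (`NFT_MSG_DELTABLE` for `NFT_COMPAT_TABLE_FLUSH`), so debug output no longer matches what is sent; reword it to say the table is flushed or deleted. The silent skip when `cb->table_flush` is NULL matches the previous `rule_flush` behaviour and is fine.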
-- 
2.11.0



[PATCH iptables-compat 1/3] iptables-compat: remove non-batching routines

2018-05-04 Thread Pablo Neira Ayuso
This is only needed by 3.16, which was released 8 months after nftables was
merged upstream. That kernel version supports a reduced featureset.

Signed-off-by: Pablo Neira Ayuso 
---
 iptables/nft.c | 157 +++--
 iptables/nft.h |   3 --
 2 files changed, 7 insertions(+), 153 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index e7cb827bb132..e60923d6ecbf 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -517,30 +517,6 @@ struct builtin_table xtables_bridge[TABLES_MAX] = {
},
 };
 
-int nft_table_add(struct nft_handle *h, struct nftnl_table *t, uint16_t flags)
-{
-   char buf[MNL_SOCKET_BUFFER_SIZE];
-   struct nlmsghdr *nlh;
-   int ret;
-
-   nlh = nftnl_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, h->family,
-   NLM_F_ACK|flags, h->seq);
-   nftnl_table_nlmsg_build_payload(nlh, t);
-   nftnl_table_free(t);
-
-#ifdef NLDEBUG
-   char tmp[1024];
-
-   nft_table_snprintf(tmp, sizeof(tmp), t, 0, 0);
-   printf("DEBUG: table: %s\n", tmp);
-   mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg));
-#endif
-
-   ret = mnl_talk(h, nlh, NULL, NULL);
-
-   return (ret == 0 || (ret == -1 && errno == EEXIST)) ? 0 : -1;
-}
-
 static int nft_table_builtin_add(struct nft_handle *h,
 struct builtin_table *_t)
 {
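Review bot: the removed `nft_table_add()` freed `t` with `nftnl_table_free(t)` and then, under `#ifdef NLDEBUG`, passed the same `t` to `nft_table_snprintf()`, a use-after-free in the debug build; the commit message could mention that dropping the non-batching path also retires that bug.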
@@ -556,10 +532,7 @@ static int nft_table_builtin_add(struct nft_handle *h,
 
nftnl_table_set(t, NFTNL_TABLE_NAME, (char *)_t->name);
 
-   if (h->batch_support)
-   ret = batch_table_add(h, NFT_COMPAT_TABLE_ADD, t);
-   else
-   ret = nft_table_add(h, t, NLM_F_EXCL);
+   ret = batch_table_add(h, NFT_COMPAT_TABLE_ADD, t);
 
if (ret == 0)
_t->initialized = true;
@@ -587,29 +560,6 @@ nft_chain_builtin_alloc(struct builtin_table *table,
return c;
 }
 
-int nft_chain_add(struct nft_handle *h, struct nftnl_chain *c, uint16_t flags)
-{
-   char buf[MNL_SOCKET_BUFFER_SIZE];
-   struct nlmsghdr *nlh;
-
-   /* NLM_F_CREATE requests module autoloading */
-   nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, h->family,
-   NLM_F_ACK|flags|NLM_F_CREATE,
-   h->seq);
-   nftnl_chain_nlmsg_build_payload(nlh, c);
-   nftnl_chain_free(c);
-
-#ifdef NLDEBUG
-   char tmp[1024];
-
-   nft_chain_snprintf(tmp, sizeof(tmp), c, 0, 0);
-   printf("DEBUG: chain: %s\n", tmp);
-   mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg));
-#endif
-
-   return mnl_talk(h, nlh, NULL, NULL);
-}
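Review bot: the same ordering defect is in the removed `nft_chain_add()`: `nftnl_chain_free(c)` precedes `nft_chain_snprintf(..., c, ...)` inside the NLDEBUG block, so the debug path dereferenced freed memory. Nothing to fix since the function goes away, but it belongs in the rationale.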
-
 static void nft_chain_builtin_add(struct nft_handle *h,
  struct builtin_table *table,
  struct builtin_chain *chain)
@@ -620,10 +570,7 @@ static void nft_chain_builtin_add(struct nft_handle *h,
if (c == NULL)
return;
 
-   if (h->batch_support)
-   batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
-   else
-   nft_chain_add(h, c, NLM_F_EXCL);
+   batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
 }
 
 /* find if built-in table already exists */
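Review bot: with this hunk the last reader of `h->batch_support` in the excerpt disappears (the other was in `nft_table_builtin_add()` above). Confirm that the `batch_support` member and the `nft_table_add()` / `nft_chain_add()` prototypes are removed from nft.h in the same patch; the diffstat shows three deletions there but that hunk is not in this excerpt, and a stale member that is never set is easy to misread later.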
@@ -713,49 +660,6 @@ static bool nft_chain_builtin(struct nftnl_chain *c)
return nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM) != NULL;
 }
 
-static bool mnl_batch_supported(struct nft_handle *h)
-{
-   char buf[MNL_SOCKET_BUFFER_SIZE];
-   uint32_t seq = 1;
-   int ret;
-
-   mnl_nftnl_batch_begin(h->batch, seq++);
-
-   nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(h->batch),
-   NFT_MSG_NEWSET, AF_INET,
-   NLM_F_ACK, seq++);
-   mnl_nlmsg_batch_next(h->batch);
-
-   mnl_nftnl_batch_end(h->batch, seq++);
-
-   ret = mnl_socket_sendto(h->nl, mnl_nlmsg_batch_head(h->batch),
-   mnl_nlmsg_batch_size(h->batch));
-   if (ret < 0)
-   goto err;
-
-   mnl_nlmsg_batch_reset(h->batch);
-
-   ret = mnl_socket_recvfrom(h->nl, buf, sizeof(buf));
-   while (ret > 0) {
-   ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(h->nl),
-NULL, NULL);
-   if (ret <= 0)
-   break;
-
-   ret = mnl_socket_recvfrom(h->nl, buf, sizeof(buf));
-   }
-
-   /* We're sending an incomplete message to see if the kernel supports
-* set messages in batches. EINVAL means that we sent an incomplete
-* message with missing attributes. The kernel just ignores messages
-* that we cannot include in the batch.
-*/
-   return (ret == -1 && errno == EINVAL) ? true : false;
-err:
-   mnl_nlmsg_batch_reset(h->batch);
-   return ret;
-}
-
 static int nft_restart(struct nft_handle *h)
 {
mnl_socket_close(h->nl);
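Review bot: the removed probe had a type bug at its `err:` label: `return ret;` in a function declared `static bool` converts the negative `ret` from a failed `mnl_socket_sendto()` to `true`, so a send failure was reported as "batching supported". Since the probe is deleted outright no fix is needed, but it is another reason the removal is welcome.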

[PATCH iptables-compat 3/3] iptables-compat: chains are purged out already from table flush

2018-05-04 Thread Pablo Neira Ayuso
Remove dead code that uses the ancient non-batch netlink API. Chains
are already purged out from table flush.

Signed-off-by: Pablo Neira Ayuso 
---
 iptables/nft-shared.h  |  2 --
 iptables/nft.c | 45 -
 iptables/xtables-restore.c |  5 -
 3 files changed, 52 deletions(-)

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 1520d613b528..79bea410c4d8 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -245,8 +245,6 @@ struct nftnl_chain_list;
 struct nft_xt_restore_cb {
void (*table_new)(struct nft_handle *h, const char *table);
struct nftnl_chain_list *(*chain_list)(struct nft_handle *h);
-   int (*chains_purge)(struct nft_handle *h, const char *table,
-   struct nftnl_chain_list *clist);
void (*chain_del)(struct nftnl_chain_list *clist, const char *curtable,
  const char *chain);
int (*chain_set)(struct nft_handle *h, const char *table,
diff --git a/iptables/nft.c b/iptables/nft.c
index 5858e01e52ac..2e8e0ae60b9d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1397,18 +1397,6 @@ int nft_chain_user_add(struct nft_handle *h, const char 
*chain, const char *tabl
 #define NLM_F_NONREC   0x100   /* Do not delete recursively*/
 #endif
 
-static int __nft_chain_del(struct nft_handle *h, struct nftnl_chain *c)
-{
-   char buf[MNL_SOCKET_BUFFER_SIZE];
-   struct nlmsghdr *nlh;
-
-   nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_DELCHAIN, h->family,
- NLM_F_NONREC | NLM_F_ACK, h->seq);
-   nftnl_chain_nlmsg_build_payload(nlh, c);
-
-   return mnl_talk(h, nlh, NULL, NULL);
-}
-
 int nft_chain_user_del(struct nft_handle *h, const char *chain, const char 
*table)
 {
struct nftnl_chain_list *list;
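Review bot: the `#ifndef NLM_F_NONREC` fallback definition immediately above the removed `__nft_chain_del()` appears to exist for that function's `NLM_F_NONREC | NLM_F_ACK` flags; confirm `NLM_F_NONREC` still has a user in nft.c after this hunk (for example in the batched chain deletion), and if not, drop the define in the same patch rather than leaving it orphaned.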
@@ -1666,39 +1654,6 @@ err:
return ret == 0 ? 1 : 0;
 }
 
-int nft_table_purge_chains(struct nft_handle *h, const char *this_table,
-  struct nftnl_chain_list *chain_list)
-{
-   struct nftnl_chain_list_iter *iter;
-   struct nftnl_chain *chain_obj;
-
-   iter = nftnl_chain_list_iter_create(chain_list);
-   if (iter == NULL)
-   return 0;
-
-   chain_obj = nftnl_chain_list_iter_next(iter);
-   while (chain_obj != NULL) {
-   const char *table =
-   nftnl_chain_get_str(chain_obj, NFTNL_CHAIN_TABLE);
-
-   if (strcmp(this_table, table) != 0)
-   goto next;
-
-   if (nft_chain_builtin(chain_obj))
-   goto next;
-
-   if ( __nft_chain_del(h, chain_obj) < 0) {
-   if (errno != EBUSY)
-   return -1;
-   }
-next:
-   chain_obj = nftnl_chain_list_iter_next(iter);
-   }
-   nftnl_chain_list_iter_destroy(iter);
-
-   return 0;
-}
-
 static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule_list *list,
  struct nftnl_rule *r)
 {
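Review bot: the replaced purge was deliberately narrower than a table delete: it skipped builtin chains via `nft_chain_builtin()`, deleted non-recursively and tolerated `EBUSY`. The commit message should say explicitly that table flush now removes base chains too and that the restore path recreates them, since that is the behavioural change a reader of this diff will look for. (The removed loop also leaked `iter` on its `return -1` path; that goes away with it.)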
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 3de496f85387..a33a659341db 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -190,7 +190,6 @@ struct nft_xt_restore_cb restore_cb = {
.chain_list = get_chain_list,
.commit = nft_commit,
.abort  = nft_abort,
-   .chains_purge   = nft_table_purge_chains,
.table_flush= nft_table_flush,
.chain_del  = chain_delete,
.do_command = do_commandx,
@@ -245,10 +244,6 @@ void xtables_restore_parse(struct nft_handle *h,
}
in_table = 0;
 
-   /* Purge out unused chains in this table */
-   if (!p->testing && cb->chains_purge)
-   cb->chains_purge(h, curtable, chain_list);
-
} else if ((buffer[0] == '*') && (!in_table)) {
/* New table */
char *table;
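Review bot: the removed call was guarded by `!p->testing`, while the table-flush callback that now covers chain removal (`cb->table_flush` in `xtables_restore_parse`) is guarded only by `noflush == 0`. Confirm that in testing mode the batch is aborted rather than committed so a `--test` run never deletes the table, and consider a one-line comment at the table-flush site recording that assumption.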
-- 
2.11.0



[PATCH ebtables] Fix musl libc compatibility

2018-05-04 Thread Baruch Siach
Conflicting definitions of struct ethhdr between the kernel and musl
libc provided headers cause a build failure:

In file included from .../usr/include/netinet/ether.h:8:0,
 from useful_functions.c:28:
.../usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
 struct ethhdr {
^~
In file included from include/linux/netfilter_bridge.h:8:0,
 from include/linux/netfilter_bridge/ebtables.h:17,
 from include/ebtables_u.h:27,
 from useful_functions.c:25:
include/linux/if_ether.h:119:8: note: originally defined here
 struct ethhdr {
^~

Recent enough versions of the kernel headers allow the libc to suppress
conflicting kernel definitions. Include the libc provided
netinet/ether.h before kernel headers to suppress the conflicting
definition of struct ethhdr.

Signed-off-by: Baruch Siach 
---
 include/ebtables_u.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/ebtables_u.h b/include/ebtables_u.h
index c8589969bd8e..4824a145964e 100644
--- a/include/ebtables_u.h
+++ b/include/ebtables_u.h
@@ -24,6 +24,7 @@
 #ifndef EBTABLES_U_H
 #define EBTABLES_U_H
 #include 
+#include 
 #include 
 #include 
 
-- 
2.17.0



Re: [PATCH][PING] Hide private symbols in libnfnetlink

2018-05-04 Thread Yuri Gribov
On Fri, May 4, 2018 at 1:23 AM, Jan Engelhardt  wrote:
> On Thursday 2018-05-03 17:03, Yuri Gribov wrote:
>
>>Hi all,
>>
>>Here's the updated version of the patch.
>>
>>diff --git a/src/Makefile.am b/src/Makefile.am
>>index d0098cc..d91c9f7 100644
>>--- a/src/Makefile.am
>>+++ b/src/Makefile.am
>>@@ -3,7 +3,8 @@ include $(top_srcdir)/Make_global.am
>> lib_LTLIBRARIES = libnfnetlink.la
>>
>> libnfnetlink_la_LDFLAGS = -Wc,-nostartfiles   \
>>--version-info $(LIBVERSION)
>>+-version-info $(LIBVERSION) \
>>+-Wl,--version-script=$(srcdir)/nfnl.version
>> libnfnetlink_la_SOURCES = libnfnetlink.c iftable.c rtnl.c
>>
>> noinst_HEADERS = iftable.h rtnl.h
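Review bot: `nfnl.version` is referenced from `libnfnetlink_la_LDFLAGS` but nothing in the hunk adds it to `EXTRA_DIST`, so a tarball produced by `make dist` will not ship the version script and linking from the release archive will fail; add `EXTRA_DIST = nfnl.version` (or equivalent) alongside the LDFLAGS change.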
>
> Another additional line will be needed,
>
> EXTRA_libnfnetlink_la_DEPENDENCIES = nfnl.version
>
> otherwise the linker won't rerun if the .version file gets modified.

Yup, reproduced. Attaching fixed patch.

-Y


0001-Hide-private-symbols-v5.patch
Description: Binary data