Re: [PATCH v3] ipvs: Fix checksumming on GSO of SCTP packets

2024-04-25 Thread Pablo Neira Ayuso
Hi, On Thu, Apr 25, 2024 at 06:28:40PM +0200, Ismael Luceno wrote: > It was observed in the wild that pairs of consecutive packets would leave > the IPVS with the same wrong checksum, and the issue only went away when > disabling GSO. > > IPVS needs to avoid computing the SCTP checksum when

Re: [PATCH v2] ipvs: Fix checksumming on GSO of SCTP packets

2024-04-24 Thread Pablo Neira Ayuso
On Sun, Apr 21, 2024 at 04:22:32PM +0200, Ismael Luceno wrote: > It was observed in the wild that pairs of consecutive packets would leave > the IPVS with the same wrong checksum, and the issue only went away when > disabling GSO. > > IPVS needs to avoid computing the SCTP checksum when using

Re: [PATCH net] net: ipvs: avoid stat macros calls from preemptible context

2024-01-17 Thread Pablo Neira Ayuso
On Mon, Jan 15, 2024 at 05:39:22PM +0300, Fedor Pchelkin wrote: > Inside decrement_ttl() upon discovering that the packet ttl has exceeded, > __IP_INC_STATS and __IP6_INC_STATS macros can be called from preemptible > context having the following backtrace: > > check_preemption_disabled: 48

Re: drivers/net/ethernet/mediatek/mtk_ppe_offload.c - suspicious code?

2021-04-19 Thread Pablo Neira Ayuso
On Sun, Apr 18, 2021 at 09:02:12PM -0400, Valdis Klētnieks wrote: > While doing some code auditing for -Woverride_init, I spotted some > questionable code > > commit 502e84e2382d92654a2ecbc52cdbdb5a11cdcec7 > Author: Felix Fietkau > Date: Wed Mar 24 02:30:54 2021 +0100 > > net: ethernet:

Re: linux-next: build failure after merge of the net-next tree

2021-04-12 Thread Pablo Neira Ayuso
On Mon, Apr 12, 2021 at 03:04:16PM +1000, Stephen Rothwell wrote: > Hi all, > > After merging the net-next tree, today's linux-next build (x86_64 > allmodconfig) failed like this: > > In file included from include/asm-generic/bug.h:20, > from arch/x86/include/asm/bug.h:93, >

Re: [PATCH v5] audit: log nftables configuration change events once per table

2021-03-31 Thread Pablo Neira Ayuso
On Wed, Mar 31, 2021 at 04:53:10PM -0400, Richard Guy Briggs wrote: > On 2021-03-31 22:22, Pablo Neira Ayuso wrote: > > On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote: > > > Reduce logging of nftables events to a level similar to iptables. > > > Rest

Re: [PATCH v5] audit: log nftables configuration change events once per table

2021-03-31 Thread Pablo Neira Ayuso
On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote: > @@ -8006,12 +7966,65 @@ static void nft_commit_notify(struct net *net, u32 > portid) > WARN_ON_ONCE(!list_empty(>nft.notify_list)); > } > > +static int nf_tables_commit_audit_alloc(struct list_head *adl, > +

Re: [PATCH v5] audit: log nftables configuration change events once per table

2021-03-31 Thread Pablo Neira Ayuso
UAF, Florian reported. I'm attaching an incremental fix. nf_tables_commit_audit_collect() refers to the trans object which might have been already released. commit e4d272948d25b66d86fc241cefd95281bfb1079e Author: Pablo Neira Ayuso Date: Wed Mar 31 22:19:51 2021 +0200 netfilter: nf_tables: us

Re: [PATCH][next] netfilter: nf_log_bridge: Fix missing assignment of ret on a call to nf_log_register

2021-03-31 Thread Pablo Neira Ayuso
On Wed, Mar 31, 2021 at 03:26:06PM +0100, Colin King wrote: > From: Colin Ian King > > Currently the call to nf_log_register is returning an error code that > is not being assigned to ret and yet ret is being checked. Fix this by > adding in the missing assignment. Applied, thanks.

Re: [PATCH] netfilter: ipset: Remove duplicate declaration

2021-03-30 Thread Pablo Neira Ayuso
On Sun, Mar 28, 2021 at 09:30:49PM +0200, Jozsef Kadlecsik wrote: > On Sat, 27 Mar 2021, Wan Jiabing wrote: > > > struct ip_set is declared twice. One is declared at 79th line, > > so remove the duplicate. > > Yes, it's a duplicate. Pablo, could you apply it? Applied, thanks Jozsef.

Re: [PATCH v5] audit: log nftables configuration change events once per table

2021-03-30 Thread Pablo Neira Ayuso
On Sun, Mar 28, 2021 at 08:50:45PM -0400, Paul Moore wrote: [...] > Netfilter folks, were you planning to pull this via your tree/netdev > or would you like me to merge this via the audit tree? If the latter, > I would appreciate it if I could get an ACK from one of you; if the > former, my ACK

Re: [PATCH v2] audit: log nftables configuration change events once per table

2021-03-22 Thread Pablo Neira Ayuso
On Mon, Mar 22, 2021 at 04:49:04PM -0400, Richard Guy Briggs wrote: > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index c1eb5cdb3033..42ba44890523 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c [...] > @@ -8006,12 +7938,47 @@

Re: [PATCH] audit: log nftables configuration change events once per table

2021-03-18 Thread Pablo Neira Ayuso
On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote: > Reduce logging of nftables events to a level similar to iptables. > Restore the table field to list the table, adding the generation. > > Indicate the op as the most significant operation in the event. > > A couple of sample

Re: [PATCH net-next] netfilter: conntrack: Remove unused variable declaration

2021-03-17 Thread Pablo Neira Ayuso
On Thu, Mar 11, 2021 at 01:55:59PM +0800, YueHaibing wrote: > commit e97c3e278e95 ("tproxy: split off ipv6 defragmentation to a separate > module") left behind this. Applied, thanks.

Re: [PATCH RESEND][next] netfilter: Fix fall-through warnings for Clang

2021-03-17 Thread Pablo Neira Ayuso
On Fri, Mar 05, 2021 at 02:42:09AM -0600, Gustavo A. R. Silva wrote: > In preparation to enable -Wimplicit-fallthrough for Clang, fix multiple > warnings by explicitly adding multiple break statements instead of just > letting the code fall through to the next case. Applied to nf-next, thanks.

Re: [PATCH v2 0/3] Don't use RCU for x_tables synchronization

2021-03-15 Thread Pablo Neira Ayuso
On Mon, Mar 08, 2021 at 02:24:10PM +1300, Mark Tomlinson wrote: > The patches to change to using RCU synchronization in x_tables cause > updating tables to be slowed down by an order of magnitude. This has > been tried before, see https://lore.kernel.org/patchwork/patch/151796/ > and ultimately

Re: Panic after upgrading to 5.11.6 stable

2021-03-14 Thread Pablo Neira Ayuso
On Sun, Mar 14, 2021 at 10:30:55AM +, David R wrote: > I attempted to upgrade my home server to 5.11 today. The system panics > soon after boot with the following :- > > In iptables by the looks of the stack. > > 5.10.23 works fine. > > Can provide config (and boot logs from 5.10.23) if

Re: [PATCH] uapi: nfnetlink_cthelper.h: fix userspace compilation error

2021-02-27 Thread Pablo Neira Ayuso
On Mon, Feb 22, 2021 at 08:00:00AM +, Dmitry V. Levin wrote: > Apparently, and > could not be included into the same > compilation unit because of a cut-and-paste typo in the former header. Applied, thanks.

Re: [PATCH] netfilter: nf_tables: remove redundant assignment of variable err

2021-02-03 Thread Pablo Neira Ayuso
On Thu, Feb 04, 2021 at 12:04:21AM +0100, Pablo Neira Ayuso wrote: > On Thu, Jan 28, 2021 at 05:59:23PM +, Colin King wrote: > > From: Colin Ian King > > > > The variable err is being assigned a value that is never read, > > the same error number is being r

Re: [PATCH] netfilter: nf_tables: remove redundant assignment of variable err

2021-02-03 Thread Pablo Neira Ayuso
On Thu, Jan 28, 2021 at 05:59:23PM +, Colin King wrote: > From: Colin Ian King > > The variable err is being assigned a value that is never read, > the same error number is being returned at the error return > path via label err1. Clean up the code by removing the assignment. Applied to

Re: [PATCH] netfilter: Fix memleak in nf_nat_init

2021-01-10 Thread Pablo Neira Ayuso
On Sat, Jan 09, 2021 at 08:01:21PM +0800, Dinghao Liu wrote: > When register_pernet_subsys() fails, nf_nat_bysource > should be freed just like when nf_ct_extend_register() > fails. Applied, thanks.

Re: [PATCH] selftests: netfilter: Pass family parameter "-f" to conntrack tool

2021-01-10 Thread Pablo Neira Ayuso
On Tue, Jan 05, 2021 at 11:31:20PM +0800, Chen Yi wrote: > Fix nft_conntrack_helper.sh false fail report: > > 1) Conntrack tool needs "-f ipv6" parameter to show out ipv6 traffic items. > > 2) Sleep 1 second after background nc send packet, to make sure check > is after this statement executed. >

Re: [PATCH net] selftests: netfilter: Pass the family parameter to conntrack tool

2021-01-04 Thread Pablo Neira Ayuso
Please, Cc netfilter-de...@vger.kernel.org, and a few more comments below. On Mon, Jan 04, 2021 at 07:07:23PM +0800, Yi Chen wrote: > From: yiche > > Fix nft_conntrack_helper.sh fake fail: > conntrack tool needs "-f ipv6" parameter to show out ipv6 traffic items. > sleep 1 second after

Re: [PATCH][next] netfilter: nftables: fix incorrect increment of loop counter

2020-12-16 Thread Pablo Neira Ayuso
On Mon, Dec 14, 2020 at 11:40:15PM +, Colin King wrote: > From: Colin Ian King > > The intention of the err_expr cleanup path is to iterate over the > allocated expr_array objects and free them, starting from i - 1 and > working down to the start of the array. Currently the loop counter > is

Re: [PATCH][next] netfilter: nftables: fix incorrect increment of loop counter

2020-12-15 Thread Pablo Neira Ayuso
On Tue, Dec 15, 2020 at 03:38:30PM +0100, Pablo Neira Ayuso wrote: > Hi, > > On Mon, Dec 14, 2020 at 11:40:15PM +, Colin King wrote: > > From: Colin Ian King > > > > The intention of the err_expr cleanup path is to iterate over the > > allocated expr_arra

Re: [PATCH][next] netfilter: nftables: fix incorrect increment of loop counter

2020-12-15 Thread Pablo Neira Ayuso
op") > Fixes: 8cfd9b0f8515 ("netfilter: nftables: generalize set expressions > support") > Signed-off-by: Colin Ian King Reviewed-by: Pablo Neira Ayuso @Jakub: Would you please take this one into net-next? Thanks! > --- > net/netfilter/nf_tables_api.c | 4 ++-

Re: [PATCH] netfilter: Remove unnecessary conversion to bool

2020-12-01 Thread Pablo Neira Ayuso
On Fri, Nov 06, 2020 at 04:20:13PM +0800, xiakaixu1...@gmail.com wrote: > From: Kaixu Xia > > Here we could use the '!=' expression to fix the following coccicheck > warning: > > ./net/netfilter/xt_nfacct.c:30:41-46: WARNING: conversion to bool not needed > here Applied.

Re: [PATCH net v3] ipvs: fix possible memory leak in ip_vs_control_net_init

2020-11-27 Thread Pablo Neira Ayuso
On Tue, Nov 24, 2020 at 08:09:19PM +0200, Julian Anastasov wrote: > > Hello, > > On Tue, 24 Nov 2020, Wang Hai wrote: > > > kmemleak report a memory leak as follows: > > > > BUG: memory leak > > unreferenced object 0x8880759ea000 (size 256): > > backtrace: > > []

Re: [PATCH net-next,v5 0/9] netfilter: flowtable bridge and vlan enhancements

2020-11-22 Thread Pablo Neira Ayuso
On Sun, Nov 22, 2020 at 02:51:18PM +, Alexander Lobakin wrote: > From: Pablo Neira Ayuso > Date: Sun, 22 Nov 2020 12:42:19 +0100 > > > On Sun, Nov 22, 2020 at 10:26:16AM +, Alexander Lobakin wrote: > >> From: Pablo Neira Ayuso > >> Date

Re: [PATCH] ipvs: replace atomic_add_return()

2020-11-22 Thread Pablo Neira Ayuso
On Tue, Nov 17, 2020 at 10:57:52PM +0200, Julian Anastasov wrote: > > Hello, > > On Mon, 16 Nov 2020, Yejune Deng wrote: > > > atomic_inc_return() looks better > > > > Signed-off-by: Yejune Deng > > Looks good to me for -next, thanks! > > Acked-by: Julian Anastasov Applied,

Re: [PATCH net-next,v5 0/9] netfilter: flowtable bridge and vlan enhancements

2020-11-22 Thread Pablo Neira Ayuso
On Sun, Nov 22, 2020 at 10:26:16AM +, Alexander Lobakin wrote: > From: Pablo Neira Ayuso > Date: Fri, 20 Nov 2020 13:49:12 +0100 [...] > > Something like this: > > > >

Re: [PATCH] MAINTAINERS: rectify file patterns for NETFILTER

2020-11-16 Thread Pablo Neira Ayuso
Hi Lukas, On Sun, Nov 15, 2020 at 07:58:33PM -0800, Joe Perches wrote: > On Mon, 2020-11-09 at 10:19 +0100, Lukas Bulwahn wrote: > > The two file patterns in the NETFILTER section: > > > >   F: include/linux/netfilter* > >   F: include/uapi/linux/netfilter* > > > > intended to match

Re: [PATCH] MAINTAINERS: rectify file patterns for NETFILTER

2020-11-15 Thread Pablo Neira Ayuso
On Mon, Nov 09, 2020 at 10:19:42AM +0100, Lukas Bulwahn wrote: > The two file patterns in the NETFILTER section: > > F: include/linux/netfilter* > F: include/uapi/linux/netfilter* > > intended to match the directories: > > ./include{/uapi}/linux/netfilter_{arp,bridge,ipv4,ipv6}

Re: [PATCH v22 16/23] LSM: security_secid_to_secctx in netlink netfilter

2020-11-10 Thread Pablo Neira Ayuso
Casey Schaufler > Cc: net...@vger.kernel.org > Cc: netfilter-de...@vger.kernel.org You can carry this tag in your follow up patches. Acked-by: Pablo Neira Ayuso Thanks. > --- > net/netfilter/nfnetlink_queue.c | 37 + > 1 file changed, 14 insertions

Re: [PATCH linux-5.9 1/1] net: netfilter: fix KASAN: slab-out-of-bounds Read in nft_flow_rule_create

2020-10-29 Thread Pablo Neira Ayuso
On Thu, Oct 29, 2020 at 12:02:41PM +0100, Greg KH wrote: > On Tue, Oct 27, 2020 at 09:19:22AM +0100, Pablo Neira Ayuso wrote: > > Hi Greg, > > > > On Tue, Oct 27, 2020 at 07:21:11AM +0100, Greg KH wrote: > > > On Sun, Oct 25, 2020 at 04:31:57PM -0700, Saeed Mirzam

Re: [PATCH linux-5.9 1/1] net: netfilter: fix KASAN: slab-out-of-bounds Read in nft_flow_rule_create

2020-10-27 Thread Pablo Neira Ayuso
Hi Greg, On Tue, Oct 27, 2020 at 07:21:11AM +0100, Greg KH wrote: > On Sun, Oct 25, 2020 at 04:31:57PM -0700, Saeed Mirzamohammadi wrote: > > Adding stable. > > What did that do? Saeed is requesting that stable maintainers cherry-picks this patch: 31cc578ae2de ("netfilter: nftables_offload:

Re: [PATCH v5] ipvs: adjust the debug info in function set_tcp_state

2020-10-20 Thread Pablo Neira Ayuso
On Wed, Sep 30, 2020 at 08:08:02AM +0300, Julian Anastasov wrote: > > Hello, > > On Mon, 28 Sep 2020, longguang.yue wrote: > > > Outputting client,virtual,dst addresses info when tcp state changes, > > which makes the connection debug more clear > > > > Signed-off-by: longguang.yue > >

Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register

2020-10-20 Thread Pablo Neira Ayuso
On Wed, Oct 07, 2020 at 12:32:52PM -0700, Francesco Ruggeri wrote: > If the first packet conntrack sees after a re-register is an outgoing > keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to > SND.NXT-1. > When the peer correctly acknowledges SND.NXT, tcp_in_window fails >

Re: [PATCH linux-5.9 1/1] net: netfilter: fix KASAN: slab-out-of-bounds Read in nft_flow_rule_create

2020-10-20 Thread Pablo Neira Ayuso
r->ops that fixes the slab-out-of-bounds Read issue. Add nft_expr_more() and use it to fix this problem. Signed-off-by: Saeed Mirzamohammadi Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 6 ++ net/netfilter/nf_tables_api.c | 6 +++--- net/netfilter/nf_tab

Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register

2020-10-14 Thread Pablo Neira Ayuso
On Wed, Oct 14, 2020 at 02:06:28AM +0200, Pablo Neira Ayuso wrote: > On Fri, Oct 09, 2020 at 10:05:48PM +0200, Florian Westphal wrote: > > Jozsef Kadlecsik wrote: > > > > The "delay unregister" remark was wrt. the "all rules were deleted" > > > &g

Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register

2020-10-13 Thread Pablo Neira Ayuso
On Fri, Oct 09, 2020 at 10:05:48PM +0200, Florian Westphal wrote: > Jozsef Kadlecsik wrote: > > > The "delay unregister" remark was wrt. the "all rules were deleted" > > > case, i.e. add a "grace period" rather than acting right away when > > > conntrack use count did hit 0. > > > > Now I

Re: [PATCH net-next] netfilter: nf_tables_offload: Remove unused macro FLOW_SETUP_BLOCK

2020-10-04 Thread Pablo Neira Ayuso
On Fri, Sep 18, 2020 at 09:17:29PM +0800, YueHaibing wrote: > commit 9a32669fecfb ("netfilter: nf_tables_offload: support indr block call") > left behind this. Applied.

Re: [PATCH net-next] ipvs: Remove unused macros

2020-09-21 Thread Pablo Neira Ayuso
On Mon, Sep 21, 2020 at 09:24:40AM +0200, Simon Horman wrote: > On Fri, Sep 18, 2020 at 09:16:56PM +0800, YueHaibing wrote: > > They are not used since commit e4ff67513096 ("ipvs: add > > sync_maxlen parameter for the sync daemon") > > > > Signed-off-by: YueHaibing > > Thanks, this looks good to

Re: [PATCH net-next] netfilter: ebt_stp: Remove unused macro BPDU_TYPE_TCN

2020-09-08 Thread Pablo Neira Ayuso
On Fri, Sep 04, 2020 at 08:56:53PM +0800, Wang Hai wrote: > BPDU_TYPE_TCN is never used after it was introduced. > So better to remove it. Applied, thanks.

Re: [PATCHv5 net-next] ipvs: remove dependency on ip6_tables

2020-08-31 Thread Pablo Neira Ayuso
On Mon, Aug 31, 2020 at 08:12:05PM +0300, Julian Anastasov wrote: > > Hello, > > On Sat, 29 Aug 2020, Yaroslav Bolyukin wrote: > > > This dependency was added because ipv6_find_hdr was in iptables specific > > code but is no longer required > > > > Fixes: f8f626754ebe ("ipv6: Move

Re: [PATCH] netfilter: nf_conntrack_sip: fix parsing error

2020-08-28 Thread Pablo Neira Ayuso
On Fri, Aug 28, 2020 at 02:14:48PM -0400, Tong Zhang wrote: > Hi Pablo, > I'm not an expert in this networking stuff. > But from my point of view there's no point in checking if this > condition is always true. Understood. > There's also no need of returning anything from the >

Re: [PATCH] netfilter: nf_conntrack_sip: fix parsing error

2020-08-28 Thread Pablo Neira Ayuso
On Sat, Aug 15, 2020 at 12:50:30PM -0400, Tong Zhang wrote: > ct_sip_parse_numerical_param can only return 0 or 1, but the caller is > checking parsing error using < 0 Is this a real issue in your setup, or is some static analysis tool reporting it? You are right that

Re: [PATCH net-next] netfilter: xt_HMARK: Use ip_is_fragment() helper

2020-08-28 Thread Pablo Neira Ayuso
On Thu, Aug 27, 2020 at 10:08:13PM +0800, YueHaibing wrote: > Use ip_is_fragment() to simplify code. Applied.

Re: [Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()

2020-08-28 Thread Pablo Neira Ayuso
On Tue, Aug 11, 2020 at 03:46:40AM -0400, Peilin Ye wrote: > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is > zero. Fix it. Applied to nf-next, thanks.

Re: [PATCH v3 1/1] netfilter: nat: add a range check for l3/l4 protonum

2020-08-28 Thread Pablo Neira Ayuso
On Fri, Aug 28, 2020 at 06:45:51PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > Hi Will, > > > > Given this is for -stable maintainers only, I'd suggest: > > > > 1) Specify what -stable kernel versions this patch applies to. > >Expla

Re: [PATCH v3 1/1] netfilter: nat: add a range check for l3/l4 protonum

2020-08-28 Thread Pablo Neira Ayuso
Hi Will, Given this is for -stable maintainers only, I'd suggest: 1) Specify what -stable kernel versions this patch applies to. Explain that this problem is gone since what kernel version. 2) Maybe clarify that this is only for stable in the patch subject, e.g. [PATCH -stable v3]

Re: [Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()

2020-08-12 Thread Pablo Neira Ayuso
On Tue, Aug 11, 2020 at 02:59:59PM +0200, Simon Horman wrote: > On Tue, Aug 11, 2020 at 01:29:04PM +0300, Julian Anastasov wrote: > > > > Hello, > > > > On Tue, 11 Aug 2020, Peilin Ye wrote: > > > > > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is > > > zero. Fix

Re: [PATCH nf] netfilter: nft_compat: remove flush counter optimization

2020-08-10 Thread Pablo Neira Ayuso
On Sun, Aug 09, 2020 at 08:28:01PM +0200, Florian Westphal wrote: > WARNING: CPU: 1 PID: 16059 at lib/refcount.c:31 > refcount_warn_saturate+0xdf/0xf > [..] > __nft_mt_tg_destroy+0x42/0x50 [nft_compat] > nft_target_destroy+0x63/0x80 [nft_compat] > nf_tables_expr_destroy+0x1b/0x30 [nf_tables] >

Re: [PATCH v2 1/1] netfilter: nat: add a range check for l3/l4 protonum

2020-08-04 Thread Pablo Neira Ayuso
Hi, This patch is much smaller and if you confirm this addresses the issue, then this is awesome. On Mon, Aug 03, 2020 at 06:31:56PM +, William Mcvicker wrote: [...] > diff --git a/net/netfilter/nf_conntrack_netlink.c > b/net/netfilter/nf_conntrack_netlink.c > index

Re: [PATCH 1/1] netfilter: nat: add range checks for access to nf_nat_l[34]protos[]

2020-07-31 Thread Pablo Neira Ayuso
Hi William, On Fri, Jul 31, 2020 at 12:26:11AM +, William Mcvicker wrote: > Hi Pablo, > > Yes, I believe this oops is only triggered by userspace when the user > specifically passes in an invalid nf_nat_l3protos index. I'm happy to re-work > the patch to check for this in

Re: [PATCH 1/1] netfilter: nat: add range checks for access to nf_nat_l[34]protos[]

2020-07-29 Thread Pablo Neira Ayuso
Hi Will, On Mon, Jul 27, 2020 at 05:57:20PM +, Will McVicker wrote: > The indexes to the nf_nat_l[34]protos arrays come from userspace. So we > need to make sure that before indexing the arrays, we verify the index > is within the array bounds in order to prevent an OOB memory access. > Here

Re: [PATCH] netfilter: ip6tables: Remove redundant null checks

2020-07-29 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH v2] netfilter: Replace HTTP links with HTTPS ones

2020-07-29 Thread Pablo Neira Ayuso
On Sat, Jul 25, 2020 at 07:02:25PM +0200, Alexander A. Klimov wrote: > Rationale: > Reduces attack surface on kernel devs opening the links for MITM > as HTTPS traffic is much harder to manipulate. Applied.

Re: [PATCH for v5.9] netfilter: Replace HTTP links with HTTPS ones

2020-07-24 Thread Pablo Neira Ayuso
On Sun, Jul 19, 2020 at 01:52:02PM +0200, Alexander A. Klimov wrote: > Rationale: > Reduces attack surface on kernel devs opening the links for MITM > as HTTPS traffic is much harder to manipulate. LGTM. Can you squash this patch into this? netfilter: xtables: Replace HTTP links with HTTPS ones

Re: [PATCH v2][next] netfilter: Use fallthrough pseudo-keyword

2020-07-15 Thread Pablo Neira Ayuso
On Wed, Jul 08, 2020 at 03:09:39PM -0500, Gustavo A. R. Silva wrote: > Replace the existing /* fall through */ comments and its variants with > the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary > fall-through markings when it is the case. Applied, thanks.

Re: [PATCH][next] netfilter: nf_tables: Use fallthrough pseudo-keyword

2020-07-08 Thread Pablo Neira Ayuso
On Tue, Jul 07, 2020 at 02:47:17PM -0500, Gustavo A. R. Silva wrote: > Replace the existing /* fall through */ comments and its variants with > the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary > fall-through markings when it is the case. I suggest: netfilter: Use

Re: [PATCH] [net/ipv6] Remove redundant null check in ah_mt6

2020-07-03 Thread Pablo Neira Ayuso
Hi Gaurav, On Wed, Jun 24, 2020 at 10:36:25PM -0400, Gaurav Singh wrote: > ah cannot be NULL since its already checked above after > assignment and is being dereferenced before in pr(). > Remove the redundant null check. Could you collapse all your patches into one? They look like the same

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2020-06-24 Thread Pablo Neira Ayuso
On Wed, Jun 24, 2020 at 08:34:23AM -0400, Richard Guy Briggs wrote: > On 2020-06-24 12:03, Pablo Neira Ayuso wrote: > > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote: [...] > > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2020-06-24 Thread Pablo Neira Ayuso
On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote: > iptables, ip6tables, arptables and ebtables table registration, > replacement and unregistration configuration events are logged for the > native (legacy) iptables setsockopt api, but not for the > nftables netlink api which is

Re: Good idea to rename files in include/uapi/ ?

2020-06-22 Thread Pablo Neira Ayuso
On Mon, Jun 22, 2020 at 01:37:09PM +0200, Jan Engelhardt wrote: > > On Monday 2020-06-15 01:34, Alexander A. Klimov wrote: > >> > >> A header file rename is no problem. We even have dummy headers > > Hmm.. if I understand all of you correctly, David, Stefano, Pablo and Al say > > like no, not a

Re: Good idea to rename files in include/uapi/ ?

2020-06-14 Thread Pablo Neira Ayuso
On Sun, Jun 14, 2020 at 11:08:08PM +0200, Jan Engelhardt wrote: > > On Sunday 2020-06-14 22:19, David Howells wrote: > >Alexander A. Klimov wrote: > > > >> *Is it a good idea to rename files in include/uapi/ ?* > > > >Very likely not. If programs out there are going to be built on a >

Re: memory leak in ctnetlink_start

2020-06-09 Thread Pablo Neira Ayuso
On Tue, Jun 09, 2020 at 02:58:12PM -0700, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit:7ae77150 Merge tag 'powerpc-5.8-1' of git://git.kernel.org.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=128a9df210 >

Re: memory leak in nf_tables_parse_netdev_hooks (3)

2020-06-09 Thread Pablo Neira Ayuso
On Tue, Jun 09, 2020 at 02:58:12PM -0700, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit:7ae77150 Merge tag 'powerpc-5.8-1' of git://git.kernel.org.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=1741f5f210 >

Re: [PATCH net] netfilter: conntrack: Pass value of ctinfo to __nf_conntrack_update

2020-05-27 Thread Pablo Neira Ayuso
On Wed, May 27, 2020 at 01:10:39AM -0700, Nathan Chancellor wrote: > Clang warns: > > net/netfilter/nf_conntrack_core.c:2068:21: warning: variable 'ctinfo' is > uninitialized when used here [-Wuninitialized] > nf_ct_set(skb, ct, ctinfo); >^~ >

Re: [PATCH 06/15] netfilter: conntrack: avoid gcc-10 zero-length-bounds warning

2020-05-10 Thread Pablo Neira Ayuso
On Thu, Apr 30, 2020 at 11:30:48PM +0200, Arnd Bergmann wrote: > gcc-10 warns around a suspicious access to an empty struct member: > > net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc': > net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is > outside the

Re: [PATCH] netfilter: nf_osf: avoid passing pointer to local var

2020-04-29 Thread Pablo Neira Ayuso
On Wed, Apr 29, 2020 at 09:00:41PM +0200, Arnd Bergmann wrote: > gcc-10 points out that a code path exists where a pointer to a stack > variable may be passed back to the caller: > > net/netfilter/nfnetlink_osf.c: In function 'nf_osf_hdr_ctx_init': > cc1: warning: function may return address of

Re: [PATCH tip/core/rcu 8/9] net/netfilter: Replace rcu_swap_protected() with rcu_replace()

2019-10-08 Thread Pablo Neira Ayuso
ink: > https://lore.kernel.org/lkml/CAHk-=wiAsJLw1egFEE=z7-ggtm6wcvtyytxza1+bhqta4gg...@mail.gmail.com/ > Reported-by: Linus Torvalds > Signed-off-by: Paul E. McKenney > Cc: Pablo Neira Ayuso > Cc: Jozsef Kadlecsik > Cc: Florian Westphal > Cc: "David S. Miller" &g

Re: [PATCH v2] netfilter: use __u8 instead of uint8_t in uapi header

2019-09-25 Thread Pablo Neira Ayuso
On Tue, Sep 24, 2019 at 07:40:06AM +0900, Masahiro Yamada wrote: > When CONFIG_UAPI_HEADER_TEST=y, exported headers are compile-tested to > make sure they can be included from user-space. > > Currently, linux/netfilter_bridge/ebtables.h is excluded from the test > coverage. To make it join the

Re: [PATCH] netfilter: use __u8 instead of uint8_t in uapi header

2019-09-22 Thread Pablo Neira Ayuso
On Sun, Sep 22, 2019 at 08:49:11PM +0900, Masahiro Yamada wrote: > Hi Pablo, > > On Sun, Sep 22, 2019 at 4:13 PM Pablo Neira Ayuso wrote: > > > > On Sun, Sep 22, 2019 at 09:11:11AM +0200, Pablo Neira Ayuso wrote: > > > On Sat, Sep 21, 2019 at 10:46:48PM +0900, Masah

Re: [PATCH] netfilter: use __u8 instead of uint8_t in uapi header

2019-09-22 Thread Pablo Neira Ayuso
On Sun, Sep 22, 2019 at 09:11:11AM +0200, Pablo Neira Ayuso wrote: > On Sat, Sep 21, 2019 at 10:46:48PM +0900, Masahiro Yamada wrote: > > When CONFIG_UAPI_HEADER_TEST=y, exported headers are compile-tested to > > make sure they can be included from user-space. > >

Re: [PATCH] netfilter: use __u8 instead of uint8_t in uapi header

2019-09-22 Thread Pablo Neira Ayuso
On Sat, Sep 21, 2019 at 10:46:48PM +0900, Masahiro Yamada wrote: > When CONFIG_UAPI_HEADER_TEST=y, exported headers are compile-tested to > make sure they can be included from user-space. > > Currently, linux/netfilter_bridge/ebtables.h is excluded from the test > coverage. To make it join the

Re: [PATCH net-next] netfilter: nf_tables: avoid excessive stack usage

2019-09-07 Thread Pablo Neira Ayuso
On Sat, Sep 07, 2019 at 08:41:22PM +0200, Arnd Bergmann wrote: > On Sat, Sep 7, 2019 at 8:07 PM Pablo Neira Ayuso wrote: > > > > Hi Arnd, > > > > On Fri, Sep 06, 2019 at 05:12:30PM +0200, Arnd Bergmann wrote: > > > The nft_offload_ctx structure is much

Re: [PATCH net-next] netfilter: nf_tables: avoid excessive stack usage

2019-09-07 Thread Pablo Neira Ayuso
Hi Arnd, On Fri, Sep 06, 2019 at 05:12:30PM +0200, Arnd Bergmann wrote: > The nft_offload_ctx structure is much too large to put on the > stack: > > net/netfilter/nf_tables_offload.c:31:23: error: stack frame size of 1200 > bytes in function 'nft_flow_rule_create' [-Werror,-Wframe-larger-than=]

Re: [PATCH v2 1/1] netfilter: nf_tables: fib: Drop IPV6 packages if IPv6 is disabled on boot

2019-08-27 Thread Pablo Neira Ayuso
On Tue, Aug 27, 2019 at 02:34:14PM -0300, Leonardo Bras wrote: > On Tue, 2019-08-27 at 12:35 +0200, Pablo Neira Ayuso wrote: [...] > > NFT_BREAK instead to stop evaluating this rule, this results in a > > mismatch, so you let the user decide what to do with packets that do >

Re: [PATCH v2 1/1] netfilter: nf_tables: fib: Drop IPV6 packages if IPv6 is disabled on boot

2019-08-27 Thread Pablo Neira Ayuso
On Wed, Aug 21, 2019 at 11:15:06AM -0300, Leonardo Bras wrote: > If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up > dealing with a IPv6 package, it causes a kernel panic in > fib6_node_lookup_1(), crashing in bad_page_fault. Q: How do you get to see IPv6 packets if IPv6

Re: [PATCH 1/1] netfilter: nf_tables: fib: Drop IPV6 packages if IPv6 is disabled on boot

2019-08-21 Thread Pablo Neira Ayuso
On Tue, Aug 20, 2019 at 01:15:58PM -0300, Leonardo Bras wrote: > On Tue, 2019-08-20 at 07:36 +0200, Florian Westphal wrote: > > Wouldn't fib_netdev.c have the same problem? > Probably, but I haven't hit this issue yet. > > > If so, might be better to place this test in both > > nft_fib6_eval_type

Re: [PATCH] netfilter: add include guard to nf_conntrack_h323_types.h

2019-08-19 Thread Pablo Neira Ayuso
On Mon, Aug 19, 2019 at 04:39:27PM +0900, Masahiro Yamada wrote: > Add a header include guard just in case. Applied.

Re: [PATCH] MAINTAINERS: Remove IP MASQUERADING record

2019-08-19 Thread Pablo Neira Ayuso
On Wed, Aug 14, 2019 at 03:35:02PM +0300, Denis Efremov wrote: > This entry is in MAINTAINERS for historical purpose. > It doesn't match current sources since the commit > adf82accc5f5 ("netfilter: x_tables: merge ip and > ipv6 masquerade modules") moved the module. > The

Re: [PATCH] netfilter: nft_bitwise: Adjust parentheses to fix memcmp size argument

2019-08-14 Thread Pablo Neira Ayuso
On Wed, Aug 14, 2019 at 09:58:09AM -0700, Nathan Chancellor wrote: > clang warns: > > net/netfilter/nft_bitwise.c:138:50: error: size argument in 'memcmp' > call is a comparison [-Werror,-Wmemsize-comparison] > if (memcmp(>xor, , sizeof(priv->xor) || >

Re: [PATCH v2] net/netfilter: remove unnecessary spaces

2019-08-13 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH] net/netfilter/nf_nat_proto.c - make tables static

2019-08-13 Thread Pablo Neira Ayuso
On Thu, Aug 08, 2019 at 01:43:22AM -0400, Valdis Klētnieks wrote: > Sparse warns about two tables not being declared. > > CHECK net/netfilter/nf_nat_proto.c > net/netfilter/nf_nat_proto.c:725:26: warning: symbol 'nf_nat_ipv4_ops' was > not declared. Should it be static? >

Re: [PATCH] net/netfilter - add missing prototypes.

2019-08-13 Thread Pablo Neira Ayuso
On Thu, Aug 08, 2019 at 01:28:08AM -0400, Valdis Klētnieks wrote: > Sparse rightly complains about undeclared symbols. > > CHECK net/netfilter/nft_set_hash.c > net/netfilter/nft_set_hash.c:647:21: warning: symbol 'nft_set_rhash_type' was > not declared. Should it be static? >

Re: [PATCH] MAINTAINERS: ip masquerading: Update path to the driver

2019-08-13 Thread Pablo Neira Ayuso
On Tue, Aug 13, 2019 at 09:09:41AM +0300, Denis Efremov wrote: > Update MAINTAINERS record to reflect the filename change > from ipt_MASQUERADE.c to xt_MASQUERADE.c This entry is there for historical purposes. I'd suggest you send a patch to remove it so this just falls under the netfilter

Re: [PATCH net-next] netfilter: conntrack: use shared sysctl constants

2019-08-03 Thread Pablo Neira Ayuso
On Tue, Jul 23, 2019 at 03:23:03AM +0200, Matteo Croce wrote: > Use shared sysctl variables for zero and one constants, as in commit > eec4844fae7c ("proc/sysctl: add shared variables for range check") Applied, thanks.

Re: [PATCH] netfilter: add include guard to xt_connlabel.h

2019-07-29 Thread Pablo Neira Ayuso
On Mon, Jul 29, 2019 at 12:51:38AM +0900, Masahiro Yamada wrote: > Add a header include guard just in case. Applied to nf.git, thanks. BTW, is the _UAPI_ prefix really needed? I can see netfilter headers under include/uapi/ sometimes are prefixed by UAPI and sometimes not. Thanks.

Re: linux-next: Signed-off-by missing for commit in the netfilter tree

2019-07-25 Thread Pablo Neira Ayuso
On Thu, Jul 25, 2019 at 07:18:03AM +1000, Stephen Rothwell wrote: > Hi all, > > Commit > > 5f5ff5ca2e18 ("netfilter: nf_tables: Make nft_meta expression more robust") > > is missing a Signed-off-by from its author. Fixed, thanks.

Re: [PATCH v2] net/netfilter: remove unnecessary spaces

2019-07-18 Thread Pablo Neira Ayuso
Looks good, but you will have to wait until net-next reopens: http://vger.kernel.org/~davem/net-next.html Will keep this in my patchwork until that happens. Thanks. On Tue, Jul 16, 2019 at 10:13:01AM +0800, yangxingwu wrote: > this patch removes extra spaces > > Signed-off-by: yangxingwu >

Re: [PATCH v5] net: netfilter: Fix rpfilter dropping vrf packets by mistake

2019-07-16 Thread Pablo Neira Ayuso
On Tue, Jul 02, 2019 at 03:59:36AM +, Miaohe Lin wrote: > When firewalld is enabled with ipv4/ipv6 rpfilter, vrf > ipv4/ipv6 packets will be dropped. Vrf device will pass > through netfilter hook twice. One with enslaved device > and another one with l3 master device. So in device may >

Re: linux-next: Tree for Jul 15 (HEADERS_TEST w/ netfilter tables offload)

2019-07-15 Thread Pablo Neira Ayuso
On Tue, Jul 16, 2019 at 02:56:09AM +0900, Masahiro Yamada wrote: > On Tue, Jul 16, 2019 at 2:33 AM Pablo Neira Ayuso wrote: > > > > On Mon, Jul 15, 2019 at 07:28:04PM +0200, Laura Garcia wrote: > > > CC'ing netfilter. > > > > > > On Mon, Jul 15,

Re: linux-next: Tree for Jul 15 (HEADERS_TEST w/ netfilter tables offload)

2019-07-15 Thread Pablo Neira Ayuso
On Mon, Jul 15, 2019 at 07:28:04PM +0200, Laura Garcia wrote: > CC'ing netfilter. > > On Mon, Jul 15, 2019 at 6:45 PM Randy Dunlap wrote: > > > > On 7/14/19 9:48 PM, Stephen Rothwell wrote: > > > Hi all, > > > > > > Please do not add v5.4 material to your linux-next included branches > > > until

Re: [PATCH] ipvs: remove unnecessary space

2019-07-15 Thread Pablo Neira Ayuso
On Wed, Jul 10, 2019 at 10:06:09AM +0200, Simon Horman wrote: > On Wed, Jul 10, 2019 at 03:45:52PM +0800, yangxingwu wrote: > > --- > > net/netfilter/ipvs/ip_vs_mh.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/net/netfilter/ipvs/ip_vs_mh.c

Re: [PATCH] ipvs: remove unnecessary space

2019-07-15 Thread Pablo Neira Ayuso
On Mon, Jul 15, 2019 at 09:57:03AM +0200, Pablo Neira Ayuso wrote: > On Fri, Jul 12, 2019 at 09:07:21PM +0800, yangxingwu wrote: > > this patch removes the extra space and uses bitmap_zalloc instead > > > > Signed-off-by: yangxingwu > > --- > > net/netfilter/ip

Re: [PATCH] ipvs: remove unnecessary space

2019-07-15 Thread Pablo Neira Ayuso
On Fri, Jul 12, 2019 at 09:07:21PM +0800, yangxingwu wrote: > this patch removes the extra space and uses bitmap_zalloc instead > > Signed-off-by: yangxingwu > --- > net/netfilter/ipvs/ip_vs_mh.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git

Re: linux-next: Tree for Jul 3 (netfilter/ipvs/)

2019-07-03 Thread Pablo Neira Ayuso
On Wed, Jul 03, 2019 at 09:29:26PM +0300, Julian Anastasov wrote: > > Hello, > > On Wed, 3 Jul 2019, Randy Dunlap wrote: > > > On 7/3/19 4:49 AM, Stephen Rothwell wrote: > > > Hi all, > > > > > > Changes since 20190702: > > > > > > > on i386: > > Oh, well. net/gre.h was included

Re: [PATCH] netfilter: nf_log: Replace a seq_printf() call by seq_puts() in seq_show()

2019-07-03 Thread Pablo Neira Ayuso
On Tue, Jul 02, 2019 at 08:11:53PM +0200, Markus Elfring wrote: > From: Markus Elfring > Date: Tue, 2 Jul 2019 20:06:30 +0200 > > A string which did not contain a data format specification should be put > into a sequence. Thus use the corresponding function “seq_puts”. > > This issue was
