Re: [PATCH] netfilter: fix xt_TEE and xt_TPROXY dependencies

2015-11-11 Thread Pablo Neira Ayuso
On Tue, Nov 10, 2015 at 01:22:15PM +0100, Arnd Bergmann wrote: > Kconfig is too smart for its own good: a Kconfig line that states > > select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES > > means that if IP6_NF_IPTABLES is set to 'm', then NF_DEFRAG_IPV6 will > also be set to 'm', regardless of the s

Re: [PATCH] netfilter: nfnetlink_log: work around uninitialized variable warning

2015-11-11 Thread Pablo Neira Ayuso
On Tue, Nov 10, 2015 at 01:08:15PM +0100, Arnd Bergmann wrote: > After a recent (correct) change, gcc started warning about the use > of the 'flags' variable in nfulnl_recv_config() > > net/netfilter/nfnetlink_log.c: In function 'nfulnl_recv_config': > net/netfilter/nfnetlink_log.c:320:14: warning

Re: [PATCH] net: netfilter: fix GCC uninitialized warning

2015-11-10 Thread Pablo Neira Ayuso
On Fri, Nov 06, 2015 at 10:13:16PM +0300, Dmitry Safonov wrote: > I thought, it was decided to use 0/NULL/whatever, than uninitialized_var()? > Is right now? > http://thread.gmane.org/gmane.linux.kernel/1383415 I overlooked that one. We should stick to mainstream policies as much as possible. Arnd

Re: Linux 4.2.4

2015-11-09 Thread Pablo Neira Ayuso
On Mon, Nov 09, 2015 at 01:35:11PM +0100, Gerhard Wiesinger wrote: > On 08.11.2015 18:20, Greg KH wrote: > >That's great, can you let me know the git commits that end up in Linus's > >tree? That's what we need for the stable kernel. > > Find the commits here: > https://git.kernel.org/cgit/linux/k

Re: [PATCH] net: netfilter: fix GCC uninitialized warning

2015-11-06 Thread Pablo Neira Ayuso
On Fri, Nov 06, 2015 at 09:48:14PM +0300, Dmitry Safonov wrote: > With x86_64_defconfig: > GCC thinks that in nfulnl_recv_config flags parameter is not inited but > it was under the same condition (nfula[NFULA_CFG_FLAGS] == true). > Suppress this warning: > net/netfilter/nfnetlink_log.c: In f

Re: [PATCH] netfilter: fix Kconfig dependencies for nft_dup_ipv{4,6}

2015-10-17 Thread Pablo Neira Ayuso
On Fri, Oct 16, 2015 at 10:10:04PM +0200, Arnd Bergmann wrote: > nft_dup_ipv4 and nft_dup_ipv6 select the respective nf_dup_ipv{4,6} > drivers, which must not be built-in if nf_conntrack is a loadable > module, otherwise we get a link error: > > net/built-in.o: In function `nf_dup_ipv6': > (.text+

Re: [PATCH v2] netfilter: turn NF_HOOK into an inline function

2015-10-16 Thread Pablo Neira Ayuso
On Fri, Oct 09, 2015 at 08:45:42PM +0200, Arnd Bergmann wrote: > A recent change to the dst_output handling caused a new warning > when the call to NF_HOOK() is the only use of a local variable > passed as 'dev', and CONFIG_NETFILTER is disabled: > > net/ipv6/ip6_output.c: In function 'ip6_output

Re: [PATCH v2] bridge/netfilter: avoid unused label warning

2015-10-12 Thread Pablo Neira Ayuso
On Thu, Oct 08, 2015 at 02:51:05PM +0200, Nikolay Aleksandrov wrote: > On 10/08/2015 02:30 PM, Arnd Bergmann wrote: > > With the ARM mini2440_defconfig, the bridge netfilter code gets > > built with both CONFIG_NF_DEFRAG_IPV4 and CONFIG_NF_DEFRAG_IPV6 > > disabled, which leads to a harmless gcc war

Re: [PATCH 08/12] nfnetlink: use y2038 safe timestamp

2015-10-02 Thread Pablo Neira Ayuso
his trivially changes the code to use 'struct timespec64' instead, > to correct the result on 32-bit architectures. > > Signed-off-by: Arnd Bergmann > Cc: Pablo Neira Ayuso > Cc: Patrick McHardy > Cc: Jozsef Kadlecsik > Cc: netfilter-de...@vger.kernel.org > Cc: c

Re: [PATCH net] netfilter: conntrack: Use flags in nf_ct_tmpl_alloc()

2015-08-05 Thread Pablo Neira Ayuso
On Tue, Aug 04, 2015 at 06:34:00PM -0700, Joe Stringer wrote: > The flags were ignored for this function when it was introduced. Also > fix the style problem in kzalloc. Applied, thanks Joe. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to maj

Re: [PATCH] netfilter: xtables: Add helper macro for xt_match boilerplate

2015-07-30 Thread Pablo Neira Ayuso
On Sun, Jul 26, 2015 at 05:27:37PM +0530, Vaishali Thakkar wrote: > For simple modules that contain a single xt_match without any > additional setup code then ends up being a block of duplicated > boilerplate. This patch adds a new macro, module_xt_match(), > which replaces the module_init()/module

Re: [PATCH nf-next v2] netfilter: nf_ct_sctp: minimal multihoming support

2015-07-30 Thread Pablo Neira Ayuso
On Fri, Jul 17, 2015 at 04:17:56PM +0200, Michal Kubecek wrote: > Currently nf_conntrack_proto_sctp module handles only packets between > primary addresses used to establish the connection. Any packets between > secondary addresses are classified as invalid so that usual firewall > configurations d

Re: nf_conntrack: falling back to vmalloc.

2015-07-23 Thread Pablo Neira Ayuso
On Fri, Jul 17, 2015 at 12:10:09PM +0200, Florian Westphal wrote: > Toralf Förster wrote: > > I do run a server with a 64 bit hardened Gentoo Linux (kernel currently > > 4.0.8). > > Around 12th of July it started to spew those messages into kern.log : > > > > /var/log/kern.log:Jul 12 15:26:07 to

Re: [PATCH nf-next] netfilter: nf_ct_sctp: minimal multihoming support

2015-07-15 Thread Pablo Neira Ayuso
On Tue, Jul 14, 2015 at 06:28:50PM +0200, Michal Kubecek wrote: > On Tue, Jul 14, 2015 at 05:38:47PM +0200, Pablo Neira Ayuso wrote: > > On Tue, Jul 14, 2015 at 02:23:11PM +0200, Michal Kubecek wrote: > > > @@ -658,6 +696,18 @@ static struct ctl_table sctp_sysctl_table[] = { >

Re: [PATCH nf-next] netfilter: nf_ct_sctp: minimal multihoming support

2015-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 14, 2015 at 02:23:11PM +0200, Michal Kubecek wrote: > @@ -658,6 +696,18 @@ static struct ctl_table sctp_sysctl_table[] = { > .mode = 0644, > .proc_handler = proc_dointvec_jiffies, > }, > + { > + .procname = "nf_conntrac

Re: [PATCH] nf: IDLETIMER: fix lockdep warning

2015-07-13 Thread Pablo Neira Ayuso
On Mon, Jul 13, 2015 at 08:02:36AM -0700, Dmitry Torokhov wrote: > On Mon, Jul 13, 2015 at 6:20 AM, Pablo Neira Ayuso > wrote: > > On Thu, Jul 09, 2015 at 05:15:01PM -0700, Dmitry Torokhov wrote: > >> Dynamically allocated sysfs attributes should be initialized with

Re: [PATCH] nf: IDLETIMER: fix lockdep warning

2015-07-13 Thread Pablo Neira Ayuso
On Thu, Jul 09, 2015 at 05:15:01PM -0700, Dmitry Torokhov wrote: > Dynamically allocated sysfs attributes should be initialized with > sysfs_attr_init() otherwise lockdep will be angry with us: > > [ 45.468653] BUG: key ffc030fad4e0 not in .data! > [ 45.468655] [ cut here ]

Re: [PATCH v2] net/bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6

2015-07-08 Thread Pablo Neira Ayuso
ctly retrieve the inet6 device without taking a > > reference as all netfilter hooks are protected by rcu_read_lock via > > nf_hook_slow. > > > > Spotted while trying to destroy a Xen guest on the upstream Linux: > > "unregister_netdevice: waiting for vif1.0 to

Re: linux-next: build warnings after merge of the net-next tree

2015-06-20 Thread Pablo Neira Ayuso
On Sat, Jun 20, 2015 at 07:40:03PM +0200, Florian Westphal wrote: [...] > > Introduced by commit: > > > > 71ae0dff02d7 ("netfilter: xtables: use percpu rule counters") > > Yes, sorry about this, should be fixed by dcb8f5c8139ef945cdfd > ("netfilter: xtables: fix warnings on 32bit platforms").

Re: [PATCH] net: fix search limit handling in skb_find_text()

2015-06-18 Thread Pablo Neira Ayuso
On Tue, Jun 16, 2015 at 03:13:41PM +0300, Roman Khimov wrote: > In a message dated June 16, 2015 12:48:41, user Pablo Neira Ayuso wrote: [...] > > But if we change the existing behaviour, users may be relying on it > > and we'll get things broken for them. Someone else

Re: [PATCH] net: fix search limit handling in skb_find_text()

2015-06-16 Thread Pablo Neira Ayuso
On Mon, Jun 15, 2015 at 10:37:31PM +0300, Roman Khimov wrote: > In a message dated June 15, 2015 19:06:39, user Pablo Neira Ayuso wrote: > > On Mon, Jun 15, 2015 at 12:11:58PM +0300, Roman I Khimov wrote: > > > Suppose that we're trying to use an xt_string netfilter module

Re: [PATCH 3.4 051/172] netfilter: xt_socket: fix a stack corruption bug

2015-06-16 Thread Pablo Neira Ayuso
: Eric Dumazet > Fixes: b64c9256a9b76 ("tproxy: added IPv6 support to the socket match") > Signed-off-by: Pablo Neira Ayuso > [lizf: Backported to 3.4: adjust context] > Signed-off-by: Zefan Li Thanks for backporting this for 3.4. Acked-by: Pablo Neira Ayuso

Re: [PATCH] net: fix search limit handling in skb_find_text()

2015-06-15 Thread Pablo Neira Ayuso
Cc'ing Thomas. On Mon, Jun 15, 2015 at 12:11:58PM +0300, Roman I Khimov wrote: > Suppose that we're trying to use an xt_string netfilter module to match a > string in a specially crafted packet that has "a nice string" starting at > offset 28. > > It could be done in iptables like this: > > -A s

Re: [PATCH 03/11] netfilter: don't use module_init/exit in core IPV4 code

2015-06-03 Thread Pablo Neira Ayuso
etfilter messages in dmesg remains unchanged > with respect to all the other surrounding messages.) > > As for the module_exit, rather than replace it with __exitcall, > we simply remove it, since it appears only UML does anything > with those, and even for UML, there is no releva

Re: [PATCH net-next] netfilter: Use correct return for seq_show functions

2015-05-18 Thread Pablo Neira Ayuso
On Tue, May 12, 2015 at 06:28:23PM -0700, Joe Perches wrote: > Using seq_has_overflowed doesn't produce the right return value. > Either 0 or -1 is, but 0 is much more common and works well when > seq allocation retries. > > I believe this doesn't matter as the initial allocation is always > suffi

Re: [PATCH] netfilter: ipset: deinline ip_set_put_extensions()

2015-05-14 Thread Pablo Neira Ayuso
On Wed, May 06, 2015 at 04:28:57PM +0200, Denys Vlasenko wrote: > On x86 allyesconfig build: > The function compiles to 489 bytes of machine code. > It has 25 callsites. > > textdata bss dec hex filename > 82441375 22255384 20627456 125324215 7784bb7 vmlinux.before > 824349

Re: [PATCH 3.19 176/177] netfilter: x_tables: fix cgroup matching on non-full sks

2015-05-04 Thread Pablo Neira Ayuso
On Sun, May 03, 2015 at 11:20:26PM +0200, Daniel Borkmann wrote: > >>In order to fix it, you also need to add: > >> > >> From 1d0ab253872cdd3d8e7913f59c266c7fd01771d0 Mon Sep 17 00:00:00 2001 > >>From: Eric Dumazet > >>Date: Sun, 15 Mar 2015 21:12:12 -0700 > >>Subject: [PATCH] net: add sk_fullsock

Re: [PATCH 5/5 v4] netfilter: Fix format string of nfnetlink_log proc file

2015-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 13, 2015 at 12:52:39AM +0200, Richard Weinberger wrote: > The printed values are all of type unsigned integer, therefore use > %u instead of %d. Otherwise a user can face negative values. > > Signed-off-by: Richard Weinberger Acked-by: Pablo Neira Ayuso

Re: [PATCH 3/5 v4] netfilter: Fix portid types

2015-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 13, 2015 at 12:52:37AM +0200, Richard Weinberger wrote: > The netlink portid is an unsigned integer, use this type > also in netfilter. > > Signed-off-by: Richard Weinberger Acked-by: Pablo Neira Ayuso

Re: [PATCH 4/5 v4] netfilter: Fix format string of nfnetlink_queue proc file

2015-04-13 Thread Pablo Neira Ayuso
278 2 65531 0 2004213241 -2129885586 1 > 1 -27747 0 2 65531 0 00 1 > 2 -27748 0 2 65531 0 00 1 > > Signed-off-by: Richard Weinberger Acked-by: Pablo Neira Ayuso

Re: [PATCH 23/25] netfilter: Use bool function return values of true/false not 1/0

2015-03-31 Thread Pablo Neira Ayuso
On Mon, Mar 30, 2015 at 04:46:21PM -0700, Joe Perches wrote: > Use the normal return values for bool functions > > Signed-off-by: Joe Perches Acked-by: Pablo Neira Ayuso

Re: [PATCH V2 -next] netfilter: Use LOGLEVEL_ defines

2015-03-25 Thread Pablo Neira Ayuso
On Mon, Mar 23, 2015 at 11:50:10AM -0700, Joe Perches wrote: > Use the #defines where appropriate. > > Miscellanea: > > Add explicit #include where it was not > previously used so that these #defines are a bit more > explicitly defined instead of indirectly included via: > module.h->module

Re: [PATCH -next] netfilter: Use LOGLEVEL_ defines

2015-03-23 Thread Pablo Neira Ayuso
On Tue, Mar 24, 2015 at 12:38:28AM +1100, Stephen Rothwell wrote: > Hi Joe, > > On Mon, 23 Mar 2015 06:23:51 -0700 Joe Perches wrote: > > > > Use the #defines where appropriate. > > > > Signed-off-by: Joe Perches > > --- > > > > Perhaps all the .level = 4 uses should be LOGLEVEL_WARNING > > > >

Re: linux-next: manual merge of the net-next tree with the net tree

2015-03-23 Thread Pablo Neira Ayuso
On Mon, Mar 23, 2015 at 05:55:31AM -0700, Joe Perches wrote: > On Mon, 2015-03-23 at 13:47 +0100, Pablo Neira Ayuso wrote: > > On Mon, Mar 23, 2015 at 02:08:41PM +1100, Stephen Rothwell wrote: > > > Today's linux-next merge of the net-next tree got a conflict

Re: linux-next: manual merge of the net-next tree with the net tree

2015-03-23 Thread Pablo Neira Ayuso
On Mon, Mar 23, 2015 at 02:08:41PM +1100, Stephen Rothwell wrote: > Hi all, > > Today's linux-next merge of the net-next tree got a conflict in > net/netfilter/nf_tables_core.c between commit 4017a7ee693d ("netfilter: > restore rule tracing via nfnetlink_log") from the net tree and commit > 01ef16

Re: [PATCH net-next] netfilter: Remove uses of seq_ return values

2015-03-18 Thread Pablo Neira Ayuso
On Mon, Mar 16, 2015 at 11:25:17AM -0700, Joe Perches wrote: > The seq_printf/seq_puts/seq_putc return values, because they > are frequently misused, will eventually be converted to void. > > See: commit 1f33c41c03da ("seq_file: Rename seq_overflow() to > seq_has_overflowed() and make public"

Re: [PATCH 4/4] netfilter: Fix format string of nfnetlink_queue proc file

2015-03-16 Thread Pablo Neira Ayuso
On Fri, Mar 13, 2015 at 03:22:07PM +0100, Richard Weinberger wrote: > Am 13.03.2015 um 14:53 schrieb Pablo Neira Ayuso: > >> You mean statistics via netlink attributes? I can add that! > > > > Add a new NFQNL_CFG_CMD_STATS command to request the statistics. If > >

Re: [PATCH 4/4] netfilter: Fix format string of nfnetlink_queue proc file

2015-03-13 Thread Pablo Neira Ayuso
On Fri, Mar 13, 2015 at 02:43:54PM +0100, Richard Weinberger wrote: > Am 13.03.2015 um 13:15 schrieb Pablo Neira Ayuso: > > On Fri, Mar 13, 2015 at 12:31:16PM +0100, Richard Weinberger wrote: > >> The printed values are all of type unsigned integer, therefore use > >>

Re: [PATCH 3/4] netfilter: Fix portid types

2015-03-13 Thread Pablo Neira Ayuso
On Fri, Mar 13, 2015 at 12:31:15PM +0100, Richard Weinberger wrote: > The netlink portid is an unsigned integer, use this type > also in netfilter. This small cleanup I can still take it but... > Signed-off-by: Richard Weinberger > --- > net/netfilter/nfnetlink_log.c| 4 ++-- > net/netf

Re: [PATCH 4/4] netfilter: Fix format string of nfnetlink_queue proc file

2015-03-13 Thread Pablo Neira Ayuso
On Fri, Mar 13, 2015 at 12:31:16PM +0100, Richard Weinberger wrote: > The printed values are all of type unsigned integer, therefore use > %u instead of %d. Otherwise a user can face negative values. > > Fixes: > $ cat /proc/net/netfilter/nfnetlink_queue > 0 29508 278 2 65531 0 2004213

Re: [PATCH] netfilter: ipset: fix boolreturn.cocci warnings

2015-03-11 Thread Pablo Neira Ayuso
Hi Jozsef, On Wed, Mar 11, 2015 at 08:08:26PM +0100, Jozsef Kadlecsik wrote: > On Wed, 11 Feb 2015, kbuild test robot wrote: > > > net/netfilter/xt_set.c:196:9-10: WARNING: return of 0/1 in function > > 'set_match_v3' with return type bool > > net/netfilter/xt_set.c:242:9-10: WARNING: return of

Re: [RFC PATCH v2] bridge: make it possible for packets to traverse the bridge without hitting netfilter

2015-03-06 Thread Pablo Neira Ayuso
On Fri, Mar 06, 2015 at 11:34:29AM +0100, Imre Palik wrote: > On 02/26/15 17:34, David Miller wrote: > > From: Imre Palik > > Date: Thu, 26 Feb 2015 11:19:25 +0100 > > > >> If you are looking for peculiarities in my setup then here they are: > >> I am on 4k pages, and perf is not working :-( > >>

Re: [PATCH] netfilter: ipset: fix boolreturn.cocci warnings

2015-02-11 Thread Pablo Neira Ayuso
On Wed, Feb 11, 2015 at 08:33:05PM +0800, kbuild test robot wrote: > net/netfilter/xt_set.c:196:9-10: WARNING: return of 0/1 in function > 'set_match_v3' with return type bool > net/netfilter/xt_set.c:242:9-10: WARNING: return of 0/1 in function > 'set_match_v4' with return type bool > > Return

Re: [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments

2015-01-12 Thread Pablo Neira Ayuso
On Mon, Jan 12, 2015 at 04:38:16PM +0530, Rahul Sharma wrote: > Hi Pablo, Hannes > > On Fri, Jan 9, 2015 at 9:20 PM, Hannes Frederic Sowa > wrote: > > On Fr, 2015-01-09 at 12:45 +0100, Pablo Neira Ayuso wrote: > >> Hi Hannes, > >> > >> On Fri, Jan

Re: [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments

2015-01-09 Thread Pablo Neira Ayuso
Hi Hannes, On Fri, Jan 09, 2015 at 12:34:15PM +0100, Hannes Frederic Sowa wrote: > On Fri, Jan 9, 2015, at 08:18, Rahul Sharma wrote: > > Hi Pablo, > > > > On Fri, Jan 9, 2015 at 5:35 AM, Pablo Neira Ayuso > > wrote: > > > On Thu, Jan 08, 2015 at 11:39:16

Re: [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments

2015-01-09 Thread Pablo Neira Ayuso
On Fri, Jan 09, 2015 at 12:48:24PM +0530, Rahul Sharma wrote: > Hi Pablo, > > On Fri, Jan 9, 2015 at 5:35 AM, Pablo Neira Ayuso wrote: > > On Thu, Jan 08, 2015 at 11:39:16PM +0100, Hannes Frederic Sowa wrote: > >> Hi Pablo, > >> > >> On Thu, Jan

Re: [PATCH net v2] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments

2015-01-09 Thread Pablo Neira Ayuso
On Fri, Jan 09, 2015 at 06:53:06PM +0900, YOSHIFUJI Hideaki wrote: > Hi, > > Rahul Sharma wrote: > >ipv6_find_hdr() currently assumes that the next-header field in the > >fragment header of the non-first fragment is the "protocol number of > >the last header" (here last header excludes any extensi

Re: [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments

2015-01-08 Thread Pablo Neira Ayuso
On Thu, Jan 08, 2015 at 11:39:16PM +0100, Hannes Frederic Sowa wrote: > Hi Pablo, > > On Thu, Jan 8, 2015, at 21:53, Pablo Neira Ayuso wrote: > > I'm afraid we cannot just get rid of that !ipv6_ext_hdr() check. The > > ipv6_find_hdr() function is designed to ret

Re: [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments

2015-01-08 Thread Pablo Neira Ayuso
On Thu, Jan 08, 2015 at 09:53:28PM +0100, Pablo Neira Ayuso wrote: > On Wed, Jan 07, 2015 at 11:43:16AM +0100, Hannes Frederic Sowa wrote: > > > >> @@ -250,9 +251,7 @@ int ipv6_find_hdr(const struct sk_buff * > > > >> > > > >>

Re: [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments

2015-01-08 Thread Pablo Neira Ayuso
On Wed, Jan 07, 2015 at 11:43:16AM +0100, Hannes Frederic Sowa wrote: > > >> @@ -250,9 +251,7 @@ int ipv6_find_hdr(const struct sk_buff * > > >> > > >> _frag_off = ntohs(*fp) & ~0x7; > > >> if (_frag_off) { > > >> - if (t

Re: [PATCH net] ipv6: Prevent ipv6_find_hdr() from returning ENOENT for valid non-first fragments

2015-01-06 Thread Pablo Neira Ayuso
On Wed, Jan 07, 2015 at 03:03:20AM +0530, Rahul Sharma wrote: > ipv6_find_hdr() currently assumes that the next-header field in the > fragment header of the non-first fragment is the "protocol number of > the last header" (here last header excludes any extension header > protocol numbers ) which is

Re: [PATCH next] net: netfilter: nfnetlink_cthelper: Remove 'const' and '&' to avoid warnings

2015-01-05 Thread Pablo Neira Ayuso
On Wed, Dec 24, 2014 at 11:04:54PM +0800, Chen Gang wrote: > The related code can be simplified, and also can avoid related warnings > (with allmodconfig under parisc): > > CC [M] net/netfilter/nfnetlink_cthelper.o > net/netfilter/nfnetlink_cthelper.c: In function ‘nfnl_cthelper_from_nlattr

Re: [PATCH v2] nftables: nft_flush_table: handle chain dependencies

2015-01-05 Thread Pablo Neira Ayuso
On Sat, Dec 27, 2014 at 12:39:25AM +, Asbjoern Sloth Toennesen wrote: > Update: I erroneously assumed that git add, while writing the commit > message, would be added to the commit. > Based on net-next f96fe225. Compiles and checkpatch clean. > > Jumping between chains doesn't mix well with flush

Re: [PATCH 1/1 net-next] netfilter: remove unnecessary sizeof(char)

2014-12-23 Thread Pablo Neira Ayuso
On Mon, Dec 22, 2014 at 07:36:15PM +0100, Fabian Frederick wrote: > sizeof(char) is always 1. Applied, thanks. Made a small change on it: > Suggested-by: Joe Perches > Signed-off-by: Fabian Frederick > --- > net/netfilter/nf_log.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > d

Re: [PATCH netfilter-next] xt_osf: Use continue to reduce indentation

2014-12-23 Thread Pablo Neira Ayuso
On Wed, Dec 17, 2014 at 11:51:25AM +0300, Evgeniy Polyakov wrote: > Hi everyone > > 16.12.2014, 23:17, "Joe Perches" : > > Invert logic in test to use continue. > > > > This routine already uses continue, use it a bit more to > > minimize > 80 column long lines and unnecessary indentation. > > > >

Re: [PATCH 3.17 122/122] netfilter: conntrack: fix race in __nf_conntrack_confirm against get_next_corpse

2014-12-07 Thread Pablo Neira Ayuso
case > race occurred, re-add the CT to the dying list. > > While at this, fix coding style of the comment that has been > updated. > > Fixes: 93bb0ceb75be2 ("netfilter: conntrack: remove central spinlock > nf_conntrack_lock") > Reported-by: bill bonaparte > Signed

Re: [PATCH 1/1] bridge: Fix NAT66ed IPv6 packets not being bridged correctly

2014-11-28 Thread Pablo Neira Ayuso
On Thu, Nov 27, 2014 at 08:26:30PM +0100, Bernhard Thaler wrote: > Hi, > > I tested Sven's patch in my setup and I think it should be safe to use > it. It is shorter and cleaner written and he submitted it earlier. Thanks for testing. > I will be happy to assist you or Sven if any further work i

Re: [PATCH] nf_log_ipv6: correct typo in module description

2014-11-28 Thread Pablo Neira Ayuso
On Thu, Nov 27, 2014 at 10:22:19PM -0800, Steven Noonan wrote: > It incorrectly identifies itself as "IPv4" packet logging. Applied. Please, Cc netfilter-de...@vger.kernel.org in your future patches. Thanks. > Signed-off-by: Steven Noonan > --- > net/ipv6/netfilter/nf_log_ipv6.c | 2 +- > 1 f

Re: [PATCH v2] net: netfilter: Fix undefined reference to nf_nat_redirect_* functions

2014-11-26 Thread Pablo Neira Ayuso
On Wed, Nov 26, 2014 at 11:33:19AM +0100, Andreas Ruprecht wrote: > Sure. > > When the file is compiled, i.e. CONFIG_NETFILTER_XT_TARGET_REDIRECT is > selected, all headers will be included and all functions inside the file > will be compiled, regardless of other Kconfig options. > > This means r

Re: linux-next: manual merge of the net-next tree with the vfs tree

2014-11-25 Thread Pablo Neira Ayuso
On Tue, Nov 25, 2014 at 09:23:52AM -0200, Marcelo Ricardo Leitner wrote: > On 25-11-2014 00:42, Stephen Rothwell wrote: > >Hi all, > > > >Today's linux-next merge of the net-next tree got a conflict in > >net/netfilter/nf_log.c between commit e71456ae9871 ("netfilter: Remove > >checks of seq_printf

Re: [PATCH 1/1] netfilter: Deletion of unnecessary checks before two function calls

2014-11-20 Thread Pablo Neira Ayuso
On Thu, Nov 20, 2014 at 10:13:59AM +0900, Simon Horman wrote: > On Thu, Nov 20, 2014 at 12:26:56AM +0200, Julian Anastasov wrote: > > > > Hello, > > > > On Tue, 18 Nov 2014, SF Markus Elfring wrote: > > > > > From: Markus Elfring > > > Date: Tue, 18 Nov 2014 20:37:05 +0100 > > > > > > The

Re: [PATCH 1/1] netfilter: Deletion of unnecessary checks before two function calls

2014-11-19 Thread Pablo Neira Ayuso
On Tue, Nov 18, 2014 at 08:47:31PM +0100, SF Markus Elfring wrote: > From: Markus Elfring > Date: Tue, 18 Nov 2014 20:37:05 +0100 > > The functions free_percpu() and module_put() test whether their argument > is NULL and then return immediately. Thus the test around the call is > not needed. @IP

Re: [BUG] index is out of range for nfnl_group2type[]

2014-11-14 Thread Pablo Neira Ayuso
rting. I think the attached patch fixes this problem. From 289a727f1561b4e228078d60235f77e88b350f84 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 14 Nov 2014 18:14:33 +0100 Subject: [PATCH] netfilter: nfnetlink: fix insufficient validation in nfnetlink_bind Make sure the netlink

Re: [PATCH -next 2/2] seq_putc: Convert to return void and convert uses too.

2014-11-12 Thread Pablo Neira Ayuso
in case you need this for the netfilter chunks: Acked-by: Pablo Neira Ayuso Thanks.

Re: [PATCH 3/8] netfilter: Convert print_tuple functions to return void

2014-11-05 Thread Pablo Neira Ayuso
arious > print_tuple/_print_tuple functions. > > Link: > http://lkml.kernel.org/p/f2e8cf8df433a197daa62cbaf124c900c708edc7.1412031505.git@perches.com > > Cc: Pablo Neira Ayuso > Cc: Patrick McHardy > Cc: Jozsef Kadlecsik > Cc: netfilter-de...@vger.kernel.org > Cc: c

Re: [RFA][PATCH 2/8] netfilter: Remove return values for print_conntrack callbacks

2014-11-04 Thread Pablo Neira Ayuso
On Tue, Nov 04, 2014 at 09:31:50AM -0500, Steven Rostedt wrote: > On Tue, 4 Nov 2014 15:22:36 +0100 > Pablo Neira Ayuso wrote: > > > On Tue, Nov 04, 2014 at 08:05:35AM -0500, Steven Rostedt wrote: > > > On Wed, 29 Oct 2014 17:56:04 -0400 > > > Steven Rostedt wr

Re: [RFA][PATCH 2/8] netfilter: Remove return values for print_conntrack callbacks

2014-11-04 Thread Pablo Neira Ayuso
ked-by for this? If Florian's concern were addressed, then: Acked-by: Pablo Neira Ayuso to this patch and 4/8.

Re: [PATCH] netfilter: xt_hashlimit: Enhance the xt_hashlimit to avoid duplicated codes

2014-10-21 Thread Pablo Neira Ayuso
On Tue, Oct 21, 2014 at 11:23:16PM +0800, Feng Gao wrote: > Hi all, > > Enhance the functions "dsthash_alloc_init" and "hashlimit_mt" in file > "xt_hashlimit.c" to avoid two duplicated codes following: > > - dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); > - rateinfo

Re: [GIT] Networking

2014-10-20 Thread Pablo Neira Ayuso
On Sun, Oct 19, 2014 at 09:03:14PM -0400, David Miller wrote: > From: Linus Torvalds > Date: Sun, 19 Oct 2014 17:32:15 -0700 > > > Looks like the module license issue was just overlooked when moving > > the code out in commit c8d7b98bec43 ("netfilter: move nf_send_resetX() > > code to nf_reject_i

Re: nf_reject_ipv4: module license 'unspecified' taints kernel

2014-10-10 Thread Pablo Neira Ayuso
43faaa6583c3135030be5eb4693acb > Author: Pablo Neira Ayuso > Date: Fri Sep 26 14:35:15 2014 +0200 > > netfilter: move nf_send_resetX() code to nf_reject_ipvX modules > > Move nf_send_reset() and nf_send_reset6() to nf_reject_ipv4 and > nf_reject_ipv6 respe

Re: [PATCH 1/1] bridge: Fix NAT66ed IPv6 packets not being bridged correctly

2014-10-03 Thread Pablo Neira Ayuso
Hi Bernhard, Sorry for taking a bit to get back to you with feedback. We've been discussing recently some changes in br_netfilter. Basically, to modularize it [1] and this has taken a while. Regarding your change. Sven Eckelmann (CC'ed in this email) sent a RFC out of the merge window that have r

Re: [PATCH] netfilter: fix nf_conn_nat->masq_index visibility

2014-09-30 Thread Pablo Neira Ayuso
On Tue, Sep 30, 2014 at 01:27:50PM +0200, Arnd Bergmann wrote: > A recent change introduced the NF_NAT_MASQUERADE_IPV4/6 symbols and now > builds the masquerading code based on this symbol rather than the > IP_NF_TARGET_MASQUERADE symbol, however the nf_nat.h header file > still uses the old symbol

Re: mmotm 2014-09-25-16-28 uploaded (nf_nat_masquerade_ipv4.c)

2014-09-26 Thread Pablo Neira Ayuso
Hi Randy, On Fri, Sep 26, 2014 at 09:54:52AM -0700, Randy Dunlap wrote: > On 09/25/14 16:28, a...@linux-foundation.org wrote: > > The mm-of-the-moment snapshot 2014-09-25-16-28 has been uploaded to > > > >http://www.ozlabs.org/~akpm/mmotm/ > > > > mmotm-readme.txt says > > > > README for mm

Re: [Linux-kernel] [PATCH v2] net/netfilter/x_tables.c: use __seq_open_private()

2014-09-23 Thread Pablo Neira Ayuso
On Tue, Sep 23, 2014 at 06:46:27PM +0100, Ben Hutchings wrote: > On Tue, 2014-09-23 at 18:05 +0100, Rob Jones wrote: > > Reduce boilerplate code by using __seq_open_private() instead of seq_open() > > in xt_match_open() and xt_target_open(). > > > > Signed-off-by: Rob Jones > > --- > > > > This

Re: randconfig build error with next-20140911, in net/ipv6/netfilter/nf_nat_masquerade_ipv6.c

2014-09-11 Thread Pablo Neira Ayuso
de_ipv6.o] Error 1 Patch attached, thanks for reporting. From bc96cd5a3f47e9a6401bc5fb0f7b26145271f6a0 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 11 Sep 2014 16:55:04 +0200 Subject: [PATCH nf-next] netfilter: fix compilation of masquerading without IP_NF_TARGET_MASQUERADE MIME-Ver

Re: [PATCH] netfilter: xtables: Remove unnecessary initialization of struct ts_state

2014-09-09 Thread Pablo Neira Ayuso
On Mon, Sep 08, 2014 at 09:51:12AM +0200, Bojan Prtvar wrote: > The skb_find_text() accepts uninitialized textsearch state variable. Applied, thanks.

Re: [PATCH v10 net-next 2/2] net: filter: split filter.h and expose eBPF to user space

2014-09-07 Thread Pablo Neira Ayuso
On Sat, Sep 06, 2014 at 09:04:23AM -0700, Alexei Starovoitov wrote: > On Sat, Sep 6, 2014 at 7:10 AM, Pablo Neira Ayuso wrote: > > On Thu, Sep 04, 2014 at 10:17:18PM -0700, Alexei Starovoitov wrote: > >> allow user space to generate eBPF programs > >> > >> ua

Re: [PATCH v10 net-next 2/2] net: filter: split filter.h and expose eBPF to user space

2014-09-06 Thread Pablo Neira Ayuso
On Thu, Sep 04, 2014 at 10:17:18PM -0700, Alexei Starovoitov wrote: > allow user space to generate eBPF programs > > uapi/linux/bpf.h: eBPF instruction set definition > > linux/filter.h: the rest > > This patch only moves macro definitions, but practically it freezes existing > eBPF instruction

Re: 3.16/3.16.1: Kernel Oops in nft_do_chain

2014-09-02 Thread Pablo Neira Ayuso
tteo Croce Signed-off-by: Pablo Neira Ayuso I think it's the root cause for this problem. > c7ff3c30 c7ff3d98 > [ 191.490095] NIP [c02f9924] nft_do_chain+0x438/0x4f4 > [ 191.494890] LR [c0365b54] nft_do_chain_ipv4+0x6c/0x7c > [ 191.499833] Call Trace: > [ 191.502295]

Re: [PATCH V2 1/1] netfilter/jump_label: HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL

2014-08-25 Thread Pablo Neira Ayuso
On Fri, Aug 22, 2014 at 10:40:15AM +0800, Zhouyi Zhou wrote: > Use HAVE_JUMP_LABEL as elsewhere in the kernel to ensure > that the toolchain has the required support in addition to > CONFIG_JUMP_LABEL being set. Applied, thanks.

Re: [PATCH 4/5] netfilter: nf_tables: fix error return code

2014-08-11 Thread Pablo Neira Ayuso
On Thu, Aug 07, 2014 at 02:49:08PM +0200, Julia Lawall wrote: > From: Julia Lawall > > Convert a zero return value on error to a negative one, as returned > elsewhere in the function. Applied, thanks Julia.

Re: [PATCH v4 net-next 5/5] net: filter: split 'struct sk_filter' into socket and bpf parts

2014-08-01 Thread Pablo Neira Ayuso
On Fri, Aug 01, 2014 at 09:50:31AM -0700, Alexei Starovoitov wrote: > On Fri, Aug 1, 2014 at 9:06 AM, Pablo Neira Ayuso wrote: > > On Thu, Jul 31, 2014 at 02:02:19PM -0700, Alexei Starovoitov wrote: > >> On Thu, Jul 31, 2014 at 12:40 PM, Pablo Neira Ayuso > >> wrote:

Re: [PATCH v4 net-next 5/5] net: filter: split 'struct sk_filter' into socket and bpf parts

2014-08-01 Thread Pablo Neira Ayuso
On Thu, Jul 31, 2014 at 02:02:19PM -0700, Alexei Starovoitov wrote: > On Thu, Jul 31, 2014 at 12:40 PM, Pablo Neira Ayuso > wrote: > > On Wed, Jul 30, 2014 at 08:34:16PM -0700, Alexei Starovoitov wrote: > >> clean up names related to socket filtering and bpf

Re: [PATCH v4 net-next 5/5] net: filter: split 'struct sk_filter' into socket and bpf parts

2014-07-31 Thread Pablo Neira Ayuso
On Wed, Jul 30, 2014 at 08:34:16PM -0700, Alexei Starovoitov wrote: > clean up names related to socket filtering and bpf in the following way: > - everything that deals with sockets keeps 'sk_*' prefix > - everything that is pure BPF is changed to 'bpf_*' prefix > > split 'struct sk_filter' into >

Re: [PATCH v3 net-next] net: filter: cleanup sk_* and bpf_* names

2014-07-29 Thread Pablo Neira Ayuso
On Tue, Jul 29, 2014 at 08:55:04AM -0700, Alexei Starovoitov wrote: > > I don't think this is the right moment to add this, but we have to > > keep in mind that something similar to this will need to be > > accommodated in struct sk_filter at some point to avoid sloppy changes > > that may result in

Re: [PATCH v3 net-next] net: filter: cleanup sk_* and bpf_* names

2014-07-29 Thread Pablo Neira Ayuso
On Mon, Jul 28, 2014 at 11:29:40PM -0700, Alexei Starovoitov wrote: > clean up names related to socket filtering and bpf in the following way: > - everything that deals with sockets keeps 'sk_*' prefix > - everything that is pure BPF is changed to 'bpf_*' prefix > > API for attaching classic BPF t

Re: [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-28 Thread Pablo Neira Ayuso
On Sat, Jul 26, 2014 at 10:41:04PM -0700, Alexei Starovoitov wrote: > On Fri, Jul 25, 2014 at 3:17 PM, Pablo Neira Ayuso > wrote: > > The struct sk_filter is almost providing the generic framework, it > > just needs to be generalized, a quick layout for it: > &

Re: [PATCH v2 net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-26 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 12:11:09PM -0700, Alexei Starovoitov wrote: > 'sk_filter' name is used as 'struct sk_filter', function sk_filter() and > as variable 'sk_filter', which makes code hard to read. > Also it's easily confused with 'struct sock_filter' > Rename 'struct sk_filter' to 'struct bpf_p

Re: [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 02:50:32PM -0400, Willem de Bruijn wrote: > On Fri, Jul 25, 2014 at 2:43 PM, Alexei Starovoitov wrote: > > On Fri, Jul 25, 2014 at 11:32 AM, Willem de Bruijn > > wrote: > This follows a convention in include/uapi/linux/netfilter/*.h that > likely predates the in

Re: [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 10:24:29AM -0700, Alexei Starovoitov wrote: > On Fri, Jul 25, 2014 at 6:00 AM, Daniel Borkmann wrote: > > On 07/25/2014 01:54 PM, Pablo Neira Ayuso wrote: > >> > >> On Fri, Jul 25, 2014 at 01:25:35PM +0200, Daniel Borkmann wrote: > >>

Re: [PATCH] [linux-next] netfilter: kill remnants of ulog targets

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 02:25:31PM +0200, Paul Bolle wrote: > The ulog targets were recently killed. A few references to the Kconfig > macros CONFIG_IP_NF_TARGET_ULOG and CONFIG_BRIDGE_EBT_ULOG were left > untouched. Kill these too. Those were my fault, applied, thanks Paul.

Re: [PATCH] netfilter: nf_conntrack: remove exceptional & on function name

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 01:47:16AM +0530, Himangi Saraogi wrote: > In this file, function names are otherwise used as pointers without &. > > A simplified version of the Coccinelle semantic patch that makes this > change is as follows: > > // > @r@ > identifier f; > @@ > > f(...) { ... } > >

Re: [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 01:25:35PM +0200, Daniel Borkmann wrote: > [ also Cc'ing Willem, Pablo ] > > On 07/25/2014 10:04 AM, Alexei Starovoitov wrote: > >'sk_filter' name is used as 'struct sk_filter', function sk_filter() and > >as variable 'sk_filter', which makes code hard to read. > >Also it's

Re: net/netfilter/xt_LOG.c:43: error: format not a string literal and no format arguments

2014-06-30 Thread Pablo Neira Ayuso
> > 8cdb46da Hans Schillstrom 2013-05-15 36 struct net *net = > > dev_net(par->in ? par->in : par->out); > > 6939c33a Richard Weinberger 2012-02-10 37 > > 6939c33a Richard Weinberger 2012-02-10 38 li.type = NF_LOG_TYPE_LOG; > > 6939c33a Richard Wei

Re: [PATCH 1/1] net/netfilter/nf_conntrack_netlink.c: remove null test before kfree

2014-06-25 Thread Pablo Neira Ayuso
On Fri, Jun 20, 2014 at 10:38:58PM +0200, Fabian Frederick wrote: > Fix checkpatch warning: > WARNING: kfree(NULL) is safe this check is probably not required Applied, thanks.

Re: [PATCH 2/5] netfilter: Fix format string mismatch in mangle_content_len()

2014-04-29 Thread Pablo Neira Ayuso
On Tue, Apr 29, 2014 at 03:21:21PM +0100, Patrick McHardy wrote: > On Tue, Apr 01, 2014 at 12:43:36AM +0900, Masanari Iida wrote: > > Fix format string mismatch in mangle_connect_len() > > All these patches seem like pointless noise to me. In none of these > cases can the value legitimately be neg

Re: [PATCH] netfilter: conntrack: initialize net.ct.generation

2014-04-14 Thread Pablo Neira Ayuso
On Sat, Apr 12, 2014 at 04:58:18PM -0400, David Miller wrote: > From: Andrey Vagin > Date: Fri, 11 Apr 2014 21:34:20 +0400 > > > [ 251.920788] INFO: trying to register non-static key. > > I'll let Pablo integrate this. Applied, thanks.

Re: [PATCH] [RFC] netfilter: ct: flush net_gre->keymap_list only in nf_conntrack_proto_gre

2014-04-08 Thread Pablo Neira Ayuso
On Tue, Apr 08, 2014 at 10:56:00AM +0400, Andrew Vagin wrote: > On Mon, Apr 07, 2014 at 04:51:58PM +0200, Pablo Neira Ayuso wrote: > > On Mon, Mar 31, 2014 at 06:14:18PM +0400, Andrey Vagin wrote: > > > nf_ct_gre_keymap_flush() removes a nf_ct_gre_keymap object from > > &g

Re: [PATCH] [RFC] netfilter: ct: flush net_gre->keymap_list only in nf_conntrack_proto_gre

2014-04-07 Thread Pablo Neira Ayuso
On Mon, Mar 31, 2014 at 06:14:18PM +0400, Andrey Vagin wrote: > nf_ct_gre_keymap_flush() removes a nf_ct_gre_keymap object from > net_gre->keymap_list and frees the object. But it doesn't clean > a reference on this object from ct_pptp_info->keymap[dir]. > Then nf_ct_gre_keymap_destroy() may releas
