Re: [PATCH 2/7][RFC] netfilter: add xt_qtaguid matching module

2012-09-23 Thread Pablo Neira Ayuso
Hi John, Cc'ing netfilter-devel (better than only netdev, to attract the attention from other Netfilter hacker fellows). Some comments on this: On Fri, Sep 21, 2012 at 10:10:48PM -0400, John Stultz wrote: From: JP Abgrall j...@google.com This module allows tracking stats at the socket level

Re: [PATCH 6/7][RFC] netfilter: xt_IDLETIMER: Add new netlink msg type

2012-09-23 Thread Pablo Neira Ayuso
On Fri, Sep 21, 2012 at 10:10:52PM -0400, John Stultz wrote: From: JP Abgrall j...@google.com Send notifications when the label becomes active after an idle period. Send netlink message notifications in addition to sysfs notifications. Using a uevent with subsystem=xt_idletimer

Re: amd64, v3.6.0: Kernel panic + BUG at net/netfilter/nf_conntrack_core.c:220!

2012-10-11 Thread Pablo Neira Ayuso
On Thu, Oct 11, 2012 at 11:27:33PM +0200, Borislav Petkov wrote: On Thu, Oct 11, 2012 at 12:13:33PM -0700, Ian Applegate wrote: On machines serving mainly http traffic we are seeing the following panic, which is not yet reproducible. Must be this BUG_ON: if

Re: [PATCH] netfilter: use PTR_RET

2012-10-29 Thread Pablo Neira Ayuso
On Mon, Oct 29, 2012 at 08:40:44AM +0800, Fengguang Wu wrote: Use PTR_RET rather than if(IS_ERR(...)) + PTR_ERR Generated by: coccinelle/api/ptr_ret.cocci Applied, thanks. I have collapsed this patch and the one for ipv6/iptable_nat.c. They are pretty small and description is the same. -- To

Re: amd64, v3.6.0: Kernel panic + BUG at net/netfilter/nf_conntrack_core.c:220!

2012-10-16 Thread Pablo Neira Ayuso
On Fri, Oct 12, 2012 at 01:32:06AM +0200, Pablo Neira Ayuso wrote: On Thu, Oct 11, 2012 at 11:27:33PM +0200, Borislav Petkov wrote: On Thu, Oct 11, 2012 at 12:13:33PM -0700, Ian Applegate wrote: On machines serving mainly http traffic we are seeing the following panic, which is not yet

Re: [PATCH] ipv4: netfilter: use PTR_RET instead of IS_ERR + PTR_ERR

2013-03-15 Thread Pablo Neira Ayuso
On Tue, Mar 12, 2013 at 08:07:55PM +0200, Silviu-Mihai Popescu wrote: This uses PTR_RET instead of IS_ERR and PTR_ERR in order to increase readability. Applied, thanks.

Re: [PATCH] bridge: netfilter: use PTR_RET instead of IS_ERR + PTR_ERR

2013-03-15 Thread Pablo Neira Ayuso
On Tue, Mar 12, 2013 at 08:11:33PM +0200, Silviu-Mihai Popescu wrote: This uses PTR_RET instead of IS_ERR and PTR_ERR in order to increase readability. Also applied, thanks.

Re: [PATCH] netfilter: nf_conntrack: Batch cleanup

2013-03-19 Thread Pablo Neira Ayuso
On Thu, Mar 14, 2013 at 01:40:14PM +0400, Vladimir Davydov wrote: The patch introduces nf_conntrack_cleanup_net_list(), which cleanups nf_conntrack for a list of netns and calls synchronize_net() only once for them all. This should reduce netns destruction time. Applied, thanks.

Re: [PATCH] netfilter: remove unused config IP_NF_QUEUE

2013-03-19 Thread Pablo Neira Ayuso
On Wed, Mar 20, 2013 at 12:09:59AM +0100, Paul Bolle wrote: Kconfig symbol IP_NF_QUEUE is unused since commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 (netfilter: remove ip_queue support). Let's remove it too. Applied, thanks for catching up this leftover. -- To unsubscribe from this list:

Re: Android netfilter patches (xt_IDLETIMER) [1/3]

2013-03-26 Thread Pablo Neira Ayuso
Hi Dmitry, On Mon, Mar 25, 2013 at 11:09:06PM +0100, dmitry pervushin wrote: Fix the case in which timer has expired and we refresh it without sending the notification Signed-off-by: Ashish Sharma ashishsha...@google.com Signed-off-by: JP Abgrall j...@google.com Signed-off-by: John Stultz

Re: Android netfilter patches (xt_IDLETIMER) [2/3]

2013-03-26 Thread Pablo Neira Ayuso
On Mon, Mar 25, 2013 at 11:09:16PM +0100, dmitry pervushin wrote: Send notifications when the label becomes active after an idle period. Send netlink message notifications in addition to sysfs notifications. Using a uevent with subsystem=xt_idletimer INTERFACE=...

Re: [PATCH] netfilter: nfnetlink: silence warning if CONFIG_PROVE_RCU isn't set

2013-03-04 Thread Pablo Neira Ayuso
On Mon, Mar 04, 2013 at 01:45:41PM +0100, Paul Bolle wrote: Since commit c14b78e7decd0d1d5add6a4604feb8609fe920a9 (netfilter: nfnetlink: add mutex per subsystem) building nfnetlink.o without CONFIG_PROVE_RCU set, triggers this GCC warning: net/netfilter/nfnetlink.c:65:22: warning:

Re: [PATCH] net: netfilter: nfnetlink: Fixed warning for nfnl_get_lock

2013-03-04 Thread Pablo Neira Ayuso
On Mon, Mar 04, 2013 at 10:05:51PM +0100, Borislav Petkov wrote: On Mon, Mar 04, 2013 at 09:43:11PM +0200, Alexandru Gheorghiu wrote: Removed unused function nfnl_get_lock which fixed the following warning: net/netfilter/nfnetlink.c:65:22: warning: ‘nfnl_get_lock’ defined but not used

Re: [PATCH nf-next] netfilter: nf_ct_reasm: fix per-netns sysctl initialization

2013-02-13 Thread Pablo Neira Ayuso
On Wed, Feb 13, 2013 at 10:46:09AM +0100, Michal Kubecek wrote: Adjusting of data pointers in net/netfilter/nf_conntrack_frag6_* sysctl table for other namespaces points to wrong netns_frags structure and has reversed order of entries. Problem introduced by commit c038a767cd69 in 3.7-rc1

Re: [PATCH] netfilter: fix missing dependencies for NETFILTER_XT_MATCH_CONNLABEL

2013-02-04 Thread Pablo Neira Ayuso
On Sun, Feb 03, 2013 at 08:04:35AM -0800, Randy Dunlap wrote: On 02/03/13 03:24, Florian Westphal wrote: It was possible to set NF_CONNTRACK=n NF_CONNTRACK_LABELS=y via NETFILTER_XT_MATCH_CONNLABEL=y: warning: (NETFILTER_XT_MATCH_CONNLABEL) selects NF_CONNTRACK_LABELS which has

Re: [ 82/89] netfilter: xt_hashlimit: fix race that results in duplicated entries

2013-02-01 Thread Pablo Neira Ayuso
On Fri, Feb 01, 2013 at 11:04:36PM +0800, Feng Gao wrote: Hi Greg, I have a question. There are two duplicated lines now. dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); rateinfo_recalc(dh, now, hinfo->cfg.mode); 1#

Re: [ 82/89] netfilter: xt_hashlimit: fix race that results in duplicated entries

2013-02-01 Thread Pablo Neira Ayuso
On Sat, Feb 02, 2013 at 12:56:17AM +0800, Feng Gao wrote: [...] So I wonder How could I commit the patch to kernel directly or how to let owner could adopt my fix directly next time? There is no file owners in the Linux kernel, we have subsystem maintainers that take care of entire source code

Re: [PATCH v4] netfilter: nf_conntrack_sip: Handle Cisco 7941/7945 IP phones

2013-01-17 Thread Pablo Neira Ayuso
On Mon, Dec 17, 2012 at 08:33:58PM -0800, Kevin Cernekee wrote: Most SIP devices use a source port of 5060/udp on SIP requests, so the response automatically comes back to port 5060: phone_ip:5060 -> proxy_ip:5060 REGISTER proxy_ip:5060 -> phone_ip:5060 100 Trying The newer

Re: skb->h not initialized

2006-12-28 Thread Pablo Neira Ayuso
Jan Engelhardt wrote: while writing a netfilter match module I found that, when run, skb->h.th is not set to the TCP header (it is assured that the packet _is_ TCP), as this printk shows me: skb: h.th=cb5bc4dc nh.iph=cb5bc4dc mac.raw=cb5bc4ce head=cb5bc400 data=cb5bc4dc tail=cb5bc510

Re: linux-next: Tree for Sept 18 (netfilter)

2012-09-18 Thread Pablo Neira Ayuso
78c2b7d8b8978e77fde5b11b3f27a0cd1031fe94 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso pa...@netfilter.org Date: Tue, 18 Sep 2012 21:03:39 +0200 Subject: [PATCH] netfilter: fix IPv6 NAT dependencies in Kconfig * NF_NAT_IPV6 requires IP6_NF_IPTABLES * IP6_NF_TARGET_MASQUERADE, IP6_NF_TARGET_NETMAP, IP6_NF_TARGET_REDIRECT

Re: xt_nat_init: BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0

2012-09-13 Thread Pablo Neira Ayuso
: registering with nfnetlink. [1.836202] BUG: unable to handle kernel NULL pointer dereference at 00e0 [1.837539] IP: [81a19123] mutex_lock_interruptible+0x23/0x70 Should be fixed by commit 00545bec9412d130c77f72a08d6c8b6ad21d4a1e Author: Pablo Neira Ayuso pa

Re: [PATCH 1/7] ipvs: fix error return code

2012-08-29 Thread Pablo Neira Ayuso
On Wed, Aug 29, 2012 at 06:49:11PM +0200, Julia Lawall wrote: From: Julia Lawall julia.law...@lip6.fr Initialize return variable before exiting on an error path. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // smpl (

Re: [PATCH 7/7] net/netfilter/nf_conntrack_netlink.c: fix error return code

2012-08-29 Thread Pablo Neira Ayuso
On Wed, Aug 29, 2012 at 06:49:16PM +0200, Julia Lawall wrote: From: Julia Lawall julia.law...@lip6.fr Initialize return variable before exiting on an error path. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // smpl (

Re: [PATCH 6/7] net/netfilter/nfnetlink_log.c: fix error return code

2012-08-29 Thread Pablo Neira Ayuso
On Wed, Aug 29, 2012 at 06:49:17PM +0200, Julia Lawall wrote: From: Julia Lawall julia.law...@lip6.fr Initialize return variable before exiting on an error path. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // smpl (

Re: [PATCH 1/2] netfilter: pass 'nf_hook_ops' instead of 'list_head' to nf_iterate()

2012-09-03 Thread Pablo Neira Ayuso
On Thu, Aug 23, 2012 at 01:59:57PM +0800, Michael Wang wrote: From: Michael Wang wang...@linux.vnet.ibm.com Since 'list_for_each_continue_rcu' has already been replaced by 'list_for_each_entry_continue_rcu', pass 'list_head' to nf_iterate() as a parameter can not benefit us any more. This

Re: [PATCH 2/2] netfilter: pass 'nf_hook_ops' instead of 'list_head' to nf_queue()

2012-09-03 Thread Pablo Neira Ayuso
On Thu, Aug 23, 2012 at 02:00:06PM +0800, Michael Wang wrote: From: Michael Wang wang...@linux.vnet.ibm.com Since 'list_for_each_continue_rcu' has already been replaced by 'list_for_each_entry_continue_rcu', pass 'list_head' to nf_queue() as a parameter can not benefit us any more. This

Re: [PATCH 3/3] netfilter: replace list_for_each_continue_rcu with new interface

2012-08-22 Thread Pablo Neira Ayuso
On Fri, Aug 17, 2012 at 12:33:39PM +0800, Michael Wang wrote: From: Michael Wang wang...@linux.vnet.ibm.com This patch replaces list_for_each_continue_rcu() with list_for_each_entry_continue_rcu() to allow removing list_for_each_continue_rcu(). Applied, thanks.

Re: [PATCH] netfilter: PTR_RET can be used

2012-08-20 Thread Pablo Neira Ayuso
On Sun, Jul 29, 2012 at 08:14:49PM +0800, Fengguang Wu wrote: --- linux.orig/net/bridge/netfilter/ebtable_filter.c 2012-07-29 08:41:09.703759534 +0800 +++ linux/net/bridge/netfilter/ebtable_filter.c 2012-07-29 08:41:14.255759643 +0800 @@ -100,9 +100,7 @@ static struct

Re: problem: [PATCH] iptable_REJECT doesn't constructs the tcp reset packet cleanly

2012-12-10 Thread Pablo Neira Ayuso
Hi Mukund, On Mon, Dec 10, 2012 at 12:48:49PM -0800, Mukund Jampala wrote: problem description: The problem occurs when iptables constructs the tcp reset packet. It doesn't initialize the pointer to the tcp header within the skb. When the skb is passed to the ixgbe driver for transmit, the

Re: [PATCH] netfilter: Don't leak 'exp' in ctnetlink_create_expect()

2012-12-26 Thread Pablo Neira Ayuso
On Wed, Dec 26, 2012 at 10:49:40PM +0100, Jesper Juhl wrote: 'if ((!help) && (!cda[CTA_EXPECT_TIMEOUT]))' then we should remember to free 'exp' that was allocated by 'nf_ct_expect_alloc()' by jumping to the 'err_out' label rather than the 'out' label in ctnetlink_create_expect(). This patch

Re: linux-next: Tree for Jan 2 (netfilter)

2013-01-02 Thread Pablo Neira Ayuso
Hi, On Wed, Jan 02, 2013 at 10:39:43AM -0800, Randy Dunlap wrote: On 01/01/13 20:12, Stephen Rothwell wrote: Hi all, Changes since 20121224: when NF_CONNTRACK is not enabled (build was on i386): CC [M] net/netfilter/xt_CT.o In file included from net/netfilter/xt_CT.c:16:0:

Re: linux-next: Tree for Jan 2 (netfilter)

2013-01-02 Thread Pablo Neira Ayuso
On Thu, Jan 03, 2013 at 02:35:59AM +0100, Pablo Neira Ayuso wrote: when NF_CONNTRACK is not enabled (build was on i386): CC [M] net/netfilter/xt_CT.o In file included from net/netfilter/xt_CT.c:16:0: include/net/netfilter/nf_conntrack.h:77:22: error: field 'ct_general' has

Re: problem: [PATCH] iptable_REJECT doesn't constructs the tcp reset packet cleanly

2012-12-16 Thread Pablo Neira Ayuso
On Tue, Dec 11, 2012 at 01:58:02AM +0100, Pablo Neira Ayuso wrote: [...] On Mon, Dec 10, 2012 at 12:48:49PM -0800, Mukund Jampala wrote: problem description: The problem occurs when iptables constructs the tcp reset packet. It doesn't initialize the pointer to the tcp header within the skb

Re: [PATCH v3] netfilter: nf_conntrack_sip: Handle Cisco 7941/7945 IP phones

2012-12-16 Thread Pablo Neira Ayuso
Hi David, On Mon, Dec 17, 2012 at 12:17:21AM +, David Woodhouse wrote: On Mon, 2010-11-22 at 08:52 +0100, Eric Dumazet wrote: On Sunday, 21 November 2010 at 18:40 -0800, Kevin Cernekee wrote: [v3: Only activate the new forced_dport logic if the IP matches, but the port does

Re: [PATCH v3] netfilter: nf_conntrack_sip: Handle Cisco 7941/7945 IP phones

2012-12-17 Thread Pablo Neira Ayuso
On Sun, Dec 16, 2012 at 11:26:31PM -0800, Kevin Cernekee wrote: On Sun, Dec 16, 2012 at 4:44 PM, Pablo Neira Ayuso pa...@netfilter.org wrote: What happened to this? OpenWRT is still carrying it, and it broke in 3.7. Here's a completely untested update... I requested Kevin to resend

Re: [PATCH] net: netfilter/xt_CT.c: fix uninitialized variable

2013-01-15 Thread Pablo Neira Ayuso
Hi Cong, On Tue, Jan 15, 2013 at 07:58:34PM +0100, Cong Ding wrote: If CONFIG_NF_CONNTRACK_ZONES is not defined, the variable ret might be uninitialized when it goes to err1 through line 125 and 263 respectively. So I change these goto err1 to return -EINVAL directly. This is already fixed in

Re: v3.8-rc3: uninitialized warnings in net/netfilter/xt_CT.c

2013-01-10 Thread Pablo Neira Ayuso
: In function ‘xt_ct_tg_check_v0’: net/netfilter/xt_CT.c:112:6: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized] Patch attached to address this issue. From 3ceaa3b1baa660aaeef63b86ea9771dcab6d0acd Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso pa...@netfilter.org Date

Re: v3.8-rc3: uninitialized warnings in net/netfilter/xt_CT.c

2013-01-10 Thread Pablo Neira Ayuso
On Thu, Jan 10, 2013 at 01:01:21PM +0100, Borislav Petkov wrote: On Thu, Jan 10, 2013 at 12:47:42PM +0100, Pablo Neira Ayuso wrote: Patch attached to address this issue. From 3ceaa3b1baa660aaeef63b86ea9771dcab6d0acd Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso pa...@netfilter.org

Re: [PATCH v3 11/11] netfilter: use ns_printk in iptable context

2013-08-07 Thread Pablo Neira Ayuso
Hi, On Wed, Aug 07, 2013 at 03:37:15PM +0800, Rui Xiang wrote: To containerise iptables log, use ns_printk to report individual logs to container as getting syslog_ns from net->user_ns. This patch is missing the removal of a couple of LOC at the very beginning of ipt_log_packet and

Re: linux-next: manual merge of the trivial tree

2013-10-16 Thread Pablo Neira Ayuso
On Wed, Oct 16, 2013 at 11:20:04AM +0200, Jiri Kosina wrote: On Wed, 16 Oct 2013, Jozsef Kadlecsik wrote: Today's linux-next merge of the trivial tree got conflicts in net/netfilter/xt_set.c caused by commits 3f79410 (treewide: Fix common typo in identify) and bd3129f

Re: [PATCH] netfilter: fix ordering of jumpstack allocation and table update

2013-10-18 Thread Pablo Neira Ayuso
On Thu, Oct 17, 2013 at 02:24:33PM +0100, Will Deacon wrote: During kernel stability testing on an SMP ARMv7 system, Yalin Wang reported the following panic from the netfilter code: 1fe0: 001c 5e2d3b10 4007e779 4009e110 6010 0032 ff565656 ff545454 [c06c48dc]

Re: netfilter: active obj WARN when cleaning up

2013-11-26 Thread Pablo Neira Ayuso
On Tue, Nov 26, 2013 at 02:11:57PM -0500, Sasha Levin wrote: Ping? I still see this warning. Did your test include patch 0c3c6c00c6? On 09/07/2013 09:10 AM, Sasha Levin wrote: Hi all, While fuzzing with trinity inside a KVM tools guest, running latest -next kernel, I've stumbled on the

Re: [PATCH RFC 0/9] socket filtering using nf_tables

2014-03-13 Thread Pablo Neira Ayuso
On Wed, Mar 12, 2014 at 08:29:07PM -0700, Alexei Starovoitov wrote: On Wed, Mar 12, 2014 at 2:15 AM, Pablo Neira Ayuso pa...@netfilter.org wrote: [...] The patches don't explain the reasons to do nft socket filtering. OK, some reasons from the interface point of view: 1) It provides

Re: [PATCH net-next 5/6] netfilter: Convert uses of __constant_foo to foo

2014-03-13 Thread Pablo Neira Ayuso
On Wed, Mar 12, 2014 at 03:28:55PM -0400, David Miller wrote: From: Joe Perches j...@perches.com Date: Wed, 12 Mar 2014 10:04:19 -0700 The use of __constant_foo has been unnecessary for quite awhile now. Make these uses consistent with the rest of the kernel. Signed-off-by: Joe

Re: [PATCH v10 net-next 1/3] filter: add Extended BPF interpreter and converter

2014-03-14 Thread Pablo Neira Ayuso
On Wed, Mar 12, 2014 at 02:43:32PM -0700, Alexei Starovoitov wrote: diff --git a/include/linux/filter.h b/include/linux/filter.h index e568c8ef896b..6e6aab5e062b 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -25,20 +25,45 @@ struct sock; struct sk_filter {

Re: [PATCH RFC 0/9] socket filtering using nf_tables

2014-03-14 Thread Pablo Neira Ayuso
On Fri, Mar 14, 2014 at 08:28:05AM -0700, Alexei Starovoitov wrote: On Thu, Mar 13, 2014 at 5:29 AM, Pablo Neira Ayuso pa...@netfilter.org wrote: On Wed, Mar 12, 2014 at 08:29:07PM -0700, Alexei Starovoitov wrote: On Wed, Mar 12, 2014 at 2:15 AM, Pablo Neira Ayuso pa...@netfilter.org

Re: [PATCH RFC 0/9] socket filtering using nf_tables

2014-03-15 Thread Pablo Neira Ayuso
On Fri, Mar 14, 2014 at 09:04:50PM -0700, Alexei Starovoitov wrote: [...] In the patches I sent, ebpf is _not_ exposed to the user. From your last patch: http://patchwork.ozlabs.org/patch/329713/ diff --git a/include/uapi/linux/filter.h b/include/uapi/linux/filter.h index

Re: [PATCH v10 net-next 1/3] filter: add Extended BPF interpreter and converter

2014-03-17 Thread Pablo Neira Ayuso
On Sat, Mar 15, 2014 at 08:53:55PM +0100, Daniel Borkmann wrote: On 03/14/2014 09:08 PM, David Miller wrote: From: Alexei Starovoitov a...@plumgrid.com Date: Fri, 14 Mar 2014 12:51:17 -0700 can you please explain why the status of these patches is 'deferred' in patchwork ? Is it because of

Re: [PATCH] net: inetfilter: LLVMLinux: vlais-netfilter

2014-03-07 Thread Pablo Neira Ayuso
On Thu, Mar 06, 2014 at 11:56:08AM -0800, beh...@converseincode.com wrote: From: Mark Charlebois charl...@gmail.com Replaced non-standard C use of Variable Length Arrays In Structs (VLAIS) in xt_repldata.h with a C99 compliant flexible array member and then calculated offsets to the other

Re: [PATCH RFC 0/9] socket filtering using nf_tables

2014-03-12 Thread Pablo Neira Ayuso
Hi! I'm going to reply to Daniel and you in the same email, see below. On Tue, Mar 11, 2014 at 10:59:42AM -0700, Alexei Starovoitov wrote: On Tue, Mar 11, 2014 at 3:29 AM, Daniel Borkmann dbork...@redhat.com wrote: On 03/11/2014 10:19 AM, Pablo Neira Ayuso wrote: Hi! The following

Re: [PATCH RFC 0/9] socket filtering using nf_tables

2014-03-12 Thread Pablo Neira Ayuso
On Wed, Mar 12, 2014 at 10:15:00AM +0100, Pablo Neira Ayuso wrote: 7/9: whole nft_expr_autoload() looks scary from security point of view. If I'm reading it correctly, the code will do request_module() based on userspace request to attach filter? Only root can invoke that code so far

Re: [PATCH] netfilter: nft_meta: fix typo CONFIG_NET_CLS_ROUTE

2014-02-14 Thread Pablo Neira Ayuso
On Wed, Feb 12, 2014 at 10:53:01AM +0100, Paul Bolle wrote: There are two checks for CONFIG_NET_CLS_ROUTE, but the corresponding Kconfig symbol was dropped in v2.6.39. Since the code guards access to dst_entry.tclassid it seems CONFIG_IP_ROUTE_CLASSID should be used instead. Applied, thanks.

Re: [PATCH 05/15] connection tracking helper for SLP

2013-05-07 Thread Pablo Neira Ayuso
-by: Jiri Slaby jsl...@suse.cz Cc: netfilter-de...@vger.kernel.org Cc: netfil...@vger.kernel.org Cc: coret...@netfilter.org Cc: net...@vger.kernel.org Cc: David S. Miller da...@davemloft.net Cc: Patrick McHardy ka...@trash.net Cc: Pablo Neira Ayuso pa...@netfilter.org --- net/netfilter

Re: [netlink] WARNING: at mm/vmalloc.c:1487 __vunmap()

2013-06-17 Thread Pablo Neira Ayuso
On Sat, Jun 15, 2013 at 06:01:19AM +0800, Fengguang Wu wrote: netlink: allow large data transfers from user-space [...] [ 65.085802] init: plymouth-upstart-bridge main process (345) terminated with status 1 [ 65.138243] [ cut here ] [ 65.140281] WARNING: at

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Pablo Neira Ayuso
-by: Pablo Neira Ayuso pa...@netfilter.org --- net/ipv4/netfilter/ipt_ULOG.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index ff4b781..32b0e97 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Pablo Neira Ayuso
On Mon, Jun 24, 2013 at 01:34:41PM +0200, Pablo Neira Ayuso wrote: On Mon, Jun 24, 2013 at 05:52:08PM +0800, Gao feng wrote: On 06/24/2013 05:41 PM, George Spelvin wrote: Please try the patch below, I think this bug is introduced by me :( Thanks! Well, you changed

Re: [PATCH 2/2] netfilter: idletimers - add send_nl_msg field

2013-04-25 Thread Pablo Neira Ayuso
Hi Dmitry, You got some feedback for this patch: https://patchwork.kernel.org/patch/2333851/ This patch still seems not to address some spots I already mentioned. Please, have a look at my previous email and let me know if you have any question. Thanks. On Sun, Apr 21, 2013 at 11:53:14AM +0200,

Re: [PATCH 1/2] netfilter: idletimers - fix the case of already expired timer

2013-04-25 Thread Pablo Neira Ayuso
Hi, Same thing with this patch: https://patchwork.kernel.org/patch/2333841/ Regards. On Sun, Apr 21, 2013 at 11:53:13AM +0200, dmitry pervushin wrote: From: dmitry pervushin dpervus...@gmail.com Fix the case in which timer has expired and we refresh it without sending the notification

Re: [PATCH ipvs-next v3 1/2] sched: add cond_resched_rcu() helper

2013-05-23 Thread Pablo Neira Ayuso
On Wed, May 22, 2013 at 02:50:31PM +0900, Simon Horman wrote: This is intended for use in loops which read data protected by RCU and may have a large number of iterations. Such an example is dumping the list of connections known to IPVS: ip_vs_conn_array() and ip_vs_conn_seq_next(). The

Re: [PATCH ipvs-next v3 2/2] ipvs: use cond_resched_rcu() helper when walking connections

2013-05-23 Thread Pablo Neira Ayuso
On Wed, May 22, 2013 at 02:50:32PM +0900, Simon Horman wrote: This avoids the situation where walking of a large number of connections may prevent scheduling for a long time while also avoiding excessive calls to rcu_read_unlock() and rcu_read_lock(). Note that in the case of

Re: [PATCH ipvs-next v3 0/2] sched: Add cond_resched_rcu_lock() helper

2013-05-23 Thread Pablo Neira Ayuso
On Wed, May 22, 2013 at 01:31:08AM -0700, David Miller wrote: From: Peter Zijlstra pet...@infradead.org Date: Wed, 22 May 2013 09:54:38 +0200 On Wed, May 22, 2013 at 02:50:30PM +0900, Simon Horman wrote: Add a helper that for use in loops which read data protected by RCU and may have a

Re: [PATCH -resend 4/6] netfilter: Implement RFC 1123 for FTP conntrack

2013-05-27 Thread Pablo Neira Ayuso
On Wed, May 22, 2013 at 02:59:10PM +0200, Jiri Slaby wrote: From: Jeff Mahoney je...@suse.com The FTP conntrack code currently only accepts the following format for the 227 response for PASV: 227 Entering Passive Mode (148,100,81,40,31,161). It doesn't accept the following format from

Re: [BUG 3.12.rc4] Oops: unable to handle kernel paging request during shutdown

2013-10-30 Thread Pablo Neira Ayuso
On Sun, Oct 27, 2013 at 08:39:47PM +, Linus Torvalds wrote: On Sun, Oct 27, 2013 at 8:20 PM, Linus Torvalds torva...@linux-foundation.org wrote: Appended is a warning I get with DEBUG_TIMER_OBJECTS. Seems to be a device-mapper issue. .. and here's another one. This time it looks

Re: [PATCH] netfilter: fix ordering of jumpstack allocation and table update

2013-10-22 Thread Pablo Neira Ayuso
On Mon, Oct 21, 2013 at 01:14:53PM +0100, Will Deacon wrote: On Fri, Oct 18, 2013 at 06:18:13PM +0100, Eric Dumazet wrote: On Fri, 2013-10-18 at 17:57 +0100, Will Deacon wrote: Hi Pablo, We also need fixes for net/ipv6/netfilter/ip6_tables.c and net/ipv4/netfilter/arp_tables.c

Re: linux-next: Tree for Oct 18 (netdev: nf_tables_bridge.c)

2013-10-27 Thread Pablo Neira Ayuso
for reporting. From 2724ade097d59aaa3879ca485ae0fd61994cbc38 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso pa...@netfilter.org Date: Mon, 28 Oct 2013 00:18:33 +0100 Subject: [PATCH] netfilter: bridge: fix nf_tables bridge dependencies with main core when CONFIG_NF_TABLES[_MODULE] is not enabled

Re: [PATCH] [RFC] netfilter: nf_conntrack: don't relase a conntrack with non-zero refcnt

2014-02-02 Thread Pablo Neira Ayuso
On Thu, Jan 16, 2014 at 10:23:01AM +0100, Florian Westphal wrote: Andrew Vagin ava...@parallels.com wrote: I think it would be nice if we could keep it that way. If everything fails we could probably introduce a 'larval' dummy list similar to the one used by template conntracks? I'm

Re: OOPS in nf_ct_unlink_expect_report using Polycom RealPresence Mobile

2014-02-03 Thread Pablo Neira Ayuso
Dobriyan adobri...@gmail.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/ipv4/netfilter/nf_nat_h323.c |5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c index 9eea059d..574f7eb 100644 --- a/net

Re: [PATCH] netfilter: nf_conntrack: fix RCU race in nf_conntrack_find_get (v3)

2014-01-29 Thread Pablo Neira Ayuso
: Florian Westphal f...@strlen.de Cc: Pablo Neira Ayuso pa...@netfilter.org Cc: Patrick McHardy ka...@trash.net Cc: Jozsef Kadlecsik kad...@blackhole.kfki.hu Cc: David S. Miller da...@davemloft.net Cc: Cyrill Gorcunov gorcu...@openvz.org Signed-off-by: Andrey Vagin ava...@openvz.org

Re: [PATCH RESEND] netfilter: remove unused variable

2014-01-03 Thread Pablo Neira Ayuso
On Wed, Jan 01, 2014 at 06:27:19AM +0100, Michal Nazarewicz wrote: The nfmsg variable is not used (except in sizeof operator which does not care about its value) between the first and second time it is assigned the value. Furthermore, nlmsg_data has no side effects, so the assignment can be

Re: [PATCH] netlink: simplify nfnetlink_bind

2014-03-24 Thread Pablo Neira Ayuso
On Fri, Mar 21, 2014 at 12:44:09PM -0400, Richard Guy Briggs wrote: Remove duplicity and simplify code flow by moving the rcu_read_unlock() above the condition and let the flow control exit naturally at the end of the function. Signed-off-by: Richard Guy Briggs r...@redhat.com ---

Re: [PATCH 2/5] netfilter: Fix format string mismatch in mangle_content_len()

2014-04-29 Thread Pablo Neira Ayuso
On Tue, Apr 29, 2014 at 03:21:21PM +0100, Patrick McHardy wrote: On Tue, Apr 01, 2014 at 12:43:36AM +0900, Masanari Iida wrote: Fix format string mismatch in mangle_connect_len() All these patches seem like pointless noise to me. In none of these cases can the value legitimately be

Re: [PATCH] [RFC] netfilter: ct: flush net_gre->keymap_list only in nf_conntrack_proto_gre

2014-04-07 Thread Pablo Neira Ayuso
On Mon, Mar 31, 2014 at 06:14:18PM +0400, Andrey Vagin wrote: nf_ct_gre_keymap_flush() removes a nf_ct_gre_keymap object from net_gre->keymap_list and frees the object. But it doesn't clean a reference on this object from ct_pptp_info->keymap[dir]. Then nf_ct_gre_keymap_destroy() may release the

Re: [PATCH] [RFC] netfilter: ct: flush net_gre->keymap_list only in nf_conntrack_proto_gre

2014-04-08 Thread Pablo Neira Ayuso
On Tue, Apr 08, 2014 at 10:56:00AM +0400, Andrew Vagin wrote: On Mon, Apr 07, 2014 at 04:51:58PM +0200, Pablo Neira Ayuso wrote: On Mon, Mar 31, 2014 at 06:14:18PM +0400, Andrey Vagin wrote: nf_ct_gre_keymap_flush() removes a nf_ct_gre_keymap object from net_gre->keymap_list and frees

Re: [PATCH] netfilter: conntrack: initialize net.ct.generation

2014-04-14 Thread Pablo Neira Ayuso
On Sat, Apr 12, 2014 at 04:58:18PM -0400, David Miller wrote: From: Andrey Vagin ava...@openvz.org Date: Fri, 11 Apr 2014 21:34:20 +0400 [ 251.920788] INFO: trying to register non-static key. I'll let Pablo integrate this. Applied, thanks.

Re: [PATCH] netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (v3)

2014-03-30 Thread Pablo Neira Ayuso
On Fri, Mar 28, 2014 at 01:54:32PM +0400, Andrey Vagin wrote: len contains sizeof(nf_ct_ext) and size of extensions. In a worst case it can contain all extensions. Below you can find sizes for all types of extensions. Their sum is definitely bigger than 256. nf_ct_ext_types[0]->len = 24

Re: [netlink] WARNING: at mm/vmalloc.c:1487 __vunmap()

2013-06-27 Thread Pablo Neira Ayuso
Hi Eric, Thanks for looking into this. On Wed, Jun 26, 2013 at 05:42:38AM -0700, Eric Dumazet wrote: [...] Nope there are several issues : 1) bug in netlink_alloc_large_skb() because it doesn't account for sizeof(struct skb_shared_info) overhead and initialization. Indeed, I can send a fix

Re: [PATCH 1/1] net/netfilter/nf_conntrack_netlink.c: remove null test before kfree

2014-06-25 Thread Pablo Neira Ayuso
On Fri, Jun 20, 2014 at 10:38:58PM +0200, Fabian Frederick wrote: Fix checkpatch warning: WARNING: kfree(NULL) is safe this check is probably not required Applied, thanks.

Re: net/netfilter/xt_LOG.c:43: error: format not a string literal and no format arguments

2014-06-30 Thread Pablo Neira Ayuso
Neira Ayuso 2014-06-18 42 nf_log_packet(net, par->family, par->hooknum, skb, par->in, par->out, fab4085f Pablo Neira Ayuso 2014-06-18 @43 li, loginfo->prefix); This needs to be: nf_log_packet(net, par->family, par->hooknum, skb, par->in, par->out, li

Re: [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-28 Thread Pablo Neira Ayuso
On Sat, Jul 26, 2014 at 10:41:04PM -0700, Alexei Starovoitov wrote: On Fri, Jul 25, 2014 at 3:17 PM, Pablo Neira Ayuso pa...@netfilter.org wrote: The struct sk_filter is almost providing the generic framework, it just needs to be generalized, a quick layout for it: struct sk_filter

Re: [PATCH v3 net-next] net: filter: cleanup sk_* and bpf_* names

2014-07-29 Thread Pablo Neira Ayuso
On Mon, Jul 28, 2014 at 11:29:40PM -0700, Alexei Starovoitov wrote: clean up names related to socket filtering and bpf in the following way: - everything that deals with sockets keeps 'sk_*' prefix - everything that is pure BPF is changed to 'bpf_*' prefix API for attaching classic BPF to a

Re: [PATCH v3 net-next] net: filter: cleanup sk_* and bpf_* names

2014-07-29 Thread Pablo Neira Ayuso
On Tue, Jul 29, 2014 at 08:55:04AM -0700, Alexei Starovoitov wrote: I don't think this is the right moment to add this, but we have to keep in mind that something similar to this will need to be accommodated in struct sk_filter at some point to avoid sloppy changes that may result in

Re: [PATCH V2 1/1] netfilter/jump_label: HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL

2014-08-25 Thread Pablo Neira Ayuso
On Fri, Aug 22, 2014 at 10:40:15AM +0800, Zhouyi Zhou wrote: Use HAVE_JUMP_LABEL as elsewhere in the kernel to ensure that the toolchain has the required support in addition to CONFIG_JUMP_LABEL being set. Applied, thanks.

Re: [PATCH v4 net-next 5/5] net: filter: split 'struct sk_filter' into socket and bpf parts

2014-07-31 Thread Pablo Neira Ayuso
On Wed, Jul 30, 2014 at 08:34:16PM -0700, Alexei Starovoitov wrote: clean up names related to socket filtering and bpf in the following way: - everything that deals with sockets keeps 'sk_*' prefix - everything that is pure BPF is changed to 'bpf_*' prefix split 'struct sk_filter' into

Re: [PATCH v4 net-next 5/5] net: filter: split 'struct sk_filter' into socket and bpf parts

2014-08-01 Thread Pablo Neira Ayuso
On Thu, Jul 31, 2014 at 02:02:19PM -0700, Alexei Starovoitov wrote: On Thu, Jul 31, 2014 at 12:40 PM, Pablo Neira Ayuso pa...@netfilter.org wrote: On Wed, Jul 30, 2014 at 08:34:16PM -0700, Alexei Starovoitov wrote: clean up names related to socket filtering and bpf in the following way

Re: [PATCH v4 net-next 5/5] net: filter: split 'struct sk_filter' into socket and bpf parts

2014-08-01 Thread Pablo Neira Ayuso
On Fri, Aug 01, 2014 at 09:50:31AM -0700, Alexei Starovoitov wrote: On Fri, Aug 1, 2014 at 9:06 AM, Pablo Neira Ayuso pa...@netfilter.org wrote: On Thu, Jul 31, 2014 at 02:02:19PM -0700, Alexei Starovoitov wrote: On Thu, Jul 31, 2014 at 12:40 PM, Pablo Neira Ayuso pa...@netfilter.org wrote

Re: [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 01:25:35PM +0200, Daniel Borkmann wrote: [ also Cc'ing Willem, Pablo ] On 07/25/2014 10:04 AM, Alexei Starovoitov wrote: 'sk_filter' name is used as 'struct sk_filter', function sk_filter() and as variable 'sk_filter', which makes code hard to read. Also it's easily

Re: [PATCH] netfilter: nf_conntrack: remove exceptional on function name

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 01:47:16AM +0530, Himangi Saraogi wrote: In this file, function names are otherwise used as pointers without . A simplified version of the Coccinelle semantic patch that makes this change is as follows: // smpl @r@ identifier f; @@ f(...) { ... } @@

Re: [PATCH] [linux-next] netfilter: kill remnants of ulog targets

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 02:25:31PM +0200, Paul Bolle wrote: The ulog targets were recently killed. A few references to the Kconfig macros CONFIG_IP_NF_TARGET_ULOG and CONFIG_BRIDGE_EBT_ULOG were left untouched. Kill these too. Those were my fault, applied, thanks Paul.

Re: [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 10:24:29AM -0700, Alexei Starovoitov wrote: On Fri, Jul 25, 2014 at 6:00 AM, Daniel Borkmann dbork...@redhat.com wrote: On 07/25/2014 01:54 PM, Pablo Neira Ayuso wrote: On Fri, Jul 25, 2014 at 01:25:35PM +0200, Daniel Borkmann wrote: [ also Cc'ing Willem, Pablo

Re: [PATCH net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 02:50:32PM -0400, Willem de Bruijn wrote: On Fri, Jul 25, 2014 at 2:43 PM, Alexei Starovoitov a...@plumgrid.com wrote: On Fri, Jul 25, 2014 at 11:32 AM, Willem de Bruijn will...@google.com wrote: This follows a convention in include/uapi/linux/netfilter/*.h that

Re: [PATCH v2 net-next] net: filter: rename 'struct sk_filter' to 'struct bpf_prog'

2014-07-26 Thread Pablo Neira Ayuso
On Fri, Jul 25, 2014 at 12:11:09PM -0700, Alexei Starovoitov wrote: 'sk_filter' name is used as 'struct sk_filter', function sk_filter() and as variable 'sk_filter', which makes code hard to read. Also it's easily confused with 'struct sock_filter' Rename 'struct sk_filter' to 'struct

Re: [PATCH 4/5] netfilter: nf_tables: fix error return code

2014-08-11 Thread Pablo Neira Ayuso
On Thu, Aug 07, 2014 at 02:49:08PM +0200, Julia Lawall wrote: From: Julia Lawall julia.law...@lip6.fr Convert a zero return value on error to a negative one, as returned elsewhere in the function. Applied, thanks Julia.

Re: [GIT] Networking

2014-10-20 Thread Pablo Neira Ayuso
On Sun, Oct 19, 2014 at 09:03:14PM -0400, David Miller wrote: From: Linus Torvalds torva...@linux-foundation.org Date: Sun, 19 Oct 2014 17:32:15 -0700 Looks like the module license issue was just overlooked when moving the code out in commit c8d7b98bec43 (netfilter: move nf_send_resetX()

Re: [PATCH] netfilter: xt_hashlimit: Enhance the xt_hashlimit to avoid duplicated codes

2014-10-21 Thread Pablo Neira Ayuso
On Tue, Oct 21, 2014 at 11:23:16PM +0800, Feng Gao wrote: Hi all, Enhance the functions dsthash_alloc_init and hashlimit_mt in file xt_hashlimit.c to avoid two duplicated codes following: - dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); - rateinfo_recalc(dh,

Re: [PATCH v10 net-next 2/2] net: filter: split filter.h and expose eBPF to user space

2014-09-06 Thread Pablo Neira Ayuso
On Thu, Sep 04, 2014 at 10:17:18PM -0700, Alexei Starovoitov wrote: allow user space to generate eBPF programs uapi/linux/bpf.h: eBPF instruction set definition linux/filter.h: the rest This patch only moves macro definitions, but practically it freezes existing eBPF instruction set,

Re: [PATCH v10 net-next 2/2] net: filter: split filter.h and expose eBPF to user space

2014-09-07 Thread Pablo Neira Ayuso
On Sat, Sep 06, 2014 at 09:04:23AM -0700, Alexei Starovoitov wrote: On Sat, Sep 6, 2014 at 7:10 AM, Pablo Neira Ayuso pa...@netfilter.org wrote: On Thu, Sep 04, 2014 at 10:17:18PM -0700, Alexei Starovoitov wrote: allow user space to generate eBPF programs uapi/linux/bpf.h: eBPF

Re: [PATCH] netfilter: xtables: Remove unnecessary initialization of struct ts_state

2014-09-09 Thread Pablo Neira Ayuso
On Mon, Sep 08, 2014 at 09:51:12AM +0200, Bojan Prtvar wrote: The skb_find_text() accepts uninitialized textsearch state variable. Applied, thanks.

Re: [PATCH 1/1] bridge: Fix NAT66ed IPv6 packets not being bridged correctly

2014-10-03 Thread Pablo Neira Ayuso
Hi Bernhard, Sorry for taking a bit to get back to you with feedback. We've been discussing recently some changes in br_netfilter. Basically, to modularize it [1] and this has taken a while. Regarding your change. Sven Eckelmann (CC'ed in this email) sent a RFC out of the merge window that have

Re: [PATCH] netfilter: fix nf_conn_nat->masq_index visibility

2014-09-30 Thread Pablo Neira Ayuso
On Tue, Sep 30, 2014 at 01:27:50PM +0200, Arnd Bergmann wrote: A recent change introduced the NF_NAT_MASQUERADE_IPV4/6 symbols and now builds the masquerading code based on this symbol rather than the IP_NF_TARGET_MASQUERADE symbol, however the nf_nat.h header file still uses the old symbol,

Re: [PATCH 1/1] netfilter: Deletion of unnecessary checks before two function calls

2014-11-19 Thread Pablo Neira Ayuso
On Tue, Nov 18, 2014 at 08:47:31PM +0100, SF Markus Elfring wrote: From: Markus Elfring elfr...@users.sourceforge.net Date: Tue, 18 Nov 2014 20:37:05 +0100 The functions free_percpu() and module_put() test whether their argument is NULL and then return immediately. Thus the test around the
