Hi,
I have placed this patch in the nf-next tree to be included in the
next pull request.
Thanks.
Hi,
On Thu, Apr 25, 2024 at 06:28:40PM +0200, Ismael Luceno wrote:
> It was observed in the wild that pairs of consecutive packets would leave
> the IPVS with the same wrong checksum, and the issue only went away when
> disabling GSO.
>
> IPVS needs to avoid computing the SCTP checksum when using
On Sun, Apr 21, 2024 at 04:22:32PM +0200, Ismael Luceno wrote:
> It was observed in the wild that pairs of consecutive packets would leave
> the IPVS with the same wrong checksum, and the issue only went away when
> disabling GSO.
>
> IPVS needs to avoid computing the SCTP checksum when using GSO.
On Mon, Jan 15, 2024 at 05:39:22PM +0300, Fedor Pchelkin wrote:
> Inside decrement_ttl() upon discovering that the packet ttl has exceeded,
> __IP_INC_STATS and __IP6_INC_STATS macros can be called from preemptible
> context having the following backtrace:
>
> check_preemption_disabled: 48 callbac
On Sun, Apr 18, 2021 at 09:02:12PM -0400, Valdis Klētnieks wrote:
> While doing some code auditing for -Woverride_init, I spotted some
> questionable code
>
> commit 502e84e2382d92654a2ecbc52cdbdb5a11cdcec7
> Author: Felix Fietkau
> Date: Wed Mar 24 02:30:54 2021 +0100
>
> net: ethernet:
On Mon, Apr 12, 2021 at 03:04:16PM +1000, Stephen Rothwell wrote:
> Hi all,
>
> After merging the net-next tree, today's linux-next build (x86_64
> allmodconfig) failed like this:
>
> In file included from include/asm-generic/bug.h:20,
> from arch/x86/include/asm/bug.h:93,
>
On Wed, Mar 31, 2021 at 04:53:10PM -0400, Richard Guy Briggs wrote:
> On 2021-03-31 22:22, Pablo Neira Ayuso wrote:
> > On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> > > Reduce logging of nftables events to a level similar to iptables.
> > > Rest
On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> @@ -8006,12 +7966,65 @@ static void nft_commit_notify(struct net *net, u32
> portid)
> WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
> }
>
> +static int nf_tables_commit_audit_alloc(struct list_head *adl,
> +
's a UAF, Florian reported. I'm attaching an incremental fix.
nf_tables_commit_audit_collect() refers to the trans object which
might have been already released.
commit e4d272948d25b66d86fc241cefd95281bfb1079e
Author: Pablo Neira Ayuso
Date: Wed Mar 31 22:19:51 2021 +0200
netfilter: nf_
On Wed, Mar 31, 2021 at 03:26:06PM +0100, Colin King wrote:
> From: Colin Ian King
>
> Currently the call to nf_log_register is returning an error code that
> is not being assigned to ret and yet ret is being checked. Fix this by
> adding in the missing assignment.
Applied, thanks.
On Sun, Mar 28, 2021 at 09:30:49PM +0200, Jozsef Kadlecsik wrote:
> On Sat, 27 Mar 2021, Wan Jiabing wrote:
>
> > struct ip_set is declared twice. One is declared at 79th line,
> > so remove the duplicate.
>
> Yes, it's a duplicate. Pablo, could you apply it?
Applied, thanks Jozsef.
On Sun, Mar 28, 2021 at 08:50:45PM -0400, Paul Moore wrote:
[...]
> Netfilter folks, were you planning to pull this via your tree/netdev
> or would you like me to merge this via the audit tree? If the latter,
> I would appreciate it if I could get an ACK from one of you; if the
> former, my ACK is
On Mon, Mar 22, 2021 at 04:49:04PM -0400, Richard Guy Briggs wrote:
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index c1eb5cdb3033..42ba44890523 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
[...]
> @@ -8006,12 +7938,47 @@ stat
On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.
>
> A couple of sample ev
On Thu, Mar 11, 2021 at 01:55:59PM +0800, YueHaibing wrote:
> commit e97c3e278e95 ("tproxy: split off ipv6 defragmentation to a separate
> module") left behind this.
Applied, thanks.
On Fri, Mar 05, 2021 at 02:42:09AM -0600, Gustavo A. R. Silva wrote:
> In preparation to enable -Wimplicit-fallthrough for Clang, fix multiple
> warnings by explicitly adding multiple break statements instead of just
> letting the code fall through to the next case.
Applied to nf-next, thanks.
On Mon, Mar 08, 2021 at 02:24:10PM +1300, Mark Tomlinson wrote:
> The patches to change to using RCU synchronization in x_tables cause
> updating tables to be slowed down by an order of magnitude. This has
> been tried before, see https://lore.kernel.org/patchwork/patch/151796/
> and ultimately was
On Sun, Mar 14, 2021 at 10:30:55AM +, David R wrote:
> I attempted to upgrade my home server to 5.11 today. The system panics
> soon after boot with the following :-
>
> In iptables by the looks of the stack.
>
> 5.10.23 works fine.
>
> Can provide config (and boot logs from 5.10.23) if requ
On Mon, Feb 22, 2021 at 08:00:00AM +, Dmitry V. Levin wrote:
> Apparently, and
> could not be included into the same
> compilation unit because of a cut-and-paste typo in the former header.
Applied, thanks.
On Thu, Feb 04, 2021 at 12:04:21AM +0100, Pablo Neira Ayuso wrote:
> On Thu, Jan 28, 2021 at 05:59:23PM +, Colin King wrote:
> > From: Colin Ian King
> >
> > The variable err is being assigned a value that is never read,
> > the same error number is being r
On Thu, Jan 28, 2021 at 05:59:23PM +, Colin King wrote:
> From: Colin Ian King
>
> The variable err is being assigned a value that is never read,
> the same error number is being returned at the error return
> path via label err1. Clean up the code by removing the assignment.
Applied to nf,
On Sat, Jan 09, 2021 at 08:01:21PM +0800, Dinghao Liu wrote:
> When register_pernet_subsys() fails, nf_nat_bysource
> should be freed just like when nf_ct_extend_register()
> fails.
Applied, thanks.
On Tue, Jan 05, 2021 at 11:31:20PM +0800, Chen Yi wrote:
> Fix nft_conntrack_helper.sh false fail report:
>
> 1) Conntrack tool needs "-f ipv6" parameter to show out ipv6 traffic items.
>
> 2) Sleep 1 second after background nc send packet, to make sure check
> is after this statement executed.
>
Please, Cc netfilter-de...@vger.kernel.org, and a few more comments
below.
On Mon, Jan 04, 2021 at 07:07:23PM +0800, Yi Chen wrote:
> From: yiche
>
> Fix nft_conntrack_helper.sh fake fail:
> conntrack tool need "-f ipv6" parameter to show out ipv6 traffic items.
> sleep 1 second after background
On Mon, Dec 14, 2020 at 11:40:15PM +, Colin King wrote:
> From: Colin Ian King
>
> The intention of the err_expr cleanup path is to iterate over the
> allocated expr_array objects and free them, starting from i - 1 and
> working down to the start of the array. Currently the loop counter
> is
On Tue, Dec 15, 2020 at 03:38:30PM +0100, Pablo Neira Ayuso wrote:
> Hi,
>
> On Mon, Dec 14, 2020 at 11:40:15PM +, Colin King wrote:
> > From: Colin Ian King
> >
> > The intention of the err_expr cleanup path is to iterate over the
> > allocated expr_arra
op")
> Fixes: 8cfd9b0f8515 ("netfilter: nftables: generalize set expressions
> support")
> Signed-off-by: Colin Ian King
Reviewed-by: Pablo Neira Ayuso
@Jakub: Would you please take this one into net-next? Thanks!
> ---
> net/netfilter/nf_tables_api.c | 4 ++--
On Fri, Nov 06, 2020 at 04:20:13PM +0800, xiakaixu1...@gmail.com wrote:
> From: Kaixu Xia
>
> Here we could use the '!=' expression to fix the following coccicheck
> warning:
>
> ./net/netfilter/xt_nfacct.c:30:41-46: WARNING: conversion to bool not needed
> here
Applied.
On Tue, Nov 24, 2020 at 08:09:19PM +0200, Julian Anastasov wrote:
>
> Hello,
>
> On Tue, 24 Nov 2020, Wang Hai wrote:
>
> > kmemleak reports a memory leak as follows:
> >
> > BUG: memory leak
> > unreferenced object 0x8880759ea000 (size 256):
> > backtrace:
> > [] kme
On Sun, Nov 22, 2020 at 02:51:18PM +, Alexander Lobakin wrote:
> From: Pablo Neira Ayuso
> Date: Sun, 22 Nov 2020 12:42:19 +0100
>
> > On Sun, Nov 22, 2020 at 10:26:16AM +, Alexander Lobakin wrote:
> >> From: Pablo Neira Ayuso
> >> Date
On Tue, Nov 17, 2020 at 10:57:52PM +0200, Julian Anastasov wrote:
>
> Hello,
>
> On Mon, 16 Nov 2020, Yejune Deng wrote:
>
> > atomic_inc_return() looks better
> >
> > Signed-off-by: Yejune Deng
>
> Looks good to me for -next, thanks!
>
> Acked-by: Julian Anastasov
Applied, tha
On Sun, Nov 22, 2020 at 10:26:16AM +, Alexander Lobakin wrote:
> From: Pablo Neira Ayuso
> Date: Fri, 20 Nov 2020 13:49:12 +0100
[...]
> > Something like this:
> >
> >
ches files, but
> > not directories.
> >
> > Rectify the patterns to match the intended directories.
> []
> diff --git a/MAINTAINERS b/MAINTAINERS
> []
> > @@ -12139,10 +12139,10 @@ W:http://www.nftables.org/
> > Q: http://patchwork.ozlabs.org/project/
On Mon, Nov 09, 2020 at 10:19:42AM +0100, Lukas Bulwahn wrote:
> The two file patterns in the NETFILTER section:
>
> F: include/linux/netfilter*
> F: include/uapi/linux/netfilter*
>
> intended to match the directories:
>
> ./include{/uapi}/linux/netfilter_{arp,bridge,ipv4,ipv6}
>
Casey Schaufler
> Cc: net...@vger.kernel.org
> Cc: netfilter-de...@vger.kernel.org
You can carry this tag in your follow up patches.
Acked-by: Pablo Neira Ayuso
Thanks.
> ---
> net/netfilter/nfnetlink_queue.c | 37 +
> 1 file changed, 14 insertions(+
Some HID devices don't use a report ID because they only have a single
report. In those cases, the report ID in struct hid_report will be zero
and the data for the report will start at the first byte, so don't skip
over the first byte.
Signed-off-by: Pablo Ceballos
---
drivers/hid/
On 2/11/20 11:07, Maxime Ripard wrote:
Hi,
On Sat, Oct 31, 2020 at 09:34:15PM -0300, Pablo Greco wrote:
The Ethernet PHY on the Bananapi M1 has the RX and TX delays enabled on
the PHY, using pull-ups on the RXDLY and TXDLY pins.
Fix the phy-mode description to correctly reflect this so that
Ethernet PHY on BananaPi M2 Berry provides RX and TX delays. Fix ethernet
node to reflect that fact.
Fixes: 27e81e1970a8 ("ARM: dts: sun8i: v40: bananapi-m2-berry: Enable GMAC
ethernet controller")
Signed-off-by: Pablo Greco
---
arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts | 2
3.3 V in order to fix this.
Fixes: 23edc168bd98 ("ARM: dts: sun8i: Add board dts file for Banana Pi M2
Berry")
Fixes: 27e81e1970a8 ("ARM: dts: sun8i: v40: bananapi-m2-berry: Enable GMAC
ethernet controller")
Signed-off-by: Pablo Greco
---
arch/arm/boot/dts/sun8i-v40-banana
("net: phy: realtek: fix rtl8211e
rx/tx delay config").
Fixes: 8a5b272fbf44 ("ARM: dts: sun7i: Add Banana Pi board")
Signed-off-by: Pablo Greco
---
arch/arm/boot/dts/sun7i-a20-bananapi.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/sun7i
Ethernet PHY on BananaPi M2 Berry provides RX and TX delays. Fix ethernet
node to reflect that fact.
Fixes: 27e81e1970a8 ("ARM: dts: sun8i: v40: bananapi-m2-berry: Enable GMAC
ethernet controller")
Signed-off-by: Pablo Greco
---
arch/arm/boot/dts/sun8i-v40-bananapi-m2-berry.dts | 2
("net: phy: realtek: fix rtl8211e
rx/tx delay config").
Fixes: 8a5b272fbf44 ("ARM: dts: sun7i: Add Banana Pi board")
Signed-off-by: Pablo Greco
---
arch/arm/boot/dts/sun7i-a20-bananapi.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/sun7i
3.3 V in order to fix this.
Fixes: 23edc168bd98 ("ARM: dts: sun8i: Add board dts file for Banana Pi M2
Berry")
Fixes: 27e81e1970a8 ("ARM: dts: sun8i: v40: bananapi-m2-berry: Enable GMAC
ethernet controller")
Signed-off-by: Pablo Greco
---
arch/arm/boot/dts/sun8i-v40-banana
On Thu, Oct 29, 2020 at 12:02:41PM +0100, Greg KH wrote:
> On Tue, Oct 27, 2020 at 09:19:22AM +0100, Pablo Neira Ayuso wrote:
> > Hi Greg,
> >
> > On Tue, Oct 27, 2020 at 07:21:11AM +0100, Greg KH wrote:
> > > On Sun, Oct 25, 2020 at 04:31:57PM -0700, Saeed Mirzam
Hi Greg,
On Tue, Oct 27, 2020 at 07:21:11AM +0100, Greg KH wrote:
> On Sun, Oct 25, 2020 at 04:31:57PM -0700, Saeed Mirzamohammadi wrote:
> > Adding stable.
>
> What did that do?
Saeed is requesting that stable maintainers cherry-pick this patch:
31cc578ae2de ("netfilter: nftables_offload: KAS
On Wed, Sep 30, 2020 at 08:08:02AM +0300, Julian Anastasov wrote:
>
> Hello,
>
> On Mon, 28 Sep 2020, longguang.yue wrote:
>
> > Outputting client,virtual,dst addresses info when tcp state changes,
> > which makes the connection debug more clear
> >
> > Signed-off-by: longguang.yue
>
>
On Wed, Oct 07, 2020 at 12:32:52PM -0700, Francesco Ruggeri wrote:
> If the first packet conntrack sees after a re-register is an outgoing
> keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to
> SND.NXT-1.
> When the peer correctly acknowledges SND.NXT, tcp_in_window fails
> check
e expr->ops that fixes the slab-out-of-bounds Read issue.
Add nft_expr_more() and use it to fix this problem.
Signed-off-by: Saeed Mirzamohammadi
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 6 ++
net/netfilter/nf_tables_api.c | 6 +++---
net/netfilter/n
On Wed, Oct 14, 2020 at 02:06:28AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 09, 2020 at 10:05:48PM +0200, Florian Westphal wrote:
> > Jozsef Kadlecsik wrote:
> > > > The "delay unregister" remark was wrt. the "all rules were deleted"
> > > > >
On Fri, Oct 09, 2020 at 10:05:48PM +0200, Florian Westphal wrote:
> Jozsef Kadlecsik wrote:
> > > The "delay unregister" remark was wrt. the "all rules were deleted"
> > > case, i.e. add a "grace period" rather than acting right away when
> > > conntrack use count did hit 0.
> >
> > Now I underst
On Fri, Sep 18, 2020 at 09:17:29PM +0800, YueHaibing wrote:
> commit 9a32669fecfb ("netfilter: nf_tables_offload: support indr block call")
> left behind this.
Applied.
ibing
>
> Thanks, this looks good to me.
>
> Acked-by: Simon Horman
>
> Pablo, please consider this for nf-next.
Applied, thanks.
On Fri, Sep 04, 2020 at 08:56:53PM +0800, Wang Hai wrote:
> BPDU_TYPE_TCN is never used after it was introduced.
> So better to remove it.
Applied, thanks.
On Mon, Aug 31, 2020 at 08:12:05PM +0300, Julian Anastasov wrote:
>
> Hello,
>
> On Sat, 29 Aug 2020, Yaroslav Bolyukin wrote:
>
> > This dependency was added because ipv6_find_hdr was in iptables specific
> > code but is no longer required
> >
> > Fixes: f8f626754ebe ("ipv6: Move ipv6_fi
On Fri, Aug 28, 2020 at 02:14:48PM -0400, Tong Zhang wrote:
> Hi Pablo,
> I'm not an expert in this networking stuff.
> But from my point of view there's no point in checking if this
> condition is always true.
Understood.
> There's also no need
On Sat, Aug 15, 2020 at 12:50:30PM -0400, Tong Zhang wrote:
> ct_sip_parse_numerical_param can only return 0 or 1, but the caller is
> checking parsing error using < 0
Is this a real issue in your setup or probably some static analysis
tool is reporting?
You are right that ct_sip_parse_numerica
On Thu, Aug 27, 2020 at 10:08:13PM +0800, YueHaibing wrote:
> Use ip_is_fragment() to simplify code.
Applied.
On Tue, Aug 11, 2020 at 03:46:40AM -0400, Peilin Ye wrote:
> do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> zero. Fix it.
Applied to nf-next, thanks.
On Fri, Aug 28, 2020 at 06:45:51PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > Hi Will,
> >
> > Given this is for -stable maintainers only, I'd suggest:
> >
> > 1) Specify what -stable kernel versions this patch applies to.
> >
Hi Will,
Given this is for -stable maintainers only, I'd suggest:
1) Specify what -stable kernel versions this patch applies to.
Explain that this problem is gone since what kernel version.
2) Maybe clarify that this is only for stable in the patch subject,
e.g. [PATCH -stable v3] netfilte
ovolt = <330>;
+ regulator-name = "vcc-3v3";
};
®_dcdc2 {
Should this be done also for the bananapi-m2-berry? It is basically the
same device
sun8i-v40-bananapi-m2-berry.dts
Pablo
sted-by: Julian Anastasov
> > > Signed-off-by: Peilin Ye
> >
> > Looks good to me, thanks!
> >
> > Acked-by: Julian Anastasov
>
> Pablo, could you consider this for nf-next or should we repost when
> net-next re-opens?
No worries, it will sit in netfilter's patchwork until net-next
reopens.
On Sun, Aug 09, 2020 at 08:28:01PM +0200, Florian Westphal wrote:
> WARNING: CPU: 1 PID: 16059 at lib/refcount.c:31
> refcount_warn_saturate+0xdf/0xf
> [..]
> __nft_mt_tg_destroy+0x42/0x50 [nft_compat]
> nft_target_destroy+0x63/0x80 [nft_compat]
> nf_tables_expr_destroy+0x1b/0x30 [nf_tables]
>
Hi,
This patch is much smaller and if you confirm this addresses the
issue, then this is awesome.
On Mon, Aug 03, 2020 at 06:31:56PM +, William Mcvicker wrote:
[...]
> diff --git a/net/netfilter/nf_conntrack_netlink.c
> b/net/netfilter/nf_conntrack_netlink.c
> index 31fa94064a62..56d310f8b2
Hi William,
On Fri, Jul 31, 2020 at 12:26:11AM +, William Mcvicker wrote:
> Hi Pablo,
>
> Yes, I believe this oops is only triggered by userspace when the user
> specifically passes in an invalid nf_nat_l3protos index. I'm happy to re-work
> the patch
Hi Will,
On Mon, Jul 27, 2020 at 05:57:20PM +, Will McVicker wrote:
> The indexes to the nf_nat_l[34]protos arrays come from userspace. So we
> need to make sure that before indexing the arrays, we verify the index
> is within the array bounds in order to prevent an OOB memory access.
> Here i
Applied, thanks.
On Sat, Jul 25, 2020 at 07:02:25PM +0200, Alexander A. Klimov wrote:
> Rationale:
> Reduces attack surface on kernel devs opening the links for MITM
> as HTTPS traffic is much harder to manipulate.
Applied.
On Sun, Jul 19, 2020 at 01:52:02PM +0200, Alexander A. Klimov wrote:
> Rationale:
> Reduces attack surface on kernel devs opening the links for MITM
> as HTTPS traffic is much harder to manipulate.
LGTM.
Can you squash this patch into this?
netfilter: xtables: Replace HTTP links with HTTPS ones
On Wed, Jul 08, 2020 at 03:09:39PM -0500, Gustavo A. R. Silva wrote:
> Replace the existing /* fall through */ comments and its variants with
> the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary
> fall-through markings when it is the case.
Applied, thanks.
On Tue, Jul 07, 2020 at 02:47:17PM -0500, Gustavo A. R. Silva wrote:
> Replace the existing /* fall through */ comments and its variants with
> the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary
> fall-through markings when it is the case.
I suggest:
netfilter: Use fall
Hi Gaurav,
On Wed, Jun 24, 2020 at 10:36:25PM -0400, Gaurav Singh wrote:
> ah cannot be NULL since it's already checked above after
> assignment and is being dereferenced before in pr().
> Remove the redundant null check.
Could you collapse all your patches into one?
They look like the same logic
On Wed, Jun 24, 2020 at 08:34:23AM -0400, Richard Guy Briggs wrote:
> On 2020-06-24 12:03, Pablo Neira Ayuso wrote:
> > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote:
[...]
> > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables
On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote:
> iptables, ip6tables, arptables and ebtables table registration,
> replacement and unregistration configuration events are logged for the
> native (legacy) iptables setsockopt api, but not for the
> nftables netlink api which is u
On Mon, Jun 22, 2020 at 01:37:09PM +0200, Jan Engelhardt wrote:
>
> On Monday 2020-06-15 01:34, Alexander A. Klimov wrote:
> >>
> >> A header file rename is no problem. We even have dummy headers
> > Hmm.. if I understand all of you correctly, David, Stefano, Pablo
On Sun, Jun 14, 2020 at 11:08:08PM +0200, Jan Engelhardt wrote:
>
> On Sunday 2020-06-14 22:19, David Howells wrote:
> >Alexander A. Klimov wrote:
> >
> >> *Is it a good idea to rename files in include/uapi/ ?*
> >
> >Very likely not. If programs out there are going to be built on a
> >case-sens
On Tue, Jun 09, 2020 at 02:58:12PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:7ae77150 Merge tag 'powerpc-5.8-1' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=128a9df210
> kernel
On Tue, Jun 09, 2020 at 02:58:12PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:7ae77150 Merge tag 'powerpc-5.8-1' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1741f5f210
> kernel
On Wed, May 27, 2020 at 01:10:39AM -0700, Nathan Chancellor wrote:
> Clang warns:
>
> net/netfilter/nf_conntrack_core.c:2068:21: warning: variable 'ctinfo' is
> uninitialized when used here [-Wuninitialized]
> nf_ct_set(skb, ct, ctinfo);
>^~
> net/netfilter/
On Thu, Apr 30, 2020 at 11:30:48PM +0200, Arnd Bergmann wrote:
> gcc-10 warns around a suspicious access to an empty struct member:
>
> net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc':
> net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is
> outside the bo
On Wed, Apr 29, 2020 at 09:00:41PM +0200, Arnd Bergmann wrote:
> gcc-10 points out that a code path exists where a pointer to a stack
> variable may be passed back to the caller:
>
> net/netfilter/nfnetlink_osf.c: In function 'nf_osf_hdr_ctx_init':
> cc1: warning: function may return address of lo
ink:
> https://lore.kernel.org/lkml/CAHk-=wiAsJLw1egFEE=z7-ggtm6wcvtyytxza1+bhqta4gg...@mail.gmail.com/
> Reported-by: Linus Torvalds
> Signed-off-by: Paul E. McKenney
> Cc: Pablo Neira Ayuso
> Cc: Jozsef Kadlecsik
> Cc: Florian Westphal
> Cc: "David S. Miller"
>
On Tue, Sep 24, 2019 at 07:40:06AM +0900, Masahiro Yamada wrote:
> When CONFIG_UAPI_HEADER_TEST=y, exported headers are compile-tested to
> make sure they can be included from user-space.
>
> Currently, linux/netfilter_bridge/ebtables.h is excluded from the test
> coverage. To make it join the com
On Sun, Sep 22, 2019 at 08:49:11PM +0900, Masahiro Yamada wrote:
> Hi Pablo,
>
> On Sun, Sep 22, 2019 at 4:13 PM Pablo Neira Ayuso wrote:
> >
> > On Sun, Sep 22, 2019 at 09:11:11AM +0200, Pablo Neira Ayuso wrote:
> > > On Sat, Sep 21, 2019 at 10:46:48PM +0900, Masah
On Sun, Sep 22, 2019 at 09:11:11AM +0200, Pablo Neira Ayuso wrote:
> On Sat, Sep 21, 2019 at 10:46:48PM +0900, Masahiro Yamada wrote:
> > When CONFIG_UAPI_HEADER_TEST=y, exported headers are compile-tested to
> > make sure they can be included from user-space.
> >
On Sat, Sep 21, 2019 at 10:46:48PM +0900, Masahiro Yamada wrote:
> When CONFIG_UAPI_HEADER_TEST=y, exported headers are compile-tested to
> make sure they can be included from user-space.
>
> Currently, linux/netfilter_bridge/ebtables.h is excluded from the test
> coverage. To make it join the com
On Sat, Sep 07, 2019 at 08:41:22PM +0200, Arnd Bergmann wrote:
> On Sat, Sep 7, 2019 at 8:07 PM Pablo Neira Ayuso wrote:
> >
> > Hi Arnd,
> >
> > On Fri, Sep 06, 2019 at 05:12:30PM +0200, Arnd Bergmann wrote:
> > > The nft_offload_ctx structure is much
Hi Arnd,
On Fri, Sep 06, 2019 at 05:12:30PM +0200, Arnd Bergmann wrote:
> The nft_offload_ctx structure is much too large to put on the
> stack:
>
> net/netfilter/nf_tables_offload.c:31:23: error: stack frame size of 1200
> bytes in function 'nft_flow_rule_create' [-Werror,-Wframe-larger-than=]
On Tue, Aug 27, 2019 at 02:34:14PM -0300, Leonardo Bras wrote:
> On Tue, 2019-08-27 at 12:35 +0200, Pablo Neira Ayuso wrote:
[...]
> > NFT_BREAK instead to stop evaluating this rule, this results in a
> > mismatch, so you let the user decide what to do with packets that do
>
On Wed, Aug 21, 2019 at 11:15:06AM -0300, Leonardo Bras wrote:
> If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
> dealing with an IPv6 package, it causes a kernel panic in
> fib6_node_lookup_1(), crashing in bad_page_fault.
Q: How do you get to see IPv6 packets if IPv6 modul
On Tue, Aug 20, 2019 at 01:15:58PM -0300, Leonardo Bras wrote:
> On Tue, 2019-08-20 at 07:36 +0200, Florian Westphal wrote:
> > Wouldn't fib_netdev.c have the same problem?
> Probably, but I haven't hit this issue yet.
>
> > If so, might be better to place this test in both
> > nft_fib6_eval_type
On Mon, Aug 19, 2019 at 04:39:27PM +0900, Masahiro Yamada wrote:
> Add a header include guard just in case.
Applied.
On Wed, Aug 14, 2019 at 03:35:02PM +0300, Denis Efremov wrote:
> This entry is in MAINTAINERS for historical purpose.
> It doesn't match current sources since the commit
> adf82accc5f5 ("netfilter: x_tables: merge ip and
> ipv6 masquerade modules") moved the module.
> The net/netfilter/xt_MASQUERAD
On Wed, Aug 14, 2019 at 09:58:09AM -0700, Nathan Chancellor wrote:
> clang warns:
>
> net/netfilter/nft_bitwise.c:138:50: error: size argument in 'memcmp'
> call is a comparison [-Werror,-Wmemsize-comparison]
> if (memcmp(&priv->xor, &zero, sizeof(priv->xor) ||
>
Applied, thanks.
On Thu, Aug 08, 2019 at 01:43:22AM -0400, Valdis Klētnieks wrote:
> Sparse warns about two tables not being declared.
>
> CHECK net/netfilter/nf_nat_proto.c
> net/netfilter/nf_nat_proto.c:725:26: warning: symbol 'nf_nat_ipv4_ops' was
> not declared. Should it be static?
> net/netfilter/nf_nat
On Thu, Aug 08, 2019 at 01:28:08AM -0400, Valdis Klētnieks wrote:
> Sparse rightly complains about undeclared symbols.
>
> CHECK net/netfilter/nft_set_hash.c
> net/netfilter/nft_set_hash.c:647:21: warning: symbol 'nft_set_rhash_type' was
> not declared. Should it be static?
> net/netfilter/nf
On Tue, Aug 13, 2019 at 09:09:41AM +0300, Denis Efremov wrote:
> Update MAINTAINERS record to reflect the filename change
> from ipt_MASQUERADE.c to xt_MASQUERADE.c
This entry is there for historical purpose. I'd suggest you send a
patch to remove it so this just falls under the netfilter section.
On Tue, Jul 23, 2019 at 03:23:03AM +0200, Matteo Croce wrote:
> Use shared sysctl variables for zero and one constants, as in commit
> eec4844fae7c ("proc/sysctl: add shared variables for range check")
Applied, thanks.
On Mon, Jul 29, 2019 at 12:51:38AM +0900, Masahiro Yamada wrote:
> Add a header include guard just in case.
Applied to nf.git, thanks.
BTW, is the _UAPI_ prefix really needed? I can see netfilter headers
under include/uapi/ sometimes are prefixed by UAPI and sometimes not.
Thanks.