Re: kernel v4.8: iptables logs are truncated with the 4.8 kernel?

2016-10-04 Thread Liping Zhang
Hi Justin, 2016-10-05 6:02 GMT+08:00 Justin Piszcz : > Hello, > > kernel 4.8 with ulogd-2.0.5- IPs are no longer logged: > > Oct 4 17:51:30 atom INPUT_BLOCK IN=eth1 OUT= > MAC=00:1b:21:9c:3b:fa:3e:94:d5:d2:49:1e:08:00 LEN=0 TOS=00 PREC=0x00 > TTL=0 ID=0 PROTO=0 MARK=0 > Oct 4 17:51:31 atom

Re: kernel v4.8: iptables logs are truncated with the 4.8 kernel?

2016-10-10 Thread Liping Zhang
Hi Chris, 2016-10-10 15:02 GMT+08:00 Chris Caputo : > On Tue, 4 Oct 2016, Justin Piszcz wrote: >> kernel 4.8 with ulogd-2.0.5- IPs are no longer logged: >> >> Oct 4 17:51:30 atom INPUT_BLOCK IN=eth1 OUT= >> MAC=00:1b:21:9c:3b:fa:3e:94:d5:d2:49:1e:08:00 LEN=0 TOS=00 PREC=0x00 >> TTL=0 ID=0

Re: kernel v4.8: iptables logs are truncated with the 4.8 kernel?

2016-10-10 Thread Liping Zhang
2016-10-11 2:33 GMT+08:00 Chris Caputo : >> >> What numbers did you specify after --nflog-size option? >> --nflog-size 0 or ...? If you want to log the whole packet to >> the ulogd, please do not specify this nflog-size option. > > Not specifying nflog-size does not appear to log the whole packet...

Re: kernel v4.8: iptables logs are truncated with the 4.8 kernel?

2016-10-10 Thread Liping Zhang
2016-10-11 11:57 GMT+08:00 Chris Caputo : > I have tested the above patch with 4.8.1, with and without nflog-size > defined in an iptables configuration, and it works well. > > The ulogd-2.0.5 segfaults no longer happen when nflog-size is not present > in a target. > > I recommend this fix.

[PATCH 0/3] sysctl: fix some bugs related to proc_douintvec

2017-04-07 Thread Liping Zhang
From: Liping Zhang This patch set aims to fix some bugs introduced by commit e7d316a02f68 ("sysctl: handle error writing UINT_MAX to u32 fields"). Liping Zhang (3): sysctl: add sanity check for proc_douintvec sysctl: don't print negative flag for proc_douintvec sysctl: rep

[PATCH 3/3] sysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec

2017-04-07 Thread Liping Zhang
From: Liping Zhang Currently, inputting the following command will succeed but actually the value will be truncated: # echo 0x12 > /proc/sys/net/ipv4/tcp_notsent_lowat This is not friendly to the user, so instead, we should report error when the value is larger than UINT_MAX. Fi

[PATCH 2/3] sysctl: don't print negative flag for proc_douintvec

2017-04-07 Thread Liping Zhang
From: Liping Zhang I saw some very confusing sysctl output on my system: # cat /proc/sys/net/core/xfrm_aevent_rseqth -2 # cat /proc/sys/net/core/xfrm_aevent_etime -10 cat /proc/sys/net/ipv4/tcp_notsent_lowat -4294967295 Because we forget to set the *negp flag in proc_douintvec, so

[PATCH 1/3] sysctl: add sanity check for proc_douintvec

2017-04-07 Thread Liping Zhang
From: Liping Zhang Commit e7d316a02f68 ("sysctl: handle error writing UINT_MAX to u32 fields") introduced the proc_douintvec helper function, but it forgot to add the related sanity check when doing register_sysctl_table. So add it now. Signed-off-by: Liping Zhang --- fs/proc/pro

Re: [PATCH] net: netfilter: Replace explicit NULL comparisons

2017-04-09 Thread Liping Zhang
2017-04-09 16:26 GMT+08:00 Jan Engelhardt : > > On Sunday 2017-04-09 05:42, Arushi Singhal wrote: >>On Sun, Apr 9, 2017 at 1:44 AM, Pablo Neira Ayuso wrote: >> On Sat, Apr 08, 2017 at 08:21:56PM +0200, Jan Engelhardt wrote: >> > On Saturday 2017-04-08 19:21, Arushi Singhal wrote: >>

Re: [PATCH 1/1] netfilter: Add helper array register/unregister functions

2016-07-19 Thread Liping Zhang
2016-07-18 11:39 GMT+08:00 : > From: Gao Feng > > Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister > functions to enhance the conntrack helper codes. I think this patch is breaking something ... This irc: > - if (ports[i] == IRC_PORT) > -

Re: [PATCH] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-07-03 Thread Liping Zhang
2016-07-01 17:48 GMT+08:00 Christophe Leroy : > Do not drop packet when CSeq is 0 as 0 is also a valid value for CSeq. > > --- a/net/netfilter/nf_conntrack_sip.c > +++ b/net/netfilter/nf_conntrack_sip.c > @@ -1368,6 +1368,7 @@ static int process_sip_response(struct sk_buff *skb, > unsigned int

Re: [PATCH] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-07-04 Thread Liping Zhang
2016-07-04 14:14 GMT+08:00 Christophe Leroy : >> I think there is no need to convert simple_strtoul to kstrtouint, add >> a further check seems better? >> Like this: >> - if (!cseq) { >> + if (!cseq && *(*dptr + matchoff) != '0') { >> > > And what about an invalid CSeq that would look
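
Review bot: The added test in `if (!cseq && *(*dptr + matchoff) != '0')` inspects only the first byte at matchoff, so any field that starts with '0' and parses to zero is accepted as CSeq 0, whatever follows that byte. simple_strtoul stops at the first non-digit without reporting an error, which means a leading '0' followed by non-digit bytes is indistinguishable here from a genuine CSeq of 0. Passing an end pointer to simple_strtoul and checking how far the parse advanced would separate "no digits consumed" and "trailing garbage" from a real zero more reliably than comparing a single character, and a short comment stating which inputs are meant to be rejected would help the next reader of this helper.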