[PATCH 00/13] Netfilter fixes for net

2016-10-21 Thread Pablo Neira Ayuso
Dichtel (2): netfilter: conntrack: remove obsolete sysctl (nf_conntrack_events_retry_timeout) netfilter: conntrack: restart gc immediately if GC_MAX_EVICTS is reached Pablo Neira Ayuso (2): netfilter: nft_range: validate operation netlink attribute netfilter: fix nf_queue handling Doc

Re: [PATCH] netfilter: don't permit unprivileged writes to global state via sysctls

2016-10-20 Thread Pablo Neira Ayuso
On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote: > This prevents the modification of nf_conntrack_max in unprivileged network > namespaces. For unprivileged network namespaces, ip_conntrack_max is kept > as a readonly sysctl in order to minimize potential compatibility issues. > > This

Re: [PATCH net] conntrack: restart gc immediately if GC_MAX_EVICTS is reached

2016-10-19 Thread Pablo Neira Ayuso
On Tue, Oct 18, 2016 at 02:37:32PM +0200, Nicolas Dichtel wrote: > When the maximum evictions number is reached, do not wait 5 seconds before > the next run. Applied, thanks Nicolas.

Re: [PATCH 01/28] [v2] netfilter: nf_tables: avoid uninitialized variable warning

2016-10-18 Thread Pablo Neira Ayuso
On Tue, Oct 18, 2016 at 12:05:30AM +0200, Arnd Bergmann wrote: > The newly added nft_range_eval() function handles the two possible > nft range operations, but as the compiler warning points out, > any unexpected value would lead to the 'mismatch' variable being > used without being initialized: >

Re: [patch] netfilter: nft_exthdr: fix error handling in nft_exthdr_init()

2016-10-17 Thread Pablo Neira Ayuso
On Wed, Oct 12, 2016 at 09:09:12AM +0300, Dan Carpenter wrote: > "err" needs to be signed for the error handling to work. Applied, thanks Dan.

Re: [patch v2] netfilter: nf_tables: underflow in nft_parse_u32_check()

2016-10-17 Thread Pablo Neira Ayuso
On Wed, Oct 12, 2016 at 12:14:29PM +0300, Dan Carpenter wrote: > We don't want to allow negatives here. Applied, thanks.

Re: [PATCH net 1/2] conntrack: remove obsolete sysctl (nf_conntrack_events_retry_timeout)

2016-10-17 Thread Pablo Neira Ayuso
On Mon, Oct 10, 2016 at 03:57:37PM +0200, Florian Westphal wrote: > Nicolas Dichtel wrote: > > This entry has been removed in commit 9500507c6138. > > > > Fixes: 9500507c6138 ("netfilter: conntrack: remove timer from ecache > > extension") > > Signed-off-by: Nicolas

Re: [PATCH net 2/2] conntrack: enable to tune gc parameters

2016-10-14 Thread Pablo Neira Ayuso
On Fri, Oct 14, 2016 at 12:37:26PM +0200, Florian Westphal wrote: > Nicolas Dichtel wrote: > > On 13/10/2016 at 22:43, Florian Westphal wrote: [...] > > > (Or cause too many useless scans) > > > > > > Another idea worth trying might be to get rid of the max cap and >

Re: [GIT] Networking

2016-10-05 Thread Pablo Neira Ayuso
}_validate()"). > > So I wouldn't call it a merge error - it just looks like a bug in the > network layer. So I'm not going to apply your patch even though it > looks plausible to me, simply because it's outside my area of > expertise. > > David? Pablo? This looks good, pleas

[PATCH 2/5] netfilter: accommodate different kconfig in nf_set_hooks_head

2016-10-05 Thread Pablo Neira Ayuso
") Signed-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/core.c | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index e3f68a786afe..c

[PATCH 3/5] netfilter: xt_hashlimit: Fix link error in 32bit arch because of 64bit division

2016-10-05 Thread Pablo Neira Ayuso
<v...@akamai.com> Acked-by: Maciej Żenczykowski <m...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_hashlimit.c | 15 --- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter

[PATCH 0/5] Netfilter fixes for net-next

2016-10-05 Thread Pablo Neira Ayuso
Hi David, This is a pull request to address fallout from previous nf-next pull request, only fixes going on here: 1) Address a potential null dereference in nf_unregister_net_hook() when nf_hook_entry_head becomes NULL, from Aaron Conole. 2) Missing ifdef for CONFIG_NETFILTER_INGRESS,

[PATCH 5/5] netfilter: nft_limit: fix divided by zero panic

2016-10-05 Thread Pablo Neira Ayuso
3/0xd0 [] __ip_local_out+0xcd/0xe0 [] ? ip_forward_options+0x1b0/0x1b0 [] ip_local_out+0x1c/0x40 This is because divisor is 64-bit, but we treat it as a 32-bit integer, then 0xf becomes zero, i.e. divisor becomes 0. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by:

[PATCH 4/5] netfilter: fix namespace handling in nf_log_proc_dostring

2016-10-05 Thread Pablo Neira Ayuso
char *data = "NONE"; if (write(stolen_fd, data, strlen(data)) != strlen(data)) err(1, "write"); return 0; } Repro: $ gcc -Wall -o attack attack.c -std=gnu99 $ cat /proc/sys/net/netfilter/nf_log/2 nf_log_ipv4 $ ./attack $ cat /proc/sys/net

[PATCH 1/5] netfilter: Fix potential null pointer dereference

2016-10-05 Thread Pablo Neira Ayuso
heb.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index fa6715db4581..e3f68a786afe 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/cor

Re: [PATCH v4 1/2] libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2

2016-10-04 Thread Pablo Neira Ayuso
On Mon, Sep 26, 2016 at 03:08:17PM -0400, Vishwanath Pai wrote: > I am planning to add a revision 2 for the hashlimit xtables module to > support higher packets per second rates. This patch renames all the > functions and variables related to revision 1 by adding _v1 at the > end of the names.

Re: [PATCH v4 2/2] libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates

2016-10-04 Thread Pablo Neira Ayuso
On Mon, Sep 26, 2016 at 03:08:52PM -0400, Vishwanath Pai wrote: > libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps > rates > > Create a new revision for the hashlimit iptables extension module. Rev 2 > will support higher pps of up to 1 million, Version 1 supports only 10k.

Re: [PATCH] netfilter: fix namespace handling in nf_log_proc_dostring

2016-10-04 Thread Pablo Neira Ayuso
On Sun, Sep 18, 2016 at 09:40:55PM +0200, Jann Horn wrote: > nf_log_proc_dostring() used current's network namespace instead of the one > corresponding to the sysctl file the write was performed on. Because the > permission check happens at open time and the nf_log files in namespaces > are

Re: [PATCH 1/3] netfilter: nf_tables: avoid uninitialized variable warning

2016-09-30 Thread Pablo Neira Ayuso
On Fri, Sep 30, 2016 at 07:47:49PM +0200, Pablo Neira Ayuso wrote: > On Fri, Sep 30, 2016 at 06:05:34PM +0200, Arnd Bergmann wrote: > > The newly added nft_range_eval() function handles the two possible > > nft range operations, but as the compiler warning points out, > >

Re: [PATCH nf-next v4 1/2] netfilter: Fix potential null pointer dereference

2016-09-30 Thread Pablo Neira Ayuso
On Wed, Sep 28, 2016 at 11:35:14AM -0400, Aaron Conole wrote: > It's possible for nf_hook_entry_head to return NULL. If two > nf_unregister_net_hook calls happen simultaneously with a single hook > entry in the list, both will enter the nf_hook_mutex critical section. > The first will

Re: [PATCH 1/3] netfilter: nf_tables: avoid uninitialized variable warning

2016-09-30 Thread Pablo Neira Ayuso
On Fri, Sep 30, 2016 at 06:05:34PM +0200, Arnd Bergmann wrote: > The newly added nft_range_eval() function handles the two possible > nft range operations, but as the compiler warning points out, > any unexpected value would lead to the 'mismatch' variable being > used without being initialized: >

Re: [PATCH net-next v3] netfilter: xt_hashlimit: Fix link error in 32bit arch because of 64bit division

2016-09-30 Thread Pablo Neira Ayuso
On Thu, Sep 29, 2016 at 01:39:50PM -0400, Vishwanath Pai wrote: > v2: > Remove unnecessary div64_u64 around constants > > v3: > remove backslashes > > -- > > Fix link error in 32bit arch because of 64bit division > > Division of 64bit integers will cause linker error undefined reference > to

Re: [PATCH nf-next v4 2/2] nf_set_hooks_head: accommodate different kconfig

2016-09-30 Thread Pablo Neira Ayuso
On Wed, Sep 28, 2016 at 11:35:15AM -0400, Aaron Conole wrote: > When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle > the request for registration properly by dropping the hook. This > releases the entry during the set. Also applied. I have renamed the subject to:

Re: pull-request: wireless-drivers-next 2016-09-29

2016-09-29 Thread Pablo Neira Ayuso
On Thu, Sep 29, 2016 at 07:57:28PM +0300, Kalle Valo wrote: > Hi Dave, > > this should be the last wireless-drivers-next pull request for 4.9, from > now on only important bugfixes. Nothing really special stands out, > iwlwifi being most active but other drivers also getting attention. More >

[PATCH 08/53] netfilter: nft_quota: fix overquota logic

2016-09-25 Thread Pablo Neira Ayuso
Use xor to decide to break further rule evaluation or not, since the existing logic doesn't achieve the expected inversion. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_quota.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/net

[PATCH 02/53] netfilter: gre: Use consistent GRE and PPTP header structure instead of the ones defined by netfilter

2016-09-25 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> There are two existing structures which define the GRE and PPTP header. So use these two structures instead of the ones defined by netfilter to keep consistent with other code. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Nei

[PATCH 17/53] netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate()

2016-09-25 Thread Pablo Neira Ayuso
/netfilter/nf_tables_ipv{4,6}.h so they can be reused by a follow up patch to use them from the bridge family too. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables_ipv4.h | 42 ++ include/net/netfilter/nf_tables_ipv6.

[PATCH 19/53] netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport

2016-09-25 Thread Pablo Neira Ayuso
Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables_ipv6.h| 6 ++ net/ipv6/netfilter/nf_tables_ipv6.c | 4 +--- net/ipv6/netfilter/nft_chain_route_ipv6.c | 4 +--- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/include/net/netfilter/nf_tables_ipv

[PATCH 15/53] netfilter: nf_tables: ensure proper initialization of nft_pktinfo fields

2016-09-25 Thread Pablo Neira Ayuso
. Reported-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 18 ++ include/net/netfilter/nf_tables_ipv4.h | 1 + include/net/netfilter/nf_tables_ipv6.h | 1 + net/brid

[PATCH 10/53] netfilter: nf_ct_sip: allow tab character in SIP headers

2016-09-25 Thread Pablo Neira Ayuso
"(" / ")" / "<" / ">" / ":" / "\" / DQUOTE / "/" / "[" / "]" / "?" / "{" / "}" ) Signed-off-by: Marco Angaroni <marcoangar...@gma

[PATCH 05/53] netfilter: ftp: Remove the useless dlen==0 condition check in find_pattern

2016-09-25 Thread Pablo Neira Ayuso
o check it in find_pattern too. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_ftp.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ft

[PATCH 07/53] netfilter: nft_numgen: rename until attribute by modulus

2016-09-25 Thread Pablo Neira Ayuso
iebana <nev...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 4 ++-- net/netfilter/nft_numgen.c | 30 +++--- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/include/ua

[PATCH 09/53] netfilter: nft_quota: introduce nft_overquota()

2016-09-25 Thread Pablo Neira Ayuso
This patch renames the existing function to nft_overquota() and makes it return a boolean that tells us if we have exceeded our byte quota. Just a cleanup. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_quota.c | 8 1 file changed, 4 insertions

[PATCH 11/53] netfilter: nft_queue: check the validation of queues_total and queuenum

2016-09-25 Thread Pablo Neira Ayuso
ueue.t: any/queue.t: 6 unit tests, 0 error, 0 warning Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_queue.c | 11 +++ 1 file changed, 11 insertions(+) diff --git a/net/netfilter/nft_queue

[PATCH 31/53] netfilter: nf_tables: improve nft payload fast eval

2016-09-25 Thread Pablo Neira Ayuso
load_eval. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core

[PATCH 21/53] netfilter: Add the missed return value check of register_netdevice_notifier

2016-09-25 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> There is some code in the netfilter module which did not check the return value of register_netdevice_notifier. Add the checks now. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 25/53] netfilter: nft_numgen: fix race between num generate and store it

2016-09-25 Thread Pablo Neira Ayuso
91dbc6be0a62 ("netfilter: nf_tables: add number generator expression") Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_numgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --

[PATCH 18/53] netfilter: nf_tables_bridge: use nft_set_pktinfo_ipv{4, 6}_validate

2016-09-25 Thread Pablo Neira Ayuso
/nft_reject_bridge.c. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables_bridge.h | 7 net/bridge/netfilter/nf_tables_bridge.c | 72 +--- net/bridge/netfilter/nft_reject_bridge.c | 44 ++- 3 files changed, 45 inse

[PATCH 13/53] netfilter: nft_hash: Add hash offset value

2016-09-25 Thread Pablo Neira Ayuso
From: Laura Garcia Liebana Add support to pass through an offset to the hash value. With this feature, the sysadmin is able to generate a hash with a given offset value. Example: meta mark set jhash ip saddr mod 2 seed 0xabcd offset 100 This option generates marks

[PATCH 26/53] netfilter: nft_hash: fix hash overflow validation

2016-09-25 Thread Pablo Neira Ayuso
itself. Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add hash offset value") Reported-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_hash.c |

[PATCH 12/53] netfilter: nf_conntrack: remove unused ctl_table_path member in nf_conntrack_l3proto

2016-09-25 Thread Pablo Neira Ayuso
; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_l3proto.h | 4 1 file changed, 4 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index cdc920b4c4c2..8992e4229da9 100644

[PATCH 29/53] netfilter: nft_queue: add _SREG_QNUM attr to select the queue number

2016-09-25 Thread Pablo Neira Ayuso
u16 type is already enough. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 2 + net/netfilter/nft_q

[PATCH 20/53] netfilter: nf_conntrack: simplify __nf_ct_try_assign_helper() return logic

2016-09-25 Thread Pablo Neira Ayuso
From: Pablo Neira <pa...@netfilter.org> Instead of several goto's just to return the result, simply return it. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_helper.c | 15 ++- 1 file changed, 6 insertions(+), 9 deletions(-) diff

[PATCH 28/53] netfilter: nf_tables: validate maximum value of u32 netlink attributes

2016-09-25 Thread Pablo Neira Ayuso
check on u8 nft_exthdr attributes"). Fixes: 96518518cc41 ("netfilter: add nftables") Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net

[PATCH 14/53] netfilter: nft_dynset: allow to invert match criteria

2016-09-25 Thread Pablo Neira Ayuso
and our set already contains 4 entries, then this packet is dropped. You can already express this in positive logic, assuming default policy to drop: # nft filter input flow table xyz size 4 { ip saddr timeout 10s counter } accept Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.

[PATCH 04/53] netfilter: nf_ct_sip: correct allowed characters in Call-ID SIP header

2016-09-25 Thread Pablo Neira Ayuso
" / "`" / "'" / "~" / "(" / ")" / "<" / ">" / ":" / "\" / DQUOTE / "/" / "[" / "]" / "?" / "{" / "}"

[PATCH 16/53] netfilter: nf_tables_ipv6: setup pktinfo transport field on failure to parse

2016-09-25 Thread Pablo Neira Ayuso
Make sure the pktinfo protocol fields are initialized if this fails to parse the transport header. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables_ipv6.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/net/net

[PATCH 32/53] netfilter: nf_tables: check tprot_set first when we use xt.thoff

2016-09-25 Thread Pablo Neira Ayuso
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_core.c | 5 - net/netfilter/nf_tables_trace.c | 20 +++- net/netfilter/nft_payload.c | 4 3 files changed, 19 ins

[PATCH 23/53] netfilter: nf_queue: get rid of dependency on IP6_NF_IPTABLES

2016-09-25 Thread Pablo Neira Ayuso
Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_queue.h | 4 1 file changed, 4 deletions(-) diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h index 0dbce55437f2..c

[PATCH 48/53] netfilter: xt_hashlimit: Create revision 2 to support higher pps rates

2016-09-25 Thread Pablo Neira Ayuso
those functions and moved all the common code to a *_common function. Signed-off-by: Vishwanath Pai <v...@akamai.com> Signed-off-by: Joshua Hunt <joh...@akamai.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/xt_hashlimit.h | 23 ++ net/

[PATCH 35/53] netfilter: nft_lookup: remove superfluous element found check

2016-09-25 Thread Pablo Neira Ayuso
We already checked for !found just a bit before: if (!found) { regs->verdict.code = NFT_BREAK; return; } if (found && set->flags & NFT_SET_MAP) ^ So this redundant check can just go away. Signed-off-by:

[PATCH 52/53] netfilter: nft_log: complete NFTA_LOG_FLAGS attr support

2016-09-25 Thread Pablo Neira Ayuso
flags. Finally, if the user specifies unsupported log flags or NFTA_LOG_GROUP and NFTA_LOG_FLAGS are set at the same time, report EINVAL to the userspace. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/ne

[PATCH 46/53] netfilter: nft_ct: report error if mark and dir specified simultaneously

2016-09-25 Thread Pablo Neira Ayuso
Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_ct.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 825fbbc62f48..d7b0d171172a 100644 --- a/net/netfilter/nft_ct.c +

[PATCH 43/53] netfilter: replace list_head with single linked list

2016-09-25 Thread Pablo Neira Ayuso
device becomes 2176 bytes (down from 2240). Signed-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netdevice.h | 2 +- include/linux/n

[PATCH 51/53] netfilter: nf_tables: add range expression

2016-09-25 Thread Pablo Neira Ayuso
>=) cmp(sreg, data, <=) This new range expression provides an alternative way to express this. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables_core.h | 3 + include/uapi/linux/netfilter/nf_tables.h | 29 +

[PATCH 33/53] netfilter: Enhance the codes used to get random once

2016-09-25 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> There is some code which is used to get one random once in netfilter. We could use net_get_random_once to simplify this code. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netf

[PATCH 44/53] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

2016-09-25 Thread Pablo Neira Ayuso
618628 To summarize, it is clear that the seqadj code adjusts the 0 ack when receiving a TCP RST packet without ack. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_seqadj.c | 20 1 fil

[PATCH 41/53] netfilter: Only allow sane values in nf_register_net_hook

2016-09-25 Thread Pablo Neira Ayuso
From: Aaron Conole <acon...@bytheb.org> This commit adds an upfront check for sane values to be passed when registering a netfilter hook. This will be used in a future patch for a simplified hook list traversal. Signed-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Pablo

[PATCH 42/53] netfilter: nf_queue: whitespace cleanup

2016-09-25 Thread Pablo Neira Ayuso
From: Aaron Conole <acon...@bytheb.org> A future patch will modify the hook drop and outfn functions. This will cause the line lengths to take up too much space. This is simply a readability change. Signed-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Pablo Nei

[PATCH 47/53] netfilter: xt_hashlimit: Prepare for revision 2

2016-09-25 Thread Pablo Neira Ayuso
Pai <v...@akamai.com> Signed-off-by: Joshua Hunt <joh...@akamai.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_hashlimit.c | 61 ++-- 1 file changed, 31 insertions(+), 30 deletions(-) diff --git a/net/netfil

[PATCH 30/53] netfilter: nf_queue: improve queue range support for bridge family

2016-09-25 Thread Pablo Neira Ayuso
first queue num. Because in nfqueue_hash, we only support ipv4 and ipv6 family. Now add support for bridge family too. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.

[PATCH 49/53] netfilter: evict stale entries when user reads /proc/net/nf_conntrack

2016-09-25 Thread Pablo Neira Ayuso
f conntrack timer") Reported-by: Fabian Frederick <f...@skynet.be> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_standalone.c | 5 + 1 file changed, 5 insertions(+) diff --git a/net/ne

[PATCH 34/53] netfilter: xt_helper: Use sizeof(variable) instead of literal number

2016-09-25 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> It's better to use sizeof(info->name)-1 as index to force set the string tail instead of literal number '29'. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_helper.c | 2

[PATCH 40/53] netfilter: Remove explicit rcu_read_lock in nf_hook_slow

2016-09-25 Thread Pablo Neira Ayuso
; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/ebt_redirect.c| 2 +- net/bridge/netfilter/ebtables.c| 2 +- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 +- net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 +-

[PATCH 37/53] netfilter: bridge: add and use br_nf_hook_thresh

2016-09-25 Thread Pablo Neira Ayuso
u read-side critical section to make a future cleanup simpler. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/br_netfilter.h | 6 net/bri

[PATCH 27/53] netfilter: nft_numgen: add number generation offset

2016-09-25 Thread Pablo Neira Ayuso
et 100 This will generate marks with the series 100, 101, 100, 101, ... Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.

[PATCH 22/53] netfilter: Add the missed return value check of nft_register_chain_type

2016-09-25 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> There is some code in the netfilter module which did not check the return value of nft_register_chain_type. Add the checks now. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- ne

[PATCH 50/53] netfilter: xt_socket: fix transparent match for IPv6 request sockets

2016-09-25 Thread Pablo Neira Ayuso
et: prepare for TCP_NEW_SYN_RECV support") Signed-off-by: Alex Badics <alex.bad...@balabit.com> Signed-off-by: KOVACS Krisztian <hid...@balabit.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/tcp_input.c | 1 + net/ipv4/tcp_ipv4.c | 1 - 2 files changed, 1 inser

[PATCH 39/53] netfilter: call nf_hook_ingress with rcu_read_lock

2016-09-25 Thread Pablo Neira Ayuso
ff-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/core/dev.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/core/dev.c b/net/core/dev.c index 34b5322bc081..064919425b7d 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -4040,12 +4040,17 @@ static inline int

[PATCH 45/53] netfilter: nft_ct: unnecessary to require dir when use ct l3proto/protocol

2016-09-25 Thread Pablo Neira Ayuso
3proto and protocol are unrelated to direction. And for compatibility, even if the user specifies the NFTA_CT_DIRECTION attr, do not report an error, just skip it. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfi

[PATCH 53/53] netfilter: nf_log: get rid of XT_LOG_* macros

2016-09-25 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> nf_log is used by both nftables and iptables, so using XT_LOG_XXX macros here is not appropriate. Replace them with NF_LOG_XXX. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilte

[PATCH 36/53] netfilter: xt_TCPMSS: Refactor the codes to decrease one condition check and more readable

2016-09-25 Thread Pablo Neira Ayuso
he result of min(dst_mtu(skb_dst(skb)), in_mtu) to a new variable, then only perform one condition check, and it is more readable. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_TCPMSS.c | 12 1 file

[PATCH 38/53] netfilter: call nf_hook_state_init with rcu_read_lock held

2016-09-25 Thread Pablo Neira Ayuso
ed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter.h | 8 +++- include/linux/netfilter_ingress.h | 1 + 2 files changed, 8 insertions(+), 1

[PATCH 24/53] netfilter: conntrack: remove packet hotpath stats

2016-09-25 Thread Pablo Neira Ayuso
AT has to determine if it needs to pick a different source address. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/nf_conntrack_common.h | 4 include/uapi/linux/netfilter/nfnetlink_conntrack.h

[PATCH 03/53] netfilter: nf_ct_sip: correct parsing of continuation lines in SIP headers

2016-09-25 Thread Pablo Neira Ayuso
/ "~" / "(" / ")" / "<" / ">" / ":" / "\" / DQUOTE / "/" / "[" / "]" / "?" / "{" / "}" ) Signed-off-by: Marco Angaroni <

[PATCH 06/53] netfilter: ftp: Remove the useless code

2016-09-25 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> There is some debug code which is commented out in find_pattern by #if 0. Now remove it. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_ftp.c | 13 +--

[PATCH 00/53] Netfilter updates for net-next

2016-09-25 Thread Pablo Neira Ayuso
character in SIP headers Pablo Neira (1): netfilter: nf_conntrack: simplify __nf_ct_try_assign_helper() return logic Pablo Neira Ayuso (11): netfilter: nft_quota: fix overquota logic netfilter: nft_quota: introduce nft_overquota() netfilter: nft_dynset: allow to invert

[PATCH 01/53] netfilter: gre: Use consistent GRE_* macros instead of ones defined by netfilter.

2016-09-25 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> There are already some GRE_* macros in the kernel, so it is unnecessary to define these macros. Also remove some useless macros. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- inclu

Re: [PATCH v3 2/2] netfilter: Create revision 2 of xt_hashlimit to support higher pps rates

2016-09-25 Thread Pablo Neira Ayuso
On Sun, Sep 25, 2016 at 01:35:01PM +0200, Pablo Neira Ayuso wrote: > On Thu, Sep 22, 2016 at 02:39:45PM -0400, Vishwanath Pai wrote: > > Thanks for pointing this out, I will reorder the fields to: > > > > struct hashlimit_cfg2 { > > __u64 avg;/* Average s

Re: [PATCH] netfilter: xt_socket: fix transparent match for IPv6 request sockets

2016-09-25 Thread Pablo Neira Ayuso
On Fri, Sep 23, 2016 at 11:27:42AM +0200, KOVACS Krisztian wrote: > The introduction of TCP_NEW_SYN_RECV state, and the addition of request > sockets to the ehash table seems to have broken the --transparent option > of the socket match for IPv6 (around commit a9407000). > > Now that the socket

Re: [PATCH v3 2/2] netfilter: Create revision 2 of xt_hashlimit to support higher pps rates

2016-09-25 Thread Pablo Neira Ayuso
On Thu, Sep 22, 2016 at 02:39:45PM -0400, Vishwanath Pai wrote: > Thanks for pointing this out, I will reorder the fields to: > > struct hashlimit_cfg2 { > __u64 avg;/* Average secs between packets * scale */ > __u64 burst; > __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */

Re: [PATCH nf v5] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

2016-09-25 Thread Pablo Neira Ayuso
On Thu, Sep 22, 2016 at 02:53:53PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > It is valid that the TCP RST packet which does not set ack flag, and bytes > of ack number are zero. But current seqadj codes would adjust the "0" ack > to invalid ack number. Actually seqadj

Re: [PATCH nf-next v3 0/7] Compact netfilter hooks list

2016-09-25 Thread Pablo Neira Ayuso
On Wed, Sep 21, 2016 at 11:35:00AM -0400, Aaron Conole wrote: > This series makes a simple change to shrink the netfilter hook list > from a double linked list, to a singly linked list. Since the hooks > are always traversed in-order, there is no need to maintain a previous > pointer. > > This

Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup ebpf egress programs

2016-09-23 Thread Pablo Neira Ayuso
On Thu, Sep 22, 2016 at 05:12:57PM +0200, Daniel Borkmann wrote: > On 09/22/2016 02:05 PM, Pablo Neira Ayuso wrote: [...] > >Have a look at net/ipv4/netfilter/nft_chain_route_ipv4.c for instance. > >In your case, you have to add a new chain type: > > > >static

Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-09-22 Thread Pablo Neira Ayuso
On Thu, Sep 22, 2016 at 11:54:11AM +0200, Thomas Graf wrote: > On 09/22/16 at 11:21am, Pablo Neira Ayuso wrote: > > I have a hard time to buy this new specific hook, I think we should > > shift focus of this debate, this is my proposal to untangle this: > > > > You ad

Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-09-22 Thread Pablo Neira Ayuso
On Wed, Sep 21, 2016 at 08:48:27PM +0200, Thomas Graf wrote: > On 09/21/16 at 05:45pm, Pablo Neira Ayuso wrote: > > On Tue, Sep 20, 2016 at 06:43:35PM +0200, Daniel Mack wrote: > > > The point is that from an application's perspective, restricting the > > > ability

Re: [PATCH nf v3] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

2016-09-22 Thread Pablo Neira Ayuso
On top of Eric's comments. On Thu, Sep 22, 2016 at 10:22:45AM +0800, f...@ikuai8.com wrote: > diff --git a/net/netfilter/nf_conntrack_seqadj.c > b/net/netfilter/nf_conntrack_seqadj.c > index dff0f0c..3bd9c7e 100644 > --- a/net/netfilter/nf_conntrack_seqadj.c > +++

Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-09-21 Thread Pablo Neira Ayuso
Hi Daniel, On Tue, Sep 20, 2016 at 06:43:35PM +0200, Daniel Mack wrote: > Hi Pablo, > > On 09/20/2016 04:29 PM, Pablo Neira Ayuso wrote: > > On Mon, Sep 19, 2016 at 10:56:14PM +0200, Daniel Mack wrote: > > [...] > >> Why would we artificially limit the us

Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-09-20 Thread Pablo Neira Ayuso
On Mon, Sep 19, 2016 at 10:56:14PM +0200, Daniel Mack wrote: [...] > Why would we artificially limit the use-cases of this implementation if > the way it stands, both filtering and introspection are possible? Why should we place infrastructure in the kernel to filter packets so late, and why at

Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-09-19 Thread Pablo Neira Ayuso
On Mon, Sep 19, 2016 at 01:13:27PM -0700, Alexei Starovoitov wrote: > On Mon, Sep 19, 2016 at 09:19:10PM +0200, Pablo Neira Ayuso wrote: [...] > > 2) This will turn the stack into a nightmare to debug I predict. If > >any process with CAP_NET_ADMIN can potentially attach bpf b

Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-09-19 Thread Pablo Neira Ayuso
On Mon, Sep 19, 2016 at 09:30:02PM +0200, Daniel Mack wrote: > On 09/19/2016 09:19 PM, Pablo Neira Ayuso wrote: > > On Mon, Sep 19, 2016 at 06:44:00PM +0200, Daniel Mack wrote: > >> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c > >> index 6001e78..5dc90aa

Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-09-19 Thread Pablo Neira Ayuso
On Mon, Sep 19, 2016 at 06:44:00PM +0200, Daniel Mack wrote: > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c > index 6001e78..5dc90aa 100644 > --- a/net/ipv6/ip6_output.c > +++ b/net/ipv6/ip6_output.c > @@ -39,6 +39,7 @@ > #include > #include > > +#include > #include >

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 09:42:19PM -0700, Alexei Starovoitov wrote: [...] > For us this cgroup+bpf is _not_ for filtering and _not_ for security. If your goal is monitoring, then convert these hooks so they are not allowed to issue a verdict on the packet, so this becomes innocuous in the same fashion as

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > Hi, > > On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > > On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: > >> This is v5 of the patch set to allow eBPF programs for network > >> filter

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Pablo Neira Ayuso
Hi, On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: > This is v5 of the patch set to allow eBPF programs for network > filtering and accounting to be attached to cgroups, so that they apply > to all sockets of all tasks placed in that cgroup. The logic also > allows to be extended

[PATCH 1/4] netfilter: nf_tables_trace: fix endianness when dump chain policy

2016-09-13 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> NFTA_TRACE_POLICY attribute is big endian, but we forgot to call htonl to convert it. Fortunately, this attribute is parsed as big endian in libnftnl. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Nei
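An added example of the endianness point, not code from the patch, the kernel or libnftnl: a minimal nlattr-style TLV writer with a host-order and a big-endian put, and a reader that, like libnftnl does for this attribute, decodes the value as big endian. On a little-endian host the host-order write of NF_ACCEPT (1) reads back as 0x01000000. The nlbuf type, the attribute type number ATTR_POLICY and the helper names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Netlink attribute layout: 2-byte length, 2-byte type (both host order),
 * payload, padded to a 4-byte boundary. Same shape as struct nlattr. */
#define NLA_HDRLEN 4
#define NLA_ALIGN(len) (((len) + 3) & ~3u)

/* Attribute type number is arbitrary for this example, not the real
 * NFTA_TRACE_POLICY value from the kernel UAPI. */
#define ATTR_POLICY 1

#define NF_ACCEPT_VAL 1u /* NF_ACCEPT == 1 in uapi/linux/netfilter.h */

struct nlbuf {
    unsigned char data[64];
    size_t len;
};

/* Append one attribute; returns 0 on success, -1 if the buffer is full. */
static int nla_put(struct nlbuf *b, uint16_t type, const void *payload, uint16_t plen)
{
    uint16_t nla_len = NLA_HDRLEN + plen;
    size_t total = NLA_ALIGN(nla_len);

    if (b->len + total > sizeof(b->data))
        return -1;
    memcpy(b->data + b->len, &nla_len, sizeof(nla_len));
    memcpy(b->data + b->len + 2, &type, sizeof(type));
    memcpy(b->data + b->len + NLA_HDRLEN, payload, plen);
    memset(b->data + b->len + nla_len, 0, total - nla_len); /* zero the pad */
    b->len += total;
    return 0;
}

/* The bug: payload written in host order. */
static int nla_put_u32(struct nlbuf *b, uint16_t type, uint32_t v)
{
    return nla_put(b, type, &v, sizeof(v));
}

/* The fix: convert with htonl() first, as the kernel's nla_put_be32() does. */
static int nla_put_be32(struct nlbuf *b, uint16_t type, uint32_t v)
{
    uint32_t be = htonl(v);
    return nla_put(b, type, &be, sizeof(be));
}

/* Receiver side: walk the attributes and read the one we want as big endian.
 * Returns -1 if the attribute is absent, has the wrong size, or the buffer is malformed. */
static int64_t nla_get_be32(const struct nlbuf *b, uint16_t want)
{
    size_t off = 0;

    while (off + NLA_HDRLEN <= b->len) {
        uint16_t nla_len, nla_type;
        memcpy(&nla_len, b->data + off, sizeof(nla_len));
        memcpy(&nla_type, b->data + off + 2, sizeof(nla_type));
        if (nla_len < NLA_HDRLEN || off + nla_len > b->len)
            return -1; /* truncated or corrupt attribute */
        if (nla_type == want && nla_len == NLA_HDRLEN + sizeof(uint32_t)) {
            uint32_t be;
            memcpy(&be, b->data + off + NLA_HDRLEN, sizeof(be));
            return (int64_t)ntohl(be);
        }
        off += NLA_ALIGN(nla_len);
    }
    return -1;
}

/* Encode a chain policy of NF_ACCEPT with one of the two writers and return
 * what the big-endian reader sees. */
static int64_t policy_seen_by_reader(int use_be32)
{
    struct nlbuf b;
    int rc;

    b.len = 0;
    rc = use_be32 ? nla_put_be32(&b, ATTR_POLICY, NF_ACCEPT_VAL)
                  : nla_put_u32(&b, ATTR_POLICY, NF_ACCEPT_VAL);
    if (rc < 0)
        return -1;
    return nla_get_be32(&b, ATTR_POLICY);
}

int main(void)
{
    printf("host-order write, read as be32: %lld\n", (long long)policy_seen_by_reader(0));
    printf("be32 write, read as be32:       %lld\n", (long long)policy_seen_by_reader(1));
    return 0;
}
```

The reader also refuses attributes whose length field runs past the buffer, which is the kind of bounds check any netlink consumer needs before trusting nla_len.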

[PATCH 0/4] Netfilter fixes for net

2016-09-13 Thread Pablo Neira Ayuso
200) Gao Feng (1): netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions Liping Zhang (2): netfilter: nf_tables_trace: fix endianness when dump chain policy netfilter: nft_chain_route: re-route before skb is queued to userspace Pablo Neira Ayuso

[PATCH 2/4] netfilter: nft_chain_route: re-route before skb is queued to userspace

2016-09-13 Thread Pablo Neira Ayuso
Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nft_chain_route_ipv4.c | 11 +++ net/ipv6/netfilter/nft_chain_route_ipv6.c | 10 +++--- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/

[PATCH 4/4] netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions

2016-09-13 Thread Pablo Neira Ayuso
avoid dereferencing a NULL pointer in nf_ct_seqadj_init from init_conntrack(). Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_synproxy.h | 14 ++ net/netfilter/nf_conntrack_core.

[PATCH 3/4] netfilter: nf_nat: handle NF_DROP from nfnetlink_parse_nat_setup()

2016-09-13 Thread Pablo Neira Ayuso
table"), this is a problem. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_nat_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index de31818..19c081e 100644 --- a/net/netfilt
