Dichtel (2):
netfilter: conntrack: remove obsolete sysctl
(nf_conntrack_events_retry_timeout)
netfilter: conntrack: restart gc immediately if GC_MAX_EVICTS is reached
Pablo Neira Ayuso (2):
netfilter: nft_range: validate operation netlink attribute
netfilter: fix nf_queue handling
Doc
On Sat, Sep 24, 2016 at 12:21:04AM +0200, Jann Horn wrote:
> This prevents the modification of nf_conntrack_max in unprivileged network
> namespaces. For unprivileged network namespaces, ip_conntrack_max is kept
> as a readonly sysctl in order to minimize potential compatibility issues.
>
> This
On Tue, Oct 18, 2016 at 02:37:32PM +0200, Nicolas Dichtel wrote:
> When the maximum evictions number is reached, do not wait 5 seconds before
> the next run.
Applied, thanks Nicolas.
On Tue, Oct 18, 2016 at 12:05:30AM +0200, Arnd Bergmann wrote:
> The newly added nft_range_eval() function handles the two possible
> nft range operations, but as the compiler warning points out,
> any unexpected value would lead to the 'mismatch' variable being
> used without being initialized:
>
On Wed, Oct 12, 2016 at 09:09:12AM +0300, Dan Carpenter wrote:
> "err" needs to be signed for the error handling to work.
Applied, thanks Dan.
On Wed, Oct 12, 2016 at 12:14:29PM +0300, Dan Carpenter wrote:
> We don't want to allow negatives here.
Applied, thanks.
On Mon, Oct 10, 2016 at 03:57:37PM +0200, Florian Westphal wrote:
> Nicolas Dichtel wrote:
> > This entry has been removed in commit 9500507c6138.
> >
> > Fixes: 9500507c6138 ("netfilter: conntrack: remove timer from ecache
> > extension")
> > Signed-off-by: Nicolas
On Fri, Oct 14, 2016 at 12:37:26PM +0200, Florian Westphal wrote:
> Nicolas Dichtel wrote:
> > On 13/10/2016 at 22:43, Florian Westphal wrote:
[...]
> > > (Or cause too many useless scans)
> > >
> > > Another idea worth trying might be to get rid of the max cap and
>
}_validate()").
>
> So I wouldn't call it a merge error - it just looks like a bug in the
> network layer. So I'm not going to apply your patch even though it
> looks plausible to me, simply because it's outside my area of
> expertise.
>
> David? Pablo?
This looks good, pleas
")
Signed-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/core.c | 15 +++
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index e3f68a786afe..c
<v...@akamai.com>
Acked-by: Maciej Żenczykowski <m...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_hashlimit.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter
Hi David,
This is a pull request to address fallout from previous nf-next pull
request, only fixes going on here:
1) Address a potential null dereference in nf_unregister_net_hook()
when nf_hook_entry_head becomes NULL, from Aaron Conole.
2) Missing ifdef for CONFIG_NETFILTER_INGRESS,
3/0xd0
[] __ip_local_out+0xcd/0xe0
[] ? ip_forward_options+0x1b0/0x1b0
[] ip_local_out+0x1c/0x40
This is because divisor is 64-bit, but we treat it as a 32-bit integer,
then 0xf becomes zero, i.e. divisor becomes 0.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by:
char *data = "NONE";
if (write(stolen_fd, data, strlen(data)) != strlen(data))
err(1, "write");
return 0;
}
Repro:
$ gcc -Wall -o attack attack.c -std=gnu99
$ cat /proc/sys/net/netfilter/nf_log/2
nf_log_ipv4
$ ./attack
$ cat /proc/sys/net
heb.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index fa6715db4581..e3f68a786afe 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/cor
On Mon, Sep 26, 2016 at 03:08:17PM -0400, Vishwanath Pai wrote:
> I am planning to add a revision 2 for the hashlimit xtables module to
> support higher packets per second rates. This patch renames all the
> functions and variables related to revision 1 by adding _v1 at the
> end of the names.
On Mon, Sep 26, 2016 at 03:08:52PM -0400, Vishwanath Pai wrote:
> libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps
> rates
>
> Create a new revision for the hashlimit iptables extension module. Rev 2
> will support higher pps of up to 1 million, Version 1 supports only 10k.
On Sun, Sep 18, 2016 at 09:40:55PM +0200, Jann Horn wrote:
> nf_log_proc_dostring() used current's network namespace instead of the one
> corresponding to the sysctl file the write was performed on. Because the
> permission check happens at open time and the nf_log files in namespaces
> are
On Fri, Sep 30, 2016 at 07:47:49PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Sep 30, 2016 at 06:05:34PM +0200, Arnd Bergmann wrote:
> > The newly added nft_range_eval() function handles the two possible
> > nft range operations, but as the compiler warning points out,
> >
On Wed, Sep 28, 2016 at 11:35:14AM -0400, Aaron Conole wrote:
> It's possible for nf_hook_entry_head to return NULL. If two
> nf_unregister_net_hook calls happen simultaneously with a single hook
> entry in the list, both will enter the nf_hook_mutex critical section.
> The first will
On Fri, Sep 30, 2016 at 06:05:34PM +0200, Arnd Bergmann wrote:
> The newly added nft_range_eval() function handles the two possible
> nft range operations, but as the compiler warning points out,
> any unexpected value would lead to the 'mismatch' variable being
> used without being initialized:
>
On Thu, Sep 29, 2016 at 01:39:50PM -0400, Vishwanath Pai wrote:
> v2:
> Remove unnecessary div64_u64 around constants
>
> v3:
> remove backslashes
>
> --
>
> Fix link error in 32bit arch because of 64bit division
>
> Division of 64bit integers will cause linker error undefined reference
> to
On Wed, Sep 28, 2016 at 11:35:15AM -0400, Aaron Conole wrote:
> When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
> the request for registration properly by dropping the hook. This
> releases the entry during the set.
Also applied.
I have renamed the subject to:
On Thu, Sep 29, 2016 at 07:57:28PM +0300, Kalle Valo wrote:
> Hi Dave,
>
> this should be the last wireless-drivers-next pull request for 4.9, from
> now on only important bugfixes. Nothing really special stands out,
> iwlwifi being most active but other drivers also getting attention. More
>
Use xor to decide to break further rule evaluation or not, since the
existing logic doesn't achieve the expected inversion.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_quota.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/net
From: Gao Feng <f...@ikuai8.com>
There are two existing structures which define the GRE and PPTP headers.
So use these two structures instead of the ones defined by netfilter to
keep consistent with other code.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Nei
/netfilter/nf_tables_ipv{4,6}.h
so they can be reused by a follow up patch to use them from the bridge
family too.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables_ipv4.h | 42 ++
include/net/netfilter/nf_tables_ipv6.
Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables_ipv6.h| 6 ++
net/ipv6/netfilter/nf_tables_ipv6.c | 4 +---
net/ipv6/netfilter/nft_chain_route_ipv6.c | 4 +---
3 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/include/net/netfilter/nf_tables_ipv
.
Reported-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 18 ++
include/net/netfilter/nf_tables_ipv4.h | 1 +
include/net/netfilter/nf_tables_ipv6.h | 1 +
net/brid
"(" / ")" / "<" / ">" /
":" / "\" / DQUOTE /
"/" / "[" / "]" / "?" /
"{" / "}" )
Signed-off-by: Marco Angaroni <marcoangar...@gma
o check it in find_pattern too.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_ftp.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ft
iebana <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 4 ++--
net/netfilter/nft_numgen.c | 30 +++---
2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/include/ua
This patch renames the existing function to nft_overquota() and makes
it return a boolean that tells us if we have exceeded our byte quota.
Just a cleanup.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_quota.c | 8
1 file changed, 4 insertions
ueue.t:
any/queue.t: 6 unit tests, 0 error, 0 warning
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_queue.c | 11 +++
1 file changed, 11 insertions(+)
diff --git a/net/netfilter/nft_queue
load_eval.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core
From: Gao Feng <f...@ikuai8.com>
There is some code in netfilter modules which did not check the return
value of register_netdevice_notifier. Add the checks now.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
91dbc6be0a62 ("netfilter: nf_tables: add number generator expression")
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_numgen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --
/nft_reject_bridge.c.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables_bridge.h | 7
net/bridge/netfilter/nf_tables_bridge.c | 72 +---
net/bridge/netfilter/nft_reject_bridge.c | 44 ++-
3 files changed, 45 inse
From: Laura Garcia Liebana
Add support to pass through an offset to the hash value. With this
feature, the sysadmin is able to generate a hash with a given
offset value.
Example:
meta mark set jhash ip saddr mod 2 seed 0xabcd offset 100
This option generates marks
itself.
Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add hash offset value")
Reported-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_hash.c |
;
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_l3proto.h | 4
1 file changed, 4 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h
b/include/net/netfilter/nf_conntrack_l3proto.h
index cdc920b4c4c2..8992e4229da9 100644
u16
type is already enough.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/netfilter/nft_q
From: Pablo Neira <pa...@netfilter.org>
Instead of several goto's just to return the result, simply return it.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_helper.c | 15 ++-
1 file changed, 6 insertions(+), 9 deletions(-)
diff
check
on u8 nft_exthdr attributes").
Fixes: 96518518cc41 ("netfilter: add nftables")
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net
and our set already contains 4 entries, then this packet is dropped.
You can already express this in positive logic, assuming default policy
to drop:
# nft filter input flow table xyz size 4 { ip saddr timeout 10s counter }
accept
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.
" / "`" / "'" / "~" /
"(" / ")" / "<" / ">" /
":" / "\" / DQUOTE /
"/" / "[" / "]" / "?" /
"{" / "}"
Make sure the pktinfo protocol fields are initialized if this fails to
parse the transport header.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables_ipv6.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/net/net
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_core.c | 5 -
net/netfilter/nf_tables_trace.c | 20 +++-
net/netfilter/nft_payload.c | 4
3 files changed, 19 ins
Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_queue.h | 4
1 file changed, 4 deletions(-)
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index 0dbce55437f2..c
those functions and moved all the common code to a *_common function.
Signed-off-by: Vishwanath Pai <v...@akamai.com>
Signed-off-by: Joshua Hunt <joh...@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/xt_hashlimit.h | 23 ++
net/
We already checked for !found just a bit before:
if (!found) {
        regs->verdict.code = NFT_BREAK;
        return;
}
if (found && set->flags & NFT_SET_MAP)
    ^
So this redundant check can just go away.
Signed-off-by:
flags.
Finally, if the user specifies unsupported log flags, or NFTA_LOG_GROUP
and NFTA_LOG_FLAGS are set at the same time, report EINVAL to
userspace.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/ne
Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_ct.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 825fbbc62f48..d7b0d171172a 100644
--- a/net/netfilter/nft_ct.c
+
device becomes
2176 bytes (down from 2240).
Signed-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netdevice.h | 2 +-
include/linux/n
>=)
cmp(sreg, data, <=)
This new range expression provides an alternative way to express this.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables_core.h | 3 +
include/uapi/linux/netfilter/nf_tables.h | 29 +
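The range expression above, together with the uninitialised 'mismatch' warning Arnd Bergmann quotes earlier on this page and the "validate operation netlink attribute" fix listed in the pull request, as an added example that is not code from the netfilter tree: a userland C model of a byte-register range match. The names nft_range_init, nft_range_eval, ipv4_in_range, the verdict constants and the 16-byte register width are this example's own choices, not the kernel's structures. The operation is validated when the expression is built, and the switch in eval has a default branch so the mismatch flag is assigned on every path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Operations the range expression accepts; anything else is rejected at init. */
enum nft_range_ops {
	NFT_RANGE_EQ,   /* match when from <= sreg <= to */
	NFT_RANGE_NEQ,  /* match when sreg is outside [from, to] */
};

/* Verdict returned by evaluation: keep evaluating the rule, or stop (no match). */
enum nft_verdict {
	NFT_CONTINUE,
	NFT_BREAK,
};

#define NFT_REG_MAX_LEN 16  /* widest register modelled here: an IPv6 address */

/* Constructed expression state for this example; the real kernel struct differs. */
struct nft_range_expr {
	uint8_t from[NFT_REG_MAX_LEN];
	uint8_t to[NFT_REG_MAX_LEN];
	unsigned int len;
	enum nft_range_ops op;
};

/*
 * Build the expression from user-supplied attributes. Rejects an unknown
 * operation, an oversized register and an inverted range, so eval only
 * ever sees values it knows how to handle.
 */
int nft_range_init(struct nft_range_expr *e, uint32_t op,
		   const uint8_t *from, const uint8_t *to, unsigned int len)
{
	if (len == 0 || len > NFT_REG_MAX_LEN)
		return -EINVAL;
	if (op != NFT_RANGE_EQ && op != NFT_RANGE_NEQ)
		return -EINVAL;
	if (memcmp(from, to, len) > 0)   /* from must not exceed to */
		return -EINVAL;
	memcpy(e->from, from, len);
	memcpy(e->to, to, len);
	e->len = len;
	e->op = op;
	return 0;
}

/*
 * Compare the source register against [from, to] as big-endian byte strings
 * (memcmp gives network-order comparison for addresses and ports).
 * 'mismatch' is assigned on every path, including the default branch.
 */
enum nft_verdict nft_range_eval(const struct nft_range_expr *e, const uint8_t *sreg)
{
	bool mismatch;
	int d1 = memcmp(sreg, e->from, e->len);
	int d2 = memcmp(sreg, e->to, e->len);

	switch (e->op) {
	case NFT_RANGE_EQ:
		mismatch = d1 < 0 || d2 > 0;
		break;
	case NFT_RANGE_NEQ:
		mismatch = d1 >= 0 && d2 <= 0;
		break;
	default:
		mismatch = true;  /* unreachable after init validation; fail closed */
		break;
	}
	return mismatch ? NFT_BREAK : NFT_CONTINUE;
}

/* Convenience wrapper for an IPv4 range given as dotted-quad byte arrays. */
enum nft_verdict ipv4_in_range(const uint8_t from[4], const uint8_t to[4],
			       const uint8_t addr[4], enum nft_range_ops op)
{
	struct nft_range_expr e;

	if (nft_range_init(&e, op, from, to, 4) != 0)
		return NFT_BREAK;
	return nft_range_eval(&e, addr);
}
```

A rule of the form ip saddr 10.0.0.1-10.0.0.10 maps onto ipv4_in_range with NFT_RANGE_EQ; the negated form uses NFT_RANGE_NEQ. Because comparison is on the raw register bytes, the same eval serves ports, IPv4 and IPv6 without type-specific code.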
From: Gao Feng <f...@ikuai8.com>
There is some code in netfilter which is used to get a random value once.
We could use net_get_random_once to simplify this code.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netf
618628
To summarize, it is clear that the seqadj code adjusts the 0 ack when receiving
one TCP RST packet without ack.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_seqadj.c | 20
1 fil
From: Aaron Conole <acon...@bytheb.org>
This commit adds an upfront check for sane values to be passed when
registering a netfilter hook. This will be used in a future patch for a
simplified hook list traversal.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Pablo
From: Aaron Conole <acon...@bytheb.org>
A future patch will modify the hook drop and outfn functions. This will
cause the line lengths to take up too much space. This is simply a
readability change.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Pablo Nei
Pai <v...@akamai.com>
Signed-off-by: Joshua Hunt <joh...@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_hashlimit.c | 61 ++--
1 file changed, 31 insertions(+), 30 deletions(-)
diff --git a/net/netfil
first queue num. Because in nfqueue_hash, we only support
ipv4 and ipv6 family. Now add support for bridge family too.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.
f conntrack timer")
Reported-by: Fabian Frederick <f...@skynet.be>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_standalone.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/net/ne
From: Gao Feng <f...@ikuai8.com>
It's better to use sizeof(info->name)-1 as the index to force-set the string
tail instead of the literal number '29'.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_helper.c | 2
;
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/bridge/netfilter/ebt_redirect.c| 2 +-
net/bridge/netfilter/ebtables.c| 2 +-
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 +-
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 +-
u read-side critical section to make a
future cleanup simpler.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/br_netfilter.h | 6
net/bri
et 100
This will generate marks with the serie 100, 101, 100, 101, ...
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.
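The two offset features on this page, the hash offset ("jhash ip saddr mod 2 seed 0xabcd offset 100") and the numgen inc series 100, 101, 100, 101 above, as an added example that is not code from the netfilter tree: a userland C model of how a hash or counter is folded into the window [offset, offset + modulus). The jhash2 routine is a reimplementation of the lookup3-style mixing in the kernel's linux/jhash.h written for this example, the nft_hash_value, nft_ng_inc_* and nft_offset_window_ok names are this example's own, and the wrap check on offset + modulus is a guard this example adds rather than something the page states the kernel does.

```c
#include <stdbool.h>
#include <stdint.h>

/* Rotate-left and the lookup3 mixing steps, modelled on linux/jhash.h. */
#define rol32(x, k) (((x) << (k)) | ((x) >> (32 - (k))))
#define JHASH_INITVAL 0xdeadbeef

#define __jhash_mix(a, b, c)				\
{							\
	a -= c;  a ^= rol32(c, 4);  c += b;		\
	b -= a;  b ^= rol32(a, 6);  a += c;		\
	c -= b;  c ^= rol32(b, 8);  b += a;		\
	a -= c;  a ^= rol32(c, 16); c += b;		\
	b -= a;  b ^= rol32(a, 19); a += c;		\
	c -= b;  c ^= rol32(b, 4);  b += a;		\
}

#define __jhash_final(a, b, c)			\
{						\
	c ^= b; c -= rol32(b, 14);		\
	a ^= c; a -= rol32(c, 11);		\
	b ^= a; b -= rol32(a, 25);		\
	c ^= b; c -= rol32(b, 16);		\
	a ^= c; a -= rol32(c, 4);		\
	b ^= a; b -= rol32(a, 14);		\
	c ^= b; c -= rol32(b, 24);		\
}

/* jhash2: hash an array of 32-bit words with a caller-supplied seed. */
uint32_t jhash2(const uint32_t *k, uint32_t length, uint32_t initval)
{
	uint32_t a, b, c;

	a = b = c = JHASH_INITVAL + (length << 2) + initval;
	while (length > 3) {
		a += k[0];
		b += k[1];
		c += k[2];
		__jhash_mix(a, b, c);
		length -= 3;
		k += 3;
	}
	switch (length) {
	case 3: c += k[2]; /* fall through */
	case 2: b += k[1]; /* fall through */
	case 1: a += k[0];
		__jhash_final(a, b, c);
		break;
	case 0:
		break;
	}
	return c;
}

/* Guard added by this example: the window [offset, offset + modulus - 1]
 * must fit in 32 bits, otherwise results silently wrap. */
bool nft_offset_window_ok(uint32_t modulus, uint32_t offset)
{
	return modulus > 0 && offset + modulus - 1 >= offset;
}

/* "jhash <data> mod <modulus> seed <seed> offset <offset>": fold the hash
 * into [offset, offset + modulus). Data length is in 32-bit words. */
uint32_t nft_hash_value(const uint32_t *data, uint32_t words,
			uint32_t modulus, uint32_t seed, uint32_t offset)
{
	return jhash2(data, words, seed) % modulus + offset;
}

/* numgen inc state: a counter that walks 0..modulus-1 and wraps. */
struct nft_ng_inc {
	uint32_t counter;
	uint32_t modulus;
	uint32_t offset;
};

void nft_ng_inc_init(struct nft_ng_inc *ng, uint32_t modulus, uint32_t offset)
{
	ng->modulus = modulus;
	ng->offset = offset;
	ng->counter = modulus - 1;  /* first evaluation yields offset + 0 */
}

/* "numgen inc mod <modulus> offset <offset>": next value of the series. */
uint32_t nft_ng_inc_eval(struct nft_ng_inc *ng)
{
	ng->counter = (ng->counter + 1) % ng->modulus;
	return ng->counter + ng->offset;
}
```

With modulus 2 and offset 100 the counter produces exactly the 100, 101, 100, 101 series quoted above; the hash variant lands in the same window but picks the slot from the seeded hash of the register, so a given source address always maps to the same mark for a given seed.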
From: Gao Feng <f...@ikuai8.com>
There is some code in netfilter modules which did not check the return
value of nft_register_chain_type. Add the checks now.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
ne
et: prepare for TCP_NEW_SYN_RECV support")
Signed-off-by: Alex Badics <alex.bad...@balabit.com>
Signed-off-by: KOVACS Krisztian <hid...@balabit.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/tcp_input.c | 1 +
net/ipv4/tcp_ipv4.c | 1 -
2 files changed, 1 inser
ff-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/core/dev.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 34b5322bc081..064919425b7d 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4040,12 +4040,17 @@ static inline int
3proto and protocol are unrelated to direction.
And for compatibility, even if the user specify the NFTA_CT_DIRECTION
attr, do not report error, just skip it.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfi
From: Liping Zhang <liping.zh...@spreadtrum.com>
nf_log is used by both nftables and iptables, so using XT_LOG_XXX macros
here is not appropriate. Replace them with NF_LOG_XXX.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilte
he result of min(dst_mtu(skb_dst(skb)), in_mtu) to a new
variable, then only perform one condition check, and it is more readable.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_TCPMSS.c | 12
1 file
ed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter.h | 8 +++-
include/linux/netfilter_ingress.h | 1 +
2 files changed, 8 insertions(+), 1
AT has to
determine if it needs to pick a different source address.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/nf_conntrack_common.h | 4
include/uapi/linux/netfilter/nfnetlink_conntrack.h
/ "~" /
"(" / ")" / "<" / ">" /
":" / "\" / DQUOTE /
"/" / "[" / "]" / "?" /
"{" / "}" )
Signed-off-by: Marco Angaroni <
From: Gao Feng <f...@ikuai8.com>
There is some debug code which is commented out in find_pattern by #if 0.
Now remove it.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_ftp.c | 13 +--
character in SIP headers
Pablo Neira (1):
netfilter: nf_conntrack: simplify __nf_ct_try_assign_helper() return logic
Pablo Neira Ayuso (11):
netfilter: nft_quota: fix overquota logic
netfilter: nft_quota: introduce nft_overquota()
netfilter: nft_dynset: allow to invert
From: Gao Feng <f...@ikuai8.com>
There are already some GRE_* macros in the kernel, so it is unnecessary
to define these macros. Also remove some useless macros.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
inclu
On Sun, Sep 25, 2016 at 01:35:01PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Sep 22, 2016 at 02:39:45PM -0400, Vishwanath Pai wrote:
> > Thanks for pointing this out, I will reorder the fields to:
> >
> > struct hashlimit_cfg2 {
> > __u64 avg;/* Average s
On Fri, Sep 23, 2016 at 11:27:42AM +0200, KOVACS Krisztian wrote:
> The introduction of TCP_NEW_SYN_RECV state, and the addition of request
> sockets to the ehash table seems to have broken the --transparent option
> of the socket match for IPv6 (around commit a9407000).
>
> Now that the socket
On Thu, Sep 22, 2016 at 02:39:45PM -0400, Vishwanath Pai wrote:
> Thanks for pointing this out, I will reorder the fields to:
>
> struct hashlimit_cfg2 {
> __u64 avg;/* Average secs between packets * scale */
> __u64 burst;
> __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
On Thu, Sep 22, 2016 at 02:53:53PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> It is valid for a TCP RST packet not to set the ack flag, with the bytes
> of the ack number being zero. But the current seqadj code would adjust the "0" ack
> to an invalid ack number. Actually seqadj
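The seqadj behaviour discussed in this reply and in the commit message earlier on the page (the 0 ack of an ACK-less RST being rewritten), as an added example that is not code from the netfilter tree: a userland C model of sequence/acknowledgement adjustment with the unconditional version beside the flag-checked one. The struct tcp_hdr, seqadj_offsets and the function names are this example's own, host-order simplifications; the real kernel works on the network-order tcphdr and tracks offsets per direction in the conntrack extension.

```c
#include <stdbool.h>
#include <stdint.h>

/* TCP flag bits; the header below is a constructed host-order view for this
 * example, not the kernel's struct tcphdr. */
#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10

struct tcp_hdr {
	uint32_t seq;      /* sequence number, host order */
	uint32_t ack_seq;  /* acknowledgement number, host order */
	uint8_t  flags;
};

/* Offsets a NAT helper applied to a mangled connection: seq_off is added to
 * this direction's sequence numbers, ack_off is what the other direction's
 * numbers were shifted by and must be undone in acks travelling this way. */
struct seqadj_offsets {
	int32_t seq_off;
	int32_t ack_off;
};

/* Behaviour described in the thread: ack_seq is rewritten whether or not
 * the packet carries an ack, so a bare RST with ack 0 ends up as 0 - ack_off. */
void seqadj_adjust_unconditional(struct tcp_hdr *th, const struct seqadj_offsets *o)
{
	th->seq += (uint32_t)o->seq_off;
	th->ack_seq -= (uint32_t)o->ack_off;
}

/* Corrected behaviour: only touch ack_seq when the ACK flag is set.
 * Returns true when the acknowledgement number was adjusted. */
bool seqadj_adjust(struct tcp_hdr *th, const struct seqadj_offsets *o)
{
	th->seq += (uint32_t)o->seq_off;
	if (!(th->flags & TCP_FLAG_ACK))
		return false;
	th->ack_seq -= (uint32_t)o->ack_off;
	return true;
}

/* The packet from the thread: a bare RST, ACK flag clear, ack number zero. */
struct tcp_hdr make_bare_rst(uint32_t seq)
{
	struct tcp_hdr th = { .seq = seq, .ack_seq = 0, .flags = TCP_FLAG_RST };
	return th;
}
```

The unconditional variant turns the zero into 0xfffffff6 for an ack offset of 10, which is the "invalid ack number" the reply complains about; the checked variant leaves it untouched while still shifting the sequence number, and adjusts both fields on an RST that does carry ACK.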
On Wed, Sep 21, 2016 at 11:35:00AM -0400, Aaron Conole wrote:
> This series makes a simple change to shrink the netfilter hook list
> from a double linked list, to a singly linked list. Since the hooks
> are always traversed in-order, there is no need to maintain a previous
> pointer.
>
> This
On Thu, Sep 22, 2016 at 05:12:57PM +0200, Daniel Borkmann wrote:
> On 09/22/2016 02:05 PM, Pablo Neira Ayuso wrote:
[...]
> >Have a look at net/ipv4/netfilter/nft_chain_route_ipv4.c for instance.
> >In your case, you have to add a new chain type:
> >
> >static
On Thu, Sep 22, 2016 at 11:54:11AM +0200, Thomas Graf wrote:
> On 09/22/16 at 11:21am, Pablo Neira Ayuso wrote:
> > I have a hard time to buy this new specific hook, I think we should
> > shift focus of this debate, this is my proposal to untangle this:
> >
> > You ad
On Wed, Sep 21, 2016 at 08:48:27PM +0200, Thomas Graf wrote:
> On 09/21/16 at 05:45pm, Pablo Neira Ayuso wrote:
> > On Tue, Sep 20, 2016 at 06:43:35PM +0200, Daniel Mack wrote:
> > > The point is that from an application's perspective, restricting the
> > > ability
On top of Eric's comments.
On Thu, Sep 22, 2016 at 10:22:45AM +0800, f...@ikuai8.com wrote:
> diff --git a/net/netfilter/nf_conntrack_seqadj.c
> b/net/netfilter/nf_conntrack_seqadj.c
> index dff0f0c..3bd9c7e 100644
> --- a/net/netfilter/nf_conntrack_seqadj.c
> +++
Hi Daniel,
On Tue, Sep 20, 2016 at 06:43:35PM +0200, Daniel Mack wrote:
> Hi Pablo,
>
> On 09/20/2016 04:29 PM, Pablo Neira Ayuso wrote:
> > On Mon, Sep 19, 2016 at 10:56:14PM +0200, Daniel Mack wrote:
> > [...]
> >> Why would we artificially limit the us
On Mon, Sep 19, 2016 at 10:56:14PM +0200, Daniel Mack wrote:
[...]
> Why would we artificially limit the use-cases of this implementation if
> the way it stands, both filtering and introspection are possible?
Why should we place infrastructure in the kernel to filter packets so
late, and why at
On Mon, Sep 19, 2016 at 01:13:27PM -0700, Alexei Starovoitov wrote:
> On Mon, Sep 19, 2016 at 09:19:10PM +0200, Pablo Neira Ayuso wrote:
[...]
> > 2) This will turn the stack into a nightmare to debug I predict. If
> >any process with CAP_NET_ADMIN can potentially attach bpf b
On Mon, Sep 19, 2016 at 09:30:02PM +0200, Daniel Mack wrote:
> On 09/19/2016 09:19 PM, Pablo Neira Ayuso wrote:
> > On Mon, Sep 19, 2016 at 06:44:00PM +0200, Daniel Mack wrote:
> >> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> >> index 6001e78..5dc90aa
On Mon, Sep 19, 2016 at 06:44:00PM +0200, Daniel Mack wrote:
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> index 6001e78..5dc90aa 100644
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -39,6 +39,7 @@
> #include
> #include
>
> +#include
> #include
>
On Tue, Sep 13, 2016 at 09:42:19PM -0700, Alexei Starovoitov wrote:
[...]
> For us this cgroup+bpf is _not_ for filterting and _not_ for security.
If your goal is monitoring, then convert these hooks so they do not allow
issuing a verdict on the packet, so this becomes innocuous in the same
fashion as
On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote:
> Hi,
>
> On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote:
> > On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote:
> >> This is v5 of the patch set to allow eBPF programs for network
> >> filter
Hi,
On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote:
> This is v5 of the patch set to allow eBPF programs for network
> filtering and accounting to be attached to cgroups, so that they apply
> to all sockets of all tasks placed in that cgroup. The logic also
> allows to be extended
From: Liping Zhang <liping.zh...@spreadtrum.com>
NFTA_TRACE_POLICY attribute is big endian, but we forgot to call
htonl to convert it. Fortunately, this attribute is parsed as big
endian in libnftnl.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Nei
200)
Gao Feng (1):
netfilter: synproxy: Check oom when adding synproxy and seqadj ct
extensions
Liping Zhang (2):
netfilter: nf_tables_trace: fix endianness when dumping chain policy
netfilter: nft_chain_route: re-route before skb is queued to userspace
Pablo Neira Ayuso
Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nft_chain_route_ipv4.c | 11 +++
net/ipv6/netfilter/nft_chain_route_ipv6.c | 10 +++---
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/
avoid dereferencing a NULL pointer in nf_ct_seqadj_init from
init_conntrack().
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_synproxy.h | 14 ++
net/netfilter/nf_conntrack_core.
table"), this is a problem.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_nat_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index de31818..19c081e 100644
--- a/net/netfilt