On Tue, Sep 06, 2016 at 04:51:17PM +0200, Florian Westphal wrote:
> f...@ikuai8.com wrote:
> > From: Gao Feng
> >
> > When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj
> > extension. But the function nf_ct_seqadj_init doesn't check if get
On Tue, Sep 06, 2016 at 09:57:23AM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj
> extension. But the function nf_ct_seqadj_init doesn't check whether it got a valid
> seqadj pointer from nfct_seqadj.
>
> Now
On Sat, Sep 03, 2016 at 07:51:50PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj
> extension. But the function nf_ct_seqadj_init doesn't check whether it got a valid
> seqadj pointer from nfct_seqadj, while
ashion
as well as randomly.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 24
net/netfilter/Kconfig| 6 +
net/netfilter/Makefile |
From: Florian Westphal <f...@strlen.de>
After timer removal this just calls nf_ct_delete so remove the __ prefix
version and make nf_ct_kill a shorthand for nf_ct_delete.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
From: Gao Feng <f...@ikuai8.com>
There is one macro ARPHRD_ETHER which defines the ethernet proto for ARP,
so we could use it instead of the literal number '1'.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netf
rian Westphal <f...@strlen.de>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 23 +++--
net/netfilter/nf_conntrack_core.c| 91
net/net
the set insert operation so we can fetch the
existing element that clashes with the one you want to add, we need
this to make sure the element data doesn't differ.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 3 ++-
net/netfilter/nf_tables
to what I observed on the netfilter user mailing list.
So let's get rid of this.
Note that nf_conntrack_htable_size and unsigned int nf_conntrack_max do
not need to be exported as symbol anymore.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_l4p
2: Use cond_resched_rcu_qs & add comment wrt. missing restart on
nulls value change in gc worker, suggested by Eric Dumazet.
v3: don't call cancel_delayed_work_sync twice (again, Eric).
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by:
From: Gao Feng <f...@ikuai8.com>
We only need the first 4 bytes instead of 8 bytes to get the ports of
tcp/udp/dccp/sctp/udplite in their pkt_to_tuple function.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
From: Colin Ian King <colin.k...@canonical.com>
trivial fix to spelling mistake in pr_debug message
Signed-off-by: Colin Ian King <colin.k...@canonical.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_ftp.c | 2 +-
1 file changed,
From: Florian Westphal <f...@strlen.de>
Once the timer is removed from the nf_conn struct we cannot open-code
the removal sequence anymore.
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Julian Anastasov <j...@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.or
EBUSY.
# nft add table x
# nft add chain x y
# nft add chain x y { type nat hook input priority 0\; }
:1:1-49: Error: Could not process rule: Device or resource busy
add chain x y { type nat hook input priority 0; }
^
Signed-off-by: Pablo Neira
("netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get
rid of call_rcu()")
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c |
our
existing infrastructure.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 19 +
net/netfilter/Kconfig| 6 ++
net/netfilter/Makefile | 1 +
net/netfilter/nft_quota.c| 121 +++
global resize lock so we can't evict without adding an 'expired' list
to drop from later. Considering that resizes are very rare it doesn't
seem worth doing it.
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: Pab
nft_dump_register() should only be used with registers, not with
immediates.
Fixes: cb1b69b0b15b ("netfilter: nf_tables: add hash expression")
Fixes: 91dbc6be0a62 ("netfilter: nf_tables: add number generator expression")
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.
Introduce a new function to wrap the code that parses the chain hook
configuration so we can reuse this code to validate chain updates.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 152 +-
1 file chang
30 second timeouts.
Without this change it will take several minutes until conntrack count
comes back to normal.
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_con
Use nft_set_* prefix for backend set implementations, thus we can use
nft_hash for the new hash expression.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/Kconfig| 4 ++--
net/netfilter/Makefile | 4 ++-
Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nf_dup_ipv4.c | 10 --
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c
index ceb18
From: Wei Yongjun <weiyj...@gmail.com>
Fixes the following sparse warning:
net/netfilter/nft_hash.c:40:25: warning:
symbol 'nft_hash_policy' was not declared. Should it be static?
Signed-off-by: Wei Yongjun <weiyongj...@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pa..
From: Pablo Neira <pa...@netfilter.org>
Should be attributes, instead of attibutes, for consistency with other
definitions.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
;
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_log.h | 3 +--
net/bridge/netfilter/nf_log_bridge.c | 3 +--
net/ipv4/netfilter/nf_log_arp.c | 3 +--
net/ipv4/netfilter/nf_log_ipv4.c | 3 +--
net/ipv6/netfilter/nf_log_ipv6.c | 3 +--
net/
have.
Cc: Herbert Xu <herb...@gondor.apana.org.au>
Cc: Thomas Graf <tg...@suug.ch>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Acked-by: Herbert Xu <herb...@gondor.apana.org.au>
---
include/linux/rhashtable.h | 70 +---
From: Hangbin Liu <liuhang...@gmail.com>
Signed-off-by: Hangbin Liu <liuhang...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_physdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_physdev
to evict the same conntrack.
Because DYING will then be set right before we report the destroy event
we can no longer skip event reporting when dying bit is set.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Eric Dumazet
netlink.ko]
undefined!
ERROR: "nf_conntrack_htable_size" [net/ipv4/netfilter/nf_conntrack_ipv4.ko]
undefined!
Fixes: adf0516845bcd0 ("netfilter: remove ip_conntrack* sysctl compat code")
Reported-by: kbuild test robot <fengguang...@intel.com>
Reported-by: Stephen Rothwell &l
checksum recalculation
netfilter: conntrack: simplify the code by using nf_conntrack_get_ht
Pablo Neira (1):
netfilter: nf_tables: typo in trace attribute definition
Pablo Neira Ayuso (9):
netfilter: nf_tables: rename set implementations
netfilter: remove ip_conntr
From: Florian Westphal <f...@strlen.de>
... so we don't need to touch all of these places when we get rid of the
timer in nf_conn.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nf_conntrack_l3p
t hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 20 +
net/netfilter/Kconfig| 6 ++
net/netfilter/Makefile |
le and hash size. And convert
nf_conntrack_get_ht to inline function here.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Allow nf_tables reject expression from input, forward and output hooks,
since only there the routing information is available, otherwise we crash.
2) Fix unsafe list iteration when flushing timeout and
lem.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nft_meta.h | 4
net/bridge/netfilter/nft_meta_bridge.c | 1 +
net/netfilter/nft_meta.c | 17 +
3 files
missed to unlink the timeout objects in the
unconfirmed ct lists, so we will access the timeout objects that have
already been freed.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlin
se the reference on the incorrect module.
Fixes: bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical
name")
Signed-off-by: Sabrina Dubroca <s...@queasysnail.net>
Acked-by: Phil Sutter <p...@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
--
dtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_cttimeout.c | 33 +++--
1 file changed, 15 insertions(+), 18 deletions(-)
diff --git a/net/netfilter/nfnetlink_cttimeout.c
b/net/netfilter/nfnetlink_cttimeout.c
inde
ting information does not exist,
then we will dereference the NULL pointer and an oops happens.
So we restrict reject expression to INPUT, FORWARD and OUTPUT chain.
This is consistent with iptables REJECT target.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by:
From: Liping Zhang <liping.zh...@spreadtrum.com>
cttimeout and acct objects are deleted from the list while traversing
it, so using list_for_each_entry is unsafe here.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilte
Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_netdev.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c
index 5eefe4a..75d696f 100644
-
On Mon, Aug 29, 2016 at 06:25:28PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> The nf_log_set is an interface function, so it should do the strict sanity
> check of parameters. Convert the return value of nf_log_set as int instead
> of void. When the pf is invalid, return
On Sun, Aug 28, 2016 at 10:30:18PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> The nf_log_set is an interface function, so it should do the strict sanity
> check of parameters. Add one sanity check for pf, it could not exceed
> NFPROTO_NUMPROTO, and print error log when
Hi Eric,
On Sat, Jul 30, 2016 at 08:24:37AM -0500, Eric W. Biederman wrote:
> Michal Kubecek writes:
>
> > There is a race condition between nf_{,un}register_hook() and
> > cleanup_net() which can either trigger WARN check or cause a memory
> > leak. The scenario is like this
On Fri, Aug 26, 2016 at 07:27:36PM +0800, Herbert Xu wrote:
> On Thu, Aug 25, 2016 at 04:41:26PM +0200, Pablo Neira Ayuso wrote:
> > This patch modifies __rhashtable_insert_fast() so it returns the
> > existing object that clashes with the one that you want to insert.
> &g
the set insert operation so we can fetch the
existing element that clashes with the one you want to add, we need
this to make sure the element data doesn't differ.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
v2: Adapt this patch to semantics changes in rhashtable_lookup_get_inse
have.
Cc: Herbert Xu <herb...@gondor.apana.org.au>
Cc: Thomas Graf <tg...@suug.ch>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
v2: Address Herbert's feedback:
* Modify __rhashtable_insert_fast() so this returns the object if it
exists, NULL if it does not
On Fri, Aug 19, 2016 at 11:03:46PM +0800, Feng Gao wrote:
> My email server reports the last same patch email failed to send.
> So I just sent it again.
>
> I am sorry, if anyone receives duplicated ones.
git am
Hi Thomas,
On Fri, Aug 19, 2016 at 07:07:39PM +0200, Thomas Graf wrote:
> On 08/19/16 at 06:21pm, Pablo Neira Ayuso wrote:
> > On Fri, Aug 19, 2016 at 12:35:14PM +0200, Daniel Mack wrote:
> > > Also true. A cgroup can currently only hold one bpf program for ea
On Sun, Aug 21, 2016 at 03:21:10PM +, Wei Yongjun wrote:
> Fixes the following sparse warning:
>
> net/netfilter/nft_hash.c:40:25: warning:
> symbol 'nft_hash_policy' was not declared. Should it be static?
Applied, thanks.
On Thu, Aug 18, 2016 at 04:47:57PM +0100, Colin King wrote:
> From: Colin Ian King
>
> trivial fix to spelling mistake in pr_debug message
Applied.
On Fri, Aug 19, 2016 at 11:01:34PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> There are two structures which define the GRE header and PPTP
> header. So it is unnecessary to define duplicated structures in
> netfilter again.
Please, split this change in smaller
On Fri, Aug 19, 2016 at 01:20:25PM +0200, Daniel Borkmann wrote:
> On 08/19/2016 11:19 AM, Pablo Neira Ayuso wrote:
> [...]
> > * During the Netfilter Workshop, the main concern to add this new socket
>
> Don't really know what was discussed exactly at NFWS, but ...
Slides
Hi Daniel,
On Fri, Aug 19, 2016 at 12:35:14PM +0200, Daniel Mack wrote:
> Hi Pablo,
>
> On 08/19/2016 11:19 AM, Pablo Neira Ayuso wrote:
> > On Wed, Aug 17, 2016 at 04:00:43PM +0200, Daniel Mack wrote:
> >> I'd appreciate some feedback on this. Pablo has some remai
h file or
directory
add rule arp filter input log group 0
^
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_log.c | 1 +
1 file changed, 1 insertion(+)
Hi David,
The following patchset contains Netfilter updates for your net tree,
they are:
1) Dump only conntrack that belong to this namespace via /proc file.
This is some fallout from the conversion to single conntrack table
for all netns, patch from Liping Zhang.
2) Missing
From: Liping Zhang <liping.zh...@spreadtrum.com>
We should report the over quota message to the right net namespace
instead of the init netns.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
inclu
on to one atomic
operation atomic_cmpxchg here to fix this problem.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_acct.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git
ble for all
namespaces")
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Reviewed-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_standalone.c | 4
1 file changed, 4 inserti
ch listener sk_refcnt under synflood")
Reported-and-tested-by: Denys Fedoryshchenko <nuclear...@nuclearcat.com>
Signed-off-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_TPROXY.c | 4
1 file changed,
]
So only when the refcnt decreased to 0, we call kfree_rcu to free the
timeout object. And like nfnetlink_acct does, use atomic_cmpxchg to
avoid the race between ctnl_timeout_try_del and ctnl_timeout_put.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Nei
On Wed, Aug 17, 2016 at 09:56:46AM -0700, Eric Dumazet wrote:
> From: Eric Dumazet
>
> inet_lookup_listener() and inet6_lookup_listener() no longer
> take a reference on the found listener.
>
> This minimal patch adds back the refcounting, but we might do
> this differently
MFT_REG32_01 is a typo, rename this to NFT_REG32_01.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h
b/include/uapi/linux/net
h...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_expect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_expect.c
b/net/netfilter/nf_conntrack_expect.c
index 9e36931..f8dbac
he use refcnt is still 1, then the
memory will be leaked forever.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c | 8 ++--
1 file changed, 2 insertions(+), 6 deletions(-)
uot;)
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Reviewed-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_queue.c | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net
od_timer_pending here to fix this problem.
Fixes: 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of
set_expect_timeout")
Cc: Gao Feng <f...@ikuai8.com>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
From: Laura Garcia Liebana <nev...@gmail.com>
Fix the direct assignment of offset and length attributes included in
nft_exthdr structure from u32 data to u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Pablo Neira Ayuso (2):
netfilter: nf_tables: s/MFT_REG32_01/NFT_REG32_01
netfilter: nft_rbtree: ignore inactive matching element with no
descendants
include/uapi/linux/netfilter/nf_tables.h | 2 +-
net/netfilter/nf_conntrack_expect.c | 2 +-
net/netfilter/nf_conntrack_h323_main.c
igit 0 or not.
Signed-off-by: Christophe Leroy <christophe.le...@c-s.fr>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_sip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/
liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_conntrack_netlink.c
b/net/netfilter/nf_conntrack_netlink.c
index b9bfe64..fdfc71f 100644
-
-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Tested-by: Anders K. Pedersen <a...@akp.dk>
---
net/netfilter/nft_rbtree.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c
index 6473936..ffe9ae0 1006
On Wed, Aug 03, 2016 at 12:41:40PM +0200, Christophe Leroy wrote:
> Do not drop packet when CSeq is 0 as 0 is also a valid value for CSeq.
>
> simple_strtoul() will return 0 either when all digits are 0
> or if there are no digits at all. Therefore when simple_strtoul()
> returns 0 we check if
On Sat, Jul 30, 2016 at 08:24:37AM -0500, Eric W. Biederman wrote:
> Michal Kubecek writes:
>
> > There is a race condition between nf_{,un}register_hook() and
> > cleanup_net() which can either trigger WARN check or cause a memory
> > leak. The scenario is like this (2a and 2b
From: Toby DiPasquale <t...@cbcg.net>
This patch corrects an off-by-one error in the DecodeQ931 function in
the nf_conntrack_h323 module. This error could result in reading off
the end of a Q.931 frame.
Signed-off-by: Toby DiPasquale <t...@cbcg.net>
Signed-off-by: Pablo Nei
From: Liping Zhang <liping.zh...@spreadtrum.com>
Similar to ctnl_untimeout, when hash resize happened, we should try
to do unhelp from the 0# bucket again.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by:
If the table and/or chain attributes are set in a rule dump request,
we filter out the rules based on this selection.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 38 ++
1 file changed, 38 insertions(+)
diff
..@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_labels.h | 16
net/netfilter/nf_conntrack_labels.c | 13 +++--
net/netfilter/nf_conntrack_netlink.c| 10 +-
n
liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_compat.c | 32
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 6228c
ething fails, we should put nf_connlabels back.
Otherwise, we wastefully allocate memory that will never be used.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net
We can pass the netns pointer as parameter to the functions that need to
gain access to it. From basechains, I didn't find any client for this
field anymore so let's remove this too.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.
timer deletion.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 1 +
net/netfilter/nf_conntrack_core.c| 95 ++--
2 files changed, 48 insertions(+), 48
fined rule gets an implicit RETURN, so we get
300k jumps + 100k userchains + 100k returns -> 500k rule entries
Fixes: 36472341017529e ("netfilter: x_tables: validate targets of jumps")
Reported-by: Jeff Wu <wuji...@gmail.com>
Tested-by: Jeff Wu <wuji...@gmail.com>
Sign
g hash resize"). And
add a wrapper function nf_conntrack_get_ht to get hash and hsize
suggested by Florian Westphal.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_core.
From: Michal Kubecek
Some users observed that "least connection" distribution algorithm doesn't
handle well bursts of TCP connections from reconnecting clients after
a node or network failure.
This is because the algorithm counts an active connection as worth 256
inactive ones
o src manip
took place yet.
Tested with http-client-benchmark + httpterm with DNAT and SNAT rules
in place.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 3 +-
include/net/netfilter
ack_alloc -> early_drop), rcu_read_lock is not held, so a race
with hash resize will happen.
Fixes: 242922a02717 ("netfilter: conntrack: simplify early_drop")
Cc: Florian Westphal <f...@strlen.de>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pabl
liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_log.c | 26 ++
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index 713d668..e1b34ff 100644
--- a/net/netfilt
bysource
hash table rather than just using the nat extension ->destroy hook for this.
nf_conn size doesn't increase due to alignment; a followup patch replaces
hlist_node with a single pointer.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.
enable it manually via
"echo 1 > /proc/sys/net/netfilter/nf_conntrack_acct".
This is not friendly, so, like xt_connbytes does, if the user
wants to use the ct byte/packet expr, enable nf_conntrack_acct
automatically.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-
d-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_log.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index 5f6f088..24a73bb 100644
-
From: Gao Feng <f...@ikuai8.com>
Simplify the code without any side effect. The set_expect_timeout is
used to modify the timer expired time. It tries to delete timer, and
add it again. So we could use mod_timer directly.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by:
From: Liping Zhang <liping.zh...@spreadtrum.com>
The user can specify a log level larger than 7 (debug level) via
nfnetlink, which is invalid. So in this case, we should report
EINVAL to userspace.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Nei
d physdev-is-out. Fix it and update the
debug message to make it clearer.
Signed-off-by: Hangbin Liu <liuhang...@gmail.com>
Reviewed-by: Marcelo R Leitner <marcelo.leit...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_physdev.c | 8
ch/target module, there's no need to
"cache" it. And nft_[match|target]_release are useless anymore, remove
them.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_compat.c | 43 +
y name that has been inconsistently exposed to
userspace through ports, eg. ftp-2121, and through an incremental id,
eg. tftp-1.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_helper.h | 15 +++
d, try to unlink timeout objects
from the 0# bucket again.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_cttimeout.c | 20 ++--
1 file changed, 14 insertions(+), 6 deletions(-)
From: Florian Westphal <f...@strlen.de>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter
From: Florian Westphal <f...@strlen.de>
xt_connlabel is the only user so move it.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_labels.h | 2 --
net/netfilter/nf_conntrack_lab
ed
Michal Kubecek (1):
ipvs: count pre-established TCP states as active
Pablo Neira Ayuso (3):
netfilter: nf_tables: get rid of possible_net_t from set and basechain
Merge tag 'ipvs-for-v4.8' of https://git.kernel.org/.../horms/ipvs-next
netfilter: nf_tables: allow to