Re: [PATCH v5 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

2016-09-07 Thread Pablo Neira Ayuso
On Tue, Sep 06, 2016 at 04:51:17PM +0200, Florian Westphal wrote: > f...@ikuai8.com wrote: > > From: Gao Feng > > > > When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj > > extension. But the function nf_ct_seqadj_init doesn't check if get

Re: [PATCH v4 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

2016-09-06 Thread Pablo Neira Ayuso
On Tue, Sep 06, 2016 at 09:57:23AM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj > extension. But the function nf_ct_seqadj_init doesn't check if get valid > seqadj pointer by the nfct_seqadj. > > Now

Re: [PATCH v3 nf] netfilter: seqadj: Fix one possible panic in seqadj when mem is exhausted

2016-09-05 Thread Pablo Neira Ayuso
On Sat, Sep 03, 2016 at 07:51:50PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj > extension. But the function nf_ct_seqadj_init doesn't check if get valid > seqadj pointer by the nfct_seqadj, while

[PATCH 12/29] netfilter: nf_tables: add number generator expression

2016-09-05 Thread Pablo Neira Ayuso
ashion as well as randomly. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 24 net/netfilter/Kconfig| 6 + net/netfilter/Makefile |

[PATCH 27/29] netfilter: remove __nf_ct_kill_acct helper

2016-09-05 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> After timer removal this just calls nf_ct_delete so remove the __ prefix version and make nf_ct_kill a shorthand for nf_ct_delete. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 28/29] netfilter: log_arp: Use ARPHRD_ETHER instead of literal '1'

2016-09-05 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> There is one macro ARPHRD_ETHER which defines the ethernet proto for ARP, so we could use it instead of the literal number '1'. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netf

[PATCH 23/29] netfilter: conntrack: get rid of conntrack timer

2016-09-05 Thread Pablo Neira Ayuso
rian Westphal <f...@strlen.de> Acked-by: Eric Dumazet <eduma...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h | 23 +++-- net/netfilter/nf_conntrack_core.c| 91 net/net

[PATCH 19/29] netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion

2016-09-05 Thread Pablo Neira Ayuso
the set insert operation so we can fetch the existing element that clashes with the one you want to add, we need this to make sure the element data doesn't differ. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 3 ++- net/netfilter/nf_tables

[PATCH 08/29] netfilter: remove ip_conntrack* sysctl compat code

2016-09-05 Thread Pablo Neira Ayuso
to what I observed on the netfilter user mailing list. So let's get rid of this. Note that nf_conntrack_htable_size and unsigned int nf_conntrack_max do not need to be exported as symbol anymore. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_l4p

[PATCH 25/29] netfilter: conntrack: add gc worker to remove timed-out entries

2016-09-05 Thread Pablo Neira Ayuso
2: Use cond_resched_rcu_qs & add comment wrt. missing restart on nulls value change in gc worker, suggested by Eric Dumazet. v3: don't call cancel_delayed_work_sync twice (again, Eric). Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Eric Dumazet <eduma...@google.com> Signed-off-by:

[PATCH 01/29] netfilter: conntrack: Only need first 4 bytes to get l4proto ports

2016-09-05 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> We only need first 4 bytes instead of 8 bytes to get the ports of tcp/udp/dccp/sctp/udplite in their pkt_to_tuple function. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 13/29] netfilter: fix spelling mistake: "delimitter" -> "delimiter"

2016-09-05 Thread Pablo Neira Ayuso
From: Colin Ian King <colin.k...@canonical.com> trivial fix to spelling mistake in pr_debug message Signed-off-by: Colin Ian King <colin.k...@canonical.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_ftp.c | 2 +- 1 file changed,

[PATCH 05/29] ipvs: use nf_ct_kill helper

2016-09-05 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Once timer is removed from nf_conn struct we cannot open-code the removal sequence anymore. Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Julian Anastasov <j...@ssi.bg> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.or

[PATCH 17/29] netfilter: nf_tables: reject hook configuration updates on existing chains

2016-09-05 Thread Pablo Neira Ayuso
EBUSY. # nft add table x # nft add chain x y # nft add chain x y { type nat hook input priority 0\; } :1:1-49: Error: Could not process rule: Device or resource busy add chain x y { type nat hook input priority 0; } ^ Signed-off-by: Pablo Neira

[PATCH 21/29] netfilter: restart search if moved to other chain

2016-09-05 Thread Pablo Neira Ayuso
("netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu()") Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Eric Dumazet <eduma...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c |

[PATCH 11/29] netfilter: nf_tables: add quota expression

2016-09-05 Thread Pablo Neira Ayuso
our existing infrastructure. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 19 + net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile | 1 + net/netfilter/nft_quota.c| 121 +++

[PATCH 24/29] netfilter: evict stale entries on netlink dumps

2016-09-05 Thread Pablo Neira Ayuso
global resize lock so we can't evict without adding a 'expired' list to drop from later. Considering that resizes are very rare it doesn't seem worth doing it. Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Eric Dumazet <eduma...@google.com> Signed-off-by: Pab

[PATCH 20/29] netfilter: nf_tables: Use nla_put_be32() to dump immediate parameters

2016-09-05 Thread Pablo Neira Ayuso
nft_dump_register() should only be used with registers, not with immediates. Fixes: cb1b69b0b15b ("netfilter: nf_tables: add hash expression") Fixes: 91dbc6be0a62("netfilter: nf_tables: add number generator expression") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.

[PATCH 16/29] netfilter: nf_tables: introduce nft_chain_parse_hook()

2016-09-05 Thread Pablo Neira Ayuso
Introduce a new function to wrap the code that parses the chain hook configuration so we can reuse this code to validate chain updates. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 152 +- 1 file chang

[PATCH 26/29] netfilter: conntrack: resched gc again if eviction rate is high

2016-09-05 Thread Pablo Neira Ayuso
30 second timeouts. Without this change it will take several minutes until conntrack count comes back to normal. Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Eric Dumazet <eduma...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_con

[PATCH 06/29] netfilter: nf_tables: rename set implementations

2016-09-05 Thread Pablo Neira Ayuso
Use nft_set_* prefix for backend set implementations, thus we can use nft_hash for the new hash expression. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/Kconfig| 4 ++-- net/netfilter/Makefile | 4 ++-

[PATCH 03/29] netfilter: nf_dup4: remove redundant checksum recalculation

2016-09-05 Thread Pablo Neira Ayuso
Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_dup_ipv4.c | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c index ceb18

[PATCH 14/29] netfilter: nft_hash: fix non static symbol warning

2016-09-05 Thread Pablo Neira Ayuso
From: Wei Yongjun <weiyj...@gmail.com> Fixes the following sparse warning: net/netfilter/nft_hash.c:40:25: warning: symbol 'nft_hash_policy' was not declared. Should it be static? Signed-off-by: Wei Yongjun <weiyongj...@huawei.com> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 15/29] netfilter: nf_tables: typo in trace attribute definition

2016-09-05 Thread Pablo Neira Ayuso
From: Pablo Neira <pa...@netfilter.org> Should be attributes, instead of attibutes, for consistency with other definitions. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH 29/29] netfilter: log: Check param to avoid overflow in nf_log_set

2016-09-05 Thread Pablo Neira Ayuso
; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_log.h | 3 +-- net/bridge/netfilter/nf_log_bridge.c | 3 +-- net/ipv4/netfilter/nf_log_arp.c | 3 +-- net/ipv4/netfilter/nf_log_ipv4.c | 3 +-- net/ipv6/netfilter/nf_log_ipv6.c | 3 +-- net/

[PATCH 18/29] rhashtable: add rhashtable_lookup_get_insert_key()

2016-09-05 Thread Pablo Neira Ayuso
have. Cc: Herbert Xu <herb...@gondor.apana.org.au> Cc: Thomas Graf <tg...@suug.ch> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Acked-by: Herbert Xu <herb...@gondor.apana.org.au> --- include/linux/rhashtable.h | 70 +---

[PATCH 02/29] netfilter: physdev: add missed blank

2016-09-05 Thread Pablo Neira Ayuso
From: Hangbin Liu <liuhang...@gmail.com> Signed-off-by: Hangbin Liu <liuhang...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_physdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/xt_physdev

[PATCH 22/29] netfilter: don't rely on DYING bit to detect when destroy event was sent

2016-09-05 Thread Pablo Neira Ayuso
to evict the same conntrack. Because DYING will then be set right before we report the destroy event we can no longer skip event reporting when dying bit is set. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Eric Dumazet

[PATCH 10/29] netfilter: nf_conntrack: restore nf_conntrack_htable_size as exported symbol

2016-09-05 Thread Pablo Neira Ayuso
netlink.ko] undefined! ERROR: "nf_conntrack_htable_size" [net/ipv4/netfilter/nf_conntrack_ipv4.ko] undefined! Fixes: adf0516845bcd0 ("netfilter: remove ip_conntrack* sysctl compat code") Reported-by: kbuild test robot <fengguang...@intel.com> Reported-by: Stephen Rothwell &l

[PATCH 00/29] Netfilter updates for net-next

2016-09-05 Thread Pablo Neira Ayuso
checksum recalculation netfilter: conntrack: simplify the code by using nf_conntrack_get_ht Pablo Neira (1): netfilter: nf_tables: typo in trace attribute definition Pablo Neira Ayuso (9): netfilter: nf_tables: rename set implementations netfilter: remove ip_conntr

[PATCH 04/29] netfilter: use_nf_conn_expires helper in more places

2016-09-05 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> ... so we don't need to touch all of these places when we get rid of the timer in nf_conn. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_conntrack_l3p

[PATCH 07/29] netfilter: nf_tables: add hash expression

2016-09-05 Thread Pablo Neira Ayuso
t hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 20 + net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile |

[PATCH 09/29] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-09-05 Thread Pablo Neira Ayuso
le and hash size. And convert nf_conntrack_get_ht to inline function here. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h

[PATCH 0/7] Netfilter fixes for net

2016-08-30 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Allow nf_tables reject expression from input, forward and output hooks, since only there the routing information is available, otherwise we crash. 2) Fix unsafe list iteration when flushing timeout and

[PATCH 5/7] netfilter: nft_meta: improve the validity check of pkttype set expr

2016-08-30 Thread Pablo Neira Ayuso
lem. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nft_meta.h | 4 net/bridge/netfilter/nft_meta_bridge.c | 1 + net/netfilter/nft_meta.c | 17 + 3 files

[PATCH 4/7] netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists

2016-08-30 Thread Pablo Neira Ayuso
missed to unlink the timeout objects in the unconfirmed ct lists, so we will access the timeout objects that have already been freed. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlin

[PATCH 6/7] netfilter: ebtables: put module reference when an incorrect extension is found

2016-08-30 Thread Pablo Neira Ayuso
se the reference on the incorrect module. Fixes: bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name") Signed-off-by: Sabrina Dubroca <s...@queasysnail.net> Acked-by: Phil Sutter <p...@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --

[PATCH 3/7] netfilter: cttimeout: put back l4proto when replacing timeout policy

2016-08-30 Thread Pablo Neira Ayuso
dtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_cttimeout.c | 33 +++-- 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c inde

[PATCH 1/7] netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT

2016-08-30 Thread Pablo Neira Ayuso
ting information does not exist, then we will dereference the NULL pointer and an oops happens. So we restrict reject expression to INPUT, FORWARD and OUTPUT chain. This is consistent with iptables REJECT target. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by:

[PATCH 2/7] netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects

2016-08-30 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> cttimeout and acct objects are deleted from the list while traversing it, so using list_for_each_entry is unsafe here. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilte
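
The iteration hazard named in the message above, as an added userland example that is not part of the thread or of the kernel's nfnetlink code: the list macros below mirror the semantics of the kernel's list_for_each_entry() and list_for_each_entry_safe() just closely enough to show why the plain iterator cannot be used when the loop body unlinks and frees the current entry. The timeout_obj structure and the timeout_list are constructed stand-ins for the cttimeout/acct objects, not kernel types.

```c
/* Added example (userland model, not kernel code): why deleting list
 * entries while walking the list needs list_for_each_entry_safe().
 * Assumption: GCC/Clang __typeof__ is available, as in the kernel. */
#include <stddef.h>
#include <stdlib.h>

struct list_head {
	struct list_head *next, *prev;
};

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

#define list_entry(ptr, type, member) container_of(ptr, type, member)

/*
 * Plain iterator: pos->member.next is read AFTER the loop body has run.
 * If the body did list_del() + free() on pos, that read is a
 * use-after-free (and with the poisoning in list_del() below it then
 * dereferences a NULL-derived pointer on the next iteration).
 */
#define list_for_each_entry(pos, head, member)                              \
	for (pos = list_entry((head)->next, __typeof__(*pos), member);      \
	     &pos->member != (head);                                        \
	     pos = list_entry(pos->member.next, __typeof__(*pos), member))

/*
 * Safe iterator: the next entry is cached in n BEFORE the body runs,
 * so the body may unlink and free pos.
 */
#define list_for_each_entry_safe(pos, n, head, member)                      \
	for (pos = list_entry((head)->next, __typeof__(*pos), member),      \
	     n = list_entry(pos->member.next, __typeof__(*pos), member);    \
	     &pos->member != (head);                                        \
	     pos = n, n = list_entry(n->member.next, __typeof__(*pos), member))

static void INIT_LIST_HEAD(struct list_head *head)
{
	head->next = head->prev = head;
}

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
	entry->prev = head->prev;
	entry->next = head;
	head->prev->next = entry;
	head->prev = entry;
}

static void list_del(struct list_head *entry)
{
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
	entry->next = entry->prev = NULL;	/* poison, like the kernel's LIST_POISON1/2 */
}

/* Constructed stand-in for a cttimeout/nfacct object (hypothetical). */
struct timeout_obj {
	struct list_head head;
	int refcnt;
};

static struct list_head timeout_list;

/* Build a fresh list of n objects; returns how many were added. */
static int timeout_list_populate(int n)
{
	int i;

	INIT_LIST_HEAD(&timeout_list);
	for (i = 0; i < n; i++) {
		struct timeout_obj *obj = calloc(1, sizeof(*obj));

		if (!obj)
			return i;
		obj->refcnt = 1;
		list_add_tail(&obj->head, &timeout_list);
	}
	return n;
}

/* Delete every object. The body unlinks and frees cur, so the _safe
 * form is mandatory: with list_for_each_entry() the loop would read
 * cur->head.next from freed (and poisoned) memory. Returns the count. */
static int timeout_list_flush(void)
{
	struct timeout_obj *cur, *tmp;
	int freed = 0;

	list_for_each_entry_safe(cur, tmp, &timeout_list, head) {
		list_del(&cur->head);
		free(cur);
		freed++;
	}
	return freed;
}

static int timeout_list_is_empty(void)
{
	return timeout_list.next == &timeout_list;
}
```

Build with -fsanitize=address and swap the _safe iterator for the plain one in timeout_list_flush() to see the use-after-free reported on the first free()d entry.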

[PATCH 7/7] netfilter: nf_tables_netdev: remove redundant ip_hdr assignment

2016-08-30 Thread Pablo Neira Ayuso
Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_netdev.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c index 5eefe4a..75d696f 100644 -

Re: [PATCH v2 nf] netfilter: log: Check param to avoid overflow in nf_log_set

2016-08-30 Thread Pablo Neira Ayuso
On Mon, Aug 29, 2016 at 06:25:28PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > The nf_log_set is an interface function, so it should do the strict sanity > check of parameters. Convert the return value of nf_log_set as int instead > of void. When the pf is invalid, return

Re: [PATCH nf-next] netfilter: log: Check param to avoid overflow in nf_log_set

2016-08-29 Thread Pablo Neira Ayuso
On Sun, Aug 28, 2016 at 10:30:18PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > The nf_log_set is an interface function, so it should do the strict sanity > check of parameters. Add one sanity check for pf, it could not exceed > NFPROTO_NUMPROTO, and print error log when

Re: [PATCH RESEND nf] netfilter: avoid a race between nf_register_hook() and cleanup_net()

2016-08-26 Thread Pablo Neira Ayuso
Hi Eric, On Sat, Jul 30, 2016 at 08:24:37AM -0500, Eric W. Biederman wrote: > Michal Kubecek writes: > > > There is a race condition between nf_{,un}register_hook() and > > cleanup_net() which can either trigger WARN check or cause a memory > > leak. The scenario is like this

Re: [PATCH nf-next,v2 1/2] rhashtable: add rhashtable_lookup_get_insert_key()

2016-08-26 Thread Pablo Neira Ayuso
On Fri, Aug 26, 2016 at 07:27:36PM +0800, Herbert Xu wrote: > On Thu, Aug 25, 2016 at 04:41:26PM +0200, Pablo Neira Ayuso wrote: > > This patch modifies __rhashtable_insert_fast() so it returns the > > existing object that clashes with the one that you want to insert. > &g

[PATCH nf-next,v2 2/2] netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion

2016-08-25 Thread Pablo Neira Ayuso
the set insert operation so we can fetch the existing element that clashes with the one you want to add, we need this to make sure the element data doesn't differ. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- v2: Adapt this patch to semantics changes in rhashtable_lookup_get_inse

[PATCH nf-next,v2 1/2] rhashtable: add rhashtable_lookup_get_insert_key()

2016-08-25 Thread Pablo Neira Ayuso
have. Cc: Herbert Xu <herb...@gondor.apana.org.au> Cc: Thomas Graf <tg...@suug.ch> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- v2: Address Herbert's feedback: * Modify __rhashtable_insert_fast() so this returns the object if it exists, NULL if it does not

Re: [PATCH 1/1] netfilter: gre: Use the consistent GRE and PPTP struct instead of the structures defined in netfilter

2016-08-25 Thread Pablo Neira Ayuso
On Fri, Aug 19, 2016 at 11:03:46PM +0800, Feng Gao wrote: > My email server reports the last same patch email failed to send. > So I just sent it again. > > I am sorry, if anyone receives duplicated ones. git am

Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups

2016-08-22 Thread Pablo Neira Ayuso
Hi Thomas, On Fri, Aug 19, 2016 at 07:07:39PM +0200, Thomas Graf wrote: > On 08/19/16 at 06:21pm, Pablo Neira Ayuso wrote: > > On Fri, Aug 19, 2016 at 12:35:14PM +0200, Daniel Mack wrote: > > > Also true. A cgroup can currently only hold one bpf program for ea

Re: [PATCH -next] netfilter: nft_hash: fix non static symbol warning

2016-08-22 Thread Pablo Neira Ayuso
On Sun, Aug 21, 2016 at 03:21:10PM +, Wei Yongjun wrote: > Fixes the following sparse warning: > > net/netfilter/nft_hash.c:40:25: warning: > symbol 'nft_hash_policy' was not declared. Should it be static? Applied, thanks.

Re: [PATCH] netfilter: fix spelling mistake: "delimitter" -> "delimiter"

2016-08-22 Thread Pablo Neira Ayuso
On Thu, Aug 18, 2016 at 04:47:57PM +0100, Colin King wrote: > From: Colin Ian King > > trivial fix to spelling mistake in pr_debug message Applied.

Re: [PATCH 1/1] netfilter: gre: Use the consistent GRE and PPTP struct instead of the structures defined in netfilter

2016-08-22 Thread Pablo Neira Ayuso
On Fri, Aug 19, 2016 at 11:01:34PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > There are two structures which define the GRE header and PPTP > header. So it is unnecessary to define duplicated structures in > netfilter again. Please, split this change in smaller

Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups

2016-08-19 Thread Pablo Neira Ayuso
On Fri, Aug 19, 2016 at 01:20:25PM +0200, Daniel Borkmann wrote: > On 08/19/2016 11:19 AM, Pablo Neira Ayuso wrote: > [...] > > * During the Netfilter Workshop, the main concern to add this new socket > > Don't really know what was discussed exactly at NFWS, but ... Slides

Re: [RFC PATCH 0/5] Add eBPF hooks for cgroups

2016-08-19 Thread Pablo Neira Ayuso
Hi Daniel, On Fri, Aug 19, 2016 at 12:35:14PM +0200, Daniel Mack wrote: > Hi Pablo, > > On 08/19/2016 11:19 AM, Pablo Neira Ayuso wrote: > > On Wed, Aug 17, 2016 at 04:00:43PM +0200, Daniel Mack wrote: > >> I'd appreciate some feedback on this. Pablo has some remai

[PATCH 2/6] netfilter: nfnetlink_log: add "nf-logger-3-1" module alias name

2016-08-18 Thread Pablo Neira Ayuso
h file or directory add rule arp filter input log group 0 ^ Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_log.c | 1 + 1 file changed, 1 insertion(+)

[PATCH 0/6] Netfilter fixes for net

2016-08-18 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter updates for your net tree, they are: 1) Dump only conntrack that belong to this namespace via /proc file. This is some fallout from the conversion to single conntrack table for all netns, patch from Liping Zhang. 2) Missing

[PATCH 3/6] netfilter: nfnetlink_acct: report overquota to the right netns

2016-08-18 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> We should report the over quota message to the right net namespace instead of the init netns. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- inclu

[PATCH 5/6] netfilter: nfnetlink_acct: fix race between nfacct del and xt_nfacct destroy

2016-08-18 Thread Pablo Neira Ayuso
on to one atomic operation atomic_cmpxchg here to fix this problem. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_acct.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git

[PATCH 1/6] netfilter: conntrack: do not dump other netns's conntrack entries via proc

2016-08-18 Thread Pablo Neira Ayuso
ble for all namespaces") Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Reviewed-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_standalone.c | 4 1 file changed, 4 inserti

[PATCH 4/6] netfilter: tproxy: properly refcount tcp listeners

2016-08-18 Thread Pablo Neira Ayuso
ch listener sk_refcnt under synflood") Reported-and-tested-by: Denys Fedoryshchenko <nuclear...@nuclearcat.com> Signed-off-by: Eric Dumazet <eduma...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_TPROXY.c | 4 1 file changed,

[PATCH 6/6] netfilter: cttimeout: fix use after free error when delete netns

2016-08-18 Thread Pablo Neira Ayuso
] So only when the refcnt decreased to 0, we call kfree_rcu to free the timeout object. And like nfnetlink_acct does, use atomic_cmpxchg to avoid race between ctnl_timeout_try_del and ctnl_timeout_put. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Nei

Re: [PATCH net] netfilter: tproxy: properly refcount tcp listeners

2016-08-17 Thread Pablo Neira Ayuso
On Wed, Aug 17, 2016 at 09:56:46AM -0700, Eric Dumazet wrote: > From: Eric Dumazet > > inet_lookup_listener() and inet6_lookup_listener() no longer > take a reference on the found listener. > > This minimal patch adds back the refcounting, but we might do > this differently

[PATCH 2/9] netfilter: nf_tables: s/MFT_REG32_01/NFT_REG32_01

2016-08-10 Thread Pablo Neira Ayuso
MFT_REG32_01 is a typo, rename this to NFT_REG32_01. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/net

[PATCH 5/9] netfilter: nf_ct_expect: remove the redundant slash when policy name is empty

2016-08-10 Thread Pablo Neira Ayuso
h...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_expect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 9e36931..f8dbac

[PATCH 6/9] netfilter: nfnetlink_queue: fix memory leak when attach expectation successfully

2016-08-10 Thread Pablo Neira Ayuso
he use refcnt is still 1, then the memory will be leaked forever. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c | 8 ++-- 1 file changed, 2 insertions(+), 6 deletions(-)

[PATCH 7/9] netfilter: nfnetlink_queue: reject verdict request from different portid

2016-08-10 Thread Pablo Neira Ayuso
") Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Reviewed-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_queue.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/net

[PATCH 1/9] netfilter: nf_ct_h323: do not re-activate already expired timer

2016-08-10 Thread Pablo Neira Ayuso
od_timer_pending here to fix this problem. Fixes: 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of set_expect_timeout") Cc: Gao Feng <f...@ikuai8.com> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 9/9] netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes

2016-08-10 Thread Pablo Neira Ayuso
From: Laura Garcia Liebana <nev...@gmail.com> Fix the direct assignment of offset and length attributes included in nft_exthdr structure from u32 data to u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 0/9] Netfilter fixes for net

2016-08-10 Thread Pablo Neira Ayuso
Pablo Neira Ayuso (2): netfilter: nf_tables: s/MFT_REG32_01/NFT_REG32_01 netfilter: nft_rbtree: ignore inactive matching element with no descendants include/uapi/linux/netfilter/nf_tables.h | 2 +- net/netfilter/nf_conntrack_expect.c | 2 +- net/netfilter/nf_conntrack_h323_main.c

[PATCH 4/9] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-08-10 Thread Pablo Neira Ayuso
igit 0 or not. Signed-off-by: Christophe Leroy <christophe.le...@c-s.fr> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_sip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/

[PATCH 8/9] netfilter: ctnetlink: reject new conntrack request with different l4proto

2016-08-10 Thread Pablo Neira Ayuso
liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index b9bfe64..fdfc71f 100644 -

[PATCH 3/9] netfilter: nft_rbtree: ignore inactive matching element with no descendants

2016-08-10 Thread Pablo Neira Ayuso
-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Tested-by: Anders K. Pedersen <a...@akp.dk> --- net/netfilter/nft_rbtree.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c index 6473936..ffe9ae0 1006

Re: [PATCH v2] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-08-08 Thread Pablo Neira Ayuso
On Wed, Aug 03, 2016 at 12:41:40PM +0200, Christophe Leroy wrote: > Do not drop packet when CSeq is 0 as 0 is also a valid value for CSeq. > > simple_strtoul() will return 0 either when all digits are 0 > or if there are no digits at all. Therefore when simple_strtoul() > returns 0 we check if
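
The parsing pitfall described in the patch above, as an added example that is not part of the thread or of the kernel's nf_conntrack_sip code: a CSeq parser that accepts "0" as a valid sequence number while still rejecting a missing or non-numeric value, next to the buggy form that treats a parsed 0 as "no number". The example uses userland strtoul() with an end pointer rather than the kernel's simple_strtoul(); the header values are constructed inputs, and the return codes and the permissive handling of leading whitespace are assumptions of this example, not behaviour taken from the kernel.

```c
/* Added example, not kernel code: distinguish a CSeq of 0 from the
 * absence of any digits. strtoul() returns 0 in both cases, so the
 * caller must look at what was consumed instead of at the result. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Returns 0 and stores the number in *cseq on success, -EINVAL when
 * the value has no leading digit or trailing junk, and -ERANGE on
 * overflow. Assumes the header value is a NUL-terminated C string. */
static int parse_cseq(const char *value, unsigned long *cseq)
{
	const char *p = value;
	char *end;
	unsigned long n;

	while (*p == ' ' || *p == '\t')		/* tolerate LWS before the number (assumption) */
		p++;
	if (!isdigit((unsigned char)*p))	/* rejects "", "INVITE", "-1", "+1" */
		return -EINVAL;

	errno = 0;
	n = strtoul(p, &end, 10);
	if (errno == ERANGE)
		return -ERANGE;

	/* RFC 3261: CSeq = 1*DIGIT LWS Method, so only whitespace may follow the digits */
	if (*end != '\0' && *end != ' ' && *end != '\t')
		return -EINVAL;

	*cseq = n;
	return 0;
}

/* The buggy form: a parsed value of 0 is mistaken for "no digits". */
static int parse_cseq_buggy(const char *value, unsigned long *cseq)
{
	unsigned long n = strtoul(value, NULL, 10);

	if (n == 0)
		return -EINVAL;
	*cseq = n;
	return 0;
}

/* Helpers that fold the status and the value into one result for
 * checking: the CSeq number, or -1 when the parser rejected the input. */
static long cseq_value(const char *value)
{
	unsigned long n;

	return parse_cseq(value, &n) == 0 ? (long)n : -1;
}

static long cseq_value_buggy(const char *value)
{
	unsigned long n;

	return parse_cseq_buggy(value, &n) == 0 ? (long)n : -1;
}
```

The correct parser and the buggy one agree on every input except a genuine CSeq of 0, which is exactly the packet the original code dropped.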

Re: [PATCH RESEND nf] netfilter: avoid a race between nf_register_hook() and cleanup_net()

2016-08-01 Thread Pablo Neira Ayuso
On Sat, Jul 30, 2016 at 08:24:37AM -0500, Eric W. Biederman wrote: > Michal Kubecek writes: > > > There is a race condition between nf_{,un}register_hook() and > > cleanup_net() which can either trigger WARN check or cause a memory > > leak. The scenario is like this (2a and 2b

[PATCH 12/25] netfilter: nf_conntrack_h323: fix off-by-one in DecodeQ931

2016-07-23 Thread Pablo Neira Ayuso
From: Toby DiPasquale <t...@cbcg.net> This patch corrects an off-by-one error in the DecodeQ931 function in the nf_conntrack_h323 module. This error could result in reading off the end of a Q.931 frame. Signed-off-by: Toby DiPasquale <t...@cbcg.net> Signed-off-by: Pablo Nei

[PATCH 04/25] netfilter: nf_ct_helper: unlink helper again when hash resize happen

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> Similar to ctnl_untimeout, when hash resize happened, we should try to do unhelp from the 0# bucket again. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by:

[PATCH 20/25] netfilter: nf_tables: allow to filter out rules by table and chain

2016-07-23 Thread Pablo Neira Ayuso
If the table and/or chain attributes are set in a rule dump request, we filter out the rules based on this selection. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 38 ++ 1 file changed, 38 insertions(+) diff

[PATCH 21/25] netfilter: conntrack: support a fixed size of 128 distinct labels

2016-07-23 Thread Pablo Neira Ayuso
..@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_labels.h | 16 net/netfilter/nf_conntrack_labels.c | 13 +++-- net/netfilter/nf_conntrack_netlink.c| 10 +- n

[PATCH 24/25] netfilter: nft_compat: put back match/target module if init fail

2016-07-23 Thread Pablo Neira Ayuso
liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_compat.c | 32 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c index 6228c

[PATCH 15/25] netfilter: nft_ct: fix unpaired nf_connlabels_get/put call

2016-07-23 Thread Pablo Neira Ayuso
ething fail, we should put nf_connlabels back. Otherwise, we may waste to alloc the memory that will never be used. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net

[PATCH 11/25] netfilter: nf_tables: get rid of possible_net_t from set and basechain

2016-07-23 Thread Pablo Neira Ayuso
We can pass the netns pointer as parameter to the functions that need to gain access to it. From basechains, I didn't find any client for this field anymore so let's remove this too. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.

[PATCH 05/25] netfilter: conntrack: simplify early_drop

2016-07-23 Thread Pablo Neira Ayuso
timer deletion. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h | 1 + net/netfilter/nf_conntrack_core.c| 95 ++-- 2 files changed, 48 insertions(+), 48

[PATCH 14/25] netfilter: x_tables: speed up jump target validation

2016-07-23 Thread Pablo Neira Ayuso
fined rule gets an implicit RETURN, so we get 300k jumps + 100k userchains + 100k returns -> 500k rule entries Fixes: 36472341017529e ("netfilter: x_tables: validate targets of jumps") Reported-by: Jeff Wu <wuji...@gmail.com> Tested-by: Jeff Wu <wuji...@gmail.com> Sign

[PATCH 02/25] netfilter: conntrack: fix race between nf_conntrack proc read and hash resize

2016-07-23 Thread Pablo Neira Ayuso
g hash resize"). And add a wrapper function nf_conntrack_get_ht to get hash and hsize suggested by Florian Westphal. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_core.

[PATCH 01/25] ipvs: count pre-established TCP states as active

2016-07-23 Thread Pablo Neira Ayuso
From: Michal Kubecek Some users observed that the "least connection" distribution algorithm doesn't handle bursts of TCP connections from reconnecting clients well after a node or network failure. This is because the algorithm counts an active connection as worth 256 inactive ones

[PATCH 07/25] netfilter: nat: convert nat bysrc hash to rhashtable

2016-07-23 Thread Pablo Neira Ayuso
o src manip took place yet. Tested with http-client-benchmark + httpterm with DNAT and SNAT rules in place. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h | 3 +- include/net/netfilter

[PATCH 13/25] netfilter: conntrack: protect early_drop by rcu read lock

2016-07-23 Thread Pablo Neira Ayuso
ack_alloc -> early_drop), rcu_read_lock is not held, so race with hash resize will happen. Fixes: 242922a02717 ("netfilter: conntrack: simplify early_drop") Cc: Florian Westphal <f...@strlen.de> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pabl

[PATCH 17/25] netfilter: nft_log: fix possible memory leak if log expr init fail

2016-07-23 Thread Pablo Neira Ayuso
liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_log.c | 26 ++ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c index 713d668..e1b34ff 100644 --- a/net/netfilt
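Both the nft_ct fix (15/25, an unpaired nf_connlabels_get/put) and this nft_log fix (17/25, a leak when expression init fails) are the same class of bug: an init function takes a reference or an allocation, a later step fails, and the early return forgets to give it back. The block below is an added illustration in userspace C of the two shapes, side by side; it is not the nft_ct or nft_log code, and labels_get, labels_put, dup_prefix and register_logger are constructed stand-ins for the kernel objects. The "leftover" helpers measure what each variant leaves behind after a forced failure, which is the check a reviewer applies mentally to every error path.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: a refcounted resource that must be balanced with
 * get/put (the role nf_connlabels_get/put play) and a count of live allocations. */
static int labels_refcnt;
static int live_allocs;

static int  labels_get(void) { labels_refcnt++; return 0; }
static void labels_put(void) { labels_refcnt--; }
static char *dup_prefix(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); live_allocs++; }
    return p;
}
static void free_prefix(char *p) { if (p) { free(p); live_allocs--; } }

/* A later init step that can fail after earlier resources were taken, e.g.
 * registering a logger; `fail` forces the error for the demonstration. */
static int register_logger(int fail) { return fail ? -ENOMEM : 0; }

struct expr_priv { char *prefix; int logger; };

/* Unpaired shape: an error after the get/alloc returns without undoing them. */
int init_unpaired(struct expr_priv *priv, const char *prefix, int fail_register)
{
    int err = labels_get();
    if (err) return err;
    priv->prefix = dup_prefix(prefix);
    if (!priv->prefix) return -ENOMEM;   /* the labels reference leaks here */
    err = register_logger(fail_register);
    if (err) return err;                 /* prefix and reference both leak here */
    priv->logger = 1;
    return 0;
}

/* Paired shape: each failure jumps to the label that undoes exactly the steps
 * completed so far, in reverse order, so every get has its put. */
int init_paired(struct expr_priv *priv, const char *prefix, int fail_register)
{
    int err = labels_get();
    if (err) return err;
    priv->prefix = dup_prefix(prefix);
    if (!priv->prefix) { err = -ENOMEM; goto err_put; }
    err = register_logger(fail_register);
    if (err) goto err_free;
    priv->logger = 1;
    return 0;
err_free:
    free_prefix(priv->prefix); priv->prefix = NULL;
err_put:
    labels_put();
    return err;
}

/* The destroy path releases in the same reverse order. */
void destroy_expr(struct expr_priv *priv)
{
    priv->logger = 0;
    free_prefix(priv->prefix); priv->prefix = NULL;
    labels_put();
}

typedef int (*init_fn)(struct expr_priv *, const char *, int);

/* Run one init with the registration failure forced and report what is left
 * behind as refcnt * 100 + live allocations: 0 means fully unwound. */
int leftover_after_failed_init(init_fn init)
{
    struct expr_priv priv = { NULL, 0 };
    int leftover;
    labels_refcnt = 0; live_allocs = 0;
    if (init(&priv, "nft#", 1) == 0) destroy_expr(&priv);  /* not expected with a forced failure */
    leftover = labels_refcnt * 100 + live_allocs;
    free_prefix(priv.prefix); labels_refcnt = 0;            /* reclaim the leak so the demo itself is clean */
    return leftover;
}

/* A successful init followed by destroy must also leave nothing behind. */
int leftover_after_success(init_fn init)
{
    struct expr_priv priv = { NULL, 0 };
    labels_refcnt = 0; live_allocs = 0;
    if (init(&priv, "nft#", 0) == 0) destroy_expr(&priv);
    return labels_refcnt * 100 + live_allocs;
}
```

The unpaired variant leaves one reference and one allocation behind after a failed registration; the paired variant leaves nothing, and the ordering of its labels mirrors destroy_expr() so the two cannot drift apart.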

[PATCH 06/25] netfilter: move nat hlist_head to nf_conn

2016-07-23 Thread Pablo Neira Ayuso
bysource hash table rather than just using nat extension ->destroy hook for this. nf_conn size doesn't increase due to alignment, followup patch replaces hlist_node with single pointer. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.

[PATCH 09/25] netfilter: nft_ct: make byte/packet expr more friendly

2016-07-23 Thread Pablo Neira Ayuso
enable it manually via "echo 1 > /proc/sys/net/netfilter/nf_conntrack_acct". This is not friendly, so as xt_connbytes does, if the user wants to use the ct byte/packet expr, enable nf_conntrack_acct automatically. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-

[PATCH 19/25] netfilter: nft_log: fix snaplen does not truncate packets

2016-07-23 Thread Pablo Neira Ayuso
d-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_log.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c index 5f6f088..24a73bb 100644 -

[PATCH 23/25] netfilter: h323: Use mod_timer instead of set_expect_timeout

2016-07-23 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> Simplify the code without any side effect. The set_expect_timeout is used to modify the timer expired time. It tries to delete timer, and add it again. So we could use mod_timer directly. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by:

[PATCH 18/25] netfilter: nft_log: check the validity of log level

2016-07-23 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> User can specify a log level larger than 7 (debug level) via nfnetlink, this is invalid. So in this case, we should report EINVAL to the userspace. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Nei

[PATCH 08/25] netfilter: physdev: physdev-is-out should not work with OUTPUT chain

2016-07-23 Thread Pablo Neira Ayuso
d physdev-is-out. Fix it and update the debug message to make it clearer. Signed-off-by: Hangbin Liu <liuhang...@gmail.com> Reviewed-by: Marcelo R Leitner <marcelo.leit...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_physdev.c | 8

[PATCH 25/25] netfilter: nft_compat: fix crash when related match/target module is removed

2016-07-23 Thread Pablo Neira Ayuso
ch/target module, there's no need to "cache" it. And nft_[match|target]_release are useless anymore, remove them. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_compat.c | 43 +

[PATCH 16/25] netfilter: Add helper array register/unregister functions

2016-07-23 Thread Pablo Neira Ayuso
y name that has been inconsistently exposed to userspace through ports, eg. ftp-2121, and through an incremental id, eg. tftp-1. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_helper.h | 15 +++

[PATCH 03/25] netfilter: cttimeout: unlink timeout obj again when hash resize happen

2016-07-23 Thread Pablo Neira Ayuso
d, try to unlink timeout objects from the 0# bucket again. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_cttimeout.c | 20 ++-- 1 file changed, 14 insertions(+), 6 deletions(-)

[PATCH 10/25] netfilter: constify arg to is_dying/confirmed

2016-07-23 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/net/netfilter

[PATCH 22/25] netfilter: connlabels: move set helper to xt_connlabel

2016-07-23 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> xt_connlabel is the only user so move it. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_labels.h | 2 -- net/netfilter/nf_conntrack_lab

[PATCH 00/25] Netfilter/IPVS updates for net-next

2016-07-23 Thread Pablo Neira Ayuso
ed Michal Kubecek (1): ipvs: count pre-established TCP states as active Pablo Neira Ayuso (3): netfilter: nf_tables: get rid of possible_net_t from set and basechain Merge tag 'ipvs-for-v4.8' of https://git.kernel.org/.../horms/ipvs-next netfilter: nf_tables: allow to
