Re: [PATCH 1/1] netfilter: h323: Use mod_timer instead of set_expect_timeout

2016-07-23 Thread Pablo Neira Ayuso
On Fri, Jul 22, 2016 at 12:59:15PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > It could simplify the codes without any side effect. > The set_expect_timeout is used to modify the timer expired time. > It tries to delete timer, and add it again. > So we could use mod_timer

Re: [PATCH 1/1] netfilter: udp: Remove a bit misleading comment in udp_pkt_to_tuple

2016-07-22 Thread Pablo Neira Ayuso
On Thu, Jul 21, 2016 at 05:26:47PM +0800, f...@ikuai8.com wrote: > From: Gao Feng Please, add description to your patches. Cc'ing netfilter-de...@vger.kernel.org is sufficient for netfilter patches unless you really want to attract attention from other netdev developers, and

Re: [PATCH 1/1] netfilter: Use IS_ERR_OR_NULL instead of IS_ERR and NULL check to simplify the codes in ip_vs_genl_dump_dests and resolve_normal_ct

2016-07-21 Thread Pablo Neira Ayuso
On Thu, Jul 21, 2016 at 06:45:53PM +0200, Pablo Neira Ayuso wrote: > > diff --git a/net/netfilter/nf_conntrack_core.c > > b/net/netfilter/nf_conntrack_core.c > > index 153e33f..634d592 100644 > > --- a/net/netfilter/nf_conntrack_core.c > > +++ b/net/netfilter/nf_co

Re: [PATCH 1/1] netfilter: Use IS_ERR_OR_NULL instead of IS_ERR and NULL check to simplify the codes in ip_vs_genl_dump_dests and resolve_normal_ct

2016-07-21 Thread Pablo Neira Ayuso
This patch title is too long, no more than 80 chars. On Thu, Jul 21, 2016 at 10:09:19PM +0800, f...@ikuai8.com wrote: > From: Gao Feng Please, include a description here. > Signed-off-by: Gao Feng More comments below. > --- > v1: Initial Version > >

Re: [PATCH 1/1] netfilter: Use IS_ERR_OR_NULL instead of IS_ERR and NULL check to simplify the codes in ip_vs_genl_dump_dests and resolve_normal_ct

2016-07-21 Thread Pablo Neira Ayuso
This patch title is too long, no more than 80 chars please, when it goes over that boundary it becomes a description ;) More comments below. On Thu, Jul 21, 2016 at 10:09:19PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > Signed-off-by: Gao Feng > --- >

Re: 答复: [PATCH 1/1] netfilter: Add helper array register/unregister functions

2016-07-20 Thread Pablo Neira Ayuso
On Wed, Jul 20, 2016 at 08:31:13AM +0800, 高峰 wrote: > Thanks Pablo. > > I had used the script "checkpatch.pl" to check the patch file. > There was no indentation error reported. > > So could you give me more details please or point one indentation error? > Then I could correct it by myself next

Re: 答复: [PATCH 1/1] netfilter: Add helper array register/unregister functions

2016-07-20 Thread Pablo Neira Ayuso
On Wed, Jul 20, 2016 at 09:02:52AM +0800, 高峰 wrote: > Oh, thanks Liping. > I have not found the extra port styles are different of irc, sane and tftp > with ftp. > > Hi Pablo, > Then should I modify the original patch or send a new one? No need to resend, I have just sent an amendment that I'm

Re: [PATCH 1/1] netfilter: Add helper array register/unregister functions

2016-07-20 Thread Pablo Neira Ayuso
On Wed, Jul 20, 2016 at 08:51:17AM +0800, Liping Zhang wrote: > 2016-07-18 11:39 GMT+08:00 : > > From: Gao Feng > > > > Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister > > functions to enhance the conntrack helper codes. > > I think this patch

Re: [PATCH 1/1] netfilter: Add helper array register/unregister functions

2016-07-19 Thread Pablo Neira Ayuso
On Mon, Jul 18, 2016 at 11:39:23AM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister > functions to enhance the conntrack helper codes. Applied, thanks. I have manually updated indentations to make it fit to our

Re: [PATCH v2 3/3] netfilter: replace list_head with single linked list

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 12, 2016 at 11:32:21AM -0400, Aaron Conole wrote: > The netfilter hook list never uses the prev pointer, and so can be > trimmed to be a smaller singly-linked list. > > In addition to having a more light weight structure for hook traversal, > struct net becomes 5568 bytes (down from

Re: [PATCH nf-next v2 2/3] netfilter: call nf_hook_state_init with rcu_read_lock held

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 12, 2016 at 11:32:20AM -0400, Aaron Conole wrote: > From: Florian Westphal > > This makes things simpler because we can store the head of the list > in the nf_state structure without worrying about concurrent add/delete > of hook elements from the list. This is

Re: [PATCH nf-next v2 1/3] netfilter: bridge: add and use br_nf_hook_thresh

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 12, 2016 at 11:32:19AM -0400, Aaron Conole wrote: > +/* recursively invokes nf_hook_slow (again), skipping already-called > + * hooks (< NF_BR_PRI_BRNF). > + * > + * Called with rcu read lock held. > + */ > +int br_nf_hook_thresh(unsigned int hook, struct net *net, > +

[PATCH 0/6] Netfilter/IPVS fixes for net

2016-07-12 Thread Pablo Neira Ayuso
netfilter: nft_ct: fix expiration getter Liping Zhang (2): netfilter: nf_tables: fix memory leak if expr init fails netfilter: nft_meta: set skb->nf_trace appropriately Pablo Neira Ayuso (2): Merge tag 'ipvs-fixes2-for-v4.7' of https://git.kernel.org/.../horms/i

[PATCH 6/6] netfilter: conntrack: skip clash resolution if nat is in place

2016-07-12 Thread Pablo Neira Ayuso
clash resolution on insertion race") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Tested-by: Marc Dionne <marc.c.dio...@gmail.com> --- net/netfilter/nf_conntrack_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_

[PATCH 3/6] netfilter: conntrack: avoid integer overflow when resizing

2016-07-12 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Can overflow so we might allocate very small table when bucket count is high on a 32bit platform. Note: resize is only possible from init_netns. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 5/6] netfilter: nft_ct: fix expiration getter

2016-07-12 Thread Pablo Neira Ayuso
per-ct timer. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h | 8 net/netfilter/nft_ct.c | 6 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/inc

[PATCH 1/6] netfilter: nf_tables: fix memory leak if expr init fails

2016-07-12 Thread Pablo Neira Ayuso
Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 2c88187..cf7c745 100644 -

[PATCH 4/6] ipvs: fix bind to link-local mcast IPv6 address in backup

2016-07-12 Thread Pablo Neira Ayuso
From: Quentin Armitage When using HEAD from https://git.kernel.org/cgit/utils/kernel/ipvsadm/ipvsadm.git/, the command: ipvsadm --start-daemon backup --mcast-interface eth0.60 \ --mcast-group ff02::1:81 fails with the error message: Argument list too long whereas

[PATCH 2/6] netfilter: nft_meta: set skb->nf_trace appropriately

2016-07-12 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> When user add a nft rule to set nftrace to zero, for example: # nft add rule ip filter input nftrace set 0 We should set nf_trace to zero also. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Nei

Re: Multi-thread udp 4.7 regression, bisected to 71d8c47fc653

2016-07-12 Thread Pablo Neira Ayuso
On Mon, Jul 11, 2016 at 06:17:39PM -0300, Marc Dionne wrote: > Hi Pablo, > > Testing out your patch: > > 1) With no NAT in place, the clash resolution happens, with no side > effects. No EPERM errors are seen. > > 2) With ip(6)table_nat loaded, the clash resolution fails and I get > some EPERM

Re: Multi-thread udp 4.7 regression, bisected to 71d8c47fc653

2016-07-11 Thread Pablo Neira Ayuso
back the EPERM errors that you've observed so far. Please, test both scenarios and report back. Thanks. From c3b9dfbcf35ea38a3dce22daf7450fc23c620aea Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso <pa...@netfilter.org> Date: Mon, 11 Jul 2016 17:28:54 +0200 Subject: [PATCH] netf

Re: [PATCH nf-next 3/3] netfilter: replace list_head with single linked list

2016-07-11 Thread Pablo Neira Ayuso
On Sat, Jul 09, 2016 at 01:30:38AM +0200, Florian Westphal wrote: > Aaron Conole wrote: > > --- a/net/netfilter/core.c > > +++ b/net/netfilter/core > [..] > > +#define nf_entry_dereference(e) \ > > + rcu_dereference_protected(e, lockdep_is_held(_hook_mutex)) > > > >

Re: [GIT PULL nf] Second Round of IPVS Fixes for v4.7

2016-07-11 Thread Pablo Neira Ayuso
On Thu, Jul 07, 2016 at 08:30:21PM +0200, Simon Horman wrote: > Hi Pablo, > > please consider this IPVS fix for v4.7. > > The fix from Quentin Armitage allows the backup sync daemon to > be bound to a link-local mcast IPv6 address as is already the case > for IPv4. > > The following changes

Re: [GIT PULL nf-next] IPVS Updates for v4.8

2016-07-11 Thread Pablo Neira Ayuso
On Thu, Jul 07, 2016 at 08:40:39PM +0200, Simon Horman wrote: > Hi Pablo, > > please consider these enhancements to the IPVS. This alters the behaviour > of the "least connection" schedulers such that pre-established connections > are included in the active connection count. This avoids

Re: [PATCH iptables 3/3] libxt_hashlimit: iptables-restore does not work as expected with xt_hashlimit

2016-07-08 Thread Pablo Neira Ayuso
On Wed, Jul 06, 2016 at 06:26:39PM -0400, Vishwanath Pai wrote: > On 07/05/2016 04:13 PM, Vishwanath Pai wrote: > > On 06/25/2016 05:39 AM, Pablo Neira Ayuso wrote: > >> I see, but I'm not convinced about this /proc rename feature. > >> > >> I think the main poi

[PATCH 17/26] netfilter: nft_rbtree: check for next generation when deactivating elements

2016-07-06 Thread Pablo Neira Ayuso
set->ops->deactivate() is invoked from nft_del_setelem() that happens from the transaction path, so we have to check if the object is active in the next generation, not the current. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_rbtree.c | 2 +- 1 fil

[PATCH 25/26] netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF

2016-07-06 Thread Pablo Neira Ayuso
ate these macros into a single NF_INVF macro. Miscellanea: o Neaten the alignment around these uses o A few lines are > 80 columns for intelligibility Signed-off-by: Joe Perches <j...@perches.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/x

[PATCH 14/26] netfilter: nf_tables: add generation mask to tables

2016-07-06 Thread Pablo Neira Ayuso
ect interferences through the generation counter so it can restart the dumping. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 6 ++- net/netfilter/nf_tables_api.c | 101 +- 2 files changed, 62 insertio

[PATCH 24/26] netfilter: Remove references to obsolete CONFIG_IP_ROUTE_FWMARK

2016-07-06 Thread Pablo Neira Ayuso
From: Moritz Sichert <moritz+li...@sichert.me> This option was removed in commit 47dcf0cb1005 ("[NET]: Rethink mark field in struct flowi"). Signed-off-by: Moritz Sichert <moritz+li...@sichert.me> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> ---

[PATCH 04/26] netfilter: nf_log: handle NFPROTO_INET properly in nf_logger_[find_get|put]

2016-07-06 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> When we request NFPROTO_INET, it means both NFPROTO_IPV4 and NFPROTO_IPV6. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_log.c | 20 +++

[PATCH 16/26] netfilter: nf_tables: add generation mask to sets

2016-07-06 Thread Pablo Neira Ayuso
Similar to ("netfilter: nf_tables: add generation mask to tables"). Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 8 +++-- net/netfilter/nf_tables_api.c | 68 +++ net/netfilter/nft_dyns

[PATCH 03/26] netfilter: x_tables: fix possible ZERO_SIZE_PTR pointer dereferencing error.

2016-07-06 Thread Pablo Neira Ayuso
<lixi...@cmss.chinamobile.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/x_tables.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index c69c892..8aff34e 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_t

[PATCH 26/26] netfilter: nf_log: fix error on write NONE to logger choice sysctl

2016-07-06 Thread Pablo Neira Ayuso
> /proc/sys/net/netfilter/nf_log/0 cat /proc/sys/net/netfilter/nf_log/0 nfnetlink_log echo NONE > /proc/sys/net/netfilter/nf_log/0 cat /proc/sys/net/netfilter/nf_log/0 NONE v2: add missed error check for proc_dostring Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.

[PATCH 23/26] etherdevice.h & bridge: netfilter: Add and use ether_addr_equal_masked

2016-07-06 Thread Pablo Neira Ayuso
om> Acked-by: David S. Miller <da...@davemloft.net> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/etherdevice.h | 23 +++ net/bridge/netfilter/ebt_arp.c | 17 +- net/bridge/netfilter/ebt_stp.c | 49 ++---

[PATCH 20/26] netfilter: nf_tables: get rid of NFT_BASECHAIN_DISABLED

2016-07-06 Thread Pablo Neira Ayuso
_basechain() since they have no clients anymore after this rework. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 1 - net/netfilter/nf_tables_api.c | 62 --- 2 files changed, 25 insertions(+), 38 deletion

[PATCH 07/26] netfilter: make comparison helpers stub functions in ZONES=n case

2016-07-06 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Those comparisons are useless in case of ZONES=n; all conntracks will reside in the same zone by definition. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- inc

[PATCH 21/26] netfilter: nf_tables: add support for inverted logic in nft_lookup

2016-07-06 Thread Pablo Neira Ayuso
_BREAK Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 6 ++ net/netfilter/nft_lookup.c | 37 +++- 2 files changed,

[PATCH 13/26] netfilter: nf_tables: add generic macros to check for generation mask

2016-07-06 Thread Pablo Neira Ayuso
Thus, we can reuse these to check the genmask of any object type, not only rules. This is required now that tables, chain and sets will get a generation mask field too in follow up patches. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.

[PATCH 09/26] netfilter: move zone info into struct nf_conn

2016-07-06 Thread Pablo Neira Ayuso
emoves the zone conntrack extension. The zone data is just 4 bytes, it fits into a padding hole before the tuplehash info, so we do not even increase the nf_conn structure size. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 19/26] netfilter: conntrack: allow increasing bucket size via sysctl too

2016-07-06 Thread Pablo Neira Ayuso
netfilter/nf_conntrack_buckets done Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Documentation/networking/nf_conntrack-sysctl.txt | 3 +- include/net/netfilter/nf_conntrack.h | 1 + net/netfilter/nf_conntrack_core.

[PATCH 22/26] netfilter: x_tables: simplify ip{6}table_mangle_hook()

2016-07-06 Thread Pablo Neira Ayuso
No need for a special case to handle NF_INET_POST_ROUTING, this is basically the same handling as for prerouting, input, forward. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/iptable_mangle.c | 4 net/ipv6/netfilter/ip6table_mangle.c | 4 2

[PATCH 12/26] netfilter: xt_NFLOG: nflog-range does not truncate packets

2016-07-06 Thread Pablo Neira Ayuso
--nflog-size now. --nflog-range would still exist but does not do anything. Reported-by: Joe Dollard <jdoll...@akamai.com> Reviewed-by: Josh Hunt <joh...@akamai.com> Signed-off-by: Vishwanath Pai <v...@akamai.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 02/26] netfilter: helper: avoid extra expectation iterations on unregister

2016-07-06 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> The expectation table is not duplicated per net namespace anymore, so we can move the expectation table and conntrack table iteration out of the per-net loop. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Nei

[PATCH 15/26] netfilter: nf_tables: add generation mask to chains

2016-07-06 Thread Pablo Neira Ayuso
Similar to ("netfilter: nf_tables: add generation mask to tables"). Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 4 +- net/netfilter/nf_tables_api.c | 89 +-- 2 files changed, 60 i

[PATCH 11/26] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-07-06 Thread Pablo Neira Ayuso
; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_reject_ipv4.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c index b6ea57e..fd82202 100644 --- a/net/ipv4/netfilter/nf_reject_ipv

[PATCH 06/26] netfilter: conntrack: align nf_conn on cacheline boundary

2016-07-06 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> increases struct size by 32 bytes (288 -> 320), but it is the right thing, else any attempt to (re-)arrange nf_conn members by cacheline won't work. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <p

[PATCH 18/26] netfilter: nft_hash: support deletion of inactive elements

2016-07-06 Thread Pablo Neira Ayuso
This sequence is valid and may be triggered by robots. To resolve this problem, allow deactivating elements that are active in the current generation (ie. those that has been just added in this batch). Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_hash

[PATCH 05/26] netfilter: xt_TRACE: add explicitly nf_logger_find_get call

2016-07-06 Thread Pablo Neira Ayuso
anully. So we should add request related nf_log module appropriately here. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_TRACE.c | 25 +

[PATCH 01/26] bridge: netfilter: checkpatch data type fixes

2016-07-06 Thread Pablo Neira Ayuso
From: Tobin C Harding <m...@tobin.cc> checkpatch produces data type 'checks'. This patch amends them by changing, for example: uint8_t -> u8 Signed-off-by: Tobin C Harding <m...@tobin.cc> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/net

[PATCH 10/26] netfilter: Allow xt_owner in any user namespace

2016-07-06 Thread Pablo Neira Ayuso
rnekee <cerne...@chromium.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_owner.c | 41 +++-- 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c index 1

[PATCH 08/26] netfilter: nf_log: Remove NULL check

2016-07-06 Thread Pablo Neira Ayuso
From: Shivani Bhardwaj <shivanib...@gmail.com> If 'logger' was NULL, there would be a direct jump to the label 'out', since it has already been checked for NULL, remove this unnecessary check. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> Signed-off-by: Pablo Nei

[PATCH 00/26] Netfilter updates for net-next

2016-07-06 Thread Pablo Neira Ayuso
handle NFPROTO_INET properly in nf_logger_[find_get|put] netfilter: xt_TRACE: add explicitly nf_logger_find_get call netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP Moritz Sichert (1): netfilter: Remove references to obsolete CONFIG_IP_ROUTE_FWMARK

Re: [PATCH v2] netfilter: nf_log: fix error on write NONE to logger choice sysctl

2016-07-06 Thread Pablo Neira Ayuso
On Fri, Jul 01, 2016 at 04:53:54PM +0300, Pavel Tikhomirov wrote: > It is hard to unbind nf-logger: > > echo NONE > /proc/sys/net/netfilter/nf_log/0 > bash: echo: write error: No such file or directory > > sysctl -w net.netfilter.nf_log.0=NONE > sysctl: setting key

Re: Multi-thread udp 4.7 regression, bisected to 71d8c47fc653

2016-07-05 Thread Pablo Neira Ayuso
Hi, On Mon, Jul 04, 2016 at 09:35:28AM -0300, Marc Dionne wrote: > If there is no quick fix, seems like a revert should be considered: > - Looks to me like the commit attempts to fix a long standing bug > (exists at least as far back as 3.5, > https://bugzilla.kernel.org/show_bug.cgi?id=52991) >

[ANNOUNCE] libmnl 1.0.4 release

2016-07-02 Thread Pablo Neira Ayuso
the same examples: fix display condition examples: use mnl_socket_setsockopt socket: creating a struct mnl_socket from a pre-existing socket doc: minor fix Markus Teich (1): header: use sysconf() instead of getpagesize() Pablo Neira Ayuso (18): examples: add genl

Re: [PATCH v3] netfilter/nflog: nflog-range does not truncate packets (userspace)

2016-07-01 Thread Pablo Neira Ayuso
On Fri, Jun 24, 2016 at 04:42:31PM -0400, Vishwanath Pai wrote: > Added tests to libxt_NFLOG.t for the new option --nflog-size > > -- > > netfilter/nflog: nflog-range does not truncate packets > > The option --nflog-range has never worked, but we cannot just fix this > because users might be

Re: [PATCH] etherdevice.h & bridge: netfilter: Add and use ether_addr_equal_masked

2016-06-30 Thread Pablo Neira Ayuso
On Tue, Jun 28, 2016 at 09:01:12AM -0400, David Miller wrote: > From: Joe Perches > Date: Fri, 24 Jun 2016 11:32:26 -0700 > > > There are code duplications of a masked ethernet address comparison here > > so make it a separate function instead. > > > > Miscellanea: > > > > o

Re: [PATCH iptables 3/3] libxt_hashlimit: iptables-restore does not work as expected with xt_hashlimit

2016-06-25 Thread Pablo Neira Ayuso
Hi, On Fri, Jun 24, 2016 at 02:24:18PM -0400, Vishwanath Pai wrote: > On 06/23/2016 06:25 AM, Pablo Neira Ayuso wrote: > > On Wed, Jun 01, 2016 at 08:17:59PM -0400, Vishwanath Pai wrote: > >> libxt_hashlimit: iptables-restore does not work as expected with > >>

Re: [PATCH] bridge: netfilter: spanning tree: Add masked_ether_addr_equal and neatening

2016-06-24 Thread Pablo Neira Ayuso
On Fri, Jun 24, 2016 at 10:51:28AM +0200, Pablo Neira Ayuso wrote: > On Thu, Jun 23, 2016 at 12:00:00PM -0700, Joe Perches wrote: > > On Thu, 2016-06-23 at 19:36 +0200, Pablo Neira Ayuso wrote: > > > On Wed, Jun 15, 2016 at 01:58:45PM -0700, Joe Perches wrote: > > &g

Re: [PATCH] bridge: netfilter: spanning tree: Add masked_ether_addr_equal and neatening

2016-06-24 Thread Pablo Neira Ayuso
On Thu, Jun 23, 2016 at 12:00:00PM -0700, Joe Perches wrote: > On Thu, 2016-06-23 at 19:36 +0200, Pablo Neira Ayuso wrote: > > On Wed, Jun 15, 2016 at 01:58:45PM -0700, Joe Perches wrote: > > > > > > There is code duplication of a masked ethernet address co

Re: [PATCH v2 2/2] netfilter/nflog: nflog-range does not truncate packets (userspace)

2016-06-23 Thread Pablo Neira Ayuso
On Tue, Jun 21, 2016 at 03:02:16PM -0400, Vishwanath Pai wrote: > netfilter/nflog: nflog-range does not truncate packets > > The option --nflog-range has never worked, but we cannot just fix this > because users might be using this feature option and their behavior would > change. Instead add a

Re: [PATCH] bridge: netfilter: spanning tree: Add masked_ether_addr_equal and neatening

2016-06-23 Thread Pablo Neira Ayuso
On Wed, Jun 15, 2016 at 01:58:45PM -0700, Joe Perches wrote: > There is code duplication of a masked ethernet address comparison here > so make it a separate function instead. > > Miscellanea: > > o Neaten alignment of FWINV macro uses to make it clearer for the reader Applied, thanks. >

Re: [PATCH v2 1/2] netfilter/nflog: nflog-range does not truncate packets

2016-06-23 Thread Pablo Neira Ayuso
On Tue, Jun 21, 2016 at 02:58:46PM -0400, Vishwanath Pai wrote: > netfilter/nflog: nflog-range does not truncate packets > > li->u.ulog.copy_len is currently ignored by the kernel, we should truncate > the packet to either li->u.ulog.copy_len (if set) or copy_range before > sending it to

Re: [PATCH 2/3] netfilter: Create revision 2 of xt_hashlimit to support higher pps rates

2016-06-23 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 08:11:38PM -0400, Vishwanath Pai wrote: > +static void > +cfg_copy(struct hashlimit_cfg2 *to, void *from, int revision) > +{ > + if (revision == 1) { > + struct hashlimit_cfg1 *cfg = (struct hashlimit_cfg1 *)from; > + > + to->mode = cfg->mode; >

Re: [PATCH iptables 1/3] libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2

2016-06-23 Thread Pablo Neira Ayuso
Not specifically related to this patch. It would be great if you can send us a patch to add new tests to iptables/extensions/libxt_hashlimit.t for this new higher resolution pps ratelimit. Thanks!

Re: [PATCH iptables 3/3] libxt_hashlimit: iptables-restore does not work as expected with xt_hashlimit

2016-06-23 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 08:17:59PM -0400, Vishwanath Pai wrote: > libxt_hashlimit: iptables-restore does not work as expected with xt_hashlimit > > Add the following iptables rule. > > $ iptables -A INPUT -m hashlimit --hashlimit-above 200/sec \ > --hashlimit-burst 5 --hashlimit-mode srcip

Re: [PATCH v2] netfilter: fix possible ZERO_SIZE_PTR pointer dereferencing error.

2016-06-23 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 10:59:56AM +0800, Xiubo Li wrote: > Since we cannot make sure that the 'hook_mask' will always be none > zero here. If it equals to zero, the num_hooks will be zero too, > and then kmalloc() will return ZERO_SIZE_PTR, which is (void *)16. > > Then the following error check

[PATCH 5/7] netfilter: nf_tables: fix a wrong check to skip the inactive rules

2016-06-17 Thread Pablo Neira Ayuso
<ka...@trash.net> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_core.c b/net/netfil

[PATCH 4/7] netfilter: nf_tables: fix wrong destroy anonymous sets if binding fails

2016-06-17 Thread Pablo Neira Ayuso
estroy the set, which was already destroyed and freed. If we add a nft wrong rule, nft_tables_abort will do the cleanup work rightly, so nf_tables_set_destroy call here is redundant and wrong, remove it. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Nei

[PATCH 6/7] netfilter: xt_SYNPROXY: add missing header to Kbuild

2016-06-17 Thread Pablo Neira Ayuso
Matt Whitlock says: Without this line, the file xt_SYNPROXY.h does not get installed in /usr/include/linux/netfilter/, and thus user-space programs cannot make use of it. Reported-by: Matt Whitlock <ker...@mattwhitlock.name> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 2/7] netfilter: nf_tables: fix wrong check of NFT_SET_MAP in nf_tables_bind_set

2016-06-17 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> We should check "i" is used as a dictionary or not, "binding" is already checked before. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- n

[PATCH 3/7] netfilter: nf_tables: reject loops from set element jump to chain

2016-06-17 Thread Pablo Neira Ayuso
ng. Reported-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Tested-by: Liping Zhang <liping.zh...@spreadtrum.com> --- include/net/netfilter/nf_tables.h | 1 + net/netfilter/nf_tables_api.c | 15 +-- net/net

[PATCH 0/7] Netfilter fixes for net

2016-06-17 Thread Pablo Neira Ayuso
): netfilter: nf_tables: fix wrong check of NFT_SET_MAP in nf_tables_bind_set netfilter: nf_tables: fix wrong destroy anonymous sets if binding fails netfilter: nf_tables: fix a wrong check to skip the inactive rules Pablo Neira Ayuso (3): netfilter: nf_tables: reject loops from set

[PATCH 1/7] netfilter: conntrack: destroy kmemcache on module removal

2016-06-17 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> I forgot to move the kmem_cache_destroy into the exit path. Fixes: 0c5366b3a8c7 ("netfilter: conntrack: use single slab cache) Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org

[PATCH 7/7] netfilter: xt_SYNPROXY: include missing

2016-06-17 Thread Pablo Neira Ayuso
./usr/include/linux/netfilter/xt_SYNPROXY.h:11: found __[us]{8,16,32,64} type without #include Reported-by: kbuild test robot <l...@intel.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/xt_SYNPROXY.h | 2 ++ 1 file changed, 2 inserti

Re: rfc: netfilter: Unhide FWINV macro arguments ?

2016-06-17 Thread Pablo Neira Ayuso
On Thu, Jun 16, 2016 at 11:20:59AM -0700, Joe Perches wrote: > There are several FWINV #defines with identical form > that hide a specific structure variable and dereference > it with a invflags member. Right, this macro is obscure indeed. > $ git grep "define FWINV" >

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-17 Thread Pablo Neira Ayuso
On Wed, Jun 15, 2016 at 03:13:15PM +, Lubashev, Igor wrote: > Vish, Pablo, > > I wonder about the value of sending more data than a client is > willing to consume (setting aside the important fact that the client > code crashes due to the extra data). > > It seems that we should either drop

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-15 Thread Pablo Neira Ayuso
On Sun, Jun 12, 2016 at 11:40:57PM -0400, Vishwanath Pai wrote: > On 06/09/2016 01:57 PM, Vishwanath Pai wrote: > > On 06/08/2016 08:16 AM, Pablo Neira Ayuso wrote: > >> Looking again at your code: > >> > >> case NFULNL_COPY_PACKET: > >> -

Re: [PATCH] netfilter: fix buffer null termination

2016-06-15 Thread Pablo Neira Ayuso
On Tue, Jun 14, 2016 at 09:52:49PM +0530, Kishan Sandeep wrote: > Hi Pablo, > > On Tue, Jun 14, 2016 at 8:38 PM, Pablo Neira Ayuso <pa...@netfilter.org> > wrote: > > Cc'ing netfilter-devel. > > > > On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep w

Re: [PATCH] netfilter: fix buffer null termination

2016-06-14 Thread Pablo Neira Ayuso
Cc'ing netfilter-devel. On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep wrote: > + netdev > > On Sat, Jun 11, 2016 at 10:18 AM, Kishan Sandeep > wrote: > > strncpy generally preferable for non-terminated > > fixed-width strings. For NULL termination strlcpy >

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-08 Thread Pablo Neira Ayuso
On Wed, Jun 08, 2016 at 07:31:21PM +0200, Pablo Neira Ayuso wrote: > Then you can follow up with a patch to add this function. > > Just a suggestion, let me know if this is fine with you. Forget this idea. Actually your patch from: Date: Tue, 07 Jun 2016 11:02:30 -0700 looks easier to

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-08 Thread Pablo Neira Ayuso
On Wed, Jun 08, 2016 at 09:52:30AM -0700, Joe Perches wrote: > On Wed, 2016-06-08 at 13:52 +0200, Pablo Neira Ayuso wrote: > > On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote: > > > On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote: > > > > On T

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-08 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 07:06:15PM -0400, Vishwanath Pai wrote: > On 06/06/2016 06:31 PM, Pablo Neira Ayuso wrote: > > On Wed, Jun 01, 2016 at 08:23:54PM -0400, Vishwanath Pai wrote: > >> netfilter/nflog: nflog-range does not truncate packets > >> > >> The --

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-08 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote: > On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote: > > On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote: > > > One more question, is this chunk below correct from > > >

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-07 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote: > On Tue, 2016-06-07 at 17:14 +0200, Pablo Neira Ayuso wrote: > > On Tue, May 10, 2016 at 11:26:56AM +1000, tcharding wrote: > > > From: Tobin C Harding <m...@tobin.cc> > > > This is my second linux ke

Re: [PATCH 3/3] bridge: netfilter: checkpatch null comparison fixes

2016-06-07 Thread Pablo Neira Ayuso
On Tue, May 10, 2016 at 11:26:58AM +1000, tcharding wrote: > From: Tobin C Harding > > checkpatch produces comparison to null 'checks'. > > This patch amends them. We have quite a lot of these in the netfilter tree, so I'd rather start using preferred coding style from now on

Re: [PATCH 2/3] bridge: netfilter: checkpatch data type fixes

2016-06-07 Thread Pablo Neira Ayuso
On Tue, May 10, 2016 at 11:26:57AM +1000, tcharding wrote: > From: Tobin C Harding > > checkpatch produces data type 'checks'. > > This patch amends them by changing, for example: > uint8_t -> u8 This looks good. Applied, thanks.

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-07 Thread Pablo Neira Ayuso
Hi, On Tue, May 10, 2016 at 11:26:56AM +1000, tcharding wrote: > From: Tobin C Harding > > checkpatch produces various white space 'checks'. > > This patch amends them. > > Signed-off-by: Tobin C Harding > --- > This is my second linux kernel patch. Unsure if I

Re: [PATCH][RESEND] gtp: #define _UAPI_LINUX_GTP_H_ and not _UAPI_LINUX_GTP_H__

2016-06-07 Thread Pablo Neira Ayuso
ferent > macro [-Wheader-guard] > > fix by defining _UAPI_LINUX_GTP_H_ and not _UAPI_LINUX_GTP_H__ > > Signed-off-by: Colin Ian King <colin.k...@canonical.com> Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 2/2] ipvs: update real-server binding of outgoing connections in SIP-pe

2016-06-06 Thread Pablo Neira Ayuso
From: Marco Angaroni Previous patch that introduced handling of outgoing packets in SIP persistent-engine did not call ip_vs_check_template() in case packet was matching a connection template. Assumption was that real-server was healthy, since it was sending a packet

[PATCH 1/2] netfilter: x_tables: don't reject valid target size on some architectures

2016-06-06 Thread Pablo Neira Ayuso
org> Tested-by: John Stultz <john.stu...@linaro.org> Fixes: 7ed2abddd20cf ("netfilter: x_tables: check standard target size too") Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/x_tables.c | 4

[PATCH 0/2] Netfilter/IPVS fixes for net

2016-06-06 Thread Pablo Neira Ayuso
Hi David, The following patchset contains two Netfilter/IPVS fixes for your net tree, they are: 1) Fix missing alignment in next offset calculation for standard targets, introduced in the previous merge window, patch from Florian Westphal. 2) Fix to correct the handling of outgoing

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-06 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 08:23:54PM -0400, Vishwanath Pai wrote: > netfilter/nflog: nflog-range does not truncate packets > > The --nflog-range parameter from userspace is ignored in the kernel and > the entire packet is sent to the userspace. The per-instance parameter > copy_range still works,

Re: [PATCH] gtp: #define _UAPI_LINUX_GTP_H_ and not _UAPI_LINUX_GTP_H__

2016-06-06 Thread Pablo Neira Ayuso
ferent > macro [-Wheader-guard] > > fix by defining _UAPI_LINUX_GTP_H_ and not _UAPI_LINUX_GTP_H__ > > Signed-off-by: Colin Ian King <colin.k...@canonical.com> Acked-by: Pablo Neira Ayuso <pa...@netfilter.org> I don't see this in netdev's patchwork: http://p

Re: off-by-one in DecodeQ931

2016-06-06 Thread Pablo Neira Ayuso
On Mon, Jun 06, 2016 at 04:35:55PM +0200, Florian Westphal wrote: > Toby DiPasquale wrote: > > Is this latest patch OK? > > Yes, I don't know why it wasn't applied yet. > > Pablo? This doesn't apply. $ git am /tmp/off-by-one-in-DecodeQ931.patch -s Applying: off-by-one in

Re: [PATCH 07/23] netfilter: x_tables: check standard target size too

2016-06-06 Thread Pablo Neira Ayuso
On Mon, Jun 06, 2016 at 12:02:10AM +0200, Florian Westphal wrote: > Andreas Schwab wrote: > > > From: Florian Westphal > > > > > > We have targets and standard targets -- the latter carries a verdict. > > > > > > The ip/ip6tables validation functions will

Re: [GIT PULL] IPVS Fixes for v4.7

2016-06-06 Thread Pablo Neira Ayuso
On Mon, Jun 06, 2016 at 06:24:36PM +0900, Simon Horman wrote: > Hi Pablo, > > please consider this IPVS fix for v4.7. > > The fix from Marco corrects the handling of outgoing connections > which use the SIP-pe such that the binding of a real-server > is updated when needed. This was an omission

[ANNOUNCE] nftables 0.6 release

2016-06-02 Thread Pablo Neira Ayuso
ts tests/py: modify supported test file syntax tests/py: update test files syntax rule: add 'list flow tables' support rule: add support for display flow tables content src: add 'list maps' support src: add support for display maps content evaluate: fix &q

[PATCH 3/7] netfilter: nf_queue: Make the queue_handler pernet

2016-06-01 Thread Pablo Neira Ayuso
pernet exit path is not experienced in batch mode. Reported-by: Florian Westphal <f...@strlen.de> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfil

[PATCH 4/7] netfilter: nf_ct_helper: Fix helper unregister count.

2016-06-01 Thread Pablo Neira Ayuso
From: Taehee Yoo <ap420...@gmail.com> Helpers should unregister only the registered ports. But a helper cannot have the correct registered ports value when it failed to register. Signed-off-by: Taehee Yoo <ap420...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
