[PATCH 00/35] Netfilter/IPVS updates for net-next

NFQA_CFG_F_CONNTRACK config flag Pablo Neira (1): netfilter: nfnetlink_log: validate dependencies to avoid breaking atomicity Pablo Neira Ayuso (9): netfilter: nfnetlink_queue: get rid of nfnetlink_queue_ct.c netfilter: rename nfnetlink_queue_core.c to nfnetlink_queue.c

[PATCH 04/35] netfilter: nfnetlink_queue: use y2038 safe timestamp

architectures. This is a copy and paste of Arnd's original patch for nfnetlink_log. Suggested-by: Arnd Bergmann <a...@arndb.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_queue.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff

[PATCH 02/35] netfilter: nfnetlink_queue: get rid of nfnetlink_queue_ct.c

, which creates another dependency with nf_conntrack at compilation time. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter.h | 12 ++-- include/net/netfilter/nfnetlink_queue.h | 51 -- net/netfilter/Makefile | 1

[PATCH 11/35] ipvs: Remove possibly unused variables from ip_vs_conn_net_{init,cleanup}

From: Simon Horman If CONFIG_PROC_FS is undefined then the arguments of proc_create() and remove_proc_entry() are unused. As a result the net variables of ip_vs_conn_net_{init,cleanup} are unused. net/netfilter/ipvs//ip_vs_conn.c: In function ‘ip_vs_conn_net_init’:

[PATCH 06/35] netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info

cha...@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter.h| 4 +-- net/netfilter/core.c | 4 +-- net/netfilter/nf_conntrack_netlink.c | 60 ++-- net/netfilter/nfnetlink

[PATCH 13/35] netfilter: conntrack: fix crash on timeout object removal

of atomic ops. Reported-by: Stephen Hemminger <step...@networkplumber.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_timeout.h | 25 - net/netfilter/nf_conntrack_core.c| 12 ++ net/netfilter/nfnetlink

[PATCH 15/35] netfilter: bridge: avoid unused label warning

ko...@cumulusnetworks.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/br_netfilter_hooks.c | 16 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index 13f036

[PATCH 12/35] netfilter: xt_CT: don't put back reference to timeout policy object

On success, this shouldn't put back the timeout policy object, otherwise we may have module refcount overflow and we allow deletion of timeout that are still in use. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_CT.c | 3 +++ 1 file changed, 3 insertions(+)

[PATCH 10/35] ipvs: Remove possibly unused variable from ip_vs_out

From: David Ahern Eric's net namespace changes in 1b75097dd7a26 leaves net unreferenced if CONFIG_IP_VS_IPV6 is not enabled: ../net/netfilter/ipvs/ip_vs_core.c: In function ‘ip_vs_out’: ../net/netfilter/ipvs/ip_vs_core.c:1177:14: warning: unused variable ‘net’

[PATCH 22/35] netfilter: ip6_tables: ternary operator layout

From: Ian Morris <i...@chirality.org.uk> Correct whitespace layout of ternary operators in the netfilter-ipv6 code. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv6/netfilte

[PATCH 21/35] netfilter: ipv6: whitespace around operators

From: Ian Morris <i...@chirality.org.uk> This patch cleanses whitespace around arithmetical operators. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv6/netfilter/nf_conntrack_

[PATCH 24/35] netfilter: ipv6: pointer cast layout

From: Ian Morris <i...@chirality.org.uk> Correct whitespace layout of a pointer casting. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv6/netfilter/nf_conntrack_reasm.c | 2

[PATCH 07/35] netfilter: Kconfig rename QUEUE_CT to GLUE_CT

cha...@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/Kconfig| 10 +- net/netfilter/nf_conntrack_netlink.c | 8 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kco

[PATCH 16/35] netfilter: nfnetlink_log: autoload nf_conntrack_netlink module NFQA_CFG_F_CONNTRACK config flag

From: Ken-ichirou MATSUZAWA <chama...@gmail.com> This patch enables to load nf_conntrack_netlink module if NFULNL_CFG_F_CONNTRACK config flag is specified. Signed-off-by: Ken-ichirou MATSUZAWA <cha...@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 26/35] netfilter: nfnetlink_log: validate dependencies to avoid breaking atomicity

error introduced in his patch 914eebf2f434 ("netfilter: nfnetlink_log: autoload nf_conntrack_netlink module NFQA_CFG_F_CONNTRACK config flag"). ] Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Tested-by: Ken-ichirou MATSUZAWA <chama...@gmail.com> --- net/ne

[PATCH 25/35] netfilter: nfnetlink_log: consolidate check for instance in nfulnl_recv_config()

with no command and no config updates for an unexisting instance without triggering an error. So this is the only case that changes. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Tested-by: Ken-ichirou MATSUZAWA <chama...@gmail.com> --- net/netfilter/nfnetlin

[PATCH 14/35] nfnetlink_cttimeout: add rcu_barrier() on module removal

Make sure kfree_rcu() released objects before leaving the module removal exit path. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_cttimeout.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/net

Re: [PATCH v3] netfilter: ipset: Fix sleeping memory allocation in atomic context

On Fri, Oct 16, 2015 at 01:58:55PM +0200, Jozsef Kadlecsik wrote: > The patch is applied in the ipset package tree. Thanks! Applied to the nf tree, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo

[PATCH 05/35] netfilter: remove dead code

From: Flavio Leitner <f...@sysclose.org> Remove __nf_conntrack_find() from headers. Fixes: dcd93ed4cd1 ("netfilter: nf_conntrack: remove dead code") Signed-off-by: Flavio Leitner <f...@sysclose.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/

[PATCH 19/35] netfilter: ip6_tables: function definition layout

From: Ian Morris <i...@chirality.org.uk> Use tabs instead of spaces to indent second line of parameters in function definitions. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> ---

[PATCH 09/35] netfilter: nfnetlink_log: allow to attach conntrack

mation is optional, you can set it via NFULNL_CFG_F_CONNTRACK flag with the NFULA_CFG_FLAGS attribute like NFQUEUE. Signed-off-by: Ken-ichirou MATSUZAWA <cha...@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nfnetlink_log.h | 3 +++ net

[PATCH 29/35] netfilter: nf_queue: remove rcu_read_lock calls

From: Florian Westphal <f...@strlen.de> All verdict handlers make use of the nfnetlink .call_rcu callback so rcu readlock is already held. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilt

[PATCH 32/35] netfilter: ipv4: ternary operator layout

From: Ian Morris <i...@chirality.org.uk> Correct whitespace layout of ternary operators in the netfilter-ipv4 code. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilte

[PATCH 23/35] netfilter: ip6_tables: improve if statements

From: Ian Morris <i...@chirality.org.uk> Correct whitespace layout of if statements. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv6/netfilter/ip6_tables.c | 6 +++---

[PATCH 08/35] netfilter: ctnetlink: add const qualifier to nfnl_hook.get_ct

From: Ken-ichirou MATSUZAWA get_ct as is and will not update its skb argument, and users of nfnl_ct_hook is currently only nfqueue, we can add const qualifier. Signed-off-by: Ken-ichirou MATSUZAWA --- include/linux/netfilter.h| 2 +-

[PATCH 17/35] netfilter: nfqueue: don't use prev pointer

stphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_queue.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c index 34f628e..634d18e 100644 --- a/net/netfilter

Re: [PATCH 00/35] Netfilter/IPVS updates for net-next

On Sat, Oct 17, 2015 at 06:07:43AM -0700, David Miller wrote: > From: Pablo Neira Ayuso <pa...@netfilter.org> > Date: Sat, 17 Oct 2015 13:32:35 +0200 > > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD > > Pablo, this gives merge conflic

Re: [PATCH nf-next 1/6] netfilter-ipv4: Line layout whitespace fixes

On Wed, Oct 14, 2015 at 11:17:03PM +0100, Ian Morris wrote: > Cleanses some whitespace issues by removing a leading space before a tab. > > No changes detected by objdiff. > > Signed-off-by: Ian Morris > --- > net/ipv4/netfilter/ipt_ECN.c | 2 +- >

Re: [PATCH v2] netfilter: ipset: Fix sleeping memory allocation in atomic context

On Thu, Oct 15, 2015 at 01:53:11PM -0700, Eric Dumazet wrote: > On Thu, 2015-10-15 at 23:20 +0300, Nikolay Borisov wrote: > > > While GFP_ATOMIC does indeed look the correct solution for this particular > > case I was wondering whether something like (GFP_KERNEL & ~__GFP_WAIT) > > wouldn't also

Re: [PATCH v2] netfilter: turn NF_HOOK into an inline function

On Fri, Oct 09, 2015 at 08:45:42PM +0200, Arnd Bergmann wrote: > A recent change to the dst_output handling caused a new warning > when the call to NF_HOOK() is the only used of a local variable > passed as 'dev', and CONFIG_NETFILTER is disabled: > > net/ipv6/ip6_output.c: In function

Re: [PATCH nf-next 0/6] coding style improvements: netfilter-ipv4

On Wed, Oct 14, 2015 at 11:17:02PM +0100, Ian Morris wrote: > This series of patches improves the coding style of the netfilter-ipv4 > code by addressing some issues detected by checkpatch. > > The changes were previously submitted as part of a larger monolithic > patch but on advice from

Re: [PATCH nf-next 0/7] coding style improvements for netfilter

On Sun, Oct 11, 2015 at 05:32:13PM +0100, Ian Morris wrote: > This series of patches improves the coding style of the netfilter-ipv6 > code by addressing some issues detected by checkpatch. > > The changes were previously submitted as part of a larger monolithic > patch but on advice from

Re: [PATCH nf-next 1/2] ipvs: Remove possibly unused variable from ip_vs_out

On Wed, Oct 07, 2015 at 04:58:47PM +0300, Sergei Shtylyov wrote: > Hello. > > On 10/7/2015 8:23 AM, Simon Horman wrote: > > >From: David Ahern > > > >Eric's net namespace changes in 1b75097dd7a26 leaves net unreferenced if > >CONFIG_IP_VS_IPV6 is not enabled: > > >

Re: [PATCH v2] bridge/netfilter: avoid unused label warning

On Thu, Oct 08, 2015 at 02:51:05PM +0200, Nikolay Aleksandrov wrote: > On 10/08/2015 02:30 PM, Arnd Bergmann wrote: > > With the ARM mini2440_defconfig, the bridge netfilter code gets > > built with both CONFIG_NF_DEFRAG_IPV4 and CONFIG_NF_DEFRAG_IPV6 > > disabled, which leads to a harmless gcc

Re: [PATCH net-next 2/3] ipv4: Pass struct net into ip_defrag and ip_check_defrag

dd a struct net parameter and stop making ip_defrag guess which > network namespace it needs to defragment packets in. > > Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> For the netfilter chunk: Acked-by: Pablo Neira Ayuso <pa...@netfilter.org> -

Re: [PATCH net-next 3/3] ipv6: Pass struct net into nf_ct_frag6_gather

gt; on input and the LOCAL_OUT chain on output. > > The addition of a net parameter makes it explicit which network > namespace the packets are being reassembled in, and removes the need > for nf_ct_frag6_gather to guess. For the netfilter chunk: Acked-by: Pablo Neira Ayuso <pa...@netfi

Re: [PATCH] netfilter: fix bad checksum on IPv6 when NAT is performed

On Tue, Oct 06, 2015 at 04:10:52PM +0200, Maxime Bizon wrote: > > With this setup: > > * non IPv6 checksumming capable network hardware > * GRO off > * IPv6 SNAT > > I get this when I receive an UDPv6 reply: ": hw csum failure" > > Call trace: > > * nf_ip6_checksum() calls

Re: [PATCH 08/12] nfnetlink: use y2038 safe timestamp

ivially changes the code to use 'struct timespec64' instead, > to correct the result on 32-bit architectures. > > Signed-off-by: Arnd Bergmann <a...@arndb.de> > Cc: Pablo Neira Ayuso <pa...@netfilter.org> > Cc: Patrick McHardy <ka...@trash.net> > Cc: Jozsef Kadl

Re: [PATCH nf-next] netfilter: Line layout whitespace fixes

On Fri, Oct 02, 2015 at 12:44:03AM +0100, Ian Morris wrote: > > On 30/09/15 23:17, Pablo Neira Ayuso wrote: > >On Thu, Sep 24, 2015 at 11:10:06AM +0100, Ian Morris wrote: > >>Fixes various whitespace issues detected by checkpatch (e.g. adding spaces > >>betwee

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

On Thu, Oct 01, 2015 at 11:07:30PM +0200, Daniel Mack wrote: [...] > That, however, got rejected because it doesn't work for multicast. This > patch set implements one of the things Pablo suggested in his reply. People are rising valid concerns here, so far we got a RFC where you say that you

Re: [PATCH nf-next] netfilter: Line layout whitespace fixes

On Thu, Sep 24, 2015 at 11:10:06AM +0100, Ian Morris wrote: > Fixes various whitespace issues detected by checkpatch (e.g. adding spaces > between operations, replacing spaces with tabs, etc) > > No changes detected by objdiff. These large cleanup patch causes problems for -stable maintainers,

Re: [PATCH nf-next] bridge: Pass net into br_validate_ipv4 and br_validate_ipv6

On Fri, Sep 25, 2015 at 04:52:51PM -0500, Eric W. Biederman wrote: > > The network namespace is easiliy available in state->net so use it. Also applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More

Re: [PATCH next 0/5] netfilter: Pass net into ip_route_me_harder

On Fri, Sep 25, 2015 at 03:01:42PM -0500, Eric W. Biederman wrote: > > This is the next installment of my work to pass struct net through the > output path so the code does not need to guess how to figure out which > network namespace it is in, and ultimately routes can have output > devices in

[PATCH 00/90] Netfilter/IPVS updates for net-next

Pass net into br_validate_ipv4 and br_validate_ipv6 Pablo Neira Ayuso (1): Merge tag 'ipvs2-for-v4.4' of https://git.kernel.org/.../horms/ipvs-next include/linux/netfilter.h | 2 +- include/linux/netfilter_ipv4.h| 2 +- include/linux/netfilter_ipv6.h| 2 +- inc

Re: [GIT PULL nf-next 00/84] Second Round of IPVS Updates for v4.4

On Thu, Sep 24, 2015 at 09:51:45AM +0900, Simon Horman wrote: > Hi Pablo, > > please consider these bug fixes and extensive clean-ups of IPVS > from Eric Biederman for v4.4. Pulled, thanks Simon. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to

Re: [PATCH next 00/84] ipvs: Stop guessing the network namespace (take 2)

On Wed, Sep 23, 2015 at 09:17:27AM +0900, Simon Horman wrote: > On Tue, Sep 22, 2015 at 10:50:41AM +0200, Pablo Neira Ayuso wrote: > > On Tue, Sep 22, 2015 at 10:22:13AM +0300, Julian Anastasov wrote: > > [...] > > > > > > v2 looks good to me, > >

[PATCH 03/30] ipvs: Handle inverse and icmp headers in ip_vs_leave

From: Alex Gartrell Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_core.c | 33 + 1 file changed, 21 insertions(+), 12

[PATCH 04/30] ipvs: pull out ip_vs_try_to_schedule function

From: Alex Gartrell This is necessary as we'll be trying to schedule icmp later and we'll want to share this code. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman ---

[PATCH 06/30] ipvs: Make ip_vs_schedule aware of inverse iph'es

From: Alex Gartrell This is necessary to schedule icmp later. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_core.c | 50

[PATCH 00/30] Netfilter/IPVS updates for net-next

priv instead of nf_hook_ops to netfilter hooks netfilter: Pass net into nf_xfrm_me_harder netfilter: Use nf_ct_net instead of dev_net(out) in nf_nat_masquerade_ipv6 Pablo Neira Ayuso (1): Merge tag 'ipvs-for-v4.4' of https://git.kernel.org/.../horms/ipvs-next Documentatio

[PATCH 23/30] netfilter: nf_tables: Use pkt->net instead of computing net from the passed net_devices

From: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/nft_reject_bridge.c | 13 ++--- net/ipv6/netfilter/nf

[PATCH 07/30] ipvs: add schedule_icmp sysctl

From: Alex Gartrell This sysctl will be used to enable the scheduling of icmp packets. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- include/net/ip_vs.h| 11

[PATCH 16/30] netfilter: ebtables: Simplify the arguments to ebt_do_table

ion.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter_bridge/ebtables.h |6 +++--- net/bridge/netfilter/ebtable_broute.c |8 ++-- net/bridge/netfilter/ebtable_filter.c |6 ++ net/bridge/netfilter/ebtable_nat.c|6 +

[PATCH 01/30] ipvs: replace ip_vs_fill_ip4hdr with ip_vs_fill_iph_skb_off

From: Alex Gartrell This removes some duplicated code and makes the ICMPv6 path look more like the ICMP path. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- include/net/ip_vs.h

Re: [PATCH next 00/84] ipvs: Stop guessing the network namespace (take 2)

On Tue, Sep 22, 2015 at 10:22:13AM +0300, Julian Anastasov wrote: [...] > > v2 looks good to me, > > Acked-by: Julian Anastasov Thanks a lot for reviewing Julian. Simon, please let me know how you want to handle this. Thanks. -- To unsubscribe from this list: send the line

[PATCH 21/30] netfilter: x_tables: Use par->net instead of computing from the passed net devices

From: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/ebt_log.c |2 +- net/bridge/netfilter/ebt_nflog.c |2

[PATCH 17/30] inet netfilter: Remove hook from ip6t_do_table, arp_do_table, ipt_do_table

e->hook instead of ops->hooknum for clarity and to reduce the number of cachelines the callers touch. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter_arp/arp_tables.h |1 -

[PATCH 10/30] ipvs: attempt to schedule icmp packets

From: Alex Gartrell Invoke the try_to_schedule logic from the icmp path and update it to the appropriate ip_vs_conn_put function. The schedule functions have been updated to reject the packets immediately for now. Signed-off-by: Alex Gartrell Acked-by:

[PATCH 26/30] netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple

r protocols) can get this right. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h |3 ++- include/net/netfilter/nf_conntrack_core.h |1 + includ

[PATCH 18/30] inet netfilter: Prefer state->hook to ops->hooknum

ache line misses, and slightly more consistent code. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |4 ++-- net/ipv4/netfilter/nf_defrag_ipv4.c

[PATCH 29/30] netfilter: Pass net into nf_xfrm_me_harder

From: "Eric W. Biederman" <ebied...@xmission.com> Instead of calling dev_net on a likley looking network device pass state->net into nf_xfrm_me_harder. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@net

[PATCH 02/30] ipvs: Add hdr_flags to iphdr

From: Alex Gartrell These flags contain information like whether or not the addresses are inverted or from icmp. The first will allow us to drop an inverse param all over the place, and the second will later be useful in scheduling icmp. Signed-off-by: Alex Gartrell

[PATCH 30/30] netfilter: Use nf_ct_net instead of dev_net(out) in nf_nat_masquerade_ipv6

From: "Eric W. Biederman" <ebied...@xmission.com> Use nf_ct_net(ct) instead of guessing that the netdevice out can reliably report the network namespace the conntrack operation is happening in. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Sign

[PATCH 09/30] ipvs: sh: support scheduling icmp/inverse packets consistently

From: Alex Gartrell "source_hash" the dest fields if it's an inverse packet. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_sh.c | 45

[PATCH 22/30] netfilter: nf_tables: Pass struct net in nft_pktinfo

uot;Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_

[PATCH 28/30] netfilter: Pass priv instead of nf_hook_ops to netfilter hooks

W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter.h |2 +- include/net/netfilter/br_netfilter.h |2 +- include/net/netfilter/nf_nat_l3proto.h | 32 -

[PATCH 19/30] netfilter: nf_tables: kill nft_pktinfo.ops

etails of nft_hook_ops are of no concern to the recpients of nft_pktinfo. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h |9 - include/net/netfilter/nf_tables

[PATCH 24/30] netfilter: Pass net to nf_dup_ipv4 and nf_dup_ipv6

From: "Eric W. Biederman" <ebied...@xmission.com> This allows them to stop guessing the network namespace with pick_net. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/n

[PATCH 27/30] ipvs: Read hooknum from state rather than ops->hooknum

From: "Eric W. Biederman" <ebied...@xmission.com> This should be more cache efficient as state is more likely to be in core, and the netfilter core will stop passing in ops soon. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo

[PATCH 05/30] ipvs: drop inverse argument to conn_{in,out}_get

From: Alex Gartrell No longer necessary since the information is included in the ip_vs_iphdr itself. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- include/net/ip_vs.h

[PATCH 13/30] ipvs: support scheduling inverse and icmp UDP packets

From: Alex Gartrell In the event of an icmp packet, take only the ports instead of trying to grab the full header. In the event of an inverse packet, use the source address and port. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov

[PATCH 15/30] ipvs: add sysctl to ignore tunneled packets

From: Alex Gartrell This is a way to avoid nasty routing loops when multiple ipvs instances can forward to eachother. Signed-off-by: Alex Gartrell Signed-off-by: Simon Horman --- Documentation/networking/ipvs-sysctl.txt | 10

[PATCH 11/30] ipvs: ensure that ICMP cannot be sent in reply to ICMP

From: Alex Gartrell Check the header for icmp before sending a PACKET_TOO_BIG Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_xmit.c |5 +++-- 1 file

[PATCH 20/30] netfilter: x_tables: Pass struct net in xt_action_param

uot;Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/x_tables.h |3 ++- include/net/netfilter/nf_tables.h |1 + net/bridge/netfilter/ebtables.c|1 + net/ipv4/netfilter/arp_tables.c|

[PATCH 12/30] ipvs: support scheduling inverse and icmp TCP packets

From: Alex Gartrell In the event of an icmp packet, take only the ports instead of trying to grab the full header. In the event of an inverse packet, use the source address and port. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov

[PATCH 08/30] ipvs: Use outer header in ip_vs_bypass_xmit_v6

From: Alex Gartrell The ip_vs_iphdr may refer to an internal header, so use the outer one instead. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_xmit.c |

[PATCH 25/30] act_connmark: Remember the struct net instead of guessing it.

ion.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/tc_act/tc_connmark.h |1 + net/sched/act_connmark.c |3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/include/net/tc_act/tc_connmark.h b/include/net/tc_act/tc_co

[PATCH 4/4] netfilter: nf_log: wait for rcu grace after logger unregistration

The nf_log_unregister() function needs to call synchronize_rcu() to make sure that the objects are not dereferenced anymore on module removal. Fixes: 5962815a6a56 ("netfilter: nf_log: use an array of loggers instead of list") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.

[PATCH 2/4] netfilter: bridge: fix routing of bridge frames with call-iptables=1

t;f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/skbuff.h |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 2738d35..9987af0 100644 --- a/include/linux/skbuff.h +++ b/in

[PATCH 0/4] Netfilter fixes for net

logger unregistration (2015-09-17 13:37:31 +0200) Florian Westphal (2): netfilter: nf_log: don't zap all loggers on unregister netfilter: bridge: fix routing of bridge frames with call-iptables=1 Pablo Neira Ayuso (2

[PATCH 3/4] netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC

affects the time to reload the ruleset from the iptables-compat utility. After this patch, iptables-compat-restore and iptables-compat take almost the same time to reload large rulesets. Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Signed-off-by: Pablo N

Re: [PATCH next 0/30] Passing net through the netfilter hooks

On Thu, Sep 17, 2015 at 05:19:04PM -0700, David Miller wrote: > From: ebied...@xmission.com (Eric W. Biederman) > Date: Tue, 15 Sep 2015 19:59:49 -0500 > > > Pablo, Dave I don't know whose tree this makes more sense to go > > through. I am assuming at least initially Pablos as netfilter is > >

[PATCH 1/4] netfilter: nf_log: don't zap all loggers on unregister

-j LOG iptables: No chain/target/match by that name Fixes: 30e0c6a6be ("netfilter: nf_log: prepare net namespace support for loggers") Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_log.c |8

Re: [GIT-PULL nf-next 00/15] IPVS Updates for v4.4

On Thu, Sep 17, 2015 at 02:40:36PM +0900, Simon Horman wrote: > Hi Pablo, > > please consider these IPVS Updates for v4.4. > > The updates include the following from Alex Gartrell: > * Scheduling of ICMP > * Sysctl to ignore tunneled packets; and hence some packet-looping scenarios > > The

Re: [PATCH next 0/15] netfilter: Stop guessing net (take 2)

On Fri, Sep 18, 2015 at 02:28:40PM -0500, Eric W. Biederman wrote: > > This is the next installment of my work to pass struct net through the > output path so the code does not need to guess how to figure out which > network namespace it is in, and ultimately routes can have output > devices in

[ANNOUNCE] libnftnl 1.0.5 release

library versioning Pablo Neira Ayuso (1): bump version to 1.0.5

[ANNOUNCE] nftables 0.5 release

build with debug off Pablo Neira (1): netlink_delinearize: restore listing of host byteorder set elements Pablo Neira Ayuso (67): tests: regression: named sets work tests: regression: revisit chain tests payload: assert when accessing inner transport header evaluate: reject: fix dependenc

[ANNOUNCE] libnftnl 1.0.4 release

leaks at nft_[object]_nlmsg_parse Pablo Neira Ayuso (17): src: add missing include in utils.c ruleset: fix more leaks in error path src: split internal.h is smaller files Makefile: internal.h now resides in include src: restore static array with expression operations

Re: [PATCH v2 net-next] netfilter: ipset: Fixing unnamed union initg

On Sat, Sep 12, 2015 at 06:01:27PM -0700, Akemi Yagi wrote: > Thanks to all for this effort. The patch is finally in the mainline > kernel 4.3-rc1 released today. Now I wish backporting to the 4.2 > branch goes smoothly. It's on its path to 4.2: http://patchwork.ozlabs.org/patch/516795/ so I

[ANNOUNCE] Netdev 1.1 conference

Following the lastest successful Netdev 0.1 in Ottawa, Canada. We are happy to announce a new round of the Netdev conference series: Netdev 1.1 (year 1, conference 1) from 10th to 12th February 2016 in Seville, Spain (http://www.netdevconf.org/1.1/). Netdev 1.1 is a community-driven conference

[PATCH 2/6] netfilter: bridge: fix IPv6 packets not being bridged with CONFIG_IPV6=n

m host on left side to host on right side of the bridge. Fixes: 230ac490f7fba ("netfilter: bridge: split ipv6 code into separated file") Signed-off-by: Bernhard Thaler <bernhard.tha...@wvnet.at> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/br_n

[PATCH 5/6] netfilter: nfnetlink: work around wrong endianess in res_id field

the res_id field. Based on original patch from Florian Westphal. Reported-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink.c |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/netfilter/n

[PATCH 6/6] netfilter: conntrack: use nf_ct_tmpl_free in CT/synproxy error paths

gmail.com> Signed-off-by: Daniel Borkmann <dan...@iogearbox.net> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h |1 + net/netfilter/nf_conntrack_core.c|3 ++- net/netfilter/nf_synproxy_core.c |2 +- net/netfilter/xt_CT

[PATCH 4/6] netfilter: ipset: Fixing unnamed union init

7/5/74 Signed-off-by: Elad Raz <el...@mellanox.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/ipset/ip_set_hash_netnet.c | 20 ++-- net/netfilter/ipset/ip_set_hash_netportnet.c | 20 ++-- 2 files changed, 36 insertio

[PATCH 0/6] Netfilter fixes for net

Raz (1): netfilter: ipset: Fixing unnamed union init Jozsef Kadlecsik (1): netfilter: ipset: Out of bound access in hash:net* types fixed Pablo Neira Ayuso (2): netfilter: nf_tables: Use 32 bit addressing register from nft_type_to_reg() netfilter: nfnetlink: work around

[PATCH 3/6] netfilter: ipset: Out of bound access in hash:net* types fixed

From: Jozsef Kadlecsik Dave Jones reported that KASan detected out of bounds access in hash:net* types: [ 23.139532] == [ 23.146130] BUG: KASan: out of bounds access in hash_net4_add_cidr+0x1db/0x220

[PATCH 1/6] netfilter: nf_tables: Use 32 bit addressing register from nft_type_to_reg()

nft_type_to_reg() needs to return the register in the new 32 bit addressing, otherwise we hit EINVAL when using mappings. Fixes: 49499c3 ("netfilter: nf_tables: switch registers to 32 bit addressing") Reported-by: Andreas Schultz <aschu...@tpip.net> Signed-off-by: Pablo

[PATCH 1/9] ipvs: Add ovf scheduler

From: Raducu Deaconu rhadoo.i...@gmail.com The weighted overflow scheduling algorithm directs network connections to the server with the highest weight that is currently available and overflows to the next when active connections exceed the node's weight. Signed-off-by: Raducu Deaconu

[PATCH 0/9] Netfilter updates for net-next

netfilter: reduce sparse warnings Julian Anastasov (3): ipvs: call rtnl_lock early ipvs: add sync_maxlen parameter for the sync daemon ipvs: add more mcast parameters for the sync daemon Pablo Neira Ayuso (3): netfilter: nf_dup: fix sparse warnings netfilter: xt_TEE

[PATCH 3/9] ipvs: add sync_maxlen parameter for the sync daemon

From: Julian Anastasov j...@ssi.bg Allow setups with large MTU to send large sync packets by adding sync_maxlen parameter. The default value is now based on MTU but no more than 1500 for compatibility reasons. To avoid problems if MTU changes allow fragmentation by sending packets with DF=0.

<    16   17   18   19   20   21   22   23   24   >