From: Julian Anastasov j...@ssi.bg
When the sync daemon is started we need to hold rtnl
lock while calling ip_mc_join_group. Currently, we have
a wrong locking order because the correct one is
rtnl_lock-__ip_vs_mutex. It is implied from the usage
of __ip_vs_mutex in ip_vs_dst_event() which is
fengguang...@intel.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv4/netfilter/nft_dup_ipv4.c |2 +-
net/ipv6/netfilter/nf_dup_ipv6.c |4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/nft_dup_ipv4.c
b/net/ipv4/netfilter/nft_dup_ipv4
-by: Hannes Frederic Sowa han...@stressinduktion.org
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv4/netfilter/arp_tables.c | 19 +++
net/ipv4/netfilter/ip_tables.c | 28 ++--
net/ipv6/netfilter
forwarded to it that use an address
from a prefix that has been invalidated.
Codes 5 and 6 are more informative subsets of code 1.
Signed-off-by: Andreas Herz a...@geekosphere.org
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h |4 +++-
net
robot fengguang...@intel.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/xt_TEE.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 49fee6a..fd980aa 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net
-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge/netfilter/ebtables.c|2 +-
net/ipv6/netfilter/ip6t_SYNPROXY.c |2 +-
net/netfilter/core.c |3 ---
net/netfilter/nf_synproxy_core.c |6 +++---
4 files changed, 5
On Sat, Aug 22, 2015 at 08:44:48PM +0200, Pablo Neira Ayuso wrote:
[...]
I'll wait for some little time just in case someone raises any
concern.
JFYI, I'll be passing up this patch to David via the nf tree soon.
Thanks.
On Fri, Aug 21, 2015 at 09:23:38AM -0700, Simon Horman wrote:
Hi Pablo,
please consider these IPVS Updates for v4.3.
I realise these are a little late in the cycle, so if you would prefer
me to repost them for v4.4 then just let me know.
Pulled, thanks Simon.
Let me see if this gets into
://patchwork.ozlabs.org/patch/290976/
Do you think this one is acceptable ? I am not sure to understand David
last comment.
I think David suggests something like the (completely untested)
attached patch.
From 3aa0deafb5648427d154e26920d9d85f89dab190 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso pa
Cc'ing Andrew, since he's got a similar patch in mmotm [1].
On Sat, Aug 22, 2015 at 08:11:18PM +0200, Jozsef Kadlecsik wrote:
On Sat, 22 Aug 2015, Elad Raz wrote:
In continue to proposed Vinson Lee's post [1], this patch fixes compilation
issues found with gcc 4.4.7. The initialization of
call-sites.
No functional changes in this patch.
The default zone becomes a global const object, namely nf_ct_zone_dflt
and will be returned directly in various cases, one being, when there's
f.e. no zoning support.
Signed-off-by: Daniel Borkmann dan...@iogearbox.net
Signed-off-by: Pablo Neira
This patch prepares the introduction of per-byte limiting.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nft_limit.c | 86 -
1 file changed, 53 insertions(+), 33 deletions(-)
diff --git a/net/netfilter/nft_limit.c b/net
.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/uapi/linux/netfilter/nf_tables.h |7
net/netfilter/nft_limit.c| 63 --
2 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h
b
objects
Signed-off-by: Andreas Schultz aschu...@tpip.net
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter/nfnetlink_acct.h |3 +-
include/net/net_namespace.h |3 ++
net/netfilter/nfnetlink_acct.c | 71
To prepare introduction of bytes ratelimit support.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nft_limit.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
index 435c1cc..d0788e1
.
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nft_payload.c | 57 ++-
1 file changed, 56 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_payload.c b/net/netfilter
This patch adds the burst parameter. This burst indicates the number of packets
that can exceed the limit.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/uapi/linux/netfilter/nf_tables.h |2 ++
net/netfilter/nft_limit.c| 20 ++--
2 files
Extracted from the xtables TEE target. This creates two new modules for IPv4
and IPv6 that are shared between the TEE target and the new nf_tables dup
expressions.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net/netfilter/ipv4/nf_dup_ipv4.h |7 ++
include/net/netfilter
a minimal implementation for
a possible mapping.
In order to not add/expose an extra ct->status bit, the zone structure has
been extended to carry a flag for deriving the mark.
Signed-off-by: Daniel Borkmann dan...@iogearbox.net
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net
Rework the limit expression to use a token-based limiting approach that refills
the bucket gradually. The tokens are calculated at nanosecond granularity
instead of jiffies to improve precision.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nft_limit.c | 42
.
Based on the original tee expression from Arturo Borrero Gonzalez, although
this patch has diverted quite a bit from this initial effort due to the
change to support maps.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net/netfilter/nft_dup.h |9 +++
include/uapi
Use IS_ENABLED(CONFIG_NF_CONNTRACK) instead.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/xt_TEE.c |8 +++-
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index c5d6556..0ed9fb6 100644
--- a/net
This patch converts the existing seqlock to per-cpu counters.
Suggested-by: Eric Dumazet eric.duma...@gmail.com
Suggested-by: Patrick McHardy ka...@trash.net
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nft_counter.c | 97 ++-
1
into functions
netfilter: nf_conntrack: add direction support for zones
netfilter: nf_conntrack: add efficient mark to zone mapping
Florian Westphal (1):
netfilter: nft_payload: work around vlan header stripping
Pablo Neira Ayuso (11):
netfilter: nft_counter: convert
://paste.fedoraproject.org/242835/65657871/
Signed-off-by: Daniel Borkmann dan...@iogearbox.net
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net/netfilter/nf_conntrack_zones.h | 31 +++-
include/uapi/linux/netfilter/nfnetlink_conntrack.h |1 +
include/uapi/linux/netfilter/xt_CT.h
):
netfilter: nf_conntrack: push zone object into functions
netfilter: nf_conntrack: add direction support for zones
netfilter: nf_conntrack: add efficient mark to zone mapping
Florian Westphal (1):
netfilter: nft_payload: work around vlan header stripping
Pablo Neira Ayuso (10
The cost per packet can be calculated from the control plane path since this
doesn't ever change.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nft_limit.c | 25 ++---
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/net/netfilter
Neira Ayuso pa...@netfilter.org
---
net/netfilter/nf_conntrack_core.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index f168099..3c20d02 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net
From: Phil Sutter p...@nwl.cc
This happens when networking namespaces are enabled.
Suggested-by: Patrick McHardy ka...@trash.net
Signed-off-by: Phil Sutter p...@nwl.cc
Acked-by: Patrick McHardy ka...@trash.net
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv6/netfilter
Since 88eab472ec21 (netfilter: conntrack: adjust nf_conntrack_buckets default
value), the hashtable can easily hit this warning. We got reports from users
that are getting this message in a quite spamming fashion, so better silence
this.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
Acked
update to client (2015-08-10 13:55:07 +0200)
Dan Carpenter (1):
netfilter: nf_conntrack: checking for IS_ERR() instead of NULL
Joe Stringer (1):
netfilter: conntrack: Use flags in nf_ct_tmpl_alloc()
Pablo Neira Ayuso (1
-by: Dan Carpenter dan.carpen...@oracle.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nf_synproxy_core.c |4 +---
net/netfilter/xt_CT.c|5 +++--
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter
a window probe is
being sent).
Signed-off-by: Phil Sutter p...@nwl.cc
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv4/netfilter/ipt_SYNPROXY.c |3 ++-
net/ipv6/netfilter/ip6t_SYNPROXY.c |3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4
On Mon, Aug 10, 2015 at 10:06:07AM +0200, Patrick McHardy wrote:
On 09.08, Phil Sutter wrote:
This is the identical fix as netfilter: ipt_SYNPROXY: fix sending
window update to client but for the IPv6 variant which obviously
suffers from the same issue.
Looks fine to me.
Acked-by:
.
Fixes: 085db2c04557 (netfilter: Per network namespace netfilter hooks.)
Reported-by: kbu...@01.org
Reported-by: Dan Carpenter dan.carpen...@oracle.com
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/core.c |4
, e.g. 1000 -- in this case it would be feasible to allocate the
entire stack in the percpu area which would avoid one dereference.
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter/x_tables.h |1 -
net/ipv4/netfilter
From: Bernhard Thaler bernhard.tha...@wvnet.at
Fix checkpatch.pl ERROR: do not initialise statics to 0 or NULL for
all statics explicitly initialized to 0.
Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge
From: Florian Westphal f...@strlen.de
Don't bother testing if we need to switch to alternate stack
unless TEE target is used.
Suggested-by: Eric Dumazet eric.duma...@gmail.com
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux
dependency from nft to xtables core it's put into core.c
instead of the x_tables core.
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter.h | 11 +++
net/netfilter/core.c |3 +++
net/netfilter/xt_TEE.c| 13
increments together.
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/core.c | 17 ++---
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index
From: Eric W. Biederman ebied...@xmission.com
- Register the nftables chains in the network namespace that they need
to run in.
- Remove the hacks that stopped chains running in the wrong network
namespace.
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Pablo Neira
.
The stacksize is then set to the largest chain depth seen.
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv4/netfilter/arp_tables.c | 19 ---
net/ipv4/netfilter/ip_tables.c | 28 ++--
net/ipv6/netfilter
: xtables: remove __pure annotation
netfilter: bridge: reduce nf_bridge_info to 32 bytes again
Michal Kubeček (1):
netfilter: nf_ct_sctp: minimal multihoming support
Pablo Neira Ayuso (3):
netfilter: nf_queue: fix nf_queue_nf_hook_drop()
netfilter: fix possible removal
cause us problems in the future, so better
address this problem now by keeping a reference to the original nf_hook_ops
structure to make sure we delete the right hook from nf_unregister_net_hook().
Fixes: 085db2c04557 (netfilter: Per network namespace netfilter hooks.)
Signed-off-by: Pablo Neira Ayuso
From: Eric W. Biederman ebied...@xmission.com
- Add a new set of functions for registering and unregistering per
network namespace hooks.
- Modify the old global namespace hook functions to use the per
network namespace hooks in their implementation, so there remains a
single list that
-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv4/netfilter/arp_tables.c |2 +-
net/ipv4/netfilter/ip_tables.c |2 +-
net/ipv6/netfilter/ip6_tables.c |2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4
From: Eric W. Biederman ebied...@xmission.com
The function obscures what is going on in nf_hook_thresh and its existence
requires computing the hook list twice.
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux
of nf_hook_mutex as
nothing in the selection requires the hook list, and error handling
is simpler if a mutex is not held.
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/core.c | 32
.
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter_bridge.h | 12 +---
include/linux/skbuff.h| 19 +--
net/bridge/br_netfilter_hooks.c | 14
From: Subash Abhinov Kasiviswanathan subas...@codeaurora.org
Make it similar to reject_tg() in ipt_REJECT.
Suggested-by: Pablo Neira Ayuso pa...@netfilter.org
Signed-off-by: Subash Abhinov Kasiviswanathan subas...@codeaurora.org
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv6
085db2c04557 (netfilter: Per network namespace netfilter hooks.) introduced a
new nf_hook_list that is global, so let's avoid this overlap.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
Acked-by: Eric W. Biederman ebied...@xmission.com
---
include/linux/netfilter.h | 14
)
HEARTBEAT_ACKED: 210 seconds (hb_interval * path_max_retry + max_rto)
(We cannot expect to see the shutdown sequence so that, unlike
ESTABLISHED, the HEARTBEAT_ACKED timeout shouldn't be too long.)
Signed-off-by: Michal Kubecek mkube...@suse.cz
Signed-off-by: Pablo Neira Ayuso pa
for this
netns, not for every netns.
Reported-by: Fengguang Wu fengguang...@intel.com
Fixes: 085db2c04557 (netfilter: Per network namespace netfilter hooks.)
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
Acked-by: Eric W. Biederman ebied...@xmission.com
---
net/netfilter/core.c |2 +-
net
On Tue, Jul 28, 2015 at 12:53:26AM +0200, Phil Sutter wrote:
Upon receipt of SYNACK from the server, ipt_SYNPROXY first sends back an ACK to
finish the server handshake, then calls nf_ct_seqadj_init() to initiate
sequence number adjustment of forwarded packets to the client and finally
On Mon, Aug 03, 2015 at 11:30:16AM -0700, Joe Stringer wrote:
On 3 August 2015 at 11:29, Joe Stringer joestrin...@nicira.com wrote:
On 30 July 2015 at 04:57, Pablo Neira Ayuso pa...@netfilter.org wrote:
On Tue, Jul 28, 2015 at 01:42:28AM +0300, Dan Carpenter wrote:
We recently changed
On Thu, Jul 30, 2015 at 03:01:08PM +0300, Dan Carpenter wrote:
On Thu, Jul 30, 2015 at 01:57:43PM +0200, Pablo Neira Ayuso wrote:
I have also appended this chunk, since synproxy is also affected:
Thanks. I have rechecked my scripts and I *should* have caught that.
I'm not sure what went
On Tue, Jul 28, 2015 at 01:42:28AM +0300, Dan Carpenter wrote:
We recently changed this from nf_conntrack_alloc() to nf_ct_tmpl_alloc()
so the error handling needs to changed to check for NULL instead of
IS_ERR().
Fixes: 0838aa7fcfcd ('netfilter: fix netns dependencies with conntrack
On Fri, Jul 17, 2015 at 04:17:56PM +0200, Michal Kubecek wrote:
Currently nf_conntrack_proto_sctp module handles only packets between
primary addresses used to establish the connection. Any packets between
secondary addresses are classified as invalid so that usual firewall
configurations drop
Hi Simon,
On Thu, Jul 16, 2015 at 11:14:07AM +0900, Simon Horman wrote:
Hi Pablo,
please consider this fix for v4.2.
For reasons that are not clear to me it is a bumper crop.
It seems to me that they are all relevant to stable.
Please let me know if you need my help to get the fixes into
On Tue, Jul 21, 2015 at 09:37:31PM -0700, Joe Stringer wrote:
When zones were originally introduced, the expectation functions were
all extended to perform lookup using the zone. However, insertion was
not modified to check the zone. This means that two expectations which
are intended to apply
From: Alex Gartrell agartr...@fb.com
It is possible that we bind against a local socket in early_demux when we
are actually going to want to forward it. In this case, the socket serves
no purpose and only serves to confuse things (particularly functions which
implicitly expect sk_fullsock to be
connections that have the same tuple
but exist in different zones cannot both be tracked.
Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for conntrack zones)
Signed-off-by: Joe Stringer joestrin...@nicira.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter
From: Julian Anastasov j...@ssi.bg
Fix crash in 3.5+ if FTP is used after switching
sync_version to 0.
Fixes: 749c42b620a9 (ipvs: reduce sync rate with time thresholds)
Signed-off-by: Julian Anastasov j...@ssi.bg
Signed-off-by: Simon Horman ho...@verge.net.au
---
net/netfilter/ipvs/ip_vs_sync.c
From: Alex Gartrell agartr...@fb.com
Previously there was a trivial panic
unshare -n /bin/bash <<EOF
ip addr add dev lo face::1/128
ipvsadm -A -t [face::1]:15213
ipvsadm -a -t [face::1]:15213 -r b00c::1
echo boom | nc face::1 15213
EOF
This patch allows us to replicate the net logic above and
We have to put back the references to the master conntrack and the expectation
that we just created, otherwise we'll leak them.
Fixes: 0ef71ee1a5b9 (netfilter: ctnetlink: refactor ctnetlink_create_expect)
Reported-by: Tim Wiess tim.wi...@watchguard.com
Signed-off-by: Pablo Neira Ayuso pa
trace 41d156354d18c039 ]---
Signed-off-by: Dmitry Torokhov d...@google.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/xt_IDLETIMER.c |1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index f407ebc1..29d2c31
protocol v0 and FTP
ipvs: call skb_sender_cpu_clear
Pablo Neira Ayuso (3):
netfilter: ctnetlink: put back references to master ct and expect objects
netfilter: fix netns dependencies with conntrack templates
Merge tag 'ipvs-fixes-for-v4.2' of https://git.kernel.org/.../horms/ipvs
is removed.
Reported-by: Daniel Borkmann dan...@iogearbox.net
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
Tested-by: Daniel Borkmann dan...@iogearbox.net
---
include/net/netfilter/nf_conntrack.h |2 +-
include/net/netns/conntrack.h|1 -
net/netfilter/nf_conntrack_core.c
From: Julian Anastasov j...@ssi.bg
Michael Vallaly reports about wrong source address used
in rare cases for tunneled traffic. Looks like
__ip_vs_get_out_rt in 3.10+ is providing uninitialized
dest_dst->dst_saddr.ip because ip_vs_dest_dst_alloc uses
kmalloc. While we retry after seeing EINVAL from
From: Julian Anastasov j...@ssi.bg
I overlooked the svc->sched_data usage from schedulers
when the services were converted to RCU in 3.10. Now
the rare ipvsadm -E command can change the scheduler
but due to the reverse order of ip_vs_bind_scheduler
and ip_vs_unbind_scheduler we provide new
From: Julian Anastasov j...@ssi.bg
Reset XPS's sender_cpu on forwarding.
Signed-off-by: Julian Anastasov j...@ssi.bg
Fixes: 2bd82484bb4c (xps: fix xps for stacked devices)
Signed-off-by: Simon Horman ho...@verge.net.au
---
net/netfilter/ipvs/ip_vs_xmit.c |6 ++
1 file changed, 6
On Wed, Jul 15, 2015 at 03:05:00PM -0500, Eric W. Biederman wrote:
Pablo Neira Ayuso pa...@netfilter.org writes:
[...]
There are lots of other possible and desirable cleanups but this one is
a core change needed to make the other changes independent small
changes.
The state-net field
On Fri, Jul 10, 2015 at 06:11:46PM -0500, Eric W. Biederman wrote:
By maintaining a set of functions to register and unregister netfilter
hooks both globally and per network namespace I have managed to write a
compact patchset that maintains per network netfilter chains, and
registers the
On Fri, Jul 10, 2015 at 06:15:06PM -0500, Eric W. Biederman wrote:
@@ -102,13 +112,35 @@ int nf_register_hook(struct nf_hook_ops *reg)
#endif
return 0;
}
-EXPORT_SYMBOL(nf_register_hook);
+EXPORT_SYMBOL(nf_register_net_hook);
-void nf_unregister_hook(struct nf_hook_ops *reg)
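Review bot: the visible lines swap EXPORT_SYMBOL(nf_register_hook) for EXPORT_SYMBOL(nf_register_net_hook) while the @@ context still names the function int nf_register_hook(struct nf_hook_ops *reg), and the next line begins removing nf_unregister_hook(); both old names are what existing modules link against, so the series must keep nf_register_hook()/nf_unregister_hook() defined and exported (for instance as wrappers over the per-netns variants) or convert every caller in the same series, otherwise module loads fail on unresolved symbols. The rest of this hunk is cut off here, so that needs checking against the full patch.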
On Fri, Jul 10, 2015 at 03:42:49PM +0900, Simon Horman wrote:
From: Markus Elfring elfr...@users.sourceforge.net
The module_put() function tests whether its argument is NULL and then
returns immediately. Thus the test around the call is not needed.
This issue was detected by using the
On Tue, Jul 14, 2015 at 06:28:50PM +0200, Michal Kubecek wrote:
On Tue, Jul 14, 2015 at 05:38:47PM +0200, Pablo Neira Ayuso wrote:
On Tue, Jul 14, 2015 at 02:23:11PM +0200, Michal Kubecek wrote:
@@ -658,6 +696,18 @@ static struct ctl_table sctp_sysctl_table[] = {
.mode
On Tue, Jul 14, 2015 at 02:23:11PM +0200, Michal Kubecek wrote:
@@ -658,6 +696,18 @@ static struct ctl_table sctp_sysctl_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec_jiffies,
},
+ {
+ .procname =
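Review bot: the new sctp_sysctl_table entry is cut off after `.procname =`, so its .data, .maxlen, .mode and .proc_handler cannot be checked; a conntrack timeout entry should match the one just above it (.mode = 0644, .proc_handler = proc_dointvec_jiffies) and its .data must be wired to the corresponding per-netns timeout slot wherever this table is copied, otherwise the sysctl reads or writes the wrong timeout. Please show the complete entry together with that companion change.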
On Thu, Jul 09, 2015 at 05:15:01PM -0700, Dmitry Torokhov wrote:
Dynamically allocated sysfs attributes should be initialized with
sysfs_attr_init() otherwise lockdep will be angry with us:
[ 45.468653] BUG: key ffc030fad4e0 not in .data!
[ 45.468655] [ cut here
On Mon, Jul 13, 2015 at 08:02:36AM -0700, Dmitry Torokhov wrote:
On Mon, Jul 13, 2015 at 6:20 AM, Pablo Neira Ayuso pa...@netfilter.org wrote:
On Thu, Jul 09, 2015 at 05:15:01PM -0700, Dmitry Torokhov wrote:
Dynamically allocated sysfs attributes should be initialized with
sysfs_attr_init
: forward IPv6 fragmented packets)
Reported-by: kbuild test robot fengguang...@intel.com
Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge/br_netfilter_hooks.c |4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff
: bridge: don't leak skb in error paths
Julien Grall (1):
netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in
br_validate_ipv6
Pablo Neira Ayuso (2):
netfilter: nfnetlink: keep going batch handling on missing modules
MAINTAINER: add bridge netfilter
MAINTAINERS
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv4/netfilter/arp_tables.c | 25 -
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 95c9b6e..92305a1 100644
--- a/net/ipv4
...@wvnet.at
Cc: Pablo Neira Ayuso pa...@netfilter.org
Cc: f...@strlen.de
Cc: ian.campb...@citrix.com
Cc: wei.l...@citrix.com
Cc: Bob Liu bob@oracle.com
---
Note that it's impossible to create new guest after this message.
I'm not sure if it's normal.
Changes in v2
synchronize_rcu() call in a row.
This patch changes the policy to keep full batch processing on missing modules
errors so we abort only once.
Reported-by: Eric Leblond e...@regit.org
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nfnetlink.c | 38
packets)
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge/br_netfilter_hooks.c | 12
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index
So scripts/get_maintainer.pl shows the Netfilter mailing lists.
Reported-by: Julien Grall julien.gr...@citrix.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
MAINTAINERS |1 +
1 file changed, 1 insertion(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index 993d4cf..8183b465 100644
:
unregister_netdevice: waiting for vif1.0 to become free. Usage count = 1
Signed-off-by: Julien Grall julien.gr...@citrix.com
Cc: Bernhard Thaler bernhard.tha...@wvnet.at
Cc: Pablo Neira Ayuso pa...@netfilter.org
Cc: f...@strlen.de
Cc: ian.campb...@citrix.com
Cc: wei.l...@citrix.com
Cc: Bob Liu bob