[PATCH 20/53] ipset: remove unused function __ip_set_get_netlink

2017-05-01 Thread Pablo Neira Ayuso
From: Aaron Conole <acon...@bytheb.org> There are no in-tree callers. Signed-off-by: Aaron Conole <acon...@bytheb.org> Acked-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/ipset/ip_set_core.c | 8

[PATCH 15/53] netfilter: ip6_tables: Remove unnecessary comments

2017-05-01 Thread Pablo Neira Ayuso
From: Arushi Singhal These comments are obsolete and should go, as there are no set of rules per CPU anymore. Signed-off-by: Arushi Singhal --- net/ipv6/netfilter/ip6_tables.c | 9 - 1 file changed, 9 deletions(-) diff

[PATCH 25/53] netfilter: nft_ct: allow to set ctnetlink event types of a connection

2017-05-01 Thread Pablo Neira Ayuso
oesn't copy those). Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_ct.c | 25 - 2 files changed, 26 inserti

[PATCH 24/53] netfilter: remove nf_ct_is_untracked

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> This function is now obsolete and always returns false. This change has no effect on generated code. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/ip_vs.h

[PATCH 29/53] netfilter: helpers: remove data_len usage for inkernel helpers

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> No need to track this for inkernel helpers anymore as NF_CT_HELPER_BUILD_BUG_ON checks do this now. All inkernel helpers know what kind of structure they stored in helper->data. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-

[PATCH 17/53] netfilter: nat: remove rcu_read_lock in __nf_nat_decode_session.

2017-05-01 Thread Pablo Neira Ayuso
ff-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_nat_core.c | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index 376c1b36f222..fb0e65411785 100644 --- a/net/netfilter/nf_nat_core.c +

[PATCH 30/53] netfilter: remove last traces of variable-sized extensions

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> get rid of the (now unused) nf_ct_ext_add_length define and also rename the function to plain nf_ct_ext_add(). Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- inc

[PATCH 26/53] netfilter: conntrack: move helper struct to nf_conntrack_helper.h

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> its definition is not needed in nf_conntrack.h. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h| 19 --- inc

[PATCH 33/53] netfilter: ecache: reduce struct size from 32 to 24 byte

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Only "cache" needs to use ulong (it's used with set_bit()), missed can use u16. Also add build-time assertion to ensure event bits fit. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfil

[PATCH 28/53] netfilter: nfnetlink_cthelper: reject too large userspace allocation requests

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Userspace should not abuse the kernel to store large amounts of data, reject requests larger than the private area can accommodate. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 27/53] netfilter: helper: add build-time asserts for helper data size

2017-05-01 Thread Pablo Neira Ayuso
macro should be used somehow is there... Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_helper.h | 5 - net/netfilter/nf_conntrack_amanda.c | 2 ++ net/netfilter/nf_conntrack_ft

[PATCH 32/53] netfilter: allow early drop of assured conntracks

2017-05-01 Thread Pablo Neira Ayuso
...@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_l4proto.h | 3 ++ net/netfilter/nf_conntrack_core.c| 49 net/netfilter/nf_conntrack_proto_dccp.c | 16 + net/netfilter/nf_co

[PATCH 31/53] netfilter: conntrack: use u8 for extension sizes again

2017-05-01 Thread Pablo Neira Ayuso
overflow. 3 years later we've managed to diet extensions a bit and we no longer need u16. Furthermore we can now add a compile-time assertion for this problem. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfi

[PATCH 34/53] netfilter: ipvs: fix incorrect conflict resolution

2017-05-01 Thread Pablo Neira Ayuso
erged into nf-next, the merge resolution took the first version, dropping the conversion of nfct_nat(). While this doesn't cause a problem at the moment, it will once we stop adding the nat extension by default. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <p

[PATCH 37/53] ipvs: convert to use pernet nf_hook api

2017-05-01 Thread Pablo Neira Ayuso
Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/ipvs/ip_vs_core.c | 19 +-- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/

[PATCH 35/53] netfilter: tcp: Use TCP_MAX_WSCALE instead of literal 14

2017-05-01 Thread Pablo Neira Ayuso
m> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_proto_tcp.c | 7 +++ net/netfilter/nf_synproxy_core.c | 4 ++-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_con

[PATCH 38/53] netfilter: decnet: only register hooks in init namespace

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> looks like decnet isn't namespacified in first place, so restrict hook registration to the initial namespace. Prepares for eventual removal of legacy nf_register_hook() api. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo

[PATCH 36/53] netfilter: synproxy: only register hooks when needed

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Defer registration of the synproxy hooks until the first SYNPROXY rule is added. Also means we only register hooks in namespaces that need it. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 23/53] netfilter: kill the fake untracked conntrack objects

2017-05-01 Thread Pablo Neira Ayuso
now need to test ct == NULL vs. ctinfo == IP_CT_UNTRACKED, but all other places can omit the nf_ct_is_untracked() check. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/ip_vs.h

[PATCH 39/53] ebtables: remove nf_hook_register usage

2017-05-01 Thread Pablo Neira Ayuso
; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter_bridge/ebtables.h | 6 ++- net/bridge/netfilter/ebtable_broute.c | 4 +- net/bridge/netfilter/ebtable_filter.c | 15 ++-- net/bridge/netfilter/ebtable_nat.c| 15 ++-- net/bridge/ne

[PATCH 43/53] netfilter: conntrack: handle initial extension alloc via krealloc

2017-05-01 Thread Pablo Neira Ayuso
ore; only offsets[]. Existing code makes sure the new (used) extension space gets zeroed out. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_extend.c | 51 +++-- 1 file c

[PATCH 42/53] netfilter: conntrack: mark extension structs as const

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_extend.h | 4 ++-- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_

[PATCH 41/53] netfilter: conntrack: remove prealloc support

2017-05-01 Thread Pablo Neira Ayuso
rea. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_extend.h | 6 net/netfilter/nf_conntrack_extend.c | 49 +++-- net/netfilter/nf_nat_core.c

[PATCH 53/53] netfilter: nf_ct_ext: invoke destroy even when ext is not attached

2017-05-01 Thread Pablo Neira Ayuso
("netfilter: don't attach a nat extension by default") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_extend.h | 7 +-- net/netfilter/nf_conntrack_extend.c | 8 ++---

[PATCH 45/53] netfilter: pptp: attach nat extension when needed

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> make sure nat extension gets added if the master conntrack is subject to NAT. This will be required once the nat core stops adding it by default. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 52/53] netfilter: snmp: avoid stack size warning

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> net/ipv4/netfilter/nf_nat_snmp_basic.c:1158:1: warning: the frame size of 1160 bytes is larger than 1024 bytes Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> ---

[PATCH 46/53] netfilter: don't attach a nat extension by default

2017-05-01 Thread Pablo Neira Ayuso
lorian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_nat.h | 2 +- net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 4 +--- net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 4 +--- net/netfilter/nf_nat_core.c |

[PATCH 51/53] netfilter: nf_queue: only call synchronize_net twice if nf_queue is active

2017-05-01 Thread Pablo Neira Ayuso
during netns cleanup so no packets should be queued. For the rare case of base chain being unregistered or module removal while nfqueue is in use the extra hiccup due to the packet drops isn't a big deal. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 48/53] ipvs: change comparison on sync_refresh_period

2017-05-01 Thread Pablo Neira Ayuso
From: Aaron Conole The sync_refresh_period variable is unsigned, so it can never be < 0. Signed-off-by: Aaron Conole Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_sync.c | 2 +- 1 file changed, 1 insertion(+), 1

[PATCH 47/53] ipvs: remove unused function ip_vs_set_state_timeout

2017-05-01 Thread Pablo Neira Ayuso
From: Aaron Conole There are no in-tree callers of this function and it isn't exported. Signed-off-by: Aaron Conole Signed-off-by: Simon Horman --- include/net/ip_vs.h | 2 -- net/netfilter/ipvs/ip_vs_proto.c | 22

[PATCH 44/53] netfilter: masquerade: attach nat extension if not present

2017-05-01 Thread Pablo Neira Ayuso
nt yet. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 5 +++-- net/ipv6/netfilter/nf_nat_masquerade_ipv6.c | 5 - 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/

[PATCH 50/53] netfilter: nf_log: don't call synchronize_rcu in nf_log_unset

2017-05-01 Thread Pablo Neira Ayuso
ppears to be no need to call synchronize_rcu. v2: Liping Zhang points out that nf_log_unregister() needs to be called after pernet unregister, else rmmod would become unsafe. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/

[PATCH 49/53] netfilter: batch synchronize_net calls during hook unregister

2017-05-01 Thread Pablo Neira Ayuso
ed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/core.c | 46 -- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c

[PATCH 40/53] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-05-01 Thread Pablo Neira Ayuso
ao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/ipt_SYNPROXY.c | 21 ++--- net/ipv6/netfilter/ip6t_SYNPROXY.c | 20 ++-- 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/net/ipv4/

[PATCH 16/53] netfilter: udplite: Remove duplicated udplite4/6 declaration

2017-05-01 Thread Pablo Neira Ayuso
From: Gao Feng There are two nf_conntrack_l4proto_udp4 declarations in the header file nf_conntrack_ipv4/6.h. Now remove the one which is not embraced by the macro CONFIG_NF_CT_PROTO_UDPLITE. Signed-off-by: Gao Feng ---

[PATCH 22/53] netfilter: ecache: Refine the nf_ct_deliver_cached_events

2017-05-01 Thread Pablo Neira Ayuso
avoid it. 2. Correct the return value check of notify->fcn. When the event is sent successfully, it returns 0, not a positive value. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_ecache.c | 4 ++-- 1 file

[PATCH 19/53] netfilter: nf_conntrack: remove double assignment

2017-05-01 Thread Pablo Neira Ayuso
From: Aaron Conole <acon...@bytheb.org> The protonet pointer will unconditionally be rewritten, so just do the needed assignment first. Signed-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_proto

[PATCH 10/53] netfilter: Add nfnl_msg_type() helper function

2017-05-01 Thread Pablo Neira Ayuso
Add and use nfnl_msg_type() function to replace opencoded nfnetlink message type. I suggested this change, Arushi Singhal made an initial patch to address this but was missing several spots. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/nfnetlink.h

[PATCH 02/53] netfilter: ipvs: Replace kzalloc with kcalloc.

2017-05-01 Thread Pablo Neira Ayuso
From: Varsha Rao Replace kzalloc with kcalloc, as kcalloc is preferred over kzalloc for allocating an array. This patch fixes the checkpatch issue. Signed-off-by: Varsha Rao --- net/netfilter/ipvs/ip_vs_sync.c | 4 ++-- 1 file changed, 2

[PATCH 21/53] netfilter: nf_nat: Fix return NF_DROP in nfnetlink_parse_nat_setup

2017-05-01 Thread Pablo Neira Ayuso
ed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_nat_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index fb0e65411785..5e35643da65

[PATCH 12/53] netfilter: Use seq_puts()/seq_putc() where possible

2017-05-01 Thread Pablo Neira Ayuso
From: simran singhal <singhalsimr...@gmail.com> For string without format specifiers, use seq_puts(). For seq_printf("\n"), use seq_putc('\n'). Signed-off-by: simran singhal <singhalsimr...@gmail.com> Acked-by: Simon Horman <horms+rene...@verge.net.au> Signed-o

[PATCH 13/53] net: netfilter: Use list_{next/prev}_entry instead of list_entry

2017-05-01 Thread Pablo Neira Ayuso
From: simran singhal <singhalsimr...@gmail.com> This patch replaces list_entry with list_prev_entry as it makes the code clearer to read. Signed-off-by: simran singhal <singhalsimr...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tabl

[PATCH 11/53] netfilter: Remove unnecessary cast on void pointer

2017-05-01 Thread Pablo Neira Ayuso
n singhal <singhalsimr...@gmail.com> Reviewed-by: Stephen Hemminger <step...@networkplumber.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/ebtables.c | 2 +- net/ipv4/netfilter/arp_tables.c | 21 - net

[PATCH 04/53] netfilter: nf_tables: add nft_is_base_chain() helper

2017-05-01 Thread Pablo Neira Ayuso
This new helper function allows us to check if this is a basechain. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 5 + net/netfilter/nf_tables_api.c | 30 +++--- net/netfilter/nf_tables_netdev.c | 2 +

[PATCH 01/53] netfilter: ipvs: don't check for presence of nat extension

2017-05-01 Thread Pablo Neira Ayuso
From: Florian Westphal Check for the NAT status bits, they are set once conntrack needs NAT in source or reply direction, this is slightly faster than nfct_nat() as that has to check the extension area. Signed-off-by: Florian Westphal ---

[PATCH 03/53] ipvs: remove unused variable

2017-05-01 Thread Pablo Neira Ayuso
From: Arushi Singhal This patch uses the following coccinelle script to remove a variable that was simply used to store the return value of a function call before returning it: @@ identifier len,f; @@ -int len; ... when != len when strict -len = +return

[PATCH 05/53] netfilter: expect: Make sure the max_expected limit is effective

2017-05-01 Thread Pablo Neira Ayuso
L when it exceeds the limit. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_expect.h | 1 + net/netfilter/nf_conntrack_helper.c | 3 +++ net/netfilter/nf_conntrack_irc.c| 6 +++

Re: [GIT PULL 0/2] Third Round of IPVS Updates for v4.12

2017-05-01 Thread Pablo Neira Ayuso
On Fri, Apr 28, 2017 at 12:11:57PM +0200, Simon Horman wrote: > Hi Pablo, > > please consider these enhancements to IPVS for v4.12. > If it is too late for v4.12 then please consider them for v4.13. > > * Remove unused function > * Correct comparison of unsigned value Pulled, thanks Simon.

Re: [GIT PULL v2 0/1] IPVS Fixes for v4.11

2017-04-28 Thread Pablo Neira Ayuso
On Fri, Apr 28, 2017 at 12:11:53PM +0200, Simon Horman wrote: > Hi Pablo, > > please consider this fix to IPVS for v4.11. > Or if it is too late for v4.11 please consider it for v4.12. > I would also like it considered for stable. > > * Explicitly forbid ipv6 service/dest creation if ipv6 mod is

Re: [PATCH net v3] bridge: ebtables: fix reception of frames DNAT-ed to bridge device/port

2017-04-25 Thread Pablo Neira Ayuso
On Wed, Apr 19, 2017 at 09:47:33PM +0200, Linus Lüssing wrote: > When trying to redirect bridged frames to the bridge device itself or > a bridge port (brouting) via the dnat target then this currently fails: > > The ethernet destination of the frame is dnat'ed to the MAC address of > the bridge

Re: [PATCH net-next v5 1/2] net sched actions: dump more than TCA_ACT_MAX_PRIO actions per batch

2017-04-24 Thread Pablo Neira Ayuso
On Mon, Apr 24, 2017 at 08:49:00AM -0400, Jamal Hadi Salim wrote: > On 17-04-24 05:14 AM, Simon Horman wrote: > [..] > > >Jamal, I am confused about why are you so concerned about the space > >consumed by this attribute, it's per-message, right? Is it the bigger > >picture you are worried about -

Re: [GIT 0/3] Second Round of IPVS Updates for v4.12

2017-04-15 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 02:06:25AM +0200, Pablo Neira Ayuso wrote: > On Fri, Apr 14, 2017 at 08:51:19AM +0900, Simon Horman wrote: > > On Fri, Apr 14, 2017 at 01:01:34AM +0200, Pablo Neira Ayuso wrote: > > > Hi Simon, > > > > > > On Mon, Apr 10, 2017 at

Re: [PATCH nf-next] ipset: remove unused function __ip_set_get_netlink

2017-04-15 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 04:15:41PM +0200, Jozsef Kadlecsik wrote: > Hi Pablo, > > On Fri, 14 Apr 2017, Pablo Neira Ayuso wrote: > > > On Mon, Apr 10, 2017 at 03:52:37PM -0400, Aaron Conole wrote: > > > There are no in-tree callers. > > > > @Jozsef, let me

[PATCH 3/9] netfilter: helper: Add the rcu lock when call __nf_conntrack_helper_find

2017-04-13 Thread Pablo Neira Ayuso
ds rcu lock, so their caller should hold the rcu lock, not in these two functions. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_helper.c | 17 - net/netfilter/nf_conntrack_netlink.c | 10 +

[PATCH 7/9] netfilter: nf_ct_expect: use proper RCU list traversal/update APIs

2017-04-13 Thread Pablo Neira Ayuso
rsal, use hlist_for_each_entry_rcu; for list add/del, use hlist_add_head_rcu and hlist_del_rcu. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_expect.c | 4 ++-- net/netfilter/nf_conntrack_netlink.c | 6 +++--- 2 files

[PATCH 9/9] netfilter: ipt_CLUSTERIP: Fix wrong conntrack netns refcnt usage

2017-04-13 Thread Pablo Neira Ayuso
off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 52f26

[PATCH 1/9] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

2017-04-13 Thread Pablo Neira Ayuso
: Eric Dumazet <eduma...@google.com> Reported-by: Denys Fedoryshchenko <nuclear...@nuclearcat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_TCPMSS.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_TCPMSS.c b/n

[PATCH 4/9] netfilter: ctnetlink: make it safer when checking the ct helper name

2017-04-13 Thread Pablo Neira Ayuso
So we must use rcu_read_lock and rcu_dereference to avoid such _bad_ thing happen. Fixes: f95d7a46bc57 ("netfilter: ctnetlink: Fix regression in CTA_HELP processing") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/

[PATCH 0/9] Netfilter fixes for net

2017-04-13 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Missing TCP header sanity check in TCPMSS target, from Eric Dumazet. 2) Incorrect event message type for related conntracks created via ctnetlink, from Liping Zhang. 3) Fix incorrect rcu locking when

[PATCH 8/9] netfilter: nft_hash: do not dump the auto generated seed

2017-04-13 Thread Pablo Neira Ayuso
ail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_hash.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c index eb2721af898d..c4dad1254ead 100644 --- a/net/netfilter/nf

[PATCH 6/9] netfilter: ctnetlink: skip dumping expect when nfct_help(ct) is NULL

2017-04-13 Thread Pablo Neira Ayuso
d/0x20 nfnetlink_rcv_msg+0x60a/0x6a9 [nfnetlink] ? nfnetlink_rcv_msg+0x1b9/0x6a9 [nfnetlink] [...] Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c | 6 ++ 1 file changed, 6 inserti

[PATCH 5/9] netfilter: make it safer during the inet6_dev->addr_list traversal

2017-04-13 Thread Pablo Neira Ayuso
From: Liping Zhang <zlpnob...@gmail.com> inet6_dev->addr_list is protected by inet6_dev->lock, so only using rcu_read_lock is not enough, we should acquire read_lock_bh(>lock) before the inet6_dev->addr_list traversal. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Si

[PATCH 2/9] netfilter: ctnetlink: using bit to represent the ct event

2017-04-13 Thread Pablo Neira Ayuso
.2.2.2 sport=10 dport=20 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=20 dport=10 mark=0 Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

Re: [PATCH nf-next] ipvs: remove unused function ip_vs_set_state_timeout

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 03:50:44PM -0400, Aaron Conole wrote: > There are no in-tree callers of this function and it isn't exported. Simon, let me know if you want to take this, or just add your Signed-off-by. Thanks! > Signed-off-by: Aaron Conole > --- >

Re: [GIT 0/3] Second Round of IPVS Updates for v4.12

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 08:51:19AM +0900, Simon Horman wrote: > On Fri, Apr 14, 2017 at 01:01:34AM +0200, Pablo Neira Ayuso wrote: > > Hi Simon, > > > > On Mon, Apr 10, 2017 at 09:58:32AM -0700, Simon Horman wrote: > > > Hi Pablo, > > > > > >

Re: [PATCH nf-next] ipset: remove unused function __ip_set_get_netlink

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 03:52:37PM -0400, Aaron Conole wrote: > There are no in-tree callers. @Jozsef, let me know if I should just take this to save you a pull request. Thanks. > Signed-off-by: Aaron Conole > --- > net/netfilter/ipset/ip_set_core.c | 8 > 1 file

Re: [PATCH nf-next] nf_conntrack: remove double assignment

2017-04-13 Thread Pablo Neira Ayuso
On Wed, Apr 12, 2017 at 04:32:54PM -0400, Aaron Conole wrote: > The protonet pointer will unconditionally be rewritten, so just do the > needed assignment first. Also applied, thanks.

Re: [PATCH nf-next] nf_tables: remove double return statement

2017-04-13 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [GIT 0/3] Second Round of IPVS Updates for v4.12

2017-04-13 Thread Pablo Neira Ayuso
Hi Simon, On Mon, Apr 10, 2017 at 09:58:32AM -0700, Simon Horman wrote: > Hi Pablo, > > please consider these clean-ups and enhancements to IPVS for v4.12. > > * Remove unused variable > * Use kzalloc where appropriate > * More efficient detection of presence of NAT extension > > > The

Re: [PATCH v3 1/5] netlink: extended ACK reporting

2017-04-11 Thread Pablo Neira Ayuso
On Tue, Apr 11, 2017 at 08:25:57AM -0600, David Ahern wrote: > On 4/11/17 1:02 AM, Johannes Berg wrote: > > On Tue, 2017-04-11 at 08:59 +0200, Pablo Neira Ayuso wrote: > >> CAP_ACK means: trim off the payload that the netlink error message > >> is embedding

Re: [PATCH v3 1/5] netlink: extended ACK reporting

2017-04-11 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 09:35:27AM -0600, David Ahern wrote: > On 4/10/17 9:30 AM, Johannes Berg wrote: > > On Mon, 2017-04-10 at 09:26 -0600, David Ahern wrote: > >> On 4/8/17 2:24 PM, Johannes Berg wrote: > >>> @@ -2300,14 +2332,35 @@ void netlink_ack(struct sk_buff *in_skb, > >>> struct

Re: [PATCH] net: netfilter: ipvs: Replace explicit NULL comparison

2017-04-10 Thread Pablo Neira Ayuso
Arushi, On Sun, Apr 09, 2017 at 06:21:51AM +0800, kbuild test robot wrote: > Hi Arushi, > > [auto build test WARNING on ipvs-next/master] > [also build test WARNING on v4.11-rc5 next-20170407] > [if your patch is applied to the wrong git tree, please drop us a note to > help improve the system]

Re: [PATCH] net: netfilter: Replace explicit NULL comparisons

2017-04-10 Thread Pablo Neira Ayuso
On Sun, Apr 09, 2017 at 09:12:18AM +0530, Arushi Singhal wrote: > On Sun, Apr 9, 2017 at 1:44 AM, Pablo Neira Ayuso <pa...@netfilter.org> > wrote: > > > On Sat, Apr 08, 2017 at 08:21:56PM +0200, Jan Engelhardt wrote: > > > On Saturday 2017-04-08 19:21, Arushi Singh

Re: [PATCH net] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

2017-04-08 Thread Pablo Neira Ayuso
On Mon, Apr 03, 2017 at 10:55:11AM -0700, Eric Dumazet wrote: > From: Eric Dumazet > > Denys provided an awesome KASAN report pointing to an use > after free in xt_TCPMSS > > I have provided three patches to fix this issue, either in xt_TCPMSS or > in xt_tcpudp.c. It seems

Re: [PATCH] net: netfilter: Replace explicit NULL comparisons

2017-04-08 Thread Pablo Neira Ayuso
On Sat, Apr 08, 2017 at 08:21:56PM +0200, Jan Engelhardt wrote: > On Saturday 2017-04-08 19:21, Arushi Singhal wrote: > > >Replace explicit NULL comparison with ! operator to simplify code. > > I still wouldn't do this, for the same reason as before. Comparing to > NULL explicitly more or less

Re: [PATCH] net: ipv6: Remove unnecessary comments

2017-04-08 Thread Pablo Neira Ayuso
On Sat, Apr 08, 2017 at 09:19:30PM +0530, Arushi Singhal wrote: > These comments are obsolete and should go, as there are no set of rules per > CPU anymore. Applied, thanks.

Re: [RFC 0/3] netlink: extended error reporting

2017-04-07 Thread Pablo Neira Ayuso
On Fri, Apr 07, 2017 at 09:29:17PM +0200, Johannes Berg wrote: > On Fri, 2017-04-07 at 21:21 +0200, Pablo Neira Ayuso wrote: > > I think the most flexible way is to pass the container error > > structure to nla_parse() so it sets this for you. This would also > > save tons of

Re: [RFC 0/3] netlink: extended error reporting

2017-04-07 Thread Pablo Neira Ayuso
On Fri, Apr 07, 2017 at 12:20:53PM -0700, David Miller wrote: [...] > Let's just discuss the UAPI, since people complain we don't talk > about that enough :-) For those playing at home it is three new > attributes returned in a netlink ACK when the application asks > for the extended response: >

Re: [RFC 0/3] netlink: extended error reporting

2017-04-07 Thread Pablo Neira Ayuso
On Fri, Apr 07, 2017 at 12:22:23PM -0700, David Miller wrote: > From: Johannes Berg <johan...@sipsolutions.net> > Date: Fri, 07 Apr 2017 21:09:45 +0200 > > > On Fri, 2017-04-07 at 21:06 +0200, Pablo Neira Ayuso wrote: > >> On Fri, Apr 07, 2017 at 08:59:1

Re: [RFC 0/3] netlink: extended error reporting

2017-04-07 Thread Pablo Neira Ayuso
On Fri, Apr 07, 2017 at 09:09:45PM +0200, Johannes Berg wrote: > On Fri, 2017-04-07 at 21:06 +0200, Pablo Neira Ayuso wrote: > > On Fri, Apr 07, 2017 at 08:59:12PM +0200, Johannes Berg wrote: > > [...] > > > Heh. I think I really want to solve - at least partially - > &

Re: [RFC 0/3] netlink: extended error reporting

2017-04-07 Thread Pablo Neira Ayuso
On Fri, Apr 07, 2017 at 08:59:12PM +0200, Johannes Berg wrote: [...] > Heh. I think I really want to solve - at least partially - nla_parse() > to see that it can be done this way. It'd be nice to even transform all > the callers (I generated half of these patches with spatch anyway) to > have at

Re: [RFC 0/3] netlink: extended error reporting

2017-04-07 Thread Pablo Neira Ayuso
) We can just send follow up patches to refine, I think it's a good start, Johannes? BTW, for this co-authored effort in designing this: Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Thanks!

Re: [PATCH] net: ipv6: Removed unnecessary parenthesis

2017-04-07 Thread Pablo Neira Ayuso
On Wed, Mar 29, 2017 at 02:32:43PM +0530, Arushi Singhal wrote: > Removed parentheses on the right hand side of assignment, as they are > not required. The following coccinelle script was used to fix this > issue: > > @@ > local idexpression id; > expression e; > @@ > > id = > -( > e > -) You

Re: [PATCH 1/4] net: netfilter:Remove exceptional & on function name

2017-04-07 Thread Pablo Neira Ayuso
On Sun, Apr 02, 2017 at 02:52:12PM +0530, Arushi Singhal wrote: > Remove & from function pointers to conform to the style found elsewhere > in the file. Done using the following semantic patch > > // > @r@ > identifier f; > @@ > > f(...) { ... } > @@ > identifier r.f; > @@ > > - > + f > //

Re: [Outreachy kernel] [PATCH] net: ipv6: netfilter: Format block comments.

2017-04-07 Thread Pablo Neira Ayuso
On Wed, Mar 29, 2017 at 02:09:43PM +0530, Arushi Singhal wrote: > Fix checkpatch warnings: > WARNING: Block comments use a trailing */ on a separate line > WARNING: Block comments use * on subsequent lines > > Signed-off-by: Arushi Singhal > --- >

Re: [PATCH] net: netfilter: Use list_{next/prev}_entry instead of list_entry

2017-04-07 Thread Pablo Neira Ayuso
On Wed, Mar 29, 2017 at 11:15:40AM +0530, simran singhal wrote: > This patch replaces list_entry with list_prev_entry as it makes the > code clearer to read. Also applied, thanks.

Re: [PATCH] net: netfilter: Use seq_puts()/seq_putc() where possible

2017-04-07 Thread Pablo Neira Ayuso
On Wed, Mar 29, 2017 at 03:25:17AM +0530, simran singhal wrote: > For string without format specifiers, use seq_puts(). For > seq_printf("\n"), use seq_putc('\n'). Applied, thanks.

Re: [PATCH v2] net: Remove unnecessary cast on void pointer

2017-04-07 Thread Pablo Neira Ayuso
On Wed, Mar 29, 2017 at 12:35:16AM +0530, simran singhal wrote: > The following Coccinelle script was used to detect this: > @r@ > expression x; > void* e; > type T; > identifier f; > @@ > ( > *((T *)e) > | > ((T *)x)[...] > | > ((T*)x)->f > | > > - (T*) > e > ) > > Unnecessary

Re: [PATCH] net: ipv4: netfilter: Remove unused function nf_nat_need_gre()

2017-04-06 Thread Pablo Neira Ayuso
On Sat, Apr 01, 2017 at 07:06:33PM +0530, simran singhal wrote: > The function nf_nat_need_gre() on being called, simply returns > back. The function doesn't have FIXME code around. > Hence, nf_nat_need_gre() and its calls have been removed. > > Signed-off-by: simran singhal

Re: [Outreachy kernel] [PATCH] net: netfilter: Remove typedef from "typedef struct bitstr_t".

2017-04-06 Thread Pablo Neira Ayuso
On Tue, Mar 28, 2017 at 11:54:13PM +0530, Arushi Singhal wrote: > This patch removes typedefs from struct and renames it from "typedef struct > bitstr_t" to "struct bitstr" as per kernel coding standards. > > Signed-off-by: Arushi Singhal > --- >

Re: [Outreachy kernel] [PATCH v3] net: netfilter: Add nfnl_msg_type() helper function

2017-04-06 Thread Pablo Neira Ayuso
b, u32 portid, u32 > seq, u32 type, > struct nlattr *nest_parms; > unsigned int flags = portid ? NLM_F_MULTI : 0, event; > > - event = NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_NEW; I can find many more spots to be replaced via: git grep NFNL_SUBSYS_ net/netfilter/ Patch

Re: [PATCH v2] net: netfilter: Remove multiple assignment.

2017-04-06 Thread Pablo Neira Ayuso
Hi Arushi, On Tue, Mar 28, 2017 at 04:03:27AM +0530, Arushi Singhal wrote: > This patch removes multiple assignments to follow the kernel coding > style as also reported by checkpatch.pl. > Done using coccinelle. > @@ > identifier i1,i2; > constant c; > @@ > - i1=i2=c; > + i1=c; > + i2=i1; I see

Re: [PATCH 1/2] net: netfilter: Remove typedef from "typedef struct field_t"

2017-04-06 Thread Pablo Neira Ayuso
On Sat, Mar 25, 2017 at 05:57:55PM +0530, Arushi Singhal wrote: > This patch removes typedefs from struct and renames it from "typedef struct > field_t" to "struct field" as per kernel coding standards. > > Signed-off-by: Arushi Singhal > --- >

Re: [PATCH] net: netfilter: Replace explicit NULL comparison with ! operator

2017-04-04 Thread Pablo Neira Ayuso
On Tue, Apr 04, 2017 at 01:41:11PM -0400, Simon Horman wrote: > On Wed, Mar 29, 2017 at 03:45:01PM +0530, Arushi Singhal wrote: > > Replace explicit NULL comparison with ! operator to simplify code. > > > > Signed-off-by: Arushi Singhal > > --- > >

Re: [PATCH v2] net: netfilter: remove unused variable

2017-03-30 Thread Pablo Neira Ayuso
On Thu, Mar 30, 2017 at 07:38:08PM +0530, Arushi Singhal wrote: > On Thu, Mar 30, 2017 at 6:25 PM, Simon Horman wrote: > > > On Wed, Mar 29, 2017 at 08:27:52PM +0530, Arushi Singhal wrote: > > > This patch uses the following coccinelle script to remove > > > a variable that

[PATCH 6/8] netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister

2017-03-29 Thread Pablo Neira Ayuso
he future. Last, we use kfree_rcu to free nf_ct_ext, so rcu_barrier() is no longer necessary; remove it too. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ne

[PATCH 8/8] netfilter: nfnetlink_queue: fix secctx memory leak

2017-03-29 Thread Pablo Neira Ayuso
ng Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_queue.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 3ee0b8a000a4..9

[PATCH 7/8] netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register

2017-03-29 Thread Pablo Neira Ayuso
nic. Now remove the useless snmp_helper and the unregister call in the error handler. Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper") Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/i

[PATCH 3/8] netfilter: nfnl_cthelper: Fix memory leak

2017-03-29 Thread Pablo Neira Ayuso
From: Jeffy Chen <jeffy.c...@rock-chips.com> We have memory leaks of nf_conntrack_helper & expect_policy. Signed-off-by: Jeffy Chen <jeffy.c...@rock-chips.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_cthelper.c | 12 +

[PATCH 5/8] netfilter: nfnl_cthelper: fix a race when walking the nf_ct_helper_hash table

2017-03-29 Thread Pablo Neira Ayuso
we can walk the dummy list instead of walking the nf_ct_helper_hash. Also, keep nfnl_cthelper_dump_table unchanged, it may be invoked without nfnl_lock(NFNL_SUBSYS_CTHELPER) held. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
