gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 +
net/netfilter/nf_conntrack_ecache.c| 2 ++
net/netfilter/nf_conntrack_netlink.c | 1 +
net/netfilter/nf_nat_core.c| 2 ++
net/netfilter/nfnetlink_cttimeout.c
ash table
netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister
netfilter: nfnetlink_queue: fix secctx memory leak
Pablo Neira Ayuso (1):
netfilter: nfnl_cthelper: fix runtime expectation policy updates
net/ipv4/netfilter/nf_nat_snmp_basic.c | 20 +--
net/netfil
We only allow runtime updates of expectation policies for timeout and
maximum number of expectations, otherwise reject the update.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Acked-by: Liping Zhang <zlpnob...@gmail.com>
---
net/netfilter/nfnetlink_cth
to a proper value.
So if nla_get_be32(tb[NFCTH_POLICY_SET_NUM]) is zero, report -EINVAL to
the userspace.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_cthelper.c | 20 +++-
1 file
On Tue, Mar 28, 2017 at 06:30:56PM +0530, Arushi Singhal wrote:
> To remove complexity of code the function is added in nfnetlink.h
> to make code more clear and readable.
Patch looks good, you can also use this new function from other
_fill_info() functions in the netfilter code, eg.
On Tue, Mar 21, 2017 at 05:49:52PM +0530, simran singhal wrote:
> This patch series removes unnecessary casts on void pointers.
>
> simran singhal (2):
> netfilter: ipset: Remove unnecessary cast on void pointer
> netfilter: Remove unnecessary cast on void pointer
Please, merge these two patches
On Mon, Mar 27, 2017 at 05:48:41PM +0530, Arushi Singhal wrote:
> On Mon, Mar 27, 2017 at 5:38 PM, Pablo Neira Ayuso <pa...@netfilter.org>
> wrote:
>
> > On Sat, Mar 25, 2017 at 06:19:47PM +0530, Arushi Singhal wrote:
> > > This patch removes multiple assignment
On Sat, Mar 25, 2017 at 06:19:47PM +0530, Arushi Singhal wrote:
> This patch removes multiple assignments.
> Done using coccinelle.
> @@
> identifier i1,i2;
> constant c;
> @@
> - i1=i2=c;
> + i1=c;
> + i2=c;
You have to explain why this is bad.
Hi Arushi,
On Sat, Mar 25, 2017 at 07:23:13PM +0530, Arushi Singhal wrote:
> diff --git a/net/netfilter/nf_conntrack_netlink.c
> b/net/netfilter/nf_conntrack_netlink.c
> index 6806b5e73567..aa344c5868c5 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++
On Tue, Mar 21, 2017 at 08:22:29AM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
> helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
> snmp_helper is never registered. But it still tries
On Fri, Mar 24, 2017 at 02:57:41PM +0100, Jonas Bonn wrote:
> On 03/24/2017 11:41 AM, Pablo Neira Ayuso wrote:
> >On Fri, Mar 24, 2017 at 10:33:56AM +0100, Jonas Bonn wrote:
> >>Changes since v2:
> >>
> >>* Move #define of legacy netlink attribute into enum
>
On Fri, Mar 24, 2017 at 01:21:30PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Mar 21, 2017 at 08:22:29AM +0800, f...@ikuai8.com wrote:
> > From: Gao Feng <f...@ikuai8.com>
> >
> > In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
> >
On Tue, Mar 21, 2017 at 08:22:29AM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
> helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
> snmp_helper is never registered. But it still tries
On Fri, Mar 24, 2017 at 11:15:25AM +0100, Harald Welte wrote:
> Hi Jonas,
>
> looks fine to me, but I haven't tested it. Did you manually test it
> using the extended libgtpnl + tools?
>
> Also, in code like this:
>
> + if (gtp->role == GTP_ROLE_SGSN) {
> + pctx =
On Fri, Mar 24, 2017 at 10:33:56AM +0100, Jonas Bonn wrote:
> Changes since v2:
>
> * Move #define of legacy netlink attribute into enum
> * Added note to commit message about load-testing use-case
> * Ack from Pablo
Thanks a lot Jonas!
David, please apply. Thanks!
low
up version.
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
On Tue, Mar 21, 2017 at 02:14:34PM +0530, simran singhal wrote:
> This patch series cleans up tests if NULL returned on failure.
$ git grep "== NULL" net/netfilter/ | wc -l
461
This is cleaning up just some of them, we still seem to have quite a
bit of them.
Main problem with these changes is
On Tue, Mar 21, 2017 at 04:10:26PM +0100, Jonas Bonn wrote:
> On 03/21/2017 04:07 PM, Pablo Neira Ayuso wrote:
> >On Tue, Mar 21, 2017 at 04:04:29PM +0100, Jonas Bonn wrote:
> >>diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h
> >>index 72a04a0..c51eb
On Tue, Mar 21, 2017 at 04:04:29PM +0100, Jonas Bonn wrote:
> diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h
> index 72a04a0..c51ebb0 100644
> --- a/include/uapi/linux/gtp.h
> +++ b/include/uapi/linux/gtp.h
> @@ -19,7 +19,7 @@ enum gtp_attrs {
> GTPA_LINK,
>
On Tue, Mar 21, 2017 at 01:09:47AM +0100, Linus Lüssing wrote:
> On Sun, Mar 19, 2017 at 05:55:06PM +0100, Linus Lüssing wrote:
> > On Fri, Mar 17, 2017 at 02:10:44PM +0100, Pablo Neira Ayuso wrote:
> > > Wait.
> > >
> > > May this break local multicast l
On Mon, Mar 20, 2017 at 01:37:01PM +0100, Arnd Bergmann wrote:
> The refcount variable was accidentally introduced without any reference
> to it. Removing it again avoids this warning:
>
> net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del':
> net/netfilter/nfnetlink_acct.c:329:15:
From: Laura Garcia Liebana <nev...@gmail.com>
This patch renames the local nft_hash structure and functions
to nft_jhash in order to prepare the nft_hash module code to
add new hash functions.
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
Signed-off-by: Pablo Nei
of symmetric hash
Liping Zhang (3):
netfilter: nf_tables: validate the expr explicitly after init successfully
netfilter: limit: use per-rule spinlock to improve the scalability
netfilter: nft_set_rbtree: use per-set rwlock to improve the scalability
Pablo Neira Ayuso (1
ically Dead Code")
Signed-off-by: Colin Ian King <colin.k...@canonical.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp
22570582a net/netfilter/nf_conntrack_core.o
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 57 ++-
1 file changed, 26 insertions(+), 31 deletions(-)
e can also handle families that observe both ipv4 and ipv6 traffic.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 12 ++-
net/netfilter/nft_ct.c | 171 ++
From: Taehee Yoo <ap420...@gmail.com>
variable oiph is not used.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nf_reject_ipv4.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/ipv4/netfil
From: Hangbin Liu
Document sysctl pmtu_disc based on commit 3654e61137db ("ipvs: add
pmtu_disc option to disable IP DF for TUN packets").
Signed-off-by: Hangbin Liu
Signed-off-by: Simon Horman
---
as tested by nftables/tests/py/nft-test.py and
nftables/tests/shell/run-tests.sh.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/bridge/netfilter/nft_reject_bridge.c | 6 +-
net/netfilter/nf_tables_api.c| 11 +
This new function consolidates set lookup via either name or ID by
introducing a new nft_set_lookup() function. Replace existing spots
where we can use this too.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 9 +
net/net
From: Cong Wang
At most it is used for debugging purpose, but I don't think
it is even useful for debugging, just remove it.
Signed-off-by: Cong Wang
Signed-off-by: Simon Horman
---
net/netfilter/ipvs/ip_vs_core.c | 2 --
From: Hangbin Liu
Document sysctl sync_ports based on commit f73181c8288f ("ipvs: add support
for sync threads").
Signed-off-by: Hangbin Liu
Signed-off-by: Simon Horman
---
Documentation/networking/ipvs-sysctl.txt | 8
ed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 13 +
net/netfilter/nft_hash.c | 99 +++-
2 files changed, 111 insertions(+), 1
y: Joe Perches <j...@perches.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/bridge/netfilter/ebt_log.c | 34 +-
net/ipv4/netfilter/nf_nat_snmp_basic.c | 15 ++-
2 files changed, 19 insertions(+), 30 deletions(-)
o use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Hans Liljestrand <ishkam...@gmail.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
Signed-off-by: David Windsor <dwind...@gmail.com>
Signed-off-by: Pablo Neira Ayus
between them. Also use per-set rwlock since
each set is independent.
Reported-by: Karel Rericha <ka...@unitednetworks.cz>
Tested-by: Karel Rericha <ka...@unitednetworks.cz>
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilte
netfilter: refcounter conversions")
Signed-off-by: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_acct.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilt
From: Liping Zhang <zlpnob...@gmail.com>
The limit token is independent between each rule, so there's no
need to use a global spinlock.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_limit.c |
From: Phil Sutter <p...@nwl.cc>
Instead of the actual interface index or name, set destination register
to just 1 or 0 depending on whether the lookup succeeded or not if
NFTA_FIB_F_PRESENT was set in userspace.
Signed-off-by: Phil Sutter <p...@nwl.cc>
Signed-off-by: Pablo Nei
From: Hangbin Liu
Fix sync_threshold description which should have two values. Also add
sync_refresh_period and sync_retries based on commit 749c42b620a9
("ipvs: reduce sync rate with time thresholds").
Signed-off-by: Hangbin Liu
Signed-off-by: Simon
From: Florian Westphal <f...@strlen.de>
this is needed by the upcoming ct helper object type --
we'd like to be able to use the table family (ip, ip6, inet) to figure
out which helper has to be requested.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Nei
From: Hangbin Liu
Document sysctl sync_qlen_max and sync_sock_size based on
commit 1c003b1580e2 ("ipvs: wakeup master thread").
Signed-off-by: Hangbin Liu
Signed-off-by: Simon Horman
---
Documentation/networking/ipvs-sysctl.txt
From: Florian Westphal <f...@strlen.de>
as comment says, the function is always called with rcu read lock held.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/bridge/br_netfilter_hooks.c | 3 ---
1 file ch
From: Phil Sutter <p...@nwl.cc>
Honor NFT_EXTHDR_F_PRESENT flag so we check if the TCP option is
present.
Signed-off-by: Phil Sutter <p...@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_exthdr.c | 13 ++---
1 file changed, 1
On Wed, Mar 15, 2017 at 11:06:05PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 15, 2017 at 10:16:19PM +0100, Linus Lüssing wrote:
> > On Wed, Mar 15, 2017 at 07:15:39PM +0100, Pablo Neira Ayuso wrote:
> > > Could you update ebtables dnat to check if the ethernet address
>
On Thu, Mar 16, 2017 at 01:43:10PM +0100, Simon Horman wrote:
> Hi Pablo,
>
> please consider these enhancements to the IPVS for v4.12.
>
> * Update sysctl documentation
> * Remove unnecessary printk in __ip_vs_init
>
> The following changes since commit
On Wed, Mar 15, 2017 at 10:16:19PM +0100, Linus Lüssing wrote:
> On Wed, Mar 15, 2017 at 07:15:39PM +0100, Pablo Neira Ayuso wrote:
> > Could you update ebtables dnat to check if the ethernet address
> > matches the one of the input bridge interface, so we mangle the
> > -
Hi Harald,
On Wed, Mar 15, 2017 at 08:10:38PM +0100, Harald Welte wrote:
> I've modified the patch slightly, see below (compile-tested, but not
> otherwise tested yet). Basically rename the flags attribute to 'role',
> expand the commit log and removed unrelated cosmetic changes.
>
> I've also
macvlan.c file seems to be both in VLAN and MACVLAN DRIVER, so remove
the MACVLAN DRIVER since this is redundant.
I propose with this patch to remove the VLAN (802.1Q) entry so this just
falls into the NETWORKING [GENERAL].
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
On Wed, Mar 15, 2017 at 03:27:20PM +0100, Linus Lüssing wrote:
> On Wed, Mar 15, 2017 at 11:42:11AM +0100, Pablo Neira Ayuso wrote:
> > I'm missing then why redirect is not then just enough for Linus usecase.
>
> For my usecase, the MAC address is configured by the user from a
&
On Wed, Mar 15, 2017 at 05:39:16PM +0100, Harald Welte wrote:
> Hi Jonas,
>
> are you working on the review feedback that was provided back in early
> February? I think there were some comments like
> * remove unrelated cosmetic change in comment
> * change from FLAGS to a dedicated MODE netlink
a u8 or
u16 integer.
Fixes: 665153ff5752 ("netfilter: nf_tables: add bitmap set type")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_set_bitmap.c | 27 +--
1 file chang
nstead we have to cap by the largest fragment size seen.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/bridge/br_netfilter_hooks.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/bridge
en trying to match encapsulated headers:
1) A packet that looks like IPv4 + AH + TCP dport 22 will *not* match.
2) A packet that looks like IPv6 + AH + TCP dport 22 will match.
Reported-by: Phil Sutter <p...@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfi
len
netfilter: nf_tables: fix mismatch in big-endian system
netfilter: nft_ct: do cleanup work when NFTA_CT_DIRECTION is invalid
Pablo Neira Ayuso (3):
netfilter: nf_tables: set pktinfo->thoff at AH header if found
netfilter: nft_set_bitmap: keep a list of dummy elements
per functions to store/load an u8 or u16
integer to/from the u32 data register, and use them in the right
place.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 29 +++
.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 5 -
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4
since we don't need to allocate the dummy nft_set_ext structure
anymore on the fly at the cost of increasing memory consumption because
of the list of dummy struct nft_set_ext.
Fixes: 665153ff5752 ("netfilter: nf_tables: add bitmap set type")
Signed-off-by: Pablo Neira Ayuso <pa...@
This reverts commit 1f48ff6c5393aa7fe290faf5d633164f105b0aa7.
This patch is not required anymore now that we keep a dummy list of
set elements in the bitmap set implementation, so revert this before
we forget this code has no clients.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.
...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_ct.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 91585b5e5307..0264258c46fe 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/n
when packet is ICMP, the computation of checksum
is ignored as well.
Signed-off-by: Ying Xue <ying@windriver.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_nat_proto_sctp.c | 13 -
1 file changed, 12 insertions(+), 1 deletion(-)
di
nfo into nfct pointer storage area")
Signed-off-by: Steven Rostedt (VMware) <rost...@goodmis.org>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 2 +-
net/netfilter/nf_conntr
e,
>
> So where do we go from here? should I resubmit the patch?
IIRC this patch didn't get into the merge window in time, so it's
reasonable to resubmit I think.
You may want to add this to the patch:
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
Thanks Or.
On Wed, Mar 15, 2017 at 11:26:08AM +0100, Florian Westphal wrote:
> Linus Lüssing wrote:
> > When trying to redirect bridged frames to the bridge device itself
> > via the ebtables nat-prerouting chain and the dnat target then this
> > currently fails:
> >
> > The
On Wed, Mar 15, 2017 at 04:18:11AM +0100, Linus Lüssing wrote:
> When trying to redirect bridged frames to the bridge device itself
> via the ebtables nat-prerouting chain and the dnat target then this
> currently fails:
>
> The ethernet destination of the frame is dnat'ed to the MAC address of
>
On Tue, Mar 14, 2017 at 01:28:25PM +0100, Andreas Schultz wrote:
> - On Mar 14, 2017, at 12:43 PM, pablo pa...@netfilter.org wrote:
[...]
> A GTP entity serves multiple local IP endpoints, It manages outgoing tunnels
> by the local APN/VRF, source IP, destination IP and remote tunnel id,
On Tue, Mar 14, 2017 at 01:42:44PM +0100, Andreas Schultz wrote:
> > It is definitely not acceptable to break the existing API.
>
> The specific use case of the API that is no longer supported was never used by
> anyone. [...]
Yes, this was used by openggsn and I tested this with a full blown FOSS
On Tue, Mar 14, 2017 at 12:25:44PM +0100, Andreas Schultz wrote:
[...]
> API impact:
> ---
>
> This is probably the most problematic part of this series...
>
> The removal of the TEID from the netdevice also means that the gtp genl API
> for retrieving tunnel information and removing
On Tue, Mar 14, 2017 at 12:25:46PM +0100, Andreas Schultz wrote:
> @@ -1254,6 +1293,8 @@ static struct nla_policy gtp_genl_policy[GTPA_MAX + 1]
> = {
> [GTPA_NET_NS_FD]= { .type = NLA_U32, },
> [GTPA_I_TEI]= { .type = NLA_U32, },
> [GTPA_O_TEI]=
On Tue, Mar 14, 2017 at 12:25:45PM +0100, Andreas Schultz wrote:
> @@ -275,9 +280,9 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp,
> struct sk_buff *skb)
>
> gtp1 = (struct gtp1_header *)(skb->data + sizeof(struct udphdr));
>
> - pctx = gtp1_pdp_find(gtp, ntohl(gtp1->tid));
t.com>
> Debugged-by: Hannes Frederic Sowa <han...@stressinduktion.org>
> Signed-off-by: Florian Westphal <f...@strlen.de>
> ---
> David, I know you *love* the fake_rtable turd, but I think
> this patch should go directly via net and not nf tree.
> After all, this a
olve that I had to
> switch the socket references from the struct socket to the internal
> struct sock. This should have no functional impact, but we can now hang
> on to the reference without blocking user space from closing the GTP socket.
Acked-by: Pablo Neira Ayuso <pa...@netfilte
On Sat, Mar 11, 2017 at 10:12:22AM +0100, Florian Westphal wrote:
> Steven Rostedt (VMware) wrote:
> > Since the nfct and nfctinfo have been combined, the nf_conn structure
> > must be at least 8 bytes aligned, as the 3 LSB bits are used for the
> > nfctinfo. But there's a
On Sat, Mar 04, 2017 at 06:00:02PM +0800, Ying Xue wrote:
> Regarding RFC 792, the first 64 bits of the original SCTP datagram's
> data could be contained in ICMP packet, such as:
>
> 0 1 2 3
> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
On Tue, Feb 28, 2017 at 02:09:24PM -0800, Joe Perches wrote:
> Logging output was changed when simple printks without KERN_CONT
> are now emitted on a new line and KERN_CONT is required to continue
> lines so use pr_cont.
>
> Miscellanea:
>
> o realign arguments
> o use print_hex_dump instead of
On Tue, Feb 28, 2017 at 11:31:15AM +, Colin King wrote:
> From: Colin Ian King
>
> ret is initialized to zero and if it is set to non-zero in the
> xt_entry_foreach loop then we exit via the out_free label. Hence
> the check for ret being non-zero is redundant and
)
Christophe Leroy (1):
netfilter: nf_conntrack_sip: fix wrong memory initialisation
Florian Westphal (1):
netfilter: use skb_to_full_sk in ip_route_me_harder
Pablo Neira Ayuso (2):
netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups
netfilter: nf_tables
f-by: Florian Westphal <f...@strlen.de>
Tested-by: Daniel J Blueman <dan...@quora.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilte
ted-by: Alexander Alemayhu <alexan...@alemayhu.com>
Tested-by: Alexander Alemayhu <alexan...@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 6 +-
net/netfilter/nf_tables_api.c | 133 --
-by: Simon Hanisch <hani...@wh2.tu-dresden.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_set_rbtree.c | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index
, 4 * sizeof(sip[i]));
But as the sip[] table is allocated in the BSS, it is already set to 0
Fixes: 82de0be6862cd ("netfilter: Add helper array register/unregister
functions")
Signed-off-by: Christophe Leroy <christophe.le...@c-s.fr>
Signed-off-by: Pablo Neira Ayuso <pa..
On Wed, Mar 01, 2017 at 03:33:26PM +0100, Christophe Leroy wrote:
> In commit 82de0be6862cd ("netfilter: Add helper array
> register/unregister functions"),
> struct nf_conntrack_helper sip[MAX_PORTS][4] was changed to
> sip[MAX_PORTS * 4], so the memory init should have been changed to
>
On Wed, Mar 01, 2017 at 04:02:53PM +0100, Nicolas Dichtel wrote:
> On 27/01/2017 at 17:51, Nicolas Dichtel wrote:
> > On 26/01/2017 at 17:38, Pablo Neira Ayuso wrote:
> >> From: Florian Westphal <f...@strlen.de>
> >>
> >> This further refin
On Mon, Feb 27, 2017 at 10:41:48PM +0800, Daniel J Blueman wrote:
> On 17 February 2017 at 15:39, Florian Westphal wrote:
> > Daniel J Blueman wrote:
> >
> > [ CC nf-devel, pablo ]
> >
> >> When booting a VM in libvirt/KVM attached to a local bridge and KASAN
>
by: Dmitry V. Levin <l...@altlinux.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/uapi/linux/netfilter.h b/include/uapi/linux/netfilter.h
index 7550e9176a54..c111a91adcc0 100644
--
ot in a function)
char name[NAME_MAX];
Signed-off-by: Dmitry V. Levin <l...@altlinux.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/xt_hashlimit.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/netfilter/xt_hashl
test cases.
Fix this by always returning zero on the success code path.
Fixes: 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert() returns
void")
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
Signed-off-by: Pablo Neira Ayuso &l
ect: nf_ct_expect_related_report(): Return zero on
success.
netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
Pablo Neira Ayuso (1):
netfilter: nft_set_bitmap: incorrect bitmap size
include/uapi/linux/netfilter.h | 1 -
include/uapi/linux/netfilter/xt_hashlimit.h
priv->bitmap_size stores the real bitmap size, instead of the full
struct nft_bitmap object.
Fixes: 665153ff5752 ("netfilter: nf_tables: add bitmap set type")
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_set_bitmap.c | 2 +-
1 file changed
this
regression in the future by changing the return value of
__nf_ct_expect_check() to 0 on success.
Signed-off-by: Jarno Rajahalme <ja...@ovn.org>
Acked-by: Joe Stringer <j...@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_ex
y: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_ct.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index c6b8022c0e47..bf548a7a71ec 100644
--- a/net/netfilter/nft
On Thu, Feb 23, 2017 at 03:21:13PM +0100, Andreas Schultz wrote:
> - On Feb 23, 2017, at 2:49 PM, pablo pa...@netfilter.org wrote:
[...]
> > According to specs, section 4.4.2.3 Encapsulated T-PDU, TS 29.281.
> >
> > "The UDP Source Port is a locally allocated port number at the sending
> >
On Thu, Feb 23, 2017 at 10:35:56AM +0100, Andreas Schultz wrote:
> - On Feb 22, 2017, at 10:47 PM, Tom Herbert t...@herbertland.com wrote:
[...]
> > This shouldn't be taken as a HW requirement and it's unlikely we'd add
> > explicit GTP support in flow_dissector. If we can't get entropy in the
On Wed, Feb 22, 2017 at 01:47:17PM -0800, Tom Herbert wrote:
> On Wed, Feb 22, 2017 at 1:29 PM, Or Gerlitz wrote:
> > On Thu, Feb 16, 2017 at 11:58 PM, Andreas Schultz wrote:
> >> Hi Or,
> >> - On Feb 16, 2017, at 3:59 PM, Or Gerlitz
<f...@strlen.de>
> > > AuthorDate: Fri Feb 3 13:35:50 2017 +0100
> > > Committer: Pablo Neira Ayuso <pa...@netfilter.org>
> > > CommitDate: Wed Feb 8 14:16:23 2017 +0100
> > >
> > Unlike for the other cases of the switch statement, "len" is
queue: fix NFQA_VLAN_MAX definition
Kevin Cernekee (2):
netfilter: ctnetlink: Fix regression in CTA_STATUS processing
netfilter: ctnetlink: Fix regression in CTA_HELP processing
Liping Zhang (1):
netfilter: nfnetlink: remove static declaration from err_list
Pablo Neira Ayuso (1):
From: Vishwanath Pai
If we use before/after to add an element to an empty list it will cause
a kernel panic.
$> cat crash.restore
create a hash:ip
create b hash:ip
create test list:set timeout 5 size 4
add test b before a
$> ipset -R < crash.restore
Executing the above will
ng
separated, so that the whole logic can be simplified and code (condition)
duplication reduced.
[1] https://cansecwest.com/csw12/conntrack-attack.pdf
[2] https://home.regit.org/netfilter-en/secure-use-of-helpers/
Signed-off-by: Jiri Kosina <jkos...@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pa..
_NFTABLES).
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index a09fa
the bits that they are allowed to change.
Signed-off-by: Kevin Cernekee <cerne...@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_conntrack_common.h | 4
net/netfilter/nf_conntrack_netlink.c | 26 +-