[PATCH 4/8] netfilter: invoke synchronize_rcu after set the _hook_ to NULL

2017-03-29 Thread Pablo Neira Ayuso
gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 + net/netfilter/nf_conntrack_ecache.c| 2 ++ net/netfilter/nf_conntrack_netlink.c | 1 + net/netfilter/nf_nat_core.c| 2 ++ net/netfilter/nfnetlink_cttimeout.c

[PATCH 0/8] Netfilter fixes for net

2017-03-29 Thread Pablo Neira Ayuso
ash table netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister netfilter: nfnetlink_queue: fix secctx memory leak Pablo Neira Ayuso (1): netfilter: nfnl_cthelper: fix runtime expectation policy updates net/ipv4/netfilter/nf_nat_snmp_basic.c | 20 +-- net/netfil

[PATCH 2/8] netfilter: nfnl_cthelper: fix runtime expectation policy updates

2017-03-29 Thread Pablo Neira Ayuso
We only allow runtime updates of expectation policies for timeout and maximum number of expectations, otherwise reject the update. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Acked-by: Liping Zhang <zlpnob...@gmail.com> --- net/netfilter/nfnetlink_cth

[PATCH 1/8] netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max

2017-03-29 Thread Pablo Neira Ayuso
to a proper value. So if nla_get_be32(tb[NFCTH_POLICY_SET_NUM]) is zero, report -EINVAL to the userspace. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_cthelper.c | 20 +++- 1 file

Re: [Outreachy kernel] [PATCH] net: netfilter: Remove complexity

2017-03-28 Thread Pablo Neira Ayuso
On Tue, Mar 28, 2017 at 06:30:56PM +0530, Arushi Singhal wrote: > To remove complexity of code the function is added in nfnetlink.h > to make code more clear and readable. Patch looks good, you can also use this new function from other _fill_info() functions in the netfilter code, eg.

Re: [PATCH 0/2] netfilter: Remove unnecessary cast on void pointer

2017-03-27 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 05:49:52PM +0530, simran singhal wrote: > This patch series removes unnecessary cast on void pointer. > > simran singhal (2): > netfilter: ipset: Remove unnecessary cast on void pointer > netfilter: Remove unnecessary cast on void pointer Please, merge these two patches

Re: [Outreachy kernel] Re: [PATCH] net: netfilter: Remove multiple assignment.

2017-03-27 Thread Pablo Neira Ayuso
On Mon, Mar 27, 2017 at 05:48:41PM +0530, Arushi Singhal wrote: > On Mon, Mar 27, 2017 at 5:38 PM, Pablo Neira Ayuso <pa...@netfilter.org> > wrote: > > > On Sat, Mar 25, 2017 at 06:19:47PM +0530, Arushi Singhal wrote: > > > This patch removes multiple assignment

Re: [PATCH] net: netfilter: Remove multiple assignment.

2017-03-27 Thread Pablo Neira Ayuso
On Sat, Mar 25, 2017 at 06:19:47PM +0530, Arushi Singhal wrote: > This patch removes multiple assignments. > Done using coccinelle. > @@ > identifier i1,i2; > constant c; > @@ > - i1=i2=c; > + i1=c; > + i2=c; You have to explain why this is bad.

Re: [PATCH] net: netfilters: Remove extra parenthesis

2017-03-27 Thread Pablo Neira Ayuso
Hi Arushi, On Sat, Mar 25, 2017 at 07:23:13PM +0530, Arushi Singhal wrote: > diff --git a/net/netfilter/nf_conntrack_netlink.c > b/net/netfilter/nf_conntrack_netlink.c > index 6806b5e73567..aa344c5868c5 100644 > --- a/net/netfilter/nf_conntrack_netlink.c > +++

Re: [PATCH nf v3 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register

2017-03-24 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 08:22:29AM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp > helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the > snmp_helper is never registered. But it still tries

Re: [PATCH net-next v3 0/2] GTP SGSN-side tunnels

2017-03-24 Thread Pablo Neira Ayuso
On Fri, Mar 24, 2017 at 02:57:41PM +0100, Jonas Bonn wrote: > On 03/24/2017 11:41 AM, Pablo Neira Ayuso wrote: > >On Fri, Mar 24, 2017 at 10:33:56AM +0100, Jonas Bonn wrote: > >>Changes since v2: > >> > >>* Move #define of legacy netlink attribute into enum >

Re: [PATCH nf v3 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fail to register

2017-03-24 Thread Pablo Neira Ayuso
On Fri, Mar 24, 2017 at 01:21:30PM +0100, Pablo Neira Ayuso wrote: > On Tue, Mar 21, 2017 at 08:22:29AM +0800, f...@ikuai8.com wrote: > > From: Gao Feng <f...@ikuai8.com> > > > > In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp > >

Re: [PATCH net-next v3 0/2] GTP SGSN-side tunnels

2017-03-24 Thread Pablo Neira Ayuso
On Fri, Mar 24, 2017 at 11:15:25AM +0100, Harald Welte wrote: > Hi Jonas, > > looks fine to me, but I haven't tested it. Did you manually test it > using the extended libgtpnl + tools? > > Also, in code like this: > > + if (gtp->role == GTP_ROLE_SGSN) { > + pctx =

Re: [PATCH net-next v3 0/2] GTP SGSN-side tunnels

2017-03-24 Thread Pablo Neira Ayuso
On Fri, Mar 24, 2017 at 10:33:56AM +0100, Jonas Bonn wrote: > Changes since v2: > > * Move #define of legacy netlink attribute into enum > * Added note to commit message about load-testing use-case > * Ack from Pablo Thanks a lot Jonas! David, please apply. Thanks!

Re: [PATCH v2 1/2] gtp: rename SGSN netlink attribute

2017-03-23 Thread Pablo Neira Ayuso
low up version. Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>

Re: [PATCH 0/5] netfilter: Clean up tests if NULL returned on failure

2017-03-22 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 02:14:34PM +0530, simran singhal wrote: > This patch series cleans up tests if NULL returned on failure. $ git grep "== NULL" net/netfilter/ | wc -l 461 This is cleaning up just some of them, we still seem to have quite a bit of them. Main problem with these changes is

Re: [PATCH v2 1/2] gtp: rename SGSN netlink attribute

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 04:10:26PM +0100, Jonas Bonn wrote: > On 03/21/2017 04:07 PM, Pablo Neira Ayuso wrote: > >On Tue, Mar 21, 2017 at 04:04:29PM +0100, Jonas Bonn wrote: > >>diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h > >>index 72a04a0..c51eb

Re: [PATCH v2 1/2] gtp: rename SGSN netlink attribute

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 04:04:29PM +0100, Jonas Bonn wrote: > diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h > index 72a04a0..c51ebb0 100644 > --- a/include/uapi/linux/gtp.h > +++ b/include/uapi/linux/gtp.h > @@ -19,7 +19,7 @@ enum gtp_attrs { > GTPA_LINK, >

Re: [Bridge] [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 01:09:47AM +0100, Linus Lüssing wrote: > On Sun, Mar 19, 2017 at 05:55:06PM +0100, Linus Lüssing wrote: > > On Fri, Mar 17, 2017 at 02:10:44PM +0100, Pablo Neira Ayuso wrote: > > > Wait. > > > > > > May this break local multicast l

Re: [PATCH] [netfilter-next] netfilter: remove unused refcount variable

2017-03-20 Thread Pablo Neira Ayuso
On Mon, Mar 20, 2017 at 01:37:01PM +0100, Arnd Bergmann wrote: > The refcount variable was accidentally introduced without any reference > to it. Removing it again avoids this warning: > > net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del': > net/netfilter/nfnetlink_acct.c:329:15:

[PATCH 02/22] netfilter: nft_hash: rename nft_hash to nft_jhash

2017-03-20 Thread Pablo Neira Ayuso
From: Laura Garcia Liebana <nev...@gmail.com> This patch renames the local nft_hash structure and functions to nft_jhash in order to prepare the nft_hash module code to add new hash functions. Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> Signed-off-by: Pablo Nei

[PATCH 00/22] Netfilter/IPVS updates for net-next

2017-03-20 Thread Pablo Neira Ayuso
of symmetric hash Liping Zhang (3): netfilter: nf_tables: validate the expr explicitly after init successfully netfilter: limit: use per-rule spinlock to improve the scalability netfilter: nft_set_rbtree: use per-set rwlock to improve the scalability Pablo Neira Ayuso (1

[PATCH 05/22] netfilter: arp_tables: remove redundant check on ret being non-zero

2017-03-20 Thread Pablo Neira Ayuso
ically Dead Code") Signed-off-by: Colin Ian King <colin.k...@canonical.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp

[PATCH 13/22] netfilter: nf_conntrack: reduce resolve_normal_ct args

2017-03-20 Thread Pablo Neira Ayuso
22570582a net/netfilter/nf_conntrack_core.o Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c | 57 ++- 1 file changed, 26 insertions(+), 31 deletions(-)

[PATCH 11/22] netfilter: nft_ct: add helper set support

2017-03-20 Thread Pablo Neira Ayuso
e can also handle families that observe both ipv4 and ipv6 traffic. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 12 ++- net/netfilter/nft_ct.c | 171 ++

[PATCH 09/22] netfilter: nf_reject: remove unused variable

2017-03-20 Thread Pablo Neira Ayuso
From: Taehee Yoo <ap420...@gmail.com> variable oiph is not used. Signed-off-by: Taehee Yoo <ap420...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_reject_ipv4.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/ipv4/netfil

[PATCH 20/22] ipvs: Document sysctl pmtu_disc

2017-03-20 Thread Pablo Neira Ayuso
From: Hangbin Liu Document sysctl pmtu_disc based on commit 3654e61137db ("ipvs: add pmtu_disc option to disable IP DF for TUN packets"). Signed-off-by: Hangbin Liu Signed-off-by: Simon Horman ---

[PATCH 06/22] netfilter: nf_tables: validate the expr explicitly after init successfully

2017-03-20 Thread Pablo Neira Ayuso
as tested by nftables/tests/py/nft-test.py and nftables/tests/shell/run-tests.sh. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/nft_reject_bridge.c | 6 +- net/netfilter/nf_tables_api.c| 11 +

[PATCH 07/22] netfilter: nf_tables: add nft_set_lookup()

2017-03-20 Thread Pablo Neira Ayuso
This new function consolidates set lookup via either name or ID by introducing a new nft_set_lookup() function. Replace existing spots where we can use this too. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 9 + net/net

[PATCH 16/22] ipvs: remove an annoying printk in netns init

2017-03-20 Thread Pablo Neira Ayuso
From: Cong Wang At most it is used for debugging purpose, but I don't think it is even useful for debugging, just remove it. Signed-off-by: Cong Wang Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_core.c | 2 --

[PATCH 19/22] ipvs: Document sysctl sync_ports

2017-03-20 Thread Pablo Neira Ayuso
From: Hangbin Liu Document sysctl sync_ports based on commit f73181c8288f ("ipvs: add support for sync threads"). Signed-off-by: Hangbin Liu Signed-off-by: Simon Horman --- Documentation/networking/ipvs-sysctl.txt | 8

[PATCH 03/22] netfilter: nft_hash: support of symmetric hash

2017-03-20 Thread Pablo Neira Ayuso
ed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 13 + net/netfilter/nft_hash.c | 99 +++- 2 files changed, 111 insertions(+), 1

[PATCH 04/22] netfilter: Use pr_cont where appropriate

2017-03-20 Thread Pablo Neira Ayuso
y: Joe Perches <j...@perches.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/ebt_log.c | 34 +- net/ipv4/netfilter/nf_nat_snmp_basic.c | 15 ++- 2 files changed, 19 insertions(+), 30 deletions(-)

[PATCH 21/22] netfilter: refcounter conversions

2017-03-20 Thread Pablo Neira Ayuso
o use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshet...@intel.com> Signed-off-by: Hans Liljestrand <ishkam...@gmail.com> Signed-off-by: Kees Cook <keesc...@chromium.org> Signed-off-by: David Windsor <dwind...@gmail.com> Signed-off-by: Pablo Neira Ayus
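Added example, not part of this patch or the kernel tree: a user-space model of why the refcount_t conversion matters. A plain wrapping counter used as a reference count can be driven past its maximum so that it wraps to zero and the object is released while references are still held (the use-after-free the commit message refers to), whereas refcount_t-style increments saturate at the top and refuse to resurrect an object whose count already reached zero. The struct, the helper names and the REFCOUNT_SATURATED value below are assumptions made for this demo, not the kernel's definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not kernel code): contrasts a plain wrapping counter
 * (atomic_t used as a reference count) with refcount_t semantics, where an
 * increment from the saturation value or from zero is refused.  The object,
 * the helpers and the scenarios are invented for this demo; modelling
 * REFCOUNT_SATURATED as UINT32_MAX is a simplification. */
#define REFCOUNT_SATURATED UINT32_MAX

struct obj {
	uint32_t refs;
	int freed;		/* set once the object has been released */
};

static void obj_release(struct obj *o) { o->freed = 1; }

/* Plain atomic_t style: no overflow detection at all. */
static void plain_get(struct obj *o) { o->refs++; }
static void plain_put(struct obj *o)
{
	if (--o->refs == 0)
		obj_release(o);
}

/* refcount_t style: returns 1 if the reference was taken, 0 if refused. */
static int refcount_get(struct obj *o)
{
	if (o->refs == 0)
		return 0;		/* get on a dead object: refused */
	if (o->refs == REFCOUNT_SATURATED)
		return 1;		/* pinned forever: leaks rather than wraps */
	o->refs++;
	return 1;
}

static void refcount_put(struct obj *o)
{
	if (o->refs == 0 || o->refs == REFCOUNT_SATURATED)
		return;			/* underflow or saturated: do nothing */
	if (--o->refs == 0)
		obj_release(o);
}

/* Scenario: the counter is already at its maximum (constructed, instead of
 * taking four billion references), one more get is taken and then put.
 * Returns 1 if the object was freed while the other references still exist. */
static int plain_overflow_frees_early(void)
{
	struct obj o = { .refs = UINT32_MAX, .freed = 0 };

	plain_get(&o);		/* wraps to 0 */
	plain_get(&o);		/* now 1, although billions of holders remain */
	plain_put(&o);		/* 1 -> 0: released, every other holder now dangles */
	return o.freed;
}

static int refcount_overflow_frees_early(void)
{
	struct obj o = { .refs = REFCOUNT_SATURATED, .freed = 0 };

	refcount_get(&o);	/* stays saturated */
	refcount_get(&o);
	refcount_put(&o);	/* saturated: never released */
	return o.freed;
}

/* A get on an object whose count already hit zero is refused, not resurrected. */
static int refcount_get_after_free_refused(void)
{
	struct obj o = { .refs = 1, .freed = 0 };

	refcount_put(&o);	/* 1 -> 0: released */
	return refcount_get(&o) == 0 && o.refs == 0;
}

int main(void)
{
	printf("plain counter freed with live references: %d\n", plain_overflow_frees_early());
	printf("saturating counter freed with live references: %d\n", refcount_overflow_frees_early());
	printf("get after free refused: %d\n", refcount_get_after_free_refused());
	return 0;
}
```

The trade-off the model shows is the one the conversion accepts: a saturated object is leaked rather than freed early, and the kernel additionally warns when saturation or a get-from-zero happens, which the demo leaves out.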

[PATCH 15/22] netfilter: nft_set_rbtree: use per-set rwlock to improve the scalability

2017-03-20 Thread Pablo Neira Ayuso
between them. Also use per-set rwlock since each set is independent. Reported-by: Karel Rericha <ka...@unitednetworks.cz> Tested-by: Karel Rericha <ka...@unitednetworks.cz> Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilte

[PATCH 22/22] netfilter: fix the warning on unused refcount variable

2017-03-20 Thread Pablo Neira Ayuso
netfilter: refcounter conversions") Signed-off-by: Elena Reshetova <elena.reshet...@intel.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_acct.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilt

[PATCH 14/22] netfilter: limit: use per-rule spinlock to improve the scalability

2017-03-20 Thread Pablo Neira Ayuso
From: Liping Zhang <zlpnob...@gmail.com> The limit token is independent between each rule, so there's no need to use a global spinlock. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_limit.c |

[PATCH 12/22] netfilter: nft_fib: Support existence check

2017-03-20 Thread Pablo Neira Ayuso
From: Phil Sutter <p...@nwl.cc> Instead of the actual interface index or name, set destination register to just 1 or 0 depending on whether the lookup succeeded or not if NFTA_FIB_F_PRESENT was set in userspace. Signed-off-by: Phil Sutter <p...@nwl.cc> Signed-off-by: Pablo Nei

[PATCH 17/22] ipvs: fix sync_threshold description and add sync_refresh_period, sync_retries

2017-03-20 Thread Pablo Neira Ayuso
From: Hangbin Liu Fix sync_threshold description which should have two values. Also add sync_refresh_period and sync_retries based on commit 749c42b620a9 ("ipvs: reduce sync rate with time thresholds"). Signed-off-by: Hangbin Liu Signed-off-by: Simon

[PATCH 10/22] netfilter: provide nft_ctx in object init function

2017-03-20 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> this is needed by the upcoming ct helper object type -- we'd like to be able use the table family (ip, ip6, inet) to figure out which helper has to be requested. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Nei

[PATCH 18/22] ipvs: Document sysctl sync_qlen_max and sync_sock_size

2017-03-20 Thread Pablo Neira Ayuso
From: Hangbin Liu Document sysctl sync_qlen_max and sync_sock_size based on commit 1c003b1580e2 ("ipvs: wakeup master thread"). Signed-off-by: Hangbin Liu Signed-off-by: Simon Horman --- Documentation/networking/ipvs-sysctl.txt

[PATCH 08/22] netfilter: bridge: remove unneeded rcu_read_lock

2017-03-20 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> as comment says, the function is always called with rcu read lock held. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/br_netfilter_hooks.c | 3 --- 1 file ch

[PATCH 01/22] netfilter: nft_exthdr: Allow checking TCP option presence, too

2017-03-20 Thread Pablo Neira Ayuso
From: Phil Sutter <p...@nwl.cc> Honor NFT_EXTHDR_F_PRESENT flag so we check if the TCP option is present. Signed-off-by: Phil Sutter <p...@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_exthdr.c | 13 ++--- 1 file changed, 1

Re: [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-17 Thread Pablo Neira Ayuso
On Wed, Mar 15, 2017 at 11:06:05PM +0100, Pablo Neira Ayuso wrote: > On Wed, Mar 15, 2017 at 10:16:19PM +0100, Linus Lüssing wrote: > > On Wed, Mar 15, 2017 at 07:15:39PM +0100, Pablo Neira Ayuso wrote: > > > Could you update ebtables dnat to check if the ethernet address >

Re: [GIT PULL 0/5] IPVS Updates for v4.12

2017-03-17 Thread Pablo Neira Ayuso
On Thu, Mar 16, 2017 at 01:43:10PM +0100, Simon Horman wrote: > Hi Pablo, > > please consider these enhancements to the IPVS for v4.12. > > * Update sysctl documentation > * Remove unnecessary printk in __ip_vs_init > > The following changes since commit

Re: [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-15 Thread Pablo Neira Ayuso
On Wed, Mar 15, 2017 at 10:16:19PM +0100, Linus Lüssing wrote: > On Wed, Mar 15, 2017 at 07:15:39PM +0100, Pablo Neira Ayuso wrote: > > Could you update ebtables dnat to check if the ethernet address > > matches the one of the input bridge interface, so we mangle the > > -

Re: [PATCH 1/1] gtp: support SGSN-side tunnels

2017-03-15 Thread Pablo Neira Ayuso
Hi Harald, On Wed, Mar 15, 2017 at 08:10:38PM +0100, Harald Welte wrote: > I've modified the patch slightly, see below (compile-tested, but not > otherwise tested yet). Basically rename the flags attribute to 'role', > expand the commit log and removed unrelated cosmetic changes. > > I've also

[PATCH net] MAINTAINERS: remove MACVLAN and VLAN entries

2017-03-15 Thread Pablo Neira Ayuso
macvlan.c file seems to be both in VLAN and MACVLAN DRIVER, so remove the MACVLAN DRIVER since this is redundant. I propose with this patch to remove the VLAN (802.1Q) entry so this just falls into the NETWORKING [GENERAL]. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> ---

Re: [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-15 Thread Pablo Neira Ayuso
On Wed, Mar 15, 2017 at 03:27:20PM +0100, Linus Lüssing wrote: > On Wed, Mar 15, 2017 at 11:42:11AM +0100, Pablo Neira Ayuso wrote: > > I'm missing then why redirect is not then just enough for Linus usecase. > > For my usecase, the MAC address is configured by the user from a &

Re: [PATCH 1/1] gtp: support SGSN-side tunnels

2017-03-15 Thread Pablo Neira Ayuso
On Wed, Mar 15, 2017 at 05:39:16PM +0100, Harald Welte wrote: > Hi Jonas, > > are you working on the review feedback that was provided back in early > February? I think there were some comments like > * remove unrelated cosmetic change in comment > * change from FLAGS to a dedicated MODE netlink

[PATCH 04/10] netfilter: nft_set_bitmap: fetch the element key based on the set->klen

2017-03-15 Thread Pablo Neira Ayuso
a u8 or u16 integer. Fixes: 665153ff5752 ("netfilter: nf_tables: add bitmap set type") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_set_bitmap.c | 27 +-- 1 file chang

[PATCH 06/10] netfilter: bridge: honor frag_max_size when refragmenting

2017-03-15 Thread Pablo Neira Ayuso
nstead we have to cap by the largest fragment size seen. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/br_netfilter_hooks.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/bridge

[PATCH 03/10] netfilter: nf_tables: set pktinfo->thoff at AH header if found

2017-03-15 Thread Pablo Neira Ayuso
en trying to match encapsulated headers: 1) A packet that looks like IPv4 + AH + TCP dport 22 will *not* match. 2) A packet that looks like IPv6 + AH + TCP dport 22 will match. Reported-by: Phil Sutter <p...@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfi
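Added example, not the kernel's nf_tables code: a small walker that derives the transport header offset (thoff) and protocol for IPv4 and IPv6 so that both families agree on what an AH packet looks like to a "tcp dport 22" rule. With skip_ah set the IPv6 side steps over the AH header and reports TCP, which reproduces the family mismatch the commit message lists; with it clear both families stop at AH and the rule matches neither packet. All function names and the two packets are constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not kernel code): compute the transport header offset
 * (thoff) and protocol for IPv4 and IPv6, stopping at AH in both families
 * so a "tcp dport 22" rule sees the same thing regardless of family.
 * skip_ah=1 reproduces an IPv6 walker that steps over AH instead.
 * Names and both packets are constructed for this demo. */
#define PROTO_TCP 6
#define PROTO_AH  51
struct l4info { int proto; size_t thoff; };

static int parse_ipv4(const uint8_t *p, size_t len, struct l4info *out)
{
	size_t ihl;
	if (len < 20 || (p[0] >> 4) != 4)
		return -1;
	ihl = (size_t)(p[0] & 0x0f) * 4;
	if (ihl < 20 || ihl > len)
		return -1;
	out->proto = p[9];	/* for an AH packet this is AH, not TCP */
	out->thoff = ihl;	/* no extension chain: end of the IP header */
	return 0;
}

static int parse_ipv6(const uint8_t *p, size_t len, int skip_ah, struct l4info *out)
{
	int nexthdr;
	size_t off = 40;
	if (len < 40 || (p[0] >> 4) != 6)
		return -1;
	nexthdr = p[6];
	for (;;) {
		if (off + 2 > len)
			return -1;
		switch (nexthdr) {
		case 0: case 43: case 60:	/* hop-by-hop, routing, dst opts: (hdrlen+1)*8 */
			nexthdr = p[off];
			off += ((size_t)p[off + 1] + 1) * 8;
			break;
		case 44:			/* fragment header: fixed 8 bytes */
			nexthdr = p[off];
			off += 8;
			break;
		case PROTO_AH:
			if (!skip_ah) {		/* fixed: report AH as the transport header */
				out->proto = PROTO_AH;
				out->thoff = off;
				return 0;
			}
			nexthdr = p[off];	/* old: step over AH, length (payloadlen+2)*4 */
			off += ((size_t)p[off + 1] + 2) * 4;
			break;
		default:
			out->proto = nexthdr;
			out->thoff = off;
			return 0;
		}
	}
}

/* nft-style "tcp dport PORT": l4proto must be TCP, then load dport at thoff+2 */
static int match_tcp_dport(const uint8_t *p, size_t len, const struct l4info *l4, uint16_t port)
{
	if (l4->proto != PROTO_TCP || l4->thoff + 4 > len)
		return 0;
	return ((p[l4->thoff + 2] << 8) | p[l4->thoff + 3]) == port;
}

/* Constructed AH (payload len 4 => 24 bytes, next header TCP) then TCP sport 1234 dport 22 */
#define AH_THEN_TCP \
	0x06, 0x04, 0x00, 0x00, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \
	0x04, 0xd2, 0x00, 0x16, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0
static const uint8_t pkt4[] = {	/* IPv4, total length 64, protocol AH */
	0x45, 0x00, 0x00, 0x40, 0x00, 0x01, 0x00, 0x00, 0x40, PROTO_AH, 0x00, 0x00,
	10, 0, 0, 1, 10, 0, 0, 2, AH_THEN_TCP
};
static const uint8_t pkt6[] = {	/* IPv6, payload length 44, next header AH */
	0x60, 0x00, 0x00, 0x00, 0x00, 0x2c, PROTO_AH, 0x40,
	0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
	0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, AH_THEN_TCP
};

static int ipv4_ah_tcp22_matches(void)
{
	struct l4info l4;
	return parse_ipv4(pkt4, sizeof pkt4, &l4) == 0 && match_tcp_dport(pkt4, sizeof pkt4, &l4, 22);
}

static int ipv6_ah_tcp22_matches(int skip_ah)
{
	struct l4info l4;
	return parse_ipv6(pkt6, sizeof pkt6, skip_ah, &l4) == 0 && match_tcp_dport(pkt6, sizeof pkt6, &l4, 22);
}

int main(void)
{
	printf("IPv4 + AH + TCP dport 22 matches: %d\n", ipv4_ah_tcp22_matches());
	printf("IPv6 + AH + TCP dport 22, walker skips AH: %d\n", ipv6_ah_tcp22_matches(1));
	printf("IPv6 + AH + TCP dport 22, thoff at AH: %d\n", ipv6_ah_tcp22_matches(0));
	return 0;
}
```

The security-relevant point is the consistency, not the direction: a rule author who writes "tcp dport 22" expecting it to apply to AH-wrapped traffic on one family but not the other gets a policy that depends on address family, and the walker above makes the AH header the place where matching stops for both.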

[PATCH 00/10] Netfilter fixes for net

2017-03-15 Thread Pablo Neira Ayuso
len netfilter: nf_tables: fix mismatch in big-endian system netfilter: nft_ct: do cleanup work when NFTA_CT_DIRECTION is invalid Pablo Neira Ayuso (3): netfilter: nf_tables: set pktinfo->thoff at AH header if found netfilter: nft_set_bitmap: keep a list of dummy elements

[PATCH 05/10] netfilter: nf_tables: fix mismatch in big-endian system

2017-03-15 Thread Pablo Neira Ayuso
per functions to store/load an u8 or u16 integer to/from the u32 data register, and use them in the right place. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 29 +++
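Added example, not the kernel's code, serving both this patch and the nft_set_bitmap change above that fetches the element key according to set->klen: nf_tables data registers are u32 slots, so a u8 or u16 value written through a u32 store lands in different bytes on little-endian and big-endian hosts, and reading it back with the narrow width returns zero on big-endian. The register is modelled as a 4-byte array with the byte order passed in explicitly, so both hosts can be shown on one machine; the helper names are assumptions for the demo, not the kernel's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not kernel code): a u32 register holding a u16 value.
 * Storing as u32 and loading as u16 only agrees on little-endian hosts;
 * the fix is to store and load with the same width.  The byte order is
 * a parameter here so both hosts can be demonstrated in one run. */
#define NFT_REG_SIZE 4

/* Write v into reg as a native-order u32 of the given endianness. */
static void reg_store32(uint8_t reg[NFT_REG_SIZE], uint32_t v, int big_endian)
{
	for (int i = 0; i < NFT_REG_SIZE; i++) {
		int shift = big_endian ? 8 * (3 - i) : 8 * i;
		reg[i] = (uint8_t)(v >> shift);
	}
}

/* Read the first two bytes of reg as a native-order u16. */
static uint16_t reg_load16(const uint8_t reg[NFT_REG_SIZE], int big_endian)
{
	return big_endian ? (uint16_t)((reg[0] << 8) | reg[1])
			  : (uint16_t)((reg[1] << 8) | reg[0]);
}

/* Width-matched store: the u16 goes at the start of the register, rest cleared. */
static void reg_store16(uint8_t reg[NFT_REG_SIZE], uint16_t v, int big_endian)
{
	memset(reg, 0, NFT_REG_SIZE);
	if (big_endian) {
		reg[0] = (uint8_t)(v >> 8);
		reg[1] = (uint8_t)v;
	} else {
		reg[0] = (uint8_t)v;
		reg[1] = (uint8_t)(v >> 8);
	}
}

/* Buggy path: a u16 stored through the u32 writer and read back as u16. */
static uint16_t roundtrip16_via_u32(uint16_t v, int big_endian)
{
	uint8_t reg[NFT_REG_SIZE];
	reg_store32(reg, v, big_endian);
	return reg_load16(reg, big_endian);
}

/* Fixed path: store and load with the same width. */
static uint16_t roundtrip16_fixed(uint16_t v, int big_endian)
{
	uint8_t reg[NFT_REG_SIZE];
	reg_store16(reg, v, big_endian);
	return reg_load16(reg, big_endian);
}

int main(void)
{
	const uint16_t port = 22;	/* constructed sample value, e.g. a TCP port */
	printf("store32/load16 little-endian: %u\n", roundtrip16_via_u32(port, 0));
	printf("store32/load16 big-endian:    %u (value sits in the upper half)\n", roundtrip16_via_u32(port, 1));
	printf("store16/load16 big-endian:    %u\n", roundtrip16_fixed(port, 1));
	return 0;
}
```

The u8 case is the same picture with one byte instead of two: a u32 store puts it at reg[3] on big-endian while a u8 load reads reg[0]. A silent zero here is what turns a set lookup or a comparison into a policy that never matches on one architecture.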

[PATCH 01/10] netfilter: don't track fragmented packets

2017-03-15 Thread Pablo Neira Ayuso
.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 5 - 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4

[PATCH 08/10] netfilter: nft_set_bitmap: keep a list of dummy elements

2017-03-15 Thread Pablo Neira Ayuso
since we don't need to allocate the dummy nft_set_ext structure anymore on the fly at the cost of increasing memory consumption because of the list of dummy struct nft_set_ext. Fixes: 665153ff5752 ("netfilter: nf_tables: add bitmap set type") Signed-off-by: Pablo Neira Ayuso <pa...@

[PATCH 09/10] Revert "netfilter: nf_tables: add flush field to struct nft_set_iter"

2017-03-15 Thread Pablo Neira Ayuso
This reverts commit 1f48ff6c5393aa7fe290faf5d633164f105b0aa7. This patch is not required anymore now that we keep a dummy list of set elements in the bitmap set implementation, so revert this before we forget this code has no clients. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.

[PATCH 10/10] netfilter: nft_ct: do cleanup work when NFTA_CT_DIRECTION is invalid

2017-03-15 Thread Pablo Neira Ayuso
...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_ct.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 91585b5e5307..0264258c46fe 100644 --- a/net/netfilter/nft_ct.c +++ b/net/n

[PATCH 02/10] netfilter: nf_nat_sctp: fix ICMP packet to be dropped accidently

2017-03-15 Thread Pablo Neira Ayuso
when packet is ICMP, the computation of checksum is ignored as well. Signed-off-by: Ying Xue <ying@windriver.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_nat_proto_sctp.c | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) di

[PATCH 07/10] netfilter: Force fake conntrack entry to be at least 8 bytes aligned

2017-03-15 Thread Pablo Neira Ayuso
nfo into nfct pointer storage area") Signed-off-by: Steven Rostedt (VMware) <rost...@goodmis.org> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h | 2 +- net/netfilter/nf_conntr

Re: [PATCH net-next] net/gtp: Add udp source port generation according to flow hash

2017-03-15 Thread Pablo Neira Ayuso
e, > > So where do we go from here? should I resubmit the patch? IIRC this patch didn't get into the merge window in time, so it's reasonable to resubmit I think. You may want to add this to the patch: Acked-by: Pablo Neira Ayuso <pa...@netfilter.org> Thanks Or.

Re: [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-15 Thread Pablo Neira Ayuso
On Wed, Mar 15, 2017 at 11:26:08AM +0100, Florian Westphal wrote: > Linus Lüssing wrote: > > When trying to redirect bridged frames to the bridge device itself > > via the ebtables nat-prerouting chain and the dnat target then this > > currently fails: > > > > The

Re: [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-15 Thread Pablo Neira Ayuso
On Wed, Mar 15, 2017 at 04:18:11AM +0100, Linus Lüssing wrote: > When trying to redirect bridged frames to the bridge device itself > via the ebtables nat-prerouting chain and the dnat target then this > currently fails: > > The ethernet destination of the frame is dnat'ed to the MAC address of >

Re: [PATCH net-next 2/4] gtp: add genl cmd to enable GTP encapsulation on UDP socket

2017-03-14 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 01:28:25PM +0100, Andreas Schultz wrote: > - On Mar 14, 2017, at 12:43 PM, pablo pa...@netfilter.org wrote: [...] > A GTP entity serves multiple local IP endpoints, It manages outgoing tunnels > by the local APN/VRF, source IP, destination IP and remote tunnel id,

Re: [PATCH net-next 0/4] gtp: support multiple APN's per GTP endpoint

2017-03-14 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 01:42:44PM +0100, Andreas Schultz wrote: > > It is definitely not acceptable to break the existing API. > > The specific use case of the API that is no longer supported was never used by > anyone. [...] Yes, this was used by openggsn and I tested this with a full blown FOSS

Re: [PATCH net-next 0/4] gtp: support multiple APN's per GTP endpoint

2017-03-14 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 12:25:44PM +0100, Andreas Schultz wrote: [...] > API impact: > --- > > This is probably the most problematic part of this series... > > The removal of the TEID from the netdevice also means that the gtp genl API > for retrieving tunnel information and removing

Re: [PATCH net-next 2/4] gtp: add genl cmd to enable GTP encapsulation on UDP socket

2017-03-14 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 12:25:46PM +0100, Andreas Schultz wrote: > @@ -1254,6 +1293,8 @@ static struct nla_policy gtp_genl_policy[GTPA_MAX + 1] > = { > [GTPA_NET_NS_FD]= { .type = NLA_U32, }, > [GTPA_I_TEI]= { .type = NLA_U32, }, > [GTPA_O_TEI]=

Re: [PATCH net-next 1/4] gtp: move TEID hash to per socket structure

2017-03-14 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 12:25:45PM +0100, Andreas Schultz wrote: > @@ -275,9 +280,9 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, > struct sk_buff *skb) > > gtp1 = (struct gtp1_header *)(skb->data + sizeof(struct udphdr)); > > - pctx = gtp1_pdp_find(gtp, ntohl(gtp1->tid));

Re: [PATCH net] bridge: drop netfilter fake rtable unconditionally

2017-03-13 Thread Pablo Neira Ayuso
t.com> > Debugged-by: Hannes Frederic Sowa <han...@stressinduktion.org> > Signed-off-by: Florian Westphal <f...@strlen.de> > --- > David, I know you *love* the fake_rtable turd, but I think > this patch should go directly via net and not nf tree. > After all, this a

Re: [PATCH net-next v5 0/7] gtp: misc improvements

2017-03-13 Thread Pablo Neira Ayuso
olve that I had to > switch the socket references from the struct socket to the internal > struct sock. This should have no functional impact, but we can now hang > on to the reference without blocking user space from closing the GTP socket. Acked-by: Pablo Neira Ayuso <pa...@netfilte

Re: [PATCH] netfilter: Force fake conntrack entry to be at least 8 bytes aligned

2017-03-13 Thread Pablo Neira Ayuso
On Sat, Mar 11, 2017 at 10:12:22AM +0100, Florian Westphal wrote: > Steven Rostedt (VMware) wrote: > > Since the nfct and nfctinfo have been combined, the nf_conn structure > > must be at least 8 bytes aligned, as the 3 LSB bits are used for the > > nfctinfo. But there's a
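Added example, not the kernel's code: a user-space model of the alignment requirement discussed in this thread. When a pointer and a 3-bit ctinfo share one word, the pointer must have its three low bits clear, so a conntrack object that is only 4-byte aligned decodes with a corrupted ctinfo and a truncated pointer; forcing the static fake entry to 8-byte alignment removes the overlap. The struct, the pack/unpack helpers and the misaligned buffer are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not kernel code): models how a conntrack pointer and the
 * 3-bit ctinfo are packed into one word, and why an object that is only
 * 4-byte aligned breaks that packing.  nfct_pack/nfct_unpack, struct conn
 * and the buffers are invented names for this demo. */
#define NFCT_INFOMASK 7UL	/* low three bits carry ctinfo */

enum ctinfo { CT_ESTABLISHED = 0, CT_RELATED = 1, CT_NEW = 2, CT_UNTRACKED = 7 };

struct conn { int id; };	/* stands in for struct nf_conn */

static unsigned long nfct_pack(const struct conn *ct, enum ctinfo info)
{
	return (unsigned long)ct | (unsigned long)info;
}

static const struct conn *nfct_unpack(unsigned long nfct, enum ctinfo *info)
{
	*info = (enum ctinfo)(nfct & NFCT_INFOMASK);
	return (const struct conn *)(nfct & ~NFCT_INFOMASK);
}

/* 1 if the object can be packed safely: no address bit overlaps the mask. */
static int nfct_alignment_ok(const void *ct)
{
	return ((uintptr_t)ct & NFCT_INFOMASK) == 0;
}

/* 1 if pack followed by unpack returns the same pointer and the same ctinfo. */
static int nfct_roundtrip_ok(const struct conn *ct, enum ctinfo info)
{
	enum ctinfo got;
	const struct conn *back = nfct_unpack(nfct_pack(ct, info), &got);
	return back == ct && got == info;
}

/* The fix discussed in the thread: force the static fake entry to 8-byte alignment. */
static struct conn fake_ct __attribute__((aligned(8))) = { 1 };

/* Constructed misaligned object: a 4-byte aligned slot at offset 4 of an
 * 8-byte aligned buffer, i.e. an address with bit 2 set. */
static char slab[16] __attribute__((aligned(8)));
static const struct conn *misaligned_ct(void)
{
	return (const struct conn *)(slab + 4);
}

int main(void)
{
	enum ctinfo info;
	const struct conn *ct = misaligned_ct();

	printf("aligned fake entry: alignment ok=%d roundtrip ok=%d\n",
	       nfct_alignment_ok(&fake_ct), nfct_roundtrip_ok(&fake_ct, CT_UNTRACKED));
	/* On the misaligned object, bit 2 of the address is read back as ctinfo
	 * and the unpacked pointer points 4 bytes before the object. */
	nfct_unpack(nfct_pack(ct, CT_ESTABLISHED), &info);
	printf("misaligned entry: alignment ok=%d roundtrip ok=%d (ctinfo decoded as %d)\n",
	       nfct_alignment_ok(ct), nfct_roundtrip_ok(ct, CT_ESTABLISHED), (int)info);
	return 0;
}
```

Heap-allocated nf_conn objects get the alignment from the slab cache; the case that needs the explicit attribute is a static object like the fake untracked entry, whose alignment is otherwise whatever the compiler picks for its members.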

Re: [net] netfilter: nat: sctp: fix ICMP packet to be dropped accidently

2017-03-08 Thread Pablo Neira Ayuso
On Sat, Mar 04, 2017 at 06:00:02PM +0800, Ying Xue wrote: > Regarding RFC 792, the first 64 bits of the original SCTP datagram's > data could be contained in ICMP packet, such as: > > 0 1 2 3 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0

Re: [PATCH] netfilter: Use pr_cont where appropriate

2017-03-06 Thread Pablo Neira Ayuso
On Tue, Feb 28, 2017 at 02:09:24PM -0800, Joe Perches wrote: > Logging output was changed when simple printks without KERN_CONT > are now emitted on a new line and KERN_CONT is required to continue > lines so use pr_cont. > > Miscellanea: > > o realign arguments > o use print_hex_dump instead of

Re: [PATCH] netfilter: remove redundant check on ret being non-zero

2017-03-06 Thread Pablo Neira Ayuso
On Tue, Feb 28, 2017 at 11:31:15AM +, Colin King wrote: > From: Colin Ian King > > ret is initialized to zero and if it is set to non-zero in the > xt_entry_foreach loop then we exit via the out_free label. Hence > the check for ret being non-zero is redundant and

[PATCH 0/4] Netfilter fixes for net

2017-03-03 Thread Pablo Neira Ayuso
) Christophe Leroy (1): netfilter: nf_conntrack_sip: fix wrong memory initialisation Florian Westphal (1): netfilter: use skb_to_full_sk in ip_route_me_harder Pablo Neira Ayuso (2): netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups netfilter: nf_tables

[PATCH 1/4] netfilter: use skb_to_full_sk in ip_route_me_harder

2017-03-03 Thread Pablo Neira Ayuso
f-by: Florian Westphal <f...@strlen.de> Tested-by: Daniel J Blueman <dan...@quora.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilte

[PATCH 4/4] netfilter: nf_tables: don't call nfnetlink_set_err() if nfnetlink_send() fails

2017-03-03 Thread Pablo Neira Ayuso
ted-by: Alexander Alemayhu <alexan...@alemayhu.com> Tested-by: Alexander Alemayhu <alexan...@alemayhu.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 6 +- net/netfilter/nf_tables_api.c | 133 --

[PATCH 3/4] netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups

2017-03-03 Thread Pablo Neira Ayuso
-by: Simon Hanisch <hani...@wh2.tu-dresden.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_set_rbtree.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index

[PATCH 2/4] netfilter: nf_conntrack_sip: fix wrong memory initialisation

2017-03-03 Thread Pablo Neira Ayuso
, 4 * sizeof(sip[i])); But as the sip[] table is allocated in the BSS, it is already set to 0 Fixes: 82de0be6862cd ("netfilter: Add helper array register/unregister functions") Signed-off-by: Christophe Leroy <christophe.le...@c-s.fr> Signed-off-by: Pablo Neira Ayuso <pa..

Re: [PATCH] netfilter: nf_conntrack_sip: fix wrong memory initialisation

2017-03-03 Thread Pablo Neira Ayuso
On Wed, Mar 01, 2017 at 03:33:26PM +0100, Christophe Leroy wrote: > In commit 82de0be6862cd ("netfilter: Add helper array > register/unregister functions"), > struct nf_conntrack_helper sip[MAX_PORTS][4] was changed to > sip[MAX_PORTS * 4], so the memory init should have been changed to >

Re: [PATCH 09/14] netfilter: conntrack: refine gc worker heuristics, redux

2017-03-01 Thread Pablo Neira Ayuso
On Wed, Mar 01, 2017 at 04:02:53PM +0100, Nicolas Dichtel wrote: > Le 27/01/2017 à 17:51, Nicolas Dichtel a écrit : > > Le 26/01/2017 à 17:38, Pablo Neira Ayuso a écrit : > >> From: Florian Westphal <f...@strlen.de> > >> > >> This further refin

Re: [4.9.10] ip_route_me_harder() reading off-slab

2017-02-28 Thread Pablo Neira Ayuso
On Mon, Feb 27, 2017 at 10:41:48PM +0800, Daniel J Blueman wrote: > On 17 February 2017 at 15:39, Florian Westphal wrote: > > Daniel J Blueman wrote: > > > > [ CC nf-devel, pablo ] > > > >> When booting a VM in libvirt/KVM attached to a local bridge and KASAN >

[PATCH 2/6] uapi: stop including linux/sysctl.h in uapi/linux/netfilter.h

2017-02-27 Thread Pablo Neira Ayuso
by: Dmitry V. Levin <l...@altlinux.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/uapi/linux/netfilter.h b/include/uapi/linux/netfilter.h index 7550e9176a54..c111a91adcc0 100644 --

[PATCH 3/6] uapi: fix linux/netfilter/xt_hashlimit.h userspace compilation error

2017-02-27 Thread Pablo Neira Ayuso
ot in a function) char name[NAME_MAX]; Signed-off-by: Dmitry V. Levin <l...@altlinux.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/xt_hashlimit.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/uapi/linux/netfilter/xt_hashl

[PATCH 4/6] netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success.

2017-02-27 Thread Pablo Neira Ayuso
test cases. Fix this by always returning zero on the success code path. Fixes: 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert() returns void") Signed-off-by: Jarno Rajahalme <ja...@ovn.org> Acked-by: Joe Stringer <j...@ovn.org> Signed-off-by: Pablo Neira Ayuso &l

[PATCH 0/6] Netfilter fixes for net

2017-02-27 Thread Pablo Neira Ayuso
ect: nf_ct_expect_related_report(): Return zero on success. netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value. Pablo Neira Ayuso (1): netfilter: nft_set_bitmap: incorrect bitmap size include/uapi/linux/netfilter.h | 1 - include/uapi/linux/netfilter/xt_hashlimit.h

[PATCH 6/6] netfilter: nft_set_bitmap: incorrect bitmap size

2017-02-27 Thread Pablo Neira Ayuso
priv->bitmap_size stores the real bitmap size, instead of the full struct nft_bitmap object. Fixes: 665153ff5752 ("netfilter: nf_tables: add bitmap set type") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_set_bitmap.c | 2 +- 1 file changed

[PATCH 5/6] netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.

2017-02-27 Thread Pablo Neira Ayuso
this regression in the future by changing the return value of __nf_ct_expect_check() to 0 on success. Signed-off-by: Jarno Rajahalme <ja...@ovn.org> Acked-by: Joe Stringer <j...@ovn.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_ex

[PATCH 1/6] netfilter: nft_ct: fix random validation errors for zone set support

2017-02-27 Thread Pablo Neira Ayuso
y: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_ct.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index c6b8022c0e47..bf548a7a71ec 100644 --- a/net/netfilter/nft

Re: [PATCH net-next] net/gtp: Add udp source port generation according to flow hash

2017-02-23 Thread Pablo Neira Ayuso
On Thu, Feb 23, 2017 at 03:21:13PM +0100, Andreas Schultz wrote: > - On Feb 23, 2017, at 2:49 PM, pablo pa...@netfilter.org wrote: [...] > > According to specs, section 4.4.2.3 Encapsulated T-PDU, TS 29.281. > > > > "The UDP Source Port is a locally allocated port number at the sending > >

Re: [PATCH net-next] net/gtp: Add udp source port generation according to flow hash

2017-02-23 Thread Pablo Neira Ayuso
On Thu, Feb 23, 2017 at 10:35:56AM +0100, Andreas Schultz wrote: > - On Feb 22, 2017, at 10:47 PM, Tom Herbert t...@herbertland.com wrote: [...] > > This shouldn't be taken as a HW requirement and it's unlikely we'd add > > explicit GTP support in flow_dissector. If we can't get entropy in the

Re: [PATCH net-next] net/gtp: Add udp source port generation according to flow hash

2017-02-23 Thread Pablo Neira Ayuso
On Wed, Feb 22, 2017 at 01:47:17PM -0800, Tom Herbert wrote: > On Wed, Feb 22, 2017 at 1:29 PM, Or Gerlitz wrote: > > On Thu, Feb 16, 2017 at 11:58 PM, Andreas Schultz wrote: > >> Hi Or, > >> - On Feb 16, 2017, at 3:59 PM, Or Gerlitz

Re: netfilter: nft_ct: add zone id set support

2017-02-23 Thread Pablo Neira Ayuso
<f...@strlen.de> > > > AuthorDate: Fri Feb 3 13:35:50 2017 +0100 > > > Committer: Pablo Neira Ayuso <pa...@netfilter.org> > > > CommitDate: Wed Feb 8 14:16:23 2017 +0100 > > > > > Unlike for the other cases of the switch statement, "len" is

[PATCH 0/8] Netfilter fixes for net

2017-02-23 Thread Pablo Neira Ayuso
queue: fix NFQA_VLAN_MAX definition Kevin Cernekee (2): netfilter: ctnetlink: Fix regression in CTA_STATUS processing netfilter: ctnetlink: Fix regression in CTA_HELP processing Liping Zhang (1): netfilter: nfnetlink: remove static declaration from err_list Pablo Neira Ayuso (1):

[PATCH 5/8] netfilter: ipset: Null pointer exception in ipset list:set

2017-02-23 Thread Pablo Neira Ayuso
From: Vishwanath Pai If we use before/after to add an element to an empty list it will cause a kernel panic. $> cat crash.restore create a hash:ip create b hash:ip create test list:set timeout 5 size 4 add test b before a $> ipset -R < crash.restore Executing the above will

[PATCH 1/8] netfilter: nf_ct_helper: warn when not applying default helper assignment

2017-02-23 Thread Pablo Neira Ayuso
ng separated, so that the whole logic can be simplified and code (condition) duplication reduced. [1] https://cansecwest.com/csw12/conntrack-attack.pdf [2] https://home.regit.org/netfilter-en/secure-use-of-helpers/ Signed-off-by: Jiri Kosina <jkos...@suse.cz> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 8/8] netfilter: nfnetlink: remove static declaration from err_list

2017-02-23 Thread Pablo Neira Ayuso
_NFTABLES). Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index a09fa

[PATCH 2/8] netfilter: ctnetlink: Fix regression in CTA_STATUS processing

2017-02-23 Thread Pablo Neira Ayuso
the bits that they are allowed to change. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_conntrack_common.h | 4 net/netfilter/nf_conntrack_netlink.c | 26 +-
