[PATCH 7/8] netfilter: nfnetlink_queue: fix NFQA_VLAN_MAX definition

From: Ken-ichirou MATSUZAWA <chama...@gmail.com> Should be - 1 as in other _MAX definitions. Signed-off-by: Ken-ichirou MATSUZAWA <cha...@h4.dion.ne.jp> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- incl

[PATCH 6/8] netfilter: xt_hashlimit: Fix integer divide round to zero.

rowa...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_hashlimit.c | 25 + 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 10063408141d..84ad5a

[PATCH 3/8] netfilter: ctnetlink: Fix regression in CTA_HELP processing

e current conntrack helper name, ignore it instead of generating an error. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c | 17 + 1 file changed, 13 insertions(+), 4 del

[PATCH 4/8] Fix bug: sometimes valid entries in hash:* types of sets were evicted

From: Jozsef Kadlecsik Wrong index was used and therefore when shrinking a hash bucket at deleting an entry, valid entries could be evicted as well. Thanks to Eric Ewanco for the thorough bugreport. Fixes netfilter bugzilla #1119 Signed-off-by: Jozsef Kadlecsik

Re: [PATCH net-next 2/2] netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.

On Tue, Feb 21, 2017 at 03:25:22PM -0800, Jarno Rajahalme wrote: > Commit 4dee62b1 ("netfilter: nf_ct_expect: nf_ct_expect_insert() > returns void") inadvertently changed the successful return value of > nf_ct_expect_related_report() from 0 to 1 due to > __nf_ct_expect_check() returning 1 on

Re: [PATCH net-next 1/2] netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success,

On Tue, Feb 21, 2017 at 03:25:21PM -0800, Jarno Rajahalme wrote: > Commit 4dee62b1 ("netfilter: nf_ct_expect: nf_ct_expect_insert() > returns void") inadvertently changed the successful return value of > nf_ct_expect_related_report() from 0 to 1, which caused openvswitch > conntrack integration

Re: [PATCH v2] netfilter: xt_hashlimit: Fix integer divide round to zero.

On Mon, Feb 06, 2017 at 11:50:33PM +0100, Alban Browaeys wrote: > Diving the divider by the multiplier before applying to the input. > When this would "divide by zero", divide the multiplier by the divider > first then multiply the input by this value. > > Currently user2creds outputs zero when

Re: [PATCH net-next v2 2/6] gtp: merge gtp_get_net and gtp_genl_find_dev

On Mon, Feb 13, 2017 at 03:13:37PM +0100, Andreas Schultz wrote: > > > - On Feb 6, 2017, at 2:55 PM, Harald Welte lafo...@netfilter.org wrote: > > > Hi Andreas, > > > > On Mon, Jan 30, 2017 at 05:37:09PM +0100, Andreas Schultz wrote: > >> Both function are always used together with the

Re: [PATCH 1/1] gtp: support SGSN-side tunnels

On Mon, Feb 13, 2017 at 10:25:19AM +0100, Andreas Schultz wrote: > Hi, > > I'm a bit late to comment, but maybe you can consider an additional > change for v2... > > - On Feb 3, 2017, at 10:12 AM, Jonas Bonn jo...@southpole.se wrote: > > > The GTP-tunnel driver is explicitly GGSN-side as it

[PATCH 05/21] netfilter: nf_tables: add flush field to struct nft_set_iter

. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 1 + net/netfilter/nf_tables_api.c | 4 2 files changed, 5 insertions(+) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index ab155644d489..5830f5

[PATCH 01/21] netfilter: nft_exthdr: Add support for existence check

From: Phil Sutter <p...@nwl.cc> If NFT_EXTHDR_F_PRESENT is set, exthdr will not copy any header field data into *dest, but instead set it to 1 if the header is found and 0 otherwise. Signed-off-by: Phil Sutter <p...@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 04/21] netfilter: nf_tables: rename deactivate_one() to flush()

Although semantics are similar to deactivate() with no implicit element lookup, this is only called from the set flush path, so better rename this to flush(). Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 8 net/netfilter/nf_tables

[PATCH 07/21] netfilter: nf_tables: add space notation to sets

of elements, so we cannot calculate the real memory that this set needs. This also helps us break ties in the set backend selection routine, eg. two backend implementations provide the same performance. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 2 +

[PATCH 13/21] netfilter: nf_ct_sip: Use mod_timer_pending()

From: Gao Feng <f...@ikuai8.com> timer_del() followed by timer_add() can be replaced by mod_timer_pending(). Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_sip.c | 12 +--- 1 file cha

[PATCH 02/21] netfilter: nf_tables: pass netns to set->ops->remove()

This new parameter is required by the new bitmap set type that comes in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 3 ++- net/netfilter/nf_tables_api.c | 6 +++--- net/netfilter/nft_set_hash.c | 3 ++- net/net

[PATCH 15/21] netfilter: nfnetlink: get rid of u_intX_t types

Use uX types instead. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink.c | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index a09fa9fd8f3d..586212ebba9e 100644 ---

[PATCH 03/21] netfilter: nf_tables: use struct nft_set_iter in set element flush

Instead of struct nft_set_dump_args, remove unnecessary wrapper structure. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/net

[PATCH 09/21] netfilter: nft_ct: add zone id get support

an error. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_ct.c | 22 +++--- 2 files changed, 21 insertions(+), 3 deletions(-)

[PATCH 06/21] netfilter: nf_tables: rename struct nft_set_estimate class field

Use lookup as field name instead, to prepare the introduction of the memory class in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 4 ++-- net/netfilter/nf_tables_api.c | 12 ++-- net/netfilter/nft_set_

[PATCH 08/21] netfilter: nf_tables: add bitmap set type

ise the hash table set implementation is used. For 8 bit keys, the bitmap consumes 66 bytes. For 16 bit keys, the bitmap takes 16388 bytes. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/Kconfig | 6 + net/netfilter/Makefile | 1 + net/

[PATCH 10/21] netfilter: nft_ct: prepare for key-dependent error unwind

y have that in the set_destroy function place that in a separate function and call it from the set init function. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_ct.c | 29 +++-- 1 file chan

[PATCH 14/21] netfilter: nf_ct_expect: nf_ct_expect_insert() returns void

From: Gao Feng <f...@ikuai8.com> Because nf_ct_expect_insert() always succeeds now, its return value can be just void instead of int. And remove code that checks for its return value. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilte

[PATCH 00/21] Netfilter updates for net-next

zone id set support Gao Feng (2): netfilter: nf_ct_sip: Use mod_timer_pending() netfilter: nf_ct_expect: nf_ct_expect_insert() returns void Manuel Messner (1): netfilter: nft_exthdr: add TCP option matching Pablo Neira Ayuso (14): netfilter: nf_tables: pass netns to set->

[PATCH 12/21] netfilter: nft_exthdr: add TCP option matching

From: Manuel Messner <m...@skelett.io> This patch implements the kernel side of the TCP option patch. Signed-off-by: Manuel Messner <m...@skelett.io> Reviewed-by: Florian Westphal <f...@strlen.de> Acked-by: Phil Sutter <p...@nwl.cc> Signed-off-by: Pablo Neira Ay

[PATCH 19/21] netfilter: nf_tables: add NFTA_RULE_ID attribute

to refer to an anonymous set from a batch. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h| 3 +++ include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nf_tables_api.c| 26 ++ 3 files chang

[PATCH 20/21] netfilter: update MAINTAINERS

Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- MAINTAINERS | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index a9368bba9b37..5864bbd99f8f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -8579,9 +8579,8 @@ F:Documen

[PATCH 16/21] netfilter: nfnetlink: add nfnetlink_rcv_skb_batch()

Add new nfnetlink_rcv_skb_batch() to wrap initial nfnetlink batch handling. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink.c | 51 ++- 1 file changed, 28 insertions(+), 23 deletions(-) diff --git a/net/net

[PATCH 11/21] netfilter: nft_ct: add zone id set support

packet alloc/free of the template, use a percpu template 'scratch' object and use the refcount to detect the (unlikely) case where the template is still attached to another skb (i.e., previous skb was nfqueued ...). Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Nei

[PATCH 18/21] netfilter: nf_tables: add check_genid to the nfnetlink subsystem

This patch implements the check generation id as provided by nfnetlink. This allows us to reject ruleset updates against stale baseline, so userspace can retry update with a fresh ruleset cache. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api

[PATCH 21/21] netfilter: nf_tables: honor NFT_SET_OBJECT in set backend selection

Check for NFT_SET_OBJECT feature flag, otherwise we may end up selecting the wrong set backend. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 3 ++- net/netfilter/nft_set_hash.c | 2 +- net/netfilter/nft_set_rbtree.c | 2 +- 3 files chan

[PATCH 17/21] netfilter: nfnetlink: allow to check for generation ID

in the batch begin message, then no check is performed. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/nfnetlink.h | 1 + include/uapi/linux/netfilter/nfnetlink.h | 12 net/netfilter/nfnetlink.c

[PATCH net-next,v2] gtp: add MAINTAINERS

From: Pablo Neira <pa...@netfilter.org> Add maintainers for this tunnel driver. Include main osmocom.org mailist list too. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- v2: Harald suggests osmocom-net-g...@lists.osmocom.org is better ML for this. MAINTAINERS | 8

[PATCH net-next] gtp: add MAINTAINERS

Add maintainers for this tunnel driver. Include main osmocom.org mailist list too. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- MAINTAINERS | 8 1 file changed, 8 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 5864bbd99f8f..ce5dde23bd00

Re: [PATCH] net: fix description of skb_find_text() according to removed functionality

text()") > Signed-off-by: Igor Pylypiv <igor.pyly...@gmail.com> Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>

Re: [PATCH] net: fix description of skb_find_text() according to removed functionality

On Tue, Feb 07, 2017 at 11:13:12PM -0800, Igor Pylypiv wrote: > I am not planning to to add a new user of this functions. > Use of skb_find_text() was a part of my Linux study and its > description informed me that I can use textsearch_next() > which I cannot. Just want to fix this. Send us a

Re: [PATCH] Revert "net: Remove state argument from skb_find_text()"

On Sat, Feb 04, 2017 at 09:48:30PM -0800, Igor Pylypiv wrote: > This reverts commit 059a2440fd3cf4ec57735db2c0a90401cde84fca. > > Textsearch state parameter should be passed by pointer because > its resulting value is needed for call to textsearch_next(). You're right this renders

Re: [PATCH 1/1] gtp: support SGSN-side tunnels

On Mon, Feb 06, 2017 at 03:16:22PM +0100, Harald Welte wrote: > Hi Jonas, > > On Mon, Feb 06, 2017 at 02:33:07PM +0100, Jonas Bonn wrote: > > Fair enough. The use-case I am looking at involves PGW load-testing where > > the simulated load is generated locally on the SGSN so it _is_ seeing IP > >

Re: [PATCH 1/1] gtp: support SGSN-side tunnels

Hi Jonas, On Mon, Feb 06, 2017 at 02:33:07PM +0100, Jonas Bonn wrote: > Hi Pablo, > > On 02/06/2017 12:08 PM, Pablo Neira Ayuso wrote: > >Hi Jonas, > > > >On Fri, Feb 03, 2017 at 10:12:31AM +0100, Jonas Bonn wrote: > >>The GTP-tunnel driver is explici

Re: [PATCH] netfilter: xt_hashlimit: Fix integer divide round to zero.

On Sat, Feb 04, 2017 at 11:47:31PM +0100, Alban Browaeys wrote: > Diving the divider by the multiplier before applying to the input. > When this would "divide by zero", divide the multiplier by the divider > first then multiply the input by this value. > > Currently user2creds outputs zero when

Re: [PATCH 1/1] gtp: support SGSN-side tunnels

Hi Jonas, On Fri, Feb 03, 2017 at 10:12:31AM +0100, Jonas Bonn wrote: > The GTP-tunnel driver is explicitly GGSN-side as it searches for PDP > contexts based on the incoming packets _destination_ address. If we > want to write an SGSN, then we want to be idenityfing PDP contexts > based on

[PATCH 01/27] netfilter: merge udp and udplite conntrack helpers

268 87731 156b3 nf_conntrack.ko new: textdata bss dec hex filename 24421184 03626 e2a nf_conntrack_proto_udp.o 68565 17721 268 86554 1521a nf_conntrack.ko Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Nei

[PATCH 11/27] arptables: use match, target and data copy_to_user helpers

From: Willem de Bruijn <will...@google.com> Convert arptables to copying entries, matches and targets one by one, using the xt_match_to_user and xt_target_to_user helper functions. Signed-off-by: Willem de Bruijn <will...@google.com> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 08/27] xtables: add xt_match, xt_target and data copy_to_user functions

oogle.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/x_tables.h | 9 +++ net/netfilter/x_tables.c | 54 ++ 2 files changed, 63 insertions(+) diff --git a/include/linux/netfilter/x_tables.h b/inclu

[PATCH 06/27] netfilter: conntrack: validate SCTP crc32c in PREROUTING

smatching crc32c in the SCTP header. Signed-off-by: Davide Caratti <dcara...@redhat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_proto_sctp.c | 32 1 file changed, 32 insertions(+) diff

[PATCH 04/27] netfilter: nft_ct: add average bytes per packet support

From: Liping Zhang <zlpnob...@gmail.com> Similar to xt_connbytes, user can match how many average bytes per packet a connection has transferred so far. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/ua

[PATCH 05/27] netfilter: select LIBCRC32C together with SCTP conntrack

32c so that it is selected when NF_CT_PROTO_SCTP=y. Signed-off-by: Davide Caratti <dcara...@redhat.com> Reviewed-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/Kconfig | 2 +- 1 file changed, 1 insertion

[PATCH 09/27] iptables: use match, target and data copy_to_user helpers

From: Willem de Bruijn <will...@google.com> Convert iptables to copying entries, matches and targets one by one, using the xt_match_to_user and xt_target_to_user helper functions. Signed-off-by: Willem de Bruijn <will...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilte

[PATCH 10/27] ip6tables: use match, target and data copy_to_user helpers

From: Willem de Bruijn <will...@google.com> Convert ip6tables to copying entries, matches and targets one by one, using the xt_match_to_user and xt_target_to_user helper functions. Signed-off-by: Willem de Bruijn <will...@google.com> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 16/27] netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family

onvert it to PACKET_BROADCAST/MULTICAST according to the destination address's type; For ipv6, convert it to PACKET_MULTICAST directly. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_meta.c | 28 ++

[PATCH 12/27] ebtables: use match, target and data copy_to_user helpers

rwrite fields of an already copy_to_user'd struct with ebt_XXX_to_user helpers that copy all relevant fields of the struct from scratch. Signed-off-by: Willem de Bruijn <will...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilt

[PATCH 13/27] xtables: use match, target and data copy_to_user helpers in compat

From: Willem de Bruijn <will...@google.com> Convert compat to copying entries, matches and targets one by one, using the xt_match_to_user and xt_target_to_user helper functions. Signed-off-by: Willem de Bruijn <will...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilte

[PATCH 07/27] netfilter: xt_connlimit: use rb_entry()

From: Geliang Tang <geliangt...@gmail.com> To make the code clearer, use rb_entry() instead of container_of() to deal with rbtree. Signed-off-by: Geliang Tang <geliangt...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_connlimit.c | 4 ++

[PATCH 22/27] skbuff: add and use skb_nfct helper

From: Florian Westphal <f...@strlen.de> Followup patch renames skb->nfct and changes its type so add a helper to avoid intrusive rename change later. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- i

[PATCH 14/27] xtables: extend matches and targets with .usersize

the kernel" to find relevant matches and targets. Manually inspected the structs to derive a valid offsetof. Signed-off-by: Willem de Bruijn <will...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/ebt_limit.c | 1 + net/ipv4/netfilter/ipt

[PATCH 15/27] netfilter: pkttype: unnecessary to check ipv6 multicast address

From: Liping Zhang <zlpnob...@gmail.com> Since there's no broadcast address in IPV6, so in ipv6 family, the PACKET_LOOPBACK must be multicast packets, there's no need to check it again. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 18/27] netfilter: nf_tables: Eliminate duplicated code in nf_tables_table_enable()

ed-off-by: Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 48 ++- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_

[PATCH 27/27] netfilter: allow logging from non-init namespaces

/proc/sys/net/netfilter/nf_log_all_netns to a nonzero value. This sysctl is only accessible from init_net so that one cannot switch the behaviour from inside a container. Signed-off-by: Michal Kubecek <mkube...@suse.cz> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Docume

[PATCH 24/27] netfilter: guarantee 8 byte minalign for template addresses

the nf_conn entry protocol area. This works because templates are not handed off to L4 protocol trackers. Reported-by: kbuild test robot <fengguang...@intel.com> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/n

[PATCH 25/27] netfilter: merge ctinfo into nfct pointer storage area

) helpers, this is to avoid undoing the skb_nfct() use when we remove untracked conntrack object in the future. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/skbuff.h | 21 +

[PATCH 21/27] netfilter: reduce direct skb->nfct usage

From: Florian Westphal <f...@strlen.de> Next patch makes direct skb->nfct access illegal, reduce noise in next patch by using accessors we already have. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> ---

[PATCH 17/27] netfilter: nf_tables: eliminate useless condition checks

original condition checks. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 15 +++ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfil

[PATCH 20/27] netfilter: reset netfilter state when duplicating packet

ong _nfct' in followup patch. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_dup_ipv4.c | 2 +- net/ipv6/netfilter/nf_dup_ipv6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netf

[PATCH 23/27] netfilter: add and use nf_ct_set helper

From: Florian Westphal <f...@strlen.de> Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff. This avoids changing code in followup patch that merges skb->nfct and skb->nfctinfo into skb->_nfct. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-

[PATCH 19/27] netfilter: conntrack: no need to pass ctinfo to error handler

and returns early in this case. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_l4proto.h | 2 +- net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 12 ++-- net/ipv6/netfilter/nf

[PATCH 26/27] ipvs: free ip_vs_dest structs when refcnt=0

Signed-off-by: Simon Horman <ho...@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/ip_vs.h| 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 8 +++- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/include/net/ip_vs.h b/include/net/ip_v

[PATCH 02/27] netfilter: nat: merge udp and udplite helpers

ed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/Makefile | 1 - net/netfilter/nf_nat_proto_udp.c | 78 ++-- net/netfilter/nf_nat_proto_udplite.c | 73

[PATCH 03/27] netfilter: nf_tables: add missing descriptions in nft_ct_keys

From: Liping Zhang <zlpnob...@gmail.com> We missed to add descriptions about NFT_CT_LABELS, NFT_CT_PKTS and NFT_CT_BYTES, now add it. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_t

[PATCH 00/27] Netfilter updates for net-next

Hi David, The following patchset contains Netfilter updates for your net-next tree, they are: 1) Stash ctinfo 3-bit field into pointer to nf_conntrack object from sk_buff so we only access one single cacheline in the conntrack hotpath. Patchset from Florian Westphal. 2) Don't leak pointer

Re: [PATCH net-next v2 5/6] gtp: add socket to pdp context

On Thu, Feb 02, 2017 at 03:38:07PM +0100, Andreas Schultz wrote: > > > - On Feb 2, 2017, at 3:28 PM, pablo pa...@netfilter.org wrote: > > > On Thu, Feb 02, 2017 at 03:12:55PM +0100, Andreas Schultz wrote: > >> Hi, > >> > >> - On Feb 2, 2017, at 2:56 PM, pablo pa...@netfilter.org wrote:

Re: [PATCH net-next v2 1/6] gtp: make GTP sockets in gtp_newlink optional

On Thu, Feb 02, 2017 at 03:30:51PM +0100, Andreas Schultz wrote: > > > - On Feb 2, 2017, at 3:10 PM, pablo pa...@netfilter.org wrote: > > > On Mon, Jan 30, 2017 at 05:37:08PM +0100, Andreas Schultz wrote: > >> Having both GTPv0-U and GTPv1-U is not always desirable. > >> Fallback from

Re: [PATCH net-next v2 3/6] gtp: unify genl_find_pdp and prepare for per socket lookup

On Thu, Feb 02, 2017 at 03:27:17PM +0100, Andreas Schultz wrote: > > > - On Feb 2, 2017, at 3:19 PM, pablo pa...@netfilter.org wrote: > > > On Mon, Jan 30, 2017 at 05:37:10PM +0100, Andreas Schultz wrote: > >> This unifies duplicate code into a helper. It also prepares the > >> groundwork

Re: [PATCH net-next v2 5/6] gtp: add socket to pdp context

On Thu, Feb 02, 2017 at 03:12:55PM +0100, Andreas Schultz wrote: > Hi, > > - On Feb 2, 2017, at 2:56 PM, pablo pa...@netfilter.org wrote: > > > On Mon, Jan 30, 2017 at 05:37:12PM +0100, Andreas Schultz wrote: > >> Having the socket present in context simplifies the sending logic. > >> It

Re: [PATCH net-next v2 3/6] gtp: unify genl_find_pdp and prepare for per socket lookup

On Mon, Jan 30, 2017 at 05:37:10PM +0100, Andreas Schultz wrote: > This unifies duplicate code into a helper. It also prepares the > groundwork to add a lookup version that uses the socket to find > attache pdp contexts. > > Signed-off-by: Andreas Schultz > --- >

Re: [PATCH net-next v2 1/6] gtp: make GTP sockets in gtp_newlink optional

On Mon, Jan 30, 2017 at 05:37:08PM +0100, Andreas Schultz wrote: > Having both GTPv0-U and GTPv1-U is not always desirable. > Fallback from GTPv1-U to GTPv0-U was depreciated from 3GPP > Rel-8 onwards. Post Rel-8 implementation are discuraged > from listening on the v0 port (see 3GPP TS 29.281,

Re: [PATCH net-next v2 5/6] gtp: add socket to pdp context

On Mon, Jan 30, 2017 at 05:37:12PM +0100, Andreas Schultz wrote: > Having the socket present in context simplifies the sending logic. > It also fixes the invalid assumption that we have to use the same > sending socket for all client IP's on a specific gtp interface. > > Signed-off-by: Andreas

[ANNOUNCE] iptables 1.6.1 release

ove useless functions xtables-translate: add escape_quotes option to comment_xlate xtables-compat: check if nft ruleset is compatible xtables-compat: add rule cache xtables-translate-restore: do not escape quotes Pablo Neira Ayuso (13): nft: xtables: add generic pars

Re: [PATCH v2 net] net: free ip_vs_dest structs when refcnt=0

On Fri, Jan 27, 2017 at 09:07:38AM +0100, Simon Horman wrote: > On Thu, Jan 26, 2017 at 10:49:10PM +0200, Julian Anastasov wrote: > > > > Hello, > > > > On Mon, 23 Jan 2017, David Windsor wrote: > > > > > Currently, the ip_vs_dest cache frees ip_vs_dest objects when their > > > reference

[PATCH net] tcp: don't annotate mark on control socket from tcp_v6_send_response()

use to carry the mark unless we later on reset it back, which I discarded since it looks ugly to me. Fixes: bf99b4ded5f8 ("tcp: fix mark propagation with fwmark_reflect enabled") Suggested-by: Eric Dumazet <eric.duma...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfil

Re: [PATCH 02/14] tcp: fix mark propagation with fwmark_reflect enabled

On Thu, Jan 26, 2017 at 10:02:40AM -0800, Eric Dumazet wrote: > On Thu, 2017-01-26 at 17:37 +0100, Pablo Neira Ayuso wrote: > > From: Pau Espin Pedrol <pespin.s...@gmail.com> > > > > Otherwise, RST packets generated by the TCP stack for non-existing > > sockets

[PATCH 01/14] netfilter: use fwmark_reflect in nf_send_reset

@google.com> Signed-off-by: Pau Espin Pedrol <pau.es...@tessares.net> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++ net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++ 2 files changed, 5 insertions(+) diff --git a/net/ipv4/netf

[PATCH 10/14] netfilter: nf_tables: validate the name size when possible

igned-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 21 ++--- net/netfilter/nft_dynset.c| 3 ++- net/netfilter/nft_lookup.c| 3 ++- net/netfilter/nft_objref.c| 6 --

[PATCH 05/14] netfilter: nf_tables: fix possible oops when dumping stateful objects

/0x2a0 __netlink_dump_start+0x161/0x190 nf_tables_getobj+0xe8/0x280 [nf_tables] Fixes: a9fea2a3c3cf ("netfilter: nf_tables: allow to filter stateful object dumps by type") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/n

[PATCH 00/14] Netfilter fixes for net

possible netfilter: nft_log: restrict the log prefix length to 127 Pablo Neira Ayuso (3): netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL netfilter: nf_tables: deconstify walk callback function netfilter: nf_tables: bump set->ndeact on set flush Pau

[PATCH 03/14] netfilter: nf_tables: fix spelling mistakes

From: Alexander Alemayhu <alexan...@alemayhu.com> o s/numerice/numeric o s/opertaor/operator Signed-off-by: Alexander Alemayhu <alexan...@alemayhu.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 4 ++-- 1 file cha

[PATCH 02/14] tcp: fix mark propagation with fwmark_reflect enabled

b when the socket sends it. Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies") Cc: Lorenzo Colitti <lore...@google.com> Signed-off-by: Pau Espin Pedrol <pau.es...@tessares.net> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/ip_o

[PATCH 13/14] netfilter: nf_tables: deconstify walk callback function

The flush operation needs to modify set and element objects, so let's deconstify this. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 6 +++--- net/netfilter/nf_tables_api.c | 24 net/netfilter/nft_set_hash.c

[PATCH 12/14] netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL

ed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index b84c7b25219b..831a9a16f563 100644 --- a/net/netfilter

[PATCH 14/14] netfilter: nf_tables: bump set->ndeact on set flush

t x y # nft add element x y { 1.1.1.1 } :1:1-28: Error: Could not process rule: Too many open files in system Fixes: 8411b6442e59 ("netfilter: nf_tables: support for set flushing") Reported-by: Elise Lennion <elise.lenn...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@n

[PATCH 06/14] netfilter: Fix typo in NF_CONNTRACK Kconfig option description

2736 ("netfilter: add help information to new nf_tables Kconfig options") Signed-off-by: William Breathitt Gray <vilhelm.g...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[PATCH 11/14] netfilter: nft_log: restrict the log prefix length to 127

in output { type filter hook output priority 0; policy accept; } } So now, restrict the log prefix length to NF_LOG_PREFIXLEN-1. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <

[PATCH 08/14] netfilter: conntrack: remove GC_MAX_EVICTS break

trlen.de> Acked-by: Nicolas Dichtel <nicolas.dich...@6wind.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfi

[PATCH 04/14] netfilter: rpfilter: fix incorrect loopback packet judgment

ted broadcast/multicast, too") Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nft_fib.h| 6 ++ net/ipv4/netfilte

[PATCH 09/14] netfilter: conntrack: refine gc worker heuristics, redux

htel <nicolas.dich...@6wind.com> Acked-by: Nicolas Dichtel <nicolas.dich...@6wind.com> Tested-by: Denys Fedoryshchenko <nuclear...@nuclearcat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c | 39 --

[PATCH 07/14] netfilter: ipt_CLUSTERIP: fix build error without procfs

the check inside of another #ifdef. Fixes: 6c5d5cfbe3c5 ("netfilter: ipt_CLUSTERIP: check duplicate config when initializing") Signed-off-by: Arnd Bergmann <a...@arndb.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 7 ++

Re: [PATCH net v2 3/3] gtp: fix cross netns recv on gtp socket

ink creation). > > Remove the now obsolete net field from gtp_dev. > > Signed-off-by: Andreas Schultz <aschu...@tpip.net> Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>

Re: [PATCH net v2 1/3] gtp: add genl family modules alias

On Thu, Jan 26, 2017 at 04:11:32PM +0100, Andreas Schultz wrote: > Auto-load the module when userspace asks for the gtp netlink > family. > > Acked-by: Harald Welte <lafo...@netfilter.org> > Signed-off-by: Andreas Schultz <aschu...@tpip.net> Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>

Re: [PATCH net v2 2/3] gtp: clear DF bit on GTP packet txç

y fragment the GTP > > packet if needed, according to IPv4. > > Acked-by: Harald Welte <lafo...@netfilter.org> > Signed-off-by: Andreas Schultz <aschu...@tpip.net> Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>

Re: [PATCH 5/5] gtp: let userspace handle packets for invalid tunnels

On Tue, Jan 24, 2017 at 09:02:31PM +0100, Andreas Schultz wrote: > Hi Pablo, > > - On Jan 24, 2017, at 8:03 PM, pablo pa...@netfilter.org wrote: > > > Hi Andreas, > > > > On Tue, Jan 24, 2017 at 06:24:02PM +0100, Andreas Schultz wrote: > >> enable userspace to send error replies for invalid

Re: [PATCH 4/5] gtp: remove unnecessary rcu_read_lock

On Tue, Jan 24, 2017 at 06:24:01PM +0100, Andreas Schultz wrote: > The rcu read lock is hold by default in the ip input path. There > is no need to hold it twice in the socket recv decapsulate code path. I think this is net-next material since it is not essencial.

Re: [PATCH 2/5] gtp: clear DF bit on GTP packet tx

On Tue, Jan 24, 2017 at 06:23:59PM +0100, Andreas Schultz wrote: > 3GPP TS 29.281 and 3GPP TS 29.060 imply that GTP-U packets should be > sent with the DF bit cleared. For example 3GPP TS 29.060, Release 8, > Section 13.2.2: > > > Backbone router: Any router in the backbone may fragment the GTP >

<    7   8   9   10   11   12   13   14   15   16   >