Re: [PATCH 1/5] gtp: add genl family modules alias

2017-01-24 Thread Pablo Neira Ayuso
On Tue, Jan 24, 2017 at 06:23:58PM +0100, Andreas Schultz wrote: > Auto-load the module when userspace asks for the gtp netlink > family. This qualifies as fix, since autoload is broken. You may send a batch including this for David's net tree.

Re: [PATCH 3/5] gtp: fix cross netns recv on gtp socket

2017-01-24 Thread Pablo Neira Ayuso
On Tue, Jan 24, 2017 at 06:24:00PM +0100, Andreas Schultz wrote: > The use of the passed through netlink src_net to check for a > cross netns operation was wrong. Using the GTP socket and the > GTP netdevice is always correct (even if the netdev has been > moved to new netns after link creation).

Re: [PATCH 5/5] gtp: let userspace handle packets for invalid tunnels

2017-01-24 Thread Pablo Neira Ayuso
Hi Andreas, On Tue, Jan 24, 2017 at 06:24:02PM +0100, Andreas Schultz wrote: > enable userspace to send error replies for invalid tunnels > > Signed-off-by: Andreas Schultz > --- > drivers/net/gtp.c | 8 > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff

Re: [PATCH] netfilter: ipt_CLUSTERIP: fix build error without procfs

2017-01-18 Thread Pablo Neira Ayuso
On Fri, Jan 13, 2017 at 04:41:03PM +0100, Arnd Bergmann wrote: > We can't access c->pde if CONFIG_PROC_FS is disabled: > > net/ipv4/netfilter/ipt_CLUSTERIP.c: In function 'clusterip_config_find_get': > net/ipv4/netfilter/ipt_CLUSTERIP.c:147:9: error: 'struct clusterip_config' > has no member

Re: [PATCH] netfilter: Fix typo in NF_CONNTRACK Kconfig option description

2017-01-16 Thread Pablo Neira Ayuso
On Mon, Jan 09, 2017 at 05:24:18PM -0500, William Breathitt Gray wrote: > The NF_CONNTRACK Kconfig option description makes an incorrect reference > to the "meta" expression where the "ct" expression would be correct. This > patch fixes the respective typographical error. Applied, thanks.

Re: [PATCH nf-next 0/7] xtables: use dedicated copy_to_user helpers

2017-01-09 Thread Pablo Neira Ayuso
On Mon, Jan 02, 2017 at 05:19:39PM -0500, Willem de Bruijn wrote: > From: Willem de Bruijn > > xtables list and save interfaces share xt_match and xt_target state > with userspace. The kernel and userspace definitions of these structs > differ. Currently, the structs are

Re: [PATCH] netfilter: xt_connlimit: use rb_entry()

2017-01-05 Thread Pablo Neira Ayuso
On Tue, Dec 20, 2016 at 10:02:13PM +0800, Geliang Tang wrote: > To make the code clearer, use rb_entry() instead of container_of() to > deal with rbtree. Applied this one to nf-next, thanks.

[PATCH 5/6] netfilter: ipt_CLUSTERIP: check duplicate config when initializing

2017-01-05 Thread Pablo Neira Ayuso
l to make sure it can't be used until the proc file node creation is done. Suggested-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> Signed-off-by: Xin Long <lucien@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/net

[PATCH 2/6] netfilter: nft_queue: use raw_smp_processor_id()

2017-01-05 Thread Pablo Neira Ayuso
] [] check_preemption_disabled+0xe5/0xf5 [19379.552842] [] debug_smp_processor_id+0x17/0x19 [19379.552849] [] nft_queue_eval+0x35/0x20c [nft_queue] No need to disable preemption since we only fetch the numeric value, so let's use raw_smp_processor_id() instead. Signed-off-by: Pablo Neira Ayuso <

[PATCH 6/6] bridge: netfilter: Fix dropping packets that moving through bridge interface

2017-01-05 Thread Pablo Neira Ayuso
rk can not communicate with each other. Fixes: c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh") Signed-off-by: Artur Molchanov <artur.molcha...@synesis.ru> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- n

[PATCH 4/6] netfilter: nft_payload: mangle checksum if NFT_PAYLOAD_L4CSUM_PSEUDOHDR is set

2017-01-05 Thread Pablo Neira Ayuso
("netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_payload.c | 27 +++ 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/net/netfilter/nft

[PATCH 3/6] netfilter: nf_tables: fix oob access

2017-01-05 Thread Pablo Neira Ayuso
passes != nft_expr_last() check. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_

[PATCH 0/6] Netfilter fixes for net

2017-01-05 Thread Pablo Neira Ayuso
Molchanov (1): bridge: netfilter: Fix dropping packets that moving through bridge interface Florian Westphal (1): netfilter: nf_tables: fix oob access Pablo Neira Ayuso (3): netfilter: nft_quota: reset quota after dump netfilter: nft_queue: use raw_smp_processor_id

[PATCH 1/6] netfilter: nft_quota: reset quota after dump

2017-01-05 Thread Pablo Neira Ayuso
<eric.duma...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_quota.c | 26 ++ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c index bd6efc53f26d..2d6fe35

Re: [PATCHv2 net] netfilter: check duplicate config when initializing in ipt_CLUSTERIP

2016-12-23 Thread Pablo Neira Ayuso
On Tue, Dec 20, 2016 at 07:14:34PM +0800, Xin Long wrote: > Now when adding an ipt_CLUSTERIP rule, it only checks duplicate config in > clusterip_config_find_get(). But after that, there may be still another > thread to insert a config with the same ip, then it leaves proc_create_data > to do

[ANNOUNCE] nftables 0.7 release

2016-12-20 Thread Pablo Neira Ayuso
es tests: py: any: Make tests more generic by using other interfaces tests: py: any: Remove duplicate tests Nicholas Vinson (1): nft: configure.ac: Replace magic dblatex dep. Pablo Neira (2): src: expose delinearize/linearize structures and stmt_error() src: trigger la

Re: [PATCH net] netfilter: check duplicate config when initializing in ipt_CLUSTERIP

2016-12-19 Thread Pablo Neira Ayuso
On Thu, Dec 15, 2016 at 12:31:40PM +0800, Xin Long wrote: > @@ -185,6 +186,17 @@ clusterip_config_init(const struct > ipt_clusterip_tgt_info *i, __be32 ip, > atomic_set(>refcount, 1); > atomic_set(>entries, 1); > > + spin_lock_bh(>lock); > + if (__clusterip_config_find(net,
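Review bot: the duplicate check is now taken under spin_lock_bh(>lock) only after refcount and entries have already been set to 1, and the hunk is cut off before the branch body; confirm that the path taken when __clusterip_config_find(net, ...) finds an existing entry releases the lock with spin_unlock_bh before returning an error, and that nothing that can sleep is attempted while this BH-disabled lock is held.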

[PATCH 2/2] gtp: Fix initialization of Flags octet in GTPv1 header

2016-12-15 Thread Pablo Neira Ayuso
ection 6 of 3GPP TS 29.060 v13.5.0 Release 13, available from http://www.etsi.org/deliver/etsi_ts/129000_129099/129060/13.05.00_60/ts_129060v130500p.pdf Signed-off-by: Harald Welte <lafo...@gnumonks.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- drivers/net/gtp.c | 4 ++

[PATCH 0/2] GTP tunneling fixes for net

2016-12-15 Thread Pablo Neira Ayuso
Hi David, The following patchset contains two GTP tunneling fixes for your net tree, they are: 1) Offset to IPv4 header in gtp_check_src_ms_ipv4() is incorrect, thus this function always succeeds and therefore this defeats this sanity check. This allows packets that have no PDP to go

[PATCH 1/2] gtp: gtp_check_src_ms_ipv4() always return success

2016-12-15 Thread Pablo Neira Ayuso
to this function is successful. Signed-off-by: Lionel Gauthier <lionel.gauth...@eurecom.fr> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- drivers/net/gtp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c inde

[PATCH net-next] netfilter: nft_counter: rework atomic dump and reset

2016-12-11 Thread Pablo Neira Ayuso
teful objects") Suggested-by: Eric Dumazet <eric.duma...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- v2: adjust stats on reset on the current cpu, turn 64bit counters into signed. @David: Please, take this into net-next to help speed up thing, t

Re: [PATCH net-next] netfilter: nft_counter: rework atomic dump and reset

2016-12-11 Thread Pablo Neira Ayuso
On Sat, Dec 10, 2016 at 07:40:08AM -0800, Eric Dumazet wrote: > On Sat, 2016-12-10 at 15:25 +0100, Pablo Neira Ayuso wrote: > > On Sat, Dec 10, 2016 at 03:16:55PM +0100, Pablo Neira Ayuso wrote: > = > > > > - nft_counter_fetch(priv, , reset); > >

Re: [PATCH net-next] netfilter: nft_counter: rework atomic dump and reset

2016-12-10 Thread Pablo Neira Ayuso
On Sat, Dec 10, 2016 at 03:16:55PM +0100, Pablo Neira Ayuso wrote: > On Sat, Dec 10, 2016 at 03:05:41PM +0100, Pablo Neira Ayuso wrote: > [...] > > -static void nft_counter_reset(struct nft_counter_percpu __percpu *counter, > > - struct

Re: [PATCH net-next] netfilter: nft_counter: rework atomic dump and reset

2016-12-10 Thread Pablo Neira Ayuso
On Sat, Dec 10, 2016 at 03:05:41PM +0100, Pablo Neira Ayuso wrote: [...] > -static void nft_counter_reset(struct nft_counter_percpu __percpu *counter, > - struct nft_counter *total) > -{ > - struct nft_counter_percpu *cpu_stats; > - u64

[PATCH net-next] netfilter: nft_counter: rework atomic dump and reset

2016-12-10 Thread Pablo Neira Ayuso
on original sketch from Eric Dumazet. Suggested-by: Eric Dumazet <eric.duma...@gmail.com> Fixes: 43da04a593d8 ("netfilter: nf_tables: atomic dump and reset for stateful objects") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilt

Re: [PATCH] ARM: add cmpxchg64 helper for ARMv7-M

2016-12-10 Thread Pablo Neira Ayuso
Hi Arnd, On Sat, Dec 10, 2016 at 11:36:34AM +0100, Arnd Bergmann wrote: > A change to the netfilter code in net-next introduced the first caller of > cmpxchg64 that can get built on ARMv7-M, leading to an error from the > assembler that points out the lack of 64-bit atomics on this architecture:

Re: [PATCH 37/50] netfilter: nf_tables: atomic dump and reset for stateful objects

2016-12-10 Thread Pablo Neira Ayuso
On Fri, Dec 09, 2016 at 07:22:06AM -0800, Eric Dumazet wrote: > On Fri, 2016-12-09 at 06:24 -0800, Eric Dumazet wrote: > > > It looks that you want a seqcount, even on 64bit arches, > > so that CPU 2 can restart its loop, and more importantly you need > > to not accumulate the values you read,

Re: [PATCH 37/50] netfilter: nf_tables: atomic dump and reset for stateful objects

2016-12-09 Thread Pablo Neira Ayuso
Hi Paul, On Thu, Dec 08, 2016 at 07:40:14PM -0500, Paul Gortmaker wrote: > On Wed, Dec 7, 2016 at 4:52 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > This patch adds a new NFT_MSG_GETOBJ_RESET command perform an atomic > > dump-and-reset of the stateful object. Thi

[PATCH 27/50] netfilter: nft_fib_ipv4: initialize *dest to zero

2016-12-07 Thread Pablo Neira Ayuso
uot;) Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nft_fib_ipv4.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b

[PATCH 03/50] netfilter: update Arturo Borrero Gonzalez email address

2016-12-07 Thread Pablo Neira Ayuso
From: Arturo Borrero Gonzalez <art...@debian.org> The email address has changed, let's update the copyright statements. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nft_masq_ipv4.c

[PATCH 06/50] netfilter: built-in NAT support for UDPlite

2016-12-07 Thread Pablo Neira Ayuso
uiltin| 408048 || 2241312 UDPLITE builtin | -|| 2577256 Signed-off-by: Davide Caratti <dcara...@redhat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_nat_l4proto.h | 3 +++ net/netfilter/Kconfig | 2

[PATCH 32/50] netfilter: nf_tables: add stateful objects

2016-12-07 Thread Pablo Neira Ayuso
and quotas. This patch provides a native infrastructure for nf_tables to replace nfacct, the extended accounting infrastructure for iptables. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h| 79 + include/uapi/linux/netfilter/nf_tables.h

[PATCH 00/50] Netfilter/IPVS updates for net-next

2016-12-07 Thread Pablo Neira Ayuso
etfilter: x_tables: avoid warn and OOM killer on vmalloc call Pablo Neira Ayuso (17): Merge tag 'ipvs-for-v4.10' of https://git.kernel.org/.../horms/ipvs-next netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields netfilter: nf_tables: add stateful objects

[PATCH 26/50] netfilter: nft_fib: convert htonl to ntohl properly

2016-12-07 Thread Pablo Neira Ayuso
From: Liping Zhang <zlpnob...@gmail.com> Actually ntohl and htonl are identical, so this doesn't affect anything, but it is conceptually wrong. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso &l

[PATCH 23/50] netfilter: x_tables: pass xt_counters struct instead of packet counter

2016-12-07 Thread Pablo Neira Ayuso
hal <f...@strlen.de> Acked-by: Eric Dumazet <eduma...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/x_tables.h | 6 +- net/ipv4/netfilter/arp_tables.c| 4 ++-- net/ipv4/netfilter/ip_tables.c | 4 ++-- net/ipv6/netfi

[PATCH 05/50] netfilter: built-in NAT support for SCTP

2016-12-07 Thread Pablo Neira Ayuso
uiltin| 428344 || 2241312 SCTP builtin | -|| 2597032 Signed-off-by: Davide Caratti <dcara...@redhat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_nat_l4proto.h | 3 +++ net/netfilter/Kconfig | 2 +- net/

[PATCH 30/50] netfilter: ingress: translate 0 nf_hook_slow retval to -1

2016-12-07 Thread Pablo Neira Ayuso
it's just important that it's less than 0, so return -1. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter_ingress.h | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/include/linux/n

[PATCH 31/50] netfilter: add and use nf_fwd_netdev_egress

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> ... so we can use current skb instead of working with a clone. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_dup_netdev.h | 1 + net/netfilt

[PATCH 29/50] netfilter: xt_multiport: Fix wrong unmatch result with multiple ports

2016-12-07 Thread Pablo Neira Ayuso
se directly when the first port is unmatched. Fixes: dd2602d00f80 ("netfilter: xt_multiport: Use switch case instead of multiple condition checks") Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_multiport.c |

[PATCH 39/50] netfilter: nft_quota: add depleted flag for objects

2016-12-07 Thread Pablo Neira Ayuso
Notify on depleted quota objects. The NFT_QUOTA_F_DEPLETED flag indicates we have reached overquota. Add pointer to table from nft_object, so we can use it when sending the depletion notification to userspace. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/net

[PATCH 15/50] netfilter: nat: add dependencies on conntrack module

2016-12-07 Thread Pablo Neira Ayuso
hal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/ipt_MASQUERADE.c | 8 +++- net/netfilter/xt_NETMAP.c | 11 +-- net/netfilter/xt_REDIRECT.c | 12 ++-- net/netfilter/xt_nat.c | 18 +

[PATCH 24/50] netfilter: x_tables: pass xt_counters struct to counter allocator

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Keeps some noise away from a followup patch. Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Eric Dumazet <eduma...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/n

[PATCH 14/50] netfilter: add and use nf_ct_netns_get/put

2016-12-07 Thread Pablo Neira Ayuso
ly enable connection tracking in those that need conntrack. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h | 4 net/ipv4/netfilter/ipt_CLUSTERIP.c | 4 ++-- net/ipv4/netfilter/i

[PATCH 43/50] netfilter: rpfilter: bypass ipv4 lbcast packets with zeronet source

2016-12-07 Thread Pablo Neira Ayuso
From: Liping Zhang <zlpnob...@gmail.com> Otherwise, DHCP Discover packets (0.0.0.0->255.255.255.255) may be dropped incorrectly. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netf

[PATCH 25/50] netfilter: x_tables: pack percpu counter allocations

2016-12-07 Thread Pablo Neira Ayuso
calls to the percpu allocator. As Eric points out we can't use PAGE_SIZE, page_allocator would fail on arches with 64k page size. Suggested-by: Eric Dumazet <eduma...@google.com> Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Eric Dumazet <eduma...@google.com> Signed-off-b

[PATCH 09/50] netfilter: nf_conntrack_tuple_common.h: fix #include

2016-12-07 Thread Pablo Neira Ayuso
dition, #include line has been added to resolve correctly CTINFO2DIR macro. Signed-off-by: Davide Caratti <dcara...@redhat.com> Acked-by: Mikko Rapeli <mikko.rap...@iki.fi> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_conntrack_tuple_common.h

[PATCH 04/50] netfilter: built-in NAT support for DCCP

2016-12-07 Thread Pablo Neira Ayuso
uiltin| 409800 || 2241312 DCCP builtin | -|| 2578968 Signed-off-by: Davide Caratti <dcara...@redhat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_nat_l4proto.h | 3 +++ net/netfilter/Kconfig | 2 +- net/

[PATCH 16/50] netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions

2016-12-07 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> so that conntrack core will add the needed hooks in this namespace. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nft_masq_ipv4.c | 7 +++

[PATCH 35/50] netfilter: nf_tables: add stateful object reference expression

2016-12-07 Thread Pablo Neira Ayuso
This new expression allows us to refer to existing stateful objects from rules. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 14 net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile | 1

[PATCH 44/50] netfilter: nat: skip checksum on offload SCTP packets

2016-12-07 Thread Pablo Neira Ayuso
ode computes the CRC, to prevent offloaders from computing it again (on ixgbe this resulted in a transmission with wrong L4 checksum). Signed-off-by: Davide Caratti <dcara...@redhat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_nat_proto_sctp.c | 5

[PATCH 22/50] netfilter: convert while loops to for loops

2016-12-07 Thread Pablo Neira Ayuso
From: Aaron Conole <acon...@bytheb.org> This is to facilitate converting from a singly-linked list to an array of elements. Signed-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/br_netfilter_hooks.c | 8 -

[PATCH 41/50] netfilter: nft_objref: support for stateful object maps

2016-12-07 Thread Pablo Neira Ayuso
and named maps. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 6 ++ net/netfilter/nf_tables_api.c| 4 ++ net/netfilter/nft_objref.c | 116 ++- 3 files changed, 125 insertions(+), 1 de

[PATCH 40/50] netfilter: nf_tables: add stateful object reference to set elements

2016-12-07 Thread Pablo Neira Ayuso
arbitrary key combination. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h| 9 include/uapi/linux/netfilter/nf_tables.h | 8 net/netfilter/nf_tables_api.c| 72 +++- 3 files changed, 79 inse

[PATCH 42/50] netfilter: nf_tables: allow to filter stateful object dumps by type

2016-12-07 Thread Pablo Neira Ayuso
This patch adds the netlink code to filter out dump of stateful objects, through the NFTA_OBJ_TYPE netlink attribute. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 50 +++ 1 file changed, 50 insertions(+)

[PATCH 34/50] netfilter: nft_quota: add stateful object type

2016-12-07 Thread Pablo Neira Ayuso
Register a new quota stateful object type into the new stateful object infrastructure. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nft_quota.c| 96 +++- 2 files chang

[PATCH 28/50] netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields

2016-12-07 Thread Pablo Neira Ayuso
ft_payload.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2008-2009 Patrick McHardy <ka...@trash.net> + * Copyright (c) 2016 Pablo Neira Ayuso <pa...@netfilter.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public Licen

[PATCH 49/50] netfilter: xt_bpf: support ebpf

2016-12-07 Thread Pablo Neira Ayuso
d save. Signed-off-by: Willem de Bruijn <will...@google.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/xt_bpf.h | 21 net/netfilter/xt_bpf.c| 96 +-- 2 files changed, 101 insertions(+), 16

[PATCH 37/50] netfilter: nf_tables: atomic dump and reset for stateful objects

2016-12-07 Thread Pablo Neira Ayuso
This patch adds a new NFT_MSG_GETOBJ_RESET command to perform an atomic dump-and-reset of the stateful object. This also adds support for atomic dump and reset for counter and quota objects. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_ta

[PATCH 45/50] netfilter: nf_tables: constify struct nft_ctx * parameter in nft_trans_alloc()

2016-12-07 Thread Pablo Neira Ayuso
Context is not modified by nft_trans_alloc(), so constify it. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c

[PATCH 48/50] netfilter: x_tables: avoid warn and OOM killer on vmalloc call

2016-12-07 Thread Pablo Neira Ayuso
oogle.com> Cc: Florian Westphal <f...@strlen.de> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/x_tables.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/

[PATCH 50/50] netfilter: nft_quota: allow to restore consumed quota

2016-12-07 Thread Pablo Neira Ayuso
Allow to restore consumed quota, this is useful to restore the quota state across reboots. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_quota.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nft_quota.c

[PATCH 46/50] netfilter: nft_set: introduce nft_{hash, rbtree}_deactivate_one()

2016-12-07 Thread Pablo Neira Ayuso
This new function allows us to deactivate one single element, this is required by the set flush command that comes in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_set_hash.c | 24 +--- net/netfilter/nft_set_rbtree.

[PATCH 47/50] netfilter: nf_tables: support for set flushing

2016-12-07 Thread Pablo Neira Ayuso
lement walk path, given we can skip the lookup that happens in ->deactivate(). 2) Add a new nft_trans_alloc_gfp() function since we need to allocate transactions using GFP_ATOMIC given the set walk path happens with held rcu_read_lock. Signed-off-by: Pablo Neira Ayuso <pa...@n

[PATCH 18/50] netfilter: conntrack: add nf_conntrack_default_on sysctl

2016-12-07 Thread Pablo Neira Ayuso
latter approach, i.e. a put() without a get has no effect. Conntrack is still enabled automatically regardless of the new sysctl setting if the new net namespace requires connection tracking, e.g. when NAT rules are created. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo

[PATCH 36/50] netfilter: nft_quota: dump consumed quota

2016-12-07 Thread Pablo Neira Ayuso
, instead of the bytes that remain to be consumed. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_quota.c| 21 - 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/includ

[PATCH 17/50] netfilter: conntrack: register hooks in netns when needed by ruleset

2016-12-07 Thread Pablo Neira Ayuso
hal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_l3proto.h | 4 ++ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 55 -- net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 54 +++---

[PATCH 20/50] netfilter: introduce accessor functions for hook entries

2016-12-07 Thread Pablo Neira Ayuso
From: Aaron Conole <acon...@bytheb.org> This allows easier future refactoring. Signed-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter.h | 27 +++ net/bridge/br_netf

[PATCH 33/50] netfilter: nft_counter: add stateful object type

2016-12-07 Thread Pablo Neira Ayuso
Register a new percpu counter stateful object type into the stateful object infrastructure. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nft_counter.c | 140 +-- 2 files c

[PATCH 38/50] netfilter: nf_tables: notify internal updates of stateful objects

2016-12-07 Thread Pablo Neira Ayuso
Introduce nf_tables_obj_notify() to notify internal state changes in stateful objects. This is used by the quota object to report depletion in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 4 net/netfilter/nf_tables

[PATCH 19/50] netfilter: defrag: only register defrag functionality if needed

2016-12-07 Thread Pablo Neira Ayuso
reason is that defrag has impact on nft and iptables rulesets (without defrag we might see fragments). Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/ipv4/nf_defrag_ipv4.h| 3 +- include/net/netfilter/ipv6/nf_def

[PATCH 11/50] netfilter: conntrack: built-in support for SCTP

2016-12-07 Thread Pablo Neira Ayuso
<dcara...@redhat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 3 + include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 3 + include/net/netns/conntrack.h | 13 + net/ipv4/netfilter/nf_conntrack_l3proto_

[PATCH 21/50] netfilter: decouple nf_hook_entry and nf_hook_ops

2016-12-07 Thread Pablo Neira Ayuso
ry struct is now 32 bytes on x86_64. A followup patch will turn the run-time list into an array that only stores hook functions plus their priv arguments, eliminating the ->next element. Suggested-by: Florian Westphal <f...@strlen.de> Signed-off-by: Aaron Conole <acon...@bytheb.org> Si

[PATCH 02/50] ipvs: Decrement ttl

2016-12-07 Thread Pablo Neira Ayuso
From: Dwip Banerjee We decrement the IP ttl in all the modes in order to prevent infinite route loops. The changes were done based on Julian Anastasov's suggestions in a prior thread. The ttl based check/discard and the actual decrement are done in __ip_vs_get_out_rt()

[PATCH 08/50] netfilter: nfnetlink_log: add "nf-logger-5-1" module alias name

2016-12-07 Thread Pablo Neira Ayuso
From: Liping Zhang <zlpnob...@gmail.com> So we can autoload nfnetlink_log.ko when the user adding nft log group X rule in netdev family. Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_l

[PATCH 13/50] netfilter: conntrack: remove unused init_net hook

2016-12-07 Thread Pablo Neira Ayuso
wup patch to add conditional register of the hooks. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_l3proto.h | 3 --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 -- net/ne

[PATCH 01/50] ipvs: Use IS_ERR_OR_NULL(svc) instead of IS_ERR(svc) || svc == NULL

2016-12-07 Thread Pablo Neira Ayuso
From: Gao Feng This minor refactoring does not change the logic of function ip_vs_genl_dump_dests. Signed-off-by: Gao Feng Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_ctl.c | 2 +- 1

[PATCH 07/50] netfilter: nf_log: do not assume ethernet header in netdev family

2016-12-07 Thread Pablo Neira Ayuso
ra parameter into nf_log_l2packet to solve this issue. Fixes: 1fddf4bad0ac ("netfilter: nf_log: add packet logging for netdev family") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_log.h

[PATCH 10/50] netfilter: conntrack: built-in support for DCCP

2016-12-07 Thread Pablo Neira Ayuso
<dcara...@redhat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/nf_conntrack_dccp.h| 2 +- include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 3 + include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 3 + include/net/netns/conntrack.h

[PATCH 12/50] netfilter: conntrack: built-in support for UDPlite

2016-12-07 Thread Pablo Neira Ayuso
aratti <dcara...@redhat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 3 + include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 3 + include/net/netns/conntrack.h | 16 ++ net/ipv4/netfilter/nf_conntrack_l

Re: [PATCH nf-next v2] netfilter: xt_bpf: support ebpf

2016-12-07 Thread Pablo Neira Ayuso
On Tue, Dec 06, 2016 at 04:25:02PM -0500, Willem de Bruijn wrote: > From: Willem de Bruijn > > Add support for attaching an eBPF object by file descriptor. > > The iptables binary can be called with a path to an elf object or a > pinned bpf object. Also pass the mode and

Re: [PATCH v2] netfilter: avoid warn and OOM killer on vmalloc call

2016-12-06 Thread Pablo Neira Ayuso
On Fri, Dec 02, 2016 at 07:46:38AM -0200, Marcelo Ricardo Leitner wrote: > Andrey Konovalov reported that this vmalloc call is based on an > userspace request and that it's spewing traces, which may flood the logs > and cause DoS if abused. > > Florian Westphal also mentioned that this call

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Pablo Neira Ayuso
On Mon, Dec 05, 2016 at 06:06:05PM -0500, Willem de Bruijn wrote: [...] > Eric also suggests a private variable to avoid being subject to > changes to PATH_MAX. Then we can indeed also choose an arbitrary lower > length than current PATH_MAX. Good. > FWIW, there is a workaround for users with

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Pablo Neira Ayuso
On Mon, Dec 05, 2016 at 02:59:09PM -0800, Eric Dumazet wrote: > On Mon, 2016-12-05 at 23:40 +0100, Florian Westphal wrote: > > > Fair enough, I have no objections to the patch. > > An additional question is about PATH_MAX : > > Is it guaranteed to stay at 4096 forever ? > > To be safe, maybe

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Pablo Neira Ayuso
On Mon, Dec 05, 2016 at 11:34:15PM +0100, Pablo Neira Ayuso wrote: > On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote: > > Eric Dumazet <eric.duma...@gmail.com> wrote: > > > On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote: > &

Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-05 Thread Pablo Neira Ayuso
On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote: > Eric Dumazet wrote: > > On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote: > > > From: Willem de Bruijn > > > > > > Add support for attaching an eBPF object by file

Re: [GIT PULL nf-next 0/2] IPVS Updates for v4.10

2016-12-04 Thread Pablo Neira Ayuso
On Tue, Nov 15, 2016 at 10:01:41AM +0100, Simon Horman wrote: > Hi Pablo, > > please consider these enhancements to the IPVS for v4.10. > > * Decrement the IP ttl in all the modes in order to prevent infinite > route loops. Thanks to Dwip Banerjee. > * Use IS_ERR_OR_NULL macro. Clean-up from

[PATCH 00/11] Netfilter fixes for net

2016-11-30 Thread Pablo Neira Ayuso
Hi David, This is a large batch of Netfilter fixes for net; they are: 1) Three patches to fix NAT conversion to rhashtable: Switch to the rhlist structure that allows having several objects with the same key. Moreover, fix wrong comparison logic in nf_nat_bysource_cmp() as this is

[PATCH 10/11] netfilter: ipv6: nf_defrag: drop mangled skb on ream error

2016-11-30 Thread Pablo Neira Ayuso
operations") Reported-by: Dmitry Vyukov <dvyu...@google.com> Debugged-by: Andrey Konovalov <andreyk...@google.com> Diagnosed-by: Eric Dumazet Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Eric Dumazet <eduma...@google.com> Signed-off-by: Pablo Neira Ayuso <p

[PATCH 11/11] netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel

2016-11-30 Thread Pablo Neira Ayuso
-by: Hongxu Jia <hongxu@windriver.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter/arp_tables.c b/net/i

[PATCH 09/11] netfilter: nat: fix crash when conntrack entry is re-used

2016-11-30 Thread Pablo Neira Ayuso
()-inited area. Fixes: 7c9664351980aaa6a ("netfilter: move nat hlist_head to nf_conn") Reported-by: Stas Nichiporovich <stas...@gmail.com> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfil

[PATCH 04/11] netfilter: nft_hash: validate maximum value of u32 netlink hash attribute

2016-11-30 Thread Pablo Neira Ayuso
es: cb1b69b0b15b ("netfilter: nf_tables: add hash expression") Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_hash.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ne

[PATCH 03/11] netfilter: fix nf_conntrack_helper documentation

2016-11-30 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Since kernel 4.7 this defaults to off. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Documentation/networking/nf_conntrack-sysctl.txt | 7 +-- 1 file changed, 5 insertio

[PATCH 08/11] netfilter: nft_range: add the missing NULL pointer check

2016-11-30 Thread Pablo Neira Ayuso
From: Liping Zhang <zlpnob...@gmail.com> Otherwise, kernel panic will happen if the user does not specify the related attributes. Fixes: 0f3cd9b36977 ("netfilter: nf_tables: add range expression") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by:

[PATCH 07/11] netfilter: nf_tables: fix inconsistent element expiration calculation

2016-11-30 Thread Pablo Neira Ayuso
sets. Fixes: a8b1e36d0d1d ("netfilter: nft_dynset: fix element timeout for HZ != 1000") Reported-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Anders K. Pedersen <a...@cohaesio.com> Acked-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa.

[PATCH 05/11] netfilter: nat: fix cmp return value

2016-11-30 Thread Pablo Neira Ayuso
to get hashed to same bucket). The second case results in unneeded port conflict resolutions attempts. Fixes: 870190a9ec907 ("netfilter: nat: convert nat bysrc hash to rhashtable") Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilte

[PATCH 02/11] netfilter: Update nf_send_reset6 to consider L3 domain

2016-11-30 Thread Pablo Neira Ayuso
rently attached to the skb. Signed-off-by: David Ahern <d...@cumulusnetworks.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv6/netfilter/nf_reject_ipv6.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilte

[PATCH 01/11] netfilter: Update ip_route_me_harder to consider L3 domain

2016-11-30 Thread Pablo Neira Ayuso
; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c index c3776ff6749f..b3cc1335adbc 100644 --- a/net/ipv4/netfilter.c +++ b/net/ipv4/netfilter.c @@ -2

[PATCH 06/11] netfilter: nat: switch to new rhlist interface

2016-11-30 Thread Pablo Neira Ayuso
netfilter: nat: convert nat bysrc hash to rhashtable") Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h | 2 +- net/netfilter/nf_nat_core.c | 40 +--

Re: SNAT --random & fully is not actually random for ips

2016-11-28 Thread Pablo Neira Ayuso
On Mon, Nov 28, 2016 at 01:12:07PM +0200, Denys Fedoryshchenko wrote: > On 2016-11-28 13:06, Pablo Neira Ayuso wrote: > >Why does your patch revert NF_NAT_RANGE_PROTO_RANDOM_FULLY? > > Oops, sorry, I just made a mistake with files, actually it is in reverse ( did > this patch, and

Re: SNAT --random & fully is not actually random for ips

2016-11-28 Thread Pablo Neira Ayuso
On Mon, Nov 28, 2016 at 12:45:59PM +0200, Denys Fedoryshchenko wrote: > Hello, > > I noticed that if I specify -j SNAT with options --random --random-fully > it still keeps persistence for source IP. So you specify both? > Actually a truly random src ip is required in some scenarios like links
