On Tue, Jan 24, 2017 at 06:23:58PM +0100, Andreas Schultz wrote:
> Auto-load the module when userspace asks for the gtp netlink
> family.
This qualifies as a fix, since autoload is broken.
You may send a batch including this for David's net tree.
On Tue, Jan 24, 2017 at 06:24:00PM +0100, Andreas Schultz wrote:
> The use of the passed through netlink src_net to check for a
> cross netns operation was wrong. Using the GTP socket and the
> GTP netdevice is always correct (even if the netdev has been
> moved to new netns after link creation).
Hi Andreas,
On Tue, Jan 24, 2017 at 06:24:02PM +0100, Andreas Schultz wrote:
> enable userspace to send error replies for invalid tunnels
>
> Signed-off-by: Andreas Schultz
> ---
> drivers/net/gtp.c | 8
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff
On Fri, Jan 13, 2017 at 04:41:03PM +0100, Arnd Bergmann wrote:
> We can't access c->pde if CONFIG_PROC_FS is disabled:
>
> net/ipv4/netfilter/ipt_CLUSTERIP.c: In function 'clusterip_config_find_get':
> net/ipv4/netfilter/ipt_CLUSTERIP.c:147:9: error: 'struct clusterip_config'
> has no member
On Mon, Jan 09, 2017 at 05:24:18PM -0500, William Breathitt Gray wrote:
> The NF_CONNTRACK Kconfig option description makes an incorrect reference
> to the "meta" expression where the "ct" expression would be correct. This
> patch fixes the respective typographical error.
Applied, thanks.
On Mon, Jan 02, 2017 at 05:19:39PM -0500, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> xtables list and save interfaces share xt_match and xt_target state
> with userspace. The kernel and userspace definitions of these structs
> differ. Currently, the structs are
On Tue, Dec 20, 2016 at 10:02:13PM +0800, Geliang Tang wrote:
> To make the code clearer, use rb_entry() instead of container_of() to
> deal with rbtree.
Applied this one to nf-next, thanks.
l to make sure
it can't be used until the proc file node creation is done.
Suggested-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com>
Signed-off-by: Xin Long <lucien@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/net
] [] check_preemption_disabled+0xe5/0xf5
[19379.552842] [] debug_smp_processor_id+0x17/0x19
[19379.552849] [] nft_queue_eval+0x35/0x20c [nft_queue]
No need to disable preemption since we only fetch the numeric value, so
let's use raw_smp_processor_id() instead.
Signed-off-by: Pablo Neira Ayuso <
rk can not communicate with each
other.
Fixes: c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
Signed-off-by: Artur Molchanov <artur.molcha...@synesis.ru>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
n
("netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields")
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_payload.c | 27 +++
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/nft
passes != nft_expr_last() check.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_
Molchanov (1):
bridge: netfilter: Fix dropping packets that moving through bridge
interface
Florian Westphal (1):
netfilter: nf_tables: fix oob access
Pablo Neira Ayuso (3):
netfilter: nft_quota: reset quota after dump
netfilter: nft_queue: use raw_smp_processor_id
<eric.duma...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_quota.c | 26 ++
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
index bd6efc53f26d..2d6fe35
On Tue, Dec 20, 2016 at 07:14:34PM +0800, Xin Long wrote:
> Now when adding an ipt_CLUSTERIP rule, it only checks for a duplicate config in
> clusterip_config_find_get(). But after that, there may still be another
> thread inserting a config with the same ip, then it leaves proc_create_data
> to do
es
tests: py: any: Make tests more generic by using other interfaces
tests: py: any: Remove duplicate tests
Nicholas Vinson (1):
nft: configure.ac: Replace magic dblatex dep.
Pablo Neira (2):
src: expose delinearize/linearize structures and stmt_error()
src: trigger la
On Thu, Dec 15, 2016 at 12:31:40PM +0800, Xin Long wrote:
> @@ -185,6 +186,17 @@ clusterip_config_init(const struct
> ipt_clusterip_tgt_info *i, __be32 ip,
> atomic_set(>refcount, 1);
> atomic_set(>entries, 1);
>
> + spin_lock_bh(>lock);
> + if (__clusterip_config_find(net,
ection 6 of 3GPP TS 29.060 v13.5.0
Release 13, available from
http://www.etsi.org/deliver/etsi_ts/129000_129099/129060/13.05.00_60/ts_129060v130500p.pdf
Signed-off-by: Harald Welte <lafo...@gnumonks.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
drivers/net/gtp.c | 4 ++
Hi David,
The following patchset contains two GTP tunneling fixes for your net
tree, they are:
1) Offset to IPv4 header in gtp_check_src_ms_ipv4() is incorrect, so
this function always succeeds, which defeats this sanity
check. This allows packets that have no PDP to go
to this function is successful.
Signed-off-by: Lionel Gauthier <lionel.gauth...@eurecom.fr>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
drivers/net/gtp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
inde
teful
objects")
Suggested-by: Eric Dumazet <eric.duma...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
v2: adjust stats on reset on the current cpu, turn 64bit counters into signed.
@David: Please, take this into net-next to help speed up thing, t
On Sat, Dec 10, 2016 at 07:40:08AM -0800, Eric Dumazet wrote:
> On Sat, 2016-12-10 at 15:25 +0100, Pablo Neira Ayuso wrote:
> > On Sat, Dec 10, 2016 at 03:16:55PM +0100, Pablo Neira Ayuso wrote:
> =
> >
> > - nft_counter_fetch(priv, , reset);
> >
On Sat, Dec 10, 2016 at 03:16:55PM +0100, Pablo Neira Ayuso wrote:
> On Sat, Dec 10, 2016 at 03:05:41PM +0100, Pablo Neira Ayuso wrote:
> [...]
> > -static void nft_counter_reset(struct nft_counter_percpu __percpu *counter,
> > - struct
On Sat, Dec 10, 2016 at 03:05:41PM +0100, Pablo Neira Ayuso wrote:
[...]
> -static void nft_counter_reset(struct nft_counter_percpu __percpu *counter,
> - struct nft_counter *total)
> -{
> - struct nft_counter_percpu *cpu_stats;
> - u64
on original sketch from Eric Dumazet.
Suggested-by: Eric Dumazet <eric.duma...@gmail.com>
Fixes: 43da04a593d8 ("netfilter: nf_tables: atomic dump and reset for stateful objects")
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilt
Hi Arnd,
On Sat, Dec 10, 2016 at 11:36:34AM +0100, Arnd Bergmann wrote:
> A change to the netfilter code in net-next introduced the first caller of
> cmpxchg64 that can get built on ARMv7-M, leading to an error from the
> assembler that points out the lack of 64-bit atomics on this architecture:
On Fri, Dec 09, 2016 at 07:22:06AM -0800, Eric Dumazet wrote:
> On Fri, 2016-12-09 at 06:24 -0800, Eric Dumazet wrote:
>
> > It looks that you want a seqcount, even on 64bit arches,
> > so that CPU 2 can restart its loop, and more importantly you need
> > to not accumulate the values you read,
Hi Paul,
On Thu, Dec 08, 2016 at 07:40:14PM -0500, Paul Gortmaker wrote:
> On Wed, Dec 7, 2016 at 4:52 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > This patch adds a new NFT_MSG_GETOBJ_RESET command to perform an atomic
> > dump-and-reset of the stateful object. Thi
uot;)
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nft_fib_ipv4.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c
b
From: Arturo Borrero Gonzalez <art...@debian.org>
The email address has changed, let's update the copyright statements.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nft_masq_ipv4.c
uiltin| 408048 || 2241312
UDPLITE builtin | -|| 2577256
Signed-off-by: Davide Caratti <dcara...@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_nat_l4proto.h | 3 +++
net/netfilter/Kconfig | 2
and quotas.
This patch provides a native infrastructure for nf_tables to replace
nfacct, the extended accounting infrastructure for iptables.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h| 79 +
include/uapi/linux/netfilter/nf_tables.h
etfilter: x_tables: avoid warn and OOM killer on vmalloc call
Pablo Neira Ayuso (17):
Merge tag 'ipvs-for-v4.10' of https://git.kernel.org/.../horms/ipvs-next
netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader
fields
netfilter: nf_tables: add stateful objects
From: Liping Zhang <zlpnob...@gmail.com>
Actually ntohl and htonl are identical, so this doesn't affect
anything, but it is conceptually wrong.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso &l
hal <f...@strlen.de>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/x_tables.h | 6 +-
net/ipv4/netfilter/arp_tables.c| 4 ++--
net/ipv4/netfilter/ip_tables.c | 4 ++--
net/ipv6/netfi
uiltin| 428344 || 2241312
SCTP builtin | -|| 2597032
Signed-off-by: Davide Caratti <dcara...@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_nat_l4proto.h | 3 +++
net/netfilter/Kconfig | 2 +-
net/
it's just important that it's less than 0,
so return -1.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter_ingress.h | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/linux/n
From: Florian Westphal <f...@strlen.de>
... so we can use current skb instead of working with a clone.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_dup_netdev.h | 1 +
net/netfilt
se directly when the first port is unmatched.
Fixes: dd2602d00f80 ("netfilter: xt_multiport: Use switch case instead of multiple condition checks")
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_multiport.c |
Notify on depleted quota objects. The NFT_QUOTA_F_DEPLETED flag
indicates we have reached overquota.
Add pointer to table from nft_object, so we can use it when sending the
depletion notification to userspace.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/net
hal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/ipt_MASQUERADE.c | 8 +++-
net/netfilter/xt_NETMAP.c | 11 +--
net/netfilter/xt_REDIRECT.c | 12 ++--
net/netfilter/xt_nat.c | 18 +
From: Florian Westphal <f...@strlen.de>
Keeps some noise away from a followup patch.
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/n
ly enable connection tracking in those that need conntrack.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 4
net/ipv4/netfilter/ipt_CLUSTERIP.c | 4 ++--
net/ipv4/netfilter/i
From: Liping Zhang <zlpnob...@gmail.com>
Otherwise, DHCP Discover packets (0.0.0.0->255.255.255.255) may be
dropped incorrectly.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netf
calls to the percpu
allocator.
As Eric points out we can't use PAGE_SIZE, page_allocator would fail on
arches with 64k page size.
Suggested-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-b
dition, #include line has
been added to resolve the CTINFO2DIR macro correctly.
Signed-off-by: Davide Caratti <dcara...@redhat.com>
Acked-by: Mikko Rapeli <mikko.rap...@iki.fi>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
uiltin| 409800 || 2241312
DCCP builtin | -|| 2578968
Signed-off-by: Davide Caratti <dcara...@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_nat_l4proto.h | 3 +++
net/netfilter/Kconfig | 2 +-
net/
From: Florian Westphal <f...@strlen.de>
so that conntrack core will add the needed hooks in this namespace.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nft_masq_ipv4.c | 7 +++
This new expression allows us to refer to existing stateful objects from
rules.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 14
net/netfilter/Kconfig| 6 ++
net/netfilter/Makefile | 1
ode computes the CRC, to prevent offloaders from computing
it again (on ixgbe this resulted in a transmission with wrong L4 checksum).
Signed-off-by: Davide Caratti <dcara...@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_nat_proto_sctp.c | 5
From: Aaron Conole <acon...@bytheb.org>
This is to facilitate converting from a singly-linked list to an array
of elements.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/bridge/br_netfilter_hooks.c | 8 -
and named maps.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 6 ++
net/netfilter/nf_tables_api.c| 4 ++
net/netfilter/nft_objref.c | 116 ++-
3 files changed, 125 insertions(+), 1 de
arbitrary key combination.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h| 9
include/uapi/linux/netfilter/nf_tables.h | 8
net/netfilter/nf_tables_api.c| 72 +++-
3 files changed, 79 inse
This patch adds the netlink code to filter out dump of stateful objects,
through the NFTA_OBJ_TYPE netlink attribute.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 50 +++
1 file changed, 50 insertions(+)
Register a new quota stateful object type into the new stateful object
infrastructure.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 1 +
net/netfilter/nft_quota.c| 96 +++-
2 files chang
ft_payload.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2008-2009 Patrick McHardy <ka...@trash.net>
+ * Copyright (c) 2016 Pablo Neira Ayuso <pa...@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public Licen
d save.
Signed-off-by: Willem de Bruijn <will...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/xt_bpf.h | 21
net/netfilter/xt_bpf.c| 96 +--
2 files changed, 101 insertions(+), 16
This patch adds a new NFT_MSG_GETOBJ_RESET command to perform an atomic
dump-and-reset of the stateful object. This also adds support
for atomic dump and reset of counter and quota objects.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_ta
Context is not modified by nft_trans_alloc(), so constify it.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
oogle.com>
Cc: Florian Westphal <f...@strlen.de>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/x_tables.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/
Allow restoring consumed quota; this is useful to restore the quota
state across reboots.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_quota.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_quota.c
This new function allows us to deactivate one single element; this is
required by the set flush command that comes in a follow up patch.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_set_hash.c | 24 +---
net/netfilter/nft_set_rbtree.
lement walk path, given we can
skip the lookup that happens in ->deactivate().
2) Add a new nft_trans_alloc_gfp() function since we need to allocate
transactions using GFP_ATOMIC given the set walk path happens with
held rcu_read_lock.
Signed-off-by: Pablo Neira Ayuso <pa...@n
latter approach, i.e. a put() without a get has no effect.
Conntrack is still enabled automatically regardless of the new sysctl
setting if the new net namespace requires connection tracking, e.g. when
NAT rules are created.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo
, instead
of the bytes that remain to be consumed.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_quota.c| 21 -
2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/includ
hal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_l3proto.h | 4 ++
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 55 --
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 54 +++---
From: Aaron Conole <acon...@bytheb.org>
This allows easier future refactoring.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter.h | 27 +++
net/bridge/br_netf
Register a new percpu counter stateful object type into the stateful
object infrastructure.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 1 +
net/netfilter/nft_counter.c | 140 +--
2 files c
Introduce nf_tables_obj_notify() to notify internal state changes in
stateful objects. This is used by the quota object to report depletion
in a follow up patch.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 4
net/netfilter/nf_tables
reason is that defrag has impact on nft and iptables rulesets
(without defrag we might see fragments).
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/ipv4/nf_defrag_ipv4.h| 3 +-
include/net/netfilter/ipv6/nf_def
<dcara...@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 3 +
include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 3 +
include/net/netns/conntrack.h | 13 +
net/ipv4/netfilter/nf_conntrack_l3proto_
ry struct is now 32 bytes on x86_64.
A followup patch will turn the run-time list into an array that only
stores hook functions plus their priv arguments, eliminating the ->next
element.
Suggested-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Aaron Conole <acon...@bytheb.org>
Si
From: Dwip Banerjee
We decrement the IP ttl in all the modes in order to prevent infinite
route loops. The changes were done based on Julian Anastasov's
suggestions in a prior thread.
The ttl based check/discard and the actual decrement are done in
__ip_vs_get_out_rt()
From: Liping Zhang <zlpnob...@gmail.com>
So we can autoload nfnetlink_log.ko when the user adds an nft log
group X rule in the netdev family.
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_l
wup patch to add conditional register
of the hooks.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_l3proto.h | 3 ---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 --
net/ne
From: Gao Feng
This minor refactoring does not change the logic of function
ip_vs_genl_dump_dests.
Signed-off-by: Gao Feng
Acked-by: Julian Anastasov
Signed-off-by: Simon Horman
---
net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
1
ra parameter into nf_log_l2packet to solve this issue.
Fixes: 1fddf4bad0ac ("netfilter: nf_log: add packet logging for netdev family")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_log.h
<dcara...@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/nf_conntrack_dccp.h| 2 +-
include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 3 +
include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 3 +
include/net/netns/conntrack.h
aratti <dcara...@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 3 +
include/net/netfilter/ipv6/nf_conntrack_ipv6.h | 3 +
include/net/netns/conntrack.h | 16 ++
net/ipv4/netfilter/nf_conntrack_l
On Tue, Dec 06, 2016 at 04:25:02PM -0500, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> Add support for attaching an eBPF object by file descriptor.
>
> The iptables binary can be called with a path to an elf object or a
> pinned bpf object. Also pass the mode and
On Fri, Dec 02, 2016 at 07:46:38AM -0200, Marcelo Ricardo Leitner wrote:
> Andrey Konovalov reported that this vmalloc call is based on an
> userspace request and that it's spewing traces, which may flood the logs
> and cause DoS if abused.
>
> Florian Westphal also mentioned that this call
On Mon, Dec 05, 2016 at 06:06:05PM -0500, Willem de Bruijn wrote:
[...]
> Eric also suggests a private variable to avoid being subject to
> changes to PATH_MAX. Then we can indeed also choose an arbitrary lower
> length than current PATH_MAX.
Good.
> FWIW, there is a workaround for users with
On Mon, Dec 05, 2016 at 02:59:09PM -0800, Eric Dumazet wrote:
> On Mon, 2016-12-05 at 23:40 +0100, Florian Westphal wrote:
>
> > Fair enough, I have no objections to the patch.
>
> An additional question is about PATH_MAX :
>
> Is it guaranteed to stay at 4096 forever ?
>
> To be safe, maybe
On Mon, Dec 05, 2016 at 11:34:15PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote:
> > Eric Dumazet <eric.duma...@gmail.com> wrote:
> > > On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote:
> &
On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote:
> Eric Dumazet wrote:
> > On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote:
> > > From: Willem de Bruijn
> > >
> > > Add support for attaching an eBPF object by file
On Tue, Nov 15, 2016 at 10:01:41AM +0100, Simon Horman wrote:
> Hi Pablo,
>
> please consider these enhancements to the IPVS for v4.10.
>
> * Decrement the IP ttl in all the modes in order to prevent infinite
> route loops. Thanks to Dwip Banerjee.
> * Use IS_ERR_OR_NULL macro. Clean-up from
Hi David,
This is a large batch of Netfilter fixes for net, they are:
1) Three patches to fix NAT conversion to rhashtable: Switch to rhlist
structure that allows several objects with the same key.
Moreover, fix wrong comparison logic in nf_nat_bysource_cmp() as this is
operations")
Reported-by: Dmitry Vyukov <dvyu...@google.com>
Debugged-by: Andrey Konovalov <andreyk...@google.com>
Diagnosed-by: Eric Dumazet
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Eric Dumazet <eduma...@google.com>
Signed-off-by: Pablo Neira Ayuso <p
-by: Hongxu Jia <hongxu@windriver.com>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/i
()-inited area.
Fixes: 7c9664351980aaa6a ("netfilter: move nat hlist_head to nf_conn")
Reported-by: Stas Nichiporovich <stas...@gmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfil
es: cb1b69b0b15b ("netfilter: nf_tables: add hash expression")
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_hash.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ne
From: Florian Westphal <f...@strlen.de>
Since kernel 4.7 this defaults to off.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
Documentation/networking/nf_conntrack-sysctl.txt | 7 +--
1 file changed, 5 insertio
From: Liping Zhang <zlpnob...@gmail.com>
Otherwise, kernel panic will happen if the user does not specify
the related attributes.
Fixes: 0f3cd9b36977 ("netfilter: nf_tables: add range expression")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by:
sets.
Fixes: a8b1e36d0d1d ("netfilter: nft_dynset: fix element timeout for HZ != 1000")
Reported-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Anders K. Pedersen <a...@cohaesio.com>
Acked-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa.
to get hashed to
same bucket).
The second case results in unneeded port conflict resolutions attempts.
Fixes: 870190a9ec907 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilte
rently attached to the skb.
Signed-off-by: David Ahern <d...@cumulusnetworks.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv6/netfilter/nf_reject_ipv6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c
b/net/ipv6/netfilte
;
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c3776ff6749f..b3cc1335adbc 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -2
netfilter: nat: convert nat bysrc hash to rhashtable")
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 2 +-
net/netfilter/nf_nat_core.c | 40 +--
On Mon, Nov 28, 2016 at 01:12:07PM +0200, Denys Fedoryshchenko wrote:
> On 2016-11-28 13:06, Pablo Neira Ayuso wrote:
> > Why does your patch revert NF_NAT_RANGE_PROTO_RANDOM_FULLY?
>
> Oops, sorry, I just made a mistake with the files, actually it is in reverse (did
> this patch, and
On Mon, Nov 28, 2016 at 12:45:59PM +0200, Denys Fedoryshchenko wrote:
> Hello,
>
> I noticed that if I specify -j SNAT with options --random --random-fully
> it still keeps persistence for the source IP.
So you specify both?
> Actually a truly random src ip is required in some scenarios like links