On Fri, Nov 18, 2016 at 09:17:18AM -0800, Alexei Starovoitov wrote:
> On Fri, Nov 18, 2016 at 01:37:32PM +0100, Pablo Neira Ayuso wrote:
> > On Thu, Nov 17, 2016 at 07:27:08PM +0100, Daniel Mack wrote:
> > [...]
> > > @@ -312,6 +314,12 @@ int ip_mc_output(struct n
On Thu, Nov 17, 2016 at 07:27:08PM +0100, Daniel Mack wrote:
[...]
> @@ -312,6 +314,12 @@ int ip_mc_output(struct net *net, struct sock *sk,
> struct sk_buff *skb)
> skb->dev = dev;
> skb->protocol = htons(ETH_P_IP);
>
> + ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
> +
Hi Daniel,
On Mon, Nov 14, 2016 at 11:10:04AM +0100, Daniel Mack wrote:
[...]
> On 11/14/2016 10:12 AM, Pablo Neira Ayuso wrote:
> > Add cgroup version 2 support to nf_tables.
> >
> > This extension allows us to fetch the cgroup i-node number from the
> >
Honor udptable parameter that is passed to __udp*_lib_mcast_deliver(),
otherwise udplite broadcast/multicast use the wrong table and it breaks.
Fixes: 2dc41cff7545 ("udp: Use hash2 for long hash1 chains in
__udp*_lib_mcast_deliver.")
Signed-off-by: Pablo Neira Ayuso <pa...@
uld evaluate A's ruleset. Note that cgroup A would
also jump to the root cgroup chain policy.
Anyway, this cgroup i-node approach provides way more flexibility since
it is up to the sysadmin to decide if he wants to honor the hierarchy or
simply define a fast path to skip any further classificatio
tering/unregistering multiple protocols.
Signed-off-by: Davide Caratti <dcara...@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_l4proto.h | 18 --
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 76 +++
Don't copy relevant fields from hook state structure, instead use the
one that is already available in struct xt_action_param.
This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
i
We cannot block/sleep on nf_iterate because netfilter runs under rcu
read lock these days, where blocking is well-known to be illegal. So
let's remove these old comments.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/core.c | 7 ---
1 file changed, 7 del
From: Jozsef Kadlecsik
Use setup_timer() instead of init_timer(), as it is the preferred way
of setting up a timer.
Also, quoting the mod_timer() function comment:
-> mod_timer() is a more efficient way to update the expire field of an
active timer (if the timer is
From: Jozsef Kadlecsik
Group counter helper functions together.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
he hook
state structure is not required anymore. And we can get rid of
skip-hook-under-thresh loop in nf_iterate() in the core path that is
only used by br_netfilter to search for the filter hook.
Suggested-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfi
From: Jozsef Kadlecsik
Hash types already have their memsize calculation code in separate
functions. Clean up and do the same for *bitmap* and *list* sets.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
ulia.law...@lip6.fr>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 20 ++--
net/ipv4/netfilter/ip_tables.c | 20 ++--
net/ipv6/netfilter/ip6_tables.c | 20 ++--
net/netfilter/x_tables.c
mplify IS_ERR_OR_NULL to NULL test
Liping Zhang (1):
netfilter: nf_tables: simplify the basic expressions' init routine
Pablo Neira Ayuso (11):
netfilter: get rid of useless debugging from core
netfilter: remove comments that predate rcu days
netfilter: kill NF_HOOK_THRESH() and state-
nf_queue code to get rid of it definitely, but
given this is slow path anyway, let's have a look this later.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/core.c | 73 +---
net/netfilter/nf_internals.h | 5 --
-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter.h | 10 --
include/linux/netfilter_ingress.h | 4 ++--
include/net/netfilter/nf_queue.h | 1 +
net/bridge/br_netfilter_hooks.c | 4 ++--
net/bridge/netfilter/ebtable_broute.c | 2 +
From: Jozsef Kadlecsik
Data for hashing is required to be an array of u32. Make sure that
element data is always a multiple of u32.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
---
From: Jozsef Kadlecsik
The set full case (with net_ratelimit()-ed pr_warn()) is already
handled, simply jump there.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 8 +---
1 file changed, 1 insertion(+), 7
From: Jozsef Kadlecsik
Non-static (i.e. comment) extension was not counted into the memory
size. A new internal counter is introduced for this. In the case of
the hash types the sizes of the arrays are counted there as well so
that we can avoid scanning the whole set
From: Jozsef Kadlecsik
Cleanup: group ip_set_put_extensions and ip_set_get_extensions
together and add missing extern.
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h | 6 ++
1 file changed, 2 insertions(+), 4
From: Florian Westphal <f...@strlen.de>
since 23014011ba420 ('netfilter: conntrack: support a fixed size of 128
distinct labels')
this isn't needed anymore.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net
From: Jozsef Kadlecsik
Mark some of the helpers' arguments as const.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
we also provide the functions when
CONFIG_NF_SOCKET_IPV4 or CONFIG_NF_SOCKET_IPV6, respectively
are set.
Fixes: 8db4c5be88f6 ("netfilter: move socket lookup infrastructure to
nf_socket_ipv{4,6}.c")
Signed-off-by: Arnd Bergmann <a...@arndb.de>
Signed-off-by: Pablo Neira Ayuso <pa...
From: Jozsef Kadlecsik
Before this patch struct htype was created at the first source
of ip_set_hash_gen.h and it is common for both IPv4 and IPv6
set variants.
Make struct htype per ipset family and use NLEN to make
nets array fixed size to simplify struct htype
From: Jozsef Kadlecsik
Exit as easily as possible on error and use RCU_INIT_POINTER()
as set is not seen at creation time.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 63 ---
1
From: Tomasz Chilinski
Introduce the hash:ipmac type.
Signed-off-by: Tomasz Chiliński
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/Kconfig | 9 +
net/netfilter/ipset/Makefile
Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables_core.h | 33 --
net/netfilter/nf_tables_core.c | 80 +++---
net/netfilter/nft_bitwise.c| 13 +-
net/netfilt
From: Jozsef Kadlecsik
Cleanup to separate all extensions into individual files.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
From: Jozsef Kadlecsik
Remove one level of indentation by using continue while
iterating over elements in bucket.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
---
From: Jozsef Kadlecsik
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h
and the only place where NLEN needed to be calculated at runtime
is *_create() method.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by:
Place pointer to hook state in xt_action_param structure instead of
copying the fields that we need. After this change xt_action_param fits
into one cacheline.
This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: Pablo Neira Ayuso <
From: Jozsef Kadlecsik
Remove unnecessary whitespaces.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
lso moved the comment that explains this
where it belongs. --pablo ]
Fixes: 08733a0cb7de ("netfilter: handle NF_REPEAT from nf_conntrack_in()")
Signed-off-by: Arnd Bergmann <a...@arndb.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_co
From: Jozsef Kadlecsik
The calculation of the full allocated memory did not take
into account the size of the base hash bucket structure at some
places.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 16
header that is
exported to userspace. This field is then printed by the userspace
tool for hashes.
Signed-off-by: Eric B Munson <emun...@akamai.com>
Cc: Pablo Neira Ayuso <pa...@netfilter.org>
Cc: Josh Hunt <joh...@akamai.com>
Cc: netfilter-de...@vger.kernel.org
Signed-off-b
From: Jozsef Kadlecsik
It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.
Signed-off-by: Jozsef Kadlecsik
---
From: kbuild test robot
net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in
function 'hash_ipmac4_data_list' with return type bool
net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in
function 'hash_ipmac6_data_list' with
If the user doesn't specify a seed, generate one at configuration time.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_hash.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
NF_REPEAT is only needed from nf_conntrack_in() under a very specific
case required by the TCP protocol tracker, we can handle this case
without returning to the core hook path. Handling of NF_REPEAT from the
nf_reinject() is left untouched.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.
From: Jozsef Kadlecsik
Remove redundant parameters nets_length and dsize, because
they can be obtained from other parameters.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
---
From: Jozsef Kadlecsik
Use struct ip_set_skbinfo in struct ip_set_ext instead of open
coded fields and assign structure members in get/init helpers
instead of copying members one by one. Explicitly note that
struct ip_set_skbinfo must be padded to prevent non-aligned
From: Jozsef Kadlecsik
Allocate memory with kmalloc() rather than kzalloc(): the string
is immediately initialized so it is unnecessary to zero out
the allocated memory area.
Ported from a patch proposed by Sergey Popovich.
Suggested-by:
eue userspace
applications still work if they use NF_STOP for some exotic reason.
Out of tree modules using NF_STOP would break, but we don't care about
those.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter.h | 2 +-
net/bridge/br_netfilter_ho
Use switch() for verdict handling and add explicit handling for
NF_STOLEN and other non-conventional verdicts.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/core.c | 18 ++
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/net/net
This patch removes compile time code to catch unconventional verdicts.
We have better ways to handle this case these days, e.g. pr_debug(), but
even then I don't think this is useful at all, so let's remove this.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/core
On Fri, Nov 11, 2016 at 01:32:38PM +0100, Julia Lawall wrote:
> Since commit 7926dbfa4bc1 ("netfilter: don't use
> mutex_lock_interruptible()"), the function xt_find_table_lock can only
> return NULL on an error. Simplify the call sites and update the
> comment before the function.
Applied,
Hi David,
On Thu, Nov 10, 2016 at 10:56:33AM +1100, Stephen Rothwell wrote:
> Hi all,
>
> Today's linux-next merge of the net-next tree got a conflict in:
>
> net/netfilter/ipvs/ip_vs_ctl.c
>
> between commit:
>
> 8fbfef7f505b ("ipvs: use IPVS_CMD_ATTR_MAX for family.maxattr")
>
> from
ed, we reuse the existing element. Otherwise,
these *racing* packets will not be handled properly.
Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set
updates")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilte
exhausted.
Fixes: 086f332167d6 ("netfilter: nf_tables: add clone interface to expression
operations")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h | 6 --
net/netfilter/nf_tables_a
d. So just keep
it simple, in such case, report -EOPNOTSUPP to the user space.
Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set
updates")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ne
o Angaroni <marcoangar...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_sip.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 621b81c7b
NVALID and UNTRACKED apart.
Check skb->nfct for untracked dummy and behave as if skb->nfct is NULL.
Reported-by: XU Tianwen <evan.xu.tian...@gmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/
Hi David,
The following patchset contains a larger than usual batch of Netfilter
fixes for your net tree. This series contains a mixture of old bugs and
recently introduced bugs, they are:
1) Fix a crash when using nft_dynset with nft_set_rbtree, which doesn't
support the set element updates
: conntrack: support a fixed size of 128
distinct labels")
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_labels.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff -
From: WANG Cong <xiyou.wangc...@gmail.com>
family.maxattr is the max index for policy[], the size of
ops[] is determined with ARRAY_SIZE().
Reported-by: Andrey Konovalov <andreyk...@google.com>
Tested-by: Andrey Konovalov <andreyk...@google.com>
Cc: Pablo Neira Ayuso <pa...@
uot;)
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 365d3
ted to address the issue, but
did not address the return type of nft_parse_u32_check.
Signed-off-by: John W. Linville <linvi...@tuxdriver.com>
Cc: Laura Garcia Liebana <nev...@gmail.com>
Cc: Pablo Neira Ayuso <pa...@netfilter.org>
Cc: Dan Carpenter <dan.carpen...@oracle.com>
/0x5a7 [nfnetlink]
Because we forgot to fill the net pointer in bind_ctx, dereferencing
it may cause a kernel crash.
Reported-by: Dalegaard <dalega...@gmail.com>
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/
minutes
in worst case (entry expires right after it was deemed 'not expired').
Reported-by: Nicolas Dichtel <nicolas.dich...@6wind.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Nicolas Dichtel <nicolas.dich...@6wind.com>
Signed-off-by: Pablo Neira
ail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nft_dup_ipv4.c | 6 --
net/ipv6/netfilter/nft_dup_ipv6.c | 6 --
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/netfilter/nft_dup_ipv4.c
b/net/ipv4/netfilter/nft_d
t code or the warning, but
it deals with the same data, so I kept the two changes together.
Signed-off-by: Arnd Bergmann <a...@arndb.de>
Acked-by: Julian Anastasov <j...@ssi.bg>
Signed-off-by: Simon Horman <ho...@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.o
SPEC, but the CT target
passes NFPROTO_IPV4/IPV6 to nf_conntrack_helper_try_module_get.
We should treat UNSPEC as wildcard and ignore the l3num instead.
Reported-by: Thomas Woerner <twoer...@redhat.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neir
On Tue, Nov 08, 2016 at 02:28:19PM +0100, Arnd Bergmann wrote:
> gcc correctly identified a theoretical uninitialized variable use:
>
> net/netfilter/nf_conntrack_core.c: In function 'nf_conntrack_in':
> net/netfilter/nf_conntrack_core.c:1125:14: error: 'l4proto' may be used
> uninitialized in
On Tue, Nov 08, 2016 at 02:28:18PM +0100, Arnd Bergmann wrote:
> Since commit ca065d0cf80f ("udp: no longer use SLAB_DESTROY_BY_RCU")
> the udp6_lib_lookup and udp4_lib_lookup functions are only
> provided when it is actually possible to call them.
>
> However, moving the callers now caused a
On Mon, Nov 07, 2016 at 08:41:14AM -0700, Shuah Khan wrote:
> Fix the following warn:
>
>CC [M] net/netfilter/nft_range.o
> 8601,8605c9105
> net/netfilter/nft_range.c: In function ‘nft_range_eval’:
> net/netfilter/nft_range.c:45:5: warning: ‘mismatch’ may be used
> uninitialized in this
alov <andreyk...@google.com>
> > Tested-by: Andrey Konovalov <andreyk...@google.com>
> > Cc: Pablo Neira Ayuso <pa...@netfilter.org>
> > Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
>
>
> Signed-off-by: Simon Horman <ho...@verge.net.au>
>
> Pablo, can you take this one into nf?
Applied, thanks!
osted to address compilation warnings. --pablo ]
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nft_fib.h | 31
include/uapi/linux/netfilter/nf_tables.h | 36
net/ipv4/netfilter/Kconfi
From: Calvin Owens <calvinow...@fb.com>
Since the code explicitly falls back to a smaller allocation when the
large one fails, we shouldn't complain when that happens.
Signed-off-by: Calvin Owens <calvinow...@fb.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
From: Florian Westphal <f...@strlen.de>
Currently not supported, we'd oops as skb was (or is) freed elsewhere.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_core.c | 1 +
1 file changed, 1
From: Liping Zhang <liping.zh...@spreadtrum.com>
After supporting this, we can combine it with hash expression to emulate
the 'cluster match'.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pab
condition
checks
Liping Zhang (3):
netfilter: nft_numgen: start round robin from zero
netfilter: nft_meta: permit pkttype mangling in ip/ip6 prerouting
netfilter: nf_tables: remove useless U8_MAX validation
Pablo Neira Ayuso (3):
netfilter: nft_ct: add notrack support
placing this new notrack expression into nft_ct.c, I think a single
module is too much.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_ct.c | 50 +-
1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/net/net
From: Gao Feng <f...@ikuai8.com>
There are multiple equality condition checks in the original codes, so it
is better to use switch case instead of them.
Signed-off-by: Gao Feng <f...@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/x
From: Liping Zhang <liping.zh...@spreadtrum.com>
Currently we start round robin from 1, but it's better to start round
robin from 0. This is to keep consistent with xt_statistic in iptables.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Nei
Move layer 2 packet logging into nf_log_l2packet() that resides in
nf_log_common.c, so this can be shared by both bridge and netdev
families.
This patch adds the boilerplate code to register the netdev logging
family.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
inclu
U8_MAX, although this will not happen, but it's
a logical mistake.
Now remove these redundant validations introduced by commit 36b701fae12a
("netfilter: nf_tables: validate maximum value of u32 netlink attributes")
Signed-off-by: Liping Zhang <zlpnob...@gmail.com>
Signed-off-by:
emented identical to "meta rtclassid", since it
is more logical to have this match in the routing expression going forward.
Signed-off-by: Anders K. Pedersen <a...@cohaesio.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter
hal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_queue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index af832c526048..5379f788a372 100644
-
We need this split to reuse existing codebase for the upcoming nf_tables
socket expression.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_socket.h | 27
net/ipv4/netfilter/Kconfig | 6 +
net/ipv4/netfilter/Makefile | 2
On Sat, Oct 29, 2016 at 01:26:12AM +0200, Florian Westphal wrote:
> Arnd Bergmann wrote:
> > The newly added nft fib code produces two warnings:
> >
> > net/ipv4/netfilter/nft_fib_ipv4.c: In function 'nft_fib4_eval':
> > net/ipv4/netfilter/nft_fib_ipv4.c:80:6: error: unused
On Fri, Oct 28, 2016 at 01:40:23PM +0200, Simon Horman wrote:
> On Fri, Oct 28, 2016 at 11:34:22AM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Oct 24, 2016 at 10:47:54PM +0300, Julian Anastasov wrote:
> > >
> > > Hello,
> > >
> >
On Thu, Oct 27, 2016 at 10:40:14AM +0200, Daniel Mack wrote:
> On 10/26/2016 09:59 PM, Pablo Neira Ayuso wrote:
> > On Tue, Oct 25, 2016 at 12:14:08PM +0200, Daniel Mack wrote:
> > [...]
> >> Dumping programs once they are installed is problematic because of
> >
Hi Alexei,
On Wed, Oct 26, 2016 at 08:35:04PM -0700, Alexei Starovoitov wrote:
> On Wed, Oct 26, 2016 at 09:59:33PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 25, 2016 at 12:14:08PM +0200, Daniel Mack wrote:
> > [...]
> > > Dumping programs once they are installe
On Mon, Oct 24, 2016 at 10:47:54PM +0300, Julian Anastasov wrote:
>
> Hello,
>
> On Mon, 24 Oct 2016, Arnd Bergmann wrote:
>
> > Building the ip_vs_sync code with CONFIG_OPTIMIZE_INLINING on x86
> > confuses the compiler to the point where it produces a rather
> > dubious warning message:
On Tue, Oct 25, 2016 at 03:56:39PM -0400, John W. Linville wrote:
> Commit 36b701fae12ac ("netfilter: nf_tables: validate maximum value of
> u32 netlink attributes") introduced nft_parse_u32_check with a return
> value of "unsigned int", yet on error it returns "-ERANGE".
>
> This patch corrects
On Tue, Oct 25, 2016 at 12:14:08PM +0200, Daniel Mack wrote:
[...]
> Dumping programs once they are installed is problematic because of
> the internal optimizations done to the eBPF program during its
> lifetime. Also, the references to maps etc. would need to be
> restored during the
On Fri, Oct 07, 2016 at 02:02:16PM -0700, Calvin Owens wrote:
> Since the code explicitly falls back to a smaller allocation when the
> large one fails, we shouldn't complain when that happens.
Applied, thanks.
From: Dan Carpenter <dan.carpen...@oracle.com>
"err" needs to be signed for the error handling to work.
Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32
netlink attributes')
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
Signed-off-by:
Use nft_parse_u32_check() to make sure we don't get a value over the
unsigned 8-bit integer. Moreover, make sure this value doesn't go over
the two supported range comparison modes.
Fixes: 9286c2eb1fda ("netfilter: nft_range: validate operation netlink
attribute")
Signed-off-by: P
...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
Documentation/networking/nf_conntrack-sysctl.txt | 18 --
1 file changed, 18 deletions(-)
diff --git a/Documentation/networking/nf_conntrack-sysctl.txt
b/Documentation/networking/nf_connt
bogus 'default' clause as in my
first approach, and is nicer than using the 'uninitialized_var'
macro.
Fixes: 0f3cd9b36977 ("netfilter: nf_tables: add range expression")
Link: http://patchwork.ozlabs.org/patch/677114/
Signed-off-by: Arnd Bergmann <a...@arndb.de>
Signed-off-by:
st")
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/core.c | 13 +++-
net/netfilter/nf_internals.h | 2 +-
net/netfilter/nf_queue.c | 48 +---
3 files changed, 36 insertions(+), 27 deletions(-)
diff --
From: Liping Zhang <liping.zh...@spreadtrum.com>
Missing the nla_policy description will also miss the validation check
in the kernel.
Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add hash offset value")
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by:
@lucidpixels.com>
Reported-by: Chris Caputo <ccap...@alt.net>
Tested-by: Chris Caputo <ccap...@alt.net>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_NFLOG.c | 1 +
1 file changed, 1 in
nstant is too large
for ‘long’ type
Fixes: 11d5f15723c9f39d ("netfilter: xt_hashlimit: Create revision 2 to support
higher pps rates")
Signed-off-by: Geert Uytterhoeven <ge...@linux-m68k.org>
Acked-by: Vishwanath Pai <v...@akamai.com>
Signed-off-by: Pablo Neira Ayuso <pa...@ne
urrent nf and
nf-next trees.
Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set
updates")
Signed-off-by: Anders K. Pedersen <a...@cohaesio.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_dynset.c | 6 --
1 file changed,
al <f...@strlen.de>
Acked-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/x_tables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index e0aa7c1
strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index ba6a1d421222..df2f5a3901df 100644
--- a/net
;
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/xt_ipcomp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/xt_ipcomp.c b/net/netfilter/xt_ipcomp.c
index 89d53104c6b3..000e70377f85 100644
--- a/net/netfilter/xt_ipcomp.c
+++ b/net/netfilter/xt_ipcom
From: Dan Carpenter <dan.carpen...@oracle.com>
We don't want to allow negatives here.
Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32
netlink attributes')
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pa..