Re: [PATCH v8 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-11-18 Thread Pablo Neira Ayuso
On Fri, Nov 18, 2016 at 09:17:18AM -0800, Alexei Starovoitov wrote: > On Fri, Nov 18, 2016 at 01:37:32PM +0100, Pablo Neira Ayuso wrote: > > On Thu, Nov 17, 2016 at 07:27:08PM +0100, Daniel Mack wrote: > > [...] > > > @@ -312,6 +314,12 @@ int ip_mc_output(struct n

Re: [PATCH v8 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-11-18 Thread Pablo Neira Ayuso
On Thu, Nov 17, 2016 at 07:27:08PM +0100, Daniel Mack wrote: [...] > @@ -312,6 +314,12 @@ int ip_mc_output(struct net *net, struct sock *sk, > struct sk_buff *skb) > skb->dev = dev; > skb->protocol = htons(ETH_P_IP); > > + ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb); > +

Re: [PATCH nf-next,RFC] netfilter: nft_meta: add cgroup version 2 support

2016-11-17 Thread Pablo Neira Ayuso
Hi Daniel, On Mon, Nov 14, 2016 at 11:10:04AM +0100, Daniel Mack wrote: [...] > On 11/14/2016 10:12 AM, Pablo Neira Ayuso wrote: > > Add cgroup version 2 support to nf_tables. > > > > This extension allows us to fetch the cgroup i-node number from the > >

[PATCH net] udp: restore UDPlite many-cast delivery

2016-11-14 Thread Pablo Neira Ayuso
Honor udptable parameter that is passed to __udp*_lib_mcast_deliver(), otherwise udplite broadcast/multicast use the wrong table and it breaks. Fixes: 2dc41cff7545 ("udp: Use hash2 for long hash1 chains in __udp*_lib_mcast_deliver.") Signed-off-by: Pablo Neira Ayuso <pa...@

[PATCH nf-next,RFC] netfilter: nft_meta: add cgroup version 2 support

2016-11-14 Thread Pablo Neira Ayuso
uld evaluate A's ruleset. Note that cgroup A would also jump to the root cgroup chain policy. Anyway, this cgroup i-node approach provides way more flexibility since it is up to the sysadmin to decide if he wants to honor the hierarchy or simply define a fast path to skip any further classificatio

[PATCH 13/39] netfilter: conntrack: simplify init/uninit of L4 protocol trackers

2016-11-13 Thread Pablo Neira Ayuso
tering/unregistering multiple protocols. Signed-off-by: Davide Caratti <dcara...@redhat.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_l4proto.h | 18 -- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 76 +++

[PATCH 06/39] netfilter: nf_tables: use hook state from xt_action_param structure

2016-11-13 Thread Pablo Neira Ayuso
Don't copy relevant fields from hook state structure, instead use the one that is already available in struct xt_action_param. This patch also adds a set of new wrapper functions to fetch relevant hook state structure fields. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- i

[PATCH 02/39] netfilter: remove comments that predate rcu days

2016-11-13 Thread Pablo Neira Ayuso
We cannot block/sleep on nf_iterate because netfilter runs under rcu read lock these days, where blocking is well-known to be illegal. So let's remove these old comments. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/core.c | 7 --- 1 file changed, 7 del

[PATCH 36/39] netfilter: ipset: use setup_timer() and mod_timer().

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Use setup_timer() instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer is

[PATCH 18/39] netfilter: ipset: Headers file cleanup

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Group counter helper functions together. Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich Signed-off-by: Jozsef Kadlecsik ---

[PATCH 03/39] netfilter: kill NF_HOOK_THRESH() and state->tresh

2016-11-13 Thread Pablo Neira Ayuso
he hook state structure is not required anymore. And we can get rid of skip-hook-under-thresh loop in nf_iterate() in the core path that is only used by br_netfilter to search for the filter hook. Suggested-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfi

[PATCH 22/39] netfilter: ipset: Separate memsize calculation code into dedicated function

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Hash types already have their memsize calculation code in separate functions. Clean up and do the same for *bitmap* and *list* sets. Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich

[PATCH 39/39] netfilter: x_tables: simplify IS_ERR_OR_NULL to NULL test

2016-11-13 Thread Pablo Neira Ayuso
ulia.law...@lip6.fr> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 20 ++-- net/ipv4/netfilter/ip_tables.c | 20 ++-- net/ipv6/netfilter/ip6_tables.c | 20 ++-- net/netfilter/x_tables.c

[PATCH 00/39] Netfilter updates for net-next

2016-11-13 Thread Pablo Neira Ayuso
mplify IS_ERR_OR_NULL to NULL test Liping Zhang (1): netfilter: nf_tables: simplify the basic expressions' init routine Pablo Neira Ayuso (11): netfilter: get rid of useless debugging from core netfilter: remove comments that predate rcu days netfilter: kill NF_HOOK_THRESH() and state-

[PATCH 09/39] netfilter: merge nf_iterate() into nf_hook_slow()

2016-11-13 Thread Pablo Neira Ayuso
nf_queue code to get rid of it definitely, but given this is slow path anyway, let's have a look this later. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/core.c | 73 +--- net/netfilter/nf_internals.h | 5 --

[PATCH 08/39] netfilter: remove hook_entries field from nf_hook_state

2016-11-13 Thread Pablo Neira Ayuso
-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter.h | 10 -- include/linux/netfilter_ingress.h | 4 ++-- include/net/netfilter/nf_queue.h | 1 + net/bridge/br_netfilter_hooks.c | 4 ++-- net/bridge/netfilter/ebtable_broute.c | 2 +

[PATCH 30/39] netfilter: ipset: Make sure element data size is a multiple of u32

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Data for hashing is required to be an array of u32. Make sure that element data is always a multiple of u32. Ported from a patch proposed by Sergey Popovich . Signed-off-by: Jozsef Kadlecsik ---

[PATCH 33/39] netfilter: ipset: Collapse same condition body to a single one

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik The set full case (with net_ratelimit()-ed pr_warn()) is already handled, simply jump there. Signed-off-by: Jozsef Kadlecsik --- net/netfilter/ipset/ip_set_hash_gen.h | 8 +--- 1 file changed, 1 insertion(+), 7

[PATCH 26/39] netfilter: ipset: Count non-static extension memory for userspace

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Non-static (i.e. comment) extension was not counted into the memory size. A new internal counter is introduced for this. In the case of the hash types the sizes of the arrays are counted there as well so that we can avoid scanning the whole set

[PATCH 23/39] netfilter: ipset: Regroup ip_set_put_extensions and add extern

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Cleanup: group ip_set_put_extensions and ip_set_get_extensions together and add missing extern. Signed-off-by: Jozsef Kadlecsik --- include/linux/netfilter/ipset/ip_set.h | 6 ++ 1 file changed, 2 insertions(+), 4

[PATCH 38/39] netfilter: conntrack: remove unused netns_ct member

2016-11-13 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> since 23014011ba420 ('netfilter: conntrack: support a fixed size of 128 distinct labels') this isn't needed anymore. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net

[PATCH 17/39] netfilter: ipset: Mark some helper args as const.

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich Signed-off-by: Jozsef Kadlecsik ---

[PATCH 14/39] udp: provide udp{4,6}_lib_lookup for nf_socket_ipv{4,6}

2016-11-13 Thread Pablo Neira Ayuso
we also provide the functions when CONFIG_NF_SOCKET_IPV4 or CONFIG_NF_SOCKET_IPV6, respectively are set. Fixes: 8db4c5be88f6 ("netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c") Signed-off-by: Arnd Bergmann <a...@arndb.de> Signed-off-by: Pablo Neira Ayuso <pa...

[PATCH 32/39] netfilter: ipset: Make struct htype per ipset family

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Before this patch struct htype was created at the first source of ip_set_hash_gen.h and it is common for both IPv4 and IPv6 set variants. Make struct htype per ipset family and use NLEN to make nets array fixed size to simplify struct htype

[PATCH 31/39] netfilter: ipset: Optimize hash creation routine

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Exit as easily as possible on error and use RCU_INIT_POINTER() as set is not seen at creation time. Signed-off-by: Jozsef Kadlecsik --- net/netfilter/ipset/ip_set_hash_gen.h | 63 --- 1

[PATCH 35/39] netfilter: ipset: hash:ipmac type support added to ipset

2016-11-13 Thread Pablo Neira Ayuso
From: Tomasz Chilinski Introduce the hash:ipmac type. Signed-off-by: Tomasz Chiliński Signed-off-by: Jozsef Kadlecsik --- net/netfilter/ipset/Kconfig | 9 + net/netfilter/ipset/Makefile

[PATCH 12/39] netfilter: nf_tables: simplify the basic expressions' init routine

2016-11-13 Thread Pablo Neira Ayuso
Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables_core.h | 33 -- net/netfilter/nf_tables_core.c | 80 +++--- net/netfilter/nft_bitwise.c| 13 +- net/netfilt

[PATCH 21/39] netfilter: ipset: Split extensions into separate files

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Cleanup to separate all extensions into individual files. Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich Signed-off-by: Jozsef Kadlecsik

[PATCH 28/39] netfilter: ipset: Simplify mtype_expire() for hash types

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Remove one level of indentation by using continue while iterating over elements in bucket. Ported from a patch proposed by Sergey Popovich . Signed-off-by: Jozsef Kadlecsik ---

[PATCH 29/39] netfilter: ipset: Make NLEN compile time constant for hash types

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h and the only place where NLEN needed to be calculated at runtime is *_create() method. Ported from a patch proposed by Sergey Popovich . Signed-off-by:

[PATCH 05/39] netfilter: x_tables: move hook state into xt_action_param structure

2016-11-13 Thread Pablo Neira Ayuso
Place pointer to hook state in xt_action_param structure instead of copying the fields that we need. After this change xt_action_param fits into one cacheline. This patch also adds a set of new wrapper functions to fetch relevant hook state structure fields. Signed-off-by: Pablo Neira Ayuso <

[PATCH 16/39] netfilter: ipset: Remove extra whitespaces in ip_set.h

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Remove unnecessary whitespaces. Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich Signed-off-by: Jozsef Kadlecsik ---

[PATCH 15/39] netfilter: conntrack: fix NF_REPEAT handling

2016-11-13 Thread Pablo Neira Ayuso
lso moved the comment that explains this where it belongs. --pablo ] Fixes: 08733a0cb7de ("netfilter: handle NF_REPEAT from nf_conntrack_in()") Signed-off-by: Arnd Bergmann <a...@arndb.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_co

[PATCH 34/39] netfilter: ipset: Fix reported memory size for hash:* types

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik --- net/netfilter/ipset/ip_set_hash_gen.h | 16

[PATCH 24/39] netfilter: ipset: Add element count to hash headers

2016-11-13 Thread Pablo Neira Ayuso
header that is exported to userspace. This field is then printed by the userspace tool for hashes. Signed-off-by: Eric B Munson <emun...@akamai.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Cc: Josh Hunt <joh...@akamai.com> Cc: netfilter-de...@vger.kernel.org Signed-off-b

[PATCH 25/39] netfilter: ipset: Add element count to all set types header

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types. Signed-off-by: Jozsef Kadlecsik ---

[PATCH 37/39] netfilter: ipset: hash: fix boolreturn.cocci warnings

2016-11-13 Thread Pablo Neira Ayuso
From: kbuild test robot net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in function 'hash_ipmac4_data_list' with return type bool net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in function 'hash_ipmac6_data_list' with

[PATCH 11/39] netfilter: nft_hash: get random bytes if seed is not specified

2016-11-13 Thread Pablo Neira Ayuso
If the user doesn't specify a seed, generate one at configuration time. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_hash.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c

[PATCH 10/39] netfilter: handle NF_REPEAT from nf_conntrack_in()

2016-11-13 Thread Pablo Neira Ayuso
NF_REPEAT is only needed from nf_conntrack_in() under a very specific case required by the TCP protocol tracker, we can handle this case without returning to the core hook path. Handling of NF_REPEAT from the nf_reinject() is left untouched. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.

[PATCH 27/39] netfilter: ipset: Remove redundant mtype_expire() arguments

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Remove redundant parameters nets_length and dsize, because they can be obtained from other parameters. Ported from a patch proposed by Sergey Popovich . Signed-off-by: Jozsef Kadlecsik ---

[PATCH 19/39] netfilter: ipset: Improve skbinfo get/init helpers

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Use struct ip_set_skbinfo in struct ip_set_ext instead of open coded fields and assign structure members in get/init helpers instead of copying members one by one. Explicitly note that struct ip_set_skbinfo must be padded to prevent non-aligned

[PATCH 20/39] netfilter: ipset: Use kmalloc() in comment extension helper

2016-11-13 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik Allocate memory with kmalloc() rather than kzalloc(): the string is immediately initialized so it is unnecessary to zero out the allocated memory area. Ported from a patch proposed by Sergey Popovich . Suggested-by:

[PATCH 04/39] netfilter: deprecate NF_STOP

2016-11-13 Thread Pablo Neira Ayuso
eue userspace applications still work if they use NF_STOP for some exotic reason. Out of tree modules using NF_STOP would break, but we don't care about those. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter.h | 2 +- net/bridge/br_netfilter_ho

[PATCH 07/39] netfilter: use switch() to handle verdict cases from nf_hook_slow()

2016-11-13 Thread Pablo Neira Ayuso
Use switch() for verdict handling and add explicit handling for NF_STOLEN and other non-conventional verdicts. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/core.c | 18 ++ 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/net/net

[PATCH 01/39] netfilter: get rid of useless debugging from core

2016-11-13 Thread Pablo Neira Ayuso
This patch removes compile time code to catch unconventional verdicts. We have better ways to handle this case these days, e.g. pr_debug(), but even though I don't think this is useful at all, so let's remove this. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/core

Re: [PATCH] netfilter: x_tables: simplify IS_ERR_OR_NULL to NULL test

2016-11-13 Thread Pablo Neira Ayuso
On Fri, Nov 11, 2016 at 01:32:38PM +0100, Julia Lawall wrote: > Since commit 7926dbfa4bc1 ("netfilter: don't use > mutex_lock_interruptible()"), the function xt_find_table_lock can only > return NULL on an error. Simplify the call sites and update the > comment before the function. Applied,

Re: linux-next: manual merge of the net-next tree with the netfilter tree

2016-11-09 Thread Pablo Neira Ayuso
Hi David, On Thu, Nov 10, 2016 at 10:56:33AM +1100, Stephen Rothwell wrote: > Hi all, > > Today's linux-next merge of the net-next tree got a conflict in: > > net/netfilter/ipvs/ip_vs_ctl.c > > between commit: > > 8fbfef7f505b ("ipvs: use IPVS_CMD_ATTR_MAX for family.maxattr") > > from

[PATCH 03/14] netfilter: nf_tables: fix race when create new element in dynset

2016-11-09 Thread Pablo Neira Ayuso
ed, we reuse the existing element. Otherwise, these *racing* packets will not be handled properly. Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilte

[PATCH 02/14] netfilter: nf_tables: fix *leak* when expr clone fail

2016-11-09 Thread Pablo Neira Ayuso
exhausted. Fixes: 086f332167d6 ("netfilter: nf_tables: add clone interface to expression operations") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 6 -- net/netfilter/nf_tables_a

[PATCH 01/14] netfilter: nft_dynset: fix panic if NFT_SET_HASH is not enabled

2016-11-09 Thread Pablo Neira Ayuso
d. So just keep it simple, in such case, report -EOPNOTSUPP to the user space. Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ne

[PATCH 04/14] netfilter: nf_conntrack_sip: extend request line validation

2016-11-09 Thread Pablo Neira Ayuso
o Angaroni <marcoangar...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_sip.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index 621b81c7b

[PATCH 11/14] netfilter: connmark: ignore skbs with magic untracked conntrack objects

2016-11-09 Thread Pablo Neira Ayuso
NVALID and UNTRACKED apart. Check skb->nfct for untracked dummy and behave as if skb->nfct is NULL. Reported-by: XU Tianwen <evan.xu.tian...@gmail.com> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/

[PATCH 00/14] Netfilter fixes for net

2016-11-09 Thread Pablo Neira Ayuso
Hi David, The following patchset contains a larger than usual batch of Netfilter fixes for your net tree. This series contains a mixture of old bugs and recently introduced bugs, they are: 1) Fix a crash when using nft_dynset with nft_set_rbtree, which doesn't support the set element updates

[PATCH 06/14] netfilter: conntrack: avoid excess memory allocation

2016-11-09 Thread Pablo Neira Ayuso
: conntrack: support a fixed size of 128 distinct labels") Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_labels.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff -

[PATCH 10/14] ipvs: use IPVS_CMD_ATTR_MAX for family.maxattr

2016-11-09 Thread Pablo Neira Ayuso
From: WANG Cong <xiyou.wangc...@gmail.com> family.maxattr is the max index for policy[], the size of ops[] is determined with ARRAY_SIZE(). Reported-by: Andrey Konovalov <andreyk...@google.com> Tested-by: Andrey Konovalov <andreyk...@google.com> Cc: Pablo Neira Ayuso <pa...@

[PATCH 08/14] netfilter: nf_tables: destroy the set if fail to add transaction

2016-11-09 Thread Pablo Neira Ayuso
uot;) Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 365d3

[PATCH 05/14] netfilter: nf_tables: fix type mismatch with error return from nft_parse_u32_check

2016-11-09 Thread Pablo Neira Ayuso
ted to address the issue, but did not address the return type of nft_parse_u32_check. Signed-off-by: John W. Linville <linvi...@tuxdriver.com> Cc: Laura Garcia Liebana <nev...@gmail.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Cc: Dan Carpenter <dan.carpen...@oracle.com>

[PATCH 14/14] netfilter: nf_tables: fix oops when inserting an element into a verdict map

2016-11-09 Thread Pablo Neira Ayuso
/0x5a7 [nfnetlink] Because we forget to fill the net pointer in bind_ctx, so dereferencing it may cause kernel crash. Reported-by: Dalegaard <dalega...@gmail.com> Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/

[PATCH 13/14] netfilter: conntrack: refine gc worker heuristics

2016-11-09 Thread Pablo Neira Ayuso
minutes in worst case (entry expires right after it was deemed 'not expired'). Reported-by: Nicolas Dichtel <nicolas.dich...@6wind.com> Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Nicolas Dichtel <nicolas.dich...@6wind.com> Signed-off-by: Pablo Neira

[PATCH 09/14] netfilter: nft_dup: do not use sreg_dev if the user doesn't specify it

2016-11-09 Thread Pablo Neira Ayuso
ail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nft_dup_ipv4.c | 6 -- net/ipv6/netfilter/nft_dup_ipv6.c | 6 -- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/net/ipv4/netfilter/nft_dup_ipv4.c b/net/ipv4/netfilter/nft_d

[PATCH 07/14] netfilter: ip_vs_sync: fix bogus maybe-uninitialized warning

2016-11-09 Thread Pablo Neira Ayuso
t code or the warning, but it deals with the same data, so I kept the two changes together. Signed-off-by: Arnd Bergmann <a...@arndb.de> Acked-by: Julian Anastasov <j...@ssi.bg> Signed-off-by: Simon Horman <ho...@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.o

[PATCH 12/14] netfilter: conntrack: fix CT target for UNSPEC helpers

2016-11-09 Thread Pablo Neira Ayuso
SPEC, but the CT target passes NFPROTO_IPV4/IPV6 to nf_conntrack_helper_try_module_get. We should treat UNSPEC as wildcard and ignore the l3num instead. Reported-by: Thomas Woerner <twoer...@redhat.com> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neir

Re: [PATCH 2/2] [nf-next] netfilter: fix NF_REPEAT handling

2016-11-09 Thread Pablo Neira Ayuso
On Tue, Nov 08, 2016 at 02:28:19PM +0100, Arnd Bergmann wrote: > gcc correctly identified a theoretical uninitialized variable use: > > net/netfilter/nf_conntrack_core.c: In function 'nf_conntrack_in': > net/netfilter/nf_conntrack_core.c:1125:14: error: 'l4proto' may be used > uninitialized in

Re: [PATCH 1/2] [net-next] udp: provide udp{4,6}_lib_lookup for nf_socket_ipv{4,6}

2016-11-09 Thread Pablo Neira Ayuso
On Tue, Nov 08, 2016 at 02:28:18PM +0100, Arnd Bergmann wrote: > Since commit ca065d0cf80f ("udp: no longer use SLAB_DESTROY_BY_RCU") > the udp6_lib_lookup and udp4_lib_lookup functions are only > provided when it is actually possible to call them. > > However, moving the callers now caused a

Re: [PATCH] net/netfilter: Fix use uninitialized warn in nft_range_eval()

2016-11-08 Thread Pablo Neira Ayuso
On Mon, Nov 07, 2016 at 08:41:14AM -0700, Shuah Khan wrote: > Fix the following warn: > >CC [M] net/netfilter/nft_range.o > 8601,8605c9105 > net/netfilter/nft_range.c: In function ‘nft_range_eval’: > net/netfilter/nft_range.c:45:5: warning: ‘mismatch’ may be used > uninitialized in this

Re: [Patch net] ipvs: use IPVS_CMD_ATTR_MAX for family.maxattr

2016-11-08 Thread Pablo Neira Ayuso
alov <andreyk...@google.com> > > Tested-by: Andrey Konovalov <andreyk...@google.com> > > Cc: Pablo Neira Ayuso <pa...@netfilter.org> > > Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com> > > > Signed-off-by: Simon Horman <ho...@verge.net.au> > > Pablo, can you take this one into nf? Applied, thanks!

[PATCH 07/12] netfilter: nf_tables: add fib expression

2016-11-01 Thread Pablo Neira Ayuso
osted to address compilation warnings. --pablo ] Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nft_fib.h | 31 include/uapi/linux/netfilter/nf_tables.h | 36 net/ipv4/netfilter/Kconfi

[PATCH 02/12] netfilter: nfnetlink_log: Use GFP_NOWARN for skb allocation

2016-11-01 Thread Pablo Neira Ayuso
From: Calvin Owens <calvinow...@fb.com> Since the code explicitly falls back to a smaller allocation when the large one fails, we shouldn't complain when that happens. Signed-off-by: Calvin Owens <calvinow...@fb.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 03/12] netfilter: nf_tables: allow expressions to return STOLEN

2016-11-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Currently not supported, we'd oops as skb was (or is) free'd elsewhere. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_core.c | 1 + 1 file changed, 1

[PATCH 05/12] netfilter: nft_meta: permit pkttype mangling in ip/ip6 prerouting

2016-11-01 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> After supporting this, we can combine it with hash expression to emulate the 'cluster match'. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pab

[PATCH 00/12] Netfilter updates for net-next

2016-11-01 Thread Pablo Neira Ayuso
condition checks Liping Zhang (3): netfilter: nft_numgen: start round robin from zero netfilter: nft_meta: permit pkttype mangling in ip/ip6 prerouting netfilter: nf_tables: remove useless U8_MAX validation Pablo Neira Ayuso (3): netfilter: nft_ct: add notrack support

[PATCH 06/12] netfilter: nft_ct: add notrack support

2016-11-01 Thread Pablo Neira Ayuso
placing this new notrack expression into nft_ct.c, I think a single module is too much. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_ct.c | 50 +- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/net/net

[PATCH 01/12] netfilter: xt_multiport: Use switch case instead of multiple condition checks

2016-11-01 Thread Pablo Neira Ayuso
From: Gao Feng <f...@ikuai8.com> There are multiple equality condition checks in the original codes, so it is better to use switch case instead of them. Signed-off-by: Gao Feng <f...@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/x

[PATCH 04/12] netfilter: nft_numgen: start round robin from zero

2016-11-01 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> Currently we start round robin from 1, but it's better to start round robin from 0. This is to keep consistent with xt_statistic in iptables. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Nei

[PATCH 08/12] netfilter: nf_log: add packet logging for netdev family

2016-11-01 Thread Pablo Neira Ayuso
Move layer 2 packet logging into nf_log_l2packet() that resides in nf_log_common.c, so this can be shared by both bridge and netdev families. This patch adds the boiler plate code to register the netdev logging family. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- inclu

[PATCH 11/12] netfilter: nf_tables: remove useless U8_MAX validation

2016-11-01 Thread Pablo Neira Ayuso
U8_MAX, although this will not happen, but it's a logical mistake. Now remove this redundant validation introduced by commit 36b701fae12a ("netfilter: nf_tables: validate maximum value of u32 netlink attributes") Signed-off-by: Liping Zhang <zlpnob...@gmail.com> Signed-off-by:

[PATCH 10/12] netfilter: nf_tables: introduce routing expression

2016-11-01 Thread Pablo Neira Ayuso
emented identical to "meta rtclassid", since it is more logical to have this match in the routing expression going forward. Signed-off-by: Anders K. Pedersen <a...@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter

[PATCH 12/12] netfilter: nf_queue: place volatile data in own cacheline

2016-11-01 Thread Pablo Neira Ayuso
hal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_queue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index af832c526048..5379f788a372 100644 -

[PATCH 09/12] netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c

2016-11-01 Thread Pablo Neira Ayuso
We need this split to reuse existing codebase for the upcoming nf_tables socket expression. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_socket.h | 27 net/ipv4/netfilter/Kconfig | 6 + net/ipv4/netfilter/Makefile | 2

Re: [PATCH] [v2 netfilter-next] netfilter: nf_tables: fib warnings

2016-10-31 Thread Pablo Neira Ayuso
On Sat, Oct 29, 2016 at 01:26:12AM +0200, Florian Westphal wrote: > Arnd Bergmann wrote: > > The newly added nft fib code produces two warnings: > > > > net/ipv4/netfilter/nft_fib_ipv4.c: In function 'nft_fib4_eval': > > net/ipv4/netfilter/nft_fib_ipv4.c:80:6: error: unused

Re: [PATCH] netfilter: ip_vs_sync: fix bogus maybe-uninitialized warning

2016-10-28 Thread Pablo Neira Ayuso
On Fri, Oct 28, 2016 at 01:40:23PM +0200, Simon Horman wrote: > On Fri, Oct 28, 2016 at 11:34:22AM +0200, Pablo Neira Ayuso wrote: > > On Mon, Oct 24, 2016 at 10:47:54PM +0300, Julian Anastasov wrote: > > > > > > Hello, > > > > >

Re: [PATCH v7 0/6] Add eBPF hooks for cgroups

2016-10-28 Thread Pablo Neira Ayuso
On Thu, Oct 27, 2016 at 10:40:14AM +0200, Daniel Mack wrote: > On 10/26/2016 09:59 PM, Pablo Neira Ayuso wrote: > > On Tue, Oct 25, 2016 at 12:14:08PM +0200, Daniel Mack wrote: > > [...] > >> Dumping programs once they are installed is problematic because of > >

Re: [PATCH v7 0/6] Add eBPF hooks for cgroups

2016-10-28 Thread Pablo Neira Ayuso
Hi Alexei, On Wed, Oct 26, 2016 at 08:35:04PM -0700, Alexei Starovoitov wrote: > On Wed, Oct 26, 2016 at 09:59:33PM +0200, Pablo Neira Ayuso wrote: > > On Tue, Oct 25, 2016 at 12:14:08PM +0200, Daniel Mack wrote: > > [...] > > > Dumping programs once they are installe

Re: [PATCH] netfilter: ip_vs_sync: fix bogus maybe-uninitialized warning

2016-10-28 Thread Pablo Neira Ayuso
On Mon, Oct 24, 2016 at 10:47:54PM +0300, Julian Anastasov wrote: > > Hello, > > On Mon, 24 Oct 2016, Arnd Bergmann wrote: > > > Building the ip_vs_sync code with CONFIG_OPTIMIZE_INLINING on x86 > > confuses the compiler to the point where it produces a rather > > dubious warning message:

Re: [PATCH v2] netfilter: fix type mismatch with error return from nft_parse_u32_check

2016-10-27 Thread Pablo Neira Ayuso
On Tue, Oct 25, 2016 at 03:56:39PM -0400, John W. Linville wrote: > Commit 36b701fae12ac ("netfilter: nf_tables: validate maximum value of > u32 netlink attributes") introduced nft_parse_u32_check with a return > value of "unsigned int", yet on error it returns "-ERANGE". > > This patch corrects

Re: [PATCH v7 0/6] Add eBPF hooks for cgroups

2016-10-26 Thread Pablo Neira Ayuso
On Tue, Oct 25, 2016 at 12:14:08PM +0200, Daniel Mack wrote: [...] > Dumping programs once they are installed is problematic because of > the internal optimizations done to the eBPF program during its > lifetime. Also, the references to maps etc. would need to be > restored during the

Re: [PATCH net-next] nfnetlink_log: Use GFP_NOWARN for skb allocation

2016-10-21 Thread Pablo Neira Ayuso
On Fri, Oct 07, 2016 at 02:02:16PM -0700, Calvin Owens wrote: > Since the code explicitly falls back to a smaller allocation when the > large one fails, we shouldn't complain when that happens. Applied, thanks.

[PATCH 08/13] netfilter: nft_exthdr: fix error handling in nft_exthdr_init()

2016-10-21 Thread Pablo Neira Ayuso
From: Dan Carpenter <dan.carpen...@oracle.com> "err" needs to be signed for the error handling to work. Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32 netlink attributes') Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> Signed-off-by:

[PATCH 09/13] netfilter: nft_range: validate operation netlink attribute

2016-10-21 Thread Pablo Neira Ayuso
Use nft_parse_u32_check() to make sure we don't get a value over the unsigned 8-bit integer. Moreover, make sure this value doesn't go over the two supported range comparison modes. Fixes: 9286c2eb1fda ("netfilter: nft_range: validate operation netlink attribute") Signed-off-by: P

[PATCH 03/13] netfilter: conntrack: remove obsolete sysctl (nf_conntrack_events_retry_timeout)

2016-10-21 Thread Pablo Neira Ayuso
...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Documentation/networking/nf_conntrack-sysctl.txt | 18 -- 1 file changed, 18 deletions(-) diff --git a/Documentation/networking/nf_conntrack-sysctl.txt b/Documentation/networking/nf_connt

[PATCH 10/13] netfilter: nf_tables: avoid uninitialized variable warning

2016-10-21 Thread Pablo Neira Ayuso
bogus 'default' clause as in my first approach, and is nicer than using the 'uninitialized_var' macro. Fixes: 0f3cd9b36977 ("netfilter: nf_tables: add range expression") Link: http://patchwork.ozlabs.org/patch/677114/ Signed-off-by: Arnd Bergmann <a...@arndb.de> Signed-off-by:

[PATCH 13/13] netfilter: fix nf_queue handling

2016-10-21 Thread Pablo Neira Ayuso
st") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/core.c | 13 +++- net/netfilter/nf_internals.h | 2 +- net/netfilter/nf_queue.c | 48 +--- 3 files changed, 36 insertions(+), 27 deletions(-) diff --

[PATCH 06/13] netfilter: nft_hash: add missing NFTA_HASH_OFFSET's nla_policy

2016-10-21 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> Missing the nla_policy description will also miss the validation check in kernel. Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add hash offset value") Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by:

[PATCH 04/13] netfilter: xt_NFLOG: fix unexpected truncated packet

2016-10-21 Thread Pablo Neira Ayuso
@lucidpixels.com> Reported-by: Chris Caputo <ccap...@alt.net> Tested-by: Chris Caputo <ccap...@alt.net> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_NFLOG.c | 1 + 1 file changed, 1 in

[PATCH 01/13] netfilter: xt_hashlimit: Add missing ULL suffixes for 64-bit constants

2016-10-21 Thread Pablo Neira Ayuso
nstant is too large for ‘long’ type Fixes: 11d5f15723c9f39d ("netfilter: xt_hashlimit: Create revision 2 to support higher pps rates") Signed-off-by: Geert Uytterhoeven <ge...@linux-m68k.org> Acked-by: Vishwanath Pai <v...@akamai.com> Signed-off-by: Pablo Neira Ayuso <pa...@ne

[PATCH 02/13] netfilter: nft_dynset: fix element timeout for HZ != 1000

2016-10-21 Thread Pablo Neira Ayuso
urrent nf and nf-next trees. Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") Signed-off-by: Anders K. Pedersen <a...@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_dynset.c | 6 -- 1 file changed,

[PATCH 11/13] netfilter: x_tables: suppress kmemcheck warning

2016-10-21 Thread Pablo Neira Ayuso
al <f...@strlen.de> Acked-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/x_tables.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index e0aa7c1

[PATCH 12/13] netfilter: conntrack: restart gc immediately if GC_MAX_EVICTS is reached

2016-10-21 Thread Pablo Neira Ayuso
strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index ba6a1d421222..df2f5a3901df 100644 --- a/net

[PATCH 05/13] netfilter: xt_ipcomp: add "ip[6]t_ipcomp" module alias name

2016-10-21 Thread Pablo Neira Ayuso
; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/xt_ipcomp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/xt_ipcomp.c b/net/netfilter/xt_ipcomp.c index 89d53104c6b3..000e70377f85 100644 --- a/net/netfilter/xt_ipcomp.c +++ b/net/netfilter/xt_ipcom

[PATCH 07/13] netfilter: nf_tables: underflow in nft_parse_u32_check()

2016-10-21 Thread Pablo Neira Ayuso
From: Dan Carpenter <dan.carpen...@oracle.com> We don't want to allow negatives here. Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32 netlink attributes') Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> Signed-off-by: Pablo Neira Ayuso <pa..
