. Biederman (1):
netfilter: nf_queue: Make the queue_handler pernet
Florian Westphal (2):
netfilter: nfnetlink_queue: fix timestamp attribute
netfilter: conntrack: remove leftover binary sysctl define
Pablo Neira Ayuso (1):
netfilter: nf_ct_helper: bail out on duplicated
-by: Feng Gao <gfree.w...@gmail.com>
Reported-by: Taehee Yoo <ap420...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_helper.c | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_conntra
824a ("netfilter:
factor out packet duplication for IPv4/IPv6") the flowi6_flags
update was lost.
This commit re-adds it just before the routing decision.
Fixes: bbde9fc1824a ("netfilter: factor out packet duplication for IPv4/IPv6")
Signed-off-by: Paolo Abeni <pab...@redhat.co
rian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_queue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index cb5b630..e34256
From: Florian Westphal <f...@strlen.de>
Users got removed in f8572d8f2a2ba ("sysctl net: Remove unused binary
sysctl code").
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_standal
;
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2011977..6947e25 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_table
On Wed, Jun 01, 2016 at 05:52:59PM +0800, Xiubo Li wrote:
> >> net/netfilter/x_tables.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >>diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> >>index c8a0b7d..4df8e38 100644
> >>--- a/net/netfilter/x_tables.c
> >>+++
On Wed, Jun 01, 2016 at 04:34:28PM +0800, Xiubo Li wrote:
> Since we cannot make sure the 'hook_mask' will always be non-zero
> here. If it equals zero, the num_hooks will be zero too, and then
> kmalloc() will return ZERO_SIZE_PTR, which is (void *)16.
>
> Then the following error check will
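Worked example, added here and not code from the thread or from the kernel: a userspace model of the ZERO_SIZE_PTR pitfall described in the message above. ZERO_SIZE_PTR and ZERO_OR_NULL_PTR carry the kernel's definitions; mock_kmalloc(), num_hooks_from_mask() and the alloc_hooks_*() functions are stand-ins written for this example, and the hook masks fed to them are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdbool.h>

/* Same definitions as the kernel's include/linux/slab.h. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= (unsigned long)ZERO_SIZE_PTR)

/* Stand-in for kmalloc(): like the kernel, a zero-byte request yields
 * ZERO_SIZE_PTR, which is neither NULL nor a usable allocation. */
static void *mock_kmalloc(size_t size)
{
    if (size == 0)
        return ZERO_SIZE_PTR;
    return malloc(size);
}

/* kfree() accepts ZERO_SIZE_PTR and NULL; mirror that here. */
static void mock_kfree(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

/* One hook per set bit in the mask, i.e. hweight32(hook_mask). */
unsigned int num_hooks_from_mask(unsigned int hook_mask)
{
    return (unsigned int)__builtin_popcount(hook_mask);
}

/* Buggy variant: only rejects NULL. An empty hook_mask gives a zero-size
 * request, the check passes, and the caller is handed (void *)16. */
static bool alloc_hooks_buggy(unsigned int hook_mask, void **out)
{
    unsigned int n = num_hooks_from_mask(hook_mask);
    void *ops = mock_kmalloc(n * sizeof(uint64_t));

    if (!ops)
        return false;
    *out = ops;
    return true;
}

/* Fixed variant: refuse an empty mask up front and test the result with
 * ZERO_OR_NULL_PTR so a zero-size allocation is never treated as valid. */
static bool alloc_hooks_fixed(unsigned int hook_mask, void **out)
{
    unsigned int n = num_hooks_from_mask(hook_mask);
    void *ops;

    if (n == 0)
        return false;
    ops = mock_kmalloc(n * sizeof(uint64_t));
    if (ZERO_OR_NULL_PTR(ops))
        return false;
    *out = ops;
    return true;
}

/* True when the buggy path reports success but hands back ZERO_SIZE_PTR. */
bool buggy_returns_zero_size_ptr(unsigned int hook_mask)
{
    void *p = NULL;
    bool ok = alloc_hooks_buggy(hook_mask, &p);
    bool leaked = ok && p == ZERO_SIZE_PTR;

    if (ok)
        mock_kfree(p);
    return leaked;
}

/* True when the fixed path accepts the mask and returns a real buffer. */
bool fixed_accepts(unsigned int hook_mask)
{
    void *p = NULL;
    bool ok = alloc_hooks_fixed(hook_mask, &p);

    if (ok)
        mock_kfree(p);
    return ok;
}
```

The point of the example is the check, not the allocator: a plain NULL test after kmalloc() is not enough when the requested size can be zero, because dereferencing the 16-byte "pointer" faults just like a NULL dereference.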
On Fri, May 13, 2016 at 09:18:52PM -0500, Eric W. Biederman wrote:
>
> Florian Weber reported:
> > Under full load (unshare() in loop -> OOM conditions) we can
> > get kernel panic:
> >
> > BUG: unable to handle kernel NULL pointer dereference at 0008
> > IP: []
Cc'ing Eric Biederman.
On Mon, May 16, 2016 at 09:38:53PM -0700, Joe Stringer wrote:
> On 6 May 2016 at 04:03, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > Hi Joe,
> >
> > On Thu, May 05, 2016 at 03:50:37PM -0700, Joe Stringer wrote:
> >> diff --git a
This patch fixes a netns leak.
Fixes: 93edb8c7f94f ("gtp: reload GTPv1 header after pskb_may_pull()")
Reported-by: Cong Wang <xiyou.wangc...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
drivers/net/gtp.c | 15 ---
1 file changed, 12 inse
Hi Michal,
On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote:
> Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for
> xt_LOG") disabled logging packets using the LOG target from non-init
> namespaces. The motivation was to prevent containers from flooding
> kernel
On Wed, May 11, 2016 at 05:41:13PM +0200, Florian Westphal wrote:
> diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
> index 5baa8e2..9722819 100644
> --- a/net/netfilter/nf_queue.c
> +++ b/net/netfilter/nf_queue.c
> @@ -102,6 +102,13 @@ void nf_queue_nf_hook_drop(struct net *net,
ot;)
Reported-by: Eric Dumazet <eric.duma...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
drivers/net/gtp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index 8ce1104..f7caf1e 100644
--- a/drivers/net/gtp.c
+++ b/dr
On Tue, May 10, 2016 at 10:16:33AM -0700, Tom Herbert wrote:
> On Tue, May 10, 2016 at 9:27 AM, David Miller <da...@davemloft.net> wrote:
> > From: Pablo Neira Ayuso <pa...@netfilter.org>
> > Date: Mon, 9 May 2016 00:55:48 +0200
> >
> >> This is an
enum ip_conntrack_info ctinfo;
>
> The problem is that a local variable shadows the function parameter.
> This removes the local variable, which looks like what Pablo originally
> intended.
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
Sorry for this, I wonder why gcc didn'
From: Florian Westphal <f...@strlen.de>
Else we get 'BUG: spinlock bad magic on CPU#' on resize when
spin lock debugging is enabled.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_cor
ff-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_acct.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 4c2b4c0..dbd0803 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetli
Hi David,
The following patchset contain Netfilter simple fixes for your net tree,
two one-liner and one two-liner:
1) Oneliner to fix missing spinlock definition that triggers
'BUG: spinlock bad magic on CPU#' when spinlock debugging is enabled,
from Florian Westphal.
2) Fix missing
From: Liping Zhang <liping.zh...@spreadtrum.com>
The workqueue may still be running while we destroy the IDLETIMER target,
thus causing a use-after-free error; add cancel_work_sync() to avoid such a
situation.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo
for this situation, after
this patch, the drop counter is bumped whenever we drop packets, so we
can watch for unresolved clashes.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_l4proto.h | 3 ++
net/netfilter/nf_conntrack_core.c
scribe' the affected/overlimit netns.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 43 +++
1 file changed, 25 insertions(+), 18 deletions(-)
diff --g
http://patchwork.ozlabs.org/patch/582970/
This patch has clashed with input validation fixes for x_tables.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/x_tables.h | 6 +++---
net/ipv4/netfilter/arp_tables.c| 6 --
net/ipv4/netfilter/ip_tables.c | 6
nstead.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netns/conntrack.h | 1 -
net/netfilter/nf_conntrack_core.c | 20 +++-
2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a
From: Florian Westphal <f...@strlen.de>
Once we place all conntracks in the same hash table we must also compare
the netns pointer to skip conntracks that belong to a different namespace.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa..
if node extensions are equal and make sure
we keep the existing internal states around.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_rbtree.c | 40 +++-
1 file changed, 35 insertions(+), 5 deletions(-)
diff --git a/net/net
drop_entry protection effective for SIP-pe
Pablo Neira Ayuso (14):
netfilter: nf_tables: introduce nft_setelem_parse_flags() helper
netfilter: nf_tables: parse element flags from nft_del_setelem()
netfilter: nft_rbtree: introduce nft_rbtree_interval_end() helper
netfilter:
From: Florian Westphal <f...@strlen.de>
Once we place all conntracks into a global hash table we want them to be
spread across the entire hash table, even if namespaces have overlapping ip
addresses.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Nei
Currently, we support set names of up to 16 bytes, get this aligned
with the maximum length we can use in ipset to make it easier when
considering migration to nf_tables.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_tables.h| 2 +-
includ
From: Florian Westphal <f...@strlen.de>
Use a private seed and init it using get_random_once.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_expect.c | 7 +++
net/netfilter/nf_nat_
Parse flags and pass them to the set via ->deactivate() to check if we
remove the right element from the intervals.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 38 +-
1 file changed, 33 insertions(+), 5
This function parses the set element flags, thus, we can reuse the same
handling when deleting elements.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 34 ++
1 file changed, 22 insertions(+), 12 deletions(-)
diff
From: Florian Westphal <f...@strlen.de>
Will be needed soon when we place all in the same hash table.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_nat_core.c | 6 +++---
1 file changed, 3 insertio
Introduce a helper function to update conntrack counters.
__nf_ct_kill_acct() was unnecessarily subtracting skb_network_offset()
that is expected to be zero from the ipv4/ipv6 hooks.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.
From: Marco Angaroni
One-packet-scheduling is the most expensive mode in IPVS from
performance point of view: for each packet to be processed a new
connection data structure is created and, after packet is sent,
deleted by starting a new timer set to expire immediately.
that are inconsistently placed in the code.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 217 ++-
net/ipv4/netfilter/ip_tables.c | 244 +++-
net/ipv6/netfilter/ip6_tables.c
espace on a
64bit system.
NAT bysrc and expectation hashes are still per namespace; those will be
changed soon too.
Future patch will also make conntrack object slab cache global again.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
inc
From: Marco Angaroni
When using OPS mode in conjunction with SIP persistent-engine, packets
originating from the same ip-address/port could be balanced to different
real servers, and (to properly handle SIP responses) OPS connections
are created in the in-out direction
From: Florian Westphal <f...@strlen.de>
No need to disable BH here anymore:
stats are switched to _ATOMIC variant (== this_cpu_inc()), which
nowadays generates same code as the non _ATOMIC NF_STAT, at least on x86.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by:
n.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 24 +++-
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 1b63359..29fa08b 10064
ed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 29fa08b..f2e75a5 100644
-
secure way to configure
iptables and connection tracking helpers through explicit rules.
Given the time we have waited for this, let's turn this off by default
now; worst case, users still have a chance to recover the former
behaviour by explicitly enabling this back through sysctl.
Signed-off-by: P
t.
Labels (bits) already set thus cannot be re-set to zero, but
this is not supported by xtables connlabel match either.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_ct.c | 30 +
;
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_expect.h| 1 +
include/net/netns/conntrack.h | 1 -
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 6 ++--
net/netfilter/nf_conntrack_expect.c
since they are not part of the listing.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 24 +-
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/
From: Marco Angaroni
When using LVS-NAT and SIP persistence-egine over UDP, the following
limitations are present with current implementation:
1) To actually have load-balancing based on Call-ID header, you need to
use one-packet-scheduling mode. But with
From: Florian Westphal <f...@strlen.de>
We already include netns address in the hash, so we only need to use
net_eq in find_appropriate_src and can then put all entries into
same table.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa..
From: Florian Westphal <f...@strlen.de>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_expect.c | 17 ++---
1 file changed, 10 insertions(+), 7 deletions(-)
diff --g
From: Florian Westphal <f...@strlen.de>
As an earlier commit removed accesses to the hash from other files, we can
also make it static.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntr
From: Florian Westphal <f...@strlen.de>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 3 +++
net/netfilter/nf_conntrack_expect.c | 19 ++
If the protocol is not natively supported, this assigns generic protocol
tracker so we can always assume a valid pointer after these calls.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Acked-by: Jarno Rajahalme <jrajaha...@nicira.com>
Acked-by: Joe Stringer <j...@ov
Add this new nft_rbtree_interval_end() helper function to check if the
end interval is set.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nft_rbtree.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_rbtree.c
From: Liping Zhang <liping.zh...@spreadtrum.com>
ip6_route_output() will never return a NULL pointer, so there's no need
to check it.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv6/netfilter/ip6t_SY
extend it to also consider net_eq.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 29 +++--
1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/net/netfilter/n
From: Marco Angaroni
DoS protection policy that deletes connections to avoid out of memory is
currently not effective for SIP-pe plus OPS-mode for two reasons:
1) connection templates (holding SIP call-id) are always skipped in
ip_vs_random_dropentry()
2)
Remove unnecessary check for non-null pointer in destroy_conntrack()
given that __nf_ct_l4proto_find() returns the generic protocol tracker
if the protocol is not supported.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 2 +-
1 file chan
From: Florian Westphal <f...@strlen.de>
An earlier patch changed lookup side to also net_eq() namespaces after
obtaining a reference on the conntrack, so a single kmemcache can be used.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa..
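Worked example, added here and not code from the series or from the kernel, covering the Westphal commits listed above (comparing the netns pointer once all conntracks share one hash table, spreading entries across the table even when namespaces have overlapping addresses, a private seed initialised with get_random_once(), and net_eq() on the lookup side / in find_appropriate_src). Everything in it is this example's own stand-in: struct net, struct tuple, mix(), hash_tuple(), ct_find() and spread_count(). The kernel mixes a pointer-derived namespace value into the hash and draws the seed at random; here a namespace id and a constant seed keep the results reproducible. A one-bucket table forces collisions so that dropping the net_eq() check is visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define MAX_BUCKETS 64

/* Example stand-ins for struct net, nf_conntrack_tuple and nf_conn. */
struct net { int id; };
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct ct { struct net *net; struct tuple t; struct ct *next; };

static struct ct *buckets[MAX_BUCKETS];
static unsigned int nbuckets = MAX_BUCKETS;

/* Stand-in for a seed set up by get_random_once(): random per boot in the
 * kernel, a constant here so the example is reproducible. */
static uint32_t hash_seed;
static bool seed_ready;

static void seed_init_once(void)
{
    if (!seed_ready) {
        hash_seed = 0x9e3779b9u;
        seed_ready = true;
    }
}

static uint32_t mix(uint32_t h, uint32_t v)
{
    h ^= v;
    h *= 0x85ebca6bu;
    h ^= h >> 13;
    return h;
}

/* Bucket for a tuple. With with_net set, the namespace goes into the hash,
 * so the same tuple seen in many namespaces spreads over the table instead
 * of piling into one bucket (the kernel mixes a pointer-derived value; the
 * id is used here so the result does not depend on addresses). */
static uint32_t hash_tuple(const struct net *net, const struct tuple *t, bool with_net)
{
    uint32_t h;

    seed_init_once();
    h = mix(hash_seed, t->saddr);
    h = mix(h, t->daddr);
    h = mix(h, ((uint32_t)t->sport << 16) | t->dport);
    h = mix(h, t->proto);
    if (with_net)
        h = mix(h, (uint32_t)net->id);
    return h % nbuckets;
}

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport && a->proto == b->proto;
}

static bool net_eq(const struct net *a, const struct net *b) { return a == b; }

/* Empty the table and set its size; 1 forces every entry into one bucket. */
void ct_table_reset(unsigned int n)
{
    memset(buckets, 0, sizeof(buckets));
    nbuckets = (n == 0 || n > MAX_BUCKETS) ? MAX_BUCKETS : n;
}

void ct_insert(struct ct *c)
{
    uint32_t b = hash_tuple(c->net, &c->t, true);

    c->next = buckets[b];
    buckets[b] = c;
}

/* The bucket already depends on the namespace, but namespaces can still
 * collide, so a match must compare net_eq() as well as the tuple.
 * check_net=false reproduces the cross-namespace confusion. */
struct ct *ct_find(struct net *net, const struct tuple *t, bool check_net)
{
    struct ct *c;

    for (c = buckets[hash_tuple(net, t, true)]; c; c = c->next)
        if (tuple_eq(&c->t, t) && (!check_net || net_eq(c->net, net)))
            return c;
    return NULL;
}

/* Distinct buckets the same tuple lands in across namespaces 1..nns. */
unsigned int spread_count(const struct tuple *t, int nns, bool with_net)
{
    bool seen[MAX_BUCKETS] = { false };
    unsigned int distinct = 0;
    int i;

    for (i = 1; i <= nns; i++) {
        struct net n = { .id = i };
        uint32_t b = hash_tuple(&n, t, with_net);

        if (!seen[b]) {
            seen[b] = true;
            distinct++;
        }
    }
    return distinct;
}
```

Without the namespace in the hash, identical tuples from every container land in one bucket, which is both a lookup-cost problem and a way for one namespace to degrade another's table; without net_eq() on the lookup side, a collision returns a conntrack that belongs to a different namespace.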
presented during the NetDev 1.1 [2].
Only IPv4 is supported at this time.
[1] http://git.osmocom.org/openggsn/
[2] http://www.netdevconf.org/1.1/proceedings/slides/schultz-welte-osmocom-gtp.pdf
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
v2: Rebase on top of current HEAD to r
On Fri, May 06, 2016 at 04:32:38PM +0900, Simon Horman wrote:
> Hi Pablo,
>
> please consider these enhancements to the IPVS. They allow its
> DoS mitigation strategy to be effective in conjunction with the SIP persistence
> engine.
>
> The following changes since commit
presented during the NetDev 1.1 [2].
Only IPv4 is supported at this time.
[1] http://git.osmocom.org/openggsn/
[2] http://www.netdevconf.org/1.1/proceedings/slides/schultz-welte-osmocom-gtp.pdf
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
drivers/net/Kconfig
Hi Joe,
On Thu, May 05, 2016 at 03:50:37PM -0700, Joe Stringer wrote:
> diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
> index 3b40ec575cd5..6860b19be406 100644
> --- a/net/netfilter/nf_conntrack_helper.c
> +++ b/net/netfilter/nf_conntrack_helper.c
> @@
On Thu, Apr 28, 2016 at 07:13:39PM +0200, Florian Westphal wrote:
> [ CCing netdev so netns folks can have a look too ]
>
> This patch series removes the per-netns connection tracking tables.
> All conntrack objects are then stored in one global table.
>
> This avoids the infamous
On Wed, May 04, 2016 at 12:27:36AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > > - if (NF_CT_DIRECTION(hash))
> > > - goto release;
> > > - if (nf_ct_l3num(ct) != AF_INET)
> >
On Thu, Apr 28, 2016 at 07:13:39PM +0200, Florian Westphal wrote:
> [ CCing netdev so netns folks can have a look too ]
>
> This patch series removes the per-netns connection tracking tables.
> All conntrack objects are then stored in one global table.
>
> This avoids the infamous
On Tue, May 03, 2016 at 08:12:50PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 28, 2016 at 07:13:44PM +0200, Florian Westphal wrote:
> > The iteration process is lockless, so we test if the conntrack object is
> > eligible for printing (e.g. is AF_INET) after obtaining the refe
On Tue, May 03, 2016 at 07:55:59PM +0200, Florian Westphal wrote:
> > Otherwise, every time we'll go container destruction path, we'll hit
> > slow path, ie. scanning the full table.
>
> Yes, but I see no other choice.
Fair enough, will place this in nf-next, thanks.
On Thu, Apr 28, 2016 at 07:13:44PM +0200, Florian Westphal wrote:
> The iteration process is lockless, so we test if the conntrack object is
> eligible for printing (e.g. is AF_INET) after obtaining the reference
> count.
>
> Once we put all conntracks into same hash table we might see more
>
On Tue, May 03, 2016 at 07:17:44PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > On Thu, Apr 28, 2016 at 07:13:42PM +0200, Florian Westphal wrote:
> > > Once we place all conntracks into same table iteration becomes more
> > >
On Thu, Apr 28, 2016 at 07:13:42PM +0200, Florian Westphal wrote:
> Once we place all conntracks into same table iteration becomes more
> costly because the table contains conntracks that we are not interested
> in (belonging to other netns).
>
> So don't bother scanning if the current namespace
On Wed, Apr 20, 2016 at 12:46:31PM +1000, Simon Horman wrote:
> Hi Pablo,
>
> please consider these enhancements to the IPVS. They allow SIP connections
> originating from real-servers to be load balanced by the SIP persistence
> engine as is already implemented in the other direction. And for
From: Florian Westphal <f...@strlen.de>
The three variants use same copy code, condense this into a
helper and use that.
Make sure info.name is 0-terminated.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
inclu
rchain ]:
Before:
real0m24.874s
user0m7.532s
sys 0m16.076s
After:
real0m27.464s
user0m7.436s
sys 0m18.840s
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 16
From: Florian Westphal <f...@strlen.de>
32bit rulesets have different layout and alignment requirements, so once
more integrity checks get added to xt_check_entry_offsets it will reject
well-formed 32bit rulesets.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo
rgets get checked/validated.
Thus we also need to check for verdict presence here, else t->verdict
can point right after a blob.
Spotted with UBSAN while testing malformed blobs.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.or
;
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_labels.h | 4 ++--
net/netfilter/nf_conntrack_labels.c | 9 +
net/netfilter/nft_ct.c | 2 ++
net/netfilter/xt_connlabel.c| 2 +-
net/openv
From: Florian Westphal <f...@strlen.de>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv6/netfilter/ip6_tables.c | 59 +
1 file changed, 24 insertions(+), 35 deletions(-)
From: Florian Westphal <f...@strlen.de>
Always returned 0.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/x_tables.h | 2 +-
net/ipv4/netfilter/arp_tables.c| 17 +
From: Florian Westphal <f...@strlen.de>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 82 ++---
1 file changed, 36 insertions(+), 46 deletions(-)
;
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 8 +---
net/ipv4/netfilter/ip_tables.c | 4
net/ipv6/netfilter/ip6_tables.c | 4
3 files changed, 13 insertions(+), 3 deletions(-
rian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_labels.c | 16 ++--
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_conntrack_labels.c b/net/netfilter/nf_conntrack_labels.c
i
hal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_labels.h | 1 -
net/netfilter/nf_conntrack_labels.c | 19 +--
net/netfilter/xt_connlabel.c| 12 +++-
3 files changed, 12
se structure size from the delta.
We also need the e->elems pointer in a followup change to validate matches.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/x_tables.h | 4 ++--
net/ipv4/net
From: Florian Westphal <f...@strlen.de>
commit 9e67d5a739327c44885adebb4f3a538050be73e4
("[NETFILTER]: x_tables: remove obsolete overflow check") left the
compat parts alone, but we can kill it there as well.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by:
imit --limit 1/s -j CHAIN0003
shows no noticeable differences in restore times:
old: 0m30.796s
new: 0m31.521s
64bit: 0m25.674s
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 114 ++--
From: Florian Westphal <f...@strlen.de>
Since 'netfilter: x_tables: validate targets of jumps' change we
validate that the target aligns exactly with beginning of a rule,
so offset test is now redundant.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Nei
bit arg to 'highest used'
netfilter: conntrack: don't acquire lock during seq_printf
Pablo Neira Ayuso (2):
netfilter: ctnetlink: remove unnecessary inlining
netfilter: ctnetlink: restore inlining for netlink message size
calculation
include/linux/netfilter/x_tables.h
added a
BUILD_BUG_ON just in case we have an arch that adds padding as well.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/x_tables.c | 81 +---
1 file changed, 76 insertio
To avoid adding new tests to all of ip/ip6/arptables move the current
checks into a helper, then extend this helper in followup patches.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter/x_tables.
y, etc.) and the current
incarnation is short just fold its contents into the callers.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 19 ---
net/ipv4/netfilter
and
CONFIG_NETFILTER_NETLINK_GLUE_CT are not set.
Fixes: 4054ff45454a9a4 ("netfilter: ctnetlink: remove unnecessary inlining")
Reported-by: Stephen Rothwell <s...@canb.auug.org.au>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Acked-by: Arnd Bergmann <a...@arndb.de>
---
net/netf
From: Florian Westphal <f...@strlen.de>
read access doesn't need any lock here.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_proto_sctp.c | 8 +---
net/netfilter/nf_conntrac
From: Florian Westphal <f...@strlen.de>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/ipv4/netfilter/ip_tables.c | 59 +-
1 file changed, 24 insertions(+), 35 deletions(-)
Many of these functions are called from control plane path. Move
ctnetlink_nlmsg_size() under CONFIG_NF_CONNTRACK_EVENTS to avoid a
compilation warning when CONFIG_NF_CONNTRACK_EVENTS=n.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c
From: Florian Westphal <f...@strlen.de>
The target size includes the size of the xt_entry_target struct.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/x_tables.c | 3 +++
1 file changed, 3 inserti
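Worked example, added here and not code from the series or from the kernel, for the x_tables blob-validation commits listed above (offset checks moved into one helper, target size counting the xt_entry_target header, a verdict that must be present rather than read from right after the blob, and jump targets that must align exactly with the beginning of a rule). The structures, the error codes and every function below are this example's own simplified model of an iptables-style ruleset, not the kernel's layout or API; the blobs exercised in the usage are constructed in place.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Simplified rule layout: a header, then matches, then the target. Offsets
 * are relative to the rule. A non-negative verdict is an absolute offset
 * into the blob (a jump); a negative one is a built-in decision. */
struct rule_hdr {
    uint16_t target_offset;
    uint16_t next_offset;
};

struct target_hdr {
    uint16_t size;      /* counts this header as well as the target data */
    char     name[8];   /* "" marks the standard target, which carries a verdict */
};

struct std_target {
    struct target_hdr hdr;
    int32_t verdict;
};

enum { XT_OK = 0, XT_EOFFSETS, XT_ETARGET_SIZE, XT_ENOVERDICT, XT_EBADJUMP, XT_ETOOMANY };

#define MAX_RULES 32

/* Per-rule checks: the target header lies inside the rule, the declared
 * target size includes its header and fits the rule, and a standard target
 * is large enough to hold its verdict. */
static int check_entry_offsets(const uint8_t *blob, size_t len, size_t off)
{
    const struct rule_hdr *e = (const struct rule_hdr *)(blob + off);
    const struct target_hdr *t;

    if (off + sizeof(*e) > len)
        return XT_EOFFSETS;
    if (e->target_offset < sizeof(*e) ||
        e->target_offset + sizeof(*t) > e->next_offset ||
        off + e->next_offset > len)
        return XT_EOFFSETS;
    t = (const struct target_hdr *)(blob + off + e->target_offset);
    if (t->size < sizeof(*t) || e->target_offset + t->size > e->next_offset)
        return XT_ETARGET_SIZE;
    if (t->name[0] == '\0' && t->size < sizeof(struct std_target))
        return XT_ENOVERDICT;
    return XT_OK;
}

/* Walk the blob: record every rule start, then require that each jump
 * verdict lands exactly on one of those starts, never inside a rule. */
int validate_blob(const uint8_t *blob, size_t len)
{
    size_t starts[MAX_RULES];
    size_t n = 0, off, i, j;

    for (off = 0; off < len; ) {
        int err = check_entry_offsets(blob, len, off);

        if (err)
            return err;
        if (n == MAX_RULES)
            return XT_ETOOMANY;
        starts[n++] = off;
        off += ((const struct rule_hdr *)(blob + off))->next_offset;
    }
    for (i = 0; i < n; i++) {
        const struct rule_hdr *e = (const struct rule_hdr *)(blob + starts[i]);
        const struct std_target *t =
            (const struct std_target *)(blob + starts[i] + e->target_offset);
        bool aligned = false;

        if (t->hdr.name[0] != '\0' || t->verdict < 0)
            continue;
        for (j = 0; j < n; j++)
            if (starts[j] == (size_t)t->verdict) {
                aligned = true;
                break;
            }
        if (!aligned)
            return XT_EBADJUMP;
    }
    return XT_OK;
}

/* Constructed-blob helper: append one rule carrying a standard target and
 * return the rule's offset so a later rule can jump to it. */
size_t emit_std_rule(uint8_t *buf, size_t *pos, int32_t verdict)
{
    size_t start = *pos;
    struct rule_hdr e = { .target_offset = sizeof(struct rule_hdr),
                          .next_offset = sizeof(struct rule_hdr) + sizeof(struct std_target) };
    struct std_target t = { .hdr = { .size = sizeof(struct std_target) }, .verdict = verdict };

    memcpy(buf + *pos, &e, sizeof(e));
    memcpy(buf + *pos + sizeof(e), &t, sizeof(t));
    *pos += e.next_offset;
    return start;
}
```

Each rejected case below corresponds to a class of malformed blob a user with CAP_NET_ADMIN in a namespace could hand to the setsockopt path: a target whose size is smaller than its own header, a standard target cut off before its verdict, and a jump that points into the middle of another rule.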
On Mon, Apr 18, 2016 at 10:04:43PM +0200, Arnd Bergmann wrote:
> On Monday 18 April 2016 20:43:36 Pablo Neira Ayuso wrote:
> > On Mon, Apr 18, 2016 at 08:33:15PM +0200, Arnd Bergmann wrote:
> > > On Monday 18 April 2016 20:16:59 Pablo Neira Ayuso wrote:
> > > > On S
On Mon, Apr 18, 2016 at 08:33:15PM +0200, Arnd Bergmann wrote:
> On Monday 18 April 2016 20:16:59 Pablo Neira Ayuso wrote:
> > On Sat, Apr 16, 2016 at 10:17:43PM +0200, Arnd Bergmann wrote:
> > > A recent patch removed many 'inline' annotations for static
> > > functi
On Thu, Apr 14, 2016 at 05:35:39PM -0700, Joe Stringer wrote:
> On 14 April 2016 at 03:35, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > On Thu, Apr 14, 2016 at 10:40:15AM +0200, Florian Westphal wrote:
> >> David Laight <david.lai...@aculab.com> wrote:
> >
On Sat, Apr 16, 2016 at 10:17:43PM +0200, Arnd Bergmann wrote:
> A recent patch removed many 'inline' annotations for static
> functions in this file, which has caused warnings for functions
> that are not used in a given configuration, in particular when
> CONFIG_NF_CONNTRACK_EVENTS is disabled:
On Thu, Apr 14, 2016 at 10:40:15AM +0200, Florian Westphal wrote:
> David Laight wrote:
> > From: Joe Stringer
> > > Sent: 13 April 2016 19:10
> > > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always
> > > orphan skbs inside ip_defrag()").
> > >
> >
Hi David,
The following patchset contains Netfilter fixes for your net tree. More
specifically, they are:
1) Fix missing filter table per-netns registration in arptables, from
Florian Westphal.
2) Resolve out of bound access when parsing TCP options in
nf_conntrack_tcp, patch from Jozsef