[PATCH 0/7] Netfilter fixes for net

. Biederman (1): netfilter: nf_queue: Make the queue_handler pernet Florian Westphal (2): netfilter: nfnetlink_queue: fix timestamp attribute netfilter: conntrack: remove leftover binary sysctl define Pablo Neira Ayuso (1): netfilter: nf_ct_helper: bail out on duplicated

[PATCH 7/7] netfilter: nf_ct_helper: bail out on duplicated helpers

-by: Feng Gao <gfree.w...@gmail.com> Reported-by: Taehee Yoo <ap420...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_helper.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntra

[PATCH 5/7] netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags

824a ("netfilter: factor out packet duplication for IPv4/IPv6") the flowi6_flags update was lost. This commit re-add it just before the routing decision. Fixes: bbde9fc1824a ("netfilter: factor out packet duplication for IPv4/IPv6") Signed-off-by: Paolo Abeni <pab...@redhat.co

[PATCH 1/7] netfilter: nfnetlink_queue: fix timestamp attribute

rian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_queue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index cb5b630..e34256

[PATCH 2/7] netfilter: conntrack: remove leftover binary sysctl define

From: Florian Westphal <f...@strlen.de> Users got removed in f8572d8f2a2ba ("sysctl net: Remove unused binary sysctl code"). Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_standal

[PATCH 6/7] netfilter: nf_tables: validate NFTA_SET_TABLE parameter

; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 2011977..6947e25 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_table

Re: [PATCH] netfilter: fix possible ZERO_SIZE_PTR pointerdereferencing error.

On Wed, Jun 01, 2016 at 05:52:59PM +0800, Xiubo Li wrote: > >> net/netfilter/x_tables.c | 3 +++ > >> 1 file changed, 3 insertions(+) > >> > >>diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > >>index c8a0b7d..4df8e38 100644 > >>--- a/net/netfilter/x_tables.c > >>+++

Re: [PATCH] netfilter: fix possible ZERO_SIZE_PTR pointer dereferencing error.

On Wed, Jun 01, 2016 at 04:34:28PM +0800, Xiubo Li wrote: > Since we cannot make sure the 'hook_mask' will always be none zero > here. If it equals to zero, the num_hooks will be zero too, and then > kmalloc() will return ZERO_SIZE_PTR, which is (void *)16. > > Then the following error check will

Re: [PATCH] nf_queue: Make the queue_handler pernet

On Fri, May 13, 2016 at 09:18:52PM -0500, Eric W. Biederman wrote: > > Florian Weber reported: > > Under full load (unshare() in loop -> OOM conditions) we can > > get kernel panic: > > > > BUG: unable to handle kernel NULL pointer dereference at 0008 > > IP: []

Re: [PATCH net] netfilter: nf_conntrack: Use net_mutex for helper unregistration.

Cc'ing Eric Biederman. On Mon, May 16, 2016 at 09:38:53PM -0700, Joe Stringer wrote: > On 6 May 2016 at 04:03, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > Hi Joe, > > > > On Thu, May 05, 2016 at 03:50:37PM -0700, Joe Stringer wrote: > >> diff --git a

[PATCH net-next] gtp: put back reference to netns when not required anymore

This patch fixes a netns leak. Fixes: 93edb8c7f94f ("gtp: reload GTPv1 header after pskb_may_pull()") Reported-by: Cong Wang <xiyou.wangc...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- drivers/net/gtp.c | 15 --- 1 file changed, 12 inse

Re: [PATCH nf-next] netfilter: allow logging from non-init namespaces

Hi Michal, On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote: > Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for > xt_LOG") disabled logging packets using the LOG target from non-init > namespaces. The motivation was to prevent containers from flooding > kernel

Re: [PATCH nf V2] netfilter: fix oops in nfqueue during netns error unwinding

On Wed, May 11, 2016 at 05:41:13PM +0200, Florian Westphal wrote: > diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c > index 5baa8e2..9722819 100644 > --- a/net/netfilter/nf_queue.c > +++ b/net/netfilter/nf_queue.c > @@ -102,6 +102,13 @@ void nf_queue_nf_hook_drop(struct net *net,

[PATCH net-next] gtp: reload GTPv1 header after pskb_may_pull()

ot;) Reported-by: Eric Dumazet <eric.duma...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- drivers/net/gtp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index 8ce1104..f7caf1e 100644 --- a/drivers/net/gtp.c +++ b/dr

Re: [PATCH nf-next,v2] gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)

On Tue, May 10, 2016 at 10:16:33AM -0700, Tom Herbert wrote: > On Tue, May 10, 2016 at 9:27 AM, David Miller <da...@davemloft.net> wrote: > > From: Pablo Neira Ayuso <pa...@netfilter.org> > > Date: Mon, 9 May 2016 00:55:48 +0200 > > > >> This is an

Re: [PATCH] netfilter: conntrack: remove uninitialized shadow variable

enum ip_conntrack_info ctinfo; > > The problem is that a local variable shadows the function parameter. > This removes the local variable, which looks like what Pablo originally > intended. Acked-by: Pablo Neira Ayuso <pa...@netfilter.org> Sorry for this, I wonder why gcc didn'

[PATCH 1/3] netfilter: conntrack: init all_locks to avoid debug warning

From: Florian Westphal <f...@strlen.de> Else we get 'BUG: spinlock bad magic on CPU#' on resize when spin lock debugging is enabled. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_cor

[PATCH 3/3] netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter

ff-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_acct.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c index 4c2b4c0..dbd0803 100644 --- a/net/netfilter/nfnetlink_acct.c +++ b/net/netfilter/nfnetli

[PATCH 0/3] Netfilter fixes for net

Hi David, The following patchset contain Netfilter simple fixes for your net tree, two one-liner and one two-liner: 1) Oneliner to fix missing spinlock definition that triggers 'BUG: spinlock bad magic on CPU#' when spinlock debugging is enabled, from Florian Westphal. 2) Fix missing

[PATCH 2/3] netfilter: IDLETIMER: fix race condition when destroy the target

From: Liping Zhang <liping.zh...@spreadtrum.com> Workqueue maybe still in running while we destroy the IDLETIMER target, thus cause a use after free error, add cancel_work_sync() to avoid such situation. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo

[PATCH 26/36] netfilter: conntrack: introduce clash resolution on insertion race

for this situation, after this patch, the drop counter is bumped whenever we drop packets, so we can watch for unresolved clashes. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_l4proto.h | 3 ++ net/netfilter/nf_conntrack_core.c

[PATCH 23/36] netfilter: conntrack: consider ct netns in early_drop logic

scribe' the affected/overlimit netns. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c | 43 +++ 1 file changed, 25 insertions(+), 18 deletions(-) diff --g

[PATCH 13/36] netfilter: fix IS_ERR_VALUE usage

http://patchwork.ozlabs.org/patch/582970/ This patch has clashed with input validation fixes for x_tables. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/x_tables.h | 6 +++--- net/ipv4/netfilter/arp_tables.c| 6 -- net/ipv4/netfilter/ip_tables.c | 6

[PATCH 04/36] netfilter: conntrack: move generation seqcnt out of netns_ct

nstead. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netns/conntrack.h | 1 - net/netfilter/nf_conntrack_core.c | 20 +++- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a

[PATCH 20/36] netfilter: conntrack: check netns when comparing conntrack objects

From: Florian Westphal <f...@strlen.de> Once we place all conntracks in the same hash table we must also compare the netns pointer to skip conntracks that belong to a different namespace. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 10/36] netfilter: nft_rbtree: allow adjacent intervals with dynamic updates

if node extensions are equal and make sure we keep the existing internal states around. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_rbtree.c | 40 +++- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/net/net

[PATCH 00/36] Netfilter updates for net-next

drop_entry protection effective for SIP-pe Pablo Neira Ayuso (14): netfilter: nf_tables: introduce nft_setelem_parse_flags() helper netfilter: nf_tables: parse element flags from nft_del_setelem() netfilter: nft_rbtree: introduce nft_rbtree_interval_end() helper netfilter:

[PATCH 21/36] netfilter: conntrack: make netns address part of hash

From: Florian Westphal <f...@strlen.de> Once we place all conntracks into a global hash table we want them to be spread across entire hash table, even if namespaces have overlapping ip addresses. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Nei

[PATCH 29/36] netfilter: nf_tables: allow set names up to 32 bytes

Currently, we support set names of up to 16 bytes, get this aligned with the maximum length we can use in ipset to make it easier when considering migration to nf_tables. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h| 2 +- includ

[PATCH 05/36] netfilter: conntrack: use get_random_once for nat and expectations

From: Florian Westphal <f...@strlen.de> Use a private seed and init it using get_random_once. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_expect.c | 7 +++ net/netfilter/nf_nat_

[PATCH 08/36] netfilter: nf_tables: parse element flags from nft_del_setelem()

Parse flags and pass them to the set via ->deactivate() to check if we remove the right element from the intervals. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 38 +- 1 file changed, 33 insertions(+), 5

[PATCH 07/36] netfilter: nf_tables: introduce nft_setelem_parse_flags() helper

This function parses the set element flags, thus, we can reuse the same handling when deleting elements. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 34 ++ 1 file changed, 22 insertions(+), 12 deletions(-) diff

[PATCH 34/36] netfilter: conntrack: make netns address part of nat bysrc hash

From: Florian Westphal <f...@strlen.de> Will be needed soon when we place all in the same hash table. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_nat_core.c | 6 +++--- 1 file changed, 3 insertio

[PATCH 25/36] netfilter: conntrack: introduce nf_ct_acct_update()

Introduce a helper function to update conntrack counters. __nf_ct_kill_acct() was unnecessarily subtracting skb_network_offset() that is expected to be zero from the ipv4/ipv6 hooks. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.

[PATCH 02/36] ipvs: optimize release of connections in OPS mode

From: Marco Angaroni One-packet-scheduling is the most expensive mode in IPVS from performance point of view: for each packet to be processed a new connection data structure is created and, after packet is sent, deleted by starting a new timer set to expire immediately.

[PATCH 28/36] netfilter: x_tables: get rid of old and inconsistent debugging

that are inconsistently placed in the code. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 217 ++- net/ipv4/netfilter/ip_tables.c | 244 +++- net/ipv6/netfilter/ip6_tables.c

[PATCH 22/36] netfilter: conntrack: use a single hashtable for all namespaces

espace on a 64bit system. NAT bysrc and expectation hash is still per namespace, those will changed too soon. Future patch will also make conntrack object slab cache global again. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- inc

[PATCH 03/36] ipvs: don't alter conntrack in OPS mode

From: Marco Angaroni When using OPS mode in conjunction with SIP persistent-engine, packets originating from the same ip-address/port could be balanced to different real servers, and (to properly handle SIP responses) OPS connections are created in the in-out direction

[PATCH 15/36] netfilter: conntrack: keep BH enabled during lookup

From: Florian Westphal <f...@strlen.de> No need to disable BH here anymore: stats are switched to _ATOMIC variant (== this_cpu_inc()), which nowadays generates same code as the non _ATOMIC NF_STAT, at least on x86. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by:

[PATCH 16/36] netfilter: conntrack: fix lookup race during hash resize

n.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c | 24 +++- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 1b63359..29fa08b 10064

[PATCH 17/36] netfilter: conntrack: don't attempt to iterate over empty table

ed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 29fa08b..f2e75a5 100644 -

[PATCH 11/36] netfilter: nf_ct_helper: disable automatic helper assignment

secure way to configure iptables and connection tracking helpers through explicit rules. Give the time we have waited for this, let's turn off this by default now, worse case users still have a chance to recover the former behaviour by explicitly enabling this back through sysctl. Signed-off-by: P

[PATCH 14/36] netfilter: nftables: add connlabel set support

t. Labels (bits) already set thus cannot be re-set to zero, but this is not supported by xtables connlabel match either. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_ct.c | 30 +

[PATCH 33/36] netfilter: conntrack: use a single expectation table for all namespaces

; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_expect.h| 1 + include/net/netns/conntrack.h | 1 - .../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 6 ++-- net/netfilter/nf_conntrack_expect.c

[PATCH 19/36] netfilter: conntrack: small refactoring of conntrack seq_printf

since they are not part of the listing. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- .../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 24 +- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/

[PATCH 01/36] ipvs: handle connections started by real-servers

From: Marco Angaroni When using LVS-NAT and SIP persistence-egine over UDP, the following limitations are present with current implementation: 1) To actually have load-balancing based on Call-ID header, you need to use one-packet-scheduling mode. But with

[PATCH 35/36] netfilter: conntrack: use a single nat bysource table for all namespaces

From: Florian Westphal <f...@strlen.de> We already include netns address in the hash, so we only need to use net_eq in find_appropriate_src and can then put all entries into same table. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 32/36] netfilter: conntrack: make netns address part of expect hash

From: Florian Westphal <f...@strlen.de> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_expect.c | 17 ++--- 1 file changed, 10 insertions(+), 7 deletions(-) diff --g

[PATCH 06/36] netfilter: conntrack: use get_random_once for conntrack hash seed

From: Florian Westphal <f...@strlen.de> As earlier commit removed accessed to the hash from other files we can also make it static. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntr

[PATCH 31/36] netfilter: conntrack: check netns when walking expect hash

From: Florian Westphal <f...@strlen.de> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 3 +++ net/netfilter/nf_conntrack_expect.c | 19 ++

[PATCH 27/36] openvswitch: __nf_ct_l{3,4}proto_find() always return a valid pointer

If the protocol is not natively supported, this assigns generic protocol tracker so we can always assume a valid pointer after these calls. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Acked-by: Jarno Rajahalme <jrajaha...@nicira.com> Acked-by: Joe Stringer <j...@ov

[PATCH 09/36] netfilter: nft_rbtree: introduce nft_rbtree_interval_end() helper

Add this new nft_rbtree_interval_end() helper function to check in the end interval is set. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_rbtree.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nft_rbtree.c

[PATCH 12/36] netfilter: ip6t_SYNPROXY: unnecessary to check whether ip6_route_output returns NULL

From: Liping Zhang <liping.zh...@spreadtrum.com> ip6_route_output() will never return a NULL pointer, so there's no need to check it. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv6/netfilter/ip6t_SY

[PATCH 18/36] netfilter: conntrack: use nf_ct_key_equal() in more places

extend it to also consider net_eq. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c | 29 +++-- 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/net/netfilter/n

[PATCH 30/36] ipvs: make drop_entry protection effective for SIP-pe

From: Marco Angaroni DoS protection policy that deletes connections to avoid out of memory is currently not effective for SIP-pe plus OPS-mode for two reasons: 1) connection templates (holding SIP call-id) are always skipped in ip_vs_random_dropentry() 2)

[PATCH 24/36] netfilter: conntrack: __nf_ct_l4proto_find() always returns valid pointer

Remove unnecessary check for non-nul pointer in destroy_conntrack() given that __nf_ct_l4proto_find() returns the generic protocol tracker if the protocol is not supported. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_core.c | 2 +- 1 file chan

[PATCH 36/36] netfilter: conntrack: use single slab cache

From: Florian Westphal <f...@strlen.de> An earlier patch changed lookup side to also net_eq() namespaces after obtaining a reference on the conntrack, so a single kmemcache can be used. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH nf-next,v2] gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)

presented during the NetDev 1.1 [2]. Only IPv4 is supported at this time. [1] http://git.osmocom.org/openggsn/ [2] http://www.netdevconf.org/1.1/proceedings/slides/schultz-welte-osmocom-gtp.pdf Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- v2: Rebase on top of current HEAD to r

Re: [GIT PULL nf-next 0/1] Second Round of IPVS Updates for v4.7

On Fri, May 06, 2016 at 04:32:38PM +0900, Simon Horman wrote: > Hi Pablo, > > please consider these enhancements to the IPVS. They allow its > DoS mitigation strategy effective in conjunction with the SIP persistence > engine. > > The following changes since commit

[PATCH net-next] gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)

presented during the NetDev 1.1 [2]. Only IPv4 is supported at this time. [1] http://git.osmocom.org/openggsn/ [2] http://www.netdevconf.org/1.1/proceedings/slides/schultz-welte-osmocom-gtp.pdf Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- drivers/net/Kconfig

Re: [PATCH net] netfilter: nf_conntrack: Use net_mutex for helper unregistration.

Hi Joe, On Thu, May 05, 2016 at 03:50:37PM -0700, Joe Stringer wrote: > diff --git a/net/netfilter/nf_conntrack_helper.c > b/net/netfilter/nf_conntrack_helper.c > index 3b40ec575cd5..6860b19be406 100644 > --- a/net/netfilter/nf_conntrack_helper.c > +++ b/net/netfilter/nf_conntrack_helper.c > @@

Re: [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

On Thu, Apr 28, 2016 at 07:13:39PM +0200, Florian Westphal wrote: > [ CCing netdev so netns folks can have a look too ] > > This patch series removes the per-netns connection tracking tables. > All conntrack objects are then stored in one global global table. > > This avoids the infamous

Re: [PATCH nf-next 5/9] netfilter: conntrack: small refactoring of conntrack seq_printf

On Wed, May 04, 2016 at 12:27:36AM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > > - if (NF_CT_DIRECTION(hash)) > > > - goto release; > > > - if (nf_ct_l3num(ct) != AF_INET) > >

Re: [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

On Thu, Apr 28, 2016 at 07:13:39PM +0200, Florian Westphal wrote: > [ CCing netdev so netns folks can have a look too ] > > This patch series removes the per-netns connection tracking tables. > All conntrack objects are then stored in one global global table. > > This avoids the infamous

Re: [PATCH nf-next 5/9] netfilter: conntrack: small refactoring of conntrack seq_printf

On Tue, May 03, 2016 at 08:12:50PM +0200, Pablo Neira Ayuso wrote: > On Thu, Apr 28, 2016 at 07:13:44PM +0200, Florian Westphal wrote: > > The iteration process is lockless, so we test if the conntrack object is > > eligible for printing (e.g. is AF_INET) after obtaining the refe

Re: [PATCH nf-next 3/9] netfilter: conntrack: don't attempt to iterate over empty table

On Tue, May 03, 2016 at 07:55:59PM +0200, Florian Westphal wrote: > > Otherwise, every time we'll go container destruction path, we'll hit > > slow path, ie. scanning the full table. > > Yes, but I see no other choice. Fair enough, will place this in nf-next, thanks.

Re: [PATCH nf-next 5/9] netfilter: conntrack: small refactoring of conntrack seq_printf

On Thu, Apr 28, 2016 at 07:13:44PM +0200, Florian Westphal wrote: > The iteration process is lockless, so we test if the conntrack object is > eligible for printing (e.g. is AF_INET) after obtaining the reference > count. > > Once we put all conntracks into same hash table we might see more >

Re: [PATCH nf-next 3/9] netfilter: conntrack: don't attempt to iterate over empty table

On Tue, May 03, 2016 at 07:17:44PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > On Thu, Apr 28, 2016 at 07:13:42PM +0200, Florian Westphal wrote: > > > Once we place all conntracks into same table iteration becomes more > > >

Re: [PATCH nf-next 3/9] netfilter: conntrack: don't attempt to iterate over empty table

On Thu, Apr 28, 2016 at 07:13:42PM +0200, Florian Westphal wrote: > Once we place all conntracks into same table iteration becomes more > costly because the table contains conntracks that we are not interested > in (belonging to other netns). > > So don't bother scanning if the current namespace

Re: [GIT PULL nf-next 0/3] IPVS Updates for v4.6

On Wed, Apr 20, 2016 at 12:46:31PM +1000, Simon Horman wrote: > Hi Pablo, > > please consider these enhancements to the IPVS. They allow SIP connections > originating from real-servers to be load balanced by the SIP psersitence > engine as is already implemented in the other direction. And for

[PATCH 17/23] netfilter: x_tables: introduce and use xt_copy_counters_from_user

From: Florian Westphal <f...@strlen.de> The three variants use same copy code, condense this into a helper and use that. Make sure info.name is 0-terminated. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- inclu

[PATCH 02/23] netfilter: x_tables: validate targets of jumps

rchain ]: Before: real0m24.874s user0m7.532s sys 0m16.076s After: real0m27.464s user0m7.436s sys 0m18.840s Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 16

[PATCH 06/23] netfilter: x_tables: add compat version of xt_check_entry_offsets

From: Florian Westphal <f...@strlen.de> 32bit rulesets have different layout and alignment requirements, so once more integrity checks get added to xt_check_entry_offsets it will reject well-formed 32bit rulesets. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo

[PATCH 07/23] netfilter: x_tables: check standard target size too

rgets get checked/validated. Thus we also need to check for verdict presence here, else t->verdict can point right after a blob. Spotted with UBSAN while testing malformed blobs. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.or

[PATCH 21/23] netfilter: connlabels: change nf_connlabels_get bit arg to 'highest used'

; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_labels.h | 4 ++-- net/netfilter/nf_conntrack_labels.c | 9 + net/netfilter/nft_ct.c | 2 ++ net/netfilter/xt_connlabel.c| 2 +- net/openv

[PATCH 11/23] netfilter: ip6_tables: simplify translate_compat_table args

From: Florian Westphal <f...@strlen.de> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv6/netfilter/ip6_tables.c | 59 + 1 file changed, 24 insertions(+), 35 deletions(-)

[PATCH 13/23] netfilter: x_tables: xt_compat_match_from_user doesn't need a retval

From: Florian Westphal <f...@strlen.de> Always returned 0. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/x_tables.h | 2 +- net/ipv4/netfilter/arp_tables.c| 17 +

[PATCH 12/23] netfilter: arp_tables: simplify translate_compat_table args

From: Florian Westphal <f...@strlen.de> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 82 ++--- 1 file changed, 36 insertions(+), 46 deletions(-)

[PATCH 01/23] netfilter: x_tables: don't move to non-existent next rule

; Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 8 +--- net/ipv4/netfilter/ip_tables.c | 4 net/ipv6/netfilter/ip6_tables.c | 4 3 files changed, 13 insertions(+), 3 deletions(-

[PATCH 20/23] netfilter: labels: don't emit ct event if labels were not changed

rian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_labels.c | 16 ++-- 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_conntrack_labels.c b/net/netfilter/nf_conntrack_labels.c i

[PATCH 19/23] netfilter: connlabels: move helpers to xt_connlabel

hal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_labels.h | 1 - net/netfilter/nf_conntrack_labels.c | 19 +-- net/netfilter/xt_connlabel.c| 12 +++- 3 files changed, 12

[PATCH 08/23] netfilter: x_tables: check for bogus target offset

se structure size from the delta. We also need the e->elems pointer in a followup change to validate matches. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/x_tables.h | 4 ++-- net/ipv4/net

[PATCH 15/23] netfilter: x_tables: remove obsolete overflow check for compat case too

From: Florian Westphal <f...@strlen.de> commit 9e67d5a739327c44885adebb4f3a538050be73e4 ("[NETFILTER]: x_tables: remove obsolete overflow check") left the compat parts alone, but we can kill it there as well. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by:

[PATCH 14/23] netfilter: x_tables: do compat validation via translate_table

imit --limit 1/s -j CHAIN0003 shows no noticeable differences in restore times: old: 0m30.796s new: 0m31.521s 64bit: 0m25.674s Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 114 ++--

[PATCH 16/23] netfilter: x_tables: remove obsolete check

From: Florian Westphal <f...@strlen.de> Since 'netfilter: x_tables: validate targets of jumps' change we validate that the target aligns exactly with beginning of a rule, so offset test is now redundant. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Nei

[PATCH 00/23] Netfilter updates for net-next

bit arg to 'highest used' netfilter: conntrack: don't acquire lock during seq_printf Pablo Neira Ayuso (2): netfilter: ctnetlink: remove unnecessary inlining netfilter: ctnetlink: restore inlining for netlink message size calculation include/linux/netfilter/x_tables.h

[PATCH 09/23] netfilter: x_tables: validate all offsets and sizes in a rule

added a BUILD_BUG_ON just in case we have an arch that adds padding as well. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/x_tables.c | 81 +--- 1 file changed, 76 insertio

[PATCH 03/23] netfilter: x_tables: add and use xt_check_entry_offsets

To avoid adding new tests to all of ip/ip6/arptables move the current checks into a helper, then extend this helper in followup patches. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/x_tables.

[PATCH 04/23] netfilter: x_tables: kill check_entry helper

y, etc.) and the current incarnation is short just fold its contents into the callers. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/arp_tables.c | 19 --- net/ipv4/netfilter

[PATCH 22/23] netfilter: ctnetlink: restore inlining for netlink message size calculation

and CONFIG_NETFILTER_NETLINK_GLUE_CT are not set. Fixes: 4054ff45454a9a4 ("netfilter: ctnetlink: remove unnecessary inlining") Reported-by: Stephen Rothwell <s...@canb.auug.org.au> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Acked-by: Arnd Bergmann <a...@arndb.de> --- net/netf

[PATCH 23/23] netfilter: conntrack: don't acquire lock during seq_printf

From: Florian Westphal <f...@strlen.de> read access doesn't need any lock here. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_proto_sctp.c | 8 +--- net/netfilter/nf_conntrac

[PATCH 10/23] netfilter: ip_tables: simplify translate_compat_table args

From: Florian Westphal <f...@strlen.de> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/ip_tables.c | 59 +- 1 file changed, 24 insertions(+), 35 deletions(-)

[PATCH 18/23] netfilter: ctnetlink: remove unnecessary inlining

Many of these functions are called from control plane path. Move ctnetlink_nlmsg_size() under CONFIG_NF_CONNTRACK_EVENTS to avoid a compilation warning when CONFIG_NF_CONNTRACK_EVENTS=n. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c

[PATCH 05/23] netfilter: x_tables: assert minimum target size

From: Florian Westphal <f...@strlen.de> The target size includes the size of the xt_entry_target struct. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/x_tables.c | 3 +++ 1 file changed, 3 inserti

Re: [PATCH] netfilter: ctnetlink: add more #ifdef around unused code

On Mon, Apr 18, 2016 at 10:04:43PM +0200, Arnd Bergmann wrote: > On Monday 18 April 2016 20:43:36 Pablo Neira Ayuso wrote: > > On Mon, Apr 18, 2016 at 08:33:15PM +0200, Arnd Bergmann wrote: > > > On Monday 18 April 2016 20:16:59 Pablo Neira Ayuso wrote: > > > > On S

Re: [PATCH] netfilter: ctnetlink: add more #ifdef around unused code

On Mon, Apr 18, 2016 at 08:33:15PM +0200, Arnd Bergmann wrote: > On Monday 18 April 2016 20:16:59 Pablo Neira Ayuso wrote: > > On Sat, Apr 16, 2016 at 10:17:43PM +0200, Arnd Bergmann wrote: > > > A recent patch removed many 'inline' annotations for static > > > functi

Re: [PATCH nf] netfilter: ipv6: Orphan skbs in nf_ct_frag6_gather()

On Thu, Apr 14, 2016 at 05:35:39PM -0700, Joe Stringer wrote: > On 14 April 2016 at 03:35, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > On Thu, Apr 14, 2016 at 10:40:15AM +0200, Florian Westphal wrote: > >> David Laight <david.lai...@aculab.com> wrote: > >

Re: [PATCH] netfilter: ctnetlink: add more #ifdef around unused code

On Sat, Apr 16, 2016 at 10:17:43PM +0200, Arnd Bergmann wrote: > A recent patch removed many 'inline' annotations for static > functions in this file, which has caused warnings for functions > that are not used in a given configuration, in particular when > CONFIG_NF_CONNTRACK_EVENTS is disabled:

Re: [PATCH nf] netfilter: ipv6: Orphan skbs in nf_ct_frag6_gather()

On Thu, Apr 14, 2016 at 10:40:15AM +0200, Florian Westphal wrote: > David Laight wrote: > > From: Joe Stringer > > > Sent: 13 April 2016 19:10 > > > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always > > > orphan skbs inside ip_defrag()"). > > > > >

[PATCH 0/3] Netfilter fixes for net

Hi David, The following patchset contains Netfilter fixes for your net tree. More specifically, they are: 1) Fix missing filter table per-netns registration in arptables, from Florian Westphal. 2) Resolve out of bound access when parsing TCP options in nf_conntrack_tcp, patch from Jozsef

<    13   14   15   16   17   18   19   20   21   22   >