On Mon, Feb 25, 2019 at 07:27:43PM +0800, Xin Long wrote:
> sctp_csum_check() is called by sctp_s/dnat_handler() where it calls
> skb_make_writable() to ensure sctphdr to be linearized.
>
> So there's no need to get sctphdr by calling skb_header_pointer()
> in sctp_csum_check().
Applied, thanks.
On Mon, Feb 25, 2019 at 04:21:14PM -0800, David Ahern wrote:
> From: David Ahern
>
> Followup to a173f066c7cf ("netfilter: bridge: Don't sabotage nf_hook
> calls from an l3mdev"). Some packets (e.g., ndisc) do not have the skb
> device flipped to the l3mdev (e.g., VRF) device. Update ip_sabotage_
On Wed, Feb 27, 2019 at 10:19:10AM -0800, Sami Tolvanen wrote:
> Use struct device_attribute instead of struct idletimer_tg_attr, and
> the correct callback function type to avoid indirect call mismatches
> with Control Flow Integrity checking.
Applied, thanks.
From: Florian Westphal
None of these functions calls any external functions; moving them avoids
both the indirection and the need to export these symbols.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_nat_l3proto.h | 9 --
net/ipv4
From: Florian Westphal
We can now use direct calls.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_nat_l3proto.h | 9 -
net/netfilter/nf_nat_core.c| 17 -
net/netfilter/nf_nat_proto.c | 28
nda/commit/3b8384fc9f2941e2427f44c3aee29f561ed67894#diff-711e502fc81a65182c0954765b42919eR456
Signed-off-by: Florian Tham
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_amanda.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_amand
   text    data     bss     dec     hex filename
  16566    1576    4136   22278    5706 nf_nat.ko
   3187     844       0    4031     fbf nf_nat_ipv4.ko
   3598     844       0    4442    115a nf_nat_ipv6.ko
... so no drastic changes in combined size.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter
From: Florian Westphal
They are however frequently triggered by syzkaller, so remove them.
ebtables userspace should never trigger any of these, so there is little
value in making them pr_debug (or ratelimited).
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/bridge
rototypes are then removed as well.
v2: keep empty nf_nat_ipv6_csum_update stub for CONFIG_IPV6=n case.
v3: remove IS_ENABLED(NF_NAT_IPV4/6) tests, NF_NAT_IPVx toggles
are removed here.
v4: also get rid of the assignments in conditionals.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net
From: Florian Westphal
We can now use direct calls.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_nat_l3proto.h | 5 ---
net/netfilter/nf_nat_proto.c | 69 ++
2 files changed, 36 insertions(+), 38
From: Florian Westphal
After the ipv4/6 nat tracker merge there are no external callers, so
make the last function static and remove the header.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_nat_l4proto.h | 16
net/netfilter
extension.
Moreover, allocate one single operation instead of recycling them; this
comes at the cost of consuming a bit more memory per rule, but it
simplifies the infrastructure.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 3 +
net/netfilter/nf_tables_api.c | 7
t the proto argument from u8 to u16
netfilter: nf_tables: check the result of dereferencing base_chain->stats
netfilter: nf_conntrack: ensure that CONNTRACK_LOCKS is power of 2
Pablo Neira Ayuso (4):
netfilter: nft_compat: use .release_ops and remove list of extension
hashtable is never used for 2-byte keys, remove nft_hash_key().
Fixes: e240cd0df481 ("netfilter: nf_tables: place all set backends in one
single module")
Reported-by: Florian Westphal
Tested-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_set_h
From: Florian Westphal
We can now use direct calls.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_nat_l3proto.h | 7 +++
net/netfilter/nf_nat_helper.c | 12
net/netfilter/nf_nat_proto.c | 22
an Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack.h | 10 +-
net/netfilter/nf_conntrack_core.c| 9 -
2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h
b/include/net/netfilter/nf_conn
ned-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_set_hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 8d5611634a56..f4da3677bdfc 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
From: Florian Westphal
All l3proto function pointers have been removed.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_nat_l3proto.h | 8 -
net/netfilter/nf_nat_core.c| 54 --
net/netfilter
-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_nat.h | 39 +
include/net/netfilter/nf_nat_core.h | 29
include/net/netfilter/nf_nat_l3proto.h | 26 --
net/ipv4
ned-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_set_hash.c | 23 +++
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 339a9dd1c832..8d5611634a56 100644
--- a/net/netfilter/nft_set_hash.c
From: Li RongQing
Empty case is fine and does not switch fall-through
Signed-off-by: Li RongQing
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_nat_core.c| 2 +-
net/netfilter/nf_tables_core.c | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/netfilter
()
- ip_vs_genl_parse_service()
This patch does not change any functionality but makes the source
code slightly easier to read.
Signed-off-by: Andrea Claudi
Acked-by: Julian Anastasov
Acked-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipvs/ip_vs_ctl.c | 12
sport=5141 dport=80 [ASSURED]
[UPDATE] 10 CLOSE src=10.0.2.1 dst=10.0.0.1 sport=5141 dport=80 [ASSURED]
Cc: Jozsef Kadlecsik
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_proto_tcp.c | 50 +++---
1 file chang
nft_masq_ipv4.ko
   764     896       0    1660     67c nft_masq_ipv6.ko
after:
   text    data     bss     dec     hex filename
  2010     960       0    2970     b9a nft_masq.ko
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nft_masq.h | 22 -
net/ipv4/netfilter/Kconfig | 9 --
net/ipv4
nft_chain_nat.ko
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/Kconfig | 13
net/ipv4/netfilter/Makefile | 1 -
net/ipv4/netfilter/nft_chain_nat_ipv4.c | 85 -
net/ipv6/netfilter/Kconfig | 11
From: Li RongQing
CONNTRACK_LOCKS is the divisor when computing the array index; if it is a
power of 2, the compiler will optimize the modulo operation into a bitwise
AND, otherwise the modulo will lower performance.
Suggested-by: Florian Westphal
Signed-off-by: Li RongQing
Signed-off-by: Pablo Neira Ayuso
---
net
   text    data     bss     dec     hex filename
  1910     960       0    2870     b36 nft_redir.ko
size is reduced, all helpers from nft_redir.ko can be made static.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nft_redir.h | 22 --
net/ipv4/netfilter/Kconfig | 8
r: nf_tables: don't assume chain stats are set
when jumplabel is set")
Signed-off-by: Eric Dumazet
Signed-off-by: Zhang Yu
Signed-off-by: Li RongQing
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_core.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-
itner
Acked-by: Julian Anastasov
Acked-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipvs/ip_vs_proto_sctp.c | 7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c
b/net/netfilter/ipvs/ip_vs_proto_sctp.c
index bc3d162
Signed-off-by: David Ahern
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/br_netfilter_hooks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 40d058378b52..9d34de68571b 100644
--- a/net/bri
From: Sami Tolvanen
Use struct device_attribute instead of struct idletimer_tg_attr, and
the correct callback function type to avoid indirect call mismatches
with Control Flow Integrity checking.
Signed-off-by: Sami Tolvanen
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/xt_IDLETIMER.c
ilure.
and convert be16 to short in bridge/netfilter/ebtables.c
Signed-off-by: Zhang Yu
Signed-off-by: Li RongQing
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/x_tables.h | 4 ++--
net/bridge/netfilter/ebtables.c| 6 +++---
net/netfilter/x_tables.c | 4 ++--
3
From: wenxu
The metadata_dst does not initialize the dst_cache field. This causes
problems for ip_md_tunnel_xmit() since it cannot use this cache, hence
triggering a route lookup for every packet.
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_tunnel.c | 7
Hi,
On Sun, Mar 03, 2019 at 04:17:21PM +0800, Xin Long wrote:
> sctp_hdr(skb) only works when skb->transport_header is set
> properly.
>
> But in the path of nf_conntrack_in:
>
> sctp_packet() -> sctp_error() -> sctp_compute_cksum().
>
> skb->transport_header is not guaranteed to be right val
On Fri, Mar 01, 2019 at 01:56:06PM +0800, Su Yanjun wrote:
> From: Su Yanjun
>
> Because nf_conntrack_helper_unregister may be used in an unloadable module,
> it uses 'synchronize_rcu' which may cause a kernel panic.
>
> According to the article:
> RCU and Unloadable Modules
> https://lwn.net/Artic
hi Arnd,
Cc'ing Alin Nastac.
On Mon, Mar 04, 2019 at 09:40:12PM +0100, Arnd Bergmann wrote:
> With CONFIG_IPV6=m and CONFIG_NF_CONNTRACK_SIP=y, we now get a link failure:
>
> net/netfilter/nf_conntrack_sip.o: In function `process_sdp':
> nf_conntrack_sip.c:(.text+0x4344): undefined reference to
On Wed, Apr 24, 2019 at 03:05:05PM +0100, Edward Cree wrote:
> On 06/02/2019 02:20, Jamal Hadi Salim wrote:
> > The classifiers dont mod the packets. The actions do. And they
> > maintain stats on the size on "entry" i.e pre-edit.
> > Each action keeps its own counters. If you did something like:
>
On Thu, Apr 25, 2019 at 02:23:08PM +0100, Edward Cree wrote:
> On 24/04/2019 16:03, Edward Cree wrote:
> > static int efx_tc_flower_replace(struct efx_nic *efx,
> > struct net_device *net_dev,
> > struct tc_cls_flower_offload *tc)
>
On Fri, Apr 05, 2019 at 11:24:14PM +0200, Johannes Berg wrote:
> From: Johannes Berg
>
> Now that we have nested policies, we can theoretically
> recurse forever parsing attributes if a (sub-)policy
> refers back to a higher level one. This is a situation
> that has happened in nl80211, and we've
On Fri, Apr 26, 2019 at 07:03:10PM +0200, Johannes Berg wrote:
> On Fri, 2019-04-26 at 18:57 +0200, Pablo Neira Ayuso wrote:
> >
> > > +/*
> > > + * Nested policies might refer back to the original
> > > + * policy in some cases, and userspace could try to
On Fri, Apr 26, 2019 at 02:13:06PM +0200, Johannes Berg wrote:
> diff --git a/include/uapi/linux/genetlink.h b/include/uapi/linux/genetlink.h
> index 877f7fa95466..9c0636ec2286 100644
> --- a/include/uapi/linux/genetlink.h
> +++ b/include/uapi/linux/genetlink.h
> @@ -48,6 +48,7 @@ enum {
> CT
On Fri, Apr 26, 2019 at 01:13:41PM +0100, Edward Cree wrote:
> On 25/04/2019 23:33, Pablo Neira Ayuso wrote:
> > On Thu, Apr 25, 2019 at 02:23:08PM +0100, Edward Cree wrote:
> >> On 24/04/2019 16:03, Edward Cree wrote:
> >>> static int efx_tc_flow
On Fri, Apr 26, 2019 at 02:13:46PM +0200, Johannes Berg wrote:
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 4fc7c122e916..09a17b30ba73 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -219,6 +219,8 @@ static int validate_ie_attr(const struct nlattr
On Fri, Apr 26, 2019 at 09:22:20PM +0200, Johannes Berg wrote:
> On Fri, 2019-04-26 at 20:21 +0200, Pablo Neira Ayuso wrote:
> > On Fri, Apr 26, 2019 at 02:13:06PM +0200, Johannes Berg wrote:
> > > diff --git a/include/uapi/linux/genetlink.h
> > > b/include/uapi/li
On Mon, Apr 29, 2019 at 03:11:06PM +0100, Edward Cree wrote:
> On 26/04/2019 19:49, Pablo Neira Ayuso wrote:
> > On Fri, Apr 26, 2019 at 01:13:41PM +0100, Edward Cree wrote:
> >> Thus if (and only if) two TC actions have the same tcfa_index, they will
> >> share a singl
On Mon, Apr 29, 2019 at 05:25:10PM +0100, Edward Cree wrote:
> On 29/04/2019 16:21, Pablo Neira Ayuso wrote:
> > On Mon, Apr 29, 2019 at 03:11:06PM +0100, Edward Cree wrote:
> >> This is a bit of a mess; the best idea I've got is for the
> >> TC_CLSFLOWER_STATS cal
Hi Jagdish,
On Thu, May 09, 2019 at 12:01:14AM +0530, Jagdish Motwani wrote:
> From: Jagdish Motwani
>
> In case of more than 1 nf_queues, hooks between them are being executed
> more than once.
This refers to NF_REPEAT, correct?
I think this broke with 960632ece6949. If so, it would be good t
On Thu, Apr 25, 2019 at 09:43:53PM +0800, linmiaohe wrote:
> From: Miaohe Lin
>
> When firewalld is enabled with ipv4/ipv6 rpfilter, vrf
> ipv4/ipv6 packets will be dropped because the in device is
> vrf but the out device is an enslaved device, so they fail
> the rpfilter check.
>
> Signed-off
translation and
error unwind.
Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-by: Tetsuo Handa
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/netfilter/ebtables.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletio
the helper return
immediately if its NULL.
In the notification case we don't hold the rcu read lock, but updates are
prevented due to transaction mutex. Use rcu_dereference_check() to make lockdep
aware of this.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilt
and indirect calls are used only when IPV6 is a
module.
Fixes: a0ae2562c6c4b2 ("netfilter: conntrack: remove l3proto abstraction")
Signed-off-by: Subash Abhinov Kasiviswanathan
Reviewed-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_h323_main.c | 11 +
, ie.
sES + synack => sIG
for reply traffic.
Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression")
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_flow_offload.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/netfilter/nft_f
data-path to check for ct->status. If
IPS_DYING_BIT is set, garbage collector removes flow offload entries and
data-path routine ignores them.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_flow_table_core.c | 9 -
1 file changed, 8 insertions(+)
d-by: Jann Haber
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 50 +--
1 file changed, 39 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_a
From: Florian Westphal
should be same as NFT_LOGLEVEL_AUDIT, so use -, not +.
Fixes: 7eced5ab5a73 ("netfilter: nf_tables: add NFT_LOGLEVEL_* enumeration and
use it")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 2
-off-by: Jakub Jankowski
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_h323_asn1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
b/net/netfilter/nf_conntrack_h323_asn1.c
index 1601275efe2d..4c2ef42e189c 100644
--- a/ne
: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_flow_table_ip.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 1d291a51cd45..46022a2867d7 100644
--- a/net/netfilter/nf_flow_table_ip.c
finished and the following
message is printed:
[ 257.490952] unregister_netdevice: waiting for lo to become free. Usage count = 1
Fixes: ac2a5e23 ("netfilter: add generic flow table infrastructure")
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_flow
Jakub Jankowski (1):
netfilter: nf_conntrack_h323: restore boundary check correctness
Kristian Evensen (1):
netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression
Pablo Neira Ayuso (2):
netfilter: nft_flow_offload: add entry to flowtable after confirmation
netf
Since this commit,
nfgen_family is used to filter out entries that should not be removed.
One example of a broken tool is conntrack. conntrack always sets
nfgen_family to AF_INET, so after 59c08c69c278 only IPv4 entries were
removed with the -F parameter.
Pablo Neira Ayuso suggested using nfgenmsg->versi
Never used anywhere in the code.
Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support")
Reported-by: Stéphane Veyret
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/include/uapi/linux
Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_flow_table_core.c | 25 ++---
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_flow_table_core.c
b/net/netfilter/nf_flow_table_core.c
index 7aabfd4b1e50..a9e4f74b1ff6 100644
--- a/net
On Mon, May 13, 2019 at 10:36:51AM +, Jagdish Motwani wrote:
> Hi Pablo,
>
> The case I am referring to is : If there are more than 1 hooks
> returning NF_QUEUE verdict. When the first queue reinjects the
> packet, 'nf_reinject' starts traversing hooks with hook_index (i).
> However if it ag
the accept/drop actions; this also includes
> >basechain hardware offload only.
> >
> >Signed-off-by: Pablo Neira Ayuso
>
> [...]
>
> >+static int nft_flow_offload_chain(struct nft_trans *trans,
> >+ enum flow_blo
> >And it exposes the flow_block_cb API through net/flow_offload.h. This
> >renames the existing codebase to adapt it to this name.
> >
> >Signed-off-by: Pablo Neira Ayuso
>
> [...]
>
>
> >+
> >+void *flow_block_cb_priv(struct flow_block_cb *block_cb)
On Wed, May 15, 2019 at 01:03:31AM +0200, Pablo Neira Ayuso wrote:
> On Tue, May 14, 2019 at 07:01:08PM +0200, Jiri Pirko wrote:
> > Thu, May 09, 2019 at 06:39:51PM CEST, pa...@netfilter.org wrote:
> > >This patch adds hardware offload support for nftables through the
>
On Fri, May 17, 2019 at 04:27:29PM +0100, Edward Cree wrote:
> On 15/05/2019 20:39, Edward Cree wrote:
[...]
> Pablo, how do the two options interact with your netfilter offload? I'm
> guessing it's easier for you to find a unique pointer than to generate
> a unique u32 action_index for each act
On Mon, May 20, 2019 at 04:37:10PM +0100, Edward Cree wrote:
> On 19/05/2019 01:22, Pablo Neira Ayuso wrote:
> > On Fri, May 17, 2019 at 04:27:29PM +0100, Edward Cree wrote:
> >> On 15/05/2019 20:39, Edward Cree wrote:
> > [...]
> >> Pablo, how do the two opt
On Thu, Oct 05, 2017 at 11:56:44AM +0200, Florian Westphal wrote:
> Eric Dumazet wrote:
> > From: Eric Dumazet
> >
> > syzkaller reports an out of bound read in strlcpy(), triggered
> > by xt_copy_counters_from_user()
> >
> > Fix this by using memcpy(), then forcing a zero byte at the last posi
On Fri, Oct 06, 2017 at 12:44:03AM +0800, Lin Zhang wrote:
> In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet,
> but the real server may reply with an icmp error packet related to the
> existing tcp conntrack, so we will access wrong tcp data.
>
> To fix it, check for the protocol fi
f/xxx -j ACCEPT
> > # iptables -A INPUT -s 5.6.7.8 -j ACCEPT
> > iptables: Invalid argument. Run `dmesg' for more information.
[...]
> >
> > References: [1] https://marc.info/?l=netfilter-devel&m=150564724607440&w=2
> > [2] https://marc.i
On Mon, Oct 09, 2017 at 01:18:23PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 06, 2017 at 01:40:13PM -0400, Willem de Bruijn wrote:
> > On Fri, Oct 6, 2017 at 12:02 PM, Shmulik Ladkani wrote:
> > > From: Shmulik Ladkani
> > >
> > > Commit 2c16d60332
'bpf_mt_check_v1' to fail.
> >
> >One suggested solution [1] was to hack iptables userspace, to perform an
> >"entries fixup" immediately after IPT_SO_GET_ENTRIES, by opening a new,
> >process-local fd for every 'xt_bpf_info_v1' entry seen.
>
zsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipset/ip_set_core.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c
b/net/netfilter/ipset/ip_set_core.c
index a7f049ff3049..cf84f7b37cd9 100644
--- a/net/netfilter/i
: Lin Zhang
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/ipt_SYNPROXY.c | 3 ++-
net/ipv6/netfilter/ip6t_SYNPROXY.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c
b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 811689e523c3
'bpf_mt_check_v1' to fail.
One suggested solution [1] was to hack iptables userspace, to perform an
"entries fixup" immediately after IPT_SO_GET_ENTRIES, by opening a new,
process-local fd for every 'xt_bpf_info_v1' entry seen.
However, in [2] both Pablo Neira Ayuso and Willem
ned-off-by: Pablo Neira Ayuso
---
include/linux/netfilter_bridge/ebtables.h | 7 ---
net/bridge/netfilter/ebtable_broute.c | 4 ++--
net/bridge/netfilter/ebtable_filter.c | 4 ++--
net/bridge/netfilter/ebtable_nat.c| 4 ++--
net/bridge/netfilter/ebtables.c
dules), according to RFC 3168
section 9.1.1 recommendation.
This patch implements ECN full-functionality option into ipvs xmit code.
Cc: netdev@vger.kernel.org
Cc: lvs-de...@vger.kernel.org
Signed-off-by: Vadim Fedorenko
Reviewed-by: Konstantin Khlebnikov
Acked-by: Julian Anastasov
Signed-off-by: Pablo
From: Jozsef Kadlecsik
A wrong comparison prevented the hash types from adding a range with more
than 2^31 addresses, but the operation was reported as a success.
Fixes Netfilter's bugzilla id #1005, reported by Oleg Serditov and
Oliver Ford.
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
From: Arvind Yadav
Free the memory region if nf_tables_set_alloc_name is not successful.
Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars")
Signed-off-by: Arvind Yadav
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 4 +++-
1 file
ables: introduce and use
xt_copy_counters_from_user")
Signed-off-by: Eric Dumazet
Cc: Willem de Bruijn
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/x_tables.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net
Chain counters are only enabled on demand since 9f08ea848117, skip them
when dumping them via netlink.
Fixes: 9f08ea848117 ("netfilter: nf_tables: keep chain counters away from hot
path")
Reported-by: Johny Mattsson
Tested-by: Johny Mattsson
Signed-off-by: Pablo Neira Ayuso
---
net
filter
table ip filter {
chain c2 {
}
chain c2 {
}
}
Fixes: 664b0f8cd8 ("netfilter: nf_tables: add generation mask to chains")
Signed-off-by: JingPiao Chen
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 4 ++--
1 file changed, 2
d-off-by: Subash Abhinov Kasiviswanathan
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/xt_socket.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index e75ef39669c5..575d2153e3b8 100644
--- a/net/netfilter/xt_so
i handlers and the pernet
ops last.
Fixes: 1785e8f473082 ("netfiler: ipset: Add net namespace for ipset")
Reported-by: Li Shuang
Signed-off-by: Florian Westphal
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/ipset/ip_set_core.c | 22 +-
: Fix adding an IPv4 range containing more than 2^31
addresses
Lin Zhang (1):
netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook
Pablo Neira Ayuso (1):
netfilter: nf_tables: do not dump chain counters if not enabled
Ross Lagerwall (1):
netfilter: ipset: F
ide array allocation wrapper
segtree: allocate memory for arrays on heap
Pablo M. Bermudo Garay (5):
src: add new generic context structure nft_ctx
src: add --check option flag
parser: fix typo
src: add stateful object support for limit
tests: py: add tests f
On Mon, Jul 02, 2018 at 04:14:12PM +0100, Edward Cree wrote:
> Also involved adding a way to run a netfilter hook over a list of packets.
> Rather than attempting to make netfilter know about lists (which would be
> a major project in itself) we just let it call the regular okfn (in this
> case
Hi Joe,
On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote:
> On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote:
> > Using pr_<level>() is more concise than
> > printk(KERN_<LEVEL>).
> > Replace printks having a log level with the appropriate
> > pr_*() macros.
> >
> > Signed-off-by: Arushi Sing
On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote:
> In preparation to enabling -Wvla, remove VLA and replace it
> with dynamic memory allocation.
Looks good but...
> Signed-off-by: Gustavo A. R. Silva
> ---
> net/netfilter/nfnetlink_cttimeout.c | 12 ++--
> 1 file cha
On Sun, Mar 11, 2018 at 05:12:09PM -0500, Gustavo A. R. Silva wrote:
> Hi Pablo,
>
> On 03/11/2018 05:04 PM, Pablo Neira Ayuso wrote:
> > On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote:
> > > In preparation to enabling -Wvla, remove VLA and repla
On Mon, Mar 12, 2018 at 03:56:15AM +0530, Arushi Singhal wrote:
> On Mon, Mar 12, 2018 at 2:17 AM, Pablo Neira Ayuso
> wrote:
>
> > Hi Joe,
> >
> > On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote:
> > > On Mon, 2018-03-12 at 01:11 +0530, Arushi S
d-by:
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/x_tables.h | 2 ++
net/netfilter/x_tables.c | 30 ++
net/netfilter/xt_hashlimit.c | 16 ++--
net/netfilter/xt_recent.c | 6 +++---
Otherwise we leak this array.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 558593e6a0a3..c4acc7340eb1 100644
--- a/net/netfilter/nf_tables_api.c
+++ b
ch.
Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
Reported-by:
Signed-off-by: Florian Westphal
Reviewed-by: Eric Dumazet
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/netfilter/ebt_among.c | 34 ++
1 file changed, 34 inserti
Fixed hash supports to timeouts, so skip it. Otherwise, userspace hits
EOPNOTSUPP.
Fixes: 6c03ae210ce3 ("netfilter: nft_set_hash: add non-resizable hashtable
implementation")
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_set_hash.c | 2 +-
1 file changed, 1 insertion(+),
;)
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/netfilter/ebtables.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 254ef9f49567..a94d23b0a9af 100644
--- a/net/bridge/n
21:24:56 +0100)
Florian Westphal (3):
netfilter: ebtables: fix erroneous reject of last rule
netfilter: x_tables: add and use xt_check_proc_name
netfilter: bridge: ebt_among: add more missing match size checks
Pablo Neira Ayuso (2):
From: Felix Fietkau
Reduce code duplication and make it much easier to read
Signed-off-by: Felix Fietkau
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_flow_table.c | 93 ---
1 file changed, 34 insertions(+), 59 deletions(-)
diff --git a/net
From: kbuild test robot
Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects
via handle")
Signed-off-by: Fengguang Wu
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff -