[TEXTSEARCH] Fix broken good shift array calculation in Boyer-Moore

2006-01-29 Thread Pablo Neira Ayuso
] Signed-off-by: Pablo Neira Ayuso [EMAIL PROTECTED] Index: net-2.6.git/lib/ts_bm.c === --- net-2.6.git.orig/lib/ts_bm.c2006-01-29 05:10:25.0 +0100 +++ net-2.6.git/lib/ts_bm.c 2006-01-29 05:25:47.0 +0100

Re: [NETFILTER]: Introduce nf_inet_address

2008-02-22 Thread Pablo Neira Ayuso
Patrick McHardy wrote: Yes, that was a bug in the latest release. We need to release a 1.4.1 version or something like that, but I'm not too familiar with the release process, so I haven't done this so far. I can schedule one for this weekend, just send me an ACK. -- Los honestos son

Re: [NETFILTER]: Introduce nf_inet_address

2008-02-22 Thread Pablo Neira Ayuso
Patrick McHardy wrote: Pablo Neira Ayuso wrote: Patrick McHardy wrote: Yes, that was a bug in the latest release. We need to release a 1.4.1 version or something like that, but I'm not too familiar with the release process, so I haven't done this so far. I can schedule one

Re: [PATCH] net: sched: act_connmark: don't zap skb-nfct

2015-04-28 Thread Pablo Neira Ayuso
Acked-by: Pablo Neira Ayuso pa...@netfilter.org -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

[PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Pablo Neira Ayuso
. This only depends on the basic hook infrastructure that resides on net/core/hooks.c, so you have enable qdisc ingress filtering without the layer 3 netfilter hooks. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux/rtnetlink.h | 13 --- net/core/dev.c| 92

Re: [PATCH 6/6] net: move qdisc ingress filtering on top of netfilter ingress hooks

2015-04-29 Thread Pablo Neira Ayuso
On Wed, Apr 29, 2015 at 10:27:05PM +0200, Daniel Borkmann wrote: On 04/29/2015 08:53 PM, Pablo Neira Ayuso wrote: Port qdisc ingress on top of the Netfilter ingress allows us to detach the qdisc ingress filtering code from the core, so now it resides where it really belongs. Hm

Re: [PATCH net-next 0/6] ipv6: netfilter - coding style improvements

2015-04-26 Thread Pablo Neira Ayuso
On Sat, Apr 25, 2015 at 10:26:54AM +0100, Ian Morris wrote: This series of patches removes some style issues in the ipv6 netfilter code detected by checkpatch. There is no change to functionality and no changes to the resultant object determined by objdiff. Please, Cc:

[PATCH 2/2] netfilter: bridge: fix NULL deref in physin/out ifindex helpers

2015-04-27 Thread Pablo Neira Ayuso
: bridge: add helpers for fetching physin/outdev) Signed-off-by: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux/netfilter_bridge.h | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/include/linux

[PATCH 0/2] Netfilter fixes for net

2015-04-27 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Fix a crash in nf_tables when dictionaries are used from the ruleset, due to memory corruption, from Florian Westphal. 2) Fix another crash in nf_queue when used with br_netfilter. Also from Florian.

[PATCH 1/2] netfilter: nf_tables: fix wrong length for jump/goto verdicts

2015-04-27 Thread Pablo Neira Ayuso
From: Florian Westphal f...@strlen.de NFT_JUMP/GOTO erroneously sets length to sizeof(void *). We then allocate insufficient memory when such element is added to a vmap. Suggested-by: Patrick McHardy ka...@trash.net Signed-off-by: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso

[PATCH 0/2 net-next] critical ingress path performance improvements

2015-05-10 Thread Pablo Neira Ayuso
old box. As it's been stated before, most users don't need this: 24824a09 (net: dynamic ingress_queue allocation) So getting the code inlined into the core introduces a penalty to everyone in this world. Please apply, thanks! Pablo Neira Ayuso (2): net: kill useless net_*_ingress_queue

[PATCH 12/21] netfilter: ipset: Fix ext_*() macros

2015-05-18 Thread Pablo Neira Ayuso
From: Sergey Popovich popovich_ser...@mail.ua So pointers returned by these macros could be referenced with - directly. Signed-off-by: Sergey Popovich popovich_ser...@mail.ua Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org

[PATCH 21/21] netfilter: Use correct return for seq_show functions

2015-05-18 Thread Pablo Neira Ayuso
patch. Miscellanea: o Don't use strlen, use *ptr to determine if a string should be emitted like all the other tests here o Delete unnecessary return statements Signed-off-by: Joe Perches j...@perches.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/netfilter

[PATCH 19/21] netfilter: xt_MARK: Add ARP support

2015-05-18 Thread Pablo Neira Ayuso
From: Zhang Chunyu zhan...@cn.fujitsu.com Add arpt_MARK to xt_mark. The corresponding userspace update is available at: http://git.netfilter.org/arptables/commit/?id=4bb2f8340783fd3a3f70aa6f8807428a280f8474 Signed-off-by: Zhang Chunyu zhan...@cn.fujitsu.com Signed-off-by: Pablo Neira Ayuso pa

Re: [PATCH] netfilter: ipset: deinline ip_set_put_extensions()

2015-05-14 Thread Pablo Neira Ayuso
On Wed, May 06, 2015 at 04:28:57PM +0200, Denys Vlasenko wrote: On x86 allyesconfig build: The function compiles to 489 bytes of machine code. It has 25 callsites. textdata bss dec hex filename 82441375 22255384 20627456 125324215 7784bb7 vmlinux.before 82434909

Re: [PATCH 1/1] netfilter: Fix kernel panic in nfulnl_rcv_nl_event

2015-05-20 Thread Pablo Neira Ayuso
On Sun, May 17, 2015 at 02:30:31PM -0700, Francesco Ruggeri wrote: nfnetlink_log_init registers netlink callback nfulnl_rcv_nl_event before registering the pernet_subsys, but the callback relies on data structures allocated by pernet init functions. When nfnetlink_log is loaded, if a netlink

Re: [PATCH 03/11] netfilter: don't use module_init/exit in core IPV4 code

2015-06-03 Thread Pablo Neira Ayuso
messages.) As for the module_exit, rather than replace it with __exitcall, we simply remove it, since it appears only UML does anything with those, and even for UML, there is no relevant cleanup to be done here. Cc: Pablo Neira Ayuso pa...@netfilter.org Cc: Patrick McHardy ka...@trash.net

Re: [PATCH net] netfilter: nf_queue: Don't recompute the hook_list head

2015-06-23 Thread Pablo Neira Ayuso
On Mon, Jun 22, 2015 at 09:56:37AM -0500, Eric W. Biederman wrote: Pablo Neira Ayuso pa...@netfilter.org writes: [...] There is no nfnetlink_queue support for the netdev family at this moment, so this can't be triggered unless you use an out of tree module. I have a patch here to add

Re: [PATCH net] netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook

2015-06-20 Thread Pablo Neira Ayuso
On Fri, Jun 19, 2015 at 02:03:39PM -0500, Eric W. Biederman wrote: Add code to nf_unregister_hook to flush the nf_queue when a hook is unregistered. This guarantees that the pointer that the nf_queue code retains into the nf_hook list will remain valid while a packet is queued. I think the

Re: [PATCH net] netfilter: nf_queue: Don't recompute the hook_list head

2015-06-20 Thread Pablo Neira Ayuso
On Fri, Jun 19, 2015 at 05:23:37PM -0500, Eric W. Biederman wrote: If someone sends packets from one of the netdevice ingress hooks to the a userspace queue, and then userspace later accepts the packet, the netfilter code can enter an infinite loop as the list head will never be found.

Re: [PATCH net-next] x_table: align per cpu xt_counter

2015-06-18 Thread Pablo Neira Ayuso
On Wed, Jun 17, 2015 at 07:08:15PM +0200, Florian Westphal wrote: Eric Dumazet eric.duma...@gmail.com wrote: From: Eric Dumazet eduma...@google.com Let's force a 16 bytes alignment on xt_counter percpu allocations, so that bytes and packets sit in same cache line. xt_counter being

Re: [PATCH net-next 00/43] Simplify netfilter and network namespaces (take 2)

2015-06-18 Thread Pablo Neira Ayuso
On Wed, Jun 17, 2015 at 10:09:40AM -0500, Eric W. Biederman wrote: [...] There are a few extra cleanups in the first group of changes sprinkled in as I noticed a few other things as I was sorting out the network namespace computation logic. This is a rather large patchset that address many

Re: [PATCH] net: fix search limit handling in skb_find_text()

2015-06-18 Thread Pablo Neira Ayuso
On Tue, Jun 16, 2015 at 03:13:41PM +0300, Roman Khimov wrote: In a message dated 16 June 2015 12:48:41, user Pablo Neira Ayuso wrote: [...] But if we change the existing behaviour, users may be relying on it and we'll get things broken for them. Someone else will come later one

[PATCH 09/12] netfilter: use forward declaration instead of including linux/proc_fs.h

2015-06-19 Thread Pablo Neira Ayuso
’: net/netfilter/nf_synproxy_core.c:326:2: error: implicit declaration of function ‘proc_create’ [-Werror=implicit-function-declaration] if (!proc_create(synproxy, S_IRUGO, net-proc_net_stat, ^ Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org Signed-off-by: Eric W. Biederman ebied

[PATCH 00/12] Netfilter updates for net-next

2015-06-19 Thread Pablo Neira Ayuso
: sched: Simplify em_ipset_match Florian Westphal (1): netfilter: xtables: fix warnings on 32bit platforms Harout Hedeshian (1): netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag Pablo Neira Ayuso (5): netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c

[PATCH 02/12] netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag

2015-06-19 Thread Pablo Neira Ayuso
--mark 10 -j action2 iptables -t mangle -A action -m mark --mark 11 -j action3 Signed-off-by: Harout Hedeshian haro...@codeaurora.org Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/uapi/linux/netfilter/xt_socket.h |8 net/netfilter/xt_socket.c| 59

[PATCH 06/12] netfilter: Kill unused copies of RCV_SKB_FAIL

2015-06-19 Thread Pablo Neira Ayuso
From: Eric W. Biederman ebied...@xmission.com This appears to have been a dead macro in both nfnetlink_log.c and nfnetlink_queue_core.c since these pieces of code were added in 2005. Signed-off-by: Eric W. Biederman ebied...@xmission.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org

[PATCH 12/12] netfilter: xtables: fix warnings on 32bit platforms

2015-06-19 Thread Pablo Neira Ayuso
from integer of different size [-Wint-to-pointer-cast] Fixes: 71ae0dff02d756e (netfilter: xtables: use percpu rule counters) Reported-by: kbuild test robot fengguang...@intel.com Signed-off-by: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux

[PATCH 11/12] netfilter: Remove spurios included of netfilter.h

2015-06-19 Thread Pablo Neira Ayuso
From: Eric W Biederman ebied...@xmission.com While testing my netfilter changes I noticed several files were recompiling unnecessarily because they unnecessarily included netfilter.h. Signed-off-by: Eric W. Biederman ebied...@xmission.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org

[PATCH 10/12] netfilter: don't pull include/linux/netfilter.h from netns headers

2015-06-19 Thread Pablo Neira Ayuso
/nfnetlink_queue_core.c:23: include/uapi/linux/netfilter.h:76:17: error: field ‘in’ has incomplete type struct in_addr in; And also explicitly include linux/netfilter.h in several spots. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org Signed-off-by: Eric W. Biederman ebied...@xmission.com

Re: [PATCH 00/32] Netfilter updates for net-next

2015-06-20 Thread Pablo Neira Ayuso
On Sat, Jun 20, 2015 at 03:11:30PM +0200, Jakub Kiciński wrote: On Mon, 15 Jun 2015 23:25:57 +0200, Pablo Neira Ayuso wrote: Hi David, This a bit large (and late) patchset that contains Netfilter updates for net-next. Most relevantly br_netfilter fixes, ipset RCU support, removal

Re: [PATCH net] netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook

2015-06-20 Thread Pablo Neira Ayuso
On Sat, Jun 20, 2015 at 01:32:48PM +0200, Patrick McHardy wrote: On 20.06, Pablo Neira Ayuso wrote: On Fri, Jun 19, 2015 at 02:03:39PM -0500, Eric W. Biederman wrote: Add code to nf_unregister_hook to flush the nf_queue when a hook is unregistered. This guarantees that the pointer

Re: linux-next: build warnings after merge of the net-next tree

2015-06-20 Thread Pablo Neira Ayuso
On Sat, Jun 20, 2015 at 07:40:03PM +0200, Florian Westphal wrote: [...] Introduced by commit: 71ae0dff02d7 (netfilter: xtables: use percpu rule counters) Yes, sorry about this, should be fixed by dcb8f5c8139ef945cdfd (netfilter: xtables: fix warnings on 32bit platforms). There's a

Re: [PATCH net] netfilter: nf_queue: Don't recompute the hook_list head

2015-06-20 Thread Pablo Neira Ayuso
On Sat, Jun 20, 2015 at 09:08:20AM -0500, Eric W. Biederman wrote: Pablo Neira Ayuso pa...@netfilter.org writes: On Fri, Jun 19, 2015 at 05:23:37PM -0500, Eric W. Biederman wrote: If someone sends packets from one of the netdevice ingress hooks to the a userspace queue

Re: [PATCH net] netfilter: nftables: Do not run chains in the wrong network namespace

2015-06-19 Thread Pablo Neira Ayuso
this by simply not running nf_tables chains in the wrong network namespace. Cc: sta...@vger.kernel.org Signed-off-by: Eric W. Biederman ebied...@xmission.com Acked-by: Pablo Neira Ayuso pa...@netfilter.org @David: Patrick sent a similar patch to address this, if you can get this into the net tree

[PATCH 08/12] net: include missing headers in net/net_namespace.h

2015-06-19 Thread Pablo Neira Ayuso
Include linux/idr.h and linux/skbuff.h since they are required by objects that are declared in the net structure. struct net { ... struct idr netns_ids; ... struct sk_buff_head wext_nlevents; ... Signed-off-by: Pablo Neira Ayuso pa

[PATCH 05/12] netfilter: bridge: split ipv6 code into separated file

2015-06-19 Thread Pablo Neira Ayuso
Resolve compilation breakage when CONFIG_IPV6 is not set by moving the IPv6 code into a separate br_netfilter_ipv6.c file. Fixes: efb6de9b4ba0 (netfilter: bridge: forward IPv6 fragmented packets) Reported-by: kbuild test robot fengguang...@intel.com Signed-off-by: Pablo Neira Ayuso pa

[PATCH 07/12] net: sched: Simplify em_ipset_match

2015-06-19 Thread Pablo Neira Ayuso
From: Eric W. Biederman ebied...@xmission.com em-net is always set and always available, use it in preference to dev_net(skb-dev). Signed-off-by: Eric W. Biederman ebied...@xmission.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/sched/em_ipset.c |4 ++-- 1 file changed, 2

[PATCH 04/12] netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c

2015-06-19 Thread Pablo Neira Ayuso
To prepare separation of the IPv6 code into a different file. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/bridge/Makefile |1 + net/bridge/{br_netfilter.c = br_netfilter_hooks.c} |0 2 files changed, 1 insertion(+) rename net/bridge

[PATCH 03/12] netfilter: x_tables: align per cpu xt_counter

2015-06-19 Thread Pablo Neira Ayuso
Cc: Florian Westphal f...@strlen.de Acked-by: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux/netfilter/x_tables.h |6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/linux/netfilter/x_tables.h b/include/linux

[PATCH 01/12] netfilter: nfnetlink_queue: add security context information

2015-06-19 Thread Pablo Neira Ayuso
. Signed-off-by: Roman Kubiak r.kub...@samsung.com Acked-by: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/uapi/linux/netfilter/nfnetlink_queue.h |4 ++- net/netfilter/nfnetlink_queue_core.c | 35 +++- 2 files changed

Re: [PATCH net-next 00/15] Simplify netfilter and network namespaces

2015-06-15 Thread Pablo Neira Ayuso
On Mon, Jun 15, 2015 at 10:06:27AM -0500, Eric W. Biederman wrote: Pablo Neira Ayuso pa...@netfilter.org writes: Hi Eric, On Sun, Jun 14, 2015 at 10:07:30PM -0500, Eric W. Biederman wrote: While looking into what it would take to route packets out to network devices in other

Re: [PATCH nf-next] net: ip_fragment: remove BRIDGE_NETFILTER mtu special handling

2015-06-12 Thread Pablo Neira Ayuso
On Fri, Jun 05, 2015 at 01:28:38PM +0200, Florian Westphal wrote: since commit d6b915e29f4adea9 (ip_fragment: don't forward defragmented DF packet) the largest fragment size is available in the IPCB. Therefore we no longer need to care about 'encapsulation' overhead of stripped PPPOE/VLAN

Re: [PATCH net-next] x_table: align per cpu xt_counter

2015-06-18 Thread Pablo Neira Ayuso
On Thu, Jun 18, 2015 at 03:43:26AM -0700, David Miller wrote: From: Eric Dumazet eric.duma...@gmail.com Date: Mon, 15 Jun 2015 18:10:13 -0700 From: Eric Dumazet eduma...@google.com Let's force a 16 bytes alignment on xt_counter percpu allocations, so that bytes and packets sit in same

Re: [PATCH] net: fix search limit handling in skb_find_text()

2015-06-15 Thread Pablo Neira Ayuso
Cc'ing Thomas. On Mon, Jun 15, 2015 at 12:11:58PM +0300, Roman I Khimov wrote: Suppose that we're trying to use an xt_string netfilter module to match a string in a specially crafted packet that has a nice string starting at offset 28. It could be done in iptables like this: -A

Re: [PATCH] net: fix search limit handling in skb_find_text()

2015-06-16 Thread Pablo Neira Ayuso
On Mon, Jun 15, 2015 at 10:37:31PM +0300, Roman Khimov wrote: In a message dated 15 June 2015 19:06:39, user Pablo Neira Ayuso wrote: On Mon, Jun 15, 2015 at 12:11:58PM +0300, Roman I Khimov wrote: Suppose that we're trying to use an xt_string netfilter module to match a string

Re: [PATCH net-next 00/15] Simplify netfilter and network namespaces

2015-06-16 Thread Pablo Neira Ayuso
On Mon, Jun 15, 2015 at 07:26:13PM -0500, Eric W. Biederman wrote: [...] So what I am in the processes of doing is reviewing and testing the combined set of patches and hopefully I will have something for you soon (tomorrow?). Unless Pablo has objections. Please, feel free to take over my

[PATCH 24/32] netfilter: ipset: Introduce RCU locking in bitmap:* types

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu There's nothing much required because the bitmap types use atomic bit operations. However the logic of adding elements slightly changed: first the MAC address is updated (which is not atomic), then the element is activated (added). The extensions may call

[PATCH 32/32] netfilter: nf_tables_netdev: unregister hooks on net_device removal

2015-06-15 Thread Pablo Neira Ayuso
are not registered. This flag is used by the netdev family to handle the case where the net_device object is gone. Currently this flag is not exposed to userspace. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/net/netfilter/nf_tables.h |7 net/netfilter/nf_tables_api.c

[PATCH 04/32] netfilter: bridge: detect NAT66 correctly and change MAC address

2015-06-15 Thread Pablo Neira Ayuso
Thaler bernhard.tha...@wvnet.at Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux/netfilter_ipv6.h |1 + include/linux/skbuff.h |6 - net/bridge/br_netfilter.c | 55 +--- net/ipv6/netfilter.c |1 + 4

[PATCH 02/32] netfilter: bridge: refactor clearing BRNF_NF_BRIDGE_PREROUTING

2015-06-15 Thread Pablo Neira Ayuso
From: Bernhard Thaler bernhard.tha...@wvnet.at use binary AND on complement of BRNF_NF_BRIDGE_PREROUTING to unset bit in nf_bridge-mask. Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/bridge/br_netfilter.c |4 ++-- 1 file

[PATCH 08/32] netfilter: bridge: forward IPv6 fragmented packets

2015-06-15 Thread Pablo Neira Ayuso
Thaler bernhard.tha...@wvnet.at [pa...@netfilter.org: small changes to br_nf_dev_queue_xmit] Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux/netfilter_ipv6.h |2 + net/bridge/br_netfilter.c | 139 net/bridge/br_private.h

[PATCH 01/32] netfilter: conntrack: warn the user if there is a better helper to use

2015-06-15 Thread Pablo Neira Ayuso
Borkmann dan...@iogearbox.net Signed-off-by: Marcelo Ricardo Leitner marcelo.leit...@gmail.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/netfilter/nf_conntrack_proto_generic.c |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/netfilter

[PATCH 03/32] netfilter: bridge: re-order br_nf_pre_routing_finish_ipv6()

2015-06-15 Thread Pablo Neira Ayuso
From: Bernhard Thaler bernhard.tha...@wvnet.at Put br_nf_pre_routing_finish_ipv6() after daddr_was_changed() and br_nf_pre_routing_finish_bridge() to prepare calling these functions from there. Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at Signed-off-by: Pablo Neira Ayuso pa

[PATCH 05/32] netfilter: bridge: refactor frag_max_size

2015-06-15 Thread Pablo Neira Ayuso
its value in forward and xmit functions. Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux/skbuff.h|1 + net/bridge/br_netfilter.c | 20 +++- net/bridge/br_private.h |1 - 3 files changed, 8

[PATCH 00/32] Netfilter updates for net-next

2015-06-15 Thread Pablo Neira Ayuso
to use Pablo Neira Ayuso (5): netfilter: Kconfig: get rid of parens around depends on Merge branch 'master' of git://blackhole.kfki.hu/nf-next netfilter: nf_tables: attach net_device to basechain netfilter: nf_tables: add nft_register_basechain

[PATCH 31/32] netfilter: nf_tables: add nft_register_basechain() and nft_unregister_basechain()

2015-06-15 Thread Pablo Neira Ayuso
These wrapper functions take care of hook registration for basechains. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/netfilter/nf_tables_api.c | 52 + 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/net/netfilter

[PATCH 21/32] netfilter: ipset: Make sure listing doesn't grab a set which is just being destroyed.

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu There was a small window when all sets are destroyed and a concurrent listing of all sets could grab a set which is just being destroyed. Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu --- net/netfilter/ipset/ip_set_core.c | 49

[PATCH 26/32] netfilter: ipset: Introduce RCU locking in list type

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu Standard rculist is used. Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu --- net/netfilter/ipset/ip_set_list_set.c | 398 - 1 file changed, 189 insertions(+), 209 deletions(-) diff --git

[PATCH 20/32] netfilter: ipset: Fix parallel resizing and listing of the same set

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu When elements added to a hash:* type of set and resizing triggered, parallel listing could start to list the original set (before resizing) and continue with listing the new set. Fix it by references and using the original hash table for listing.

[PATCH 27/32] netfilter: ipset: Fix coding styles reported by checkpatch.pl

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu --- include/linux/netfilter/ipset/ip_set.h |5 +- include/uapi/linux/netfilter/ipset/ip_set.h |6 +- net/netfilter/ipset/ip_set_bitmap_gen.h | 11 +-

[PATCH 16/32] netfilter: ipset: Permit CIDR equal to the host address CIDR in IPv6

2015-06-15 Thread Pablo Neira Ayuso
From: Sergey Popovich popovich_ser...@mail.ua Permit userspace to supply CIDR length equal to the host address CIDR length in netlink message. Prohibit any other CIDR length for IPv6 variant of the set. Also return -IPSET_ERR_HASH_RANGE_UNSUPPORTED instead of generic -IPSET_ERR_PROTOCOL in IPv6

[PATCH 17/32] netfilter: ipset: Make sure we always return line number on batch

2015-06-15 Thread Pablo Neira Ayuso
From: Sergey Popovich popovich_ser...@mail.ua Even if we return with generic IPSET_ERR_PROTOCOL it is a good idea to return the line number if we are called in batch mode. Moreover we are not always exiting with IPSET_ERR_PROTOCOL. For example hash:ip,port,net may return IPSET_ERR_HASH_RANGE_UNSUPPORTED

[PATCH 15/32] netfilter: ipset: Check extensions attributes before getting extensions.

2015-06-15 Thread Pablo Neira Ayuso
From: Sergey Popovich popovich_ser...@mail.ua Make all extensions attributes checks within ip_set_get_extensions() and reduce number of duplicated code. Signed-off-by: Sergey Popovich popovich_ser...@mail.ua Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu ---

[PATCH 07/32] netfilter: bridge: re-order check_hbh_len()

2015-06-15 Thread Pablo Neira Ayuso
From: Bernhard Thaler bernhard.tha...@wvnet.at Prepare check_hbh_len() to be called from newly introduced br_validate_ipv6() in next commit. Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/bridge/br_netfilter.c | 111

[PATCH 09/32] net: ip_fragment: remove BRIDGE_NETFILTER mtu special handling

2015-06-15 Thread Pablo Neira Ayuso
doesn't use device mtu in such cases. Signed-off-by: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux/netfilter_bridge.h |7 --- net/bridge/br_netfilter.c|7 +++ net/ipv4/ip_output.c |4 3 files changed

[PATCH 10/32] netfilter: bridge: restore vlan tag when refragmenting

2015-06-15 Thread Pablo Neira Ayuso
Neira Ayuso pa...@netfilter.org --- net/bridge/br_netfilter.c | 10 ++ 1 file changed, 10 insertions(+) diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 1e62ae5..e4e5f2f 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -116,6 +116,8 @@ struct

[PATCH 28/32] netfilter: Kconfig: get rid of parens around depends on

2015-06-15 Thread Pablo Neira Ayuso
According to the reporter, they are not needed. Reported-by: Sergei Shtylyov sergei.shtyl...@cogentembedded.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/ipv4/netfilter/Kconfig |3 ++- net/ipv6/netfilter/Kconfig |3 ++- net/netfilter/Kconfig | 18

[PATCH 30/32] netfilter: nf_tables: attach net_device to basechain

2015-06-15 Thread Pablo Neira Ayuso
structure which is required by the netdev notification subscription that follows up in a patch to handle gone net_devices. Suggested-by: Patrick McHardy ka...@trash.net Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/net/netfilter/nf_tables.h|4 +- include/uapi/linux

[PATCH 06/32] netfilter: bridge: rename br_parse_ip_options

2015-06-15 Thread Pablo Neira Ayuso
bernhard.tha...@wvnet.at Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/bridge/br_netfilter.c |9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 1f30b28..962d5f8 100644 --- a/net/bridge/br_netfilter.c +++ b

[PATCH 22/32] netfilter:ipset Remove rbtree from hash:net,iface

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu Remove rbtree in order to introduce RCU instead of rwlock in ipset Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu --- net/netfilter/ipset/ip_set_hash_netiface.c | 163 1 file changed, 20 insertions(+), 143

[PATCH 25/32] netfilter: ipset: Introduce RCU locking in hash:* types

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu Three types of data need to be protected in the case of the hash types: a. The hash buckets: standard rcu pointer operations are used. b. The element blobs in the hash buckets are stored in an array and a bitmap is used for book-keeping to tell

[PATCH 13/32] netfilter: ipset: Use MSEC_PER_SEC consistently

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu --- include/linux/netfilter/ipset/ip_set_timeout.h |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h

[PATCH 19/32] netfilter: ipset: Fix cidr handling for hash:*net* types

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu Commit Simplify cidr handling for hash:*net* types broke the cidr handling for the hash:*net* types when the sets were used by the SET target: entries with invalid cidr values were added to the sets. Reported by Jonathan Johnson. Testsuite entry is

[PATCH 11/32] netfilter: xtables: use percpu rule counters

2015-06-15 Thread Pablo Neira Ayuso
Dumazet eduma...@google.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux/netfilter/x_tables.h | 49 net/ipv4/netfilter/arp_tables.c| 32 +++ net/ipv4/netfilter/ip_tables.c | 31

[PATCH 18/32] netfilter: ipset: Check CIDR value only when attribute is given

2015-06-15 Thread Pablo Neira Ayuso
From: Sergey Popovich popovich_ser...@mail.ua There is no reason to check the CIDR value regardless of whether the attribute specifying CIDR is given. Initialize cidr array in element structure on element structure declaration to let more freedom to the compiler to optimize initialization right before element

[PATCH 14/32] netfilter: ipset: Use SET_WITH_*() helpers to test set extensions

2015-06-15 Thread Pablo Neira Ayuso
From: Sergey Popovich popovich_ser...@mail.ua Signed-off-by: Sergey Popovich popovich_ser...@mail.ua Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu --- net/netfilter/ipset/ip_set_core.c | 12 ++-- net/netfilter/ipset/ip_set_hash_gen.h |2 +- 2 files changed, 7

[PATCH 12/32] netfilter: xtables: avoid percpu ruleset duplication

2015-06-15 Thread Pablo Neira Ayuso
...@redhat.com Signed-off-by: Florian Westphal f...@strlen.de Acked-by: Eric Dumazet eduma...@google.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux/netfilter/x_tables.h |4 +-- net/ipv4/netfilter/arp_tables.c| 50 +-- net/ipv4/netfilter/ip_tables.c

[PATCH 29/32] netfilter: x_tables: remove XT_TABLE_INFO_SZ and a dereference.

2015-06-15 Thread Pablo Neira Ayuso
compiler. Then, we attempt a kmalloc() if total size is under order-3 allocation, to reduce TLB pressure, as in many cases, rules fit in 32 KB. Signed-off-by: Eric Dumazet eduma...@google.com Cc: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/linux

[PATCH 23/32] netfilter: ipset: Prepare the ipset core to use RCU at set level

2015-06-15 Thread Pablo Neira Ayuso
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu Replace rwlock_t with spinlock_t in struct ip_set and change the locking accordingly. Convert the comment extension into an rcu-aware object. Also, simplify the timeout routines. Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu ---

Re: [PATCH net-next 00/15] Simplify netfilter and network namespaces

2015-06-15 Thread Pablo Neira Ayuso
Hi Eric, On Sun, Jun 14, 2015 at 10:07:30PM -0500, Eric W. Biederman wrote: While looking into what it would take to route packets out to network devices in other network namespaces I started looking at the netfilter hooks, and there is a lot of nasty code to figure out which network

[PATCH 4/4] netfilter: nf_tables: add netdev table to filter from ingress

2015-05-28 Thread Pablo Neira Ayuso
This allows us to create netdev tables that contain ingress chains. Use skb_header_pointer() as we may see shared sk_buffs at this stage. This change provides access to the existing nf_tables features from the ingress hook. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/net

[PATCH 0/4] Netfilter updates for net-next

2015-05-28 Thread Pablo Neira Ayuso
from ingress (2015-05-26 18:41:23 +0200) Florian Westphal (1): netfilter: remove unused comefrom hookmask argument Pablo Neira Ayuso (3): netfilter: default CONFIG_NETFILTER_INGRESS to y netfilter: nf_tables: allow

[PATCH 3/4] netfilter: nf_tables: allow to bind table to net_device

2015-05-28 Thread Pablo Neira Ayuso
This patch adds the internal NFT_AF_NEEDS_DEV flag to indicate that you must attach this table to a net_device. This change is required by the follow up patch that introduces the new netdev table. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/net/netfilter/nf_tables.h

[PATCH 1/4] netfilter: remove unused comefrom hookmask argument

2015-05-28 Thread Pablo Neira Ayuso
From: Florian Westphal f...@strlen.de Signed-off-by: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/ipv4/netfilter/ip_tables.c |4 +--- net/ipv6/netfilter/ip6_tables.c |4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git

[PATCH 2/4] netfilter: default CONFIG_NETFILTER_INGRESS to y

2015-05-28 Thread Pablo Neira Ayuso
Useful to compile-test all options. Suggested-by: Alexei Starovoitov a...@plumgrid.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/netfilter/Kconfig |1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index db1c674..9a89e7c 100644

Re: [PATCH 2/4] netfilter: default CONFIG_NETFILTER_INGRESS to y

2015-05-29 Thread Pablo Neira Ayuso
On Fri, May 29, 2015 at 08:19:35AM +0200, Jan Engelhardt wrote: On Friday 2015-05-29 01:44, Pablo Neira Ayuso wrote: Useful to compile-test all options. --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -3,6 +3,7 @@ menu Core Netfilter Configuration config NETFILTER_INGRESS

[PATCH net] Netfilter fix for net

2015-06-01 Thread Pablo Neira Ayuso
Hi David, The following patch reverts the ebtables chunk that enforces counters that was introduced in the recently applied d26e2c9ffa38 ('Revert netfilter: ensure number of counters is 0 in do_replace()') since this breaks ebtables. You can pull this change from:

[PATCH net] Revert netfilter: ensure number of counters is 0 in do_replace()

2015-06-01 Thread Pablo Neira Ayuso
Reverting the ebtables part of 1086bbe97a07 makes this work again. Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/bridge/netfilter/ebtables.c |4 1 file changed, 4 deletions(-) diff --git a/net/bridge/netfilter

Re: [PATCH net] uapi: fix compatibility of linux/in.h with netinet/in.h

2015-06-29 Thread Pablo Neira Ayuso
On Thu, Jun 25, 2015 at 11:12:06PM -0400, Stephen Hemminger wrote: This fixes breakage to iproute2 build with recent kernel headers caused by: commit a263653ed798216c0069922d7b5237ca49436007 Author: Pablo Neira Ayuso pa...@netfilter.org Date: Wed Jun 17 10:28:27 2015 -0500

[PATCH 3/3 nf-next] netfilter: nf_tables: add netdev table to filter from ingress

2015-05-25 Thread Pablo Neira Ayuso
This allows us to create netdev tables that contain ingress chains. Use skb_header_pointer() as we may see shared sk_buffs at this stage. This change provides access to the existing nf_tables features from the ingress hook. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/net

[PATCH nft] src: add netdev family support

2015-05-25 Thread Pablo Neira Ayuso
netdev eth0 ingress counter or a bit more elaborated test like: http://people.netfilter.org/pablo/nft-ingress.ruleset More information will be available at the nftables documentation site [1]. [1] http://wiki.nftables.org/ Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- doc/nft.xml

[PATCH 2/3 nf-next] netfilter: nf_tables: allow to bind table to net_device

2015-05-25 Thread Pablo Neira Ayuso
This patch adds the internal NFT_AF_NEEDS_DEV flag to indicate that you must attach this table to a net_device. This change is required by the follow-up patch that introduces the new netdev table. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/net/netfilter/nf_tables.h

[PATCH 1/3 nf-next] netfilter: default CONFIG_NETFILTER_INGRESS to y

2015-05-25 Thread Pablo Neira Ayuso
Useful to compile-test all options. Suggested-by: Alexei Starovoitov a...@plumgrid.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/netfilter/Kconfig |1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index db1c674..9a89e7c

[PATCH libnftnl] table: add netdev family support

2015-05-25 Thread Pablo Neira Ayuso
This adds support for the new 'netdev' family tables. Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/buffer.h|1 + include/libnftnl/table.h|1 + include/linux/netfilter.h |8 include/linux/netfilter/nf_tables.h

[PATCH 0/3 nf-next] nf_tables support at ingress

2015-05-25 Thread Pablo Neira Ayuso
prepare more patches to revisit our existing limit expression and to add support for the tee expression. If no objections, I'll enqueue this patchset to the nf-next tree. Thanks. [1] https://lwn.net/Articles/644937/ Pablo Neira Ayuso (3): netfilter: default CONFIG_NETFILTER_INGRESS to y

Re: [PATCH 1/3 nf-next] netfilter: default CONFIG_NETFILTER_INGRESS to y

2015-05-26 Thread Pablo Neira Ayuso
On Tue, May 26, 2015 at 09:44:44AM +0900, Simon Horman wrote: Hi Pablo, On Mon, May 25, 2015 at 02:46:40PM +0200, Pablo Neira Ayuso wrote: Useful to compile-test all options. Suggested-by: Alexei Starovoitov a...@plumgrid.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org

Re: [PATCH 2/3 nf-next] netfilter: nf_tables: allow to bind table to net_device

2015-05-26 Thread Pablo Neira Ayuso
On Tue, May 26, 2015 at 09:48:41AM +0900, Simon Horman wrote: Hi Pablo, On Mon, May 25, 2015 at 02:46:41PM +0200, Pablo Neira Ayuso wrote: This patch adds the internal NFT_AF_NEEDS_DEV flag to indicate that you must attach this table to a net_device. This change is required

Re: netfilter: ensure number of counters is 0 in do_replace()

2015-05-21 Thread Pablo Neira Ayuso
On Tue, May 19, 2015 at 08:55:17PM -0400, Dave Jones wrote: After improving setsockopt() coverage in trinity, I started triggering vmalloc failures pretty reliably from this code path: warn_alloc_failed+0xe9/0x140 __vmalloc_node_range+0x1be/0x270 vzalloc+0x4b/0x50 __do_replace+0x52/0x260

[PATCH 2/3] netfilter: ensure number of counters is 0 in do_replace()

2015-05-22 Thread Pablo Neira Ayuso
exists in ebtables, arptables, ipv6, and the compat variants. Signed-off-by: Dave Jones da...@codemonkey.org.uk Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/bridge/netfilter/ebtables.c |4 net/ipv4/netfilter/arp_tables.c |6 ++ net/ipv4/netfilter/ip_tables.c |6
