netfilter: fix race condition in ipset save and delete
This fix adds a new reference counter (ref_kernel) for the struct ip_set.
The other reference counter (ref) is used to track references from the
userspace and we need a separate counter to keep track of in-kernel
references. Using the same ref
>I'm happy to announce ipset 6.28 with a couple of important fixes, some
>compatibility improvements and corrections.
> - Support older pkg-config packages
Whatever you did, it broke.
[ 51s] checking for libmnl... no
[ 51s] configure: error: in `/home/abuild/rpmbuild/BUILD/ipset-default-6.
Hi,
I'm happy to announce ipset 6.28 with a couple of important fixes, some
compatibility improvements and corrections.
Userspace changes:
- Support older pkg-config packages
- Add bash completion to the install routine (Mart Frauenlob)
- Fix misleading error message with comment extension
Avoid printing the reject with value in the translation when the value
is the default.
Before this patch:
$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type
port-unreachable
After this patch:
$ sudo ip6
Avoid printing the reject with value in the translation when the value is the
default.
Before this patch:
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type
port-unreachable
After this patch:
$ sudo iptabl
Add translation for icmp to nftables. ICMP codes not supported in nftables
are: network-unreachable, host-unreachable, protocol-unreachable,
port-unreachable, fragmentation-needed, source-route-failed,
network-unknown, host-unknown, network-prohibited, host-prohibited,
TOS-network-unreachable, TOS-
On Sun, Feb 21, 2016 at 12:03:59AM +0800, Zhouyi Zhou wrote:
> I think hackers could build a malicious h323 packet to overflow
> the pointer p, which will panic during the memcpy(addr, p, len).
> For example, he may fabricate a very large taddr->ipAddress.ip in
> function get_h225_addr.
>
> To avoi
Add the --disable-connlabel option and the appropriate functionality
associated with it.
After this patch, iptables configuration shows up as:
Iptables Configuration:
IPv4 support: yes
IPv6 support: yes
Devel support:ye
On Thu, Mar 10, 2016 at 10:40:29PM +0530, Shivani Bhardwaj wrote:
> Add the --disable-connlabel option and the appropriate functionality
> associated with it.
>
> After this patch, iptables configuration shows up as:
>
> Iptables Configuration:
> IPv4 support: yes
> IP
On Fri, Mar 11, 2016 at 05:06:04PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport
>
> Examples :
> $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
> nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp
> sport
> { ssh - http }
On Fri, Mar 11, 2016 at 08:49:32PM +0100, Roberto García wrote:
> Remove the log level when default is used
>
> Before:
> $ sudo iptables-translate -I INPUT -j LOG
> nft add rule filter INPUT log level warning
>
> After:
> $ sudo iptables-translate -I INPUT -j LOG
> nft ad
On Fri, Mar 11, 2016 at 04:34:06PM +0100, Florian Westphal wrote:
> Yuriy M. Kaminskiy wrote:
> > BTW, all those hash/conntrack/etc default sizes was calculated from
> > physical memory size in assumption there will be only *one* instance of
> > those tables. Obviously, introduction of network nam
On Thu, Mar 10, 2016 at 10:37:16PM +0100, Carlos Falgueras García wrote:
> Now it is possible to store multiple variable length user data into rule.
> Modify the parser in order to fill the nftnl_udata with the comment, and
> the print function to extract these comments and print them to the user.
>
Hi Carlos,
Almost there, just a bit more small incremental changes.
On Thu, Mar 10, 2016 at 10:37:13PM +0100, Carlos Falgueras García wrote:
> These functions allow creating a buffer (nftnl_udata_buf) of TLV objects
> (nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store
>
On Thu, Mar 10, 2016 at 01:56:23AM +0100, Florian Westphal wrote:
> Ben Hawkes says:
> integer overflow in xt_alloc_table_info, which on 32-bit systems can
> lead to small structure allocation and a copy_from_user based heap
> corruption.
Applied, thanks Florian. I have slightly mangled this pa