[PATCH] netfilter: fix race condition in ipset save and delete

2016-03-12 Thread Vishwanath Pai
netfilter: fix race condition in ipset save and delete This fix adds a new reference counter (ref_kernel) for the struct ip_set. The other reference counter (ref) is used to track references from the userspace and we need a separate counter to keep track of in-kernel references. Using the same ref

Re: [ANNOUNCE] ipset 6.28 released

2016-03-12 Thread Jan Engelhardt
>I'm happy to announce ipset 6.28 with a couple of important fixes, some >compatibility improvements and corrections. > - Support older pkg-config packages Whatever you did, it broke. [ 51s] checking for libmnl... no [ 51s] configure: error: in `/home/abuild/rpmbuild/BUILD/ipset-default-6.

[ANNOUNCE] ipset 6.28 released

2016-03-12 Thread Jozsef Kadlecsik
Hi, I'm happy to announce ipset 6.28 with a couple of important fixes, some compatibility improvements and corrections. Userspace changes: - Support older pkg-config packages - Add bash completion to the install routine (Mart Frauenlob) - Fix misleading error message with comment extension

[PATCH] extensions: libip6t_REJECT: Avoid to print the default reject with value in the translation

2016-03-12 Thread Laura Garcia Liebana
Avoid printing the reject with value in the translation when the value is the default. Before this patch: $ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type port-unreachable After this patch: $ sudo ip6

[PATCH] extensions: libipt_REJECT: Avoid to print the default reject with value in the translation

2016-03-12 Thread Laura Garcia Liebana
Avoid printing the reject with value in the translation when the value is the default. Before this patch: $ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable After this patch: $ sudo iptabl

[PATCHv6] extensions: libipt_icmp: Add translation to nft

2016-03-12 Thread Laura Garcia Liebana
Add translation for icmp to nftables. The icmp codes not supported in nftables are: network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-

Re: [PATCH V7] netfilter: h323: avoid potential attack

2016-03-12 Thread Pablo Neira Ayuso
On Sun, Feb 21, 2016 at 12:03:59AM +0800, Zhouyi Zhou wrote: > I think hackers could build a malicious h323 packet to overflow > the pointer p which will panic during the memcpy(addr, p, len) > For example, he may fabricate a very large taddr->ipAddress.ip in > function get_h225_addr. > > To avoi

[PATCH v3] configure: Show support for connlabel

2016-03-12 Thread Shivani Bhardwaj
Add the --disable-connlabel option and the appropriate functionality associated with it. After this patch, iptables configuration shows up as: Iptables Configuration: IPv4 support: yes IPv6 support: yes Devel support:ye

Re: [PATCH v2] configure: Show support for connlabel

2016-03-12 Thread Pablo Neira Ayuso
On Thu, Mar 10, 2016 at 10:40:29PM +0530, Shivani Bhardwaj wrote: > Add the --disable-connlabel option and the appropriate functionality > associated with it. > > After this patch, iptables configuration shows up as: > > Iptables Configuration: > IPv4 support: yes > IP

Re: [PATCH v4] extensions: libxt_multiport: Add translation to nft

2016-03-12 Thread Pablo Neira Ayuso
On Fri, Mar 11, 2016 at 05:06:04PM +0530, Piyush Pangtey wrote: > Added full translation for multiport > > Examples: > $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT > nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp > sport > { ssh - http }

Re: [PATCH] extensions: libip6t_LOG: Avoid to print the default log level in the translation

2016-03-12 Thread Pablo Neira Ayuso
On Fri, Mar 11, 2016 at 08:49:32PM +0100, Roberto García wrote: > Remove the log level when default is used > > Before: > $ sudo iptables-translate -I INPUT -j LOG > nft add rule filter INPUT log level warning > > After: > $ sudo iptables-translate -I INPUT -j LOG > nft ad

Re: userns, netns, and quick physical memory consumption by unprivileged user

2016-03-12 Thread Pablo Neira Ayuso
On Fri, Mar 11, 2016 at 04:34:06PM +0100, Florian Westphal wrote: > Yuriy M. Kaminskiy wrote: > > BTW, all those hash/conntrack/etc default sizes were calculated from > > physical memory size on the assumption that there would be only *one* instance of > > those tables. Obviously, introduction of network nam

Re: [PATCH 4/4 v4] nftables: rule: Change the field "rule->comment" for an nftnl_udata_buf

2016-03-12 Thread Pablo Neira Ayuso
On Thu, Mar 10, 2016 at 10:37:16PM +0100, Carlos Falgueras García wrote: > Now it is possible to store multiple variable length user data into a rule. > Modify the parser to fill the nftnl_udata with the comment, and > the print function to extract these comments and print them to the user. >

Re: [PATCH 1/4 v4] libnftnl: Implement new buffer of TLV objects

2016-03-12 Thread Pablo Neira Ayuso
Hi Carlos, Almost there, just a bit more small incremental changes. On Thu, Mar 10, 2016 at 10:37:13PM +0100, Carlos Falgueras García wrote: > These functions allow creating a buffer (nftnl_udata_buf) of TLV objects > (nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store >

Re: [PATCH nf] netfilter: x_tables: check for size overflow

2016-03-12 Thread Pablo Neira Ayuso
On Thu, Mar 10, 2016 at 01:56:23AM +0100, Florian Westphal wrote: > Ben Hawkes says: > integer overflow in xt_alloc_table_info, which on 32-bit systems can > lead to small structure allocation and a copy_from_user based heap > corruption. Applied, thanks Florian. I have slightly mangled this pa