[PATCH -stable 3.12.y] netfilter: x_tables: speed up jump target validation

2016-08-01 Thread Florian Westphal
[ Upstream commit f4dc77713f8016d2e8a3295e1c9c53a21f296def ] The dummy ruleset I used to test the original validation change was broken, most rules were unreachable and were not tested by mark_source_chains(). In some cases rulesets that used to load in a few seconds now require several minutes.

[PATCH -stable 4.4.y] netfilter: x_tables: speed up jump target validation

2016-08-01 Thread Florian Westphal
[ Upstream commit f4dc77713f8016d2e8a3295e1c9c53a21f296def ] The dummy ruleset I used to test the original validation change was broken, most rules were unreachable and were not tested by mark_source_chains(). In some cases rulesets that used to load in a few seconds now require several minutes.

[PATCH -stable 3.14.y] netfilter: x_tables: speed up jump target validation

2016-08-01 Thread Florian Westphal
[ Upstream commit f4dc77713f8016d2e8a3295e1c9c53a21f296def ] The dummy ruleset I used to test the original validation change was broken, most rules were unreachable and were not tested by mark_source_chains(). In some cases rulesets that used to load in a few seconds now require several minutes.

[PATCH -stable 3.18.y] netfilter: x_tables: speed up jump target validation

2016-08-01 Thread Florian Westphal
[ Upstream commit f4dc77713f8016d2e8a3295e1c9c53a21f296def ] The dummy ruleset I used to test the original validation change was broken, most rules were unreachable and were not tested by mark_source_chains(). In some cases rulesets that used to load in a few seconds now require several minutes.

Re: [nft PATCH 0/7] add payload set support for sub-byte sizes

2016-08-01 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Jul 27, 2016 at 02:43:09AM +0200, Florian Westphal wrote: > > This series adds support for setting ipv6 flowlabel and e.g. > > ecn/dscp header fields for ipv4 and ipv6 by adding the needed > > bitwise ops (and removing them during netlink

Re: [nft PATCH 3/7] evaluate: add support to set IPv6 non-byte header fields

2016-08-01 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Jul 27, 2016 at 02:43:12AM +0200, Florian Westphal wrote: > > 'ip6 ecn set 1' will generate a zero-sized write operation. > > Just like when matching on bit-sized header fields we need to > > round up to a byte-sized quantity and add a mask

Re: [RFC nft] meta: deprecate unqualified meta statements

2016-08-01 Thread Pablo Neira Ayuso
On Wed, Jul 27, 2016 at 04:17:33AM +0200, Florian Westphal wrote: > During NFWS we discussed reducing the number of keywords in nftables. > > Obviously keywords are required for the parser to know what to expect. > > But always requiring the 'meta' keyword would allow us to handle > iif, oif,

Re: [PATCH] manpages: do not adjust reject-with type footnote indentation

2016-08-01 Thread Pablo Neira Ayuso
On Tue, Jul 26, 2016 at 03:14:22PM +0100, Sami Kerola wrote: > The footnote clarification to option argument documentation, so keep the > indentation level same as for the arguments. Applied, thanks.

Re: [PATCH iptables] iptables-translate: add in/out ifname wildcard match translation to nft

2016-08-01 Thread Pablo Neira Ayuso
On Sat, Jul 30, 2016 at 01:20:59PM +0800, Liping Zhang wrote: > From: Liping Zhang > > In iptables, "-i eth+" means match all in ifname with the prefix "eth". > But in nftables, this was changed to "iifname eth*". So we should handle > this subtle difference. > >

[PATCH libnftnl] src: don't set data_len to zero when returning pointers

2016-08-01 Thread Pablo Neira Ayuso
nft already assumes that passing NULL as data_len is valid, otherwise it crashes. Fix this by leaving data_len unset in this specific case. Fixes: bda7102 ("src: Fix nftnl_*_get_data() to return the real attribute length") Signed-off-by: Pablo Neira Ayuso ---

[PATCH nf] netfilter: nft_rbtree: ignore inactive matching element with no descendants

2016-08-01 Thread Pablo Neira Ayuso
If we find a matching element that is inactive with no descendants, we jump to the found label, then crash because of a NULL dereference on the left branch. Fix this by checking that the element is active and not an interval end and skipping the logic that only applies to the tree iteration.

Re: [nft PATCH 0/7] add payload set support for sub-byte sizes

2016-08-01 Thread Pablo Neira Ayuso
On Wed, Jul 27, 2016 at 02:43:09AM +0200, Florian Westphal wrote: > This series adds support for setting ipv6 flowlabel and e.g. > ecn/dscp header fields for ipv4 and ipv6 by adding the needed > bitwise ops (and removing them during netlink decoding). I'm hitting whitespace errors here:

Re: [nft PATCH 4/7] netlink: decode payload statement

2016-08-01 Thread Pablo Neira Ayuso
On Wed, Jul 27, 2016 at 02:43:13AM +0200, Florian Westphal wrote: > This allows nft to display payload set operations if the > header isn't byte aligned or has non-byte divisible sizes. > > Signed-off-by: Florian Westphal > --- > src/netlink_delinearize.c | 165 >

Re: [nft PATCH 3/7] evaluate: add support to set IPv6 non-byte header fields

2016-08-01 Thread Pablo Neira Ayuso
On Wed, Jul 27, 2016 at 02:43:12AM +0200, Florian Westphal wrote: > 'ip6 ecn set 1' will generate a zero-sized write operation. > Just like when matching on bit-sized header fields we need to > round up to a byte-sized quantity and add a mask to retain those > bits outside of the header bits that