Re: [PATCH 00/28] Reenable maybe-uninitialized warnings

2016-10-17 Thread Christoph Hellwig
On Tue, Oct 18, 2016 at 12:03:28AM +0200, Arnd Bergmann wrote: > This is a set of patches that I hope to get into v4.9 in some form > in order to turn on the -Wmaybe-uninitialized warnings again. Hi Arnd, I just complained to Geert that I was introducing way too many bugs or pointless warnings

[PATCH nftables] Fix register allocation for EXPR_SET_ELEM

2016-10-17 Thread Anders K. Pedersen | Cohaesio
From: Anders K. Pedersen I noticed that while # nft add rule ip6 filter postrouting \ flow table acct_out \{ meta iif . ip6 saddr timeout 600s counter \} works, the opposite order for the concatenated expressions fails: # nft add rule ip6 filter postrouting \

[PATCH 28/28] Kbuild: bring back -Wmaybe-uninitialized warning

2016-10-17 Thread Arnd Bergmann
Traditionally, we have always had warnings about uninitialized variables enabled, as this is part of -Wall, and generally a good idea [1], but it also always produced false positives, mainly because this is a variation of the halting problem and provably impossible to get right in all cases [2].

[PATCH 01/28] [v2] netfilter: nf_tables: avoid uninitialized variable warning

2016-10-17 Thread Arnd Bergmann
The newly added nft_range_eval() function handles the two possible nft range operations, but as the compiler warning points out, any unexpected value would lead to the 'mismatch' variable being used without being initialized: net/netfilter/nft_range.c: In function 'nft_range_eval':

[PATCH 00/28] Reenable maybe-uninitialized warnings

2016-10-17 Thread Arnd Bergmann
This is a set of patches that I hope to get into v4.9 in some form in order to turn on the -Wmaybe-uninitialized warnings again. After talking to Linus in person at Linaro Connect about this, I spent some time on finding all the remaining warnings, and this is the resulting patch series. More

[PATCH nf] netfilter: x_tables: suppress kmemcheck warning

2016-10-17 Thread Florian Westphal
Markus Trippelsdorf reports: WARNING: kmemcheck: Caught 64-bit read from uninitialized memory (88001e605480) 4055601e008890686d81 u u u u u u u u u u u u u u u u i i i i i i i i u u u u u u u u ^ |RIP: 0010:[] [] nf_register_net_hook+0x51/0x160

Re: [PATCH nf,v2] netfilter: nf_queue: don't re-enter same hook on packet reinjection

2016-10-17 Thread Aaron Conole
Pablo Neira Ayuso writes: > On Mon, Oct 17, 2016 at 11:23:01AM -0400, Aaron Conole wrote: >> Pablo Neira Ayuso writes: >> >> > Make sure we skip the current hook from where the packet was enqueued, >> > otherwise the packets get enqueued over and over

Re: [PATCH nf-next 0/2] netfilter: autoload NAT support for non-builtin L4 protocols

2016-10-17 Thread Pablo Neira Ayuso
On Thu, Oct 06, 2016 at 07:09:27PM +0200, Davide Caratti wrote: > this series fixes SNAT/DNAT rules where port number translation is > explicitly configured, but only the L3 address is translated: > > # iptables -t nat -A POSTROUTING -o eth1 -p stcp -j SNAT --to-source > 10.0.0.1:61000 > #

Re: [PATCH nf,v2] netfilter: nf_queue: don't re-enter same hook on packet reinjection

2016-10-17 Thread Pablo Neira Ayuso
On Mon, Oct 17, 2016 at 11:23:01AM -0400, Aaron Conole wrote: > Pablo Neira Ayuso writes: > > > Make sure we skip the current hook from where the packet was enqueued, > > otherwise the packets get enqueued over and over again. > > > > Fixes: e3b37f11e6e4 ("netfilter: replace

Re: [PATCH 00/10, nf-next] Netfilter core updates

2016-10-17 Thread Pablo Neira Ayuso
On Mon, Oct 17, 2016 at 09:52:14AM -0400, Aaron Conole wrote: > Florian Westphal writes: > > > Pablo Neira Ayuso wrote: > >> Let me know if you have any comment, otherwise I'll place this in the > >> nf-next tree so we can follow up working on top of these.

Re: [PATCH nft] src: support ct l3proto/protocol without direction syntax

2016-10-17 Thread Pablo Neira Ayuso
On Thu, Sep 22, 2016 at 10:34:52PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Actually, ct l3proto and ct protocol are unrelated to direction, so > it's unnecessary that we must specify dir if we want to use them. > > Now add support that we can match ct

Re: [libnftnl PATCH] libnftnl: update Arturo Borrero Gonzalez email

2016-10-17 Thread Pablo Neira Ayuso
On Mon, Oct 10, 2016 at 12:26:34PM +0200, Arturo Borrero Gonzalez wrote: > Update Arturo Borrero Gonzalez email address. Applied, thanks Arturo.

[PATCH libnftnl] set_elem: don't add NFTA_SET_ELEM_LIST_ELEMENTS attribute if set is empty

2016-10-17 Thread Pablo Neira Ayuso
If the set is empty, don't send an empty NFTA_SET_ELEM_LIST_ELEMENTS netlink attributes with no elements. Signed-off-by: Pablo Neira Ayuso --- src/set_elem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/set_elem.c b/src/set_elem.c index

Re: [PATCH ulogd2] ulogd: fix crash when ipv4 packet is truncated

2016-10-17 Thread Pablo Neira Ayuso
On Tue, Oct 11, 2016 at 10:22:27PM +0800, Liping Zhang wrote: > From: Liping Zhang > > If ipv4 packet is truncated, we should not try to dereference the > iph pointer. Otherwise, if the user add such iptables rules > "-j NFLOG --nflog-size 0", we will dereference the
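
The truncated-header crash above is a generic pattern: any consumer of logged payload has to bound every header read by the length it actually received, and a rule with "--nflog-size 0" delivers a payload with no header bytes at all. The C block below is an added example written for this archive page, not code from ulogd or from the patch; the packet bytes are constructed here and the function and struct names (parse_ipv4, ipv4_info, saddr_of) are my own. It reads only as much of an IPv4 header as the delivered length covers and rejects anything shorter, including options cut off by a truncated capture.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IPV4_MIN_HDR 20u

struct ipv4_info {
	uint32_t saddr;
	uint32_t daddr;
	uint8_t protocol;
	unsigned int hdr_len;
};

/* Read a big-endian 32-bit value byte by byte: no alignment assumptions. */
static uint32_t be32_at(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse an IPv4 header from a payload that may have been truncated by the
 * logger. Every read is guarded by the length actually delivered, so a
 * zero-length or cut-off payload is rejected instead of dereferenced. */
static bool parse_ipv4(const uint8_t *buf, size_t len, struct ipv4_info *out)
{
	unsigned int ihl;

	if (buf == NULL || len < IPV4_MIN_HDR)
		return false;			/* fixed header not fully present */
	if ((buf[0] >> 4) != 4)
		return false;			/* not IPv4 */
	ihl = (buf[0] & 0x0f) * 4u;
	if (ihl < IPV4_MIN_HDR || ihl > len)
		return false;			/* bogus IHL, or options cut off */

	out->protocol = buf[9];
	out->saddr = be32_at(buf + 12);
	out->daddr = be32_at(buf + 16);
	out->hdr_len = ihl;
	return true;
}

/* Constructed sample: IPv4, IHL 5, TCP, 10.0.0.1 -> 192.0.2.7. */
static const uint8_t sample_pkt[20] = {
	0x45, 0x00, 0x00, 0x28,		/* version 4, IHL 5, tos 0, total length 40 */
	0x1c, 0x46, 0x40, 0x00,		/* id, DF flag, fragment offset 0 */
	0x40, 0x06, 0x00, 0x00,		/* ttl 64, protocol 6 (TCP), checksum unchecked here */
	10, 0, 0, 1,			/* saddr 10.0.0.1 */
	192, 0, 2, 7,			/* daddr 192.0.2.7 */
};

/* Same header with IHL 6 and four NOP option bytes: 24 bytes on the wire. */
static const uint8_t sample_pkt_opts[24] = {
	0x46, 0x00, 0x00, 0x2c,
	0x1c, 0x46, 0x40, 0x00,
	0x40, 0x06, 0x00, 0x00,
	10, 0, 0, 1,
	192, 0, 2, 7,
	0x01, 0x01, 0x01, 0x01,		/* options: NOP NOP NOP NOP */
};

/* Wrappers returning plain values: source address, or 0 when the header
 * was rejected (0.0.0.0 is never a valid unicast source). */
static uint32_t saddr_of(const uint8_t *buf, size_t len)
{
	struct ipv4_info info;
	return parse_ipv4(buf, len, &info) ? info.saddr : 0;
}

static unsigned int hdr_len_of(const uint8_t *buf, size_t len)
{
	struct ipv4_info info;
	return parse_ipv4(buf, len, &info) ? info.hdr_len : 0;
}
```

The length passed to parse_ipv4() must be the number of bytes actually delivered by the logging path, not the total length field inside the header; trusting the latter is exactly what lets a short capture turn into an out-of-bounds read.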

Re: [patch v2] netfilter: nf_tables: underflow in nft_parse_u32_check()

2016-10-17 Thread Pablo Neira Ayuso
On Wed, Oct 12, 2016 at 12:14:29PM +0300, Dan Carpenter wrote: > We don't want to allow negatives here. Applied, thanks.

Re: [patch] netfilter: nft_exthdr: fix error handling in nft_exthdr_init()

2016-10-17 Thread Pablo Neira Ayuso
On Wed, Oct 12, 2016 at 09:09:12AM +0300, Dan Carpenter wrote: > "err" needs to be signed for the error handling to work. Applied, thanks Dan.
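
Both Carpenter fixes above (the nft_parse_u32_check() underflow and the unsigned "err" in nft_exthdr_init()) come down to integer signedness: a negative errno stored in an unsigned variable can never test as negative, and a u32 compared against a signed bound turns a negative bound into an enormous one. The C below is an added example written for this page, not the kernel code from either patch; lookup_offset() is a hypothetical helper, and the check_u32_* functions illustrate the pitfall and one way to close it rather than the exact change applied upstream.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical helper in the kernel style: offset on success, negative
 * errno on failure. */
static int lookup_offset(unsigned int type)
{
	if (type == 0)
		return -EINVAL;
	return (int)type * 4;
}

/* Broken pattern: "err" is unsigned, so "err < 0" is never true and the
 * negative errno is silently used as if it were a valid offset. */
static bool init_with_unsigned_err(unsigned int type, unsigned int *offset)
{
	unsigned int err = lookup_offset(type);

	if (err < 0)			/* always false for an unsigned type */
		return false;
	*offset = err;			/* -EINVAL becomes 0xfffffffe */
	return true;
}

/* Correct pattern: a signed "err" makes the check meaningful. */
static bool init_with_signed_err(unsigned int type, unsigned int *offset)
{
	int err = lookup_offset(type);

	if (err < 0)
		return false;
	*offset = (unsigned int)err;
	return true;
}

/* Broken bound check: "val > max" with a u32 val and an int max converts
 * max to unsigned, so max == -1 becomes 0xffffffff and accepts anything. */
static int check_u32_signed_max(uint32_t val, int max)
{
	if (val > max)
		return -ERANGE;
	return 0;
}

/* One way to close it: refuse a negative bound up front, then compare in
 * the unsigned domain deliberately. */
static int check_u32_reject_negative(uint32_t val, int max)
{
	if (max < 0)
		return -EINVAL;
	if (val > (uint32_t)max)
		return -ERANGE;
	return 0;
}

/* Helpers returning plain values so the two behaviours can be compared. */
static bool unsigned_err_detects_failure(void)
{
	unsigned int off = 0;
	return !init_with_unsigned_err(0, &off);
}

static bool signed_err_detects_failure(void)
{
	unsigned int off = 0;
	return !init_with_signed_err(0, &off);
}
```

Building this with -Wall -Wextra shows the compiler already flags both constructs (comparison of an unsigned expression with 0, and a signed/unsigned comparison), which is the practical argument for keeping those warnings enabled in a tree like netfilter.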

Re: [PATCH net 1/2] conntrack: remove obsolete sysctl (nf_conntrack_events_retry_timeout)

2016-10-17 Thread Pablo Neira Ayuso
On Mon, Oct 10, 2016 at 03:57:37PM +0200, Florian Westphal wrote: > Nicolas Dichtel wrote: > > This entry has been removed in commit 9500507c6138. > > > > Fixes: 9500507c6138 ("netfilter: conntrack: remove timer from ecache > > extension") > > Signed-off-by: Nicolas

Re: [PATCH nf] netfilter: xt_NFLOG: fix unexpected truncated packet

2016-10-17 Thread Pablo Neira Ayuso
On Tue, Oct 11, 2016 at 10:26:27PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Justin and Chris spotted that iptables NFLOG target was broken when they > upgraded the kernel to 4.8: "ulogd-2.0.5- IPs are no longer logged" or > "results in segfaults in

Re: [PATCH nf] netfilter: xt_ipcomp: add "ip[6]t_ipcomp" module alias name

2016-10-17 Thread Pablo Neira Ayuso
On Wed, Oct 12, 2016 at 09:09:22PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Otherwise, user cannot add related rules if xt_ipcomp.ko is not loaded: > # iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 1 > iptables: No chain/target/match by that name.

Re: [PATCH nf] netfilter: nft_hash: add missing NFTA_HASH_OFFSET's nla_policy

2016-10-17 Thread Pablo Neira Ayuso
On Wed, Oct 12, 2016 at 09:10:45PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Missing the nla_policy description will also miss the validation check > in kernel. Also applied, thanks Liping.

Re: [PATCH nf,v2] netfilter: nf_queue: don't re-enter same hook on packet reinjection

2016-10-17 Thread Aaron Conole
Pablo Neira Ayuso writes: > Make sure we skip the current hook from where the packet was enqueued, > otherwise the packets get enqueued over and over again. > > Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list") > Signed-off-by: Pablo Neira Ayuso

[ANNOUNCE] ipset 6.30 released

2016-10-17 Thread Jozsef Kadlecsik
Hi, I'm happy to announce ipset 6.30 which introduces a new set type, hash:ip,mac, and brings a couple of small corrections and backports from the most recent kernel tree. Userspace changes: - Drop extra comma from error message (Neutron Soutmun) - Fix the incorrect dynamic/static modules

Re: [PATCH 00/10, nf-next] Netfilter core updates

2016-10-17 Thread Aaron Conole
Florian Westphal writes: > Pablo Neira Ayuso wrote: >> Let me know if you have any comment, otherwise I'll place this in the >> nf-next tree so we can follow up working on top of these. > > Please do, thanks! +1. Some of this work was in my back burner, so

[PATCH 18/22] netfilter: ipset: hash:ipmac type support added to ipset

2016-10-17 Thread Jozsef Kadlecsik
From: Tomasz Chilinski Signed-off-by: Tomasz Chiliński Signed-off-by: Jozsef Kadlecsik --- net/netfilter/ipset/Kconfig | 9 + net/netfilter/ipset/Makefile| 1 +

[PATCH 07/22] netfilter: ipset: Regroup ip_set_put_extensions and add extern

2016-10-17 Thread Jozsef Kadlecsik
Signed-off-by: Jozsef Kadlecsik --- include/linux/netfilter/ipset/ip_set.h | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index b5bd0fb3..7a218eb 100644 ---

[PATCH 10/22] netfilter: ipset: Count non-static extension memory for userspace

2016-10-17 Thread Jozsef Kadlecsik
Non-static (i.e. comment) extension was not counted into the memory size. A new internal counter is introduced for this. In the case of the hash types the sizes of the arrays are counted there as well so that we can avoid to scan the whole set when just the header data is requested.

[PATCH 02/22] netfilter: ipset: Headers file cleanup

2016-10-17 Thread Jozsef Kadlecsik
Remove extra whitespace, group counter helper together. Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich Signed-off-by: Jozsef Kadlecsik ---

[PATCH 09/22] netfilter: ipset: Add element count to all set types header

2016-10-17 Thread Jozsef Kadlecsik
It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types. Signed-off-by: Jozsef Kadlecsik --- include/linux/netfilter/ipset/ip_set.h| 2 ++

[PATCH 00/22] ipset patches for nf-next

2016-10-17 Thread Jozsef Kadlecsik
Hi Pablo, Please consider applying the next bunch of patches for ipset. There is a new set type in it (hash:ip,mac), element counts are reported to userspace in the set headers data and a couple of small cleanups, improvements * rcu_dereference_bh_nfnl() redefined to accept netfilter subsys id. *

[PATCH 17/22] netfilter: ipset: Fix reported memory size for hash:* types

2016-10-17 Thread Jozsef Kadlecsik
The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik --- net/netfilter/ipset/ip_set_hash_gen.h | 16 +--- 1 file changed, 9 insertions(+), 7

[PATCH 03/22] netfilter: ipset: Improve skbinfo get/init helpers

2016-10-17 Thread Jozsef Kadlecsik
Use struct ip_set_skbinfo in struct ip_set_ext instead of open coded fields and assign structure members in get/init helpers instead of copying members one by one. Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich

[PATCH 22/22] netfilter: ipset: hash: fix boolreturn.cocci warnings

2016-10-17 Thread Jozsef Kadlecsik
From: kbuild test robot net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in function 'hash_ipmac4_data_list' with return type bool net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in function 'hash_ipmac6_data_list' with

[PATCH 01/22] netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage

2016-10-17 Thread Jozsef Kadlecsik
When the rcu_dereference_bh_nfnl() macro is defined on the target system it accepts a pointer and a subsystem id. Check if rcu_dereference_bh_nfnl() is defined and make it accept two arguments. Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey

[PATCH 11/22] netfilter: ipset: Simplify mtype_expire() for hash types

2016-10-17 Thread Jozsef Kadlecsik
Remove redundant parameters nets_length and dsize: they can be obtained from other parameters. Remove one level of indentation by using continue while iterating over elements in a bucket. Ported from a patch proposed by Sergey Popovich . Signed-off-by: Jozsef Kadlecsik

[PATCH 19/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-17 Thread Jozsef Kadlecsik
From: Muhammad Falak R Wani Use setup_timer() instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer

[PATCH 12/22] netfilter: ipset: Make NLEN compile time constant for hash types

2016-10-17 Thread Jozsef Kadlecsik
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h and the only place where NLEN needed to be calculated at runtime is *_create() method. Ported from a patch proposed by Sergey Popovich . Signed-off-by: Jozsef Kadlecsik ---

[PATCH 15/22] netfilter: ipset: Make struct htype per ipset family

2016-10-17 Thread Jozsef Kadlecsik
Before this patch struct htype was created at the first source of ip_set_hash_gen.h and it was common for both IPv4 and IPv6 set variants. Make struct htype per ipset family and use NLEN to make the nets array fixed size to simplify struct htype allocation. Ported from a patch proposed by Sergey Popovich

[PATCH 04/22] netfilter: ipset: Improve comment extension helpers

2016-10-17 Thread Jozsef Kadlecsik
Allocate memory with kmalloc() rather than kzalloc(). Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich Signed-off-by: Jozsef Kadlecsik --- include/linux/netfilter/ipset/ip_set_comment.h

[PATCH 05/22] netfilter: ipset: Split extensions into separate files

2016-10-17 Thread Jozsef Kadlecsik
Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich Signed-off-by: Jozsef Kadlecsik --- include/linux/netfilter/ipset/ip_set.h | 95 +-

[PATCH 13/22] netfilter: ipset: Make sure element data size is a multiple of u32

2016-10-17 Thread Jozsef Kadlecsik
Data for hashing is required to be an array of u32. Make sure that the element data size is always a multiple of u32. Ported from a patch proposed by Sergey Popovich . Signed-off-by: Jozsef Kadlecsik --- net/netfilter/ipset/ip_set_hash_gen.h | 10 -- 1

[PATCH 21/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-17 Thread Jozsef Kadlecsik
From: Muhammad Falak R Wani Use setup_timer() instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer

[PATCH 20/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-17 Thread Jozsef Kadlecsik
From: Muhammad Falak R Wani Use setup_timer() instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer

[PATCH 06/22] netfilter: ipset: Separate memsize calculation code into dedicated function

2016-10-17 Thread Jozsef Kadlecsik
Hash types already have their memsize calculation code in separate functions. Do the same for *bitmap* and *list* sets. Ported from a patch proposed by Sergey Popovich . Suggested-by: Sergey Popovich Signed-off-by: Jozsef Kadlecsik

Re: [PATCH 00/10, nf-next] Netfilter core updates

2016-10-17 Thread Florian Westphal
Pablo Neira Ayuso wrote: > Let me know if you have any comment, otherwise I'll place this in the > nf-next tree so we can follow up working on top of these. Please do, thanks!

[PATCH 00/10, nf-next] Netfilter core updates

2016-10-17 Thread Pablo Neira Ayuso
This is second round of patches to improve Netfilter hooks performance, following several of the ideas that we discussed during NetDev 1.2. This patchset implements the following: 1) Deprecate NF_STOP, as this is only used by br_netfilter. 2) Remove threshold handling, this is also only used by

[PATCH 10/10] netfilter: merge nf_iterate() into nf_hook_slow()

2016-10-17 Thread Pablo Neira Ayuso
nf_iterate() has become rather simple, we can integrate this code into nf_hook_slow() to reduce the amount of LOC in the core path. However, we still need nf_iterate() around for nf_queue packet handling, so move this function there where we only need it. I think it should be possible to refactor

[PATCH 02/10] netfilter: remove comments that predate rcu days

2016-10-17 Thread Pablo Neira Ayuso
We cannot block/sleep on nf_iterate because netfilter runs under rcu read lock these days, where blocking is well-known to be illegal. So let's remove these old comments. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/core.c | 7 --- 1 file changed, 7 deletions(-)

[PATCH 07/10] netfilter: use switch() to handle verdict cases from nf_hook_slow()

2016-10-17 Thread Pablo Neira Ayuso
Use switch() for verdict handling and add explicit handling for NF_STOLEN and other non-conventional verdicts. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/core.c | 28 ++-- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git

[PATCH 08/10] netfilter: remove hook_entries field from nf_hook_state

2016-10-17 Thread Pablo Neira Ayuso
This field is only useful for nf_queue, so store it in the nf_queue_entry structure instead, away from the core path. Pass hook_head to nf_hook_slow(). Since we always have a valid entry on the first iteration in nf_iterate(), we can use 'do { ... } while (entry)' loop instead. Signed-off-by:
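
The hook-list traversal discussed in this series (nf_hook_slow() with a switch on the verdict, the do { } while (entry) loop over a single-linked hook list, and the nf_queue fix in the "don't re-enter same hook on packet reinjection" thread above) can be illustrated with a user-space toy. The C below is an added example for this archive page and is not kernel code: the packet, hook_entry and chain structures are simplified stand-ins, only the verdict values come from the netfilter UAPI header, and treating an unexpected verdict as a drop is my choice here, not something the patches state. The reinject() function shows both the re-entry bug (resuming at the hook that queued the packet, so it queues again) and the fix (resuming at the hook after it).

```c
#include <stdbool.h>
#include <stddef.h>

/* Verdict values as in linux/netfilter.h; NF_STOP is omitted as deprecated. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3 };

struct hook_entry;

/* Toy packet: records which hook indexes ran, how often it was queued,
 * where to resume after reinjection and the final verdict code. */
struct pkt {
	int traversed[8];
	int ntraversed;
	int nqueued;
	const struct hook_entry *resume_at;	/* stand-in for the nf_queue_entry hook pointer */
	int verdict;
};

/* Single-linked hook list, one entry per registered hook. */
struct hook_entry {
	int (*hook)(struct pkt *p);
	int idx;
	const struct hook_entry *next;
};

static int hook_accept(struct pkt *p) { (void)p; return NF_ACCEPT; }
static int hook_queue(struct pkt *p)  { p->nqueued++; return NF_QUEUE; }

/* Core traversal: 1 = accepted, 0 = dropped, -1 = consumed (queued/stolen).
 * The caller guarantees entry != NULL, so do { } while (entry) is safe. */
static int hook_slow(struct pkt *p, const struct hook_entry *entry)
{
	do {
		if (p->ntraversed < 8)
			p->traversed[p->ntraversed++] = entry->idx;
		switch (entry->hook(p)) {
		case NF_ACCEPT:
			entry = entry->next;		/* continue with the next hook */
			break;
		case NF_DROP:
			return 0;
		case NF_QUEUE:
			p->resume_at = entry;		/* remember the queuing hook */
			return -1;
		case NF_STOLEN:
			return -1;			/* hook took ownership */
		default:
			return 0;			/* unexpected verdict: fail closed (my choice) */
		}
	} while (entry);
	return 1;
}

/* Reinjection after the queue user space hands the packet back.
 * skip_queuing_hook == false reproduces the re-entry bug. */
static int reinject(struct pkt *p, bool skip_queuing_hook)
{
	const struct hook_entry *e = skip_queuing_hook ? p->resume_at->next
						       : p->resume_at;

	if (e == NULL)
		return 1;			/* queuing hook was last: nothing left to run */
	return hook_slow(p, e);
}

/* Constructed chain: accept, queue, accept. */
static const struct hook_entry chain[3] = {
	{ hook_accept, 0, &chain[1] },
	{ hook_queue,  1, &chain[2] },
	{ hook_accept, 2, NULL },
};

/* Run a packet through the chain and reinject it once if it was queued. */
static struct pkt run(bool fixed_reinject)
{
	struct pkt p = { 0 };
	int v = hook_slow(&p, &chain[0]);

	p.verdict = (v == -1) ? reinject(&p, fixed_reinject) : v;
	return p;
}
```

With the fix the packet visits hooks 0, 1 and 2 and is accepted; without it the reinjected packet re-enters hook 1, which queues it a second time, and in a real system that cycle would repeat for as long as the queue keeps handing the packet back.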

[PATCH 06/10] netfilter: nf_tables: use hook state from xt_action_param structure

2016-10-17 Thread Pablo Neira Ayuso
Don't copy relevant fields from hook state structure, instead use the one that is already available in struct xt_action_param. This patch also adds a set of new wrapper functions to fetch relevant hook state structure fields. Signed-off-by: Pablo Neira Ayuso ---

[PATCH 09/10] netfilter: handle queue bypass flag from nf_queue

2016-10-17 Thread Pablo Neira Ayuso
Move queue bypass logic from nf_hook_slow() into nf_queue() that resides in net/netfilter/nf_queue.c, away from the core path. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/core.c | 13 - net/netfilter/nf_internals.h | 4 ++--

[PATCH 03/10] netfilter: kill NF_HOOK_THRESH() and state->tresh

2016-10-17 Thread Pablo Neira Ayuso
Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh") introduced br_nf_hook_thresh(). Replace NF_HOOK_THRESH() by br_nf_hook_thresh from br_nf_forward_finish(), so we have no more callers for this macro. As a result, state->thresh and explicit thresh parameter in the hook state

Re: [PATCH nf-next 2/5] netfilter: nft: basic routing expression

2016-10-17 Thread Arturo Borrero Gonzalez
On 16 October 2016 at 15:42, Anders K. Pedersen | Cohaesio wrote: > From: Anders K. Pedersen > > Introduce basic infrastructure for nftables rt expression for routing > related data. Initially "rt classid" is implemented identical to "meta > rtclassid",

Re: [PATCH nf-next 1/5] netfilter: nft: UAPI headers for routing expression

2016-10-17 Thread Arturo Borrero Gonzalez
On 16 October 2016 at 15:41, Anders K. Pedersen | Cohaesio wrote: > diff --git a/include/uapi/linux/netfilter/nf_tables.h > b/include/uapi/linux/netfilter/nf_tables.h > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h > @@ -759,6