On Tue, Oct 18, 2016 at 12:03:28AM +0200, Arnd Bergmann wrote:
> This is a set of patches that I hope to get into v4.9 in some form
> in order to turn on the -Wmaybe-uninitialized warnings again.
Hi Arnd,
I just complained to Geert that I was introducing way too many
bugs or pointless warnings
From: Anders K. Pedersen
I noticed that while
# nft add rule ip6 filter postrouting \
flow table acct_out \{ meta iif . ip6 saddr timeout 600s counter \}
works, the opposite order for the concatenated expressions fails:
# nft add rule ip6 filter postrouting \
Traditionally, we have always had warnings about uninitialized variables
enabled, as this is part of -Wall, and generally a good idea [1], but it
also always produced false positives, mainly because this is a variation
of the halting problem and provably impossible to get right in all cases
[2].
The newly added nft_range_eval() function handles the two possible
nft range operations, but as the compiler warning points out,
any unexpected value would lead to the 'mismatch' variable being
used without being initialized:
net/netfilter/nft_range.c: In function 'nft_range_eval':
This is a set of patches that I hope to get into v4.9 in some form
in order to turn on the -Wmaybe-uninitialized warnings again.
After talking to Linus in person at Linaro Connect about this, I
spent some time on finding all the remaining warnings, and this
is the resulting patch series. More
Markus Trippelsdorf reports:
WARNING: kmemcheck: Caught 64-bit read from uninitialized memory
(88001e605480)
4055601e008890686d81
u u u u u u u u u u u u u u u u i i i i i i i i u u u u u u u u
^
|RIP: 0010:[] []
nf_register_net_hook+0x51/0x160
Pablo Neira Ayuso writes:
> On Mon, Oct 17, 2016 at 11:23:01AM -0400, Aaron Conole wrote:
>> Pablo Neira Ayuso writes:
>>
>> > Make sure we skip the current hook from where the packet was enqueued,
>> > otherwise the packets get enqueued over and over
On Thu, Oct 06, 2016 at 07:09:27PM +0200, Davide Caratti wrote:
> this series fixes SNAT/DNAT rules where port number translation is
> explicitly configured, but only the L3 address is translated:
>
> # iptables -t nat -A POSTROUTING -o eth1 -p stcp -j SNAT --to-source
> 10.0.0.1:61000
> #
On Mon, Oct 17, 2016 at 11:23:01AM -0400, Aaron Conole wrote:
> Pablo Neira Ayuso writes:
>
> > Make sure we skip the current hook from where the packet was enqueued,
> > otherwise the packets get enqueued over and over again.
> >
> > Fixes: e3b37f11e6e4 ("netfilter: replace
On Mon, Oct 17, 2016 at 09:52:14AM -0400, Aaron Conole wrote:
> Florian Westphal writes:
>
> > Pablo Neira Ayuso wrote:
> >> Let me know if you have any comment, otherwise I'll place this in the
> >> nf-next tree so we can follow up working on top of these.
On Thu, Sep 22, 2016 at 10:34:52PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Actually, ct l3proto and ct protocol are unrelated to direction, so
> it's unnecessary that we must specify dir if we want to use them.
>
> Now add support that we can match ct
On Mon, Oct 10, 2016 at 12:26:34PM +0200, Arturo Borrero Gonzalez wrote:
> Update Arturo Borrero Gonzalez email address.
Applied, thanks Arturo.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info
If the set is empty, don't send an empty NFTA_SET_ELEM_LIST_ELEMENTS
netlink attributes with no elements.
Signed-off-by: Pablo Neira Ayuso
---
src/set_elem.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/set_elem.c b/src/set_elem.c
index
On Tue, Oct 11, 2016 at 10:22:27PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> If an ipv4 packet is truncated, we should not try to dereference the
> iph pointer. Otherwise, if the user adds such iptables rules as
> "-j NFLOG --nflog-size 0", we will dereference the
On Wed, Oct 12, 2016 at 12:14:29PM +0300, Dan Carpenter wrote:
> We don't want to allow negatives here.
Applied, thanks.
On Wed, Oct 12, 2016 at 09:09:12AM +0300, Dan Carpenter wrote:
> "err" needs to be signed for the error handling to work.
Applied, thanks Dan.
On Mon, Oct 10, 2016 at 03:57:37PM +0200, Florian Westphal wrote:
> Nicolas Dichtel wrote:
> > This entry has been removed in commit 9500507c6138.
> >
> > Fixes: 9500507c6138 ("netfilter: conntrack: remove timer from ecache
> > extension")
> > Signed-off-by: Nicolas
On Tue, Oct 11, 2016 at 10:26:27PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Justin and Chris spotted that iptables NFLOG target was broken when they
> upgraded the kernel to 4.8: "ulogd-2.0.5- IPs are no longer logged" or
> "results in segfaults in
On Wed, Oct 12, 2016 at 09:09:22PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Otherwise, user cannot add related rules if xt_ipcomp.ko is not loaded:
> # iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 1
> iptables: No chain/target/match by that name.
On Wed, Oct 12, 2016 at 09:10:45PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Missing the nla_policy description will also miss the validation check
> in the kernel.
Also applied, thanks Liping.
Pablo Neira Ayuso writes:
> Make sure we skip the current hook from where the packet was enqueued,
> otherwise the packets get enqueued over and over again.
>
> Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
> Signed-off-by: Pablo Neira Ayuso
Hi,
I'm happy to announce ipset 6.30 which introduces a new set type,
hash:ip,mac, and brings a couple of small corrections and backports from
the most recent kernel tree.
Userspace changes:
- Drop extra comma from error message (Neutron Soutmun)
- Fix the incorrect dynamic/static modules
Florian Westphal writes:
> Pablo Neira Ayuso wrote:
>> Let me know if you have any comment, otherwise I'll place this in the
>> nf-next tree so we can follow up working on top of these.
>
> Please do, thanks!
+1. Some of this work was in my back burner, so
From: Tomasz Chilinski
Signed-off-by: Tomasz Chiliński
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/Kconfig | 9 +
net/netfilter/ipset/Makefile| 1 +
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h
b/include/linux/netfilter/ipset/ip_set.h
index b5bd0fb3..7a218eb 100644
---
The non-static (i.e. comment) extension was not counted in the memory
size. A new internal counter is introduced for this. In the case of
the hash types the sizes of the arrays are counted there as well, so
that we can avoid scanning the whole set when just the header data
is requested.
Remove extra whitespace, group the counter helpers together. Mark some of
the helpers' arguments as const.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h| 2 ++
Hi Pablo,
Please consider applying the next bunch of patches for ipset.
There is a new set type in it (hash:ip,mac), element counts are reported
to userspace in the set header data, and a couple of small cleanups and
improvements
* rcu_dereference_bh_nfnl() redefined to accept netfilter subsys id.
*
The calculation of the full allocated memory did not take
into account the size of the base hash bucket structure at some
places.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 16 +---
1 file changed, 9 insertions(+), 7
Use struct ip_set_skbinfo in struct ip_set_ext instead of open
coded fields and assign structure members in get/init helpers
instead of copying members one by one.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
From: kbuild test robot
net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in
function 'hash_ipmac4_data_list' with return type bool
net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in
function 'hash_ipmac6_data_list' with
When the rcu_dereference_bh_nfnl() macro is defined on the target
system, it accepts a pointer and a subsystem id.
Check if rcu_dereference_bh_nfnl() is defined and make it accept two
arguments.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey
Remove the redundant parameters nets_length and dsize:
they can be obtained from the other parameters.
Remove one level of indentation by using continue while
iterating over the elements in a bucket.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
From: Muhammad Falak R Wani
Use setup_timer() instead of init_timer(), as it is the preferred way
of setting up a timer.
Also, quoting the mod_timer() function comment:
-> mod_timer() is a more efficient way to update the expire field of an
active timer (if the timer
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h,
and the only place where NLEN needs to be calculated at runtime
is the *_create() method.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
---
Before this patch, struct htype was created at the first source
of ip_set_hash_gen.h and was common for both the IPv4 and IPv6
set variants.
Make struct htype per ipset family and use NLEN to make
nets array fixed size to simplify struct htype allocation.
Ported from a patch proposed by Sergey Popovich
Allocate memory with kmalloc() rather than kzalloc().
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set_comment.h
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set.h | 95 +-
Data for hashing is required to be an array of u32. Make sure that
element data is always a multiple of u32.
Ported from a patch proposed by Sergey Popovich.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_hash_gen.h | 10 --
1
Hash types already have their memsize calculation code in separate
functions. Do the same for the *bitmap* and *list* sets.
Ported from a patch proposed by Sergey Popovich.
Suggested-by: Sergey Popovich
Signed-off-by: Jozsef Kadlecsik
Pablo Neira Ayuso wrote:
> Let me know if you have any comment, otherwise I'll place this in the
> nf-next tree so we can follow up working on top of these.
Please do, thanks!
This is second round of patches to improve Netfilter hooks performance,
following several of the ideas that we discussed during NetDev 1.2. This
patchset implements the following:
1) Deprecate NF_STOP, as this is only used by br_netfilter.
2) Remove threshold handling, this is also only used by
nf_iterate() has become rather simple, we can integrate this code into
nf_hook_slow() to reduce the amount of LOC in the core path.
However, we still need nf_iterate() around for nf_queue packet handling,
so move this function there where we only need it. I think it should be
possible to refactor
We cannot block/sleep on nf_iterate because netfilter runs under rcu
read lock these days, where blocking is well-known to be illegal. So
let's remove these old comments.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 7 ---
1 file changed, 7 deletions(-)
Use switch() for verdict handling and add explicit handling for
NF_STOLEN and other non-conventional verdicts.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 28 ++--
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git
This field is only useful for nf_queue, so store it in the
nf_queue_entry structure instead, away from the core path. Pass
hook_head to nf_hook_slow().
Since we always have a valid entry on the first iteration in
nf_iterate(), we can use 'do { ... } while (entry)' loop instead.
Signed-off-by:
Don't copy relevant fields from hook state structure, instead use the
one that is already available in struct xt_action_param.
This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.
Signed-off-by: Pablo Neira Ayuso
---
Move queue bypass logic from nf_hook_slow() into nf_queue() that resides
in net/netfilter/nf_queue.c, away from the core path.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 13 -
net/netfilter/nf_internals.h | 4 ++--
Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
introduced br_nf_hook_thresh().
Replace NF_HOOK_THRESH() by br_nf_hook_thresh from
br_nf_forward_finish(), so we have no more callers for this macro.
As a result, state->thresh and explicit thresh parameter in the hook
state
On 16 October 2016 at 15:42, Anders K. Pedersen | Cohaesio wrote:
> From: Anders K. Pedersen
>
> Introduce basic infrastructure for nftables rt expression for routing
> related data. Initially "rt classid" is implemented identical to "meta
> rtclassid",
On 16 October 2016 at 15:41, Anders K. Pedersen | Cohaesio wrote:
> diff --git a/include/uapi/linux/netfilter/nf_tables.h
> b/include/uapi/linux/netfilter/nf_tables.h
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -759,6