Re: [PATCH nf-next] netfilter: xt_bpf: support ebpf

2016-12-06 Thread Willem de Bruijn
On Mon, Dec 5, 2016 at 7:20 PM, Florian Westphal wrote: > Willem de Bruijn wrote: >> While we're discussing the patch, another question, about revisions: I >> tested both modified and original iptables binaries on both standard >> and modified

[PATCH nf-next v2] netfilter: xt_bpf: support ebpf

2016-12-06 Thread Willem de Bruijn
From: Willem de Bruijn Add support for attaching an eBPF object by file descriptor. The iptables binary can be called with a path to an elf object or a pinned bpf object. Also pass the mode and path to the kernel to be able to return it later for iptables dump and save.

Rebasing nf-next

2016-12-06 Thread Pablo Neira Ayuso
Hi, In order to reduce the (already large) batch that I'm going to pass to David, I'm rebasing nf-next to squash patches that fix bugs, compilation warnings and other fallout from ongoing development. List of patches that I have squashed into master patch are: * netfilter: nf_tables: silence gcc

[nf-next:master 18/48] net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:94:9: error: 'struct net' has no member named 'ct'

2016-12-06 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: 34d360415a921406e622f60e202892af8cf4c57b commit: 018914b2c913bcc9c571ae5a781280c76a15ddad [18/48] netfilter: defrag: only register defrag functionality if needed config: x86_64-randconfig-h0-12062249

[PATCH nf-next] netfilter: add list element test to br_netfilter_hooks

2016-12-06 Thread Aaron Conole
The for-loop in the bridge hook entries assumes that the elements are always present. However, this assumption may not always be true. Fixes: 66cfc1dd07c7 ("netfilter: convert while loops to for loops") Signed-off-by: Aaron Conole -- Pablo, if possible could this be squashed

[PATCH nf-next] netfilter: nft_quota: don't read quota twice on reset

2016-12-06 Thread Pablo Neira Ayuso
The quota is already fetched before reset, so there is no need to re-fetch it, otherwise userspace reports consumed quota is always zero on reset. This problem was likely introduced when rebasing this patchset. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_quota.c

[PATCH nf-next 1/2] netfilter: nf_tables: restore check for NFTA_SET_ELEM_LIST_ELEMENTS

2016-12-06 Thread Pablo Neira Ayuso
It seems git rebase and branch merge resulted in patching the wrong spot, restore check when adding elements, remove it from the deletion path so flushing sets still works. The original patch applying this chunk in the right spot: http://patchwork.ozlabs.org/patch/702919/. Fixes: 34d360415a92

[PATCH nf-next 2/2] netfilter: nft_counter: move counter reset into separated function

2016-12-06 Thread Pablo Neira Ayuso
This patch moves the reset path from nft_counter_fetch() to nft_counter_reset(), this patch aims to solve gcc compilation warning: net/netfilter/nft_counter.c: In function 'nft_counter_fetch': >> net/netfilter/nft_counter.c:128:18: warning: 'packets' may be used >> uninitialized in this

[bug report] netfilter: convert while loops to for loops

2016-12-06 Thread Dan Carpenter
Hello Aaron Conole, This is a semi-automatic email about new static checker warnings. The patch 66cfc1dd07c7: "netfilter: convert while loops to for loops" from Nov 15, 2016, leads to the following Smatch complaint: net/bridge/br_netfilter_hooks.c:1016 br_nf_hook_thresh() warn:

[nf-next:master 37/48] net/netfilter/nft_counter.c:128:18: warning: 'packets' may be used uninitialized in this function

2016-12-06 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: 34d360415a921406e622f60e202892af8cf4c57b commit: 9fbf2fcf1734cbcd01ea3818242b6ed0c4d32869 [37/48] netfilter: nf_tables: atomic dump and reset for stateful objects config: i386-allmodconfig (attached as

Re: [bug report] netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields

2016-12-06 Thread Pablo Neira Ayuso
On Tue, Dec 06, 2016 at 03:24:53PM +0300, Dan Carpenter wrote: > On Tue, Dec 06, 2016 at 01:16:08PM +0100, Pablo Neira Ayuso wrote: > > On Tue, Dec 06, 2016 at 02:57:34PM +0300, Dan Carpenter wrote: > > > Hello Pablo Neira Ayuso, > > > > > > The patch 556c291b3a1b: "netfilter: nft_payload: layer

[PATCH nf-next,v2] netfilter: nf_tables: silence gcc warning with stateful object maps

2016-12-06 Thread Pablo Neira Ayuso
Not a problem in practice since objtype is ignored if the NFT_SET_OBJECT flag is not set. But call down gcc warnings: net/netfilter/nf_tables_api.c: In function 'nf_tables_newset': >> net/netfilter/nf_tables_api.c:3003:15: warning: 'objtype' may be used uninitialized in this function

[PATCH nf-next] netfilter: nf_tables: silence gcc warning with stateful object maps

2016-12-06 Thread Pablo Neira Ayuso
Not a problem in practice since objtype is ignored if the NFT_SET_OBJECT flag is not set. But call down gcc warnings: net/netfilter/nf_tables_api.c: In function 'nf_tables_newset': >> net/netfilter/nf_tables_api.c:3003:15: warning: 'objtype' may be used uninitialized in this function

Re: [bug report] netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields

2016-12-06 Thread Dan Carpenter
On Tue, Dec 06, 2016 at 01:16:08PM +0100, Pablo Neira Ayuso wrote: > On Tue, Dec 06, 2016 at 02:57:34PM +0300, Dan Carpenter wrote: > > Hello Pablo Neira Ayuso, > > > > The patch 556c291b3a1b: "netfilter: nft_payload: layer 4 checksum > > adjustment for pseudoheader fields" from Nov 24, 2016,

Re: [PATCH v2] netfilter: avoid warn and OOM killer on vmalloc call

2016-12-06 Thread Pablo Neira Ayuso
On Fri, Dec 02, 2016 at 07:46:38AM -0200, Marcelo Ricardo Leitner wrote: > Andrey Konovalov reported that this vmalloc call is based on an > userspace request and that it's spewing traces, which may flood the logs > and cause DoS if abused. > > Florian Westphal also mentioned that this call

[nf-next:master 41/48] net/netfilter/nf_tables_api.c:3003:15: warning: 'objtype' may be used uninitialized in this function

2016-12-06 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: 34d360415a921406e622f60e202892af8cf4c57b commit: bbf56b9c79b71b247caa9188998cd54b084445c1 [41/48] netfilter: nf_tables: add stateful object reference to set elements config: x86_64-randconfig-x014-201649

Re: [bug report] netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields

2016-12-06 Thread Pablo Neira Ayuso
On Tue, Dec 06, 2016 at 02:57:34PM +0300, Dan Carpenter wrote: > Hello Pablo Neira Ayuso, > > The patch 556c291b3a1b: "netfilter: nft_payload: layer 4 checksum > adjustment for pseudoheader fields" from Nov 24, 2016, leads to the > following static checker warning: > >

[bug report] netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields

2016-12-06 Thread Dan Carpenter
Hello Pablo Neira Ayuso, The patch 556c291b3a1b: "netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields" from Nov 24, 2016, leads to the following static checker warning: net/netfilter/nft_payload.c:301 nft_payload_set_eval() error: uninitialized symbol

Re: [PATCH nft] src: add support to flush sets

2016-12-06 Thread Anatole Denis
On Mon., Dec. 5, 2016 at 11:37 , Pablo Neira Ayuso wrote: You can use this new command to remove all existing elements in a set: # nft flush set filter xyz After this command, the set 'xyz' in table 'filter' becomes empty. Signed-off-by: Pablo Neira Ayuso

Re: [PATCH nft] src: add support to flush sets

2016-12-06 Thread Pablo Neira Ayuso
On Tue, Dec 06, 2016 at 12:13:37PM +0100, Anatole Denis wrote: > On Mon., Dec. 5, 2016 at 11:37 , Pablo Neira Ayuso > wrote: > >You can use this new command to remove all existing elements in a set: > > > > # nft flush set filter xyz > > > >After this command, the set 'xyz'

Re: [PATCH nf-next] NAT: skip checksum on offload SCTP packets

2016-12-06 Thread Pablo Neira Ayuso
On Mon, Dec 05, 2016 at 03:33:57PM +0100, Davide Caratti wrote: > SCTP GSO and hardware can do CRC32c computation after netfilter processing, > so we can avoid calling sctp_compute_checksum() on skb if skb->ip_summed > is equal to CHECKSUM_PARTIAL. Moreover, set skb->ip_summed to CHECKSUM_NONE >

Re: [PATCH nf-next 1/2] netfilter: conntrack: merge udp and udplite helpers

2016-12-06 Thread Pablo Neira Ayuso
On Fri, Dec 02, 2016 at 07:50:36PM +0100, Florian Westphal wrote: [...] > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig > index 44410d30d461..9c34c2cabd76 100644 > --- a/net/netfilter/Kconfig > +++ b/net/netfilter/Kconfig > @@ -169,16 +169,6 @@ config NF_CT_PROTO_SCTP > If you

Re: [PATCH nf-next] netfilter: rpfilter: bypass ipv4 lbcast packets with zeronet source

2016-12-06 Thread Pablo Neira Ayuso
On Sat, Dec 03, 2016 at 09:25:08PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Otherwise, DHCP Discover packets(0.0.0.0->255.255.255.255) may be > dropped incorrectly. Applied, thanks Liping. -- To unsubscribe from this list: send the line "unsubscribe

Re: [PATCH nf-next 1/2] netfilter: conntrack: merge udp and udplite helpers

2016-12-06 Thread Pablo Neira Ayuso
On Sat, Dec 03, 2016 at 02:02:10PM +0100, Florian Westphal wrote: > kbuild test robot wrote: > > All error/warnings (new ones prefixed by >>): > > > >In file included from include/uapi/linux/stddef.h:1:0, > > from include/linux/stddef.h:4, > >

Re: [PATCH nf-next] netfilter: ingress: translate 0 nf_hook_slow retval to -EINPROGRESS

2016-12-06 Thread Pablo Neira Ayuso
On Mon, Nov 28, 2016 at 11:40:05AM +0100, Florian Westphal wrote: > The caller assumes that < 0 means that skb was stolen (or free'd). > > All other return values continue skb processing. > > nf_hook_slow returns 3 different return value types: > > A) a (negative) errno value: the skb was

Re: [PATCH nf-next] netfilter: fix build failure with CONNTRACK=n NF_DEFRAG=y

2016-12-06 Thread Pablo Neira Ayuso
On Sun, Dec 04, 2016 at 11:37:22PM +0100, Florian Westphal wrote: > conntrack depends on defrag support, but not vice versa, so we cannot > place defrag_ipv4/6 into netns->ct: > > net/ipv4/netfilter/nf_defrag_ipv4.c:110:9: error: 'struct net' has no member > named 'ct' > > Move it into net->nf.

Re: [PATCH nft] datatype: Display pre-defined inet_service values in host byte order

2016-12-06 Thread Pablo Neira Ayuso
On Mon, Dec 05, 2016 at 10:30:38PM -0200, Elise Lennion wrote: > nft describe displays, to the user, which values are available for a selector, > then the values should be in host byte order. > > Reported-by: Pablo Neira Ayuso > Fixes: ccc5da470e76 ("datatype: Replace