On Mon, Dec 5, 2016 at 7:20 PM, Florian Westphal wrote:
> Willem de Bruijn wrote:
>> While we're discussing the patch, another question, about revisions: I
>> tested both modified and original iptables binaries on both standard
>> and modified
From: Willem de Bruijn
Add support for attaching an eBPF object by file descriptor.
The iptables binary can be called with a path to an elf object or a
pinned bpf object. Also pass the mode and path to the kernel to be
able to return it later for iptables dump and save.
Hi,
In order to reduce the (already large) batch that I'm going to pass to
David, I'm rebasing nf-next to squash patches that fix bugs,
compilation warnings and other fallout from ongoing development. The list
of patches that I have squashed into the master patch is:
* netfilter: nf_tables: silence gcc
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: 34d360415a921406e622f60e202892af8cf4c57b
commit: 018914b2c913bcc9c571ae5a781280c76a15ddad [18/48] netfilter: defrag:
only register defrag functionality if needed
config: x86_64-randconfig-h0-12062249
The for-loop in the bridge hook entries assumes that the elements are
always present. However, this assumption may not always be true.
Fixes: 66cfc1dd07c7 ("netfilter: convert while loops to for loops")
Signed-off-by: Aaron Conole
--
Pablo, if possible could this be squashed
The quota is already fetched before reset, so there is no need to
re-fetch it, otherwise userspace reports consumed quota is always zero
on reset. This problem was likely introduced when rebasing this
patchset.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_quota.c
It seems git rebase and branch merge resulted in patching the wrong spot;
restore the check when adding elements and remove it from the deletion path so
flushing sets still works. The original patch applying this chunk in the
right spot: http://patchwork.ozlabs.org/patch/702919/.
Fixes: 34d360415a92
This patch moves the reset path from nft_counter_fetch() to
nft_counter_reset(). It aims to solve the following gcc compilation warning:
net/netfilter/nft_counter.c: In function 'nft_counter_fetch':
>> net/netfilter/nft_counter.c:128:18: warning: 'packets' may be used
>> uninitialized in this
Hello Aaron Conole,
This is a semi-automatic email about new static checker warnings.
The patch 66cfc1dd07c7: "netfilter: convert while loops to for loops"
from Nov 15, 2016, leads to the following Smatch complaint:
net/bridge/br_netfilter_hooks.c:1016 br_nf_hook_thresh()
warn:
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: 34d360415a921406e622f60e202892af8cf4c57b
commit: 9fbf2fcf1734cbcd01ea3818242b6ed0c4d32869 [37/48] netfilter: nf_tables:
atomic dump and reset for stateful objects
config: i386-allmodconfig (attached as
On Tue, Dec 06, 2016 at 03:24:53PM +0300, Dan Carpenter wrote:
> On Tue, Dec 06, 2016 at 01:16:08PM +0100, Pablo Neira Ayuso wrote:
> > On Tue, Dec 06, 2016 at 02:57:34PM +0300, Dan Carpenter wrote:
> > > Hello Pablo Neira Ayuso,
> > >
> > > The patch 556c291b3a1b: "netfilter: nft_payload: layer
Not a problem in practice since objtype is ignored if the NFT_SET_OBJECT
flag is not set.
But it triggers gcc warnings:
net/netfilter/nf_tables_api.c: In function 'nf_tables_newset':
>> net/netfilter/nf_tables_api.c:3003:15: warning: 'objtype' may be used
+uninitialized in this function
On Tue, Dec 06, 2016 at 01:16:08PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Dec 06, 2016 at 02:57:34PM +0300, Dan Carpenter wrote:
> > Hello Pablo Neira Ayuso,
> >
> > The patch 556c291b3a1b: "netfilter: nft_payload: layer 4 checksum
> > adjustment for pseudoheader fields" from Nov 24, 2016,
On Fri, Dec 02, 2016 at 07:46:38AM -0200, Marcelo Ricardo Leitner wrote:
> Andrey Konovalov reported that this vmalloc call is based on an
> userspace request and that it's spewing traces, which may flood the logs
> and cause DoS if abused.
>
> Florian Westphal also mentioned that this call
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: 34d360415a921406e622f60e202892af8cf4c57b
commit: bbf56b9c79b71b247caa9188998cd54b084445c1 [41/48] netfilter: nf_tables:
add stateful object reference to set elements
config: x86_64-randconfig-x014-201649
On Tue, Dec 06, 2016 at 02:57:34PM +0300, Dan Carpenter wrote:
> Hello Pablo Neira Ayuso,
>
> The patch 556c291b3a1b: "netfilter: nft_payload: layer 4 checksum
> adjustment for pseudoheader fields" from Nov 24, 2016, leads to the
> following static checker warning:
>
>
Hello Pablo Neira Ayuso,
The patch 556c291b3a1b: "netfilter: nft_payload: layer 4 checksum
adjustment for pseudoheader fields" from Nov 24, 2016, leads to the
following static checker warning:
net/netfilter/nft_payload.c:301 nft_payload_set_eval()
error: uninitialized symbol
On Mon., Dec. 5, 2016 at 11:37, Pablo Neira Ayuso wrote:
You can use this new command to remove all existing elements in a set:
# nft flush set filter xyz
After this command, the set 'xyz' in table 'filter' becomes empty.
Signed-off-by: Pablo Neira Ayuso
On Tue, Dec 06, 2016 at 12:13:37PM +0100, Anatole Denis wrote:
> On Mon., Dec. 5, 2016 at 11:37, Pablo Neira Ayuso wrote:
> >You can use this new command to remove all existing elements in a set:
> >
> > # nft flush set filter xyz
> >
> >After this command, the set 'xyz'
On Mon, Dec 05, 2016 at 03:33:57PM +0100, Davide Caratti wrote:
> SCTP GSO and hardware can do CRC32c computation after netfilter processing,
> so we can avoid calling sctp_compute_checksum() on skb if skb->ip_summed
> is equal to CHECKSUM_PARTIAL. Moreover, set skb->ip_summed to CHECKSUM_NONE
>
On Fri, Dec 02, 2016 at 07:50:36PM +0100, Florian Westphal wrote:
[...]
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 44410d30d461..9c34c2cabd76 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -169,16 +169,6 @@ config NF_CT_PROTO_SCTP
> If you
On Sat, Dec 03, 2016 at 09:25:08PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Otherwise, DHCP Discover packets (0.0.0.0->255.255.255.255) may be
> dropped incorrectly.
Applied, thanks Liping.
On Sat, Dec 03, 2016 at 02:02:10PM +0100, Florian Westphal wrote:
> kbuild test robot wrote:
> > All error/warnings (new ones prefixed by >>):
> >
> >In file included from include/uapi/linux/stddef.h:1:0,
> > from include/linux/stddef.h:4,
> >
On Mon, Nov 28, 2016 at 11:40:05AM +0100, Florian Westphal wrote:
> The caller assumes that < 0 means that skb was stolen (or free'd).
>
> All other return values continue skb processing.
>
> nf_hook_slow returns 3 different return value types:
>
> A) a (negative) errno value: the skb was
On Sun, Dec 04, 2016 at 11:37:22PM +0100, Florian Westphal wrote:
> conntrack depends on defrag support, but not vice versa, so we cannot
> place defrag_ipv4/6 into netns->ct:
>
> net/ipv4/netfilter/nf_defrag_ipv4.c:110:9: error: 'struct net' has no member
> named 'ct'
>
> Move it into net->nf.
On Mon, Dec 05, 2016 at 10:30:38PM -0200, Elise Lennion wrote:
> nft describe displays, to the user, which values are available for a selector,
> so the values should be in host byte order.
>
> Reported-by: Pablo Neira Ayuso
> Fixes: ccc5da470e76 ("datatype: Replace