[PATCH nf 1/1] netfilter: snmp: Fix one possible panic when snmp_trap_helper fails to register

2017-03-19 Thread fgao
From: Gao Feng In the commit ("netfilter: nf_conntrack: nf_conntrack snmp helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the snmp_helper is never registered. But it still tries to unregister the snmp_helper, which could cause the panic. Now remove the useless snmp_helper and the unre

linux-next: build warning after merge of the netfilter-next tree

2017-03-19 Thread Stephen Rothwell
Hi all, After merging the netfilter-next tree, today's linux-next build (x86_64 allmodconfig) produced this warning: net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del': net/netfilter/nfnetlink_acct.c:329:15: warning: unused variable 'refcount' [-Wunused-variable] unsigned int refc

Re: [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-19 Thread Linus Lüssing
On Fri, Mar 17, 2017 at 02:10:44PM +0100, Pablo Neira Ayuso wrote: > Wait. > > May this break local multicast listener that are bound to the bridge > interface? Assuming the bridge interface got an IP address, and that > there is local multicast listener. > > Missing anything here? Hm, for multi

[PATCH nf 3/5] netfilter: drop const qualifier from struct nf_conntrack_expect_policy

2017-03-19 Thread Liping Zhang
From: Liping Zhang So we can modify the nf_conntrack_expect_policy directly, the next patch will need this. Signed-off-by: Liping Zhang --- include/net/netfilter/nf_conntrack_helper.h | 4 ++-- net/ipv4/netfilter/nf_nat_snmp_basic.c | 2 +- net/netfilter/nf_conntrack_amanda.c | 2

[PATCH nf 1/5] netfilter: nfnl_cthelper: don't report error if NFCTH_PRIV_DATA_LEN is empty

2017-03-19 Thread Liping Zhang
From: Liping Zhang Currently, when we create cthelper via nfnetlink, -EINVAL will be returned if the NFCTH_PRIV_DATA_LEN attribute is empty. But enforcing the user to specify the NFCTH_PRIV_DATA_LEN attr seems unnecessary, so it's better to set the helper->data_len to zero if the NFCTH_PRIV_DATA

[PATCH nf 4/5] netfilter: nfnl_cthelper: fix memory leak when doing update

2017-03-19 Thread Liping Zhang
From: Liping Zhang When invoking nfnl_cthelper_update, we malloc a new expect_policy, then only point helper->expect_policy to the new one but ignore the old one, so it is leaked forever. Another issue is that the user can modify the expect_class_max to a new value, for example, decr

[PATCH nf 2/5] netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max

2017-03-19 Thread Liping Zhang
From: Liping Zhang The helper->expect_class_max must be set to the total number of expect_policy minus 1, since we will use the statement "if (class > helper->expect_class_max)" to validate the CTA_EXPECT_CLASS attr in ctnetlink_alloc_expect. So for compatibility, set the helper->expect_class_ma
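The two bugs described in patches 4/5 and 2/5 above (the leaked old expect_policy on update, and the inclusive bound check "class > helper->expect_class_max" being satisfied by an index one past the end of the array) can be reproduced in a few lines of userland C. The block below is an added example written for this page, not kernel code and not part of the patch set: `struct helper` and `struct expect_policy` are simplified stand-ins for the kernel structures (assumption), `class_is_valid` mirrors only the comparison quoted in the 2/5 message, and the buggy/fixed setters and the update routine are illustrative, not the kernel's functions.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (assumption; the real
 * struct nf_conntrack_expect_policy and struct nf_conntrack_helper carry
 * more fields). */
struct expect_policy {
    unsigned int max_expected;
    unsigned int timeout;
    char name[16];
};

struct helper {
    struct expect_policy *expect_policy; /* array of policies */
    unsigned int expect_class_max;       /* highest valid class index */
};

/* Mirrors the check quoted from ctnetlink_alloc_expect: a class is
 * rejected only if it exceeds expect_class_max. Because the bound is
 * inclusive, the stored value must be "count - 1", not "count". */
static int class_is_valid(const struct helper *h, unsigned int cls)
{
    return cls <= h->expect_class_max;
}

/* Buggy variant (illustrative): stores the policy count itself, so
 * cls == count passes the check and indexes one past the array. */
static void helper_set_policies_buggy(struct helper *h,
                                      struct expect_policy *p,
                                      unsigned int count)
{
    h->expect_policy = p;
    h->expect_class_max = count;
}

/* Fixed variant: count - 1, and an empty policy set is refused. */
static int helper_set_policies_fixed(struct helper *h,
                                     struct expect_policy *p,
                                     unsigned int count)
{
    if (count == 0)
        return -1;
    h->expect_policy = p;
    h->expect_class_max = count - 1;
    return 0;
}

/* Update path (illustrative): copies the new policies into a fresh
 * array and frees the old one, which is the step the 4/5 message says
 * was missing. Returns 0 on success, -1 on bad input or allocation
 * failure, leaving the helper untouched on failure. */
static int helper_update_policies(struct helper *h,
                                  const struct expect_policy *src,
                                  unsigned int count)
{
    struct expect_policy *np;

    if (count == 0)
        return -1;
    np = calloc(count, sizeof(*np));
    if (!np)
        return -1;
    memcpy(np, src, count * sizeof(*np));
    free(h->expect_policy);          /* old array is released, not leaked */
    h->expect_policy = np;
    h->expect_class_max = count - 1; /* consistent with the inclusive check */
    return 0;
}

/* Returns 1 when the buggy setter accepts class index "count" (one past
 * the end) while the fixed setter rejects it; 0 otherwise. */
static int demo_off_by_one(unsigned int count)
{
    struct helper h;
    struct expect_policy *p = calloc(count, sizeof(*p));
    int buggy_accepts, fixed_accepts;

    if (!p)
        return 0;
    helper_set_policies_buggy(&h, p, count);
    buggy_accepts = class_is_valid(&h, count);
    helper_set_policies_fixed(&h, p, count);
    fixed_accepts = class_is_valid(&h, count);
    free(p);
    return buggy_accepts && !fixed_accepts;
}
```

Running `demo_off_by_one(3)` shows the shape of the 2/5 bug: with three policies the buggy setter stores 3, the check accepts class 3, and a subsequent `expect_policy[3]` access reads past the allocation; with 2 stored, class 3 is rejected. `helper_update_policies` shows the 4/5 fix in the same model: free the previous array before replacing the pointer, and recompute `expect_class_max` from the new count so the two fields never disagree.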

[PATCH libnetfilter_cthelper] examples: fix double free in nftc-helper-add

2017-03-19 Thread Liping Zhang
From: Liping Zhang After running the following test command, a core dump happened: # ./examples/nfct-helper-add test 1 *** Error in `.../libnetfilter_cthelper/examples/.libs/lt-nfct-helper-add': double free or corruption (fasttop): 0x01f3c070 *** === Backtrace: = /l

[PATCH nf 5/5] netfilter: nfnl_cthelper: fix a race when walking the nf_ct_helper_hash table

2017-03-19 Thread Liping Zhang
From: Liping Zhang The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while the nfct_helper operation is protected by nfnl_lock(NFNL_SUBSYS_CTHELPER). So it's possible that one CPU is walking the nf_ct_helper_hash for cthelper add/get/del while another CPU is doing nf_conntrack_helpers_unregi

[PATCH nf 0/5] netfilter: nfnl_cthelper: fix some bugs

2017-03-19 Thread Liping Zhang
From: Liping Zhang This patch set aims to fix some bugs related to nfnetlink_cthelper. They are: 1. if NFCTH_PRIV_DATA_LEN attr is empty, we cannot create a cthelper via nfnetlink 2. helper->expect_class_max is incorrect 3. when update cthelper via nfnetlink, memory leak will happen. It's o

ANNOUNCE: New talk accepted! Droplet: DDoS countermeasures powered by BPF + XDP

2017-03-19 Thread Jamal Hadi Salim
I am going to keep netfilter and wireless lists on for now unless I hear more objections. We will be doing about one a day from now until about the time of the conference. The tech committee would like to announce a new accepted talk. Huapeng Zhou, Doug Porter, Ryan Tierney and Nikita Shirokov a