Re: [PATCH nf 1/2,v3] netfilter: nfnetlink_cthelper: fix runtime expectation policy updates

2017-03-21 Thread Liping Zhang
Hi Pablo, 2017-03-21 22:57 GMT+08:00 Pablo Neira Ayuso : > We only allow runtime updates of expectation policies for timeout and > maximum number of expectations, otherwise reject the update. > > Signed-off-by: Pablo Neira Ayuso > --- > v3: Fixed

[PATCH nf v2 1/1] netfilter: helper: Add the rcu lock when call __nf_conntrack_helper_find

2017-03-21 Thread gfree . wind
From: Gao Feng When invoking __nf_conntrack_helper_find, it needs the rcu lock to protect the helper module so that it is not unloaded. Now there are two callers, nf_conntrack_helper_try_module_get and ctnetlink_create_expect, which don't hold the rcu lock. And the other callers left

RE: [PATCH RESENT nf 1/1] netfilter: ctlink: Fix one possible use-after-free in ctnetlink_create_expect

2017-03-21 Thread Gao Feng
Hi Pablo, > -Original Message- > From: netfilter-devel-ow...@vger.kernel.org > [mailto:netfilter-devel-ow...@vger.kernel.org] On Behalf Of Gao Feng > Sent: Wednesday, March 22, 2017 9:37 AM > To: pa...@netfilter.org; netfilter-devel@vger.kernel.org > Cc: 'Gao Feng' >

Re: [PATCH 2/2 nf] netfilter: cthelper: Fix memory leak

2017-03-21 Thread jeffy
Hi Pablo, On chromebook kevin: Tested-by: Jeffy Chen On 03/21/2017 08:41 PM, Pablo Neira Ayuso wrote: From: Jeffy Chen We have memory leaks of nf_conntrack_helper & expect_policy. Signed-off-by: Jeffy Chen

[PATCH nf-next v2 1/1] netfilter: helper: Remove useless rcu lock when get expectfn

2017-03-21 Thread gfree . wind
From: Gao Feng Because these two functions return the nf_ct_helper_expectfn pointer, which should be protected by the rcu lock, it should be made sure that the caller holds the rcu lock, rather than taking it inside these functions. Signed-off-by: Gao Feng --- v2: Shorter

[PATCH 1/2] netfilter: ipset: warn users of list:set that parameter 'size' is ignored

2017-03-21 Thread Vishwanath Pai
Since kernel commit 00590fdd5be0 ("netfilter: ipset: Introduce RCU locking in list type"), the parameter 'size' has not been in use and is ignored by the kernel. This is not very apparent to the user. This commit makes 'size' optional and also warns the user if they try to specify it. We also

[PATCH] netfilter: ipset: print out warnings generated by commands

2017-03-21 Thread Vishwanath Pai
Warnings are only printed out for IPSET_CMD_TEST. The user won't see warnings from other commands. Reviewed-by: Josh Hunt Signed-off-by: Vishwanath Pai --- src/ipset.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ipset.c

[PATCH 2/2] netfilter: ipset: warn users of list:set that parameter 'size' is ignored

2017-03-21 Thread Vishwanath Pai
Revision 4 warns the users that the parameter 'size' is ignored. The kernel module doesn't need any changes, it will work with both the revisions. Note that this will not restore old behavior before commit 00590fdd5be0 ("netfilter: ipset: Introduce RCU locking in list type") for users of the

RE: [PATCH RESENT nf 1/1] netfilter: ctlink: Fix one possible use-after-free in ctnetlink_create_expect

2017-03-21 Thread Gao Feng
Hi Pablo, > -Original Message- > From: netfilter-devel-ow...@vger.kernel.org > [mailto:netfilter-devel-ow...@vger.kernel.org] On Behalf Of > gfree.w...@foxmail.com > Sent: Wednesday, March 22, 2017 9:25 AM > To: pa...@netfilter.org; netfilter-devel@vger.kernel.org; >

[PATCH RESENT nf 1/1] netfilter: ctlink: Fix one possible use-after-free in ctnetlink_create_expect

2017-03-21 Thread gfree . wind
From: Gao Feng There is no rcu_read_lock while ctlink gets the helper and inserts the expectation. So there is one possible use-after-free issue when unloading the helper module. For example: CPU1 CPU2 ctlink gets the helper

[PATCH nf v4 1/2] netfilter: helper: Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper

2017-03-21 Thread gfree . wind
From: Gao Feng Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename other functions or variables which refer to it. The new name is better than the old one. Signed-off-by: Gao Feng --- v3: Rename the nf_ct_helper_expectfn, func, and member, per

[PATCH nf v4 2/2] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded

2017-03-21 Thread gfree . wind
From: Gao Feng Because the conntrack NAT module could be rmmod'ed at any time, we should really leave things in a clean state if such a thing happens and make sure we don't leave any packet running over code that will be gone after the removal. We only removed the expectations when

[nft PATCH 3/3] sets: Fix for missing space after last element

2017-03-21 Thread Phil Sutter
Not having a space between the last element in a set and the closing curly brace looks ugly, so add it here. This also adjusts all shell testcases as they match whitespace in nft output and therefore fail otherwise. Signed-off-by: Phil Sutter --- src/expression.c

[nft PATCH 2/3] tests: shell: netns/0003many_0: Fix cleanup after error

2017-03-21 Thread Phil Sutter
If applying the rule set failed, this would leave a stray netns in place. Interestingly, this situation caused other, seemingly unrelated testcases to fail with spurious errors, e.g. sets/0015rulesetflush_0: | $ ./run-tests.sh testcases/sets/0015rulesetflush_0 | I: using nft binary ../../src/nft | |

[nft PATCH 1/3] tests: Add test cases for nested anonymous sets

2017-03-21 Thread Phil Sutter
This makes sure nesting of anonymous sets works regardless of whether defines are used or not. As a side-effect, it also checks that overlap checking when IP address prefixes are used, works. Signed-off-by: Phil Sutter --- tests/py/ip/sets.t | 4 +++

Re: [PATCH nf 5/5] netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table

2017-03-21 Thread Liping Zhang
2017-03-21 23:26 GMT+08:00 Pablo Neira Ayuso : [...] >> >> After I have a closer look, I find that we do not support netns for the >> nfct_helper currently. So this possible_net_t field is not necessary for >> the time being. > > Oh, I see. This is probably one of the

Re: [PATCH v2] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-21 Thread Stephen Hemminger
On Tue, 21 Mar 2017 23:28:45 +0100 Linus Lüssing wrote: > However, the IP code drops it in the beginning of ip_input.c/ip_rcv() > as the dnat target did not update the skb->pkt_type. If after > dnat'ing the packet is now destined to us then the skb->pkt_type > needs to

[PATCH v2] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-21 Thread Linus Lüssing
When trying to redirect bridged frames to the bridge device itself via the ebtables nat-prerouting chain and the dnat target, this currently fails: The ethernet destination of the frame is dnat'ed to the MAC address of the bridge itself just fine and the correctly altered frame can even be

Re: [PATCH 00/22] Netfilter/IPVS updates for net-next

2017-03-21 Thread David Miller
From: Pablo Neira Ayuso Date: Mon, 20 Mar 2017 11:08:28 +0100 > The following patchset contains Netfilter/IPVS updates for your > net-next tree. A couple of new features for nf_tables, and unsorted > cleanups and incremental updates for the Netfilter tree. More >

Re: [PATCH] ulogd: add +1 char for null char

2017-03-21 Thread Eric Leblond
Hello, Thanks for the report and the patch. I'm not sure of your implementation. Can you test with the patch to follow? On Mon, 2017-03-20 at 10:31 +0200, Alexandru Ardelean wrote: > This is a bit zealous to fix like this, but it seems to work. > > The crash was reproduced on ppc32, with GCC

[PATCH 2/5] ipset: hash:ip: add support for new netmask types

2017-03-21 Thread Josh Hunt
Uses the new netmask support added in the previous commit to allow the user to specify a cidr, netmask, or wildcard mask as the argument to the netmask parameter at creation time. Signed-off-by: Josh Hunt --- lib/ipset_hash_ip.c | 166 1

[PATCH 3/5] ipset: hash:ipport: netmask support

2017-03-21 Thread Josh Hunt
Adds netmask support to hash:ipport sets. Signed-off-by: Josh Hunt --- lib/ipset_hash_ipport.c | 194 1 file changed, 194 insertions(+) diff --git a/lib/ipset_hash_ipport.c b/lib/ipset_hash_ipport.c index 2166922..a2cf79e

[PATCH 5/5] hash:ip,port: add netmask support to man page

2017-03-21 Thread Josh Hunt
Adds netmask to hash:ip,port create options, describe how it works, and provide examples. Signed-off-by: Josh Hunt --- src/ipset.8 | 47 ++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/src/ipset.8 b/src/ipset.8

[PATCH 0/5] ipset: Extend netmask support for userspace

2017-03-21 Thread Josh Hunt
These are the userspace changes to add the ability to specify a netmask or wildcard mask for the set during creation instead of just a cidr value. Example usage: Legacy behavior: ipset create foo hash:ip family inet6 netmask 64 New netmask support (equivalent to legacy example): ipset create

[PATCH 4/5] hash:ip: add new netmask support to man page

2017-03-21 Thread Josh Hunt
Updates hash:ip create options to list new mask param to netmask, describe how it works, and provide examples. Signed-off-by: Josh Hunt --- src/ipset.8 | 43 --- 1 file changed, 36 insertions(+), 7 deletions(-) diff --git a/src/ipset.8

[PATCH 1/5] ipset: netmask: expand to support cidr and full mask

2017-03-21 Thread Josh Hunt
Convert netmask to store cidr and netmask. Signed-off-by: Josh Hunt --- include/libipset/data.h | 5 ++- include/libipset/linux_ip_set.h | 5 +++ include/libipset/print.h| 3 ++ lib/data.c | 25 +-- lib/debug.c

[PATCH 0/4] netfilter: ipset: Extend netmask support for kernel

2017-03-21 Thread Josh Hunt
Currently netmasks at set creation, for those sets which have support for it, are limited to cidr values. This patch set extends that to also allow for conventional netmask values and wildcard masks. We have found numerous uses for wildcard masks and have this support deployed on our network.

[PATCH 3/4] netfilter: ipset: hash:ip: add support for new netmask types

2017-03-21 Thread Josh Hunt
Enable new netmask support for hash:ip set types. Example usage: Legacy behavior: ipset create foo hash:ip family inet6 netmask 64 New netmask support (equivalent to legacy example): ipset create foo hash:ip family inet6 netmask ::::: New wildcard mask support: ipset create foo

[PATCH 1/4] net: netfilter: add nf_inet_addr_mask_inplace helper fn

2017-03-21 Thread Josh Hunt
Adds new helper function to be used for ipset nf_inet_addr netmask support. Signed-off-by: Josh Hunt --- include/linux/netfilter.h | 9 + 1 file changed, 9 insertions(+) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index a4b97be..4218969 100644

[PATCH 4/4] netfilter: ipset: hash:ipport: add netmask support

2017-03-21 Thread Josh Hunt
Initial netmask support for hash:ipport set types. Signed-off-by: Josh Hunt --- net/netfilter/ipset/ip_set_hash_ipport.c | 29 - 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c
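The cover letters above describe three ways of giving a mask at set creation (a prefix length, a conventional netmask literal, and a wildcard mask with holes in it) plus an in-place masking helper. The block below is an added example, not code from the ipset or kernel patches in this series: it stores an address as 16 network-order bytes (an assumption; the kernel's union nf_inet_addr is not reproduced), treats a bare number as a prefix length and anything else as a mask literal (the example's own parsing convention), and all function names are the example's own. It shows that "netmask 64" and the equivalent ffff:ffff:ffff:ffff:: literal collapse an address to the same key, that a wildcard mask keeps non-adjacent bits, and that a mask of the wrong family is rejected rather than silently applied.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* 128-bit address as 16 network-order bytes; IPv4 occupies the first 4.
 * Example layout only, not the kernel's union nf_inet_addr. */
typedef struct { uint8_t b[16]; } addr128;

/* Contiguous mask from a prefix length ("netmask 64"). -1 if out of range. */
static int mask_from_cidr(unsigned cidr, unsigned bits, addr128 *mask)
{
    if ((bits != 32 && bits != 128) || cidr > bits)
        return -1;
    memset(mask, 0, sizeof(*mask));
    for (unsigned i = 0; i < cidr; i++)
        mask->b[i / 8] |= (uint8_t)(0x80u >> (i % 8));
    return 0;
}

/* 1 if the mask is ones followed by zeros (expressible as a cidr),
 * 0 if it has holes, i.e. a wildcard mask. */
static int mask_is_contiguous(const addr128 *mask, unsigned bits)
{
    int seen_zero = 0;
    for (unsigned i = 0; i < bits; i++) {
        int one = (mask->b[i / 8] >> (7 - i % 8)) & 1;
        if (!one)
            seen_zero = 1;
        else if (seen_zero)
            return 0;
    }
    return 1;
}

/* Mask the address in place, so every member of the masked range hashes
 * to the same set entry. */
static void addr_mask_inplace(addr128 *addr, const addr128 *mask, unsigned bits)
{
    for (unsigned i = 0; i < bits / 8; i++)
        addr->b[i] &= mask->b[i];
}

/* Parse an IPv6 or IPv4 literal; returns the family's bit width or -1. */
static int parse_addr(const char *txt, addr128 *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET6, txt, out->b) == 1)
        return 128;
    if (inet_pton(AF_INET, txt, out->b) == 1)
        return 32;
    return -1;
}

/* Example convention: a bare number is a prefix length, anything else is a
 * mask literal of the same family (contiguous or wildcard). Width or -1. */
static int parse_mask(const char *txt, unsigned bits, addr128 *mask)
{
    const char *p = txt;
    while (isdigit((unsigned char)*p))
        p++;
    if (*p == '\0' && p != txt)
        return mask_from_cidr((unsigned)strtoul(txt, NULL, 10), bits, mask) == 0 ? (int)bits : -1;
    int mbits = parse_addr(txt, mask);
    return mbits == (int)bits ? mbits : -1;   /* reject a mask of the other family */
}

/* 1 = contiguous (cidr-style) mask, 0 = wildcard mask, -1 = invalid for this family. */
static int mask_kind(const char *mask_txt, unsigned bits)
{
    addr128 m;
    if (parse_mask(mask_txt, bits, &m) < 0)
        return -1;
    return mask_is_contiguous(&m, bits);
}

/* Apply mask_txt to addr_txt and compare with expect_txt.
 * 1 on match, 0 on mismatch, -1 on a parse or family error. */
static int masked_equals(const char *addr_txt, const char *mask_txt, const char *expect_txt)
{
    addr128 a, m, e;
    int bits = parse_addr(addr_txt, &a);
    if (bits < 0 || parse_mask(mask_txt, (unsigned)bits, &m) < 0 || parse_addr(expect_txt, &e) != bits)
        return -1;
    addr_mask_inplace(&a, &m, (unsigned)bits);
    return memcmp(a.b, e.b, sizeof(a.b)) == 0;
}

int main(void)
{
    printf("cidr 64 == ffff:ffff:ffff:ffff:: : %d\n",
           masked_equals("2001:db8:1:2:3:4:5:6", "64", "2001:db8:1:2::") &&
           masked_equals("2001:db8:1:2:3:4:5:6", "ffff:ffff:ffff:ffff::", "2001:db8:1:2::"));
    printf("wildcard kind: %d\n", mask_kind("ffff:ffff::ffff:ffff", 128));
    return 0;
}
```

The family check in parse_mask is the part worth keeping in any real implementation: a 128-bit mask silently truncated to 32 bits, or an IPv4 mask zero-extended to 128, would make the set match a range the administrator never asked for.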

Re: [PATCH 2/2] netfilter: ipvs: Compress return logic

2017-03-21 Thread Sergei Shtylyov
Hello! On 03/21/2017 04:23 PM, simran singhal wrote: Simplify function returns by merging assignment and return into one command line. You mean "one statement"? Signed-off-by: simran singhal --- --This is my contribution to the netfilter project of

Re: [PATCH nf 5/5] netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 11:19:11PM +0800, Liping Zhang wrote: > Hi Pablo, > > 2017-03-21 22:48 GMT+08:00 Liping Zhang : > > 2017-03-21 18:33 GMT+08:00 Pablo Neira Ayuso : > >>> +struct nfnl_cthelper { > >>> + struct list_headlist; >

[Netdev ANNOUNCE]: Two new talks on network emulators and zero copy sendmsg

2017-03-21 Thread Jamal Hadi Salim
The tech committee would like to announce two new accepted talks. The first one is a talk on container based network emulators by Brian Linkletter and the second one is by Willem de Bruijn on zero copy sendmsg. Details are as follows: 1) Investigating Linux Network Behaviour Using Open-Source

Re: [PATCH nf 5/5] netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table

2017-03-21 Thread Liping Zhang
Hi Pablo, 2017-03-21 22:48 GMT+08:00 Liping Zhang : > 2017-03-21 18:33 GMT+08:00 Pablo Neira Ayuso : >>> +struct nfnl_cthelper { >>> + struct list_headlist; >>> + struct nf_conntrack_helper *helper; >>> +}; >>> + >>> +static

[PATCH nf 1/2,v3] netfilter: nfnetlink_cthelper: fix runtime expectation policy updates

2017-03-21 Thread Pablo Neira Ayuso
We only allow runtime updates of expectation policies for timeout and maximum number of expectations, otherwise reject the update. Signed-off-by: Pablo Neira Ayuso --- v3: Fixed expect_class_max semantics. Compile-tested only. net/netfilter/nfnetlink_cthelper.c | 86

Re: [PATCH nf 3/5] netfilter: drop const qualifier from struct nf_conntrack_expect_policy

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 11:00:02PM +0800, Liping Zhang wrote: > Hi Pablo, > > 2017-03-21 18:34 GMT+08:00 Pablo Neira Ayuso : > > On Sun, Mar 19, 2017 at 10:36:00PM +0800, Liping Zhang wrote: > >> From: Liping Zhang > >> > >> So we can modify the

Re: [PATCH nf 2/5] netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 10:35:43PM +0800, Liping Zhang wrote: > Hi Pablo, > > 2017-03-21 18:27 GMT+08:00 Pablo Neira Ayuso : > [...] > >> + class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM])); > >> + if (class_max == 0) > >> + return -EINVAL; > > > >

Re: [PATCH nf 5/5] netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table

2017-03-21 Thread Liping Zhang
2017-03-21 18:33 GMT+08:00 Pablo Neira Ayuso : > On Sun, Mar 19, 2017 at 10:36:02PM +0800, Liping Zhang wrote: >> From: Liping Zhang >> >> The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while >> nfct_helper operation is protected by

RE: [PATCH net-next 1/1] netfilter: helper: Remove the rcu lock in nf_ct_helper_expectfn_find_by_name and nf_ct_helper_expectfn_find_by_symbol.

2017-03-21 Thread 高峰
Hi Pablo, > -Original Message- > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > Sent: Tuesday, March 21, 2017 10:30 PM > To: f...@ikuai8.com > Cc: netfilter-devel@vger.kernel.org; gfree.w...@gmail.com > Subject: Re: [PATCH net-next 1/1] netfilter: helper: Remove the rcu lock in >

Re: [PATCH nf 2/5] netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max

2017-03-21 Thread Liping Zhang
Hi Pablo, 2017-03-21 18:27 GMT+08:00 Pablo Neira Ayuso : [...] >> + class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM])); >> + if (class_max == 0) >> + return -EINVAL; > > I think this patch is just fixing up this case. We should always > provide a

Re: Interrest in a ASA-like packet tracer?

2017-03-21 Thread Pablo Neira Ayuso
On Mon, Mar 20, 2017 at 01:33:33PM +0100, Oliver Schröder wrote: > Hi list, > > inspired by the 'packet-tracer' cli-command of cisco ASAs I have > implemented a linux application with the same functionality. For those > of you who are not familiar with the command, please read up at lpt's >

RE: [PATCH nf v3 2/2] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded

2017-03-21 Thread Gao Feng
Hi Pablo, > -Original Message- > From: netfilter-devel-ow...@vger.kernel.org > [mailto:netfilter-devel-ow...@vger.kernel.org] On Behalf Of Pablo Neira Ayuso > Sent: Tuesday, March 21, 2017 10:13 PM > To: f...@ikuai8.com > Cc: netfilter-devel@vger.kernel.org; gfree_w...@126.com > Subject:

Re: [PATCH net-next 1/1] netfilter: helper: Remove the rcu lock in nf_ct_helper_expectfn_find_by_name and nf_ct_helper_expectfn_find_by_symbol.

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 04:29:05PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > Because these two functions return the nf_ct_helper_expectfn pointer > which should be protected by the rcu lock, it should be made sure that the > caller holds the rcu lock, rather than taking it inside these

Re: [PATCH nf 1/5] netfilter: nfnl_cthelper: don't report error if NFCTH_PRIV_DATA_LEN is empty

2017-03-21 Thread Liping Zhang
Hi Pablo, 2017-03-21 18:18 GMT+08:00 Pablo Neira Ayuso : > On Sun, Mar 19, 2017 at 10:35:58PM +0800, Liping Zhang wrote: >> From: Liping Zhang >> >> Currently, when we create cthelper via nfnetlink, -EINVAL will be >> returned if the NFCTH_PRIV_DATA_LEN

Re: [PATCH iptables v2 2/2] iptables-restore: support acquiring the lock.

2017-03-21 Thread Pablo Neira Ayuso
On Thu, Mar 16, 2017 at 04:55:02PM +0900, Lorenzo Colitti wrote: > Currently, ip[6]tables-restore does not perform any locking, so it > is not safe to use concurrently with ip[6]tables. > > This patch makes ip[6]tables-restore wait for the lock if -w > was specified. Arguments to -w and -W are
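The patch being reviewed above makes ip[6]tables-restore wait for the same lock that ip[6]tables takes, so that two rule loaders cannot interleave. The block below is an added example, not Lorenzo's patch and not iptables' own code: it reproduces the mechanism in miniature, an exclusive flock() on a lock file (iptables uses /run/xtables.lock; the path below is a constructed stand-in) retried at a fixed interval until a wait budget runs out, and function names are the example's own. The contention demo relies on the documented flock() rule that two separate open() calls on the same file conflict with each other even inside one process, which is what makes the check deterministic without forking.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Take an exclusive flock() on path, retrying every interval_ms until
 * wait_s seconds have elapsed. wait_s < 0 waits forever, wait_s == 0 tries
 * exactly once. Returns the held fd (>= 0), -1 if the lock stayed busy,
 * -2 on an open/flock error. Closing the fd releases the lock. */
static int xtables_lock_acquire(const char *path, int wait_s, int interval_ms)
{
    int fd = open(path, O_CREAT | O_RDWR | O_CLOEXEC, 0600);
    if (fd < 0)
        return -2;
    struct timespec start, now;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;
        if (errno != EWOULDBLOCK) {
            close(fd);
            return -2;
        }
        clock_gettime(CLOCK_MONOTONIC, &now);
        double elapsed = (double)(now.tv_sec - start.tv_sec) +
                         (double)(now.tv_nsec - start.tv_nsec) / 1e9;
        if (wait_s >= 0 && elapsed >= wait_s) {
            close(fd);
            return -1;
        }
        struct timespec nap = { interval_ms / 1000, (interval_ms % 1000) * 1000000L };
        nanosleep(&nap, NULL);
    }
}

static void xtables_lock_release(int fd)
{
    if (fd >= 0)
        close(fd);   /* dropping the last descriptor of this open file releases the flock */
}

/* Contention check: while the first acquire is held, a second independent
 * open of the same file must fail both immediately and after a 1 s wait, and
 * must succeed once the first holder releases. Returns 1 if so, else 0. */
static int lock_contention_demo(const char *path)
{
    int first = xtables_lock_acquire(path, 0, 10);
    if (first < 0)
        return 0;
    int second = xtables_lock_acquire(path, 0, 10);   /* separate open file description */
    int retried = xtables_lock_acquire(path, 1, 50);  /* keeps retrying, then gives up */
    xtables_lock_release(first);
    int after = xtables_lock_acquire(path, 0, 10);
    int ok = second == -1 && retried == -1 && after >= 0;
    xtables_lock_release(after);
    return ok;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/xtables-example.lock";
    int fd = xtables_lock_acquire(path, 5, 200);   /* like -w 5 -W 200000 */
    if (fd < 0) {
        fprintf(stderr, "another process holds %s, giving up\n", path);
        return 4;
    }
    /* ... read and commit the rule set here while fd is held ... */
    xtables_lock_release(fd);
    return 0;
}
```

Two details matter when wiring this into a real loader. The lock must be held across the whole read-modify-write of the rule set, not just around the final commit, since the race the patch fixes is between a restore that has already read the old table and a concurrent iptables call that changes it. And the lock is advisory: a tool that simply never takes it, which is what restore did before this patch, is not excluded by anyone else taking it.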

[PATCH v2 1/2] netfilter: ipset: Compress return logic

2017-03-21 Thread simran singhal
Simplify function returns by merging assignment and return into one command line. Signed-off-by: simran singhal --- --This is my contribution to the netfilter project of Outreachy Round 14. net/netfilter/ipset/ip_set_list_set.c | 5 + 1 file changed, 1

[PATCH v2 2/2] netfilter: ipvs: Compress return logic

2017-03-21 Thread simran singhal
Simplify function returns by merging assignment and return into one command line. Signed-off-by: simran singhal --- --This is my contribution to the netfilter project of Outreachy Round 14. net/netfilter/ipvs/ip_vs_ftp.c | 5 + 1 file changed, 1 insertion(+),

[PATCH v2 0/2] netfilter: Compress return logic

2017-03-21 Thread simran singhal
This patch series simplifies function returns by merging assignment and return into one command line. v2: -Change the subject of cover patch simran singhal (2): netfilter: ipset: Compress return logic netfilter: ipvs: Compress return logic net/netfilter/ipset/ip_set_list_set.c | 5 +

Re: [nft PATCH 0/2] Some fixes for nested sets

2017-03-21 Thread Pablo Neira Ayuso
On Mon, Mar 20, 2017 at 05:38:54PM +0100, Phil Sutter wrote: > This series fixes a number of issues with nested anonymous sets. Series applied. Phil, I'd appreciate if you can follow up with a patch that adds tests/shell to cover this fix. Thanks.

[PATCH 1/2,v2] netfilter: nfnetlink_cthelper: fix runtime expectation policy updates

2017-03-21 Thread Pablo Neira Ayuso
We only allow runtime updates of expectation policies for timeout and maximum number of expectations, otherwise reject the update. Signed-off-by: Pablo Neira Ayuso --- v2: While at this, make sure we don't break atomicity in case of malformed netlink attributes. So we

[PATCH 2/2] netfilter: ipvs: Compress return logic

2017-03-21 Thread simran singhal
Simplify function returns by merging assignment and return into one command line. Signed-off-by: simran singhal --- --This is my contribution to the netfilter project of Outreachy Round 14. net/netfilter/ipvs/ip_vs_ftp.c | 5 + 1 file changed, 1 insertion(+),

Re: [PATCH nf 4/5] netfilter: nfnl_cthelper: fix memory leak when do update

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 11:32:08AM +0100, Pablo Neira Ayuso wrote: > On Sun, Mar 19, 2017 at 10:36:01PM +0800, Liping Zhang wrote: > > From: Liping Zhang > > > > When invoking nfnl_cthelper_update, we malloc a new expect_policy, > > then only point the

[PATCH 0/2] netfilter: ,net...@vger.kernel.org

2017-03-21 Thread simran singhal
This patch series simplifies function returns by merging assignment and return into one command line. simran singhal (2): netfilter: ipset: Compress return logic netfilter: ipvs: Compress return logic net/netfilter/ipset/ip_set_list_set.c | 5 + net/netfilter/ipvs/ip_vs_ftp.c| 5

[PATCH 2/2 nf] netfilter: cthelper: Fix memory leak

2017-03-21 Thread Pablo Neira Ayuso
From: Jeffy Chen We have memory leaks of nf_conntrack_helper & expect_policy. Signed-off-by: Jeffy Chen Signed-off-by: Pablo Neira Ayuso --- Heavily based on your original patch, so I'm keeping you as original author

[PATCH 1/2 nf] netfilter: nfnetlink_cthelper: fix runtime expectation policy updates

2017-03-21 Thread Pablo Neira Ayuso
We only allow runtime updates of expectation policies for timeout and maximum number of expectations, otherwise reject the update. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nfnetlink_cthelper.c | 68 -- 1 file changed, 66

[PATCH 2/2] netfilter: Remove unnecessary cast on void pointer

2017-03-21 Thread simran singhal
The following Coccinelle script was used to detect this: @r@ expression x; void* e; type T; identifier f; @@ ( *((T *)e) | ((T *)x)[...] | ((T*)x)->f | - (T*) e ) Signed-off-by: simran singhal --- --This is my contribution to the netfilter project of

[PATCH 1/2] netfilter: ipset: Remove unnecessary cast on void pointer

2017-03-21 Thread simran singhal
The following Coccinelle script was used to detect this: @r@ expression x; void* e; type T; identifier f; @@ ( *((T *)e) | ((T *)x)[...] | ((T*)x)->f | - (T*) e ) Signed-off-by: simran singhal --- --This is my contribution to the netfilter project of

[PATCH 0/2] netfilter: Remove unnecessary cast on void pointer

2017-03-21 Thread simran singhal
This patch series removes unnecessary casts on void pointers. simran singhal (2): netfilter: ipset: Remove unnecessary cast on void pointer netfilter: Remove unnecessary cast on void pointer net/netfilter/ipset/ip_set_bitmap_gen.h | 4 ++-- net/netfilter/ipset/ip_set_core.c | 2 +-

Re: [PATCH] [RESENT]netfilter: nfnetlink_cthelper: Fix memory leak

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 03:07:10PM +0800, Jeffy Chen wrote: > We have memory leaks of nf_conntrack_helper & expect_policy. > > Signed-off-by: Jeffy Chen > --- > > net/netfilter/nfnetlink_cthelper.c | 7 +++ > 1 file changed, 7 insertions(+) > > diff --git

Re: [PATCH] [RESENT]netfilter: nfnetlink_cthelper: Fix memory leak

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 03:07:10PM +0800, Jeffy Chen wrote: > We have memory leaks of nf_conntrack_helper & expect_policy. Applied, thanks.

Re: [PATCH libnetfilter_cthelper] examples: fix double free in nftc-helper-add

2017-03-21 Thread Pablo Neira Ayuso
On Sun, Mar 19, 2017 at 10:01:10PM +0800, Liping Zhang wrote: > From: Liping Zhang > > After inputting the following test command, a core dump happened: > # ./examples/nfct-helper-add test 1 > *** Error in > `.../libnetfilter_cthelper/examples/.libs/lt-nfct-helper-add': >

Re: [PATCH nf 2/5] netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max

2017-03-21 Thread Pablo Neira Ayuso
On Sun, Mar 19, 2017 at 10:35:59PM +0800, Liping Zhang wrote: > From: Liping Zhang > > The helper->expect_class_max must be set to the total number of > expect_policy minus 1, since we will use the statement "if (class > > helper->expect_class_max)" to validate the
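Two threads on this page concern the same per-helper policy table: the nfnetlink_cthelper update patch (only timeout and the maximum number of expectations may change at runtime, anything else is rejected, and a malformed request must not leave the table half-updated) and the expect_class_max fix quoted here (the bound check is class > expect_class_max, so the field has to hold the class count minus one). The block below is an added example, not the kernel's nfnetlink_cthelper.c or either patch: the structs are a simplified model of the policy array and its bound (layout and names are the example's own), the error codes are the example's choice, and the runtime update is written as validate-everything-then-commit so that a rejected request leaves the old values untouched.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POLICY_NAME_LEN 16   /* example constant for the per-class name buffer */

struct expect_policy {
    unsigned int max_expected;
    unsigned int timeout;
    char name[POLICY_NAME_LEN];
};

struct helper {
    unsigned int expect_class_max;       /* index of the last class: count - 1 */
    struct expect_policy *expect_policy; /* expect_class_max + 1 entries */
};

/* Lookup guarded the way the thread quotes it. It is only memory-safe when
 * expect_class_max was set to count - 1, not to count. */
static const struct expect_policy *helper_policy(const struct helper *h, unsigned int class)
{
    if (class > h->expect_class_max)
        return NULL;
    return &h->expect_policy[class];
}

static int helper_init(struct helper *h, const struct expect_policy *pols, unsigned int count)
{
    if (count == 0)
        return -EINVAL;
    h->expect_policy = calloc(count, sizeof(*pols));
    if (!h->expect_policy)
        return -ENOMEM;
    memcpy(h->expect_policy, pols, count * sizeof(*pols));
    h->expect_class_max = count - 1;
    return 0;
}

/* Runtime update: only timeout and max_expected may change. The class count
 * and every class name must match the existing table. All checks run before
 * the first write, so a bad request changes nothing (example error codes). */
static int helper_update_policies(struct helper *h, const struct expect_policy *req, unsigned int count)
{
    if (count == 0)
        return -EINVAL;
    if (count - 1 != h->expect_class_max)
        return -EBUSY;
    for (unsigned int i = 0; i < count; i++)
        if (strncmp(req[i].name, h->expect_policy[i].name, POLICY_NAME_LEN) != 0)
            return -EBUSY;
    for (unsigned int i = 0; i < count; i++) {   /* commit: cannot fail past here */
        h->expect_policy[i].timeout = req[i].timeout;
        h->expect_policy[i].max_expected = req[i].max_expected;
    }
    return 0;
}

/* Walks the three cases with a constructed two-class table; 1 if every
 * expectation holds, 0 otherwise. */
static int policy_update_demo(void)
{
    struct expect_policy initial[2] = {
        { .max_expected = 3, .timeout = 300, .name = "ftp" },
        { .max_expected = 1, .timeout = 60,  .name = "ftp-data" },
    };
    struct helper h;
    if (helper_init(&h, initial, 2) != 0)
        return 0;
    int ok = 1;
    ok &= h.expect_class_max == 1;
    ok &= helper_policy(&h, 1) != NULL && helper_policy(&h, 2) == NULL;   /* off-by-one guard */

    struct expect_policy tune[2];               /* 1. legal: tune limits in place */
    memcpy(tune, initial, sizeof(tune));
    tune[0].timeout = 900;
    tune[1].max_expected = 4;
    ok &= helper_update_policies(&h, tune, 2) == 0;
    ok &= h.expect_policy[0].timeout == 900 && h.expect_policy[1].max_expected == 4;

    struct expect_policy bad[2];                /* 2. class 1 renamed: reject whole request */
    memcpy(bad, tune, sizeof(bad));
    bad[0].timeout = 5;
    strcpy(bad[1].name, "other");
    ok &= helper_update_policies(&h, bad, 2) == -EBUSY;
    ok &= h.expect_policy[0].timeout == 900;    /* class 0 untouched although it came first */

    ok &= helper_update_policies(&h, tune, 1) == -EBUSY;    /* 3. wrong class count */
    ok &= helper_update_policies(&h, tune, 0) == -EINVAL;
    free(h.expect_policy);
    return ok;
}

int main(void)
{
    printf("policy update demo: %s\n", policy_update_demo() ? "ok" : "FAILED");
    return 0;
}
```

The ordering in helper_update_policies is the whole point of the "atomicity" remark in the v2 posting: if the name check ran inside the same loop that writes timeouts, a request whose second class is malformed would already have rewritten the first class before being rejected.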

Re: [PATCH nf 5/5] netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table

2017-03-21 Thread Pablo Neira Ayuso
On Sun, Mar 19, 2017 at 10:36:02PM +0800, Liping Zhang wrote: > From: Liping Zhang > > The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while > nfct_helper operation is protected by nfnl_lock(NFNL_SUBSYS_CTHELPER). > So it's possible that one CPU is walking

Re: [PATCH nf 4/5] netfilter: nfnl_cthelper: fix memory leak when do update

2017-03-21 Thread Pablo Neira Ayuso
On Sun, Mar 19, 2017 at 10:36:01PM +0800, Liping Zhang wrote: > From: Liping Zhang > > When invoking nfnl_cthelper_update, we malloc a new expect_policy, > then only point helper->expect_policy to the new one but ignore > the old one, so it will be leaked forever. >

Re: [Bridge] [PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-21 Thread Pablo Neira Ayuso
On Tue, Mar 21, 2017 at 01:09:47AM +0100, Linus Lüssing wrote: > On Sun, Mar 19, 2017 at 05:55:06PM +0100, Linus Lüssing wrote: > > On Fri, Mar 17, 2017 at 02:10:44PM +0100, Pablo Neira Ayuso wrote: > > > Wait. > > > > > > May this break local multicast listener that are bound to the bridge > > >

Re: [PATCH nf 1/5] netfilter: nfnl_cthelper: don't report error if NFCTH_PRIV_DATA_LEN is empty

2017-03-21 Thread Pablo Neira Ayuso
On Sun, Mar 19, 2017 at 10:35:58PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Currently, when we create cthelper via nfnetlink, -EINVAL will be > returned if the NFCTH_PRIV_DATA_LEN attribute is empty. > > But enforcing the user to specify the NFCTH_PRIV_DATA_LEN

[PATCH 2/5] netfilter: Clean up tests if NULL returned on failure

2017-03-21 Thread simran singhal
Some functions like kmalloc/kzalloc return NULL on failure. When NULL represents failure, !x is commonly used. This was done using Coccinelle: @@ expression *e; identifier l1; @@ e = \(kmalloc\|kzalloc\|kcalloc\|devm_kzalloc\)(...); ... - e == NULL + !e Signed-off-by: simran singhal

[PATCH 1/5] netfilter: ipvs: Clean up tests if NULL returned on failure

2017-03-21 Thread simran singhal
Some functions like kmalloc/kzalloc return NULL on failure. When NULL represents failure, !x is commonly used. @@ expression *e; identifier l1; @@ e = \(kmalloc\|kzalloc\|kcalloc\|devm_kzalloc\)(...); ... - e == NULL + !e Signed-off-by: simran singhal --- --This is

[PATCH 5/5] netfilter: xt_TEE: Clean up tests if NULL returned on failure

2017-03-21 Thread simran singhal
Some functions like kmalloc/kzalloc return NULL on failure. When NULL represents failure, !x is commonly used. This was done using Coccinelle: @@ expression *e; identifier l1; @@ e = \(kmalloc\|kzalloc\|kcalloc\|devm_kzalloc\)(...); ... - e == NULL + !e Signed-off-by: simran singhal

[PATCH 3/5] netfilter: nf_tables_api: Clean up tests if NULL returned on failure

2017-03-21 Thread simran singhal
Some functions like kmalloc/kzalloc return NULL on failure. When NULL represents failure, !x is commonly used. This was done using Coccinelle: @@ expression *e; identifier l1; @@ e = \(kmalloc\|kzalloc\|kcalloc\|devm_kzalloc\)(...); ... - e == NULL + !e Signed-off-by: simran singhal

[PATCH 4/5] netfilter: nfnetlink: Clean up tests if NULL returned on failure

2017-03-21 Thread simran singhal
Some functions like kmalloc/kzalloc return NULL on failure. When NULL represents failure, !x is commonly used. This was done using Coccinelle: @@ expression *e; identifier l1; @@ e = \(kmalloc\|kzalloc\|kcalloc\|devm_kzalloc\)(...); ... - e == NULL + !e Signed-off-by: simran singhal

[PATCH nf v3 1/2] netfilter: helper: Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper

2017-03-21 Thread fgao
From: Gao Feng Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename other functions or variables which refer to it. The new name is better than the old one. Signed-off-by: Gao Feng --- v3: Rename the nf_ct_helper_expectfn, func, and member, per

[PATCH nf v3 0/2] Fix invoking expectfn unloaded

2017-03-21 Thread fgao
From: Gao Feng It is possible to invoke one expectfn whose module is already unloaded. These two patches are used to fix it. Gao Feng (2): netfilter: helper: Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper netfilter: helper: Fix possible panic caused by

[PATCH nf v3 2/2] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded

2017-03-21 Thread fgao
From: Gao Feng Because the conntrack NAT module could be rmmod'ed at any time, we should really leave things in a clean state if such a thing happens and make sure we don't leave any packet running over code that will be gone after the removal. We only removed the expectations when