RE: [PATCH nf-next v2 1/1] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-04-13 Thread Gao Feng
> -Original Message- > From: netfilter-devel-ow...@vger.kernel.org > On Fri, Apr 14, 2017 at 07:04:44AM +0800, Gao Feng wrote: > > > -Original Message- > > > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > > > > > > On Wed, Apr 12, 2017 at 10:14:50AM +0800,

Re: [PATCH nf V2] netfilter: ctnetlink: make it safer when updating ct->status

2017-04-13 Thread Liping Zhang
Hi Pablo, 2017-04-14 7:25 GMT+08:00 Pablo Neira Ayuso : > On Thu, Apr 13, 2017 at 08:53:47PM +0800, Liping Zhang wrote: >> From: Liping Zhang >> >> User can update the ct->status via nfnetlink, but using a non-atomic >> operation "ct->status |= status;".

RE: [PATCH nf v2] netfilter: cttimeout: Fix one possible use-after-free issue

2017-04-13 Thread Gao Feng
> From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > On Fri, Apr 14, 2017 at 09:13:40AM +0800, gfree.w...@foxmail.com wrote: > > From: Gao Feng > > > > The function ctnl_untimeout is used to untimeout every conntrack which > > is using the timeout. But it is necessary to add

[PATCH nf v3] netfilter: xt_CT: fix refcnt leak on error path

2017-04-13 Thread gfree . wind
From: Gao Feng There are two cases which cause a refcnt leak. 1. When nf_ct_timeout_ext_add failed in xt_ct_set_timeout, it should free the timeout refcnt. Now goto the err_put_timeout error handler instead of going ahead. 2. When the time policy is not found, we should call

Re: [libnetfilter_queue][PATCH 2/2] Declare the define visibility attribute together

2017-04-13 Thread Khem Raj
On 4/13/17 6:30 PM, Pablo Neira Ayuso wrote: > On Thu, Apr 13, 2017 at 06:22:54PM -0700, Khem Raj wrote: >>> It would be good if you send me a patch for libnetfilter_queue that >>> applies on top of you previous patch, or I can simply revert. >> >> I will send a patch which uses EXPORT_FUNCTION

Re: [libnetfilter_queue][PATCH 2/2] Declare the define visibility attribute together

2017-04-13 Thread Pablo Neira Ayuso
On Thu, Apr 13, 2017 at 06:22:54PM -0700, Khem Raj wrote: > > It would be good if you send me a patch for libnetfilter_queue that > > applies on top of you previous patch, or I can simply revert. > > I will send a patch which uses EXPORT_FUNCTION instead and declare it > before definition like

Re: [PATCH nf v2] netfilter: cttimeout: Fix one possible use-after-free issue

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 09:13:40AM +0800, gfree.w...@foxmail.com wrote: > From: Gao Feng > > The function ctnl_untimeout is used to untimeout every conntrack > which is using the timeout. But it is necessary to add one barrier > synchronize_rcu because of racing. Maybe one

Re: [libnetfilter_queue][PATCH 2/2] Declare the define visibility attribute together

2017-04-13 Thread Khem Raj
On 4/13/17 4:49 PM, Pablo Neira Ayuso wrote: > On Fri, Apr 14, 2017 at 01:37:19AM +0200, Pablo Neira Ayuso wrote: >> On Mon, Apr 10, 2017 at 12:58:04PM -0700, Khem Raj wrote: >>> clang ignores the visibility attribute if it's not >>> defined before the definition. As a result these >>> symbols

[PATCH nf v2] netfilter: cttimeout: Fix one possible use-after-free issue

2017-04-13 Thread gfree . wind
From: Gao Feng The function ctnl_untimeout is used to untimeout every conntrack which is using the timeout. But it is necessary to add one barrier synchronize_rcu because of racing. Maybe one conntrack has already owned this timeout, but it is not inserted into unconfirmed list

Re: [PATCH nf v5 2/3] netfilter: nat_helper: Make sure every proto nat module uses its nat_helper

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 08:46:44AM +0800, Gao Feng wrote: > > -Original Message- > > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > > On Fri, Mar 31, 2017 at 06:38:20PM +0800, gfree.w...@foxmail.com wrote: > > > +static struct nf_ct_nat_helper pptp_nat = { > > > + .name

RE: [PATCH nf] netfilter: xt_CT: fix cthelper module's refcnt leak

2017-04-13 Thread Gao Feng
> -Original Message- > From: Liping Zhang [mailto:zlpnob...@gmail.com] > Hi Pablo, > > 2017-04-14 6:30 GMT+08:00 Pablo Neira Ayuso : > >> We should call module_put when the time policy is not found. > >> Otherwise, the related cthelper module cannot be removed

RE: [PATCH nf v5 2/3] netfilter: nat_helper: Make sure every proto nat module uses its nat_helper

2017-04-13 Thread Gao Feng
> -Original Message- > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > On Fri, Mar 31, 2017 at 06:38:20PM +0800, gfree.w...@foxmail.com wrote: > > +static struct nf_ct_nat_helper pptp_nat = { > > + .name = "pptp_nat", > > Why all these with "xyz_nat" names? I

[PATCH 5/9] netfilter: make it safer during the inet6_dev->addr_list traversal

2017-04-13 Thread Pablo Neira Ayuso
From: Liping Zhang inet6_dev->addr_list is protected by inet6_dev->lock, so only using rcu_read_lock is not enough, we should acquire read_lock_bh(>lock) before the inet6_dev->addr_list traversal. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira

[PATCH 7/9] netfilter: nf_ct_expect: use proper RCU list traversal/update APIs

2017-04-13 Thread Pablo Neira Ayuso
From: Liping Zhang We should use proper RCU list APIs to manipulate help->expectations, as we can dump the conntrack's expectations via nfnetlink, i.e. in ctnetlink_exp_ct_dump_table(), where only rcu_read_lock is acquired. So for list traversal, use

[PATCH 9/9] netfilter: ipt_CLUSTERIP: Fix wrong conntrack netns refcnt usage

2017-04-13 Thread Pablo Neira Ayuso
From: Gao Feng Current code wrongly invokes nf_ct_netns_get in the destroy routine; it should use nf_ct_netns_put, not nf_ct_netns_get. It could prevent some modules from being unloaded. Fixes: ecb2421b5ddf ("netfilter: add and use nf_ct_netns_get/put") Signed-off-by: Gao Feng

[PATCH 3/9] netfilter: helper: Add the rcu lock when call __nf_conntrack_helper_find

2017-04-13 Thread Pablo Neira Ayuso
From: Gao Feng When invoking __nf_conntrack_helper_find, it needs the rcu lock to protect the helper module so that it would not be unloaded. Now there are two callers, nf_conntrack_helper_try_module_get and ctnetlink_create_expect, which don't hold the rcu lock. And the other callers left

[PATCH 0/9] Netfilter fixes for net

2017-04-13 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Missing TCP header sanity check in TCPMSS target, from Eric Dumazet. 2) Incorrect event message type for related conntracks created via ctnetlink, from Liping Zhang. 3) Fix incorrect rcu locking when

[PATCH 2/9] netfilter: ctnetlink: using bit to represent the ct event

2017-04-13 Thread Pablo Neira Ayuso
From: Liping Zhang Otherwise, creating a new conntrack via nfnetlink: # conntrack -I -p udp -s 1.1.1.1 -d 2.2.2.2 -t 10 --sport 10 --dport 20 will emit the wrong ct events (where UPDATE should be NEW): # conntrack -E [UPDATE] udp 17 10 src=1.1.1.1 dst=2.2.2.2

[PATCH 4/9] netfilter: ctnetlink: make it safer when checking the ct helper name

2017-04-13 Thread Pablo Neira Ayuso
From: Liping Zhang One CPU is doing ctnetlink_change_helper(), while another CPU is doing unhelp() at the same time. So even if help->helper is not NULL at first, the later statement strcmp(help->helper->name, ...) may still access the NULL pointer. So we must use

[PATCH 1/9] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

2017-04-13 Thread Pablo Neira Ayuso
From: Eric Dumazet Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS. I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems the xt_TCPMSS patch has the smallest possible impact. Signed-off-by: Eric

Re: [PATCH nf-next] ipvs: remove unused function ip_vs_set_state_timeout

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 03:50:44PM -0400, Aaron Conole wrote: > There are no in-tree callers of this function and it isn't exported. Simon, let me know if you want to take this, or just add your Signed-off-by. Thanks! > Signed-off-by: Aaron Conole > --- >

Re: [PATCH nf v5 2/3] netfilter: nat_helper: Make sure every proto nat module uses its nat_helper

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Mar 31, 2017 at 06:38:20PM +0800, gfree.w...@foxmail.com wrote: > +static struct nf_ct_nat_helper pptp_nat = { > + .name = "pptp_nat", Why all these with "xyz_nat" names? This is going to break ctnetlink, as this is the name that identifies the NAT helper to be

Re: [GIT 0/3] Second Round of IPVS Updates for v4.12

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 08:51:19AM +0900, Simon Horman wrote: > On Fri, Apr 14, 2017 at 01:01:34AM +0200, Pablo Neira Ayuso wrote: > > Hi Simon, > > > > On Mon, Apr 10, 2017 at 09:58:32AM -0700, Simon Horman wrote: > > > Hi Pablo, > > > > > > please consider these clean-ups and enhancements to

Re: [PATCH nf V2] netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 07:50:26AM +0800, Liping Zhang wrote: > Hi Pablo, > > 2017-04-14 6:29 GMT+08:00 Pablo Neira Ayuso : > [...] > >> After I have a closer look, inside hlist_for_each_entry_rcu, we use the > >> rcu_dereference_raw() to get the pointer, and this will not

Re: [GIT 0/3] Second Round of IPVS Updates for v4.12

2017-04-13 Thread Simon Horman
On Fri, Apr 14, 2017 at 01:01:34AM +0200, Pablo Neira Ayuso wrote: > Hi Simon, > > On Mon, Apr 10, 2017 at 09:58:32AM -0700, Simon Horman wrote: > > Hi Pablo, > > > > please consider these clean-ups and enhancements to IPVS for v4.12. > > > > * Removal of unused variable > > * Use kzalloc where

Re: [PATCH nf V2] netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink

2017-04-13 Thread Liping Zhang
Hi Pablo, 2017-04-14 6:29 GMT+08:00 Pablo Neira Ayuso : [...] >> After I have a closer look, inside hlist_for_each_entry_rcu, we use the >> rcu_dereference_raw() to get the pointer, and this will not generate warning: >> >> #define hlist_for_each_entry_rcu(pos, head, member)

Re: [libnetfilter_queue][PATCH 2/2] Declare the define visibility attribute together

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 01:37:19AM +0200, Pablo Neira Ayuso wrote: > On Mon, Apr 10, 2017 at 12:58:04PM -0700, Khem Raj wrote: > > clang ignores the visibility attribute if it's not > > defined before the definition. As a result these > > symbols become hidden and consumers of this library > > fail

Re: [PATCH nf 2/2] netfilter: nfnl_cthelper: reject del request if helper obj is in use

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 01:42:04AM +0200, Pablo Neira Ayuso wrote: > On Fri, Apr 14, 2017 at 07:37:50AM +0800, Liping Zhang wrote: > > Hi Pablo, > > > > 2017-04-14 7:16 GMT+08:00 Pablo Neira Ayuso : > > [...] > > >> #ifndef _NF_CONNTRACK_HELPER_H > > >> #define

Re: [PATCH nf 2/2] netfilter: nfnl_cthelper: reject del request if helper obj is in use

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 07:37:50AM +0800, Liping Zhang wrote: > Hi Pablo, > > 2017-04-14 7:16 GMT+08:00 Pablo Neira Ayuso : > [...] > >> #ifndef _NF_CONNTRACK_HELPER_H > >> #define _NF_CONNTRACK_HELPER_H > >> +#include > >> #include > >> #include > >> #include > >>

Re: [PATCH nf 2/2] netfilter: nfnl_cthelper: reject del request if helper obj is in use

2017-04-13 Thread Liping Zhang
Hi Pablo, 2017-04-14 7:16 GMT+08:00 Pablo Neira Ayuso : [...] >> #ifndef _NF_CONNTRACK_HELPER_H >> #define _NF_CONNTRACK_HELPER_H >> +#include >> #include >> #include >> #include >> @@ -26,6 +27,7 @@ struct nf_conntrack_helper { >> struct hlist_node hnode;

Re: [libnetfilter_queue][PATCH 2/2] Declare the define visibility attribute together

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 12:58:04PM -0700, Khem Raj wrote: > clang ignores the visibility attribute if it's not > defined before the definition. As a result these > symbols become hidden and consumers of this library > fail to link due to these missing symbols Also applied, thanks. -- To

Re: [PATCH nf-next] ipset: remove unused function __ip_set_get_netlink

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 03:52:37PM -0400, Aaron Conole wrote: > There are no in-tree callers. @Jozsef, let me know if I should just take this to save you a pull request. Thanks. > Signed-off-by: Aaron Conole > --- > net/netfilter/ipset/ip_set_core.c | 8 > 1 file

Re: [PATCH nf-next] nf_tables: remove double return statement

2017-04-13 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH nf-next] nf_conntrack: remove double assignment

2017-04-13 Thread Pablo Neira Ayuso
On Wed, Apr 12, 2017 at 04:32:54PM -0400, Aaron Conole wrote: > The protonet pointer will unconditionally be rewritten, so just do the > needed assignment first. Also applied, thanks.

Re: [PATCH nf V2] netfilter: ctnetlink: make it safer when updating ct->status

2017-04-13 Thread Pablo Neira Ayuso
On Thu, Apr 13, 2017 at 08:53:47PM +0800, Liping Zhang wrote: > From: Liping Zhang > > User can update the ct->status via nfnetlink, but using a non-atomic > operation "ct->status |= status;". This is unsafe, and may clear > IPS_DYING_BIT bit set by another CPU unexpectedly.

Re: [PATCH nf 2/2] netfilter: nfnl_cthelper: reject del request if helper obj is in use

2017-04-13 Thread Pablo Neira Ayuso
On Sun, Apr 09, 2017 at 04:22:14PM +0800, Liping Zhang wrote: > From: Liping Zhang > > We can still delete the ct helper even if it is in use, this will cause > a use-after-free error. In more detail, I mean: > # nfct helper add ssdp inet udp > # iptables -t raw -A

[PATCH nf v2] net/openvswitch: Delete conntrack entry clashing with an expectation.

2017-04-13 Thread Jarno Rajahalme
Conntrack helpers do not check for a potentially clashing conntrack entry when creating a new expectation. Also, nf_conntrack_in() will check expectations (via init_conntrack()) only if a conntrack entry can not be found. The expectation for a packet which also matches an existing conntrack

Re: [PATCH nft] hash: generate a random seed if seed option is empty

2017-04-13 Thread Liping Zhang
Hi Pablo, 2017-04-14 4:57 GMT+08:00 Pablo Neira Ayuso : [...] >> - nftnl_expr_set_u32(nle, NFTNL_EXPR_HASH_SEED, expr->hash.seed); >> + if (expr->hash.seed) >> + nftnl_expr_set_u32(nle, NFTNL_EXPR_HASH_SEED, expr->hash.seed); > > I prefer we have a

Re: [PATCH nf-next v2 1/1] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 07:04:44AM +0800, Gao Feng wrote: > > -Original Message- > > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > > > > On Wed, Apr 12, 2017 at 10:14:50AM +0800, gfree.w...@foxmail.com wrote: > > > > > > Current SYNPROXY codes return NF_DROP during normal TCP

Re: [PATCH 1/2 v2] iptables-restore/ip6tables-restore: add --version/-V argument

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 12:31:56PM -0500, Dan Williams wrote: > Prints program version just like iptables/ip6tables. Applied, thanks.

Re: [PATCH 2/2 v2] iptables-restore.8: document -w/-W options

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 12:35:18PM -0500, Dan Williams wrote: > Fixes: 999eaa241212d3952ddff39a99d0d55a74e3639e Also applied, thanks.

RE: [PATCH nf-next v2 1/1] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-04-13 Thread Gao Feng
> -Original Message- > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > > On Wed, Apr 12, 2017 at 10:14:50AM +0800, gfree.w...@foxmail.com wrote: > > > > Current SYNPROXY codes return NF_DROP during normal TCP handshaking, > > it is not friendly to caller. Because the nf_hook_slow

Re: [PATCH nf] datapath: Delete conntrack entry clashing with an expectation.

2017-04-13 Thread Jarno Rajahalme
Sorry for the mistake in the commit title, will send v2 shortly. Jarno > On Apr 13, 2017, at 4:01 PM, Jarno Rajahalme wrote: > > Conntrack helpers do not check for a potentially clashing conntrack > entry when creating a new expectation. Also, nf_conntrack_in() will > check

[PATCH nf] datapath: Delete conntrack entry clashing with an expectation.

2017-04-13 Thread Jarno Rajahalme
Conntrack helpers do not check for a potentially clashing conntrack entry when creating a new expectation. Also, nf_conntrack_in() will check expectations (via init_conntrack()) only if a conntrack entry can not be found. The expectation for a packet which also matches an existing conntrack

Re: [GIT 0/3] Second Round of IPVS Updates for v4.12

2017-04-13 Thread Pablo Neira Ayuso
Hi Simon, On Mon, Apr 10, 2017 at 09:58:32AM -0700, Simon Horman wrote: > Hi Pablo, > > please consider these clean-ups and enhancements to IPVS for v4.12. > > * Removal of unused variable > * Use kzalloc where appropriate > * More efficient detection of presence of NAT extension > > > The

Re: [PATCH nf-next 1/1] netfilter: cttimeout: Refine cttimeout_del_timeout

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 07, 2017 at 07:25:36PM +0800, gfree.w...@foxmail.com wrote: > From: Gao Feng > > 1. Return one error when trying to delete all timeouts and meeting one error; > 2. Delete the condition block when failing to delete the specified timeout. > It is clearer that it would stop the

Re: [PATCH nf 1/1] netfilter: cttimeout: Fix one possible use-after-free issue

2017-04-13 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 06:35:13AM +0800, Gao Feng wrote: > > -Original Message- > > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > > On Thu, Apr 06, 2017 at 07:09:09PM +0800, gfree.w...@foxmail.com wrote: > > > > > > The function ctnl_untimeout is used to untimeout every conntrack

RE: [PATCH nf 1/1] netfilter: cttimeout: Fix one possible use-after-free issue

2017-04-13 Thread Gao Feng
> -Original Message- > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > On Thu, Apr 06, 2017 at 07:09:09PM +0800, gfree.w...@foxmail.com wrote: > > > > The function ctnl_untimeout is used to untimeout every conntrack which > > is using the timeout. But it is necessary to add one

Re: [PATCH nf] netfilter: xt_CT: fix cthelper module's refcnt leak

2017-04-13 Thread Pablo Neira Ayuso
On Sat, Apr 08, 2017 at 11:38:48AM +0800, Liping Zhang wrote: > From: Liping Zhang > > We should call module_put when the time policy is not found. Otherwise, > the related cthelper module cannot be removed anymore. > > It is easy to reproduce by typing the following

Re: [PATCH nf V2] netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink

2017-04-13 Thread Pablo Neira Ayuso
On Thu, Mar 30, 2017 at 10:12:00AM +0800, Liping Zhang wrote: > Hi Pablo, > > 2017-03-29 21:00 GMT+08:00 Liping Zhang : > > From: Liping Zhang > > > > cthelpers added via nfnetlink may have the same tuple, i.e. except for > > the l3proto and l4proto, other

Re: [PATCH libmnl] nlmsg: introduce mnl_nlmsg_batch_rest to get the rest length

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 03, 2017 at 03:11:27PM +0900, Ken-ichirou MATSUZAWA wrote: > Recent languages implement arrays that hold their length. This patch > helps to wrap these. As for this C library, we can use > it like below without a double-sized buffer. > > char buf[MNL_SOCKET_BUFFER_SIZE]; > >

Re: [PATCH nf v2 1/1] netfilter: xt_CT: Fix one possible memleak of timeout

2017-04-13 Thread Pablo Neira Ayuso
On Thu, Apr 06, 2017 at 07:19:34PM +0800, gfree.w...@foxmail.com wrote: > From: Gao Feng > > When nf_ct_timeout_ext_add failed in xt_ct_set_timeout, it should > free the timeout refcnt. > > Now goto the err_put_timeout error handler instead of going ahead. > > Signed-off-by:

RE: [PATCH nf 1/1] netfilter: seqadj: Fix possible non-linear data access for TCP header

2017-04-13 Thread Gao Feng
> -Original Message- > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > Sent: Friday, April 14, 2017 5:45 AM > To: gfree.w...@foxmail.com > Cc: netfilter-devel@vger.kernel.org; Gao Feng > Subject: Re: [PATCH nf 1/1] netfilter: seqadj: Fix possible non-linear data

Re: [PATCH nf-next v2 1/1] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-04-13 Thread Pablo Neira Ayuso
On Wed, Apr 12, 2017 at 10:14:50AM +0800, gfree.w...@foxmail.com wrote: > From: Gao Feng > > Current SYNPROXY codes return NF_DROP during normal TCP handshaking, > it is not friendly to caller. Because the nf_hook_slow would treat > the NF_DROP as an error, and return -EPERM. >

Re: [PATCH nf 1/1] netfilter: cttimeout: Fix one possible use-after-free issue

2017-04-13 Thread Pablo Neira Ayuso
On Thu, Apr 06, 2017 at 07:09:09PM +0800, gfree.w...@foxmail.com wrote: > From: Gao Feng > > The function ctnl_untimeout is used to untimeout every conntrack > which is using the timeout. But it is necessary to add one barrier > synchronize_rcu because of racing. Maybe one

Re: [PATCH nf 1/1] netfilter: seqadj: Fix possible non-linear data access for TCP header

2017-04-13 Thread Pablo Neira Ayuso
On Thu, Apr 13, 2017 at 11:42:49PM +0200, Pablo Neira Ayuso wrote: > On Thu, Apr 13, 2017 at 11:37:05PM +0200, Pablo Neira Ayuso wrote: > > On Mon, Apr 10, 2017 at 06:36:03PM +0800, gfree.w...@foxmail.com wrote: > > > From: Gao Feng > > > > > > The current call path of

Re: [PATCH nf 1/1] netfilter: seqadj: Fix possible non-linear data access for TCP header

2017-04-13 Thread Pablo Neira Ayuso
On Thu, Apr 13, 2017 at 11:37:05PM +0200, Pablo Neira Ayuso wrote: > On Mon, Apr 10, 2017 at 06:36:03PM +0800, gfree.w...@foxmail.com wrote: > > From: Gao Feng > > > > The current call path of nf_ct_tcp_seqadj_set is the following. > > > >

Re: [PATCH nf 1/1] netfilter: seqadj: Fix possible non-linear data access for TCP header

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 06:36:03PM +0800, gfree.w...@foxmail.com wrote: > From: Gao Feng > > The current call path of nf_ct_tcp_seqadj_set is the following. > > nfqnl_recv_verdict->ctnetlink_glue_hook->ctnetlink_glue_seqadj > ->nf_ct_tcp_seqadj_set. > > It couldn't make sure

Re: [PATCH nf 1/1] netfilter: CLUSTERIP: Fix one wrong refcnt usage

2017-04-13 Thread Pablo Neira Ayuso
On Thu, Apr 06, 2017 at 09:45:22AM +0800, gfree.w...@foxmail.com wrote: > From: Gao Feng > > Current code wrongly invokes nf_ct_netns_get in the destroy routine; > it should use nf_ct_netns_put, not nf_ct_netns_get. > It could prevent some modules from being unloaded. Applied

Re: [PATCH iptables v1] iptables-restore/save: exit when given an unknown option

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 03, 2017 at 08:49:18PM +0200, Vincent Bernat wrote: > When an unknown option is given, iptables-restore should exit instead of > continuing its operation. For example, if `--table` was misspelled, this > could lead to an unwanted change. Moreover, exit with a status code of > 1. Make the

Re: [PATCH nft] hash: generate a random seed if seed option is empty

2017-04-13 Thread Pablo Neira Ayuso
On Thu, Apr 13, 2017 at 10:57:09PM +0200, Pablo Neira Ayuso wrote: > On Mon, Apr 03, 2017 at 04:29:57PM +0800, Liping Zhang wrote: > > From: Liping Zhang > > > > Typing the "nft add rule x y ct mark set jhash ip saddr mod 2" will > > not generate a random seed, instead, the

Re: [PATCH nft] hash: generate a random seed if seed option is empty

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 03, 2017 at 04:29:57PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Typing the "nft add rule x y ct mark set jhash ip saddr mod 2" will > not generate a random seed, instead, the seed will always be zero. > > So if seed option is empty, we should not set

Re: [PATCH nf] netfilter: nft_hash: do not dump the auto generated seed

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 03, 2017 at 04:34:38PM +0800, Liping Zhang wrote: > From: Liping Zhang > > This can prevent the nft utility from printing out the auto generated > seed to the user, which is unnecessary and confusing. Applied, thanks.

Re: [PATCH] netfilter: nat: remove rcu_read_lock in __nf_nat_decode_session.

2017-04-13 Thread Pablo Neira Ayuso
On Tue, Mar 28, 2017 at 12:28:50AM +0900, Taehee Yoo wrote: > __nf_nat_decode_session is called from nf_nat_decode_session as decodefn. > Before calling decodefn, it already takes rcu_read_lock, so rcu_read_lock in > __nf_nat_decode_session can be removed. Applied, thanks.

[PATCH nf V2] netfilter: ctnetlink: make it safer when updating ct->status

2017-04-13 Thread Liping Zhang
From: Liping Zhang User can update the ct->status via nfnetlink, but using a non-atomic operation "ct->status |= status;". This is unsafe, and may clear IPS_DYING_BIT bit set by another CPU unexpectedly. For example: CPU0CPU1