Re:Re: [PATCH nf v6 3/3] netfilter: nat_helper: Remove the expectations when its module is unloaded

Hi Liping, At 2017-05-05 09:59:06, "Liping Zhang" wrote: >Hi Feng, > >2017-05-05 8:55 GMT+08:00 : >[...] >> +static void >> +nf_ct_flush_expect(const struct module *me) >> +{ >> + struct nf_conntrack_expect *exp; >> + const struct

Re: [PATCH nf v6 3/3] netfilter: nat_helper: Remove the expectations when its module is unloaded

Hi Feng, 2017-05-05 8:55 GMT+08:00 : [...] > +static void > +nf_ct_flush_expect(const struct module *me) > +{ > + struct nf_conntrack_expect *exp; > + const struct hlist_node *next; > + u32 i; > + > + if (!me) > + return; > + > +

[PATCH nf v6 1/3] netfilter: helper: Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper

From: Gao Feng Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename other functions or variables which refer to it. The new name is better than the old one. Signed-off-by: Gao Feng --- v6: Rename the helper name of ftp, tftp.. to

[PATCH nf v6 3/3] netfilter: nat_helper: Remove the expectations when its module is unloaded

From: Gao Feng Because the conntrack NAT module could be rmmod anytime, so we should really leave things in clean state if such thing happens and make sure we don't leave any packet running over code that will be gone after the removal. We only removed the expectations

[PATCH nf v6 2/3] netfilter: nat_helper: Register one nf_ct_nat_helper each proto nat module

From: Gao Feng There are multiple proto nat modules which depend on the follow_master_nat in the nf_nat_core. When this module is gone, all modules which refers to it could not work well. Now register one struct nf_ct_nat_helper in every proto nat module, it makes sure

Re: [nft PATCH] List handles of added rules if requested

On Thu, May 04, 2017 at 05:37:25PM +0200, Thomas Woerner wrote: > On 05/04/2017 03:44 PM, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > >> On Thu, May 04, 2017 at 02:34:21PM +0200, Phil Sutter wrote: > >>> Being able to retrieve an added rule's handle atomically is a

Re: [nft PATCH] List handles of added rules if requested

On Thu, May 04, 2017 at 04:00:42PM +0200, Pablo Neira Ayuso wrote: > On Thu, May 04, 2017 at 03:44:19PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > On Thu, May 04, 2017 at 02:34:21PM +0200, Phil Sutter wrote: > > > > Being able to retrieve an added

Re: [PATCH -stable 0/3] ipvs: patches for stable

Hello, On Thu, 4 May 2017, Pablo Neira Ayuso wrote: > On Mon, May 01, 2017 at 04:45:34PM +0300, Julian Anastasov wrote: > > Hello, > > > > The following patches are rediffs for "ipvs: SNAT packet replies > > only for NATed connections" for different stable kernels: > > > > The

Re: [PATCH nft] parser: allow listing sets in one table

On Thu, May 04, 2017 at 06:09:31PM +0200, Florian Westphal wrote: > currently nft can lists sets: > nft list sets > > but unlike e.g. 'quotas' or 'counters' we didn't support > restricting it to a table. Now its possible to restrict set > definition listing to one table: > > nft list sets table

[PATCH nft] parser: allow listing sets in one table

currently nft can lists sets: nft list sets but unlike e.g. 'quotas' or 'counters' we didn't support restricting it to a table. Now its possible to restrict set definition listing to one table: nft list sets table inet filter Signed-off-by: Florian Westphal --- src/evaluate.c

Re: [nft PATCH] List handles of added rules if requested

On 05/04/2017 03:44 PM, Florian Westphal wrote: Pablo Neira Ayuso wrote: On Thu, May 04, 2017 at 02:34:21PM +0200, Phil Sutter wrote: Being able to retrieve an added rule's handle atomically is a crucial feature for scripts invoking nft command: Without it, there is no

Re: [nf-next PATCH] netfilter: nf_tables: Return info of added rules back to user space

On Thu, May 04, 2017 at 03:35:44PM +0200, Pablo Neira Ayuso wrote: > On Thu, May 04, 2017 at 02:34:17PM +0200, Phil Sutter wrote: > > This allows user space to reliably match kernel generated handles with > > added rules for reference. > > > > Signed-off-by: Phil Sutter > > --- > >

Re: [PATCH -stable 0/3] ipvs: patches for stable

On Mon, May 01, 2017 at 04:45:34PM +0300, Julian Anastasov wrote: > Hello, > > The following patches are rediffs for "ipvs: SNAT packet replies > only for NATed connections" for different stable kernels: > > The official patch for the net tree (will come from Simon) works for: > 4.9.25,

Re: net: possible deadlock in skb_queue_tail

On Thu, 2017-05-04 at 15:49 +0200, Andrey Konovalov wrote: > On Fri, Feb 24, 2017 at 3:56 AM, Florian Westphal wrote: > > Andrey Konovalov wrote: > > > > [ CC Paolo ] > > > > > I've got the following error report while fuzzing the kernel with > > >

Re: net: possible deadlock in skb_queue_tail

On Fri, Feb 24, 2017 at 3:56 AM, Florian Westphal wrote: > Andrey Konovalov wrote: > > [ CC Paolo ] > >> I've got the following error report while fuzzing the kernel with syzkaller. >> >> On commit c470abd4fde40ea6a0846a2beab642a578c0b8cd (4.10). >> >>

Re: [nft PATCH] List handles of added rules if requested

Pablo Neira Ayuso wrote: > On Thu, May 04, 2017 at 02:34:21PM +0200, Phil Sutter wrote: > > Being able to retrieve an added rule's handle atomically is a crucial > > feature for scripts invoking nft command: Without it, there is no way to > > be sure a handle extracted from

Re: [nft PATCH] List handles of added rules if requested

On Thu, May 04, 2017 at 02:34:21PM +0200, Phil Sutter wrote: > Being able to retrieve an added rule's handle atomically is a crucial > feature for scripts invoking nft command: Without it, there is no way to > be sure a handle extracted from 'nft list ruleset' command actually > refers to the rule

Re: [nf-next PATCH] netfilter: nf_tables: Return info of added rules back to user space

On Thu, May 04, 2017 at 02:34:17PM +0200, Phil Sutter wrote: > This allows user space to reliably match kernel generated handles with > added rules for reference. > > Signed-off-by: Phil Sutter > --- > net/netfilter/nf_tables_api.c | 19 ++- > 1 file changed, 18

[nft PATCH] List handles of added rules if requested

Being able to retrieve an added rule's handle atomically is a crucial feature for scripts invoking nft command: Without it, there is no way to be sure a handle extracted from 'nft list ruleset' command actually refers to the rule one has added before or that of another process which ran in

[nf-next PATCH] netfilter: nf_tables: Return info of added rules back to user space

This allows user space to reliably match kernel generated handles with added rules for reference. Signed-off-by: Phil Sutter --- net/netfilter/nf_tables_api.c | 19 ++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c

Re: [nft PATCH] nft.8: Enhance NAT documentation

On Tue, May 02, 2017 at 07:51:27PM +0200, Phil Sutter wrote: > This adds documentation about masquerade and redirect statements, points > out that for any NAT statement both prerouting and postrouting chains > are required and adds a bunch of examples to the section's end. Applied, thanks. -- To

Re: [nft PATCH] nft.8: Enhance NAT documentation

On 2 May 2017 at 19:51, Phil Sutter wrote: > This adds documentation about masquerade and redirect statements, points > out that for any NAT statement both prerouting and postrouting chains > are required and adds a bunch of examples to the section's end. > > Signed-off-by: Phil