From: Gao Feng
The info->target is from userspace and it would be used directly.
So we need to add the sanity check to make sure it is a valid standard
target, although the ebtables tool has already checked it. The kernel needs
to check anything from userspace.
If the target was set as an evil value,
At 2017-05-16 00:56:59, "Pablo Neira Ayuso" wrote:
>On Mon, May 15, 2017 at 06:56:02PM +0200, Pablo Neira Ayuso wrote:
>> On Fri, May 12, 2017 at 05:44:10PM +0800, gfree.w...@vip.163.com wrote:
>> > From: Gao Feng
>> >
>> > The info->target is from userspace and it would be used directly.
>> > S
Hello,
On Wed, 2017-04-12 at 14:40 +0300, Kaarle Ritvanen wrote:
> On Tue, 7 Mar 2017, Eric Leblond wrote:
>
> > I really like the idea of getting a harmonized naming for the log
> > files but I think we should do it reverse for values that are not
> > commented in the configuration file. Most d
Hi,
On Mon, 2017-05-15 at 19:55 +0200, Pablo Neira Ayuso wrote:
> On Mon, May 15, 2017 at 07:49:18PM +0200, Eric Leblond wrote:
> > Hello,
> > Le 15 mai 2017 6:52 PM, Pablo Neira Ayuso
> > a
> > écrit :
> >
> > On Thu, May 11, 2017 at 06:56:38PM +0200, Eric Leblond wrote:
> >
On Mon, May 15, 2017 at 07:49:18PM +0200, Eric Leblond wrote:
>Hello,
>Le 15 mai 2017 6:52 PM, Pablo Neira Ayuso a
>écrit :
>
> On Thu, May 11, 2017 at 06:56:38PM +0200, Eric Leblond wrote:
> > This patch fixes the creation of connection tracking entry from
> > netlink
On Mon, May 15, 2017 at 06:44:32PM +0200, Phil Sutter wrote:
> On Mon, May 15, 2017 at 05:53:31PM +0200, Pablo Neira Ayuso wrote:
> > On Mon, May 15, 2017 at 04:51:49PM +0200, Phil Sutter wrote:
> > > When committing a transaction, report PID and name of user space process
> > > which initiated it.
On Fri, May 05, 2017 at 08:55:12AM +0800, gfree.w...@vip.163.com wrote:
> diff --git a/net/ipv4/netfilter/nf_nat_h323.c
> b/net/ipv4/netfilter/nf_nat_h323.c
> index 346e764..ce2095c 100644
> --- a/net/ipv4/netfilter/nf_nat_h323.c
> +++ b/net/ipv4/netfilter/nf_nat_h323.c
> @@ -21,6 +21,26 @@
> #in
On Tue, May 02, 2017 at 11:47:02AM +0200, Arturo Borrero Gonzalez wrote:
> Print elements per line instead of all in a single line.
> The elements which can be 'short' are printed 5 per line,
> and others, like IPv4 addresses are printed 2 per line.
>
> Example:
>
> % nft list ruleset -nnn
> tabl
On Tue, May 09, 2017 at 05:37:11PM +0200, Florian Westphal wrote:
> 'ip protocol ne 6' is not a dependency for nexthdr protocol, and must
> not be stored as such.
>
> Fixes: 0b858391781ba308 ("src: annotate follow up dependency just after
> killing another")
> Signed-off-by: Florian Westphal
Ac
On Sun, May 14, 2017 at 09:35:22PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> When dumping the elements related to a specified set, we may invoke the
> nf_tables_dump_set with the NFNL_SUBSYS_NFTABLES lock not acquired. So
> we should use the proper rcu operation to avoid race condition,
On Mon, May 15, 2017 at 06:56:02PM +0200, Pablo Neira Ayuso wrote:
> On Fri, May 12, 2017 at 05:44:10PM +0800, gfree.w...@vip.163.com wrote:
> > From: Gao Feng
> >
> > The info->target is from userspace and it would be used directly.
> > So we need to add the sanity check to make sure it is a val
On Fri, May 12, 2017 at 05:44:10PM +0800, gfree.w...@vip.163.com wrote:
> From: Gao Feng
>
> The info->target is from userspace and it would be used directly.
> So we need to add the sanity check to make sure it is a valid standard
> target, although the ebtables tool has already checked it. Kern
On Thu, May 11, 2017 at 06:56:38PM +0200, Eric Leblond wrote:
> This patch fixes the creation of connection tracking entry from
> netlink when synproxy is used. It was missing the addition of
> the synproxy extension.
>
> This was causing kernel crashes when a conntrack entry created by
> conntrac
On Tue, May 09, 2017 at 04:17:37PM -0400, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> When looking up an iptables rule, the iptables binary compares the
> aligned match and target data (XT_ALIGN). In some cases this can
> exceed the actual data size to include padding bytes.
>
> Before
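Added example, not iptables' or Willem's code, illustrating the padding problem the commit message describes: when a match or target is compared over its XT_ALIGN-rounded slot, the bytes between the real end of the data and the aligned boundary take part in the comparison, so two rules with identical fields can look different if their padding holds leftover memory. The 6-byte match struct, the `DEMO_USERSIZE` name, the 0xAA fill and the function names are constructed for the demonstration; XT_ALIGN is rebuilt from `_Alignof(uint64_t)` rather than taken from the uapi header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not iptables' code). The kernel's XT_ALIGN rounds
 * a size up to the alignment of the widest scalar (8 on x86-64); here it
 * is derived from _Alignof(uint64_t) so the program is portable. */
#define XT_ALIGN(s) (((s) + _Alignof(uint64_t) - 1) & ~(_Alignof(uint64_t) - 1))

/* A hypothetical 6-byte match payload: one port plus a 4-byte flag word. */
struct demo_match {
    uint16_t port;
    uint32_t flags;
} __attribute__((packed));

#define DEMO_USERSIZE sizeof(struct demo_match)   /* 6 bytes of real data */

/* Compare two slots the way the old lookup did: over the whole aligned
 * size, padding included. Returns 1 when equal. */
int match_equal_aligned(const unsigned char *a, const unsigned char *b)
{
    return memcmp(a, b, XT_ALIGN(DEMO_USERSIZE)) == 0;
}

/* Compare only the bytes userspace actually defined. Returns 1 when equal. */
int match_equal_usersize(const unsigned char *a, const unsigned char *b)
{
    return memcmp(a, b, DEMO_USERSIZE) == 0;
}

/* Build two aligned slots carrying identical match data but different
 * padding (as left behind by uninitialised stack or heap memory) and
 * check what each comparison concludes. Returns 1 when the aligned
 * compare reports a mismatch while the usersize compare reports a match. */
int demo_padding_mismatch(void)
{
    unsigned char slot_a[XT_ALIGN(DEMO_USERSIZE)];
    unsigned char slot_b[XT_ALIGN(DEMO_USERSIZE)];
    struct demo_match m = { .port = 8080, .flags = 0x1 };

    memset(slot_a, 0x00, sizeof slot_a);   /* clean padding */
    memset(slot_b, 0xAA, sizeof slot_b);   /* "uninitialised" padding */
    memcpy(slot_a, &m, DEMO_USERSIZE);
    memcpy(slot_b, &m, DEMO_USERSIZE);

    int aligned = match_equal_aligned(slot_a, slot_b);
    int user = match_equal_usersize(slot_a, slot_b);
    printf("aligned size %zu: equal=%d; usersize %zu: equal=%d\n",
           (size_t)XT_ALIGN(DEMO_USERSIZE), aligned,
           (size_t)DEMO_USERSIZE, user);
    return !aligned && user;
}

int main(void)
{
    return demo_padding_mismatch() ? 0 : 1;
}
```

The two bytes after the 6 data bytes are enough to make the aligned comparison fail even though every field userspace set is the same; comparing only the user-visible size is what makes the lookup robust against whatever the allocator left in the padding.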
On Sat, May 06, 2017 at 08:28:02PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> We cannot setup nat info if the ct has been confirmed already, else,
> different cpu may race to handle the same ct. In extreme situation,
> we may hit the "BUG_ON(nf_nat_initialized(ct, maniptype))" in the
> n
On Mon, May 08, 2017 at 11:48:42AM +0200, Simon Horman wrote:
> Hi Pablo,
>
> please consider this fix to IPVS for v4.12.
>
> * It is a fix from Julian Anastasov to SNAT packet replies only for
> NATed connections
>
>
> My understanding is that this fix is appropriate for 4.9.25, 4.
On Mon, May 15, 2017 at 05:53:31PM +0200, Pablo Neira Ayuso wrote:
> On Mon, May 15, 2017 at 04:51:49PM +0200, Phil Sutter wrote:
> > When committing a transaction, report PID and name of user space process
> > which initiated it.
> >
> > Signed-off-by: Phil Sutter
> > ---
> > include/uapi/linux
On Sun, May 07, 2017 at 10:01:56PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> We can still delete the ct helper even if it is in use; this will cause
> a use-after-free error. In more detail, I mean:
> # nfct helper add ssdp inet udp
> # iptables -t raw -A OUTPUT -p udp -j CT --helpe
On Sun, May 07, 2017 at 10:01:55PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> And convert module_put invocation to nf_conntrack_helper_put, this is
> prepared for the followup patch, which will add a refcnt for cthelper,
> so we can reject the deleting request when cthelper is in use.
A
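Added example, not the kernel's nf_conntrack_helper code, modelling the mechanism described in this patch and the use-after-free report in the previous one: a helper takes a reference when a rule starts using it, and a delete request is refused with -EBUSY while any reference is still held. The registry, the `struct cthelper` fields and every function name here are assumptions; the scenario replays the nfct/iptables sequence quoted above.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a refcounted helper registry (assumed layout,
 * not the kernel's). refcnt counts rules/expectations using the helper. */
struct cthelper {
    char name[16];
    unsigned int refcnt;
    int registered;
};

#define MAX_HELPERS 4
static struct cthelper helpers[MAX_HELPERS];

/* `nfct helper add <name> ...`: register a helper with no users yet. */
struct cthelper *cthelper_add(const char *name)
{
    for (int i = 0; i < MAX_HELPERS; i++) {
        if (helpers[i].registered)
            continue;
        strncpy(helpers[i].name, name, sizeof helpers[i].name - 1);
        helpers[i].name[sizeof helpers[i].name - 1] = '\0';
        helpers[i].refcnt = 0;
        helpers[i].registered = 1;
        return &helpers[i];
    }
    return NULL;
}

/* Lookup-and-get: the CT target grabs a reference when a rule is
 * installed, so the helper cannot be torn down underneath the rule. */
struct cthelper *cthelper_get(const char *name)
{
    for (int i = 0; i < MAX_HELPERS; i++) {
        if (helpers[i].registered && strcmp(helpers[i].name, name) == 0) {
            helpers[i].refcnt++;
            return &helpers[i];
        }
    }
    return NULL;
}

/* Rule removal drops the reference again. */
void cthelper_put(struct cthelper *h)
{
    if (h && h->refcnt > 0)
        h->refcnt--;
}

/* `nfct helper delete <name>`: refused while in use, which is what
 * closes the use-after-free window the earlier report describes. */
int cthelper_del(const char *name)
{
    for (int i = 0; i < MAX_HELPERS; i++) {
        if (!helpers[i].registered || strcmp(helpers[i].name, name))
            continue;
        if (helpers[i].refcnt)
            return -EBUSY;
        helpers[i].registered = 0;
        return 0;
    }
    return -ENOENT;
}

/* Replay of the sequence from the thread: add ssdp, install a rule that
 * uses it, try to delete, remove the rule, delete again. Returns the
 * result of the delete attempted while the rule was live. */
int cthelper_scenario(void)
{
    memset(helpers, 0, sizeof helpers);
    cthelper_add("ssdp");                        /* nfct helper add ssdp inet udp */
    struct cthelper *h = cthelper_get("ssdp");   /* iptables ... -j CT --helper ssdp */
    int busy = cthelper_del("ssdp");             /* nfct helper delete ssdp */
    cthelper_put(h);                             /* rule flushed */
    int ok = cthelper_del("ssdp");
    printf("delete while in use: %d, after rule removal: %d\n", busy, ok);
    return busy;
}

int main(void)
{
    cthelper_scenario();
    return 0;
}
```

In the kernel the equivalent of `cthelper_get`/`cthelper_put` is what the module_put conversion mentioned above prepares for; the point of the model is that the delete path checks the counter, not merely whether the helper exists.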
On Sat, May 06, 2017 at 08:28:02PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> We cannot setup nat info if the ct has been confirmed already, else,
> different cpu may race to handle the same ct. In extreme situation,
> we may hit the "BUG_ON(nf_nat_initialized(ct, maniptype))" in the
> n
Andreas reports that the following incremental update using our commit
protocol doesn't work.
# nft -f incremental-update.nft
delete element ip filter client_to_any { 10.180.86.22 : goto CIn_1 }
delete chain ip filter CIn_1
... Error: Could not process rule: Device or resource busy
The existi
Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and
cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it
is still possible to handcraft a netlink message using this incorrect
data type.
Signed-off-by: Pablo Neira Ayuso
---
Rebased on top of nf. Remove previous
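Gao Feng's ebtables standard-target check earlier on this page and this nft cmp/bitwise data-type fix are instances of one rule: a discriminator that arrives from userspace selects a code path, so it has to be range-checked before it indexes or dispatches anything, regardless of what the userspace tool already verified. The following is an added example, not code from either patch or from the kernel. The constant values are assumed to mirror the uapi headers; the verdict-name table, the function names and the `NULL`/-EINVAL handling are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants assumed to match the kernel uapi headers: ebtables standard
 * targets are the negative verdicts, nft data types distinguish plain
 * values from verdicts. */
#define EBT_ACCEPT   (-1)
#define EBT_DROP     (-2)
#define EBT_CONTINUE (-3)
#define EBT_RETURN   (-4)
#define NUM_STANDARD_TARGETS 4

#define NFT_DATA_VALUE   0U
#define NFT_DATA_VERDICT 0xffffff00U

/* Hypothetical table that code would index if it trusted the value. */
static const char *const verdict_name[NUM_STANDARD_TARGETS] = {
    "ACCEPT", "DROP", "CONTINUE", "RETURN",
};

/* Return 0 when `target` is a standard verdict, -EINVAL otherwise.
 * Standard targets occupy [-NUM_STANDARD_TARGETS, -1]; anything >= 0 is
 * a jump the caller must resolve separately, anything lower is garbage. */
int ebt_standard_target_check(int target)
{
    if (target < -NUM_STANDARD_TARGETS || target >= 0)
        return -EINVAL;
    return 0;
}

/* Checked lookup. Without the check, the index (-target - 1) walks off
 * the table for an attacker-chosen target such as -1000. */
const char *ebt_standard_target_name(int target)
{
    if (ebt_standard_target_check(target))
        return NULL;
    return verdict_name[-target - 1];
}

/* bitwise/cmp operate on plain values only: a verdict smuggled in via a
 * hand-crafted netlink message is rejected instead of being treated as
 * register data. */
int nft_cmp_data_type_check(uint32_t dtype)
{
    return dtype == NFT_DATA_VALUE ? 0 : -EINVAL;
}

int main(void)
{
    int probes[] = { EBT_ACCEPT, EBT_RETURN, 0, 7, -5, -1000 };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *name = ebt_standard_target_name(probes[i]);
        printf("target %5d -> %s\n", probes[i], name ? name : "rejected");
    }
    printf("NFT_DATA_VERDICT as cmp data -> %d\n",
           nft_cmp_data_type_check(NFT_DATA_VERDICT));
    return 0;
}
```

Note that the two checks have opposite shapes: the ebtables one is a closed range on a signed value, the nft one is an equality test against the single type that makes sense, and in both cases the rejecting branch runs before the value is used anywhere else.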
On Tue, May 09, 2017 at 09:41:15AM +0200, Arturo Borrero Gonzalez wrote:
> If a node goes live, ask the other for resync at startup.
> This usually has to be done by hand, but I guess it is an operation common
> enough to add some bits to ease people's life here.
Also applied, thanks.
--
To unsubscr
On Tue, May 09, 2017 at 09:41:10AM +0200, Arturo Borrero Gonzalez wrote:
> These digest_msg() functions can use resync_send() as well.
>
> While at it, bring back a call to kernel_resync() in notrack_local() which was
> lost in a previous commit.
Applied, thanks.
On Mon, May 15, 2017 at 04:51:49PM +0200, Phil Sutter wrote:
> When committing a transaction, report PID and name of user space process
> which initiated it.
>
> Signed-off-by: Phil Sutter
> ---
> include/uapi/linux/netfilter/nf_tables.h | 16 +++
> net/netfilter/nf_tables_api.c
This is a hopefully correct implementation of what I wanted to achieve
in the same named RFC sent before: Instead of relying on the netlink
msgid to be equal to the sender's PID, make use of the kernel
infrastructure added in a previous patch.
Note that this implementation does not use libnftnl li
Signed-off-by: Phil Sutter
---
include/linux/netfilter/nf_tables.h | 15 +++
1 file changed, 15 insertions(+)
diff --git a/include/linux/netfilter/nf_tables.h
b/include/linux/netfilter/nf_tables.h
index 683f6f88fcace..2a73c80f80f65 100644
--- a/include/linux/netfilter/nf_tables.h
++
This adds support for printing the process ID and name for changes which
'nft monitor' reports:
| nft -a -p monitor
| add chain ip t2 bla3 # pid 11616 (nft)
If '-n' was given in addition to '-p', parsing the process name from
/proc//cmdline is suppressed.
Signed-off-by: Phil Sutter
---
include
When committing a transaction, report PID and name of user space process
which initiated it.
Signed-off-by: Phil Sutter
---
include/uapi/linux/netfilter/nf_tables.h | 16 +++
net/netfilter/nf_tables_api.c| 49
2 files changed, 65 insertions(+)
bugzilla-dae...@netfilter.org wrote:
[ Switching to email ]
> https://bugzilla.netfilter.org/show_bug.cgi?id=1145
>
> --- Comment #1 from Ian Kumlien ---
> Is there anything obvious that i'm doing wrong? Is there something else i
> could
> try?
This boils down to nested sets:
define dnat_ho