On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote:
> On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote:
> > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote:
> > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote:
> > > > On Wed, Jan 17, 2018 at 0
With a previously valid configuration, which "includes" files into the
main configuration, I get error messages with the HEAD of master on
January 16, 2018 9afd72a883e391e366a1d75bb4e1705357e078e9
systemd[1]: Starting nftables...
apu.allycomm.com nft[31431]: In file included from nftables.conf:
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: e55311665286ab2744295575948c2b08dc001bf3
commit: 3ecbfd65f50e5ff9c538c1bfa3356ef52cc66586 [27/32] netfilter: nf_tables:
allocate handle and delete objects via handle
reproduce:
# apt-get install sparse
Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects
via handle")
Signed-off-by: Fengguang Wu
---
nf_tables_api.c |8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1addc401
From: Wei Yongjun
Signed-off-by: Wei Yongjun
Signed-off-by: Pablo Neira Ayuso
---
net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 -
net/netfilter/nf_queue.c| 2 --
2 files changed, 3 deletions(-)
diff --git a/net/ipv6/netfilter/nf_flow_table_ipv6.c
b/net/ipv6/netfilter/nf_flow_t
Several reasons for this:
* Several modules maintain internal version numbers, that they print at
boot/module load time, that are not exposed to userspace, as a
primitive mechanism to make revision number control from the earlier
days of Netfilter.
* IPset shows the protocol version at boot
From: Luis de Bethencourt
The trailing semicolon is an empty statement that does no operation.
Removing it since it doesn't do anything.
Signed-off-by: Luis de Bethencourt
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_dynset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
di
EEXIST is used for an object that already exists, with the same
name/handle. However, there is no such object there; instead there is an
object that is using the single slot that is available for NAT hooks
since patch f92b40a8b264 ("netfilter: core: only allow one nat hook per
hook point"). Let's chang
From: Ahmed Abdelsalam
It allows matching packets based on Segment Routing Header
(SRH) information.
The implementation considers revision 7 of the SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
Currently supported match options include:
(1) Next Header
(2) Hdr
From: Florian Westphal
The clusterip target needs to register an arp mangling hook,
so make sure NF_ARP hooks are available.
Fixes: 2a95183a5e ("netfilter: don't allocate space for arp/bridge hooks unless
needed")
Reported-by: kernel test robot
Signed-off-by: Florian Westphal
Signed-off-by: P
From: Arnd Bergmann
The newly added NF_FLOW_TABLE options cause some build failures in
randconfig kernels:
- when CONFIG_NF_CONNTRACK is disabled, or is a loadable module but
NF_FLOW_TABLE is built-in:
In file included from net/netfilter/nf_flow_table.c:8:0:
include/net/netfilter/nf_connt
Otherwise netlink dump sends uninitialized fields to userspace.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1addc401ff7d..f87314c6dcc4 100644
--- a/net
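The one-line commit message above only states the consequence, so here is an added, stand-alone illustration of the bug class (not netfilter's own code; struct and field names are hypothetical and the "stale stack" marker is constructed): a dump routine that serialises a struct without setting every field hands whatever the memory previously held to the netlink receiver.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not the netfilter code itself. struct obj_attrs and the
 * fill_attrs_* functions are hypothetical stand-ins for the attributes a
 * netlink dump callback fills before copying them out to userspace.
 */
struct obj_attrs {
	uint32_t id;
	uint32_t flags;		/* the field the buggy filler forgets */
	uint64_t handle;
};

/* Constructed marker standing in for stale data left in memory. */
#define POISON 0xAA

/* Buggy: sets id and handle, never touches flags. */
static void fill_attrs_buggy(struct obj_attrs *a, uint32_t id, uint64_t handle)
{
	a->id = id;
	a->handle = handle;
}

/* Fixed: every serialised field is explicitly initialised. A memset() of the
 * whole struct is the safer habit, since it also clears padding bytes. */
static void fill_attrs_fixed(struct obj_attrs *a, uint32_t id, uint64_t handle)
{
	memset(a, 0, sizeof(*a));
	a->id = id;
	a->handle = handle;
}

/*
 * Simulates one dump: the struct's storage is pre-filled with POISON to model
 * stale memory, the filler runs, and the struct is copied byte-for-byte into
 * the outgoing "message". Returns the flags value the receiver would decode.
 */
static uint32_t dump_flags(int fixed)
{
	union {
		struct obj_attrs a;
		unsigned char raw[sizeof(struct obj_attrs)];
	} u;
	unsigned char msg[sizeof(struct obj_attrs)];
	uint32_t seen;

	memset(u.raw, POISON, sizeof(u.raw));
	if (fixed)
		fill_attrs_fixed(&u.a, 7, 42);
	else
		fill_attrs_buggy(&u.a, 7, 42);

	memcpy(msg, u.raw, sizeof(msg));	/* the nla_put()-style copy-out */
	memcpy(&seen, msg + offsetof(struct obj_attrs, flags), sizeof(seen));
	return seen;
}
```

With the buggy filler, `dump_flags(0)` returns 0xAAAAAAAA, i.e. the stale marker reaches the receiver; with the fixed one it returns 0. In a real kernel the stale bytes would be whatever the previous user of that stack or slab object left behind, which is why such dumps are treated as information leaks.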
From: Alexey Dobriyan
/proc has been ignoring struct file_operations::owner field for 10 years.
Specifically, it started with commit 786d7e1612f0b0adb6046f19b906609e4fe8b1ba
("Fix rmmod/read/write races in /proc entries"). Notice the chunk where
inode->i_fop is initialized with proxy struct file_
From: Taehee Yoo
The basic SNMP ALG parses the SNMP ASN.1 payload;
however, since 2012 the Linux kernel has provided an ASN.1 decoder library.
If we use the ASN.1 decoder in /lib/asn1_decoder.c, we can remove
about 1000 lines of ASN.1 parsing routine.
To use asn1_decoder.c, we should write a mib file (nf_nat_snmp_bas
From: Taehee Yoo
To see debug messages of nf_nat_snmp_basic, we have to set the debug value
when we insert this module, but that is inconvenient, and using only
dynamic debugging is enough to debug.
This patch just removes the debug code; then in the next patch, debugging code
will be added.
Signed-o
From: "Gustavo A. R. Silva"
Return statements in functions returning bool should use
true/false instead of 1/0.
These issues were detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conncount.c | 2 +-
net/netfilter/x
From: Harsha Sharma
This patch allows deletion of objects via unique handle which can be
listed via '-a' option.
Signed-off-by: Harsha Sharma
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h| 11 ++-
include/uapi/linux/netfilter/nf_tables.h | 10 +++
net/netfil
From: Subash Abhinov Kasiviswanathan
conntrack defrag is needed only if some module like CONNTRACK or NAT
explicitly requests it. For plain forwarding scenarios, defrag is
not needed and can be skipped if NOTRACK is set in a rule.
Since conntrack defrag is currently higher priority than raw tabl
From: Florian Westphal
request_module may return a positive error result from modprobe,
if we cast this to ERR_PTR this returns a garbage result (it passes
IS_ERR checks).
Fix it by ignoring modprobe return values entirely, just retry the
table lookup instead.
Reported-by: syzbot+980925dbfbc7f9
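To make the failure mode in the message above concrete, here is an added, stand-alone example (not the kernel's code) that re-creates the ERR_PTR()/IS_ERR() encoding from include/linux/err.h in userspace and shows why a positive modprobe exit status, once cast with ERR_PTR(), is not recognised as an error. `find_table_after_modprobe()` and its `lookup_result` parameter are hypothetical stand-ins for the retried table lookup the commit describes.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/*
 * Added example, not the kernel's own code. These three helpers mirror the
 * kernel's convention: errors are encoded as pointers in the top MAX_ERRNO
 * bytes of the address space, and IS_ERR() recognises only that range.
 */
#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }

static inline bool IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/*
 * The pre-fix pattern: "if (ret) return ERR_PTR(ret);" after request_module().
 * Returns true only if the encoded value would be caught by IS_ERR().
 * A negative errno is caught; a positive exit status such as 1 becomes the
 * pointer (void *)1, which IS_ERR() treats as a valid object.
 */
static bool encoded_error_is_caught(long request_module_ret)
{
	return IS_ERR(ERR_PTR(request_module_ret));
}

/*
 * The pattern the commit adopts instead: ignore modprobe's return value
 * entirely and decide on the result of retrying the lookup. lookup_result
 * is hypothetical; NULL models "table still not found".
 */
static void *find_table_after_modprobe(long request_module_ret,
				       void *lookup_result)
{
	(void)request_module_ret;	/* deliberately discarded */
	if (!lookup_result)
		return ERR_PTR(-ENOENT);
	return lookup_result;
}
```

The point to check in review of any `ERR_PTR(ret)` site is the sign of `ret`: only negative errno values land in the range IS_ERR() recognises, so a helper that can return a positive status (process exit codes, byte counts) must be translated to a negative errno or, as here, not encoded at all.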
From: Arnd Bergmann
As a side-effect of adding the module option, we now get a section
mismatch warning:
WARNING: net/ipv4/netfilter/iptable_raw.o(.data+0x1c): Section mismatch in
reference from the variable packet_raw to the function
.init.text:iptable_raw_table_init()
The variable packet_raw
From: Taehee Yoo
Use nf_ct_helper_log to write log message.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nf_nat_snmp_basic.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c
b/net/ipv4/
From: Arnd Bergmann
Without CONFIG_NF_FLOW_TABLE, the new nft_flow_offload module produces
a link error:
net/netfilter/nft_flow_offload.o: In function
`nft_flow_offload_iterate_cleanup':
nft_flow_offload.c:(.text+0xb0): undefined reference to `nf_flow_table_iterate'
net/netfilter/nft_flow_offlo
From: Arnd Bergmann
We cannot access the skb->_nfct field when CONFIG_NF_CONNTRACK is
disabled:
net/ipv4/netfilter/nf_defrag_ipv4.c: In function 'ipv4_conntrack_defrag':
net/ipv4/netfilter/nf_defrag_ipv4.c:83:9: error: 'struct sk_buff' has no member
named '_nfct'
net/ipv6/netfilter/nf_defrag_ip
From: Taehee Yoo
snmp_translate() receives ctinfo data only to get the dir value.
Because the caller already has the dir value, we just replace ctinfo with dir.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nf_nat_snmp_basic.c | 7 ++-
1 file changed, 2 inse
From: Taehee Yoo
Remove comments that do not let us know important information.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nf_nat_snmp_basic.c | 30 --
1 file changed, 30 deletions(-)
diff --git a/net/ipv4/netfilter/nf_nat_sn
From: Subash Abhinov Kasiviswanathan
ipv6_defrag pulls network headers before fragment header. In case of
an error, the netfilter layer is currently dropping these packets.
This results in failure of some IPv6 standards tests which passed on
older kernels due to the netfilter framework using clon
Now that we have a single table list for each netns, we can get rid of
one pointer per family and the global afinfo list, thus, shrinking
struct netns for nftables that now becomes 64 bytes smaller.
And call __nft_release_afinfo() from __net_exit path accordingly to
release netnamespace objects on
From: Wei Yongjun
Fixes the following sparse warning:
net/netfilter/core.c:380:6: warning:
symbol '__nf_unregister_net_hook' was not declared. Should it be static?
Signed-off-by: Wei Yongjun
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 4 ++--
1 file changed, 2 insertions(+),
Remove the infrastructure to register/unregister nft_af_info structure,
this structure stores no useful information anymore.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 23 +--
net/bridge/netfilter/nf_tables_bridge.c | 25 +--
net/ipv4/netfilter/nf_tables_arp
From: Wei Yongjun
Fix a typo, we should check 'flowtable' instead of 'table'.
Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
Signed-off-by: Wei Yongjun
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 d
Place all existing user defined tables in struct net *, instead of
having one list per family. This saves us from one level of indentation
in netlink dump functions.
Place pointer to struct nft_af_info in struct nft_table temporarily, as
we still need this to put back reference module reference co
Pass family number instead, this comes in preparation for the removal of
struct nft_af_info.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 16 +++-
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_ta
From: Florian Westphal
A typo causes module auto load support to never be compiled in.
Fixes: 03d13b6868a2 ("netfilter: xtables: add and use
xt_request_find_table_lock")
Reported-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/x_table
We already validate the hook through bitmask, so this check is
superfluous. When removing this, this patch is also fixing a bug in the
new flowtable codebase, since ctx->afi points to the table family
instead of the netdev family which is where the flowtable is really
hooked in.
Signed-off-by: Pab
Replace it by a direct check for the netdev protocol family.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 6 --
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nf_tables_netdev.c | 1 -
3 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/include
nf_tables_table_enable() and nf_tables_table_disable() take a pointer to
struct nft_af_info that is never used, remove it.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 21 ++---
1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/net/netfilter/n
Hi David,
The following patchset contains Netfilter/IPVS updates for your net-next
tree. Basically, a new extension for ip6tables, simplification work of
nf_tables that saves us 500 LoC, allow raw table registration before
defragmentation, conversion of the SNMP helper to use the ASN.1 code
genera
On 19 January 2018 at 13:47, Pablo Neira Ayuso wrote:
> Several reasons for this:
>
> * Several modules maintain internal version numbers, that they print at
> boot/module load time, that are not exposed to userspace, as a
> primitive mechanism to make revision number control from the earlier
On Fri, 19 Jan 2018, Pablo Neira Ayuso wrote:
> Several reasons for this:
>
> * Several modules maintain internal version numbers, that they print at
> boot/module load time, that are not exposed to userspace, as a
> primitive mechanism to make revision number control from the earlier
> day
On Tue, Jan 16, 2018 at 12:45:32AM +0300, Alexey Dobriyan wrote:
> /proc has been ignoring struct file_operations::owner field for 10 years.
> Specifically, it started with commit 786d7e1612f0b0adb6046f19b906609e4fe8b1ba
> ("Fix rmmod/read/write races in /proc entries"). Notice the chunk where
> in
On Tue, Jan 16, 2018 at 02:51:01PM +, Luis de Bethencourt wrote:
> The trailing semicolon is an empty statement that does no operation.
> Removing it since it doesn't do anything.
Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to
Pablo Neira Ayuso wrote:
> Several reasons for this:
>
> * Several modules maintain internal version numbers, that they print at
> boot/module load time, that are not exposed to userspace, as a
> primitive mechanism to make revision number control from the earlier
> days of Netfilter.
>
>
On Thu, Jan 18, 2018 at 05:25:12PM -0600, Gustavo A. R. Silva wrote:
> Return statements in functions returning bool should use
> true/false instead of 1/0.
>
> These issues were detected with the help of Coccinelle.
Applied, thanks.
On Mon, Jan 08, 2018 at 12:09:17AM +0900, Taehee Yoo wrote:
> The goal of this patch set are to use the ASN.1 decoder library
> to parse SNMP ASN.1 payload.
Thanks, I'm going to apply to nf-next.
I've been postponing this to schedule time to test this intensively,
but I've been failing to find th
On Fri, Jan 19, 2018 at 01:17:47PM +0100, Arturo Borrero Gonzalez wrote:
> Mention nftables earlier in the documentation, so users have more context on
> what
> we are talking about.
>
> This is Debian bug #887718, which contains:
>
> <<<
> Currently one must read down 100 lines before it is eve
From: Harsha Sharma
This patch allows deletion of objects via unique handle which can be
listed via '-a' option.
Signed-off-by: Harsha Sharma
Signed-off-by: Pablo Neira Ayuso
---
@Harsha: I have collapsed all of your patches to add handles everywhere before
pushing this into my nf-nex
Mention nftables earlier in the documentation, so users have more context on
what
we are talking about.
This is Debian bug #887718, which contains:
<<<
Currently one must read down 100 lines before it is even mentioned.
You might want to make the connection between "nft" and "nftables" as
early
On Tue, Jan 16, 2018 at 09:50:13PM +0530, Shyam Saini wrote:
> This patch adds test cases for iptables to nft translation of cluster match
> This adds all test cases including corner cases.
>
> Run these test cases like:
>
> $ ./xlate-test.py extensions/libxt_cluster.txlate
Applied, thanks
On Thu, Jan 18, 2018 at 12:28:33AM +0530, Varsha Rao wrote:
> Add readme for compile options test script.
Applied, thanks Varsha.
On Tue, Jan 16, 2018 at 05:19:57PM +0100, Phil Sutter wrote:
> This removes libnftables pkg-config file along with the few lines of
> code to adjust and install it.
Applied, thanks Phil.
On Fri, Jan 19, 2018 at 08:30:17AM +0530, Varsha Rao wrote:
> The following macros check if particular C types in specific header file
> exists, these header files defines them and are already included in the
> source code. So, remove them.
>
> AC_HEADER_STDBOOL - stdbool.h
> AC_TYPE_INT and AC_TY
This patch adds code to allocate unique object handles and delete objects
via those unique object handles.
Signed-off-by: Pablo Neira Ayuso
---
@Harsha: Only this one missing, I quickly made it here.
include/net/netfilter/nf_tables.h| 2 ++
include/uapi/linux/netfilter/nf_tables.h | 3