Re: [PATCH nf-next,v3 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

2018-05-17 Thread kbuild test robot
Hi Pablo, I love your patch! Yet something to improve: [auto build test ERROR on nf-next/master] [also build test ERROR on v4.17-rc5] [cannot apply to nf/master next-20180517] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https

Re: [PATCH ghak81 V3 1/3] audit: use new audit_context access function for seccomp_actions_logged

2018-05-17 Thread Paul Moore
On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggs wrote: > On the rebase of the following commit on the new seccomp actions_logged > function, one audit_context access was missed. > > commit cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5 > ("audit: use inline function to get audit

Re: [PATCH ghak81 V3 3/3] audit: collect audit task parameters

2018-05-17 Thread Paul Moore
On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggs wrote: > The audit-related parameters in struct task_struct should ideally be > collected together and accessed through a standard audit API. > > Collect the existing loginuid, sessionid and audit_context together in a > new

Re: [PATCH ghak81 V3 2/3] audit: normalize loginuid read access

2018-05-17 Thread Paul Moore
On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggs wrote: > Recognizing that the loginuid is an internal audit value, use an access > function to retrieve the audit loginuid value for the task rather than > reaching directly into the task struct to get it. > > Signed-off-by:

Re: [PATCH 11/40] ipv6/flowlabel: simplify pid namespace lookup

2018-05-17 Thread Eric W. Biederman
Christoph Hellwig writes: > On Thu, May 17, 2018 at 12:28:01AM -0500, Eric W. Biederman wrote: >> > struct pid_namespace *proc_pid_namespace(struct inode *inode) >> > { >> >// maybe warn on for s_magic not on procfs?? >> >return inode->i_sb->s_fs_info; >> > } >> >> That

Re: [PATCH nft 0/7] Python test fixes

2018-05-17 Thread Florian Westphal
Máté Eckl wrote: > This series of patches fix or supplement files related to python tests that I > have met during my first test case. > > Máté Eckl (7): > test: Specify python version in nft-test.py > test: Small typo fixes in the python tests README > test/py: Updated

Re: [nft PATCH] nft.8: Document limitation of reject statement in bridge family

2018-05-17 Thread Florian Westphal
Phil Sutter wrote: > Bridge family allows reject statement in prerouting and input chains > only. Users can't know without looking at kernel code. Applied, thanks.

Re: [PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Florian Westphal
Máté Eckl wrote: > +socket_stmt : SOCKET EXISTS /* with the actual > implementation we cannot match abscence */ I think we should go for a native expression. I'll leave it up to you what you'd like to do next. There are a few options: 1. First go for TPROXY

Re: [PATCH nf-next] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval

2018-05-17 Thread Florian Westphal
Taehee Yoo wrote: > In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. > But the correct type is u8, so sometimes an incorrect value is dereferenced. Acked-by: Florian Westphal

[PATCH nf-next] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval

2018-05-17 Thread Taehee Yoo
In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. But the correct type is u8, so sometimes an incorrect value is dereferenced. Steps to reproduce: %nft add table ip filter %nft add chain ip filter input { type filter hook input priority 4\; } %nft add rule ip

Re: [PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Florian Westphal
Máté Eckl wrote: > Originally I also added the following lines but it made the print too slow for > the test to pass. > > It printed the following warning: > inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket > exists': 'socket exists' mismatches

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

2018-05-17 Thread Greg Kroah-Hartman
On Thu, May 17, 2018 at 12:42:00PM +0200, Jan Engelhardt wrote: > > On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote: > >> > --- a/net/netfilter/x_tables.c > >> > +++ b/net/netfilter/x_tables.c > >> > @@ -1183,11 +1183,10 @@ struct xt_table_info > >> > *xt_alloc_table_info(unsigned int

[PATCH libmnl] examples: add arp cache dump example

2018-05-17 Thread Laura Garcia Liebana
Adding ARP example in order to dump the info in the form: index= family= dst= lladdr= state= Signed-off-by: Laura Garcia Liebana --- examples/rtnl/Makefile.am | 6 +- examples/rtnl/rtnl-arp-dump.c | 161 ++ 2 files changed, 166

Re: [PATCH nf-next 0/2] netfilter: nft map lookups support for number generator expressions

2018-05-17 Thread Pablo Neira Ayuso
On Fri, May 11, 2018 at 12:13:26AM +0200, Laura Garcia Liebana wrote: > The following patches complete the implementation of map lookups > using as a key the given number generator like incremental, random or > the different hash algorithms supported. This is useful for load > balancing use cases

Re: [PATCH nf-next] netfilter: fix fallout from xt/nf osf separation

2018-05-17 Thread Pablo Neira Ayuso
On Tue, May 08, 2018 at 10:05:38AM +0200, Florian Westphal wrote: > Stephen Rothwell says: > today's linux-next build (x86_64 allmodconfig) produced this warning: > ./usr/include/linux/netfilter/nf_osf.h:25: found __[us]{8,16,32,64} type > without #include > > Fix that up and also move

Re: [PATCH nf-next] netfilter: nf_tables: remove old nf_log based tracing

2018-05-17 Thread Pablo Neira Ayuso
On Fri, May 11, 2018 at 09:55:39PM +0200, Florian Westphal wrote: > nfnetlink tracing is available since nft 0.6 (June 2016). > Remove old nf_log based tracing to avoid rule counter in main loop. Applied, thanks.

[PATCH nf-next,v3 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

2018-05-17 Thread Pablo Neira Ayuso
In nfqueue, two consecutive skbuffs may race to create the conntrack entry. Hence, the one that loses the race gets dropped due to clash in the insertion into the hashes from the nf_conntrack_confirm() path. This patch adds a new nf_conntrack_update() function which searches for possible clashes

[PATCH nf-next,v3 1/3] netfilter: add struct nf_ct_hook and use it

2018-05-17 Thread Pablo Neira Ayuso
Move the nf_ct_destroy indirection to the struct nf_ct_hook. Signed-off-by: Pablo Neira Ayuso --- v3: no changes include/linux/netfilter.h | 7 ++- net/netfilter/core.c | 14 +++--- net/netfilter/nf_conntrack_core.c | 9 ++--- 3 files

[PATCH nf-next,v3 2/3] netfilter: add struct nf_nat_hook and use it

2018-05-17 Thread Pablo Neira Ayuso
Move decode_session() and parse_nat_setup_hook() indirections to struct nf_nat_hook structure. Signed-off-by: Pablo Neira Ayuso --- v3: Move nf_nat_hook definition to linux/netfilter.h to address kbuild robot reports. include/linux/netfilter.h| 21

Re: [PATCH nf] netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump()

2018-05-17 Thread Pablo Neira Ayuso
On Wed, May 16, 2018 at 04:21:05PM +0200, Florian Westphal wrote: > Taehee Yoo wrote: > > In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced. > > But if family is ipv6, priv->helper6 should be dereferenced. > > > > Steps to reproduce: > > > >#test.nft

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

2018-05-17 Thread Jan Engelhardt
On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote: >> > --- a/net/netfilter/x_tables.c >> > +++ b/net/netfilter/x_tables.c >> > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned >> > int size) >> > * than shoot all processes down before realizing there is

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

2018-05-17 Thread Greg Kroah-Hartman
On Thu, May 17, 2018 at 02:55:42AM -0700, Eric Dumazet wrote: > > > On 05/17/2018 02:34 AM, Greg Kroah-Hartman wrote: > > When allocating a xt_table_info structure, we should be clearing out the > > full amount of memory that was allocated, not just the "header" of the > > structure. Otherwise

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

2018-05-17 Thread Eric Dumazet
On 05/17/2018 02:34 AM, Greg Kroah-Hartman wrote: > When allocating a xt_table_info structure, we should be clearing out the > full amount of memory that was allocated, not just the "header" of the > structure. Otherwise odd values could be passed to userspace, which is > not a good thing. > >

[PATCH v2] netfilter: properly initialize xt_table_info structure

2018-05-17 Thread Greg Kroah-Hartman
When allocating a xt_table_info structure, we should be clearing out the full amount of memory that was allocated, not just the "header" of the structure. Otherwise odd values could be passed to userspace, which is not a good thing. Cc: stable Signed-off-by: Greg

Re: [PATCH] netfilter: properly initialize xt_table_info structure

2018-05-17 Thread Greg Kroah-Hartman
On Thu, May 17, 2018 at 10:59:51AM +0200, Michal Kubecek wrote: > On Thu, May 17, 2018 at 10:44:42AM +0200, Greg Kroah-Hartman wrote: > > When allocating a xt_table_info structure, we should be clearing out the > > full amount of memory that was allocated, not just the "header" of the > >

Re: [PATCH] netfilter: properly initialize xt_table_info structure

2018-05-17 Thread Michal Kubecek
On Thu, May 17, 2018 at 10:44:42AM +0200, Greg Kroah-Hartman wrote: > When allocating a xt_table_info structure, we should be clearing out the > full amount of memory that was allocated, not just the "header" of the > structure. Otherwise odd values could be passed to userspace, which is > not a

[PATCH] netfilter: properly initialize xt_table_info structure

2018-05-17 Thread Greg Kroah-Hartman
When allocating a xt_table_info structure, we should be clearing out the full amount of memory that was allocated, not just the "header" of the structure. Otherwise odd values could be passed to userspace, which is not a good thing. Cc: stable Signed-off-by: Greg

Re: [PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Máté Eckl
Originally I also added the following lines but it made the print too slow for the test to pass. It printed the following warning: inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket exists': 'socket exists' mismatches 'socke' inet/socket.t: WARNING: line 9:

[PATCH nft 5/7] test: py: print path of the logfile

2018-05-17 Thread Máté Eckl
It is good to know that a log is generated even without browsing the nft-test.py source code. Also print_info function is introduced. Signed-off-by: Máté Eckl --- tests/py/README | 2 ++ tests/py/nft-test.py | 5 - 2 files changed, 6 insertions(+), 1 deletion(-)

[PATCH nft 0/7] Python test fixes

2018-05-17 Thread Máté Eckl
This series of patches fix or supplement files related to python tests that I have met during my first test case. Máté Eckl (7): test: Specify python version in nft-test.py test: Small typo fixes in the python tests README test/py: Updated test file structure description in README test:

[PATCH nft 1/2] Introduce socket matching

2018-05-17 Thread Máté Eckl
Socket matching is achieved using the nft_compat interface. The list of known limitations of the current implementation are: * The absence of a corresponding socket cannot be matched (`socket missing`). * Only transparent socket flag can be matched, nowildcard is not a flag, it should be

[PATCH nft 3/7] test/py: Updated test file structure description in README

2018-05-17 Thread Máté Eckl
The order of the table and chain definitions have changed in test files. Now the name of the chain has to be specified in the definition of the table, so their order is reverted. Signed-off-by: Máté Eckl --- tests/py/README | 18 +- 1 file changed, 9

[PATCH nft 1/7] test: Specify python version in nft-test.py

2018-05-17 Thread Máté Eckl
/usr/bin/python is linked to different main versions of python in different distributions (e.g. 2 on debian, 3 on arch linux). Signed-off-by: Máté Eckl --- tests/py/nft-test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/py/nft-test.py

[PATCH nft 6/7] test: py: Added payload file description to README

2018-05-17 Thread Máté Eckl
Signed-off-by: Máté Eckl --- tests/py/README | 29 ++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/tests/py/README b/tests/py/README index 0e12dfa..ed5dc58 100644 --- a/tests/py/README +++ b/tests/py/README @@ -104,7 +104,30 @@ Line

[PATCH nft 7/7] test: py: Make diff functions use print_* functions

2018-05-17 Thread Máté Eckl
Signed-off-by: Máté Eckl --- tests/py/nft-test.py | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index b536e9c..edc0b4b 100755 --- a/tests/py/nft-test.py +++ b/tests/py/nft-test.py @@ -161,15 +161,13

[PATCH nft 2/2] test: Added test cases for socket matching

2018-05-17 Thread Máté Eckl
Signed-off-by: Máté Eckl --- tests/py/inet/socket.t | 10 ++ tests/py/inet/socket.t.payload | 8 2 files changed, 18 insertions(+) create mode 100644 tests/py/inet/socket.t create mode 100644 tests/py/inet/socket.t.payload diff --git

[PATCH nft 2/7] test: Small typo fixes in the python tests README

2018-05-17 Thread Máté Eckl
Signed-off-by: Máté Eckl --- tests/py/README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/py/README b/tests/py/README index 66f706f..005fe8e 100644 --- a/tests/py/README +++ b/tests/py/README @@ -77,7 +77,7 @@ Here, an example of a test file:

Re: [PATCH 11/40] ipv6/flowlabel: simplify pid namespace lookup

2018-05-17 Thread Christoph Hellwig
On Thu, May 17, 2018 at 12:28:01AM -0500, Eric W. Biederman wrote: > > struct pid_namespace *proc_pid_namespace(struct inode *inode) > > { > > // maybe warn on for s_magic not on procfs?? > > return inode->i_sb->s_fs_info; > > } > > That should work. Ideally out of line for the proc_fs.h