Phil Sutter wrote:
> Regarding empty fall through (which seems to be the reason for your
> NACK): There was but a single fall through comment for an empty case in
> the whole code, and there are literally hundreds of them. Covscan didn't
> complain about those, hence why I think even
Phil Sutter wrote:
> While revisiting all of them, clear a few oddities as well:
>
> - There's no point in marking empty fall through cases: They are easy to
> spot and a common concept when using switch().
NACK, sorry. There are source-code checkers that flag this
(they have
also mention that 'ip' is used when the family gets omitted.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
doc/nft.xml | 27 +++
1 file changed, 27 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index 2b88727c941b..1039b03e06ce 100644
--- a/doc/nft.xml
Signed-off-by: Florian Westphal <f...@strlen.de>
---
doc/nft.xml | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index 2b88727..b6b5506 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1663,7 +1663,10 @@ filter output ip daddr loc
should have no impact, function still always returns 0.
This patch is only to ease review.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
include/linux/netfilter/x_tables.h | 2 +-
net/bridge/netfilter/ebtables.c| 10 --
net/ipv4/netfilter/arp_tables.c| 10 +++--
allows to have size checks in a single spot.
This is supposed to reduce oom situations when fuzz-testing xtables.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
include/linux/netfilter/x_tables.h | 1 +
net/ipv4/netfilter/arp_tables.c| 2 +-
net/ipv4/netfilter/ip_tables.c
be pr_debug but in case this breaks rulesets somehow it's
useful to know why the blob was rejected.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/arp_tables.c | 17 -
net/ipv4/netfilter/ip_tables.c | 17 -
net/ipv6/netfilter/ip6_tables.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/x_tables.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 33724b08b8f0..7521e8a72c06 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_ta
with fuzzing by avoiding oom-killer.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/x_tables.c | 26 ++
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index e878c85a9268..33724b08b8f0
Arbitrary limit, however, this still allows huge rulesets
(> 1 million rules). This helps with automated fuzzer as it prevents
oom-killer invocation.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/x_tables.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
d
This is a very conservative limit (134217728 rules), but good
enough to not trigger frequent oom from syzkaller.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/x_tables.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/x_tables.c b/net/net
Allow followup patch to change one location instead of three.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
include/linux/netfilter/x_tables.h | 2 ++
net/ipv4/netfilter/arp_tables.c| 13 +++--
net/ipv4/netfilter/ip_tables.c | 13 +++--
net/ipv6/net
in the rule blob. One base chain that is referenced multiple times
in hook blob is then only printed once.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/x_tables.c | 31 ++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/net/net
Check that userspace ERROR target (custom user-defined chains) match
expected format, and the chain name is null terminated.
This is irrelevant for kernel, but iptables itself relies on sane input
when it dumps rules from kernel.
Signed-off-by: Florian Westphal <f...@strlen.de>
--
hecked in more detail later on when
loop-detection is performed.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/arp_tables.c | 5 -
net/ipv4/netfilter/ip_tables.c | 5 -
net/ipv6/netfilter/ip6_tables.c | 5 -
net/netfilter/x_tables.c
syzkaller managed to trigger various interesting features, such
as ability to create rulesets that can't be shown with iptables(8).
These patches add more checks/restrictions to the x_tables validation
of the blob coming in from userspace.
In particular:
1. check error target name is
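A bounds-checked walk of the kind this series tightens, as an added example rather than the kernel's x_tables code: the blob layout (blob_hdr, blob_entry, XT_NAME_LEN, MAX_BLOB_SIZE) is a simplified stand-in chosen for the illustration, MAX_ENTRIES reuses the 134217728 figure quoted in the series, and the sample blobs are constructed for the demo. It checks the overall size and entry-count caps, that every next_offset is sane (large enough to make progress, aligned, inside the buffer), that the header's entry count matches what the walk finds, and that each chain name is NUL terminated before anything string-like touches it.

```c
/* Added example, not kernel code: validating a userspace rule blob before
 * any other code trusts its offsets or names. The layout is an assumed toy
 * format; the checks are the point. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XT_NAME_LEN   16            /* assumed fixed-size name field */
#define MAX_ENTRIES   134217728u    /* the "134217728 rules" cap quoted in the series */
#define MAX_BLOB_SIZE (256u << 20)  /* assumed cap on the whole blob: 256 MiB */

struct blob_hdr {
	uint32_t size;         /* bytes of entries following this header */
	uint32_t num_entries;  /* what userspace claims */
};

struct blob_entry {
	uint16_t next_offset;  /* distance to the next entry, from this entry's start */
	uint16_t target_size;  /* not used by this walk */
	char     name[XT_NAME_LEN]; /* chain name; must contain a NUL */
};

enum blob_err {
	BLOB_OK = 0,
	BLOB_TRUNCATED,      /* header or entry runs past the buffer */
	BLOB_TOO_BIG,        /* size cap exceeded, or header size disagrees with the buffer */
	BLOB_TOO_MANY,       /* entry count cap exceeded */
	BLOB_BAD_OFFSET,     /* next_offset too small, misaligned or past the end */
	BLOB_BAD_NAME,       /* name not NUL terminated */
	BLOB_COUNT_MISMATCH  /* walked entry count differs from the header */
};

/* The walk must terminate, stay inside the buffer and leave every name
 * safe to hand to string functions; otherwise the blob is rejected. */
static enum blob_err validate_blob(const uint8_t *buf, size_t len)
{
	struct blob_hdr hdr;
	size_t off, seen = 0;

	if (len < sizeof(hdr))
		return BLOB_TRUNCATED;
	memcpy(&hdr, buf, sizeof(hdr));
	if (hdr.size > MAX_BLOB_SIZE || hdr.size != len - sizeof(hdr))
		return BLOB_TOO_BIG;
	if (hdr.num_entries > MAX_ENTRIES)
		return BLOB_TOO_MANY;

	off = sizeof(hdr);
	while (off < len) {
		struct blob_entry e;

		if (len - off < sizeof(e))
			return BLOB_TRUNCATED;
		memcpy(&e, buf + off, sizeof(e));
		/* smaller than the entry would loop forever or overlap the next one */
		if (e.next_offset < sizeof(e) || e.next_offset % 4 != 0 ||
		    e.next_offset > len - off)
			return BLOB_BAD_OFFSET;
		if (memchr(e.name, '\0', XT_NAME_LEN) == NULL)
			return BLOB_BAD_NAME;
		if (++seen > hdr.num_entries)
			return BLOB_COUNT_MISMATCH;
		off += e.next_offset;
	}
	return seen == hdr.num_entries ? BLOB_OK : BLOB_COUNT_MISMATCH;
}

/* Constructed sample blobs; 'tamper' picks one corruption to inject. */
enum tamper { T_NONE, T_NO_NUL, T_BAD_OFFSET, T_WRONG_COUNT };

static size_t build_blob(uint8_t *out, size_t cap, enum tamper t)
{
	static const char *const names[] = { "INPUT", "my-chain" };
	const uint32_t n = 2;
	struct blob_hdr hdr = { .size = n * (uint32_t)sizeof(struct blob_entry),
				.num_entries = n };
	size_t off = sizeof(hdr);
	uint32_t i;

	if (cap < sizeof(hdr) + hdr.size)
		return 0;
	if (t == T_WRONG_COUNT)
		hdr.num_entries = n + 1;         /* header lies about the count */
	memcpy(out, &hdr, sizeof(hdr));
	for (i = 0; i < n; i++) {
		struct blob_entry e = { .next_offset = sizeof(struct blob_entry) };

		if (t == T_NO_NUL && i == 1)
			memset(e.name, 'A', XT_NAME_LEN); /* fills the field, no NUL left */
		else
			snprintf(e.name, sizeof(e.name), "%s", names[i]);
		if (t == T_BAD_OFFSET && i == 1)
			e.next_offset = 0xfffe;          /* misaligned and far past the buffer */
		memcpy(out + off, &e, sizeof(e));
		off += sizeof(e);
	}
	return off;
}

static enum blob_err demo(enum tamper t)
{
	uint8_t buf[256];
	size_t n = build_blob(buf, sizeof(buf), t);

	return n ? validate_blob(buf, n) : BLOB_TRUNCATED;
}

int main(void)
{
	printf("clean blob: %d, no NUL: %d, bad offset: %d, wrong count: %d\n",
	       demo(T_NONE), demo(T_NO_NUL), demo(T_BAD_OFFSET), demo(T_WRONG_COUNT));
	return 0;
}
```

The count check is deliberately two-sided: a header claiming more entries than the walk finds is rejected as well, since later code that sizes allocations from the header and fills them from the walk would otherwise disagree.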
Ahmed Abdelsalam wrote:
> > Ahmed Abdelsalam wrote:
> > > Type 0 and 2 of the IPv6 Routing extension header are not handled
> > > properly by exthdr_init_raw() in src/exthdr.c
> > >
> > > In order to fix the bug, we extended the "enum nft_exthdr_op" to
Ahmed Abdelsalam wrote:
> Type 0 and 2 of the IPv6 Routing extension header are not handled
> properly by exthdr_init_raw() in src/exthdr.c
>
> In order to fix the bug, we extended the "enum nft_exthdr_op" to
> differentiate between rt, rt0, and rt2.
>
> This patch should
Signed-off-by: Florian Westphal <f...@strlen.de>
---
doc/nft.xml | 26 +-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index bddc527f19a7..2b88727c941b 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2523,6 +2523,9 @@ filter
Luke Bratch wrote:
> Hello
>
> [1.] One line summary of the problem:
>
> The patch "netfilter: on sockopt() acquire sock lock only in the required
> scope" breaks at least sshuttle.
>
> [2.] Full description of the problem/report:
>
> sshuttle does not work in at least
Signed-off-by: Florian Westphal <f...@strlen.de>
---
tests/py/any/rawpayload.t | 19 +++
tests/py/any/rawpayload.t.payload | 49 +++
tests/py/arp/arp.t| 2 ++
tests/py/arp/arp.t.payload| 10
tests/
Signed-off-by: Florian Westphal <f...@strlen.de>
---
doc/nft.xml | 59 +++
1 file changed, 59 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index 6748265c8ae8..bddc527f19a7 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -
This patch series aims to make raw payload expressions work.
Raw payload expressions use the following syntax:
@base,offset,length
which tells nftables the user wants to read 'length' bits at 'offset' bits
relative to @base.
base can be either ll, nh, or th.
See patch 4 for documentation update.
This
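What a raw payload expression asks the kernel to read, as an added example that is not part of this series: it parses '@base,offset,length', resolves ll/nh/th against a constructed Ethernet/IPv4/TCP frame (the nh position assumes Ethernet II and th uses the IPv4 IHL field; nft derives both from the rule's protocol context instead), and returns the 'length' bits found 'offset' bits past that base, most significant bit first. The 64-bit cap on length is an assumption of the example.

```c
/* Added example, not nftables code: the bit read behind '@base,offset,length'
 * run against a constructed frame. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum payload_base { BASE_LL, BASE_NH, BASE_TH };

/* Constructed frame: Ethernet II (14) + IPv4 without options (20) + TCP (20). */
static const uint8_t frame[] = {
	/* ll: dst mac, src mac, ethertype 0x0800 */
	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00,
	/* nh: ver/ihl 0x45, tos, total len 40, id, DF, ttl 64, proto 6, csum, 10.0.0.1 -> 10.0.0.2 */
	0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
	10, 0, 0, 1, 10, 0, 0, 2,
	/* th: sport 40000, dport 22, seq 1, ack 0, doff 5, SYN, win, csum, urg */
	0x9c, 0x40, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
};

/* Byte offset of each base, or -1 if the packet is too short to tell. */
static long base_offset(const uint8_t *pkt, size_t len, enum payload_base base)
{
	const size_t nh = 14;	/* assumed: Ethernet II link layer */

	if (base == BASE_LL)
		return 0;
	if (len < nh + 1)
		return -1;
	if (base == BASE_NH)
		return (long)nh;
	return (long)(nh + (pkt[nh] & 0x0f) * 4u);	/* th = nh + IHL * 4 */
}

/* Parse "@ll,96,16" into its three parts; 0 on success, -1 on a malformed expression. */
static int parse_raw_expr(const char *s, enum payload_base *base,
			  unsigned *off, unsigned *len)
{
	char name[3] = { 0 };

	if (sscanf(s, "@%2[a-z],%u,%u", name, off, len) != 3)
		return -1;
	if (!strcmp(name, "ll"))
		*base = BASE_LL;
	else if (!strcmp(name, "nh"))
		*base = BASE_NH;
	else if (!strcmp(name, "th"))
		*base = BASE_TH;
	else
		return -1;
	if (*len == 0 || *len > 64)	/* assumed cap: result must fit a uint64_t */
		return -1;
	return 0;
}

/* Read 'len' bits starting 'off' bits after the base, MSB first. -1 on error. */
static int read_raw(const uint8_t *pkt, size_t pktlen, const char *expr, uint64_t *out)
{
	enum payload_base base;
	unsigned off, len;
	size_t first_bit, last_bit, bit;
	uint64_t v = 0;
	long b;

	if (parse_raw_expr(expr, &base, &off, &len))
		return -1;
	b = base_offset(pkt, pktlen, base);
	if (b < 0)
		return -1;
	first_bit = (size_t)b * 8 + off;
	last_bit = first_bit + len - 1;
	if (last_bit / 8 >= pktlen)	/* the span runs past the packet */
		return -1;
	for (bit = first_bit; bit <= last_bit; bit++)
		v = (v << 1) | ((pkt[bit / 8] >> (7 - bit % 8)) & 1u);
	*out = v;
	return 0;
}

/* Value read from the constructed frame, or UINT64_MAX when the read is rejected. */
static uint64_t raw(const char *expr)
{
	uint64_t v;

	return read_raw(frame, sizeof(frame), expr, &v) ? UINT64_MAX : v;
}

int main(void)
{
	printf("@ll,96,16 (ethertype) = 0x%04llx\n", (unsigned long long)raw("@ll,96,16"));
	printf("@nh,72,8  (protocol)  = %llu\n", (unsigned long long)raw("@nh,72,8"));
	printf("@th,16,16 (dport)     = %llu\n", (unsigned long long)raw("@th,16,16"));
	printf("@nh,4,4   (ihl)       = %llu\n", (unsigned long long)raw("@nh,4,4"));
	return 0;
}
```

Reads that start or end past the packet are rejected rather than padded; a matcher that silently zero-fills would let a rule such as a transport-header check appear to match on a truncated fragment.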
The invalid type prints prominent "[invalid]", so prefer integer type
in raw expressions.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/payload.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/payload.c b/src/payload.c
index 7ca170edbb6d..a1e7e77ed5c5
Else, '@ll,0,8' will be mapped to 'inet nfproto', but that's
not correct (inet is a pseudo header).
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/payload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/payload.c b/src/payload.c
index a1e7e77ed5c5..ef437b
tax.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
include/expression.h | 1 +
src/evaluate.c | 3 +++
src/parser_bison.y | 3 +++
src/payload.c| 2 +-
4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/include/expression.h b/include/expression.h
index 0a0e
Julian Anastasov <j...@ssi.bg> wrote:
> On Sat, 24 Feb 2018, Florian Westphal wrote:
>
> > FTP passive mode got broken by this change:
> > - if (.. && nfct_nat(ct)) {
> > + if (.. (ct->status & IPS_NAT_MASK)) {
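Review bot: `(ct->status & IPS_NAT_MASK)` tests whether a NAT mapping has already been set up on the connection, which is a stricter condition than the `nfct_nat(ct)` extension-presence check it replaces, and the reply quoted here reports FTP passive mode breaking under the new test; the expected (data) connection path should be re-verified before this is treated as a pure cleanup.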
>
> Looks like this chec
Arturo Borrero Gonzalez wrote:
> Copied back from the downstream Debian package.
applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at
Harsha Sharma wrote:
> Print error message and exit. For e.g.
>
> nft -c " "
> nft: no command specified
>
> Without this patch, it segfaults.
Right.
> strcat(buf, " ");
> }
> strcat(buf, "\n");
> +
> +
Arturo Borrero Gonzalez <art...@netfilter.org> wrote:
> On 24 February 2018 at 23:07, Florian Westphal <f...@strlen.de> wrote:
> > Any reason why this doesn't use
> > #! @sbindir@nft -f ?
> I didn't expect we were using these files for development activities.
ok,
Arturo Borrero Gonzalez wrote:
> Include some examples in the nftables tarball on using the ct helper
> infrastructure, inspired from wiki.nftables.org.
>
> Signed-off-by: Arturo Borrero Gonzalez
> ---
> v2: fix some typos
>
>
Arturo Borrero Gonzalez wrote:
> Concatenate all family/hook examples into a single one by means of includes.
>
> Put all example files under examples/. Use the '.nft' prefix and mark
> them as executable files. Use a static shebang declaration, since these
> are examples
tfilter: ipvs: don't check for presence of nat
extension")
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/ipvs/ip_vs_nfct.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
in
Arturo Borrero Gonzalez wrote:
> Concatenate all family/hook examples into a single one.
Oh? I actually liked the 'atomic' versions, because i could
run nft -f /etc/nftables/ipv4-filter to get empty 'iptables' filter.
Pablo Neira Ayuso wrote:
> On Tue, Feb 20, 2018 at 05:52:54PM -0800, Alexei Starovoitov wrote:
> > On Tue, Feb 20, 2018 at 11:44:31AM +0100, Pablo Neira Ayuso wrote:
> > >
> > > Don't get me wrong, no software is safe from security issues, but if you
> > > don't abstract
; Date: Mon, 12 Feb 2018 13:41:29 +1300
> Subject: [PATCH] libxt_CONNMARK: Support bit-shifting for --restore,set and
> save-mark
>
> Added bit-shifting operations for --restore & set & save-mark.
>
> Signed-off-by: Jack Ma <jack...@alliedtelesis.co.nz>
> Signed-off
David Miller wrote:
> From: Phil Sutter
> Date: Mon, 19 Feb 2018 18:14:11 +0100
>
> > OK, so reading between the lines you're saying that nftables project
> > has failed to provide an adequate successor to iptables?
>
> Whilst it is great that the atomic table
David Miller <da...@davemloft.net> wrote:
> From: Florian Westphal <f...@strlen.de>
> Date: Mon, 19 Feb 2018 15:53:14 +0100
>
> > Sure, but looking at all the things that were added to iptables
> > to alleviate some of the issues (ipset for instance) show that w
David Miller <da...@davemloft.net> wrote:
> From: Florian Westphal <f...@strlen.de>
> Date: Mon, 19 Feb 2018 15:59:35 +0100
>
> > David Miller <da...@davemloft.net> wrote:
> >> It also means that the scope of developers who can contribute and
David Miller wrote:
> From: Daniel Borkmann
> Date: Mon, 19 Feb 2018 13:03:17 +0100
>
> > Thought was that it would be more suitable to push all the complexity of
> > such translation into user space which brings couple of additional
> > advantages
>
David Miller wrote:
> > How many of those wide-spread applications are you aware of? The two
> > projects you have pointed out (docker and kubernetes) don't. As the
> > assumption that many such tools would need to be supported drives a lot
> > of the design decisions, I
mask defines what to clear,
for nfmark what to keep, i.e. we're supposed to only alter the lower
bits of the ctmark.
nftables can't do this at the moment because bitwise operator RHS
requires immediate values.
same is true for 'restore'.
Signed-off-by: Florian Westphal <f...@strlen.de>
.
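The mark arithmetic the translation has to express, as an added example (not the kernel's xt_connmark target or the iptables extension): the masked merge with XOR is how the CONNMARK target computes save and restore, the single-mask case where ctmask and nfmask hold the same value is the one described above, and the optional shift models the bit-shifting request on this list, with its placement (mask the source, shift, then merge) being an assumption of this example.

```c
/* Added example, not kernel or iptables code: CONNMARK save/restore mark
 * arithmetic with masks and an optional (assumed) shift. */
#include <stdint.h>
#include <stdio.h>

enum shift_dir { SHIFT_NONE, SHIFT_LEFT, SHIFT_RIGHT };

/* Assumption of this example: shifts of 32 or more bits yield zero rather
 * than undefined behaviour. */
static uint32_t apply_shift(uint32_t v, enum shift_dir dir, unsigned bits)
{
	if (bits >= 32)
		return 0;
	switch (dir) {
	case SHIFT_LEFT:
		return v << bits;
	case SHIFT_RIGHT:
		return v >> bits;
	default:
		return v;
	}
}

/* --save-mark: copy nfmark into ctmark. ctmask selects the ctmark bits that
 * are cleared first, nfmask the nfmark bits that are kept; the merge is XOR
 * as in the kernel target (identical to OR when the two masks are equal). */
static uint32_t connmark_save(uint32_t ctmark, uint32_t nfmark,
			      uint32_t ctmask, uint32_t nfmask,
			      enum shift_dir dir, unsigned bits)
{
	return (ctmark & ~ctmask) ^ apply_shift(nfmark & nfmask, dir, bits);
}

/* --restore-mark: copy ctmark into nfmark, with the roles of the masks swapped. */
static uint32_t connmark_restore(uint32_t nfmark, uint32_t ctmark,
				 uint32_t nfmask, uint32_t ctmask,
				 enum shift_dir dir, unsigned bits)
{
	return (nfmark & ~nfmask) ^ apply_shift(ctmark & ctmask, dir, bits);
}

/* The single-mask case from the message: only the low byte of the ctmark
 * is altered, everything above it survives. */
static uint32_t save_low_byte(uint32_t ctmark, uint32_t nfmark)
{
	return connmark_save(ctmark, nfmark, 0xff, 0xff, SHIFT_NONE, 0);
}

int main(void)
{
	printf("save, mask 0xff:     ctmark 0xaabbccdd, nfmark 0x11 -> 0x%08x\n",
	       save_low_byte(0xaabbccdd, 0x00000011));
	printf("restore, mask 0xff:  nfmark 0x12345678, ctmark 0xaabbccdd -> 0x%08x\n",
	       connmark_restore(0x12345678, 0xaabbccdd, 0xff, 0xff, SHIFT_NONE, 0));
	printf("save, full mask:     plain copy -> 0x%08x\n",
	       connmark_save(0xaabbccdd, 0x12345678, 0xffffffff, 0xffffffff, SHIFT_NONE, 0));
	printf("save, shift left 8:  nfmark 0x0000fff0 -> ctmark 0x%08x\n",
	       connmark_save(0, 0x0000fff0, 0xffffffff, 0x0000fff0, SHIFT_LEFT, 8));
	return 0;
}
```

With a full mask the merge collapses to a plain copy of the source mark, which is the only case a translation can express as a direct assignment; every other mask needs the and-with-inverted-mask on the destination and the and-with-mask on the source, i.e. a bitwise operation whose right-hand side is another register rather than an immediate.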
In that case we can simply use an immediate value without
need for logical operators.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
extensions/libxt_CONNMARK.c | 6 +++---
extensions/libxt_CONNMARK.txlate | 3 +++
extensions/libxt_MARK.c | 6 +++---
exte
kbuild test robot <l...@intel.com> wrote:
> Hi Florian,
>
> I love your patch! Perhaps something to improve:
>
> [auto build test WARNING on nf/master]
>
> url:
> https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ipt_CLUSTERIP-two-more-fixes/2
l4proto->manip_pkt() can cause reallocation of skb head so pointer
to the ipv6 header must be reloaded.
Reported-and-tested-by: <syzbot+10005f4292fc9cc89...@syzkaller.appspotmail.com>
Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: Florian Westp
All of these conditions are not fatal and should have
been WARN_ONs from the get-go.
Convert them to WARN_ONs and bail out.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 3f536c7a3354..254ef9f49567
Daniel Borkmann wrote:
> As rule translation can potentially become very complex, this is performed
> entirely in user space. In order to ease deployment, request_module() code
> is extended to allow user mode helpers to be invoked. Idea is that user mode
> helpers are built
Duncan Roe wrote:
> Signed-off-by: Duncan Roe
> ---
> doc/nft.xml | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
applied, thanks.
and to succeed.
However, given similar future bugs, kernel might have told us something
like 'expression failed initialisation' or 'set lacks update
callback', which is much more helpful for developers to pinpoint the
place where netlink processing failed on nftables kernel side.
Signed-off-by: Flor
nft can match tcp flags, so add ece/cwr translation.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
extensions/libxt_ecn.c | 50 +
extensions/libxt_ecn.txlate | 6 ++
2 files changed, 38 insertions(+), 18 deletions(-)
diff
Harald Welte wrote:
> I believe _if_ one wants to use the approach of "hiding" eBPF behind
> iptables, then either
[..]
> b) you must introduce new 'tables', like an 'xdp' table which then has
>the notion of processing very early in processing, way before the
>normal
Florian Westphal <f...@strlen.de> wrote:
> David Miller <da...@davemloft.net> wrote:
> > From: Florian Westphal <f...@strlen.de>
> > Date: Fri, 16 Feb 2018 17:14:08 +0100
> >
> > > Any particular reason why translating iptables rather than
and to succeed.
However, given similar future bugs, kernel might have told us something
like 'expression failed initialisation' or 'set lacks update
callback', which is much more helpful for developers to pinpoint the
place where netlink processing failed on nftables kernel side.
Signed-off-by: Flor
David Miller <da...@davemloft.net> wrote:
> From: Florian Westphal <f...@strlen.de>
> Date: Fri, 16 Feb 2018 17:14:08 +0100
>
> > Any particular reason why translating iptables rather than nftables
> > (it should be possible to monitor the nftables changes
Daniel Borkmann <dan...@iogearbox.net> wrote:
> Hi Florian,
>
> On 02/16/2018 05:14 PM, Florian Westphal wrote:
> > Florian Westphal <f...@strlen.de> wrote:
> >> Daniel Borkmann <dan...@iogearbox.net> wrote:
> >> Several questions spinning at
Florian Westphal <f...@strlen.de> wrote:
> Daniel Borkmann <dan...@iogearbox.net> wrote:
> Several questions spinning at the moment, I will probably come up with
> more:
... and here there are some more ...
One of the many pain points of xtables design is the assumption of '
Daniel Borkmann wrote:
> This is a very rough and early proof of concept that implements bpfilter.
[..]
> Also, as a benefit from such design, we get BPF JIT compilation on x86_64,
> arm64, ppc64, sparc64, mips64, s390x and arm32, but also rule offloading
> into HW for
Once struct is added to per-netns list it becomes visible to other cpus,
so we cannot use kfree().
Also delay setting entries refcount to 1 until after everything is
initialised so that when we call clusterip_config_put() in this spot
entries is still zero.
Signed-off-by: Florian Westphal &l
This needs to put() the entry to avoid a resource leak in error path.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c
b/net/ipv4/net
During code audit I found two more bugs in CLUSTERIP,
first one is a refcount leak, second is possible use-after-free
due to kfree() of rcu-protected (and already visible) structure.
I think it's time to remove this target, so, if anyone has a good
reason to not nuke it in nf-next please let me
Gregory Vander Schueren wrote:
[ cc netdev ]
> If sysctl bridge-nf-call-iptables is enabled, iptables chains are already
> traversed from the bridging code. In such case, tproxy already happened when
> reaching ip_rcv. Thus no need to call skb_orphan as this
Xin Long wrote:
> Now it's doing cleanup_entry for oldinfo under the xt_table lock,
> but it's not really necessary. After the replacement job is done
> in xt_replace_table, oldinfo is not used elsewhere any more, and
> it can be freed without xt_table lock safely.
Right.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/payload.c | 4
1 file changed, 4 insertions(+)
diff --git a/src/payload.c b/src/payload.c
index 60090accbcd8..63c9f7157e4e 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -618,6 +618,10 @@ void payload_expr_expand(struct lis
"fib" starts to behave strangely when an ipv6 default route is
added - the FIB lookup returns a route using 'oif' in this case.
This behaviour was inherited from ip6tables rpfilter so change
this as well.
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1221
Signed-off-b
Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote:
> > Hello,
> >
> > As of nftables 0.8.1, it seems I can no longer write anonymous sets
> > which contain overlapping networks (CIDR masks).
> >
> > For example, I want to write the
currently kernel may pick a set implementation that doesn't provide
a ->update() function. This causes an error when user attempts to
add the nftables rule that is supposed to add entries to the set.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
Pablo, unless you have objection
Eric Dumazet wrote:
> On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > syzbot reported a division by 0 bug in the netfilter nat code:
>
> > Adding the relevant check at parse time could break existing
> > setup, moreover we would need to read/write such values
Paolo Abeni wrote:
> Fixes: c7232c9979cb ("netfilter: add protocol independent NAT core")
are you sure?
When I looked this was a day 0 bug, the code was just moved from ipv4.
divide error: [#1] SMP KASAN
RIP: 0010:nf_nat_l4proto_unique_tuple+0x291/0x530
net/netfilter/nf_nat_proto_common.c:88
looks like a day 0 bug.
Avoid this by forcing a min_range of 1.
Reported-by: <syzbot+8012e198bd037f487...@syzkaller.appspotmail.com>
Signed-off-by: Florian Westp
syzbot wrote:
> Hello,
>
> syzbot hit the following crash on net-next commit
> 9a61df9e5f7471fe5be3e02bd0bed726b2761a54 (Sat Feb 10 03:32:41 2018 +)
> Merge tag 'kbuild-v4.16-2' of
>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_REJECT.c| 4 ++--
net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
net/ipv6/netfilter/ip6t_REJECT.c | 4 ++--
net/ipv6/netfilter/ip6t_rpfilter.c | 2 +-
net/ipv6/net
all of these print a simple error message - use single pr_ratelimit call.
checkpatch complains about lines > 80 but this would require splitting
several "literals" over multiple lines which is worse.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter
Signed-off-by: Florian Westphal <f...@strlen.de>
---
no changes.
net/ipv4/netfilter/ipt_rpfilter.c | 4 ++--
net/ipv6/netfilter/ip6t_rpfilter.c | 4 ++--
net/netfilter/xt_CONNSECMARK.c | 4 ++--
net/netfilter/xt_SECMARK.c | 4 ++--
4 files changed, 8 insertions(+), 8 del
remove several pr_info messages that cannot be triggered with iptables,
the check is only to ensure input is sane.
iptables(8) already prints error messages in these cases.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
Changes since v2:
- remove a few more pr_info (dscp, checksum
most messages are converted to info, since they occur in response to
wrong usage.
Size mismatch however is a real error (xtables ABI bug) that should not
occur.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
changes since v1:
- use info (not err) for most cases.
net/net
also convert this to info for consistency.
These errors are informational messages to the user, given iptables doesn't
have netlink extack equivalent.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
patch is new in v2 (split away from different patch).
net/netfilter/xt_set.
ebt_among still uses pr_err -- these errors indicate ebtables tool bug,
not a usage error.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
patch is new in v2 (split away from different patch).
net/bridge/netfilter/ebt_among.c | 10 +-
net/bridge/netfilter/ebt_limit.c | 4 +
switch this to info, since these aren't really errors.
We only use printk because we cannot report meaningful errors
in the xtables framework.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
Patch is new in v2.
net/netfilter/xt_NFQUEUE.c | 8 +---
1 file changed, 5 insertions
Aeons ago, before namespaces, there was no need to ratelimit this:
all of these error messages got triggered in response to iptables
commands, which need CAP_NET_ADMIN.
Nowadays we have namespaces, so it's better to ratelimit these.
This should also help fuzzing (syzkaller), as it can generate a
checkpatch complains about line > 80 but this would require splitting
"literal" over two lines which is worse.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
no changes since v1.
net/netfilter/xt_CT.c | 25 +
1 file changed, 13 insertions(+), 12
place refcount_inc() with
> refcount_inc_not_zero(), as for c->refcount.
Reviewed-by: Florian Westphal <f...@strlen.de>
Cong Wang wrote:
> In clusterip_config_find_get() we hold RCU read lock so it could
> run concurrently with clusterip_config_entry_put(), as a result,
> the refcnt could go back to 1 from 0, which leads to a double
> list_del()... Just replace refcount_inc() with
>
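The race described in this thread, modelled with C11 atomics as an added example (not the CLUSTERIP code): a lookup that bumps the refcount unconditionally can revive an entry whose last reference already dropped, so the teardown (the list_del()) runs twice, whereas refcount_inc_not_zero() refuses the 0 -> 1 transition. The struct config, the teardowns counter and the sequential interleaving are constructed for the demonstration.

```c
/* Added example, not kernel code: why a lookup under the RCU read lock must
 * use refcount_inc_not_zero() rather than refcount_inc(). */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct config {
	atomic_uint refcount;	/* 0 means the last put ran and teardown is under way */
	int teardowns;		/* how many times teardown (the list_del()) executed */
};

/* Kernel-style refcount_inc_not_zero(): a CAS loop that never goes 0 -> 1. */
static bool refcount_inc_not_zero(atomic_uint *r)
{
	unsigned int old = atomic_load(r);

	do {
		if (old == 0)
			return false;	/* object is dying: do not revive it */
	} while (!atomic_compare_exchange_weak(r, &old, old + 1));
	return true;
}

/* Plain refcount_inc(): happily turns 0 into 1 if it raced with the last put. */
static void refcount_inc(atomic_uint *r)
{
	atomic_fetch_add(r, 1);
}

static bool refcount_dec_and_test(atomic_uint *r)
{
	return atomic_fetch_sub(r, 1) == 1;
}

static void config_put(struct config *c)
{
	if (refcount_dec_and_test(&c->refcount))
		c->teardowns++;		/* stands in for list_del() + deferred free */
}

/* The race, serialised: the owner drops the last reference while a reader
 * that still sees the entry in the hash table (RCU) tries to take one. */
static int simulate_race(bool use_inc_not_zero)
{
	struct config c;
	bool got;

	atomic_init(&c.refcount, 1);
	c.teardowns = 0;

	config_put(&c);			/* last put: 1 -> 0, teardown runs once */

	if (use_inc_not_zero) {
		got = refcount_inc_not_zero(&c.refcount);	/* sees 0, backs off */
	} else {
		refcount_inc(&c.refcount);	/* 0 -> 1: the dying entry is "alive" again */
		got = true;
	}
	if (got)
		config_put(&c);		/* reader's put: 1 -> 0, teardown runs a second time */
	return c.teardowns;
}

int main(void)
{
	printf("refcount_inc:          %d teardown(s)\n", simulate_race(false));
	printf("refcount_inc_not_zero: %d teardown(s)\n", simulate_race(true));
	return 0;
}
```

The same reasoning is why the entry's refcount should only be set to its initial value once the object is fully initialised and why an object that is already reachable from a shared list cannot be released with an immediate free: readers that found it before the unlink may still be inside it.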
Pablo Neira Ayuso wrote:
> > --- a/net/bridge/netfilter/ebt_among.c
> > +++ b/net/bridge/netfilter/ebt_among.c
> > @@ -187,17 +187,17 @@ static int ebt_among_mt_check(const struct
> > xt_mtchk_param *par)
> > expected_length += ebt_mac_wormhash_size(wh_src);
> >
> >
Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Wed, Feb 07, 2018 at 02:48:23PM +0100, Florian Westphal wrote:
> > prefer pr_debug for cases where error is usually not seen by users.
> > checkpatch complains due to lines > 80 but adding a newline doesn't
> >
Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Wed, Feb 07, 2018 at 02:48:22PM +0100, Florian Westphal wrote:
> > remove several pr_info messages that cannot be triggered with iptables.
> >
> > Signed-off-by: Florian Westphal <f...@strlen.de>
> > ---
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/x_tables.c | 70 +++-
1 file changed, 34 insertions(+), 36 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 2f685ee1f9c8..0f81294dea7b
all of these print a simple error message - use single pr_ratelimit call.
checkpatch complains about lines > 80 but this would require splitting
several "literals" over multiple lines which is worse.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/ipt_rpfilter.c | 4 ++--
net/ipv6/netfilter/ip6t_rpfilter.c | 4 ++--
net/netfilter/xt_CONNSECMARK.c | 4 ++--
net/netfilter/xt_SECMARK.c | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
diff
prefer pr_debug for cases where error is usually not seen by users.
checkpatch complains due to lines > 80 but adding a newline doesn't
make things any more readable.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
net/ipv6/
checkpatch complains about line > 80 but this would require splitting
"literal" over two lines which is worse.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/xt_CT.c | 25 +
1 file changed, 13 insertions(+), 12 deletions(-)
diff --
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/bridge/netfilter/ebt_among.c | 10
net/bridge/netfilter/ebt_limit.c | 4 ++--
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_REJECT.c | 4 ++--
net/ipv6/netfilter/ip6t_REJECT.c | 4 ++--
net/ipv6/net
remove several pr_info messages that cannot be triggered with iptables.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/ipt_ECN.c | 10 --
net/netfilter/xt_HL.c| 13 +++--
net/netfilter/xt_LED.c | 4 +---
net/netfilter/xt_cgroup.c
Aeons ago, before namespaces, there was no need to ratelimit this:
all of these error messages got triggered in response to iptables
commands, which need CAP_NET_ADMIN.
Nowadays we have namespaces, so it's better to ratelimit these.
This should also help fuzzing (syzkaller), as it can generate a
by programs
that don't call xtables(-restore) tools.
This change also prevents the syzkaller reported crash as
ruleset gets rejected.
Reported-by: syzbot+e783f671527912cd9...@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/arp_tables.
.
Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
Reported-by: syzbot+e783f671527912cd9...@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/arp_tables.c | 4
net/ipv4/netfilter/ip_tables.c | 7 +
Paolo Abeni wrote:
[ pruning CC list ]
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
>
> I can't reproduce the issue locally, so asking the syzbot to test the
> tentative fix for me (and hoping I did not mess with the tag/format)
I can
Jack Ma wrote:
> Our current condition is:
>
> 1) only 0xfff0 (three F available in skb->mark), but 0xf000 (five F
> available in ct->mark)
>
> We wish to copy either 0xfff0 or 0x00fff000 from ct->mark into skb->mark,
>
>
> What about '-j CONNMARK
internal use and keep the
> locking one for external.
Looks good, thanks Cong.
Reviewed-by: Florian Westphal <f...@strlen.de>
syzbot wrote:
#syz-fix: netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in
clusterip_tg_check()
Cong Wang wrote:
> On Wed, Jan 31, 2018 at 5:44 PM, Eric Dumazet wrote:
> > On Wed, 2018-01-31 at 16:26 -0800, Cong Wang wrote:
> >> rateest_hash is supposed to be protected by xt_rateest_mutex.
> >>
> >> Reported-by: