On Mon, Mar 21, 2016 at 11:15:19AM -0700, Jarno Rajahalme wrote:
> OVS should call into CT NAT for packets of new expected connections only
> when the conntrack state is persisted with the 'commit' option to the
> OVS CT action. The test for this condition is doubly wrong, as the CT
> status field
On 21/03/16 23:10, Pablo Neira Ayuso wrote:
On Tue, Mar 15, 2016 at 09:28:04PM +0100, Carlos Falgueras García wrote:
These functions allow creating a buffer (nftnl_udata_buf) of TLV objects
(nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store
several variable length user
On 21/03/16 23:13, Pablo Neira Ayuso wrote:
On Tue, Mar 15, 2016 at 09:28:07PM +0100, Carlos Falgueras García wrote:
Now it is possible to store multiple variable length user data into a rule.
Modify the parser in order to fill the nftnl_udata with the comment, and
the print function for extract t
Some basic test regarding chains: jumps and validations.
Signed-off-by: Arturo Borrero Gonzalez
---
NOTE: the testcases/chains/0009masquerade_jump_1 file fails, seems like a bug
in the kernel validation. Needs more investigation.
tests/shell/testcases/chains/0001jumps_0 | 17 +++
On Tue, 2016-03-22 at 08:21 -0700, Eric Dumazet wrote:
> On Tue, 2016-03-22 at 23:08 +0800, Baozeng Ding wrote:
> > Hi all,
> >
> > The following program triggers an out-of-bounds bug in
> > sctp_getsockopt. The kernel version is 4.5 (on Mar 16
> > commit 09fd671ccb2475436bd5f597f751ca4a7d177aea).
On Tue, Mar 22, 2016 at 12:36:55PM +0100, Carlos Falgueras García wrote:
> On 21/03/16 23:10, Pablo Neira Ayuso wrote:
> >On Tue, Mar 15, 2016 at 09:28:04PM +0100, Carlos Falgueras García wrote:
> >>These functions allow creating a buffer (nftnl_udata_buf) of TLV objects
> >>(nftnl_udata). It is i
Otherwise this function may read data beyond the ruleset blob.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/arp_tables.c | 6 --
net/ipv4/netfilter/ip_tables.c | 6 --
net/ipv6/netfilter/ip6_tables.c | 6 --
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/n
We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/arp_tables.c | 17 -
net/ipv4/netfilter/ip_tables.c | 17 -
net/ipv
We have targets and standard targets -- the latter carries a verdict, so we
must check the standard size as well here -- later functions access t->verdict
which otherwise can point after the blob end.
Spotted with UBSAN.
Signed-off-by: Florian Westphal
---
include/linux/netfilter/x_tables.h |
3rd iteration.
In addition to the problem reported by Ben Hawkes this also adds
a few checks to better validate ->next_offset and the target.
I checked that ip(6)tables-restore still works w. simple rulesets.
The reproducer doesn't work anymore w. patch #4 applied.
--
To unsubscribe from this l
Ben Hawkes says:
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset.
Problem is that mark_source_
Ben Hawkes reported an out-of-bounds write in mark_source_chains().
This was caused by improper underflow check -- we should have bailed
earlier.
The underflow check has been fixed in the preceding change
("netfilter: x_tables: fix unconditional helper").
Just to be safe also add checks to mark_
On Tue, Mar 22, 2016 at 06:02:53PM +0100, Florian Westphal wrote:
> Ben Hawkes reported an out-of-bounds write in mark_source_chains().
> This was caused by improper underflow check -- we should have bailed
> earlier.
>
> The underflow check has been fixed in the preceding change
> ("netfilter: x
On Tue, Mar 22, 2016 at 10:43:06AM +0530, Shivani Bhardwaj wrote:
> Add the --disable-connlabel option and the appropriate functionality
> associated with it.
>
> After this patch, iptables configuration shows up as:
>
> Iptables Configuration:
> IPv4 support: yes
> IP
Hi Arturo,
On Fri, Mar 18, 2016 at 08:29:29PM +0100, Arturo Borrero Gonzalez wrote:
> Currently, the parser allows both 'handle' and 'position' as part of the
> same grammar rule. But we don't combine them in any case actually.
>
> As a result of this, deleting rules using "position" keyword deletes
On Sat, Mar 19, 2016 at 02:05:49AM +0530, Guruswamy Basavaiah wrote:
> translation for iptables --flush
>
> Examples:
> $ sudo iptables-translate -F INPUT
> nft flush chain ip filter INPUT
>
> $ sudo iptables-translate -F -t nat
> nft flush table ip nat
Applied, thanks.
--
To unsubscribe from th
On Fri, Mar 18, 2016 at 02:32:08PM +0100, Arturo Borrero Gonzalez wrote:
> New simple testcases for kernel commit/rollback operations.
>
> * ruleset A is loaded (good ruleset)
> * ruleset B is loaded (bad ruleset): fail is expected
> * ruleset A should remain in the kernel
$ git am nft-tests-shel
I am trying to use netfilter, and expectations, for ALG development. But
running the example test for creating a new expectation doesn't work. I
thought it used to on an older version, but not now. I see there are a lot
of changes to conntrack lately and wonder if this has been changed?
Here
Hi Stephane,
We're almost there, a bit more changes for this please.
On Sun, Mar 20, 2016 at 09:06:46AM +0100, Stephane Bryant wrote:
> This makes nf queues use NFQA_VLAN and NFQA_L2HDR in verdict to modify the
> original skb
>
> Signed-off-by: Stephane Bryant
> ---
> net/netfilter/nfnetlink_q
On Tue, Mar 22, 2016 at 02:51:19PM -0400, Bill wrote:
> I am trying to use netfilter, and expectations, for ALG development. But
> running the example test for creating a new expectation doesn't work. I
> thought it used to on an older version, but not now. I see there are a lot
> of changes to
On Fri, Mar 18, 2016 at 09:41:31AM +0100, Arturo Borrero Gonzalez wrote:
> From: Arturo Borrero Gonzalez
>
> The modprobe call can return != 0 if, for example, a module was builtin and
> we are trying to remove it, so force return code of 0 at the end of the
> script.
>
> This patch also adds t
On Tue, Mar 22, 2016 at 02:06:09PM +0100, Arturo Borrero Gonzalez wrote:
> Some basic test regarding chains: jumps and validations.
>
> Signed-off-by: Arturo Borrero Gonzalez
> ---
> NOTE: the testcases/chains/0009masquerade_jump_1 file fails, seems like a bug
> in the kernel validation. Needs mor
Now it is possible to store multiple variable length user data into a rule.
Modify the parser in order to fill the nftnl_udata with the comment, and
the print function for extracting these comments and printing them to the user.
Signed-off-by: Carlos Falgueras García
---
include/rule.h| 7 +
Now it is possible to store multiple variable length user data into a rule.
Modify XML and JSON parsers to support this new feature.
Signed-off-by: Carlos Falgueras García
---
include/json.h | 7 ++
include/utils.h | 2 +
include/xml.h | 6 ++
src/jansson.c | 66 +++
src/
Modify nft-rule-test.c to check TLV attribute inclusion in nftnl_rule.
Add "*-rule-udata.[json|xml]" to check parsers.
Signed-off-by: Carlos Falgueras García
---
tests/jsonfiles/71-rule-udata.json | 1 +
tests/nft-rule-test.c | 21 +
tests/xmlfiles/82-rule-udata
These functions allow creating a buffer (nftnl_udata_buf) of TLV objects
(nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store
several variable length user data into an object.
Example usage:
```
struct nftnl_udata_buf *buf;
struct nftnl_udata *attr;
```
Good day,
On 22.03.2016 14:06, Arturo Borrero Gonzalez wrote:
Some basic test regarding chains: jumps and validations.
Signed-off-by: Arturo Borrero Gonzalez
---
NOTE: the testcases/chains/0009masquerade_jump_1 file fails, seems like a bug
in the kernel validation. Needs more investigation.