[PATCH 1/2, libnftnl] tests: Consolidate printing error utilities

2016-08-11 Thread Carlos Falgueras García
Created libtest.[hc] in order to consolidate code that is repeated in all tests. Signed-off-by: Carlos Falgueras García --- .gitignore | 1 + tests/Makefile.am | 52 + tests/libtest.c

Re: [PATCH v4] netfilter: nf_tables: add hash expression

2016-08-11 Thread Pablo Neira Ayuso
On Thu, Aug 11, 2016 at 09:23:14AM +0200, Laura Garcia Liebana wrote: > diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c > new file mode 100644 > index 000..eb05527 > --- /dev/null > +++ b/net/netfilter/nft_hash.c > @@ -0,0 +1,136 @@ > +/* > + * Copyright (c) 2016 Laura Garcia

[PATCH v5] netfilter: nf_tables: add hash expression

2016-08-11 Thread Laura Garcia Liebana
This patch adds a new hash expression; this provides jhash support, but it can be extended to support other hash functions. The modulus and seed already come embedded in this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana

Re: [PATCH libnftnl] expr: hash: Jenkins hash expression support

2016-08-11 Thread Pablo Neira Ayuso
Please, remove "Jenkins" from the title. And it would be good to add a test under the tests/ directory. On Tue, Aug 09, 2016 at 04:03:51PM +0200, Laura Garcia Liebana wrote: > diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h > index 6aa7756..811c254 100644 > ---

Re: [libnftnl PATCH 0/7] A bunch of covscan detected fixes

2016-08-11 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 01:58:17AM +0200, Pablo Neira Ayuso wrote: > On Fri, Aug 12, 2016 at 01:33:32AM +0200, Phil Sutter wrote: > > The following series aims at fixing a number of issues identified by > > Coverity tool. Due to limited familiarity with the whole code layout, I > > am not sure all

[libnftnl PATCH 0/7] A bunch of covscan detected fixes

2016-08-11 Thread Phil Sutter
The following series aims at fixing a number of issues identified by Coverity tool. Due to limited familiarity with the whole code layout, I am not sure all of them are really valid, but I tried my best to verify the concerns are legitimate and worth fixing. Phil Sutter (7): set: prevent

[libnftnl PATCH 7/7] ruleset: Initialize ctx.flags before calling nftnl_ruleset_ctx_set()

2016-08-11 Thread Phil Sutter
The called function otherwise accesses uninitialized data. Signed-off-by: Phil Sutter --- src/ruleset.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/ruleset.c b/src/ruleset.c index 93cf95ab61e15..a2d67cb550179 100644 --- a/src/ruleset.c +++ b/src/ruleset.c @@ -551,6

[libnftnl PATCH 3/7] expr/ct: prevent array index overrun in ctkey2str()

2016-08-11 Thread Phil Sutter
The array has NFT_CT_MAX fields, so indices must be less than that number. Fixes: 977b7a1dbe1bd ("ct: xml: use key names instead of numbers") Cc: Arturo Borrero Gonzalez Signed-off-by: Phil Sutter --- src/expr/ct.c | 2 +- 1 file changed, 1

[libnftnl PATCH 6/7] Avoid returning uninitialized data

2016-08-11 Thread Phil Sutter
Although the 'err' pointer should be interesting for users only if the parser returned non-zero, having it point to uninitialized data is generally a bad thing. Signed-off-by: Phil Sutter --- src/chain.c | 2 +- src/rule.c | 2 +- src/set.c | 2 +- src/table.c | 2 +- 4 files

Re: [libnftnl PATCH 5/7] common: Avoid integer overflow in nftnl_batch_is_supported()

2016-08-11 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 01:33:37AM +0200, Phil Sutter wrote: > time() may return -1 which is then assigned to an unsigned integer type > and used as sequence number. The following code increments that number > multiple times, so it may overflow and get libmnl confused. To avoid > this, fall back

Re: [libnftnl PATCH 2/7] ruleset: Prevent memleak in nftnl_ruleset_snprintf_*() functions

2016-08-11 Thread Phil Sutter
On Fri, Aug 12, 2016 at 01:42:02AM +0200, Pablo Neira Ayuso wrote: > On Fri, Aug 12, 2016 at 01:33:34AM +0200, Phil Sutter wrote: > > From: Phil Sutter > > > > This is an ugly aspect of the SNPRINTF_BUFFER_SIZE() macro: it contains > > a return statement and if that triggers,

[PATCH v4] netfilter: nf_tables: add hash expression

2016-08-11 Thread Laura Garcia Liebana
This patch adds a new hash expression; this provides jhash support, but it can be extended to support other hash functions. The modulus and seed already come embedded in this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana

Re: [PATCH 0/5] Check u32 load in u8 attributes

2016-08-11 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 05:29:34PM +0200, Laura Garcia Liebana wrote: > The following patchset adds a check during the load of a u32 value > into a u8 attribute which can cause an overflow. Could you collapse them all in one single patch? You can probably use this title: netfilter:

Re: [PATCH 2/4, libnfntl] Implement rule comparison

2016-08-11 Thread Pablo Neira Ayuso
On Mon, Aug 08, 2016 at 01:17:56PM +0200, Carlos Falgueras García wrote: > diff --git a/src/expr/dynset.c b/src/expr/dynset.c > index 0eaa409..fa8b8d5 100644 > --- a/src/expr/dynset.c > +++ b/src/expr/dynset.c > @@ -370,6 +370,23 @@ static void nftnl_expr_dynset_free(const struct > nftnl_expr *e)

[libnftnl PATCH 1/7] set: prevent memleak in nftnl_jansson_parse_set_info()

2016-08-11 Thread Phil Sutter
From: Phil Sutter During list populating, in the error case the function returns without freeing the newly allocated 'elem' object, thereby losing any references to it. Signed-off-by: Phil Sutter --- src/set.c | 10 +- 1 file changed, 5 insertions(+), 5

[libnftnl PATCH 2/7] ruleset: Prevent memleak in nftnl_ruleset_snprintf_*() functions

2016-08-11 Thread Phil Sutter
From: Phil Sutter This is an ugly aspect of the SNPRINTF_BUFFER_SIZE() macro: it contains a return statement and if that triggers, the function returns without freeing the iterator object. Therefore duplicate the 'ret < 0' check before calling it, freeing the iterator knowing

[libnftnl PATCH 4/7] expr/limit: Drop unreachable code in limit_to_type()

2016-08-11 Thread Phil Sutter
The function returns from inside the switch() in any case, so the final return statement is never reached. Fixes: 7769cbd9dfe69 ("expr: limit: add per-byte limiting support") Signed-off-by: Phil Sutter --- src/expr/limit.c | 1 - 1 file changed, 1 deletion(-) diff --git

Re: [libnftnl PATCH 2/7] ruleset: Prevent memleak in nftnl_ruleset_snprintf_*() functions

2016-08-11 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 01:33:34AM +0200, Phil Sutter wrote: > From: Phil Sutter > > This is an ugly aspect of the SNPRINTF_BUFFER_SIZE() macro: it contains > a return statement and if that triggers, the function returns without > freeing the iterator object. Therefore

Re: [PATCH 1/3, libnftnl] tests: Add missing tests to test-script.sh

2016-08-11 Thread Pablo Neira Ayuso
Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/3, libnftnl] expr: Fix lookup builder

2016-08-11 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 05:12:04PM +0200, Carlos Falgueras García wrote: > Deleted wrong braces that cause unwanted behaviour. Applied, thanks.

Re: [libnftnl PATCH 0/7] A bunch of covscan detected fixes

2016-08-11 Thread Phil Sutter
On Fri, Aug 12, 2016 at 02:05:54AM +0200, Pablo Neira Ayuso wrote: > On Fri, Aug 12, 2016 at 01:58:17AM +0200, Pablo Neira Ayuso wrote: > > On Fri, Aug 12, 2016 at 01:33:32AM +0200, Phil Sutter wrote: > > > The following series aims at fixing a number of issues identified by > > > Coverity tool.