On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
>
> Yeah, sort of. But afaik rpfilter is an iptables module, and not
> available in nftables yet.
>
> Pablo: is the "lookup in routing table from nftables" a total waste of time?
You may be interested in
"err" needs to be signed for the error handling to work.
Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32
netlink attributes')
Signed-off-by: Dan Carpenter
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index
We don't want to allow negatives here.
Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32
netlink attributes')
Signed-off-by: Dan Carpenter
---
v2: cosmetic change
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index
Ulrich Weber wrote:
> From reading the code this fixed the problem when Content-Length
> points to one of the next TCP fragments.
Right.
> In our case Content-Length is always 0 with a couple of SUBSCRIBE calls.
> E.g. a TCP packet starting with this will break the SIP
Hi Florian,
On 12.10.2016 09:52, Florian Westphal wrote:
> Ulrich Weber wrote:
>> I know the proper solution would be TCP defragmentation
>> in the nf_conntrack_sip kernel module. However I'm not
>> sure if this is worth the effort.
>
> I think an even better solution
Hi all,
we had a customer with a Cisco Phone using SIP over TCP
which subscribed to 15 Phone numbers.
Since 15 subscribe calls don't fit in one packet, these
requests were fragmented in multiple TCP packets.
One of these fragments gets rejected then by nf_conntrack_sip with:
nf_ct_sip: dropping
We don't want to allow negatives here.
Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32
netlink attributes')
Signed-off-by: Dan Carpenter
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b70d3ea..dd55187 100644
Ulrich Weber wrote:
> we had a customer with a Cisco Phone using SIP over TCP
> which subscribed to 15 Phone numbers.
>
> Since 15 subscribe calls don't fit in one packet, these
> requests were fragmented in multiple TCP packets.
>
> One of these fragments gets rejected
From: Liping Zhang
Missing the nla_policy description will also miss the validation check
in kernel.
Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add hash offset value")
Signed-off-by: Liping Zhang
---
net/netfilter/nft_hash.c | 1 +
1
From: Liping Zhang
Otherwise, user cannot add related rules if xt_ipcomp.ko is not loaded:
# iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 1
iptables: No chain/target/match by that name.
Signed-off-by: Liping Zhang
---
2016-10-12 8:19 GMT+02:00 Michal Kubecek :
> On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
>>
>> Yeah, sort of. But afaik rpfilter is an iptables module, and not
>> available in nftables yet.
>>
>> Pablo: is the "lookup in routing table from nftables" a total waste
On 12.10.2016 13:41, Florian Westphal wrote:
> Ulrich Weber wrote:
>> From reading the code this fixed the problem when Content-Length
>> points to one of the next TCP fragments.
>
> Right.
>
>> In our case Content-Length is always 0 with a couple of SUBSCRIBE calls.
>>
2016-10-12 14:08 GMT+08:00 Dan Carpenter :
> We don't want to allow negatives here.
>
> Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32
> netlink attributes')
> Signed-off-by: Dan Carpenter
>
> diff --git