Re: routing table lookup

2016-10-12 Thread Michal Kubecek
On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
>
> Yeah, sortoff. But afaik rpfilter is a iptables module, and not
> available in nftables yet.
>
> Pablo: is the "lookup in routing table from nftables" a total waste of time?

You may be interested in

[patch] netfilter: nft_exthdr: fix error handling in nft_exthdr_init()

2016-10-12 Thread Dan Carpenter
"err" needs to be signed for the error handling to work.

Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32 netlink attributes')
Signed-off-by: Dan Carpenter

diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index

[patch v2] netfilter: nf_tables: underflow in nft_parse_u32_check()

2016-10-12 Thread Dan Carpenter
We don't want to allow negatives here.

Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32 netlink attributes')
Signed-off-by: Dan Carpenter
---
v2: cosmetic change

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index

Re: [RFC] SIP conntrack handler and TCP fragmentation

2016-10-12 Thread Florian Westphal
Ulrich Weber wrote:
> From reading the code this fixed the problem when Content-Length
> points to one of the next TCP fragments.

Right.

> In our case Content-Length is always 0 with a couple of SUBSCRIBE calls.
> E.g. a TCP packet starting with this will break the SIP

Re: [RFC] SIP conntrack handler and TCP fragmentation

2016-10-12 Thread Ulrich Weber
Hi Florian,

On 12.10.2016 09:52, Florian Westphal wrote:
> Ulrich Weber wrote:
>> I know the proper solution would be TCP defragmentation
>> in the nf_conntrack_sip kernel module. However I'm not
>> sure if this is worth the effort.
>
> I think an even better solution

[RFC] SIP conntrack handler and TCP fragmentation

2016-10-12 Thread Ulrich Weber
Hi all,

we had a customer with a Cisco Phone using SIP over TCP which subscribed to 15 Phone numbers. Since 15 subscribe calls don't fit in one packet, these requests were fragmented in multiple TCP packets.

One of these fragments gets rejected then by nf_conntrack_sip with:

nf_ct_sip: dropping

[patch] netfilter: nf_tables: underflow in nft_parse_u32_check()

2016-10-12 Thread Dan Carpenter
We don't want to allow negatives here.

Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32 netlink attributes')
Signed-off-by: Dan Carpenter

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b70d3ea..dd55187 100644

Re: [RFC] SIP conntrack handler and TCP fragmentation

2016-10-12 Thread Florian Westphal
Ulrich Weber wrote:
> we had a customer with a Cisco Phone using SIP over TCP
> which subscribed to 15 Phone numbers.
>
> Since 15 subscribe calls don't fit in one packet, these
> requests were fragmented in multiple TCP packets.
>
> One of these fragments gets rejected

[PATCH nf] netfilter: nft_hash: add missing NFTA_HASH_OFFSET's nla_policy

2016-10-12 Thread Liping Zhang
From: Liping Zhang

Missing the nla_policy description will also miss the validation check in kernel.

Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add hash offset value")
Signed-off-by: Liping Zhang
---
 net/netfilter/nft_hash.c | 1 +
 1

[PATCH nf] netfilter: xt_ipcomp: add "ip[6]t_ipcomp" module alias name

2016-10-12 Thread Liping Zhang
From: Liping Zhang

Otherwise, user cannot add related rules if xt_ipcomp.ko is not loaded:

# iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 1
iptables: No chain/target/match by that name.

Signed-off-by: Liping Zhang
---

Re: routing table lookup

2016-10-12 Thread Bjørnar Ness
2016-10-12 8:19 GMT+02:00 Michal Kubecek :
> On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
>>
>> Yeah, sortoff. But afaik rpfilter is a iptables module, and not
>> available in nftables yet.
>>
>> Pablo: is the "lookup in routing table from nftables" a total waste

Re: [RFC] SIP conntrack handler and TCP fragmentation

2016-10-12 Thread Ulrich Weber
On 12.10.2016 13:41, Florian Westphal wrote:
> Ulrich Weber wrote:
>> From reading the code this fixed the problem when Content-Length
>> points to one of the next TCP fragments.
>
> Right.
>
>> In our case Content-Length is always 0 with a couple of SUBSCRIBE calls.
>>

Re: [patch] netfilter: nf_tables: underflow in nft_parse_u32_check()

2016-10-12 Thread Liping Zhang
2016-10-12 14:08 GMT+08:00 Dan Carpenter :
> We don't want to allow negatives here.
>
> Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32
> netlink attributes')
> Signed-off-by: Dan Carpenter
>
> diff --git