Re: [PATCH nf-next,RFC 03/10] netfilter: bridge: kill NF_HOOK_THRESH() and state->tresh

2016-10-13 Thread Pablo Neira Ayuso
On Thu, Oct 13, 2016 at 05:10:55PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Thu, Oct 13, 2016 at 02:25:45PM +0200, Florian Westphal wrote: > > > Pablo Neira Ayuso wrote: > > > > Patch c5136b15ea36 ("netfilter: bridge: add and use

Re: [PATCH nf-next,RFC 03/10] netfilter: bridge: kill NF_HOOK_THRESH() and state->tresh

2016-10-13 Thread Pablo Neira Ayuso
On Thu, Oct 13, 2016 at 02:25:45PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh") > > introduced br_nf_hook_thresh(). > > > > Replace NF_HOOK_THRESH() by br_nf_hook_thresh from > >

Re: [PATCH nf-next,RFC 03/10] netfilter: bridge: kill NF_HOOK_THRESH() and state->tresh

2016-10-13 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Thu, Oct 13, 2016 at 02:25:45PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh") > > > introduced br_nf_hook_thresh(). > > > > > >

Re: [PATCH nf-next,RFC 03/10] netfilter: bridge: kill NF_HOOK_THRESH() and state->tresh

2016-10-13 Thread Florian Westphal
Pablo Neira Ayuso wrote: > int br_nf_hook_thresh(unsigned int hook, struct net *net, > struct sock *sk, struct sk_buff *skb, > struct net_device *indev, > struct net_device *outdev, > int

Re: [PATCH nf-next,RFC 08/10] netfilter: move NF_QUEUE handling away from core

2016-10-13 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > Any reason why this is needed? > > AFAICS xt_NFQUEUE will never return NF_QUEUE after this patch. > > -j QUEUE uses the standard target to return NF_QUEUE. This is very > primitive way to queue packets to userspace queue 0 via nf_queue, but >

Re: [PATCH nf-next,RFC 08/10] netfilter: move NF_QUEUE handling away from core

2016-10-13 Thread Pablo Neira Ayuso
On Thu, Oct 13, 2016 at 02:38:21PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: [...] > > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c > > index de4fa03f46f3..7040842c34f4 100644 > > --- a/net/ipv4/netfilter/ip_tables.c > > +++

Re: slab corruption with current -git

2016-10-13 Thread Linus Torvalds
On Wed, Oct 12, 2016 at 11:27 PM, Markus Trippelsdorf wrote: > > Yeah. > > 105 entry->orig_ops = reg; > 106 entry->ops = *reg; > 107 entry->next = NULL; So ipt_register_table() does: ret = nf_register_net_hooks(net, ops,

Re: slab corruption with current -git

2016-10-13 Thread Al Viro
On Thu, Oct 13, 2016 at 12:49:33PM -0700, Linus Torvalds wrote: > That said, xt_hook_ops_alloc() itself is odd. Lookie here, this is the > loop that initializes things: > > for (i = 0, hooknum = 0; i < num_hooks && hook_mask != 0; > hook_mask >>= 1, ++hooknum) { > > and it

Re: slab corruption with current -git

2016-10-13 Thread Florian Westphal
Linus Torvalds wrote: > On Wed, Oct 12, 2016 at 11:27 PM, Markus Trippelsdorf > wrote: > > > > Yeah. > > > > 105 entry->orig_ops = reg; > > 106 entry->ops = *reg; > > 107 entry->next = NULL; > > So

Re: [PATCH net 2/2] conntrack: enable to tune gc parameters

2016-10-13 Thread Florian Westphal
Nicolas Dichtel wrote: > Le 10/10/2016 à 16:04, Florian Westphal a écrit : > > Nicolas Dichtel wrote: > >> After commit b87a2f9199ea ("netfilter: conntrack: add gc worker to remove > >> timed-out entries"), netlink conntrack deletion events

[PATCH libnftnl] src: add range expression

2016-10-13 Thread Pablo Neira Ayuso
Add the range expression that is scheduled to be available in Linux kernel 4.9. This range expression allows us to check if a given value placed in a register is within/outside a specified interval. Signed-off-by: Pablo Neira Ayuso --- include/libnftnl/expr.h | 7 +

[PATCH 1/2 nf] netfilter: nf_queue: don't re-enter same hook on packet reinjection

2016-10-13 Thread Pablo Neira Ayuso
Make sure we skip the current hook from where the packet was enqueued, otherwise the packet gets enqueued over and over again. Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list") Signed-off-by: Pablo Neira Ayuso --- I managed to reproduce this with

[PATCH 2/2 nf] netfilter: nft_range: validate operation netlink attribute

2016-10-13 Thread Pablo Neira Ayuso
Use nft_parse_u32_check() to make sure we don't get a value over the unsigned 8-bit integer. Moreover, make sure this value doesn't go over the two supported range comparison modes. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_range.c | 16 +++- 1 file

Re: slab corruption with current -git

2016-10-13 Thread Markus Trippelsdorf
On 2016.10.13 at 08:02 +0200, Markus Trippelsdorf wrote: > On 2016.10.11 at 04:57 -0400, David Miller wrote: > > From: Linus Torvalds > > Date: Mon, 10 Oct 2016 22:47:50 -0700 > > > > > On Mon, Oct 10, 2016 at 10:39 PM, Linus Torvalds > > >

[PATCH nft] src: use new range expression for != [a,b] intervals

2016-10-13 Thread Pablo Neira Ayuso
Use the new range expression in the kernel to fix wrong bytecode generation. This patch also adjusts tests so we don't hit problems there. Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nf_tables.h| 29 + src/netlink_delinearize.c

Re: [PATCH 1/2 nf] netfilter: nf_queue: don't re-enter same hook on packet reinjection

2016-10-13 Thread Aaron Conole
Pablo Neira Ayuso writes: > Make sure we skip the current hook from where the packet was enqueued, > otherwise the packet gets enqueued over and over again. > > Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list") > Signed-off-by: Pablo Neira Ayuso

[PATCH nf-next,RFC 02/10] netfilter: remove comments that predate rcu days

2016-10-13 Thread Pablo Neira Ayuso
We cannot block/sleep in nf_iterate because netfilter runs under the rcu read lock these days, where blocking is illegal. So let's remove these old comments. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/core.c | 7 --- 1 file changed, 7 deletions(-) diff --git

[PATCH nf-next,RFC 01/10] netfilter: get rid of useless debugging from core

2016-10-13 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- net/netfilter/core.c | 9 - 1 file changed, 9 deletions(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index fcb5d1df11e9..7b723bcd2522 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -323,15 +323,6

Re: [PATCH nf-next,RFC 03/10] netfilter: bridge: kill NF_HOOK_THRESH() and state->tresh

2016-10-13 Thread Florian Westphal
Pablo Neira Ayuso wrote: > Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh") > introduced br_nf_hook_thresh(). > > Replace NF_HOOK_THRESH() by br_nf_hook_thresh from > br_nf_forward_finish(), so we have no more callers for this macro. > > As a result,

[PATCH nf-next,RFC 08/10] netfilter: move NF_QUEUE handling away from core

2016-10-13 Thread Pablo Neira Ayuso
Export a new nf_queue() function that translates the NF_QUEUE verdict depending on the scenario: 1) Drop packet if queue is full. 2) Accept packet if bypass is enabled. 3) Return stolen if packet is enqueued. We can call this function from xt_NFQUEUE and nft_queue. Thus, we move packet queuing

[PATCH nf-next,RFC 04/10] netfilter: deprecate NF_STOP

2016-10-13 Thread Pablo Neira Ayuso
NF_STOP is only used by br_netfilter these days, and it can be emulated with a combination of NF_STOLEN plus an explicit call to the ->okfn() function, as Florian suggests. To retain binary compatibility with userspace nf_queue applications, we have to keep NF_STOP around, so libnetfilter_queue

[PATCH nf-next,RFC 07/10] netfilter: use switch() to handle verdict cases from nf_hook_slow()

2016-10-13 Thread Pablo Neira Ayuso
Use switch() for verdict handling and add explicit handling for NF_STOLEN and other non-conventional verdicts. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/core.c | 28 ++-- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git

[PATCH nf-next,RFC 10/10] netfilter: inline nf_hook_slow() and rename it to nf_hook_iterate()

2016-10-13 Thread Pablo Neira Ayuso
Now that this function has become smaller, inline it and use a better name to describe what this is doing. Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter.h | 41 +-- include/linux/netfilter_ingress.h | 2 +-

[PATCH nf-next,RFC 00/10] Netfilter core updates

2016-10-13 Thread Pablo Neira Ayuso
Hi, This is a quick RFC that has passed just very basic testing here. This patchset achieves what has been discussed during NetDev 1.2: 1) Deprecate NF_STOP, as this is only used by br_netfilter. 2) Remove threshold handling, as this is also only used by br_netfilter. 3) Move NF_QUEUE

[PATCH nf-next,RFC 03/10] netfilter: bridge: kill NF_HOOK_THRESH() and state->tresh

2016-10-13 Thread Pablo Neira Ayuso
Patch c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh") introduced br_nf_hook_thresh(). Replace NF_HOOK_THRESH() by br_nf_hook_thresh from br_nf_forward_finish(), so we have no more callers for this macro. As a result, state->thresh and the explicit thresh parameter in the hook state

[PATCH nf-next,RFC 06/10] netfilter: nf_tables: use hook state from xt_action_param structure

2016-10-13 Thread Pablo Neira Ayuso
Don't copy relevant fields from the hook state structure; instead use the one that is already available in struct xt_action_param. This patch also adds a set of new wrapper functions to fetch relevant hook state structure fields. Signed-off-by: Pablo Neira Ayuso ---

[PATCH nf-next,RFC 09/10] netfilter: merge nf_iterate() into nf_hook_slow()

2016-10-13 Thread Pablo Neira Ayuso
nf_iterate() has become rather simple, we can integrate this code into nf_hook_slow() to reduce the amount of LOC in the core path. However, we still need nf_iterate() around for nf_queue packet handling, so move this function there where we only need it. I think it should be possible to refactor

[PATCH nf-next,RFC 05/10] netfilter: x_tables: move hook state into xt_action_param structure

2016-10-13 Thread Pablo Neira Ayuso
Place a pointer to the hook state in the xt_action_param structure instead of copying the fields that we need. After this change xt_action_param fits into one cacheline. This patch also adds a set of new wrapper functions to fetch relevant hook state structure fields. Signed-off-by: Pablo Neira Ayuso

Re: slab corruption with current -git

2016-10-13 Thread Markus Trippelsdorf
On 2016.10.11 at 04:57 -0400, David Miller wrote: > From: Linus Torvalds > Date: Mon, 10 Oct 2016 22:47:50 -0700 > > > On Mon, Oct 10, 2016 at 10:39 PM, Linus Torvalds > > wrote: > >> > >> I guess I will have to double-check that the

Re: slab corruption with current -git

2016-10-13 Thread Markus Trippelsdorf
On 2016.10.12 at 23:18 -0700, Linus Torvalds wrote: > On Oct 12, 2016 23:07, "Markus Trippelsdorf" wrote: > > > > This is nf_register_net_hook at net/netfilter/core.c:106 > > The "*regs" access? Yeah. 105 entry->orig_ops = reg; 106 entry->ops = *reg;