Pablo Neira Ayuso wrote:
> On Wed, Feb 07, 2018 at 02:48:22PM +0100, Florian Westphal wrote:
> > remove several pr_info messages that cannot be triggered with iptables.
> >
> > Signed-off-by: Florian Westphal
> > ---
> > net/ipv4/netfilter/ipt_ECN.c | 10
Pablo Neira Ayuso wrote:
> > --- a/net/bridge/netfilter/ebt_among.c
> > +++ b/net/bridge/netfilter/ebt_among.c
> > @@ -187,17 +187,17 @@ static int ebt_among_mt_check(const struct
> > xt_mtchk_param *par)
> > expected_length += ebt_mac_wormhash_size(wh_src);
> >
> >
Pablo Neira Ayuso wrote:
> On Wed, Feb 07, 2018 at 02:48:23PM +0100, Florian Westphal wrote:
> > prefer pr_debug for cases where error is usually not seen by users.
> > checkpatch complains due to lines > 80 but adding a newline doesn't
> > make things any more readable.
> >
On Wed, Feb 07, 2018 at 08:23:23PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > --- a/net/bridge/netfilter/ebt_among.c
> > > +++ b/net/bridge/netfilter/ebt_among.c
> > > @@ -187,17 +187,17 @@ static int ebt_among_mt_check(const struct
> > > xt_mtchk_param
On Wed, 7 Feb 2018 18:44:39 +0100 Pablo Neira Ayuso wrote:
> Hi,
>
> On Wed, Jan 31, 2018 at 09:19:16AM +0100, Michal Hocko wrote:
> [...]
> > Yeah, we do not BUG but rather fail instead. See __vmalloc_node_range.
> > My excavation tools pointed me to "VM: Rework vmalloc
From: Pablo Neira Ayuso
Date: Wed, 7 Feb 2018 18:42:18 +0100
> The following patchset contains Netfilter fixes for your net tree, they
> are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
>
On 02/06/2018 05:37 PM, Pablo Neira Ayuso wrote:
> This patch allows netlink busses to provide object descriptions to
> userspace, in terms of supported attributes and their corresponding
> datatypes.
>
> Userspace sends a request that looks like:
>
> netlink header
> NLA_DESC_REQ_BUS
Hi all,
Commit
d8ed9600581d ("netfilter: remove useless prototype")
is missing a Signed-off-by from its committer.
--
Cheers,
Stephen Rothwell
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo
There is a race condition between clusterip_config_entry_put()
and clusterip_config_init(), after we release the spinlock in
clusterip_config_entry_put(), a new proc file with a same IP could
be created immediately since it is already removed from the configs
list, therefore it triggers this
On Tue, 2018-02-06 at 22:42 -0800, Cong Wang wrote:
> On Tue, Feb 6, 2018 at 6:27 AM, syzbot
> wrote:
> > Hello,
> >
> > syzbot hit the following crash on net-next commit
> > 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018
flow_offload_del frees the flow, so all associated resources must be
freed before.
Since the ct entry in struct flow_offload_entry was allocated by
flow_offload_alloc, it should be freed by flow_offload_free to take care
of the error handling path when flow_offload_add fails.
While at it, make
On Wed, 7 Feb 2018, Pablo Neira Ayuso wrote:
> On Tue, Feb 06, 2018 at 07:18:47PM +0100, Phil Sutter wrote:
> > Automatic merging of adjacent/overlapping ranges upon insertion has
> > clear benefits performance- and readability-wise. The drawbacks which
> > led to disabling it by default don't
Signed-off-by: Ville Skyttä
---
INSTALL | 2 +-
doc/nft.xml | 2 +-
include/datatype.h | 2 +-
src/exthdr.c| 4 ++--
Hi Pablo,
On Wed, Feb 07, 2018 at 12:39:43AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Feb 06, 2018 at 07:18:47PM +0100, Phil Sutter wrote:
> > Automatic merging of adjacent/overlapping ranges upon insertion has
> > clear benefits performance- and readability-wise. The drawbacks which
> > led to
You dropped syzbot from CC ;)
Add syzbot+03218bcdba6aa7644...@syzkaller.appspotmail.com to To or CC.
On Wed, Feb 7, 2018 at 11:42 AM, syzbot
wrote:
>> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
>> master
>
>
> Can't find the
On Wed, Feb 07, 2018 at 09:49:02AM +0100, Felix Fietkau wrote:
> flow_offload_del frees the flow, so all associated resources must be
> freed before.
>
> Since the ct entry in struct flow_offload_entry was allocated by
> flow_offload_alloc, it should be freed by flow_offload_free to take care
> of
On Wed, Feb 07, 2018 at 11:50:41AM +0900, Taehee Yoo wrote:
> prototype nf_ct_nat_offset is not used anymore.
Applied, thanks.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
master
Can't find the corresponding bug.
I can't reproduce the issue locally, so asking the syzbot to test the
tentative fix for me (and hoping I did not mess with the tag/format)
---
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
I can't reproduce the issue locally, so asking the syzbot to test the
tentative fix for me (and hoping I did not mess with the tag/format)
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 30 +++---
1
Hello,
syzbot tried to test the proposed patch but build/boot failed:
kernel build failed: failed to run /usr/bin/make [make bzImage -j 32
CC=/syzkaller/gcc/bin/gcc]: exit status 2
scripts/kconfig/conf --silentoldconfig Kconfig
CHK include/config/kernel.release
CHK
Paolo Abeni wrote:
[ pruning CC list ]
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
>
> I can't reproduce the issue locally, so asking the syzbot to test the
> tentative fix for me (and hoping I did not mess with the tag/format)
I can
The rationale for removing the check is only correct for rulesets
generated by ip(6)tables.
In iptables, a jump can only occur to a user-defined chain, i.e.
because we size the stack based on number of user-defined chains we
cannot exceed stack size.
However, the underlying binary format has no
Aeons ago, before namespaces, there was no need to ratelimit this:
all of these error messages got triggered in response to iptables
commands, which need CAP_NET_ADMIN.
Nowadays we have namespaces, so it's better to ratelimit these.
This should also help fuzzing (syzkaller), as it can generate a
Signed-off-by: Florian Westphal
---
net/bridge/netfilter/ebt_among.c | 10
net/bridge/netfilter/ebt_limit.c | 4 ++--
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_REJECT.c | 4 ++--
net/ipv6/netfilter/ip6t_REJECT.c | 4 ++--
remove several pr_info messages that cannot be triggered with iptables.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/ipt_ECN.c | 10 --
net/netfilter/xt_HL.c| 13 +++--
net/netfilter/xt_LED.c | 4 +---
net/netfilter/xt_cgroup.c| 4
checkpatch complains about line > 80 but this would require splitting
"literal" over two lines which is worse.
Signed-off-by: Florian Westphal
---
net/netfilter/xt_CT.c | 25 +
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git
Signed-off-by: Florian Westphal
---
net/netfilter/x_tables.c | 70 +++-
1 file changed, 34 insertions(+), 36 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 2f685ee1f9c8..0f81294dea7b 100644
---
all of these print simple error message - use single pr_ratelimit call.
checkpatch complains about lines > 80 but this would require splitting
several "literals" over multiple lines which is worse.
Signed-off-by: Florian Westphal
---
net/netfilter/xt_HMARK.c| 24
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/ipt_rpfilter.c | 4 ++--
net/ipv6/netfilter/ip6t_rpfilter.c | 4 ++--
net/netfilter/xt_CONNSECMARK.c | 4 ++--
net/netfilter/xt_SECMARK.c | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git
prefer pr_debug for cases where error is usually not seen by users.
checkpatch complains due to lines > 80 but adding a newline doesn't
make things any more readable.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
On Wed, 2018-02-07 at 09:43 +0100, Paolo Abeni wrote:
> On Tue, 2018-02-06 at 22:42 -0800, Cong Wang wrote:
> > On Tue, Feb 6, 2018 at 6:27 AM, syzbot
> > wrote:
> > > Hello,
> > >
> > > syzbot hit the following crash on net-next commit
> >
Thanks for your advice. I will try to create the erroneous situation
by triggering icmp error for existing connection and try non-tcp patch
and kernel upgrade respectively. I will report the results at mail
list.
> On Tue, Feb 6, 2018, 7:10 AM Pablo Neira Ayuso wrote:
>>
>>
Hi Florian,
Thanks for looking into this, comments below.
On Wed, Feb 07, 2018 at 02:48:28PM +0100, Florian Westphal wrote:
> Signed-off-by: Florian Westphal
> ---
> net/bridge/netfilter/ebt_among.c | 10
> net/bridge/netfilter/ebt_limit.c | 4 ++--
>
On Wed, Feb 07, 2018 at 02:48:23PM +0100, Florian Westphal wrote:
> prefer pr_debug for cases where error is usually not seen by users.
> checkpatch complains due to lines > 80 but adding a newline doesn't
> make things any more readable.
>
> Signed-off-by: Florian Westphal
> ---
On Wed, Feb 07, 2018 at 02:48:22PM +0100, Florian Westphal wrote:
> remove several pr_info messages that cannot be triggered with iptables.
>
> Signed-off-by: Florian Westphal
> ---
> net/ipv4/netfilter/ipt_ECN.c | 10 --
> net/netfilter/xt_HL.c| 13 +++--
From: Subash Abhinov Kasiviswanathan
Failures were seen in ICMPv6 fragmentation timeout tests if they were
run after the RFC2460 failure tests. Kernel was not sending out the
ICMPv6 fragment reassembly time exceeded packet after the fragmentation
reassembly timeout of 1
config NF_FLOW_TABLE depends on NETFILTER_INGRESS. If users forget to
enable this toggle, flowtable registration fails with EOPNOTSUPP.
Moreover, turn 'select NF_FLOW_TABLE' in every flowtable family flavour
into dependency instead, otherwise this new dependency on
NETFILTER_INGRESS causes a
Every flow_offload entry is added into the table twice. Because of this,
rhashtable_free_and_destroy can't be used, since it would call kfree for
each flow_offload object twice.
This patch cleans up the flowtable via nf_flow_table_iterate() to
schedule removal of entries by setting on the dying
From: Felix Fietkau
flow_offload_del frees the flow, so all associated resources must be
freed before.
Since the ct entry in struct flow_offload_entry was allocated by
flow_offload_alloc, it should be freed by flow_offload_free to take care
of the error handling path when
If netdevice goes down, then flowtable entries are scheduled to be
removed. Wait for garbage collector to have a chance to run so it can
delete them from the hashtable.
The flush call might sleep, so hold the nfnl mutex from
nft_flow_table_iterate() instead of rcu read side lock. The use of the
nft_flow_offload module removal does not require to flush existing
flowtables, it is valid to remove this module while keeping flowtables
around.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_flow_offload.c | 6 --
1 file changed, 6 deletions(-)
diff --git
From: Michal Hocko
syzbot has noticed that xt_alloc_table_info can allocate a lot of memory.
This is an admin only interface but an admin in a namespace is sufficient
as well. eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() in
xt_alloc_table_info()") has changed the
From: Cong Wang
rateest_hash is supposed to be protected by xt_rateest_mutex,
and, as suggested by Eric, lookup and insert should be atomic,
so we should acquire the xt_rateest_mutex once for both.
So introduce a non-locking helper for internal use and keep the
locking
Hi David,
The following patchset contains Netfilter fixes for your net tree, they
are:
1) Restore __GFP_NORETRY in xt_table allocations to mitigate effects of
large memory allocation requests, from Michal Hocko.
2) Release IPv6 fragment queue in case of error in fragmentation header,
this
From: Cong Wang
xt_cgroup_info_v1->priv is an internal pointer only used for kernel,
we should not trust what user-space provides.
Reported-by:
Fixes: c38c4597e4bf ("netfilter: implement xt_cgroup cgroup2 path
Move the flowtable cleanup routines to nf_flow_table and expose the
nf_flow_table_cleanup() helper function.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 3 +++
net/netfilter/nf_flow_table.c | 24
Hi,
On Wed, Jan 31, 2018 at 09:19:16AM +0100, Michal Hocko wrote:
[...]
> Yeah, we do not BUG but rather fail instead. See __vmalloc_node_range.
> My excavation tools pointed me to "VM: Rework vmalloc code to support mapping
> of arbitray pages"
> by Christoph back in 2002. So yes, we can safely
This rejects rulesets where a jump occurs to a non-user defined chain.
This isn't limited in any way in the binary format (you can jump to
any rule you want within the blob structure), but iptables tools
do not offer such a feature.
Sending as RFC as this limits features that might be used by
Hello,
syzbot tried to test the proposed patch but build/boot failed:
kernel build failed: failed to run /usr/bin/make [make bzImage -j 32
CC=/syzkaller/gcc/bin/gcc]: exit status 2
scripts/kconfig/conf --silentoldconfig Kconfig
CHK include/config/kernel.release
CHK