Eric Dumazet wrote:
> On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > syzbot reported a division by 0 bug in the netfilter nat code:
>
> > Adding the relevant check at parse time could break existing
> > setup, moreover we would need to read/write such values
On Wed, Feb 14, 2018 at 01:30:37PM +0100, Florian Westphal wrote:
> Eric Dumazet wrote:
> > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > > syzbot reported a division by 0 bug in the netfilter nat code:
> >
> > > Adding the relevant check at parse time could
On Mon, 2018-01-22 at 15:54 +0100, Anders K. Pedersen | Cohaesio wrote:
> On Thu, 2018-01-11 at 10:18 -0800, Wei Wang wrote:
> > On Thu, Jan 11, 2018 at 9:25 AM, Anders K. Pedersen | Cohaesio
> > wrote:
> > > On Tue, 2017-12-26 at 12:05 +0100, Anders K. Pedersen | Cohaesio
> >
On Wed, 2018-02-14 at 13:30 +0100, Florian Westphal wrote:
> Eric Dumazet wrote:
> > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > > syzbot reported a division by 0 bug in the netfilter nat code:
> > > Adding the relevant check at parse time could break
On Wed, Feb 14, 2018 at 04:45:31PM +0100, Paolo Abeni wrote:
> Hi,
>
> On Wed, 2018-02-14 at 14:51 +0100, Pablo Neira Ayuso wrote:
> > On Wed, Feb 14, 2018 at 01:30:37PM +0100, Florian Westphal wrote:
> > > Eric Dumazet wrote:
> > > > On Wed, 2018-02-14 at 12:13 +0100,
Wrap code that releases existing dependencies that we have just
annotated in the context structure.
Signed-off-by: Pablo Neira Ayuso
---
src/payload.c | 22 +-
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/payload.c b/src/payload.c
Hi,
This patchset aims to address what Florian reported some time ago [1]. This
is skipping removal of protocol key payload expressions at network base
for the netdev, bridge and inet.
It would be better to annotate all redundant expressions and add a later
stage, where we can do smarter simplifications.
This context information is very relevant when deciding if a redundant
dependency needs to be removed or not, specifically for the inet, bridge
and netdev families. This new parameter is used by follow up patch
entitled ("payload: add payload_should_dependency_kill()").
Signed-off-by: Pablo Neira
Payload protocol key expressions at network base are meaningful in the
netdev, bridge and inet families, do not exercise the redundant
dependency removal in those cases since it breaks rule semantics.
Signed-off-by: Pablo Neira Ayuso
---
src/payload.c | 31
Use payload_dependency_release() instead.
Signed-off-by: Pablo Neira Ayuso
---
include/payload.h | 3 +--
src/netlink_delinearize.c | 9 +++--
src/payload.c | 15 +--
3 files changed, 9 insertions(+), 18 deletions(-)
diff --git
Do not exercise dependency removal for protocol key network payload
expressions in bridge, netdev and inet families from meta expressions,
more specifically:
* inet: nfproto and ether type.
* netdev and bridge: meta protocol and ether type.
need to be left in place.
Signed-off-by: Pablo Neira
This helper function tells us if there is already a protocol key payload
expression, i.e. those with the EXPR_F_PROTOCOL flag set on, that we might
want to remove since we can infer it from another expression in the upper
protocol base, e.g.
ip protocol tcp tcp dport 22
'ip protocol tcp' can be
Hi,
On Wed, 2018-02-14 at 14:51 +0100, Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2018 at 01:30:37PM +0100, Florian Westphal wrote:
> > Eric Dumazet wrote:
> > > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > > > syzbot reported a division by 0 bug in the
On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote:
> Hello,
>
> As of nftables 0.8.1, it seems I can no longer write anonymous sets
> which contain overlapping networks (CIDR masks).
>
> For example, I want to write the following ruleset:
>
> #!/usr/bin/nft -f
> define users = {
Currently the kernel may pick a set implementation that doesn't provide
an ->update() function. This causes an error when the user attempts to
add the nftables rule that is supposed to add entries to the set.
Signed-off-by: Florian Westphal
---
Pablo, unless you have objections I would
On Wed, Feb 14, 2018 at 05:40:17PM +0100, Florian Westphal wrote:
> currently kernel may pick a set implementation that doesn't provide
> a ->update() function. This causes an error when user attempts to
> add the nftables rule that is supposed to add entries to the set.
>
> Signed-off-by:
syzbot reported a division by 0 bug in the netfilter nat code:
divide error: [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted 4.16.0-rc1+ #309
Hardware name: Google Google Compute Engine/Google Compute
Hello,
As of nftables 0.8.1, it seems I can no longer write anonymous sets
which contain overlapping networks (CIDR masks).
For example, I want to write the following ruleset:
#!/usr/bin/nft -f
define users = { 10.0.0.0/8, 193.219.181.192/26 }
define admins = { 10.123.0.0/24, 31.220.42.129 }
"fib" starts to behave strangely when an ipv6 default route is
added - the FIB lookup returns a route using 'oif' in this case.
This behaviour was inherited from ip6tables rpfilter so change
this as well.
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1221
Signed-off-by: Florian
On Wed, Feb 07, 2018 at 02:48:21PM +0100, Florian Westphal wrote:
> Aeons ago, before namespaces, there was no need to ratelimit this:
> all of these error messages got triggered in response to iptables
> commands, which need CAP_NET_ADMIN.
>
> Nowadays we have namespaces, so it's better to
On Wed, Feb 07, 2018 at 02:20:41PM +0100, Florian Westphal wrote:
> This rejects rulesets where a jump occurs to a non-user defined chain.
> This isn't limited in any way in the binary format (you can jump to
> any rule you want within the blob structure), but iptables tools
> do not offset such a
On Thu, Feb 08, 2018 at 12:19:00PM +0100, Paolo Abeni wrote:
> The Syzbot reported a possible deadlock in the netfilter area caused by
> rtnl lock, xt lock and socket lock being acquired with a different order
> on different code paths, leading to the following backtrace:
>
>
On Thu, Feb 08, 2018 at 01:53:52PM -0800, Cong Wang wrote:
> In clusterip_config_find_get() we hold RCU read lock so it could
> run concurrently with clusterip_config_entry_put(), as a result,
> the refcnt could go back to 1 from 0, which leads to a double
> list_del()... Just replace
On Wed, Feb 07, 2018 at 01:46:25PM +0100, Florian Westphal wrote:
> The rationale for removing the check is only correct for rulesets
> generated by ip(6)tables.
>
> In iptables, a jump can only occur to a user-defined chain, i.e.
> because we size the stack based on number of user-defined chains
On Mon, Feb 12, 2018 at 06:49:39PM +0100, Paolo Abeni wrote:
> syzbot reported that xt_LED may try to use the ledinternal->timer
> without previously initializing it:
>
> [ cut here ]
> kernel BUG at kernel/time/timer.c:958!
> invalid opcode: [#1] SMP KASAN
> Dumping
> On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote:
>> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote:
>> > Hi Pablo,
>> >
>> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso
>> > wrote:
>> > > Restore original syntax for the yet
On Mon, Feb 12, 2018 at 09:45:42PM +0800, Zhu Lingshan wrote:
> When building the kernel with the default configuration, the files:
>
> net/ipv4/netfilter/nf_nat_snmp_basic-asn1.c
> net/ipv4/netfilter/nf_nat_snmp_basic-asn1.h
>
> will be automatically generated by the ASN.1 compiler, so
> there is no need to track them
On Wed, Feb 14, 2018 at 05:21:19PM +0100, Paolo Abeni wrote:
> syzbot reported a division by 0 bug in the netfilter nat code:
>
> divide error: [#1] SMP KASAN
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted
Hi Pablo,
On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso wrote:
> Restore original syntax for the yet experimental VM low-level json
> representation.
>
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224
> Signed-off-by: Pablo Neira Ayuso
On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote:
> Hi Pablo,
>
> On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso
> wrote:
> > Restore original syntax for the yet experimental VM low-level json
> > representation.
> >
> > Closes:
On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote:
> > Hi Pablo,
> >
> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso
> > wrote:
> > > Restore original syntax for the yet experimental VM
On Wed, Feb 07, 2018 at 11:40:00AM +0200, Ville Skyttä wrote:
> Previously, if man page build was enabled but no suitable docbook2man or
> the like tool was found, build failed at a later stage with
> undescriptive error message. Fail early and explicitly at configure
> stage instead.
Applied,
Signed-off-by: Pablo Neira Ayuso
---
examples/nft-set-del.c | 33 -
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/examples/nft-set-del.c b/examples/nft-set-del.c
index 5e1fad30d341..8c216df861d7 100644
---
Instead of -1, which results in a misleading error, propagate to the caller
with errno == 0 (success).
Signed-off-by: Pablo Neira Ayuso
---
src/set_elem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/set_elem.c b/src/set_elem.c
index
Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote:
> > Hello,
> >
> > As of nftables 0.8.1, it seems I can no longer write anonymous sets
> > which contain overlapping networks (CIDR masks).
> >
> > For example, I want to write the
Hi Florian,
I attached two 'draft' patches in this email :)
Thanks,
Jack
From 6d811e63c9c777ed4287bc4547134c99e939b49d Mon Sep 17 00:00:00 2001
From: Jack Ma
Date: Mon, 12 Feb 2018 13:41:29 +1300
Subject: [PATCH] libxt_CONNMARK: Support bit-shifting for --restore,set
36 matches