Hi,
I am new here, but isn't it strange that you mask the flags with the
HANDLE attribute?
Regards,
Máté
2018-03-11 14:18 GMT+01:00 Harsha Sharma:
> Correct one typo for parsing set handles.
>
> Signed-off-by: Harsha Sharma
> ---
>
On Sun, 11 Mar 2018 23:00:41 +0100
Pablo Neira Ayuso wrote:
> On Tue, Feb 27, 2018 at 07:25:14AM +0100, Ahmed Abdelsalam wrote:
> > Type 0 and 2 of the IPv6 Routing extension header are not handled
> > properly by exthdr_init_raw() in src/exthdr.c
> >
> > In order to fix
Arturo Borrero Gonzalez wrote:
> On 12 March 2018 at 12:36, Florian Westphal wrote:
> > +
> > +install-data-hook:
> > + ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
> > --
>
> The shebang in those files is static now
the '_array' variant is just a wrapper for get/set api; this
allows the array variant to be removed from libnftnl.
Signed-off-by: Florian Westphal
---
src/netlink.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
index
Using pr_() is more concise than printk(KERN_).
This patch:
* Replace printks having a log level with the appropriate
pr_*() macros.
* Define pr_fmt() to include relevant name.
* Remove redundant prefixes from pr_*() calls.
* Indent the code where possible.
* Remove the useless output messages.
*
Partially answering to myself : here is a good starting point for
nftables dev ->
https://zasdfgbnm.github.io/2017/09/07/Extending-nftables/
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at
On 12 March 2018 at 12:36, Florian Westphal wrote:
> +
> +install-data-hook:
> + ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
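Review bot: the `${DESTDIR}${pkgsysconfdir}/*` glob in the install-data-hook runs `sed -i` over every file installed under pkgsysconfdir, not only the ruleset skeletons that carry the `@sbindir@` placeholder, so any other file there is rewritten in place as well; restricting the target to the specific template files would be safer. Note also that the replacement text `${sbindir}/` ends in a slash, so a template written as `@sbindir@/nft` would come out with a doubled slash; either drop the trailing slash here or confirm that the templates omit it.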
> --
The shebang in those files is static now (#!/usr/sbin/nft -f)
Perhaps we should differentiate between files we use for
Stéphane Veyret wrote:
> A few words on the specs I imagined for the port triggering:
>
> table ip trigger {
> chain postrouting {
> type filter hook postrouting priority 0;
> ip dport 554 trigger open rtsp timeout 300 # Open the
> trigger named rtsp
Hi David,
The following patchset contains Netfilter/IPVS updates for your net-next
tree. This batch comes with more input sanitization for xtables to
address bug reports from fuzzers, preparation works to the flowtable
infrastructure and assorted updates. In no particular order, they are:
1)
From: Florian Westphal
no need to bother even trying to allocating huge compat offset arrays,
such ruleset is rejected later on anyway because we refuse to allocate
overly large rule blobs.
However, compat translation happens before blob allocation, so we should
add a check there
From: "Gustavo A. R. Silva"
Return statements in functions returning bool should use
true/false instead of 1/0.
This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Pablo Neira Ayuso
From: Florian Westphal
allows to have size checks in a single spot.
This is supposed to reduce oom situations when fuzz-testing xtables.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
From: Yi-Hung Wei
Currently, nf_conncount_count() counts the number of connections that
matches key and inserts a conntrack 'tuple' with the same key into the
accounting data structure. This patch supports another use case that only
counts the number of connections where
All existing keys, except the NFT_CT_SRC and NFT_CT_DST are assumed to
have strict datatypes. This is causing problems with sets and
concatenations given the specific length of these keys is not known.
Signed-off-by: Pablo Neira Ayuso
Acked-by: Florian Westphal
From: Felix Fietkau
Needed to remove a direct dependency on ipv6.ko from flowtable
infrastructure. Make it inline like ip_dst_mtu_maybe_forward().
Signed-off-by: Felix Fietkau
Signed-off-by: Pablo Neira Ayuso
---
include/net/ip6_route.h | 21
From: Felix Fietkau
Simplifies further code cleanups
Signed-off-by: Felix Fietkau
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git
From: Florian Westphal
should have no impact, function still always returns 0.
This patch is only to ease review.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/x_tables.h | 2 +-
From: Yi-Hung Wei
Remove parameter 'family' in nf_conncount_count() and count_tree().
It is because the parameter is not useful after commit 625c556118f3
("netfilter: connlimit: split xt_connlimit into front and backend").
Signed-off-by: Yi-Hung Wei
From: "Gustavo A. R. Silva"
Assign true or false to boolean variables instead of an integer value.
This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Simon Horman
From: Ahmed Abdelsalam
This fixes Netfilter's bugzilla #1219.
Type 0 and 2 of the IPv6 Routing extension header are not handled
properly by exthdr_init_raw() in src/exthdr.c
In order to fix the bug, we extended the "enum nft_exthdr_op" to
differentiate between rt, rt0, and
From: Felix Fietkau
Preparation for adding more code to the same module
Signed-off-by: Felix Fietkau
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/Makefile | 2 ++
net/netfilter/{nf_flow_table.c =>
From: Felix Fietkau
Reduces the number of cache lines touched in the offload forwarding
path. This is safe because PMTU limits are bypassed for the forwarding
path (see commit f87c10a8aa1e for more details).
Signed-off-by: Felix Fietkau
Signed-off-by: Pablo Neira
From: Florian Westphal
I placed the helpers within CONFIG_COMPAT section, move them
outside.
Fixes: 472ebdcd15ebdb ("netfilter: x_tables: check error target size too")
Fixes: 07a9da51b4b6ae ("netfilter: x_tables: check standard verdicts in core")
Signed-off-by: Florian Westphal
From: Felix Fietkau
Reduce code duplication and make it much easier to read
Signed-off-by: Felix Fietkau
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_flow_table.c | 93 ---
1 file changed, 34
From: Cong Wang
As suggested by Eric, we need to make the xt_rateest
hash table and its lock per netns to reduce lock
contentions.
Cc: Florian Westphal
Cc: Eric Dumazet
Cc: Pablo Neira Ayuso
Signed-off-by:
From: Florian Westphal
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/x_tables.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index
From: Florian Westphal
Harmless from kernel point of view, but again iptables assumes that
this is true when decoding ruleset coming from kernel.
If a (syzkaller generated) ruleset doesn't have the underflow/policy
stored as the last rule in the base chain, then iptables will
From: Florian Westphal
Harmless from kernel point of view, but iptables assumes that this is
true when decoding a ruleset.
iptables walks the dumped blob from kernel, and, for each entry that
creates a new chain it prints out rule/chain information.
Base chains (hook entry
From: Xin Long
Now it's doing cleanup_entry for oldinfo under the xt_table lock,
but it's not really necessary. After the replacement job is done
in xt_replace_table, oldinfo is not used elsewhere any more, and
it can be freed without xt_table lock safely.
The important
From: Taehee Yoo
parameter protoff in nf_conntrack_broadcast_help is not used anywhere.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_helper.h | 3 +--
From: Florian Westphal
Userspace must provide a valid verdict to the standard target.
The verdict can be either a jump (signed int > 0), or a return code.
Allowed return codes are either RETURN (pop from stack), NF_ACCEPT, DROP
and QUEUE (latter is allowed for legacy reasons).
From: Florian Westphal
Check that userspace ERROR target (custom user-defined chains) match
expected format, and the chain name is null terminated.
This is irrelevant for kernel, but iptables itself relies on sane input
when it dumps rules from kernel.
Signed-off-by: Florian
From: Florian Westphal
This is a very conservative limit (134217728 rules), but good
enough to not trigger frequent oom from syzkaller.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/x_tables.c | 3 +++
From: Taehee Yoo
parameter skb in nfnl_acct_overquota is not used anywhere.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/nfnetlink_acct.h | 3 +--
net/netfilter/nfnetlink_acct.c |
From: Taehee Yoo
If use the ipv6_addr_is_multicast instead of xt_cluster_ipv6_is_multicast,
then we can reduce code size.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/xt_cluster.c | 10 +-
1
From: kbuild test robot
Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects
via handle")
Signed-off-by: Fengguang Wu
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 8
skb_copy_expand without __GFP_NOWARN already does a dump_stack
on OOM so these messages are redundant.
Signed-off-by: Joe Perches
---
drivers/net/ethernet/qualcomm/qca_spi.c | 1 -
drivers/net/usb/lg-vl600.c | 6 +-
drivers/net/wimax/i2400m/usb-rx.c | 3
From: Pablo Neira Ayuso
Date: Mon, 12 Mar 2018 18:58:50 +0100
> The following patchset contains Netfilter/IPVS updates for your net-next
> tree. This batch comes with more input sanitization for xtables to
> address bug reports from fuzzers, preparation works to the
On 2018-03-12 19:58, David Miller wrote:
> From: Pablo Neira Ayuso
> Date: Mon, 12 Mar 2018 18:58:50 +0100
>
>> The following patchset contains Netfilter/IPVS updates for your net-next
>> tree. This batch comes with more input sanitization for xtables to
>> address bug
Stéphane Veyret wrote:
> 2018-03-12 12:25 GMT+01:00 Florian Westphal:
> > (Or i still fail to understand what you want to do, it does
> > sound exactly like expectations, e.g. for ftp data channel in
> > response to PASV command on ftp control channel).
>
>
2018-03-12 16:53 GMT+01:00 Florian Westphal:
>> It may be what I'm looking for. But I couldn't find any documentation
>> about this “ct expectation” command. Or do you mean I should create a
>> conntrack helper module for that?
>
> Right, this doesn't exist yet.
>
> I think we
From: Florian Westphal
recent and hashlimit both create /proc files, but only check that
name is 0 terminated.
This can trigger WARN() from procfs when name is "" or "/".
Add helper for this and then use it for both.
Cc: Eric Dumazet
Reported-by: Eric
From: Florian Westphal
ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.
commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
added validation for pool size, but missed fact that the macros
ebt_among_wh_src/dst can
Otherwise we leak this array.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 558593e6a0a3..c4acc7340eb1 100644
---
From: Florian Westphal
The last rule in the blob has next_entry offset that is same as total size.
This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel.
Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust
userland offsets")
Thank you for your help.
2018-03-12 12:25 GMT+01:00 Florian Westphal:
> (Or i still fail to understand what you want to do, it does
> sound exactly like expectations, e.g. for ftp data channel in
> response to PASV command on ftp control channel).
No, what I would like to have
On Mon, Mar 12, 2018 at 01:00:17PM +0100, Florian Westphal wrote:
> the '_array' variant is just a wrapper for get/set api; this
> allows the array variant to be removed from libnftnl.
LGTM, thanks Florian!
> Signed-off-by: Florian Westphal
> ---
> src/netlink.c | 8
>
Fixed hash supports to timeouts, so skip it. Otherwise, userspace hits
EOPNOTSUPP.
Fixes: 6c03ae210ce3 ("netfilter: nft_set_hash: add non-resizable hashtable
implementation")
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_set_hash.c | 2 +-
1 file changed, 1
Hi David,
The following patchset contains Netfilter fixes for your net tree, they are:
1) Fixed hashtable representation doesn't support timeout flag, skip it
otherwise rules to add elements from the packet bogusly fail with
EOPNOTSUPP.
2) Fix bogus error with 32-bits ebtables
commit 6c9230e79339ca ("nftables: rearrange files and examples")
removed the install hook for the old 'iptables table skeleton rulesets'.
This restores the install hook for some of these.
Reported-by: Duncan Roe
Cc: Arturo Borrero Gonzalez
From: Felix Fietkau
Date: Mon, 12 Mar 2018 20:30:01 +0100
> It's not dead and useless. In its current state, it has a software fast
> path that significantly improves nftables routing/NAT throughput,
> especially on embedded devices.
> On some devices, I've seen "only" 20%
On 2018-03-12 21:01, David Miller wrote:
> From: Felix Fietkau
> Date: Mon, 12 Mar 2018 20:30:01 +0100
>
>> It's not dead and useless. In its current state, it has a software fast
>> path that significantly improves nftables routing/NAT throughput,
>> especially on embedded
From: Pablo Neira Ayuso
Date: Mon, 12 Mar 2018 17:15:59 +0100
> The following patchset contains Netfilter fixes for your net tree, they are:
>
> 1) Fixed hashtable representation doesn't support timeout flag, skip it
>otherwise rules to add elements from the packet fail
In preparation to enabling -Wvla, remove VLA and replace it
with dynamic memory allocation.
From a security viewpoint, the use of Variable Length Arrays can be
a vector for stack overflow attacks. Also, in general, as the code
evolves it is easy to lose track of how big a VLA can get. Thus, we
In preparation to enabling -Wvla, remove VLA and replace it
with dynamic memory allocation.
From a security viewpoint, the use of Variable Length Arrays can be
a vector for stack overflow attacks. Also, in general, as the code
evolves it is easy to lose track of how big a VLA can get. Thus, we
Hi Pablo, thanks for the reply. Just wanted to clarify your first comment below:
On Mon, Mar 12, 2018 at 09:41:00AM +0100, Pablo Neira Ayuso wrote:
> To: Bernie Harris
> Cc: netfilter-devel@vger.kernel.org; kad...@blackhole.kfki.hu;
> f...@strlen.de; da...@davemloft.net
> Subject: Re: [PATCH
Package: iptables
Dear Maintainers,
Le 11/03/2018 à 21:57, Pablo Neira Ayuso a écrit :
> Hi Alban,
>
> On Tue, Jan 23, 2018 at 11:44:22AM +0100, Alban Vidal wrote:
>> 1) Adding -z or --zero option: Reset to zero counters of the chains.
> I have no objections to this -z feature, but better use -Z
In preparation to enabling -Wvla, remove VLA and replace it
with dynamic memory allocation.
From a security viewpoint, the use of Variable Length Arrays can be
a vector for stack overflow attacks. Also, in general, as the code
evolves it is easy to lose track of how big a VLA can get. Thus, we
In preparation to enabling -Wvla, remove VLA and replace it
with dynamic memory allocation.
From a security viewpoint, the use of Variable Length Arrays can be
a vector for stack overflow attacks. Also, in general, as the code
evolves it is easy to lose track of how big a VLA can get. Thus, we
On Mon, 2018-03-12 at 18:14 -0500, Gustavo A. R. Silva wrote:
> In preparation to enabling -Wvla, remove VLA and replace it
> with dynamic memory allocation.
>
> From a security viewpoint, the use of Variable Length Arrays can be
> a vector for stack overflow attacks. Also, in general, as the