Proposal: Add config option to set xtable_lock wait = true.

Hi Florian & Pablo, I noticed that lots iptables users are likely to miss the '-w' option while implementing multi-process program. Due to the fact that the iptables and ip6tables do not wait for the xtable_lock, people can easily mis-configure their iptables command because of concurrency

[PATCH nft] configure: don't enable xtables when --without-xtables is passed

AC_ARG_WITH runs this when EITHER --with-foo or --without-foo is given, so use 'withval'. After this patch: ./configure -> xtables off ./configure --with-xtables -> xtables on ./configure --without-xtables -> xtables off (was on). Reported-by: Alexander Dahl Signed-off-by:

[PATCH v6] netfilter : add NAT support for shifted portmap ranges

This is a patch proposal to support shifted ranges in portmaps. (i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100) Currently DNAT only works for single port or identical port ranges. (i.e. ports 5000-5100 on WAN interface redirected to a LAN host while original

Re: [PATCH nft] configure: don't enable xtables when --without-xtables is passed

Hello Florian, thanks for your quick fix. :-) > diff --git a/configure.ac b/configure.ac > index 284bcc502346..eb673d52c6f2 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -99,7 +99,7 @@ AM_CONDITIONAL([BUILD_CLI], [test "x$with_cli" != xno]) > > AC_ARG_WITH([xtables],

Re: [PATCH 40/47] netfilter: nf_tables: build-in filter chain type

On Fri, Mar 30, 2018 at 1:46 PM, Pablo Neira Ayuso wrote: > One module per supported filter chain family type takes too much memory > for very little code - too much modularization - place all chain filter > definitions in one single file. > > Signed-off-by: Pablo Neira Ayuso

Re: [PATCH 40/47] netfilter: nf_tables: build-in filter chain type

On Wed, Apr 04, 2018 at 05:38:31PM +0200, Arnd Bergmann wrote: > On Fri, Mar 30, 2018 at 1:46 PM, Pablo Neira Ayuso > wrote: > > One module per supported filter chain family type takes too much memory > > for very little code - too much modularization - place all chain

[PATCH nf] netfilter: ebtables: don't attempt to allocate 0-sized compat array

Dmitry reports 32bit ebtables on 64bit kernel got broken by a recent change that returns -EINVAL when ruleset has no entries. ebtables however only counts user-defined chains, so for the initial table nentries will be 0. Don't try to allocate the compat array in this case, as no user defined

Re: compat ebtables broke in syzkaller

Dmitry Vyukov wrote: > Hi Florian, Pablo, > > After the recent netfilter pull syzkaller in compat mode started failing with: > > getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22) > > I think this is caused by: > > commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd > Author:

Re: compat ebtables broke in syzkaller

On Wed, Apr 4, 2018 at 9:04 PM, Florian Westphal wrote: > Dmitry Vyukov wrote: >> One question: >> >> > We will need to special-case compat_table_info() in ebtables.c to >> > either not allocate the compat array for nentries == 0, or pretend >> > it was 1. >>

compat ebtables broke in syzkaller

Hi Florian, Pablo, After the recent netfilter pull syzkaller in compat mode started failing with: getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22) I think this is caused by: commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd Author: Florian Westphal Date: Tue Feb 27 19:42:35 2018

Re: compat ebtables broke in syzkaller

On Wed, Apr 4, 2018 at 8:51 PM, Florian Westphal wrote: > Dmitry Vyukov wrote: >> Hi Florian, Pablo, >> >> After the recent netfilter pull syzkaller in compat mode started failing >> with: >> >> getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22) >> >> I think

Re: compat ebtables broke in syzkaller

Dmitry Vyukov wrote: > One question: > > > We will need to special-case compat_table_info() in ebtables.c to > > either not allocate the compat array for nentries == 0, or pretend > > it was 1. > > nentries == 0 is returned to us by EBT_SO_GET_INIT_INFO, and I think > there