Hi Florian & Pablo,
I noticed that lots of iptables users are likely to miss the '-w' option while
implementing a multi-process program.
Due to the fact that the iptables and ip6tables do not wait for the
xtable_lock, people can easily mis-configure
their iptables command because of concurrency

AC_ARG_WITH runs this when EITHER --with-foo or --without-foo is given,
so use 'withval'.
After this patch:
./configure -> xtables off
./configure --with-xtables -> xtables on
./configure --without-xtables -> xtables off (was on).
Reported-by: Alexander Dahl
Signed-off-by:

This is a patch proposal to support shifted ranges in portmaps.
(i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN
192.168.1.5:2000-2100)
Currently DNAT only works for single port or identical port ranges.
(i.e. ports 5000-5100 on WAN interface redirected to a LAN host while original

Hello Florian,
thanks for your quick fix. :-)
> diff --git a/configure.ac b/configure.ac
> index 284bcc502346..eb673d52c6f2 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -99,7 +99,7 @@ AM_CONDITIONAL([BUILD_CLI], [test "x$with_cli" != xno])
>
> AC_ARG_WITH([xtables],

On Fri, Mar 30, 2018 at 1:46 PM, Pablo Neira Ayuso wrote:
> One module per supported filter chain family type takes too much memory
> for very little code - too much modularization - place all chain filter
> definitions in one single file.
>
> Signed-off-by: Pablo Neira Ayuso

On Wed, Apr 04, 2018 at 05:38:31PM +0200, Arnd Bergmann wrote:
> On Fri, Mar 30, 2018 at 1:46 PM, Pablo Neira Ayuso
> wrote:
> > One module per supported filter chain family type takes too much memory
> > for very little code - too much modularization - place all chain

Dmitry reports 32bit ebtables on 64bit kernel got broken by
a recent change that returns -EINVAL when ruleset has no entries.
ebtables however only counts user-defined chains, so for the
initial table nentries will be 0.
Don't try to allocate the compat array in this case, as no user
defined

Dmitry Vyukov wrote:
> Hi Florian, Pablo,
>
> After the recent netfilter pull syzkaller in compat mode started failing with:
>
> getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22)
>
> I think this is caused by:
>
> commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd
> Author:

On Wed, Apr 4, 2018 at 9:04 PM, Florian Westphal wrote:
> Dmitry Vyukov wrote:
>> One question:
>>
>> > We will need to special-case compat_table_info() in ebtables.c to
>> > either not allocate the compat array for nentries == 0, or pretend
>> > it was 1.
>>

Hi Florian, Pablo,
After the recent netfilter pull syzkaller in compat mode started failing with:
getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22)
I think this is caused by:
commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd
Author: Florian Westphal
Date: Tue Feb 27 19:42:35 2018

On Wed, Apr 4, 2018 at 8:51 PM, Florian Westphal wrote:
> Dmitry Vyukov wrote:
>> Hi Florian, Pablo,
>>
>> After the recent netfilter pull syzkaller in compat mode started failing
>> with:
>>
>> getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22)
>>
>> I think

Dmitry Vyukov wrote:
> One question:
>
> > We will need to special-case compat_table_info() in ebtables.c to
> > either not allocate the compat array for nentries == 0, or pretend
> > it was 1.
>
> nentries == 0 is returned to us by EBT_SO_GET_INIT_INFO, and I think
> there