Re: [PATCH nf] netfilter: ipv6: Orphan skbs in nf_ct_frag6_gather()

2016-04-14 Thread Joe Stringer
On 14 April 2016 at 03:35, Pablo Neira Ayuso wrote: > On Thu, Apr 14, 2016 at 10:40:15AM +0200, Florian Westphal wrote: >> David Laight wrote: >> > From: Joe Stringer >> > > Sent: 13 April 2016 19:10 >> > > This is the IPv6 equivalent of commit

Re: [PATCH nf] netfilter: ipv6: Orphan skbs in nf_ct_frag6_gather()

2016-04-14 Thread Joe Stringer
On 14 April 2016 at 01:40, Florian Westphal wrote: > David Laight wrote: >> From: Joe Stringer >> > Sent: 13 April 2016 19:10 >> > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always >> > orphan skbs inside ip_defrag()"). >> > >> >

[nft PATCH] tests/shell: delete tempfile failover in testcases

2016-04-14 Thread Arturo Borrero Gonzalez
It seems both Debian/Fedora (and derivatives) contain mktemp (from the coreutils package) so it makes no sense to have this failover, which looks buggy also. Signed-off-by: Arturo Borrero Gonzalez --- tests/shell/testcases/netns/0001nft-f_0 |8 +---

Re: [PATCH 2/4 v6] libnftnl: rule: Change the "userdata" attribute to use new TLV buffer

2016-04-14 Thread Carlos Falgueras García
On 14/04/16 01:59, Pablo Neira Ayuso wrote: On Tue, Mar 22, 2016 at 08:46:25PM +0100, Carlos Falgueras García wrote: diff --git a/src/rule.c b/src/rule.c index 3a32bf6..db96e5b 100644 --- a/src/rule.c +++ b/src/rule.c @@ -28,6 +28,7 @@ #include #include #include +#include struct

[PATCH 2/2] extensions: libxt_NFQUEUE: Unstack different versions

2016-04-14 Thread Shivani Bhardwaj
Remove the stacking of older version into the newer one by adding the appropriate code corresponding to each version. Suggested-by: Florian Westphal Signed-off-by: Shivani Bhardwaj --- extensions/libxt_NFQUEUE.c | 104

[PATCH nf-next] netfilter: nf_ct_helper: disable automatic helper assignment

2016-04-14 Thread Pablo Neira Ayuso
Four years ago we introduced a new sysctl knob to disable automatic helper assignment in 72110dfaa907 ("netfilter: nf_ct_helper: disable automatic helper assignment"). This knob kept this behaviour enabled by default to remain conservative. This measure was introduced to provide a secure way to
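The knob referred to above is net.netfilter.nf_conntrack_helper: with it set to 0 the kernel no longer attaches a conntrack helper (ftp, sip, ...) to a flow just because the destination port matches, and the administrator must assign helpers explicitly. The script below is an added example, not code from the patch or from the netfilter project: it reads the knob (the path is a parameter so it can be checked against a constructed file), and prints the explicit iptables CT-target rule that is needed once automatic assignment is off. The ftp/21 pairing is only an illustration. Note that recent kernels removed the knob altogether and always require explicit assignment, so "unknown" is a legitimate outcome on such systems.

```shell
#!/bin/sh
# Added example (not from the patch or the netfilter project).
# Report whether automatic conntrack helper assignment is on, and show the
# explicit helper rule that replaces it.

KNOB_DEFAULT=/proc/sys/net/netfilter/nf_conntrack_helper

# Print "enabled", "disabled" or "unknown" for the sysctl knob. The file path
# is an argument so the check can be exercised on a constructed file.
helper_autoassign_state() {
    knob="${1:-$KNOB_DEFAULT}"
    if [ ! -r "$knob" ]; then
        # Kernels without the knob (it was removed in later releases) or
        # no read permission: nothing to report.
        echo "unknown"
        return 1
    fi
    val=$(tr -d '[:space:]' < "$knob")
    case "$val" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Print (do not apply) the iptables rule that pins a helper to one port in
# the raw table, which is where the CT target must be used. helper and port
# are caller-supplied; ftp/21 below is just an illustration.
explicit_helper_rule() {
    helper="$1"
    port="$2"
    printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j CT --helper %s\n' \
        "$port" "$helper"
}

# Stand-alone run: report the live state and the rule an admin would add.
state=$(helper_autoassign_state) || state=unknown
echo "automatic helper assignment: $state"
if [ "$state" != "disabled" ]; then
    echo "# to turn it off: sysctl -w net.netfilter.nf_conntrack_helper=0"
fi
echo "# explicit assignment then required per service, e.g.:"
explicit_helper_rule ftp 21
```

Disabling the knob is the conservative setting: a helper parses untrusted payload and opens expectations (pinholes) for related connections, so binding it only to ports you actually serve limits that exposure.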

Re: [PATCH v5 nf-next 4/4] netfilter: nftables: add connlabel set support

2016-04-14 Thread Pablo Neira Ayuso
On Thu, Apr 14, 2016 at 01:26:52PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Thu, Apr 14, 2016 at 12:05:27PM +0200, Florian Westphal wrote: > > > Pablo Neira Ayuso wrote: > > > > On Tue, Apr 12, 2016 at 06:14:26PM +0200, Florian

Re: [PATCH nf-next] netfilter: conntrack: don't acquire lock during seq_printf

2016-04-14 Thread Pablo Neira Ayuso
On Thu, Apr 14, 2016 at 01:16:56PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > > net/netfilter/nf_conntrack_proto_sctp.c | 8 +--- > > > net/netfilter/nf_conntrack_proto_tcp.c | 8 +--- > > > 2 files changed, 2 insertions(+), 14 deletions(-) > > >

Re: [PATCH v5 nf-next 4/4] netfilter: nftables: add connlabel set support

2016-04-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Thu, Apr 14, 2016 at 12:05:27PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > On Tue, Apr 12, 2016 at 06:14:26PM +0200, Florian Westphal wrote: > > > > diff --git a/net/netfilter/nft_ct.c

Re: [PATCH nf] netfilter: ipv6: Orphan skbs in nf_ct_frag6_gather()

2016-04-14 Thread Pablo Neira Ayuso
On Thu, Apr 14, 2016 at 10:40:15AM +0200, Florian Westphal wrote: > David Laight wrote: > > From: Joe Stringer > > > Sent: 13 April 2016 19:10 > > > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always > > > orphan skbs inside ip_defrag()"). > > > > >

Re: [nf_tables PATCH] netfilter: nf_tables: invert chain deletion abort path

2016-04-14 Thread Pablo Neira Ayuso
On Fri, Apr 08, 2016 at 12:56:10PM +0200, Arturo Borrero Gonzalez wrote: > Before this patch, chain deletion abort path re-adds chains in reverse > order of what was originally in the ruleset. > Invert the order, so the ruleset is exactly the same after abort. > > Example, using 2 config files:

Re: [PATCH v5 nf-next 4/4] netfilter: nftables: add connlabel set support

2016-04-14 Thread Pablo Neira Ayuso
On Thu, Apr 14, 2016 at 12:05:27PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Tue, Apr 12, 2016 at 06:14:26PM +0200, Florian Westphal wrote: > > > diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c > > > index 25998fa..4ec1cea 100644 > > > ---

Re: [PATCH nf-next] netfilter: conntrack: don't acquire lock during seq_printf

2016-04-14 Thread Pablo Neira Ayuso
On Mon, Apr 11, 2016 at 09:14:29PM +0200, Florian Westphal wrote: > read access doesn't need any lock here. > > Signed-off-by: Florian Westphal > --- > net/netfilter/nf_conntrack_proto_sctp.c | 8 +--- > net/netfilter/nf_conntrack_proto_tcp.c | 8 +--- > 2 files

Re: [PATCH v5 nf-next 4/4] netfilter: nftables: add connlabel set support

2016-04-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Tue, Apr 12, 2016 at 06:14:26PM +0200, Florian Westphal wrote: > > diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c > > index 25998fa..4ec1cea 100644 > > --- a/net/netfilter/nft_ct.c > > +++ b/net/netfilter/nft_ct.c > > @@ -29,6

RE: [PATCH nf] netfilter: ipv6: Orphan skbs in nf_ct_frag6_gather()

2016-04-14 Thread David Laight
From: Joe Stringer > Sent: 13 April 2016 19:10 > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always > orphan skbs inside ip_defrag()"). > > Prior to commit 029f7f3b8701 ("netfilter: ipv6: nf_defrag: avoid/free > clone operations"), ipv6 fragments sent to nf_ct_frag6_gather()

Re: [PATCH nf] netfilter: ipv6: Orphan skbs in nf_ct_frag6_gather()

2016-04-14 Thread Florian Westphal
David Laight wrote: > From: Joe Stringer > > Sent: 13 April 2016 19:10 > > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always > > orphan skbs inside ip_defrag()"). > > > > Prior to commit 029f7f3b8701 ("netfilter: ipv6: nf_defrag: avoid/free > >

[nft PATCH] tests/shell: add testcases for Netfilter bug #965

2016-04-14 Thread Arturo Borrero Gonzalez
Testcases for Netfilter bug #965: * add rule at position * insert rule at position * replace rule with given handle * delete rule with given handle * don't allow to delete rules with position keyword Netfilter Bugzilla: http://bugzilla.netfilter.org/show_bug.cgi?id=965 Signed-off-by: Arturo