We just opened the call for proposals. We hope the conference
will be as great a venue as previous netdev conferences.
http://netdevconf.org/1.2/submit-proposal.html
Netdev 1.2 is a community-driven conference geared towards
Linux netheads. Linux kernel networking and user space
utilization of the
Since we cannot make sure that the 'hook_mask' will always be non-zero
here. If it equals zero, the num_hooks will be zero too,
and then kmalloc() will return ZERO_SIZE_PTR, which is (void *)16.
Then the following error check will fail:
ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
On 01/06/2016 19:04, Pablo Neira Ayuso wrote:
On Wed, Jun 01, 2016 at 05:52:59PM +0800, Xiubo Li wrote:
net/netfilter/x_tables.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index c8a0b7d..4df8e38 100644
--- a/net/netfilter/x_tab
From: Pablo Neira Ayuso
Date: Wed, 1 Jun 2016 14:03:17 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
netfilter/nflog: nflog-range does not truncate packets
The --nflog-range parameter from userspace is ignored in the kernel and
the entire packet is sent to the userspace. The per-instance parameter
copy_range still works, with this change --nflog-range will have
preference over copy_range.
Signed
libxt_hashlimit: iptables-restore does not work as expected with xt_hashlimit
Add the following iptables rule.
$ iptables -A INPUT -m hashlimit --hashlimit-above 200/sec \
--hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name hashlimit1 \
--hashlimit-htable-expire 3 -j DROP
$ iptab
libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates
Create a new revision for the hashlimit iptables extension module. Rev 2
will support higher pps of up to 1 million, Version 1 supports only 10k.
To support this we have to increase the size of the variables avg and
bur
libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2
I am planning to add a revision 2 for the hashlimit xtables module to
support higher packets per second rates. This patch renames all the
functions and variables related to revision 1 by adding _v1 at the end of
the names.
Signed-off-by: V
netfilter: iptables-restore does not work as expected with xt_hashlimit
Add the following iptables rule.
$ iptables -A INPUT -m hashlimit --hashlimit-above 200/sec \
--hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name hashlimit1 \
--hashlimit-htable-expire 3 -j DROP
$ iptables-sa
netfilter: Create revision 2 of xt_hashlimit to support higher pps rates
Create a new revision for the hashlimit iptables extension module. Rev 2
will support higher pps of up to 1 million, Version 1 supports only 10k.
To support this we have to increase the size of the variables avg and
burst in
netfilter: Prepare xt_hashlimit.c for revision 2
I am planning to add a revision 2 for the hashlimit xtables module to
support higher packets per second rates. This patch renames all the
functions and variables related to revision 1 by adding _v1 at the end of
the names.
Signed-off-by: Vishwanath
On Wed, Jun 01, 2016 at 06:22:55PM +0200, Peter Zijlstra wrote:
> On Wed, Jun 01, 2016 at 09:52:14PM +0800, Boqun Feng wrote:
> > On Tue, May 31, 2016 at 11:41:37AM +0200, Peter Zijlstra wrote:
>
> > > @@ -292,7 +282,7 @@ static void sem_wait_array(struct sem_ar
> > > sem = sma->sem_base
Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation'
instead. Update some FIXME datatypes.
Signed-off-by: Laura Garcia Liebana
---
doc/nft.xml | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index 0ebf51a..b9f3c69 1
Add translation for Hop-By-Hop header to nftables. Hbh options are not
supported yet in nft.
$ sudo ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength 22 counter
$ sudo ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22
nft add rule ip
On Wed, Jun 01, 2016 at 04:43:45PM +0200, Arturo Borrero Gonzalez wrote:
> On 31 May 2016 at 20:26, Laura Garcia Liebana wrote:
> > +static int __multiport_xlate_v1(const void *ip,
> > + const struct xt_entry_match *match,
> > + struct xt
The order of mask and mark in the output is wrong. This has been pointed
out:
http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d
by Liping Zhang.
This patch fixes the same issue with connmark.
Signed-off-by: Shivani Bhardwaj
---
extensions/libxt_connmark.c |
On Wed, Jun 01, 2016 at 03:07:14PM +0100, Will Deacon wrote:
> On Wed, Jun 01, 2016 at 02:45:41PM +0200, Peter Zijlstra wrote:
> > On Wed, Jun 01, 2016 at 01:13:33PM +0100, Will Deacon wrote:
> > > On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote:
> >
> > > > Works for me; but that w
On 06/01/2016 05:31 AM, Peter Zijlstra wrote:
On Tue, May 31, 2016 at 04:01:06PM -0400, Waiman Long wrote:
You are doing two READ_ONCE's in the smp_cond_load_acquire loop. Can we
change it to do just one READ_ONCE, like
--- a/include/asm-generic/barrier.h
+++ b/include/asm-generic/barrier.h
@@
On Wed, Jun 01, 2016 at 09:52:14PM +0800, Boqun Feng wrote:
> On Tue, May 31, 2016 at 11:41:37AM +0200, Peter Zijlstra wrote:
> > @@ -292,7 +282,7 @@ static void sem_wait_array(struct sem_ar
> > sem = sma->sem_base + i;
> > spin_unlock_wait(&sem->lock);
> > }
> > - ip
Introduce a new configuration option for this expression, which allows users
to invert the logic of set lookups.
In _init() we will now return EINVAL if NFT_LOOKUP_F_INV is anyway
related to a map lookup.
The code in the _eval() function has been untangled and updated to support the
XOR of option
On Wed, Jun 01, 2016 at 12:06:59AM +0200, Laura Garcia Liebana wrote:
> Add translation of ipcomp to nftables.
>
> First value of the parameter 'ipcompspi' will be translated to 'cpi'
> parameter in nftables. Parameter 'compres' is not supported in nftables.
>
> Examples:
>
> $ sudo iptables-tra
On Wed, Jun 01, 2016 at 08:07:17PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> The mask and mark's order is reversed, so when we specify the mask, we will
> get the wrong translation result:
> # iptables-translate -A INPUT -m mark --mark 0x1/0xff
> nft add rule ip filter INPUT mark an
On 31 May 2016 at 20:26, Laura Garcia Liebana wrote:
> +static int __multiport_xlate_v1(const void *ip,
> + const struct xt_entry_match *match,
> + struct xt_xlate *xl, int numeric)
> +{
> + const struct xt_multiport_v1 *multiinfo
>
On Wed, Jun 01, 2016 at 02:45:41PM +0200, Peter Zijlstra wrote:
> On Wed, Jun 01, 2016 at 01:13:33PM +0100, Will Deacon wrote:
> > On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote:
>
> > > Works for me; but that would lose using cmpwait() for
> > > !smp_cond_load_acquire() spins, yo
On Tue, May 31, 2016 at 11:41:37AM +0200, Peter Zijlstra wrote:
[snip]
> @@ -260,16 +260,6 @@ static void sem_rcu_free(struct rcu_head
> }
>
> /*
> - * spin_unlock_wait() and !spin_is_locked() are not memory barriers, they
> - * are only control barriers.
> - * The code must pair with spin_unlo
On Wed, Jun 01, 2016 at 01:13:33PM +0100, Will Deacon wrote:
> On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote:
> > Works for me; but that would lose using cmpwait() for
> > !smp_cond_load_acquire() spins, you fine with that?
> >
> > The two conversions in the patch were both !acq
On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote:
> On Wed, Jun 01, 2016 at 01:00:10PM +0100, Will Deacon wrote:
> > On Wed, Jun 01, 2016 at 11:31:58AM +0200, Peter Zijlstra wrote:
> > > Will, since ARM64 seems to want to use this, does the below make sense
> > > to you?
> >
> > Not
From: Liping Zhang
The mask and mark's order is reversed, so when we specify the mask, we will
get the wrong translation result:
# iptables-translate -A INPUT -m mark --mark 0x1/0xff
nft add rule ip filter INPUT mark and 0x1 == 0xff counter
Apply this patch, translation will become:
# ipta
On Wed, Jun 01, 2016 at 01:00:10PM +0100, Will Deacon wrote:
> On Wed, Jun 01, 2016 at 11:31:58AM +0200, Peter Zijlstra wrote:
> > Will, since ARM64 seems to want to use this, does the below make sense
> > to you?
>
> Not especially -- I was going to override smp_cond_load_acquire anyway
> because
From: Phil Turnbull
If the NFTA_SET_TABLE parameter is missing and the NLM_F_DUMP flag is
not set, then a NULL pointer dereference is triggered in
nf_tables_set_lookup because ctx.table is NULL.
Signed-off-by: Phil Turnbull
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c |
Don't allow registration of helpers using the same tuple:
{ l3proto, l4proto, src-port }
We lookup for the helper from the packet path using this tuple through
__nf_ct_helper_find(). Therefore, we have to avoid having two helpers
with the same tuple to ensure predictable behaviour.
Don't
From: Paolo Abeni
With the commit 48e8aa6e3137 ("ipv6: Set FLOWI_FLAG_KNOWN_NH at
flowi6_flags") ip6_pol_route() callers were asked to set the
FLOWI_FLAG_KNOWN_NH properly and xt_TEE was updated accordingly,
but with the later refactor in commit bbde9fc1824a ("netfilter:
factor out packet dupl
From: "Eric W. Biederman"
Florian Weber reported:
> Under full load (unshare() in loop -> OOM conditions) we can
> get kernel panic:
>
> BUG: unable to handle kernel NULL pointer dereference at 0008
> IP: [] nfqnl_nf_hook_drop+0x35/0x70
> [..]
> task: 88012dfa3840 ti: 88012dff
From: Florian Westphal
Users got removed in f8572d8f2a2ba ("sysctl net: Remove unused binary
sysctl code").
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_standalone.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/netfilter/nf_conntr
From: Florian Westphal
Since 4.4 we erroneously use timestamp of the netlink skb (which is zero).
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1066
Fixes: b28b1e826f818c30ea7 ("netfilter: nfnetlink_queue: use y2038 safe
timestamp")
Signed-off-by: Florian Westphal
Signed-off-by: Pabl
From: Taehee Yoo
Helpers should unregister only the registered ports,
but a helper cannot have the correct registered ports value when it
failed to register.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_ftp.c | 1 +
net/netfilter/nf_conntrack_irc.c | 1 +
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix incorrect timestamp in nfnetlink_queue introduced when addressing
y2038 safe timestamp, from Florian Westphal.
2) Get rid of leftover conntrack definition from the previous merge
window, oneliner
On Wed, Jun 01, 2016 at 11:31:58AM +0200, Peter Zijlstra wrote:
> On Tue, May 31, 2016 at 04:01:06PM -0400, Waiman Long wrote:
> > You are doing two READ_ONCE's in the smp_cond_load_acquire loop. Can we
> > change it to do just one READ_ONCE, like
> >
> > --- a/include/asm-generic/barrier.h
> > ++
On Wed, Jun 01, 2016 at 12:24:32PM +0100, Will Deacon wrote:
> > --- a/arch/arm/include/asm/spinlock.h
> > +++ b/arch/arm/include/asm/spinlock.h
> > @@ -50,8 +50,22 @@ static inline void dsb_sev(void)
> > * memory.
> > */
> >
> > -#define arch_spin_unlock_wait(lock) \
> > - do { while (arch
Hi Peter,
On Tue, May 31, 2016 at 11:41:38AM +0200, Peter Zijlstra wrote:
> This patch updates/fixes all spin_unlock_wait() implementations.
>
> The update is in semantics; where it previously was only a control
> dependency, we now upgrade to a full load-acquire to match the
> store-release from
On Wed, Jun 01, 2016 at 12:16:51PM +0200, Pablo M. Bermudo Garay wrote:
> Special sets like maps and flow tables have their own commands to be
> listed and inspected.
>
> Before this patch, "nft list set" was able to display these special sets
> content:
>
> # nft list set filter test
> table
On Wed, Jun 01, 2016 at 05:52:59PM +0800, Xiubo Li wrote:
> >> net/netfilter/x_tables.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >>diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> >>index c8a0b7d..4df8e38 100644
> >>--- a/net/netfilter/x_tables.c
> >>+++ b/net/netfilt
Special sets like maps and flow tables have their own commands to be
listed and inspected.
Before this patch, "nft list set" was able to display these special sets
content:
# nft list set filter test
table ip filter {
map test {
type ipv4_addr : inet_service
2016-06-01 11:20 GMT+02:00 Pablo Neira Ayuso:
> I'd suggest:
>
> set == NULL && set->flags & (SET_F_EVAL | SET_F_MAP)
Oh, sure. Thank you for pointing that out.
net/netfilter/x_tables.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index c8a0b7d..4df8e38 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1185,6 +1185,9 @@ struct nf_hook_ops *xt_hook_link(const struct xt_
Signed-off-by: Pablo Neira Ayuso
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 0d7e6ed..0e7edcf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,7 +4,7 @@
AC_PREREQ(2.61)
AC_COPYRIGHT([Copyright (c) 2008 Patrick McHard
On Tue, May 31, 2016 at 09:16:32PM +0200, Laura Garcia Liebana wrote:
> Fix the compression parameter index 'cpi' instead of 'cfi'.
Applied, thanks Laura.
BTW, see below.
> Signed-off-by: Laura Garcia Liebana
> ---
> doc/nft.xml | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff
On Tue, May 31, 2016 at 04:01:06PM -0400, Waiman Long wrote:
> You are doing two READ_ONCE's in the smp_cond_load_acquire loop. Can we
> change it to do just one READ_ONCE, like
>
> --- a/include/asm-generic/barrier.h
> +++ b/include/asm-generic/barrier.h
> @@ -229,12 +229,18 @@ do {
> * value;
On Wed, Jun 01, 2016 at 04:34:28PM +0800, Xiubo Li wrote:
> Since we cannot make sure the 'hook_mask' will always be non-zero
> here. If it equals zero, the num_hooks will be zero too, and then
> kmalloc() will return ZERO_SIZE_PTR, which is (void *)16.
>
> Then the following error check will
On Wed, Jun 01, 2016 at 10:51:17AM +0200, Pablo M. Bermudo Garay wrote:
> Special sets like maps and flow tables have their own commands to be
> listed and inspected.
>
> Before this patch, "nft list set" was able to display these special sets
> content:
>
> # nft list set filter test
> table
Arturo Borrero Gonzalez wrote:
> On 31 May 2016 at 17:50, Arturo Borrero Gonzalez
> wrote:
> > On 31 May 2016 at 16:44, Florian Westphal wrote:
> >> I think its better to use a
> >>
> >> } else if (priv->invert) {
> >> return;
> >> }
> >>
>
> Not that easy, we should consider 4 cases:
>
Special sets like maps and flow tables have their own commands to be
listed and inspected.
Before this patch, "nft list set" was able to display these special sets
content:
# nft list set filter test
table ip filter {
map test {
type ipv4_addr : inet_service
Since we cannot make sure the 'hook_mask' will always be non-zero
here. If it equals zero, the num_hooks will be zero too, and then
kmalloc() will return ZERO_SIZE_PTR, which is (void *)16.
Then the following error check will fail:
ops = kmalloc(sizeof(*ops) * num_hooks, GFP_KERNEL);
if (