From: Pablo Neira Ayuso
Date: Fri, 17 Jun 2016 20:25:12 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are rather small patches but fixing several outstanding bugs in
> nf_conntrack and nf_tables, as well as minor problems with missing
> SYNPROXY header uapi ins
Following the fixes for the version check in iptables and nftables, make
conntrack-tools avoid generating a false warning for Flex versions greater
than 2.5.x.
Signed-off-by: Shivani Bhardwaj
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.a
Before this patch, no check on the version of flex was done, because of
which the configure script did not show any warning messages for an
inappropriate version of flex. Following iptables, show the version of
flex in the output of the configure script, and also show a warning if necessary.
Signed-off-by: Shivani
According to the previous logic of the version check for flex, anything
greater than 2.5.33 but within 2.5.x was acceptable. The issue was
observed when a false warning was generated for flex version 2.6.0.
New logic works for basically everything greater than 2.5.33.
Signed-off-by: Shivani Bhardwaj
---
From: Florian Westphal
I forgot to move the kmem_cache_destroy into the exit path.
Fixes: 0c5366b3a8c7 ("netfilter: conntrack: use single slab cache")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_core.c | 2 ++
1 file changed, 2 insertions(+)
Matt Whitlock says:
Without this line, the file xt_SYNPROXY.h does not get installed in
/usr/include/linux/netfilter/, and thus user-space programs cannot make
use of it.
Reported-by: Matt Whitlock
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/Kbuild | 1 +
1 file change
From: Liping Zhang
When we add a nft rule like follows:
# nft add rule filter test tcp dport vmap {1: jump test}
-ELOOP error will be returned, and the anonymous set will be
destroyed.
But after that, nf_tables_abort will also try to remove the
element and destroy the set, which was already de
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are rather small patches but fixing several outstanding bugs in
nf_conntrack and nf_tables, as well as minor problems with missing
SYNPROXY header uapi installation:
1) Oneliner not to leak conntrack kmemcache on mo
From: Liping Zhang
We should check whether "i" is used as a dictionary or not; "binding" is already
checked before.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_table
Liping Zhang says:
"Users may add such a wrong nft rule successfully, which will cause an
endless jump loop:
# nft add rule filter test tcp dport vmap {1: jump test}
This is because before we commit, the element in the current anonymous
set is inactive, so osp->walk will skip this element and
From: Liping Zhang
nft_genmask_cur has already done left-shift operator on the gencursor,
so there's no need to do left-shift operator on it again.
Fixes: ea4bd995b0f2 ("netfilter: nf_tables: add transaction helper functions")
Cc: Patrick McHardy
Signed-off-by: Liping Zhang
Signed-off-by: Pabl
./usr/include/linux/netfilter/xt_SYNPROXY.h:11: found __[us]{8,16,32,64} type
without #include
Reported-by: kbuild test robot
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/xt_SYNPROXY.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/uapi/linux/netfilter/xt_S
From: Roberto García
Add translation for the CONNMARK target to nftables.
The following options have no available translation:
--save-mark [--nfmask nfmask] [--ctmask ctmask]
--restore-mark [--nfmask nfmask] [--ctmask ctmask]
Examples:
# iptables-translate -t mangle -A PREROUTING -j CON
On Fri, 2016-06-17 at 13:59 +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 16, 2016 at 11:20:59AM -0700, Joe Perches wrote:
> > There are several FWINV #defines with identical form
> > that hide a specific structure variable and dereference
> > it with an invflags member.
> Right, this macro is obscu
On 06/17/2016 07:22 AM, Pablo Neira Ayuso wrote:
> On Wed, Jun 15, 2016 at 03:13:15PM +, Lubashev, Igor wrote:
>> Vish, Pablo,
>>
>> I wonder about the value of sending more data than a client is
>> willing to consume (setting aside the important fact that the client
>> code crashes due to the
NETMAP_print is also used by its .save hook so this change
broke iptables-save output.
Revert the patch, rename NETMAP_print to __NETMAP_print and
use that as the workhorse for both xtables -L and xtables-save.
The addition of the 'to' prefix is done in the .print hook only.
Reported-by: Shivani
Pablo Neira Ayuso wrote:
> On Wed, Jun 15, 2016 at 02:02:40AM +0530, Shivani Bhardwaj wrote:
> > diff --git a/extensions/libipt_NETMAP.t b/extensions/libipt_NETMAP.t
> > index 31924b9..de2bf8f 100644
> > --- a/extensions/libipt_NETMAP.t
> > +++ b/extensions/libipt_NETMAP.t
> > @@ -1,4 +1,4 @@
> >
On Thu, Jun 16, 2016 at 11:20:59AM -0700, Joe Perches wrote:
> There are several FWINV #defines with identical form
> that hide a specific structure variable and dereference
> it with an invflags member.
Right, this macro is obscure indeed.
> $ git grep "define FWINV"
> include/linux/netfilter_bri
On Wed, Jun 15, 2016 at 02:02:40AM +0530, Shivani Bhardwaj wrote:
> diff --git a/extensions/libipt_NETMAP.t b/extensions/libipt_NETMAP.t
> index 31924b9..de2bf8f 100644
> --- a/extensions/libipt_NETMAP.t
> +++ b/extensions/libipt_NETMAP.t
> @@ -1,4 +1,4 @@
> :PREROUTING,INPUT,OUTPUT,POSTROUTING
>
Hi,
[auto build test WARNING on nf/master]
url:
https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-missing-xt_SYNPROXY-h-header-to-Kbuild/20160617-190435
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf master
config: i386-tinyconfig (attached as .config
On Wed, Jun 15, 2016 at 03:13:15PM +, Lubashev, Igor wrote:
> Vish, Pablo,
>
> I wonder about the value of sending more data than a client is
> willing to consume (setting aside the important fact that the client
> code crashes due to the extra data).
>
> It seems that we should either drop t
Hi Shivani,
On Fri, Jun 17, 2016 at 03:36:14AM +0530, Shivani Bhardwaj wrote:
> According to the previous logic of version check for flex, anything
> greater than 2.5.33 but within 2.5.x was acceptable. The issue was
> observed when a false warning generated for flex version 2.6.0.
> New logic wor