Re: Snooping expected connections in a user CT helper

2016-08-22 Thread Kevin Cernekee
On Wed, Aug 17, 2016 at 6:12 PM, Pablo Neira Ayuso wrote: > Looking at ctnetlink, it should be possible to make it via > CTA_EXPECT_HELP_NAME. Thus, by when we find a matching expectation, > the helper is set to this new connection too. > > See line 1086 in

[PATCH v2 1/2 net-next] netfilter: gre: Use consistent GRE_* macros instead of ones defined by netfilter.

2016-08-22 Thread fgao
From: Gao Feng There are already some GRE_* macros in kernel, so it is unnecessary to define these macros. And remove some useless macros Signed-off-by: Gao Feng --- v2: Split the original patch to review easily v1: Initial patch

[PATCH v2 2/2 net-next] netfilter: gre: Use consistent GRE and PTTP header structure instead of the ones defined by netfilter

2016-08-22 Thread fgao
From: Gao Feng There are two existing structures which define the GRE and PPTP header. So use these two structures instead of the ones defined by netfilter to keep consistent with other code. Signed-off-by: Gao Feng --- v2: Split the original patch to review

[PATCH iptables] iptables-restore: add missing arguments to usage message

2016-08-22 Thread Brian Haley
iptables-restore was missing -n, -T and -M from the usage message, added them to match the man page. Signed-off-by: Brian Haley diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c index 9393924..dc0acb0 100644 --- a/iptables/ip6tables-restore.c +++

Re: [PATCH nft] parser_bison: keep snat/dnat existing syntax unchanged

2016-08-22 Thread Pablo Neira Ayuso
On Mon, Aug 22, 2016 at 11:34:15PM +0800, Liping Zhang wrote: > From: Liping Zhang > > We should keep existing syntax unchanged, and this was emphasized > in the commit 850f0a56b6ad ("src: add 'to' for snat and dnat")'s > commit log: "Existing syntax is still

Re: [PATCH 3/4 V6 nft] test: shell: Add tests for deleting rule by description

2016-08-22 Thread Pablo Neira Ayuso
Hi Carlos, One of these tests fails... so please send me a follow up to fix it. W: [FAILED] ./testcases/rule_management/0010delete-by-desc_0 This chunk also looks a bit strange to me. set +e; # Next commands can return 0 REMAINS_RULE2DEL=$($NFT list -a ruleset | grep -c "$RULE2DEL")

Re: [PATCH nft] tests: shell: add testcase for reject expr

2016-08-22 Thread Pablo Neira Ayuso
On Mon, Aug 22, 2016 at 11:43:53PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Reject expr is only valid in input/forward/output chain, > and if user can add reject expr in prerouting chain, kernel > panic will happen. > > So add a simple test case to cover

Re: [PATCH 1/4 V6 nft] Simplify parser rule_spec tree

2016-08-22 Thread Pablo Neira Ayuso
On Sun, Aug 21, 2016 at 11:22:07PM +0200, Carlos Falgueras García wrote: > This patch separates the rule identification from the rule localization, so > the logic moves from the evaluator to the parser. This allows to revert the > patch "evaluate: improve rule managment checks" >

Re: [PATCH nft 1/2] ct: allow numeric conntrack labels

2016-08-22 Thread Pablo Neira Ayuso
On Mon, Aug 22, 2016 at 12:17:26PM +0200, Florian Westphal wrote: > When dumping labels in rule list we try to print a symbolic name. > If we don't find one, we print the bit number instead. > > This changes nft to also allow use of the number instead of a name > when adding ct label rules so

[PATCH nft] tests: shell: add testcase for reject expr

2016-08-22 Thread Liping Zhang
From: Liping Zhang Reject expr is only valid in input/forward/output chain, and if user can add reject expr in prerouting chain, kernel panic will happen. So add a simple test case to cover this situation. Signed-off-by: Liping Zhang

Re: [PATCH v3] netfilter: nf_tables: Ensure init attributes are within the bounds

2016-08-22 Thread kbuild test robot
Hi Laura, [auto build test WARNING on nf-next/master] [also build test WARNING on v4.8-rc3 next-20160822] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] [Suggest to use git(>=2.9.0) format-patch --base= (or --base=auto for convenie

[PATCH iptables v2 1/2] xtables-compat: check if nft ruleset is compatible

2016-08-22 Thread Pablo M. Bermudo Garay
This patch adds a verification of the compatibility between the nft ruleset and iptables. Nft tables, chains and rules are checked to be compatible with iptables. If something is not compatible, the execution stops and an error message is displayed to the user. This checking is triggered by

[PATCH nf] netfilter: nft_meta: improve the validity check of pkttype set expr

2016-08-22 Thread Liping Zhang
From: Liping Zhang "meta pkttype set" is only supported on prerouting chain with bridge family and ingress chain with netdev family. But the validate check is incomplete, and the user can add the nft rules on input chain with bridge family, for example: # nft add

[PATCH nf 1/3] netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects

2016-08-22 Thread Liping Zhang
From: Liping Zhang cttimeout and acct objects are deleted from the list while traversing it, so use list_for_each_entry is unsafe here. Signed-off-by: Liping Zhang --- net/netfilter/nfnetlink_acct.c | 6 +++---

[PATCH nf 3/3] netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists

2016-08-22 Thread Liping Zhang
From: Liping Zhang KASAN reported this bug: BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at addr 880002db08c8 Read of size 4 by task lt-nf-queue/19041 Call Trace: [] dump_stack+0x63/0x88 [] kasan_report_error+0x528/0x560

[PATCH nf 2/3] netfilter: cttimeout: put back l4proto when replacing timeout policy

2016-08-22 Thread Liping Zhang
From: Liping Zhang We forget to call nf_ct_l4proto_put when replacing the existing timeout policy. Actually, there's no need to get ct l4proto before doing replace, so we can move it to a later position. Signed-off-by: Liping Zhang ---

[ANNOUNCE] nfacct 1.0.2 release

2016-08-22 Thread Pablo Neira Ayuso
Hi! The Netfilter project presents: nfacct 1.0.2 nfacct is the command line tool to create/retrieve/delete accounting objects. See ChangeLog that comes attached to this email for more details. You can download it from: ftp://ftp.netfilter.org/pub/nfacct/

[ANNOUNCE] libnetfilter_acct 1.0.3 release

2016-08-22 Thread Pablo Neira Ayuso
Hi! The Netfilter project presents: libnetfilter_acct 1.0.3 libnetfilter_acct is the userspace library providing interface to extended accounting infrastructure. See ChangeLog that comes attached to this email for more details. You can download it from:

[ANNOUNCE] libnetfilter_conntrack 1.0.6 release

2016-08-22 Thread Pablo Neira Ayuso
Hi! The Netfilter project presents: libnetfilter_conntrack 1.0.6 libnetfilter_conntrack is a userspace library providing a programming interface (API) to the in-kernel connection tracking state table. The library libnetfilter_conntrack has been previously known as libnfnetlink_conntrack

[PATCH iptables v2 2/2] xtables-translate-restore: do not escape quotes

2016-08-22 Thread Pablo M. Bermudo Garay
If quotes are escaped, nft -f is unable to parse and load the translated ruleset. Signed-off-by: Pablo M. Bermudo Garay --- Changes in v2: - Do not use strcmp against 'program_name' global, propagate 'bool restore' argument instead. iptables/nft-ipv4.c | 6

[PATCH iptables v2 1/2] xtables-translate: add escape_quotes option to comment_xlate

2016-08-22 Thread Pablo M. Bermudo Garay
The comment_xlate function was not supporting this option that is necessary in some situations. Signed-off-by: Pablo M. Bermudo Garay --- Changes in v2: - Ensure that the comment string is null-terminated. extensions/libxt_comment.c | 11 ++- iptables/nft-ipv4.c

[PATCH nft 1/2] ct: allow numeric conntrack labels

2016-08-22 Thread Florian Westphal
When dumping labels in rule list we try to print a symbolic name. If we don't find one, we print the bit number instead. This changes nft to also allow use of the number instead of a name when adding ct label rules so that such dumps can also be restored again. This is similar to other cases,

[PATCH nft 2/2] ct: display bit number instead of raw value

2016-08-22 Thread Florian Westphal
... and add test cases for ct label. Currently this dumped 'label 0x2', now 'label 1' would be shown. This makes add/list behave the same. Signed-off-by: Florian Westphal --- src/ct.c | 2 +- tests/py/any/ct.t | 4 tests/py/any/ct.t.payload | 11

Re: [PATCH iptables 2/3] xtables-compat: check if nft ruleset is compatible

2016-08-22 Thread Pablo Neira Ayuso
On Sun, Aug 21, 2016 at 08:10:26PM +0200, Pablo M. Bermudo Garay wrote: > This patch adds a verification of the compatibility between the nft > ruleset and iptables. If the nft ruleset is not compatible with > iptables, the execution stops and an error message is displayed to the > user. Please,

Re: [PATCH v5] netfilter: nft_numgen: add number generator expression

2016-08-22 Thread Pablo Neira Ayuso
On Thu, Aug 18, 2016 at 12:13:13PM +0200, Laura Garcia Liebana wrote: > Add support for the number generator expression in netfilter. Applied, thanks. I have rewritten the description to something larger. Writing larger description is good for the record, specifically it is good to indicate

Re: [PATCH 1/1] netfilter: gre: Use the consistent GRE and PPTP struct instead of the structures defined in netfilter

2016-08-22 Thread Pablo Neira Ayuso
On Fri, Aug 19, 2016 at 11:01:34PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > There are two structures which define the GRE header and PPTP > header. So it is unnecessary to define duplicated structures in > netfilter again. Please, split this change in smaller

Re: [PATCH nf-next] netfilter: nft_dynset: allow to invert match criteria

2016-08-22 Thread kbuild test robot
Hi Pablo, [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nft_dynset-allow-to-invert-match-criteria/20160819-114223 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master config: x86_64-rhel

Re: [PATCH v3] netfilter: nf_tables: Ensure init attributes are within the bounds

2016-08-22 Thread Laura Garcia
On Mon, Aug 22, 2016 at 05:10:02PM +0800, kbuild test robot wrote: > Hi Laura, > > [auto build test ERROR on nf-next/master] > [also build test ERROR on v4.8-rc3 next-20160822] > [if your patch is applied to the wrong git tree, please drop us a note to > help improve the

Re: [PATCH v3] netfilter: nf_tables: Ensure init attributes are within the bounds

2016-08-22 Thread kbuild test robot
Hi Laura, [auto build test ERROR on nf-next/master] [also build test ERROR on v4.8-rc3 next-20160822] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] [Suggest to use git(>=2.9.0) format-patch --base= (or --base=auto for convenience) to rec

Re: [PATCH nf-next 2/6] netfilter: conntrack: get rid of conntrack timer

2016-08-22 Thread Florian Westphal
Eric Dumazet wrote: > On Fri, 2016-08-19 at 18:04 +0200, Florian Westphal wrote: > > Eric Dumazet wrote: > > > On Fri, 2016-08-19 at 17:16 +0200, Florian Westphal wrote: > > > > > > > Hmm, nf_conntrack_find caller needs to hold rcu_read_lock,