Re: [PATCH 0/7] Netfilter fixes for net

2016-08-30 Thread David Miller
From: Pablo Neira Ayuso Date: Tue, 30 Aug 2016 13:26:16 +0200 > The following patchset contains Netfilter fixes for your net tree, > they are: ... > You can pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Pulled, thanks a lot

Re: [conntrack-tools PATCH 4/4] doc/manual/conntrack-tools: include some bits about init systems

2016-08-30 Thread Rami Rosen
Hi, Arturo, Several light fixes/suggestions follow: should be: of your choice > + distro of your choose does this, as there are some interesting things > + to take into account. > + I would suggest: fallback (I think it is more technically common, maybe I am wrong) > +

[nf-next:master 8/29] ERROR: "nf_conntrack_htable_size" [net/ipv4/netfilter/nf_conntrack_ipv4.ko] undefined!

2016-08-30 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: 779994fa3636d46848edb402fe7517968e036e6f commit: adf0516845bcd0e626323c858ece28ee58c74455 [8/29] netfilter: remove ip_conntrack* sysctl compat code config: arm64-defconfig (attached as .config) compiler:

[PATCH libnftnl] set: fix incorrect maximum set description attribute

2016-08-30 Thread Pablo Neira Ayuso
Maximum set description attribute is NFTA_SET_DESC_MAX, instead of NFTA_SET_MAX. Signed-off-by: Pablo Neira Ayuso --- src/set.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/set.c b/src/set.c index 47b6ef4..4581e3f 100644 --- a/src/set.c +++

[nft PATCH v2 1/4] evaluate: Fix datalen checks in expr_evaluate_string()

2016-08-30 Thread Phil Sutter
I have been told that the flex scanner won't return empty strings, so strlen(data) should always be greater than 0. To avoid a hard to debug issue though, add an assert() to make sure this is always the case before risking an unsigned variable underrun. A real issue though is the check for 'datalen -

[nft PATCH v2 2/4] netlink_delinearize: Avoid potential null pointer deref

2016-08-30 Thread Phil Sutter
As netlink_get_register() may return NULL, we must not pass the returned data unchecked to expr_set_type() as that will dereference it. Since the parser has failed at that point anyway, by returning early we can skip the useless statement allocation that follows in netlink_parse_ct_stmt().

[nft PATCH v2 4/4] evaluate: Avoid undefined behaviour in concat_subtype_id()

2016-08-30 Thread Phil Sutter
For the left side of a concat expression, dtype is NULL and therefore off is 0. In that case the code expects to get a datatype of TYPE_INVALID, but this is fragile as the output of concat_subtype_id() is undefined for n > 32 / TYPE_BITS. To fix this, call datatype_lookup() directly passing the

[nft PATCH v2 3/4] stmt_evaluate_reset: Have a generic fix for missing network context

2016-08-30 Thread Phil Sutter
Commit 17b495957b29e ("evaluate: reject: fix crash if we have transport protocol conflict from inet") took care of a crash when using inet or bridge families, but since then netdev family has been added which also does not implicitly define the network context. Therefore the crash can be

Re: [PATCH iptables v3 2/2] xtables-compat: add rule cache

2016-08-30 Thread Pablo Neira Ayuso
On Fri, Aug 26, 2016 at 06:58:44PM +0200, Pablo M. Bermudo Garay wrote: > This patch adds a cache of rules within the nft handle. This feature is > useful since the whole ruleset was brought from the kernel for every > chain during listing operations. In addition with the new checks of > ruleset

[PATCH 2/2] netfilter: correct allowed characters in Call-ID SIP header

2016-08-30 Thread Marco Angaroni
Current parsing methods for SIP header Call-ID do not check correctly all characters allowed by RFC 3261. In particular "," character is allowed instead of "'" character. As a result Call-ID headers like the following are discarded by IPVS SIP persistence engine. Call-ID: -.!%*_+`'~()<>:\"/[]?{}

[PATCH 1/2] netfilter: correct parsing of continuation lines in SIP headers

2016-08-30 Thread Marco Angaroni
Current parsing methods for SIP headers do not properly manage continuation lines: in case of Call-ID header the first character of Call-ID header value is truncated. As a result IPVS SIP persistence engine hashes over a call-id that is not exactly the one present in the original message.

[conntrack-tools PATCH 4/4] doc/manual/conntrack-tools: include some bits about init systems

2016-08-30 Thread Arturo Borrero Gonzalez
Update the conntrack-tools manual to include some bits regarding init systems and the integration with systemd. More on this topic here: http://ral-arturo.blogspot.com.es/2016/08/why-conntrackd-in-debian-is-better-with.html Suggested-by: Pablo Neira Ayuso Signed-off-by:

[conntrack-tools PATCH 3/4] conntrackd.8: add reference to systemd

2016-08-30 Thread Arturo Borrero Gonzalez
Add reference to systemd integration in the manpage. Signed-off-by: Arturo Borrero Gonzalez --- conntrackd.8 |7 +++ 1 file changed, 7 insertions(+) diff --git a/conntrackd.8 b/conntrackd.8 index bd195ec..6ccf261 100644 --- a/conntrackd.8 +++

[conntrack-tools PATCH 2/4] conntrackd.8: refresh file

2016-08-30 Thread Arturo Borrero Gonzalez
Refresh conntrackd.8 manpage to match the help message in the binary. Changes are related to the syntax and options of conntrackd, the syntax of the manpage itself and clarification of some aspects. Also, break lines at 80 characters. Signed-off-by: Arturo Borrero Gonzalez

[PATCH 5/7] netfilter: nft_meta: improve the validity check of pkttype set expr

2016-08-30 Thread Pablo Neira Ayuso
From: Liping Zhang "meta pkttype set" is only supported on prerouting chain with bridge family and ingress chain with netdev family. But the validate check is incomplete, and the user can add the nft rules on input chain with bridge family, for example: # nft add

[PATCH 4/7] netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists

2016-08-30 Thread Pablo Neira Ayuso
From: Liping Zhang KASAN reported this bug: BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at addr 880002db08c8 Read of size 4 by task lt-nf-queue/19041 Call Trace: [] dump_stack+0x63/0x88 [] kasan_report_error+0x528/0x560

[PATCH 1/7] netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT

2016-08-30 Thread Pablo Neira Ayuso
From: Liping Zhang After I add the nft rule "nft add rule filter prerouting reject with tcp reset", kernel panic happened on my system: NULL pointer dereference at ... IP: [] nf_send_reset+0xaf/0x400 Call Trace: [] ? nf_reject_ip_tcphdr_get+0x160/0x160 []

[PATCH 6/7] netfilter: ebtables: put module reference when an incorrect extension is found

2016-08-30 Thread Pablo Neira Ayuso
From: Sabrina Dubroca commit bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name") added a second lookup in case the extension that was found during the first lookup matched another extension with the same name, but didn't release the reference on

[PATCH 0/7] Netfilter fixes for net

2016-08-30 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Allow nf_tables reject expression from input, forward and output hooks, since only there the routing information is available, otherwise we crash. 2) Fix unsafe list iteration when flushing timeout and

[PATCH 3/7] netfilter: cttimeout: put back l4proto when replacing timeout policy

2016-08-30 Thread Pablo Neira Ayuso
From: Liping Zhang We forget to call nf_ct_l4proto_put when replacing the existing timeout policy. Actually, there's no need to get ct l4proto before doing replace, so we can move it to a later position. Signed-off-by: Liping Zhang

[PATCH 2/7] netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects

2016-08-30 Thread Pablo Neira Ayuso
From: Liping Zhang cttimeout and acct objects are deleted from the list while traversing it, so use list_for_each_entry is unsafe here. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso ---

[PATCH libnftnl 2/3] expr: numgen: add missing trailing whitespace

2016-08-30 Thread Pablo Neira Ayuso
Before patch: [ numgen reg 1 = inc(2)] After patch: [ numgen reg 1 = inc(2) ] Signed-off-by: Pablo Neira Ayuso --- src/expr/numgen.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/expr/numgen.c b/src/expr/numgen.c index 7be8270..e8fa9a1

[PATCH nft] tests: py: adapt netlink bytecode output of numgen and hash

2016-08-30 Thread Pablo Neira Ayuso
Adapt them to the revisited output string now in libnftnl. Signed-off-by: Pablo Neira Ayuso --- tests/py/ip/hash.t.payload | 4 ++-- tests/py/ip/numgen.t.payload | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/py/ip/hash.t.payload

Re: [PATCH iptables 3/3] extensions: libip[6]t_REDIRECT: use new nft syntax when do xlate

2016-08-30 Thread Pablo Neira Ayuso
On Sun, Aug 28, 2016 at 04:50:48PM +0800, Liping Zhang wrote: > From: Liping Zhang > > After commit "parser_bison: redirect to :port for consistency with > nat/masq statement" in nftables tree, we should recommend the end > user to use the new syntax. > > Before

Re: [PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate

2016-08-30 Thread Pablo Neira Ayuso
On Sun, Aug 28, 2016 at 04:50:47PM +0800, Liping Zhang wrote: > From: Liping Zhang > > After commit "src: add 'to' for snat and dnat" in nftables tree, > we should recommend the end user to use the new syntax. > > Before this patch: > # iptables-translate -t nat

Re: [PATCH iptables 1/3] extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nft

2016-08-30 Thread Pablo Neira Ayuso
On Sun, Aug 28, 2016 at 04:50:46PM +0800, Liping Zhang wrote: > From: Liping Zhang > > When I want to translate SNAT target to nft rule, an error message > was printed out: > # iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1 > iptables-translate

Re: [PATCH nf-next] netfilter: log_arp: Use ARPHRD_ETHER instead of literal '1'

2016-08-30 Thread Pablo Neira Ayuso
On Sun, Aug 28, 2016 at 09:41:22PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > There is one macro ARPHRD_ETHER which defines the ethernet proto for ARP, > so we could use it instead of the literal number '1'. Also applied, thanks.

Re: [PATCH v2 nf] netfilter: log: Check param to avoid overflow in nf_log_set

2016-08-30 Thread Pablo Neira Ayuso
On Mon, Aug 29, 2016 at 06:25:28PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > The nf_log_set is an interface function, so it should do the strict sanity > check of parameters. Convert the return value of nf_log_set as int instead > of void. When the pf is invalid, return

Re: netfilter: get rid of per-object conntrack timers

2016-08-30 Thread Pablo Neira Ayuso
On Thu, Aug 25, 2016 at 03:33:28PM +0200, Florian Westphal wrote: > During NFWS 2016 it was mentioned that per-conntrack timers have > two drawbacks: > - the 5-day default established timeout is very large and brings >extra constraints for the timer subsystem. > - most distros enable timer