From: Pablo Neira Ayuso
Date: Tue, 30 Aug 2016 13:26:16 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot
Hi, Arturo,
Several light fixes/suggestions are following:
should be: of your choice
> + distro of your choose does this, as there are some interesting things
> + to take into account.
> +
I would suggest: fallback (I think it is more technically common, maybe
I am wrong)
> +
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: 779994fa3636d46848edb402fe7517968e036e6f
commit: adf0516845bcd0e626323c858ece28ee58c74455 [8/29] netfilter: remove
ip_conntrack* sysctl compat code
config: arm64-defconfig (attached as .config)
compiler:
Maximum set description attribute is NFTA_SET_DESC_MAX, instead of
NFTA_SET_MAX.
Signed-off-by: Pablo Neira Ayuso
---
src/set.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/set.c b/src/set.c
index 47b6ef4..4581e3f 100644
--- a/src/set.c
+++
I have been told that the flex scanner won't return empty strings, so
strlen(data) should always be greater than 0. To avoid a hard-to-debug
issue though, add an assert() to make sure this is always the case before
risking an unsigned variable underrun.
A real issue though is the check for 'datalen -
As netlink_get_register() may return NULL, we must not pass the returned
data unchecked to expr_set_type() as that will dereference it. Since the
parser has failed at that point anyway, by returning early we can skip
the useless statement allocation that follows in
netlink_parse_ct_stmt().
For the left side of a concat expression, dtype is NULL and therefore
off is 0. In that case the code expects to get a datatype of
TYPE_INVALID, but this is fragile as the output of concat_subtype_id()
is undefined for n > 32 / TYPE_BITS.
To fix this, call datatype_lookup() directly passing the
Commit 17b495957b29e ("evaluate: reject: fix crash if we have transport
protocol conflict from inet") took care of a crash when using inet or
bridge families, but since then netdev family has been added which also
does not implicitly define the network context. Therefore the crash can
be
On Fri, Aug 26, 2016 at 06:58:44PM +0200, Pablo M. Bermudo Garay wrote:
> This patch adds a cache of rules within the nft handle. This feature is
> useful since the whole ruleset was brought from the kernel for every
> chain during listing operations. In addition with the new checks of
> ruleset
Current parsing methods for SIP header Call-ID do not check correctly all
characters allowed by RFC 3261. In particular "," character is allowed
instead of "'" character. As a result Call-ID headers like the following
are discarded by IPVS SIP persistence engine.
Call-ID: -.!%*_+`'~()<>:\"/[]?{}
Current parsing methods for SIP headers do not properly manage
continuation lines: in case of Call-ID header the first character of
Call-ID header value is truncated. As a result IPVS SIP persistence
engine hashes over a call-id that is not exactly the one present in
the original message.
Update the conntrack-tools manual to include some bits regarding init systems
and the integration with systemd.
More on this topic here:
http://ral-arturo.blogspot.com.es/2016/08/why-conntrackd-in-debian-is-better-with.html
Suggested-by: Pablo Neira Ayuso
Signed-off-by:
Add reference to systemd integration in the manpage.
Signed-off-by: Arturo Borrero Gonzalez
---
conntrackd.8 |7 +++
1 file changed, 7 insertions(+)
diff --git a/conntrackd.8 b/conntrackd.8
index bd195ec..6ccf261 100644
--- a/conntrackd.8
+++
Refresh conntrackd.8 manpage to match the help message in the binary.
Changes are related to the syntax and options of conntrackd,
the syntax of the manpage itself and clarification of some aspects.
Also, break lines at 80 characters.
Signed-off-by: Arturo Borrero Gonzalez
From: Liping Zhang
"meta pkttype set" is only supported on prerouting chain with bridge
family and ingress chain with netdev family.
But the validate check is incomplete, and the user can add the nft
rules on input chain with bridge family, for example:
# nft add
From: Liping Zhang
KASAN reported this bug:
BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at
addr 880002db08c8
Read of size 4 by task lt-nf-queue/19041
Call Trace:
[] dump_stack+0x63/0x88
[] kasan_report_error+0x528/0x560
From: Liping Zhang
After I add the nft rule "nft add rule filter prerouting reject
with tcp reset", kernel panic happened on my system:
NULL pointer dereference at ...
IP: [] nf_send_reset+0xaf/0x400
Call Trace:
[] ? nf_reject_ip_tcphdr_get+0x160/0x160
[]
From: Sabrina Dubroca
commit bcf493428840 ("netfilter: ebtables: Fix extension lookup with
identical name") added a second lookup in case the extension that was
found during the first lookup matched another extension with the same
name, but didn't release the reference on
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Allow nf_tables reject expression from input, forward and output hooks,
since only there the routing information is available, otherwise we crash.
2) Fix unsafe list iteration when flushing timeout and
From: Liping Zhang
We forget to call nf_ct_l4proto_put when replacing the existing
timeout policy. Actually, there's no need to get ct l4proto
before doing replace, so we can move it to a later position.
Signed-off-by: Liping Zhang
From: Liping Zhang
cttimeout and acct objects are deleted from the list while traversing
it, so use list_for_each_entry is unsafe here.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
Before patch:
[ numgen reg 1 = inc(2)]
After patch:
[ numgen reg 1 = inc(2) ]
Signed-off-by: Pablo Neira Ayuso
---
src/expr/numgen.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/expr/numgen.c b/src/expr/numgen.c
index 7be8270..e8fa9a1
Adapt them to the revisited output string now in libnftnl.
Signed-off-by: Pablo Neira Ayuso
---
tests/py/ip/hash.t.payload | 4 ++--
tests/py/ip/numgen.t.payload | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tests/py/ip/hash.t.payload
On Sun, Aug 28, 2016 at 04:50:48PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> After commit "parser_bison: redirect to :port for consistency with
> nat/masq statement" in nftables tree, we should recommend the end
> user to use the new syntax.
>
> Before
On Sun, Aug 28, 2016 at 04:50:47PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> After commit "src: add 'to' for snat and dnat" in nftables tree,
> we should recommend the end user to use the new syntax.
>
> Before this patch:
> # iptables-translate -t nat
On Sun, Aug 28, 2016 at 04:50:46PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> When I want to translate SNAT target to nft rule, an error message
> was printed out:
> # iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1
> iptables-translate
On Sun, Aug 28, 2016 at 09:41:22PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> There is one macro ARPHRD_ETHER which defines the ethernet proto for ARP,
> so we could use it instead of the literal number '1'.
Also applied, thanks.
On Mon, Aug 29, 2016 at 06:25:28PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> The nf_log_set is an interface function, so it should do the strict sanity
> check of parameters. Convert the return value of nf_log_set as int instead
> of void. When the pf is invalid, return
On Thu, Aug 25, 2016 at 03:33:28PM +0200, Florian Westphal wrote:
> During NFWS 2016 it was mentioned that per-conntrack timers have
> two drawbacks:
> - the 5-day default established timeout is very large and brings
> extra constraints for the timer subsystem.
> - most distros enable timer