Re: [PATCH 1/1 linux-next] netfilter: conntrack: fix kmemleak false positive

2016-09-22 Thread Florian Westphal
Fabian Frederick wrote: > Hello Florian, > >         First problem is solved: table gets cleared 3 minutes earlier > but I still have kmemleak before running the following: > > echo scan > /sys/kernel/debug/kmemleak > cat /sys/kernel/debug/kmemleak > Nothing > echo scan >

Re: [PATCH v3 2/2] netfilter: Create revision 2 of xt_hashlimit to support higher pps rates

2016-09-22 Thread Vishwanath Pai
Thanks for pointing this out, I will reorder the fields to: struct hashlimit_cfg2 { __u64 avg; /* Average secs between packets * scale */ __u64 burst; __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ This should fix the hole and avoid padding. -Vishwanath On

Re: [PATCH nf] netfilter: nf_tables: Ensure u8 attributes are loaded from u32 within the bounds

2016-09-22 Thread Laura Garcia
On Thu, Sep 22, 2016 at 09:16:07AM -0700, Eric Dumazet wrote: > On Thu, 2016-09-22 at 16:58 +0200, Pablo Neira Ayuso wrote: > > attributes") > > > > Always use 12 bytes commit-ids. 4da449a is too short, given the number > > of changes we're getting in the kernel tree, this may become ambiguous >

Re: [PATCH nf] netfilter: nf_tables: Ensure u8 attributes are loaded from u32 within the bounds

2016-09-22 Thread Laura Garcia
On Thu, Sep 22, 2016 at 04:58:36PM +0200, Pablo Neira Ayuso wrote: > On Wed, Sep 14, 2016 at 03:00:02PM +0200, Laura Garcia Liebana wrote: > > Check storage of u32 netlink attributes in smaller resources. This > > validation is usually required when the u32 netlink attributes are being > > stored

Re: [PATCH 1/1 linux-next] netfilter: conntrack: fix kmemleak false positive

2016-09-22 Thread Fabian Frederick
> On 21 September 2016 at 23:02 Florian Westphal wrote: > > > Fabian Frederick wrote: > > Since commit f330a7fdbe16 > > ("netfilter: conntrack: get rid of conntrack timer") > > > > closed connections remain longer in /proc/net/nf_conntrack > > > > Running

Re: [PATCH v3 2/2] netfilter: Create revision 2 of xt_hashlimit to support higher pps rates

2016-09-22 Thread Jan Engelhardt
On Thursday 2016-09-22 18:43, Vishwanath Pai wrote: >+struct hashlimit_cfg2 { >+ __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ >+ __u64 avg;/* Average secs between packets * scale */ >+ __u64 burst; /* Period multiplier for upper limit. */ This would have different

[PATCH v3 2/2] netfilter: Create revision 2 of xt_hashlimit to support higher pps rates

2016-09-22 Thread Vishwanath Pai
V2: Removed the call to BUG() in cfg_copy, we return -EINVAL instead and all calls to cfg_copy check for this V3: change "revision" in the call to cfg_copy inside htable_create to 2 previously this would pass down revision from the function parameter this is wrong since *cfg here is always

[PATCH v3 1/2] netfilter: Prepare xt_hashlimit.c for revision 2

2016-09-22 Thread Vishwanath Pai
I am planning to add a revision 2 for the hashlimit xtables module to support higher packets per second rates. This patch renames all the functions and variables related to revision 1 by adding _v1 at the end of the names. Signed-off-by: Vishwanath Pai Signed-off-by: Joshua Hunt

Re: [PATCH nf] netfilter: nf_tables: Ensure u8 attributes are loaded from u32 within the bounds

2016-09-22 Thread Eric Dumazet
On Thu, 2016-09-22 at 16:58 +0200, Pablo Neira Ayuso wrote: > attributes") > > Always use 12 bytes commit-ids. 4da449a is too short, given the number > of changes we're getting in the kernel tree, this may become ambiguous > at some point so it won't be unique. > > You can achieve this via: git

Re: [PATCH nf-next] netfilter: xt_helper: Use sizeof(variable) instead of literal number

2016-09-22 Thread Pablo Neira Ayuso
On Tue, Sep 20, 2016 at 10:31:04AM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > It's better to use sizeof(info->name)-1 as index to force set the string > tail instead of literal number '29'. Applied, thanks.

Re: [PATCH nf-next] netfilter: nf_tables: check tprot_set first when we use xt.thoff

2016-09-22 Thread Pablo Neira Ayuso
On Sat, Sep 17, 2016 at 02:31:20PM +0800, Liping Zhang wrote: > From: Liping Zhang > > pkt->xt.thoff is not always set properly, but we use it without any check. > For payload expr, it will cause wrong results. For nftrace, we may notify > the wrong network or

Re: [PATCH nf-next] netfilter: nf_queue: improve queue range support for bridge family

2016-09-22 Thread Pablo Neira Ayuso
On Thu, Sep 15, 2016 at 08:50:16PM +0800, Liping Zhang wrote: > From: Liping Zhang > > After commit ac2863445686 ("netfilter: bridge: add nf_afinfo to enable > queuing to userspace"), we can queue packets to the user space in bridge > family. But when the user

Re: [PATCH nft] tests: py: add more test cases for queue expr

2016-09-22 Thread Pablo Neira Ayuso
On Thu, Sep 15, 2016 at 12:02:09AM +0800, Liping Zhang wrote: > From: Liping Zhang > > It's necessary to cover more test cases, for example, large queue > range 1-65535, error queue number 65536. > > Also add a space before trailing square brackets, this is updated

Re: [PATCH nf-next V2] netfilter: nft_queue: add _SREG_QNUM attr to select the queue number

2016-09-22 Thread Pablo Neira Ayuso
On Wed, Sep 14, 2016 at 11:41:46PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Currently, the user can specify the queue numbers by _QUEUE_NUM and > _QUEUE_TOTAL attributes, this is enough in most situations. > > But actually, it is not very flexible, for

Re: [PATCH nf] netfilter: nf_tables: Ensure u8 attributes are loaded from u32 within the bounds

2016-09-22 Thread Pablo Neira Ayuso
On Thu, Sep 22, 2016 at 04:58:36PM +0200, Pablo Neira Ayuso wrote: > On Wed, Sep 14, 2016 at 03:00:02PM +0200, Laura Garcia Liebana wrote: > > Check storage of u32 netlink attributes in smaller resources. This > > validation is usually required when the u32 netlink attributes are being > > stored

[PATCH nft] src: support ct l3proto/protocol without direction syntax

2016-09-22 Thread Liping Zhang
From: Liping Zhang Actually, ct l3proto and ct protocol are unrelated to direction, so it's unnecessary that we must specify dir if we want to use them. Now add support so that we can match ct l3proto/protocol without direction: # nft add rule filter input ct

Re: [PATCH v3 libnftnl] expr: numgen: add number generation offset

2016-09-22 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 01:50:41PM +0200, Laura Garcia Liebana wrote: > Add support to pass through an offset value to the counter > initialization. With this feature, the sysadmin is able to apply a value > to be added to the generated number. > > Example: > > meta mark set numgen inc mod

Re: [PATCH conntrack-tools] Link nfct and helper modules with `-z lazy`

2016-09-22 Thread Pablo Neira Ayuso
On Sun, Sep 11, 2016 at 01:54:19PM -0700, Kevin Cernekee wrote: > Some distributions, such as Gentoo and Chrome OS, try to link all > programs with `-z now` as a security hardening measure. This breaks > nfct, because nfct cannot satisfy all of the helper modules' symbols. > Therefore nfct

[PATCH nf v5] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

2016-09-22 Thread fgao
From: Gao Feng It is valid for a TCP RST packet not to set the ack flag, with the bytes of the ack number being zero. But the current seqadj code would adjust the "0" ack to an invalid ack number. Actually seqadj needs to check the ack flag before adjusting it for these RST packets. The

[PATCH nf v4] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack

2016-09-22 Thread fgao
From: Gao Feng It is valid for a TCP RST packet not to set the ack flag, with the bytes of the ack number being zero. But the current seqadj code would adjust the "0" ack to an invalid ack number. Actually seqadj needs to check the ack flag before adjusting it for these RST packets. The