Re: [PATCH] netfilter: ip_vs_sync: fix bogus maybe-uninitialized warning

2016-10-24 Thread Arnd Bergmann
On Monday, October 24, 2016 10:47:54 PM CEST Julian Anastasov wrote: > > diff --git a/net/netfilter/ipvs/ip_vs_sync.c > > b/net/netfilter/ipvs/ip_vs_sync.c > > index 1b07578bedf3..9350530c16c1 100644 > > --- a/net/netfilter/ipvs/ip_vs_sync.c > > +++ b/net/netfilter/ipvs/ip_vs_sync.c > > @@ -283,6

Re: [PATCH] nf_conntrack_sip: check for trailing spaces

2016-10-24 Thread Ulrich Weber
Hi Pablo,
good point, will send a new version!
Thanks
Ulrich
On 20.10.2016 20:17, Pablo Neira Ayuso wrote:
> Hi Ulrich,
>
> Cc'ing Marco Angaroni.
>
> On Wed, Oct 19, 2016 at 10:24:02AM +0200, Ulrich Weber wrote:
>> on SIP requests, so a fragmented TCP SIP packet starting with
>>

[PATCH] netfilter: ip_vs_sync: fix bogus maybe-uninitialized warning

2016-10-24 Thread Arnd Bergmann
Building the ip_vs_sync code with CONFIG_OPTIMIZE_INLINING on x86 confuses the compiler to the point where it produces a rather dubious warning message:
net/netfilter/ipvs/ip_vs_sync.c:1073:33: error: ‘opt.init_seq’ may be used uninitialized in this function [-Werror=maybe-uninitialized]

[PATCH 3/3 nft] src: add fib expression

2016-10-24 Thread Florian Westphal
This adds the 'fib' expression which can be used to obtain the output interface from the route table based on either source or destination address of a packet. This can be used to e.g. add reverse path filtering:
# drop if not coming from the same interface packet
# arrived on
# nft add rule

[PATCH 2/3 libnftables] expr: add fib expression

2016-10-24 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/libnftnl/expr.h | 6 + include/linux/netfilter/nf_tables.h | 36 + src/Makefile.am | 1 + src/expr/fib.c | 273 src/expr_ops.c

[PATCH 0/3 various] netfilter: add fib expression

2016-10-24 Thread Florian Westphal
This adds the FIB expression to query fib for oif and route/address type. This provides functionality of the xtables 'rpfilter' and 'addrtype' matches. The '--local' option supported by the rpfilter match is not supported anymore, but it is possible to use extra rules (either checking for

[PATCH 1/3 nf-next] nf_tables: add fib expression

2016-10-24 Thread Florian Westphal
Add FIB expression, supported for ipv4, ipv6 and inet family (the latter just dispatches to ipv4 or ipv6 one based on nfproto). Currently supports fetching output interface index/name and the rtm_type associated with an address. This can be used for adding path filtering. rtm_type is useful to