The libnetfilter_conntrack userland library always sets IPS_CONFIRMED
when building a CTA_STATUS attribute. If this toggles the bit from
0->1, the parser will return an error. On Linux 4.4+ this will cause any
NFQA_EXP attribute in the packet to be ignored. This breaks conntrackd's
userland
Hello,
On Mon, 23 Jan 2017, David Windsor wrote:
> Currently, the ip_vs_dest cache frees ip_vs_dest objects when their
> reference count becomes < 0. Aside from not being semantically sound,
> this is problematic for the new type refcount_t, which will be introduced
> shortly in a
On Thu, 2017-01-26 at 20:19 +0100, Pablo Neira Ayuso wrote:
> Right. This is not percpu as in IPv4.
>
> I can send a follow up patch to get this in sync with the way we do it
> in IPv4, ie. add percpu socket.
>
> Fine with this approach? Thanks!
Not really.
percpu sockets are going to slow
On Thu, Jan 26, 2017 at 10:02:40AM -0800, Eric Dumazet wrote:
> On Thu, 2017-01-26 at 17:37 +0100, Pablo Neira Ayuso wrote:
> > From: Pau Espin Pedrol
> >
> > Otherwise, RST packets generated by the TCP stack for non-existing
> > sockets always have mark 0.
> > The mark
On Thu, 2017-01-26 at 17:37 +0100, Pablo Neira Ayuso wrote:
> From: Pau Espin Pedrol
>
> Otherwise, RST packets generated by the TCP stack for non-existing
> sockets always have mark 0.
> The mark from the original packet is assigned to the netns_ipv4/6
> socket used to
On Thu, 2017-01-26 at 10:00 -0800, Eric Dumazet wrote:
> On Thu, 2017-01-26 at 17:24 +0100, Florian Westphal wrote:
>
> > I think it makes sense to set dst->incoming
> > to a stub in br_netfilter_rtable_init() to just kfree_skb()+
> > WARN_ON_ONCE(), no need to add code to ip stack or crash
On Thu, 2017-01-26 at 17:24 +0100, Florian Westphal wrote:
> I think it makes sense to set dst->incoming
> to a stub in br_netfilter_rtable_init() to just kfree_skb()+
> WARN_ON_ONCE(), no need to add code to ip stack or crash kernel
> due to brnf bug.
Just kfree_skb() would hide bugs.
Dropping
From: Florian Westphal
Date: Thu, 26 Jan 2017 17:24:33 +0100
> Eric Dumazet wrote:
>> > Though possibly with different things not setting the "input" function
>> > pointer in the "struct dst_entry".
>> >
>> > include/net/dst.h:
>> > 496 static inline
Currently, stateful objects can be listed by: listing all objects in
all tables; listing a single object in a table. Now it's allowed to
list all objects in a table.
$ nft list counters table filter
table ip filter {
counter https-traffic {
packets 14825 bytes 950063
This allows writing pytests using the new stateful objects.
To add an object use the symbol '%', followed by the name, type and
specifications (currently used in quota):
%cnt1 type counter;ok # Adds the counter cnt1 to all tables
%qt1 type quota over 25 mbytes;ok # Adds the quota qt1 to all
Currently the stateful objects can only be listed in groups. With this
patch listing a single object is allowed:
$ nft list counter filter https-traffic
table ip filter {
counter https-traffic {
packets 4014 bytes 228948
}
}
$ nft list quota filter https-quota
From: Liping Zhang
Currently, if the user adds a stateful object with a name size exceeding
NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently.
This is not friendly; furthermore, this will cause duplicated stateful
objects when the first 31 characters of the
From: Pau Espin Pedrol
Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
the routing is checked later in the same code path.
Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
Cc: Lorenzo Colitti
From: Liping Zhang
First, the log prefix will be truncated to NF_LOG_PREFIXLEN-1, i.e. 127,
at nf_log_packet(), so the extra part is useless.
Second, after adding a log rule with a very very long prefix, we will
fail to dump the nft rules after this _special_ one, but
If the element exists and no NLM_F_EXCL is specified, do not bump
set->nelems, otherwise we leak one set element slot. This problem
amplifies if the set is full since the abort path always decrements the
counter for the -ENFILE case too, giving one spare extra slot.
Fix this by moving set->nelems
From: Florian Westphal
Instead of breaking the loop and doing an instant resched, don't bother checking
this in the first place (the loop calls cond_resched for every bucket anyway).
Suggested-by: Nicolas Dichtel
Signed-off-by: Florian Westphal
From: Alexander Alemayhu
o s/numerice/numeric
o s/opertaor/operator
Signed-off-by: Alexander Alemayhu
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 4 ++--
1 file changed, 2 insertions(+),
From: Pau Espin Pedrol
Otherwise, RST packets generated by the TCP stack for non-existing
sockets always have mark 0.
The mark from the original packet is assigned to the netns_ipv4/6
socket used to send the response so that it can get copied into the
response skb when the
The flush operation needs to modify set and element objects, so let's
deconstify this.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 6 +++---
net/netfilter/nf_tables_api.c | 24
net/netfilter/nft_set_hash.c | 2
From: Liping Zhang
When dumping nft stateful objects, if neither the NFTA_OBJ_TABLE nor the
NFTA_OBJ_TYPE attribute is specified, filter will become NULL, so an oops
will happen (actually the nft utility will always set the NFTA_OBJ_TABLE attr,
so I wrote a test program to make this
Add missing set->ndeact update on each deactivated element from the set
flush path. Otherwise, sets with fixed size break after flush since
accounting breaks.
# nft add set x y { type ipv4_addr\; size 2\; }
# nft add element x y { 1.1.1.1 }
# nft add element x y { 1.1.1.2 }
# nft flush set x
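The two accounting bugs above (charging a slot for an element that already exists when NLM_F_EXCL is absent, and flushing a set without counting the deactivations in set->ndeact) come down to the same bookkeeping rule: a fixed-size set may hold at most size elements plus the ones deactivated in the current transaction. The following user-space model is an added example, not kernel code from nf_tables_api.c; the field names nelems, ndeact and size follow the commit messages, the element storage, the buggy flag and the commit step are assumptions of the model, and the bound check mirrors an atomic_add_unless(&set->nelems, 1, size + ndeact) style limit. The flush scenario is the page's own: size 2, add 1.1.1.1 and 1.1.1.2, flush, then try to add again.

```c
/*
 * User-space model of nft fixed-size set slot accounting (not kernel code).
 * nelems counts slots in use; ndeact counts elements deactivated in the
 * current transaction, which keep their slot until commit.  An add is
 * refused with -ENFILE once nelems reaches size + ndeact.  The "buggy"
 * flag reproduces the two accounting mistakes described on the page.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_ELEMS 16

struct set_elem {
	unsigned int key;
	bool used;    /* slot is allocated */
	bool active;  /* element visible; false while pending removal */
};

struct nft_set_model {
	unsigned int size;    /* 0 means unbounded */
	unsigned int nelems;  /* slots in use */
	unsigned int ndeact;  /* uncommitted deactivations (model: unsigned, like a counter) */
	struct set_elem elems[MAX_ELEMS];
};

static int find_active(const struct nft_set_model *s, unsigned int key)
{
	for (int i = 0; i < MAX_ELEMS; i++)
		if (s->elems[i].used && s->elems[i].active && s->elems[i].key == key)
			return i;
	return -1;
}

/* Returns 0, -EEXIST (present and NLM_F_EXCL set) or -ENFILE (full).
 * Bug 1: with buggy, an already-present element without NLM_F_EXCL is
 * still charged a slot, so one slot leaks per such add. */
static int set_add(struct nft_set_model *s, unsigned int key, bool excl, bool buggy)
{
	if (find_active(s, key) >= 0) {
		if (excl)
			return -EEXIST;
		if (buggy)
			s->nelems++;
		return 0;
	}
	/* same bound as atomic_add_unless(&set->nelems, 1, size + ndeact) */
	if (s->size && s->nelems == s->size + s->ndeact)
		return -ENFILE;
	for (int i = 0; i < MAX_ELEMS; i++) {
		if (!s->elems[i].used) {
			s->elems[i] = (struct set_elem){ key, true, true };
			s->nelems++;
			return 0;
		}
	}
	return -ENFILE;
}

/* Bug 2: with buggy, flush deactivates every element without recording
 * the deactivations in ndeact. */
static void set_flush(struct nft_set_model *s, bool buggy)
{
	for (int i = 0; i < MAX_ELEMS; i++) {
		if (s->elems[i].used && s->elems[i].active) {
			s->elems[i].active = false;
			if (!buggy)
				s->ndeact++;
		}
	}
}

/* Commit: release each deactivated element's slot and undo its ndeact
 * entry.  If flush never counted it, ndeact wraps and the size + ndeact
 * bound in set_add is corrupted for every later add. */
static void set_commit(struct nft_set_model *s)
{
	for (int i = 0; i < MAX_ELEMS; i++) {
		if (s->elems[i].used && !s->elems[i].active) {
			s->elems[i].used = false;
			s->nelems--;
			s->ndeact--;
		}
	}
}

/* The page's sequence: size 2, add 1.1.1.1 and 1.1.1.2, flush, commit,
 * then add a third address into the now-empty set.  Returns that add's
 * result: 0 when accounting is right, -ENFILE with the flush bug. */
static int flush_then_add(bool buggy)
{
	struct nft_set_model s = { .size = 2 };

	set_add(&s, 0x01010101, false, false);
	set_add(&s, 0x01010102, false, false);
	set_flush(&s, buggy);
	set_commit(&s);
	return set_add(&s, 0x01010103, false, false);
}

/* Size 3 with two members; re-adding a member without NLM_F_EXCL must
 * not consume the third slot.  Returns the result of adding a third
 * distinct element: 0 when right, -ENFILE when a slot leaked. */
static int dup_add_then_fill(bool buggy)
{
	struct nft_set_model s = { .size = 3 };

	set_add(&s, 1, false, buggy);
	set_add(&s, 2, false, buggy);
	set_add(&s, 1, false, buggy);
	return set_add(&s, 3, false, buggy);
}

int main(void)
{
	printf("flush then add: fixed=%d buggy=%d\n", flush_then_add(false), flush_then_add(true));
	printf("dup add, then fill: fixed=%d buggy=%d\n", dup_add_then_fill(false), dup_add_then_fill(true));
	return 0;
}
```

In the buggy flush case the set is empty after commit yet the next add fails with -ENFILE, which is the "sets with fixed size break after flush" symptom; in the duplicate-add case a set with three slots and two members refuses a third member. Both are pure accounting failures, which is why the fixes touch only the counters and not the element storage.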
From: William Breathitt Gray
The NF_CONNTRACK Kconfig option description makes an incorrect reference
to the "meta" expression where the "ct" expression would be correct. This
patch fixes the respective typographical error.
Fixes: d497c6352736 ("netfilter: add help
Eric Dumazet wrote:
> > Though possibly with different things not setting the "input" function
> > pointer in the "struct dst_entry".
> >
> > include/net/dst.h:
> > 496 static inline int dst_input(struct sk_buff *skb) {
> > 498 return
On Thu, Jan 26, 2017 at 05:06:56PM +0530, Shivani Bhardwaj wrote:
> On Thu, Jan 26, 2017 at 2:49 PM, Shyam Saini wrote:
> > Fix wrong appending of jump verdict after the comment
> >
> > For example:
> > $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s
On Thu, 2017-01-26 at 09:32 -0600, Roy Keene wrote:
> This bug appears to have existed for a long time:
>
> https://www.spinics.net/lists/netdev/msg222459.html
>
> http://www.kernelhub.org/?p=2=823752
>
> Though possibly with different things not setting the "input" function
>
Currently, the ip_vs_dest cache frees ip_vs_dest objects when their
reference count becomes < 0. Aside from not being semantically sound,
this is problematic for the new type refcount_t, which will be introduced
shortly in a separate patch. refcount_t is the new kernel type for
holding reference
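Why "free when the count goes below zero" cannot survive a move to refcount_t is easiest to see with both conventions side by side. The model below is an added example, not IPVS code or the refcount_t series; it assumes the old convention treats count 0 as "one holder" (count = holders - 1) so that freeing on the drop below zero is at least internally consistent, and it stands in for kfree() with a counter so a double free can be observed. The refcount_t side models the documented behaviour of refcount_dec_and_test(): true only on the 1 to 0 transition, and a decrement at 0 is an underflow that the kernel type warns about instead of wrapping, so it never reports a stale object as "last reference dropped".

```c
/*
 * User-space model of two reference-count conventions (not IPVS code).
 * Old: a signed counter, object freed when it goes below zero; count 0
 * means the object is still held (assumed: count = holders - 1).
 * New: refcount_t-style unsigned counter, freed on the 1 -> 0 transition,
 * which refuses to go below zero.  "frees" stands in for kfree().
 */
#include <stdbool.h>
#include <stdio.h>

struct old_dest { int refcnt; int frees; };

static void old_dest_init(struct old_dest *d) { d->refcnt = 0; d->frees = 0; }
static void old_dest_get(struct old_dest *d)  { d->refcnt++; }
static void old_dest_put(struct old_dest *d)
{
	if (--d->refcnt < 0)   /* -1: free; -2, -3, ...: freed again (double free) */
		d->frees++;
}

struct refcount { unsigned int refs; bool saturated; };

/* Model of refcount_dec_and_test(): true only on 1 -> 0.  A decrement at
 * 0 is an underflow: recorded as saturated, never reported as the last drop. */
static bool refcount_dec_and_test(struct refcount *r)
{
	if (r->saturated || r->refs == 0) {
		r->saturated = true;
		return false;
	}
	return --r->refs == 0;
}

struct new_dest { struct refcount refcnt; int frees; };

static void new_dest_init(struct new_dest *d)
{
	d->refcnt.refs = 1;          /* one holder is count 1, not count 0 */
	d->refcnt.saturated = false;
	d->frees = 0;
}
static void new_dest_get(struct new_dest *d) { if (!d->refcnt.saturated) d->refcnt.refs++; }
static void new_dest_put(struct new_dest *d)
{
	if (refcount_dec_and_test(&d->refcnt))
		d->frees++;
}

/* Balanced use: init, one get, two puts.  Both conventions free exactly once. */
static int old_frees_balanced(void)
{
	struct old_dest d; old_dest_init(&d);
	old_dest_get(&d); old_dest_put(&d); old_dest_put(&d);
	return d.frees;
}
static int new_frees_balanced(void)
{
	struct new_dest d; new_dest_init(&d);
	new_dest_get(&d); new_dest_put(&d); new_dest_put(&d);
	return d.frees;
}

/* Unbalanced use: one put too many after the object is already gone.
 * Old convention frees the stale object a second time; refcount_t refuses. */
static int old_frees_double_put(void)
{
	struct old_dest d; old_dest_init(&d);
	old_dest_get(&d); old_dest_put(&d); old_dest_put(&d); old_dest_put(&d);
	return d.frees;
}
static int new_frees_double_put(void)
{
	struct new_dest d; new_dest_init(&d);
	new_dest_get(&d); new_dest_put(&d); new_dest_put(&d); new_dest_put(&d);
	return d.frees;
}
static bool new_double_put_detected(void)
{
	struct new_dest d; new_dest_init(&d);
	new_dest_get(&d); new_dest_put(&d); new_dest_put(&d); new_dest_put(&d);
	return d.refcnt.saturated;
}

int main(void)
{
	printf("balanced: old=%d new=%d\n", old_frees_balanced(), new_frees_balanced());
	printf("double put: old=%d new=%d detected=%d\n", old_frees_double_put(),
	       new_frees_double_put(), new_double_put_detected());
	return 0;
}
```

The conversion is therefore not a type swap: the object has to be created with count 1 and released on reaching 0, which is what makes the "< 0" check both semantically odd and impossible to express with a type whose whole point is that 0 is the freed state and cannot be crossed.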