[PATCH V2 1/2] netfilter: ctnetlink: Fix regression in CTA_STATUS processing

2017-01-26 Thread Kevin Cernekee
The libnetfilter_conntrack userland library always sets IPS_CONFIRMED when building a CTA_STATUS attribute. If this toggles the bit from 0->1, the parser will return an error. On Linux 4.4+ this will cause any NFQA_EXP attribute in the packet to be ignored. This breaks conntrackd's userland

Re: [PATCH v2 net] net: free ip_vs_dest structs when refcnt=0

2017-01-26 Thread Julian Anastasov
Hello, On Mon, 23 Jan 2017, David Windsor wrote: > Currently, the ip_vs_dest cache frees ip_vs_dest objects when their > reference count becomes < 0. Aside from not being semantically sound, > this is problematic for the new type refcount_t, which will be introduced > shortly in a

Re: [PATCH 02/14] tcp: fix mark propagation with fwmark_reflect enabled

2017-01-26 Thread Eric Dumazet
On Thu, 2017-01-26 at 20:19 +0100, Pablo Neira Ayuso wrote: > Right. This is not percpu as in IPv4. > > I can send a follow up patch to get this in sync with the way we do it > in IPv4, ie. add percpu socket. > > Fine with this approach? Thanks! Not really. percpu sockets are going to slow

Re: [PATCH 02/14] tcp: fix mark propagation with fwmark_reflect enabled

2017-01-26 Thread Pablo Neira Ayuso
On Thu, Jan 26, 2017 at 10:02:40AM -0800, Eric Dumazet wrote: > On Thu, 2017-01-26 at 17:37 +0100, Pablo Neira Ayuso wrote: > > From: Pau Espin Pedrol > > > > Otherwise, RST packets generated by the TCP stack for non-existing > > sockets always have mark 0. > > The mark

Re: [PATCH 02/14] tcp: fix mark propagation with fwmark_reflect enabled

2017-01-26 Thread Eric Dumazet
On Thu, 2017-01-26 at 17:37 +0100, Pablo Neira Ayuso wrote: > From: Pau Espin Pedrol > > Otherwise, RST packets generated by the TCP stack for non-existing > sockets always have mark 0. > The mark from the original packet is assigned to the netns_ipv4/6 > socket used to

Re: ip_rcv_finish() NULL pointer kernel panic

2017-01-26 Thread Eric Dumazet
On Thu, 2017-01-26 at 10:00 -0800, Eric Dumazet wrote: > On Thu, 2017-01-26 at 17:24 +0100, Florian Westphal wrote: > > > I think it makes sense to set dst->incoming > > to a stub in br_netfilter_rtable_init() to just kfree_skb()+ > > WARN_ON_ONCE(), no need to add code to ip stack or crash

Re: ip_rcv_finish() NULL pointer kernel panic

2017-01-26 Thread Eric Dumazet
On Thu, 2017-01-26 at 17:24 +0100, Florian Westphal wrote: > I think it makes sense to set dst->incoming > to a stub in br_netfilter_rtable_init() to just kfree_skb()+ > WARN_ON_ONCE(), no need to add code to ip stack or crash kernel > due to brnf bug. Just kfree_skb() would hide bugs. Dropping

Re: ip_rcv_finish() NULL pointer kernel panic

2017-01-26 Thread David Miller
From: Florian Westphal Date: Thu, 26 Jan 2017 17:24:33 +0100 > Eric Dumazet wrote: >> > Though possibly with different things not setting the "input" function >> > pointer in the "struct dst_entry". >> > >> > include/net/dst.h: >> > 496 static inline

[PATCH nft v3 4/6] src: Allow list stateful objects in a table

2017-01-26 Thread Elise Lennion
Currently, stateful objects can be listed by: listing all objects in all tables; listing a single object in a table. Now it's allowed to list all objects in a table. $ nft list counters table filter table ip filter { counter https-traffic { packets 14825 bytes 950063

[PATCH nft v3 5/6] tests: py: Add support for stateful objects in python tests

2017-01-26 Thread Elise Lennion
This allows writing pytests using the new stateful objects. To add an object use the symbol '%', followed by the name, type and specifications (currently used in quota): %cnt1 type counter;ok # Adds the counter cnt1 to all tables %qt1 type quota over 25 mbytes;ok # Adds the quota qt1 to all

[PATCH nft v3 2/6] src: Allow list single stateful object

2017-01-26 Thread Elise Lennion
Currently the stateful objects can only be listed in groups. With this patch listing a single object is allowed: $ nft list counter filter https-traffic table ip filter { counter https-traffic { packets 4014 bytes 228948 } } $ nft list quota filter https-quota

[PATCH 10/14] netfilter: nf_tables: validate the name size when possible

2017-01-26 Thread Pablo Neira Ayuso
From: Liping Zhang Currently, if the user adds a stateful object with a name size exceeding NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently. This is not friendly; furthermore, this will cause duplicated stateful objects when the first 31 characters of the

[PATCH 01/14] netfilter: use fwmark_reflect in nf_send_reset

2017-01-26 Thread Pablo Neira Ayuso
From: Pau Espin Pedrol Otherwise, RST packets generated by ipt_REJECT always have mark 0 when the routing is checked later in the same code path. Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies") Cc: Lorenzo Colitti

[PATCH 11/14] netfilter: nft_log: restrict the log prefix length to 127

2017-01-26 Thread Pablo Neira Ayuso
From: Liping Zhang First, log prefix will be truncated to NF_LOG_PREFIXLEN-1, i.e. 127, at nf_log_packet(), so the extra part is useless. Second, after adding a log rule with a very very long prefix, we will fail to dump the nft rules after this _special_ one, but

[PATCH 12/14] netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL

2017-01-26 Thread Pablo Neira Ayuso
If the element exists and no NLM_F_EXCL is specified, do not bump set->nelems, otherwise we leak one set element slot. This problem amplifies if the set is full since the abort path always decrements the counter for the -ENFILE case too, giving one spare extra slot. Fix this by moving set->nelems

[PATCH 08/14] netfilter: conntrack: remove GC_MAX_EVICTS break

2017-01-26 Thread Pablo Neira Ayuso
From: Florian Westphal Instead of breaking the loop and instantly rescheduling, don't bother checking this in the first place (the loop calls cond_resched for every bucket anyway). Suggested-by: Nicolas Dichtel Signed-off-by: Florian Westphal

[PATCH 03/14] netfilter: nf_tables: fix spelling mistakes

2017-01-26 Thread Pablo Neira Ayuso
From: Alexander Alemayhu o s/numerice/numeric o s/opertaor/operator Signed-off-by: Alexander Alemayhu Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 4 ++-- 1 file changed, 2 insertions(+),

[PATCH 02/14] tcp: fix mark propagation with fwmark_reflect enabled

2017-01-26 Thread Pablo Neira Ayuso
From: Pau Espin Pedrol Otherwise, RST packets generated by the TCP stack for non-existing sockets always have mark 0. The mark from the original packet is assigned to the netns_ipv4/6 socket used to send the response so that it can get copied into the response skb when the

[PATCH 13/14] netfilter: nf_tables: deconstify walk callback function

2017-01-26 Thread Pablo Neira Ayuso
The flush operation needs to modify set and element objects, so let's deconstify this. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 6 +++--- net/netfilter/nf_tables_api.c | 24 net/netfilter/nft_set_hash.c | 2

[PATCH 05/14] netfilter: nf_tables: fix possible oops when dumping stateful objects

2017-01-26 Thread Pablo Neira Ayuso
From: Liping Zhang When dumping nft stateful objects, if NFTA_OBJ_TABLE and NFTA_OBJ_TYPE attributes are not specified either, filter will become NULL, so an oops will happen (actually the nft utility will always set the NFTA_OBJ_TABLE attr, so I wrote a test program to make this

[PATCH 14/14] netfilter: nf_tables: bump set->ndeact on set flush

2017-01-26 Thread Pablo Neira Ayuso
Add missing set->ndeact update on each deactivated element from the set flush path. Otherwise, sets with fixed size break after flush since accounting breaks. # nft add set x y { type ipv4_addr\; size 2\; } # nft add element x y { 1.1.1.1 } # nft add element x y { 1.1.1.2 } # nft flush set x

[PATCH 06/14] netfilter: Fix typo in NF_CONNTRACK Kconfig option description

2017-01-26 Thread Pablo Neira Ayuso
From: William Breathitt Gray The NF_CONNTRACK Kconfig option description makes an incorrect reference to the "meta" expression where the "ct" expression would be correct. This patch fixes the respective typographical error. Fixes: d497c6352736 ("netfilter: add help

Re: ip_rcv_finish() NULL pointer kernel panic

2017-01-26 Thread Florian Westphal
Eric Dumazet wrote: > > Though possibly with different things not setting the "input" function > > pointer in the "struct dst_entry". > > > > include/net/dst.h: > > 496 static inline int dst_input(struct sk_buff *skb) { > > 498 return

Re: [PATCH] iptables: fix the wrong appending of jump verdict after the comment.

2017-01-26 Thread Pablo Neira Ayuso
On Thu, Jan 26, 2017 at 05:06:56PM +0530, Shivani Bhardwaj wrote: > On Thu, Jan 26, 2017 at 2:49 PM, Shyam Saini wrote: > > Fix wrong appending of jump verdict after the comment > > > > For example: > > $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s

Re: ip_rcv_finish() NULL pointer kernel panic

2017-01-26 Thread Eric Dumazet
On Thu, 2017-01-26 at 09:32 -0600, Roy Keene wrote: > This bug appears to have existed for a long time: > > https://www.spinics.net/lists/netdev/msg222459.html > > http://www.kernelhub.org/?p=2=823752 > > Though possibly with different things not setting the "input" function >

[PATCH v2 net] net: free ip_vs_dest structs when refcnt=0

2017-01-26 Thread David Windsor
Currently, the ip_vs_dest cache frees ip_vs_dest objects when their reference count becomes < 0. Aside from not being semantically sound, this is problematic for the new type refcount_t, which will be introduced shortly in a separate patch. refcount_t is the new kernel type for holding reference