On Thu, Feb 23, 2017 at 8:59 PM, Florian Westphal wrote:
> Richard Guy Briggs wrote:
>> > Not following, sorry, are you saying users can/should use -j MARK
>> > somehow?
>>
>> Part of the discussed design and rationale for stripping many of the
>> vanishing fields is that when setting up netfilte
Andrey Konovalov wrote:
[ CC Paolo ]
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit c470abd4fde40ea6a0846a2beab642a578c0b8cd (4.10).
>
> Unfortunately I can't reproduce it.
This needs NETLINK_BROADCAST_ERROR enabled on a netlink socket
that then s
Richard Guy Briggs wrote:
> > Not following, sorry, are you saying users can/should use -j MARK
> > somehow?
>
> Part of the discussed design and rationale for stripping many of the
> vanishing fields is that when setting up netfilter rules to invoke the
> AUDIT target, an accompanying nf mark sh
Paul Moore wrote:
> On Thu, Feb 23, 2017 at 12:35 PM, Richard Guy Briggs wrote:
> > I had another idea on how to include the sport and dport and that was to
> > use the same identifier for sport/icmptype and also for dport/icmpcode,
> > but you've already said you are not interested.
>
> Not at
Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
returns void") inadvertently changed the successful return value of
nf_ct_expect_related_report() from 0 to 1 due to
__nf_ct_expect_check() returning 1 on success. Prevent this
regression in the future by changing the return valu
Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
returns void") inadvertently changed the successful return value of
nf_ct_expect_related_report() from 0 to 1, which caused openvswitch
conntrack integration to fail in FTP test cases.
Fix this by always returning zero on the succes
On Thu, Feb 23, 2017 at 12:35 PM, Richard Guy Briggs wrote:
> On 2017-02-23 12:14, Paul Moore wrote:
>> On Thu, Feb 23, 2017 at 12:13 PM, Richard Guy Briggs wrote:
>> > On 2017-02-23 12:06, Paul Moore wrote:
>> >> On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs
>> >> wrote:
>> >> > On 2017
Include like some of uapi/linux/netfilter/xt_*.h
headers do to fix the following linux/netfilter/xt_hashlimit.h
userspace compilation error:
/usr/include/linux/netfilter/xt_hashlimit.h:90:12: error: 'NAME_MAX' undeclared
here (not in a function)
char name[NAME_MAX];
Signed-off-by: Dmitry V. L
Alexander Alemayhu wrote:
> Was added but not used in d7b451fe1a45 (src: add TCP option matching
> requirements, 2017-02-07). Fixes the following warning:
>
> expr/exthdr.c: In function ‘nftnl_expr_exthdr_json_parse’:
> expr/exthdr.c:244:10: warning: unused variable ‘uval8’ [-Wunused-variable]
>
Was added but not used in d7b451fe1a45 (src: add TCP option matching
requirements, 2017-02-07). Fixes the following warning:
expr/exthdr.c: In function ‘nftnl_expr_exthdr_json_parse’:
expr/exthdr.c:244:10: warning: unused variable ‘uval8’ [-Wunused-variable]
uint8_t uval8;
^
Signe
On Thu, Feb 23, 2017 at 05:49:28AM +0300, Dmitry V. Levin wrote:
> linux/netfilter.h is the last uapi header file that includes
> linux/sysctl.h but it does not depend on definitions provided
> by this essentially dead header file.
Applied, thanks.
--
To unsubscribe from this list: send the line "
On Mon, Feb 13, 2017 at 10:26:49PM +0100, Florian Westphal wrote:
> Dan reports:
> net/netfilter/nft_ct.c:549 nft_ct_set_init()
> error: uninitialized symbol 'len'.
Applied, thanks.
On 2017-02-23 12:14, Paul Moore wrote:
> On Thu, Feb 23, 2017 at 12:13 PM, Richard Guy Briggs wrote:
> > On 2017-02-23 12:06, Paul Moore wrote:
> >> On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs
> >> wrote:
> >> > On 2017-02-23 11:57, Paul Moore wrote:
> >> >> On Thu, Feb 23, 2017 at 10:5
On 2017-02-23 12:20, Steve Grubb wrote:
> On Wednesday, February 22, 2017 9:50:54 PM EST Richard Guy Briggs wrote:
> > Simplify and eliminate flipping in and out of message fields, relying on
> > nfmark the way we do for audit_key.
> >
> > https://github.com/linux-audit/audit-kernel/issues/11
> >
On Wednesday, February 22, 2017 9:50:54 PM EST Richard Guy Briggs wrote:
> Simplify and eliminate flipping in and out of message fields, relying on
> nfmark the way we do for audit_key.
>
> https://github.com/linux-audit/audit-kernel/issues/11
>
> Signed-off-by: Richard Guy Briggs
If this is re
On 2017-02-23 18:06, Florian Westphal wrote:
> Richard Guy Briggs wrote:
> > On 2017-02-23 11:57, Paul Moore wrote:
> > > On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs
> > > wrote:
> > > > On 2017-02-23 06:20, Florian Westphal wrote:
> > > >> Richard Guy Briggs wrote:
> > > >> > Simplify
On Thu, Feb 23, 2017 at 12:13 PM, Richard Guy Briggs wrote:
> On 2017-02-23 12:06, Paul Moore wrote:
>> On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs wrote:
>> > On 2017-02-23 11:57, Paul Moore wrote:
>> >> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs
>> >> wrote:
>> >> > On 2017
On 2017-02-23 12:06, Paul Moore wrote:
> On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs wrote:
> > On 2017-02-23 11:57, Paul Moore wrote:
> >> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs
> >> wrote:
> >> > On 2017-02-23 06:20, Florian Westphal wrote:
> >> >> Richard Guy Briggs wr
On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs wrote:
> On 2017-02-23 11:57, Paul Moore wrote:
>> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs wrote:
>> > On 2017-02-23 06:20, Florian Westphal wrote:
>> >> Richard Guy Briggs wrote:
>> >> > Simplify and eliminate flipping in and out
Richard Guy Briggs wrote:
> On 2017-02-23 11:57, Paul Moore wrote:
> > On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs
> > wrote:
> > > On 2017-02-23 06:20, Florian Westphal wrote:
> > >> Richard Guy Briggs wrote:
> > >> > Simplify and eliminate flipping in and out of message fields, relyi
On 2017-02-23 11:57, Paul Moore wrote:
> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs wrote:
> > On 2017-02-23 06:20, Florian Westphal wrote:
> >> Richard Guy Briggs wrote:
> >> > Simplify and eliminate flipping in and out of message fields, relying on
> >> > nfmark
> >> > the way we do
On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs wrote:
> On 2017-02-23 06:20, Florian Westphal wrote:
>> Richard Guy Briggs wrote:
>> > Simplify and eliminate flipping in and out of message fields, relying on
>> > nfmark
>> > the way we do for audit_key.
>> >
>> > +struct nfpkt_par {
>> > +
From: Pablo Neira Ayuso
Date: Thu, 23 Feb 2017 12:14:01 +0100
> The following patchset contains Netfilter fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot!
On 2017-02-23 06:20, Florian Westphal wrote:
> Richard Guy Briggs wrote:
> > Simplify and eliminate flipping in and out of message fields, relying on
> > nfmark
> > the way we do for audit_key.
> >
> > +struct nfpkt_par {
> > + int ipv;
> > + const void *saddr;
> > + const void *daddr;
> >
>
>
> Hi Richard,
>
> [auto build test WARNING on v4.9-rc8]
> [cannot apply to nf-next/master next-20170222]
> [if your patch is applied to the wrong git tree, please drop us a note to
> help improve the system]
>
> url:
> https://github.com/0day-ci/linux/com
Hi Laura,
[auto build test WARNING on v4.9-rc8]
[cannot apply to next-20170223]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
https://github.com/0day-ci/linux/commits/Laura-Garcia-Liebana/netfilter-nft_hash-symhash-type-support
Pablo Neira Ayuso wrote:
> On Thu, Feb 23, 2017 at 12:34:35PM +0100, Florian Westphal wrote:
> > Yes, Dan reported this and a patch is queued at
> > http://patchwork.ozlabs.org/patch/727573/
> >
> > Pablo, any reason why this is still waiting?
>
> I'm just flushing out my nf.git tree via pull requ
On Thu, Feb 23, 2017 at 12:34:35PM +0100, Florian Westphal wrote:
> Geert Uytterhoeven wrote:
> > On Wed, Feb 22, 2017 at 8:02 PM, Linux Kernel Mailing List
> > wrote:
> > > Web:
> > > https://git.kernel.org/torvalds/c/edee4f1e92458299505ff007733f676b00c516a1
> > > Commit: edee4f1e924
Geert Uytterhoeven wrote:
> On Wed, Feb 22, 2017 at 8:02 PM, Linux Kernel Mailing List
> wrote:
> > Web:
> > https://git.kernel.org/torvalds/c/edee4f1e92458299505ff007733f676b00c516a1
> > Commit: edee4f1e92458299505ff007733f676b00c516a1
> > Parent: 5c178d81b69f08ca3195427a6ea9a46d
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
The new attribute NFTA_HASH_TYPE has been included to support
different types of hashing functions. Currently supported
NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through s
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
For this purpose, the __skb_get_hash_symmetric() is used to
identify the flow as it uses FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL
flag by default.
The new attribute NFTA_HASH_TYPE h
This patch renames the local nft_hash structure and functions
to nft_jhash in order to prepare the nft_hash module code to
add new hash functions.
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_hash.c | 36 ++--
1 file changed, 18 insertions(+), 18 dele
From: Jiri Kosina
Commit 3bb398d925 ("netfilter: nf_ct_helper: disable automatic helper
assignment") is causing behavior regressions in firewalls, as traffic
handled by conntrack helpers is now by default not passed through even
though it was before due to missing CT targets (which were not neces
From: Kevin Cernekee
Prior to Linux 4.4, it was usually harmless to send a CTA_HELP attribute
containing the name of the current helper. That is no longer the case:
as of Linux 4.4, if ctnetlink_change_helper() returns an error from
the ct->master check, processing of the request will fail, skip
From: Kevin Cernekee
The libnetfilter_conntrack userland library always sets IPS_CONFIRMED
when building a CTA_STATUS attribute. If this toggles the bit from
0->1, the parser will return an error. On Linux 4.4+ this will cause any
NFQA_EXP attribute in the packet to be ignored. This breaks con
From: Alban Browaeys
Dividing the divider by the multiplier before applying to the input.
When this would "divide by zero", divide the multiplier by the divider
first then multiply the input by this value.
Currently user2creds outputs zero when input value is bigger than the
number of slices and
From: Ken-ichirou MATSUZAWA
Should be - 1 as in other _MAX definitions.
Signed-off-by: Ken-ichirou MATSUZAWA
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nfnetlink_queue.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/incl
From: Jozsef Kadlecsik
Wrong index was used and therefore when shrinking a hash bucket at
deleting an entry, valid entries could be evicted as well.
Thanks to Eric Ewanco for the thorough bugreport.
Fixes netfilter bugzilla #1119
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Revisit warning logic when not applying default helper assignment.
Jiri Kosina considers we are breaking existing setups and not warning
our users accordingly now that automatic helper assignment has be
From: Liping Zhang
Otherwise, different subsys will race to access the err_list, with holding
the different nfnl_lock(subsys_id).
But this will not happen now, since ->call_batch is only implemented by
nftables, so the err_list is protected by nfnl_lock(NFNL_SUBSYS_NFTABLES).
Signed-off-by: Lip
From: Vishwanath Pai
If we use before/after to add an element to an empty list it will cause
a kernel panic.
$> cat crash.restore
create a hash:ip
create b hash:ip
create test list:set timeout 5 size 4
add test b before a
$> ipset -R < crash.restore
Executing the above will crash the kernel.
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
The new attribute NFTA_HASH_TYPE has been included to support
different types of hashing functions. Currently supported
NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through s
These changes add support for multi hash functions and include the
symmetric hash type.
As 2 different structures are needed, we're going to rename the
nft_hash structure to nft_jhash, and then provide support for
several hash functions before including the new type.
Laura Garcia Liebana (2):
n
Hi Florian,
On Wed, Feb 22, 2017 at 8:02 PM, Linux Kernel Mailing List
wrote:
> Web:
> https://git.kernel.org/torvalds/c/edee4f1e92458299505ff007733f676b00c516a1
> Commit: edee4f1e92458299505ff007733f676b00c516a1
> Parent: 5c178d81b69f08ca3195427a6ea9a46d9af23127
> Refname:ref