From: Gao Feng
Because the type of expecting, the member of nf_conn_help, is u8, it
would overflow after reaching U8_MAX (255). So it doesn't work when we
configure max_expected to exceed 255 with expect policy.
Now add the check for max_expected. Return the -EINVAL when it
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT 2017
14-15 September
Two announcements for today. An accepted talk and a new sponsor.
1) The tech committee would like to announce a new accepted talk.
Arthur Davis and Tom Distler will talk about their quest for a
network configuration solution for a large Linux storage
application
Details are as
On Wed, Mar 22, 2017 at 3:05 AM, Richard Guy Briggs wrote:
> Eliminate flipping in and out of message fields, dropping fields in the
> process.
>
> Sample raw message format IPv4 UDP:
> type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732
> saddr=127.0.0.1
On Wed, Mar 22, 2017 at 7:43 AM, Richard Guy Briggs wrote:
> On 2017-03-22 12:11, Pablo Neira Ayuso wrote:
>> On Wed, Mar 22, 2017 at 03:05:36AM -0400, Richard Guy Briggs wrote:
>> > Even though the skb->data pointer has been moved from the link layer
>> > header to the network
From: Liping Zhang
The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while
nfct_helper operation is protected by nfnl_lock(NFNL_SUBSYS_CTHELPER).
So it's possible that one CPU is walking the nf_ct_helper_hash for
cthelper add/get/del, another cpu is doing
This test fails with
'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22'
ip protocol tcp tcp dport 22 is *ONLY* identical to
'tcp dport 22' in the ip family.
For netdev/inet/bridge, the dependency is required because
we only want to match ipv4 packets.
Signed-off-by: Florian Westphal