[PATCH nf 1/1] netfilter: expect: Make sure the max_expected limit is effective

2017-03-23 Thread gfree . wind
From: Gao Feng Because the type of expecting, the member of nf_conn_help, is u8, it would overflow after reaching U8_MAX (255). So it doesn't work when we configure max_expected to exceed 255 with an expect policy. Now add the check for max_expected. Return -EINVAL when it

[ANNOUNCE] Linux Security Summit 2017 - CFP

2017-03-23 Thread James Morris
== ANNOUNCEMENT AND CALL FOR PARTICIPATION LINUX SECURITY SUMMIT 2017 14-15 September

[ANNOUNCE]: New sponsor and accepted talk

2017-03-23 Thread Jamal Hadi Salim
Two announcements for today: an accepted talk and a new sponsor. 1) The tech committee would like to announce a new accepted talk. Arthur Davis and Tom Distler will talk about their quest for a network configuration solution for a large Linux storage application. Details are as

Re: [PATCH V4 2/2] audit: normalize NETFILTER_PKT

2017-03-23 Thread Paul Moore
On Wed, Mar 22, 2017 at 3:05 AM, Richard Guy Briggs wrote: > Eliminate flipping in and out of message fields, dropping fields in the > process. > > Sample raw message format IPv4 UDP: > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 > saddr=127.0.0.1

Re: [PATCH V4 1/2] netfilter: xt_AUDIT: use consistent ipv4 network offset

2017-03-23 Thread Paul Moore
On Wed, Mar 22, 2017 at 7:43 AM, Richard Guy Briggs wrote: > On 2017-03-22 12:11, Pablo Neira Ayuso wrote: >> On Wed, Mar 22, 2017 at 03:05:36AM -0400, Richard Guy Briggs wrote: >> > Even though the skb->data pointer has been moved from the link layer >> > header to the network

[PATCH nf V2] netfilter: nfnl_cthelper: fix a race when walking the nf_ct_helper_hash table

2017-03-23 Thread Liping Zhang
From: Liping Zhang The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while the nfct_helper operation is protected by nfnl_lock(NFNL_SUBSYS_CTHELPER). So it's possible that one CPU is walking the nf_ct_helper_hash for cthelper add/get/del while another CPU is doing

[PATCH nft] tests: nft removes required payload protocol expressions

2017-03-23 Thread Florian Westphal
This test fails with 'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22'. ip protocol tcp tcp dport 22 is *ONLY* identical to 'tcp dport 22' in the ip family. For netdev/inet/bridge, the dependency is required because we only want to match ipv4 packets. Signed-off-by: Florian Westphal