Add API support to accept a pre-bound file descriptor from a
privileged process for creating a handle. Also clean up
the handle without closing the passed file descriptor. This
paves the path for privilege separation.
Change-Id: I815fb20cf1aadf931679d9470e6977a45681b4c9
Signed-off-by: Skylar Chang
---
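As an added example, not code from this patch or from the library it targets, the exchange the commit message describes: a privileged process creates and binds a socket and hands the descriptor over an AF_UNIX channel with SCM_RIGHTS; the unprivileged side wraps the received descriptor in a handle that records it does not own it, so cleaning up the handle leaves the descriptor open, while a handle that opened its own descriptor closes it. The handle type, the function names and the use of a Linux abstract-namespace AF_UNIX datagram socket in place of a netlink socket are assumptions made for the example.

```c
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical handle: owns_fd == 0 means the descriptor was handed to us by a
 * privileged process and handle_close() must leave it open. */
struct nl_handle { int fd; int owns_fd; };

/* "Privileged" side: create and bind the socket to be handed over. An AF_UNIX
 * datagram socket in the Linux abstract namespace stands in for the netlink
 * socket a real helper would bind, so nothing here needs capabilities. */
static int privileged_bind_socket(void)
{
    struct sockaddr_un sa;
    socklen_t len;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;   /* sun_path[0] stays '\0': abstract name */
    snprintf(sa.sun_path + 1, sizeof sa.sun_path - 1, "prebound-%ld", (long)getpid());
    len = offsetof(struct sockaddr_un, sun_path) + 1 + strlen(sa.sun_path + 1);
    if (bind(fd, (struct sockaddr *)&sa, len) < 0) { close(fd); return -1; }
    return fd;
}

/* One-byte datagram carrying exactly one descriptor via SCM_RIGHTS. */
struct fd_msg {
    char byte;
    struct iovec iov;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
};

static void fd_msg_init(struct fd_msg *m)
{
    memset(m, 0, sizeof *m);
    m->iov.iov_base = &m->byte;     m->iov.iov_len = 1;
    m->msg.msg_iov = &m->iov;       m->msg.msg_iovlen = 1;
    m->msg.msg_control = m->u.buf;  m->msg.msg_controllen = sizeof m->u.buf;
}

static int send_fd(int chan, int fd)
{
    struct fd_msg m;
    struct cmsghdr *cm;
    fd_msg_init(&m);
    cm = CMSG_FIRSTHDR(&m.msg);
    cm->cmsg_level = SOL_SOCKET;  cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &m.msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int chan)
{
    struct fd_msg m;
    struct cmsghdr *cm;
    int fd;
    fd_msg_init(&m);
    if (recvmsg(chan, &m.msg, 0) != 1) return -1;
    cm = CMSG_FIRSTHDR(&m.msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;   /* anything but exactly one descriptor is rejected */
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* handle_new(fd, 0) borrows a pre-bound descriptor, handle_new(fd, 1) owns one;
 * handle_close() closes only what the handle owns. */
static struct nl_handle *handle_new(int fd, int owns_fd)
{
    struct nl_handle *h = calloc(1, sizeof *h);
    if (h) { h->fd = fd; h->owns_fd = owns_fd; }
    return h;
}
static void handle_close(struct nl_handle *h) { if (h && h->owns_fd) close(h->fd); free(h); }
static int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Whole exchange in one process over a socketpair. *borrowed_kept becomes 1 if the
 * passed fd survives closing a borrowing handle, *owned_closed becomes 1 if an
 * owning handle's fd is gone after handle_close(). Returns 0 on success. */
static int demo_privsep(int *borrowed_kept, int *owned_closed)
{
    int chan[2], bound, received;
    struct nl_handle *h;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, chan) < 0) return -1;
    bound = privileged_bind_socket();                  /* privileged side */
    if (bound < 0 || send_fd(chan[0], bound) < 0) return -1;
    received = recv_fd(chan[1]);                       /* unprivileged side */
    if (received < 0 || !(h = handle_new(received, 0))) return -1;
    handle_close(h);
    *borrowed_kept = fd_is_open(received); close(received);
    if (!(h = handle_new(bound, 1))) return -1;        /* owning handle, for contrast */
    handle_close(h);
    *owned_closed = !fd_is_open(bound);
    close(chan[0]); close(chan[1]);
    return 0;
}
```

demo_privsep() drives the whole thing; in a real split the two halves would run in different processes with the socketpair as the only link, and the receiving side should check cmsg_len exactly as recv_fd() does so that a peer cannot smuggle in extra descriptors.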
Prints program version just like iptables/ip6tables.
Signed-off-by: Dan Williams
---
iptables/ip6tables-restore.c | 15 +++
iptables/iptables-restore.c | 10 --
2 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/iptables/ip6tables-restore.c
When an unknown option is given, iptables-restore should exit instead of
continuing its operation. For example, if `--table` was misspelled, this
could lead to an unwanted change. Moreover, exit with a status code of
1. Make the same change for iptables-save.
OTOH, exit with a status code of 0 when
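An added example, not iptables code, of the two behaviours the commit message contrasts, written against getopt_long: with strict == 0, parse_restore_args() swallows an unknown option and carries on, so a misspelled --table leaves the table unset and the tool would go on to touch every table; with strict == 1 it names the offending argument and returns exit status 1. The option table, struct and function names are invented for the example.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical subset of the restore tool's options. */
struct restore_opts {
    const char *table;   /* NULL: operate on every table in the input */
    int exit_status;     /* 0: continue; 1: usage error */
};

static const struct option restore_long_opts[] = {
    { "table", required_argument, NULL, 'T' },
    { NULL, 0, NULL, 0 }
};

/* One getopt_long loop; `strict` selects what happens when getopt_long reports
 * an unknown option ('?'): strict == 0 is the old behaviour the commit message
 * describes (keep going), strict == 1 the fixed one (report and exit 1). */
static struct restore_opts parse_restore_args(int argc, char **argv, int strict)
{
    struct restore_opts o = { NULL, 0 };
    int c;

    optind = 0;  /* full reset of getopt state (glibc/musl) so the call is repeatable */
    opterr = 0;  /* report unknown options ourselves rather than via getopt */
    while ((c = getopt_long(argc, argv, "T:", restore_long_opts, NULL)) != -1) {
        switch (c) {
        case 'T':
            o.table = optarg;
            break;
        case '?':
        default:
            if (strict) {
                /* getopt_long has already stepped past the bad argument. */
                fprintf(stderr, "%s: unknown option '%s'\n", argv[0], argv[optind - 1]);
                o.exit_status = 1;
                return o;
            }
            break;  /* lenient: the typo is swallowed and parsing continues */
        }
    }
    return o;
}

int main(int argc, char **argv)
{
    struct restore_opts o = parse_restore_args(argc, argv, 1);
    if (o.exit_status)
        return o.exit_status;
    printf("restoring %s\n", o.table ? o.table : "all tables");
    return 0;
}
```

Run with `--tabel=nat` the strict parser prints the unknown option and exits 1; the lenient one prints "restoring all tables", which is exactly the unwanted change the commit message warns about.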
From: Eric Dumazet
Denys provided an awesome KASAN report pointing to a use-after-free
in xt_TCPMSS.
I have provided three patches to fix this issue, either in xt_TCPMSS or
in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
impact.
Signed-off-by: Eric
On Mon, 2017-04-03 at 15:14 +0300, Denys Fedoryshchenko wrote:
> On 2017-04-03 15:09, Eric Dumazet wrote:
> > On Mon, 2017-04-03 at 11:10 +0300, Denys Fedoryshchenko wrote:
> >
> >> I modified the patch a little as:
> >> if (th->doff * 4 < sizeof(_tcph)) {
> >>     par->hotdrop = true;
> >>
On 2017-04-03 15:09, Eric Dumazet wrote:
On Mon, 2017-04-03 at 11:10 +0300, Denys Fedoryshchenko wrote:
I modified the patch a little as:
if (th->doff * 4 < sizeof(_tcph)) {
    par->hotdrop = true;
    WARN_ON_ONCE(!tcpinfo->option);
    return false;
}
And it did trigger WARN once in the morning, and
On Mon, 2017-04-03 at 11:10 +0300, Denys Fedoryshchenko wrote:
> I modified the patch a little as:
> if (th->doff * 4 < sizeof(_tcph)) {
>     par->hotdrop = true;
>     WARN_ON_ONCE(!tcpinfo->option);
>     return false;
> }
>
> And it did trigger WARN once in the morning, and didn't hit KASAN. I will
>
From: Liping Zhang
This can prevent the nft utility from printing out the auto-generated
seed to the user, which is unnecessary and confusing.
Signed-off-by: Liping Zhang
---
net/netfilter/nft_hash.c | 10 +++---
1 file changed, 7 insertions(+), 3
From: Liping Zhang
Typing "nft add rule x y ct mark set jhash ip saddr mod 2" will
not generate a random seed; instead, the seed will always be zero.
So if the seed option is empty, we should not set the NFTA_HASH_SEED
attribute; then a random seed will be generated in the
On 2017-04-02 20:26, Eric Dumazet wrote:
On Sun, 2017-04-02 at 10:14 -0700, Eric Dumazet wrote:
Could it be that netfilter does not abort earlier if the TCP header is
completely wrong?
Yes, I wonder if this patch would be better, unless we replicate the
th->doff sanity check in all netfilter
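An added example, not from this thread or from the kernel: a user-space parser that applies the th->doff test from the patch Denys quotes above (a data offset smaller than the fixed 20-byte header is rejected before anything else is read) and, since Eric's remark is about replicating that sanity check, the two further length tests a caller needs before it walks the option bytes that xt_TCPMSS works on: the header must not claim more bytes than are present, and each option's length must stay inside the header. The segments are constructed, and the enum, struct and function names are invented for the example; in a match or target the non-OK results would translate to par->hotdrop.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_FIXED_HDR 20u   /* sizeof(struct tcphdr) without options */

enum tcp_check {
    TCP_OK = 0,
    TCP_HDR_TRUNCATED,   /* fewer than 20 bytes available */
    TCP_BAD_DOFF,        /* doff*4 < 20: header claims to be shorter than its fixed part */
    TCP_OPTS_TRUNCATED,  /* doff*4 runs past the bytes we actually have */
    TCP_OPT_MALFORMED    /* an option length is < 2 or runs past doff*4 */
};

/* Validate a raw TCP header and, on success, pull out the MSS option value
 * (0 if absent). Every bound is checked before the byte behind it is read. */
static enum tcp_check tcp_parse_mss(const uint8_t *pkt, size_t len, uint16_t *mss_out)
{
    size_t doff, i;

    if (len < TCP_FIXED_HDR)
        return TCP_HDR_TRUNCATED;
    doff = (size_t)(pkt[12] >> 4) * 4;      /* data offset: high nibble of byte 12, in words */
    if (doff < TCP_FIXED_HDR)
        return TCP_BAD_DOFF;                 /* the th->doff * 4 < sizeof(_tcph) case */
    if (doff > len)
        return TCP_OPTS_TRUNCATED;
    *mss_out = 0;
    for (i = TCP_FIXED_HDR; i < doff; ) {
        uint8_t kind = pkt[i], olen;
        if (kind == 0)                       /* TCPOPT_EOL */
            break;
        if (kind == 1) {                     /* TCPOPT_NOP */
            i++;
            continue;
        }
        if (i + 1 >= doff)                   /* no room for the length byte */
            return TCP_OPT_MALFORMED;
        olen = pkt[i + 1];
        if (olen < 2 || i + olen > doff)     /* option would run past the header */
            return TCP_OPT_MALFORMED;
        if (kind == 2 && olen == 4)          /* TCPOPT_MSS */
            *mss_out = (uint16_t)((pkt[i + 2] << 8) | pkt[i + 3]);
        i += olen;
    }
    return TCP_OK;
}

/* Constructed sample segments (TCP header only, no IP header). DOFF is byte 12;
 * its high nibble is the header length in 32-bit words. */
#define TCP_FIXED(DOFF) \
    0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, (DOFF), 0x02, 0xff, 0xff, 0, 0, 0, 0

static const uint8_t seg_ok[]        = { TCP_FIXED(0x60), 0x02, 0x04, 0x05, 0xb4 };        /* doff 24, MSS 1460 */
static const uint8_t seg_nops[]      = { TCP_FIXED(0x70), 1, 1, 0x02, 0x04, 0x05, 0xb4, 0, 0 }; /* NOP NOP MSS EOL */
static const uint8_t seg_bad_doff[]  = { TCP_FIXED(0x20) };                                /* doff claims 8 bytes */
static const uint8_t seg_truncated[] = { TCP_FIXED(0x80), 0x02, 0x04, 0x05, 0xb4 };        /* doff 32, 24 present */
static const uint8_t seg_bad_opt[]   = { TCP_FIXED(0x60), 0x02, 0x09, 0x05, 0xb4 };        /* MSS length 9 > room */

int main(void)
{
    static const char *names[] = { "ok", "hdr truncated", "bad doff", "opts truncated", "opt malformed" };
    const uint8_t *segs[] = { seg_ok, seg_nops, seg_bad_doff, seg_truncated, seg_bad_opt };
    size_t lens[] = { sizeof seg_ok, sizeof seg_nops, sizeof seg_bad_doff, sizeof seg_truncated, sizeof seg_bad_opt };
    size_t n;
    for (n = 0; n < sizeof segs / sizeof segs[0]; n++) {
        uint16_t mss = 0;
        enum tcp_check r = tcp_parse_mss(segs[n], lens[n], &mss);
        printf("segment %zu: %s (mss=%u)\n", n, names[r], mss);
    }
    return 0;
}
```

The order of the three header checks matters: with doff*4 below 20, an expression such as doff*4 - sizeof(struct tcphdr) wraps around in unsigned arithmetic, so that test has to come before any length derived from doff is used.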
Recent languages implement arrays that hold their length. This patch
helps to wrap these. As for this C library, we can use it like below
without a double-sized buffer.
char buf[MNL_SOCKET_BUFFER_SIZE];
b = mnl_nlmsg_batch_start(buf, sizeof(buf));
nlbuf =