[PATCH] libnetfilter_conntrack: Add API support for passing bound file descriptor

2017-04-03 Thread Skylar Chang
Add API support to accept a pre-bound file descriptor from a privileged process for creating a handle. Also clean up the handle without closing the passed file descriptor. This paves the path for privilege separation. Change-Id: I815fb20cf1aadf931679d9470e6977a45681b4c9 ---

[PATCH] libnfnetlink: Add API support for passing bound file descriptor

2017-04-03 Thread Skylar Chang
Add API support to accept a pre-bound file descriptor from a privileged process for creating a handle. Also clean up the handle without closing the passed file descriptor. This paves the path for privilege separation. Signed-off-by: Skylar Chang ---

[PATCH] iptables-restore/ip6tables-restore: add --version/-V argument

2017-04-03 Thread Dan Williams
Prints program version just like iptables/ip6tables. Signed-off-by: Dan Williams --- iptables/ip6tables-restore.c | 15 +++ iptables/iptables-restore.c | 10 -- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/iptables/ip6tables-restore.c

[PATCH iptables v1] iptables-restore/save: exit when given an unknown option

2017-04-03 Thread Vincent Bernat
When an unknown option is given, iptables-restore should exit instead of continuing its operation. For example, if `--table` was misspelled, this could lead to an unwanted change. Moreover, exit with a status code of 1. Make the same change for iptables-save. OTOH, exit with a status code of 0 when

[PATCH net] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

2017-04-03 Thread Eric Dumazet
From: Eric Dumazet Denys provided an awesome KASAN report pointing to a use-after-free in xt_TCPMSS. I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems the xt_TCPMSS patch has the smallest possible impact. Signed-off-by: Eric

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

2017-04-03 Thread Eric Dumazet
On Mon, 2017-04-03 at 15:14 +0300, Denys Fedoryshchenko wrote: > On 2017-04-03 15:09, Eric Dumazet wrote: > > On Mon, 2017-04-03 at 11:10 +0300, Denys Fedoryshchenko wrote: > > > >> I modified patch a little as: > >> if (th->doff * 4 < sizeof(_tcph)) { > >> par->hotdrop = true; > >>

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

2017-04-03 Thread Denys Fedoryshchenko
On 2017-04-03 15:09, Eric Dumazet wrote: On Mon, 2017-04-03 at 11:10 +0300, Denys Fedoryshchenko wrote: I modified the patch a little as: if (th->doff * 4 < sizeof(_tcph)) { par->hotdrop = true; WARN_ON_ONCE(!tcpinfo->option); return false; } And it did trigger WARN once in the morning, and

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

2017-04-03 Thread Eric Dumazet
On Mon, 2017-04-03 at 11:10 +0300, Denys Fedoryshchenko wrote: > I modified the patch a little as: > if (th->doff * 4 < sizeof(_tcph)) { > par->hotdrop = true; > WARN_ON_ONCE(!tcpinfo->option); > return false; > } > > And it did trigger WARN once in the morning, and didn't hit KASAN. I will >

[PATCH nf] netfilter: nft_hash: do not dump the auto generated seed

2017-04-03 Thread Liping Zhang
From: Liping Zhang This can prevent the nft utility from printing out the auto generated seed to the user, which is unnecessary and confusing. Signed-off-by: Liping Zhang --- net/netfilter/nft_hash.c | 10 +++--- 1 file changed, 7 insertions(+), 3

[PATCH nft] hash: generate a random seed if seed option is empty

2017-04-03 Thread Liping Zhang
From: Liping Zhang Typing "nft add rule x y ct mark set jhash ip saddr mod 2" will not generate a random seed; instead, the seed will always be zero. So if the seed option is empty, we should not set the NFTA_HASH_SEED attribute, then a random seed will be generated in the

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

2017-04-03 Thread Denys Fedoryshchenko
On 2017-04-02 20:26, Eric Dumazet wrote: On Sun, 2017-04-02 at 10:14 -0700, Eric Dumazet wrote: Could that be that netfilter does not abort earlier if TCP header is completely wrong ? Yes, I wonder if this patch would be better, unless we replicate the th->doff sanity check in all netfilter

[PATCH libmnl] nlmsg: introduce mnl_nlmsg_batch_rest to get the rest length

2017-04-03 Thread Ken-ichirou MATSUZAWA
Recent languages implement arrays that hold their own length. This patch helps to wrap these. With this C library, we can use it like below without a double-sized buffer. char buf[MNL_SOCKET_BUFFER_SIZE]; b = mnl_nlmsg_batch_start(buf, sizeof(buf)); nlbuf =