Re: [PATCH] Out Of Bound Read in Netfilter Conntrack

2017-10-11 Thread Florian Westphal
Eric Sesterhenn wrote: > Add missing counter decrement to prevent out of bounds memory read. > > Signed-off-by: Eric Sesterhenn > > diff --git a/net/netfilter/nf_conntrack_h323_asn1.c > b/net/netfilter/nf_conntrack_h323_asn1.c > index

[PATCH nf-next v4 1/2] netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore

2017-10-11 Thread Florian Westphal
xt_replace_table relies on table replacement counter retrieval (which uses xt_recseq to synchronize pcpu counters). This is fine, however with a large rule set get_counters() can take a very long time -- it needs to synchronize all counters because it has to assume concurrent modifications can

[PATCH nf-next v4 2/2] netfilter: x_tables: don't use seqlock when fetching old counters

2017-10-11 Thread Florian Westphal
after previous commit xt_replace_table will wait until all cpus had even seqcount (i.e., no cpu is accessing old ruleset). Add an 'old' counter retrieval version that doesn't synchronize counters. It's not needed, the old counters are not in use anymore at this point. This speeds up table

[PATCH v4 nf-next 0/2] netfilter: x_tables: speed up iptables-restore

2017-10-11 Thread Florian Westphal
iptables-restore can take quite a long time when the system is busy, on the order of half a minute or more. The main reason for this is the way ip(6)tables performs table swap: When xt_replace_table assigns the new ruleset pointer, it does not wait for other processors to finish with old ruleset.

Re: [PATCH v3 nf-next 1/2] netfilter: x_tables: wait until old table isn't used anymore

2017-10-11 Thread Eric Dumazet
On Wed, Oct 11, 2017 at 11:18 AM, Florian Westphal wrote: > Eric Dumazet wrote: >> On Wed, Oct 11, 2017 at 10:48 AM, Florian Westphal wrote: >> > Eric Dumazet wrote: >> >> On Wed, Oct 11, 2017 at 7:26 AM, Florian

Re: [PATCH v3 nf-next 1/2] netfilter: x_tables: wait until old table isn't used anymore

2017-10-11 Thread Florian Westphal
Eric Dumazet wrote: > On Wed, Oct 11, 2017 at 10:48 AM, Florian Westphal wrote: > > Eric Dumazet wrote: > >> On Wed, Oct 11, 2017 at 7:26 AM, Florian Westphal wrote: > >> > xt_replace_table relies on table replacement

Re: [PATCH nf] netfilter: x_tables: ensure readers see new ->private value

2017-10-11 Thread Eric Dumazet
On Wed, Oct 11, 2017 at 11:03 AM, Florian Westphal wrote: > Eric Dumazet wrote: > But it seems we need an extra smp_wmb() after > smp_wmb(); > table->private = newinfo; > > Otherwise we have no guarantee other cpus actually see the new > ->private value. > >

[PATCH nf] netfilter: x_tables: ensure readers see new ->private value

2017-10-11 Thread Florian Westphal
Eric Dumazet wrote: But it seems we need an extra smp_wmb() after smp_wmb(); table->private = newinfo; Otherwise we have no guarantee other cpus actually see the new ->private value. Suggested-by: Eric Dumazet Signed-off-by: Florian Westphal

Re: [PATCH v3 nf-next 1/2] netfilter: x_tables: wait until old table isn't used anymore

2017-10-11 Thread Eric Dumazet
On Wed, Oct 11, 2017 at 10:48 AM, Florian Westphal wrote: > Eric Dumazet wrote: >> On Wed, Oct 11, 2017 at 7:26 AM, Florian Westphal wrote: >> > xt_replace_table relies on table replacement counter retrieval (which >> > uses xt_recseq to

Re: [PATCH v3 nf-next 1/2] netfilter: x_tables: wait until old table isn't used anymore

2017-10-11 Thread Florian Westphal
Eric Dumazet wrote: > On Wed, Oct 11, 2017 at 7:26 AM, Florian Westphal wrote: > > xt_replace_table relies on table replacement counter retrieval (which > > uses xt_recseq to synchronize pcpu counters). > > > > This is fine, however with a large rule set

Re: [PATCH v2] nftables: Add support for reserved header and addrs for routing header type 0

2017-10-11 Thread Harsha Sharma
On Fri, Oct 6, 2017 at 1:06 PM, Harsha Sharma wrote: > Add support for IPV6 routing header type 0 reserved field and addresses > with corresponding tests > > Signed-off-by: Harsha Sharma > --- > For struct exthdr_rt0, I have specified type

Re: [PATCH v3 nf-next 1/2] netfilter: x_tables: wait until old table isn't used anymore

2017-10-11 Thread Eric Dumazet
On Wed, Oct 11, 2017 at 7:26 AM, Florian Westphal wrote: > xt_replace_table relies on table replacement counter retrieval (which > uses xt_recseq to synchronize pcpu counters). > > This is fine, however with a large rule set get_counters() can take > a very long time -- it needs to

[PATCH v3 nf-next 2/2] netfilter: x_tables: don't use seqlock when fetching old counters

2017-10-11 Thread Florian Westphal
after previous commit xt_replace_table will wait until all cpus had even seqcount (i.e., no cpu is accessing old ruleset). Add an 'old' counter retrieval version that doesn't synchronize counters. It's not needed, the old counters are not in use anymore at this point. This speeds up table

[PATCH v3 nf-next 0/2] netfilter: x_tables: speed up iptables-restore

2017-10-11 Thread Florian Westphal
iptables-restore can take quite a long time when the system is busy, on the order of half a minute or more. The main reason for this is the way ip(6)tables performs table swap: When xt_replace_table assigns the new ruleset pointer, it does not wait for other processors to finish with old ruleset.

[PATCH v3 nf-next 1/2] netfilter: x_tables: wait until old table isn't used anymore

2017-10-11 Thread Florian Westphal
xt_replace_table relies on table replacement counter retrieval (which uses xt_recseq to synchronize pcpu counters). This is fine, however with a large rule set get_counters() can take a very long time -- it needs to synchronize all counters because it has to assume concurrent modifications can
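The mechanism that the "wait until old table isn't used anymore" series and the "ensure readers see new ->private value" patch above are both about, modelled in userspace as an added example (this is not kernel code and not the netfilter project's own): each cpu keeps a sequence counter (the kernel's xt_recseq) that is odd while that cpu walks the ruleset; the writer publishes the new ->private pointer, then waits only for the cpus whose counter was odd at that moment, after which the old ruleset's per-cpu counters can be read without any locking and the memory could be freed. Assumptions of the example: NCPU reader threads stand in for cpus, C11 seq_cst atomics stand in for the kernel's smp_wmb()/smp_mb() barriers, and ruleset_begin/ruleset_end, xt_replace_table, wait_until_old_rules_unused, run_swap_model, the pool of rulesets and the "retired" flag are the example's own names, not kernel APIs.

```c
/* Userspace model of the x_tables ruleset swap discussed above: one
 * sequence counter per cpu, a writer that publishes the new ruleset and
 * then waits for every cpu caught mid-traversal, and a counter read of
 * the old ruleset that needs no synchronization afterwards.
 * Added example, not kernel code; names and layout are assumptions. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

#define NCPU 4          /* simulated cpus: one reader thread each */
#define NRULESETS 8     /* static pool; the writer installs pool[1..7] in turn */
#define ITER 20000      /* "packets" each reader runs through the ruleset */

struct ruleset {
	unsigned long hits[NCPU];  /* per-cpu counters, written only by that cpu's thread */
	_Atomic int retired;       /* set once the writer knows no cpu can still use it */
};

struct xt_table {
	_Atomic(struct ruleset *) private;
};

static struct ruleset pool[NRULESETS];
static struct xt_table table = { .private = &pool[0] };
static _Atomic unsigned int recseq[NCPU];   /* odd while that cpu is inside a ruleset */
static _Atomic unsigned long violations;    /* readers that touched a retired ruleset */

/* Reader side. seq_cst operations stand in for the kernel barriers: the
 * counter must be visibly odd before ->private is dereferenced. */
static struct ruleset *ruleset_begin(int cpu)
{
	atomic_fetch_add(&recseq[cpu], 1);
	return atomic_load(&table.private);
}

static void ruleset_end(int cpu)
{
	atomic_fetch_add(&recseq[cpu], 1);
}

/* Writer side. Only cpus whose counter is odd in the snapshot matter: a cpu
 * that begins after the publish already reads the new pointer. Wait until
 * each such counter moves on, i.e. that walk of the old rules has ended. */
static void wait_until_old_rules_unused(void)
{
	for (int cpu = 0; cpu < NCPU; cpu++) {
		unsigned int seq = atomic_load(&recseq[cpu]);

		if (seq & 1)
			while (atomic_load(&recseq[cpu]) == seq)
				sched_yield();
	}
}

/* Publish newinfo, wait, then hand the old ruleset back: from here on its
 * counters can be read with plain loads and it could be freed. */
static struct ruleset *xt_replace_table(struct ruleset *newinfo)
{
	struct ruleset *old = atomic_exchange(&table.private, newinfo);

	wait_until_old_rules_unused();
	atomic_store(&old->retired, 1);
	return old;
}

static unsigned long sum_counters(const struct ruleset *rs)
{
	unsigned long n = 0;

	for (int cpu = 0; cpu < NCPU; cpu++)
		n += rs->hits[cpu];
	return n;
}

static void *reader(void *arg)
{
	int cpu = (int)(intptr_t)arg;

	for (int i = 0; i < ITER; i++) {
		struct ruleset *rs = ruleset_begin(cpu);

		if (atomic_load(&rs->retired))
			atomic_fetch_add(&violations, 1);  /* a use-after-free in the kernel */
		rs->hits[cpu]++;
		ruleset_end(cpu);
	}
	return NULL;
}

/* Run the readers against NRULESETS-1 swaps. True if no reader ever used a
 * retired ruleset and every hit is found exactly once across all rulesets,
 * i.e. no counter read raced with a walk still in progress. One-shot: the
 * counters are global. */
bool run_swap_model(void)
{
	pthread_t tid[NCPU];
	unsigned long total = 0;

	for (int cpu = 0; cpu < NCPU; cpu++)
		pthread_create(&tid[cpu], NULL, reader, (void *)(intptr_t)cpu);

	for (int i = 1; i < NRULESETS; i++) {
		sched_yield();
		total += sum_counters(xt_replace_table(&pool[i]));
	}
	for (int cpu = 0; cpu < NCPU; cpu++)
		pthread_join(tid[cpu], NULL);
	total += sum_counters(atomic_load(&table.private));  /* readers are gone */

	return atomic_load(&violations) == 0 && total == (unsigned long)NCPU * ITER;
}

int main(void)
{
	return run_swap_model() ? 0 : 1;
}
```

Two things in this model are the points of the threads above: the wait loop only follows a counter that was odd when sampled, because the publish is ordered before the sample and any cpu that starts later already sees the new pointer; and the old ruleset's counters are summed with plain loads after the wait, which is what makes the separate unsynchronized "old counters" retrieval path safe. Build with the pthread library where the libc does not already contain it.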

Re: [PATCH nft 0/9] tests: Move tests from files to shell.

2017-10-11 Thread Pablo Neira Ayuso
Hi Varsha, On Wed, Oct 11, 2017 at 10:03:56AM +0530, Varsha Rao wrote: > Test files of tests/files/ are moved to tests/shell. We have more than 100 tests these days, could you have a look at the repository to see if this is adding redundant tests for what we have? If we already have a test

[PATCH nf-next 3/3] netfilter: conntrack: remove pf argument from l4 packet functions

2017-10-11 Thread Florian Westphal
not needed/used anymore. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_l4proto.h | 1 - net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 1 - net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 1 - net/netfilter/nf_conntrack_core.c | 2 +-

[PATCH nf-next 2/3] netfilter: conntrack: add and use nf_ct_l4proto_log_invalid

2017-10-11 Thread Florian Westphal
We currently pass down the l4 protocol to the conntrack ->packet() function, but the only user of this is the debug info decision. Same information can be derived from struct nf_conn. Add a wrapper for the previous patch that extracts the information from nf_conn and passes it to

[PATCH nf-next 0/3] netfilter: remove pf argument from conntrack l4 packet function

2017-10-11 Thread Florian Westphal
We currently pass pf to the packet() function of the l4 trackers, but this isn't needed -- it's only required for the 'log invalid' check and the l4 protocol is also available in the nf_conn entry. This series adds helpers for logging invalid packets, similar to nf_ct_helper_log(). I added a

[PATCH nf-next 1/3] netfilter: conntrack: add and use nf_l4proto_log_invalid

2017-10-11 Thread Florian Westphal
We currently pass down the l4 protocol to the conntrack ->packet() function, but the only user of this is the debug info decision. Same information can be derived from struct nf_conn. As a first step, add and use a new log function for this, similar to nf_ct_helper_log(). Add __cold annotation

[redirect: netdev => netfilter-devel] Accept packets that the H.245 ALG can't process

2017-10-11 Thread Alexandru Ardelean
Hey, There's a patch that may be of interest to this group. [ I'll admit, I share interest in this patch ]. It was sent to netdev. Though it looks like it should have been sent here. Link: https://patchwork.ozlabs.org/patch/765233/ I wouldn't want to send the patch again, since it's from Blair