Re: linux-next: manual merge of the vfs tree with the netfilter tree

2017-12-06 Thread Stephen Rothwell
Hi Jann, On Thu, 7 Dec 2017 01:48:14 +0100 Jann Horn wrote: > > > I can't tell if the strlen test from the former is still needed, so I > > just used the vfs tree version for now. > > Yeah, both of the checks from the netfilter tree are still necessary > independent of the

linux-next: manual merge of the netfilter-next tree with the netfilter tree

2017-12-06 Thread Stephen Rothwell
Hi all, Today's linux-next merge of the netfilter-next tree got a conflict in: net/netfilter/nf_conntrack_h323_asn1.c between commit: bc7d811ace4a ("netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function") from the netfilter tree and commit: e3e52b49c9e7 ("netfilter:

Re: [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state

2017-12-06 Thread Pablo Neira Ayuso
Hi Linus, On Mon, Dec 04, 2017 at 05:53:35AM +0100, Linus Lüssing wrote: > Hi Pablo, > > Thanks for your reply! > > On Tue, Nov 28, 2017 at 12:30:08AM +0100, Pablo Neira Ayuso wrote: > > [...] > > > diff --git a/net/bridge/netfilter/ebt_limit.c > > > b/net/bridge/netfilter/ebt_limit.c > > >

linux-next: manual merge of the vfs tree with the netfilter tree

2017-12-06 Thread Stephen Rothwell
Hi Al, Today's linux-next merge of the vfs tree got a conflict in: net/netfilter/xt_bpf.c between commit: 6ab405114b0b ("netfilter: xt_bpf: add overflow checks") from the netfilter tree and commit: af58d2496b49 ("fix "netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of

Re: libnftables extended API proposal (Was: Re: [nft PATCH] libnftables: Fix for multiple context instances)

2017-12-06 Thread Pablo Neira Ayuso
Hi Phil, On Tue, Dec 05, 2017 at 02:43:17PM +0100, Phil Sutter wrote: [...] > My "vision" for an extended API which actually provides an additional > benefit is something that allows working with the entities the nft language > defines in an abstract manner, ideally without having to invoke the >

Re: [PATCH 27/45] net: remove duplicate includes

2017-12-06 Thread David Miller
From: Pravin Shedge Date: Wed, 6 Dec 2017 23:02:58 +0530 > These duplicate includes have been found with scripts/checkincludes.pl but > they have been removed manually to avoid removing false positives. > > Signed-off-by: Pravin Shedge

Re: [PATCH nf-next 2/2] netfilter: reduce hook array sizes to what is needed

2017-12-06 Thread Pablo Neira Ayuso
On Sun, Dec 03, 2017 at 12:58:48AM +0100, Florian Westphal wrote: > Not all families share the same hook count. > > Can't use the corresponding ARP, BRIDGE, DECNET defines because they are > defined in uapi headers and including them causes build failures. > > struct net before: > /* size: 6592,

Re: [nf-next:master 14/14] net/bridge/br_netfilter_hooks.c:994:30: error: 'struct netns_nf' has no member named 'hooks_bridge'; did you mean 'hooks_ipv4'?

2017-12-06 Thread Pablo Neira Ayuso
Hi Florian, On Thu, Dec 07, 2017 at 01:59:32AM +0800, kbuild test robot wrote: > tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git > master > head: bcbfcb63a93704140d66f49b6f7d783988f37b4e > commit: bcbfcb63a93704140d66f49b6f7d783988f37b4e [14/14] netfilter: reduce >

[nf-next:master 14/14] net/bridge/br_netfilter_hooks.c:994:30: error: 'struct netns_nf' has no member named 'hooks_bridge'; did you mean 'hooks_ipv4'?

2017-12-06 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: bcbfcb63a93704140d66f49b6f7d783988f37b4e commit: bcbfcb63a93704140d66f49b6f7d783988f37b4e [14/14] netfilter: reduce hook array sizes to what is needed config: i386-randconfig-x002-201749 (attached as .config)

[nf-next:master 14/14] net/netfilter/nf_queue.c:208:34: error: 'const struct netns_nf' has no member named 'hooks_bridge'; did you mean 'hooks_ipv4'?

2017-12-06 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: bcbfcb63a93704140d66f49b6f7d783988f37b4e commit: bcbfcb63a93704140d66f49b6f7d783988f37b4e [14/14] netfilter: reduce hook array sizes to what is needed config: i386-randconfig-x014-201749 (attached as .config)

[PATCH 27/45] net: remove duplicate includes

2017-12-06 Thread Pravin Shedge
These duplicate includes have been found with scripts/checkincludes.pl but they have been removed manually to avoid removing false positives. Signed-off-by: Pravin Shedge --- net/core/netprio_cgroup.c| 1 - net/dsa/slave.c | 1 -

[PATCH v2 nf-next] netfilter: meta: secpath support

2017-12-06 Thread Florian Westphal
replacement for iptables "-m policy --dir in --policy {ipsec,none}". Signed-off-by: Florian Westphal --- Changes since v1: - add ifdef CONFIG_XFRM in nft_meta_get_validate, no need for any check if we don't support xfrm. include/uapi/linux/netfilter/nf_tables.h | 2 ++

[PATCH v3 nf-next] netfilter: connlimit: split xt_connlimit into front/backend

2017-12-06 Thread Florian Westphal
This allows reusing the xt_connlimit infrastructure from nf_tables. The upcoming nf_tables frontend can just pass in an nftables register as input key; this allows limiting by arbitrary keys via concatenations. For xt_connlimit, pass in the zone and the ip/ipv6 address as key to keep same

[PATCH] src: Add option -D to define variable from command line

2017-12-06 Thread Harsha Sharma
This patch takes the argument of the '-D' option and passes it to nft_run_cmd_from_filename, and parses the string in scanner_push_file along with the input file. Signed-off-by: Harsha Sharma --- I want to parse both input string and input file in scanner_push_file but unable to do

Re: [PATCH V3 0/5] netfilter: nf_nat_snmp_basic: use ASN.1 decoder

2017-12-06 Thread Pablo Neira Ayuso
On Wed, Dec 06, 2017 at 09:15:44AM +0100, Pablo Neira Ayuso wrote: > On Mon, Nov 20, 2017 at 12:05:54AM +0900, Taehee Yoo wrote: > > The goal of this patch set is to use the ASN.1 decoder library > > to parse SNMP ASN.1 payload. > > Series applied, thanks. I'm hitting this here:

Re: [PATCH nf-next] netfilter: ipvs: Remove useless ipvsh param of frag_safe_skb_hp

2017-12-06 Thread Pablo Neira Ayuso
On Wed, Nov 22, 2017 at 07:14:28PM +0100, Simon Horman wrote: > On Mon, Nov 13, 2017 at 10:58:18PM +0800, gfree.w...@vip.163.com wrote: > > From: Gao Feng > > > > The param of frag_safe_skb_hp, ipvsh, isn't used now. So remove it and > > update the callers' codes too. > >

Re: [PATCH nf-next] net: netfilter: nf_conntrack_h323: Remove unwanted comments.

2017-12-06 Thread Pablo Neira Ayuso
On Thu, Nov 30, 2017 at 07:34:36PM +0530, Varsha Rao wrote: > Change old multi-line comment style to kernel comment style and > remove unwanted comments. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to

Re: [PATCH nf-next 0/2] netfilter: reduce size of hook entry points

2017-12-06 Thread Pablo Neira Ayuso
On Sun, Dec 03, 2017 at 12:58:46AM +0100, Florian Westphal wrote: > struct net contains: > > struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; > > where NFPROTO_NUMPROTO = 13 and NF_MAX_HOOKS = 8. > > ... and that needs a *lot* more space than what we really need. > We only

Re: [PATCH nf-next 0/3] netfilter: reduce netns create/delete cost

2017-12-06 Thread Pablo Neira Ayuso
On Fri, Dec 01, 2017 at 12:21:01AM +0100, Florian Westphal wrote: > This patch series removes all synchronize_net() calls from netfilter core > to speed up net namespace create/delete rate. > > Freeing of hooks is moved to call_rcu at the cost of additional 24 bytes > at the end of each rule

Re: [PATCH ipset nf-next] netfilter: ipset: add resched points during set listing

2017-12-06 Thread Pablo Neira Ayuso
On Fri, Dec 01, 2017 at 08:25:55PM +0100, Jozsef Kadlecsik wrote: > Hi Florian, > > On Thu, 30 Nov 2017, Florian Westphal wrote: > > > When sets are extremely large we can get softlockup during ipset -L. We > > could fix this by adding cond_resched_rcu() at the right location during > >

Re: [PATCH ipset nf-next] netfilter: ipset: use nfnl_mutex_is_locked

2017-12-06 Thread Pablo Neira Ayuso
On Fri, Dec 01, 2017 at 08:14:48PM +0100, Jozsef Kadlecsik wrote: > Hi Florian, > > On Thu, 30 Nov 2017, Florian Westphal wrote: > > > Check that we really hold nfnl mutex here instead of relying on correct > > usage alone. > > > > Signed-off-by: Florian Westphal > > Yes, it's

Re: [PATCH V3 0/5] netfilter: nf_nat_snmp_basic: use ASN.1 decoder

2017-12-06 Thread Pablo Neira Ayuso
On Mon, Nov 20, 2017 at 12:05:54AM +0900, Taehee Yoo wrote: > The goal of this patch set is to use the ASN.1 decoder library > to parse SNMP ASN.1 payload. Series applied, thanks.

Re: [PATCH] netfilter: xt_osf: Add missing permission checks

2017-12-06 Thread Pablo Neira Ayuso
On Tue, Dec 05, 2017 at 03:42:41PM -0800, Kevin Cernekee wrote: > The capability check in nfnetlink_rcv() verifies that the caller > has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. > However, xt_osf_fingers is shared by all net namespaces on the > system. An unprivileged user