Re: [patch 1/1] net/netfilter/x_tables.c: make allocation less aggressive

On Tue, 2018-01-30 at 11:30 -0800, a...@linux-foundation.org wrote: > From: Michal Hocko > Subject: net/netfilter/x_tables.c: make allocation less aggressive > > syzbot has noticed that xt_alloc_table_info can allocate a lot of memory. > This is an admin only interface but an

[patch 1/1] net/netfilter/x_tables.c: make allocation less aggressive

From: Michal Hocko Subject: net/netfilter/x_tables.c: make allocation less aggressive syzbot has noticed that xt_alloc_table_info can allocate a lot of memory. This is an admin only interface but an admin in a namespace is sufficient as well. eacd86ca3b03

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

On Tue, 30 Jan 2018 15:01:04 +0100 Michal Hocko wrote: > > Well, this is not about syzkaller, it merely pointed out a potential > > DoS... And that has to be addressed somehow. > > So how about this? > --- argh ;) > >From d48e950f1b04f234b57b9e34c363bdcfec10aeee Mon Sep 17

[PATCH net] netfilter: on sockopt() acquire sock lock only in the required scope

Syzbot reported several deadlocks in the netfilter area caused by rtnl lock and socket lock being acquired with a different order on different code paths, leading to backtraces like the following one: == WARNING: possible circular locking

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

On Tue 30-01-18 15:01:11, Florian Westphal wrote: > > From d48e950f1b04f234b57b9e34c363bdcfec10aeee Mon Sep 17 00:00:00 2001 > > From: Michal Hocko > > Date: Tue, 30 Jan 2018 14:51:07 +0100 > > Subject: [PATCH] net/netfilter/x_tables.c: make allocation less aggressive > >

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

> From d48e950f1b04f234b57b9e34c363bdcfec10aeee Mon Sep 17 00:00:00 2001 > From: Michal Hocko > Date: Tue, 30 Jan 2018 14:51:07 +0100 > Subject: [PATCH] net/netfilter/x_tables.c: make allocation less aggressive Acked-by: Florian Westphal -- To unsubscribe from

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

On Tue 30-01-18 10:57:39, Michal Hocko wrote: > On Tue 30-01-18 10:02:34, Dmitry Vyukov wrote: > > On Tue, Jan 30, 2018 at 9:28 AM, Kirill A. Shutemov > > wrote: > > > On Tue, Jan 30, 2018 at 09:11:27AM +0100, Florian Westphal wrote: > > >> Michal Hocko

[PATCH v4] netfilter : add NAT support for shifted portmap ranges

This is a patch proposal to support shifted ranges in portmaps. (i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100) Currently DNAT only works for single port or identical port ranges. (i.e. ports 5000-5100 on WAN interface redirected to a LAN host while original

Re: question about UNDEFINE/REDEFINE

Hello Arturo, Dne pátek 26. ledna 2018 19:43:18 CET, Arturo Borrero Gonzalez napsal(a): > My suggestion is to simply create one variable per value: > > define INET_IFACES_VLAN43 = { bond0.x, bond3.y} > define INET_IFACES_VLAN3 = { bond3.x, bond3.y} > define XXX_VLAN43 = xxx > define XXX_VLAN3 =

Re: question about UNDEFINE/REDEFINE

Hello Pablo, Dne pátek 26. ledna 2018 14:45:49 CET, Pablo Neira Ayuso napsal(a): > 2) Probably even cleaner is to look at 'local' scopes like in bash. > > define local IP1 = 1.1.1.1 > > so the symbol is bound to this file - consider the content of a file > determines a given scope. This can be

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

On Tue 30-01-18 10:02:34, Dmitry Vyukov wrote: > On Tue, Jan 30, 2018 at 9:28 AM, Kirill A. Shutemov > wrote: > > On Tue, Jan 30, 2018 at 09:11:27AM +0100, Florian Westphal wrote: > >> Michal Hocko wrote: > >> > On Mon 29-01-18 23:35:22, Florian Westphal

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

On Tue 30-01-18 09:11:27, Florian Westphal wrote: > Michal Hocko wrote: > > On Mon 29-01-18 23:35:22, Florian Westphal wrote: > > > Kirill A. Shutemov wrote: > > [...] > > > > I hate what I'm saying, but I guess we need some tunable here. > > > > Not sure

Re: possible deadlock in xt_find_revision

#syz dup: possible deadlock in do_ip_getsockopt -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: possible deadlock in xt_find_table_lock

#syz dup: possible deadlock in do_ip_getsockopt -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

On Tue, Jan 30, 2018 at 9:28 AM, Kirill A. Shutemov wrote: > On Tue, Jan 30, 2018 at 09:11:27AM +0100, Florian Westphal wrote: >> Michal Hocko wrote: >> > On Mon 29-01-18 23:35:22, Florian Westphal wrote: >> > > Kirill A. Shutemov

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

On Tue, Jan 30, 2018 at 09:11:27AM +0100, Florian Westphal wrote: > Michal Hocko wrote: > > On Mon 29-01-18 23:35:22, Florian Westphal wrote: > > > Kirill A. Shutemov wrote: > > [...] > > > > I hate what I'm saying, but I guess we need some tunable here.

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

Michal Hocko wrote: > On Mon 29-01-18 23:35:22, Florian Westphal wrote: > > Kirill A. Shutemov wrote: > [...] > > > I hate what I'm saying, but I guess we need some tunable here. > > > Not sure what exactly. > > > > Would memcg help? > > That really