Hi Florian,
I attached two 'draft' patches in this email :)
Thanks,
Jack
From 6d811e63c9c777ed4287bc4547134c99e939b49d Mon Sep 17 00:00:00 2001
From: Jack Ma
Date: Mon, 12 Feb 2018 13:41:29 +1300
Subject: [PATCH] libxt_CONNMARK: Support bit-shifting for --restore,set and
save-mark
Added bit-shi
"fib" starts to behave strangely when an ipv6 default route is
added - the FIB lookup returns a route using 'oif' in this case.
This behaviour was inherited from ip6tables rpfilter so change
this as well.
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1221
Signed-off-by: Florian Westpha
Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote:
> > Hello,
> >
> > As of nftables 0.8.1, it seems I can no longer write anonymous sets
> > which contain overlapping networks (CIDR masks).
> >
> > For example, I want to write the following ruleset:
> >
On Wed, Feb 07, 2018 at 02:20:41PM +0100, Florian Westphal wrote:
> This rejects rulesets where a jump occurs to a non-user defined chain.
> This isn't limited in any way in the binary format (you can jump to
> any rule you want within the blob structure), but iptables tools
> do not offset such a
On Wed, Feb 14, 2018 at 05:21:19PM +0100, Paolo Abeni wrote:
> syzbot reported a division by 0 bug in the netfilter nat code:
>
> divide error: [#1] SMP KASAN
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted 4.16.0-
On Mon, Feb 12, 2018 at 06:49:39PM +0100, Paolo Abeni wrote:
> syzbot reported that xt_LED may try to use the ledinternal->timer
> without previously initializing it:
>
> [ cut here ]
> kernel BUG at kernel/time/timer.c:958!
> invalid opcode: [#1] SMP KASAN
> Dumping f
> On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote:
>> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote:
>> > Hi Pablo,
>> >
>> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso
>> > wrote:
>> > > Restore original syntax for the yet experimental VM low-level json
>
On Mon, Feb 12, 2018 at 09:45:42PM +0800, Zhu Lingshan wrote:
> when build kernel with default configure, files:
>
> generatenet/ipv4/netfilter/nf_nat_snmp_basic-asn1.c
> net/ipv4/netfilter/nf_nat_snmp_basic-asn1.h
>
> will be automatically generated by ASN.1 compiler, so
> No need to track them
On Wed, Feb 07, 2018 at 01:46:25PM +0100, Florian Westphal wrote:
> The rationale for removing the check is only correct for rulesets
> generated by ip(6)tables.
>
> In iptables, a jump can only occur to a user-defined chain, i.e.
> because we size the stack based on number of user-defined chains
On Thu, Feb 08, 2018 at 01:53:52PM -0800, Cong Wang wrote:
> In clusterip_config_find_get() we hold RCU read lock so it could
> run concurrently with clusterip_config_entry_put(), as a result,
> the refcnt could go back to 1 from 0, which leads to a double
> list_del()... Just replace refcount_inc(
On Wed, Feb 07, 2018 at 02:48:21PM +0100, Florian Westphal wrote:
> Aeons ago, before namespaces, there was no need to ratelimit this:
> all of these error messages got triggered in response to iptables
> commands, which need CAP_NET_ADMIN.
>
> Nowadays we have namespaces, so its better to ratelim
On Thu, Feb 08, 2018 at 12:19:00PM +0100, Paolo Abeni wrote:
> The Syzbot reported a possible deadlock in the netfilter area caused by
> rtnl lock, xt lock and socket lock being acquired with a different order
> on different code paths, leading to the following backtrace:
>
> =
On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote:
> > Hi Pablo,
> >
> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso
> > wrote:
> > > Restore original syntax for the yet experimental VM low-level json
> > > re
On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote:
> Hi Pablo,
>
> On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso
> wrote:
> > Restore original syntax for the yet experimental VM low-level json
> > representation.
> >
> > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224
Instead of -1, which results in a misleading error, propagate to the caller
with errno == 0 (success).
Signed-off-by: Pablo Neira Ayuso
---
src/set_elem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/set_elem.c b/src/set_elem.c
index e02a38791c9a..1ac53dadbb75 100644
--- a
Signed-off-by: Pablo Neira Ayuso
---
examples/nft-set-del.c | 33 -
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/examples/nft-set-del.c b/examples/nft-set-del.c
index 5e1fad30d341..8c216df861d7 100644
--- a/examples/nft-set-del.c
+++ b/examples/nf
Hi Pablo,
On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso wrote:
> Restore original syntax for the yet experimental VM low-level json
> representation.
>
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224
> Signed-off-by: Pablo Neira Ayuso
> ---
> I asked for this change to make r
On Wed, Feb 07, 2018 at 11:40:00AM +0200, Ville Skyttä wrote:
> Previously, if man page build was enabled but no suitable docbook2man or
> the like tool was found, build failed at a later stage with
> undescriptive error message. Fail early and explicitly at configure
> stage instead.
Applied, tha
Restore original syntax for the yet experimental VM low-level json
representation.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224
Signed-off-by: Pablo Neira Ayuso
---
I asked for this change to make room for the high-level json
representation, but we can use -j options for this inste
On Wed, Feb 14, 2018 at 07:02:32PM +0200, Mantas Mikulėnas wrote:
> Hello,
>
> As of nftables 0.8.1, it seems I can no longer write anonymous sets
> which contain overlapping networks (CIDR masks).
>
> For example, I want to write the following ruleset:
>
> #!/usr/bin/nft -f
> define users = { 1
On Wed, Feb 14, 2018 at 05:40:17PM +0100, Florian Westphal wrote:
> currently kernel may pick a set implementation that doesn't provide
> a ->update() function. This causes an error when user attempts to
> add the nftables rule that is supposed to add entries to the set.
>
> Signed-off-by: Florian
Hello,
As of nftables 0.8.1, it seems I can no longer write anonymous sets
which contain overlapping networks (CIDR masks).
For example, I want to write the following ruleset:
#!/usr/bin/nft -f
define users = { 10.0.0.0/8, 193.219.181.192/26 }
define admins = { 10.123.0.0/24, 31.220.42.129 }
def
currently kernel may pick a set implementation that doesn't provide
a ->update() function. This causes an error when user attempts to
add the nftables rule that is supposed to add entries to the set.
Signed-off-by: Florian Westphal
---
Pablo, unless you have objections I would push this now.
dif
syzbot reported a division by 0 bug in the netfilter nat code:
divide error: [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted 4.16.0-rc1+ #309
Hardware name: Google Google Compute Engine/Google Compute Engine
On Wed, Feb 14, 2018 at 04:45:31PM +0100, Paolo Abeni wrote:
> Hi,
>
> On Wed, 2018-02-14 at 14:51 +0100, Pablo Neira Ayuso wrote:
> > On Wed, Feb 14, 2018 at 01:30:37PM +0100, Florian Westphal wrote:
> > > Eric Dumazet wrote:
> > > > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > > >
Hi,
On Wed, 2018-02-14 at 14:51 +0100, Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2018 at 01:30:37PM +0100, Florian Westphal wrote:
> > Eric Dumazet wrote:
> > > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > > > syzbot reported a division by 0 bug in the netfilter nat code:
> > > > Ad
Do not exercise dependency removal for protocol key network payload
expressions in bridge, netdev and inet families from meta expressions,
more specifically:
* inet: nfproto and ether type.
* netdev and bridge: meta protocol and ether type.
need to be left in place.
Signed-off-by: Pablo Neira Ay
This helper function tells us if there is already a protocol key payload
expression, ie. those with EXPR_F_PROTOCOL flag set on, that we might
want to remove since we can infer from another expression in the upper
protocol base, eg.
ip protocol tcp tcp dport 22
'ip protocol tcp' can be re
Use payload_dependency_release() instead.
Signed-off-by: Pablo Neira Ayuso
---
include/payload.h | 3 +--
src/netlink_delinearize.c | 9 +++--
src/payload.c | 15 +--
3 files changed, 9 insertions(+), 18 deletions(-)
diff --git a/include/payload.h b/include
This context information is very relevant when deciding if a redundant
dependency needs to be removed or not, specifically for the inet, bridge
and netdev families. This new parameter is used by follow up patch
entitled ("payload: add payload_should_dependency_kill()").
Signed-off-by: Pablo Neira
Payload protocol key expressions at network base are meaningful in the
netdev, bridge and inet families, do not exercise the redundant
dependency removal in those cases since it breaks rule semantics.
Signed-off-by: Pablo Neira Ayuso
---
src/payload.c | 31 +--
1 file
Wrap code that releases existing dependencies that we have just
annotated in the context structure.
Signed-off-by: Pablo Neira Ayuso
---
src/payload.c | 22 +-
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/payload.c b/src/payload.c
index df3c8136c88c..21c
Hi,
This patchset aims to address what Florian reported time ago [1]. This
is skipping removal of protocol key payload expressions at network base
for the netdev, bridge and inet.
It would better to annotate all redundant expressions and add a later
stage, where we can do smarter simplifications
On Wed, Feb 14, 2018 at 01:30:37PM +0100, Florian Westphal wrote:
> Eric Dumazet wrote:
> > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > > syzbot reported a division by 0 bug in the netfilter nat code:
> >
> > > Adding the relevant check at parse time could break existing
> > > setup
On Mon, 2018-01-22 at 15:54 +0100, Anders K. Pedersen | Cohaesio wrote:
> On Thu, 2018-01-11 at 10:18 -0800, Wei Wang wrote:
> > On Thu, Jan 11, 2018 at 9:25 AM, Anders K. Pedersen | Cohaesio
> > wrote:
> > > On Tue, 2017-12-26 at 12:05 +0100, Anders K. Pedersen | Cohaesio
> > > wrote:
> > > > Hel
On Wed, 2018-02-14 at 13:30 +0100, Florian Westphal wrote:
> Eric Dumazet wrote:
> > On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > > syzbot reported a division by 0 bug in the netfilter nat code:
> > > Adding the relevant check at parse time could break existing
> > > setup, moreover w
Eric Dumazet wrote:
> On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> > syzbot reported a division by 0 bug in the netfilter nat code:
>
> > Adding the relevant check at parse time could break existing
> > setup, moreover we would need to read/write such values atomically
> > to avoid pos
On Wed, 2018-02-14 at 12:13 +0100, Paolo Abeni wrote:
> syzbot reported a division by 0 bug in the netfilter nat code:
...
> Adding the relevant check at parse time could break existing
> setup, moreover we would need to read/write such values atomically
> to avoid possible transient negative ran