Re: [PATCH nf v3] netfilter: bridge: ebt_among: add more missing match size checks

Eric Dumazet wrote: > > > On 03/08/2018 04:24 PM, Florian Westphal wrote: > >Eric Dumazet wrote: > >>>Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks") > >>>Reported-by:

Re: [PATCH nf v3] netfilter: bridge: ebt_among: add more missing match size checks

On 03/08/2018 04:24 PM, Florian Westphal wrote: Eric Dumazet wrote: Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks") Reported-by: Signed-off-by: Florian Westphal ---

Re: [PATCH nf v3] netfilter: bridge: ebt_among: add more missing match size checks

Eric Dumazet wrote: > >Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks") > >Reported-by: > >Signed-off-by: Florian Westphal > >--- > > net/bridge/netfilter/ebt_among.c | 35

[PATCH nf v3] netfilter: bridge: ebt_among: add more missing match size checks

ebt_among is special, it has a dynamic match size and is exempt from the central size checks. commit c4585a2823edf ("bridge: ebt_among: add missing match size checks") added validation for pool size, but missed fact that the macros ebt_among_wh_src/dst can already return out-of-bound result

Re: [PATCH nf-next 1/2] netfilter: SYNPROXY: set transport header properly

Eric Dumazet wrote: > > > On 03/08/2018 07:01 AM, Serhey Popovych wrote: >> Eric Dumazet wrote: >>> >>> >>> On 03/08/2018 02:08 AM, Serhey Popovych wrote: We can't use skb_reset_transport_header() together with skb_put() to set skb->transport_header field because skb_put() does

[PATCH nf v2] netfilter: bridge: ebt_among: add more missing match size checks

ebt_among is special, it has a dynamic match size and is exempt from the central size checks. commit c4585a2823edf ("bridge: ebt_among: add missing match size checks") added validation for pool size, but missed fact that the macros ebt_among_wh_src/dst can already return out-of-bound result

[PATCH] rule: print handle attribute in more clearer manner

Print handles in this way: table ip filter { # handle 2 } Similarly, for chain, set and object handles Signed-off-by: Harsha Sharma --- src/rule.c | 63 +++--- 1 file changed, 32 insertions(+), 31 deletions(-)

Re: [PATCH nf-next 1/2] netfilter: SYNPROXY: set transport header properly

On 03/08/2018 07:01 AM, Serhey Popovych wrote: Eric Dumazet wrote: On 03/08/2018 02:08 AM, Serhey Popovych wrote: We can't use skb_reset_transport_header() together with skb_put() to set skb->transport_header field because skb_put() does not touch skb->data. Do this same way as we did for

Re: [PATCH nf-next 1/2] netfilter: SYNPROXY: set transport header properly

Eric Dumazet wrote: > > > On 03/08/2018 02:08 AM, Serhey Popovych wrote: >> We can't use skb_reset_transport_header() together with skb_put() to set >> skb->transport_header field because skb_put() does not touch skb->data. >> >> Do this same way as we did for csum_data in code: substract

Re: [PATCH nf-next 1/2] netfilter: SYNPROXY: set transport header properly

On 03/08/2018 02:08 AM, Serhey Popovych wrote: We can't use skb_reset_transport_header() together with skb_put() to set skb->transport_header field because skb_put() does not touch skb->data. Do this same way as we did for csum_data in code: substract skb->head from tcph. Signed-off-by:

[PATCH nf] netfilter: ebtables: fix erroneous reject of last rule

The last rule in the blob has next_entry offset that is same as total size. This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel. Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets") Signed-off-by: Florian Westphal ---

Re: [PATCH nf] netfilter: bridge: ebt_among: add more missing match size checks

Florian Westphal wrote: > ebt_among is special, it has a dynamic match size and is exempt > from the central size checks. > > commit c4585a2823edf ("bridge: ebt_among: add missing match size checks") > added validation for pool size, but missed fact that the macros >

[PATCH nf-next 0/2] netfilter: set transport header properly

Using skb_reset_transport_header() after skb_put() does not make sense because we do not touch skb->data pointer. Therefore transport header still points to network header. Update skb->transport_header manually to difference between skb_put() returned pointer (old tail) and skb->head. Thanks,

[PATCH nf-next 1/2] netfilter: SYNPROXY: set transport header properly

We can't use skb_reset_transport_header() together with skb_put() to set skb->transport_header field because skb_put() does not touch skb->data. Do this same way as we did for csum_data in code: substract skb->head from tcph. Signed-off-by: Serhey Popovych ---

[PATCH nf-next 2/2] netfilter: nf_reject: set transport header properly

We can't use skb_reset_transport_header() together with skb_put() to set skb->transport_header field because skb_put() does not touch skb->data. Do this same way as we did for csum_data in code below: substract skb->head from tcph. Signed-off-by: Serhey Popovych ---

Re: [PATCH v4] netfilter : add NAT support for shifted portmap ranges

On 06-03-18 00:41, Pablo Neira Ayuso wrote: > Hi Thierry, > > On Fri, Feb 16, 2018 at 12:31:26PM +0100, Thierry Du Tre wrote: >> Op 30/01/2018 om 14:02 schreef Thierry Du Tre: >>> This is a patch proposal to support shifted ranges in portmaps. >>> (i.e. tcp/udp incoming port 5000-5100 on WAN