> Signed-off-by: Florian Westphal <f...@strlen.de>
> ---
Acked-by: Aaron Conole <acon...@bytheb.org>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Eric Dumazet <eric.duma...@gmail.com> writes:
> On Wed, 2017-08-23 at 17:26 +0200, Florian Westphal wrote:
>> From: Aaron Conole <acon...@bytheb.org>
>
> ...
>
>> -static struct nf_hook_entry __rcu **nf_hook_entry_head(struct net
>> *net, const
Aaron Conole <acon...@bytheb.org> writes:
> Pablo Neira Ayuso <pa...@netfilter.org> writes:
>
>> On Thu, Apr 20, 2017 at 06:23:33PM +0900, Lorenzo Colitti wrote:
>>> Currently, iptables programs will exit with an error if the
>>> iptables lock cann
Pablo Neira Ayuso writes:
> On Thu, Apr 20, 2017 at 06:23:33PM +0900, Lorenzo Colitti wrote:
>> Currently, iptables programs will exit with an error if the
>> iptables lock cannot be acquired, but will silently continue if
>> the lock cannot be opened at all.
>
> This sounds
The sync_refresh_period variable is unsigned, so it can never be < 0.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
net/netfilter/ipvs/ip_vs_sync.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_syn
The protonet pointer will unconditionally be rewritten, so just do the
needed assignment first.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
net/netfilter/nf_conntrack_proto.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto.c
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
net/netfilter/nf_tables_api.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2d822d2..1452fb7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/net
There are no in-tree callers.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
net/netfilter/ipset/ip_set_core.c | 8
1 file changed, 8 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c
b/net/netfilter/ipset/ip_set_core.c
index c296f9b..68ba531 100644
--- a/net/net
There are no in-tree callers of this function and it isn't exported.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
include/net/ip_vs.h | 2 --
net/netfilter/ipvs/ip_vs_proto.c | 22 --
2 files changed, 24 deletions(-)
diff --git a/include/net/ip_
The for-loop in the bridge hook entries assumes that the elements are
always present. However, this assumption may not always be true.
Fixes: 66cfc1dd07c7 ("netfilter: convert while loops to for loops")
Signed-off-by: Aaron Conole <acon...@bytheb.org>
--
Pablo, if possible could
This allows easier future refactoring.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
include/linux/netfilter.h | 27 +++
net/bridge/br_netfilter_hooks.c | 2 +-
net/netfilter/core.c| 10 --
net/netfilter/nf_queue.c| 5 ++
From: Aaron Conole <acon...@redhat.com>
During nfhook traversal we only need a very small subset of
nf_hook_ops members.
We need:
- next element
- hook function to call
- hook function priv argument
Bridge netfilter also needs 'thresh'; can be obtained via ->orig_ops.
nf_hook_ent
Pablo Neira Ayuso <pa...@netfilter.org> writes:
> On Thu, Oct 27, 2016 at 02:27:51PM -0400, Aaron Conole wrote:
>> This allows easier future refactoring.
>>
>> Signed-off-by: Aaron Conole <acon...@bytheb.org>
>> ---
tch will turn the run-time list into an array that only
stores hook functions plus their priv arguments.
Suggested-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
include/linux/netfilter.h | 12 +++-
1 file changed, 7 insertions(+), 5 del
/netfilter-devel/msg44408.html
Aaron Conole (3):
netfilter: introduce accessor functions for hook entries
netfilter: decouple nf_hook_entry and nf_hook_ops
netfilter: Convert while loops to for-loops
include/linux/netfilter.h | 42 +
net/bridge
This is to facilitate converting from a singly-linked list to an array
of elements.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
include/linux/netfilter.h | 3 +--
net/bridge/br_netfilter_hooks.c | 8
net/netfilter/core.c| 6 ++
net/netfilter/nf_q
This allows easier future refactoring.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
include/linux/netfilter.h | 35 ++-
net/bridge/br_netfilter_hooks.c | 2 +-
net/netfilter/core.c| 8 +++-
net/netfilter/nf_queue.c
Florian Westphal <f...@strlen.de> writes:
> Pablo Neira Ayuso <pa...@netfilter.org> wrote:
>> On Mon, Oct 17, 2016 at 03:29:27PM -0400, Aaron Conole wrote:
>> > Pablo Neira Ayuso <pa...@netfilter.org> writes:
>> [...]
>> > > From c1a731c6879
Pablo Neira Ayuso <pa...@netfilter.org> writes:
> On Mon, Oct 17, 2016 at 11:23:01AM -0400, Aaron Conole wrote:
>> Pablo Neira Ayuso <pa...@netfilter.org> writes:
>>
>> > Make sure we skip the current hook from where the packet was enqueued,
>> > othe
Pablo Neira Ayuso writes:
> Make sure we skip the current hook from where the packet was enqueued,
> otherwise the packets gets enqueued over and over again.
>
> Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
> Signed-off-by: Pablo Neira Ayuso
Florian Westphal writes:
> Pablo Neira Ayuso wrote:
>> Let me know if you have any comment, otherwise I'll place this in the
>> nf-next tree so we can follow up working on top of these.
>
> Please do, thanks!
+1. Some of this work was in my back burner, so
ed.
>
> @Aaron: Please, I'd appreciate if you can have a look to confirm this bug
> and the fix. Thanks.
Looks like I missed this in my testing.
Reviewed-by: Aaron Conole <acon...@bytheb.org>
> net/netfilter/nf_queue.c | 1 +
> 1 file changed, 1 insertion(+)
>
Michal Kubecek writes:
> On Mon, Oct 10, 2016 at 04:24:01AM -0400, David Miller wrote:
>> From: David Miller
>> Date: Sun, 09 Oct 2016 23:57:45 -0400 (EDT)
>>
>> This means that the netns is possibly getting freed up before we
>> unregister the netfilter
by: Linus Torvalds <torva...@linux-foundation.org>
>
> to the patch, though.
>
> David, if you want me to just commit that thing directly, I can
> obviously do so, but I do think somebody should look at
>
> (a) that I actually got the priority list ordering right on the
Linus Torvalds writes:
> On Sun, Oct 9, 2016 at 7:49 PM, Linus Torvalds
> wrote:
>>
>> There is one *correct* way to remove an entry from a singly linked
>> list, and it looks like this:
>>
>> struct entry **pp, *p;
>>
>> pp
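The removal idiom Linus refers to above, worked through as an added example (this is not code from the thread or from the kernel tree). The `struct entry` node type, its `id` field and the helper names are assumptions for illustration; only the `struct entry **pp, *p;` walking form comes from the quoted message. Walking with a pointer to the link rather than to the node means the head, an interior node and the tail are all unlinked by the same assignment, with no separate head case to get wrong.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical node type standing in for a hook entry; the name and
 * fields are assumptions for this example, not netfilter's own. */
struct entry {
	struct entry *next;
	int id;
};

/* Remove 'victim' from the singly linked list whose head pointer is
 * *head. 'pp' always points at the link that currently refers to 'p',
 * so splicing out is one store through pp regardless of position.
 * Returns 1 if the node was unlinked, 0 if it was not in the list. */
static int list_remove(struct entry **head, struct entry *victim)
{
	struct entry **pp, *p;

	for (pp = head; (p = *pp) != NULL; pp = &p->next) {
		if (p == victim) {
			*pp = p->next;   /* splice the node out */
			p->next = NULL;
			return 1;
		}
	}
	return 0;
}

static struct entry *list_push(struct entry **head, int id)
{
	struct entry *e = calloc(1, sizeof(*e));
	if (!e)
		abort();
	e->id = id;
	e->next = *head;
	*head = e;
	return e;
}

static int list_len(const struct entry *head)
{
	int n = 0;
	for (; head; head = head->next)
		n++;
	return n;
}

/* Render the ids in list order, e.g. "3,2,1", into buf. */
static char *list_render(const struct entry *head, char *buf, size_t len)
{
	size_t off = 0;
	buf[0] = '\0';
	for (; head; head = head->next) {
		int n = snprintf(buf + off, len - off, "%s%d", off ? "," : "", head->id);
		if (n < 0 || (size_t)n >= len - off)
			break;
		off += (size_t)n;
	}
	return buf;
}

static void list_free(struct entry **head)
{
	struct entry *p;
	while ((p = *head) != NULL) {
		*head = p->next;
		free(p);
	}
}

/* Exercise interior, head, tail and absent removals; returns 0 on success. */
static int demo(void)
{
	struct entry *head = NULL, *a, *b, *c, *d, orphan = { NULL, 99 };
	char buf[64];
	int rc = 0;

	a = list_push(&head, 1);   /* list: 1 */
	b = list_push(&head, 2);   /* list: 2,1 */
	c = list_push(&head, 3);   /* list: 3,2,1 */
	d = list_push(&head, 4);   /* list: 4,3,2,1 */

	rc |= list_remove(&head, c) != 1;        /* interior node */
	rc |= strcmp(list_render(head, buf, sizeof buf), "4,2,1") != 0;
	rc |= list_remove(&head, d) != 1;        /* head node */
	rc |= strcmp(list_render(head, buf, sizeof buf), "2,1") != 0;
	rc |= list_remove(&head, a) != 1;        /* tail node */
	rc |= strcmp(list_render(head, buf, sizeof buf), "2") != 0;
	rc |= list_remove(&head, &orphan) != 0;  /* never linked in */
	rc |= list_len(head) != 1;

	free(c);
	free(d);
	free(a);
	list_free(&head);   /* frees b */
	(void)b;
	return rc;
}

int main(void)
{
	int rc = demo();
	printf("%s\n", rc ? "FAIL" : "ok");
	return rc;
}
```

Note that `list_remove` also clears `victim->next`, so a node unlinked from a list that is still being read by other walkers does not keep a dangling reference into it; in the kernel the matching concern is that readers under RCU may still be traversing the old link, which is why the real code pairs the unlink with an RCU grace period before freeing.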
Florian Westphal writes:
> Linus Torvalds wrote:
>> On Sun, Oct 9, 2016 at 12:11 PM, Linus Torvalds
>> wrote:
>> >
>> > Anyway, I don't think I can bisect it, but I'll try to narrow it down
>> > a *bit* at least.
>>
Arnd Bergmann writes:
> A recent cleanup added an unconditional reference to the nf_hooks_ingress
> pointer,
> but that fails when CONFIG_NETFILTER_INGRESS is disabled and that member is
> not present in net_device:
>
> net/netfilter/core.c: In function 'nf_set_hooks_head':
>
Two possible error conditions were caught during an extended testing
session, and by a build robot. These patches fix the two issues (a
missing handler when config is changed, and a potential NULL
dereference).
Aaron Conole (2):
netfilter: Fix potential null pointer dereference
Eric Dumazet <eric.duma...@gmail.com> writes:
> On Wed, 2016-09-28 at 10:56 -0400, Aaron Conole wrote:
>> Eric Dumazet <eric.duma...@gmail.com> writes:
>>
>> > On Wed, 2016-09-28 at 09:12 -0400, Aaron Conole wrote:
>> >> It's possibl
When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
the request for registration properly by dropping the hook. This
releases the entry during the set.
Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
Signed-off-by: Aaron Conole <acon.
Eric Dumazet <eric.duma...@gmail.com> writes:
> On Wed, 2016-09-28 at 09:12 -0400, Aaron Conole wrote:
>> It's possible for nf_hook_entry_head to return NULL. If two
>> nf_unregister_net_hook calls happen simultaneously with a single hook
>> entry in the list, both w
Liping Zhang <zlpnob...@gmail.com> writes:
> 2016-09-28 11:08 GMT+08:00 Liping Zhang <zlpnob...@gmail.com>:
>> Hi Feng,
>>
>> 2016-09-28 9:23 GMT+08:00 Feng Gao <gfree.w...@gmail.com>:
>>> Hi Aaraon,
>>>
>>> On Tue, Sep 27, 2
and attempt to dereference.
This fix ensures that no null pointer dereference could occur when such
a condition happens.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
net/netfilter/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/core.c b/net/netfilter/
When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
the request for registration properly by dropping the hook. This
releases the entry during the set.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
net/netfilter/core.c | 15 +++
1 file changed, 11 inse
It's possible for nf_hook_entry_head to return NULL if two
nf_unregister_net_hook calls happen simultaneously with a single hook
entry in the list. This fix ensures that no null pointer dereference
could occur when such a race happens.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
--
Florian Westphal <f...@strlen.de> writes:
> Aaron Conole <acon...@bytheb.org> wrote:
>> When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
>> the request for registration properly by dropping the hook. This
>> releases the entry during the set.
When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
the request for registration properly by dropping the hook. This
releases the entry during the set.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
net/netfilter/core.c | 4
1 file changed, 4 insertions(+)
diff
Aaron Conole <acon...@bytheb.org> writes:
> The netfilter hook list never uses the prev pointer, and so can be trimmed to
> be a simple singly-linked list.
>
> In addition to having a more light weight structure for hook traversal,
> struct net becomes 5568 bytes (down
u read-side critical section to make a
future cleanup simpler.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
include/net/netfilter/br_netfilter.h | 6
net/bridge/br_netfilter_hooks.c | 60 ++
This commit adds an upfront check for sane values to be passed when
registering a netfilter hook. This will be used in a future patch for a
simplified hook list traversal.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
net/netfilter/core.c | 5 +
1 file changed, 5 insertions(+)
ed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
include/linux/netfilter.h | 8 +++-
include/linux/netfilter_ingress.h | 1 +
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter.h b/include
-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
include/linux/netdevice.h | 2 +-
include/linux/netfilter.h | 61 +
include/linux/netfilter_ingress.h | 16 +++--
include/net/netfilter/nf_queue.h | 3 +-
All of the callers of nf_hook_slow already hold the rcu_read_lock, so this
cleanup removes the recursive call. This is just a cleanup, as the locking
code gracefully handles this situation.
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
net/bridge/netfilter/ebt_redirect.c
Pablo Neira Ayuso <pa...@netfilter.org> writes:
> On Tue, Jul 12, 2016 at 11:32:19AM -0400, Aaron Conole wrote:
>> +/* recursively invokes nf_hook_slow (again), skipping already-called
>> + * hooks (< NF_BR_PRI_BRNF).
>> + *
>> + * Called with rcu read lock hel
and lockdep debugging enabled.
Aaron Conole (2):
netfilter: bridge: add and use br_nf_hook_thresh
netfilter: replace list_head with single linked list
Florian Westphal (1):
netfilter: call nf_hook_state_init with rcu_read_lock held
include/linux/netdevice.h | 2
strlen.de>
Signed-off-by: Aaron Conole <acon...@bytheb.org>
---
include/net/netfilter/br_netfilter.h | 6
net/bridge/br_netfilter_hooks.c | 57 ++--
net/bridge/br_netfilter_ipv6.c | 12
3 files changed, 59 insertions(+), 16 deleti
Thanks for this; I will send a v2 in the next two days.
-Aaron
Florian Westphal <f...@strlen.de> writes:
> Aaron Conole <acon...@bytheb.org> wrote:
>> --- a/net/netfilter/core.c
>> +++ b/net/netfilter/core
> [..]
>> +#define nf_entry_dereference(e) \
-off-by: Aaron Conole <acon...@bytheb.org>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
include/linux/netdevice.h | 2 +-
include/linux/netfilter.h | 18 +++---
include/linux/netfilter_ingress.h | 14 +++--
include/net/netfilter/nf_queue.h | 9 ++-
inclu
From: Florian Westphal <f...@strlen.de>
This makes things simpler because we can store the head of the list
in the nf_state structure without worrying about concurrent add/delete
of hook elements from the list.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Aaron
strlen.de>
Signed-off-by: Aaron Conole <acon...@redhat.com>
---
include/net/netfilter/br_netfilter.h | 6
net/bridge/br_netfilter_hooks.c | 57 ++--
net/bridge/br_netfilter_ipv6.c | 12
3 files changed, 59 insertions(+), 16 deleti