Re: [PATCH nf] netfilter: core: remove erroneous warn_on

@intel.com> > Signed-off-by: Florian Westphal <f...@strlen.de> > --- Acked-by: Aaron Conole <acon...@bytheb.org> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [PATCH nf-next 1/3] netfilter: convert hook list to an array

Eric Dumazet <eric.duma...@gmail.com> writes: > On Wed, 2017-08-23 at 17:26 +0200, Florian Westphal wrote: >> From: Aaron Conole <acon...@bytheb.org> > > ... > >> -static struct nf_hook_entry __rcu **nf_hook_entry_head(struct net >> *net, const

Re: [PATCH iptables] iptables: support insisting that the lock is held

Aaron Conole <acon...@bytheb.org> writes: > Pablo Neira Ayuso <pa...@netfilter.org> writes: > >> On Thu, Apr 20, 2017 at 06:23:33PM +0900, Lorenzo Colitti wrote: >>> Currently, iptables programs will exit with an error if the >>> iptables lock cann

Re: [PATCH iptables] iptables: support insisting that the lock is held

Pablo Neira Ayuso writes: > On Thu, Apr 20, 2017 at 06:23:33PM +0900, Lorenzo Colitti wrote: >> Currently, iptables programs will exit with an error if the >> iptables lock cannot be acquired, but will silently continue if >> the lock cannot be opened at all. > > This sounds

[PATCH nf-next] ip_vs_sync: change comparison on sync_refresh_period

The sync_refresh_period variable is unsigned, so it can never be < 0. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- net/netfilter/ipvs/ip_vs_sync.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_syn

[PATCH nf-next] nf_conntrack: remove double assignment

The protonet pointer will unconditionally be rewritten, so just do the needed assignment first. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- net/netfilter/nf_conntrack_proto.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto.c

[PATCH nf-next] nf_tables: remove double return statement

Signed-off-by: Aaron Conole <acon...@bytheb.org> --- net/netfilter/nf_tables_api.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 2d822d2..1452fb7 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/net

[PATCH nf-next] ipset: remove unused function __ip_set_get_netlink

There are no in-tree callers. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- net/netfilter/ipset/ip_set_core.c | 8 1 file changed, 8 deletions(-) diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index c296f9b..68ba531 100644 --- a/net/net

[PATCH nf-next] ipvs: remove unused function ip_vs_set_state_timeout

There are no in-tree callers of this function and it isn't exported. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- include/net/ip_vs.h | 2 -- net/netfilter/ipvs/ip_vs_proto.c | 22 -- 2 files changed, 24 deletions(-) diff --git a/include/net/ip_

[PATCH nf-next] netfilter: add list element test to br_netfilter_hooks

The for-loop in the bridge hook entries assumes that the elements are always present. However, this assumption may not always be true. Fixes: 66cfc1dd07c7 ("netfilter: convert while loops to for loops") Signed-off-by: Aaron Conole <acon...@bytheb.org> -- Pablo, if possible could

[PATCH nf-next 1/3] netfilter: introduce accessor functions for hook entries

This allows easier future refactoring. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- include/linux/netfilter.h | 27 +++ net/bridge/br_netfilter_hooks.c | 2 +- net/netfilter/core.c| 10 -- net/netfilter/nf_queue.c| 5 ++

[PATCH nf-next 2/3] netfilter: decouple nf_hook_entry and nf_hook_ops

From: Aaron Conole <acon...@redhat.com> During nfhook traversal we only need a very small subset of nf_hook_ops members. We need: - next element - hook function to call - hook function priv argument Bridge netfilter also needs 'thresh'; can be obtained via ->orig_ops. nf_hook_ent

Re: [PATCH RFC netfilter-next 1/3] netfilter: introduce accessor functions for hook entries

Pablo Neira Ayuso <pa...@netfilter.org> writes: > On Thu, Oct 27, 2016 at 02:27:51PM -0400, Aaron Conole wrote: >> This allows easier future refactoring. >> >> Signed-off-by: Aaron Conole <acon...@bytheb.org> >> --- &

[PATCH RFC netfilter-next 2/3] netfilter: decouple nf_hook_entry and nf_hook_ops

tch will turn the run-time list into an array that only stores hook functions plus their priv arguments. Suggested-by: Florian Westphal <f...@strlen.de> Signed-off-by: Aaron Conole <acon...@bytheb.org> --- include/linux/netfilter.h | 12 +++- 1 file changed, 7 insertions(+), 5 del

[PATCH RFC netfilter-next 0/3] Additional refactoring enhancements for nf_hook_entry

/netfilter-devel/msg44408.html Aaron Conole (3): netfilter: introduce accessor functions for hook entries netfilter: decouple nf_hook_entry and nf_hook_ops netfilter: Convert while loops to for-loops include/linux/netfilter.h | 42 + net/bridge

[PATCH RFC netfilter-next 3/3] netfilter: convert while loops to for loops

This is to facilitate converting from a singly-linked list to an array of elements. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- include/linux/netfilter.h | 3 +-- net/bridge/br_netfilter_hooks.c | 8 net/netfilter/core.c| 6 ++ net/netfilter/nf_q

[PATCH RFC netfilter-next 1/3] netfilter: introduce accessor functions for hook entries

This allows easier future refactoring. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- include/linux/netfilter.h | 35 ++- net/bridge/br_netfilter_hooks.c | 2 +- net/netfilter/core.c| 8 +++- net/netfilter/nf_queue.c

Re: [PATCH nf,v2] netfilter: nf_queue: don't re-enter same hook on packet reinjection

Florian Westphal <f...@strlen.de> writes: > Pablo Neira Ayuso <pa...@netfilter.org> wrote: >> On Mon, Oct 17, 2016 at 03:29:27PM -0400, Aaron Conole wrote: >> > Pablo Neira Ayuso <pa...@netfilter.org> writes: >> [...] >> > > From c1a731c6879

Re: [PATCH nf,v2] netfilter: nf_queue: don't re-enter same hook on packet reinjection

Pablo Neira Ayuso <pa...@netfilter.org> writes: > On Mon, Oct 17, 2016 at 11:23:01AM -0400, Aaron Conole wrote: >> Pablo Neira Ayuso <pa...@netfilter.org> writes: >> >> > Make sure we skip the current hook from where the packet was enqueued, >> > othe

Re: [PATCH nf,v2] netfilter: nf_queue: don't re-enter same hook on packet reinjection

Pablo Neira Ayuso writes: > Make sure we skip the current hook from where the packet was enqueued, > otherwise the packets gets enqueued over and over again. > > Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list") > Signed-off-by: Pablo Neira Ayuso

Re: [PATCH 00/10, nf-next] Netfilter core updates

Florian Westphal writes: > Pablo Neira Ayuso wrote: >> Let me know if you have any comment, otherwise I'll place this in the >> nf-next tree so we can follow up working on top of these. > > Please do, thanks! +1. Some of this work was in my back burner, so

Re: [PATCH 1/2 nf] netfilter: nf_queue: don't re-enter same hook on packet reinjection

ed. > > @Aaron: Please, I'd appreciate if you can have a look to confirm this bug > and the fix. Thanks. Looks like I missed this in my testing. Reviewed-by: Aaron Conole <acon...@bytheb.org> > net/netfilter/nf_queue.c | 1 + > 1 file changed, 1 insertion(+) > &g

Re: slab corruption with current -git

Michal Kubecek writes: > On Mon, Oct 10, 2016 at 04:24:01AM -0400, David Miller wrote: >> From: David Miller >> Date: Sun, 09 Oct 2016 23:57:45 -0400 (EDT) >> >> This means that the netns is possibly getting freed up before we >> unregister the netfilter

Re: slab corruption with current -git (was Re: [git pull] vfs pile 1 (splice))

by: Linus Torvalds <torva...@linux-foundation.org> > > to the patch, though. > > David, if you want me to just commit that thing directly, I can > obviously do so, but I do think somebody should look at > > (a) that I actually got the priority list ordering right on the

Re: slab corruption with current -git (was Re: [git pull] vfs pile 1 (splice))

Linus Torvalds writes: > On Sun, Oct 9, 2016 at 7:49 PM, Linus Torvalds > wrote: >> >> There is one *correct* way to remove an entry from a singly linked >> list, and it looks like this: >> >> struct entry **pp, *p; >> >> pp

Re: slab corruption with current -git (was Re: [git pull] vfs pile 1 (splice))

Florian Westphal writes: > Linus Torvalds wrote: >> On Sun, Oct 9, 2016 at 12:11 PM, Linus Torvalds >> wrote: >> > >> > Anyway, I don't think I can bisect it, but I'll try to narrow it down >> > a *bit* at least. >>

Re: [PATCH 2/3] netfilter: hide reference to nf_hooks_ingress

Arnd Bergmann writes: > A recent cleanup added an unconditional reference to the nf_hooks_ingress > pointer, > but that fails when CONFIG_NETFILTER_INGRESS is disabled and that member is > not present in net_device: > > net/netfilter/core.c: In function 'nf_set_hooks_head': >

[PATCH nf-next v4 0/2] fixes for recent nf_compact hooks

Two possible error conditions were caught during an extended testing session, and by a build robot. These patches fix the two issues (a missing handler when config is changed, and a potential NULL dereference). Aaron Conole (2): netfilter: Fix potential null pointer dereference

Re: [PATCH nf-next v3 1/2] netfilter: Fix potential null pointer dereference

Eric Dumazet <eric.duma...@gmail.com> writes: > On Wed, 2016-09-28 at 10:56 -0400, Aaron Conole wrote: >> Eric Dumazet <eric.duma...@gmail.com> writes: >> >> > On Wed, 2016-09-28 at 09:12 -0400, Aaron Conole wrote: >> >> It's possibl

[PATCH nf-next v4 2/2] nf_set_hooks_head: accommodate different kconfig

When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle the request for registration properly by dropping the hook. This releases the entry during the set. Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list") Signed-off-by: Aaron Conole <acon.

Re: [PATCH nf-next v3 1/2] netfilter: Fix potential null pointer dereference

Eric Dumazet <eric.duma...@gmail.com> writes: > On Wed, 2016-09-28 at 09:12 -0400, Aaron Conole wrote: >> It's possible for nf_hook_entry_head to return NULL. If two >> nf_unregister_net_hook calls happen simultaneously with a single hook >> entry in the list, both w

Re: [PATCH nf-next v2 1/2] netfilter: Fix potential null pointer dereference

Liping Zhang <zlpnob...@gmail.com> writes: > 2016-09-28 11:08 GMT+08:00 Liping Zhang <zlpnob...@gmail.com>: >> Hi Feng, >> >> 2016-09-28 9:23 GMT+08:00 Feng Gao <gfree.w...@gmail.com>: >>> Hi Aaraon, >>> >>> On Tue, Sep 27, 2

[PATCH nf-next v3 1/2] netfilter: Fix potential null pointer dereference

and attempt to dereference. This fix ensures that no null pointer dereference could occur when such a condition happens. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- net/netfilter/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/core.c b/net/netfilter/

[PATCH nf-next v3 2/2] nf_set_hooks_head: accommodate different kconfig

When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle the request for registration properly by dropping the hook. This releases the entry during the set. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- net/netfilter/core.c | 15 +++ 1 file changed, 11 inse

[PATCH nf-next v3 0/2] fixes for recent nf_compact hooks

Two possible error conditions were caught during an extended testing session, and by a build robot. These patches fix the two issues (a missing handler when config is changed, and a potential NULL dereference). Aaron Conole (2): netfilter: Fix potential null pointer dereference

[PATCH nf-next v2 0/2] fixes for recent nf_compact hooks

Two possible error conditions were caught during an extended testing session, and by a build robot. These patches fix the two issues (a missing handler when config is changed, and a potential NULL dereference). Aaron Conole (2): netfilter: Fix potential null pointer dereference

[PATCH nf-next v2 1/2] netfilter: Fix potential null pointer dereference

It's possible for nf_hook_entry_head to return NULL if two nf_unregister_net_hook calls happen simultaneously with a single hook entry in the list. This fix ensures that no null pointer dereference could occur when such a race happens. Signed-off-by: Aaron Conole <acon...@bytheb.org> --

Re: [PATCH nf-next 2/2] nf_set_hooks_head: acommodate different kconfig

Florian Westphal <f...@strlen.de> writes: > Aaron Conole <acon...@bytheb.org> wrote: >> When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle >> the request for registration properly by dropping the hook. This >> releases the entry during the set. &

[PATCH nf-next 1/2] netfilter: Fix potential null pointer dereference

It's possible for nf_hook_entry_head to return NULL if two nf_unregister_net_hook calls happen simultaneously with a single hook entry in the list. This fix ensures that no null pointer dereference could occur when such a race happens. Signed-off-by: Aaron Conole <acon...@bytheb.org> --

[PATCH nf-next 0/2] fixes for recent nf_compact hooks

Two possible error conditions were caught during an extended testing session, and by a build robot. These patches fix the two issues (a missing handler when config is changed, and a potential NULL dereference). Aaron Conole (2): netfilter: Fix potential null pointer dereference

[PATCH nf-next 2/2] nf_set_hooks_head: acommodate different kconfig

When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle the request for registration properly by dropping the hook. This releases the entry during the set. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- net/netfilter/core.c | 4 1 file changed, 4 insertions(+) diff

Re: [PATCH] netfilter: replace list_head with single linked list

Aaron Conole <acon...@bytheb.org> writes: > The netfilter hook list never uses the prev pointer, and so can be trimmed to > be a simple singly-linked list. > > In addition to having a more light weight structure for hook traversal, > struct net becomes 5568 bytes (down

[PATCH nf-next v3 1/7] netfilter: bridge: add and use br_nf_hook_thresh

u read-side critical section to make a future cleanup simpler. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Aaron Conole <acon...@bytheb.org> --- include/net/netfilter/br_netfilter.h | 6 net/bridge/br_netfilter_hooks.c | 60 ++

[PATCH nf-next v3 5/7] nf_register_net_hook: Only allow sane values

This commit adds an upfront check for sane values to be passed when registering a netfilter hook. This will be used in a future patch for a simplified hook list traversal. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- net/netfilter/core.c | 5 + 1 file changed, 5 insertions(+)

[PATCH nf-next v3 2/7] netfilter: call nf_hook_state_init with rcu_read_lock held

ed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Aaron Conole <acon...@bytheb.org> --- include/linux/netfilter.h | 8 +++- include/linux/netfilter_ingress.h | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/include/linux/netfilter.h b/include

[PATCH] netfilter: replace list_head with single linked list

-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Florian Westphal <f...@strlen.de> --- include/linux/netdevice.h | 2 +- include/linux/netfilter.h | 61 + include/linux/netfilter_ingress.h | 16 +++-- include/net/netfilter/nf_queue.h | 3 +-

[PATCH nf-next v3 4/7] nf_hook_slow: Remove explicit rcu_read_lock

All of the callers of nf_hook_slow already hold the rcu_read_lock, so this cleanup removes the recursive call. This is just a cleanup, as the locking code gracefully handles this situation. Signed-off-by: Aaron Conole <acon...@bytheb.org> --- net/bridge/netfilter/ebt_redirect.c

Re: [PATCH nf-next v2 1/3] netfilter: bridge: add and use br_nf_hook_thresh

Pablo Neira Ayuso <pa...@netfilter.org> writes: > On Tue, Jul 12, 2016 at 11:32:19AM -0400, Aaron Conole wrote: >> +/* recursively invokes nf_hook_slow (again), skipping already-called >> + * hooks (< NF_BR_PRI_BRNF). >> + * >> + * Called with rcu read lock hel

[PATCH nf-next v2 0/3] Compact netfilter hooks list

and lockdep debugging enabled. Aaron Conole (2): netfilter: bridge: add and use br_nf_hook_thresh netfilter: replace list_head with single linked list Florian Westphal (1): netfilter: call nf_hook_state_init with rcu_read_lock held include/linux/netdevice.h | 2

[PATCH nf-next v2 1/3] netfilter: bridge: add and use br_nf_hook_thresh

strlen.de> Signed-off-by: Aaron Conole <acon...@bytheb.org> --- include/net/netfilter/br_netfilter.h | 6 net/bridge/br_netfilter_hooks.c | 57 ++-- net/bridge/br_netfilter_ipv6.c | 12 3 files changed, 59 insertions(+), 16 deleti

Re: [PATCH nf-next 3/3] netfilter: replace list_head with single linked list

Thanks for this; I will send a v2 in the next two days. -Aaron Florian Westphal <f...@strlen.de> writes: > Aaron Conole <acon...@bytheb.org> wrote: >> --- a/net/netfilter/core.c >> +++ b/net/netfilter/core > [..] >> +#define nf_entry_dereference(e) \

[PATCH nf-next 3/3] netfilter: replace list_head with single linked list

-off-by: Aaron Conole <acon...@bytheb.org> Signed-off-by: Florian Westphal <f...@strlen.de> --- include/linux/netdevice.h | 2 +- include/linux/netfilter.h | 18 +++--- include/linux/netfilter_ingress.h | 14 +++-- include/net/netfilter/nf_queue.h | 9 ++- inclu

[PATCH nf-next 1/3] netfilter: bridge: add and use br_nf_hook_thresh

strlen.de> Signed-off-by: Aaron Conole <acon...@bytheb.org> --- include/net/netfilter/br_netfilter.h | 6 net/bridge/br_netfilter_hooks.c | 57 ++-- net/bridge/br_netfilter_ipv6.c | 12 3 files changed, 59 insertions(+), 16 deleti

[PATCH nf-next 2/3] netfilter: call nf_hook_state_init with rcu_read_lock held

From: Florian Westphal <f...@strlen.de> This makes things simpler because we can store the head of the list in the nf_state structure without worrying about concurrent add/delete of hook elements from the list. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Aaron

[RFC nf-next 1/3] netfilter: bridge: add and use br_nf_hook_thresh

strlen.de> Signed-off-by: Aaron Conole <acon...@redhat.com> --- include/net/netfilter/br_netfilter.h | 6 net/bridge/br_netfilter_hooks.c | 57 ++-- net/bridge/br_netfilter_ipv6.c | 12 3 files changed, 59 insertions(+), 16 deleti

[RFC nf-next 2/3] netfilter: call nf_hook_state_init with rcu_read_lock held

From: Florian Westphal <f...@strlen.de> This makes things simpler because we can store the head of the list in the nf_state structure without worrying about concurrent add/delete of hook elements from the list. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Aaron