Hi Shmulik,
On 10/09/2017 01:57 PM, Pablo Neira Ayuso wrote:
On Mon, Oct 09, 2017 at 01:18:23PM +0200, Pablo Neira Ayuso wrote:
On Fri, Oct 06, 2017 at 01:40:13PM -0400, Willem de Bruijn wrote:
On Fri, Oct 6, 2017 at 12:02 PM, Shmulik Ladkani wrote:
From: Shmulik Ladkani
Commit 2c16d603326
: [1] https://marc.info/?l=netfilter-devel&m=150564724607440&w=2
[2] https://marc.info/?l=netfilter-devel&m=150575727129880&w=2
Cc: Pablo Neira Ayuso
Cc: Willem de Bruijn
Reported-by: Rafael Buchbinder
Signed-off-by: Shmulik Ladkani
Acked-by: Daniel Borkmann
Hi Steffen,
On 06/15/2018 08:17 AM, Steffen Klassert wrote:
> On Thu, Jun 14, 2018 at 10:18:31AM -0700, David Miller wrote:
>> From: Pablo Neira Ayuso
>> Date: Thu, 14 Jun 2018 16:19:34 +0200
>>
>>> This patchset proposes a new fast forwarding path infrastructure
>>> that combines the GRO/GSO and
On 06/17/2018 11:23 AM, Steffen Klassert wrote:
[...]
>> Would be curious about
>> the numbers. You'd get implicit batching for the forwarding via devmap
>> as well if you're required to flush it out via different device with
>> XDP_REDIRECT; otherwise XDP_TX of course. Given we have recently
>> in
On 10/04/2018 02:03 AM, Pablo Neira Ayuso wrote:
> This new field allows you to restrict the metadata template for a given
> tunnel driver. This is convenient in scenarios that combine different
> tunneling drivers, to deal with possible misconfigurations given that
> the template can be interprete
On 10/04/2018 12:56 PM, Pablo Neira Ayuso wrote:
> On Thu, Oct 04, 2018 at 11:25:33AM +0200, Daniel Borkmann wrote:
>> On 10/04/2018 02:03 AM, Pablo Neira Ayuso wrote:
[...]
>>> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
>>> index a70097
carried something along these lines
locally for a while now, but it's just too annoying. :/ Build works fine
now also when xtables.pc is not available.
[1] http://www.spinics.net/lists/netdev/msg366162.html
Fixes: 5cd1adba79d3 ("Update to current iptables headers")
Signed-o
Hi Willem,
On 12/05/2016 09:28 PM, Willem de Bruijn wrote:
From: Willem de Bruijn
Add support for attaching an eBPF object by file descriptor.
The iptables binary can be called with a path to an elf object or a
pinned bpf object. Also pass the mode and path to the kernel to be
able to return
On 01/23/2016 08:25 PM, Florian Westphal wrote:
Dmitry Vyukov wrote:
[ CC nf-devel, not sure if it's nfnetlink fault or NETLINK_MMAP ]
The following program causes GPF in netlink_getsockbyportid:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include
#include
#include
use prandom_u32 directly.
Unlike bpf nft_meta can be built as a module, so add an EXPORT_SYMBOL
for prandom_seed_full_state too.
Cc: Daniel Borkmann
Signed-off-by: Florian Westphal
[...]
@@ -241,6 +248,7 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
{
struct nft_meta *priv = nft
On 02/16/2016 02:19 PM, Florian Westphal wrote:
Daniel Borkmann wrote:
+ case NFT_META_PRANDOM:
+ if (!prand_inited) {
+ prandom_seed_full_state(&nft_prandom_state);
+ prand_inited = true;
+ }
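Review bot: the `prand_inited` test and assignment in the `NFT_META_PRANDOM` case is an open-coded run-once guard with no locking or barrier visible in these lines, so two contexts reaching the case at the same time could both call `prandom_seed_full_state(&nft_prandom_state)`. Either document which lock serialises this path or replace the flag with a once-style helper such as `DO_ONCE()`, which would also remove the separate `prand_inited` variable.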
Should thi
On 02/04/2016 08:13 AM, Josh Boyer wrote:
On Thu, Jan 7, 2016 at 2:15 PM, Mikko Rapeli wrote:
On Thu, Jan 07, 2016 at 10:30:40AM -0800, Stephen Hemminger wrote:
On Thu, 7 Jan 2016 07:29:50 +
Mikko Rapeli wrote:
On Wed, Jan 06, 2016 at 09:20:07AM -0800, Stephen Hemminger wrote:
This comm
Hi Jozsef,
On 03/08/2016 08:44 PM, Jozsef Kadlecsik wrote:
Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length
was not checked explicitly, just for the maximum possible size. Malicious
netlink clients could send a shorter attribute, thus resulting in a kernel
read after the buf
On 06/09/2016 11:35 PM, Florian Westphal wrote:
Saeed Mahameed wrote:
index a1bd161..67de200 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -382,6 +382,7 @@ struct file *sock_alloc_file(struct socket *sock, int
flags, const char *dname)
}
sock->file = file;
+ file->f_ow
On 06/10/2016 12:21 AM, Daniel Borkmann wrote:
On 06/09/2016 11:35 PM, Florian Westphal wrote:
Saeed Mahameed wrote:
index a1bd161..67de200 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -382,6 +382,7 @@ struct file *sock_alloc_file(struct socket *sock, int
flags, const char *dname
From: Alexei Starovoitov
Signed-off-by: Alexei Starovoitov
---
fs/exec.c | 40 +++-
include/linux/binfmts.h | 1 +
include/linux/umh.h | 4
kernel/module.c | 33 -
kernel/umh.c| 24 +
r4 = *(u32 *)(r1 +12)
16: (55) if r4 != 0x202a8c0 goto pc+1
17: (04) (u32) r5 += (u32) 1
18: (55) if r5 != 0x1 goto pc+2
19: (b4) (u32) r0 = (u32) 1
20: (95) exit
21: (b4) (u32) r0 = (u32) 2
22: (95) exit
Thanks!
Alexei Starovoitov (2):
modules: allow insmod load regular elf binari
Signed-off-by: Daniel Borkmann
---
include/uapi/linux/bpf.h| 31 +++--
kernel/bpf/syscall.c| 39 +++---
net/bpfilter/Makefile | 2 +-
net/bpfilter/bpfilter.c | 59 +
net/bpfilter/bpfilter_mod.h | 285 ++-
net/bpfilter
From: "David S. Miller"
Signed-off-by: David S. Miller
Signed-off-by: Alexei Starovoitov
---
include/linux/bpfilter.h | 13 +++
include/uapi/linux/bpfilter.h | 200 ++
net/Kconfig | 2 +
net/Makefile | 1 +
ne
From: Alexei Starovoitov
Signed-off-by: Alexei Starovoitov
---
include/uapi/linux/bpf.h | 16
kernel/bpf/syscall.c | 41 +
2 files changed, 57 insertions(+)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index db6bd
Hi Florian,
thanks for your feedback! More inline:
On 02/16/2018 03:57 PM, Florian Westphal wrote:
> Daniel Borkmann wrote:
>> This is a very rough and early proof of concept that implements bpfilter.
>
> [..]
>
>> Also, as a benefit from such design, we get BPF J
Hi Florian,
On 02/16/2018 05:14 PM, Florian Westphal wrote:
> Florian Westphal wrote:
>> Daniel Borkmann wrote:
>> Several questions spinning at the moment, I will probably come up with
>> more:
>
> ... and here there are some more ...
>
> One of the many pai
Hi Harald,
On 02/17/2018 01:11 PM, Harald Welte wrote:
[...]
>> As rule translation can potentially become very complex, this is performed
>> entirely in user space. In order to ease deployment, request_module() code
>> is extended to allow user mode helpers to be invoked. Idea is that user mode
>
On 02/19/2018 05:37 PM, Pablo Neira Ayuso wrote:
[...]
> * Simplified infrastructure: We don't need the ebpf verifier complexity
> either given we trust the code we generate from the kernel. We don't
> need any complex userspace tooling either, just libnftnl and nft
> userspace binaries.
>
>
On 02/20/2018 11:44 AM, Pablo Neira Ayuso wrote:
> Hi David!
>
> On Mon, Feb 19, 2018 at 12:22:26PM -0500, David Miller wrote:
> [...]
>> Netfilter's chronic performance differential is why a lot of mindshare
>> was lost to userspace networking technologies.
>
> Claiming that Netfilter is the rea
Hi Pablo,
On 02/20/2018 11:58 AM, Pablo Neira Ayuso wrote:
> On Mon, Feb 19, 2018 at 08:57:39PM +0100, Daniel Borkmann wrote:
>> On 02/19/2018 05:37 PM, Pablo Neira Ayuso wrote:
>> [...]
>>> * Simplified infrastructure: We don't need the ebpf verifier complexity
>
26 matches