Re: [ipset] hash:net,iface bug?

2016-05-26 Thread Jozsef Kadlecsik
On Mon, 23 May 2016, Jozsef Kadlecsik wrote: > On Mon, 23 May 2016, Marek Mrva wrote: > > > I have been playing with hash:net,iface table for a couple of days now, > > but for the love of me, I can't make it accept physdev: devices. > > > > The man says:

Re: [PATCH] ipset: Backports for the nla_put_net64() API changes

2016-06-28 Thread Jozsef Kadlecsik
On Thu, 23 Jun 2016, Neutron Soutmun wrote: > * Backports the patch "libnl: nla_put_net64():align on a 64-bit area" [1] > by Nicolas Dichtel > > * Since the nla_put_net64() API has been changed, therefore, the > ip_set_compat.h.in should provides the macro

Re: [PATCH 1/1] netfilter: ipset: Fix set:list type crash when flush/dump set in parallel

2016-02-29 Thread Jozsef Kadlecsik
On Mon, 29 Feb 2016, Pablo Neira Ayuso wrote: > On Wed, Feb 24, 2016 at 09:19:26PM +0100, Jozsef Kadlecsik wrote: > > Flushing/listing entries was not RCU safe, so parallel flush/dump > > could lead to kernel crash. Bug reported by Deniz Eren. > > > > Fixes

[PATCH 1/1] netfilter: ipset: Fix set:list type crash when flush/dump set in parallel

2016-02-24 Thread Jozsef Kadlecsik
Flushing/listing entries was not RCU safe, so parallel flush/dump could lead to kernel crash. Bug reported by Deniz Eren. Fixes netfilter bugzilla id #1050. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_core.c | 3 ++ net/netfilter

[PATCH 0/1] ipset patch for nf

2016-02-24 Thread Jozsef Kadlecsik
type crash when flush/dump set in parallel (2016-02-24 20:32:21 +0100) Jozsef Kadlecsik (1): netfilter: ipset: Fix set:list type crash when flush/dump set in parallel net/netfilter/ipset/ip_set_core.c | 3 +++ net

[ANNOUNCE] ipset 6.28 released

2016-03-12 Thread Jozsef Kadlecsik
Hi, I'm happy to announce ipset 6.28 with a couple of important fixes, some compatibility improvements and corrections. Userspace changes: - Support older pkg-config packages - Add bash completion to the install routine (Mart Frauenlob) - Fix misleading error message with comment

[PATCH 1/1] netfilter: ipset: fix race condition in ipset save, swap and delete

2016-03-19 Thread Jozsef Kadlecsik
Hunt <joh...@akamai.com> Signed-off-by: Vishwanath Pai <v...@akamai.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 4 net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +- net/netfilter/ip

[ANNOUNCE] ipset 6.29 released

2016-03-19 Thread Jozsef Kadlecsik
Hi, ipset 6.29 is released, because the configure script was broken and a race condition was fixed in concurrent save-swap and then delete operations. Userspace changes: - Suppress unnecessary stderr in command loop for resize and list - Correction in comment test - Support chroot

Re: [ANNOUNCE] ipset 6.28 released

2016-03-13 Thread Jozsef Kadlecsik
On Sat, 12 Mar 2016, Jan Engelhardt wrote: > >I'm happy to announce ipset 6.28 with a couple of important fixes, some > >compatibility improvements and corrections. > > - Support older pkg-config packages > > Whatever you did, it broke. > > [ 51s] checking for libmnl... no > [ 51s]

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Jozsef Kadlecsik
On Mon, 28 Mar 2016, Eric Dumazet wrote: > On Mon, 2016-03-28 at 22:20 +0200, Jan Engelhardt wrote: > > On Monday 2016-03-28 21:29, David Miller wrote: > > >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff > > >>> > > *skb, > > >>> > > length--; > > >>> > >

Re: [PATCH v2] netfilter: fix race condition in ipset save, swap and delete

2016-03-19 Thread Jozsef Kadlecsik
Hi, On Mon, 14 Mar 2016, Vishwanath Pai wrote: > I have updated the patch according to comments by Jozsef. Renamed > ref_kernel to ref_netlink, renamed _put/_get functions and updated the > description in commit log. Patch is applied to the ipset git tree - you use some older kernel tree and I

Re: [ANNOUNCE] ipset 6.29 released

2016-03-19 Thread Jozsef Kadlecsik
On Thu, 17 Mar 2016, AllKind wrote: > On 16.03.2016 21:40, Jozsef Kadlecsik wrote: > > > > ipset 6.29 is released, because the configure script was broken and a > > race condition was fixed in concurrent save-swap and then delete > > operations. > [...] >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-27 Thread Jozsef Kadlecsik
On Sun, 27 Mar 2016, Baozeng Ding wrote: > The following program triggers stack-out-of-bounds in tcp_packet. The > kernel version is 4.5 (on Mar 16 commit > 09fd671ccb2475436bd5f597f751ca4a7d177aea). > Uncovered with syzkaller. Thanks. > >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-27 Thread Jozsef Kadlecsik
On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote: > On Sun, 27 Mar 2016, Baozeng Ding wrote: > > > The following program triggers stack-out-of-bounds in tcp_packet. The > > kernel version is 4.5 (on Mar 16 commit > > 09fd671ccb2475436bd5f597f751ca4a7d177aea). > > Un

[PATCH 1/1] netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length

2016-03-08 Thread Jozsef Kadlecsik
-by: Julia Lawall <julia.law...@lip6.fr> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 ++ net/netfilter/ipset/ip_set_hash_mac.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/net/net

[PATCH 0/1] ipset patch for nf

2016-03-08 Thread Jozsef Kadlecsik
to d8aacd87180141ff6b812b53de77a4336e87c91a: netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length (2016-03-08 20:36:17 +0100) Jozsef Kadlecsik (1): netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length net

[PATCH 0/1] netfilter TCP conntrack option parser fix

2016-03-30 Thread Jozsef Kadlecsik
) Jozsef Kadlecsik (1): net: netfilter: Fix stack out of bounds when parsing TCP options net/netfilter/nf_conntrack_proto_tcp.c | 4 1 file changed, 4 insertions(+)

[PATCH 1/1] net: netfilter: Fix stack out of bounds when parsing TCP options

2016-03-30 Thread Jozsef Kadlecsik
TCP option code and size. Reported-by: Baozeng Ding <splovi...@gmail.com> Tested-by: Baozeng Ding <splovi...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/nf_conntrack_proto_tcp.c | 4 1 file changed, 4 insertions(+) diff --g

Re: new ipset set type - hash:ip,mac

2016-04-25 Thread Jozsef Kadlecsik
On Sun, 24 Apr 2016, Tomasz Chiliński wrote: > First - thanks a lot for excellent ipset toolkit! > Second - Sorry for posting directly to you, but didn't get reply from > netfilter-devel > mailing list after trying to subscribe there. > > I've created lately my own very missed set type

Re: [ipset] hash:net,iface bug?

2016-05-23 Thread Jozsef Kadlecsik
On Mon, 23 May 2016, Marek Mrva wrote: > I have been playing with hash:net,iface table for a couple of days now, > but for the love of me, I can't make it accept physdev: devices. > > The man says: When the interface is flagged with physdev:, the interface > is interpreted as the

Re: [PATCH 1/3] netfilter: ipset: use setup_timer() and mod_timer().

2016-05-20 Thread Jozsef Kadlecsik
On Sat, 14 May 2016, Muhammad Falak R Wani wrote: > Use setup_timer() instead of init_timer(), being the preferred way > of setting up a timer. > > Also, quoting the mod_timer() function comment: > -> mod_timer() is a more efficient way to update the expire field of an >active timer (if

Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Jozsef Kadlecsik
On Mon, 23 Jan 2017, Florian Westphal wrote: > Jozsef Kadlecsik <kad...@blackhole.kfki.hu> wrote: > > > > > --- a/net/netfilter/core.c > > > > > +++ b/net/netfilter/core.c > > > > > @@ -375,7 +375,7 @@ void nf_ct_attach(str

[PATCH 2/2] netfilter: ipset: Null pointer exception in ipset list:set

2017-02-19 Thread Jozsef Kadlecsik
uting the above will crash the kernel. Signed-off-by: Vishwanath Pai <v...@akamai.com> Reviewed-by: Josh Hunt <joh...@akamai.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_list_set.c | 9 ++--- 1 file changed, 6 insertions(+),

[ANNOUNCE] ipset 6.31 released

2017-02-19 Thread Jozsef Kadlecsik
Hi, ipset 6.31 has just been released with two important bugfixes. So please upgrade your ipset package. Userspace changes: - Update manpage about the size parameter of list:set types. - New test to verify that only the intended entries are deleted at hash types. Kernel part changes:

Re: Parameter 'size' in type list:set is ignored

2017-02-15 Thread Jozsef Kadlecsik
m fixed sized arrays to linked lists. > I think this change was introduced in v4.2 by the following commit: > commit 00590fdd5be0d763631ef10e6a3e2ce8fc2d9ec3 > Author: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> > Date: Sat Jun 13 16:56:02 2015 +0200 > >

Re: Parameter 'size' in type list:set is ignored

2017-02-16 Thread Jozsef Kadlecsik
On Wed, 15 Feb 2017, Vishwanath Pai wrote: > On 02/15/2017 04:33 AM, Jozsef Kadlecsik wrote: > > On Tue, 14 Feb 2017, Vishwanath Pai wrote: > > > >> I noticed that in recent versions of ipset the parameter 'size' in set > >> type list:set is ignored. I noticed t

Re: [PATCH] netfilter: ipset: Null pointer exception in ipset list:set

2017-02-16 Thread Jozsef Kadlecsik
Hi, On Wed, 15 Feb 2017, Vishwanath Pai wrote: > If we use before/after to add an element to an empty list it will cause > a kernel panic. > > $> cat crash.restore > create a hash:ip > create b hash:ip > create test list:set timeout 5 size 4 > add test b before a > > $> ipset -R <

[PATCH 09/22] netfilter: ipset: Add element count to hash headers

2016-11-10 Thread Jozsef Kadlecsik
header that is exported to userspace. This field is then printed by the userspace tool for hashes. Signed-off-by: Eric B Munson <emun...@akamai.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Cc: Josh Hunt <joh...@akamai.com> Cc: netfilter-devel@vger.kernel.org Signed-off-b

[PATCH 13/22] netfilter: ipset: Simplify mtype_expire() for hash types

2016-11-10 Thread Jozsef Kadlecsik
Remove one level of indentation by using continue while iterating over the elements in a bucket. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_has

[PATCH 11/22] netfilter: ipset: Count non-static extension memory for userspace

2016-11-10 Thread Jozsef Kadlecsik
-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 8 ++-- include/linux/netfilter/ipset/ip_set_comment.h | 7 +-- net/netfilter/ipset/ip_set_bitmap_gen.h| 5 +++-- net/netfilter/ipset/ip_set_core.c | 2 +

[PATCH 04/22] netfilter: ipset: Improve skbinfo get/init helpers

2016-11-10 Thread Jozsef Kadlecsik
proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 30 +++--- net/netfilter/ipset/ip_se

[PATCH 19/22] netfilter: ipset: Fix reported memory size for hash:* types

2016-11-10 Thread Jozsef Kadlecsik
The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 16 +--- 1 file changed, 9 insertions

[PATCH 18/22] netfilter: ipset: Collapse same condition body to a single one

2016-11-10 Thread Jozsef Kadlecsik
The set full case (with net_ratelimit()-ed pr_warn()) is already handled, simply jump there. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/net/netfilter

[PATCH 10/22] netfilter: ipset: Add element count to all set types header

2016-11-10 Thread Jozsef Kadlecsik
It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h| 2 ++ include

[PATCH 21/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-11-10 Thread Jozsef Kadlecsik
mer() and mod_timer() to set up and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_bitmap_gen.h | 7 ++- net/

[PATCH 20/22] netfilter: ipset: hash:ipmac type support added to ipset

2016-11-10 Thread Jozsef Kadlecsik
From: Tomasz Chilinski <tomasz.chilin...@chilan.com> Introduce the hash:ipmac type. Signed-off-by: Tomasz Chiliński <tomasz.chilin...@chilan.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/Kconfig | 9 + net/netfil

[PATCH 06/22] netfilter: ipset: Split extensions into separate files

2016-11-10 Thread Jozsef Kadlecsik
Cleanup to separate all extensions into individual files. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfil

[PATCH 17/22] netfilter: ipset: Make struct htype per ipset family

2016-11-10 Thread Jozsef Kadlecsik
<popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h| 51 +++- net/netfilter/ipset/ip_set_hash_ip.c | 10 +++--- net/netfilter/ipset/ip_set_hash_ipmark.c | 10

[PATCH 07/22] netfilter: ipset: Separate memsize calculation code into dedicated function

2016-11-10 Thread Jozsef Kadlecsik
Hash types already have their memsize calculation code in separate functions. Clean up and do the same for *bitmap* and *list* sets. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozs

[PATCH 12/22] netfilter: ipset: Remove redundant mtype_expire() arguments

2016-11-10 Thread Jozsef Kadlecsik
Remove the redundant parameters nets_length and dsize, because they can be obtained from the other parameters. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 9 +

[PATCH 22/22] netfilter: ipset: hash: fix boolreturn.cocci warnings

2016-11-10 Thread Jozsef Kadlecsik
a_list' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Tomasz Chilinski <tomasz.chilin...@chilan.com> Signed-off-by: Fengguang Wu <fengguang...@intel.com> Signed-off-by: Joz

[PATCH 14/22] netfilter: ipset: Make NLEN compile time constant for hash types

2016-11-10 Thread Jozsef Kadlecsik
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h and the only place where NLEN needed to be calculated at runtime is *_create() method. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>

[PATCH 01/22] netfilter: ipset: Remove extra whitespaces in ip_set.h

2016-11-10 Thread Jozsef Kadlecsik
Remove unnecessary whitespaces. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 13 +++

[PATCH 02/22] netfilter: ipset: Mark some helper args as const.

2016-11-10 Thread Jozsef Kadlecsik
Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip

[PATCH 00/22] ipset patches for nf-next, v3

2016-11-10 Thread Jozsef Kadlecsik
) Eric B Munson (1): netfilter: ipset: Add element count to hash headers Jozsef Kadlecsik (19): netfilter: ipset: Remove extra whitespaces in ip_set.h netfilter: ipset: Mark some helper args as const. netfilter: ipset: Headers file cleanup netfilter: ipset: Improve

[PATCH 02/22] netfilter: ipset: Headers file cleanup

2016-10-23 Thread Jozsef Kadlecsik
Remove extra whitespace, group counter helper together. Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@bl

[PATCH 17/22] netfilter: ipset: Fix reported memory size for hash:* types

2016-10-23 Thread Jozsef Kadlecsik
The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 16 +--- 1 file changed, 9 insertions

[PATCH 20/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-23 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to set up and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

[PATCH 14/22] netfilter: ipset: Optimize hash creation routine

2016-10-23 Thread Jozsef Kadlecsik
Exit as early as possible on error and use RCU_INIT_POINTER() as the set is not seen at creation time. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 63 --- 1 file changed, 29 insertions(+), 34 del

[PATCH 10/22] netfilter: ipset: Count non-static extension memory for userspace

2016-10-23 Thread Jozsef Kadlecsik
-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 8 ++-- include/linux/netfilter/ipset/ip_set_comment.h | 7 +-- net/netfilter/ipset/ip_set_bitmap_gen.h| 5 +++-- net/netfilter/ipset/ip_set_core.c | 2 +

[PATCH 22/22] netfilter: ipset: hash: fix boolreturn.cocci warnings

2016-10-23 Thread Jozsef Kadlecsik
a_list' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Tomasz Chilinski <tomasz.chilin...@chilan.com> Signed-off-by: Fengguang Wu <fengguang...@intel.com> Signed-off-by: Joz

[PATCH 06/22] netfilter: ipset: Separate memsize calculation code into dedicated function

2016-10-23 Thread Jozsef Kadlecsik
Hash types already have their memsize calculation code in separate functions. Do the same for *bitmap* and *list* sets. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Ka

[PATCH 19/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-23 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to set up and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

[PATCH 09/22] netfilter: ipset: Add element count to all set types header

2016-10-23 Thread Jozsef Kadlecsik
It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h| 2 ++ include

[PATCH 12/22] netfilter: ipset: Make NLEN compile time constant for hash types

2016-10-23 Thread Jozsef Kadlecsik
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h and the only place where NLEN needed to be calculated at runtime is *_create() method. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>

[PATCH 13/22] netfilter: ipset: Make sure element data size is a multiple of u32

2016-10-23 Thread Jozsef Kadlecsik
Data for hashing is required to be an array of u32. Make sure that the element data size is always a multiple of u32. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 10 +

[PATCH 03/22] netfilter: ipset: Improve skbinfo get/init helpers

2016-10-23 Thread Jozsef Kadlecsik
.@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 30 +++--- net/netfilter/ipset/ip_set_core.c | 12 ++-- net/netfilter/xt_set.c | 12 +++- 3 files changed, 24

[PATCH 01/22] netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage

2016-10-23 Thread Jozsef Kadlecsik
Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_se

[PATCH 08/22] netfilter: ipset: Add element count to hash headers

2016-10-23 Thread Jozsef Kadlecsik
header that is exported to userspace. This field is then printed by the userspace tool for hashes. Signed-off-by: Eric B Munson <emun...@akamai.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Cc: Josh Hunt <joh...@akamai.com> Cc: netfilter-devel@vger.kernel.org Signed-off-b

[PATCH 07/22] netfilter: ipset: Regroup ip_set_put_extensions and add extern

2016-10-23 Thread Jozsef Kadlecsik
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index b5bd0fb3..7a218eb

[PATCH 20/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-17 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to set up and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

[PATCH 06/22] netfilter: ipset: Separate memsize calculation code into dedicated function

2016-10-17 Thread Jozsef Kadlecsik
Hash types already have their memsize calculation code in separate functions. Do the same for *bitmap* and *list* sets. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Ka

[PATCH 12/22] netfilter: ipset: Make NLEN compile time constant for hash types

2016-10-17 Thread Jozsef Kadlecsik
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h and the only place where NLEN needed to be calculated at runtime is *_create() method. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>

[PATCH 15/22] netfilter: ipset: Make struct htype per ipset family

2016-10-17 Thread Jozsef Kadlecsik
<popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h| 51 +++- net/netfilter/ipset/ip_set_hash_ip.c | 10 +++--- net/netfilter/ipset/ip_set_hash_ipmark.c | 10

[PATCH 05/22] netfilter: ipset: Split extensions into separate files

2016-10-17 Thread Jozsef Kadlecsik
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 95 +--

[PATCH 13/22] netfilter: ipset: Make sure element data size is a multiple of u32

2016-10-17 Thread Jozsef Kadlecsik
Data for hashing is required to be an array of u32. Make sure that the element data size is always a multiple of u32. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 10 +

[PATCH 04/22] netfilter: ipset: Improve comment extension helpers

2016-10-17 Thread Jozsef Kadlecsik
Allocate memory with kmalloc() rather than kzalloc(). Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipse

[PATCH 22/22] netfilter: ipset: hash: fix boolreturn.cocci warnings

2016-10-17 Thread Jozsef Kadlecsik
a_list' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Tomasz Chilinski <tomasz.chilin...@chilan.com> Signed-off-by: Fengguang Wu <fengguang...@intel.com> Signed-off-by: Joz

[PATCH 01/22] netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage

2016-10-17 Thread Jozsef Kadlecsik
Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_se

[PATCH 11/22] netfilter: ipset: Simplify mtype_expire() for hash types

2016-10-17 Thread Jozsef Kadlecsik
Remove the redundant parameters nets_length and dsize: they can be obtained from the other parameters. Remove one level of indentation by using continue while iterating over the elements in a bucket. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsi

[PATCH 09/22] netfilter: ipset: Add element count to all set types header

2016-10-17 Thread Jozsef Kadlecsik
It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h| 2 ++ include

[PATCH 19/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-17 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to set up and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

[PATCH 00/22] ipset patches for nf-next

2016-10-17 Thread Jozsef Kadlecsik
): netfilter: ipset: Add element count to hash headers Jozsef Kadlecsik (16): netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage netfilter: ipset: Headers file cleanup netfilter: ipset: Improve skbinfo get/init helpers netfilter: ipset: Improve comment extension helpers

[PATCH 18/22] netfilter: ipset: hash:ipmac type support added to ipset

2016-10-17 Thread Jozsef Kadlecsik
From: Tomasz Chilinski <tomasz.chilin...@chilan.com> Signed-off-by: Tomasz Chiliński <tomasz.chilin...@chilan.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/Kconfig | 9 + net/netfilter/ipset/Makefile| 1 + n

[PATCH 07/22] netfilter: ipset: Regroup ip_set_put_extensions and add extern

2016-10-17 Thread Jozsef Kadlecsik
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index b5bd0fb3..7a218eb

[PATCH 17/22] netfilter: ipset: Fix reported memory size for hash:* types

2016-10-17 Thread Jozsef Kadlecsik
The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 16 +--- 1 file changed, 9 insertions

[PATCH 10/22] netfilter: ipset: Count non-static extension memory for userspace

2016-10-17 Thread Jozsef Kadlecsik
-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 8 ++-- include/linux/netfilter/ipset/ip_set_comment.h | 7 +-- net/netfilter/ipset/ip_set_bitmap_gen.h| 5 +++-- net/netfilter/ipset/ip_set_core.c | 2 +

[PATCH 03/22] netfilter: ipset: Improve skbinfo get/init helpers

2016-10-17 Thread Jozsef Kadlecsik
.@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 30 +++--- net/netfilter/ipset/ip_set_core.c | 12 ++-- net/netfilter/xt_set.c | 12 +++- 3 files changed, 24

[PATCH 02/22] netfilter: ipset: Headers file cleanup

2016-10-17 Thread Jozsef Kadlecsik
Remove extra whitespace, group counter helper together. Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@bl

[ANNOUNCE] ipset 6.30 released

2016-10-17 Thread Jozsef Kadlecsik
Hi, I'm happy to announce ipset 6.30 which introduces a new set type, hash:ip,mac, and brings a couple of small corrections and backports from the most recent kernel tree. Userspace changes: - Drop extra comma from error message (Neutron Soutmun) - Fix the incorrect dynamic/static modules

[PATCH 21/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-17 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to set up and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

Re: [PATCH 2/4] netfilter: ipset: generalize netmask to support cidr and mask values

2017-03-27 Thread Jozsef Kadlecsik
Hi Josh, Overall, I like the feature and the patches. After reviewing I comment only the parts where I believe some modifications are needed. On Tue, 21 Mar 2017, Josh Hunt wrote: > Extends ipset netmask support to handle both cidr values and full > netmasks. As part of that it now supports

Re: [PATCH 1/5] ipset: netmask: expand to support cidr and full mask

2017-03-27 Thread Jozsef Kadlecsik
On Tue, 21 Mar 2017, Josh Hunt wrote: > Convert netmask to store cidr and netmask. > > Signed-off-by: Josh Hunt > --- > include/libipset/data.h | 5 ++- > include/libipset/linux_ip_set.h | 5 +++ > include/libipset/print.h| 3 ++ > lib/data.c

Re: [PATCH 3/4] netfilter: ipset: hash:ip: add support for new netmask types

2017-03-27 Thread Jozsef Kadlecsik
> -#define IPSET_TYPE_REV_MAX 4 /* skbinfo support */ > +/* 4 skbinfo support */ > +#define IPSET_TYPE_REV_MAX 5 /* nf_inet_addr netmask support */ > > MODULE_LICENSE("GPL"); > MODULE_AUTHOR("Jozsef Kadlecsik &

Re: [PATCH 3/5] ipset: hash:ipport: netmask support

2017-03-27 Thread Jozsef Kadlecsik
On Tue, 21 Mar 2017, Josh Hunt wrote: > Adds netmask support to hash:ipport sets. > > Signed-off-by: Josh Hunt > --- > lib/ipset_hash_ipport.c | 194 > > 1 file changed, 194 insertions(+) > > diff --git

Re: [PATCH 4/4] netfilter: ipset: hash:ipport: add netmask support

2017-03-27 Thread Jozsef Kadlecsik
dded */ > +#define IPSET_TYPE_REV_MAX 6 /* netmask support added */ > > MODULE_LICENSE("GPL"); > MODULE_AUTHOR("Jozsef Kadlecsik <kad...@blackhole.kfki.hu>"); > @@ -38,6 +39,7 @@ > > /* Type specific function prefix */ > #define HTYPE

Re: [PATCH 2/4] netfilter: ipset: generalize netmask to support cidr and mask values

2017-03-28 Thread Jozsef Kadlecsik
Hi Josh, On Tue, 28 Mar 2017, Josh Hunt wrote: > > Overall, I like the feature and the patches. After reviewing I comment > > only the parts where I believe some modifications are needed. > > Thanks for the review. I'll go through this and send a v2 in the next > few days. Thinking over it I

Re: [PATCH 2/4] netfilter: ipset: generalize netmask to support cidr and mask values

2017-03-28 Thread Jozsef Kadlecsik
On Tue, 28 Mar 2017, Josh Hunt wrote: > > Thinking over it I understand better your approach: replace > > IPSET_ATTR_NETMASK with IPSET_ATTR_NETMASK_MASK completely and keeping > > the former for backward compatibility reasons only. What I propose is > > able to maintain syntax-compatibility

Re: ipset 6.32 - build failure

2017-03-17 Thread Jozsef Kadlecsik
On Fri, 17 Mar 2017, Jan Engelhardt wrote: > With 4.10.3, ipset 6.32 seems to run into an issue: > > [ 59s] > /home/abuild/rpmbuild/BUILD/ipset-default-6.32/kernel/net/netfilter/xt_set.c: > In function 'set_match_v0': > [ 59s] >

Re: [PATCH nf-next] netfilter: allow early drop of assured conntracks

2017-04-17 Thread Jozsef Kadlecsik
cp connections are now dropped > if they are no longer established (e.g. in finwait). > > This could be refined further, e.g. by adding 'soft' established timeout > (i.e., a timeout that is only used once we get close to resource > exhaustion). I like the idea and the implementation: Acked-by: Jozs

Re: [PATCH nf-next] ipset: remove unused function __ip_set_get_netlink

2017-04-14 Thread Jozsef Kadlecsik
Hi Pablo, On Fri, 14 Apr 2017, Pablo Neira Ayuso wrote: > On Mon, Apr 10, 2017 at 03:52:37PM -0400, Aaron Conole wrote: > > There are no in-tree callers. > > @Jozsef, let me know if I should just take this to save you a pull > request. Just take it, thank you. Acked-by: Joz

Re: [PATCH next] iptables: on revision mismatch, do not call print/save

2017-04-21 Thread Jozsef Kadlecsik
Hi, On Thu, 8 Dec 2016, Willem de Bruijn wrote: > From: Willem de Bruijn > > Between revisions, the layout of xtables data may change completely. > Do not interpret the data in a revision M with a module of revision N. > > Signed-off-by: Willem de Bruijn

Re: [PATCH nf] netfilter: nat: remove incorrect debug assert

2017-03-03 Thread Jozsef Kadlecsik
On Fri, 3 Mar 2017, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > > However, changing test to if (iph->frag_off) return -NF_ACCEPT seems > > > wrong too because we have enough info to track. OTOH, this only happens > > > with HDRINCL+raw socket so perhaps we

[ANNOUNCE] ipset 6.32 released

2017-03-12 Thread Jozsef Kadlecsik
Hi, ipset 6.32 has been released, with just userspace part changes. Omri Bahumi and Yoni Lavi discovered that due to the improper handling of the ipset output buffer, the output may be truncated. So for example in an "ipset save" output, instead of 192.168.0.0/24, just 192.168.0.0 is printed. If

Re: [ANNOUNCE] ipset 6.32 released

2017-03-12 Thread Jozsef Kadlecsik
On Sun, 12 Mar 2017, Jozsef Kadlecsik wrote: > ipset 6.32 has been released, with just userspace part changes. > Omri Bahumi and Yoni Lavi discovered that due to the improper handling of > the ipset output buffer, the output may be truncated. So for example in an > "ipset save

Re: [PATCH next] iptables: on revision mismatch, do not call print/save

2017-04-27 Thread Jozsef Kadlecsik
On Thu, 27 Apr 2017, Willem de Bruijn wrote: > > Maybe the case can be reproduced with the following steps, but I'm > > guessing: > > > > - rules inserted > > - iptables binary downgraded/upgraded > > - rules listed > > It will. This is largely what the patch protects against. But perhaps > it

Re: [PATCH next] iptables: on revision mismatch, do not call print/save

2017-04-27 Thread Jozsef Kadlecsik
Hi Willem, On Wed, 26 Apr 2017, Willem de Bruijn wrote: > On Wed, Apr 26, 2017 at 5:15 PM, Willem de Bruijn > wrote: > >>> The patch breaks backward/forward compatibility in a match/target. > >>> > >>> When the list of the revisions of a given match/target of

Re: [PATCH] ipset: Fix ipset command replacement in runtest.sh

2017-06-04 Thread Jozsef Kadlecsik
Hi, On Tue, 30 May 2017, Neutron Soutmun wrote: > Fix the ipset command replacement. > > For ipset="/sbin/ipset" > > Actual: > /sbin//sbin/ipset 2>.foo.err | ... | xargs -n1 ipset > Expected: > /sbin/ipset 2>.foo.err | ... | xargs -n1 /sbin/ipset > --- > tests/runtest.sh | 2

Re: [PATCH 0/4] ipset patches for nf-next

2017-09-18 Thread Jozsef Kadlecsik
Hi Pablo, On Mon, 18 Sep 2017, Pablo Neira Ayuso wrote: > On Mon, Sep 11, 2017 at 09:52:36PM +0200, Jozsef Kadlecsik wrote: > > Hi Pablo, > > > > Here follows a few ipset patches for the nf-next tree: > > > > * Merge assignment and simplify return in a fu

[HEADS UP] ipset git tree is rebased

2017-09-23 Thread Jozsef Kadlecsik
Hello, I messed up and created duplicates in the public ipset git repo: 942de32 Merge branch 'master' of git.netfilter.org:ipset a029bc6 Reset state after a command failed, when multiple ones are issued. 2a98659 Handle padding attribute properly in userspace. 5128db6 Add test file missing from
