Re: [PATCH 2/2] netfilter: connlabels: move set helper to xt_connlabel

2016-07-22 Thread Pablo Neira Ayuso
On Thu, Jul 21, 2016 at 12:51:17PM +0200, Florian Westphal wrote: > xt_connlabel is the only user so move it. > > Signed-off-by: Florian Westphal > --- > include/net/netfilter/nf_conntrack_labels.h | 2 -- > net/netfilter/nf_conntrack_labels.c | 17 - >

Re: [PATCH 1/1] netfilter: udp: Remove a bit misleading comment in udp_pkt_to_tuple

2016-07-22 Thread Pablo Neira Ayuso
On Thu, Jul 21, 2016 at 05:26:47PM +0800, f...@ikuai8.com wrote: > From: Gao Feng Please, add description to your patches. Cc'ing netfilter-devel@vger.kernel.org is sufficient for netfilter patches unless you really want to attract attention from other netdev developers, and

Re: [PATCH nf-next v2 1/3] netfilter: bridge: add and use br_nf_hook_thresh

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 12, 2016 at 11:32:19AM -0400, Aaron Conole wrote: > +/* recursively invokes nf_hook_slow (again), skipping already-called > + * hooks (< NF_BR_PRI_BRNF). > + * > + * Called with rcu read lock held. > + */ > +int br_nf_hook_thresh(unsigned int hook, struct net *net, > +

Re: [PATCH nf-next v2 2/3] netfilter: call nf_hook_state_init with rcu_read_lock held

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 12, 2016 at 11:32:20AM -0400, Aaron Conole wrote: > From: Florian Westphal > > This makes things simpler because we can store the head of the list > in the nf_state structure without worrying about concurrent add/delete > of hook elements from the list. This is

Re: [PATCH v2 3/3] netfilter: replace list_head with single linked list

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 12, 2016 at 11:32:21AM -0400, Aaron Conole wrote: > The netfilter hook list never uses the prev pointer, and so can be > trimmed to be a smaller singly-linked list. > > In addition to having a more lightweight structure for hook traversal, > struct net becomes 5568 bytes (down from

Re: [PATCH nft 2/3] meta: add short-hand mnemonic for probalistic matching

2016-07-14 Thread Pablo Neira Ayuso
On Thu, Jul 14, 2016 at 12:52:18PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > On Tue, Jul 05, 2016 at 09:35:34AM +0200, Florian Westphal wrote: > > > Allow users to use a simpler way to specify probabilistic matching, e.g.: > >

Re: [PATCH iptables 2/2] xtables-translate: fix issue with quotes

2016-07-25 Thread Pablo Neira Ayuso
On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote: > Some translations included escaped quotes when they were called from > nft: > > $ sudo nft list ruleset > table ip mangle { > chain FORWARD { > type filter hook forward priority -150; policy accept; > ct

[PATCH nft] xt: use struct xt_xlate_{mt,tg}_params

2016-07-24 Thread Pablo Neira Ayuso
Adapt this code to the new interface that introduces struct xt_xlate_{mt,tg}_params. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- src/xt.c | 20 +++- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/src/xt.c b/src/xt.c index afcc836..0777d9c

[RFC] l2tp for nftables

2016-07-24 Thread Pablo Neira Ayuso
Hi James, I'm looking at what is missing to add l2tp for nftables; after a quick glance this is what I found. The L2TPv3 over IP (after a quick reading of the RFC) seems easy to add. I'm attaching a patch for the header layout definition (the parser side is still missing, so this patch is incomplete).

[PATCH iptables] src: introduce struct xt_xlate_{mt,tg}_params

2016-07-24 Thread Pablo Neira Ayuso
This structure is an extensible container of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- extensions/libip6t_DNAT.c | 6 ++--- exte

Re: [PATCH iptables] iptables-translate: add in/out ifname wildcard match translation to nft

2016-08-01 Thread Pablo Neira Ayuso
On Sat, Jul 30, 2016 at 01:20:59PM +0800, Liping Zhang wrote: > From: Liping Zhang > > In iptables, "-i eth+" means match all in ifname with the prefix "eth". > But in nftables, this was changed to "iifname eth*". So we should handle > this subtle difference. > >

Re: [PATCH] manpages: do not adjust reject-with type footnote indentation

2016-08-01 Thread Pablo Neira Ayuso
On Tue, Jul 26, 2016 at 03:14:22PM +0100, Sami Kerola wrote: > The footnote clarification to option argument documentation, so keep the > indentation level same as for the arguments. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a

[PATCH nf] netfilter: nft_rbtree: ignore inactive matching element with no descendants

2016-08-01 Thread Pablo Neira Ayuso
-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Slightly larger than Florian's fix, but we get rid of the goto here, since gcc considers branches with gotos as unlikely. net/netfilter/nft_rbtree.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/net

[PATCH libnftnl] src: don't set data_len to zero when returning pointers

2016-08-01 Thread Pablo Neira Ayuso
nft already assumes that passing NULL as data_len is valid, otherwise it crashes. Fix this by leaving data_len unset in this specific case. Fixes: bda7102 ("src: Fix nftnl_*_get_data() to return the real attribute length") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org&g

Re: [RFC nft] meta: deprecate unqualified meta statements

2016-08-01 Thread Pablo Neira Ayuso
On Wed, Jul 27, 2016 at 04:17:33AM +0200, Florian Westphal wrote: > During NFWS we discussed reducing the number of keywords in nftables. > > Obviously keywords are required for the parser to know what to expect. > > But always requiring the 'meta' keyword would allow us to handle > iif, oif,

Re: [nft PATCH 4/7] netlink: decode payload statment

2016-08-01 Thread Pablo Neira Ayuso
On Wed, Jul 27, 2016 at 02:43:13AM +0200, Florian Westphal wrote: > This allows nft to display payload set operations if the > header isn't byte aligned or has non-byte divisible sizes. > > Signed-off-by: Florian Westphal > --- > src/netlink_delinearize.c | 165 >

Re: [nft PATCH 3/7] evaluate: add support to set IPv6 non-byte header fields

2016-08-01 Thread Pablo Neira Ayuso
On Wed, Jul 27, 2016 at 02:43:12AM +0200, Florian Westphal wrote: > 'ip6 ecn set 1' will generate a zero-sized write operation. > Just like when matching on bit-sized header fields we need to > round up to a byte-sized quantity and add a mask to retain those > bits outside of the header bits that

Re: [nft PATCH 0/7] add payload set support for sub-byte sizes

2016-08-01 Thread Pablo Neira Ayuso
rors here: warning: 2 lines add whitespace errors Please, amend these and other nitpicks and push these series, we can later on refine them if needed. Acked-by: Pablo Neira Ayuso <pa...@netfilter.org> Thanks.

Re: [PATCH iptables 2/2] xtables-translate: fix issue with quotes

2016-07-26 Thread Pablo Neira Ayuso
On Tue, Jul 26, 2016 at 06:22:49PM +0200, Pablo M. Bermudo Garay wrote: > 2016-07-25 17:31 GMT+02:00 Pablo Neira Ayuso <pa...@netfilter.org>: > > On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote: > >> Some translations included escaped quotes wh

Re: [PATCH iptables 1/2] include: xtables: fix struct definitions grepability

2016-07-27 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH v4] netfilter: nf_tables: add hash expression

2016-08-11 Thread Pablo Neira Ayuso
On Thu, Aug 11, 2016 at 09:23:14AM +0200, Laura Garcia Liebana wrote: > diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c > new file mode 100644 > index 000..eb05527 > --- /dev/null > +++ b/net/netfilter/nft_hash.c > @@ -0,0 +1,136 @@ > +/* > + * Copyright (c) 2016 Laura Garcia

Re: [PATCH libnftnl] expr: hash: Jenkins hash expression support

2016-08-11 Thread Pablo Neira Ayuso
Please, remove "Jenkins" from the title. And it would be good to add a test under the tests/ directory. On Tue, Aug 09, 2016 at 04:03:51PM +0200, Laura Garcia Liebana wrote: > diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h > index 6aa7756..811c254 100644 > ---

Re: [libnftnl PATCH 0/7] A bunch of covscan detected fixes

2016-08-11 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 01:58:17AM +0200, Pablo Neira Ayuso wrote: > On Fri, Aug 12, 2016 at 01:33:32AM +0200, Phil Sutter wrote: > > The following series aims at fixing a number of issues identified by > > Coverity tool. Due to limited familiarity with the whole code layout, I >

Re: [libnftnl PATCH 5/7] common: Avoid integer overflow in nftnl_batch_is_supported()

2016-08-11 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 01:33:37AM +0200, Phil Sutter wrote: > time() may return -1 which is then assigned to an unsigned integer type > and used as sequence number. The following code increments that number > multiple times, so it may overflow and get libmnl confused. To avoid > this, fall back

[PATCH nft] tests: tests to include files

2016-08-10 Thread Pablo Neira Ayuso
Four tests to cover file inclusion using: 1) Absolute path. 2) Relative path. 3) Default include directory path. And one more test to cover endless file inclusion loop. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- tests/shell/testcases/include/0001absolute_0

[PATCH 6/9] netfilter: nfnetlink_queue: fix memory leak when attach expectation successfully

2016-08-10 Thread Pablo Neira Ayuso
he use refcnt is still 1, then the memory will be leaked forever. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c | 8 ++-- 1 file changed, 2 insertions(+), 6 deletions(-)

[PATCH 3/9] netfilter: nft_rbtree: ignore inactive matching element with no descendants

2016-08-10 Thread Pablo Neira Ayuso
-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Tested-by: Anders K. Pedersen <a...@akp.dk> --- net/netfilter/nft_rbtree.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c index 6473936..ffe9ae0 1006

[PATCH 5/9] netfilter: nf_ct_expect: remove the redundant slash when policy name is empty

2016-08-10 Thread Pablo Neira Ayuso
h...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_expect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c index 9e36931..f8dbac

[PATCH 8/9] netfilter: ctnetlink: reject new conntrack request with different l4proto

2016-08-10 Thread Pablo Neira Ayuso
liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index b9bfe64..fdfc71f 100644 -

[PATCH 7/9] netfilter: nfnetlink_queue: reject verdict request from different portid

2016-08-10 Thread Pablo Neira Ayuso
uot;) Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Reviewed-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_queue.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/net

[PATCH 2/9] netfilter: nf_tables: s/MFT_REG32_01/NFT_REG32_01

2016-08-10 Thread Pablo Neira Ayuso
MFT_REG32_01 is a typo, rename this to NFT_REG32_01. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/net

[PATCH 9/9] netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes

2016-08-10 Thread Pablo Neira Ayuso
From: Laura Garcia Liebana <nev...@gmail.com> Fix the direct assignment of offset and length attributes included in nft_exthdr structure from u32 data to u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 0/9] Netfilter fixes for net

2016-08-10 Thread Pablo Neira Ayuso
Pablo Neira Ayuso (2): netfilter: nf_tables: s/MFT_REG32_01/NFT_REG32_01 netfilter: nft_rbtree: ignore inactive matching element with no descendants include/uapi/linux/netfilter/nf_tables.h | 2 +- net/netfilter/nf_conntrack_expect.c | 2 +- net/netfilter/nf_conntrack_h323_main.c

Re: [PATCH 2/4, V3, libnftnl] Implement rule comparison

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 11:48:55AM +0200, Carlos Falgueras García wrote: > This patch implements the function 'bool nftnl_rule_cmp(const struct > nftnl_rule *r, const struct nftnl_rule *r2)' for rule comparison. > > Expressions within rules need to be compared, so also has been created the >

Re: [PATCH 2/3, libnftnl] expr: Fix lookup builder

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 05:12:04PM +0200, Carlos Falgueras García wrote: > Deleted wrong braces that cause unwanted behaviour. Also applied, thanks.

Re: [PATCH nf] netfilter: nfnetlink_queue: reject verdict request from different portid

2016-08-10 Thread Pablo Neira Ayuso
On Mon, Aug 08, 2016 at 10:07:27PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Like NFQNL_MSG_VERDICT_BATCH do, we should also reject the verdict > request when the portid is not the same as the initial portid (maybe > from another process). Applied, thanks.

Re: [libnftnl PATCH 2/7] ruleset: Prevent memleak in nftnl_ruleset_snprintf_*() functions

2016-08-12 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 02:44:58AM +0200, Phil Sutter wrote: > On Fri, Aug 12, 2016 at 01:42:02AM +0200, Pablo Neira Ayuso wrote: > > On Fri, Aug 12, 2016 at 01:33:34AM +0200, Phil Sutter wrote: > > > From: Phil Sutter <psut...@redhat.com> > > &

Re: [PATCH 1/4, V2, libnftnl] tests: Fix segfaults due outbound access

2016-08-15 Thread Pablo Neira Ayuso
On Sat, Aug 13, 2016 at 05:25:19PM +0200, Carlos Falgueras García wrote: > Another possible solution is something like this: > > static const char *element2str(uint32_t element) { > - if (element < MAX_ELEMENT) > + if (element < MAX_ELEMENT ||

Re: [PATCH 2/2 libnftnl] expr: cmp: Use cmp2str() instead of directly access to array

2016-08-15 Thread Pablo Neira Ayuso
On Mon, Aug 15, 2016 at 12:27:37PM +0200, Carlos Falgueras García wrote: Please always add a description to your patches, even if it is only one line to explain why we need this. Thanks. > Signed-off-by: Carlos Falgueras García > --- > src/expr/cmp.c | 2 +- > 1 file

Re: [PATCH 1/2 libnftnl] expr: Improve bound checking in stringification functions

2016-08-15 Thread Pablo Neira Ayuso
On Mon, Aug 15, 2016 at 12:27:36PM +0200, Carlos Falgueras García wrote: > --- a/src/utils.c > +++ b/src/utils.c > @@ -23,6 +23,7 @@ > #include > > static const char *const nftnl_family_str[NFPROTO_NUMPROTO] = { > + [NFPROTO_UNSPEC]= "unknown", > [NFPROTO_INET] =

Re: [PATCH 1/2 libnftnl] utils: Fix out of bound access in nftnl_family2str

2016-08-15 Thread Pablo Neira Ayuso
On Mon, Aug 15, 2016 at 12:51:02PM +0200, Carlos Falgueras García wrote: > Checks array limits before accessing it and adds a missed translation. > > Signed-off-by: Carlos Falgueras García > --- > src/utils.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff

Re: [PATCH nf-next V2] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-08-12 Thread Pablo Neira Ayuso
On Sat, Jul 30, 2016 at 07:42:53PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Since Commit 64b87639c9cb ("netfilter: conntrack: fix race between > nf_conntrack proc read and hash resize") introduced the > nf_conntrack_get_ht, so there's no need to check

Re: [PATCH v5] netfilter: nf_tables: add hash expression

2016-08-12 Thread Pablo Neira Ayuso
On Thu, Aug 11, 2016 at 06:02:07PM +0200, Laura Garcia Liebana wrote: > This patch adds a new hash expression, this provides jhash support but > this can be extended to support for other hash functions. > > The modulus and seed already come embedded into this new expression. > > Use case

Re: [PATCH nf-next] netfilter: physdev: add missed blank

2016-08-12 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH 3/4, V3, nft] Simplify parser rule_spec tree

2016-08-12 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 11:48:56AM +0200, Carlos Falgueras García wrote: > This patch separates the rule identification from the rule localization, so > the logic moves from the evaluator to the parser. This allows reverting the > patch "evaluate: improve rule managment checks" >

[PATCH] netfilter: remove ip_conntrack* sysctl compat code

2016-08-12 Thread Pablo Neira Ayuso
to what I observed on the netfilter user mailing list. So let's get rid of this. Note that nf_conntrack_htable_size and unsigned int nf_conntrack_max do not need to be exported as symbols anymore. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack_l4p

Re: [PATCH netfilter] extensions/libxt_bpf.man: clarify BPF code generation with tcpdump

2016-08-12 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 03:23:07PM -0400, Willem de Bruijn wrote: > From: Willem de Bruijn > > The xt_bpf module applies BPF bytecode to the packet. Depending on > where the module is invoked, the kernel may pass a packet with or > without link layer header. Iptables has no

Re: [PATCH nf-next V2] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-08-12 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 07:12:32PM +0800, Liping Zhang wrote: > 2016-08-12 18:34 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>: [...] > > > > I think it is a good time to kill compat /proc/net/ip_conntrack*. That > > has been there for so long already. So

Re: [PATCH nf-next] netfilter: nf_dup4: remove redundant checksum recalculation

2016-08-12 Thread Pablo Neira Ayuso
On Sat, Jul 30, 2016 at 07:44:12PM +0800, Liping Zhang wrote: > From: Liping Zhang > > IP header checksum will be recalculated at ip_local_out, so > there's no need to calculate it here, remove it. Also update > code comments to illustrate it, and delete the

Re: [libnftnl PATCH] utils: Don't return directly from SNPRINTF_BUFFER_SIZE

2016-08-12 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 02:39:50PM +0200, Phil Sutter wrote: > From: Phil Sutter > > Apart from being a bad idea in general, the return statement contained > in that macro in some cases leads to returning from functions without > properly cleaning up, thereby causing memory

Re: [PATCH 1/1] netfilter: Only need first 4 bytes to get l4proto ports

2016-08-12 Thread Pablo Neira Ayuso
On Sat, Jul 23, 2016 at 07:21:47PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > We only need first 4 bytes instead of 8 bytes to get the ports of > tcp/udp/dccp/sctp/udplite in their pkt_to_tuple function. Applied, thanks.

Re: [PATCH nf-next v2] ipvs: use nf_ct_kill helper

2016-08-12 Thread Pablo Neira Ayuso
On Wed, Aug 03, 2016 at 03:21:28PM +0200, Florian Westphal wrote: > Once timer is removed from nf_conn struct we cannot open-code > the removal sequence anymore. @Simon and other IPVS folks: I'm going to take this patch since Florian needs this merged for follow up patches. So I'm dealing with

Re: [PATCH 1/4, V2, libnftnl] tests: Fix segfaults due outbound access

2016-08-13 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 10:17:19PM +0200, Carlos Falgueras García wrote: > Changes random values for macros because the conversion to string of these > values is performed by accessing an array of strings. Then, we should fix the functions to return "unknown" for out of bound access of the

Re: [PATCH 2/4, V2, libnftnl] tests: Fix wrong expression creation

2016-08-13 Thread Pablo Neira Ayuso
Applied, thanks. On Fri, Aug 12, 2016 at 10:17:20PM +0200, Carlos Falgueras García wrote: > Signed-off-by: Carlos Falgueras García > --- > tests/nft-expr_masq-test.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/tests/nft-expr_masq-test.c

[PATCH nf-next,v2] netfilter: remove ip_conntrack* sysctl compat code

2016-08-13 Thread Pablo Neira Ayuso
y many people in the user community according to what I observed on the netfilter user mailing list. So let's get rid of this. Note that nf_conntrack_max does not need to be exported as a symbol anymore. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- v2: nf_conntrack_htabl

Re: [PATCH 3/3, libnftnl] tests: Fix tests for immediate and lookup expressions

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 05:12:05PM +0200, Carlos Falgueras García wrote: > An error at Makefile.am has caused that the tests > 'nft-expr_immediate-test.c' and 'nft-expr_lookup-tests.c' have not been > compiled since they were created. This patch fixes that error and some errors > in both tests.

[PATCH 4/9] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-08-10 Thread Pablo Neira Ayuso
igit 0 or not. Signed-off-by: Christophe Leroy <christophe.le...@c-s.fr> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_sip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/

[PATCH 1/9] netfilter: nf_ct_h323: do not re-activate already expired timer

2016-08-10 Thread Pablo Neira Ayuso
od_timer_pending here to fix this problem. Fixes: 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of set_expect_timeout") Cc: Gao Feng <f...@ikuai8.com> Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 0/9] Netfilter fixes for net

2016-08-10 Thread Pablo Neira Ayuso
netfilter: nfnetlink_queue: fix memory leak when attach expectation successfully netfilter: nfnetlink_queue: reject verdict request from different portid netfilter: ctnetlink: reject new conntrack request with different l4proto Pablo Neira Ayuso (2): netfilter: nf_tables: s

Re: [PATCH, v2] Constify iterators

2016-08-10 Thread Pablo Neira Ayuso
On Tue, Aug 09, 2016 at 01:42:17PM +0200, Carlos Falgueras García wrote: > Iterators do not modify objects which they iterate, so input pointer must > be const. Applied, thanks!

Re: [PATCH 0/5] Check u32 load in u8 attributes

2016-08-11 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 05:29:34PM +0200, Laura Garcia Liebana wrote: > The following patchset adds a check during the load of a u32 value > into a u8 attribute which can cause an overflow. Could you collapse them all in one single patch? You can probably use this title: netfilter:

Re: [PATCH 2/4, libnfntl] Implement rule comparison

2016-08-11 Thread Pablo Neira Ayuso
On Mon, Aug 08, 2016 at 01:17:56PM +0200, Carlos Falgueras García wrote: > diff --git a/src/expr/dynset.c b/src/expr/dynset.c > index 0eaa409..fa8b8d5 100644 > --- a/src/expr/dynset.c > +++ b/src/expr/dynset.c > @@ -370,6 +370,23 @@ static void nftnl_expr_dynset_free(const struct > nftnl_expr *e)

Re: [libnftnl PATCH 2/7] ruleset: Prevent memleak in nftnl_ruleset_snprintf_*() functions

2016-08-11 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 01:33:34AM +0200, Phil Sutter wrote: > From: Phil Sutter > > This is an ugly aspect of the SNPRINTF_BUFFER_SIZE() macro: it contains > a return statement and if that triggers, the function returns without > freeing the iterator object. Therefore

Re: [PATCH 1/3, libnftnl] tests: Add missing tests to test-script.sh

2016-08-11 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH nft 2/3] meta: add short-hand mnemonic for probalistic matching

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 05, 2016 at 09:35:34AM +0200, Florian Westphal wrote: > Allow users to use a simpler way to specify probabilistic matching, e.g.: > > meta probability 0.5 (match approx. every 2nd packet) > meta probability 0.001 (match approx. once every 1000 packets) > > nft

Re: [PATCH libnftnl] examples: selective rule dumping

2016-07-21 Thread Pablo Neira Ayuso
On Thu, Jul 21, 2016 at 10:03:01AM +0200, jalvarez wrote: > Here are the changes then. > I didn't put it in nft-rule-get.c at first to avoid breaking the expected > behavior of the example. Thanks. Problem with this patch: Your MUA seems to mangle it, so both patch -p1 < patch and git am tell me

Re: [PATCH libnftnl] examples: selective rule dumping

2016-07-21 Thread Pablo Neira Ayuso
Please, send me your Signed-off-by: and a couple of lines with a description. No need to resend this patch, I'll amend this myself. But please include it next time. Thanks.

Re: [PATCH 1/1] netfilter: Use IS_ERR_OR_NULL instead of IS_ERR and NULl check to simplify the codes in ip_vs_genl_dump_dests and resolve_normal_ct

2016-07-21 Thread Pablo Neira Ayuso
This patch title is too long, no more than 80 chars please, when it goes over that boundary it becomes a description ;) More comments below. On Thu, Jul 21, 2016 at 10:09:19PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > Signed-off-by: Gao Feng > --- >

Re: [PATCH 1/1] netfilter: Use IS_ERR_OR_NULL instead of IS_ERR and NULl check to simplify the codes in ip_vs_genl_dump_dests and resolve_normal_ct

2016-07-21 Thread Pablo Neira Ayuso
On Thu, Jul 21, 2016 at 06:45:53PM +0200, Pablo Neira Ayuso wrote: > > diff --git a/net/netfilter/nf_conntrack_core.c > > b/net/netfilter/nf_conntrack_core.c > > index 153e33f..634d592 100644 > > --- a/net/netfilter/nf_conntrack_core.c > > +++ b/net/netfilter/nf_co

Re: [PATCH v2 iptables] connlabel: clarify default config path

2016-07-21 Thread Pablo Neira Ayuso
On Thu, Jul 21, 2016 at 12:23:13AM +0200, Florian Westphal wrote: > Pablo suggested to print full config file path for connlabel.conf > parsing errors. > > Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> > Signed-off-by: Florian Westphal <f...@strlen.de> Acke

Re: [PATCH 1/1] netfilter: Use IS_ERR_OR_NULL instead of IS_ERR and NULl check to simplify the codes in ip_vs_genl_dump_dests and resolve_normal_ct

2016-07-21 Thread Pablo Neira Ayuso
This patch title is too long, no more than 80 chars. On Thu, Jul 21, 2016 at 10:09:19PM +0800, f...@ikuai8.com wrote: > From: Gao Feng Please, include a description here. > Signed-off-by: Gao Feng More comments below. > --- > v1: Initial Version > >

Re: [PATCH V2 iptables] extensions: libxt_connlabel: Add translation to nft

2016-07-17 Thread Pablo Neira Ayuso
On Sat, Jul 16, 2016 at 08:12:51PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > On Sat, Jul 16, 2016 at 04:51:30PM +0200, Pablo Neira Ayuso wrote: > > > On Sat, Jul 16, 2016 at 06:42:24PM +0800, Liping Zhang wrote: > > > >

[ANNOUNCE] Suspending Patrick McHardy as coreteam member

2016-07-18 Thread Pablo Neira Ayuso
The netfilter project regrets to have to suspend its core team member Patrick McHardy from the core team. This is a grave step, definitely the first in the project's history, and it is not one we take lightly. Over many months, severe allegations have been brought forward against the style of his

Re: [PATCH V2 iptables] extensions: libxt_connlabel: Add translation to nft

2016-07-18 Thread Pablo Neira Ayuso
On Sun, Jul 17, 2016 at 12:41:59PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > On Sat, Jul 16, 2016 at 08:12:51PM +0200, Florian Westphal wrote: > > > Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > > > On Sa

Re: [PATCH nf] netfilter: nft_ct: fix unpaired nf_connlabels_get/put call

2016-07-18 Thread Pablo Neira Ayuso
On Sat, Jul 16, 2016 at 11:18:01AM +0200, Florian Westphal wrote: > Liping Zhang wrote: > > From: Liping Zhang > > > > We only get nf_connlabels if the user adds a ct label set expr successfully, > > but we will also put nf_connlabels if the user

[PATCH nf-next] netfilter: nf_tables: allow to filter out rules by table and chain

2016-07-19 Thread Pablo Neira Ayuso
If the table and/or chain attributes are set in a rule dump request, we filter out the rules based on this selection. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Compiled tested only. net/netfilter/nf_tables_api.c | 39 +++ 1 file chang

Re: [PATCH v3 nf] netfilter: x_tables: speed up jump target validation

2016-07-19 Thread Pablo Neira Ayuso
On Thu, Jul 14, 2016 at 05:51:26PM +0200, Florian Westphal wrote: > After this change ruleset restore times get again close to what one > gets when reverting 36472341017529e (~3 seconds on my workstation). Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe

Re: [PATCH nf-next 3/3] netfilter: nft_log: fix snaplen does not truncate packets

2016-07-19 Thread Pablo Neira Ayuso
On Mon, Jul 18, 2016 at 08:44:17PM +0800, Liping Zhang wrote: > From: Liping Zhang > > There's a similar problem in xt_NFLOG, and was fixed by commit 7643507fe8b5 > ("netfilter: xt_NFLOG: nflog-range does not truncate packets"). Only set > copy_len here does not

Re: [PATCH iptables 2/2] extensions: libxt_NFLOG: translate to nft log snaplen if nflog-size is specified

2016-07-19 Thread Pablo Neira Ayuso
On Mon, Jul 18, 2016 at 10:14:28PM +0800, Liping Zhang wrote: > From: Liping Zhang > > The nflog-size was introduced by commit 7070b1f3c88a ("extensions: > libxt_NFLOG: nflog-range does not truncate packets"). Then make > the nflog-range become deprecated, because it

Re: [PATCH nf-next 1/3] netfilter: nft_log: fix possible memory leak if log expr init fail

2016-07-19 Thread Pablo Neira Ayuso
On Mon, Jul 18, 2016 at 08:44:15PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Suppose that we specify the NFTA_LOG_PREFIX, then NFTA_LOG_LEVEL > and NFTA_LOG_GROUP are specified together or nf_logger_find_get > call returns fail, i.e. expr init fail, memory

Re: [PATCH iptables 1/2] extensions: libxt_NFLOG: display nflog-size even if it is zero

2016-07-19 Thread Pablo Neira Ayuso
On Mon, Jul 18, 2016 at 10:14:27PM +0800, Liping Zhang wrote: > From: Liping Zhang > > The following iptables rules have the different semantics: > # iptables -A INPUT -j NFLOG > # iptables -A INPUT -j NFLOG --nflog-size 0 > > But they are all displayed as "-A

Re: Reply: [PATCH 1/1] netfilter: Add helper array register/unregister functions

2016-07-20 Thread Pablo Neira Ayuso
On Wed, Jul 20, 2016 at 08:31:13AM +0800, 高峰 wrote: > Thanks Pablo. > > I had used the script "checkpatch.pl" to check the patch file. > There was no indentation error reported. > > So could you give me more details please or point out one indentation error? > Then I could correct it by myself next

Re: [PATCH 1/1] netfilter: Add helper array register/unregister functions

2016-07-20 Thread Pablo Neira Ayuso
On Wed, Jul 20, 2016 at 08:51:17AM +0800, Liping Zhang wrote: > 2016-07-18 11:39 GMT+08:00 : > > From: Gao Feng > > > > Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister > > functions to enhance the conntrack helper codes. > > I think this patch

[PATCH nf-next,v2] netfilter: nf_tables: allow to filter out rules by table and chain

2016-07-20 Thread Pablo Neira Ayuso
From: Pablo Neira <pa...@netfilter.org> If the table and/or chain attributes are set in a rule dump request, we filter out the rules based on this selection. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 38 +

Re: [PATCH iptables] connlabel: clarify default config path

2016-07-20 Thread Pablo Neira Ayuso
On Wed, Jul 20, 2016 at 11:58:24AM +0200, Florian Westphal wrote: > Pablo suggested to print full config file path for connlabel.conf > parsing errors. > > Signed-off-by: Florian Westphal > --- > Pablo, > > I could also add the suggested nfct_labels_get_path() to lnf_conntrack

Re: [PATCH nft] ct: use nftables sysconf location for connlabel configuration

2016-07-20 Thread Pablo Neira Ayuso
27-29: Error: /etc/nftables/connlabel.conf: could not parse > conntrack label "foo" > > Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> > Signed-off-by: Florian Westphal <f...@strlen.de> > --- > src/Makefile.am | 2 ++ > src/ct.c

Re: Multi-thread udp 4.7 regression, bisected to 71d8c47fc653

2016-07-12 Thread Pablo Neira Ayuso
On Mon, Jul 11, 2016 at 06:17:39PM -0300, Marc Dionne wrote: > Hi Pablo, > > Testing out your patch: > > 1) With no NAT in place, the clash resolution happens, with no side > effects. No EPERM errors are seen. > > 2) With ip(6)table_nat loaded, the clash resolution fails and I get > some EPERM

Re: nftables: Dynamically updating sets gives syntax error

2016-07-12 Thread Pablo Neira Ayuso
; > :1:28-32: Error: syntax error, unexpected saddr > > filter input set update ip saddr timeout 10s @myset > >    ^ > > I did a git bisect on this and found that it was broken by > > commit a3e60492a684be09374d0649735da42bdadc6b48 > Aut

[PATCH 2/6] netfilter: nft_meta: set skb->nf_trace appropriately

2016-07-12 Thread Pablo Neira Ayuso
From: Liping Zhang <liping.zh...@spreadtrum.com> When a user adds an nft rule to set nftrace to zero, for example: # nft add rule ip filter input nftrace set 0 We should set nf_trace to zero also. Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Pablo Nei

[PATCH 5/6] netfilter: nft_ct: fix expiration getter

2016-07-12 Thread Pablo Neira Ayuso
per-ct timer. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h | 8 net/netfilter/nft_ct.c | 6 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/inc

[PATCH 6/6] netfilter: conntrack: skip clash resolution if nat is in place

2016-07-12 Thread Pablo Neira Ayuso
clash resolution on insertion race") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Tested-by: Marc Dionne <marc.c.dio...@gmail.com> --- net/netfilter/nf_conntrack_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_
