The nft_expr_ops might be freed in the nf_tables_expr_destroy but
after this, a member of nft_expr_ops is used.
Steps to reproduce:
$iptables-compat -I OUTPUT -m cpu --cpu 0
$iptables-compat -F
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nf_tables_api.
This patch adds the new release callback to release resources
allocated in nft_expr_type->select_ops.
This release callback can be used by the error path in the
nf_tables_newrule routine.
Only the select_ops of nft_compat.c allocates memory and holds
modules so far.
Signed-off-by: Taehee
ces allocated in nft_expr_type->select_ops.
The second patch modifies the error path of nf_table_newrule by
using the nft_expr_type->release callback.
The third patch solves the use-after-free problem in nf_tables_rule_destroy.
Taehee Yoo (3):
netfilter: nf_tables: add release callback in nft_
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9134cc4..32bc32f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/n
ipt_get_target is used to get struct xt_entry_target
and ipt_get_target_c is used to get const struct xt_entry_target.
However, in ipt_do_table, ipt_get_target is used to get
const struct xt_entry_target. It should be replaced by ipt_get_target_c.
Signed-off-by: Taehee Yoo <ap420...@gmail.
ebt_get_target similar to {ip/ip6/arp}t_get_target.
and ebt_get_target_c similar to {ip/ip6/arp}t_get_target_c.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/uapi/linux/netfilter_bridge/ebtables.h | 6 ++
net/bridge/netfilter/ebtables.c
In the check_target, ip6t_get_target is called twice.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/ipv6/netfilter/ip6_tables.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 0045087..0772f44 100644
---
.
But we can simply use the '!' operator.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/linux/netfilter_bridge/ebtables.h | 4
net/bridge/netfilter/ebtables.c | 2 +-
2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/include/linux/netfilter_bridge/ebtable
An ebt_free_table_info frees all of the chainstacks.
It is similar to xt_free_table_info. This inline function
reduces code lines.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/bridge/netfilter/ebtables.c | 39 +++
1 file changed, 15 insertions(
There is no __exit mark in the helper modules,
because these exit functions used to be called by the init function,
but now they are not. So we can add the __exit mark.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nf_conntrack_ftp.c | 3 +--
net/netfilter/nf_conntrack_irc.
xtables uses ADD_COUNTER macro to increase
packet and byte count. ebtables also can use this.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/bridge/netfilter/ebtables.c | 17 ++---
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/net/bridge/netfilter/ebta
In ip_rcv, IPSTATS_MIB_CSUMERRORS is increased when
a checksum error occurs.
The bridge netfilter routine should increase IPSTATS_MIB_CSUMERRORS.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/bridge/br_netfilter_hooks.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
The parameter protoff in nf_conntrack_broadcast_help is not used anywhere.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/net/netfilter/nf_conntrack_helper.h | 3 +--
net/netfilter/nf_conntrack_broadcast.c | 1 -
net/netfilter/nf_conntrack_netbios_ns.c | 5 +++--
net/net
If we use ipv6_addr_is_multicast instead of xt_cluster_ipv6_is_multicast,
then we can reduce the code size.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/xt_cluster.c | 10 +-
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/net/netfilter/xt_cluster.c
The parameter skb in nfnl_acct_overquota is not used anywhere.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/linux/netfilter/nfnetlink_acct.h | 3 +--
net/netfilter/nfnetlink_acct.c | 3 +--
net/netfilter/xt_nfacct.c| 2 +-
3 files changed, 3 insertions
The prototype nf_ct_nat_offset is not used anymore.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/net/netfilter/nf_conntrack.h | 5 -
1 file changed, 5 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h
b/include/net/netfilter/nf_conntrack.h
index f5223bf..0
2017-12-26 12:25 GMT+09:00 kbuild test robot :
>
> Fixes: 499b2f89cea8 ("netfilter: nf_nat_snmp_basic: use asn1 decoder library")
> Signed-off-by: Fengguang Wu
> ---
> nf_nat_snmp_basic_main.c |4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Use nf_ct_helper_log to write log message.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V5 :
- fix sparse error
V4 :
- rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c
to fix compile error
V3 :
- be separated by previous patch.
V2 :
- Add missing nf_nat_snmp_basic.asn
mangles only first octet of IPv4 address.
But after this patch, the SNMP ALG mangles the whole IPv4 address.
SNMPv3 is not supported.
I tested with snmp commands such as snmpd, snmpwalk, snmptrap.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V5 :
- fix sparse error
V4 :
-
To see debug messages of nf_nat_snmp_basic, we should set the debug value
when we insert this module. But it is inconvenient, and using only
dynamic debugging is enough to debug.
This patch just removes the debug code. Then in the next patch, debugging code
will be added.
Signed-off-by: Taehee Yoo
The snmp_translate() receives ctinfo data only to get the dir value.
Because the caller already has the dir value, we just replace ctinfo with dir.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V5 :
- fix sparse error
V4 :
- rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c
to fix c
Remove comments that do not let us know important information.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V5 :
- fix sparse error
V4 :
- rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c
to fix compile error
V3 :
- be separated by previous patch.
V2 :
- Add m
/debug/dynamic_debug/control
V5 :
- fix sparse error
V4 :
- rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c
to fix compile error
V3 :
- be separated by previous patch.
V2 :
- Add missing nf_nat_snmp_basic.asn1 file
V1 :
- Initial patch
Taehee Yoo (5):
netfilter: nf_nat_snmp_basic:
mangles only first octet of IPv4 address.
But after this patch, the SNMP ALG mangles the whole IPv4 address.
SNMPv3 is not supported.
I tested with snmp commands such as snmpd, snmpwalk, snmptrap.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V4 :
- rename nf_nat_snmp_b
The snmp_translate() receives ctinfo data only to get the dir value.
Because the caller already has the dir value, we just replace ctinfo with dir.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V4 :
- rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c
to fix compile error
V3 :
- be sep
Use nf_ct_helper_log to write log message.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V4 :
- rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c
to fix compile error
V3 :
- be separated by previous patch.
V2 :
- Add missing nf_nat_snmp_basic.asn1 file
V1 :
- Initial
Remove comments that do not let us know important information.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V4 :
- rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c
to fix compile error
V3 :
- be separated by previous patch.
V2 :
- Add missing nf_nat_snmp_basic.asn1 fi
To see debug messages of nf_nat_snmp_basic, we should set the debug value
when we insert this module. But it is inconvenient, and using only
dynamic debugging is enough to debug.
This patch just removes the debug code. Then in the next patch, debugging code
will be added.
Signed-off-by: Taehee Yoo
ys/kernel/debug/dynamic_debug/control
V4 :
- rename nf_nat_snmp_basic.c to nf_nat_snmp_basic_main.c
to fix compile error
V3 :
- be separated by previous patch.
V2 :
- Add missing nf_nat_snmp_basic.asn1 file
V1 :
- Initial patch
Taehee Yoo (5):
netfilter: nf_nat_snmp_basic: remove useless comment
Hi,
I found a strange result while testing netfilter with the RATEEST target and
rateest match.
Please look at the test environment and result below.
#Network
PC1(192.168.4.2) < ---> FW1(192.168.4.1)
PC2(192.168.5.2) < ---> FW2(192.168.5.1)
FW1 kernel version : before
The snmp_translate() receives ctinfo data only to get the dir value.
Because the caller already has the dir value, we just replace ctinfo with dir.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V3 :
- be separated by previous patch.
V2 :
- Add missing nf_nat_snmp_basic.asn1 file
V1 :
- I
mangles only first octet of IPv4 address.
But after this patch, the SNMP ALG mangles the whole IPv4 address.
SNMPv3 is not supported.
I tested with snmp commands such as snmpd, snmpwalk, snmptrap.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V3 :
- be separated by previous patch.
V2 :
Remove comments that do not let us know important information.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V3 :
- be separated by previous patch.
V2 :
- Add missing nf_nat_snmp_basic.asn1 file
V1 :
- Initial patch
net/ipv4/netfilter/nf_nat_snmp_basic.
Use nf_ct_helper_log to write log message.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V3 :
- be separated by previous patch.
V2 :
- Add missing nf_nat_snmp_basic.asn1 file
V1 :
- Initial patch
net/ipv4/netfilter/nf_nat_snmp_basic.c | 11 ++-
1 file changed, 6 inse
c +p' > /sys/kernel/debug/dynamic_debug/control
V3 :
- be separated by previous patch.
V2 :
- Add missing nf_nat_snmp_basic.asn1 file
V1 :
- Initial patch
Taehee Yoo (5):
netfilter: nf_nat_snmp_basic: remove useless comment
netfilter: nf_nat_snmp_basic: remove debug parameter
netfilter: n
To see debug messages of nf_nat_snmp_basic, we should set the debug value
when we insert this module. But it is inconvenient, and using only
dynamic debugging is enough to debug.
This patch just removes the debug code. Then in the next patch, debugging code
will be added.
Signed-off-by: Taehee Yoo
Hi Pablo
I apologize for late reply.
2017-11-13 22:50 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> Hi Taehee,
>
> On Tue, Nov 07, 2017 at 11:58:36PM +0900, Taehee Yoo wrote:
>> The basic SNMP ALG parse snmp ASN.1 payload
>> however, since 2012 linux kernel pr
mangles only first octet of IPv4 address.
But after this patch, the SNMP ALG mangles the whole IPv4 address.
SNMPv3 is not supported.
I tested with snmp commands such as snmpd, snmpwalk, snmptrap.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
v2:
- Add missing nf_nat_snmp_basic.asn1 fi
2017-11-06 23:44 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> On Sun, Oct 29, 2017 at 09:34:53PM +0900, Taehee Yoo wrote:
>> The basic SNMP ALG parse snmp ASN.1 payload
>> however, since 2012 linux kernel provide ASN.1 decoder library.
>> If we use ASN.1 decoder
mangles only first octet of IPv4 address.
But after this patch, the SNMP ALG mangles the whole IPv4 address.
SNMPv3 is not supported.
I tested with snmp commands such as snmpd, snmpwalk, snmptrap.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/ipv4/netfilter/Kconfig |1
_mutex);
[ 115.427760]lock(sk_lock-AF_INET);
[ 115.434723] lock(rtnl_mutex);
[ 115.438267]
[ 115.438267] *** DEADLOCK ***
[ ... ]
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V2:
- Do not modify the xt_TEE.h
V1:
- Initial version
net/netfil
2017-09-04 0:32 GMT+09:00 Jan Engelhardt <jeng...@inai.de>:
>
> On Sunday 2017-09-03 16:30, Taehee Yoo wrote:
>
>>When xt_TEE target is inserted, lockdep warns about possible
>>DEADLOCK situation. to avoid deadlock situation
>>the register_netdevice_notifier() shou
_mutex);
[ 115.427760]lock(sk_lock-AF_INET);
[ 115.434723] lock(rtnl_mutex);
[ 115.438267]
[ 115.438267] *** DEADLOCK ***
[ ... ]
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/uapi/linux/netfilter/xt_TEE.h | 3 +-
net/netfil
lock(rtnl_mutex);
[ 148.996708]lock(sk_lock-AF_INET);
[ 149.003559] lock(rtnl_mutex);
[ 149.007103]
*** DEADLOCK ***
[ ... ]
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 70 +-
1
nfulnl_log_packet() was added to make sure that the NFLOG target
works only as a user-space logger. But now nf_log_packet() can find the proper
log function using NF_LOG_TYPE_ULOG and NF_LOG_TYPE_LOG.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/net/netfilter/nfnetlink_log.
-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/xt_connlimit.c | 23 ---
1 file changed, 8 insertions(+), 15 deletions(-)
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 97589b8..ffa8eec 100644
--- a/net/netfilter/xt_connlimit.c
+++
The target variable is not used in compat_copy_entry_from_user().
So it can be removed.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/ipv4/netfilter/arp_tables.c | 2 --
net/ipv4/netfilter/ip_tables.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/net/ipv4/net
+0x60/0x60
[ ... ]
After this patch, ipt_do_table() tries to get the IP header
only when the verdict is XT_CONTINUE.
arpt_do_table() is also modified because it has the same bug.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V3:
- Modified arpt_do_table() is added.
V2:
- Change commit log messag
2017-07-26 20:06 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> On Wed, Jul 26, 2017 at 11:27:16AM +0200, Florian Westphal wrote:
>> Taehee Yoo <ap420...@gmail.com> wrote:
>> > If verdict is NF_STOLEN in the SYNPROXY target,
>> > the skb is consumed.
&g
2017-06-20 3:04 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> On Tue, Jun 06, 2017 at 12:21:25AM +0900, Taehee Yoo wrote:
>> diff --git a/net/netfilter/nfnetlink_queue.c
>> b/net/netfilter/nfnetlink_queue.c
>> index 8a0f218..bb27e99 100644
>> --- a/net/net
. xt_osf_match_packet
-xt_match.match
--nf_hook()
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
V2:
- Remove comments.
- The rcu_read_lock under below functions are removed.
- {tcp, udp, sctp}_app_conn_bind,
- ip_vs_bypass_xmit,
- ip_vs_bypass_xmit_v6,
- ip_vs_na
2017-05-24 21:25 GMT+09:00 Julian Anastasov :
>
> Hello,
>
> The IPVS part from patch looks good but can be extended
> to also remove rcu_read_lock and rcu_read_unlock from:
>
> 1. all app_conn_bind methods because ip_vs_bind_app() is called
> always under RCU lock
()
17. check_hlist
-count_tree
--count_them
---connlimit_mt
---xt_match.match
nf_hook()
18. hashlimit_mt_common
-hashlimit_mt_v1
--xt_match.match
---nf_hook()
-hashlimit_mt
--xt_match.match
---nf_hook()
19. xt_osf_match_packet
-xt_match.match
--nf_hook()
Signed-off-by: Taehee Yoo <ap
Thank you for your review!
2017-04-07 4:51 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> On Tue, Mar 28, 2017 at 12:28:50AM +0900, Taehee Yoo wrote:
>> __nf_nat_decode_session is called from nf_nat_decode_session as decodefn.
>> before calling decodefn, it already
__nf_nat_decode_session is called from nf_nat_decode_session as decodefn.
Before calling decodefn, it has already taken rcu_read_lock, so the rcu_read_lock in
__nf_nat_decode_session can be removed.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nf_nat_core.c | 7 ++-
1 file c
org/patch/565170,
> http://patchwork.ozlabs.org/patch/565171
>
> But they are not accepted until now.
> Is there any problem now?
>
> Best Regards
> Feng
>
> On Sun, May 22, 2016 at 11:03 PM, Taehee Yoo <ap420...@gmail.com> wrote:
>>
>> 2016-05-17 19:38 G
2016-05-17 19:38 GMT+09:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> On Sat, May 14, 2016 at 10:19:16PM +0900, Taehee Yoo wrote:
>> when register to helper, each helper adds port to name.
>> correct form is 'protocol name-port' but irc, sip and tftp adds
>>
Helpers should unregister only the registered ports.
But a helper cannot have the correct registered-ports value when
registration fails.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nf_conntrack_ftp.c | 1 +
net/netfilter/nf_conntrack_irc.c | 1 +
net/net
When registering a helper, each helper adds the port to the name.
The correct form is 'protocol name-port', but irc, sip and tftp add
an iterator value. So this fixes it.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nf_conntrack_irc.c | 2 +-
net/netfilter/nf_conntrack_sip.c | 2 +