rbnode in insert_tree() is an RCU-protected pointer.
So, in order to handle this pointer, an _rcu function should be used.
rb_link_node_rcu() is the RCU version of rb_link_node().
Fixes: 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal")
Signed-off-by: Taehee Yoo
---
net
t;netfilter: nf_tables: bogus EBUSY in chain deletions")
Reported by: Christoph Anton Mitterer
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505
Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_tables_api.c | 15 ---
1
On Mon, 26 Nov 2018 at 20:28, Pablo Neira Ayuso wrote:
>
> On Mon, Nov 26, 2018 at 06:39:28PM +0900, Taehee Yoo wrote:
> > Hi Pablo,
> >
> > According to Masahiro Yamada, this is a Kconfig bug and he is fixing Kconfig.
> > https://lkml.org/lkml/2018/11/26/291
>
89279.430135] ? is_bpf_text_address+0x5/0xf0
[89279.430135] ? check_flags.part.35+0x440/0x440
[89279.430135] ? __lock_is_held+0xb4/0x140
[89279.430135] nf_tables_commit+0x2555/0x39c0 [nf_tables]
Fixes: f102d66b335a4 ("netfilter: nf_tables: use dedicated mutex to guard
transactions")
Hi Pablo,
According to Masahiro Yamada, this is a Kconfig bug and he is fixing Kconfig.
https://lkml.org/lkml/2018/11/26/291
So I think this patch will be useless.
Could you check it?
Thanks!
On Sun, 18 Nov 2018 at 23:39, Taehee Yoo wrote:
>
> xt_TEE.c needs nf_dup_ipv6.c to s
count: fix list_del corruption in
conn_free")
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_conncount.c | 7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 8acae4a3e4c0..b6d0f6deea86 100644
--- a/net
37/0x92 [nf_tables]
[ ... ]
Fixes: 8dd33cc93ec9 ("netfilter: nf_nat: generalize IPv4 masquerading support
for nf_tables")
Fixes: be6b635cd674 ("netfilter: nf_nat: generalize IPv6 masquerading support
for nf_tables")
Signed-off-by: Taehee Yoo
---
v2:
- Add second patch
- return
-register, masquerade modules manage
reference count. But it's not enough.
So this patch uses a mutex instead of an atomic value.
v2:
- Add second patch
- return success when notifier is already registered. (Florian Westphal)
v1: Initial patch
Taehee Yoo (2):
netfilter: add missing error handling
register_{netdevice/inetaddr/inet6addr}_notifier returns a value that
could be an error value, so error handling code is needed.
Signed-off-by: Taehee Yoo
---
v2:
- Add second patch
- return success when notifier is already registered. (Florian Westphal)
v1: Initial patch
.../net/netfilter
On Tue, 20 Nov 2018 at 06:19, Florian Westphal wrote:
>
Hi Florian!
Thank you for the review!
> Taehee Yoo wrote:
> > register_{netdevice/inetaddr/inet6addr}_notifier returns a value that
> > could be an error value, so error handling code is needed.
>
> Nothing sh
register_{netdevice/inetaddr/inet6addr}_notifier returns a value that
could be an error value, so error handling code is needed.
Signed-off-by: Taehee Yoo
---
.../net/netfilter/ipv4/nf_nat_masquerade.h| 2 +-
.../net/netfilter/ipv6/nf_nat_masquerade.h| 2 +-
net/ipv4/netfilter
On Mon, 19 Nov 2018 at 02:15, Randy Dunlap wrote:
>
> On 11/18/18 6:39 AM, Taehee Yoo wrote:
> > xt_TEE.c needs nf_dup_ipv6.c to support ipv6 packet duplication.
> > So if xt_TEE is enabled, nf_dup_ipv6 will be automatically selected.
> > But there is build failur
`tee_tg6':
net/netfilter/xt_TEE.c:57: undefined reference to `nf_dup_ipv6'
This patch disallows the above config.
Fixes: 5d400a4933e8 ("netfilter: Kconfig: Change select IPv6 dependencies")
Reported-by: Randy Dunlap
Reported-by: Stephen Rothwell
Signed-off-by: Taehee Yoo
In htable_create(), hinfo is allocated by vmalloc(),
so if an error occurs, hinfo should be freed.
Fixes: 11d5f15723c9 ("netfilter: xt_hashlimit: Create revision 2 to support
higher pps rates")
Signed-off-by: Taehee Yoo
---
net/netfilter/xt_hashlimit.c | 9 +++--
1 file
nf_flow_offload_gc_step() and nf_flow_table_iterate() are very similar,
so a lot of duplicate code can be removed.
After this patch, nf_flow_offload_gc_step() is a simple callback function of
nf_flow_table_iterate(), like nf_flow_table_do_cleanup().
Signed-off-by: Taehee Yoo
---
net/netfilter
nf_flow_table_iterate() is a local function.
It can be a static function.
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nf_flow_table.h | 4
net/netfilter/nf_flow_table_core.c| 8
2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/include/net/netfilter
lookup routine.
So the duplicate code in nf_flow_offload_gc_step() can be removed.
Taehee Yoo (2):
netfilter: nf_flow_table: make nf_flow_table_iterate() static
netfilter: nf_flow_table: simplify nf_flow_offload_gc_step()
include/net/netfilter/nf_flow_table.h | 4 ---
net/netfilter
--local-node 1
After this patch, the above commands are disallowed.
v3: add Fourth patch.
v2:
- use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso)
- add missing dev_mc_add() and dev_mc_del().
- add Third patch.
v1: Initial patch
Signed-off-by: Taehee Yoo
---
net/ipv4/netfilter
x630 [ipt_CLUSTERIP]
[ ... ]
v3: add Fourth patch.
v2:
- use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso)
- add missing dev_mc_add() and dev_mc_del().
- add Third patch.
v1: Initial patch
Fixes: b3e456fce9f5 ("netfilter: ipt_CLUSTERIP: fix a race condition of proc
file creation&quo
nstead of spin_lock() (Pablo Neira Ayuso)
- add missing dev_mc_add() and dev_mc_del().
- add Third patch.
v1: Initial patch
Fixes: 613d0776d3fe ("netfilter: exit_net cleanup check added")
Signed-off-by: Taehee Yoo
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 -
1 file changed, 1 deletio
x94/0x140
[ 342.123094] cleanup_net+0x45b/0x900
[ ... ]
v3: add Fourth patch.
v2:
- use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso)
- add missing dev_mc_add() and dev_mc_del().
- add Third patch.
v1: Initial patch
Fixes: 202f59afd441 ("netfilter: ipt_CLUSTERIP: do not hold dev
mc_del().
- add Third patch.
v1: Initial patch
Taehee Yoo (4):
netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit
routine
netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in
clusterip_config_entry_put()
net
: Initial patch
Fixes: cb2b36f5a97d ("netfilter: nf_conncount: Switch to plain list")
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_conncount.c | 17 ++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
ira Ayuso)
- Add Third patch.
v1: Initial patch
Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and
RCU for init tree search")
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_conncount.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --
[ ... ]
v2:
- Use spin_lock_bh() in nf_conncount_add() (Pablo Neira Ayuso)
- Add Third patch.
v1: Initial patch
Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and
RCU for init tree search")
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_conncount.c | 12 ++--
1
Taehee Yoo (3):
netfilter: nf_conncount: use spin_lock_bh instead of spin_lock
netfilter: nf_conncount: fix list_del corruption in conn_free
netfilter: nf_conncount: fix unexpected permanent node of list.
net/netfilter/nf_conncount.c | 36 +---
1 file changed
On Sat, 3 Nov 2018 at 22:47, Pablo Neira Ayuso wrote:
>
> Hi Taehee!
>
> On Wed, Oct 31, 2018 at 03:22:22AM +0900, Taehee Yoo wrote:
> > On Tue, 30 Oct 2018 at 08:00, Pablo Neira Ayuso wrote:
> > >
> >
> > Hi Pablo,
> > Thank you for review!
>
: 0123183f43a9 ("iptables-test: add -N option to exercise netns removal
path")
Reported-by: Pablo Neira Ayuso
Signed-off-by: Taehee Yoo
---
iptables-test.py | 22 +-
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/iptables-test.py b/iptables-test.py
inde
Thanks to all reviewer!
On Tue, 30 Oct 2018 at 08:41, Florian Westphal wrote:
>
> Pablo Neira Ayuso wrote:
> > On Thu, Oct 25, 2018 at 11:56:12PM +0900, Taehee Yoo wrote:
> > > conn_free() holds lock with spin_lock(). and it is called by both
> > > nf_conncount_loo
On Tue, 30 Oct 2018 at 08:00, Pablo Neira Ayuso wrote:
>
Hi Pablo,
Thank you for review!
> On Fri, Oct 19, 2018 at 12:27:57AM +0900, Taehee Yoo wrote:
> > xt_rateest_net_exit() was added to check whether rules are flushed
> > successfully. but ->net_exit() callback i
st lock and gc worker, and
RCU for init tree search")
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_conncount.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 8c6ece33b31f..2d7527533cf6 100644
double delete of list element.
So a dead flag is added.
Taehee Yoo (2):
netfilter: nf_conncount: use spin_lock_bh instead of spin_lock
netfilter: nf_conncount: fix list_del corruption in conn_free
net/netfilter/nf_conncount.c | 13 -
1 file changed, 8 insertions(+), 5 deletions
Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and
RCU for init tree search")
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_conncount.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_c
timer_tg_checkentry+0x3e5/0xb1b [xt_IDLETIMER]
[95765.449755] ? rcu_read_lock_sched_held+0x114/0x130
[95765.449755] ? __kmalloc_track_caller+0x211/0x2b0
[95765.449755] ? memcpy+0x34/0x50
[95765.449755] idletimer_tg_checkentry+0x4e2/0xb1b [xt_IDLETIMER]
[ ... ]
Fixes: 0902b469bd25 ("netfilter:
held+0xb4/0x140
[ 668.813518] process_one_work+0xc13/0x1de0
[ 668.813518] ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[ 668.813518] ? set_load_weight+0x270/0x270
[ ... ]
Fixes: 3427b2ab63fa ("netfilter: make xt_rateest hash table per net")
Signed-off-by: Taehee Yoo
---
net/netfilter/xt_RAT
The /include/net/netfilter/nfnetlink_log.h file is empty,
so it can be removed.
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nfnetlink_log.h | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 include/net/netfilter/nfnetlink_log.h
diff --git a/include/net/netfilter/nfnetlink_log.h
x630 [ipt_CLUSTERIP]
[ ... ]
v3: add Third patch.
v2:
- use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso)
- add missing dev_mc_add() and dev_mc_del().
v1: Initial patch
Fixes: b3e456fce9f5 ("netfilter: ipt_CLUSTERIP: fix a race condition of proc
file creation")
Signed-off-by: Taehee
n_lock() (Pablo Neira Ayuso)
- add missing dev_mc_add() and dev_mc_del().
v1: Initial patch
Taehee Yoo (3):
netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit
routine
netfilter: ipt_CLUSTERIP: fix sleep-in-atom
x94/0x140
[ 342.123094] cleanup_net+0x45b/0x900
[ ... ]
v3: add Third patch.
v2:
- use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso)
- add missing dev_mc_add() and dev_mc_del().
v1: Initial patch
Fixes: 202f59afd441 ("netfilter: ipt_CLUSTERIP: do not hold dev")
Signed-off-by: Ta
nstead of spin_lock() (Pablo Neira Ayuso)
- add missing dev_mc_add() and dev_mc_del().
v1: Initial patch
Fixes: 613d0776d3fe ("netfilter: exit_net cleanup check added")
Signed-off-by: Taehee Yoo
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/ne
interface that has index is same with offload
is down, that offload will be removed.
This patch adds netns checking code to the offload cleanup routine.
Fixes: 59c466dd68e7 ("netfilter: nf_flow_table: add a new flow state for
tearing down offloading")
Signed-off-by: Taehee Yoo
---
v2: do
The parameter net of nf_flow_table_cleanup() is not used,
so it can be removed.
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nf_flow_table.h | 2 +-
net/netfilter/nf_flow_table_core.c| 2 +-
net/netfilter/nft_flow_offload.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions
On Thu, 11 Oct 2018 at 19:17, Pablo Neira Ayuso wrote:
>
Hi Pablo,
> On Wed, Oct 10, 2018 at 07:56:18PM +0200, Pablo Neira Ayuso wrote:
> > On Sun, Oct 07, 2018 at 12:09:32AM +0900, Taehee Yoo wrote:
> > > checkentry(tee_tg_check) should initialize priv->oif from dev if
On Thu, 11 Oct 2018 at 03:09, Pablo Neira Ayuso wrote:
>
Hi Pablo,
Thank you for review!
> On Tue, Oct 09, 2018 at 02:59:48AM +0900, Taehee Yoo wrote:
> > When interface is down, offload cleanup function(nf_flow_table_do_cleanup)
> > is called and that checks whether interfac
On Thu, 11 Oct 2018 at 02:32, Pablo Neira Ayuso wrote:
>
Hi Pablo,
Thank you for review!
> On Sat, Oct 06, 2018 at 01:42:42AM +0900, Taehee Yoo wrote:
> > diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c
> > b/net/ipv4/netfilter/ipt_CLUSTERIP.c
> > index 2c8d313ae
On Tue, 9 Oct 2018 at 08:19, Pablo Neira Ayuso wrote:
>
> Hi Taehee,
>
Hi Pablo,
Thank you for your review!
> I can reproduce it, so this is a bug :-). Still one question below:
>
> On Tue, Oct 02, 2018 at 02:17:14AM +0900, Taehee Yoo wrote:
> [...]
> >
aring down offloading")
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nf_flow_table.h | 2 +-
net/netfilter/nf_flow_table_core.c| 10 +++---
net/netfilter/nft_flow_offload.c | 2 +-
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/include/net/netfilter/nf_flow_
elper-snmp_trap" by MODULE_ALIAS_NFCT_HELPER(snmp_trap)
test command:
%iptables -t raw -I PREROUTING -p udp -j CT --helper snmp_trap
%lsmod | grep nf_nat_snmp_basic
We can see that the nf_nat_snmp_basic module is loaded automatically.
Signed-off-by: Taehee Yoo
---
net/ipv4/netfilter/nf_nat_snmp_b
The above rule is in the root netns, but that rule could get the enp2s0
ifindex of vm1 via the notifier handler.
After this patch, the TEE rule is added to the per-netns list.
Fixes: 9e2f6c5d78db ("netfilter: Rework xt_TEE netdevice notifier")
Signed-off-by: Taehee Yoo
---
net/netfilter/xt_
ted.
Taehee Yoo (2):
netfilter: xt_TEE: fix wrong interface selection
netfilter: xt_TEE: add missing code to get interface index in
checkentry.
net/netfilter/xt_TEE.c | 76 --
1 file changed, 59 insertions(+), 17 deletions(-)
--
2.17.1
net cleanup check added")
Signed-off-by: Taehee Yoo
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c
b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 6ccabe6f74a6..20b452df856c 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.
x94/0x140
[ 342.123094] cleanup_net+0x45b/0x900
[ ... ]
Fixes: 202f59afd441 ("netfilter: ipt_CLUSTERIP: do not hold dev")
Signed-off-by: Taehee Yoo
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 71 +-
1 file changed, 40 insertions(+), 31 deletions(-)
diff --git a/n
0x3e0
[ 399.686238] ? kthread_create_worker_on_cpu+0xc0/0xc0
[ 399.692027] ret_from_fork+0x3a/0x50
[ 399.696210] INFO: lockdep is turned off.
Taehee Yoo (2):
netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns
exit
it_net) doesn't make flowtable leak.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_tables_api.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f0159eea2978..42487d01a3ed 100644
--- a/net/netfilter/nf_tables_api.c
+++
Internally, rhashtable_lookup_fast() calls rcu_read_lock() and then
calls rhashtable_lookup(), so in places that are guaranteed
by the RCU read lock, rhashtable_lookup() is enough.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_flow_table_core.c | 4 ++--
net/netfilter/nft_set_hash.c | 8
nf_flow_offload_{ip/ipv6}_hook() checks the nat flag and then calls
nf_flow_nat_{ip/ipv6}, but that also checks the nat flag, so the
nat flag check code in nf_flow_offload_{ip/ipv6}_hook() is unnecessary.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_flow_table_ip.c | 6 ++
1 file changed, 2 insertions
rhashtable_walk_init() is deprecated and rhashtable_walk_enter() can be
used instead. rhashtable_walk_init() is a wrapper function of
rhashtable_walk_enter(), so the logic is actually the same.
But rhashtable_walk_enter() doesn't return an error, hence the error path
code can be removed.
Signed-off-by: Taehee
__nf_nat_mangle_tcp_packet() and nf_nat_mangle_udp_packet() call
mangle_contents(), and __nf_nat_mangle_tcp_packet()
and mangle_contents() call skb_is_nonlinear(), so
skb_is_nonlinear() in __nf_nat_mangle_tcp_packet() is unnecessary.
Signed-off-by: Taehee Yoo
---
net/netfilter
nf_nat_redirect_ipv4() and nf_nat_redirect_ipv6() are only called from
netfilter hook points, so rcu_read_lock() and rcu_read_unlock() are
unnecessary.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_nat_redirect.c | 4
1 file changed, 4 deletions(-)
diff --git a/net/netfilter
[ 430.535635] ? do_raw_spin_trylock+0x101/0x1a0
[ 430.535635] ? do_raw_spin_lock+0x1f0/0x1f0
[ 430.535635] ? _raw_spin_lock_irq+0x10/0x70
[ 430.535635] worker_thread+0x15d/0x1120
[ ... ]
Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by:
Fixes: 8411b6442e59 ("netfilter: nf_tables: support for set flushing")
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1dca5683f59f..2cfb173cd0b2 100644
---
1f2d0 ("netfilter: nf_tables: add netlink set API")
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nf_tables.h | 4 ++--
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nft_set_bitmap.c| 6 +++---
net/netfilter/nft_set_hash.c | 8
net/netfilter/nft_se
2018-07-19 1:44 GMT+09:00 Pablo Neira Ayuso :
> Hi,
>
> On Tue, Jul 10, 2018 at 11:22:36PM +0900, Taehee Yoo wrote:
>> In order to restrict element number of each set, member ->size is used.
>> that used to be given by user-space. if user-space don't specify ->
2018-07-17 1:09 GMT+09:00 Pablo Neira Ayuso :
> Hi Taehee,
>
> On Tue, Jul 10, 2018 at 11:22:01PM +0900, Taehee Yoo wrote:
>> This patch fixes below.
>> 1. check null pointer of rb_next.
>> rb_next can return null, so a null check routine should be added.
>> 2. a
blo Neira Ayuso
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nf_tables.h | 4 ++--
net/netfilter/nf_tables_api.c | 11 ---
net/netfilter/nft_immediate.c | 3 +++
net/netfilter/nft_lookup.c| 13 +++--
4 files changed, 20 insertions(+), 11 deletions(-)
diff
2018-07-12 7:33 GMT+09:00 Pablo Neira Ayuso :
> On Mon, Jun 11, 2018 at 09:04:39PM +0900, Taehee Yoo wrote:
> [...]
>> diff --git a/include/net/netfilter/nf_tables.h
>> b/include/net/netfilter/nf_tables.h
>> index 08c005c..a7d6476 100644
>> --- a/include/net/netfilte
ble ip aa {
map map1 {
type ipv4_addr : verdict
size 65535
}
}
V2:
- Add a default set->size value instead of adding a set->size check routine.
- Requested by Florian Westphal
Suggested-by: Florian Westphal
Signed-off-by: Taehee Yoo
---
/0x1b0
[ 2402.534212] ? do_raw_spin_lock+0x1f0/0x1f0
[ 2402.534212] worker_thread+0x169/0x1150
V2:
- Do not add interval check routine in nft_set_rbtree.
- Requested by Pablo Neira Ayuso
Fixes: 8d8540c4f5e0("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by: Taehee Yoo
ck_cpu+0x132/0x170
[ 200.990352] ? find_held_lock+0x39/0x1b0
[ 200.994355] ? sched_clock_local+0x10d/0x130
[ 200.999531] ? memset+0x1f/0x40
Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts")
Signed-off-by: Taehee Yoo
---
net/netfilter/nft_set_hash.c | 1 +
1
alue instead add check set->size routine.
Requested by Florian Westphal
Taehee Yoo (3):
netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy()
netfilter: nft_set_rbtree: fix panic when destroying set by GC
netfilter: nf_tables: add default set size
net/netfilter/nf
2018-07-09 22:56 GMT+09:00 Pablo Neira Ayuso :
> On Sun, Jul 01, 2018 at 08:43:16PM +0900, Taehee Yoo wrote:
>> This patch series fixes nft_set_hash and nft_set_rbtree bugs.
>>
>> First patch adds nft_rhash_iterate_destroy().
>> it walks and destroys all elemen
2018-07-09 22:48 GMT+09:00 Pablo Neira Ayuso :
> On Tue, Jul 03, 2018 at 11:40:06PM +0900, Taehee Yoo wrote:
>> 2018-07-03 19:20 GMT+09:00 Pablo Neira Ayuso :
>> > On Sun, Jul 01, 2018 at 08:44:52PM +0900, Taehee Yoo wrote:
>> >> This patch fixes below.
>>
2018-07-03 19:20 GMT+09:00 Pablo Neira Ayuso :
> On Sun, Jul 01, 2018 at 08:44:52PM +0900, Taehee Yoo wrote:
>> This patch fixes below.
>> 1. check null pointer of rb_next.
>> rb_next can return null, so a null check routine should be added.
>> 2. check wheth
2018-07-02 20:38 GMT+09:00 Florian Westphal :
> Taehee Yoo wrote:
>> set->nelems is increased when set->size is given,
>> so a set->size checking routine should be added.
>
> Does it make sense to have sets with no upper size?
>
> I think it makes more
2018-07-02 20:45 GMT+09:00 Florian Westphal :
> Taehee Yoo wrote:
>> In order to destroy elements of set, a rhashtable_free_and_destroy()
>> is used. the rhashtable_free_and_destroy() cancels a re-hash deferred work
>> then walks and destroys elements. at this moment, some
: 8d8540c4f5e0("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by: Taehee Yoo
---
net/netfilter/nft_set_rbtree.c | 34 ++
1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtr
+0x10d/0x130
[ 200.999531] ? memset+0x1f/0x40
Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts")
Signed-off-by: Taehee Yoo
---
net/netfilter/nft_set_hash.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash
set->nelems is increased when set->size is given,
so a set->size checking routine should be added.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_tables_api.c | 6 --
net/netfilter/nft_set_hash.c | 3 ++-
net/netfilter/nft_set_rbtree.c | 7 ---
3 files changed, 10 inserti
999531] ? memset+0x1f/0x40
Signed-off-by: Taehee Yoo
---
net/netfilter/nft_set_hash.c | 42 +++---
1 file changed, 35 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 6f9a136..695d5e8 100644
--- a/net/net
bugs.
The last patch adds a set->size checking routine.
Taehee Yoo (4):
netfilter: nft_set_hash: fix panic when destroying set
netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy()
netfilter: nft_set_rbtree: fix panic when destroying set by GC
netfilter: nf_tables: check
2018-06-27 23:48 GMT+09:00 Pablo Neira Ayuso :
> On Tue, Jun 12, 2018 at 01:54:47AM +0900, Taehee Yoo wrote:
>> In nft_reject_br_send_v4_tcp_reset(), a ttl is set by
>> nf_reject_ip_tcphdr_put(), so the code below is unnecessary.
>
> Applied, thanks.
>
> BT
In nft_reject_br_send_v4_tcp_reset(), a ttl is set by
nf_reject_ip_tcphdr_put(), so the code below is unnecessary.
Signed-off-by: Taehee Yoo
---
net/bridge/netfilter/nft_reject_bridge.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/bridge/netfilter
When the depth of the chain is bigger than NFT_JUMP_STACK_SIZE,
nft_do_chain crashes.
But there is no need to crash hard here.
Suggested-by: Florian Westphal
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_tables_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net
Thank you for reviewing!
On Mon, 11 Jun 2018 at 21:14, Florian Westphal wrote:
>
> Taehee Yoo wrote:
> > The level of struct nft_ctx is updated by nf_tables_check_loops().
>
> [..]
>
> > [ 168.803743] kernel BUG at net/netfilter/nf_tables_core.c:186!
>
> Cou
68.922459] ip_local_deliver+0x293/0x3c0
[ 168.922459] ? ip_call_ra_chain+0x490/0x490
[ 168.922459] ? ip_rcv_finish+0x1910/0x1910
[ 168.922459] ip_rcv+0x802/0xe10
[ ... ]
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nf_tables.h | 4 ++--
net/netfilter/nf_tables_api.c | 10 +++---
net/
: f9121355eb6f ("netfilter: nft_set_rbtree: incorrect assumption on lower
interval lookups")
Signed-off-by: Taehee Yoo
---
net/netfilter/nft_set_rbtree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
ind
In order to allocate an icmpv6 skb, sizeof(struct ipv6hdr) should be used.
Signed-off-by: Taehee Yoo
---
net/bridge/netfilter/nft_reject_bridge.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/nft_reject_bridge.c
b/net/bridge/netfilter/nft_reject_bridge.c
The comment and trace_loginfo are not used anymore.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nf_tables_core.c | 16
1 file changed, 16 deletions(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index d457d85..a1b93fa
] nf_tables_chain_destroy+0x19d/0x210 [nf_tables]
[ 286.449144] nf_tables_commit+0x1891/0x1c50 [nf_tables]
[ 286.449144] nfnetlink_rcv+0x1148/0x13d0 [nfnetlink]
[ ... ]
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nf_tables_api.c | 4 +++-
1 file changed, 3 insertions
]
[ 306.528284] netlink_rcv_skb+0x1c9/0x2f0
[ 306.528284] ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink]
[ 306.528284] ? debug_check_no_locks_freed+0x270/0x270
[ 306.528284] ? netlink_ack+0x7a0/0x7a0
[ 306.528284] ? ns_capable_common+0x6e/0x110
[ ... ]
Signed-off-by: Taehee Yoo <ap420...@gmail.
trace id 16767227 ip filter input rule nftrace set 0 (verdict continue)
trace id 16767227 ip filter input verdict continue
trace id 16767227 ip filter input
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nft_meta.c | 14 --
1 file changed, 8 insertions(+), 6 de
479fe ]---
[ 916.777204] Kernel panic - not syncing: Fatal exception
[ 916.778158] Kernel Offset: 0x1400 from 0x8100 (relocation
range: 0x8000-0xffffbfff)
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nft_ct.c | 20 ---
A validate callback is called just before calling the ->commit callback.
If it fails, ->abort is called.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nfnetlink.c | 13 +
1 file changed, 13 insertions(+)
diff --git a/net/netfilter/nfnetlink.c b/n
mation that is allocated in the nf_tables_validate.
But exceptionally, nf_tables_check_loops can call
that if ops is "immediate".
Now, nft_compat.c uses the common validate routine instead of
nft_compat_chain_validate_dependency.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/net
s->validate() to use chain information array
instead of basechain's data.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/linux/netfilter/nfnetlink.h | 1 +
include/net/netfilter/nf_tables.h | 1 +
include/net/netns/nftables.h| 3 +
net/netfilter/nf_tables_api
The struct nft_af_info was removed.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/net/netns/nftables.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h
index 4813435..29c3851 100644
--- a/include/net/netns/nfta
outine are like below.
1. select_ops()
2. init()
3. call_batch()
4. validate()
5. commit()/abort()
Taehee Yoo (5):
netfilter: nf_tables: use nft_ctx instead of nft_chain
netfilter: nf_tables: remove nft_af_info.
netfilter: nf_tables: add type and hook validate routine
net
This patch prepares for the next patches.
nft_chain_validate_hooks and
nft_chain_validate_dependency are going to use both net and nft_chain.
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
include/net/netfilter/nf_tables.h| 4 ++--
net/bridge/netfilter/nft_reject_bridge.
2018-04-30 3:03 GMT+09:00 Florian Westphal <f...@strlen.de>:
> Taehee Yoo <ap420...@gmail.com> wrote:
>> This patch adds the new release callback to release resources
>> allocated in nft_expr_type->select_ops.
>> This release callback can be used by error path
path
of the nf_tables_newrule anymore.
Steps to reproduce:
$iptables-compat -I OUTPUT -m cpu --cpu 0
$iptables-compat -F
$lsmod
Module Size Used by
xt_cpu 16384 1
Signed-off-by: Taehee Yoo <ap420...@gmail.com>
---
net/netfilter/nf_tables