[PATCH nf] netfilter: nf_conncount: use rb_link_node_rcu() instead of rb_link_node()

rbnode in insert_tree() is rcu protected pointer. So, in order to handle this pointer, _rcu function should be used. rb_link_node_rcu() is a rcu version of rb_link_node(). Fixes: 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal") Signed-off-by: Taehee Yoo --- net

[PATCH nf] netfilter: nf_tables: deactivate expressions in rule replecement routine

t;netfilter: nf_tables: bogus EBUSY in chain deletions") Reported by: Christoph Anton Mitterer Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914505 Link: https://bugzilla.kernel.org/show_bug.cgi?id=201791 Signed-off-by: Taehee Yoo --- net/netfilter/nf_tables_api.c | 15 --- 1

Re: [PATCH nf] netfilter: xt_TEE: fix build failure

On Mon, 26 Nov 2018 at 20:28, Pablo Neira Ayuso wrote: > > On Mon, Nov 26, 2018 at 06:39:28PM +0900, Taehee Yoo wrote: > > Hi Pablo, > > > > According to Masahiro Yamada, this is Kconfig bug and he is fixing Kconfig. > > https://lkml.org/lkml/2018/11/26/291 >

[PATCH nf] netfilter: nf_tables: fix suspicious RCU usage in nft_chain_stats_replace()

89279.430135] ? is_bpf_text_address+0x5/0xf0 [89279.430135] ? check_flags.part.35+0x440/0x440 [89279.430135] ? __lock_is_held+0xb4/0x140 [89279.430135] nf_tables_commit+0x2555/0x39c0 [nf_tables] Fixes: f102d66b335a4 ("netfilter: nf_tables: use dedicated mutex to guard transactions")

Re: [PATCH nf] netfilter: xt_TEE: fix build failure

Hi Pablo, According to Masahiro Yamada, this is Kconfig bug and he is fixing Kconfig. https://lkml.org/lkml/2018/11/26/291 So that I think this patch will be useless. Could you check it up? Thanks! On Sun, 18 Nov 2018 at 23:39, Taehee Yoo wrote: > > xt_TEE.c needs nf_dup_ipv6.c to s

[PATCH nf] netfilter: nf_conncount: remove wrong condition check routine

count: fix list_del corruption in conn_free") Signed-off-by: Taehee Yoo --- net/netfilter/nf_conncount.c | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c index 8acae4a3e4c0..b6d0f6deea86 100644 --- a/net

[PATCH nf v2 2/2] netfilter: nat: fix double register in masquerade modules

37/0x92 [nf_tables] [ ... ] Fixes: 8dd33cc93ec9 ("netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables") Fixes: be6b635cd674 ("netfilter: nf_nat: generalize IPv6 masquerading support for nf_tables") Signed-off-by: Taehee Yoo --- v2: - Add second patch - return

[PATCH nf v2 0/2] netfilter: fix notifier registration bugs

-register, masquerade modules manage reference count. but it's not enough. So that, this patch uses mutex instead of atomic value. v2: - Add second patch - return success when notifier is already registered. (Florian Westphal) v1: Initial patch Taehee Yoo (2): netfilter: add missing error handling

[PATCH nf v2 1/2] netfilter: add missing error handling code for register functions

register_{netdevice/inetaddr/inet6addr}_notifier returns value that could be error value. so that error handling code are needed. Signed-off-by: Taehee Yoo --- v2: - Add second patch - return success when notifier is already registered. (Florian Westphal) v1: Initial patch .../net/netfilter

Re: [PATCH nf-next] netfilter: add missing error handling code for register functions.

On Tue, 20 Nov 2018 at 06:19, Florian Westphal wrote: > Hi Florian! Thank you for the review! > Taehee Yoo wrote: > > register_{netdevice/inetaddr/inet6addr}_notifier returns value that > > could be error value. so that error handling code are needed. > > Nothing sh

[PATCH nf-next] netfilter: add missing error handling code for register functions.

register_{netdevice/inetaddr/inet6addr}_notifier returns value that could be error value. so that error handling code are needed. Signed-off-by: Taehee Yoo --- .../net/netfilter/ipv4/nf_nat_masquerade.h| 2 +- .../net/netfilter/ipv6/nf_nat_masquerade.h| 2 +- net/ipv4/netfilter

Re: [PATCH nf] netfilter: xt_TEE: fix build failure

On Mon, 19 Nov 2018 at 02:15, Randy Dunlap wrote: > > On 11/18/18 6:39 AM, Taehee Yoo wrote: > > xt_TEE.c needs nf_dup_ipv6.c to support ipv6 packet duplication. > > So that if xt_TEE is enabled, nf_dup_ipv6 will be automatically selected. > > But there is build failur

[PATCH nf] netfilter: xt_TEE: fix build failure

`tee_tg6': net/netfilter/xt_TEE.c:57: undefined reference to `nf_dup_ipv6' This patch forces to avoid above config. Fixes: 5d400a4933e8 ("netfilter: Kconfig: Change select IPv6 dependencies") Reported-by: Randy Dunlap Reported-by: Reported-by: Stephen Rothwell Signed-off-by: Taehee Yoo

[PATCH nf] netfilter: xt_hashlimit: fix a possible memory leak in htable_create()

In the htable_create(), hinfo is allocated by vmalloc() So that if error occurred, hinfo should be freed. Fixes: 11d5f15723c9 ("netfilter: xt_hashlimit: Create revision 2 to support higher pps rates") Signed-off-by: Taehee Yoo --- net/netfilter/xt_hashlimit.c | 9 +++-- 1 file

[PATCH nf-next 2/2] netfilter: nf_flow_table: simplify nf_flow_offload_gc_step()

nf_flow_offload_gc_step() and nf_flow_table_iterate() are very similar. so that many duplicate code can be removed. After this patch, nf_flow_offload_gc_step() is simple callback function of nf_flow_table_iterate() like nf_flow_table_do_cleanup(). Signed-off-by: Taehee Yoo --- net/netfilter

[PATCH nf-next 1/2] netfilter: nf_flow_table: make nf_flow_table_iterate() static

nf_flow_table_iterate() is local function. It can be static function. Signed-off-by: Taehee Yoo --- include/net/netfilter/nf_flow_table.h | 4 net/netfilter/nf_flow_table_core.c| 8 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/include/net/netfilter

[PATCH nf-next 0/2] netfilter: nf_flow_table: remove duplicate code in nf_flow_table_core.c

lookup routine. So that duplicate code in nf_flow_offload_gc_step() can be removed. Taehee Yoo (2): netfilter: nf_flow_table: make nf_flow_table_iterate() static netfilter: nf_flow_table: simplify nf_flow_offload_gc_step() include/net/netfilter/nf_flow_table.h | 4 --- net/netfilter

[PATCH nf v3 4/4] netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set

--local-node 1 After this patch, above commands are disallowed. v3: add Fourth patch. v2: - use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso) - add missing dev_mc_add() and dev_mc_del(). - add Third patch. v1: Initial patch Signed-off-by: Taehee Yoo --- net/ipv4/netfilter

[PATCH nf v3 3/4] netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in clusterip_config_entry_put()

x630 [ipt_CLUSTERIP] [ ... ] v3: add Fourth patch. v2: - use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso) - add missing dev_mc_add() and dev_mc_del(). - add Third patch. v1: Initial patch Fixes: b3e456fce9f5 ("netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation&quo

[PATCH nf v3 2/4] netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine

nstead of spin_lock() (Pablo Neira Ayuso) - add missing dev_mc_add() and dev_mc_del(). - add Third patch. v1: Initial patch Fixes: 613d0776d3fe ("netfilter: exit_net cleanup check added") Signed-off-by: Taehee Yoo --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 - 1 file changed, 1 deletio

[PATCH nf v3 1/4] netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine

x94/0x140 [ 342.123094] cleanup_net+0x45b/0x900 [ ... ] v3: add Fourth patch. v2: - use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso) - add missing dev_mc_add() and dev_mc_del(). - add Third patch. v1: Initial patch Fixes: 202f59afd441 ("netfilter: ipt_CLUSTERIP: do not hold dev

[PATCH nf v3 0/4] netfilter: ipt_CLUSTERIP: fix bugs in ipt_CLUSTERIP

mc_del(). - add Third patch. v1: Initial patch Taehee Yoo (4): netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in clusterip_config_entry_put() net

[PATCH nf v2 3/3] netfilter: nf_conncount: fix unexpected permanent node of list.

: Initial patch Fixes: cb2b36f5a97d ("netfilter: nf_conncount: Switch to plain list") Signed-off-by: Taehee Yoo --- net/netfilter/nf_conncount.c | 17 ++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c

[PATCH nf v2 2/3] netfilter: nf_conncount: fix list_del corruption in conn_free

ira Ayuso) - Add Third patch. v1: Initial patch Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search") Signed-off-by: Taehee Yoo --- net/netfilter/nf_conncount.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --

[PATCH nf v2 1/3] netfilter: nf_conncount: use spin_lock_bh instead of spin_lock

[ ... ] v2: - Use spin_lock_bh() in nf_conncount_add() (Pablo Neira Ayuso) - Add Third patch. v1: Initial patch Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search") Signed-off-by: Taehee Yoo --- net/netfilter/nf_conncount.c | 12 ++-- 1

[PATCH nf v2 0/3] netfilter: nf_conncount: fix bugs in conn_free

Taehee Yoo (3): netfilter: nf_conncount: use spin_lock_bh instead of spin_lock netfilter: nf_conncount: fix list_del corruption in conn_free netfilter: nf_conncount: fix unexpected permanent node of list. net/netfilter/nf_conncount.c | 36 +--- 1 file changed

Re: [PATCH nf] netfilter: xt_RATEEST: remove netns exit routine

On Sat, 3 Nov 2018 at 22:47, Pablo Neira Ayuso wrote: > > Hi Taehee! > > On Wed, Oct 31, 2018 at 03:22:22AM +0900, Taehee Yoo wrote: > > On Tue, 30 Oct 2018 at 08:00, Pablo Neira Ayuso wrote: > > > > > > > Hi Pablo, > > Thank you for review! >

[PATCH iptables] iptables: iptables-test: fix netns test

: 0123183f43a9 ("iptables-test: add -N option to exercise netns removal path") Reported-by: Pablo Neira Ayuso Signed-off-by: Taehee Yoo --- iptables-test.py | 22 +- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/iptables-test.py b/iptables-test.py inde

Re: [PATCH nf 1/2] netfilter: nf_conncount: use spin_lock_bh instead of spin_lock

Thanks to all reviewer! On Tue, 30 Oct 2018 at 08:41, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > On Thu, Oct 25, 2018 at 11:56:12PM +0900, Taehee Yoo wrote: > > > conn_free() holds lock with spin_lock(). and it is called by both > > > nf_conncount_loo

Re: [PATCH nf] netfilter: xt_RATEEST: remove netns exit routine

On Tue, 30 Oct 2018 at 08:00, Pablo Neira Ayuso wrote: > Hi Pablo, Thank you for review! > On Fri, Oct 19, 2018 at 12:27:57AM +0900, Taehee Yoo wrote: > > xt_rateest_net_exit() was added to check whether rules are flushed > > successfully. but ->net_exit() callback i

[PATCH nf 2/2] netfilter: nf_conncount: fix list_del corruption in conn_free

st lock and gc worker, and RCU for init tree search") Signed-off-by: Taehee Yoo --- net/netfilter/nf_conncount.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c index 8c6ece33b31f..2d7527533cf6 100644

[PATCH nf 0/2] netfilter: nf_conncount: fix bugs in conn_free

double delete of list element. So that dead flag is added. Taehee Yoo (2): netfilter: nf_conncount: use spin_lock_bh instead of spin_lock netfilter: nf_conncount: fix list_del corruption in conn_free net/netfilter/nf_conncount.c | 13 - 1 file changed, 8 insertions(+), 5 deletions

[PATCH nf 1/2] netfilter: nf_conncount: use spin_lock_bh instead of spin_lock

Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search") Signed-off-by: Taehee Yoo --- net/netfilter/nf_conncount.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_c

[PATCH nf] netfilter: xt_IDLETIMER: add sysfs filename checking routine

timer_tg_checkentry+0x3e5/0xb1b [xt_IDLETIMER] [95765.449755] ? rcu_read_lock_sched_held+0x114/0x130 [95765.449755] ? __kmalloc_track_caller+0x211/0x2b0 [95765.449755] ? memcpy+0x34/0x50 [95765.449755] idletimer_tg_checkentry+0x4e2/0xb1b [xt_IDLETIMER] [ ... ] Fixes: 0902b469bd25 ("netfilter:

[PATCH nf] netfilter: xt_RATEEST: remove netns exit routine

held+0xb4/0x140 [ 668.813518] process_one_work+0xc13/0x1de0 [ 668.813518] ? pwq_dec_nr_in_flight+0x3c0/0x3c0 [ 668.813518] ? set_load_weight+0x270/0x270 [ ... ] Fixes: 3427b2ab63fa ("netfilter: make xt_rateest hash table per net") Signed-off-by: Taehee Yoo --- net/netfilter/xt_RAT

[PATCH nf-next] netfilter: nfnetlink_log: remove empty nfnetlink_log.h header file

/include/net/netfilter/nfnetlink_log.h file is empty. so that it can be removed. Signed-off-by: Taehee Yoo --- include/net/netfilter/nfnetlink_log.h | 1 - 1 file changed, 1 deletion(-) delete mode 100644 include/net/netfilter/nfnetlink_log.h diff --git a/include/net/netfilter/nfnetlink_log.h

[PATCH nf v2 3/3] netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in clusterip_config_entry_put()

x630 [ipt_CLUSTERIP] [ ... ] v3: add Third patch. v2: - use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso) - add missing dev_mc_add() and dev_mc_del(). v1: Initial patch Fixes: b3e456fce9f5 ("netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation") Signed-off-by: Taehee

[PATCH nf v2 0/3] netfilter: ipt_CLUSTERIP: fix bugs in ipt_CLUSTERIP

n_lock() (Pablo Neira Ayuso) - add missing dev_mc_add() and dev_mc_del(). v1: Initial patch Taehee Yoo (3): netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine netfilter: ipt_CLUSTERIP: fix sleep-in-atom

[PATCH nf v2 1/3] netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine

x94/0x140 [ 342.123094] cleanup_net+0x45b/0x900 [ ... ] v3: add Third patch. v2: - use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso) - add missing dev_mc_add() and dev_mc_del(). v1: Initial patch Fixes: 202f59afd441 ("netfilter: ipt_CLUSTERIP: do not hold dev") Signed-off-by: Ta

[PATCH nf v2 2/3] netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine

nstead of spin_lock() (Pablo Neira Ayuso) - add missing dev_mc_add() and dev_mc_del(). v1: Initial patch Fixes: 613d0776d3fe ("netfilter: exit_net cleanup check added") Signed-off-by: Taehee Yoo --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 - 1 file changed, 1 deletion(-) diff --git a/ne

[PATCH nf v2] netfilter: nf_flow_table: do not remove offload when other netns's interface is down

interface that has index is same with offload is down, that offload will be removed. This patch adds netns checking code to the offload cleanup routine. Fixes: 59c466dd68e7 ("netfilter: nf_flow_table: add a new flow state for tearing down offloading") Signed-off-by: Taehee Yoo --- v2: do

[PATCH nf-next] netfilter: nf_flow_table: remove unnecessary parameter of nf_flow_table_cleanup()

parameter net of nf_flow_table_cleanup() is not used. So that it can be removed. Signed-off-by: Taehee Yoo --- include/net/netfilter/nf_flow_table.h | 2 +- net/netfilter/nf_flow_table_core.c| 2 +- net/netfilter/nft_flow_offload.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions

Re: [PATCH nf 2/2] netfilter: xt_TEE: add missing code to get interface index in checkentry.

On Thu, 11 Oct 2018 at 19:17, Pablo Neira Ayuso wrote: > Hi Pablo, > On Wed, Oct 10, 2018 at 07:56:18PM +0200, Pablo Neira Ayuso wrote: > > On Sun, Oct 07, 2018 at 12:09:32AM +0900, Taehee Yoo wrote: > > > checkentry(tee_tg_check) should initialize priv->oif from dev if

Re: [PATCH nf] netfilter: nf_flow_table: do not remove offload when other netns's interface is down

On Thu, 11 Oct 2018 at 03:09, Pablo Neira Ayuso wrote: > Hi Pablo, Thank you for review! > On Tue, Oct 09, 2018 at 02:59:48AM +0900, Taehee Yoo wrote: > > When interface is down, offload cleanup function(nf_flow_table_do_cleanup) > > is called and that checks whether interfac

Re: [PATCH nf 1/2] netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine

On Thu, 11 Oct 2018 at 02:32, Pablo Neira Ayuso wrote: > Hi Pablo, Thank you for review! > On Sat, Oct 06, 2018 at 01:42:42AM +0900, Taehee Yoo wrote: > > diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c > > b/net/ipv4/netfilter/ipt_CLUSTERIP.c > > index 2c8d313ae

Re: [PATCH nf-next] netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine

On Tue, 9 Oct 2018 at 08:19, Pablo Neira Ayuso wrote: > > Hi Taehee, > Hi Pablo, Thank you for your review! > I can reproduce it, so this is a bug :-). Still one question below: > > On Tue, Oct 02, 2018 at 02:17:14AM +0900, Taehee Yoo wrote: > [...] > >

[PATCH nf] netfilter: nf_flow_table: do not remove offload when other netns's interface is down

aring down offloading") Signed-off-by: Taehee Yoo --- include/net/netfilter/nf_flow_table.h | 2 +- net/netfilter/nf_flow_table_core.c| 10 +++--- net/netfilter/nft_flow_offload.c | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/include/net/netfilter/nf_flow_

[PATCH nf-next] netfilter: nf_nat_snmp_basic: add missing helper alias name

elper-snmp_trap" by MODULE_ALIAS_NFCT_HELPER(snmp_trap) test command: %iptables -t raw -I PREROUTING -p udp -j CT --helper snmp_trap %lsmod | grep nf_nat_snmp_basic We can see nf_nat_snmp_basic module is uploaded automatically. Signed-off-by: Taehee Yoo --- net/ipv4/netfilter/nf_nat_snmp_b

[PATCH nf 1/2] netfilter: xt_TEE: fix wrong interface selection

Above rule is in the root netns. but that rule could get enp2s0 ifindex of vm1 by notifier handler. After this patch, TEE rule is added to the per-netns list. Fixes: 9e2f6c5d78db ("netfilter: Rework xt_TEE netdevice notifier") Signed-off-by: Taehee Yoo --- net/netfilter/xt_

[PATCH nf 0/2] netfilter: xt_TEE: fix bugs in xt_TEE

ted. Taehee Yoo (2): netfilter: xt_TEE: fix wrong interface selection netfilter: xt_TEE: add missing code to get interface index in checkentry. net/netfilter/xt_TEE.c | 76 -- 1 file changed, 59 insertions(+), 17 deletions(-) -- 2.17.1

[PATCH nf 2/2] netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine

net cleanup check added") Signed-off-by: Taehee Yoo --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 6ccabe6f74a6..20b452df856c 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.

[PATCH nf 1/2] netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine

x94/0x140 [ 342.123094] cleanup_net+0x45b/0x900 [ ... ] Fixes: 202f59afd441 ("netfilter: ipt_CLUSTERIP: do not hold dev") Signed-off-by: Taehee Yoo --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 71 +- 1 file changed, 40 insertions(+), 31 deletions(-) diff --git a/n

[PATCH nf 0/2] netfilter: ipt_CLUSTERIP: fix bugs in ipt_CLUSTERIP

0x3e0 [ 399.686238] ? kthread_create_worker_on_cpu+0xc0/0xc0 [ 399.692027] ret_from_fork+0x3a/0x50 [ 399.696210] INFO: lockdep is turned off. Taehee Yoo (2): netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit

[PATCH nf-next] netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine

it_net) doesn't make flowtable leak. Signed-off-by: Taehee Yoo --- net/netfilter/nf_tables_api.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index f0159eea2978..42487d01a3ed 100644 --- a/net/netfilter/nf_tables_api.c +++

[PATCH nf-next] netfilter: nf_tables: use rhashtable_lookup() instead of rhashtable_lookup_fast()

Internally, rhashtable_lookup_fast() calls rcu_read_lock() then, calls rhashtable_lookup(). so that in places where are guaranteed by rcu read lock, rhashtable_lookup() is enough. Signed-off-by: Taehee Yoo --- net/netfilter/nf_flow_table_core.c | 4 ++-- net/netfilter/nft_set_hash.c | 8

[PATCH nf-next] netfilter: nf_flow_table: remove unnecessary nat flag check code

nf_flow_offload_{ip/ipv6}_hook() check nat flag then, call nf_flow_nat_{ip/ipv6} but that also check nat flag. so that nat flag check code in nf_flow_offload_{ip/ipv6}_hook() are unnecessary. Signed-off-by: Taehee Yoo --- net/netfilter/nf_flow_table_ip.c | 6 ++ 1 file changed, 2 insertions

[PATCH nf-next] netfilter: nf_tables: use rhashtable_walk_enter instead of rhashtable_walk_init

rhashtable_walk_init() is deprecated and rhashtable_walk_enter() can be used instead. rhashtable_walk_init() is wrapper function of rhashtable_walk_enter() so that logic is actually same. But rhashtable_walk_enter() doesn't return error hence error path code can be removed. Signed-off-by: Taehee

[PATCH nf-next] netfilter: nat: remove duplicate skb_is_nonlinear() in __nf_nat_mangle_tcp_packet()

__nf_nat_mangle_tcp_packet() and nf_nat_mangle_udp_packet() call mangle_contents(). and __nf_nat_mangle_tcp_packet() and mangle_contents() call skb_is_nonlinear(). so that skb_is_nonlinear() in __nf_nat_mangle_tcp_packet() is unnecessary. Signed-off-by: Taehee Yoo --- net/netfilter

[PATCH nf-next] netfilter: nat: remove unnecessary rcu_read_lock in nf_nat_redirect_ipv{4/6}

nf_nat_redirect_ipv4() and nf_nat_redirect_ipv6() are only called by netfilter hook point. so that rcu_read_lock and rcu_read_unlock() are unnecessary. Signed-off-by: Taehee Yoo --- net/netfilter/nf_nat_redirect.c | 4 1 file changed, 4 deletions(-) diff --git a/net/netfilter

[PATCH nf] netfilter: nft_set_rbtree: add missing rb_erase() in GC routine

[ 430.535635] ? do_raw_spin_trylock+0x101/0x1a0 [ 430.535635] ? do_raw_spin_lock+0x1f0/0x1f0 [ 430.535635] ? _raw_spin_lock_irq+0x10/0x70 [ 430.535635] worker_thread+0x15d/0x1120 [ ... ] Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support") Signed-off-by:

[PATCH nf] netfilter: nf_tables: release chain in flushing set

Fixes: 8411b6442e59 ("netfilter: nf_tables: support for set flushing") Signed-off-by: Taehee Yoo --- net/netfilter/nf_tables_api.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 1dca5683f59f..2cfb173cd0b2 100644 ---

[PATCH nf] netfilter: nft_set: fix allocation size overflow in privsize callback.

1f2d0 ("netfilter: nf_tables: add netlink set API") Signed-off-by: Taehee Yoo --- include/net/netfilter/nf_tables.h | 4 ++-- net/netfilter/nf_tables_api.c | 2 +- net/netfilter/nft_set_bitmap.c| 6 +++--- net/netfilter/nft_set_hash.c | 8 net/netfilter/nft_se

Re: [PATCH V2 nf 3/3] netfilter: nf_tables: add default set size

2018-07-19 1:44 GMT+09:00 Pablo Neira Ayuso : > Hi, > > On Tue, Jul 10, 2018 at 11:22:36PM +0900, Taehee Yoo wrote: >> In order to restrict element number of each set, member ->size is used. >> that used to be given by user-space. if user-space don't specify ->

Re: [PATCH V2 nf 2/3] netfilter: nft_set_rbtree: fix panic when destroying set by GC

2018-07-17 1:09 GMT+09:00 Pablo Neira Ayuso : > Hi Taehee, > > On Tue, Jul 10, 2018 at 11:22:01PM +0900, Taehee Yoo wrote: >> This patch fixes below. >> 1. check null pointer of rb_next. >> rb_next can return null. so null check routine should be added. >> 2. a

[PATCH V2 nf] netfilter: nf_tables: fix jumpstack depth validation

blo Neira Ayuso Signed-off-by: Taehee Yoo --- include/net/netfilter/nf_tables.h | 4 ++-- net/netfilter/nf_tables_api.c | 11 --- net/netfilter/nft_immediate.c | 3 +++ net/netfilter/nft_lookup.c| 13 +++-- 4 files changed, 20 insertions(+), 11 deletions(-) diff

Re: [PATCH nf-next] netfilter: nf_tables: fix jumpstack depth validation

2018-07-12 7:33 GMT+09:00 Pablo Neira Ayuso : > On Mon, Jun 11, 2018 at 09:04:39PM +0900, Taehee Yoo wrote: > [...] >> diff --git a/include/net/netfilter/nf_tables.h >> b/include/net/netfilter/nf_tables.h >> index 08c005c..a7d6476 100644 >> --- a/include/net/netfilte

[PATCH V2 nf 3/3] netfilter: nf_tables: add default set size

ble ip aa { map map1 { type ipv4_addr : verdict size 65535 } } V2: - Add default set->size value instead add check set->size routine. - Requested by Florian Westphal Suggested-by: Florian Westphal Signed-off-by: Taehee Yoo ---

[PATCH V2 nf 2/3] netfilter: nft_set_rbtree: fix panic when destroying set by GC

/0x1b0 [ 2402.534212] ? do_raw_spin_lock+0x1f0/0x1f0 [ 2402.534212] worker_thread+0x169/0x1150 V2: - Do not add interval check routine in nft_set_rbtree. - Requested by Pablo Neira Ayuso Fixes: 8d8540c4f5e0("netfilter: nft_set_rbtree: add timeout support") Signed-off-by: Taehee Yoo

[PATCH V2 nf 1/3] netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy()

ck_cpu+0x132/0x170 [ 200.990352] ? find_held_lock+0x39/0x1b0 [ 200.994355] ? sched_clock_local+0x10d/0x130 [ 200.999531] ? memset+0x1f/0x40 Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts") Signed-off-by: Taehee Yoo --- net/netfilter/nft_set_hash.c | 1 + 1

[PATCH V2 nf 0/3] netfilter: nf_tables: fix set destroying bugs

alue instead add check set->size routine. Requested by Florian Westphal Taehee Yoo (3): netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy() netfilter: nft_set_rbtree: fix panic when destroying set by GC netfilter: nf_tables: add default set size net/netfilter/nf

Re: [PATCH nf 0/4] netfilter: nf_tables: fix set destroying bugs

2018-07-09 22:56 GMT+09:00 Pablo Neira Ayuso : > On Sun, Jul 01, 2018 at 08:43:16PM +0900, Taehee Yoo wrote: >> This patch series fixes nft_set_hash and nft_set_rbtree bugs. >> >> First patch adds nft_rhash_iterate_destroy(). >> it walks and destroys all elemen

Re: [PATCH nf 3/4] netfilter: nft_set_rbtree: fix panic when destroying set by GC

2018-07-09 22:48 GMT+09:00 Pablo Neira Ayuso : > On Tue, Jul 03, 2018 at 11:40:06PM +0900, Taehee Yoo wrote: >> 2018-07-03 19:20 GMT+09:00 Pablo Neira Ayuso : >> > On Sun, Jul 01, 2018 at 08:44:52PM +0900, Taehee Yoo wrote: >> >> This patch fixes below. >>

Re: [PATCH nf 3/4] netfilter: nft_set_rbtree: fix panic when destroying set by GC

2018-07-03 19:20 GMT+09:00 Pablo Neira Ayuso : > On Sun, Jul 01, 2018 at 08:44:52PM +0900, Taehee Yoo wrote: >> This patch fixes below. >> 1. check null pointer of rb_next. >> rb_next can return null. so null check routine should be added. >> 2. check wheth

Re: [PATCH nf 4/4] netfilter: nf_tables: check set->size before decreasing set->nelems

2018-07-02 20:38 GMT+09:00 Florian Westphal : > Taehee Yoo wrote: >> set->nelems is increased when set->size is given. >> so that checking set->size routine should be added. > > Does it make sense to have sets with no upper size? > > I think it makes more

Re: [PATCH nf 1/4] netfilter: nft_set_hash: fix panic when destroying set

2018-07-02 20:45 GMT+09:00 Florian Westphal : > Taehee Yoo wrote: >> In order to destroy elements of set, a rhashtable_free_and_destroy() >> is used. the rhashtable_free_and_destroy() cancels a re-hash deferred work >> then walks and destroys elements. at this moment, some

[PATCH nf 3/4] netfilter: nft_set_rbtree: fix panic when destroying set by GC

: 8d8540c4f5e0("netfilter: nft_set_rbtree: add timeout support") Signed-off-by: Taehee Yoo --- net/netfilter/nft_set_rbtree.c | 34 ++ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtr

[PATCH nf 2/4] netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy()

+0x10d/0x130 [ 200.999531] ? memset+0x1f/0x40 Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts") Signed-off-by: Taehee Yoo --- net/netfilter/nft_set_hash.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash

[PATCH nf 4/4] netfilter: nf_tables: check set->size before decreasing set->nelems

set->nelems is increased when set->size is given. so that checking set->size routine should be added. Signed-off-by: Taehee Yoo --- net/netfilter/nf_tables_api.c | 6 -- net/netfilter/nft_set_hash.c | 3 ++- net/netfilter/nft_set_rbtree.c | 7 --- 3 files changed, 10 inserti

[PATCH nf 1/4] netfilter: nft_set_hash: fix panic when destroying set

999531] ? memset+0x1f/0x40 Signed-off-by: Taehee Yoo --- net/netfilter/nft_set_hash.c | 42 +++--- 1 file changed, 35 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 6f9a136..695d5e8 100644 --- a/net/net

[PATCH nf 0/4] netfilter: nf_tables: fix set destroying bugs

bugs. Last patch adds set->size checking routine. Taehee Yoo (4): netfilter: nft_set_hash: fix panic when destroying set netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy() netfilter: nft_set_rbtree: fix panic when destroying set by GC netfilter: nf_tables: check

Re: [PATCH nf-next] netfilter: nft_reject_bridge: remove unnecessary ttl set

2018-06-27 23:48 GMT+09:00 Pablo Neira Ayuso : > On Tue, Jun 12, 2018 at 01:54:47AM +0900, Taehee Yoo wrote: >> In the nft_reject_br_send_v4_tcp_reset(), a ttl is set by >> the nf_reject_ip_tcphdr_put(). so, below code is unnecessary. > > Applied, thanks. > > BT

[PATCH nf-next] netfilter: nft_reject_bridge: remove unnecessary ttl set

In the nft_reject_br_send_v4_tcp_reset(), a ttl is set by the nf_reject_ip_tcphdr_put(). so, below code is unnecessary. Signed-off-by: Taehee Yoo --- net/bridge/netfilter/nft_reject_bridge.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/bridge/netfilter

[PATCH nf-next] netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()

When depth of chain is bigger than NFT_JUMP_STACK_SIZE, the nft_do_chain crashes. But there is no need to crash hard here. Suggested-by: Florian Westphal Signed-off-by: Taehee Yoo --- net/netfilter/nf_tables_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net

Re: [PATCH nf-next] netfilter: nf_tables: fix jumpstack depth validation

Thank you for reviewing! 2018년 6월 11일 (월) 오후 9:14, Florian Westphal 님이 작성: > > Taehee Yoo wrote: > > The level of struct nft_ctx is updated by nf_tables_check_loops(). > > [..] > > > [ 168.803743] kernel BUG at net/netfilter/nf_tables_core.c:186! > > Cou

[PATCH nf-next] netfilter: nf_tables: fix jumpstack depth validation

68.922459] ip_local_deliver+0x293/0x3c0 [ 168.922459] ? ip_call_ra_chain+0x490/0x490 [ 168.922459] ? ip_rcv_finish+0x1910/0x1910 [ 168.922459] ip_rcv+0x802/0xe10 [ ... ] Signed-off-by: Taehee Yoo --- include/net/netfilter/nf_tables.h | 4 ++-- net/netfilter/nf_tables_api.c | 10 +++--- net/

[PATCH nf] netfilter: nft_set_rbtree: fix parameter of __nft_rbtree_lookup()

: f9121355eb6f ("netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups") Signed-off-by: Taehee Yoo --- net/netfilter/nft_set_rbtree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c ind

[PATCH nf] netfilter: nft_reject_bridge: fix skb allocation size in nft_reject_br_send_v6_unreach

In order to allocate icmpv6 skb, sizeof(struct ipv6hdr) should be used. Signed-off-by: Taehee Yoo --- net/bridge/netfilter/nft_reject_bridge.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c

[PATCH nf-next] netfilter: nf_tables: remove unused variables

The comment and trace_loginfo are not used anymore. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nf_tables_core.c | 16 1 file changed, 16 deletions(-) diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c index d457d85..a1b93fa

[PATCH nf] netfilter: nf_tables: increse nft_counters_enabled in nft_chain_stats_replace()

] nf_tables_chain_destroy+0x19d/0x210 [nf_tables] [ 286.449144] nf_tables_commit+0x1891/0x1c50 [nf_tables] [ 286.449144] nfnetlink_rcv+0x1148/0x13d0 [nfnetlink] [ ... ] Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nf_tables_api.c | 4 +++- 1 file changed, 3 insertions

[PATCH nf] netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()

] [ 306.528284] netlink_rcv_skb+0x1c9/0x2f0 [ 306.528284] ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink] [ 306.528284] ? debug_check_no_locks_freed+0x270/0x270 [ 306.528284] ? netlink_ack+0x7a0/0x7a0 [ 306.528284] ? ns_capable_common+0x6e/0x110 [ ... ] Signed-off-by: Taehee Yoo <ap420...@gmail.

[PATCH nf-next] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval

trace id 16767227 ip filter input rule nftrace set 0 (verdict continue) trace id 16767227 ip filter input verdict continue trace id 16767227 ip filter input Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nft_meta.c | 14 -- 1 file changed, 8 insertions(+), 6 de

[PATCH nf] netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump()

479fe ]--- [ 916.777204] Kernel panic - not syncing: Fatal exception [ 916.778158] Kernel Offset: 0x1400 from 0x8100 (relocation range: 0x8000-0xffffbfff) Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nft_ct.c | 20 ---

[PATCH nf 5/5] netfilter: nf_tables: add call validate callback.

A validate callback is called just before calling a ->commit callback. If it is failed, ->abort is called. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nfnetlink.c | 13 + 1 file changed, 13 insertions(+) diff --git a/net/netfilter/nfnetlink.c b/n

[PATCH nf 4/5] netfilter: nf_tables: use chain info to validate type and hook.

mation that is allocated in the nf_tables_validate. But exceptionally, the nf_tables_check_loops can call that if ops is "immediate". Now, nft_compat.c uses common validate routine instead of the nft_compat_chain_validate_dependency. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/net

[PATCH nf 3/5] netfilter: nf_tables: add type and hook validate routine

s->validate() to use chain information array insted of basechain's data. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/linux/netfilter/nfnetlink.h | 1 + include/net/netfilter/nf_tables.h | 1 + include/net/netns/nftables.h| 3 + net/netfilter/nf_tables_api

[PATCH nf 2/5] netfilter: nf_tables: remove nft_af_info.

The struct nft_af_info was removed. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/net/netns/nftables.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h index 4813435..29c3851 100644 --- a/include/net/netns/nfta

[PATCH nf 0/5] netfilter: nf_tables: add validate non-basechain ruleset routine

outine are like below. 1. select_ops() 2. init() 3. call_batch() 4. validate() 5. commit()/abort() Taehee Yoo (5): netfilter: nf_tables: use nft_ctx instead of nft_chain netfilter: nf_tables: remove nft_af_info. netfilter: nf_tables: add type and hook validate routine net

[PATCH nf 1/5] netfilter: nf_tables: use nft_ctx instead of nft_chain

This patch prepares for next patches. The nft_chain_validate_hooks and nft_chain_validate_dependency are going to use both net and nft_chain. Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- include/net/netfilter/nf_tables.h| 4 ++-- net/bridge/netfilter/nft_reject_bridge.

Re: [PATCH 1/3 nf-next] netfilter: nf_tables: add release callback in nft_expr_type

2018-04-30 3:03 GMT+09:00 Florian Westphal <f...@strlen.de>: > Taehee Yoo <ap420...@gmail.com> wrote: >> This patch adds the new release callback to release resources >> allocated in nft_expr_type->select_ops. >> This release callback can be used by error path

[PATCH 2/3 nf-next] netfilter: fix error path of the nf_tables_newrule

path of the nf_tables_newrule anymore. Steps to reproduce: $iptables-compat -I OUTPUT -m cpu --cpu 0 $iptables-compat -F $lsmod Module Size Used by xt_cpu 16384 1 Signed-off-by: Taehee Yoo <ap420...@gmail.com> --- net/netfilter/nf_tables

  1   2   >