[PATCH 2/2 libnftnl] Check memory allocations in setters

2016-06-10 Thread Carlos Falgueras García
When you set an object attribute the memory is copied; sometimes an allocation is needed and it must be checked. Before this patch all setter methods return void, so this patch makes all setters return int instead of void to communicate the error to the user. Summary: * All setters return int

Re: [PATCH 1/2 libnftnl] Fix leak in nftnl_*_unset()

2016-06-10 Thread Carlos Falgueras García
On 06/10/2016 01:14 PM, Arturo Borrero Gonzalez wrote: On 10 June 2016 at 12:20, Carlos Falgueras García wrote: Signed-off-by: Carlos Falgueras García --- src/rule.c | 1 + src/set_elem.c | 1 + 2 files changed, 2 insertions(+) diff --git

Re: [PATCH 2/2 libnftnl] Check memory allocations in setters

2016-06-10 Thread Pablo Neira Ayuso
On Fri, Jun 10, 2016 at 12:20:54PM +0200, Carlos Falgueras García wrote: > When you set an object attribute the memory is copied; sometimes an > allocation is needed and it must be checked. Before this patch all setter > methods return void, so this patch makes all setters return int instead of void

[PATCH] ip6tables: Warn about use of DROP in nat table

2016-06-10 Thread Thomas Woerner
Clone of 1eada72b with 9bb76094 and e0390bee on top. Signed-off-by: Thomas Woerner --- :100644 100644 2731209... c48ddf9... M iptables/ip6tables.c iptables/ip6tables.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c

Re: ip6tables: Warn about use of DROP in nat table

2016-06-10 Thread Jan Engelhardt
On Friday 2016-06-10 12:16, Thomas Woerner wrote: > in iptables.c there is a check of DROP usage in the nat table. In ip6tables, > this check is not there. Is this intentional? It must be an oversight, since IPv6 did not have nat back then.

[PATCH nft] tests: shell: make testcases which use tcp/udp port more robust

2016-06-10 Thread Liping Zhang
From: Liping Zhang On my machine, port 12345 is mapped to italk in /etc/services: italk 12345/tcp # Italk Chat System So when we add an nft rule with udp port "12345", nft list ruleset will display it as "italk", so the result is not

[PATCH nf-next] netfilter: conntrack: align nf_conn on cacheline boundary

2016-06-10 Thread Florian Westphal
Increases struct size by 32 bytes (288 -> 320), but it is the right thing, else any attempt to (re-)arrange nf_conn members by cacheline won't work. Signed-off-by: Florian Westphal --- gives checkpatch warn due to line > 80 lines but I don't want to add a line-break after |

[PATCH nf-next] netfilter: make comparison helpers stub functions in ZONES=n case

2016-06-10 Thread Florian Westphal
Those comparisons are useless in case of ZONES=n; all conntracks will reside in the same zone by definition. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_zones.h | 12 1 file changed, 12 insertions(+) diff --git

[PATCH nf-next 0/3] netfilter: fix an endless jump loop bug

2016-06-10 Thread Liping Zhang
From: Liping Zhang This patch set mainly fixes an endless jump loop bug; for example, a user can add the following nft rules successfully: # nft add table filter # nft add chain filter test # nft add rule filter test tcp dport vmap {1: jump test} This is because we

[PATCH nf-next 1/3] netfilter: nf_tables: fix wrong check of NFT_SET_MAP in nf_tables_bind_set

2016-06-10 Thread Liping Zhang
From: Liping Zhang We should check whether "i" is used as a dictionary or not; "binding" is already checked before. Signed-off-by: Liping Zhang --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[PATCH nf-next 3/3] netfilter: nf_tables: fix wrong destruction of anonymous sets if binding fails

2016-06-10 Thread Liping Zhang
From: Liping Zhang When we add an nft rule as follows: # nft add rule filter test tcp dport vmap {1: jump test} an -ELOOP error will be returned, and the anonymous set will be destroyed. But after that, nf_tables_abort will also try to remove the element and destroy

[PATCH nf-next 2/3] netfilter: nf_tables: fix an endless jump loop when using vmap

2016-06-10 Thread Liping Zhang
From: Liping Zhang Currently, a user can add such a wrong nft rule successfully, which will cause an endless jump loop: # nft add rule filter test tcp dport vmap {1: jump test} This is because before we commit, the element in the current anonymous set is inactive,

RE: [PATCH net-next] nfnetlink_queue: enable PID info retrieval

2016-06-10 Thread David Laight
From: Eric Dumazet > Sent: 09 June 2016 22:17 > On Thu, 2016-06-09 at 23:50 +0300, Saeed Mahameed wrote: > > From: Matthew Finlay > > > > diff --git a/net/socket.c b/net/socket.c > > index a1bd161..67de200 100644 > > --- a/net/socket.c > > +++ b/net/socket.c > > @@ -382,6

ip6tables: Warn about use of DROP in nat table

2016-06-10 Thread Thomas Woerner
Hello, in iptables.c there is a check of DROP usage in the nat table. In ip6tables, this check is not there. Is this intentional? These are the commits for iptables that added and modified the check: 1eada72b, 9bb76094 and e0390bee. What do you think about adding this also to ip6tables?

[PATCH 2/2 v2,libnftnl] Check memory allocations in setters

2016-06-10 Thread Carlos Falgueras García
When you set an object attribute the memory is copied; sometimes an allocation is needed and it must be checked. Before this patch all setter methods return void, so this patch makes all setters return int instead of void to communicate the error to the user. Summary: * All setters return int

[PATCH 1/2 v2,libnftnl] Fix leak in nftnl_*_unset()

2016-06-10 Thread Carlos Falgueras García
Signed-off-by: Carlos Falgueras García --- src/rule.c | 2 ++ src/set_elem.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/src/rule.c b/src/rule.c index 1e1a138..19e8b95 100644 --- a/src/rule.c +++ b/src/rule.c @@ -111,7 +111,9 @@ void nftnl_rule_unset(struct

[PATCH nf] netfilter: conntrack: destroy kmemcache on module removal

2016-06-10 Thread Florian Westphal
I forgot to move the kmem_cache_destroy into the exit path. Fixes: 0c5366b3a8c7 ("netfilter: conntrack: use single slab cache") Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git

Re: [PATCH net-next] nfnetlink_queue: enable PID info retrieval

2016-06-10 Thread Eric Dumazet
On Fri, 2016-06-10 at 14:29 +, David Laight wrote: > From: Eric Dumazet > > Sent: 09 June 2016 22:17 > > On Thu, 2016-06-09 at 23:50 +0300, Saeed Mahameed wrote: > > > From: Matthew Finlay > > > > > > > diff --git a/net/socket.c b/net/socket.c > > > index a1bd161..67de200