Re: slab corruption with current -git

2016-10-11 Thread David Miller
From: Linus Torvalds Date: Mon, 10 Oct 2016 22:47:50 -0700 > On Mon, Oct 10, 2016 at 10:39 PM, Linus Torvalds > wrote: >> >> I guess I will have to double-check that the slub corruption is gone >> still with that fixed. > > So I'm not getting any warnings now from SLUB debugging. So the > origi

Re: slab corruption with current -git

2016-10-11 Thread Michal Kubecek
On Mon, Oct 10, 2016 at 04:24:01AM -0400, David Miller wrote: > From: David Miller > Date: Sun, 09 Oct 2016 23:57:45 -0400 (EDT) > > This means that the netns is possibly getting freed up before we > unregister the netfilter hooks. Sounds a bit like the issue discussed here: https://marc.info

Re: slab corruption with current -git

2016-10-11 Thread Aaron Conole
Michal Kubecek writes: > On Mon, Oct 10, 2016 at 04:24:01AM -0400, David Miller wrote: >> From: David Miller >> Date: Sun, 09 Oct 2016 23:57:45 -0400 (EDT) >> >> This means that the netns is possibly getting freed up before we >> unregister the netfilter hooks. > > Sounds a bit like the issue d

[PATCH nf] netfilter: xt_NFLOG: fix unexpected truncated packet

2016-10-11 Thread Liping Zhang
From: Liping Zhang Justin and Chris spotted that iptables NFLOG target was broken when they upgraded the kernel to 4.8: "ulogd-2.0.5- IPs are no longer logged" or "results in segfaults in ulogd-2.0.5". Because "struct nf_loginfo li;" is a local variable, and flags will be filled with garbage val

[PATCH ulogd2] ulogd: fix crash when ipv4 packet is truncated

2016-10-11 Thread Liping Zhang
From: Liping Zhang If ipv4 packet is truncated, we should not try to dereference the iph pointer. Otherwise, if the user adds such iptables rules "-j NFLOG --nflog-size 0", we will dereference the NULL pointer and a crash may happen. Reported-by: Chris Caputo Signed-off-by: Liping Zhang --- Sorr

[PATCH ulogd2] ulogd: fix crash when ipv4 packet is truncated

2016-10-11 Thread Liping Zhang
From: Liping Zhang If ipv4 packet is truncated, we should not try to dereference the iph pointer. Otherwise, if the user adds such iptables rules "-j NFLOG --nflog-size 0", we will dereference the NULL pointer and a crash may happen. Reported-by: Chris Caputo Signed-off-by: Liping Zhang --- filt

[PATCH nf] netfilter: xt_NFLOG: fix unexpected truncated packet

2016-10-11 Thread Liping Zhang
From: Liping Zhang Justin and Chris spotted that iptables NFLOG target was broken when they upgraded the kernel to 4.8: "ulogd-2.0.5- IPs are no longer logged" or "results in segfaults in ulogd-2.0.5". Because "struct nf_loginfo li;" is a local variable, and flags will be filled with garbage val

routing table lookup

2016-10-11 Thread Bjørnar Ness
Hello, netfilter-devel. Is it possible/planned to be able to do routing table lookup from within nftables? Thinking then of a routingtable like "set". This would be nice to be able to do early drop on bgp populated saddr based rtbl. -- Bj(/)rnar

Re: routing table lookup

2016-10-11 Thread Jan Engelhardt
On Tuesday 2016-10-11 20:11, Bjørnar Ness wrote: >Hello, netfilter-devel. > >Is it possible/planned to be able to do routing table lookup from >within nftables? >Thinking then of a routingtable like "set". This would be nice to be able to do >early drop on bgp populated saddr based rtbl. Well you

Re: routing table lookup

2016-10-11 Thread Bjørnar Ness
2016-10-11 20:28 GMT+02:00 Jan Engelhardt : > Well you can mark routes with realm numbers, and match on that. (In > iptables, this was done with -m realm.) At least that is the idea. Not > sure if the skb field that holds the information is already > filled in before FORWARD (at which point I guess

Re: routing table lookup

2016-10-11 Thread Jan Engelhardt
On Tuesday 2016-10-11 21:10, Bjørnar Ness wrote: >2016-10-11 20:28 GMT+02:00 Jan Engelhardt : >> Well you can mark routes with realm numbers, and match on that. (In >> iptables, this was done with -m realm.) At least that is the idea. Not >> sure if the skb field that holds the information is alre

RE: [PATCH nf] netfilter: xt_NFLOG: fix unexpected truncated packet

2016-10-11 Thread Justin Piszcz
> -Original Message- > From: Liping Zhang [mailto:zlpnob...@163.com] > Sent: Tuesday, October 11, 2016 9:04 AM > To: pa...@netfilter.org > Cc: netfilter-devel@vger.kernel.org; jpis...@lucidpixels.com; > ccap...@alt.net; v...@akamai.com; Liping Zhang > Subject: [PATCH nf] netfilter: xt_NFL

Re: routing table lookup

2016-10-11 Thread Bjørnar Ness
2016-10-11 22:18 GMT+02:00 Jan Engelhardt : > > On Tuesday 2016-10-11 21:10, Bjørnar Ness wrote: >>2016-10-11 20:28 GMT+02:00 Jan Engelhardt : >>> Well you can mark routes with realm numbers, and match on that. (In >>> iptables, this was done with -m realm.) At least that is the idea. Not >>> sure

[patch] netfilter: nft_exthdr: fix error handling in nft_exthdr_init()

2016-10-11 Thread Dan Carpenter
"err" needs to be signed for the error handling to work. Fixes: 36b701fae12a ('netfilter: nf_tables: validate maximum value of u32 netlink attributes') Signed-off-by: Dan Carpenter diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c index a84cf3d..47beb3a 100644 --- a/net/netfi

Re: routing table lookup

2016-10-11 Thread Michal Kubecek
On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote: > > Yeah, sort of. But afaik rpfilter is an iptables module, and not > available in nftables yet. > > Pablo: is the "lookup in routing table from nftables" a total waste of time? You may be interested in https://www.youtube.com/watc