[PATCH nf 1/1] netfilter: h323,sip: Fix possible dead loop in nat_rtp_rtcp and nf_nat_sdp_media

2017-03-02 Thread fgao
From: Gao Feng When h323 and sip try to insert expect nodes, they would increase the port by 2 in a for loop, and the loop condition is that "port != 0". So when the start port is an odd number, port never increases to zero. Now make port as u32 instead of u_int16_t, and the loop

Re: [PATCH nf 1/1] netfilter: h323,sip: Fix possible dead loop in nat_rtp_rtcp and nf_nat_sdp_media

2017-03-02 Thread Gao Feng
Hi Liping, On Thu, Mar 2, 2017 at 7:18 PM, Liping Zhang wrote: > Hi, > 2017-03-02 18:18 GMT+08:00 Gao Feng : > [...] >> The expect class is NF_CT_EXPECT_CLASS_DEFAULT, and proto is >> IPPROTO_UDP at the function "expect_rtp_rtcp", >> And it makes sure the

[PATCH nf,v2] netfilter: nf_tables: don't call nfnetlink_set_err() if nfnetlink_send() fails

2017-03-02 Thread Pablo Neira Ayuso
The underlying nlmsg_multicast() already sets sk->sk_err for us to notify socket overruns, so we should not do anything with this return value. So we just call nfnetlink_set_err() if: 1) We fail to allocate the netlink message. or 2) We don't have enough space in the netlink message to place

ANNOUNCE: Netdev 2.1 New Gold Sponsor

2017-03-02 Thread Jamal Hadi Salim
We'd like to announce Mojatatu Networks as our second Gold Sponsor. Thank you for the continued support! cheers, jamal

Re: [PATCH nf 1/1] netfilter: h323,sip: Fix possible dead loop in nat_rtp_rtcp and nf_nat_sdp_media

2017-03-02 Thread Liping Zhang
Hi, 2017-03-02 15:57 GMT+08:00 : > From: Gao Feng > > When h323 and sip try to insert expect nodes, they would increase > the port by 2 for loop, and the loop condition is that "port != 0". > So when the start port is odd number, port never increases to zero.

[PATCH nftables] tests: py: fix some typos in README

2017-03-02 Thread Timothy Redaelli
Signed-off-by: Timothy Redaelli --- tests/py/README | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/py/README b/tests/py/README index 82d73a2..66f706f 100644 --- a/tests/py/README +++ b/tests/py/README @@ -40,21 +40,21 @@ families. Unless you

Re: [PATCH nftables] tests: py: fix some typos in README

2017-03-02 Thread Pablo Neira Ayuso
Applied, thanks.

nft: ah expression doesn't work for IPv6

2017-03-02 Thread Phil Sutter
Hi, There is currently an open issue with nft in that ah expression doesn't work for IPv6 since it creates a payload expression which doesn't find the AH IPv6 extension header. There has been a discussion about this problem off-list in which two alternative "solutions" were named, both involve

Re: nft: ah expression doesn't work for IPv6

2017-03-02 Thread Pablo Neira Ayuso
On Thu, Mar 02, 2017 at 10:01:29PM +0100, Pablo Neira Ayuso wrote: > On Thu, Mar 02, 2017 at 08:56:52PM +0100, Phil Sutter wrote: > > Hi, > > > > There is currently an open issue with nft in that ah expression doesn't > > work for IPv6 since it creates a payload expression which doesn't find > >

Re: [PATCH nf 1/1] netfilter: h323,sip: Fix possible dead loop in nat_rtp_rtcp and nf_nat_sdp_media

2017-03-02 Thread Liping Zhang
Hi, 2017-03-02 18:18 GMT+08:00 Gao Feng : [...] > The expect class is NF_CT_EXPECT_CLASS_DEFAULT, and proto is > IPPROTO_UDP at the function "expect_rtp_rtcp", > And it makes sure the port is even number. > > But look at the process_gcf, the port is got from the packet data at >

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-02 Thread Paul Moore
On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs wrote: > On 2017-03-01 17:19, Paul Moore wrote: >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs wrote: >> > On 2017-02-28 17:22, Paul Moore wrote: >> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-02 Thread Richard Guy Briggs
On 2017-03-02 19:16, Paul Moore wrote: > On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs wrote: > > On 2017-03-01 17:19, Paul Moore wrote: > >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs > >> wrote: > >> > On 2017-02-28 17:22, Paul Moore wrote: > >>

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-02 Thread Paul Moore
On Thu, Mar 2, 2017 at 9:00 PM, Richard Guy Briggs wrote: > On 2017-03-02 19:16, Paul Moore wrote: >> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs wrote: >> > On 2017-03-01 17:19, Paul Moore wrote: >> >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs

[PATCH nf 1/1] netfilter: nat_masquerade: Check oom when invoke nfct_nat

2017-03-02 Thread fgao
From: Gao Feng When memory is exhausted, nf_ct_nat_ext_add may return NULL. Then nf_nat_ipv4_fn and nf_nat_ipv6_fn would return NF_ACCEPT in this case. So we need to add the NULL check when invoking nfct_nat in these two functions. Signed-off-by: Gao Feng ---

[PATCH nf-next v3 2/2] netfilter: nft_hash: support of symmetric hash

2017-03-02 Thread Laura Garcia Liebana
This patch provides symmetric hash support according to source ip address and port, and destination ip address and port. For this purpose, the __skb_get_hash_symmetric() is used to identify the flow as it uses FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL flag by default. The new attribute NFTA_HASH_TYPE