> Hi all,
>
> After merging the netfilter-next tree, today's linux-next build (x86_64
> allmodconfig) produced this warning:
>
> net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del':
> net/netfilter/nfnetlink_acct.c:329:15: warning: unused variable 'refcount' [-Wunused-variable]
>
This is a bit zealous to fix like this, but it seems to work.
The crash was reproduced on ppc32, with GCC 5.4 & musl libc 1.1.16.
And also on LEDE (mips_24kc and ARM):
https://github.com/openwrt/packages/issues/4123
https://github.com/openwrt/packages/issues/4090
I personally saw it on ppc32.
Th
Hi Elena,
On Mon, 20 Mar 2017 07:00:13 + "Reshetova, Elena"
wrote:
>
> > After merging the netfilter-next tree, today's linux-next build (x86_64
> > allmodconfig) produced this warning:
> >
> > net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del':
> > net/netfilter/nfnetlink_acct
Hello!
On 3/20/2017 4:44 AM, f...@ikuai8.com wrote:
From: Gao Feng
In the commit ("netfilter: nf_conntrack: nf_conntrack snmp helper"),
Need to specify the 12-digit SHA1 ID as well.
the snmp_helper is replaced by nf_nat_snmp_hook. So the snmp_helper
is never registered. But it still tr
Signed-off-by: Elena Reshetova
---
net/netfilter/nfnetlink_acct.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index f44cbd3..c86da17 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -326,7 +3
Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Gao Feng
In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack snmp
helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
snmp_helper is never registered. But it still tries to unregister the
snmp_helper, it could cause the panic.
Now remove the useless snmp_help
From: Laura Garcia Liebana
This patch renames the local nft_hash structure and functions
to nft_jhash in order to prepare the nft_hash module code to
add new hash functions.
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_hash.c | 36
From: Phil Sutter
Honor NFT_EXTHDR_F_PRESENT flag so we check if the TCP option is
present.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_exthdr.c | 13 ++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_exthdr.c
From: Liping Zhang
Karel Rericha reported that in his test case, ICMP packets going through
boxes had normally about 5ms latency. But when running nft, actually
listing the sets with interval flags, latency would go up to 30-100ms.
This was observed when router throughput is from 600Mbps to 2Gbps
From: Florian Westphal
this allows to assign connection tracking helpers to
connections via nft objref infrastructure.
The idea is to first specify a helper object:
table ip filter {
ct helper some-name {
type "ftp"
protocol tcp
l3proto ip
}
}
and then assign it vi
From: Florian Westphal
this is needed by the upcoming ct helper object type --
we'd like to be able to use the table family (ip, ip6, inet) to figure
out which helper has to be requested.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 3 +
From: Liping Zhang
The limit token is independent between each rule, so there's no
need to use a global spinlock.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_limit.c | 10 +-
net/netfilter/xt_limit.c | 11 ++-
2 files changed, 11 insert
From: Hangbin Liu
Document sysctl pmtu_disc based on commit 3654e61137db ("ipvs: add
pmtu_disc option to disable IP DF for TUN packets").
Signed-off-by: Hangbin Liu
Signed-off-by: Simon Horman
---
Documentation/networking/ipvs-sysctl.txt | 8
1 file changed, 8 insertions(+)
diff --g
From: Cong Wang
At most it is used for debugging purpose, but I don't think
it is even useful for debugging, just remove it.
Signed-off-by: Cong Wang
Signed-off-by: Simon Horman
---
net/netfilter/ipvs/ip_vs_core.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_c
This new function consolidates set lookup via either name or ID by
introducing a new nft_set_lookup() function. Replace existing spots
where we can use this too.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 9 +
net/netfilter/nf_tables_api.c | 31
From: "Reshetova, Elena"
refcount_t type and corresponding API (see include/linux/refcount.h)
should be used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Ele
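The overflow-to-use-after-free scenario the commit message refers to, as an added userspace model (this is example code, not the kernel's refcount_t implementation or any code from the patch). Plain `uint32_t` arithmetic stands in for `atomic_t`, and the `sat_*` functions model the saturating behaviour of `refcount_t`; the names `plain_*`, `sat_*`, `SAT_VALUE` and `struct obj` are the example's own. The count starts just below the wrap point to stand in for roughly 2^32 earlier gets.

```c
/*
 * Added example: why a wrapping counter is dangerous for object lifetimes
 * and what a saturating counter changes. Not kernel code; the names here
 * are the example's own, not the refcount.h API.
 */
#include <stdbool.h>
#include <stdint.h>

#define SAT_VALUE UINT32_MAX   /* sentinel: counter is pinned here once overflowed */

struct obj {
    uint32_t refs;
    bool     freed;            /* set when a "last put" frees the object */
};

/* --- atomic_t-style counter: no overflow protection, wraps silently --- */
static void plain_get(struct obj *o) { o->refs++; }
static void plain_put(struct obj *o)
{
    if (--o->refs == 0)
        o->freed = true;       /* models kfree() on last reference */
}

/* --- refcount_t-style counter: saturates instead of wrapping --- */
static bool sat_get(struct obj *o)
{
    if (o->refs == SAT_VALUE)                  /* already saturated: stay pinned */
        return false;
    if (o->refs == 0 || o->refs == SAT_VALUE - 1) {
        o->refs = SAT_VALUE;                   /* inc-from-zero or overflow: saturate */
        return false;                          /* the kernel would WARN here */
    }
    o->refs++;
    return true;
}
static bool sat_put(struct obj *o)
{
    if (o->refs == SAT_VALUE)                  /* saturated objects are never freed */
        return false;
    if (--o->refs == 0) {
        o->freed = true;
        return true;
    }
    return false;
}

/* Same scenario for both models: two extra gets push the count past the
 * wrap point, then exactly one of the many holders releases its reference. */
static bool plain_overflow_frees_live_object(void)
{
    struct obj o = { .refs = UINT32_MAX - 1, .freed = false };
    plain_get(&o);   /* UINT32_MAX */
    plain_get(&o);   /* wraps to 0: object now looks unreferenced */
    plain_get(&o);   /* 1 */
    plain_put(&o);   /* 0: freed while ~2^32 holders still point at it */
    return o.freed;  /* true: use-after-free for every remaining holder */
}

static bool sat_overflow_frees_live_object(void)
{
    struct obj o = { .refs = UINT32_MAX - 1, .freed = false };
    sat_get(&o);     /* saturates at SAT_VALUE */
    sat_get(&o);     /* stays saturated */
    sat_get(&o);
    sat_put(&o);     /* refuses to free: the object leaks instead */
    return o.freed;  /* false */
}

/* Sanity check that the saturating model still frees on the normal path. */
static bool sat_normal_lifecycle_frees(void)
{
    struct obj o = { .refs = 1, .freed = false };
    sat_get(&o);     /* 2 */
    sat_put(&o);     /* 1 */
    sat_put(&o);     /* 0: legitimate last reference */
    return o.freed;  /* true */
}
```

A leaked object is the intended failure mode: it is a denial-of-service at worst, where a wrapped counter hands an attacker a dangling pointer into freed memory.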
From: "Reshetova, Elena"
net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del':
net/netfilter/nfnetlink_acct.c:329:15: warning: unused variable 'refcount'
[-Wunused-variable]
unsigned int refcount;
^
Fixes: b54ab92b84b6 ("netfilter: refcounter conversions")
Signed-off-by:
From: Liping Zhang
When we want to validate the expr's dependency or hooks, we must do two
things to accomplish it. First, write a X_validate callback function
and point ->validate to it. Second, call X_validate in init routine.
This is very common, such as fib, nat, reject expr and so on ...
It
From: Hangbin Liu
Fix sync_threshold description which should have two values. Also add
sync_refresh_period and sync_retries based on commit 749c42b620a9
("ipvs: reduce sync rate with time thresholds").
Signed-off-by: Hangbin Liu
Signed-off-by: Simon Horman
---
Documentation/networking/ipvs-s
From: Hangbin Liu
Document sysctl sync_qlen_max and sync_sock_size based on
commit 1c003b1580e2 ("ipvs: wakeup master thread").
Signed-off-by: Hangbin Liu
Signed-off-by: Simon Horman
---
Documentation/networking/ipvs-sysctl.txt | 14 ++
1 file changed, 14 insertions(+)
diff --git
From: Colin Ian King
ret is initialized to zero and if it is set to non-zero in the
xt_entry_foreach loop then we exit via the out_free label. Hence
the check for ret being non-zero is redundant and can be removed.
Detected by CoverityScan, CID#1357132 ("Logically Dead Code")
Signed-off-by: Col
From: Hangbin Liu
Document sysctl sync_ports based on commit f73181c8288f ("ipvs: add support
for sync threads").
Signed-off-by: Hangbin Liu
Signed-off-by: Simon Horman
---
Documentation/networking/ipvs-sysctl.txt | 8
1 file changed, 8 insertions(+)
diff --git a/Documentation/netwo
From: Phil Sutter
Instead of the actual interface index or name, set destination register
to just 1 or 0 depending on whether the lookup succeeded or not if
NFTA_FIB_F_PRESENT was set in userspace.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nft_fib.h
From: Florian Westphal
also mark init_conntrack noinline, in most cases resolve_normal_ct will
find an existing conntrack entry.
   text    data     bss     dec     hex filename
  16735    5707     176   22618    585a net/netfilter/nf_conntrack_core.o
  16687    5707     176   22570    582a net/netfilt
From: Taehee Yoo
variable oiph is not used.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nf_reject_ipv4.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c
b/net/ipv4/netfilter/nf_reject_ipv4.c
index 146d86105183..7
On 3/20/2017 12:55 PM, f...@ikuai8.com wrote:
From: Gao Feng
In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack snmp
Angle brackets not needed. :-)
The commit citing style is the same as for the Fixes: tag.
helper"), the snmp_helper is replaced by nf_nat_snmp_hook.
From: Joe Perches
Logging output was changed when simple printks without KERN_CONT
are now emitted on a new line and KERN_CONT is required to continue
lines so use pr_cont.
Miscellanea:
o realign arguments
o use print_hex_dump instead of a local variant
Signed-off-by: Joe Perches
Signed-off-b
Hi David,
The following patchset contains Netfilter/IPVS updates for your
net-next tree. A couple of new features for nf_tables, and unsorted
cleanups and incremental updates for the Netfilter tree. More
specifically, they are:
1) Allow to check for TCP option presence via nft_exthdr, patch
fr
From: Florian Westphal
as the comment says, the function is always called with rcu read lock held.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/br_netfilter_hooks.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridg
From: Laura Garcia Liebana
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
For this purpose, the __skb_get_hash_symmetric() is used to
identify the flow as it uses FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL
flag by default.
The n
On Fri, Mar 17, 2017 at 12:03:17PM -0300, Elise Lennion wrote:
> This patch enables the command flush on flow tables, which removes all
> entries in it:
>
> $ nft flush flow table filter ft-https
>
> Command above flushes flow table 'ft-https' in table 'filter'.
Applied, thanks Elise.
On Fri, Mar 17, 2017 at 12:04:48PM -0300, Elise Lennion wrote:
> The add / delete operations weren't documented yet. They fit better
> in the sets and maps blocks since these operations are used to directly
> modify their content.
Applied, thanks.
A couple requests:
1) Could you check that flow
On Fri, Mar 17, 2017 at 12:04:06PM -0300, Elise Lennion wrote:
> This patch enables the command flush on maps, which removes all
> entries in it:
>
> $ nft flush map filter map1
>
> Command above flushes map 'map1' in table 'filter'.
>
> The documentation was updated accordingly.
Also applied,
On Mon, Mar 20, 2017 at 5:37 PM, Sergei Shtylyov
wrote:
> Hello!
>
> On 3/20/2017 4:44 AM, f...@ikuai8.com wrote:
>
>> From: Gao Feng
>>
>> In the commit ("netfilter: nf_conntrack: nf_conntrack snmp helper"),
>
>
>Need to specify the 12-digit SHA1 ID as well.
Thanks Sergei.
I didn't know it
On Sat, Mar 18, 2017 at 03:40:45PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> The helper module could register one helper expectfn by the function
> nf_ct_helper_expectfn_register. When the module is unloaded, it invokes
> the nf_ct_helper_expectfn_unregister to unregister the expectfn. B
On Mon, Mar 20, 2017 at 6:09 PM, Sergei Shtylyov
wrote:
> On 3/20/2017 12:55 PM, f...@ikuai8.com wrote:
>
>> From: Gao Feng
>>
>> In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack snmp
>
>
>Angle brackets not needed. :-)
>The commit citing style is the same as for the F
Hi list,
inspired by the 'packet-tracer' cli-command of cisco ASAs I have
implemented a linux application with the same functionality. For those
of you who are not familiar with the command, please read up at lpt's
homepage: http://www.o-schroeder.de/projects/lpt/
My question is if this might be
The refcount variable was accidentally introduced without any reference
to it. Removing it again avoids this warning:
net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del':
net/netfilter/nfnetlink_acct.c:329:15: error: unused variable 'refcount'
[-Werror=unused-variable]
Fixes: b54ab92
On Mon, Mar 20, 2017 at 6:44 PM, Pablo Neira Ayuso wrote:
> On Sat, Mar 18, 2017 at 03:40:45PM +0800, f...@ikuai8.com wrote:
>> From: Gao Feng
>>
>> The helper module could register one helper expectfn by the function
>> nf_ct_helper_expectfn_register. When the module is unloaded, it invokes
>> t
On Mon, Mar 20, 2017 at 01:37:01PM +0100, Arnd Bergmann wrote:
> The refcount variable was accidentally introduced without any reference
> to it. Removing it again avoids this warning:
>
> net/netfilter/nfnetlink_acct.c: In function 'nfnl_acct_try_del':
> net/netfilter/nfnetlink_acct.c:329:15: err
On Mon, Mar 20, 2017 at 11:44:42AM +0100, Pablo Neira Ayuso wrote:
> > diff --git a/net/netfilter/nf_conntrack_helper.c
> > b/net/netfilter/nf_conntrack_helper.c
> > index 6dc44d9..6c840af 100644
> > --- a/net/netfilter/nf_conntrack_helper.c
> > +++ b/net/netfilter/nf_conntrack_helper.c
> > @@ -13
On Mon, Mar 20, 2017 at 8:50 PM, Pablo Neira Ayuso wrote:
> On Mon, Mar 20, 2017 at 11:44:42AM +0100, Pablo Neira Ayuso wrote:
>> > diff --git a/net/netfilter/nf_conntrack_helper.c
>> > b/net/netfilter/nf_conntrack_helper.c
>> > index 6dc44d9..6c840af 100644
>> > --- a/net/netfilter/nf_conntrack_
On Mon, Mar 20, 2017 at 09:06:22PM +0800, Gao Feng wrote:
> On Mon, Mar 20, 2017 at 8:50 PM, Pablo Neira Ayuso
> wrote:
> > On Mon, Mar 20, 2017 at 11:44:42AM +0100, Pablo Neira Ayuso wrote:
> >> > diff --git a/net/netfilter/nf_conntrack_helper.c
> >> > b/net/netfilter/nf_conntrack_helper.c
> >>
On Mon, Mar 20, 2017 at 9:17 PM, Gao Feng wrote:
> On Mon, Mar 20, 2017 at 9:11 PM, Pablo Neira Ayuso
> wrote:
>> On Mon, Mar 20, 2017 at 09:06:22PM +0800, Gao Feng wrote:
>>> On Mon, Mar 20, 2017 at 8:50 PM, Pablo Neira Ayuso
>>> wrote:
>>> > On Mon, Mar 20, 2017 at 11:44:42AM +0100, Pablo Ne
From: Liping Zhang
Otherwise, another CPU may access the invalid pointer. For example:
      CPU0                    CPU1
        -                     rcu_read_lock();
        -                     pfunc = _hook_;
  _hook_ = NULL;                -
  mod unload                    -
        -                     pfunc(); // invalid, panic
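The two interleavings above, as an added single-threaded model (example code, not the patch or any netfilter code). Each function is one step on one CPU, so the ordering from the commit message can be replayed deterministically: the hook slot stands in for `_hook_`, `readers` counts CPUs inside a read-side critical section (what `synchronize_rcu()` waits for), and `module_live` models whether the module text is still mapped. The names `struct sys`, `reader_*`, `unloader_*` and `module_hook_impl` are the example's own.

```c
/*
 * Added example: replay of the hook-unload race from the commit message and
 * of the fixed ordering (clear pointer, wait a grace period, then unload).
 * Single-threaded model, not kernel code; names are the example's own.
 */
#include <stdbool.h>
#include <stddef.h>

typedef int (*hook_fn)(void);

static int module_hook_impl(void) { return 1; }   /* code owned by the module */

struct sys {
    hook_fn hook;        /* the published pointer (_hook_ in the message) */
    int     readers;     /* CPUs currently inside rcu_read_lock() */
    bool    module_live; /* false once the module text is "unloaded" */
};

/* CPU1, step 1: enter the read section and take the pointer. */
static hook_fn reader_enter(struct sys *s)
{
    s->readers++;                        /* rcu_read_lock() */
    return s->hook;                      /* pfunc = rcu_dereference(_hook_) */
}

/* CPU1, step 2: call what was read, then leave the read section.
 * In the kernel calling unmapped text panics; the model returns -1. */
static int reader_call_and_exit(struct sys *s, hook_fn pfunc)
{
    int ret = -1;
    if (pfunc && s->module_live)
        ret = pfunc();
    s->readers--;                        /* rcu_read_unlock() */
    return ret;
}

/* CPU0 as described in the message: clear and unload in one go. */
static void unloader_racy(struct sys *s)
{
    s->hook = NULL;
    s->module_live = false;              /* mod unload while a reader is inside */
}

/* Fixed CPU0: clear, then refuse to unload until every reader that may
 * have seen the old pointer has left its read section. Returns false while
 * the grace period is still pending; the caller retries later. */
static bool unloader_safe(struct sys *s)
{
    s->hook = NULL;                      /* RCU_INIT_POINTER(_hook_, NULL) */
    if (s->readers > 0)
        return false;                    /* synchronize_rcu() would block here */
    s->module_live = false;              /* safe: nobody can hold the old pointer */
    return true;
}

/* Interleaving from the message: returns -1 (the "invalid, panic" step). */
static int run_racy_interleaving(void)
{
    struct sys s = { module_hook_impl, 0, true };
    hook_fn pfunc = reader_enter(&s);        /* CPU1 reads the pointer */
    unloader_racy(&s);                       /* CPU0 clears and unloads */
    return reader_call_and_exit(&s, pfunc);  /* CPU1 calls freed code */
}

/* Same interleaving with the fixed unloader: the call succeeds (1) and the
 * unload completes only after the reader has exited. Returns -2 if the
 * module could not be unloaded at all. */
static int run_safe_interleaving(void)
{
    struct sys s = { module_hook_impl, 0, true };
    hook_fn pfunc = reader_enter(&s);
    bool unloaded = unloader_safe(&s);       /* reader inside: must wait */
    int ret = reader_call_and_exit(&s, pfunc); /* code still mapped: 1 */
    if (!unloaded)
        unloaded = unloader_safe(&s);        /* grace period over: unload */
    return unloaded ? ret : -2;
}

/* A reader arriving after the NULL write sees NULL and skips the call. */
static int run_late_reader(void)
{
    struct sys s = { module_hook_impl, 0, true };
    unloader_safe(&s);                       /* no readers: unloads at once */
    hook_fn pfunc = reader_enter(&s);        /* reads NULL */
    return reader_call_and_exit(&s, pfunc);  /* -1 here means "not called" */
}
```

The point the model makes is that writing NULL to the slot is only half of the teardown: any reader that already copied the pointer is past the NULL check, so the code behind it has to stay mapped until those readers have left their read sections.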
On Mon, Mar 20, 2017 at 9:11 PM, Pablo Neira Ayuso wrote:
> On Mon, Mar 20, 2017 at 09:06:22PM +0800, Gao Feng wrote:
>> On Mon, Mar 20, 2017 at 8:50 PM, Pablo Neira Ayuso
>> wrote:
>> > On Mon, Mar 20, 2017 at 11:44:42AM +0100, Pablo Neira Ayuso wrote:
>> >> > diff --git a/net/netfilter/nf_conn
From: Liping Zhang
In nfct_helper_nlmsg_build_policy(), we always set the attribute type to
NFCTH_POLICY_SET, so we cannot add more than one nfct_helper_policy to
the kernel.
Also: in nfct_helper_nlmsg_parse_policy(), we will increase the
helper->policy_num for each nfct_helper_policy, but we mi
On 03/20/2017 01:15 PM, Feng Gao wrote:
From: Gao Feng
In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack snmp
Angle brackets not needed. :-)
The commit citing style is the same as for the Fixes: tag.
The checkpatch.pl reports the following error, if remove the ang
Recursive use of sets is handled in parts by parser_bison.y, which
has a rule for inline unnamed sets in set_list_member_expr, e.g. like
this:
| add rule ip saddr { { 1.1.1.0, 2.2.2.0 }, 3.3.3.0 }
Yet there is another way to have an unnamed set inline, which is via
define:
| define myset = {
|
When merging a nested set into the parent one, we are actually replacing
one item with the items of the nested set. Therefore we have to remove
the replaced item from size.
The respective bug isn't as easy to trigger, since the size field seems
to be relevant only when set elements are ranges whic
This series fixes a number of issues with nested anonymous sets.
Phil Sutter (2):
evaluate: set: Allow for set elems to be sets
evaluate: set: Fix nested set merge size adjustment
src/evaluate.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
--
2.11.0
The tech committee would like to announce a new accepted workshop.
Jamal Hadi Salim will chair the Traffic Control (tc) workshop
Details are as follows:
-
Face to Face discussions on different tc topics
Current WAG agenda (subject to update):
New tc offloads since netdev 1.2
New features/r
Hi Jamal,
So, the interesting thing is that I've been automatically
re-subscribed to peo...@netdevconf.org about 1 day after
I explicitly unsubscribed. What do I need to do to stop
receiving those unsolicited emails ?
Best regards,
Mathieu
- On Mar 20, 2017, at 1:32 PM, Jamal Hadi Salim j.
On Mon, Mar 20, 2017 at 06:56:44PM +, Mathieu Desnoyers wrote:
> Hi Jamal,
>
> So, the interesting thing is that I've been automatically
> re-subscribed to peo...@netdevconf.org about 1 day after
> I explicitly unsubscribed. What do I need to do to stop
> receiving those unsolicited emails ?
On Tue, Mar 21, 2017 at 12:35 AM, Sergei Shtylyov
wrote:
> On 03/20/2017 01:15 PM, Feng Gao wrote:
>
From: Gao Feng
In the commit <93557f53e1fb> ("netfilter: nf_conntrack: nf_conntrack
snmp
>>>
>>>
>>>
>>>Angle brackets not needed. :-)
>>>The commit citing style is the
From: Gao Feng
In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
snmp_helper is never registered. But it still tries to unregister the
snmp_helper, it could cause the panic.
Now remove the useless snmp_helper
On Sun, Mar 19, 2017 at 05:55:06PM +0100, Linus Lüssing wrote:
> On Fri, Mar 17, 2017 at 02:10:44PM +0100, Pablo Neira Ayuso wrote:
> > Wait.
> >
> > May this break local multicast listener that are bound to the bridge
> > interface? Assuming the bridge interface got an IP address, and that
> > th
From: Gao Feng
Because the conntrack NAT module could be rmmod'ed at any time, we should
really leave things in clean state if such thing happens and make sure
we don't leave any packet running over code that will be gone after
the removal.
We only removed the expectations when unregister conntrack
From: Gao Feng
It is possible to invoke one expectfn whose module is already unloaded.
These two patches are used to fix it.
Gao Feng (2):
netfilter: helper: Rename struct nf_ct_helper_expectfn to
nf_ct_nat_helper
netfilter: helper: Fix possible panic caused by invoking expectfn
un
From: Gao Feng
Rename struct nf_ct_helper_expectfn to nf_ct_nat_helper, and rename
other functions or variables which refer to it.
The new name is better than the old one.
Signed-off-by: Gao Feng
---
v3: Rename the nf_ct_helper_expectfn, func, and member, per Pablo,
v2: Use the module as the