Re: [PATCH nf 2/2] netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr

2018-11-02 Thread kbuild test robot
Hi Pablo, I love your patch! Yet something to improve: [auto build test ERROR on nf/master] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-nf_-tcp-udp-sctp-icmp-dccp-icmpv6-generic-_pernet/20181102-101813 base: https://git.kernel.org/pub/scm/linux/kernel/git

[PATCH xtables] iptables-nft: fix bogus handling of zero saddr/daddr

2018-11-02 Thread Florian Westphal
rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check mask (or negation, for that matter). Fix this and add test cases too. This also revealed an ip6tables-nft-save bug, it would print ' !-d', not '! -d'. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287 Signed-off-by:

[PATCH nf,v2 1/2] netfilter: conntrack: add nf_{tcp,udp,sctp,icmp,dccp,icmpv6,generic}_pernet()

2018-11-02 Thread Pablo Neira Ayuso
Expose these functions to access conntrack protocol tracker netns area, nfnetlink_cttimeout needs this. Signed-off-by: Pablo Neira Ayuso --- v2: Place these functions in nf_conntrack_l4proto.h. Wrap nf_dccp_pernet() and nf_sctp_pernet() around ifdef -kbuild robot.

[PATCH nf,v2 2/2] netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr

2018-11-02 Thread Pablo Neira Ayuso
Otherwise, we hit a NULL pointer dereference since handlers always assume default timeout policy is passed. netlink: 24 bytes leftover after parsing attributes in process `syz-executor2'. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access

[PATCH nf] netfilter: nft_compat: ebtables 'nat' table is normal chain type

2018-11-02 Thread Florian Westphal
Unlike ip(6)tables, the ebtables nat table has no special properties. This bug causes 'ebtables -A' to fail when using a target such as 'snat' (ebt_snat target sets ".table = "nat"'). Targets that have no table restrictions work fine. Signed-off-by: Florian Westphal ---

[PATCH iptables 5/6] ebtables: add redirect test case

2018-11-02 Thread Florian Westphal
Signed-off-by: Florian Westphal --- extensions/libebt_redirect.c | 2 +- extensions/libebt_redirect.t | 4 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 extensions/libebt_redirect.t diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c index

[PATCH iptables 4/6] ebtables: add test cases

2018-11-02 Thread Florian Westphal
Signed-off-by: Florian Westphal --- extensions/libebt_802_3.t | 3 +++ extensions/libebt_arp.t | 11 +++ extensions/libebt_ip.t | 10 ++ extensions/libebt_ip6.t | 12 extensions/libebt_log.t | 6 ++ extensions/libebt_mark.t| 5 +

[PATCH iptables 1/6] tests: add basic ebtables test support

2018-11-02 Thread Florian Westphal
now that we have ebtables-save, let's add test cases for ebtables-nft as well. Signed-off-by: Florian Westphal --- extensions/libebt_standard.t | 6 ++ iptables-test.py | 13 ++--- 2 files changed, 16 insertions(+), 3 deletions(-) create mode 100644

[PATCH iptables 2/6] ebtables: fix -j CONTINUE handling for add/delete

2018-11-02 Thread Florian Westphal
-j CONTINUE can be added, but it can't be removed: extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d de:ad:be:ef:00:00 -j CONTINUE) This problem stems from silly ambiguity in ebtables-nft vs. iptables. In iptables, you can do iptables -A INPUT (no -j) in ebtables,

[PATCH iptables 0/6] misc. ebtables-nft improvements

2018-11-02 Thread Florian Westphal
This series fixes a few smaller bugs in ebtables-nft, adds the 'arpreply' target and adds initial test cases for all ebtables extensions ebtables-nft is supposed to support. It also adds the 'arpreply' target to ebtables-nft. Florian Westphal (6): tests: add basic ebtables test support