ted by Pablo. Also maintain current behavior for -w to
sleep for 1 second as mentioned by Liping.
v2->v3: Move the millisecond behavior to a new option as suggested
by Pablo.
Cc: Liping Zhang <zlpnob...@gmail.com>
Cc: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Subash Abhin
.@gmail.com>
Cc: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
iptables/ip6tables.c | 26 --
iptables/iptables.8.in | 7 +++
iptables/iptables.c | 26 ++
on error when enabling nftables
Cc: Liping Zhang <zlpnob...@gmail.com>
Cc: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
iptables/ip6tables.c | 26 --
iptables/iptables.8.in |
Minor change to remove the unused macro added as part of commit
e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 ("xtables: Add an interval
option for xtables lock wait")
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
iptables/xshared.c | 1 -
1 file cha
On 2017-03-15 07:45, Lorenzo Colitti wrote:
1. Factor out repeated code to a new xs_has_arg function.
2. Add a new parse_wait_time option to parse the value of -w.
3. Make parse_wait_interval take argc and argv so its callers
can be simpler.
Signed-off-by: Lorenzo Colitti
Delayed workqueue causes wakeups to idle CPUs. This was
causing a power impact for devices. Use deferrable work
queue instead so that gc_worker runs when CPU is active only.
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
net/netfilter/nf_conntrack_core.c | 2
if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
- transparent)
+ transparent && sk_fullsock(sk))
pskb->mark = sk->sk_mark;
if (sk != skb->sk)
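Review bot: the added `sk_fullsock(sk)` guard on the XT_SOCKET_RESTORESKMARK branch is the right place for it, since a request socket (TCP_NEW_SYN_RECV) is not a full socket and has no `sk_mark`, which is exactly the out-of-bounds read the KASAN report in this thread describes when restoring the mark from an inet request socket; the IPv6 match socket_mt6_v1_v2_v3() restores the mark the same way and needs the identical guard, otherwise the IPv6 path remains exposed.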
What about socket_mt6_v1_v2_v3() ?
Thanks.
Hi
ip_local_deliver_finish+0x174/0x3e0 net/ipv4/ip_input.c:216
Fixes: a9407388 ("netfilter: xt_socket: prepare for TCP_NEW_SYN_RECV
support")
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
net/netfilter/xt_socket.c | 2 +-
1 file changed, 1 insertio
On 2017-09-21 18:01, Eric Dumazet wrote:
On Thu, 2017-09-21 at 16:08 -0600, Subash Abhinov Kasiviswanathan wrote:
An out-of-bounds error was detected on an ARM64 target with
Android based kernel 4.9. This occurs while trying to
restore mark on a skb from an inet request socket.
BUG: KASAN
ip_local_deliver_finish+0x174/0x3e0 net/ipv4/ip_input.c:216
v1->v2: Change socket_mt6_v1_v2_v3() as well as mentioned by Eric
Fixes: a9407388 ("netfilter: xt_socket: prepare for TCP_NEW_SYN_RECV
support")
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
ip_local_deliver_finish+0x174/0x3e0 net/ipv4/ip_input.c:216
v1->v2: Change socket_mt6_v1_v2_v3() as well as mentioned by Eric
v2->v3: Put the correct fixes tag
Fixes: 01555e74bde5 ("netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag")
Signed-off-by: Subash Abhinov Kasivi
ter to pass in the priority during module load as suggested
by Pablo. Also update commit text.
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
net/ipv4/netfilter/iptable_raw.c | 14 +-
net/ipv4/netfilter/nf_defrag_ipv4.c | 2 +-
2 files changed, 14 i
. We need to introduce a lower
priority rule and deprecate the existing rule.
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
include/uapi/linux/netfilter_ipv4.h | 3 ++-
net/ipv4/netfilter/nf_defrag_ipv4.c | 6 +++---
2 files changed, 5 insertions(+), 4 del
We can probably skip defrag if explicit notrack is requested via rule.
Hi Pablo
Thanks for the suggestion. I tried this and it appears that defrag
occurs before NOTRACK is hit in raw table in PREROUTING. This is because
the defrag priority happens to be higher than that of RAW.
to be fragmented after encryption since
these packets were smaller in size than the wifi MTU.
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
Documentation/networking/ip-sysctl.txt | 3 +++
include/linux/inetdevice.h | 2 ++
include/uapi/linu
This breaks connection tracking for packets coming in via such
interfaces.
Nowadays we only enable defrag in a network namespace if the ip/nftables
ruleset requires it, so this setting would be counter-productive.
Hi Florian
This use case is run on an Android based device, so there will be
I'm actually referring to module_param(), that is specified at modprobe
time. Such parameter would set an alternative hook priority for the
raw table, ie. before the defrag hook. I guess there must be a way to
store these module parameters in Android, so whenever modprobe is
invoked, either
Would it work for you if this is specified via global modparam? I'm
telling this because:
1) This is changing the default behaviour, which is always tricky.
2) This is already solved in nftables, so whatever solution that we
apply, it should be iptables specific.
If modparam is fine, just
Can we get the same thing for IPv6, for symmetry?
Thanks!
Hi Pablo
Yes, I can include IPv6 in v3.
--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
On 2018-01-08 06:32, Pablo Neira Ayuso wrote:
Hi Subash,
One more concern before this gets upstream.
Do you think we can turn this into an on/off knob instead?
I mean, I think it's good if you add a new
NF_IP_PRI_RAW_BEFORE_DEFRAG and we place it into uapi.
I'm just worried about follow up
mit text.
v2->v3: Implement similar functionality for IPv6 as well
v3->v4: Add NF_IP_PRI_RAW_BEFORE_DEFRAG in uapi and make the module
load priority into an on/off knob. Add the module name to the print.
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
tle and
commit message accordingly.
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 15 ++-
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c
b/net/ipv6/
On 2018-01-11 23:35, Florian Westphal wrote:
Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> wrote:
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c
b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 977d890..a44c8b2 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/ne
On 2018-01-11 22:10, kbuild test robot wrote:
tree:
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
master
head: 902d6a4c2a4f411582689e53fb101895ffe99028
commit: 902d6a4c2a4f411582689e53fb101895ffe99028 [16/16] netfilter:
nf_defrag: Skip defrag if NOTRACK is set
config:
)
Reported-by: kbuild test robot <fengguang...@intel.com>
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
net/ipv4/netfilter/iptable_raw.c | 2 +-
net/ipv4/netfilter/nf_defrag_ipv4.c | 6 +-
net/ipv6/netfilter/ip6table_raw.c | 2
this cloned skb and pass on the
original skb.
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 15 +--
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 4 ++--
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git
was not released if an error in
IPv6 fragmentation header was detected by RFC2460.
Fixes: 83f1999caeb1 ("netfilter: ipv6: nf_defrag: Pass on packets to stack per
RFC2460")
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
Hi Pablo
This needs to be picked up f
ter to pass in the priority during module load as suggested
by Pablo. Also update commit text.
v2->v3: Implement similar functionality for IPv6 as well
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
net/ipv4/netfilter/iptable_raw.c | 14
;)
Signed-off-by: Tejaswi Tanikella <tejas...@codeaurora.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
Hi Pablo
This patch is a backport and it is for 4.9 and older kernels only.
---
net/netfilter/x
gned-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org>
---
Hi Pablo
This crash was seen on a 4.9 based kernel, so the call stack is slightly
different from current upstream code. xt_socket_lookup_slow_v{4,6} was replaced
by nf_sk_lookup_slow_v4 on newer kernels after commit
I think it's best if you wait before the patch ends up in Linus' tree so
you can reference the commit id from the backports commit message.
Hi Florian
Sure, I can do that.
--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project