Re: [PATCH net] nftables: use list_for_each_entry_safe_reverse to traversal commit_list in nf_tables_abort

> > No need to resend. > > Yes, we need this reverse iteration there to handle the 'delete table' > command in the batch. This problem happens since we have > nft_flush_table(). > > Other callsites are artificially restriction deletion of inactive > objects but that should be removed as we already

[ISSUE] nftables: !=range doesn't really work

nftable transform 'x !=a-b' in wrong way: cmp x < a cmp x > b which means x has to be xb. but it should be xb. It seems that the vm system in kernel is too simple and fast to provide some expr or process for this case, afaics. does upstream have been preparing some fix for this ? -- To

[PATCH net] netfilter: check duplicate config when initializing in ipt_CLUSTERIP

one. Suggested-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> Signed-off-by: Xin Long <lucien@gmail.com> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 26 +++--- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERI

[PATCHv2 net] netfilter: check duplicate config when initializing in ipt_CLUSTERIP

roc file node creation is done. v1->v2: correct the err clusterip_config_init returns. Suggested-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> Signed-off-by: Xin Long <lucien@gmail.com> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 34 +++---

Re: [PATCH net] netfilter: check duplicate config when initializing in ipt_CLUSTERIP

On Tue, Dec 20, 2016 at 8:48 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Thu, Dec 15, 2016 at 12:31:40PM +0800, Xin Long wrote: >> @@ -185,6 +186,17 @@ clusterip_config_init(const struct >> ipt_clusterip_tgt_info *i, __be32 ip, >> atomic_set(>ref

Re: [PATCH net] net: sched: fix NULL pointer dereference when action calls some targets

On Wed, Aug 9, 2017 at 7:33 AM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Mon, Aug 7, 2017 at 7:33 PM, Xin Long <lucien@gmail.com> wrote: >> On Tue, Aug 8, 2017 at 9:15 AM, Cong Wang <xiyou.wangc...@gmail.com> wrote: >>> This looks like a completely

Re: [PATCH net] net: sched: fix NULL pointer dereference when action calls some targets

On Thu, Aug 17, 2017 at 5:57 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Wed, Aug 16, 2017 at 1:39 AM, Xin Long <lucien@gmail.com> wrote: >> On Wed, Aug 9, 2017 at 7:33 AM, Cong Wang <xiyou.wangc...@gmail.com> wrote: >>> On Mon, Aug 7, 2017 at 7:3

Re: [PATCH net] net: sched: fix NULL pointer dereference when action calls some targets

On Thu, Aug 17, 2017 at 10:33 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Thu, Aug 17, 2017 at 12:02:20PM +0200, Pablo Neira Ayuso wrote: >> On Wed, Aug 16, 2017 at 08:39:44PM +1200, Xin Long wrote: >> > On Wed, Aug 9, 2017 at 7:33 AM, Cong Wang <xiyo

[PATCH net] netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info

hu...@redhat.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Xin Long <lucien@gmail.com> --- net/netfilter/nf_nat_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index eb54178..b1d3740

[PATCH net] netfilter: do not hold dev in ipt_CLUSTERIP

Jianlin Shi <ji...@redhat.com> Signed-off-by: Xin Long <lucien@gmail.com> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 31 ++- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTER

[PATCHv2 net] netfilter: do not hold dev in ipt_CLUSTERIP

tch doesn't remove the codes checking if the dev exists before creating a config. v1->v2: - As Pablo Neira Ayuso's suggestion, register a netdevice notifier to manage c->ifindex and dev's mc. Reported-by: Jianlin Shi <ji...@redhat.com> Signed-off-by: Xin Long <lucien@g

Re: [PATCH net] netfilter: do not hold dev in ipt_CLUSTERIP

On Wed, May 24, 2017 at 5:26 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sat, May 20, 2017 at 05:08:06PM +0800, Xin Long wrote: >> It's a terrible thing to hold dev in iptables target. When the dev is >> being removed, unregister_netdevice has to wait for the

[PATCH net 1/2] netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet

means ipvs will accept it without creating a conn for it, just like what it does for tcp. Fixes: 5e26b1b3abce ("ipvs: support scheduling inverse and icmp SCTP packets") Reported-by: Li Shuang <shu...@redhat.com> Signed-off-by: Xin Long <lucien@gmail.com> --- net/netfilter/ipvs/i

[PATCH net 2/2] netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule

There's no reason for ipvs to create a conn for an ABORT packet even if sysctl_sloppy_sctp is set. This patch is to accept it without creating a conn, just as ipvs does for tcp's RST packet. Signed-off-by: Xin Long <lucien@gmail.com> --- net/netfilter/ipvs/ip_vs_proto_sctp.c | 3 ++-

[PATCH net 0/2] netfilter: ipvs: some fixes in sctp_conn_schedule

Patch 1/2 fixes the regression introduced by commit 5e26b1b3abce. Patch 2/2 makes ipvs not create conn for sctp ABORT packet. Xin Long (2): netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet netfilter: ipvs: do not create conn for ABORT packet

Re: [PATCH net] netfilter: on setsockopt() acquire sock lock only in the required scope

On Thu, Feb 8, 2018 at 6:38 PM, Paolo Abeni wrote: > The Syzbot reported a possible deadlock in the netfilter area caused by > rtnl lock, xt lock and socket lock being acquired with a different order > on different code paths, leading to the following backtrace: > >

Re: [PATCH net v2] netfilter: drop outermost socket lock in getsockopt()

err = compat_nf_getsockopt(sk, PF_INET6, > - optname, optval, ); > - release_sock(sk); > + err = compat_nf_getsockopt(sk, PF_INET6, optname, optval, > ); > if (err >= 0) > err = put_user(len, optlen); > } > -- > 2.14.3 > Reviewed-by: Xin Long <lucien@gmail.com> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

[PATCH net] netfilter: unlock xt_table earlier in __do_replace

, just as do_replace_finish does for ebtables. Signed-off-by: Xin Long <lucien@gmail.com> --- net/ipv4/netfilter/arp_tables.c | 3 ++- net/ipv4/netfilter/ip_tables.c | 3 ++- net/ipv6/netfilter/ip6_tables.c | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ne