[PATCH nf v2] netfilter: nat: limit port clash resolution attempts

2018-12-08 Thread Florian Westphal
In case almost or all available ports are taken, clash resolution can take a very long time, resulting in soft lockup. This can happen when many to-be-natted hosts connect to same destination:port (e.g. a proxy) and all connections pass the same SNAT. Pick a random offset in the acceptable

Re: Another compilation error

2018-12-08 Thread Ansuel Smith
Sorry already patched. Ignore this. On Sat 8 Dec 2018 at 20:29 Ansuel Smith wrote: > > Think is triggered with nftables support > > In file included from > /home/daniel/Build/openwrt-ath79/staging_dir/toolchain-mips_24kc_gcc-7.3.0_musl/include/net/ethernet.h:10:0, >

Another compilation error

2018-12-08 Thread Ansuel Smith
Think is triggered with nftables support In file included from /home/daniel/Build/openwrt-ath79/staging_dir/toolchain-mips_24kc_gcc-7.3.0_musl/include/net/ethernet.h:10:0, from ../iptables/nft-bridge.h:8, from libebt_vlan.c:18:

Re: [PATCH nf] netfilter: nat: limit port clash resolution attempts

2018-12-08 Thread Florian Westphal
Xiaozhou Liu wrote: > > + for (i = 0; i < attempts; ++off) { > > *portptr = htons(min + off % range_size); > > - if (++i != range_size && nf_nat_used_tuple(tuple, ct)) > > + if (nf_nat_used_tuple(tuple, ct)) > > continue; > > if
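
Review bot: in the part of the hunk visible here nothing advances i once `++i` is taken out of the if condition: the header is `for (i = 0; i < attempts; ++off)` and the `continue` on a used tuple goes back to the condition without counting the attempt, so unless the cut-off loop body increments i, a fully used port range makes this loop never terminate, which is the soft lockup the patch is meant to remove. Moving the increment into the loop header, `for (i = 0; i < attempts; i++, off++)`, keeps the attempt bound on the `continue` path as well.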

Re: [PATCH nf] netfilter: nat: limit port clash resolution attempts

2018-12-08 Thread Xiaozhou Liu
On Sat, Dec 08, 2018 at 11:07:44AM +0100, Florian Westphal wrote: > Pablo, > > this will unfortunately result in a nf-next merge conflict > due to *rover removal in nf-next. > I can send a patch vs. nf-next instead if you prefer. > > net/netfilter/nf_nat_proto_common.c | 26

[PATCH nf] netfilter: nat: limit port clash resolution attempts

2018-12-08 Thread Florian Westphal
In case almost or all available ports are taken, clash resolution can take a very long time, resulting in soft lockup. This can happen when many to-be-natted hosts connect to same destination:port (e.g. a proxy) and all connections pass the same SNAT. Pick a random offset in the acceptable
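
The search the patches above describe, as an added example that is not part of the patches or of the kernel: a user-space model in which a bitmap plays the role of the conntrack table, pick_port_unbounded() walks the whole range the way the pre-patch code does, and pick_port_bounded() caps the number of lookups and retries from fresh random offsets with a shrinking window. The cap of 128, the halving, the stop-below-16 rule and the LCG standing in for prandom_u32() are this example's assumptions, not values taken from the patch text shown here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a user-space model of NAT source-port
 * selection. The bitmap stands in for the conntrack-table lookup that
 * nf_nat_used_tuple() performs; the retry policy (128 attempts, halve the
 * window on each retry, stop below 16) is this example's assumption. */

#define PORT_MIN     1024u
#define PORT_MAX     65535u
#define RANGE_SIZE   (PORT_MAX - PORT_MIN + 1)
#define MAX_ATTEMPTS 128u

static uint8_t used_bitmap[65536 / 8];

static bool port_used(unsigned int port)
{
	return used_bitmap[port / 8] & (1u << (port % 8));
}

void reset_ports(void)
{
	memset(used_bitmap, 0, sizeof(used_bitmap));
}

/* Take every port in the range except free_port (0 means: take them all),
 * i.e. the "thousands of clients behind one SNAT to one proxy" situation. */
void fill_ports_except(unsigned int free_port)
{
	for (unsigned int p = PORT_MIN; p <= PORT_MAX; p++)
		if (p != free_port)
			used_bitmap[p / 8] |= (1u << (p % 8));
}

/* Deterministic stand-in for prandom_u32() so the retries can be tested. */
static unsigned int lcg_next(unsigned int *state)
{
	*state = *state * 1103515245u + 12345u;
	return *state;
}

/* Pre-patch shape: walk the whole range from start_off until a free port
 * turns up. Returns the number of lookups made; *port is 0 if none was free.
 * With all 64512 ports taken that is 64512 lookups per new flow, in softirq
 * context, which is where the soft lockup comes from. */
unsigned int pick_port_unbounded(unsigned int start_off, unsigned int *port)
{
	unsigned int off = start_off;

	*port = 0;
	for (unsigned int i = 0; i < RANGE_SIZE; i++, off++) {
		unsigned int p = PORT_MIN + off % RANGE_SIZE;

		if (!port_used(p)) {
			*port = p;
			return i + 1;
		}
	}
	return RANGE_SIZE;
}

/* Bounded shape: at most MAX_ATTEMPTS lookups from first_off (a tuple hash
 * or random value in the kernel), then retry from a fresh random offset with
 * half the window, giving up once the window is below 16. Worst case is
 * 128 + 64 + 32 + 16 + 8 = 248 lookups instead of 64512. */
unsigned int pick_port_bounded(unsigned int first_off, unsigned int *rng_state,
			       unsigned int *port)
{
	unsigned int attempts = RANGE_SIZE < MAX_ATTEMPTS ? RANGE_SIZE : MAX_ATTEMPTS;
	unsigned int off = first_off, lookups = 0;

	*port = 0;
	for (;;) {
		for (unsigned int i = 0; i < attempts; i++, off++) {
			unsigned int p = PORT_MIN + off % RANGE_SIZE;

			lookups++;
			if (!port_used(p)) {
				*port = p;
				return lookups;
			}
		}
		/* Give up: the flow keeps a clashing tuple and is dropped at
		 * confirmation time, rather than the CPU spinning here. */
		if (attempts >= RANGE_SIZE || attempts < 16)
			return lookups;
		attempts /= 2;
		off = lcg_next(rng_state);
	}
}

int main(void)
{
	unsigned int port, rng = 1;

	fill_ports_except(0);
	printf("all ports taken: unbounded search = %u lookups\n",
	       pick_port_unbounded(0, &port));
	printf("all ports taken: bounded search   = %u lookups\n",
	       pick_port_bounded(0, &rng, &port));
	return 0;
}
```

With every port in the range taken, the unbounded search costs 64512 lookups per new flow; the bounded one costs at most 248 and then leaves the clash to be rejected when the connection is confirmed. That is the trade the patch makes: a dropped packet under port exhaustion instead of a soft lockup.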

[PATCH nf] netfilter: nf_conncount: use rb_link_node_rcu() instead of rb_link_node()

2018-12-07 Thread Taehee Yoo
rbnode in insert_tree() is an rcu protected pointer. So, in order to handle this pointer, an _rcu function should be used. rb_link_node_rcu() is an rcu version of rb_link_node(). Fixes: 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal") Signed-off-by: Taehee Yoo ---

Re: [PATCH RFC] src: support for arp ether and IP source and destination fields

2018-12-07 Thread Pablo Neira Ayuso
On Fri, Dec 07, 2018 at 02:05:15PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > Add ip-saddr, ip-daddr, ether-saddr, ether-daddr for arp, eg. > > > > # nft add table arp x > > # nft add chain arp x y { type filter hook input priority 0\; } > > # nft add rule arp x y arp

Re: [PATCH RFC] src: support for arp ether and IP source and destination fields

2018-12-07 Thread Florian Westphal
Pablo Neira Ayuso wrote: > Add ip-saddr, ip-daddr, ether-saddr, ether-daddr for arp, eg. > > # nft add table arp x > # nft add chain arp x y { type filter hook input priority 0\; } > # nft add rule arp x y arp ip-saddr 192.168.2.1 counter 'arp {ip,ether} {s,d}addr' would create ambiguities?

[PATCH RFC] src: support for arp ether and IP source and destination fields

2018-12-07 Thread Pablo Neira Ayuso
Add ip-saddr, ip-daddr, ether-saddr, ether-daddr for arp, eg. # nft add table arp x # nft add chain arp x y { type filter hook input priority 0\; } # nft add rule arp x y arp ip-saddr 192.168.2.1 counter Testing this: # ip neigh flush dev eth0 # ping 8.8.8.8 # nft list ruleset table arp

Re: [PATCH nf] netfilter: seqadj: re-load tcp header pointer after possible head reallocation

2018-12-07 Thread Pablo Neira Ayuso
On Wed, Dec 05, 2018 at 02:12:19PM +0100, Florian Westphal wrote: > When adjusting sack block sequence numbers, skb_make_writable() gets > called to make sure tcp options are all in the linear area, and buffer > is not shared. > > This can cause tcp header pointer to get reallocated, so we must >

Re: [libnftnl PATCH 0/2] chain: Support per chain rules list

2018-12-07 Thread Pablo Neira Ayuso
On Thu, Dec 06, 2018 at 05:17:50PM +0100, Phil Sutter wrote: > This series implements a rule list in chains to allow for per chain rule > caches in iptables-nft as well as nftables. > > A second patch then adds utility functions for chain and rule lookups, > preparing for further optimizing these

[libnftnl PATCH 0/2] chain: Support per chain rules list

2018-12-06 Thread Phil Sutter
This series implements a rule list in chains to allow for per chain rule caches in iptables-nft as well as nftables. A second patch then adds utility functions for chain and rule lookups, preparing for further optimizing these tasks in a transparent way since users won't open-code the chain/rule

[libnftnl PATCH 2/2] chain: Add lookup functions for chain list and rules in chain

2018-12-06 Thread Phil Sutter
For now, these lookup functions simply iterate over the linked list until they find the right entry. In future, they may make use of more optimized data structures behind the curtains. Signed-off-by: Phil Sutter --- include/libnftnl/chain.h | 2 ++ src/chain.c | 28

[PATCH v2 nf-next] netfilter: conntrack: udp: only extend timeout to stream mode after 2s

2018-12-06 Thread Florian Westphal
Currently DNS resolvers that send both A and AAAA queries from the same source port can trigger stream mode prematurely, which results in a non-early-evictable conntrack entry for three minutes, even though DNS requests are done in a few milliseconds. Add a two second grace period where we continue to

[PATCH nf-next] netfilter: conntrack: udp: reduce default timeouts

2018-12-05 Thread Florian Westphal
We have no explicit signal when a UDP stream has terminated, peers just stop sending. For unreplied UDP case, 10 seconds should be enough to cover delayed replies, and for suspected stream connections a timeout of two minutes is sane to keep NAT mapping alive a while longer. It matches tcp

[PATCH nf-next] netfilter: conntrack: udp: only extend timeout after 2s

2018-12-05 Thread Florian Westphal
DNS resolvers that send both A and AAAA queries from the same source port can trigger stream mode prematurely, which results in a non-early-evictable ct for three minutes, even though the request is done after a few milliseconds. Add a two second grace period where we continue to use the ordinary
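
A user-space model of the timeout decision the three UDP conntrack patches above describe (shorter defaults, and stream mode only once the entry is older than a 2s grace period), added here as an example; it is not the kernel's nf_conntrack_proto_udp code. struct udp_ct and the millisecond clock are invented stand-ins, the timeout values are the ones proposed in those patches, and the constructed traffic is a resolver's A and AAAA exchange on a single source port.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not kernel code: a user-space model of the UDP conntrack
 * timeout decision. The values are the ones proposed on the list (10s
 * unreplied, 120s stream) plus the 2s grace period; struct udp_ct is an
 * invented stand-in for the conntrack entry. All times are milliseconds. */

#define UDP_TIMEOUT_UNREPLIED_MS  10000u
#define UDP_TIMEOUT_STREAM_MS    120000u
#define UDP_STREAM_GRACE_MS        2000u

enum dir { DIR_ORIGINAL, DIR_REPLY };

struct udp_ct {
	unsigned int created_ms; /* creation time, the "stream_ts" the patch adds */
	bool seen_reply;         /* IPS_SEEN_REPLY: traffic seen in both directions */
	bool assured;            /* IPS_ASSURED: not early-evictable under table pressure */
};

void udp_ct_init(struct udp_ct *ct, unsigned int now_ms)
{
	ct->created_ms = now_ms;
	ct->seen_reply = false;
	ct->assured = false;
}

/* Pre-patch behaviour: the first reply switches to stream mode, so a DNS
 * query/answer pair pins an ASSURED entry for the full stream timeout. */
unsigned int udp_refresh_old(struct udp_ct *ct, enum dir d, unsigned int now_ms)
{
	(void)now_ms;
	if (d == DIR_REPLY)
		ct->seen_reply = true;
	if (ct->seen_reply) {
		ct->assured = true;
		return UDP_TIMEOUT_STREAM_MS;
	}
	return UDP_TIMEOUT_UNREPLIED_MS;
}

/* Patched behaviour: within the grace period a reply only keeps the short
 * timeout; stream mode (long timeout, ASSURED) needs bidirectional traffic
 * on an entry that is already older than the grace period. */
unsigned int udp_refresh_new(struct udp_ct *ct, enum dir d, unsigned int now_ms)
{
	if (d == DIR_REPLY)
		ct->seen_reply = true;
	if (ct->seen_reply && now_ms - ct->created_ms > UDP_STREAM_GRACE_MS) {
		ct->assured = true;
		return UDP_TIMEOUT_STREAM_MS;
	}
	return UDP_TIMEOUT_UNREPLIED_MS;
}

/* Constructed traffic: a resolver sending an A and an AAAA query from one
 * source port, both answered within a few milliseconds. Returns the timeout
 * the entry is left with; *assured reports its ASSURED state. */
unsigned int dns_pair_timeout(unsigned int (*refresh)(struct udp_ct *, enum dir, unsigned int),
			      bool *assured)
{
	struct udp_ct ct;
	unsigned int timeout;

	udp_ct_init(&ct, 1000);
	refresh(&ct, DIR_ORIGINAL, 1000);          /* A query */
	refresh(&ct, DIR_REPLY, 1004);             /* A answer */
	refresh(&ct, DIR_ORIGINAL, 1005);          /* AAAA query */
	timeout = refresh(&ct, DIR_REPLY, 1011);   /* AAAA answer */
	*assured = ct.assured;
	return timeout;
}

int main(void)
{
	bool assured;
	unsigned int t;

	t = dns_pair_timeout(udp_refresh_old, &assured);
	printf("old: timeout %u ms, assured=%d\n", t, assured);
	t = dns_pair_timeout(udp_refresh_new, &assured);
	printf("new: timeout %u ms, assured=%d\n", t, assured);
	return 0;
}
```

The old logic leaves the DNS entry ASSURED with the stream timeout after a few milliseconds of traffic; the new logic keeps it on the short, evictable timeout, and only a flow still exchanging packets after the grace period is promoted.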

[PATCH nf-next] netfilter: nat: remove unnecessary 'else if' branch

2018-12-05 Thread Xiaozhou Liu
Since a pseudo-random starting point is used in finding a port in the default case, that 'else if' branch above is no longer a necessity. So remove it to simplify code. Signed-off-by: Xiaozhou Liu --- net/netfilter/nf_nat_proto_common.c | 2 -- 1 file changed, 2 deletions(-) diff --git

[PATCH nf] netfilter: seqadj: re-load tcp header pointer after possible head reallocation

2018-12-05 Thread Florian Westphal
When adjusting sack block sequence numbers, skb_make_writable() gets called to make sure tcp options are all in the linear area, and buffer is not shared. This can cause tcp header pointer to get reallocated, so we must reload it to avoid memory corruption. This bug pre-dates git history.
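
The pointer-invalidation pattern behind this fix, as an added user-space example rather than kernel code: struct pkt stands in for an sk_buff, pkt_make_writable() for skb_make_writable(), and a shared buffer is replaced by a private copy so that a header pointer computed before the call is stale afterwards. The example keeps the old buffer (poisoned) instead of freeing it so the stale write can be observed rather than being a use-after-free; the header and SACK layouts are cut down to the fields needed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not kernel code: a user-space model of the seqadj bug.
 * struct pkt stands in for an sk_buff whose head may move when it is made
 * writable; the TCP header and SACK block are cut down to the fields the
 * example needs. Unlike the kernel, the old buffer is kept (poisoned) rather
 * than freed, so the stale write is observable instead of a use-after-free. */

struct tcphdr_min { uint32_t seq; uint32_t ack_seq; };
struct sack_block { uint32_t start_seq; uint32_t end_seq; };

struct pkt {
	unsigned char *head;       /* current linear buffer */
	unsigned char *old_head;   /* example-only: previous buffer after a copy */
	size_t len;
	int shared;                /* shared with another holder: copy before writing */
};

/* Model of skb_make_writable(): a shared buffer is replaced by a private
 * copy, so any pointer computed from the old head is now stale. */
int pkt_make_writable(struct pkt *p)
{
	unsigned char *copy;

	if (!p->shared)
		return 1;
	copy = malloc(p->len);
	if (!copy)
		return 0;
	memcpy(copy, p->head, p->len);
	memset(p->head, 0xAA, p->len);   /* poison; the kernel would free it */
	p->old_head = p->head;
	p->head = copy;
	p->shared = 0;
	return 1;
}

/* Constructed packet: a minimal TCP header followed by one SACK block. */
struct pkt *pkt_new(uint32_t sack_start, uint32_t sack_end, int shared)
{
	struct pkt *p = calloc(1, sizeof(*p));
	struct tcphdr_min th = { 1000, 2000 };
	struct sack_block sb = { sack_start, sack_end };

	if (!p)
		return NULL;
	p->len = sizeof(th) + sizeof(sb);
	p->head = malloc(p->len);
	if (!p->head) {
		free(p);
		return NULL;
	}
	memcpy(p->head, &th, sizeof(th));
	memcpy(p->head + sizeof(th), &sb, sizeof(sb));
	p->shared = shared;
	return p;
}

void pkt_free(struct pkt *p)
{
	if (!p)
		return;
	free(p->old_head);
	free(p->head);
	free(p);
}

uint32_t pkt_sack_start(const struct pkt *p)
{
	struct sack_block sb;

	memcpy(&sb, p->head + sizeof(struct tcphdr_min), sizeof(sb));
	return sb.start_seq;
}

/* The bug: the header pointer is taken before the buffer may move and is
 * still used afterwards, so the adjustment lands in the old buffer. */
int adjust_sack_buggy(struct pkt *p, uint32_t delta)
{
	unsigned char *tcph = p->head;   /* pointer into the old head */
	struct sack_block sb;

	if (!pkt_make_writable(p))
		return 0;
	memcpy(&sb, tcph + sizeof(struct tcphdr_min), sizeof(sb));
	sb.start_seq += delta;
	sb.end_seq += delta;
	memcpy(tcph + sizeof(struct tcphdr_min), &sb, sizeof(sb));
	return 1;
}

/* The fix: make the buffer writable first, then reload the header pointer. */
int adjust_sack_fixed(struct pkt *p, uint32_t delta)
{
	unsigned char *tcph;
	struct sack_block sb;

	if (!pkt_make_writable(p))
		return 0;
	tcph = p->head;                  /* reloaded after the possible move */
	memcpy(&sb, tcph + sizeof(struct tcphdr_min), sizeof(sb));
	sb.start_seq += delta;
	sb.end_seq += delta;
	memcpy(tcph + sizeof(struct tcphdr_min), &sb, sizeof(sb));
	return 1;
}

int main(void)
{
	struct pkt *p = pkt_new(5000, 6000, 1);

	adjust_sack_buggy(p, 100);
	printf("buggy: SACK start after +100 = %u (wanted 5100)\n", (unsigned)pkt_sack_start(p));
	pkt_free(p);
	p = pkt_new(5000, 6000, 1);
	adjust_sack_fixed(p, 100);
	printf("fixed: SACK start after +100 = %u\n", (unsigned)pkt_sack_start(p));
	pkt_free(p);
	return 0;
}
```

The unshared case is why the bug could hide for so long: when no copy is made the stale pointer is still the live one and the buggy routine works. Only a shared or non-linear buffer, the case skb_make_writable() exists for, moves the head.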

Re: Proposal: rename of arptables.git and ebtables.git

2018-12-05 Thread Pablo Neira Ayuso
On Wed, Dec 05, 2018 at 12:18:30PM +0100, Arturo Borrero Gonzalez wrote: [...] > I would apply the -legacy renaming patch regardless. We already did this > with arptables after the agreement @ NFWS. In fact, me sending the patch > now (instead of last summer) is just my lack of time to write it

Re: Proposal: rename of arptables.git and ebtables.git

2018-12-05 Thread Arturo Borrero Gonzalez
On 12/4/18 11:57 AM, Pablo Neira Ayuso wrote: > On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote: >> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote: >>> On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote: Hi, Now that the iptables.git repo offers

Re: stable nftables kernel changes for port to 3.12 kernel

2018-12-05 Thread Pablo Neira Ayuso
On Wed, Dec 05, 2018 at 12:59:43AM +0200, Pavel Melnik wrote: > Hi > > > I'd just change NF_IP6_PRI_RAW to -450 and use ip6tables rules in raw > > table. > > We will try, thanks Have a look at: commit 902d6a4c2a4f411582689e53fb101895ffe99028 Author: Subash Abhinov Kasiviswanathan Date: Wed

Re: stable nftables kernel changes for port to 3.12 kernel

2018-12-04 Thread Pavel Melnik
Hi I'd just change NF_IP6_PRI_RAW to -450 and use ip6tables rules in raw table. We will try, thanks nft add table ip6 filter nft add chain ... and so on. I have tried this, but no effect .. Regards, Pavel

Re: stable nftables kernel changes for port to 3.12 kernel

2018-12-04 Thread Florian Westphal
Pavel Melnik wrote: > We were asked to implement functionality to drop fragmented IPv6 packets, > addressed to local interface, on device based 3.12 kernel Urgh. I'd just change NF_IP6_PRI_RAW to -450 and use ip6tables rules in raw table. > But we observed the 'same' issue if try to use

stable nftables kernel changes for port to 3.12 kernel

2018-12-04 Thread Pavel Melnik
Hi We were asked to implement functionality to drop fragmented IPv6 packets, addressed to local interface, on device based 3.12 kernel As I understand it's not possible to do this by ip6tables rule in the case when nf_conntrack is enabled, but it is possible with nftables Could you please

Re: Proposal: rename of arptables.git and ebtables.git

2018-12-04 Thread Jan Engelhardt
On Tuesday 2018-12-04 11:57, Pablo Neira Ayuso wrote: >On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote: >> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote: >> > On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote: >> >> Hi, >> >> >> >> Now that the iptables.git repo

Re: Proposal: rename of arptables.git and ebtables.git

2018-12-04 Thread Pablo Neira Ayuso
On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote: > On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote: > > On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote: > >> Hi, > >> > >> Now that the iptables.git repo offers arptables-nft and ebtables-nft, > >> arptables.git holds

Re: Proposal: rename of arptables.git and ebtables.git

2018-12-04 Thread Arturo Borrero Gonzalez
On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote: > On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote: >> Hi, >> >> Now that the iptables.git repo offers arptables-nft and ebtables-nft, >> arptables.git holds arptables-legacy, etc, why don't we just rename the >> repos? >> >> * from

Re: [PATCH v3] netfilter/ipset: replace a strncpy() with strscpy()

2018-12-04 Thread Jozsef Kadlecsik
Hi, On Sat, 1 Dec 2018, Qian Cai wrote: > To make overflows as obvious as possible and to prevent code from blithely > proceeding with a truncated string. This also has a side-effect to fix a > compilation warning when using GCC 8.2.1. > > net/netfilter/ipset/ip_set_core.c: In function

Re: [PATCH nf] netfilter: nf_tables: fix suspicious RCU usage in nft_chain_stats_replace()

2018-12-03 Thread Pablo Neira Ayuso
On Mon, Nov 26, 2018 at 08:03:30PM +0900, Taehee Yoo wrote: > basechain->stats is rcu protected data. > And write critical section of basechain->stats data is > nft_chain_stats_replace(). > The function is executed in commit phase. so that actually commit_mutex > lock protects that. > Hence

[PATCH nft] parser: bail out on incorrect burst unit

2018-12-03 Thread Pablo Neira Ayuso
Burst can be either bytes or packets, depending on the rate limit unit. # nft add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets Error: syntax error, unexpected packets, expecting string or bytes add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets

Re: [PATCH RESEND iptables] include: extend the headers conflict workaround to in6.h

2018-12-03 Thread Pablo Neira Ayuso
On Sun, Dec 02, 2018 at 06:56:34PM +0200, Baruch Siach wrote: > Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2") > introduced a kernel/user headers conflict workaround that allows build > of iptables with kernel headers older than 4.2. This minor extension > allows build

Re: [iptables PATCH] extensions: libipt_realm: Document allowed realm values

2018-12-03 Thread Pablo Neira Ayuso
On Mon, Dec 03, 2018 at 02:52:28PM +0100, Phil Sutter wrote: > Older versions of iptables allowed for negative realm values by accident > (they would be cast to unsigned). While this was clearly a bug, document > the fixed behaviour. Applied, thanks Phil.

[iptables PATCH] extensions: libipt_realm: Document allowed realm values

2018-12-03 Thread Phil Sutter
Older versions of iptables allowed for negative realm values by accident (they would be cast to unsigned). While this was clearly a bug, document the fixed behaviour. Signed-off-by: Phil Sutter --- extensions/libipt_realm.man | 2 ++ 1 file changed, 2 insertions(+) diff --git

[PATCH v3] netfilter: nf_conntrack_sip: add sip_external_media logic

2018-12-03 Thread Alin Nastac
From: Alin Nastac Allow media streams that are not passing through this router. When enabled, the sip_external_media logic will leave SDP payload untouched when it detects that the interface towards the INVITEd party is the same as the one towards the media endpoint. Signed-off-by: Alin Nastac ---

[PATCH v3] netfilter/ipset: replace a strncpy() with strscpy()

2018-12-01 Thread Qian Cai
To make overflows as obvious as possible and to prevent code from blithely proceeding with a truncated string. This also has a side-effect to fix a compilation warning when using GCC 8.2.1. net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get':

[PATCH nft] doc: nft: document ct count

2018-12-01 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- doc/payload-expression.txt | 8 1 file changed, 8 insertions(+) diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt index a2284ce8c3d9..eb98e5d7898c 100644 --- a/doc/payload-expression.txt +++ b/doc/payload-expression.txt @@ -619,5

Re: [PATCH v2] netfilter: ipset: replace a strncpy() with strscpy()

2018-12-01 Thread Jozsef Kadlecsik
Hi, On Mon, 26 Nov 2018, Qian Cai wrote: > To make overflows as obvious as possible and to prevent code from blithely > proceeding with a truncated string. This also has a side-effect to fix a > compilation warning when using GCC 8.2.1. > > net/netfilter/ipset/ip_set_core.c: In function

Re: [PATCH nf-next] netfilter: nat: remove l4 protocol port rovers

2018-12-01 Thread Pablo Neira Ayuso
On Thu, Nov 15, 2018 at 10:22:59AM +0100, Florian Westphal wrote: > This is a leftover from days where single-cpu systems were common: > Store last port used to resolve a clash to use it as a starting point when > the next conflict needs to be resolved. > > When we have parallel attempt to

[PATCH nft 2/2] src: introduce simple hints on incorrect identifier

2018-12-01 Thread Pablo Neira Ayuso
# cat test.nft define test = "1.2.3.4" table ip x { chain y { ip saddr $text } } # nft -f test.nft test.nft:5:13-16: Error: unknown identifier 'text'; did you mean identifier ‘test’? ip saddr $text

[PATCH nft 2/3] src: allow for misspellings in object names

2018-11-30 Thread Pablo Neira Ayuso
Use this from the lookup path, to check for misspellings: # nft add table filter # nft add chain filtre test Error: No such file or directory; did you mean table ‘filter’ in family ip? add chain filtre test ^^ Signed-off-by: Pablo Neira Ayuso --- include/misspell.h | 13

[PATCH nft 1/3] utils: remove type checks in min() and max()

2018-11-30 Thread Pablo Neira Ayuso
So we can pass functions as parameters, needed by follow up patch. Signed-off-by: Pablo Neira Ayuso --- include/utils.h | 16 +--- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/include/utils.h b/include/utils.h index 01560eae8d7f..e791523c0471 100644 ---

[PATCH nft 3/3] misspell: add distance threshold for suggestions

2018-11-30 Thread Pablo Neira Ayuso
Restrict suggestions to threshold, like gcc does. Signed-off-by: Pablo Neira Ayuso --- src/misspell.c | 21 ++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/src/misspell.c b/src/misspell.c index 922d305d5e01..059d2e20de7a 100644 --- a/src/misspell.c +++
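
An added example of the suggestion mechanism the three nft patches above describe (unknown identifier or object name, closest known name, and a distance threshold so that unrelated names are never offered); it is not nft's own src/misspell.c. The candidate tables, the MAX_NAME cap and the threshold rule (a third of the typed name's length, at least 2) are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not nft's src/misspell.c: "did you mean" suggestions over a
 * table of known names using Levenshtein edit distance, with a distance
 * threshold. The threshold rule and the candidate tables are assumptions. */

#define MAX_NAME 64

static size_t min3(size_t a, size_t b, size_t c)
{
	size_t m = a < b ? a : b;

	return m < c ? m : c;
}

/* Two-row dynamic programme: number of single-character edits (insert,
 * delete, substitute) turning a into b. Returns (size_t)-1 for names longer
 * than MAX_NAME so they can never be suggested. */
size_t edit_distance(const char *a, const char *b)
{
	size_t la = strlen(a), lb = strlen(b);
	size_t prev[MAX_NAME + 1], cur[MAX_NAME + 1];

	if (la > MAX_NAME || lb > MAX_NAME)
		return (size_t)-1;
	for (size_t j = 0; j <= lb; j++)
		prev[j] = j;
	for (size_t i = 1; i <= la; i++) {
		cur[0] = i;
		for (size_t j = 1; j <= lb; j++) {
			size_t cost = (a[i - 1] == b[j - 1]) ? 0 : 1;

			cur[j] = min3(prev[j] + 1,        /* delete a[i-1] */
				      cur[j - 1] + 1,      /* insert b[j-1] */
				      prev[j - 1] + cost); /* substitute */
		}
		memcpy(prev, cur, (lb + 1) * sizeof(prev[0]));
	}
	return prev[lb];
}

/* Distance beyond which no suggestion is made for a name of this length. */
size_t suggest_threshold(const char *typed)
{
	size_t t = strlen(typed) / 3;

	return t < 2 ? 2 : t;
}

/* Closest candidate within the threshold, or NULL. Ties keep the first. */
const char *suggest_name(const char *typed, const char *const *candidates, size_t n)
{
	size_t best = (size_t)-1;
	const char *best_name = NULL;

	for (size_t i = 0; i < n; i++) {
		size_t d = edit_distance(typed, candidates[i]);

		if (d < best) {
			best = d;
			best_name = candidates[i];
		}
	}
	return best <= suggest_threshold(typed) ? best_name : NULL;
}

int main(void)
{
	static const char *const tables[] = { "filter", "nat", "mangle" };
	const char *typed[] = { "filtre", "mangel", "zzzz" };

	for (size_t i = 0; i < 3; i++) {
		const char *s = suggest_name(typed[i], tables, 3);

		printf("add chain %s test -> %s\n", typed[i],
		       s ? s : "no suggestion");
	}
	return 0;
}
```

Without the threshold every typo would get a suggestion, including a name with nothing in common with any table; the cutoff keeps "filtre" mapping to filter while "zzzz" gets none.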

[PATCH v2] netfilter: nf_conntrack_sip: add sip_external_media logic

2018-11-30 Thread Alin Nastac
From: Alin Nastac Allow media streams that are not passing through this router. When enabled, the sip_external_media logic will leave SDP payload untouched when it detects that the interface towards the INVITEd party is the same as the one towards the media endpoint. Signed-off-by: Alin Nastac ---

Re: [PATCH] netfilter: nf_conntrack_sip: add sip_external_media logic

2018-11-29 Thread kbuild test robot
Hi Alin, Thank you for the patch! Yet something to improve: [auto build test ERROR on nf/master] [also build test ERROR on v4.20-rc4 next-20181129] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url:

Re: [PATCH] netfilter: nf_conntrack_sip: add sip_external_media logic

2018-11-29 Thread kbuild test robot
Hi Alin, Thank you for the patch! Yet something to improve: [auto build test ERROR on nf/master] [also build test ERROR on v4.20-rc4 next-20181129] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url:

[PATCH nftables] src: xt: fix build when libxtables is not installed

2018-11-29 Thread Florian Westphal
If libxtables is not even installed, build fails due to missing include file. ifdef LIBXTABLES guard fixes the first error, but results in two followup failures: 1. missing IFNAMSIZ definition 2. dereference of unknown struct. Signed-off-by: Florian Westphal --- src/xt.c | 5 + 1 file

[PATCH] netfilter: nf_conntrack_sip: add sip_external_media logic

2018-11-29 Thread Alin Nastac
Allow media streams that are not passing through this router. When enabled, the sip_external_media logic will leave SDP payload untouched when it detects that the interface towards the INVITEd party is the same as the one towards the media endpoint. Signed-off-by: Alin Nastac ---

Re: 4.19.x kernels oops in nf_conncount_destroy

2018-11-28 Thread Todd Eigenschink
This morning I found this thread, which I didn't see last night. I'm not sure how I missed it, since I knew what I was searching for. It includes a link to the same patches as I mentioned, but with a status filter in the URL such that I can see the patches. I applied the three patches and tested

Re: RFC: Designing per chain rule cache support in libnftnl

2018-11-28 Thread Phil Sutter
Hi, On Wed, Nov 28, 2018 at 02:51:54PM +0100, Pablo Neira Ayuso wrote: > On Wed, Nov 28, 2018 at 02:21:01PM +0100, Phil Sutter wrote: > > Hi Pablo, > > > > On Fri, Nov 23, 2018 at 01:35:17PM +0100, Pablo Neira Ayuso wrote: > > > On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote: >

Re: RFC: Designing per chain rule cache support in libnftnl

2018-11-28 Thread Pablo Neira Ayuso
On Wed, Nov 28, 2018 at 02:21:01PM +0100, Phil Sutter wrote: > Hi Pablo, > > On Fri, Nov 23, 2018 at 01:35:17PM +0100, Pablo Neira Ayuso wrote: > > On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote: > > > Phil Sutter wrote: > > > > > If user doesn't want it cleared at

[PATCH nft] tests: fix return codes

2018-11-28 Thread Arturo Borrero Gonzalez
Please, consider merging the attached patch. thanks. commit 3497067ca187047c61d89ccad6eab4ebf5df9219 Author: Arturo Borrero Gonzalez Date: Wed Nov 28 14:31:57 2018 +0100 tests: fix return codes Try to return != 0 if a testsuite fails. Signed-off-by: Arturo Borrero

Re: RFC: Designing per chain rule cache support in libnftnl

2018-11-28 Thread Phil Sutter
Hi Pablo, On Fri, Nov 23, 2018 at 01:35:17PM +0100, Pablo Neira Ayuso wrote: > On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote: > > Phil Sutter wrote: > > > > If user doesn't want it cleared at nftnl_chain_free() time they can > > > > always allocate a new nftnl_rule_list and

Re: Proposal: rename of arptables.git and ebtables.git

2018-11-28 Thread Arturo Borrero Gonzalez
On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote: > Hi, > > Now that the iptables.git repo offers arptables-nft and ebtables-nft, > arptables.git holds arptables-legacy, etc, why don't we just rename the > repos? > > * from arptables.git to arptables-legacy.git > * from ebtables.git to

Proposal: rename of arptables.git and ebtables.git

2018-11-28 Thread Arturo Borrero Gonzalez
Hi, Now that the iptables.git repo offers arptables-nft and ebtables-nft, arptables.git holds arptables-legacy, etc, why don't we just rename the repos? * from arptables.git to arptables-legacy.git * from ebtables.git to ebtables-legacy.git This rename should help distros understand the

Re: [PATCH nf] netfilter: nf_tables: deactivate expressions in rule replacement routine

2018-11-28 Thread Pablo Neira Ayuso
Applied, thanks.

4.19.x kernels oops in nf_conncount_destroy

2018-11-27 Thread Todd Eigenschink
EPILOGUE-AS-PREAMBLE: I had already typed most of this when I thought to search the netfilter-devel archive. I found this, which sounds an awful lot like my issue: https://www.spinics.net/lists/netfilter-devel/msg56882.html However, the patch link in the first followup seems empty, so I can't

[PATCH nf] netfilter: nf_tables: deactivate expressions in rule replacement routine

2018-11-27 Thread Taehee Yoo
Rule replacement routine removes an old rule then adds a new rule. In the old rule removing routine, the steps below are needed. Allocate trans, deactivate rule and deactivate expressions of rule. But there is no expression deactivation routine in rule replacement routine. test commands: %nft add

Re: [iptables PATCH] xtables: Don't use native nftables comments

2018-11-27 Thread Pablo Neira Ayuso
On Tue, Nov 27, 2018 at 08:07:11PM +0100, Phil Sutter wrote: > The problem with converting libxt_comment into nftables comment is that > rules change when parsing from kernel due to comment match being moved > to the end of the match list. And since match ordering matters, the rule > may not be

[iptables PATCH] xtables: Don't use native nftables comments

2018-11-27 Thread Phil Sutter
The problem with converting libxt_comment into nftables comment is that rules change when parsing from kernel due to comment match being moved to the end of the match list. And since match ordering matters, the rule may not be found anymore when checking or deleting. Apart from that, iptables-nft

[PATCH] netfilter: ipset: fix ip_set_byindex function

2018-11-27 Thread Florent Fourcot
New function added by "Introduction of new commands and protocol version 7" is not working, since we return skb2 to user Signed-off-by: Victorien Molle Signed-off-by: Florent Fourcot --- net/netfilter/ipset/ip_set_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

Re: iptables configure ignore "--disable-silent-rules"

2018-11-27 Thread Jan Engelhardt
On Tuesday 2018-11-27 12:56, Rolf Eike Beer wrote: >Hi, > >it seems to me that "--disable-silent-rules" has no effect on iptables >configure, i.e. I still have to pass V=1 to make to see what it is actually >doing. This is expected because automake is not used in every directory. But V=1 is

iptables configure ignore "--disable-silent-rules"

2018-11-27 Thread Rolf Eike Beer
Hi, it seems to me that "--disable-silent-rules" has no effect on iptables configure, i.e. I still have to pass V=1 to make to see what it is actually doing. It also seems that the netfilter-announce archive is missing some mails (or they never got send), at least I don't see any iptables

[PATCH] netfilter: nf_nat_sip: fix RTP/RTCP source port translations

2018-11-27 Thread Alin Nastac
Perform the same SNAT translation on RTP/RTCP conntracks regardless of who sends the first datagram. Prior to this change, RTP packets sent by the peer who required source port translation were forwarded with unmodified source port when this peer started its voice/video stream first.

Re: [PATCH] netfilter: nf_nat_sip: fix RTP/RTCP source port translations

2018-11-26 Thread Alin Năstac
Hi Pablo, On Tue, Nov 27, 2018 at 12:57 AM Pablo Neira Ayuso wrote: > > Hi Alin, > > On Mon, Nov 05, 2018 at 02:54:53PM +0100, Alin Nastac wrote: > > Perform the same SNAT translation on RTP/RTCP conntracks regardless of > > who sends the first datagram. > > > > Prior to this change, RTP packets

Re: [PATCH nf] netfilter: nf_conncount: remove wrong condition check routine

2018-11-26 Thread Pablo Neira Ayuso
On Sun, Nov 25, 2018 at 06:47:13PM +0900, Taehee Yoo wrote: > All lists in the tree_nodes_free() have both zero count and true dead flag. > Because lists are selected by nf_conncount_gc_list() and that makes that > zero-count and true dead flag. > So the if statement of tree_nodes_free() is

Re: [PATCH nf v2 0/2] netfilter: fix notifier registration bugs

2018-11-26 Thread Pablo Neira Ayuso
On Thu, Nov 22, 2018 at 07:59:25PM +0900, Taehee Yoo wrote: > This patch series fix notifier registration bugs. > > First patch adds error handling code for failure of notifier registration. > notifier registration can fail, so error handling code is needed. > > Second patch fixes

Re: [PATCH v2] ipv6: Preserve link scope traffic original oif

2018-11-26 Thread Pablo Neira Ayuso
On Wed, Nov 21, 2018 at 02:00:30PM +0100, Alin Nastac wrote: > When ip6_route_me_harder is invoked, it resets outgoing interface of: > - link-local scoped packets sent by neighbor discovery > - multicast packets sent by MLD host > - multicast packets send by MLD proxy daemon that sets

[PATCH v2] netfilter: ipset: replace a strncpy() with strscpy()

2018-11-26 Thread Qian Cai
To make overflows as obvious as possible and to prevent code from blithely proceeding with a truncated string. This also has a side-effect to fix a compilation warning when using GCC 8.2.1. net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get':
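
An added user-space example of the change this patch (and its v3 above) makes, not the ipset code itself: my_strscpy() follows the kernel strscpy() contract (number of bytes copied, or -E2BIG on truncation, destination always NUL-terminated), strncpy_terminated() shows the unterminated result strncpy() leaves when the source fills the buffer, and copy_set_name() shows an ipset-style caller refusing an over-long name instead of proceeding with a truncated one. IPSET_MAXNAMELEN is used only as a realistic field size.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not the ipset patch: a user-space strscpy() with the kernel
 * contract, shown against the strncpy() behaviour the patch moves away from.
 * IPSET_MAXNAMELEN is only a realistic buffer size for the demo. */

#define IPSET_MAXNAMELEN 32

ssize_t my_strscpy(char *dst, const char *src, size_t size)
{
	size_t len = 0;

	if (size == 0)
		return -E2BIG;
	/* bounded scan: never read past size bytes of src */
	while (len < size && src[len] != '\0')
		len++;
	if (len == size) {
		/* source is too long: copy what fits, terminate, and say so */
		memcpy(dst, src, size - 1);
		dst[size - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dst, src, len + 1);   /* includes the terminator */
	return (ssize_t)len;
}

/* strncpy() pads short sources with NULs but writes no terminator when the
 * source fills the buffer, and the caller gets no signal that truncation
 * happened. Returns 1 if dst is NUL-terminated within size, else 0. */
int strncpy_terminated(char *dst, const char *src, size_t size)
{
	strncpy(dst, src, size);
	return memchr(dst, '\0', size) != NULL;
}

/* The ipset-style use: copy a set name into a fixed field and refuse
 * (rather than truncate) when it does not fit. Returns 0 or -EINVAL. */
int copy_set_name(char name[IPSET_MAXNAMELEN], const char *src)
{
	if (my_strscpy(name, src, IPSET_MAXNAMELEN) < 0)
		return -EINVAL;
	return 0;
}

int main(void)
{
	char name[IPSET_MAXNAMELEN];
	char small[8];
	const char *too_long = "a_set_name_that_is_longer_than_thirty_two_bytes";

	printf("copy_set_name(\"blocklist\") = %d\n", copy_set_name(name, "blocklist"));
	printf("copy_set_name(too long)      = %d\n", copy_set_name(name, too_long));
	printf("strncpy terminated for \"12345678\" into 8 bytes: %d\n",
	       strncpy_terminated(small, "12345678", sizeof(small)));
	return 0;
}
```

The security-relevant difference is the return value: with strncpy() a name one byte too long silently becomes an unterminated field that a later read runs off the end of, while strscpy() makes the truncation an error the caller must handle.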

[PATCH] netfilter: update comment about get_unique_tuple()

2018-11-26 Thread Xiaozhou Liu
`__ip_conntrack_confirm' in the comments is confusing to newcomers since it has long been replaced with __nf_conntrack_confirm. Signed-off-by: Xiaozhou Liu --- net/netfilter/nf_nat_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_nat_core.c

Re: [PATCH nf] netfilter: xt_TEE: fix build failure

2018-11-26 Thread Taehee Yoo
On Mon, 26 Nov 2018 at 20:28, Pablo Neira Ayuso wrote: > > On Mon, Nov 26, 2018 at 06:39:28PM +0900, Taehee Yoo wrote: > > Hi Pablo, > > > > According to Masahiro Yamada, this is Kconfig bug and he is fixing Kconfig. > > https://lkml.org/lkml/2018/11/26/291 > > > > So I think this patch will

Re: [PATCH nf] netfilter: xt_TEE: fix build failure

2018-11-26 Thread Pablo Neira Ayuso
On Mon, Nov 26, 2018 at 06:39:28PM +0900, Taehee Yoo wrote: > Hi Pablo, > > According to Masahiro Yamada, this is Kconfig bug and he is fixing Kconfig. > https://lkml.org/lkml/2018/11/26/291 > > So I think this patch will be useless. > Could you check it up? OK, will keep back your patch

[PATCH nf] netfilter: nf_tables: fix suspicious RCU usage in nft_chain_stats_replace()

2018-11-26 Thread Taehee Yoo
basechain->stats is rcu protected data. And write critical section of basechain->stats data is nft_chain_stats_replace(). The function is executed in commit phase. so that actually commit_mutex lock protects that. Hence commit_mutex lockdep should be used for rcu_dereference_protected() in the

Re: [PATCH] netfilter: ipset: replace a strncpy() with strscpy()

2018-11-26 Thread Jozsef Kadlecsik
Hi, On Wed, 21 Nov 2018, Qian Cai wrote: > To make overflows as obvious as possible and to prevent code from blithely > proceeding with a truncated string. This also has a side-effect to fix a > compilation warning using GCC 8.2.1. > > net/netfilter/ipset/ip_set_core.c: In function

Re: [PATCH nf] netfilter: xt_TEE: fix build failure

2018-11-26 Thread Taehee Yoo
Hi Pablo, According to Masahiro Yamada, this is Kconfig bug and he is fixing Kconfig. https://lkml.org/lkml/2018/11/26/291 So I think this patch will be useless. Could you check it up? Thanks! On Sun, 18 Nov 2018 at 23:39, Taehee Yoo wrote: > > xt_TEE.c needs nf_dup_ipv6.c to support

Re: [PATCH nf] netfilter: nfnetlink_cttimeout: nf_proto_net must be first member of netns_proto_gre

2018-11-26 Thread Pablo Neira Ayuso
On Wed, Nov 21, 2018 at 01:38:59PM +0100, Florian Westphal wrote: > Can't move timeouts around, it appears conntrack sysctl unregister > assumes net_generic() returns nf_proto_net, so we get crash. > > Expose layout of netns_proto_gre instead. > > Reported-by: kernel test robot > Fixes:

[PATCH nf] netfilter: nf_conncount: remove wrong condition check routine

2018-11-25 Thread Taehee Yoo
All lists in the tree_nodes_free() have both zero count and true dead flag. Because lists are selected by nf_conncount_gc_list() and that makes that zero-count and true dead flag. So the if statement of tree_nodes_free() is unnecessary and wrong. Fixes: 31568ec09ea0 ("netfilter:

[PATCH] include: extend the headers conflict workaround to in6.h

2018-11-24 Thread Baruch Siach
Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2") introduced a kernel/user headers conflict workaround that allows build of iptables with kernel headers older than 4.2. This minor extension allows build with kernel headers older than 3.12, which is the version that

Re: [iptables PATCH] ebtables: Use xtables_exit_err()

2018-11-23 Thread Florian Westphal
Phil Sutter wrote: > When e.g. ebtables-nft detects an incompatible table, a stray '.' was > printed as last line of output: > > | # ebtables-nft -L > | table `filter' is incompatible, use 'nft' tool. > | . > > This comes from ebtables' own exit_err callback. Instead use the common > one which

[iptables PATCH] ebtables: Use xtables_exit_err()

2018-11-23 Thread Phil Sutter
When e.g. ebtables-nft detects an incompatible table, a stray '.' was printed as last line of output: | # ebtables-nft -L | table `filter' is incompatible, use 'nft' tool. | . This comes from ebtables' own exit_err callback. Instead use the common one which also provides useful version

compilation error glibc

2018-11-23 Thread Ansuel Smith
arm-openwrt-linux-gnueabi-gcc -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 -D_REENTRANT -DXTABLES_LIBDIR=\"/usr/lib/iptables\" -DXTABLES_INTERNAL -I../include -I.. -I../include -I..

Re: RFC: Designing per chain rule cache support in libnftnl

2018-11-23 Thread Pablo Neira Ayuso
On Fri, Nov 23, 2018 at 01:35:17PM +0100, Pablo Neira Ayuso wrote: > On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote: > > Phil Sutter wrote: > > > > If user doesn't want it cleared at nftnl_chain_free() time they can > > > > always allocate a new nftnl_rule_list and splice to

Re: RFC: Designing per chain rule cache support in libnftnl

2018-11-23 Thread Pablo Neira Ayuso
On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote: > Phil Sutter wrote: > > > If user doesn't want it cleared at nftnl_chain_free() time they can > > > always allocate a new nftnl_rule_list and splice to that list. > > > > Good point. What do you think about the simple approach of

Re: RFC: Designing per chain rule cache support in libnftnl

2018-11-23 Thread Florian Westphal
Phil Sutter wrote: > > If user doesn't want it cleared at nftnl_chain_free() time they can > > always allocate a new nftnl_rule_list and splice to that list. > > Good point. What do you think about the simple approach of introducing: > > | struct nftnl_rule_list *nftnl_chain_get_rule_list(const

Re: RFC: Designing per chain rule cache support in libnftnl

2018-11-23 Thread Phil Sutter
On Fri, Nov 23, 2018 at 07:49:49AM +0100, Florian Westphal wrote: > Phil Sutter wrote: > > In order to improve performance in 'nft -f' as well as xtables-restore > > with very large rulesets, we need to store rules by chain they belong > > to. In order to avoid pointless code duplication, this

Re: RFC: Designing per chain rule cache support in libnftnl

2018-11-22 Thread Florian Westphal
Phil Sutter wrote: > In order to improve performance in 'nft -f' as well as xtables-restore > with very large rulesets, we need to store rules by chain they belong > to. In order to avoid pointless code duplication, this should be > supported by libnftnl. Unfortunately we still need to change

Re: [iptables PATCH] arptables: Support --set-counters option

2018-11-22 Thread Florian Westphal
Phil Sutter wrote: > Relevant code for this was already present (short option '-c'), just the > long option definition was missing. Applied, thanks.

[iptables PATCH] arptables: Support --set-counters option

2018-11-22 Thread Phil Sutter
Relevant code for this was already present (short option '-c'), just the long option definition was missing. While being at it, add '-c' to help text. Signed-off-by: Phil Sutter --- iptables/xtables-arp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git

[PATCH nf v2 2/2] netfilter: nat: fix double register in masquerade modules

2018-11-22 Thread Taehee Yoo
Masquerade modules register a notifier, and that should not be double-registered, so these modules manage a reference counter. If notifiers are already registered, it just returns success. But there is an unsafe scenario. test commands: while : do modprobe ip6t_MASQUERADE &

[PATCH nf v2 0/2] netfilter: fix notifier registration bugs

2018-11-22 Thread Taehee Yoo
This patch series fixes notifier registration bugs. The first patch adds error handling code for failure of notifier registration. Notifier registration can fail, so error handling code is needed. The second patch fixes a double-register bug in masquerade modules. In order to protect

[PATCH nf v2 1/2] netfilter: add missing error handling code for register functions

2018-11-22 Thread Taehee Yoo
register_{netdevice/inetaddr/inet6addr}_notifier returns a value that could be an error value, so error handling code is needed. Signed-off-by: Taehee Yoo --- v2: - Add second patch - return success when notifier is already registered. (Florian Westphal) v1: Initial patch

[PATCH] netfilter: ipset: replace a strncpy() with strscpy()

2018-11-21 Thread Qian Cai
To make overflows as obvious as possible and to prevent code from blithely proceeding with a truncated string. This also has the side effect of fixing a compilation warning with GCC 8.2.1. net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get': net/netfilter/ipset/ip_set_core.c:2027:3:
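The difference the patch above is after, shown as an added example that is not part of the ipset change or of the kernel: strncpy() silently leaves an overlong source unterminated, while a strscpy()-style copy always terminates and reports the truncation so the caller can refuse to continue. demo_strscpy() is a userland re-implementation of the kernel strscpy() contract as I understand it (copy at most size-1 bytes, always NUL-terminate when size > 0, return the copied length or -E2BIG); DEMO_NAMELEN and demo_copy_set_name() are illustrative, not names from ip_set_core.c.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical fixed name bound standing in for a kernel fixed-size set
 * name; not taken from ip_set_core.c. */
#define DEMO_NAMELEN 8

/* strnlen() equivalent, written out so the file needs no feature macros. */
static size_t bounded_len(const char *s, size_t max)
{
	size_t n = 0;

	while (n < max && s[n] != '\0')
		n++;
	return n;
}

/* Userland re-implementation of the assumed strscpy() contract: copy at
 * most size-1 bytes, always NUL-terminate when size > 0, return strlen(dest)
 * on success or -E2BIG when the source did not fit. */
ssize_t demo_strscpy(char *dest, const char *src, size_t size)
{
	size_t len;

	if (size == 0)
		return -E2BIG;
	len = bounded_len(src, size);
	if (len == size) {
		/* src is too long: copy what fits, terminate, and report it */
		memcpy(dest, src, size - 1);
		dest[size - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dest, src, len + 1);
	return (ssize_t)len;
}

/* strncpy() NUL-pads a short source but does NOT terminate an overlong one.
 * Returns 1 if dest ended up NUL-terminated, 0 otherwise. */
int strncpy_leaves_terminated(char *dest, size_t size, const char *src)
{
	strncpy(dest, src, size);
	return memchr(dest, '\0', size) != NULL;
}

/* The pattern the patch wants: refuse to proceed with a truncated name.
 * Returns 0 on success, -EINVAL on truncation, so the caller sees an error
 * instead of a silently shortened (and possibly different) set name. */
int demo_copy_set_name(char *dest, const char *src)
{
	if (demo_strscpy(dest, src, DEMO_NAMELEN) < 0)
		return -EINVAL;
	return 0;
}

int main(void)
{
	char buf[DEMO_NAMELEN];
	const char *too_long = "verylongsetname"; /* constructed input */

	printf("strncpy left dest terminated: %d\n",
	       strncpy_leaves_terminated(buf, sizeof(buf), too_long));
	printf("strscpy rc=%zd dest=\"%s\"\n",
	       demo_strscpy(buf, too_long, sizeof(buf)), buf);
	printf("copy_set_name(too_long) rc=%d\n",
	       demo_copy_set_name(buf, too_long));
	printf("copy_set_name(short) rc=%d\n", demo_copy_set_name(buf, "short"));
	return 0;
}
```

The strncpy() case is the one GCC 8 warns about: the destination may hold DEMO_NAMELEN non-NUL bytes and every later strlen()/printf("%s") on it reads past the buffer.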

[PATCH v2] ipv6: Preserve link scope traffic original oif

2018-11-21 Thread Alin Nastac
When ip6_route_me_harder is invoked, it resets outgoing interface of: - link-local scoped packets sent by neighbor discovery - multicast packets sent by MLD host - multicast packets sent by MLD proxy daemon that sets outgoing interface through IPV6_PKTINFO ipi6_ifindex Link-local and

[PATCH nf] netfilter: nfnetlink_cttimeout: nf_proto_net must be first member of netns_proto_gre

2018-11-21 Thread Florian Westphal
Can't move timeouts around, it appears conntrack sysctl unregister assumes net_generic() returns nf_proto_net, so we get a crash. Expose layout of netns_proto_gre instead. Reported-by: kernel test robot Fixes: 991acf532b netfilter: nfnetlink_cttimeout: fetch timeouts for udplite and gre, too
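Why the member order matters, as an added example that is not kernel code: generic code that only has a void * from net_generic() casts it to struct nf_proto_net *, which is only valid while that struct is the first member of the per-protocol container. The struct shapes and field names below are assumptions for illustration, not copied from nf_conntrack_l4proto.h or nf_conntrack_proto_gre.c; the "moved" layout reproduces what rearranging the timeouts in front of the generic block does to such a reader.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed shape of the generic per-protocol block (illustrative fields). */
struct nf_proto_net {
	unsigned int users;
	unsigned int *timeouts;
};

/* Layout the fix keeps: the generic block is the FIRST member, so a pointer
 * to the container is also a valid pointer to the nf_proto_net. */
struct netns_proto_gre_ok {
	struct nf_proto_net nf;
	unsigned int gre_timeouts[2];
};

/* Layout with the timeouts moved in front: the same cast now lands on
 * gre_timeouts[0] instead of nf.users. */
struct netns_proto_gre_moved {
	unsigned int gre_timeouts[2];
	struct nf_proto_net nf;
};

/* Compile-time guard a practitioner would put next to the struct so a
 * later reordering fails the build instead of crashing at unregister. */
_Static_assert(offsetof(struct netns_proto_gre_ok, nf) == 0,
	       "nf_proto_net must be the first member");

/* Stands in for the sysctl unregister path: it receives a void * from
 * net_generic() and assumes it points at a struct nf_proto_net.
 * noinline keeps the cast opaque to the optimizer so the demo reads the
 * bytes actually at offset 0. */
__attribute__((noinline))
unsigned int generic_read_users(void *pn)
{
	return ((struct nf_proto_net *)pn)->users;
}

unsigned int users_via_ok_layout(void)
{
	struct netns_proto_gre_ok ok = {
		.nf = { .users = 3, .timeouts = NULL },
		.gre_timeouts = { 30, 180 },
	};

	return generic_read_users(&ok); /* 3: the real refcount */
}

unsigned int users_via_moved_layout(void)
{
	struct netns_proto_gre_moved moved = {
		.gre_timeouts = { 30, 180 },
		.nf = { .users = 3, .timeouts = NULL },
	};

	/* reads gre_timeouts[0] (30), not users (3); a pointer field read the
	 * same way would be garbage, which is how a reordering ends in a crash */
	return generic_read_users(&moved);
}

int main(void)
{
	printf("users via ok layout:    %u\n", users_via_ok_layout());
	printf("users via moved layout: %u\n", users_via_moved_layout());
	return 0;
}
```

The _Static_assert is the cheap check: any code that hands out a generic pointer and expects callers to cast it to a base struct should pin the offset of that base to zero in the same header that defines the container.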

Re: [PATCH v2] ipv6: Preserve link scope traffic original oif

2018-11-21 Thread Pablo Neira Ayuso
On Wed, Nov 21, 2018 at 01:24:25PM +0100, Pablo Neira Ayuso wrote: > On Wed, Nov 21, 2018 at 12:17:50PM +0100, Alin Nastac wrote: > > When ip6_route_me_harder is invoked, it resets outgoing interface of: > > - link-local scoped packets sent by neighbor discovery > > - multicast packets sent by

Re: [PATCH v2] ipv6: Preserve link scope traffic original oif

2018-11-21 Thread Pablo Neira Ayuso
On Wed, Nov 21, 2018 at 12:17:50PM +0100, Alin Nastac wrote: > When ip6_route_me_harder is invoked, it resets outgoing interface of: > - link-local scoped packets sent by neighbor discovery > - multicast packets sent by MLD host > - multicast packets sent by MLD proxy daemon that sets

[PATCH v2] ipv6: Preserve link scope traffic original oif

2018-11-21 Thread Alin Nastac
When ip6_route_me_harder is invoked, it resets outgoing interface of: - link-local scoped packets sent by neighbor discovery - multicast packets sent by MLD host - multicast packets sent by MLD proxy daemon that sets outgoing interface through IPV6_PKTINFO ipi6_ifindex Link-local and