Re: linux-next: manual merge of the vfs tree with the netfilter tree

2017-12-06 Thread Stephen Rothwell
Hi Jann,

On Thu, 7 Dec 2017 01:48:14 +0100 Jann Horn  wrote:
>
> > I can't tell if the strlen test from the former is still needed, so I
> > just used the vfs tree version for now.  
> 
> Yeah, both of the checks from the netfilter tree are still necessary
> independent of the commit from the vfs tree.

Rats.  I will see what I can do about that.

> > I fixed it up (see below)  
> 
> Did you mean to paste in the fixed-up patch below this message?

Ah, well actually the diff ended up empty (since I used one side of the
conflicting part).
-- 
Cheers,
Stephen Rothwell
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


linux-next: manual merge of the netfilter-next tree with the netfilter tree

2017-12-06 Thread Stephen Rothwell
Hi all,

Today's linux-next merge of the netfilter-next tree got a conflict in:

  net/netfilter/nf_conntrack_h323_asn1.c

between commit:

  bc7d811ace4a ("netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function")

from the netfilter tree and commit:

  e3e52b49c9e7 ("netfilter: nf_conntrack_h323: Remove unwanted comments.")

from the netfilter-next tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc net/netfilter/nf_conntrack_h323_asn1.c
index dc6347342e34,475fc8a9b477..
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@@ -164,20 -166,6 +165,19 @@@ static unsigned int get_len(struct bits
return v;
  }
  
 +static int nf_h323_error_boundary(struct bitstr *bs, size_t bytes, size_t 
bits)
 +{
 +  bits += bs->bit;
 +  bytes += bits / BITS_PER_BYTE;
 +  if (bits % BITS_PER_BYTE > 0)
 +  bytes++;
 +
 +  if (*bs->cur + bytes > *bs->end)
 +  return 1;
 +
 +  return 0;
 +}
 +
- //
  static unsigned int get_bit(struct bitstr *bs)
  {
unsigned int b = (*bs->cur) & (0x80 >> bs->bit);
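Review bot: in nf_h323_error_boundary() the check `*bs->cur + bytes > *bs->end` forms a pointer past the end of the buffer before comparing it; comparing the remaining length instead, `bytes > (size_t)(*bs->end - *bs->cur)`, keeps the arithmetic on sizes and never creates an out-of-range pointer. The rounding of a partial trailing byte via `bits % BITS_PER_BYTE` is correct, and the function returning `int` 1/0 could simply be `bool`. As a merge resolution, keeping the netfilter tree's function and dropping the `//` separator line from the netfilter-next side is the right outcome.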


Re: [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state

2017-12-06 Thread Pablo Neira Ayuso
Hi Linus,

On Mon, Dec 04, 2017 at 05:53:35AM +0100, Linus Lüssing wrote:
> Hi Pablo,
> 
> Thanks for your reply!
> 
> On Tue, Nov 28, 2017 at 12:30:08AM +0100, Pablo Neira Ayuso wrote:
> > [...]
> > > diff --git a/net/bridge/netfilter/ebt_limit.c 
> > > b/net/bridge/netfilter/ebt_limit.c
> > > index 61a9f1be1263..f74b48633feb 100644
> > > --- a/net/bridge/netfilter/ebt_limit.c
> > > +++ b/net/bridge/netfilter/ebt_limit.c
> > > @@ -69,6 +69,10 @@ static int ebt_limit_mt_check(const struct 
> > > xt_mtchk_param *par)
> > >  {
> > >   struct ebt_limit_info *info = par->matchinfo;
> > >  
> > > + /* Do not reset state on unrelated table changes */
> > > + if (info->prev)
> > > + return 0;
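Review bot: the early return trusts `info->prev`, but matchinfo is copied in from userspace together with the rest of the table, so a non-zero prev supplied by the caller skips the initialisation that follows and leaves credit, credit_cap and cost at whatever values were copied in. Either the kernel should carry the private fields over from the existing entry itself, rather than accepting them from the blob, or the check should verify that the rest of the state is consistent before honouring it. A smaller point: `prev == 0` as the "fresh rule" marker assumes jiffies is never 0 at check time.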
> > 
> > What kernel version are you using? I suspect you don't have this
> > applied?
> 
> I'm indeed using a 4.4.102 kernel, as LEDE is still in the process
> of updating to 4.14. So 4.4 with LEDE is where I got the measurement
> results from.
> 
> > 
> > commit ec23189049651b16dc2ffab35a4371dc1f491aca
> > Author: Willem de Bruijn 
> > Date:   Mon Jan 2 17:19:46 2017 -0500
> > 
> > xtables: extend matches and targets with .usersize
> 
> And so, no I do not have this patch. I looked at it now, but it
> does not seem to have any relation with .matchinfo, does it?
> 
> I also had a quick look at a 4.15-rc1 kernel in a VM now. I still
> end up in ebt_limit_mt_check() with the variables being reset
> when editing the table somewhere.

My question is if your fix would work with 4.15-rc1.
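The reset behaviour under discussion, as an added example that is not part of this thread or of the kernel's ebt_limit code: a user-space token-bucket limiter modelled on the xt_limit/ebt_limit style of credit, credit_cap, cost and prev bookkeeping, with a checkentry path that either re-initialises the bucket on every table load or, like the quoted patch, skips re-initialisation when prev is already set. The field layout, the 1000-credit per-packet cost and the tick-based clock are assumptions made for the example; what it shows is that re-initialising on an unrelated table edit hands a client a fresh burst of packets the moment the edit happens.

```c
/*
 * Added example, not kernel code: a token-bucket limiter in the style of
 * xt_limit/ebt_limit, used to show what a table reload does to the
 * rate-limit state with and without the "if (info->prev) return 0;" check.
 * Field names, the per-packet cost and the tick clock are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LIMIT_COST 1000u   /* assumed: credits charged per packet that matches */

struct limit_state {
    uint64_t avg;        /* from userspace: packets per 1000 ticks (= credits per tick) */
    uint64_t burst;      /* from userspace: bucket depth in packets */
    uint64_t prev;       /* tick of the last refill; 0 means "never initialised" */
    uint64_t credit;     /* credits currently in the bucket */
    uint64_t credit_cap; /* bucket capacity, burst * LIMIT_COST */
    uint64_t cost;       /* credits removed per matched packet */
};

/* Fill the bucket and start the clock: what checkentry does on first load. */
static void limit_init(struct limit_state *st, uint64_t now)
{
    st->prev = now;
    st->cost = LIMIT_COST;
    st->credit_cap = st->burst * LIMIT_COST;
    st->credit = st->credit_cap;
}

/*
 * Mirrors the checkentry path that runs on every table (re)load.  With
 * keep_state == false every reload resets the bucket; with keep_state == true
 * a rule whose prev is already set keeps its accumulated state, which is what
 * the patch under discussion does.  It shares the patch's limitation:
 * prev == 0 is only a reliable "fresh rule" marker while the clock never
 * reads 0, so the simulation starts its clock at 1.
 */
static int limit_checkentry(struct limit_state *st, uint64_t now, bool keep_state)
{
    if (keep_state && st->prev)
        return 0;
    limit_init(st, now);
    return 0;
}

/* Per-packet match: refill by elapsed ticks, clamp, then charge one packet. */
static bool limit_match(struct limit_state *st, uint64_t now)
{
    uint64_t elapsed = now - st->prev;

    st->prev = now;
    st->credit += elapsed * st->avg;
    if (st->credit > st->credit_cap)
        st->credit = st->credit_cap;
    if (st->credit >= st->cost) {
        st->credit -= st->cost;
        return true;
    }
    return false;
}

/*
 * Drain the burst, run checkentry again as an unrelated table edit would,
 * then count how many of `burst` back-to-back packets still pass.
 * 0 means the state survived the edit; `burst` means it was reset.
 */
static unsigned int passed_after_reload(bool keep_state)
{
    struct limit_state st = { .avg = 1, .burst = 5 }; /* 1 pkt / 1000 ticks, burst 5 */
    uint64_t now = 1;                                 /* clock starts at 1, not 0 */
    unsigned int passed = 0;

    limit_checkentry(&st, now, keep_state);           /* initial load */
    for (uint64_t i = 0; i < st.burst; i++)
        limit_match(&st, now);                        /* exhaust the burst */
    limit_checkentry(&st, now, keep_state);           /* unrelated table edit */
    for (uint64_t i = 0; i < st.burst; i++)
        passed += limit_match(&st, now);
    return passed;
}

/* Drain the burst, wait `ticks`, then count how many of `burst` packets pass. */
static unsigned int passed_after_wait(uint64_t ticks)
{
    struct limit_state st = { .avg = 1, .burst = 5 };
    uint64_t now = 1;
    unsigned int passed = 0;

    limit_checkentry(&st, now, true);
    for (uint64_t i = 0; i < st.burst; i++)
        limit_match(&st, now);
    now += ticks;                                     /* refill proportional to elapsed time */
    for (uint64_t i = 0; i < st.burst; i++)
        passed += limit_match(&st, now);
    return passed;
}

int main(void)
{
    printf("reset on reload:  %u of 5 pass immediately\n", passed_after_reload(false));
    printf("state kept:       %u of 5 pass immediately\n", passed_after_reload(true));
    printf("after 3000 ticks: %u of 5 pass\n", passed_after_wait(3000));
    return 0;
}
```

With the bucket reset on every reload, an attacker who can trigger or time table edits gets a full burst per edit; with the state kept, only time refills the bucket, one packet per 1000 ticks in this configuration.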


linux-next: manual merge of the vfs tree with the netfilter tree

2017-12-06 Thread Stephen Rothwell
Hi Al,

Today's linux-next merge of the vfs tree got a conflict in:

  net/netfilter/xt_bpf.c

between commit:

  6ab405114b0b ("netfilter: xt_bpf: add overflow checks")

from the netfilter tree and commit:

  af58d2496b49 ("fix "netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'"")

from the vfs tree.

I can't tell if the strlen test from the former is still needed, so I
just used the vfs tree version for now.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

Al, can I convince you to submit fixes to the appropriate maintainers
(or have you done so and it just hasn't been picked up yet)?

-- 
Cheers,
Stephen Rothwell


Re: libnftables extended API proposal (Was: Re: [nft PATCH] libnftables: Fix for multiple context instances)

2017-12-06 Thread Pablo Neira Ayuso
Hi Phil,

On Tue, Dec 05, 2017 at 02:43:17PM +0100, Phil Sutter wrote:
[...]
> My "vision" for an extended API which actually provides an additional
> benefit is something that allows one to work with the entities the nft language
> defines in an abstract manner, ideally without having to invoke the
> parser all the time.
>
> Naturally, nftables entities are hierarchical: rules are contained in
> chains, chains contained in tables, etc. At the topmost level, there is
> something I call 'ruleset', which is basically just an instance of
> struct nft_cache. Since we have that in nft context already, it was
> optimized out (for now at least). As a leftover, I have a function which
> does a cache update (although this might be done implicitly as well).
> 
> For each entity contained in the ruleset, I wrote two functions, lookup
> and create, to reference them later. Due to the hierarchical layout,
> both functions take the higher-level entity as an argument. For
> instance:
> 
> | struct nft_table *nft_table_lookup(struct nft_ctx *nft,
> |  unsigned int family,
> |  const char *name);
> | struct nft_chain *nft_chain_new(struct nft_ctx *nft,
> |   struct nft_table *table,
> |   const char *name);
> 
> Family and name are enough to uniquely identify a table. By passing the
> returned object to the second function and a name, a new chain in that
> table can be created - or more precisely, a command (struct cmd
> instance) is created and stored in a new field of struct nft_ctx for
> later, when calling:
> 
> | int nft_ruleset_commit(struct nft_ctx *nft);
> 
> This constructs a new batch job using the previously created commands
> and calls netlink_batch_send().
> 
> The entities I've defined so far are:
> 
> struct nft_table;
> struct nft_chain;
> struct nft_rule;
> struct nft_set;
> struct nft_expr; /* actually this should be setelem */
> 
> The implementation is very incomplete and merely a playground at this
> point. I started with using the parser for everything, then tried to
> eliminate as much as possible. E.g. the first version to add an element
> to a set looked roughly like this (pseudo-code):
> 
> | int nft_set_add_element(struct nft_ctx *nft, struct nft_set *set,
> |   const char *elem)
> | {
> | char buf[1024];
> | 
> | sprintf(buf, "add element ip t %s %s", set->name, elem);
> | scanner_push_buffer(scanner, _cmdline, buf);
> | nft_parse(nft, scanner, );
> | list_splice_tail(, >cmds);
> | }
> 
> After tweaking the parser a bit, I can use it now to parse just a
> set_list_member_expr and use the struct expr it returns. This made it
> possible to create the desired struct cmd in above function without
> having to invoke the parser there.
> 
> Exercising this refinement consistently should allow reaching arbitrary
> levels of granularity. For instance, one could stop at statement level,
> i.e. statements are created using a string representation. Or one could
> go down to expression level, and statements are created using one or two
> expressions (depending on whether it is relational or not). Of course
> this means the library will eventually become as complicated as the
> parser itself, not necessarily a good thing.

Yes, and we'll expose all internal representation details, that we
will need to maintain forever if we don't want to break backward.

> On the other hand, having an abstract representation for set elements is
> quite convenient - their string representations might differ (take e.g.
> "22" vs. "ssh") so strcmp() is not sufficient to compare them.
> 
> I hope this allows you to get an idea of how I imagine extended API
> although certainly details are missing here. What do you think about it?
> Are you fine with the general concept so we can discuss details or do
> you see a fundamental problem with it?

OK, my understanding is that you would like to operate with some
native library object representation.

Most objects (table, chain...) are easy to represent, as you
mentioned. Rules are the most complex ones internally, but you can
probably abstract a simplified representation that suits well for your
usecases, e.g expose them in an iptables like representation -
something like adding matches and actions - Obviously, this needs to
allow to take sets as input, eg.

int meta_match_immediate(struct nft_rule *r, enum nft_meta_type, void *data);
int meta_match_set(struct nft_rule *r, enum nft_meta_type, struct nft_set *set);

meta_match_immediate() adds a meta + cmp to the rule, to compare for
an immediate value. meta_match_set() adds meta + lookup.

A list of use-cases, for the third party application, would be good to
have to design this API.

Re: [PATCH 27/45] net: remove duplicate includes

2017-12-06 Thread David Miller
From: Pravin Shedge 
Date: Wed,  6 Dec 2017 23:02:58 +0530

> These duplicate includes have been found with scripts/checkincludes.pl but
> they have been removed manually to avoid removing false positives.
> 
> Signed-off-by: Pravin Shedge 

Networking patches need to be sent to net...@vger.kernel.org

Thank you.


Re: [PATCH nf-next 2/2] netfilter: reduce hook array sizes to what is needed

2017-12-06 Thread Pablo Neira Ayuso
On Sun, Dec 03, 2017 at 12:58:48AM +0100, Florian Westphal wrote:
> Not all families share the same hook count.
> 
> Can't use the corresponding ARP, BRIDGE, DECNET defines because they are
> defined in uapi headers and including them causes build failures.
> 
> struct net before:
> /* size: 6592, cachelines: 103, members: 46 */
> after:
> /* size: 5952, cachelines: 93, members: 46 */
> 
> Also, no need to define hook points if the family isn't supported.
> 
> Signed-off-by: Florian Westphal 
> ---
>  include/linux/netfilter.h |  6 ++
>  include/net/netns/netfilter.h | 19 ++-
>  net/netfilter/core.c  | 22 ++
>  3 files changed, 42 insertions(+), 5 deletions(-)
> 
> diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
> index 80aa9a0b3d10..30a0d12a1f6d 100644
> --- a/include/linux/netfilter.h
> +++ b/include/linux/netfilter.h
> @@ -202,15 +202,21 @@ static inline int nf_hook(u_int8_t pf, unsigned int 
> hook, struct net *net,
>   case NFPROTO_IPV6:
>   hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
>   break;
> +#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)

There's also nftables here that can use the NFPROTO_ARP family.

>   case NFPROTO_ARP:
>   hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
>   break;
> +#endif
> +#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)

Same here with ebtables?

>   case NFPROTO_BRIDGE:
>   hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
>   break;
> +#endif
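Review bot: the `#if IS_ENABLED(...)` guards around the NFPROTO_ARP and NFPROTO_BRIDGE cases are keyed to a single consumer each, CONFIG_IP_NF_ARPTABLES and CONFIG_NF_TABLES_BRIDGE, while the arp family of nf_tables, ebtables and br_netfilter also walk these hook arrays; the kbuild reports further down this page (br_netfilter_hooks.c:994 and nf_queue.c:208 failing on `hooks_bridge`) show the guard does not cover every user. A family-level symbol that every bridge and arp user selects, or keeping the arrays unconditional and only shrinking their length, would avoid config-dependent build breakage.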


Re: [nf-next:master 14/14] net/bridge/br_netfilter_hooks.c:994:30: error: 'struct netns_nf' has no member named 'hooks_bridge'; did you mean 'hooks_ipv4'?

2017-12-06 Thread Pablo Neira Ayuso
Hi Florian,

On Thu, Dec 07, 2017 at 01:59:32AM +0800, kbuild test robot wrote:
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git 
> master
> head:   bcbfcb63a93704140d66f49b6f7d783988f37b4e
> commit: bcbfcb63a93704140d66f49b6f7d783988f37b4e [14/14] netfilter: reduce 
> hook array sizes to what is needed
> config: i386-randconfig-x002-201749 (attached as .config)
> compiler: gcc-7 (Debian 7.2.0-12) 7.2.1 20171025
> reproduce:
> git checkout bcbfcb63a93704140d66f49b6f7d783988f37b4e
> # save the attached .config to linux build tree
> make ARCH=i386 
> 
> All error/warnings (new ones prefixed by >>):
> 
>In file included from include/linux/srcu.h:33:0,
> from include/linux/notifier.h:16,
> from include/linux/memory_hotplug.h:7,
> from include/linux/mmzone.h:780,
> from include/linux/gfp.h:6,
> from include/linux/umh.h:4,
> from include/linux/kmod.h:22,
> from include/linux/module.h:13,
> from net/bridge/br_netfilter_hooks.c:17:
>net/bridge/br_netfilter_hooks.c: In function 'br_nf_hook_thresh':
> >> net/bridge/br_netfilter_hooks.c:994:30: error: 'struct netns_nf' has no 
> >> member named 'hooks_bridge'; did you mean 'hooks_ipv4'?
>  e = rcu_dereference(net->nf.hooks_bridge[hook]);
>  ^

I'm going to toss this patch from nf-next, will trigger a rebase,
please take the time to review this.

Thanks.


[nf-next:master 14/14] net/bridge/br_netfilter_hooks.c:994:30: error: 'struct netns_nf' has no member named 'hooks_bridge'; did you mean 'hooks_ipv4'?

2017-12-06 Thread kbuild test robot
tree:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head:   bcbfcb63a93704140d66f49b6f7d783988f37b4e
commit: bcbfcb63a93704140d66f49b6f7d783988f37b4e [14/14] netfilter: reduce hook 
array sizes to what is needed
config: i386-randconfig-x002-201749 (attached as .config)
compiler: gcc-7 (Debian 7.2.0-12) 7.2.1 20171025
reproduce:
git checkout bcbfcb63a93704140d66f49b6f7d783988f37b4e
# save the attached .config to linux build tree
make ARCH=i386 

All error/warnings (new ones prefixed by >>):

   In file included from include/linux/srcu.h:33:0,
from include/linux/notifier.h:16,
from include/linux/memory_hotplug.h:7,
from include/linux/mmzone.h:780,
from include/linux/gfp.h:6,
from include/linux/umh.h:4,
from include/linux/kmod.h:22,
from include/linux/module.h:13,
from net/bridge/br_netfilter_hooks.c:17:
   net/bridge/br_netfilter_hooks.c: In function 'br_nf_hook_thresh':
>> net/bridge/br_netfilter_hooks.c:994:30: error: 'struct netns_nf' has no 
>> member named 'hooks_bridge'; did you mean 'hooks_ipv4'?
 e = rcu_dereference(net->nf.hooks_bridge[hook]);
 ^
   include/linux/rcupdate.h:349:10: note: in definition of macro 
'__rcu_dereference_check'
 typeof(*p) *p1 = (typeof(*p) *__force)lockless_dereference(p); \
 ^
   include/linux/rcupdate.h:545:28: note: in expansion of macro 
'rcu_dereference_check'
#define rcu_dereference(p) rcu_dereference_check(p, 0)
   ^
>> net/bridge/br_netfilter_hooks.c:994:6: note: in expansion of macro 
>> 'rcu_dereference'
 e = rcu_dereference(net->nf.hooks_bridge[hook]);
 ^~~
>> net/bridge/br_netfilter_hooks.c:994:30: error: 'struct netns_nf' has no 
>> member named 'hooks_bridge'; did you mean 'hooks_ipv4'?
 e = rcu_dereference(net->nf.hooks_bridge[hook]);
 ^
   include/linux/rcupdate.h:349:36: note: in definition of macro 
'__rcu_dereference_check'
 typeof(*p) *p1 = (typeof(*p) *__force)lockless_dereference(p); \
   ^
   include/linux/rcupdate.h:545:28: note: in expansion of macro 
'rcu_dereference_check'
#define rcu_dereference(p) rcu_dereference_check(p, 0)
   ^
>> net/bridge/br_netfilter_hooks.c:994:6: note: in expansion of macro 
>> 'rcu_dereference'
 e = rcu_dereference(net->nf.hooks_bridge[hook]);
 ^~~
   In file included from include/uapi/linux/stddef.h:2:0,
from include/linux/stddef.h:5,
from include/uapi/linux/posix_types.h:5,
from include/uapi/linux/types.h:14,
from include/linux/types.h:6,
from include/linux/list.h:5,
from include/linux/module.h:9,
from net/bridge/br_netfilter_hooks.c:17:
>> net/bridge/br_netfilter_hooks.c:994:30: error: 'struct netns_nf' has no 
>> member named 'hooks_bridge'; did you mean 'hooks_ipv4'?
 e = rcu_dereference(net->nf.hooks_bridge[hook]);
 ^
   include/linux/compiler.h:622:9: note: in definition of macro 
'lockless_dereference'
 typeof(p) _p1 = READ_ONCE(p); \
^
   include/linux/rcupdate.h:486:2: note: in expansion of macro 
'__rcu_dereference_check'
 __rcu_dereference_check((p), (c) || rcu_read_lock_held(), __rcu)
 ^~~
   include/linux/rcupdate.h:545:28: note: in expansion of macro 
'rcu_dereference_check'
#define rcu_dereference(p) rcu_dereference_check(p, 0)
   ^
>> net/bridge/br_netfilter_hooks.c:994:6: note: in expansion of macro 
>> 'rcu_dereference'
 e = rcu_dereference(net->nf.hooks_bridge[hook]);
 ^~~
   In file included from include/uapi/linux/stddef.h:2:0,
from include/linux/stddef.h:5,
from include/uapi/linux/posix_types.h:5,
from include/uapi/linux/types.h:14,
from include/linux/types.h:6,
from include/linux/list.h:5,
from include/linux/module.h:9,
from net/bridge/br_netfilter_hooks.c:17:
>> net/bridge/br_netfilter_hooks.c:994:30: error: 'struct netns_nf' has no 
>> member named 'hooks_bridge'; did you mean 'hooks_ipv4'?
 e = rcu_dereference(net->nf.hooks_bridge[hook]);
 ^
   include/linux/compiler.h:339:17: note: in definition of macro '__READ_ONCE'
 union { typeof(x) __val; char __c[1]; } __u;   \
^
   include/linux/compiler.h:622:26: note: in expansion of macro 'READ_ONCE'
 typeof(p) _p1 = READ_ONCE(p); \
  

[nf-next:master 14/14] net/netfilter/nf_queue.c:208:34: error: 'const struct netns_nf' has no member named 'hooks_bridge'; did you mean 'hooks_ipv4'?

2017-12-06 Thread kbuild test robot
tree:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head:   bcbfcb63a93704140d66f49b6f7d783988f37b4e
commit: bcbfcb63a93704140d66f49b6f7d783988f37b4e [14/14] netfilter: reduce hook 
array sizes to what is needed
config: i386-randconfig-x014-201749 (attached as .config)
compiler: gcc-7 (Debian 7.2.0-12) 7.2.1 20171025
reproduce:
git checkout bcbfcb63a93704140d66f49b6f7d783988f37b4e
# save the attached .config to linux build tree
make ARCH=i386 

All error/warnings (new ones prefixed by >>):

   In file included from include/linux/srcu.h:33:0,
from include/linux/notifier.h:16,
from include/linux/memory_hotplug.h:7,
from include/linux/mmzone.h:780,
from include/linux/gfp.h:6,
from include/linux/slab.h:15,
from net/netfilter/nf_queue.c:7:
   net/netfilter/nf_queue.c: In function 'nf_hook_entries_head':
>> net/netfilter/nf_queue.c:208:34: error: 'const struct netns_nf' has no 
>> member named 'hooks_bridge'; did you mean 'hooks_ipv4'?
  return rcu_dereference(net->nf.hooks_bridge[hooknum]);
 ^
   include/linux/rcupdate.h:349:10: note: in definition of macro 
'__rcu_dereference_check'
 typeof(*p) *p1 = (typeof(*p) *__force)lockless_dereference(p); \
 ^
>> include/linux/rcupdate.h:545:28: note: in expansion of macro 
>> 'rcu_dereference_check'
#define rcu_dereference(p) rcu_dereference_check(p, 0)
   ^
>> net/netfilter/nf_queue.c:208:10: note: in expansion of macro 
>> 'rcu_dereference'
  return rcu_dereference(net->nf.hooks_bridge[hooknum]);
 ^~~
>> net/netfilter/nf_queue.c:208:34: error: 'const struct netns_nf' has no 
>> member named 'hooks_bridge'; did you mean 'hooks_ipv4'?
  return rcu_dereference(net->nf.hooks_bridge[hooknum]);
 ^
   include/linux/rcupdate.h:349:36: note: in definition of macro 
'__rcu_dereference_check'
 typeof(*p) *p1 = (typeof(*p) *__force)lockless_dereference(p); \
   ^
>> include/linux/rcupdate.h:545:28: note: in expansion of macro 
>> 'rcu_dereference_check'
#define rcu_dereference(p) rcu_dereference_check(p, 0)
   ^
>> net/netfilter/nf_queue.c:208:10: note: in expansion of macro 
>> 'rcu_dereference'
  return rcu_dereference(net->nf.hooks_bridge[hooknum]);
 ^~~
   In file included from include/linux/linkage.h:5:0,
from include/linux/kernel.h:7,
from net/netfilter/nf_queue.c:6:
>> net/netfilter/nf_queue.c:208:34: error: 'const struct netns_nf' has no 
>> member named 'hooks_bridge'; did you mean 'hooks_ipv4'?
  return rcu_dereference(net->nf.hooks_bridge[hooknum]);
 ^
   include/linux/compiler.h:622:9: note: in definition of macro 
'lockless_dereference'
 typeof(p) _p1 = READ_ONCE(p); \
^
>> include/linux/rcupdate.h:486:2: note: in expansion of macro 
>> '__rcu_dereference_check'
 __rcu_dereference_check((p), (c) || rcu_read_lock_held(), __rcu)
 ^~~
>> include/linux/rcupdate.h:545:28: note: in expansion of macro 
>> 'rcu_dereference_check'
#define rcu_dereference(p) rcu_dereference_check(p, 0)
   ^
>> net/netfilter/nf_queue.c:208:10: note: in expansion of macro 
>> 'rcu_dereference'
  return rcu_dereference(net->nf.hooks_bridge[hooknum]);
 ^~~
   In file included from include/linux/linkage.h:5:0,
from include/linux/kernel.h:7,
from net/netfilter/nf_queue.c:6:
>> net/netfilter/nf_queue.c:208:34: error: 'const struct netns_nf' has no 
>> member named 'hooks_bridge'; did you mean 'hooks_ipv4'?
  return rcu_dereference(net->nf.hooks_bridge[hooknum]);
 ^
   include/linux/compiler.h:339:17: note: in definition of macro '__READ_ONCE'
 union { typeof(x) __val; char __c[1]; } __u;   \
^
   include/linux/compiler.h:622:26: note: in expansion of macro 'READ_ONCE'
 typeof(p) _p1 = READ_ONCE(p); \
 ^
>> include/linux/rcupdate.h:349:48: note: in expansion of macro 
>> 'lockless_dereference'
 typeof(*p) *p1 = (typeof(*p) *__force)lockless_dereference(p); \
   ^~~~
>> include/linux/rcupdate.h:486:2: note: in expansion of macro 
>> '__rcu_dereference_check'
 __rcu_dereference_check((p), (c) || rcu_read_lock_held(), __rcu)
 ^~~
>> include/linux/rcupdate.h:545:28: note: in expansion of macro 
>> 'rcu_dereference_check'
#define rcu_dereference(p) 

[PATCH 27/45] net: remove duplicate includes

2017-12-06 Thread Pravin Shedge
These duplicate includes have been found with scripts/checkincludes.pl but
they have been removed manually to avoid removing false positives.

Signed-off-by: Pravin Shedge 
---
 net/core/netprio_cgroup.c| 1 -
 net/dsa/slave.c  | 1 -
 net/netfilter/nf_conntrack_netlink.c | 1 -
 net/sched/act_meta_mark.c| 1 -
 net/sched/act_meta_skbtcindex.c  | 1 -
 net/sched/cls_api.c  | 1 -
 net/sched/cls_u32.c  | 1 -
 7 files changed, 7 deletions(-)

diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
index 1c48109..b905747 100644
--- a/net/core/netprio_cgroup.c
+++ b/net/core/netprio_cgroup.c
@@ -14,7 +14,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index d6e7a64..a95a55f 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -16,7 +16,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
diff --git a/net/netfilter/nf_conntrack_netlink.c 
b/net/netfilter/nf_conntrack_netlink.c
index 59c0899..332b518 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -45,7 +45,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #ifdef CONFIG_NF_NAT_NEEDED
 #include 
diff --git a/net/sched/act_meta_mark.c b/net/sched/act_meta_mark.c
index 1e3f10e..6445184 100644
--- a/net/sched/act_meta_mark.c
+++ b/net/sched/act_meta_mark.c
@@ -22,7 +22,6 @@
 #include 
 #include 
 #include 
-#include 
 
 static int skbmark_encode(struct sk_buff *skb, void *skbdata,
  struct tcf_meta_info *e)
diff --git a/net/sched/act_meta_skbtcindex.c b/net/sched/act_meta_skbtcindex.c
index 2ea1f26..7221437 100644
--- a/net/sched/act_meta_skbtcindex.c
+++ b/net/sched/act_meta_skbtcindex.c
@@ -22,7 +22,6 @@
 #include 
 #include 
 #include 
-#include 
 
 static int skbtcindex_encode(struct sk_buff *skb, void *skbdata,
 struct tcf_meta_info *e)
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index ddcf04b..f40256a 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -23,7 +23,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index ac152b4..507859c 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -45,7 +45,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 
 struct tc_u_knode {
-- 
2.7.4



[PATCH v2 nf-next] netfilter: meta: secpath support

2017-12-06 Thread Florian Westphal
replacement for iptables "-m policy --dir in --policy {ipsec,none}".

Signed-off-by: Florian Westphal 
---
Changes since v1:
- add ifdef CONFIG_XFRM in nft_meta_get_validate, no need for any
  check if we don't support xfrm.

 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nft_meta.c | 43 
 2 files changed, 45 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index a3ee277b17a1..2efbf9744c2a 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_OIFGROUP: packet output interface group
  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  * @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
  */
 enum nft_meta_keys {
NFT_META_LEN,
@@ -804,6 +805,7 @@ enum nft_meta_keys {
NFT_META_OIFGROUP,
NFT_META_CGROUP,
NFT_META_PRANDOM,
+   NFT_META_SECPATH,
 };
 
 /**
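Review bot: NFT_META_SECPATH is appended at the end of enum nft_meta_keys, so existing uapi values keep their numbers. Since the uapi header advertises the key regardless of CONFIG_XFRM, userspace on a kernel built without XFRM gets -EOPNOTSUPP from nft_meta_get_init; that is the right failure mode, but the comment block above could say the key is only available with XFRM support.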
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 5a60eb23a7ed..1a91e676f13e 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr,
*dest = prandom_u32_state(state);
break;
}
+#ifdef CONFIG_XFRM
+   case NFT_META_SECPATH:
+   nft_reg_store8(dest, !!skb->sp);
+   break;
+#endif
default:
WARN_ON(1);
goto err;
@@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
prandom_init_once(_prandom_state);
len = sizeof(u32);
break;
+#ifdef CONFIG_XFRM
+   case NFT_META_SECPATH:
+   len = sizeof(u8);
+   break;
+#endif
default:
return -EOPNOTSUPP;
}
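Review bot: `len = sizeof(u8)` here has to stay in step with the `nft_reg_store8(dest, !!skb->sp)` in nft_meta_get_eval; a short comment cross-referencing the two would help, since the existing keys in this switch mix u32 and u8 widths and a mismatch would leave stale register bytes that a later comparison reads. With CONFIG_XFRM off this case falls to the `default: return -EOPNOTSUPP`, so the compiled-out eval case is never reached.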
@@ -318,6 +328,38 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
 }
 EXPORT_SYMBOL_GPL(nft_meta_get_init);
 
+static int nft_meta_get_validate(const struct nft_ctx *ctx,
+const struct nft_expr *expr,
+const struct nft_data **data)
+{
+#ifdef CONFIG_XFRM
+   const struct nft_meta *priv = nft_expr_priv(expr);
+   unsigned int hooks;
+
+   if (priv->key != NFT_META_SECPATH)
+   return 0;
+
+   switch (ctx->afi->family) {
+   case NFPROTO_NETDEV:
+   hooks = 1 << NF_NETDEV_INGRESS;
+   break;
+   case NFPROTO_IPV4:
+   case NFPROTO_IPV6:
+   case NFPROTO_INET:
+   hooks = (1 << NF_INET_PRE_ROUTING) |
+   (1 << NF_INET_LOCAL_IN) |
+   (1 << NF_INET_FORWARD);
+   break;
+   default:
+   return -EOPNOTSUPP;
+   }
+
+   return nft_chain_validate_hooks(ctx->chain, hooks);
+#else
+   return 0;
+#endif
+}
+
 int nft_meta_set_validate(const struct nft_ctx *ctx,
  const struct nft_expr *expr,
  const struct nft_data **data)
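Review bot: restricting the key to NF_INET_PRE_ROUTING/LOCAL_IN/FORWARD and NF_NETDEV_INGRESS is the right call, because the secpath is only populated on the receive path; a rule in OUTPUT or POSTROUTING would always read `!!skb->sp` as 0 and silently never match, so rejecting it when the chain is validated is better than matching wrongly. The `#else return 0;` branch is needed so that other meta keys still validate when XFRM is off. A doc point: the ifdef wraps the whole body, so the `priv` and `hooks` locals are unused in the non-XFRM build; the current placement avoids unused-variable warnings, which is worth a comment so nobody moves the ifdef.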
@@ -434,6 +476,7 @@ static const struct nft_expr_ops nft_meta_get_ops = {
.eval   = nft_meta_get_eval,
.init   = nft_meta_get_init,
.dump   = nft_meta_get_dump,
+   .validate   = nft_meta_get_validate,
 };
 
 static const struct nft_expr_ops nft_meta_set_ops = {
-- 
2.13.6



[PATCH v3 nf-next] netfilter: connlimit: split xt_connlimit into front/backend

2017-12-06 Thread Florian Westphal
This allows to reuse xt_connlimit infrastructure from nf_tables.

The upcoming nf_tables frontend can just pass in an nftables register
as input key, this allows limiting by arbitrary keys via concatenations.

For xt_connlimit, pass in the zone and the ip/ipv6 address as key
to keep same behaviour.

Signed-off-by: Florian Westphal 
---
 Changes since v2:
  - fix resource leak on kmalloc failure
in nf_conncount_init()
  - add include guard in nf_conntrack_count.h

 include/net/netfilter/nf_conntrack_count.h  |  17 ++
 include/uapi/linux/netfilter/xt_connlimit.h |   2 +-
 net/netfilter/Kconfig   |   3 +
 net/netfilter/Makefile  |   2 +
 net/netfilter/nf_conncount.c| 373 
 net/netfilter/xt_connlimit.c| 367 ++-
 6 files changed, 420 insertions(+), 344 deletions(-)
 create mode 100644 include/net/netfilter/nf_conntrack_count.h
 create mode 100644 net/netfilter/nf_conncount.c

diff --git a/include/net/netfilter/nf_conntrack_count.h 
b/include/net/netfilter/nf_conntrack_count.h
new file mode 100644
index 0..7cb13ea909b58
--- /dev/null
+++ b/include/net/netfilter/nf_conntrack_count.h
@@ -0,0 +1,17 @@
+#ifndef _NF_CONNTRACK_COUNT_H
+#define _NF_CONNTRACK_COUNT_H
+
+struct nf_conncount_data;
+
+struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int 
family,
+   unsigned int keylen);
+void nf_conncount_destroy(struct net *net, unsigned int family,
+ struct nf_conncount_data *data);
+
+unsigned int nf_conncount_count(struct net *net,
+   struct nf_conncount_data *data,
+   const u32 *key,
+   unsigned int family,
+   const struct nf_conntrack_tuple *tuple,
+   const struct nf_conntrack_zone *zone);
+#endif
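Review bot: the new header uses `struct net`, `struct nf_conntrack_tuple`, `struct nf_conntrack_zone` and `u32` without including or forward-declaring them, so whether it compiles depends on include order in each file that pulls it in. Add forward declarations for the three structs next to the existing `struct nf_conncount_data;` and `#include <linux/types.h>` for u32, so the header stands alone.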
diff --git a/include/uapi/linux/netfilter/xt_connlimit.h 
b/include/uapi/linux/netfilter/xt_connlimit.h
index 07e5e9d47882c..d4d1943dcd111 100644
--- a/include/uapi/linux/netfilter/xt_connlimit.h
+++ b/include/uapi/linux/netfilter/xt_connlimit.h
@@ -27,7 +27,7 @@ struct xt_connlimit_info {
__u32 flags;
 
/* Used internally by the kernel */
-   struct xt_connlimit_data *data __attribute__((aligned(8)));
+   struct nf_conncount_data *data __attribute__((aligned(8)));
 };
 
 #endif /* _XT_CONNLIMIT_H */
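Review bot: this renames the type of a field in a uapi header. Because the member is an opaque, 8-byte-aligned pointer reserved for the kernel, its size and alignment do not change and the ABI is preserved, but the struct name is kernel-private and does not exist in the exported headers; a comment saying that userspace must treat this slot as opaque padding would avoid someone trying to resolve the type from the uapi copy.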
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index e4a13cc8a2e76..8a043b85fc071 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -62,6 +62,8 @@ config NF_LOG_NETDEV
select NF_LOG_COMMON
 
 if NF_CONNTRACK
+config NETFILTER_CONNCOUNT
+   tristate
 
 config NF_CONNTRACK_MARK
bool  'Connection mark tracking support'
@@ -1120,6 +1122,7 @@ config NETFILTER_XT_MATCH_CONNLIMIT
tristate '"connlimit" match support'
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
+   select NETFILTER_CONNCOUNT
---help---
  This match allows you to match against the number of parallel
  connections to a server per client IP address (or address block).
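Review bot: NETFILTER_CONNCOUNT has no prompt and is reached only by `select`, and since `select` ignores `depends on`, the `if NF_CONNTRACK` block it sits in does not protect it on its own; the selector shown here already depends on NF_CONNTRACK, so this is consistent, but the nf_tables frontend mentioned in the changelog must carry the same `depends on NF_CONNTRACK` when it adds its own `select NETFILTER_CONNCOUNT`.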
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f78ed2470831d..490a55e7166da 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -67,6 +67,8 @@ obj-$(CONFIG_NF_NAT_TFTP) += nf_nat_tftp.o
 # SYNPROXY
 obj-$(CONFIG_NETFILTER_SYNPROXY) += nf_synproxy_core.o
 
+obj-$(CONFIG_NETFILTER_CONNCOUNT) += nf_conncount.o
+
 # generic packet duplication from netdev family
 obj-$(CONFIG_NF_DUP_NETDEV)+= nf_dup_netdev.o
 
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
new file mode 100644
index 0..798bc42399116
--- /dev/null
+++ b/net/netfilter/nf_conncount.c
@@ -0,0 +1,373 @@
+/*
+ * count the number of connections matching an arbitrary key.
+ *
+ * (C) 2017 Red Hat GmbH
+ * Author: Florian Westphal 
+ *
+ * split from xt_connlimit.c:
+ *   (c) 2000 Gerd Knorr 
+ *   Nov 2002: Martin Bene :
+ * only ignore TIME_WAIT or gone connections
+ *   (C) CC Computer Consultants GmbH, 2007
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define CONNCOUNT_SLOTS256U
+
+#ifdef CONFIG_LOCKDEP
+#define CONNCOUNT_LOCK_SLOTS   8U
+#else
+#define CONNCOUNT_LOCK_SLOTS   256U
+#endif
+
+#define CONNCOUNT_GC_MAX_NODES 8
+#define MAX_KEYLEN 5
+
+/* we will save the tuples of all connections we care about */
+struct nf_conncount_tuple {
+   struct hlist_node   node;
+   struct nf_conntrack_tuple   tuple;
+};
+
+struct 
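Review bot: `CONNCOUNT_LOCK_SLOTS` is 8 under CONFIG_LOCKDEP and 256 otherwise, so the mapping from hash slot to lock differs between a lockdep build and a production build; that is a legitimate trick to stay under lockdep's lock-class limits, but it deserves a comment saying so and a `BUILD_BUG_ON(CONNCOUNT_SLOTS % CONNCOUNT_LOCK_SLOTS)` so the modulo mapping stays exact. `MAX_KEYLEN` is 5 while `nf_conncount_init()` accepts an arbitrary `keylen`; make sure init returns an error for `keylen > MAX_KEYLEN` rather than truncating, since the listing is cut off before any such check is visible. Note also that the file names after each `#include` have been stripped in this archive copy, so the include list cannot be reviewed here.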

[PATCH] src: Add option -D to define variable from command line

2017-12-06 Thread Harsha Sharma
This patch takes the argument of the '-D' option and passes it to
nft_run_cmd_from_filename, and parses the string in scanner_push_file along
with the input file.

Signed-off-by: Harsha Sharma 
---
I want to parse both the input string and the input file in scanner_push_file
but am unable to do so. Any suggestions are welcome.

 include/nftables/nftables.h |  2 +-
 include/parser.h|  2 +-
 include/utils.h |  1 +
 src/libnftables.c   |  4 ++--
 src/main.c  | 22 ++
 src/parser_bison.y  |  2 +-
 src/rule.c  |  5 -
 src/scanner.l   | 25 -
 8 files changed, 44 insertions(+), 19 deletions(-)

diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index 8e59f2b..4fa012a 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -61,6 +61,6 @@ int nft_ctx_add_include_path(struct nft_ctx *ctx, const char 
*path);
 void nft_ctx_clear_include_paths(struct nft_ctx *ctx);
 
 int nft_run_cmd_from_buffer(struct nft_ctx *nft, char *buf, size_t buflen);
-int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename);
+int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename, const 
char *variable);
 
 #endif /* LIB_NFTABLES_H */
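Review bot: `nft_run_cmd_from_filename()` is part of the exported libnftables API (include/nftables/nftables.h), so adding a parameter changes the library ABI and breaks every existing caller; and a single `const char *variable` can only carry one definition, while a `-D` option is normally repeatable. Keep the signature as it is and attach definitions to the context instead, for example a new `nft_ctx_add_var(struct nft_ctx *ctx, const char *var)` alongside the `nft_ctx_add_include_path()` declared just above (name is only a suggestion), which the scanner can then read from the ctx when it starts on the input file.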
diff --git a/include/parser.h b/include/parser.h
index 0bdb3fa..a774b69 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -40,7 +40,7 @@ extern void *scanner_init(struct parser_state *state);
 extern void scanner_destroy(void *scanner);
 
 extern int scanner_read_file(void *scanner, const char *filename,
-const struct location *loc);
+const char *variable, const struct location *loc);
 extern int scanner_include_file(struct nft_ctx *ctx, void *scanner,
const char *filename,
const struct location *loc);
diff --git a/include/utils.h b/include/utils.h
index 310389c..6569afe 100644
--- a/include/utils.h
+++ b/include/utils.h
@@ -122,6 +122,7 @@ static inline int fls(int x)
 }
 
 extern void __memory_allocation_error(const char *filename, uint32_t line) 
__noreturn;
+extern void __memory_allocation_error(const char *variable, uint32_t line) 
__noreturn;
 
 #define memory_allocation_error()  \
__memory_allocation_error(__FILE__, __LINE__);
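Review bot: the added line re-declares `__memory_allocation_error()` with an identical type, only renaming the first parameter from `filename` to `variable`. It is a duplicate prototype that changes nothing, and the first argument really is the source file name, as the `memory_allocation_error()` macro below passes `__FILE__`. Drop this hunk; it looks like a stray search-and-replace on `filename`.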
diff --git a/src/libnftables.c b/src/libnftables.c
index c86d894..c0e7d9f 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -299,7 +299,7 @@ int nft_run_cmd_from_buffer(struct nft_ctx *nft, char *buf, 
size_t buflen)
return rc;
 }
 
-int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename)
+int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename, const 
char *variable)
 {
struct parser_state state;
LIST_HEAD(msgs);
@@ -315,7 +315,7 @@ int nft_run_cmd_from_filename(struct nft_ctx *nft, const 
char *filename)
parser_init(nft->nf_sock, >cache, ,
, nft->debug_mask, >output);
scanner = scanner_init();
-   if (scanner_read_file(scanner, filename, _location) < 0) {
+   if (scanner_read_file(scanner, filename, variable, _location) 
< 0) {
rc = -1;
goto err;
}
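Review bot: `variable` is handed straight to `scanner_read_file()` with no check. When `-D` is not given it will be NULL, so `scanner_read_file()`/`scanner_push_file()` must accept a NULL pointer, and a malformed definition (for instance one without a value) should fail through the existing `< 0` branch with a location in the error message rather than being silently ignored. (The `&` characters in the surrounding context lines were stripped by the archive; they are not part of the change.)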
diff --git a/src/main.c b/src/main.c
index 353b87b..ff7495a 100644
--- a/src/main.c
+++ b/src/main.c
@@ -37,10 +37,11 @@ enum opt_vals {
OPT_DEBUG   = 'd',
OPT_HANDLE_OUTPUT   = 'a',
OPT_ECHO= 'e',
+   OPT_VARIABLE= 'D',
OPT_INVALID = '?',
 };
 
-#define OPTSTRING  "hvcf:iI:vnsNae"
+#define OPTSTRING  "hvcf:iI:vnsNaeD:"
 
 static const struct option options[] = {
{
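Review bot: the new `D:` in `OPTSTRING` is correct for an option with a mandatory argument, but the string still lists `v` twice ("hvcf:iI:vnsNaeD:"); that is pre-existing, but worth removing while the line is being touched so getopt's option table matches the enum exactly.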
@@ -95,6 +96,11 @@ static const struct option options[] = {
.val= OPT_ECHO,
},
{
+   .name   = "variable",
+   .val= OPT_VARIABLE,
+   .has_arg= 1,
+   },
+   {
.name   = NULL
}
 };
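Review bot: use `required_argument` instead of the bare `1` for `.has_arg` so the entry reads like the getopt_long documentation, and reconsider the long name: `--variable` matches neither the short letter `D` nor the commit subject ("define variable"). `--define`, the pairing users know from cpp's `-D`, is what they will guess first.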
@@ -119,6 +125,7 @@ static void show_help(const char *name)
 "  -N  Translate IP addresses to names.\n"
 "  -a, --handleOutput rule handle.\n"
 "  -e, --echo  Echo what has been added, inserted or 
replaced.\n"
+"  

Re: [PATCH V3 0/5] netfilter: nf_nat_snmp_basic: use ASN.1 decoder

2017-12-06 Thread Pablo Neira Ayuso
On Wed, Dec 06, 2017 at 09:15:44AM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 20, 2017 at 12:05:54AM +0900, Taehee Yoo wrote:
> > The goal of this patch set is to use the ASN.1 decoder library
> > to parse SNMP ASN.1 payload.
> 
> Series applied, thanks.

I'm hitting this here:

net/ipv4/netfilter/nf_nat_snmp_basic.c:57:36: fatal error: 
nf_nat_snmp_basic-asn1.h: File or directory does not exist
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH nf-next] netfilter: ipvs: Remove useless ipvsh param of frag_safe_skb_hp

2017-12-06 Thread Pablo Neira Ayuso
On Wed, Nov 22, 2017 at 07:14:28PM +0100, Simon Horman wrote:
> On Mon, Nov 13, 2017 at 10:58:18PM +0800, gfree.w...@vip.163.com wrote:
> > From: Gao Feng 
> > 
> > The param of frag_safe_skb_hp, ipvsh, isn't used now. So remove it and
> > update the callers' code too.
> > 
> > Signed-off-by: Gao Feng 
> > ---
> >  Simon advised me to send the patch to the netfilter group
> 
> Acked-by: Simon Horman 
> 
> Pablo, can you take this through the nf-next tree?

Applied, thanks.


Re: [PATCH nf-next] net: netfilter: nf_conntrack_h323: Remove unwanted comments.

2017-12-06 Thread Pablo Neira Ayuso
On Thu, Nov 30, 2017 at 07:34:36PM +0530, Varsha Rao wrote:
> Change old multi-line comment style to kernel comment style and
> remove unwanted comments.

Applied, thanks.


Re: [PATCH nf-next 0/2] netfilter: reduce size of hook entry points

2017-12-06 Thread Pablo Neira Ayuso
On Sun, Dec 03, 2017 at 12:58:46AM +0100, Florian Westphal wrote:
> struct net contains:
> 
> struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
> 
> where NFPROTO_NUMPROTO = 13 and NF_MAX_HOOKS = 8.
> 
> ... and that needs a *lot* more space than what we really need.
> We only need hooks for arp, bridge, ipv4, ipv6 and decnet.
> 
> Arp only has 3 hook types, decnet has 7, all others have 5.
> So replace this with dedicated arrays of the correct size to save
> some space.

Also applied, thanks.


Re: [PATCH nf-next 0/3] netfilter: reduce netns create/delete cost

2017-12-06 Thread Pablo Neira Ayuso
On Fri, Dec 01, 2017 at 12:21:01AM +0100, Florian Westphal wrote:
> This patch series removes all synchronize_net() calls from netfilter core
> to speed up net namespace create/delete rate.
> 
> Freeing of hooks is moved to call_rcu at the cost of additional 24 bytes
> at the end of each rule blob.

Series applied, thanks Florian.


Re: [PATCH ipset nf-next] netfilter: ipset: add resched points during set listing

2017-12-06 Thread Pablo Neira Ayuso
On Fri, Dec 01, 2017 at 08:25:55PM +0100, Jozsef Kadlecsik wrote:
> Hi Florian,
> 
> On Thu, 30 Nov 2017, Florian Westphal wrote:
> 
> > When sets are extremely large we can get softlockup during ipset -L. We 
> > could fix this by adding cond_resched_rcu() at the right location during 
> > iteration, but this only works if RCU nesting depth is 1.
> > 
> > At this time the entire variant->list() is called under
> > rcu_read_lock_bh. This used to be a read_lock_bh() but as rcu doesn't 
> > really lock anything, it does not appear to be needed, so remove it 
> > (ipset increments set reference count before this, so a set deletion 
> > should not be possible).
> 
> Yes, the call of rcu_read_lock_bh() seems to be unnecessary, the
> set->variant->list() functions protect the sensitive parts with 
> rcu_read_lock() anyway. Thanks!
> 
> Acked-by: Jozsef Kadlecsik 

Also applied, thanks.


Re: [PATCH ipset nf-next] netfilter: ipset: use nfnl_mutex_is_locked

2017-12-06 Thread Pablo Neira Ayuso
On Fri, Dec 01, 2017 at 08:14:48PM +0100, Jozsef Kadlecsik wrote:
> Hi Florian,
> 
> On Thu, 30 Nov 2017, Florian Westphal wrote:
> 
> > Check that we really hold nfnl mutex here instead of relying on correct
> > usage alone.
> > 
> > Signed-off-by: Florian Westphal 
> 
> Yes, it's better this way :-)
> 
> Acked-by: Jozsef Kadlecsik 

Applied, thanks.


Re: [PATCH V3 0/5] netfilter: nf_nat_snmp_basic: use ASN.1 decoder

2017-12-06 Thread Pablo Neira Ayuso
On Mon, Nov 20, 2017 at 12:05:54AM +0900, Taehee Yoo wrote:
> The goal of this patch set is to use the ASN.1 decoder library
> to parse SNMP ASN.1 payload.

Series applied, thanks.


Re: [PATCH] netfilter: xt_osf: Add missing permission checks

2017-12-06 Thread Pablo Neira Ayuso
On Tue, Dec 05, 2017 at 03:42:41PM -0800, Kevin Cernekee wrote:
> The capability check in nfnetlink_rcv() verifies that the caller
> has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
> However, xt_osf_fingers is shared by all net namespaces on the
> system.  An unprivileged user can create user and net namespaces
> in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
> check:
> 
> vpnns -- nfnl_osf -f /tmp/pf.os
> 
> vpnns -- nfnl_osf -f /tmp/pf.os -d
> 
> These non-root operations successfully modify the systemwide OS
> fingerprint list.  Add new capable() checks so that they can't.

Applied, thanks Kevin.