Re: [PATCH] ipvs: Fix inappropriate output of procfs

2017-11-06 Thread Pablo Neira Ayuso
On Sun, Oct 15, 2017 at 05:11:28PM +0300, Julian Anastasov wrote: > On Sun, 15 Oct 2017, KUWAZAWA Takuya wrote: > > > Information about ipvs in different network namespace can be seen via > > procfs. > > > > How to reproduce: > > > > # ip netns add ns01 > > # ip netns add ns02 > > # ip

Re: [PATCH] netfilter: ebtables: clean up initialization of buf

2017-11-06 Thread Pablo Neira Ayuso
On Mon, Oct 16, 2017 at 11:24:02AM +0100, Colin King wrote: > From: Colin Ian King > > buf is initialized to buf_start and then set on the next statement > to buf_start + offsets[i]. Clean this up to just initialize buf > to buf_start + offsets[i] to clean up the clang build warning: > "Value

Re: [PATCH 13/14] netfilter/ipvs: Use %pS printk format for direct addresses

2017-11-06 Thread Pablo Neira Ayuso
On Mon, Oct 09, 2017 at 07:52:24AM +0200, Simon Horman wrote: > On Wed, Sep 06, 2017 at 10:28:00PM +0200, Helge Deller wrote: > > The debug and error printk functions in ipvs uses wrongly the %pF instead of > > the %pS printk format specifier for printing symbols for the address > > returned > >

Re: [PATCH] netfilter: ip6_tables: remove redundant assignment to e

2017-11-06 Thread Pablo Neira Ayuso
On Tue, Oct 17, 2017 at 01:02:00PM +0100, Colin King wrote: > From: Colin Ian King > > The assignment to variable e is redundant since the same assignment > occurs just a few lines later, hence it can be removed. Cleans up > clang warning: warning: Value stored to 'e' is never read Seems like

Re: [PATCH] netfilter: nf_conntrack_h323: Remove typedef struct

2017-10-24 Thread Pablo Neira Ayuso
On Fri, Oct 13, 2017 at 04:23:57AM +0530, Harsha Sharma wrote: > Remove typedef from struct as linux-kernel coding style tends to > avoid using typedefs. > Done using following coccinelle semantic patch Applied, thanks Harsha.

Re: [PATCH] INSTALL: Update dependency list and configure with libxtables support

2017-10-06 Thread Pablo Neira Ayuso
On Thu, Oct 05, 2017 at 01:01:09PM +0530, Harsha Sharma wrote: > Add configure with lixtables in INSTALL and required dependencies for > the same Applied, thanks. I have mangled this a bit. Applying: INSTALL: Update dependency list and configure with libxtables support patch:29: space before

Re: [PATCH] test: shell: execute shell/run-tests.sh from any directory

2017-10-06 Thread Pablo Neira Ayuso
On Thu, Oct 05, 2017 at 01:13:47PM +0530, Harsha Sharma wrote: > Update shell/run-tests.sh to refer /src/nft with a relative path Applied, thanks Harsha.

Re: [Outreachy kernel] [PATCH 3/3] evaluate: make pointers in string arrays constant

2017-10-04 Thread Pablo Neira Ayuso
On Mon, Oct 02, 2017 at 01:02:50PM +0530, Harsha Sharma wrote: > static const char * array should probably be static const char * const > array > as per linux-kernel coding style > > Signed-off-by: Harsha Sharma > --- > src/evaluate.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-)

Re: [PATCH] iptables: Constify option struct

2017-10-04 Thread Pablo Neira Ayuso
On Wed, Sep 27, 2017 at 05:14:52PM +0530, Harsha Sharma wrote: > The struct of type option is only used to initialise a field inside > the xtables_globals struct and is not modified anywhere. > Done using following coccinelle semantic patch Applied, thanks.

Re: [PATCH] netfilter: nf_tables: Release memory obtained by kasprintf

2017-10-03 Thread Pablo Neira Ayuso
On Wed, Sep 20, 2017 at 12:31:28PM +0530, Arvind Yadav wrote: > Free memory region, if nf_tables_set_alloc_name is not successful. Applied, thanks. I have added this tag to this patch: Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars")

Re: [PATCH] exthdr: Add support for reserved header and address

2017-10-02 Thread Pablo Neira Ayuso
Hi Harsha, On Mon, Oct 02, 2017 at 02:07:00AM +0530, Harsha Sharma wrote: > Add support for IPV6 type 0 routing header reserved field and address > unable to test it with nft-test.py It seems you didn't test this patch. # python nft-test.py ip6/rt.t

Re: [PATCH v3] ebtables: fix race condition in frame_filter_net_init()

2017-09-29 Thread Pablo Neira Ayuso
On Tue, Sep 26, 2017 at 06:35:45PM +0200, Artem Savkov wrote: > It is possible for ebt_in_hook to be triggered before ebt_table is assigned > resulting in a NULL-pointer dereference. Make sure hooks are > registered as the last step. Applied, thanks.

Re: [PATCH] netfilter: nat: Do not use ARRAY_SIZE() on spinlocks to fix zero div

2017-09-18 Thread Pablo Neira Ayuso
On Sun, Sep 10, 2017 at 01:41:41PM +0200, Geert Uytterhoeven wrote: > If no spinlock debugging options (CONFIG_GENERIC_LOCKBREAK, > CONFIG_DEBUG_SPINLOCK, CONFIG_DEBUG_LOCK_ALLOC) are enabled on a UP > platform (e.g. m68k defconfig), arch_spinlock_t is an empty struct, > hence using

Re: [netfilter-core] [PATCH] netfilter: nat: constify rhashtable_params

2017-09-08 Thread Pablo Neira Ayuso
On Fri, Sep 08, 2017 at 01:46:30PM +0200, Pablo Neira Ayuso wrote: > On Wed, Aug 30, 2017 at 05:18:04PM +0530, Arvind Yadav wrote: > > rhashtable_params are not supposed to change at runtime. All > > Functions rhashtable_* working with const rhashtable_params > > provided

Re: [PATCH v2] netfilter: xt_hashlimit: fix build error caused by 64bit division

2017-09-08 Thread Pablo Neira Ayuso
On Fri, Sep 08, 2017 at 01:38:58AM -0400, Vishwanath Pai wrote: > 64bit division causes build/link errors on 32bit architectures. It > prints out error messages like: > > ERROR: "__aeabi_uldivmod" [net/netfilter/xt_hashlimit.ko] undefined! > > The value of avg passed through by userspace in BYTE

Re: [PATCH] net:netfilter alloc xt_byteslimit_htable with wrong size

2017-09-08 Thread Pablo Neira Ayuso
On Fri, Sep 08, 2017 at 11:00:16AM +0800, zhizhou.t...@gmail.com wrote: > From: Zhizhou Tian > > struct xt_byteslimit_htable used hlist_head, > but alloc memory with sizeof(struct list_head) Applied, thanks. For the record, I have mangled the patch title to: netfilter: xt_hashlimit:

Re: [PATCH] netfilter: nat: constify rhashtable_params

2017-09-08 Thread Pablo Neira Ayuso
On Wed, Aug 30, 2017 at 05:18:04PM +0530, Arvind Yadav wrote: > rhashtable_params are not supposed to change at runtime. All > Functions rhashtable_* working with const rhashtable_params > provided by . So mark the non-const structs > as const. Applied to nf, thanks.

Re: [PATCH] netfilter: xt_hashlimit: avoid 64-bit division

2017-09-07 Thread Pablo Neira Ayuso
On Wed, Sep 06, 2017 at 10:48:22PM +0200, Arnd Bergmann wrote: > On Wed, Sep 6, 2017 at 10:22 PM, Vishwanath Pai wrote: > > On 09/06/2017 03:57 PM, Arnd Bergmann wrote: > >> 64-bit division is expensive on 32-bit architectures, and > >> requires a special function call to avoid a link error like:

Re: [PATCH][V2] netfilter: fix indent on if statements

2017-08-24 Thread Pablo Neira Ayuso
On Tue, Aug 15, 2017 at 10:50:34AM +0100, Colin King wrote: > From: Colin Ian King > > The returns on some if statements are not indented correctly, > add in the missing tab. Applied, thanks.

Re: [PATCH v2] netfilter: nf_nat_h323: fix logical-not-parentheses warning

2017-08-24 Thread Pablo Neira Ayuso
On Mon, Aug 14, 2017 at 10:36:03AM -0700, Nick Desaulniers wrote: > Minor nit for the commit message that can get fixed up when being merged: > > On Fri, Aug 11, 2017 at 11:16 AM, Nick Desaulniers > wrote: > > > if (x) > > return > > ... > > > > rather than: > > > > if (!x == 0) > > should

Re: [PATCH] netfilter: xtables: use audit_log()

2017-08-19 Thread Pablo Neira Ayuso
On Mon, Aug 07, 2017 at 09:44:26PM +0800, Geliang Tang wrote: > Use audit_log() instead of open-coding it. As said, collapsed into 'netfilter: ebtables: use audit_log()', just for the record.

Re: [PATCH] netfilter: ebtables: use audit_log()

2017-08-19 Thread Pablo Neira Ayuso
On Mon, Aug 07, 2017 at 09:44:25PM +0800, Geliang Tang wrote: > Use audit_log() instead of open-coding it. Applied, thanks. BTW, I have collapsed your xtables change into this patch too, as part of the same logical change. Hint: If you see yourself writing exactly the same description for each patch

Re: [PATCH] netfilter: nf_nat_h323: fix logical-not-parentheses warning

2017-08-11 Thread Pablo Neira Ayuso
Hi Nick, On Mon, Jul 31, 2017 at 11:39:49AM -0700, Nick Desaulniers wrote: > Clang produces the following warning: [...] > Also, it's even cleaner to use the form: > > if (x) > > but then if the return codes change from treating 0 as success (unlikely), > then all call sites must be updated. >

Re: [PATCH nf-next] netfilter: constify nf_loginfo structures

2017-08-02 Thread Pablo Neira Ayuso
On Tue, Aug 01, 2017 at 12:48:03PM +0200, Julia Lawall wrote: > The nf_loginfo structures are only passed as the seventh argument to > nf_log_trace, which is declared as const or stored in a local const > variable. Thus the nf_loginfo structures themselves can be const. > > Done with the help of

Re: [PATCH 1/1 v3 nf-next] netfilter: constify nf_conntrack_l3/4proto parameters

2017-08-02 Thread Pablo Neira Ayuso
On Tue, Aug 01, 2017 at 12:25:01PM +0200, Julia Lawall wrote: > When a nf_conntrack_l3/4proto parameter is not on the left hand side > of an assignment, its address is not taken, and it is not passed to a > function that may modify its fields, then it can be declared as const. > > This change is

Re: [PATCH net 5/7] gtp: Initialize 64-bit per-cpu stats correctly

2017-08-02 Thread Pablo Neira Ayuso
; allocation. > > Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling > Protocol (GTP-U)") > Signed-off-by: Florian Fainelli <f.faine...@gmail.com> Acked-by: Pablo Neira Ayuso <pa...@netfilter.org> Thanks!

Re: [PATCH 1/1 v2] netfilter: constify nf_conntrack_l3/4proto parameters

2017-07-31 Thread Pablo Neira Ayuso
Hi Julia, On Sun, Jul 30, 2017 at 09:38:44PM +0200, Julia Lawall wrote: > When a nf_conntrack_l3/4proto parameter is not on the left hand side > of an assignment, its address is not taken, and it is not passed to a > function that may modify its fields, then it can be declared as const. > > This

Re: [PATCH nf-next] netfilter: ipset: deduplicate prefixlen maps

2017-07-31 Thread Pablo Neira Ayuso
On Thu, Jul 20, 2017 at 02:13:00PM -0400, Aaron Conole wrote: > The prefixlen maps used here are identical, and have been since > introduction. It seems to make sense to use a single large map, > that the preprocessor will fill appropriately. Applied, thanks.

Re: [PATCH 1/1] netfilter: nf_ct_expect: fix expect removal

2017-07-17 Thread Pablo Neira Ayuso
Hi Jiri, On Mon, Jul 17, 2017 at 05:06:48PM +0200, Jiri Slaby wrote: > Commit ec0e3f01114a ("netfilter: nf_ct_expect: Add > nf_ct_remove_expect()") introduced a helper nf_ct_remove_expect. It was > used over the code, but one location used a wrong variable and it > resulted in a crash in this

Re: [netfilter-core] [PATCH v2] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv

2017-07-17 Thread Pablo Neira Ayuso
On Thu, Jun 29, 2017 at 06:22:40PM +0200, Pablo Neira Ayuso wrote: > On Tue, Jun 27, 2017 at 07:05:27PM +0200, Pablo Neira Ayuso wrote: > > On Tue, Jun 27, 2017 at 05:58:25PM +0200, Pablo Neira Ayuso wrote: > > > On Wed, Jun 07, 2017 at 03:50:38PM +0200, Mateusz Jurczyk wro

Re: nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID

2017-07-01 Thread Pablo Neira Ayuso
On Fri, Jun 30, 2017 at 10:23:24PM +0200, Richard Weinberger wrote: > Florian, > > Am 30.06.2017 um 21:55 schrieb Florian Westphal: > >>> Why not use a hash of the address? > >> > >> Would also work. Or xor it with a random number. > >> > >> On the other hand, for user space it would be more

Re: [PATCH] netfilter: ctnetlink: move CTA_TIMEOUT case to outside

2017-06-29 Thread Pablo Neira Ayuso
On Fri, Jun 09, 2017 at 12:37:47PM +0800, Haishuang Yan wrote: > When cda[CTA_TIMEOUT] is zero, ctnetlink_new_conntrack will > free allocated ct and return, so move it to outside to optimize > this situation. > > Signed-off-by: Haishuang Yan > --- > net/netfilter/nf_conntrack_netlink.c | 5

Re: [PATCH] netfilter: conntrack: fix clash resolution in nat

2017-06-29 Thread Pablo Neira Ayuso
Hi, On Wed, Jun 14, 2017 at 04:11:23PM +0800, Haishuang Yan wrote: > In our openstack environment, slow dns lookup for hostname when > parallel dns requests for IPv4 and IPv6 addresses from VM, the > second IPv6 request( record) is dropped on its way in compute > node. > > We found many

Re: [PATCH v2] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv

2017-06-29 Thread Pablo Neira Ayuso
On Tue, Jun 27, 2017 at 07:05:27PM +0200, Pablo Neira Ayuso wrote: > On Tue, Jun 27, 2017 at 05:58:25PM +0200, Pablo Neira Ayuso wrote: > > On Wed, Jun 07, 2017 at 03:50:38PM +0200, Mateusz Jurczyk wrote: > > > Verify that the length of the socket buffer is sufficient to cover

Re: [PATCH v2] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv

2017-06-27 Thread Pablo Neira Ayuso
On Tue, Jun 27, 2017 at 05:58:25PM +0200, Pablo Neira Ayuso wrote: > On Wed, Jun 07, 2017 at 03:50:38PM +0200, Mateusz Jurczyk wrote: > > Verify that the length of the socket buffer is sufficient to cover the > > nlmsghdr structure before accessing the nlh->nlmsg_len field for

Re: [PATCH v2] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv

2017-06-27 Thread Pablo Neira Ayuso
On Wed, Jun 07, 2017 at 03:50:38PM +0200, Mateusz Jurczyk wrote: > Verify that the length of the socket buffer is sufficient to cover the > nlmsghdr structure before accessing the nlh->nlmsg_len field for further > input sanitization. If the client only supplies 1-3 bytes of data in > sk_buff,

Re: [PATCH net-next] netfilter: conntrack: add a new NF_CT_EXT_EXPAND extension

2017-06-26 Thread Pablo Neira Ayuso
On Mon, Jun 26, 2017 at 06:53:09PM +0200, Florian Westphal wrote: > Lin Zhang wrote: > > In the current conntrack extend code, if we want to add a new > > extension, we must add a new extension id and recompile the kernel. > > I think that is not convenient for users, so I add a new extension

Re: [PATCH net-next] netfilter: conntrack: add a new NF_CT_EXT_EXPAND extension

2017-06-26 Thread Pablo Neira Ayuso
On Mon, Jun 26, 2017 at 02:10:46PM +0800, Lin Zhang wrote: > In the current conntrack extend code, if we want to add a new > extension, we must add a new extension id and recompile the kernel. Yes, this is designed in this way on purpose. Because we do not want to endorse proliferation of

Re: [PATCH] net: netfilter: netlink: delete extra spaces

2017-05-29 Thread Pablo Neira Ayuso
On Fri, May 12, 2017 at 01:11:06PM +0800, linzhang wrote: > This patch cleans up extra spaces. Applied.

Re: [PATCH] net: fix potential null pointer dereference

2017-05-24 Thread Pablo Neira Ayuso
On Tue, May 23, 2017 at 06:18:37PM -0500, Gustavo A. R. Silva wrote: > Add null check to avoid a potential null pointer dereference. > > Addresses-Coverity-ID: 1408831 > Signed-off-by: Gustavo A. R. Silva Acked-by: Pablo Neira Ayuso This is a fix for the net.git tree BTW.

Re: [PATCH] netfilter: conntrack: Force inlining of build check to prevent build failure

2017-05-03 Thread Pablo Neira Ayuso
ined! > > > > Fix this by forcing inlining of total_extension_size(). > > > > Fixes: b3a5db109e0670d6 ("netfilter: conntrack: use u8 for extension sizes > > again") > > Signed-off-by: Geert Uytterhoeven <ge...@linux-m68k.org> > > Pablo, I'm going to apply this directly to my tree to fix this build > failure, I hope you don't mind. Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>

Re: [PATCH] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch

2017-05-02 Thread Pablo Neira Ayuso
On Mon, May 01, 2017 at 11:07:30AM -0700, Matthias Kaehlcke wrote: > El Wed, Apr 19, 2017 at 11:39:20AM -0700 Matthias Kaehlcke ha dit: > > > Not all parameters passed to ctnetlink_parse_tuple() and > > ctnetlink_exp_dump_tuple() match the enum type in the signatures of these > > functions. Since

Re: [PATCH net v3] bridge: ebtables: fix reception of frames DNAT-ed to bridge device/port

2017-04-25 Thread Pablo Neira Ayuso
On Wed, Apr 19, 2017 at 09:47:33PM +0200, Linus Lüssing wrote: > When trying to redirect bridged frames to the bridge device itself or > a bridge port (brouting) via the dnat target then this currently fails: > > The ethernet destination of the frame is dnat'ed to the MAC address of > the bridge

Re: [PATCH nf-next] ipset: remove unused function __ip_set_get_netlink

2017-04-15 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 04:15:41PM +0200, Jozsef Kadlecsik wrote: > Hi Pablo, > > On Fri, 14 Apr 2017, Pablo Neira Ayuso wrote: > > > On Mon, Apr 10, 2017 at 03:52:37PM -0400, Aaron Conole wrote: > > > There are no in-tree callers. > > > > @Jozsef, let me

Re: [PATCH nf-next] ipvs: remove unused function ip_vs_set_state_timeout

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 03:50:44PM -0400, Aaron Conole wrote: > There are no in-tree callers of this function and it isn't exported. Simon, let me know if you want to take this, or just add your Signed-off-by. Thanks! > Signed-off-by: Aaron Conole > --- >

Re: [PATCH nf-next] ipset: remove unused function __ip_set_get_netlink

2017-04-13 Thread Pablo Neira Ayuso
On Mon, Apr 10, 2017 at 03:52:37PM -0400, Aaron Conole wrote: > There are no in-tree callers. @Jozsef, let me know if I should just take this to save you a pull request. Thanks. > Signed-off-by: Aaron Conole > --- > net/netfilter/ipset/ip_set_core.c | 8 > 1 file

Re: [PATCH nf-next] nf_conntrack: remove double assignment

2017-04-13 Thread Pablo Neira Ayuso
On Wed, Apr 12, 2017 at 04:32:54PM -0400, Aaron Conole wrote: > The protonet pointer will unconditionally be rewritten, so just do the > needed assignment first. Also applied, thanks.

Re: [PATCH nf-next] nf_tables: remove double return statement

2017-04-13 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH] net: netfilter: ipvs: Replace explicit NULL comparison

2017-04-10 Thread Pablo Neira Ayuso
Arushi, On Sun, Apr 09, 2017 at 06:21:51AM +0800, kbuild test robot wrote: > Hi Arushi, > > [auto build test WARNING on ipvs-next/master] > [also build test WARNING on v4.11-rc5 next-20170407] > [if your patch is applied to the wrong git tree, please drop us a note to > help improve the system]

Re: [PATCH] net: netfilter: Replace explicit NULL comparisons

2017-04-10 Thread Pablo Neira Ayuso
On Sun, Apr 09, 2017 at 09:12:18AM +0530, Arushi Singhal wrote: > On Sun, Apr 9, 2017 at 1:44 AM, Pablo Neira Ayuso <pa...@netfilter.org> > wrote: > > > On Sat, Apr 08, 2017 at 08:21:56PM +0200, Jan Engelhardt wrote: > > > On Saturday 2017-04-08 19:21, Arushi Singh
