Re: [PATCH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-20 Thread Liping Zhang
Hi Marcelo, 2016-06-20 23:48 GMT+08:00 Marcelo Ricardo Leitner : > > A different check/log is made for ip6: > nf_reject_ip6_tcphdr_get(): > /* IP header checks: fragment, too short. */ > if (proto != IPPROTO_TCP || *otcplen < sizeof(struct tcphdr)) { >

[PATCH iptables] configure: Remove flex check warning

2016-06-20 Thread Shivani Bhardwaj
Remove the warning about outdated version of flex as it is not needed anymore. Signed-off-by: Shivani Bhardwaj --- configure.ac | 15 --- 1 file changed, 15 deletions(-) diff --git a/configure.ac b/configure.ac index b170add..c91e9e7 100644 --- a/configure.ac

[PATCH conntrack-tools] configure: Remove flex check warning

2016-06-20 Thread Shivani Bhardwaj
Remove the warning about outdated version of flex as it is not needed anymore. Signed-off-by: Shivani Bhardwaj --- configure.ac | 15 --- 1 file changed, 15 deletions(-) diff --git a/configure.ac b/configure.ac index c541034..b6c5439 100644 --- a/configure.ac

[PATCH nf-next] netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

2016-06-20 Thread Liping Zhang
From: Liping Zhang In iptables, if the user adds a rule to send tcp RST and specifies a non-TCP protocol, such as UDP, the kernel will reject this request. But in nftables, this validity check only occurs in the nft tool, i.e. only in userspace. This means that the user can add

[PATCH nf] netfilter: nf_tables: fix memory leak if expr init fails

2016-06-20 Thread Liping Zhang
From: Liping Zhang If expr init fails then we need to free it. So when the user adds an nft rule as follows: # nft add rule filter input tcp dport 22 flow table ssh \ { ip saddr limit rate 0/second } a memory leak will happen. Signed-off-by: Liping Zhang

Re: [PATCH libnetfilter_queue] src: make nfq_open_nfnl thread-safe

2016-06-20 Thread Pablo Neira Ayuso
On Mon, Jun 20, 2016 at 02:52:27PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Mon, Jun 20, 2016 at 02:42:59PM +0200, Pablo Neira Ayuso wrote: > > > On Mon, Jun 20, 2016 at 01:19:52PM +0200, Florian Westphal wrote: > > > > nfq_open_nfnl uses an

Re: [PATCH libnetfilter_queue] src: make nfq_open_nfnl thread-safe

2016-06-20 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Mon, Jun 20, 2016 at 02:42:59PM +0200, Pablo Neira Ayuso wrote: > > On Mon, Jun 20, 2016 at 01:19:52PM +0200, Florian Westphal wrote: > > > nfq_open_nfnl uses an intermediate static object, so when > > > it is invoked by distinct threads at the

Re: [PATCH libnetfilter_queue] src: make nfq_open_nfnl thread-safe

2016-06-20 Thread Pablo Neira Ayuso
On Mon, Jun 20, 2016 at 01:19:52PM +0200, Florian Westphal wrote: > nfq_open_nfnl uses an intermediate static object, so when > it is invoked by distinct threads at the same time there is a small > chance that some threads end up with another thread's nfq_handle pointer > stored in ->data. > >

[PATCH libnetfilter_queue] src: make nfq_open_nfnl thread-safe

2016-06-20 Thread Florian Westphal
nfq_open_nfnl uses an intermediate static object, so when it is invoked by distinct threads at the same time there is a small chance that some threads end up with another thread's nfq_handle pointer stored in ->data. Tested-by: Michal Tesar Signed-off-by: Florian Westphal

[PATCH libnftnl, v2] fix some error checking in parser functions

2016-06-20 Thread Carlos Falgueras García
Using a variable 'ret' multiple times without treating the error in between can overwrite the previous error value, and may execute code which should not be executed. Bad way: int f() { int ret; ret = g(); ret = h(); return ret; }

Re: [PATCH conntrack-tools] configure: Fix flex version check

2016-06-20 Thread Pablo Neira Ayuso
On Sat, Jun 18, 2016 at 10:19:51PM +0530, Shivani Bhardwaj wrote: > Hi Pablo, > > Just to avoid any confusion, should I be following up with patches for > iptables and conntrack-tools to completely remove this check? It is > already not there in nft. Please let me know. Yes, please remove this