Re: [PATCH nft 1/3] meta: add random expression key

2016-07-18 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Tue, Jul 05, 2016 at 09:35:33AM +0200, Florian Westphal wrote: > > meta random fills a 32bit register with a pseudo-random number. > > > > For instance one can now use > > > > meta random <= 2147483647 > > > > ... to match every 2nd packet, on

[ANNOUNCE] Suspending Patrick McHardy as coreteam member

2016-07-18 Thread Pablo Neira Ayuso
The netfilter project regrets to have to suspend its core team member Patrick McHardy from the core team. This is a grave step, definitely the first in the project's history, and it is not one we take lightly. Over many months, severe allegations have been brought forward against the style of his

Re: [PATCH V2 iptables] extensions: libxt_connlabel: Add translation to nft

2016-07-18 Thread Pablo Neira Ayuso
On Sun, Jul 17, 2016 at 12:41:59PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Sat, Jul 16, 2016 at 08:12:51PM +0200, Florian Westphal wrote: > > > Pablo Neira Ayuso wrote: > > > > On Sat, Jul 16, 2016 at 04:51:30PM +0200, Pablo

Re: [PATCH nf] netfilter: nft_ct: fix unpaired nf_connlabels_get/put call

2016-07-18 Thread Pablo Neira Ayuso
On Sat, Jul 16, 2016 at 11:18:01AM +0200, Florian Westphal wrote: > Liping Zhang wrote: > > From: Liping Zhang > > > > We only get nf_connlabels if the user adds the ct label set expr successfully, > > but we will also put nf_connlabels if the user

[PATCH nf-next 0/3] netfilter: fix some small bugs related to nft_log

2016-07-18 Thread Liping Zhang
From: Liping Zhang This patchset is very small; it aims to fix some bugs related to the nftables log expr. patch#1 fixes a possible memory leak if the user specifies the log prefix but the log expr init fails. patch#2 adds a validity check of the log level, otherwise the user can

[PATCH nf-next 1/3] netfilter: nft_log: fix possible memory leak if log expr init fail

2016-07-18 Thread Liping Zhang
From: Liping Zhang Suppose that we specify NFTA_LOG_PREFIX, then NFTA_LOG_LEVEL and NFTA_LOG_GROUP are specified together or the nf_logger_find_get call fails, i.e. expr init fails; a memory leak will happen. Signed-off-by: Liping Zhang

[PATCH nf-next 2/3] netfilter: nft_log: check the validity of log level

2016-07-18 Thread Liping Zhang
From: Liping Zhang The user can specify a log level larger than 7 (debug level) via nfnetlink; this is invalid. So in this case, we should report EINVAL to userspace. Signed-off-by: Liping Zhang --- net/netfilter/nft_log.c | 5 +

[PATCH nf-next 3/3] netfilter: nft_log: fix snaplen does not truncate packets

2016-07-18 Thread Liping Zhang
From: Liping Zhang There's a similar problem in xt_NFLOG, which was fixed by commit 7643507fe8b5 ("netfilter: xt_NFLOG: nflog-range does not truncate packets"). Only setting copy_len here does not work, so we should enable NF_LOG_F_COPY_LEN also. Signed-off-by: Liping