Re: [PATCH nf] netfilter: ctnetlink: reject new conntrack request with different l4proto

2016-08-10 Thread Pablo Neira Ayuso
On Mon, Aug 08, 2016 at 10:10:26PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Currently, user can add a conntrack with different l4proto via nfnetlink. > For example, original tuple is TCP while reply tuple is SCTP. This is > invalid combination, we should report EINVAL to userspace. Al

Re: [PATCH] netfilter: nf_tables: Add size check on u8 nft_exthdr attributes

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 12:57:45PM +0200, Pablo Neira Ayuso wrote: > On Tue, Aug 09, 2016 at 08:46:16PM +0200, Laura Garcia Liebana wrote: > > Fix the direct assignment of offset and length attributes included in > > nft_exthdr structure from u32 data to u8. > > Applied to my nf tree, I just made

Re: [PATCH 3/3, libnftnl] tests: Fix tests for immediate and lookup expressions

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 05:12:05PM +0200, Carlos Falgueras García wrote: > An error at Makefile.am has caused that the tests > 'nft-expr_immediate-test.c' and 'nft-expr_lookup-tests.c' have not been > compiled since they were created. This patch fix that error and some errors > in both tests. Appl

Re: [PATCH] netfilter: nf_tables: Add size check on u8 nft_exthdr attributes

2016-08-10 Thread Pablo Neira Ayuso
On Tue, Aug 09, 2016 at 08:46:16PM +0200, Laura Garcia Liebana wrote: > Fix the direct assignment of offset and length attributes included in > nft_exthdr structure from u32 data to u8. Applied to my nf tree, I just made a minor edition on this patch. Thanks. -- To unsubscribe from this list: sen

[PATCH nft] tests: tests to include files

2016-08-10 Thread Pablo Neira Ayuso
Four tests to cover file inclusion using: 1) Absolute path. 2) Relative path. 3) Default include directory path. And one more test to cover endless file inclusion loop. Signed-off-by: Pablo Neira Ayuso --- tests/shell/testcases/include/0001absolute_0| 29 +++ tests/shel

[PATCH v3] netfilter: nf_tables: add hash expression

2016-08-10 Thread Laura Garcia Liebana
This patch adds a new hash expression, this provides jhash support but this can be extended to support for other hash functions. The modulus and seed already comes embedded into this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana --- Cha

Re: [PATCH v3] netfilter: nf_tables: add hash expression

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 11:43:36AM +0200, Laura Garcia Liebana wrote: > diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c > new file mode 100644 > index 000..d0069eb > --- /dev/null > +++ b/net/netfilter/nft_hash.c > @@ -0,0 +1,141 @@ > +/* > + * Copyright (c) 2016 Laura Garcia

[PATCH 3/9] netfilter: nft_rbtree: ignore inactive matching element with no descendants

2016-08-10 Thread Pablo Neira Ayuso
If we find a matching element that is inactive with no descendants, we jump to the found label, then crash because of nul-dereference on the left branch. Fix this by checking that the element is active and not an interval end and skipping the logic that only applies to the tree iteration. Signed-

[PATCH 9/9] netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes

2016-08-10 Thread Pablo Neira Ayuso
From: Laura Garcia Liebana Fix the direct assignment of offset and length attributes included in nft_exthdr structure from u32 data to u8. Signed-off-by: Laura Garcia Liebana Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_exthdr.c | 11 +-- 1 file changed, 9 insertions(+), 2 d

Re: [PATCH 2/4, V3, libnftnl] Implement rule comparison

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 11:48:55AM +0200, Carlos Falgueras García wrote: > This patch implements the function 'bool nftnl_rule_cmp(const struct > nftnl_rule *r, const struct nftnl_rule *r2)' for rule comparison. > > Expressions within rules need to be compared, so also has been created the > funct

[PATCH 5/9] netfilter: nf_ct_expect: remove the redundant slash when policy name is empty

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang The 'name' field in struct nf_conntrack_expect_policy{} is not a pointer, so check it is NULL or not will always return true. Even if the name is empty, slash will always be displayed like follows: # cat /proc/net/nf_conntrack_expect 297 l3proto = 2 proto=6 src=1.1.1.1 dst=

[PATCH 0/9] Netfilter fixes for net

2016-08-10 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Use mod_timer_pending() to avoid reactivating a dead expectation in the h323 conntrack helper, from Liping Zhang. 2) Oneliner to fix a type in the register name defined in the nf_tables header. 3) Do

[PATCH 8/9] netfilter: ctnetlink: reject new conntrack request with different l4proto

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang Currently, user can add a conntrack with different l4proto via nfnetlink. For example, original tuple is TCP while reply tuple is SCTP. This is invalid combination, we should report EINVAL to userspace. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- net/ne

[PATCH 7/9] netfilter: nfnetlink_queue: reject verdict request from different portid

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang Like NFQNL_MSG_VERDICT_BATCH do, we should also reject the verdict request when the portid is not same with the initial portid(maybe from another process). Fixes: 97d32cf9440d ("netfilter: nfnetlink_queue: batch verdict support") Signed-off-by: Liping Zhang Reviewed-by: Flori

[PATCH 6/9] netfilter: nfnetlink_queue: fix memory leak when attach expectation successfully

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang User can use NFQA_EXP to attach expectations to conntracks, but we forget to put back nf_conntrack_expect when it is inserted successfully, i.e. in this normal case, expect's use refcnt will be 3. So even we unlink it and put it back later, the use refcnt is still 1, then the m

Re: [PATCH, v2] Constify iterators

2016-08-10 Thread Pablo Neira Ayuso
On Tue, Aug 09, 2016 at 01:42:17PM +0200, Carlos Falgueras García wrote: > Iterators do not modify objects which they iterate, so input pointer must > be const. Applied, thanks!

[PATCH 2/9] netfilter: nf_tables: s/MFT_REG32_01/NFT_REG32_01

2016-08-10 Thread Pablo Neira Ayuso
MFT_REG32_01 is a typo, rename this to NFT_REG32_01. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 01751f

[PATCH 0/5] Check u32 load in u8 attributes

2016-08-10 Thread Laura Garcia Liebana
The following patchset adds a check during the load of an u32 value into an u8 attribute which can cause an overflow. Laura Garcia Liebana (5): netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute netfilter: nf_t

[PATCH 4/9] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-08-10 Thread Pablo Neira Ayuso
From: Christophe Leroy Do not drop packet when CSeq is 0 as 0 is also a valid value for CSeq. simple_strtoul() will return 0 either when all digits are 0 or if there are no digits at all. Therefore when simple_strtoul() returns 0 we check if first character is digit 0 or not. Signed-off-by: Chr

[ANNOUNCE] Netdev 1.2 updates

2016-08-10 Thread Hajime Tazaki
Hello folks, The deadline for the early bird registration of netdev 1.2 (Tokyo) is coming very soon (August 15, next Monday). Please don't forget to register with the discount price. Your early registration will be definitely helpful to prepare the conference. http://netdevconf.org/1.2/registrat

[PATCH 1/9] netfilter: nf_ct_h323: do not re-activate already expired timer

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang Commit 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of set_expect_timeout") just simplify the source codes if (!del_timer(&exp->timeout)) return 0; add_timer(&exp->timeout); to mod_timer(&exp->timeout, jiffies + info->timeout * HZ); This is not correct

Re: [PATCH v2] netfilter: nf_tables: add hash expression

2016-08-10 Thread Laura Garcia
On Wed, Aug 10, 2016 at 10:38:08AM +0800, Liping Zhang wrote: > Hi Laura, > > 2016-08-10 2:22 GMT+08:00 Laura Garcia Liebana : > > This patch adds a new hash expression, this provides jhash support but > > this can be extended to support for other hash functions. > > > > The modulus and seed alrea

[PATCH 4/9] netfilter: nf_conntrack_sip: CSeq 0 is a valid CSeq

2016-08-10 Thread Pablo Neira Ayuso
From: Christophe Leroy Do not drop packet when CSeq is 0 as 0 is also a valid value for CSeq. simple_strtoul() will return 0 either when all digits are 0 or if there are no digits at all. Therefore when simple_strtoul() returns 0 we check if first character is digit 0 or not. Signed-off-by: Chr

[PATCH 1/9] netfilter: nf_ct_h323: do not re-activate already expired timer

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang Commit 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of set_expect_timeout") just simplify the source codes if (!del_timer(&exp->timeout)) return 0; add_timer(&exp->timeout); to mod_timer(&exp->timeout, jiffies + info->timeout * HZ); This is not correct

[PATCH 4/4, V3, nft] Implement deleting rule by description

2016-08-10 Thread Carlos Falgueras García
This patch introduces deletion in a similar fashion as in iptables, thus, we can delete the first rule that matches our description, for example: $ nft list -a ruleset table ip t { chain c { ip saddr 1.1.1.1 counter packets 0 bytes 0 # handle

[PATCH 6/9] netfilter: nfnetlink_queue: fix memory leak when attach expectation successfully

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang User can use NFQA_EXP to attach expectations to conntracks, but we forget to put back nf_conntrack_expect when it is inserted successfully, i.e. in this normal case, expect's use refcnt will be 3. So even we unlink it and put it back later, the use refcnt is still 1, then the m

[PATCH 3/9] netfilter: nft_rbtree: ignore inactive matching element with no descendants

2016-08-10 Thread Pablo Neira Ayuso
If we find a matching element that is inactive with no descendants, we jump to the found label, then crash because of nul-dereference on the left branch. Fix this by checking that the element is active and not an interval end and skipping the logic that only applies to the tree iteration. Signed-

[PATCH 3/4, V3, nft] Simplify parser rule_spec tree

2016-08-10 Thread Carlos Falgueras García
This patch separates the rule identification from the rule localization, so the logic moves from the evaluator to the parser. This allows to revert the patch "evaluate: improve rule managment checks" (4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code. An specific error message is s

[PATCH 1/5] netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute

2016-08-10 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into the len attribute with a size of u8. Signed-off-by: Laura Garcia Liebana --- net/netfilter/nft_bitwise.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c index d7

[PATCH 5/9] netfilter: nf_ct_expect: remove the redundant slash when policy name is empty

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang The 'name' field in struct nf_conntrack_expect_policy{} is not a pointer, so check it is NULL or not will always return true. Even if the name is empty, slash will always be displayed like follows: # cat /proc/net/nf_conntrack_expect 297 l3proto = 2 proto=6 src=1.1.1.1 dst=

[PATCH netfilter] extensions/libxt_bpf.man: clarify BPF code generation with tcpdump

2016-08-10 Thread Willem de Bruijn
From: Willem de Bruijn The xt_bpf module applies BPF bytecode to the packet. Depending on where the module is invoked, the kernel may pass a packet with or without link layer header. Iptables has no such header. A common `tcpdump -ddd ` compilation command may revert to a physical device that ge

[PATCH 2/4, V3, libnftnl] Implement rule comparison

2016-08-10 Thread Carlos Falgueras García
This patch implements the function 'bool nftnl_rule_cmp(const struct nftnl_rule *r, const struct nftnl_rule *r2)' for rule comparison. Expressions within rules need to be compared, so also has been created the function 'nftnl_expr_cmp' which calls new field within 'nfntl_expr_': a function pointer

[PATCH 8/9] netfilter: ctnetlink: reject new conntrack request with different l4proto

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang Currently, user can add a conntrack with different l4proto via nfnetlink. For example, original tuple is TCP while reply tuple is SCTP. This is invalid combination, we should report EINVAL to userspace. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- net/ne

[PATCH 7/9] netfilter: nfnetlink_queue: reject verdict request from different portid

2016-08-10 Thread Pablo Neira Ayuso
From: Liping Zhang Like NFQNL_MSG_VERDICT_BATCH do, we should also reject the verdict request when the portid is not same with the initial portid(maybe from another process). Fixes: 97d32cf9440d ("netfilter: nfnetlink_queue: batch verdict support") Signed-off-by: Liping Zhang Reviewed-by: Flori

[PATCH 4/5] netfilter: nf_tables: Check u32 load in u8 nft_immediate attribute

2016-08-10 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into the dlen attribute with a size of u8. Signed-off-by: Laura Garcia Liebana --- net/netfilter/nft_immediate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c index db3b746..6de59

[PATCH 2/9] netfilter: nf_tables: s/MFT_REG32_01/NFT_REG32_01

2016-08-10 Thread Pablo Neira Ayuso
MFT_REG32_01 is a typo, rename this to NFT_REG32_01. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 01751f

[PATCH 9/9] netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes

2016-08-10 Thread Pablo Neira Ayuso
From: Laura Garcia Liebana Fix the direct assignment of offset and length attributes included in nft_exthdr structure from u32 data to u8. Signed-off-by: Laura Garcia Liebana Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_exthdr.c | 11 +-- 1 file changed, 9 insertions(+), 2 d

[PATCH 5/5] netfilter: nf_tables: Check u32 load in u8 nft_nat attribute

2016-08-10 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into the family attribute with a size of u8. Signed-off-by: Laura Garcia Liebana --- net/netfilter/nft_nat.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c index ee2d717..74f8293 100644 --- a/n

[PATCH 1/4, V3, libnftnl] rule: Implement internal expression iterator

2016-08-10 Thread Carlos Falgueras García
Introduce nftnl_expr_iter_init() to allow stack allocated iterators for internal use. Signed-off-by: Carlos Falgueras García --- src/rule.c | 30 +++--- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/src/rule.c b/src/rule.c index 11fceca..69ffc7e 100644 -

[PATCH 0/9] Netfilter fixes for net

2016-08-10 Thread Pablo Neira Ayuso
Resending as my robot didn't Cc netdev, sorry. -o- Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Use mod_timer_pending() to avoid reactivating a dead expectation in the h323 conntrack helper, from Liping Zhang. 2) Oneliner to fix a type in the reg

[PATCH] x_tables: Replace kmalloc(s*n) with kmalloc_array(n,s)

2016-08-10 Thread Loganaden Velvindron
Replace kmalloc(s*n) with kmalloc_array(n,s), thus making it easier to check that the calculation doesn't wrap or return a smaller allocation Signed-off-by: Loganaden Velvindron --- net/netfilter/x_tables.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/x_tab

[PATCH 2/5] netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute

2016-08-10 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into the len and size attributes with a size of u8. Signed-off-by: Laura Garcia Liebana --- net/netfilter/nft_byteorder.c | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter

Re: [PATCH 1/4, V3, libnftnl] rule: Implement internal expression iterator

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 11:48:54AM +0200, Carlos Falgueras García wrote: > Introduce nftnl_expr_iter_init() to allow stack allocated iterators for > internal use. Applied with minor changes, see below. > > Signed-off-by: Carlos Falgueras García > --- > src/rule.c | 30 +++---

[PATCH 3/5] netfilter: nf_tables: Check u32 load in u8 nft_cmp attribute

2016-08-10 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into the len attribute with a size of u8. Signed-off-by: Laura Garcia Liebana --- net/netfilter/nft_cmp.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c index e25b35d..ca247e5

[PATCH] nf-next: x_tables: Replace kmalloc(s*n) with kmalloc_array(n,s)

2016-08-10 Thread Loganaden Velvindron
It is easier to check that the calculation doesn't wrap or return a smaller allocation. Signed-off-by: Loganaden Velvindron --- net/netfilter/x_tables.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index e0aa7c1..c8f20f2

Re: [PATCH] netfilter: nf_tables: Add size check on u8 nft_exthdr attributes

2016-08-10 Thread Laura Garcia
On Wed, Aug 10, 2016 at 12:58:38PM +0200, Pablo Neira Ayuso wrote: > On Wed, Aug 10, 2016 at 12:57:45PM +0200, Pablo Neira Ayuso wrote: > > On Tue, Aug 09, 2016 at 08:46:16PM +0200, Laura Garcia Liebana wrote: > > > Fix the direct assignment of offset and length attributes included in > > > nft_ext

[PATCH 2/3, libnftnl] expr: Fix lookup builder

2016-08-10 Thread Carlos Falgueras García
Deleted wrong braces that cause unwanted behaviour. Signed-off-by: Carlos Falgueras García --- src/expr/lookup.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/expr/lookup.c b/src/expr/lookup.c index 57612d1..60da653 100644 --- a/src/expr/lookup.c +++ b/src/expr/lookup

[PATCH 1/3, libnftnl] tests: Add missing tests to test-script.sh

2016-08-10 Thread Carlos Falgueras García
Signed-off-by: Carlos Falgueras García --- tests/test-script.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/test-script.sh b/tests/test-script.sh index b040158..ba13571 100755 --- a/tests/test-script.sh +++ b/tests/test-script.sh @@ -4,7 +4,9 @@ ./nft-expr_cmp-test ./nft-expr_c

[PATCH 3/3, libnftnl] tests: Fix tests for immediate and lookup expressions

2016-08-10 Thread Carlos Falgueras García
An error at Makefile.am has caused that the tests 'nft-expr_immediate-test.c' and 'nft-expr_lookup-tests.c' have not been compiled since they were created. This patch fix that error and some errors in both tests. Signed-off-by: Carlos Falgueras García --- tests/Makefile.am | 4 +--

Re: [PATCH 1/4, V3, libnftnl] rule: Implement internal expression iterator

2016-08-10 Thread Carlos Falgueras García
On 08/10/2016 01:41 PM, Pablo Neira Ayuso wrote: On Wed, Aug 10, 2016 at 11:48:54AM +0200, Carlos Falgueras García wrote: Introduce nftnl_expr_iter_init() to allow stack allocated iterators for internal use. Applied with minor changes, see below. Signed-off-by: Carlos Falgueras García ---

Re: [PATCH 2/3, libnftnl] expr: Fix lookup builder

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 05:12:04PM +0200, Carlos Falgueras García wrote: > Deleted wrong braces that cause unwanted behaviour. Also applied, thanks.

Re: [PATCH nf] netfilter: nfnetlink_queue: reject verdict request from different portid

2016-08-10 Thread Pablo Neira Ayuso
On Mon, Aug 08, 2016 at 10:07:27PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Like NFQNL_MSG_VERDICT_BATCH do, we should also reject the verdict > request when the portid is not same with the initial portid(maybe > from another process). Applied, thanks.

Re: [PATCH 1/3, libnftnl] tests: Add missing tests to test-script.sh

2016-08-10 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH nf] netfilter: nfnetlink_queue: fix memory leak when attach expectation successfully

2016-08-10 Thread Pablo Neira Ayuso
On Mon, Aug 08, 2016 at 10:03:40PM +0800, Liping Zhang wrote: > From: Liping Zhang > > User can use NFQA_EXP to attach expectations to conntracks, but we > forget to put back nf_conntrack_expect when it is inserted successfully, > i.e. in this normal case, expect's use refcnt will be 3. So even w

Re: [PATCH 1/4, V3, libnftnl] rule: Implement internal expression iterator

2016-08-10 Thread Pablo Neira Ayuso
On Wed, Aug 10, 2016 at 01:56:32PM +0200, Carlos Falgueras García wrote: > On 08/10/2016 01:41 PM, Pablo Neira Ayuso wrote: > >>@@ -1025,10 +1033,16 @@ int nftnl_expr_foreach(struct nftnl_rule *r, > >> } > >> EXPORT_SYMBOL_ALIAS(nftnl_expr_foreach, nft_rule_expr_foreach); > >> > >>-struct nftnl_exp

Re: [PATCH 0/9] Netfilter fixes for net

2016-08-10 Thread David Miller
From: Pablo Neira Ayuso Date: Wed, 10 Aug 2016 20:56:25 +0200 > The following patchset contains Netfilter fixes for your net tree, > they are: ... > You can pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Pulled, thanks a lot Pablo!