On Thu, Aug 18, 2016 at 09:34:04AM +0200, Josue Alvarez wrote:
> On 18/08/2016 00:44, Pablo Neira Ayuso wrote:
> > Probably using an old kernel version with no quota support?
>
> I found out that the issue came from libnetfilter_acct, from which I had one
> package installed (1.0.2) and some binari
Check for overflow of u8 fields from u32 netlink attributes and maximum
values.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana
---
(was: netfilter: nf_tables: Check for overflow of u8 fields from u32
netlink attributes)
Changes in V4:
- Define NFT_CMP_MAX
include/uapi/linux/
2016-08-17 16:23 GMT+02:00 Pablo Neira Ayuso :
> On Tue, Aug 16, 2016 at 07:44:32PM +0200, Pablo M. Bermudo Garay wrote:
>> The comment_xlate function was not supporting this option that is
>> necessary in some situations.
>
> I have applied what I'm attaching to this email, that is more simple
> t
From: Colin Ian King
trivial fix to spelling mistake in pr_debug message
Signed-off-by: Colin Ian King
---
net/netfilter/nf_conntrack_ftp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 4314700..b69
The dynset expression matches if we can fit a new entry into the set.
If there is not room for it, then it breaks the rule evaluation.
This patch introduces the inversion flag to obtain the opposite
behaviour, i.e. explicitly drop packets that don't fit into the set.
For example:
# nft filter input s
On Thu, Aug 18, 2016 at 05:12:36PM +0200, Carlos Falgueras García wrote:
> Before this patch, comparison between rules with a distinct number of
> expressions can return that they are equal when they are not. Example:
>
> r1[e1, e2] == r2[e1, e2, e3]
Applied.
I have mangled patch title to
On Thu, Aug 18, 2016 at 06:41:12PM +0800, Liping Zhang wrote:
> So I think it seems better that we take another patch to fix the
> problem in cttimeout.
Fine with me, will take your patch, thanks!
From: Pablo Neira Ayuso
Date: Thu, 18 Aug 2016 19:29:02 +0200
> The following patchset contains Netfilter updates for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot Pablo.
Before this patch, comparison between rules with a distinct number of
expressions can return that they are equal when they are not. Example:
r1[e1, e2] == r2[e1, e2, e3]
Reported-by: Pablo Neira Ayuso
Signed-off-by: Carlos Falgueras García
---
src/rule.c | 1 +
1 file changed, 1 insert
From: Liping Zhang
In general, when we want to delete a netns, cttimeout_net_exit will
be called before ipt_unregister_table, i.e. before ctnl_timeout_put.
But after calling kfree_rcu in cttimeout_net_exit, we will still decrease
the timeout object's refcnt in ctnl_timeout_put, this is incorrect,
a
From: Liping Zhang
We should skip the conntracks that belong to a different namespace,
otherwise other unrelated netns's conntrack entries will be dumped via
/proc/net/nf_conntrack.
Fixes: 56d52d4892d0 ("netfilter: conntrack: use a single hashtable for all
namespaces")
Signed-off-by: Liping Zha
From: Liping Zhang
Suppose that we input the following commands at first:
# nfacct add test
# iptables -A INPUT -m nfacct --nfacct-name test
And now the "test" acct's refcnt is 2, but later when we try to delete the
"test" nfacct and the related iptables rule at the same time, a race may
happen:
From: Eric Dumazet
inet_lookup_listener() and inet6_lookup_listener() no longer
take a reference on the found listener.
This minimal patch adds back the refcounting, but we might do
this differently in net-next later.
Fixes: 3b24d854cb35 ("tcp/dccp: do not touch listener sk_refcnt under synfloo
Hi David,
The following patchset contains Netfilter updates for your net tree,
they are:
1) Dump only conntracks that belong to this namespace via /proc file.
This is some fallout from the conversion to single conntrack table
for all netns, patch from Liping Zhang.
2) Missing MODULE_ALIAS_N
From: Liping Zhang
We should report the over quota message to the right net namespace
instead of the init netns.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/nfnetlink_acct.h | 4 ++--
net/netfilter/nfnetlink_acct.c | 9 +
net/netf
From: Liping Zhang
Otherwise, if nfnetlink_log.ko is not loaded, we cannot add rules
to log packets to userspace when we specify it with the arp family,
such as:
# nft add rule arp filter input log group 0
:1:1-37: Error: Could not process rule: No such file or
directory
add rule arp fil
This is required to iterate over the hash table in cttimeout, ctnetlink
and nf_conntrack_ipv4.
>> ERROR: "nf_conntrack_htable_size" [net/netfilter/nfnetlink_cttimeout.ko]
>> undefined!
ERROR: "nf_conntrack_htable_size" [net/netfilter/nf_conntrack_netlink.ko]
undefined!
ERROR: "nf_conntrack
From: Liping Zhang
In general, when we want to delete a netns, cttimeout_net_exit will
be called before ipt_unregister_table, i.e. before ctnl_timeout_put.
But after calling kfree_rcu in cttimeout_net_exit, we will still decrease
the timeout object's refcnt in ctnl_timeout_put, this is incorrect,
a
Check for overflow of u8 fields from u32 netlink attributes and maximum
values.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana
---
(was: netfilter: nf_tables: Check for overflow of u8 fields from u32
netlink attributes)
Changes in V3:
- Use ERANGE instead of EINVAL when valida
Hi Pablo,
2016-08-18 6:37 GMT+08:00 Pablo Neira Ayuso :
>
> Wait. I noticed we have the same problem in cttimeout, so it would be
> good to fix this in the same logical change.
>
> I'm attaching your original patch that I have mangled here, including
> the cttimeout chunk.
>
> Let me know if you h
Add support for the number generator expression in netfilter.
Signed-off-by: Laura Garcia Liebana
---
Changes in V5:
- Reorder the functions
- Add attributes checks
- Use switch instead of if statements
include/uapi/linux/netfilter/nf_tables.h | 25
net/netfilter/K
On 18/08/2016 00:44, Pablo Neira Ayuso wrote:
Probably using an old kernel version with no quota support?
I found out that the issue came from libnetfilter_acct, from which I had
one package installed (1.0.2) and some binaries from the git version
installed with 'make install' from the source