Re: [PATCH 00/29] Netfilter updates for net-next

2016-09-06 Thread David Miller
From: Pablo Neira Ayuso Date: Mon, 5 Sep 2016 12:58:15 +0200 > Hi David, > > The following patchset contains Netfilter updates for your net-next > tree. Most relevant updates are the removal of per-conntrack timers to > use a workqueue/garbage collection approach instead

Re: [PATCH 8/7] net/netfilter/nf_conntrack_core: Remove another memory barrier

2016-09-06 Thread Will Deacon
On Mon, Sep 05, 2016 at 08:57:19PM +0200, Manfred Spraul wrote: > On 09/02/2016 09:22 PM, Peter Zijlstra wrote: > Anyone around with a ppc or arm? How slow is the loop of the > spin_unlock_wait() calls? > Single CPU is sufficient. > > Question 1: How large is the difference between: >

Re: [PATCH v5 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

2016-09-06 Thread Gao Feng
Hi Pablo, On Tue, Sep 6, 2016 at 10:54 PM, Gao Feng wrote: > inline > > On Tue, Sep 6, 2016 at 10:51 PM, Florian Westphal wrote: >> f...@ikuai8.com wrote: >>> From: Gao Feng >>> >>> When memory is exhausted,

Re: [PATCH v4 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

2016-09-06 Thread Gao Feng
Hi Pablo, On Tue, Sep 6, 2016 at 6:17 PM, Pablo Neira Ayuso wrote: > On Tue, Sep 06, 2016 at 09:57:23AM +0800, f...@ikuai8.com wrote: >> From: Gao Feng >> >> When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj >> extension. But the

Re: [PATCH v5 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

2016-09-06 Thread Gao Feng
inline On Tue, Sep 6, 2016 at 10:51 PM, Florian Westphal wrote: > f...@ikuai8.com wrote: >> From: Gao Feng >> >> When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj >> extension. But the function nf_ct_seqadj_init doesn't

Re: [PATCH v5 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

2016-09-06 Thread Florian Westphal
f...@ikuai8.com wrote: > From: Gao Feng > > When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj > extension. But the function nf_ct_seqadj_init doesn't check whether it gets a valid > seqadj pointer from nfct_seqadj. > > Now drop the packet

[PATCH v5 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

2016-09-06 Thread fgao
From: Gao Feng When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj extension. But the function nf_ct_seqadj_init doesn't check whether it gets a valid seqadj pointer from nfct_seqadj. Now drop the packet directly when failing to add the seqadj extension to avoid

[PATCH nf] netfilter: nft_chain_route: re-route before skb is queued to userspace

2016-09-06 Thread Liping Zhang
From: Liping Zhang Imagine such a situation: the user adds the following nft rules, and queues the packets to userspace for further checking: # ip rule add fwmark 0x0/0x1 lookup eth0 # ip rule add fwmark 0x1/0x1 lookup eth1 # nft add table filter # nft add chain filter

Re: [nft PATCH v2 2/4] netlink_delinearize: Avoid potential null pointer deref

2016-09-06 Thread Phil Sutter
Hi, On Mon, Sep 05, 2016 at 06:52:43PM +0200, Pablo Neira Ayuso wrote: > On Tue, Aug 30, 2016 at 07:39:50PM +0200, Phil Sutter wrote: > > As netlink_get_register() may return NULL, we must not pass the returned > > data unchecked to expr_set_type() as that will dereference it. Since the > >

Re: nfqueue & bridge netfilter considered broken

2016-09-06 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Fri, Sep 02, 2016 at 12:22:44PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > On Fri, Sep 02, 2016 at 11:58:53AM +0200, Pablo Neira Ayuso wrote: > > > > On Fri, Sep 02, 2016 at 11:08:48AM +0200, Florian

Re: [PATCH 3/3] tests: py: any: Remove duplicate tests

2016-09-06 Thread Florian Westphal
Manuel Johannes Messner wrote: > This commit removes some duplicated tests. Looks good, I've pushed all three patches to nftables master, thanks Manuel.

Re: [PATCH v4 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

2016-09-06 Thread Gao Feng
inline On Tue, Sep 6, 2016 at 6:17 PM, Pablo Neira Ayuso wrote: > On Tue, Sep 06, 2016 at 09:57:23AM +0800, f...@ikuai8.com wrote: >> From: Gao Feng >> >> When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj >> extension. But the

Re: [PATCH v4 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

2016-09-06 Thread Pablo Neira Ayuso
On Tue, Sep 06, 2016 at 09:57:23AM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj > extension. But the function nf_ct_seqadj_init doesn't check whether it gets a valid > seqadj pointer from nfct_seqadj. > > Now

Re: nfqueue & bridge netfilter considered broken

2016-09-06 Thread Pablo Neira Ayuso
On Fri, Sep 02, 2016 at 12:22:44PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Fri, Sep 02, 2016 at 11:58:53AM +0200, Pablo Neira Ayuso wrote: > > > On Fri, Sep 02, 2016 at 11:08:48AM +0200, Florian Westphal wrote: > > > > I - discard extra nfct entry

[NetDev] [ANNOUNCE] Netdev 1.2 weekly updates (6th September, 2016)

2016-09-06 Thread Hajime Tazaki
Hello folks, Tokyo is still in hot weather but comfortable autumn will start very soon. Here is a weekly update of Netdev 1.2 Tokyo. We again extended the deadline of early bird registration. Please don't miss the discount ticket - and your early registration will be definitely

[PATCH v2] netfilter: nft_hash: Add hash offset value

2016-09-06 Thread Laura Garcia Liebana
Add support to pass through an offset to the hash value. With this feature, the sysadmin is able to generate a hash with a given offset value. Example: meta mark set jhash ip saddr mod 2 seed 0xabcd sum 100 This option generates marks according to the source address from 100 to 101.