Re: [PATCH nf-next] netfilter: nft_queue: check the validation of queues_total and queuenum

2016-09-09 22:04 GMT+08:00 Pablo Neira Ayuso : > More comments on things I see on nft_queue at this stage: > > 1) Another issue, I can see nfqueue_hash() depends on > CONFIG_IP6_NF_IPTABLES, this is not good since nft_queue > infrastructure should not depend on iptables.

[PATCH v4 2/2 nf-next] netfilter: Add the missed return value check of nft_register_chain_type

From: Gao Feng There are some codes of netfilter module which did not check the return value of nft_register_chain_type. Add the checks now. Signed-off-by: Gao Feng --- v4: Cover the net/bridge, ipv4/netfilter, and ipv6/netfilter too; v3: Split return value

Re: [PATCH v3 2/2 nf-next] netfilter: Add the missed return value check of nft_register_chain_type

On Fri, Sep 09, 2016 at 11:25:36PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > There are some codes of netfilter module which did not check the return > value of nft_register_chain_type. Add the checks now. > > Signed-off-by: Gao Feng > --- > v3: Split

[PATCH v3 2/2 nf-next] netfilter: Add the missed return value check of nft_register_chain_type

From: Gao Feng There are some codes of netfilter module which did not check the return value of nft_register_chain_type. Add the checks now. Signed-off-by: Gao Feng --- v3: Split return value check of nft_register_chain_type as second patch v2: Add all

[PATCH v7 nf] netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions

From: Gao Feng When memory is exhausted, nfct_seqadj_ext_add may fail to add the synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't check if get valid seqadj pointer by the nfct_seqadj. Now drop the packet directly when fail to add seqadj extension to avoid

Re: [PATCH v2 nf-next] netfilter: Add the missed return value check of register_netdevice_notifier

On Thu, Sep 08, 2016 at 05:53:58PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > There are some codes of netfilter module which did not check the return > value of register_netdevice_notifier. Add the checks now. > > Signed-off-by: Gao Feng > --- > v2:

Re: [PATCH nf-next] netfilter: nf_conntrack: remove unused ctl_table_path member in nf_conntrack_l3proto

On Tue, Sep 06, 2016 at 10:35:47PM +0800, Liping Zhang wrote: > From: Liping Zhang > > After commit adf0516845bc ("netfilter: remove ip_conntrack* sysctl > compat code"), ctl_table_path member in struct nf_conntrack_l3proto{} > is not used anymore, remove it.

Re: [PATCH nf-next] netfilter: nft_queue: check the validation of queues_total and queuenum

On Tue, Sep 06, 2016 at 10:33:37PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Although the validation of queues_total and queuenum is checked in nft > utility, but user can add nft rules via nfnetlink, so it is necessary > to check the validation at the

Re: [PATCH v6 nf] netfilter: seqadj: Drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer later

Hi, On Wed, Sep 07, 2016 at 09:26:29PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj > extension. But the function nf_ct_seqadj_init doesn't check if get valid > seqadj pointer by the nfct_seqadj. >

Re: [PATCH nft 3/3] payload: remove byteorder conversion

On Fri, Sep 09, 2016 at 02:43:16PM +0200, Florian Westphal wrote: > This is what made ether addresses get formatted correctly with > plain payload expression (ether saddr 00:11 ...) when listing > rules. Not needed anymore since etheraddr_type is now BIG_ENDIAN. > > Signed-off-by: Florian

Re: [PATCH nft 1/3] datatype: ll: use big endian byte ordering

On Fri, Sep 09, 2016 at 02:43:14PM +0200, Florian Westphal wrote: > ether daddr set 00:03:2d:2b:74:ec is listed as: > ether daddr set ec:74:2b:2d:03:00 > > (it was fine without 'set' keyword). Reason is that > ether address was listed as being HOST endian. > > The payload expression (unlike

[PATCH nft 3/3] payload: remove byteorder conversion

This is what made ether addresses get formatted correctly with plain payload expression (ether saddr 00:11 ...) when listing rules. Not needed anymore since etheraddr_type is now BIG_ENDIAN. Signed-off-by: Florian Westphal --- src/netlink_delinearize.c | 2 -- 1 file changed, 2

[PATCH nft 1/3] datatype: ll: use big endian byte ordering

ether daddr set 00:03:2d:2b:74:ec is listed as: ether daddr set ec:74:2b:2d:03:00 (it was fine without 'set' keyword). Reason is that ether address was listed as being HOST endian. The payload expression (unlike statement) path contains a few conversion call sites for this, i.e.: if

[PATCH nft 2/3] tests: catch ordering issue w. ether set

Before previous commit, ether set (payload statement) was reversed on output: ether daddr set 00:03:2d:2b:74:ec would be shown as 'ec:74:2b:2d:03:00'. With ff:ff:ff ... such bug doesn't appear so use something where it will show up. Signed-off-by: Florian Westphal ---

[PATCH nf-next] netfilter: nf_conntrack: simplify __nf_ct_try_assign_helper() return logic

Instead of several goto's just to return the result, simply return it. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_helper.c | 15 ++- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/net/netfilter/nf_conntrack_helper.c

[PATCH nf-next 1/5] netfilter: nf_tables: ensure proper initialization of nft_pktinfo fields

This patch introduces nft_set_pktinfo_unspec() that ensures proper initialization all of pktinfo fields for non-IP traffic. This is used by the bridge, netdev and arp families. This new function relies on nft_set_pktinfo_proto_unspec() to set a new tprot_set field that indicates if transport

[PATCH nf-next 3/5] netfilter: introduce nft_set_pktinfo_{ipv4,ipv6}_validate()

These functions are extracted from the netdev family, they initialize the pktinfo structure and validate that the IPv4 and IPv6 headers are well-formed given that these functions are called from a path where layer 3 sanitization did not happen yet. These functions are placed in

[PATCH nf-next 2/5] netfilter: nf_tables_ipv6: setup pktinfo transport field on failure to parse

Make sure the pktinfo protocol fields are initialized if this fails to parse the transport header. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables_ipv6.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git

[PATCH nf-next 4/5] netfilter: nf_tables_bridge: use nft_set_pktinfo_ipv{4,6}_validate

Consolidate pktinfo setup and validation by using the new generic functions so we converge to the netdev family codebase. We only need a linear IPv4 and IPv6 header from the reject expression, so move nft_bridge_iphdr_validate() and nft_bridge_ip6hdr_validate() to