2016-09-09 22:04 GMT+08:00 Pablo Neira Ayuso:
> More comments on things I see on nft_queue at this stage:
>
> 1) Another issue, I can see nfqueue_hash() depends on
> CONFIG_IP6_NF_IPTABLES, this is not good since nft_queue
> infrastructure should not depend on iptables.
From: Gao Feng
There is some code in the netfilter module which did not check the return
value of nft_register_chain_type. Add the checks now.
Signed-off-by: Gao Feng
---
v4: Cover the net/bridge, ipv4/netfilter, and ipv6/netfilter too;
v3: Split return value
On Fri, Sep 09, 2016 at 11:25:36PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> There is some code in the netfilter module which did not check the return
> value of nft_register_chain_type. Add the checks now.
>
> Signed-off-by: Gao Feng
> ---
> v3: Split
From: Gao Feng
There is some code in the netfilter module which did not check the return
value of nft_register_chain_type. Add the checks now.
Signed-off-by: Gao Feng
---
v3: Split return value check of nft_register_chain_type as second patch
v2: Add all
From: Gao Feng
When memory is exhausted, nfct_seqadj_ext_add may fail to add the
synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't
check whether it got a valid seqadj pointer from nfct_seqadj.
Now drop the packet directly when it fails to add the seqadj extension to
avoid
On Thu, Sep 08, 2016 at 05:53:58PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> There is some code in the netfilter module which did not check the return
> value of register_netdevice_notifier. Add the checks now.
>
> Signed-off-by: Gao Feng
> ---
> v2:
On Tue, Sep 06, 2016 at 10:35:47PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> After commit adf0516845bc ("netfilter: remove ip_conntrack* sysctl
> compat code"), ctl_table_path member in struct nf_conntrack_l3proto{}
> is not used anymore, remove it.
On Tue, Sep 06, 2016 at 10:33:37PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Although the validation of queues_total and queuenum is checked in the nft
> utility, users can add nft rules via nfnetlink, so it is necessary
> to check the validation at the
Hi,
On Wed, Sep 07, 2016 at 09:26:29PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj
> extension. But the function nf_ct_seqadj_init doesn't check whether it got
> a valid seqadj pointer from nfct_seqadj.
>
On Fri, Sep 09, 2016 at 02:43:16PM +0200, Florian Westphal wrote:
> This is what made ether addresses get formatted correctly with
> plain payload expression (ether saddr 00:11 ...) when listing
> rules. Not needed anymore since etheraddr_type is now BIG_ENDIAN.
>
> Signed-off-by: Florian
On Fri, Sep 09, 2016 at 02:43:14PM +0200, Florian Westphal wrote:
> ether daddr set 00:03:2d:2b:74:ec is listed as:
> ether daddr set ec:74:2b:2d:03:00
>
> (it was fine without 'set' keyword). Reason is that
> ether address was listed as being HOST endian.
>
> The payload expression (unlike
This is what made ether addresses get formatted correctly with
plain payload expression (ether saddr 00:11 ...) when listing
rules. Not needed anymore since etheraddr_type is now BIG_ENDIAN.
Signed-off-by: Florian Westphal
---
src/netlink_delinearize.c | 2 --
1 file changed, 2
ether daddr set 00:03:2d:2b:74:ec is listed as:
ether daddr set ec:74:2b:2d:03:00
(it was fine without 'set' keyword). Reason is that
ether address was listed as being HOST endian.
The payload expression (unlike statement) path contains
a few conversion call sites for this, i.e.:
if
Before previous commit, ether set (payload statement) was reversed on
output:
ether daddr set 00:03:2d:2b:74:ec
would be shown as 'ec:74:2b:2d:03:00'.
With ff:ff:ff ... such a bug doesn't appear, so use something
where it will show up.
Signed-off-by: Florian Westphal
---
Instead of several goto's just to return the result, simply return it.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_helper.c | 15 ++-
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/nf_conntrack_helper.c
This patch introduces nft_set_pktinfo_unspec() that ensures proper
initialization of all pktinfo fields for non-IP traffic. This is used
by the bridge, netdev and arp families.
This new function relies on nft_set_pktinfo_proto_unspec() to set a new
tprot_set field that indicates if transport
These functions are extracted from the netdev family, they initialize
the pktinfo structure and validate that the IPv4 and IPv6 headers are
well-formed given that these functions are called from a path where
layer 3 sanitization did not happen yet.
These functions are placed in
Make sure the pktinfo protocol fields are initialized if this fails to
parse the transport header.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables_ipv6.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git
Consolidate pktinfo setup and validation by using the new generic
functions so we converge to the netdev family codebase.
We only need a linear IPv4 and IPv6 header from the reject expression,
so move nft_bridge_iphdr_validate() and nft_bridge_ip6hdr_validate()
to