[PATCH nf-next 1/1] netfilter: nf_tables: Remove one useless condition check in nf_tables_newobj

2017-01-05 Thread fgao
From: Gao Feng The return value of nf_tables_obj_lookup is a valid pointer or an error. There are two cases in nf_tables_newobj in total. case1: return value is -ENOENT, the obj is NULL, it is unnecessary to perform the latter check "obj != NULL". case2: IS_ERR(obj) is false, the

Re: [PATCH V2 conntrack-tools] conntrackd: cthelper: ssdp: Track UPnP eventing

2017-01-05 Thread Kevin Cernekee
On Thu, Jan 5, 2017 at 1:42 PM, Kevin Cernekee wrote: > + * nfct timeout add long-timewait inet tcp \ > + * established 1000 close 10 time_wait 10 last_ack 10 > + * nfct timeout add long-timewait inet tcp time_wait 3600 > + * iptables -t raw -A OUTPUT -p

[PATCH V2 conntrack-tools] conntrackd: cthelper: ssdp: Track UPnP eventing

2017-01-05 Thread Kevin Cernekee
The UPnP Device Architecture spec provides a way for devices to connect back to control points, called "Eventing" (chapter 4). This sequence can look something like: 1) Outbound multicast M-SEARCH packet (dst: 1900/udp) - Create expectation for unicast reply from to source port 2) Inbound

[PATCH nft] evaluate: Remove cache_update() in cmd_evaluate_flush()

2017-01-05 Thread Elise Lennion
cache_update() fetches set elements, when the set is big and sorted this leads to an unnecessary delay on 'nft flush ruleset'. There is only a possible call to cache_flush() after the update, so this update isn't needed. Signed-off-by: Elise Lennion --- src/evaluate.c

Re: [PATCH 0/6] Netfilter fixes for net

2017-01-05 Thread David Miller
From: Pablo Neira Ayuso Date: Thu, 5 Jan 2017 12:19:47 +0100 > The following patchset contains accumulated Netfilter fixes for your > net tree: > > 1) Ensure quota dump and reset happens iff we can deliver numbers to >userspace. > > 2) Silence splat on incorrect use

Re: [PATCH nf-next 1/1] netfilter: Use strlcpy to copy dev name instead of strncpy

2017-01-05 Thread Pablo Neira Ayuso
On Tue, Dec 27, 2016 at 07:16:53PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > The current code uses strncpy to copy the dev name in > nf_tables_newchain, there is no real issue now. Because the sizes of > src and dst are IFNAMSIZ. But normally it should use count-1 with

Re: [PATCH nf-next 2/2] netfilter: nf_tables: Make sure the uniform style of condition blocks in nf_tables_newrule

2017-01-05 Thread Pablo Neira Ayuso
On Thu, Dec 29, 2016 at 11:39:58AM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > There is one different brace style of condition blocks in > nf_tables_newrule. Now just make it uniform. > > Signed-off-by: Gao Feng > --- > net/netfilter/nf_tables_api.c | 4

Re: [PATCH nf-next 1/2] netfilter: nf_tables: Check chain's use count before alloc new handle in nf_tables_newrule

2017-01-05 Thread Pablo Neira Ayuso
On Thu, Dec 29, 2016 at 11:39:28AM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > Although current nf_tables_alloc_handle doesn't allocate any actual > resource, it should check the invalid condition before allocation in > logic. > > Signed-off-by: Gao Feng

Re: [PATCH] netfilter: xt_connlimit: use rb_entry()

2017-01-05 Thread Pablo Neira Ayuso
On Tue, Dec 20, 2016 at 10:02:13PM +0800, Geliang Tang wrote: > To make the code clearer, use rb_entry() instead of container_of() to > deal with rbtree. Applied this one to nf-next, thanks.

Re: [PATCH nf-next 0/2] nf_conntrack: validate crc32c on SCTP packets hitting PREROUTING hook

2017-01-05 Thread Pablo Neira Ayuso
On Mon, Jan 02, 2017 at 01:29:39PM +0100, Davide Caratti wrote: > unlike what happens with other protocols, conntrack entries are matched by > SCTP packets even when crc32c is incorrect. Moreover, netfilter 'REJECT' > target does not generate any ICMP on reception of SCTP packets, because it >

[PATCH nf-next v2 2/4] netfilter: reset netfilter state when duplicating packet

2017-01-05 Thread Florian Westphal
We should also toss nf_bridge_info, if any -- packet is leaving via ip_local_out, also, this skb isn't bridged -- it is a locally generated copy. Also this avoids the need to touch this later when skb->nfct is replaced with 'unsigned long _nfct' in followup patch. Signed-off-by: Florian Westphal

[PATCH nf-next v2 0/4] netfilter: skbuff: merge nfctinfo bits and nfct pointer

2017-01-05 Thread Florian Westphal
Caveat: Patch #1 depends on 'netfilter: conntrack: validate SCTP crc32c in PREROUTING' being applied first; this patch is sitting in patchwork at https://patchwork.ozlabs.org/patch/710170/ . See individual patches for changes since v1. Whenever we fetch skb conntrack info, we need to access two

[PATCH nf-next v2 3/4] netfilter: reduce direct skb->nfct usage

2017-01-05 Thread Florian Westphal
Next patch makes direct skb->nfct access illegal, reduce noise in next patch by using accessors we already have. Signed-off-by: Florian Westphal --- Changes since v2: silence checkpatch, wrap long lines and remove spaces before casts. include/net/ip_vs.h | 9

[PATCH nf-next v2 1/4] netfilter: conntrack: no need to pass ctinfo to error handler

2017-01-05 Thread Florian Westphal
It is never accessed for reading and the only places that write to it are the icmp(6) handlers, which also set skb->nfct (and skb->nfctinfo). The conntrack core specifically checks for attached skb->nfct after ->error() invocation and returns early in this case. Signed-off-by: Florian Westphal

[PATCH nf-next v2 4/4] netfilter: merge ctinfo into nfct pointer storage area

2017-01-05 Thread Florian Westphal
Merge conntrack related status bits into skb->_nfct. After this change conntrack operations (lookup, creation, matching from ruleset) only access one instead of two sk_buff cache lines. This works for normal conntracks because we use a slab cache that guarantees hw cacheline or 8-byte alignment

Re: [-stable 4.8.y] Revert NAT conversion to rhashtable

2017-01-05 Thread Greg Kroah-Hartman
On Thu, Jan 05, 2017 at 11:52:07AM +0100, Pablo Neira Ayuso wrote: > On Wed, Jan 04, 2017 at 06:30:36PM +0100, Greg Kroah-Hartman wrote: > > On Mon, Dec 19, 2016 at 05:43:33PM +0100, Pablo Neira Ayuso wrote: > > > Hi Greg, > > > > > > Please revert the following two patches from 4.8.y: > > > > >

[PATCH iptables] iptables 1.6.1 release

2017-01-05 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 6ae63f83b084..eda7871405b3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ -AC_INIT([iptables], [1.6.0])

[PATCH 5/6] netfilter: ipt_CLUSTERIP: check duplicate config when initializing

2017-01-05 Thread Pablo Neira Ayuso
From: Xin Long Now when adding an ipt_CLUSTERIP rule, it only checks for a duplicate config in clusterip_config_find_get(). But after that, there may still be another thread inserting a config with the same ip, so it leaves proc_create_data to do the duplicate check. It's more

[PATCH 3/6] netfilter: nf_tables: fix oob access

2017-01-05 Thread Pablo Neira Ayuso
From: Florian Westphal BUG: KASAN: slab-out-of-bounds in nf_tables_rule_destroy+0xf1/0x130 at addr 88006a4c35c8 Read of size 8 by task nft/1607 When we've destroyed last valid expr, nft_expr_next() returns an invalid expr. We must not dereference it unless it passes !=

[PATCH 4/6] netfilter: nft_payload: mangle checksum if NFT_PAYLOAD_L4CSUM_PSEUDOHDR is set

2017-01-05 Thread Pablo Neira Ayuso
If the NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag is set, then mangle the layer 4 checksum. This should not depend on csum_type NFT_PAYLOAD_CSUM_INET since the IPv6 header has no checksum field, but still an update of any of the pseudoheader fields may trigger a layer 4 checksum update. Fixes: 1814096980bb

[PATCH 2/6] netfilter: nft_queue: use raw_smp_processor_id()

2017-01-05 Thread Pablo Neira Ayuso
Using smp_processor_id() causes splats with PREEMPT_RCU: [19379.552780] BUG: using smp_processor_id() in preemptible [] code: ping/32389 [19379.552793] caller is debug_smp_processor_id+0x17/0x19 [...] [19379.552823] Call Trace: [19379.552832] [] dump_stack+0x67/0x90 [19379.552837] []

[PATCH 1/6] netfilter: nft_quota: reset quota after dump

2017-01-05 Thread Pablo Neira Ayuso
Dumping of netlink attributes may fail due to insufficient room in the skbuff, so let's reset consumed quota if we succeed to put netlink attributes into the skbuff. Fixes: 43da04a593d8 ("netfilter: nf_tables: atomic dump and reset for stateful objects") Reported-by: Eric Dumazet

[PATCH 6/6] bridge: netfilter: Fix dropping packets that move through bridge interface

2017-01-05 Thread Pablo Neira Ayuso
From: Artur Molchanov Problem: br_nf_pre_routing_finish() calls itself instead of br_nf_pre_routing_finish_bridge(). Due to this bug the reverse path filter drops packets that go through the bridge interface. User impact: Local docker containers with bridge network cannot

[PATCH 0/6] Netfilter fixes for net

2017-01-05 Thread Pablo Neira Ayuso
Hi David, The following patchset contains accumulated Netfilter fixes for your net tree: 1) Ensure quota dump and reset happens iff we can deliver numbers to userspace. 2) Silence splat on incorrect use of smp_processor_id() from nft_queue. 3) Fix an out-of-bounds access reported by KASAN in

Re: [PATCH] netfilter: use fwmark_reflect in nf_send_reset

2017-01-05 Thread Pablo Neira Ayuso
Hi Pau, On Tue, Dec 27, 2016 at 10:51:09PM +0100, Pau Espin Pedrol wrote: > Hi, > > I will try to find some time over next weeks to have a look at it. > > If I understood correctly, RSTs generated from the stack are currently > not marked when fwmark_reflect is on no matter whether my patch is

Re: [-stable 4.8.y] Revert NAT conversion to rhashtable

2017-01-05 Thread Pablo Neira Ayuso
On Wed, Jan 04, 2017 at 06:30:36PM +0100, Greg Kroah-Hartman wrote: > On Mon, Dec 19, 2016 at 05:43:33PM +0100, Pablo Neira Ayuso wrote: > > Hi Greg, > > > > Please revert the following two patches from 4.8.y: > > > > 870190a9ec9075205c0fa795a09fa931694a3ff1 ("netfilter: nat: convert nat > >

Re: [PATCH nf-next 4/4] netfilter: merge ctinfo into nfct pointer storage area

2017-01-05 Thread kbuild test robot
Hi Florian, [auto build test WARNING on nf-next/master] url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-skbuff-merge-nfctinfo-bits-and-nfct-pointer/20170105-133727 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master config: x86_64