From: Gao Feng
The return value of nf_tables_obj_lookup is a valid pointer or an error.
There are two cases in nf_tables_newobj in total.
case1: the return value is -ENOENT, so obj is NULL and it is unnecessary to
perform the later check "obj != NULL".
case2: IS_ERR(obj) is false, the
On Thu, Jan 5, 2017 at 1:42 PM, Kevin Cernekee wrote:
> + * nfct timeout add long-timewait inet tcp \
> + * established 1000 close 10 time_wait 10 last_ack 10
> + * nfct timeout add long-timewait inet tcp time_wait 3600
> + * iptables -t raw -A OUTPUT -p
The UPnP Device Architecture spec provides a way for devices to connect
back to control points, called "Eventing" (chapter 4). This sequence can
look something like:
1) Outbound multicast M-SEARCH packet (dst: 1900/udp)
- Create expectation for unicast reply from to source port
2) Inbound
cache_update() fetches set elements, when the set is big and sorted
this leads to an unnecessary delay on 'nft flush ruleset'.
There is only a possible call to cache_flush() after the update, so
this update isn't needed.
Signed-off-by: Elise Lennion
---
src/evaluate.c
From: Pablo Neira Ayuso
Date: Thu, 5 Jan 2017 12:19:47 +0100
> The following patchset contains accumulated Netfilter fixes for your
> net tree:
>
> 1) Ensure quota dump and reset happens iff we can deliver numbers to
> userspace.
>
> 2) Silence splat on incorrect use
On Tue, Dec 27, 2016 at 07:16:53PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> The current codes use strncpy to copy the dev name in
> nf_tables_newchain, there is no real issue now. Because the sizes of
> src and dst are IFNAMSIZ. But normally it should use count-1 with
On Thu, Dec 29, 2016 at 11:39:58AM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> There is one different brace style of condition blocks in
> nf_tables_newrule. Now just make it uniform.
>
> Signed-off-by: Gao Feng
> ---
> net/netfilter/nf_tables_api.c | 4
On Thu, Dec 29, 2016 at 11:39:28AM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> Although current nf_tables_alloc_handle doesn't allocate any actual
> resource, but it should check invalid condition before allocation in
> logic.
>
> Signed-off-by: Gao Feng
On Tue, Dec 20, 2016 at 10:02:13PM +0800, Geliang Tang wrote:
> To make the code clearer, use rb_entry() instead of container_of() to
> deal with rbtree.
Applied this one to nf-next, thanks.
On Mon, Jan 02, 2017 at 01:29:39PM +0100, Davide Caratti wrote:
> unlike what happens with other protocols, conntrack entries are matched by
> SCTP packets even when crc32c is incorrect. Moreover, netfilter 'REJECT'
> target does not generate any ICMP on reception of SCTP packets, because it
>
We should also toss nf_bridge_info, if any -- packet is leaving via
ip_local_out, also, this skb isn't bridged -- it is a locally generated
copy. Also this avoids the need to touch this later when skb->nfct is
replaced with 'unsigned long _nfct' in followup patch.
Signed-off-by: Florian Westphal
Caveat: Patch #1 depends on 'netfilter: conntrack: validate SCTP crc32c in
PREROUTING' being applied first; that patch is sitting in patchwork at
https://patchwork.ozlabs.org/patch/710170/ .
See individual patches for changes since v1.
Whenever we fetch skb conntrack info, we need to access two
Next patch makes direct skb->nfct access illegal, reduce noise
in next patch by using accessors we already have.
Signed-off-by: Florian Westphal
---
Changes since v2:
silence checkpatch, wrap long lines and remove spaces before casts.
include/net/ip_vs.h | 9
It is never accessed for reading and the only places that write to it
are the icmp(6) handlers, which also set skb->nfct (and skb->nfctinfo).
The conntrack core specifically checks for attached skb->nfct after
->error() invocation and returns early in this case.
Signed-off-by: Florian Westphal
Merge conntrack related status bits into skb->_nfct.
After this change conntrack operations (lookup, creation, matching from
ruleset) only accesses one instead of two sk_buff cache lines.
This works for normal conntracks because we use a slab cache that
guarantees hw cacheline or 8-byte alignment
On Thu, Jan 05, 2017 at 11:52:07AM +0100, Pablo Neira Ayuso wrote:
> On Wed, Jan 04, 2017 at 06:30:36PM +0100, Greg Kroah-Hartman wrote:
> > On Mon, Dec 19, 2016 at 05:43:33PM +0100, Pablo Neira Ayuso wrote:
> > > Hi Greg,
> > >
> > > Please revert the following two patches from 4.8.y:
> > >
> >
Signed-off-by: Pablo Neira Ayuso
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 6ae63f83b084..eda7871405b3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
-AC_INIT([iptables], [1.6.0])
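Review bot: the hunk stops at the removed `-AC_INIT([iptables], [1.6.0])` line, yet the diffstat above promises 1 insertion and 1 deletion and the `@@ -1,5 +1,5 @@` header promises five lines of context; the replacement `+AC_INIT([iptables], [...])` line with the new version string is missing from this excerpt, so the version bump cannot be checked here and the patch should be re-sent in full.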
From: Xin Long
Now when adding an ipt_CLUSTERIP rule, it only checks duplicate config in
clusterip_config_find_get(). But after that, there may be still another
thread to insert a config with the same ip, then it leaves proc_create_data
to do duplicate check.
It's more
From: Florian Westphal
BUG: KASAN: slab-out-of-bounds in nf_tables_rule_destroy+0xf1/0x130 at addr 88006a4c35c8
Read of size 8 by task nft/1607
When we've destroyed last valid expr, nft_expr_next() returns an invalid expr.
We must not dereference it unless it passes !=
If the NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag is set, then mangle layer 4
checksum. This should not depend on csum_type NFT_PAYLOAD_CSUM_INET
since IPv6 header has no checksum field, but still an update of any of
the pseudoheader fields may trigger a layer 4 checksum update.
Fixes: 1814096980bb
Using smp_processor_id() causes splats with PREEMPT_RCU:
[19379.552780] BUG: using smp_processor_id() in preemptible [] code:
ping/32389
[19379.552793] caller is debug_smp_processor_id+0x17/0x19
[...]
[19379.552823] Call Trace:
[19379.552832] [] dump_stack+0x67/0x90
[19379.552837] []
Dumping of netlink attributes may fail due to insufficient room in the
skbuff, so let's reset consumed quota if we succeed to put netlink
attributes into the skbuff.
Fixes: 43da04a593d8 ("netfilter: nf_tables: atomic dump and reset for stateful
objects")
Reported-by: Eric Dumazet
From: Artur Molchanov
Problem:
br_nf_pre_routing_finish() calls itself instead of
br_nf_pre_routing_finish_bridge(). Due to this bug reverse path filter drops
packets that go through bridge interface.
User impact:
Local docker containers with bridge network cannot
Hi David,
The following patchset contains accumulated Netfilter fixes for your
net tree:
1) Ensure quota dump and reset happens iff we can deliver numbers to
userspace.
2) Silence splat on incorrect use of smp_processor_id() from nft_queue.
3) Fix an out-of-bound access reported by KASAN in
Hi Pau,
On Tue, Dec 27, 2016 at 10:51:09PM +0100, Pau Espin Pedrol wrote:
> Hi,
>
> I will try to find some time over next weeks to have a look at it.
>
> If I understood correctly, RSTs generated from the stack are currently
> not marked when fwmark_reflect is on no matter whether my patch is
On Wed, Jan 04, 2017 at 06:30:36PM +0100, Greg Kroah-Hartman wrote:
> On Mon, Dec 19, 2016 at 05:43:33PM +0100, Pablo Neira Ayuso wrote:
> > Hi Greg,
> >
> > Please revert the following two patches from 4.8.y:
> >
> > 870190a9ec9075205c0fa795a09fa931694a3ff1 ("netfilter: nat: convert nat
> >
Hi Florian,
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-skbuff-merge-nfctinfo-bits-and-nfct-pointer/20170105-133727
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: x86_64