On Thu, Mar 16, 2017 at 11:49:03AM +, Neil Wilson wrote:
> Refactor and improve nat support to allow conntrack to manage IPv6
> NAT entries.
>
> Refactor and improve conntrack nat tests to include IPv6 NAT.
Applied, thanks Neil!
--
To unsubscribe from this list: send the line "unsubscribe net
On Thu, Mar 16, 2017 at 01:43:10PM +0100, Simon Horman wrote:
> Hi Pablo,
>
> please consider these enhancements to the IPVS for v4.12.
>
> * Update sysctl documentation
> * Remove unnecessary printk in __ip_vs_init
>
> The following changes since commit 03e5fd0e9bcc1f34b7a542786b34b8f771e7c260:
On Thu, Mar 16, 2017 at 10:03:34AM +0200, Elena Reshetova wrote:
> refcount_t type and corresponding API (see include/linux/refcount.h)
> should be used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to
On Thu, Mar 16, 2017 at 07:52:19AM +, Reshetova, Elena wrote:
>
> > On Wed, Mar 15, 2017 at 01:10:38PM +0200, Elena Reshetova wrote:
> > > This series, for the netfilter subsystem, replaces atomic_t reference
> > > counters with the new refcount_t type and API (see
> > > include/linux/refcoun
On Thu, Mar 16, 2017 at 01:43:20PM +0100, Phil Sutter wrote:
> This adds support for matching on inverse ND messages as defined by
> RFC3122 (not implemented in Linux) and MLDv2 as defined by RFC3810.
>
> Note that ICMPV6_MLD2_REPORT macro is defined in linux/icmpv6.h but
> including that header l
On Thu, Mar 16, 2017 at 01:43:21PM +0100, Phil Sutter wrote:
> This adds a description of the icmp and icmpv6 expressions (to match
> various ICMP header fields) as well as the icmp and icmpv6 type types
> (yay) which are used for ICMP(v6) type field.
Also applied. Thanks.
--
To unsubscribe from t
With 4.10.3, ipset 6.32 seems to run into an issue:
[ 59s]
/home/abuild/rpmbuild/BUILD/ipset-default-6.32/kernel/net/netfilter/xt_set.c:
In function 'set_match_v0':
[ 59s]
/home/abuild/rpmbuild/BUILD/ipset-default-6.32/kernel/net/netfilter/xt_set.c:75:18:
error: 'struct xt_action_param' h
This code is already protected by the nfnl_lock mutex.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nfnetlink_cthelper.c | 7 +--
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/net/netfilter/nfnetlink_cthelper.c
b/net/netfilter/nfnetlink_cthelper.c
index f0241a1e1083..31
On Fri, 17 Mar 2017, Jan Engelhardt wrote:
> With 4.10.3, ipset 6.32 seems to run into an issue:
>
> [ 59s]
> /home/abuild/rpmbuild/BUILD/ipset-default-6.32/kernel/net/netfilter/xt_set.c:
> In function 'set_match_v0':
> [ 59s]
> /home/abuild/rpmbuild/BUILD/ipset-default-6.32/kernel/net/net
On Thu, Mar 16, 2017 at 09:27:36AM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> When nf_conntrack_helper_register failed, the error handler just frees
> the helper, but it does not free the helper->expect_policy which is
> allocated in nfnl_cthelper_parse_expect_policy.
Applied, thanks.
--
Release the helper object and the expect_policy.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nfnetlink_cthelper.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nfnetlink_cthelper.c
b/net/netfilter/nfnetlink_cthelper.c
index 3166406d68d3..2defe730b1f4 100644
--- a/ne
On Tue, Mar 14, 2017 at 02:26:06PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> The helper module permits the helper modules register expectfn, and
> it could be hold by external caller. But when the module is unloaded,
> there may be some pending expect nodes which still hold the function
On Wed, Mar 15, 2017 at 11:06:05PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 15, 2017 at 10:16:19PM +0100, Linus Lüssing wrote:
> > On Wed, Mar 15, 2017 at 07:15:39PM +0100, Pablo Neira Ayuso wrote:
> > > Could you update ebtables dnat to check if the ethernet address
> > > matches the one of t
On Thu, Mar 16, 2017 at 12:54:20PM +0900, Lorenzo Colitti wrote:
> This slightly simplifies configure.ac and results in more
> correct dependencies.
>
> Tested by running ./configure with --with-xt-lock-name and
> without, and using strace to verify that the right lock is used.
>
> $ make distcle
On Thu, Mar 16, 2017 at 04:55:01PM +0900, Lorenzo Colitti wrote:
> 1. Factor out repeated code to a new xs_has_arg function.
> 2. Add a new parse_wait_time option to parse the value of -w.
> 3. Make parse_wait_interval take argc and argv so its callers
>can be simpler.
Also applied, thanks Lor
Hi Lorenzo,
On Thu, Mar 16, 2017 at 04:55:02PM +0900, Lorenzo Colitti wrote:
> Currently, ip[6]tables-restore does not perform any locking, so it
> is not safe to use concurrently with ip[6]tables.
>
> This patch makes ip[6]tables-restore wait for the lock if -w
> was specified. Arguments to -w a
Hi Pablo,
On Fri, Mar 17, 2017 at 9:08 PM, Pablo Neira Ayuso wrote:
> On Tue, Mar 14, 2017 at 02:26:06PM +0800, f...@ikuai8.com wrote:
>> From: Gao Feng
>>
>> The helper module permits the helper modules register expectfn, and
>> it could be hold by external caller. But when the module is unload
This patch enables the command flush on maps, which removes all
entries in it:
$ nft flush map filter map1
Command above flushes map 'map1' in table 'filter'.
The documentation was updated accordingly.
Signed-off-by: Elise Lennion
---
doc/nft.xml| 9 +
src/parser_bison.y | 4 +
This patch enables the command flush on flow tables, which removes all
entries in it:
$ nft flush flow table filter ft-https
Command above flushes flow table 'ft-https' in table 'filter'.
Signed-off-by: Elise Lennion
---
src/parser_bison.y | 4
1 file changed, 4 insertions(+)
diff --git
The add / delete operations weren't documented yet. They fit better
in the sets and maps blocks since these operations are used to directly
modify their content.
Signed-off-by: Elise Lennion
---
doc/nft.xml | 58 ++
1 file changed, 58 inser
The tech committee would like to announce our first accepted tutorial
Monsieurs Andy Gospodarek and Jesper Dangaard Brouer will give an
XDP tutorial catered to mere mortals titled "XDP for the Rest of Us"
Description:
-
XDP (eXpress Data Path) has been one of the most widely discussed topics
On Fri, Mar 17, 2017 at 10:20 PM, Pablo Neira Ayuso wrote:
> My concern with this is that one iptables-restore instance may
> postpone any other iptables call indefinitely, by simply typing
> "*filter" with no COMMIT ever.
True. But unless the command is run with just plain "-w" (i.e., wait
forev
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: b54ab92b84b6161f91b1ad9160199422b3699009
commit: b54ab92b84b6161f91b1ad9160199422b3699009 [1/1] netfilter: refcounter
conversions
config: x86_64-randconfig-s0-03180414 (attached as .config)
compiler: gcc-4.4 (
Hi Elena,
[auto build test ERROR on nf-next/master]
[also build test ERROR on v4.11-rc2 next-20170310]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
https://github.com/0day-ci/linux/commits/Elena-Reshetova/net-netfilter-refcounter-con
From: Gao Feng
There is no rcu_read_lock during ctlink gets the helper and inserts the
expectation. So there is one possible use-after-free issue when unload
the helper module.
For example:
CPU1CPU2
ctlink gets the helper
helpe
Hi Pablo,
On Fri, Mar 17, 2017 at 10:09 PM, Gao Feng wrote:
> Hi Pablo,
>
> On Fri, Mar 17, 2017 at 9:08 PM, Pablo Neira Ayuso
> wrote:
>> On Tue, Mar 14, 2017 at 02:26:06PM +0800, f...@ikuai8.com wrote:
>>> From: Gao Feng
>>>
>>> The helper module permits the helper modules register expectfn,
Hi Pablo,
On Sat, Mar 18, 2017 at 11:46 AM, wrote:
> From: Gao Feng
>
> There is no rcu_read_lock during ctlink gets the helper and inserts the
> expectation. So there is one possible use-after-free issue when unload
> the helper module.
>
> For example:
>
> CPU1
On Sat, Mar 18, 2017 at 12:26 PM, Feng Gao wrote:
> Hi Pablo,
>
> On Sat, Mar 18, 2017 at 11:46 AM, wrote:
>> From: Gao Feng
>>
>> There is no rcu_read_lock during ctlink gets the helper and inserts the
>> expectation. So there is one possible use-after-free issue when unload
>> the helper modu
28 matches
Mail list logo
