Removed parentheses on the right hand side of assignment, as they are
not required.
The following coccinelle script was used to fix this issue:
@@
local idexpression id;
expression e;
@@
id =
-(
e
-)
Signed-off-by: Arushi Singhal
---
extensions/libebt_mark.c | 8
extensions/libxt_str
This patch adds or removes unnecessary spaces as reported by
checkpatch.pl.
Signed-off-by: Arushi Singhal
---
extensions/libebt_802_3.c | 4 ++--
extensions/libip6t_dst.c| 8
extensions/libip6t_hbh.c| 8
extensions/libip6t_ipv6header.c | 2 +-
4 files change
Hi Pablo,
2017-03-29 21:00 GMT+08:00 Liping Zhang :
> From: Liping Zhang
>
> cthelpers added via nfnetlink may have the same tuple, i.e. except for
> the l3proto and l4proto, other fields are all zero. So even with the
> different names, we will also fail to add them:
> # nfct helper add ssdp i
Add blank line after declaration as reported by checkpatch.pl.
Signed-off-by: Arushi Singhal
---
extensions/libip6t_mh.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index f4c0fd9..ee17182 100644
--- a/extensions/libip6t_mh.c
+++ b/extensi
Remove assignments in if condition as reported by checkpatch.pl.
Signed-off-by: Arushi Singhal
---
extensions/libebt_ip.c | 11 ++-
extensions/libip6t_ipv6header.c | 5 +++--
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/extensions/libebt_ip.c b/extensions/libe
Add spaces around operator and remove trailing whitespaces.
Signed-off-by: Arushi Singhal
---
extensions/dscp_helper.c| 2 +-
extensions/libarpt_mangle.c | 2 +-
extensions/libip6t_ah.c | 2 +-
extensions/libip6t_dst.c| 6 +++---
extensions/libip6t_frag.c | 2 +-
extensions/li
From: Pablo Neira Ayuso
Date: Wed, 29 Mar 2017 14:14:02 +0200
> Hi David,
>
> The following patchset contains a rather large update with Netfilter
> fixes, specifically targeted to incorrect RCU usage in several spots and
> the userspace conntrack helper infrastructure (nfnetlink_cthelper),
> mo
Remove braces which are not required, to fix the check patch issue.
The following coccinelle script was used to fix this issue.
@@
expression e;
expression e1;
@@
if(e)
-{
e1;
-}
Signed-off-by: Varsha Rao
---
iptables/iptables-standalone.c | 3 +--
iptables/iptables.c| 3 +--
iptab
Static variables are initialized to zero by default, so remove explicit
initialization. This patch fixes the checkpatch issue.
Signed-off-by: Varsha Rao
---
iptables/ip6tables-restore.c | 2 +-
iptables/ip6tables-save.c| 2 +-
iptables/iptables-restore.c | 2 +-
iptables/iptables-save.c
This patchset fixes multiple checkpatch issues.
Varsha Rao (2):
iptables: Remove explicit static variables initalization.
iptables: Remove unnecessary braces.
iptables/ip6tables-restore.c | 2 +-
iptables/ip6tables-save.c | 2 +-
iptables/iptables-restore.c| 2 +-
iptables/ipta
This patch uses the following coccinelle script to remove
a variable that was simply used to store the return
value of a function call before returning it:
@@
identifier len,f;
@@
-int len;
... when != len
when strict
-len =
+return
f(...);
-return len;
Signed-off-by: Arushi Singha
On Wed, 29 Mar 2017, Arushi Singhal wrote:
> This patch uses the following coccinelle script to remove
> a variable that was simply used to store the return
> value of a function call before returning it:
>
> @@
> identifier len,f;
> @@
>
> -int len;
> ... when != len
> when strict
> -len
This patch uses the following coccinelle script to remove
a variable that was simply used to store the return
value of a function call before returning it:
@@
identifier len,f;
@@
-int len;
... when != len
when strict
-len =
+return
f(...);
-return len;
Signed-off-by: Arushi Singha
From: Liping Zhang
cthelpers added via nfnetlink may have the same tuple, i.e. except for
the l3proto and l4proto, other fields are all zero. So even with the
different names, we will also fail to add them:
# nfct helper add ssdp inet udp
# nfct helper add tftp inet udp
nfct v1.4.3: netlink
Hi Pablo,
> -Original Message-
> From: netfilter-devel-ow...@vger.kernel.org
> [mailto:netfilter-devel-ow...@vger.kernel.org] On Behalf Of Pablo Neira
Ayuso
> Sent: Wednesday, March 29, 2017 5:54 PM
> To: gfree.w...@foxmail.com
> Cc: netfilter-devel@vger.kernel.org; Gao Feng
> Subject: Re
From: Liping Zhang
We must call security_release_secctx to free the memory returned by
security_secid_to_secctx, otherwise memory may be leaked forever.
Fixes: ef493bd930ae ("netfilter: nfnetlink_queue: add security context
information")
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira A
From: Gao Feng
In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
snmp_helper is never registered. But it still tries to unregister the
snmp_helper, which could cause a panic.
Now remove the useless snmp_helper
From: Liping Zhang
If one cpu is doing nf_ct_extend_unregister while another cpu is doing
__nf_ct_ext_add_length, then we may hit BUG_ON(t == NULL). Moreover,
there's no synchronize_rcu invocation after setting nf_ct_ext_types[id] to
NULL, so it's possible that we may access invalid pointer.
But act
From: Liping Zhang
Otherwise, another CPU may access the invalid pointer. For example:
CPU0                    CPU1
-                       rcu_read_lock();
-                       pfunc = _hook_;
_hook_ = NULL;          -
mod unload              -
-                       pfunc(); // invalid, panic
From: Liping Zhang
The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while
nfct_helper operation is protected by nfnl_lock(NFNL_SUBSYS_CTHELPER).
So it's possible that one CPU is walking the nf_ct_helper_hash for
cthelper add/get/del, another cpu is doing nf_conntrack_helpers_unregi
From: Liping Zhang
The helper->expect_class_max must be set to the total number of
expect_policy minus 1, since we will use the statement "if (class >
helper->expect_class_max)" to validate the CTA_EXPECT_CLASS attr in
ctnetlink_alloc_expect.
So for compatibility, set the helper->expect_class_ma
From: Jeffy Chen
We have memory leaks of nf_conntrack_helper & expect_policy.
Signed-off-by: Jeffy Chen
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nfnetlink_cthelper.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nfnetlink_cthelper.c
We only allow runtime updates of expectation policies for timeout and
maximum number of expectations, otherwise reject the update.
Signed-off-by: Pablo Neira Ayuso
Acked-by: Liping Zhang
---
net/netfilter/nfnetlink_cthelper.c | 86 +-
1 file changed, 84 inser
Hi David,
The following patchset contains a rather large update with Netfilter
fixes, specifically targeted to incorrect RCU usage in several spots and
the userspace conntrack helper infrastructure (nfnetlink_cthelper),
more specifically they are:
1) expect_class_max is incorrectly set via cthelper
On Wed, Mar 29, 2017 at 07:05:10PM +0800, Liping Zhang wrote:
> Hi Pablo,
>
> 2017-03-29 18:41 GMT+08:00 Pablo Neira Ayuso :
> [...]
> > Wait.
> >
> > Just a cosmetic change, would this look better if we just do:
> >
> > hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
> >
On Wed, Mar 29, 2017 at 06:50:46PM +0800, Gao Feng wrote:
> Hi Pablo,
>
> > -Original Message-
> > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org]
> > Sent: Wednesday, March 29, 2017 6:44 PM
> > To: Gao Feng
> > Cc: netfilter-devel@vger.kernel.org; 'Gao Feng'
> > Subject: Re: [PATCH
On Wed, Mar 29, 2017 at 06:29:10PM +0800, Gao Feng wrote:
> Hi Pablo,
>
> > -Original Message-
> > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org]
> > Sent: Wednesday, March 29, 2017 6:08 PM
> > To: gfree.w...@foxmail.com
> > Cc: netfilter-devel@vger.kernel.org; Gao Feng
> > Subject:
From: Gao Feng
When invoking __nf_conntrack_helper_find, it needs the rcu lock to
protect the helper module which would not be unloaded.
Now there are two callers, nf_conntrack_helper_try_module_get and
ctnetlink_create_expect, which don't hold the rcu lock. And the other
callers left like ctnetlink_chan
Hi Pablo,
2017-03-29 18:41 GMT+08:00 Pablo Neira Ayuso :
[...]
> Wait.
>
> Just a cosmetic change, would this look better if we just do:
>
> hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
> if (!strcmp(h->name, name) &&
> (h->tuple.src.l3num
Hi Pablo,
> -Original Message-
> From: Pablo Neira Ayuso [mailto:pa...@netfilter.org]
> Sent: Wednesday, March 29, 2017 6:44 PM
> To: Gao Feng
> Cc: netfilter-devel@vger.kernel.org; 'Gao Feng'
> Subject: Re: [PATCH nf-next v2 1/1] netfilter: helper: Remove useless rcu
lock
> when get exp
On Sat, Mar 25, 2017 at 09:03:23PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> cthelpers added via nfnetlink may have the same tuple, i.e. except for
> the l3proto and l4proto, other fields are all zero. So even with the
> different names, we will also fail to add them:
> # nfct helper
On Sat, Mar 25, 2017 at 09:03:23PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> cthelpers added via nfnetlink may have the same tuple, i.e. except for
> the l3proto and l4proto, other fields are all zero. So even with the
> different names, we will also fail to add them:
> # nfct helper
On Tue, Mar 28, 2017 at 10:59:25PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> We must call security_release_secctx to free the memory returned by
> security_secid_to_secctx, otherwise memory may be leaked forever.
Applied, thanks.
Hi Pablo,
> -Original Message-
> From: Pablo Neira Ayuso [mailto:pa...@netfilter.org]
> Sent: Wednesday, March 29, 2017 6:08 PM
> To: gfree.w...@foxmail.com
> Cc: netfilter-devel@vger.kernel.org; Gao Feng
> Subject: Re: [PATCH nf-next v2 1/1] netfilter: helper: Remove useless rcu
lock
> w
Removed parentheses on the right hand side of assignment, as they are
not required. The following coccinelle script was used to fix this
issue:
@@
local idexpression id;
expression e;
@@
id =
-(
e
-)
Signed-off-by: Arushi Singhal
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++--
1 file cha
Replace explicit NULL comparison with ! operator to simplify code.
Signed-off-by: Arushi Singhal
---
net/netfilter/ipvs/ip_vs_ctl.c | 8 ++---
net/netfilter/ipvs/ip_vs_proto.c | 8 ++---
net/netfilter/nf_conntrack_broadcast.c | 2 +-
net/netfilter/nf_conntrack_core.c | 2 +
On Fri, Mar 24, 2017 at 01:21:12PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > We can just use NFT_META_L4PROTO all the time, so we use it from IPv4
> > too, right?
>
> Right, we can indeed do that and change ip as well.
BTW, I think this problem may be the root cause for this
On Wed, Mar 22, 2017 at 10:15:02AM +0800, gfree.w...@foxmail.com wrote:
> From: Gao Feng
>
> Because these two functions return the nf_ct_helper_expectfn pointer
> which should be protected by rcu lock. So it should make sure the
> caller should hold the rcu lock, not inside these functions.
>
Fix the line over 80 characters as reported by checkpatch.pl.
Signed-off-by: Arushi Singhal
---
net/ipv6/netfilter/ip6_tables.c| 6 --
net/ipv6/netfilter/ip6t_SYNPROXY.c | 3 ++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netf
Hi Feng,
Still two concerns with this.
On Wed, Mar 22, 2017 at 09:03:24AM +0800, gfree.w...@foxmail.com wrote:
> diff --git a/net/netfilter/nf_conntrack_helper.c
> b/net/netfilter/nf_conntrack_helper.c
> index 0eaa01e..c25c9be 100644
> --- a/net/netfilter/nf_conntrack_helper.c
> +++ b/net/netfil
On Wednesday 2017-03-29 11:15, SIMRAN SINGHAL wrote:
>> dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL);
>>- if (dest == NULL)
>>+ if (!dest)
>> return -ENOMEM;
>
>But, according to me we should prefer !var over ( var ==NULL ) according to the
>c
On Wed, Mar 29, 2017 at 2:19 PM, SIMRAN SINGHAL
wrote:
> On Wed, Mar 29, 2017 at 12:25 PM, Jan Engelhardt wrote:
>>
>> On Tuesday 2017-03-28 18:23, SIMRAN SINGHAL wrote:
>>>On Tue, Mar 28, 2017 at 7:24 PM, Jan Engelhardt wrote:
On Tuesday 2017-03-28 15:13, simran singhal wrote:
>So
Removed parentheses on the right hand side of assignment, as they are
not required. The following coccinelle script was used to fix this
issue:
@@
local idexpression id;
expression e;
@@
id =
-(
e
-)
Signed-off-by: Arushi Singhal
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++--
1 file cha
On Wed, Mar 29, 2017 at 12:25 PM, Jan Engelhardt wrote:
>
> On Tuesday 2017-03-28 18:23, SIMRAN SINGHAL wrote:
>>On Tue, Mar 28, 2017 at 7:24 PM, Jan Engelhardt wrote:
>>> On Tuesday 2017-03-28 15:13, simran singhal wrote:
>>>
Some functions like kmalloc/kzalloc return NULL on failure. When N
Fix checkpatch warnings:
WARNING: Block comments use a trailing */ on a separate line
WARNING: Block comments use * on subsequent lines
Signed-off-by: Arushi Singhal
---
net/ipv6/netfilter/ip6_tables.c | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/ipv6/