Re: [PATCH nf] netfilter: ctnetlink: make it safer when updating ct->status

2017-04-12 Thread Liping Zhang
Hi Feng, 2017-04-13 11:22 GMT+08:00 Gao Feng : [...] >> No, it's better to do this together, there are two invocations, it's not >> good to >> copy these codes twice. > > You mean " on &= ~ IPS_UNCHANGEABLE_MASK " and " off &= ~ > IPS_UNCHANGEABLE_MASK " seems duplicated? I see. I misunderstood

RE: [PATCH nf] netfilter: ctnetlink: make it safer when updating ct->status

2017-04-12 Thread Gao Feng
Hi Liping, > -Original Message- > From: Liping Zhang [mailto:zlpnob...@gmail.com] > Sent: Thursday, April 13, 2017 11:15 AM > To: Gao Feng > Cc: Liping Zhang ; Pablo Neira Ayuso > ; Netfilter Developer Mailing List > ; cerne...@chromium.org > Subject: Re: [PATCH nf] netfilter: ctnetlink:

Re: [PATCH nf] netfilter: ctnetlink: make it safer when updating ct->status

2017-04-12 Thread Liping Zhang
Hi Feng, 2017-04-13 10:42 GMT+08:00 Gao Feng : [...] >> +static void >> +__ctnetlink_change_status(struct nf_conn *ct, unsigned long on, >> + unsigned long off) >> +{ >> + unsigned long mask; >> + unsigned int bit; >> + >> + for (bit = 0; bit < __IPS_MAX_BIT; bit+

RE: [PATCH nf] netfilter: ctnetlink: make it safer when updating ct->status

2017-04-12 Thread Gao Feng
> -Original Message- > From: Gao Feng [mailto:gfree.w...@foxmail.com] > Sent: Thursday, April 13, 2017 10:42 AM > To: 'Liping Zhang' ; 'pa...@netfilter.org' > > Cc: 'netfilter-devel@vger.kernel.org' ; > 'cerne...@chromium.org' ; 'Liping Zhang' > > Subject: RE: [PATCH nf] netfilter: ctnetl

RE: [PATCH nf] netfilter: ctnetlink: make it safer when updating ct->status

2017-04-12 Thread Gao Feng
Hi Liping, > -Original Message- > From: netfilter-devel-ow...@vger.kernel.org > [mailto:netfilter-devel-ow...@vger.kernel.org] On Behalf Of Liping Zhang > Sent: Wednesday, April 12, 2017 11:57 PM > To: pa...@netfilter.org > Cc: netfilter-devel@vger.kernel.org; cerne...@chromium.org; Liping

[PATCH nf-next 1/1] netfilter: ecache: Refine the nf_ct_deliver_cached_events

2017-04-12 Thread gfree . wind
From: Gao Feng 1. Remove the single !events condition check to deliver the missed event even though no new event has happened. Consider this case: 1) nf_ct_deliver_cached_events is invoked for the first time, the event fails to be delivered, then the missed is set. 2) nf_ct_deliver_cached_events

Re: [PATCH nf] netfilter: nft_hash: do not dump the auto generated seed

2017-04-12 Thread Laura García Liébana
On Wed, Apr 12, 2017 at 10:43 PM, Florian Westphal wrote: > Liping Zhang wrote: >> >> +++ b/net/netfilter/nft_hash.c >> >> @@ -21,6 +21,7 @@ struct nft_hash { >> >> enum nft_registers sreg:8; >> >> enum nft_registers dreg:8; >> >> u8 len; >>

Re: [PATCH nf-next] ip_vs_sync: change comparison on sync_refresh_period

2017-04-12 Thread Simon Horman
On Wed, Apr 12, 2017 at 04:38:12PM -0400, Aaron Conole wrote: > The sync_refresh_period variable is unsigned, so it can never be < 0. > > Signed-off-by: Aaron Conole Thanks Aaron, I have applied this to ipvs-next after updating the prefix to "ipvs:". -- To unsubscribe from this list: send the l

Re: [PATCH nf] netfilter: nft_hash: do not dump the auto generated seed

2017-04-12 Thread Florian Westphal
Liping Zhang wrote: > >> +++ b/net/netfilter/nft_hash.c > >> @@ -21,6 +21,7 @@ struct nft_hash { > >> enum nft_registers sreg:8; > >> enum nft_registers dreg:8; > >> u8 len; > >> + bool autogen_seed:1; > > > > Hi Lipin

[PATCH nf-next] ip_vs_sync: change comparison on sync_refresh_period

2017-04-12 Thread Aaron Conole
The sync_refresh_period variable is unsigned, so it can never be < 0. Signed-off-by: Aaron Conole --- net/netfilter/ipvs/ip_vs_sync.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c index b03c280..123dc0f 10064

[PATCH nf-next] nf_conntrack: remove double assignment

2017-04-12 Thread Aaron Conole
The protonet pointer will unconditionally be rewritten, so just do the needed assignment first. Signed-off-by: Aaron Conole --- net/netfilter/nf_conntrack_proto.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrac

[PATCH nf-next] nf_tables: remove double return statement

2017-04-12 Thread Aaron Conole
Signed-off-by: Aaron Conole --- net/netfilter/nf_tables_api.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 2d822d2..1452fb7 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4435,8 +4435,6

[PATCH nf] netfilter: ctnetlink: make it safer when updating ct->status

2017-04-12 Thread Liping Zhang
From: Liping Zhang User can update the ct->status via nfnetlink, but using a non-atomic operation "ct->status |= status;". This is unsafe, and may clear the IPS_DYING_BIT bit set by another CPU unexpectedly. For example: CPU0 CPU1 ctnetlink_change_status_

Re: [PATCH ulogd2 1/2] ulogd.conf: harmonize log file options with module default values

2017-04-12 Thread Kaarle Ritvanen
On Tue, 7 Mar 2017, Eric Leblond wrote: > I really like the idea of getting an harmonized naming for the log > files but I think we should do it reverse for values that are not > commented in the configuration file. Most distributions and install are > shipping with a copy of default configuration

[PATCH nf 1/1] netfilter: nf_nat: Fix return NF_DROP in nfnetlink_parse_nat_setup

2017-04-12 Thread gfree . wind
From: Gao Feng The __nf_nat_alloc_null_binding invokes nf_nat_setup_info which may return NF_DROP when memory is exhausted, so convert NF_DROP to -ENOMEM to make ctnetlink happy. Otherwise ctnetlink_setup_nat treats it as a success when the error NF_DROP actually happens. Signed-off-by: Gao Feng --- n