Subscribe nft monitor only to NFNLGRP_NFTABLES and nft monitor trace
only to NFNLGRP_NFTRACE. In netlink_monitor() depending on the command
call setsockopt() once.
Signed-off-by: Varsha Rao
---
src/netlink.c | 11 ---
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/netl
Marcos Paulo de Souza wrote:
> [marcos@Icarus ~]$ conntrack -l something
> nfct_labelmap_new: No such file or directory
> Segmentation fault (core dumped)
conntrack should not pass NULL in the first place.
However I agree that lnf-conntrack should be more robust
so I applied this patch, thanks.
When CONNLABEL_CFG isn't available (/etc/xtables/connlabel.conf),
conntrack tool crashes:
[marcos@Icarus ~]$ conntrack -l something
nfct_labelmap_new: No such file or directory
Segmentation fault (core dumped)
I can see this problem in Fedora 26, because connlabel.conf does not
come along the con
On Mon, Jul 24, 2017 at 11:59:40AM +0200, Pablo Neira Ayuso wrote:
> Hi Greg,
>
> Please, apply this commit:
>
> commit 3c5ab3f395d66a9e4e937fcfdf6ebc63894f028b
> Author: Julian Anastasov
> Date: Sat Apr 29 20:33:09 2017 +0300
>
> ipvs: SNAT packet replies only for NATed connections
>
>
From: Manfred Spraul
As we want to remove spin_unlock_wait() and replace it with explicit
spin_lock()/spin_unlock() calls, we can use this to simplify the
locking.
In addition:
- Reading nf_conntrack_locks_all needs ACQUIRE memory ordering.
- The new code avoids the backwards loop.
Only slightl
The following series removes the hard-coded restriction on name length
of tables, chains, sets and objects.
The first patch introduces nla_strdup() which aids in duplicating a
string contained in a netlink attribute. It is used to replace the call
to nla_strlcpy() when populating name fields.
I'v
Same conversion as for table names, use NFT_NAME_MAXLEN as upper
boundary as well.
Signed-off-by: Phil Sutter
---
include/net/netfilter/nf_tables.h | 2 +-
include/uapi/linux/netfilter/nf_tables.h | 1 -
net/netfilter/nf_tables_api.c | 13 ++---
net/netfilter/nft_objr
Allocate all table names dynamically to allow for arbitrary lengths but
introduce NFT_NAME_MAXLEN as an upper sanity boundary. Its value was
chosen to allow using a domain name as per RFC 1035.
Signed-off-by: Phil Sutter
---
include/net/netfilter/nf_tables.h | 2 +-
include/uapi/linux/n
This is similar to strdup() for netlink string attributes.
Signed-off-by: Phil Sutter
---
include/net/netlink.h | 1 +
lib/nlattr.c | 24
2 files changed, 25 insertions(+)
diff --git a/include/net/netlink.h b/include/net/netlink.h
index 01709172b3d38..5c1fc1d4
Same conversion as for table names, use NFT_NAME_MAXLEN as upper
boundary as well.
Signed-off-by: Phil Sutter
---
include/net/netfilter/nf_tables.h | 4 ++--
include/uapi/linux/netfilter/nf_tables.h | 1 -
net/netfilter/nf_tables_api.c | 40 +++-
n
Same conversion as for table names, use NFT_NAME_MAXLEN as upper
boundary as well.
Signed-off-by: Phil Sutter
---
include/net/netfilter/nf_tables.h | 2 +-
include/uapi/linux/netfilter/nf_tables.h | 1 -
net/netfilter/nf_tables_api.c | 22 --
net/netfilter
On Mon, Jul 24, 2017 at 07:29:11PM +0200, Phil Sutter wrote:
> Now that they contain process information, they're actually interesting.
> For backwards compatibility, print process information only if it was
> present in the message.
Applied, thanks Phil.
--
To unsubscribe from this list: send the
On Mon, Jul 24, 2017 at 10:25 AM, Stephen Hemminger
wrote:
> Fixes warning because location is u32 and can never be negative
> warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
>
> Signed-off-by: Stephen Hemminger
Acked-by: Michael Chan
On Mon, Jul 24, 2017 at 10:25 AM, Stephen Hemminger
wrote:
> Fix a couple of warnings where variable ‘txq’ set but not used
>
> Signed-off-by: Stephen Hemminger
Acked-by: Michael Chan
Signed-off-by: Stephen Hemminger
---
net/bluetooth/6lowpan.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 2af4f1cc0ab4..4e2576fc0c59 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -273,9 +273,6 @@ static int i
Now that they contain process information, they're actually interesting.
For backwards compatibility, print process information only if it was
present in the message.
Signed-off-by: Phil Sutter
---
changes since v1:
- Abort with netlink_abi_error() if attribute validation fails.
- Prefix message
warning: ‘recent_old_fops’ defined but not used
Signed-off-by: Stephen Hemminger
---
net/netfilter/xt_recent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 3f6c4fa78bdb..245fa350a7a8 100644
--- a/net/netfilter/xt_
The variable owned_by_user is always set, but only used
when the kernel is configured with LOCKDEP enabled.
Get rid of the warning by moving the code to put the call
to owned_by_user into the rcu_protected call.
Signed-off-by: Stephen Hemminger
---
net/socket.c | 6 ++
1 file changed, 2 ins
warning: variable ‘netdev’ set but not used
Signed-off-by: Stephen Hemminger
---
drivers/net/ethernet/emulex/benet/be_roce.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/net/ethernet/emulex/benet/be_roce.c
b/drivers/net/ethernet/emulex/benet/be_roce.c
index 2b62841c4c63..05989a
Various fixes for warnings in network code and drivers.
Stephen Hemminger (6):
bnxt: fix unsigned comparison with 0
bnxt: fix unused variable warnings
benet: fix set but not used warning
netfilter: remove unused variable
socket: fix set not used warning
6lowpan: fix set not used warnin
Fixes warning because location is u32 and can never be negative
warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
Signed-off-by: Stephen Hemminger
---
drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
Fix a couple of warnings where variable ‘txq’ set but not used
Signed-off-by: Stephen Hemminger
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4
1 file changed, 4 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index e7c853
When skb is queued to userspace it leaves softirq/rcu protection.
skb->nfct (via conntrack extensions such as helper) could then reference
modules that no longer exist if the conntrack was not yet confirmed.
nf_ct_iterate_destroy() will set the DYING bit for unconfirmed
conntracks, we therefore so
There is a long-standing race that occurs with module removal (such as helpers)
nfqueue, and unconfirmed (not in hash table) conntracks.
The main issue is that
a). unconfirmed conntracks can't safely be mangled from another CPU (we assume
exclusive access to grow/alter the extension area) and
b)
We have several spots that open-code an expect walk, add a helper
that is similar to nf_ct_iterate_destroy/nf_ct_iterate_cleanup.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_expect.h | 5 +++
net/netfilter/nf_conntrack_expect.c | 54 +
n
queued skbs might be using conntrack extensions that are being removed,
such as timeout. This happens for skbs that have a skb->nfct in
unconfirmed state (i.e., not in hash table yet).
This is destructive, but there are only two use cases:
- module removal (rare)
- netns cleanup (most likely no
This also removes __nf_ct_unconfirmed_destroy() call from
nf_ct_iterate_cleanup_net, so that function can be used only
when missing conntracks from unconfirmed list isn't a problem.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack.h | 3 +++
net/netfilter/nf_conntrack_core
On Mon, Jul 24, 2017 at 01:17:30PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Jul 19, 2017 at 04:32:57PM +0200, Phil Sutter wrote:
> > Now that they contain process information, they're actually interesting.
> > For backwards compatibility, print process information only if it was
> > present in the
On Mon, Jul 24, 2017 at 05:10:05PM +0200, Phil Sutter wrote:
> Since all names in nftables are now dynamically allocated, choosing a
> large hard-coded length limit does not bloat nftables' footprint
> anymore.
>
> Introduce a common upper limit on all names for sanity reasons - the
> chosen value
Since all names in nftables are now dynamically allocated, choosing a
large hard-coded length limit does not bloat nftables' footprint
anymore.
Introduce a common upper limit on all names for sanity reasons - the
chosen value of 255 characters allows using a DNS name as per RFC 1035.
Suggested-by
Hi Pablo!
On Mon, Jul 24, 2017 at 11:58:05AM +0200, Pablo Neira Ayuso wrote:
> Hi Willy, Ben & Sasha,
>
> Please, apply this commit:
>
> commit 3c5ab3f395d66a9e4e937fcfdf6ebc63894f028b
> Author: Julian Anastasov
> Date: Sat Apr 29 20:33:09 2017 +0300
>
> ipvs: SNAT packet replies only fo
On Wed, Jul 19, 2017 at 04:32:57PM +0200, Phil Sutter wrote:
> Now that they contain process information, they're actually interesting.
> For backwards compatibility, print process information only if it was
> present in the message.
Wait, a couple of comments.
[...]
> diff --git a/src/netlink.c
On Wed, Jul 19, 2017 at 04:32:57PM +0200, Phil Sutter wrote:
> Now that they contain process information, they're actually interesting.
> For backwards compatibility, print process information only if it was
> present in the message.
Also applied, thanks.
On Wed, Jul 19, 2017 at 04:32:23PM +0200, Phil Sutter wrote:
> This is helpful for 'nft monitor' to track which process caused a given
> change to the ruleset.
Applied, thanks Phil.
On Wed, Jul 19, 2017 at 02:27:33PM +0900, Taehee Yoo wrote:
> This patch removes duplicate rcu_read_lock().
Applied, thanks.
On Mon, Jul 10, 2017 at 03:06:39PM +0200, Florian Westphal wrote:
> assuming we have lockless readers we should make sure they can only
> see expectations that have already been initialized.
>
> hlist_add_head_rcu acts as memory barrier, move it after timer setup.
>
> Theoretically we could crash
On Mon, Jul 24, 2017 at 11:58:05AM +0200, Pablo Neira Ayuso wrote:
> Hi Willy, Ben & Sasha,
>
> Please, apply this commit:
>
> commit 3c5ab3f395d66a9e4e937fcfdf6ebc63894f028b
> Author: Julian Anastasov
> Date: Sat Apr 29 20:33:09 2017 +0300
>
> ipvs: SNAT packet replies only for NATed con
Hi Greg,
Please, apply this commit:
commit 3c5ab3f395d66a9e4e937fcfdf6ebc63894f028b
Author: Julian Anastasov
Date: Sat Apr 29 20:33:09 2017 +0300
ipvs: SNAT packet replies only for NATed connections
to stable 4.4.y.
Julian made a backport for you, in case cherry-pick doesn't work, that
On Mon, Jul 24, 2017 at 11:44:51AM +0200, Florian Westphal wrote:
> Oleg wrote:
> > On Sat, Jul 22, 2017 at 06:38:55PM +0200, Florian Westphal wrote:
> > > Oleg wrote:
> > > > static void*
> > > > thread_start(void *data)
> > > > {
> > > > struct nfq_handle *h;
> > > > int fd, n;
Hi Willy, Ben & Sasha,
Please, apply this commit:
commit 3c5ab3f395d66a9e4e937fcfdf6ebc63894f028b
Author: Julian Anastasov
Date: Sat Apr 29 20:33:09 2017 +0300
ipvs: SNAT packet replies only for NATed connections
to stable 3.2.y.
Julian made a backport for you, that is available at Netf
Hi Ben,
Please, apply this commit:
commit 3c5ab3f395d66a9e4e937fcfdf6ebc63894f028b
Author: Julian Anastasov
Date: Sat Apr 29 20:33:09 2017 +0300
ipvs: SNAT packet replies only for NATed connections
to stable 3.2.y.
Julian also made a backport for you, that is available at Netfilter's
pa
Hi Phil,
On Thu, Jul 20, 2017 at 05:24:45PM +0200, Phil Sutter wrote:
> The following series removes the hard-coded restriction on name length
> of tables, chains, sets and objects.
>
> The first patch introduces nla_strdup() which aids in duplicating a
> string contained in a netlink attribute.
Oleg wrote:
> On Sat, Jul 22, 2017 at 06:38:55PM +0200, Florian Westphal wrote:
> > Oleg wrote:
> > > static void*
> > > thread_start(void *data)
> > > {
> > > struct nfq_handle *h;
> > > int fd, n;
> > > static char *pkt_buf;
> >
> > static? Looks buggy...
>
> Hm, why
On Sat, Jul 22, 2017 at 06:38:55PM +0200, Florian Westphal wrote:
> Oleg wrote:
> > static void*
> > thread_start(void *data)
> > {
> > struct nfq_handle *h;
> > int fd, n;
> > static char *pkt_buf;
>
> static? Looks buggy...
Hm, why :-)? This function must be local and