READ_ONCE() now implies smp_read_barrier_depends(), which means that
the instances in arpt_do_table(), ipt_do_table(), and ip6t_do_table()
are now redundant. This commit removes them and adjusts the comments.
Signed-off-by: Paul E. McKenney
Cc: Pablo Neira Ayuso
Cc: Jozsef Kadlecsik
Cc: Floria
On Tue, Oct 10, 2017 at 01:58:41AM +1100, Duncan Roe wrote:
> Insert synopsis and description between those for add|insert and delete
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo
From: Pablo Neira Ayuso
Date: Mon, 9 Oct 2017 18:25:34 +0200
> The following patchset contains Netfilter/IPVS fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks!
Hi David,
The following patchset contains Netfilter/IPVS fixes for your net tree,
they are:
1) Fix packet drops due to incorrect ECN handling in IPVS, from Vadim
Fedorenko.
2) Fix splat with mark restoration in xt_socket with non-full-sock,
patch from Subash Abhinov Kasiviswanathan.
3) ip
From: Vadim Fedorenko
IPVS tunnel mode works as a simple tunnel (see RFC 3168), copying the ECN field
to the outer header. That results in packet drops on egress tunnels in case
the egress tunnel operates as ECN-capable with Full-functionality option
(like ip_tunnel and ip6_tunnel kernel modules), accordin
From: Florian Westphal
Removing the ipset module leaves a small window where one cpu performs
module removal while another runs a command like 'ipset flush'.
ipset uses net_generic(), unregistering the pernet ops frees this
storage area.
Fix it by first removing the user-visible api handlers an
From: Jozsef Kadlecsik
A wrong comparison prevented the hash types from adding a range with more than
2^31 addresses, but reported it as a success.
Fixes Netfilter's bugzilla id #1005, reported by Oleg Serditov and
Oliver Ford.
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
net/ne
From: Artem Savkov
It is possible for ebt_in_hook to be triggered before ebt_table is assigned
resulting in a NULL-pointer dereference. Make sure hooks are
registered as the last step.
Fixes: aee12a0a3727 ("ebtables: remove nf_hook_register usage")
Signed-off-by: Artem Savkov
Signed-off-by: Pab
From: Ross Lagerwall
Fix a race between ip_set_dump_start() and ip_set_swap().
The race is as follows:
* Without holding the ref lock, ip_set_swap() checks ref_netlink of the
set and it is 0.
* ip_set_dump_start() takes a reference on the set.
* ip_set_swap() does the swap (even though it now h
From: JingPiao Chen
# nft add table filter
# nft add chain filter c1
# nft rename chain filter c1 c2
Error: Could not process rule: No such file or directory
rename chain filter c1 c2
^^
# nft add chain filter c2
# nft rename chain filter c1 c2
# nft list table fil
Chain counters are only enabled on demand since 9f08ea848117, skip them
when dumping them via netlink.
Fixes: 9f08ea848117 ("netfilter: nf_tables: keep chain counters away from hot
path")
Reported-by: Johny Mattsson
Tested-by: Johny Mattsson
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/
From: Arvind Yadav
Free memory region, if nf_tables_set_alloc_name is not successful.
Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars")
Signed-off-by: Arvind Yadav
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 4 +++-
1 file changed, 3 ins
From: Eric Dumazet
syzkaller reports an out-of-bounds read in strlcpy(), triggered
by xt_copy_counters_from_user()
Fix this by using memcpy(), then forcing a zero byte at the last position
of the destination, as Florian did for the non COMPAT code.
Fixes: d7591f0c41ce ("netfilter: x_tables: intr
From: Lin Zhang
In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet, but
the real server may reply with an icmp error packet related to the existing
tcp conntrack, so we will access wrong tcp data.
Fix it by checking for the protocol field and only processing tcp traffic.
Signed-off-by:
From: Shmulik Ladkani
Commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") introduced
support for attaching an eBPF object by an fd, with the
'bpf_mt_check_v1' ABI expecting the '.fd' to be specified upon each
IPT_SO_SET_REPLACE call.
However this breaks subsequent iptables calls:
# iptable
From: Subash Abhinov Kasiviswanathan
An out of bounds error was detected on an ARM64 target with
Android based kernel 4.9. This occurs while trying to
restore mark on a skb from an inet request socket.
BUG: KASAN: slab-out-of-bounds in socket_match.isra.2+0xc8/0x1f0
net/netfilter/xt_socket.c:24
Insert synopsis and description between those for add|insert and delete
Signed-off-by: Duncan Roe
---
doc/nft.xml | 17 +
1 file changed, 17 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index 80ffcd7..c7e12c9 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -839,6 +839,15 @
Previously, an MSS range of e.g. 65535:1000 was silently accepted but
would then never match a packet since the kernel checks whether the MSS
value is greater than or equal to the first *and* less than or equal to
the second value.
Detect this as a parameter problem and update the man page accordi
On Mon, Oct 09, 2017 at 02:35:46PM +0200, Daniel Borkmann wrote:
> On 10/09/2017 02:27 PM, Shmulik Ladkani wrote:
> >From: Shmulik Ladkani
> >
> >Commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") introduced
> >support for attaching an eBPF object by an fd, with the
> >'bpf_mt_check_v1' ABI e
On Fri, Oct 06, 2017 at 08:17:54PM +0530, Harsha Sharma wrote:
> Static const char * array should be static const char *
> const array as per linux-kernel coding style
Applied.
On Sat, Oct 07, 2017 at 04:17:52AM +0530, Harsha Sharma wrote:
> Refer to relative path for tests from any directory if path for testcases
> is specified.
Applied, thanks.
Hi Harsha,
On Sat, Oct 07, 2017 at 04:00:33AM +0530, Harsha Sharma wrote:
> Merge assignment with return statement to directly return the value.
> Done using following coccinelle semantic patch
>
> @@
> local idexpression ret;
> expression e;
> @@
>
> -ret =
> +return
> e;
> -return ret;
>
On 10/09/2017 02:27 PM, Shmulik Ladkani wrote:
From: Shmulik Ladkani
Commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") introduced
support for attaching an eBPF object by an fd, with the
'bpf_mt_check_v1' ABI expecting the '.fd' to be specified upon each
IPT_SO_SET_REPLACE call.
However t
On Mon, Oct 9, 2017 at 5:32 PM, Pablo Neira Ayuso wrote:
> On Sat, Oct 07, 2017 at 01:11:17PM +0530, Harsha Sharma wrote:
>> On Fri, Oct 6, 2017 at 6:08 PM, Pablo Neira Ayuso
>> wrote:
>> > On Thu, Oct 05, 2017 at 03:45:39PM +0530, Harsha Sharma wrote:
>> >> Add testcases for creating named obje
From: Shmulik Ladkani
Commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") introduced
support for attaching an eBPF object by an fd, with the
'bpf_mt_check_v1' ABI expecting the '.fd' to be specified upon each
IPT_SO_SET_REPLACE call.
However this breaks subsequent iptables calls:
# iptable
On Sat, Oct 07, 2017 at 01:11:17PM +0530, Harsha Sharma wrote:
> On Fri, Oct 6, 2017 at 6:08 PM, Pablo Neira Ayuso wrote:
> > On Thu, Oct 05, 2017 at 03:45:39PM +0530, Harsha Sharma wrote:
> >> Add testcases for creating named objects with unique name, defined
> >> by user and referencing them fro
Hi Shmulik,
On 10/09/2017 01:57 PM, Pablo Neira Ayuso wrote:
On Mon, Oct 09, 2017 at 01:18:23PM +0200, Pablo Neira Ayuso wrote:
On Fri, Oct 06, 2017 at 01:40:13PM -0400, Willem de Bruijn wrote:
On Fri, Oct 6, 2017 at 12:02 PM, Shmulik Ladkani wrote:
From: Shmulik Ladkani
Commit 2c16d603326
On Mon, Oct 09, 2017 at 01:48:11PM +0200, Pablo Neira Ayuso wrote:
> Allow to use limit objects from dictionaries.
Please, ignore this. My robot accidentally included this, this is
already upstream for a while.
On Mon, Oct 09, 2017 at 01:18:23PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 06, 2017 at 01:40:13PM -0400, Willem de Bruijn wrote:
> > On Fri, Oct 6, 2017 at 12:02 PM, Shmulik Ladkani wrote:
> > > From: Shmulik Ladkani
> > >
> > > Commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") introd
The scanner rejects IPv4-Mapped IPv6 addresses, e.g.
# cat test
#!/usr/sbin/nft -f
flush ruleset
table inet global {
set blackhole_ipv6 {
type ipv6_addr
flags interval
elements = { :::0.0.0.0/96 }
}
}
# nft -f test
test:8:30-38: Error: syntax error, unexp
Allow to use limit objects from dictionaries.
Fixes: c0697eabe832 ("src: add stateful object support for limit")
Signed-off-by: Pablo Neira Ayuso
---
src/parser_bison.y | 9 +
1 file changed, 9 insertions(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index f996d9d94880..7016f5
On Fri, Oct 06, 2017 at 01:40:13PM -0400, Willem de Bruijn wrote:
> On Fri, Oct 6, 2017 at 12:02 PM, Shmulik Ladkani wrote:
> > From: Shmulik Ladkani
> >
> > Commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") introduced
> > support for attaching an eBPF object by an fd, with the
> > 'bpf_mt_
On Fri, Oct 06, 2017 at 12:44:03AM +0800, Lin Zhang wrote:
> In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet,
> but the real server may reply with an icmp error packet related to the
> existing tcp conntrack, so we will access wrong tcp data.
>
> To fix it, check for the protocol fi
On 09/10/2017 12:31 PM, Florian Westphal wrote:
Tariq Toukan wrote:
On 04/09/2017 1:42 AM, Pablo Neira Ayuso wrote:
From: Aaron Conole
This converts the storage and layout of netfilter hook entries from a
linked list to an array. After this commit, hook entries will be
stored adjacent in
Tariq Toukan wrote:
> On 04/09/2017 1:42 AM, Pablo Neira Ayuso wrote:
> >From: Aaron Conole
> >
> >This converts the storage and layout of netfilter hook entries from a
> >linked list to an array. After this commit, hook entries will be
> >stored adjacent in memory. The next pointer is no longe