Hi Jann,
On Thu, 7 Dec 2017 01:48:14 +0100 Jann Horn wrote:
>
> > I can't tell if the strlen test from the former is still needed, so I
> > just used the vfs tree version for now.
>
> Yeah, both of the checks from the netfilter tree are still necessary
> independent of the commit from the vfs
Hi all,
Today's linux-next merge of the netfilter-next tree got a conflict in:
net/netfilter/nf_conntrack_h323_asn1.c
between commit:
bc7d811ace4a ("netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function")
from the netfilter tree and commit:
e3e52b49c9e7 ("netfilter: nf_conntrack_
On Thu, Dec 7, 2017 at 1:10 AM, Stephen Rothwell wrote:
> Hi Al,
>
> Today's linux-next merge of the vfs tree got a conflict in:
>
> net/netfilter/xt_bpf.c
>
> between commit:
>
> 6ab405114b0b ("netfilter: xt_bpf: add overflow checks")
>
> from the netfilter tree and commit:
>
> af58d2496b49
Hi Linus,
On Mon, Dec 04, 2017 at 05:53:35AM +0100, Linus Lüssing wrote:
> Hi Pablo,
>
> Thanks for your reply!
>
> On Tue, Nov 28, 2017 at 12:30:08AM +0100, Pablo Neira Ayuso wrote:
> > [...]
> > > diff --git a/net/bridge/netfilter/ebt_limit.c
> > > b/net/bridge/netfilter/ebt_limit.c
> > > ind
Hi Al,
Today's linux-next merge of the vfs tree got a conflict in:
net/netfilter/xt_bpf.c
between commit:
6ab405114b0b ("netfilter: xt_bpf: add overflow checks")
from the netfilter tree and commit:
af58d2496b49 ("fix "netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of
'xt_bpf_info_v1
Hi Phil,
On Tue, Dec 05, 2017 at 02:43:17PM +0100, Phil Sutter wrote:
[...]
> My "vision" for an extended API which actually provides an additional
> benefit is something that allows to work with the entities nft language
> defines in an abstract manner, ideally without having to invoke the
> pars
From: Pravin Shedge
Date: Wed, 6 Dec 2017 23:02:58 +0530
> These duplicate includes have been found with scripts/checkincludes.pl but
> they have been removed manually to avoid removing false positives.
>
> Signed-off-by: Pravin Shedge
Networking patches need to be sent to net...@vger.kernel.
On Sun, Dec 03, 2017 at 12:58:48AM +0100, Florian Westphal wrote:
> Not all families share the same hook count.
>
> Can't use the corresponding ARP, BRIDGE, DECNET defines because they are
> defined in uapi headers and including them causes build failures.
>
> struct net before:
> /* size: 6592,
Hi Florian,
On Thu, Dec 07, 2017 at 01:59:32AM +0800, kbuild test robot wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
> master
> head: bcbfcb63a93704140d66f49b6f7d783988f37b4e
> commit: bcbfcb63a93704140d66f49b6f7d783988f37b4e [14/14] netfilter: reduce
> ho
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: bcbfcb63a93704140d66f49b6f7d783988f37b4e
commit: bcbfcb63a93704140d66f49b6f7d783988f37b4e [14/14] netfilter: reduce hook
array sizes to what is needed
config: i386-randconfig-x002-201749 (attached as .config)
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: bcbfcb63a93704140d66f49b6f7d783988f37b4e
commit: bcbfcb63a93704140d66f49b6f7d783988f37b4e [14/14] netfilter: reduce hook
array sizes to what is needed
config: i386-randconfig-x014-201749 (attached as .config)
These duplicate includes have been found with scripts/checkincludes.pl but
they have been removed manually to avoid removing false positives.
Signed-off-by: Pravin Shedge
---
net/core/netprio_cgroup.c| 1 -
net/dsa/slave.c | 1 -
net/netfilter/nf_conntrack_netlin
replacement for iptables "-m policy --dir in --policy {ipsec,none}".
Signed-off-by: Florian Westphal
---
Changes since v1:
- add ifdef CONFIG_XFRM in nft_meta_get_validate, no need for any
check if we don't support xfrm.
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_meta
This allows to reuse xt_connlimit infrastructure from nf_tables.
The upcoming nf_tables frontend can just pass in an nftables register
as input key, this allows limiting by arbitrary keys via concatenations.
For xt_connlimit, pass in the zone and the ip/ipv6 address as key
to keep same behaviour.
This patch takes the argument of the '-D' option and passes it to
nft_run_cmd_from_filename and parses the string in scanner_push_file along
with input file.
Signed-off-by: Harsha Sharma
---
I want to parse both input string and input file in scanner_push_file
but unable to do so. Any suggestions are welco
On Wed, Dec 06, 2017 at 09:15:44AM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 20, 2017 at 12:05:54AM +0900, Taehee Yoo wrote:
> > The goal of this patch set is to use the ASN.1 decoder library
> > to parse SNMP ASN.1 payload.
>
> Series applied, thanks.
I'm hitting this here:
net/ipv4/netfil
On Wed, Nov 22, 2017 at 07:14:28PM +0100, Simon Horman wrote:
> On Mon, Nov 13, 2017 at 10:58:18PM +0800, gfree.w...@vip.163.com wrote:
> > From: Gao Feng
> >
> > The param of frag_safe_skb_hp, ipvsh, isn't used now. So remove it and
> > update the callers' codes too.
> >
> > Signed-off-by: Gao
On Thu, Nov 30, 2017 at 07:34:36PM +0530, Varsha Rao wrote:
> Change old multi-line comment style to kernel comment style and
> remove unwanted comments.
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel
On Sun, Dec 03, 2017 at 12:58:46AM +0100, Florian Westphal wrote:
> struct net contains:
>
> struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
>
> where NFPROTO_NUMPROTO = 13 and NF_MAX_HOOKS = 8.
>
> ... and that needs a *lot* more space than what we really need.
> We only ne
On Fri, Dec 01, 2017 at 12:21:01AM +0100, Florian Westphal wrote:
> This patch series removes all synchronize_net() calls from netfilter core
> to speed up net namespace create/delete rate.
>
> Freeing of hooks is moved to call_rcu at the cost of additional 24 bytes
> at the end of each rule blob.
On Fri, Dec 01, 2017 at 08:25:55PM +0100, Jozsef Kadlecsik wrote:
> Hi Florian,
>
> On Thu, 30 Nov 2017, Florian Westphal wrote:
>
> > When sets are extremely large we can get softlockup during ipset -L. We
> > could fix this by adding cond_resched_rcu() at the right location during
> > iterati
On Fri, Dec 01, 2017 at 08:14:48PM +0100, Jozsef Kadlecsik wrote:
> Hi Florian,
>
> On Thu, 30 Nov 2017, Florian Westphal wrote:
>
> > Check that we really hold nfnl mutex here instead of relying on correct
> > usage alone.
> >
> > Signed-off-by: Florian Westphal
>
> Yes, it's better this way
On Mon, Nov 20, 2017 at 12:05:54AM +0900, Taehee Yoo wrote:
> The goal of this patch set is to use the ASN.1 decoder library
> to parse SNMP ASN.1 payload.
Series applied, thanks.
On Tue, Dec 05, 2017 at 03:42:41PM -0800, Kevin Cernekee wrote:
> The capability check in nfnetlink_rcv() verifies that the caller
> has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
> However, xt_osf_fingers is shared by all net namespaces on the
> system. An unprivileged user ca