Hi All,
My server had a locking problem with the logs located below. I can not
reproduce this erroneous situation again but I think that there is an
active vulnerability at my server because of this error.
My server's kernel version is v4.6.4.
What can be the cause of this error or do you have
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
flow-offload-hw-v2
head: d2a66b6aae8b1294d8cb550520485eeb03fa1619
commit: d2a66b6aae8b1294d8cb550520485eeb03fa1619 [6/6] netfilter:
nf_flow_table: add hardware offload support
config: sparc64-allyesconfig (attached as
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
flow-offload-hw-v2
head: d2a66b6aae8b1294d8cb550520485eeb03fa1619
commit: d2a66b6aae8b1294d8cb550520485eeb03fa1619 [6/6] netfilter:
nf_flow_table: add hardware offload support
config: alpha-allyesconfig (attached as .config)
Every flow_offload entry is added into the table twice. Because of this,
rhashtable_free_and_destroy can't be used, since it would call kfree for
each flow_offload object twice.
This patch adds a call to nf_flow_table_iterate_cleanup() to schedule
removal of entries, then there is an explicitly
Move the flowtable cleanup routines to nf_flow_table and expose the
nf_flow_table_cleanup() helper function.
Signed-off-by: Pablo Neira Ayuso
---
This is another dependency for the fix in patch 3/3.
include/net/netfilter/nf_flow_table.h | 3 +++
nft_flow_offload module removal does not require to flush existing
flowtables, it is valid to remove this module while keeping flowtables
around.
Signed-off-by: Pablo Neira Ayuso
---
This patch is a dependency for bugfix in patch 3/3. PATCH 2/3 moves
flowtable cleanup to the
Pablo Neira Ayuso wrote the following:
> On Mon, Feb 05, 2018 at 01:16:08PM +0100, Pablo Neira Ayuso wrote:
> > On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote:
> > >
> > > Hi devel,
> > >
> > > I am looking for some feedback on IPv6 behaviour with/without netfilter in
> > >
On Mon, 2018-02-05 at 14:41 -0800, Cong Wang wrote:
> rateest_hash is supposed to be protected by xt_rateest_mutex,
> and, as suggested by Eric, lookup and insert should be atomic,
> so we should acquire the xt_rateest_mutex once for both.
>
> So introduce a non-locking helper for internal use
Cong Wang wrote:
> rateest_hash is supposed to be protected by xt_rateest_mutex,
> and, as suggested by Eric, lookup and insert should be atomic,
> so we should acquire the xt_rateest_mutex once for both.
>
> So introduce a non-locking helper for internal use and keep
rateest_hash is supposed to be protected by xt_rateest_mutex,
and, as suggested by Eric, lookup and insert should be atomic,
so we should acquire the xt_rateest_mutex once for both.
So introduce a non-locking helper for internal use and keep the
locking one for external.
Reported-by:
When cleaning up flowtable entries, associated dst and ct entries need
to be released as well
Signed-off-by: Felix Fietkau
---
net/netfilter/nf_flow_table.c | 19 +--
1 file changed, 5 insertions(+), 14 deletions(-)
diff --git a/net/netfilter/nf_flow_table.c
Every flow_offload entry is added into the table twice. Because of this,
rhashtable_free_and_destroy can't be used, since it would call kfree for
each flow_offload object twice.
Signed-off-by: Felix Fietkau
---
include/net/netfilter/nf_flow_table.h | 2 ++
syzbot wrote:
#syz-fix: netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in
clusterip_tg_check()
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More
On Mon, Feb 05, 2018 at 01:16:08PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote:
> >
> > Hi devel,
> >
> > I am looking for some feedback on IPv6 behaviour with/without netfilter in
> > the path. We are in process of some IPv6 certification
On Mon, Feb 05, 2018 at 01:58:26PM +1000, David McCullough wrote:
>
> Hi devel,
>
> I am looking for some feedback on IPv6 behaviour with/without netfilter in
> the path. We are in process of some IPv6 certification at a lab.
>
> RFC2460 has a bunch of conditions under which certain ICMPv6
15 matches
Mail list logo