Apply "netfilter: nf_queue: Make the queue_handler pernet" to 4.4-stable

2018-02-09 Thread Eric Biggers
Hi Greg, can you please apply commit dc3ee32e96d7 ("netfilter: nf_queue: Make the queue_handler pernet") to 4.4-stable? syzbot is hitting the crash in nfqnl_nf_hook_drop() by interrupting thread creation in pg_net_init(). An OOM condition is not required, contrary to what is suggested by the orig

[PATCH v2 nf 9/9] netfilter: x_tables: use pr ratelimiting in all remaining spots

2018-02-09 Thread Florian Westphal
Signed-off-by: Florian Westphal --- net/ipv4/netfilter/ipt_ECN.c | 2 +- net/ipv4/netfilter/ipt_REJECT.c| 4 ++-- net/ipv4/netfilter/ipt_rpfilter.c | 2 +- net/ipv6/netfilter/ip6t_REJECT.c | 4 ++-- net/ipv6/netfilter/ip6t_rpfilter.c | 2 +- net/ipv6/netfilter/ip6t_srh.c |

[PATCH v2 nf 8/9] netfilter: x_tables: use pr ratelimiting in matches/targets

2018-02-09 Thread Florian Westphal
All of these print a simple error message; use a single pr_ratelimit call. checkpatch complains about lines > 80, but this would require splitting several "literals" over multiple lines, which is worse. Signed-off-by: Florian Westphal --- net/netfilter/xt_HMARK.c| 17 +++-- net/netfil

[PATCH v2 nf 7/9] netfilter: x_tables: rate-limit table mismatch warnings

2018-02-09 Thread Florian Westphal
Signed-off-by: Florian Westphal --- no changes. net/ipv4/netfilter/ipt_rpfilter.c | 4 ++-- net/ipv6/netfilter/ip6t_rpfilter.c | 4 ++-- net/netfilter/xt_CONNSECMARK.c | 4 ++-- net/netfilter/xt_SECMARK.c | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/net/i

[PATCH v2 nf 1/9] netfilter: x_tables: remove pr_info where possible

2018-02-09 Thread Florian Westphal
remove several pr_info messages that cannot be triggered with iptables, the check is only to ensure input is sane. iptables(8) already prints error messages in these cases. Signed-off-by: Florian Westphal --- Changes since v2: - remove a few more pr_info (dscp, checksum) net/ipv4/netfilter/i

[PATCH v2 nf 2/9] netfilter: x_tables: use pr ratelimiting in xt core

2018-02-09 Thread Florian Westphal
most messages are converted to info, since they occur in response to wrong usage. Size mismatch however is a real error (xtables ABI bug) that should not occur. Signed-off-by: Florian Westphal --- changes since v1: - use info (not err) for most cases. net/netfilter/x_tables.c | 70 ++

[PATCH v2 nf 5/9] netfilter: xt_set: use pr ratelimiting

2018-02-09 Thread Florian Westphal
Also convert this to info for consistency. These errors are informational messages to the user, given iptables doesn't have a netlink extack equivalent. Signed-off-by: Florian Westphal --- patch is new in v2 (split away from different patch). net/netfilter/xt_set.c | 50 +--

[PATCH v2 nf 6/9] netfilter: bridge: use pr ratelimiting

2018-02-09 Thread Florian Westphal
ebt_among still uses pr_err -- these errors indicate ebtables tool bug, not a usage error. Signed-off-by: Florian Westphal --- patch is new in v2 (split away from different patch). net/bridge/netfilter/ebt_among.c | 10 +- net/bridge/netfilter/ebt_limit.c | 4 ++-- 2 files changed, 7

[PATCH v2 nf 4/9] netfilter: xt_NFQUEUE: use pr ratelimiting

2018-02-09 Thread Florian Westphal
switch this to info, since these aren't really errors. We only use printk because we cannot report meaningful errors in the xtables framework. Signed-off-by: Florian Westphal --- Patch is new in v2. net/netfilter/xt_NFQUEUE.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff -

[PATCH v2 nf 0/9] netfilter: x_tables: use printk ratelimiting

2018-02-09 Thread Florian Westphal
Aeons ago, before namespaces, there was no need to ratelimit this: all of these error messages got triggered in response to iptables commands, which need CAP_NET_ADMIN. Nowadays we have namespaces, so it's better to ratelimit these. This should also help fuzzing (syzkaller), as it can generate a la

[PATCH v2 nf 3/9] netfilter: xt_CT: use pr ratelimiting

2018-02-09 Thread Florian Westphal
checkpatch complains about a line > 80, but this would require splitting a "literal" over two lines, which is worse. Signed-off-by: Florian Westphal --- no changes since v1. net/netfilter/xt_CT.c | 25 + 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/net/netfi

[PATCH] src: fix build with older glibc

2018-02-09 Thread Baruch Siach
glibc before 2.19 missed the definition of IPPROTO_MH. This leads to build failure: parser_bison.y: In function 'nft_parse': parser_bison.y:3793:21: error: 'IPPROTO_MH' undeclared (first use in this function) | MH { $$ = IPPROTO_MH; } ^ Since we have a local definition o