Now it's doing cleanup_entry for oldinfo under the xt_table lock,
but it's not really necessary. After the replacement job is done
in xt_replace_table, oldinfo is not used elsewhere any more, and
it can be freed without xt_table lock safely.
The important thing is that rtnl_lock is called in some
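The message above argues that oldinfo has no remaining user once the swap in xt_replace_table is visible, so its cleanup does not need to run under the table lock. The following added example (not code from the original thread or from the kernel) models that pattern in user space with a pthread mutex standing in for the xt_table lock: the swap happens under the lock, the old object is handed back, and the expensive cleanup runs after the lock is dropped. The struct names, the mutex-based reader model and the sizes are assumptions; the real kernel code uses its own per-cpu sequence counter rather than a mutex.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for xt_table_info / xt_table (assumption). */
struct table_info {
    unsigned int size;
    unsigned char *entries;   /* ruleset blob; freed by info_free() */
};

struct table {
    pthread_mutex_t lock;     /* plays the role of the xt_table lock */
    struct table_info *priv;  /* currently active ruleset */
    int frees_under_lock;     /* instrumentation: counts cleanups done while locked */
};

static struct table_info *info_alloc(unsigned int size)
{
    struct table_info *info = calloc(1, sizeof(*info));
    if (!info)
        return NULL;
    info->entries = calloc(size ? size : 1, 1);
    if (!info->entries) {
        free(info);
        return NULL;
    }
    info->size = size;
    return info;
}

/* cleanup_entry() equivalent: walks and releases the old ruleset. */
static void info_free(struct table *t, struct table_info *info)
{
    if (!info)
        return;
    if (pthread_mutex_trylock(&t->lock) == 0)
        pthread_mutex_unlock(&t->lock);   /* lock was free: cleanup ran unlocked */
    else
        t->frees_under_lock++;            /* lock held: the pattern being avoided */
    free(info->entries);
    free(info);
}

/* Swap newinfo in under the lock and hand oldinfo back. Nothing is freed
 * here: after the swap no reader can obtain oldinfo any more. */
static struct table_info *table_replace(struct table *t, struct table_info *newinfo)
{
    pthread_mutex_lock(&t->lock);
    struct table_info *oldinfo = t->priv;
    t->priv = newinfo;
    pthread_mutex_unlock(&t->lock);
    return oldinfo;
}

/* Caller side: install a new ruleset, then clean up the old one unlocked. */
static int table_update(struct table *t, unsigned int new_size)
{
    struct table_info *newinfo = info_alloc(new_size);
    if (!newinfo)
        return -1;
    struct table_info *oldinfo = table_replace(t, newinfo);
    info_free(t, oldinfo);   /* no lock held here */
    return 0;
}

static void table_init(struct table *t)
{
    memset(t, 0, sizeof(*t));
    pthread_mutex_init(&t->lock, NULL);
    t->priv = info_alloc(16);
}

static void table_destroy(struct table *t)
{
    info_free(t, t->priv);
    t->priv = NULL;
    pthread_mutex_destroy(&t->lock);
}
```

In this model the readers also take the mutex, so the same invariant the message relies on holds: once table_replace() has returned, nobody can reach oldinfo, and freeing it outside the critical section shortens the time the lock is held without opening a use-after-free window.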
Xin Long wrote:
> Now it's doing cleanup_entry for oldinfo under the xt_table lock,
> but it's not really necessary. After the replacement job is done
> in xt_replace_table, oldinfo is not used elsewhere any more, and
> it can be freed without xt_table lock safely.
Right.
> The important thing i
Gregory Vander Schueren wrote:
[ cc netdev ]
> If sysctl bridge-nf-call-iptables is enabled, iptables chains are already
> traversed from the bridging code. In such case, tproxy already happened when
> reaching ip_rcv. Thus no need to call skb_orphan as this would actually undo
> tproxy.
I don'
On Fri, Feb 16, 2018 at 12:02 PM, Florian Westphal wrote:
> Xin Long wrote:
>> Now it's doing cleanup_entry for oldinfo under the xt_table lock,
>> but it's not really necessary. After the replacement job is done
>> in xt_replace_table, oldinfo is not used elsewhere any more, and
>> it can be fre
On Fri, Feb 16, 2018 at 12:07:06PM +0100, Florian Westphal wrote:
> Gregory Vander Schueren wrote:
>
> [ cc netdev ]
>
> > If sysctl bridge-nf-call-iptables is enabled, iptables chains are already
> > traversed from the bridging code. In such case, tproxy already happened when
> > reaching ip_rc
On 30/01/2018 at 14:02, Thierry Du Tre wrote:
> This is a patch proposal to support shifted ranges in portmaps.
> (i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN
> 192.168.1.5:2000-2100)
>
> Currently DNAT only works for single port or identical port ranges.
> (i.e. ports 5000-51
During code audit I found two more bugs in CLUSTERIP,
first one is a refcount leak, second is possible use-after-free
due to kfree() of rcu-protected (and already visible) structure.
I think it's time to remove this target, so, if anyone has a good
reason to not nuke it in nf-next please let me kno
This needs to put() the entry to avoid a resource leak in error path.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c
b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index
Once struct is added to per-netns list it becomes visible to other cpus,
so we cannot use kfree().
Also delay setting entries refcount to 1 until after everything is
initialised so that when we call clusterip_config_put() in this spot
entries is still zero.
Signed-off-by: Florian Westphal
---
n
From: Alexei Starovoitov
Signed-off-by: Alexei Starovoitov
---
fs/exec.c | 40 +++-
include/linux/binfmts.h | 1 +
include/linux/umh.h | 4
kernel/module.c | 33 -
kernel/umh.c| 24 +
This is a very rough and early proof of concept that implements bpfilter.
The basic idea of bpfilter is that it can process iptables queries and
translate them in user space into BPF programs which can then get attached
at various locations. For simplicity, in this RFC we demo attaching them
to XDP
Signed-off-by: Daniel Borkmann
---
include/uapi/linux/bpf.h| 31 +++--
kernel/bpf/syscall.c| 39 +++---
net/bpfilter/Makefile | 2 +-
net/bpfilter/bpfilter.c | 59 +
net/bpfilter/bpfilter_mod.h | 285 ++-
net/bpfilter/ctor
From: "David S. Miller"
Signed-off-by: David S. Miller
Signed-off-by: Alexei Starovoitov
---
include/linux/bpfilter.h | 13 +++
include/uapi/linux/bpfilter.h | 200 ++
net/Kconfig | 2 +
net/Makefile | 1 +
ne
From: Alexei Starovoitov
Signed-off-by: Alexei Starovoitov
---
include/uapi/linux/bpf.h | 16
kernel/bpf/syscall.c | 41 +
2 files changed, 57 insertions(+)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index db6bd
On Fri, Feb 16, 2018 at 12:49:31PM +0100, Florian Westphal wrote:
> During code audit I found two more bugs in CLUSTERIP,
> first one is a refcount leak, second is possible use-after-free
> due to kfree() of rcu-protected (and already visible) structure.
>
> I think its time to remove this target,
Daniel Borkmann wrote:
> This is a very rough and early proof of concept that implements bpfilter.
[..]
> Also, as a benefit from such design, we get BPF JIT compilation on x86_64,
> arm64, ppc64, sparc64, mips64, s390x and arm32, but also rule offloading
> into HW for free for Netronome NFP Sma
Hi Florian & Pablo,
Thank you very much for your quick feedback.
On 02/16/2018 12:28 PM, Pablo Neira Ayuso wrote:
On Fri, Feb 16, 2018 at 12:07:06PM +0100, Florian Westphal wrote:
Gregory Vander Schueren wrote:
[ cc netdev ]
If sysctl bridge-nf-call-iptables is enabled, iptables chains ar
Florian Westphal wrote:
> Daniel Borkmann wrote:
> Several questions spinning at the moment, I will probably come up with
> more:
... and here there are some more ...
One of the many pain points of xtables design is the assumption of 'used
only by sysadmin'.
This has not been true for a very l
Hi Florian,
thanks for your feedback! More inline:
On 02/16/2018 03:57 PM, Florian Westphal wrote:
> Daniel Borkmann wrote:
>> This is a very rough and early proof of concept that implements bpfilter.
>
> [..]
>
>> Also, as a benefit from such design, we get BPF JIT compilation on x86_64,
>> a
In the nf_tables_set_alloc_name function, remove the get_zeroed_page,
find_first_zero_bit and set_bit functions. Instead use the ida_simple_get
function, as it simplifies the code.
Signed-off-by: Varsha Rao
---
net/netfilter/nf_tables_api.c | 27 +++
1 file changed, 11 insertions(+), 1
In ip_rcv, IPSTATS_MIB_CSUMERRORS is increased when a
checksum error occurs.
The bridge netfilter routine should increase IPSTATS_MIB_CSUMERRORS too.
Signed-off-by: Taehee Yoo
---
net/bridge/br_netfilter_hooks.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bridge/br_
Hi Florian,
On 02/16/2018 05:14 PM, Florian Westphal wrote:
> Florian Westphal wrote:
>> Daniel Borkmann wrote:
>> Several questions spinning at the moment, I will probably come up with
>> more:
>
> ... and here there are some more ...
>
> One of the many pain points of xtables design is the a
From: Florian Westphal
Date: Fri, 16 Feb 2018 15:57:27 +0100
> 4. Do you plan to reimplement connection tracking in userspace?
> If no, how will the bpf program interact with it?
The natural way to handle this, as with anything BPF related, is with
appropriate BPF helpers which would be added fo
From: Florian Westphal
Date: Fri, 16 Feb 2018 17:14:08 +0100
> Any particular reason why translating iptables rather than nftables
> (it should be possible to monitor the nftables changes that are
> announced by kernel and act on those)?
As Daniel said, iptables is by far the most deployed of t
From: Eric Dumazet
We had one report from syzkaller [1]
First issue is that INIT_WORK() should be done before mod_timer()
or we risk timer being fired too soon, even with a 1 second timer.
Second issue is that we need to reject too big info->timeout
to avoid overflows in msecs_to_jiffies(info->
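The second issue in the message above is a range check on a user-supplied timeout before it is scaled and converted. The following added example (not the patch from the thread and not kernel code) shows, in user space, why the check is needed: a seconds value from an untrusted ruleset is multiplied by 1000 into an unsigned 32-bit millisecond count, and without a bound the product wraps to a tiny value, so a timer meant to fire in years fires almost immediately. The function names, the seconds-to-milliseconds scaling and the 32-bit type are assumptions for illustration.

```c
#include <limits.h>
#include <errno.h>

/* Largest seconds value whose millisecond product still fits in 32 bits. */
#define TIMEOUT_SEC_MAX (UINT_MAX / 1000u)

/* Naive conversion, as an untrusted value would be handled without a check:
 * the multiplication silently wraps for large inputs. */
unsigned int timeout_msecs_naive(unsigned int timeout_sec)
{
    return timeout_sec * 1000u;
}

/* Checked conversion: reject anything that would overflow before scaling.
 * Returns 0 on success and stores the result, or -EINVAL on a bad value. */
int timeout_msecs_checked(unsigned int timeout_sec, unsigned int *msecs_out)
{
    if (timeout_sec == 0 || timeout_sec > TIMEOUT_SEC_MAX)
        return -EINVAL;
    *msecs_out = timeout_sec * 1000u;
    return 0;
}

/* Returns 1 when the naive path would produce a wrapped (too small) value. */
int timeout_would_wrap(unsigned int timeout_sec)
{
    return timeout_msecs_naive(timeout_sec) / 1000u != timeout_sec;
}
```

The cut-off is UINT_MAX / 1000, i.e. 4294967 seconds: one above it, 4294968 * 1000 exceeds UINT_MAX by 705 and wraps to 704 milliseconds. Rejecting the value at checkentry time, before any timer or work item is armed, keeps the arming order problem from the first issue and the overflow from the second issue from compounding.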