[PATCH nft] parser: support of maps with timeout

2018-03-02 Thread Laura Garcia Liebana
Support of key and value association with a certain timeout. Example: nft add map nftlb mapa { type inet_service: ipv4_addr\; timeout 5s\; } Results in: table ip nftlb { map mapa { type inet_service : ipv4_addr timeout 5s } } Signed-off-by: Laur

Re: [nft PATCH 0/6] A number of covscan-induced fixes

2018-03-02 Thread Pablo Neira Ayuso
On Thu, Mar 01, 2018 at 03:00:26PM +0100, Phil Sutter wrote: > The following series fixes (potential) issues identified by a static > code checker, so may appear a bit artificial at times. Series applied, thanks Phil. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

Re: [PATCH nft] parser: support of maps with timeout

2018-03-02 Thread Pablo Neira Ayuso
On Fri, Mar 02, 2018 at 10:50:18AM +0100, Laura Garcia Liebana wrote: > Support of key and value association with a certain timeout. > > Example: > > nft add map nftlb mapa { type inet_service: ipv4_addr\; > timeout 5s\; } > > Results in: > > table ip nftlb { > map mapa { >

Re: [PATCH nft] parser: support of maps with timeout

2018-03-02 Thread Arturo Borrero Gonzalez
On 2 March 2018 at 11:47, Pablo Neira Ayuso wrote: > On Fri, Mar 02, 2018 at 10:50:18AM +0100, Laura Garcia Liebana wrote: >> Support of key and value association with a certain timeout. >> >> Example: >> >> nft add map nftlb mapa { type inet_service: ipv4_addr\; >> timeout 5s\; } >> >> Results i

[PATCH trivial resend] netfilter: xt_limit: Spelling s/maxmum/maximum/

2018-03-02 Thread Geert Uytterhoeven
Signed-off-by: Geert Uytterhoeven --- net/netfilter/xt_limit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c index 55d18cd676356cc9..9f098ecb24497e9a 100644 --- a/net/netfilter/xt_limit.c +++ b/net/netfilter/xt_limit.c @@ -

[PATCH nft] fix integer type size to be used as a key for sets and maps

2018-03-02 Thread Laura Garcia Liebana
Includes the size of the type integer in order to be used as a key in a map or set. Without this patch we obtain the following error: Error: unqualified key type integer specified in map definition add map nftlb mapa { type integer : ipv4_addr; timeout 5s; } ^^^

Re: [PATCH nft] fix integer type size to be used as a key for sets and maps

2018-03-02 Thread Phil Sutter
Hi Laura, On Fri, Mar 02, 2018 at 05:34:02PM +0100, Laura Garcia Liebana wrote: [...] > diff --git a/src/datatype.c b/src/datatype.c > index 324ac80..06015bb 100644 > --- a/src/datatype.c > +++ b/src/datatype.c > @@ -356,6 +356,7 @@ const struct datatype integer_type = { > .type =

Re: [PATCH nft] fix integer type size to be used as a key for sets and maps

2018-03-02 Thread Laura Garcia Liebana
On Fri, Mar 02, 2018 at 06:58:44PM +0100, Phil Sutter wrote: > Hi Laura, > > On Fri, Mar 02, 2018 at 05:34:02PM +0100, Laura Garcia Liebana wrote: > [...] > > diff --git a/src/datatype.c b/src/datatype.c > > index 324ac80..06015bb 100644 > > --- a/src/datatype.c > > +++ b/src/datatype.c > > @@ -35

[PATCH 00/14] Netfilter/IPVS fixes for net

2018-03-02 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Put back reference on CLUSTERIP configuration structure from the error path, patch from Florian Westphal. 2) Put reference on CLUSTERIP configuration instead of freeing it, another cpu may still be wa

[PATCH 11/14] netfilter: nf_tables: return EBUSY if device already belongs to flowtable

2018-03-02 Thread Pablo Neira Ayuso
If the netdevice is already part of a flowtable, return EBUSY. I cannot find a valid usecase for having two flowtables bound to the same netdevice. We can still have two flowtables where the device set is disjoint. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 18 ++

[PATCH 12/14] netfilter: nf_tables: missing attribute validation in nf_tables_delflowtable()

2018-03-02 Thread Pablo Neira Ayuso
Return -EINVAL if mandatory attributes are missing. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 5 + 1 file changed, 5 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 43acdeef045d..2b5aa78979db 100644 --- a/net/netfilte

[PATCH 01/14] netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount

2018-03-02 Thread Pablo Neira Ayuso
From: Florian Westphal This needs to put() the entry to avoid a resource leak in error path. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter/i

[PATCH 07/14] netfilter: nf_flow_table: fix checksum when handling DNAT

2018-03-02 Thread Pablo Neira Ayuso
From: Felix Fietkau Add a missing call to csum_replace4 like on SNAT. Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/nf_flow_table_ipv4.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv4/netfilter/nf_flow_table_ipv4.c b/net/ipv4/netfilter/nf_
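The patch above adds the csum_replace4() call that DNAT was missing. The following is an added example, not kernel code and not part of the patch: it implements the same RFC 1624 incremental update over a constructed IPv4 header, applies a destination rewrite with and without the fix, and checks the result against a full recomputation. All names (ipv4_csum_full, csum_replace4_example, rewrite_daddr, the sample header) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint16_t load16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void store16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t load32(const uint8_t *p) { return ((uint32_t)load16(p) << 16) | load16(p + 2); }
static void store32(uint8_t *p, uint32_t v) { store16(p, (uint16_t)(v >> 16)); store16(p + 2, (uint16_t)v); }

/* Fold a 32-bit one's-complement accumulator down to 16 bits. */
static uint16_t csum_fold(uint32_t s)
{
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* One's-complement sum of the 16-bit words of an even-length header. */
static uint32_t ones_sum(const uint8_t *p, size_t len)
{
    uint32_t acc = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        acc += load16(p + i);
    return acc;
}

/* Full recomputation over the header with the checksum field zeroed. */
uint16_t ipv4_csum_full(const uint8_t *hdr, size_t hlen)
{
    uint8_t tmp[60];
    if (hlen < 20 || hlen > sizeof tmp)
        return 0;
    memcpy(tmp, hdr, hlen);
    tmp[10] = tmp[11] = 0;
    return (uint16_t)~csum_fold(ones_sum(tmp, hlen));
}

/* A header whose checksum is consistent sums to 0xffff including the field. */
int ipv4_csum_ok(const uint8_t *hdr, size_t hlen)
{
    return csum_fold(ones_sum(hdr, hlen)) == 0xffff;
}

/* Incremental update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), m being the
 * old 32-bit word and m' the new one. This is what csum_replace4() computes. */
uint16_t csum_replace4_example(uint16_t hc, uint32_t from, uint32_t to)
{
    uint32_t s = (uint16_t)~hc;
    s += (~from >> 16) & 0xffff;
    s += ~from & 0xffff;
    s += to >> 16;
    s += to & 0xffff;
    return (uint16_t)~csum_fold(s);
}

/* Rewrite the destination address in place (what DNAT does). With fix_csum
 * zero the header checksum is left stale, the bug the patch corrects. */
void rewrite_daddr(uint8_t *hdr, uint32_t new_daddr, int fix_csum)
{
    uint32_t old_daddr = load32(hdr + 16);
    store32(hdr + 16, new_daddr);
    if (fix_csum)
        store16(hdr + 10, csum_replace4_example(load16(hdr + 10), old_daddr, new_daddr));
}

/* Constructed sample: the textbook 20-byte TCP header 172.16.10.99 -> 172.16.10.12,
 * whose correct checksum is 0xb1e6. */
const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0xb1, 0xe6,
    0xac, 0x10, 0x0a, 0x63, 0xac, 0x10, 0x0a, 0x0c,
};

/* DNAT a copy of the sample and return the checksum field afterwards. */
uint16_t dnat_sample_csum(uint32_t new_daddr, int fix_csum)
{
    uint8_t h[20];
    memcpy(h, sample_hdr, sizeof h);
    rewrite_daddr(h, new_daddr, fix_csum);
    return load16(h + 10);
}

/* DNAT a copy of the sample and report whether the header still verifies. */
int dnat_sample_valid(uint32_t new_daddr, int fix_csum)
{
    uint8_t h[20];
    memcpy(h, sample_hdr, sizeof h);
    rewrite_daddr(h, new_daddr, fix_csum);
    return ipv4_csum_ok(h, sizeof h);
}

/* Cross-check: the incremental result equals a full recomputation. */
int dnat_sample_matches_full(uint32_t new_daddr)
{
    uint8_t h[20];
    memcpy(h, sample_hdr, sizeof h);
    rewrite_daddr(h, new_daddr, 1);
    return load16(h + 10) == ipv4_csum_full(h, sizeof h);
}

int main(void)
{
    uint32_t nd = 0x0a000005u; /* 10.0.0.5 */
    printf("original: csum 0x%04x verifies=%d\n", ipv4_csum_full(sample_hdr, 20), ipv4_csum_ok(sample_hdr, 20));
    printf("DNAT, csum untouched: 0x%04x verifies=%d\n", dnat_sample_csum(nd, 0), dnat_sample_valid(nd, 0));
    printf("DNAT, csum_replace4:  0x%04x verifies=%d matches_full=%d\n",
           dnat_sample_csum(nd, 1), dnat_sample_valid(nd, 1), dnat_sample_matches_full(nd));
    return 0;
}
```

The incremental form never needs the rest of the header, which is why the flow table fast path uses it; the price is that forgetting it on one of the two NAT directions leaves the packet with a checksum that the next hop will reject, which is exactly the symptom here.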

[PATCH 14/14] ipvs: remove IPS_NAT_MASK check to fix passive FTP

2018-03-02 Thread Pablo Neira Ayuso
From: Julian Anastasov The IPS_NAT_MASK check in 4.12 replaced previous check for nfct_nat() which was needed to fix a crash in 2.6.36-rc, see commit 7bcbf81a2296 ("ipvs: avoid oops for passive FTP"). But as IPVS does not set the IPS_SRC_NAT and IPS_DST_NAT bits, checking for IPS_NAT_MASK prevent

[PATCH 09/14] netfilter: don't set F_IFACE on ipv6 fib lookups

2018-03-02 Thread Pablo Neira Ayuso
From: Florian Westphal "fib" starts to behave strangely when an ipv6 default route is added - the FIB lookup returns a route using 'oif' in this case. This behaviour was inherited from ip6tables rpfilter so change this as well. Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1221 Signe

[PATCH 10/14] netfilter: use skb_to_full_sk in ip6_route_me_harder

2018-03-02 Thread Pablo Neira Ayuso
From: Eric Dumazet For some reason, Florian forgot to apply to ip6_route_me_harder the fix that went in commit 29e09229d9f2 ("netfilter: use skb_to_full_sk in ip_route_me_harder") Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")  Signed-off-by: Eric Dum

[PATCH 05/14] netfilter: ebtables: convert BUG_ONs to WARN_ONs

2018-03-02 Thread Pablo Neira Ayuso
From: Florian Westphal All of these conditions are not fatal and should have been WARN_ONs from the get-go. Convert them to WARN_ONs and bail out. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/bridge/netfilter/ebtables.c | 27 ++- 1 file cha

[PATCH 13/14] netfilter: nf_tables: use the right index from flowtable error path

2018-03-02 Thread Pablo Neira Ayuso
Use the right loop index, not the number of devices in the array that we need to remove, the following message uncovered the problem: [ 5437.044119] hook not found, pf 5 num 0 [ 5437.044140] WARNING: CPU: 2 PID: 24983 at net/netfilter/core.c:376 __nf_unregister_net_hook+0x250/0x280 Signed-off-by

[PATCH 06/14] netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

2018-03-02 Thread Pablo Neira Ayuso
From: Florian Westphal We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order. The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing. Briefly tested with simple ruleset

[PATCH 04/14] netfilter: bridge: ebt_among: add missing match size checks

2018-03-02 Thread Pablo Neira Ayuso
From: Florian Westphal ebt_among is special, it has a dynamic match size and is exempt from the central size checks. Therefore it must check that the size of the match structure provided from userspace is sane by making sure em->match_size is at least the minimum size of the expected structure.
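Patches 06 and 04 above both validate userland-supplied layout data before trusting it: offsets that must stay inside the blob and ascend, and a dynamically sized match whose claimed size must be at least what its own counts imply. The block below is an added example that is not kernel code and not ebtables' format: it defines a small blob format of its own (blob_hdr, match_hdr), applies both checks in blob_validate(), and exercises them against constructed good and malformed blobs. It goes beyond the patches in also rejecting overlapping entries and in doing the size arithmetic in 64 bits so a large count cannot wrap the computed size.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum {
    BLOB_OK = 0,
    BLOB_ETRUNC = -1,    /* blob shorter than it claims, or than a header needs */
    BLOB_EOFFSET = -2,   /* entry offset outside the blob or inside the table */
    BLOB_EORDER = -3,    /* offsets not ascending / entries overlap */
    BLOB_ESIZE = -4,     /* match_size inconsistent with the structure */
    BLOB_EOVERFLOW = -5  /* size arithmetic would wrap a 32-bit size */
};

/* Hypothetical blob layout, host byte order:
 *   struct blob_hdr, then uint32_t offsets[nentries];
 *   at each offset: struct match_hdr, then uint32_t keys[nkeys]. */
struct blob_hdr  { uint32_t total_size; uint32_t nentries; };
struct match_hdr { uint32_t match_size; uint32_t nkeys; };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }

/* Check one dynamically sized match against the bytes that remain. */
static int check_match(const uint8_t *p, size_t avail, uint32_t *size_out)
{
    struct match_hdr m;
    uint64_t need;

    if (avail < sizeof m)
        return BLOB_ETRUNC;
    memcpy(&m, p, sizeof m);
    /* claimed size must cover the fixed header and must not run past the buffer */
    if (m.match_size < sizeof m || m.match_size > avail)
        return BLOB_ESIZE;
    /* the dynamic part, computed in 64 bits: sizeof m + nkeys * 4 in 32-bit
     * arithmetic wraps back to a small value for nkeys = 0x40000000 */
    need = sizeof m + (uint64_t)m.nkeys * sizeof(uint32_t);
    if (need > UINT32_MAX)
        return BLOB_EOVERFLOW;
    if (m.match_size < need)
        return BLOB_ESIZE;
    *size_out = m.match_size;
    return BLOB_OK;
}

int blob_validate(const uint8_t *buf, size_t len)
{
    struct blob_hdr h;
    uint64_t table_end;
    uint32_t i, prev_end = 0;

    if (len < sizeof h)
        return BLOB_ETRUNC;
    memcpy(&h, buf, sizeof h);
    if (h.total_size != len)          /* claimed length must match what we hold */
        return BLOB_ETRUNC;
    table_end = sizeof h + (uint64_t)h.nentries * sizeof(uint32_t);
    if (table_end > len)
        return BLOB_ETRUNC;

    for (i = 0; i < h.nentries; i++) {
        uint32_t off = rd32(buf + sizeof h + (size_t)i * sizeof(uint32_t));
        uint32_t msize;
        int rc;

        if (off < table_end || off >= len)   /* inside the blob, past the table */
            return BLOB_EOFFSET;
        if (i > 0 && off < prev_end)         /* ascending and non-overlapping */
            return BLOB_EORDER;
        rc = check_match(buf + off, len - off, &msize);
        if (rc != BLOB_OK)
            return rc;
        prev_end = off + msize;              /* <= len, so cannot wrap here */
    }
    return BLOB_OK;
}

static size_t put32(uint8_t *b, size_t at, uint32_t v) { memcpy(b + at, &v, sizeof v); return at + 4; }

/* Constructed input: two entries (16 + 12 bytes) after a 16-byte header/table,
 * 44 bytes in all; each variant corrupts one field the way a hostile
 * userland would. */
int blob_demo(int variant)
{
    uint8_t b[64];
    size_t n = 0;
    uint32_t total = 44, off_a = 16, off_b = 32;
    uint32_t size_a = 16, nkeys_a = 2, size_b = 12, nkeys_b = 1;

    switch (variant) {
    case 1: off_b = 60;            break;   /* offset past the end of the blob */
    case 2: off_b = 16;            break;   /* not ascending: points back at entry A */
    case 3: nkeys_a = 3;           break;   /* claims more keys than match_size holds */
    case 4: nkeys_a = 0x40000000u; break;   /* nkeys * 4 wraps a 32-bit size */
    case 5: total = 1000;          break;   /* header lies about the total length */
    default: break;
    }
    n = put32(b, n, total);  n = put32(b, n, 2);
    n = put32(b, n, off_a);  n = put32(b, n, off_b);
    n = put32(b, n, size_a); n = put32(b, n, nkeys_a);
    n = put32(b, n, 0x0a000001u); n = put32(b, n, 0x0a000002u);
    n = put32(b, n, size_b); n = put32(b, n, nkeys_b); n = put32(b, n, 0x0a000003u);
    return blob_validate(b, n);
}

int main(void)
{
    for (int v = 0; v <= 5; v++)
        printf("variant %d -> %d\n", v, blob_demo(v));
    return 0;
}
```

The order of the checks matters: the claimed size is bounded by the bytes actually available before the count-derived size is compared against it, so a structure is never read past the end of the buffer even while deciding whether to reject it.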

[PATCH 03/14] netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt

2018-03-02 Thread Pablo Neira Ayuso
From: Florian Westphal l4proto->manip_pkt() can cause reallocation of skb head so pointer to the ipv6 header must be reloaded. Reported-and-tested-by: Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/ipv6
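The defect class above, a pointer into a buffer kept across a call that may reallocate that buffer, is easy to reproduce outside the kernel. The following is an added example, not kernel code and not the patch: a stand-in packet structure whose manip_pkt_stub() grows the data in place when there is tailroom and moves it otherwise, next to the buggy shape (header pointer captured before the call) and the fixed shape (pointer reloaded after it). The buggy path only reports that its pointer went stale instead of writing through it. Names (struct pkt, manip_pkt_stub, nat_manip_keeps_pointer, nat_manip_reloads_pointer) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-in for an sk_buff: a heap buffer holding one packet. */
struct pkt {
    uint8_t *head;   /* start of packet data; the IPv6 header sits here */
    size_t len;
    size_t room;     /* allocated size */
};

/* Stand-in for l4proto->manip_pkt(): a transport-layer rewrite that may need
 * more space. With room left it grows in place; otherwise the data moves to
 * a fresh allocation and the old one is freed. Returns 1 if it moved. */
int manip_pkt_stub(struct pkt *p, size_t extra)
{
    if (p->len + extra <= p->room) {
        p->len += extra;
        return 0;
    }
    size_t room = p->len + extra;
    uint8_t *n = malloc(room);
    if (!n)
        return -1;
    memcpy(n, p->head, p->len);
    free(p->head);           /* the old head is now dangling */
    p->head = n;
    p->room = room;
    p->len += extra;
    return 1;
}

/* Buggy shape: the header pointer is taken before the call and kept across it.
 * The real code then wrote the NATed address through it; here we only report
 * whether it went stale, without dereferencing it. */
int nat_manip_keeps_pointer(struct pkt *p, size_t extra)
{
    uint8_t *ip6h = p->head;
    if (manip_pkt_stub(p, extra) < 0)
        return -1;
    return ip6h != p->head;  /* 1: a write through ip6h would be a use-after-free */
}

/* Fixed shape: reload the header pointer after any call that may move the
 * head, then write the new destination address (offset 24 of the IPv6 header). */
int nat_manip_reloads_pointer(struct pkt *p, size_t extra, const uint8_t daddr[16])
{
    uint8_t *ip6h;
    if (manip_pkt_stub(p, extra) < 0)
        return -1;
    ip6h = p->head;          /* reload: p->head may have changed */
    memcpy(ip6h + 24, daddr, 16);
    return 0;
}

/* Constructed packet: a zeroed 40-byte IPv6 header with 8 bytes of tailroom. */
static int pkt_init(struct pkt *p)
{
    p->len = 40;
    p->room = 48;
    p->head = calloc(1, p->room);
    if (!p->head)
        return -1;
    p->head[0] = 0x60;       /* version 6 */
    return 0;
}

/* extra = 4 fits the tailroom; extra = 64 forces a move. */
int demo_stale(int force_move)
{
    struct pkt p;
    int r;
    if (pkt_init(&p))
        return -1;
    r = nat_manip_keeps_pointer(&p, force_move ? 64 : 4);
    free(p.head);
    return r;
}

/* 1 if the fixed shape wrote the address into the live buffer. */
int demo_reload(int force_move)
{
    static const uint8_t daddr[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
    struct pkt p;
    int ok;
    if (pkt_init(&p))
        return -1;
    if (nat_manip_reloads_pointer(&p, force_move ? 64 : 4, daddr) < 0) {
        free(p.head);
        return -1;
    }
    ok = p.head[0] == 0x60 && memcmp(p.head + 24, daddr, 16) == 0;
    free(p.head);
    return ok;
}

int main(void)
{
    printf("no move: stale=%d fixed_ok=%d\n", demo_stale(0), demo_reload(0));
    printf("moved:   stale=%d fixed_ok=%d\n", demo_stale(1), demo_reload(1));
    return 0;
}
```

The no-move case is why such bugs survive testing: as long as the packet has tailroom the stale pointer is still correct, and the use-after-free only appears for the packets that need the buffer expanded.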

[PATCH 08/14] netfilter: increase IPSTATS_MIB_CSUMERRORS stat

2018-03-02 Thread Pablo Neira Ayuso
From: Taehee Yoo In ip_rcv, IPSTATS_MIB_CSUMERRORS is increased when a checksum error occurs. The bridge netfilter routine should increase IPSTATS_MIB_CSUMERRORS too. Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- net/bridge/br_netfilter_hooks.c | 4 +++- 1 file changed, 3 inse

[PATCH 02/14] netfilter: ipt_CLUSTERIP: put config instead of freeing it

2018-03-02 Thread Pablo Neira Ayuso
From: Florian Westphal Once struct is added to per-netns list it becomes visible to other cpus, so we cannot use kfree(). Also delay setting entries refcount to 1 until after everything is initialised so that when we call clusterip_config_put() in this spot entries is still zero. Signed-off-by:

Re: [PATCH 00/14] Netfilter/IPVS fixes for net

2018-03-02 Thread David Miller
From: Pablo Neira Ayuso Date: Fri, 2 Mar 2018 21:32:48 +0100 > The following patchset contains Netfilter fixes for your net tree, > they are: ... > You can pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Pulled, thank you. -- To unsubscribe from this