From: Gao Feng
The helper and timeout strings are from user-space, we need to make
sure they are null terminated. If not, evil user could make kernel
read the unexpected memory, even print it when fail to find by the
following codes.
pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
Rosysong wrote:
> I met a strange issue on nftables when I ran my commands on Linux (mips
> target, linux-4.9.102).
> Using specific ip address can not restrict the traffic flow while using
> broadcast address is ok (The ip for my machine is 192.168.2.223). Anybody
> can tell me why
This extends log statement to support the behaviour achieved with
AUDIT target in iptables.
Audit logging is enabled via a pseudo log level 8. In this case any
other settings like log prefix are ignored since audit log format is
fixed.
Signed-off-by: Phil Sutter
---
Two reports point to a crash in nft when 'flush' is provided
on existing ruleset. In that case, nft will crash with a null-ptr
dereference.
"evaluate: do not inconditionally update cache from flush command"
causes the commit to fail due to a cache inconsistency, we then trip
over NULL
On Tue, May 29, 2018 at 9:27 AM, Alin Năstac wrote:
> On Mon, May 28, 2018 at 9:54 PM, Pablo Neira Ayuso
> wrote:
>> On Mon, May 28, 2018 at 06:07:29PM +0200, Alin Nastac wrote:
>>> Signed-off-by: Alin Nastac
>>> ---
>>> include/linux/netfilter_bridge/ebt_limit.h | 4
>>>
On Tue, May 29, 2018 at 02:34:13PM +0200, Florian Westphal wrote:
> without this followup fix to recent commit jumps are evaluated
> like gotos due to bogus restore of rule head.
> We need to store not the rule, but the next rule location in the
> current-generation rules array.
>
> Fixes:
without this followup fix to recent commit jumps are evaluated
like gotos due to bogus restore of rule head.
We need to store not the rule, but the next rule location in the
current-generation rules array.
Fixes: 5f861203063fd ("netfilter: nf_tables: remove synchronize_rcu in commit
phase")
kbuild test robot wrote:
> >> include/linux/rcupdate.h:686:9: sparse: context imbalance in
> >> 'nft_netlink_dump_start_rcu' - unexpected unlock
Yep, I forgot to mention this in change log.
I don't know how to fix this.
nft_netlink_dump_start_rcu() is called with rcu read lock held.
But we
Hi all,
I met a strange issue on nftables when I ran my commands on Linux (mips
target, linux-4.9.102).
Using specific ip address can not restrict the traffic flow while using
broadcast address is ok (The ip for my machine is 192.168.2.223). Anybody can
tell me why ??
table ip
Hi,
On Tue, 29 May 2018, Pablo Neira Ayuso wrote:
> On Tue, May 29, 2018 at 11:58:29AM +0800, gfree.w...@vip.163.com wrote:
> > From: Gao Feng
> >
> > The helper and timeout strings are from user-space, we need to make
> > sure they are null terminated. If not, evil user could make kernel
> >
On Tue, May 29, 2018 at 11:58:29AM +0800, gfree.w...@vip.163.com wrote:
> From: Gao Feng
>
> The helper and timeout strings are from user-space, we need to make
> sure they are null terminated. If not, evil user could make kernel
> read the unexpected memory, even print it when fail to find by
upport-for-native-socket-matching/20180529-064304
> base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
> master
> config: i386-allmodconfig (attached as .config)
> compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
> reproduce:
> # save the attached .config to