[PATCH nf] netfilter: x_tables: initialise match/target check parameter struct

2018-06-07 Thread Florian Westphal
syzbot reports the following splat: BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162 ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162 xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506 ebt_check_match
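The pattern behind a KMSAN uninit-value report like the one above is a stack-allocated parameter struct that the table core only partially fills before handing it to a match's check callback, so any field the callback reads that the caller never wrote carries stale stack contents. The following is an added example, not code from the kernel or from this patch: the struct, its fields (including the `nft_compat` field the callback consults) and both callers are hypothetical stand-ins, and the 0xAA pre-fill is a constructed substitute for whatever would really be on the stack.

```c
/* Added example (not the kernel's code): why a match/target "check"
 * parameter struct must be fully initialised before the per-match
 * callback runs. struct chk_param, its fields and the callbacks are
 * hypothetical stand-ins for the x_tables structures. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical check-parameter struct: the table core fills it in and
 * hands it to the match's checkentry callback. */
struct chk_param {
    const char *table;
    unsigned int hook_mask;
    uint8_t family;
    uint8_t nft_compat;   /* assumed field that the callback consults */
};

/* Hypothetical match checkentry callback that branches on nft_compat. */
static int stp_mt_check(const struct chk_param *par)
{
    if (par->nft_compat)
        return -1;          /* takes the "compat" path, whatever that is */
    return 0;
}

/* Buggy caller: sets only the fields it knows about. Whatever happens
 * to be on the stack in nft_compat is what the callback reads. To make
 * that deterministic here, the struct is pre-filled with 0xAA, a
 * constructed stand-in for stale stack contents. */
static int check_match_buggy(void)
{
    struct chk_param par;
    memset(&par, 0xAA, sizeof(par));   /* simulated stack garbage */
    par.table = "filter";
    par.hook_mask = 1u << 1;
    par.family = 7;                    /* arbitrary family value */
    /* par.nft_compat is never written */
    return stp_mt_check(&par);
}

/* Fixed caller: zero the whole struct first so every field has a
 * defined value, then set what the core actually knows. */
static int check_match_fixed(void)
{
    struct chk_param par;
    memset(&par, 0, sizeof(par));
    par.table = "filter";
    par.hook_mask = 1u << 1;
    par.family = 7;
    return stp_mt_check(&par);
}

int main(void)
{
    printf("buggy caller -> %d, fixed caller -> %d\n",
           check_match_buggy(), check_match_fixed());
    return 0;
}
```

Zeroing the struct (or using a designated initialiser, which zeroes every member not named) is the cheap, general fix: a callback added later that reads a new field then sees 0 rather than stack garbage, which is what KMSAN is flagging.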

[PATCH nf] netfilter: nft_socket: fix module autoload

2018-06-07 Thread Pablo Neira Ayuso
Add alias definition for module autoload when adding socket rules. Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching") Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_socket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nft_socket.c

Re: [PATCH nft] expr: add map lookups for numgen statements

2018-06-07 Thread Pablo Neira Ayuso
Hi Laura, On Sun, Apr 22, 2018 at 11:05:53AM +0200, Laura Garcia Liebana wrote: > +numgen_expr : NUMGEN numgen_type MOD NUM > offset_opt numgen_map_expr Hint: Instead of adding numgen_map_expr, what you could do is to reuse the existing parser. Look: # nft add

[PATCH nft] src: do not reset generation ID on ruleset flush

2018-06-07 Thread Pablo Neira Ayuso
If a 'flush ruleset' command is issued, release the cache but still keep the generation ID around. Hence, follow-up calls to cache_update() will assume that the cache is updated and will not perform a netlink dump. Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 4 +++- src/evaluate.c | 3 ++-

Re: [PATCH v2 nft] Set/print base chain prios with textual names

2018-06-07 Thread Pablo Neira Ayuso
On Thu, Jun 07, 2018 at 12:28:16PM +0200, Máté Eckl wrote: > Like this? I don't know how common or accepted it is to use inline struct > definitions, but I think this is the only better way than the actual one. > > static const char *chain_prio2str(int prio) > { > static

Re: [PATCH nf-next] netfilter: nf_conntrack: Increase __IPS_MAX_BIT with new bit IPS_OFFLOAD_BIT

2018-06-07 Thread Pablo Neira Ayuso
On Thu, Jun 07, 2018 at 06:15:14PM +0800, gfree.w...@vip.163.com wrote: > From: Gao Feng > > The __IPS_MAX_BIT is used in __ctnetlink_change_status as the max bit > value. When adding the new bit IPS_OFFLOAD_BIT, whose value is 14, we should > increase __IPS_MAX_BIT too, from 14 to 15. > > There is

Re: [PATCH v2 nft] Set/print base chain prios with textual names

2018-06-07 Thread Máté Eckl
On Thu, Jun 07, 2018 at 02:19:02AM +0200, Pablo Neira Ayuso wrote: > Hi Máté, > > Thanks for working on this. > > See comments below. > > On Wed, Jun 06, 2018 at 09:33:56PM +0200, Máté Eckl wrote: > > v2: > > - more comprehensive names > > - expose basic priorities used by iptables > > - use

[PATCH nf-next] netfilter: nf_conntrack: Increase __IPS_MAX_BIT with new bit IPS_OFFLOAD_BIT

2018-06-07 Thread gfree.wind
From: Gao Feng The __IPS_MAX_BIT is used in __ctnetlink_change_status as the max bit value. When adding the new bit IPS_OFFLOAD_BIT, whose value is 14, we should increase __IPS_MAX_BIT too, from 14 to 15. There is no bug in the current code, although it loses one loop iteration in __ctnetlink_change_status.
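The point of the patch is the exclusive upper bound on the bit loop: a loop of the form `for (bit = 0; bit < MAX_BIT; bit++)` never visits bit MAX_BIT itself, so a new flag at position 14 is only reached once the bound becomes 15. The following is an added userspace model of such a loop, not the kernel's __ctnetlink_change_status and not part of this thread; the enum values are taken from the numbers in the commit message and the function names are hypothetical.

```c
/* Added example (not the kernel's code): a userspace model of a
 * ctnetlink-style status update loop, showing what the exclusive
 * upper bound does when a new high bit is added. */
#include <stdio.h>

/* Bit layout modelled on the thread: the new bit sits at position 14,
 * and the loop bound is raised from 14 to 15 to cover it. */
enum {
    BIT_OFFLOAD = 14,
    MAX_BIT_OLD = 14,   /* loop bound before the change */
    MAX_BIT_NEW = 15,   /* loop bound after the change */
};

/* Apply the 'on' and 'off' masks to 'status' one bit at a time, the
 * way a set_bit/clear_bit loop would. Bits at or above max_bit are
 * never visited, whatever the masks contain. */
static unsigned long change_status(unsigned long status, unsigned long on,
                                   unsigned long off, unsigned int max_bit)
{
    for (unsigned int bit = 0; bit < max_bit; bit++) {
        if (on & (1UL << bit))
            status |= 1UL << bit;
        else if (off & (1UL << bit))
            status &= ~(1UL << bit);
    }
    return status;
}

/* Returns 1 if a request to set BIT_OFFLOAD actually lands in status
 * under the given loop bound, 0 if the loop stops short of it. */
static int offload_bit_reachable(unsigned int max_bit)
{
    unsigned long st = change_status(0, 1UL << BIT_OFFLOAD, 0, max_bit);
    return (int)((st >> BIT_OFFLOAD) & 1);
}

int main(void)
{
    printf("bound %u: offload bit set = %d\n",
           MAX_BIT_OLD, offload_bit_reachable(MAX_BIT_OLD));
    printf("bound %u: offload bit set = %d\n",
           MAX_BIT_NEW, offload_bit_reachable(MAX_BIT_NEW));
    return 0;
}
```

With the old bound the request to set bit 14 is silently dropped; with the new bound it takes effect. Whether that matters in the kernel depends on whether the loop is ever asked to touch that bit, which is why the commit message describes it as a lost iteration rather than a bug.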