Hi all,
After merging the netfilter-next tree, today's linux-next build (powerpc
allyesconfig) failed like this:
ld: net/ipv4/netfilter/nf_reject_ipv4.o:(.opd+0x78): multiple definition of
`nf_reject_verify_csum'; net/netfilter/nft_reject_inet.o:(.opd+0x78): first
defined here
ld: net/ipv4/netf
From: wenxu
[ Upstream commit a799aea0988ea0d1b1f263e996fdad2f6133c680 ]
Using the following example:
client 1.1.1.7 ---> 2.2.2.7 which dnat to 10.0.0.7 server
The first reply packet (ie. syn+ack) uses an incorrect destination
address for the reverse route lookup since it uses:
From: Taehee Yoo
[ Upstream commit b91d9036883793122cf6575ca4dfbfbdd201a83d ]
There is no code that decreases the reference count of stateful objects
in error path of the nft_add_set_elem(). This causes a leak of reference
count of stateful objects.
Test commands:
$nft add table ip filter
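The leak described in that commit message is the usual get-without-put on an error path. The following is an added example, not the kernel's nft_add_set_elem() code, and uses a hypothetical refcounted object and a constructed validation step: the "leaky" variant takes references on the stateful objects and bails out without dropping them, the "fixed" variant unwinds them in reverse order via a single error label. The refcount helper only models the balance; it does not free anything.

```c
#include <stddef.h>
#include <errno.h>

/* Hypothetical refcounted stateful object, a stand-in for the kernel's
 * nft_object. Only the reference balance is modelled. */
struct stateful_obj {
	int refs;
};

static void obj_get(struct stateful_obj *o) { o->refs++; }
static void obj_put(struct stateful_obj *o) { o->refs--; }

/* Constructed validation step: fails with -EINVAL when 'fail' is set. It
 * stands in for whatever check fails after the references were taken. */
static int validate_elem(int fail)
{
	return fail ? -EINVAL : 0;
}

/* Leaky variant (the bug the commit message describes): both references
 * are taken, but the error return leaves them in place. */
int add_set_elem_leaky(struct stateful_obj *obj,
		       struct stateful_obj *expr_obj, int fail)
{
	obj_get(obj);
	obj_get(expr_obj);
	if (validate_elem(fail) < 0)
		return -EINVAL;		/* references never released */
	/* success: the element now owns both references */
	return 0;
}

/* Fixed variant: every failure after a get jumps to one unwind label that
 * drops the references in reverse order of acquisition. */
int add_set_elem_fixed(struct stateful_obj *obj,
		       struct stateful_obj *expr_obj, int fail)
{
	int err;

	obj_get(obj);
	obj_get(expr_obj);
	err = validate_elem(fail);
	if (err < 0)
		goto err_put;
	return 0;

err_put:
	obj_put(expr_obj);
	obj_put(obj);
	return err;
}

/* Demo helper: sum of both objects' refcounts after one failed add.
 * Balanced code returns 2 (the initial references); a leak returns 4. */
int refs_after_failed_add(int (*add)(struct stateful_obj *,
				     struct stateful_obj *, int))
{
	struct stateful_obj obj = { .refs = 1 }, expr_obj = { .refs = 1 };

	add(&obj, &expr_obj, 1);
	return obj.refs + expr_obj.refs;
}

/* Demo helper: refcount sum after a successful add (element owns them). */
int refs_after_successful_add(int (*add)(struct stateful_obj *,
					 struct stateful_obj *, int))
{
	struct stateful_obj obj = { .refs = 1 }, expr_obj = { .refs = 1 };

	if (add(&obj, &expr_obj, 0) != 0)
		return -1;
	return obj.refs + expr_obj.refs;
}
```

The point of the single `err_put` label is that any further check added later between the gets and the return only needs one `goto`, so the unwind cannot be forgotten for that path.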
From: wenxu
[ Upstream commit 10f4e765879e514e1ce7f52ed26603047af196e2 ]
In the forward chain, the iif is changed from slave device to master vrf
device. Thus, flow offload does not find a match on the lower slave
device.
This patch uses the cached route, ie. dst->dev, to update the iif and
oif
From: Henry Yen
[ Upstream commit 2314e879747e82896f51cce4488f6a00f3e1af7b ]
This patch uses nfct_help() to detect whether an established connection
needs conntrack helper instead of using test_bit(IPS_HELPER_BIT,
&ct->status).
The reason is that IPS_HELPER_BIT is only set when using explicit C
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: bfcf40da75597a7c6761ab7dd8bba18b487ae2d9
commit: bfcf40da75597a7c6761ab7dd8bba18b487ae2d9 [9/9] netfilter: reject: skip
csum verification for protocols that don't support it
config: i386-defconfig (attached as
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: bfcf40da75597a7c6761ab7dd8bba18b487ae2d9
commit: bfcf40da75597a7c6761ab7dd8bba18b487ae2d9 [9/9] netfilter: reject: skip
csum verification for protocols that don't support it
config: x86_64-randconfig-s2-021308
+ENOENT” or just --ignore-error=delete causes
delete_cb to continue even if the NFCT_Q_DESTROY operation failed.
A simpler alternative might be to ignore destroy failures in delete_cb
altogether.
ignore-error-20190212.patch
Try compiling against libtirpc on systems where RPC headers are not
provided by Glibc.
Due to naming conflicts, rpc_call() has had to be renamed.
Cc: Jan Engelhardt
Signed-off-by: Phil Sutter
---
Note that I didn't do real functional testing apart from running
conntrack and nfct testsuites. OTO
Hi Jan,
On Wed, Feb 13, 2019 at 12:30:17AM +0100, Jan Engelhardt wrote:
> On Wednesday 2019-02-13 00:22, Phil Sutter wrote:
>
> > SUBDIRS = extensions src
> > DIST_SUBDIRS = include src extensions
> >-LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
> >+LIBS = @LIBNETFILTER_CONNTRACK_LIBS@ @LIBTIRPC_LIBS@
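Review bot: the `+LIBS = @LIBNETFILTER_CONNTRACK_LIBS@ @LIBTIRPC_LIBS@` line appends libtirpc to the global LIBS of this Makefile.am, so every program and library built under it gets linked against libtirpc, not just the unit that calls the RPC functions; prefer adding it to the LDADD/LIBADD of that one target, and, as Jan points out, in the ${LIBTIRPC_LIBS} form so it stays overridable at make time. Also confirm that configure actually substitutes LIBTIRPC_LIBS (empty on systems where glibc still ships the RPC headers), otherwise the literal @LIBTIRPC_LIBS@ ends up on the link line.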
On Wednesday 2019-02-13 00:22, Phil Sutter wrote:
> SUBDIRS = extensions src
> DIST_SUBDIRS = include src extensions
>-LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
>+LIBS = @LIBNETFILTER_CONNTRACK_LIBS@ @LIBTIRPC_LIBS@
This should all use ${LIBNETFILTER_CONNTRACK_LIBS} ${LIBTIRPC_LIBS}.
(You're writi
Try compiling against libtirpc on systems where RPC headers are not
provided by Glibc.
Due to naming conflicts, rpc_call() has had to be renamed.
Signed-off-by: Phil Sutter
---
Note that I didn't do real functional testing apart from running
conntrack and nfct testsuites. OTOH, in Fedora Rawhide
Mark fall-through cases as such. Note that the correctness of those
fall-throughs has not been verified.
Signed-off-by: Phil Sutter
---
include/jhash.h | 2 +-
src/cache-ct.c | 2 ++
src/cache-exp.c | 1 +
src/tcp.c | 1 +
4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/include
Due to the first switch() in that function, default case in second one
is unreachable. Given that both of them contain the same cases but the
first one merely acts as an invalid command barrier (adding no value to
the second one), drop the first one to make invalid commands actually
hit default cas
On Tue, Feb 12, 2019 at 09:00:48PM +0100, Pablo Neira Ayuso wrote:
> @@ -324,8 +297,10 @@ nft_target_destroy(const struct nft_ctx *ctx, const
> struct nft_expr *expr)
> if (par.target->destroy != NULL)
> par.target->destroy(&par);
>
> - if (nft_xt_put(container_of(expr->o
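Review bot: removing the nft_xt_put() call directly after par.target->destroy() means nft_target_destroy() no longer drops the reference (and the module reference) taken when the target was looked up; since the hunk is cut off here, confirm that the new .release_ops / list-based path is what releases it on both the normal destroy path and the init error path, otherwise the xt target module stays pinned and the list entry is never freed.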
According to RFC4291, IPv6 prefixes are represented in CIDR notation.
While the use of a "netmask" notation is not explicitly denied, its
existence merely stems from applying IPv4 standards to IPv6. This is not
necessarily correct.
Therefore change printing of IPv6 prefixes to use CIDR notation as
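Printing a prefix instead of a netmask needs one extra step: a netmask is only expressible as a prefix length if its set bits are contiguous from the top. The following is an added example, not conntrack-tools code, showing that conversion for IPv6 with the non-contiguous case rejected rather than silently rounded; the function names are the example's own.

```c
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns the prefix length (0..128) for a contiguous IPv6 netmask, or -1
 * if the mask has holes (e.g. ffff:0:ffff::), which has no CIDR form. */
int ipv6_mask_to_prefix(const struct in6_addr *mask)
{
	int prefix = 0, seen_zero = 0;

	for (int i = 0; i < 16; i++) {
		uint8_t b = mask->s6_addr[i];

		for (int bit = 7; bit >= 0; bit--) {
			if (b & (1u << bit)) {
				if (seen_zero)
					return -1;	/* a 1 after a 0 */
				prefix++;
			} else {
				seen_zero = 1;
			}
		}
	}
	return prefix;
}

/* Formats addr/mask as "addr/len" into buf. Returns 0, or -1 if the mask is
 * not contiguous, the address cannot be printed, or buf is too short. */
int ipv6_format_cidr(const struct in6_addr *addr, const struct in6_addr *mask,
		     char *buf, size_t len)
{
	char a[INET6_ADDRSTRLEN];
	int prefix = ipv6_mask_to_prefix(mask);

	if (prefix < 0)
		return -1;
	if (!inet_ntop(AF_INET6, addr, a, sizeof(a)))
		return -1;
	if (snprintf(buf, len, "%s/%d", a, prefix) >= (int)len)
		return -1;
	return 0;
}

/* Text front-end: parse both inputs, then format. Returns -2 on a parse
 * error so it is distinguishable from an invalid mask. */
int ipv6_cidr_from_text(const char *addr_txt, const char *mask_txt,
			char *buf, size_t len)
{
	struct in6_addr addr, mask;

	if (inet_pton(AF_INET6, addr_txt, &addr) != 1 ||
	    inet_pton(AF_INET6, mask_txt, &mask) != 1)
		return -2;
	return ipv6_format_cidr(&addr, &mask, buf, len);
}

/* Prefix length from a textual mask: -2 on parse error, -1 if not contiguous. */
int ipv6_prefix_from_mask_text(const char *mask_txt)
{
	struct in6_addr mask;

	if (inet_pton(AF_INET6, mask_txt, &mask) != 1)
		return -2;
	return ipv6_mask_to_prefix(&mask);
}

/* Returns 1 if addr/mask formats exactly to 'expected', 0 otherwise. */
int ipv6_cidr_equals(const char *addr_txt, const char *mask_txt,
		     const char *expected)
{
	char buf[64];

	if (ipv6_cidr_from_text(addr_txt, mask_txt, buf, sizeof(buf)) != 0)
		return 0;
	return strcmp(buf, expected) == 0;
}

int main(void)
{
	char buf[64];

	/* constructed sample input */
	if (ipv6_cidr_from_text("2001:db8::1", "ffff:ffff:ffff:ffff::",
				buf, sizeof(buf)) == 0)
		printf("%s\n", buf);
	return 0;
}
```

Rejecting a non-contiguous mask matters more on the input side than on the printing side: if an entry was created from an IPv4-style mask with holes, printing it as a prefix would misrepresent what the kernel actually matches.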
Add .release_ops, that is called in case of error at a later stage in
the expression initialization path, ie. .select_ops() has been already
set up operations and that needs to be undone.
This allows us to follow a more simplistic approach, ie. place the
match/target into the list from the .select
On Tue, Feb 12, 2019 at 05:35:08PM +0100, Alin Nastac wrote:
> From: Alin Nastac
>
> Some protocols have other means to verify the payload integrity
> (AH, ESP, SCTP) while others are incompatible with nf_ip(6)_checksum
> implementation because checksum is either optional or might be
> partial (U
On Tue, Feb 12, 2019 at 05:31:31PM +0100, Phil Sutter wrote:
> The value dhcpv6_msg_type points at is used as index to dhcpv6_timeouts
> array, so upper boundary check has to treat a value of
> ARRAY_SIZE(dhcpv6_timeouts) as invalid.
Applied, thanks Phil.
From: Alin Nastac
Some protocols have other means to verify the payload integrity
(AH, ESP, SCTP) while others are incompatible with nf_ip(6)_checksum
implementation because checksum is either optional or might be
partial (UDPLITE, DCCP, GRE). Because nf_ip(6)_checksum was used
to validate the pa
The value dhcpv6_msg_type points at is used as index to dhcpv6_timeouts
array, so upper boundary check has to treat a value of
ARRAY_SIZE(dhcpv6_timeouts) as invalid.
Fixes: 36118bfc4901b ("conntrackd: helpers: add DHCPv6 helper")
Signed-off-by: Phil Sutter
---
src/helpers/dhcpv6.c | 2 +-
1 fil
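The off-by-one that commit message describes is easy to reproduce in isolation. The following is an added example rather than the conntrackd helper's source (which is not on this page): the timeout table is constructed with illustrative values, and the two check functions show the boundary comparison the message implies before and after the fix. The lookup traps an index the check wrongly accepted instead of performing the out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed per-message-type timeout table (seconds). Values are
 * illustrative only; index 0 is unused since DHCPv6 message types start at 1. */
static const uint32_t dhcpv6_timeouts[] = {
	[0] = 0,   [1] = 30,  [2] = 30,  [3] = 300,
	[4] = 300, [5] = 30,  [6] = 30,  [7] = 300,
};

/* Boundary check as the commit message describes it before the fix:
 * '>' accepts msg_type == ARRAY_SIZE, which is one past the last element. */
int msg_type_ok_before(unsigned int msg_type)
{
	return !(msg_type > ARRAY_SIZE(dhcpv6_timeouts));
}

/* Boundary check after the fix: the largest valid index is ARRAY_SIZE - 1. */
int msg_type_ok_after(unsigned int msg_type)
{
	return !(msg_type >= ARRAY_SIZE(dhcpv6_timeouts));
}

/* Returns the timeout for msg_type, -1 if 'check' rejects it, or -2 if
 * 'check' accepted an index that would have read past the table (the demo
 * traps that case rather than dereferencing it). */
long lookup_timeout(unsigned int msg_type, int (*check)(unsigned int))
{
	if (!check(msg_type))
		return -1;
	if (msg_type >= ARRAY_SIZE(dhcpv6_timeouts))
		return -2;
	return dhcpv6_timeouts[msg_type];
}
```

With the old comparison, a packet carrying message type 8 (for this 8-entry table) passes the check and the real code would read `dhcpv6_timeouts[8]`, one element beyond the array; every other value is handled identically by both checks.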
Hi Pablo,
On Tue, Feb 12, 2019 at 11:21 AM Alin Năstac wrote:
> I will send you later today the v2 version of this patch.
I have problems with the inline function defined in
include/net/netfilter/nft_reject.h. My CONFIG_NF_TABLES is disabled
and I get the following error when I try to include it
Pablo Neira Ayuso wrote:
> Add .release_ops, that is called in case of error at a later stage in
> the expression initialization path, ie. .select_ops() has been already
> set up operations and that needs to be undone.
>
> This allows us to follow a more simplistic approach, ie. place the
> match
On Mon, Feb 11, 2019 at 04:14:39PM +0100, Andrea Claudi wrote:
> ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation,
> but lacks proper Kconfig dependencies and does not explicitly
> request defrag features.
>
> As a result, if netfilter hooks are not loaded, when IPv6 fragmented
>
Hi Pablo,
On Tue, Feb 12, 2019 at 11:20 AM Pablo Neira Ayuso wrote:
>
> Hi Alin,
>
> On Tue, Feb 12, 2019 at 07:25:29AM +0100, Alin Năstac wrote:
> > The pseudo-header proto=0 issue must also be addressed in
> > net/bridge/netfilter/nft_reject_bridge.c.
> >
> > I see you haven't pushed yet my com
Hi Alin,
On Tue, Feb 12, 2019 at 07:25:29AM +0100, Alin Năstac wrote:
> The pseudo-header proto=0 issue must also be addressed in
> net/bridge/netfilter/nft_reject_bridge.c.
>
> I see you haven't pushed yet my commit. Do you want me to issue the
> 2nd version of this patch?
You choose:
1) I pus