[PATCH] netfilter: nf_ct_helper: Fix possible panic when nf_conntrack_helper_unregister is used in an unloadable module

2019-02-28 Thread Su Yanjun
From: Su Yanjun Because nf_conntrack_helper_unregister may be used in an unloadable module, it uses 'synchronize_rcu' which may cause kernel panic. According to the article: RCU and Unloadable Modules https://lwn.net/Articles/217484/ When we have a heavy rcu callback load, then some of the callb

[PATCH AUTOSEL 4.20 59/81] netfilter: nf_nat: skip nat clash resolution for same-origin entries

2019-02-28 Thread Sasha Levin
From: Martynas Pumputis [ Upstream commit 4e35c1cb9460240e983a01745b5f29fe3a4d8e39 ] It is possible that two concurrent packets originating from the same socket of a connection-less protocol (e.g. UDP) can end up having different IP_CT_DIR_REPLY tuples which results in one of the packets being d

[PATCH AUTOSEL 4.19 46/64] netfilter: nf_nat: skip nat clash resolution for same-origin entries

2019-02-28 Thread Sasha Levin
From: Martynas Pumputis [ Upstream commit 4e35c1cb9460240e983a01745b5f29fe3a4d8e39 ] It is possible that two concurrent packets originating from the same socket of a connection-less protocol (e.g. UDP) can end up having different IP_CT_DIR_REPLY tuples which results in one of the packets being d

[PATCH AUTOSEL 4.14 27/36] netfilter: nf_nat: skip nat clash resolution for same-origin entries

2019-02-28 Thread Sasha Levin
From: Martynas Pumputis [ Upstream commit 4e35c1cb9460240e983a01745b5f29fe3a4d8e39 ] It is possible that two concurrent packets originating from the same socket of a connection-less protocol (e.g. UDP) can end up having different IP_CT_DIR_REPLY tuples which results in one of the packets being d

[PATCH AUTOSEL 4.9 13/19] netfilter: nf_nat: skip nat clash resolution for same-origin entries

2019-02-28 Thread Sasha Levin
From: Martynas Pumputis [ Upstream commit 4e35c1cb9460240e983a01745b5f29fe3a4d8e39 ] It is possible that two concurrent packets originating from the same socket of a connection-less protocol (e.g. UDP) can end up having different IP_CT_DIR_REPLY tuples which results in one of the packets being d

Re: [nft PATCH 4/5] json: Fix memleaks in echo support

2019-02-28 Thread Pablo Neira Ayuso
On Thu, Feb 28, 2019 at 11:30:26AM +0100, Phil Sutter wrote: > On Wed, Feb 27, 2019 at 11:29:26PM +0100, Pablo Neira Ayuso wrote: > [...] > > Not related to this patch: IIRC this echo support is not using the > > nlmsg_seq to correlate the command and the result that we obtain, > > right? Telling t

[PATCH nf-next 2/3] netfilter: nf_tables: nat: merge nft_masq protocol specific modules

2019-02-28 Thread Florian Westphal
The family specific masq modules are way too small to warrant an extra module, just place all of them in nft_masq. before: text data bss dec hex filename 1001 832 0 1833 729 nft_masq.ko 766 896 0 1662 67e nft_masq_ipv4.ko 764 896

[PATCH nf-next 3/3] netfilter: nf_tables: merge ipv4 and ipv6 nat chain types

2019-02-28 Thread Florian Westphal
Merge the ipv4 and ipv6 nat chain type. This is the last missing piece which allows providing inet family support for nat in a follow-up patch. The kconfig knobs for ipv4/ipv6 nat chain are removed, the nat chain type will be built unconditionally if NFT_NAT expression is enabled. Before: text

[PATCH nf-next 1/3] netfilter: nf_tables: nat: merge nft_redir protocol specific modules

2019-02-28 Thread Florian Westphal
before: text data bss dec hex filename 990 832 0 1822 71e nft_redir.ko 697 896 0 1593 639 nft_redir_ipv4.ko 713 896 0 1609 649 nft_redir_ipv6.ko after: text data bss dec hex filename 1910 960

[PATCH nf-next 0/3] netfilter: nf_tables: merge remaining nat related modules

2019-02-28 Thread Florian Westphal
This series merges the remaining nat related modules: redir, masq, and the nat chain type. This is the last missing piece to add inet family nat support to nftables. Florian Westphal (3): netfilter: nf_tables: nat: merge nft_redir protocol specific modules netfilter: nf_tables: nat: m

Re: [nft PATCH 4/5] json: Fix memleaks in echo support

2019-02-28 Thread Phil Sutter
On Wed, Feb 27, 2019 at 11:29:26PM +0100, Pablo Neira Ayuso wrote: [...] > Not related to this patch: IIRC this echo support is not using the > nlmsg_seq to correlate the command and the result that we obtain, > right? Telling this because this should work with a batch that > contains several reque