Backport of iptables TEE target fixes to 4.19

2019-03-07 Thread Subash Abhinov Kasiviswanathan
Hi Pablo,

We noticed that the iptables TEE target is broken on 4.19 but is subsequently fixed now by -
18c0ab87364ac5128a152055fdcb1d27e01caf01 netfilter: xt_TEE: add missing code to get interface index in checkentry.
f24d2d4f9586985509320f90308723d3d0c4e47f netfilter: xt_TEE: fix wrong interface

Re: [PATCH nf] netfilter: nf_tables: fix set double-free in abort path

2019-03-07 Thread Pablo Neira Ayuso
Hi Florian,

Thanks for sending a patch for this.

On Thu, Mar 07, 2019 at 08:30:41PM +0100, Florian Westphal wrote:
> The abort path can cause a double-free of an (anon) set.
>
> Added-and-to-be-aborted rule looks like this:
>
> udp dport { 137, 138 } drop
>
> The to-be-aborted transaction list

[PATCH nf] netfilter: nf_tables: return immediately on empty commit

2019-03-07 Thread Florian Westphal
When running 'nft flush ruleset' while no rules exist, we will increment the generation counter and announce a new genid to userspace, yet nothing had changed in the first place.

Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 5 +
1 file changed, 5 insertions(+)
diff --

Re: [PATCH nf] netfilter: nf_tables: fix set double-free in abort path

2019-03-07 Thread
Hi Florian,

On Thu, 7 Mar 2019 20:30:41 +0100 Florian Westphal wrote:
> The abort path can cause a double-free of an (anon) set.
>
> Added-and-to-be-aborted rule looks like this:
>
> udp dport { 137, 138 } drop
>
> The to-be-aborted transaction list looks like this:
> newset
> newsetelem
> n

[PATCH nf] netfilter: nf_tables: fix set double-free in abort path

2019-03-07 Thread Florian Westphal
The abort path can cause a double-free of an (anon) set.

Added-and-to-be-aborted rule looks like this:

udp dport { 137, 138 } drop

The to-be-aborted transaction list looks like this:

newset
newsetelem
newsetelem
rule

This gets walked in reverse order, so first pass disables the rule, the set el
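The ordering problem this message describes, as a constructed toy model added for this note. It is not netfilter code and not Florian's patch: the structures, names and counters are invented so that the reverse walk can be traced on one anonymous set with two elements bound to one rule. Two assumptions are made explicit in the code: that the release pass after the deactivate pass runs in the same reverse order (rule first, then the elements, then the set), and that a fix can be modelled by marking the set as bound and skipping its newset/newsetelem entries on abort so only the rule release frees it. The real fix may do this differently.

```c
#include <stdio.h>

/* Constructed toy model of an nf_tables transaction abort. Not netfilter
 * code: every name here is an assumption made for illustration only. */

enum trans_type { T_NEWSET, T_NEWSETELEM, T_NEWRULE };

struct toy_set {
    int anonymous;
    int bound;        /* assumed fix flag: set attached to a rule's lookup */
    int free_count;   /* times the set was "freed"; 2 means double-free */
    int uaf_count;    /* element operations that ran on a freed set */
};

struct toy_trans {
    enum trans_type type;
    struct toy_set *set;
    int inactive;     /* set by the deactivate pass */
    int skip;         /* assumed fix: release is left to the rule destructor */
};

static void set_destroy(struct toy_set *s)
{
    s->free_count++;  /* real code would kfree() the set here */
}

static void rule_destroy(struct toy_set *s)
{
    /* the lookup expression destructor releases the anonymous set it holds */
    if (s->anonymous)
        set_destroy(s);
}

static void elem_remove(struct toy_set *s)
{
    if (s->free_count > 0)
        s->uaf_count++; /* touching elements of an already freed set */
}

/* Pass 1 walks the transaction list in reverse and deactivates entries.
 * Pass 2 (after what would be synchronize_rcu()) releases them in the
 * same reverse order: rule, setelem, setelem, newset (assumed order). */
static void abort_list(struct toy_trans *list, int n, int fixed)
{
    int i;

    for (i = n - 1; i >= 0; i--) {
        struct toy_trans *t = &list[i];
        t->inactive = 1;
        /* assumed fix: a bound anonymous set is owned by the rule, so its
         * newset/newsetelem entries must not release it a second time */
        if (fixed && t->type != T_NEWRULE && t->set->bound)
            t->skip = 1;
    }

    for (i = n - 1; i >= 0; i--) {
        struct toy_trans *t = &list[i];
        switch (t->type) {
        case T_NEWRULE:
            rule_destroy(t->set);
            break;
        case T_NEWSETELEM:
            if (!t->skip)
                elem_remove(t->set);
            break;
        case T_NEWSET:
            if (!t->skip)
                set_destroy(t->set);
            break;
        }
    }
}

/* Builds the list from the message (newset, newsetelem, newsetelem, rule)
 * for an anonymous set already bound to the rule, then aborts it. */
static struct toy_set run_abort(int fixed)
{
    struct toy_set s = { .anonymous = 1, .bound = 1, .free_count = 0, .uaf_count = 0 };
    struct toy_trans list[4] = {
        { T_NEWSET, &s, 0, 0 }, { T_NEWSETELEM, &s, 0, 0 },
        { T_NEWSETELEM, &s, 0, 0 }, { T_NEWRULE, &s, 0, 0 },
    };

    abort_list(list, 4, fixed);
    return s;
}

int set_free_count(int fixed) { return run_abort(fixed).free_count; }
int set_uaf_count(int fixed)  { return run_abort(fixed).uaf_count; }

int main(void)
{
    printf("unfixed: set freed %d times, %d element ops after free\n",
           set_free_count(0), set_uaf_count(0));
    printf("fixed:   set freed %d times, %d element ops after free\n",
           set_free_count(1), set_uaf_count(1));
    return 0;
}
```

In the unfixed walk the rule release frees the anonymous set first, the two element entries then operate on freed memory, and the newset entry frees the set again; with the assumed `bound` handling only the rule release touches the set.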

Re: [PATCH net-next 0/2] br_netfilter: enable in non-initial netns

2019-03-07 Thread Florian LAUNAY
Hi everyone,

Can someone help move this topic forward? This issue simply prevents any advanced use of docker in LXC.

Thank you in advance!

Florian LAUNAY

On 07/11/2018 14:48, Christian Brauner wrote:
Hey everyone, Over time I have seen multiple reports by users who want to run applications (

[PATCH libnftnl] src: libnftnl: export genid functions again

2019-03-07 Thread Florian Westphal
Can't use them currently: they are exported only under their old names.

Fixes: 44d11498479a08 ("src: get rid of _attr_ infix in new nftnl_ definitions")
Signed-off-by: Florian Westphal
---
src/libnftnl.map | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/l

Re: xtables-addons build fail with linux 5.0: "error: implicit declaration of function 'do_gettimeofday'; did you mean 'do_settimeofday64'?"

2019-03-07 Thread Jan Engelhardt
On Monday 2019-03-04 21:10, PGNet Dev wrote:
>this patch,
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1127790#c3

Applied.