On Mon, Mar 11, 2019 at 01:31:45PM +0100, Pablo Neira Ayuso wrote:
Hi Greg,
Cc'ing sta...@vger.kernel.org.
Subash (he's on Cc) needs these two fixes for 4.19:
f24d2d4f9586985509320f90308723d3d0c4e47f
netfilter: xt_TEE: fix wrong interface selection
18c0ab87364ac5128a152055fdcb1d27e01caf01
net
On Thu, Mar 07, 2019 at 11:20:11PM +0100, Florian Westphal wrote:
> When running 'nft flush ruleset' while no rules exist, we will increment
> the generation counter and announce a new genid to userspace, yet
> nothing had changed in the first place.
Applied, thanks Florian.
From: Alin Nastac
Previous implementation was not usable with CONFIG_IPV6=m.
Signed-off-by: Alin Nastac
---
net/netfilter/nf_conntrack_sip.c | 37 -
1 file changed, 16 insertions(+), 21 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfil
Add version option support to the nftables "osf" expression.
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32 and using snprintf() instead of strlcat()
---
include/linux/netfilter/nfnetlink_osf.h | 11 ++---
include/uapi/linux/netfilter/nf_tables.h |
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now uint32_t
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/osf.c | 17 +
3 files changed, 20 insertions(+)
diff --git a/i
In order to be able to identify the OS version we need to merge the signatures
split by version, e.g.:
65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:4.7-5.2::FreeBSD 4.7-5.2
After noticing that some fingerprints are outdated, we have updated the most
common of them.
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
files/osf/pf.os | 6 ++
1 file changed, 6 insertions(+)
diff --git a/files/osf/pf.os b/files/osf/pf.os
inde
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
tests/py/inet/osf.t | 4 +++
tests/py/inet/osf.t.json| 16 +
tests/py/inet/osf.t.payload | 66 +
3 files changed, 86 insertions(+)
diff --git a/t
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
doc/primary-expression.txt | 2 ++
1 file changed, 2 insertions(+)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index d819b24..a62ed00 100644
--- a/doc/primary-expression.txt
+++
Add support for version fingerprint in "osf" expression. Example:
table ip foo {
	chain bar {
		type filter hook input priority filter; policy accept;
		osf ttl skip name "Linux"
		osf ttl skip name version "Linux:4.20"
	}
}
Signed-off-by: F
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: flags type is now u32
---
doc/libnftables-json.adoc | 7 +-
src/json.c| 13 +++
src/parser_json.c | 48 ++-
3 files changed, 66 insertions(+), 2 deletions(-
Pablo Neira Ayuso wrote:
> term1# nft add table x
> term1# nft add table x
>
> term2# nft monitor
> add table ip x
> # new generation 1587 by process 14422 (nft)
> # new generation 1588 by process 14423 (nft)
>
> So re-insertion of existing objects should not trigger unnecessary
> generation cou
Hi Florian,
On Thu, Mar 07, 2019 at 11:20:11PM +0100, Florian Westphal wrote:
> When running 'nft flush ruleset' while no rules exist, we will increment
> the generation counter and announce a new genid to userspace, yet
> nothing had changed in the first place.
>
> Signed-off-by: Florian Westpha
On Sat, Mar 09, 2019 at 11:56:05AM +0100, Phil Sutter wrote:
> When searching for library tests, 'qa' is easily overlooked. Use a more
> common name instead.
Applied, thanks Phil!
Hi Greg,
Cc'ing sta...@vger.kernel.org.
Subash (he's on Cc) needs these two fixes for 4.19:
f24d2d4f9586985509320f90308723d3d0c4e47f
netfilter: xt_TEE: fix wrong interface selection
18c0ab87364ac5128a152055fdcb1d27e01caf01
netfilter: xt_TEE: add missing code to get interface index in checkentry
Smatch reports:
net/netfilter/nf_tables_api.c:2167 nf_tables_expr_destroy()
error: dereferencing freed memory 'expr->ops'
net/netfilter/nf_tables_api.c
2162 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2163 struct nft_expr
Set deletion after flush coming in the same batch results in EBUSY. Add
set use counter to track the number of references to this set from
rules. We cannot rely on the list of bindings for this since such list
is still populated from the preparation phase.
Reported-by: Václav Zindulka
Signed-off-