Dmitry Vyukov wrote:
[ CC nf-devel, not sure if it's nfnetlink's fault or NETLINK_MMAP ]
> The following program causes GPF in netlink_getsockbyportid:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include
> #include
> #include
> #include
> #include
>
> int main()
stéphane bryant wrote:
> On 01/15/2016 03:04 PM, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> >> For the specific case of nfnetlink_queue, I would expose the vlan
> >> information through a new netlink attribute NFQA_VLAN (similar to what
> >> w
Daniel Borkmann wrote:
> On 01/23/2016 08:25 PM, Florian Westphal wrote:
> >Dmitry Vyukov wrote:
> >
> >[ CC nf-devel, not sure if it's nfnetlink's fault or NETLINK_MMAP ]
> >
> >>The following program causes GPF in netlink_getsockbyportid:
[..]
> >CONFIG_
Just move the payload trim part to a separate function.
Next patch will add a second call site to deal with map ops
that use a lookup based on a binop result.
Signed-off-by: Florian Westphal
---
src/netlink_delinearize.c | 64 ++-
1 file changed, 36
One normal map lookup, one with an explicit binop.
The latter is supposed to also work with the followup patch applied.
Signed-off-by: Florian Westphal
---
tests/py/inet/map.t| 8
tests/py/inet/map.t.payload.inet | 11 +++
tests/py/inet/map.t.payload.ip
nft list before patch:
mark set unknown unknown & 0xfff [invalid type] map { 3 : 0x0017, 1 :
0x002a}
now:
mark set vlan id map { 3 : 0x0017, 1 : 0x002a}
Signed-off-by: Florian Westphal
---
src/netlink_delinearize.c | 19 +++
tests/py/inet/m
Pablo Neira Ayuso wrote:
> On Sun, Jan 24, 2016 at 06:58:27PM +0100, Florian Westphal wrote:
> > nft list before patch:
> > mark set unknown unknown & 0xfff [invalid type] map { 3 : 0x0017, 1 :
> > 0x002a}
> > now:
> > mark set vlan id map { 3 : 0x00
protocol != udp udp dport ssh
ip protocol != tcp counter packets 1 bytes 308 udp dport ssh
Signed-off-by: Florian Westphal
---
NB: ip protocol != udp udp dport ... is nonsensical, not sure
if it's worth the hassle to try to reject stuff like this.
src/netlink_delinearize.c | 1 +
tests/py/ip
The spin_unlock call should have been left as-is, revert.
Fixes: b16c29191dc89bd ("netfilter: nf_conntrack: use safer way to lock all
buckets")
Reported-by: kernel test robot
Signed-off-by: Florian Westphal
---
net/netfilter/nfnetlink_cttimeout.c | 2 +-
1 file changed, 1 inser
Zhouyi Zhou wrote:
> Thanks Eric for your review and advice.
>
> I think hackers could build a malicious h323 packet to overflow
> the pointer p, which will panic during the memcpy(addr, p, len)
>
> For example, he may fabricate a very large taddr->ipAddress.ip;
Can you be more specific?
h323_
Weidong Wang wrote:
> In the 'for(...) {}', *bucket is always < net->ct.htable_size,
> so remove the check
> @@ -1383,14 +1383,12 @@ get_next_corpse(struct net *net, int (*iter)(struct
> nf_conn *i, void *data),
> lockp = &nf_conntrack_locks[*bucket % CONNTRACK_LOCKS];
>
'meta priority foobar' did not return an error -- instead
we used min/max values with undefined content.
Signed-off-by: Florian Westphal
---
src/meta.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/meta.c b/src/meta.c
index 8cbc974..7f12f0c 100644
Pablo Neira Ayuso wrote:
> On Mon, Jan 25, 2016 at 11:15:44AM +, Asbjørn Sloth Tønnesen wrote:
> > This option was already silently allowed by 991fc4ae,
> > but didn't have any effect.
> >
> > This patch adds the check and documents it.
>
> Applied, thanks.
>
> > Cc: Clemence Faure
> > Sig
Pablo Neira Ayuso wrote:
> payload_match_postprocess() expects a relational with a payload on its lhs
> and a value on the rhs.
>
> Moreover, payload_match_expand() releases the previous expression so
> valgrind reports a use-after-free when pruning the implicit binop.
Right, my bad. Please push t
Pablo Neira Ayuso wrote:
> On Mon, Feb 01, 2016 at 12:02:36PM +0100, Florian Westphal wrote:
> > 'meta priority foobar' did not return an error -- instead
> > we used min/max values with undefined content.
> >
> > Signed-off-by: Florian Westphal
>
>
Replacement for iptables -m statistic 'random' mode.
I added it to meta match even though it's not directly related to an skb
member. We already have cpu match which isn't related to skb either and
adding a new expression just for this seemed overkill.
If you'd rather like a new prandom expression
Signed-off-by: Florian Westphal
---
tests/py/any/meta.t | 6 ++
tests/py/any/meta.t.payload | 19 +++
2 files changed, 25 insertions(+)
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index c10297a..6298e5c 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any
Split it into its own function, caller is already quite big.
Signed-off-by: Florian Westphal
---
src/evaluate.c | 43 ++-
1 file changed, 22 insertions(+), 21 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index ed78896..4d741e3 100644
--- a
ault op for the type <= so that
"nft ... meta random 0.5" will match every 2nd packet.
This means that users can still do something like
"nft ... meta random eq 0.1" although that's not very useful (matching
probability 1/UINT_MAX).
Signed-off-by: Florian Westphal
--
Eric Biggers wrote:
> This eliminates an "unused function" compiler warning when
> CONFIG_NF_CONNTRACK_LABELS is not defined.
>
> Signed-off-by: Eric Biggers
The nft_ct_get_eval_counter call should've been unconditional.
The #endif placement is wrong:
https://git.kernel.org/cgit/linux/kernel/g
Patrick McHardy wrote:
> Am 2. Februar 2016 00:19:00 MEZ, schrieb Florian Westphal :
> >
> > enum datatypes {
> > TYPE_INVALID,
> >@@ -78,6 +79,7 @@ enum datatypes {
> > TYPE_ICMPV6_CODE,
> > TYPE_ICMPX_CODE,
> > TYPE_DEVGROUP,
Patrick McHardy wrote:
> > > Any reason why you chose to add this type instead of a generic floating
> > > point type?
> >
> > I wanted 0. to be translated to a value close to UINT32_MAX and 0.1
> > to something close to zero so that "meta random 0.999" can be translated to
> > something lik
Florian Westphal wrote:
> Patrick McHardy wrote:
> > > > Any reason why you chose to add this type instead of a generic floating
> > > > point type?
> > >
> > > I wanted 0. to be translated to a value close to UINT32_MAX and 0.1
> > >
Florian Westphal wrote:
> Florian Westphal wrote:
> > Patrick McHardy wrote:
> > > > > Any reason why you chose to add this type instead of a generic
> > > > > floating point type?
> > > >
> > > > I wanted 0. to be translated
Shivani Bhardwaj wrote:
> $ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE
> --queue-num 30
> nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30
>
> $ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass
> -p TCP --sport 80
> nft ad
Shivani Bhardwaj wrote:
> On Sun, Feb 7, 2016 at 2:55 PM, Florian Westphal wrote:
> > Seems this could be written similar to something like:
> >
> > if (info->flags & NFQ_FLAG_CPU_FANOUT) {
> > bool sep_needed = info->bypass & NFQ_FLAG_BYPAS
stephane.ml.bry...@gmail.com wrote:
> From: stephane
>
> -this creates 2 netlink attribute NLQA_VLAN and NLQA_L2HDR
> -these are filled up for the PF_BRIDGE family on the way to userspace, and
> used on the way back to modify the original skb accordingly
Looks good, some comments below.
> @@
stephane.ml.bry...@gmail.com wrote:
> From: stephane
>
> This just adds and registers a nf_afinfo for the ethernet
> bridge, which enables queuing to userspace for the AF_BRIDGE
> family. No checksum computation is done.
I think that using empty stub functions is ok for now,
we can add checksum
Patrick McHardy wrote:
Hi Patrick
> On 04.02, Florian Westphal wrote:
> > In fact, doing the scaling via precision_type seems to
> > be a lot simpler as then it's applied only in this one case of the
> > prandom META_TEMPLATE while keeping this detail limited to meta.c
Pablo Neira Ayuso wrote:
> On Mon, Feb 15, 2016 at 01:54:46PM +0100, Florian Westphal wrote:
> > Patrick McHardy wrote:
> >
> > Hi Patrick
> >
> > > On 04.02, Florian Westphal wrote:
> > > > In fact, doing the scaling via precision_type seems
dule, so add an EXPORT_SYMBOL
for prandom_seed_full_state too.
Cc: Daniel Borkmann
Signed-off-by: Florian Westphal
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
lib/random32.c | 1 +
net/netfilter/nft_meta.c | 15 +++
3 files changed
Daniel Borkmann wrote:
> >+case NFT_META_PRANDOM:
> >+if (!prand_inited) {
> >+prandom_seed_full_state(&nft_prandom_state);
> >+prand_inited = true;
> >+}
>
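Review bot: the check-then-set on `prand_inited` in the `NFT_META_PRANDOM` case is an unsynchronized static flag that is read and written from the packet path, so two CPUs evaluating the expression for the first time at the same moment can both call `prandom_seed_full_state(&nft_prandom_state)`; a once-only initialization helper such as prandom_init_once() would serialize this instead of the open-coded flag.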
> Should this be: prandom_init_once() ?
Thought about that but this is
Daniel Borkmann wrote:
> On 02/16/2016 02:19 PM, Florian Westphal wrote:
> >Daniel Borkmann wrote:
> >>>+ case NFT_META_PRANDOM:
> >>>+ if (!prand_inited) {
> >>>+ prandom_seed_full_state(&nft_prandom_st
dule, so add an EXPORT_SYMBOL
for prandom_seed_full_state too.
Cc: Daniel Borkmann
Signed-off-by: Florian Westphal
---
Change in v2: use prandom_init_once helper instead of
open-coding w. static variable
include/uapi/linux/netfilter/nf_tables.h | 2 ++
lib/random32.c
Stephane Bryant wrote:
> This makes nf queues use NFQA_VLAN and NFQA_L2HDR in verdict to modify the
> original skb
Looks good to me, thanks for addressing all my comments.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.ker
This work changes xtables to register tables only
when the ip(6)tables/arptables command is invoked inside a netns.
Also changes br_netfilter to not add its sabotage hooks until
a bridge is created inside the netns.
The initial namespace isn't affected; hooks are still registered
on module load ti
ook points are destroyed only once namespace is deleted, there is no
'usage count' (it makes no sense since there is no 'remove table' operation
in xtables api).
Signed-off-by: Florian Westphal
---
Changes since v3:
- split register/unregister API changes into extra ch
espace has
empty hook list and NF_HOOK() will boil down to single list_empty test even
if initial namespace does stateless packet filtering.
Signed-off-by: Florian Westphal
---
No changes since v3.
net/bridge/br_netfilter_hooks.c | 68 +++--
1 file changed, 65
the form
net->ipv4.iptable_$table = new_table
have to be moved to ip(6)t_register_table, else we can see NULL
net->ipv4.iptable_$table later.
This patch doesn't change functionality; without this the actual change
simply gets too big.
Signed-off-by: Florian Westphal
---
Not part
loaded
list is guaranteed to be empty.
Signed-off-by: Florian Westphal
---
No changes since v3.
include/linux/netfilter.h | 29 +++--
1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 0ad5567
Yigal Reiss (yreiss) wrote:
> So I tried batching the unicast netlink messages (carrying the packets) from
> kernel to user space. I do that by calling sk->sk_data_ready(sk); (in
> __netlink_sendskb() in af_netlink.c) only every [N] packets. This seems to
> contribute similar performance improv
filter ifnames '{type iface_name; }'
Signed-off-by: Florian Westphal
---
doc/nft.xml | 6 +++---
include/datatype.h| 2 ++
src/evaluate.c| 9 +
src/meta.c| 31 +++
src/netlink_delinearize.c | 6 +
Shivani Bhardwaj wrote:
> Change the data type of len from unsigned int to int in order to make
> it valid for checks like
>
> if (len < 0)
>
> The issue was brought into attention by the unexplained behavior of
> frag with frag-off. Bugzilla entry:
> https://bugzilla.netfilter.org/show_bug.cgi?
Pablo Neira Ayuso wrote:
> Hi Florian,
>
> On Fri, Feb 26, 2016 at 08:19:34PM +0100, Florian Westphal wrote:
> > String is an unqualified type and we do not have a data element to
> > derive the element size from at set creation time.
> >
> > Add a new string su
given
table filter {
set local {
type iface_index
elements = { lo }
}
chain input {
type filter hook input priority 0;
iif { @lan, } accept;
}
}
nft BUG()s. I don't see how we could support sets-in-set; add a sanity
check and error out instead.
Signed-off-by: Fl
Pablo Neira Ayuso wrote:
> > Ok, but how do you plan to handle the key length?
>
> Right, in concatenations we can infer this from the lhs, but in set
> definitions there is no way.
Okay. So what's the plan there?
> What I would suggest is to recover a patch that Patrick submitted that
> intro
Shivani Bhardwaj wrote:
> Add missing packet type "invalid" for DCCP.
>
> Signed-off-by: Shivani Bhardwaj
> ---
> src/proto.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/proto.c b/src/proto.c
> index 0ed98ed..4d049f5 100644
> --- a/src/proto.c
> +++ b/src/proto.c
> @@ -443,6 +
Shivani Bhardwaj wrote:
> On Tue, Mar 1, 2016 at 6:47 PM, Florian Westphal wrote:
> > Shivani Bhardwaj wrote:
> >> Add missing packet type "invalid" for DCCP.
> >>
> >> Signed-off-by: Shivani Bhardwaj
> >> ---
> >> src/proto.c |
It's possible that we cannot find the template without also
considering an implicit mask. For this we need to store the offset.
Signed-off-by: Florian Westphal
---
include/expression.h | 1 +
src/exthdr.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/include/expression.h b
We should treat exthdr just as if user asked for e.g. ip6 saddr
and inject the needed dependency statement.
Signed-off-by: Florian Westphal
---
src/payload.c | 66 ++-
1 file changed, 38 insertions(+), 28 deletions(-)
diff --git a/src
t and move test for left type to
binop_postprocess.
Signed-off-by: Florian Westphal
---
src/netlink_delinearize.c | 15 +++
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index eec7d0f..30c5f62 100644
---
netlink_gen_payload_mask assumes expr is a payload expression,
but most of this function would work fine with exthdr too.
So split the generic part into a helper, followup patch will
add netlink_gen_exthdr_mask.
Signed-off-by: Florian Westphal
---
src/netlink_linearize.c | 35
Should treat this as if user would have asked to match ipv6 header field.
Signed-off-by: Florian Westphal
---
include/payload.h | 2 ++
src/evaluate.c| 17 ++---
src/payload.c | 15 +++
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/include
13bits wide.
We use the implicit binop mask to re-do the template lookup with
corrected offset and size information.
Signed-off-by: Florian Westphal
---
include/exthdr.h | 2 ++
src/exthdr.c | 31 +++
src/netlink_delinearize.c | 12
3
exthdr expression requires a dependency on ipv6; we can
thus remove an ipv6 protocol test if it's present.
Signed-off-by: Florian Westphal
---
src/netlink_delinearize.c | 13 ++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/netlink_delinearize.c b/src
This adds following enhancements and fixes for the exthdr
expression.
#1. Treat exthdr as if user asked for an ip6 protocol header field,
i.e. add ipv6 dependency for bridge/netdev/inet family.
#2. Add scaling and masking to handle protocol headers that have
non-byte divisible sizes.
Tested br
exthdr needs to be treated as if we'd test an ipv6 header field, i.e.
inet, bridge, netdev need to add a dependency on ipv6 protocol.
Signed-off-by: Florian Westphal
---
tests/py/ip6/dst.t.payload.inet | 30
tests/py/ip6/frag.t.payload.inet
dependency for them.
Signed-off-by: Florian Westphal
---
src/evaluate.c | 18 ++-
tests/py/any/frag.t | 67
tests/py/any/frag.t.payload | 109
tests/py/ip6/frag.t
mplate and undo the shift of the value.
Signed-off-by: Florian Westphal
---
src/netlink_linearize.c | 27 ---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 7715a28..7ff3b00 100644
--- a/src/netlink_l
Pablo Neira Ayuso wrote:
> On Tue, Mar 01, 2016 at 09:40:45PM +0100, Laura Garcia Liebana wrote:
> > Add translation for random mode to nftables. The nth mode is not
> > supported yet.
> >
> > Examples:
> >
> > $ iptables-translate -A INPUT -m statistic --mode random --probability
> > 0.1 -j ACC
Pablo Neira Ayuso wrote:
[ nft meta random ]
> I'm fine with the probability scaling, but I think we should keep this
> consistent with other selectors, so I would use lt and gte instead
> here.
>
> We can potentially use ranges here too and other available operations
> such as prefixes (althou
Pablo Neira Ayuso wrote:
> On Wed, Mar 02, 2016 at 01:37:38PM +0100, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> >
> > [ nft meta random ]
> >
> > > I'm fine with the probability scaling, but I think we should keep this
> > > cons
Jan Engelhardt wrote:
> On Wednesday 2016-03-02 13:10, Florian Westphal wrote:
> >> case XT_STATISTIC_MODE_RANDOM:
> >> if ((prandom_u32() & 0x7FFF) <
> >> info->u.random.probability)
> >>
> >> --probability s
Jan Engelhardt wrote:
>
> On Wednesday 2016-03-02 15:50, Florian Westphal wrote:
> >>
> >> "--probability" is meant to represent saying "with a probability
> >> of p=10%, ...". This does not mandate any particular operator.
> >
>
Pablo Neira Ayuso wrote:
> In all this thread you talk all the time on probability semantics,
> however the selector name is 'random'.
>
> Why don't you rename this to 'meta probability' instead?
>
> No changes in the semantics then, just use:
>
> meta probability 0.1
>
> and when expr
ut showing this implicit operator.
Future patches will add other cases where an operator
other than AND or EQ can be suppressed, so add an explicit
helper that can suppress the operator symbol.
Signed-off-by: Florian Westphal
---
src/expression.c | 20 +---
1 file changed, 13 insertions(
Signed-off-by: Florian Westphal
---
tests/py/any/meta.t | 16
tests/py/any/meta.t.payload | 15 +++
2 files changed, 31 insertions(+)
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index c10297a..4fa961f 100644
--- a/tests/py/any/meta.t
+++ b/tests
isting meta keys -- this way we do not allow statement
like 'meta probability ne 0.2' since parser will expect a probability
value instead of 'ne'.
Signed-off-by: Florian Westphal
---
NB: If you still dislike TYPE_PROBABILITY it would be possible
to handle the de-scaling duri
Jan Engelhardt wrote:
> On Thursday 2016-03-03 18:56, Florian Westphal wrote:
>
> >The float value has to be in range of 0.001 to 0.999 and
> >+
> >+if (tmp >= UINT_MAX || d > 0.999)
> >+return error(loc, "Pro
Jan Engelhardt wrote:
> >> >+ if (tmp >= UINT_MAX || d > 0.999)
> >> >+ return error(loc, "Probability " META_PROB_FMT " too
> >> >%s", d, "big");
> >>
> >> You are misappropriating some 430 points here. 0.999 maps to
> >> just 0xfe51.
> >
> >Sorry, I am not f
Jan Engelhardt wrote:
> On Friday 2016-03-04 12:12, Florian Westphal wrote:
> >Jan Engelhardt wrote:
> >> >> >+ if (tmp >= UINT_MAX || d > 0.999)
> >> >> >+ return error(loc, "Probability " META_
Shivani Bhardwaj wrote:
> Add translation for connlabel to nftables.
> Full translation for this match awaits the support for --set option.
Hmm, I sent patches for that a while ago, don't know why they were
not applied... Pablo?
> Examples:
>
> $ sudo iptables-translate -A INPUT -m connlabel --
Patrick McHardy wrote:
> Fix duplicated and incorrect assignments.
Ugh, my bad. Thanks for fixing this up!
Shivani Bhardwaj wrote:
> On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso wrote:
> > On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
> >> Shivani Bhardwaj wrote:
> >> > Add translation for connlabel to nftables.
> >> > Full transla
Zefir Kurtisi wrote:
> > Reproducing the crash
> > 1. build the firmware for the system to test
> >* use default configuration
> >* ensure to select CONFIG_BRIDGE_NETFILTER in kernel_menuconfig
> > 2. boot the device and access it over serial
> > 3. ensure br-lan bridge has at least two ac
We copy according to ->target|matchsize, so check that the netlink attribute
(which can include padding and might be larger) contains enough data.
Reported-by: Julia Lawall
Signed-off-by: Florian Westphal
---
net/netfilter/nft_compat.c | 6 ++
1 file changed, 6 insertions(+)
diff --gi
Need to fetch the offset from the exthdr template.
Signed-off-by: Florian Westphal
---
src/netlink_linearize.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 07f70e0..49b4676 100644
--- a/src/netlink_linearize.c
Signed-off-by: Florian Westphal
---
tests/py/ip6/frag.t | 8
tests/py/ip6/frag.t.payload.inet | 38 ++
tests/py/ip6/frag.t.payload.ip6 | 30 ++
3 files changed, 72 insertions(+), 4 deletions(-)
diff --git a
... else rule like vlan pcp 1-3 won't work and will be displayed
as 0-0 (reverse direction already works since range is represented
as two lte/gte compare expressions).
Signed-off-by: Florian Westphal
---
src/netlink_linearize.c | 2 ++
tests/py/bridge/vlan.t.payload
e bug will be fixed in a followup commit.
Signed-off-by: Florian Westphal
---
tests/py/inet/tcp.t | 2 +-
tests/py/nft-test.py | 18 --
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
index f99035e..9618e53 100644
--- a/tests
it already has to check
if nextoff is in range to catch invalid jumps, so just do the check
when we move to a next entry as well.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/arp_tables.c | 16
net/ipv4/netfilter/ip_tables.c | 15 ---
net/ipv6/netfil
Ben Hawkes says:
integer overflow in xt_alloc_table_info, which on 32-bit systems can
lead to small structure allocation and a copy_from_user based heap
corruption.
Reported-by: Ben Hawkes
Signed-off-by: Florian Westphal
---
net/netfilter/x_tables.c | 3 +++
1 file changed, 3 insertions
Arturo Borrero Gonzalez wrote:
> Reported by Debian lintian tool.
>
> Signed-off-by: Arturo Borrero Gonzalez
> ---
> extensions/libxt_rpfilter.man |2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
I pushed both patches to iptables master, thanks Arturo!
it already has to check
if nextoff is in range to catch invalid jumps, so just do the check
when we move to a next entry as well.
Also, check that the offset meets the xtables_entry alignment.
Reported-by: Ben Hawkes
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/arp_tables.c |
Pablo Neira Ayuso wrote:
> On Wed, Mar 09, 2016 at 12:04:21AM +0100, Florian Westphal wrote:
> > We copy according to ->target|matchsize, so check that the netlink attribute
> > (which can include padding and might be larger) contains enough data.
> >
> > Reported-by
Yigal Reiss (yreiss) wrote:
> Currently the "fail-open" feature in NFQUEUE passes packets only in the case
> where the limit comes from the queue size (queue->queue_total >=
> queue->queue_maxlen).
Right.
> In case where the qlen is high and the load is high, packets will be dropped
> as resu
David Miller wrote:
> From: Cyrill Gorcunov
> Date: Fri, 11 Mar 2016 01:40:56 +0300
>
> > On Thu, Mar 10, 2016 at 05:36:30PM -0500, David Miller wrote:
> >> >
> >> > Works like a charm! So David, what are the next steps then?
> >> > Mind to gather all your patches into one (maybe)?
> >>
> >> I
Piyush Pangtey wrote:
> Memory leak due to the absence of matching free :
> ==4797== 189 bytes in 27 blocks are definitely lost in loss record 22 of 51
> ==4797==at 0x4C2AB80: malloc (in
> /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==4797==by 0x57A3839: strdup (strdup.c:42)
> =
Patch #1 is a cleanup, #2 avoids ctnetlink even storm when label replacement
doesn't change anything, #3 is the actual change.
With patch #3 'ct label set ct label | foo' works, there are no changes
needed on nft/userspace side.
make the replace function only send a ctnetlink event if the contents
of the new set is different.
Otherwise 'ct label set ct label | bar'
will cause netlink event storm since we "replace" labels for each packet.
Signed-off-by: Florian Westphal
---
No changes since
Currently labels can only be set either by iptables connlabel
match or via ctnetlink.
Before adding nftables set support, clean up the clabel core and move
helpers that nft will not need after all to the xtables module.
Signed-off-by: Florian Westphal
---
Changes since v2:
keep
a label one has to use:
ct label set ct label | bar
as 'ct label set bar' will clear all other labels.
Signed-off-by: Florian Westphal
---
No changes since v2.
net/netfilter/nft_ct.c | 31 +++
1 file changed, 31 insertions(+)
diff --git a/net/netfil
a label one has to use:
ct label set ct label | bar
as 'ct label set bar' will clear all other labels.
Signed-off-by: Florian Westphal
---
Supersedes v3, kbuild robot reported error wrt. unhandled
case in nft_ct_destroy, add default: label.
net/netfilter/nft_ct.c | 33
Hi Pablo
This attempts to implement the set support via your proposed
setter attribute.
IOW instead of taking an sreg and replacing the entire label
area with whatever is contained therein take a bit number
passed in from userspace and set only that one bit.
So ct label set foo
will really mean
much the same way as '-m connlabel --set foo'.
Signed-off-by: Florian Westphal
---
I find the placement of the expr <-> attribute conversion
in netlink_(de)linearize to be pretty bad, but doing it
during stmt_evaluate_ct() requires extra member in
stmt->ct to store t
' label and leave the rest alone.
Signed-off-by: Florian Westphal
---
Pablo, I know it's too late for -next, I'm resending this now while
this stuff is fresh on my plate -- it's unlikely that this will cause
merge issues.
So if everything is fine I can resubmit once -next opens u
ed-off-by: Florian Westphal
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/ct.c | 31 +++
3 files changed, 34 insertions(+)
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
inde
Pablo Neira Ayuso wrote:
> If we have some generic way to parse immediates, this would look like:
>
> if (nfntl_attr_is_set(nle, NFTNL_EXPR_CT_SREG)) {
> ...
> } else if (nftnl_attr_is_set(nle, NFTNL_EXPR_CT_IMM)) {
> ...
> }
>
> Would this
Pablo Neira Ayuso wrote:
> On Tue, Mar 15, 2016 at 05:10:09PM +0100, Florian Westphal wrote:
> > Instead of taking the value to set from a source register, userspace
> > passes the bit that we should set as a netlink attribute.
> >
> > This follows a similar appro
Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > @@ -777,6 +778,7 @@ enum nft_ct_attributes {
> > > NFTA_CT_KEY,
> > > NFTA_CT_DIRECTION,
> > > NFTA_CT_SREG,
> > > + NFTA_CT_LABEL,
> >
> > We can probably add:
> >