so use 'ibridgename'
and 'obridgename' instead.
Old names are still recognized, listing shows the new names.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
doc/nft.xml| 8
src/meta.c | 15 +--
src/parser_bison.y
without it, you get:
nft list ct helpers table filter
Error: syntax error, unexpected string, expecting helper or helpers
Fixes: 14fd3ad720f6e ("src: prepare for future ct timeout policy support")
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/scanner.l | 1 +
1
add translations for ip, limit, log, mark, mark_m, nflog.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
NB: No tests yet, I need to implement 'ebtables-translate' first :-)
extensions/libebt_ip.c | 128 +
extensions/libebt_limit.c
Matthias Schiffer wrote:
> As an experiment, I created a reduced version of libnftnl by ripping out
> all import/export functions and related code like buffer handling. This
> reduced the size of libnftnl.so from 155KB to 110KB (on x86-64, -Os,
> stripped,
Phil Sutter wrote:
> Signed-off-by: Phil Sutter
> ---
> src/ct.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
I pushed this one, will review rest of series later today.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the
We will fail later when we can't parse the option, but that
failure only happens if the is actually used.
So in some cases things will work fine even if an extension
doesn't exist.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
iptables/xtables-eb.c | 17 ++---
1 file c
It's already there but it did not work because it wasn't loaded.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
iptables/xtables-eb.c | 16 ++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 33f785
: 0628b123c96d12 ("netfilter: nfnetlink: add batch support and use it from
nf_tables")
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 59 +++
1 file changed, 32 insertions(+), 27 deletions(-)
diff --git
set->name must be free'd here in case ops->init fails.
Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars")
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 8 +---
1 file changed, 5 insertions(+), 3 de
Signed-off-by: Florian Westphal <f...@strlen.de>
---
iptables/nft.c | 45 -
iptables/nft.h | 1 +
iptables/xtables-save.c | 8 +++-
iptables/xtables.c | 3 ++-
4 files changed, 14 insertions(+), 43 deletions(-)
diff
Signed-off-by: Florian Westphal <f...@strlen.de>
---
iptables/nft.c | 35 ++-
1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 91381419b9cb..a73c72bda7be 100644
--- a/iptables/nft.c
+++ b/iptables
proto is u16 in the data structure, so this gave:
nft-ipv6.c:422:44: warning: '__builtin___snprintf_chk' output may be truncated
before the last format character [-Wformat-truncation=]
Signed-off-by: Florian Westphal <f...@strlen.de>
---
iptables/nft-ipv4.c | 2 +-
iptables/nft-ipv6.c | 2
This allows xtables-compat to list all builtin tables unless one
contains nft specific expressions.
Tables that do not exist in xtables world are not printed anymore
(but a small hint is shown that such non-printable table(s) exist).
Signed-off-by: Florian Westphal <f...@strlen.de>
---
ip
F bits of ctmark 0xFFF(F)000F
> into the seventh hexadecimal (0) skb->mark 0xABC000(0)E.
>
> new_targetmark = (ctmark & ctmask) >> 12;
> (new) skb->mark = (skb->mark &~nfmask) ^
>new_targetmark;
>
> This will preserve the other bits that are n
Hi!
We are glad to announce a new round in the Netfilter Workshop series.
This year this event will take place in Berlin, Germany, from 15th
June to 18th June, 2018 [1].
The event will be hosted by Individual Network Berlin e.V. close to
Berlin Hauptbahnhof.
The Netfilter Workshop (NFWS) is the
rules exist no rule will need 64bit translation.
Reported-by: Dmitry Vyukov <dvyu...@google.com>
Fixes: 7d7d7e02111e9 ("netfilter: compat: reject huge allocation requests")
Signed-off-by: Florian Westphal <f...@strlen.de>
---
This change fixes ebtables for me;
adding a --limit 1
Dmitry Vyukov wrote:
> One question:
>
> > We will need to special-case compat_table_info() in ebtables.c to
> > either not allocate the compat array for nentries == 0, or pretend
> > it was 1.
>
> nentries == 0 is returned to us by EBT_SO_GET_INIT_INFO, and I think
> there
c9d0658597f528f815d820fd
> Author: Florian Westphal <f...@strlen.de>
> Date: Tue Feb 27 19:42:35 2018 +0100
> netfilter: compat: reject huge allocation requests
>
> But I don't know if it's a problem with kernel or with our code (it
kernel.
> The idea behind checkpoi
>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 284bcc502346..eb673d52c6f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -99,7 +99,7 @@ AM_CONDITIONAL([BUILD_CLI], [tes
We can now call the helper again, with set->init as new RHS expression.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/evaluate.c | 30 +-
1 file changed, 1 insertion(+), 29 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 964
Needed by followup patch. EXPR_SET_REF handling is bonkers, it
"works" when using { key : value } because ->key and ->left are aliased
in struct expr to the same location.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/evaluate.c | 4
1 file changed, 4 ins
... to reuse this in a followup patch.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/evaluate.c | 47 ---
1 file changed, 28 insertions(+), 19 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 967ad162e46e..189f1ea4fa6d
binop transfer is responsible to apply needed shift operations
to the right hand side of a relational expression.
Split binop_transfer into different helpers to make it easier
to add EXPR_CONCAT handling later on.
While at it, also get rid of SET_REF and use recursive call instead.
to reuse this in a followup patch.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/evaluate.c | 47 +++
1 file changed, 31 insertions(+), 16 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 189f1ea4fa6d..acbb1234972a
Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Mon, Apr 02, 2018 at 10:30:12PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > > On Sun, Apr 01, 2018 at 12:47:47AM +0200, Florian Westphal wrote:
> > > > t
to different expectation class and have SIP tracker ignore soft-error.
Reported-by: Callum Sinclair <callum.sincl...@alliedtelesis.co.nz>
Tested-by: Callum Sinclair <callum.sincl...@alliedtelesis.co.nz>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_connt
Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Sun, Apr 01, 2018 at 12:47:47AM +0200, Florian Westphal wrote:
> > this makes following failing test case work:
> > ip6 dscp vmap { 0x04, ..
> >
> > problem was that the 6bit dscp value spans a byte bounda
based on the previous
payload size, we get a set with a keysize of 1 that is then
populated with keys of size 2 (which causes a kernel error).
So, fixup the set size so kernel is told to expect 2-byte keys
in this case.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
diff --git
Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> Cc'ing Arturo, he added the ebtables-compat layer so he probably
> remember more details on this.
>
> On Sat, Mar 31, 2018 at 07:17:41PM +0200, Florian Westphal wrote:
> > This (hacky) patch translates 'ebtables --mark
Pablo Neira Ayuso wrote:
> > diff --git a/tests/py/ip/masquerade.t b/tests/py/ip/masquerade.t
> > index 26c3704316ae..41f0e98aa6fb 100644
> > --- a/tests/py/ip/masquerade.t
> > +++ b/tests/py/ip/masquerade.t
> > @@ -27,4 +27,4 @@ ip saddr 10.1.1.1 masquerade drop;fail
> > #
This (hacky) patch translates 'ebtables --mark' to a native 'meta mark'
and dissects meta mark back to the ebt_mark_m binary representation when
parsing back nftables rules.
Plan is to do this for all the ebt matches/watchers/targets so that
1. 'nft list ruleset' shows correct/expected output
2.
a gazillion of warnings, will fix in followup commit.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
tests/py/nft-test.py | 4
1 file changed, 4 insertions(+)
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 87e3d51ec2dd..7998914aa418 100755
--- a/tests/py/nft-test.py
+++ b
nft-test.py currently fails to properly compare tests involving a set,
after that bug is fixed these lines would fail, so fix this up before.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
tests/py/any/ct.t | 4 ++--
tests/py/any/meta.
Forgot to include '!=', this doesn't trigger at the moment due to
a bug in nft-test.py, so fix this before fixing our test script.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
tests/py/ip6/mh.t | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/py/ip6/mh.t b
it.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/netlink_delinearize.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 754a307e99f5..2126cf20c995 100644
--- a/src/netlink_delinearize.c
+++
nft-test.py currently fails to properly compare tests involving a set,
after that bug is fixed these lines would fail, so fix this up before.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
tests/py/ip/masquerade.t| 2 +-
tests/py/ip/redirect.t | 4 ++--
tests
nft-test.py has a bug where it won't check beginning of rule when
a set is used, i.e.
foo { set } bar;ok; baz { set } bar
passes, because we only check after {.
Fixing that revealed two issues, fixed in first two patches.
Rest fixes up test suite to avoid false positives (the expected
test
old:
add @set5{ ip6 saddr . ip6 daddr}
new:
add @set5 { ip6 saddr . ip6 daddr}
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/statement.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/statement.c b/src/statement.c
index b8e0b036b9eb..f81e0123adda
Fernando Fernandez Mancera wrote:
> +struct xt_osf_opt {
> +__u16 kind, length;
> +struct xt_osf_wcwc;
> +};
Please leave xt_foo things in the xt_osf header.
> +bool nf_osf_match(const struct sk_buff *skb, u_int8_t family,
> +
Phil Sutter wrote:
> > is hard to read. So, lets just add icmp/icmpv6 to
> > ip/ip6 protocol base so users can just go with
> >
> > icmp type destination-unreachable
>
> Does this then lead to generating protocol dependency in e.g. inet
> table?
What's the expected behaviour
to not remove the
dependency can be reverted again.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
diff --git a/src/proto.c b/src/proto.c
index a54090a..8cf29d2 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -591,6 +591,7 @@ const struc
that won't restore because of ip vs ipv6 conflict.
After this patch, this lists as
meta l4proto icmp icmp type destination-unreachable
instead. We still remove the dependency in "ip" family.
Same applies to icmpv6-in-ip.
Reported-by: Phil Sutter <p...@nwl.cc>
Signed-o
Fernando Fernandez Mancera wrote:
> Added nf_osf_ttl() and nf_osf_match() into nf_osf.c in order to start
> the nftables OSF implementation.
> diff --git a/include/uapi/linux/netfilter/nf_osf.h
> b/include/uapi/linux/netfilter/nf_osf.h
> new file mode 100644
> index
-by: Phil Sutter <p...@nwl.cc>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/netlink_linearize.c | 4
1 file changed, 4 insertions(+)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 1c06fc0..716e962 100644
--- a/src/netlink_linearize.c
+++ b/src/netli
Duncan Roe wrote:
> I ran the following command:
>
> ispell -p ./ispell_nft -H nft.xml
>
> to create the local dictionary ispell_nft.
> ispell_nft contains almost every special word in nft.xml.
> The idea is that anyone can run ispell the same way and only have to
Subash Abhinov Kasiviswanathan wrote:
> skb_header_pointer will copy data into a buffer if data is non linear,
> otherwise it will return a pointer in the linear section of the data.
> nf_sk_lookup_slow_v{4,6} always copies data of size udphdr but later
> accesses memory
s for template ct on every target/match
> manipulating skb->_nfct, simply drop the template ct when skipping
> nf_conntrack_in().
Fixes: 7b4fdf77a450ec ("netfilter: don't track fragmented packets")
Acked-by: Florian Westphal <f...@strlen.de>
Phil Sutter wrote:
> > This is clashing with existing fixes in nf.git.
> TBH, I never know which kernel to test against. Candidates usually are
> nf-next, nf, net-next and sometimes even net. Probably business as
> usual, or do you have a suggestion as to what I should "default" to?
Phil Sutter wrote:
> This tests what kernel commit ae6153b50f9bf ("netfilter: nf_tables:
> permit second nat hook if colliding hook is going away") fixed for.
Applied, thank you.
Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to
set elements")
Fixes: f25ad2e907f1 ("netfilter: nf_tables: prepare for expressions associated
to set elements")
Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
Sign
Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Tue, Mar 20, 2018 at 12:43:33PM +0100, Florian Westphal wrote:
> > I don't understand why push,ack is invalid in first place.
> > If we do not have a valid connection at this point then a pure
> > ack wo
Pablo Neira Ayuso wrote:
> The example rule in the iptables-extensions(8) manpage suggests:
>
> iptables -A INPUT -i eth0 -p tcp --dport 80
> -m state --state UNTRACKED,INVALID -j SYNPROXY
> --sack-perm --timestamp --mss 1460
kbuild test robot wrote:
> -bool nf_tables_allow_nat_conflict(const struct net *net,
> - const struct nf_hook_ops *ops)
> +static bool nf_tables_allow_nat_conflict(const struct net *net,
> + const struct
Duncan Roe wrote:
> Fix a few more items as per commit f9cb9580b924f6320005f429f7d59e52a38aff82
>
> Also insert a missing space I noticed along the way
Applied, thanks.
and the beginning of the new attribute.
Zero it to silence memory sanitizer output.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/attr.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/attr.c b/src/attr.c
index 4f131874c11e..0359ba959d7a 100644
--- a/src/attr.c
+++
the exception once.
Fixes: f92b40a8b2645 ("netfilter: core: only allow one nat hook per hook point")
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 64 ++-
1 file changed, 63 insertions(+), 1 deletion(-)
also mention how to quit interactive mode and provide
small table add example.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
doc/nft.xml | 63 -
1 file changed, 62 insertions(+), 1 deletion(-)
diff --git a/doc/nft.xml
Jack Ma wrote:
> Are these patches likely to be reviewed recently?
>
> Also, any recommended maintainer for delivery :P?
Sorry, I forgot about your mail.
In the future, please re-ping after I did not reply for 3 days or so.
There is no record of your patches at
Signed-off-by: Florian Westphal <f...@strlen.de>
---
tests/py/ip6/srh.t | 22
tests/py/ip6/srh.t.payload | 64 ++
2 files changed, 86 insertions(+)
create mode 100644 tests/py/ip6/srh.t
create mode 100644 tests/
>
Fixes: 1400288f6d39d ("src: handle rt0 and rt2 properly")
Reported-by: Phil Sutter <p...@nwl.cc>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
NB: Kernel change that introduced RT0, 2 , 4 can be reverted now.
doc/nft.xml | 13 +
i
else is found we at least have a non-ideal
match rather than no match at all.
Fixes: 6c03ae210ce3 ("netfilter: nft_set_hash: add non-resizable hashtable
implementation")
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 5 -
net/netfilter/nft_set
David Miller wrote:
[ flow tables ]
> Ok, that seems to constrain the exposure.
>
> We should talk at some point about how exposed conntrack itself is.
Sure, we can do that.
If you have specific scenarios (synflood, peer that opens
100k (legitimate) connections,
David Miller wrote:
> From: Felix Fietkau
> Date: Mon, 12 Mar 2018 20:30:01 +0100
>
> > It's not dead and useless. In its current state, it has a software fast
> > path that significantly improves nftables routing/NAT throughput,
> > especially on embedded
Stéphane Veyret <svey...@gmail.com> wrote:
> 2018-03-12 12:25 GMT+01:00 Florian Westphal <f...@strlen.de>:
> > (Or i still fail to understand what you want to do, it does
> > sound exactly like expectations, e.g. for ftp data channel in
> > response to PA
Arturo Borrero Gonzalez <art...@netfilter.org> wrote:
> On 12 March 2018 at 12:36, Florian Westphal <f...@strlen.de> wrote:
> > +
> > +install-data-hook:
> > + ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
> > --
>
> The
the '_array' variant is just a wrapper for get/set api; this
allows the array variant to be removed from libnftnl.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/netlink.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
rt...@netfilter.org>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
Makefile.am| 1 +
configure.ac | 2 ++
files/Makefile.am | 1 +
files/examples/Makefile.am | 18 ++
4 files changed, 22 insertions(+)
create mode 100644 files/Mak
Stéphane Veyret wrote:
> A few words on the specs I imagined for the port triggering:
>
> table ip trigger {
> chain postrouting {
> type filter hook postrouting priority 0;
> ip dport 554 trigger open rtsp timeout 300 # Open the
> trigger named rtsp
Arushi Singhal wrote:
> On Mon, Mar 12, 2018 at 2:17 AM, Pablo Neira Ayuso
> wrote:
>
> > Hi Joe,
> >
> > On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote:
> > > On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote:
> > > >
Toralf Förster <toralf.foers...@gmx.de> wrote:
> On 03/10/2018 10:16 PM, Florian Westphal wrote:
> > Toralf Förster <toralf.foers...@gmx.de> wrote:
> >> At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this
> >> rule:
> >>
> &g
Signed-off-by: Florian Westphal <f...@strlen.de>
---
doc/nft.xml | 81 +++--
1 file changed, 79 insertions(+), 2 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index f7cf077..d3765fa 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@
Arushi Singhal wrote:
> I'll resend the patch according to your suggestions.
>
> Just for curiosity wanted to ask why not netdev_*().
netfilter is not a network driver.
> > > register_net_sysctl(net, "net/netfilter", table);
> > > if
Toralf Förster wrote:
> At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this rule:
>
> /sbin/iptables -A OUTPUT -p tcp --destination-port 443 --syn --match
> connlimit --connlimit-above 3000 --connlimit-mask 0 --connlimit-daddr --match
> limit
c.duma...@gmail.com>
Reported-by: <syzbot+0502b00edac2a0680...@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
include/linux/netfilter/x_tables.h | 2 ++
net/netfilter/x_tables.c | 30 ++
net/netfilter/xt_
Cong Wang wrote:
> On Fri, Mar 9, 2018 at 2:58 PM, Eric Dumazet wrote:
> >
> >
> > On 03/09/2018 02:56 PM, Eric Dumazet wrote:
> >
> >>
> >> I sent a patch a while back, but Pablo/Florian wanted more than that
> >> simple fix.
> >>
> >> We also
Eric Dumazet wrote:
> >>fs/proc/generic.c:354
> >
> >We need to reject empty names.
> >
>
> I sent a patch a while back, but Pablo/Florian wanted more than that simple
> fix.
>
> We also need to filter special characters like '/'
>
> Or maybe I am mixing with something
f ("bridge: ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
v5: this is really v3 again, but with explicit (int)sizeof()
cast rather than use of temporary 'int mi
Stéphane Veyret wrote:
> Hi,
>
> I saw that patches have been written some years ago for port
> triggering in Netfilter, but no such feature is currently available in
> the kernel. Is there any reason for that? If I write and submit such a
> patch as Xtables-addons module,
Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> All existing keys, except the NFT_CT_SRC and NFT_CT_DST are assumed to
> have strict datatypes. This is causing problems with sets and
> concatenations given the specific length of these keys is not known.
Acked-by: Florian Westphal
f ("bridge: ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
v4: rewrite wormhash_offset_invalid to make it clearer that
'off' is <= INT_MAX, objdump doesn
Eric Dumazet <eric.duma...@gmail.com> wrote:
>
>
> On 03/08/2018 04:24 PM, Florian Westphal wrote:
> >Eric Dumazet <eric.duma...@gmail.com> wrote:
> >>>Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks&q
Eric Dumazet <eric.duma...@gmail.com> wrote:
> >Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
> >Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com>
> >Signed-off-by: Florian Westphal <f...@strlen.de>
>
f ("bridge: ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/bridge/netfilter/ebt_among.c | 35 +++
1 file changed, 35 insert
ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com>
Cc: Paolo Abeni <pab...@redhat.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/bridge/netfilter/ebt_among.c | 40 +
The last rule in the blob has next_entry offset that is same as total size.
This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel.
Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust
userland offsets")
Signed-off-by: Florian West
Florian Westphal <f...@strlen.de> wrote:
> ebt_among is special, it has a dynamic match size and is exempt
> from the central size checks.
>
> commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
> added validation for pool size,
same rules from the earlier patch.
Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
Paolo, if you have time it would be
Arturo Borrero Gonzalez wrote:
> On 5 March 2018 at 23:57, Laura Garcia Liebana wrote:
>
> > 141 files changed, 837 insertions(+), 526 deletions(-)
>
> Better place a new script as a testcase, and all the required dump
> files somewhere for it to read
I placed the helpers within CONFIG_COMPAT section, move them
outside.
Fixes: 472ebdcd15ebdb ("netfilter: x_tables: check error target size too")
Fixes: 07a9da51b4b6ae ("netfilter: x_tables: check standard verdicts in core")
Signed-off-by: Florian Westphal <f...@strlen
Paolo Abeni wrote:
> Currently, when copying ebt compat entries, no checks are in place
> for the offsets provided by user space, so that syzbot was able to
> trigger the following splat:
> ---
> net/bridge/netfilter/ebtables.c | 2 +-
> 1 file changed, 1 insertion(+), 1
ber of connections where 'tuple' is not provided. Therefore,
> proper changes are made on nf_conncount_count() to support the case where
> 'tuple' is NULL. This could be useful for querying statistics or
> debugging purpose.
Acked-by: Florian Westphal <f...@strlen.de>
Yi-Hung Wei <yihung@gmail.com> wrote:
> Remove parameter 'family' in nf_conncount_count() and count_tree().
> It is because the parameter is not useful after commit 625c556118f3
> ("netfilter: connlimit: split xt_connlimit into front and backend").
Acked-by: Florian
Matthias Schiffer wrote:
> I recently found myself in a situation that required me to filter IGMP
> packets of certain types on a bridge. Switching to nftables is
> unfortunately not an option at the moment because of hardware constraints,
> in particular regarding
examples: add ct helper examples
files: add load balance example
meta: introduce datatype ifname_type
Baruch Siach (1):
src: fix build with older glibc
David Fabian (1):
Added undefine/redefine keywords
Duncan Roe (1):
doc/nft.xml: fix typo
Florian Westphal (16):
Yi-Hung Wei <yihung@gmail.com> wrote:
> On Thu, Mar 1, 2018 at 12:09 AM, Florian Westphal <f...@strlen.de> wrote:
> > Yi-Hung Wei <yihung@gmail.com> wrote:
> >> Currently, nf_conncount_count() counts the number of connections that
> >> matches k
similar to previous patch, but instead of snprintf+temporary use sscanf.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
Harsha sent a patch to replace strncpy by snprintf but in this
case we can avoid temporary buffer completely.
src/datatype.c | 21 ++---
1 file c
Harsha Sharma wrote:
> For e.g.
>
> nft -c " "
> nft: no command specified
>
> Without this patch it segfaults.
Applied, thanks for following up.
I made one small change:
> + if (list_empty(>cmds)) {
> + fprintf(stderr, "nft: no command
Pablo Neira Ayuso wrote:
> This patch removes the following macros:
[..]
Applied, thanks for cleaning this up.
Yi-Hung Wei wrote:
> Currently, nf_conncount_count() counts the number of connections that
> matches key and inserts a conntrack 'tuple' associated with the key into
> the accounting data structure. This patch supports another use case that
> only counts the number of
Yi-Hung Wei wrote:
> This patch contains two parts.
>
> 1. Remove parameter 'family' in nf_conncount_count() and count_tree().
> Before commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit
> into front and backend"), 'family' was used to determine the type
> of