* [PATCH 0/2] Netfilter fixes for net
@ 2015-12-22 17:53 Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two netfilter fixes:

1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
   attribute, from Florian Westphal.

2) Another oneliner for nf_tables to use skb->protocol from the new
   netdev family, we can't assume ethernet there.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 73796d8bf27372e26c2b79881947304c14c2d353:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2015-12-17 14:05:22 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to d5f79b6e4d169039903cc869e16e59ad861dd479:

  netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key (2015-12-18 14:45:45 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key

Pablo Neira Ayuso (1):
      netfilter: nf_tables: use skb->protocol instead of assuming ethernet header

 net/netfilter/nf_tables_netdev.c | 2 +-
 net/netfilter/nft_ct.c           | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)


* [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header
  2015-12-22 17:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
@ 2015-12-22 17:53 ` Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key Pablo Neira Ayuso
  2015-12-22 19:55 ` [PATCH 0/2] Netfilter fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Otherwise we may end up with incorrect network and transport header for
other protocols.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_netdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c
index 7b9c053..edb3502f 100644
--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -94,7 +94,7 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb,
 {
 	struct nft_pktinfo pkt;
 
-	switch (eth_hdr(skb)->h_proto) {
+	switch (skb->protocol) {
 	case htons(ETH_P_IP):
 		nft_netdev_set_pktinfo_ipv4(&pkt, skb, state);
 		break;
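
Review bot: the changelog does not say why eth_hdr(skb)->h_proto is unsafe at the switch in nft_do_chain_netdev(); "incorrect network and transport header for other protocols" leaves the reader to work out the failing case. The cover letter is clearer ("we can't assume ethernet there"), so please carry that into the commit message: say that the code cannot assume an ethernet header in the netdev family, and that the value switched on selects which nft_netdev_set_pktinfo_*() helper sets up the packet info, so a wrong value leaves rules matching against wrong header offsets. A Fixes: tag naming the commit that introduced the eth_hdr() lookup would also help stable backporters, since this affects how packets are classified by a filtering hook.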
-- 
2.1.4



* [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key
  2015-12-22 17:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
@ 2015-12-22 17:53 ` Pablo Neira Ayuso
  2015-12-22 19:55 ` [PATCH 0/2] Netfilter fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

one nft userspace test case fails with

'ct l3proto original ipv4' mismatches 'ct l3proto ipv4'

... because NFTA_CT_DIRECTION attr is missing.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_ct.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 8cbca34..9399215 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -366,6 +366,7 @@ static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
 		goto nla_put_failure;
 
 	switch (priv->key) {
+	case NFT_CT_L3PROTOCOL:
 	case NFT_CT_PROTOCOL:
 	case NFT_CT_SRC:
 	case NFT_CT_DST:
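
Review bot: the new `case NFT_CT_L3PROTOCOL:` label in nft_ct_get_dump() depends on falling through into the body shared with NFT_CT_PROTOCOL, NFT_CT_SRC and NFT_CT_DST, and that body is outside the hunk, so the patch alone does not show that NFTA_CT_DIRECTION is what gets emitted. Please state in the changelog that this is the branch that puts NFTA_CT_DIRECTION, and confirm that a direction is always set for this key when the expression is created, so the dump cannot report a direction the user never supplied. The changelog could also name the failing nft test case and add a Fixes: tag, since a ruleset that does not round-trip through dump matters to anyone auditing or restoring firewall rules.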
-- 
2.1.4



* Re: [PATCH 0/2] Netfilter fixes for net
  2015-12-22 17:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key Pablo Neira Ayuso
@ 2015-12-22 19:55 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2015-12-22 19:55 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 22 Dec 2015 18:53:15 +0100

> The following patchset contains two netfilter fixes:
> 
> 1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
>    attribute, from Florian Westphal.
> 
> 2) Another oneliner for nf_tables to use skb->protocol from the new
>    netdev family, we can't assume ethernet there.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

