netdev.vger.kernel.org archive mirror
* [PATCH 0/2] Netfilter fixes for net
@ 2015-12-22 17:53 Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two netfilter fixes:

1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
   attribute, from Florian Westphal.

2) Another oneliner for nf_tables to use skb->protocol from the new
   netdev family, we can't assume ethernet there.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 73796d8bf27372e26c2b79881947304c14c2d353:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2015-12-17 14:05:22 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to d5f79b6e4d169039903cc869e16e59ad861dd479:

  netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key (2015-12-18 14:45:45 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key

Pablo Neira Ayuso (1):
      netfilter: nf_tables: use skb->protocol instead of assuming ethernet header

 net/netfilter/nf_tables_netdev.c | 2 +-
 net/netfilter/nft_ct.c           | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)


* [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header
  2015-12-22 17:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
@ 2015-12-22 17:53 ` Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key Pablo Neira Ayuso
  2015-12-22 19:55 ` [PATCH 0/2] Netfilter fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Otherwise we may end up with incorrect network and transport header for
other protocols.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_netdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c
index 7b9c053..edb3502f 100644
--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -94,7 +94,7 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb,
 {
 	struct nft_pktinfo pkt;
 
-	switch (eth_hdr(skb)->h_proto) {
+	switch (skb->protocol) {
 	case htons(ETH_P_IP):
 		nft_netdev_set_pktinfo_ipv4(&pkt, skb, state);
 		break;
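Review bot: the switch on skb->protocol in nft_do_chain_netdev() has no comment explaining why eth_hdr(skb)->h_proto is unsafe here, and the commit message says only "other protocols" without naming a case. Suggest a one-line comment above the switch noting that the netdev family cannot assume an ethernet header, so a later cleanup does not revert to eth_hdr(). The context shows only the ETH_P_IP case; the commit message should also say how packets whose skb->protocol matches no case are handled, since a wrong match is what produces the incorrect network and transport header it mentions.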
-- 
2.1.4



* [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key
  2015-12-22 17:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
@ 2015-12-22 17:53 ` Pablo Neira Ayuso
  2015-12-22 19:55 ` [PATCH 0/2] Netfilter fixes for net David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

one nft userspace test case fails with

'ct l3proto original ipv4' mismatches 'ct l3proto ipv4'

... because NFTA_CT_DIRECTION attr is missing.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_ct.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 8cbca34..9399215 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -366,6 +366,7 @@ static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
 		goto nla_put_failure;
 
 	switch (priv->key) {
+	case NFT_CT_L3PROTOCOL:
 	case NFT_CT_PROTOCOL:
 	case NFT_CT_SRC:
 	case NFT_CT_DST:
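Review bot: the new case NFT_CT_L3PROTOCOL in nft_ct_get_dump() relies on fall-through into a body that lies outside the hunk, and nothing visible ties this case list to the keys for which NFTA_CT_DIRECTION is accepted when the expression is parsed. Suggest adding a Fixes: tag naming the commit that left NFT_CT_L3PROTOCOL out of the dump path, and checking that this list matches the parsing side key for key, since a mismatch only surfaces as a userspace round-trip failure like the 'ct l3proto original ipv4' one quoted in the message.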
-- 
2.1.4



* Re: [PATCH 0/2] Netfilter fixes for net
  2015-12-22 17:53 [PATCH 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
  2015-12-22 17:53 ` [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key Pablo Neira Ayuso
@ 2015-12-22 19:55 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2015-12-22 19:55 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 22 Dec 2015 18:53:15 +0100

> The following patchset contains two netfilter fixes:
> 
> 1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
>    attribute, from Florian Westphal.
> 
> 2) Another oneliner for nf_tables to use skb->protocol from the new
>    netdev family, we can't assume ethernet there.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.
