* [PATCH 0/2] Netfilter fixes for net
@ 2015-12-22 17:53 Pablo Neira Ayuso
2015-12-22 17:53 ` [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header Pablo Neira Ayuso
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains two netfilter fixes:
1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
attribute, from Florian Westphal.
2) Another oneliner for nf_tables to use skb->protocol from the new
netdev family, we can't assume ethernet there.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 73796d8bf27372e26c2b79881947304c14c2d353:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2015-12-17 14:05:22 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to d5f79b6e4d169039903cc869e16e59ad861dd479:
netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key (2015-12-18 14:45:45 +0100)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key
Pablo Neira Ayuso (1):
netfilter: nf_tables: use skb->protocol instead of assuming ethernet header
net/netfilter/nf_tables_netdev.c | 2 +-
net/netfilter/nft_ct.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
* [PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Otherwise we may end up with incorrect network and transport header for
other protocols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_netdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c
index 7b9c053..edb3502f 100644
--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -94,7 +94,7 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb,
{
struct nft_pktinfo pkt;
- switch (eth_hdr(skb)->h_proto) {
+ switch (skb->protocol) {
case htons(ETH_P_IP):
nft_netdev_set_pktinfo_ipv4(&pkt, skb, state);
break;
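Review bot: The changelog does not say why `eth_hdr(skb)->h_proto` is wrong at the `switch` in nft_do_chain_netdev() or which devices are affected; "other protocols" is all it gives. Suggest stating in the commit message that the netdev family can see packets on devices with no Ethernet header, so the MAC header cannot be read as a `struct ethhdr`, and adding a Fixes: tag for the commit that introduced the assumption so stable trees can pick this up. Only the `htons(ETH_P_IP)` case is visible here; it is also worth confirming that the remaining cases and the default path still set up pktinfo sensibly when `skb->protocol` carries a value none of them match.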
--
2.1.4
* [PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key
From: Pablo Neira Ayuso @ 2015-12-22 17:53 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
one nft userspace test case fails with
'ct l3proto original ipv4' mismatches 'ct l3proto ipv4'
... because NFTA_CT_DIRECTION attr is missing.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_ct.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 8cbca34..9399215 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -366,6 +366,7 @@ static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
goto nla_put_failure;
switch (priv->key) {
+ case NFT_CT_L3PROTOCOL:
case NFT_CT_PROTOCOL:
case NFT_CT_SRC:
case NFT_CT_DST:
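Review bot: The new `case NFT_CT_L3PROTOCOL:` label works only by falling through into the branch shared with NFT_CT_PROTOCOL, NFT_CT_SRC and NFT_CT_DST, and the body that emits NFTA_CT_DIRECTION lies outside the visible context, so the dependency is implicit. Please check that this case list matches the set of keys for which the init path accepts a direction, so that dump and init stay symmetric and a ruleset round-trips; the failing test quoted in the changelog ('ct l3proto original ipv4' vs 'ct l3proto ipv4') is exactly that kind of mismatch. A Fixes: tag naming the commit that left this key out of the dump would make the backport target clear.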
--
2.1.4
* Re: [PATCH 0/2] Netfilter fixes for net
From: David Miller @ 2015-12-22 19:55 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 22 Dec 2015 18:53:15 +0100
> The following patchset contains two netfilter fixes:
>
> 1) Oneliner from Florian to dump missing NFT_CT_L3PROTOCOL netlink
> attribute, from Florian Westphal.
>
> 2) Another oneliner for nf_tables to use skb->protocol from the new
> netdev family, we can't assume ethernet there.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.