* [PATCH 1/8] netfilter: nf_ct_helper: warn when not applying default helper assignment
2017-02-23 11:14 [PATCH 0/8] Netfilter fixes for net Pablo Neira Ayuso
@ 2017-02-23 11:14 ` Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 2/8] netfilter: ctnetlink: Fix regression in CTA_STATUS processing Pablo Neira Ayuso
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-23 11:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jiri Kosina <jkosina@suse.cz>
Commit 3bb398d925 ("netfilter: nf_ct_helper: disable automatic helper
assignment") is causing behavior regressions in firewalls, as traffic
handled by conntrack helpers is now by default not passed through even
though it was before due to missing CT targets (which were not necessary
before this commit).
The default had to be switched off due to security reasons [1] [2] and
therefore should stay the way it is, but let's be friendly to firewall
admins and issue a warning the first time we're in situation where packet
would be likely passed through with the old default but we're likely going
to drop it on the floor now.
Rewrite the code a little bit as suggested by Linus, so that we avoid
spaghettiing the code even more -- namely the whole decision making
process regarding helper selection (either automatic or not) is being
separated, so that the whole logic can be simplified and code (condition)
duplication reduced.
[1] https://cansecwest.com/csw12/conntrack-attack.pdf
[2] https://home.regit.org/netfilter-en/secure-use-of-helpers/
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_helper.c | 39 ++++++++++++++++++++++++-------------
1 file changed, 26 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 7341adf7059d..6dc44d9b4190 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -188,6 +188,26 @@ nf_ct_helper_ext_add(struct nf_conn *ct,
}
EXPORT_SYMBOL_GPL(nf_ct_helper_ext_add);
+static struct nf_conntrack_helper *
+nf_ct_lookup_helper(struct nf_conn *ct, struct net *net)
+{
+ if (!net->ct.sysctl_auto_assign_helper) {
+ if (net->ct.auto_assign_helper_warned)
+ return NULL;
+ if (!__nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple))
+ return NULL;
+ pr_info("nf_conntrack: default automatic helper assignment "
+ "has been turned off for security reasons and CT-based "
+ " firewall rule not found. Use the iptables CT target "
+ "to attach helpers instead.\n");
+ net->ct.auto_assign_helper_warned = 1;
+ return NULL;
+ }
+
+ return __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
+}
+
+
int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
gfp_t flags)
{
@@ -213,21 +233,14 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
}
help = nfct_help(ct);
- if (net->ct.sysctl_auto_assign_helper && helper == NULL) {
- helper = __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
- if (unlikely(!net->ct.auto_assign_helper_warned && helper)) {
- pr_info("nf_conntrack: automatic helper "
- "assignment is deprecated and it will "
- "be removed soon. Use the iptables CT target "
- "to attach helpers instead.\n");
- net->ct.auto_assign_helper_warned = true;
- }
- }
if (helper == NULL) {
- if (help)
- RCU_INIT_POINTER(help->helper, NULL);
- return 0;
+ helper = nf_ct_lookup_helper(ct, net);
+ if (helper == NULL) {
+ if (help)
+ RCU_INIT_POINTER(help->helper, NULL);
+ return 0;
+ }
}
if (help == NULL) {
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/8] netfilter: ctnetlink: Fix regression in CTA_STATUS processing
2017-02-23 11:14 [PATCH 0/8] Netfilter fixes for net Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 1/8] netfilter: nf_ct_helper: warn when not applying default helper assignment Pablo Neira Ayuso
@ 2017-02-23 11:14 ` Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 3/8] netfilter: ctnetlink: Fix regression in CTA_HELP processing Pablo Neira Ayuso
` (6 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-23 11:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Kevin Cernekee <cernekee@chromium.org>
The libnetfilter_conntrack userland library always sets IPS_CONFIRMED
when building a CTA_STATUS attribute. If this toggles the bit from
0->1, the parser will return an error. On Linux 4.4+ this will cause any
NFQA_EXP attribute in the packet to be ignored. This breaks conntrackd's
userland helpers because they operate on unconfirmed connections.
Instead of returning -EBUSY if the user program asks to modify an
unchangeable bit, simply ignore the change.
Also, fix the logic so that user programs are allowed to clear
the bits that they are allowed to change.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nf_conntrack_common.h | 4 ++++
net/netfilter/nf_conntrack_netlink.c | 26 +++++++++++++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
index 6d074d14ee27..6a8e33dd4ecb 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -82,6 +82,10 @@ enum ip_conntrack_status {
IPS_DYING_BIT = 9,
IPS_DYING = (1 << IPS_DYING_BIT),
+ /* Bits that cannot be altered from userland. */
+ IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
+ IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING),
+
/* Connection has fixed timeout. */
IPS_FIXED_TIMEOUT_BIT = 10,
IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 27540455dc62..bf04b7e9d6f7 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2270,6 +2270,30 @@ ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
}
static int
+ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
+{
+ unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
+ unsigned long d = ct->status ^ status;
+
+ if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
+ /* SEEN_REPLY bit can only be set */
+ return -EBUSY;
+
+ if (d & IPS_ASSURED && !(status & IPS_ASSURED))
+ /* ASSURED bit can only be set */
+ return -EBUSY;
+
+ /* This check is less strict than ctnetlink_change_status()
+ * because callers often flip IPS_EXPECTED bits when sending
+ * an NFQA_CT attribute to the kernel. So ignore the
+ * unchangeable bits but do not error out.
+ */
+ ct->status = (status & ~IPS_UNCHANGEABLE_MASK) |
+ (ct->status & IPS_UNCHANGEABLE_MASK);
+ return 0;
+}
+
+static int
ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
{
int err;
@@ -2280,7 +2304,7 @@ ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
return err;
}
if (cda[CTA_STATUS]) {
- err = ctnetlink_change_status(ct, cda);
+ err = ctnetlink_update_status(ct, cda);
if (err < 0)
return err;
}
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 3/8] netfilter: ctnetlink: Fix regression in CTA_HELP processing
2017-02-23 11:14 [PATCH 0/8] Netfilter fixes for net Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 1/8] netfilter: nf_ct_helper: warn when not applying default helper assignment Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 2/8] netfilter: ctnetlink: Fix regression in CTA_STATUS processing Pablo Neira Ayuso
@ 2017-02-23 11:14 ` Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 4/8] Fix bug: sometimes valid entries in hash:* types of sets were evicted Pablo Neira Ayuso
` (5 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-23 11:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Kevin Cernekee <cernekee@chromium.org>
Prior to Linux 4.4, it was usually harmless to send a CTA_HELP attribute
containing the name of the current helper. That is no longer the case:
as of Linux 4.4, if ctnetlink_change_helper() returns an error from
the ct->master check, processing of the request will fail, skipping the
NFQA_EXP attribute (if present).
This patch changes the behavior to improve compatibility with user
programs that expect the kernel interface to work the way it did prior
to Linux 4.4. If a user program specifies CTA_HELP but the argument
matches the current conntrack helper name, ignore it instead of generating
an error.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bf04b7e9d6f7..6806b5e73567 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1478,14 +1478,23 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
struct nlattr *helpinfo = NULL;
int err;
- /* don't change helper of sibling connections */
- if (ct->master)
- return -EBUSY;
-
err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
if (err < 0)
return err;
+ /* don't change helper of sibling connections */
+ if (ct->master) {
+ /* If we try to change the helper to the same thing twice,
+ * treat the second attempt as a no-op instead of returning
+ * an error.
+ */
+ if (help && help->helper &&
+ !strcmp(help->helper->name, helpname))
+ return 0;
+ else
+ return -EBUSY;
+ }
+
if (!strcmp(helpname, "")) {
if (help && help->helper) {
/* we had a helper before ... */
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 4/8] Fix bug: sometimes valid entries in hash:* types of sets were evicted
2017-02-23 11:14 [PATCH 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2017-02-23 11:14 ` [PATCH 3/8] netfilter: ctnetlink: Fix regression in CTA_HELP processing Pablo Neira Ayuso
@ 2017-02-23 11:14 ` Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 5/8] netfilter: ipset: Null pointer exception in ipset list:set Pablo Neira Ayuso
` (4 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-23 11:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Wrong index was used and therefore when shrinking a hash bucket at
deleting an entry, valid entries could be evicted as well.
Thanks to Eric Ewanco for the thorough bugreport.
Fixes netfilter bugzilla #1119
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 1b05d4a7d5a1..f236c0bc7b3f 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -897,7 +897,7 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
continue;
data = ahash_data(n, j, dsize);
memcpy(tmp->value + k * dsize, data, dsize);
- set_bit(j, tmp->used);
+ set_bit(k, tmp->used);
k++;
}
tmp->pos = k;
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 5/8] netfilter: ipset: Null pointer exception in ipset list:set
2017-02-23 11:14 [PATCH 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2017-02-23 11:14 ` [PATCH 4/8] Fix bug: sometimes valid entries in hash:* types of sets were evicted Pablo Neira Ayuso
@ 2017-02-23 11:14 ` Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 6/8] netfilter: xt_hashlimit: Fix integer divide round to zero Pablo Neira Ayuso
` (3 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-23 11:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Vishwanath Pai <vpai@akamai.com>
If we use before/after to add an element to an empty list it will cause
a kernel panic.
$> cat crash.restore
create a hash:ip
create b hash:ip
create test list:set timeout 5 size 4
add test b before a
$> ipset -R < crash.restore
Executing the above will crash the kernel.
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_list_set.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 51077c53d76b..178d4eba013b 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -260,11 +260,14 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
else
prev = e;
}
+
+ /* If before/after is used on an empty set */
+ if ((d->before > 0 && !next) ||
+ (d->before < 0 && !prev))
+ return -IPSET_ERR_REF_EXIST;
+
/* Re-add already existing element */
if (n) {
- if ((d->before > 0 && !next) ||
- (d->before < 0 && !prev))
- return -IPSET_ERR_REF_EXIST;
if (!flag_exist)
return -IPSET_ERR_EXIST;
/* Update extensions */
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 6/8] netfilter: xt_hashlimit: Fix integer divide round to zero.
2017-02-23 11:14 [PATCH 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2017-02-23 11:14 ` [PATCH 5/8] netfilter: ipset: Null pointer exception in ipset list:set Pablo Neira Ayuso
@ 2017-02-23 11:14 ` Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 7/8] netfilter: nfnetlink_queue: fix NFQA_VLAN_MAX definition Pablo Neira Ayuso
` (2 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-23 11:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Alban Browaeys <alban.browaeys@gmail.com>
Diving the divider by the multiplier before applying to the input.
When this would "divide by zero", divide the multiplier by the divider
first then multiply the input by this value.
Currently user2creds outputs zero when input value is bigger than the
number of slices and lower than scale.
This as then user input is applied an integer divide operation to
a number greater than itself (scale).
That rounds up to zero, then we multiply zero by the credits slice size.
iptables -t filter -I INPUT --protocol tcp --match hashlimit
--hashlimit 40/second --hashlimit-burst 20 --hashlimit-mode srcip
--hashlimit-name syn-flood --jump RETURN
thus trigger the overflow detection code:
xt_hashlimit: overflow, try lower: 25000/20
(25000 as hashlimit avg and 20 the burst)
Here:
134217 slices of (HZ * CREDITS_PER_JIFFY) size.
500000 is user input value
1000000 is XT_HASHLIMIT_SCALE_v2
gives: 0 as user2creds output
Setting burst to "1" typically solve the issue ...
but setting it to "40" does too !
This is on 32bit arch calling into revision 2 of hashlimit.
Signed-off-by: Alban Browaeys <alban.browaeys@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_hashlimit.c | 25 +++++++++----------------
1 file changed, 9 insertions(+), 16 deletions(-)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 10063408141d..84ad5ab34558 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -463,23 +463,16 @@ static u32 xt_hashlimit_len_to_chunks(u32 len)
/* Precision saver. */
static u64 user2credits(u64 user, int revision)
{
- if (revision == 1) {
- /* If multiplying would overflow... */
- if (user > 0xFFFFFFFF / (HZ*CREDITS_PER_JIFFY_v1))
- /* Divide first. */
- return div64_u64(user, XT_HASHLIMIT_SCALE)
- * HZ * CREDITS_PER_JIFFY_v1;
-
- return div64_u64(user * HZ * CREDITS_PER_JIFFY_v1,
- XT_HASHLIMIT_SCALE);
- } else {
- if (user > 0xFFFFFFFFFFFFFFFFULL / (HZ*CREDITS_PER_JIFFY))
- return div64_u64(user, XT_HASHLIMIT_SCALE_v2)
- * HZ * CREDITS_PER_JIFFY;
+ u64 scale = (revision == 1) ?
+ XT_HASHLIMIT_SCALE : XT_HASHLIMIT_SCALE_v2;
+ u64 cpj = (revision == 1) ?
+ CREDITS_PER_JIFFY_v1 : CREDITS_PER_JIFFY;
- return div64_u64(user * HZ * CREDITS_PER_JIFFY,
- XT_HASHLIMIT_SCALE_v2);
- }
+ /* Avoid overflow: divide the constant operands first */
+ if (scale >= HZ * cpj)
+ return div64_u64(user, div64_u64(scale, HZ * cpj));
+
+ return user * div64_u64(HZ * cpj, scale);
}
static u32 user2credits_byte(u32 user)
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 7/8] netfilter: nfnetlink_queue: fix NFQA_VLAN_MAX definition
2017-02-23 11:14 [PATCH 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (5 preceding siblings ...)
2017-02-23 11:14 ` [PATCH 6/8] netfilter: xt_hashlimit: Fix integer divide round to zero Pablo Neira Ayuso
@ 2017-02-23 11:14 ` Pablo Neira Ayuso
2017-02-23 11:14 ` [PATCH 8/8] netfilter: nfnetlink: remove static declaration from err_list Pablo Neira Ayuso
2017-02-23 16:00 ` [PATCH 0/8] Netfilter fixes for net David Miller
8 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-23 11:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
Should be - 1 as in other _MAX definitions.
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nfnetlink_queue.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index ae30841ff94e..d42f0396fe30 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -36,7 +36,7 @@ enum nfqnl_vlan_attr {
NFQA_VLAN_TCI, /* __be16 skb htons(vlan_tci) */
__NFQA_VLAN_MAX,
};
-#define NFQA_VLAN_MAX (__NFQA_VLAN_MAX + 1)
+#define NFQA_VLAN_MAX (__NFQA_VLAN_MAX - 1)
enum nfqnl_attr_type {
NFQA_UNSPEC,
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 8/8] netfilter: nfnetlink: remove static declaration from err_list
2017-02-23 11:14 [PATCH 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (6 preceding siblings ...)
2017-02-23 11:14 ` [PATCH 7/8] netfilter: nfnetlink_queue: fix NFQA_VLAN_MAX definition Pablo Neira Ayuso
@ 2017-02-23 11:14 ` Pablo Neira Ayuso
2017-02-23 16:00 ` [PATCH 0/8] Netfilter fixes for net David Miller
8 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-23 11:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Liping Zhang <zlpnobody@gmail.com>
Otherwise, different subsys will race to access the err_list, with holding
the different nfnl_lock(subsys_id).
But this will not happen now, since ->call_batch is only implemented by
nftables, so the err_list is protected by nfnl_lock(NFNL_SUBSYS_NFTABLES).
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index a09fa9fd8f3d..6fa448478cba 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -279,7 +279,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh,
struct net *net = sock_net(skb->sk);
const struct nfnetlink_subsystem *ss;
const struct nfnl_callback *nc;
- static LIST_HEAD(err_list);
+ LIST_HEAD(err_list);
u32 status;
int err;
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 0/8] Netfilter fixes for net
2017-02-23 11:14 [PATCH 0/8] Netfilter fixes for net Pablo Neira Ayuso
` (7 preceding siblings ...)
2017-02-23 11:14 ` [PATCH 8/8] netfilter: nfnetlink: remove static declaration from err_list Pablo Neira Ayuso
@ 2017-02-23 16:00 ` David Miller
8 siblings, 0 replies; 10+ messages in thread
From: David Miller @ 2017-02-23 16:00 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 23 Feb 2017 12:14:01 +0100
> The following patchset contains Netfilter fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot!
^ permalink raw reply [flat|nested] 10+ messages in thread