Netfilter-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/5] Netfilter fixes for net
@ 2017-07-18 10:13 Pablo Neira Ayuso
  2017-07-18 10:13 ` [PATCH 1/5] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv Pablo Neira Ayuso
                   ` (5 more replies)
  0 siblings, 6 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-18 10:13 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Missing netlink message sanity check in nfnetlink, patch from
   Mateusz Jurczyk.

2) We now have netfilter per-netns hooks, so let's kill global hook
   infrastructure, this infrastructure is known to be racy with netns.
   We don't care about out of tree modules. Patch from Florian Westphal.

3) find_appropriate_src() is buggy when colissions happens after the
   conversion of the nat bysource to rhashtable. Also from Florian.

4) Remove forward chain in nf_tables arp family, it's useless and it is
   causing quite a bit of confusion, from Florian Westphal.

5) nf_ct_remove_expect() is called with the wrong parameter, causing
   kernel oops, patch from Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 533da29b584de5ae0e9dafafbe52809f59cb5300:

  Merge branch 'bcmgenet-Fragmented-SKB-corrections' (2017-07-15 21:29:08 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 36ac344e16e04e3e55e8fed7446095a6458c64e6:

  netfilter: expect: fix crash when putting uninited expectation (2017-07-17 17:03:12 +0200)

----------------------------------------------------------------
Florian Westphal (4):
      netfilter: remove old pre-netns era hook api
      netfilter: nat: fix src map lookup
      netfilter: nf_tables: only allow in/output for arp packets
      netfilter: expect: fix crash when putting uninited expectation

Mateusz Jurczyk (1):
      netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv

 include/linux/netfilter.h           |   9 ---
 net/ipv4/netfilter/nf_tables_arp.c  |   3 +-
 net/netfilter/core.c                | 143 ------------------------------------
 net/netfilter/nf_conntrack_expect.c |   2 +-
 net/netfilter/nf_nat_core.c         |  17 +++--
 net/netfilter/nfnetlink.c           |   6 +-
 6 files changed, 14 insertions(+), 166 deletions(-)

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH 1/5] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv
  2017-07-18 10:13 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
@ 2017-07-18 10:13 ` Pablo Neira Ayuso
  2017-07-18 10:13 ` [PATCH 2/5] netfilter: remove old pre-netns era hook api Pablo Neira Ayuso
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-18 10:13 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Mateusz Jurczyk <mjurczyk@google.com>

Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < NLMSG_HDRLEN expression.

The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.

Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 92b05e188fd1..733d3e4a30d8 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -472,8 +472,7 @@ static void nfnetlink_rcv_skb_batch(struct sk_buff *skb, struct nlmsghdr *nlh)
 	if (msglen > skb->len)
 		msglen = skb->len;
 
-	if (nlh->nlmsg_len < NLMSG_HDRLEN ||
-	    skb->len < NLMSG_HDRLEN + sizeof(struct nfgenmsg))
+	if (skb->len < NLMSG_HDRLEN + sizeof(struct nfgenmsg))
 		return;
 
 	err = nla_parse(cda, NFNL_BATCH_MAX, attr, attrlen, nfnl_batch_policy,
@@ -500,7 +499,8 @@ static void nfnetlink_rcv(struct sk_buff *skb)
 {
 	struct nlmsghdr *nlh = nlmsg_hdr(skb);
 
-	if (nlh->nlmsg_len < NLMSG_HDRLEN ||
+	if (skb->len < NLMSG_HDRLEN ||
+	    nlh->nlmsg_len < NLMSG_HDRLEN ||
 	    skb->len < nlh->nlmsg_len)
 		return;
 
-- 
2.1.4


^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH 2/5] netfilter: remove old pre-netns era hook api
  2017-07-18 10:13 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
  2017-07-18 10:13 ` [PATCH 1/5] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv Pablo Neira Ayuso
@ 2017-07-18 10:13 ` Pablo Neira Ayuso
  2017-07-18 10:13 ` [PATCH 3/5] netfilter: nat: fix src map lookup Pablo Neira Ayuso
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-18 10:13 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

no more users in the tree, remove this.

The old api is racy wrt. module removal, all users have been converted
to the netns-aware api.

The old api pretended we still have global hooks but that has not been
true for a long time.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter.h |   9 ---
 net/netfilter/core.c      | 143 ----------------------------------------------
 2 files changed, 152 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index a4b97be30b28..22f081065d49 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -61,8 +61,6 @@ typedef unsigned int nf_hookfn(void *priv,
 			       struct sk_buff *skb,
 			       const struct nf_hook_state *state);
 struct nf_hook_ops {
-	struct list_head	list;
-
 	/* User fills in from here down. */
 	nf_hookfn		*hook;
 	struct net_device	*dev;
@@ -160,13 +158,6 @@ int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
 			     unsigned int n);
 
-int nf_register_hook(struct nf_hook_ops *reg);
-void nf_unregister_hook(struct nf_hook_ops *reg);
-int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n);
-void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n);
-int _nf_register_hooks(struct nf_hook_ops *reg, unsigned int n);
-void _nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n);
-
 /* Functions to register get/setsockopt ranges (non-inclusive).  You
    need to check permissions yourself! */
 int nf_register_sockopt(struct nf_sockopt_ops *reg);
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 552d606e57ca..368610dbc3c0 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -227,114 +227,6 @@ void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
 }
 EXPORT_SYMBOL(nf_unregister_net_hooks);
 
-static LIST_HEAD(nf_hook_list);
-
-static int _nf_register_hook(struct nf_hook_ops *reg)
-{
-	struct net *net, *last;
-	int ret;
-
-	for_each_net(net) {
-		ret = nf_register_net_hook(net, reg);
-		if (ret && ret != -ENOENT)
-			goto rollback;
-	}
-	list_add_tail(&reg->list, &nf_hook_list);
-
-	return 0;
-rollback:
-	last = net;
-	for_each_net(net) {
-		if (net == last)
-			break;
-		nf_unregister_net_hook(net, reg);
-	}
-	return ret;
-}
-
-int nf_register_hook(struct nf_hook_ops *reg)
-{
-	int ret;
-
-	rtnl_lock();
-	ret = _nf_register_hook(reg);
-	rtnl_unlock();
-
-	return ret;
-}
-EXPORT_SYMBOL(nf_register_hook);
-
-static void _nf_unregister_hook(struct nf_hook_ops *reg)
-{
-	struct net *net;
-
-	list_del(&reg->list);
-	for_each_net(net)
-		nf_unregister_net_hook(net, reg);
-}
-
-void nf_unregister_hook(struct nf_hook_ops *reg)
-{
-	rtnl_lock();
-	_nf_unregister_hook(reg);
-	rtnl_unlock();
-}
-EXPORT_SYMBOL(nf_unregister_hook);
-
-int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
-{
-	unsigned int i;
-	int err = 0;
-
-	for (i = 0; i < n; i++) {
-		err = nf_register_hook(&reg[i]);
-		if (err)
-			goto err;
-	}
-	return err;
-
-err:
-	if (i > 0)
-		nf_unregister_hooks(reg, i);
-	return err;
-}
-EXPORT_SYMBOL(nf_register_hooks);
-
-/* Caller MUST take rtnl_lock() */
-int _nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
-{
-	unsigned int i;
-	int err = 0;
-
-	for (i = 0; i < n; i++) {
-		err = _nf_register_hook(&reg[i]);
-		if (err)
-			goto err;
-	}
-	return err;
-
-err:
-	if (i > 0)
-		_nf_unregister_hooks(reg, i);
-	return err;
-}
-EXPORT_SYMBOL(_nf_register_hooks);
-
-void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
-{
-	while (n-- > 0)
-		nf_unregister_hook(&reg[n]);
-}
-EXPORT_SYMBOL(nf_unregister_hooks);
-
-/* Caller MUST take rtnl_lock */
-void _nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
-{
-	while (n-- > 0)
-		_nf_unregister_hook(&reg[n]);
-}
-EXPORT_SYMBOL(_nf_unregister_hooks);
-
 /* Returns 1 if okfn() needs to be executed by the caller,
  * -EPERM for NF_DROP, 0 otherwise.  Caller must hold rcu_read_lock. */
 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
@@ -450,37 +342,6 @@ void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
 EXPORT_SYMBOL(nf_nat_decode_session_hook);
 #endif
 
-static int nf_register_hook_list(struct net *net)
-{
-	struct nf_hook_ops *elem;
-	int ret;
-
-	rtnl_lock();
-	list_for_each_entry(elem, &nf_hook_list, list) {
-		ret = nf_register_net_hook(net, elem);
-		if (ret && ret != -ENOENT)
-			goto out_undo;
-	}
-	rtnl_unlock();
-	return 0;
-
-out_undo:
-	list_for_each_entry_continue_reverse(elem, &nf_hook_list, list)
-		nf_unregister_net_hook(net, elem);
-	rtnl_unlock();
-	return ret;
-}
-
-static void nf_unregister_hook_list(struct net *net)
-{
-	struct nf_hook_ops *elem;
-
-	rtnl_lock();
-	list_for_each_entry(elem, &nf_hook_list, list)
-		nf_unregister_net_hook(net, elem);
-	rtnl_unlock();
-}
-
 static int __net_init netfilter_net_init(struct net *net)
 {
 	int i, h, ret;
@@ -500,16 +361,12 @@ static int __net_init netfilter_net_init(struct net *net)
 		return -ENOMEM;
 	}
 #endif
-	ret = nf_register_hook_list(net);
-	if (ret)
-		remove_proc_entry("netfilter", net->proc_net);
 
 	return ret;
 }
 
 static void __net_exit netfilter_net_exit(struct net *net)
 {
-	nf_unregister_hook_list(net);
 	remove_proc_entry("netfilter", net->proc_net);
 }
 
-- 
2.1.4

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH 3/5] netfilter: nat: fix src map lookup
  2017-07-18 10:13 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
  2017-07-18 10:13 ` [PATCH 1/5] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv Pablo Neira Ayuso
  2017-07-18 10:13 ` [PATCH 2/5] netfilter: remove old pre-netns era hook api Pablo Neira Ayuso
@ 2017-07-18 10:13 ` Pablo Neira Ayuso
  2017-07-18 10:13 ` [PATCH 4/5] netfilter: nf_tables: only allow in/output for arp packets Pablo Neira Ayuso
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-18 10:13 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

When doing initial conversion to rhashtable I replaced the bucket
walk with a single rhashtable_lookup_fast().

When moving to rhlist I failed to properly walk the list of identical
tuples, but that is what is needed for this to work correctly.
The table contains the original tuples, so the reply tuples are all
distinct.

We currently decide that mapping is (not) in range only based on the
first entry, but in case its not we need to try the reply tuple of the
next entry until we either find an in-range mapping or we checked
all the entries.

This bug makes nat core attempt collision resolution while it might be
able to use the mapping as-is.

Fixes: 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Reported-by: Jaco Kroon <jaco@uls.co.za>
Tested-by: Jaco Kroon <jaco@uls.co.za>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_nat_core.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 832c5a08d9a5..eb541786ccb7 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -222,20 +222,21 @@ find_appropriate_src(struct net *net,
 		.tuple = tuple,
 		.zone = zone
 	};
-	struct rhlist_head *hl;
+	struct rhlist_head *hl, *h;
 
 	hl = rhltable_lookup(&nf_nat_bysource_table, &key,
 			     nf_nat_bysource_params);
-	if (!hl)
-		return 0;
 
-	ct = container_of(hl, typeof(*ct), nat_bysource);
+	rhl_for_each_entry_rcu(ct, h, hl, nat_bysource) {
+		nf_ct_invert_tuplepr(result,
+				     &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
+		result->dst = tuple->dst;
 
-	nf_ct_invert_tuplepr(result,
-			     &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-	result->dst = tuple->dst;
+		if (in_range(l3proto, l4proto, result, range))
+			return 1;
+	}
 
-	return in_range(l3proto, l4proto, result, range);
+	return 0;
 }
 
 /* For [FUTURE] fragmentation handling, we want the least-used
-- 
2.1.4

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH 4/5] netfilter: nf_tables: only allow in/output for arp packets
  2017-07-18 10:13 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
                   ` (2 preceding siblings ...)
  2017-07-18 10:13 ` [PATCH 3/5] netfilter: nat: fix src map lookup Pablo Neira Ayuso
@ 2017-07-18 10:13 ` Pablo Neira Ayuso
  2017-07-18 10:13 ` [PATCH 5/5] netfilter: expect: fix crash when putting uninited expectation Pablo Neira Ayuso
  2017-07-18 19:03 ` [PATCH 0/5] Netfilter fixes for net David Miller
  5 siblings, 0 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-18 10:13 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

arp packets cannot be forwarded.

They can be bridged, but then they can be filtered using
either ebtables or nftables bridge family.

The bridge netfilter exposes a "call-arptables" switch which
pushes packets into arptables, but lets not expose this for nftables, so better
close this asap.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/nf_tables_arp.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/nf_tables_arp.c b/net/ipv4/netfilter/nf_tables_arp.c
index 805c8ddfe860..4bbc273b45e8 100644
--- a/net/ipv4/netfilter/nf_tables_arp.c
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -72,8 +72,7 @@ static const struct nf_chain_type filter_arp = {
 	.family		= NFPROTO_ARP,
 	.owner		= THIS_MODULE,
 	.hook_mask	= (1 << NF_ARP_IN) |
-			  (1 << NF_ARP_OUT) |
-			  (1 << NF_ARP_FORWARD),
+			  (1 << NF_ARP_OUT),
 };
 
 static int __init nf_tables_arp_init(void)
-- 
2.1.4


^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH 5/5] netfilter: expect: fix crash when putting uninited expectation
  2017-07-18 10:13 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
                   ` (3 preceding siblings ...)
  2017-07-18 10:13 ` [PATCH 4/5] netfilter: nf_tables: only allow in/output for arp packets Pablo Neira Ayuso
@ 2017-07-18 10:13 ` Pablo Neira Ayuso
  2017-07-18 19:03 ` [PATCH 0/5] Netfilter fixes for net David Miller
  5 siblings, 0 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2017-07-18 10:13 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

From: Florian Westphal <fw@strlen.de>

We crash in __nf_ct_expect_check, it calls nf_ct_remove_expect on the
uninitialised expectation instead of existing one, so del_timer chokes
on random memory address.

Fixes: ec0e3f01114ad32711243 ("netfilter: nf_ct_expect: Add nf_ct_remove_expect()")
Reported-by: Sergey Kvachonok <ravenexp@gmail.com>
Tested-by: Sergey Kvachonok <ravenexp@gmail.com>
Cc: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_expect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index e03d16ed550d..899c2c36da13 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -422,7 +422,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 	h = nf_ct_expect_dst_hash(net, &expect->tuple);
 	hlist_for_each_entry_safe(i, next, &nf_ct_expect_hash[h], hnode) {
 		if (expect_matches(i, expect)) {
-			if (nf_ct_remove_expect(expect))
+			if (nf_ct_remove_expect(i))
 				break;
 		} else if (expect_clash(i, expect)) {
 			ret = -EBUSY;
-- 
2.1.4

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 0/5] Netfilter fixes for net
  2017-07-18 10:13 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
                   ` (4 preceding siblings ...)
  2017-07-18 10:13 ` [PATCH 5/5] netfilter: expect: fix crash when putting uninited expectation Pablo Neira Ayuso
@ 2017-07-18 19:03 ` David Miller
  2017-07-18 21:11   ` Florian Westphal
  5 siblings, 1 reply; 9+ messages in thread
From: David Miller @ 2017-07-18 19:03 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 18 Jul 2017 12:13:54 +0200

> The following patchset contains Netfilter fixes for your net tree,
> they are:
> 
> 1) Missing netlink message sanity check in nfnetlink, patch from
>    Mateusz Jurczyk.
> 
> 2) We now have netfilter per-netns hooks, so let's kill global hook
>    infrastructure, this infrastructure is known to be racy with netns.
>    We don't care about out of tree modules. Patch from Florian Westphal.
> 
> 3) find_appropriate_src() is buggy when colissions happens after the
>    conversion of the nat bysource to rhashtable. Also from Florian.
> 
> 4) Remove forward chain in nf_tables arp family, it's useless and it is
>    causing quite a bit of confusion, from Florian Westphal.
> 
> 5) nf_ct_remove_expect() is called with the wrong parameter, causing
>    kernel oops, patch from Florian Westphal.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks a lot.

What about that change Eric Dumazet was talking about with Florian
that stopped instantiating conntrack by default in new namespaces?

Just curious.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 0/5] Netfilter fixes for net
  2017-07-18 19:03 ` [PATCH 0/5] Netfilter fixes for net David Miller
@ 2017-07-18 21:11   ` Florian Westphal
  2017-07-18 21:54     ` David Miller
  0 siblings, 1 reply; 9+ messages in thread
From: Florian Westphal @ 2017-07-18 21:11 UTC (permalink / raw)
  To: David Miller; +Cc: pablo, netfilter-devel, netdev

David Miller <davem@davemloft.net> wrote:
> What about that change Eric Dumazet was talking about with Florian
> that stopped instantiating conntrack by default in new namespaces?

Seems more appropriate for -next.  If you prefer net instead, let me know
and I'll get to work.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 0/5] Netfilter fixes for net
  2017-07-18 21:11   ` Florian Westphal
@ 2017-07-18 21:54     ` David Miller
  0 siblings, 0 replies; 9+ messages in thread
From: David Miller @ 2017-07-18 21:54 UTC (permalink / raw)
  To: fw; +Cc: pablo, netfilter-devel, netdev

From: Florian Westphal <fw@strlen.de>
Date: Tue, 18 Jul 2017 23:11:57 +0200

> David Miller <davem@davemloft.net> wrote:
>> What about that change Eric Dumazet was talking about with Florian
>> that stopped instantiating conntrack by default in new namespaces?
> 
> Seems more appropriate for -next.  If you prefer net instead, let me know
> and I'll get to work.

Yeah it's more on the -next side, albeit annoying.

Ok, so nevermind :)

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, back to index

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-18 10:13 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2017-07-18 10:13 ` [PATCH 1/5] netfilter: nfnetlink: Improve input length sanitization in nfnetlink_rcv Pablo Neira Ayuso
2017-07-18 10:13 ` [PATCH 2/5] netfilter: remove old pre-netns era hook api Pablo Neira Ayuso
2017-07-18 10:13 ` [PATCH 3/5] netfilter: nat: fix src map lookup Pablo Neira Ayuso
2017-07-18 10:13 ` [PATCH 4/5] netfilter: nf_tables: only allow in/output for arp packets Pablo Neira Ayuso
2017-07-18 10:13 ` [PATCH 5/5] netfilter: expect: fix crash when putting uninited expectation Pablo Neira Ayuso
2017-07-18 19:03 ` [PATCH 0/5] Netfilter fixes for net David Miller
2017-07-18 21:11   ` Florian Westphal
2017-07-18 21:54     ` David Miller

Netfilter-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netfilter-devel/0 netfilter-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netfilter-devel netfilter-devel/ https://lore.kernel.org/netfilter-devel \
		netfilter-devel@vger.kernel.org
	public-inbox-index netfilter-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netfilter-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git