Netfilter-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/4] Netfilter fixes for net
@ 2020-10-13 23:45 Pablo Neira Ayuso
  2020-10-13 23:45 ` [PATCH 1/4] selftests: netfilter: extend nfqueue test case Pablo Neira Ayuso
                   ` (4 more replies)
  0 siblings, 5 replies; 30+ messages in thread
From: Pablo Neira Ayuso @ 2020-10-13 23:45 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Extend nf_queue selftest to cover re-queueing, non-gso mode and
   delayed queueing, from Florian Westphal.

2) Clear skb->tstamp in IPVS forwarding path, from Julian Anastasov.

3) Provide netlink extended error reporting for EEXIST case.

4) Missing VLAN offload tag and proto in log target.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Absolutely nothing urgent in this batch, you might consider pulling this
once net-next.git gets merged into net.git so this shows up in 5.10-rc.

Thank you.

----------------------------------------------------------------

The following changes since commit 874fb9e2ca949b443cc419a4f2227cafd4381d39:

  ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (2020-10-10 11:38:59 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 0d9826bc18ce356e8909919ad681ad65d0a6061e:

  netfilter: nf_log: missing vlan offload tag and proto (2020-10-14 01:25:14 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      selftests: netfilter: extend nfqueue test case

Julian Anastasov (1):
      ipvs: clear skb->tstamp in forwarding path

Pablo Neira Ayuso (2):
      netfilter: nftables: extend error reporting for chain updates
      netfilter: nf_log: missing vlan offload tag and proto

 include/net/netfilter/nf_log.h                 |  1 +
 net/ipv4/netfilter/nf_log_arp.c                | 19 ++++++-
 net/ipv4/netfilter/nf_log_ipv4.c               |  6 ++-
 net/ipv6/netfilter/nf_log_ipv6.c               |  8 +--
 net/netfilter/ipvs/ip_vs_xmit.c                |  6 +++
 net/netfilter/nf_log_common.c                  | 12 +++++
 net/netfilter/nf_tables_api.c                  | 19 +++++--
 tools/testing/selftests/netfilter/nf-queue.c   | 61 ++++++++++++++++++----
 tools/testing/selftests/netfilter/nft_queue.sh | 70 +++++++++++++++++++++-----
 9 files changed, 168 insertions(+), 34 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 1/4] selftests: netfilter: extend nfqueue test case
  2020-10-13 23:45 [PATCH 0/4] Netfilter fixes for net Pablo Neira Ayuso
@ 2020-10-13 23:45 ` Pablo Neira Ayuso
  2020-10-14  3:10   ` patchwork-bot+netdevbpf
  2020-10-13 23:45 ` [PATCH 2/4] ipvs: clear skb->tstamp in forwarding path Pablo Neira Ayuso
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2020-10-13 23:45 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Florian Westphal <fw@strlen.de>

add a test with re-queueing: usespace doesn't pass accept verdict,
but tells to re-queue to another nf_queue instance.

Also, make the second nf-queue program use non-gso mode, kernel will
have to perform software segmentation.

Lastly, do not queue every packet, just one per second, and add delay
when re-injecting the packet to the kernel.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tools/testing/selftests/netfilter/nf-queue.c  | 61 +++++++++++++---
 .../testing/selftests/netfilter/nft_queue.sh  | 70 +++++++++++++++----
 2 files changed, 109 insertions(+), 22 deletions(-)

diff --git a/tools/testing/selftests/netfilter/nf-queue.c b/tools/testing/selftests/netfilter/nf-queue.c
index 29c73bce38fa..9e56b9d47037 100644
--- a/tools/testing/selftests/netfilter/nf-queue.c
+++ b/tools/testing/selftests/netfilter/nf-queue.c
@@ -17,9 +17,12 @@
 
 struct options {
 	bool count_packets;
+	bool gso_enabled;
 	int verbose;
 	unsigned int queue_num;
 	unsigned int timeout;
+	uint32_t verdict;
+	uint32_t delay_ms;
 };
 
 static unsigned int queue_stats[5];
@@ -27,7 +30,7 @@ static struct options opts;
 
 static void help(const char *p)
 {
-	printf("Usage: %s [-c|-v [-vv] ] [-t timeout] [-q queue_num]\n", p);
+	printf("Usage: %s [-c|-v [-vv] ] [-t timeout] [-q queue_num] [-Qdst_queue ] [ -d ms_delay ] [-G]\n", p);
 }
 
 static int parse_attr_cb(const struct nlattr *attr, void *data)
@@ -162,7 +165,7 @@ nfq_build_cfg_params(char *buf, uint8_t mode, int range, int queue_num)
 }
 
 static struct nlmsghdr *
-nfq_build_verdict(char *buf, int id, int queue_num, int verd)
+nfq_build_verdict(char *buf, int id, int queue_num, uint32_t verd)
 {
 	struct nfqnl_msg_verdict_hdr vh = {
 		.verdict = htonl(verd),
@@ -189,9 +192,6 @@ static void print_stats(void)
 	unsigned int last, total;
 	int i;
 
-	if (!opts.count_packets)
-		return;
-
 	total = 0;
 	last = queue_stats[0];
 
@@ -234,7 +234,8 @@ struct mnl_socket *open_queue(void)
 
 	nlh = nfq_build_cfg_params(buf, NFQNL_COPY_PACKET, 0xFFFF, queue_num);
 
-	flags = NFQA_CFG_F_GSO | NFQA_CFG_F_UID_GID;
+	flags = opts.gso_enabled ? NFQA_CFG_F_GSO : 0;
+	flags |= NFQA_CFG_F_UID_GID;
 	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(flags));
 	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(flags));
 
@@ -255,6 +256,17 @@ struct mnl_socket *open_queue(void)
 	return nl;
 }
 
+static void sleep_ms(uint32_t delay)
+{
+	struct timespec ts = { .tv_sec = delay / 1000 };
+
+	delay %= 1000;
+
+	ts.tv_nsec = delay * 1000llu * 1000llu;
+
+	nanosleep(&ts, NULL);
+}
+
 static int mainloop(void)
 {
 	unsigned int buflen = 64 * 1024 + MNL_SOCKET_BUFFER_SIZE;
@@ -278,7 +290,7 @@ static int mainloop(void)
 
 		ret = mnl_socket_recvfrom(nl, buf, buflen);
 		if (ret == -1) {
-			if (errno == ENOBUFS)
+			if (errno == ENOBUFS || errno == EINTR)
 				continue;
 
 			if (errno == EAGAIN) {
@@ -298,7 +310,10 @@ static int mainloop(void)
 		}
 
 		id = ret - MNL_CB_OK;
-		nlh = nfq_build_verdict(buf, id, opts.queue_num, NF_ACCEPT);
+		if (opts.delay_ms)
+			sleep_ms(opts.delay_ms);
+
+		nlh = nfq_build_verdict(buf, id, opts.queue_num, opts.verdict);
 		if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 			perror("mnl_socket_sendto");
 			exit(EXIT_FAILURE);
@@ -314,7 +329,7 @@ static void parse_opts(int argc, char **argv)
 {
 	int c;
 
-	while ((c = getopt(argc, argv, "chvt:q:")) != -1) {
+	while ((c = getopt(argc, argv, "chvt:q:Q:d:G")) != -1) {
 		switch (c) {
 		case 'c':
 			opts.count_packets = true;
@@ -328,20 +343,48 @@ static void parse_opts(int argc, char **argv)
 			if (opts.queue_num > 0xffff)
 				opts.queue_num = 0;
 			break;
+		case 'Q':
+			opts.verdict = atoi(optarg);
+			if (opts.verdict > 0xffff) {
+				fprintf(stderr, "Expected destination queue number\n");
+				exit(1);
+			}
+
+			opts.verdict <<= 16;
+			opts.verdict |= NF_QUEUE;
+			break;
+		case 'd':
+			opts.delay_ms = atoi(optarg);
+			if (opts.delay_ms == 0) {
+				fprintf(stderr, "Expected nonzero delay (in milliseconds)\n");
+				exit(1);
+			}
+			break;
 		case 't':
 			opts.timeout = atoi(optarg);
 			break;
+		case 'G':
+			opts.gso_enabled = false;
+			break;
 		case 'v':
 			opts.verbose++;
 			break;
 		}
 	}
+
+	if (opts.verdict != NF_ACCEPT && (opts.verdict >> 16 == opts.queue_num)) {
+		fprintf(stderr, "Cannot use same destination and source queue\n");
+		exit(1);
+	}
 }
 
 int main(int argc, char *argv[])
 {
 	int ret;
 
+	opts.verdict = NF_ACCEPT;
+	opts.gso_enabled = true;
+
 	parse_opts(argc, argv);
 
 	ret = mainloop();
diff --git a/tools/testing/selftests/netfilter/nft_queue.sh b/tools/testing/selftests/netfilter/nft_queue.sh
index 6898448b4266..3d202b90b33d 100755
--- a/tools/testing/selftests/netfilter/nft_queue.sh
+++ b/tools/testing/selftests/netfilter/nft_queue.sh
@@ -12,6 +12,7 @@ sfx=$(mktemp -u "XXXXXXXX")
 ns1="ns1-$sfx"
 ns2="ns2-$sfx"
 nsrouter="nsrouter-$sfx"
+timeout=4
 
 cleanup()
 {
@@ -20,6 +21,7 @@ cleanup()
 	ip netns del ${nsrouter}
 	rm -f "$TMPFILE0"
 	rm -f "$TMPFILE1"
+	rm -f "$TMPFILE2" "$TMPFILE3"
 }
 
 nft --version > /dev/null 2>&1
@@ -42,6 +44,8 @@ fi
 
 TMPFILE0=$(mktemp)
 TMPFILE1=$(mktemp)
+TMPFILE2=$(mktemp)
+TMPFILE3=$(mktemp)
 trap cleanup EXIT
 
 ip netns add ${ns1}
@@ -83,7 +87,7 @@ load_ruleset() {
 	local name=$1
 	local prio=$2
 
-ip netns exec ${nsrouter} nft -f - <<EOF
+ip netns exec ${nsrouter} nft -f /dev/stdin <<EOF
 table inet $name {
 	chain nfq {
 		ip protocol icmp queue bypass
@@ -118,7 +122,7 @@ EOF
 load_counter_ruleset() {
 	local prio=$1
 
-ip netns exec ${nsrouter} nft -f - <<EOF
+ip netns exec ${nsrouter} nft -f /dev/stdin <<EOF
 table inet countrules {
 	chain pre {
 		type filter hook prerouting priority $prio; policy accept;
@@ -175,7 +179,7 @@ test_ping_router() {
 test_queue_blackhole() {
 	local proto=$1
 
-ip netns exec ${nsrouter} nft -f - <<EOF
+ip netns exec ${nsrouter} nft -f /dev/stdin <<EOF
 table $proto blackh {
 	chain forward {
 	type filter hook forward priority 0; policy accept;
@@ -184,10 +188,10 @@ table $proto blackh {
 }
 EOF
 	if [ $proto = "ip" ] ;then
-		ip netns exec ${ns1} ping -c 1 -q 10.0.2.99 > /dev/null
+		ip netns exec ${ns1} ping -W 2 -c 1 -q 10.0.2.99 > /dev/null
 		lret=$?
 	elif [ $proto = "ip6" ]; then
-		ip netns exec ${ns1} ping -c 1 -q dead:2::99 > /dev/null
+		ip netns exec ${ns1} ping -W 2 -c 1 -q dead:2::99 > /dev/null
 		lret=$?
 	else
 		lret=111
@@ -214,8 +218,8 @@ test_queue()
 	local last=""
 
 	# spawn nf-queue listeners
-	ip netns exec ${nsrouter} ./nf-queue -c -q 0 -t 3 > "$TMPFILE0" &
-	ip netns exec ${nsrouter} ./nf-queue -c -q 1 -t 3 > "$TMPFILE1" &
+	ip netns exec ${nsrouter} ./nf-queue -c -q 0 -t $timeout > "$TMPFILE0" &
+	ip netns exec ${nsrouter} ./nf-queue -c -q 1 -t $timeout > "$TMPFILE1" &
 	sleep 1
 	test_ping
 	ret=$?
@@ -250,11 +254,11 @@ test_queue()
 
 test_tcp_forward()
 {
-	ip netns exec ${nsrouter} ./nf-queue -q 2 -t 10 &
+	ip netns exec ${nsrouter} ./nf-queue -q 2 -t $timeout &
 	local nfqpid=$!
 
 	tmpfile=$(mktemp) || exit 1
-	dd conv=sparse status=none if=/dev/zero bs=1M count=100 of=$tmpfile
+	dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$tmpfile
 	ip netns exec ${ns2} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
 	local rpid=$!
 
@@ -270,15 +274,13 @@ test_tcp_forward()
 
 test_tcp_localhost()
 {
-	tc -net "${nsrouter}" qdisc add dev lo root netem loss random 1%
-
 	tmpfile=$(mktemp) || exit 1
 
-	dd conv=sparse status=none if=/dev/zero bs=1M count=900 of=$tmpfile
+	dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$tmpfile
 	ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
 	local rpid=$!
 
-	ip netns exec ${nsrouter} ./nf-queue -q 3 -t 30 &
+	ip netns exec ${nsrouter} ./nf-queue -q 3 -t $timeout &
 	local nfqpid=$!
 
 	sleep 1
@@ -287,6 +289,47 @@ test_tcp_localhost()
 
 	wait $rpid
 	[ $? -eq 0 ] && echo "PASS: tcp via loopback"
+	wait 2>/dev/null
+}
+
+test_tcp_localhost_requeue()
+{
+ip netns exec ${nsrouter} nft -f /dev/stdin <<EOF
+flush ruleset
+table inet filter {
+	chain output {
+		type filter hook output priority 0; policy accept;
+		tcp dport 12345 limit rate 1/second burst 1 packets counter queue num 0
+	}
+	chain post {
+		type filter hook postrouting priority 0; policy accept;
+		tcp dport 12345 limit rate 1/second burst 1 packets counter queue num 0
+	}
+}
+EOF
+	tmpfile=$(mktemp) || exit 1
+	dd conv=sparse status=none if=/dev/zero bs=1M count=200 of=$tmpfile
+	ip netns exec ${nsrouter} nc -w 5 -l -p 12345 <"$tmpfile" >/dev/null &
+	local rpid=$!
+
+	ip netns exec ${nsrouter} ./nf-queue -c -q 1 -t $timeout > "$TMPFILE2" &
+
+	# nfqueue 1 will be called via output hook.  But this time,
+        # re-queue the packet to nfqueue program on queue 2.
+	ip netns exec ${nsrouter} ./nf-queue -G -d 150 -c -q 0 -Q 1 -t $timeout > "$TMPFILE3" &
+
+	sleep 1
+	ip netns exec ${nsrouter} nc -w 5 127.0.0.1 12345 <"$tmpfile" > /dev/null
+	rm -f "$tmpfile"
+
+	wait
+
+	if ! diff -u "$TMPFILE2" "$TMPFILE3" ; then
+		echo "FAIL: lost packets during requeue?!" 1>&2
+		return
+	fi
+
+	echo "PASS: tcp via loopback and re-queueing"
 }
 
 ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
@@ -328,5 +371,6 @@ test_queue 20
 
 test_tcp_forward
 test_tcp_localhost
+test_tcp_localhost_requeue
 
 exit $ret
-- 
2.20.1


^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 2/4] ipvs: clear skb->tstamp in forwarding path
  2020-10-13 23:45 [PATCH 0/4] Netfilter fixes for net Pablo Neira Ayuso
  2020-10-13 23:45 ` [PATCH 1/4] selftests: netfilter: extend nfqueue test case Pablo Neira Ayuso
@ 2020-10-13 23:45 ` Pablo Neira Ayuso
  2020-10-13 23:45 ` [PATCH 3/4] netfilter: nftables: extend error reporting for chain updates Pablo Neira Ayuso
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 30+ messages in thread
From: Pablo Neira Ayuso @ 2020-10-13 23:45 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

From: Julian Anastasov <ja@ssi.bg>

fq qdisc requires tstamp to be cleared in forwarding path

Reported-by: Evgeny B <abt-admin@mail.ru>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=209427
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths")
Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC")
Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipvs/ip_vs_xmit.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index b00866d777fe..d2e5a8f644b8 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -609,6 +609,8 @@ static inline int ip_vs_tunnel_xmit_prepare(struct sk_buff *skb,
 	if (ret == NF_ACCEPT) {
 		nf_reset_ct(skb);
 		skb_forward_csum(skb);
+		if (skb->dev)
+			skb->tstamp = 0;
 	}
 	return ret;
 }
@@ -649,6 +651,8 @@ static inline int ip_vs_nat_send_or_cont(int pf, struct sk_buff *skb,
 
 	if (!local) {
 		skb_forward_csum(skb);
+		if (skb->dev)
+			skb->tstamp = 0;
 		NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb,
 			NULL, skb_dst(skb)->dev, dst_output);
 	} else
@@ -669,6 +673,8 @@ static inline int ip_vs_send_or_cont(int pf, struct sk_buff *skb,
 	if (!local) {
 		ip_vs_drop_early_demux_sk(skb);
 		skb_forward_csum(skb);
+		if (skb->dev)
+			skb->tstamp = 0;
 		NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb,
 			NULL, skb_dst(skb)->dev, dst_output);
 	} else
-- 
2.20.1


^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 3/4] netfilter: nftables: extend error reporting for chain updates
  2020-10-13 23:45 [PATCH 0/4] Netfilter fixes for net Pablo Neira Ayuso
  2020-10-13 23:45 ` [PATCH 1/4] selftests: netfilter: extend nfqueue test case Pablo Neira Ayuso
  2020-10-13 23:45 ` [PATCH 2/4] ipvs: clear skb->tstamp in forwarding path Pablo Neira Ayuso
@ 2020-10-13 23:45 ` Pablo Neira Ayuso
  2020-10-13 23:45 ` [PATCH 4/4] netfilter: nf_log: missing vlan offload tag and proto Pablo Neira Ayuso
  2020-10-14  3:07 ` [PATCH 0/4] Netfilter fixes for net Jakub Kicinski
  4 siblings, 0 replies; 30+ messages in thread
From: Pablo Neira Ayuso @ 2020-10-13 23:45 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

The initial support for netlink extended ACK is missing the chain update
path, which results in misleading error reporting in case of EEXIST.

Fixes 36dd1bcc07e5 ("netfilter: nf_tables: initial support for extended ACK reporting")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 4603b667973a..0e43063767d6 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2103,7 +2103,8 @@ static bool nft_hook_list_equal(struct list_head *hook_list1,
 }
 
 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
-			      u32 flags)
+			      u32 flags, const struct nlattr *attr,
+			      struct netlink_ext_ack *extack)
 {
 	const struct nlattr * const *nla = ctx->nla;
 	struct nft_table *table = ctx->table;
@@ -2119,9 +2120,10 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 		return -EOPNOTSUPP;
 
 	if (nla[NFTA_CHAIN_HOOK]) {
-		if (!nft_is_base_chain(chain))
+		if (!nft_is_base_chain(chain)) {
+			NL_SET_BAD_ATTR(extack, attr);
 			return -EEXIST;
-
+		}
 		err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
 					   false);
 		if (err < 0)
@@ -2130,6 +2132,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 		basechain = nft_base_chain(chain);
 		if (basechain->type != hook.type) {
 			nft_chain_release_hook(&hook);
+			NL_SET_BAD_ATTR(extack, attr);
 			return -EEXIST;
 		}
 
@@ -2137,6 +2140,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 			if (!nft_hook_list_equal(&basechain->hook_list,
 						 &hook.list)) {
 				nft_chain_release_hook(&hook);
+				NL_SET_BAD_ATTR(extack, attr);
 				return -EEXIST;
 			}
 		} else {
@@ -2144,6 +2148,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 			if (ops->hooknum != hook.num ||
 			    ops->priority != hook.priority) {
 				nft_chain_release_hook(&hook);
+				NL_SET_BAD_ATTR(extack, attr);
 				return -EEXIST;
 			}
 		}
@@ -2156,8 +2161,10 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 
 		chain2 = nft_chain_lookup(ctx->net, table,
 					  nla[NFTA_CHAIN_NAME], genmask);
-		if (!IS_ERR(chain2))
+		if (!IS_ERR(chain2)) {
+			NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
 			return -EEXIST;
+		}
 	}
 
 	if (nla[NFTA_CHAIN_COUNTERS]) {
@@ -2200,6 +2207,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 			    nft_trans_chain_update(tmp) &&
 			    nft_trans_chain_name(tmp) &&
 			    strcmp(name, nft_trans_chain_name(tmp)) == 0) {
+				NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
 				kfree(name);
 				goto err;
 			}
@@ -2322,7 +2330,8 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
 			return -EOPNOTSUPP;
 
 		flags |= chain->flags & NFT_CHAIN_BASE;
-		return nf_tables_updchain(&ctx, genmask, policy, flags);
+		return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
+					  extack);
 	}
 
 	return nf_tables_addchain(&ctx, family, genmask, policy, flags);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 4/4] netfilter: nf_log: missing vlan offload tag and proto
  2020-10-13 23:45 [PATCH 0/4] Netfilter fixes for net Pablo Neira Ayuso
                   ` (2 preceding siblings ...)
  2020-10-13 23:45 ` [PATCH 3/4] netfilter: nftables: extend error reporting for chain updates Pablo Neira Ayuso
@ 2020-10-13 23:45 ` Pablo Neira Ayuso
  2020-10-14  3:07 ` [PATCH 0/4] Netfilter fixes for net Jakub Kicinski
  4 siblings, 0 replies; 30+ messages in thread
From: Pablo Neira Ayuso @ 2020-10-13 23:45 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Dump vlan tag and proto for the usual vlan offload case if the
NF_LOG_MACDECODE flag is set on. Without this information the logging is
misleading as there is no reference to the VLAN header.

[12716.993704] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0800 SRC=192.168.10.2 DST=172.217.168.163 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2548 DF PROTO=TCP SPT=55848 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
[12721.157643] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0806 ARP HTYPE=1 PTYPE=0x0800 OPCODE=2 MACSRC=86:6c:92:ea:d6:73 IPSRC=192.168.10.2 MACDST=0e:3b:eb:86:73:76 IPDST=192.168.10.1

Fixes: 83e96d443b37 ("netfilter: log: split family specific code to nf_log_{ip,ip6,common}.c files")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_log.h   |  1 +
 net/ipv4/netfilter/nf_log_arp.c  | 19 +++++++++++++++++--
 net/ipv4/netfilter/nf_log_ipv4.c |  6 ++++--
 net/ipv6/netfilter/nf_log_ipv6.c |  8 +++++---
 net/netfilter/nf_log_common.c    | 12 ++++++++++++
 5 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 0d3920896d50..716db4a0fed8 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -108,6 +108,7 @@ int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb,
 			   unsigned int logflags);
 void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m,
 			    struct sock *sk);
+void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb);
 void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
 			       unsigned int hooknum, const struct sk_buff *skb,
 			       const struct net_device *in,
diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c
index 7a83f881efa9..136030ad2e54 100644
--- a/net/ipv4/netfilter/nf_log_arp.c
+++ b/net/ipv4/netfilter/nf_log_arp.c
@@ -43,16 +43,31 @@ static void dump_arp_packet(struct nf_log_buf *m,
 			    const struct nf_loginfo *info,
 			    const struct sk_buff *skb, unsigned int nhoff)
 {
-	const struct arphdr *ah;
-	struct arphdr _arph;
 	const struct arppayload *ap;
 	struct arppayload _arpp;
+	const struct arphdr *ah;
+	unsigned int logflags;
+	struct arphdr _arph;
 
 	ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
 	if (ah == NULL) {
 		nf_log_buf_add(m, "TRUNCATED");
 		return;
 	}
+
+	if (info->type == NF_LOG_TYPE_LOG)
+		logflags = info->u.log.logflags;
+	else
+		logflags = NF_LOG_DEFAULT_MASK;
+
+	if (logflags & NF_LOG_MACDECODE) {
+		nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
+			       eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
+		nf_log_dump_vlan(m, skb);
+		nf_log_buf_add(m, "MACPROTO=%04x ",
+			       ntohs(eth_hdr(skb)->h_proto));
+	}
+
 	nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d",
 		       ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op));
 
diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c
index 0c72156130b6..d07583fac8f8 100644
--- a/net/ipv4/netfilter/nf_log_ipv4.c
+++ b/net/ipv4/netfilter/nf_log_ipv4.c
@@ -284,8 +284,10 @@ static void dump_ipv4_mac_header(struct nf_log_buf *m,
 
 	switch (dev->type) {
 	case ARPHRD_ETHER:
-		nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
-			       eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
+		nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
+			       eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
+		nf_log_dump_vlan(m, skb);
+		nf_log_buf_add(m, "MACPROTO=%04x ",
 			       ntohs(eth_hdr(skb)->h_proto));
 		return;
 	default:
diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
index da64550a5707..8210ff34ed9b 100644
--- a/net/ipv6/netfilter/nf_log_ipv6.c
+++ b/net/ipv6/netfilter/nf_log_ipv6.c
@@ -297,9 +297,11 @@ static void dump_ipv6_mac_header(struct nf_log_buf *m,
 
 	switch (dev->type) {
 	case ARPHRD_ETHER:
-		nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
-		       eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
-		       ntohs(eth_hdr(skb)->h_proto));
+		nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
+			       eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
+		nf_log_dump_vlan(m, skb);
+		nf_log_buf_add(m, "MACPROTO=%04x ",
+			       ntohs(eth_hdr(skb)->h_proto));
 		return;
 	default:
 		break;
diff --git a/net/netfilter/nf_log_common.c b/net/netfilter/nf_log_common.c
index ae5628ddbe6d..fd7c5f0f5c25 100644
--- a/net/netfilter/nf_log_common.c
+++ b/net/netfilter/nf_log_common.c
@@ -171,6 +171,18 @@ nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
 }
 EXPORT_SYMBOL_GPL(nf_log_dump_packet_common);
 
+void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb)
+{
+	u16 vid;
+
+	if (!skb_vlan_tag_present(skb))
+		return;
+
+	vid = skb_vlan_tag_get(skb);
+	nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid);
+}
+EXPORT_SYMBOL_GPL(nf_log_dump_vlan);
+
 /* bridge and netdev logging families share this code. */
 void nf_log_l2packet(struct net *net, u_int8_t pf,
 		     __be16 protocol,
-- 
2.20.1


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2020-10-13 23:45 [PATCH 0/4] Netfilter fixes for net Pablo Neira Ayuso
                   ` (3 preceding siblings ...)
  2020-10-13 23:45 ` [PATCH 4/4] netfilter: nf_log: missing vlan offload tag and proto Pablo Neira Ayuso
@ 2020-10-14  3:07 ` Jakub Kicinski
  4 siblings, 0 replies; 30+ messages in thread
From: Jakub Kicinski @ 2020-10-14  3:07 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev

On Wed, 14 Oct 2020 01:45:55 +0200 Pablo Neira Ayuso wrote:
> Hi,
> 
> The following patchset contains Netfilter fixes for net:
> 
> 1) Extend nf_queue selftest to cover re-queueing, non-gso mode and
>    delayed queueing, from Florian Westphal.
> 
> 2) Clear skb->tstamp in IPVS forwarding path, from Julian Anastasov.
> 
> 3) Provide netlink extended error reporting for EEXIST case.
> 
> 4) Missing VLAN offload tag and proto in log target.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
> 
> Absolutely nothing urgent in this batch, you might consider pulling this
> once net-next.git gets merged into net.git so this shows up in 5.10-rc.

Pulled, thanks!

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 1/4] selftests: netfilter: extend nfqueue test case
  2020-10-13 23:45 ` [PATCH 1/4] selftests: netfilter: extend nfqueue test case Pablo Neira Ayuso
@ 2020-10-14  3:10   ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 30+ messages in thread
From: patchwork-bot+netdevbpf @ 2020-10-14  3:10 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba

Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Wed, 14 Oct 2020 01:45:56 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> add a test with re-queueing: usespace doesn't pass accept verdict,
> but tells to re-queue to another nf_queue instance.
> 
> Also, make the second nf-queue program use non-gso mode, kernel will
> have to perform software segmentation.
> 
> [...]

Here is the summary with links:
  - [1/4] selftests: netfilter: extend nfqueue test case
    https://git.kernel.org/netdev/net/c/ea2f7da1799b
  - [2/4] ipvs: clear skb->tstamp in forwarding path
    https://git.kernel.org/netdev/net/c/7980d2eabde8
  - [3/4] netfilter: nftables: extend error reporting for chain updates
    https://git.kernel.org/netdev/net/c/98a381a7d489
  - [4/4] netfilter: nf_log: missing vlan offload tag and proto
    https://git.kernel.org/netdev/net/c/0d9826bc18ce

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2020-10-07  0:10 Pablo Neira Ayuso
@ 2020-10-09 19:19 ` Jakub Kicinski
  0 siblings, 0 replies; 30+ messages in thread
From: Jakub Kicinski @ 2020-10-09 19:19 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev

On Wed,  7 Oct 2020 02:10:23 +0200 Pablo Neira Ayuso wrote:
> The following patchset contains Netfilter selftests fixes from
> Fabian Frederick:
> 
> 1) Extend selftest nft_meta.sh to check for meta cpu.
> 
> 2) Fix selftest nft_meta.sh error reporting.
> 
> 3) Fix shellcheck warnings in selftest nft_meta.sh.
> 
> 4) Extend selftest nft_meta.sh to check for meta time.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thank you!

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2020-10-07  0:10 Pablo Neira Ayuso
  2020-10-09 19:19 ` Jakub Kicinski
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2020-10-07  0:10 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter selftests fixes from
Fabian Frederick:

1) Extend selftest nft_meta.sh to check for meta cpu.

2) Fix selftest nft_meta.sh error reporting.

3) Fix shellcheck warnings in selftest nft_meta.sh.

4) Extend selftest nft_meta.sh to check for meta time.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you!

----------------------------------------------------------------

The following changes since commit 25b8ab916dd7a1f490b603d68c7765c06f9ed9e1:

  Merge tag 'mac80211-for-net-2020-09-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 (2020-09-21 14:54:35 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 48d072c4e8cdb542ade06727c31d7851bcc40a89:

  selftests: netfilter: add time counter check (2020-09-30 11:49:18 +0200)

----------------------------------------------------------------
Fabian Frederick (4):
      selftests: netfilter: add cpu counter check
      selftests: netfilter: fix nft_meta.sh error reporting
      selftests: netfilter: remove unused cnt and simplify command testing
      selftests: netfilter: add time counter check

 tools/testing/selftests/netfilter/nft_meta.sh | 32 +++++++++++++++++++++------
 1 file changed, 25 insertions(+), 7 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2020-06-14 21:52 Pablo Neira Ayuso
@ 2020-06-15 20:27 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2020-06-15 20:27 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev, kuba

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 14 Jun 2020 23:52:57 +0200

> The following patchset contains Netfilter fixes for net:
> 
> 1) Fix bogus EEXIST on element insertions to the rbtree with timeouts,
>    from Stefano Brivio.
> 
> 2) Preempt BUG splat in the pipapo element insertion path, also from
>    Stefano.
> 
> 3) Release filter from the ctnetlink error path.
> 
> 4) Release flowtable hooks from the deletion path.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2020-06-14 21:52 Pablo Neira Ayuso
  2020-06-15 20:27 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2020-06-14 21:52 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix bogus EEXIST on element insertions to the rbtree with timeouts,
   from Stefano Brivio.

2) Preempt BUG splat in the pipapo element insertion path, also from
   Stefano.

3) Release filter from the ctnetlink error path.

4) Release flowtable hooks from the deletion path.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you.

----------------------------------------------------------------

The following changes since commit af7b4801030c07637840191c69eb666917e4135d:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2020-06-07 17:27:45 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 3003055f50663095472144994dac0339076031a8:

  netfilter: nf_tables: hook list memleak in flowtable deletion (2020-06-12 17:48:21 +0200)

----------------------------------------------------------------
Pablo Neira Ayuso (2):
      netfilter: ctnetlink: memleak in filter initialization error path
      netfilter: nf_tables: hook list memleak in flowtable deletion

Stefano Brivio (2):
      netfilter: nft_set_rbtree: Don't account for expired elements on insertion
      netfilter: nft_set_pipapo: Disable preemption before getting per-CPU pointer

 net/netfilter/nf_conntrack_netlink.c | 32 ++++++++++++++++++++++----------
 net/netfilter/nf_tables_api.c        | 31 ++++++++++++++++++++++++-------
 net/netfilter/nft_set_pipapo.c       |  6 +++++-
 net/netfilter/nft_set_rbtree.c       | 21 ++++++++++++++-------
 4 files changed, 65 insertions(+), 25 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2020-03-20 13:51 Pablo Neira Ayuso
@ 2020-03-21  2:34 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2020-03-21  2:34 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 20 Mar 2020 14:51:30 +0100

> The following patchset contains Netfilter fixes for net:
> 
> 1) Refetch IP header pointer after pskb_may_pull() in flowtable,
>    from Haishuang Yan.
> 
> 2) Fix memleak in flowtable offload in nf_flow_table_free(),
>    from Paul Blakey.
> 
> 3) Set control.addr_type mask in flowtable offload, from Edward Cree.

Pulled, thanks Pablo.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2020-03-20 13:51 Pablo Neira Ayuso
  2020-03-21  2:34 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-20 13:51 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi,

The following patchset contains Netfilter fixes for net:

1) Refetch IP header pointer after pskb_may_pull() in flowtable,
   from Haishuang Yan.

2) Fix memleak in flowtable offload in nf_flow_table_free(),
   from Paul Blakey.

3) Set control.addr_type mask in flowtable offload, from Edward Cree.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you.

----------------------------------------------------------------

The following changes since commit 3c025b6317272ee8493ee20fa5035c087626af48:

  Merge branch 'wireguard-fixes' (2020-03-18 18:51:43 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 15ff197237e76c4dab06b7b518afaa4ebb1c43e0:

  netfilter: flowtable: populate addr_type mask (2020-03-19 21:20:04 +0100)

----------------------------------------------------------------
Edward Cree (1):
      netfilter: flowtable: populate addr_type mask

Haishuang Yan (2):
      netfilter: flowtable: reload ip{v6}h in nf_flow_nat_ip{v6}
      netfilter: flowtable: reload ip{v6}h in nf_flow_tuple_ip{v6}

Paul Blakey (1):
      netfilter: flowtable: Fix flushing of offloaded flows on free

 net/netfilter/nf_flow_table_core.c    |  3 +++
 net/netfilter/nf_flow_table_ip.c      | 14 ++++++++++----
 net/netfilter/nf_flow_table_offload.c |  1 +
 3 files changed, 14 insertions(+), 4 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2019-12-26 16:39 Pablo Neira Ayuso
@ 2019-12-26 21:11 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2019-12-26 21:11 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 26 Dec 2019 17:39:52 +0100

> The following patchset contains Netfilter fixes for net:
> 
> 1) Fix endianness issue in flowtable TCP flags dissector,
>    from Arnd Bergmann.
> 
> 2) Extend flowtable test script with dnat rules, from Florian Westphal.
> 
> 3) Reject padding in ebtables user entries and validate computed user
>    offset, reported by syzbot, from Florian Westphal.
> 
> 4) Fix endianness in nft_tproxy, from Phil Sutter.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thank you.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2019-12-26 16:39 Pablo Neira Ayuso
  2019-12-26 21:11 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2019-12-26 16:39 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix endianness issue in flowtable TCP flags dissector,
   from Arnd Bergmann.

2) Extend flowtable test script with dnat rules, from Florian Westphal.

3) Reject padding in ebtables user entries and validate computed user
   offset, reported by syzbot, from Florian Westphal.

4) Fix endianness in nft_tproxy, from Phil Sutter.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 0fd260056ef84ede8f444c66a3820811691fe884:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf (2019-12-19 14:20:47 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 8cb4ec44de42b99b92399b4d1daf3dc430ed0186:

  netfilter: nft_tproxy: Fix port selector on Big Endian (2019-12-20 02:12:28 +0100)

----------------------------------------------------------------
Arnd Bergmann (1):
      netfilter: nf_flow_table: fix big-endian integer overflow

Florian Westphal (2):
      selftests: netfilter: extend flowtable test script with dnat rule
      netfilter: ebtables: compat: reject all padding in matches/watchers

Phil Sutter (1):
      netfilter: nft_tproxy: Fix port selector on Big Endian

 net/bridge/netfilter/ebtables.c                    | 33 +++++++++---------
 net/netfilter/nf_flow_table_offload.c              |  2 +-
 net/netfilter/nft_tproxy.c                         |  4 +--
 tools/testing/selftests/netfilter/nft_flowtable.sh | 39 +++++++++++++++++++---
 4 files changed, 53 insertions(+), 25 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2017-05-29 11:34 Pablo Neira Ayuso
@ 2017-05-30  3:20 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2017-05-30  3:20 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 29 May 2017 13:34:28 +0200

> Hi David,
> 
> The following patchset contains Netfilter fixes for your net tree,
> they are:
> 
> 1) Conntrack SCTP CRC32c checksum mangling may operate on non-linear
>    skbuff, patch from Davide Caratti.
> 
> 2) nf_tables rb-tree set backend does not handle element re-addition
>    after deletion in the same transaction, leading to infinite loop.
> 
> 3) Atomically unclear the IPS_SRC_NAT_DONE_BIT on nat module removal,
>    from Liping Zhang.
> 
> 4) Conntrack hashtable resizing while ctnetlink dump is progress leads
>    to a dead reference to released objects in the lists, also from
>    Liping.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks a lot Pablo.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2017-05-29 11:34 Pablo Neira Ayuso
  2017-05-30  3:20 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2017-05-29 11:34 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Conntrack SCTP CRC32c checksum mangling may operate on non-linear
   skbuff, patch from Davide Caratti.

2) nf_tables rb-tree set backend does not handle element re-addition
   after deletion in the same transaction, leading to infinite loop.

3) Atomically unclear the IPS_SRC_NAT_DONE_BIT on nat module removal,
   from Liping Zhang.

4) Conntrack hashtable resizing while ctnetlink dump is progress leads
   to a dead reference to released objects in the lists, also from
   Liping.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 6d18c732b95c0a9d35e9f978b4438bba15412284:

  bridge: start hello_timer when enabling KERNEL_STP in br_stp_start (2017-05-21 13:33:28 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to fefa92679dbe0c613e62b6c27235dcfbe9640ad1:

  netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize (2017-05-24 11:26:01 +0200)

----------------------------------------------------------------
Davide Caratti (1):
      netfilter: conntrack: fix false CRC32c mismatch using paged skb

Liping Zhang (2):
      netfilter: nat: use atomic bit op to clear the _SRC_NAT_DONE_BIT
      netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize

Pablo Neira Ayuso (1):
      netfilter: nft_set_rbtree: handle element re-addition after deletion

 net/netfilter/nf_conntrack_netlink.c    |  7 ++++++-
 net/netfilter/nf_conntrack_proto_sctp.c |  9 ++++++---
 net/netfilter/nf_nat_core.c             |  2 +-
 net/netfilter/nft_set_rbtree.c          | 22 +++++++++++-----------
 4 files changed, 24 insertions(+), 16 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2017-03-03 19:22 Pablo Neira Ayuso
@ 2017-03-04  4:41 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2017-03-04  4:41 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri,  3 Mar 2017 20:22:21 +0100

> The following patchset contains Netfilter fixes for your net tree,
> they are:
> 
> 1) Missing check for full sock in ip_route_me_harder(), from
>    Florian Westphal.
> 
> 2) Incorrect sip helper structure initilization that breaks it when
>    several ports are used, from Christophe Leroy.
> 
> 3) Fix incorrect assumption when looking up for matching with adjacent
>    intervals in the nft_set_rbtree.
> 
> 4) Fix broken netlink event error reporting in nf_tables that results
>    in misleading ESRCH errors propagated to userspace listeners.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks a lot Pablo.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2017-03-03 19:22 Pablo Neira Ayuso
  2017-03-04  4:41 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2017-03-03 19:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Missing check for full sock in ip_route_me_harder(), from
   Florian Westphal.

2) Incorrect sip helper structure initilization that breaks it when
   several ports are used, from Christophe Leroy.

3) Fix incorrect assumption when looking up for matching with adjacent
   intervals in the nft_set_rbtree.

4) Fix broken netlink event error reporting in nf_tables that results
   in misleading ESRCH errors propagated to userspace listeners.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 2f44f75257d57f0d5668dba3a6ada0f4872132c9:

  Merge branch 'qed-fixes' (2017-02-27 09:22:10 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 25e94a997b324b5f167f56d56d7106d38b78c9de:

  netfilter: nf_tables: don't call nfnetlink_set_err() if nfnetlink_send() fails (2017-03-03 13:48:34 +0100)

----------------------------------------------------------------
Christophe Leroy (1):
      netfilter: nf_conntrack_sip: fix wrong memory initialisation

Florian Westphal (1):
      netfilter: use skb_to_full_sk in ip_route_me_harder

Pablo Neira Ayuso (2):
      netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups
      netfilter: nf_tables: don't call nfnetlink_set_err() if nfnetlink_send() fails

 include/net/netfilter/nf_tables.h |   6 +-
 net/ipv4/netfilter.c              |   7 +-
 net/netfilter/nf_conntrack_sip.c  |   2 -
 net/netfilter/nf_tables_api.c     | 133 ++++++++++++++++----------------------
 net/netfilter/nft_set_rbtree.c    |   9 ++-
 5 files changed, 66 insertions(+), 91 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2016-09-13  9:05 Pablo Neira Ayuso
@ 2016-09-13 15:17 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2016-09-13 15:17 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 13 Sep 2016 11:05:13 +0200

> The following patchset contains Netfilter fixes for your net tree,
> they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2016-09-13  9:05 Pablo Neira Ayuso
  2016-09-13 15:17 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2016-09-13  9:05 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Endianess fix for the new nf_tables netlink trace infrastructure,
   NFTA_TRACE_POLICY endianess was not correct, patch from Liping Zhang.

2) Fix broken re-route after userspace queueing in nf_tables route
   chain. This patch is large but it is simple since it is just getting
   this code in sync with iptable_mangle. Also from Liping.

3) NAT mangling via ctnetlink lies to userspace when nf_nat_setup_info()
   fails to setup the NAT conntrack extension. This problem has been
   there since the beginning, but it can now show up after rhashtable
   conversion.

4) Fix possible NULL pointer dereference due to failures in allocating
   the synproxy and seqadj conntrack extensions, from Gao feng.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 6e1ce3c3451291142a57c4f3f6f999a29fb5b3bc:

  af_unix: split 'u->readlock' into two: 'iolock' and 'bindlock' (2016-09-04 13:29:29 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 4440a2ab3b9f40dddbe006331ef0659c76859296:

  netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions (2016-09-13 10:50:56 +0200)

----------------------------------------------------------------
Gao Feng (1):
      netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions

Liping Zhang (2):
      netfilter: nf_tables_trace: fix endiness when dump chain policy
      netfilter: nft_chain_route: re-route before skb is queued to userspace

Pablo Neira Ayuso (1):
      netfilter: nf_nat: handle NF_DROP from nfnetlink_parse_nat_setup()

 include/net/netfilter/nf_conntrack_synproxy.h | 14 ++++++++++++++
 net/ipv4/netfilter/nft_chain_route_ipv4.c     | 11 +++++++----
 net/ipv6/netfilter/nft_chain_route_ipv6.c     | 10 +++++++---
 net/netfilter/nf_conntrack_core.c             |  6 +++---
 net/netfilter/nf_nat_core.c                   |  5 +++--
 net/netfilter/nf_tables_trace.c               |  2 +-
 6 files changed, 35 insertions(+), 13 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2015-10-19 18:22 Pablo Neira Ayuso
@ 2015-10-22  2:27 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2015-10-22  2:27 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 19 Oct 2015 20:22:51 +0200

> The following patchset contains four Netfilter fixes for net, they are:
> 
> 1) Fix Kconfig dependencies of new nf_dup_ipv4 and nf_dup_ipv6.
> 
> 2) Remove bogus test nh_scope in IPv4 rpfilter match that is breaking
>    --accept-local, from Xin Long.
> 
> 3) Wait for RCU grace period after dropping the pending packets in the
>    nfqueue, from Florian Westphal.
> 
> 4) Fix sleeping allocation while holding spin_lock_bh, from Nikolay Borisov.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks a lot Pablo.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2015-10-19 18:22 Pablo Neira Ayuso
  2015-10-22  2:27 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2015-10-19 18:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains four Netfilter fixes for net, they are:

1) Fix Kconfig dependencies of new nf_dup_ipv4 and nf_dup_ipv6.

2) Remove bogus test nh_scope in IPv4 rpfilter match that is breaking
   --accept-local, from Xin Long.

3) Wait for RCU grace period after dropping the pending packets in the
   nfqueue, from Florian Westphal.

4) Fix sleeping allocation while holding spin_lock_bh, from Nikolay Borisov.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit b84f78782052ee4516903e5d0566a5eee365b771:

  net: Initialize flow flags in input path (2015-09-29 21:52:32 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 00db674bedd68ff8b5afae9030ff5e04d45d1b4a:

  netfilter: ipset: Fix sleeping memory allocation in atomic context (2015-10-17 13:01:24 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: sync with packet rx also after removing queue entries

Nikolay Borisov (1):
      netfilter: ipset: Fix sleeping memory allocation in atomic context

Pablo Neira Ayuso (1):
      netfilter: fix Kconfig dependencies for nf_dup_ipv{4,6}

lucien (1):
      netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse

 net/ipv4/netfilter/Kconfig            | 1 +
 net/ipv4/netfilter/ipt_rpfilter.c     | 4 +---
 net/ipv6/netfilter/Kconfig            | 1 +
 net/netfilter/core.c                  | 2 ++
 net/netfilter/ipset/ip_set_list_set.c | 2 +-
 5 files changed, 6 insertions(+), 4 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2015-09-18  9:17 Pablo Neira Ayuso
@ 2015-09-21  5:32 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2015-09-21  5:32 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 18 Sep 2015 11:17:52 +0200

> The following patch contains Netfilter fixes for your net tree, they are:
> 
> 1) nf_log_unregister() should only set to NULL the logger that is being
>    unregistered, instead of everything else. Patch from Florian Westphal.
> 
> 2) Fix a crash when accessing physoutdev from PREROUTING in br_netfilter.
>    This is partially reverting the patch to shrink nf_bridge_info to 32 bytes.
>    Also from Florian.
> 
> 3) Use existing match/target extensions in the internal nft_compat extension
>    lists when the extension is family unspecific (ie. NFPROTO_UNSPEC).
> 
> 4) Wait for rcu grace period before leaving nf_log_unregister().
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks Pablo.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2015-09-18  9:17 Pablo Neira Ayuso
  2015-09-21  5:32 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-18  9:17 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patch contains Netfilter fixes for your net tree, they are:

1) nf_log_unregister() should only set to NULL the logger that is being
   unregistered, instead of everything else. Patch from Florian Westphal.

2) Fix a crash when accessing physoutdev from PREROUTING in br_netfilter.
   This is partially reverting the patch to shrink nf_bridge_info to 32 bytes.
   Also from Florian.

3) Use existing match/target extensions in the internal nft_compat extension
   lists when the extension is family unspecific (ie. NFPROTO_UNSPEC).

4) Wait for rcu grace period before leaving nf_log_unregister().

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit e8684c88774c0ddfeefdbed0aa469b25b9962f3e:

  irda: ali-ircc: Fix deadlock in ali_ircc_sir_change_speed() (2015-09-11 16:18:33 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to ad5001cc7cdf9aaee5eb213fdee657e4a3c94776:

  netfilter: nf_log: wait for rcu grace after logger unregistration (2015-09-17 13:37:31 +0200)

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: nf_log: don't zap all loggers on unregister
      netfilter: bridge: fix routing of bridge frames with call-iptables=1

Pablo Neira Ayuso (2):
      netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC
      netfilter: nf_log: wait for rcu grace after logger unregistration

 include/linux/skbuff.h     |    6 +++---
 net/netfilter/nf_log.c     |    9 +++++++--
 net/netfilter/nft_compat.c |   24 ++++++++++++++++++------
 3 files changed, 28 insertions(+), 11 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] Netfilter fixes for net
  2015-05-16 18:47 Pablo Neira Ayuso
@ 2015-05-16 20:45 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2015-05-16 20:45 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 16 May 2015 20:47:14 +0200

> The following patchset contains Netfilter fixes for your net tree, they are:
> 
> 1) Fix a leak in IPVS, the sysctl table is not released accordingly when
>    destroying a netns, patch from Tommi Rantala.
> 
> 2) Fix a build error when TPROXY and socket are built-in but IPv6 defrag is
>    compiled as module, from Florian Westphal.
> 
> 3) Fix TCP tracket wrt. RFC5961 challenge ACK when in LAST_ACK state, patch
>    from Jesper Dangaard Brouer.
> 
> 4) Fix a bogus WARN_ON() in nf_tables when deleting a set element that stores
>    a map, from Mirek Kratochvil.

Pulled, thanks Pablo.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2015-05-16 18:47 Pablo Neira Ayuso
  2015-05-16 20:45 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-16 18:47 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter fixes for your net tree, they are:

1) Fix a leak in IPVS, the sysctl table is not released accordingly when
   destroying a netns, patch from Tommi Rantala.

2) Fix a build error when TPROXY and socket are built-in but IPv6 defrag is
   compiled as module, from Florian Westphal.

3) Fix TCP tracket wrt. RFC5961 challenge ACK when in LAST_ACK state, patch
   from Jesper Dangaard Brouer.

4) Fix a bogus WARN_ON() in nf_tables when deleting a set element that stores
   a map, from Mirek Kratochvil.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 39376ccb1968ba9f83e2a880a8bf02ad5dea44e1:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf (2015-04-27 23:12:34 -0400)

are available in the git repository at:


  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to 960bd2c26421d321e890f1936938196ead41976f:

  netfilter: nf_tables: fix bogus warning in nft_data_uninit() (2015-05-15 22:07:30 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: avoid build error if TPROXY/SOCKET=y && NF_DEFRAG_IPV6=m

Jesper Dangaard Brouer (1):
      conntrack: RFC5961 challenge ACK confuse conntrack LAST-ACK transition

Mirek Kratochvil (1):
      netfilter: nf_tables: fix bogus warning in nft_data_uninit()

Tommi Rantala (1):
      ipvs: fix memory leak in ip_vs_ctl.c

 include/uapi/linux/netfilter/nf_conntrack_tcp.h |    3 ++
 net/netfilter/Kconfig                           |    2 ++
 net/netfilter/ipvs/ip_vs_ctl.c                  |    3 ++
 net/netfilter/nf_conntrack_proto_tcp.c          |   35 +++++++++++++++++++++--
 net/netfilter/nf_tables_api.c                   |    4 +--
 5 files changed, 42 insertions(+), 5 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] Netfilter fixes for net
@ 2014-08-11 17:06 Pablo Neira Ayuso
  0 siblings, 0 replies; 30+ messages in thread
From: Pablo Neira Ayuso @ 2014-08-11 17:06 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains fixes for your net tree, they are:

1) Unitialize the set element key and data from the commit path,
   otherwise this leaks chain refcount if the transaction is aborted,
   reported by Thomas Graf.

2) Fix crash when updating chains without no counters in nf_tables,
   this slipped through in the new transaction infrastructure, reported
   by Matteo Croce.

3) Replace all mutex_lock_interruptible() by mutex_lock() in the Netfilter
   tree, suggested by Patrick McHardy. This implicitly fixes the problem
   that Eric Dumazet reported in: http://patchwork.ozlabs.org/patch/373076/

4) Fix error return code in nf_tables when deleting set element in
   nf_tables if the transaction cannot be allocated, from Julia Lawall.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 33caee39925b887a99a2400dc5c980097c3573f9:

  Merge branch 'akpm' (patchbomb from Andrew Morton) (2014-08-06 21:14:42 -0700)

are available in the git repository at:


  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to 609ccf087747de48ef52160f93e0df864c532a61:

  netfilter: nf_tables: fix error return code (2014-08-08 16:47:29 +0200)

----------------------------------------------------------------
Julia Lawall (1):
      netfilter: nf_tables: fix error return code

Pablo Neira Ayuso (3):
      netfilter: nf_tables: uninitialize element key/data from the commit path
      netfilter: nf_tables: don't update chain with unset counters
      netfilter: don't use mutex_lock_interruptible()

 net/bridge/netfilter/ebtables.c |   10 ++-------
 net/netfilter/core.c            |   11 ++-------
 net/netfilter/ipvs/ip_vs_ctl.c  |   19 ++++------------
 net/netfilter/nf_sockopt.c      |    8 ++-----
 net/netfilter/nf_tables_api.c   |   30 ++++++++++++++-----------
 net/netfilter/x_tables.c        |   47 ++++++++++-----------------------------
 6 files changed, 39 insertions(+), 86 deletions(-)

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH 0/4] netfilter fixes for net
  2013-04-12 10:13 [PATCH 0/4] netfilter " Pablo Neira Ayuso
@ 2013-04-12 18:28 ` David Miller
  0 siblings, 0 replies; 30+ messages in thread
From: David Miller @ 2013-04-12 18:28 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 12 Apr 2013 12:13:15 +0200

> The following patchset contains late netfilter fixes for your net
> tree, they are:
> 
> * Don't drop segmented TCP packets in the SIP helper, we've got reports
>   from users that this was breaking communications when the SIP phone
>   messages are larger than the MTU, from Patrick McHardy.
> 
> * Fix refcount leak in the ipset list set, from Jozsef Kadlecsik.
> 
> * On hash set resizing, the nomatch flag was lost, thus entirely inverting
>   the logic of the set matching, from Jozsef Kadlecsik.
> 
> * Fix crash on NAT modules removal. Timer expiration may race with the
>   module cleanup exit path while deleting conntracks, from Florian
>   Westphal.

Pulled, thanks Pablo.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [PATCH 0/4] netfilter fixes for net
@ 2013-04-12 10:13 Pablo Neira Ayuso
  2013-04-12 18:28 ` David Miller
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira Ayuso @ 2013-04-12 10:13 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains late netfilter fixes for your net
tree, they are:

* Don't drop segmented TCP packets in the SIP helper, we've got reports
  from users that this was breaking communications when the SIP phone
  messages are larger than the MTU, from Patrick McHardy.

* Fix refcount leak in the ipset list set, from Jozsef Kadlecsik.

* On hash set resizing, the nomatch flag was lost, thus entirely inverting
  the logic of the set matching, from Jozsef Kadlecsik.

* Fix crash on NAT modules removal. Timer expiration may race with the
  module cleanup exit path while deleting conntracks, from Florian
  Westphal.

The following changes since commit 53f63189b1110559dce8c1ee29e8abc3e31f7630:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2013-04-05 14:04:10 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to c2d421e171868586939c328dfb91bab840fe4c49:

  netfilter: nf_nat: fix race when unloading protocol modules (2013-04-12 11:46:31 +0200)

Please, consider pulling this.
Thanks!

P.S: Jozsef has several updates for net-next that depend on these fixes,
could you pull from your net tree into your net-next tree, please? Thanks.

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nf_nat: fix race when unloading protocol modules

Jozsef Kadlecsik (2):
      netfilter: ipset: list:set: fix reference counter update
      netfilter: ipset: hash:*net*: nomatch flag not excluded on set resize

Patrick McHardy (1):
      netfilter: nf_ct_sip: don't drop packets with offsets pointing outside the packet

 include/linux/netfilter/ipset/ip_set_ahash.h |   30 ++++++++++++++-----
 net/netfilter/ipset/ip_set_hash_ipportnet.c  |   18 ++++++++++++
 net/netfilter/ipset/ip_set_hash_net.c        |   22 ++++++++++++--
 net/netfilter/ipset/ip_set_hash_netiface.c   |   22 ++++++++++++--
 net/netfilter/ipset/ip_set_hash_netport.c    |   18 ++++++++++++
 net/netfilter/ipset/ip_set_list_set.c        |   10 +++++--
 net/netfilter/nf_conntrack_sip.c             |    6 ++--
 net/netfilter/nf_nat_core.c                  |   40 +++++---------------------
 8 files changed, 115 insertions(+), 51 deletions(-)


^ permalink raw reply	[flat|nested] 30+ messages in thread

end of thread, back to index

Thread overview: 30+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-13 23:45 [PATCH 0/4] Netfilter fixes for net Pablo Neira Ayuso
2020-10-13 23:45 ` [PATCH 1/4] selftests: netfilter: extend nfqueue test case Pablo Neira Ayuso
2020-10-14  3:10   ` patchwork-bot+netdevbpf
2020-10-13 23:45 ` [PATCH 2/4] ipvs: clear skb->tstamp in forwarding path Pablo Neira Ayuso
2020-10-13 23:45 ` [PATCH 3/4] netfilter: nftables: extend error reporting for chain updates Pablo Neira Ayuso
2020-10-13 23:45 ` [PATCH 4/4] netfilter: nf_log: missing vlan offload tag and proto Pablo Neira Ayuso
2020-10-14  3:07 ` [PATCH 0/4] Netfilter fixes for net Jakub Kicinski
  -- strict thread matches above, loose matches on Subject: below --
2020-10-07  0:10 Pablo Neira Ayuso
2020-10-09 19:19 ` Jakub Kicinski
2020-06-14 21:52 Pablo Neira Ayuso
2020-06-15 20:27 ` David Miller
2020-03-20 13:51 Pablo Neira Ayuso
2020-03-21  2:34 ` David Miller
2019-12-26 16:39 Pablo Neira Ayuso
2019-12-26 21:11 ` David Miller
2017-05-29 11:34 Pablo Neira Ayuso
2017-05-30  3:20 ` David Miller
2017-03-03 19:22 Pablo Neira Ayuso
2017-03-04  4:41 ` David Miller
2016-09-13  9:05 Pablo Neira Ayuso
2016-09-13 15:17 ` David Miller
2015-10-19 18:22 Pablo Neira Ayuso
2015-10-22  2:27 ` David Miller
2015-09-18  9:17 Pablo Neira Ayuso
2015-09-21  5:32 ` David Miller
2015-05-16 18:47 Pablo Neira Ayuso
2015-05-16 20:45 ` David Miller
2014-08-11 17:06 Pablo Neira Ayuso
2013-04-12 10:13 [PATCH 0/4] netfilter " Pablo Neira Ayuso
2013-04-12 18:28 ` David Miller

Netfilter-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netfilter-devel/0 netfilter-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netfilter-devel netfilter-devel/ https://lore.kernel.org/netfilter-devel \
		netfilter-devel@vger.kernel.org
	public-inbox-index netfilter-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netfilter-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git