Eric Dumazet | 24 Jul 00:53 2014

[PATCH] netfilter: nf_sockopt_find() should return ERESTARTSYS

From: Eric Dumazet <edumazet <at> google.com>

getsockopt() or setsockopt() sometimes returns -EINTR instead of
-ENOPROTOOPT, causing headaches to application developers.

This is because unsupported commands might go through nf_sockopt_find()
and this function returns -EINTR instead of -ERESTARTSYS if
a signal is pending.

Signed-off-by: Eric Dumazet <edumazet <at> google.com>
---
 net/netfilter/nf_sockopt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index f042ae521557..37181447715b 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
 <at>  <at>  -66,7 +66,7  <at>  <at>  static struct nf_sockopt_ops *nf_sockopt_find(struct sock *sk, u_int8_t pf,
 	struct nf_sockopt_ops *ops;

 	if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0)
-		return ERR_PTR(-EINTR);
+		return ERR_PTR(-ERESTARTSYS);

 	list_for_each_entry(ops, &nf_sockopts, list) {
 		if (ops->pf == pf) {
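Review bot: the one-line change is only correct if -ERESTARTSYS reaches the syscall exit unmodified, and nothing in this hunk shows the callers; the reviewer needs to confirm that every user of nf_sockopt_find() (none are in the diff) returns PTR_ERR(ops) straight through rather than mapping it, because -ERESTARTSYS is meant for the signal-delivery code, which restarts the call or turns it into -EINTR for a handler without SA_RESTART, and must never be handed to user space as-is. A sentence in the commit message saying those callers were checked would make the patch self-contained.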

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
(Continue reading)

Pablo Neira Ayuso | 23 Jul 23:49 2014

[PATCH nft 1/3] main: propagate error to shell

Before:

 # nft add rule ip test input ip hdrlength 3
 <cmdline>:1:1-37: Error: Could not process rule: Invalid argument
 add rule ip test input ip hdrlength 3
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 # echo $?
 0

After:

 # nft add rule ip test input ip hdrlength 3
 <cmdline>:1:1-37: Error: Could not process rule: Invalid argument
 add rule ip test input ip hdrlength 3
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 # echo $?
 1

Reported-by: Ana Rey Botello <anarey <at> gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 src/main.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main.c b/src/main.c
index bd8feee..04a98e3 100644
--- a/src/main.c
+++ b/src/main.c
 <at>  <at>  -200,6 +200,8  <at>  <at>  static int nft_netlink(struct parser_state *state, struct list_head *msgs)
 				netlink_io_error(&ctx, &cmd->location,
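Review bot: only the hunk header and one context line survive here, so the two inserted lines listed in the diffstat cannot be checked; the question they raise is whether the non-zero exit status now covers every failure path in nft_netlink(), not just the netlink_io_error() branch visible as context, since the Before/After transcript above exercises a single failing command only.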
(Continue reading)

Pablo Neira Ayuso | 23 Jul 23:45 2014

[PATCH libnftnl] set_elem: add nft_set_elems_nlmsg_build_payload_iter()

This new interface allows you to put as many set elements as possible
into a netlink message. The iterator stores the last element that has
fit into a netlink message, so you can continue adding more set elements
across several netlink messages.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 include/libnftnl/set.h |    3 ++
 src/libnftnl.map       |    4 +++
 src/set_elem.c         |   83 +++++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 79 insertions(+), 11 deletions(-)

diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h
index 4d08f16..4f2016d 100644
--- a/include/libnftnl/set.h
+++ b/include/libnftnl/set.h
 <at>  <at>  -121,4 +121,7  <at>  <at>  struct nft_set_elem *nft_set_elems_iter_cur(struct nft_set_elems_iter *iter);
 struct nft_set_elem *nft_set_elems_iter_next(struct nft_set_elems_iter *iter);
 void nft_set_elems_iter_destroy(struct nft_set_elems_iter *iter);

+int nft_set_elems_nlmsg_build_payload_iter(struct nlmsghdr *nlh,
+					   struct nft_set_elems_iter *iter);
+
 #endif /* _LIBNFTNL_SET_H_ */
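Review bot: the new public prototype carries no comment on its return contract, yet the use case in the commit message (filling several messages from one iterator) requires the caller to tell apart "message full, call again with the same iterator", "iterator exhausted" and a real error, and nothing in set.h says which return values mean which. A short comment above the declaration would fix that; it should also state that the stored position only advances past elements that actually fit, so no element is skipped or written twice across messages.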
diff --git a/src/libnftnl.map b/src/libnftnl.map
index b11db67..e8c634f 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
 <at>  <at>  -206,3 +206,7  <at>  <at>  LIBNFTNL_1.1 {
   nft_set_attr_set_data;
(Continue reading)
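The resume-from-iterator pattern the commit message describes, as an added example that is not libnftnl's nft_set_elems_nlmsg_build_payload_iter() and not code from the patch: a fixed message budget, elements of varying wire size, and an iterator that stops on the first element that did not fit so the caller can open a new message and continue. The 32-byte budget, the key-plus-payload encoding and the -EMSGSIZE handling for an element larger than any message are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_MAX 32U                     /* assumed per-message payload budget */
#define ALIGN4(n) (((n) + 3U) & ~3U)

struct elem { uint32_t key; uint8_t data[40]; size_t data_len; };
struct msg  { unsigned char buf[MSG_MAX]; size_t len; };
struct elems_iter { const struct elem *elems; size_t count; size_t cur; };

static size_t elem_wire_len(const struct elem *e)
{
	return ALIGN4(sizeof(e->key) + e->data_len);   /* key + payload, 4-aligned */
}

/* Append elements starting at it->cur until the next one would not fit.
 * it->cur is left on the first element NOT written, so the caller can start
 * a fresh message and call again. Returns the number of elements appended,
 * or -EMSGSIZE if the current element cannot fit even in an empty message
 * (otherwise the caller would loop forever producing empty messages). */
int build_payload_iter(struct msg *m, struct elems_iter *it)
{
	int n = 0;

	while (it->cur < it->count) {
		const struct elem *e = &it->elems[it->cur];
		size_t need = elem_wire_len(e);

		if (need > MSG_MAX)
			return -EMSGSIZE;
		if (m->len + need > MSG_MAX)
			break;                               /* leave it for the next message */
		memcpy(m->buf + m->len, &e->key, sizeof(e->key));
		memcpy(m->buf + m->len + sizeof(e->key), e->data, e->data_len);
		memset(m->buf + m->len + sizeof(e->key) + e->data_len, 0,
		       need - sizeof(e->key) - e->data_len);  /* alignment padding */
		m->len += need;
		it->cur++;
		n++;
	}
	return n;
}

/* Drive the iterator until every element has been packed. Returns the
 * number of messages needed, or a negative errno. Sending is simulated. */
int send_all(const struct elem *elems, size_t count)
{
	struct elems_iter it = { elems, count, 0 };
	int msgs = 0;

	while (it.cur < it.count) {
		struct msg m = { {0}, 0 };
		int n = build_payload_iter(&m, &it);

		if (n < 0)
			return n;
		msgs++;                                  /* m would be sent here */
	}
	return msgs;
}

/* Constructed sample: wire sizes 8, 16, 8, 24, 8 bytes; with a 32-byte
 * budget they need two messages (8+16+8, then 24+8). */
static const struct elem sample[5] = {
	{ 1, {0}, 4 }, { 2, {0}, 12 }, { 3, {0}, 4 }, { 4, {0}, 20 }, { 5, {0}, 1 },
};

int demo_messages_needed(void)
{
	return send_all(sample, 5);
}

/* One element larger than any message: must be refused, not retried forever. */
int demo_oversized(void)
{
	struct elem big = { 9, {0}, 40 };            /* 4 + 40 = 44 > MSG_MAX */

	return send_all(&big, 1);
}
```

The check that an element fits an empty message is the part worth copying: without it a caller that loops "until the iterator is exhausted" never terminates on a single oversized element.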

Paul Bolle | 23 Jul 11:28 2014

netfilter: remnants of ulog targets

Pablo,

Your commit 7200135bc1e6 ("netfilter: kill ulog targets") landed in
today's linux-next (ie, next-20140723). It removes two Kconfig symbols:
IP_NF_TARGET_ULOG and BRIDGE_EBT_ULOG.

It left a few references to the related macros untouched:
    $ git grep -n -e IP_NF_TARGET_ULOG -e BRIDGE_EBT_ULOG next-20140723 | grep -v defconf
    next-20140723:include/net/netns/x_tables.h:18:#if IS_ENABLED(CONFIG_IP_NF_TARGET_ULOG)
    next-20140723:include/net/netns/x_tables.h:21:#if IS_ENABLED(CONFIG_BRIDGE_EBT_ULOG)
    next-20140723:net/bridge/netfilter/Makefile:39:obj-$(CONFIG_BRIDGE_EBT_ULOG) += ebt_ulog.o
    next-20140723:net/ipv4/netfilter/Makefile:60:obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o

Is the trivial patch to clean up these remnants of the ulog targets
queued somewhere? If not, should I submit it?

Paul Bolle

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Duan Jiong | 23 Jul 08:19 2014

[PATCH] netfilter: don't output error message redundantly


The function led_trigger_register() will only return -EEXIST when an
error arises.

Signed-off-by: Duan Jiong <duanj.fnst <at> cn.fujitsu.com>
---
 net/netfilter/xt_LED.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 993de2b..b47a58c 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
 <at>  <at>  -133,9 +133,7  <at>  <at>  static int led_tg_check(const struct xt_tgchk_param *par)

 	err = led_trigger_register(&ledinternal->netfilter_led_trigger);
 	if (err) {
-		pr_warning("led_trigger_register() failed\n");
-		if (err == -EEXIST)
-			pr_warning("Trigger name is already in use.\n");
+		pr_warning("Trigger name is already in use.\n");
 		goto exit_alloc;
 	}

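Review bot: the replacement message inside the if (err) branch is unconditional, so it becomes wrong for any err other than -EEXIST; the commit message asserts that -EEXIST is the only error led_trigger_register() returns today, but the hunk bakes that assumption into the log text. Printing the value keeps the message truthful either way, e.g. pr_warning("led_trigger_register() failed: %d\n", err); or, if the "already in use" wording is wanted, keep the err == -EEXIST test and fall back to the generic line for anything else.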
--

-- 
1.8.3.1
(Continue reading)

Richard Wong | 22 Jul 13:21 2014

Good Day

I have a business proposal I would like to share with you, on your response I will email you with more details.

I await your quick response.

Kind regards
Richard Wong


Simon Horman | 22 Jul 09:25 2014

[GIT PULL] Third Round of IPVS Fixes for v3.16

Hi Pablo,

please consider this third round of IPVS fixes for v3.16.

It includes one change from Alex Gartrell to:

* Maintain all DSCP and ECN bits for IPv6 tun forwarding
  This resolves an inconsistency between IPv4 and IPv6 behaviour.
  This behaviour was added when IPv6 support was added to IPVS
  in v2.6.27.

This pull request is for an unsigned, unannotated tag.
Please let me know if this doesn't work with your work flow.

The following changes since commit 2627b7e15c5064ddd5e578e4efd948d48d531a3f:

  ipvs: avoid netns exit crash on ip_vs_conn_drop_conntrack (2014-07-16 09:39:28 +0900)

are available in the git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs.git tags/ipvs-fixes3-for-v3.16

for you to fetch changes up to 76f084bc10004b3050b2cff9cfac29148f1f6088:

  ipvs: Maintain all DSCP and ECN bits for ipv6 tun forwarding (2014-07-17 12:53:54 +0900)

----------------------------------------------------------------
Alex Gartrell (1):
      ipvs: Maintain all DSCP and ECN bits for ipv6 tun forwarding

(Continue reading)

Josh Hunt | 22 Jul 06:54 2014

[PATCH] netfilter: xt_hashlimit: handle iptables-restore of hash with same name

Below is a first pass attempt at fixing a problem we've come across when
trying to do an iptables-restore where the hashlimit name stays the same, but
one of the hashlimit parameters changes but does not take effect.

For example, if you have an existing hashlimit rule, do an iptables-save, change the
rate for that rule, and then do an iptables-restore the new rate will not be
enforced.

This appears to be due to a problem where hashlimit only checks for existing
hashes by name and family and does not consider any of the other config
parameters.

I've attempted to fix this by having it check for all hashlimit config params,
this way it doesn't accidentally match just on name. This brought up an issue
of having to make hashlimit aware of how many references there are to its
proc entry.

I'm not submitting this for inclusion yet, but for feedback. Mainly on the approach
and if there's possibly a better way of resolving this problem. My handling of
the proc "problem" is pretty messy right now and possibly incomplete, but the
patch below allows the case I described above to pass now. I hope to clean up
the proc handling in a v2.

Any feedback is greatly appreciated.

Thanks
Josh
---

    netfilter: xt_hashlimit: handle iptables-restore of hash with same name
(Continue reading)
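A constructed model of the lookup problem described in the message above, added here as an example; it is not xt_hashlimit.c and not Josh's patch. It keeps a registry of named tables with a reference count and shows why a lookup keyed on name and family alone hands the restored rule the old configuration, while a lookup that also compares the config creates a fresh table. The registry, the three cfg fields and the refcount handling are assumptions; the /proc entry name clash the message mentions is deliberately left out.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct hashlimit_cfg { uint32_t avg; uint32_t burst; uint32_t expire; };

struct htable {
	char name[16];
	uint8_t family;
	struct hashlimit_cfg cfg;
	unsigned refcnt;                 /* rules currently holding the table */
	struct htable *next;
};

static struct htable *tables;        /* global registry, like a per-netns list */

static struct htable *htable_create(const char *name, uint8_t family,
				    const struct hashlimit_cfg *cfg)
{
	struct htable *t = calloc(1, sizeof(*t));

	if (!t)
		return NULL;
	strncpy(t->name, name, sizeof(t->name) - 1);
	t->family = family;
	t->cfg = *cfg;
	t->refcnt = 1;
	t->next = tables;
	tables = t;
	return t;
}

/* Before: a table is reused whenever name and family match. */
static struct htable *htable_find_get_by_name(const char *name, uint8_t family)
{
	struct htable *t;

	for (t = tables; t; t = t->next)
		if (t->family == family && strcmp(t->name, name) == 0) {
			t->refcnt++;
			return t;
		}
	return NULL;
}

/* After: reuse only if every configuration parameter matches as well. */
static struct htable *htable_find_get(const char *name, uint8_t family,
				      const struct hashlimit_cfg *cfg)
{
	struct htable *t;

	for (t = tables; t; t = t->next)
		if (t->family == family && strcmp(t->name, name) == 0 &&
		    memcmp(&t->cfg, cfg, sizeof(*cfg)) == 0) {
			t->refcnt++;
			return t;
		}
	return NULL;
}

static void htable_put(struct htable *t)
{
	struct htable **pp;

	if (--t->refcnt)
		return;
	for (pp = &tables; *pp; pp = &(*pp)->next)
		if (*pp == t) {
			*pp = t->next;
			break;
		}
	free(t);
}

/* checkentry for one rule: find (strict or by name), else create. */
static struct htable *checkentry(const char *name, uint8_t family,
				 const struct hashlimit_cfg *cfg, int strict)
{
	struct htable *t = strict ? htable_find_get(name, family, cfg)
				  : htable_find_get_by_name(name, family);

	return t ? t : htable_create(name, family, cfg);
}

/* Simulated restore: the rule exists with avg=10, iptables-restore inserts
 * the same name with avg=20 while the old rule is still live, then the old
 * rule is deleted. Returns the avg the surviving rule actually enforces. */
uint32_t rate_after_restore(int strict)
{
	struct hashlimit_cfg old = { 10, 5, 10 }, upd = { 20, 5, 10 };
	struct htable *r1, *r2;
	uint32_t enforced;

	r1 = checkentry("http", 2, &old, strict);    /* original rule */
	r2 = checkentry("http", 2, &upd, strict);    /* restored rule, new rate */
	htable_put(r1);                              /* original rule removed */
	enforced = r2->cfg.avg;
	htable_put(r2);
	return enforced;
}
```

With strict=0 the second checkentry() returns the first table and the new rate is silently dropped; with strict=1 both tables coexist until the old rule's reference is released, which is exactly the point at which the real driver has to cope with two tables of the same name.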

Pablo Neira Ayuso | 21 Jul 14:31 2014

[PATCH libnftnl] src: stricter netlink attribute length validation

If the kernel sends us different data length for a given attribute,
stop further processing and indicate that an ABI breakage has occurred.
This is an example of the (hypothetical) message that is shown in that
case:

 nf_tables kernel ABI is broken, contact your vendor.
 table.c:214 reason: Numerical result out of range

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 src/chain.c          |   36 ++++++++++++------------------------
 src/expr/bitwise.c   |   12 ++++--------
 src/expr/byteorder.c |    6 ++----
 src/expr/cmp.c       |   12 ++++--------
 src/expr/counter.c   |    6 ++----
 src/expr/ct.c        |   12 ++++--------
 src/expr/data_reg.c  |   24 ++++++++----------------
 src/expr/exthdr.c    |   12 ++++--------
 src/expr/immediate.c |   12 ++++--------
 src/expr/limit.c     |    6 ++----
 src/expr/log.c       |   18 ++++++------------
 src/expr/lookup.c    |   12 ++++--------
 src/expr/match.c     |   18 ++++++------------
 src/expr/meta.c      |    6 ++----
 src/expr/nat.c       |    6 ++----
 src/expr/payload.c   |    6 ++----
 src/expr/queue.c     |    6 ++----
 src/expr/reject.c    |   12 ++++--------
 src/expr/target.c    |   18 ++++++------------
 src/internal.h       |    9 +++++++++
(Continue reading)
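A strict attribute-length walk of the kind the commit message describes, added as an example that is not libnftnl's code and not part of the patch. It parses a netlink-style attribute stream (struct nlattr layout: 16-bit length, 16-bit type, 4-byte alignment), rejects any fixed-size attribute whose payload is not exactly the expected size with -ERANGE (the "ABI is broken" case, shown as ERANGE in the message above), and refuses malformed lengths that would run past the buffer or loop forever. The attribute numbers ATTR_NAME/ATTR_HANDLE/ATTR_FLAGS and their sizes are hypothetical, not nf_tables' real ones; the sample messages are constructed inline.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NLA_ALIGNTO 4U
#define NLA_ALIGN(n) (((n) + NLA_ALIGNTO - 1U) & ~(NLA_ALIGNTO - 1U))

struct nla_hdr {                 /* same layout as the kernel's struct nlattr */
	uint16_t nla_len;            /* header + payload, before padding */
	uint16_t nla_type;
};
#define NLA_HDRLEN ((size_t)NLA_ALIGN(sizeof(struct nla_hdr)))

enum { ATTR_NAME = 1, ATTR_HANDLE = 2, ATTR_FLAGS = 3 };   /* hypothetical */

struct parsed { char name[16]; uint64_t handle; uint32_t flags; };

/* Expected payload size for fixed-size attributes; 0 = variable length. */
static size_t fixed_len(uint16_t type)
{
	switch (type) {
	case ATTR_HANDLE: return sizeof(uint64_t);
	case ATTR_FLAGS:  return sizeof(uint32_t);
	default:          return 0;
	}
}

/* Returns 0 on success, -EINVAL if an attribute runs past the buffer or
 * claims a length below the header size, -ERANGE if a fixed-size attribute
 * carries a different payload size than expected (processing stops there). */
int parse_attrs(const unsigned char *buf, size_t len, struct parsed *out)
{
	size_t off = 0;

	memset(out, 0, sizeof(*out));
	while (off < len) {
		struct nla_hdr h;
		const unsigned char *data;
		size_t payload;

		if (len - off < NLA_HDRLEN)
			return -EINVAL;
		memcpy(&h, buf + off, sizeof(h));       /* no unaligned access */
		if (h.nla_len < NLA_HDRLEN || h.nla_len > len - off)
			return -EINVAL;
		payload = h.nla_len - NLA_HDRLEN;
		data = buf + off + NLA_HDRLEN;

		if (fixed_len(h.nla_type) && payload != fixed_len(h.nla_type))
			return -ERANGE;

		switch (h.nla_type) {
		case ATTR_NAME:                          /* must fit and be NUL-terminated */
			if (payload == 0 || payload > sizeof(out->name) || data[payload - 1])
				return -EINVAL;
			memcpy(out->name, data, payload);
			break;
		case ATTR_HANDLE: memcpy(&out->handle, data, sizeof(out->handle)); break;
		case ATTR_FLAGS:  memcpy(&out->flags, data, sizeof(out->flags));   break;
		default: break;                          /* unknown attribute: skip */
		}
		off += NLA_ALIGN(h.nla_len);
	}
	return 0;
}

/* Builder for the constructed sample messages below. */
static size_t put_attr(unsigned char *buf, size_t off, uint16_t type,
		       const void *data, size_t n)
{
	struct nla_hdr h = { (uint16_t)(NLA_HDRLEN + n), type };
	size_t total = NLA_ALIGN(NLA_HDRLEN + n);

	memset(buf + off, 0, total);
	memcpy(buf + off, &h, sizeof(h));
	memcpy(buf + off + NLA_HDRLEN, data, n);
	return off + total;
}

/* The "kernel" encodes HANDLE with handle_bytes bytes; we expect 8. Returns
 * parse_attrs()'s result, or -1 if the parsed fields differ from what was sent. */
int demo(size_t handle_bytes)
{
	unsigned char buf[64], handle[8] = { 0x2a, 0, 0, 0, 0, 0, 0, 0 };
	uint32_t flags = 1;
	struct parsed p;
	size_t n = 0;
	int rc;

	n = put_attr(buf, n, ATTR_NAME, "input", 6);
	n = put_attr(buf, n, ATTR_HANDLE, handle, handle_bytes);
	n = put_attr(buf, n, ATTR_FLAGS, &flags, sizeof(flags));
	rc = parse_attrs(buf, n, &p);
	if (rc)
		return rc;
	return (strcmp(p.name, "input") == 0 && p.flags == 1 &&
		memcmp(&p.handle, handle, sizeof(handle)) == 0) ? 0 : -1;
}
```

demo(8) parses cleanly; demo(4) models a kernel that shrank the handle attribute and is rejected with -ERANGE before FLAGS is looked at, which is the behaviour the commit message asks for.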

Pablo Neira Ayuso | 21 Jul 14:15 2014

[PATCH net] IPVS fix pull request

Hi David,

Via Simon Horman, I received the following one-liner for your net tree:

1) Fix crash when exiting from netns that uses IPVS and conntrack,
   from Julian Anastasov via Simon Horman.

You can pull this change from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit ce355e209feb030945dae4c358c02f29a84f3f8b:

  netfilter: nf_tables: 64bit stats need some extra synchronization (2014-07-14 12:00:17 +0200)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master

for you to fetch changes up to 2627b7e15c5064ddd5e578e4efd948d48d531a3f:

  ipvs: avoid netns exit crash on ip_vs_conn_drop_conntrack (2014-07-16 09:39:28 +0900)

----------------------------------------------------------------
Julian Anastasov (1):
      ipvs: avoid netns exit crash on ip_vs_conn_drop_conntrack
(Continue reading)

Arturo Borrero Gonzalez | 18 Jul 13:08 2014

[libnftnl PATCH] src: improve printing of XML/JSON event wrapper header/footer

Every snprintf() call is guaranteed to put the trailing \0 character, unless
the output was truncated, ie ret == bufsiz. If the output was truncated, the
caller must reallocate a buffer and start again.
This \0 character is used by other functions like fputs() and fprintf() to
know where a string ends, so they avoid adding garbage to the output.

The XML/JSON event wrapper header/footer is printed for each object, meaning
that the header is the first thing to be written to the buffer and the footer
the last; all objects share this code path.

A new helper function nft_fprintf2() is added because:
 * we need to handle the needed buffer resizing.
 * so we can ignore what string the header/footer are composed of.
 * nft_fprint() requires an object; the signature of the function differs.

There were two cases we weren't considering in the header/footer fprintf
functions: if the nft_event_[head|foot]er_snprintf() call returned 0 and/or if
returned < 0. Previous to this patch, we unconditionally do a fprintf().

Now with this patch, we avoid doing fprintf() if the inner snprintf() call:
 * failed (ret < 0)
 * didn't print anything (ret == 0) to the buffer (even a \0 character)

Also, we were unconditionally adding a \0 character at buf[sizeof(buf) - 1],
meaning that if the inner snprintf() returned 0, we get sizeof(buf) - 2
characters of unknown value.

A side effect of this patch is that we avoid 2 syscalls (2 fprintf() calls) per
nft object to be printed if the header/footer is empty (ie, no events flags
set).
(Continue reading)
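The grow-and-retry formatting and the "print only if non-empty" rule described in the message above, as an added example that is not libnftnl's nft_fprintf2() and not the patch's code. vformat_grow() retries with a bigger buffer whenever vsnprintf() reports truncation (return value >= buffer size) and never treats a 0-length result as an error; fprintf_if_nonempty() skips the write entirely when the formatted string is empty. The 8-byte starting buffer is an assumption chosen so the resize path is actually exercised, and the JSON header string in demo_header_bytes() is constructed for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a heap buffer, retrying with a larger one whenever vsnprintf()
 * reports truncation. Returns the string length (0 is a valid result) or -1
 * on error; on success *out points to a malloc()ed NUL-terminated string. */
int vformat_grow(char **out, const char *fmt, va_list ap)
{
	size_t size = 8;                      /* assumed small start, forces a resize */
	char *buf = NULL;

	for (;;) {
		va_list aq;
		char *nbuf = realloc(buf, size);
		int ret;

		if (!nbuf) {
			free(buf);
			return -1;
		}
		buf = nbuf;
		va_copy(aq, ap);                  /* ap must survive for the retry */
		ret = vsnprintf(buf, size, fmt, aq);
		va_end(aq);
		if (ret < 0) {
			free(buf);
			return -1;                    /* encoding error: nothing to print */
		}
		if ((size_t)ret < size) {
			*out = buf;                   /* fit, trailing NUL included */
			return ret;
		}
		size = (size_t)ret + 1;           /* ret is the length that was needed */
	}
}

int format_grow(char **out, const char *fmt, ...)
{
	va_list ap;
	int ret;

	va_start(ap, fmt);
	ret = vformat_grow(out, fmt, ap);
	va_end(ap);
	return ret;
}

/* Write the formatted text to fp only when there is something to write, so
 * an empty header/footer costs no write at all. Returns the bytes written
 * (0 when the string was empty) or -1 on error. */
int fprintf_if_nonempty(FILE *fp, const char *fmt, ...)
{
	char *s = NULL;
	va_list ap;
	int len, ret;

	va_start(ap, fmt);
	len = vformat_grow(&s, fmt, ap);
	va_end(ap);
	if (len < 0)
		return -1;
	ret = len > 0 ? (fputs(s, fp) == EOF ? -1 : len) : 0;
	free(s);
	return ret;
}

/* Constructed header: a 27-byte JSON event wrapper when events are enabled,
 * an empty string otherwise. Returns the bytes written to a temporary file. */
int demo_header_bytes(int events_enabled)
{
	FILE *fp = tmpfile();
	int ret;

	if (!fp)
		return -1;
	ret = fprintf_if_nonempty(fp, "%s",
				  events_enabled ? "{\"event\":\"new\",\"nftables\":[" : "");
	fclose(fp);
	return ret;
}
```

The va_copy() is the detail that is easy to miss: a va_list consumed by a failed vsnprintf() cannot be passed again, so each retry must work on a fresh copy.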
