Carlos Falgueras García | 24 May 17:17 2016

[PATCH] libnftnl: set_elem: Fix memory leak

User data must be freed.

How to reproduce:
    > nft add table t
    > nft add set t s {type ipv4_addr\;}
    > valgrind nft add element t s {1.1.1.1}

Signed-off-by: Carlos Falgueras García <carlosfg <at> riseup.net>
---
 src/set_elem.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/set_elem.c b/src/set_elem.c
index 353f21e..990be24 100644
--- a/src/set_elem.c
+++ b/src/set_elem.c
 <at>  <at>  -51,6 +51,9  <at>  <at>  void nftnl_set_elem_free(struct nftnl_set_elem *s)
 	if (s->flags & (1 << NFTNL_SET_ELEM_EXPR))
 		nftnl_expr_free(s->expr);

+	if (s->flags & (1 << NFTNL_SET_ELEM_USERDATA))
+		xfree(s->user.data);
+
 	xfree(s);
 }
 EXPORT_SYMBOL_ALIAS(nftnl_set_elem_free, nft_set_elem_free);
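
Review bot: The new xfree(s->user.data) in nftnl_set_elem_free() is gated on the NFTNL_SET_ELEM_USERDATA flag bit, so it only closes the leak if every path that allocates s->user.data also sets that bit. The changelog says only "User data must be freed"; it should name where the buffer is allocated so that can be checked, and quoting the valgrind leak record from the reproducer (not just the commands) would let a reader confirm that this allocation is the one being reported.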
--

-- 
2.8.2


Florian Westphal | 24 May 14:02 2016

[PATCH nft] netlink_delinerize: don't use meta_match_postprocess for ct pp

meta_match_postprocess uses meta.base which is only accessible if
left expression has EXPR_META type, so we can't use it to handle ct postprocessing.

To reduce copy-pastry, factor the common part into ct_meta_common_postprocess(),
then call that from both meta and ct postprocessing.

Signed-off-by: Florian Westphal <fw <at> strlen.de>
---
 src/netlink_delinearize.c | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index de5d66c..9e26078 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
 <at>  <at>  -1161,6 +1161,23  <at>  <at>  static void payload_match_postprocess(struct rule_pp_ctx *ctx,
 	}
 }

+static void ct_meta_common_postprocess(const struct expr *expr)
+{
+	const struct expr *left = expr->left;
+	struct expr *right = expr->right;
+
+	switch (expr->op) {
+	case OP_LOOKUP:
+		expr_set_type(right, left->dtype, left->byteorder);
+		if (right->dtype == &integer_type)
+			integer_type_postprocess(right);
+		break;
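
Review bot: ct_meta_common_postprocess() declares its parameter as "const struct expr *expr", but the OP_LOOKUP case modifies the right-hand child through expr_set_type(right, ...) and then hands it to integer_type_postprocess(). The const qualifier only protects the top-level node and reads as if the helper had no side effects; either drop it or add a one-line comment that the helper rewrites expr->right. Separately, the subject prefix is spelled "netlink_delinerize" while the file touched is src/netlink_delinearize.c, which makes the commit harder to find with a log search.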

Pablo Neira Ayuso | 24 May 12:14 2016

Re: [PATCH 2/2] netfilter: helper: Fix helper unregister count.

On Tue, May 24, 2016 at 06:03:41PM +0800, Feng Gao wrote:
> Hi Pablo,
> 
> Then could you give me some tips on what I should do next?
> Rebase the code and resubmit the commit about registering helpers?
> Or give up on this and try other commits?

Let's get the fixes in the tree first. Then, I'd suggest you follow up
with your patches once the fixes show up in nf-next.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Pablo Neira Ayuso | 24 May 11:55 2016

Re: [PATCH 2/2] netfilter: helper: Fix helper unregister count.

On Tue, May 24, 2016 at 05:47:07PM +0800, Feng Gao wrote:
> yes.
> 
> It was my fault at that time.
> I thought there might be one problem that I forgot to test, so I just notified
> you.
> I was afraid that it would break the work.

That's a valid concern, and I appreciate you indicated this. But then,
it's better if you resubmit and include in the description what you
did to test it.

> But after a while I found I had tested that case, so it would not be wrong.
> Because that was my first commit to netfilter, I didn't want to break
> it. So I was too upset.

Don't get upset, it can be a bit frustrating to understand the whole
process in the beginning, and keep re-submitting if you think you're
doing the right thing.

Another note: I also remember you also posted patches out of the
"merge window".  Netfilter sticks to David Miller's net-next merge
window, which is now closed BTW. Merge window (not strictly this, but
an approximation) opens by when -rc1 is released and then it closes by
when the first mainline kernel version is released.

Thanks.

Pablo Neira Ayuso | 24 May 11:44 2016

Re: [PATCH 1/2] netfilter: helper: Fix incorrect helper name.


On Tue, May 24, 2016 at 05:36:30PM +0800, Feng Gao wrote:
> Yes, right.
> 
> You mean the module forbids the user from entering duplicated ports now.

OK, if this is OK to you I'll submit this, thanks for reviewing.

BTW:

A: No, please don't do it.
Q: Is it fine to top-post in this mailing list? [1]

:)

[1] https://en.wikipedia.org/wiki/Posting_style

Pablo Neira Ayuso | 24 May 11:42 2016

Re: [PATCH 2/2] netfilter: helper: Fix helper unregister count.

On Tue, May 24, 2016 at 05:32:43PM +0800, Feng Gao wrote:
> Hi Pablo,
> 
> I remember my original commit was very simple.
> Just a few lines of changes.
> 
> Then I made it more complicated according to your comments

Are you referring to this?

http://patchwork.ozlabs.org/patch/522709/

I suggested this specifically: "Could you investigate if it would be
possible to add a nf_conntrack_helpers_register()?"

Then, you followed up with a patchset that was fixing and reworking in
the same go.

The usual procedure is to split the submissions in logical changes,
starting from fixes (that are always prioritized) and then follow up
with rework/improvements/new features.

I also remember that at some point you withdrew indicating that there
was a problem, then came back telling this was OK, which confused me.

Pablo Neira Ayuso | 24 May 11:26 2016

Re: [PATCH 2/2] netfilter: helper: Fix helper unregister count.

On Tue, May 24, 2016 at 12:18:58PM +0800, Feng Gao wrote:
> Hi,
> 
> I have committed the patches. See the following links:
> http://patchwork.ozlabs.org/patch/565169/
> http://patchwork.ozlabs.org/patch/565170/
> http://patchwork.ozlabs.org/patch/565171/
> 
> But I don't know why they are not accepted yet.
> I have done everything Pablo advised.

I prefer to take these small patch fixes from Taehee Yoo, so I can
pass back this to -stable. Once they are applied, I'd suggest you
rebase your large rework to introduce these new helper functions to
register conntrack helpers.

Thanks.

Arturo Borrero Gonzalez | 24 May 11:09 2016

[libnetfilter-conntrack PATCH] qa: update test_api with IPv6 NAT

Comparators are not implemented.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at> gmail.com>
---
 qa/test_api.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/qa/test_api.c b/qa/test_api.c
index 3742357..b96ecf7 100644
--- a/qa/test_api.c
+++ b/qa/test_api.c
 <at>  <at>  -178,6 +178,8  <at>  <at>  static int test_nfct_cmp_api_single(struct nf_conntrack *ct1,
 	/* FIXME: not implemented comparators: */
 	case ATTR_SNAT_IPV4:
 	case ATTR_DNAT_IPV4:
+	case ATTR_SNAT_IPV6:
+	case ATTR_DNAT_IPV6:
 	case ATTR_SNAT_PORT:
 	case ATTR_DNAT_PORT:
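
Review bot: The subject says test_api is updated "with IPv6 NAT", but ATTR_SNAT_IPV6 and ATTR_DNAT_IPV6 are added to the case list under the "FIXME: not implemented comparators" comment in test_nfct_cmp_api_single(), i.e. they are grouped with the attributes the comparison test does not exercise. The subject and changelog should say that these attributes are being excluded from the comparator test, and state whether comparators for them are planned, so the FIXME list does not grow without a record of why.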


Marek Mrva | 23 May 13:25 2016

[ipset] hash:net,iface bug?

Hi guys,

I have been playing with hash:net,iface table for a couple of days now, but for the love of me, I can't make it accept physdev: devices.

The man says:
When the interface is flagged with physdev:, the interface is interpreted as the incoming/outgoing bridge port.

It all boils down to this code (for IPv4):

--- kernel/net/netfilter/ipset/ip_set_hash_netiface.c <at> 154, ipset repository ---

static int
hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
                    const struct xt_action_param *par,
                    enum ipset_adt adt, struct ip_set_adt_opt *opt)
{
--- snip ---
        if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
                const char *eiface = SRCDIR ? get_physindev_name(skb) :
                                              get_physoutdev_name(skb);

                if (!eiface)
                        return -EINVAL;
                STRLCPY(e.iface, eiface);
                e.physdev = 1;
#endif
        } else {

Arturo Borrero Gonzalez | 23 May 08:49 2016

kernel 4.5.1 issue at system boot

This was in the log of my system boot today:

May 23 08:25:08 debianhost kernel: [  240.104042] INFO: task modprobe:776 blocked for more than 120 seconds.
May 23 08:25:08 debianhost kernel: [  240.104049]       Tainted: G        E   4.5.0-2-amd64 #1
May 23 08:25:08 debianhost kernel: [  240.104051] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
May 23 08:25:08 debianhost kernel: [  240.104054] modprobe        D ffff88007fa15980     0   776     98 0x00000000
May 23 08:25:08 debianhost kernel: [  240.104060]  ffff880078e4e600 ffffffff81a12500 ffff88007b20c000 ffff88007b20bc88
May 23 08:25:08 debianhost kernel: [  240.104065]  ffffffff81ad9ae4 ffff880078e4e600 00000000ffffffff ffffffff81ad9ae8
May 23 08:25:08 debianhost kernel: [  240.104069]  ffffffff815b36e1 ffffffff81ad9ae0 ffffffff815b396a ffffffff815b53f4
May 23 08:25:08 debianhost kernel: [  240.104073] Call Trace:
May 23 08:25:08 debianhost kernel: [  240.104083] [<ffffffff815b36e1>] ? schedule+0x31/0x80
May 23 08:25:08 debianhost kernel: [  240.104087] [<ffffffff815b396a>] ? schedule_preempt_disabled+0xa/0x10
May 23 08:25:08 debianhost kernel: [  240.104091] [<ffffffff815b53f4>] ? __mutex_lock_slowpath+0xb4/0x130
May 23 08:25:08 debianhost kernel: [  240.104099] [<ffffffffc06e600c>] ? nf_conntrack_ipv4_compat_init+0xc/0xc [nf_conntrack_ipv4]
May 23 08:25:08 debianhost kernel: [  240.104103] [<ffffffff815b548b>] ? mutex_lock+0x1b/0x30
May 23 08:25:08 debianhost kernel: [  240.104108] [<ffffffff814b0aa5>] ? register_pernet_subsys+0x15/0x40
